test: add Cortex E2E tests and sanitize hardcoded credentials

- Add `cortex-snowflake-e2e.test.ts` with 16 E2E tests for the Snowflake
  Cortex AI provider: PAT auth, streaming/non-streaming completions, model
  availability, request transforms, assistant-last rejection, PAT parsing
- Tests skip via `describe.skipIf` when `SNOWFLAKE_CORTEX_PAT` is not set
- Remove hardcoded credentials from `drivers-snowflake-e2e.test.ts` docstring
  — replaced with placeholder values

Run with:
  export SNOWFLAKE_CORTEX_ACCOUNT="<account>"
  export SNOWFLAKE_CORTEX_PAT="<pat>"
  bun test test/altimate/cortex-snowflake-e2e.test.ts --timeout 120000

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: anandgupta42

packages/opencode/test/altimate/cortex-snowflake-e2e.test.ts

@@ -0,0 +1,313 @@
+/**
+ * Snowflake Cortex AI Provider E2E Tests
+ *
+ * Tests the Snowflake Cortex LLM inference endpoint via the provider's
+ * auth plugin and request transforms. Requires a Snowflake PAT (Programmatic
+ * Access Token) — password auth is NOT sufficient for the Cortex REST API.
+ *
+ * Env vars:
+ *
+ *   # Required — PAT auth for Cortex API:
+ *   export SNOWFLAKE_CORTEX_ACCOUNT="ejjkbko-fub20041"
+ *   export SNOWFLAKE_CORTEX_PAT="<your-programmatic-access-token>"
+ *
+ *   Create a PAT in Snowsight: Admin → Security → Programmatic Access Tokens
+ *
+ * Skips all tests if SNOWFLAKE_CORTEX_PAT is not set.
+ *
+ * Tests cover: PAT authentication, Cortex chat completions (streaming & non-streaming),
+ * model availability, request transforms (max_tokens, tool stripping), error handling,
+ * and the synthetic stop mechanism for assistant-last-message rejection.
+ *
+ * Run:
+ *   export SNOWFLAKE_CORTEX_ACCOUNT="ejjkbko-fub20041"
+ *   export SNOWFLAKE_CORTEX_PAT="<pat>"
+ *   bun test test/altimate/cortex-snowflake-e2e.test.ts --timeout 120000
+ */
+
+import { describe, expect, test } from "bun:test"
+import {
+  parseSnowflakePAT,
+  transformSnowflakeBody,
+  VALID_ACCOUNT_RE,
+} from "../../src/altimate/plugin/snowflake"
+
+const CORTEX_ACCOUNT = process.env.SNOWFLAKE_CORTEX_ACCOUNT
+const CORTEX_PAT = process.env.SNOWFLAKE_CORTEX_PAT
+const HAS_CORTEX = !!(CORTEX_ACCOUNT && CORTEX_PAT)
+
+function cortexBaseURL(account: string): string {
+  return `https://${account}.snowflakecomputing.com/api/v2/cortex/v1`
+}
+
+/** Make a raw Cortex chat completion request. */
+async function cortexChat(opts: {
+  account: string
+  pat: string
+  model: string
+  messages: Array<{ role: string; content: string }>
+  stream?: boolean
+  max_tokens?: number
+  tools?: unknown[]
+}): Promise<Response> {
+  const body: Record<string, unknown> = {
+    model: opts.model,
+    messages: opts.messages,
+    max_completion_tokens: opts.max_tokens ?? 256,
+  }
+  if (opts.stream !== undefined) body.stream = opts.stream
+  if (opts.tools) {
+    body.tools = opts.tools
+    body.tool_choice = "auto"
+  }
+
+  return fetch(`${cortexBaseURL(opts.account)}/chat/completions`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${opts.pat}`,
+      "X-Snowflake-Authorization-Token-Type": "PROGRAMMATIC_ACCESS_TOKEN",
+    },
+    body: JSON.stringify(body),
+  })
+}
+
+// ---------------------------------------------------------------------------
+// Cortex API E2E (requires PAT)
+// ---------------------------------------------------------------------------
+
+describe.skipIf(!HAS_CORTEX)("Snowflake Cortex E2E", () => {
+  // -------------------------------------------------------------------------
+  // Authentication
+  // -------------------------------------------------------------------------
+  describe("Authentication", () => {
+    test("PAT auth succeeds with valid credentials", async () => {
+      const resp = await cortexChat({
+        account: CORTEX_ACCOUNT!,
+        pat: CORTEX_PAT!,
+        model: "claude-3-5-sonnet",
+        messages: [{ role: "user", content: "Reply with exactly: hello" }],
+        stream: false,
+        max_tokens: 32,
+      })
+      expect(resp.status).toBe(200)
+      const json = await resp.json()
+      expect(json.choices).toBeDefined()
+      expect(json.choices.length).toBeGreaterThan(0)
+      expect(json.choices[0].message.content).toBeTruthy()
+    }, 30000)
+
+    test("rejects invalid PAT", async () => {
+      const resp = await cortexChat({
+        account: CORTEX_ACCOUNT!,
+        pat: "invalid-pat-token",
+        model: "claude-3-5-sonnet",
+        messages: [{ role: "user", content: "test" }],
+        stream: false,
+        max_tokens: 16,
+      })
+      expect(resp.status).toBeGreaterThanOrEqual(400)
+    }, 15000)
+
+    test("rejects invalid account identifier", async () => {
+      const resp = await cortexChat({
+        account: "nonexistent-account-xyz123",
+        pat: CORTEX_PAT!,
+        model: "claude-3-5-sonnet",
+        messages: [{ role: "user", content: "test" }],
+        stream: false,
+        max_tokens: 16,
+      })
+      // DNS resolution or connection error — fetch throws or returns error
+      expect(resp.ok).toBe(false)
+    }, 15000)
+  })
+
+  // -------------------------------------------------------------------------
+  // Non-streaming completions
+  // -------------------------------------------------------------------------
+  describe("Non-Streaming Completions", () => {
+    test("returns valid JSON completion", async () => {
+      const resp = await cortexChat({
+        account: CORTEX_ACCOUNT!,
+        pat: CORTEX_PAT!,
+        model: "claude-3-5-sonnet",
+        messages: [{ role: "user", content: "What is 2+2? Reply with just the number." }],
+        stream: false,
+        max_tokens: 16,
+      })
+      expect(resp.status).toBe(200)
+      const json = await resp.json()
+      expect(json.choices[0].message.role).toBe("assistant")
+      expect(json.choices[0].message.content).toContain("4")
+      expect(json.choices[0].finish_reason).toBe("stop")
+    }, 30000)
+
+    test("uses max_completion_tokens (not max_tokens)", async () => {
+      // Cortex uses max_completion_tokens — verify it works
+      const resp = await fetch(`${cortexBaseURL(CORTEX_ACCOUNT!)}/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${CORTEX_PAT}`,
+          "X-Snowflake-Authorization-Token-Type": "PROGRAMMATIC_ACCESS_TOKEN",
+        },
+        body: JSON.stringify({
+          model: "claude-3-5-sonnet",
+          messages: [{ role: "user", content: "Say hello" }],
+          max_completion_tokens: 16,
+          stream: false,
+        }),
+      })
+      expect(resp.status).toBe(200)
+    }, 30000)
+  })
+
+  // -------------------------------------------------------------------------
+  // Streaming completions
+  // -------------------------------------------------------------------------
+  describe("Streaming Completions", () => {
+    test("returns SSE stream with chunked deltas", async () => {
+      const resp = await cortexChat({
+        account: CORTEX_ACCOUNT!,
+        pat: CORTEX_PAT!,
+        model: "claude-3-5-sonnet",
+        messages: [{ role: "user", content: "Count from 1 to 5." }],
+        stream: true,
+        max_tokens: 64,
+      })
+      expect(resp.status).toBe(200)
+      expect(resp.headers.get("content-type")).toContain("text/event-stream")
+
+      const text = await resp.text()
+      expect(text).toContain("data: ")
+      expect(text).toContain('"finish_reason":"stop"')
+      expect(text).toContain("data: [DONE]")
+    }, 30000)
+  })
+
+  // -------------------------------------------------------------------------
+  // Model availability
+  // -------------------------------------------------------------------------
+  describe("Model Availability", () => {
+    const models = ["claude-3-5-sonnet", "llama3.3-70b", "mistral-large2"]
+
+    for (const model of models) {
+      test(`model ${model} responds`, async () => {
+        const resp = await cortexChat({
+          account: CORTEX_ACCOUNT!,
+          pat: CORTEX_PAT!,
+          model,
+          messages: [{ role: "user", content: "Reply with: ok" }],
+          stream: false,
+          max_tokens: 8,
+        })
+        // Accept 200 (model available) or 400 (model not enabled for this account)
+        expect([200, 400]).toContain(resp.status)
+      }, 30000)
+    }
+  })
+
+  // -------------------------------------------------------------------------
+  // Request transforms (via transformSnowflakeBody)
+  // -------------------------------------------------------------------------
+  describe("Request Transform Integration", () => {
+    test("max_tokens renamed to max_completion_tokens in transform", () => {
+      const input = JSON.stringify({
+        model: "claude-3-5-sonnet",
+        messages: [{ role: "user", content: "test" }],
+        max_tokens: 100,
+        stream: true,
+      })
+      const { body } = transformSnowflakeBody(input)
+      const parsed = JSON.parse(body)
+      expect(parsed.max_completion_tokens).toBe(100)
+      expect(parsed.max_tokens).toBeUndefined()
+    })
+
+    test("tools stripped for llama model in transform", () => {
+      const input = JSON.stringify({
+        model: "llama3.3-70b",
+        messages: [{ role: "user", content: "test" }],
+        tools: [{ type: "function", function: { name: "read_file" } }],
+        tool_choice: "auto",
+      })
+      const { body } = transformSnowflakeBody(input)
+      const parsed = JSON.parse(body)
+      expect(parsed.tools).toBeUndefined()
+      expect(parsed.tool_choice).toBeUndefined()
+    })
+
+    test("synthetic stop skipped for non-streaming requests", () => {
+      const input = JSON.stringify({
+        model: "claude-3-5-sonnet",
+        stream: false,
+        messages: [
+          { role: "user", content: "test" },
+          { role: "assistant", content: "response" },
+        ],
+      })
+      const { syntheticStop } = transformSnowflakeBody(input)
+      expect(syntheticStop).toBeUndefined()
+    })
+
+    test("synthetic stop triggered for streaming requests with trailing assistant", () => {
+      const input = JSON.stringify({
+        model: "claude-3-5-sonnet",
+        stream: true,
+        messages: [
+          { role: "user", content: "test" },
+          { role: "assistant", content: "response" },
+        ],
+      })
+      const { syntheticStop } = transformSnowflakeBody(input)
+      expect(syntheticStop).toBeDefined()
+      expect(syntheticStop!.status).toBe(200)
+    })
+  })
+
+  // -------------------------------------------------------------------------
+  // Cortex rejects assistant-last messages
+  // -------------------------------------------------------------------------
+  describe("Assistant-Last Message Rejection", () => {
+    test("Cortex rejects request with trailing assistant message", async () => {
+      const resp = await fetch(`${cortexBaseURL(CORTEX_ACCOUNT!)}/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${CORTEX_PAT}`,
+          "X-Snowflake-Authorization-Token-Type": "PROGRAMMATIC_ACCESS_TOKEN",
+        },
+        body: JSON.stringify({
+          model: "claude-3-5-sonnet",
+          messages: [
+            { role: "user", content: "hello" },
+            { role: "assistant", content: "I'm here" },
+          ],
+          max_completion_tokens: 16,
+          stream: false,
+        }),
+      })
+      // Cortex should reject this — the synthetic stop mechanism exists to prevent this
+      expect(resp.status).toBeGreaterThanOrEqual(400)
+    }, 15000)
+  })
+
+  // -------------------------------------------------------------------------
+  // PAT parsing validation
+  // -------------------------------------------------------------------------
+  describe("PAT Parsing with Real Credentials", () => {
+    test("parses real account::pat format", () => {
+      const account = CORTEX_ACCOUNT!
+      const pat = CORTEX_PAT!
+      const result = parseSnowflakePAT(`${account}::${pat}`)
+      expect(result).not.toBeNull()
+      expect(result!.account).toBe(account)
+      expect(result!.token).toBe(pat)
+    })
+
+    test("account passes validation regex", () => {
+      expect(VALID_ACCOUNT_RE.test(CORTEX_ACCOUNT!)).toBe(true)
+    })
+  })
+})

packages/opencode/test/altimate/drivers-snowflake-e2e.test.ts

@@ -4,7 +4,7 @@
  * Requires env vars (set one or more):
  *
  *   # Password auth (primary):
- *   export ALTIMATE_CODE_CONN_SNOWFLAKE_TEST='{"type":"snowflake","account":"ejjkbko-fub20041","user":"juleszobi","password":"Ejungle9!","warehouse":"COMPUTE_WH","database":"TENANT_INFORMATICA_MIGRATION","schema":"public","role":"ACCOUNTADMIN"}'
+ *   export ALTIMATE_CODE_CONN_SNOWFLAKE_TEST='{"type":"snowflake","account":"<account>","user":"<user>","password":"<password>","warehouse":"<warehouse>","database":"<database>","schema":"public","role":"ACCOUNTADMIN"}'
  *
  *   # Key-pair auth (optional — requires RSA key setup in Snowflake):
  *   export SNOWFLAKE_TEST_KEY_PATH="/path/to/rsa_key.p8"