Skip to content

test: cover macOS keychain metadata#64

Merged
rianjs merged 1 commit into
mainfrom
fix/62-keychain-metadata-e2e
Jun 20, 2026
Merged

test: cover macOS keychain metadata#64
rianjs merged 1 commit into
mainfrom
fix/62-keychain-metadata-e2e

Conversation

@rianjs

@rianjs rianjs commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add a gated Darwin+cgo test that writes through credstore.Store.Set and inspects the real ByteNess Keychain metadata via GetMetadata
  • assert Keychain label and description match the concrete service account format used to avoid prompts naming ""
  • log the synthetic service/account and clean up the synthetic item after the run

Existing blank-label Keychain items are not mutated by reads or failed no-overwrite writes. Metadata is present for new items and successful overwrites.

No semver tag/release is being cut here; downstream consumers still need to be verified against this fix before the coordinated release train is considered complete.

Closes #62

Verification

  • go test ./credstore
  • go test -tags keyring_no1password,keyring_nopassage ./credstore
  • CREDSTORE_OS_KEYRING_TEST=1 go test ./credstore -run 'TestOSKeyringBackendsGated|TestKeychainMetadataGated' -count=1 -v
  • make check
  • go test -race -tags keyring_nopassage ./...
  • go test -race -tags keyring_no1password,keyring_nopassage ./...

@rianjs

rianjs commented Jun 20, 2026

Copy link
Copy Markdown
Contributor Author

Findings

None.

Code Quality Lens

The diff is tightly scoped to #62: one Darwin+cgo gated empirical test, no public API changes, no formatting changes, and no downstream or release work. The test exercises the intended product path by writing through credstore.Store.Set, then independently reads real Keychain metadata through ByteNess GetMetadata and asserts the exact non-empty label/description format. Cleanup is registered before assertions and the synthetic service/account are logged for manual recovery.

I reran go test ./credstore locally; it passed.

@rianjs

rianjs commented Jun 20, 2026

Copy link
Copy Markdown
Contributor Author

  • Major: credstore/osbackend_keychain_metadata_darwin_test.go:35 only proves one fresh write path. It never exercises a true overwrite/update of an existing Keychain item, so a regression where first writes get the right Label/Description but overwrites keep blank metadata would still pass. Since the PR body claims metadata is present for successful overwrites and existing blank items are not mutated on reads or failed no-overwrite writes, this leaves the main behavioral claim under-tested. I would add a second phase that seeds an existing item and rewrites it, or a separate assertion around the rejected no-overwrite case.

  • Minor: credstore/osbackend_keychain_metadata_darwin_test.go:15 makes the test fully opt-in, so it will not run in ordinary go test or most CI lanes. That is understandable for real Keychain coverage, but it does mean the regression guard is manual unless there is a dedicated macOS job.

@rianjs rianjs force-pushed the fix/62-keychain-metadata-e2e branch from b31f490 to 011e619 Compare June 20, 2026 10:42
@rianjs

rianjs commented Jun 20, 2026

Copy link
Copy Markdown
Contributor Author

Minor

  • credstore/osbackend_keychain_metadata_darwin_test.go: The legacy-seed phase should assert the seeded item is actually nonconforming before using it to prove no-overwrite preservation. Right now it captures seededLabel / seededDescription; if raw ByteNess/macOS ever defaults these to the target metadata, that portion of the test becomes vacuous. Prefer asserting both are empty if stable, or at least asserting they differ from wantLabel / wantDescription.

  • credstore/osbackend_keychain_metadata_darwin_test.go: Consider opening the raw seed keyring with KeychainTrustApplication: true. The later no-overwrite path calls Get for the existence pre-check, which asks Keychain for secret data on the seeded item. Leaving the seed untrusted can introduce an extra authorization prompt during the gated test; the test should be deterministic once the login Keychain is unlocked.

Code Quality Lens

No blockers or product drift. The added coverage is still scoped to #62, exercises real Keychain metadata, and avoids public API changes. I reran go test ./credstore; it passed.

@rianjs rianjs force-pushed the fix/62-keychain-metadata-e2e branch from 011e619 to 6e07882 Compare June 20, 2026 10:52
@monit-reviewer

monit-reviewer commented Jun 20, 2026

Copy link
Copy Markdown

PR review failed and the daemon has stopped retrying for this commit. I am removing my pending review request to stop the automated review cycle. Re-request @monit-reviewer to retry, or push a new commit and re-request.

monit-reviewer
monit-reviewer approved these changes Jun 20, 2026
View reviewed changes

@monit-reviewer monit-reviewer left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automated PR Review

Reviewed commit: 6e07882

Manually approved via CLI.

@rianjs

rianjs commented Jun 20, 2026

Copy link
Copy Markdown
Contributor Author

Findings

None.

The review-driven edits stayed within the agreed architecture: the test still writes through credstore.Store.Set, reads real Keychain metadata through ByteNess, avoids public API changes, keeps release/tag work out of this ticket, and now covers the legacy/no-overwrite/overwrite behavior without adding avoidable Keychain trust prompt noise.

I reran go test ./credstore; it passed.

@rianjs rianjs merged commit 351effa into main Jun 20, 2026
4 checks passed
@rianjs rianjs deleted the fix/62-keychain-metadata-e2e branch June 20, 2026 11:55
@rianjs rianjs mentioned this pull request Jun 20, 2026
Merged
rianjs added a commit to open-cli-collective/newrelic-cli that referenced this pull request Jun 20, 2026
@rianjs
test: cover newrelic keychain metadata (#132)
3890753 
## Summary
- bump cli-common to the immutable pseudo-version containing
open-cli-collective/cli-common#64
- add a Darwin+cgo gated empirical test that writes through nrq's
keychain adapter with an injected newrelic-cli/<profile> config and
inspects ByteNess Keychain metadata for newrelic-cli/<profile>/api_key
- keep config/state hermetic while restoring HOME only for real macOS
Keychain default-keychain discovery

## Verification
- go list -m github.com/open-cli-collective/cli-common
- go mod tidy -diff
- go test ./internal/keychain
- NRQ_KEYCHAIN_METADATA_TEST=1 go test ./internal/keychain -run
TestKeychainMetadataGated -count=1 -v
- go test ./...
- make test
- make verify

Closes #131
@rianjs rianjs mentioned this pull request Jun 20, 2026
Merged
rianjs added a commit to open-cli-collective/slack-chat-api that referenced this pull request Jun 20, 2026
@rianjs
test: cover slack keychain metadata (#189)
1ba4277 
## Summary
- bump cli-common to the immutable pseudo-version containing
open-cli-collective/cli-common#64
- add a Darwin+cgo gated empirical test for slck Keychain metadata
- seed stale metadata for both bot_token and user_token, then verify the
adapter overwrite path repairs concrete labels/descriptions

## Verification
- go list -m github.com/open-cli-collective/cli-common
- go mod tidy -diff
- go test ./internal/keychain
- SLCK_KEYCHAIN_METADATA_TEST=1 go test ./internal/keychain -run
TestKeychainMetadataGated -count=1 -v
- go test ./...
- make test
- make verify

Closes #188
@rianjs rianjs mentioned this pull request Jun 20, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@monit-reviewer monit-reviewer monit-reviewer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

credstore: empty keychain item Label produces confusing "" in macOS auth prompt

2 participants

@rianjs @monit-reviewer