import assert from "node:assert/strict"; import test from "node:test"; import { assertDestructiveDbAllowed } from "./destructive-db-guard.js"; import { assertCapaKrakenDbTarget, assertSafeSeedTarget } from "./safe-destructive-env.js"; const ORIGINAL_ENV = { ...process.env }; function setEnv(values: Record) { process.env = { ...ORIGINAL_ENV }; for (const [key, value] of Object.entries(values)) { if (value === undefined) { delete process.env[key]; continue; } process.env[key] = value; } } test.afterEach(() => { process.env = { ...ORIGINAL_ENV }; }); test("assertDestructiveDbAllowed allows an explicitly confirmed disposable capakraken test database", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_test", ALLOW_DESTRUCTIVE_DB_TOOLS: "true", CONFIRM_DESTRUCTIVE_DB_NAME: "capakraken_test", }); const target = assertDestructiveDbAllowed({ commandName: "db:test", allowedDatabaseNames: ["capakraken_test"], }); assert.equal(target.databaseName, "capakraken_test"); assert.equal(target.hostname, "localhost"); }); test("assertDestructiveDbAllowed rejects protected live database names even if allowlisted", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken", ALLOW_DESTRUCTIVE_DB_TOOLS: "true", CONFIRM_DESTRUCTIVE_DB_NAME: "capakraken", }); assert.throws( () => assertDestructiveDbAllowed({ commandName: "db:test", allowedDatabaseNames: ["capakraken"], }), /explicitly protected/u, ); }); test("assertDestructiveDbAllowed rejects missing confirmation", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_e2e", ALLOW_DESTRUCTIVE_DB_TOOLS: "true", CONFIRM_DESTRUCTIVE_DB_NAME: "wrong_db", }); assert.throws( () => assertDestructiveDbAllowed({ commandName: "db:test", allowedDatabaseNames: ["capakraken_e2e"], }), /CONFIRM_DESTRUCTIVE_DB_NAME=capakraken_e2e/u, ); }); test("assertDestructiveDbAllowed rejects missing destructive allow flag", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_ci", ALLOW_DESTRUCTIVE_DB_TOOLS: undefined, CONFIRM_DESTRUCTIVE_DB_NAME: "capakraken_ci", }); assert.throws( () => assertDestructiveDbAllowed({ commandName: "db:test", allowedDatabaseNames: ["capakraken_ci"], }), /ALLOW_DESTRUCTIVE_DB_TOOLS=true/u, ); }); test("assertSafeSeedTarget rejects unexpected legacy disposable databases", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/legacy_test", ALLOW_DESTRUCTIVE_DB_TOOLS: "true", CONFIRM_DESTRUCTIVE_DB_NAME: "legacy_test", }); assert.throws( () => assertSafeSeedTarget("db:seed"), /not in the destructive-tool allowlist/u, ); }); test("assertCapaKrakenDbTarget accepts non-destructive capakraken targets", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/capakraken_dev", }); const target = assertCapaKrakenDbTarget("db:seed:holidays"); assert.equal(target.databaseName, "capakraken_dev"); }); test("assertCapaKrakenDbTarget rejects legacy non-capakraken targets", () => { setEnv({ DATABASE_URL: "postgresql://tester:secret@localhost:5432/legacy_non_capakraken", }); assert.throws( () => assertCapaKrakenDbTarget("db:seed:holidays"), /not a valid CapaKraken target/u, ); }); test("assertCapaKrakenDbTarget explains missing env loading clearly", () => { setEnv({ DATABASE_URL: undefined, }); assert.throws( () => assertCapaKrakenDbTarget("db:update:blueprints"), /Run the command through the CapaKraken env wrappers/u, ); });