Parent: #70
What to build
Add provider smoke tests for Env Binding, starting with the fake provider and leaving an opt-in seam for a real provider later.
The default test must remain safe: no 1Password probing, no broad environment dumps, no secret values in logs, reports, metadata, or SQLite.
Acceptance criteria
- Fake provider e2e materializes an agent-scoped env bundle only for the prepared run workspace.
- Required file/key readiness is tested in warn and block modes through the shared Readiness Decision.
- Fake secret values are redacted from stdout, stderr, JSON report, run metadata, handoff metadata, and state store bytes.
- Optional live provider tests are gated behind exact env vars and record SKIP unless explicitly configured.
- Real provider tests, when added, use a single targeted secret contract and never call password managers from the test by default.
- Cleanup removes materialized env bundles with the managed agent workspace.
- Docs explain how to run fake provider tests and how a future live provider smoke must be configured.
Blocked by
Cost guardrail
- Must stay free by default: fake provider tests only. Any real provider smoke must SKIP unless explicitly configured and must not require paid API usage or password-manager automation.
Parent: #70
What to build
Add provider smoke tests for Env Binding, starting with the fake provider and leaving an opt-in seam for a real provider later.
The default test must remain safe: no 1Password probing, no broad environment dumps, no secret values in logs, reports, metadata, or SQLite.
Acceptance criteria
Blocked by
Cost guardrail