Skip to content

Env Binding provider smoke and redaction tests #94

Description

@BramVR

Parent: #70

What to build

Add provider smoke tests for Env Binding, starting with the fake provider and leaving an opt-in seam for a real provider later.

The default test must remain safe: no 1Password probing, no broad environment dumps, no secret values in logs, reports, metadata, or SQLite.

Acceptance criteria

  • Fake provider e2e materializes an agent-scoped env bundle only for the prepared run workspace.
  • Required file/key readiness is tested in warn and block modes through the shared Readiness Decision.
  • Fake secret values are redacted from stdout, stderr, JSON report, run metadata, handoff metadata, and state store bytes.
  • Optional live provider tests are gated behind exact env vars and record SKIP unless explicitly configured.
  • Real provider tests, when added, use a single targeted secret contract and never call password managers from the test by default.
  • Cleanup removes materialized env bundles with the managed agent workspace.
  • Docs explain how to run fake provider tests and how a future live provider smoke must be configured.

Blocked by

Cost guardrail

  • Must stay free by default: fake provider tests only. Any real provider smoke must SKIP unless explicitly configured and must not require paid API usage or password-manager automation.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions