(t *testing.T)
| 1053 | func (e *stubPullError) ModelPullErrorSummary() string { return e.summary } |
| 1054 | |
| 1055 | func TestProviderAPIKeyEnvVars(t *testing.T) { |
| 1056 | t.Parallel() |
| 1057 | |
| 1058 | vars := ProviderAPIKeyEnvVars() |
| 1059 | |
| 1060 | // Sorted and deduplicated for reproducibility. |
| 1061 | assert.True(t, slices.IsSorted(vars), "env vars must be sorted, got %v", vars) |
| 1062 | assert.Equal(t, slices.Compact(slices.Clone(vars)), vars, "env vars must be deduplicated") |
| 1063 | |
| 1064 | // The dedicated single-secret model API keys must be present. |
| 1065 | for _, name := range []string{ |
| 1066 | "OPENAI_API_KEY", |
| 1067 | "ANTHROPIC_API_KEY", |
| 1068 | "GOOGLE_API_KEY", |
| 1069 | "MISTRAL_API_KEY", |
| 1070 | "OPENROUTER_API_KEY", |
| 1071 | "XAI_API_KEY", |
| 1072 | "NEBIUS_API_KEY", |
| 1073 | } { |
| 1074 | assert.Contains(t, vars, name) |
| 1075 | } |
| 1076 | |
| 1077 | // Non-secret detection/mode flags and multi-variable credential sets must |
| 1078 | // never be exposed as forwardable API keys. |
| 1079 | for _, name := range []string{ |
| 1080 | "GOOGLE_GENAI_USE_VERTEXAI", |
| 1081 | "GEMINI_API_KEY", |
| 1082 | "AWS_ACCESS_KEY_ID", |
| 1083 | "AWS_PROFILE", |
| 1084 | "AWS_ROLE_ARN", |
| 1085 | "AWS_BEARER_TOKEN_BEDROCK", |
| 1086 | } { |
| 1087 | assert.NotContains(t, vars, name) |
| 1088 | } |
| 1089 | |
| 1090 | // Broad, general-purpose tokens must not be forwarded as model credentials. |
| 1091 | assert.NotContains(t, vars, "GITHUB_TOKEN") |
| 1092 | } |
nothing calls this directly
no test coverage detected