package main import ( "os" "strings" "testing" ) func TestSecurityEventIdempotencyRepairMigrationExists(t *testing.T) { payload, err := os.ReadFile("../../migrations/0064_security_event_connection_idempotency_repair.sql") if err != nil { t.Fatalf("read repair migration: %v", err) } sql := string(payload) for _, statement := range []string{ "CREATE TABLE IF NOT EXISTS gateway_security_event_connection_idempotency", "CREATE INDEX IF NOT EXISTS idx_gateway_security_event_connection_idempotency_created", } { if !strings.Contains(sql, statement) { t.Fatalf("repair migration is missing %q", statement) } } } func TestSecurityEventVerificationStateRepairMigrationExists(t *testing.T) { payload, err := os.ReadFile("../../migrations/0065_security_event_verification_state_repair.sql") if err != nil { t.Fatalf("read verification state repair migration: %v", err) } sql := string(payload) for _, statement := range []string{ "ADD COLUMN IF NOT EXISTS stream_status", "ADD COLUMN IF NOT EXISTS created_at", "CREATE TABLE IF NOT EXISTS gateway_security_event_verification_challenges", "CREATE INDEX IF NOT EXISTS idx_gateway_security_event_challenges_expiry", } { if !strings.Contains(sql, statement) { t.Fatalf("verification state repair migration is missing %q", statement) } } } func TestIdentityConfigurationRevisionMigrationDefinesSecretReferencesAndSingleActiveRevision(t *testing.T) { payload, err := os.ReadFile("../../migrations/0067_identity_configuration_revisions.sql") if err != nil { t.Fatal(err) } content := string(payload) for _, required := range []string{ "CREATE TABLE IF NOT EXISTS gateway_identity_configuration_revisions", "machine_credential_ref text", "session_encryption_key_ref text", "WHERE state = 'active'", "CHECK (state IN ('draft','validated','active','superseded','failed'))", } { if !strings.Contains(content, required) { t.Fatalf("identity configuration migration is missing %q", required) } } for _, forbidden := range []string{"machine_secret", "client_secret", "exchange_token text", "onboarding_code text"} { if strings.Contains(strings.ToLower(content), forbidden) { t.Fatalf("identity configuration migration stores forbidden secret field %q", forbidden) } } } func TestIdentityOnboardingExchangeMigrationStoresOnlySecretReferences(t *testing.T) { payload, err := os.ReadFile("../../migrations/0068_identity_onboarding_exchanges.sql") if err != nil { t.Fatal(err) } content := strings.ToLower(string(payload)) for _, required := range []string{ "create table if not exists gateway_identity_onboarding_exchanges", "exchange_token_ref text not null", "security_event_configuration_url text", } { if !strings.Contains(content, required) { t.Fatalf("identity onboarding migration is missing %q", required) } } for _, forbidden := range []string{"exchange_token text", "onboarding_code", "client_secret", "machine_secret"} { if strings.Contains(content, forbidden) { t.Fatalf("identity onboarding migration stores forbidden secret field %q", forbidden) } } }