package main import ( "os" "strings" "testing" ) func TestSecurityEventIdempotencyRepairMigrationExists(t *testing.T) { payload, err := os.ReadFile("../../migrations/0064_security_event_connection_idempotency_repair.sql") if err != nil { t.Fatalf("read repair migration: %v", err) } sql := string(payload) for _, statement := range []string{ "CREATE TABLE IF NOT EXISTS gateway_security_event_connection_idempotency", "CREATE INDEX IF NOT EXISTS idx_gateway_security_event_connection_idempotency_created", } { if !strings.Contains(sql, statement) { t.Fatalf("repair migration is missing %q", statement) } } } func TestSecurityEventVerificationStateRepairMigrationExists(t *testing.T) { payload, err := os.ReadFile("../../migrations/0065_security_event_verification_state_repair.sql") if err != nil { t.Fatalf("read verification state repair migration: %v", err) } sql := string(payload) for _, statement := range []string{ "ADD COLUMN IF NOT EXISTS stream_status", "ADD COLUMN IF NOT EXISTS created_at", "CREATE TABLE IF NOT EXISTS gateway_security_event_verification_challenges", "CREATE INDEX IF NOT EXISTS idx_gateway_security_event_challenges_expiry", } { if !strings.Contains(sql, statement) { t.Fatalf("verification state repair migration is missing %q", statement) } } } func TestIdentityConfigurationRevisionMigrationDefinesSecretReferencesAndSingleActiveRevision(t *testing.T) { payload, err := os.ReadFile("../../migrations/0067_identity_configuration_revisions.sql") if err != nil { t.Fatal(err) } content := string(payload) for _, required := range []string{ "CREATE TABLE IF NOT EXISTS gateway_identity_configuration_revisions", "machine_credential_ref text", "session_encryption_key_ref text", "WHERE state = 'active'", "CHECK (state IN ('draft','validated','active','superseded','failed'))", } { if !strings.Contains(content, required) { t.Fatalf("identity configuration migration is missing %q", required) } } for _, forbidden := range []string{"machine_secret", "client_secret", "exchange_token text", "onboarding_code text"} { if strings.Contains(strings.ToLower(content), forbidden) { t.Fatalf("identity configuration migration stores forbidden secret field %q", forbidden) } } }