perf(secrets): isolate secretref docs matrix checks

2026-04-12 01:31:08 +00:00 · 2026-04-07 09:01:45 +01:00
parent 7b53b00009
commit 01e443755c
3 changed files with 38 additions and 26 deletions
--- a/src/secrets/channel-contract-api.ts
+++ b/src/secrets/channel-contract-api.ts
@@ -80,8 +80,5 @@ export type BundledChannelSecurityContractApi = Pick<
 export function loadBundledChannelSecurityContractApi(
  channelId: string,
 ): BundledChannelSecurityContractApi | undefined {
-  return loadBundledChannelPublicArtifact(channelId, [
-    "security-contract-api.js",
-    "contract-api.js",
-  ]);
+  return loadBundledChannelPublicArtifact(channelId, ["security-contract-api.js"]);
 }
--- a/src/secrets/target-registry.docs.test.ts
+++ b/src/secrets/target-registry.docs.test.ts
@@ -1,10 +1,35 @@
+import { execFileSync } from "node:child_process";
 import fs from "node:fs";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
-import {
-  buildSecretRefCredentialMatrix,
-  type SecretRefCredentialMatrixDocument,
-} from "./credential-matrix.js";
+import type { SecretRefCredentialMatrixDocument } from "./credential-matrix.js";
+
+function buildSecretRefCredentialMatrixJson(): string {
+  const childEnv = { ...process.env };
+  delete childEnv.NODE_OPTIONS;
+  delete childEnv.VITEST;
+  delete childEnv.VITEST_MODE;
+  delete childEnv.VITEST_POOL_ID;
+  delete childEnv.VITEST_WORKER_ID;
+
+  return execFileSync(
+    process.execPath,
+    [
+      "--import",
+      "tsx",
+      "--input-type=module",
+      "-e",
+      `import { buildSecretRefCredentialMatrix } from "./src/secrets/credential-matrix.ts";
+process.stdout.write(\`\${JSON.stringify(buildSecretRefCredentialMatrix(), null, 2)}\\n\`);`,
+    ],
+    {
+      cwd: process.cwd(),
+      encoding: "utf8",
+      env: childEnv,
+      maxBuffer: 10 * 1024 * 1024,
+    },
+  );
+}

 describe("secret target registry docs", () => {
  it("stays in sync with docs/reference/secretref-user-supplied-credentials-matrix.json", () => {
@@ -15,9 +40,9 @@ describe("secret target registry docs", () => {
      "secretref-user-supplied-credentials-matrix.json",
    );
    const raw = fs.readFileSync(pathname, "utf8");
-    const parsed = JSON.parse(raw) as unknown;
+    const expected = buildSecretRefCredentialMatrixJson();

-    expect(parsed).toEqual(buildSecretRefCredentialMatrix());
+    expect(raw).toBe(expected);
  });

  it("stays in sync with docs/reference/secretref-credential-surface.md", () => {
--- a/src/secrets/unsupported-surface-policy.ts
+++ b/src/secrets/unsupported-surface-policy.ts
@@ -1,5 +1,4 @@
-import { getBootstrapChannelPlugin } from "../channels/plugins/bootstrap-registry.js";
-import { listBundledPluginMetadata } from "../plugins/bundled-plugin-metadata.js";
+import { loadPluginManifestRegistry } from "../plugins/manifest-registry.js";
 import { isRecord } from "../utils.js";
 import { loadBundledChannelSecurityContractApi } from "./channel-contract-api.js";

@@ -14,10 +13,9 @@ const CORE_UNSUPPORTED_SECRETREF_SURFACE_PATTERNS = [
 function listBundledChannelIds(): string[] {
  return [
    ...new Set(
-      listBundledPluginMetadata({
-        includeChannelConfigs: false,
-        includeSyntheticChannelConfigs: false,
-      }).flatMap((entry) => entry.manifest.channels ?? []),
+      loadPluginManifestRegistry({})
+        .plugins.filter((entry) => entry.origin === "bundled")
+        .flatMap((entry) => entry.channels),
    ),
  ].toSorted((left, right) => left.localeCompare(right));
 }
@@ -26,11 +24,7 @@ function collectChannelUnsupportedSecretRefSurfacePatterns(): string[] {
  const patterns: string[] = [];
  for (const channelId of listBundledChannelIds()) {
    const contract = loadBundledChannelSecurityContractApi(channelId);
-    patterns.push(
-      ...(contract?.unsupportedSecretRefSurfacePatterns ??
-        getBootstrapChannelPlugin(channelId)?.secrets?.unsupportedSecretRefSurfacePatterns ??
-        []),
-    );
+    patterns.push(...(contract?.unsupportedSecretRefSurfacePatterns ?? []));
  }
  return patterns;
 }
@@ -96,11 +90,7 @@ export function collectUnsupportedSecretRefConfigCandidates(
  if (isRecord(raw.channels)) {
    for (const channelId of Object.keys(raw.channels)) {
      const contract = loadBundledChannelSecurityContractApi(channelId);
-      const channelCandidates =
-        contract?.collectUnsupportedSecretRefConfigCandidates?.(raw) ??
-        getBootstrapChannelPlugin(
-          channelId,
-        )?.secrets?.collectUnsupportedSecretRefConfigCandidates?.(raw);
+      const channelCandidates = contract?.collectUnsupportedSecretRefConfigCandidates?.(raw);
      if (!channelCandidates?.length) {
        continue;
      }