From 01e443755ce3ae8cb4a09c0bb97dfe356a565c68 Mon Sep 17 00:00:00 2001
From: Vincent Koc
Date: Tue, 7 Apr 2026 09:01:45 +0100
Subject: [PATCH] perf(secrets): isolate secretref docs matrix checks
---
 src/secrets/channel-contract-api.ts | 5 +--
 src/secrets/target-registry.docs.test.ts | 37 +++++++++++++++++++----
 src/secrets/unsupported-surface-policy.ts | 22 ++++----------
 3 files changed, 38 insertions(+), 26 deletions(-)
diff --git a/src/secrets/channel-contract-api.ts b/src/secrets/channel-contract-api.ts
index 2cdcef6ac33..ffe5c2e894a 100644
--- a/src/secrets/channel-contract-api.ts
+++ b/src/secrets/channel-contract-api.ts
@@ -80,8 +80,5 @@ export type BundledChannelSecurityContractApi = Pick<
 export function loadBundledChannelSecurityContractApi(
 channelId: string,
 ): BundledChannelSecurityContractApi | undefined {
- return loadBundledChannelPublicArtifact(channelId, [
- "security-contract-api.js",
- "contract-api.js",
- ]);
+ return loadBundledChannelPublicArtifact(channelId, ["security-contract-api.js"]);
 }
diff --git a/src/secrets/target-registry.docs.test.ts b/src/secrets/target-registry.docs.test.ts
index 1ab785642eb..4dea7ae6e88 100644
--- a/src/secrets/target-registry.docs.test.ts
+++ b/src/secrets/target-registry.docs.test.ts
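Review bot: Dropping `"contract-api.js"` from the artifact list means `loadBundledChannelSecurityContractApi` presumably returns `undefined` for any bundled channel that ships no `security-contract-api.js`, and the later hunks in `unsupported-surface-policy.ts` (`collectChannelUnsupportedSecretRefSurfacePatterns` and `collectUnsupportedSecretRefConfigCandidates`) remove the `getBootstrapChannelPlugin` fallback, so such a channel now contributes no patterns and no candidates. For a policy that lists where SecretRefs are unsupported this fails open and silently, in a commit labelled `perf`. A test asserting that every bundled channel id resolves a contract would make the narrowing explicit, as would a doc comment on the loader such as `/** Loads security-contract-api.js only; a channel without it contributes no unsupported-SecretRef patterns. */`. The artifact loader itself is outside this hunk, so whether it has another fallback cannot be seen here.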
@@ -1,10 +1,35 @@
+import { execFileSync } from "node:child_process";
 import fs from "node:fs";
 import path from "node:path";
 import { describe, expect, it } from "vitest";
-import {
- buildSecretRefCredentialMatrix,
- type SecretRefCredentialMatrixDocument,
-} from "./credential-matrix.js";
+import type { SecretRefCredentialMatrixDocument } from "./credential-matrix.js";
+
+function buildSecretRefCredentialMatrixJson(): string {
+ const childEnv = { ...process.env };
+ delete childEnv.NODE_OPTIONS;
+ delete childEnv.VITEST;
+ delete childEnv.VITEST_MODE;
+ delete childEnv.VITEST_POOL_ID;
+ delete childEnv.VITEST_WORKER_ID;
+
+ return execFileSync(
+ process.execPath,
+ [
+ "--import",
+ "tsx",
+ "--input-type=module",
+ "-e",
+ `import { buildSecretRefCredentialMatrix } from "./src/secrets/credential-matrix.ts";
+process.stdout.write(\`\${JSON.stringify(buildSecretRefCredentialMatrix(), null, 2)}\\n\`);`,
+ ],
+ {
+ cwd: process.cwd(),
+ encoding: "utf8",
+ env: childEnv,
+ maxBuffer: 10 * 1024 * 1024,
+ },
+ );
+}
 describe("secret target registry docs", () => {
 it("stays in sync with docs/reference/secretref-user-supplied-credentials-matrix.json", () => {
@@ -15,9 +40,9 @@ describe("secret target registry docs", () => {
 "secretref-user-supplied-credentials-matrix.json",
 );
 const raw = fs.readFileSync(pathname, "utf8");
- const parsed = JSON.parse(raw) as unknown;
+ const expected = buildSecretRefCredentialMatrixJson();
- expect(parsed).toEqual(buildSecretRefCredentialMatrix());
+ expect(raw).toBe(expected);
 });
 it("stays in sync with docs/reference/secretref-credential-surface.md", () => {
diff --git a/src/secrets/unsupported-surface-policy.ts b/src/secrets/unsupported-surface-policy.ts
index 7e0716ec34e..358653f46ef 100644
--- a/src/secrets/unsupported-surface-policy.ts
+++ b/src/secrets/unsupported-surface-policy.ts
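Review bot: `execFileSync` in `buildSecretRefCredentialMatrixJson` is called without a `timeout`, and because the call blocks the worker synchronously the test runner's own timeout likely cannot interrupt a child that hangs; adding `timeout: 60_000,` (value to taste) next to `maxBuffer` bounds it. The inline script imports `./src/secrets/credential-matrix.ts` relative to `process.cwd()`, so the test only passes when started from the repository root; deriving the path from `import.meta.url` would remove that assumption. The child inherits everything else in `process.env`, so a comment above the `delete` lines would help, e.g. `// Strip runner-specific variables so the child builds the matrix outside the vitest process.`, which is my reading of the intent and should be confirmed.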
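Review bot: `expect(raw).toBe(expected)` compares bytes where the old assertion compared parsed JSON, so a checkout with CRLF line endings or a formatter touching the docs file fails the test even though the matrix content is unchanged. If byte-exact output is the intent, say so with a comment such as `// Byte-exact: the docs file must be the generator's output, including the trailing newline.`; otherwise normalise first with `raw.replace(/\r\n/g, "\n")`. The `it` body begins above this hunk, so how `pathname` is built is not visible here.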
@@ -1,5 +1,4 @@
-import { getBootstrapChannelPlugin } from "../channels/plugins/bootstrap-registry.js";
-import { listBundledPluginMetadata } from "../plugins/bundled-plugin-metadata.js";
+import { loadPluginManifestRegistry } from "../plugins/manifest-registry.js";
 import { isRecord } from "../utils.js";
 import { loadBundledChannelSecurityContractApi } from "./channel-contract-api.js";
@@ -14,10 +13,9 @@ const CORE_UNSUPPORTED_SECRETREF_SURFACE_PATTERNS = [
 function listBundledChannelIds(): string[] {
 return [
 ...new Set(
- listBundledPluginMetadata({
- includeChannelConfigs: false,
- includeSyntheticChannelConfigs: false,
- }).flatMap((entry) => entry.manifest.channels ?? []),
+ loadPluginManifestRegistry({})
+ .plugins.filter((entry) => entry.origin === "bundled")
+ .flatMap((entry) => entry.channels),
 ),
 ].toSorted((left, right) => left.localeCompare(right));
 }
@@ -26,11 +24,7 @@ function collectChannelUnsupportedSecretRefSurfacePatterns(): string[] {
 const patterns: string[] = [];
 for (const channelId of listBundledChannelIds()) {
 const contract = loadBundledChannelSecurityContractApi(channelId);
- patterns.push(
- ...(contract?.unsupportedSecretRefSurfacePatterns ??
- getBootstrapChannelPlugin(channelId)?.secrets?.unsupportedSecretRefSurfacePatterns ??
- []),
- );
+ patterns.push(...(contract?.unsupportedSecretRefSurfacePatterns ?? []));
 }
 return patterns;
 }
@@ -96,11 +90,7 @@ export function collectUnsupportedSecretRefConfigCandidates(
 if (isRecord(raw.channels)) {
 for (const channelId of Object.keys(raw.channels)) {
 const contract = loadBundledChannelSecurityContractApi(channelId);
- const channelCandidates =
- contract?.collectUnsupportedSecretRefConfigCandidates?.(raw) ??
- getBootstrapChannelPlugin(
- channelId,
- )?.secrets?.collectUnsupportedSecretRefConfigCandidates?.(raw);
+ const channelCandidates = contract?.collectUnsupportedSecretRefConfigCandidates?.(raw);
 if (!channelCandidates?.length) {
 continue;
 }
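Review bot: In `listBundledChannelIds`, `loadPluginManifestRegistry({})` appears to load manifests of every origin before `entry.origin === "bundled"` selects the bundled ones, so the set of channels feeding the unsupported-SecretRef policy now depends on how the registry labels origins. A comment stating that assumption would help, e.g. `// Bundled origin only: the security contract loader resolves bundled artifacts.` The old expression guarded with `?? []` while `.flatMap((entry) => entry.channels)` does not, which is safe only if the registry always normalises `channels` to an array; otherwise `undefined` would reach `localeCompare`. Neither the registry's options nor its return type are visible in this hunk.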