守住 Market Intel seed token 不外洩

2026-05-13 15:51:49 +08:00
parent 73bbc4574c
commit 490336a764
1 changed files with 37 additions and 0 deletions
--- a/tests/test_market_intel_skeleton.py
+++ b/tests/test_market_intel_skeleton.py
@@ -4,6 +4,7 @@ import subprocess
 import sys
 from pathlib import Path

+from flask import Flask
 from sqlalchemy import create_engine, text

 from database.manager import Base
@@ -788,6 +789,42 @@ def test_seed_writer_cli_status_blocks_real_write():
    assert status["safety_contract"]["uses_core_connection_not_orm_session"] is True


+def test_seed_writer_cli_status_route_never_leaks_approval_token(monkeypatch):
+    from routes.market_intel_routes import market_intel_bp
+
+    monkeypatch.setenv("MARKET_INTEL_SEED_WRITE_APPROVAL", TEST_APPROVAL_TOKEN)
+
+    app = Flask(__name__)
+    app.secret_key = "test-secret"
+    app.register_blueprint(market_intel_bp)
+    client = app.test_client()
+    with client.session_transaction() as session:
+        session["logged_in"] = True
+
+    response = client.get("/api/market_intel/seed_writer_cli_status?execute=true&platform=all")
+    data = response.get_json()
+    payload = json.dumps(data, ensure_ascii=False, sort_keys=True)
+
+    assert response.status_code == 200
+    assert data["mode"] == "seed_writer_cli_blocked"
+    assert data["execute_requested"] is True
+    assert data["apply_real_write_requested"] is False
+    assert data["approval_token_present"] is False
+    assert data["approval_token_valid"] is False
+    assert data["approval_token_secret_configured"] is True
+    assert data["ready_for_real_write"] is False
+    assert data["writes_executed"] is False
+    assert data["would_write_database"] is False
+    assert data["database_session_created"] is False
+    assert data["database_commit_executed"] is False
+    assert "approval_token_present" in data["blocked_reasons"]
+    assert "approval_token_valid" in data["blocked_reasons"]
+    assert "apply_real_write_requested" in data["blocked_reasons"]
+    assert "approval_token_hint" not in payload
+    assert TEST_APPROVAL_TOKEN not in payload
+    assert "APPROVED_MARKET_INTEL_SEED_WRITE" not in payload
+
+
 def test_seed_writer_cli_real_write_sqlite_upserts_seed_rows():
    engine = create_engine("sqlite:///:memory:")
    with engine.begin() as conn: