import { describe, expect, it } from 'vitest'; import { createRuntimeAuditLogEntry } from './runtime-audit.js'; describe('createRuntimeAuditLogEntry', (): void => { it('serializes only allowlisted runtime audit metadata', (): void => { const entry = createRuntimeAuditLogEntry({ providerId: 'fleet', operation: 'session.send', outcome: 'succeeded', actorId: 'actor-1', tenantId: 'tenant-1', channelId: 'discord', correlationId: 'correlation-1', resourceId: 'session-1', durationMs: 12, }); expect(entry).toMatchObject({ sessionId: 'runtime:fleet', userId: 'actor-1', level: 'info', category: 'tool_use', content: 'runtime.provider.audit', metadata: { providerId: 'fleet', operation: 'session.send', outcome: 'succeeded', correlationId: 'correlation-1', resourceId: expect.stringMatching(/^sha256:/), durationMs: 12, }, }); expect(JSON.stringify(entry)).not.toContain('approvalRef'); }); it('hashes every resource ID without blocking a runtime audit or persisting its raw value', (): void => { const entry = createRuntimeAuditLogEntry({ providerId: 'fleet', operation: 'session.send', outcome: 'succeeded', actorId: 'actor-1', tenantId: 'tenant-1', channelId: 'discord', correlationId: 'correlation-1', resourceId: 'credential-canary:secret-value', durationMs: 12, }); expect(entry.metadata).toMatchObject({ resourceId: expect.stringMatching(/^sha256:/) }); expect(JSON.stringify(entry)).not.toContain('secret-value'); }); });