feat: mută secretele Discord/Telegram din TOML în .env

TOML-urile din configs/ rămân 100% calibrare — safe to commit. Secretele (ATM_DISCORD_URL, ATM_TG_TOKEN, ATM_TG_CHAT) trăiesc în .env la rădăcină (ignored), cu loader stdlib (shell wins peste file). Validare fail-fast pentru env lipsă, placeholder REPLACE_ME, chat_id non-numeric. Include .env.example + secţiune README §Secrets. Tests: 19 noi (env loader + missing-env + placeholder + chat_id + regression post-migrate snapshot). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 09:37:24 +03:00
parent 9e8cbafbd4
commit 9c44eb6e31
14 changed files with 610 additions and 33 deletions
--- a/tests/test_calibrate.py
+++ b/tests/test_calibrate.py
@@ -6,6 +6,13 @@ from pathlib import Path
 import pytest


+@pytest.fixture(autouse=True)
+def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook")
+    monkeypatch.setenv("ATM_TG_TOKEN", "123:abc")
+    monkeypatch.setenv("ATM_TG_CHAT", "456")
+
+
 def _minimal_config_data() -> dict:
    return {
        "window_title": "Test Chart",
@@ -26,8 +33,6 @@ def _minimal_config_data() -> dict:
            "baseline_phash": "abc123",
            "drift_threshold": 8,
        },
-        "discord": {"webhook_url": "http://example.com/hook"},
-        "telegram": {"bot_token": "123:abc", "chat_id": "456"},
    }


@@ -55,6 +60,16 @@ def test_write_config_and_marker(tmp_path: Path) -> None:
    assert cfg2.window_title == cfg.window_title


+def test_write_config_omits_secrets(tmp_path: Path) -> None:
+    """Calibration output must NOT contain Discord/Telegram secret fields."""
+    from atm.calibrate import write_config
+
+    config_path = write_config(_minimal_config_data(), tmp_path)
+    text = config_path.read_text(encoding="utf-8")
+    for marker in ("[discord]", "[telegram]", "webhook_url", "bot_token", "chat_id"):
+        assert marker not in text, f"calibrated TOML leaked secret marker: {marker}"
+
+
 def test_import_safe() -> None:
    """Importing atm.calibrate must succeed in a headless environment (no tkinter at top-level)."""
    import importlib  # noqa: F401
--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -1,6 +1,8 @@
 """Tests for atm.config — focused on attach_screenshots parsing (legacy bool vs new dict)."""
 from __future__ import annotations

+import pytest
+
 from atm.config import AlertsCfg, Config


@@ -23,11 +25,17 @@ _BASE = {
        "baseline_phash": "0" * 16,
        "drift_threshold": 8,
    },
-    "discord": {"webhook_url": "https://example.com/hook"},
-    "telegram": {"bot_token": "tok", "chat_id": "123"},
 }


+@pytest.fixture(autouse=True)
+def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None:
+    """Provide valid Discord/Telegram env vars for every test in this module."""
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook")
+    monkeypatch.setenv("ATM_TG_TOKEN", "123:tok")
+    monkeypatch.setenv("ATM_TG_CHAT", "123")
+
+
 def _with_opts(opts: dict) -> dict:
    d = {k: v for k, v in _BASE.items()}
    d["options"] = opts
@@ -153,3 +161,119 @@ def test_operating_hours_invalid_weekday_raises_valueerror() -> None:
        Config._from_dict(_with_opts({
            "operating_hours": {"enabled": True, "weekdays": ["XYZ"]},
        }))
+
+
+# ---------------------------------------------------------------------------
+# Secrets migration: Discord + Telegram creds live in env vars, not TOML
+# ---------------------------------------------------------------------------
+
+def test_missing_discord_url_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.delenv("ATM_DISCORD_URL", raising=False)
+    with pytest.raises(ValueError, match="ATM_DISCORD_URL"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_missing_tg_token_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.delenv("ATM_TG_TOKEN", raising=False)
+    with pytest.raises(ValueError, match="ATM_TG_TOKEN"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_missing_tg_chat_raises(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.delenv("ATM_TG_CHAT", raising=False)
+    with pytest.raises(ValueError, match="ATM_TG_CHAT"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_placeholder_webhook_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://discord.com/api/webhooks/REPLACE_ME")
+    with pytest.raises(ValueError, match="placeholder"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_placeholder_token_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_TG_TOKEN", "REPLACE_ME")
+    with pytest.raises(ValueError, match="placeholder"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_chat_id_non_numeric_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_TG_CHAT", "abc123")
+    with pytest.raises(ValueError, match="chat_id"):
+        Config._from_dict(_with_opts({}))
+
+
+def test_chat_id_negative_groups_accepted(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("ATM_TG_CHAT", "-5108062256")
+    cfg = Config._from_dict(_with_opts({}))
+    assert cfg.telegram.chat_id == "-5108062256"
+
+
+def test_telegram_section_optional() -> None:
+    """TOML without [telegram] still loads; secrets come from env; options use defaults."""
+    data = {k: v for k, v in _BASE.items()}
+    cfg = Config._from_dict(data)
+    assert cfg.telegram.bot_token == "123:tok"
+    assert cfg.telegram.chat_id == "123"
+    assert cfg.telegram.poll_timeout_s == 30
+    assert cfg.telegram.auto_poll_interval_s == 180
+    assert cfg.telegram.allowed_chat_ids == ("123",)
+
+
+def test_telegram_non_secret_keys_from_toml() -> None:
+    data = {k: v for k, v in _BASE.items()}
+    data["telegram"] = {
+        "poll_timeout_s": 42,
+        "auto_poll_interval_s": 999,
+        "allowed_chat_ids": ["123", "456"],
+    }
+    cfg = Config._from_dict(data)
+    assert cfg.telegram.poll_timeout_s == 42
+    assert cfg.telegram.auto_poll_interval_s == 999
+    assert cfg.telegram.allowed_chat_ids == ("123", "456")
+
+
+def test_regression_post_migration_load(
+    tmp_path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    """Loading a real post-migrate TOML (no [discord]/[telegram] secrets) works.
+
+    IRON RULE: prevents re-regression of the secret-in-TOML pattern.
+    """
+    fixture = tmp_path / "post_migration_sample.toml"
+    fixture.write_text(
+        'window_title = "X"\n'
+        "\n"
+        "[dot_roi]\nx=0\ny=0\nw=10\nh=10\n"
+        "[chart_roi]\nx=0\ny=0\nw=100\nh=100\n"
+        "[colors.turquoise]\nrgb=[0,253,253]\ntolerance=60.0\n"
+        "[colors.yellow]\nrgb=[253,253,0]\ntolerance=60.0\n"
+        "[colors.dark_green]\nrgb=[0,122,0]\ntolerance=60.0\n"
+        "[colors.dark_red]\nrgb=[128,0,0]\ntolerance=60.0\n"
+        "[colors.light_green]\nrgb=[0,255,0]\ntolerance=60.0\n"
+        "[colors.light_red]\nrgb=[255,0,0]\ntolerance=60.0\n"
+        "[colors.gray]\nrgb=[128,128,128]\ntolerance=60.0\n"
+        "[colors.background]\nrgb=[0,0,0]\ntolerance=25.0\n"
+        "[y_axis]\np1_y=100\np1_price=485.0\np2_y=200\np2_price=484.0\n"
+        "[canary]\nbaseline_phash=\"abc\"\ndrift_threshold=8\n"
+        "[canary.roi]\nx=0\ny=0\nw=10\nh=10\n"
+        "[telegram]\npoll_timeout_s=30\nauto_poll_interval_s=180\n"
+        "[options]\ndebounce_depth=1\nloop_interval_s=5.0\n",
+        encoding="utf-8",
+    )
+    monkeypatch.setenv("ATM_DISCORD_URL", "https://disc.example/x")
+    monkeypatch.setenv("ATM_TG_TOKEN", "999:tok")
+    monkeypatch.setenv("ATM_TG_CHAT", "-42")
+    cfg = Config.load(fixture)
+    # Secrets sourced from env
+    assert cfg.discord.webhook_url == "https://disc.example/x"
+    assert cfg.telegram.bot_token == "999:tok"
+    assert cfg.telegram.chat_id == "-42"
+    # Non-secret telegram keys sourced from TOML
+    assert cfg.telegram.poll_timeout_s == 30
+    # Calibration values sourced from TOML
+    assert cfg.colors["turquoise"].rgb == (0, 253, 253)
+    # TOML does not contain any of the secret markers
+    text = fixture.read_text(encoding="utf-8")
+    for marker in ("webhook_url", "bot_token", "chat_id"):
+        assert marker not in text, f"TOML still contains secret marker: {marker}"
--- a/tests/test_env_loader.py
+++ b/tests/test_env_loader.py
@@ -0,0 +1,104 @@
+"""Tests for the minimal .env loader (stdlib, no python-dotenv)."""
+from __future__ import annotations
+
+from pathlib import Path
+
+import pytest
+
+from atm.config import _find_env_file, _load_env_file
+
+
+def test_no_file_returns_none(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.chdir(tmp_path)
+    assert _find_env_file() is None
+
+
+def test_finds_env_in_root(tmp_path: Path) -> None:
+    (tmp_path / "pyproject.toml").write_text("", encoding="utf-8")
+    (tmp_path / ".env").write_text("X=1\n", encoding="utf-8")
+    sub = tmp_path / "sub" / "deeper"
+    sub.mkdir(parents=True)
+    found = _find_env_file(sub)
+    assert found == (tmp_path / ".env").resolve()
+
+
+def test_pyproject_sentinel_stops_walk(tmp_path: Path) -> None:
+    (tmp_path / "pyproject.toml").write_text("", encoding="utf-8")
+    sub = tmp_path / "sub"
+    sub.mkdir()
+    assert _find_env_file(sub) is None
+
+
+def test_parses_simple_kv(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    for k in ("A", "B", "C"):
+        monkeypatch.delenv(k, raising=False)
+    env = tmp_path / ".env"
+    env.write_text(
+        "# comment\n"
+        "\n"
+        "A=1\n"
+        "B=hello world\n"
+        "   # indented comment\n"
+        "C=with=equals=in=value\n",
+        encoding="utf-8",
+    )
+    loaded, overridden = _load_env_file(env)
+    assert loaded == 3
+    assert overridden == 0
+    import os
+    assert os.environ["A"] == "1"
+    assert os.environ["B"] == "hello world"
+    assert os.environ["C"] == "with=equals=in=value"
+
+
+def test_parses_quoted_values(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    for k in ("SQ", "DQ"):
+        monkeypatch.delenv(k, raising=False)
+    env = tmp_path / ".env"
+    env.write_text("SQ='abc'\nDQ=\"def\"\n", encoding="utf-8")
+    _load_env_file(env)
+    import os
+    assert os.environ["SQ"] == "abc"
+    assert os.environ["DQ"] == "def"
+
+
+def test_handles_crlf_and_whitespace(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
+) -> None:
+    for k in ("K1", "K2"):
+        monkeypatch.delenv(k, raising=False)
+    env = tmp_path / ".env"
+    env.write_bytes(b"K1=v1\r\n  K2 = v2  \r\n")
+    _load_env_file(env)
+    import os
+    assert os.environ["K1"] == "v1"
+    assert os.environ["K2"] == "v2"
+
+
+def test_shell_env_wins(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setenv("SHELLWINS", "from_shell")
+    env = tmp_path / ".env"
+    env.write_text("SHELLWINS=from_file\nOTHER=x\n", encoding="utf-8")
+    monkeypatch.delenv("OTHER", raising=False)
+    loaded, overridden = _load_env_file(env)
+    import os
+    assert os.environ["SHELLWINS"] == "from_shell"
+    assert os.environ["OTHER"] == "x"
+    assert loaded == 1
+    assert overridden == 1
+
+
+def test_malformed_line_raises_with_lineno(tmp_path: Path) -> None:
+    env = tmp_path / ".env"
+    env.write_text("A=1\nOOPSNOEQUALS\n", encoding="utf-8")
+    with pytest.raises(ValueError, match=":2:"):
+        _load_env_file(env)
+
+
+def test_missing_path_is_noop() -> None:
+    assert _load_env_file(None) == (0, 0)
+    assert _load_env_file(Path("/nonexistent/does-not-exist-xyz")) == (0, 0)