config: address Phase C #5 review findings (regex schema, file split, tests)

Tighten secret_name schema regex to match the metadata fetcher's
defense-in-depth check so invalid names fail at parse time rather than
crashing at boot inside the fetcher (finding 1). Split loader.test.ts
into loader.test.ts and loader-metadata.test.ts so neither file blows
the 300-line cap by much, with duplicated writeYaml/cleanup helpers and
distinct TEST_DIR paths to avoid races (finding 2). Document the
single as-unknown-as cast at the loader.ts header so future maintainers
know it is the only typed/generic boundary in the file (finding 3).
Add two error-path regression tests to metadata-fetcher.test.ts for
the 304-without-cache server-bug branch and the wrapped network-error
branch (finding 5).

Author: mcheemaa

src/config/__tests__/loader-metadata.test.ts

@@ -0,0 +1,179 @@
+import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { loadConfig } from "../loader.ts";
+
+// Distinct TEST_DIR from loader.test.ts so the two suites cannot race on the
+// same filesystem path when bun runs them in parallel.
+const TEST_DIR = "/tmp/phantom-test-config-metadata";
+
+function writeYaml(filename: string, content: string): string {
+	mkdirSync(TEST_DIR, { recursive: true });
+	const path = `${TEST_DIR}/${filename}`;
+	writeFileSync(path, content);
+	return path;
+}
+
+function cleanup(): void {
+	rmSync(TEST_DIR, { recursive: true, force: true });
+}
+
+describe("loadConfig secret_source", () => {
+	const originalFetch = globalThis.fetch;
+	const savedKey = process.env.ANTHROPIC_API_KEY;
+	const savedToken = process.env.ANTHROPIC_AUTH_TOKEN;
+
+	beforeEach(() => {
+		process.env.ANTHROPIC_API_KEY = undefined;
+		process.env.ANTHROPIC_AUTH_TOKEN = undefined;
+	});
+
+	afterEach(() => {
+		globalThis.fetch = originalFetch;
+		if (savedKey !== undefined) {
+			process.env.ANTHROPIC_API_KEY = savedKey;
+		} else {
+			process.env.ANTHROPIC_API_KEY = undefined;
+		}
+		if (savedToken !== undefined) {
+			process.env.ANTHROPIC_AUTH_TOKEN = savedToken;
+		} else {
+			process.env.ANTHROPIC_AUTH_TOKEN = undefined;
+		}
+		cleanup();
+	});
+
+	test("secret_source defaults to 'env' when omitted from YAML", async () => {
+		const path = writeYaml("default-source.yaml", "name: default-source");
+		const config = await loadConfig(path);
+		expect(config.secret_source).toBe("env");
+		expect(config.secret_source_url).toBeUndefined();
+	});
+
+	test("secret_source: metadata populates ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN from gateway", async () => {
+		// Body deliberately not asserted as a string literal anywhere; we read it
+		// back from process.env and compare to the stub-injected reference.
+		const stubBody = "stub-token-value";
+		globalThis.fetch = mock((url: string | Request) => {
+			expect(String(url)).toBe("http://gateway.test/v1/secrets/provider_token");
+			return Promise.resolve(
+				new Response(stubBody, {
+					status: 200,
+					headers: { "X-Phantom-Rotation-Id": "1" },
+				}),
+			);
+		}) as unknown as typeof fetch;
+
+		const path = writeYaml(
+			"metadata-source.yaml",
+			`
+name: metadata-tenant
+secret_source: metadata
+secret_source_url: http://gateway.test
+`,
+		);
+		await loadConfig(path);
+		expect(process.env.ANTHROPIC_API_KEY).toBe(stubBody);
+		expect(process.env.ANTHROPIC_AUTH_TOKEN).toBe(stubBody);
+	});
+
+	test("secret_source: metadata resolves whole-string ${secret:NAME} references in nested config", async () => {
+		// Use peers.test_peer.token, an existing schema field that accepts an
+		// arbitrary string and is nested. We assert the resolved value via a
+		// non-logging path: read it back from the returned config object.
+		const peerSecret = "peer-secret-payload";
+		globalThis.fetch = mock((url: string | Request) => {
+			const u = String(url);
+			if (u.endsWith("/v1/secrets/provider_token")) {
+				return Promise.resolve(
+					new Response("provider-token-value", { status: 200, headers: { "X-Phantom-Rotation-Id": "1" } }),
+				);
+			}
+			if (u.endsWith("/v1/secrets/peer_token")) {
+				return Promise.resolve(new Response(peerSecret, { status: 200, headers: { "X-Phantom-Rotation-Id": "1" } }));
+			}
+			throw new Error(`unexpected URL in test: ${u}`);
+		}) as unknown as typeof fetch;
+
+		const path = writeYaml(
+			"metadata-walker.yaml",
+			`
+name: walker-tenant
+secret_source: metadata
+secret_source_url: http://gateway.test
+peers:
+  test_peer:
+    url: https://peer.test
+    token: \${secret:peer_token}
+`,
+		);
+		const config = await loadConfig(path);
+		expect(config.peers?.test_peer?.token).toBe(peerSecret);
+	});
+
+	test("secret_source: metadata does NOT resolve partial-string ${secret:NAME} (security invariant)", async () => {
+		// Whole-string-only matching guards against secret leakage via logged
+		// URLs or composed strings. If this test ever fails, the regex changed
+		// in a way that allows partial interpolation, which is a security regression.
+		const partial = "https://peer.test/?token=${secret:peer_token}";
+		globalThis.fetch = mock((url: string | Request) => {
+			const u = String(url);
+			if (u.endsWith("/v1/secrets/provider_token")) {
+				return Promise.resolve(
+					new Response("provider-token-value", { status: 200, headers: { "X-Phantom-Rotation-Id": "1" } }),
+				);
+			}
+			throw new Error(`unexpected URL in test (partial-string should NOT trigger fetch): ${u}`);
+		}) as unknown as typeof fetch;
+
+		const path = writeYaml(
+			"metadata-partial.yaml",
+			`
+name: partial-tenant
+secret_source: metadata
+secret_source_url: http://gateway.test
+peers:
+  test_peer:
+    url: ${partial}
+    token: keep-as-is
+`,
+		);
+		const config = await loadConfig(path);
+		expect(config.peers?.test_peer?.url).toBe(partial);
+		expect(config.peers?.test_peer?.token).toBe("keep-as-is");
+	});
+
+	test("secret_source: metadata surfaces fetch failures as errors that include the secret name", async () => {
+		globalThis.fetch = mock(() =>
+			Promise.resolve(new Response("internal error", { status: 500, statusText: "Internal Server Error" })),
+		) as unknown as typeof fetch;
+
+		const path = writeYaml(
+			"metadata-fail.yaml",
+			`
+name: fail-tenant
+secret_source: metadata
+secret_source_url: http://gateway.test
+`,
+		);
+		await expect(loadConfig(path)).rejects.toThrow(/provider_token/);
+		await expect(loadConfig(path)).rejects.toThrow(/500/);
+	});
+
+	test("invalid provider.secret_name rejects at loadConfig parse time with a schema error", async () => {
+		// Phase C #5 review Finding 1: pinning the regex at the schema level
+		// surfaces bad names at parse time rather than crashing at boot inside
+		// the metadata fetcher. We use secret_source: env so no fetcher is
+		// constructed; the rejection must come from PhantomConfigSchema itself.
+		const path = writeYaml(
+			"bad-secret-name.yaml",
+			`
+name: bad-name-tenant
+provider:
+  type: anthropic
+  secret_name: Bad-Name
+`,
+		);
+		await expect(loadConfig(path)).rejects.toThrow(/Invalid config/);
+		await expect(loadConfig(path)).rejects.toThrow(/secret_name/);
+	});
+});

src/config/__tests__/loader.test.ts

@@ -1,4 +1,4 @@
-import { afterEach, beforeEach, describe, expect, mock, test } from "bun:test";
+import { describe, expect, test } from "bun:test";
 import { mkdirSync, rmSync, writeFileSync } from "node:fs";
 import { loadConfig, loadConfigSync } from "../loader.ts";
 
@@ -495,146 +495,3 @@ name: sync-test
 		}
 	});
 });
-
-describe("loadConfig secret_source", () => {
-	const originalFetch = globalThis.fetch;
-	const savedKey = process.env.ANTHROPIC_API_KEY;
-	const savedToken = process.env.ANTHROPIC_AUTH_TOKEN;
-
-	beforeEach(() => {
-		process.env.ANTHROPIC_API_KEY = undefined;
-		process.env.ANTHROPIC_AUTH_TOKEN = undefined;
-	});
-
-	afterEach(() => {
-		globalThis.fetch = originalFetch;
-		if (savedKey !== undefined) {
-			process.env.ANTHROPIC_API_KEY = savedKey;
-		} else {
-			process.env.ANTHROPIC_API_KEY = undefined;
-		}
-		if (savedToken !== undefined) {
-			process.env.ANTHROPIC_AUTH_TOKEN = savedToken;
-		} else {
-			process.env.ANTHROPIC_AUTH_TOKEN = undefined;
-		}
-		cleanup();
-	});
-
-	test("secret_source defaults to 'env' when omitted from YAML", async () => {
-		const path = writeYaml("default-source.yaml", "name: default-source");
-		const config = await loadConfig(path);
-		expect(config.secret_source).toBe("env");
-		expect(config.secret_source_url).toBeUndefined();
-	});
-
-	test("secret_source: metadata populates ANTHROPIC_API_KEY and ANTHROPIC_AUTH_TOKEN from gateway", async () => {
-		// Body deliberately not asserted as a string literal anywhere; we read it
-		// back from process.env and compare to the stub-injected reference.
-		const stubBody = "stub-token-value";
-		globalThis.fetch = mock((url: string | Request) => {
-			expect(String(url)).toBe("http://gateway.test/v1/secrets/provider_token");
-			return Promise.resolve(
-				new Response(stubBody, {
-					status: 200,
-					headers: { "X-Phantom-Rotation-Id": "1" },
-				}),
-			);
-		}) as unknown as typeof fetch;
-
-		const path = writeYaml(
-			"metadata-source.yaml",
-			`
-name: metadata-tenant
-secret_source: metadata
-secret_source_url: http://gateway.test
-`,
-		);
-		await loadConfig(path);
-		expect(process.env.ANTHROPIC_API_KEY).toBe(stubBody);
-		expect(process.env.ANTHROPIC_AUTH_TOKEN).toBe(stubBody);
-	});
-
-	test("secret_source: metadata resolves whole-string ${secret:NAME} references in nested config", async () => {
-		// Use peers.test_peer.token, an existing schema field that accepts an
-		// arbitrary string and is nested. We assert the resolved value via a
-		// non-logging path: read it back from the returned config object.
-		const peerSecret = "peer-secret-payload";
-		globalThis.fetch = mock((url: string | Request) => {
-			const u = String(url);
-			if (u.endsWith("/v1/secrets/provider_token")) {
-				return Promise.resolve(
-					new Response("provider-token-value", { status: 200, headers: { "X-Phantom-Rotation-Id": "1" } }),
-				);
-			}
-			if (u.endsWith("/v1/secrets/peer_token")) {
-				return Promise.resolve(new Response(peerSecret, { status: 200, headers: { "X-Phantom-Rotation-Id": "1" } }));
-			}
-			throw new Error(`unexpected URL in test: ${u}`);
-		}) as unknown as typeof fetch;
-
-		const path = writeYaml(
-			"metadata-walker.yaml",
-			`
-name: walker-tenant
-secret_source: metadata
-secret_source_url: http://gateway.test
-peers:
-  test_peer:
-    url: https://peer.test
-    token: \${secret:peer_token}
-`,
-		);
-		const config = await loadConfig(path);
-		expect(config.peers?.test_peer?.token).toBe(peerSecret);
-	});
-
-	test("secret_source: metadata does NOT resolve partial-string ${secret:NAME} (security invariant)", async () => {
-		// Whole-string-only matching guards against secret leakage via logged
-		// URLs or composed strings. If this test ever fails, the regex changed
-		// in a way that allows partial interpolation, which is a security regression.
-		const partial = "https://peer.test/?token=${secret:peer_token}";
-		globalThis.fetch = mock((url: string | Request) => {
-			const u = String(url);
-			if (u.endsWith("/v1/secrets/provider_token")) {
-				return Promise.resolve(
-					new Response("provider-token-value", { status: 200, headers: { "X-Phantom-Rotation-Id": "1" } }),
-				);
-			}
-			throw new Error(`unexpected URL in test (partial-string should NOT trigger fetch): ${u}`);
-		}) as unknown as typeof fetch;
-
-		const path = writeYaml(
-			"metadata-partial.yaml",
-			`
-name: partial-tenant
-secret_source: metadata
-secret_source_url: http://gateway.test
-peers:
-  test_peer:
-    url: ${partial}
-    token: keep-as-is
-`,
-		);
-		const config = await loadConfig(path);
-		expect(config.peers?.test_peer?.url).toBe(partial);
-		expect(config.peers?.test_peer?.token).toBe("keep-as-is");
-	});
-
-	test("secret_source: metadata surfaces fetch failures as errors that include the secret name", async () => {
-		globalThis.fetch = mock(() =>
-			Promise.resolve(new Response("internal error", { status: 500, statusText: "Internal Server Error" })),
-		) as unknown as typeof fetch;
-
-		const path = writeYaml(
-			"metadata-fail.yaml",
-			`
-name: fail-tenant
-secret_source: metadata
-secret_source_url: http://gateway.test
-`,
-		);
-		await expect(loadConfig(path)).rejects.toThrow(/provider_token/);
-		await expect(loadConfig(path)).rejects.toThrow(/500/);
-	});
-});

src/config/__tests__/metadata-fetcher.test.ts

@@ -129,4 +129,25 @@ describe("MetadataSecretFetcher", () => {
 		await fetcher.get("a_secret_with_no_special_chars");
 		expect(recordedUrls[0]).toBe("http://gateway.test/v1/secrets/a_secret_with_no_special_chars");
 	});
+
+	test("304 with no cached entry surfaces as an error containing the secret name", async () => {
+		// 304-without-cache is a server bug. Pin the loud-error behaviour so a
+		// future refactor that inverted the `if (!cached)` test would fail here.
+		globalThis.fetch = mock(() => Promise.resolve(new Response(null, { status: 304 }))) as unknown as typeof fetch;
+
+		const fetcher = new MetadataSecretFetcher("http://gateway.test");
+		await expect(fetcher.get("provider_token")).rejects.toThrow(/304/);
+		await expect(fetcher.get("provider_token")).rejects.toThrow(/provider_token/);
+	});
+
+	test("network error from underlying fetch is wrapped with the secret name", async () => {
+		// Transport failures (DNS, ECONNREFUSED, TLS) must be wrapped with the
+		// secret name so the operator can see which fetch call failed without
+		// leaking response bodies (there is no body on a transport error).
+		globalThis.fetch = mock(() => Promise.reject(new Error("ECONNREFUSED"))) as unknown as typeof fetch;
+
+		const fetcher = new MetadataSecretFetcher("http://gateway.test");
+		await expect(fetcher.get("provider_token")).rejects.toThrow(/provider_token/);
+		await expect(fetcher.get("provider_token")).rejects.toThrow(/ECONNREFUSED/);
+	});
 });

src/config/loader.ts

@@ -22,6 +22,13 @@
 // plaintext. By requiring whole-string matches, the resolved replacement IS
 // the plaintext itself, never a string containing the plaintext, so the
 // surface for accidental disclosure is the existing `process.env` surface.
+//
+// Note on type safety: the walker treats the config as a generic
+// Record<string, unknown> so it can recurse over arbitrary nested objects.
+// The single `as unknown as Record<string, unknown>` cast at the entry point
+// (where loadConfig hands the typed PhantomConfig to interpolateSecretsInPlace)
+// is the only place we cross the typed/generic boundary; the walker itself
+// does not introduce further casts beyond a recursive descent step.
 
 import { readFileSync } from "node:fs";
 import { parse } from "yaml";

src/config/providers.ts

@@ -29,8 +29,17 @@ export const ProviderSchema = z
 		// plaintext is injected into process.env.ANTHROPIC_API_KEY /
 		// ANTHROPIC_AUTH_TOKEN before buildProviderEnv runs. Default
 		// "provider_token" so a Cloud tenant who flips secret_source to
-		// metadata gets the right behavior with no further config.
-		secret_name: z.string().min(1).default("provider_token"),
+		// metadata gets the right behavior with no further config. The regex
+		// matches the metadata fetcher's defense-in-depth check; pinning it at
+		// the schema level surfaces invalid names at parse time rather than
+		// crashing at boot inside the fetcher.
+		secret_name: z
+			.string()
+			.regex(/^[a-z_][a-z0-9_]*$/, {
+				message:
+					"secret_name must match /^[a-z_][a-z0-9_]*$/ (lowercase letters, digits, underscores; cannot start with a digit)",
+			})
+			.default("provider_token"),
 		model_mappings: z
 			.object({
 				opus: z.string().min(1).optional(),