commit 2e0e39c7e7f08b163c3bf0eed2f45f3e7fdf4ba1
parent 6b60fded4ba4ee84d2b7bac21a870b418f63dff1
Author: triesap <tyson@radroots.org>
Date: Sun, 21 Jun 2026 23:20:16 +0000
secret-vault: cover host vault branch gates
- exercise secure-device acceptance for user-presence and hardware policies
- cover unavailable explicit memory backend selection
- verify radroots_secret_vault tests in the coverage shell
- confirm radroots_secret_vault policy coverage reports 100/100/100/100
Diffstat:
2 files changed, 24 insertions(+), 0 deletions(-)
diff --git a/crates/secret_vault/src/policy.rs b/crates/secret_vault/src/policy.rs
@@ -172,6 +172,10 @@ mod tests {
requirement: RadrootsHostVaultRequirement::UserPresence,
})
);
+ assert_eq!(
+ RadrootsHostVaultCapabilities::secure_device().validate(user_presence_policy),
+ Ok(())
+ );
let hardware_policy = RadrootsHostVaultPolicy {
residency: RadrootsHostVaultResidency::UserProfile,
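Review bot: Both added acceptance checks, here and at `validate(hardware_policy)` in the next hunk, use the same `secure_device()` fixture, which presumably satisfies every requirement, so they would still pass if `validate` tied a requirement to the wrong capability. If the capabilities type can express it, a fixture that offers user presence but is not hardware-backed would pin each gate on its own: expect `Ok(())` for `user_presence_policy` and the `RadrootsHostVaultRequirement::HardwareBacked` rejection for `hardware_policy` from that one fixture. The rejecting assertions above begin outside the hunk, so they may already cover part of this.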
@@ -184,5 +188,9 @@ mod tests {
requirement: RadrootsHostVaultRequirement::HardwareBacked,
})
);
+ assert_eq!(
+ RadrootsHostVaultCapabilities::secure_device().validate(hardware_policy),
+ Ok(())
+ );
}
}
diff --git a/crates/secret_vault/src/selection.rs b/crates/secret_vault/src/selection.rs
@@ -278,6 +278,22 @@ mod tests {
used_fallback: false,
}
);
+
+ let err = selection
+ .resolve(RadrootsSecretBackendAvailability {
+ host_vault: RadrootsHostVaultCapabilities::unavailable(),
+ encrypted_file: false,
+ external_command: false,
+ memory: false,
+ })
+ .expect_err("unavailable memory backend must fail");
+
+ assert_eq!(
+ err,
+ RadrootsSecretVaultError::BackendUnavailable {
+ backend: RadrootsSecretBackendKind::Memory,
+ }
+ );
}
#[test]
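Review bot: The new failure case marks every backend unavailable, so it cannot distinguish an explicit selection that fails closed from a resolver that tried other backends and simply found none. A second case with `memory: false` and another backend available, for example `encrypted_file: true`, still expecting `BackendUnavailable { backend: RadrootsSecretBackendKind::Memory }`, would pin that an explicit memory selection never silently places secrets in a different store. `selection` is built outside the hunk, so this assumes it is the explicit memory selection the commit message describes.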