diff --git a/cmd/whoami/whoami_test.go b/cmd/whoami/whoami_test.go index 201a347c9..36cc7b3df 100644 --- a/cmd/whoami/whoami_test.go +++ b/cmd/whoami/whoami_test.go @@ -333,7 +333,7 @@ func (noopWhoamiKeychain) Remove(service, account string) error { return // credentialSourceSecret is the profile secret written to config for // TestWhoamiIncludesCredentialSource. It must never leak into whoami's output // (security §5.1). -const credentialSourceSecret = "s3cr3t-whoami-credential-source" +const credentialSourceSecret = "test-secret" // profileSelectionFactory builds a Factory whose CredentialProvider resolves // an explicit profile ("tenant_a") supplied via the LARKSUITE_CLI_PROFILE env diff --git a/internal/credential/credential_provider_selection_test.go b/internal/credential/credential_provider_selection_test.go index 8b0652403..cd4fd8800 100644 --- a/internal/credential/credential_provider_selection_test.go +++ b/internal/credential/credential_provider_selection_test.go @@ -40,10 +40,10 @@ func asValidationError(t *testing.T, err error) *errs.ValidationError { // secretValue is the profile secret written to config. It must NEVER appear in // any error message or IdentitySelection (security §5.1). -const secretValue = "s3cr3t-tenant-a-value" +const secretValue = "your-secret" // envSecretValue is the direct env app secret. Same no-leak guarantee. -const envSecretValue = "env-secret-should-not-leak" +const envSecretValue = "your-password" // writeConfigTenantA writes a config with a single profile "tenant_a" (app_id // "cli_a"). The secret is a plaintext secret stored in config, which resolves @@ -302,7 +302,7 @@ func TestSelection_State7_ProfileSecretInvalid(t *testing.T) { // error), this uses a custom DefaultAccountResolver whose error text embeds // the marker, closing the gap where a leak could hide in a cause chain that // happens to be empty in the noop-keychain case. -const secretMarkerValue = "SUPER_SECRET_MARKER_abc123" +const secretMarkerValue = "your-access-token" // leakingSecretResolver is a DefaultAccountResolver stub whose ResolveAccount // fails with an error whose message contains secretMarkerValue, simulating a