fix(audit): correct v1.4.0 findings (6 items)

- FINDING-001: add activity column rendering in render_dashboard loop - FINDING-002: map YAML 'token' key to 'auth' in _resolve_config - FINDING-003/SEC-001: reject tokens containing unresolved ${...} refs - FINDING-004: add tests for activity column rendering - FINDING-006: strengthen test_main_columns_help assertions - SEC-002: enrich timeout warning with collected items count Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-13 03:58:38 +01:00
parent 6f2f02409e
commit e02e211d86
5 changed files with 91 additions and 4 deletions
--- a/tests/test_cli.py
+++ b/tests/test_cli.py
@@ -411,6 +411,42 @@ class TestParseArgsMilestones:
        assert args.milestones is False


+class TestMainTokenFromConfig:
+    """Test main() reads token from YAML config file."""
+
+    @patch("gitea_dashboard.cli.render_dashboard")
+    @patch("gitea_dashboard.cli.collect_all")
+    @patch("gitea_dashboard.cli.GiteaClient")
+    @patch("gitea_dashboard.cli.load_config")
+    def test_yaml_token_key_mapped_to_auth(
+        self, mock_load_config, mock_client_cls, mock_collect, mock_render
+    ):
+        """YAML 'token' key is properly mapped to auth for GiteaClient."""
+        mock_load_config.return_value = {"token": "yaml-token-123", "url": "http://yaml:3000"}
+        mock_client_cls.return_value = MagicMock()
+        mock_collect.return_value = []
+
+        with patch.dict("os.environ", {}, clear=True):
+            main([])
+
+        mock_client_cls.assert_called_once_with("http://yaml:3000", "yaml-token-123")
+
+
+class TestMainUnresolvedToken:
+    """Test main() rejects unresolved ${VAR} in token."""
+
+    def test_unresolved_env_var_in_token(self, capsys):
+        """Token containing ${...} is rejected with clear error."""
+        env = {"GITEA_TOKEN": "${GITEA_TOKEN}"}
+        with patch.dict("os.environ", env, clear=True):
+            with pytest.raises(SystemExit) as exc_info:
+                main([])
+
+        assert exc_info.value.code == 1
+        captured = capsys.readouterr()
+        assert "${" in captured.err
+
+
 class TestParseArgsColumns:
    """Test --columns argument parsing."""

@@ -453,7 +489,9 @@ class TestMainColumnsHelp:

    @patch("gitea_dashboard.cli.GiteaClient")
    def test_main_columns_help(self, mock_client_cls, capsys):
-        """--columns help displays available columns and exits."""
+        """--columns help displays ALL available columns and does not instantiate client."""
+        from gitea_dashboard.display import AVAILABLE_COLUMNS
+
        env = {"GITEA_TOKEN": "test-tok"}
        mock_client_cls.return_value = MagicMock()

@@ -461,8 +499,12 @@ class TestMainColumnsHelp:
            main(["--columns", "help"])

        captured = capsys.readouterr()
-        # Should list column names
-        assert "name" in captured.out or "name" in captured.err
+        combined = captured.out + captured.err
+        # Every column key must appear in the output
+        for col_name in AVAILABLE_COLUMNS:
+            assert col_name in combined, f"Column '{col_name}' missing from --columns help output"
+        # GiteaClient should NOT have been instantiated (help exits early)
+        mock_client_cls.assert_not_called()

    @patch("gitea_dashboard.cli.render_dashboard")
    @patch("gitea_dashboard.cli.collect_all")