Skip to content

Quality backlog from 2026-07 audit: untested paths, typed HTTP errors, config validation, release hygiene #111

Description

@kurok

Low-priority follow-ups from the 2026-07 repository audit, collected in one place. None of these block the other audit issues (#104, #105, #106, #107, #108, #109, #110); pick them up opportunistically or when touching the surrounding code.

Untested paths

  • VaultKubernetesAuth: fs.readFileSync throw path (missing/unreadable service-account token file — the most realistic real-world failure)
  • VaultIAMAuth: default AWS credential-chain path (construction without explicit credentials) is never invoked in tests
  • test/auth.base.test.mjs "reschedules when a renewal fails": assert the timer actually re-arms
  • Prototype-pollution guard in VaultNodeConfig.deepMerge — a deliberate security control with zero test coverage
  • Dedicated Lease.getMetadata() test
  • VaultApiClient non-2xx handling: assert err.error contents and the non-JSON-body fallback

Code quality

  • Wrap HTTP errors in the VaultError hierarchy — VaultApiClient currently throws a plain Error with ad-hoc .statusCode/.error, so callers cannot instanceof-check HTTP failures. Keep the existing field shape for compatibility.
  • Validate required config fields (role, role_id, …) consistently across auth backends — only VaultTokenAuth validates its input today. Note: stricter validation is a behavior change; flag as a minor bump.
  • VaultBaseAuth.__authToken holds either a Promise<AuthToken> or a resolved AuthToken, discriminated by instanceof — consider separating into two fields for clarity.

Dependencies & release process

  • long-timeout@0.1.1 is unmaintained (last release 2016, ~50 LOC): document the decision to keep it, or inline the code
  • Add a release-time check that CHANGELOG.md was updated (currently manual and unenforced)
  • Structured logging + log-at-source in VaultApiClient — do this after the catch/log/rethrow wrapper from Refactor: unify the 4x copy-pasted request pipeline in VaultClient #110 to avoid double-logging

Considered and rejected (do not build)

Generic middleware/plugin chain for the request pipeline; a generic secret-scrubbing log framework; TTL-based mount re-detection; aspirational coverage targets; README TOC generation tooling. The codebase is ~1.9k LOC — bespoke abstractions cost more than the duplication they remove.


Filed from the 2026-07-02 repository audit of commit 4225f9b.

Metadata

Metadata

Assignees

No one assigned

    Labels

    audit-2026-07Filed from the July 2026 repository auditenhancementNew feature or requestpriority: lowOpportunistic / backlogtestingTest coverage and test infrastructure

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions