gstack/test
Garry Tan 0933ab074a test: secret-sink harness positive controls + real-bin negative controls
11 tests. Positive controls deliberately leak a seed in every covered
channel (stdout, stderr, a file under $HOME, the telemetry JSONL path,
base64-encoded, first-12-char prefix) and assert the harness catches
each one. Without these, a harness that silently under-reports would
look identical to a harness that works.

Negative controls run real setup-gbrain bins with distinctive seeds:
  - supabase-verify rejects a mysql:// URL and a direct-connection URL,
    password never appears in any captured channel
  - lib.sh read_secret_to_env reads piped stdin, emits only the length,
    seed value stays invisible
  - supabase-provision on an auth-failure path fails fast without
    leaking the PAT to any channel

Covers D21 #5 leak harness + uses it to validate D3-eng, D10, D11
discipline end-to-end on the already-shipped bins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 00:09:04 -07:00
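
The control pattern the commit message describes, as an added example that is not gstack's harness or test code: a seed is piped to a command, every channel is captured under one sandbox directory, and the sandbox is scanned for the raw seed, its base64 form, and its first 12 characters. All function names, the seed, and the file names under `$HOME` (including a telemetry JSONL file assumed to live there) are hypothetical, and the controls are stand-in shell functions rather than the real setup-gbrain bins.

```sh
#!/bin/sh
# Added example: minimal secret-sink harness. Every name here is hypothetical.

# scan_sinks SEED DIR: print the forms of SEED found in files under DIR.
scan_sinks() {
    seed=$1 dir=$2 hits=""
    b64=$(printf '%s' "$seed" | base64 | tr -d '\n')
    prefix=$(printf '%s' "$seed" | cut -c1-12)
    if grep -rqF -e "$seed" "$dir"; then
        hits="raw"                      # a raw hit implies the prefix as well
    elif grep -rqF -e "$prefix" "$dir"; then
        hits="prefix12"
    fi
    if grep -rqF -e "$b64" "$dir"; then
        hits="${hits:+$hits }base64"
    fi
    printf '%s\n' "${hits:-clean}"
}

# run_harness SEED CMD [ARGS...]: pipe SEED to CMD on stdin with a throwaway
# $HOME, capture stdout/stderr as files beside it, then scan the whole sandbox.
run_harness() {
    h_seed=$1; shift
    box=$(mktemp -d)
    mkdir -p "$box/home"
    printf '%s\n' "$h_seed" |
        ( HOME="$box/home"; export HOME; "$@" ) >"$box/stdout" 2>"$box/stderr" || true
    scan_sinks "$h_seed" "$box"
    rm -rf "$box"
}

SEED="SINKSEED-7f3a9c21-e4b8-4d6f"   # constructed, distinctive, not a real secret

# Positive controls: each one leaks on purpose through a single channel.
leak_stdout()    { read -r s; echo "connecting with $s"; }
leak_stderr()    { read -r s; echo "auth failed for $s" >&2; return 1; }
leak_home_file() { read -r s; echo "$s" >"$HOME/.debug.log"; }
leak_telemetry() { read -r s; printf '{"event":"setup","pat":"%s"}\n' "$s" >>"$HOME/telemetry.jsonl"; }
leak_base64()    { read -r s; printf '%s' "$s" | base64; }
leak_prefix()    { read -r s; echo "token $(printf '%s' "$s" | cut -c1-12)..."; }
# Negative control: reads the secret but emits only its length.
length_only()    { read -r s; echo "read ${#s} chars"; }

for ctl in leak_stdout leak_stderr leak_home_file leak_telemetry \
           leak_base64 leak_prefix length_only; do
    printf '%-15s %s\n' "$ctl" "$(run_harness "$SEED" "$ctl")"
done
```

The base64 check only matches the seed encoded on its own; a seed embedded in a longer encoded string shifts the alignment and needs a decode-then-scan pass instead.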