paperclip/ui/src/pages/Secrets.render.test.tsx

// @vitest-environment jsdom

import { act } from "react";
import { createRoot } from "react-dom/client";
import { MemoryRouter } from "react-router-dom";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import type { CompanySecretProviderConfig, SecretProviderDescriptor } from "@paperclipai/shared";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { ProviderVaultsTab, Secrets } from "./Secrets";

const mockSecretsApi = vi.hoisted(() => ({
  list: vi.fn(),
  providers: vi.fn(),
  providerHealth: vi.fn(),
  providerConfigs: vi.fn(),
  createProviderConfig: vi.fn(),
  updateProviderConfig: vi.fn(),
  disableProviderConfig: vi.fn(),
  setDefaultProviderConfig: vi.fn(),
  checkProviderConfigHealth: vi.fn(),
  create: vi.fn(),
  update: vi.fn(),
  rotate: vi.fn(),
  disable: vi.fn(),
  enable: vi.fn(),
  archive: vi.fn(),
  remove: vi.fn(),
  usage: vi.fn(),
  accessEvents: vi.fn(),
}));

const mockSetBreadcrumbs = vi.hoisted(() => vi.fn());
const mockPushToast = vi.hoisted(() => vi.fn());

vi.mock("../api/secrets", () => ({
  secretsApi: mockSecretsApi,
}));

vi.mock("../context/CompanyContext", () => ({
  useCompany: () => ({
    selectedCompanyId: "company-1",
  }),
}));

vi.mock("../context/BreadcrumbContext", () => ({
  useBreadcrumbs: () => ({
    setBreadcrumbs: mockSetBreadcrumbs,
  }),
}));

vi.mock("../context/ToastContext", () => ({
  useToast: () => ({
    pushToast: mockPushToast,
  }),
  useToastActions: () => ({
    pushToast: mockPushToast,
  }),
}));

vi.mock("../context/SidebarContext", () => ({
  useSidebar: () => ({
    isMobile: false,
  }),
}));

// eslint-disable-next-line @typescript-eslint/no-explicit-any
(globalThis as any).IS_REACT_ACT_ENVIRONMENT = true;

const providers: SecretProviderDescriptor[] = [
  {
    id: "local_encrypted",
    label: "Local encrypted",
    requiresExternalRef: false,
    supportsManagedValues: true,
    supportsExternalReferences: false,
    configured: true,
  },
  {
    id: "aws_secrets_manager",
    label: "AWS Secrets Manager",
    requiresExternalRef: false,
    supportsManagedValues: true,
    supportsExternalReferences: true,
    configured: true,
  },
  {
    id: "gcp_secret_manager",
    label: "GCP Secret Manager",
    requiresExternalRef: false,
    supportsManagedValues: false,
    supportsExternalReferences: true,
    configured: false,
  },
  {
    id: "vault",
    label: "Vault",
    requiresExternalRef: false,
    supportsManagedValues: false,
    supportsExternalReferences: true,
    configured: false,
  },
];

const providerConfigs = [
  {
    id: "vault-local",
    provider: "local_encrypted",
    displayName: "Local default",
    status: "ready",
    isDefault: true,
    healthStatus: "ready",
    healthCheckedAt: null,
    healthMessage: null,
    healthDetails: null,
  },
  {
    id: "vault-aws",
    provider: "aws_secrets_manager",
    displayName: "AWS production",
    status: "ready",
    isDefault: false,
    healthStatus: null,
    healthCheckedAt: null,
    healthMessage: null,
    healthDetails: null,
  },
] satisfies Partial<CompanySecretProviderConfig>[];

async function flushReact() {
  await act(async () => {
    await Promise.resolve();
    await new Promise((resolve) => window.setTimeout(resolve, 0));
  });
}

describe("Secrets page layout", () => {
  let container: HTMLDivElement;

  beforeEach(() => {
    container = document.createElement("div");
    document.body.appendChild(container);

    mockSecretsApi.list.mockResolvedValue([]);
    mockSecretsApi.providers.mockResolvedValue(providers);
    mockSecretsApi.providerHealth.mockResolvedValue({
      providers: [
        {
          provider: "local_encrypted",
          status: "warn",
          message: "Local encrypted provider has a warning.",
          warnings: ["Backup reminder"],
        },
      ],
    });
    mockSecretsApi.providerConfigs.mockResolvedValue(providerConfigs);
  });

  afterEach(() => {
    container.remove();
    document.body.innerHTML = "";
    vi.clearAllMocks();
  });

  it("uses the shared search/filter/tab affordances and keeps vault sections quiet", async () => {
    const root = createRoot(container);
    const queryClient = new QueryClient({
      defaultOptions: { queries: { retry: false } },
    });

    await act(async () => {
      root.render(
        <QueryClientProvider client={queryClient}>
          <Secrets />
        </QueryClientProvider>,
      );
    });
    await flushReact();
    await flushReact();

    expect(container.querySelector('input[data-page-search-target="true"][aria-label="Search secrets"]')).not.toBeNull();
    expect(container.textContent).toContain("Use secrets by binding them to runtime environment variables.");
    expect(container.textContent).toContain("GH_TOKEN");
    expect(container.querySelectorAll("select")).toHaveLength(0);
    expect(container.textContent).not.toContain("Provider warnings detected");
    expect(container.textContent).not.toContain("2/2 active");

    await act(async () => {
      root.unmount();
    });

    const vaultRoot = createRoot(container);
    await act(async () => {
      vaultRoot.render(
        <ProviderVaultsTab
          providers={providers}
          providerConfigs={providerConfigs as CompanySecretProviderConfig[]}
          loading={false}
          error={null}
          onRetry={vi.fn()}
          onCreate={vi.fn()}
          onEdit={vi.fn()}
          onDisable={vi.fn()}
          onSetDefault={vi.fn()}
          onHealthCheck={vi.fn()}
          pendingActionId={null}
        />,
      );
    });
    await flushReact();

    expect(container.querySelector('a[href="#provider-vaults-local_encrypted"]')).not.toBeNull();
    expect(container.textContent).toContain("AWS production");
    expect(container.textContent).not.toContain("Managed writes");
    expect(container.textContent).not.toContain("External refs");

    await act(async () => {
      vaultRoot.unmount();
    });
  });

  it("opens reference details from the secrets table count", async () => {
    mockSecretsApi.list.mockResolvedValue([
      {
        id: "secret-openai",
        companyId: "company-1",
        key: "openai_api_key",
        name: "OPENAI_API_KEY",
        provider: "local_encrypted",
        status: "active",
        managedMode: "paperclip_managed",
        externalRef: null,
        providerConfigId: null,
        providerMetadata: null,
        latestVersion: 1,
        description: null,
        lastResolvedAt: null,
        lastRotatedAt: null,
        deletedAt: null,
        createdByAgentId: null,
        createdByUserId: "user-1",
        referenceCount: 2,
        createdAt: new Date("2026-05-06T00:00:00.000Z"),
        updatedAt: new Date("2026-05-06T00:00:00.000Z"),
      },
    ]);
    mockSecretsApi.usage.mockResolvedValue({
      secretId: "secret-openai",
      bindings: [
        {
          id: "binding-agent",
          companyId: "company-1",
          secretId: "secret-openai",
          targetType: "agent",
          targetId: "agent-1",
          configPath: "env.OPENAI_API_KEY",
          versionSelector: "latest",
          required: true,
          label: null,
          target: {
            type: "agent",
            id: "agent-1",
            label: "CodexCoder",
            href: "/agents/codexcoder",
            status: "idle",
          },
          createdAt: new Date("2026-05-06T00:00:00.000Z"),
          updatedAt: new Date("2026-05-06T00:00:00.000Z"),
        },
      ],
    });

    const root = createRoot(container);
    const queryClient = new QueryClient({
      defaultOptions: { queries: { retry: false } },
    });

    await act(async () => {
      root.render(
        <MemoryRouter>
          <QueryClientProvider client={queryClient}>
            <Secrets />
          </QueryClientProvider>
        </MemoryRouter>,
      );
    });
    await flushReact();
    await flushReact();

    const referencesButton = container.querySelector(
      'button[aria-label="View references for OPENAI_API_KEY"]',
    ) as HTMLButtonElement | null;
    expect(referencesButton?.textContent).toBe("2");

    await act(async () => {
      referencesButton?.click();
    });
    await flushReact();

    expect(mockSecretsApi.usage).toHaveBeenCalledWith("secret-openai");
    expect(document.body.textContent).toContain("Secret references");
    expect(document.body.textContent).toContain("CodexCoder");
    expect(document.body.textContent).toContain("env.OPENAI_API_KEY");

    await act(async () => {
      root.unmount();
    });
  });
});
Add secrets provider vaults and remote import (#5429) ## Thinking Path > - Paperclip orchestrates AI-agent companies and needs secrets handling to work across local development, hosted operators, and governed agent execution. > - The affected subsystem is the company-scoped secrets control plane: database schema, server services/routes, CLI workflows, and the Secrets settings UI. > - The gap was that secrets were local-only and operators could not manage provider vaults or import existing remote references without exposing plaintext. > - This branch adds provider vault configuration plus an AWS Secrets Manager remote-import path while preserving company boundaries, binding context, and audit trails. > - I kept the PR to a single branch PR, removed unrelated lockfile/package drift, rebased the full branch onto the current `public-gh/master`, and addressed fresh Greptile findings. > - The benefit is a reviewable implementation of provider-backed secrets with focused tests covering provider selection, import conflicts, deleted secret reuse, rotation guards, and AWS signing behavior. ## What Changed - Added provider vault support for company secrets, including provider config storage, default vault handling, health checks, binding usage, access events, and remote import preview/commit. - Added an AWS Secrets Manager provider using SigV4 request signing, bounded request timeouts, namespace guardrails, cached runtime credential resolution, and external-reference linking without plaintext reads. - Added Secrets UI surfaces for vault management and remote import, plus CLI/API documentation for setup and operations. - Stabilized routine webhook secret binding paths and SSH environment-driver fixture bindings discovered during verification. - Addressed Greptile and CI findings: no lockfile/package drift, monotonic migration metadata, disabled-vault default races, soft-deleted secret hiding/recreate behavior, remove behavior with disabled vaults, soft-deleted external-reference re-import, non-active rotation guards, managed-secret soft deletion through PATCH, and per-call AWS SDK credential client churn. - Rebased this branch onto `public-gh/master` at `0e1a5828` and force-pushed with lease to keep this as the single PR for the branch. ## Verification - `git fetch public-gh master` - `git rebase public-gh/master` - `git diff --name-only public-gh/master...HEAD \| grep '^pnpm-lock\.yaml$' \|\| true` confirmed `pnpm-lock.yaml` is not in the PR diff. - Confirmed migration ordering: master ends at `0081_optimal_dormammu`; this PR adds `0082_dry_vision` and `0083_company_secret_provider_configs`. - Inspected migrations for repeat safety: new tables/indexes use `IF NOT EXISTS`; foreign keys are guarded by `DO $$ ... IF NOT EXISTS`; column additions use `ADD COLUMN IF NOT EXISTS`. - `pnpm -r typecheck` passed before the Greptile follow-up commits. - `pnpm test:run` ran the full stable Vitest path before the Greptile follow-up commits; it completed with 3 timing-related failures under parallel load: `codex-local-execute.test.ts`, `cursor-local-execute.test.ts`, and `environment-service.test.ts`. - `pnpm --filter @paperclipai/server exec vitest run src/__tests__/codex-local-execute.test.ts src/__tests__/cursor-local-execute.test.ts src/__tests__/environment-service.test.ts` passed on targeted rerun (`24/24`). - `pnpm build` passed before the Greptile follow-up commits. Vite reported existing chunk-size/dynamic-import warnings. - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/secrets-service.test.ts` passed (`26/26`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server exec vitest run src/__tests__/aws-secrets-manager-provider.test.ts src/__tests__/secrets-service.test.ts` passed (`39/39`). - After Greptile follow-up commits: `pnpm --filter @paperclipai/server typecheck` passed. - Captured Storybook screenshots from `ui/storybook-static` for visual review. - Latest PR checks on `5ca3a5cf`: `policy`, serialized server suites 1/4-4/4, `Canary Dry Run`, `e2e`, `security/snyk`, and `Greptile Review` pass; aggregate `verify` is still registering the completed child checks. - Greptile review loop continued through the latest requested pass; all Greptile review threads are resolved and the latest `Greptile Review` check on `5ca3a5cf` passed with 0 comments added. ## Screenshots Before: the provider-vault and remote-import surfaces did not exist on `master`; these are after-state screenshots from the Storybook fixtures. ![Secrets inventory](https://raw.githubusercontent.com/paperclipai/paperclip/PAP-2339-secrets-make-a-plan/doc/pr/5429/secrets-inventory.png) ![Secret binding picker](https://raw.githubusercontent.com/paperclipai/paperclip/PAP-2339-secrets-make-a-plan/doc/pr/5429/secret-binding-picker.png) ![Environment editor with secrets](https://raw.githubusercontent.com/paperclipai/paperclip/PAP-2339-secrets-make-a-plan/doc/pr/5429/env-editor-with-secrets.png) ## Risks - Migration risk: this adds new secret provider tables and extends existing secret rows. The migrations were checked for monotonic ordering and idempotent guards, but reviewers should still inspect upgrade behavior carefully. - Provider risk: AWS support uses direct SigV4 requests. Automated tests cover signing, request timeouts, vault-config selection, namespace guardrails, pending-version archival, sanitized provider errors, and service-level cleanup paths. A real-vault AWS smoke test remains deployment validation for an operator with AWS credentials rather than an unverified merge blocker in this local branch. - UI risk: the Secrets page and import dialog are large new surfaces; screenshots are included above for reviewer inspection. - Verification risk: the full local stable test command hit parallel-load timing failures, although the exact failed files passed when rerun directly. - Operational risk: remote import intentionally avoids plaintext reads; operators must understand that imported external references resolve at runtime and may fail if AWS permissions change. > For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and discuss it in `#dev` before opening the PR. Feature PRs that overlap with planned core work may need to be redirected — check the roadmap first. See `CONTRIBUTING.md`. ## Model Used - OpenAI Codex, GPT-5 coding agent with local shell/tool use in the Paperclip worktree. Exact context-window size was not exposed by the runtime. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [ ] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-05-09 18:22:17 -05:00			`// @vitest-environment jsdom`

			`import { act } from "react";`
			`import { createRoot } from "react-dom/client";`
			`import { MemoryRouter } from "react-router-dom";`
			`import { QueryClient, QueryClientProvider } from "@tanstack/react-query";`
			`import type { CompanySecretProviderConfig, SecretProviderDescriptor } from "@paperclipai/shared";`
			`import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";`
			`import { ProviderVaultsTab, Secrets } from "./Secrets";`

			`const mockSecretsApi = vi.hoisted(() => ({`
			`list: vi.fn(),`
			`providers: vi.fn(),`
			`providerHealth: vi.fn(),`
			`providerConfigs: vi.fn(),`
			`createProviderConfig: vi.fn(),`
			`updateProviderConfig: vi.fn(),`
			`disableProviderConfig: vi.fn(),`
			`setDefaultProviderConfig: vi.fn(),`
			`checkProviderConfigHealth: vi.fn(),`
			`create: vi.fn(),`
			`update: vi.fn(),`
			`rotate: vi.fn(),`
			`disable: vi.fn(),`
			`enable: vi.fn(),`
			`archive: vi.fn(),`
			`remove: vi.fn(),`
			`usage: vi.fn(),`
			`accessEvents: vi.fn(),`
			`}));`

			`const mockSetBreadcrumbs = vi.hoisted(() => vi.fn());`
			`const mockPushToast = vi.hoisted(() => vi.fn());`

			`vi.mock("../api/secrets", () => ({`
			`secretsApi: mockSecretsApi,`
			`}));`

			`vi.mock("../context/CompanyContext", () => ({`
			`useCompany: () => ({`
			`selectedCompanyId: "company-1",`
			`}),`
			`}));`

			`vi.mock("../context/BreadcrumbContext", () => ({`
			`useBreadcrumbs: () => ({`
			`setBreadcrumbs: mockSetBreadcrumbs,`
			`}),`
			`}));`

			`vi.mock("../context/ToastContext", () => ({`
			`useToast: () => ({`
			`pushToast: mockPushToast,`
			`}),`
			`useToastActions: () => ({`
			`pushToast: mockPushToast,`
			`}),`
			`}));`

			`vi.mock("../context/SidebarContext", () => ({`
			`useSidebar: () => ({`
			`isMobile: false,`
			`}),`
			`}));`

			`// eslint-disable-next-line @typescript-eslint/no-explicit-any`
			`(globalThis as any).IS_REACT_ACT_ENVIRONMENT = true;`

			`const providers: SecretProviderDescriptor[] = [`
			`{`
			`id: "local_encrypted",`
			`label: "Local encrypted",`
			`requiresExternalRef: false,`
			`supportsManagedValues: true,`
			`supportsExternalReferences: false,`
			`configured: true,`
			`},`
			`{`
			`id: "aws_secrets_manager",`
			`label: "AWS Secrets Manager",`
			`requiresExternalRef: false,`
			`supportsManagedValues: true,`
			`supportsExternalReferences: true,`
			`configured: true,`
			`},`
			`{`
			`id: "gcp_secret_manager",`
			`label: "GCP Secret Manager",`
			`requiresExternalRef: false,`
			`supportsManagedValues: false,`
			`supportsExternalReferences: true,`
			`configured: false,`
			`},`
			`{`
			`id: "vault",`
			`label: "Vault",`
			`requiresExternalRef: false,`
			`supportsManagedValues: false,`
			`supportsExternalReferences: true,`
			`configured: false,`
			`},`
			`];`

			`const providerConfigs = [`
			`{`
			`id: "vault-local",`
			`provider: "local_encrypted",`
			`displayName: "Local default",`
			`status: "ready",`
			`isDefault: true,`
			`healthStatus: "ready",`
			`healthCheckedAt: null,`
			`healthMessage: null,`
			`healthDetails: null,`
			`},`
			`{`
			`id: "vault-aws",`
			`provider: "aws_secrets_manager",`
			`displayName: "AWS production",`
			`status: "ready",`
			`isDefault: false,`
			`healthStatus: null,`
			`healthCheckedAt: null,`
			`healthMessage: null,`
			`healthDetails: null,`
			`},`
			`] satisfies Partial<CompanySecretProviderConfig>[];`

			`async function flushReact() {`
			`await act(async () => {`
			`await Promise.resolve();`
			`await new Promise((resolve) => window.setTimeout(resolve, 0));`
			`});`
			`}`

			`describe("Secrets page layout", () => {`
			`let container: HTMLDivElement;`

			`beforeEach(() => {`
			`container = document.createElement("div");`
			`document.body.appendChild(container);`

			`mockSecretsApi.list.mockResolvedValue([]);`
			`mockSecretsApi.providers.mockResolvedValue(providers);`
			`mockSecretsApi.providerHealth.mockResolvedValue({`
			`providers: [`
			`{`
			`provider: "local_encrypted",`
			`status: "warn",`
			`message: "Local encrypted provider has a warning.",`
			`warnings: ["Backup reminder"],`
			`},`
			`],`
			`});`
			`mockSecretsApi.providerConfigs.mockResolvedValue(providerConfigs);`
			`});`

			`afterEach(() => {`
			`container.remove();`
			`document.body.innerHTML = "";`
			`vi.clearAllMocks();`
			`});`

			`it("uses the shared search/filter/tab affordances and keeps vault sections quiet", async () => {`
			`const root = createRoot(container);`
			`const queryClient = new QueryClient({`
			`defaultOptions: { queries: { retry: false } },`
			`});`

			`await act(async () => {`
			`root.render(`
			`<QueryClientProvider client={queryClient}>`
			`<Secrets />`
			`</QueryClientProvider>,`
			`);`
			`});`
			`await flushReact();`
			`await flushReact();`

			`expect(container.querySelector('input[data-page-search-target="true"][aria-label="Search secrets"]')).not.toBeNull();`
			`expect(container.textContent).toContain("Use secrets by binding them to runtime environment variables.");`
			`expect(container.textContent).toContain("GH_TOKEN");`
			`expect(container.querySelectorAll("select")).toHaveLength(0);`
			`expect(container.textContent).not.toContain("Provider warnings detected");`
			`expect(container.textContent).not.toContain("2/2 active");`

			`await act(async () => {`
			`root.unmount();`
			`});`

			`const vaultRoot = createRoot(container);`
			`await act(async () => {`
			`vaultRoot.render(`
			`<ProviderVaultsTab`
			`providers={providers}`
			`providerConfigs={providerConfigs as CompanySecretProviderConfig[]}`
			`loading={false}`
			`error={null}`
			`onRetry={vi.fn()}`
			`onCreate={vi.fn()}`
			`onEdit={vi.fn()}`
			`onDisable={vi.fn()}`
			`onSetDefault={vi.fn()}`
			`onHealthCheck={vi.fn()}`
			`pendingActionId={null}`
			`/>,`
			`);`
			`});`
			`await flushReact();`

			`expect(container.querySelector('a[href="#provider-vaults-local_encrypted"]')).not.toBeNull();`
			`expect(container.textContent).toContain("AWS production");`
			`expect(container.textContent).not.toContain("Managed writes");`
			`expect(container.textContent).not.toContain("External refs");`

			`await act(async () => {`
			`vaultRoot.unmount();`
			`});`
			`});`

			`it("opens reference details from the secrets table count", async () => {`
			`mockSecretsApi.list.mockResolvedValue([`
			`{`
			`id: "secret-openai",`
			`companyId: "company-1",`
			`key: "openai_api_key",`
			`name: "OPENAI_API_KEY",`
			`provider: "local_encrypted",`
			`status: "active",`
			`managedMode: "paperclip_managed",`
			`externalRef: null,`
			`providerConfigId: null,`
			`providerMetadata: null,`
			`latestVersion: 1,`
			`description: null,`
			`lastResolvedAt: null,`
			`lastRotatedAt: null,`
			`deletedAt: null,`
			`createdByAgentId: null,`
			`createdByUserId: "user-1",`
			`referenceCount: 2,`
			`createdAt: new Date("2026-05-06T00:00:00.000Z"),`
			`updatedAt: new Date("2026-05-06T00:00:00.000Z"),`
			`},`
			`]);`
			`mockSecretsApi.usage.mockResolvedValue({`
			`secretId: "secret-openai",`
			`bindings: [`
			`{`
			`id: "binding-agent",`
			`companyId: "company-1",`
			`secretId: "secret-openai",`
			`targetType: "agent",`
			`targetId: "agent-1",`
			`configPath: "env.OPENAI_API_KEY",`
			`versionSelector: "latest",`
			`required: true,`
			`label: null,`
			`target: {`
			`type: "agent",`
			`id: "agent-1",`
			`label: "CodexCoder",`
			`href: "/agents/codexcoder",`
			`status: "idle",`
			`},`
			`createdAt: new Date("2026-05-06T00:00:00.000Z"),`
			`updatedAt: new Date("2026-05-06T00:00:00.000Z"),`
			`},`
			`],`
			`});`

			`const root = createRoot(container);`
			`const queryClient = new QueryClient({`
			`defaultOptions: { queries: { retry: false } },`
			`});`

			`await act(async () => {`
			`root.render(`
			`<MemoryRouter>`
			`<QueryClientProvider client={queryClient}>`
			`<Secrets />`
			`</QueryClientProvider>`
			`</MemoryRouter>,`
			`);`
			`});`
			`await flushReact();`
			`await flushReact();`

			`const referencesButton = container.querySelector(`
			`'button[aria-label="View references for OPENAI_API_KEY"]',`
			`) as HTMLButtonElement \| null;`
			`expect(referencesButton?.textContent).toBe("2");`

			`await act(async () => {`
			`referencesButton?.click();`
			`});`
			`await flushReact();`

			`expect(mockSecretsApi.usage).toHaveBeenCalledWith("secret-openai");`
			`expect(document.body.textContent).toContain("Secret references");`
			`expect(document.body.textContent).toContain("CodexCoder");`
			`expect(document.body.textContent).toContain("env.OPENAI_API_KEY");`

			`await act(async () => {`
			`root.unmount();`
			`});`
			`});`
			`});`