feat(policy-loader): 8.7 — env-var deprecation warnings (v8.0.0 removal)

plugins/llm-security/tests/lib/policy-loader.test.mjs

@@ -5,7 +5,7 @@ import assert from 'node:assert/strict';
 import { writeFileSync, mkdirSync, rmSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { tmpdir } from 'node:os';
-import { loadPolicy, getPolicyValue, getDefaultPolicy, _resetCacheForTest } from '../../scanners/lib/policy-loader.mjs';
+import { loadPolicy, getPolicyValue, getPolicyValueWithEnvWarn, getDefaultPolicy, _resetCacheForTest } from '../../scanners/lib/policy-loader.mjs';
 
 const TEST_ROOT = join(tmpdir(), `llm-security-policy-test-${Date.now()}`);
 const POLICY_DIR = join(TEST_ROOT, '.llm-security');
@@ -124,4 +124,114 @@ describe('policy-loader', () => {
     assert.equal(policy.ci.failOn, 'critical');
     assert.equal(policy.ci.compact, true);
   });
+
+  it('default policy includes trifecta.escalation_window=5 (D3)', () => {
+    const defaults = getDefaultPolicy();
+    assert.equal(defaults.trifecta.escalation_window, 5);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// D3: getPolicyValueWithEnvWarn — env-var deprecation warnings
+// ---------------------------------------------------------------------------
+
+describe('getPolicyValueWithEnvWarn (D3)', () => {
+  const ENV_VAR = 'LLM_SECURITY_TEST_DEPRECATED';
+  const QUIET_VAR = 'LLM_SECURITY_DEPRECATION_QUIET';
+  let originalWrite;
+  let stderrCapture;
+
+  beforeEach(() => {
+    _resetCacheForTest();
+    mkdirSync(POLICY_DIR, { recursive: true });
+    delete process.env[ENV_VAR];
+    delete process.env[QUIET_VAR];
+    stderrCapture = [];
+    originalWrite = process.stderr.write.bind(process.stderr);
+    process.stderr.write = (chunk, ...rest) => {
+      stderrCapture.push(typeof chunk === 'string' ? chunk : chunk.toString());
+      return true;
+    };
+  });
+
+  afterEach(() => {
+    process.stderr.write = originalWrite;
+    delete process.env[ENV_VAR];
+    delete process.env[QUIET_VAR];
+    _resetCacheForTest();
+    try { rmSync(TEST_ROOT, { recursive: true }); } catch {}
+  });
+
+  it('env wins over policy.json (existing behaviour unchanged)', () => {
+    writeFileSync(POLICY_FILE, JSON.stringify({
+      trifecta: { mode: 'block' },
+    }));
+    process.env[ENV_VAR] = 'off';
+    const val = getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    assert.equal(val, 'off');
+  });
+
+  it('returns policy value when env-var is unset', () => {
+    writeFileSync(POLICY_FILE, JSON.stringify({
+      trifecta: { mode: 'block' },
+    }));
+    const val = getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    assert.equal(val, 'block');
+    assert.equal(stderrCapture.join(''), ''); // no warning when only policy is set
+  });
+
+  it('returns default when neither env nor policy is set', () => {
+    rmSync(POLICY_FILE, { force: true });
+    const val = getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    assert.equal(val, 'warn');
+    assert.equal(stderrCapture.join(''), '');
+  });
+
+  it('emits one stderr deprecation warning when env+policy both set', () => {
+    writeFileSync(POLICY_FILE, JSON.stringify({
+      trifecta: { mode: 'block' },
+    }));
+    process.env[ENV_VAR] = 'off';
+    const val = getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    assert.equal(val, 'off');
+    const stderr = stderrCapture.join('');
+    assert.match(stderr, /\[llm-security\] Deprecation: env-var LLM_SECURITY_TEST_DEPRECATED/);
+    assert.match(stderr, /will be removed in v8\.0\.0/);
+    assert.match(stderr, /policy\.json key trifecta\.mode also set/);
+    assert.match(stderr, /Suppress with LLM_SECURITY_DEPRECATION_QUIET=1/);
+  });
+
+  it('warns only once per env-var within the same process', () => {
+    writeFileSync(POLICY_FILE, JSON.stringify({
+      trifecta: { mode: 'block' },
+    }));
+    process.env[ENV_VAR] = 'off';
+    getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    const stderr = stderrCapture.join('');
+    const matches = stderr.match(/\[llm-security\] Deprecation:/g) || [];
+    assert.equal(matches.length, 1);
+  });
+
+  it('LLM_SECURITY_DEPRECATION_QUIET=1 suppresses warning entirely', () => {
+    writeFileSync(POLICY_FILE, JSON.stringify({
+      trifecta: { mode: 'block' },
+    }));
+    process.env[ENV_VAR] = 'off';
+    process.env[QUIET_VAR] = '1';
+    const val = getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    assert.equal(val, 'off');
+    assert.equal(stderrCapture.join(''), '');
+  });
+
+  it('does not warn when policy value equals defaultValue (user did not override)', () => {
+    writeFileSync(POLICY_FILE, JSON.stringify({
+      trifecta: { mode: 'warn' }, // matches defaultValue
+    }));
+    process.env[ENV_VAR] = 'off';
+    const val = getPolicyValueWithEnvWarn('trifecta', 'mode', ENV_VAR, 'warn', TEST_ROOT);
+    assert.equal(val, 'off');
+    assert.equal(stderrCapture.join(''), '');
+  });
 });