test: ssh-tunnel — extractSshConfig validation and lifecycle safety

[anandgupta42]

Summary

What does this PR do?

1. extractSshConfig and tunnel lifecycle — src/altimate/native/connections/ssh-tunnel.ts (8 new tests)

This module handles SSH tunnel creation, configuration extraction, and lifecycle management for remote database connections. Zero tests existed prior to this PR. The extractSshConfig function is called on every connection creation in registry.ts — if it mishandles edge cases (missing port defaults, connection_string conflicts), users get cryptic errors or misconfigured tunnels.

New coverage includes:

• Null return: correctly returns null when no ssh_host is present (skip tunnel path)
• Full field extraction: all SSH config fields are correctly mapped from ConnectionConfig
• Default values: ssh_port defaults to 22, ssh_user defaults to "root", host defaults to "127.0.0.1", port defaults to 5432
• connection_string conflict: throws a clear error when ssh_host is used with connection_string (these are mutually exclusive — SSH tunnels need host/port to rewrite)
• Key/password passthrough: both ssh_private_key and ssh_password are passed through to startTunnel (which decides priority)
• Lifecycle safety: closeTunnel and closeAllTunnels are safe no-ops when no tunnels exist (no crashes on the shared activeTunnels Map)

Discovery process

• Reconnaissance identified ssh-tunnel.ts as a critical infrastructure module with zero test coverage
• A critic agent reviewed and approved all 8 tests, rejecting 2 other candidates (MongoDB list tests that didn't exercise new code paths, and trajectory helpers that are unexported)
• Tests are pure unit tests with no network, filesystem, or timing dependencies

Type of change

• New feature (non-breaking change which adds functionality)

Issue for this PR

N/A — proactive test coverage for SSH tunnel infrastructure

How did you verify your code works?

bun test test/altimate/ssh-tunnel.test.ts       # 8 pass, 11 expect() calls

Checklist

• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

https://claude.ai/code/session_01NiGUekwkcSnAAuncsehdFn

Summary by CodeRabbit

• Tests
  • Added comprehensive test suite for SSH tunnel configuration and management, validating configuration extraction, default parameter handling, and tunnel lifecycle operations.

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

A new test suite for SSH tunnel configuration extraction and lifecycle management is introduced. Tests validate parameter extraction, default value application, error handling for conflicting configurations, and tunnel closure operations.

Changes

Cohort / File(s)	Summary
SSH Tunnel Tests packages/opencode/test/altimate/ssh-tunnel.test.ts	New test suite with 91 lines validating extractSshConfig function across multiple scenarios: null returns when ssh_host absent, field mapping with defaults (ssh_port → 22, ssh_user → root), target DB defaults (host → 127.0.0.1, port → 5432), error handling for conflicting configurations, and tunnel lifecycle operations (closeTunnel, closeAllTunnels).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

contributor

Poem

🐰 A tunnel through SSH, secure and bright,
With tests ensuring all configs align just right,
Default ports and users, paths that never stray,
The tunnel lifecycle now tested every day!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main changes: adding tests for SSH tunnel configuration extraction and lifecycle safety.
Description check	✅ Passed	The description is comprehensive and well-structured, covering the summary, test plan, and checklist sections with detailed explanations of test coverage.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch test/hourly-20260327-0510

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

packages/opencode/test/altimate/ssh-tunnel.test.ts (1)

73-77: Avoid PEM-shaped test fixtures to reduce secret-scanner false positives.

Using "BEGIN RSA PRIVATE KEY" in tests may trigger credential scanners. A neutral placeholder still validates pass-through behavior with less CI noise.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/opencode/test/altimate/ssh-tunnel.test.ts` around lines 73 - 77, The
test uses a PEM-shaped fixture ("BEGIN RSA PRIVATE KEY") which can trigger
secret scanners; change the fixture passed for ssh_private_key to a neutral
placeholder (e.g., "SSH-PRIVATE-KEY-FAKE") and update the assertion that checks
ssh_private_key (currently expect(result!.ssh_private_key).toContain("BEGIN RSA
PRIVATE KEY")) to assert the new placeholder (e.g., equality or toContain
"SSH-PRIVATE-KEY-FAKE"); keep the ssh_password check
(expect(result!.ssh_password).toBe("also-provided")) as-is. Ensure you update
the test setup where ssh_private_key is provided and the corresponding assertion
that verifies the pass-through on the result object.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/opencode/test/altimate/ssh-tunnel.test.ts`:
- Around line 81-91: Tests rely on shared module state in activeTunnels, so make
lifecycle tests deterministic by resetting that state before and/or after each
test: inside the describe("SSH tunnel: lifecycle helpers (no real SSH)") block
add a beforeEach(() => closeAllTunnels()) (and optionally afterEach(() =>
closeAllTunnels())) so that activeTunnels is cleared prior to each invocation of
closeTunnel/getActiveTunnel; use the existing closeAllTunnels() helper (or
directly clear activeTunnels if needed) and ensure the helper is
imported/accessible in the test file.

---

Nitpick comments:
In `@packages/opencode/test/altimate/ssh-tunnel.test.ts`:
- Around line 73-77: The test uses a PEM-shaped fixture ("BEGIN RSA PRIVATE
KEY") which can trigger secret scanners; change the fixture passed for
ssh_private_key to a neutral placeholder (e.g., "SSH-PRIVATE-KEY-FAKE") and
update the assertion that checks ssh_private_key (currently
expect(result!.ssh_private_key).toContain("BEGIN RSA PRIVATE KEY")) to assert
the new placeholder (e.g., equality or toContain "SSH-PRIVATE-KEY-FAKE"); keep
the ssh_password check (expect(result!.ssh_password).toBe("also-provided"))
as-is. Ensure you update the test setup where ssh_private_key is provided and
the corresponding assertion that verifies the pass-through on the result object.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 46ba7f5c-a48f-497a-ad18-367ed5ea4e4b

📥 Commits

Reviewing files that changed from the base of the PR and between abcaa1d and 7bae482.

📒 Files selected for processing (1)

• packages/opencode/test/altimate/ssh-tunnel.test.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Make lifecycle tests deterministic by resetting shared tunnel state.

activeTunnels is module-level shared state, so these tests can become order-dependent when run with other tests touching tunnel lifecycle. Add setup/teardown cleanup to lock test preconditions.

🔧 Proposed fix

-import { describe, test, expect } from "bun:test"
+import { describe, test, expect, beforeEach, afterEach } from "bun:test"

 describe("SSH tunnel: lifecycle helpers (no real SSH)", () => {
+  beforeEach(() => {
+    closeAllTunnels()
+  })
+
+  afterEach(() => {
+    closeAllTunnels()
+  })
+
   test("closeTunnel is a no-op for unknown name", () => {
     closeTunnel("nonexistent-tunnel-name")
     expect(getActiveTunnel("nonexistent-tunnel-name")).toBeUndefined()
   })

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/opencode/test/altimate/ssh-tunnel.test.ts` around lines 81 - 91,
Tests rely on shared module state in activeTunnels, so make lifecycle tests
deterministic by resetting that state before and/or after each test: inside the
describe("SSH tunnel: lifecycle helpers (no real SSH)") block add a
beforeEach(() => closeAllTunnels()) (and optionally afterEach(() =>
closeAllTunnels())) so that activeTunnels is cleared prior to each invocation of
closeTunnel/getActiveTunnel; use the existing closeAllTunnels() helper (or
directly clear activeTunnels if needed) and ensure the helper is
imported/accessible in the test file.