test(hermes): use benign secret-boundary sentinels#4863

Merged: cv merged 1 commit into main from test/hermes-secret-sentinel-fixtures, Jun 5, 2026

@cv cv commented Jun 5, 2026

Collaborator

Summary

Replace GUID-like Hermes secret-boundary fixture values with benign sentinels. The tests still validate raw non-placeholder secret-shaped values are rejected without committing scanner-shaped literals.

Changes

  • Replace GUID-like E2E secret-boundary payloads in test/e2e/test-hermes-sandbox-secret-boundary.sh.
  • Replace GUID-like raw secret fixtures in test/generate-hermes-config.test.ts and test/hermes-start.test.ts.
  • Keep the existing startup rejection and no-value-echo assertions unchanged in behavior.

Type of Change

  • Code change (feature, bug fix, or refactor)
  • Code change with doc updates
  • Doc only (prose changes, no code sample modifications)
  • Doc only (includes code sample changes)

Verification

  • npx prek run --all-files passes
  • npm test passes
  • Tests added or updated for new or changed behavior
  • No secrets, API keys, or credentials committed
  • Docs updated for user-facing behavior changes
  • npm run docs builds without warnings (doc changes only)
  • Doc pages follow the style guide (doc changes only)
  • New doc pages include SPDX header and frontmatter (new pages only)

Targeted checks run:

  • bash -n test/e2e/test-hermes-sandbox-secret-boundary.sh
  • npx vitest run test/hermes-start.test.ts test/generate-hermes-config.test.ts --testTimeout 60000
  • npm run checks
  • commit and pre-push hooks

Signed-off-by: Carlos Villela <cvillela@nvidia.com>
@cv cv added the "security" (Potential vulnerability, unsafe behavior, or access risk) and "area: security" (Security controls, permissions, secrets, or hardening) labels Jun 5, 2026
@cv cv self-assigned this Jun 5, 2026

github-actions Bot commented Jun 5, 2026

Contributor

E2E Advisor Recommendation

Required E2E: None
Optional E2E: hermes-secret-boundary-e2e

Dispatch hint: hermes-secret-boundary-e2e

Full advisor summary

E2E Recommendation Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required E2E

  • None. No merge-blocking E2E is required because this PR changes tests only and cannot affect runtime/user flows or security-boundary implementation behavior.

Optional E2E

  • hermes-secret-boundary-e2e (medium): Optional validation that the modified Hermes sandbox secret-boundary E2E script still builds/runs successfully with the new non-secret sentinel value.

New E2E recommendations

  • None.

Dispatch hint

  • Workflow: .github/workflows/nightly-e2e.yaml
  • jobs input: hermes-secret-boundary-e2e

github-actions Bot commented Jun 5, 2026

Contributor

E2E Scenario Advisor Recommendation

Required scenario E2E: None
Optional scenario E2E: None

Full scenario advisor summary

E2E Scenario Advisor

Base: origin/main
Head: HEAD
Confidence: high

Required scenario E2E

  • None. Changed files are tests-only outside test/e2e-scenario/ and do not modify scenario runtime, scenario metadata, scenario workflows, suite scripts, onboarding helpers, or other scenario E2E behavior. Legacy test/e2e/ coverage is owned by the general E2E advisor, not the scenario advisor.

Optional scenario E2E

  • None.

Relevant changed files

  • None.

github-actions Bot commented Jun 5, 2026

Contributor

PR Review Advisor

Findings: 0 needs attention, 0 worth checking, 0 nice ideas
Top item: No actionable findings

This is an automated advisory review. A human maintainer must make the final merge decision.

@cv cv requested review from cjagwani, ericksoa and prekshivyas June 5, 2026 20:21
@cv cv added the v0.0.61 Release target label Jun 5, 2026

@cjagwani cjagwani left a comment

Contributor

Lgtm

@cv cv added v0.0.60 Release target and removed v0.0.61 Release target labels Jun 5, 2026
@cv cv merged commit 5852fba into main Jun 5, 2026
30 checks passed
@cv cv deleted the test/hermes-secret-sentinel-fixtures branch June 5, 2026 20:39
@wscurran wscurran added the chore Build, CI, dependency, or tooling maintenance label Jun 8, 2026