feat(07-04): wire keyhunter import command with dedup and DB persist

- Replace import stub with cmd/import.go dispatching to pkg/importer (trufflehog, gitleaks, gitleaks-csv) via --format flag - Reuse openDBWithKey helper so encryption + path resolution match scan/keys - engineToStorage converts engine.Finding -> storage.Finding (Source -> SourcePath) - Add pkg/storage.FindingExistsByKey for idempotent cross-import dedup keyed on (provider, masked key, source path, line number) - cmd/import_test.go: selector table, field conversion, end-to-end trufflehog import with re-run duplicate assertion, unknown-format + missing-file errors - pkg/storage queries_test: FindingExistsByKey hit and four miss cases Delivers IMP-01/02/03 end-to-end.
2026-04-05 23:59:39 +03:00
parent b3db22ac93
commit 9dbb0b87d4
4 changed files with 349 additions and 0 deletions
--- a/pkg/storage/queries_test.go
+++ b/pkg/storage/queries_test.go
@@ -147,3 +147,42 @@ func TestDeleteFinding_Miss(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, int64(0), n)
 }
+
+func TestFindingExistsByKey(t *testing.T) {
+	db, encKey, _ := seedQueryFindings(t)
+
+	// Insert a finding with a deterministic masked key we can query against.
+	masked := "sk-exact...1234"
+	_, err := db.SaveFinding(storage.Finding{
+		ProviderName: "openai",
+		KeyValue:     "sk-exact-key-value-1234",
+		KeyMasked:    masked,
+		Confidence:   "high",
+		SourcePath:   "/tmp/exact.env",
+		SourceType:   "import:trufflehog",
+		LineNumber:   42,
+	}, encKey)
+	require.NoError(t, err)
+
+	// Exact tuple hits.
+	exists, err := db.FindingExistsByKey("openai", masked, "/tmp/exact.env", 42)
+	require.NoError(t, err)
+	assert.True(t, exists, "exact tuple should be found")
+
+	// Any differing field misses.
+	miss1, err := db.FindingExistsByKey("anthropic", masked, "/tmp/exact.env", 42)
+	require.NoError(t, err)
+	assert.False(t, miss1)
+
+	miss2, err := db.FindingExistsByKey("openai", "sk-other...9999", "/tmp/exact.env", 42)
+	require.NoError(t, err)
+	assert.False(t, miss2)
+
+	miss3, err := db.FindingExistsByKey("openai", masked, "/tmp/other.env", 42)
+	require.NoError(t, err)
+	assert.False(t, miss3)
+
+	miss4, err := db.FindingExistsByKey("openai", masked, "/tmp/exact.env", 7)
+	require.NoError(t, err)
+	assert.False(t, miss4)
+}