@@ -499,6 +499,8 @@ const FORMULA_EXAMPLE_GROUPS: &[FormulaExampleGroup] = &[
499499 r#"always([+ROTATE_PACKAGE_SIGNING_KEY] true -> eventually(<+NOTIFY_RELEASE_OWNER> true))"#,
500500 r#"always([+CLOUD_ACCESS_KEY_LEAKED] true -> (<+ROTATE_CLOUD_ACCESS_KEY> true | <+DISABLE_CLOUD_ACCOUNT> true))"#,
501501 r#"always([+ROTATE_CLOUD_ACCESS_KEY] true -> eventually(<+NOTIFY_CLOUD_ACCOUNT_OWNER> true))"#,
502+ r#"always([+TERRAFORM_STATE_SECRET_EXPOSED] true -> (<+ROTATE_STATE_SECRETS> true | <+LOCK_TERRAFORM_BACKEND> true))"#,
503+ r#"always([+ROTATE_STATE_SECRETS] true -> eventually(<+NOTIFY_INFRA_OWNER> true))"#,
502504 r#"next(<+APPROVE> true)"#,
503505 r#"next((<+APPROVE> true | [<+REJECT>] true))"#,
504506 r#"<+WAIT> true until <+APPROVE> true"#,
@@ -5047,6 +5049,18 @@ F2: formula generated_2 {
50475049 ));
50485050 }
50495051
5052+ #[test]
5053+ fn synthesis_list_includes_terraform_state_secret_exposure_prompt_examples() {
5054+ let output = synthesis_list_text();
5055+
5056+ assert!(output.contains(
5057+ "always([+TERRAFORM_STATE_SECRET_EXPOSED] true -> (<+ROTATE_STATE_SECRETS> true | <+LOCK_TERRAFORM_BACKEND> true))"
5058+ ));
5059+ assert!(output.contains(
5060+ "always([+ROTATE_STATE_SECRETS] true -> eventually(<+NOTIFY_INFRA_OWNER> true))"
5061+ ));
5062+ }
5063+
50505064 #[test]
50515065 fn synthesis_list_includes_escrow_progression_prompt_examples() {
50525066 let output = synthesis_list_text();
@@ -15038,6 +15052,22 @@ gfp(X, []((X)) & ([<+ARCHIVE>] true))
1503815052 verify_synthesized_model(&model, &formulas).unwrap();
1503915053 }
1504015054
15055+ #[test]
15056+ fn verify_synthesized_model_accepts_terraform_state_secret_exposure_prompt_examples() {
15057+ let formulas = parse_formula_strings(&[
15058+ "always([+TERRAFORM_STATE_SECRET_EXPOSED] true -> (<+ROTATE_STATE_SECRETS> true | <+LOCK_TERRAFORM_BACKEND> true))"
15059+ .to_string(),
15060+ "always([+ROTATE_STATE_SECRETS] true -> eventually(<+NOTIFY_INFRA_OWNER> true))"
15061+ .to_string(),
15062+ ]);
15063+ let model = modality_lang::formula_synthesis::synthesize_from_formulas(
15064+ "TerraformStateSecretExposure",
15065+ &formulas,
15066+ );
15067+
15068+ verify_synthesized_model(&model, &formulas).unwrap();
15069+ }
15070+
1504115071 #[test]
1504215072 fn verify_synthesized_model_accepts_mixed_alternatives_with_signer_requirement() {
1504315073 let formulas = parse_formula_strings(&[
0 commit comments