NEXUS_Visual_Weaver / tests /test_exporter.py
specimba's picture
Deploy v4 review hardening
621cf5d verified
Raw
History Blame Contribute Delete
26.2 kB
import json
from dataclasses import replace
from pathlib import Path
from nexus_visual_weaver.exporter import export_root, write_export_packet
from nexus_visual_weaver.planner import build_command_center_run
def _make_base_state(**overrides):
"""
Create a test operator state payload with optional field overrides.
Parameters:
**overrides: Fields to override in the base state dictionary.
Returns:
dict: A dictionary containing operator state data for export packet testing.
"""
state = {
"provider_state": "export_ready",
"checkpoint": "approved",
"message": "approved",
"generation": {
"status": "success",
"provider_state": "generated",
"output_path": "/data/artifact.png",
"hf_token_present": True,
"lora_status": "loaded",
"lora_repo_id": "DeverStyle/Flux.2-Klein-Loras",
"lora_message": "Adapter loaded and applied for this generation.",
},
"creator_controls": {
"reasoning_mode": "Strict",
"wardrobe": {"outerwear": "black patent leather long coat", "footwear": "platform boots"},
},
"reference_metadata": [
{
"source": "upload",
"basename": "C:/Users/speci.000/Downloads/reference.png",
"sha256": "a" * 64,
"size_bytes": 128,
"st3gg_status": "pass",
"export_gate": "clear",
}
],
"minicpm_judge": {"status": "success", "repo_id": "openbmb/MiniCPM-V-4.6"},
"nemotron_evidence": {"status": "missing_secret", "repo_id": "nvidia/NVIDIA-Nemotron-Parse-v1.2"},
}
state.update(overrides)
return state
def test_write_export_packet_records_evidence_without_secrets(monkeypatch) -> None:
export_dir = Path("outputs/test-exports")
monkeypatch.setenv("NEXUS_EXPORT_DIR", str(export_dir))
run = build_command_center_run("gothic couture archivist, platform boots")
scan = {"status": "pass", "export_gate": "clear", "findings": [], "purification_actions": []}
state = _make_base_state()
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
assert payload["run_id"] == run.checkpoint.checkpoint_id
assert payload["hackathon_claims"]["openbmb_lane"] is True
assert payload["hackathon_claims"]["nvidia_nemotron_lane"] is False
assert payload["parameter_budget"]["status"] == "pass"
assert "token" not in json.dumps(payload).lower()
assert payload["artifact"] == "artifact.png"
assert payload["image_basename"] == "artifact.png"
assert payload["generation"]["output_path"] == "artifact.png"
assert payload["lora_status"]["status"] == "loaded"
assert payload["creator_controls"]["wardrobe"]["footwear"] == "platform boots"
assert payload["reference_metadata"][0]["basename"] == "reference.png"
assert "/data/" not in json.dumps(payload)
def test_export_packet_sanitizes_run_id_before_writing(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("path traversal export brief")
run = replace(run, checkpoint=replace(run.checkpoint, checkpoint_id="../unsafe/path\\with:chars"))
scan = {"status": "pass", "export_gate": "clear"}
result = write_export_packet(run=run, scan=scan, operator_state=_make_base_state(), adult_mode=False)
path = Path(result["path"])
payload = json.loads(path.read_text(encoding="utf-8"))
assert path.parent == export_root()
assert ".." not in path.name
assert "\\" not in path.name
assert "/" not in path.name
assert payload["run_id"] == "unsafe-path-with-chars"
def test_export_packet_sanitizes_prompt_checkpoint_and_provider_state(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("prompt contains MINICPM_API_KEY and C:/Users/speci.000/secret.png")
run = replace(
run,
refined_prompt=replace(run.refined_prompt, refined="refined path /data/nexus_visual_weaver/secret.png"),
checkpoint=replace(
run.checkpoint,
recommendation="set NEMOTRON_API_KEY",
required_actions=["review C:/Users/speci.000/Downloads/raw.png"],
),
)
scan = {"status": "pass", "export_gate": "clear"}
state = _make_base_state(
provider_state="Bearer " + "hidden-provider-token",
message="operator message with HF_TOKEN",
)
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
serialized = json.dumps(json.loads(Path(result["path"]).read_text(encoding="utf-8")))
assert "MINICPM_API_KEY" not in serialized
assert "NEMOTRON_API_KEY" not in serialized
assert "HF_TOKEN" not in serialized
assert "C:/Users/speci.000" not in serialized
assert "/data/" not in serialized
assert "Bearer " + "hidden-provider-token" not in serialized
def test_export_packet_has_correct_schema_version(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("dark couture brief")
scan = {"status": "pass", "export_gate": "clear"}
state = _make_base_state()
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
assert payload["schema"] == "nexus_visual_weaver.export_packet.v1"
def test_export_packet_stores_adult_mode_flag(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run_public = build_command_center_run("dark couture brief", adult_mode=False)
run_private = build_command_center_run("dark couture brief", adult_mode=True)
scan = {"status": "pass", "export_gate": "clear"}
result_public = write_export_packet(run=run_public, scan=scan, operator_state=_make_base_state(), adult_mode=True)
result_private = write_export_packet(run=run_private, scan=scan, operator_state=_make_base_state(), adult_mode=False)
public_payload = json.loads(Path(result_public["path"]).read_text(encoding="utf-8"))
private_payload = json.loads(Path(result_private["path"]).read_text(encoding="utf-8"))
assert public_payload["adult_mode"] is False
assert private_payload["adult_mode"] is True
assert public_payload["model_stack"][0]["repo_id"] == run_public.model_stack[0].repo_id
assert private_payload["model_stack"][0]["repo_id"] == run_private.model_stack[0].repo_id
def test_export_packet_removes_hf_token_from_generation(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("gothic platform boots brief")
scan = {"status": "pass", "export_gate": "clear"}
state = _make_base_state(
generation={"status": "success", "output_path": "/data/artifact.png", "hf_token_present": True},
)
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
assert "hf_token_present" not in payload["generation"]
assert "token" not in json.dumps(payload).lower()
def test_export_packet_hackathon_claims_both_success(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("couture archivist brief")
scan = {"status": "pass", "export_gate": "clear"}
state = _make_base_state(
minicpm_judge={"status": "success"},
nemotron_evidence={"status": "success"},
)
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
assert payload["hackathon_claims"]["openbmb_lane"] is True
assert payload["hackathon_claims"]["nvidia_nemotron_lane"] is True
assert payload["hackathon_claims"]["gradio_space"] is True
assert payload["hackathon_claims"]["off_brand_custom_ui"] is True
def test_export_packet_hackathon_claims_st3gg_export_gate(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run_clear = build_command_center_run("scan gate test brief clear")
run_blocked = build_command_center_run("scan gate test brief blocked")
scan_clear = {"status": "pass", "export_gate": "clear"}
scan_blocked = {"status": "review", "export_gate": "blocked"}
result_clear = write_export_packet(run=run_clear, scan=scan_clear, operator_state=_make_base_state(), adult_mode=False)
result_blocked = write_export_packet(run=run_blocked, scan=scan_blocked, operator_state=_make_base_state(), adult_mode=False)
payload_clear = json.loads(Path(result_clear["path"]).read_text(encoding="utf-8"))
payload_blocked = json.loads(Path(result_blocked["path"]).read_text(encoding="utf-8"))
assert payload_clear["hackathon_claims"]["st3gg_export_gate"] == "clear"
assert payload_blocked["hackathon_claims"]["st3gg_export_gate"] == "blocked"
def test_export_packet_includes_model_stack_and_prompts(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("raven archivist couture brief")
scan = {"status": "pass", "export_gate": "clear"}
result = write_export_packet(run=run, scan=scan, operator_state=_make_base_state(), adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
assert isinstance(payload["model_stack"], list)
assert len(payload["model_stack"]) > 0
assert all("repo_id" in entry and "params_b" in entry for entry in payload["model_stack"])
assert isinstance(payload["prompt"], str)
assert isinstance(payload["refined_prompt"], str)
assert isinstance(payload["created_at_epoch"], int)
def test_export_root_uses_nexus_export_dir_env(monkeypatch) -> None:
custom_dir = Path("outputs/test-exports/custom_export")
monkeypatch.setenv("NEXUS_EXPORT_DIR", str(custom_dir))
root = export_root()
assert root == custom_dir.resolve()
assert root.is_dir()
def test_export_root_rejects_src_export_dir(monkeypatch) -> None:
unsafe_dir = Path("src/nexus_visual_weaver/export-leak")
monkeypatch.setenv("NEXUS_EXPORT_DIR", str(unsafe_dir))
root = export_root()
src_root = (Path.cwd() / "src").resolve()
assert root != src_root
assert src_root not in root.parents
assert not unsafe_dir.exists()
def test_export_root_falls_back_to_outputs_when_no_env(monkeypatch) -> None:
monkeypatch.delenv("NEXUS_EXPORT_DIR", raising=False)
# Patch /data so it is not seen as existing
import nexus_visual_weaver.exporter as exporter_mod
original_exists = Path.exists
def patched_exists(self):
"""
Custom exists check that treats "/data" as non-existent.
Returns:
False if the path is "/data", otherwise the original exists check result.
"""
if str(self) == "/data":
return False
return original_exists(self)
monkeypatch.setattr(Path, "exists", patched_exists)
root = export_root()
assert "outputs" in str(root) or "exports" in str(root)
def test_export_packet_returns_both_path_and_packet(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("return structure brief")
scan = {"status": "pass", "export_gate": "clear"}
result = write_export_packet(run=run, scan=scan, operator_state=_make_base_state(), adult_mode=False)
assert "path" in result
assert "packet" in result
assert isinstance(result["packet"], dict)
assert result["packet"]["schema"] == "nexus_visual_weaver.export_packet.v1"
def test_export_packet_redacts_raw_payload_paths_and_secret_like_values(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run(
"redaction brief",
creator_controls={"wardrobe": {"footwear": "platform boots"}},
reference_metadata=[{"source": "url", "domain": "shop.example.test", "url_hash": "b" * 64}],
)
scan = {
"status": "review",
"export_gate": "blocked",
"payload_excerpt": "hf_" + "abcdefghijklmnopqrstuvwxyz123456",
"findings": ["raw hidden bytes at C:/Users/speci.000/Downloads/thing.png"],
"purification_actions": ["base64 payload removed from /data/nexus_visual_weaver/artifact.png"],
}
state = _make_base_state(
generation={
"status": "success",
"provider_state": "generated",
"output_path": "/data/nexus_visual_weaver/artifact.png",
"hf_token_present": True,
"lora_status": "failed",
"lora_repo_id": "example/lora",
"lora_message": "RuntimeError: failed without token value",
},
minicpm_judge={
"status": "failed",
"provider_state": "failed",
"provider": "OpenBMB",
"repo_id": "openbmb/MiniCPM-V-4.6",
"model": "MiniCPM-V-4.6",
"message": "Set MINICPM_API_KEY in Space secrets.",
"evidence": {"raw_summary": "Bearer " + "secret-value", "configured": True},
},
reference_metadata=[
{
"source": "upload",
"basename": "C:/Users/speci.000/Downloads/reference.png",
"sha256": "c" * 64,
"size_bytes": 2048,
"st3gg_status": "review",
"export_gate": "blocked",
}
],
)
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
serialized = json.dumps(payload)
assert "payload_excerpt" not in serialized
assert "raw_summary" not in serialized
assert "Bearer " + "secret-value" not in serialized
assert "MINICPM_API_KEY" not in serialized
assert "/data/" not in serialized
assert "C:/Users/speci.000/Downloads" not in serialized
assert payload["st3gg_verdict"] == {"status": "review", "export_gate": "blocked"}
assert payload["provider_states"]["minicpm"] == "failed"
def test_export_packet_records_st3gg_override_reason(monkeypatch) -> None:
monkeypatch.setenv("NEXUS_EXPORT_DIR", "outputs/test-exports")
run = build_command_center_run("gothic patent leather platform boots")
scan = {"status": "review", "export_gate": "blocked", "findings": ["metadata review"], "purification_actions": ["strip metadata"]}
state = _make_base_state(
st3gg_override_reason="Operator reviewed the ST3GG findings and is writing an audit packet only.",
export="override",
)
result = write_export_packet(run=run, scan=scan, operator_state=state, adult_mode=False)
payload = json.loads(Path(result["path"]).read_text(encoding="utf-8"))
assert payload["st3gg_verdict"] == {"status": "review", "export_gate": "blocked"}
assert payload["st3gg_override"] == {
"used": True,
"reason": "Operator reviewed the ST3GG findings and is writing an audit packet only.",
}
# --- _is_within tests ---
from nexus_visual_weaver.exporter import (
_artifact_name,
_is_within,
_safe_dict,
_safe_export_candidate,
_safe_provider,
_safe_reference_metadata,
_safe_scan,
_sanitize_text,
REPO_ROOT,
)
def test_is_within_returns_true_for_child_path() -> None:
root = Path("/some/root")
child = Path("/some/root/subdir/file.txt")
assert _is_within(child, root) is True
def test_is_within_returns_false_for_sibling_path() -> None:
root = Path("/some/root")
sibling = Path("/some/other/file.txt")
assert _is_within(sibling, root) is False
def test_is_within_returns_false_for_parent_path() -> None:
root = Path("/some/root/subdir")
parent = Path("/some/root")
assert _is_within(parent, root) is False
def test_is_within_returns_false_for_same_path() -> None:
root = Path("/some/root")
# Same path is not "within" itself (relative_to with same path succeeds but returns empty Path)
# _is_within should return True for same path since relative_to doesn't raise
result = _is_within(root, root)
# Same path: relative_to returns Path('.') or empty - shouldn't raise, returns True
assert result is True
# --- _artifact_name tests ---
def test_artifact_name_returns_filename_from_unix_path() -> None:
assert _artifact_name("/data/nexus_visual_weaver/artifact.png") == "artifact.png"
def test_artifact_name_returns_filename_from_windows_path() -> None:
assert _artifact_name(r"C:\Users\user\Downloads\artifact.png") == "artifact.png"
def test_artifact_name_returns_none_for_none() -> None:
assert _artifact_name(None) is None
def test_artifact_name_returns_none_for_empty_string() -> None:
assert _artifact_name("") is None
def test_artifact_name_returns_filename_for_simple_name() -> None:
assert _artifact_name("artifact.png") == "artifact.png"
# --- _sanitize_text tests ---
def test_sanitize_text_redacts_hf_token() -> None:
fake_token = "hf_" + "abcdefghijklmnopqrstuvwxyz1234567"
text = f"token is {fake_token}"
result = _sanitize_text(text)
assert fake_token not in result
assert "[redacted_secret]" in result
def test_sanitize_text_redacts_bearer_token() -> None:
fake_token = "sk-test-" + "abcdefghijklmnopqrstu"
text = "Authorization: Bearer " + fake_token
result = _sanitize_text(text)
assert fake_token not in result
def test_sanitize_text_redacts_credential_names() -> None:
text = "Please set MINICPM_API_KEY and NEMOTRON_API_KEY"
result = _sanitize_text(text)
assert "MINICPM_API_KEY" not in result
assert "NEMOTRON_API_KEY" not in result
assert "[redacted_credential_name]" in result
def test_sanitize_text_redacts_windows_paths() -> None:
text = "Found at C:\\Users\\user\\Downloads\\artifact.png"
result = _sanitize_text(text)
assert "C:\\Users\\user\\Downloads" not in result
assert "[local_path]/artifact.png" in result
def test_sanitize_text_redacts_data_paths() -> None:
text = "Output stored at /data/nexus_visual_weaver/artifact.png"
result = _sanitize_text(text)
assert "/data/nexus_visual_weaver" not in result
assert "[data]/" in result
def test_sanitize_text_truncates_to_1000_chars() -> None:
long_text = "safe text " * 200
result = _sanitize_text(long_text)
assert len(result) <= 1000
assert result.endswith("...")
def test_sanitize_text_does_not_truncate_short_text() -> None:
short_text = "safe short text without secrets"
result = _sanitize_text(short_text)
assert result == short_text
# --- _safe_dict tests ---
def test_safe_dict_drops_sensitive_keys() -> None:
data = {
"status": "ok",
"token": "hf_secretvalue",
"api_key": "sk-secretvalue",
"message": "clean",
}
result = _safe_dict(data)
assert "status" in result
assert "message" in result
assert "token" not in result
assert "api_key" not in result
def test_safe_dict_preserves_safe_keys() -> None:
data = {"status": "pass", "export_gate": "clear", "extension": ".png"}
result = _safe_dict(data)
assert result == data
def test_safe_dict_handles_nested_dicts() -> None:
data = {"outer": {"secret": "hidden", "safe_field": "visible"}}
result = _safe_dict(data)
assert "secret" not in result.get("outer", {})
assert result["outer"]["safe_field"] == "visible"
def test_safe_dict_limits_lists_to_40() -> None:
data = list(range(50))
result = _safe_dict(data)
assert len(result) == 40
def test_safe_dict_sanitizes_string_values() -> None:
data = {"message": "Error: MINICPM_API_KEY not set"}
result = _safe_dict(data)
assert "MINICPM_API_KEY" not in result.get("message", "")
def test_safe_dict_preserves_size_bytes_when_allowed() -> None:
data = {"size_bytes": 1024, "token": "hf_" + "secret123456789012345"}
result = _safe_dict(data, allow_size_bytes=True)
assert "size_bytes" in result
assert result["size_bytes"] == 1024
assert "token" not in result
def test_safe_dict_drops_size_bytes_by_default() -> None:
# "bytes" matches the sensitive key pattern
data = {"size_bytes": 1024, "status": "ok"}
result = _safe_dict(data)
assert "size_bytes" not in result
def test_safe_dict_returns_non_dict_non_list_unchanged() -> None:
assert _safe_dict(42) == 42
assert _safe_dict(3.14) == 3.14
assert _safe_dict(True) is True
assert _safe_dict(None) is None
# --- _safe_scan tests ---
def test_safe_scan_extracts_required_fields() -> None:
scan = {
"status": "pass",
"scanner": "ST3GG v2",
"export_gate": "clear",
"extension": ".png",
"magic": "PNG",
"findings": ["no issues"],
"purification_actions": ["none needed"],
"payload_excerpt": "HIDDEN_SENSITIVE_DATA",
}
result = _safe_scan(scan)
assert result["status"] == "pass"
assert result["scanner"] == "ST3GG v2"
assert result["export_gate"] == "clear"
assert result["extension"] == ".png"
assert result["magic"] == "PNG"
assert "payload_excerpt" not in result
def test_safe_scan_handles_empty_scan() -> None:
result = _safe_scan({})
assert "status" in result
assert "export_gate" in result
assert result["status"] is None
assert result["export_gate"] is None
def test_safe_scan_sanitizes_findings() -> None:
scan = {
"findings": ["found MINICPM_API_KEY pattern", "raw bytes at C:\\Users\\data\\file.png"],
}
result = _safe_scan(scan)
serialized = json.dumps(result)
assert "MINICPM_API_KEY" not in serialized
assert "C:\\Users\\data" not in serialized
# --- _safe_provider tests ---
def test_safe_provider_extracts_fields() -> None:
provider = {
"status": "success",
"provider_state": "configured",
"provider": "OpenBMB",
"repo_id": "openbmb/MiniCPM-V-4.6",
"model": "MiniCPM-V-4.6",
"message": "judge returned evidence",
"evidence": {"overall_status": "pass"},
"latency_seconds": 1.23,
}
result = _safe_provider(provider)
assert result["status"] == "success"
assert result["provider"] == "OpenBMB"
assert result["repo_id"] == "openbmb/MiniCPM-V-4.6"
assert result["latency_seconds"] == 1.23
assert result["evidence"]["overall_status"] == "pass"
def test_safe_provider_handles_none_input() -> None:
result = _safe_provider(None)
assert isinstance(result, dict)
assert "status" in result
assert result["status"] is None
def test_safe_provider_redacts_secret_values_in_evidence() -> None:
provider = {
"status": "failed",
"evidence": {"token_used": "hf_" + "abcdefghijklmnopqrstuvwx", "raw": "sensitive-data"},
}
result = _safe_provider(provider)
assert "token_used" not in result["evidence"]
assert "raw" not in result["evidence"]
def test_safe_provider_handles_non_dict_evidence() -> None:
provider = {"status": "success", "evidence": "plain string evidence"}
result = _safe_provider(provider)
# Non-dict evidence should be treated as empty
assert result["evidence"] == {}
# --- _safe_reference_metadata tests ---
def test_safe_reference_metadata_returns_empty_for_non_list() -> None:
assert _safe_reference_metadata(None) == []
assert _safe_reference_metadata("string") == []
assert _safe_reference_metadata(42) == []
def test_safe_reference_metadata_extracts_fields_from_records() -> None:
records = [
{
"source": "upload",
"status": "pass",
"basename": "C:/Users/user/Downloads/reference.png",
"sha256": "a" * 64,
"size_bytes": 1024,
"st3gg_status": "pass",
"export_gate": "clear",
"magic": "PNG",
"extension": ".png",
}
]
result = _safe_reference_metadata(records)
assert len(result) == 1
assert result[0]["source"] == "upload"
assert result[0]["basename"] == "reference.png" # Only filename, not full path
assert result[0]["sha256"] == "a" * 64
assert result[0]["export_gate"] == "clear"
def test_safe_reference_metadata_limits_to_20_records() -> None:
records = [{"source": "upload", "sha256": str(i)} for i in range(30)]
result = _safe_reference_metadata(records)
assert len(result) == 20
def test_safe_reference_metadata_skips_non_dict_records() -> None:
records = [{"source": "upload"}, "not a dict", None, {"source": "url"}]
result = _safe_reference_metadata(records)
assert len(result) == 2
assert all(isinstance(r, dict) for r in result)
def test_safe_reference_metadata_includes_url_fields() -> None:
records = [
{
"source": "url",
"status": "metadata_only",
"domain": "shop.example.test",
"url_hash": "b" * 64,
}
]
result = _safe_reference_metadata(records)
assert result[0]["domain"] == "shop.example.test"
assert result[0]["url_hash"] == "b" * 64
# --- _safe_export_candidate tests ---
def test_safe_export_candidate_accepts_outputs_dir() -> None:
candidate = REPO_ROOT / "outputs" / "exports" / "test-subdir"
result = _safe_export_candidate(candidate)
assert result is not None
assert "outputs" in str(result)
def test_safe_export_candidate_rejects_src_dir() -> None:
candidate = REPO_ROOT / "src" / "nexus_visual_weaver" / "exports"
result = _safe_export_candidate(candidate)
assert result is None
def test_safe_export_candidate_rejects_src_root_itself() -> None:
candidate = REPO_ROOT / "src"
result = _safe_export_candidate(candidate)
assert result is None