Merge pull request #50 from zvx-echo6/chore/config-store-test-isolation

chore(M-b): clear get_settings lru_cache in test fixtures (fixes order-dependent crypto failures + 3 latent siblings)
2026-05-21 18:14:44 +02:00 · 2026-05-21 09:52:29 -06:00 · 2026-05-21 15:51:51 +00:00 · 2026-05-21 08:24:10 -06:00 · 2026-05-21 14:23:31 +00:00
5 changed files with 116 additions and 14 deletions
--- a/tests/conftest.py
+++ b/tests/conftest.py
@ -13,6 +13,25 @@ from unittest.mock import AsyncMock, MagicMock, patch
 from central.bootstrap_config import Settings
@pytest.fixture(autouse=True)
 def isolate_enrichment_cache(tmp_path, monkeypatch):
    """Redirect the supervisor's enrichment cache off the production path.
    `central.supervisor.ENRICHMENT_CACHE_DB_PATH` defaults to
    /var/lib/central/enrichment_cache.db. Constructing a Supervisor opens it,
    so without this fixture the suite writes to (or, for any user without write
    access to /var/lib/central, fails on) the live cache. Point it at a
    per-test temp dir so no test ever touches the production path.
    """
    import central.supervisor as supervisor_mod
    monkeypatch.setattr(
        supervisor_mod,
        "ENRICHMENT_CACHE_DB_PATH",
        tmp_path / "enrichment_cache.db",
    )
@pytest.fixture(scope="session")
 def event_loop():
    """Create an event loop for the test session."""
--- a/tests/test_config_source.py
+++ b/tests/test_config_source.py
@ -12,6 +12,7 @@ from central.config_source import (
    ConfigSource,
    DbConfigSource,
 )
 from central.bootstrap_config import get_settings
 from central.crypto import KEY_SIZE, clear_key_cache
 # Test database DSN
@ -31,11 +32,20 @@ def master_key_path(tmp_path_factory: pytest.TempPathFactory) -> Path:
@pytest.fixture(autouse=True)
-def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch):
-    """Configure master key path for all tests."""
+    """Configure master key path for all tests.
-    clear_key_cache()
+
    Clear get_settings (and the crypto key cache) AFTER setting the env so
    crypto rebuilds from the test key regardless of suite order, and again on
    teardown so the test key never leaks into a later test. See PR M-b.
    """
    monkeypatch.setenv("CENTRAL_DB_DSN", TEST_DB_DSN)
    monkeypatch.setenv("CENTRAL_MASTER_KEY_PATH", str(master_key_path))
    clear_key_cache()
    get_settings.cache_clear()
    yield
    clear_key_cache()
    get_settings.cache_clear()
@pytest_asyncio.fixture
--- a/tests/test_config_store.py
+++ b/tests/test_config_store.py
@ -13,6 +13,7 @@ import asyncpg
 import pytest
 import pytest_asyncio
 from central.bootstrap_config import get_settings
 from central.config_store import ConfigStore
 from central.crypto import KEY_SIZE, clear_key_cache
@ -34,12 +35,24 @@ def master_key_path(tmp_path_factory: pytest.TempPathFactory) -> Path:
@pytest.fixture(autouse=True)
-def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch):
-    """Configure master key path for all tests."""
+    """Configure master key path for all tests.
-    clear_key_cache()
+
    CENTRAL_MASTER_KEY_PATH feeds Settings, which get_settings() lru-caches. An
    earlier test can warm that cache with the default /etc/central/master.key
    before this fixture runs, so the env change alone is not enough — clear
    get_settings (and the crypto key cache) AFTER setting the env so crypto
    rebuilds from the test key regardless of suite order, and again on teardown
    so the test key never leaks into a later test.
    """
    monkeypatch.setenv("CENTRAL_DB_DSN", TEST_DB_DSN)
    monkeypatch.setenv("CENTRAL_MASTER_KEY_PATH", str(master_key_path))
    monkeypatch.setenv("CENTRAL_CSRF_SECRET", "test-csrf-secret-for-testing-only-32chars")
    clear_key_cache()
    get_settings.cache_clear()
    yield
    clear_key_cache()
    get_settings.cache_clear()
@pytest_asyncio.fixture
@ -338,3 +351,13 @@ class TestListenerReconnect:
            pytest.fail("Listener did not stop after cancellation")
        assert listen_task.cancelled() or listen_task.done()
 def test_master_key_path_is_isolated(master_key_path: Path) -> None:
    """Contract: after setup_master_key runs, get_settings() resolves the master
    key to the per-session test key — never the production /etc/central path —
    regardless of suite order. Fails on the pre-fix code in a full-suite run
    where get_settings was warmed with the default path by an earlier test.
    """
    assert get_settings().master_key_path == master_key_path
    assert get_settings().master_key_path != Path("/etc/central/master.key")
--- a/tests/test_supervisor_hotreload.py
+++ b/tests/test_supervisor_hotreload.py
@ -14,6 +14,7 @@ import pytest_asyncio
 from central.config_models import AdapterConfig
 from central.config_source import DbConfigSource
 from central.config_store import ConfigStore
 from central.bootstrap_config import get_settings
 from central.crypto import KEY_SIZE, clear_key_cache
 # Test database DSN
@ -33,11 +34,20 @@ def master_key_path(tmp_path_factory: pytest.TempPathFactory) -> Path:
@pytest.fixture(autouse=True)
-def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch):
-    """Configure master key path for all tests."""
+    """Configure master key path for all tests.
-    clear_key_cache()
+
    Clear get_settings (and the crypto key cache) AFTER setting the env so
    crypto rebuilds from the test key regardless of suite order, and again on
    teardown so the test key never leaks into a later test. See PR M-b.
    """
    monkeypatch.setenv("CENTRAL_DB_DSN", TEST_DB_DSN)
    monkeypatch.setenv("CENTRAL_MASTER_KEY_PATH", str(master_key_path))
    clear_key_cache()
    get_settings.cache_clear()
    yield
    clear_key_cache()
    get_settings.cache_clear()
@pytest_asyncio.fixture
--- a/tests/test_supervisor_integration.py
+++ b/tests/test_supervisor_integration.py
@ -20,6 +20,7 @@ import pytest
 import pytest_asyncio
 from central.config_models import AdapterConfig
 from central.bootstrap_config import get_settings
 from central.crypto import KEY_SIZE, clear_key_cache
@ -56,11 +57,20 @@ def master_key_path(tmp_path_factory: pytest.TempPathFactory) -> Path:
@pytest.fixture(autouse=True)
-def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+def setup_master_key(master_key_path: Path, monkeypatch: pytest.MonkeyPatch):
-    """Configure master key path for all tests."""
+    """Configure master key path for all tests.
-    clear_key_cache()
+
    Clear get_settings (and the crypto key cache) AFTER setting the env so
    crypto rebuilds from the test key regardless of suite order, and again on
    teardown so the test key never leaks into a later test. See PR M-b.
    """
    monkeypatch.setenv("CENTRAL_DB_DSN", TEST_DB_DSN)
    monkeypatch.setenv("CENTRAL_MASTER_KEY_PATH", str(master_key_path))
    clear_key_cache()
    get_settings.cache_clear()
    yield
    clear_key_cache()
    get_settings.cache_clear()
 class MockConfigSource:
@ -139,12 +149,18 @@ class MockNWSAdapter:
@pytest.fixture
 def mock_nats():
-    """Mock NATS connection."""
+    """Mock NATS connection.
    nats-py's `nc.jetstream()` is synchronous, so model it with a sync
    MagicMock. (As an AsyncMock attribute, `supervisor._js = nc.jetstream()`
    would assign an unawaited coroutine — the "coroutine ... was never awaited"
    warning — rather than the JetStream mock.)
    """
    mock_nc = AsyncMock()
    mock_nc.publish = AsyncMock()
    mock_js = AsyncMock()
    mock_js.publish = AsyncMock()
-    mock_nc.jetstream.return_value = mock_js
+    mock_nc.jetstream = MagicMock(return_value=mock_js)
    return mock_nc
@ -574,3 +590,27 @@ class TestEnableDisableEnableIntegration:
        # State should be gone
        assert "nws" not in supervisor._adapter_states
 def test_enrichment_cache_path_is_hermetic(mock_config_store, tmp_path: Path) -> None:
    """No test may touch the production enrichment cache.
    The autouse `isolate_enrichment_cache` fixture (conftest) must redirect
    ENRICHMENT_CACHE_DB_PATH off /var/lib/central onto a per-test temp dir, and
    constructing a Supervisor must open the cache there — not in production.
    """
    import central.supervisor as supervisor_mod
    patched = supervisor_mod.ENRICHMENT_CACHE_DB_PATH
    assert tmp_path in patched.parents
    assert "/var/lib/central" not in str(patched)
    supervisor = supervisor_mod.Supervisor(
        config_source=MockConfigSource(),
        config_store=mock_config_store,
        nats_url="nats://localhost:4222",
        cloudevents_config=None,
    )
    # __init__ opened the cache at the temp path, leaving the db file behind.
    assert patched.exists()
    assert supervisor._enrichment_cache is not None
Author	SHA1	Message	Date
malice	e33a896592	Merge pull request #50 from zvx-echo6/chore/config-store-test-isolation chore(M-b): clear get_settings lru_cache in test fixtures (fixes order-dependent crypto failures + 3 latent siblings)	2026-05-21 09:52:29 -06:00
zvx	f666014821	chore(M-b): clear get_settings lru_cache in test fixtures (fixes order-dependent crypto failures + 3 latent siblings) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-21 15:51:51 +00:00
malice	69dddd0240	Merge pull request #49 from zvx-echo6/chore/hermetic-enrichment-cache chore(M): make enrichment-cache path test-hermetic via conftest autouse fixture	2026-05-21 08:24:10 -06:00
zvx	765635e720	chore(M): make enrichment-cache path test-hermetic via conftest autouse fixture Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-21 14:23:31 +00:00