Split the CLI tests into one file per class/group (9ad57b1) - derivepassphrase.git

Split the CLI tests into one file per class/group

Marco Ricci commited on 2025-08-09 16:22:42
Zeige 5 geänderte Dateien mit 4745 Einfügungen und 4597 Löschungen.

The CLI tests, already loosely grouped through the use of classes, are
now distributed to different files, one file per test class.

This is mostly an attempt to keep the file size managable. Navigating in
a multi-thousand-line Python file with very similar looking tests gets
disorienting very quickly.

tests/test_derivepassphrase_cli/__init__.py 62fdf37..56c3af0
tests/test_derivepassphrase_cli/test_all_cli.py 0000000..06dc2b6
tests/test_derivepassphrase_cli/test_shell_completion.py 0000000..6a899aa
tests/test_derivepassphrase_cli/test_transition.py 0000000..ce76420
tests/test_derivepassphrase_cli/test_utils.py 0000000..dfd4380

tests/test_derivepassphrase_cli/__init__.py

Zeige Datei @ 9ad57b1

@@ -4,30 +4,19 @@
 
 from __future__ import annotations
 
-import base64
 import contextlib
 import copy
-import ctypes
-import enum
 import errno
-import io
 import json
-import logging
-import operator
 import os
 import pathlib
-import re
-import shlex
 import shutil
 import socket
-import tempfile
 import textwrap
 import types
-import warnings
 from typing import TYPE_CHECKING
 
 import click.testing
-import exceptiongroup
 import hypothesis
 import pytest
 from hypothesis import strategies
@@ -36,18 +25,14 @@ from typing_extensions import Any, NamedTuple
 from derivepassphrase import _types, cli, ssh_agent, vault
 from derivepassphrase._internals import (
     cli_helpers,
-    cli_machinery,
     cli_messages,
 )
-from derivepassphrase.ssh_agent import socketprovider
 from tests import data, machinery
 from tests.data import callables
 from tests.machinery import hypothesis as hypothesis_machinery
 from tests.machinery import pytest as pytest_machinery
 
 if TYPE_CHECKING:
-    from collections.abc import Callable, Iterable, Iterator, Sequence
-    from collections.abc import Set as AbstractSet
     from typing import NoReturn
 
     from typing_extensions import Literal
@@ -90,43 +75,6 @@ class OptionCombination(NamedTuple):
     check_success: bool
 
 
-class VersionOutputData(NamedTuple):
-    derivation_schemes: dict[str, bool]
-    foreign_configuration_formats: dict[str, bool]
-    extras: frozenset[str]
-    subcommands: frozenset[str]
-    features: dict[str, bool]
-
-
-class KnownLineType(str, enum.Enum):
-    SUPPORTED_FOREIGN_CONFS = cli_messages.Label.SUPPORTED_FOREIGN_CONFIGURATION_FORMATS.value.singular.rstrip(
-        ":"
-    )
-    UNAVAILABLE_FOREIGN_CONFS = cli_messages.Label.UNAVAILABLE_FOREIGN_CONFIGURATION_FORMATS.value.singular.rstrip(
-        ":"
-    )
-    SUPPORTED_SCHEMES = (
-        cli_messages.Label.SUPPORTED_DERIVATION_SCHEMES.value.singular.rstrip(
-            ":"
-        )
-    )
-    UNAVAILABLE_SCHEMES = cli_messages.Label.UNAVAILABLE_DERIVATION_SCHEMES.value.singular.rstrip(
-        ":"
-    )
-    SUPPORTED_SUBCOMMANDS = (
-        cli_messages.Label.SUPPORTED_SUBCOMMANDS.value.singular.rstrip(":")
-    )
-    SUPPORTED_FEATURES = (
-        cli_messages.Label.SUPPORTED_FEATURES.value.singular.rstrip(":")
-    )
-    UNAVAILABLE_FEATURES = (
-        cli_messages.Label.UNAVAILABLE_FEATURES.value.singular.rstrip(":")
-    )
-    ENABLED_EXTRAS = (
-        cli_messages.Label.ENABLED_PEP508_EXTRAS.value.singular.rstrip(":")
-    )
-
-
 PASSPHRASE_GENERATION_OPTIONS: list[tuple[str, ...]] = [
     ("--phrase",),
     ("--key",),
@@ -320,535 +268,12 @@ def assert_vault_config_is_indented_and_line_broken(
     ])
 
 
-def vault_config_exporter_shell_interpreter(  # noqa: C901
-    script: str | Iterable[str],
-    /,
-    *,
-    prog_name_list: list[str] | None = None,
-    command: click.BaseCommand | None = None,
-    runner: machinery.CliRunner | None = None,
-) -> Iterator[machinery.ReadableResult]:
-    """A rudimentary sh(1) interpreter for `--export-as=sh` output.
-
-    Assumes a script as emitted by `derivepassphrase vault
-    --export-as=sh --export -` and interprets the calls to
-    `derivepassphrase vault` within.  (One call per line, skips all
-    other lines.)  Also has rudimentary support for (quoted)
-    here-documents using `HERE` as the marker.
-
-    """
-    if isinstance(script, str):  # pragma: no cover
-        script = script.splitlines(False)
-    if prog_name_list is None:  # pragma: no cover
-        prog_name_list = ["derivepassphrase", "vault"]
-    if command is None:  # pragma: no cover
-        command = cli.derivepassphrase_vault
-    if runner is None:  # pragma: no cover
-        runner = machinery.CliRunner(mix_stderr=False)
-    n = len(prog_name_list)
-    it = iter(script)
-    while True:
-        try:
-            raw_line = next(it)
-        except StopIteration:
-            break
-        else:
-            line = shlex.split(raw_line)
-        input_buffer: list[str] = []
-        if line[:n] != prog_name_list:
-            continue
-        line[:n] = []
-        if line and line[-1] == "<<HERE":
-            # naive HERE document support
-            while True:
-                try:
-                    raw_line = next(it)
-                except StopIteration as exc:  # pragma: no cover
-                    msg = "incomplete here document"
-                    raise EOFError(msg) from exc
-                else:
-                    if raw_line == "HERE":
-                        break
-                    input_buffer.append(raw_line)
-            line.pop()
-        yield runner.invoke(
-            command,
-            line,
-            catch_exceptions=False,
-            input=("".join(x + "\n" for x in input_buffer) or None),
-        )
-
-
-def parse_version_output(  # noqa: C901
-    version_output: str,
-    /,
-    *,
-    prog_name: str | None = cli_messages.PROG_NAME,
-    version: str | None = cli_messages.VERSION,
-) -> VersionOutputData:
-    r"""Parse the output of the `--version` option.
-
-    The version output contains two paragraphs.  The first paragraph
-    details the version number, and the version number of any major
-    libraries in use.  The second paragraph details known and supported
-    passphrase derivation schemes, foreign configuration formats,
-    subcommands and PEP 508 package extras.  For the schemes and
-    formats, there is a "supported" line for supported items, and
-    a "known" line for known but currently unsupported items (usually
-    because of missing dependencies), either of which may be empty and
-    thus omitted.  For extras, only active items are shown, and there is
-    a separate message for the "no extras active" case.  Item lists may
-    be spilled across multiple lines, but only at item boundaries, and
-    the continuation lines are then indented.
-
-    Args:
-        version_output:
-            The version output text to parse.
-        prog_name:
-            The program name to assert, defaulting to the true program
-            name, `derivepassphrase`.  Set to `None` to disable this
-            check.
-        version:
-            The program version to assert, defaulting to the true
-            current version of `derivepassphrase`.  Set to `None` to
-            disable this check.
-
-    Examples:
-        See [`Parametrize.VERSION_OUTPUT_DATA`][].
-
-    """
-    paragraphs: list[list[str]] = []
-    paragraph: list[str] = []
-    for line in version_output.splitlines(keepends=False):
-        if not line.strip():
-            if paragraph:
-                paragraphs.append(paragraph.copy())
-            paragraph.clear()
-        elif paragraph and line.lstrip() != line:
-            paragraph[-1] = f"{paragraph[-1]} {line.lstrip()}"
-        else:
-            paragraph.append(line)
-    if paragraph:  # pragma: no branch
-        paragraphs.append(paragraph.copy())
-        paragraph.clear()
-    assert paragraphs, (
-        f"expected at least one paragraph of version output: {paragraphs!r}"
-    )
-    assert prog_name is None or prog_name in paragraphs[0][0], (
-        f"first version output line should mention "
-        f"{prog_name}: {paragraphs[0][0]!r}"
-    )
-    assert version is None or version in paragraphs[0][0], (
-        f"first version output line should mention the version number "
-        f"{version}: {paragraphs[0][0]!r}"
-    )
-    schemes: dict[str, bool] = {}
-    formats: dict[str, bool] = {}
-    subcommands: set[str] = set()
-    extras: set[str] = set()
-    features: dict[str, bool] = {}
-    if len(paragraphs) < 2:  # pragma: no cover
-        return VersionOutputData(
-            derivation_schemes=schemes,
-            foreign_configuration_formats=formats,
-            subcommands=frozenset(subcommands),
-            extras=frozenset(extras),
-            features=features,
-        )
-    for line in paragraphs[1]:
-        line_type, _, value = line.partition(":")
-        if line_type == line:
-            continue
-        for item_ in re.split(r"(?:, *|.$)", value):
-            item = item_.strip()
-            if not item:
-                continue
-            if line_type == KnownLineType.SUPPORTED_FOREIGN_CONFS:
-                formats[item] = True
-            elif line_type == KnownLineType.UNAVAILABLE_FOREIGN_CONFS:
-                formats[item] = False
-            elif line_type == KnownLineType.SUPPORTED_SCHEMES:
-                schemes[item] = True
-            elif line_type == KnownLineType.UNAVAILABLE_SCHEMES:
-                schemes[item] = False
-            elif line_type == KnownLineType.SUPPORTED_SUBCOMMANDS:
-                subcommands.add(item)
-            elif line_type == KnownLineType.ENABLED_EXTRAS:
-                extras.add(item)
-            elif line_type == KnownLineType.SUPPORTED_FEATURES:
-                features[item] = True
-            elif line_type == KnownLineType.UNAVAILABLE_FEATURES:
-                features[item] = False
-            else:
-                raise AssertionError(  # noqa: TRY003
-                    f"Unknown version info line type: {line_type!r}"  # noqa: EM102
-                )
-    return VersionOutputData(
-        derivation_schemes=schemes,
-        foreign_configuration_formats=formats,
-        subcommands=frozenset(subcommands),
-        extras=frozenset(extras),
-        features=features,
-    )
-
-
-def bash_format(item: click.shell_completion.CompletionItem) -> str:
-    """A formatter for `bash`-style shell completion items.
-
-    The format is `type,value`, and is dictated by [`click`][].
-
-    """
-    type, value = (  # noqa: A001
-        item.type,
-        item.value,
-    )
-    return f"{type},{value}"
-
-
-def fish_format(item: click.shell_completion.CompletionItem) -> str:
-    r"""A formatter for `fish`-style shell completion items.
-
-    The format is `type,value<tab>help`, and is dictated by [`click`][].
-
-    """
-    type, value, help = (  # noqa: A001
-        item.type,
-        item.value,
-        item.help,
-    )
-    return f"{type},{value}\t{help}" if help else f"{type},{value}"
-
-
-def zsh_format(item: click.shell_completion.CompletionItem) -> str:
-    r"""A formatter for `zsh`-style shell completion items.
-
-    The format is `type<newline>value<newline>help<newline>`, and is
-    dictated by [`click`][].  Upstream `click` currently (v8.2.0) does
-    not deal with colons in the value correctly when the help text is
-    non-degenerate.  Our formatter here does, provided the upstream
-    `zsh` completion script is used; see the
-    [`cli_machinery.ZshComplete`][] class.  A request is underway to
-    merge this change into upstream `click`; see
-    [`pallets/click#2846`][PR2846].
-
-    [PR2846]: https://github.com/pallets/click/pull/2846
-
-    """
-    empty_help = "_"
-    help_, value = (
-        (item.help, item.value.replace(":", r"\:"))
-        if item.help and item.help == empty_help
-        else (empty_help, item.value)
-    )
-    return f"{item.type}\n{value}\n{help_}"
-
-
-class ListKeysAction(str, enum.Enum):
-    """Test fixture settings for [`ssh_agent.SSHAgentClient.list_keys`][].
-
-    Attributes:
-        EMPTY: Return an empty key list.
-        FAIL: Raise an [`ssh_agent.SSHAgentFailedError`][].
-        FAIL_RUNTIME: Raise an [`ssh_agent.TrailingDataError`][].
-
-    """
-
-    EMPTY = enum.auto()
-    """"""
-    FAIL = enum.auto()
-    """"""
-    FAIL_RUNTIME = enum.auto()
-    """"""
-
-    def __call__(self, *_args: Any, **_kwargs: Any) -> Any:
-        """Execute the respective action."""
-        # TODO(the-13th-letter): Rewrite using structural pattern
-        # matching.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        if self == self.EMPTY:
-            return []
-        if self == self.FAIL:
-            raise ssh_agent.SSHAgentFailedError(
-                _types.SSH_AGENT.FAILURE.value, b""
-            )
-        if self == self.FAIL_RUNTIME:
-            raise ssh_agent.TrailingDataError()
-        raise AssertionError()
-
-
-class SignAction(str, enum.Enum):
-    """Test fixture settings for [`ssh_agent.SSHAgentClient.sign`][].
-
-    Attributes:
-        FAIL: Raise an [`ssh_agent.SSHAgentFailedError`][].
-        FAIL_RUNTIME: Raise an [`ssh_agent.TrailingDataError`][].
-
-    """
-
-    FAIL = enum.auto()
-    """"""
-    FAIL_RUNTIME = enum.auto()
-    """"""
-
-    def __call__(self, *_args: Any, **_kwargs: Any) -> Any:
-        """Execute the respective action."""
-        # TODO(the-13th-letter): Rewrite using structural pattern
-        # matching.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        if self == self.FAIL:
-            raise ssh_agent.SSHAgentFailedError(
-                _types.SSH_AGENT.FAILURE.value, b""
-            )
-        if self == self.FAIL_RUNTIME:
-            raise ssh_agent.TrailingDataError()
-        raise AssertionError()
-
-
-class SocketAddressAction(str, enum.Enum):
-    """Test fixture settings for the SSH agent socket address.
-
-    Attributes:
-        MANGLE_ANNOYING_OS_NAMED_PIPE:
-            Mangle the address for the Annoying OS named pipe endpoint.
-        MANGLE_SSH_AUTH_SOCK:
-            Mangle the address for the UNIX domain socket (the
-            `SSH_AUTH_SOCK` environment variable).
-        UNSET_ANNOYING_OS_NAMED_PIPE:
-            Unset the address for the Annoying OS named pipe endpoint.
-        UNSET_SSH_AUTH_SOCK:
-            Unset the `SSH_AUTH_SOCK` environment variable (the address
-            for the UNIX domain socket).
-
-    """
-
-    MANGLE_ANNOYING_OS_NAMED_PIPE = enum.auto()
-    """"""
-    MANGLE_SSH_AUTH_SOCK = enum.auto()
-    """"""
-    UNSET_ANNOYING_OS_NAMED_PIPE = enum.auto()
-    """"""
-    UNSET_SSH_AUTH_SOCK = enum.auto()
-    """"""
-
-    def __call__(
-        self, monkeypatch: pytest.MonkeyPatch, /, *_args: Any, **_kwargs: Any
-    ) -> None:
-        """Execute the respective action."""
-        # TODO(the-13th-letter): Rewrite using structural pattern
-        # matching.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        if self in {
-            self.MANGLE_ANNOYING_OS_NAMED_PIPE,
-            self.UNSET_ANNOYING_OS_NAMED_PIPE,
-        }:  # pragma: no cover [unused]
-            pass
-        elif self == self.MANGLE_SSH_AUTH_SOCK:
-            monkeypatch.setenv(
-                "SSH_AUTH_SOCK", os.environ["SSH_AUTH_SOCK"] + "~"
-            )
-        elif self == self.UNSET_SSH_AUTH_SOCK:
-            monkeypatch.delenv("SSH_AUTH_SOCK", raising=False)
-        else:
-            raise AssertionError()
-
-
-class SystemSupportAction(str, enum.Enum):
-    """Test fixture settings for [`ssh_agent.SSHAgentClient`][] system support.
-
-    Attributes:
-        UNSET_AF_UNIX:
-            Ensure lack of support for UNIX domain sockets.
-        UNSET_AF_UNIX_AND_ENSURE_USE:
-            Ensure lack of support for UNIX domain sockets, and that the
-            agent will use this socket provider.
-        UNSET_NATIVE:
-            Ensure both `UNSET_AF_UNIX` and `UNSET_WINDLL`.
-        UNSET_NATIVE_AND_ENSURE_USE:
-            Ensure both `UNSET_AF_UNIX` and `UNSET_WINDLL`, and that the
-            agent will use the native socket provider.
-        UNSET_PROVIDER_LIST:
-            Ensure an empty list of SSH agent socket providers.
-        UNSET_WINDLL:
-            Ensure lack of support for The Annoying OS named pipes.
-        UNSET_WINDLL_AND_ENSURE_USE:
-            Ensure lack of support for The Annoying OS named pipes, and
-            that the agent will use this socket provider.
-
-    """
-
-    UNSET_AF_UNIX = enum.auto()
-    """"""
-    UNSET_AF_UNIX_AND_ENSURE_USE = enum.auto()
-    """"""
-    UNSET_NATIVE = enum.auto()
-    """"""
-    UNSET_NATIVE_AND_ENSURE_USE = enum.auto()
-    """"""
-    UNSET_PROVIDER_LIST = enum.auto()
-    """"""
-    UNSET_WINDLL = enum.auto()
-    """"""
-    UNSET_WINDLL_AND_ENSURE_USE = enum.auto()
-    """"""
-
-    def __call__(
-        self, monkeypatch: pytest.MonkeyPatch, /, *_args: Any, **_kwargs: Any
-    ) -> None:
-        """Execute the respective action.
-
-        Args:
-            monkeypatch: The current monkeypatch context.
-
-        """
-        # TODO(the-13th-letter): Rewrite using structural pattern
-        # matching.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        if self == self.UNSET_PROVIDER_LIST:
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "SOCKET_PROVIDERS", []
-            )
-        elif self in {self.UNSET_NATIVE, self.UNSET_NATIVE_AND_ENSURE_USE}:
-            self.check_or_ensure_use(
-                "native",
-                monkeypatch=monkeypatch,
-                ensure_use=(self == self.UNSET_NATIVE_AND_ENSURE_USE),
-            )
-            monkeypatch.delattr(socket, "AF_UNIX", raising=False)
-            monkeypatch.delattr(ctypes, "WinDLL", raising=False)
-            monkeypatch.delattr(ctypes, "windll", raising=False)
-        elif self in {self.UNSET_AF_UNIX, self.UNSET_AF_UNIX_AND_ENSURE_USE}:
-            self.check_or_ensure_use(
-                "posix",
-                monkeypatch=monkeypatch,
-                ensure_use=(self == self.UNSET_AF_UNIX_AND_ENSURE_USE),
-            )
-            monkeypatch.delattr(socket, "AF_UNIX", raising=False)
-        elif self in {self.UNSET_WINDLL, self.UNSET_WINDLL_AND_ENSURE_USE}:
-            self.check_or_ensure_use(
-                "the_annoying_os",
-                monkeypatch=monkeypatch,
-                ensure_use=(self == self.UNSET_WINDLL_AND_ENSURE_USE),
-            )
-            monkeypatch.delattr(ctypes, "WinDLL", raising=False)
-            monkeypatch.delattr(ctypes, "windll", raising=False)
-        else:
-            raise AssertionError()
-
-    @staticmethod
-    def check_or_ensure_use(
-        provider: str, /, *, monkeypatch: pytest.MonkeyPatch, ensure_use: bool
-    ) -> None:
-        """Check that the named SSH agent socket provider will be used.
-
-        Either ensure that the socket provider will definitely be used,
-        or, upon detecting that it won't be used, skip the test.
-
-        Args:
-            provider:
-                The provider to check for.
-            ensure_use:
-                If true, ensure that the socket provider will definitely
-                be used.  If false, then check for whether it will be
-                used, and skip this test if not.
-            monkeypatch:
-                The monkeypatch context within which the fixture
-                adjustments should be executed.
-
-        """
-        if ensure_use:
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "SOCKET_PROVIDERS", [provider]
-            )
-        else:  # pragma: no cover [external]
-            # This branch operates completely on instrumented or on
-            # externally defined, non-deterministic state.
-            intended: (
-                _types.SSHAgentSocketProvider
-                | socketprovider.NoSuchProviderError
-                | None
-            )
-            try:
-                intended = socketprovider.SocketProvider.lookup(provider)
-            except socketprovider.NoSuchProviderError as exc:
-                intended = exc
-            actual: (
-                _types.SSHAgentSocketProvider
-                | socketprovider.NoSuchProviderError
-                | None
-            )
-            for name in ssh_agent.SSHAgentClient.SOCKET_PROVIDERS:
-                try:
-                    actual = socketprovider.SocketProvider.lookup(name)
-                except socketprovider.NoSuchProviderError as exc:
-                    actual = exc
-                if actual is None:
-                    continue
-                break
-            else:
-                actual = None
-            if intended != actual:
-                pytest.skip(
-                    f"{provider!r} SSH agent socket provider "
-                    f"is not currently in use"
-                )
-
-
 class Parametrize(types.SimpleNamespace):
     """Common test parametrizations."""
 
-    EAGER_ARGUMENTS = pytest.mark.parametrize(
-        "arguments",
-        [["--help"], ["--version"]],
-        ids=["help", "version"],
-    )
     CHARSET_NAME = pytest.mark.parametrize(
         "charset_name", ["lower", "upper", "number", "space", "dash", "symbol"]
     )
-    COMMAND_NON_EAGER_ARGUMENTS = pytest.mark.parametrize(
-        ["command", "non_eager_arguments"],
-        [
-            pytest.param(
-                [],
-                [],
-                id="top-nothing",
-            ),
-            pytest.param(
-                [],
-                ["export"],
-                id="top-export",
-            ),
-            pytest.param(
-                ["export"],
-                [],
-                id="export-nothing",
-            ),
-            pytest.param(
-                ["export"],
-                ["vault"],
-                id="export-vault",
-            ),
-            pytest.param(
-                ["export", "vault"],
-                [],
-                id="export-vault-nothing",
-            ),
-            pytest.param(
-                ["export", "vault"],
-                ["--format", "this-format-doesnt-exist"],
-                id="export-vault-args",
-            ),
-            pytest.param(
-                ["vault"],
-                [],
-                id="vault-nothing",
-            ),
-            pytest.param(
-                ["vault"],
-                ["--export", "./"],
-                id="vault-args",
-            ),
-        ],
-    )
     UNICODE_NORMALIZATION_COMMAND_LINES = pytest.mark.parametrize(
         "command_line",
         [
@@ -866,45 +291,6 @@ class Parametrize(types.SimpleNamespace):
             ),
         ],
     )
-    DELETE_CONFIG_INPUT = pytest.mark.parametrize(
-        ["command_line", "config", "result_config"],
-        [
-            pytest.param(
-                ["--delete-globals"],
-                {"global": {"phrase": "abc"}, "services": {}},
-                {"services": {}},
-                id="globals",
-            ),
-            pytest.param(
-                ["--delete", "--", DUMMY_SERVICE],
-                {
-                    "global": {"phrase": "abc"},
-                    "services": {DUMMY_SERVICE: {"notes": "..."}},
-                },
-                {"global": {"phrase": "abc"}, "services": {}},
-                id="service",
-            ),
-            pytest.param(
-                ["--clear"],
-                {
-                    "global": {"phrase": "abc"},
-                    "services": {DUMMY_SERVICE: {"notes": "..."}},
-                },
-                {"services": {}},
-                id="all",
-            ),
-        ],
-    )
-    COLORFUL_COMMAND_INPUT = pytest.mark.parametrize(
-        ["command_line", "input"],
-        [
-            (
-                ["vault", "--import", "-"],
-                '{"services": {"": {"length": 20}}}',
-            ),
-        ],
-        ids=["cmd"],
-    )
     CONFIG_EDITING_VIA_CONFIG_FLAG_FAILURES = pytest.mark.parametrize(
         ["command_line", "input", "err_text"],
         [
@@ -993,182 +379,6 @@ class Parametrize(types.SimpleNamespace):
             ),
         ],
     )
-    COMPLETABLE_PATH_ARGUMENT = pytest.mark.parametrize(
-        "command_prefix",
-        [
-            pytest.param(
-                ("export", "vault"),
-                id="derivepassphrase-export-vault",
-            ),
-            pytest.param(
-                ("vault", "--export"),
-                id="derivepassphrase-vault--export",
-            ),
-            pytest.param(
-                ("vault", "--import"),
-                id="derivepassphrase-vault--import",
-            ),
-        ],
-    )
-    COMPLETABLE_OPTIONS = pytest.mark.parametrize(
-        ["command_prefix", "incomplete", "completions"],
-        [
-            pytest.param(
-                (),
-                "-",
-                frozenset({
-                    "--help",
-                    "-h",
-                    "--version",
-                    "--debug",
-                    "--verbose",
-                    "-v",
-                    "--quiet",
-                    "-q",
-                }),
-                id="derivepassphrase",
-            ),
-            pytest.param(
-                ("export",),
-                "-",
-                frozenset({
-                    "--help",
-                    "-h",
-                    "--version",
-                    "--debug",
-                    "--verbose",
-                    "-v",
-                    "--quiet",
-                    "-q",
-                }),
-                id="derivepassphrase-export",
-            ),
-            pytest.param(
-                ("export", "vault"),
-                "-",
-                frozenset({
-                    "--help",
-                    "-h",
-                    "--version",
-                    "--debug",
-                    "--verbose",
-                    "-v",
-                    "--quiet",
-                    "-q",
-                    "--format",
-                    "-f",
-                    "--key",
-                    "-k",
-                }),
-                id="derivepassphrase-export-vault",
-            ),
-            pytest.param(
-                ("vault",),
-                "-",
-                frozenset({
-                    "--help",
-                    "-h",
-                    "--version",
-                    "--debug",
-                    "--verbose",
-                    "-v",
-                    "--quiet",
-                    "-q",
-                    "--phrase",
-                    "-p",
-                    "--key",
-                    "-k",
-                    "--length",
-                    "-l",
-                    "--repeat",
-                    "-r",
-                    "--upper",
-                    "--lower",
-                    "--number",
-                    "--space",
-                    "--dash",
-                    "--symbol",
-                    "--config",
-                    "-c",
-                    "--notes",
-                    "-n",
-                    "--delete",
-                    "-x",
-                    "--delete-globals",
-                    "--clear",
-                    "-X",
-                    "--export",
-                    "-e",
-                    "--import",
-                    "-i",
-                    "--overwrite-existing",
-                    "--merge-existing",
-                    "--unset",
-                    "--export-as",
-                    "--modern-editor-interface",
-                    "--vault-legacy-editor-interface",
-                    "--print-notes-before",
-                    "--print-notes-after",
-                }),
-                id="derivepassphrase-vault",
-            ),
-        ],
-    )
-    COMPLETABLE_SUBCOMMANDS = pytest.mark.parametrize(
-        ["command_prefix", "incomplete", "completions"],
-        [
-            pytest.param(
-                (),
-                "",
-                frozenset({"export", "vault"}),
-                id="derivepassphrase",
-            ),
-            pytest.param(
-                ("export",),
-                "",
-                frozenset({"vault"}),
-                id="derivepassphrase-export",
-            ),
-        ],
-    )
-    BAD_CONFIGS = pytest.mark.parametrize(
-        "config",
-        [
-            {"global": "", "services": {}},
-            {"global": 0, "services": {}},
-            {
-                "global": {"phrase": "abc"},
-                "services": False,
-            },
-            {
-                "global": {"phrase": "abc"},
-                "services": True,
-            },
-            {
-                "global": {"phrase": "abc"},
-                "services": None,
-            },
-        ],
-    )
-    BASE_CONFIG_VARIATIONS = pytest.mark.parametrize(
-        "config",
-        [
-            {"global": {"phrase": "my passphrase"}, "services": {}},
-            {"global": {"key": DUMMY_KEY1_B64}, "services": {}},
-            {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"phrase": "my passphrase"}},
-            },
-            {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"key": DUMMY_KEY1_B64}},
-            },
-            {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"key": DUMMY_KEY1_B64, "length": 15}},
-            },
-        ],
-    )
     BASE_CONFIG_WITH_KEY_VARIATIONS = pytest.mark.parametrize(
         "config",
         [
@@ -1253,404 +463,24 @@ class Parametrize(types.SimpleNamespace):
             ),
         ],
     )
-    COMPLETION_FUNCTION_INPUTS = pytest.mark.parametrize(
-        ["config", "comp_func", "args", "incomplete", "results"],
-        [
-            pytest.param(
-                {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}},
-                cli_helpers.shell_complete_service,
-                ["vault"],
-                "",
-                [DUMMY_SERVICE],
-                id="base_config-service",
-            ),
-            pytest.param(
-                {"services": {}},
-                cli_helpers.shell_complete_service,
-                ["vault"],
-                "",
-                [],
-                id="empty_config-service",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
-                        "newline\nin\nname": DUMMY_CONFIG_SETTINGS.copy(),
-                    }
-                },
-                cli_helpers.shell_complete_service,
-                ["vault"],
-                "",
-                [DUMMY_SERVICE],
-                id="incompletable_newline_config-service",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
-                        "backspace\bin\bname": DUMMY_CONFIG_SETTINGS.copy(),
-                    }
-                },
-                cli_helpers.shell_complete_service,
-                ["vault"],
-                "",
-                [DUMMY_SERVICE],
-                id="incompletable_backspace_config-service",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
-                        "colon:in:name": DUMMY_CONFIG_SETTINGS.copy(),
-                    }
-                },
-                cli_helpers.shell_complete_service,
-                ["vault"],
-                "",
-                sorted([DUMMY_SERVICE, "colon:in:name"]),
-                id="brittle_colon_config-service",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
-                        "colon:in:name": DUMMY_CONFIG_SETTINGS.copy(),
-                        "newline\nin\nname": DUMMY_CONFIG_SETTINGS.copy(),
-                        "backspace\bin\bname": DUMMY_CONFIG_SETTINGS.copy(),
-                        "nul\x00in\x00name": DUMMY_CONFIG_SETTINGS.copy(),
-                        "del\x7fin\x7fname": DUMMY_CONFIG_SETTINGS.copy(),
-                    }
-                },
-                cli_helpers.shell_complete_service,
-                ["vault"],
-                "",
-                sorted([DUMMY_SERVICE, "colon:in:name"]),
-                id="brittle_incompletable_multi_config-service",
-            ),
-            pytest.param(
-                {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}},
-                cli_helpers.shell_complete_path,
-                ["vault", "--import"],
-                "",
-                [click.shell_completion.CompletionItem("", type="file")],
-                id="base_config-path",
-            ),
-            pytest.param(
-                {"services": {}},
-                cli_helpers.shell_complete_path,
-                ["vault", "--import"],
-                "",
-                [click.shell_completion.CompletionItem("", type="file")],
-                id="empty_config-path",
-            ),
-        ],
-    )
-    COMPLETABLE_SERVICE_NAMES = pytest.mark.parametrize(
-        ["config", "incomplete", "completions"],
-        [
-            pytest.param(
-                {"services": {}},
-                "",
-                frozenset(),
-                id="no_services",
-            ),
-            pytest.param(
-                {"services": {}},
-                "partial",
-                frozenset(),
-                id="no_services_partial",
-            ),
-            pytest.param(
-                {"services": {DUMMY_SERVICE: {"length": 10}}},
-                "",
-                frozenset({DUMMY_SERVICE}),
-                id="one_service",
-            ),
-            pytest.param(
-                {"services": {DUMMY_SERVICE: {"length": 10}}},
-                DUMMY_SERVICE[:4],
-                frozenset({DUMMY_SERVICE}),
-                id="one_service_partial",
-            ),
-            pytest.param(
-                {"services": {DUMMY_SERVICE: {"length": 10}}},
-                DUMMY_SERVICE[-4:],
-                frozenset(),
-                id="one_service_partial_miss",
-            ),
-        ],
-    )
-    SERVICE_NAME_COMPLETION_INPUTS = pytest.mark.parametrize(
-        ["config", "key", "incomplete", "completions"],
-        [
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "newline\nin\nname": {"length": 10},
-                    },
-                },
-                "newline\nin\nname",
-                "",
-                frozenset({DUMMY_SERVICE}),
-                id="newline",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "newline\nin\nname": {"length": 10},
-                    },
-                },
-                "newline\nin\nname",
-                "serv",
-                frozenset({DUMMY_SERVICE}),
-                id="newline_partial_other",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "newline\nin\nname": {"length": 10},
-                    },
-                },
-                "newline\nin\nname",
-                "newline",
-                frozenset({}),
-                id="newline_partial_specific",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "nul\x00in\x00name": {"length": 10},
-                    },
-                },
-                "nul\x00in\x00name",
-                "",
-                frozenset({DUMMY_SERVICE}),
-                id="nul",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "nul\x00in\x00name": {"length": 10},
-                    },
-                },
-                "nul\x00in\x00name",
-                "serv",
-                frozenset({DUMMY_SERVICE}),
-                id="nul_partial_other",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "nul\x00in\x00name": {"length": 10},
-                    },
-                },
-                "nul\x00in\x00name",
-                "nul",
-                frozenset({}),
-                id="nul_partial_specific",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "backspace\bin\bname": {"length": 10},
-                    },
-                },
-                "backspace\bin\bname",
-                "",
-                frozenset({DUMMY_SERVICE}),
-                id="backspace",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "backspace\bin\bname": {"length": 10},
-                    },
-                },
-                "backspace\bin\bname",
-                "serv",
-                frozenset({DUMMY_SERVICE}),
-                id="backspace_partial_other",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "backspace\bin\bname": {"length": 10},
-                    },
-                },
-                "backspace\bin\bname",
-                "back",
-                frozenset({}),
-                id="backspace_partial_specific",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "del\x7fin\x7fname": {"length": 10},
-                    },
-                },
-                "del\x7fin\x7fname",
-                "",
-                frozenset({DUMMY_SERVICE}),
-                id="del",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "del\x7fin\x7fname": {"length": 10},
-                    },
-                },
-                "del\x7fin\x7fname",
-                "serv",
-                frozenset({DUMMY_SERVICE}),
-                id="del_partial_other",
-            ),
-            pytest.param(
-                {
-                    "services": {
-                        DUMMY_SERVICE: {"length": 10},
-                        "del\x7fin\x7fname": {"length": 10},
-                    },
-                },
-                "del\x7fin\x7fname",
-                "del",
-                frozenset({}),
-                id="del_partial_specific",
-            ),
-        ],
-    )
-    CONNECTION_HINTS = pytest.mark.parametrize(
-        "conn_hint", ["none", "socket", "client"]
-    )
-    NOOP_EDIT_FUNCS = pytest.mark.parametrize(
-        ["edit_func_name", "modern_editor_interface"],
-        [
-            pytest.param("empty", True, id="empty"),
-            pytest.param("space", False, id="space-legacy"),
-            pytest.param("space", True, id="space-modern"),
-        ],
-    )
-    SERVICE_NAME_EXCEPTIONS = pytest.mark.parametrize(
-        "exc_type", [RuntimeError, KeyError, ValueError]
-    )
-    EXPORT_FORMAT_OPTIONS = pytest.mark.parametrize(
-        "export_options",
+    NOOP_EDIT_FUNCS = pytest.mark.parametrize(
+        ["edit_func_name", "modern_editor_interface"],
+        [
+            pytest.param("empty", True, id="empty"),
+            pytest.param("space", False, id="space-legacy"),
+            pytest.param("space", True, id="space-modern"),
+        ],
+    )
+    EXPORT_FORMAT_OPTIONS = pytest.mark.parametrize(
+        "export_options",
         [
             [],
             ["--export-as=sh"],
         ],
     )
-    INCOMPLETE = pytest.mark.parametrize("incomplete", ["", "partial"])
-    ISATTY = pytest.mark.parametrize(
-        "isatty",
-        [False, True],
-        ids=["notty", "tty"],
-    )
     KEY_INDEX = pytest.mark.parametrize(
         "key_index", [1, 2, 3], ids=lambda i: f"index{i}"
     )
-    KEY_TO_PHRASE_SETTINGS = pytest.mark.parametrize(
-        [
-            "list_keys_action",
-            "address_action",
-            "system_support_action",
-            "sign_action",
-            "pattern",
-        ],
-        [
-            pytest.param(
-                ListKeysAction.EMPTY,
-                None,
-                None,
-                SignAction.FAIL,
-                "not loaded into the agent",
-                id="key-not-loaded",
-            ),
-            pytest.param(
-                ListKeysAction.FAIL,
-                None,
-                None,
-                SignAction.FAIL,
-                "SSH agent failed to or refused to",
-                id="list-keys-refused",
-            ),
-            pytest.param(
-                ListKeysAction.FAIL_RUNTIME,
-                None,
-                None,
-                SignAction.FAIL,
-                "SSH agent failed to or refused to",
-                id="list-keys-protocol-error",
-            ),
-            pytest.param(
-                None,
-                SocketAddressAction.UNSET_SSH_AUTH_SOCK,
-                None,
-                SignAction.FAIL,
-                "Cannot find any running SSH agent",
-                id="agent-address-missing",
-            ),
-            pytest.param(
-                None,
-                SocketAddressAction.MANGLE_SSH_AUTH_SOCK,
-                None,
-                SignAction.FAIL,
-                "Cannot connect to the SSH agent",
-                id="agent-address-mangled",
-            ),
-            pytest.param(
-                None,
-                None,
-                SystemSupportAction.UNSET_NATIVE,
-                SignAction.FAIL,
-                "does not support communicating with it",
-                id="no-agent-support",
-            ),
-            pytest.param(
-                None,
-                None,
-                SystemSupportAction.UNSET_PROVIDER_LIST,
-                SignAction.FAIL,
-                "does not support communicating with it",
-                id="no-agent-support",
-            ),
-            pytest.param(
-                None,
-                None,
-                SystemSupportAction.UNSET_AF_UNIX_AND_ENSURE_USE,
-                SignAction.FAIL,
-                "does not support communicating with it",
-                id="no-agent-support",
-            ),
-            pytest.param(
-                None,
-                None,
-                SystemSupportAction.UNSET_WINDLL_AND_ENSURE_USE,
-                SignAction.FAIL,
-                "does not support communicating with it",
-                id="no-agent-support",
-            ),
-            pytest.param(
-                None,
-                None,
-                None,
-                SignAction.FAIL_RUNTIME,
-                "violates the communication protocol",
-                id="sign-violates-protocol",
-            ),
-        ],
-    )
     UNICODE_NORMALIZATION_ERROR_INPUTS = pytest.mark.parametrize(
         ["main_config", "command_line", "input", "error_message"],
         [
@@ -1791,9 +621,6 @@ class Parametrize(types.SimpleNamespace):
             ),
         ],
     )
-    MASK_PROG_NAME = pytest.mark.parametrize("mask_prog_name", [False, True])
-    MASK_VERSION = pytest.mark.parametrize("mask_version", [False, True])
-    CONFIG_SETTING_MODE = pytest.mark.parametrize("mode", ["config", "import"])
     MODERN_EDITOR_INTERFACE = pytest.mark.parametrize(
         "modern_editor_interface", [False, True], ids=["legacy", "modern"]
     )
@@ -1839,181 +666,18 @@ class Parametrize(types.SimpleNamespace):
             if not o.incompatible
         ],
     )
-    COMPLETABLE_ITEMS = pytest.mark.parametrize(
-        ["partial", "is_completable"],
-        [
-            ("", True),
-            (DUMMY_SERVICE, True),
-            ("a\bn", False),
-            ("\b", False),
-            ("\x00", False),
-            ("\x20", True),
-            ("\x7f", False),
-            ("service with spaces", True),
-            ("service\nwith\nnewlines", False),
-        ],
-    )
-    SHELL_FORMATTER = pytest.mark.parametrize(
-        ["shell", "format_func"],
-        [
-            pytest.param("bash", bash_format, id="bash"),
-            pytest.param("fish", fish_format, id="fish"),
-            pytest.param("zsh", zsh_format, id="zsh"),
-        ],
-    )
     TRY_RACE_FREE_IMPLEMENTATION = pytest.mark.parametrize(
         "try_race_free_implementation", [True, False]
     )
-    VERSION_OUTPUT_DATA = pytest.mark.parametrize(
-        ["version_output", "prog_name", "version", "expected_parse"],
-        [
-            pytest.param(
-                """\
-derivepassphrase 0.4.0
-Using cryptography 44.0.0
-
-Supported foreign configuration formats: vault storeroom, vault v0.2,
-    vault v0.3.
-PEP 508 extras: export.
-""",
-                "derivepassphrase",
-                "0.4.0",
-                VersionOutputData(
-                    derivation_schemes={},
-                    foreign_configuration_formats={
-                        "vault storeroom": True,
-                        "vault v0.2": True,
-                        "vault v0.3": True,
-                    },
-                    subcommands=frozenset(),
-                    features={},
-                    extras=frozenset({"export"}),
-                ),
-                id="derivepassphrase-0.4.0-export",
-            ),
-            pytest.param(
-                """\
-derivepassphrase 0.5
-
-Supported derivation schemes: vault.
-Known foreign configuration formats: vault storeroom, vault v0.2, vault v0.3.
-Supported subcommands: export, vault.
-No PEP 508 extras are active.
-""",
-                "derivepassphrase",
-                "0.5",
-                VersionOutputData(
-                    derivation_schemes={"vault": True},
-                    foreign_configuration_formats={
-                        "vault storeroom": False,
-                        "vault v0.2": False,
-                        "vault v0.3": False,
-                    },
-                    subcommands=frozenset({"export", "vault"}),
-                    features={},
-                    extras=frozenset({}),
-                ),
-                id="derivepassphrase-0.5-plain",
-            ),
-            pytest.param(
-                """\
-
-
-
-inventpassphrase -1.3
-Using not-a-library 7.12
-Copyright 2025 Nobody.  All rights reserved.
-
-Supported derivation schemes: nonsense.
-Known derivation schemes: divination, /dev/random,
-    geiger counter,
-    crossword solver.
-Supported foreign configuration formats: derivepassphrase, nonsense.
-Known foreign configuration formats: divination v3.141592,
-    /dev/random.
-Supported subcommands: delete-all-files, dump-core.
-Supported features: delete-while-open.
-Known features: backups-are-nice-to-have.
-PEP 508 extras: annoying-popups, delete-all-files,
-    dump-core-depending-on-the-phase-of-the-moon.
-
-
-
-""",
-                "inventpassphrase",
-                "-1.3",
-                VersionOutputData(
-                    derivation_schemes={
-                        "nonsense": True,
-                        "divination": False,
-                        "/dev/random": False,
-                        "geiger counter": False,
-                        "crossword solver": False,
-                    },
-                    foreign_configuration_formats={
-                        "derivepassphrase": True,
-                        "nonsense": True,
-                        "divination v3.141592": False,
-                        "/dev/random": False,
-                    },
-                    subcommands=frozenset({"delete-all-files", "dump-core"}),
-                    features={
-                        "delete-while-open": True,
-                        "backups-are-nice-to-have": False,
-                    },
-                    extras=frozenset({
-                        "annoying-popups",
-                        "delete-all-files",
-                        "dump-core-depending-on-the-phase-of-the-moon",
-                    }),
-                ),
-                id="inventpassphrase",
-            ),
-        ],
-    )
-    """Sample data for [`parse_version_output`][]."""
-    VALIDATION_FUNCTION_INPUT = pytest.mark.parametrize(
-        ["vfunc", "input"],
-        [
-            (cli_machinery.validate_occurrence_constraint, 20),
-            (cli_machinery.validate_length, 20),
-        ],
-    )
 
 
-class TestAllCLI:
-    """Tests uniformly for all command-line interfaces."""
+class TestCLI:
+    """Tests for the `derivepassphrase vault` command-line interface."""
 
-    @Parametrize.MASK_PROG_NAME
-    @Parametrize.MASK_VERSION
-    @Parametrize.VERSION_OUTPUT_DATA
-    def test_001_parse_version_output(
+    def test_200_help_output(
         self,
-        version_output: str,
-        prog_name: str | None,
-        version: str | None,
-        mask_prog_name: bool,
-        mask_version: bool,
-        expected_parse: VersionOutputData,
     ) -> None:
-        """The parsing machinery for expected version output data works."""
-        prog_name = None if mask_prog_name else prog_name
-        version = None if mask_version else version
-        assert (
-            parse_version_output(
-                version_output, prog_name=prog_name, version=version
-            )
-            == expected_parse
-        )
-
-    # TODO(the-13th-letter): Do we actually need this?  What should we
-    # check for?
-    def test_100_help_output(self) -> None:
-        """The top-level help text mentions subcommands.
-
-        TODO: Do we actually need this?  What should we check for?
-
-        """
+        """The `--help` option emits help text."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2027,22 +691,23 @@ class TestAllCLI:
                 )
             )
             result = runner.invoke(
-                cli.derivepassphrase, ["--help"], catch_exceptions=False
+                cli.derivepassphrase_vault,
+                ["--help"],
+                catch_exceptions=False,
             )
         assert result.clean_exit(
-            empty_stderr=True, output="currently implemented subcommands"
-        ), "expected clean exit, and known help text"
+            empty_stderr=True, output="Passphrase generation:\n"
+        ), "expected clean exit, and option groups in help text"
+        assert result.clean_exit(
+            empty_stderr=True, output="Use $VISUAL or $EDITOR to configure"
+        ), "expected clean exit, and option group epilog in help text"
 
-    # TODO(the-13th-letter): Do we actually need this?  What should we
-    # check for?
-    def test_101_help_output_export(
+    # TODO(the-13th-letter): Remove this test once
+    # TestAllCLI.test_202_version_option_output no longer xfails.
+    def test_200a_version_output(
         self,
     ) -> None:
-        """The "export" subcommand help text mentions subcommands.
-
-        TODO: Do we actually need this?  What should we check for?
-
-        """
+        """The `--version` option emits version information."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2056,24 +721,25 @@ class TestAllCLI:
                 )
             )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["export", "--help"],
+                cli.derivepassphrase_vault,
+                ["--version"],
                 catch_exceptions=False,
             )
-        assert result.clean_exit(
-            empty_stderr=True, output="only available subcommand"
-        ), "expected clean exit, and known help text"
+        assert result.clean_exit(empty_stderr=True, output=cli.PROG_NAME), (
+            "expected clean exit, and program name in version text"
+        )
+        assert result.clean_exit(empty_stderr=True, output=cli.VERSION), (
+            "expected clean exit, and version in help text"
+        )
 
-    # TODO(the-13th-letter): Do we actually need this?  What should we
-    # check for?
-    def test_102_help_output_export_vault(
+    @Parametrize.CHARSET_NAME
+    def test_201_disable_character_set(
         self,
+        charset_name: str,
     ) -> None:
-        """The "export vault" subcommand help text has known content.
-
-        TODO: Do we actually need this?  What should we check for?
-
-        """
+        """Named character classes can be disabled on the command-line."""
+        option = f"--{charset_name}"
+        charset = vault.Vault.CHARSETS[charset_name].decode("ascii")
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2086,25 +752,27 @@ class TestAllCLI:
                     runner=runner,
                 )
             )
+            monkeypatch.setattr(
+                cli_helpers,
+                "prompt_for_passphrase",
+                callables.auto_prompt,
+            )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["export", "vault", "--help"],
+                cli.derivepassphrase_vault,
+                [option, "0", "-p", "--", DUMMY_SERVICE],
+                input=DUMMY_PASSPHRASE,
                 catch_exceptions=False,
             )
-        assert result.clean_exit(
-            empty_stderr=True, output="Export a vault-native configuration"
-        ), "expected clean exit, and known help text"
+        assert result.clean_exit(empty_stderr=True), "expected clean exit:"
+        for c in charset:
+            assert c not in result.stdout, (
+                f"derived password contains forbidden character {c!r}"
+            )
 
-    # TODO(the-13th-letter): Do we actually need this?  What should we
-    # check for?
-    def test_103_help_output_vault(
+    def test_202_disable_repetition(
         self,
     ) -> None:
-        """The "vault" subcommand help text has known content.
-
-        TODO: Do we actually need this?  What should we check for?
-
-        """
+        """Character repetition can be disabled on the command-line."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2117,27 +785,35 @@ class TestAllCLI:
                     runner=runner,
                 )
             )
+            monkeypatch.setattr(
+                cli_helpers,
+                "prompt_for_passphrase",
+                callables.auto_prompt,
+            )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["vault", "--help"],
+                cli.derivepassphrase_vault,
+                ["--repeat", "0", "-p", "--", DUMMY_SERVICE],
+                input=DUMMY_PASSPHRASE,
                 catch_exceptions=False,
             )
-        assert result.clean_exit(
-            empty_stderr=True, output="Passphrase generation:\n"
-        ), "expected clean exit, and option groups in help text"
-        assert result.clean_exit(
-            empty_stderr=True, output="Use $VISUAL or $EDITOR to configure"
-        ), "expected clean exit, and option group epilog in help text"
+        assert result.clean_exit(empty_stderr=True), (
+            "expected clean exit and empty stderr"
+        )
+        passphrase = result.stdout.rstrip("\r\n")
+        for i in range(len(passphrase) - 1):
+            assert passphrase[i : i + 1] != passphrase[i + 1 : i + 2], (
+                f"derived password contains repeated character "
+                f"at position {i}: {result.stdout!r}"
+            )
 
-    @Parametrize.COMMAND_NON_EAGER_ARGUMENTS
-    @Parametrize.EAGER_ARGUMENTS
-    def test_200_eager_options(
+    @Parametrize.CONFIG_WITH_KEY
+    def test_204a_key_from_config(
         self,
-        command: list[str],
-        arguments: list[str],
-        non_eager_arguments: list[str],
+        running_ssh_agent: data.RunningSSHAgentInfo,
+        config: _types.VaultConfig,
     ) -> None:
-        """Eager options terminate option and argument processing."""
+        """A stored configured SSH key will be used."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2145,34 +821,40 @@ class TestAllCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config=config,
                 )
             )
+            monkeypatch.setattr(
+                vault.Vault,
+                "phrase_from_key",
+                callables.phrase_from_key,
+            )
             result = runner.invoke(
-                cli.derivepassphrase,
-                [*command, *arguments, *non_eager_arguments],
+                cli.derivepassphrase_vault,
+                ["--", DUMMY_SERVICE],
                 catch_exceptions=False,
             )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit"
+        assert result.clean_exit(empty_stderr=True), (
+            "expected clean exit and empty stderr"
+        )
+        assert result.stdout
+        assert (
+            result.stdout.rstrip("\n").encode("UTF-8")
+            != DUMMY_RESULT_PASSPHRASE
+        ), "known false output: phrase-based instead of key-based"
+        assert (
+            result.stdout.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1
+        ), "expected known output"
 
-    @Parametrize.ISATTY
-    @Parametrize.COLORFUL_COMMAND_INPUT
-    def test_201_automatic_color_mode(
+    def test_204b_key_from_command_line(
         self,
-        isatty: bool,
-        command_line: list[str],
-        input: str | None,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """Auto-detect if color should be used.
-
-        (The answer currently is always no. See the
-        [`conventional-configurable-text-styling` wishlist
-        entry](../wishlist/conventional-configurable-text-styling.md).)
-
-        """
-        color = False
+        """An SSH key requested on the command-line will be used."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2180,40 +862,50 @@ class TestAllCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={
+                        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
+                    },
+                )
+            )
+            monkeypatch.setattr(
+                cli_helpers,
+                "get_suitable_ssh_keys",
+                callables.suitable_ssh_keys,
             )
+            monkeypatch.setattr(
+                vault.Vault,
+                "phrase_from_key",
+                callables.phrase_from_key,
             )
             result = runner.invoke(
-                cli.derivepassphrase,
-                command_line,
-                input=input,
+                cli.derivepassphrase_vault,
+                ["-k", "--", DUMMY_SERVICE],
+                input="1\n",
                 catch_exceptions=False,
-                color=isatty,
             )
+        assert result.clean_exit(), "expected clean exit"
+        assert result.stdout, "expected program output"
+        last_line = result.stdout.splitlines(True)[-1]
         assert (
-            not color
-            or "\x1b[0m" in result.stderr
-            or "\x1b[m" in result.stderr
-        ), "Expected color, but found no ANSI reset sequence"
-        assert color or "\x1b[" not in result.stderr, (
-            "Expected no color, but found an ANSI control sequence"
+            last_line.rstrip("\n").encode("UTF-8") != DUMMY_RESULT_PASSPHRASE
+        ), "known false output: phrase-based instead of key-based"
+        assert last_line.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1, (
+            "expected known output"
         )
 
-    def test_202a_derivepassphrase_version_option_output(
+    @Parametrize.BASE_CONFIG_WITH_KEY_VARIATIONS
+    @Parametrize.KEY_INDEX
+    def test_204c_key_override_on_command_line(
         self,
+        running_ssh_agent: data.RunningSSHAgentInfo,
+        config: dict[str, Any],
+        key_index: int,
     ) -> None:
-        """The version output states supported features.
-
-        The version output is parsed using [`parse_version_output`][].
-        Format examples can be found in
-        [`Parametrize.VERSION_OUTPUT_DATA`][].  Specifically, for the
-        top-level `derivepassphrase` command, the output should contain
-        the known and supported derivation schemes, and a list of
-        subcommands.
-
-        """
+        """A command-line SSH key will override the configured key."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2221,40 +913,38 @@ class TestAllCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config=config,
+                )
             )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient,
+                "list_keys",
+                callables.list_keys,
+            )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient, "sign", callables.sign
             )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["--version"],
-                catch_exceptions=False,
+                cli.derivepassphrase_vault,
+                ["-k", "--", DUMMY_SERVICE],
+                input=f"{key_index}\n",
             )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit"
-        assert result.stdout.strip(), "expected version output"
-        version_data = parse_version_output(result.stdout)
-        actually_known_schemes = dict.fromkeys(_types.DerivationScheme, True)
-        subcommands = set(_types.Subcommand)
-        assert version_data.derivation_schemes == actually_known_schemes
-        assert not version_data.foreign_configuration_formats
-        assert version_data.subcommands == subcommands
-        assert not version_data.features
-        assert not version_data.extras
-
-    def test_202b_export_version_option_output(
+        assert result.clean_exit(), "expected clean exit"
+        assert result.stdout, "expected program output"
+        assert result.stderr, "expected stderr"
+        assert "Error:" not in result.stderr, (
+            "expected no error messages on stderr"
+        )
+
+    def test_205_service_phrase_if_key_in_global_config(
         self,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """The version output states supported features.
-
-        The version output is parsed using [`parse_version_output`][].
-        Format examples can be found in
-        [`Parametrize.VERSION_OUTPUT_DATA`][].  Specifically, for the
-        `export` command, the output should contain the known foreign
-        configuration formats (but not marked as supported), and a list
-        of subcommands.
-
-        """
+        """A command-line passphrase will override the configured key."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2262,47 +952,53 @@ class TestAllCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={
+                        "global": {"key": DUMMY_KEY1_B64},
+                        "services": {
+                            DUMMY_SERVICE: {
+                                "phrase": DUMMY_PASSPHRASE.rstrip("\n"),
+                                **DUMMY_CONFIG_SETTINGS,
+                            }
+                        },
+                    },
+                )
             )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient,
+                "list_keys",
+                callables.list_keys,
+            )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient, "sign", callables.sign
             )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["export", "--version"],
+                cli.derivepassphrase_vault,
+                ["--", DUMMY_SERVICE],
                 catch_exceptions=False,
             )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit"
-        assert result.stdout.strip(), "expected version output"
-        version_data = parse_version_output(result.stdout)
-        actually_known_formats: dict[str, bool] = {
-            _types.ForeignConfigurationFormat.VAULT_STOREROOM: False,
-            _types.ForeignConfigurationFormat.VAULT_V02: False,
-            _types.ForeignConfigurationFormat.VAULT_V03: False,
-        }
-        subcommands = set(_types.ExportSubcommand)
-        assert not version_data.derivation_schemes
+        assert result.clean_exit(), "expected clean exit"
+        assert result.stdout, "expected program output"
+        last_line = result.stdout.splitlines(True)[-1]
         assert (
-            version_data.foreign_configuration_formats
-            == actually_known_formats
+            last_line.rstrip("\n").encode("UTF-8") != DUMMY_RESULT_PASSPHRASE
+        ), "known false output: phrase-based instead of key-based"
+        assert last_line.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1, (
+            "expected known output"
         )
-        assert version_data.subcommands == subcommands
-        assert not version_data.features
-        assert not version_data.extras
 
-    def test_202c_export_vault_version_option_output(
+    @Parametrize.KEY_OVERRIDING_IN_CONFIG
+    def test_206_setting_phrase_thus_overriding_key_in_config(
         self,
+        running_ssh_agent: data.RunningSSHAgentInfo,
+        caplog: pytest.LogCaptureFixture,
+        config: _types.VaultConfig,
+        command_line: list[str],
     ) -> None:
-        """The version output states supported features.
-
-        The version output is parsed using [`parse_version_output`][].
-        Format examples can be found in
-        [`Parametrize.VERSION_OUTPUT_DATA`][].  Specifically, for the
-        `export vault` subcommand, the output should contain the
-        vault-specific subset of the known or supported foreign
-        configuration formats, and a list of available PEP 508 extras.
-
-        """
+        """Configuring a passphrase atop an SSH key works, but warns."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2310,54 +1006,59 @@ class TestAllCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config=config,
+                )
+            )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient,
+                "list_keys",
+                callables.list_keys,
             )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient, "sign", callables.sign
             )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["export", "vault", "--version"],
+                cli.derivepassphrase_vault,
+                command_line,
+                input=DUMMY_PASSPHRASE,
                 catch_exceptions=False,
             )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit"
-        assert result.stdout.strip(), "expected version output"
-        version_data = parse_version_output(result.stdout)
-        actually_known_formats: dict[str, bool] = {}
-        actually_enabled_extras: set[str] = set()
-        with contextlib.suppress(ModuleNotFoundError):
-            from derivepassphrase.exporter import storeroom, vault_native  # noqa: I001,PLC0415
-
-            actually_known_formats.update({
-                _types.ForeignConfigurationFormat.VAULT_STOREROOM: not storeroom.STUBBED,
-                _types.ForeignConfigurationFormat.VAULT_V02: not vault_native.STUBBED,
-                _types.ForeignConfigurationFormat.VAULT_V03: not vault_native.STUBBED,
-            })
-        with contextlib.suppress(ModuleNotFoundError):
-            import cryptography  # noqa: F401,PLC0415
-
-            actually_enabled_extras.add(_types.PEP508Extra.EXPORT)
-        assert not version_data.derivation_schemes
-        assert (
-            version_data.foreign_configuration_formats
-            == actually_known_formats
-        )
-        assert not version_data.subcommands
-        assert not version_data.features
-        assert version_data.extras == actually_enabled_extras
+        assert result.clean_exit(), "expected clean exit"
+        assert not result.stdout.strip(), "expected no program output"
+        assert result.stderr, "expected known error output"
+        err_lines = result.stderr.splitlines(False)
+        assert err_lines[0].startswith("Passphrase:")
+        assert machinery.warning_emitted(
+            "Setting a service passphrase is ineffective ",
+            caplog.record_tuples,
+        ) or machinery.warning_emitted(
+            "Setting a global passphrase is ineffective ",
+            caplog.record_tuples,
+        ), "expected known warning message"
+        assert all(map(is_warning_line, result.stderr.splitlines(True)))
+        assert all(
+            map(is_harmless_config_import_warning, caplog.record_tuples)
+        ), "unexpected error output"
 
-    def test_202d_vault_version_option_output(
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32,
+                max_codepoint=126,
+                include_characters="\n",
+            ),
+            max_size=256,
+        ),
+    )
+    def test_207_service_with_notes_actually_prints_notes(
         self,
+        notes: str,
     ) -> None:
-        """The version output states supported features.
-
-        The version output is parsed using [`parse_version_output`][].
-        Format examples can be found in
-        [`Parametrize.VERSION_OUTPUT_DATA`][].  Specifically, for the
-        vault command, the output should not contain anything beyond the
-        first paragraph.
-
-        """
+        """Service notes are printed, if they exist."""
+        hypothesis.assume("Error:" not in notes)
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2365,81 +1066,45 @@ class TestAllCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase,
-                ["vault", "--version"],
-                catch_exceptions=False,
-            )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit"
-        assert result.stdout.strip(), "expected version output"
-        version_data = parse_version_output(result.stdout)
-
-        ssh_key_supported = True
-
-        def react_to_notimplementederror(
-            _exc: BaseException,
-        ) -> None:  # pragma: no cover[unused]
-            nonlocal ssh_key_supported
-            ssh_key_supported = False
-
-        with exceptiongroup.catch({  # noqa: SIM117
-            NotImplementedError: react_to_notimplementederror,
-            Exception: lambda *_args: None,
-        }):
-            with ssh_agent.SSHAgentClient.ensure_agent_subcontext():
-                pass
-        features: dict[str, bool] = {
-            _types.Feature.SSH_KEY: ssh_key_supported,
-        }
-        assert not version_data.derivation_schemes
-        assert not version_data.foreign_configuration_formats
-        assert not version_data.subcommands
-        assert version_data.features == features
-        assert not version_data.extras
-
-
-class TestCLI:
-    """Tests for the `derivepassphrase vault` command-line interface."""
-
-    def test_200_help_output(
-        self,
-    ) -> None:
-        """The `--help` option emits help text."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={
+                        "global": {
+                            "phrase": DUMMY_PASSPHRASE,
+                        },
+                        "services": {
+                            DUMMY_SERVICE: {
+                                "notes": notes,
+                                **DUMMY_CONFIG_SETTINGS,
+                            },
+                        },
+                    },
                 )
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--help"],
-                catch_exceptions=False,
+                ["--", DUMMY_SERVICE],
+            )
+        assert result.clean_exit(), "expected clean exit"
+        assert result.stdout, "expected program output"
+        assert result.stdout.strip() == DUMMY_RESULT_PASSPHRASE.decode(
+            "ascii"
+        ), "expected known program output"
+        assert result.stderr or not notes.strip(), "expected stderr"
+        assert "Error:" not in result.stderr, (
+            "expected no error messages on stderr"
+        )
+        assert result.stderr.strip() == notes.strip(), (
+            "expected known stderr contents"
         )
-        assert result.clean_exit(
-            empty_stderr=True, output="Passphrase generation:\n"
-        ), "expected clean exit, and option groups in help text"
-        assert result.clean_exit(
-            empty_stderr=True, output="Use $VISUAL or $EDITOR to configure"
-        ), "expected clean exit, and option group epilog in help text"
 
-    # TODO(the-13th-letter): Remove this test once
-    # TestAllCLI.test_202_version_option_output no longer xfails.
-    def test_200a_version_output(
+    @Parametrize.VAULT_CHARSET_OPTION
+    def test_210_invalid_argument_range(
         self,
+        option: str,
     ) -> None:
-        """The `--version` option emits version information."""
+        """Requesting invalidly many characters from a class fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2452,26 +1117,26 @@ class TestCLI:
                     runner=runner,
                 )
             )
+            for value in "-42", "invalid":
                 result = runner.invoke(
                     cli.derivepassphrase_vault,
-                ["--version"],
+                    [option, value, "-p", "--", DUMMY_SERVICE],
+                    input=DUMMY_PASSPHRASE,
                     catch_exceptions=False,
                 )
-        assert result.clean_exit(empty_stderr=True, output=cli.PROG_NAME), (
-            "expected clean exit, and program name in version text"
-        )
-        assert result.clean_exit(empty_stderr=True, output=cli.VERSION), (
-            "expected clean exit, and version in help text"
+                assert result.error_exit(error="Invalid value"), (
+                    "expected error exit and known error message"
                 )
 
-    @Parametrize.CHARSET_NAME
-    def test_201_disable_character_set(
+    @Parametrize.OPTION_COMBINATIONS_SERVICE_NEEDED
+    def test_211_service_needed(
         self,
-        charset_name: str,
+        options: list[str],
+        service: bool | None,
+        input: str | None,
+        check_success: bool,
     ) -> None:
-        """Named character classes can be disabled on the command-line."""
-        option = f"--{charset_name}"
-        charset = vault.Vault.CHARSETS[charset_name].decode("ascii")
+        """We require or forbid a service argument, depending on options."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2479,9 +1144,10 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
             monkeypatch.setattr(
@@ -2491,30 +1157,37 @@ class TestCLI:
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                [option, "0", "-p", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
+                options if service else [*options, "--", DUMMY_SERVICE],
+                input=input,
                 catch_exceptions=False,
             )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit:"
-        for c in charset:
-            assert c not in result.stdout, (
-                f"derived password contains forbidden character {c!r}"
+            if service is not None:
+                err_msg = (
+                    " requires a SERVICE"
+                    if service
+                    else " does not take a SERVICE argument"
                 )
-
-    def test_202_disable_repetition(
-        self,
-    ) -> None:
-        """Character repetition can be disabled on the command-line."""
-        runner = machinery.CliRunner(mix_stderr=False)
+                assert result.error_exit(error=err_msg), (
+                    "expected error exit and known error message"
+                )
+            else:
+                assert result.clean_exit(empty_stderr=True), (
+                    "expected clean exit"
+                )
+        if check_success:
             # TODO(the-13th-letter): Rewrite using parenthesized
             # with-statements.
             # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
             with contextlib.ExitStack() as stack:
                 monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
                 stack.enter_context(
-                pytest_machinery.isolated_config(
+                    pytest_machinery.isolated_vault_config(
                         monkeypatch=monkeypatch,
                         runner=runner,
+                        vault_config={
+                            "global": {"phrase": "abc"},
+                            "services": {},
+                        },
                     )
                 )
                 monkeypatch.setattr(
@@ -2524,28 +1197,29 @@ class TestCLI:
                 )
                 result = runner.invoke(
                     cli.derivepassphrase_vault,
-                ["--repeat", "0", "-p", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
+                    [*options, "--", DUMMY_SERVICE] if service else options,
+                    input=input,
                     catch_exceptions=False,
                 )
-        assert result.clean_exit(empty_stderr=True), (
-            "expected clean exit and empty stderr"
-        )
-        passphrase = result.stdout.rstrip("\r\n")
-        for i in range(len(passphrase) - 1):
-            assert passphrase[i : i + 1] != passphrase[i + 1 : i + 2], (
-                f"derived password contains repeated character "
-                f"at position {i}: {result.stdout!r}"
-            )
+            assert result.clean_exit(empty_stderr=True), "expected clean exit"
 
-    @Parametrize.CONFIG_WITH_KEY
-    def test_204a_key_from_config(
+    def test_211a_empty_service_name_causes_warning(
         self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-        config: _types.VaultConfig,
+        caplog: pytest.LogCaptureFixture,
     ) -> None:
-        """A stored configured SSH key will be used."""
-        del running_ssh_agent
+        """Using an empty service name (where permissible) warns.
+
+        Only the `--config` option can optionally take a service name.
+
+        """
+
+        def is_expected_warning(record: tuple[str, int, str]) -> bool:
+            return is_harmless_config_import_warning(
+                record
+            ) or machinery.warning_emitted(
+                "An empty SERVICE is not supported by vault(1)", [record]
+            )
+
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2556,37 +1230,52 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
+                    vault_config={"services": {}},
                 )
             )
             monkeypatch.setattr(
-                vault.Vault,
-                "phrase_from_key",
-                callables.phrase_from_key,
+                cli_helpers,
+                "prompt_for_passphrase",
+                callables.auto_prompt,
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
+                ["--config", "--length=30", "--", ""],
                 catch_exceptions=False,
             )
-        assert result.clean_exit(empty_stderr=True), (
-            "expected clean exit and empty stderr"
+            assert result.clean_exit(empty_stderr=False), "expected clean exit"
+            assert result.stderr is not None, "expected known error output"
+            assert all(map(is_expected_warning, caplog.record_tuples)), (
+                "expected known error output"
             )
-        assert result.stdout
-        assert (
-            result.stdout.rstrip("\n").encode("UTF-8")
-            != DUMMY_RESULT_PASSPHRASE
-        ), "known false output: phrase-based instead of key-based"
-        assert (
-            result.stdout.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1
-        ), "expected known output"
+            assert cli_helpers.load_config() == {
+                "global": {"length": 30},
+                "services": {},
+            }, "requested configuration change was not applied"
+            caplog.clear()
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--import", "-"],
+                input=json.dumps({"services": {"": {"length": 40}}}),
+                catch_exceptions=False,
+            )
+            assert result.clean_exit(empty_stderr=False), "expected clean exit"
+            assert result.stderr is not None, "expected known error output"
+            assert all(map(is_expected_warning, caplog.record_tuples)), (
+                "expected known error output"
+            )
+            assert cli_helpers.load_config() == {
+                "global": {"length": 30},
+                "services": {"": {"length": 40}},
+            }, "requested configuration change was not applied"
 
-    def test_204b_key_from_command_line(
+    @Parametrize.OPTION_COMBINATIONS_INCOMPATIBLE
+    def test_212_incompatible_options(
         self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
+        options: list[str],
+        service: bool | None,
     ) -> None:
-        """An SSH key requested on the command-line will be used."""
-        del running_ssh_agent
+        """Incompatible options are detected."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2594,50 +1283,28 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_vault_config(
+                pytest_machinery.isolated_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={
-                        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
-                    },
-                )
                 )
-            monkeypatch.setattr(
-                cli_helpers,
-                "get_suitable_ssh_keys",
-                callables.suitable_ssh_keys,
-            )
-            monkeypatch.setattr(
-                vault.Vault,
-                "phrase_from_key",
-                callables.phrase_from_key,
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["-k", "--", DUMMY_SERVICE],
-                input="1\n",
+                [*options, "--", DUMMY_SERVICE] if service else options,
+                input=DUMMY_PASSPHRASE,
                 catch_exceptions=False,
             )
-        assert result.clean_exit(), "expected clean exit"
-        assert result.stdout, "expected program output"
-        last_line = result.stdout.splitlines(True)[-1]
-        assert (
-            last_line.rstrip("\n").encode("UTF-8") != DUMMY_RESULT_PASSPHRASE
-        ), "known false output: phrase-based instead of key-based"
-        assert last_line.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1, (
-            "expected known output"
+        assert result.error_exit(error="mutually exclusive with "), (
+            "expected error exit and known error message"
         )
 
-    @Parametrize.BASE_CONFIG_WITH_KEY_VARIATIONS
-    @Parametrize.KEY_INDEX
-    def test_204c_key_override_on_command_line(
+    @Parametrize.VALID_TEST_CONFIGS
+    def test_213_import_config_success(
         self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-        config: dict[str, Any],
-        key_index: int,
+        caplog: pytest.LogCaptureFixture,
+        config: Any,
     ) -> None:
-        """A command-line SSH key will override the configured key."""
-        del running_ssh_agent
+        """Importing a configuration works."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2648,89 +1315,54 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
+                    vault_config={"services": {}},
                 )
             )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient,
-                "list_keys",
-                callables.list_keys,
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "sign", callables.sign
-            )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["-k", "--", DUMMY_SERVICE],
-                input=f"{key_index}\n",
-            )
-        assert result.clean_exit(), "expected clean exit"
-        assert result.stdout, "expected program output"
-        assert result.stderr, "expected stderr"
-        assert "Error:" not in result.stderr, (
-            "expected no error messages on stderr"
+                ["--import", "-"],
+                input=json.dumps(config),
+                catch_exceptions=False,
             )
+            config_txt = cli_helpers.config_filename(
+                subsystem="vault"
+            ).read_text(encoding="UTF-8")
+            config2 = json.loads(config_txt)
+        assert result.clean_exit(empty_stderr=False), "expected clean exit"
+        assert config2 == config, "config not imported correctly"
+        assert not result.stderr or all(  # pragma: no branch
+            map(is_harmless_config_import_warning, caplog.record_tuples)
+        ), "unexpected error output"
+        assert_vault_config_is_indented_and_line_broken(config_txt)
 
-    def test_205_service_phrase_if_key_in_global_config(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """A command-line passphrase will override the configured key."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"key": DUMMY_KEY1_B64},
-                        "services": {
-                            DUMMY_SERVICE: {
-                                "phrase": DUMMY_PASSPHRASE.rstrip("\n"),
-                                **DUMMY_CONFIG_SETTINGS,
-                            }
-                        },
-                    },
-                )
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient,
-                "list_keys",
-                callables.list_keys,
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "sign", callables.sign
+    @hypothesis.settings(
+        suppress_health_check=[
+            *hypothesis.settings().suppress_health_check,
+            hypothesis.HealthCheck.function_scoped_fixture,
+        ],
     )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
-                catch_exceptions=False,
+    @hypothesis.given(
+        conf=hypothesis_machinery.smudged_vault_test_config(
+            strategies.sampled_from([
+                conf for conf in data.TEST_CONFIGS if conf.is_valid()
+            ])
         )
-        assert result.clean_exit(), "expected clean exit"
-        assert result.stdout, "expected program output"
-        last_line = result.stdout.splitlines(True)[-1]
-        assert (
-            last_line.rstrip("\n").encode("UTF-8") != DUMMY_RESULT_PASSPHRASE
-        ), "known false output: phrase-based instead of key-based"
-        assert last_line.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1, (
-            "expected known output"
     )
-
-    @Parametrize.KEY_OVERRIDING_IN_CONFIG
-    def test_206_setting_phrase_thus_overriding_key_in_config(
+    def test_213a_import_config_success(
         self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
         caplog: pytest.LogCaptureFixture,
-        config: _types.VaultConfig,
-        command_line: list[str],
+        conf: data.VaultTestConfig,
     ) -> None:
-        """Configuring a passphrase atop an SSH key works, but warns."""
-        del running_ssh_agent
+        """Importing a smudged configuration works.
+
+        Tested via hypothesis.
+
+        """
+        config = conf.config
+        config2 = copy.deepcopy(config)
+        _types.clean_up_falsy_vault_config_values(config2)
+        # Reset caplog between hypothesis runs.
+        caplog.clear()
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2741,56 +1373,30 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
-                )
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient,
-                "list_keys",
-                callables.list_keys,
+                    vault_config={"services": {}},
                 )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "sign", callables.sign
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                command_line,
-                input=DUMMY_PASSPHRASE,
+                ["--import", "-"],
+                input=json.dumps(config),
                 catch_exceptions=False,
             )
-        assert result.clean_exit(), "expected clean exit"
-        assert not result.stdout.strip(), "expected no program output"
-        assert result.stderr, "expected known error output"
-        err_lines = result.stderr.splitlines(False)
-        assert err_lines[0].startswith("Passphrase:")
-        assert machinery.warning_emitted(
-            "Setting a service passphrase is ineffective ",
-            caplog.record_tuples,
-        ) or machinery.warning_emitted(
-            "Setting a global passphrase is ineffective ",
-            caplog.record_tuples,
-        ), "expected known warning message"
-        assert all(map(is_warning_line, result.stderr.splitlines(True)))
-        assert all(
+            config_txt = cli_helpers.config_filename(
+                subsystem="vault"
+            ).read_text(encoding="UTF-8")
+            config3 = json.loads(config_txt)
+        assert result.clean_exit(empty_stderr=False), "expected clean exit"
+        assert config3 == config2, "config not imported correctly"
+        assert not result.stderr or all(
             map(is_harmless_config_import_warning, caplog.record_tuples)
         ), "unexpected error output"
+        assert_vault_config_is_indented_and_line_broken(config_txt)
 
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32,
-                max_codepoint=126,
-                include_characters="\n",
-            ),
-            max_size=256,
-        ),
-    )
-    def test_207_service_with_notes_actually_prints_notes(
+    def test_213b_import_bad_config_not_vault_config(
         self,
-        notes: str,
     ) -> None:
-        """Service notes are printed, if they exist."""
-        hypothesis.assume("Error:" not in notes)
+        """Importing an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2798,45 +1404,25 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_vault_config(
+                pytest_machinery.isolated_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={
-                        "global": {
-                            "phrase": DUMMY_PASSPHRASE,
-                        },
-                        "services": {
-                            DUMMY_SERVICE: {
-                                "notes": notes,
-                                **DUMMY_CONFIG_SETTINGS,
-                            },
-                        },
-                    },
                 )
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
-            )
-        assert result.clean_exit(), "expected clean exit"
-        assert result.stdout, "expected program output"
-        assert result.stdout.strip() == DUMMY_RESULT_PASSPHRASE.decode(
-            "ascii"
-        ), "expected known program output"
-        assert result.stderr or not notes.strip(), "expected stderr"
-        assert "Error:" not in result.stderr, (
-            "expected no error messages on stderr"
+                ["--import", "-"],
+                input="null",
+                catch_exceptions=False,
             )
-        assert result.stderr.strip() == notes.strip(), (
-            "expected known stderr contents"
+        assert result.error_exit(error="Invalid vault config"), (
+            "expected error exit and known error message"
         )
 
-    @Parametrize.VAULT_CHARSET_OPTION
-    def test_210_invalid_argument_range(
+    def test_213c_import_bad_config_not_json_data(
         self,
-        option: str,
     ) -> None:
-        """Requesting invalidly many characters from a class fails."""
+        """Importing an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2849,27 +1435,26 @@ class TestCLI:
                     runner=runner,
                 )
             )
-            for value in "-42", "invalid":
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                    [option, value, "-p", "--", DUMMY_SERVICE],
-                    input=DUMMY_PASSPHRASE,
+                ["--import", "-"],
+                input="This string is not valid JSON.",
                 catch_exceptions=False,
             )
-                assert result.error_exit(error="Invalid value"), (
+        assert result.error_exit(error="cannot decode JSON"), (
             "expected error exit and known error message"
         )
 
-    @Parametrize.OPTION_COMBINATIONS_SERVICE_NEEDED
-    def test_211_service_needed(
+    def test_213d_import_bad_config_not_a_file(
         self,
-        options: list[str],
-        service: bool | None,
-        input: str | None,
-        check_success: bool,
     ) -> None:
-        """We require or forbid a service argument, depending on options."""
+        """Importing an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
+        # `isolated_vault_config` ensures the configuration is valid
+        # JSON.  So, to pass an actual broken configuration, we must
+        # open the configuration file ourselves afterwards, inside the
+        # context.
+        #
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
         # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
@@ -2879,34 +1464,33 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
+                    vault_config={"services": {}},
                 )
             )
-            monkeypatch.setattr(
-                cli_helpers,
-                "prompt_for_passphrase",
-                callables.auto_prompt,
+            cli_helpers.config_filename(subsystem="vault").write_text(
+                "This string is not valid JSON.\n", encoding="UTF-8"
             )
+            dname = cli_helpers.config_filename(subsystem=None)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                options if service else [*options, "--", DUMMY_SERVICE],
-                input=input,
+                ["--import", os.fsdecode(dname)],
                 catch_exceptions=False,
             )
-            if service is not None:
-                err_msg = (
-                    " requires a SERVICE"
-                    if service
-                    else " does not take a SERVICE argument"
-                )
-                assert result.error_exit(error=err_msg), (
+        # The Annoying OS uses EACCES, other OSes use EISDIR.
+        assert result.error_exit(
+            error=os.strerror(errno.EISDIR)
+        ) or result.error_exit(error=os.strerror(errno.EACCES)), (
             "expected error exit and known error message"
         )
-            else:
-                assert result.clean_exit(empty_stderr=True), (
-                    "expected clean exit"
-                )
-        if check_success:
+
+    @Parametrize.VALID_TEST_CONFIGS
+    def test_214_export_config_success(
+        self,
+        caplog: pytest.LogCaptureFixture,
+        config: Any,
+    ) -> None:
+        """Exporting a configuration works."""
+        runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
         # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
@@ -2916,42 +1500,36 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                        vault_config={
-                            "global": {"phrase": "abc"},
-                            "services": {},
-                        },
+                    vault_config=config,
                 )
             )
-                monkeypatch.setattr(
-                    cli_helpers,
-                    "prompt_for_passphrase",
-                    callables.auto_prompt,
-                )
+            with cli_helpers.config_filename(subsystem="vault").open(
+                "w", encoding="UTF-8"
+            ) as outfile:
+                # Ensure the config is written on one line.
+                json.dump(config, outfile, indent=None)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                    [*options, "--", DUMMY_SERVICE] if service else options,
-                    input=input,
+                ["--export", "-"],
                 catch_exceptions=False,
             )
-            assert result.clean_exit(empty_stderr=True), "expected clean exit"
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config2 = json.load(infile)
+        assert result.clean_exit(empty_stderr=False), "expected clean exit"
+        assert config2 == config, "config not imported correctly"
+        assert not result.stderr or all(  # pragma: no branch
+            map(is_harmless_config_import_warning, caplog.record_tuples)
+        ), "unexpected error output"
+        assert_vault_config_is_indented_and_line_broken(result.stdout)
 
-    def test_211a_empty_service_name_causes_warning(
+    @Parametrize.EXPORT_FORMAT_OPTIONS
+    def test_214a_export_settings_no_stored_settings(
         self,
-        caplog: pytest.LogCaptureFixture,
+        export_options: list[str],
     ) -> None:
-        """Using an empty service name (where permissible) warns.
-
-        Only the `--config` option can optionally take a service name.
-
-        """
-
-        def is_expected_warning(record: tuple[str, int, str]) -> bool:
-            return is_harmless_config_import_warning(
-                record
-            ) or machinery.warning_emitted(
-                "An empty SERVICE is not supported by vault(1)", [record]
-            )
-
+        """Exporting the default, empty config works."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2959,55 +1537,31 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_vault_config(
+                pytest_machinery.isolated_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
-            monkeypatch.setattr(
-                cli_helpers,
-                "prompt_for_passphrase",
-                callables.auto_prompt,
                 )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "--length=30", "--", ""],
-                catch_exceptions=False,
             )
-            assert result.clean_exit(empty_stderr=False), "expected clean exit"
-            assert result.stderr is not None, "expected known error output"
-            assert all(map(is_expected_warning, caplog.record_tuples)), (
-                "expected known error output"
+            cli_helpers.config_filename(subsystem="vault").unlink(
+                missing_ok=True
             )
-            assert cli_helpers.load_config() == {
-                "global": {"length": 30},
-                "services": {},
-            }, "requested configuration change was not applied"
-            caplog.clear()
             result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input=json.dumps({"services": {"": {"length": 40}}}),
+                # Test parent context navigation by not calling
+                # `cli.derivepassphrase_vault` directly.  Used e.g. in
+                # the `--export-as=sh` section to autoconstruct the
+                # program name correctly.
+                cli.derivepassphrase,
+                ["vault", "--export", "-", *export_options],
                 catch_exceptions=False,
             )
-            assert result.clean_exit(empty_stderr=False), "expected clean exit"
-            assert result.stderr is not None, "expected known error output"
-            assert all(map(is_expected_warning, caplog.record_tuples)), (
-                "expected known error output"
-            )
-            assert cli_helpers.load_config() == {
-                "global": {"length": 30},
-                "services": {"": {"length": 40}},
-            }, "requested configuration change was not applied"
+        assert result.clean_exit(empty_stderr=True), "expected clean exit"
 
-    @Parametrize.OPTION_COMBINATIONS_INCOMPATIBLE
-    def test_212_incompatible_options(
+    @Parametrize.EXPORT_FORMAT_OPTIONS
+    def test_214b_export_settings_bad_stored_config(
         self,
-        options: list[str],
-        service: bool | None,
+        export_options: list[str],
     ) -> None:
-        """Incompatible options are detected."""
+        """Exporting an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -3015,28 +1569,28 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={},
                 )
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                [*options, "--", DUMMY_SERVICE] if service else options,
-                input=DUMMY_PASSPHRASE,
+                ["--export", "-", *export_options],
+                input="null",
                 catch_exceptions=False,
             )
-        assert result.error_exit(error="mutually exclusive with "), (
+        assert result.error_exit(error="Cannot load vault settings:"), (
             "expected error exit and known error message"
         )
 
-    @Parametrize.VALID_TEST_CONFIGS
-    def test_213_import_config_success(
+    @Parametrize.EXPORT_FORMAT_OPTIONS
+    def test_214c_export_settings_not_a_file(
         self,
-        caplog: pytest.LogCaptureFixture,
-        config: Any,
+        export_options: list[str],
     ) -> None:
-        """Importing a configuration works."""
+        """Exporting an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -3044,57 +1598,30 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_vault_config(
+                pytest_machinery.isolated_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
                 )
             )
+            config_file = cli_helpers.config_filename(subsystem="vault")
+            config_file.unlink(missing_ok=True)
+            config_file.mkdir(parents=True, exist_ok=True)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input=json.dumps(config),
+                ["--export", "-", *export_options],
+                input="null",
                 catch_exceptions=False,
             )
-            config_txt = cli_helpers.config_filename(
-                subsystem="vault"
-            ).read_text(encoding="UTF-8")
-            config2 = json.loads(config_txt)
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert config2 == config, "config not imported correctly"
-        assert not result.stderr or all(  # pragma: no branch
-            map(is_harmless_config_import_warning, caplog.record_tuples)
-        ), "unexpected error output"
-        assert_vault_config_is_indented_and_line_broken(config_txt)
-
-    @hypothesis.settings(
-        suppress_health_check=[
-            *hypothesis.settings().suppress_health_check,
-            hypothesis.HealthCheck.function_scoped_fixture,
-        ],
-    )
-    @hypothesis.given(
-        conf=hypothesis_machinery.smudged_vault_test_config(
-            strategies.sampled_from([
-                conf for conf in data.TEST_CONFIGS if conf.is_valid()
-            ])
-        )
+        assert result.error_exit(error="Cannot load vault settings:"), (
+            "expected error exit and known error message"
         )
-    def test_213a_import_config_success(
+
+    @Parametrize.EXPORT_FORMAT_OPTIONS
+    def test_214d_export_settings_target_not_a_file(
         self,
-        caplog: pytest.LogCaptureFixture,
-        conf: data.VaultTestConfig,
+        export_options: list[str],
     ) -> None:
-        """Importing a smudged configuration works.
-
-        Tested via hypothesis.
-
-        """
-        config = conf.config
-        config2 = copy.deepcopy(config)
-        _types.clean_up_falsy_vault_config_values(config2)
-        # Reset caplog between hypothesis runs.
-        caplog.clear()
+        """Exporting an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -3102,33 +1629,29 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_vault_config(
+                pytest_machinery.isolated_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
                 )
             )
+            dname = cli_helpers.config_filename(subsystem=None)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input=json.dumps(config),
+                ["--export", os.fsdecode(dname), *export_options],
+                input="null",
                 catch_exceptions=False,
             )
-            config_txt = cli_helpers.config_filename(
-                subsystem="vault"
-            ).read_text(encoding="UTF-8")
-            config3 = json.loads(config_txt)
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert config3 == config2, "config not imported correctly"
-        assert not result.stderr or all(
-            map(is_harmless_config_import_warning, caplog.record_tuples)
-        ), "unexpected error output"
-        assert_vault_config_is_indented_and_line_broken(config_txt)
+        assert result.error_exit(error="Cannot export vault settings:"), (
+            "expected error exit and known error message"
+        )
 
-    def test_213b_import_bad_config_not_vault_config(
+    @pytest_machinery.skip_if_on_the_annoying_os
+    @Parametrize.EXPORT_FORMAT_OPTIONS
+    def test_214e_export_settings_settings_directory_not_a_directory(
         self,
+        export_options: list[str],
     ) -> None:
-        """Importing an invalid config fails."""
+        """Exporting an invalid config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -3141,1240 +1664,105 @@ class TestCLI:
                     runner=runner,
                 )
             )
+            config_dir = cli_helpers.config_filename(subsystem=None)
+            with contextlib.suppress(FileNotFoundError):
+                shutil.rmtree(config_dir)
+            config_dir.write_text("Obstruction!!\n")
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--import", "-"],
+                ["--export", "-", *export_options],
                 input="null",
                 catch_exceptions=False,
             )
-        assert result.error_exit(error="Invalid vault config"), (
+        assert result.error_exit(
+            error="Cannot load vault settings:"
+        ) or result.error_exit(error="Cannot load user config:"), (
             "expected error exit and known error message"
         )
 
-    def test_213c_import_bad_config_not_json_data(
+    @Parametrize.NOTES_PLACEMENT
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            min_size=1,
+            max_size=512,
+        ).filter(str.strip),
+    )
+    def test_215_notes_placement(
         self,
+        notes_placement: Literal["before", "after"],
+        placement_args: list[str],
+        notes: str,
     ) -> None:
-        """Importing an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
+        notes = notes.strip()
+        maybe_notes = {"notes": notes} if notes else {}
+        vault_config = {
+            "global": {"phrase": DUMMY_PASSPHRASE},
+            "services": {
+                DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
+            },
+        }
+        result_phrase = DUMMY_RESULT_PASSPHRASE.decode("ascii")
+        expected = (
+            f"{notes}\n\n{result_phrase}\n"
+            if notes_placement == "before"
+            else f"{result_phrase}\n\n{notes}\n\n"
+        )
+        runner = machinery.CliRunner(mix_stderr=True)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
         # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config=vault_config,
                 )
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input="This string is not valid JSON.",
+                [*placement_args, "--", DUMMY_SERVICE],
                 catch_exceptions=False,
             )
-        assert result.error_exit(error="cannot decode JSON"), (
-            "expected error exit and known error message"
-        )
+            assert result.clean_exit(output=expected), "expected clean exit"
 
-    def test_213d_import_bad_config_not_a_file(
-        self,
-    ) -> None:
-        """Importing an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # `isolated_vault_config` ensures the configuration is valid
-        # JSON.  So, to pass an actual broken configuration, we must
-        # open the configuration file ourselves afterwards, inside the
-        # context.
-        #
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
-            cli_helpers.config_filename(subsystem="vault").write_text(
-                "This string is not valid JSON.\n", encoding="UTF-8"
-            )
-            dname = cli_helpers.config_filename(subsystem=None)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--import", os.fsdecode(dname)],
-                catch_exceptions=False,
-            )
-        # The Annoying OS uses EACCES, other OSes use EISDIR.
-        assert result.error_exit(
-            error=os.strerror(errno.EISDIR)
-        ) or result.error_exit(error=os.strerror(errno.EACCES)), (
-            "expected error exit and known error message"
-        )
-
-    @Parametrize.VALID_TEST_CONFIGS
-    def test_214_export_config_success(
-        self,
-        caplog: pytest.LogCaptureFixture,
-        config: Any,
-    ) -> None:
-        """Exporting a configuration works."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config=config,
-                )
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                "w", encoding="UTF-8"
-            ) as outfile:
-                # Ensure the config is written on one line.
-                json.dump(config, outfile, indent=None)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", "-"],
-                catch_exceptions=False,
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config2 = json.load(infile)
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert config2 == config, "config not imported correctly"
-        assert not result.stderr or all(  # pragma: no branch
-            map(is_harmless_config_import_warning, caplog.record_tuples)
-        ), "unexpected error output"
-        assert_vault_config_is_indented_and_line_broken(result.stdout)
-
-    @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_214a_export_settings_no_stored_settings(
-        self,
-        export_options: list[str],
-    ) -> None:
-        """Exporting the default, empty config works."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            cli_helpers.config_filename(subsystem="vault").unlink(
-                missing_ok=True
-            )
-            result = runner.invoke(
-                # Test parent context navigation by not calling
-                # `cli.derivepassphrase_vault` directly.  Used e.g. in
-                # the `--export-as=sh` section to autoconstruct the
-                # program name correctly.
-                cli.derivepassphrase,
-                ["vault", "--export", "-", *export_options],
-                catch_exceptions=False,
-            )
-        assert result.clean_exit(empty_stderr=True), "expected clean exit"
-
-    @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_214b_export_settings_bad_stored_config(
-        self,
-        export_options: list[str],
-    ) -> None:
-        """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={},
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", "-", *export_options],
-                input="null",
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot load vault settings:"), (
-            "expected error exit and known error message"
-        )
-
-    @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_214c_export_settings_not_a_file(
-        self,
-        export_options: list[str],
-    ) -> None:
-        """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            config_file = cli_helpers.config_filename(subsystem="vault")
-            config_file.unlink(missing_ok=True)
-            config_file.mkdir(parents=True, exist_ok=True)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", "-", *export_options],
-                input="null",
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot load vault settings:"), (
-            "expected error exit and known error message"
-        )
-
-    @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_214d_export_settings_target_not_a_file(
-        self,
-        export_options: list[str],
-    ) -> None:
-        """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            dname = cli_helpers.config_filename(subsystem=None)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", os.fsdecode(dname), *export_options],
-                input="null",
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot export vault settings:"), (
-            "expected error exit and known error message"
-        )
-
-    @pytest_machinery.skip_if_on_the_annoying_os
-    @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_214e_export_settings_settings_directory_not_a_directory(
-        self,
-        export_options: list[str],
-    ) -> None:
-        """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            config_dir = cli_helpers.config_filename(subsystem=None)
-            with contextlib.suppress(FileNotFoundError):
-                shutil.rmtree(config_dir)
-            config_dir.write_text("Obstruction!!\n")
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", "-", *export_options],
-                input="null",
-                catch_exceptions=False,
-            )
-        assert result.error_exit(
-            error="Cannot load vault settings:"
-        ) or result.error_exit(error="Cannot load user config:"), (
-            "expected error exit and known error message"
-        )
-
-    @Parametrize.NOTES_PLACEMENT
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
-    def test_215_notes_placement(
-        self,
-        notes_placement: Literal["before", "after"],
-        placement_args: list[str],
-        notes: str,
-    ) -> None:
-        notes = notes.strip()
-        maybe_notes = {"notes": notes} if notes else {}
-        vault_config = {
-            "global": {"phrase": DUMMY_PASSPHRASE},
-            "services": {
-                DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
-            },
-        }
-        result_phrase = DUMMY_RESULT_PASSPHRASE.decode("ascii")
-        expected = (
-            f"{notes}\n\n{result_phrase}\n"
-            if notes_placement == "before"
-            else f"{result_phrase}\n\n{notes}\n\n"
-        )
-        runner = machinery.CliRunner(mix_stderr=True)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config=vault_config,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [*placement_args, "--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(output=expected), "expected clean exit"
-
-    @Parametrize.MODERN_EDITOR_INTERFACE
-    @hypothesis.settings(
-        suppress_health_check=[
-            *hypothesis.settings().suppress_health_check,
-            hypothesis.HealthCheck.function_scoped_fixture,
-        ],
-    )
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
-    def test_220_edit_notes_successfully(
-        self,
-        caplog: pytest.LogCaptureFixture,
-        modern_editor_interface: bool,
-        notes: str,
-    ) -> None:
-        """Editing notes works."""
-        marker = cli_messages.TranslatedString(
-            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
-        )
-        edit_result = f"""
-
-{marker}
-{notes}
-"""
-        # Reset caplog between hypothesis runs.
-        caplog.clear()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": "Contents go here"}},
-                    },
-                )
-            )
-            notes_backup_file = cli_helpers.config_filename(
-                subsystem="notes backup"
-            )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
-            )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: edit_result)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface"
-                    if modern_editor_interface
-                    else "--vault-legacy-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(), "expected clean exit"
-            assert all(map(is_warning_line, result.stderr.splitlines(True)))
-            assert modern_editor_interface or machinery.warning_emitted(
-                "A backup copy of the old notes was saved",
-                caplog.record_tuples,
-            ), "expected known warning message in stderr"
-            assert (
-                modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "Contents go here"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {
-                    "sv": {
-                        "notes": notes.strip()
-                        if modern_editor_interface
-                        else edit_result.strip()
-                    }
-                },
-            }
-
-    @Parametrize.NOOP_EDIT_FUNCS
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
-    def test_221_edit_notes_noop(
-        self,
-        edit_func_name: Literal["empty", "space"],
-        modern_editor_interface: bool,
-        notes: str,
-    ) -> None:
-        """Abandoning edited notes works."""
-
-        def empty(text: str, *_args: Any, **_kwargs: Any) -> str:
-            del text
-            return ""
-
-        def space(text: str, *_args: Any, **_kwargs: Any) -> str:
-            del text
-            return "       " + notes.strip() + "\n\n\n\n\n\n"
-
-        edit_funcs = {"empty": empty, "space": space}
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": notes.strip()}},
-                    },
-                )
-            )
-            notes_backup_file = cli_helpers.config_filename(
-                subsystem="notes backup"
-            )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
-            )
-            monkeypatch.setattr(click, "edit", edit_funcs[edit_func_name])
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface"
-                    if modern_editor_interface
-                    else "--vault-legacy-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(empty_stderr=True) or result.error_exit(
-                error="the user aborted the request"
-            ), "expected clean exit"
-            assert (
-                modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "These backup notes are left over from the previous session."
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"notes": notes.strip()}},
-            }
-
-    # TODO(the-13th-letter): Keep this behavior or not, with or without
-    # warning?
-    @Parametrize.MODERN_EDITOR_INTERFACE
-    @hypothesis.settings(
-        suppress_health_check=[
-            *hypothesis.settings().suppress_health_check,
-            hypothesis.HealthCheck.function_scoped_fixture,
-        ],
-    )
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
-    def test_222_edit_notes_marker_removed(
-        self,
-        caplog: pytest.LogCaptureFixture,
-        modern_editor_interface: bool,
-        notes: str,
-    ) -> None:
-        """Removing the notes marker still saves the notes.
-
-        TODO: Keep this behavior or not, with or without warning?
-
-        """
-        notes_marker = cli_messages.TranslatedString(
-            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
-        )
-        hypothesis.assume(str(notes_marker) not in notes.strip())
-        # Reset caplog between hypothesis runs.
-        caplog.clear()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": "Contents go here"}},
-                    },
-                )
-            )
-            notes_backup_file = cli_helpers.config_filename(
-                subsystem="notes backup"
-            )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
-            )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: notes)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface"
-                    if modern_editor_interface
-                    else "--vault-legacy-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(), "expected clean exit"
-            assert not result.stderr or all(
-                map(is_warning_line, result.stderr.splitlines(True))
-            )
-            assert not caplog.record_tuples or machinery.warning_emitted(
-                "A backup copy of the old notes was saved",
-                caplog.record_tuples,
-            ), "expected known warning message in stderr"
-            assert (
-                modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "Contents go here"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"notes": notes.strip()}},
-            }
-
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
-    def test_223_edit_notes_abort(
-        self,
-        notes: str,
-    ) -> None:
-        """Aborting editing notes works.
-
-        Aborting is only supported with the modern editor interface.
-
-        """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": notes.strip()}},
-                    },
-                )
-            )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: "")
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.error_exit(error="the user aborted the request"), (
-                "expected known error message"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"notes": notes.strip()}},
-            }
-
-    def test_223a_edit_empty_notes_abort(
-        self,
-    ) -> None:
-        """Aborting editing notes works even if no notes are stored yet.
-
-        Aborting is only supported with the modern editor interface.
-
-        """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {},
-                    },
-                )
-            )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: "")
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.error_exit(error="the user aborted the request"), (
-                "expected known error message"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {},
-            }
-
-    @Parametrize.MODERN_EDITOR_INTERFACE
-    @hypothesis.settings(
-        suppress_health_check=[
-            *hypothesis.settings().suppress_health_check,
-            hypothesis.HealthCheck.function_scoped_fixture,
-        ],
-    )
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            max_size=512,
-        ),
-    )
-    def test_223b_edit_notes_fail_config_option_missing(
-        self,
-        caplog: pytest.LogCaptureFixture,
-        modern_editor_interface: bool,
-        notes: str,
-    ) -> None:
-        """Editing notes fails (and warns) if `--config` is missing."""
-        maybe_notes = {"notes": notes.strip()} if notes.strip() else {}
-        vault_config = {
-            "global": {"phrase": DUMMY_PASSPHRASE},
-            "services": {
-                DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
-            },
-        }
-        # Reset caplog between hypothesis runs.
-        caplog.clear()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config=vault_config,
-                )
-            )
-            EDIT_ATTEMPTED = "edit attempted!"  # noqa: N806
-
-            def raiser(*_args: Any, **_kwargs: Any) -> NoReturn:
-                pytest.fail(EDIT_ATTEMPTED)
-
-            notes_backup_file = cli_helpers.config_filename(
-                subsystem="notes backup"
-            )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
-            )
-            monkeypatch.setattr(click, "edit", raiser)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--notes",
-                    "--modern-editor-interface"
-                    if modern_editor_interface
-                    else "--vault-legacy-editor-interface",
-                    "--",
-                    DUMMY_SERVICE,
-                ],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(
-                output=DUMMY_RESULT_PASSPHRASE.decode("ascii")
-            ), "expected clean exit"
-            assert result.stderr
-            assert notes.strip() in result.stderr
-            assert all(
-                is_warning_line(line)
-                for line in result.stderr.splitlines(True)
-                if line.startswith(f"{cli.PROG_NAME}: ")
-            )
-            assert machinery.warning_emitted(
-                "Specifying --notes without --config is ineffective.  "
-                "No notes will be edited.",
-                caplog.record_tuples,
-            ), "expected known warning message in stderr"
-            assert (
-                modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "These backup notes are left over from the previous session."
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == vault_config
-
-    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG
-    def test_224_store_config_good(
-        self,
-        command_line: list[str],
-        input: str,
-        result_config: Any,
-    ) -> None:
-        """Storing valid settings via `--config` works.
-
-        The format also contains embedded newlines and indentation to make
-        the config more readable.
-
-        """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            monkeypatch.setattr(
-                cli_helpers,
-                "get_suitable_ssh_keys",
-                callables.suitable_ssh_keys,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", *command_line],
-                catch_exceptions=False,
-                input=input,
-            )
-            assert result.clean_exit(), "expected clean exit"
-            config_txt = cli_helpers.config_filename(
-                subsystem="vault"
-            ).read_text(encoding="UTF-8")
-            config = json.loads(config_txt)
-            assert config == result_config, (
-                "stored config does not match expectation"
-            )
-            assert_vault_config_is_indented_and_line_broken(config_txt)
-
-    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG_FAILURES
-    def test_225_store_config_fail(
-        self,
-        command_line: list[str],
-        input: str,
-        err_text: str,
-    ) -> None:
-        """Storing invalid settings via `--config` fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            monkeypatch.setattr(
-                cli_helpers,
-                "get_suitable_ssh_keys",
-                callables.suitable_ssh_keys,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", *command_line],
-                catch_exceptions=False,
-                input=input,
-            )
-        assert result.error_exit(error=err_text), (
-            "expected error exit and known error message"
-        )
-
-    def test_225a_store_config_fail_manual_no_ssh_key_selection(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Not selecting an SSH key during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-
-            def prompt_for_selection(*_args: Any, **_kwargs: Any) -> NoReturn:
-                raise IndexError(cli_helpers.EMPTY_SELECTION)
-
-            monkeypatch.setattr(
-                cli_helpers, "prompt_for_selection", prompt_for_selection
-            )
-            # Also patch the list of suitable SSH keys, lest we be at
-            # the mercy of whatever SSH agent may be running.
-            monkeypatch.setattr(
-                cli_helpers,
-                "get_suitable_ssh_keys",
-                callables.suitable_ssh_keys,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="the user aborted the request"), (
-            "expected error exit and known error message"
-        )
-
-    def test_225b_store_config_fail_manual_no_ssh_agent(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Not running an SSH agent during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            monkeypatch.delenv("SSH_AUTH_SOCK", raising=False)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot find any running SSH agent"), (
-            "expected error exit and known error message"
-        )
-
-    def test_225c_store_config_fail_manual_bad_ssh_agent_connection(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Not running a reachable SSH agent during `--config --key` fails."""
-        running_ssh_agent.require_external_address()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            cwd = pathlib.Path.cwd().resolve()
-            monkeypatch.setenv("SSH_AUTH_SOCK", str(cwd))
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot connect to the SSH agent"), (
-            "expected error exit and known error message"
-        )
-
-    @Parametrize.TRY_RACE_FREE_IMPLEMENTATION
-    def test_225d_store_config_fail_manual_read_only_file(
-        self,
-        try_race_free_implementation: bool,
-    ) -> None:
-        """Using a read-only configuration file with `--config` fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            callables.make_file_readonly(
-                cli_helpers.config_filename(subsystem="vault"),
-                try_race_free_implementation=try_race_free_implementation,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "--length=15", "--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot store vault settings:"), (
-            "expected error exit and known error message"
-        )
-
-    def test_225e_store_config_fail_manual_custom_error(
-        self,
-    ) -> None:
-        """OS-erroring with `--config` fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            custom_error = "custom error message"
-
-            def raiser(config: Any) -> None:
-                del config
-                raise RuntimeError(custom_error)
-
-            monkeypatch.setattr(cli_helpers, "save_config", raiser)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "--length=15", "--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error=custom_error), (
-            "expected error exit and known error message"
-        )
-
-    def test_225f_store_config_fail_unset_and_set_same_settings(
-        self,
-    ) -> None:
-        """Issuing conflicting settings to `--config` fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--unset=length",
-                    "--length=15",
-                    "--",
-                    DUMMY_SERVICE,
-                ],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(
-            error="Attempted to unset and set --length at the same time."
-        ), "expected error exit and known error message"
-
-    def test_225g_store_config_fail_manual_ssh_agent_no_keys_loaded(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Not holding any SSH keys during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-
-            def func(
-                *_args: Any,
-                **_kwargs: Any,
-            ) -> list[_types.SSHKeyCommentPair]:
-                return []
-
-            monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", func)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="no keys suitable"), (
-            "expected error exit and known error message"
-        )
-
-    def test_225h_store_config_fail_manual_ssh_agent_runtime_error(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """The SSH agent erroring during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-
-            def raiser(*_args: Any, **_kwargs: Any) -> None:
-                raise ssh_agent.TrailingDataError()
-
-            monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", raiser)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(
-            error="violates the communication protocol."
-        ), "expected error exit and known error message"
-
-    def test_225i_store_config_fail_manual_ssh_agent_refuses(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """The SSH agent refusing during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-
-            def func(*_args: Any, **_kwargs: Any) -> NoReturn:
-                raise ssh_agent.SSHAgentFailedError(
-                    _types.SSH_AGENT.FAILURE, b""
-                )
-
-            monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", func)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="refused to"), (
-            "expected error exit and known error message"
-        )
-
-    def test_226_no_arguments(self) -> None:
-        """Calling `derivepassphrase vault` without any arguments fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault, [], catch_exceptions=False
-            )
-        assert result.error_exit(
-            error="Deriving a passphrase requires a SERVICE"
-        ), "expected error exit and known error message"
-
-    def test_226a_no_passphrase_or_key(
-        self,
-    ) -> None:
-        """Deriving a passphrase without a passphrase or key fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
-                catch_exceptions=False,
+    @Parametrize.MODERN_EDITOR_INTERFACE
+    @hypothesis.settings(
+        suppress_health_check=[
+            *hypothesis.settings().suppress_health_check,
+            hypothesis.HealthCheck.function_scoped_fixture,
+        ],
     )
-        assert result.error_exit(error="No passphrase or key was given"), (
-            "expected error exit and known error message"
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            min_size=1,
+            max_size=512,
+        ).filter(str.strip),
     )
-
-    def test_230_config_directory_nonexistant(
+    def test_220_edit_notes_successfully(
         self,
+        caplog: pytest.LogCaptureFixture,
+        modern_editor_interface: bool,
+        notes: str,
     ) -> None:
-        """Running without an existing config directory works.
-
-        This is a regression test; see [issue\u00a0#6][] for context.
-
-        [issue #6]: https://github.com/the-13th-letter/derivepassphrase/issues/6
+        """Editing notes works."""
+        marker = cli_messages.TranslatedString(
+            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
+        )
+        edit_result = f"""
 
+{marker}
+{notes}
 """
+        # Reset caplog between hypothesis runs.
+        caplog.clear()
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4382,45 +1770,89 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={
+                        "global": {"phrase": "abc"},
+                        "services": {"sv": {"notes": "Contents go here"}},
+                    },
                 )
             )
-            with contextlib.suppress(FileNotFoundError):
-                shutil.rmtree(cli_helpers.config_filename(subsystem=None))
+            notes_backup_file = cli_helpers.config_filename(
+                subsystem="notes backup"
+            )
+            notes_backup_file.write_text(
+                "These backup notes are left over from the previous session.",
+                encoding="UTF-8",
+            )
+            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: edit_result)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--config", "-p"],
+                [
+                    "--config",
+                    "--notes",
+                    "--modern-editor-interface"
+                    if modern_editor_interface
+                    else "--vault-legacy-editor-interface",
+                    "--",
+                    "sv",
+                ],
                 catch_exceptions=False,
-                input="abc\n",
             )
             assert result.clean_exit(), "expected clean exit"
-            assert result.stderr == "Passphrase:", (
-                "program unexpectedly failed?!"
+            assert all(map(is_warning_line, result.stderr.splitlines(True)))
+            assert modern_editor_interface or machinery.warning_emitted(
+                "A backup copy of the old notes was saved",
+                caplog.record_tuples,
+            ), "expected known warning message in stderr"
+            assert (
+                modern_editor_interface
+                or notes_backup_file.read_text(encoding="UTF-8")
+                == "Contents go here"
             )
             with cli_helpers.config_filename(subsystem="vault").open(
                 encoding="UTF-8"
             ) as infile:
-                config_readback = json.load(infile)
-            assert config_readback == {
+                config = json.load(infile)
+            assert config == {
                 "global": {"phrase": "abc"},
-                "services": {},
-            }, "config mismatch"
+                "services": {
+                    "sv": {
+                        "notes": notes.strip()
+                        if modern_editor_interface
+                        else edit_result.strip()
+                    }
+                },
+            }
 
-    def test_230a_config_directory_not_a_file(
+    @Parametrize.NOOP_EDIT_FUNCS
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            min_size=1,
+            max_size=512,
+        ).filter(str.strip),
+    )
+    def test_221_edit_notes_noop(
         self,
+        edit_func_name: Literal["empty", "space"],
+        modern_editor_interface: bool,
+        notes: str,
     ) -> None:
-        """Erroring without an existing config directory errors normally.
-
-        That is, the missing configuration directory does not cause any
-        errors by itself.
+        """Abandoning edited notes works."""
 
-        This is a regression test; see [issue\u00a0#6][] for context.
+        def empty(text: str, *_args: Any, **_kwargs: Any) -> str:
+            del text
+            return ""
 
-        [issue #6]: https://github.com/the-13th-letter/derivepassphrase/issues/6
+        def space(text: str, *_args: Any, **_kwargs: Any) -> str:
+            del text
+            return "       " + notes.strip() + "\n\n\n\n\n\n"
 
-        """
+        edit_funcs = {"empty": empty, "space": space}
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4428,77 +1860,88 @@ class TestCLI:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={
+                        "global": {"phrase": "abc"},
+                        "services": {"sv": {"notes": notes.strip()}},
+                    },
                 )
             )
-            save_config_ = cli_helpers.save_config
-
-            def obstruct_config_saving(*args: Any, **kwargs: Any) -> Any:
-                config_dir = cli_helpers.config_filename(subsystem=None)
-                with contextlib.suppress(FileNotFoundError):
-                    shutil.rmtree(config_dir)
-                config_dir.write_text("Obstruction!!\n")
-                monkeypatch.setattr(cli_helpers, "save_config", save_config_)
-                return save_config_(*args, **kwargs)
-
-            monkeypatch.setattr(
-                cli_helpers, "save_config", obstruct_config_saving
+            notes_backup_file = cli_helpers.config_filename(
+                subsystem="notes backup"
+            )
+            notes_backup_file.write_text(
+                "These backup notes are left over from the previous session.",
+                encoding="UTF-8",
             )
+            monkeypatch.setattr(click, "edit", edit_funcs[edit_func_name])
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--config", "-p"],
+                [
+                    "--config",
+                    "--notes",
+                    "--modern-editor-interface"
+                    if modern_editor_interface
+                    else "--vault-legacy-editor-interface",
+                    "--",
+                    "sv",
+                ],
                 catch_exceptions=False,
-                input="abc\n",
-            )
-            assert result.error_exit(error="Cannot store vault settings:"), (
-                "expected error exit and known error message"
-            )
-
-    def test_230b_store_config_custom_error(
-        self,
-    ) -> None:
-        """Storing the configuration reacts even to weird errors."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
             )
+            assert result.clean_exit(empty_stderr=True) or result.error_exit(
+                error="the user aborted the request"
+            ), "expected clean exit"
+            assert (
+                modern_editor_interface
+                or notes_backup_file.read_text(encoding="UTF-8")
+                == "These backup notes are left over from the previous session."
             )
-            custom_error = "custom error message"
-
-            def raiser(config: Any) -> None:
-                del config
-                raise RuntimeError(custom_error)
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config = json.load(infile)
+            assert config == {
+                "global": {"phrase": "abc"},
+                "services": {"sv": {"notes": notes.strip()}},
+            }
 
-            monkeypatch.setattr(cli_helpers, "save_config", raiser)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "-p"],
-                catch_exceptions=False,
-                input="abc\n",
+    # TODO(the-13th-letter): Keep this behavior or not, with or without
+    # warning?
+    @Parametrize.MODERN_EDITOR_INTERFACE
+    @hypothesis.settings(
+        suppress_health_check=[
+            *hypothesis.settings().suppress_health_check,
+            hypothesis.HealthCheck.function_scoped_fixture,
+        ],
     )
-            assert result.error_exit(error=custom_error), (
-                "expected error exit and known error message"
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            min_size=1,
+            max_size=512,
+        ).filter(str.strip),
     )
-
-    @Parametrize.UNICODE_NORMALIZATION_WARNING_INPUTS
-    def test_300_unicode_normalization_form_warning(
+    def test_222_edit_notes_marker_removed(
         self,
         caplog: pytest.LogCaptureFixture,
-        main_config: str,
-        command_line: list[str],
-        input: str | None,
-        warning_message: str,
+        modern_editor_interface: bool,
+        notes: str,
     ) -> None:
-        """Using unnormalized Unicode passphrases warns."""
+        """Removing the notes marker still saves the notes.
+
+        TODO: Keep this behavior or not, with or without warning?
+
+        """
+        notes_marker = cli_messages.TranslatedString(
+            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
+        )
+        hypothesis.assume(str(notes_marker) not in notes.strip())
+        # Reset caplog between hypothesis runs.
+        caplog.clear()
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4510,33 +1953,72 @@ class TestCLI:
                     monkeypatch=monkeypatch,
                     runner=runner,
                     vault_config={
-                        "services": {
-                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
-                        }
+                        "global": {"phrase": "abc"},
+                        "services": {"sv": {"notes": "Contents go here"}},
                     },
-                    main_config_str=main_config,
                 )
             )
+            notes_backup_file = cli_helpers.config_filename(
+                subsystem="notes backup"
+            )
+            notes_backup_file.write_text(
+                "These backup notes are left over from the previous session.",
+                encoding="UTF-8",
+            )
+            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: notes)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--debug", *command_line],
+                [
+                    "--config",
+                    "--notes",
+                    "--modern-editor-interface"
+                    if modern_editor_interface
+                    else "--vault-legacy-editor-interface",
+                    "--",
+                    "sv",
+                ],
                 catch_exceptions=False,
-                input=input,
             )
             assert result.clean_exit(), "expected clean exit"
-        assert machinery.warning_emitted(
-            warning_message, caplog.record_tuples
+            assert not result.stderr or all(
+                map(is_warning_line, result.stderr.splitlines(True))
+            )
+            assert not caplog.record_tuples or machinery.warning_emitted(
+                "A backup copy of the old notes was saved",
+                caplog.record_tuples,
             ), "expected known warning message in stderr"
+            assert (
+                modern_editor_interface
+                or notes_backup_file.read_text(encoding="UTF-8")
+                == "Contents go here"
+            )
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config = json.load(infile)
+            assert config == {
+                "global": {"phrase": "abc"},
+                "services": {"sv": {"notes": notes.strip()}},
+            }
 
-    @Parametrize.UNICODE_NORMALIZATION_ERROR_INPUTS
-    def test_301_unicode_normalization_form_error(
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            min_size=1,
+            max_size=512,
+        ).filter(str.strip),
+    )
+    def test_223_edit_notes_abort(
         self,
-        main_config: str,
-        command_line: list[str],
-        input: str | None,
-        error_message: str,
+        notes: str,
     ) -> None:
-        """Using unknown Unicode normalization forms fails."""
+        """Aborting editing notes works.
+
+        Aborting is only supported with the modern editor interface.
+
+        """
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4548,32 +2030,43 @@ class TestCLI:
                     monkeypatch=monkeypatch,
                     runner=runner,
                     vault_config={
-                        "services": {
-                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
-                        }
+                        "global": {"phrase": "abc"},
+                        "services": {"sv": {"notes": notes.strip()}},
                     },
-                    main_config_str=main_config,
                 )
             )
+            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: "")
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                command_line,
+                [
+                    "--config",
+                    "--notes",
+                    "--modern-editor-interface",
+                    "--",
+                    "sv",
+                ],
                 catch_exceptions=False,
-                input=input,
             )
-        assert result.error_exit(
-            error="The user configuration file is invalid."
-        ), "expected error exit and known error message"
-        assert result.error_exit(error=error_message), (
-            "expected error exit and known error message"
+            assert result.error_exit(error="the user aborted the request"), (
+                "expected known error message"
             )
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config = json.load(infile)
+            assert config == {
+                "global": {"phrase": "abc"},
+                "services": {"sv": {"notes": notes.strip()}},
+            }
 
-    @Parametrize.UNICODE_NORMALIZATION_COMMAND_LINES
-    def test_301a_unicode_normalization_form_error_from_stored_config(
+    def test_223a_edit_empty_notes_abort(
         self,
-        command_line: list[str],
     ) -> None:
-        """Using unknown Unicode normalization forms in the config fails."""
+        """Aborting editing notes works even if no notes are stored yet.
+
+        Aborting is only supported with the modern editor interface.
+
+        """
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4585,35 +2078,66 @@ class TestCLI:
                     monkeypatch=monkeypatch,
                     runner=runner,
                     vault_config={
-                        "services": {
-                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
-                        }
+                        "global": {"phrase": "abc"},
+                        "services": {},
                     },
-                    main_config_str=(
-                        "[vault]\ndefault-unicode-normalization-form = 'XXX'\n"
-                    ),
                 )
             )
+            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: "")
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                command_line,
-                input=DUMMY_PASSPHRASE,
+                [
+                    "--config",
+                    "--notes",
+                    "--modern-editor-interface",
+                    "--",
+                    "sv",
+                ],
                 catch_exceptions=False,
             )
-            assert result.error_exit(
-                error="The user configuration file is invalid."
-            ), "expected error exit and known error message"
-            assert result.error_exit(
-                error=(
-                    "Invalid value 'XXX' for config key "
-                    "vault.default-unicode-normalization-form"
-                ),
-            ), "expected error exit and known error message"
+            assert result.error_exit(error="the user aborted the request"), (
+                "expected known error message"
+            )
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config = json.load(infile)
+            assert config == {
+                "global": {"phrase": "abc"},
+                "services": {},
+            }
 
-    def test_310_bad_user_config_file(
+    @Parametrize.MODERN_EDITOR_INTERFACE
+    @hypothesis.settings(
+        suppress_health_check=[
+            *hypothesis.settings().suppress_health_check,
+            hypothesis.HealthCheck.function_scoped_fixture,
+        ],
+    )
+    @hypothesis.given(
+        notes=strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            max_size=512,
+        ),
+    )
+    def test_223b_edit_notes_fail_config_option_missing(
         self,
+        caplog: pytest.LogCaptureFixture,
+        modern_editor_interface: bool,
+        notes: str,
     ) -> None:
-        """Loading a user configuration file in an invalid format fails."""
+        """Editing notes fails (and warns) if `--config` is missing."""
+        maybe_notes = {"notes": notes.strip()} if notes.strip() else {}
+        vault_config = {
+            "global": {"phrase": DUMMY_PASSPHRASE},
+            "services": {
+                DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
+            },
+        }
+        # Reset caplog between hypothesis runs.
+        caplog.clear()
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4624,24 +2148,73 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
-                    main_config_str="This file is not valid TOML.\n",
+                    vault_config=vault_config,
+                )
+            )
+            EDIT_ATTEMPTED = "edit attempted!"  # noqa: N806
+
+            def raiser(*_args: Any, **_kwargs: Any) -> NoReturn:
+                pytest.fail(EDIT_ATTEMPTED)
+
+            notes_backup_file = cli_helpers.config_filename(
+                subsystem="notes backup"
             )
+            notes_backup_file.write_text(
+                "These backup notes are left over from the previous session.",
+                encoding="UTF-8",
             )
+            monkeypatch.setattr(click, "edit", raiser)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--phrase", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
+                [
+                    "--notes",
+                    "--modern-editor-interface"
+                    if modern_editor_interface
+                    else "--vault-legacy-editor-interface",
+                    "--",
+                    DUMMY_SERVICE,
+                ],
                 catch_exceptions=False,
             )
-            assert result.error_exit(error="Cannot load user config:"), (
-                "expected error exit and known error message"
+            assert result.clean_exit(
+                output=DUMMY_RESULT_PASSPHRASE.decode("ascii")
+            ), "expected clean exit"
+            assert result.stderr
+            assert notes.strip() in result.stderr
+            assert all(
+                is_warning_line(line)
+                for line in result.stderr.splitlines(True)
+                if line.startswith(f"{cli.PROG_NAME}: ")
+            )
+            assert machinery.warning_emitted(
+                "Specifying --notes without --config is ineffective.  "
+                "No notes will be edited.",
+                caplog.record_tuples,
+            ), "expected known warning message in stderr"
+            assert (
+                modern_editor_interface
+                or notes_backup_file.read_text(encoding="UTF-8")
+                == "These backup notes are left over from the previous session."
             )
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config = json.load(infile)
+            assert config == vault_config
 
-    def test_311_bad_user_config_is_a_directory(
+    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG
+    def test_224_store_config_good(
         self,
+        command_line: list[str],
+        input: str,
+        result_config: Any,
     ) -> None:
-        """Loading a user configuration file in an invalid format fails."""
+        """Storing valid settings via `--config` works.
+
+        The format also contains embedded newlines and indentation to make
+        the config more readable.
+
+        """
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4652,30 +2225,38 @@ class TestCLI:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
-                    main_config_str="",
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
-            user_config = cli_helpers.config_filename(
-                subsystem="user configuration"
+            monkeypatch.setattr(
+                cli_helpers,
+                "get_suitable_ssh_keys",
+                callables.suitable_ssh_keys,
             )
-            user_config.unlink()
-            user_config.mkdir(parents=True, exist_ok=True)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--phrase", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
+                ["--config", *command_line],
                 catch_exceptions=False,
+                input=input,
             )
-            assert result.error_exit(error="Cannot load user config:"), (
-                "expected error exit and known error message"
+            assert result.clean_exit(), "expected clean exit"
+            config_txt = cli_helpers.config_filename(
+                subsystem="vault"
+            ).read_text(encoding="UTF-8")
+            config = json.loads(config_txt)
+            assert config == result_config, (
+                "stored config does not match expectation"
             )
+            assert_vault_config_is_indented_and_line_broken(config_txt)
 
-    def test_400_missing_af_unix_support(
+    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG_FAILURES
+    def test_225_store_config_fail(
         self,
-        caplog: pytest.LogCaptureFixture,
+        command_line: list[str],
+        input: str,
+        err_text: str,
     ) -> None:
-        """Querying the SSH agent without `AF_UNIX` support fails."""
+        """Storing invalid settings via `--config` fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4689,58 +2270,27 @@ class TestCLI:
                     vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
-            monkeypatch.setenv(
-                "SSH_AUTH_SOCK", "the value doesn't even matter"
-            )
             monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "SOCKET_PROVIDERS", ["posix"]
+                cli_helpers,
+                "get_suitable_ssh_keys",
+                callables.suitable_ssh_keys,
             )
-            monkeypatch.delattr(socket, "AF_UNIX", raising=False)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--key", "--config"],
+                ["--config", *command_line],
                 catch_exceptions=False,
+                input=input,
             )
-        assert result.error_exit(
-            error="does not support communicating with it"
-        ), "expected error exit and known error message"
-        assert machinery.warning_emitted(
-            "Cannot connect to an SSH agent via UNIX domain sockets",
-            caplog.record_tuples,
-        ), "expected known warning message in stderr"
-
-
-class TestCLIUtils:
-    """Tests for command-line utility functions."""
-
-    @Parametrize.BASE_CONFIG_VARIATIONS
-    def test_100_load_config(
-        self,
-        config: Any,
-    ) -> None:
-        """[`cli_helpers.load_config`][] works for valid configurations."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config=config,
-                )
+        assert result.error_exit(error=err_text), (
+            "expected error exit and known error message"
         )
-            config_filename = cli_helpers.config_filename(subsystem="vault")
-            with config_filename.open(encoding="UTF-8") as fileobj:
-                assert json.load(fileobj) == config
-            assert cli_helpers.load_config() == config
 
-    def test_110_save_bad_config(
+    def test_225a_store_config_fail_manual_no_ssh_key_selection(
         self,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """[`cli_helpers.save_config`][] fails for bad configurations."""
+        """Not selecting an SSH key during `--config --key` fails."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -4751,358 +2301,38 @@ class TestCLIUtils:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={},
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
-            stack.enter_context(
-                pytest.raises(ValueError, match="Invalid vault config")
-            )
-            cli_helpers.save_config(None)  # type: ignore[arg-type]
-
-    def test_111_prompt_for_selection_multiple(self) -> None:
-        """[`cli_helpers.prompt_for_selection`][] works in the "multiple" case."""
-
-        @click.command()
-        @click.option("--heading", default="Our menu:")
-        @click.argument("items", nargs=-1)
-        def driver(heading: str, items: list[str]) -> None:
-            # from https://montypython.fandom.com/wiki/Spam#The_menu
-            items = items or [
-                "Egg and bacon",
-                "Egg, sausage and bacon",
-                "Egg and spam",
-                "Egg, bacon and spam",
-                "Egg, bacon, sausage and spam",
-                "Spam, bacon, sausage and spam",
-                "Spam, egg, spam, spam, bacon and spam",
-                "Spam, spam, spam, egg and spam",
-                (
-                    "Spam, spam, spam, spam, spam, spam, baked beans, "
-                    "spam, spam, spam and spam"
-                ),
-                (
-                    "Lobster thermidor aux crevettes with a mornay sauce "
-                    "garnished with truffle paté, brandy "
-                    "and a fried egg on top and spam"
-                ),
-            ]
-            index = cli_helpers.prompt_for_selection(items, heading=heading)
-            click.echo("A fine choice: ", nl=False)
-            click.echo(items[index])
-            click.echo("(Note: Vikings strictly optional.)")
 
-        runner = machinery.CliRunner(mix_stderr=True)
-        result = runner.invoke(driver, [], input="9")
-        assert result.clean_exit(
-            output="""\
-Our menu:
-[1] Egg and bacon
-[2] Egg, sausage and bacon
-[3] Egg and spam
-[4] Egg, bacon and spam
-[5] Egg, bacon, sausage and spam
-[6] Spam, bacon, sausage and spam
-[7] Spam, egg, spam, spam, bacon and spam
-[8] Spam, spam, spam, egg and spam
-[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
-[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
-Your selection? (1-10, leave empty to abort): 9
-A fine choice: Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
-(Note: Vikings strictly optional.)
-"""
-        ), "expected clean exit"
-        result = runner.invoke(
-            driver, ["--heading="], input="\n", catch_exceptions=True
-        )
-        assert result.error_exit(error=IndexError), (
-            "expected error exit and known error type"
-        )
-        assert (
-            result.stdout
-            == """\
-[1] Egg and bacon
-[2] Egg, sausage and bacon
-[3] Egg and spam
-[4] Egg, bacon and spam
-[5] Egg, bacon, sausage and spam
-[6] Spam, bacon, sausage and spam
-[7] Spam, egg, spam, spam, bacon and spam
-[8] Spam, spam, spam, egg and spam
-[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
-[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
-Your selection? (1-10, leave empty to abort):\x20
-"""
-        ), "expected known output"
-        # click.testing.CliRunner on click < 8.2.1 incorrectly mocks the
-        # click prompting machinery, meaning that the mixed output will
-        # incorrectly contain a line break, contrary to what the
-        # documentation for click.prompt prescribes.
-        result = runner.invoke(
-            driver, ["--heading="], input="", catch_exceptions=True
-        )
-        assert result.error_exit(error=IndexError), (
-            "expected error exit and known error type"
-        )
-        assert result.stdout in {
-            """\
-[1] Egg and bacon
-[2] Egg, sausage and bacon
-[3] Egg and spam
-[4] Egg, bacon and spam
-[5] Egg, bacon, sausage and spam
-[6] Spam, bacon, sausage and spam
-[7] Spam, egg, spam, spam, bacon and spam
-[8] Spam, spam, spam, egg and spam
-[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
-[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
-Your selection? (1-10, leave empty to abort):\x20
-""",
-            """\
-[1] Egg and bacon
-[2] Egg, sausage and bacon
-[3] Egg and spam
-[4] Egg, bacon and spam
-[5] Egg, bacon, sausage and spam
-[6] Spam, bacon, sausage and spam
-[7] Spam, egg, spam, spam, bacon and spam
-[8] Spam, spam, spam, egg and spam
-[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
-[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
-Your selection? (1-10, leave empty to abort): """,
-        }, "expected known output"
-
-    def test_112_prompt_for_selection_single(self) -> None:
-        """[`cli_helpers.prompt_for_selection`][] works in the "single" case."""
-
-        @click.command()
-        @click.option("--item", default="baked beans")
-        @click.argument("prompt")
-        def driver(item: str, prompt: str) -> None:
-            try:
-                cli_helpers.prompt_for_selection(
-                    [item], heading="", single_choice_prompt=prompt
-                )
-            except IndexError:
-                click.echo("Boo.")
-                raise
-            else:
-                click.echo("Great!")
+            def prompt_for_selection(*_args: Any, **_kwargs: Any) -> NoReturn:
+                raise IndexError(cli_helpers.EMPTY_SELECTION)
 
-        runner = machinery.CliRunner(mix_stderr=True)
-        result = runner.invoke(
-            driver, ["Will replace with spam. Confirm, y/n?"], input="y"
-        )
-        assert result.clean_exit(
-            output="""\
-[1] baked beans
-Will replace with spam. Confirm, y/n? y
-Great!
-"""
-        ), "expected clean exit"
-        result = runner.invoke(
-            driver,
-            ['Will replace with spam, okay? (Please say "y" or "n".)'],
-            input="\n",
-        )
-        assert result.error_exit(error=IndexError), (
-            "expected error exit and known error type"
-        )
-        assert (
-            result.stdout
-            == """\
-[1] baked beans
-Will replace with spam, okay? (Please say "y" or "n".):\x20
-Boo.
-"""
-        ), "expected known output"
-        # click.testing.CliRunner on click < 8.2.1 incorrectly mocks the
-        # click prompting machinery, meaning that the mixed output will
-        # incorrectly contain a line break, contrary to what the
-        # documentation for click.prompt prescribes.
-        result = runner.invoke(
-            driver,
-            ['Will replace with spam, okay? (Please say "y" or "n".)'],
-            input="",
-        )
-        assert result.error_exit(error=IndexError), (
-            "expected error exit and known error type"
-        )
-        assert result.stdout in {
-            """\
-[1] baked beans
-Will replace with spam, okay? (Please say "y" or "n".):\x20
-Boo.
-""",
-            """\
-[1] baked beans
-Will replace with spam, okay? (Please say "y" or "n".): Boo.
-""",
-        }, "expected known output"
-
-    def test_113_prompt_for_passphrase(
-        self,
-    ) -> None:
-        """[`cli_helpers.prompt_for_passphrase`][] works."""
-        with pytest.MonkeyPatch.context() as monkeypatch:
             monkeypatch.setattr(
-                click,
-                "prompt",
-                lambda *a, **kw: json.dumps({"args": a, "kwargs": kw}),
-            )
-            res = json.loads(cli_helpers.prompt_for_passphrase())
-        err_msg = "missing arguments to passphrase prompt"
-        assert "args" in res, err_msg
-        assert "kwargs" in res, err_msg
-        assert res["args"][:1] == ["Passphrase"], err_msg
-        assert res["kwargs"].get("default") == "", err_msg
-        assert not res["kwargs"].get("show_default", True), err_msg
-        assert res["kwargs"].get("err"), err_msg
-        assert res["kwargs"].get("hide_input"), err_msg
-
-    def test_120_standard_logging_context_manager(
-        self,
-        caplog: pytest.LogCaptureFixture,
-        capsys: pytest.CaptureFixture[str],
-    ) -> None:
-        """The standard logging context manager works.
-
-        It registers its handlers, once, and emits formatted calls to
-        standard error prefixed with the program name.
-
-        """
-        prog_name = cli_machinery.StandardCLILogging.prog_name
-        package_name = cli_machinery.StandardCLILogging.package_name
-        logger = logging.getLogger(package_name)
-        deprecation_logger = logging.getLogger(f"{package_name}.deprecation")
-        logging_cm = cli_machinery.StandardCLILogging.ensure_standard_logging()
-        with logging_cm:
-            assert (
-                sum(
-                    1
-                    for h in logger.handlers
-                    if h is cli_machinery.StandardCLILogging.cli_handler
-                )
-                == 1
-            )
-            logger.warning("message 1")
-            with logging_cm:
-                deprecation_logger.warning("message 2")
-                assert (
-                    sum(
-                        1
-                        for h in logger.handlers
-                        if h is cli_machinery.StandardCLILogging.cli_handler
-                    )
-                    == 1
-                )
-                assert capsys.readouterr() == (
-                    "",
-                    (
-                        f"{prog_name}: Warning: message 1\n"
-                        f"{prog_name}: Deprecation warning: message 2\n"
-                    ),
-                )
-            logger.warning("message 3")
-            assert (
-                sum(
-                    1
-                    for h in logger.handlers
-                    if h is cli_machinery.StandardCLILogging.cli_handler
+                cli_helpers, "prompt_for_selection", prompt_for_selection
             )
-                == 1
+            # Also patch the list of suitable SSH keys, lest we be at
+            # the mercy of whatever SSH agent may be running.
+            monkeypatch.setattr(
+                cli_helpers,
+                "get_suitable_ssh_keys",
+                callables.suitable_ssh_keys,
             )
-            assert capsys.readouterr() == (
-                "",
-                f"{prog_name}: Warning: message 3\n",
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
             )
-            assert caplog.record_tuples == [
-                (package_name, logging.WARNING, "message 1"),
-                (f"{package_name}.deprecation", logging.WARNING, "message 2"),
-                (package_name, logging.WARNING, "message 3"),
-            ]
-
-    def test_121_standard_logging_warnings_context_manager(
-        self,
-        caplog: pytest.LogCaptureFixture,
-        capsys: pytest.CaptureFixture[str],
-    ) -> None:
-        """The standard warnings logging context manager works.
-
-        It registers its handlers, once, and emits formatted calls to
-        standard error prefixed with the program name.  It also adheres
-        to the global warnings filter concerning which messages it
-        actually emits to standard error.
-
-        """
-        warnings_cm = (
-            cli_machinery.StandardCLILogging.ensure_standard_warnings_logging()
+        assert result.error_exit(error="the user aborted the request"), (
+            "expected error exit and known error message"
         )
-        THE_FUTURE = "the future will be here sooner than you think"  # noqa: N806
-        JUST_TESTING = "just testing whether warnings work"  # noqa: N806
-        with warnings_cm:
-            assert (
-                sum(
-                    1
-                    for h in logging.getLogger("py.warnings").handlers
-                    if h is cli_machinery.StandardCLILogging.warnings_handler
-                )
-                == 1
-            )
-            warnings.warn(UserWarning(JUST_TESTING), stacklevel=1)
-            with warnings_cm:
-                warnings.warn(FutureWarning(THE_FUTURE), stacklevel=1)
-                _out, err = capsys.readouterr()
-                err_lines = err.splitlines(True)
-                assert any(
-                    f"UserWarning: {JUST_TESTING}" in line
-                    for line in err_lines
-                )
-                assert any(
-                    f"FutureWarning: {THE_FUTURE}" in line
-                    for line in err_lines
-                )
-            warnings.warn(UserWarning(JUST_TESTING), stacklevel=1)
-            _out, err = capsys.readouterr()
-            err_lines = err.splitlines(True)
-            assert any(
-                f"UserWarning: {JUST_TESTING}" in line for line in err_lines
-            )
-            assert not any(
-                f"FutureWarning: {THE_FUTURE}" in line for line in err_lines
-            )
-            record_tuples = caplog.record_tuples
-            assert [tup[:2] for tup in record_tuples] == [
-                ("py.warnings", logging.WARNING),
-                ("py.warnings", logging.WARNING),
-                ("py.warnings", logging.WARNING),
-            ]
-            assert f"UserWarning: {JUST_TESTING}" in record_tuples[0][2]
-            assert f"FutureWarning: {THE_FUTURE}" in record_tuples[1][2]
-            assert f"UserWarning: {JUST_TESTING}" in record_tuples[2][2]
 
-    def export_as_sh_helper(
+    def test_225b_store_config_fail_manual_no_ssh_agent(
         self,
-        config: Any,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """Emits a config in sh(1) format, then reads it back to verify it.
-
-        This function exports the configuration, sets up a new
-        enviroment, then calls
-        [`vault_config_exporter_shell_interpreter`][] on the export
-        script, verifying that each command ran successfully and that
-        the final configuration matches the initial one.
-
-        Args:
-            config:
-                The configuration to emit and read back.
-
-        """
-        prog_name_list = ("derivepassphrase", "vault")
-        with io.StringIO() as outfile:
-            cli_helpers.print_config_as_sh_script(
-                config, outfile=outfile, prog_name_list=prog_name_list
-            )
-            script = outfile.getvalue()
+        """Not running an SSH agent during `--config --key` fails."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5113,266 +2343,25 @@ Will replace with spam, okay? (Please say "y" or "n".): Boo.
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
-            for result in vault_config_exporter_shell_interpreter(script):
-                assert result.clean_exit()
-            assert cli_helpers.load_config() == config
-
-    @hypothesis.given(
-        global_config_settable=hypothesis_machinery.vault_full_service_config(),
-        global_config_importable=strategies.fixed_dictionaries(
-            {},
-            optional={
-                "key": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=128,
-                ),
-                "phrase": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=64,
-                ),
-            },
-        ),
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
-    def test_130a_export_as_sh_global(
-        self,
-        global_config_settable: _types.VaultConfigServicesSettings,
-        global_config_importable: _types.VaultConfigServicesSettings,
-    ) -> None:
-        """Exporting configurations as sh(1) script works.
-
-        Here, we check global-only configurations which use both
-        settings settable via `--config` and settings requiring
-        `--import`.
-
-        The actual verification is done by [`export_as_sh_helper`][].
-
-        """
-        config: _types.VaultConfig = {
-            "global": global_config_settable | global_config_importable,
-            "services": {},
-        }
-        assert _types.clean_up_falsy_vault_config_values(config) is not None
-        assert _types.is_vault_config(config)
-        return self.export_as_sh_helper(config)
-
-    @hypothesis.given(
-        global_config_importable=strategies.fixed_dictionaries(
-            {},
-            optional={
-                "key": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=128,
-                ),
-                "phrase": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=64,
-                ),
-            },
-        ),
             )
-    def test_130b_export_as_sh_global_only_imports(
-        self,
-        global_config_importable: _types.VaultConfigServicesSettings,
-    ) -> None:
-        """Exporting configurations as sh(1) script works.
-
-        Here, we check global-only configurations which only use
-        settings requiring `--import`.
-
-        The actual verification is done by [`export_as_sh_helper`][].
-
-        """
-        config: _types.VaultConfig = {
-            "global": global_config_importable,
-            "services": {},
-        }
-        assert _types.clean_up_falsy_vault_config_values(config) is not None
-        assert _types.is_vault_config(config)
-        if not config["global"]:
-            config.pop("global")
-        return self.export_as_sh_helper(config)
-
-    @hypothesis.given(
-        service_name=strategies.text(
-            alphabet=strategies.characters(
-                min_codepoint=32,
-                max_codepoint=126,
-            ),
-            min_size=4,
-            max_size=64,
-        ),
-        service_config_settable=hypothesis_machinery.vault_full_service_config(),
-        service_config_importable=strategies.fixed_dictionaries(
-            {},
-            optional={
-                "key": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=128,
-                ),
-                "phrase": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=64,
-                ),
-                "notes": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                        include_characters=("\n", "\f", "\t"),
-                    ),
-                    max_size=256,
-                ),
-            },
-        ),
+            monkeypatch.delenv("SSH_AUTH_SOCK", raising=False)
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
             )
-    def test_130c_export_as_sh_service(
-        self,
-        service_name: str,
-        service_config_settable: _types.VaultConfigServicesSettings,
-        service_config_importable: _types.VaultConfigServicesSettings,
-    ) -> None:
-        """Exporting configurations as sh(1) script works.
-
-        Here, we check service-only configurations which use both
-        settings settable via `--config` and settings requiring
-        `--import`.
-
-        The actual verification is done by [`export_as_sh_helper`][].
-
-        """
-        config: _types.VaultConfig = {
-            "services": {
-                service_name: (
-                    service_config_settable | service_config_importable
-                ),
-            },
-        }
-        assert _types.clean_up_falsy_vault_config_values(config) is not None
-        assert _types.is_vault_config(config)
-        return self.export_as_sh_helper(config)
-
-    @hypothesis.given(
-        service_name=strategies.text(
-            alphabet=strategies.characters(
-                min_codepoint=32,
-                max_codepoint=126,
-            ),
-            min_size=4,
-            max_size=64,
-        ),
-        service_config_importable=strategies.fixed_dictionaries(
-            {},
-            optional={
-                "key": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=128,
-                ),
-                "phrase": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                    ),
-                    max_size=64,
-                ),
-                "notes": strategies.text(
-                    alphabet=strategies.characters(
-                        min_codepoint=32,
-                        max_codepoint=126,
-                        include_characters=("\n", "\f", "\t"),
-                    ),
-                    max_size=256,
-                ),
-            },
-        ),
+        assert result.error_exit(error="Cannot find any running SSH agent"), (
+            "expected error exit and known error message"
         )
-    def test_130d_export_as_sh_service_only_imports(
-        self,
-        service_name: str,
-        service_config_importable: _types.VaultConfigServicesSettings,
-    ) -> None:
-        """Exporting configurations as sh(1) script works.
-
-        Here, we check service-only configurations which only use
-        settings requiring `--import`.
-
-        The actual verification is done by [`export_as_sh_helper`][].
-
-        """
-        config: _types.VaultConfig = {
-            "services": {
-                service_name: service_config_importable,
-            },
-        }
-        assert _types.clean_up_falsy_vault_config_values(config) is not None
-        assert _types.is_vault_config(config)
-        return self.export_as_sh_helper(config)
 
-    # The Annoying OS appears to silently truncate spaces at the end of
-    # filenames.
-    @hypothesis.given(
-        env_var=strategies.sampled_from(["TMPDIR", "TEMP", "TMP"]),
-        suffix=strategies.builds(
-            operator.add,
-            strategies.text(
-                tuple(" 0123456789abcdefghijklmnopqrstuvwxyz"),
-                min_size=11,
-                max_size=11,
-            ),
-            strategies.text(
-                tuple("0123456789abcdefghijklmnopqrstuvwxyz"),
-                min_size=1,
-                max_size=1,
-            ),
-        ),
-    )
-    @hypothesis.example(env_var="", suffix=".")
-    def test_140a_get_tempdir(
+    def test_225c_store_config_fail_manual_bad_ssh_agent_connection(
         self,
-        env_var: str,
-        suffix: str,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """[`cli_helpers.get_tempdir`][] returns a temporary directory.
-
-        If it is not the same as the temporary directory determined by
-        [`tempfile.gettempdir`][], then assert that
-        `tempfile.gettempdir` returned the current directory and
-        `cli_helpers.get_tempdir` returned the configuration directory.
-
-        """
-
-        @contextlib.contextmanager
-        def make_temporary_directory(
-            path: pathlib.Path,
-        ) -> Iterator[pathlib.Path]:
-            try:
-                path.mkdir()
-                yield path
-            finally:
-                shutil.rmtree(path)
-
+        """Not running a reachable SSH agent during `--config --key` fails."""
+        running_ssh_agent.require_external_address()
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5383,43 +2372,26 @@ Will replace with spam, okay? (Please say "y" or "n".): Boo.
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
+                )
+            )
+            cwd = pathlib.Path.cwd().resolve()
+            monkeypatch.setenv("SSH_AUTH_SOCK", str(cwd))
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
             )
+        assert result.error_exit(error="Cannot connect to the SSH agent"), (
+            "expected error exit and known error message"
         )
-            old_tempdir = os.fsdecode(tempfile.gettempdir())
-            monkeypatch.delenv("TMPDIR", raising=False)
-            monkeypatch.delenv("TEMP", raising=False)
-            monkeypatch.delenv("TMP", raising=False)
-            monkeypatch.setattr(tempfile, "tempdir", None)
-            temp_path = pathlib.Path.cwd() / suffix
-            if env_var:
-                monkeypatch.setenv(env_var, os.fsdecode(temp_path))
-                stack.enter_context(make_temporary_directory(temp_path))
-            new_tempdir = os.fsdecode(tempfile.gettempdir())
-            hypothesis.assume(
-                temp_path.resolve() == pathlib.Path.cwd().resolve()
-                or old_tempdir != new_tempdir
-            )
-            system_tempdir = os.fsdecode(tempfile.gettempdir())
-            our_tempdir = cli_helpers.get_tempdir()
-            assert system_tempdir == os.fsdecode(our_tempdir) or (
-                # TODO(the-13th-letter): `pytest_machinery.isolated_config`
-                # guarantees that `Path.cwd() == config_filename(None)`.
-                # So this sub-branch ought to never trigger in our
-                # tests.
-                system_tempdir == os.getcwd()  # noqa: PTH109
-                and our_tempdir == cli_helpers.config_filename(subsystem=None)
-            )
-        assert not temp_path.exists(), f"temp path {temp_path} not cleaned up!"
-
-    def test_140b_get_tempdir_force_default(self) -> None:
-        """[`cli_helpers.get_tempdir`][] returns a temporary directory.
-
-        If all candidates are mocked to fail for the standard temporary
-        directory choices, then we return the `derivepassphrase`
-        configuration directory.
 
-        """
+    @Parametrize.TRY_RACE_FREE_IMPLEMENTATION
+    def test_225d_store_config_fail_manual_read_only_file(
+        self,
+        try_race_free_implementation: bool,
+    ) -> None:
+        """Using a read-only configuration file with `--config` fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5430,51 +2402,26 @@ Will replace with spam, okay? (Please say "y" or "n".): Boo.
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"services": {}},
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
-            monkeypatch.delenv("TMPDIR", raising=False)
-            monkeypatch.delenv("TEMP", raising=False)
-            monkeypatch.delenv("TMP", raising=False)
-            config_dir = cli_helpers.config_filename(subsystem=None)
-
-            def is_dir_false(
-                self: pathlib.Path,
-                /,
-                *,
-                follow_symlinks: bool = False,
-            ) -> bool:
-                del self, follow_symlinks
-                return False
-
-            def is_dir_error(
-                self: pathlib.Path,
-                /,
-                *,
-                follow_symlinks: bool = False,
-            ) -> bool:
-                del follow_symlinks
-                raise OSError(
-                    errno.EACCES,
-                    os.strerror(errno.EACCES),
-                    str(self),
+            callables.make_file_readonly(
+                cli_helpers.config_filename(subsystem="vault"),
+                try_race_free_implementation=try_race_free_implementation,
+            )
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--config", "--length=15", "--", DUMMY_SERVICE],
+                catch_exceptions=False,
+            )
+        assert result.error_exit(error="Cannot store vault settings:"), (
+            "expected error exit and known error message"
         )
 
-            monkeypatch.setattr(pathlib.Path, "is_dir", is_dir_false)
-            assert cli_helpers.get_tempdir() == config_dir
-
-            monkeypatch.setattr(pathlib.Path, "is_dir", is_dir_error)
-            assert cli_helpers.get_tempdir() == config_dir
-
-    @Parametrize.DELETE_CONFIG_INPUT
-    def test_203_repeated_config_deletion(
+    def test_225e_store_config_fail_manual_custom_error(
         self,
-        command_line: list[str],
-        config: _types.VaultConfig,
-        result_config: _types.VaultConfig,
     ) -> None:
-        """Repeatedly removing the same parts of a configuration works."""
-        for start_config in [config, result_config]:
+        """OS-erroring with `--config` fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5485,149 +2432,29 @@ Will replace with spam, okay? (Please say "y" or "n".): Boo.
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                        vault_config=start_config,
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
+            custom_error = "custom error message"
+
+            def raiser(config: Any) -> None:
+                del config
+                raise RuntimeError(custom_error)
+
+            monkeypatch.setattr(cli_helpers, "save_config", raiser)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                    command_line,
+                ["--config", "--length=15", "--", DUMMY_SERVICE],
                 catch_exceptions=False,
             )
-                assert result.clean_exit(empty_stderr=True), (
-                    "expected clean exit"
-                )
-                with cli_helpers.config_filename(subsystem="vault").open(
-                    encoding="UTF-8"
-                ) as infile:
-                    config_readback = json.load(infile)
-                assert config_readback == result_config
-
-    def test_204_phrase_from_key_manually(self) -> None:
-        """The dummy service, key and config settings are consistent."""
-        assert (
-            vault.Vault(
-                phrase=DUMMY_PHRASE_FROM_KEY1, **DUMMY_CONFIG_SETTINGS
-            ).generate(DUMMY_SERVICE)
-            == DUMMY_RESULT_KEY1
-        )
-
-    @Parametrize.VALIDATION_FUNCTION_INPUT
-    def test_210a_validate_constraints_manually(
-        self,
-        vfunc: Callable[[click.Context, click.Parameter, Any], int | None],
-        input: int,
-    ) -> None:
-        """Command-line argument constraint validation works."""
-        ctx = cli.derivepassphrase_vault.make_context(cli.PROG_NAME, [])
-        param = cli.derivepassphrase_vault.params[0]
-        assert vfunc(ctx, param, input) == input
-
-    @Parametrize.CONNECTION_HINTS
-    def test_227_get_suitable_ssh_keys(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-        conn_hint: str,
-    ) -> None:
-        """[`cli_helpers.get_suitable_ssh_keys`][] works."""
-        with pytest.MonkeyPatch.context() as monkeypatch:
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient,
-                "list_keys",
-                callables.list_keys,
+        assert result.error_exit(error=custom_error), (
+            "expected error exit and known error message"
         )
-            hint: ssh_agent.SSHAgentClient | _types.SSHAgentSocket | None
-            # TODO(the-13th-letter): Rewrite using structural pattern
-            # matching.
-            # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-            if conn_hint == "client":
-                hint = ssh_agent.SSHAgentClient()
-            elif conn_hint == "socket":
-                if isinstance(
-                    running_ssh_agent.socket, str
-                ):  # pragma: no cover
-                    if not hasattr(socket, "AF_UNIX"):
-                        pytest.skip("socket module does not support AF_UNIX")
-                    # socket.AF_UNIX is not defined everywhere.
-                    hint = socket.socket(family=socket.AF_UNIX)  # type: ignore[attr-defined]
-                    hint.connect(running_ssh_agent.socket)
-                else:  # pragma: no cover
-                    hint = running_ssh_agent.socket()
-            else:
-                assert conn_hint == "none"
-                hint = None
-            exception: Exception | None = None
-            try:
-                list(cli_helpers.get_suitable_ssh_keys(hint))
-            except RuntimeError:  # pragma: no cover
-                pass
-            except Exception as e:  # noqa: BLE001 # pragma: no cover
-                exception = e
-            finally:
-                assert exception is None, (
-                    "exception querying suitable SSH keys"
-                )
-
-    @Parametrize.KEY_TO_PHRASE_SETTINGS
-    def test_400_key_to_phrase(
-        self,
-        ssh_agent_client_with_test_keys_loaded: ssh_agent.SSHAgentClient,
-        list_keys_action: ListKeysAction | None,
-        system_support_action: SystemSupportAction | None,
-        address_action: SocketAddressAction | None,
-        sign_action: SignAction,
-        pattern: str,
-    ) -> None:
-        """All errors in [`cli_helpers.key_to_phrase`][] are handled."""
-
-        class ErrCallback(BaseException):
-            def __init__(self, *args: Any, **kwargs: Any) -> None:
-                super().__init__(*args[:1])
-                self.args = args
-                self.kwargs = kwargs
 
-        def err(*args: Any, **_kwargs: Any) -> NoReturn:
-            raise ErrCallback(*args, **_kwargs)
-
-        with pytest.MonkeyPatch.context() as monkeypatch:
-            loaded_keys = list(
-                ssh_agent_client_with_test_keys_loaded.list_keys()
-            )
-            loaded_key = base64.standard_b64encode(loaded_keys[0][0])
-            monkeypatch.setattr(ssh_agent.SSHAgentClient, "sign", sign_action)
-            if list_keys_action:
-                monkeypatch.setattr(
-                    ssh_agent.SSHAgentClient, "list_keys", list_keys_action
-                )
-            if address_action:
-                address_action(monkeypatch)
-            if system_support_action:
-                system_support_action(monkeypatch)
-            with pytest.raises(ErrCallback, match=pattern) as excinfo:
-                cli_helpers.key_to_phrase(loaded_key, error_callback=err)
-            if list_keys_action == ListKeysAction.FAIL_RUNTIME:
-                assert excinfo.value.kwargs
-                assert isinstance(
-                    excinfo.value.kwargs["exc_info"],
-                    ssh_agent.SSHAgentFailedError,
-                )
-                assert excinfo.value.kwargs["exc_info"].__context__ is not None
-                assert isinstance(
-                    excinfo.value.kwargs["exc_info"].__context__,
-                    ssh_agent.TrailingDataError,
-                )
-
-
-# TODO(the-13th-letter): Remove this class in v1.0.
-# https://the13thletter.info/derivepassphrase/latest/upgrade-notes/#upgrading-to-v1.0
-class TestCLITransition:
-    """Transition tests for the command-line interface up to v1.0."""
-
-    @Parametrize.BASE_CONFIG_VARIATIONS
-    def test_110_load_config_backup(
+    def test_225f_store_config_fail_unset_and_set_same_settings(
         self,
-        config: Any,
     ) -> None:
-        """Loading the old settings file works."""
+        """Issuing conflicting settings to `--config` fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5635,22 +2462,33 @@ class TestCLITransition:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
+                )
             )
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                [
+                    "--config",
+                    "--unset=length",
+                    "--length=15",
+                    "--",
+                    DUMMY_SERVICE,
+                ],
+                catch_exceptions=False,
             )
-            cli_helpers.config_filename(
-                subsystem="old settings.json"
-            ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
-            assert cli_helpers.migrate_and_load_old_config()[0] == config
+        assert result.error_exit(
+            error="Attempted to unset and set --length at the same time."
+        ), "expected error exit and known error message"
 
-    @Parametrize.BASE_CONFIG_VARIATIONS
-    def test_111_migrate_config(
+    def test_225g_store_config_fail_manual_ssh_agent_no_keys_loaded(
         self,
-        config: Any,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """Migrating the old settings file works."""
+        """Not holding any SSH keys during `--config --key` fails."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5658,22 +2496,35 @@ class TestCLITransition:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
+                )
+            )
+
+            def func(
+                *_args: Any,
+                **_kwargs: Any,
+            ) -> list[_types.SSHKeyCommentPair]:
+                return []
+
+            monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", func)
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
             )
+        assert result.error_exit(error="no keys suitable"), (
+            "expected error exit and known error message"
         )
-            cli_helpers.config_filename(
-                subsystem="old settings.json"
-            ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
-            assert cli_helpers.migrate_and_load_old_config() == (config, None)
 
-    @Parametrize.BASE_CONFIG_VARIATIONS
-    def test_112_migrate_config_error(
+    def test_225h_store_config_fail_manual_ssh_agent_runtime_error(
         self,
-        config: Any,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """Migrating the old settings file atop a directory fails."""
+        """The SSH agent erroring during `--config --key` fails."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5681,29 +2532,32 @@ class TestCLITransition:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
-            cli_helpers.config_filename(
-                subsystem="old settings.json"
-            ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
-            cli_helpers.config_filename(subsystem="vault").mkdir(
-                parents=True, exist_ok=True
+
+            def raiser(*_args: Any, **_kwargs: Any) -> None:
+                raise ssh_agent.TrailingDataError()
+
+            monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", raiser)
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
             )
-            config2, err = cli_helpers.migrate_and_load_old_config()
-            assert config2 == config
-            assert isinstance(err, OSError)
-            # The Annoying OS uses EEXIST, other OSes use EISDIR.
-            assert err.errno in {errno.EISDIR, errno.EEXIST}
+        assert result.error_exit(
+            error="violates the communication protocol."
+        ), "expected error exit and known error message"
 
-    @Parametrize.BAD_CONFIGS
-    def test_113_migrate_config_error_bad_config_value(
+    def test_225i_store_config_fail_manual_ssh_agent_refuses(
         self,
-        config: Any,
+        running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """Migrating an invalid old settings file fails."""
+        """The SSH agent refusing during `--config --key` fails."""
+        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5711,25 +2565,30 @@ class TestCLITransition:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
             )
-            cli_helpers.config_filename(
-                subsystem="old settings.json"
-            ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
-            with pytest.raises(
-                ValueError, match=cli_helpers.INVALID_VAULT_CONFIG
-            ):
-                cli_helpers.migrate_and_load_old_config()
 
-    def test_200_forward_export_vault_path_parameter(
-        self,
-        caplog: pytest.LogCaptureFixture,
-    ) -> None:
-        """Forwarding arguments from "export" to "export vault" works."""
-        pytest.importorskip("cryptography", minversion="38.0")
+            def func(*_args: Any, **_kwargs: Any) -> NoReturn:
+                raise ssh_agent.SSHAgentFailedError(
+                    _types.SSH_AGENT.FAILURE, b""
+                )
+
+            monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", func)
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
+            )
+        assert result.error_exit(error="refused to"), (
+            "expected error exit and known error message"
+        )
+
+    def test_226_no_arguments(self) -> None:
+        """Calling `derivepassphrase vault` without any arguments fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5737,33 +2596,22 @@ class TestCLITransition:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_vault_exporter_config(
+                pytest_machinery.isolated_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=data.VAULT_V03_CONFIG,
-                    vault_key=data.VAULT_MASTER_KEY,
                 )
             )
-            monkeypatch.setenv("VAULT_KEY", data.VAULT_MASTER_KEY)
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["export", "VAULT_PATH"],
-            )
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert machinery.deprecation_warning_emitted(
-            "A subcommand will be required here in v1.0", caplog.record_tuples
-        )
-        assert machinery.deprecation_warning_emitted(
-            'Defaulting to subcommand "vault"', caplog.record_tuples
+                cli.derivepassphrase_vault, [], catch_exceptions=False
             )
-        assert json.loads(result.stdout) == data.VAULT_V03_CONFIG_DATA
+        assert result.error_exit(
+            error="Deriving a passphrase requires a SERVICE"
+        ), "expected error exit and known error message"
 
-    def test_201_forward_export_vault_empty_commandline(
+    def test_226a_no_passphrase_or_key(
         self,
-        caplog: pytest.LogCaptureFixture,
     ) -> None:
-        """Deferring from "export" to "export vault" works."""
-        pytest.importorskip("cryptography", minversion="38.0")
+        """Deriving a passphrase without a passphrase or key fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5777,28 +2625,24 @@ class TestCLITransition:
                 )
             )
             result = runner.invoke(
-                cli.derivepassphrase,
-                ["export"],
-            )
-        assert machinery.deprecation_warning_emitted(
-            "A subcommand will be required here in v1.0", caplog.record_tuples
-        )
-        assert machinery.deprecation_warning_emitted(
-            'Defaulting to subcommand "vault"', caplog.record_tuples
+                cli.derivepassphrase_vault,
+                ["--", DUMMY_SERVICE],
+                catch_exceptions=False,
             )
-        assert result.error_exit(error="Missing argument 'PATH'"), (
-            "expected error exit and known error type"
+        assert result.error_exit(error="No passphrase or key was given"), (
+            "expected error exit and known error message"
         )
 
-    @Parametrize.CHARSET_NAME
-    def test_210_forward_vault_disable_character_set(
+    def test_230_config_directory_nonexistant(
         self,
-        caplog: pytest.LogCaptureFixture,
-        charset_name: str,
     ) -> None:
-        """Forwarding arguments from top-level to "vault" works."""
-        option = f"--{charset_name}"
-        charset = vault.Vault.CHARSETS[charset_name].decode("ascii")
+        """Running without an existing config directory works.
+
+        This is a regression test; see [issue\u00a0#6][] for context.
+
+        [issue #6]: https://github.com/the-13th-letter/derivepassphrase/issues/6
+
+        """
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5811,34 +2655,40 @@ class TestCLITransition:
                     runner=runner,
                 )
             )
-            monkeypatch.setattr(
-                cli_helpers,
-                "prompt_for_passphrase",
-                callables.auto_prompt,
-            )
+            with contextlib.suppress(FileNotFoundError):
+                shutil.rmtree(cli_helpers.config_filename(subsystem=None))
             result = runner.invoke(
-                cli.derivepassphrase,
-                [option, "0", "-p", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
+                cli.derivepassphrase_vault,
+                ["--config", "-p"],
                 catch_exceptions=False,
+                input="abc\n",
             )
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert machinery.deprecation_warning_emitted(
-            "A subcommand will be required here in v1.0", caplog.record_tuples
-        )
-        assert machinery.deprecation_warning_emitted(
-            'Defaulting to subcommand "vault"', caplog.record_tuples
-        )
-        for c in charset:
-            assert c not in result.stdout, (
-                f"derived password contains forbidden character {c!r}"
+            assert result.clean_exit(), "expected clean exit"
+            assert result.stderr == "Passphrase:", (
+                "program unexpectedly failed?!"
             )
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config_readback = json.load(infile)
+            assert config_readback == {
+                "global": {"phrase": "abc"},
+                "services": {},
+            }, "config mismatch"
+
+    def test_230a_config_directory_not_a_file(
+        self,
+    ) -> None:
+        """Erroring without an existing config directory errors normally.
+
+        That is, the missing configuration directory does not cause any
+        errors by itself.
+
+        This is a regression test; see [issue\u00a0#6][] for context.
 
-    def test_211_forward_vault_empty_command_line(
-        self,
-        caplog: pytest.LogCaptureFixture,
-    ) -> None:
-        """Deferring from top-level to "vault" works."""
+        [issue #6]: https://github.com/the-13th-letter/derivepassphrase/issues/6
+
+        """
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5851,28 +2701,33 @@ class TestCLITransition:
                     runner=runner,
                 )
             )
+            save_config_ = cli_helpers.save_config
+
+            def obstruct_config_saving(*args: Any, **kwargs: Any) -> Any:
+                config_dir = cli_helpers.config_filename(subsystem=None)
+                with contextlib.suppress(FileNotFoundError):
+                    shutil.rmtree(config_dir)
+                config_dir.write_text("Obstruction!!\n")
+                monkeypatch.setattr(cli_helpers, "save_config", save_config_)
+                return save_config_(*args, **kwargs)
+
+            monkeypatch.setattr(
+                cli_helpers, "save_config", obstruct_config_saving
+            )
             result = runner.invoke(
-                cli.derivepassphrase,
-                [],
-                input=DUMMY_PASSPHRASE,
+                cli.derivepassphrase_vault,
+                ["--config", "-p"],
                 catch_exceptions=False,
+                input="abc\n",
             )
-        assert machinery.deprecation_warning_emitted(
-            "A subcommand will be required here in v1.0", caplog.record_tuples
-        )
-        assert machinery.deprecation_warning_emitted(
-            'Defaulting to subcommand "vault"', caplog.record_tuples
+            assert result.error_exit(error="Cannot store vault settings:"), (
+                "expected error exit and known error message"
             )
-        assert result.error_exit(
-            error="Deriving a passphrase requires a SERVICE."
-        ), "expected error exit and known error type"
 
-    def test_300_export_using_old_config_file(
+    def test_230b_store_config_custom_error(
         self,
-        caplog: pytest.LogCaptureFixture,
     ) -> None:
-        """Exporting from (and migrating) the old settings file works."""
-        caplog.set_level(logging.INFO)
+        """Storing the configuration reacts even to weird errors."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5885,34 +2740,33 @@ class TestCLITransition:
                     runner=runner,
                 )
             )
-            cli_helpers.config_filename(
-                subsystem="old settings.json"
-            ).write_text(
-                json.dumps(
-                    {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}},
-                    indent=2,
-                )
-                + "\n",
-                encoding="UTF-8",
-            )
+            custom_error = "custom error message"
+
+            def raiser(config: Any) -> None:
+                del config
+                raise RuntimeError(custom_error)
+
+            monkeypatch.setattr(cli_helpers, "save_config", raiser)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--export", "-"],
+                ["--config", "-p"],
                 catch_exceptions=False,
+                input="abc\n",
+            )
+            assert result.error_exit(error=custom_error), (
+                "expected error exit and known error message"
             )
-        assert result.clean_exit(), "expected clean exit"
-        assert machinery.deprecation_warning_emitted(
-            "v0.1-style config file", caplog.record_tuples
-        ), "expected known warning message in stderr"
-        assert machinery.deprecation_info_emitted(
-            "Successfully migrated to ", caplog.record_tuples
-        ), "expected known warning message in stderr"
 
-    def test_300a_export_using_old_config_file_migration_error(
+    @Parametrize.UNICODE_NORMALIZATION_WARNING_INPUTS
+    def test_300_unicode_normalization_form_warning(
         self,
         caplog: pytest.LogCaptureFixture,
+        main_config: str,
+        command_line: list[str],
+        input: str | None,
+        warning_message: str,
     ) -> None:
-        """Exporting from (and not migrating) the old settings file fails."""
+        """Using unnormalized Unicode passphrases warns."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5920,49 +2774,37 @@ class TestCLITransition:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config={
+                        "services": {
+                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
+                        }
+                    },
+                    main_config_str=main_config,
                 )
             )
-            cli_helpers.config_filename(
-                subsystem="old settings.json"
-            ).write_text(
-                json.dumps(
-                    {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}},
-                    indent=2,
-                )
-                + "\n",
-                encoding="UTF-8",
-            )
-
-            def raiser(*_args: Any, **_kwargs: Any) -> None:
-                raise OSError(
-                    errno.EACCES,
-                    os.strerror(errno.EACCES),
-                    cli_helpers.config_filename(subsystem="vault"),
-                )
-
-            monkeypatch.setattr(os, "replace", raiser)
-            monkeypatch.setattr(pathlib.Path, "rename", raiser)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--export", "-"],
+                ["--debug", *command_line],
                 catch_exceptions=False,
+                input=input,
             )
         assert result.clean_exit(), "expected clean exit"
-        assert machinery.deprecation_warning_emitted(
-            "v0.1-style config file", caplog.record_tuples
-        ), "expected known warning message in stderr"
         assert machinery.warning_emitted(
-            "Failed to migrate to ", caplog.record_tuples
+            warning_message, caplog.record_tuples
         ), "expected known warning message in stderr"
 
-    def test_400_completion_service_name_old_config_file(
+    @Parametrize.UNICODE_NORMALIZATION_ERROR_INPUTS
+    def test_301_unicode_normalization_form_error(
         self,
+        main_config: str,
+        command_line: list[str],
+        input: str | None,
+        error_message: str,
     ) -> None:
-        """Completing service names from the old settings file works."""
-        config = {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}}
+        """Using unknown Unicode normalization forms fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -5973,138 +2815,33 @@ class TestCLITransition:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
-                )
+                    vault_config={
+                        "services": {
+                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
+                        }
+                    },
+                    main_config_str=main_config,
                 )
-            old_name = cli_helpers.config_filename(
-                subsystem="old settings.json"
             )
-            new_name = cli_helpers.config_filename(subsystem="vault")
-            old_name.unlink(missing_ok=True)
-            new_name.rename(old_name)
-            assert cli_helpers.shell_complete_service(
-                click.Context(cli.derivepassphrase),
-                click.Argument(["some_parameter"]),
-                "",
-            ) == [DUMMY_SERVICE]
-
-
-def completion_item(
-    item: str | click.shell_completion.CompletionItem,
-) -> click.shell_completion.CompletionItem:
-    """Convert a string to a completion item, if necessary."""
-    return (
-        click.shell_completion.CompletionItem(item, type="plain")
-        if isinstance(item, str)
-        else item
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                command_line,
+                catch_exceptions=False,
+                input=input,
             )
-
-
-def assertable_item(
-    item: str | click.shell_completion.CompletionItem,
-) -> tuple[str, Any, str | None]:
-    """Convert a completion item into a pretty-printable item.
-
-    Intended to make completion items introspectable in pytest's
-    `assert` output.
-
-    """
-    item = completion_item(item)
-    return (item.type, item.value, item.help)
-
-
-class TestShellCompletion:
-    """Tests for the shell completion machinery."""
-
-    class Completions:
-        """A deferred completion call."""
-
-        def __init__(
-            self,
-            args: Sequence[str],
-            incomplete: str,
-        ) -> None:
-            """Initialize the object.
-
-            Args:
-                args:
-                    The sequence of complete command-line arguments.
-                incomplete:
-                    The final, incomplete, partial argument.
-
-            """
-            self.args = tuple(args)
-            self.incomplete = incomplete
-
-        def __call__(self) -> Sequence[click.shell_completion.CompletionItem]:
-            """Return the completion items."""
-            args = list(self.args)
-            completion = click.shell_completion.ShellComplete(
-                cli=cli.derivepassphrase,
-                ctx_args={},
-                prog_name="derivepassphrase",
-                complete_var="_DERIVEPASSPHRASE_COMPLETE",
-            )
-            return completion.get_completions(args, self.incomplete)
-
-        def get_words(self) -> Sequence[str]:
-            """Return the completion items' values, as a sequence."""
-            return tuple(c.value for c in self())
-
-    @Parametrize.COMPLETABLE_ITEMS
-    def test_100_is_completable_item(
-        self,
-        partial: str,
-        is_completable: bool,
-    ) -> None:
-        """Our `_is_completable_item` predicate for service names works."""
-        assert cli_helpers.is_completable_item(partial) == is_completable
-
-    @Parametrize.COMPLETABLE_OPTIONS
-    def test_200_options(
-        self,
-        command_prefix: Sequence[str],
-        incomplete: str,
-        completions: AbstractSet[str],
-    ) -> None:
-        """Our completion machinery works for all commands' options."""
-        comp = self.Completions(command_prefix, incomplete)
-        assert frozenset(comp.get_words()) == completions
-
-    @Parametrize.COMPLETABLE_SUBCOMMANDS
-    def test_201_subcommands(
-        self,
-        command_prefix: Sequence[str],
-        incomplete: str,
-        completions: AbstractSet[str],
-    ) -> None:
-        """Our completion machinery works for all commands' subcommands."""
-        comp = self.Completions(command_prefix, incomplete)
-        assert frozenset(comp.get_words()) == completions
-
-    @Parametrize.COMPLETABLE_PATH_ARGUMENT
-    @Parametrize.INCOMPLETE
-    def test_202_paths(
-        self,
-        command_prefix: Sequence[str],
-        incomplete: str,
-    ) -> None:
-        """Our completion machinery works for all commands' paths."""
-        file = click.shell_completion.CompletionItem("", type="file")
-        completions = frozenset({(file.type, file.value, file.help)})
-        comp = self.Completions(command_prefix, incomplete)
-        assert (
-            frozenset((x.type, x.value, x.help) for x in comp()) == completions
+        assert result.error_exit(
+            error="The user configuration file is invalid."
+        ), "expected error exit and known error message"
+        assert result.error_exit(error=error_message), (
+            "expected error exit and known error message"
         )
 
-    @Parametrize.COMPLETABLE_SERVICE_NAMES
-    def test_203_service_names(
+    @Parametrize.UNICODE_NORMALIZATION_COMMAND_LINES
+    def test_301a_unicode_normalization_form_error_from_stored_config(
         self,
-        config: _types.VaultConfig,
-        incomplete: str,
-        completions: AbstractSet[str],
+        command_line: list[str],
     ) -> None:
-        """Our completion machinery works for vault service names."""
+        """Using unknown Unicode normalization forms in the config fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -6115,28 +2852,36 @@ class TestShellCompletion:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
+                    vault_config={
+                        "services": {
+                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
+                        }
+                    },
+                    main_config_str=(
+                        "[vault]\ndefault-unicode-normalization-form = 'XXX'\n"
+                    ),
+                )
             )
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                command_line,
+                input=DUMMY_PASSPHRASE,
+                catch_exceptions=False,
             )
-            comp = self.Completions(["vault"], incomplete)
-            assert frozenset(comp.get_words()) == completions
+            assert result.error_exit(
+                error="The user configuration file is invalid."
+            ), "expected error exit and known error message"
+            assert result.error_exit(
+                error=(
+                    "Invalid value 'XXX' for config key "
+                    "vault.default-unicode-normalization-form"
+                ),
+            ), "expected error exit and known error message"
 
-    @Parametrize.SHELL_FORMATTER
-    @Parametrize.COMPLETION_FUNCTION_INPUTS
-    def test_300_shell_completion_formatting(
+    def test_310_bad_user_config_file(
         self,
-        shell: str,
-        format_func: Callable[[click.shell_completion.CompletionItem], str],
-        config: _types.VaultConfig,
-        comp_func: Callable[
-            [click.Context, click.Parameter, str],
-            list[str | click.shell_completion.CompletionItem],
-        ],
-        args: list[str],
-        incomplete: str,
-        results: list[str | click.shell_completion.CompletionItem],
     ) -> None:
-        """Custom completion functions work for all shells."""
+        """Loading a user configuration file in an invalid format fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -6147,58 +2892,24 @@ class TestShellCompletion:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
-                )
-            )
-            expected_items = [assertable_item(item) for item in results]
-            expected_string = "\n".join(
-                format_func(completion_item(item)) for item in results
-            )
-            manual_raw_items = comp_func(
-                click.Context(cli.derivepassphrase),
-                click.Argument(["sample_parameter"]),
-                incomplete,
-            )
-            manual_items = [assertable_item(item) for item in manual_raw_items]
-            manual_string = "\n".join(
-                format_func(completion_item(item)) for item in manual_raw_items
+                    vault_config={"services": {}},
+                    main_config_str="This file is not valid TOML.\n",
                 )
-            assert manual_items == expected_items
-            assert manual_string == expected_string
-            comp_class = click.shell_completion.get_completion_class(shell)
-            assert comp_class is not None
-            comp = comp_class(
-                cli.derivepassphrase,
-                {},
-                "derivepassphrase",
-                "_DERIVEPASSPHRASE_COMPLETE",
             )
-            monkeypatch.setattr(
-                comp,
-                "get_completion_args",
-                lambda *_a, **_kw: (args, incomplete),
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--phrase", "--", DUMMY_SERVICE],
+                input=DUMMY_PASSPHRASE,
+                catch_exceptions=False,
             )
-            actual_raw_items = comp.get_completions(
-                *comp.get_completion_args()
+            assert result.error_exit(error="Cannot load user config:"), (
+                "expected error exit and known error message"
             )
-            actual_items = [assertable_item(item) for item in actual_raw_items]
-            actual_string = comp.complete()
-            assert actual_items == expected_items
-            assert actual_string == expected_string
 
-    @Parametrize.CONFIG_SETTING_MODE
-    @Parametrize.SERVICE_NAME_COMPLETION_INPUTS
-    def test_400_incompletable_service_names(
+    def test_311_bad_user_config_is_a_directory(
         self,
-        caplog: pytest.LogCaptureFixture,
-        mode: Literal["config", "import"],
-        config: _types.VaultConfig,
-        key: str,
-        incomplete: str,
-        completions: AbstractSet[str],
     ) -> None:
-        """Completion skips incompletable items."""
-        vault_config = config if mode == "config" else {"services": {}}
+        """Loading a user configuration file in an invalid format fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -6209,37 +2920,30 @@ class TestShellCompletion:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=vault_config,
+                    vault_config={"services": {}},
+                    main_config_str="",
                 )
             )
-            if mode == "config":
-                result = runner.invoke(
-                    cli.derivepassphrase_vault,
-                    ["--config", "--length=10", "--", key],
-                    catch_exceptions=False,
+            user_config = cli_helpers.config_filename(
+                subsystem="user configuration"
             )
-            else:
+            user_config.unlink()
+            user_config.mkdir(parents=True, exist_ok=True)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                    ["--import", "-"],
+                ["--phrase", "--", DUMMY_SERVICE],
+                input=DUMMY_PASSPHRASE,
                 catch_exceptions=False,
-                    input=json.dumps(config),
             )
-            assert result.clean_exit(), "expected clean exit"
-            assert machinery.warning_emitted(
-                "contains an ASCII control character", caplog.record_tuples
-            ), "expected known warning message in stderr"
-            assert machinery.warning_emitted(
-                "not be available for completion", caplog.record_tuples
-            ), "expected known warning message in stderr"
-            assert cli_helpers.load_config() == config
-            comp = self.Completions(["vault"], incomplete)
-            assert frozenset(comp.get_words()) == completions
+            assert result.error_exit(error="Cannot load user config:"), (
+                "expected error exit and known error message"
+            )
 
-    def test_410a_service_name_exceptions_not_found(
+    def test_400_missing_af_unix_support(
         self,
+        caplog: pytest.LogCaptureFixture,
     ) -> None:
-        """Service name completion quietly fails on missing configuration."""
+        """Querying the SSH agent without `AF_UNIX` support fails."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -6250,48 +2954,25 @@ class TestShellCompletion:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={
-                        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
-                    },
-                )
-            )
-            cli_helpers.config_filename(subsystem="vault").unlink(
-                missing_ok=True
+                    vault_config={"global": {"phrase": "abc"}, "services": {}},
                 )
-            assert not cli_helpers.shell_complete_service(
-                click.Context(cli.derivepassphrase),
-                click.Argument(["some_parameter"]),
-                "",
             )
-
-    @Parametrize.SERVICE_NAME_EXCEPTIONS
-    def test_410b_service_name_exceptions_custom_error(
-        self,
-        exc_type: type[Exception],
-    ) -> None:
-        """Service name completion quietly fails on configuration errors."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
-                    },
+            monkeypatch.setenv(
+                "SSH_AUTH_SOCK", "the value doesn't even matter"
             )
+            monkeypatch.setattr(
+                ssh_agent.SSHAgentClient, "SOCKET_PROVIDERS", ["posix"]
             )
-
-            def raiser(*_a: Any, **_kw: Any) -> NoReturn:
-                raise exc_type("just being difficult")  # noqa: EM101,TRY003
-
-            monkeypatch.setattr(cli_helpers, "load_config", raiser)
-            assert not cli_helpers.shell_complete_service(
-                click.Context(cli.derivepassphrase),
-                click.Argument(["some_parameter"]),
-                "",
+            monkeypatch.delattr(socket, "AF_UNIX", raising=False)
+            result = runner.invoke(
+                cli.derivepassphrase_vault,
+                ["--key", "--config"],
+                catch_exceptions=False,
             )
+        assert result.error_exit(
+            error="does not support communicating with it"
+        ), "expected error exit and known error message"
+        assert machinery.warning_emitted(
+            "Cannot connect to an SSH agent via UNIX domain sockets",
+            caplog.record_tuples,
+        ), "expected known warning message in stderr"

tests/test_derivepassphrase_cli/test_all_cli.py

Zeige Datei @ 9ad57b1

...	...	@@ -0,0 +1,771 @@
	1	+# SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>
	2	+#
	3	+# SPDX-License-Identifier: Zlib
	4	+
	5	+from __future__ import annotations
	6	+
	7	+import contextlib
	8	+import enum
	9	+import re
	10	+import types
	11	+
	12	+import exceptiongroup
	13	+import pytest
	14	+from typing_extensions import NamedTuple
	15	+
	16	+from derivepassphrase import _types, cli, ssh_agent
	17	+from derivepassphrase._internals import cli_messages
	18	+from tests import machinery
	19	+from tests.machinery import pytest as pytest_machinery
	20	+
	21	+
	22	+class VersionOutputData(NamedTuple):
	23	+ derivation_schemes: dict[str, bool]
	24	+ foreign_configuration_formats: dict[str, bool]
	25	+ extras: frozenset[str]
	26	+ subcommands: frozenset[str]
	27	+ features: dict[str, bool]
	28	+
	29	+
	30	+class KnownLineType(str, enum.Enum):
	31	+ SUPPORTED_FOREIGN_CONFS = cli_messages.Label.SUPPORTED_FOREIGN_CONFIGURATION_FORMATS.value.singular.rstrip(
	32	+ ":"
	33	+ )
	34	+ UNAVAILABLE_FOREIGN_CONFS = cli_messages.Label.UNAVAILABLE_FOREIGN_CONFIGURATION_FORMATS.value.singular.rstrip(
	35	+ ":"
	36	+ )
	37	+ SUPPORTED_SCHEMES = (
	38	+ cli_messages.Label.SUPPORTED_DERIVATION_SCHEMES.value.singular.rstrip(
	39	+ ":"
	40	+ )
	41	+ )
	42	+ UNAVAILABLE_SCHEMES = cli_messages.Label.UNAVAILABLE_DERIVATION_SCHEMES.value.singular.rstrip(
	43	+ ":"
	44	+ )
	45	+ SUPPORTED_SUBCOMMANDS = (
	46	+ cli_messages.Label.SUPPORTED_SUBCOMMANDS.value.singular.rstrip(":")
	47	+ )
	48	+ SUPPORTED_FEATURES = (
	49	+ cli_messages.Label.SUPPORTED_FEATURES.value.singular.rstrip(":")
	50	+ )
	51	+ UNAVAILABLE_FEATURES = (
	52	+ cli_messages.Label.UNAVAILABLE_FEATURES.value.singular.rstrip(":")
	53	+ )
	54	+ ENABLED_EXTRAS = (
	55	+ cli_messages.Label.ENABLED_PEP508_EXTRAS.value.singular.rstrip(":")
	56	+ )
	57	+
	58	+
	59	+class Parametrize(types.SimpleNamespace):
	60	+ """Common test parametrizations."""
	61	+
	62	+ EAGER_ARGUMENTS = pytest.mark.parametrize(
	63	+ "arguments",
	64	+ [["--help"], ["--version"]],
	65	+ ids=["help", "version"],
	66	+ )
	67	+ COMMAND_NON_EAGER_ARGUMENTS = pytest.mark.parametrize(
	68	+ ["command", "non_eager_arguments"],
	69	+ [
	70	+ pytest.param(
	71	+ [],
	72	+ [],
	73	+ id="top-nothing",
	74	+ ),
	75	+ pytest.param(
	76	+ [],
	77	+ ["export"],
	78	+ id="top-export",
	79	+ ),
	80	+ pytest.param(
	81	+ ["export"],
	82	+ [],
	83	+ id="export-nothing",
	84	+ ),
	85	+ pytest.param(
	86	+ ["export"],
	87	+ ["vault"],
	88	+ id="export-vault",
	89	+ ),
	90	+ pytest.param(
	91	+ ["export", "vault"],
	92	+ [],
	93	+ id="export-vault-nothing",
	94	+ ),
	95	+ pytest.param(
	96	+ ["export", "vault"],
	97	+ ["--format", "this-format-doesnt-exist"],
	98	+ id="export-vault-args",
	99	+ ),
	100	+ pytest.param(
	101	+ ["vault"],
	102	+ [],
	103	+ id="vault-nothing",
	104	+ ),
	105	+ pytest.param(
	106	+ ["vault"],
	107	+ ["--export", "./"],
	108	+ id="vault-args",
	109	+ ),
	110	+ ],
	111	+ )
	112	+ COLORFUL_COMMAND_INPUT = pytest.mark.parametrize(
	113	+ ["command_line", "input"],
	114	+ [
	115	+ (
	116	+ ["vault", "--import", "-"],
	117	+ '{"services": {"": {"length": 20}}}',
	118	+ ),
	119	+ ],
	120	+ ids=["cmd"],
	121	+ )
	122	+ ISATTY = pytest.mark.parametrize(
	123	+ "isatty",
	124	+ [False, True],
	125	+ ids=["notty", "tty"],
	126	+ )
	127	+ MASK_PROG_NAME = pytest.mark.parametrize("mask_prog_name", [False, True])
	128	+ MASK_VERSION = pytest.mark.parametrize("mask_version", [False, True])
	129	+ VERSION_OUTPUT_DATA = pytest.mark.parametrize(
	130	+ ["version_output", "prog_name", "version", "expected_parse"],
	131	+ [
	132	+ pytest.param(
	133	+ """\
	134	+derivepassphrase 0.4.0
	135	+Using cryptography 44.0.0
	136	+
	137	+Supported foreign configuration formats: vault storeroom, vault v0.2,
	138	+ vault v0.3.
	139	+PEP 508 extras: export.
	140	+""",
	141	+ "derivepassphrase",
	142	+ "0.4.0",
	143	+ VersionOutputData(
	144	+ derivation_schemes={},
	145	+ foreign_configuration_formats={
	146	+ "vault storeroom": True,
	147	+ "vault v0.2": True,
	148	+ "vault v0.3": True,
	149	+ },
	150	+ subcommands=frozenset(),
	151	+ features={},
	152	+ extras=frozenset({"export"}),
	153	+ ),
	154	+ id="derivepassphrase-0.4.0-export",
	155	+ ),
	156	+ pytest.param(
	157	+ """\
	158	+derivepassphrase 0.5
	159	+
	160	+Supported derivation schemes: vault.
	161	+Known foreign configuration formats: vault storeroom, vault v0.2, vault v0.3.
	162	+Supported subcommands: export, vault.
	163	+No PEP 508 extras are active.
	164	+""",
	165	+ "derivepassphrase",
	166	+ "0.5",
	167	+ VersionOutputData(
	168	+ derivation_schemes={"vault": True},
	169	+ foreign_configuration_formats={
	170	+ "vault storeroom": False,
	171	+ "vault v0.2": False,
	172	+ "vault v0.3": False,
	173	+ },
	174	+ subcommands=frozenset({"export", "vault"}),
	175	+ features={},
	176	+ extras=frozenset({}),
	177	+ ),
	178	+ id="derivepassphrase-0.5-plain",
	179	+ ),
	180	+ pytest.param(
	181	+ """\
	182	+
	183	+
	184	+
	185	+inventpassphrase -1.3
	186	+Using not-a-library 7.12
	187	+Copyright 2025 Nobody. All rights reserved.
	188	+
	189	+Supported derivation schemes: nonsense.
	190	+Known derivation schemes: divination, /dev/random,
	191	+ geiger counter,
	192	+ crossword solver.
	193	+Supported foreign configuration formats: derivepassphrase, nonsense.
	194	+Known foreign configuration formats: divination v3.141592,
	195	+ /dev/random.
	196	+Supported subcommands: delete-all-files, dump-core.
	197	+Supported features: delete-while-open.
	198	+Known features: backups-are-nice-to-have.
	199	+PEP 508 extras: annoying-popups, delete-all-files,
	200	+ dump-core-depending-on-the-phase-of-the-moon.
	201	+
	202	+
	203	+
	204	+""",
	205	+ "inventpassphrase",
	206	+ "-1.3",
	207	+ VersionOutputData(
	208	+ derivation_schemes={
	209	+ "nonsense": True,
	210	+ "divination": False,
	211	+ "/dev/random": False,
	212	+ "geiger counter": False,
	213	+ "crossword solver": False,
	214	+ },
	215	+ foreign_configuration_formats={
	216	+ "derivepassphrase": True,
	217	+ "nonsense": True,
	218	+ "divination v3.141592": False,
	219	+ "/dev/random": False,
	220	+ },
	221	+ subcommands=frozenset({"delete-all-files", "dump-core"}),
	222	+ features={
	223	+ "delete-while-open": True,
	224	+ "backups-are-nice-to-have": False,
	225	+ },
	226	+ extras=frozenset({
	227	+ "annoying-popups",
	228	+ "delete-all-files",
	229	+ "dump-core-depending-on-the-phase-of-the-moon",
	230	+ }),
	231	+ ),
	232	+ id="inventpassphrase",
	233	+ ),
	234	+ ],
	235	+ )
	236	+ """Sample data for [`parse_version_output`][]."""
	237	+
	238	+
	239	+def parse_version_output( # noqa: C901
	240	+ version_output: str,
	241	+ /,
	242	+ *,
	243	+ prog_name: str \| None = cli_messages.PROG_NAME,
	244	+ version: str \| None = cli_messages.VERSION,
	245	+) -> VersionOutputData:
	246	+ r"""Parse the output of the `--version` option.
	247	+
	248	+ The version output contains two paragraphs. The first paragraph
	249	+ details the version number, and the version number of any major
	250	+ libraries in use. The second paragraph details known and supported
	251	+ passphrase derivation schemes, foreign configuration formats,
	252	+ subcommands and PEP 508 package extras. For the schemes and
	253	+ formats, there is a "supported" line for supported items, and
	254	+ a "known" line for known but currently unsupported items (usually
	255	+ because of missing dependencies), either of which may be empty and
	256	+ thus omitted. For extras, only active items are shown, and there is
	257	+ a separate message for the "no extras active" case. Item lists may
	258	+ be spilled across multiple lines, but only at item boundaries, and
	259	+ the continuation lines are then indented.
	260	+
	261	+ Args:
	262	+ version_output:
	263	+ The version output text to parse.
	264	+ prog_name:
	265	+ The program name to assert, defaulting to the true program
	266	+ name, `derivepassphrase`. Set to `None` to disable this
	267	+ check.
	268	+ version:
	269	+ The program version to assert, defaulting to the true
	270	+ current version of `derivepassphrase`. Set to `None` to
	271	+ disable this check.
	272	+
	273	+ Examples:
	274	+ See [`Parametrize.VERSION_OUTPUT_DATA`][].
	275	+
	276	+ """
	277	+ paragraphs: list[list[str]] = []
	278	+ paragraph: list[str] = []
	279	+ for line in version_output.splitlines(keepends=False):
	280	+ if not line.strip():
	281	+ if paragraph:
	282	+ paragraphs.append(paragraph.copy())
	283	+ paragraph.clear()
	284	+ elif paragraph and line.lstrip() != line:
	285	+ paragraph[-1] = f"{paragraph[-1]} {line.lstrip()}"
	286	+ else:
	287	+ paragraph.append(line)
	288	+ if paragraph: # pragma: no branch
	289	+ paragraphs.append(paragraph.copy())
	290	+ paragraph.clear()
	291	+ assert paragraphs, (
	292	+ f"expected at least one paragraph of version output: {paragraphs!r}"
	293	+ )
	294	+ assert prog_name is None or prog_name in paragraphs[0][0], (
	295	+ f"first version output line should mention "
	296	+ f"{prog_name}: {paragraphs[0][0]!r}"
	297	+ )
	298	+ assert version is None or version in paragraphs[0][0], (
	299	+ f"first version output line should mention the version number "
	300	+ f"{version}: {paragraphs[0][0]!r}"
	301	+ )
	302	+ schemes: dict[str, bool] = {}
	303	+ formats: dict[str, bool] = {}
	304	+ subcommands: set[str] = set()
	305	+ extras: set[str] = set()
	306	+ features: dict[str, bool] = {}
	307	+ if len(paragraphs) < 2: # pragma: no cover
	308	+ return VersionOutputData(
	309	+ derivation_schemes=schemes,
	310	+ foreign_configuration_formats=formats,
	311	+ subcommands=frozenset(subcommands),
	312	+ extras=frozenset(extras),
	313	+ features=features,
	314	+ )
	315	+ for line in paragraphs[1]:
	316	+ line_type, _, value = line.partition(":")
	317	+ if line_type == line:
	318	+ continue
	319	+ for item_ in re.split(r"(?:, *\|.$)", value):
	320	+ item = item_.strip()
	321	+ if not item:
	322	+ continue
	323	+ if line_type == KnownLineType.SUPPORTED_FOREIGN_CONFS:
	324	+ formats[item] = True
	325	+ elif line_type == KnownLineType.UNAVAILABLE_FOREIGN_CONFS:
	326	+ formats[item] = False
	327	+ elif line_type == KnownLineType.SUPPORTED_SCHEMES:
	328	+ schemes[item] = True
	329	+ elif line_type == KnownLineType.UNAVAILABLE_SCHEMES:
	330	+ schemes[item] = False
	331	+ elif line_type == KnownLineType.SUPPORTED_SUBCOMMANDS:
	332	+ subcommands.add(item)
	333	+ elif line_type == KnownLineType.ENABLED_EXTRAS:
	334	+ extras.add(item)
	335	+ elif line_type == KnownLineType.SUPPORTED_FEATURES:
	336	+ features[item] = True
	337	+ elif line_type == KnownLineType.UNAVAILABLE_FEATURES:
	338	+ features[item] = False
	339	+ else:
	340	+ raise AssertionError( # noqa: TRY003
	341	+ f"Unknown version info line type: {line_type!r}" # noqa: EM102
	342	+ )
	343	+ return VersionOutputData(
	344	+ derivation_schemes=schemes,
	345	+ foreign_configuration_formats=formats,
	346	+ subcommands=frozenset(subcommands),
	347	+ extras=frozenset(extras),
	348	+ features=features,
	349	+ )
	350	+
	351	+
	352	+class TestAllCLI:
	353	+ """Tests uniformly for all command-line interfaces."""
	354	+
	355	+ @Parametrize.MASK_PROG_NAME
	356	+ @Parametrize.MASK_VERSION
	357	+ @Parametrize.VERSION_OUTPUT_DATA
	358	+ def test_001_parse_version_output(
	359	+ self,
	360	+ version_output: str,
	361	+ prog_name: str \| None,
	362	+ version: str \| None,
	363	+ mask_prog_name: bool,
	364	+ mask_version: bool,
	365	+ expected_parse: VersionOutputData,
	366	+ ) -> None:
	367	+ """The parsing machinery for expected version output data works."""
	368	+ prog_name = None if mask_prog_name else prog_name
	369	+ version = None if mask_version else version
	370	+ assert (
	371	+ parse_version_output(
	372	+ version_output, prog_name=prog_name, version=version
	373	+ )
	374	+ == expected_parse
	375	+ )
	376	+
	377	+ # TODO(the-13th-letter): Do we actually need this? What should we
	378	+ # check for?
	379	+ def test_100_help_output(self) -> None:
	380	+ """The top-level help text mentions subcommands.
	381	+
	382	+ TODO: Do we actually need this? What should we check for?
	383	+
	384	+ """
	385	+ runner = machinery.CliRunner(mix_stderr=False)
	386	+ # TODO(the-13th-letter): Rewrite using parenthesized
	387	+ # with-statements.
	388	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	389	+ with contextlib.ExitStack() as stack:
	390	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	391	+ stack.enter_context(
	392	+ pytest_machinery.isolated_config(
	393	+ monkeypatch=monkeypatch,
	394	+ runner=runner,
	395	+ )
	396	+ )
	397	+ result = runner.invoke(
	398	+ cli.derivepassphrase, ["--help"], catch_exceptions=False
	399	+ )
	400	+ assert result.clean_exit(
	401	+ empty_stderr=True, output="currently implemented subcommands"
	402	+ ), "expected clean exit, and known help text"
	403	+
	404	+ # TODO(the-13th-letter): Do we actually need this? What should we
	405	+ # check for?
	406	+ def test_101_help_output_export(
	407	+ self,
	408	+ ) -> None:
	409	+ """The "export" subcommand help text mentions subcommands.
	410	+
	411	+ TODO: Do we actually need this? What should we check for?
	412	+
	413	+ """
	414	+ runner = machinery.CliRunner(mix_stderr=False)
	415	+ # TODO(the-13th-letter): Rewrite using parenthesized
	416	+ # with-statements.
	417	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	418	+ with contextlib.ExitStack() as stack:
	419	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	420	+ stack.enter_context(
	421	+ pytest_machinery.isolated_config(
	422	+ monkeypatch=monkeypatch,
	423	+ runner=runner,
	424	+ )
	425	+ )
	426	+ result = runner.invoke(
	427	+ cli.derivepassphrase,
	428	+ ["export", "--help"],
	429	+ catch_exceptions=False,
	430	+ )
	431	+ assert result.clean_exit(
	432	+ empty_stderr=True, output="only available subcommand"
	433	+ ), "expected clean exit, and known help text"
	434	+
	435	+ # TODO(the-13th-letter): Do we actually need this? What should we
	436	+ # check for?
	437	+ def test_102_help_output_export_vault(
	438	+ self,
	439	+ ) -> None:
	440	+ """The "export vault" subcommand help text has known content.
	441	+
	442	+ TODO: Do we actually need this? What should we check for?
	443	+
	444	+ """
	445	+ runner = machinery.CliRunner(mix_stderr=False)
	446	+ # TODO(the-13th-letter): Rewrite using parenthesized
	447	+ # with-statements.
	448	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	449	+ with contextlib.ExitStack() as stack:
	450	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	451	+ stack.enter_context(
	452	+ pytest_machinery.isolated_config(
	453	+ monkeypatch=monkeypatch,
	454	+ runner=runner,
	455	+ )
	456	+ )
	457	+ result = runner.invoke(
	458	+ cli.derivepassphrase,
	459	+ ["export", "vault", "--help"],
	460	+ catch_exceptions=False,
	461	+ )
	462	+ assert result.clean_exit(
	463	+ empty_stderr=True, output="Export a vault-native configuration"
	464	+ ), "expected clean exit, and known help text"
	465	+
	466	+ # TODO(the-13th-letter): Do we actually need this? What should we
	467	+ # check for?
	468	+ def test_103_help_output_vault(
	469	+ self,
	470	+ ) -> None:
	471	+ """The "vault" subcommand help text has known content.
	472	+
	473	+ TODO: Do we actually need this? What should we check for?
	474	+
	475	+ """
	476	+ runner = machinery.CliRunner(mix_stderr=False)
	477	+ # TODO(the-13th-letter): Rewrite using parenthesized
	478	+ # with-statements.
	479	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	480	+ with contextlib.ExitStack() as stack:
	481	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	482	+ stack.enter_context(
	483	+ pytest_machinery.isolated_config(
	484	+ monkeypatch=monkeypatch,
	485	+ runner=runner,
	486	+ )
	487	+ )
	488	+ result = runner.invoke(
	489	+ cli.derivepassphrase,
	490	+ ["vault", "--help"],
	491	+ catch_exceptions=False,
	492	+ )
	493	+ assert result.clean_exit(
	494	+ empty_stderr=True, output="Passphrase generation:\n"
	495	+ ), "expected clean exit, and option groups in help text"
	496	+ assert result.clean_exit(
	497	+ empty_stderr=True, output="Use $VISUAL or $EDITOR to configure"
	498	+ ), "expected clean exit, and option group epilog in help text"
	499	+
	500	+ @Parametrize.COMMAND_NON_EAGER_ARGUMENTS
	501	+ @Parametrize.EAGER_ARGUMENTS
	502	+ def test_200_eager_options(
	503	+ self,
	504	+ command: list[str],
	505	+ arguments: list[str],
	506	+ non_eager_arguments: list[str],
	507	+ ) -> None:
	508	+ """Eager options terminate option and argument processing."""
	509	+ runner = machinery.CliRunner(mix_stderr=False)
	510	+ # TODO(the-13th-letter): Rewrite using parenthesized
	511	+ # with-statements.
	512	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	513	+ with contextlib.ExitStack() as stack:
	514	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	515	+ stack.enter_context(
	516	+ pytest_machinery.isolated_config(
	517	+ monkeypatch=monkeypatch,
	518	+ runner=runner,
	519	+ )
	520	+ )
	521	+ result = runner.invoke(
	522	+ cli.derivepassphrase,
	523	+ [command, arguments, *non_eager_arguments],
	524	+ catch_exceptions=False,
	525	+ )
	526	+ assert result.clean_exit(empty_stderr=True), "expected clean exit"
	527	+
	528	+ @Parametrize.ISATTY
	529	+ @Parametrize.COLORFUL_COMMAND_INPUT
	530	+ def test_201_automatic_color_mode(
	531	+ self,
	532	+ isatty: bool,
	533	+ command_line: list[str],
	534	+ input: str \| None,
	535	+ ) -> None:
	536	+ """Auto-detect if color should be used.
	537	+
	538	+ (The answer currently is always no. See the
	539	+ [`conventional-configurable-text-styling` wishlist
	540	+ entry](../wishlist/conventional-configurable-text-styling.md).)
	541	+
	542	+ """
	543	+ color = False
	544	+ runner = machinery.CliRunner(mix_stderr=False)
	545	+ # TODO(the-13th-letter): Rewrite using parenthesized
	546	+ # with-statements.
	547	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	548	+ with contextlib.ExitStack() as stack:
	549	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	550	+ stack.enter_context(
	551	+ pytest_machinery.isolated_config(
	552	+ monkeypatch=monkeypatch,
	553	+ runner=runner,
	554	+ )
	555	+ )
	556	+ result = runner.invoke(
	557	+ cli.derivepassphrase,
	558	+ command_line,
	559	+ input=input,
	560	+ catch_exceptions=False,
	561	+ color=isatty,
	562	+ )
	563	+ assert (
	564	+ not color
	565	+ or "\x1b[0m" in result.stderr
	566	+ or "\x1b[m" in result.stderr
	567	+ ), "Expected color, but found no ANSI reset sequence"
	568	+ assert color or "\x1b[" not in result.stderr, (
	569	+ "Expected no color, but found an ANSI control sequence"
	570	+ )
	571	+
	572	+ def test_202a_derivepassphrase_version_option_output(
	573	+ self,
	574	+ ) -> None:
	575	+ """The version output states supported features.
	576	+
	577	+ The version output is parsed using [`parse_version_output`][].
	578	+ Format examples can be found in
	579	+ [`Parametrize.VERSION_OUTPUT_DATA`][]. Specifically, for the
	580	+ top-level `derivepassphrase` command, the output should contain
	581	+ the known and supported derivation schemes, and a list of
	582	+ subcommands.
	583	+
	584	+ """
	585	+ runner = machinery.CliRunner(mix_stderr=False)
	586	+ # TODO(the-13th-letter): Rewrite using parenthesized
	587	+ # with-statements.
	588	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	589	+ with contextlib.ExitStack() as stack:
	590	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	591	+ stack.enter_context(
	592	+ pytest_machinery.isolated_config(
	593	+ monkeypatch=monkeypatch,
	594	+ runner=runner,
	595	+ )
	596	+ )
	597	+ result = runner.invoke(
	598	+ cli.derivepassphrase,
	599	+ ["--version"],
	600	+ catch_exceptions=False,
	601	+ )
	602	+ assert result.clean_exit(empty_stderr=True), "expected clean exit"
	603	+ assert result.stdout.strip(), "expected version output"
	604	+ version_data = parse_version_output(result.stdout)
	605	+ actually_known_schemes = dict.fromkeys(_types.DerivationScheme, True)
	606	+ subcommands = set(_types.Subcommand)
	607	+ assert version_data.derivation_schemes == actually_known_schemes
	608	+ assert not version_data.foreign_configuration_formats
	609	+ assert version_data.subcommands == subcommands
	610	+ assert not version_data.features
	611	+ assert not version_data.extras
	612	+
	613	+ def test_202b_export_version_option_output(
	614	+ self,
	615	+ ) -> None:
	616	+ """The version output states supported features.
	617	+
	618	+ The version output is parsed using [`parse_version_output`][].
	619	+ Format examples can be found in
	620	+ [`Parametrize.VERSION_OUTPUT_DATA`][]. Specifically, for the
	621	+ `export` command, the output should contain the known foreign
	622	+ configuration formats (but not marked as supported), and a list
	623	+ of subcommands.
	624	+
	625	+ """
	626	+ runner = machinery.CliRunner(mix_stderr=False)
	627	+ # TODO(the-13th-letter): Rewrite using parenthesized
	628	+ # with-statements.
	629	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	630	+ with contextlib.ExitStack() as stack:
	631	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	632	+ stack.enter_context(
	633	+ pytest_machinery.isolated_config(
	634	+ monkeypatch=monkeypatch,
	635	+ runner=runner,
	636	+ )
	637	+ )
	638	+ result = runner.invoke(
	639	+ cli.derivepassphrase,
	640	+ ["export", "--version"],
	641	+ catch_exceptions=False,
	642	+ )
	643	+ assert result.clean_exit(empty_stderr=True), "expected clean exit"
	644	+ assert result.stdout.strip(), "expected version output"
	645	+ version_data = parse_version_output(result.stdout)
	646	+ actually_known_formats: dict[str, bool] = {
	647	+ _types.ForeignConfigurationFormat.VAULT_STOREROOM: False,
	648	+ _types.ForeignConfigurationFormat.VAULT_V02: False,
	649	+ _types.ForeignConfigurationFormat.VAULT_V03: False,
	650	+ }
	651	+ subcommands = set(_types.ExportSubcommand)
	652	+ assert not version_data.derivation_schemes
	653	+ assert (
	654	+ version_data.foreign_configuration_formats
	655	+ == actually_known_formats
	656	+ )
	657	+ assert version_data.subcommands == subcommands
	658	+ assert not version_data.features
	659	+ assert not version_data.extras
	660	+
	661	+ def test_202c_export_vault_version_option_output(
	662	+ self,
	663	+ ) -> None:
	664	+ """The version output states supported features.
	665	+
	666	+ The version output is parsed using [`parse_version_output`][].
	667	+ Format examples can be found in
	668	+ [`Parametrize.VERSION_OUTPUT_DATA`][]. Specifically, for the
	669	+ `export vault` subcommand, the output should contain the
	670	+ vault-specific subset of the known or supported foreign
	671	+ configuration formats, and a list of available PEP 508 extras.
	672	+
	673	+ """
	674	+ runner = machinery.CliRunner(mix_stderr=False)
	675	+ # TODO(the-13th-letter): Rewrite using parenthesized
	676	+ # with-statements.
	677	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	678	+ with contextlib.ExitStack() as stack:
	679	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	680	+ stack.enter_context(
	681	+ pytest_machinery.isolated_config(
	682	+ monkeypatch=monkeypatch,
	683	+ runner=runner,
	684	+ )
	685	+ )
	686	+ result = runner.invoke(
	687	+ cli.derivepassphrase,
	688	+ ["export", "vault", "--version"],
	689	+ catch_exceptions=False,
	690	+ )
	691	+ assert result.clean_exit(empty_stderr=True), "expected clean exit"
	692	+ assert result.stdout.strip(), "expected version output"
	693	+ version_data = parse_version_output(result.stdout)
	694	+ actually_known_formats: dict[str, bool] = {}
	695	+ actually_enabled_extras: set[str] = set()
	696	+ with contextlib.suppress(ModuleNotFoundError):
	697	+ from derivepassphrase.exporter import storeroom, vault_native # noqa: I001,PLC0415
	698	+
	699	+ actually_known_formats.update({
	700	+ _types.ForeignConfigurationFormat.VAULT_STOREROOM: not storeroom.STUBBED,
	701	+ _types.ForeignConfigurationFormat.VAULT_V02: not vault_native.STUBBED,
	702	+ _types.ForeignConfigurationFormat.VAULT_V03: not vault_native.STUBBED,
	703	+ })
	704	+ with contextlib.suppress(ModuleNotFoundError):
	705	+ import cryptography # noqa: F401,PLC0415
	706	+
	707	+ actually_enabled_extras.add(_types.PEP508Extra.EXPORT)
	708	+ assert not version_data.derivation_schemes
	709	+ assert (
	710	+ version_data.foreign_configuration_formats
	711	+ == actually_known_formats
	712	+ )
	713	+ assert not version_data.subcommands
	714	+ assert not version_data.features
	715	+ assert version_data.extras == actually_enabled_extras
	716	+
	717	+ def test_202d_vault_version_option_output(
	718	+ self,
	719	+ ) -> None:
	720	+ """The version output states supported features.
	721	+
	722	+ The version output is parsed using [`parse_version_output`][].
	723	+ Format examples can be found in
	724	+ [`Parametrize.VERSION_OUTPUT_DATA`][]. Specifically, for the
	725	+ vault command, the output should not contain anything beyond the
	726	+ first paragraph.
	727	+
	728	+ """
	729	+ runner = machinery.CliRunner(mix_stderr=False)
	730	+ # TODO(the-13th-letter): Rewrite using parenthesized
	731	+ # with-statements.
	732	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	733	+ with contextlib.ExitStack() as stack:
	734	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	735	+ stack.enter_context(
	736	+ pytest_machinery.isolated_config(
	737	+ monkeypatch=monkeypatch,
	738	+ runner=runner,
	739	+ )
	740	+ )
	741	+ result = runner.invoke(
	742	+ cli.derivepassphrase,
	743	+ ["vault", "--version"],
	744	+ catch_exceptions=False,
	745	+ )
	746	+ assert result.clean_exit(empty_stderr=True), "expected clean exit"
	747	+ assert result.stdout.strip(), "expected version output"
	748	+ version_data = parse_version_output(result.stdout)
	749	+
	750	+ ssh_key_supported = True
	751	+
	752	+ def react_to_notimplementederror(
	753	+ _exc: BaseException,
	754	+ ) -> None: # pragma: no cover[unused]
	755	+ nonlocal ssh_key_supported
	756	+ ssh_key_supported = False
	757	+
	758	+ with exceptiongroup.catch({ # noqa: SIM117
	759	+ NotImplementedError: react_to_notimplementederror,
	760	+ Exception: lambda *_args: None,
	761	+ }):
	762	+ with ssh_agent.SSHAgentClient.ensure_agent_subcontext():
	763	+ pass
	764	+ features: dict[str, bool] = {
	765	+ _types.Feature.SSH_KEY: ssh_key_supported,
	766	+ }
	767	+ assert not version_data.derivation_schemes
	768	+ assert not version_data.foreign_configuration_formats
	769	+ assert not version_data.subcommands
	770	+ assert version_data.features == features
	771	+ assert not version_data.extras

tests/test_derivepassphrase_cli/test_shell_completion.py

Zeige Datei @ 9ad57b1

...	...	@@ -0,0 +1,835 @@
	1	+# SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>
	2	+#
	3	+# SPDX-License-Identifier: Zlib
	4	+
	5	+from __future__ import annotations
	6	+
	7	+import contextlib
	8	+import json
	9	+import types
	10	+from typing import TYPE_CHECKING
	11	+
	12	+import click.testing
	13	+import pytest
	14	+from typing_extensions import Any
	15	+
	16	+from derivepassphrase import _types, cli
	17	+from derivepassphrase._internals import cli_helpers
	18	+from tests import data, machinery
	19	+from tests.machinery import pytest as pytest_machinery
	20	+
	21	+if TYPE_CHECKING:
	22	+ from collections.abc import Callable, Sequence
	23	+ from collections.abc import Set as AbstractSet
	24	+ from typing import NoReturn
	25	+
	26	+ from typing_extensions import Literal
	27	+
	28	+DUMMY_SERVICE = data.DUMMY_SERVICE
	29	+DUMMY_CONFIG_SETTINGS = data.DUMMY_CONFIG_SETTINGS
	30	+
	31	+
	32	+def bash_format(item: click.shell_completion.CompletionItem) -> str:
	33	+ """A formatter for `bash`-style shell completion items.
	34	+
	35	+ The format is `type,value`, and is dictated by [`click`][].
	36	+
	37	+ """
	38	+ type, value = ( # noqa: A001
	39	+ item.type,
	40	+ item.value,
	41	+ )
	42	+ return f"{type},{value}"
	43	+
	44	+
	45	+def fish_format(item: click.shell_completion.CompletionItem) -> str:
	46	+ r"""A formatter for `fish`-style shell completion items.
	47	+
	48	+ The format is `type,value<tab>help`, and is dictated by [`click`][].
	49	+
	50	+ """
	51	+ type, value, help = ( # noqa: A001
	52	+ item.type,
	53	+ item.value,
	54	+ item.help,
	55	+ )
	56	+ return f"{type},{value}\t{help}" if help else f"{type},{value}"
	57	+
	58	+
	59	+def zsh_format(item: click.shell_completion.CompletionItem) -> str:
	60	+ r"""A formatter for `zsh`-style shell completion items.
	61	+
	62	+ The format is `type<newline>value<newline>help<newline>`, and is
	63	+ dictated by [`click`][]. Upstream `click` currently (v8.2.0) does
	64	+ not deal with colons in the value correctly when the help text is
	65	+ non-degenerate. Our formatter here does, provided the upstream
	66	+ `zsh` completion script is used; see the
	67	+ [`cli_machinery.ZshComplete`][] class. A request is underway to
	68	+ merge this change into upstream `click`; see
	69	+ [`pallets/click#2846`][PR2846].
	70	+
	71	+ [PR2846]: https://github.com/pallets/click/pull/2846
	72	+
	73	+ """
	74	+ empty_help = "_"
	75	+ help_, value = (
	76	+ (item.help, item.value.replace(":", r"\:"))
	77	+ if item.help and item.help == empty_help
	78	+ else (empty_help, item.value)
	79	+ )
	80	+ return f"{item.type}\n{value}\n{help_}"
	81	+
	82	+
	83	+def completion_item(
	84	+ item: str \| click.shell_completion.CompletionItem,
	85	+) -> click.shell_completion.CompletionItem:
	86	+ """Convert a string to a completion item, if necessary."""
	87	+ return (
	88	+ click.shell_completion.CompletionItem(item, type="plain")
	89	+ if isinstance(item, str)
	90	+ else item
	91	+ )
	92	+
	93	+
	94	+def assertable_item(
	95	+ item: str \| click.shell_completion.CompletionItem,
	96	+) -> tuple[str, Any, str \| None]:
	97	+ """Convert a completion item into a pretty-printable item.
	98	+
	99	+ Intended to make completion items introspectable in pytest's
	100	+ `assert` output.
	101	+
	102	+ """
	103	+ item = completion_item(item)
	104	+ return (item.type, item.value, item.help)
	105	+
	106	+
	107	+class Parametrize(types.SimpleNamespace):
	108	+ """Common test parametrizations."""
	109	+
	110	+ COMPLETABLE_PATH_ARGUMENT = pytest.mark.parametrize(
	111	+ "command_prefix",
	112	+ [
	113	+ pytest.param(
	114	+ ("export", "vault"),
	115	+ id="derivepassphrase-export-vault",
	116	+ ),
	117	+ pytest.param(
	118	+ ("vault", "--export"),
	119	+ id="derivepassphrase-vault--export",
	120	+ ),
	121	+ pytest.param(
	122	+ ("vault", "--import"),
	123	+ id="derivepassphrase-vault--import",
	124	+ ),
	125	+ ],
	126	+ )
	127	+ COMPLETABLE_OPTIONS = pytest.mark.parametrize(
	128	+ ["command_prefix", "incomplete", "completions"],
	129	+ [
	130	+ pytest.param(
	131	+ (),
	132	+ "-",
	133	+ frozenset({
	134	+ "--help",
	135	+ "-h",
	136	+ "--version",
	137	+ "--debug",
	138	+ "--verbose",
	139	+ "-v",
	140	+ "--quiet",
	141	+ "-q",
	142	+ }),
	143	+ id="derivepassphrase",
	144	+ ),
	145	+ pytest.param(
	146	+ ("export",),
	147	+ "-",
	148	+ frozenset({
	149	+ "--help",
	150	+ "-h",
	151	+ "--version",
	152	+ "--debug",
	153	+ "--verbose",
	154	+ "-v",
	155	+ "--quiet",
	156	+ "-q",
	157	+ }),
	158	+ id="derivepassphrase-export",
	159	+ ),
	160	+ pytest.param(
	161	+ ("export", "vault"),
	162	+ "-",
	163	+ frozenset({
	164	+ "--help",
	165	+ "-h",
	166	+ "--version",
	167	+ "--debug",
	168	+ "--verbose",
	169	+ "-v",
	170	+ "--quiet",
	171	+ "-q",
	172	+ "--format",
	173	+ "-f",
	174	+ "--key",
	175	+ "-k",
	176	+ }),
	177	+ id="derivepassphrase-export-vault",
	178	+ ),
	179	+ pytest.param(
	180	+ ("vault",),
	181	+ "-",
	182	+ frozenset({
	183	+ "--help",
	184	+ "-h",
	185	+ "--version",
	186	+ "--debug",
	187	+ "--verbose",
	188	+ "-v",
	189	+ "--quiet",
	190	+ "-q",
	191	+ "--phrase",
	192	+ "-p",
	193	+ "--key",
	194	+ "-k",
	195	+ "--length",
	196	+ "-l",
	197	+ "--repeat",
	198	+ "-r",
	199	+ "--upper",
	200	+ "--lower",
	201	+ "--number",
	202	+ "--space",
	203	+ "--dash",
	204	+ "--symbol",
	205	+ "--config",
	206	+ "-c",
	207	+ "--notes",
	208	+ "-n",
	209	+ "--delete",
	210	+ "-x",
	211	+ "--delete-globals",
	212	+ "--clear",
	213	+ "-X",
	214	+ "--export",
	215	+ "-e",
	216	+ "--import",
	217	+ "-i",
	218	+ "--overwrite-existing",
	219	+ "--merge-existing",
	220	+ "--unset",
	221	+ "--export-as",
	222	+ "--modern-editor-interface",
	223	+ "--vault-legacy-editor-interface",
	224	+ "--print-notes-before",
	225	+ "--print-notes-after",
	226	+ }),
	227	+ id="derivepassphrase-vault",
	228	+ ),
	229	+ ],
	230	+ )
	231	+ COMPLETABLE_SUBCOMMANDS = pytest.mark.parametrize(
	232	+ ["command_prefix", "incomplete", "completions"],
	233	+ [
	234	+ pytest.param(
	235	+ (),
	236	+ "",
	237	+ frozenset({"export", "vault"}),
	238	+ id="derivepassphrase",
	239	+ ),
	240	+ pytest.param(
	241	+ ("export",),
	242	+ "",
	243	+ frozenset({"vault"}),
	244	+ id="derivepassphrase-export",
	245	+ ),
	246	+ ],
	247	+ )
	248	+ COMPLETION_FUNCTION_INPUTS = pytest.mark.parametrize(
	249	+ ["config", "comp_func", "args", "incomplete", "results"],
	250	+ [
	251	+ pytest.param(
	252	+ {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}},
	253	+ cli_helpers.shell_complete_service,
	254	+ ["vault"],
	255	+ "",
	256	+ [DUMMY_SERVICE],
	257	+ id="base_config-service",
	258	+ ),
	259	+ pytest.param(
	260	+ {"services": {}},
	261	+ cli_helpers.shell_complete_service,
	262	+ ["vault"],
	263	+ "",
	264	+ [],
	265	+ id="empty_config-service",
	266	+ ),
	267	+ pytest.param(
	268	+ {
	269	+ "services": {
	270	+ DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
	271	+ "newline\nin\nname": DUMMY_CONFIG_SETTINGS.copy(),
	272	+ }
	273	+ },
	274	+ cli_helpers.shell_complete_service,
	275	+ ["vault"],
	276	+ "",
	277	+ [DUMMY_SERVICE],
	278	+ id="incompletable_newline_config-service",
	279	+ ),
	280	+ pytest.param(
	281	+ {
	282	+ "services": {
	283	+ DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
	284	+ "backspace\bin\bname": DUMMY_CONFIG_SETTINGS.copy(),
	285	+ }
	286	+ },
	287	+ cli_helpers.shell_complete_service,
	288	+ ["vault"],
	289	+ "",
	290	+ [DUMMY_SERVICE],
	291	+ id="incompletable_backspace_config-service",
	292	+ ),
	293	+ pytest.param(
	294	+ {
	295	+ "services": {
	296	+ DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
	297	+ "colon:in:name": DUMMY_CONFIG_SETTINGS.copy(),
	298	+ }
	299	+ },
	300	+ cli_helpers.shell_complete_service,
	301	+ ["vault"],
	302	+ "",
	303	+ sorted([DUMMY_SERVICE, "colon:in:name"]),
	304	+ id="brittle_colon_config-service",
	305	+ ),
	306	+ pytest.param(
	307	+ {
	308	+ "services": {
	309	+ DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy(),
	310	+ "colon:in:name": DUMMY_CONFIG_SETTINGS.copy(),
	311	+ "newline\nin\nname": DUMMY_CONFIG_SETTINGS.copy(),
	312	+ "backspace\bin\bname": DUMMY_CONFIG_SETTINGS.copy(),
	313	+ "nul\x00in\x00name": DUMMY_CONFIG_SETTINGS.copy(),
	314	+ "del\x7fin\x7fname": DUMMY_CONFIG_SETTINGS.copy(),
	315	+ }
	316	+ },
	317	+ cli_helpers.shell_complete_service,
	318	+ ["vault"],
	319	+ "",
	320	+ sorted([DUMMY_SERVICE, "colon:in:name"]),
	321	+ id="brittle_incompletable_multi_config-service",
	322	+ ),
	323	+ pytest.param(
	324	+ {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}},
	325	+ cli_helpers.shell_complete_path,
	326	+ ["vault", "--import"],
	327	+ "",
	328	+ [click.shell_completion.CompletionItem("", type="file")],
	329	+ id="base_config-path",
	330	+ ),
	331	+ pytest.param(
	332	+ {"services": {}},
	333	+ cli_helpers.shell_complete_path,
	334	+ ["vault", "--import"],
	335	+ "",
	336	+ [click.shell_completion.CompletionItem("", type="file")],
	337	+ id="empty_config-path",
	338	+ ),
	339	+ ],
	340	+ )
	341	+ COMPLETABLE_SERVICE_NAMES = pytest.mark.parametrize(
	342	+ ["config", "incomplete", "completions"],
	343	+ [
	344	+ pytest.param(
	345	+ {"services": {}},
	346	+ "",
	347	+ frozenset(),
	348	+ id="no_services",
	349	+ ),
	350	+ pytest.param(
	351	+ {"services": {}},
	352	+ "partial",
	353	+ frozenset(),
	354	+ id="no_services_partial",
	355	+ ),
	356	+ pytest.param(
	357	+ {"services": {DUMMY_SERVICE: {"length": 10}}},
	358	+ "",
	359	+ frozenset({DUMMY_SERVICE}),
	360	+ id="one_service",
	361	+ ),
	362	+ pytest.param(
	363	+ {"services": {DUMMY_SERVICE: {"length": 10}}},
	364	+ DUMMY_SERVICE[:4],
	365	+ frozenset({DUMMY_SERVICE}),
	366	+ id="one_service_partial",
	367	+ ),
	368	+ pytest.param(
	369	+ {"services": {DUMMY_SERVICE: {"length": 10}}},
	370	+ DUMMY_SERVICE[-4:],
	371	+ frozenset(),
	372	+ id="one_service_partial_miss",
	373	+ ),
	374	+ ],
	375	+ )
	376	+ SERVICE_NAME_COMPLETION_INPUTS = pytest.mark.parametrize(
	377	+ ["config", "key", "incomplete", "completions"],
	378	+ [
	379	+ pytest.param(
	380	+ {
	381	+ "services": {
	382	+ DUMMY_SERVICE: {"length": 10},
	383	+ "newline\nin\nname": {"length": 10},
	384	+ },
	385	+ },
	386	+ "newline\nin\nname",
	387	+ "",
	388	+ frozenset({DUMMY_SERVICE}),
	389	+ id="newline",
	390	+ ),
	391	+ pytest.param(
	392	+ {
	393	+ "services": {
	394	+ DUMMY_SERVICE: {"length": 10},
	395	+ "newline\nin\nname": {"length": 10},
	396	+ },
	397	+ },
	398	+ "newline\nin\nname",
	399	+ "serv",
	400	+ frozenset({DUMMY_SERVICE}),
	401	+ id="newline_partial_other",
	402	+ ),
	403	+ pytest.param(
	404	+ {
	405	+ "services": {
	406	+ DUMMY_SERVICE: {"length": 10},
	407	+ "newline\nin\nname": {"length": 10},
	408	+ },
	409	+ },
	410	+ "newline\nin\nname",
	411	+ "newline",
	412	+ frozenset({}),
	413	+ id="newline_partial_specific",
	414	+ ),
	415	+ pytest.param(
	416	+ {
	417	+ "services": {
	418	+ DUMMY_SERVICE: {"length": 10},
	419	+ "nul\x00in\x00name": {"length": 10},
	420	+ },
	421	+ },
	422	+ "nul\x00in\x00name",
	423	+ "",
	424	+ frozenset({DUMMY_SERVICE}),
	425	+ id="nul",
	426	+ ),
	427	+ pytest.param(
	428	+ {
	429	+ "services": {
	430	+ DUMMY_SERVICE: {"length": 10},
	431	+ "nul\x00in\x00name": {"length": 10},
	432	+ },
	433	+ },
	434	+ "nul\x00in\x00name",
	435	+ "serv",
	436	+ frozenset({DUMMY_SERVICE}),
	437	+ id="nul_partial_other",
	438	+ ),
	439	+ pytest.param(
	440	+ {
	441	+ "services": {
	442	+ DUMMY_SERVICE: {"length": 10},
	443	+ "nul\x00in\x00name": {"length": 10},
	444	+ },
	445	+ },
	446	+ "nul\x00in\x00name",
	447	+ "nul",
	448	+ frozenset({}),
	449	+ id="nul_partial_specific",
	450	+ ),
	451	+ pytest.param(
	452	+ {
	453	+ "services": {
	454	+ DUMMY_SERVICE: {"length": 10},
	455	+ "backspace\bin\bname": {"length": 10},
	456	+ },
	457	+ },
	458	+ "backspace\bin\bname",
	459	+ "",
	460	+ frozenset({DUMMY_SERVICE}),
	461	+ id="backspace",
	462	+ ),
	463	+ pytest.param(
	464	+ {
	465	+ "services": {
	466	+ DUMMY_SERVICE: {"length": 10},
	467	+ "backspace\bin\bname": {"length": 10},
	468	+ },
	469	+ },
	470	+ "backspace\bin\bname",
	471	+ "serv",
	472	+ frozenset({DUMMY_SERVICE}),
	473	+ id="backspace_partial_other",
	474	+ ),
	475	+ pytest.param(
	476	+ {
	477	+ "services": {
	478	+ DUMMY_SERVICE: {"length": 10},
	479	+ "backspace\bin\bname": {"length": 10},
	480	+ },
	481	+ },
	482	+ "backspace\bin\bname",
	483	+ "back",
	484	+ frozenset({}),
	485	+ id="backspace_partial_specific",
	486	+ ),
	487	+ pytest.param(
	488	+ {
	489	+ "services": {
	490	+ DUMMY_SERVICE: {"length": 10},
	491	+ "del\x7fin\x7fname": {"length": 10},
	492	+ },
	493	+ },
	494	+ "del\x7fin\x7fname",
	495	+ "",
	496	+ frozenset({DUMMY_SERVICE}),
	497	+ id="del",
	498	+ ),
	499	+ pytest.param(
	500	+ {
	501	+ "services": {
	502	+ DUMMY_SERVICE: {"length": 10},
	503	+ "del\x7fin\x7fname": {"length": 10},
	504	+ },
	505	+ },
	506	+ "del\x7fin\x7fname",
	507	+ "serv",
	508	+ frozenset({DUMMY_SERVICE}),
	509	+ id="del_partial_other",
	510	+ ),
	511	+ pytest.param(
	512	+ {
	513	+ "services": {
	514	+ DUMMY_SERVICE: {"length": 10},
	515	+ "del\x7fin\x7fname": {"length": 10},
	516	+ },
	517	+ },
	518	+ "del\x7fin\x7fname",
	519	+ "del",
	520	+ frozenset({}),
	521	+ id="del_partial_specific",
	522	+ ),
	523	+ ],
	524	+ )
	525	+ SERVICE_NAME_EXCEPTIONS = pytest.mark.parametrize(
	526	+ "exc_type", [RuntimeError, KeyError, ValueError]
	527	+ )
	528	+ INCOMPLETE = pytest.mark.parametrize("incomplete", ["", "partial"])
	529	+ CONFIG_SETTING_MODE = pytest.mark.parametrize("mode", ["config", "import"])
	530	+ COMPLETABLE_ITEMS = pytest.mark.parametrize(
	531	+ ["partial", "is_completable"],
	532	+ [
	533	+ ("", True),
	534	+ (DUMMY_SERVICE, True),
	535	+ ("a\bn", False),
	536	+ ("\b", False),
	537	+ ("\x00", False),
	538	+ ("\x20", True),
	539	+ ("\x7f", False),
	540	+ ("service with spaces", True),
	541	+ ("service\nwith\nnewlines", False),
	542	+ ],
	543	+ )
	544	+ SHELL_FORMATTER = pytest.mark.parametrize(
	545	+ ["shell", "format_func"],
	546	+ [
	547	+ pytest.param("bash", bash_format, id="bash"),
	548	+ pytest.param("fish", fish_format, id="fish"),
	549	+ pytest.param("zsh", zsh_format, id="zsh"),
	550	+ ],
	551	+ )
	552	+
	553	+
	554	+class TestShellCompletion:
	555	+ """Tests for the shell completion machinery."""
	556	+
	557	+ class Completions:
	558	+ """A deferred completion call."""
	559	+
	560	+ def __init__(
	561	+ self,
	562	+ args: Sequence[str],
	563	+ incomplete: str,
	564	+ ) -> None:
	565	+ """Initialize the object.
	566	+
	567	+ Args:
	568	+ args:
	569	+ The sequence of complete command-line arguments.
	570	+ incomplete:
	571	+ The final, incomplete, partial argument.
	572	+
	573	+ """
	574	+ self.args = tuple(args)
	575	+ self.incomplete = incomplete
	576	+
	577	+ def __call__(self) -> Sequence[click.shell_completion.CompletionItem]:
	578	+ """Return the completion items."""
	579	+ args = list(self.args)
	580	+ completion = click.shell_completion.ShellComplete(
	581	+ cli=cli.derivepassphrase,
	582	+ ctx_args={},
	583	+ prog_name="derivepassphrase",
	584	+ complete_var="_DERIVEPASSPHRASE_COMPLETE",
	585	+ )
	586	+ return completion.get_completions(args, self.incomplete)
	587	+
	588	+ def get_words(self) -> Sequence[str]:
	589	+ """Return the completion items' values, as a sequence."""
	590	+ return tuple(c.value for c in self())
	591	+
	592	+ @Parametrize.COMPLETABLE_ITEMS
	593	+ def test_100_is_completable_item(
	594	+ self,
	595	+ partial: str,
	596	+ is_completable: bool,
	597	+ ) -> None:
	598	+ """Our `_is_completable_item` predicate for service names works."""
	599	+ assert cli_helpers.is_completable_item(partial) == is_completable
	600	+
	601	+ @Parametrize.COMPLETABLE_OPTIONS
	602	+ def test_200_options(
	603	+ self,
	604	+ command_prefix: Sequence[str],
	605	+ incomplete: str,
	606	+ completions: AbstractSet[str],
	607	+ ) -> None:
	608	+ """Our completion machinery works for all commands' options."""
	609	+ comp = self.Completions(command_prefix, incomplete)
	610	+ assert frozenset(comp.get_words()) == completions
	611	+
	612	+ @Parametrize.COMPLETABLE_SUBCOMMANDS
	613	+ def test_201_subcommands(
	614	+ self,
	615	+ command_prefix: Sequence[str],
	616	+ incomplete: str,
	617	+ completions: AbstractSet[str],
	618	+ ) -> None:
	619	+ """Our completion machinery works for all commands' subcommands."""
	620	+ comp = self.Completions(command_prefix, incomplete)
	621	+ assert frozenset(comp.get_words()) == completions
	622	+
	623	+ @Parametrize.COMPLETABLE_PATH_ARGUMENT
	624	+ @Parametrize.INCOMPLETE
	625	+ def test_202_paths(
	626	+ self,
	627	+ command_prefix: Sequence[str],
	628	+ incomplete: str,
	629	+ ) -> None:
	630	+ """Our completion machinery works for all commands' paths."""
	631	+ file = click.shell_completion.CompletionItem("", type="file")
	632	+ completions = frozenset({(file.type, file.value, file.help)})
	633	+ comp = self.Completions(command_prefix, incomplete)
	634	+ assert (
	635	+ frozenset((x.type, x.value, x.help) for x in comp()) == completions
	636	+ )
	637	+
	638	+ @Parametrize.COMPLETABLE_SERVICE_NAMES
	639	+ def test_203_service_names(
	640	+ self,
	641	+ config: _types.VaultConfig,
	642	+ incomplete: str,
	643	+ completions: AbstractSet[str],
	644	+ ) -> None:
	645	+ """Our completion machinery works for vault service names."""
	646	+ runner = machinery.CliRunner(mix_stderr=False)
	647	+ # TODO(the-13th-letter): Rewrite using parenthesized
	648	+ # with-statements.
	649	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	650	+ with contextlib.ExitStack() as stack:
	651	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	652	+ stack.enter_context(
	653	+ pytest_machinery.isolated_vault_config(
	654	+ monkeypatch=monkeypatch,
	655	+ runner=runner,
	656	+ vault_config=config,
	657	+ )
	658	+ )
	659	+ comp = self.Completions(["vault"], incomplete)
	660	+ assert frozenset(comp.get_words()) == completions
	661	+
	662	+ @Parametrize.SHELL_FORMATTER
	663	+ @Parametrize.COMPLETION_FUNCTION_INPUTS
	664	+ def test_300_shell_completion_formatting(
	665	+ self,
	666	+ shell: str,
	667	+ format_func: Callable[[click.shell_completion.CompletionItem], str],
	668	+ config: _types.VaultConfig,
	669	+ comp_func: Callable[
	670	+ [click.Context, click.Parameter, str],
	671	+ list[str \| click.shell_completion.CompletionItem],
	672	+ ],
	673	+ args: list[str],
	674	+ incomplete: str,
	675	+ results: list[str \| click.shell_completion.CompletionItem],
	676	+ ) -> None:
	677	+ """Custom completion functions work for all shells."""
	678	+ runner = machinery.CliRunner(mix_stderr=False)
	679	+ # TODO(the-13th-letter): Rewrite using parenthesized
	680	+ # with-statements.
	681	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	682	+ with contextlib.ExitStack() as stack:
	683	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	684	+ stack.enter_context(
	685	+ pytest_machinery.isolated_vault_config(
	686	+ monkeypatch=monkeypatch,
	687	+ runner=runner,
	688	+ vault_config=config,
	689	+ )
	690	+ )
	691	+ expected_items = [assertable_item(item) for item in results]
	692	+ expected_string = "\n".join(
	693	+ format_func(completion_item(item)) for item in results
	694	+ )
	695	+ manual_raw_items = comp_func(
	696	+ click.Context(cli.derivepassphrase),
	697	+ click.Argument(["sample_parameter"]),
	698	+ incomplete,
	699	+ )
	700	+ manual_items = [assertable_item(item) for item in manual_raw_items]
	701	+ manual_string = "\n".join(
	702	+ format_func(completion_item(item)) for item in manual_raw_items
	703	+ )
	704	+ assert manual_items == expected_items
	705	+ assert manual_string == expected_string
	706	+ comp_class = click.shell_completion.get_completion_class(shell)
	707	+ assert comp_class is not None
	708	+ comp = comp_class(
	709	+ cli.derivepassphrase,
	710	+ {},
	711	+ "derivepassphrase",
	712	+ "_DERIVEPASSPHRASE_COMPLETE",
	713	+ )
	714	+ monkeypatch.setattr(
	715	+ comp,
	716	+ "get_completion_args",
	717	+ lambda _a, *_kw: (args, incomplete),
	718	+ )
	719	+ actual_raw_items = comp.get_completions(
	720	+ *comp.get_completion_args()
	721	+ )
	722	+ actual_items = [assertable_item(item) for item in actual_raw_items]
	723	+ actual_string = comp.complete()
	724	+ assert actual_items == expected_items
	725	+ assert actual_string == expected_string
	726	+
	727	+ @Parametrize.CONFIG_SETTING_MODE
	728	+ @Parametrize.SERVICE_NAME_COMPLETION_INPUTS
	729	+ def test_400_incompletable_service_names(
	730	+ self,
	731	+ caplog: pytest.LogCaptureFixture,
	732	+ mode: Literal["config", "import"],
	733	+ config: _types.VaultConfig,
	734	+ key: str,
	735	+ incomplete: str,
	736	+ completions: AbstractSet[str],
	737	+ ) -> None:
	738	+ """Completion skips incompletable items."""
	739	+ vault_config = config if mode == "config" else {"services": {}}
	740	+ runner = machinery.CliRunner(mix_stderr=False)
	741	+ # TODO(the-13th-letter): Rewrite using parenthesized
	742	+ # with-statements.
	743	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	744	+ with contextlib.ExitStack() as stack:
	745	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	746	+ stack.enter_context(
	747	+ pytest_machinery.isolated_vault_config(
	748	+ monkeypatch=monkeypatch,
	749	+ runner=runner,
	750	+ vault_config=vault_config,
	751	+ )
	752	+ )
	753	+ if mode == "config":
	754	+ result = runner.invoke(
	755	+ cli.derivepassphrase_vault,
	756	+ ["--config", "--length=10", "--", key],
	757	+ catch_exceptions=False,
	758	+ )
	759	+ else:
	760	+ result = runner.invoke(
	761	+ cli.derivepassphrase_vault,
	762	+ ["--import", "-"],
	763	+ catch_exceptions=False,
	764	+ input=json.dumps(config),
	765	+ )
	766	+ assert result.clean_exit(), "expected clean exit"
	767	+ assert machinery.warning_emitted(
	768	+ "contains an ASCII control character", caplog.record_tuples
	769	+ ), "expected known warning message in stderr"
	770	+ assert machinery.warning_emitted(
	771	+ "not be available for completion", caplog.record_tuples
	772	+ ), "expected known warning message in stderr"
	773	+ assert cli_helpers.load_config() == config
	774	+ comp = self.Completions(["vault"], incomplete)
	775	+ assert frozenset(comp.get_words()) == completions
	776	+
	777	+ def test_410a_service_name_exceptions_not_found(
	778	+ self,
	779	+ ) -> None:
	780	+ """Service name completion quietly fails on missing configuration."""
	781	+ runner = machinery.CliRunner(mix_stderr=False)
	782	+ # TODO(the-13th-letter): Rewrite using parenthesized
	783	+ # with-statements.
	784	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	785	+ with contextlib.ExitStack() as stack:
	786	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	787	+ stack.enter_context(
	788	+ pytest_machinery.isolated_vault_config(
	789	+ monkeypatch=monkeypatch,
	790	+ runner=runner,
	791	+ vault_config={
	792	+ "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
	793	+ },
	794	+ )
	795	+ )
	796	+ cli_helpers.config_filename(subsystem="vault").unlink(
	797	+ missing_ok=True
	798	+ )
	799	+ assert not cli_helpers.shell_complete_service(
	800	+ click.Context(cli.derivepassphrase),
	801	+ click.Argument(["some_parameter"]),
	802	+ "",
	803	+ )
	804	+
	805	+ @Parametrize.SERVICE_NAME_EXCEPTIONS
	806	+ def test_410b_service_name_exceptions_custom_error(
	807	+ self,
	808	+ exc_type: type[Exception],
	809	+ ) -> None:
	810	+ """Service name completion quietly fails on configuration errors."""
	811	+ runner = machinery.CliRunner(mix_stderr=False)
	812	+ # TODO(the-13th-letter): Rewrite using parenthesized
	813	+ # with-statements.
	814	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	815	+ with contextlib.ExitStack() as stack:
	816	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	817	+ stack.enter_context(
	818	+ pytest_machinery.isolated_vault_config(
	819	+ monkeypatch=monkeypatch,
	820	+ runner=runner,
	821	+ vault_config={
	822	+ "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
	823	+ },
	824	+ )
	825	+ )
	826	+
	827	+ def raiser(_a: Any, *_kw: Any) -> NoReturn:
	828	+ raise exc_type("just being difficult") # noqa: EM101,TRY003
	829	+
	830	+ monkeypatch.setattr(cli_helpers, "load_config", raiser)
	831	+ assert not cli_helpers.shell_complete_service(
	832	+ click.Context(cli.derivepassphrase),
	833	+ click.Argument(["some_parameter"]),
	834	+ "",
	835	+ )

tests/test_derivepassphrase_cli/test_transition.py

Zeige Datei @ 9ad57b1

...	...	@@ -0,0 +1,428 @@
	1	+# SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>
	2	+#
	3	+# SPDX-License-Identifier: Zlib
	4	+
	5	+# TODO(the-13th-letter): Remove this module in v1.0.
	6	+# https://the13thletter.info/derivepassphrase/latest/upgrade-notes/#upgrading-to-v1.0
	7	+
	8	+from __future__ import annotations
	9	+
	10	+import contextlib
	11	+import errno
	12	+import json
	13	+import logging
	14	+import os
	15	+import pathlib
	16	+
	17	+import click.testing
	18	+import pytest
	19	+from typing_extensions import Any
	20	+
	21	+from derivepassphrase import cli, vault
	22	+from derivepassphrase._internals import (
	23	+ cli_helpers,
	24	+)
	25	+from tests import data, machinery, test_derivepassphrase_cli
	26	+from tests.data import callables
	27	+from tests.machinery import pytest as pytest_machinery
	28	+from tests.test_derivepassphrase_cli import test_utils
	29	+
	30	+DUMMY_SERVICE = data.DUMMY_SERVICE
	31	+DUMMY_PASSPHRASE = data.DUMMY_PASSPHRASE
	32	+DUMMY_CONFIG_SETTINGS = data.DUMMY_CONFIG_SETTINGS
	33	+
	34	+
	35	+class Parametrize(
	36	+ test_derivepassphrase_cli.Parametrize, test_utils.Parametrize
	37	+):
	38	+ """Common test parametrizations."""
	39	+
	40	+ BAD_CONFIGS = pytest.mark.parametrize(
	41	+ "config",
	42	+ [
	43	+ {"global": "", "services": {}},
	44	+ {"global": 0, "services": {}},
	45	+ {
	46	+ "global": {"phrase": "abc"},
	47	+ "services": False,
	48	+ },
	49	+ {
	50	+ "global": {"phrase": "abc"},
	51	+ "services": True,
	52	+ },
	53	+ {
	54	+ "global": {"phrase": "abc"},
	55	+ "services": None,
	56	+ },
	57	+ ],
	58	+ )
	59	+
	60	+
	61	+class TestCLITransition:
	62	+ """Transition tests for the command-line interface up to v1.0."""
	63	+
	64	+ @Parametrize.BASE_CONFIG_VARIATIONS
	65	+ def test_110_load_config_backup(
	66	+ self,
	67	+ config: Any,
	68	+ ) -> None:
	69	+ """Loading the old settings file works."""
	70	+ runner = machinery.CliRunner(mix_stderr=False)
	71	+ # TODO(the-13th-letter): Rewrite using parenthesized
	72	+ # with-statements.
	73	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	74	+ with contextlib.ExitStack() as stack:
	75	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	76	+ stack.enter_context(
	77	+ pytest_machinery.isolated_config(
	78	+ monkeypatch=monkeypatch,
	79	+ runner=runner,
	80	+ )
	81	+ )
	82	+ cli_helpers.config_filename(
	83	+ subsystem="old settings.json"
	84	+ ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
	85	+ assert cli_helpers.migrate_and_load_old_config()[0] == config
	86	+
	87	+ @Parametrize.BASE_CONFIG_VARIATIONS
	88	+ def test_111_migrate_config(
	89	+ self,
	90	+ config: Any,
	91	+ ) -> None:
	92	+ """Migrating the old settings file works."""
	93	+ runner = machinery.CliRunner(mix_stderr=False)
	94	+ # TODO(the-13th-letter): Rewrite using parenthesized
	95	+ # with-statements.
	96	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	97	+ with contextlib.ExitStack() as stack:
	98	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	99	+ stack.enter_context(
	100	+ pytest_machinery.isolated_config(
	101	+ monkeypatch=monkeypatch,
	102	+ runner=runner,
	103	+ )
	104	+ )
	105	+ cli_helpers.config_filename(
	106	+ subsystem="old settings.json"
	107	+ ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
	108	+ assert cli_helpers.migrate_and_load_old_config() == (config, None)
	109	+
	110	+ @Parametrize.BASE_CONFIG_VARIATIONS
	111	+ def test_112_migrate_config_error(
	112	+ self,
	113	+ config: Any,
	114	+ ) -> None:
	115	+ """Migrating the old settings file atop a directory fails."""
	116	+ runner = machinery.CliRunner(mix_stderr=False)
	117	+ # TODO(the-13th-letter): Rewrite using parenthesized
	118	+ # with-statements.
	119	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	120	+ with contextlib.ExitStack() as stack:
	121	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	122	+ stack.enter_context(
	123	+ pytest_machinery.isolated_config(
	124	+ monkeypatch=monkeypatch,
	125	+ runner=runner,
	126	+ )
	127	+ )
	128	+ cli_helpers.config_filename(
	129	+ subsystem="old settings.json"
	130	+ ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
	131	+ cli_helpers.config_filename(subsystem="vault").mkdir(
	132	+ parents=True, exist_ok=True
	133	+ )
	134	+ config2, err = cli_helpers.migrate_and_load_old_config()
	135	+ assert config2 == config
	136	+ assert isinstance(err, OSError)
	137	+ # The Annoying OS uses EEXIST, other OSes use EISDIR.
	138	+ assert err.errno in {errno.EISDIR, errno.EEXIST}
	139	+
	140	+ @Parametrize.BAD_CONFIGS
	141	+ def test_113_migrate_config_error_bad_config_value(
	142	+ self,
	143	+ config: Any,
	144	+ ) -> None:
	145	+ """Migrating an invalid old settings file fails."""
	146	+ runner = machinery.CliRunner(mix_stderr=False)
	147	+ # TODO(the-13th-letter): Rewrite using parenthesized
	148	+ # with-statements.
	149	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	150	+ with contextlib.ExitStack() as stack:
	151	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	152	+ stack.enter_context(
	153	+ pytest_machinery.isolated_config(
	154	+ monkeypatch=monkeypatch,
	155	+ runner=runner,
	156	+ )
	157	+ )
	158	+ cli_helpers.config_filename(
	159	+ subsystem="old settings.json"
	160	+ ).write_text(json.dumps(config, indent=2) + "\n", encoding="UTF-8")
	161	+ with pytest.raises(
	162	+ ValueError, match=cli_helpers.INVALID_VAULT_CONFIG
	163	+ ):
	164	+ cli_helpers.migrate_and_load_old_config()
	165	+
	166	+ def test_200_forward_export_vault_path_parameter(
	167	+ self,
	168	+ caplog: pytest.LogCaptureFixture,
	169	+ ) -> None:
	170	+ """Forwarding arguments from "export" to "export vault" works."""
	171	+ pytest.importorskip("cryptography", minversion="38.0")
	172	+ runner = machinery.CliRunner(mix_stderr=False)
	173	+ # TODO(the-13th-letter): Rewrite using parenthesized
	174	+ # with-statements.
	175	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	176	+ with contextlib.ExitStack() as stack:
	177	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	178	+ stack.enter_context(
	179	+ pytest_machinery.isolated_vault_exporter_config(
	180	+ monkeypatch=monkeypatch,
	181	+ runner=runner,
	182	+ vault_config=data.VAULT_V03_CONFIG,
	183	+ vault_key=data.VAULT_MASTER_KEY,
	184	+ )
	185	+ )
	186	+ monkeypatch.setenv("VAULT_KEY", data.VAULT_MASTER_KEY)
	187	+ result = runner.invoke(
	188	+ cli.derivepassphrase,
	189	+ ["export", "VAULT_PATH"],
	190	+ )
	191	+ assert result.clean_exit(empty_stderr=False), "expected clean exit"
	192	+ assert machinery.deprecation_warning_emitted(
	193	+ "A subcommand will be required here in v1.0", caplog.record_tuples
	194	+ )
	195	+ assert machinery.deprecation_warning_emitted(
	196	+ 'Defaulting to subcommand "vault"', caplog.record_tuples
	197	+ )
	198	+ assert json.loads(result.stdout) == data.VAULT_V03_CONFIG_DATA
	199	+
	200	+ def test_201_forward_export_vault_empty_commandline(
	201	+ self,
	202	+ caplog: pytest.LogCaptureFixture,
	203	+ ) -> None:
	204	+ """Deferring from "export" to "export vault" works."""
	205	+ pytest.importorskip("cryptography", minversion="38.0")
	206	+ runner = machinery.CliRunner(mix_stderr=False)
	207	+ # TODO(the-13th-letter): Rewrite using parenthesized
	208	+ # with-statements.
	209	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	210	+ with contextlib.ExitStack() as stack:
	211	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	212	+ stack.enter_context(
	213	+ pytest_machinery.isolated_config(
	214	+ monkeypatch=monkeypatch,
	215	+ runner=runner,
	216	+ )
	217	+ )
	218	+ result = runner.invoke(
	219	+ cli.derivepassphrase,
	220	+ ["export"],
	221	+ )
	222	+ assert machinery.deprecation_warning_emitted(
	223	+ "A subcommand will be required here in v1.0", caplog.record_tuples
	224	+ )
	225	+ assert machinery.deprecation_warning_emitted(
	226	+ 'Defaulting to subcommand "vault"', caplog.record_tuples
	227	+ )
	228	+ assert result.error_exit(error="Missing argument 'PATH'"), (
	229	+ "expected error exit and known error type"
	230	+ )
	231	+
	232	+ @Parametrize.CHARSET_NAME
	233	+ def test_210_forward_vault_disable_character_set(
	234	+ self,
	235	+ caplog: pytest.LogCaptureFixture,
	236	+ charset_name: str,
	237	+ ) -> None:
	238	+ """Forwarding arguments from top-level to "vault" works."""
	239	+ option = f"--{charset_name}"
	240	+ charset = vault.Vault.CHARSETS[charset_name].decode("ascii")
	241	+ runner = machinery.CliRunner(mix_stderr=False)
	242	+ # TODO(the-13th-letter): Rewrite using parenthesized
	243	+ # with-statements.
	244	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	245	+ with contextlib.ExitStack() as stack:
	246	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	247	+ stack.enter_context(
	248	+ pytest_machinery.isolated_config(
	249	+ monkeypatch=monkeypatch,
	250	+ runner=runner,
	251	+ )
	252	+ )
	253	+ monkeypatch.setattr(
	254	+ cli_helpers,
	255	+ "prompt_for_passphrase",
	256	+ callables.auto_prompt,
	257	+ )
	258	+ result = runner.invoke(
	259	+ cli.derivepassphrase,
	260	+ [option, "0", "-p", "--", DUMMY_SERVICE],
	261	+ input=DUMMY_PASSPHRASE,
	262	+ catch_exceptions=False,
	263	+ )
	264	+ assert result.clean_exit(empty_stderr=False), "expected clean exit"
	265	+ assert machinery.deprecation_warning_emitted(
	266	+ "A subcommand will be required here in v1.0", caplog.record_tuples
	267	+ )
	268	+ assert machinery.deprecation_warning_emitted(
	269	+ 'Defaulting to subcommand "vault"', caplog.record_tuples
	270	+ )
	271	+ for c in charset:
	272	+ assert c not in result.stdout, (
	273	+ f"derived password contains forbidden character {c!r}"
	274	+ )
	275	+
	276	+ def test_211_forward_vault_empty_command_line(
	277	+ self,
	278	+ caplog: pytest.LogCaptureFixture,
	279	+ ) -> None:
	280	+ """Deferring from top-level to "vault" works."""
	281	+ runner = machinery.CliRunner(mix_stderr=False)
	282	+ # TODO(the-13th-letter): Rewrite using parenthesized
	283	+ # with-statements.
	284	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	285	+ with contextlib.ExitStack() as stack:
	286	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	287	+ stack.enter_context(
	288	+ pytest_machinery.isolated_config(
	289	+ monkeypatch=monkeypatch,
	290	+ runner=runner,
	291	+ )
	292	+ )
	293	+ result = runner.invoke(
	294	+ cli.derivepassphrase,
	295	+ [],
	296	+ input=DUMMY_PASSPHRASE,
	297	+ catch_exceptions=False,
	298	+ )
	299	+ assert machinery.deprecation_warning_emitted(
	300	+ "A subcommand will be required here in v1.0", caplog.record_tuples
	301	+ )
	302	+ assert machinery.deprecation_warning_emitted(
	303	+ 'Defaulting to subcommand "vault"', caplog.record_tuples
	304	+ )
	305	+ assert result.error_exit(
	306	+ error="Deriving a passphrase requires a SERVICE."
	307	+ ), "expected error exit and known error type"
	308	+
	309	+ def test_300_export_using_old_config_file(
	310	+ self,
	311	+ caplog: pytest.LogCaptureFixture,
	312	+ ) -> None:
	313	+ """Exporting from (and migrating) the old settings file works."""
	314	+ caplog.set_level(logging.INFO)
	315	+ runner = machinery.CliRunner(mix_stderr=False)
	316	+ # TODO(the-13th-letter): Rewrite using parenthesized
	317	+ # with-statements.
	318	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	319	+ with contextlib.ExitStack() as stack:
	320	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	321	+ stack.enter_context(
	322	+ pytest_machinery.isolated_config(
	323	+ monkeypatch=monkeypatch,
	324	+ runner=runner,
	325	+ )
	326	+ )
	327	+ cli_helpers.config_filename(
	328	+ subsystem="old settings.json"
	329	+ ).write_text(
	330	+ json.dumps(
	331	+ {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}},
	332	+ indent=2,
	333	+ )
	334	+ + "\n",
	335	+ encoding="UTF-8",
	336	+ )
	337	+ result = runner.invoke(
	338	+ cli.derivepassphrase_vault,
	339	+ ["--export", "-"],
	340	+ catch_exceptions=False,
	341	+ )
	342	+ assert result.clean_exit(), "expected clean exit"
	343	+ assert machinery.deprecation_warning_emitted(
	344	+ "v0.1-style config file", caplog.record_tuples
	345	+ ), "expected known warning message in stderr"
	346	+ assert machinery.deprecation_info_emitted(
	347	+ "Successfully migrated to ", caplog.record_tuples
	348	+ ), "expected known warning message in stderr"
	349	+
	350	+ def test_300a_export_using_old_config_file_migration_error(
	351	+ self,
	352	+ caplog: pytest.LogCaptureFixture,
	353	+ ) -> None:
	354	+ """Exporting from (and not migrating) the old settings file fails."""
	355	+ runner = machinery.CliRunner(mix_stderr=False)
	356	+ # TODO(the-13th-letter): Rewrite using parenthesized
	357	+ # with-statements.
	358	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	359	+ with contextlib.ExitStack() as stack:
	360	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	361	+ stack.enter_context(
	362	+ pytest_machinery.isolated_config(
	363	+ monkeypatch=monkeypatch,
	364	+ runner=runner,
	365	+ )
	366	+ )
	367	+ cli_helpers.config_filename(
	368	+ subsystem="old settings.json"
	369	+ ).write_text(
	370	+ json.dumps(
	371	+ {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}},
	372	+ indent=2,
	373	+ )
	374	+ + "\n",
	375	+ encoding="UTF-8",
	376	+ )
	377	+
	378	+ def raiser(_args: Any, *_kwargs: Any) -> None:
	379	+ raise OSError(
	380	+ errno.EACCES,
	381	+ os.strerror(errno.EACCES),
	382	+ cli_helpers.config_filename(subsystem="vault"),
	383	+ )
	384	+
	385	+ monkeypatch.setattr(os, "replace", raiser)
	386	+ monkeypatch.setattr(pathlib.Path, "rename", raiser)
	387	+ result = runner.invoke(
	388	+ cli.derivepassphrase_vault,
	389	+ ["--export", "-"],
	390	+ catch_exceptions=False,
	391	+ )
	392	+ assert result.clean_exit(), "expected clean exit"
	393	+ assert machinery.deprecation_warning_emitted(
	394	+ "v0.1-style config file", caplog.record_tuples
	395	+ ), "expected known warning message in stderr"
	396	+ assert machinery.warning_emitted(
	397	+ "Failed to migrate to ", caplog.record_tuples
	398	+ ), "expected known warning message in stderr"
	399	+
	400	+ def test_400_completion_service_name_old_config_file(
	401	+ self,
	402	+ ) -> None:
	403	+ """Completing service names from the old settings file works."""
	404	+ config = {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}}
	405	+ runner = machinery.CliRunner(mix_stderr=False)
	406	+ # TODO(the-13th-letter): Rewrite using parenthesized
	407	+ # with-statements.
	408	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	409	+ with contextlib.ExitStack() as stack:
	410	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	411	+ stack.enter_context(
	412	+ pytest_machinery.isolated_vault_config(
	413	+ monkeypatch=monkeypatch,
	414	+ runner=runner,
	415	+ vault_config=config,
	416	+ )
	417	+ )
	418	+ old_name = cli_helpers.config_filename(
	419	+ subsystem="old settings.json"
	420	+ )
	421	+ new_name = cli_helpers.config_filename(subsystem="vault")
	422	+ old_name.unlink(missing_ok=True)
	423	+ new_name.rename(old_name)
	424	+ assert cli_helpers.shell_complete_service(
	425	+ click.Context(cli.derivepassphrase),
	426	+ click.Argument(["some_parameter"]),
	427	+ "",
	428	+ ) == [DUMMY_SERVICE]

tests/test_derivepassphrase_cli/test_utils.py

Zeige Datei @ 9ad57b1

...	...	@@ -0,0 +1,1433 @@
	1	+# SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>
	2	+#
	3	+# SPDX-License-Identifier: Zlib
	4	+
	5	+from __future__ import annotations
	6	+
	7	+import base64
	8	+import contextlib
	9	+import ctypes
	10	+import enum
	11	+import errno
	12	+import io
	13	+import json
	14	+import logging
	15	+import operator
	16	+import os
	17	+import pathlib
	18	+import shlex
	19	+import shutil
	20	+import socket
	21	+import tempfile
	22	+import types
	23	+import warnings
	24	+from typing import TYPE_CHECKING
	25	+
	26	+import click.testing
	27	+import hypothesis
	28	+import pytest
	29	+from hypothesis import strategies
	30	+from typing_extensions import Any
	31	+
	32	+from derivepassphrase import _types, cli, ssh_agent, vault
	33	+from derivepassphrase._internals import (
	34	+ cli_helpers,
	35	+ cli_machinery,
	36	+)
	37	+from derivepassphrase.ssh_agent import socketprovider
	38	+from tests import data, machinery
	39	+from tests.data import callables
	40	+from tests.machinery import hypothesis as hypothesis_machinery
	41	+from tests.machinery import pytest as pytest_machinery
	42	+
	43	+if TYPE_CHECKING:
	44	+ from collections.abc import Callable, Iterable, Iterator
	45	+ from typing import NoReturn
	46	+
	47	+
	48	+DUMMY_SERVICE = data.DUMMY_SERVICE
	49	+DUMMY_PASSPHRASE = data.DUMMY_PASSPHRASE
	50	+DUMMY_CONFIG_SETTINGS = data.DUMMY_CONFIG_SETTINGS
	51	+DUMMY_RESULT_PASSPHRASE = data.DUMMY_RESULT_PASSPHRASE
	52	+DUMMY_RESULT_KEY1 = data.DUMMY_RESULT_KEY1
	53	+DUMMY_PHRASE_FROM_KEY1_RAW = data.DUMMY_PHRASE_FROM_KEY1_RAW
	54	+DUMMY_PHRASE_FROM_KEY1 = data.DUMMY_PHRASE_FROM_KEY1
	55	+
	56	+DUMMY_KEY1 = data.DUMMY_KEY1
	57	+DUMMY_KEY1_B64 = data.DUMMY_KEY1_B64
	58	+DUMMY_KEY2 = data.DUMMY_KEY2
	59	+DUMMY_KEY2_B64 = data.DUMMY_KEY2_B64
	60	+DUMMY_KEY3 = data.DUMMY_KEY3
	61	+DUMMY_KEY3_B64 = data.DUMMY_KEY3_B64
	62	+
	63	+TEST_CONFIGS = data.TEST_CONFIGS
	64	+
	65	+
	66	+def vault_config_exporter_shell_interpreter( # noqa: C901
	67	+ script: str \| Iterable[str],
	68	+ /,
	69	+ *,
	70	+ prog_name_list: list[str] \| None = None,
	71	+ command: click.BaseCommand \| None = None,
	72	+ runner: machinery.CliRunner \| None = None,
	73	+) -> Iterator[machinery.ReadableResult]:
	74	+ """A rudimentary sh(1) interpreter for `--export-as=sh` output.
	75	+
	76	+ Assumes a script as emitted by `derivepassphrase vault
	77	+ --export-as=sh --export -` and interprets the calls to
	78	+ `derivepassphrase vault` within. (One call per line, skips all
	79	+ other lines.) Also has rudimentary support for (quoted)
	80	+ here-documents using `HERE` as the marker.
	81	+
	82	+ """
	83	+ if isinstance(script, str): # pragma: no cover
	84	+ script = script.splitlines(False)
	85	+ if prog_name_list is None: # pragma: no cover
	86	+ prog_name_list = ["derivepassphrase", "vault"]
	87	+ if command is None: # pragma: no cover
	88	+ command = cli.derivepassphrase_vault
	89	+ if runner is None: # pragma: no cover
	90	+ runner = machinery.CliRunner(mix_stderr=False)
	91	+ n = len(prog_name_list)
	92	+ it = iter(script)
	93	+ while True:
	94	+ try:
	95	+ raw_line = next(it)
	96	+ except StopIteration:
	97	+ break
	98	+ else:
	99	+ line = shlex.split(raw_line)
	100	+ input_buffer: list[str] = []
	101	+ if line[:n] != prog_name_list:
	102	+ continue
	103	+ line[:n] = []
	104	+ if line and line[-1] == "<<HERE":
	105	+ # naive HERE document support
	106	+ while True:
	107	+ try:
	108	+ raw_line = next(it)
	109	+ except StopIteration as exc: # pragma: no cover
	110	+ msg = "incomplete here document"
	111	+ raise EOFError(msg) from exc
	112	+ else:
	113	+ if raw_line == "HERE":
	114	+ break
	115	+ input_buffer.append(raw_line)
	116	+ line.pop()
	117	+ yield runner.invoke(
	118	+ command,
	119	+ line,
	120	+ catch_exceptions=False,
	121	+ input=("".join(x + "\n" for x in input_buffer) or None),
	122	+ )
	123	+
	124	+
	125	+class ListKeysAction(str, enum.Enum):
	126	+ """Test fixture settings for [`ssh_agent.SSHAgentClient.list_keys`][].
	127	+
	128	+ Attributes:
	129	+ EMPTY: Return an empty key list.
	130	+ FAIL: Raise an [`ssh_agent.SSHAgentFailedError`][].
	131	+ FAIL_RUNTIME: Raise an [`ssh_agent.TrailingDataError`][].
	132	+
	133	+ """
	134	+
	135	+ EMPTY = enum.auto()
	136	+ """"""
	137	+ FAIL = enum.auto()
	138	+ """"""
	139	+ FAIL_RUNTIME = enum.auto()
	140	+ """"""
	141	+
	142	+ def __call__(self, _args: Any, *_kwargs: Any) -> Any:
	143	+ """Execute the respective action."""
	144	+ # TODO(the-13th-letter): Rewrite using structural pattern
	145	+ # matching.
	146	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	147	+ if self == self.EMPTY:
	148	+ return []
	149	+ if self == self.FAIL:
	150	+ raise ssh_agent.SSHAgentFailedError(
	151	+ _types.SSH_AGENT.FAILURE.value, b""
	152	+ )
	153	+ if self == self.FAIL_RUNTIME:
	154	+ raise ssh_agent.TrailingDataError()
	155	+ raise AssertionError()
	156	+
	157	+
	158	+class SignAction(str, enum.Enum):
	159	+ """Test fixture settings for [`ssh_agent.SSHAgentClient.sign`][].
	160	+
	161	+ Attributes:
	162	+ FAIL: Raise an [`ssh_agent.SSHAgentFailedError`][].
	163	+ FAIL_RUNTIME: Raise an [`ssh_agent.TrailingDataError`][].
	164	+
	165	+ """
	166	+
	167	+ FAIL = enum.auto()
	168	+ """"""
	169	+ FAIL_RUNTIME = enum.auto()
	170	+ """"""
	171	+
	172	+ def __call__(self, _args: Any, *_kwargs: Any) -> Any:
	173	+ """Execute the respective action."""
	174	+ # TODO(the-13th-letter): Rewrite using structural pattern
	175	+ # matching.
	176	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	177	+ if self == self.FAIL:
	178	+ raise ssh_agent.SSHAgentFailedError(
	179	+ _types.SSH_AGENT.FAILURE.value, b""
	180	+ )
	181	+ if self == self.FAIL_RUNTIME:
	182	+ raise ssh_agent.TrailingDataError()
	183	+ raise AssertionError()
	184	+
	185	+
	186	+class SocketAddressAction(str, enum.Enum):
	187	+ """Test fixture settings for the SSH agent socket address.
	188	+
	189	+ Attributes:
	190	+ MANGLE_ANNOYING_OS_NAMED_PIPE:
	191	+ Mangle the address for the Annoying OS named pipe endpoint.
	192	+ MANGLE_SSH_AUTH_SOCK:
	193	+ Mangle the address for the UNIX domain socket (the
	194	+ `SSH_AUTH_SOCK` environment variable).
	195	+ UNSET_ANNOYING_OS_NAMED_PIPE:
	196	+ Unset the address for the Annoying OS named pipe endpoint.
	197	+ UNSET_SSH_AUTH_SOCK:
	198	+ Unset the `SSH_AUTH_SOCK` environment variable (the address
	199	+ for the UNIX domain socket).
	200	+
	201	+ """
	202	+
	203	+ MANGLE_ANNOYING_OS_NAMED_PIPE = enum.auto()
	204	+ """"""
	205	+ MANGLE_SSH_AUTH_SOCK = enum.auto()
	206	+ """"""
	207	+ UNSET_ANNOYING_OS_NAMED_PIPE = enum.auto()
	208	+ """"""
	209	+ UNSET_SSH_AUTH_SOCK = enum.auto()
	210	+ """"""
	211	+
	212	+ def __call__(
	213	+ self, monkeypatch: pytest.MonkeyPatch, /, _args: Any, *_kwargs: Any
	214	+ ) -> None:
	215	+ """Execute the respective action."""
	216	+ # TODO(the-13th-letter): Rewrite using structural pattern
	217	+ # matching.
	218	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	219	+ if self in {
	220	+ self.MANGLE_ANNOYING_OS_NAMED_PIPE,
	221	+ self.UNSET_ANNOYING_OS_NAMED_PIPE,
	222	+ }: # pragma: no cover [unused]
	223	+ pass
	224	+ elif self == self.MANGLE_SSH_AUTH_SOCK:
	225	+ monkeypatch.setenv(
	226	+ "SSH_AUTH_SOCK", os.environ["SSH_AUTH_SOCK"] + "~"
	227	+ )
	228	+ elif self == self.UNSET_SSH_AUTH_SOCK:
	229	+ monkeypatch.delenv("SSH_AUTH_SOCK", raising=False)
	230	+ else:
	231	+ raise AssertionError()
	232	+
	233	+
	234	+class SystemSupportAction(str, enum.Enum):
	235	+ """Test fixture settings for [`ssh_agent.SSHAgentClient`][] system support.
	236	+
	237	+ Attributes:
	238	+ UNSET_AF_UNIX:
	239	+ Ensure lack of support for UNIX domain sockets.
	240	+ UNSET_AF_UNIX_AND_ENSURE_USE:
	241	+ Ensure lack of support for UNIX domain sockets, and that the
	242	+ agent will use this socket provider.
	243	+ UNSET_NATIVE:
	244	+ Ensure both `UNSET_AF_UNIX` and `UNSET_WINDLL`.
	245	+ UNSET_NATIVE_AND_ENSURE_USE:
	246	+ Ensure both `UNSET_AF_UNIX` and `UNSET_WINDLL`, and that the
	247	+ agent will use the native socket provider.
	248	+ UNSET_PROVIDER_LIST:
	249	+ Ensure an empty list of SSH agent socket providers.
	250	+ UNSET_WINDLL:
	251	+ Ensure lack of support for The Annoying OS named pipes.
	252	+ UNSET_WINDLL_AND_ENSURE_USE:
	253	+ Ensure lack of support for The Annoying OS named pipes, and
	254	+ that the agent will use this socket provider.
	255	+
	256	+ """
	257	+
	258	+ UNSET_AF_UNIX = enum.auto()
	259	+ """"""
	260	+ UNSET_AF_UNIX_AND_ENSURE_USE = enum.auto()
	261	+ """"""
	262	+ UNSET_NATIVE = enum.auto()
	263	+ """"""
	264	+ UNSET_NATIVE_AND_ENSURE_USE = enum.auto()
	265	+ """"""
	266	+ UNSET_PROVIDER_LIST = enum.auto()
	267	+ """"""
	268	+ UNSET_WINDLL = enum.auto()
	269	+ """"""
	270	+ UNSET_WINDLL_AND_ENSURE_USE = enum.auto()
	271	+ """"""
	272	+
	273	+ def __call__(
	274	+ self, monkeypatch: pytest.MonkeyPatch, /, _args: Any, *_kwargs: Any
	275	+ ) -> None:
	276	+ """Execute the respective action.
	277	+
	278	+ Args:
	279	+ monkeypatch: The current monkeypatch context.
	280	+
	281	+ """
	282	+ # TODO(the-13th-letter): Rewrite using structural pattern
	283	+ # matching.
	284	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	285	+ if self == self.UNSET_PROVIDER_LIST:
	286	+ monkeypatch.setattr(
	287	+ ssh_agent.SSHAgentClient, "SOCKET_PROVIDERS", []
	288	+ )
	289	+ elif self in {self.UNSET_NATIVE, self.UNSET_NATIVE_AND_ENSURE_USE}:
	290	+ self.check_or_ensure_use(
	291	+ "native",
	292	+ monkeypatch=monkeypatch,
	293	+ ensure_use=(self == self.UNSET_NATIVE_AND_ENSURE_USE),
	294	+ )
	295	+ monkeypatch.delattr(socket, "AF_UNIX", raising=False)
	296	+ monkeypatch.delattr(ctypes, "WinDLL", raising=False)
	297	+ monkeypatch.delattr(ctypes, "windll", raising=False)
	298	+ elif self in {self.UNSET_AF_UNIX, self.UNSET_AF_UNIX_AND_ENSURE_USE}:
	299	+ self.check_or_ensure_use(
	300	+ "posix",
	301	+ monkeypatch=monkeypatch,
	302	+ ensure_use=(self == self.UNSET_AF_UNIX_AND_ENSURE_USE),
	303	+ )
	304	+ monkeypatch.delattr(socket, "AF_UNIX", raising=False)
	305	+ elif self in {self.UNSET_WINDLL, self.UNSET_WINDLL_AND_ENSURE_USE}:
	306	+ self.check_or_ensure_use(
	307	+ "the_annoying_os",
	308	+ monkeypatch=monkeypatch,
	309	+ ensure_use=(self == self.UNSET_WINDLL_AND_ENSURE_USE),
	310	+ )
	311	+ monkeypatch.delattr(ctypes, "WinDLL", raising=False)
	312	+ monkeypatch.delattr(ctypes, "windll", raising=False)
	313	+ else:
	314	+ raise AssertionError()
	315	+
	316	+ @staticmethod
	317	+ def check_or_ensure_use(
	318	+ provider: str, /, *, monkeypatch: pytest.MonkeyPatch, ensure_use: bool
	319	+ ) -> None:
	320	+ """Check that the named SSH agent socket provider will be used.
	321	+
	322	+ Either ensure that the socket provider will definitely be used,
	323	+ or, upon detecting that it won't be used, skip the test.
	324	+
	325	+ Args:
	326	+ provider:
	327	+ The provider to check for.
	328	+ ensure_use:
	329	+ If true, ensure that the socket provider will definitely
	330	+ be used. If false, then check for whether it will be
	331	+ used, and skip this test if not.
	332	+ monkeypatch:
	333	+ The monkeypatch context within which the fixture
	334	+ adjustments should be executed.
	335	+
	336	+ """
	337	+ if ensure_use:
	338	+ monkeypatch.setattr(
	339	+ ssh_agent.SSHAgentClient, "SOCKET_PROVIDERS", [provider]
	340	+ )
	341	+ else: # pragma: no cover [external]
	342	+ # This branch operates completely on instrumented or on
	343	+ # externally defined, non-deterministic state.
	344	+ intended: (
	345	+ _types.SSHAgentSocketProvider
	346	+ \| socketprovider.NoSuchProviderError
	347	+ \| None
	348	+ )
	349	+ try:
	350	+ intended = socketprovider.SocketProvider.lookup(provider)
	351	+ except socketprovider.NoSuchProviderError as exc:
	352	+ intended = exc
	353	+ actual: (
	354	+ _types.SSHAgentSocketProvider
	355	+ \| socketprovider.NoSuchProviderError
	356	+ \| None
	357	+ )
	358	+ for name in ssh_agent.SSHAgentClient.SOCKET_PROVIDERS:
	359	+ try:
	360	+ actual = socketprovider.SocketProvider.lookup(name)
	361	+ except socketprovider.NoSuchProviderError as exc:
	362	+ actual = exc
	363	+ if actual is None:
	364	+ continue
	365	+ break
	366	+ else:
	367	+ actual = None
	368	+ if intended != actual:
	369	+ pytest.skip(
	370	+ f"{provider!r} SSH agent socket provider "
	371	+ f"is not currently in use"
	372	+ )
	373	+
	374	+
	375	+class Parametrize(types.SimpleNamespace):
	376	+ """Common test parametrizations."""
	377	+
	378	+ DELETE_CONFIG_INPUT = pytest.mark.parametrize(
	379	+ ["command_line", "config", "result_config"],
	380	+ [
	381	+ pytest.param(
	382	+ ["--delete-globals"],
	383	+ {"global": {"phrase": "abc"}, "services": {}},
	384	+ {"services": {}},
	385	+ id="globals",
	386	+ ),
	387	+ pytest.param(
	388	+ ["--delete", "--", DUMMY_SERVICE],
	389	+ {
	390	+ "global": {"phrase": "abc"},
	391	+ "services": {DUMMY_SERVICE: {"notes": "..."}},
	392	+ },
	393	+ {"global": {"phrase": "abc"}, "services": {}},
	394	+ id="service",
	395	+ ),
	396	+ pytest.param(
	397	+ ["--clear"],
	398	+ {
	399	+ "global": {"phrase": "abc"},
	400	+ "services": {DUMMY_SERVICE: {"notes": "..."}},
	401	+ },
	402	+ {"services": {}},
	403	+ id="all",
	404	+ ),
	405	+ ],
	406	+ )
	407	+ BASE_CONFIG_VARIATIONS = pytest.mark.parametrize(
	408	+ "config",
	409	+ [
	410	+ {"global": {"phrase": "my passphrase"}, "services": {}},
	411	+ {"global": {"key": DUMMY_KEY1_B64}, "services": {}},
	412	+ {
	413	+ "global": {"phrase": "abc"},
	414	+ "services": {"sv": {"phrase": "my passphrase"}},
	415	+ },
	416	+ {
	417	+ "global": {"phrase": "abc"},
	418	+ "services": {"sv": {"key": DUMMY_KEY1_B64}},
	419	+ },
	420	+ {
	421	+ "global": {"phrase": "abc"},
	422	+ "services": {"sv": {"key": DUMMY_KEY1_B64, "length": 15}},
	423	+ },
	424	+ ],
	425	+ )
	426	+ CONNECTION_HINTS = pytest.mark.parametrize(
	427	+ "conn_hint", ["none", "socket", "client"]
	428	+ )
	429	+ KEY_TO_PHRASE_SETTINGS = pytest.mark.parametrize(
	430	+ [
	431	+ "list_keys_action",
	432	+ "address_action",
	433	+ "system_support_action",
	434	+ "sign_action",
	435	+ "pattern",
	436	+ ],
	437	+ [
	438	+ pytest.param(
	439	+ ListKeysAction.EMPTY,
	440	+ None,
	441	+ None,
	442	+ SignAction.FAIL,
	443	+ "not loaded into the agent",
	444	+ id="key-not-loaded",
	445	+ ),
	446	+ pytest.param(
	447	+ ListKeysAction.FAIL,
	448	+ None,
	449	+ None,
	450	+ SignAction.FAIL,
	451	+ "SSH agent failed to or refused to",
	452	+ id="list-keys-refused",
	453	+ ),
	454	+ pytest.param(
	455	+ ListKeysAction.FAIL_RUNTIME,
	456	+ None,
	457	+ None,
	458	+ SignAction.FAIL,
	459	+ "SSH agent failed to or refused to",
	460	+ id="list-keys-protocol-error",
	461	+ ),
	462	+ pytest.param(
	463	+ None,
	464	+ SocketAddressAction.UNSET_SSH_AUTH_SOCK,
	465	+ None,
	466	+ SignAction.FAIL,
	467	+ "Cannot find any running SSH agent",
	468	+ id="agent-address-missing",
	469	+ ),
	470	+ pytest.param(
	471	+ None,
	472	+ SocketAddressAction.MANGLE_SSH_AUTH_SOCK,
	473	+ None,
	474	+ SignAction.FAIL,
	475	+ "Cannot connect to the SSH agent",
	476	+ id="agent-address-mangled",
	477	+ ),
	478	+ pytest.param(
	479	+ None,
	480	+ None,
	481	+ SystemSupportAction.UNSET_NATIVE,
	482	+ SignAction.FAIL,
	483	+ "does not support communicating with it",
	484	+ id="no-agent-support",
	485	+ ),
	486	+ pytest.param(
	487	+ None,
	488	+ None,
	489	+ SystemSupportAction.UNSET_PROVIDER_LIST,
	490	+ SignAction.FAIL,
	491	+ "does not support communicating with it",
	492	+ id="no-agent-support",
	493	+ ),
	494	+ pytest.param(
	495	+ None,
	496	+ None,
	497	+ SystemSupportAction.UNSET_AF_UNIX_AND_ENSURE_USE,
	498	+ SignAction.FAIL,
	499	+ "does not support communicating with it",
	500	+ id="no-agent-support",
	501	+ ),
	502	+ pytest.param(
	503	+ None,
	504	+ None,
	505	+ SystemSupportAction.UNSET_WINDLL_AND_ENSURE_USE,
	506	+ SignAction.FAIL,
	507	+ "does not support communicating with it",
	508	+ id="no-agent-support",
	509	+ ),
	510	+ pytest.param(
	511	+ None,
	512	+ None,
	513	+ None,
	514	+ SignAction.FAIL_RUNTIME,
	515	+ "violates the communication protocol",
	516	+ id="sign-violates-protocol",
	517	+ ),
	518	+ ],
	519	+ )
	520	+ VALIDATION_FUNCTION_INPUT = pytest.mark.parametrize(
	521	+ ["vfunc", "input"],
	522	+ [
	523	+ (cli_machinery.validate_occurrence_constraint, 20),
	524	+ (cli_machinery.validate_length, 20),
	525	+ ],
	526	+ )
	527	+
	528	+
	529	+class TestCLIUtils:
	530	+ """Tests for command-line utility functions."""
	531	+
	532	+ @Parametrize.BASE_CONFIG_VARIATIONS
	533	+ def test_100_load_config(
	534	+ self,
	535	+ config: Any,
	536	+ ) -> None:
	537	+ """[`cli_helpers.load_config`][] works for valid configurations."""
	538	+ runner = machinery.CliRunner(mix_stderr=False)
	539	+ # TODO(the-13th-letter): Rewrite using parenthesized
	540	+ # with-statements.
	541	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	542	+ with contextlib.ExitStack() as stack:
	543	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	544	+ stack.enter_context(
	545	+ pytest_machinery.isolated_vault_config(
	546	+ monkeypatch=monkeypatch,
	547	+ runner=runner,
	548	+ vault_config=config,
	549	+ )
	550	+ )
	551	+ config_filename = cli_helpers.config_filename(subsystem="vault")
	552	+ with config_filename.open(encoding="UTF-8") as fileobj:
	553	+ assert json.load(fileobj) == config
	554	+ assert cli_helpers.load_config() == config
	555	+
	556	+ def test_110_save_bad_config(
	557	+ self,
	558	+ ) -> None:
	559	+ """[`cli_helpers.save_config`][] fails for bad configurations."""
	560	+ runner = machinery.CliRunner(mix_stderr=False)
	561	+ # TODO(the-13th-letter): Rewrite using parenthesized
	562	+ # with-statements.
	563	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	564	+ with contextlib.ExitStack() as stack:
	565	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	566	+ stack.enter_context(
	567	+ pytest_machinery.isolated_vault_config(
	568	+ monkeypatch=monkeypatch,
	569	+ runner=runner,
	570	+ vault_config={},
	571	+ )
	572	+ )
	573	+ stack.enter_context(
	574	+ pytest.raises(ValueError, match="Invalid vault config")
	575	+ )
	576	+ cli_helpers.save_config(None) # type: ignore[arg-type]
	577	+
	578	+ def test_111_prompt_for_selection_multiple(self) -> None:
	579	+ """[`cli_helpers.prompt_for_selection`][] works in the "multiple" case."""
	580	+
	581	+ @click.command()
	582	+ @click.option("--heading", default="Our menu:")
	583	+ @click.argument("items", nargs=-1)
	584	+ def driver(heading: str, items: list[str]) -> None:
	585	+ # from https://montypython.fandom.com/wiki/Spam#The_menu
	586	+ items = items or [
	587	+ "Egg and bacon",
	588	+ "Egg, sausage and bacon",
	589	+ "Egg and spam",
	590	+ "Egg, bacon and spam",
	591	+ "Egg, bacon, sausage and spam",
	592	+ "Spam, bacon, sausage and spam",
	593	+ "Spam, egg, spam, spam, bacon and spam",
	594	+ "Spam, spam, spam, egg and spam",
	595	+ (
	596	+ "Spam, spam, spam, spam, spam, spam, baked beans, "
	597	+ "spam, spam, spam and spam"
	598	+ ),
	599	+ (
	600	+ "Lobster thermidor aux crevettes with a mornay sauce "
	601	+ "garnished with truffle paté, brandy "
	602	+ "and a fried egg on top and spam"
	603	+ ),
	604	+ ]
	605	+ index = cli_helpers.prompt_for_selection(items, heading=heading)
	606	+ click.echo("A fine choice: ", nl=False)
	607	+ click.echo(items[index])
	608	+ click.echo("(Note: Vikings strictly optional.)")
	609	+
	610	+ runner = machinery.CliRunner(mix_stderr=True)
	611	+ result = runner.invoke(driver, [], input="9")
	612	+ assert result.clean_exit(
	613	+ output="""\
	614	+Our menu:
	615	+[1] Egg and bacon
	616	+[2] Egg, sausage and bacon
	617	+[3] Egg and spam
	618	+[4] Egg, bacon and spam
	619	+[5] Egg, bacon, sausage and spam
	620	+[6] Spam, bacon, sausage and spam
	621	+[7] Spam, egg, spam, spam, bacon and spam
	622	+[8] Spam, spam, spam, egg and spam
	623	+[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
	624	+[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
	625	+Your selection? (1-10, leave empty to abort): 9
	626	+A fine choice: Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
	627	+(Note: Vikings strictly optional.)
	628	+"""
	629	+ ), "expected clean exit"
	630	+ result = runner.invoke(
	631	+ driver, ["--heading="], input="\n", catch_exceptions=True
	632	+ )
	633	+ assert result.error_exit(error=IndexError), (
	634	+ "expected error exit and known error type"
	635	+ )
	636	+ assert (
	637	+ result.stdout
	638	+ == """\
	639	+[1] Egg and bacon
	640	+[2] Egg, sausage and bacon
	641	+[3] Egg and spam
	642	+[4] Egg, bacon and spam
	643	+[5] Egg, bacon, sausage and spam
	644	+[6] Spam, bacon, sausage and spam
	645	+[7] Spam, egg, spam, spam, bacon and spam
	646	+[8] Spam, spam, spam, egg and spam
	647	+[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
	648	+[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
	649	+Your selection? (1-10, leave empty to abort):\x20
	650	+"""
	651	+ ), "expected known output"
	652	+ # click.testing.CliRunner on click < 8.2.1 incorrectly mocks the
	653	+ # click prompting machinery, meaning that the mixed output will
	654	+ # incorrectly contain a line break, contrary to what the
	655	+ # documentation for click.prompt prescribes.
	656	+ result = runner.invoke(
	657	+ driver, ["--heading="], input="", catch_exceptions=True
	658	+ )
	659	+ assert result.error_exit(error=IndexError), (
	660	+ "expected error exit and known error type"
	661	+ )
	662	+ assert result.stdout in {
	663	+ """\
	664	+[1] Egg and bacon
	665	+[2] Egg, sausage and bacon
	666	+[3] Egg and spam
	667	+[4] Egg, bacon and spam
	668	+[5] Egg, bacon, sausage and spam
	669	+[6] Spam, bacon, sausage and spam
	670	+[7] Spam, egg, spam, spam, bacon and spam
	671	+[8] Spam, spam, spam, egg and spam
	672	+[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
	673	+[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
	674	+Your selection? (1-10, leave empty to abort):\x20
	675	+""",
	676	+ """\
	677	+[1] Egg and bacon
	678	+[2] Egg, sausage and bacon
	679	+[3] Egg and spam
	680	+[4] Egg, bacon and spam
	681	+[5] Egg, bacon, sausage and spam
	682	+[6] Spam, bacon, sausage and spam
	683	+[7] Spam, egg, spam, spam, bacon and spam
	684	+[8] Spam, spam, spam, egg and spam
	685	+[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam
	686	+[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam
	687	+Your selection? (1-10, leave empty to abort): """,
	688	+ }, "expected known output"
	689	+
	690	+ def test_112_prompt_for_selection_single(self) -> None:
	691	+ """[`cli_helpers.prompt_for_selection`][] works in the "single" case."""
	692	+
	693	+ @click.command()
	694	+ @click.option("--item", default="baked beans")
	695	+ @click.argument("prompt")
	696	+ def driver(item: str, prompt: str) -> None:
	697	+ try:
	698	+ cli_helpers.prompt_for_selection(
	699	+ [item], heading="", single_choice_prompt=prompt
	700	+ )
	701	+ except IndexError:
	702	+ click.echo("Boo.")
	703	+ raise
	704	+ else:
	705	+ click.echo("Great!")
	706	+
	707	+ runner = machinery.CliRunner(mix_stderr=True)
	708	+ result = runner.invoke(
	709	+ driver, ["Will replace with spam. Confirm, y/n?"], input="y"
	710	+ )
	711	+ assert result.clean_exit(
	712	+ output="""\
	713	+[1] baked beans
	714	+Will replace with spam. Confirm, y/n? y
	715	+Great!
	716	+"""
	717	+ ), "expected clean exit"
	718	+ result = runner.invoke(
	719	+ driver,
	720	+ ['Will replace with spam, okay? (Please say "y" or "n".)'],
	721	+ input="\n",
	722	+ )
	723	+ assert result.error_exit(error=IndexError), (
	724	+ "expected error exit and known error type"
	725	+ )
	726	+ assert (
	727	+ result.stdout
	728	+ == """\
	729	+[1] baked beans
	730	+Will replace with spam, okay? (Please say "y" or "n".):\x20
	731	+Boo.
	732	+"""
	733	+ ), "expected known output"
	734	+ # click.testing.CliRunner on click < 8.2.1 incorrectly mocks the
	735	+ # click prompting machinery, meaning that the mixed output will
	736	+ # incorrectly contain a line break, contrary to what the
	737	+ # documentation for click.prompt prescribes.
	738	+ result = runner.invoke(
	739	+ driver,
	740	+ ['Will replace with spam, okay? (Please say "y" or "n".)'],
	741	+ input="",
	742	+ )
	743	+ assert result.error_exit(error=IndexError), (
	744	+ "expected error exit and known error type"
	745	+ )
	746	+ assert result.stdout in {
	747	+ """\
	748	+[1] baked beans
	749	+Will replace with spam, okay? (Please say "y" or "n".):\x20
	750	+Boo.
	751	+""",
	752	+ """\
	753	+[1] baked beans
	754	+Will replace with spam, okay? (Please say "y" or "n".): Boo.
	755	+""",
	756	+ }, "expected known output"
	757	+
	758	+ def test_113_prompt_for_passphrase(
	759	+ self,
	760	+ ) -> None:
	761	+ """[`cli_helpers.prompt_for_passphrase`][] works."""
	762	+ with pytest.MonkeyPatch.context() as monkeypatch:
	763	+ monkeypatch.setattr(
	764	+ click,
	765	+ "prompt",
	766	+ lambda a, *kw: json.dumps({"args": a, "kwargs": kw}),
	767	+ )
	768	+ res = json.loads(cli_helpers.prompt_for_passphrase())
	769	+ err_msg = "missing arguments to passphrase prompt"
	770	+ assert "args" in res, err_msg
	771	+ assert "kwargs" in res, err_msg
	772	+ assert res["args"][:1] == ["Passphrase"], err_msg
	773	+ assert res["kwargs"].get("default") == "", err_msg
	774	+ assert not res["kwargs"].get("show_default", True), err_msg
	775	+ assert res["kwargs"].get("err"), err_msg
	776	+ assert res["kwargs"].get("hide_input"), err_msg
	777	+
	778	+ def test_120_standard_logging_context_manager(
	779	+ self,
	780	+ caplog: pytest.LogCaptureFixture,
	781	+ capsys: pytest.CaptureFixture[str],
	782	+ ) -> None:
	783	+ """The standard logging context manager works.
	784	+
	785	+ It registers its handlers, once, and emits formatted calls to
	786	+ standard error prefixed with the program name.
	787	+
	788	+ """
	789	+ prog_name = cli_machinery.StandardCLILogging.prog_name
	790	+ package_name = cli_machinery.StandardCLILogging.package_name
	791	+ logger = logging.getLogger(package_name)
	792	+ deprecation_logger = logging.getLogger(f"{package_name}.deprecation")
	793	+ logging_cm = cli_machinery.StandardCLILogging.ensure_standard_logging()
	794	+ with logging_cm:
	795	+ assert (
	796	+ sum(
	797	+ 1
	798	+ for h in logger.handlers
	799	+ if h is cli_machinery.StandardCLILogging.cli_handler
	800	+ )
	801	+ == 1
	802	+ )
	803	+ logger.warning("message 1")
	804	+ with logging_cm:
	805	+ deprecation_logger.warning("message 2")
	806	+ assert (
	807	+ sum(
	808	+ 1
	809	+ for h in logger.handlers
	810	+ if h is cli_machinery.StandardCLILogging.cli_handler
	811	+ )
	812	+ == 1
	813	+ )
	814	+ assert capsys.readouterr() == (
	815	+ "",
	816	+ (
	817	+ f"{prog_name}: Warning: message 1\n"
	818	+ f"{prog_name}: Deprecation warning: message 2\n"
	819	+ ),
	820	+ )
	821	+ logger.warning("message 3")
	822	+ assert (
	823	+ sum(
	824	+ 1
	825	+ for h in logger.handlers
	826	+ if h is cli_machinery.StandardCLILogging.cli_handler
	827	+ )
	828	+ == 1
	829	+ )
	830	+ assert capsys.readouterr() == (
	831	+ "",
	832	+ f"{prog_name}: Warning: message 3\n",
	833	+ )
	834	+ assert caplog.record_tuples == [
	835	+ (package_name, logging.WARNING, "message 1"),
	836	+ (f"{package_name}.deprecation", logging.WARNING, "message 2"),
	837	+ (package_name, logging.WARNING, "message 3"),
	838	+ ]
	839	+
	840	+ def test_121_standard_logging_warnings_context_manager(
	841	+ self,
	842	+ caplog: pytest.LogCaptureFixture,
	843	+ capsys: pytest.CaptureFixture[str],
	844	+ ) -> None:
	845	+ """The standard warnings logging context manager works.
	846	+
	847	+ It registers its handlers, once, and emits formatted calls to
	848	+ standard error prefixed with the program name. It also adheres
	849	+ to the global warnings filter concerning which messages it
	850	+ actually emits to standard error.
	851	+
	852	+ """
	853	+ warnings_cm = (
	854	+ cli_machinery.StandardCLILogging.ensure_standard_warnings_logging()
	855	+ )
	856	+ THE_FUTURE = "the future will be here sooner than you think" # noqa: N806
	857	+ JUST_TESTING = "just testing whether warnings work" # noqa: N806
	858	+ with warnings_cm:
	859	+ assert (
	860	+ sum(
	861	+ 1
	862	+ for h in logging.getLogger("py.warnings").handlers
	863	+ if h is cli_machinery.StandardCLILogging.warnings_handler
	864	+ )
	865	+ == 1
	866	+ )
	867	+ warnings.warn(UserWarning(JUST_TESTING), stacklevel=1)
	868	+ with warnings_cm:
	869	+ warnings.warn(FutureWarning(THE_FUTURE), stacklevel=1)
	870	+ _out, err = capsys.readouterr()
	871	+ err_lines = err.splitlines(True)
	872	+ assert any(
	873	+ f"UserWarning: {JUST_TESTING}" in line
	874	+ for line in err_lines
	875	+ )
	876	+ assert any(
	877	+ f"FutureWarning: {THE_FUTURE}" in line
	878	+ for line in err_lines
	879	+ )
	880	+ warnings.warn(UserWarning(JUST_TESTING), stacklevel=1)
	881	+ _out, err = capsys.readouterr()
	882	+ err_lines = err.splitlines(True)
	883	+ assert any(
	884	+ f"UserWarning: {JUST_TESTING}" in line for line in err_lines
	885	+ )
	886	+ assert not any(
	887	+ f"FutureWarning: {THE_FUTURE}" in line for line in err_lines
	888	+ )
	889	+ record_tuples = caplog.record_tuples
	890	+ assert [tup[:2] for tup in record_tuples] == [
	891	+ ("py.warnings", logging.WARNING),
	892	+ ("py.warnings", logging.WARNING),
	893	+ ("py.warnings", logging.WARNING),
	894	+ ]
	895	+ assert f"UserWarning: {JUST_TESTING}" in record_tuples[0][2]
	896	+ assert f"FutureWarning: {THE_FUTURE}" in record_tuples[1][2]
	897	+ assert f"UserWarning: {JUST_TESTING}" in record_tuples[2][2]
	898	+
	899	+ def export_as_sh_helper(
	900	+ self,
	901	+ config: Any,
	902	+ ) -> None:
	903	+ """Emits a config in sh(1) format, then reads it back to verify it.
	904	+
	905	+ This function exports the configuration, sets up a new
	906	+ enviroment, then calls
	907	+ [`vault_config_exporter_shell_interpreter`][] on the export
	908	+ script, verifying that each command ran successfully and that
	909	+ the final configuration matches the initial one.
	910	+
	911	+ Args:
	912	+ config:
	913	+ The configuration to emit and read back.
	914	+
	915	+ """
	916	+ prog_name_list = ("derivepassphrase", "vault")
	917	+ with io.StringIO() as outfile:
	918	+ cli_helpers.print_config_as_sh_script(
	919	+ config, outfile=outfile, prog_name_list=prog_name_list
	920	+ )
	921	+ script = outfile.getvalue()
	922	+ runner = machinery.CliRunner(mix_stderr=False)
	923	+ # TODO(the-13th-letter): Rewrite using parenthesized
	924	+ # with-statements.
	925	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	926	+ with contextlib.ExitStack() as stack:
	927	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	928	+ stack.enter_context(
	929	+ pytest_machinery.isolated_vault_config(
	930	+ monkeypatch=monkeypatch,
	931	+ runner=runner,
	932	+ vault_config={"services": {}},
	933	+ )
	934	+ )
	935	+ for result in vault_config_exporter_shell_interpreter(script):
	936	+ assert result.clean_exit()
	937	+ assert cli_helpers.load_config() == config
	938	+
	939	+ @hypothesis.given(
	940	+ global_config_settable=hypothesis_machinery.vault_full_service_config(),
	941	+ global_config_importable=strategies.fixed_dictionaries(
	942	+ {},
	943	+ optional={
	944	+ "key": strategies.text(
	945	+ alphabet=strategies.characters(
	946	+ min_codepoint=32,
	947	+ max_codepoint=126,
	948	+ ),
	949	+ max_size=128,
	950	+ ),
	951	+ "phrase": strategies.text(
	952	+ alphabet=strategies.characters(
	953	+ min_codepoint=32,
	954	+ max_codepoint=126,
	955	+ ),
	956	+ max_size=64,
	957	+ ),
	958	+ },
	959	+ ),
	960	+ )
	961	+ def test_130a_export_as_sh_global(
	962	+ self,
	963	+ global_config_settable: _types.VaultConfigServicesSettings,
	964	+ global_config_importable: _types.VaultConfigServicesSettings,
	965	+ ) -> None:
	966	+ """Exporting configurations as sh(1) script works.
	967	+
	968	+ Here, we check global-only configurations which use both
	969	+ settings settable via `--config` and settings requiring
	970	+ `--import`.
	971	+
	972	+ The actual verification is done by [`export_as_sh_helper`][].
	973	+
	974	+ """
	975	+ config: _types.VaultConfig = {
	976	+ "global": global_config_settable \| global_config_importable,
	977	+ "services": {},
	978	+ }
	979	+ assert _types.clean_up_falsy_vault_config_values(config) is not None
	980	+ assert _types.is_vault_config(config)
	981	+ return self.export_as_sh_helper(config)
	982	+
	983	+ @hypothesis.given(
	984	+ global_config_importable=strategies.fixed_dictionaries(
	985	+ {},
	986	+ optional={
	987	+ "key": strategies.text(
	988	+ alphabet=strategies.characters(
	989	+ min_codepoint=32,
	990	+ max_codepoint=126,
	991	+ ),
	992	+ max_size=128,
	993	+ ),
	994	+ "phrase": strategies.text(
	995	+ alphabet=strategies.characters(
	996	+ min_codepoint=32,
	997	+ max_codepoint=126,
	998	+ ),
	999	+ max_size=64,
	1000	+ ),
	1001	+ },
	1002	+ ),
	1003	+ )
	1004	+ def test_130b_export_as_sh_global_only_imports(
	1005	+ self,
	1006	+ global_config_importable: _types.VaultConfigServicesSettings,
	1007	+ ) -> None:
	1008	+ """Exporting configurations as sh(1) script works.
	1009	+
	1010	+ Here, we check global-only configurations which only use
	1011	+ settings requiring `--import`.
	1012	+
	1013	+ The actual verification is done by [`export_as_sh_helper`][].
	1014	+
	1015	+ """
	1016	+ config: _types.VaultConfig = {
	1017	+ "global": global_config_importable,
	1018	+ "services": {},
	1019	+ }
	1020	+ assert _types.clean_up_falsy_vault_config_values(config) is not None
	1021	+ assert _types.is_vault_config(config)
	1022	+ if not config["global"]:
	1023	+ config.pop("global")
	1024	+ return self.export_as_sh_helper(config)
	1025	+
	1026	+ @hypothesis.given(
	1027	+ service_name=strategies.text(
	1028	+ alphabet=strategies.characters(
	1029	+ min_codepoint=32,
	1030	+ max_codepoint=126,
	1031	+ ),
	1032	+ min_size=4,
	1033	+ max_size=64,
	1034	+ ),
	1035	+ service_config_settable=hypothesis_machinery.vault_full_service_config(),
	1036	+ service_config_importable=strategies.fixed_dictionaries(
	1037	+ {},
	1038	+ optional={
	1039	+ "key": strategies.text(
	1040	+ alphabet=strategies.characters(
	1041	+ min_codepoint=32,
	1042	+ max_codepoint=126,
	1043	+ ),
	1044	+ max_size=128,
	1045	+ ),
	1046	+ "phrase": strategies.text(
	1047	+ alphabet=strategies.characters(
	1048	+ min_codepoint=32,
	1049	+ max_codepoint=126,
	1050	+ ),
	1051	+ max_size=64,
	1052	+ ),
	1053	+ "notes": strategies.text(
	1054	+ alphabet=strategies.characters(
	1055	+ min_codepoint=32,
	1056	+ max_codepoint=126,
	1057	+ include_characters=("\n", "\f", "\t"),
	1058	+ ),
	1059	+ max_size=256,
	1060	+ ),
	1061	+ },
	1062	+ ),
	1063	+ )
	1064	+ def test_130c_export_as_sh_service(
	1065	+ self,
	1066	+ service_name: str,
	1067	+ service_config_settable: _types.VaultConfigServicesSettings,
	1068	+ service_config_importable: _types.VaultConfigServicesSettings,
	1069	+ ) -> None:
	1070	+ """Exporting configurations as sh(1) script works.
	1071	+
	1072	+ Here, we check service-only configurations which use both
	1073	+ settings settable via `--config` and settings requiring
	1074	+ `--import`.
	1075	+
	1076	+ The actual verification is done by [`export_as_sh_helper`][].
	1077	+
	1078	+ """
	1079	+ config: _types.VaultConfig = {
	1080	+ "services": {
	1081	+ service_name: (
	1082	+ service_config_settable \| service_config_importable
	1083	+ ),
	1084	+ },
	1085	+ }
	1086	+ assert _types.clean_up_falsy_vault_config_values(config) is not None
	1087	+ assert _types.is_vault_config(config)
	1088	+ return self.export_as_sh_helper(config)
	1089	+
	1090	+ @hypothesis.given(
	1091	+ service_name=strategies.text(
	1092	+ alphabet=strategies.characters(
	1093	+ min_codepoint=32,
	1094	+ max_codepoint=126,
	1095	+ ),
	1096	+ min_size=4,
	1097	+ max_size=64,
	1098	+ ),
	1099	+ service_config_importable=strategies.fixed_dictionaries(
	1100	+ {},
	1101	+ optional={
	1102	+ "key": strategies.text(
	1103	+ alphabet=strategies.characters(
	1104	+ min_codepoint=32,
	1105	+ max_codepoint=126,
	1106	+ ),
	1107	+ max_size=128,
	1108	+ ),
	1109	+ "phrase": strategies.text(
	1110	+ alphabet=strategies.characters(
	1111	+ min_codepoint=32,
	1112	+ max_codepoint=126,
	1113	+ ),
	1114	+ max_size=64,
	1115	+ ),
	1116	+ "notes": strategies.text(
	1117	+ alphabet=strategies.characters(
	1118	+ min_codepoint=32,
	1119	+ max_codepoint=126,
	1120	+ include_characters=("\n", "\f", "\t"),
	1121	+ ),
	1122	+ max_size=256,
	1123	+ ),
	1124	+ },
	1125	+ ),
	1126	+ )
	1127	+ def test_130d_export_as_sh_service_only_imports(
	1128	+ self,
	1129	+ service_name: str,
	1130	+ service_config_importable: _types.VaultConfigServicesSettings,
	1131	+ ) -> None:
	1132	+ """Exporting configurations as sh(1) script works.
	1133	+
	1134	+ Here, we check service-only configurations which only use
	1135	+ settings requiring `--import`.
	1136	+
	1137	+ The actual verification is done by [`export_as_sh_helper`][].
	1138	+
	1139	+ """
	1140	+ config: _types.VaultConfig = {
	1141	+ "services": {
	1142	+ service_name: service_config_importable,
	1143	+ },
	1144	+ }
	1145	+ assert _types.clean_up_falsy_vault_config_values(config) is not None
	1146	+ assert _types.is_vault_config(config)
	1147	+ return self.export_as_sh_helper(config)
	1148	+
	1149	+ # The Annoying OS appears to silently truncate spaces at the end of
	1150	+ # filenames.
	1151	+ @hypothesis.given(
	1152	+ env_var=strategies.sampled_from(["TMPDIR", "TEMP", "TMP"]),
	1153	+ suffix=strategies.builds(
	1154	+ operator.add,
	1155	+ strategies.text(
	1156	+ tuple(" 0123456789abcdefghijklmnopqrstuvwxyz"),
	1157	+ min_size=11,
	1158	+ max_size=11,
	1159	+ ),
	1160	+ strategies.text(
	1161	+ tuple("0123456789abcdefghijklmnopqrstuvwxyz"),
	1162	+ min_size=1,
	1163	+ max_size=1,
	1164	+ ),
	1165	+ ),
	1166	+ )
	1167	+ @hypothesis.example(env_var="", suffix=".")
	1168	+ def test_140a_get_tempdir(
	1169	+ self,
	1170	+ env_var: str,
	1171	+ suffix: str,
	1172	+ ) -> None:
	1173	+ """[`cli_helpers.get_tempdir`][] returns a temporary directory.
	1174	+
	1175	+ If it is not the same as the temporary directory determined by
	1176	+ [`tempfile.gettempdir`][], then assert that
	1177	+ `tempfile.gettempdir` returned the current directory and
	1178	+ `cli_helpers.get_tempdir` returned the configuration directory.
	1179	+
	1180	+ """
	1181	+
	1182	+ @contextlib.contextmanager
	1183	+ def make_temporary_directory(
	1184	+ path: pathlib.Path,
	1185	+ ) -> Iterator[pathlib.Path]:
	1186	+ try:
	1187	+ path.mkdir()
	1188	+ yield path
	1189	+ finally:
	1190	+ shutil.rmtree(path)
	1191	+
	1192	+ runner = machinery.CliRunner(mix_stderr=False)
	1193	+ # TODO(the-13th-letter): Rewrite using parenthesized
	1194	+ # with-statements.
	1195	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	1196	+ with contextlib.ExitStack() as stack:
	1197	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	1198	+ stack.enter_context(
	1199	+ pytest_machinery.isolated_vault_config(
	1200	+ monkeypatch=monkeypatch,
	1201	+ runner=runner,
	1202	+ vault_config={"services": {}},
	1203	+ )
	1204	+ )
	1205	+ old_tempdir = os.fsdecode(tempfile.gettempdir())
	1206	+ monkeypatch.delenv("TMPDIR", raising=False)
	1207	+ monkeypatch.delenv("TEMP", raising=False)
	1208	+ monkeypatch.delenv("TMP", raising=False)
	1209	+ monkeypatch.setattr(tempfile, "tempdir", None)
	1210	+ temp_path = pathlib.Path.cwd() / suffix
	1211	+ if env_var:
	1212	+ monkeypatch.setenv(env_var, os.fsdecode(temp_path))
	1213	+ stack.enter_context(make_temporary_directory(temp_path))
	1214	+ new_tempdir = os.fsdecode(tempfile.gettempdir())
	1215	+ hypothesis.assume(
	1216	+ temp_path.resolve() == pathlib.Path.cwd().resolve()
	1217	+ or old_tempdir != new_tempdir
	1218	+ )
	1219	+ system_tempdir = os.fsdecode(tempfile.gettempdir())
	1220	+ our_tempdir = cli_helpers.get_tempdir()
	1221	+ assert system_tempdir == os.fsdecode(our_tempdir) or (
	1222	+ # TODO(the-13th-letter): `pytest_machinery.isolated_config`
	1223	+ # guarantees that `Path.cwd() == config_filename(None)`.
	1224	+ # So this sub-branch ought to never trigger in our
	1225	+ # tests.
	1226	+ system_tempdir == os.getcwd() # noqa: PTH109
	1227	+ and our_tempdir == cli_helpers.config_filename(subsystem=None)
	1228	+ )
	1229	+ assert not temp_path.exists(), f"temp path {temp_path} not cleaned up!"
	1230	+
	1231	+ def test_140b_get_tempdir_force_default(self) -> None:
	1232	+ """[`cli_helpers.get_tempdir`][] returns a temporary directory.
	1233	+
	1234	+ If all candidates are mocked to fail for the standard temporary
	1235	+ directory choices, then we return the `derivepassphrase`
	1236	+ configuration directory.
	1237	+
	1238	+ """
	1239	+ runner = machinery.CliRunner(mix_stderr=False)
	1240	+ # TODO(the-13th-letter): Rewrite using parenthesized
	1241	+ # with-statements.
	1242	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	1243	+ with contextlib.ExitStack() as stack:
	1244	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	1245	+ stack.enter_context(
	1246	+ pytest_machinery.isolated_vault_config(
	1247	+ monkeypatch=monkeypatch,
	1248	+ runner=runner,
	1249	+ vault_config={"services": {}},
	1250	+ )
	1251	+ )
	1252	+ monkeypatch.delenv("TMPDIR", raising=False)
	1253	+ monkeypatch.delenv("TEMP", raising=False)
	1254	+ monkeypatch.delenv("TMP", raising=False)
	1255	+ config_dir = cli_helpers.config_filename(subsystem=None)
	1256	+
	1257	+ def is_dir_false(
	1258	+ self: pathlib.Path,
	1259	+ /,
	1260	+ *,
	1261	+ follow_symlinks: bool = False,
	1262	+ ) -> bool:
	1263	+ del self, follow_symlinks
	1264	+ return False
	1265	+
	1266	+ def is_dir_error(
	1267	+ self: pathlib.Path,
	1268	+ /,
	1269	+ *,
	1270	+ follow_symlinks: bool = False,
	1271	+ ) -> bool:
	1272	+ del follow_symlinks
	1273	+ raise OSError(
	1274	+ errno.EACCES,
	1275	+ os.strerror(errno.EACCES),
	1276	+ str(self),
	1277	+ )
	1278	+
	1279	+ monkeypatch.setattr(pathlib.Path, "is_dir", is_dir_false)
	1280	+ assert cli_helpers.get_tempdir() == config_dir
	1281	+
	1282	+ monkeypatch.setattr(pathlib.Path, "is_dir", is_dir_error)
	1283	+ assert cli_helpers.get_tempdir() == config_dir
	1284	+
	1285	+ @Parametrize.DELETE_CONFIG_INPUT
	1286	+ def test_203_repeated_config_deletion(
	1287	+ self,
	1288	+ command_line: list[str],
	1289	+ config: _types.VaultConfig,
	1290	+ result_config: _types.VaultConfig,
	1291	+ ) -> None:
	1292	+ """Repeatedly removing the same parts of a configuration works."""
	1293	+ for start_config in [config, result_config]:
	1294	+ runner = machinery.CliRunner(mix_stderr=False)
	1295	+ # TODO(the-13th-letter): Rewrite using parenthesized
	1296	+ # with-statements.
	1297	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	1298	+ with contextlib.ExitStack() as stack:
	1299	+ monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
	1300	+ stack.enter_context(
	1301	+ pytest_machinery.isolated_vault_config(
	1302	+ monkeypatch=monkeypatch,
	1303	+ runner=runner,
	1304	+ vault_config=start_config,
	1305	+ )
	1306	+ )
	1307	+ result = runner.invoke(
	1308	+ cli.derivepassphrase_vault,
	1309	+ command_line,
	1310	+ catch_exceptions=False,
	1311	+ )
	1312	+ assert result.clean_exit(empty_stderr=True), (
	1313	+ "expected clean exit"
	1314	+ )
	1315	+ with cli_helpers.config_filename(subsystem="vault").open(
	1316	+ encoding="UTF-8"
	1317	+ ) as infile:
	1318	+ config_readback = json.load(infile)
	1319	+ assert config_readback == result_config
	1320	+
	1321	+ def test_204_phrase_from_key_manually(self) -> None:
	1322	+ """The dummy service, key and config settings are consistent."""
	1323	+ assert (
	1324	+ vault.Vault(
	1325	+ phrase=DUMMY_PHRASE_FROM_KEY1, **DUMMY_CONFIG_SETTINGS
	1326	+ ).generate(DUMMY_SERVICE)
	1327	+ == DUMMY_RESULT_KEY1
	1328	+ )
	1329	+
	1330	+ @Parametrize.VALIDATION_FUNCTION_INPUT
	1331	+ def test_210a_validate_constraints_manually(
	1332	+ self,
	1333	+ vfunc: Callable[[click.Context, click.Parameter, Any], int \| None],
	1334	+ input: int,
	1335	+ ) -> None:
	1336	+ """Command-line argument constraint validation works."""
	1337	+ ctx = cli.derivepassphrase_vault.make_context(cli.PROG_NAME, [])
	1338	+ param = cli.derivepassphrase_vault.params[0]
	1339	+ assert vfunc(ctx, param, input) == input
	1340	+
	1341	+ @Parametrize.CONNECTION_HINTS
	1342	+ def test_227_get_suitable_ssh_keys(
	1343	+ self,
	1344	+ running_ssh_agent: data.RunningSSHAgentInfo,
	1345	+ conn_hint: str,
	1346	+ ) -> None:
	1347	+ """[`cli_helpers.get_suitable_ssh_keys`][] works."""
	1348	+ with pytest.MonkeyPatch.context() as monkeypatch:
	1349	+ monkeypatch.setattr(
	1350	+ ssh_agent.SSHAgentClient,
	1351	+ "list_keys",
	1352	+ callables.list_keys,
	1353	+ )
	1354	+ hint: ssh_agent.SSHAgentClient \| _types.SSHAgentSocket \| None
	1355	+ # TODO(the-13th-letter): Rewrite using structural pattern
	1356	+ # matching.
	1357	+ # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
	1358	+ if conn_hint == "client":
	1359	+ hint = ssh_agent.SSHAgentClient()
	1360	+ elif conn_hint == "socket":
	1361	+ if isinstance(
	1362	+ running_ssh_agent.socket, str
	1363	+ ): # pragma: no cover
	1364	+ if not hasattr(socket, "AF_UNIX"):
	1365	+ pytest.skip("socket module does not support AF_UNIX")
	1366	+ # socket.AF_UNIX is not defined everywhere.
	1367	+ hint = socket.socket(family=socket.AF_UNIX) # type: ignore[attr-defined]
	1368	+ hint.connect(running_ssh_agent.socket)
	1369	+ else: # pragma: no cover
	1370	+ hint = running_ssh_agent.socket()
	1371	+ else:
	1372	+ assert conn_hint == "none"
	1373	+ hint = None
	1374	+ exception: Exception \| None = None
	1375	+ try:
	1376	+ list(cli_helpers.get_suitable_ssh_keys(hint))
	1377	+ except RuntimeError: # pragma: no cover
	1378	+ pass
	1379	+ except Exception as e: # noqa: BLE001 # pragma: no cover
	1380	+ exception = e
	1381	+ finally:
	1382	+ assert exception is None, (
	1383	+ "exception querying suitable SSH keys"
	1384	+ )
	1385	+
	1386	+ @Parametrize.KEY_TO_PHRASE_SETTINGS
	1387	+ def test_400_key_to_phrase(
	1388	+ self,
	1389	+ ssh_agent_client_with_test_keys_loaded: ssh_agent.SSHAgentClient,
	1390	+ list_keys_action: ListKeysAction \| None,
	1391	+ system_support_action: SystemSupportAction \| None,
	1392	+ address_action: SocketAddressAction \| None,
	1393	+ sign_action: SignAction,
	1394	+ pattern: str,
	1395	+ ) -> None:
	1396	+ """All errors in [`cli_helpers.key_to_phrase`][] are handled."""
	1397	+
	1398	+ class ErrCallback(BaseException):
	1399	+ def __init__(self, args: Any, *kwargs: Any) -> None:
	1400	+ super().__init__(*args[:1])
	1401	+ self.args = args
	1402	+ self.kwargs = kwargs
	1403	+
	1404	+ def err(args: Any, *_kwargs: Any) -> NoReturn:
	1405	+ raise ErrCallback(args, *_kwargs)
	1406	+
	1407	+ with pytest.MonkeyPatch.context() as monkeypatch:
	1408	+ loaded_keys = list(
	1409	+ ssh_agent_client_with_test_keys_loaded.list_keys()
	1410	+ )
	1411	+ loaded_key = base64.standard_b64encode(loaded_keys[0][0])
	1412	+ monkeypatch.setattr(ssh_agent.SSHAgentClient, "sign", sign_action)
	1413	+ if list_keys_action:
	1414	+ monkeypatch.setattr(
	1415	+ ssh_agent.SSHAgentClient, "list_keys", list_keys_action
	1416	+ )
	1417	+ if address_action:
	1418	+ address_action(monkeypatch)
	1419	+ if system_support_action:
	1420	+ system_support_action(monkeypatch)
	1421	+ with pytest.raises(ErrCallback, match=pattern) as excinfo:
	1422	+ cli_helpers.key_to_phrase(loaded_key, error_callback=err)
	1423	+ if list_keys_action == ListKeysAction.FAIL_RUNTIME:
	1424	+ assert excinfo.value.kwargs
	1425	+ assert isinstance(
	1426	+ excinfo.value.kwargs["exc_info"],
	1427	+ ssh_agent.SSHAgentFailedError,
	1428	+ )
	1429	+ assert excinfo.value.kwargs["exc_info"].__context__ is not None
	1430	+ assert isinstance(
	1431	+ excinfo.value.kwargs["exc_info"].__context__,
	1432	+ ssh_agent.TrailingDataError,
	1433	+ )
0	1434