Refactor the basic command-line interface tests (9de4949) - derivepassphrase.git

tests/test_derivepassphrase_cli/test_000_basic.py
@@ -16,13 +16,13 @@ import shutil
 import socket
 import textwrap
 import types
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, ClassVar
 
 import click.testing
 import hypothesis
 import pytest
 from hypothesis import strategies
-from typing_extensions import Any, NamedTuple
+from typing_extensions import Any, NamedTuple, TypedDict
 
 from derivepassphrase import _types, cli, ssh_agent, vault
 from derivepassphrase._internals import (
@@ -35,9 +35,10 @@ from tests.machinery import hypothesis as hypothesis_machinery
 from tests.machinery import pytest as pytest_machinery
 
 if TYPE_CHECKING:
+    from collections.abc import Iterator
     from typing import NoReturn
 
-    from typing_extensions import Literal
+    from typing_extensions import Literal, NotRequired
 
 DUMMY_SERVICE = data.DUMMY_SERVICE
 DUMMY_PASSPHRASE = data.DUMMY_PASSPHRASE
@@ -262,6 +263,18 @@ def assert_vault_config_is_indented_and_line_broken(
     ])
 
 
+class Strategies:
+    @staticmethod
+    def notes(*, max_size: int = 512) -> strategies.SearchStrategy[str]:
+        return strategies.text(
+            strategies.characters(
+                min_codepoint=32, max_codepoint=126, include_characters="\n"
+            ),
+            min_size=1,
+            max_size=max_size,
+        )
+
+
 class Parametrize(types.SimpleNamespace):
     """Common test parametrizations."""
 
@@ -271,23 +284,6 @@ class Parametrize(types.SimpleNamespace):
     CHARSET_NAME = pytest.mark.parametrize(
         "charset_name", ["lower", "upper", "number", "space", "dash", "symbol"]
     )
-    UNICODE_NORMALIZATION_COMMAND_LINES = pytest.mark.parametrize(
-        "command_line",
-        [
-            pytest.param(
-                ["--config", "--phrase"],
-                id="configure global passphrase",
-            ),
-            pytest.param(
-                ["--config", "--phrase", "--", "DUMMY_SERVICE"],
-                id="configure service passphrase",
-            ),
-            pytest.param(
-                ["--phrase", "--", DUMMY_SERVICE],
-                id="interactive passphrase",
-            ),
-        ],
-    )
     CONFIG_EDITING_VIA_CONFIG_FLAG_FAILURES = pytest.mark.parametrize(
         ["command_line", "input", "err_text"],
         [
@@ -330,17 +326,19 @@ class Parametrize(types.SimpleNamespace):
         ],
     )
     CONFIG_EDITING_VIA_CONFIG_FLAG = pytest.mark.parametrize(
-        ["command_line", "input", "result_config"],
+        ["command_line", "input", "starting_config", "result_config"],
         [
             pytest.param(
                 ["--phrase"],
                 "my passphrase\n",
+                {"global": {"phrase": "abc"}, "services": {}},
                 {"global": {"phrase": "my passphrase"}, "services": {}},
                 id="phrase",
             ),
             pytest.param(
                 ["--key"],
                 "1\n",
+                {"global": {"phrase": "abc"}, "services": {}},
                 {
                     "global": {"key": DUMMY_KEY1_B64, "phrase": "abc"},
                     "services": {},
@@ -350,6 +348,7 @@ class Parametrize(types.SimpleNamespace):
             pytest.param(
                 ["--phrase", "--", "sv"],
                 "my passphrase\n",
+                {"global": {"phrase": "abc"}, "services": {}},
                 {
                     "global": {"phrase": "abc"},
                     "services": {"sv": {"phrase": "my passphrase"}},
@@ -359,6 +358,7 @@ class Parametrize(types.SimpleNamespace):
             pytest.param(
                 ["--key", "--", "sv"],
                 "1\n",
+                {"global": {"phrase": "abc"}, "services": {}},
                 {
                     "global": {"phrase": "abc"},
                     "services": {"sv": {"key": DUMMY_KEY1_B64}},
@@ -368,6 +368,7 @@ class Parametrize(types.SimpleNamespace):
             pytest.param(
                 ["--key", "--length", "15", "--", "sv"],
                 "1\n",
+                {"global": {"phrase": "abc"}, "services": {}},
                 {
                     "global": {"phrase": "abc"},
                     "services": {"sv": {"key": DUMMY_KEY1_B64, "length": 15}},
@@ -488,20 +489,13 @@ class Parametrize(types.SimpleNamespace):
             ),
         ],
     )
-    NOOP_EDIT_FUNCS = pytest.mark.parametrize(
-        ["edit_func_name", "modern_editor_interface"],
-        [
-            pytest.param("empty", True, id="empty"),
-            pytest.param("space", False, id="space-legacy"),
-            pytest.param("space", True, id="space-modern"),
-        ],
-    )
     EXPORT_FORMAT_OPTIONS = pytest.mark.parametrize(
         "export_options",
         [
             [],
             ["--export-as=sh"],
         ],
+        ids=["json-format", "sh-format"],
     )
     KEY_INDEX = pytest.mark.parametrize(
         "key_index", [1, 2, 3], ids=lambda i: f"index{i}"
@@ -545,6 +539,45 @@ class Parametrize(types.SimpleNamespace):
                 ),
                 id="service",
             ),
+            pytest.param(
+                textwrap.dedent(r"""
+                [vault]
+                default-unicode-normalization-form = 'XXX'
+                """),
+                ["--config", "--phrase"],
+                DUMMY_PASSPHRASE,
+                (
+                    "Invalid value 'XXX' for config key "
+                    "vault.default-unicode-normalization-form"
+                ),
+                id="configure global passphrase",
+            ),
+            pytest.param(
+                textwrap.dedent(r"""
+                [vault]
+                default-unicode-normalization-form = 'XXX'
+                """),
+                ["--config", "--phrase", "--", DUMMY_SERVICE],
+                DUMMY_PASSPHRASE,
+                (
+                    "Invalid value 'XXX' for config key "
+                    "vault.default-unicode-normalization-form"
+                ),
+                id="configure service passphrase",
+            ),
+            pytest.param(
+                textwrap.dedent(r"""
+                [vault]
+                default-unicode-normalization-form = 'XXX'
+                """),
+                ["--phrase", "--", DUMMY_SERVICE],
+                DUMMY_PASSPHRASE,
+                (
+                    "Invalid value 'XXX' for config key "
+                    "vault.default-unicode-normalization-form"
+                ),
+                id="interactive passphrase",
+            ),
         ],
     )
     UNICODE_NORMALIZATION_WARNING_INPUTS = pytest.mark.parametrize(
@@ -733,14 +766,7 @@ class TestHelp:
 class TestDerivedPassphraseConstraints:
     """Tests for (derived) passphrase constraints."""
 
-    @Parametrize.CHARSET_NAME
-    def test_disable_character_set(
-        self,
-        charset_name: str,
-    ) -> None:
-        """Named character classes can be disabled on the command-line."""
-        option = f"--{charset_name}"
-        charset = vault.Vault.CHARSETS[charset_name].decode("ascii")
+    def _test(self, command_line: list[str]) -> machinery.ReadableResult:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -758,12 +784,22 @@ class TestDerivedPassphraseConstraints:
                 "prompt_for_passphrase",
                 callables.auto_prompt,
             )
-            result = runner.invoke(
+            return runner.invoke(
                 cli.derivepassphrase_vault,
-                [option, "0", "-p", "--", DUMMY_SERVICE],
+                command_line,
                 input=DUMMY_PASSPHRASE,
                 catch_exceptions=False,
             )
+
+    @Parametrize.CHARSET_NAME
+    def test_disable_character_set(
+        self,
+        charset_name: str,
+    ) -> None:
+        """Named character classes can be disabled on the command-line."""
+        option = f"--{charset_name}"
+        charset = vault.Vault.CHARSETS[charset_name].decode("ascii")
+        result = self._test([option, "0", "-p", "--", DUMMY_SERVICE])
         assert result.clean_exit(empty_stderr=True), "expected clean exit:"
         for c in charset:
             assert c not in result.stdout, (
@@ -774,29 +810,7 @@ class TestDerivedPassphraseConstraints:
         self,
     ) -> None:
         """Character repetition can be disabled on the command-line."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            monkeypatch.setattr(
-                cli_helpers,
-                "prompt_for_passphrase",
-                callables.auto_prompt,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--repeat", "0", "-p", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
-                catch_exceptions=False,
-            )
+        result = self._test(["--repeat", "0", "-p", "--", DUMMY_SERVICE])
         assert result.clean_exit(empty_stderr=True), (
             "expected clean exit and empty stderr"
         )
@@ -811,12 +825,17 @@ class TestDerivedPassphraseConstraints:
 class TestPhraseBasic:
     """Tests for master passphrase configuration: basic."""
 
-    @Parametrize.CONFIG_WITH_PHRASE
-    def test_phrase_from_config(
+    def _test(
         self,
-        config: _types.VaultConfig,
+        command_line: list[str],
+        /,
+        *,
+        config: _types.VaultConfig = {  # noqa: B006
+            "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
+        },
+        auto_prompt: bool = False,
+        multiline: bool = False,
     ) -> None:
-        """A stored configured master passphrase will be used."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -837,72 +856,69 @@ class TestPhraseBasic:
             monkeypatch.setattr(
                 vault.Vault, "phrase_from_key", phrase_from_key
             )
+            if auto_prompt:
+                monkeypatch.setattr(
+                    cli_helpers,
+                    "prompt_for_passphrase",
+                    callables.auto_prompt,
+                )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
+                command_line,
+                input=None if auto_prompt else DUMMY_PASSPHRASE,
                 catch_exceptions=False,
             )
+        if multiline:
+            assert result.clean_exit(), "expected clean exit"
+        else:
             assert result.clean_exit(empty_stderr=True), (
                 "expected clean exit and empty stderr"
             )
-        assert result.stdout
+        assert result.stdout, "expected program output"
+        last_line = (
+            result.stdout.splitlines(keepends=True)[-1]
+            if multiline
+            else result.stdout
+        )
         assert (
-            result.stdout.rstrip("\n").encode("UTF-8")
-            == DUMMY_RESULT_PASSPHRASE
+            last_line.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_PASSPHRASE
         ), "expected known output"
 
+    @Parametrize.CONFIG_WITH_PHRASE
+    def test_phrase_from_config(
+        self,
+        config: _types.VaultConfig,
+    ) -> None:
+        """A stored configured master passphrase will be used."""
+        self._test(["--", DUMMY_SERVICE], config=config)
+
     @Parametrize.AUTO_PROMPT
     def test_phrase_from_command_line(
         self,
         auto_prompt: bool,
     ) -> None:
         """A master passphrase requested on the command-line will be used."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
-                    },
-                )
-            )
-            if auto_prompt:
-                monkeypatch.setattr(
-                    cli_helpers,
-                    "prompt_for_passphrase",
-                    callables.auto_prompt,
-                )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
+        self._test(
             ["-p", "--", DUMMY_SERVICE],
-                input=None if auto_prompt else DUMMY_PASSPHRASE,
-                catch_exceptions=False,
+            auto_prompt=auto_prompt,
+            multiline=True,
         )
-        assert result.clean_exit(), "expected clean exit"
-        assert result.stdout, "expected program output"
-        last_line = result.stdout.splitlines(True)[-1]
-        assert (
-            last_line.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_PASSPHRASE
-        ), "expected known output"
 
 
 class TestKeyBasic:
     """Tests for SSH key configuration: basic."""
 
-    @Parametrize.CONFIG_WITH_KEY
-    def test_key_from_config(
+    def _test(
         self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-        config: _types.VaultConfig,
+        command_line: list[str],
+        /,
+        *,
+        config: _types.VaultConfig = {  # noqa: B006
+            "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
+        },
+        multiline: bool = False,
+        input: str | bytes | None = None,
     ) -> None:
-        """A stored configured SSH key will be used."""
-        del running_ssh_agent
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -916,49 +932,6 @@ class TestKeyBasic:
                     vault_config=config,
                 )
             )
-            monkeypatch.setattr(
-                vault.Vault,
-                "phrase_from_key",
-                callables.phrase_from_key,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-        assert result.clean_exit(empty_stderr=True), (
-            "expected clean exit and empty stderr"
-        )
-        assert result.stdout
-        assert (
-            result.stdout.rstrip("\n").encode("UTF-8")
-            != DUMMY_RESULT_PASSPHRASE
-        ), "known false output: phrase-based instead of key-based"
-        assert (
-            result.stdout.rstrip("\n").encode("UTF-8") == DUMMY_RESULT_KEY1
-        ), "expected known output"
-
-    def test_key_from_command_line(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """An SSH key requested on the command-line will be used."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
-                    },
-                )
-            )
             monkeypatch.setattr(
                 cli_helpers,
                 "get_suitable_ssh_keys",
@@ -971,13 +944,22 @@ class TestKeyBasic:
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["-k", "--", DUMMY_SERVICE],
-                input="1\n",
+                command_line,
+                input=input,
                 catch_exceptions=False,
             )
+        if multiline:
             assert result.clean_exit(), "expected clean exit"
+        else:
+            assert result.clean_exit(empty_stderr=True), (
+                "expected clean exit and empty stderr"
+            )
         assert result.stdout, "expected program output"
-        last_line = result.stdout.splitlines(True)[-1]
+        last_line = (
+            result.stdout.splitlines(keepends=True)[-1]
+            if multiline
+            else result.stdout
+        )
         assert (
             last_line.rstrip("\n").encode("UTF-8") != DUMMY_RESULT_PASSPHRASE
         ), "known false output: phrase-based instead of key-based"
@@ -985,20 +967,38 @@ class TestKeyBasic:
             "expected known output"
         )
 
+    @Parametrize.CONFIG_WITH_KEY
+    def test_key_from_config(
+        self,
+        running_ssh_agent: data.RunningSSHAgentInfo,
+        config: _types.VaultConfig,
+    ) -> None:
+        """A stored configured SSH key will be used."""
+        del running_ssh_agent
+        self._test(["--", DUMMY_SERVICE], config=config)
 
-class TestPhraseAndKeyOverriding:
-    """Tests for master passphrase and SSH key configuration: overriding."""
-
-    @Parametrize.BASE_CONFIG_WITH_KEY_VARIATIONS
-    @Parametrize.KEY_INDEX
-    def test_key_override_on_command_line(
+    def test_key_from_command_line(
         self,
         running_ssh_agent: data.RunningSSHAgentInfo,
-        config: dict[str, Any],
-        key_index: int,
     ) -> None:
-        """A command-line SSH key will override the configured key."""
+        """An SSH key requested on the command-line will be used."""
         del running_ssh_agent
+        self._test(["-k", "--", DUMMY_SERVICE], input="1\n", multiline=True)
+
+
+class TestPhraseAndKeyOverriding:
+    """Tests for master passphrase and SSH key configuration: overriding."""
+
+    def _test(
+        self,
+        command_line: list[str],
+        /,
+        *,
+        config: _types.VaultConfig = {  # noqa: B006
+            "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}
+        },
+        input: str | bytes | None = None,
+    ) -> machinery.ReadableResult:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -1022,12 +1022,30 @@ class TestPhraseAndKeyOverriding:
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["-k", "--", DUMMY_SERVICE],
-                input=f"{key_index}\n",
+                command_line,
+                input=input,
+                catch_exceptions=False,
             )
         assert result.clean_exit(), "expected clean exit"
-        assert result.stdout, "expected program output"
-        assert result.stderr, "expected stderr"
+        return result
+
+    @Parametrize.BASE_CONFIG_WITH_KEY_VARIATIONS
+    @Parametrize.KEY_INDEX
+    def test_key_override_on_command_line(
+        self,
+        running_ssh_agent: data.RunningSSHAgentInfo,
+        config: _types.VaultConfig,
+        key_index: int,
+    ) -> None:
+        """A command-line SSH key will override the configured key."""
+        del running_ssh_agent
+        result = self._test(
+            ["-k", "--", DUMMY_SERVICE],
+            config=config,
+            input=f"{key_index}\n",
+        )
+        assert result.stdout, "expected program output"
+        assert result.stderr, "expected stderr"
         assert "Error:" not in result.stderr, (
             "expected no error messages on stderr"
         )
@@ -1036,19 +1054,11 @@ class TestPhraseAndKeyOverriding:
         self,
         running_ssh_agent: data.RunningSSHAgentInfo,
     ) -> None:
-        """A command-line passphrase will override the configured key."""
+        """A configured passphrase does not override a configured key."""
         del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
+        result = self._test(
+            ["--", DUMMY_SERVICE],
+            config={
                 "global": {"key": DUMMY_KEY1_B64},
                 "services": {
                     DUMMY_SERVICE: {
@@ -1058,21 +1068,6 @@ class TestPhraseAndKeyOverriding:
                 },
             },
         )
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient,
-                "list_keys",
-                callables.list_keys,
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "sign", callables.sign
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-        assert result.clean_exit(), "expected clean exit"
         assert result.stdout, "expected program output"
         last_line = result.stdout.splitlines(True)[-1]
         assert (
@@ -1092,34 +1087,9 @@ class TestPhraseAndKeyOverriding:
     ) -> None:
         """Configuring a passphrase atop an SSH key works, but warns."""
         del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config=config,
-                )
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient,
-                "list_keys",
-                callables.list_keys,
-            )
-            monkeypatch.setattr(
-                ssh_agent.SSHAgentClient, "sign", callables.sign
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                command_line,
-                input=DUMMY_PASSPHRASE,
-                catch_exceptions=False,
+        result = self._test(
+            command_line, config=config, input=DUMMY_PASSPHRASE
         )
-        assert result.clean_exit(), "expected clean exit"
         assert not result.stdout.strip(), "expected no program output"
         assert result.stderr, "expected known error output"
         err_lines = result.stderr.splitlines(False)
@@ -1140,12 +1110,18 @@ class TestPhraseAndKeyOverriding:
 class TestInvalidCommandLines:
     """Tests concerning invalid command-lines."""
 
-    @Parametrize.VAULT_CHARSET_OPTION
-    def test_invalid_argument_range(
+    @contextlib.contextmanager
+    def _setup_environment(
         self,
-        option: str,
-    ) -> None:
-        """Requesting invalidly many characters from a class fails."""
+        /,
+        *,
+        auto_prompt: bool = False,
+        config: _types.VaultConfig = {  # noqa: B006
+            "services": {
+                DUMMY_SERVICE: {**DUMMY_CONFIG_SETTINGS},
+            },
+        },
+    ) -> Iterator[machinery.CliRunner]:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -1153,11 +1129,57 @@ class TestInvalidCommandLines:
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config=config,
+                )
+            )
+            if auto_prompt:
+                monkeypatch.setattr(
+                    cli_helpers,
+                    "prompt_for_passphrase",
+                    callables.auto_prompt,
+                )
+            yield runner
+
+    def _call(
+        self,
+        command_line: list[str],
+        /,
+        *,
+        config: _types.VaultConfig = {  # noqa: B006
+            "services": {
+                DUMMY_SERVICE: {**DUMMY_CONFIG_SETTINGS},
+            },
+        },
+        input: str | bytes | None = None,
+        runner: machinery.CliRunner | None = None,
+    ) -> machinery.ReadableResult:
+        if runner:
+            return runner.invoke(
+                cli.derivepassphrase_vault,
+                command_line,
+                input=input,
+                catch_exceptions=False,
             )
+        with self._setup_environment(
+            config=config, auto_prompt=input is not None
+        ) as runner2:
+            return runner2.invoke(
+                cli.derivepassphrase_vault,
+                command_line,
+                input=input,
+                catch_exceptions=False,
             )
+
+    @Parametrize.VAULT_CHARSET_OPTION
+    def test_invalid_argument_range(
+        self,
+        option: str,
+    ) -> None:
+        """Requesting invalidly many characters from a class fails."""
+        with self._setup_environment() as runner:
             for value in "-42", "invalid":
                 result = runner.invoke(
                     cli.derivepassphrase_vault,
@@ -1178,29 +1200,14 @@ class TestInvalidCommandLines:
         check_success: bool,
     ) -> None:
         """We require or forbid a service argument, depending on options."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            monkeypatch.setattr(
-                cli_helpers,
-                "prompt_for_passphrase",
-                callables.auto_prompt,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
+        config: _types.VaultConfig = {
+            "global": {"phrase": "abc"},
+            "services": {},
+        }
+        result = self._call(
             options if service else [*options, "--", DUMMY_SERVICE],
+            config=config,
             input=input,
-                catch_exceptions=False,
         )
         if service is not None:
             err_msg = (
@@ -1211,37 +1218,16 @@ class TestInvalidCommandLines:
             assert result.error_exit(error=err_msg), (
                 "expected error exit and known error message"
             )
-            else:
-                assert result.clean_exit(empty_stderr=True), (
-                    "expected clean exit"
-                )
             if check_success:
-            # TODO(the-13th-letter): Rewrite using parenthesized
-            # with-statements.
-            # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-            with contextlib.ExitStack() as stack:
-                monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-                stack.enter_context(
-                    pytest_machinery.isolated_vault_config(
-                        monkeypatch=monkeypatch,
-                        runner=runner,
-                        vault_config={
-                            "global": {"phrase": "abc"},
-                            "services": {},
-                        },
-                    )
-                )
-                monkeypatch.setattr(
-                    cli_helpers,
-                    "prompt_for_passphrase",
-                    callables.auto_prompt,
-                )
-                result = runner.invoke(
-                    cli.derivepassphrase_vault,
+                result = self._call(
                     [*options, "--", DUMMY_SERVICE] if service else options,
+                    config=config,
                     input=input,
-                    catch_exceptions=False,
                 )
+                assert result.clean_exit(empty_stderr=True), (
+                    "expected clean exit"
+                )
+        else:
             assert result.clean_exit(empty_stderr=True), "expected clean exit"
 
     def test_empty_service_name_causes_warning(
@@ -1261,50 +1247,31 @@ class TestInvalidCommandLines:
                 "An empty SERVICE is not supported by vault(1)", [record]
             )
 
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
-            monkeypatch.setattr(
-                cli_helpers,
-                "prompt_for_passphrase",
-                callables.auto_prompt,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "--length=30", "--", ""],
-                catch_exceptions=False,
-            )
+        def check_result(result: machinery.ReadableResult) -> None:
             assert result.clean_exit(empty_stderr=False), "expected clean exit"
             assert result.stderr is not None, "expected known error output"
             assert all(map(is_expected_warning, caplog.record_tuples)), (
                 "expected known error output"
             )
+
+        with self._setup_environment(
+            config={"services": {}}, auto_prompt=True
+        ) as runner:
+            result = self._call(
+                ["--config", "--length=30", "--", ""], runner=runner
+            )
+            check_result(result)
             assert cli_helpers.load_config() == {
                 "global": {"length": 30},
                 "services": {},
             }, "requested configuration change was not applied"
             caplog.clear()
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
+            result = self._call(
                 ["--import", "-"],
                 input=json.dumps({"services": {"": {"length": 40}}}),
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(empty_stderr=False), "expected clean exit"
-            assert result.stderr is not None, "expected known error output"
-            assert all(map(is_expected_warning, caplog.record_tuples)), (
-                "expected known error output"
+                runner=runner,
             )
+            check_result(result)
             assert cli_helpers.load_config() == {
                 "global": {"length": 30},
                 "services": {"": {"length": 40}},
@@ -1317,23 +1284,9 @@ class TestInvalidCommandLines:
         service: bool | None,
     ) -> None:
         """Incompatible options are detected."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
+        result = self._call(
             [*options, "--", DUMMY_SERVICE] if service else options,
             input=DUMMY_PASSPHRASE,
-                catch_exceptions=False,
         )
         assert result.error_exit(error="mutually exclusive with "), (
             "expected error exit and known error message"
@@ -1341,21 +1294,7 @@ class TestInvalidCommandLines:
 
     def test_no_arguments(self) -> None:
         """Calling `derivepassphrase vault` without any arguments fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault, [], catch_exceptions=False
-            )
+        result = self._call([], input=DUMMY_PASSPHRASE)
         assert result.error_exit(
             error="Deriving a passphrase requires a SERVICE"
         ), "expected error exit and known error message"
@@ -1364,23 +1303,7 @@ class TestInvalidCommandLines:
         self,
     ) -> None:
         """Deriving a passphrase without a passphrase or key fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
+        result = self._call(["--", DUMMY_SERVICE], input=DUMMY_PASSPHRASE)
         assert result.error_exit(error="No passphrase or key was given"), (
             "expected error exit and known error message"
         )
@@ -1389,13 +1312,15 @@ class TestInvalidCommandLines:
 class TestImportConfigValid:
     """Tests concerning `vault` configuration imports: valid imports."""
 
-    @Parametrize.VALID_TEST_CONFIGS
-    def test_import_config(
+    def _test(
         self,
+        /,
+        *,
         caplog: pytest.LogCaptureFixture,
-        config: Any,
+        config: _types.VaultConfig,
     ) -> None:
-        """Importing a configuration works."""
+        config2 = copy.deepcopy(config)
+        _types.clean_up_falsy_vault_config_values(config2)
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -1418,14 +1343,23 @@ class TestImportConfigValid:
             config_txt = cli_helpers.config_filename(
                 subsystem="vault"
             ).read_text(encoding="UTF-8")
-            config2 = json.loads(config_txt)
+            config3 = json.loads(config_txt)
         assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert config2 == config, "config not imported correctly"
-        assert not result.stderr or all(  # pragma: no branch
+        assert config3 == config2, "config not imported correctly"
+        assert not result.stderr or all(
             map(is_harmless_config_import_warning, caplog.record_tuples)
         ), "unexpected error output"
         assert_vault_config_is_indented_and_line_broken(config_txt)
 
+    @Parametrize.VALID_TEST_CONFIGS
+    def test_normal_config(
+        self,
+        caplog: pytest.LogCaptureFixture,
+        config: Any,
+    ) -> None:
+        """Importing a configuration works."""
+        self._test(caplog=caplog, config=config)
+
     @hypothesis.settings(
         suppress_health_check=[
             *hypothesis.settings().suppress_health_check,
@@ -1439,7 +1373,7 @@ class TestImportConfigValid:
             ])
         )
     )
-    def test_import_smudged_config(
+    def test_smudged_config(
         self,
         caplog: pytest.LogCaptureFixture,
         conf: data.VaultTestConfig,
@@ -1449,49 +1383,16 @@ class TestImportConfigValid:
         Tested via hypothesis.
 
         """
-        config = conf.config
-        config2 = copy.deepcopy(config)
-        _types.clean_up_falsy_vault_config_values(config2)
         # Reset caplog between hypothesis runs.
         caplog.clear()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input=json.dumps(config),
-                catch_exceptions=False,
-            )
-            config_txt = cli_helpers.config_filename(
-                subsystem="vault"
-            ).read_text(encoding="UTF-8")
-            config3 = json.loads(config_txt)
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert config3 == config2, "config not imported correctly"
-        assert not result.stderr or all(
-            map(is_harmless_config_import_warning, caplog.record_tuples)
-        ), "unexpected error output"
-        assert_vault_config_is_indented_and_line_broken(config_txt)
+        self._test(caplog=caplog, config=conf.config)
 
 
 class TestImportConfigInvalid:
     """Tests concerning `vault` configuration imports: invalid imports."""
 
-    def test_import_config_not_a_vault_config(
-        self,
-    ) -> None:
-        """Importing an invalid config fails."""
+    @contextlib.contextmanager
+    def _setup_environment(self) -> Iterator[machinery.CliRunner]:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -1504,64 +1405,52 @@ class TestImportConfigInvalid:
                     runner=runner,
                 )
             )
-            result = runner.invoke(
+            yield runner
+
+    def _test(
+        self,
+        command_line: list[str],
+        /,
+        *,
+        input: str | bytes | None = None,
+    ) -> machinery.ReadableResult:
+        with self._setup_environment() as runner:
+            return runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input="null",
+                command_line,
+                input=input,
                 catch_exceptions=False,
             )
+
+    def test_not_a_vault_config(
+        self,
+    ) -> None:
+        """Importing an invalid config fails."""
+        result = self._test(["--import", "-"], input="null")
         assert result.error_exit(error="Invalid vault config"), (
             "expected error exit and known error message"
         )
 
-    def test_import_config_not_json_data(
+    def test_not_json_data(
         self,
     ) -> None:
         """Importing an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input="This string is not valid JSON.",
-                catch_exceptions=False,
+        result = self._test(
+            ["--import", "-"], input="This string is not valid JSON."
         )
         assert result.error_exit(error="cannot decode JSON"), (
             "expected error exit and known error message"
         )
 
-    def test_import_config_not_a_file(
+    def test_not_a_file(
         self,
     ) -> None:
         """Importing an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # `isolated_vault_config` ensures the configuration is valid
-        # JSON.  So, to pass an actual broken configuration, we must
-        # open the configuration file ourselves afterwards, inside the
-        # context.
-        #
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
+        with self._setup_environment() as runner:
+            # `_setup_environment` (via `isolated_vault_config`) ensures
+            # the configuration is valid JSON.  So, to pass an actual
+            # broken configuration, we must open the configuration file
+            # ourselves afterwards, inside the context.
             cli_helpers.config_filename(subsystem="vault").write_text(
                 "This string is not valid JSON.\n", encoding="UTF-8"
             )
@@ -1582,13 +1471,28 @@ class TestImportConfigInvalid:
 class TestExportConfigValid:
     """Tests concerning `vault` configuration exports: valid exports."""
 
-    @Parametrize.VALID_TEST_CONFIGS
-    def test_export_config_success(
+    def _assert_result(
         self,
+        result: machinery.ReadableResult,
+        /,
+        *,
         caplog: pytest.LogCaptureFixture,
-        config: Any,
     ) -> None:
-        """Exporting a configuration works."""
+        assert result.clean_exit(empty_stderr=False), "expected clean exit"
+        assert not result.stderr or all(
+            map(is_harmless_config_import_warning, caplog.record_tuples)
+        ), "unexpected error output"
+
+    def _test(
+        self,
+        /,
+        *,
+        caplog: pytest.LogCaptureFixture,
+        config: _types.VaultConfig,
+        use_import: bool = False,
+    ) -> None:
+        config2 = copy.deepcopy(config)
+        _types.clean_up_falsy_vault_config_values(config2)
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -1599,9 +1503,18 @@ class TestExportConfigValid:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config=config,
+                    vault_config={"services": {}},
                 )
             )
+            if use_import:
+                result1 = runner.invoke(
+                    cli.derivepassphrase_vault,
+                    ["--import", "-"],
+                    input=json.dumps(config),
+                    catch_exceptions=False,
+                )
+                self._assert_result(result1, caplog=caplog)
+            else:
                 with cli_helpers.config_filename(subsystem="vault").open(
                     "w", encoding="UTF-8"
                 ) as outfile:
@@ -1612,17 +1525,20 @@ class TestExportConfigValid:
                 ["--export", "-"],
                 catch_exceptions=False,
             )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config2 = json.load(infile)
-        assert result.clean_exit(empty_stderr=False), "expected clean exit"
-        assert config2 == config, "config not imported correctly"
-        assert not result.stderr or all(  # pragma: no branch
-            map(is_harmless_config_import_warning, caplog.record_tuples)
-        ), "unexpected error output"
+        self._assert_result(result, caplog=caplog)
+        config3 = json.loads(result.stdout)
+        assert config3 == config2, "config not exported correctly"
         assert_vault_config_is_indented_and_line_broken(result.stdout)
 
+    @Parametrize.VALID_TEST_CONFIGS
+    def test_normal_config(
+        self,
+        caplog: pytest.LogCaptureFixture,
+        config: Any,
+    ) -> None:
+        """Exporting a configuration works."""
+        self._test(caplog=caplog, config=config, use_import=False)
+
     @hypothesis.settings(
         suppress_health_check=[
             *hypothesis.settings().suppress_health_check,
@@ -1646,52 +1562,12 @@ class TestExportConfigValid:
         Tested via hypothesis.
 
         """
-        config = conf.config
-        config2 = copy.deepcopy(config)
-        _types.clean_up_falsy_vault_config_values(config2)
         # Reset caplog between hypothesis runs.
         caplog.clear()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"services": {}},
-                )
-            )
-            result1 = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--import", "-"],
-                input=json.dumps(config),
-                catch_exceptions=False,
-            )
-            assert result1.clean_exit(empty_stderr=False), (
-                "expected clean exit"
-            )
-            assert not result1.stderr or all(
-                map(is_harmless_config_import_warning, caplog.record_tuples)
-            ), "unexpected error output"
-            result2 = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", "-"],
-                catch_exceptions=False,
-            )
-            assert result2.clean_exit(empty_stderr=False), (
-                "expected clean exit"
-            )
-            assert not result2.stderr or all(
-                map(is_harmless_config_import_warning, caplog.record_tuples)
-            ), "unexpected error output"
-            config3 = json.loads(result2.stdout)
-            assert config3 == config2, "config not exported correctly"
+        self._test(caplog=caplog, config=conf.config, use_import=True)
 
     @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_export_config_no_stored_settings(
+    def test_no_stored_settings(
         self,
         export_options: list[str],
     ) -> None:
@@ -1721,17 +1597,23 @@ class TestExportConfigValid:
                 catch_exceptions=False,
             )
         assert result.clean_exit(empty_stderr=True), "expected clean exit"
+        assert result.stdout.startswith("#!") or json.loads(result.stdout) == {
+            "services": {}
+        }
 
 
 class TestExportConfigInvalid:
     """Tests concerning `vault` configuration exports: invalid exports."""
 
-    @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_export_config_bad_stored_config(
+    @contextlib.contextmanager
+    def _test(
         self,
-        export_options: list[str],
-    ) -> None:
-        """Exporting an invalid config fails."""
+        command_line: list[str],
+        /,
+        *,
+        config: _types.VaultConfig = {"services": {}},  # noqa: B006
+        error_messages: tuple[str, ...] = (),
+    ) -> Iterator[list[str]]:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -1742,261 +1624,219 @@ class TestExportConfigInvalid:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={},
+                    vault_config=config,
                 )
             )
+            yield command_line
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--export", "-", *export_options],
+                command_line,
                 input="null",
                 catch_exceptions=False,
             )
-        assert result.error_exit(error="Cannot load vault settings:"), (
+        assert any([result.error_exit(error=msg) for msg in error_messages]), (
             "expected error exit and known error message"
         )
 
     @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_export_config_not_a_file(
+    def test_bad_stored_config(
         self,
         export_options: list[str],
     ) -> None:
         """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
+        with self._test(
+            ["--export", "-", *export_options],
+            config=None,  # type: ignore[arg-type,typeddict-item]
+            error_messages=("Cannot load vault settings:",),
+        ):
+            pass
+
+    @Parametrize.EXPORT_FORMAT_OPTIONS
+    def test_not_a_file(
+        self,
+        export_options: list[str],
+    ) -> None:
+        """Exporting an invalid config fails."""
+        with self._test(
+            ["--export", "-", *export_options],
+            error_messages=("Cannot load vault settings:",),
+        ):
             config_file = cli_helpers.config_filename(subsystem="vault")
             config_file.unlink(missing_ok=True)
             config_file.mkdir(parents=True, exist_ok=True)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", "-", *export_options],
-                input="null",
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot load vault settings:"), (
-            "expected error exit and known error message"
-        )
 
     @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_export_config_target_not_a_file(
+    def test_target_not_a_file(
         self,
         export_options: list[str],
     ) -> None:
         """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
+        with self._test(
+            [], error_messages=("Cannot export vault settings:",)
+        ) as command_line:
             dname = cli_helpers.config_filename(subsystem=None)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--export", os.fsdecode(dname), *export_options],
-                input="null",
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot export vault settings:"), (
-            "expected error exit and known error message"
-        )
+            command_line[:] = ["--export", os.fsdecode(dname), *export_options]
 
     @pytest_machinery.skip_if_on_the_annoying_os
     @Parametrize.EXPORT_FORMAT_OPTIONS
-    def test_export_config_settings_directory_not_a_directory(
+    def test_settings_directory_not_a_directory(
         self,
         export_options: list[str],
     ) -> None:
         """Exporting an invalid config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
+        with self._test(
+            ["--export", "-", *export_options],
+            error_messages=(
+                "Cannot load vault settings:",
+                "Cannot load user config:",
+            ),
+        ):
+            config_dir = cli_helpers.config_filename(subsystem=None)
+            with contextlib.suppress(FileNotFoundError):
+                shutil.rmtree(config_dir)
+            config_dir.write_text("Obstruction!!\n")
+
+
+class TestNotesPrinting:
+    """Tests concerning printing the service notes."""
+
+    def _test(
+        self,
+        notes: str,
+        /,
+        notes_placement: Literal["before", "after"] | None = None,
+        placement_args: list[str] | tuple[str, ...] = (),
+    ) -> None:
+        notes_stripped = notes.strip()
+        maybe_notes = {"notes": notes_stripped} if notes_stripped else {}
+        vault_config = {
+            "global": {"phrase": DUMMY_PASSPHRASE},
+            "services": {
+                DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
+            },
+        }
+        result_phrase = DUMMY_RESULT_PASSPHRASE.decode("ascii")
+        expected = (
+            f"{notes_stripped}\n\n{result_phrase}\n"
+            if notes_placement == "before"
+            else f"{result_phrase}\n\n{notes_stripped}\n\n"
+            if notes_placement == "after"
+            else None
+        )
+        runner = machinery.CliRunner(mix_stderr=notes_placement is not None)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
         # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
         with contextlib.ExitStack() as stack:
             monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
             stack.enter_context(
-                pytest_machinery.isolated_config(
+                pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
+                    vault_config=vault_config,
                 )
             )
-            config_dir = cli_helpers.config_filename(subsystem=None)
-            with contextlib.suppress(FileNotFoundError):
-                shutil.rmtree(config_dir)
-            config_dir.write_text("Obstruction!!\n")
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--export", "-", *export_options],
-                input="null",
+                [*placement_args, "--", DUMMY_SERVICE],
                 catch_exceptions=False,
             )
-        assert result.error_exit(
-            error="Cannot load vault settings:"
-        ) or result.error_exit(error="Cannot load user config:"), (
-            "expected error exit and known error message"
-        )
-
-
-class TestNotesPrinting:
-    """Tests concerning printing the service notes."""
-
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32,
-                max_codepoint=126,
-                include_characters="\n",
-            ),
-            max_size=256,
-        ),
-    )
-    def test_service_with_notes_actually_prints_notes(
-        self,
-        notes: str,
-    ) -> None:
-        """Service notes are printed, if they exist."""
-        hypothesis.assume("Error:" not in notes)
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {
-                            "phrase": DUMMY_PASSPHRASE,
-                        },
-                        "services": {
-                            DUMMY_SERVICE: {
-                                "notes": notes,
-                                **DUMMY_CONFIG_SETTINGS,
-                            },
-                        },
-                    },
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--", DUMMY_SERVICE],
+            if expected is not None:
+                assert result.clean_exit(output=expected), (
+                    "expected clean exit"
                 )
+            else:
                 assert result.clean_exit(), "expected clean exit"
                 assert result.stdout, "expected program output"
-        assert result.stdout.strip() == DUMMY_RESULT_PASSPHRASE.decode(
-            "ascii"
-        ), "expected known program output"
-        assert result.stderr or not notes.strip(), "expected stderr"
+                assert result.stdout.strip() == result_phrase, (
+                    "expected known program output"
+                )
+                assert result.stderr or not notes_stripped, "expected stderr"
                 assert "Error:" not in result.stderr, (
                     "expected no error messages on stderr"
                 )
-        assert result.stderr.strip() == notes.strip(), (
+                assert result.stderr.strip() == notes_stripped, (
                     "expected known stderr contents"
                 )
 
+    @hypothesis.given(notes=Strategies.notes().filter(str.strip))
+    def test_service_with_notes_actually_prints_notes(
+        self,
+        notes: str,
+    ) -> None:
+        """Service notes are printed, if they exist."""
+        hypothesis.assume("Error:" not in notes)
+        self._test(notes, notes_placement=None, placement_args=())
+
     @Parametrize.NOTES_PLACEMENT
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
+    @hypothesis.given(notes=Strategies.notes().filter(str.strip))
     def test_notes_placement(
         self,
         notes_placement: Literal["before", "after"],
         placement_args: list[str],
         notes: str,
     ) -> None:
-        notes = notes.strip()
-        maybe_notes = {"notes": notes} if notes else {}
-        vault_config = {
-            "global": {"phrase": DUMMY_PASSPHRASE},
-            "services": {
-                DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
-            },
-        }
-        result_phrase = DUMMY_RESULT_PASSPHRASE.decode("ascii")
-        expected = (
-            f"{notes}\n\n{result_phrase}\n"
-            if notes_placement == "before"
-            else f"{result_phrase}\n\n{notes}\n\n"
+        self._test(
+            notes,
+            notes_placement=notes_placement,
+            placement_args=placement_args,
         )
-        runner = machinery.CliRunner(mix_stderr=True)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config=vault_config,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [*placement_args, "--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(output=expected), "expected clean exit"
 
 
-class TestNotesEditingValid:
-    """Tests concerning editing service notes: valid calls."""
+class TestNotesEditing:
+    """Superclass for tests concerning editing service notes."""
 
-    @Parametrize.MODERN_EDITOR_INTERFACE
-    @hypothesis.settings(
-        suppress_health_check=[
-            *hypothesis.settings().suppress_health_check,
-            hypothesis.HealthCheck.function_scoped_fixture,
-        ],
+    CURRENT_NOTES = "Contents go here"
+    OLD_NOTES_TEXT = (
+        "These backup notes are left over from the previous session."
     )
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
-    def test_successful_edit(
+
+    def _calculate_expected_contents(
         self,
-        caplog: pytest.LogCaptureFixture,
+        final_notes: str,
+        /,
+        *,
         modern_editor_interface: bool,
-        notes: str,
-    ) -> None:
-        """Editing notes works."""
-        marker = cli_messages.TranslatedString(
-            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
+        current_notes: str | None = CURRENT_NOTES,
+        old_notes_text: str | None = OLD_NOTES_TEXT,
+    ) -> tuple[str, str]:
+        current_notes = current_notes or ""
+        old_notes_text = old_notes_text or ""
+        # For the modern editor interface, the notes change if and only
+        # if the notes change to a different, non-empty string.  There
+        # are no backup notes, so we return the old ones (which may be
+        # synthetic) unchanged.
+        if modern_editor_interface:
+            return old_notes_text.strip(), (
+                final_notes.strip()
+                if final_notes.strip()
+                and final_notes.strip() != current_notes.strip()
+                else current_notes.strip()
+            )
+        # For the legacy editor interface, the notes and the backup
+        # notes change if and only if the new notes differ from the
+        # previous notes.
+        return (
+            (current_notes.strip(), final_notes.strip())
+            if final_notes.strip() != current_notes.strip()
+            else (old_notes_text.strip(), current_notes.strip())
+        )
+
+    def _test(
+        self,
+        edit_result: str,
+        /,
+        *,
+        modern_editor_interface: bool,
+        current_notes: str | None = CURRENT_NOTES,
+        old_notes_text: str | None = OLD_NOTES_TEXT,
+    ) -> tuple[machinery.ReadableResult, str, _types.VaultConfig]:
+        if hypothesis.currently_in_test_context():  # pragma: no branch
+            hypothesis.note(f"{edit_result = }")
+            hypothesis.note(f"{modern_editor_interface = }")
+            hypothesis.note(
+                f"vault_config = {self._vault_config(current_notes or '')}"
             )
-        edit_result = f"""
-
-{marker}
-{notes}
-"""
-        # Reset caplog between hypothesis runs.
-        caplog.clear()
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2007,18 +1847,15 @@ class TestNotesEditingValid:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": "Contents go here"}},
-                    },
+                    vault_config=self._vault_config(current_notes or ""),
                 )
             )
             notes_backup_file = cli_helpers.config_filename(
                 subsystem="notes backup"
             )
+            if old_notes_text and old_notes_text.strip():  # pragma: no branch
                 notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
+                    old_notes_text.strip(), encoding="UTF-8"
                 )
             monkeypatch.setattr(click, "edit", lambda *_a, **_kw: edit_result)
             result = runner.invoke(
@@ -2034,113 +1871,217 @@ class TestNotesEditingValid:
                 ],
                 catch_exceptions=False,
             )
+            backup_contents = notes_backup_file.read_text(encoding="UTF-8")
+            with cli_helpers.config_filename(subsystem="vault").open(
+                encoding="UTF-8"
+            ) as infile:
+                config = json.load(infile)
+            if hypothesis.currently_in_test_context():  # pragma: no branch
+                hypothesis.note(f"{result = }")
+                hypothesis.note(f"{backup_contents = }")
+                hypothesis.note(f"{config = }")
+            return result, backup_contents, config
+
+    def _assert_noop_exit(
+        self,
+        result: machinery.ReadableResult,
+        /,
+        *,
+        modern_editor_interface: bool = False,
+    ) -> None:
+        # We do not distinguish between aborts and no-op edits.  Aborts
+        # are treated as failures (error exit), and thus tested
+        # specifically in a different class.
+        if modern_editor_interface:
+            assert result.error_exit(
+                error="the user aborted the request"
+            ) or result.clean_exit(empty_stderr=True), "expected clean exit"
+        else:
+            assert result.clean_exit(empty_stderr=False), "expected clean exit"
+
+    def _assert_normal_exit(self, result: machinery.ReadableResult) -> None:
         assert result.clean_exit(), "expected clean exit"
         assert all(map(is_warning_line, result.stderr.splitlines(True)))
-            assert modern_editor_interface or machinery.warning_emitted(
-                "A backup copy of the old notes was saved",
-                caplog.record_tuples,
-            ), "expected known warning message in stderr"
+
+    def _assert_notes_backup_warning(
+        self,
+        caplog: pytest.LogCaptureFixture,
+        /,
+        *,
+        modern_editor_interface: bool,
+        notes_unchanged: bool = False,
+    ) -> None:
         assert (
             modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "Contents go here"
+            or notes_unchanged
+            or machinery.warning_emitted(
+                "A backup copy of the old notes was saved",
+                caplog.record_tuples,
             )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
+        ), "expected known warning message on stderr"
+
+    def _assert_notes_and_backup_notes(
+        self,
+        /,
+        *,
+        final_notes: str,
+        new_backup_notes: str,
+        new_config: _types.VaultConfig,
+        modern_editor_interface: bool,
+        current_notes: str | None = CURRENT_NOTES,
+        old_notes_text: str | None = OLD_NOTES_TEXT,
+    ) -> None:
+        if hypothesis.currently_in_test_context():  # pragma: no branch
+            hypothesis.note(f"{final_notes = }")
+            hypothesis.note(f"{current_notes = }")
+        expected_backup_notes, expected_notes = (
+            self._calculate_expected_contents(
+                final_notes,
+                modern_editor_interface=modern_editor_interface,
+                current_notes=current_notes,
+                old_notes_text=old_notes_text,
+            )
+        )
+        expected_config = self._vault_config(expected_notes)
+        assert new_config == expected_config
+        assert new_backup_notes == expected_backup_notes
+
+    @staticmethod
+    def _vault_config(
+        starting_notes: str = CURRENT_NOTES, /
+    ) -> _types.VaultConfig:
+        return {
             "global": {"phrase": "abc"},
             "services": {
-                    "sv": {
-                        "notes": notes.strip()
-                        if modern_editor_interface
-                        else edit_result.strip()
-                    }
+                "sv": {"notes": starting_notes.strip()}
+                if starting_notes.strip()
+                else {}
             },
         }
 
-    @Parametrize.NOOP_EDIT_FUNCS
+    class ExtraArgs(TypedDict):
+        modern_editor_interface: bool
+        current_notes: NotRequired[str]
+        old_notes_text: NotRequired[str]
+
+
+class TestNotesEditingValid(TestNotesEditing):
+    """Tests concerning editing service notes: valid calls."""
+
+    @Parametrize.MODERN_EDITOR_INTERFACE
+    @hypothesis.settings(
+        suppress_health_check=[
+            *hypothesis.settings().suppress_health_check,
+            hypothesis.HealthCheck.function_scoped_fixture,
+        ],
+    )
     @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
+        notes=Strategies.notes()
+        .filter(str.strip)
+        .filter(lambda notes: notes != TestNotesEditingValid.CURRENT_NOTES)
     )
-    def test_noop_edit(
+    @hypothesis.example(TestNotesEditing.CURRENT_NOTES)
+    def test_successful_edit(
         self,
-        edit_func_name: Literal["empty", "space"],
+        caplog: pytest.LogCaptureFixture,
         modern_editor_interface: bool,
         notes: str,
     ) -> None:
-        """Abandoning edited notes works."""
+        """Editing notes works."""
+        # Reset caplog between hypothesis runs.
+        caplog.clear()
+        marker = cli_messages.TranslatedString(
+            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
+        )
+        edit_result = (
+            f"""
 
-        def empty(text: str, *_args: Any, **_kwargs: Any) -> str:
-            del text
-            return ""
+{marker}
+{notes}
+"""
+            if modern_editor_interface
+            else notes.strip()
+        )
 
-        def space(text: str, *_args: Any, **_kwargs: Any) -> str:
-            del text
-            return "       " + notes.strip() + "\n\n\n\n\n\n"
+        extra_args: TestNotesEditing.ExtraArgs = {
+            "modern_editor_interface": modern_editor_interface,
+            "current_notes": self.CURRENT_NOTES,
+            "old_notes_text": self.OLD_NOTES_TEXT,
+        }
+        notes_unchanged = notes.strip() == extra_args["current_notes"].strip()
 
-        edit_funcs = {"empty": empty, "space": space}
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": notes.strip()}},
-                    },
+        result, new_backup_notes, new_config = self._test(
+            edit_result, **extra_args
         )
+        self._assert_normal_exit(result)
+        self._assert_notes_and_backup_notes(
+            final_notes=notes,
+            new_backup_notes=new_backup_notes,
+            new_config=new_config,
+            **extra_args,
         )
-            notes_backup_file = cli_helpers.config_filename(
-                subsystem="notes backup"
-            )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
+        self._assert_notes_backup_warning(
+            caplog,
+            modern_editor_interface=modern_editor_interface,
+            notes_unchanged=notes_unchanged,
         )
-            monkeypatch.setattr(click, "edit", edit_funcs[edit_func_name])
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface"
-                    if modern_editor_interface
-                    else "--vault-legacy-editor-interface",
-                    "--",
-                    "sv",
+
+    @Parametrize.MODERN_EDITOR_INTERFACE
+    @hypothesis.settings(
+        suppress_health_check=[
+            *hypothesis.settings().suppress_health_check,
+            hypothesis.HealthCheck.function_scoped_fixture,
         ],
-                catch_exceptions=False,
     )
-            assert result.clean_exit(empty_stderr=True) or result.error_exit(
-                error="the user aborted the request"
-            ), "expected clean exit"
-            assert (
-                modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "These backup notes are left over from the previous session."
+    @hypothesis.given(notes=Strategies.notes().filter(str.strip))
+    @hypothesis.example(TestNotesEditing.CURRENT_NOTES)
+    def test_noop_edit(
+        self,
+        caplog: pytest.LogCaptureFixture,
+        modern_editor_interface: bool,
+        notes: str,
+    ) -> None:
+        """No-op editing existing notes works.
+
+        The notes are unchanged, and the command-line interface does not
+        report an abort.  For the legacy editor interface, the backup
+        notes are unchanged as well.
+
+        """
+        # Reset caplog between hypothesis runs.
+        caplog.clear()
+        marker = cli_messages.TranslatedString(
+            cli_messages.Label.DERIVEPASSPHRASE_VAULT_NOTES_MARKER
         )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"notes": notes.strip()}},
+        edit_result = (f"{marker}\n" if modern_editor_interface else "") + (
+            " " * 6 + notes + "\n" * 6
+        )
+
+        extra_args: TestNotesEditing.ExtraArgs = {
+            "modern_editor_interface": modern_editor_interface,
+            "current_notes": notes.strip(),
+            "old_notes_text": self.OLD_NOTES_TEXT,
         }
 
+        result, new_backup_notes, new_config = self._test(
+            edit_result, **extra_args
+        )
+        self._assert_noop_exit(
+            result,
+            modern_editor_interface=modern_editor_interface,
+        )
+        self._assert_notes_and_backup_notes(
+            final_notes=notes,
+            new_backup_notes=new_backup_notes,
+            new_config=new_config,
+            **extra_args,
+        )
+        self._assert_notes_backup_warning(
+            caplog,
+            modern_editor_interface=modern_editor_interface,
+            notes_unchanged=True,
+        )
+
     # TODO(the-13th-letter): Keep this behavior or not, with or without
     # warning?
     @Parametrize.MODERN_EDITOR_INTERFACE
@@ -2150,15 +2091,7 @@ class TestNotesEditingValid:
             hypothesis.HealthCheck.function_scoped_fixture,
         ],
     )
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
+    @hypothesis.given(notes=Strategies.notes().filter(str.strip))
     def test_marker_removed(
         self,
         caplog: pytest.LogCaptureFixture,
@@ -2176,175 +2109,66 @@ class TestNotesEditingValid:
         hypothesis.assume(str(notes_marker) not in notes.strip())
         # Reset caplog between hypothesis runs.
         caplog.clear()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": "Contents go here"}},
-                    },
-                )
+
+        extra_args: TestNotesEditing.ExtraArgs = {
+            "modern_editor_interface": modern_editor_interface,
+            "current_notes": self.CURRENT_NOTES,
+            "old_notes_text": self.OLD_NOTES_TEXT,
+        }
+        notes_unchanged = notes.strip() == extra_args["current_notes"].strip()
+
+        result, new_backup_notes, new_config = self._test(
+            notes.strip(), **extra_args
         )
-            notes_backup_file = cli_helpers.config_filename(
-                subsystem="notes backup"
+        self._assert_normal_exit(result)
+        self._assert_notes_and_backup_notes(
+            final_notes=notes,
+            new_backup_notes=new_backup_notes,
+            new_config=new_config,
+            **extra_args,
         )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
+        self._assert_notes_backup_warning(
+            caplog,
+            modern_editor_interface=modern_editor_interface,
+            notes_unchanged=notes_unchanged,
         )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: notes)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface"
-                    if modern_editor_interface
-                    else "--vault-legacy-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.clean_exit(), "expected clean exit"
-            assert not result.stderr or all(
-                map(is_warning_line, result.stderr.splitlines(True))
-            )
-            assert not caplog.record_tuples or machinery.warning_emitted(
-                "A backup copy of the old notes was saved",
-                caplog.record_tuples,
-            ), "expected known warning message in stderr"
-            assert (
-                modern_editor_interface
-                or notes_backup_file.read_text(encoding="UTF-8")
-                == "Contents go here"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"notes": notes.strip()}},
-            }
 
 
-class TestNotesEditingInvalid:
+class TestNotesEditingInvalid(TestNotesEditing):
     """Tests concerning editing service notes: invalid/error calls."""
 
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            min_size=1,
-            max_size=512,
-        ).filter(str.strip),
-    )
+    @hypothesis.given(notes=Strategies.notes())
+    @hypothesis.example("")
     def test_abort(
         self,
         notes: str,
     ) -> None:
-        """Aborting editing notes works.
+        """Aborting editing notes works, even if no notes are stored yet.
 
         Aborting is only supported with the modern editor interface.
 
         """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {"sv": {"notes": notes.strip()}},
-                    },
-                )
-            )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: "")
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.error_exit(error="the user aborted the request"), (
-                "expected known error message"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {"sv": {"notes": notes.strip()}},
-            }
+        edit_result = ""
 
-    def test_abort_no_prior_notes(
-        self,
-    ) -> None:
-        """Aborting editing notes works even if no notes are stored yet.
-
-        Aborting is only supported with the modern editor interface.
-
-        """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "global": {"phrase": "abc"},
-                        "services": {},
-                    },
-                )
-            )
-            monkeypatch.setattr(click, "edit", lambda *_a, **_kw: "")
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--notes",
-                    "--modern-editor-interface",
-                    "--",
-                    "sv",
-                ],
-                catch_exceptions=False,
-            )
-            assert result.error_exit(error="the user aborted the request"), (
-                "expected known error message"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config = json.load(infile)
-            assert config == {
-                "global": {"phrase": "abc"},
-                "services": {},
+        extra_args: TestNotesEditing.ExtraArgs = {
+            "modern_editor_interface": True,
+            "current_notes": notes.strip(),
+            "old_notes_text": self.OLD_NOTES_TEXT,
         }
 
+        result, new_backup_notes, new_config = self._test(
+            edit_result, **extra_args
+        )
+        assert result.error_exit(error="the user aborted the request"), (
+            "expected error exit"
+        )
+        self._assert_notes_and_backup_notes(
+            final_notes=notes.strip(),
+            new_backup_notes=new_backup_notes,
+            new_config=new_config,
+            **extra_args,
+        )
+
     @Parametrize.MODERN_EDITOR_INTERFACE
     @hypothesis.settings(
         suppress_health_check=[
@@ -2352,14 +2176,8 @@ class TestNotesEditingInvalid:
             hypothesis.HealthCheck.function_scoped_fixture,
         ],
     )
-    @hypothesis.given(
-        notes=strategies.text(
-            strategies.characters(
-                min_codepoint=32, max_codepoint=126, include_characters="\n"
-            ),
-            max_size=512,
-        ),
-    )
+    @hypothesis.given(notes=Strategies.notes())
+    @hypothesis.example("")
     def test_fail_on_config_option_missing(
         self,
         caplog: pytest.LogCaptureFixture,
@@ -2374,6 +2192,9 @@ class TestNotesEditingInvalid:
                 DUMMY_SERVICE: {**maybe_notes, **DUMMY_CONFIG_SETTINGS}
             },
         }
+        old_notes_text = (
+            "These backup notes are left over from the previous session."
+        )
         # Reset caplog between hypothesis runs.
         caplog.clear()
         runner = machinery.CliRunner(mix_stderr=False)
@@ -2397,10 +2218,7 @@ class TestNotesEditingInvalid:
             notes_backup_file = cli_helpers.config_filename(
                 subsystem="notes backup"
             )
-            notes_backup_file.write_text(
-                "These backup notes are left over from the previous session.",
-                encoding="UTF-8",
-            )
+            notes_backup_file.write_text(old_notes_text, encoding="UTF-8")
             monkeypatch.setattr(click, "edit", raiser)
             result = runner.invoke(
                 cli.derivepassphrase_vault,
@@ -2432,7 +2250,7 @@ class TestNotesEditingInvalid:
             assert (
                 modern_editor_interface
                 or notes_backup_file.read_text(encoding="UTF-8")
-                == "These backup notes are left over from the previous session."
+                == old_notes_text
             )
             with cli_helpers.config_filename(subsystem="vault").open(
                 encoding="UTF-8"
@@ -2444,19 +2262,15 @@ class TestNotesEditingInvalid:
 class TestStoringConfigurationSuccesses:
     """Tests concerning storing the configuration: successes."""
 
-    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG
-    def test_store_good_config(
+    def _test(
         self,
         command_line: list[str],
-        input: str,
-        result_config: Any,
-    ) -> None:
-        """Storing valid settings via `--config` works.
-
-        The format also contains embedded newlines and indentation to make
-        the config more readable.
-
-        """
+        /,
+        *,
+        starting_config: _types.VaultConfig | None,
+        result_config: _types.VaultConfig,
+        input: str | bytes | None = None,
+    ) -> machinery.ReadableResult:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2467,9 +2281,12 @@ class TestStoringConfigurationSuccesses:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
+                    vault_config=starting_config,
                 )
             )
+            if starting_config is None:
+                with contextlib.suppress(FileNotFoundError):
+                    shutil.rmtree(cli_helpers.config_filename(subsystem=None))
             monkeypatch.setattr(
                 cli_helpers,
                 "get_suitable_ssh_keys",
@@ -2490,6 +2307,28 @@ class TestStoringConfigurationSuccesses:
                 "stored config does not match expectation"
             )
             assert_vault_config_is_indented_and_line_broken(config_txt)
+            return result
+
+    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG
+    def test_store_good_config(
+        self,
+        command_line: list[str],
+        input: str,
+        starting_config: Any,
+        result_config: Any,
+    ) -> None:
+        """Storing valid settings via `--config` works.
+
+        The format also contains embedded newlines and indentation to make
+        the config more readable.
+
+        """
+        self._test(
+            command_line,
+            input=input,
+            starting_config=starting_config,
+            result_config=result_config,
+        )
 
     def test_config_directory_nonexistant(
         self,
@@ -2504,51 +2343,30 @@ class TestStoringConfigurationSuccesses:
         [PRETTY_PRINT_JSON]: https://the13thletter.info/derivepassphrase/0.x/wishlist/pretty-print-json/
 
         """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
-            with contextlib.suppress(FileNotFoundError):
-                shutil.rmtree(cli_helpers.config_filename(subsystem=None))
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "-p"],
-                catch_exceptions=False,
+        result = self._test(
+            ["-p"],
+            starting_config=None,
+            result_config={"global": {"phrase": "abc"}, "services": {}},
             input="abc\n",
         )
-            assert result.clean_exit(), "expected clean exit"
-            assert result.stderr == "Passphrase:", (
-                "program unexpectedly failed?!"
-            )
-            with cli_helpers.config_filename(subsystem="vault").open(
-                encoding="UTF-8"
-            ) as infile:
-                config_readback = json.load(infile)
-            assert config_readback == {
-                "global": {"phrase": "abc"},
-                "services": {},
-            }, "config mismatch"
+        assert result.stderr == "Passphrase:", "program unexpectedly failed?!"
 
 
 class TestStoringConfigurationFailures:
     """Tests concerning storing the configuration: failures."""
 
-    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG_FAILURES
-    def test_store_bad_config(
+    @contextlib.contextmanager
+    def _test(
         self,
         command_line: list[str],
-        input: str,
-        err_text: str,
-    ) -> None:
-        """Storing invalid settings via `--config` fails."""
+        error_text: str,
+        input: str | bytes | None = None,
+        starting_config: _types.VaultConfig = {  # noqa: B006
+            "global": {"phrase": "abc"},
+            "services": {},
+        },
+        patch_suitable_ssh_keys: bool = True,
+    ) -> Iterator[pytest.MonkeyPatch]:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2559,43 +2377,52 @@ class TestStoringConfigurationFailures:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
+                    vault_config=starting_config,
                 )
             )
+            # Patch the list of suitable SSH keys by default, lest we be
+            # at the mercy of whatever SSH agent may be running. (But
+            # allow a test to turn this off, if it would interfere with
+            # the testing target, e.g. because we are testing
+            # non-reachability of the agent.)
+            if patch_suitable_ssh_keys:
                 monkeypatch.setattr(
                     cli_helpers,
                     "get_suitable_ssh_keys",
                     callables.suitable_ssh_keys,
                 )
+            yield monkeypatch
             result = runner.invoke(
                 cli.derivepassphrase_vault,
                 ["--config", *command_line],
                 catch_exceptions=False,
                 input=input,
             )
-        assert result.error_exit(error=err_text), (
+        assert result.error_exit(error=error_text), (
             "expected error exit and known error message"
         )
 
-    def test_fail_because_no_ssh_key_selection(
+    @Parametrize.CONFIG_EDITING_VIA_CONFIG_FLAG_FAILURES
+    def test_store_bad_config(
         self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
+        command_line: list[str],
+        input: str,
+        err_text: str,
     ) -> None:
-        """Not selecting an SSH key during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
+        """Storing invalid settings via `--config` fails."""
+        with self._test(command_line, error_text=err_text, input=input):
+            pass
+
+    def test_fail_because_no_ssh_key_selection(self) -> None:
+        """Not selecting an SSH key during `--config --key` fails.
+
+        (This test does not actually need a running agent; the agent's
+        response is mocked by the test harness.)
+
+        """
+        with self._test(
+            ["--key"], error_text="the user aborted the request"
+        ) as monkeypatch:
 
             def prompt_for_selection(*_args: Any, **_kwargs: Any) -> NoReturn:
                 raise IndexError(cli_helpers.EMPTY_SELECTION)
@@ -2603,198 +2430,84 @@ class TestStoringConfigurationFailures:
             monkeypatch.setattr(
                 cli_helpers, "prompt_for_selection", prompt_for_selection
             )
-            # Also patch the list of suitable SSH keys, lest we be at
-            # the mercy of whatever SSH agent may be running.
-            monkeypatch.setattr(
-                cli_helpers,
-                "get_suitable_ssh_keys",
-                callables.suitable_ssh_keys,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="the user aborted the request"), (
-            "expected error exit and known error message"
-        )
-
-    def test_fail_because_no_ssh_agent(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Not running an SSH agent during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            monkeypatch.delenv("SSH_AUTH_SOCK", raising=False)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot find any running SSH agent"), (
-            "expected error exit and known error message"
-        )
-
-    def test_fail_because_bad_ssh_agent_connection(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Not running a reachable SSH agent during `--config --key` fails."""
-        running_ssh_agent.require_external_address()
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            cwd = pathlib.Path.cwd().resolve()
-            monkeypatch.setenv("SSH_AUTH_SOCK", str(cwd))
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot connect to the SSH agent"), (
-            "expected error exit and known error message"
-        )
-
-    @Parametrize.TRY_RACE_FREE_IMPLEMENTATION
-    def test_fail_because_read_only_file(
-        self,
-        try_race_free_implementation: bool,
-    ) -> None:
-        """Using a read-only configuration file with `--config` fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            callables.make_file_readonly(
-                cli_helpers.config_filename(subsystem="vault"),
-                try_race_free_implementation=try_race_free_implementation,
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "--length=15", "--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="Cannot store vault settings:"), (
-            "expected error exit and known error message"
-        )
-
-    def test_fail_because_of_custom_error(
-        self,
-    ) -> None:
-        """Triggering internal errors during `--config` leads to failure."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            custom_error = "custom error message"
 
-            def raiser(config: Any) -> None:
-                del config
-                raise RuntimeError(custom_error)
+    def test_fail_because_no_ssh_agent(self) -> None:
+        """Not running an SSH agent during `--config --key` fails.
 
-            monkeypatch.setattr(cli_helpers, "save_config", raiser)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "--length=15", "--", DUMMY_SERVICE],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error=custom_error), (
-            "expected error exit and known error message"
-        )
+        (This test does not actually need a running agent; the agent's
+        response is mocked by the test harness.)
 
-    def test_fail_because_unsetting_and_setting_same_settings(
-        self,
-    ) -> None:
-        """Issuing conflicting settings to `--config` fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                [
-                    "--config",
-                    "--unset=length",
-                    "--length=15",
-                    "--",
-                    DUMMY_SERVICE,
-                ],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(
-            error="Attempted to unset and set --length at the same time."
-        ), "expected error exit and known error message"
+        """
+        with self._test(
+            ["--key"],
+            error_text="Cannot find any running SSH agent",
+            patch_suitable_ssh_keys=False,
+        ) as monkeypatch:
+            monkeypatch.delenv("SSH_AUTH_SOCK", raising=False)
 
-    def test_fail_because_ssh_agent_has_no_keys_loaded(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
+    def test_fail_because_bad_ssh_agent_connection(self) -> None:
+        """Not running a reachable SSH agent during `--config --key` fails.
+
+        (This test does not actually need a running agent; the agent's
+        response is mocked by the test harness.)
+
+        """
+        with self._test(
+            ["--key"],
+            error_text="Cannot connect to the SSH agent",
+            patch_suitable_ssh_keys=False,
+        ) as monkeypatch:
+            cwd = pathlib.Path.cwd().resolve()
+            monkeypatch.setenv("SSH_AUTH_SOCK", str(cwd))
+
+    @Parametrize.TRY_RACE_FREE_IMPLEMENTATION
+    def test_fail_because_read_only_file(
+        self, try_race_free_implementation: bool
     ) -> None:
-        """Not holding any SSH keys during `--config --key` fails."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
+        """Using a read-only configuration file with `--config` fails."""
+        with self._test(
+            ["--length=15", "--", DUMMY_SERVICE],
+            error_text="Cannot store vault settings:",
+        ):
+            callables.make_file_readonly(
+                cli_helpers.config_filename(subsystem="vault"),
+                try_race_free_implementation=try_race_free_implementation,
             )
 
+    def test_fail_because_of_custom_error(self) -> None:
+        """Triggering internal errors during `--config` leads to failure."""
+        custom_error = "custom error message"
+        with self._test(
+            ["--length=15", "--", DUMMY_SERVICE], error_text=custom_error
+        ) as monkeypatch:
+
+            def raiser(config: Any) -> None:
+                del config
+                raise RuntimeError(custom_error)
+
+            monkeypatch.setattr(cli_helpers, "save_config", raiser)
+
+    def test_fail_because_unsetting_and_setting_same_settings(self) -> None:
+        """Issuing conflicting settings to `--config` fails."""
+        with self._test(
+            ["--unset=length", "--length=15", "--", DUMMY_SERVICE],
+            error_text="Attempted to unset and set --length at the same time.",
+        ):
+            pass
+
+    def test_fail_because_ssh_agent_has_no_keys_loaded(self) -> None:
+        """Not holding any SSH keys during `--config --key` fails.
+
+        (This test does not actually need a running agent; the agent's
+        response is mocked by the test harness.)
+
+        """
+        with self._test(
+            ["--key"],
+            error_text="no keys suitable",
+            patch_suitable_ssh_keys=False,
+        ) as monkeypatch:
+
             def func(
                 *_args: Any,
                 **_kwargs: Any,
@@ -2802,67 +2515,35 @@ class TestStoringConfigurationFailures:
                 return []
 
             monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", func)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="no keys suitable"), (
-            "expected error exit and known error message"
-        )
 
-    def test_store_config_fail_manual_ssh_agent_runtime_error(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """Triggering an error in the SSH agent during `--config --key` leads to failure."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
+    def test_store_config_fail_manual_ssh_agent_runtime_error(self) -> None:
+        """Triggering an error in the SSH agent during `--config --key` leads to failure.
+
+        (This test does not actually need a running agent; the agent's
+        response is mocked by the test harness.)
+
+        """
+        with self._test(
+            ["--key"],
+            error_text="violates the communication protocol",
+            patch_suitable_ssh_keys=False,
+        ) as monkeypatch:
 
             def raiser(*_args: Any, **_kwargs: Any) -> None:
                 raise ssh_agent.TrailingDataError()
 
             monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", raiser)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(
-            error="violates the communication protocol."
-        ), "expected error exit and known error message"
 
-    def test_store_config_fail_manual_ssh_agent_refuses(
-        self,
-        running_ssh_agent: data.RunningSSHAgentInfo,
-    ) -> None:
-        """The SSH agent refusing during `--config --key` leads to failure."""
-        del running_ssh_agent
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"global": {"phrase": "abc"}, "services": {}},
-                )
-            )
+    def test_store_config_fail_manual_ssh_agent_refuses(self) -> None:
+        """The SSH agent refusing during `--config --key` leads to failure.
+
+        (This test does not actually need a running agent; the agent's
+        response is mocked by the test harness.)
+
+        """
+        with self._test(
+            ["--key"], error_text="refused to", patch_suitable_ssh_keys=False
+        ) as monkeypatch:
 
             def func(*_args: Any, **_kwargs: Any) -> NoReturn:
                 raise ssh_agent.SSHAgentFailedError(
@@ -2870,18 +2551,8 @@ class TestStoringConfigurationFailures:
                 )
 
             monkeypatch.setattr(ssh_agent.SSHAgentClient, "list_keys", func)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--key", "--config"],
-                catch_exceptions=False,
-            )
-        assert result.error_exit(error="refused to"), (
-            "expected error exit and known error message"
-        )
 
-    def test_config_directory_not_a_file(
-        self,
-    ) -> None:
+    def test_config_directory_not_a_file(self) -> None:
         """Erroring without an existing config directory errors normally.
 
         That is, the missing configuration directory does not cause any
@@ -2895,18 +2566,11 @@ class TestStoringConfigurationFailures:
         [PRETTY_PRINT_JSON]: https://the13thletter.info/derivepassphrase/0.x/wishlist/pretty-print-json/
 
         """
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                )
-            )
+        with self._test(
+            ["--phrase"],
+            error_text="Cannot store vault settings:",
+            input="abc\n",
+        ) as monkeypatch:
             save_config_ = cli_helpers.save_config
 
             def obstruct_config_saving(*args: Any, **kwargs: Any) -> Any:
@@ -2920,30 +2584,25 @@ class TestStoringConfigurationFailures:
             monkeypatch.setattr(
                 cli_helpers, "save_config", obstruct_config_saving
             )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--config", "-p"],
-                catch_exceptions=False,
-                input="abc\n",
-            )
-            assert result.error_exit(error="Cannot store vault settings:"), (
-                "expected error exit and known error message"
-            )
 
 
 class TestPassphraseUnicodeNormalization:
     """Tests concerning the Unicode normalization of passphrases."""
 
-    @Parametrize.UNICODE_NORMALIZATION_WARNING_INPUTS
-    def test_warning(
+    DEFAULT_VAULT_CONFIG: ClassVar[_types.VaultConfig] = {
+        "services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}
+    }
+
+    def _test(
         self,
-        caplog: pytest.LogCaptureFixture,
-        main_config: str,
         command_line: list[str],
-        input: str | None,
-        warning_message: str,
+        /,
+        *,
+        main_config: str,
+        message: str,
+        caplog: pytest.LogCaptureFixture | None = None,
+        input: str | None = None,
     ) -> None:
-        """Using unnormalized Unicode passphrases warns."""
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -2954,115 +2613,75 @@ class TestPassphraseUnicodeNormalization:
                 pytest_machinery.isolated_vault_config(
                     monkeypatch=monkeypatch,
                     runner=runner,
-                    vault_config={
-                        "services": {
-                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
-                        }
-                    },
+                    vault_config=self.DEFAULT_VAULT_CONFIG,
                     main_config_str=main_config,
                 )
             )
             result = runner.invoke(
                 cli.derivepassphrase_vault,
-                ["--debug", *command_line],
+                ["--debug", *command_line]
+                if caplog is not None
+                else command_line,
                 catch_exceptions=False,
                 input=input,
             )
+        if caplog is not None:
             assert result.clean_exit(), "expected clean exit"
-        assert machinery.warning_emitted(
-            warning_message, caplog.record_tuples
-        ), "expected known warning message in stderr"
+            assert machinery.warning_emitted(message, caplog.record_tuples), (
+                "expected known warning message in stderr"
+            )
+        else:
+            assert result.error_exit(
+                error="The user configuration file is invalid."
+            ), "expected error exit and known error message"
+            assert result.error_exit(error=message), (
+                "expected error exit and known error message"
+            )
 
-    @Parametrize.UNICODE_NORMALIZATION_ERROR_INPUTS
-    def test_error(
+    @Parametrize.UNICODE_NORMALIZATION_WARNING_INPUTS
+    def test_warning(
         self,
+        caplog: pytest.LogCaptureFixture,
         main_config: str,
         command_line: list[str],
         input: str | None,
-        error_message: str,
+        warning_message: str,
     ) -> None:
-        """Using unknown Unicode normalization forms fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "services": {
-                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
-                        }
-                    },
-                    main_config_str=main_config,
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
+        """Using unnormalized Unicode passphrases warns."""
+        self._test(
             command_line,
-                catch_exceptions=False,
+            main_config=main_config,
+            message=warning_message,
+            caplog=caplog,
             input=input,
         )
-        assert result.error_exit(
-            error="The user configuration file is invalid."
-        ), "expected error exit and known error message"
-        assert result.error_exit(error=error_message), (
-            "expected error exit and known error message"
-        )
 
-    @Parametrize.UNICODE_NORMALIZATION_COMMAND_LINES
-    def test_error_from_stored_config(
+    @Parametrize.UNICODE_NORMALIZATION_ERROR_INPUTS
+    def test_error(
         self,
+        main_config: str,
         command_line: list[str],
+        input: str | None,
+        error_message: str,
     ) -> None:
-        """Using unknown Unicode normalization forms in the config fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={
-                        "services": {
-                            DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()
-                        }
-                    },
-                    main_config_str=(
-                        "[vault]\ndefault-unicode-normalization-form = 'XXX'\n"
-                    ),
-                )
-            )
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
+        """Using unknown Unicode normalization forms fails."""
+        self._test(
             command_line,
-                input=DUMMY_PASSPHRASE,
-                catch_exceptions=False,
+            main_config=main_config,
+            message=error_message,
+            input=input,
         )
-            assert result.error_exit(
-                error="The user configuration file is invalid."
-            ), "expected error exit and known error message"
-            assert result.error_exit(
-                error=(
-                    "Invalid value 'XXX' for config key "
-                    "vault.default-unicode-normalization-form"
-                ),
-            ), "expected error exit and known error message"
 
 
 class TestUserConfigurationFileOther:
     """Other tests concerning the user configuration file."""
 
-    def test_bad_user_config_file(
+    @contextlib.contextmanager
+    def _test(
         self,
-    ) -> None:
-        """Loading a user configuration file in an invalid format fails."""
+        *,
+        main_config: str = "",
+    ) -> Iterator[pytest.MonkeyPatch]:
         runner = machinery.CliRunner(mix_stderr=False)
         # TODO(the-13th-letter): Rewrite using parenthesized
         # with-statements.
@@ -3074,9 +2693,10 @@ class TestUserConfigurationFileOther:
                     monkeypatch=monkeypatch,
                     runner=runner,
                     vault_config={"services": {}},
-                    main_config_str="This file is not valid TOML.\n",
+                    main_config_str=main_config,
                 )
             )
+            yield monkeypatch
             result = runner.invoke(
                 cli.derivepassphrase_vault,
                 ["--phrase", "--", DUMMY_SERVICE],
@@ -3087,38 +2707,23 @@ class TestUserConfigurationFileOther:
                 "expected error exit and known error message"
             )
 
+    def test_bad_user_config_file(
+        self,
+    ) -> None:
+        """Loading a user configuration file in an invalid format fails."""
+        with self._test(main_config="This file is not valid TOML.\n"):
+            pass
+
     def test_user_config_is_a_directory(
         self,
     ) -> None:
         """Loading a user configuration non-file fails."""
-        runner = machinery.CliRunner(mix_stderr=False)
-        # TODO(the-13th-letter): Rewrite using parenthesized
-        # with-statements.
-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9
-        with contextlib.ExitStack() as stack:
-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())
-            stack.enter_context(
-                pytest_machinery.isolated_vault_config(
-                    monkeypatch=monkeypatch,
-                    runner=runner,
-                    vault_config={"services": {}},
-                    main_config_str="",
-                )
-            )
+        with self._test():
             user_config = cli_helpers.config_filename(
                 subsystem="user configuration"
             )
             user_config.unlink()
             user_config.mkdir(parents=True, exist_ok=True)
-            result = runner.invoke(
-                cli.derivepassphrase_vault,
-                ["--phrase", "--", DUMMY_SERVICE],
-                input=DUMMY_PASSPHRASE,
-                catch_exceptions=False,
-            )
-            assert result.error_exit(error="Cannot load user config:"), (
-                "expected error exit and known error message"
-            )
 
 
 class TestSSHAgentAvailability:
