Recent commits to derivepassphrase.git (608b6108f8e6a854e2e0b99d6bec478141ce0896) https://git.schokokeks.org/derivepassphrase.git/tree/608b6108f8e6a854e2e0b99d6bec478141ce0896 Recent commits feed provided by GitList. Run the vault utility `key_to_phrase` tests against the stub SSH agent The `key_to_phrase` vault utitilies test set checks the various error conditions that can occur when obtaining an equivalent vault master passphrase from a master SSH key. The test has 10 parametrization instances, and used to run against the `ssh_agent_client_with_test_keys_loaded` fixture, which currently has 8 parametrization instances, making for a total of 80 tests attempted. However, the tests either focus on construction failures or they inject fake agent responses into the client, so in all 80 cases, there is no actual I/O occurring with the agent. For the 5 external agents (the first 50 cases), this is wasteful, and for the 3 internal agents (the remaining 30 cases), the results are identical among them. So cut this down to testing against 1 of the internal agents (the stubbed SSH agent with address support), for a total of 10 test cases, none of which involve external I/O. As a bonus, because the remaining internal agent is guaranteed reentrant, we can do away with the parametrization instance distinction between construction failures and other failures, and with the special handling of potentially non-reentrant agents. To make this work, because some tests simulate broken support for system-specific SSH agent socket providers, our setup code needs to force the use of the respective provider. As a result, only the `UNSET_PROVIDERS`, `UNSET_AF_UNIX_AND_ENSURE_USE`, `UNSET_NATIVE_AND_ENSURE_USE` and `UNSET_WINDLL_AND_ENSURE_USE` constants from our `SystemSupportAction` enum are still in use, the `UNSET_AF_UNIX`, `UNSET_NATIVE` and `UNSET_WINDLL` constants are not. We retire those constants, and remove the "skip the test if that provider is not currently in use" machinery associated with those constants. The remaining "ensure use" machinery is short enough that it can then be inlined at the call sites. https://git.schokokeks.org/derivepassphrase.git/commit/608b6108f8e6a854e2e0b99d6bec478141ce0896 software@the13thletter.info (Marco Ricci) Mon, 22 Jun 2026 15:03:49 +0200 608b6108f8e6a854e2e0b99d6bec478141ce0896 Add a pytest marker for external SSH agent use This allows finding tests which use external SSH agents more easily, so that they may be better evaluated for necessity of such agent use. https://git.schokokeks.org/derivepassphrase.git/commit/c930819d63ed7a9c38ed146716b1db3f8395dba6 software@the13thletter.info (Marco Ricci) Sun, 21 Jun 2026 22:00:04 +0200 c930819d63ed7a9c38ed146716b1db3f8395dba6 Run vault CLI config management tests against the stub agent where possible Several tests for the `vault` CLI check for failures when storing or retrieving a selected SSH key to/from the `vault` settings file. These tests used to run against every known SSH agent, separately, but not truly interact with the agent at all, because all high-level interaction was stubbed out to return error responses anyway. For externally spawned or interfaced SSH agents, this is wasteful. So we now restrict these tests to run against the stubbed agent, which is specifically designed for these purposes. Half of these tests previously falsely claimed that they don't actually need an external agent; now, they no longer lie. The other half never made any claims; now, they do. There may be other tests that request external SSH agents but don't actually require them, but this is somewhat hard to discover exhaustively. These tests were an obvious first group of tests that could be fixed in one go. Other groups (if any) will be left to future commits. https://git.schokokeks.org/derivepassphrase.git/commit/e8e4a63dcca200af6cc4d570d7202d6f38b660ea software@the13thletter.info (Marco Ricci) Sun, 21 Jun 2026 21:02:26 +0200 e8e4a63dcca200af6cc4d570d7202d6f38b660ea Use the stub agent for SSH agent client communications faking Instead of stubbing all I/O to the stub agent ourselves, use the stub agent's facilities for this. https://git.schokokeks.org/derivepassphrase.git/commit/958669d2bf797c45408d7f6ffa4c571b81385a1b software@the13thletter.info (Marco Ricci) Sat, 20 Jun 2026 14:39:49 +0200 958669d2bf797c45408d7f6ffa4c571b81385a1b Harmonize tests for missing SSH agent communication support Use a common parameter set and a common monkeypatching setup. At the moment, this is done by copy-pasting the parametrization and setup code, but this could feasibly be abstracted into a common testing function and common parameter set within the `tests.data` and `tests.data.callables` modules. https://git.schokokeks.org/derivepassphrase.git/commit/b76c2afc68fd4e0a5164fa9ff258470be947d5e2 software@the13thletter.info (Marco Ricci) Sat, 20 Jun 2026 13:58:03 +0200 b76c2afc68fd4e0a5164fa9ff258470be947d5e2 Reformat recent test changes for consistent style https://git.schokokeks.org/derivepassphrase.git/commit/bad75d455d6e170c20b0405ead16fa732de727e3 software@the13thletter.info (Marco Ricci) Sat, 20 Jun 2026 11:36:36 +0200 bad75d455d6e170c20b0405ead16fa732de727e3 Type generators explicitly as generators, not iterators For compatibility with `contextlib.contextmanager`, and because it is the more specific type, we annotate generators as `Generator[T, None, None]`, not as `Iterator[T]`. In January 2026, typeshed started shipping type annotations for the Python standard library that deprecate the use of `contextlib.contextmanager` with general functions returning `Iterator[T]`. `contextlib.contextmanager` actually requires a `Generator[T, None, None]` to work, but the `contextlib` and the `typing` documentation has been erroneously suggesting the `Iterator[T]` type as a "shorthand" notation for years. For `contextlib.contextmanager`, the difference matters. So, re-annotate everything explicitly with generators (when producing) or iterables (when consuming), whichever is appropriate. https://git.schokokeks.org/derivepassphrase.git/commit/f797d5074181fc4d5a35f04367784543249315e4 software@the13thletter.info (Marco Ricci) Fri, 19 Jun 2026 22:40:11 +0200 f797d5074181fc4d5a35f04367784543249315e4 Refactor the (SSH agent) testing machinery tests for modularity Use pytest parametrization and hypothesis randomization systematically: tests that have exhaustive configurations or error conditions use pytest parametrization, tests with whole classes of configurations or error conditions use hypothesis randomization. Consolidate tests that test the same thing, but under different circumstances, into pytest parametrized tests. Also, use class inheritance to share helper functions for setting up the stub agent environment across all relevant test groups. Consolidating tests usually involves variants of a test for different variants of the stubbed agent. Converting pytest parametrization to a hypothesis strategy usually means settling for a `strategies.sampled_from(existing_parameter_set)` implementation and leaving any smarter generation logic to future edits. https://git.schokokeks.org/derivepassphrase.git/commit/3a69028fe108068a7c7ba6e0cdeeefc18df56e7d software@the13thletter.info (Marco Ricci) Fri, 19 Jun 2026 21:31:13 +0200 3a69028fe108068a7c7ba6e0cdeeefc18df56e7d Re-align the stubbed SSH agent socket with "real world" behavior Let the stubbed SSH agent tolerate incomplete request messages, or multiple request messages at once, within the same `sendall` call. Furthermore, change the error type to OSError (EBADF) for I/O on closed socket connections (mirroring the behavior of UNIX domain sockets) and when closing the connection, assert that no incomplete requests have been issued to the agent. With this change, the stubbed SSH agent socket now usefully models the communication channel between agent and client, and can be sensibly used to simulate communication and protocol errors (or their absence). This differentiates it—in terms of scope and use cases—from the agent protocol response queue, which monkeypatches the client instead of faking a server, and which operates on full request/response messages. Add some commentary to the stubbed SSH agent socket docstring to this effect. https://git.schokokeks.org/derivepassphrase.git/commit/27f35e7c4101164e42e08051b0698a55735f8322 software@the13thletter.info (Marco Ricci) Thu, 18 Jun 2026 06:15:10 +0200 27f35e7c4101164e42e08051b0698a55735f8322 Serialize the SSH agent protocol numbers as request/response codes When calling `bytes` on the SSH agent protocol number enums, return their corresponding serialization as request codes or response codes. (A follow-up to 57e3b1ed832e865e9f9e8316f930b1beae3714f0.) https://git.schokokeks.org/derivepassphrase.git/commit/729c89799dc49635698c8f73a59ba79eb3c584a0 software@the13thletter.info (Marco Ricci) Tue, 16 Jun 2026 22:19:26 +0200 729c89799dc49635698c8f73a59ba79eb3c584a0