Recent commits to derivepassphrase.git (ac77734f1ee1a32f825aedd28e223ff88e48aa9b) https://git.schokokeks.org/derivepassphrase.git/tree/ac77734f1ee1a32f825aedd28e223ff88e48aa9b Recent commits feed provided by GitList. Add a heavy-duty test for Sequin internals Add a heavy-duty hypothesis test (rule-based state machine) that compares the state of our Sequin class against an as-literal-as-possible port of the original JavaScript sequin module, included inline in the test class. (The heavy-duty marker and the state machine machinery are probably overkill for this application, given that there is only one rule, and that the test runs very fast. Nevertheless, phrasing this as a state machine makes the workings of the test very explicit: what are the state transitions, what are the invariants, etc.) https://git.schokokeks.org/derivepassphrase.git/commit/ac77734f1ee1a32f825aedd28e223ff88e48aa9b software@the13thletter.info (Marco Ricci) Sat, 04 Jul 2026 23:22:58 +0200 ac77734f1ee1a32f825aedd28e223ff88e48aa9b Implement missing agent system support via tests.data.SystemSupportAction Implement the "missing system support for the SSH agent communication channel" setup code via the now centralized `tests.data.SystemSupportAction` enum, instead of duplicating the setup steps everywhere. This means adding the correct `SystemSupportAction` value to the `MISSING_AGENT_SUPPORT` parametrization set. In particular, since this parametrization set is already used in two different test modules, put it into `tests.machinery.pytest.Parametrize`. https://git.schokokeks.org/derivepassphrase.git/commit/988320655d5241e715792ec81fbf24f9656c0fde software@the13thletter.info (Marco Ricci) Sat, 04 Jul 2026 21:10:03 +0200 988320655d5241e715792ec81fbf24f9656c0fde Move some setup "action" classes into tests.data Move the ListKeysAction, SignAction, SocketAddressAction and SystemSupportAction classes into tests.data. We intend to reuse the SystemSupportAction class for a new purpose next. https://git.schokokeks.org/derivepassphrase.git/commit/a5e9119b7521004707782c16f16e57fe315230df software@the13thletter.info (Marco Ricci) Sat, 04 Jul 2026 21:08:08 +0200 a5e9119b7521004707782c16f16e57fe315230df Turn some parametrized unit tests into nominal property-based tests Introduce a converter function for `pytest.mark.parametrize` calls to `hypothesis.example` calls. Further use this converter function to turn some parametrized unit tests into nominal property-based hypothesis tests. We use the same call signature as `pytest.mark.parametrize` for our converter function so that transition to hypothesis-managed test functions is very easy to write (just change the decorator name). We also stick to the obvious cases only—things that should be property-based tests but are currently parametrized tests, likely because we haven't yet made the effort or don't yet know how to write suitable hypothesis strategies. (Our implementation explicitly avoids a caveat with the hypothesis strategy `st.nothing`. Background at https://github.com/HypothesisWorks/hypothesis/issues/4774 . Because we rely on certain machinery from hypothesis, we adjust our minimum hypothesis version. Since we're here, we also adjust the pytest version, reflecting our actual use.) We also add TODOs for non-trivial future work, such as consolidating work across modules or adding new testing machinery. https://git.schokokeks.org/derivepassphrase.git/commit/b99bdb26271b4db72fc485a38dba978e5cc32fd2 software@the13thletter.info (Marco Ricci) Fri, 03 Jul 2026 22:21:41 +0200 b99bdb26271b4db72fc485a38dba978e5cc32fd2 Rewrite the vault CLI tests for config management to use the stub agent All interaction with a "real" agent is stubbed out anyway, and there is no reason to run this test against multiple agents or conversely to skip it if the system cannot spawn/interface an agent at all. https://git.schokokeks.org/derivepassphrase.git/commit/2eefc775ef0cbc70d07700f70779843cb74ab066 software@the13thletter.info (Marco Ricci) Fri, 03 Jul 2026 21:53:17 +0200 2eefc775ef0cbc70d07700f70779843cb74ab066 Fix tiny mistakes across the test suite Typos, unwise variable names, and redundancies in the test logic or arguments. https://git.schokokeks.org/derivepassphrase.git/commit/95dfb499153eb2665384db352331550f5c9f8f0b software@the13thletter.info (Marco Ricci) Fri, 03 Jul 2026 21:50:35 +0200 95dfb499153eb2665384db352331550f5c9f8f0b Update tooling (mypy/pyrefly, mkdocstrings overrides) Add a pyrefly configuration, which newer versions of hatch and VS Code prefer over mypy. Fix violations that pyrefly complains about, but mypy doesn't, e.g., `del (list_of_variables)`. Remove unnecessary casts -- pyrefly warns on those, but mypy doesn't -- and document those necessary casts explicitly, even if they are a tool deficiency (usually mypy). Conversely, add conversions or tighter type bounds where necessary, usually when interacting with third-party libraries that use too lax typing because mypy doesn't complain (cryptography, click). To be fair, I have caused my fair share of those as well. Finally, fix the "devsetup" mkdocs configuration that should have been showing private members in the API documentation (if document), but wasn't. https://git.schokokeks.org/derivepassphrase.git/commit/6d48281bdbd4485bc9d49736927805f2a7228140 software@the13thletter.info (Marco Ricci) Wed, 24 Jun 2026 18:35:06 +0200 6d48281bdbd4485bc9d49736927805f2a7228140 Run the vault utility `key_to_phrase` tests against the stub SSH agent The `key_to_phrase` vault utitilies test set checks the various error conditions that can occur when obtaining an equivalent vault master passphrase from a master SSH key. The test has 10 parametrization instances, and used to run against the `ssh_agent_client_with_test_keys_loaded` fixture, which currently has 8 parametrization instances, making for a total of 80 tests attempted. However, the tests either focus on construction failures or they inject fake agent responses into the client, so in all 80 cases, there is no actual I/O occurring with the agent. For the 5 external agents (the first 50 cases), this is wasteful, and for the 3 internal agents (the remaining 30 cases), the results are identical among them. So cut this down to testing against 1 of the internal agents (the stubbed SSH agent with address support), for a total of 10 test cases, none of which involve external I/O. As a bonus, because the remaining internal agent is guaranteed reentrant, we can do away with the parametrization instance distinction between construction failures and other failures, and with the special handling of potentially non-reentrant agents. To make this work, because some tests simulate broken support for system-specific SSH agent socket providers, our setup code needs to force the use of the respective provider. As a result, only the `UNSET_PROVIDERS`, `UNSET_AF_UNIX_AND_ENSURE_USE`, `UNSET_NATIVE_AND_ENSURE_USE` and `UNSET_WINDLL_AND_ENSURE_USE` constants from our `SystemSupportAction` enum are still in use, the `UNSET_AF_UNIX`, `UNSET_NATIVE` and `UNSET_WINDLL` constants are not. We retire those constants, and remove the "skip the test if that provider is not currently in use" machinery associated with those constants. The remaining "ensure use" machinery is short enough that it can then be inlined at the call sites. https://git.schokokeks.org/derivepassphrase.git/commit/608b6108f8e6a854e2e0b99d6bec478141ce0896 software@the13thletter.info (Marco Ricci) Mon, 22 Jun 2026 15:03:49 +0200 608b6108f8e6a854e2e0b99d6bec478141ce0896 Add a pytest marker for external SSH agent use This allows finding tests which use external SSH agents more easily, so that they may be better evaluated for necessity of such agent use. https://git.schokokeks.org/derivepassphrase.git/commit/c930819d63ed7a9c38ed146716b1db3f8395dba6 software@the13thletter.info (Marco Ricci) Sun, 21 Jun 2026 22:00:04 +0200 c930819d63ed7a9c38ed146716b1db3f8395dba6 Run vault CLI config management tests against the stub agent where possible Several tests for the `vault` CLI check for failures when storing or retrieving a selected SSH key to/from the `vault` settings file. These tests used to run against every known SSH agent, separately, but not truly interact with the agent at all, because all high-level interaction was stubbed out to return error responses anyway. For externally spawned or interfaced SSH agents, this is wasteful. So we now restrict these tests to run against the stubbed agent, which is specifically designed for these purposes. Half of these tests previously falsely claimed that they don't actually need an external agent; now, they no longer lie. The other half never made any claims; now, they do. There may be other tests that request external SSH agents but don't actually require them, but this is somewhat hard to discover exhaustively. These tests were an obvious first group of tests that could be fixed in one go. Other groups (if any) will be left to future commits. https://git.schokokeks.org/derivepassphrase.git/commit/e8e4a63dcca200af6cc4d570d7202d6f38b660ea software@the13thletter.info (Marco Ricci) Sun, 21 Jun 2026 21:02:26 +0200 e8e4a63dcca200af6cc4d570d7202d6f38b660ea