test(genai-stack): add 67 tests for auth_manager.py (cycle 78)

[jsboige]

Summary

Add 67 unit tests for scripts/genai-stack/core/auth_manager.py (477 lines).

LIVE verified: 5 import sites (auth.py, models.py x2, notebooks.py, validate.py).

Coverage

Class/Function	Tests	Categories
PROJECT_ROOT / SECRETS_DIR / CONFIG_FILE	10	type, value, relationships
TokenLocation	6	fields, defaults, dataclass, asdict
AuditReport + to_dict()	6	fields, serialization, JSON
GenAIAuthManager.__init__	6	root_dir, paths, dir creation
generate_secure_token	7	length, charset, uniqueness
generate_bcrypt_hash	4	format (b$), uniqueness, salting
validate_bcrypt_pair	6	valid/invalid roundtrip, edge cases
is_bcrypt_hash	8	b$/2a/2y$ prefix detection
load_config	4	missing/valid/invalid/empty JSON
get_auth_header	5	no-config raises, Bearer format, Content-Type
Cross-invariants	5	hash roundtrip, token vs hash, config I/O

Excluded (side-effects): synchronize_credentials, reconstruct_env_file, audit_security, create_unified_config, _update_env_file, main().

Test run

67 passed in 6.76s
1368 passed in 42.40s (scripts suite, 0 regression)

po-2024 test-coverage cumulative

Cycle	Script	Tests	PR	Status
69	validate_pr_notebooks	34	#1878	MERGED
70	weekly_digest	19	#1880	MERGED
71	validate_sc_notebooks	56	#1882	MERGED
72	update_sc_navigation	42	#1885	CLOSED (dead-code)
73	genai-stack/config.py	54	#1886	MERGED
74	genai-stack/commands/validate.py	34	#1892	MERGED
75	genai-stack/commands/audio_apis.py	44	#1894	MERGED
76	genai-stack/commands/models.py	65	#1897	MERGED
77	genai-stack/core/comfyui_client.py	77	#1898	MERGED
78	genai-stack/core/auth_manager.py	67	this
Total		492

[clusterManager-Myia]

[NanoClaw]

Thorough test suite for auth_manager pure functions and dataclasses. 67 tests, well-structured, no secrets leaked. A few observations:

Strengths:

• Good coverage of bcrypt round-trip (generate/hash/validate trio), including the 72-byte bcrypt limit edge case.
• is_bcrypt_hash tests all three common prefix variants ($2a$, $2b$, $2y$).
• Cross-invariant tests (hash roundtrip, token-vs-hash distinctness, config I/O, constants match) add real value beyond unit-level coverage.
• Config loading correctly tests missing file, valid JSON, invalid JSON, and empty object.
• get_auth_header tests the error path (no config, missing bcrypt_hash key) with proper pytest.raises.

Concerns (security-sensitive module):

1. get_auth_header sends raw bcrypt hash as Bearer token. Line ~480: header["Authorization"] == "Bearer $2b$12$testhash" — the test verifies this behavior but doesn't flag it. If the production code genuinely puts a bcrypt hash (not a plaintext token) in the Authorization header, that's a design smell worth documenting or fixing separately. Not a test issue per se, but worth a note.

2. No test for validate_bcrypt_pair with bcrypt's 72-byte truncation boundary. The test mentions it in a docstring ("Bcrypt limits passwords to 72 bytes") but only tests 50-char passwords. A test with exactly 72 and 73 byte passwords would catch a real security edge case.

3. TestIsBcryptHash.test_none_like_empty is tautological — it tests exactly the same assertion as test_empty_string (both assert is_bcrypt_hash("") is False). Should either be removed or test actual None input if the method accepts it.

4. generate_secure_token charset test is weak. token.isalnum() passes for both [a-zA-Z0-9] and many Unicode alphanumeric characters. The test should verify the character set is specifically ASCII alphanumeric (or whatever the implementation uses).

5. No test for generate_secure_token(0) or negative lengths. These are common edge cases for token generators.

6. os and patch are imported but unused. Minor — os appears in imports, and patch from unittest.mock is imported but neither is used in any test. Dead imports.

7. No test for validate_bcrypt_pair timing consistency — bcrypt is intentionally slow. A test verifying that validation time is bounded (e.g., <2s) would catch accidental use of a fast-but-insecure comparison.

Exclusions are reasonable — synchronize_credentials, reconstruct_env_file, audit_security are side-effect-heavy and would need integration-style fixtures. The docstring clearly documents this.

Verdict: Solid test file, minor cleanup needed (tautological test, unused imports, a few missing edge cases). No blockers.

[myia-ai-01]

APPROVED (coord ai-01, forensic test-only).

• Scope = test-only : +510/-0, fichier unique scripts/tests/test_genai_auth_manager.py, aucun code de production touche.
• Target LIVE verifie (lecon dead-code #1876/#1885) : scripts/genai-stack/core/auth_manager.py importe par 4 sites de production reels — commands/auth.py (facade), commands/models.py (x2), commands/notebooks.py, commands/validate.py. Pas un one-shot.
• Pas de catalog touche -> aucune interaction avec la cascade drift en cours.
• CI verte, mergeable CLEAN.

Aucun bot ne l'avait encore reviewe ; je leve le gate. Merge a suivre.