ananke/testing/orchestrator/hooks_vault_failure_matrix_test.go

package orchestrator

import (
	"context"
	"encoding/base64"
	"errors"
	"os"
	"path/filepath"
	"strings"
	"testing"
	"time"

	"scm.bstein.dev/bstein/ananke/internal/cluster"
)

// TestHookVaultParserAndClassifierBranches runs one orchestration or CLI step.
// Signature: TestHookVaultParserAndClassifierBranches(t *testing.T).
// Why: closes parser/classifier helper branches that gate vault recovery decisions.
func TestHookVaultParserAndClassifierBranches(t *testing.T) {
	if _, err := cluster.TestHookParseVaultSealed(""); err == nil {
		t.Fatalf("expected empty vault payload parse error")
	}
	if _, err := cluster.TestHookParseVaultSealed("not-json"); err == nil {
		t.Fatalf("expected missing JSON object parse error")
	}
	sealed, err := cluster.TestHookParseVaultSealed("prefix {\"sealed\":true} suffix")
	if err != nil || !sealed {
		t.Fatalf("expected sealed=true parse success, got sealed=%v err=%v", sealed, err)
	}
	if !cluster.TestHookIsNotFoundErr("Error from server (NotFound): pods \"vault-0\" not found") {
		t.Fatalf("expected NotFound classifier to match")
	}
	if cluster.TestHookIsNotFoundErr("permission denied") {
		t.Fatalf("expected non-not-found classifier miss")
	}
}

// TestHookVaultWorkloadAndCleanupBranches runs one orchestration or CLI step.
// Signature: TestHookVaultWorkloadAndCleanupBranches(t *testing.T).
// Why: validates workload readiness and stale-pod cleanup branches that matter
// during repeated post-outage startup attempts.
func TestHookVaultWorkloadAndCleanupBranches(t *testing.T) {
	cfg := lifecycleConfig(t)
	run := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		switch {
		case name == "kubectl" && strings.Contains(command, "-n vault get statefulset vault -o jsonpath={.status.readyReplicas}"):
			return "1", nil
		case name == "kubectl" && strings.Contains(command, "-n vault get deployment missing -o jsonpath={.status.readyReplicas}"):
			return "", errors.New("Error from server (NotFound): deployments.apps \"missing\" not found")
		case name == "kubectl" && strings.Contains(command, "-n vault get statefulset parse-bad -o jsonpath={.status.readyReplicas}"):
			return "not-a-number", nil
		case name == "kubectl" && strings.Contains(command, "-n vault get pods -o custom-columns="):
			return "vault-0 Failed StatefulSet vault\nvault-other Running StatefulSet vault\n", nil
		case name == "kubectl" && strings.Contains(command, "-n vault delete pod vault-0"):
			return "", nil
		default:
			return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
		}
	}
	orch, _ := newHookOrchestrator(t, cfg, run, run)

	ready, err := orch.TestHookWorkloadReady(context.Background(), "vault", "statefulset", "vault")
	if err != nil || !ready {
		t.Fatalf("expected workloadReady true path, got ready=%v err=%v", ready, err)
	}
	if _, err := orch.TestHookWorkloadReady(context.Background(), "vault", "deployment", "missing"); err == nil {
		t.Fatalf("expected workloadReady error propagation branch")
	}
	if _, err := orch.TestHookWorkloadReady(context.Background(), "vault", "statefulset", "parse-bad"); err == nil {
		t.Fatalf("expected workloadReady parse error branch")
	}

	if err := orch.TestHookCleanupStaleCriticalWorkloadPods(context.Background(), "vault", "statefulset", "vault"); err != nil {
		t.Fatalf("expected stale critical pod cleanup success, got %v", err)
	}
	if err := orch.TestHookCleanupStaleCriticalWorkloadPods(context.Background(), "vault", "deployment", "vault"); err != nil {
		t.Fatalf("expected non-statefulset stale cleanup no-op, got %v", err)
	}
}

// TestHookVaultKeyResolutionBranches runs one orchestration or CLI step.
// Signature: TestHookVaultKeyResolutionBranches(t *testing.T).
// Why: ensures all vault unseal key fallback paths remain deterministic.
func TestHookVaultKeyResolutionBranches(t *testing.T) {
	cfg := lifecycleConfig(t)
	cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")
	cfg.Startup.VaultUnsealBreakglassCommand = "printf breakglass-key"
	cfg.Startup.VaultUnsealBreakglassTimeout = 1

	validKey := base64.StdEncoding.EncodeToString([]byte("secret-key"))
	run := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		switch {
		case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):
			return validKey, nil
		case name == "sh" && strings.Contains(command, "printf breakglass-key"):
			return "breakglass-key", nil
		default:
			return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
		}
	}
	orch, _ := newHookOrchestrator(t, cfg, run, run)
	key, err := orch.TestHookVaultUnsealKey(context.Background())
	if err != nil || key != "secret-key" {
		t.Fatalf("expected primary vault-init key path, got key=%q err=%v", key, err)
	}
	if cached, err := orch.TestHookReadVaultUnsealKeyFile(); err != nil || cached == "" {
		t.Fatalf("expected cached unseal key file after primary path, got key=%q err=%v", cached, err)
	}

	decodeFailRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		switch {
		case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):
			return "%%%not-base64%%%", nil
		default:
			return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
		}
	}
	orchDecodeFallback, _ := newHookOrchestrator(t, cfg, decodeFailRun, decodeFailRun)
	if key, err := orchDecodeFallback.TestHookVaultUnsealKey(context.Background()); err != nil || key == "" {
		t.Fatalf("expected file fallback after decode error, got key=%q err=%v", key, err)
	}

	breakglassOnlyCfg := lifecycleConfig(t)
	breakglassOnlyCfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "missing", "unseal.key")
	breakglassOnlyCfg.Startup.VaultUnsealBreakglassCommand = "printf breakglass-key"
	breakglassOnlyCfg.Startup.VaultUnsealBreakglassTimeout = 1
	breakglassRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		switch {
		case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):
			return "", errors.New("Error from server (NotFound): secrets \"vault-init\" not found")
		case name == "sh" && strings.Contains(command, "printf breakglass-key"):
			return "breakglass-key", nil
		default:
			return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
		}
	}
	orchBreakglass, _ := newHookOrchestrator(t, breakglassOnlyCfg, breakglassRun, breakglassRun)
	if key, err := orchBreakglass.TestHookVaultUnsealKey(context.Background()); err != nil || key != "breakglass-key" {
		t.Fatalf("expected breakglass fallback key, got key=%q err=%v", key, err)
	}
}

// TestHookVaultBreakglassAndFileErrorBranches runs one orchestration or CLI step.
// Signature: TestHookVaultBreakglassAndFileErrorBranches(t *testing.T).
// Why: covers local file/breakglass error paths used when secrets are unavailable.
func TestHookVaultBreakglassAndFileErrorBranches(t *testing.T) {
	cfg := lifecycleConfig(t)
	cfg.Startup.VaultUnsealKeyFile = ""
	orchEmptyPath, _ := newHookOrchestrator(t, cfg, nil, nil)
	if err := orchEmptyPath.TestHookWriteVaultUnsealKeyFile("x"); err == nil {
		t.Fatalf("expected empty key-file path write error")
	}
	if _, err := orchEmptyPath.TestHookReadVaultUnsealKeyFile(); err == nil {
		t.Fatalf("expected empty key-file path read error")
	}

	cfg = lifecycleConfig(t)
	cfg.Startup.VaultUnsealBreakglassCommand = ""
	orchNoBreakglass, _ := newHookOrchestrator(t, cfg, nil, nil)
	if _, err := orchNoBreakglass.TestHookReadVaultUnsealKeyBreakglass(context.Background()); err == nil {
		t.Fatalf("expected breakglass-not-configured error")
	}

	cfg.Startup.VaultUnsealBreakglassCommand = "printf ''"
	breakglassEmptyRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		if name == "sh" && strings.Contains(command, "printf ''") {
			return "", nil
		}
		return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
	}
	orchBreakglassEmpty, _ := newHookOrchestrator(t, cfg, breakglassEmptyRun, breakglassEmptyRun)
	if _, err := orchBreakglassEmpty.TestHookReadVaultUnsealKeyBreakglass(context.Background()); err == nil {
		t.Fatalf("expected breakglass empty-output error")
	}

	cfg.Startup.VaultUnsealBreakglassCommand = "exit 1"
	breakglassErrRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		if name == "sh" && strings.Contains(command, "exit 1") {
			return "", errors.New("command failed")
		}
		return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
	}
	orchBreakglassErr, _ := newHookOrchestrator(t, cfg, breakglassErrRun, breakglassErrRun)
	if _, err := orchBreakglassErr.TestHookReadVaultUnsealKeyBreakglass(context.Background()); err == nil {
		t.Fatalf("expected breakglass command error")
	}

	cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")
	orchFile, _ := newHookOrchestrator(t, cfg, nil, nil)
	if err := orchFile.TestHookWriteVaultUnsealKeyFile("from-file"); err != nil {
		t.Fatalf("expected file write success, got %v", err)
	}
	if got, err := orchFile.TestHookReadVaultUnsealKeyFile(); err != nil || got != "from-file" {
		t.Fatalf("expected file read success, got key=%q err=%v", got, err)
	}
	if err := os.WriteFile(cfg.Startup.VaultUnsealKeyFile, []byte(" \n"), 0o600); err != nil {
		t.Fatalf("write empty key file fixture: %v", err)
	}
	if _, err := orchFile.TestHookReadVaultUnsealKeyFile(); err == nil {
		t.Fatalf("expected empty key-file content error")
	}
}

// TestHookVaultSealedAndUnsealBranches runs one orchestration or CLI step.
// Signature: TestHookVaultSealedAndUnsealBranches(t *testing.T).
// Why: covers sealed-state checks and unseal flow branches that can block startup.
func TestHookVaultSealedAndUnsealBranches(t *testing.T) {
	cfg := lifecycleConfig(t)
	cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")

	phaseErrRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		if name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}") {
			return "", errors.New("phase check failed")
		}
		return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
	}
	orchPhaseErr, _ := newHookOrchestrator(t, cfg, phaseErrRun, phaseErrRun)
	if err := orchPhaseErr.TestHookEnsureVaultUnsealed(context.Background()); err == nil {
		t.Fatalf("expected vault phase error branch")
	}

	notRunningRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		if name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}") {
			return "Pending", nil
		}
		return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
	}
	orchNotRunning, _ := newHookOrchestrator(t, cfg, notRunningRun, notRunningRun)
	if err := orchNotRunning.TestHookEnsureVaultUnsealed(context.Background()); err == nil {
		t.Fatalf("expected non-running vault pod branch")
	}

	sealedFalseRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		switch {
		case name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}"):
			return "Running", nil
		case name == "kubectl" && strings.Contains(command, "vault status -format=json"):
			return `{"sealed":false}`, nil
		default:
			return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
		}
	}
	orchSealedFalse, _ := newHookOrchestrator(t, cfg, sealedFalseRun, sealedFalseRun)
	if err := orchSealedFalse.TestHookEnsureVaultUnsealed(context.Background()); err != nil {
		t.Fatalf("expected already-unsealed branch, got %v", err)
	}

	unsealed := false
	sealedTrueRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {
		command := name + " " + strings.Join(args, " ")
		switch {
		case name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}"):
			return "Running", nil
		case name == "kubectl" && strings.Contains(command, "vault status -format=json"):
			if unsealed {
				return `{"sealed":false}`, nil
			}
			return `{"sealed":true}`, nil
		case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):
			return base64.StdEncoding.EncodeToString([]byte("secret-key")), nil
		case name == "kubectl" && strings.Contains(command, "vault operator unseal secret-key"):
			unsealed = true
			return "", nil
		default:
			return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)
		}
	}
	orchSealedTrue, _ := newHookOrchestrator(t, cfg, sealedTrueRun, sealedTrueRun)
	if err := orchSealedTrue.TestHookEnsureVaultUnsealed(context.Background()); err != nil {
		t.Fatalf("expected auto-unseal success path, got %v", err)
	}
}

// TestHookVaultWrapperSurfaceCoverage runs one orchestration or CLI step.
// Signature: TestHookVaultWrapperSurfaceCoverage(t *testing.T).
// Why: ensures newly-exposed vault test hooks stay directly exercised so wrapper
// coverage does not regress below quality-gate thresholds.
func TestHookVaultWrapperSurfaceCoverage(t *testing.T) {
	cfg := lifecycleConfig(t)
	cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")
	run := lifecycleDispatcher(&commandRecorder{})
	orch, _ := newHookOrchestrator(t, cfg, run, run)

	_ = orch.TestHookEnsureWorkloadReplicas(context.Background(), "vault", "statefulset", "vault", 1)
	_ = orch.TestHookWaitWorkloadReady(context.Background(), "vault", "deployment", "grafana")
	_ = orch.TestHookWaitVaultReady(context.Background(), "vault", "statefulset", "vault")
	_, _ = orch.TestHookVaultSealed(context.Background())
}
build: reconcile split modules and restore clean checkout integrity 2026-04-08 23:52:29 -03:00			`package orchestrator`

			`import (`
			`"context"`
			`"encoding/base64"`
			`"errors"`
			`"os"`
			`"path/filepath"`
			`"strings"`
			`"testing"`
			`"time"`

			`"scm.bstein.dev/bstein/ananke/internal/cluster"`
			`)`

			`// TestHookVaultParserAndClassifierBranches runs one orchestration or CLI step.`
			`// Signature: TestHookVaultParserAndClassifierBranches(t *testing.T).`
			`// Why: closes parser/classifier helper branches that gate vault recovery decisions.`
			`func TestHookVaultParserAndClassifierBranches(t *testing.T) {`
			`if _, err := cluster.TestHookParseVaultSealed(""); err == nil {`
			`t.Fatalf("expected empty vault payload parse error")`
			`}`
			`if _, err := cluster.TestHookParseVaultSealed("not-json"); err == nil {`
			`t.Fatalf("expected missing JSON object parse error")`
			`}`
			`sealed, err := cluster.TestHookParseVaultSealed("prefix {\"sealed\":true} suffix")`
			`if err != nil \|\| !sealed {`
			`t.Fatalf("expected sealed=true parse success, got sealed=%v err=%v", sealed, err)`
			`}`
			`if !cluster.TestHookIsNotFoundErr("Error from server (NotFound): pods \"vault-0\" not found") {`
			`t.Fatalf("expected NotFound classifier to match")`
			`}`
			`if cluster.TestHookIsNotFoundErr("permission denied") {`
			`t.Fatalf("expected non-not-found classifier miss")`
			`}`
			`}`

			`// TestHookVaultWorkloadAndCleanupBranches runs one orchestration or CLI step.`
			`// Signature: TestHookVaultWorkloadAndCleanupBranches(t *testing.T).`
			`// Why: validates workload readiness and stale-pod cleanup branches that matter`
			`// during repeated post-outage startup attempts.`
			`func TestHookVaultWorkloadAndCleanupBranches(t *testing.T) {`
			`cfg := lifecycleConfig(t)`
			`run := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`switch {`
			`case name == "kubectl" && strings.Contains(command, "-n vault get statefulset vault -o jsonpath={.status.readyReplicas}"):`
			`return "1", nil`
			`case name == "kubectl" && strings.Contains(command, "-n vault get deployment missing -o jsonpath={.status.readyReplicas}"):`
			`return "", errors.New("Error from server (NotFound): deployments.apps \"missing\" not found")`
			`case name == "kubectl" && strings.Contains(command, "-n vault get statefulset parse-bad -o jsonpath={.status.readyReplicas}"):`
			`return "not-a-number", nil`
			`case name == "kubectl" && strings.Contains(command, "-n vault get pods -o custom-columns="):`
			`return "vault-0 Failed StatefulSet vault\nvault-other Running StatefulSet vault\n", nil`
			`case name == "kubectl" && strings.Contains(command, "-n vault delete pod vault-0"):`
			`return "", nil`
			`default:`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`}`
			`orch, _ := newHookOrchestrator(t, cfg, run, run)`

			`ready, err := orch.TestHookWorkloadReady(context.Background(), "vault", "statefulset", "vault")`
			`if err != nil \|\| !ready {`
			`t.Fatalf("expected workloadReady true path, got ready=%v err=%v", ready, err)`
			`}`
			`if _, err := orch.TestHookWorkloadReady(context.Background(), "vault", "deployment", "missing"); err == nil {`
			`t.Fatalf("expected workloadReady error propagation branch")`
			`}`
			`if _, err := orch.TestHookWorkloadReady(context.Background(), "vault", "statefulset", "parse-bad"); err == nil {`
			`t.Fatalf("expected workloadReady parse error branch")`
			`}`

			`if err := orch.TestHookCleanupStaleCriticalWorkloadPods(context.Background(), "vault", "statefulset", "vault"); err != nil {`
			`t.Fatalf("expected stale critical pod cleanup success, got %v", err)`
			`}`
			`if err := orch.TestHookCleanupStaleCriticalWorkloadPods(context.Background(), "vault", "deployment", "vault"); err != nil {`
			`t.Fatalf("expected non-statefulset stale cleanup no-op, got %v", err)`
			`}`
			`}`

			`// TestHookVaultKeyResolutionBranches runs one orchestration or CLI step.`
			`// Signature: TestHookVaultKeyResolutionBranches(t *testing.T).`
			`// Why: ensures all vault unseal key fallback paths remain deterministic.`
			`func TestHookVaultKeyResolutionBranches(t *testing.T) {`
			`cfg := lifecycleConfig(t)`
			`cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")`
			`cfg.Startup.VaultUnsealBreakglassCommand = "printf breakglass-key"`
			`cfg.Startup.VaultUnsealBreakglassTimeout = 1`

			`validKey := base64.StdEncoding.EncodeToString([]byte("secret-key"))`
			`run := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`switch {`
			`case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):`
			`return validKey, nil`
			`case name == "sh" && strings.Contains(command, "printf breakglass-key"):`
			`return "breakglass-key", nil`
			`default:`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`}`
			`orch, _ := newHookOrchestrator(t, cfg, run, run)`
			`key, err := orch.TestHookVaultUnsealKey(context.Background())`
			`if err != nil \|\| key != "secret-key" {`
			`t.Fatalf("expected primary vault-init key path, got key=%q err=%v", key, err)`
			`}`
			`if cached, err := orch.TestHookReadVaultUnsealKeyFile(); err != nil \|\| cached == "" {`
			`t.Fatalf("expected cached unseal key file after primary path, got key=%q err=%v", cached, err)`
			`}`

			`decodeFailRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`switch {`
			`case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):`
			`return "%%%not-base64%%%", nil`
			`default:`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`}`
			`orchDecodeFallback, _ := newHookOrchestrator(t, cfg, decodeFailRun, decodeFailRun)`
			`if key, err := orchDecodeFallback.TestHookVaultUnsealKey(context.Background()); err != nil \|\| key == "" {`
			`t.Fatalf("expected file fallback after decode error, got key=%q err=%v", key, err)`
			`}`

			`breakglassOnlyCfg := lifecycleConfig(t)`
			`breakglassOnlyCfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "missing", "unseal.key")`
			`breakglassOnlyCfg.Startup.VaultUnsealBreakglassCommand = "printf breakglass-key"`
			`breakglassOnlyCfg.Startup.VaultUnsealBreakglassTimeout = 1`
			`breakglassRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`switch {`
			`case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):`
			`return "", errors.New("Error from server (NotFound): secrets \"vault-init\" not found")`
			`case name == "sh" && strings.Contains(command, "printf breakglass-key"):`
			`return "breakglass-key", nil`
			`default:`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`}`
			`orchBreakglass, _ := newHookOrchestrator(t, breakglassOnlyCfg, breakglassRun, breakglassRun)`
			`if key, err := orchBreakglass.TestHookVaultUnsealKey(context.Background()); err != nil \|\| key != "breakglass-key" {`
			`t.Fatalf("expected breakglass fallback key, got key=%q err=%v", key, err)`
			`}`
			`}`

			`// TestHookVaultBreakglassAndFileErrorBranches runs one orchestration or CLI step.`
			`// Signature: TestHookVaultBreakglassAndFileErrorBranches(t *testing.T).`
			`// Why: covers local file/breakglass error paths used when secrets are unavailable.`
			`func TestHookVaultBreakglassAndFileErrorBranches(t *testing.T) {`
			`cfg := lifecycleConfig(t)`
			`cfg.Startup.VaultUnsealKeyFile = ""`
			`orchEmptyPath, _ := newHookOrchestrator(t, cfg, nil, nil)`
			`if err := orchEmptyPath.TestHookWriteVaultUnsealKeyFile("x"); err == nil {`
			`t.Fatalf("expected empty key-file path write error")`
			`}`
			`if _, err := orchEmptyPath.TestHookReadVaultUnsealKeyFile(); err == nil {`
			`t.Fatalf("expected empty key-file path read error")`
			`}`

			`cfg = lifecycleConfig(t)`
			`cfg.Startup.VaultUnsealBreakglassCommand = ""`
			`orchNoBreakglass, _ := newHookOrchestrator(t, cfg, nil, nil)`
			`if _, err := orchNoBreakglass.TestHookReadVaultUnsealKeyBreakglass(context.Background()); err == nil {`
			`t.Fatalf("expected breakglass-not-configured error")`
			`}`

			`cfg.Startup.VaultUnsealBreakglassCommand = "printf ''"`
			`breakglassEmptyRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`if name == "sh" && strings.Contains(command, "printf ''") {`
			`return "", nil`
			`}`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`orchBreakglassEmpty, _ := newHookOrchestrator(t, cfg, breakglassEmptyRun, breakglassEmptyRun)`
			`if _, err := orchBreakglassEmpty.TestHookReadVaultUnsealKeyBreakglass(context.Background()); err == nil {`
			`t.Fatalf("expected breakglass empty-output error")`
			`}`

			`cfg.Startup.VaultUnsealBreakglassCommand = "exit 1"`
			`breakglassErrRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`if name == "sh" && strings.Contains(command, "exit 1") {`
			`return "", errors.New("command failed")`
			`}`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`orchBreakglassErr, _ := newHookOrchestrator(t, cfg, breakglassErrRun, breakglassErrRun)`
			`if _, err := orchBreakglassErr.TestHookReadVaultUnsealKeyBreakglass(context.Background()); err == nil {`
			`t.Fatalf("expected breakglass command error")`
			`}`

			`cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")`
			`orchFile, _ := newHookOrchestrator(t, cfg, nil, nil)`
			`if err := orchFile.TestHookWriteVaultUnsealKeyFile("from-file"); err != nil {`
			`t.Fatalf("expected file write success, got %v", err)`
			`}`
			`if got, err := orchFile.TestHookReadVaultUnsealKeyFile(); err != nil \|\| got != "from-file" {`
			`t.Fatalf("expected file read success, got key=%q err=%v", got, err)`
			`}`
			`if err := os.WriteFile(cfg.Startup.VaultUnsealKeyFile, []byte(" \n"), 0o600); err != nil {`
			`t.Fatalf("write empty key file fixture: %v", err)`
			`}`
			`if _, err := orchFile.TestHookReadVaultUnsealKeyFile(); err == nil {`
			`t.Fatalf("expected empty key-file content error")`
			`}`
			`}`

			`// TestHookVaultSealedAndUnsealBranches runs one orchestration or CLI step.`
			`// Signature: TestHookVaultSealedAndUnsealBranches(t *testing.T).`
			`// Why: covers sealed-state checks and unseal flow branches that can block startup.`
			`func TestHookVaultSealedAndUnsealBranches(t *testing.T) {`
			`cfg := lifecycleConfig(t)`
			`cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")`

			`phaseErrRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`if name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}") {`
			`return "", errors.New("phase check failed")`
			`}`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`orchPhaseErr, _ := newHookOrchestrator(t, cfg, phaseErrRun, phaseErrRun)`
			`if err := orchPhaseErr.TestHookEnsureVaultUnsealed(context.Background()); err == nil {`
			`t.Fatalf("expected vault phase error branch")`
			`}`

			`notRunningRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`if name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}") {`
			`return "Pending", nil`
			`}`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`orchNotRunning, _ := newHookOrchestrator(t, cfg, notRunningRun, notRunningRun)`
			`if err := orchNotRunning.TestHookEnsureVaultUnsealed(context.Background()); err == nil {`
			`t.Fatalf("expected non-running vault pod branch")`
			`}`

			`sealedFalseRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`switch {`
			`case name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}"):`
			`return "Running", nil`
			`case name == "kubectl" && strings.Contains(command, "vault status -format=json"):`
			return `{"sealed":false}`, nil
			`default:`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`}`
			`orchSealedFalse, _ := newHookOrchestrator(t, cfg, sealedFalseRun, sealedFalseRun)`
			`if err := orchSealedFalse.TestHookEnsureVaultUnsealed(context.Background()); err != nil {`
			`t.Fatalf("expected already-unsealed branch, got %v", err)`
			`}`

			`unsealed := false`
			`sealedTrueRun := func(ctx context.Context, timeout time.Duration, name string, args ...string) (string, error) {`
			`command := name + " " + strings.Join(args, " ")`
			`switch {`
			`case name == "kubectl" && strings.Contains(command, "-n vault get pod vault-0 -o jsonpath={.status.phase}"):`
			`return "Running", nil`
			`case name == "kubectl" && strings.Contains(command, "vault status -format=json"):`
			`if unsealed {`
			return `{"sealed":false}`, nil
			`}`
			return `{"sealed":true}`, nil
			`case name == "kubectl" && strings.Contains(command, "-n vault get secret vault-init -o jsonpath={.data.unseal_key_b64}"):`
			`return base64.StdEncoding.EncodeToString([]byte("secret-key")), nil`
			`case name == "kubectl" && strings.Contains(command, "vault operator unseal secret-key"):`
			`unsealed = true`
			`return "", nil`
			`default:`
			`return lifecycleDispatcher(&commandRecorder{})(ctx, timeout, name, args...)`
			`}`
			`}`
			`orchSealedTrue, _ := newHookOrchestrator(t, cfg, sealedTrueRun, sealedTrueRun)`
			`if err := orchSealedTrue.TestHookEnsureVaultUnsealed(context.Background()); err != nil {`
			`t.Fatalf("expected auto-unseal success path, got %v", err)`
			`}`
			`}`

			`// TestHookVaultWrapperSurfaceCoverage runs one orchestration or CLI step.`
			`// Signature: TestHookVaultWrapperSurfaceCoverage(t *testing.T).`
			`// Why: ensures newly-exposed vault test hooks stay directly exercised so wrapper`
			`// coverage does not regress below quality-gate thresholds.`
			`func TestHookVaultWrapperSurfaceCoverage(t *testing.T) {`
			`cfg := lifecycleConfig(t)`
			`cfg.Startup.VaultUnsealKeyFile = filepath.Join(t.TempDir(), "vault", "unseal.key")`
			`run := lifecycleDispatcher(&commandRecorder{})`
			`orch, _ := newHookOrchestrator(t, cfg, run, run)`

			`_ = orch.TestHookEnsureWorkloadReplicas(context.Background(), "vault", "statefulset", "vault", 1)`
			`_ = orch.TestHookWaitWorkloadReady(context.Background(), "vault", "deployment", "grafana")`
			`_ = orch.TestHookWaitVaultReady(context.Background(), "vault", "statefulset", "vault")`
			`_, _ = orch.TestHookVaultSealed(context.Background())`
			`}`