test: drop ssh-gate suites and shadow-route assertions (PRD 0009)

- Delete tests/unit/test_ssh_gate.py and the fixture_with_ssh helpers. - test_pipelock_yaml: drop the ssh-leak guard (structurally impossible now); the remaining tests switch to fixture_minimal. - test_pipelock_allowlist: rewrite the union/dedup test to exercise an egress.allowlist that duplicates a baked default (the property the ssh-leak assertion was hitching onto). - test_manifest_git: shadow-route assertion becomes a legacy-ssh- dies-with-hint assertion, since bottle.ssh is now parse-fail. - test_orphan_cleanup: drop the SSHGate.stop idempotency check; pipelock equivalent stays. - test_dry_run_plan: drop assertions on the removed ssh_hosts / ssh_gate keys. 52 unit tests pass.
2026-05-12 23:54:22 -04:00
parent 3d66ad2a86
commit 249e8cc15e
7 changed files with 21 additions and 251 deletions
@@ -168,11 +168,9 @@ class TestGitEntryCrossValidation(unittest.TestCase):
                 "IdentityFile": "/dev/null"},
            ]))

-    def test_shadow_route_with_ssh_entry_dies(self):
-        # An ssh entry pointing at gitea.dideric.is:30009 AND a git
-        # entry pointing at ssh://git@gitea.dideric.is:30009/... is a
-        # bypass: agents could route around the gate by using the
-        # ssh-gate. Manifest construction must reject.
+    def test_legacy_ssh_field_dies_with_hint(self):
+        # PRD 0009: bottle.ssh is removed; manifests carrying it must
+        # fail loudly with a hint pointing at bottle.git.
        with self.assertRaises(Die):
            Manifest.from_json_obj({
                "bottles": {
@@ -184,40 +182,11 @@ class TestGitEntryCrossValidation(unittest.TestCase):
                            "User": "git",
                            "Port": 30009,
                        }],
-                        "git": [{
-                            "Name": "claude-bottle",
-                            "Upstream": "ssh://git@gitea.dideric.is:30009/didericis/claude-bottle.git",
-                            "IdentityFile": "/dev/null",
-                        }],
                    },
                },
                "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
            })

-    def test_independent_ssh_and_git_targets_allowed(self):
-        # Same hostname but different ports are independent targets.
-        m = Manifest.from_json_obj({
-            "bottles": {
-                "dev": {
-                    "ssh": [{
-                        "Host": "gitea-ssh",
-                        "IdentityFile": "/dev/null",
-                        "Hostname": "gitea.dideric.is",
-                        "User": "git",
-                        "Port": 22,
-                    }],
-                    "git": [{
-                        "Name": "claude-bottle",
-                        "Upstream": "ssh://git@gitea.dideric.is:30009/didericis/claude-bottle.git",
-                        "IdentityFile": "/dev/null",
-                    }],
-                },
-            },
-            "agents": {"demo": {"skills": [], "prompt": "", "bottle": "dev"}},
-        })
-        self.assertEqual(1, len(m.bottles["dev"].ssh))
-        self.assertEqual(1, len(m.bottles["dev"].git))
-

 class TestEmptyGitField(unittest.TestCase):
    def test_no_git_field_yields_empty_tuple(self):