Description

Add comprehensive integration tests for Signatory functionality covering installation, configuration, baker/accuser integration, and service lifecycle management. Tests must follow the isolation harness pattern established in AGENTS.md.

Dependencies

Blocked by:

• Installer: Signatory Service Installation #701 (Installer module)
• CLI: Signatory Installation and Management Commands #702 (CLI commands)
• Baker/Accuser: Remote Signer Integration #704 (Baker/Accuser integration)

Test Infrastructure

Mock Signatory Server

• Create test/integration/cli-tester/lib/mock-signatory.sh:

  • Simple HTTP server mimicking Signatory API
  • Endpoints:
    • /healthz - Health check
    • /authorized_keys - List authorized keys
    • /keys/<hash> - Sign operation endpoint
  • Configurable authorized keys
  • Simulate signing operations
  • Prometheus metrics endpoint
  • Configurable response times/errors

• OR: Use Docker container with actual Signatory

  • Lightweight Signatory container
  • File-based backend for simplicity
  • Pre-configured with test keys
  • Health checks working

Test Helpers

• Add to test/integration/cli-tester/lib/lib.sh:
  ```bash

  Signatory-specific helpers

  signatory_health_check() { ... }
  signatory_add_key() { ... }
  signatory_wait_ready() { ... }
  signatory_get_metrics() { ... }
  ```

Test Cases

Test 1: Basic Installation (File Backend)

• Create test/integration/cli-tester/tests/signatory/01-install-file-backend.sh:
  ```bash
  #!/bin/bash
  set -euo pipefail
  source /tests/lib.sh

  echo "Test: Install Signatory with file backend"

  TEST_INSTANCE="test-signer-file"
  SIGNER_PORT=$(alloc_port)
  METRICS_PORT=$(alloc_port)

  test_init

  Install Signatory

  om install-signatory \
  --instance "$TEST_INSTANCE" \
  --backend file \
  --authorized-keys tz1abc...,tz2def... \
  --address "127.0.0.1:$SIGNER_PORT" \
  --metrics-address "127.0.0.1:$METRICS_PORT" \
  --service-user tezos \
  --no-enable \
  --no-start

  register_instance "$TEST_INSTANCE"

  Verify installation

  assert_service_exists "octez-signatory@$TEST_INSTANCE.service"
  assert_config_file_exists "$TEST_INSTANCE" "signatory.yaml"
  assert_directory_exists "/var/lib/octez/signatory/$TEST_INSTANCE"

  Start service

  om instance "$TEST_INSTANCE" start

  Wait for health check

  wait_for_url "http://127.0.0.1:$SIGNER_PORT/healthz" 30

  Verify health

  health_response=$(curl -s "http://127.0.0.1:$SIGNER_PORT/healthz")
  assert_contains "$health_response" "ok"

  Verify metrics endpoint

  metrics_response=$(curl -s "http://127.0.0.1:$METRICS_PORT/metrics")
  assert_contains "$metrics_response" "signatory_"

  echo "Test passed"
  ```

Test 2: Baker with Signatory Dependency

• Create test/integration/cli-tester/tests/signatory/02-baker-with-signatory.sh:
  • Install node
  • Install Signatory
  • Install baker with --remote-signer pointing to Signatory instance
  • Verify systemd dependency relationships (BindsTo, After)
  • Check baker environment has OCTEZ_REMOTE_SIGNER_URI
  • Start baker
  • Verify baker can connect to signer (check logs)
  • Test signing operation (if possible)
  • Cleanup all services

Test 3: Dependency Handling and Cascade

• Create test/integration/cli-tester/tests/signatory/03-dependency-handling.sh:
  • Install Signatory
  • Install baker depending on Signatory
  • Install accuser depending on same Signatory
  • Verify Signatory shows 2 dependents in om list
  • Attempt to remove Signatory (should fail/warn)
  • Stop and remove baker
  • Attempt to remove Signatory (should still warn, accuser depends)
  • Remove accuser
  • Remove Signatory (should succeed)
  • Cleanup

Test 4: Key Management

• Create test/integration/cli-tester/tests/signatory/04-key-management.sh:
  • Install Signatory with 2 authorized keys
  • Verify keys listed in configuration
  • Add a third key via om signatory add-key
  • Verify key added to config
  • Restart service
  • Verify new key is authorized (query endpoint)
  • Remove a key via om signatory remove-key
  • Verify key removed from config
  • Restart service
  • Verify key no longer authorized
  • Cleanup

Test 5: External Signer URI

• Create test/integration/cli-tester/tests/signatory/05-external-signer.sh:
  • Start mock external signer (or Docker Signatory)
  • Install node
  • Install baker with external signer URI (not managed instance)
  • Verify no systemd dependency created
  • Verify baker environment has correct URI
  • Start baker
  • Verify baker connects to external signer
  • Stop mock signer
  • Verify baker logs connection errors (expected)
  • Cleanup

Test 6: Edit Existing Baker Signer Configuration

• Create test/integration/cli-tester/tests/signatory/06-edit-signer-config.sh:
  • Install node
  • Install baker with local keys
  • Install Signatory
  • Edit baker to use Signatory: om instance <baker> set-signer <signatory>
  • Verify systemd unit updated with -R flag
  • Verify dependency added
  • Restart baker
  • Verify baker uses remote signer
  • Remove signer from baker: om instance <baker> unset-signer
  • Verify -R flag removed
  • Verify dependency removed
  • Cleanup

Test 7: Multiple Signatory Instances

• Create test/integration/cli-tester/tests/signatory/07-multiple-signers.sh:
  • Install node
  • Install Signatory A on port 6732
  • Install Signatory B on port 6733
  • Install baker 1 using Signatory A
  • Install baker 2 using Signatory B
  • Install accuser using Signatory A
  • Verify dependencies tracked correctly
  • Verify no port conflicts
  • Start all services
  • Verify all healthy
  • Cleanup

Test 8: Signatory Restart Cascade

• Create test/integration/cli-tester/tests/signatory/08-restart-cascade.sh:
  • Install node
  • Install Signatory
  • Install baker depending on Signatory
  • Start all services
  • Restart Signatory
  • Verify baker automatically restarts (due to BindsTo)
  • Verify baker reconnects successfully
  • Cleanup

Test Execution

CI Integration

• Add Signatory tests to CI pipeline
• Run in parallel with existing integration tests
• Use time-based sharding if needed
• Ensure cleanup on failure (EXIT trap)

Local Testing

• Document how to run tests locally
• Provide mock Signatory setup instructions
• Add to test/integration/cli-tester/README.md

Test Isolation Requirements (CRITICAL)

All tests MUST follow the isolation harness pattern:

```bash
#!/bin/bash
set -euo pipefail
source /tests/lib.sh

echo "Test: "

1. Unique instance names

TEST_SIGNER="test-signer-unique-$RANDOM"
TEST_BAKER="test-baker-unique-$RANDOM"

2. Initialize test (sets up EXIT trap)

test_init

3. Register all resources for cleanup

register_instance "$TEST_SIGNER"
register_instance "$TEST_BAKER"

4. Allocate unique ports

SIGNER_PORT=$(alloc_port)

5. Run test...

6. Cleanup happens automatically on EXIT

echo "Test passed"
```

Acceptance Criteria

• All 8 test cases pass independently
• Tests can run in parallel without conflicts
• Tests follow isolation harness pattern
• Cleanup happens on both success and failure
• Tests run reliably in CI
• Mock Signatory (or Docker setup) is reliable
• Tests complete within reasonable time (<2 min each)
• No leaked resources (services, ports, files)

Documentation

• Update test/integration/cli-tester/README.md
• Document mock Signatory setup
• Add troubleshooting section for test failures

Estimated Effort

Large (5-7 days)