test(tofu): add unit tests for TofuStore trait

- Implement  for testing purposes
- Add comprehensive tests covering first-use storage, certificate matching/replacement, and large payloads

NOTE: Unit tests and supporting mock implementation were created with AI assistance.

Author: lucasdbr05

src/tofu/mod.rs

@@ -19,3 +19,127 @@ pub trait TofuStore: Send + Sync + Debug {
     ) -> Result<(), Box<dyn Send + Sync + Error>>;
 }
 
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use std::collections::HashMap;
+    use std::sync::Mutex;
+
+    #[derive(Debug)]
+    struct InMemoryTofuStore {
+        store: Mutex<HashMap<String, Vec<u8>>>,
+    }
+
+    impl InMemoryTofuStore {
+        fn new() -> Self {
+            Self {
+                store: Mutex::new(HashMap::new()),
+            }
+        }
+    }
+
+    impl TofuStore for InMemoryTofuStore {
+        fn get_certificate(
+            &self,
+            host: &str,
+        ) -> Result<Option<Vec<u8>>, Box<dyn Send + Sync + Error>> {
+            let store = self.store.lock().unwrap();
+            Ok(store.get(host).cloned())
+        }
+
+        fn set_certificate(
+            &self,
+            host: &str,
+            cert: Vec<u8>,
+        ) -> Result<(), Box<dyn Send + Sync + Error>> {
+            let mut store = self.store.lock().unwrap();
+            store.insert(host.to_string(), cert);
+            Ok(())
+        }
+    }
+
+    #[test]
+    fn test_tofu_first_use() {
+        let store = InMemoryTofuStore::new();
+
+        let host = "example.com";
+        let cert = b"test certificate data".to_vec();
+
+        // First use: certificate should not exist
+        let result = store.get_certificate(host).unwrap();
+        assert!(
+            result.is_none(),
+            "Certificate should not exist on first use"
+        );
+
+        store.set_certificate(host, cert.clone()).unwrap();
+
+        let stored = store.get_certificate(host).unwrap();
+        assert_eq!(stored, Some(cert), "Certificate should be stored");
+    }
+
+    #[test]
+    fn test_tofu_certificate_match() {
+        let store = InMemoryTofuStore::new();
+
+        let host = "example.com";
+        let cert = b"test certificate data".to_vec();
+
+        // Store certificate
+        store.set_certificate(host, cert.clone()).unwrap();
+
+        // Retrieve and verify it matches
+        let stored = store.get_certificate(host).unwrap();
+        assert_eq!(stored, Some(cert), "Stored certificate should match");
+    }
+
+    #[test]
+    fn test_tofu_certificate_change() {
+        let store = InMemoryTofuStore::new();
+
+        let host = "example.com";
+        let cert1 = b"first certificate".to_vec();
+        let cert2 = b"second certificate".to_vec();
+
+        // Store first certificate
+        store.set_certificate(host, cert1.clone()).unwrap();
+        let stored1 = store.get_certificate(host).unwrap();
+        assert_eq!(
+            stored1,
+            Some(cert1.clone()),
+            "First certificate should be stored"
+        );
+
+        // Update with different certificate
+        store.set_certificate(host, cert2.clone()).unwrap();
+        let stored2 = store.get_certificate(host).unwrap();
+        assert_eq!(
+            stored2,
+            Some(cert2.clone()),
+            "Second certificate should replace first"
+        );
+        assert_ne!(
+            stored2,
+            Some(cert1),
+            "Stored certificate should not match first"
+        );
+    }
+
+    #[test]
+    fn test_tofu_large_certificate() {
+        let store = InMemoryTofuStore::new();
+
+        let host = "example.com";
+        // Create a large certificate (10KB)
+        let cert = vec![0x42; 10 * 1024];
+
+        // Store large certificate
+        store.set_certificate(host, cert.clone()).unwrap();
+        let stored = store.get_certificate(host).unwrap();
+        assert_eq!(
+            stored,
+            Some(cert),
+            "Large certificate should be stored correctly"
+        );
+    }
+}