Add edge case tests and compile-time interface assertions

Add edge case tests for InjectAuthorizedKeys (multiple keys, empty key,
chown failure) and direct unit tests for extract bundle computeHash and
isValid internals. Replace runtime interface compliance tests in runner
with compile-time assertions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: JAORMX

extract/bundle_test.go

@@ -4,6 +4,7 @@
 package extract
 
 import (
+	"encoding/hex"
 	"os"
 	"path/filepath"
 	"sync"
@@ -170,3 +171,137 @@ func TestBundle_Ensure_ConcurrentAccess(t *testing.T) {
 	require.NoError(t, err)
 	assert.Equal(t, []byte("concurrent data"), got)
 }
+
+// --- Direct tests for computeHash and isValid ---
+
+func TestBundle_ComputeHash_Stability(t *testing.T) {
+	t.Parallel()
+
+	files := []File{
+		{Name: "a.txt", Content: []byte("aaa"), Mode: 0o644},
+	}
+	b := NewBundle("v1", files)
+
+	hash1 := b.computeHash()
+	hash2 := b.computeHash()
+
+	assert.Equal(t, hash1, hash2, "same bundle should produce the same hash")
+	assert.Len(t, hash1, 64, "SHA-256 hex digest should be 64 characters")
+
+	// Verify it is valid hex.
+	_, err := hex.DecodeString(hash1)
+	require.NoError(t, err, "hash should be valid hex")
+}
+
+func TestBundle_ComputeHash_Sensitivity(t *testing.T) {
+	t.Parallel()
+
+	baseline := NewBundle("v1", []File{
+		{Name: "a.txt", Content: []byte("hello"), Mode: 0o644},
+	})
+	baseHash := baseline.computeHash()
+
+	tests := []struct {
+		name  string
+		build func() *Bundle
+	}{
+		{
+			name: "different version",
+			build: func() *Bundle {
+				return NewBundle("v2", []File{
+					{Name: "a.txt", Content: []byte("hello"), Mode: 0o644},
+				})
+			},
+		},
+		{
+			name: "different content",
+			build: func() *Bundle {
+				return NewBundle("v1", []File{
+					{Name: "a.txt", Content: []byte("world"), Mode: 0o644},
+				})
+			},
+		},
+		{
+			name: "different filename",
+			build: func() *Bundle {
+				return NewBundle("v1", []File{
+					{Name: "b.txt", Content: []byte("hello"), Mode: 0o644},
+				})
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			other := tt.build()
+			assert.NotEqual(t, baseHash, other.computeHash(),
+				"hash should differ when %s changes", tt.name)
+		})
+	}
+}
+
+func TestBundle_ComputeHash_EmptyBundle(t *testing.T) {
+	t.Parallel()
+
+	b1 := NewBundle("v1", nil)
+	b2 := NewBundle("v2", nil)
+
+	hash1 := b1.computeHash()
+	hash2 := b2.computeHash()
+
+	assert.Len(t, hash1, 64, "empty bundle hash should be valid 64-char hex")
+	_, err := hex.DecodeString(hash1)
+	require.NoError(t, err)
+
+	assert.NotEqual(t, hash1, hash2,
+		"empty bundles with different versions should produce different hashes")
+}
+
+func TestBundle_IsValid_MatchingHash(t *testing.T) {
+	t.Parallel()
+
+	b := NewBundle("v1", []File{
+		{Name: "x.txt", Content: []byte("data"), Mode: 0o644},
+	})
+	hash := b.computeHash()
+
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, ".version"), []byte(hash), 0o644))
+
+	assert.True(t, b.isValid(dir, hash))
+}
+
+func TestBundle_IsValid_WrongHash(t *testing.T) {
+	t.Parallel()
+
+	b := NewBundle("v1", []File{
+		{Name: "x.txt", Content: []byte("data"), Mode: 0o644},
+	})
+	hash := b.computeHash()
+
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, ".version"), []byte("wronghash"), 0o644))
+
+	assert.False(t, b.isValid(dir, hash))
+}
+
+func TestBundle_IsValid_MissingVersionFile(t *testing.T) {
+	t.Parallel()
+
+	b := NewBundle("v1", nil)
+	hash := b.computeHash()
+
+	dir := t.TempDir()
+	// dir exists but has no .version file.
+	assert.False(t, b.isValid(dir, hash))
+}
+
+func TestBundle_IsValid_NonexistentDir(t *testing.T) {
+	t.Parallel()
+
+	b := NewBundle("v1", nil)
+	hash := b.computeHash()
+
+	assert.False(t, b.isValid("/nonexistent/path/that/does/not/exist", hash))
+}

hooks/hooks_test.go

@@ -4,6 +4,7 @@
 package hooks
 
 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"sync"
@@ -282,6 +283,88 @@ func TestInjectEnvFile_RejectsPathTraversal(t *testing.T) {
 	assert.Contains(t, err.Error(), "path traversal")
 }
 
+// failingChown returns a ChownFunc that returns an error when the path
+// ends with the given suffix, and succeeds otherwise.
+func failingChown(pathSuffix string) ChownFunc {
+	return func(path string, _, _ int) error {
+		if filepath.Base(path) == pathSuffix || path == pathSuffix {
+			return fmt.Errorf("simulated chown failure on %s", path)
+		}
+		return nil
+	}
+}
+
+func TestInjectAuthorizedKeys_MultipleKeys(t *testing.T) {
+	t.Parallel()
+
+	chown, _ := recordingChown()
+
+	rootfs := t.TempDir()
+	require.NoError(t, os.MkdirAll(filepath.Join(rootfs, "home", "sandbox"), 0o755))
+
+	key1 := "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAATEST1 user1@host"
+	key2 := "ssh-rsa AAAAB3NzaC1yc2EAAAADTEST2 user2@host"
+	pubKey := key1 + "\n" + key2
+	hook := InjectAuthorizedKeys(pubKey, WithChown(chown))
+
+	err := hook(rootfs, nil)
+	require.NoError(t, err)
+
+	akPath := filepath.Join(rootfs, "home", "sandbox", ".ssh", "authorized_keys")
+	got, err := os.ReadFile(akPath)
+	require.NoError(t, err)
+	assert.Equal(t, pubKey+"\n", string(got))
+}
+
+func TestInjectAuthorizedKeys_EmptyKey(t *testing.T) {
+	t.Parallel()
+
+	chown, _ := recordingChown()
+
+	rootfs := t.TempDir()
+	require.NoError(t, os.MkdirAll(filepath.Join(rootfs, "home", "sandbox"), 0o755))
+
+	hook := InjectAuthorizedKeys("", WithChown(chown))
+
+	err := hook(rootfs, nil)
+	require.NoError(t, err)
+
+	akPath := filepath.Join(rootfs, "home", "sandbox", ".ssh", "authorized_keys")
+	got, err := os.ReadFile(akPath)
+	require.NoError(t, err)
+	assert.Equal(t, "\n", string(got))
+}
+
+func TestInjectAuthorizedKeys_ChownFailure(t *testing.T) {
+	t.Parallel()
+
+	t.Run("chown fails on .ssh dir", func(t *testing.T) {
+		t.Parallel()
+
+		rootfs := t.TempDir()
+		require.NoError(t, os.MkdirAll(filepath.Join(rootfs, "home", "sandbox"), 0o755))
+
+		hook := InjectAuthorizedKeys("ssh-ed25519 AAAA test", WithChown(failingChown(".ssh")))
+
+		err := hook(rootfs, nil)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "chown .ssh dir")
+	})
+
+	t.Run("chown fails on authorized_keys file", func(t *testing.T) {
+		t.Parallel()
+
+		rootfs := t.TempDir()
+		require.NoError(t, os.MkdirAll(filepath.Join(rootfs, "home", "sandbox"), 0o755))
+
+		hook := InjectAuthorizedKeys("ssh-ed25519 AAAA test", WithChown(failingChown("authorized_keys")))
+
+		err := hook(rootfs, nil)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "chown authorized_keys")
+	})
+}
+
 func TestInjectAuthorizedKeys_RejectsPathTraversal(t *testing.T) {
 	t.Parallel()
 

runner/config_test.go

@@ -112,27 +112,3 @@ func TestVirtioFSMount_Serialization(t *testing.T) {
 	assert.Equal(t, mount.Tag, restored.Tag)
 	assert.Equal(t, mount.HostPath, restored.HostPath)
 }
-
-func TestConfig_OmitEmpty_Fields(t *testing.T) {
-	t.Parallel()
-
-	// Config with only required fields set.
-	cfg := Config{
-		RootPath: "/rootfs",
-		NumVCPUs: 1,
-		RAMMiB:   256,
-	}
-
-	data, err := json.Marshal(cfg)
-	require.NoError(t, err)
-
-	var raw map[string]json.RawMessage
-	err = json.Unmarshal(data, &raw)
-	require.NoError(t, err)
-
-	// omitempty fields should not be present when zero.
-	assert.NotContains(t, raw, "net_sock_path")
-	assert.NotContains(t, raw, "virtiofs_mounts")
-	assert.NotContains(t, raw, "console_log_path")
-	assert.NotContains(t, raw, "log_level")
-}

runner/spawn.go

@@ -17,6 +17,12 @@ import (
 	"time"
 )
 
+// Compile-time interface assertions.
+var (
+	_ Spawner       = DefaultSpawner{}
+	_ ProcessHandle = (*Process)(nil)
+)
+
 const (
 	// runnerBinaryName is the name of the propolis-runner binary.
 	runnerBinaryName = "propolis-runner"

runner/spawn_test.go

@@ -390,15 +390,3 @@ func TestProcess_killTarget_PanicsOnPID1(t *testing.T) {
 	p := &Process{pid: 1}
 	assert.Panics(t, func() { p.killTarget() }, "killTarget with PID 1 should panic")
 }
-
-// --- Interface compliance ---
-
-func TestDefaultSpawner_ImplementsInterface(t *testing.T) {
-	t.Parallel()
-	var _ Spawner = DefaultSpawner{}
-}
-
-func TestProcess_ImplementsProcessHandle(t *testing.T) {
-	t.Parallel()
-	var _ ProcessHandle = &Process{}
-}