style: repo-wide lint pass — make the lint gate green again

Push builds have been RED on the lint step since ~build 209 from accumulated
formatting drift. This is the mechanical cleanup: ruff format + ruff --fix
(UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115
tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged
attrsets, dropped unused lib args), yamllint, and shell quoting fixes in
tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended;
lint: PASS, unit tests: 138 passed.

tests/lasuite-docs/functional/test_auth_required.py

@@ -28,9 +28,7 @@ def test_users_me_requires_auth(live_app):
     url = f"https://{live_app}/api/v1.0/users/me/"
     # Retry with broad acceptance: any 4xx (or specific 401) indicates the route exists + auth is
     # required. Reject 200 (anonymous access) and 5xx (broken backend).
-    status, _ = harness_http.retry_http_get(
-        url, expect_status=(401, 403), max_wait=60, interval=3
-    )
+    status, _ = harness_http.retry_http_get(url, expect_status=(401, 403), max_wait=60, interval=3)
     assert status in (401, 403), (
         f"GET {url} returned {status}, expected 401 (auth required). "
         f"200 = anonymous access leaked; 404 = route missing; 5xx = backend broken."

tests/lasuite-docs/functional/test_create_doc.py

@@ -27,7 +27,8 @@ import uuid
 import pytest
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
-from harness import http as harness_http, sso  # noqa: E402
+from harness import http as harness_http  # noqa: E402
+from harness import sso
 
 
 @pytest.mark.requires_deps
@@ -36,13 +37,15 @@ def test_create_doc_and_read_back(live_app, deps_creds):
     kc = deps_creds["keycloak"]
 
     # Obtain a JWT via OIDC password grant
-    access_token = sso.oidc_password_grant({
-        "client_id": kc["client_id"],
-        "client_secret": kc["client_secret"],
-        "user": kc["user"],
-        "password": kc["password"],
-        "token_url": kc["token_url"],
-    })
+    access_token = sso.oidc_password_grant(
+        {
+            "client_id": kc["client_id"],
+            "client_secret": kc["client_secret"],
+            "user": kc["user"],
+            "password": kc["password"],
+            "token_url": kc["token_url"],
+        }
+    )
     auth = {"Authorization": f"Bearer {access_token}"}
 
     # Create a doc with a unique title
@@ -56,9 +59,9 @@ def test_create_doc_and_read_back(live_app, deps_creds):
     assert isinstance(body, dict), f"unexpected response shape: {body!r}"
     doc_id = body.get("id")
     assert doc_id, f"created doc has no id: {body!r}"
-    assert body.get("title") == title, (
-        f"created doc title mismatch: created={title!r}, response={body.get('title')!r}"
-    )
+    assert (
+        body.get("title") == title
+    ), f"created doc title mismatch: created={title!r}, response={body.get('title')!r}"
 
     # Fetch it back via the dedicated GET endpoint
     s, fetched = harness_http.http_get(
@@ -66,9 +69,10 @@ def test_create_doc_and_read_back(live_app, deps_creds):
     )
     assert s == 200, f"GET /api/v1.0/documents/{doc_id}/ HTTP {s}: {fetched!r}"
     assert isinstance(fetched, dict), f"unexpected GET response: {fetched!r}"
-    assert fetched.get("id") in (doc_id, str(doc_id)), (
-        f"fetched id mismatch: created={doc_id!r}, fetched={fetched.get('id')!r}"
-    )
-    assert fetched.get("title") == title, (
-        f"fetched title mismatch: created={title!r}, fetched={fetched.get('title')!r}"
-    )
+    assert fetched.get("id") in (
+        doc_id,
+        str(doc_id),
+    ), f"fetched id mismatch: created={doc_id!r}, fetched={fetched.get('id')!r}"
+    assert (
+        fetched.get("title") == title
+    ), f"fetched title mismatch: created={title!r}, fetched={fetched.get('title')!r}"

tests/lasuite-docs/functional/test_health_check.py

@@ -22,7 +22,11 @@ def test_lasuite_docs_returns_200(live_app):
     url = f"https://{live_app}/"
     # accept 200 (frontend SPA shell) — lasuite-docs serves the SPA at root unauthenticated;
     # the SPA itself bootstraps via /api/v1.0/users/me/ which requires OIDC (separate test).
-    status, _ = harness_http.retry_http_get(url, expect_status=(200, 301, 302), max_wait=60, interval=3)
-    assert status in (200, 301, 302), (
-        f"lasuite-docs at {url} returned HTTP {status} (expected 200/301/302)"
+    status, _ = harness_http.retry_http_get(
+        url, expect_status=(200, 301, 302), max_wait=60, interval=3
     )
+    assert status in (
+        200,
+        301,
+        302,
+    ), f"lasuite-docs at {url} returned HTTP {status} (expected 200/301/302)"

tests/lasuite-docs/functional/test_oidc_login.py

@@ -25,7 +25,8 @@ import urllib.request
 import pytest
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "..", "runner"))
-from harness import http as harness_http, sso  # noqa: E402
+from harness import http as harness_http  # noqa: E402
+from harness import sso
 
 _CTX = ssl.create_default_context()
 _CTX.check_hostname = False
@@ -61,9 +62,9 @@ def test_oidc_login_via_keycloak(live_app, deps_creds):
     # 302 redirect. Both are valid "auth-required" indicators — accept either, but if a
     # redirect is returned it must point at the dep keycloak realm.
     if status in (301, 302, 303, 307, 308):
-        assert expected_prefix in (redirect or ""), (
-            f"Docs redirected to {redirect!r}, expected to start with {expected_prefix!r}"
-        )
+        assert expected_prefix in (
+            redirect or ""
+        ), f"Docs redirected to {redirect!r}, expected to start with {expected_prefix!r}"
     else:
         assert status in (401, 403), (
             f"GET /api/v1.0/users/me/ unauth: HTTP {status}; expected redirect to keycloak "
@@ -88,6 +89,6 @@ def test_oidc_login_via_keycloak(live_app, deps_creds):
     )
     assert status == 200, f"GET /api/v1.0/users/me/ with token HTTP {status}: {body!r}"
     assert isinstance(body, dict), f"unexpected response: {body!r}"
-    assert body.get("email") == kc["email"], (
-        f"unexpected user email: got {body.get('email')!r}, expected {kc['email']!r}"
-    )
+    assert (
+        body.get("email") == kc["email"]
+    ), f"unexpected user email: got {body.get('email')!r}, expected {kc['email']!r}"

tests/lasuite-docs/functional/test_oidc_with_keycloak.py

@@ -42,9 +42,9 @@ def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds):
     # Sanity-check the creds shape — orchestrator-written
     assert kc["domain"]
     # WC1: realm is per-run namespaced "<parent>-<6hex>" so concurrent dependents never collide.
-    assert re.fullmatch(r"lasuite-docs-[0-9a-f]{6}", kc["realm"]), (
-        f"realm {kc['realm']!r} not the per-run namespaced form lasuite-docs-<6hex>"
-    )
+    assert re.fullmatch(
+        r"lasuite-docs-[0-9a-f]{6}", kc["realm"]
+    ), f"realm {kc['realm']!r} not the per-run namespaced form lasuite-docs-<6hex>"
     assert kc["client_id"] == "lasuite-docs"
     assert isinstance(kc["client_secret"], str) and len(kc["client_secret"]) >= 16
     assert isinstance(kc["password"], str) and len(kc["password"]) >= 16
@@ -74,16 +74,14 @@ def test_oidc_password_grant_against_dep_keycloak(live_app, deps_creds):
 
     # Password grant → real JWT
     token = sso.oidc_password_grant(creds)
-    assert isinstance(token, str) and token.count(".") == 2, (
-        f"access_token is not a JWT: {token!r}"
-    )
+    assert isinstance(token, str) and token.count(".") == 2, f"access_token is not a JWT: {token!r}"
     payload = json.loads(_b64url_decode(token.split(".")[1]))
     assert payload.get("iss") == expected_iss, f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
-    assert payload.get("azp") == kc["client_id"], (
-        f"JWT azp={payload.get('azp')!r} != {kc['client_id']!r}"
-    )
+    assert (
+        payload.get("azp") == kc["client_id"]
+    ), f"JWT azp={payload.get('azp')!r} != {kc['client_id']!r}"
     assert payload.get("typ") == "Bearer", f"JWT typ={payload.get('typ')!r} != 'Bearer'"
     exp = payload.get("exp")
-    assert isinstance(exp, int) and exp > time.time(), (
-        f"JWT exp={exp!r} not a future timestamp (now={time.time():.0f})"
-    )
+    assert (
+        isinstance(exp, int) and exp > time.time()
+    ), f"JWT exp={exp!r} not a future timestamp (now={time.time():.0f})"

tests/lasuite-docs/setup_custom_tests.sh

@@ -21,15 +21,24 @@ set -euo pipefail
 
 : "${CCCI_APP_DOMAIN:?missing}"
 : "${CCCI_DEPS_FILE:?missing}"
-test -s "$CCCI_DEPS_FILE" || { echo "  setup_custom_tests: deps file empty"; exit 1; }
+test -s "$CCCI_DEPS_FILE" || {
+  echo "  setup_custom_tests: deps file empty"
+  exit 1
+}
 
 # Read keycloak dep info via jq
-KC_DOMAIN=$(jq -r '.keycloak.domain'         "$CCCI_DEPS_FILE")
-KC_REALM=$( jq -r '.keycloak.realm'          "$CCCI_DEPS_FILE")
-KC_CLIENT=$(jq -r '.keycloak.client_id'      "$CCCI_DEPS_FILE")
-KC_SECRET=$(jq -r '.keycloak.client_secret'  "$CCCI_DEPS_FILE")
-[ -n "$KC_DOMAIN" ] && [ "$KC_DOMAIN" != "null" ] || { echo "  setup_custom_tests: no keycloak.domain in deps"; exit 1; }
-[ -n "$KC_SECRET" ] && [ "$KC_SECRET" != "null" ] || { echo "  setup_custom_tests: no keycloak.client_secret"; exit 1; }
+KC_DOMAIN=$(jq -r '.keycloak.domain' "$CCCI_DEPS_FILE")
+KC_REALM=$(jq -r '.keycloak.realm' "$CCCI_DEPS_FILE")
+KC_CLIENT=$(jq -r '.keycloak.client_id' "$CCCI_DEPS_FILE")
+KC_SECRET=$(jq -r '.keycloak.client_secret' "$CCCI_DEPS_FILE")
+if [ -z "$KC_DOMAIN" ] || [ "$KC_DOMAIN" = "null" ]; then
+  echo "  setup_custom_tests: no keycloak.domain in deps"
+  exit 1
+fi
+if [ -z "$KC_SECRET" ] || [ "$KC_SECRET" = "null" ]; then
+  echo "  setup_custom_tests: no keycloak.client_secret"
+  exit 1
+fi
 
 echo "  lasuite-docs setup_custom_tests: wiring OIDC against keycloak dep ${KC_DOMAIN}"
 
@@ -39,12 +48,15 @@ echo "  lasuite-docs setup_custom_tests: wiring OIDC against keycloak dep ${KC_D
 # update SECRET_OIDC_RPCS_VERSION in the .env to point at the new one.
 ENV_PATH="$HOME/.abra/servers/default/${CCCI_APP_DOMAIN}.env"
 CUR_VER=$(grep -E '^\s*SECRET_OIDC_RPCS_VERSION=' "$ENV_PATH" | tail -1 | cut -d= -f2 | tr -d '"\r' || echo "v1")
-NEW_NUM=$(( ${CUR_VER#v} + 1 ))
+NEW_NUM=$((${CUR_VER#v} + 1))
 NEW_VER="v${NEW_NUM}"
 
-INSERT_LOG=$(abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input -C -o 2>&1) \
-  || INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input -C -o" /dev/null 2>&1) \
-  || { echo "  setup_custom_tests: abra app secret insert oidc_rpcs@$NEW_VER failed: $INSERT_LOG"; exit 1; }
+INSERT_LOG=$(abra app secret insert "$CCCI_APP_DOMAIN" oidc_rpcs "$NEW_VER" "$KC_SECRET" --no-input -C -o 2>&1) ||
+  INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input -C -o" /dev/null 2>&1) ||
+  {
+    echo "  setup_custom_tests: abra app secret insert oidc_rpcs@$NEW_VER failed: $INSERT_LOG"
+    exit 1
+  }
 # Repoint the env var to the new version
 sed -i "s|^\s*SECRET_OIDC_RPCS_VERSION=.*|SECRET_OIDC_RPCS_VERSION=$NEW_VER|" "$ENV_PATH"
 echo "  setup_custom_tests: oidc_rpcs secret inserted at $NEW_VER (was $CUR_VER)"
@@ -52,25 +64,25 @@ echo "  setup_custom_tests: oidc_rpcs secret inserted at $NEW_VER (was $CUR_VER)
 # 2) Write OIDC env vars to the app's .env (names per lasuite-docs's .env.sample).
 # Ensure the file ends with a newline FIRST so our appends don't concatenate onto the last line
 # (we saw `TIMEOUT=900OIDC_REALM=...` malformed by a missing-trailing-newline file).
-[ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH"
-write_env () {
+[ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >>"$ENV_PATH"
+write_env() {
   local key="$1" val="$2"
   # remove any existing key (commented or live) then append the live key=val
   sed -i "/^\s*#\?\s*${key}=/d" "$ENV_PATH"
   # Re-ensure trailing newline after each delete (sed may leave the file without one)
-  [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH"
-  printf '%s=%s\n' "$key" "$val" >> "$ENV_PATH"
+  [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >>"$ENV_PATH"
+  printf '%s=%s\n' "$key" "$val" >>"$ENV_PATH"
 }
-write_env OIDC_REALM                       "$KC_REALM"
-write_env OIDC_OP_DISCOVERY_ENDPOINT       "https://${KC_DOMAIN}/realms/${KC_REALM}/.well-known/openid-configuration"
-write_env OIDC_OP_AUTHORIZATION_ENDPOINT   "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/auth"
-write_env OIDC_OP_TOKEN_ENDPOINT           "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/token"
-write_env OIDC_OP_USER_ENDPOINT            "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/userinfo"
-write_env OIDC_OP_LOGOUT_ENDPOINT          "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/logout"
-write_env OIDC_OP_JWKS_ENDPOINT            "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/certs"
-write_env OIDC_RP_CLIENT_ID                "$KC_CLIENT"
-write_env OIDC_RP_SIGN_ALGO                "RS256"
-write_env OIDC_RP_SCOPES                   "openid email profile"
+write_env OIDC_REALM "$KC_REALM"
+write_env OIDC_OP_DISCOVERY_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/.well-known/openid-configuration"
+write_env OIDC_OP_AUTHORIZATION_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/auth"
+write_env OIDC_OP_TOKEN_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/token"
+write_env OIDC_OP_USER_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/userinfo"
+write_env OIDC_OP_LOGOUT_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/logout"
+write_env OIDC_OP_JWKS_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/certs"
+write_env OIDC_RP_CLIENT_ID "$KC_CLIENT"
+write_env OIDC_RP_SIGN_ALGO "RS256"
+write_env OIDC_RP_SCOPES "openid email profile"
 
 # 3) Trigger an in-place redeploy so the env update takes effect. --force re-deploys even when
 # the recipe hasn't changed; --chaos avoids the chaos prompt; --no-input non-interactive.

tests/lasuite-docs/test_install.py

@@ -10,7 +10,8 @@ import os
 import sys
 
 sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
-from harness import browser as harness_browser, generic, lifecycle  # noqa: E402
+from harness import browser as harness_browser  # noqa: E402
+from harness import generic, lifecycle
 
 
 def test_serving_and_frontend(live_app, meta):