style: repo-wide lint pass — make the lint gate green again

Push builds have been RED on the lint step since ~build 209 from accumulated
formatting drift. This is the mechanical cleanup: ruff format + ruff --fix
(UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115
tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged
attrsets, dropped unused lib args), yamllint, and shell quoting fixes in
tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended;
lint: PASS, unit tests: 138 passed.

tests/lasuite-docs/setup_custom_tests.sh

@@ -21,15 +21,24 @@ set -euo pipefail
 
 : "${CCCI_APP_DOMAIN:?missing}"
 : "${CCCI_DEPS_FILE:?missing}"
-test -s "$CCCI_DEPS_FILE" || { echo "  setup_custom_tests: deps file empty"; exit 1; }
+test -s "$CCCI_DEPS_FILE" || {
+  echo "  setup_custom_tests: deps file empty"
+  exit 1
+}
 
 # Read keycloak dep info via jq
-KC_DOMAIN=$(jq -r '.keycloak.domain'         "$CCCI_DEPS_FILE")
-KC_REALM=$( jq -r '.keycloak.realm'          "$CCCI_DEPS_FILE")
-KC_CLIENT=$(jq -r '.keycloak.client_id'      "$CCCI_DEPS_FILE")
-KC_SECRET=$(jq -r '.keycloak.client_secret'  "$CCCI_DEPS_FILE")
-[ -n "$KC_DOMAIN" ] && [ "$KC_DOMAIN" != "null" ] || { echo "  setup_custom_tests: no keycloak.domain in deps"; exit 1; }
-[ -n "$KC_SECRET" ] && [ "$KC_SECRET" != "null" ] || { echo "  setup_custom_tests: no keycloak.client_secret"; exit 1; }
+KC_DOMAIN=$(jq -r '.keycloak.domain' "$CCCI_DEPS_FILE")
+KC_REALM=$(jq -r '.keycloak.realm' "$CCCI_DEPS_FILE")
+KC_CLIENT=$(jq -r '.keycloak.client_id' "$CCCI_DEPS_FILE")
+KC_SECRET=$(jq -r '.keycloak.client_secret' "$CCCI_DEPS_FILE")
+if [ -z "$KC_DOMAIN" ] || [ "$KC_DOMAIN" = "null" ]; then
+  echo "  setup_custom_tests: no keycloak.domain in deps"
+  exit 1
+fi
+if [ -z "$KC_SECRET" ] || [ "$KC_SECRET" = "null" ]; then
+  echo "  setup_custom_tests: no keycloak.client_secret"
+  exit 1
+fi
 
 echo "  lasuite-docs setup_custom_tests: wiring OIDC against keycloak dep ${KC_DOMAIN}"
 
@@ -39,12 +48,15 @@ echo "  lasuite-docs setup_custom_tests: wiring OIDC against keycloak dep ${KC_D
 # update SECRET_OIDC_RPCS_VERSION in the .env to point at the new one.
 ENV_PATH="$HOME/.abra/servers/default/${CCCI_APP_DOMAIN}.env"
 CUR_VER=$(grep -E '^\s*SECRET_OIDC_RPCS_VERSION=' "$ENV_PATH" | tail -1 | cut -d= -f2 | tr -d '"\r' || echo "v1")
-NEW_NUM=$(( ${CUR_VER#v} + 1 ))
+NEW_NUM=$((${CUR_VER#v} + 1))
 NEW_VER="v${NEW_NUM}"
 
-INSERT_LOG=$(abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input -C -o 2>&1) \
-  || INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input -C -o" /dev/null 2>&1) \
-  || { echo "  setup_custom_tests: abra app secret insert oidc_rpcs@$NEW_VER failed: $INSERT_LOG"; exit 1; }
+INSERT_LOG=$(abra app secret insert "$CCCI_APP_DOMAIN" oidc_rpcs "$NEW_VER" "$KC_SECRET" --no-input -C -o 2>&1) ||
+  INSERT_LOG=$(script -qec "abra app secret insert $CCCI_APP_DOMAIN oidc_rpcs $NEW_VER $KC_SECRET --no-input -C -o" /dev/null 2>&1) ||
+  {
+    echo "  setup_custom_tests: abra app secret insert oidc_rpcs@$NEW_VER failed: $INSERT_LOG"
+    exit 1
+  }
 # Repoint the env var to the new version
 sed -i "s|^\s*SECRET_OIDC_RPCS_VERSION=.*|SECRET_OIDC_RPCS_VERSION=$NEW_VER|" "$ENV_PATH"
 echo "  setup_custom_tests: oidc_rpcs secret inserted at $NEW_VER (was $CUR_VER)"
@@ -52,25 +64,25 @@ echo "  setup_custom_tests: oidc_rpcs secret inserted at $NEW_VER (was $CUR_VER)
 # 2) Write OIDC env vars to the app's .env (names per lasuite-docs's .env.sample).
 # Ensure the file ends with a newline FIRST so our appends don't concatenate onto the last line
 # (we saw `TIMEOUT=900OIDC_REALM=...` malformed by a missing-trailing-newline file).
-[ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH"
-write_env () {
+[ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >>"$ENV_PATH"
+write_env() {
   local key="$1" val="$2"
   # remove any existing key (commented or live) then append the live key=val
   sed -i "/^\s*#\?\s*${key}=/d" "$ENV_PATH"
   # Re-ensure trailing newline after each delete (sed may leave the file without one)
-  [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >> "$ENV_PATH"
-  printf '%s=%s\n' "$key" "$val" >> "$ENV_PATH"
+  [ -z "$(tail -c1 "$ENV_PATH" 2>/dev/null)" ] || printf '\n' >>"$ENV_PATH"
+  printf '%s=%s\n' "$key" "$val" >>"$ENV_PATH"
 }
-write_env OIDC_REALM                       "$KC_REALM"
-write_env OIDC_OP_DISCOVERY_ENDPOINT       "https://${KC_DOMAIN}/realms/${KC_REALM}/.well-known/openid-configuration"
-write_env OIDC_OP_AUTHORIZATION_ENDPOINT   "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/auth"
-write_env OIDC_OP_TOKEN_ENDPOINT           "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/token"
-write_env OIDC_OP_USER_ENDPOINT            "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/userinfo"
-write_env OIDC_OP_LOGOUT_ENDPOINT          "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/logout"
-write_env OIDC_OP_JWKS_ENDPOINT            "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/certs"
-write_env OIDC_RP_CLIENT_ID                "$KC_CLIENT"
-write_env OIDC_RP_SIGN_ALGO                "RS256"
-write_env OIDC_RP_SCOPES                   "openid email profile"
+write_env OIDC_REALM "$KC_REALM"
+write_env OIDC_OP_DISCOVERY_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/.well-known/openid-configuration"
+write_env OIDC_OP_AUTHORIZATION_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/auth"
+write_env OIDC_OP_TOKEN_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/token"
+write_env OIDC_OP_USER_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/userinfo"
+write_env OIDC_OP_LOGOUT_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/logout"
+write_env OIDC_OP_JWKS_ENDPOINT "https://${KC_DOMAIN}/realms/${KC_REALM}/protocol/openid-connect/certs"
+write_env OIDC_RP_CLIENT_ID "$KC_CLIENT"
+write_env OIDC_RP_SIGN_ALGO "RS256"
+write_env OIDC_RP_SCOPES "openid email profile"
 
 # 3) Trigger an in-place redeploy so the env update takes effect. --force re-deploys even when
 # the recipe hasn't changed; --chaos avoids the chaos prompt; --no-input non-interactive.