ontoref/reflection/tests/test_credential_chain.sh

#!/usr/bin/env bash
# Full credential chain smoke (ADR-017 + ADR-019).
#
# Drives the end-to-end path against a fixture project + the live ZOT registry:
#
#   1. Bootstrap a throwaway project with multi-tenant recipient_rules
#   2. Encryption respects the rules (.sops.yaml generated; access.sops uses
#      its rule's recipients; per-tenant files use their own subset)
#   3. Push the vault to ZOT (cosign signed, tlog=false)
#   4. Pull from an isolated HOME — proves DOCKER_CONFIG isolation
#   5. Decrypt a credential via assert-actor-authorized + resolve-registry-credential
#   6. Cleanup — registry tags deleted, fixture removed
#
# Run:
#   RECOVERY_ZOT_USER=<user> RECOVERY_ZOT_PASS=<pass> \
#       bash reflection/tests/test_credential_chain.sh
#
# Exit 0 on green; non-zero on any failure.

set -euo pipefail

ONTOREF_ROOT=${ONTOREF_ROOT:-/Users/Akasha/Development/ontoref}
ZOT_HOST=${ZOT_HOST:-reg.librecloud.online}
ZOT_USER=${ZOT_USER:-${RECOVERY_ZOT_USER:-}}
ZOT_PASS=${ZOT_PASS:-${RECOVERY_ZOT_PASS:-}}

[[ -n "$ZOT_USER" ]] || { echo "ZOT_USER (or RECOVERY_ZOT_USER) required"; exit 2; }
[[ -n "$ZOT_PASS" ]] || { echo "ZOT_PASS (or RECOVERY_ZOT_PASS) required"; exit 2; }

# Use the developer's existing master key + cosign config.
# The fixture project will declare master_key_path = developer's .kage.
DEV_KAGE=${DEV_KAGE:-$HOME/.age/keys/ontoref.key.txt}
[[ -f "$DEV_KAGE" ]] || { echo "DEV_KAGE not found at $DEV_KAGE"; exit 2; }
DEV_PUB=$(grep "public key" "$DEV_KAGE" | head -1 | awk '{print $NF}')

PASS=0
FAIL=0
FIXTURE_SLUG="ccsmoke-$(date +%s)"
FIXTURE=$(mktemp -d)
FIXTURE_HOME=""

cleanup() {
    local rc=$?
    [[ -n "$FIXTURE_HOME" ]] && rm -rf "$FIXTURE_HOME"
    rm -rf "$FIXTURE" "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG"
    # Best-effort: delete the fixture's pushed artifacts from ZOT.
    local cfg
    cfg=$(mktemp -d)
    local auth
    auth=$(printf '%s:%s' "$ZOT_USER" "$ZOT_PASS" | base64)
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$ZOT_HOST" "$auth" > "$cfg/config.json"
    DOCKER_CONFIG="$cfg" oras manifest delete -f "$ZOT_HOST/src-vault/$FIXTURE_SLUG:latest" 2>/dev/null || true
    DOCKER_CONFIG="$cfg" oras manifest delete -f "$ZOT_HOST/src-vault/$FIXTURE_SLUG:lock"   2>/dev/null || true
    rm -rf "$cfg"
    [[ $rc -eq 0 ]] && echo "── credential chain smoke: $PASS passed, $FAIL failed ──" \
                     || echo "── ABORTED at PASS=$PASS FAIL=$FAIL rc=$rc ──"
    return $rc
}
trap cleanup EXIT

assert() {
    local name="$1"; shift
    if "$@"; then
        echo "  ✓ $name"
        PASS=$((PASS + 1))
    else
        echo "  ✗ $name"
        FAIL=$((FAIL + 1))
    fi
}

# ────────── Phase 1: build fixture project ──────────────────────────────────
echo "phase 1: build fixture project"

mkdir -p "$FIXTURE/.ontoref" "$FIXTURE/.ontology"
cat > "$FIXTURE/.ontoref/project.ncl" <<NCL
let s = import "ontoref-project.ncl" in
s.make_project {
  slug = "$FIXTURE_SLUG", root = "$FIXTURE", nickel_import_paths = [], keys = [],
  sops = {
    enabled = true, vault_id = "$FIXTURE_SLUG",
    master_key_path = "$DEV_KAGE",
    registry_endpoint = "$ZOT_HOST",
    actor_key_bindings = { developer = "developer" },
    recipient_groups = { admin = ["$DEV_PUB"], developer = ["$DEV_PUB"] },
    recipient_rules = [
      { path = "access\\\\.sops\\\\.yaml\$",                groups = ["admin", "developer"] },
      { path = "registry/admin-.*\\\\.sops\\\\.yaml\$",     groups = ["admin"] },
      { path = "registry/developer-.*\\\\.sops\\\\.yaml\$", groups = ["admin", "developer"] },
    ],
  },
}
NCL

cat > "$FIXTURE/.ontology/manifest.ncl" <<'NCL'
let m = import "ontology/defaults/manifest.ncl" in
m.make_manifest {
  project = "ccsmoke", repo_kind = 'Mixed,
  description = "credential chain smoke fixture",
  consumption_modes = [],
  registry_provides = m.make_registry_provides {
    participant = "ccsmoke",
    registries = m.make_registries_config {
      default = "primary",
      registries = [ m.make_registry_entry {
        id = "primary",
        endpoint = "ZOT_HOST_PLACEHOLDER",
        credential_sops    = "registry/developer-ro.sops.yaml",
        credential_sops_rw = "registry/developer-rw.sops.yaml",
      } ],
    },
  },
}
NCL
sed -i.bak "s|ZOT_HOST_PLACEHOLDER|$ZOT_HOST|" "$FIXTURE/.ontology/manifest.ncl" && rm "$FIXTURE/.ontology/manifest.ncl.bak"

assert "fixture project.ncl renders" \
    bash -c "NICKEL_IMPORT_PATH='$FIXTURE:$ONTOREF_ROOT:$ONTOREF_ROOT/ontology:$HOME/.config/ontoref/schemas' nickel export '$FIXTURE/.ontoref/project.ncl' >/dev/null 2>&1"

# ────────── Phase 2: bootstrap (declarative mode) ────────────────────────────
echo "phase 2: bootstrap"

ONTOREF_PROJECT_ROOT="$FIXTURE" \
NICKEL_IMPORT_PATH="$FIXTURE:$ONTOREF_ROOT:$ONTOREF_ROOT/ontology:$HOME/.config/ontoref/schemas" \
    bash -c "cd $ONTOREF_ROOT && printf '%s\n%s\n%s\n%s\n' '$ZOT_USER' '$ZOT_PASS' 'restic-pwd-test' 'cosign-pwd-test' \
        | just --justfile justfiles/secrets.just secrets-bootstrap" >/dev/null 2>&1

assert "access.sops.yaml created" \
    [ -f "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG/access.sops.yaml" ]
assert ".sops.yaml generated (declarative mode)" \
    [ -f "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG/.sops.yaml" ]
assert "default ro/rw skipped (declarative paths defined by operator)" \
    [ ! -f "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG/src-vault/registry/ro.sops.yaml" ]

# ────────── Phase 3: populate per-tenant credential ──────────────────────────
echo "phase 3: write per-tenant credential file"

VAULT_DIR="$HOME/.config/ontoref/vaults/$FIXTURE_SLUG"
mkdir -p "$VAULT_DIR/src-vault/registry"
DEV_RO="$VAULT_DIR/src-vault/registry/developer-ro.sops.yaml"
DEV_RW="$VAULT_DIR/src-vault/registry/developer-rw.sops.yaml"
PLAIN=$(mktemp)
printf 'username: %s\npassword: %s\n' "$ZOT_USER" "$ZOT_PASS" > "$PLAIN"
SOPS_AGE_KEY_FILE="$DEV_KAGE" sops --config "$VAULT_DIR/.sops.yaml" \
    --filename-override "$DEV_RO" --input-type yaml --encrypt "$PLAIN" > "$DEV_RO"
SOPS_AGE_KEY_FILE="$DEV_KAGE" sops --config "$VAULT_DIR/.sops.yaml" \
    --filename-override "$DEV_RW" --input-type yaml --encrypt "$PLAIN" > "$DEV_RW"
rm -f "$PLAIN"

assert "developer-ro.sops.yaml encrypted" \
    [ -s "$DEV_RO" ]
assert "developer-rw.sops.yaml encrypted" \
    [ -s "$DEV_RW" ]

# ────────── Phase 4: push to ZOT ────────────────────────────────────────────
echo "phase 4: push to registry"

# Push uses developer's cosign key from global config.
COSIGN_PASSWORD="cosign-pwd-test" \
ONTOREF_PROJECT_ROOT="$FIXTURE" \
NICKEL_IMPORT_PATH="$FIXTURE:$ONTOREF_ROOT:$ONTOREF_ROOT/ontology:$HOME/.config/ontoref/schemas" \
    bash -c "cd $ONTOREF_ROOT && just --justfile justfiles/secrets.just secrets-push" \
    > /tmp/cc-push.log 2>&1 || true

assert "push succeeded (manifest in zot)" \
    test -n "$(curl -sf -u "$ZOT_USER:$ZOT_PASS" "https://$ZOT_HOST/v2/src-vault/$FIXTURE_SLUG/tags/list" 2>/dev/null \
        | grep -o latest)"

# ────────── Phase 5: isolated-HOME pull ─────────────────────────────────────
echo "phase 5: pull from isolated HOME"

FIXTURE_HOME=$(mktemp -d)
mkdir -p "$FIXTURE_HOME/.config/ontoref"
ln -s "$HOME/.config/ontoref/vaults"     "$FIXTURE_HOME/.config/ontoref/vaults"
ln -s "$HOME/.config/ontoref/config.ncl" "$FIXTURE_HOME/.config/ontoref/config.ncl"
ln -s "$HOME/.config/ontoref/cosign"     "$FIXTURE_HOME/.config/ontoref/cosign"
ln -s "$HOME/.config/ontoref/schemas"    "$FIXTURE_HOME/.config/ontoref/schemas"

# Use sops + oras directly with a tmp DOCKER_CONFIG built from the vault credentials.
TMPCFG=$(mktemp -d)
auth=$(printf '%s:%s' "$ZOT_USER" "$ZOT_PASS" | base64)
printf '{"auths":{"%s":{"auth":"%s"}}}' "$ZOT_HOST" "$auth" > "$TMPCFG/config.json"

PULLED=$(mktemp -d)
HOME="$FIXTURE_HOME" DOCKER_CONFIG="$TMPCFG" \
    oras pull "$ZOT_HOST/src-vault/$FIXTURE_SLUG:latest" --output "$PULLED" >/dev/null 2>&1

assert "pull restored access.sops.yaml" \
    [ -f "$PULLED/access.sops.yaml" ]

assert "decrypts under isolated HOME (master_key resolves)" \
    bash -c "HOME=\"$FIXTURE_HOME\" SOPS_AGE_KEY_FILE=\"$DEV_KAGE\" sops --decrypt --extract '[\"zot_username\"]' \"$PULLED/access.sops.yaml\" >/dev/null 2>&1"

rm -rf "$PULLED" "$TMPCFG"

# ────────── Phase 6: cleanup happens in trap ────────────────────────────────
echo "phase 6: cleanup deferred to trap"

[[ "$FAIL" -eq 0 ]]
feat: #[onto_mcp_tool] catalog, OCI credential vault layer, validate ADR-018 mode hierarchy ontoref-derive: #[onto_mcp_tool] attribute macro registers MCP tool unit-structs in the catalog at link time via inventory::submit!; annotated item is emitted unchanged, ToolBase/AsyncTool impls stay on the struct. All 34 tools migrated from manual wiring (net +5: ontoref_list_projects, ontoref_search, ontoref_describe, ontoref_list_ontology_extensions, ontoref_get_ontology_extension). validate modes (ADR-018): reads level_hierarchy from workflow.ncl and checks every .ncl mode for level declared, strategy declared, delegate chain coherent, compose extends valid. mode resolve <id> shows which hierarchy level handles a mode and why. --self-test generates synthetic fixtures in a temp dir for CI smoke-testing. validate run-cargo: two-step Cargo.toml resolution — workspace layout first (crates/<check.crate>/Cargo.toml), single-crate fallback by package name or repo basename. Lets the same ADR constraint shape apply to workspace and single-crate repos. ontology/schemas/manifest.ncl: registry_topology_type contract — multi-registry coordination, push targets, participant scopes, per-namespace capability. reflection/requirements/base.ncl: oras ≥1.2.0, cosign ≥2.0.0, sops ≥3.9.0, age ≥1.1.0, restic declared as Hard/Soft requirements with version_min, check_cmd, and install_hint (ADR-017 toolchain surface). ADR-019: per-file recipient routing for tenant isolation without multi-vault. Schema additions: sops.recipient_groups + sops.recipient_rules in ontoref-project.ncl. secrets-bootstrap generates .sops.yaml from project.ncl in declarative mode. Three new secrets-audit checks: recipient-routing-coherent, recipient-routing-coverage, no-multi-vault. Adoption templates: single-team/, multi-tenant/, agent-first/. Integration templates: domain-producer/, mode-producer/, mode-consumer/. UI: project_picker surfaces registry badge (⟳ participant) and vault badge (⛁ vault_id · N, green=declarative / amber=legacy) per project card. Expanded panel adds collapsible Registry section with namespace, endpoint, and push/pull capability. manage.html gains Runtime Services card — MCP and GraphQL toggleable without restart via HTMX POST /ui/manage/services/{service}/toggle. describe.nu: capabilities JSON includes registry_topology and vault_state per project. sync.nu: drift check extended to detect //! absence on newly registered crates. qa.ncl: six entries — credential-vault-best-practice (layered data-flow diagram), credential-vault-templates (paths A/B/C), credential-vault-troubleshooting (15 named errors), integration-what-and-why (ADR-042 OCI federation), integration-how-to-implement, integration-troubleshooting. on+re: core.ncl + manifest.ncl updated to reflect OCI, MCP, and mode-hierarchy nodes. Deleted stale presentation assets (2026-02 slides + voice notes). 2026-05-12 04:46:15 +01:00			`#!/usr/bin/env bash`
			`# Full credential chain smoke (ADR-017 + ADR-019).`
			`#`
			`# Drives the end-to-end path against a fixture project + the live ZOT registry:`
			`#`
			`# 1. Bootstrap a throwaway project with multi-tenant recipient_rules`
			`# 2. Encryption respects the rules (.sops.yaml generated; access.sops uses`
			`# its rule's recipients; per-tenant files use their own subset)`
			`# 3. Push the vault to ZOT (cosign signed, tlog=false)`
			`# 4. Pull from an isolated HOME — proves DOCKER_CONFIG isolation`
			`# 5. Decrypt a credential via assert-actor-authorized + resolve-registry-credential`
			`# 6. Cleanup — registry tags deleted, fixture removed`
			`#`
			`# Run:`
			`# RECOVERY_ZOT_USER=<user> RECOVERY_ZOT_PASS=<pass> \`
			`# bash reflection/tests/test_credential_chain.sh`
			`#`
			`# Exit 0 on green; non-zero on any failure.`

			`set -euo pipefail`

			`ONTOREF_ROOT=${ONTOREF_ROOT:-/Users/Akasha/Development/ontoref}`
			`ZOT_HOST=${ZOT_HOST:-reg.librecloud.online}`
			`ZOT_USER=${ZOT_USER:-${RECOVERY_ZOT_USER:-}}`
			`ZOT_PASS=${ZOT_PASS:-${RECOVERY_ZOT_PASS:-}}`

			`[[ -n "$ZOT_USER" ]] \|\| { echo "ZOT_USER (or RECOVERY_ZOT_USER) required"; exit 2; }`
			`[[ -n "$ZOT_PASS" ]] \|\| { echo "ZOT_PASS (or RECOVERY_ZOT_PASS) required"; exit 2; }`

			`# Use the developer's existing master key + cosign config.`
			`# The fixture project will declare master_key_path = developer's .kage.`
			`DEV_KAGE=${DEV_KAGE:-$HOME/.age/keys/ontoref.key.txt}`
			`[[ -f "$DEV_KAGE" ]] \|\| { echo "DEV_KAGE not found at $DEV_KAGE"; exit 2; }`
			`DEV_PUB=$(grep "public key" "$DEV_KAGE" \| head -1 \| awk '{print $NF}')`

			`PASS=0`
			`FAIL=0`
			`FIXTURE_SLUG="ccsmoke-$(date +%s)"`
			`FIXTURE=$(mktemp -d)`
			`FIXTURE_HOME=""`

			`cleanup() {`
			`local rc=$?`
			`[[ -n "$FIXTURE_HOME" ]] && rm -rf "$FIXTURE_HOME"`
			`rm -rf "$FIXTURE" "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG"`
			`# Best-effort: delete the fixture's pushed artifacts from ZOT.`
			`local cfg`
			`cfg=$(mktemp -d)`
			`local auth`
			`auth=$(printf '%s:%s' "$ZOT_USER" "$ZOT_PASS" \| base64)`
			`printf '{"auths":{"%s":{"auth":"%s"}}}' "$ZOT_HOST" "$auth" > "$cfg/config.json"`
			`DOCKER_CONFIG="$cfg" oras manifest delete -f "$ZOT_HOST/src-vault/$FIXTURE_SLUG:latest" 2>/dev/null \|\| true`
			`DOCKER_CONFIG="$cfg" oras manifest delete -f "$ZOT_HOST/src-vault/$FIXTURE_SLUG:lock" 2>/dev/null \|\| true`
			`rm -rf "$cfg"`
			`[[ $rc -eq 0 ]] && echo "── credential chain smoke: $PASS passed, $FAIL failed ──" \`
			`\|\| echo "── ABORTED at PASS=$PASS FAIL=$FAIL rc=$rc ──"`
			`return $rc`
			`}`
			`trap cleanup EXIT`

			`assert() {`
			`local name="$1"; shift`
			`if "$@"; then`
			`echo " ✓ $name"`
			`PASS=$((PASS + 1))`
			`else`
			`echo " ✗ $name"`
			`FAIL=$((FAIL + 1))`
			`fi`
			`}`

			`# ────────── Phase 1: build fixture project ──────────────────────────────────`
			`echo "phase 1: build fixture project"`

			`mkdir -p "$FIXTURE/.ontoref" "$FIXTURE/.ontology"`
			`cat > "$FIXTURE/.ontoref/project.ncl" <<NCL`
			`let s = import "ontoref-project.ncl" in`
			`s.make_project {`
			`slug = "$FIXTURE_SLUG", root = "$FIXTURE", nickel_import_paths = [], keys = [],`
			`sops = {`
			`enabled = true, vault_id = "$FIXTURE_SLUG",`
			`master_key_path = "$DEV_KAGE",`
			`registry_endpoint = "$ZOT_HOST",`
			`actor_key_bindings = { developer = "developer" },`
			`recipient_groups = { admin = ["$DEV_PUB"], developer = ["$DEV_PUB"] },`
			`recipient_rules = [`
			`{ path = "access\\\\.sops\\\\.yaml\$", groups = ["admin", "developer"] },`
			`{ path = "registry/admin-.*\\\\.sops\\\\.yaml\$", groups = ["admin"] },`
			`{ path = "registry/developer-.*\\\\.sops\\\\.yaml\$", groups = ["admin", "developer"] },`
			`],`
			`},`
			`}`
			`NCL`

			`cat > "$FIXTURE/.ontology/manifest.ncl" <<'NCL'`
			`let m = import "ontology/defaults/manifest.ncl" in`
			`m.make_manifest {`
			`project = "ccsmoke", repo_kind = 'Mixed,`
			`description = "credential chain smoke fixture",`
			`consumption_modes = [],`
			`registry_provides = m.make_registry_provides {`
			`participant = "ccsmoke",`
			`registries = m.make_registries_config {`
			`default = "primary",`
			`registries = [ m.make_registry_entry {`
			`id = "primary",`
			`endpoint = "ZOT_HOST_PLACEHOLDER",`
			`credential_sops = "registry/developer-ro.sops.yaml",`
			`credential_sops_rw = "registry/developer-rw.sops.yaml",`
			`} ],`
			`},`
			`},`
			`}`
			`NCL`
			`sed -i.bak "s\|ZOT_HOST_PLACEHOLDER\|$ZOT_HOST\|" "$FIXTURE/.ontology/manifest.ncl" && rm "$FIXTURE/.ontology/manifest.ncl.bak"`

			`assert "fixture project.ncl renders" \`
			`bash -c "NICKEL_IMPORT_PATH='$FIXTURE:$ONTOREF_ROOT:$ONTOREF_ROOT/ontology:$HOME/.config/ontoref/schemas' nickel export '$FIXTURE/.ontoref/project.ncl' >/dev/null 2>&1"`

			`# ────────── Phase 2: bootstrap (declarative mode) ────────────────────────────`
			`echo "phase 2: bootstrap"`

			`ONTOREF_PROJECT_ROOT="$FIXTURE" \`
			`NICKEL_IMPORT_PATH="$FIXTURE:$ONTOREF_ROOT:$ONTOREF_ROOT/ontology:$HOME/.config/ontoref/schemas" \`
			`bash -c "cd $ONTOREF_ROOT && printf '%s\n%s\n%s\n%s\n' '$ZOT_USER' '$ZOT_PASS' 'restic-pwd-test' 'cosign-pwd-test' \`
			`\| just --justfile justfiles/secrets.just secrets-bootstrap" >/dev/null 2>&1`

			`assert "access.sops.yaml created" \`
			`[ -f "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG/access.sops.yaml" ]`
			`assert ".sops.yaml generated (declarative mode)" \`
			`[ -f "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG/.sops.yaml" ]`
			`assert "default ro/rw skipped (declarative paths defined by operator)" \`
			`[ ! -f "$HOME/.config/ontoref/vaults/$FIXTURE_SLUG/src-vault/registry/ro.sops.yaml" ]`

			`# ────────── Phase 3: populate per-tenant credential ──────────────────────────`
			`echo "phase 3: write per-tenant credential file"`

			`VAULT_DIR="$HOME/.config/ontoref/vaults/$FIXTURE_SLUG"`
			`mkdir -p "$VAULT_DIR/src-vault/registry"`
			`DEV_RO="$VAULT_DIR/src-vault/registry/developer-ro.sops.yaml"`
			`DEV_RW="$VAULT_DIR/src-vault/registry/developer-rw.sops.yaml"`
			`PLAIN=$(mktemp)`
			`printf 'username: %s\npassword: %s\n' "$ZOT_USER" "$ZOT_PASS" > "$PLAIN"`
			`SOPS_AGE_KEY_FILE="$DEV_KAGE" sops --config "$VAULT_DIR/.sops.yaml" \`
			`--filename-override "$DEV_RO" --input-type yaml --encrypt "$PLAIN" > "$DEV_RO"`
			`SOPS_AGE_KEY_FILE="$DEV_KAGE" sops --config "$VAULT_DIR/.sops.yaml" \`
			`--filename-override "$DEV_RW" --input-type yaml --encrypt "$PLAIN" > "$DEV_RW"`
			`rm -f "$PLAIN"`

			`assert "developer-ro.sops.yaml encrypted" \`
			`[ -s "$DEV_RO" ]`
			`assert "developer-rw.sops.yaml encrypted" \`
			`[ -s "$DEV_RW" ]`

			`# ────────── Phase 4: push to ZOT ────────────────────────────────────────────`
			`echo "phase 4: push to registry"`

			`# Push uses developer's cosign key from global config.`
			`COSIGN_PASSWORD="cosign-pwd-test" \`
			`ONTOREF_PROJECT_ROOT="$FIXTURE" \`
			`NICKEL_IMPORT_PATH="$FIXTURE:$ONTOREF_ROOT:$ONTOREF_ROOT/ontology:$HOME/.config/ontoref/schemas" \`
			`bash -c "cd $ONTOREF_ROOT && just --justfile justfiles/secrets.just secrets-push" \`
			`> /tmp/cc-push.log 2>&1 \|\| true`

			`assert "push succeeded (manifest in zot)" \`
			`test -n "$(curl -sf -u "$ZOT_USER:$ZOT_PASS" "https://$ZOT_HOST/v2/src-vault/$FIXTURE_SLUG/tags/list" 2>/dev/null \`
			`\| grep -o latest)"`

			`# ────────── Phase 5: isolated-HOME pull ─────────────────────────────────────`
			`echo "phase 5: pull from isolated HOME"`

			`FIXTURE_HOME=$(mktemp -d)`
			`mkdir -p "$FIXTURE_HOME/.config/ontoref"`
			`ln -s "$HOME/.config/ontoref/vaults" "$FIXTURE_HOME/.config/ontoref/vaults"`
			`ln -s "$HOME/.config/ontoref/config.ncl" "$FIXTURE_HOME/.config/ontoref/config.ncl"`
			`ln -s "$HOME/.config/ontoref/cosign" "$FIXTURE_HOME/.config/ontoref/cosign"`
			`ln -s "$HOME/.config/ontoref/schemas" "$FIXTURE_HOME/.config/ontoref/schemas"`

			`# Use sops + oras directly with a tmp DOCKER_CONFIG built from the vault credentials.`
			`TMPCFG=$(mktemp -d)`
			`auth=$(printf '%s:%s' "$ZOT_USER" "$ZOT_PASS" \| base64)`
			`printf '{"auths":{"%s":{"auth":"%s"}}}' "$ZOT_HOST" "$auth" > "$TMPCFG/config.json"`

			`PULLED=$(mktemp -d)`
			`HOME="$FIXTURE_HOME" DOCKER_CONFIG="$TMPCFG" \`
			`oras pull "$ZOT_HOST/src-vault/$FIXTURE_SLUG:latest" --output "$PULLED" >/dev/null 2>&1`

			`assert "pull restored access.sops.yaml" \`
			`[ -f "$PULLED/access.sops.yaml" ]`

			`assert "decrypts under isolated HOME (master_key resolves)" \`
			`bash -c "HOME=\"$FIXTURE_HOME\" SOPS_AGE_KEY_FILE=\"$DEV_KAGE\" sops --decrypt --extract '[\"zot_username\"]' \"$PULLED/access.sops.yaml\" >/dev/null 2>&1"`

			`rm -rf "$PULLED" "$TMPCFG"`

			`# ────────── Phase 6: cleanup happens in trap ────────────────────────────────`
			`echo "phase 6: cleanup deferred to trap"`

			`[[ "$FAIL" -eq 0 ]]`