furtka/tests/test_catalog.py

"""Tests for the apps-catalog sync flow.

Same shape as ``tests/test_updater.py``: fixture reloads the module with
env-overridden paths, fake tarballs land in tmp_path, Forgejo API is
stubbed via ``urllib.request.urlopen`` monkeypatching so nothing talks
to the network.

Asserts end-to-end atomicity: on any failure path — bad sha256, broken
tarball, invalid manifest — the live catalog dir is either left
untouched (if one existed) or absent (if it didn't).
"""

from __future__ import annotations

import io
import json
import tarfile
from pathlib import Path

import pytest


@pytest.fixture
def catalog(tmp_path, monkeypatch):
    monkeypatch.setenv("FURTKA_CATALOG_DIR", str(tmp_path / "var_lib_furtka_catalog"))
    monkeypatch.setenv("FURTKA_CATALOG_STATE", str(tmp_path / "var_lib_furtka_catalog-state.json"))
    monkeypatch.setenv("FURTKA_CATALOG_LOCK", str(tmp_path / "catalog.lock"))
    monkeypatch.setenv("FURTKA_FORGEJO_HOST", "forgejo.test.local")
    monkeypatch.setenv("FURTKA_CATALOG_REPO", "daniel/furtka-apps")

    import importlib

    from furtka import catalog as c
    from furtka import paths as p

    importlib.reload(p)
    importlib.reload(c)
    return c


def _manifest(name: str = "fileshare") -> dict:
    return {
        "name": name,
        "display_name": "Fileshare",
        "version": "0.1.0",
        "description": "Test fixture app",
        "volumes": ["files"],
        "ports": [445],
        "icon": "icon.svg",
    }


def _make_catalog_tarball(
    path: Path,
    version: str,
    *,
    apps: list[tuple[str, dict]] | None = None,
    extra_entries: list[tuple[str, bytes]] | None = None,
) -> None:
    """Build a minimal valid catalog tarball.

    `apps` is a list of (folder_name, manifest_dict). Each app folder gets
    a `manifest.json` + a stub `docker-compose.yaml` + `icon.svg`.
    `extra_entries` lets tests inject malformed content (path-traversal,
    missing VERSION, ...) without rebuilding the helper.
    """
    apps = apps if apps is not None else [("fileshare", _manifest())]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        entries: list[tuple[str, bytes]] = [("VERSION", f"{version}\n".encode())]
        for folder, m in apps:
            entries.append((f"apps/{folder}/manifest.json", json.dumps(m).encode()))
            entries.append(
                (f"apps/{folder}/docker-compose.yaml", b"services:\n  app:\n    image: scratch\n")
            )
            entries.append((f"apps/{folder}/icon.svg", b"<svg/>"))
        if extra_entries:
            entries.extend(extra_entries)
        for name, data in entries:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    path.write_bytes(buf.getvalue())


def _stub_forgejo_release(
    monkeypatch,
    catalog,
    *,
    tag: str,
    tarball_url: str = "https://forgejo.test.local/t.tar.gz",
    sha_url: str = "https://forgejo.test.local/t.tar.gz.sha256",
    releases: list | None = None,
):
    """Patch ``_rc.forgejo_api`` so check_catalog sees a canned release list."""
    if releases is None:
        releases = [
            {
                "tag_name": tag,
                "assets": [
                    {"name": f"furtka-apps-{tag}.tar.gz", "browser_download_url": tarball_url},
                    {
                        "name": f"furtka-apps-{tag}.tar.gz.sha256",
                        "browser_download_url": sha_url,
                    },
                ],
            }
        ]

    def fake_api(host, repo, path, *, error_cls=RuntimeError):
        return releases

    from furtka import _release_common as _rc

    monkeypatch.setattr(_rc, "forgejo_api", fake_api)


def _stub_download(monkeypatch, catalog, mapping: dict[str, bytes]):
    """Patch ``_rc.download`` so sync_catalog pulls from an in-memory map."""
    from furtka import _release_common as _rc

    def fake_download(url, dest, *, error_cls=RuntimeError):
        if url not in mapping:
            raise error_cls(f"test: no fake content for {url}")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(mapping[url])

    monkeypatch.setattr(_rc, "download", fake_download)


# --------------------------------------------------------------------------- #
# check_catalog
# --------------------------------------------------------------------------- #


def test_check_catalog_reports_update_when_versions_differ(catalog, monkeypatch, tmp_path):
    # Pretend we already have catalog version 26.5 on disk; Forgejo reports 26.6.
    catalog.catalog_dir().mkdir(parents=True)
    (catalog.catalog_dir() / "VERSION").write_text("26.5\n")
    _stub_forgejo_release(monkeypatch, catalog, tag="26.6")

    check = catalog.check_catalog()
    assert check.current == "26.5"
    assert check.latest == "26.6"
    assert check.update_available is True
    assert check.tarball_url.endswith(".tar.gz")
    assert check.sha256_url.endswith(".sha256")


def test_check_catalog_reports_up_to_date_when_same_version(catalog, monkeypatch):
    catalog.catalog_dir().mkdir(parents=True)
    (catalog.catalog_dir() / "VERSION").write_text("26.5\n")
    _stub_forgejo_release(monkeypatch, catalog, tag="26.5")

    check = catalog.check_catalog()
    assert check.current == "26.5"
    assert check.latest == "26.5"
    assert check.update_available is False


def test_check_catalog_treats_missing_current_as_installable(catalog, monkeypatch):
    # Fresh box, no catalog ever synced — any release is an update.
    _stub_forgejo_release(monkeypatch, catalog, tag="26.5")

    check = catalog.check_catalog()
    assert check.current is None
    assert check.update_available is True


def test_check_catalog_raises_when_no_releases_published(catalog, monkeypatch):
    _stub_forgejo_release(monkeypatch, catalog, tag="x", releases=[])
    with pytest.raises(catalog.CatalogError, match="no catalog releases"):
        catalog.check_catalog()


# --------------------------------------------------------------------------- #
# sync_catalog — happy + error paths
# --------------------------------------------------------------------------- #


def test_sync_catalog_happy_path(catalog, monkeypatch, tmp_path):
    import hashlib

    tarball_path = tmp_path / "tarball.tar.gz"
    _make_catalog_tarball(tarball_path, "26.6")
    tarball_bytes = tarball_path.read_bytes()
    sha = hashlib.sha256(tarball_bytes).hexdigest()

    _stub_forgejo_release(monkeypatch, catalog, tag="26.6")
    _stub_download(
        monkeypatch,
        catalog,
        {
            "https://forgejo.test.local/t.tar.gz": tarball_bytes,
            "https://forgejo.test.local/t.tar.gz.sha256": (
                f"{sha}  furtka-apps-26.6.tar.gz\n".encode()
            ),
        },
    )

    check = catalog.sync_catalog()
    assert check.latest == "26.6"
    assert (catalog.catalog_dir() / "VERSION").read_text().strip() == "26.6"
    assert (catalog.catalog_dir() / "apps" / "fileshare" / "manifest.json").is_file()
    state = catalog.read_state()
    assert state["stage"] == "done"
    assert state["version"] == "26.6"


def test_sync_catalog_noop_when_already_current(catalog, monkeypatch, tmp_path):
    catalog.catalog_dir().mkdir(parents=True)
    (catalog.catalog_dir() / "VERSION").write_text("26.5\n")
    _stub_forgejo_release(monkeypatch, catalog, tag="26.5")

    check = catalog.sync_catalog()
    assert check.update_available is False
    assert catalog.read_state()["stage"] == "done"


def test_sync_catalog_refuses_sha256_mismatch(catalog, monkeypatch, tmp_path):
    tarball_path = tmp_path / "tarball.tar.gz"
    _make_catalog_tarball(tarball_path, "26.6")

    _stub_forgejo_release(monkeypatch, catalog, tag="26.6")
    _stub_download(
        monkeypatch,
        catalog,
        {
            "https://forgejo.test.local/t.tar.gz": tarball_path.read_bytes(),
            # Hash for some OTHER content — will mismatch.
            "https://forgejo.test.local/t.tar.gz.sha256": (b"0" * 64 + b"  wrong.tar.gz\n"),
        },
    )

    with pytest.raises(catalog.CatalogError, match="sha256 mismatch"):
        catalog.sync_catalog()
    # Live catalog never existed, must still not exist after the failed sync.
    assert not catalog.catalog_dir().exists()


def test_sync_catalog_refuses_tarball_with_invalid_manifest(catalog, monkeypatch, tmp_path):
    import hashlib

    bad_manifest = {"name": "broken"}  # missing required fields

    tarball_path = tmp_path / "tarball.tar.gz"
    _make_catalog_tarball(tarball_path, "26.6", apps=[("broken", bad_manifest)])
    tarball_bytes = tarball_path.read_bytes()
    sha = hashlib.sha256(tarball_bytes).hexdigest()

    _stub_forgejo_release(monkeypatch, catalog, tag="26.6")
    _stub_download(
        monkeypatch,
        catalog,
        {
            "https://forgejo.test.local/t.tar.gz": tarball_bytes,
            "https://forgejo.test.local/t.tar.gz.sha256": (
                f"{sha}  furtka-apps-26.6.tar.gz\n".encode()
            ),
        },
    )

    with pytest.raises(catalog.CatalogError, match="invalid manifest"):
        catalog.sync_catalog()
    # Staging was cleaned; live catalog never materialised.
    assert not catalog.catalog_dir().exists()


def test_sync_catalog_preserves_existing_catalog_on_failure(catalog, monkeypatch, tmp_path):
    """A failed sync must leave the previous live catalog intact so boxes
    keep working until the next successful sync."""
    import hashlib

    # Seed a live catalog that represents a previous successful sync.
    live = catalog.catalog_dir()
    live.mkdir(parents=True)
    (live / "VERSION").write_text("26.5\n")
    (live / "apps").mkdir()

    bad_manifest = {"name": "broken"}  # invalid
    tarball_path = tmp_path / "tarball.tar.gz"
    _make_catalog_tarball(tarball_path, "26.6", apps=[("broken", bad_manifest)])
    sha = hashlib.sha256(tarball_path.read_bytes()).hexdigest()

    _stub_forgejo_release(monkeypatch, catalog, tag="26.6")
    _stub_download(
        monkeypatch,
        catalog,
        {
            "https://forgejo.test.local/t.tar.gz": tarball_path.read_bytes(),
            "https://forgejo.test.local/t.tar.gz.sha256": f"{sha}  x\n".encode(),
        },
    )

    with pytest.raises(catalog.CatalogError):
        catalog.sync_catalog()
    # The 26.5 live catalog survives the failed 26.6 sync.
    assert (live / "VERSION").read_text().strip() == "26.5"


def test_sync_catalog_lock_contention(catalog, monkeypatch):
    _stub_forgejo_release(monkeypatch, catalog, tag="26.6")

    # Hold the lock from outside; the real sync_catalog call must refuse.
    first = catalog.acquire_lock()
    try:
        with pytest.raises(catalog.CatalogError, match="already in progress"):
            catalog.sync_catalog()
    finally:
        first.close()


# --------------------------------------------------------------------------- #
# state + current-version helpers
# --------------------------------------------------------------------------- #


def test_read_current_catalog_version_absent(catalog):
    assert catalog.read_current_catalog_version() is None


def test_read_current_catalog_version_empty_file(catalog):
    catalog.catalog_dir().mkdir(parents=True)
    (catalog.catalog_dir() / "VERSION").write_text("\n")
    assert catalog.read_current_catalog_version() is None


def test_write_and_read_state_round_trip(catalog):
    catalog.write_state("downloading", latest="26.6")
    s = catalog.read_state()
    assert s["stage"] == "downloading"
    assert s["latest"] == "26.6"
    assert "updated_at" in s
feat(catalog): on-box apps catalog synced independently of core version New `furtka catalog sync` pulls the latest daniel/furtka-apps release, verifies its sha256, extracts under /var/lib/furtka/catalog/, and atomically swaps into place — so apps can ship without cutting a new Furtka core release. A daily timer (furtka-catalog-sync.timer, 10 min post-boot + 24 h with ±6 h jitter) drives the sync; /apps gets a manual "Sync apps catalog" button that kicks the same code path via a detached systemd-run unit. Layout of the new on-box tree: /var/lib/furtka/catalog/ synced catalog (survives self-updates) ├── VERSION └── apps/<name>/ ... /var/lib/furtka/catalog-state.json sync stage + last version, UI-polled /run/furtka/catalog.lock flock so timer + manual click can't race Resolver precedence (furtka/sources.py): catalog wins over the bundled seed (/opt/furtka/current/apps/, carried by the core release for offline first-boot). Installed apps under /var/lib/furtka/apps/ are never auto- swapped — user clicks Reinstall to move an existing install onto a newer catalog version; settings merge-preserved via the existing installer.install_from path. New files: - furtka/_release_common.py — shared Forgejo/tarball primitives lifted from furtka/updater.py. Both modules now import from here; updater's behaviour and public API unchanged. - furtka/catalog.py — check_catalog(), sync_catalog() with staging + manifest validation + atomic rename. Refuses bad sha256 / broken manifests and leaves the live catalog intact on any failure path. - furtka/sources.py — resolve_app_name() / list_available() abstraction used by installer.resolve_source and api._list_available. - assets/systemd/furtka-catalog-sync.{service,timer} — oneshot service + daily timer. Timer auto-enables on self-update via a one-line addition to _link_new_units (fresh installs get enabled via the webinstaller's _FURTKA_UNITS list). API + UI: - /api/bundled renamed internally to _list_available; endpoint stays as a backcompat alias; /api/apps/available is the new canonical name. Each list entry carries a `source` field ("catalog" \| "bundled"). - POST /api/catalog/sync/check + /apply + GET /api/catalog/status. - /apps page grows a catalog-status row + Sync button; poll loop mirrors the Furtka self-update flow. CLI: `furtka catalog sync [--check]` + `furtka catalog status` (both support --json). Old `furtka app install` / `reconcile` / `update` / `rollback` surfaces are unchanged. Test gate: 194/170 baseline + 24 new tests covering catalog sync (happy path, sha256 mismatch, invalid manifest, lock contention, preserves-on-failure) + resolver precedence + api renames. ruff check + format clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-20 14:16:02 +02:00			`"""Tests for the apps-catalog sync flow.`

			Same shape as ``tests/test_updater.py``: fixture reloads the module with
			`env-overridden paths, fake tarballs land in tmp_path, Forgejo API is`
			stubbed via ``urllib.request.urlopen`` monkeypatching so nothing talks
			`to the network.`

			`Asserts end-to-end atomicity: on any failure path — bad sha256, broken`
			`tarball, invalid manifest — the live catalog dir is either left`
			`untouched (if one existed) or absent (if it didn't).`
			`"""`

			`from __future__ import annotations`

			`import io`
			`import json`
			`import tarfile`
			`from pathlib import Path`

			`import pytest`


			`@pytest.fixture`
			`def catalog(tmp_path, monkeypatch):`
			`monkeypatch.setenv("FURTKA_CATALOG_DIR", str(tmp_path / "var_lib_furtka_catalog"))`
			`monkeypatch.setenv("FURTKA_CATALOG_STATE", str(tmp_path / "var_lib_furtka_catalog-state.json"))`
			`monkeypatch.setenv("FURTKA_CATALOG_LOCK", str(tmp_path / "catalog.lock"))`
			`monkeypatch.setenv("FURTKA_FORGEJO_HOST", "forgejo.test.local")`
			`monkeypatch.setenv("FURTKA_CATALOG_REPO", "daniel/furtka-apps")`

			`import importlib`

			`from furtka import catalog as c`
			`from furtka import paths as p`

			`importlib.reload(p)`
			`importlib.reload(c)`
			`return c`


			`def _manifest(name: str = "fileshare") -> dict:`
			`return {`
			`"name": name,`
			`"display_name": "Fileshare",`
			`"version": "0.1.0",`
			`"description": "Test fixture app",`
			`"volumes": ["files"],`
			`"ports": [445],`
			`"icon": "icon.svg",`
			`}`


			`def _make_catalog_tarball(`
			`path: Path,`
			`version: str,`
			`*,`
			`apps: list[tuple[str, dict]] \| None = None,`
			`extra_entries: list[tuple[str, bytes]] \| None = None,`
			`) -> None:`
			`"""Build a minimal valid catalog tarball.`

			`apps` is a list of (folder_name, manifest_dict). Each app folder gets
			a `manifest.json` + a stub `docker-compose.yaml` + `icon.svg`.
			`extra_entries` lets tests inject malformed content (path-traversal,
			`missing VERSION, ...) without rebuilding the helper.`
			`"""`
			`apps = apps if apps is not None else [("fileshare", _manifest())]`
			`buf = io.BytesIO()`
			`with tarfile.open(fileobj=buf, mode="w:gz") as tf:`
			`entries: list[tuple[str, bytes]] = [("VERSION", f"{version}\n".encode())]`
			`for folder, m in apps:`
			`entries.append((f"apps/{folder}/manifest.json", json.dumps(m).encode()))`
			`entries.append(`
			`(f"apps/{folder}/docker-compose.yaml", b"services:\n app:\n image: scratch\n")`
			`)`
			`entries.append((f"apps/{folder}/icon.svg", b"<svg/>"))`
			`if extra_entries:`
			`entries.extend(extra_entries)`
			`for name, data in entries:`
			`info = tarfile.TarInfo(name=name)`
			`info.size = len(data)`
			`tf.addfile(info, io.BytesIO(data))`
			`path.write_bytes(buf.getvalue())`


			`def _stub_forgejo_release(`
			`monkeypatch,`
			`catalog,`
			`*,`
			`tag: str,`
			`tarball_url: str = "https://forgejo.test.local/t.tar.gz",`
			`sha_url: str = "https://forgejo.test.local/t.tar.gz.sha256",`
			`releases: list \| None = None,`
			`):`
			"""Patch ``_rc.forgejo_api`` so check_catalog sees a canned release list."""
			`if releases is None:`
			`releases = [`
			`{`
			`"tag_name": tag,`
			`"assets": [`
			`{"name": f"furtka-apps-{tag}.tar.gz", "browser_download_url": tarball_url},`
			`{`
			`"name": f"furtka-apps-{tag}.tar.gz.sha256",`
			`"browser_download_url": sha_url,`
			`},`
			`],`
			`}`
			`]`

			`def fake_api(host, repo, path, *, error_cls=RuntimeError):`
			`return releases`

			`from furtka import _release_common as _rc`

			`monkeypatch.setattr(_rc, "forgejo_api", fake_api)`


			`def _stub_download(monkeypatch, catalog, mapping: dict[str, bytes]):`
			"""Patch ``_rc.download`` so sync_catalog pulls from an in-memory map."""
			`from furtka import _release_common as _rc`

			`def fake_download(url, dest, *, error_cls=RuntimeError):`
			`if url not in mapping:`
			`raise error_cls(f"test: no fake content for {url}")`
			`dest.parent.mkdir(parents=True, exist_ok=True)`
			`dest.write_bytes(mapping[url])`

			`monkeypatch.setattr(_rc, "download", fake_download)`


			`# --------------------------------------------------------------------------- #`
			`# check_catalog`
			`# --------------------------------------------------------------------------- #`


			`def test_check_catalog_reports_update_when_versions_differ(catalog, monkeypatch, tmp_path):`
			`# Pretend we already have catalog version 26.5 on disk; Forgejo reports 26.6.`
			`catalog.catalog_dir().mkdir(parents=True)`
			`(catalog.catalog_dir() / "VERSION").write_text("26.5\n")`
			`_stub_forgejo_release(monkeypatch, catalog, tag="26.6")`

			`check = catalog.check_catalog()`
			`assert check.current == "26.5"`
			`assert check.latest == "26.6"`
			`assert check.update_available is True`
			`assert check.tarball_url.endswith(".tar.gz")`
			`assert check.sha256_url.endswith(".sha256")`


			`def test_check_catalog_reports_up_to_date_when_same_version(catalog, monkeypatch):`
			`catalog.catalog_dir().mkdir(parents=True)`
			`(catalog.catalog_dir() / "VERSION").write_text("26.5\n")`
			`_stub_forgejo_release(monkeypatch, catalog, tag="26.5")`

			`check = catalog.check_catalog()`
			`assert check.current == "26.5"`
			`assert check.latest == "26.5"`
			`assert check.update_available is False`


			`def test_check_catalog_treats_missing_current_as_installable(catalog, monkeypatch):`
			`# Fresh box, no catalog ever synced — any release is an update.`
			`_stub_forgejo_release(monkeypatch, catalog, tag="26.5")`

			`check = catalog.check_catalog()`
			`assert check.current is None`
			`assert check.update_available is True`


			`def test_check_catalog_raises_when_no_releases_published(catalog, monkeypatch):`
			`_stub_forgejo_release(monkeypatch, catalog, tag="x", releases=[])`
			`with pytest.raises(catalog.CatalogError, match="no catalog releases"):`
			`catalog.check_catalog()`


			`# --------------------------------------------------------------------------- #`
			`# sync_catalog — happy + error paths`
			`# --------------------------------------------------------------------------- #`


			`def test_sync_catalog_happy_path(catalog, monkeypatch, tmp_path):`
			`import hashlib`

			`tarball_path = tmp_path / "tarball.tar.gz"`
			`_make_catalog_tarball(tarball_path, "26.6")`
			`tarball_bytes = tarball_path.read_bytes()`
			`sha = hashlib.sha256(tarball_bytes).hexdigest()`

			`_stub_forgejo_release(monkeypatch, catalog, tag="26.6")`
			`_stub_download(`
			`monkeypatch,`
			`catalog,`
			`{`
			`"https://forgejo.test.local/t.tar.gz": tarball_bytes,`
			`"https://forgejo.test.local/t.tar.gz.sha256": (`
			`f"{sha} furtka-apps-26.6.tar.gz\n".encode()`
			`),`
			`},`
			`)`

			`check = catalog.sync_catalog()`
			`assert check.latest == "26.6"`
			`assert (catalog.catalog_dir() / "VERSION").read_text().strip() == "26.6"`
			`assert (catalog.catalog_dir() / "apps" / "fileshare" / "manifest.json").is_file()`
			`state = catalog.read_state()`
			`assert state["stage"] == "done"`
			`assert state["version"] == "26.6"`


			`def test_sync_catalog_noop_when_already_current(catalog, monkeypatch, tmp_path):`
			`catalog.catalog_dir().mkdir(parents=True)`
			`(catalog.catalog_dir() / "VERSION").write_text("26.5\n")`
			`_stub_forgejo_release(monkeypatch, catalog, tag="26.5")`

			`check = catalog.sync_catalog()`
			`assert check.update_available is False`
			`assert catalog.read_state()["stage"] == "done"`


			`def test_sync_catalog_refuses_sha256_mismatch(catalog, monkeypatch, tmp_path):`
			`tarball_path = tmp_path / "tarball.tar.gz"`
			`_make_catalog_tarball(tarball_path, "26.6")`

			`_stub_forgejo_release(monkeypatch, catalog, tag="26.6")`
			`_stub_download(`
			`monkeypatch,`
			`catalog,`
			`{`
			`"https://forgejo.test.local/t.tar.gz": tarball_path.read_bytes(),`
			`# Hash for some OTHER content — will mismatch.`
			`"https://forgejo.test.local/t.tar.gz.sha256": (b"0" * 64 + b" wrong.tar.gz\n"),`
			`},`
			`)`

			`with pytest.raises(catalog.CatalogError, match="sha256 mismatch"):`
			`catalog.sync_catalog()`
			`# Live catalog never existed, must still not exist after the failed sync.`
			`assert not catalog.catalog_dir().exists()`


			`def test_sync_catalog_refuses_tarball_with_invalid_manifest(catalog, monkeypatch, tmp_path):`
			`import hashlib`

			`bad_manifest = {"name": "broken"} # missing required fields`

			`tarball_path = tmp_path / "tarball.tar.gz"`
			`_make_catalog_tarball(tarball_path, "26.6", apps=[("broken", bad_manifest)])`
			`tarball_bytes = tarball_path.read_bytes()`
			`sha = hashlib.sha256(tarball_bytes).hexdigest()`

			`_stub_forgejo_release(monkeypatch, catalog, tag="26.6")`
			`_stub_download(`
			`monkeypatch,`
			`catalog,`
			`{`
			`"https://forgejo.test.local/t.tar.gz": tarball_bytes,`
			`"https://forgejo.test.local/t.tar.gz.sha256": (`
			`f"{sha} furtka-apps-26.6.tar.gz\n".encode()`
			`),`
			`},`
			`)`

			`with pytest.raises(catalog.CatalogError, match="invalid manifest"):`
			`catalog.sync_catalog()`
			`# Staging was cleaned; live catalog never materialised.`
			`assert not catalog.catalog_dir().exists()`


			`def test_sync_catalog_preserves_existing_catalog_on_failure(catalog, monkeypatch, tmp_path):`
			`"""A failed sync must leave the previous live catalog intact so boxes`
			`keep working until the next successful sync."""`
			`import hashlib`

			`# Seed a live catalog that represents a previous successful sync.`
			`live = catalog.catalog_dir()`
			`live.mkdir(parents=True)`
			`(live / "VERSION").write_text("26.5\n")`
			`(live / "apps").mkdir()`

			`bad_manifest = {"name": "broken"} # invalid`
			`tarball_path = tmp_path / "tarball.tar.gz"`
			`_make_catalog_tarball(tarball_path, "26.6", apps=[("broken", bad_manifest)])`
			`sha = hashlib.sha256(tarball_path.read_bytes()).hexdigest()`

			`_stub_forgejo_release(monkeypatch, catalog, tag="26.6")`
			`_stub_download(`
			`monkeypatch,`
			`catalog,`
			`{`
			`"https://forgejo.test.local/t.tar.gz": tarball_path.read_bytes(),`
			`"https://forgejo.test.local/t.tar.gz.sha256": f"{sha} x\n".encode(),`
			`},`
			`)`

			`with pytest.raises(catalog.CatalogError):`
			`catalog.sync_catalog()`
			`# The 26.5 live catalog survives the failed 26.6 sync.`
			`assert (live / "VERSION").read_text().strip() == "26.5"`


			`def test_sync_catalog_lock_contention(catalog, monkeypatch):`
			`_stub_forgejo_release(monkeypatch, catalog, tag="26.6")`

			`# Hold the lock from outside; the real sync_catalog call must refuse.`
			`first = catalog.acquire_lock()`
			`try:`
			`with pytest.raises(catalog.CatalogError, match="already in progress"):`
			`catalog.sync_catalog()`
			`finally:`
			`first.close()`


			`# --------------------------------------------------------------------------- #`
			`# state + current-version helpers`
			`# --------------------------------------------------------------------------- #`


			`def test_read_current_catalog_version_absent(catalog):`
			`assert catalog.read_current_catalog_version() is None`


			`def test_read_current_catalog_version_empty_file(catalog):`
			`catalog.catalog_dir().mkdir(parents=True)`
			`(catalog.catalog_dir() / "VERSION").write_text("\n")`
			`assert catalog.read_current_catalog_version() is None`


			`def test_write_and_read_state_round_trip(catalog):`
			`catalog.write_state("downloading", latest="26.6")`
			`s = catalog.read_state()`
			`assert s["stage"] == "downloading"`
			`assert s["latest"] == "26.6"`
			`assert "updated_at" in s`