From d812ad92deec9feccec1904d653bca56846f66cd Mon Sep 17 00:00:00 2001
From: Claude <developers@lethean.io>
Date: Thu, 2 Apr 2026 12:12:22 +0100
Subject: [PATCH] ax(node): add Bad and Ugly test categories for
 TestIdentity_NodeManager

AX Principle 10 requires all three categories (Good, Bad, Ugly) per test
group. identity_test.go had TestIdentity_NodeManager_Good with no Bad or
Ugly counterparts. Adds error-path tests for non-writable paths and
uninitialised identity, plus edge cases for double-generation and
delete-before-generate.

Co-Authored-By: Charon <charon@lethean.io>
---
 pkg/node/identity_test.go | 55 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/pkg/node/identity_test.go b/pkg/node/identity_test.go
index 3386149..5d9ba92 100644
--- a/pkg/node/identity_test.go
+++ b/pkg/node/identity_test.go
@@ -198,6 +198,61 @@ func TestIdentity_NodeManager_Good(t *testing.T) {
 	})
 }
 
+func TestIdentity_NodeManager_Bad(t *testing.T) {
+	t.Run("GenerateIdentityOnNonWritablePath", func(t *testing.T) {
+		manager, err := NewNodeManagerWithPaths("/dev/null/private.key", "/dev/null/node.json")
+		if err != nil {
+			// Some systems reject the path at construction — both outcomes are acceptable
+			return
+		}
+		err = manager.GenerateIdentity("bad-node", RoleDual)
+		if err == nil {
+			t.Error("expected error when key path is non-writable")
+		}
+	})
+
+	t.Run("DeriveSharedSecretWithoutIdentity", func(t *testing.T) {
+		manager, err := NewNodeManagerWithPaths(t.TempDir()+"/key", t.TempDir()+"/cfg.json")
+		if err != nil {
+			t.Fatalf("failed to create node manager: %v", err)
+		}
+		_, err = manager.DeriveSharedSecret("dGVzdA==") // base64 "test"
+		if err == nil {
+			t.Error("expected error when identity not initialized")
+		}
+	})
+}
+
+func TestIdentity_NodeManager_Ugly(t *testing.T) {
+	t.Run("GenerateIdentityTwice", func(t *testing.T) {
+		manager, cleanup := setupTestNodeManager(t)
+		defer cleanup()
+
+		if err := manager.GenerateIdentity("first", RoleDual); err != nil {
+			t.Fatalf("first GenerateIdentity failed: %v", err)
+		}
+		firstID := manager.GetIdentity().ID
+
+		// Generating a second identity overwrites the first
+		if err := manager.GenerateIdentity("second", RoleWorker); err != nil {
+			t.Fatalf("second GenerateIdentity failed: %v", err)
+		}
+		secondID := manager.GetIdentity().ID
+
+		if firstID == secondID {
+			t.Error("expected a different ID after regenerating identity")
+		}
+	})
+
+	t.Run("DeleteNonExistentIdentity", func(t *testing.T) {
+		manager, cleanup := setupTestNodeManager(t)
+		defer cleanup()
+
+		// Delete without ever generating — must not panic
+		_ = manager.Delete()
+	})
+}
+
 func TestIdentity_NodeRoles_Good(t *testing.T) {
 	tests := []struct {
 		role     NodeRole