fix(cli): set-pin emits PBKDF2 under [security] pin_hash (issue #2)

Was: HMAC-SHA256(random, pin) written to [system] arm_pin_hash — no verifier in the codebase accepted this output. Now: PBKDF2-SHA256 via alerts.pin.hash_pin written to [security] pin_hash, matching what the web and FSM paths verify against. Also fixes show_cmd to redact the new location.
2026-04-05 11:37:59 -04:00
parent 54ad58c870
commit c2976876ed
2 changed files with 38 additions and 11 deletions
--- a/tests/unit/test_cli_set_pin.py
+++ b/tests/unit/test_cli_set_pin.py
@@ -0,0 +1,31 @@
+"""Tests for `vigilar config set-pin`."""
+
+from click.testing import CliRunner
+
+from vigilar.alerts.pin import verify_pin
+from vigilar.cli.cmd_config import config_cmd
+
+
+def test_set_pin_outputs_pbkdf2_hash_under_security_section():
+    """The CLI must emit a hash that alerts.pin.verify_pin can validate,
+    and direct the user to [security] pin_hash (not [system] arm_pin_hash)."""
+    runner = CliRunner()
+    result = runner.invoke(config_cmd, ["set-pin"], input="1234\n1234\n")
+
+    assert result.exit_code == 0, result.output
+    # The output must direct the user to the [security] section
+    assert "[security]" in result.output
+    assert "arm_pin_hash" not in result.output
+    assert "pin_hash" in result.output
+
+    # Extract the emitted hash (line starts with `pin_hash = "..."`)
+    hash_line = next(
+        line for line in result.output.splitlines() if line.strip().startswith("pin_hash")
+    )
+    hash_value = hash_line.split('"')[1]
+
+    # Round-trip: the emitted hash must accept the plaintext PIN
+    assert verify_pin("1234", hash_value) is True
+    assert verify_pin("0000", hash_value) is False
+    # And it must be in PBKDF2 format (not the legacy HMAC "secret:mac" format)
+    assert hash_value.startswith("pbkdf2_sha256$")