fix(tests): isolate cloud-sync HOME so dev ~/.gradata/key doesn't leak (closes #216)

[Gradata]

Summary

Closes #216.

CloudClient.enabled falls through to _resolved_credential(), which reads ~/.gradata/key. The TestCloudClient fixtures didn't isolate HOME, so on any dev machine that had run gradata cloud enable, the real keyfile leaked into the test and two 'should-be-disabled' assertions failed:

• TestCloudClient::test_client_disabled_by_default
• TestCloudClient::test_client_disabled_without_token

This PR adds an autouse fixture on TestCloudClient that:

1. Points HOME at a per-test tmp dir
2. Drops GRADATA_API_KEY from the env
3. Redirects the module-level KEYFILE_DIR / KEYFILE_PATH in gradata.cloud._credentials (those are captured at import time via Path.home(), so HOME alone isn't sufficient)

Test plan

• pytest tests/test_cloud_sync.py on a dev box with a populated ~/.gradata/key → 21 passed (was 19 passed / 2 failed).
• Tests that need enabled=True still pass because they set an explicit CloudConfig.token, which short-circuits the keyfile lookup before _resolved_credential() is consulted.
• No CI regression risk: CI doesn't have ~/.gradata/key, so it already passed; behavior unchanged there.

Layering check

No layering impact — test-only change. No new imports into src/gradata/.

Risk

None. Test-isolation fix only. No production code touched.

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a1bdb8f2-58df-4447-b99e-d53a9468e926

📥 Commits

Reviewing files that changed from the base of the PR and between 2914efb and 63ad5ec.

📒 Files selected for processing (1)

• Gradata/tests/test_cloud_sync.py

📜 Recent review details

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: pytest windows-latest / py3.11
• GitHub Check: pytest ubuntu-latest / py3.12
• GitHub Check: pytest windows-latest / py3.12
• GitHub Check: pytest ubuntu-latest / py3.11

🧰 Additional context used

📓 Path-based instructions (1)

Gradata/tests/**/*.py

📄 CodeRabbit inference engine (Gradata/AGENTS.md)

Gradata/tests/**/*.py: Set BRAIN_DIR environment variable via tmp_path in conftest.py for test isolation — ensure _paths.py module cache refreshes when calling Brain.init() directly inside tests
Add unit tests in tests/test_*.py for every CI push without LLM calls (deterministic); mark integration tests with @pytest.mark.integration and skip them by default (they hit real LLM APIs)

Files:

• Gradata/tests/test_cloud_sync.py

🔇 Additional comments (2)

Gradata/tests/test_cloud_sync.py (2)

9-9: LGTM!

---

103-125: ⚡ Quick win

No issues found. The attributes _credentials.KEYFILE_DIR and _credentials.KEYFILE_PATH are properly defined as module-level variables at Gradata/src/gradata/cloud/_credentials.py lines 28-29 and can be safely monkeypatched as the fixture intends.

---

📝 Walkthrough

• Test isolation fix: Added autouse fixture to TestCloudClient that isolates credential resolution by redirecting HOME and keyfile paths to temporary directories per test
• Environment cleanup: Fixture removes GRADATA_API_KEY from environment variables to prevent test leakage
• Resolves test failures: Fixes two failing tests (test_client_disabled_by_default, test_client_disabled_without_token) caused by reading developer's real ~/.gradata/key
• Test-only change: No production code modifications
• No breaking changes or new public APIs

Walkthrough

The PR adds credential isolation to the test module by importing pytest and introducing an autouse fixture on TestCloudClient that monkeypatches credential keyfile paths and environment variables to redirect them to a temporary directory, preventing tests from reading real local credentials.

Changes

Credential isolation fixture

Layer / File(s)	Summary
Credential isolation fixture Gradata/tests/test_cloud_sync.py	Adds pytest import and introduces an autouse fixture that monkeypatches credential keyfile directory/path constants and environment variables to prevent test pollution from real local credentials.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related issues

• bug: test_cloud_sync tests leak HOME — fail in dev when ~/.gradata/key exists #216: Directly related; both changes target the same file and add the same autouse fixture to monkeypatch credential paths and prevent reading ~/.gradata/key during tests.

Suggested labels

bug

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically summarizes the main change: isolating cloud-sync HOME to prevent real developer credentials from leaking into tests.
Description check	✅ Passed	The description is directly related to the changeset, providing detailed context about the test isolation issue, the fix implemented, test results, and risk assessment.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cloud-sync-test-isolation-gh-216

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 OpenGrep (1.21.0)

OpenGrep fatal error (exit code 2):
┌──────────────┐
│ Opengrep CLI │
└──────────────┘

�[32m✔�[39m �[1mOpengrep OSS�[0m
�[32m✔�[39m Basic security coverage for first-party code vulnerabilities.

�[1m Loading rules from local config...�[0m
[00.18][ERROR]: Error: exception Glob.Lexer.Syntax_error("malformed glob pattern: missing ']'")
Raised at Glob__Lexer.syntax_error in file "libs/glob/Lexer.mll", line 8, characters 2-26
Called from Glob__Lexer.__ocaml_lex_token_rec in file "libs/glob/Lexer.mll", line 29, characters 26-53
Cal

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}