feat(plugin): Phase 2 partial — vault_status migrated + brand skin moved + eval suite (P2.B/C, P3.A/B)

Lands the easy migrations + the automation skeleton. STT migration deferred
to Phase 2.1 (it touches the streaming engine + bootstrap JS — needs a new
streaming_hook public-API method OR forced-internal CONNECTION-MAP entries).

Migrated to plugin:
  routes/vault_status.py    GET /api/vault/status (from fork commit 3e2c74f3)
  static/{app.js,app.css,fonts/}  brand skin (from hermes-ext/)

Plugin auto-loaded by hermes-webui when HERMES_WEBUI_PYTHON_PLUGIN is set;
register_static + inject_stylesheet + inject_script wire the URL contract at
/plugins/svrnty/{app.css,app.js} per protocol §14 (Q5).

Automation skeleton:
  Makefile                          one-liner targets: test · map · sync-upstream · smoke
  scripts/boot-smoke.py             start upstream+plugin, curl every endpoint
  scripts/upstream-sync.py          fetch tags + run matrix + JSON report
  tests/evals/test_features.py      4 evals (loader contract · vault payload · brand URL contract · forced-internal=0)
  tests/unit/test_brand_skin.py     4 asset-presence + wiring tests
  tests/unit/test_vault_status.py   3 handler tests (register, success, error)

CONNECTION-MAP.md: 0 forced-internal dependencies; plugin uses only public API.
AST script timestamp removed so map-check is deterministic.

Tests: 11/11 PASS (4 evals + 7 unit). Integration tests deferred until
boot-smoke runs against a live hermes-webui (Phase 2.D + 2.E gate).

Deferred to next session:
  P2.A  STT migration (needs streaming_hook design — see routes/transcribe.py)
  P2.D  Revert 4 fork feature commits — needs STT migration first
  P2.E  Archive hermes-ext repo — gated on P2.D
  P2.F  Live boot smoke against real webui

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tests/evals/test_features.py

@@ -0,0 +1,82 @@
+"""Eval suite v1 — one assertion per migrated feature.
+
+These run on upstream-sync against new upstream tags. They verify the plugin
+contract still holds after upstream changes. Minimal by design (per protocol
+decision Q3): catch gross breakage, evolve as issues surface.
+"""
+from pathlib import Path
+
+ROOT = Path(__file__).resolve().parents[2]
+
+
+def test_eval_loader_contract_unchanged():
+    """The 6-method public API is the protocol contract — adding methods needs a PRD bump."""
+    import sys
+    sys.path.insert(0, str(ROOT.parent / "hermes-webui"))
+    try:
+        from api.svrnty_plugin_loader import _PluginAPI
+    except ImportError:
+        # If hermes-webui not next to the plugin, skip — integration env.
+        import pytest
+        pytest.skip("hermes-webui fork not adjacent; loader contract eval skipped")
+    api = _PluginAPI()
+    required = {"register_route", "register_static", "inject_script",
+                "inject_stylesheet", "config_get", "logger"}
+    actual = {m for m in dir(api) if not m.startswith("_")}
+    assert required == actual, (
+        f"public API drift: expected {required}, got {actual}. "
+        f"Adding methods requires a Protocol PRD amendment."
+    )
+
+
+def test_eval_vault_status_payload_shape():
+    """Vault status returns {'secrets': [{'name': ...}, ...]} — schema lock."""
+    import json
+    from unittest.mock import MagicMock, patch
+    from routes import vault_status
+
+    class _H:
+        def __init__(self):
+            self.body = b""
+            self.headers = {}
+
+        def send_response(self, c): pass
+        def send_header(self, k, v): self.headers[k] = v
+        def end_headers(self): pass
+
+        @property
+        def wfile(self):
+            h = self
+            class _W:
+                def write(self_, b): h.body += b
+            return _W()
+
+    with patch("routes.vault_status.subprocess.run") as run:
+        run.return_value = MagicMock(stdout="a\nb\n", returncode=0)
+        h = _H()
+        vault_status._handle_vault_status(h, None)
+
+    payload = json.loads(h.body)
+    assert "secrets" in payload
+    assert all("name" in s for s in payload["secrets"])
+    assert payload["secrets"][0]["name"] == "a"
+
+
+def test_eval_brand_skin_url_contract():
+    """Brand skin URLs MUST be /plugins/svrnty/<asset> per protocol §14 (Q5)."""
+    from unittest.mock import MagicMock
+    import plugin
+    api = MagicMock()
+    api.logger.return_value = MagicMock()
+    plugin.register(api)
+    api.inject_stylesheet.assert_any_call("/plugins/svrnty/app.css")
+    api.inject_script.assert_any_call("/plugins/svrnty/app.js")
+
+
+def test_eval_connection_map_has_no_forced_internals():
+    """If forced-internal section grows, audit + amend protocol API (Rule 2)."""
+    cm = (ROOT / "CONNECTION-MAP.md").read_text()
+    # Look for the "None. Plugin uses only the public API." sentinel.
+    assert "Plugin uses only the public API" in cm or "0 forced internal" in cm, (
+        "Forced internal dependencies detected — review CONNECTION-MAP.md"
+    )

tests/unit/test_brand_skin.py

@@ -0,0 +1,30 @@
+"""Assert the brand-skin assets are present + wired (P3.B, minimal feature test)."""
+from pathlib import Path
+
+ROOT = Path(__file__).resolve().parents[2]
+STATIC = ROOT / "static"
+
+
+def test_brand_css_present():
+    assert (STATIC / "app.css").is_file()
+
+
+def test_brand_js_present():
+    assert (STATIC / "app.js").is_file()
+
+
+def test_montserrat_fonts_present():
+    fonts = list((STATIC / "fonts").glob("montserrat-*.woff2"))
+    assert len(fonts) >= 4, f"expected ≥4 Montserrat weights, got {len(fonts)}"
+
+
+def test_plugin_registers_static_and_injects_assets():
+    """plugin.register() must call register_static + inject_stylesheet + inject_script."""
+    from unittest.mock import MagicMock
+    import plugin as plg
+    api = MagicMock()
+    api.logger.return_value = MagicMock()
+    plg.register(api)
+    api.register_static.assert_called()
+    api.inject_stylesheet.assert_called_with("/plugins/svrnty/app.css")
+    api.inject_script.assert_called_with("/plugins/svrnty/app.js")

tests/unit/test_vault_status.py

@@ -0,0 +1,69 @@
+"""Unit tests for routes/vault_status.py — minimal one-test-per-feature (P3.B).
+
+These tests confirm the handler shape + payload contract independently of a
+running hermes-webui. Integration tests against a real webui live in
+tests/integration/.
+"""
+import json
+from unittest.mock import MagicMock, patch
+
+from routes import vault_status
+
+
+class _FakeHandler:
+    """Minimal stand-in for the http.server handler the route receives."""
+    def __init__(self):
+        self.status = None
+        self.headers = {}
+        self.body = b""
+
+    def send_response(self, code):
+        self.status = code
+
+    def send_header(self, k, v):
+        self.headers[k] = v
+
+    def end_headers(self):
+        pass
+
+    @property
+    def wfile(self):
+        outer = self
+
+        class _W:
+            def write(self_inner, b):
+                outer.body += b
+        return _W()
+
+
+def test_register_wires_one_route():
+    """register() calls api.register_route exactly once for /api/vault/status."""
+    api = MagicMock()
+    vault_status.register(api)
+    api.register_route.assert_called_once()
+    args = api.register_route.call_args[0]
+    assert args[0] == "/api/vault/status"
+    assert args[1] == "GET"
+
+
+def test_handler_returns_secrets_array_on_credctl_success():
+    """credctl list output → JSON {'secrets': [{'name': X}, ...]}."""
+    sample = "gitea\nmailchimp\nwoocommerce\n"
+    with patch("routes.vault_status.subprocess.run") as run:
+        run.return_value = MagicMock(stdout=sample, returncode=0)
+        h = _FakeHandler()
+        vault_status._handle_vault_status(h, None)
+    assert h.status == 200
+    payload = json.loads(h.body.decode())
+    names = {s["name"] for s in payload["secrets"]}
+    assert names == {"gitea", "mailchimp", "woocommerce"}
+
+
+def test_handler_returns_empty_list_on_credctl_failure():
+    """credctl missing or erroring → empty list, never raises."""
+    with patch("routes.vault_status.subprocess.run", side_effect=FileNotFoundError):
+        h = _FakeHandler()
+        vault_status._handle_vault_status(h, None)
+    assert h.status == 200
+    payload = json.loads(h.body.decode())
+    assert payload == {"secrets": []}