test(archsetup): expand validation coverage + fix ParallelDownloads (P4)

Add post-install checks beyond the original shell sweep, validated against a
live VM: test_hardening (sshd prohibit-password, quiet-printk sysctl, emptied
/etc/issue, console font, EFI mount perms), test_config_applied (pacman
ParallelDownloads/Color/multilib, makepkg flags, NetworkManager drop-ins,
fail2ban jail, reflector), and test_backups (the .archsetup.bak files
backup_system_file leaves behind — end-to-end proof of that feature).

The new tests caught a real bug: ParallelDownloads stayed at Arch's default 5
because the sed only matched a commented "#ParallelDownloads", but current Arch
ships it uncommented. Match both (^#?ParallelDownloads) so the intended 10 takes
effect.

Verified against a kept VM: 95 passed, 10 skipped (the one remaining failure was
the pre-fix ParallelDownloads on the already-built VM, which the sed fix
resolves on the next fresh install).

5 files changed, 140 insertions, 1 deletions

diff --git a/archsetup b/archsetup
index e677daa..ce08ad3 100755
--- a/archsetup
+++ b/archsetup
@@ -947,7 +947,9 @@ prerequisites() {
     # enable pacman concurrent downloads and color
     action="enabling concurrent downloads" && display "task" "$action"
     backup_system_file /etc/pacman.conf
-    sed -i "s/^#ParallelDownloads.*$/ParallelDownloads = 10/;s/^#Color$/Color/" /etc/pacman.conf
+    # Match a commented OR already-uncommented ParallelDownloads: current Arch
+    # ships it uncommented at 5, so a "^#"-only match silently leaves it at 5.
+    sed -i "s/^#\?ParallelDownloads.*$/ParallelDownloads = 10/;s/^#Color$/Color/" /etc/pacman.conf
 
     # enable multilib repository (required for 32-bit libraries, Steam, etc.)
     action="enabling multilib repository" && display "task" "$action"
diff --git a/scripts/testing/tests/test_backups.py b/scripts/testing/tests/test_backups.py
new file mode 100644
index 0000000..314cacc
--- /dev/null
+++ b/scripts/testing/tests/test_backups.py
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: backup_system_file ran during a real install.
+
+Expansion coverage (P4). The unit suite (tests/backup-system-file/) covers the
+helper's logic; this confirms it actually fires end-to-end — archsetup leaves a
+<file>.archsetup.bak next to each pre-existing file it edits in place.
+
+These targets are edited unconditionally on every run (pacman.conf/makepkg.conf
+always sed'd, sudoers always appended, mkinitcpio.conf HOOKS on non-ZFS), so
+their backups must exist. Conditionally-edited files (locale.gen, geoclue,
+fstab) aren't asserted here since their edits depend on the base image.
+"""
+
+import pytest
+
+
+ALWAYS_BACKED_UP = [
+    "/etc/pacman.conf",
+    "/etc/makepkg.conf",
+    "/etc/sudoers",
+    "/etc/mkinitcpio.conf",
+]
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("path", ALWAYS_BACKED_UP)
+def test_backup_created_for_edited_file(host, path):
+    bak = host.file(path + ".archsetup.bak")
+    assert bak.exists, "%s.archsetup.bak missing — backup_system_file did not fire" % path
+    assert bak.is_file
diff --git a/scripts/testing/tests/test_config_applied.py b/scripts/testing/tests/test_config_applied.py
new file mode 100644
index 0000000..00c410e
--- /dev/null
+++ b/scripts/testing/tests/test_config_applied.py
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: archsetup's in-place config edits actually took effect.
+
+Expansion coverage (P4). These assert the *content* archsetup writes, not just
+that a service is enabled — catching cases where a sed silently no-ops (e.g.
+ParallelDownloads, which current Arch ships uncommented so a "^#"-only match
+left it at 5).
+"""
+
+import pytest
+
+
+@pytest.mark.attribution("archsetup")
+def test_pacman_parallel_downloads(host):
+    line = host.run("grep -E '^ParallelDownloads' /etc/pacman.conf").stdout
+    assert "ParallelDownloads = 10" in line, "ParallelDownloads not set to 10 (got: %r)" % line
+
+
+@pytest.mark.attribution("archsetup")
+def test_pacman_color_enabled(host):
+    assert host.run("grep -qx Color /etc/pacman.conf").rc == 0
+
+
+@pytest.mark.attribution("archsetup")
+def test_pacman_multilib_enabled(host):
+    # -F: [multilib] is a literal section header, not a regex character class.
+    assert host.run("grep -Fxq '[multilib]' /etc/pacman.conf").rc == 0
+
+
+@pytest.mark.attribution("archsetup")
+def test_makepkg_parallel_make(host):
+    line = host.run("grep -E '^MAKEFLAGS' /etc/makepkg.conf").stdout
+    assert "-j" in line, "MAKEFLAGS not configured for parallel make (got: %r)" % line
+
+
+@pytest.mark.attribution("archsetup")
+def test_makepkg_options_trimmed(host):
+    opts = host.run("grep -E '^OPTIONS' /etc/makepkg.conf").stdout
+    assert "!debug" in opts and "purge" in opts, "makepkg OPTIONS not customized"
+
+
+@pytest.mark.attribution("archsetup")
+@pytest.mark.parametrize("rel", ["dns.conf", "wifi-privacy.conf"])
+def test_networkmanager_dropin(host, rel):
+    assert host.file("/etc/NetworkManager/conf.d/%s" % rel).exists
+
+
+@pytest.mark.attribution("archsetup")
+def test_fail2ban_jail_local(host):
+    assert host.file("/etc/fail2ban/jail.local").exists
+
+
+@pytest.mark.attribution("archsetup")
+def test_reflector_config(host):
+    assert host.file("/etc/xdg/reflector/reflector.conf").exists
diff --git a/scripts/testing/tests/test_hardening.py b/scripts/testing/tests/test_hardening.py
new file mode 100644
index 0000000..f12b0e6
--- /dev/null
+++ b/scripts/testing/tests/test_hardening.py
@@ -0,0 +1,50 @@
+# SPDX-License-Identifier: GPL-3.0-or-later
+"""Post-install checks: security/system hardening archsetup applies.
+
+Expansion coverage (P4) — these were not in the original shell sweep. They
+assert the system-level changes archsetup makes in place: sshd root hardening,
+quiet kernel console, an emptied /etc/issue, the console font, and the EFI
+mount permission tightening.
+"""
+
+import pytest
+
+
+@pytest.mark.smoke
+@pytest.mark.attribution("archsetup")
+def test_sshd_root_prohibit_password(host):
+    conf = host.file("/etc/ssh/sshd_config.d/10-hardening.conf")
+    assert conf.exists, "sshd hardening drop-in missing"
+    assert "PermitRootLogin prohibit-password" in conf.content_string
+
+
+@pytest.mark.attribution("archsetup")
+def test_quiet_printk_sysctl(host):
+    conf = host.file("/etc/sysctl.d/20-quiet-printk.conf")
+    assert conf.exists
+    assert "kernel.printk" in conf.content_string
+
+
+@pytest.mark.attribution("archsetup")
+def test_issue_emptied(host):
+    # archsetup truncates /etc/issue to drop the distro/date banner.
+    assert host.file("/etc/issue").size == 0
+
+
+@pytest.mark.attribution("archsetup")
+def test_console_font_configured(host):
+    assert "ter-132n" in host.file("/etc/vconsole.conf").content_string
+
+
+@pytest.mark.attribution("archsetup")
+def test_efi_mount_permissions_tightened(host):
+    # archsetup adds fmask/dmask to the /efi vfat line so it isn't world-readable.
+    fstab = host.file("/etc/fstab").content_string
+    efi_lines = [
+        ln for ln in fstab.splitlines()
+        if ln.strip() and not ln.lstrip().startswith("#")
+        and " /efi " in ln and " vfat " in ln
+    ]
+    if not efi_lines:
+        pytest.skip("no /efi vfat line in fstab")
+    assert all("fmask=" in ln for ln in efi_lines), "/efi mount not permission-tightened"
diff --git a/todo.org b/todo.org
index 8329094..b0235d2 100644
--- a/todo.org
+++ b/todo.org
@@ -544,6 +544,8 @@ Built the Testinfra harness skeleton: =scripts/testing/tests/= (conftest.py with
 Ported the whole shell sweep to pytest: test_users (exists/shell/15 groups parametrized), test_packages (yay+functional, pacman, terminus-font, emacs+config readable, git, 5 dev tools), test_services (required enabled/active, enabled-only, timers, optional skip-if-absent, DoT drop-in, fail2ban/nmcli responds, log-cleanup cron, syncthing lingering, DNS/mDNS/docker skips), test_desktop (Hyprland tools+configs+portal+socket gated on install/compositor, DWM suckless, autologin), test_boot (grub, mkinitcpio hooks branched on zfs_root, console-font-in-initramfs, nvme gated, zfs/sanoid), test_keyring (dir 700/owner/default=login), test_archsetup (log no Error:, ≥12 state markers). conftest fixtures: target_user/home/zfs_root/has_nvme/hyprland_installed/dwm_installed/compositor_running/on_slirp. 88 tests collected, py_compile clean. Correctness fix vs the shell sweep: check =awww= not the stale =swww=. Installed python-pytest-testinfra on velox so the harness gate passes. Next: VM run to diff pytest vs shell sweep for parity.
 *** 2026-06-25 Thu @ 01:24:11 -0400 Fixed: sshd hardening had silently broken =make test=
 VM run #1 aborted ~6 min in (Error 5), before any validation ran. Root cause (pre-existing, not the Testinfra work): the 2026-06-24 sshd hardening sets =PermitRootLogin prohibit-password= + reloads sshd mid-install, and the harness SSHes as root by *password* throughout — so every op after that step got "Permission denied" and run-test.sh fataled before validations. Fix: =inject_root_key= authorizes a throwaway root key right after first SSH (before archsetup runs) and all helpers (=wait_for_ssh=/=vm_exec=/=copy_to_vm=/=copy_from_vm=/=ssh_cmd=) gained =$SSH_KEY_OPT= so they use key auth, which =prohibit-password= still allows. testinfra.sh reuses that key. Additive (password stays as fallback). bash -n + shellcheck clean. Re-running the VM suite to confirm it now reaches the validation + pytest phases.
+*** 2026-06-25 Thu @ 03:33:33 -0400 Parity proven + P4 expansion validated on a live VM
+VM run #3 (=make test-keep=, kept VM up): pytest parity = 78 passed / 10 skipped / 0 fail / 0 err — matches & exceeds the shell sweep (53/0/0). Then built P4 expansion against the live VM (iterating in ~30s, no rebuild): test_hardening (sshd prohibit-password, sysctl printk, /etc/issue emptied, vconsole font, /efi fmask), test_config_applied (pacman ParallelDownloads/Color/multilib, makepkg MAKEFLAGS/OPTIONS, NM dns+wifi-privacy drop-ins, fail2ban jail, reflector), test_backups (=.archsetup.bak= present for pacman.conf/makepkg.conf/sudoers/mkinitcpio.conf — end-to-end proof of the backup feature). Full suite vs live VM: 95 passed / 10 skipped / 1 fail. The 1 fail = a REAL archsetup bug the tests caught: =ParallelDownloads= stayed at the Arch default 5 because the sed only matched a commented =#ParallelDownloads=, but current Arch ships it uncommented — fixed the sed to match both (=^#\?ParallelDownloads=). Also fixed a test bug (=grep -qx '[multilib]'= → =grep -Fxq=, the brackets were a regex char class). Remaining: P3 cutover (pytest authoritative) + P5 retire shell sweep, then a final fresh =make test=.
 Create comprehensive integration tests using Testinfra (Python + pytest) to validate archsetup installations
 
 Tests should cover: