Module testkit 

Spin a real embedded Koi in a known posture for tests — no Docker (ADR-020 §13).

Shipped as a normal module (not a cfg(feature) — the additive-feature trap): a consumer’s integration tests get real-daemon fidelity by depending only on koi-embedded. open yields an Open node (no identity); secured yields an Authenticated node (a CA is created so it holds a real leaf).

The “same code, both postures” acceptance gate (ADR-020 §2)

The mode-transparency contract is: one consumer code path must work whether or not the node has an identity. The gate is simply to run that path against both:

use koi_embedded::testkit;
for node in [testkit::open().await, testkit::secured().await] {
    let cm = node.certmesh().unwrap();
    let env = cm.sign(b"hello").await.unwrap();          // identical in both
    assert!(!cm.verify(&env).await.unwrap().is_rejected());
    node.shutdown().await;
}

If the body ever needs if secure { … } else { … }, a primitive is missing or wrong — that is exactly what this gate catches.

Note: testkit nodes run with mDNS off (no multicast in CI); they exercise the trust primitives (sign/verify, seal/open, posture, diagnose), not LAN discovery.

Structs

TestNode

A running embedded Koi node for a test, with its data dir cleaned up on shutdown. Derefs to KoiHandle, so call any handle method (certmesh(), mdns(), …) directly on it.

Functions

open

An Open node — certmesh enabled but no CA, so it holds no identity. sign produces a freshness-stamped passthrough; posture() is Open.

secured

A secured (Authenticated) node — a CA is created so the node self-enrolls a real leaf. sign produces an ES256-signed envelope; posture() is Authenticated. The CA is created with auto_unlock: false (no vault write).