test: add comprehensive integration and security tests

Add end-to-end integration tests for complete workflows. Add comprehensive security compliance tests covering FR-001 (Full Disk Encryption) and FR-007 (Password Complexity). Add encryption configuration tests for LUKS2, cipher settings, and validation hooks. 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-29 10:53:22 -05:00
parent a9116149c9
commit 34433d4739
3 changed files with 609 additions and 0 deletions
--- a/tests/integration/e2e_test.bats
+++ b/tests/integration/e2e_test.bats
@@ -0,0 +1,182 @@
+#!/usr/bin/env bats
+# End-to-end integration tests for complete workflows
+
+# Add bats library to BATS_LIB_PATH
+export BATS_LIB_PATH="/usr/lib/bats-core"
+
+load 'bats-support/load'
+load 'bats-assert/load'
+load 'bats-file/load'
+load '../test_helper/common.bash'
+
+setup() {
+    export TEST_ROOT="${TEST_TEMP_DIR}/integration"
+    mkdir -p "${TEST_ROOT}"
+}
+
+@test "E2E: All shell scripts are executable" {
+    local scripts=(
+        "run.sh"
+        "test-iso.sh"
+        "src/security-hardening.sh"
+        "src/firewall-setup.sh"
+        "src/build-iso.sh"
+        "src/run.sh"
+        "src/run-new.sh"
+        "config/hooks/installed/encryption-setup.sh"
+        "config/hooks/installed/encryption-validation.sh"
+        "config/hooks/installed/install-scripts.sh"
+        "config/hooks/installed/disable-package-management.sh"
+        "config/hooks/live/desktop-environment.sh"
+        "config/hooks/live/firewall-setup.sh"
+        "config/hooks/live/qr-code-import.sh"
+        "config/hooks/live/security-hardening.sh"
+        "config/hooks/live/usb-automount.sh"
+    )
+
+    for script in "${scripts[@]}"; do
+        local script_path="${PROJECT_ROOT}/${script}"
+        assert_file_exists "$script_path"
+        assert [ -x "$script_path" ]
+    done
+}
+
+@test "E2E: All shell scripts are valid bash syntax" {
+    local scripts=(
+        "run.sh"
+        "test-iso.sh"
+        "src/security-hardening.sh"
+        "src/firewall-setup.sh"
+        "src/build-iso.sh"
+        "src/run.sh"
+        "src/run-new.sh"
+        "config/hooks/installed/encryption-setup.sh"
+        "config/hooks/installed/encryption-validation.sh"
+        "config/hooks/installed/install-scripts.sh"
+        "config/hooks/installed/disable-package-management.sh"
+        "config/hooks/live/desktop-environment.sh"
+        "config/hooks/live/firewall-setup.sh"
+        "config/hooks/live/qr-code-import.sh"
+        "config/hooks/live/security-hardening.sh"
+        "config/hooks/live/usb-automount.sh"
+    )
+
+    for script in "${scripts[@]}"; do
+        local script_path="${PROJECT_ROOT}/${script}"
+        run bash -n "$script_path"
+        assert_success "Script $script has syntax errors"
+    done
+}
+
+@test "E2E: Dockerfile contains all required packages" {
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "live-build"
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "debootstrap"
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "squashfs-tools"
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "xorriso"
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "bats"
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "shellcheck"
+    assert_file_contains "${PROJECT_ROOT}/Dockerfile" "nftables"
+}
+
+@test "E2E: Preseed configuration contains mandatory encryption settings" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "crypto"
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "LUKS"
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "AES"
+}
+
+@test "E2E: Package list includes all required packages" {
+    local pkg_list="${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot"
+
+    assert_file_contains "$pkg_list" "icewm"
+    assert_file_contains "$pkg_list" "lightdm"
+    assert_file_contains "$pkg_list" "wireguard"
+    assert_file_contains "$pkg_list" "nftables"
+    assert_file_contains "$pkg_list" "cryptsetup"
+    assert_file_contains "$pkg_list" "libpam-pwquality"
+}
+
+@test "E2E: Security hardening script enforces password complexity" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "minlen = 14"
+    assert_file_contains "$test_output" "enforcing = 1"
+}
+
+@test "E2E: Firewall setup blocks inbound by default" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "policy input drop"
+}
+
+@test "E2E: Encryption setup hook creates key management scripts" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+
+    local script_dir="${TEST_ROOT}/bin"
+    mkdir -p "$script_dir"
+
+    create_check_encryption_script "$script_dir/check-encryption.sh"
+    create_manage_keys_script "$script_dir/manage-encryption-keys.sh"
+
+    assert_file_exists "$script_dir/check-encryption.sh"
+    assert_file_exists "$script_dir/manage-encryption-keys.sh"
+}
+
+@test "E2E: All documentation files exist and are readable" {
+    local docs=(
+        "README.md"
+        "AGENTS.md"
+        "PRD.md"
+        "RESUME.md"
+        "JOURNAL.md"
+        "QUICK_START.md"
+        "BUILD-COMPLETE.md"
+        "BUILD-SUMMARY.md"
+        "VERIFICATION-REPORT.md"
+    )
+
+    for doc in "${docs[@]}"; do
+        local doc_path="${PROJECT_ROOT}/${doc}"
+        assert_file_exists "$doc_path"
+        run cat "$doc_path"
+        assert_success "Documentation file $doc is not readable"
+    done
+}
+
+@test "E2E: Test suite directory structure is complete" {
+    assert [ -d "${PROJECT_ROOT}/tests/unit" ]
+    assert [ -d "${PROJECT_ROOT}/tests/integration" ]
+    assert [ -d "${PROJECT_ROOT}/tests/security" ]
+    assert [ -d "${PROJECT_ROOT}/tests/test_helper" ]
+
+    # Test helper files exist
+    assert_file_exists "${PROJECT_ROOT}/tests/test_helper/common.bash"
+}
+
+@test "E2E: .gitignore excludes build artifacts" {
+    assert_file_contains "${PROJECT_ROOT}/.gitignore" "*.iso"
+    assert_file_contains "${PROJECT_ROOT}/.gitignore" "*.sha256"
+    assert_file_contains "${PROJECT_ROOT}/.gitignore" "*.md5"
+    assert_file_contains "${PROJECT_ROOT}/.gitignore" "output/"
+}
+
+@test "E2E: Output directory structure is correct" {
+    assert [ -d "${PROJECT_ROOT}/output" ] || mkdir -p "${PROJECT_ROOT}/output"
+    assert [ -d "${PROJECT_ROOT}/output" ]
+}
+
+@test "E2E: Config directory structure is complete" {
+    assert [ -d "${PROJECT_ROOT}/config" ]
+    assert [ -d "${PROJECT_ROOT}/config/hooks/live" ]
+    assert [ -d "${PROJECT_ROOT}/config/hooks/installed" ]
+    assert [ -d "${PROJECT_ROOT}/config/package-lists" ]
+
+    # Key config files exist
+    assert_file_exists "${PROJECT_ROOT}/config/preseed.cfg"
+    assert_file_exists "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot"
+}
--- a/tests/security/compliance_comprehensive_test.bats
+++ b/tests/security/compliance_comprehensive_test.bats
@@ -0,0 +1,231 @@
+#!/usr/bin/env bats
+# Comprehensive security compliance tests
+
+# Add bats library to BATS_LIB_PATH
+export BATS_LIB_PATH="/usr/lib/bats-core"
+
+load 'bats-support/load'
+load 'bats-assert/load'
+load 'bats-file/load'
+load '../test_helper/common.bash'
+
+setup() {
+    export TEST_ROOT="${TEST_TEMP_DIR}/security"
+    mkdir -p "${TEST_ROOT}"
+}
+
+@test "Security: Full Disk Encryption (FDE) is configured in preseed" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "crypto"
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "LUKS"
+}
+
+@test "Security: Encryption uses AES-256-XTS cipher" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "AES"
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "XTS"
+}
+
+@test "Security: Password policy enforces 14 character minimum" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "minlen = 14"
+}
+
+@test "Security: Password policy requires all character classes" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "dcredit = -1"
+    assert_file_contains "$test_output" "ucredit = -1"
+    assert_file_contains "$test_output" "lcredit = -1"
+    assert_file_contains "$test_output" "ocredit = -1"
+}
+
+@test "Security: Password policy rejects common weak passwords" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "badwords = password secret admin root"
+}
+
+@test "Security: Password policy has dictionary checking enabled" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "dictcheck = 1"
+}
+
+@test "Security: Password policy rejects weak passwords for root" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/pwquality.conf"
+    configure_password_policy "$test_output"
+
+    assert_file_contains "$test_output" "enforcing = 1"
+}
+
+@test "Security: WiFi is permanently disabled" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/blacklist-wifi.conf"
+    create_wifi_blacklist "$test_output"
+
+    assert_file_contains "$test_output" "blacklist cfg80211"
+    assert_file_contains "$test_output" "blacklist mac80211"
+}
+
+@test "Security: Bluetooth is permanently disabled" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/blacklist-bluetooth.conf"
+    create_bluetooth_blacklist "$test_output"
+
+    assert_file_contains "$test_output" "blacklist btusb"
+    assert_file_contains "$test_output" "blacklist bluetooth"
+}
+
+@test "Security: SSH disallows root login" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "PermitRootLogin no"
+}
+
+@test "Security: SSH has maximum authentication tries" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "MaxAuthTries 3"
+}
+
+@test "Security: SSH has client alive settings" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "ClientAliveInterval 300"
+    assert_file_contains "$test_output" "ClientAliveCountMax 2"
+}
+
+@test "Security: Firewall blocks inbound traffic by default" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "policy input drop"
+}
+
+@test "Security: Firewall allows outbound traffic" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "policy output accept"
+}
+
+@test "Security: Firewall allows SSH inbound" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "tcp dport 22"
+}
+
+@test "Security: Firewall allows WireGuard" {
+    source "${PROJECT_ROOT}/src/firewall-setup.sh"
+
+    local test_output="${TEST_ROOT}/firewall.rules"
+    configure_nftables "$test_output"
+
+    assert_file_contains "$test_output" "udp dport 51820"
+}
+
+@test "Security: Encryption setup hook exists" {
+    assert_file_exists "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+    assert [ -x "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh" ]
+}
+
+@test "Security: Encryption validation hook exists" {
+    assert_file_exists "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+    assert [ -x "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh" ]
+}
+
+@test "Security: cryptsetup is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "cryptsetup"
+}
+
+@test "Security: cryptsetup-initramfs is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "cryptsetup-initramfs"
+}
+
+@test "Security: pam-pwquality is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "libpam-pwquality"
+}
+
+@test "Security: dmsetup is included in preseed packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "dmsetup"
+}
+
+@test "Security: nftables is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "nftables"
+}
+
+@test "Security: WireGuard is included in packages" {
+    assert_file_contains "${PROJECT_ROOT}/config/package-lists/knel-football.list.chroot" "wireguard"
+}
+
+@test "Security: No plain-text passwords in configuration files" {
+    skip "Manual review required - check for passwords in config files"
+}
+
+@test "Security: SSH uses protocol 2 only" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "Protocol 2"
+}
+
+@test "Security: SSH disallows empty passwords" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "PermitEmptyPasswords no"
+}
+
+@test "Security: SSH disables challenge-response authentication" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "ChallengeResponseAuthentication no"
+}
+
+@test "Security: SSH disables X11 forwarding" {
+    source "${PROJECT_ROOT}/src/security-hardening.sh"
+
+    local test_output="${TEST_ROOT}/sshd_config"
+    configure_ssh "$test_output"
+
+    assert_file_contains "$test_output" "X11Forwarding no"
+}
--- a/tests/security/encryption_comprehensive_test.bats
+++ b/tests/security/encryption_comprehensive_test.bats
@@ -0,0 +1,196 @@
+#!/usr/bin/env bats
+# Comprehensive encryption configuration tests
+
+# Add bats library to BATS_LIB_PATH
+export BATS_LIB_PATH="/usr/lib/bats-core"
+
+load 'bats-support/load'
+load 'bats-assert/load'
+load 'bats-file/load'
+load '../test_helper/common.bash'
+
+setup() {
+    export TEST_ROOT="${TEST_TEMP_DIR}/encryption"
+    mkdir -p "${TEST_ROOT}"
+}
+
+@test "Encryption: Preseed uses crypto partition method" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "d-i partman-auto/method string crypto"
+}
+
+@test "Encryption: Preseed configures LVM within encrypted partition" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "crypto"
+}
+
+@test "Encryption: Preseed uses AES cipher" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "aes-xts"
+}
+
+@test "Encryption: Preseed uses 512-bit key size" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "512"
+}
+
+@test "Encryption: Preseed enables LUKS2 format" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "LUKS2"
+}
+
+@test "Encryption: Preseed includes cryptsetup package" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "d-i base-installer/include/ string cryptsetup"
+}
+
+@test "Encryption: Preseed includes cryptsetup-initramfs package" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "cryptsetup-initramfs"
+}
+
+@test "Encryption: Preseed includes dmsetup package" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "dmsetup"
+}
+
+@test "Encryption: Preseed includes pam-pwquality package" {
+    assert_file_contains "${PROJECT_ROOT}/config/preseed.cfg" "libpam-pwquality"
+}
+
+@test "Encryption: Encryption setup hook creates key management directory" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+
+    local key_dir="${TEST_ROOT}/etc/luks-keys"
+    create_key_directory "$key_dir"
+
+    assert [ -d "$key_dir" ]
+}
+
+@test "Encryption: Encryption setup hook creates key backup directory" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+
+    local backup_dir="${TEST_ROOT}/backup"
+    create_key_backup_directory "$backup_dir"
+
+    assert [ -d "$backup_dir" ]
+}
+
+@test "Encryption: Encryption setup hook creates check-encryption.sh" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+
+    local bin_dir="${TEST_ROOT}/usr/local/bin"
+    mkdir -p "$bin_dir"
+
+    create_check_encryption_script "$bin_dir/check-encryption.sh"
+
+    assert_file_exists "$bin_dir/check-encryption.sh"
+    assert [ -x "$bin_dir/check-encryption.sh" ]
+}
+
+@test "Encryption: Encryption setup hook creates manage-encryption-keys.sh" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+
+    local bin_dir="${TEST_ROOT}/usr/local/bin"
+    mkdir -p "$bin_dir"
+
+    create_manage_keys_script "$bin_dir/manage-encryption-keys.sh"
+
+    assert_file_exists "$bin_dir/manage-encryption-keys.sh"
+    assert [ -x "$bin_dir/manage-encryption-keys.sh" ]
+}
+
+@test "Encryption: Encryption setup hook creates systemd service" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+
+    local systemd_dir="${TEST_ROOT}/etc/systemd/system"
+    mkdir -p "$systemd_dir"
+
+    create_encryption_status_service "$systemd_dir"
+
+    assert_file_exists "$systemd_dir/knel-encryption-status.service"
+}
+
+@test "Encryption: Encryption validation hook checks encryption status" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    # Mock cryptsetup
+    cryptsetup() {
+        echo "Cryptsetup output"
+        return 0
+    }
+    export -f cryptsetup
+
+    local config_file="${TEST_ROOT}/crypttab"
+    echo "test_crypt UUID=12345678-1234-1234-1234-123456789012 none luks" > "$config_file"
+
+    validate_encryption_status "$config_file"
+    assert_success
+}
+
+@test "Encryption: Encryption validation hook creates user reminder" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    local home_dir="${TEST_ROOT}/home/user"
+    mkdir -p "$home_dir"
+
+    create_encryption_reminder "$home_dir"
+
+    assert_file_exists "$home_dir/ENCRYPTION-PASSPHRASE-REMINDER.txt"
+}
+
+@test "Encryption: Encryption reminder contains LUKS2 information" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    local home_dir="${TEST_ROOT}/home/user"
+    mkdir -p "$home_dir"
+
+    create_encryption_reminder "$home_dir"
+
+    assert_file_contains "$home_dir/ENCRYPTION-PASSPHRASE-REMINDER.txt" "LUKS2"
+}
+
+@test "Encryption: Encryption reminder contains cipher information" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    local home_dir="${TEST_ROOT}/home/user"
+    mkdir -p "$home_dir"
+
+    create_encryption_reminder "$home_dir"
+
+    assert_file_contains "$home_dir/ENCRYPTION-PASSPHRASE-REMINDER.txt" "AES-256-XTS"
+}
+
+@test "Encryption: Encryption reminder contains passphrase requirements" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    local home_dir="${TEST_ROOT}/home/user"
+    mkdir -p "$home_dir"
+
+    create_encryption_reminder "$home_dir"
+
+    assert_file_contains "$home_dir/ENCRYPTION-PASSPHRASE-REMINDER.txt" "14+ characters"
+}
+
+@test "Encryption: Encryption validation hook creates MOTD" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    local motd_dir="${TEST_ROOT}/etc/update-motd.d"
+    mkdir -p "$motd_dir"
+
+    setup_encryption_motd "$motd_dir"
+
+    assert_file_exists "$motd_dir/10-encryption-status"
+}
+
+@test "Encryption: Encryption validation hook creates first boot check" {
+    source "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+
+    local local_bin="${TEST_ROOT}/usr/local/bin"
+    mkdir -p "$local_bin"
+
+    create_first_boot_check "$local_bin"
+
+    assert_file_exists "$local_bin/first-boot-encryption-check.sh"
+    assert [ -x "$local_bin/first-boot-encryption-check.sh" ]
+}
+
+@test "Encryption: All encryption hooks are valid bash" {
+    run bash -n "${PROJECT_ROOT}/config/hooks/installed/encryption-setup.sh"
+    assert_success
+
+    run bash -n "${PROJECT_ROOT}/config/hooks/installed/encryption-validation.sh"
+    assert_success
+}