loghunter-cli 0.1.0.dev0__py3-none-any.whl

tests/test_init_wizard.py

@@ -0,0 +1,707 @@
+"""Coverage for the loghunter init wizard.
+
+Sections:
+  - Upsert matrix: section-bound transform inside the [loghunter] span.
+  - R1 root non-clobber: re-init preserves an existing root (including "").
+  - R5 _toml_str: literal/basic split, control-char rejection.
+  - Profiler: families, size, fresh buckets, bounded cap, no-data, perm-tolerant.
+  - Flow tests: drive the real _run_init with isolated HOME and monkeypatched
+    candidate-path constants — no test reaches the developer's /var/log.
+  - Verbatim line discipline: exact dialogue strings, no traceback leakage.
+"""
+
+from __future__ import annotations
+
+import tomllib
+from datetime import datetime, timedelta
+from pathlib import Path
+
+import pytest
+
+# Init wizard helpers moved from loghunter.cli to loghunter.cli_init (a
+# CLI-internal split — first-run UX remains CLI-layer ownership). This module
+# is rebound to the alias ``cli`` so the existing tests keep their
+# ``cli._foo(...)`` / ``monkeypatch.setattr(cli, "_FOO", …)`` shape unchanged.
+from loghunter import cli_init as cli
+
+
+# ── Test fixtures ──────────────────────────────────────────────────────────────
+
+EXAMPLE_TEXT = (
+    Path("loghunter/data/config_example.toml").read_text(encoding="utf-8")
+)
+
+
+def _isolated_home(monkeypatch: pytest.MonkeyPatch, tmp_path: Path) -> Path:
+    """Point HOME at tmp_path; return ~/.loghunter/ for asserting writes."""
+    monkeypatch.setenv("HOME", str(tmp_path))
+    return tmp_path / ".loghunter"
+
+
+def _stage_inputs(monkeypatch: pytest.MonkeyPatch, answers: list[str]) -> None:
+    """Drive builtins.input from a fixed list of answers."""
+    it = iter(answers)
+    monkeypatch.setattr("builtins.input", lambda *_a, **_kw: next(it))
+
+
+def _stub_candidates(
+    monkeypatch: pytest.MonkeyPatch,
+    *,
+    zeek: tuple[str, ...] = (),
+    pihole: tuple[tuple[str, str], ...] = (),
+    syslog: str = "/nonexistent-syslog-dir",
+) -> None:
+    """Replace the module-level probe constants so no real path is touched."""
+    monkeypatch.setattr(cli, "_ZEEK_CANDIDATES", zeek)
+    monkeypatch.setattr(cli, "_PIHOLE_CANDIDATES", pihole)
+    monkeypatch.setattr(cli, "_SYSLOG_CANDIDATE", syslog)
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# 1–11. Upsert matrix — section-bound transform
+# ════════════════════════════════════════════════════════════════════════════
+
+
+def test_upsert_fresh_from_example_provided_active_rewrite() -> None:
+    out = cli._upsert_loghunter_key(
+        EXAMPLE_TEXT, "zeek_dir", "/opt/zeek/logs", fresh=True,
+    )
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["zeek_dir"] == "/opt/zeek/logs"
+    # only one active zeek_dir line
+    assert out.count('\nzeek_dir') == 1
+
+
+def test_upsert_fresh_from_example_skipped_active_gets_commented() -> None:
+    out = cli._upsert_loghunter_key(
+        EXAMPLE_TEXT, "zeek_dir", None, fresh=True,
+    )
+    parsed = tomllib.loads(out)
+    assert "zeek_dir" not in parsed["loghunter"]
+    assert "# zeek_dir" in out
+
+
+def test_upsert_fresh_from_example_skipped_already_commented_noop() -> None:
+    # pihole_dir is shipped commented in the example. Skipped → no-op.
+    out = cli._upsert_loghunter_key(
+        EXAMPLE_TEXT, "pihole_dir", None, fresh=True,
+    )
+    assert out == EXAMPLE_TEXT
+
+
+def test_upsert_existing_active_key_updated() -> None:
+    base = "[loghunter]\nzeek_dir = \"/x\"\nsyslog_dir = \"/var/log\"\n"
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["zeek_dir"] == "/y"
+    # syslog_dir line preserved byte-identical
+    assert 'syslog_dir = "/var/log"' in out
+
+
+def test_upsert_existing_commented_key_uncommented() -> None:
+    base = '[loghunter]\n# zeek_dir = "/x"\nsyslog_dir = "/var/log"\n'
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["zeek_dir"] == "/y"
+
+
+def test_upsert_existing_without_key_inserted_inside_span() -> None:
+    base = "[loghunter]\nsyslog_dir = \"/var/log\"\n[allowlist]\n"
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["zeek_dir"] == "/y"
+    # inserted INSIDE [loghunter], not in [allowlist]
+    pre_allowlist = out.split("[allowlist]")[0]
+    assert "zeek_dir" in pre_allowlist
+
+
+def test_upsert_existing_full_file_outside_span_byte_identical() -> None:
+    other_blocks = (
+        "[allowlist]\ndomain_patterns = [\"~/x.txt\"]\n"
+        "\n[export.splunk]\nhost = \"192.0.2.20\"\n"
+        "\n[detectors.beacon]\nthreshold = 0.99\n"
+        "\n# narrative comment about something\n"
+    )
+    base = "[loghunter]\nzeek_dir = \"/x\"\n\n" + other_blocks
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    # everything from [allowlist] onward is byte-identical
+    idx_in = base.index("[allowlist]")
+    idx_out = out.index("[allowlist]")
+    assert base[idx_in:] == out[idx_out:]
+
+
+def test_upsert_existing_skipped_strict_noop() -> None:
+    base = "[loghunter]\nzeek_dir = \"/x\"\n[allowlist]\n"
+    out = cli._upsert_loghunter_key(base, "zeek_dir", None, fresh=False)
+    assert out == base
+
+
+def test_upsert_section_bound_token_in_another_stanza_active() -> None:
+    """A `zeek_dir =` line inside [export.cloudtrail] must NEVER be matched."""
+    base = (
+        "[loghunter]\nzeek_dir = \"/x\"\n"
+        "\n[export.cloudtrail]\n"
+        "zeek_dir = \"/sneaky-active\"\n"
+        "# zeek_dir = \"/sneaky-comment\"\n"
+        "root = \"/sneaky-root\"\n"
+    )
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    out = cli._upsert_loghunter_key(out, "root", "/new", fresh=False)
+    # the [export.cloudtrail] block is byte-identical
+    idx_in = base.index("[export.cloudtrail]")
+    idx_out = out.index("[export.cloudtrail]")
+    assert base[idx_in:] == out[idx_out:]
+    # the [loghunter] keys updated
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["zeek_dir"] == "/y"
+    assert parsed["loghunter"]["root"] == "/new"
+
+
+def test_upsert_section_bound_subtable_boundary() -> None:
+    """`[loghunter.foo]` ends the span — its zeek_dir is untouched."""
+    base = (
+        "[loghunter]\n"
+        "[loghunter.foo]\n"
+        "zeek_dir = \"/sub\"\n"
+    )
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    # sub-table zeek_dir intact
+    assert 'zeek_dir = "/sub"' in out
+    # new zeek_dir landed inside [loghunter] (before the sub-table)
+    idx_main = out.index("[loghunter]\n")
+    idx_sub = out.index("[loghunter.foo]")
+    between = out[idx_main:idx_sub]
+    assert "zeek_dir = '/y'" in between
+
+
+def test_init_writes_bak_on_existing_config_update(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    cfg_path = home / "config.toml"
+    original = "[loghunter]\nroot = \"/data/lh\"\nzeek_dir = \"/x\"\n"
+    cfg_path.write_text(original, encoding="utf-8")
+
+    _stub_candidates(monkeypatch)  # nothing detected
+    # Inputs: Zeek not-found (Enter=skip), Pi-hole not-found (Enter=skip),
+    # syslog absent (Enter=skip), gate (Enter=proceed), root Enter.
+    _stage_inputs(monkeypatch, ["", "", "", "", ""])
+
+    cli._run_init([])
+
+    bak = cfg_path.with_suffix(".toml.bak")
+    assert bak.read_text(encoding="utf-8") == original
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# 12–15. R1 root non-clobber
+# ════════════════════════════════════════════════════════════════════════════
+
+
+def _run_init_with_no_sources(
+    monkeypatch: pytest.MonkeyPatch, root_input: str = "",
+) -> None:
+    """All-skipped path + Enter-proceed at the gate. Last input = root."""
+    _stub_candidates(monkeypatch)
+    _stage_inputs(monkeypatch, ["", "", "", "", root_input])
+    cli._run_init([])
+
+
+def test_root_non_clobber_existing_value_preserved_on_enter(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    (home / "config.toml").write_text(
+        "[loghunter]\nroot = \"/data/lh\"\n", encoding="utf-8",
+    )
+    _run_init_with_no_sources(monkeypatch)
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["root"] == "/data/lh"
+
+
+def test_root_non_clobber_missing_root_uses_live_default(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    (home / "config.toml").write_text(
+        "[loghunter]\nzeek_dir = \"/x\"\n", encoding="utf-8",
+    )
+    _run_init_with_no_sources(monkeypatch)
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["root"] == "~/.loghunter"
+
+
+def test_root_non_clobber_existing_empty_preserved(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    """Explicit `root = ""` survives a re-init Enter — the user chose CWD."""
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    (home / "config.toml").write_text(
+        "[loghunter]\nroot = \"\"\n", encoding="utf-8",
+    )
+    _run_init_with_no_sources(monkeypatch)
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["root"] == ""
+
+
+def test_root_typed_value_replaces_existing(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    (home / "config.toml").write_text(
+        "[loghunter]\nroot = \"/data/lh\"\n", encoding="utf-8",
+    )
+    _run_init_with_no_sources(monkeypatch, root_input="/new/root")
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["root"] == "/new/root"
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# 16–21. R5 _toml_str
+# ════════════════════════════════════════════════════════════════════════════
+
+
+@pytest.mark.parametrize("value", [
+    "/var/log/zeek",
+    "/var/log/My Logs",            # space
+    "/var/log/o'brien",            # single quote → basic
+    "C:\\Logs",                    # backslash
+    '/var/log/"weird"',            # double quote
+])
+def test_toml_str_roundtrips(value: str) -> None:
+    rendered = cli._toml_str(value)
+    parsed = tomllib.loads(f"x = {rendered}")
+    assert parsed["x"] == value
+
+
+def test_toml_str_single_quote_uses_basic_form() -> None:
+    assert cli._toml_str("/var/log/o'brien").startswith('"')
+
+
+def test_toml_str_no_special_uses_literal_form() -> None:
+    assert cli._toml_str("/var/log/zeek") == "'/var/log/zeek'"
+
+
+def test_toml_str_rejects_control_char() -> None:
+    with pytest.raises(ValueError, match="control character"):
+        cli._toml_str("/var/log/\n")
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# 22–27. Profiler
+# ════════════════════════════════════════════════════════════════════════════
+
+
+def _make_file(path: Path, *, size: int = 8, mtime: float | None = None) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_bytes(b"x" * size)
+    if mtime is not None:
+        import os
+        os.utime(path, (mtime, mtime))
+
+
+def test_profile_zeek_logs_two_families(tmp_path: Path) -> None:
+    _make_file(tmp_path / "conn.log")
+    _make_file(tmp_path / "dns.log")
+    p = cli._profile_dir(str(tmp_path), cli._ZEEK_GLOBS, logs_label=None)
+    assert p is not None
+    assert p["logs"] == "conn + dns"
+
+
+def test_profile_zeek_logs_three_families(tmp_path: Path) -> None:
+    _make_file(tmp_path / "conn.log")
+    _make_file(tmp_path / "dns.log")
+    _make_file(tmp_path / "ssl.log")
+    p = cli._profile_dir(str(tmp_path), cli._ZEEK_GLOBS, logs_label=None)
+    assert p is not None
+    assert p["logs"] == "conn, dns, ssl"
+
+
+def test_profile_human_bytes_kb(tmp_path: Path) -> None:
+    _make_file(tmp_path / "conn.log", size=12 * 1024)
+    p = cli._profile_dir(str(tmp_path), ("conn*.log*",), logs_label=None)
+    assert p is not None
+    assert p["size_str"] == "~12 KB"
+
+
+def test_profile_human_bytes_mb_and_gb() -> None:
+    assert cli._human_bytes(340 * 1024 ** 2) == "~340 MB"
+    assert cli._human_bytes(6 * 1024 ** 3) == "~6 GB"
+
+
+@pytest.mark.parametrize("delta,expected", [
+    (timedelta(minutes=30), "updated just now"),
+    (timedelta(hours=12),   "fresh today"),
+    (timedelta(days=3),     "active this week"),
+    (timedelta(days=10),    "last activity ~10 days ago"),
+    (timedelta(days=45),    "but it looks stale — nothing new in ~6 weeks"),
+    (timedelta(days=75),    "but it looks stale — nothing new in ~2 months"),
+])
+def test_fresh_bucket_boundaries(delta: timedelta, expected: str) -> None:
+    assert cli._fresh_bucket(delta) == expected
+
+
+def test_profile_bounded_cap(tmp_path: Path) -> None:
+    # Synthesize one more than the cap, all matching conn*.log*. The
+    # bounded flag must surface.
+    for i in range(cli._PROFILE_FILE_CAP + 50):
+        _make_file(tmp_path / f"conn.{i}.log")
+    p = cli._profile_dir(str(tmp_path), ("conn*.log*",), logs_label=None)
+    assert p is not None
+    assert p["bounded"] is True
+
+
+def test_profile_no_data_returns_none(tmp_path: Path) -> None:
+    # Dir exists but no matching files.
+    assert cli._profile_dir(str(tmp_path), ("conn*.log*",), logs_label=None) is None
+
+
+def test_profile_dir_missing_returns_none(tmp_path: Path) -> None:
+    assert cli._profile_dir(
+        str(tmp_path / "missing"), ("conn*.log*",), logs_label=None,
+    ) is None
+
+
+def test_profile_permission_error_silently_handled(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    _make_file(tmp_path / "conn.log", size=8)
+
+    real_stat = Path.stat
+    def _fail_stat(self, *args, **kwargs):
+        if self.name.startswith("conn"):
+            raise PermissionError("simulated")
+        return real_stat(self, *args, **kwargs)
+    monkeypatch.setattr(Path, "stat", _fail_stat)
+
+    # Whichever file errored is skipped; no other files → no-data return.
+    result = cli._profile_dir(str(tmp_path), ("conn*.log*",), logs_label=None)
+    assert result is None
+
+
+def test_detect_zeek_permission_error_continues(
+    tmp_path: Path, monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """A probe that raises PermissionError on glob falls through to the
+    next candidate, not the CLI error boundary."""
+    bad = tmp_path / "bad-zeek"
+    good = tmp_path / "good-zeek"
+    bad.mkdir()
+    good.mkdir()
+    _make_file(good / "conn.log")
+
+    monkeypatch.setattr(cli, "_ZEEK_CANDIDATES", (str(bad), str(good)))
+
+    real_glob = Path.glob
+    def _conditional_glob(self, pattern, *args, **kwargs):
+        if self == bad:
+            raise PermissionError("simulated")
+        return real_glob(self, pattern, *args, **kwargs)
+    monkeypatch.setattr(Path, "glob", _conditional_glob)
+
+    assert cli._detect_zeek() == str(good)
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# 28–34. Flow tests — drive _run_init end-to-end
+# ════════════════════════════════════════════════════════════════════════════
+
+
+def _setup_zeek_dir(tmp_path: Path) -> str:
+    d = tmp_path / "fake-zeek"
+    d.mkdir()
+    _make_file(d / "conn.log")
+    _make_file(d / "dns.log")
+    return str(d)
+
+
+def _setup_pihole(tmp_path: Path) -> tuple[str, tuple[tuple[str, str], ...]]:
+    d = tmp_path / "fake-pihole"
+    d.mkdir()
+    _make_file(d / "pihole.log")
+    return (str(d), ((str(d / "pihole.log"), str(d)),))
+
+
+def _setup_syslog(tmp_path: Path) -> str:
+    d = tmp_path / "fake-var-log"
+    d.mkdir()
+    _make_file(d / "messages.log")
+    return str(d)
+
+
+def test_flow_all_found_all_accepted_root_enter(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    zeek = _setup_zeek_dir(tmp_path)
+    pihole_dir, pihole_candidates = _setup_pihole(tmp_path)
+    syslog = _setup_syslog(tmp_path)
+    _stub_candidates(monkeypatch, zeek=(zeek,), pihole=pihole_candidates, syslog=syslog)
+    _stage_inputs(monkeypatch, ["", "", "", ""])
+
+    cli._run_init([])
+
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["root"] == "~/.loghunter"
+    assert parsed["loghunter"]["zeek_dir"] == zeek
+    assert parsed["loghunter"]["pihole_dir"] == pihole_dir
+    assert parsed["loghunter"]["syslog_dir"] == syslog
+
+
+def test_flow_typed_pihole_path(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    zeek = _setup_zeek_dir(tmp_path)
+    _, pihole_candidates = _setup_pihole(tmp_path)
+    syslog = _setup_syslog(tmp_path)
+    _stub_candidates(monkeypatch, zeek=(zeek,), pihole=pihole_candidates, syslog=syslog)
+    _stage_inputs(monkeypatch, ["", "/custom/pihole", "", ""])
+
+    cli._run_init([])
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["pihole_dir"] == "/custom/pihole"
+
+
+def test_flow_pihole_not_found_typed_path(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    zeek = _setup_zeek_dir(tmp_path)
+    syslog = _setup_syslog(tmp_path)
+    _stub_candidates(monkeypatch, zeek=(zeek,), pihole=(), syslog=syslog)
+    _stage_inputs(monkeypatch, ["", "/somewhere/pihole", "", ""])
+
+    cli._run_init([])
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["pihole_dir"] == "/somewhere/pihole"
+
+
+def test_flow_all_skipped_gate_redo(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    zeek = _setup_zeek_dir(tmp_path)
+    _, pihole_candidates = _setup_pihole(tmp_path)
+    syslog = _setup_syslog(tmp_path)
+    _stub_candidates(monkeypatch, zeek=(zeek,), pihole=pihole_candidates, syslog=syslog)
+    # First pass: skip all three (s, s, s). Gate: r → redo. Second pass: Enter
+    # all three to accept. Then root Enter.
+    _stage_inputs(monkeypatch, ["s", "s", "s", "r", "", "", "", ""])
+
+    cli._run_init([])
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["zeek_dir"] == zeek
+    assert parsed["loghunter"]["pihole_dir"] != ""  # set
+    assert parsed["loghunter"]["syslog_dir"] == syslog
+
+
+def test_flow_all_skipped_gate_enter_proceed(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    zeek = _setup_zeek_dir(tmp_path)
+    _, pihole_candidates = _setup_pihole(tmp_path)
+    syslog = _setup_syslog(tmp_path)
+    _stub_candidates(monkeypatch, zeek=(zeek,), pihole=pihole_candidates, syslog=syslog)
+    _stage_inputs(monkeypatch, ["s", "s", "s", "", ""])
+
+    cli._run_init([])
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    # Fresh-from-example: all three source keys ended SKIPPED → active line in
+    # example becomes commented; tomllib sees them absent.
+    assert "zeek_dir" not in parsed["loghunter"]
+    assert "pihole_dir" not in parsed["loghunter"]
+    assert "syslog_dir" not in parsed["loghunter"]
+
+
+def test_flow_reinit_preserves_custom_root_and_other_stanzas(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    existing = (
+        "[loghunter]\nroot = \"/data/lh\"\nzeek_dir = \"/old/zeek\"\n"
+        "\n[detectors.beacon]\nthreshold = 0.99\n"
+    )
+    (home / "config.toml").write_text(existing, encoding="utf-8")
+
+    zeek = _setup_zeek_dir(tmp_path)
+    _, pihole_candidates = _setup_pihole(tmp_path)
+    syslog = _setup_syslog(tmp_path)
+    _stub_candidates(monkeypatch, zeek=(zeek,), pihole=pihole_candidates, syslog=syslog)
+    _stage_inputs(monkeypatch, ["", "", "", ""])
+
+    cli._run_init([])
+
+    out = (home / "config.toml").read_text(encoding="utf-8")
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["root"] == "/data/lh"
+    # the detectors stanza survives byte-identical
+    assert "[detectors.beacon]\nthreshold = 0.99" in out
+    # .bak exists with the original bytes
+    assert (home / "config.toml.bak").read_text(encoding="utf-8") == existing
+
+
+def test_flow_reinit_with_empty_root_preserved(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    (home / "config.toml").write_text(
+        "[loghunter]\nroot = \"\"\n", encoding="utf-8",
+    )
+    _stub_candidates(monkeypatch)
+    _stage_inputs(monkeypatch, ["", "", "", "", ""])
+
+    cli._run_init([])
+    parsed = tomllib.loads((home / "config.toml").read_text(encoding="utf-8"))
+    assert parsed["loghunter"]["root"] == ""
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# 35. Verbatim line discipline
+# ════════════════════════════════════════════════════════════════════════════
+
+
+def test_verbatim_zeek_not_found_block(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path, capsys: pytest.CaptureFixture[str],
+) -> None:
+    _isolated_home(monkeypatch, tmp_path)
+    _stub_candidates(monkeypatch)
+    _stage_inputs(monkeypatch, ["", "", "", "", ""])
+    cli._run_init([])
+    out = capsys.readouterr().out
+    assert "Didn't find Zeek. You might like it: https://zeek.org" in out
+    assert "If it's just hiding, tell me where." in out
+    assert "[Enter = skip  ·  type a path]" in out
+
+
+def test_verbatim_gate_and_confirm_blocks(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path, capsys: pytest.CaptureFixture[str],
+) -> None:
+    _isolated_home(monkeypatch, tmp_path)
+    _stub_candidates(monkeypatch)
+    _stage_inputs(monkeypatch, ["", "", "", "", ""])
+    cli._run_init([])
+    out = capsys.readouterr().out
+    assert "You should provide at least one: Zeek, Pi-hole, or syslog." in out
+    assert "Or you can point loghunter at individual files. Up to you." in out
+    assert "[r = redo  ·  Enter = skip]" in out
+    assert "Done — settings written to ~/.loghunter/config.toml." in out
+    assert "(none — pass files on the command line)" in out
+    assert "data:     ~/.loghunter" in out
+    assert "Good hunting!" in out
+    # Confirm block has exactly one blank line between data line and docs URL.
+    confirm_idx = out.index("Done — settings written")
+    confirm_tail = out[confirm_idx:]
+    # Find "data:" line position and check the next non-empty line is the docs.
+    lines = confirm_tail.splitlines()
+    data_line_idx = next(i for i, line in enumerate(lines) if line.startswith("  data:"))
+    assert lines[data_line_idx + 1] == ""
+    assert lines[data_line_idx + 2].startswith("LogHunter documentation lives here:")
+
+
+def test_verbatim_zeek_no_data_found_single_line(
+    monkeypatch: pytest.MonkeyPatch, capsys: pytest.CaptureFixture[str],
+) -> None:
+    """Rev-2 no-data reduced form: `Found Zeek at {path}. Use this?` on ONE line."""
+    cli._print_zeek_found("/some/zeek", None)
+    out = capsys.readouterr().out
+    assert "Found Zeek at /some/zeek. Use this?" in out
+    # The phrase must not be split across two lines.
+    assert "Found Zeek at /some/zeek.\nUse this?" not in out
+
+
+def test_verbatim_pihole_no_data_found_single_line(
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    cli._print_pihole_found("/some/pihole", None)
+    out = capsys.readouterr().out
+    assert "Found Pi-hole at /some/pihole. Use this?" in out
+    assert "Found Pi-hole at /some/pihole.\nUse this?" not in out
+
+
+def test_verbatim_zeek_profiled_keeps_two_line_form(
+    capsys: pytest.CaptureFixture[str],
+) -> None:
+    """The profiled (full) form is still two lines — guard so the no-data fix
+    doesn't accidentally collapse the rich path."""
+    profile = {
+        "logs": "conn + dns", "size_str": "~12 KB",
+        "fresh_str": "fresh today", "bounded": False, "size_bytes": 12_288,
+    }
+    cli._print_zeek_found("/some/zeek", profile)
+    out = capsys.readouterr().out
+    assert "Found Zeek at /some/zeek." in out
+    assert "conn + dns, ~12 KB, fresh today. Use this?" in out
+
+
+# ════════════════════════════════════════════════════════════════════════════
+# CR regression: upsert duplicate-key + .bak byte preservation
+# ════════════════════════════════════════════════════════════════════════════
+
+
+def test_upsert_active_wins_over_preceding_commented_sample() -> None:
+    """A commented sample BEFORE an active value must not be uncommented —
+    the active line is the one rewritten. Else we produce duplicate keys."""
+    base = (
+        "[loghunter]\n"
+        "# zeek_dir = \"/default\"\n"
+        "zeek_dir = \"/custom\"\n"
+    )
+    out = cli._upsert_loghunter_key(base, "zeek_dir", "/y", fresh=False)
+    # the active line was rewritten
+    assert 'zeek_dir = \'/y\'' in out
+    # the commented sample is byte-preserved
+    assert '# zeek_dir = "/default"' in out
+    # produced TOML still parses (no duplicate keys)
+    parsed = tomllib.loads(out)
+    assert parsed["loghunter"]["zeek_dir"] == "/y"
+
+
+def test_bak_byte_identical_for_crlf_existing_config(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    """A user config with Windows line endings must round-trip through .bak
+    byte-identical; the non-clobber promise covers CRLF callers too."""
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    cfg_path = home / "config.toml"
+    # CRLF throughout; deliberate non-managed stanza we'll inspect after write.
+    original_bytes = (
+        b"[loghunter]\r\n"
+        b"root = \"/data/lh\"\r\n"
+        b"\r\n"
+        b"[detectors.beacon]\r\n"
+        b"threshold = 0.99\r\n"
+    )
+    cfg_path.write_bytes(original_bytes)
+
+    _stub_candidates(monkeypatch)
+    _stage_inputs(monkeypatch, ["", "", "", "", ""])
+    cli._run_init([])
+
+    bak = cfg_path.with_suffix(".toml.bak")
+    assert bak.read_bytes() == original_bytes
+    # The untouched detectors stanza retains CRLF in the rewritten file.
+    rewritten = cfg_path.read_bytes()
+    assert b"[detectors.beacon]\r\nthreshold = 0.99\r\n" in rewritten
+
+
+def test_no_traceback_on_corrupt_existing_config(
+    monkeypatch: pytest.MonkeyPatch, tmp_path: Path,
+) -> None:
+    home = _isolated_home(monkeypatch, tmp_path)
+    home.mkdir(parents=True)
+    (home / "config.toml").write_text("not = valid = toml = at = all", encoding="utf-8")
+    _stub_candidates(monkeypatch)
+    _stage_inputs(monkeypatch, [""])
+
+    with pytest.raises(ValueError, match="loghunter init: existing config"):
+        cli._run_init([])