nac-test-pyats-common 0.1.1__py3-none-any.whl → 0.2.1__py3-none-any.whl

nac_test_pyats_common/common/base_device_resolver.py

@@ -8,14 +8,12 @@ Architecture-specific resolvers extend this class and implement the
 abstract methods for schema navigation and credential retrieval.
 """
 
+import ipaddress
 import logging
 import os
 from abc import ABC, abstractmethod
 from typing import Any
 
-import yaml
-from nac_test.utils.file_discovery import find_data_file
-
 logger = logging.getLogger(__name__)
 
 
@@ -23,29 +21,31 @@ class BaseDeviceResolver(ABC):
     """Abstract base class for architecture-specific device resolvers.
 
     This class implements the Template Method pattern for device inventory
-    resolution. It handles common logic (inventory loading, credential
-    injection, device dict construction) while delegating schema-specific
-    work to abstract methods.
+    resolution. It handles common logic (credential injection, device dict
+    construction) while delegating schema-specific work to abstract methods.
+
+    Credentials are injected as environment variable references (%ENV{VARNAME})
+    rather than cleartext values for security. PyATS testbed loader will resolve
+    these references at runtime.
 
     Subclasses MUST implement:
         - get_architecture_name(): Return architecture identifier (e.g., "sdwan")
         - get_schema_root_key(): Return the root key in data model (e.g., "sdwan")
         - navigate_to_devices(): Navigate schema to get iterable of device data
-        - extract_device_id(): Extract unique device identifier from device data
         - extract_hostname(): Extract hostname from device data
         - extract_host_ip(): Extract management IP from device data
-        - extract_os_type(): Extract OS type from device data
+        - extract_os_platform_type(): Extract OS and platform info from device data
         - get_credential_env_vars(): Return (username_env_var, password_env_var)
 
     Subclasses MAY override:
-        - get_inventory_filename(): Return inventory filename
-          (default: "test_inventory.yaml")
+        - extract_device_id(): Extract device identifier (default: uses hostname)
         - build_device_dict(): Customize device dict construction
-        - _load_inventory(): Customize inventory loading
+        - validate_device_data(): Pre-extraction validation hook
 
     Attributes:
         data_model: The merged NAC data model dictionary.
-        test_inventory: The test inventory dictionary (devices to test).
+        skipped_devices: List of dicts with device_id and reason for devices
+            that failed resolution. Populated after get_resolved_inventory().
 
     Example:
         >>> class SDWANDeviceResolver(BaseDeviceResolver):
@@ -59,36 +59,29 @@ class BaseDeviceResolver(ABC):
         >>>
         >>> resolver = SDWANDeviceResolver(data_model)
         >>> devices = resolver.get_resolved_inventory()
+        >>> # devices[0]["username"] == "%ENV{IOSXE_USERNAME}"
+        >>> # devices[0]["password"] == "%ENV{IOSXE_PASSWORD}"
     """
 
-    def __init__(
-        self,
-        data_model: dict[str, Any],
-        test_inventory: dict[str, Any] | None = None,
-    ) -> None:
+    def __init__(self, data_model: dict[str, Any]) -> None:
         """Initialize the device resolver.
 
         Args:
             data_model: The merged NAC data model containing all architecture
                 data with resolved variables.
-            test_inventory: Optional test inventory specifying which devices
-                to test. If not provided, will attempt to load from file.
         """
         self.data_model = data_model
-        self.test_inventory = test_inventory or self._load_inventory()
-        logger.debug(
-            f"Initialized {self.get_architecture_name()} resolver with "
-            f"{len(self.test_inventory.get('devices', []))} devices in inventory"
-        )
+        self.skipped_devices: list[dict[str, str]] = []
+        logger.debug(f"Initialized {self.get_architecture_name()} resolver")
 
     def get_resolved_inventory(self) -> list[dict[str, Any]]:
         """Get resolved device inventory ready for SSH connection.
 
         This is the main entry point. It:
         1. Navigates the data model to find device data
-        2. Matches devices against test inventory (if provided)
-        3. Extracts hostname, IP, OS from each device
-        4. Injects SSH credentials from environment variables
+        2. Extracts hostname and management IP from each device
+        3. Sets OS type (architecture-specific, e.g., hardcoded to 'iosxe' for SD-WAN)
+        4. Injects SSH credential environment variable references
         5. Returns list of device dicts ready for nac-test
 
         Returns:
@@ -96,8 +89,8 @@ class BaseDeviceResolver(ABC):
             - hostname (str)
             - host (str)
             - os (str)
-            - username (str)
-            - password (str)
+            - username (str): Environment variable reference in %ENV{VARNAME} format
+            - password (str): Environment variable reference in %ENV{VARNAME} format
             - Plus any architecture-specific fields
 
         Raises:
@@ -106,10 +99,15 @@ class BaseDeviceResolver(ABC):
         logger.info(f"Resolving device inventory for {self.get_architecture_name()}")
 
         resolved_devices: list[dict[str, Any]] = []
-        devices_to_test = self._get_devices_to_test()
+        self.skipped_devices = []  # Reset for each resolution
+        all_devices = list(self.navigate_to_devices())
+        logger.debug(f"Found {len(all_devices)} devices in data model")
 
-        for device_data in devices_to_test:
+        for device_data in all_devices:
             try:
+                # Validate device data before extraction (optional hook)
+                self.validate_device_data(device_data)
+
                 device_dict = self.build_device_dict(device_data)
 
                 # Validate extracted fields
@@ -129,18 +127,53 @@ class BaseDeviceResolver(ABC):
                 )
             except (KeyError, ValueError) as e:
                 device_id = self._safe_extract_device_id(device_data)
-                logger.warning(f"Skipping device {device_id}: {e}")
+                logger.debug(f"Skipping device {device_id}: {e}")
+                self.skipped_devices.append(
+                    {
+                        "device_id": device_id,
+                        "reason": str(e),
+                    }
+                )
                 continue
 
         # Inject credentials (fail fast if missing)
         self._inject_credentials(resolved_devices)
 
+        skipped_msg = (
+            f", skipped {len(self.skipped_devices)}" if self.skipped_devices else ""
+        )
         logger.info(
             f"Resolved {len(resolved_devices)} devices for "
-            f"{self.get_architecture_name()} D2D testing"
+            f"{self.get_architecture_name()} D2D testing{skipped_msg}"
         )
         return resolved_devices
 
+    def validate_device_data(self, _device_data: dict[str, Any]) -> None:  # noqa: B027
+        """Validate device data before extraction (optional hook).
+
+        Override this method to perform architecture-specific validation
+        before device field extraction. This is useful for filtering devices
+        based on state, type, or other criteria.
+
+        The default implementation does nothing - all devices pass validation.
+        Subclasses can override this to implement custom validation logic.
+
+        Args:
+            _device_data: Raw device data from the data model (unused in base class).
+
+        Raises:
+            ValueError: If the device should be skipped. The error message
+                will be logged and included in skipped_devices tracking.
+
+        Example (Catalyst Center - skip devices in INIT/PNP states):
+            >>> def validate_device_data(self, device_data):
+            ...     state = device_data.get("state", "").upper()
+            ...     if state in ("INIT", "PNP"):
+            ...         raise ValueError(f"Device has unsupported state '{state}'")
+        """
+        # Default implementation does nothing - subclasses can override
+        pass
+
     def build_device_dict(self, device_data: dict[str, Any]) -> dict[str, Any]:
         """Build a device dictionary from raw device data.
 
@@ -152,15 +185,15 @@ class BaseDeviceResolver(ABC):
 
         Returns:
             Device dictionary with hostname, host, os, device_id fields,
-            plus any test-relevant fields like connection_options.
-            Credentials are injected separately.
+            plus optional platform, model, series fields if provided by
+            extract_os_platform_type(). Credentials are injected separately.
 
         Raises:
             ValueError: If any required field extraction fails.
         """
         hostname = self.extract_hostname(device_data)
         host = self.extract_host_ip(device_data)
-        os_type = self.extract_os_type(device_data)
+        os_platform_info = self.extract_os_platform_type(device_data)
         device_id = self.extract_device_id(device_data)
 
         # Validate all extracted values are non-empty strings
@@ -168,150 +201,51 @@ class BaseDeviceResolver(ABC):
             raise ValueError(f"Invalid hostname: {hostname!r}")
         if not isinstance(host, str) or not host:
             raise ValueError(f"Invalid host IP: {host!r}")
+
+        # Validate IP address format (after CIDR stripping done by subclass)
+        try:
+            ipaddress.ip_address(host)
+        except ValueError:
+            raise ValueError(
+                f"Invalid IP address format: '{host}'. "
+                "Ensure the field contains a valid IPv4 or IPv6 address."
+            ) from None
+
+        # Validate os_platform_info structure
+        # Runtime check for dict type (defensive programming for non-mypy users)
+        if not isinstance(os_platform_info, dict):
+            type_name = type(os_platform_info).__name__  # type: ignore[unreachable]
+            raise ValueError(  # type: ignore[unreachable]
+                f"extract_os_platform_type must return a dict, got {type_name}"
+            )
+        if "os" not in os_platform_info:
+            raise ValueError("extract_os_platform_type must return dict with 'os' key")
+
+        os_type = os_platform_info["os"]
         if not isinstance(os_type, str) or not os_type:
             raise ValueError(f"Invalid OS type: {os_type!r}")
         if not isinstance(device_id, str) or not device_id:
             raise ValueError(f"Invalid device ID: {device_id!r}")
 
-        # Start with required fields
-        result = {
+        # Build base device dict with required fields
+        device_dict = {
             "hostname": hostname,
             "host": host,
             "os": os_type,
             "device_id": device_id,
         }
 
-        # Preserve connection_options from test_inventory if present
-        # This allows specifying custom SSH ports, protocols, etc.
-        if "connection_options" in device_data:
-            result["connection_options"] = device_data["connection_options"]
+        # Add optional PyATS abstraction fields if present
+        for field in ["platform", "model", "series"]:
+            if field in os_platform_info:
+                device_dict[field] = os_platform_info[field]
 
-        return result
+        return device_dict
 
     # -------------------------------------------------------------------------
     # Private helper methods
     # -------------------------------------------------------------------------
 
-    def _load_inventory(self) -> dict[str, Any]:
-        """Load test inventory from file.
-
-        Searches for the inventory file using the generic file discovery
-        utility. Subclasses can override this to customize loading behavior.
-
-        Returns:
-            Test inventory dictionary, or empty dict if not found.
-        """
-        filename = self.get_inventory_filename()
-        inventory_path = find_data_file(filename)
-
-        if inventory_path is None:
-            logger.warning(
-                f"Test inventory file '{filename}' not found for "
-                f"{self.get_architecture_name()}. Using empty inventory."
-            )
-            return {}
-
-        logger.info(f"Loading test inventory from {inventory_path}")
-        try:
-            with open(inventory_path) as f:
-                raw_data = yaml.safe_load(f) or {}
-
-            # Support both nested and flat formats:
-            # Nested: {arch: {test_inventory: {...}}}
-            # Flat: {test_inventory: {...}}
-            arch_key = self.get_schema_root_key()
-            if arch_key in raw_data and "test_inventory" in raw_data[arch_key]:
-                return raw_data[arch_key]["test_inventory"]  # type: ignore[no-any-return]
-            elif "test_inventory" in raw_data:
-                return raw_data["test_inventory"]  # type: ignore[no-any-return]
-            else:
-                return raw_data
-
-        except yaml.YAMLError as e:
-            logger.error(f"Failed to parse test inventory YAML: {e}")
-            return {}
-        except OSError as e:
-            logger.error(f"Failed to read test inventory file: {e}")
-            return {}
-
-    def _get_devices_to_test(self) -> list[dict[str, Any]]:
-        """Get the list of device data dicts to process.
-
-        If test_inventory specifies devices, filter to only those.
-        Otherwise, return all devices from the data model.
-
-        Returns:
-            List of device data dictionaries from the data model.
-        """
-        all_devices = list(self.navigate_to_devices())
-        logger.debug(f"Found {len(all_devices)} total devices in data model")
-
-        # If no test inventory, test all devices
-        inventory_devices = self.test_inventory.get("devices", [])
-        if not inventory_devices:
-            logger.debug("No test inventory devices specified, testing all devices")
-            return all_devices
-
-        # Build index for efficient lookup
-        device_index = self._build_device_index(all_devices)
-
-        # Filter to devices in test inventory
-        devices_to_test: list[dict[str, Any]] = []
-        for inventory_entry in inventory_devices:
-            device_id = self._get_device_id_from_inventory(inventory_entry)
-            if device_id in device_index:
-                # Merge inventory entry data with device data
-                merged = {**device_index[device_id], **inventory_entry}
-                devices_to_test.append(merged)
-                logger.debug(f"Added device {device_id} from test inventory")
-            else:
-                logger.warning(
-                    f"Device '{device_id}' from test_inventory not found in "
-                    f"{self.get_architecture_name()} data model"
-                )
-
-        logger.debug(f"Filtered to {len(devices_to_test)} devices from test inventory")
-        return devices_to_test
-
-    def _build_device_index(
-        self, devices: list[dict[str, Any]]
-    ) -> dict[str, dict[str, Any]]:
-        """Build a lookup index of devices by their ID.
-
-        Args:
-            devices: List of device data dictionaries.
-
-        Returns:
-            Dictionary mapping device ID to device data.
-        """
-        device_index: dict[str, dict[str, Any]] = {}
-        for device_data in devices:
-            device_id = self._safe_extract_device_id(device_data)
-            if device_id:
-                device_index[device_id] = device_data
-        return device_index
-
-    def _get_device_id_from_inventory(self, inventory_entry: dict[str, Any]) -> str:
-        """Extract device ID from a test inventory entry.
-
-        Override this if your inventory uses a different field name.
-
-        Args:
-            inventory_entry: Entry from test_inventory.devices[]
-
-        Returns:
-            Device identifier string.
-        """
-        # Common patterns across architectures
-        for key in ["chassis_id", "device_id", "node_id", "hostname", "name"]:
-            if key in inventory_entry:
-                return str(inventory_entry[key])
-
-        logger.warning(
-            f"Could not extract device ID from inventory entry: {inventory_entry}"
-        )
-        return ""
-
     def _safe_extract_device_id(self, device_data: dict[str, Any]) -> str:
         """Safely extract device ID, returning empty string on failure."""
         try:
@@ -320,7 +254,15 @@ class BaseDeviceResolver(ABC):
             return "<unknown>"
 
     def _inject_credentials(self, devices: list[dict[str, Any]]) -> None:
-        """Inject SSH credentials from environment variables.
+        """Inject SSH credential environment variable references.
+
+        Injects credentials as %ENV{VARNAME} references instead of cleartext
+        values for security. PyATS testbed loader will resolve these at runtime.
+
+        This prevents credentials from being written to disk in testbed.yaml files.
+
+        If consumers need cleartext values, they can detect the %ENV{} pattern
+        and resolve via os.environ.get() themselves.
 
         Args:
             devices: List of device dicts to update in place.
@@ -329,14 +271,12 @@ class BaseDeviceResolver(ABC):
             ValueError: If required credential environment variables are not set.
         """
         username_var, password_var = self.get_credential_env_vars()
-        username = os.environ.get(username_var)
-        password = os.environ.get(password_var)
 
-        # FAIL FAST - raise error if credentials missing
+        # FAIL FAST - validate env vars are set (without reading values)
         missing_vars: list[str] = []
-        if not username:
+        if username_var not in os.environ:
             missing_vars.append(username_var)
-        if not password:
+        if password_var not in os.environ:
             missing_vars.append(password_var)
 
         if missing_vars:
@@ -346,10 +286,13 @@ class BaseDeviceResolver(ABC):
                 f"These are required for {self.get_architecture_name()} D2D testing."
             )
 
-        logger.debug(f"Injecting credentials from {username_var} and {password_var}")
+        # Inject environment variable references (not cleartext values)
+        logger.debug(
+            f"Injecting credential references for {username_var} and {password_var}"
+        )
         for device in devices:
-            device["username"] = username
-            device["password"] = password
+            device["username"] = f"%ENV{{{username_var}}}"
+            device["password"] = f"%ENV{{{password_var}}}"
 
     # -------------------------------------------------------------------------
     # Abstract methods - MUST be implemented by subclasses
@@ -370,7 +313,7 @@ class BaseDeviceResolver(ABC):
     def get_schema_root_key(self) -> str:
         """Return the root key in the data model for this architecture.
 
-        Used when loading test inventory and navigating the schema.
+        Used when navigating the schema.
 
         Returns:
             Root key (e.g., "sdwan", "apic", "cc").
@@ -396,11 +339,14 @@ class BaseDeviceResolver(ABC):
         """
         ...
 
-    @abstractmethod
     def extract_device_id(self, device_data: dict[str, Any]) -> str:
         """Extract unique device identifier from device data.
 
-        This ID is used to match test_inventory entries with data model devices.
+        Default implementation delegates to extract_hostname(), which is
+        appropriate when device_id and hostname are the same field.
+
+        Override this method when your architecture has a distinct device
+        identifier (e.g., SD-WAN uses chassis_id, not hostname).
 
         Args:
             device_data: Device data dict from navigate_to_devices().
@@ -408,11 +354,11 @@ class BaseDeviceResolver(ABC):
         Returns:
             Unique device identifier string.
 
-        Example (SD-WAN):
+        Example (SD-WAN override):
             >>> def extract_device_id(self, device_data):
             ...     return device_data["chassis_id"]
         """
-        ...
+        return self.extract_hostname(device_data)
 
     @abstractmethod
     def extract_hostname(self, device_data: dict[str, Any]) -> str:
@@ -435,6 +381,8 @@ class BaseDeviceResolver(ABC):
         """Extract management IP address from device data.
 
         Should handle any IP formatting (e.g., strip CIDR notation).
+        The returned value will be validated by the base class to ensure
+        it is a valid IPv4 or IPv6 address.
 
         Args:
             device_data: Device data dict from navigate_to_devices().
@@ -444,25 +392,36 @@ class BaseDeviceResolver(ABC):
 
         Example (SD-WAN):
             >>> def extract_host_ip(self, device_data):
-            ...     ip_var = device_data.get("management_ip_variable", "mgmt_ip")
+            ...     ip_var = device_data.get("management_ip_variable")
             ...     ip = device_data["device_variables"].get(ip_var, "")
             ...     return ip.split("/")[0] if "/" in ip else ip
         """
         ...
 
     @abstractmethod
-    def extract_os_type(self, device_data: dict[str, Any]) -> str:
-        """Extract operating system type from device data.
+    def extract_os_platform_type(self, device_data: dict[str, Any]) -> dict[str, str]:
+        """Extract PyATS device abstraction fields from device data.
+
+        Returns a dictionary with device abstraction information for PyATS:
+        - os (required): Operating system type (e.g., "iosxe", "nxos")
+        - platform (optional): Device platform (e.g., "sdwan", "cat9k")
+        - model (optional): Device model (e.g., "c8000v", "c9300")
+        - series (optional): Device series (e.g., "catalyst", "nexus")
 
         Args:
             device_data: Device data dict from navigate_to_devices().
 
         Returns:
-            OS type string (e.g., "iosxe", "nxos", "iosxr").
-
-        Example (SD-WAN):
-            >>> def extract_os_type(self, device_data):
-            ...     return device_data.get("os", "iosxe")
+            Dictionary containing at minimum the 'os' key, with optional
+            'platform', 'model', and 'series' keys.
+
+        Example:
+            >>> def extract_os_platform_type(self, device_data):
+            ...     return {
+            ...         "os": "iosxe",
+            ...         "platform": "sdwan",
+            ...         "model": "c8000v"  # if extractable
+            ...     }
         """
         ...
 
@@ -485,17 +444,3 @@ class BaseDeviceResolver(ABC):
             ...     return ("NXOS_SSH_USERNAME", "NXOS_SSH_PASSWORD")
         """
         ...
-
-    # -------------------------------------------------------------------------
-    # Optional overrides
-    # -------------------------------------------------------------------------
-
-    def get_inventory_filename(self) -> str:
-        """Return the test inventory filename.
-
-        Override to use a different filename.
-
-        Returns:
-            Filename (default: "test_inventory.yaml").
-        """
-        return "test_inventory.yaml"

nac_test_pyats_common/iosxe/iosxe_resolver.py

@@ -56,8 +56,8 @@ class IOSXEResolver(BaseDeviceResolver):
         """Extract management IP."""
         raise NotImplementedError("IOSXEResolver is not yet implemented")
 
-    def extract_os_type(self, device_data: dict[str, Any]) -> str:
-        """Extract OS type."""
+    def extract_os_platform_type(self, device_data: dict[str, Any]) -> dict[str, str]:
+        """Extract OS and platform info."""
         raise NotImplementedError("IOSXEResolver is not yet implemented")
 
     def get_credential_env_vars(self) -> tuple[str, str]:

nac_test_pyats_common/iosxe/test_base.py

@@ -21,6 +21,11 @@ class IOSXETestBase(SSHTestBase):  # type: ignore[misc]
     - IOS-XE (direct device access via IOSXE_URL)
     """
 
+    # Class-level storage for the last resolver instance
+    # This allows nac-test to access skipped_devices after calling
+    # get_ssh_device_inventory()
+    _last_resolver: Any = None
+
     @classmethod
     def get_ssh_device_inventory(
         cls, data_model: dict[str, Any]
@@ -63,6 +68,7 @@ class IOSXETestBase(SSHTestBase):  # type: ignore[misc]
                 f"No device resolver registered for controller type '{controller_type}'"
             )
         resolver = resolver_class(data_model)
+        cls._last_resolver = resolver  # Store for skipped_devices access
 
         # Inline validation: Check data model has expected root key
         expected_keys = {

nac_test_pyats_common/sdwan/api_test_base.py

@@ -68,6 +68,7 @@ class SDWANManagerTestBase(NACTestBase):  # type: ignore[misc]
     """
 
     client: httpx.AsyncClient | None = None  # MUST declare at class level
+    auth_data: dict[str, Any]  # Declared at class level for type checker compatibility
 
     @aetest.setup  # type: ignore[misc, untyped-decorator]
     def setup(self) -> None:
@@ -77,7 +78,11 @@ class SDWANManagerTestBase(NACTestBase):  # type: ignore[misc]
         1. Calling the parent class setup method
         2. Obtaining SDWAN Manager session data (jsessionid, xsrf_token) using
            cached auth
-        3. Creating and storing an SDWAN Manager client for use in verification methods
+
+        Note: Client creation is deferred to run_async_verification_test() to avoid
+        macOS fork() issues with httpx/SSL. Creating httpx.AsyncClient in a forked
+        process before entering an async context can cause crashes on macOS due to
+        OpenSSL threading primitives that are not fork-safe.
 
         The session data is obtained through the SDWANManagerAuth utility which
         manages session lifecycle and prevents duplicate authentication requests
@@ -86,10 +91,18 @@ class SDWANManagerTestBase(NACTestBase):  # type: ignore[misc]
         super().setup()
 
         # Get shared SDWAN Manager auth data (jsessionid, xsrf_token)
-        self.auth_data = SDWANManagerAuth.get_auth()
+        # This reads from file cache - no httpx client creation here
+        try:
+            self.auth_data = SDWANManagerAuth.get_auth()
+        except (RuntimeError, ValueError) as e:
+            # Convert auth failures to FAILED (not ERRORED) - auth issues are
+            # expected failure conditions, not infrastructure errors
+            self.auth_data = {}  # Ensure attribute exists for cleanup code
+            self.failed(f"Authentication failed: {e}")
+            return
 
-        # Store the SDWAN Manager client for use in verification methods
-        self.client = self.get_sdwan_manager_client()
+        # NOTE: Client creation is deferred to run_async_verification_test()
+        # to avoid macOS fork() + httpx/SSL crash issues
 
     def get_sdwan_manager_client(self) -> httpx.AsyncClient:
         """Get an httpx async client configured for SDWAN Manager.
@@ -141,9 +154,10 @@ class SDWANManagerTestBase(NACTestBase):  # type: ignore[misc]
         Simple entry point that uses base class orchestration to run async
         verification tests. This thin wrapper:
         1. Creates and manages an event loop for async operations
-        2. Calls NACTestBase.run_verification_async() to execute tests
-        3. Passes results to NACTestBase.process_results_smart() for reporting
-        4. Ensures proper cleanup of async resources
+        2. Creates the SDWAN Manager client (deferred from setup for fork safety)
+        3. Calls NACTestBase.run_verification_async() to execute tests
+        4. Passes results to NACTestBase.process_results_smart() for reporting
+        5. Ensures proper cleanup of async resources
 
         The actual verification logic is handled by:
         - get_items_to_verify() - must be implemented by the test class
@@ -158,10 +172,17 @@ class SDWANManagerTestBase(NACTestBase):  # type: ignore[misc]
             This method creates its own event loop to ensure compatibility
             with PyATS synchronous test execution model. The loop and client
             connections are properly closed after test completion.
+
+            Client creation is done HERE (not in setup) to avoid macOS fork()
+            issues with httpx/SSL. Creating httpx.AsyncClient after fork() but
+            before entering an async context can crash on macOS.
         """
         loop = asyncio.new_event_loop()
         asyncio.set_event_loop(loop)
         try:
+            # Create client INSIDE the event loop context to avoid macOS fork+SSL crash
+            self.client = self.get_sdwan_manager_client()
+
             # Call the base class generic orchestration
             results = loop.run_until_complete(self.run_verification_async())