feat: verified-credential lifecycle — close the silent-failure window

[raman325]

Proposed change

Phase 2 of the credential-write reliability work (follows #1258). Closes the residual silent-failure window that #1258 deliberately left open: a Z-Wave write returning an ambiguous ERROR_UNKNOWN where the code did not land was treated as a completed set, so the slot could report in-sync with no working code.

Introduces a per-slot verified / unverified lifecycle. An optimistic write (ambiguous, treated as completed) is not trusted until the lock actually confirms it. If confirmation never comes, the slot re-syncs and, after repeated failures, visibly suspends — never a silent in-sync.

Confirmation is an active read-back, not a wait for a push

The central finding of this work (traced end-to-end through node-zwave-js → zwave-js-server → the python client): a masked-accept write — our only source of OPTIMISTIC — emits no confirming credential event at all. In node-zwave-js AccessControl.setCredential, node.emit("credential added/modified") is gated on if (succeeded), and succeeded is the driver's own verified.userCode === codeData check — the exact check that fails on a lock that reports codes back masked (the #1251 root cause). So the event and the Error_Unknown return are mutually exclusive.

Because no push arrives, the lifecycle actively reads the slot back immediately after an optimistic write (coordinator.async_confirm_pending_writes()). LCM projects masked codes to unreadable() (present), so its read confirms the slot where the driver's own verify could not. This is order-independent (depends on no event timing) and non-fatal on a read failure (the slot stays pending and the sync tick reconciles it within the TTL).

Design (full spec was developed locally)

• WriteResult enum replaces the bool return of async_set_credential: NO_CHANGE / CONFIRMED / OPTIMISTIC. Only the Z-Wave unified ERROR_UNKNOWN path returns OPTIMISTIC today; everything else is CONFIRMED (authoritative) — so poll/eventual-consistency providers (Schlage, ZHA, …) are unaffected and keep their existing convergence.
• Coordinator gains a parallel _verified map + push_update(optimistic=); is_verified(slot) defaults to verified for absent slots; mark_verified(slot) clears a stale unverified flag; async_confirm_pending_writes() is the on-demand read-back backstop.
• BaseLock tracks _pending_writes (slot → believed pin + 60s deadline); _record_optimistic_write, _confirm_slot (a present observation confirms a pending write, keeping the believed value even when the lock reports it masked; a differing readable observation is taken as an external change). The seam drives the read-back on an optimistic result.
• coordinator._apply_read: the dropped-/no-push backstop for genuine reads — confirms a pending write when the slot is observed present, keeps waiting when absent, marks non-pending reads verified.
• Sync state machine: SyncState.PENDING_CONFIRMATION; calculate_in_sync gates on is_verified; an optimistic write parks in PENDING_CONFIRMATION (not penalised before confirmation); the breaker is charged once on timeout, then re-syncs on the next tick (no same-tick double-charge).
• Frontend: the slot card renders the new state as "Confirming" (mdi:progress-clock).

Why this isn't over-restrictive or over-loose

• Not over-restrictive: a masked-but-accepted write is confirmed by the immediate read-back (or, failing that, the sync tick) rather than waiting on a push that never arrives, so it is not driven to a false suspend. An authoritative CONFIRMED write also clears any stale unverified flag so a recovered slot can converge.
• Not over-loose: a write the lock never committed reads back absent → stays pending → re-syncs → after repeated timeouts the breaker trips and the slot suspends (visible), instead of silently reporting in-sync.

Reviews

Two adversarial review passes (stepping through every initial state × provider, stress-testing both success and failure paths) drove additional hardening: clearing the stale unverified flag on CONFIRMED, removing the expiry/sync same-tick double-charge, taking a differing readable observation as an external change, and — most importantly — replacing the assumed "push/hourly-refresh confirms it" path with the empirically-verified active read-back above.

Type of change

• Dependency upgrade
• Bugfix (non-breaking change which fixes an issue)
• New feature (which adds functionality)
• Breaking change (fix/feature causing existing functionality to break)
• Code quality improvements to existing code or addition of tests

Additional information

• Built in behavior-isolated commits: coordinator flag + WriteResult enum → base plumbing → state machine → make it live → two rounds of review-driven hardening. Each commit keeps the suite green.
• Full Python suite green (1269) + 709 frontend tests. New/updated tests: coordinator verified/optimistic, _apply_read, and the read-back confirm (present-masked / absent / read-failure / no-op); base record/confirm (incl. readable external change); sync verified-gate, PENDING_CONFIRMATION hold, confirmed→IN_SYNC, expiry→failure+resync (two-tick); seam OPTIMISTIC drives the confirm read; frontend pending_confirmation render.
• The User Code CC fallback path is a known, documented exception: it confirms inline via its V1 verify poll and does not yet participate in the lifecycle. It is the temporary workaround (removed once upstream node-zwave-js fixes the unified API), and its looseness is pre-existing 3.x behavior, not a regression.
• Related: closes the deferred follow-up from fix(zwave_js,matter): tolerate ambiguous credential writes; universal masked read projection (#1251, #1257) #1258.

🤖 Generated with Claude Code

[Copilot]

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

[codecov]

Codecov Report

❌ Patch coverage is 97.72727% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 97.15%. Comparing base (ebac273) to head (a5f499b).
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
custom_components/lock_code_manager/domain/sync.py	86.95%	3 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #1259    +/-   ##
========================================
  Coverage   97.15%   97.15%            
========================================
  Files          54       54            
  Lines        6434     6540   +106     
  Branches      461      462     +1     
========================================
+ Hits         6251     6354   +103     
- Misses        183      186     +3     

Flag	Coverage Δ
python	97.70% <97.63%> (-0.02%)	⬇️
typescript	95.08% <100.00%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...components/lock_code_manager/domain/coordinator.py	97.46% <100.00%> (+0.91%)	⬆️
...components/lock_code_manager/domain/credentials.py	100.00% <100.00%> (ø)
...stom_components/lock_code_manager/domain/models.py	100.00% <100.00%> (ø)
...om_components/lock_code_manager/providers/_base.py	97.05% <100.00%> (+0.17%)	⬆️
...onents/lock_code_manager/providers/_zwave_js_uc.py	100.00% <100.00%> (ø)
...m_components/lock_code_manager/providers/akuvox.py	95.70% <100.00%> (ø)
...m_components/lock_code_manager/providers/matter.py	100.00% <100.00%> (ø)
..._components/lock_code_manager/providers/schlage.py	96.29% <100.00%> (ø)
..._components/lock_code_manager/providers/virtual.py	98.50% <100.00%> (ø)
...stom_components/lock_code_manager/providers/zha.py	94.57% <100.00%> (ø)
... and 4 more

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.