
feat(nico): add AUTH-XX-03 specified-key access validation #469

Draft

abegnoche wants to merge 5 commits into main from cursor/auth-xx-03-specified-key-access-42e9

Conversation

abegnoche (Member) commented Jun 12, 2026

Summary

Adds SpecifiedKeyAccessCheck (AUTH-XX-03), a provider-neutral "a tenant-specified key can access out-of-band components" check, wired for NICo via the bare_metal suite. Following the recent NICo-validation pattern (#457/#458/#466). Ships unreleased (released_tests.json untouched); run with ISVTEST_INCLUDE_UNRELEASED=1.

NICo models a specified key as an SSH Key Group synced to a Site; the Site's serial console (SOL) is key-accessible when the provider enables it (isSerialConsoleEnabled), SSH-key auth is on (isSerialConsoleSSHKeysEnabled), and a key group is synced to the site. The serial console is the verifiable target; network-device access is provider-managed and reported as null (unverified) rather than passing vacuously. Key material is never emitted.

Two ways to run it:

  • Read-only (bare_metal.yaml): reports against whatever keys exist. When nothing is synced to the site it emits a structured skip whose reason distinguishes "no key groups exist at all" from "key groups exist but none synced to this site" (with an org_key_groups count), so the operator knows what to configure.
  • Auto-provisioning (key_access.yaml): a setup → test → teardown config that provisions an ephemeral SSH key + key group synced to the site, runs the check, then deletes them — so AUTH-XX-03 goes green in CI with no manual key setup. The throwaway private key is generated and discarded immediately; only the unusable public key is registered.

Changes

  • Adds SpecifiedKeyAccessCheck: passes when a specified key can reach ≥1 component, fails when a key-access path is disabled/broken, skips (with a precise reason) when access can't be evidenced.
  • Adds query_key_access.py (read-only) + setup_key_access.py / teardown_key_access.py (provisioning), via the existing /carbide/ helpers; adds forge_post/forge_patch/forge_delete to nico_client.
  • Wires the read-only step into suites/bare_metal.yaml + providers/nico/config/bare_metal.yaml; adds the dedicated providers/nico/config/key_access.yaml.
  • Unit coverage in isvtest/tests/test_key_access.py and the query/setup/teardown scripts in isvctl/tests/providers/nico/test_nico_provider.py.

Testing

  • make test (full suite, incl. new validation + script tests)
  • make lint
  • make demo-test
  • uvx pre-commit run -a
  • ✅ End-to-end via the orchestrator against a local /carbide/ stub — auto-provisioning key_access.yaml runs setup → check PASS → teardown, and the throwaway key group is removed afterward; read-only skip diagnostics and the disabled-key fail path also verified.

auth_xx_03_key_access_provision_e2e.log
auth_xx_03_key_access_e2e.log

Closes #248


Verify a tenant-specified key (SSH key) can access out-of-band
components, with the serial console (SOL) as the verifiable example.

- nico_client: add NICo tenant REST (/nico/) path helpers alongside the
  Forge control-plane (/carbide/) helpers; SSH key groups and per-site
  serial-console config live only on the tenant REST API.
- query_key_access.py: read the site's SSH key groups and serial-console
  configuration and emit the provider-neutral access contract; network
  devices are provider-managed and reported as unverified.
- SpecifiedKeyAccessCheck: pass when a specified key can reach at least
  one component, fail when a key-access path is disabled/broken, skip
  when access can only be left unverified.
- Wire query_key_access into the bare_metal suite + NICo config.

Ships unreleased (not added to released_tests.json).

Signed-off-by: Cursor Agent <cursoragent@cursor.com>

Co-authored-by: Alexandre Begnoche <abegnoche@users.noreply.github.com>
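The pass / fail / skip logic that the summary describes, as an added Python illustration that is not the project's SpecifiedKeyAccessCheck or query script: the two serial-console field names are the ones named above, while the key-group dict shape (an id plus a list of public keys), the function names and the skip-reason strings are assumptions made for this example.

```python
# Added illustration (not the project's code) of the AUTH-XX-03 verdict logic:
# the serial console counts as key-accessible only when the provider enabled it,
# SSH-key auth is on, and a key group holding a key is synced to the site;
# network devices stay unverified (None); key material never enters the report.
from typing import Any, Dict, List, Optional, Tuple

Contract = Dict[str, Optional[bool]]  # component -> True / False / None (unverified)


def key_access_contract(site_console: Dict[str, bool],
                        site_key_groups: List[Dict[str, Any]],
                        org_key_group_count: int) -> Tuple[Contract, Dict[str, Any]]:
    """Build the provider-neutral access contract plus key-free diagnostics.

    site_console uses the NICo field names from the PR description; the key-group
    dicts (an 'id' plus a 'keys' list of public keys) are an assumed shape.
    """
    synced = [g for g in site_key_groups if g.get("keys")]
    if not synced:
        # Structured skip: tell the operator which piece of setup is missing.
        reason = ("no_key_groups_exist" if org_key_group_count == 0
                  else "key_groups_exist_but_none_synced_to_site")
        return {}, {"skip_reason": reason, "org_key_groups": org_key_group_count}

    console_ok = bool(site_console.get("isSerialConsoleEnabled")
                      and site_console.get("isSerialConsoleSSHKeysEnabled"))
    contract: Contract = {"serial_console": console_ok, "network_devices": None}
    # Only group ids and counts are reported; the public keys themselves are dropped.
    diag = {"synced_key_groups": [g.get("id") for g in synced],
            "org_key_groups": org_key_group_count}
    return contract, diag


def verdict(contract: Contract, diag: Dict[str, Any]) -> Tuple[str, str]:
    """PASS if any component is reachable, FAIL if a path is disabled, else SKIP."""
    if "skip_reason" in diag:
        return "SKIP", f"{diag['skip_reason']} (org_key_groups={diag['org_key_groups']})"
    reachable = [c for c, v in contract.items() if v is True]
    if reachable:
        return "PASS", "specified key can reach: " + ", ".join(reachable)
    disabled = [c for c, v in contract.items() if v is False]
    if disabled:
        return "FAIL", "key-access path disabled: " + ", ".join(disabled)
    return "SKIP", "all components unverified"  # never a vacuous pass
```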
copy-pr-bot (Bot) commented Jun 12, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

coderabbitai (Bot) commented Jun 12, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 996e5fd7-e1a9-4816-b847-2ac852e1ec22

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

cursoragent and others added 4 commits June 12, 2026 21:28

The deployed NICo clusters serve the API under the /carbide/ segment
(/nico/ is the newer name). Use the existing forge_get/forge_get_all
helpers like every other NICo script instead of introducing /nico/
helpers, which 404 on current clusters.

Signed-off-by: Cursor Agent <cursoragent@cursor.com>

Co-authored-by: Alexandre Begnoche <abegnoche@users.noreply.github.com>

When no SSH key group with a key is synced to the site, emit a
structured skip that distinguishes 'no key groups exist at all' from
'key groups exist but none are synced to this site' (carrying an
org_key_groups count), so the operator knows what to configure.

Signed-off-by: Cursor Agent <cursoragent@cursor.com>

Co-authored-by: Alexandre Begnoche <abegnoche@users.noreply.github.com>

Add a key_access.yaml config that provisions an ephemeral SSH key + key
group synced to the site (setup), runs SpecifiedKeyAccessCheck (test),
then deletes them (teardown), so AUTH-XX-03 can go green in CI without
manual key setup. The throwaway private key is generated and discarded
immediately; only the unusable public key is registered.

- nico_client: add forge_post/forge_patch/forge_delete write helpers.
- setup_key_access.py / teardown_key_access.py scripts (best-effort,
  emit created IDs even on failure so teardown stays reliable).
- Unit coverage for the query/setup/teardown scripts in
  test_nico_provider.py.

Read-only bare_metal.yaml flow is unchanged.

Signed-off-by: Cursor Agent <cursoragent@cursor.com>

Co-authored-by: Alexandre Begnoche <abegnoche@users.noreply.github.com>
Signed-off-by: Alexandre Begnoche <abegnoche@nvidia.com>

Development

Successfully merging this pull request may close these issues.

AUTH-XX-03: Access other components via a specified key as possible (SOL, Network devices)