Grant
655e0d51f8
Loads tests/crosscheck/vector.json (the same file the TS, Python, and Rust SDKs each test against independently) and verifies the daemon's crypto::parse_key produces field-by-field identical values. What was missing: the SDKs each ran their crosscheck against the shared vectors, but the **daemon itself** never did. The daemon shares no parser code with the SDKs (separate trees, separate implementations of the same byte layout), so drift in the daemon's parser could ship undetected until an SDK on the wire couldn't validate a daemon-issued key. Four tests, one per fixture in vector.json (v1 legacy fingerprint- bound, v2 trial with entitlements, v2 perpetual unbound), plus a sanity check that publicKeyPem is present. Each fixture asserts: version, product_id UUID, license_id UUID, issued_at, expires_at, flags + derived `is_fingerprint_bound`/ `is_trial` getters, entitlements (order-sensitive), and the 32-byte fingerprint_hash bytes hex-encoded. When `fingerprintRaw` is provided and binding is active, hashes the raw fingerprint with crypto::hash_fingerprint and asserts the result matches the wire bytes — pinning the SHA-256 contract the SDKs depend on. Signature verification is intentionally out of scope: the unit tests in src/crypto/mod.rs already prove daemon's sign/verify roundtrip works, and the SDKs prove the same key verifies in three independent crypto implementations. The parser-to-fields contract is what hadn't been pinned from the daemon's side, and what this file enforces. Test count: 30 (9 unit + 4 migration + 10 API + 3 worker + 4 crosscheck), up from 26.