Extract Apple APNs/SCEP pair validation onto MDMConfig

[raju249]

Extracts the Apple APNs/SCEP both-or-neither check out of runServeCmd and puts it on MDMConfig as ValidateAppleAPNSAndSCEPPair(initFatal). Same pattern as ConditionalAccessConfig.Validate, AndroidAgentConfig.Validate, and the validators added in #45583.

The call site (inside the existing if len(toInsert) > 0 gate) goes from six lines of inline conditional initFatal calls to one method call. Behavior, error messages, and gating are unchanged.

Tests live in server/config/config_test.go: one smoke case plus two error branches (APNs-only and SCEP-only). Skipped the "neither set" case on purpose — the outer if config.MDM.IsAppleAPNsSet() || config.MDM.IsAppleSCEPSet() gate in runServeCmd guarantees at least one is set before the validator is ever reached.

This is the last pure config validation left in runServeCmd per the broader-plan note on #45583. Remaining initFatal sites are runtime failure paths (datastore init, Redis init, MDM init wiring) which need the injection from #45343 — those would be the next slice.

Related issue: Refs #33370

Checklist for submitter

• Added/updated automated tests
• Input validation (validator method plus tests; no SQL/JS/shell paths involved)
• Changes file: not applicable, internal refactor with no user-visible behavior change

Summary by CodeRabbit

• Bug Fixes
  • Improved Apple MDM configuration validation to ensure APNs and SCEP certificates are properly paired during setup.

[claude]

Claude Code Review

This pull request is from a fork — automated review is disabled. A repository maintainer can comment @claude review to run a one-time review.

[raju249]

Hello @getvictor - This is another installment for the coverage improvement in cmd/fleet/serve.go. Do you mind taking a look, please?

Thanks! 🙏 🙇

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: cff99d97-7d61-4f8c-ae91-3b7d12b3ba4b

📥 Commits

Reviewing files that changed from the base of the PR and between 8f43cae and ddde616.

📒 Files selected for processing (3)

• cmd/fleet/serve.go
• server/config/config.go
• server/config/config_test.go

---

Walkthrough

This PR extracts Apple MDM APNs/SCEP configuration validation from inline checks in the APNs/SCEP reconciliation flow into a centralized method on MDMConfig. The new ValidateAppleAPNSAndSCEPPair method enforces that both APNs and SCEP are configured together or both are absent, invoking the provided error callback when exactly one is set. A test exercises the three cases: both configured (passes), only SCEP configured (fails), and only APNs configured (fails). The serve flow now calls this validator before parsing certificates.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: extracting validation logic for Apple APNs/SCEP configuration into a dedicated method on MDMConfig.
Description check	✅ Passed	The description covers the refactoring objective, implementation details, testing strategy, and references related issue #33370. It acknowledges that a changes file is not applicable for this internal refactor.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

❌ Patch coverage is 87.50000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 66.83%. Comparing base (8f43cae) to head (ddde616).

Files with missing lines	Patch %	Lines
cmd/fleet/serve.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #46166   +/-   ##
=======================================
  Coverage   66.82%   66.83%           
=======================================
  Files        2755     2755           
  Lines      220203   220205    +2     
  Branches    11045    11045           
=======================================
+ Hits       147160   147165    +5     
+ Misses      59749    59742    -7     
- Partials    13294    13298    +4     

Flag	Coverage Δ
backend	68.63% <87.50%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[MagnusHJensen]

Thanks @raju249 for this change!

I reviewed this one, since most US folks is out for the holiday today.