Make client/server encryption optional, rename tests to full names

Make encryption optional for both ServerRegister's LDS client
connection and the server side of ServerLDS/ServerRegister: when
certificate, privateKey, and trustStore are omitted the programs
run with SecurityPolicy#None only.  Secure servers also add a
discovery-only None endpoint so unencrypted clients can still call
FindServers and GetEndpoints.

Consolidate tests from 5 policy-specific cases (nosec_anon,
none_user, basic256sha256_anon, aes256_anon, aes128_user) down to
3 that cover the important axes: unsecure_anonymous,
secure_anonymous, secure_user.  Rename directories to use full
names.  Auto-generate certificates and trust stores in run_test.sh.

Update readme and CLAUDE.md to reflect the current program
interface (unified Client binary, split ServerRegister configs)
and the new test names.

1 files changed, 19 insertions, 0 deletions

diff --git a/tests/run_test.sh b/tests/run_test.sh
index fc44ad6..2767919 100755
--- a/tests/run_test.sh
+++ b/tests/run_test.sh
@@ -28,6 +28,25 @@ SR_PID=""
 TMPFILE=""
 FAILURES=0
 
+# ── ensure certificates exist ─────────────────────────────────
+CERT_DIR=certs
+GEN_CERT=tools/generate_certificate.sh
+
+for identity in ServerLDS ServerRegister ServerRegisterClient Client; do
+  if [ ! -f "$CERT_DIR/${identity}_cert.der" ]; then
+    "$GEN_CERT" "$CERT_DIR" "$identity"
+  fi
+done
+
+# Populate trust stores: each identity trusts every other identity.
+for store in server_lds server_register server_register_client client; do
+  mkdir -p "$CERT_DIR/trust/$store"
+  for identity in ServerLDS ServerRegister ServerRegisterClient Client; do
+    cert="$CERT_DIR/${identity}_cert.der"
+    [ -f "$cert" ] && cp -n "$cert" "$CERT_DIR/trust/$store/"
+  done
+done
+
 # ── cleanup ────────────────────────────────────────────────────
 cleanup() {
   [ -n "$LDS_PID" ] && kill "$LDS_PID" 2>/dev/null && wait "$LDS_PID" 2>/dev/null