feat(coverage): increase global test coverage from ~9% to 70% (P2 sprint plan) #11

@CodeMonkeyCybersecurity

Description

Context

Current coverage (as of fix/1-auth-issue-database-runtime-crashes):

  • Global: ~9% statements (8% threshold set as ratchet floor)
  • modules/auth/**: ~30% (threshold set to match)
  • modules/auth/auth-issue-database.js: 99%/96%/100% (security-critical, fully tested)

Coverage thresholds are intentionally set as ratchets — they reflect actual coverage to prevent regression, not aspirational targets.

Problem

The majority of modules are at 0% coverage. Untested security-critical modules include:

  • modules/auth/oauth2-analyzer.js — entropy analysis, state quality
  • modules/auth/csrf-detector.js — CSRF boundary detection
  • modules/auth/jwt-validator.js — JWT algorithm validation (55% but gaps)
  • modules/auth/session-security-analyzer.js — session fixation detection
  • modules/auth/oauth2-csrf-verifier.js — tested but at ~60%

Per governance TESTING.md: security-critical modules require 95% coverage. Business logic requires 70%.

Plan (P2 sprint)

Phase 1 — Auth module coverage (target: 70%+)

  • oauth2-analyzer.js — analyzeStateQuality, provider detection, PKCE analysis
  • csrf-detector.js — all detection methods
  • session-security-analyzer.js — session fixation, cookie flags
  • jwt-validator.js — close gaps to 95% (currently 55%)
  • oauth2-verification-engine.js — integration with all verifiers

Phase 2 — Content modules

  • content/webauthn-interceptor.js — WebAuthn flow interception
  • modules/request-processor.js — request parsing

Phase 3 — Ratchet thresholds after each phase
As each module reaches target coverage, raise the threshold in vitest.config.js.

Definition of Done

  • npm run test:coverage shows global ≥70% statements
  • Auth module ≥70% (currently 30%)
  • Security-critical auth files ≥95%
  • CI lint scope expanded from 5 files to full modules/auth/

Priority: P2
Refs: fix/1-auth-issue-database-runtime-crashes (where thresholds were set)
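
The ratchet rule described in this issue (a floor only moves up, and a drop below it fails the build), sketched as an added example; it is not part of the original issue or the project's code. It assumes an Istanbul-style `json-summary` coverage report with repo-relative keys; `planRatchet`, the sample percentages and the sample floors are hypothetical.

```javascript
// Constructed sample in Istanbul "json-summary" shape (statements only);
// keys are assumed to be normalized to repo-relative paths.
const SAMPLE_SUMMARY = {
  total: { statements: { pct: 12.4 } },
  'modules/auth/auth-issue-database.js': { statements: { pct: 99 } },
  'modules/auth/jwt-validator.js': { statements: { pct: 52 } },
  'modules/request-processor.js': { statements: { pct: 71.8 } },
};

// Current ratchet floors (hypothetical values for this example).
const SAMPLE_FLOORS = {
  total: 8,
  'modules/auth/auth-issue-database.js': 99,
  'modules/auth/jwt-validator.js': 55,
  'modules/auth/csrf-detector.js': 0, // absent from the report above
  'modules/request-processor.js': 40,
};

// Files the issue names as security-critical get the 95% target; the rest 70%.
const SECURITY_CRITICAL = new Set([
  'modules/auth/auth-issue-database.js',
  'modules/auth/jwt-validator.js',
  'modules/auth/csrf-detector.js',
]);
const targetFor = (key) => (SECURITY_CRITICAL.has(key) ? 95 : 70);

function planRatchet(summary, floors) {
  const plan = { regressions: [], raises: {}, gaps: {} };
  for (const [key, floor] of Object.entries(floors)) {
    // A file no test ever loaded can be missing from the report: count it as 0%.
    const pct = summary[key] ? summary[key].statements.pct : 0;
    if (pct < floor) {
      plan.regressions.push(key); // fail CI; never lower the floor to match
      continue;
    }
    const next = Math.floor(pct); // round down so the new floor is attainable
    if (next > floor) plan.raises[key] = next;
    const gap = targetFor(key) - pct;
    if (gap > 0) plan.gaps[key] = Number(gap.toFixed(1));
  }
  return plan;
}

console.log(planRatchet(SAMPLE_SUMMARY, SAMPLE_FLOORS));
```

`raises` lists the floors that can move up in `vitest.config.js` after a phase, `gaps` is the remaining distance to the 95%/70% targets, and any entry in `regressions` should fail the coverage job.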
