Skip to content

test(coverage): drive internal/middleware + crypto to ≥95%#155

Merged
mastermanas805 merged 1 commit into
masterfrom
coverage/api-middleware-crypto-95
May 22, 2026
Merged

test(coverage): drive internal/middleware + crypto to ≥95%#155
mastermanas805 merged 1 commit into
masterfrom
coverage/api-middleware-crypto-95

Conversation

@mastermanas805
Copy link
Copy Markdown
Member

@mastermanas805 mastermanas805 commented May 22, 2026

Summary

  • Drives internal/middleware from ~51.8% to 95.3% and keeps internal/crypto at 95.6% (both ≥95% target).
  • New black-box + white-box suites cover: auth bearer/JWT extraction, fingerprint IPv4 /24 + IPv6 /48 masking + dedup cap, geo fail-open (with a real MaxMind city+ASN fixture under testdata/), rate-limit fail-open on Redis error + nil-client, idempotency canonicalisation (JSON/multipart + empty-key 400), DPoP helpers (jwkThumbprintBase64URL, requestCanonicalURL fallback, urlMatches edges), PopulateTeamRole DB-error path, and the NewRelic emit helpers.
  • Fixes a flaky base64-prefix assertion in the already-merged crypto coverage test: a random AES nonce can legitimately base64-encode to a string starting with v, so TestKeyring_Decrypt_LegacyUnversioned now asserts the real invariant ("not a vN. versioned envelope") instead of "does not start with v".

Test plan

  • go test ./internal/middleware ./internal/crypto -coverprofile -count=1 -p 1 → middleware 95.3%, crypto 95.6%, all pass
  • go vet + go build clean on both packages
  • Branch rebased onto current origin/master (passes the up-to-date-with-base CI gate)
  • CI make gate green (ignore pre-existing scan / osv-scan)

🤖 Generated with Claude Code

@mastermanas805 @claude
test(coverage): drive internal/middleware to 95.3% (≥95% target)
c9df51a 
middleware was ~51.8%; black-box + white-box suites now cover auth
bearer/JWT extraction, fingerprint masking + dedup cap, geo fail-open
(+ real MaxMind fixture), rate-limit fail-open on Redis error,
idempotency canonicalisation, DPoP helpers, role lookup, and the
NewRelic emit path. Also fixes a flaky base64-prefix assertion in the
already-merged crypto coverage test (a random nonce can legitimately
begin with "v"; the real invariant is "not a vN. versioned envelope").

internal/middleware 95.3% · internal/crypto 95.6%

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mastermanas805 mastermanas805 merged commit 69e80e5 into master May 22, 2026
10 of 11 checks passed
@mastermanas805 mastermanas805 deleted the coverage/api-middleware-crypto-95 branch May 22, 2026 03:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mastermanas805