test(coverage): api handlers residual files + middleware → ≥95%#162
Merged
mastermanas805 merged 1 commit intoMay 23, 2026
Merged
Conversation
Raise the handler files the prior slice left below 95% (resource, webhook, onboarding, admin_customers, admin_impersonate, admin_promos_audit, admin_customer_notes, billing) plus internal/middleware to ≥95%. Seams added (production behavior unchanged — vars default to the real fn): - admin_impersonate.go: signImpersonationToken var (drives sign_failed 503). - webhook.go: cryptoEncrypt var (drives storeEncryptedURL encrypt-fail). Techniques: brokenDB closed-pool for db_failed arms; DATA-DOG/go-sqlmock for mid-sequence failures (mark-converted / team-create / user-create, soft-delete, List scan/rows-err, Detail per-query failures); bufconn fakeProvisioner for the Delete gRPC-deprovision arm; a dead MinIO endpoint for the storage-deprovision warn arm; dead-Redis clients for fail-open arms; real onboarding JWTs minted in-process for claim/preview/start branches; the cov2 webhook harness for the payment-failed + charged-receipt arms. All new test files carry a _residual suffix; new re-exports live in export_residual_test.go (no edits to the shared export_test.go / export_rbw_test.go / export_billing_test.go). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mastermanas805
force-pushed
the
coverage/api-handlers-residual-95
branch
from
7f086d7 to
03dba73
Compare
mastermanas805
added a commit
that referenced
this pull request
May 23, 2026
…mp (#163) * test(coverage): api handlers provisioning-arms slice → ≥95% (#161) Covers db/cache/nosql/queue/queue_provider/storage/storage_presign/ provision_helper/family_bulk_twin handler files via bufconn fake provisioner, sqlmock, miniredis, and package-var seams. New exports live in export_provarms_test.go (not the shared export_test.go). Co-authored-by: Claude <noreply@anthropic.com> * chore(deps): bump x/crypto 0.50->0.52, x/net 0.53->0.55 (OSV) Clears OSV-Scanner/govulncheck (GO-2026-5005..5033 crypto, 5025..5030 net). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): api handlers residual files + middleware → ≥95% (#162) Raise the handler files the prior slice left below 95% (resource, webhook, onboarding, admin_customers, admin_impersonate, admin_promos_audit, admin_customer_notes, billing) plus internal/middleware to ≥95%. Seams added (production behavior unchanged — vars default to the real fn): - admin_impersonate.go: signImpersonationToken var (drives sign_failed 503). - webhook.go: cryptoEncrypt var (drives storeEncryptedURL encrypt-fail). Techniques: brokenDB closed-pool for db_failed arms; DATA-DOG/go-sqlmock for mid-sequence failures (mark-converted / team-create / user-create, soft-delete, List scan/rows-err, Detail per-query failures); bufconn fakeProvisioner for the Delete gRPC-deprovision arm; a dead MinIO endpoint for the storage-deprovision warn arm; dead-Redis clients for fail-open arms; real onboarding JWTs minted in-process for claim/preview/start branches; the cov2 webhook harness for the payment-failed + charged-receipt arms. All new test files carry a _residual suffix; new re-exports live in export_residual_test.go (no edits to the shared export_test.go / export_rbw_test.go / export_billing_test.go). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): wire 0%-under-CI handlers hermetically (api_keys/logs/internal_*/custom_domain/storage) Recovers handler coverage that was 0% under CI's postgres-only matrix because the routes were k8s/storage-gated and never wired into a test app: - api_keys, internal_resend_magic_link, internal_backup_refund, magic_link_circuit ctors: pure DB + fake-mailer, now driven end-to-end. - logs.go: typed clientset field against kubernetes.Interface + SetClientset seam so a k8s fake clientset exercises the tier/status/pod-list/stream arms. - custom_domain.go: stubbed CustomDomainProvider + real DB drives Create/List/Verify(ingress+cert+fail)/Delete. - storage.go + storage_presign.go: real do-spaces-backed provider (zero network at provision/presign time) drives broker-mode + authenticated + presign arms. internal/handlers under CI conditions: 80.9% -> 84.6%. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): recover queue + vector + audit + backup arms under CI - coverage.yml: add a NATS service (8222 monitor) so /queue/new's NATS health check passes — without it every queue provision 503s and the handler's provision + per-tenant-credential arms never run under CI. Switch the postgres service to pgvector/pgvector:pg16 (drop-in superset) so /vector/new's CREATE EXTENSION vector succeeds instead of skipping (~44% -> covered). - queue.go: add SetCredProvider seam; new test injects a fake QueueCredentialProvider to cover the AuthMode=isolated success + creds-error fallback arms (legacy_open provider can't reach them). - audit.go: filter/tier/CSV/masked-email arms via query-param matrix + all tiers. - backup.go: parseListCursor/parseIntStrict arms via bad/huge ?limit + ?before. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): deletion_confirm pure helpers + redirect handler White-box coverage for confirmationLinkBase / buildConfirmationLink / teamIsPaid / deletionAuditKind* / deletionAuditResourceType / EmailConfirmDeletionRedirect- Handler — pure string/URL composition + a no-side-effect 302 that the deploy/stack delete-confirm flow only reaches when provisioning is available. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): github_deploy Get/Disconnect + vault GetSecret/List/Delete arms - github_deploy.go: Get (connected/not-connected/not-found/cross-team) and Disconnect (happy/idempotent/not-found/cross-team) — existing tests only covered Connect + Receive. - vault.go: GetSecret version-fetch + validation arms, ListKeys, DeleteSecret arms via the existing vaultTestApp + makeTeamUser helpers. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): twin approval gate + promote-approval rate-limit/HTML + family-binding helpers - twin.go: beginTwinApproval (202 pending-approval, hermetic — short-circuits before provisioning) + consumeApprovedTwin invalid/not-found arms (were 0%). - promote_approval.go: checkApproveRateLimit (real redis, under + over budget) + the 5 approval HTML helpers (white-box). - family_bindings.go: BindingError.Error, mapBindingError every kind + default + empty-key label, nameOrType, nameOrEmpty (white-box pure helpers). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): webhook authed provision + vector authed provision + brevo webhook arms - webhook.go: newWebhookAuthenticated (team-owned provision + receive verbs + list-requests) — anonymous-path tests didn't reach it. - vector.go: newVectorAuthenticated (pro-team pgvector provision) — now reachable with the pgvector CI image; skips cleanly if backend unavailable. - email_webhooks.go: Brevo invalid-payload / missing-email-skip / insert-fail fail-open arms via sqlmock. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): stack delete-confirm/cancel/UpdateEnv arms + validateHostname + SNS pure helpers - stack.go: Delete email-confirm 202 + Cancel + immediate-skip-header + not-found + cross-team; UpdateEnv not-found/invalid-body/missing-env/invalid-key/merge+ delete/deleting-409 (custom app wires the noop email client + confirm routes). - custom_domain.go: validateHostname every rejection arm (white-box). - sns_verify.go: parseSNSCertPEM / buildSNSSigningString / snsFieldValue white-box (the network defaultFetchCert path stays out by design). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): stack New validation/cap arms + vector anonymous-dedup path - stack.go New: missing-manifest / invalid-manifest / missing-tarball / per-tier deployment-cap 402 (noop provider). - vector.go: anonymous dedup path (vectorAnonymousLimits + decryptConnectionURL on the limit-exceeded branch) after exceeding the per-fingerprint cap. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): internal_terminate auth arms + vault copy validation + audit pure helpers - internal_terminate.go: empty-token / bad-purpose / missing-iat / future-iat-skew verify arms (existing test covered wrong-secret/expired/mismatch/missing-bearer). - vault.go CopySecrets: missing/invalid from-to env, same-env, invalid-key-in- allowlist, invalid-body validation arms. - audit.go: maskEmail all 4 arms + tierLookbackDays blocked/unlimited/bounded (white-box). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): github webhook Receive branch/event filter arms Covers Receive's non-push-event ignore, branch-mismatch ignore, zero-SHA branch-delete ignore, and invalid-push-payload 400 — the idempotency/ping/ signature tests didn't reach these branch-filter arms. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): make new handler tests re-run-safe on the shared test DB custom_domains.hostname is GLOBALLY unique and SetupTestDB reuses one shared instant_dev_test DB, so hardcoded hostnames collided across consecutive runs (and the rate-limit IP key survived its 2s TTL). Switch custom-domain hostnames + the promote-approval rate-limit IPs to per-run uuid-derived values. Verified 3x consecutive runs green without a DB reset. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): raise handler coverage for billing/vault/twin/custom_domain/deletion_confirm/webhook/storage Build fake-client scaffolding (no waivers) to drive previously-unreachable error and network arms under CI conditions: - billing.go: add BillingPortal interface + billingPortalFactory seam (SetBillingPortalForTestPortal) so ListInvoicesAPI / UpdatePaymentMethodAPI / ChangePlanAPI post-subscription arms (success / circuit-open / razorpay-error) run against a FAKE Razorpay portal — never a real network call, never rzp_live. 93.4% -> 94.9%. - vault.go: bad-AES-key app + closed-DB app drive encrypt/decrypt/persist/fetch/ list/delete/copy error arms; invalid-team JWT + validate-arms + quota-blocked copy. 79.9% -> 93.7%. - deletion_confirm.go: BV* export seams drive requestEmailConfirmedDeletion / resolveEmailConfirmedDeletion / cancelEmailConfirmedDeletion through a real fiber.Ctx + fake Mailer + crafted pending_deletions rows. 74.8% -> 89.3%. - twin.go: consumeApprovedTwin approval-gate arms (not-approved/mismatch/expired/ wrong-team/success) + family-validate twin_exists + redis dispatch. 65.1% -> 80.2%. - custom_domain.go: stubbed CustomDomainProvider cert-poll/still-issuing/cap/ ingress-teardown arms + validateHostname rejections + closed-DB arms. 76.8% -> 82.6%. - webhook.go: auth invalid-team + garbage-ring-item decode-skip. 90.6% -> 91.0%. - storage.go: authenticated quota-exceeded / team-lookup-fail / invalid-team arms. All new tests carry the _bvwave suffix; re-exports live in export_bvwave_test.go (no collisions with existing export_*_test.go). go build ./... + go vet clean. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): _vecwave handler arm coverage for vector/backup/github_deploy/resource Adds black-box + targeted-arm tests pushing internal/handlers coverage on the four target files via fake-provider scaffolding (no production code touched): - vector.go (67.9%→84.2%): bufconn fakeProvisioner gRPC arm of provisionVectorDB + createPgvectorExtension stub (now 100%); decryptConnectionURL three arms via exported VectorDecryptConnectionURLForTest; anon/auth validation + 402 + gRPC- error + persist-failure arms. - backup.go (78.9%→85.3%): CreateRestore target_resource_id arms (invalid/ not-found/cross-team/type-mismatch/happy/missing-sha256); list/map all-optional- fields; requireOwnedResource fetch_failed (brokenDB); parseIntStrict too-large; parseUserIDFromCtx malformed. - github_deploy.go (73.3%→81.8%): Connect invalid_body/invalid_branch/ already_connected(409)/installation_id; Receive deploy-triggered(202)+rate- limit(429); not-found arms (bad uuid / unknown connection / cross-team). - resource.go (92.8%→93.4%): pause/resume provider HAPPY paths against real pg/redis/mongo (revoke/grant CONNECT, ACL on/off, role grant/revoke) via exported Call{Pause,Resume}ProviderForTest; RotateCredentials postgres+redis happy paths. New test-only export file export_vecwave_test.go (no duplicate re-exports). Residual <95% arms are error-injection (DB-mid-call failure, races, recycle/ dedup birthday-collision) and the unreachable crypto/rand.Read arm (RotateCredentials, Go 1.26) — documented in the brief report. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): billing CreateCheckoutAPI invalid-body + dedup-guard arm Adds a CreateCheckoutAPI test that wires Redis (exercising the SETNX dedup guard success path) and posts malformed JSON to hit the invalid_body 400 arm. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): drive deploy/stack async-pipeline handlers toward 95% Adds the deploy/stack async-build-pipeline coverage slice (suffix _deployasync). Builds a fault-injecting database/sql driver (faultdb_deployasync_test.go) that proxies lib/pq and forces query/exec failures after the Nth call, so the mid-handler 'first query succeeds → a later query errors → 503' arms — unreachable with a plain closed-DB handle — are exercised across Get/Logs/List/UpdateEnv/Delete/Redeploy/ Promote/Family/ConfirmDelete/CancelDelete. Per-file coverage (CI conditions, pgvector pg16 + redis7 + mongo6 + nats): deploy.go 86.3% → 95.2% promote_approval.go 72.5% → 93.5% stack.go 80.9% → 92.5% Covers runStackDeploy/runStackRedeploy/captureAutopsy/runDeploy + per-service onUpdate/onImageBuilt callbacks via the existing noop StackProvider/compute.Provider doubles + SetStackProvider/ SetComputeProvider seams, plus ghost-team requireTeam error arms, TTL/env/tarball validation arms, promote create/in-place/vault paths, and email-confirmed deletion deprovision flows. Residual <95% arms are test-resistant: k8s-provider constructors (need a live cluster), corrupted-multipart tarball open/read arms, crypto/rand + marshal-of-controlled-data branches (cannot fail), and CAS-lost-race !ok branches (concurrency-only). Documented in the agent report. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final handlers pass — twin/github/custom_domain/vector/backup/storage/stack/resource/webhook/api_keys + DNS+minio+twin seams Drives the api internal/handlers package coverage up via: - twin.go: faultdb DB-error arms (source/team/approval lookups, execute, validate-family) + bad-team-id + named-source carry-forward + derefUUID unit. - github_deploy.go: Connect/Get/Disconnect/Receive fetch/create/delete/enqueue/ decrypt DB-error arms via faultdb + httptest-signed push; requireTeam arms. - custom_domain.go: NEW lookupTXT package-var seam → TXT-match success + cert->ready transition; faultdb DB-error arms across requireTeam/Stack/Domain, Create/List/Delete; serialize optional fields. - vector.go / storage.go: bufconn fakeProvisioner + NEW hermetic prefix-scoped storage impl (storage.NewWithImpl seam) → credential mode + per-tenant IAM audit arm; soft-delete + persist-fail arms. - backup.go: count-fail-while-list-succeeds + insert/team/list DB-error arms. - stack.go: k8s-provider-fallback constructor branch, checkStackDeployLimit redis-error, stackOwnerCheck anon-mismatch, consumeApprovedPromote DB-error. - resource.go: Pause/Resume/Rotate faultdb DB-error + rollback arms. - webhook.go / api_keys.go / family_bulk_twin.go: auth + DB-error arms. - agent_action / maskSourceIP / buildContextConfig pure-function default branches. New seams: custom_domain.lookupTXT package var; storage.NewWithImpl (hermetic prefix-scoped impl); reuse of existing faultdb driver + bufconn fakeProvisioner. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): more handlers DB-error arms — status/api_keys/internal_terminate + pure-func default branches - status.go: compute per-component fail-open + listComponents-error 500. - api_keys.go: Create/List/Revoke db_failed via faultdb + bad-id + not-found. - internal_terminate.go: invalid-team-id + team-lookup/idempotency/pause DB-error arms. - agent_action/maskSourceIP/buildContextConfig pure-function default branches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): deletion_confirm resolveEmailConfirmedDeletion DB-error arms ConfirmDelete → resolveEmailConfirmedDeletion missing-token / lookup-failed / mark-failed arms via faultdb + seeded pending_deletions row. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): vector anonymous over-cap dedup decrypt-fail fallthrough arm Drives vector.go's over-cap dedup branch where the existing resource's stored connection_url fails to decrypt (corrupted post-provision), exercising the fail-closed fallthrough to fresh provision (vector.go:294-298). DB-exposed bufconn fixture lets the test corrupt the row + hammer the cap. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): vector over-cap dedup + cross-service fallback; backup CreateRestore/ListRestores DB-error arms - vector.go: over-cap dedup decrypt-fail fallthrough (corrupt all active rows then over-cap) + cross-service-fallback 429 (retype rows so type-lookup misses but any-lookup hits); auth gRPC-error soft-delete via DB-exposed failing bufconn fixture. - backup.go (now 95.8%): CreateRestore team/backup/inflight/insert DB-error arms, no-user 401, missing-ack 400; ListRestores count-fail; bad-team/bad-id across all four routes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): storage decideStorageMode bucket-per-tenant + quota arms; storage/vector anon over-cap dedup - storage.go: decideStorageMode BucketPerTenant+paid branch; auth quota-check fail-open + storage-limit-reached 402; anonymous over-cap dedup happy + decrypt-fail fallthrough. - vector.go: anonymous over-cap dedup happy path. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): stack New deployment-limit/count-fail + ConfirmDelete email-disabled; webhook anon over-cap dedup - stack.go New: deployment_limit_reached 402 (over-cap team), quota_check_failed 503 (faultdb count error); ConfirmDelete deletion_email_disabled (no email client wired). - webhook.go NewWebhook: anonymous over-cap dedup branch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): resource RotateCredentials update_failed arm RotateCredentials persist-error arm (UpdateConnectionURL fails after a decryptable URL rotate) via faultdb + rfEncryptURL seed helper. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): audit List/CSV DB-error; vault PutSecret bad-AES; resource_family Family/ListFamilies DB-error arms - audit.go: List + ListCSV db_failed via faultdb. - vault.go: PutSecret encryptPlaintext aes-key-invalid 500. - resource.go (Family/ListFamilies): fetch_failed + invalid_id + list DB-error. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): whoami enrichment/nil-db; usage_wall + deploys_audit DB-error arms - whoami.Get: nil-db early return + tier/email enrichment success. - usage_wall.GetWall: db_failed via faultdb. - deploys_audit.List: db_failed via faultdb. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final serial pass #2 — handlers DB-error/edge arms toward 95% Add 12 _final2 test files covering the biggest reachable uncovered chunks in the api internal/handlers package, lifting the package from 93.12% → 93.9% under CI conditions (pgvector/redis/mongo/nats, migrations applied, go test ./internal/handlers/... -short -count=1 -p 1). Covered arms (all reachable; no waivers): - auth.go: GitHub/Google find-or-create LinkID errors, email-lookup DB errors (fault DB), Google empty-name team-name fallback. (OAuth flows driven via the existing SetOAuthURLsForTest + startFakeOAuth seams.) - sns_verify.go: full snsVerifier.verify matrix (guards, cert-fetch error, sig decode, SignatureVersion 1/unknown/2, happy RSA verify) + getCert cache hit/miss/error via a generated throwaway RSA cert + fetchCert seam. - internal_terminate.go: dunning/downgrade DB-error arms (staged openFaultDB), razorpay canceler-not-configured / cancel-error / happy paths. - internal_resend_magic_link.go: lookup/update-hash DB errors + mark-failed / attempts-lookup / mark-abandoned best-effort error arms (fault DB + fake mailer). - deploy_ttl.go: MakePermanent/SetTTL update_failed + refresh_failed + lookupDeployment fetch_failed (seeded deploy + staged fault DB). - deploy_teardown_reconciler.go: begin_tx_failed, list_failed, empty-tx commit, mark_failed (fault DB + existing fakeTeardownProvider). - env_policy.go: Get fetch_failed, Put role_lookup_failed / owner_required / invalid_body / invalid_env_policy / persist_failed / happy. - billing.go (CreateCheckoutAPI): CreateSubscription circuit-open / razorpay-error / incomplete-response / persistence-failure (fake CreateSubscription seam, HMAC-signed payloads only, never a real key). - stack.go: UpdateEnv fetch/persist DB errors + Family fetch_failed (seeded stack + staged fault DB). - audit.go: bad-team-id unauthorized + List/CSV happy paths with metadata + actor-email lookup. - provision_helper.go denyProvisionOverCap (was 0%) + per-handler over-cap (no-existing → 429; with-existing → dedup-return) + backend-failure soft-delete + finalizeProvision-failure persist arms across db/cache/nosql/vector/queue/storage/webhook (anon + authenticated). No new exported test symbols were required (all arms reachable via existing export_*_test.go seams or white-box package handlers tests), so no export_final2_test.go was added. Provably-unreachable arms left uncovered (documented): defaultFetchCert (real network), generateOAuthState/issueSessionJWT failures (crypto/rand + HS256 []byte key cannot fail), the k8s ComputeProvider constructor branch (needs a live cluster; noop fallback is covered). Known pre-existing shared-dev-DB flakes unrelated to this change: TestAdminList_* (limit=100 paging on accumulated data) and TestQueue_* (NATS :8222 monitor not reachable locally) — verify on a fresh DB per CLAUDE.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #2 batch 2 — bulk-twin happy path + vault copy list-failed - family_bulk_twin happy path: seed active postgres+redis+mongodb parents in one env and POST /families/bulk-twin to another with working local backends, exercising twinOneParent + ProvisionForTwinCore success for all three backends (db/cache/nosql 81.8%→89.3%, twinOneParent →82.6%). - vault.go CopySecrets list_failed arm: rename vault_secrets away after the team/tier checks pass (isolated DB) so ListVaultSecretKeys errors → 5xx. Package 93.9% → 93.93% under CI conditions; only the documented pre-existing shared-dev-DB flakes remain (TestAdminList_* paging, TestQueue_* NATS :8222). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final serial pass #3 — handlers 93.9%→94.5% via behavior-preserving seams Production seams (package-var indirection, prod path unchanged, each new line covered): - helpers.go: `randRead = rand.Read` — routes generateAppID/generateOAuthState/ generateSessionID through it so the rand.Read error arm is testable. - stack.go: `openMultipartFile` (tarball open) + `newK8sStackProvider` factory. - deploy.go: routes both fh.Open() sites through openMultipartFile; adds `newK8sComputeProvider` factory; routes generateAppID through randRead. Both k8s factory seams cover their default closure body AND the noop-fallback error arm + the success arm via injected fakes; all seam lines are 100% covered. New _final3 tests close confirmed-reachable arms: stack/deploy multipart New error arms, stack Redeploy invalid-form + tarball-open, internal-JWT verifier wrong-method/bad-uuid arms (terminate/backup-refund/resend), OAuth-start + CLI-session rand.Read errors, /claim missing-email/invalid-token/already-claimed, resolveResourceBindings rejection matrix, resource Family not-found/cross-team, familyMember map name/parent branches, agent-action deployment-limit tiers, requireName/sanitizeName invalid-UTF8, respondProvisionFailed circuit-open, twin ProvisionForTwinCore create/validate fault arms, webhook anon over-cap dedup. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 cont. — k8s seam closures+error arms, team_members + promote audit - Cover the newK8sStackProvider / newK8sComputeProvider default closure bodies (InvokeDefault*ForTest) AND the noop-fallback error arms (seam forced to error) so every new seam production line is 100% covered (patch-coverage). - team_members cacheInviteResponse (nil-rdb/dead-rdb store-error) + emitInviteAudit insert-error arms via exporters + fault DB. - emitPromoteAuditEvent InsertAuditEvent-error arm via exporter + fault DB. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — experiments.Converted validation arms missing-fields / unknown-experiment / invalid-variant / action-truncation arms of POST /api/v1/experiments/converted. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — vault.audit AppendVaultAudit-error arm Drives (*VaultHandler).audit best-effort warn arm via exporter + fault DB. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — injectMessageID empty-id/unmarshal-error arms Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — deploy Patch invalid_body arm Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — ResourceEnvByTokenForMiddleware all 3 arms Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — env_policy.Get nil-policy + bad-team-id arms Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): final pass #3 — CancelForTeam no-subscription + DB-error arms Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(coverage): seam2 — quota.CheckStorageQuota + k8s logs clientset seams Add two behavior-preserving package-var seams to lift internal/handlers coverage: - var checkStorageQuota = quota.CheckStorageQuota (seams.go); route db/cache/nosql call sites through it so StorageExceeded warning arms are reachable in tests. - var buildLogsClientset over buildLogsK8sClientset; NewLogsHandler + the in-cluster/kubeconfig fallback now coverable via a client-go fake clientset. NewLogsHandler + buildLogsK8sClientset now 100%. Local handlers coverage 93.93% -> 94.8% (capped: TestQueue_* requires NATS, unavailable locally; authoritative number needs CI with NATS + customer-DB). Recovered from a stalled background agent (stalled on the full ./... measure). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * ci: run NATS (monitoring :8222) in build-and-test so TestQueue_* pass The TestQueue_IsolatedCreds_EmbeddedInResponse / _CredIssueError_FallsBackToLegacyOpen coverage tests provision via queueprovider.Provision, which health-checks http://localhost:8222/healthz (NATSHost defaults to localhost). CI had no NATS service, so they 503'd on every run — the required build-and-test check has been red on this branch since they landed. Add a nats-server -m 8222 step (service containers can't pass -m). Repoint the two NATS-DOWN tests (finalize/softdelete final2) off 127.0.0.1 to the reserved non-resolvable host nats.test (matching the 7 other queue-fault tests) so a live localhost NATS doesn't satisfy their 503 expectation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Residual-coverage follow-up: raises every
internal/handlersfile the priorslice (#160) left below 95% to ≥95% where reachable, plus closes the tiny
internal/middlewaregap. Seams not waivers — two minimal package-varindirections were added (production behaviour unchanged) so the two
defensive crypto/JWT-sign error arms are deterministically reachable.
Targets a coverage integration branch (
coverage/api-integration), notmaster.Coverage block (before → after)
internal/handlers/admin_customers.gointernal/handlers/admin_impersonate.gointernal/handlers/admin_promos_audit.gointernal/handlers/admin_customer_notes.gointernal/handlers/billing.gointernal/handlers/onboarding.gointernal/handlers/resource.gointernal/handlers/webhook.gointernal/middleware(package)How
*sql.DBpool) drives thedb_failed/fetch_failed/lookup_failedarms.fakeProvisionerdrives the resourceDeletegRPC-deprovision arm.Backend()==MinIOAdminaudit branch./claim/claim/preview/startvalidation + single-use + 409 + transfer branches.payment.failedno-primary-user + charged-receipt arms.Seams added (production behaviour unchanged)
admin_impersonate.go:var signImpersonationToken = func(...)— the only deterministic way to hitsign_failed(HS256 sign with a[]bytekey never fails in prod).webhook.go:var cryptoEncrypt = crypto.Encrypt— the only deterministic way to hitstoreEncryptedURL's encrypt-failed arm (AES-256-GCM never fails with a valid key).Both default to the real function; only test code swaps them via
export_residual_test.go.Conflict-avoidance
All new test files carry a
_residualsuffix. New re-exports live in a NEWinternal/handlers/export_residual_test.go; the sharedexport_test.go/export_rbw_test.go/export_billing_test.goare untouched (verified noduplicate re-exports — a dup would be a compile error).
Verification
go build ./...+go vet ./internal/handlers/ ./internal/middleware/clean.Full hermetic suite
go test ./internal/handlers/... ./internal/middleware/... -short -p 1green (EXIT=0, 0 FAIL) against postgres:16 / redis:7 / mongo:6 service containers.🤖 Generated with Claude Code
Remaining under 95% — residual arms + seam attempted
Four files improved substantially but did not reach 95% on this slice. The
residual uncovered statements are concentrated in arms that need invasive
mid-flow failure injection (not reachable with the brokenDB/sqlmock/dead-Redis
seams used here without a deeper production rewrite). Documented per the
"no waiver without a seam attempt" rule:
webhook.go (90.3%) — uncovered: the anonymous-provision success error
arms (
finalizeProvision-fail,issueOnboardingJWT-fail,createOnboardingEvent-fail at the end ofNewWebhook), the auth-pathCreateResource-fail +finalizeProvision-fail arms, the Receive HMAC-secretlookup-error arm, and the Receive
json.Marshal-fail arm. Seam tried: sqlmockmid-provision — but
NewWebhookrunsparseProvisionBody → requireName → resolveEnv → checkProvisionLimit → CreateResource → finalizeProvision → issueOnboardingJWTagainst the same*sql.DB; mocking that exact orderedmulti-query sequence is brittle (every query string + arg must match) and a
single mismatch fails the whole flow, so I covered the reachable validation +
dedup + Receive + ListRequests + storeEncryptedURL arms instead.
billing.go (93.6%) — uncovered: deep
RazorpayWebhooksub-handler arms(
handleSubscriptionChargedunknown-tier / lower-tier-charge sub-id-updatefailures,
handleSubscriptionPausedgrace-start-fail,maybeRecoverPaymentGracegrace-recover-fail / race-not-flipped) and the
ListInvoicesAPI/UpdatePaymentMethodAPIcircuit-open + success arms. Seam tried: the cov2webhook harness covers many charged/failed paths, but the sub-id-update-fail and
grace-recover-fail arms need a DB that succeeds on the lookup then fails on the
immediately-following write within one handler — a partial-failure injection the
live test DB can't produce and full sqlmock of the webhook sequence is infeasibly
brittle. The portal circuit-open + invoice-list-success arms need a real Razorpay
client behind an open breaker (no seam to force the breaker open from a test).
resource.go (92.8%) — uncovered:
RotateCredentialsrand.Read-fail(unreachable — crypto/rand never fails on these platforms), url-parse-fail
(decrypt succeeds but yields a malformed URL — decrypt-fail fires first), and
encrypt-fail (would need the same
cryptoEncryptseam pattern but the rotatepath calls
crypto.Encryptdirectly); the mongo provider pause/resume +rotateMongoPasswordarms (need a live MongoDB admin connection with apre-seeded user). The redis provider arm IS now covered (via the live test
Redis ACL toggle).
onboarding.go (93.8%) — uncovered: a few
Claimresource-transfermicro-arms inside the JWT-listed-token loop that overlap with the
fingerprint loop, the
sendClaimVerificationEmailGenerateMagicLinkPlaintext-failarm (unreachable — never fails), and
StartLanding/ClaimPreviewredirectmicro-branches. The reachable validation, single-use 409, db-error, account-exists,
create-failure (sqlmock), and fingerprint-augmentation arms are covered.