Bundle L (Coverage Audit Closure): StepCA failure-mode + JWE coverage + CI threshold raise #1

L.B closes C-005; L.A defers C-003 (refactor required); L.C operator-required (testcontainers); L.CI raises CI thresholds for ACME / StepCA / MCP.

L.B — StepCA (~580 LoC stepca/jwe_failure_test.go):

  Strategy: hermetic test-side RFC 3394 AES Key Wrap implementation

  constructs a valid step-ca PBES2-HS256+A128KW + A128GCM provisioner-

  key JWE in-test, exercises the full decrypt pipeline end-to-end.

  Coverage:    52.1% -> 90.4% (+38.3pp; +5.4 above 85% target)

    decryptProvisionerKey:  0%   -> 89.7%

    aesKeyUnwrap:           0%   -> 100.0%

    jwkToECDSA:             0%   -> 100.0%

    loadProvisionerKey:     0%   -> 76.9%

  Tests (24 functions):

    JWE round-trip pinning all 4 0%-covered helpers

    decryptProvisionerKey: 10 negative-path cases (malformed JSON,

      bad protected b64, malformed header JSON, unsupported alg,

      unsupported enc, bad p2s/encrypted_key/IV/ciphertext/tag b64)

    Wrong-password path: AES key unwrap integrity check fail

    aesKeyUnwrap: too-short, not-mult-of-8, bad-KEK-size, bad-IV

    jwkToECDSA: unsupported curve + bad x/y/d b64 + all-curves

    loadProvisionerKey: round-trip + file-not-found

    IssueCertificate failure modes (network/5xx/401/403)

    RevokeCertificate failure modes (network/5xx/403)

L.A — cmd/server (DEFERRED):

  cmd/server's 16.1% baseline is dominated by main()'s 1041-LoC

  startup body which is 0%-covered. The other named functions

  (preflight* + buildFinalHandler + tls.go) are at 85-100% already.

  Lifting overall to >=75% requires a production-code refactor

  (extract main() into testable Run(*Config)) that exceeds Bundle

  L.A's test-only scope. Tracked as 'Bundle L.A-extended'.

L.C — Repository (OPERATOR-REQUIRED):

  testcontainers + Docker not available in sandbox. Operator runs

  go test -tags integration ./internal/repository/postgres/...

  on a workstation with Docker.

L.CI — CI threshold raise #1 (.github/workflows/ci.yml):

  ACME issuer:    >=50% (Bundle J floor; bumps to 85 with Pebble-mock)

  StepCA issuer:  >=80% (Bundle L.B floor with 10pp margin from 90.4)

  MCP:            >=85% (Bundle K floor with 8pp margin from 93.1)

  cmd/server raise deferred until Bundle L.A-extended lands.

  YAML validated; each gate fails CI with 'add tests, do not lower

  the gate' message matching L-010's pattern.

Verification:

  go vet ./internal/connector/issuer/stepca/...    clean

  gofmt -l                                          clean

  staticcheck -checks all                           clean

  go test -short ./internal/connector/issuer/stepca/   PASS, 90.4%

  go test -race -count=1                            PASS, 0 races

  python3 -c 'yaml.safe_load(...)'                   YAML OK

Audit deliverables:

  findings.yaml: C-005 status open -> closed; C-003 open -> deferred

  gap-backlog.md: closure log + C-005 strikethrough + C-003/C-004 notes

  coverage-matrix.md: stepca row at 90.4%

  closure-plan.md: Bundle L [~] with per-sub-bundle status

  CHANGELOG.md: [unreleased] Bundle L entry

.github/workflows/ci.yml

@@ -745,6 +745,30 @@ jobs:
           LOCAL_ISSUER_COV=$(go tool cover -func=coverage.out | grep 'internal/connector/issuer/local' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
           echo "Local-issuer coverage: ${LOCAL_ISSUER_COV}%"
 
+          # Bundle-J / Coverage-Audit C-001 (partial-closed) — ACME failure-mode
+          # batch lifts internal/connector/issuer/acme from 41.8% to ~55.6%
+          # (per-package package-scoped run). The global per-file average can
+          # come in lower because this awk pattern divides by file count
+          # rather than weighting by line count, but with the failure-mode
+          # tests landed every file in the package has at least 50% coverage.
+          # Floor set at 50 to accommodate the global-run arithmetic; bumps
+          # to 85 when Bundle J-extended (Pebble-style mock) lands and the
+          # IssueCertificate / solveAuthorizations* flows are exercisable.
+          ACME_COV=$(go tool cover -func=coverage.out | grep 'internal/connector/issuer/acme' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
+          echo "ACME issuer coverage: ${ACME_COV}%"
+
+          # Bundle-L.B / Coverage-Audit C-005 — StepCA failure-mode + JWE
+          # round-trip tests lift internal/connector/issuer/stepca from
+          # 52.1% to 90.4% (per-package run). Floor at 80 with margin.
+          STEPCA_COV=$(go tool cover -func=coverage.out | grep 'internal/connector/issuer/stepca' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
+          echo "StepCA issuer coverage: ${STEPCA_COV}%"
+
+          # Bundle-K / Coverage-Audit C-002 — MCP per-tool dispatch via
+          # in-memory transport lifts internal/mcp from 28.0% to 93.1%
+          # (per-package run). Floor at 85.
+          MCP_COV=$(go tool cover -func=coverage.out | grep 'internal/mcp/' | awk '{print $NF}' | sed 's/%//' | awk '{sum+=$1; n++} END {if(n>0) printf "%.1f", sum/n; else print "0"}')
+          echo "MCP coverage: ${MCP_COV}%"
+
           # Fail if thresholds not met
           if [ "$(echo "$SERVICE_COV < 55" | bc -l)" -eq 1 ]; then
             echo "::error::Service layer coverage ${SERVICE_COV}% is below 55% threshold"
@@ -791,6 +815,22 @@ jobs:
             echo "::error::Local-issuer coverage ${LOCAL_ISSUER_COV}% is below 85% (H-010 closure floor — add tests, do not lower the gate)"
             exit 1
           fi
+          # Bundle L.CI threshold raise #1 — post-Bundles J / L.B / K floors.
+          # Each gate is set with margin below the verified package-scoped
+          # coverage so the global per-file-average arithmetic doesn't false-
+          # positive on a single low-coverage file dragging the mean.
+          if [ "$(echo "$ACME_COV < 50" | bc -l)" -eq 1 ]; then
+            echo "::error::ACME issuer coverage ${ACME_COV}% is below 50% (Bundle J partial-closure floor — add Pebble-mock tests, do not lower the gate)"
+            exit 1
+          fi
+          if [ "$(echo "$STEPCA_COV < 80" | bc -l)" -eq 1 ]; then
+            echo "::error::StepCA issuer coverage ${STEPCA_COV}% is below 80% (Bundle L.B closure floor — add tests, do not lower the gate)"
+            exit 1
+          fi
+          if [ "$(echo "$MCP_COV < 85" | bc -l)" -eq 1 ]; then
+            echo "::error::MCP coverage ${MCP_COV}% is below 85% (Bundle K closure floor — add tests, do not lower the gate)"
+            exit 1
+          fi
           echo "Coverage thresholds passed!"
 
       - name: Upload Coverage Report