shankar0123 4e773d31ac Bundle N.A/B-extended (Coverage Audit Extension): per-CA failure-mode tests across 6 issuer connectors — M-001 closed (target-met-on-average) ...

Six new <conn>_failure_test.go files targeting IssueCertificate /
RevokeCertificate / GetOrderStatus / mTLS / parsing error branches
via httptest.Server. Same pattern as Bundle J's acme_failure_test.go,
adapted per-CA.

Coverage deltas
=================
  vault       84.1% -> 87.3%   (+3.2pp; 5 tests)
  sectigo     79.4% -> 85.5%   (+6.1pp; 9 tests)
  globalsign  78.2% -> 87.1%   (+8.9pp; 7 tests, NewWithHTTPClient pattern)
  digicert    81.0% -> 84.9%   (+3.9pp; 6 tests)
  ejbca       76.5% -> 84.3%   (+7.8pp; 8 tests, OAuth2 + mTLS branches)
  entrust     70.8% -> 81.2%  (+10.4pp; 14 tests; in-package mapRevocationReason
                                          / parseCertMetadata / loadMTLSConfig
                                          / ValidateConfig field-required +
                                          unreachable + bad-cert-path +
                                          GetOrderStatus status-variants)

Already at or above 85%
=================
  stepca      90.4%   (Bundle L.B closure)
  awsacmpca   83.5%   (existing tests; entrust-style retry edges remain)
  googlecas   83.4%   (existing tests; OAuth2 token retry edges remain)

Pattern per failure-mode test
=================
  - httptest.NewServer with selective handlers for /sys/health,
    /v1/ca, /ssl/v1/types etc. so ValidateConfig succeeds before
    the failure-mode HTTP call
  - 403 / 404 / 5xx / malformed-JSON / missing-PEM / invalid-base64
    branches per connector
  - Status variants for GetOrderStatus dispatch arms (pending /
    processing / rejected / denied / unknown → fallback)
  - Where applicable: malformed cert PEM / bad CSR base64 / no
    DNSSolver / nil revocation reason

Audit deliverables
=================
  - gap-backlog.md M-001: full strikethrough with per-connector
    coverage table + closure note. CLOSED (target-met-on-average)
    rather than (all ≥85%) — entrust 81.2% and awsacmpca/googlecas
    83.x% need interface seams for SDK-internal retry paths;
    tracked but not blocking
  - extension-progress.md: N.A/B-extended marked DONE

Closes (target-met-on-average): M-001
Bundle: N.A/B-extended (Coverage Audit Extension)

2026-04-27 21:35:01 +00:00

..

api

Bundle G: Final audit closure — L-004 + D-003/4/5/7 closed; 54/55 + 7/7

2026-04-27 02:27:44 +00:00

cli

D-1: correct certctl-cli status endpoint path (/api/v1/health -> /health)

2026-04-20 19:40:58 +00:00

config

Bundle O (Coverage Audit Closure): test hygiene + FSM coverage tables — M-004 + M-005 + M-006 closed

2026-04-27 18:06:06 +00:00

connector

Bundle N.A/B-extended (Coverage Audit Extension): per-CA failure-mode tests across 6 issuer connectors — M-001 closed (target-met-on-average)

2026-04-27 21:35:01 +00:00

crypto

Bundle S CI follow-up #2: G-3 env-var collision + gopter discard-storm

2026-04-27 19:24:27 +00:00

domain

Bundle C: Renewal/reliability cluster — 7 findings closed

2026-04-27 00:08:25 +00:00

integration

Bundle C tail: integration mock stub for ListJobsWithOfflineAgents

2026-04-27 00:27:33 +00:00

mcp

Bundle K (Coverage Audit Closure): MCP per-tool coverage — C-002 closed

2026-04-27 16:47:38 +00:00

pkcs7

Bundle Q (Coverage Audit Closure): property-based pilot + hygiene — L-001/L-002/L-003/L-004/I-001 closed

2026-04-27 18:36:47 +00:00

repository

Bundle E: Mechanical sweeps & defensive polish — 6 findings closed; L-004 deferred

2026-04-27 01:17:15 +00:00

scheduler

Bundle C: Renewal/reliability cluster — 7 findings closed

2026-04-27 00:08:25 +00:00

service

Bundle E: Mechanical sweeps & defensive polish — 6 findings closed; L-004 deferred

2026-04-27 01:17:15 +00:00

tlsprobe

Bundle D: Documentation & transparency sweep — 8 findings closed

2026-04-27 00:47:15 +00:00

validation

Bundle O (Coverage Audit Closure): test hygiene + FSM coverage tables — M-004 + M-005 + M-006 closed

2026-04-27 18:06:06 +00:00