chore: Add tests for backup service, crowdsec startup, log service, and security headers

- Implement tests for BackupService to handle database extraction from backup archives with SHM and WAL entries.
- Add tests for BackupService to validate behavior when creating backups for non-SQLite databases and handling oversized database entries.
- Introduce tests for CrowdSec startup to ensure proper error handling during configuration creation.
- Enhance LogService tests to cover scenarios for skipping dot and empty directories and handling read directory errors.
- Add tests for SecurityHeadersService to ensure proper error handling during preset creation and updates.
- Update ProxyHostForm tests to include HSTS subdomains toggle and validation for port input handling.
- Enhance DNSProviders tests to validate manual challenge completion and error handling when no providers are available.
- Extend UsersPage tests to ensure fallback mechanisms for clipboard operations when the clipboard API fails.

docs/issues/local_patch_report_dod_manual_checklist.md

@@ -0,0 +1,68 @@
+---
+title: Manual Checklist - Local Patch Report DoD Ordering
+status: Open
+priority: High
+assignee: QA
+labels: testing, coverage, dod
+---
+
+# Goal
+Validate that local patch-report workflow is executed in Definition of Done (DoD) order and produces required artifacts for handoff.
+
+# Preconditions
+- Work from repository root: `/projects/Charon`
+- Branch has local changes to evaluate
+- Docker E2E environment is healthy
+
+# Manual Checklist
+
+## 1) E2E First (Mandatory)
+- [ ] Run: `cd /projects/Charon && npx playwright test --project=firefox`
+- [ ] Confirm run completes without blocking failures
+- [ ] Record run timestamp for ordering evidence
+
+## 2) Local Patch Report Preflight (Before Unit Coverage)
+- [ ] Run: `cd /projects/Charon && bash scripts/local-patch-report.sh`
+- [ ] Confirm artifacts exist:
+  - [ ] `test-results/local-patch-report.md`
+  - [ ] `test-results/local-patch-report.json`
+- [ ] Confirm JSON includes:
+  - [ ] `baseline = origin/main...HEAD`
+  - [ ] `mode = warn`
+  - [ ] `overall`, `backend`, `frontend` coverage blocks
+  - [ ] `files_needing_coverage` list
+
+## 3) Backend Coverage Run
+- [ ] Run: `cd /projects/Charon/backend && go test ./... -coverprofile=coverage.txt`
+- [ ] Confirm `backend/coverage.txt` exists and is current
+- [ ] Confirm run exit code is 0
+
+## 4) Frontend Coverage Run
+- [ ] Run: `cd /projects/Charon/frontend && npm run test:coverage`
+- [ ] Confirm `frontend/coverage/lcov.info` exists and is current
+- [ ] Confirm run exit code is 0
+
+## 5) Refresh Local Patch Report After Coverage Updates
+- [ ] Run again: `cd /projects/Charon && bash scripts/local-patch-report.sh`
+- [ ] Confirm report reflects latest coverage inputs and updated file gaps
+
+## 6) DoD Ordering Verification (Practical)
+- [ ] Verify command history/logs show this order:
+  1. E2E
+  2. Local patch report preflight
+  3. Backend/frontend coverage runs
+  4. Local patch report refresh
+- [ ] Verify no skipped step in the sequence
+
+## 7) Handoff Artifact Verification
+- [ ] Verify required handoff artifacts are present:
+  - [ ] `test-results/local-patch-report.md`
+  - [ ] `test-results/local-patch-report.json`
+  - [ ] `backend/coverage.txt`
+  - [ ] `frontend/coverage/lcov.info`
+- [ ] Verify latest QA report includes current patch-coverage summary section
+
+# Pass Criteria
+- All checklist items complete in order.
+- Local patch report artifacts are generated and current.
+- Any below-threshold overall patch coverage is explicitly documented as warn-mode during rollout.

docs/plans/current_spec.md

@@ -54,6 +54,7 @@ Both artifacts are mandatory per run. Missing either artifact is a failed local
 - Local patch report does not fail DoD on low patch coverage during initial rollout.
 - Local runner emits warnings (stdout + markdown/json status fields) when thresholds are not met.
 - DoD requires the report to run and artifacts to exist, even in warning mode.
+- Execution and final merge checks in this plan follow this same warn-mode policy during rollout.
 
 ### Threshold Defaults and Source Precedence
 
@@ -121,6 +122,10 @@ Minimum JSON fields:
   - `patch_coverage_pct`
   - `status` (`pass` | `warn`)
 - `backend` and `frontend` objects with same coverage counters and status
+- `files_needing_coverage` (required array for execution baselines), where each item includes at minimum:
+   - `path`
+   - `uncovered_changed_lines`
+   - `patch_coverage_pct`
 - `artifacts` with emitted file paths
 
 Minimum Markdown sections:
@@ -243,3 +248,198 @@ jq -r '.baseline' test-results/local-patch-report.json
 - [ ] Concrete script + task wiring tasks are present and executable.
 - [ ] Validation commands are present and reproducible.
 - [ ] Stale unrelated placeholder gates are removed from this active spec.
+
+## 10) Concrete Execution Plan — Patch Gap Closure (PR Merge Objective)
+
+Single-scope objective: close current patch gaps for this PR merge by adding targeted tests and iterating local patch reports until changed-line coverage is merge-ready under DoD.
+
+### Authoritative Gap Baseline (2026-02-17)
+
+Use this list as the only planning baseline for this execution cycle:
+
+- `backend/cmd/localpatchreport/main.go`: 0%, 200 uncovered changed lines, ranges `46-59`, `61-73`, `75-79`, `81-85`, `87-96`, `98-123`, `125-156`, `158-165`, `167-172`, `175-179`, `182-187`, `190-198`, `201-207`, `210-219`, `222-254`, `257-264`, `267-269`
+- `frontend/src/pages/UsersPage.tsx`: 30.8%, 9 uncovered (`152-160`)
+- `frontend/src/pages/CrowdSecConfig.tsx`: 36.8%, 12 uncovered (`975-977`, `1220`, `1248-1249`, `1281-1282`, `1316`, `1324-1325`, `1335`)
+- `frontend/src/pages/DNSProviders.tsx`: 70.6%, 10 uncovered
+- `frontend/src/pages/AuditLogs.tsx`: 75.0%, 1 uncovered
+- `frontend/src/components/ProxyHostForm.tsx`: 75.5%, 12 uncovered
+- `backend/internal/api/middleware/auth.go`: 86.4%, 3 uncovered
+- `frontend/src/pages/Notifications.tsx`: 88.9%, 3 uncovered
+- `backend/internal/cerberus/rate_limit.go`: 91.9%, 12 uncovered
+
+### DoD Entry Gate (Mandatory Before Phase 1)
+
+All execution phases are blocked until this gate is completed in order:
+
+1) E2E first:
+
+```bash
+cd /projects/Charon && npx playwright test --project=firefox
+```
+
+2) Local patch preflight (baseline refresh trigger):
+
+```bash
+cd /projects/Charon && bash scripts/local-patch-report.sh
+```
+
+3) Baseline refresh checkpoint (must pass before phase execution):
+
+```bash
+cd /projects/Charon && jq -r '.files_needing_coverage[].path' test-results/local-patch-report.json | sort > /tmp/charon-baseline-files.txt
+cd /projects/Charon && while read -r f; do git diff --name-only origin/main...HEAD -- "$f" | grep -qx "$f" || echo "baseline file missing from current diff: $f"; done < /tmp/charon-baseline-files.txt
+```
+
+4) If checkpoint output is non-empty, refresh this baseline list to match the latest `test-results/local-patch-report.json` before starting Phase 1.
+
+### Ordered Phases (Highest Impact First)
+
+#### Phase 1 — Backend Local Patch Report CLI (Highest Delta)
+
+Targets:
+- `backend/cmd/localpatchreport/main.go` (all listed uncovered ranges)
+
+Suggested test file:
+- `backend/cmd/localpatchreport/main_test.go`
+
+Test focus:
+- argument parsing and mode selection
+- coverage input validation paths
+- baseline/diff resolution flow
+- report generation branches (markdown/json)
+- warning/error branches for missing inputs and malformed coverage
+
+Pass criteria:
+- maximize reduction of uncovered changed lines in `backend/cmd/localpatchreport/main.go` from the `200` baseline, with priority on highest-impact uncovered ranges and no new uncovered changed lines introduced
+- backend targeted test command passes
+
+Targeted test command:
+
+```bash
+cd /projects/Charon/backend && go test ./cmd/localpatchreport -coverprofile=coverage.txt
+```
+
+#### Phase 2 — Frontend Lowest-Coverage, Highest-Uncovered Pages
+
+Targets:
+- `frontend/src/pages/CrowdSecConfig.tsx` (`975-977`, `1220`, `1248-1249`, `1281-1282`, `1316`, `1324-1325`, `1335`)
+- `frontend/src/pages/UsersPage.tsx` (`152-160`)
+- `frontend/src/pages/DNSProviders.tsx` (10 uncovered changed lines)
+
+Suggested test files:
+- `frontend/src/pages/__tests__/CrowdSecConfig.patch-gap.test.tsx`
+- `frontend/src/pages/__tests__/UsersPage.patch-gap.test.tsx`
+- `frontend/src/pages/__tests__/DNSProviders.patch-gap.test.tsx`
+
+Test focus:
+- branch/error-state rendering tied to uncovered lines
+- conditional action handlers and callback guards
+- edge-case interaction states not hit by existing tests
+
+Pass criteria:
+- maximize reduction of changed-line gaps for the three targets, prioritize highest-impact uncovered lines first, and avoid introducing new uncovered changed lines
+- frontend targeted test command passes
+
+Targeted test command:
+
+```bash
+cd /projects/Charon/frontend && npm run test:coverage -- src/pages/__tests__/CrowdSecConfig.patch-gap.test.tsx src/pages/__tests__/UsersPage.patch-gap.test.tsx src/pages/__tests__/DNSProviders.patch-gap.test.tsx
+```
+
+#### Phase 3 — Backend Residual Middleware/Security Gaps
+
+Targets:
+- `backend/internal/api/middleware/auth.go` (3 uncovered changed lines)
+- `backend/internal/cerberus/rate_limit.go` (12 uncovered changed lines)
+
+Suggested test targets/files:
+- extend `backend/internal/api/middleware/auth_test.go`
+- extend `backend/internal/cerberus/rate_limit_test.go`
+
+Test focus:
+- auth middleware edge branches (token/context failure paths)
+- rate-limit boundary and deny/allow branch coverage
+
+Pass criteria:
+- maximize reduction of changed-line gaps for both backend files, prioritize highest-impact uncovered lines first, and avoid introducing new uncovered changed lines
+- backend targeted test command passes
+
+Targeted test command:
+
+```bash
+cd /projects/Charon/backend && go test ./internal/api/middleware ./internal/cerberus -coverprofile=coverage.txt
+```
+
+#### Phase 4 — Frontend Component + Residual Page Gaps
+
+Targets:
+- `frontend/src/components/ProxyHostForm.tsx` (12 uncovered changed lines)
+- `frontend/src/pages/AuditLogs.tsx` (1 uncovered changed line)
+- `frontend/src/pages/Notifications.tsx` (3 uncovered changed lines)
+
+Suggested test files:
+- `frontend/src/components/__tests__/ProxyHostForm.patch-gap.test.tsx`
+- `frontend/src/pages/__tests__/AuditLogs.patch-gap.test.tsx`
+- `frontend/src/pages/__tests__/Notifications.patch-gap.test.tsx`
+
+Test focus:
+- form branch paths and validation fallbacks
+- single-line residual branch in audit logs
+- notification branch handling for low-frequency states
+
+Pass criteria:
+- maximize reduction of changed-line gaps for all three targets, prioritize highest-impact uncovered lines first, and avoid introducing new uncovered changed lines
+- frontend targeted test command passes
+
+Targeted test command:
+
+```bash
+cd /projects/Charon/frontend && npm run test:coverage -- src/components/__tests__/ProxyHostForm.patch-gap.test.tsx src/pages/__tests__/AuditLogs.patch-gap.test.tsx src/pages/__tests__/Notifications.patch-gap.test.tsx
+```
+
+### Execution Commands
+
+Run from repository root unless stated otherwise.
+
+1) Backend coverage:
+
+```bash
+cd backend && go test ./... -coverprofile=coverage.txt
+```
+
+2) Frontend coverage:
+
+```bash
+cd frontend && npm run test:coverage
+```
+
+3) Local patch report iteration:
+
+```bash
+bash scripts/local-patch-report.sh
+```
+
+4) Iteration loop (repeat until all target gaps are closed):
+
+```bash
+cd backend && go test ./... -coverprofile=coverage.txt
+cd /projects/Charon/frontend && npm run test:coverage
+cd /projects/Charon && bash scripts/local-patch-report.sh
+```
+
+### Phase Completion Checks
+
+- After each phase, rerun `bash scripts/local-patch-report.sh` and confirm that only the next planned target set remains uncovered.
+- Do not advance phases when a phase target still shows uncovered changed lines.
+
+### Final Merge-Ready Gate (DoD-Aligned, Warn-Mode Rollout)
+
+This PR is merge-ready only when all conditions are true:
+
+- local patch report runs in warn mode and required artifacts are generated
+- practical merge objective: drive a significant reduction in authoritative baseline uncovered changed lines in this PR, prioritizing highest-impact files; `0` remains aspirational and is not a warn-mode merge blocker
+- required artifacts exist and are current:
+   - `test-results/local-patch-report.md`
+   - `test-results/local-patch-report.json`
+- backend and frontend coverage commands complete successfully
+- DoD checks remain satisfied (E2E first, local patch report preflight, required security/coverage/type/build validations)

docs/reports/qa_report.md

@@ -11,6 +11,120 @@ summary: "Definition of Done validation results, including coverage, security sc
 post_date: "2026-02-10"
 ---
 
+## Current Branch QA/Security Audit - 2026-02-17
+
+### Patch Coverage Push Handoff (Latest Local Report)
+
+- Source: `test-results/local-patch-report.json`
+- Generated: `2026-02-17T18:40:46Z`
+- Mode: **warn**
+- Summary:
+	- Overall patch coverage: **85.4%** (threshold 90%) → **warn**
+	- Backend patch coverage: **85.1%** (threshold 85%) → **pass**
+	- Frontend patch coverage: **91.0%** (threshold 85%) → **pass**
+- Current warn-mode trigger:
+	- Overall is below threshold by **4.6 points**; rollout remains non-blocking while artifacts are still required.
+- Key files still needing patch coverage (highest handoff priority):
+	- `backend/internal/services/mail_service.go` — 20.8% patch coverage, 19 uncovered changed lines
+	- `frontend/src/pages/UsersPage.tsx` — 30.8% patch coverage, 9 uncovered changed lines
+	- `backend/internal/crowdsec/hub_sync.go` — 37.5% patch coverage, 10 uncovered changed lines
+	- `backend/internal/services/security_service.go` — 46.4% patch coverage, 15 uncovered changed lines
+	- `backend/internal/api/handlers/backup_handler.go` — 53.6% patch coverage, 26 uncovered changed lines
+	- `backend/internal/api/handlers/import_handler.go` — 67.5% patch coverage, 26 uncovered changed lines
+	- `backend/internal/api/handlers/settings_handler.go` — 73.6% patch coverage, 24 uncovered changed lines
+	- `backend/internal/util/permissions.go` — 74.4% patch coverage, 34 uncovered changed lines
+
+### 1) E2E Ordering Requirement and Evidence
+
+- Status: **FAIL (missing current-cycle evidence)**
+- Requirement: E2E must run before unit coverage and local patch preflight.
+- Evidence found this cycle:
+	- Local patch preflight was run (`bash scripts/local-patch-report.sh`).
+	- No fresh Playwright execution artifact/report was found for this cycle before the preflight.
+- Conclusion: Ordering proof is not satisfied for this audit cycle.
+
+### 2) Local Patch Preflight Artifacts (Presence + Validity)
+
+- Status: **PASS (warn-mode valid)**
+- Artifacts present:
+	- `test-results/local-patch-report.md`
+	- `test-results/local-patch-report.json`
+- Generated: `2026-02-17T18:40:46Z`
+- Validity summary:
+	- Overall patch coverage: `85.4%` (**warn**, threshold `90%`)
+	- Backend patch coverage: `85.1%` (**pass**, threshold `85%`)
+	- Frontend patch coverage: `91.0%` (**pass**, threshold `85%`)
+
+### 3) Backend/Frontend Coverage Status and Thresholds
+
+- Threshold baseline: **85% minimum** (project QA/testing instructions)
+- Backend coverage (current artifact `backend/coverage.txt`): **87.0%** → **PASS**
+- Frontend line coverage (current artifact `frontend/coverage/lcov.info`): **74.70%** (`LH=1072`, `LF=1435`) → **FAIL**
+- Note: Frontend coverage is currently below required threshold and blocks merge readiness.
+
+### 4) Fast Lint / Pre-commit Status
+
+- Command run: `pre-commit run --all-files`
+- Status: **FAIL**
+- Failing gate: `golangci-lint-fast`
+- Current blocker categories from output:
+	- `errcheck`: unchecked `AddError` return values in tests
+	- `gosec`: test file permission/path safety findings
+	- `unused`: unused helper functions in tests
+
+### 5) Security Scans Required by DoD (This Cycle)
+
+- **Go vulnerability scan (`security-scan-go-vuln`)**: **PASS** (`No vulnerabilities found`)
+- **GORM security scan (`security-scan-gorm --check`)**: **PASS** (0 critical/high/medium; info-only suggestions)
+- **CodeQL (CI-aligned via skill)**: **PASS (non-blocking)**
+	- Go SARIF: `5` results (non-error/non-warning categories in this run)
+	- JavaScript SARIF: `0` results
+- **Trivy filesystem scan (`security-scan-trivy`)**: **FAIL**
+	- Reported security issues, including Dockerfile misconfiguration (`DS-0002`: container user should not be root)
+- **Docker image scan (`security-scan-docker-image`)**: **FAIL**
+	- Vulnerabilities found: `0 critical`, `1 high`, `9 medium`, `1 low`
+	- High finding: `GHSA-69x3-g4r3-p962` in `github.com/slackhq/nebula@v1.9.7` (fixed in `1.10.3`)
+
+### 6) Merge-Readiness Summary (Blockers + Exact Next Commands)
+
+- Merge readiness: **NOT READY**
+
+#### Explicit blockers
+
+1. Missing E2E-first ordering evidence for this cycle.
+2. Frontend coverage below threshold (`74.70% < 85%`).
+3. Fast pre-commit/lint failing (`golangci-lint-fast`).
+4. Security scans failing:
+	 - Trivy filesystem scan
+	 - Docker image scan (1 High vulnerability)
+
+#### Exact next commands
+
+```bash
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh docker-rebuild-e2e
+cd /projects/Charon && npx playwright test --project=firefox
+cd /projects/Charon && bash scripts/local-patch-report.sh
+
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh test-frontend-coverage
+cd /projects/Charon && pre-commit run --all-files
+
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh security-scan-trivy vuln,secret,misconfig json
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh security-scan-docker-image
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh security-scan-codeql all summary
+```
+
+#### Re-check command set after fixes
+
+```bash
+cd /projects/Charon && npx playwright test --project=firefox
+cd /projects/Charon && bash scripts/local-patch-report.sh
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh test-frontend-coverage
+cd /projects/Charon && pre-commit run --all-files
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh security-scan-go-vuln
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh security-scan-gorm --check
+cd /projects/Charon && .github/skills/scripts/skill-runner.sh security-scan-codeql all summary
+```
+
 ## Validation Checklist
 
 - Phase 1 - E2E Tests: PASS (provided: notification tests now pass)