Charon/docs/plans/test_coverage_plan_100_percent.md

Test Coverage Plan - Achieving 100% Coverage

Created: December 16, 2025 Goal: Add unit tests to achieve 100% coverage for 6 files with missing coverage Target Coverage: 100% line coverage, 100% branch coverage

---

Executive Summary

This plan outlines the strategy to achieve 100% test coverage for 6 backend files that currently have insufficient test coverage. The focus is on:

1. crowdsec_handler.go - 62.62% (30 missing lines, 7 partial branches)
2. log_watcher.go - 56.25% (14 missing lines, 7 partial branches)
3. console_enroll.go - 79.59% (11 missing lines, 9 partial branches)
4. crowdsec_startup.go - 94.73% (5 missing lines, 1 partial branch)
5. routes.go - 69.23% (2 missing lines, 2 partial branches)
6. crowdsec_exec.go - 92.85% (2 missing lines)

---

File 1: backend/internal/api/handlers/crowdsec_handler.go

Current Coverage: 62.62% (30 missing lines, 7 partial branches) Existing Test File: backend/internal/api/handlers/crowdsec_handler_test.go Priority: HIGH (most complex, most missing coverage)

Coverage Analysis

Missing Coverage Areas

1. Start Handler - LAPI Readiness Polling (Lines 247-276)

   • LAPI readiness check loop with timeout
   • Error handling when LAPI fails to become ready
   • Warning response when LAPI not ready after timeout

2. GetLAPIDecisions Handler (Lines 629-749)

   • HTTP request creation errors
   • LAPI authentication handling
   • Non-200 response codes (401 Unauthorized)
   • Content-type validation (HTML from proxy vs JSON)
   • Empty/null response handling
   • JSON parsing errors
   • LAPI decision conversion

3. CheckLAPIHealth Handler (Lines 752-791)

   • Health endpoint unavailable fallback to decisions endpoint
   • Decision endpoint HEAD request for health check
   • Various HTTP status codes (401 indicates LAPI running but auth required)

4. ListDecisions Handler (Lines 794-828)

   • cscli command execution errors
   • Empty/null output handling
   • JSON parsing errors

5. BanIP Handler (Lines 835-869)

   • Empty IP validation
   • cscli command execution errors

6. UnbanIP Handler (Lines 872-895)

   • Missing IP parameter validation
   • cscli command execution errors

7. RegisterBouncer Handler (Lines 898-946)

   • Script not found error path
   • Bouncer registration verification with cscli query

8. GetAcquisitionConfig Handler (Lines 949-967)

   • File not found handling
   • File read errors

9. UpdateAcquisitionConfig Handler (Lines 970-1012)

   • Invalid payload handling
   • Backup creation errors
   • File write errors
   • Backup restoration on error

Test Cases to Add

Test Suite: Start Handler LAPI Polling

TestCrowdsecStart_LAPINotReadyTimeout(t *testing.T)
// Arrange: Mock executor that starts but cscli lapi status always fails
// Act: Call Start handler
// Assert: Returns 200 but with lapi_ready=false and warning message

TestCrowdsecStart_LAPIBecomesReadyAfterRetries(t *testing.T)
// Arrange: Mock executor where lapi status fails 2 times, succeeds on 3rd
// Act: Call Start handler
// Assert: Returns 200 with lapi_ready=true after polling

TestCrowdsecStart_ConfigFileNotFound(t *testing.T)
// Arrange: DataDir without config.yaml
// Act: Call Start handler
// Assert: LAPI check runs without -c flag

Test Suite: GetLAPIDecisions Handler

TestGetLAPIDecisions_RequestCreationError(t *testing.T)
// Arrange: Invalid context that fails http.NewRequestWithContext
// Act: Call handler
// Assert: Returns 500 error

TestGetLAPIDecisions_Unauthorized(t *testing.T)
// Arrange: Mock LAPI returns 401
// Act: Call handler
// Assert: Returns 401 with proper error message

TestGetLAPIDecisions_NonOKStatus(t *testing.T)
// Arrange: Mock LAPI returns 500
// Act: Call handler
// Assert: Falls back to ListDecisions (cscli)

TestGetLAPIDecisions_NonJSONContentType(t *testing.T)
// Arrange: Mock LAPI returns text/html (proxy error page)
// Act: Call handler
// Assert: Falls back to ListDecisions (cscli)

TestGetLAPIDecisions_NullResponse(t *testing.T)
// Arrange: Mock LAPI returns "null" or empty body
// Act: Call handler
// Assert: Returns empty decisions array

TestGetLAPIDecisions_JSONParseError(t *testing.T)
// Arrange: Mock LAPI returns invalid JSON
// Act: Call handler
// Assert: Returns 500 with parse error

TestGetLAPIDecisions_WithQueryParams(t *testing.T)
// Arrange: Request with ?ip=192.168.1.1&scope=ip&type=ban
// Act: Call handler
// Assert: Query params passed to LAPI URL

Test Suite: CheckLAPIHealth Handler

TestCheckLAPIHealth_HealthEndpointUnavailable(t *testing.T)
// Arrange: Mock LAPI where /health fails, /v1/decisions HEAD succeeds
// Act: Call handler
// Assert: Returns healthy=true with note about fallback

TestCheckLAPIHealth_DecisionEndpoint401(t *testing.T)
// Arrange: Mock LAPI where /health fails, /v1/decisions returns 401
// Act: Call handler
// Assert: Returns healthy=true (401 means LAPI running)

TestCheckLAPIHealth_DecisionEndpointUnexpectedStatus(t *testing.T)
// Arrange: Mock LAPI where both endpoints return 500
// Act: Call handler
// Assert: Returns healthy=false with status code

Test Suite: ListDecisions Handler

TestListDecisions_CscliNotAvailable(t *testing.T)
// Arrange: Mock executor that returns error for cscli command
// Act: Call handler
// Assert: Returns 200 with empty array and error message

TestListDecisions_EmptyOutput(t *testing.T)
// Arrange: Mock executor returns empty byte array
// Act: Call handler
// Assert: Returns empty decisions array

TestListDecisions_NullOutput(t *testing.T)
// Arrange: Mock executor returns "null" or "null\n"
// Act: Call handler
// Assert: Returns empty decisions array

TestListDecisions_InvalidJSON(t *testing.T)
// Arrange: Mock executor returns malformed JSON
// Act: Call handler
// Assert: Returns 500 with parse error

Test Suite: BanIP Handler

TestBanIP_EmptyIP(t *testing.T)
// Arrange: Request with empty/whitespace IP
// Act: Call handler
// Assert: Returns 400 error

TestBanIP_CscliExecutionError(t *testing.T)
// Arrange: Mock executor returns error
// Act: Call handler
// Assert: Returns 500 error

Test Suite: UnbanIP Handler

TestUnbanIP_MissingIPParameter(t *testing.T)
// Arrange: Request without :ip parameter
// Act: Call handler
// Assert: Returns 400 error

TestUnbanIP_CscliExecutionError(t *testing.T)
// Arrange: Mock executor returns error
// Act: Call handler
// Assert: Returns 500 error

Test Suite: RegisterBouncer Handler

TestRegisterBouncer_CscliCheckSuccess(t *testing.T)
// Arrange: Mock successful registration + cscli bouncers list shows caddy-bouncer
// Act: Call handler
// Assert: Returns registered=true

Test Suite: GetAcquisitionConfig Handler

TestGetAcquisitionConfig_ReadError(t *testing.T)
// Arrange: File exists but read fails (permissions)
// Act: Call handler
// Assert: Returns 500 error

Test Suite: UpdateAcquisitionConfig Handler

TestUpdateAcquisitionConfig_InvalidPayload(t *testing.T)
// Arrange: Non-JSON request body
// Act: Call handler
// Assert: Returns 400 error

TestUpdateAcquisitionConfig_BackupError(t *testing.T)
// Arrange: Existing file but backup (rename) fails
// Act: Call handler
// Assert: Continues anyway (logs warning)

TestUpdateAcquisitionConfig_WriteErrorRestoresBackup(t *testing.T)
// Arrange: File write fails after backup created
// Act: Call handler
// Assert: Restores backup, returns 500 error

Mock Requirements

• MockCommandExecutor: Already exists in test file, extend to support error injection
• MockHTTPServer: For testing LAPI HTTP client behavior
• MockFileSystem: For testing acquisition config file operations

Expected Assertions

• HTTP status codes (200, 400, 401, 500)
• JSON response structure
• Error messages contain expected text
• Function call counts on mocks
• Database state after operations
• File existence/content after operations

---

File 2: backend/internal/services/log_watcher.go

Current Coverage: 56.25% (14 missing lines, 7 partial branches) Existing Test File: backend/internal/services/log_watcher_test.go Priority: MEDIUM (well-tested core, missing edge cases)

Coverage Analysis

Missing Coverage Areas

1. readLoop Function - EOF Handling (Lines 130-142)

   • When reader.ReadString returns EOF
   • 100ms sleep before retry
   • File rotation detection

2. readLoop Function - Non-EOF Errors (Lines 143-146)

   • When reader.ReadString returns error other than EOF
   • Log and return to trigger file reopen

3. detectSecurityEvent Function - WAF Detection (Lines 176-194)

   • hasHeader checks for X-Coraza-Id
   • hasHeader checks for X-Coraza-Rule-Id
   • Early return when WAF detected

4. detectSecurityEvent Function - CrowdSec Detection (Lines 196-210)

   • hasHeader checks for X-Crowdsec-Decision
   • hasHeader checks for X-Crowdsec-Origin
   • Early return when CrowdSec detected

5. detectSecurityEvent Function - ACL Detection (Lines 212-218)

   • hasHeader checks for X-Acl-Denied
   • hasHeader checks for X-Blocked-By-Acl

6. detectSecurityEvent Function - Rate Limit Headers (Lines 220-234)

   • Extraction of X-Ratelimit-Remaining
   • Extraction of X-Ratelimit-Reset
   • Extraction of X-Ratelimit-Limit

7. detectSecurityEvent Function - 403 Generic (Lines 236-242)

   • 403 without specific security headers
   • Falls back to "cerberus" source

Test Cases to Add

Test Suite: readLoop EOF Handling

TestLogWatcher_ReadLoop_EOFRetry(t *testing.T)
// Arrange: Mock file that returns EOF on first read, then data
// Act: Start watcher, write log after brief delay
// Assert: Watcher continues reading after EOF, receives new entry

TestLogWatcher_ReadLoop_FileRotation(t *testing.T)
// Arrange: Create log file, write entry, rename/recreate file, write new entry
// Act: Start watcher before rotation
// Assert: Watcher detects rotation and continues with new file

Test Suite: readLoop Error Handling

TestLogWatcher_ReadLoop_ReadError(t *testing.T)
// Arrange: Mock reader that returns non-EOF error
// Act: Trigger error during read
// Assert: Watcher logs error and reopens file

Test Suite: detectSecurityEvent - WAF

TestDetectSecurityEvent_WAFWithCorazaId(t *testing.T)
// Arrange: Caddy log with X-Coraza-Id header
// Act: Parse log entry
// Assert: source=waf, blocked=true, rule_id extracted

TestDetectSecurityEvent_WAFWithCorazaRuleId(t *testing.T)
// Arrange: Caddy log with X-Coraza-Rule-Id header
// Act: Parse log entry
// Assert: source=waf, blocked=true, rule_id extracted

TestDetectSecurityEvent_WAFLoggerName(t *testing.T)
// Arrange: Caddy log with logger=http.handlers.waf
// Act: Parse log entry
// Assert: source=waf, blocked=true

Test Suite: detectSecurityEvent - CrowdSec

TestDetectSecurityEvent_CrowdSecWithDecisionHeader(t *testing.T)
// Arrange: Caddy log with X-Crowdsec-Decision header
// Act: Parse log entry
// Assert: source=crowdsec, blocked=true, decision extracted

TestDetectSecurityEvent_CrowdSecWithOriginHeader(t *testing.T)
// Arrange: Caddy log with X-Crowdsec-Origin header
// Act: Parse log entry
// Assert: source=crowdsec, blocked=true, origin extracted

TestDetectSecurityEvent_CrowdSecLoggerName(t *testing.T)
// Arrange: Caddy log with logger=http.handlers.crowdsec
// Act: Parse log entry
// Assert: source=crowdsec, blocked=true

Test Suite: detectSecurityEvent - ACL

TestDetectSecurityEvent_ACLDeniedHeader(t *testing.T)
// Arrange: Caddy log with X-Acl-Denied header
// Act: Parse log entry
// Assert: source=acl, blocked=true

TestDetectSecurityEvent_ACLBlockedHeader(t *testing.T)
// Arrange: Caddy log with X-Blocked-By-Acl header
// Act: Parse log entry
// Assert: source=acl, blocked=true

Test Suite: detectSecurityEvent - Rate Limiting

TestDetectSecurityEvent_RateLimitAllHeaders(t *testing.T)
// Arrange: 429 with X-Ratelimit-Remaining, Reset, Limit headers
// Act: Parse log entry
// Assert: All rate limit metadata extracted to Details map

TestDetectSecurityEvent_RateLimitPartialHeaders(t *testing.T)
// Arrange: 429 with only X-Ratelimit-Remaining header
// Act: Parse log entry
// Assert: Only available headers in Details map

Test Suite: detectSecurityEvent - Generic 403

TestDetectSecurityEvent_403WithoutHeaders(t *testing.T)
// Arrange: 403 response with no security headers
// Act: Parse log entry
// Assert: source=cerberus, blocked=true, block_reason="Access denied"

Mock Requirements

• MockFile: For simulating EOF and read errors
• MockReader: For controlled error injection

Expected Assertions

• Entry fields match expected values
• Headers are extracted correctly
• Details map contains expected keys/values
• Blocked flag is set correctly
• BlockReason is populated
• Source is identified correctly

---

File 3: backend/internal/crowdsec/console_enroll.go

Current Coverage: 79.59% (11 missing lines, 9 partial branches) Existing Test File: backend/internal/crowdsec/console_enroll_test.go Priority: MEDIUM (critical feature, mostly covered, need edge cases)

Coverage Analysis

Missing Coverage Areas

1. Enroll Function - Invalid Agent Name (Lines 117-119)

   • Agent name regex validation failure
   • Error message formatting

2. Enroll Function - Invalid Tenant Name (Lines 121-123)

   • Tenant name regex validation failure
   • Error message formatting

3. ensureCAPIRegistered Function - Standard Layout (Lines 198-201)

   • Checking config/online_api_credentials.yaml (standard layout)
   • Fallback to root online_api_credentials.yaml

4. ensureCAPIRegistered Function - CAPI Register Error (Lines 212-214)

   • CAPI register command failure
   • Error message with command output

5. findConfigPath Function - Standard Layout (Lines 218-222)

   • Checking config/config.yaml (standard layout)
   • Fallback to root config.yaml
   • Return empty string if neither exists

6. statusFromModel Function - Nil Check (Lines 268-270)

   • When model is nil, return not_enrolled status

7. normalizeEnrollmentKey Function - Invalid Format (Lines 374-376)

   • When key doesn't match any valid pattern
   • Error message

Test Cases to Add

Test Suite: Enroll Input Validation

TestEnroll_InvalidAgentNameCharacters(t *testing.T)
// Arrange: Agent name with special chars like "agent@name!"
// Act: Call Enroll
// Assert: Returns error "may only include letters, numbers, dot, dash, underscore"

TestEnroll_AgentNameTooLong(t *testing.T)
// Arrange: Agent name with 65 characters
// Act: Call Enroll
// Assert: Returns error (regex max 64)

TestEnroll_InvalidTenantNameCharacters(t *testing.T)
// Arrange: Tenant with special chars like "tenant$name"
// Act: Call Enroll
// Assert: Returns error "may only include letters, numbers, dot, dash, underscore"

Test Suite: ensureCAPIRegistered

TestEnsureCAPIRegistered_StandardLayoutExists(t *testing.T)
// Arrange: Create dataDir/config/online_api_credentials.yaml
// Act: Call ensureCAPIRegistered
// Assert: Returns nil (no registration needed)

TestEnsureCAPIRegistered_RootLayoutExists(t *testing.T)
// Arrange: Create dataDir/online_api_credentials.yaml (not in config/)
// Act: Call ensureCAPIRegistered
// Assert: Returns nil (no registration needed)

TestEnsureCAPIRegistered_RegisterError(t *testing.T)
// Arrange: No credentials file, mock executor returns error
// Act: Call ensureCAPIRegistered
// Assert: Returns error with command output

Test Suite: findConfigPath

TestFindConfigPath_StandardLayout(t *testing.T)
// Arrange: Create dataDir/config/config.yaml
// Act: Call findConfigPath
// Assert: Returns path to config/config.yaml

TestFindConfigPath_RootLayout(t *testing.T)
// Arrange: Create dataDir/config.yaml (not in config/)
// Act: Call findConfigPath
// Assert: Returns path to config.yaml

TestFindConfigPath_NeitherExists(t *testing.T)
// Arrange: Empty dataDir
// Act: Call findConfigPath
// Assert: Returns empty string

Test Suite: statusFromModel

TestStatusFromModel_NilModel(t *testing.T)
// Arrange: Pass nil model
// Act: Call statusFromModel
// Assert: Returns ConsoleEnrollmentStatus with status=not_enrolled

TestStatusFromModel_EmptyStatus(t *testing.T)
// Arrange: Model with empty Status field
// Act: Call statusFromModel
// Assert: Returns status=not_enrolled (default)

Test Suite: normalizeEnrollmentKey

TestNormalizeEnrollmentKey_InvalidCharacters(t *testing.T)
// Arrange: Key with special characters "abc@123#def"
// Act: Call normalizeEnrollmentKey
// Assert: Returns error "invalid enrollment key"

TestNormalizeEnrollmentKey_TooShort(t *testing.T)
// Arrange: Key with only 5 characters "ab123"
// Act: Call normalizeEnrollmentKey
// Assert: Returns error (regex requires min 10)

TestNormalizeEnrollmentKey_NonMatchingFormat(t *testing.T)
// Arrange: Random text "this is not a key"
// Act: Call normalizeEnrollmentKey
// Assert: Returns error "invalid enrollment key"

Mock Requirements

• MockFileSystem: For testing config/credentials file detection
• StubEnvExecutor: Already exists in test file, extend for CAPI register errors

Expected Assertions

• Error messages match expected patterns
• Status defaults are applied correctly
• File path resolution follows precedence order
• Regex validation catches all invalid inputs

---

File 4: backend/internal/services/crowdsec_startup.go

Current Coverage: 94.73% (5 missing lines, 1 partial branch) Existing Test File: backend/internal/services/crowdsec_startup_test.go Priority: LOW (already excellent coverage, just a few edge cases)

Coverage Analysis

Missing Coverage Areas

1. ReconcileCrowdSecOnStartup - DB Error After Creating Config (Lines 78-80)

   • After creating SecurityConfig, db.First fails on re-read
   • This is a rare edge case (DB commit succeeds but immediate read fails)

2. ReconcileCrowdSecOnStartup - Settings Table Query Fallthrough (Lines 83-90)

   • When db.Raw query fails (not just no rows)
   • Log field for setting_enabled

3. ReconcileCrowdSecOnStartup - Decision Path When Settings Enabled (Lines 92-99)

   • When SecurityConfig mode is NOT "local" but Settings enabled
   • Log indicating Settings override triggered start

Test Cases to Add

Test Suite: Database Error Handling

TestReconcileCrowdSecOnStartup_DBErrorAfterCreate(t *testing.T)
// Arrange: DB that succeeds Create but fails First (simulated with closed DB)
// Act: Call ReconcileCrowdSecOnStartup
// Assert: Function handles error gracefully, logs warning, returns early

TestReconcileCrowdSecOnStartup_SettingsQueryError(t *testing.T)
// Arrange: DB where Raw query returns error (not gorm.ErrRecordNotFound)
// Act: Call ReconcileCrowdSecOnStartup
// Assert: Function logs debug message and continues with SecurityConfig only

Test Suite: Settings Override Path

TestReconcileCrowdSecOnStartup_SettingsOverrideWithRemoteMode(t *testing.T)
// Arrange: SecurityConfig with mode="remote", Settings with enabled=true
// Act: Call ReconcileCrowdSecOnStartup
// Assert: CrowdSec is started (Settings wins), log shows Settings override

TestReconcileCrowdSecOnStartup_SettingsOverrideWithAPIMode(t *testing.T)
// Arrange: SecurityConfig with mode="api", Settings with enabled=true
// Act: Call ReconcileCrowdSecOnStartup
// Assert: CrowdSec is started (Settings wins)

Mock Requirements

• ClosedDB: Database that returns errors after operations
• Existing mocks are sufficient for most cases

Expected Assertions

• Log messages indicate override path taken
• Start is called when Settings override is active
• Error handling doesn't panic
• Function returns gracefully on DB errors

---

File 5: backend/internal/api/routes/routes.go

Current Coverage: 69.23% (2 missing lines, 2 partial branches) Existing Test File: backend/internal/api/routes/routes_test.go Priority: LOW (simple registration logic, missing only error paths)

Coverage Analysis

Missing Coverage Areas

1. Register Function - Docker Service Unavailable (Line 182)

   • When services.NewDockerService() returns error
   • Log message for unavailable Docker service

2. Register Function - Caddy Ping Timeout (Line 344)

   • When waiting for Caddy readiness times out after 30 seconds
   • Log warning about timeout

3. Register Function - Caddy Config Apply Error (Line 350)

   • When caddyManager.ApplyConfig returns error
   • Log error message

4. Register Function - Caddy Config Apply Success (Line 352)

   • When caddyManager.ApplyConfig succeeds
   • Log success message

Test Cases to Add

Test Suite: Service Initialization Errors

TestRegister_DockerServiceUnavailable(t *testing.T)
// Arrange: Environment where Docker socket is not accessible
// Act: Call Register
// Assert: Routes still registered, logs warning "Docker service unavailable"

TestRegister_CaddyPingTimeout(t *testing.T)
// Arrange: Mock Caddy that never responds to Ping
// Act: Call Register
// Assert: Function returns after 30s timeout, logs "Timeout waiting for Caddy"

TestRegister_CaddyApplyConfigError(t *testing.T)
// Arrange: Mock Caddy that returns error on ApplyConfig
// Act: Call Register
// Assert: Error logged "Failed to apply initial Caddy config"

TestRegister_CaddyApplyConfigSuccess(t *testing.T)
// Arrange: Mock Caddy that succeeds immediately
// Act: Call Register
// Assert: Success logged "Successfully applied initial Caddy config"

Mock Requirements

• MockCaddyManager: For simulating Ping and ApplyConfig behavior
• MockDockerService: For simulating Docker unavailability

Expected Assertions

• Log messages match expected patterns
• Routes are registered even when services fail
• Goroutine completes within expected timeframe

---

File 6: backend/internal/api/handlers/crowdsec_exec.go

Current Coverage: 92.85% (2 missing lines) Existing Test File: backend/internal/api/handlers/crowdsec_exec_test.go Priority: LOW (excellent coverage, just error path)

Coverage Analysis

Missing Coverage Areas

1. Stop Function - Signal Send Error (Lines 76-79)
   • When proc.Signal(syscall.SIGTERM) returns error other than ESRCH/ErrProcessDone
   • Error is returned to caller

Test Cases to Add

Test Suite: Stop Error Handling

TestDefaultCrowdsecExecutor_Stop_SignalError(t *testing.T)
// Arrange: Process that exists but signal fails with permission error
// Act: Call Stop
// Assert: Returns error (not ESRCH or ErrProcessDone)

TestDefaultCrowdsecExecutor_Stop_SignalErrorCleanup(t *testing.T)
// Arrange: Process with PID file, signal fails with unknown error
// Act: Call Stop
// Assert: Error returned but PID file NOT cleaned up

Mock Requirements

• MockProcess: For simulating signal send errors
• May need OS-level permissions testing (use build tags for Linux-only tests)

Expected Assertions

• Error is propagated to caller
• PID file cleanup behavior matches error type
• ESRCH is handled as success (process already dead)

---

Configuration File Updates

.gitignore

Status: ✅ NO CHANGES NEEDED

Current configuration already excludes:

• Test output files (*.out, *.cover, coverage/)
• Coverage artifacts (coverage*.txt, *.coverage.out)
• All test-related temporary files

.codecov.yml

Status: ✅ NO CHANGES NEEDED

Current configuration already excludes:

• All test files (*_test.go, *.test.ts)
• Integration tests (**/integration/**)
• Test utilities (**/test/**, **/__tests__/**)

The coverage targets and ignore patterns are comprehensive.

.dockerignore

Status: ✅ NO CHANGES NEEDED

Current configuration already excludes:

• Test coverage artifacts (coverage/, *.cover)
• Test result files (backend/test-output.txt)
• All test-related files

---

Testing Infrastructure Requirements

Existing Infrastructure (✅ Already Available)

1. Test Database Helper: OpenTestDB(t *testing.T) in handlers tests
2. Gin Test Mode: gin.SetMode(gin.TestMode)
3. HTTP Test Recorder: httptest.NewRecorder()
4. GORM SQLite: In-memory database for tests
5. Testify Assertions: require and assert packages

New Infrastructure Needed

1. Mock HTTP Server (for LAPI client tests)

   // Add to crowdsec_handler_test.go
   type mockLAPIServer struct {
       responses []mockResponse
       callCount int
   }
   
   type mockResponse struct {
       status      int
       contentType string
       body        []byte
   }
   

2. Mock File System (for acquisition config tests)

   // Add to test utilities
   type mockFileOps interface {
       ReadFile(path string) ([]byte, error)
       WriteFile(path string, data []byte) error
       Stat(path string) (os.FileInfo, error)
   }
   

3. Time Travel Helper (for LAPI polling timeout tests)

   // Use testify's Eventually helper or custom sleep mock
   

4. Log Capture Helper (for verifying log messages)

   // Capture logrus output to buffer for assertions
   type logCapture struct {
       buf *bytes.Buffer
       hook *logrus.Hook
   }
   

---

Test Execution Strategy

Phase 1: High-Priority Files (Week 1)

1. crowdsec_handler.go (2-3 days)

   • Implement all GetLAPIDecisions tests
   • Implement Start handler LAPI polling tests
   • Implement decision management tests
   • Implement acquisition config tests

2. log_watcher.go (1 day)

   • Implement detectSecurityEvent edge cases
   • Implement readLoop error handling
   • Verify all header detection paths

Phase 2: Medium-Priority Files (Week 2)

3. console_enroll.go (1 day)
   • Implement input validation tests
   • Implement config path resolution tests
   • Implement CAPI registration error tests

Phase 3: Low-Priority Files (Week 2)

4. crowdsec_startup.go (0.5 days)

   • Implement DB error handling tests
   • Implement Settings override path tests

5. routes.go (0.5 days)

   • Implement service initialization error tests
   • Implement Caddy startup sequence tests

6. crowdsec_exec.go (0.5 days)

   • Implement Stop signal error test

Validation Strategy

1. Run Tests After Each File

   cd backend && go test -v ./internal/api/handlers -run TestCrowdsec
   cd backend && go test -v ./internal/services -run TestLogWatcher
   cd backend && go test -v ./internal/crowdsec -run TestConsole
   

2. Generate Coverage Report

   ./scripts/go-test-coverage.sh
   

3. Verify 100% Coverage

   go tool cover -html=coverage.out -o coverage.html
   # Open coverage.html and verify all target files show 100%
   

4. Run Pre-Commit Hooks

   pre-commit run --all-files
   

---

Success Criteria

Per-File Targets

• ✅ crowdsec_handler.go: 100.00% (0 missing lines, 0 partial branches)
• ✅ log_watcher.go: 100.00% (0 missing lines, 0 partial branches)
• ✅ console_enroll.go: 100.00% (0 missing lines, 0 partial branches)
• ✅ crowdsec_startup.go: 100.00% (0 missing lines, 0 partial branches)
• ✅ routes.go: 100.00% (0 missing lines, 0 partial branches)
• ✅ crowdsec_exec.go: 100.00% (0 missing lines, 0 partial branches)

Quality Gates

1. All tests pass: go test ./... -v
2. Coverage >= 100%: For each target file
3. Pre-commit passes: All linters and formatters
4. No flaky tests: Tests are deterministic and reliable
5. Fast execution: Test suite runs in < 30 seconds

---

Risk Assessment

Low Risk

• crowdsec_exec.go: Only 2 lines missing, straightforward error path
• routes.go: Simple logging branches, easy to test
• crowdsec_startup.go: Already 94.73%, just edge cases

Medium Risk

• log_watcher.go: File I/O and error handling, but well-isolated
• console_enroll.go: Mostly covered, just input validation

High Risk

• crowdsec_handler.go: Complex HTTP client behavior, LAPI interaction, multiple fallback paths
  • Mitigation: Use httptest for mock LAPI server, test each fallback path independently

---

Implementation Checklist

Pre-Implementation

• Review existing test patterns in each test file
• Set up mock HTTP server for LAPI tests
• Create test data fixtures (sample JSON responses)
• Document expected error messages for assertions

During Implementation

• Write tests incrementally (one suite at a time)
• Run coverage after each test suite
• Verify no regression in existing tests
• Add comments explaining complex test scenarios

Post-Implementation

• Generate and review final coverage report
• Run full test suite 3 times to check for flakes
• Update test documentation if patterns change
• Create PR with coverage improvement metrics

---

Appendix: Example Test Patterns

Pattern 1: Testing HTTP Handlers with Mock LAPI

func TestGetLAPIDecisions_Success(t *testing.T) {
    // Create mock LAPI server
    mockLAPI := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.Header().Set("Content-Type", "application/json")
        w.WriteHeader(http.StatusOK)
        json.NewEncoder(w).Encode([]lapiDecision{
            {ID: 1, Value: "192.168.1.1", Type: "ban"},
        })
    }))
    defer mockLAPI.Close()

    // Create handler with mock LAPI URL
    h := setupHandlerWithLAPIURL(mockLAPI.URL)

    // Make request
    w := httptest.NewRecorder()
    req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/decisions/lapi", http.NoBody)
    h.GetLAPIDecisions(w, req)

    // Assert
    require.Equal(t, http.StatusOK, w.Code)
    var resp map[string]interface{}
    json.Unmarshal(w.Body.Bytes(), &resp)
    assert.Equal(t, "lapi", resp["source"])
}

Pattern 2: Testing File Operations

func TestGetAcquisitionConfig_Success(t *testing.T) {
    // Create temp file
    tmpFile := filepath.Join(t.TempDir(), "acquis.yaml")
    content := "source: file\nfilenames:\n  - /var/log/test.log"
    require.NoError(t, os.WriteFile(tmpFile, []byte(content), 0644))

    // Override acquisPath in handler (use setter or constructor param)
    h := NewCrowdsecHandlerWithAcquisPath(tmpFile)

    // Make request
    w := httptest.NewRecorder()
    req := httptest.NewRequest(http.MethodGet, "/api/v1/admin/crowdsec/acquisition", http.NoBody)
    h.GetAcquisitionConfig(w, req)

    // Assert
    require.Equal(t, http.StatusOK, w.Code)
    var resp map[string]interface{}
    json.Unmarshal(w.Body.Bytes(), &resp)
    assert.Equal(t, content, resp["content"])
}

Pattern 3: Testing Error Paths with Mocks

func TestEnroll_ExecutorError(t *testing.T) {
    db := openConsoleTestDB(t)
    exec := &stubEnvExecutor{
        responses: []struct {
            out []byte
            err error
        }{
            {nil, nil}, // lapi status success
            {nil, nil}, // capi register success
            {[]byte("error output"), fmt.Errorf("enrollment failed")}, // enroll error
        },
    }

    svc := NewConsoleEnrollmentService(db, exec, t.TempDir(), "secret")

    status, err := svc.Enroll(context.Background(), ConsoleEnrollRequest{
        EnrollmentKey: "abc123",
        AgentName:     "test-agent",
    })

    require.Error(t, err)
    assert.Equal(t, "failed", status.Status)
    assert.Contains(t, status.LastError, "enrollment failed")
}

---

Conclusion

This comprehensive plan provides a clear roadmap to achieve 100% test coverage for all identified files. The strategy prioritizes high-impact files first, uses proven test patterns, and includes detailed test case descriptions for every missing coverage area.

Estimated Effort: 4-5 days total Expected Outcome: 100% line and branch coverage for all 6 target files Risk Level: Medium (mostly straightforward, some complex HTTP client testing)

Implementation should proceed file-by-file, with continuous validation of coverage improvements after each test suite is added.