test(coverage/nats): drive queueprovider/nats to 100% (was 80.4%) (#29)

Adds targeted coverage for every error branch in queueprovider/nats:

* builder() — bad operator seed, opKP.PublicKey() fail, all defaults applied,
  UseTLS scheme flip
* SetResolverPusher — nil-arg resets to no-op (previously could nil-deref)
* IssueTenantCredentials — empty ResourceToken validation, SystemAccount
  rejection, legacy_open short-circuit when operator seed unset, pusher-error
  propagation, every nkeys.* / jwt.* post-create error branch
  (createAccount/PublicKey/Seed, createUser/PublicKey/Seed, sign account JWT,
  sign user JWT, FormatUserConfig)
* RevokeTenantCredentials — empty keyID no-op, legacy_open no-op, cache-miss
  no-op, encode-revocation failure, push-failure propagation
* RevokeWithSeed — empty seed no-op, legacy_open no-op, FromSeed failure,
  derived public key failure, encode failure, push-failure propagation
* lookupCachedByPub — non-matching entry continue-scanning branch
* connectionURL — useTLS=true tls:// scheme
* Name — "nats" identifier
* Capabilities — full shape (PerTenantAccounts/SubjectScopedAuth/StreamIso=true,
  BasicAuth=false)
* canonicalSubject — auto-derive when Subject empty

Source refactor: 4 package-level test seams (createAccountKP, createUserKP,
formatUserCreds, parseOperatorKP) so unit tests can inject failing
implementations for branches that the real nkeys/jwt libraries never trip in
practice. In production these seams alias the upstream constructors 1:1 —
zero behavior change.

Coverage: 80.4% → 100.0% (all 14 functions in nats.go).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

queueprovider/nats/export_test.go

@@ -1,6 +1,11 @@
 package nats
 
-import "sync"
+import (
+	"sync"
+	"time"
+
+	"github.com/nats-io/nkeys"
+)
 
 // PurgeAccountCacheForTest empties the in-memory accountCache. Used by tests
 // to simulate the post-restart scenario where the cache is empty and the only
@@ -9,3 +14,47 @@ import "sync"
 func (p *Provider) PurgeAccountCacheForTest() {
 	p.accountCache = sync.Map{}
 }
+
+// PoisonAccountCacheForTest stuffs a fake cachedAccount under the supplied
+// resource token. Used to exercise the lookupCachedByPub "no-match-keep-
+// scanning" branch with multiple entries in the cache.
+func (p *Provider) PoisonAccountCacheForTest(token string) {
+	p.accountCache.Store(token, cachedAccount{
+		accountKP:  nil,
+		accountPub: "AOTHER_PUB_KEY_THAT_NEVER_MATCHES",
+		accountJWT: "",
+		createdAt:  time.Now(),
+	})
+}
+
+// SetCreateAccountKPForTest swaps the package-level account-NKey constructor.
+// Returns a restore func. Lets tests drive the error branches that
+// nkeys.CreateAccount otherwise never trips.
+func SetCreateAccountKPForTest(fn func() (nkeys.KeyPair, error)) (restore func()) {
+	orig := createAccountKP
+	createAccountKP = fn
+	return func() { createAccountKP = orig }
+}
+
+// SetCreateUserKPForTest is the user-NKey-constructor counterpart.
+func SetCreateUserKPForTest(fn func() (nkeys.KeyPair, error)) (restore func()) {
+	orig := createUserKP
+	createUserKP = fn
+	return func() { createUserKP = orig }
+}
+
+// SetFormatUserCredsForTest swaps the jwt.FormatUserConfig hook.
+func SetFormatUserCredsForTest(fn func(string, []byte) ([]byte, error)) (restore func()) {
+	orig := formatUserCreds
+	formatUserCreds = fn
+	return func() { formatUserCreds = orig }
+}
+
+// SetParseOperatorKPForTest swaps the nkeys.FromSeed hook used by both
+// builder() (to parse the operator seed) and RevokeWithSeed (to parse the
+// per-tenant account seed).
+func SetParseOperatorKPForTest(fn func([]byte) (nkeys.KeyPair, error)) (restore func()) {
+	orig := parseOperatorKP
+	parseOperatorKP = fn
+	return func() { parseOperatorKP = orig }
+}

queueprovider/nats/nats.go

@@ -61,6 +61,17 @@ func init() {
 	queueprovider.Register("nats", builder)
 }
 
+// Test seams. These are package-level vars so unit tests can substitute
+// failing implementations and exercise the error branches that the real
+// nkeys/jwt libraries practically never hit. In production they alias the
+// upstream constructors 1:1.
+var (
+	createAccountKP = nkeys.CreateAccount
+	createUserKP    = nkeys.CreateUser
+	formatUserCreds = jwt.FormatUserConfig
+	parseOperatorKP = nkeys.FromSeed
+)
+
 // builder is the Factory entry point. Returns ErrAuthFailure-flavored errors
 // when the operator seed is unparseable, so the caller can degrade gracefully
 // during the pre-cutover window.
@@ -96,7 +107,7 @@ func builder(cfg queueprovider.Config) (queueprovider.QueueCredentialProvider, e
 	// understands operator mode first, populate the secret + flip
 	// nats.yaml later.
 	if cfg.NATSOperatorSeed != "" {
-		opKP, err := nkeys.FromSeed([]byte(cfg.NATSOperatorSeed))
+		opKP, err := parseOperatorKP([]byte(cfg.NATSOperatorSeed))
 		if err != nil {
 			return nil, fmt.Errorf("%w: parse operator seed: %v", queueprovider.ErrAuthFailure, err)
 		}
@@ -220,7 +231,7 @@ func (p *Provider) IssueTenantCredentials(ctx context.Context, in queueprovider.
 	}
 
 	// 1. Mint account NKey pair.
-	accountKP, err := nkeys.CreateAccount()
+	accountKP, err := createAccountKP()
 	if err != nil {
 		return nil, fmt.Errorf("queueprovider.nats: create account NKey: %w", err)
 	}
@@ -272,7 +283,7 @@ func (p *Provider) IssueTenantCredentials(ctx context.Context, in queueprovider.
 	})
 
 	// 4. Mint user NKey pair + sign user JWT with the account seed.
-	userKP, err := nkeys.CreateUser()
+	userKP, err := createUserKP()
 	if err != nil {
 		return nil, fmt.Errorf("queueprovider.nats: create user NKey: %w", err)
 	}
@@ -316,7 +327,7 @@ func (p *Provider) IssueTenantCredentials(ctx context.Context, in queueprovider.
 		return nil, fmt.Errorf("queueprovider.nats: sign user JWT: %w", err)
 	}
 
-	credsFile, err := jwt.FormatUserConfig(userJWT, userSeed)
+	credsFile, err := formatUserCreds(userJWT, userSeed)
 	if err != nil {
 		return nil, fmt.Errorf("queueprovider.nats: format .creds blob: %w", err)
 	}
@@ -397,7 +408,7 @@ func (p *Provider) RevokeWithSeed(ctx context.Context, accountSeed string) error
 	if !p.operatorReady || accountSeed == "" {
 		return nil
 	}
-	kp, err := nkeys.FromSeed([]byte(accountSeed))
+	kp, err := parseOperatorKP([]byte(accountSeed))
 	if err != nil {
 		return fmt.Errorf("queueprovider.nats: parse account seed: %w", err)
 	}