coverage: E2EE pack/unpack, sessionKillByAuthrole, ConnectRawSocketPeer

Three small focused test additions targeting previously-uncovered
functions identified by the cross-package coverage report. None of
them require source changes; all are pure pinning tests.

client/export_e2ee_test.go (new):
  - packE2EEPayload: 0% → 90.9%
  - unpackE2EEPayload: 0% → 100%
  Sister tests to the PPT pack/unpack coverage in
  export_ppt_test.go. Covers CBOR round-trip, invalid-serializer
  errors (json/msgpack/unknown/empty), and corrupt-bytes
  deserialization error.

router/sessionkill_test.go:
  - sessionKillByAuthrole: 0% → 91.7%
  Three tests mirroring TestSessionKillByAuthid:
   - happy path: caller's own authrole excluded; victims get
     GOODBYE with reason+message; RESULT count is 2.
   - missing authrole argument → ErrNoSuchSession.
   - invalid reason URI → ErrInvalidURI.

transport/rawsocket_connect_test.go (new):
  - ConnectRawSocketPeer: 34.3% → 91.4%
  Six tests covering the error paths:
   - bad network type → checkNetworkType error
   - bad serialization value → getProtoByte error
   - dial failure (no listener) → DialContext error
   - dial succeeds, server speaks garbage → clientHandshake error
   - TLS handshake against plain-TCP server → tls.Handshake error
   - TLS handshake while context expires → ctx.Err()

Race detector clean over count=10.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Marko Petzold

client/export_e2ee_test.go

@@ -0,0 +1,85 @@
+package client
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/gammazero/nexus/v3/transport/serialize"
+	"github.com/gammazero/nexus/v3/wamp"
+)
+
+// TestPackE2EEPayloadCBORRoundTrip pins the End-to-End-Encrypted
+// payload pack/unpack helpers (sister of the PPT helpers tested in
+// export_ppt_test.go). E2EE is hard-coded to the CBOR serializer
+// (only entry in E2eeSerializers); this test verifies the wrap-bytes-
+// then-unwrap-bytes round-trip.
+func TestPackE2EEPayloadCBORRoundTrip(t *testing.T) {
+	origArgs := wamp.List{"opaque", "second", true}
+	origKwargs := wamp.Dict{"k1": "v1", "k2": "v2"}
+
+	opts := wamp.Dict{wamp.OptPPTSerializer: "cbor"}
+	packed, err := packE2EEPayload(opts, origArgs, origKwargs)
+	require.NoError(t, err)
+	require.Len(t, packed, 1, "E2EE pack must produce a single-element args list")
+	bin, ok := packed[0].([]byte)
+	require.True(t, ok, "E2EE pack must produce []byte payload, got %T", packed[0])
+	require.NotEmpty(t, bin)
+
+	details := wamp.Dict{wamp.OptPPTSerializer: "cbor"}
+	gotArgs, gotKwargs, err := unpackE2EEPayload(details, packed)
+	require.NoError(t, err)
+	require.Equal(t, origArgs, gotArgs)
+	require.Equal(t, origKwargs, gotKwargs)
+}
+
+// TestPackE2EEPayloadInvalidSerializer pins the error path: an
+// unsupported ppt_serializer value (anything not in the
+// E2eeSerializers whitelist) returns ErrPPTSerializerInvalid.
+func TestPackE2EEPayloadInvalidSerializer(t *testing.T) {
+	cases := []struct {
+		name       string
+		serializer string
+	}{
+		{"json_not_allowed_for_e2ee", "json"},
+		{"msgpack_not_allowed_for_e2ee", "msgpack"},
+		{"unknown_serializer", "x_unknown"},
+		{"empty_string", ""},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			opts := wamp.Dict{wamp.OptPPTSerializer: tc.serializer}
+			packed, err := packE2EEPayload(opts, wamp.List{"x"}, nil)
+			require.ErrorIs(t, err, ErrPPTSerializerInvalid)
+			require.Nil(t, packed)
+		})
+	}
+}
+
+// TestUnpackE2EEPayloadInvalidSerializer pins the inverse error
+// path on the receive side.
+func TestUnpackE2EEPayloadInvalidSerializer(t *testing.T) {
+	details := wamp.Dict{wamp.OptPPTSerializer: "json"}
+	args, kwargs, err := unpackE2EEPayload(details, wamp.List{[]byte("doesn't matter")})
+	require.ErrorIs(t, err, ErrPPTSerializerInvalid)
+	require.Nil(t, args)
+	require.Nil(t, kwargs)
+}
+
+// TestUnpackE2EEPayloadCorruptBytes pins the deserialization error
+// path: a well-typed []byte payload that isn't valid CBOR returns
+// ErrSerialization.
+func TestUnpackE2EEPayloadCorruptBytes(t *testing.T) {
+	// A few definitely-not-cbor bytes.
+	garbage := []byte{0xff, 0xff, 0xff, 0xff}
+	// Sanity: the CBOR serializer rejects this for our PassthruPayload type.
+	var pp wamp.PassthruPayload
+	require.Error(t, (&serialize.CBORSerializer{}).DeserializeDataItem(garbage, &pp),
+		"sanity: garbage must not deserialize as PassthruPayload")
+
+	details := wamp.Dict{wamp.OptPPTSerializer: "cbor"}
+	args, kwargs, err := unpackE2EEPayload(details, wamp.List{garbage})
+	require.ErrorIs(t, err, ErrSerialization)
+	require.Nil(t, args)
+	require.Nil(t, kwargs)
+}

router/sessionkill_test.go

@@ -158,6 +158,103 @@ func TestSessionKillByAuthid(t *testing.T) {
 	})
 }
 
+func TestSessionKillByAuthrole(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		r := newTestRouter(t)
+
+		cli1 := testClient(t, r) // caller — all three default to authrole "anonymous"
+		cli2 := testClient(t, r)
+		cli3 := testClient(t, r)
+
+		callerAuthrole, _ := wamp.AsString(cli1.Details["authrole"])
+		require.NotEmpty(t, callerAuthrole, "test setup should give clients a non-empty authrole")
+
+		reason := wamp.URI("foo.bar.baz")
+		message := "kicked by authrole"
+
+		// Kill all sessions with this authrole. The caller's own session
+		// has the same authrole and must be excluded from the kill set.
+		cli1.Send() <- &wamp.Call{
+			Request:     wamp.GlobalID(),
+			Procedure:   wamp.MetaProcSessionKillByAuthrole,
+			Arguments:   wamp.List{callerAuthrole},
+			ArgumentsKw: wamp.Dict{"reason": reason, "message": message},
+		}
+
+		msg, err := wamp.RecvTimeout(cli1, time.Second)
+		require.NoError(t, err)
+		res, ok := msg.(*wamp.Result)
+		require.True(t, ok, "expected RESULT, got %T", msg)
+		// RESULT carries the count of kicked sessions (2: cli2 and cli3).
+		count, ok := wamp.AsInt64(res.Arguments[0])
+		require.True(t, ok, "RESULT arg[0] should be an integer count")
+		require.Equal(t, int64(2), count)
+
+		// cli2 and cli3 must receive GOODBYE with the supplied reason+message.
+		for i, victim := range []*wamp.Session{cli2, cli3} {
+			msg, err := wamp.RecvTimeout(victim, time.Second)
+			require.NoErrorf(t, err, "victim %d did not receive GOODBYE", i+2)
+			g, ok := msg.(*wamp.Goodbye)
+			require.Truef(t, ok, "victim %d expected GOODBYE, got %T", i+2, msg)
+			require.Equal(t, reason, g.Reason)
+			m, _ := wamp.AsString(g.Details["message"])
+			require.Equal(t, message, m)
+		}
+
+		// cli1 (the caller) must NOT have been kicked off.
+		_, err = wamp.RecvTimeout(cli1, time.Millisecond)
+		require.Error(t, err, "caller should be excluded from authrole-kill")
+	})
+}
+
+// TestSessionKillByAuthroleMissingArg pins the no-argument error
+// path: kill_by_authrole with no Arguments must return
+// wamp.error.no_such_session.
+func TestSessionKillByAuthroleMissingArg(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		r := newTestRouter(t)
+		cli := testClient(t, r)
+
+		cli.Send() <- &wamp.Call{
+			Request:   wamp.GlobalID(),
+			Procedure: wamp.MetaProcSessionKillByAuthrole,
+			// Arguments intentionally empty.
+		}
+
+		msg, err := wamp.RecvTimeout(cli, time.Second)
+		require.NoError(t, err)
+		errMsg, ok := msg.(*wamp.Error)
+		require.True(t, ok, "expected ERROR, got %T", msg)
+		require.Equal(t, wamp.ErrNoSuchSession, errMsg.Error)
+	})
+}
+
+// TestSessionKillByAuthroleInvalidReasonURI pins the URI-validation
+// error path: a malformed reason URI is rejected with
+// wamp.error.invalid_uri.
+func TestSessionKillByAuthroleInvalidReasonURI(t *testing.T) {
+	synctest.Test(t, func(t *testing.T) {
+		r := newTestRouter(t)
+		cli := testClient(t, r)
+		callerAuthrole, _ := wamp.AsString(cli.Details["authrole"])
+
+		cli.Send() <- &wamp.Call{
+			Request:   wamp.GlobalID(),
+			Procedure: wamp.MetaProcSessionKillByAuthrole,
+			Arguments: wamp.List{callerAuthrole},
+			ArgumentsKw: wamp.Dict{
+				"reason": "not a valid uri at all",
+			},
+		}
+
+		msg, err := wamp.RecvTimeout(cli, time.Second)
+		require.NoError(t, err)
+		errMsg, ok := msg.(*wamp.Error)
+		require.True(t, ok, "expected ERROR for invalid reason URI, got %T", msg)
+		require.Equal(t, wamp.ErrInvalidURI, errMsg.Error)
+	})
+}
+
 func TestSessionModifyDetails(t *testing.T) {
 	synctest.Test(t, func(t *testing.T) {
 		r := newTestRouter(t)

transport/rawsocket_connect_test.go

@@ -0,0 +1,161 @@
+package transport_test
+
+import (
+	"context"
+	"crypto/tls"
+	"io"
+	"log"
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/gammazero/nexus/v3/transport"
+	"github.com/gammazero/nexus/v3/transport/serialize"
+)
+
+// TestConnectRawSocketPeerBadNetworkType pins the early validation:
+// ConnectRawSocketPeer rejects unsupported network types before
+// attempting any I/O.
+func TestConnectRawSocketPeerBadNetworkType(t *testing.T) {
+	logger := log.New(io.Discard, "", 0)
+	peer, err := transport.ConnectRawSocketPeer(t.Context(),
+		"udp", "127.0.0.1:0", serialize.JSON, nil, logger, 0)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "unsupported network type")
+	require.Nil(t, peer)
+}
+
+// TestConnectRawSocketPeerBadSerialization pins the second validation
+// step: an unsupported serialization value is rejected before the dial.
+func TestConnectRawSocketPeerBadSerialization(t *testing.T) {
+	logger := log.New(io.Discard, "", 0)
+	const bogusSerialization = serialize.Serialization(99)
+	peer, err := transport.ConnectRawSocketPeer(t.Context(),
+		"tcp", "127.0.0.1:0", bogusSerialization, nil, logger, 0)
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "serialization not supported")
+	require.Nil(t, peer)
+}
+
+// TestConnectRawSocketPeerDialFailure pins the dial-error path: the
+// address is well-formed but no server is listening. net.Dial
+// returns an error; ConnectRawSocketPeer surfaces it directly.
+func TestConnectRawSocketPeerDialFailure(t *testing.T) {
+	logger := log.New(io.Discard, "", 0)
+	// Use a closed-immediately listener to get a guaranteed-unused
+	// port, then dial it after closing.
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	addr := ln.Addr().String()
+	ln.Close()
+
+	ctx, cancel := context.WithTimeout(t.Context(), 500*time.Millisecond)
+	defer cancel()
+	peer, err := transport.ConnectRawSocketPeer(ctx,
+		"tcp", addr, serialize.JSON, nil, logger, 0)
+	require.Error(t, err)
+	require.Nil(t, peer)
+}
+
+// TestConnectRawSocketPeerHandshakeFailure pins the
+// post-dial-pre-peer error path: dial succeeds but the server isn't
+// speaking RawSocket, so clientHandshake errors. The transient conn
+// must be closed and no peer returned.
+func TestConnectRawSocketPeerHandshakeFailure(t *testing.T) {
+	logger := log.New(io.Discard, "", 0)
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer ln.Close()
+
+	go func() {
+		conn, aerr := ln.Accept()
+		if aerr != nil {
+			return
+		}
+		// Send 4 bytes that are NOT the RawSocket handshake reply.
+		_, _ = conn.Write([]byte{0x00, 0x00, 0x00, 0x00})
+		_ = conn.Close()
+	}()
+
+	peer, err := transport.ConnectRawSocketPeer(t.Context(),
+		"tcp", ln.Addr().String(), serialize.JSON, nil, logger, 0)
+	require.Error(t, err, "handshake should fail when server doesn't speak RawSocket")
+	require.Nil(t, peer)
+}
+
+// TestConnectRawSocketPeerTLSHandshakeFailure pins the TLS error
+// path: the server accepts the TCP connect but speaks plain TCP, not
+// TLS — the TLS handshake fails, ConnectRawSocketPeer returns the
+// error and closes the underlying conn.
+func TestConnectRawSocketPeerTLSHandshakeFailure(t *testing.T) {
+	logger := log.New(io.Discard, "", 0)
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer ln.Close()
+
+	go func() {
+		conn, aerr := ln.Accept()
+		if aerr != nil {
+			return
+		}
+		// Read whatever the client sends (the TLS ClientHello),
+		// then close. The TLS handshake on the client side errors
+		// when the server doesn't reply with a ServerHello.
+		buf := make([]byte, 1024)
+		_, _ = conn.Read(buf)
+		_ = conn.Close()
+	}()
+
+	tlsCfg := &tls.Config{InsecureSkipVerify: true} //nolint:gosec
+	ctx, cancel := context.WithTimeout(t.Context(), 2*time.Second)
+	defer cancel()
+	peer, err := transport.ConnectRawSocketPeer(ctx,
+		"tcp", ln.Addr().String(), serialize.JSON, tlsCfg, logger, 0)
+	require.Error(t, err, "TLS handshake should fail against plain-TCP server")
+	require.Nil(t, peer)
+}
+
+// TestConnectRawSocketPeerTLSContextCancelled pins the
+// context-cancelled-during-TLS-handshake path: the TLS handshake
+// goroutine is still running when the context expires.
+// ConnectRawSocketPeer returns ctx.Err() and closes the conn.
+func TestConnectRawSocketPeerTLSContextCancelled(t *testing.T) {
+	logger := log.New(io.Discard, "", 0)
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer ln.Close()
+
+	// Server: accept, then NEVER send anything. The client's TLS
+	// handshake will block reading the ServerHello until the
+	// context fires.
+	accepted := make(chan net.Conn, 1)
+	go func() {
+		conn, aerr := ln.Accept()
+		if aerr != nil {
+			return
+		}
+		accepted <- conn
+		// Hold the connection open. The test will close it via
+		// listener close after the context expires.
+		<-time.After(time.Second)
+		_ = conn.Close()
+	}()
+
+	tlsCfg := &tls.Config{InsecureSkipVerify: true} //nolint:gosec
+	ctx, cancel := context.WithTimeout(t.Context(), 50*time.Millisecond)
+	defer cancel()
+	peer, err := transport.ConnectRawSocketPeer(ctx,
+		"tcp", ln.Addr().String(), serialize.JSON, tlsCfg, logger, 0)
+	require.Error(t, err, "TLS handshake should be cancelled by context")
+	require.Nil(t, peer)
+
+	// Drain the accepted-conn channel so the helper goroutine doesn't
+	// hold a reference past test end.
+	select {
+	case c := <-accepted:
+		_ = c.Close()
+	case <-time.After(100 * time.Millisecond):
+	}
+}