refactor: restructure packages, fix bugs, and improve test coverage

Reorganize internal packages into domain/sync layers, fix multiple
correctness bugs, harden the integration test infrastructure, and
add comprehensive unit tests across all major packages.

Architecture:
- Extract shared App factory into internal/app/factory.go, removing
  duplicated newApp() from all four cmd/ entry points
- Move domain types/interfaces/errors into internal/domain/
- Move sync logic into internal/sync/ with full unit tests
- Add context.Context to OktaClient interface, remove stored-context
  anti-pattern
- Add compile-time interface assertions for GitHubClient and OktaClient
- Remove unused GitHubClientFactory and cross-installation code path

Bug fixes:
- Fix mapErrorResponse: errors.HasType() never matched errors.Mark()
  markers; switch to errors.Is() so domain errors return correct HTTP
  status codes (401/400/503/502) instead of always 500
- Fix GetOrCreateTeam: non-404 errors (403, 500) were misclassified as
  ErrTeamNotFound
- Fix sync all-rules-failed detection: compared against len(reports)
  instead of tracking enabled rule count separately
- Fix PR review deduplication: count only latest review per user
- Add GitHub Check Runs support alongside legacy commit statuses
- Fix token refresh TOCTOU race with double-check pattern
- Add Okta API pagination to ListGroups, GetGroupByName, GetGroupMembers
- Normalize username case in team membership comparisons

Test infrastructure:
- Replace hardcoded ports (9001-9003) with dynamic TLS listeners
- Add IP SANs to self-signed test certificates
- Add env var save/restore between integration test scenarios
- Add unexpected-destructive-call validation
- Fix test log handler Enabled() to respect verbose flag
- Add request body size limit (10MB) to HTTP server

Test coverage (before -> after):
- internal/app: 24.5% -> 55.8%
- internal/config: 14.8% -> 74.1%
- internal/notifiers: 2.7% -> 97.3%
- internal/sync: 82.8% -> 83.3%

Cleanup:
- Remove all fmt.Errorf usage, consistently use cockroachdb/errors
- Remove dead ErrOAuthTokenExpired sentinel
- Extract extractGroupName() helper in okta package
- Pre-compile regex in sync.go computeTeamName
- Trim leading/trailing dashes from generated team names

Author: sgtoj

.github/.dependabot.yaml

@@ -4,3 +4,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/ci.yaml

@@ -46,10 +46,10 @@ jobs:
         with:
           go-version: '1.24'
 
-      - name: Run tests
+      - name: Run unit tests
         run: make test
 
-      - name: Run tests
+      - name: Run integration tests
         run: make test-verify-verbose
 
   build:

assets/github/manafiest.json assets/github/manifest.jsonassets/github/manafiest.json renamed to assets/github/manifest.json

@@ -3,13 +3,13 @@ package main
 import (
 	"context"
 	"encoding/json"
-	"fmt"
 	"log/slog"
 	"strings"
 	"sync"
 
 	awsevents "github.com/aws/aws-lambda-go/events"
 	"github.com/aws/aws-lambda-go/lambda"
+	"github.com/cockroachdb/errors"
 	"github.com/cruxstack/github-ops-app/internal/app"
 	"github.com/cruxstack/github-ops-app/internal/config"
 )
@@ -27,10 +27,10 @@ func initApp() {
 
 		cfg, err := config.NewConfig()
 		if err != nil {
-			initErr = fmt.Errorf("config init failed: %w", err)
+			initErr = errors.Wrap(err, "config init failed")
 			return
 		}
-		appInst, initErr = app.New(context.Background(), cfg)
+		appInst, initErr = app.NewApp(context.Background(), cfg, logger)
 	})
 }
 
@@ -99,7 +99,7 @@ func EventBridgeHandler(ctx context.Context, evt awsevents.CloudWatchEvent) erro
 	resp := appInst.HandleRequest(ctx, req)
 
 	if resp.StatusCode >= 400 {
-		return fmt.Errorf("scheduled event failed: %s", string(resp.Body))
+		return errors.Newf("scheduled event failed: %s", string(resp.Body))
 	}
 
 	return nil
@@ -122,7 +122,7 @@ func UniversalHandler(ctx context.Context, event json.RawMessage) (any, error) {
 		return nil, EventBridgeHandler(ctx, eventBridgeEvent)
 	}
 
-	return nil, fmt.Errorf("unknown lambda event type")
+	return nil, errors.New("unknown lambda event type")
 }
 
 func main() {

cmd/lambda/main.go

@@ -32,7 +32,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	a, err := app.New(ctx, cfg)
+	a, err := app.NewApp(ctx, cfg, logger)
 	if err != nil {
 		logger.Error("failed to initialize app", slog.String("error", err.Error()))
 		os.Exit(1)
@@ -52,7 +52,11 @@ func main() {
 	}
 
 	for i, sample := range samples {
-		eventType := sample["event_type"].(string)
+		eventType, ok := sample["event_type"].(string)
+		if !ok {
+			logger.Error("missing or invalid event_type", slog.Int("sample", i))
+			os.Exit(1)
+		}
 
 		switch eventType {
 		case "okta_sync":

cmd/sample/main.go

@@ -30,7 +30,7 @@ func main() {
 		os.Exit(1)
 	}
 
-	appInst, err = app.New(ctx, cfg)
+	appInst, err = app.NewApp(ctx, cfg, logger)
 	if err != nil {
 		logger.Error("app init failed", slog.String("error", err.Error()))
 		os.Exit(1)
@@ -83,12 +83,12 @@ func main() {
 
 // httpHandler converts http.Request to app.Request and handles the response.
 func httpHandler(w http.ResponseWriter, r *http.Request) {
-	body, err := io.ReadAll(r.Body)
+	defer r.Body.Close()
+	body, err := io.ReadAll(io.LimitReader(r.Body, 10<<20)) // 10MB limit
 	if err != nil {
 		http.Error(w, "failed to read request body", http.StatusBadRequest)
 		return
 	}
-	defer r.Body.Close()
 
 	headers := make(map[string]string)
 	for key, values := range r.Header {

cmd/server/main.go

@@ -1,8 +1,9 @@
 # config used during offline verification testing
 #
-#  - all api calls are mocked all config is fake
-#  - private keys is dynamically generated during test setup
-#  - endpoints are https with tls configured during setup
+#  - all api calls are mocked and all config is fake
+#  - private keys are dynamically generated during test setup
+#  - endpoints use dynamic ports assigned at runtime
+#  - base urls are set per-scenario by the test runner
 
 APP_DEBUG_ENABLED=false
 
@@ -11,15 +12,13 @@ APP_GITHUB_APP_ID=123456
 APP_GITHUB_INSTALLATION_ID=987654
 APP_GITHUB_ORG=acme-ghorg
 APP_GITHUB_WEBHOOK_SECRET=test_webhook_secret
-APP_GITHUB_BASE_URL=https://localhost:9001/
 
 # github pr compliance configuration
 APP_PR_COMPLIANCE_ENABLED=true
 APP_PR_MONITORED_BRANCHES=main,master
 
 # okta configuration (oauth2 with private key)
 APP_OKTA_DOMAIN=dev-12345.okta.com
-APP_OKTA_CLIENT_ID=test-client-id
 
 # okta sync rules
 APP_OKTA_GITHUB_USER_FIELD=githubUsername
@@ -28,4 +27,3 @@ APP_OKTA_SYNC_RULES=[{"enabled":true,"okta_group_name":"Engineering","github_tea
 # slack configuration
 APP_SLACK_TOKEN=xoxb-test-token
 APP_SLACK_CHANNEL=C01234TEST
-APP_SLACK_API_URL=https://localhost:9003/

cmd/verify/.env.test

@@ -18,7 +18,7 @@ type testHandler struct {
 
 // Enabled returns true for all log levels when verbose mode is enabled.
 func (h *testHandler) Enabled(_ context.Context, _ slog.Level) bool {
-	return true
+	return h.verbose
 }
 
 // Handle formats and writes log records to output with test-appropriate