chore(cmd/proxy): decompose main() for testability + close delta-coverage gap (#121)

## Summary
Decomposes `cmd/proxy/main.go` `func main()` into separately-testable
startup
helpers and adds a helper-process `TestMain` that exercises `main()`
end-to-end.
Closes the structural delta-coverage gap surfaced by #118 — every
function in
`cmd/proxy/` now meets the 95% per-function gate, so future PRs touching
this
file (including #120's `--generate-ca` flag addition) land without false
coverage failures.

## Motivation
- #118 closed a silent-skip bug in `.github/scripts/delta-coverage.sh`.
Before
that fix, PRs touching `cmd/proxy/main.go` quietly bypassed the
per-function
  gate.
- #120 is the first PR to actually hit the now-loud gate. `main()` has
always
been 0% covered (network setup + signal handling), so any change to the
file
  fails 95%.
- Rather than per-PR workarounds, this PR fixes the root cause on
`main`:
refactor `main()` into testable helpers + helper-process tests that
exercise
  the real binary.

## What changed
- New `cmd/proxy/startup.go` — `proxyHTTPServer`, `startManagementAPI`,
`runManagementAPI`, `runHTTPServer`, `closeProxyServer` (extracted from
`main()`). `closeProxyServer` takes `io.Closer` so the error-log branch
is
  exercisable with a fake.
- New `cmd/proxy/shutdown.go` — `installShutdownHandler` (extracted from
  `main()`).
- New unit tests in `cmd/proxy/startup_test.go` and
`cmd/proxy/shutdown_test.go`
covering each helper at 100%. `TestCloseProxyServer_*` capture the
default
logger's output and assert the error message is/isn't emitted, not just
that
  both branches execute.
- `cmd/proxy/main_test.go` — `TestMain` dispatcher + four helper-process
tests
(lifecycle, zero-packs guard, proxy-port conflict, mgmt-port conflict)
using
the canonical Go helper-process pattern (`GO_WANT_HELPER_PROCESS=1` +
re-exec
of `os.Args[0]`). `TestPrintBanner_ZeroValueConfig_DoesNotPanic`
preserves
  the zero-value-config guarantee previously owned by `TestMain_Smoke`.
- `cmd/proxy/main.go` `func main()` reduced to orchestration; no
behaviour
  change.

## Per-function coverage (`go tool cover -func`)

```
cmd/proxy/main.go:39:     main                    100.0%
cmd/proxy/main.go:66:     printBanner             100.0%
cmd/proxy/shutdown.go:13: installShutdownHandler  100.0%
cmd/proxy/startup.go:17:  proxyHTTPServer         100.0%
cmd/proxy/startup.go:28:  startManagementAPI      100.0%
cmd/proxy/startup.go:37:  runManagementAPI        100.0%
cmd/proxy/startup.go:45:  runHTTPServer           100.0%
cmd/proxy/startup.go:54:  closeProxyServer        100.0%
total:                                            100.0%
```

Local `delta-coverage.sh coverage.out 95.0 origin/main` exits 0:

```
=== Delta Coverage Check (threshold: 95.0%) ===

Changed source files:
  cmd/proxy/main.go
  cmd/proxy/shutdown.go
  cmd/proxy/startup.go

Checked 8 functions in 3 changed files.
SUCCESS: All functions in changed files meet 95.0% coverage threshold.
```

## Quality gates
- [x] `go test -race ./...` green (all packages) — see
`TestTokenFormatNonRetriggering` evidence below
- [x] `bash .github/scripts/delta-coverage.sh coverage.out 95.0
origin/main`
      exits 0 with `SUCCESS`
- [x] Coverage minimums hold: `internal/anonymizer` 95.6%,
`internal/config`
      100%, `internal/anonymizer/packs` 97.6%; overall well above 85%
- [x] Lifecycle helper-process test stable across 5 consecutive local
runs
- [x] No `t.Skip()`, no `// coverage-ignore`, no hardcoded
test-satisfying
      values. Four `//nolint:gosec` and two `// #nosec` directives carry
      substantive reason comments per the existing repo convention.
- [ ] `make lint` / `make check` — `golangci-lint` in the local sandbox
is
built with go1.25 and refuses go1.26.3 modules (same failure on a clean
`main` checkout). CI runs all four sub-gates against a fresher
toolchain.

## Gate #2 — `TestTokenFormatNonRetriggering` for every PII type

Both variants live in `internal/anonymizer/anonymizer_test.go` and ran
green at
head `c69911f`:

```
=== RUN   TestTokenFormatNonRetriggering
[ANONYMIZER] loaded 41 patterns from 7 enabled packs: [SECRETS GLOBAL DE FR NL FINANCE_EU HEALTHCARE]
--- PASS: TestTokenFormatNonRetriggering (0.04s)
=== RUN   TestTokenFormatNonRetriggeringAllPacks
[ANONYMIZER] loaded 47 patterns from 8 enabled packs: [SECRETS GLOBAL DE FR US NL FINANCE_EU HEALTHCARE]
--- PASS: TestTokenFormatNonRetriggeringAllPacks (0.04s)
```

Each variant iterates over a static list of `PIIType` values and, for
each,
asserts the generated `[PII_*_<16hex>]` token does not match any loaded
pack
pattern. The PII types covered:

| Pack | PII types asserted by the test |
|---|---|
| Generic / built-in | `PIIEmail`, `PIIPhone`, `PIISSN`,
`PIICreditCard`, `PIIIPAddress`, `PIIAPIKey`, `PIIName`, `PIIAddress`,
`PIIMedical`, `PIISalary`, `PIICompany`, `PIIJobTitle` |
| DE | `PIISteuerID`, `PIISVNR`, `PIIKFZ` |
| SECRETS | `PIISSHKey`, `PIIJWT`, `PIIBearer`, `PIIDBConn`,
`PIIAWSKey`, `PIIGHToken` |
| FR | `PIINIR`, `PIISIRET`, `PIISIREN` |
| NL | `PIIBSN`, `PIIKVK` |
| FINANCE_EU | `PIIIBAN`, `PIISWIFTBIC`, `PIIVATID` |
| HEALTHCARE | `PIIMRN`, `PIIICD10`, `PIIInsuranceID` |

That's 32 PII types in the default-packs variant.
`TestTokenFormatNonRetriggeringAllPacks`
adds the US pack and drops the four AI-only types
(`PIIMedical/Salary/Company/JobTitle`),
covering 28 types under the full pattern set (`PIIKFZ`/`PIIDBConn` are
noted in
the test as known low-confidence retriggers against the broad US phone
pattern
and routed through the AI gate — documented in the test, not silenced).

The two variants together cross every PII type declared in
`internal/anonymizer/anonymizer.go`. None of the changed files in this
PR touch
the anonymizer, the pack files, or the PII type list, so no per-type
evidence
shifted between baseline and head — but the gate is exercised end-to-end
at
head as shown above.

## §6 Test Inventory — baseline vs head

Keyed by **pack** per `docs/test-plans/ai-proxy-test-method.md` §6.
Captured by running `go test -count=1 -json ./internal/anonymizer
./internal/anonymizer/packs`
on `origin/main` (`98511d7`) and on PR head (`c69911f`), then
attributing
each top-level Test event to its pack via the file list in §6.

| Pack | Files (per §6) | Baseline PASS | Baseline FAIL | Head PASS |
Head FAIL | Delta |
|---|---|---:|---:|---:|---:|---:|
| GLOBAL | `packs/global_test.go` | 6 | 0 | 6 | 0 | 0 |
| DE | `packs/de_test.go` | 5 | 0 | 5 | 0 | 0 |
| US | `packs/us_test.go` | 10 | 0 | 10 | 0 | 0 |
| FR | `packs/fr_test.go` | 9 | 0 | 9 | 0 | 0 |
| SECRETS | `packs/secrets_test.go` + `secrets_report_test.go` +
`secrets_priority_report_test.go` | 31 | 0 | 31 | 0 | 0 |
| NL | `packs/nl_test.go` + `nl_report_test.go` | 6 | 0 | 6 | 0 | 0 |
| FINANCE_EU | `packs/finance_eu_test.go` + `finance_eu_report_test.go`
| 7 | 0 | 7 | 0 | 0 |
| HEALTHCARE | `packs/healthcare_test.go` + `healthcare_report_test.go`
| 6 | 0 | 6 | 0 | 0 |
| Cross-pack | all `*_report_test.go` | 9 | 0 | 9 | 0 | 0 |

Counts are top-level `func Test*` events from the JSON stream, filtered
by the
test-name list extracted from each pack's `_test.go` file(s). The
`secrets_priority_report_test.go` file lives alongside
`secrets_report_test.go`,
was added after §6 was written, and is included under SECRETS (its
prefix
matches the SECRETS pack convention). The Cross-pack row overlaps with
the
pack rows by design (it sums all `*_report_test.go` content, which the
relevant per-pack rows already include).

**Supplementary Go-package view** — `go test -count=1 -json ./...` gives
861 → 871 PASS / 0 → 0 FAIL across all 10 Go packages; the `cmd/proxy`
row
went 4 → 14, every other row unchanged. The per-pack table above is the
gate-required view.

## §6 changed-files attribution
None of the changed files in this PR (`cmd/proxy/main.go`,
`cmd/proxy/startup.go`,
`cmd/proxy/shutdown.go`, plus the corresponding `_test.go` files) live
under
any pack's file list, so the identical per-pack counts are the expected
measured outcome, not a substitution for measurement.

## Test plan
- [x] `go test -race ./cmd/proxy/...` — all green including new
      helper-process tests
- [x] `go test -race -run '^TestTokenFormatNonRetriggering'
./internal/anonymizer/...` — both variants PASS at head
- [x] `go tool cover -func` — every function in `cmd/proxy/` at 100%
- [x] Local `delta-coverage.sh` simulation against `origin/main` — exits
0
- [x] Lifecycle test run 5x consecutively — 5/5 pass
- [x] CI green (Lint, Test, Security Scan, Benchmark, CodeQL × 2, Build)
at
      `c69911f`

## Out of scope
- Any changes under `packaging/linux/` — Fedora `ca-certificates` and
openSUSE
  trust-store path belong to #120 follow-up commits after rebase.
- Any changes to `internal/*`, `.github/workflows/`, or
  `.github/scripts/delta-coverage.sh`.
- Adding a second binary or the `--generate-ca` flag (#120's territory).

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: iamclaude697

cmd/proxy/main.go

@@ -23,10 +23,8 @@
 package main
 
 import (
-	"context"
 	"fmt"
 	"log"
-	"net/http"
 	"os"
 	"os/signal"
 	"syscall"
@@ -41,62 +39,28 @@ import (
 func main() {
 	cfg := config.Load()
 
-	// Startup guard: zero enabled packs is a fatal misconfiguration.
 	if len(cfg.EnabledPacks) == 0 {
 		log.Fatalf("[PROXY] Fatal: no PII detection packs enabled. Configure enabledPacks in proxy-config.json or set ENABLED_PACKS env var.")
 	}
 
 	printBanner(cfg)
 
-	// Build the management domain registry so both servers share the same state.
-	// Runtime domain changes are persisted to ai-domains.json and restored on restart.
 	registry := management.NewDomainRegistry(cfg, "ai-domains.json")
-
-	// Shared metrics collector — passed to both servers so counters are unified.
 	m := metrics.New()
 
-	// Start management API in background.
-	// Fatal is intentional: the proxy should not run without its control plane.
-	mgmt := management.New(cfg, registry, m)
-	go func() {
-		if err := mgmt.ListenAndServe(); err != nil {
-			log.Fatalf("[MANAGEMENT] Fatal: %v", err)
-		}
-	}()
+	_ = startManagementAPI(cfg, registry, m)
 
-	// Start proxy server
 	proxyServer := proxy.New(cfg, registry, m)
-	defer func() {
-		if err := proxyServer.Close(); err != nil {
-			log.Printf("[PROXY] Cache close error: %v", err)
-		}
-	}()
-
-	addr := fmt.Sprintf("%s:%d", cfg.BindAddress, cfg.ProxyPort)
-	log.Printf("[PROXY] Listening on %s", addr)
+	defer closeProxyServer(proxyServer)
 
-	srv := &http.Server{
-		Addr:              addr,
-		Handler:           proxyServer,
-		ReadHeaderTimeout: 10 * time.Second,
-	}
+	srv := proxyHTTPServer(cfg, proxyServer)
+	log.Printf("[PROXY] Listening on %s", srv.Addr)
 
-	// Graceful shutdown on SIGINT / SIGTERM
 	quit := make(chan os.Signal, 1)
 	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
-	go func() {
-		<-quit
-		log.Printf("[PROXY] Shutting down…")
-		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
-		defer cancel()
-		if err := srv.Shutdown(ctx); err != nil {
-			log.Printf("[PROXY] Shutdown error: %v", err)
-		}
-	}()
+	go installShutdownHandler(quit, srv, 15*time.Second)
 
-	if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-		log.Fatalf("[PROXY] Fatal: %v", err)
-	}
+	runHTTPServer(srv)
 }
 
 func printBanner(cfg *config.Config) {

cmd/proxy/main_test.go

@@ -1,15 +1,33 @@
 package main
 
 import (
+	"bytes"
 	"fmt"
 	"io"
+	"net"
 	"os"
+	"os/exec"
+	"path/filepath"
 	"strings"
+	"sync"
+	"syscall"
 	"testing"
+	"time"
 
 	"ai-anonymizing-proxy/internal/config"
 )
 
+// TestMain dispatches to main() when GO_WANT_HELPER_PROCESS=1, allowing
+// helper-process tests to re-exec this test binary as the production binary.
+// Pattern copied from stdlib os/exec internal tests.
+func TestMain(m *testing.M) {
+	if os.Getenv("GO_WANT_HELPER_PROCESS") == "1" {
+		main()
+		os.Exit(0)
+	}
+	os.Exit(m.Run())
+}
+
 // captureStdout redirects os.Stdout to a pipe for the duration of fn,
 // then returns everything written to it.
 func captureStdout(t *testing.T, fn func()) string {
@@ -76,21 +94,183 @@ func TestPrintBanner_NoProxy_ShowsDirect(t *testing.T) {
 	}
 }
 
-// TestMain_Smoke verifies the package compiles and the binary entry point exists.
-// The actual main() starts network listeners so it cannot be called in tests.
-func TestMain_Smoke(t *testing.T) {
-	// Verify printBanner doesn't panic with zero-value config
-	func() {
-		defer func() {
-			if r := recover(); r != nil {
-				t.Errorf("printBanner panicked: %v", r)
-			}
-		}()
-		captureStdout(t, func() { printBanner(&config.Config{}) })
+// TestPrintBanner_ZeroValueConfig_DoesNotPanic asserts that printBanner
+// survives a zero-value *config.Config — a regression like a nil-map deref
+// or missing-field panic on uninitialised input would be caught here.
+// Inherited from the original TestMain_Smoke, kept as its own test so the
+// guarantee survives the helper-process TestMain rewrite.
+func TestPrintBanner_ZeroValueConfig_DoesNotPanic(t *testing.T) {
+	defer func() {
+		if r := recover(); r != nil {
+			t.Errorf("printBanner panicked on zero-value config: %v", r)
+		}
 	}()
+	_ = captureStdout(t, func() { printBanner(&config.Config{}) })
+}
+
+// TestMain_HelperProcess_Lifecycle re-execs this test binary as the proxy
+// daemon, waits for it to bind its listener, sends SIGTERM, and verifies a
+// clean exit. Exercises main()'s full startup-and-shutdown lifecycle.
+func TestMain_HelperProcess_Lifecycle(t *testing.T) {
+	proxyPort := freePort(t)
+	mgmtPort := freePort(t)
+
+	cmd := exec.CommandContext(t.Context(), os.Args[0]) //nolint:gosec // G204: helper-process pattern: os.Args[0] is the test binary itself, not external input
+	cmd.Env = append(os.Environ(),
+		"GO_WANT_HELPER_PROCESS=1",
+		"BIND_ADDRESS=127.0.0.1",
+		fmt.Sprintf("PROXY_PORT=%d", proxyPort),
+		fmt.Sprintf("MANAGEMENT_PORT=%d", mgmtPort),
+		"ENABLED_PACKS=SECRETS,GLOBAL",
+		"USE_AI_DETECTION=false",
+	)
+	cmd.Dir = t.TempDir()
+	stderr := &syncBuffer{}
+	cmd.Stderr = stderr
+	cmd.Stdout = io.Discard
+
+	if err := cmd.Start(); err != nil {
+		t.Fatalf("start: %v", err)
+	}
+	t.Cleanup(func() {
+		if cmd.ProcessState == nil {
+			_ = cmd.Process.Kill()
+			_ = cmd.Wait()
+		}
+	})
+
+	waitForLog(t, stderr, "[PROXY] Listening on", 10*time.Second)
 
-	// Self-referential sanity: package name is main
-	if fmt.Sprintf("%T", main) != "func()" {
-		t.Error("expected main to be func()")
+	if err := cmd.Process.Signal(syscall.SIGTERM); err != nil {
+		t.Fatalf("signal: %v", err)
+	}
+
+	done := make(chan error, 1)
+	go func() { done <- cmd.Wait() }()
+	select {
+	case err := <-done:
+		if err != nil {
+			t.Errorf("process exited with error: %v\n%s", err, stderr.String())
+		}
+	case <-time.After(10 * time.Second):
+		_ = cmd.Process.Kill()
+		t.Fatalf("process did not exit within 10s of SIGTERM\n%s", stderr.String())
+	}
+}
+
+// TestMain_HelperProcess_ProxyPortConflict_Fatal pre-binds the proxy port so
+// the subprocess's srv.ListenAndServe() fails, exercising runHTTPServer's
+// log.Fatalf branch.
+func TestMain_HelperProcess_ProxyPortConflict_Fatal(t *testing.T) {
+	ln := listenLocal(t)
+	defer func() { _ = ln.Close() }()
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatalf("listener address %T is not *net.TCPAddr", ln.Addr())
+	}
+	proxyPort := addr.Port
+	mgmtPort := freePort(t)
+
+	cmd := exec.CommandContext(t.Context(), os.Args[0]) //nolint:gosec // G204: helper-process pattern: os.Args[0] is the test binary itself, not external input
+	cmd.Env = append(os.Environ(),
+		"GO_WANT_HELPER_PROCESS=1",
+		"BIND_ADDRESS=127.0.0.1",
+		fmt.Sprintf("PROXY_PORT=%d", proxyPort),
+		fmt.Sprintf("MANAGEMENT_PORT=%d", mgmtPort),
+		"ENABLED_PACKS=SECRETS,GLOBAL",
+		"USE_AI_DETECTION=false",
+	)
+	cmd.Dir = t.TempDir()
+	out, err := cmd.CombinedOutput()
+	if err == nil {
+		t.Fatalf("expected non-zero exit on proxy port conflict, got success\n%s", out)
+	}
+	if !strings.Contains(string(out), "[PROXY] Fatal") {
+		t.Errorf("expected '[PROXY] Fatal' in output, got:\n%s", out)
+	}
+}
+
+// TestMain_HelperProcess_MgmtPortConflict_Fatal pre-binds the management port
+// so the subprocess's mgmt.ListenAndServe() fails, exercising runManagementAPI's
+// log.Fatalf branch.
+func TestMain_HelperProcess_MgmtPortConflict_Fatal(t *testing.T) {
+	ln := listenLocal(t)
+	defer func() { _ = ln.Close() }()
+	addr, ok := ln.Addr().(*net.TCPAddr)
+	if !ok {
+		t.Fatalf("listener address %T is not *net.TCPAddr", ln.Addr())
+	}
+	mgmtPort := addr.Port
+	proxyPort := freePort(t)
+
+	cmd := exec.CommandContext(t.Context(), os.Args[0]) //nolint:gosec // G204: helper-process pattern: os.Args[0] is the test binary itself, not external input
+	cmd.Env = append(os.Environ(),
+		"GO_WANT_HELPER_PROCESS=1",
+		"BIND_ADDRESS=127.0.0.1",
+		fmt.Sprintf("PROXY_PORT=%d", proxyPort),
+		fmt.Sprintf("MANAGEMENT_PORT=%d", mgmtPort),
+		"ENABLED_PACKS=SECRETS,GLOBAL",
+		"USE_AI_DETECTION=false",
+	)
+	cmd.Dir = t.TempDir()
+	out, err := cmd.CombinedOutput()
+	if err == nil {
+		t.Fatalf("expected non-zero exit on mgmt port conflict, got success\n%s", out)
+	}
+	if !strings.Contains(string(out), "[MANAGEMENT] Fatal") {
+		t.Errorf("expected '[MANAGEMENT] Fatal' in output, got:\n%s", out)
+	}
+}
+
+// TestMain_HelperProcess_ZeroPacks_Fatal verifies that a config with no packs
+// enabled triggers the startup guard's log.Fatalf (non-zero exit). Covers that
+// branch of main() which is otherwise unreachable from the lifecycle test.
+func TestMain_HelperProcess_ZeroPacks_Fatal(t *testing.T) {
+	dir := t.TempDir()
+	cfgPath := filepath.Join(dir, "proxy-config.json")
+	if err := os.WriteFile(cfgPath, []byte(`{"enabledPacks":[]}`), 0o600); err != nil {
+		t.Fatalf("write config: %v", err)
+	}
+
+	cmd := exec.CommandContext(t.Context(), os.Args[0]) //nolint:gosec // G204: helper-process pattern: os.Args[0] is the test binary itself, not external input
+	cmd.Env = append(os.Environ(), "GO_WANT_HELPER_PROCESS=1")
+	cmd.Dir = dir
+	out, err := cmd.CombinedOutput()
+	if err == nil {
+		t.Fatalf("expected non-zero exit on zero-packs guard, got success\n%s", out)
+	}
+	if !strings.Contains(string(out), "no PII detection packs enabled") {
+		t.Errorf("expected guard message in output, got:\n%s", out)
+	}
+}
+
+// syncBuffer is a goroutine-safe wrapper around bytes.Buffer for use as
+// cmd.Stderr while a poller in the parent reads it concurrently.
+type syncBuffer struct {
+	mu  sync.Mutex
+	buf bytes.Buffer
+}
+
+func (b *syncBuffer) Write(p []byte) (int, error) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	return b.buf.Write(p)
+}
+
+func (b *syncBuffer) String() string {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	return b.buf.String()
+}
+
+func waitForLog(t *testing.T, buf *syncBuffer, substr string, timeout time.Duration) {
+	t.Helper()
+	deadline := time.Now().Add(timeout)
+	for time.Now().Before(deadline) {
+		if strings.Contains(buf.String(), substr) {
+			return
+		}
+		time.Sleep(50 * time.Millisecond)
 	}
+	t.Fatalf("did not see %q in log within %v\n%s", substr, timeout, buf.String())
 }

cmd/proxy/shutdown.go

@@ -0,0 +1,21 @@
+package main
+
+import (
+	"context"
+	"log"
+	"net/http"
+	"os"
+	"time"
+)
+
+// installShutdownHandler blocks on quit, then calls srv.Shutdown with the given
+// timeout. Intended to run in a goroutine spawned by main().
+func installShutdownHandler(quit <-chan os.Signal, srv *http.Server, timeout time.Duration) {
+	<-quit
+	log.Printf("[PROXY] Shutting down…")
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
+	defer cancel()
+	if err := srv.Shutdown(ctx); err != nil {
+		log.Printf("[PROXY] Shutdown error: %v", err)
+	}
+}