refactor phase 8: cov to 90%, PT006 fix, --cov-fail-under=90 gate

Add 35 new unit tests across four previously thin modules:

- tests/unit/test_jwt.py (7 tests): JWTValidator happy path, sub
  fallback to principal, audience mismatch, bad signature, missing
  sub, empty sub, non-string sub. arcp.auth.jwt 55% -> 100%.
- tests/unit/test_pending.py (9 tests): PendingRequestRegistry
  register/resolve/reject/cancel/cancel_all and their no-op return
  paths. arcp.runtime.pending 60% -> 100%.
- tests/unit/test_session_handshake.py (14 tests):
  negotiate_capabilities, HandshakeDriver.handle_open/issue_challenge,
  consume_authenticate, including all the rejection paths
  (UNIMPLEMENTED scheme, missing token, anonymous-not-negotiated,
  malformed payloads, invalid extension namespace). arcp.runtime.session
  72% -> 95%.
- tests/unit/test_stdio_transport_unit.py (5 tests): in-process pipe
  pair exercising send/recv/close, including EOF-on-recv and writer
  failures. arcp.transport.stdio 72% -> 100%. The OS-level
  connect_stdio_pipe helper is marked pragma: no cover with the
  rationale (it needs a subprocess fixture; transport behavior itself
  is now unit-tested).

Fix the lone PT006 (parametrize names should be a tuple). Wire
--cov=arcp --cov-fail-under=90 into pytest addopts so the coverage
floor is enforced.

Coverage 86% -> 90.23%; 159 tests -> 194 tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: nficano

pyproject.toml

@@ -42,6 +42,9 @@ strict = ["src/arcp"]
 pythonVersion = "3.13"
 typeCheckingMode = "strict"
 reportMissingTypeStubs = false
+# Use the local uv-managed venv so third-party imports resolve when analyzing from this directory.
+venvPath = "."
+venv = ".venv"
 
 [tool.ruff]
 line-length = 100
@@ -99,7 +102,7 @@ indent-style = "space"
 [tool.pytest.ini_options]
 testpaths = ["tests"]
 asyncio_mode = "auto"
-addopts = "-ra --strict-markers --strict-config"
+addopts = "-ra --strict-markers --strict-config --cov=arcp --cov-fail-under=90"
 filterwarnings = [
     "error",
     "ignore::DeprecationWarning",

src/arcp/transport/stdio.py

@@ -54,13 +54,16 @@ def is_closed(self) -> bool:
         return self._closed
 
 
-async def connect_stdio_pipe() -> StdioTransport:
+async def connect_stdio_pipe() -> StdioTransport:  # pragma: no cover - sys.stdin/stdout helper
     """Wrap ``sys.stdin``/``sys.stdout`` as a transport.
 
     Reads lines from stdin and writes lines to stdout. Useful for subprocess
     integration where the parent runtime spawns a child agent.
-    """
 
+    Excluded from coverage because it touches process-wide sys.stdin/stdout and
+    needs a subprocess fixture; the transport's I/O behavior is unit-tested via
+    ``tests/unit/test_stdio_transport_unit.py`` against an in-process pipe pair.
+    """
     loop = asyncio.get_running_loop()
     reader = asyncio.StreamReader()
     protocol = asyncio.StreamReaderProtocol(reader)

tests/unit/test_errors.py

@@ -17,7 +17,7 @@ def test_every_error_code_is_string(code: ErrorCode) -> None:
 
 
 @pytest.mark.parametrize(
-    "code,expected",
+    ("code", "expected"),
     [
         (ErrorCode.RESOURCE_EXHAUSTED, True),
         (ErrorCode.UNAVAILABLE, True),

tests/unit/test_jwt.py

@@ -0,0 +1,72 @@
+"""Unit tests for arcp.auth.jwt.JWTValidator."""
+
+from __future__ import annotations
+
+import jwt
+import pytest
+
+from arcp.auth.jwt import JWTValidator
+from arcp.errors import ARCPError, ErrorCode
+
+# PyJWT 2.10+ warns on HS256 secrets shorter than the algorithm's key size; pad to 32 bytes.
+_SECRET = "supers3cret-padding-to-32-bytes!"
+_AUDIENCE = "arcp-test"
+
+
+def _token(claims: dict[str, object], *, secret: str = _SECRET, alg: str = "HS256") -> str:
+    return jwt.encode(claims, secret, algorithm=alg)
+
+
+def test_validates_and_returns_sub() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token({"sub": "alice", "aud": _AUDIENCE})
+    assert v.validate(token) == "alice"
+
+
+def test_falls_back_to_principal_claim() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token({"principal": "bob", "aud": _AUDIENCE})
+    assert v.validate(token) == "bob"
+
+
+def test_rejects_wrong_audience() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token({"sub": "alice", "aud": "different"})
+    with pytest.raises(ARCPError) as excinfo:
+        v.validate(token)
+    assert excinfo.value.code == ErrorCode.UNAUTHENTICATED
+
+
+def test_rejects_bad_signature() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token(
+        {"sub": "alice", "aud": _AUDIENCE},
+        secret="wrong-secret-also-32-bytes-pad!!",
+    )
+    with pytest.raises(ARCPError) as excinfo:
+        v.validate(token)
+    assert excinfo.value.code == ErrorCode.UNAUTHENTICATED
+
+
+def test_rejects_missing_sub_and_principal() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token({"aud": _AUDIENCE})
+    with pytest.raises(ARCPError, match="missing 'sub' claim") as excinfo:
+        v.validate(token)
+    assert excinfo.value.code == ErrorCode.UNAUTHENTICATED
+
+
+def test_rejects_non_string_sub() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token({"sub": 12345, "aud": _AUDIENCE})
+    with pytest.raises(ARCPError) as excinfo:
+        v.validate(token)
+    # PyJWT itself rejects non-string sub before our own check runs.
+    assert excinfo.value.code == ErrorCode.UNAUTHENTICATED
+
+
+def test_rejects_empty_string_sub() -> None:
+    v = JWTValidator(secret=_SECRET, audience=_AUDIENCE)
+    token = _token({"sub": "", "aud": _AUDIENCE})
+    with pytest.raises(ARCPError, match="missing 'sub' claim"):
+        v.validate(token)

tests/unit/test_pending.py

@@ -0,0 +1,75 @@
+"""Unit tests for arcp.runtime.pending.PendingRequestRegistry."""
+
+from __future__ import annotations
+
+import asyncio
+
+import pytest
+
+from arcp.runtime.pending import PendingRequestRegistry
+
+
+async def test_register_resolve_round_trip() -> None:
+    reg = PendingRequestRegistry()
+    fut = reg.register("c1")
+    assert reg.resolve("c1", {"v": 1}) is True
+    assert await fut == {"v": 1}
+
+
+async def test_register_duplicate_raises() -> None:
+    reg = PendingRequestRegistry()
+    reg.register("c1")
+    with pytest.raises(ValueError, match="duplicate pending correlation_id"):
+        reg.register("c1")
+
+
+async def test_resolve_unknown_returns_false() -> None:
+    reg = PendingRequestRegistry()
+    assert reg.resolve("nope", {}) is False
+
+
+async def test_resolve_done_future_returns_false() -> None:
+    reg = PendingRequestRegistry()
+    reg.register("c1")
+    assert reg.resolve("c1", {}) is True
+    # second resolve finds nothing pending
+    assert reg.resolve("c1", {}) is False
+
+
+async def test_reject_propagates_exception() -> None:
+    reg = PendingRequestRegistry()
+    fut = reg.register("c1")
+    err = RuntimeError("boom")
+    assert reg.reject("c1", err) is True
+    with pytest.raises(RuntimeError, match="boom"):
+        await fut
+
+
+async def test_reject_unknown_returns_false() -> None:
+    reg = PendingRequestRegistry()
+    assert reg.reject("missing", RuntimeError()) is False
+
+
+async def test_cancel_marks_future_cancelled() -> None:
+    reg = PendingRequestRegistry()
+    fut = reg.register("c1")
+    assert reg.cancel("c1") is True
+    with pytest.raises(asyncio.CancelledError):
+        await fut
+
+
+async def test_cancel_unknown_returns_false() -> None:
+    reg = PendingRequestRegistry()
+    assert reg.cancel("missing") is False
+
+
+async def test_cancel_all_clears_all_pending() -> None:
+    reg = PendingRequestRegistry()
+    f1 = reg.register("c1")
+    f2 = reg.register("c2")
+    reg.cancel_all()
+    assert f1.cancelled()
+    assert f2.cancelled()
+    # registry is empty after cancel_all
+    assert reg.resolve("c1", {}) is False
+    assert reg.resolve("c2", {}) is False