test(soteria): lift runtime helper coverage

cmd/soteria/main.go

@@ -25,6 +25,8 @@ var (
 	loadConfigFn      = config.Load
 	newK8sClientFn    = k8s.New
 	newLonghornClient = longhorn.New
+	notifyContextFn   = signal.NotifyContext
+	fatalfFn          = log.Fatalf
 	newServerFn       = func(cfg *config.Config, client *k8s.Client, lh *longhorn.Client) applicationServer {
 		return server.New(cfg, client, lh)
 	}
@@ -35,11 +37,11 @@ var (
 
 func main() {
 	log.SetFlags(log.LstdFlags | log.LUTC)
-	runCtx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+	runCtx, stop := notifyContextFn(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer stop()
 
 	if err := runApplicationFunc(runCtx); err != nil {
-		log.Fatalf("%v", err)
+		fatalfFn("%v", err)
 	}
 }
 

cmd/soteria/main_test.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"os"
 	"testing"
 
 	"scm.bstein.dev/bstein/soteria/internal/config"
@@ -44,6 +45,33 @@ func TestMainInvokesRunApplicationFunc(t *testing.T) {
 	}
 }
 
+func TestMainFatalfWhenRunFails(t *testing.T) {
+	restore := swapMainTestHooks()
+	defer restore()
+
+	runApplicationFunc = func(context.Context) error { return errors.New("run exploded") }
+	notifyContextFn = func(parent context.Context, _ ...os.Signal) (context.Context, context.CancelFunc) {
+		return context.WithCancel(parent)
+	}
+	fatalCalled := false
+	fatalfFn = func(format string, args ...any) {
+		fatalCalled = true
+		panic("fatal called")
+	}
+
+	defer func() {
+		recovered := recover()
+		if recovered == nil || recovered != "fatal called" {
+			t.Fatalf("expected fatal panic sentinel, got %v", recovered)
+		}
+		if !fatalCalled {
+			t.Fatalf("expected fatalf hook to be invoked")
+		}
+	}()
+
+	main()
+}
+
 func TestRunReturnsSetupAndServeErrors(t *testing.T) {
 	restore := swapMainTestHooks()
 	defer restore()
@@ -84,6 +112,24 @@ func TestRunReturnsSetupAndServeErrors(t *testing.T) {
 	})
 }
 
+func TestRunReturnsNilWhenServerClosesImmediately(t *testing.T) {
+	restore := swapMainTestHooks()
+	defer restore()
+
+	cfg := &config.Config{ListenAddr: ":8080", LonghornURL: "http://longhorn.test"}
+	loadConfigFn = func() (*config.Config, error) { return cfg, nil }
+	newK8sClientFn = func() (*k8s.Client, error) { return &k8s.Client{}, nil }
+	newLonghornClient = func(string) *longhorn.Client { return &longhorn.Client{} }
+	newServerFn = func(cfg *config.Config, client *k8s.Client, lh *longhorn.Client) applicationServer {
+		return &fakeApplicationServer{}
+	}
+	listenAndServeFn = func(*http.Server) error { return http.ErrServerClosed }
+
+	if err := run(context.Background()); err != nil {
+		t.Fatalf("expected nil when server closes cleanly before shutdown, got %v", err)
+	}
+}
+
 func TestRunHandlesContextCancellationAndServerClosed(t *testing.T) {
 	restore := swapMainTestHooks()
 	defer restore()
@@ -133,20 +179,75 @@ func TestRunHandlesContextCancellationAndServerClosed(t *testing.T) {
 	}
 }
 
+func TestRunLogsShutdownAndLateServerErrorsWithoutFailing(t *testing.T) {
+	restore := swapMainTestHooks()
+	defer restore()
+
+	cfg := &config.Config{ListenAddr: ":8080", LonghornURL: "http://longhorn.test"}
+	fakeServer := &fakeApplicationServer{}
+	listenStarted := make(chan struct{})
+	listenReleased := make(chan struct{})
+	shutdownCalled := false
+
+	loadConfigFn = func() (*config.Config, error) { return cfg, nil }
+	newK8sClientFn = func() (*k8s.Client, error) { return &k8s.Client{}, nil }
+	newLonghornClient = func(string) *longhorn.Client { return &longhorn.Client{} }
+	newServerFn = func(cfg *config.Config, client *k8s.Client, lh *longhorn.Client) applicationServer {
+		return fakeServer
+	}
+	listenAndServeFn = func(*http.Server) error {
+		close(listenStarted)
+		<-listenReleased
+		return errors.New("late serve exploded")
+	}
+	shutdownServerFn = func(*http.Server, context.Context) error {
+		shutdownCalled = true
+		close(listenReleased)
+		return errors.New("shutdown exploded")
+	}
+
+	runCtx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	done := make(chan error, 1)
+	go func() {
+		done <- run(runCtx)
+	}()
+
+	<-listenStarted
+	cancel()
+
+	if err := <-done; err != nil {
+		t.Fatalf("expected shutdown/logging path to still return nil, got %v", err)
+	}
+	if !fakeServer.started {
+		t.Fatalf("expected server Start to be called")
+	}
+	if !shutdownCalled {
+		t.Fatalf("expected shutdown hook to be invoked")
+	}
+}
+
 func swapMainTestHooks() func() {
 	originalLoad := loadConfigFn
 	originalK8s := newK8sClientFn
 	originalLonghorn := newLonghornClient
+	originalNotify := notifyContextFn
+	originalFatal := fatalfFn
 	originalServer := newServerFn
 	originalListen := listenAndServeFn
 	originalShutdown := shutdownServerFn
+	originalRunApplication := runApplicationFunc
 
 	return func() {
 		loadConfigFn = originalLoad
 		newK8sClientFn = originalK8s
 		newLonghornClient = originalLonghorn
+		notifyContextFn = originalNotify
+		fatalfFn = originalFatal
 		newServerFn = originalServer
 		listenAndServeFn = originalListen
 		shutdownServerFn = originalShutdown
+		runApplicationFunc = originalRunApplication
 	}
 }

internal/k8s/client.go

@@ -13,20 +13,28 @@ type Client struct {
 	Clientset kubernetes.Interface
 }
 
+var (
+	inClusterConfigFn      = rest.InClusterConfig
+	buildConfigFromFlagsFn = clientcmd.BuildConfigFromFlags
+	newForConfigFn         = func(cfg *rest.Config) (kubernetes.Interface, error) {
+		return kubernetes.NewForConfig(cfg)
+	}
+)
+
 func New() (*Client, error) {
-	cfg, err := rest.InClusterConfig()
+	cfg, err := inClusterConfigFn()
 	if err != nil {
 		kubeconfig := os.Getenv("KUBECONFIG")
 		if kubeconfig == "" {
 			return nil, fmt.Errorf("load in-cluster config: %w", err)
 		}
-		cfg, err = clientcmd.BuildConfigFromFlags("", kubeconfig)
+		cfg, err = buildConfigFromFlagsFn("", kubeconfig)
 		if err != nil {
 			return nil, fmt.Errorf("load kubeconfig: %w", err)
 		}
 	}
 
-	clientset, err := kubernetes.NewForConfig(cfg)
+	clientset, err := newForConfigFn(cfg)
 	if err != nil {
 		return nil, fmt.Errorf("build clientset: %w", err)
 	}

internal/k8s/client_test.go

@@ -1,11 +1,23 @@
 package k8s
 
 import (
+	"errors"
+	"os"
+	"path/filepath"
 	"strings"
 	"testing"
+
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 )
 
 func TestNewReturnsErrorWhenNoClusterConfigOrValidKubeconfigExists(t *testing.T) {
+	restore := swapClientTestHooks()
+	defer restore()
+
+	inClusterConfigFn = func() (*rest.Config, error) {
+		return nil, errors.New("cluster config exploded")
+	}
 	t.Setenv("KUBECONFIG", "/definitely/missing/kubeconfig")
 
 	client, err := New()
@@ -16,3 +28,92 @@ func TestNewReturnsErrorWhenNoClusterConfigOrValidKubeconfigExists(t *testing.T)
 		t.Fatalf("expected kubeconfig load error, got %v", err)
 	}
 }
+
+func TestNewReturnsInClusterErrorWhenNoKubeconfigIsProvided(t *testing.T) {
+	restore := swapClientTestHooks()
+	defer restore()
+
+	inClusterConfigFn = func() (*rest.Config, error) {
+		return nil, errors.New("cluster config exploded")
+	}
+	t.Setenv("KUBECONFIG", "")
+
+	client, err := New()
+	if err == nil || client != nil {
+		t.Fatalf("expected in-cluster config error, got client=%#v err=%v", client, err)
+	}
+	if !strings.Contains(err.Error(), "load in-cluster config: cluster config exploded") {
+		t.Fatalf("expected in-cluster config error, got %v", err)
+	}
+}
+
+func TestNewLoadsKubeconfigAndBuildsClientset(t *testing.T) {
+	restore := swapClientTestHooks()
+	defer restore()
+
+	inClusterConfigFn = func() (*rest.Config, error) {
+		return nil, errors.New("not in cluster")
+	}
+
+	kubeconfigPath := filepath.Join(t.TempDir(), "config")
+	if err := os.WriteFile(kubeconfigPath, []byte(`apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    server: https://127.0.0.1:6443
+  name: local
+contexts:
+- context:
+    cluster: local
+    user: local
+  name: local
+current-context: local
+users:
+- name: local
+  user:
+    token: test-token
+`), 0o600); err != nil {
+		t.Fatalf("write kubeconfig: %v", err)
+	}
+	t.Setenv("KUBECONFIG", kubeconfigPath)
+
+	client, err := New()
+	if err != nil {
+		t.Fatalf("expected kubeconfig-backed client construction, got %v", err)
+	}
+	if client == nil || client.Clientset == nil {
+		t.Fatalf("expected populated client, got %#v", client)
+	}
+}
+
+func TestNewWrapsClientsetConstructionFailures(t *testing.T) {
+	restore := swapClientTestHooks()
+	defer restore()
+
+	inClusterConfigFn = func() (*rest.Config, error) {
+		return &rest.Config{Host: "https://127.0.0.1:6443"}, nil
+	}
+	newForConfigFn = func(*rest.Config) (kubernetes.Interface, error) {
+		return nil, errors.New("clientset exploded")
+	}
+
+	client, err := New()
+	if err == nil || client != nil {
+		t.Fatalf("expected clientset construction error, got client=%#v err=%v", client, err)
+	}
+	if !strings.Contains(err.Error(), "build clientset: clientset exploded") {
+		t.Fatalf("expected wrapped clientset error, got %v", err)
+	}
+}
+
+func swapClientTestHooks() func() {
+	originalInCluster := inClusterConfigFn
+	originalBuildConfig := buildConfigFromFlagsFn
+	originalNewForConfig := newForConfigFn
+
+	return func() {
+		inClusterConfigFn = originalInCluster
+		buildConfigFromFlagsFn = originalBuildConfig
+		newForConfigFn = originalNewForConfig
+	}
+}

internal/k8s/job_helpers_test.go

@@ -40,6 +40,12 @@ func TestJobSupportHelpersCoverFallbackAndFormattingBranches(t *testing.T) {
 	if got := parseBoolWithDefault("off", true); got != false {
 		t.Fatalf("expected explicit false parse, got %v", got)
 	}
+	if got := parseBoolWithDefault("", true); got != true {
+		t.Fatalf("expected empty bool to fall back, got %v", got)
+	}
+	if got := parseBoolWithDefault("yes", false); got != true {
+		t.Fatalf("expected explicit true parse, got %v", got)
+	}
 }
 
 func TestJobNameBackupCommandAndResticEnvCoverRemainingBranches(t *testing.T) {

internal/k8s/jobs.go

@@ -68,13 +68,22 @@ func (c *Client) ReadBackupJobLog(ctx context.Context, namespace, jobName string
 		return "", fmt.Errorf("no pod found for backup job %s/%s", namespace, jobName)
 	}
 
-	sort.Slice(pods.Items, func(i, j int) bool {
+	podName := latestBackupJobPodName(pods.Items)
-		left := pods.Items[i].Status.StartTime
+	raw, err := c.Clientset.CoreV1().Pods(namespace).GetLogs(podName, &corev1.PodLogOptions{}).DoRaw(ctx)
-		right := pods.Items[j].Status.StartTime
+	if err != nil {
+		return "", fmt.Errorf("read logs for backup job pod %s/%s: %w", namespace, podName, err)
+	}
+	return string(raw), nil
+}
+
+func latestBackupJobPodName(pods []corev1.Pod) string {
+	sort.Slice(pods, func(i, j int) bool {
+		left := pods[i].Status.StartTime
+		right := pods[j].Status.StartTime
 		switch {
 		case left != nil && right != nil:
 			if left.Time.Equal(right.Time) {
-				return pods.Items[i].Name > pods.Items[j].Name
+				return pods[i].Name > pods[j].Name
 			}
 			return left.Time.After(right.Time)
 		case left != nil:
@@ -82,16 +91,10 @@ func (c *Client) ReadBackupJobLog(ctx context.Context, namespace, jobName string
 		case right != nil:
 			return false
 		default:
-			return pods.Items[i].CreationTimestamp.Time.After(pods.Items[j].CreationTimestamp.Time)
+			return pods[i].CreationTimestamp.Time.After(pods[j].CreationTimestamp.Time)
 		}
 	})
-
+	return pods[0].Name
-	podName := pods.Items[0].Name
-	raw, err := c.Clientset.CoreV1().Pods(namespace).GetLogs(podName, &corev1.PodLogOptions{}).DoRaw(ctx)
-	if err != nil {
-		return "", fmt.Errorf("read logs for backup job pod %s/%s: %w", namespace, podName, err)
-	}
-	return string(raw), nil
 }
 
 func (c *Client) ListBackupJobsForPVC(ctx context.Context, namespace, pvc string) ([]BackupJobSummary, error) {

internal/k8s/jobs_test.go

@@ -211,6 +211,46 @@ func TestReadBackupJobLogCoversSuccessAndListFailures(t *testing.T) {
 	}
 }
 
+func TestLatestBackupJobPodNameCoversSortBranches(t *testing.T) {
+	now := time.Now().UTC()
+
+	t.Run("prefers latest start time and name tiebreak", func(t *testing.T) {
+		name := latestBackupJobPodName([]corev1.Pod{
+			{
+				ObjectMeta: metav1.ObjectMeta{Name: "job-a", CreationTimestamp: metav1.NewTime(now.Add(-10 * time.Minute))},
+				Status:     corev1.PodStatus{StartTime: ptrTime(metav1.NewTime(now.Add(-1 * time.Minute)))},
+			},
+			{
+				ObjectMeta: metav1.ObjectMeta{Name: "job-z", CreationTimestamp: metav1.NewTime(now.Add(-20 * time.Minute))},
+				Status:     corev1.PodStatus{StartTime: ptrTime(metav1.NewTime(now.Add(-1 * time.Minute)))},
+			},
+		})
+		if name != "job-z" {
+			t.Fatalf("expected name tiebreak to pick lexically later pod, got %q", name)
+		}
+	})
+
+	t.Run("prefers started pod over nil start time", func(t *testing.T) {
+		name := latestBackupJobPodName([]corev1.Pod{
+			{ObjectMeta: metav1.ObjectMeta{Name: "started"}, Status: corev1.PodStatus{StartTime: ptrTime(metav1.NewTime(now))}},
+			{ObjectMeta: metav1.ObjectMeta{Name: "not-started"}},
+		})
+		if name != "started" {
+			t.Fatalf("expected started pod to win, got %q", name)
+		}
+	})
+
+	t.Run("falls back to creation time when start times are nil", func(t *testing.T) {
+		name := latestBackupJobPodName([]corev1.Pod{
+			{ObjectMeta: metav1.ObjectMeta{Name: "older", CreationTimestamp: metav1.NewTime(now.Add(-30 * time.Minute))}},
+			{ObjectMeta: metav1.ObjectMeta{Name: "newer", CreationTimestamp: metav1.NewTime(now.Add(-5 * time.Minute))}},
+		})
+		if name != "newer" {
+			t.Fatalf("expected newer creation timestamp to win, got %q", name)
+		}
+	})
+}
+
 func TestCreateBackupJobCoversValidationDryRunAndLiveCreation(t *testing.T) {
 	clientset := k8sfake.NewSimpleClientset(
 		&corev1.Secret{

internal/server/auth_support.go

@@ -89,7 +89,8 @@ func hasAllowedGroup(actual, allowed []string) bool {
 func normalizeGroups(values []string) []string {
 	groups := make([]string, 0, len(values))
 	for _, value := range values {
-		value = strings.TrimSpace(strings.TrimPrefix(value, "/"))
+		value = strings.TrimSpace(value)
+		value = strings.TrimPrefix(value, "/")
 		if value == "" {
 			continue
 		}

internal/server/auth_support_test.go

@@ -123,4 +123,20 @@ func TestRequesterAndAuthzHelpers(t *testing.T) {
 	}
 }
 
+func TestAuthHeaderAndGroupHelpers(t *testing.T) {
+	req := httptest.NewRequest(http.MethodGet, "/v1/inventory", nil)
+	req.Header.Set("X-Secondary", "second")
+	req.Header.Set("X-Primary", " first ")
+
+	if got := firstHeader(req, "X-Primary", "X-Secondary"); got != "first" {
+		t.Fatalf("expected first populated header, got %q", got)
+	}
+	if got := splitGroups(" /ops, dev ; qa "); len(got) != 3 {
+		t.Fatalf("expected split groups, got %#v", got)
+	}
+	if got := normalizeGroups([]string{" /ops ", "", "dev", " /qa"}); len(got) != 3 || got[0] != "ops" || got[2] != "qa" {
+		t.Fatalf("expected normalized groups, got %#v", got)
+	}
+}
+
 var errSentinel = http.ErrAbortHandler

internal/server/b2_refresh_test.go

@@ -37,6 +37,75 @@ func TestRefreshB2UsageRecordsCredentialResolutionErrors(t *testing.T) {
 	}
 }
 
+func TestRefreshB2UsageHandlesDisabledAndSuccessfulScans(t *testing.T) {
+	t.Run("disabled", func(t *testing.T) {
+		srv := &Server{
+			cfg: &config.Config{
+				B2Enabled:     false,
+				B2Endpoint:    "https://cached-endpoint",
+				B2Region:      "us-west-001",
+				B2ScanTimeout: time.Second,
+			},
+			client:  &fakeKubeClient{},
+			metrics: newTelemetry(),
+		}
+
+		srv.refreshB2Usage(context.Background())
+
+		usage := srv.getB2Usage()
+		if usage.Enabled || usage.Error != "" || usage.Endpoint != "https://cached-endpoint" {
+			t.Fatalf("expected disabled snapshot without scan error, got %#v", usage)
+		}
+		if srv.metrics.b2ScanSuccess != 0 || srv.metrics.b2AccountBytes != 0 {
+			t.Fatalf("expected disabled metrics snapshot, got success=%f bytes=%f", srv.metrics.b2ScanSuccess, srv.metrics.b2AccountBytes)
+		}
+	})
+
+	t.Run("successful scan", func(t *testing.T) {
+		now := time.Now().UTC()
+		server := newFakeS3Server(t,
+			[]string{"atlas"},
+			map[string][]fakeS3Object{
+				"atlas": {
+					{key: "fresh", size: 7, lastModified: now.Add(-1 * time.Hour)},
+					{key: "stale", size: 11, lastModified: now.Add(-48 * time.Hour)},
+				},
+			},
+			nil,
+		)
+		defer server.Close()
+
+		srv := &Server{
+			cfg: &config.Config{
+				B2Enabled:         true,
+				B2Endpoint:        server.URL,
+				B2Region:          "us-west-001",
+				B2AccessKeyID:     "atlas-key",
+				B2SecretAccessKey: "atlas-secret",
+				B2ScanTimeout:     2 * time.Second,
+			},
+			client:  &fakeKubeClient{},
+			metrics: newTelemetry(),
+		}
+
+		srv.refreshB2Usage(context.Background())
+
+		usage := srv.getB2Usage()
+		if !usage.Enabled || !usage.Available || usage.Error != "" {
+			t.Fatalf("expected successful B2 scan snapshot, got %#v", usage)
+		}
+		if usage.Endpoint != server.URL || usage.Region != "us-west-001" || usage.TotalObjects != 2 || usage.RecentObjects24h != 1 {
+			t.Fatalf("expected successful usage totals, got %#v", usage)
+		}
+		if usage.ScannedAt == "" || usage.ScanDurationMS < 0 {
+			t.Fatalf("expected scan metadata, got %#v", usage)
+		}
+		if srv.metrics.b2ScanSuccess != 1 || srv.metrics.b2AccountBytes != 18 {
+			t.Fatalf("expected success metrics to be recorded, got success=%f bytes=%f", srv.metrics.b2ScanSuccess, srv.metrics.b2AccountBytes)
+		}
+	})
+}
+
 func TestRefreshB2UsageRecordsScanErrorsAfterCredentialsResolve(t *testing.T) {
 	srv := &Server{
 		cfg: &config.Config{

internal/server/ui_renderer.go

@@ -17,7 +17,11 @@ type uiRenderer struct {
 }
 
 func newUIRenderer() *uiRenderer {
-	sub, err := fs.Sub(uiDist, "ui-dist")
+	return newUIRendererFromFS(uiDist, "ui-dist")
+}
+
+func newUIRendererFromFS(root fs.FS, dir string) *uiRenderer {
+	sub, err := fs.Sub(root, dir)
 	if err != nil {
 		return &uiRenderer{}
 	}
@@ -57,7 +61,7 @@ func (u *uiRenderer) ServeAsset(w http.ResponseWriter, r *http.Request) bool {
 	if cleaned == "." || strings.HasPrefix(cleaned, "../") {
 		return false
 	}
-	if strings.HasSuffix(cleaned, "/") {
+	if strings.HasSuffix(requestPath, "/") || strings.HasSuffix(cleaned, "/") {
 		return false
 	}
 	if _, err := fs.Stat(u.fsys, cleaned); err != nil {

internal/server/ui_renderer_test.go

@@ -5,6 +5,7 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
+	"testing/fstest"
 )
 
 func TestNewUIRendererLoadsEmbeddedAssets(t *testing.T) {
@@ -18,6 +19,16 @@ func TestNewUIRendererLoadsEmbeddedAssets(t *testing.T) {
 	}
 }
 
+func TestNewUIRendererFromFSHandlesMissingSubdirectory(t *testing.T) {
+	renderer := newUIRendererFromFS(fstest.MapFS{}, "../ui-dist")
+	if renderer == nil {
+		t.Fatalf("expected renderer instance")
+	}
+	if renderer.fsys != nil {
+		t.Fatalf("expected missing subdirectory to produce empty renderer, got %#v", renderer.fsys)
+	}
+}
+
 func TestUIRendererServeIndexHandlesMissingAndEmbeddedAssets(t *testing.T) {
 	t.Run("missing assets", func(t *testing.T) {
 		renderer := &uiRenderer{}
@@ -30,6 +41,17 @@ func TestUIRendererServeIndexHandlesMissingAndEmbeddedAssets(t *testing.T) {
 		}
 	})
 
+	t.Run("missing index file", func(t *testing.T) {
+		renderer := &uiRenderer{fsys: fstest.MapFS{}}
+		req := httptest.NewRequest(http.MethodGet, "/", nil)
+		res := httptest.NewRecorder()
+
+		err := renderer.ServeIndex(res, req)
+		if err == nil || !strings.Contains(err.Error(), "read index") {
+			t.Fatalf("expected index read error, got %v", err)
+		}
+	})
+
 	t.Run("embedded index", func(t *testing.T) {
 		renderer := newUIRenderer()
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
@@ -52,19 +74,26 @@ func TestUIRendererServeIndexHandlesMissingAndEmbeddedAssets(t *testing.T) {
 
 func TestUIRendererServeAssetRejectsInvalidPathsAndServesRealAssets(t *testing.T) {
 	renderer := newUIRenderer()
+	trailingSlashRenderer := &uiRenderer{fsys: fstest.MapFS{
+		"assets/index.js": &fstest.MapFile{Data: []byte("console.log('ok')")},
+	}}
+	missingPathRenderer := &uiRenderer{fsys: fstest.MapFS{}}
 
 	testCases := []struct {
 		name   string
 		method string
 		path   string
 		ok     bool
+		use    *uiRenderer
 	}{
-		{name: "missing filesystem", method: http.MethodGet, path: "/assets/index-C8vHBL9g.js", ok: false},
+		{name: "missing filesystem", method: http.MethodGet, path: "/assets/index-C8vHBL9g.js", ok: false, use: &uiRenderer{}},
 		{name: "invalid method", method: http.MethodPost, path: "/assets/index-C8vHBL9g.js", ok: false},
 		{name: "empty path", method: http.MethodGet, path: "/", ok: false},
+		{name: "dot path", method: http.MethodGet, path: "/.", ok: false},
 		{name: "api path", method: http.MethodGet, path: "/v1/backup", ok: false},
 		{name: "parent traversal", method: http.MethodGet, path: "/../secret.txt", ok: false},
-		{name: "missing file", method: http.MethodGet, path: "/assets/does-not-exist.js", ok: false},
+		{name: "trailing slash", method: http.MethodGet, path: "/assets/", ok: false, use: trailingSlashRenderer},
+		{name: "missing file", method: http.MethodGet, path: "/assets/does-not-exist.js", ok: false, use: missingPathRenderer},
 		{name: "real asset", method: http.MethodGet, path: "/assets/index-C8vHBL9g.js", ok: true},
 		{name: "head asset", method: http.MethodHead, path: "/assets/index-B24a4-XK.css", ok: true},
 	}
@@ -72,8 +101,8 @@ func TestUIRendererServeAssetRejectsInvalidPathsAndServesRealAssets(t *testing.T
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			activeRenderer := renderer
-			if tc.name == "missing filesystem" {
+			if tc.use != nil {
-				activeRenderer = &uiRenderer{}
+				activeRenderer = tc.use
 			}
 
 			req := httptest.NewRequest(tc.method, tc.path, nil)