test: add tests for tdxVerifyOpt, NewTimestamp, shutdownCtx, and rate limiter cleanup

Fill testable coverage gaps identified during review:

- tdxVerifyOpt: all three branches (disabled, enabled without getter,
  enabled with getter)
- NewTimestamp: RFC 3339 format, second truncation, UTC, freshness
- shutdownCtx: nil context fallback (pre-Run) and set context path
- rateLimiterMap.cleanup: stale entry removal and empty map safety

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: sangwa

internal/crl_test.go

@@ -165,6 +165,41 @@ func TestCRLURLsForEvidence(t *testing.T) {
 	})
 }
 
+func TestTdxVerifyOpt(t *testing.T) {
+	t.Run("revocation disabled", func(t *testing.T) {
+		s := &Server{cfg: &Config{RevocationEnabled: false}}
+		opt := s.tdxVerifyOpt()
+		if opt.CheckRevocations {
+			t.Error("expected CheckRevocations=false when revocation is disabled")
+		}
+		if opt.Getter != nil {
+			t.Error("expected nil Getter when revocation is disabled")
+		}
+	})
+
+	t.Run("revocation enabled without getter", func(t *testing.T) {
+		s := &Server{cfg: &Config{RevocationEnabled: true}}
+		opt := s.tdxVerifyOpt()
+		if !opt.CheckRevocations {
+			t.Error("expected CheckRevocations=true when revocation is enabled")
+		}
+		// Getter is nil when tdxGetter is not configured — the library
+		// falls back to its default HTTP client.
+	})
+
+	t.Run("revocation enabled with getter", func(t *testing.T) {
+		getter := &cachedHTTPSGetter{}
+		s := &Server{cfg: &Config{RevocationEnabled: true}, tdxGetter: getter}
+		opt := s.tdxVerifyOpt()
+		if !opt.CheckRevocations {
+			t.Error("expected CheckRevocations=true")
+		}
+		if opt.Getter != getter {
+			t.Error("expected Getter to be the configured tdxGetter")
+		}
+	})
+}
+
 func TestSevsnpRevocationChecker(t *testing.T) {
 	t.Run("nil cache returns nil checker", func(t *testing.T) {
 		s := &Server{}

internal/ratelimit_test.go

@@ -188,6 +188,35 @@ func TestRateLimitMiddleware_TimeoutReturns429(t *testing.T) {
 	}
 }
 
+func TestRateLimiterMap_Cleanup(t *testing.T) {
+	m := newRateLimiterMap(1.0, 1)
+
+	// Create two entries: one "old" and one "recent".
+	_ = m.get("old-ip")
+	_ = m.get("recent-ip")
+
+	// Manually backdate the "old" entry.
+	if val, ok := m.entries.Load("old-ip"); ok {
+		val.(*rateLimiterEntry).lastSeen = time.Now().Add(-10 * time.Minute)
+	}
+
+	// Cleanup with 5m maxAge should remove "old-ip" but keep "recent-ip".
+	m.cleanup(5 * time.Minute)
+
+	if _, ok := m.entries.Load("old-ip"); ok {
+		t.Error("expected old-ip to be cleaned up")
+	}
+	if _, ok := m.entries.Load("recent-ip"); !ok {
+		t.Error("expected recent-ip to survive cleanup")
+	}
+}
+
+func TestRateLimiterMap_Cleanup_EmptyMap(t *testing.T) {
+	m := newRateLimiterMap(1.0, 1)
+	// Should not panic on empty map.
+	m.cleanup(5 * time.Minute)
+}
+
 func TestRateLimitMiddleware_PerIPIsolation(t *testing.T) {
 	s := &Server{
 		logger: slog.New(slog.NewJSONHandler(io.Discard, nil)),

internal/server_test.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 
 	"github.com/gofiber/fiber/v2"
 )
@@ -340,6 +341,70 @@ func TestErrorHandler_PlainError_OpaqueMessage(t *testing.T) {
 // NewLogger
 // ---------------------------------------------------------------------------
 
+// ---------------------------------------------------------------------------
+// NewTimestamp
+// ---------------------------------------------------------------------------
+
+func TestNewTimestamp_Format(t *testing.T) {
+	ts := NewTimestamp()
+	// Must be valid RFC 3339.
+	parsed, err := time.Parse(time.RFC3339, ts)
+	if err != nil {
+		t.Fatalf("NewTimestamp() = %q, not valid RFC 3339: %v", ts, err)
+	}
+	// Must be truncated to seconds (no sub-second component).
+	if parsed.Nanosecond() != 0 {
+		t.Errorf("NewTimestamp() has sub-second precision: %v", parsed)
+	}
+	// Must be in UTC.
+	if parsed.Location() != time.UTC {
+		t.Errorf("NewTimestamp() not in UTC: %v", parsed.Location())
+	}
+}
+
+func TestNewTimestamp_Freshness(t *testing.T) {
+	before := time.Now().UTC().Truncate(time.Second)
+	ts := NewTimestamp()
+	after := time.Now().UTC().Truncate(time.Second).Add(time.Second)
+
+	parsed, _ := time.Parse(time.RFC3339, ts)
+	if parsed.Before(before) || parsed.After(after) {
+		t.Errorf("NewTimestamp() = %v, not within [%v, %v]", parsed, before, after)
+	}
+}
+
+// ---------------------------------------------------------------------------
+// shutdownCtx
+// ---------------------------------------------------------------------------
+
+func TestShutdownCtx_NilCtx(t *testing.T) {
+	s := &Server{} // ctx is nil (pre-Run state)
+	ctx := s.shutdownCtx()
+	if ctx == nil {
+		t.Fatal("shutdownCtx() returned nil, want context.Background()")
+	}
+	// Should not be cancelled.
+	select {
+	case <-ctx.Done():
+		t.Error("shutdownCtx() context should not be cancelled")
+	default:
+	}
+}
+
+func TestShutdownCtx_SetCtx(t *testing.T) {
+	parent, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	s := &Server{ctx: parent}
+	ctx := s.shutdownCtx()
+	if ctx != parent {
+		t.Error("shutdownCtx() should return the server's context when set")
+	}
+}
+
+// ---------------------------------------------------------------------------
+// NewLogger
+// ---------------------------------------------------------------------------
+
 func TestNewLogger_JSONFormat(t *testing.T) {
 	cfg := &Config{LogFormat: "json", LogLevel: slog.LevelInfo}
 	logger := NewLogger(cfg)