test: Add API gateway and internal account unit tests (#1922)

* test: Add API gateway and internal account unit tests

- auth_builder_test.go: BuildAuthMiddleware with JWKS URL, local signer, API keys, and error cases
- auth/composite_validator_test.go: CompositeJWTValidator with empty, single, multi-validator scenarios
- internal/middleware/response_recorder_test.go: responseRecorder defaults, idempotency, buffer pool behavior
- internal-account/domain/valuation_feature_test.go: re-export constant and error alias verification
- internal-account/adapters/persistence/valuation_feature_repository_test.go: constructor and CRUD via shared implementation

* fix: Remove unnecessary type conversion in valuation feature repository test

* fix: Address CodeRabbit feedback - rename misleading test names

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

services/api-gateway/auth/composite_validator_test.go

@@ -0,0 +1,114 @@
+package auth
+
+import (
+	"errors"
+	"testing"
+
+	platformauth "github.com/meridianhub/meridian/shared/platform/auth"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewCompositeJWTValidator(t *testing.T) {
+	v1 := &mockValidator{claims: &platformauth.Claims{UserID: "user-1"}}
+	v2 := &mockValidator{claims: &platformauth.Claims{UserID: "user-2"}}
+
+	composite := NewCompositeJWTValidator(v1, v2)
+
+	assert.NotNil(t, composite)
+	assert.Len(t, composite.validators, 2)
+}
+
+func TestCompositeJWTValidator_EmptyValidators_ReturnsError(t *testing.T) {
+	composite := NewCompositeJWTValidator()
+
+	claims, err := composite.ValidateToken("any-token")
+
+	assert.Nil(t, claims)
+	assert.ErrorIs(t, err, platformauth.ErrInvalidToken)
+}
+
+func TestCompositeJWTValidator_FirstValidatorSucceeds(t *testing.T) {
+	expectedClaims := &platformauth.Claims{
+		UserID:   "user-1",
+		TenantID: "acme_corp",
+	}
+	v1 := &mockValidator{claims: expectedClaims}
+	v2 := &mockValidator{claims: &platformauth.Claims{UserID: "user-2"}}
+
+	composite := NewCompositeJWTValidator(v1, v2)
+
+	claims, err := composite.ValidateToken("some-token")
+
+	require.NoError(t, err)
+	assert.Equal(t, expectedClaims, claims)
+}
+
+func TestCompositeJWTValidator_FirstFailsSecondSucceeds(t *testing.T) {
+	expectedClaims := &platformauth.Claims{
+		UserID:   "user-2",
+		TenantID: "beta_corp",
+	}
+	v1 := &mockValidator{err: platformauth.ErrInvalidToken}
+	v2 := &mockValidator{claims: expectedClaims}
+
+	composite := NewCompositeJWTValidator(v1, v2)
+
+	claims, err := composite.ValidateToken("some-token")
+
+	require.NoError(t, err)
+	assert.Equal(t, expectedClaims, claims)
+}
+
+func TestCompositeJWTValidator_AllFail_ReturnsLastError(t *testing.T) {
+	firstErr := errors.New("first validator error")
+	lastErr := errors.New("last validator error")
+	v1 := &mockValidator{err: firstErr}
+	v2 := &mockValidator{err: lastErr}
+
+	composite := NewCompositeJWTValidator(v1, v2)
+
+	claims, err := composite.ValidateToken("invalid-token")
+
+	assert.Nil(t, claims)
+	assert.ErrorIs(t, err, lastErr)
+}
+
+func TestCompositeJWTValidator_SingleValidator_Succeeds(t *testing.T) {
+	expectedClaims := &platformauth.Claims{UserID: "solo-user"}
+	v := &mockValidator{claims: expectedClaims}
+
+	composite := NewCompositeJWTValidator(v)
+
+	claims, err := composite.ValidateToken("token")
+
+	require.NoError(t, err)
+	assert.Equal(t, expectedClaims, claims)
+}
+
+func TestCompositeJWTValidator_SingleValidator_Fails(t *testing.T) {
+	v := &mockValidator{err: platformauth.ErrInvalidToken}
+
+	composite := NewCompositeJWTValidator(v)
+
+	claims, err := composite.ValidateToken("expired-token")
+
+	assert.Nil(t, claims)
+	assert.ErrorIs(t, err, platformauth.ErrInvalidToken)
+}
+
+func TestCompositeJWTValidator_ThreeValidators_ThirdSucceeds(t *testing.T) {
+	expectedClaims := &platformauth.Claims{UserID: "third-user"}
+	errFirst := errors.New("first fails")
+	errSecond := errors.New("second fails")
+	v1 := &mockValidator{err: errFirst}
+	v2 := &mockValidator{err: errSecond}
+	v3 := &mockValidator{claims: expectedClaims}
+
+	composite := NewCompositeJWTValidator(v1, v2, v3)
+
+	claims, err := composite.ValidateToken("token")
+
+	require.NoError(t, err)
+	assert.Equal(t, expectedClaims, claims)
+}

services/api-gateway/auth_builder_test.go

@@ -0,0 +1,109 @@
+package gateway
+
+import (
+	"io"
+	"log/slog"
+	"testing"
+
+	platformauth "github.com/meridianhub/meridian/shared/platform/auth"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildAuthMiddleware_WithJWKSURL(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+
+	config := AuthConfig{
+		JWKSURL: "https://example.com/.well-known/jwks.json",
+	}
+
+	// NewJWKSProvider defers initial fetch, so any non-empty URL succeeds at creation.
+	middleware, err := BuildAuthMiddleware(config, logger)
+
+	require.NoError(t, err)
+	assert.NotNil(t, middleware)
+	middleware.Close()
+}
+
+func TestBuildAuthMiddleware_EmptyJWKSURL(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+
+	config := AuthConfig{
+		JWKSURL: "", // empty URL should fail
+	}
+
+	_, err := BuildAuthMiddleware(config, logger)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to create JWKS provider")
+}
+
+func TestBuildAuthMiddleware_WithLocalSigner(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+
+	signer, err := platformauth.NewJWTSigner(platformauth.JWTSignerConfig{})
+	require.NoError(t, err)
+
+	config := AuthConfig{
+		JWKSURL: "https://example.com/.well-known/jwks.json",
+	}
+
+	middleware, err := BuildAuthMiddleware(config, logger, signer)
+
+	require.NoError(t, err)
+	assert.NotNil(t, middleware)
+	middleware.Close()
+}
+
+func TestBuildAuthMiddleware_WithAPIKeys(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+
+	config := AuthConfig{
+		JWKSURL: "https://example.com/.well-known/jwks.json",
+		APIKeys: map[string]string{
+			"api-key-1": "service-a",
+			"api-key-2": "service-b",
+		},
+		RateLimitPerSecond: 100,
+		RateLimitBurst:     200,
+	}
+
+	middleware, err := BuildAuthMiddleware(config, logger)
+
+	require.NoError(t, err)
+	assert.NotNil(t, middleware)
+	middleware.Close()
+}
+
+func TestBuildAuthMiddleware_CloseIsIdempotent(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+
+	config := AuthConfig{
+		JWKSURL: "https://example.com/.well-known/jwks.json",
+		APIKeys: map[string]string{"key": "identity"},
+	}
+
+	middleware, err := BuildAuthMiddleware(config, logger)
+	require.NoError(t, err)
+
+	// Close should be safe to call multiple times.
+	assert.NotPanics(t, func() {
+		middleware.Close()
+		middleware.Close()
+	})
+}
+
+func TestBuildAuthMiddleware_WithLocalSigner_NilSignerIgnored(t *testing.T) {
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+
+	config := AuthConfig{
+		JWKSURL: "https://example.com/.well-known/jwks.json",
+	}
+
+	// Passing a nil signer should fall back to dex-only path.
+	middleware, err := BuildAuthMiddleware(config, logger, nil)
+
+	require.NoError(t, err)
+	assert.NotNil(t, middleware)
+	middleware.Close()
+}

services/api-gateway/internal/middleware/response_recorder_test.go

@@ -0,0 +1,100 @@
+package middleware
+
+import (
+	"bytes"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewResponseRecorder_Defaults(t *testing.T) {
+	rec := newResponseRecorder()
+	defer rec.release()
+
+	assert.Equal(t, http.StatusOK, rec.code)
+	assert.NotNil(t, rec.headers)
+	assert.NotNil(t, rec.buf)
+	assert.False(t, rec.wroteHeader)
+}
+
+func TestResponseRecorder_WriteHeader_Idempotent(t *testing.T) {
+	rec := newResponseRecorder()
+	defer rec.release()
+
+	rec.WriteHeader(http.StatusCreated)
+	rec.WriteHeader(http.StatusBadRequest) // second call is a no-op
+
+	assert.Equal(t, http.StatusCreated, rec.code)
+	assert.True(t, rec.wroteHeader)
+}
+
+func TestResponseRecorder_Write_SetsWroteHeader(t *testing.T) {
+	rec := newResponseRecorder()
+	defer rec.release()
+
+	assert.False(t, rec.wroteHeader)
+
+	_, err := rec.Write([]byte("hello"))
+	require.NoError(t, err)
+
+	assert.True(t, rec.wroteHeader)
+	assert.Equal(t, http.StatusOK, rec.code)
+}
+
+func TestResponseRecorder_Write_AccumulatesBody(t *testing.T) {
+	rec := newResponseRecorder()
+	defer rec.release()
+
+	_, err := rec.Write([]byte("foo"))
+	require.NoError(t, err)
+	_, err = rec.Write([]byte("bar"))
+	require.NoError(t, err)
+
+	assert.Equal(t, "foobar", rec.buf.String())
+}
+
+func TestResponseRecorder_Header_ReturnsHeaders(t *testing.T) {
+	rec := newResponseRecorder()
+	defer rec.release()
+
+	rec.Header().Set("X-Custom", "value")
+
+	assert.Equal(t, "value", rec.headers.Get("X-Custom"))
+	assert.Equal(t, rec.headers, rec.Header())
+}
+
+func TestAcquireBuffer_ReturnsEmptyBuffer(t *testing.T) {
+	b := acquireBuffer()
+	defer releaseBuffer(b)
+
+	assert.Equal(t, 0, b.Len())
+}
+
+func TestReleaseBuffer_ReturnedBufferIsReset(t *testing.T) {
+	b := acquireBuffer()
+	_, err := b.WriteString("some data")
+	require.NoError(t, err)
+
+	releaseBuffer(b)
+
+	// Acquire again - should get a reset buffer (may or may not be the same object).
+	b2 := acquireBuffer()
+	defer releaseBuffer(b2)
+	assert.Equal(t, 0, b2.Len())
+}
+
+func TestReleaseBuffer_LargeBuffer_DoesNotPanic(t *testing.T) {
+	// Create a buffer larger than 64KB threshold.
+	// releaseBuffer drops oversized buffers instead of returning them to the pool.
+	large := make([]byte, 65*1024)
+	b := &bytes.Buffer{}
+	_, err := b.Write(large)
+	require.NoError(t, err)
+	assert.Greater(t, b.Cap(), 64*1024)
+
+	assert.NotPanics(t, func() {
+		releaseBuffer(b)
+	})
+}