tests: add targeted tests to cover missing lines in explore, snapshot, user routers and config

- explore.py:46-47 (_get_optional_user ValueError branch) — direct async test with invalid JWT
- snapshot.py:30 (503 when _jwt_secret is None) and :33-34 (401 on bad token)
- user.py:42-43 (_get_optional_user ValueError branch on /status with bad token)
- config.py:390,392 (ApiConfig missing POSTGRES_PASSWORD/DATABASE individual branches)
- config.py:480,482,486,490,492 (CuratorConfig individual missing-var branches)
- config.py:13 mark TYPE_CHECKING import with pragma: no cover

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: SimplicityGuy

common/config.py

@@ -10,7 +10,7 @@
 
 
 if TYPE_CHECKING:
-    from collections.abc import Sequence
+    from collections.abc import Sequence  # pragma: no cover
 
 import orjson
 import structlog

tests/api/test_explore.py

@@ -393,3 +393,25 @@ def test_expand_valid_type_invalid_category(self, test_client: TestClient) -> No
     def test_expand_genre_invalid_category(self, test_client: TestClient) -> None:
         response = test_client.get("/api/expand?node_id=Rock&type=genre&category=nonexistent")
         assert response.status_code == 400
+
+
+class TestGetOptionalUserInvalidToken:
+    """Tests for _get_optional_user with an invalid token (explore router)."""
+
+    @pytest.mark.asyncio
+    async def test_invalid_token_returns_none(self) -> None:
+        """explore.py:46-47 — bad Bearer token causes ValueError which returns None."""
+        from unittest.mock import MagicMock
+
+        import api.routers.explore as explore_module
+        from api.routers.explore import _get_optional_user
+
+        original = explore_module._jwt_secret
+        explore_module._jwt_secret = "test-jwt-secret-for-unit-tests"
+        try:
+            creds = MagicMock()
+            creds.credentials = "not.a.valid.jwt"
+            result = await _get_optional_user(creds)
+            assert result is None
+        finally:
+            explore_module._jwt_secret = original

tests/api/test_snapshot.py

@@ -92,3 +92,30 @@ def test_restore_snapshot_expired(self, test_client: TestClient) -> None:
             assert response.status_code == 404
         finally:
             store._store.pop(token, None)
+
+
+class TestSnapshotAuth:
+    """Tests for _get_current_user in snapshot router."""
+
+    def test_no_jwt_secret_returns_503(self, test_client: TestClient, auth_headers: dict[str, str]) -> None:
+        """snapshot.py:30 — 503 when _jwt_secret is None."""
+        import api.routers.snapshot as snap_module
+
+        original = snap_module._jwt_secret
+        snap_module._jwt_secret = None
+        try:
+            body = {"nodes": [{"id": "1", "type": "artist"}], "center": {"id": "1", "type": "artist"}}
+            response = test_client.post("/api/snapshot", json=body, headers=auth_headers)
+            assert response.status_code == 503
+        finally:
+            snap_module._jwt_secret = original
+
+    def test_invalid_token_returns_401(self, test_client: TestClient) -> None:
+        """snapshot.py:33-34 — 401 on bad token."""
+        body = {"nodes": [{"id": "1", "type": "artist"}], "center": {"id": "1", "type": "artist"}}
+        response = test_client.post(
+            "/api/snapshot",
+            json=body,
+            headers={"Authorization": "Bearer not.a.valid.jwt"},
+        )
+        assert response.status_code == 401

tests/api/test_user.py

@@ -300,3 +300,19 @@ def test_error_message_format(self, test_client: TestClient, auth_headers: dict[
         ids = ",".join(str(i) for i in range(101))
         data = test_client.get(f"/api/user/status?ids={ids}", headers=auth_headers).json()
         assert data["error"] == "Too many IDs: maximum is 100"
+
+
+class TestGetOptionalUserInvalidToken:
+    """Tests for _get_optional_user with an invalid token (user router)."""
+
+    def test_invalid_token_returns_false_flags(self, test_client: TestClient) -> None:
+        """user.py:42-43 — bad token on optional-auth /status falls back to all-False."""
+        response = test_client.get(
+            "/api/user/status?ids=1,2",
+            headers={"Authorization": "Bearer not.a.valid.jwt"},
+        )
+        assert response.status_code == 200
+        data = response.json()
+        for _rid, flags in data["status"].items():
+            assert flags["in_collection"] is False
+            assert flags["in_wantlist"] is False

tests/test_config.py

@@ -730,3 +730,101 @@ def test_curator_config_works_without_jwt_secret(self, monkeypatch: pytest.Monke
         # Should not raise
         config = CuratorConfig.from_env()
         assert not hasattr(config, "jwt_secret_key") or config.jwt_secret_key is None  # type: ignore[attr-defined]
+
+
+class TestConfigMissingVars:
+    """Tests for individual missing-variable branches in ApiConfig and CuratorConfig."""
+
+    def test_api_config_missing_postgres_password(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:390 — POSTGRES_PASSWORD missing fires the append."""
+        from common.config import ApiConfig
+
+        monkeypatch.setenv("POSTGRES_ADDRESS", "localhost")
+        monkeypatch.setenv("POSTGRES_USERNAME", "user")
+        monkeypatch.delenv("POSTGRES_PASSWORD", raising=False)
+        monkeypatch.setenv("POSTGRES_DATABASE", "db")
+        monkeypatch.setenv("JWT_SECRET_KEY", "secret")
+        with pytest.raises(ValueError, match="POSTGRES_PASSWORD"):
+            ApiConfig.from_env()
+
+    def test_api_config_missing_postgres_database(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:392 — POSTGRES_DATABASE missing fires the append."""
+        from common.config import ApiConfig
+
+        monkeypatch.setenv("POSTGRES_ADDRESS", "localhost")
+        monkeypatch.setenv("POSTGRES_USERNAME", "user")
+        monkeypatch.setenv("POSTGRES_PASSWORD", "pass")
+        monkeypatch.delenv("POSTGRES_DATABASE", raising=False)
+        monkeypatch.setenv("JWT_SECRET_KEY", "secret")
+        with pytest.raises(ValueError, match="POSTGRES_DATABASE"):
+            ApiConfig.from_env()
+
+    def test_curator_config_missing_postgres_address(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:480 — POSTGRES_ADDRESS missing."""
+        from common.config import CuratorConfig
+
+        monkeypatch.delenv("POSTGRES_ADDRESS", raising=False)
+        monkeypatch.setenv("POSTGRES_USERNAME", "user")
+        monkeypatch.setenv("POSTGRES_PASSWORD", "pass")
+        monkeypatch.setenv("POSTGRES_DATABASE", "db")
+        monkeypatch.setenv("NEO4J_ADDRESS", "bolt://localhost")
+        monkeypatch.setenv("NEO4J_USERNAME", "neo4j")
+        monkeypatch.setenv("NEO4J_PASSWORD", "neo4jpass")
+        with pytest.raises(ValueError, match="POSTGRES_ADDRESS"):
+            CuratorConfig.from_env()
+
+    def test_curator_config_missing_postgres_username(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:482 — POSTGRES_USERNAME missing."""
+        from common.config import CuratorConfig
+
+        monkeypatch.setenv("POSTGRES_ADDRESS", "localhost")
+        monkeypatch.delenv("POSTGRES_USERNAME", raising=False)
+        monkeypatch.setenv("POSTGRES_PASSWORD", "pass")
+        monkeypatch.setenv("POSTGRES_DATABASE", "db")
+        monkeypatch.setenv("NEO4J_ADDRESS", "bolt://localhost")
+        monkeypatch.setenv("NEO4J_USERNAME", "neo4j")
+        monkeypatch.setenv("NEO4J_PASSWORD", "neo4jpass")
+        with pytest.raises(ValueError, match="POSTGRES_USERNAME"):
+            CuratorConfig.from_env()
+
+    def test_curator_config_missing_postgres_database(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:486 — POSTGRES_DATABASE missing."""
+        from common.config import CuratorConfig
+
+        monkeypatch.setenv("POSTGRES_ADDRESS", "localhost")
+        monkeypatch.setenv("POSTGRES_USERNAME", "user")
+        monkeypatch.setenv("POSTGRES_PASSWORD", "pass")
+        monkeypatch.delenv("POSTGRES_DATABASE", raising=False)
+        monkeypatch.setenv("NEO4J_ADDRESS", "bolt://localhost")
+        monkeypatch.setenv("NEO4J_USERNAME", "neo4j")
+        monkeypatch.setenv("NEO4J_PASSWORD", "neo4jpass")
+        with pytest.raises(ValueError, match="POSTGRES_DATABASE"):
+            CuratorConfig.from_env()
+
+    def test_curator_config_missing_neo4j_username(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:490 — NEO4J_USERNAME missing."""
+        from common.config import CuratorConfig
+
+        monkeypatch.setenv("POSTGRES_ADDRESS", "localhost")
+        monkeypatch.setenv("POSTGRES_USERNAME", "user")
+        monkeypatch.setenv("POSTGRES_PASSWORD", "pass")
+        monkeypatch.setenv("POSTGRES_DATABASE", "db")
+        monkeypatch.setenv("NEO4J_ADDRESS", "bolt://localhost")
+        monkeypatch.delenv("NEO4J_USERNAME", raising=False)
+        monkeypatch.setenv("NEO4J_PASSWORD", "neo4jpass")
+        with pytest.raises(ValueError, match="NEO4J_USERNAME"):
+            CuratorConfig.from_env()
+
+    def test_curator_config_missing_neo4j_password(self, monkeypatch: pytest.MonkeyPatch) -> None:
+        """config.py:492 — NEO4J_PASSWORD missing."""
+        from common.config import CuratorConfig
+
+        monkeypatch.setenv("POSTGRES_ADDRESS", "localhost")
+        monkeypatch.setenv("POSTGRES_USERNAME", "user")
+        monkeypatch.setenv("POSTGRES_PASSWORD", "pass")
+        monkeypatch.setenv("POSTGRES_DATABASE", "db")
+        monkeypatch.setenv("NEO4J_ADDRESS", "bolt://localhost")
+        monkeypatch.setenv("NEO4J_USERNAME", "neo4j")
+        monkeypatch.delenv("NEO4J_PASSWORD", raising=False)
+        with pytest.raises(ValueError, match="NEO4J_PASSWORD"):
+            CuratorConfig.from_env()