2026-03-28 Q-004 Coverage Remediation Pass 11

Scope

Continue strict Q-004 closure work after Pass 10.
Fully close the remaining low-coverage src/lib/http/csrf.ts module before moving to the next task.
Re-verify closure through targeted tests plus full frontend validation.

Added dedicated module coverage in:
- frontend/admin/src/lib/http/csrf.test.ts
Newly covered behavior includes:
- memory token set/get/clear
- cookie token lookup and header fallback
- cookie-first bootstrap path that skips the network request
- csrf bootstrap through relative API base urls
- csrf bootstrap through slashless relative API base urls
- csrf bootstrap through absolute API base urls
- cookie fallback after bootstrap request failure
- null-result handling when bootstrap succeeds without returning a token
- no-document guard behavior

cd D:\project\frontend\admin
npm.cmd run test:run -- src/lib/http/csrf.test.ts
npm.cmd run lint
npm.cmd run build
npm.cmd run test:coverage

Overall:
- statements 80.06%
- branches 67.61%
- functions 78.00%
- lines 80.91%
Target areas:
- src/lib/http/csrf.ts: statements 100%, branches 88.46%, functions 100%, lines 100%
- src/lib/http/client.ts: statements 52.17%, branches 43.26%
- src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.tsx: statements 70.17%, branches 48.97%

Frontend full coverage now completes with 42 passing test files and 171 passing tests.
The required sequential frontend validation path passed:
- lint
- build
- test:coverage
The successful frontend coverage run still emits one post-summary jsdom AggregateError network-noise line.
- It does not fail the command.
- It remains a real validation-hygiene issue and should continue to be tracked honestly.

src/lib/http/csrf.ts is no longer an open Q-004 gap.
Q-004 still cannot be honestly declared closed.
The remaining highest-value frontend gaps are now more concentrated in:
- src/lib/http/client.ts
- deeper remaining ProfileSecurityPage branches