Coverage floors and fail-closed CLI/reporting paths

Release: InvarLock 0.3.12 - Split-module thresholds and safer edge-case handling

Highlights

• Coverage thresholds now enforce split-module branch floors for critical CLI/reporting paths.
• CLI flows now handle config includes, plugin subprocess paths, and doctor/plugin exit semantics more predictably across profiles.
• Reporting, overhead checks, and observability imports fail closed more reliably when schema, network, or optional dependency edge cases show up.

0.3.12 is a hardening release aimed at the places where small reliability gaps compound into noisy CI failures or ambiguous evidence. The headline change is split-module branch-floor enforcement for critical CLI/reporting paths, but the same discipline shows up in the refactor: run/report builder flows move into smaller modules with explicit command dependencies, and exception hygiene tightens across run, report, and doctor.

The release also tightens config include resolution, plugin subprocess paths, and doctor/plugin exit semantics so profile-specific failures are more stable. Reporting gets stronger fail-closed schema behavior through network refcounting and schema patch hardening, while overhead/tiny-relax handling and profile gate-control enforcement become stricter.

On the lean-install side, observability alerting imports now stay safe when requests is unavailable. Documentation command-runner security checks and pip-audit execution are enforced, remaining certification wording is replaced with evaluation terminology, and calibration policy/preset guidance is clarified. If your workflow depends on fail-closed reporting and repeatable CLI behavior, this release should feel quieter and less ambiguous.

For the immutable release record, read the tagged CHANGELOG.md for v0.3.12.