Coverage hardening across CLI, reporting, and observability paths

Release: InvarLock 0.3.12 - Coverage thresholds with tighter fail-closed behavior

Highlights

• Coverage thresholds now enforce split-module branch floors for critical CLI/reporting paths.
• CLI flows now handle config includes, plugin subprocess paths, and doctor/plugin exit semantics more predictably across profiles.
• Reporting, overhead checks, and observability imports fail closed more reliably when schema, network, or optional dependency edge cases show up.

0.3.12 is a hardening release aimed at the places where small reliability gaps compound into noisy CI failures or ambiguous evidence. The headline change is the new split-module coverage floor enforcement for the CLI and reporting paths that matter most, but the broader theme is the same across the release: make the operational surface stricter, clearer, and easier to trust under failure.

This release also tightens the behavior around config resolution, plugin subprocess handling, and report validation so the system degrades more cleanly when an environment is only partially configured. On the observability side, alerting imports now stay safe even when requests is absent, which removes another class of surprising runtime behavior from lean installs.

If your workflow depends on fail-closed reporting and repeatable CLI behavior, 0.3.12 should feel calmer than the generated changelog format this post originally shipped with.

For more details, see CHANGELOG.md.