Update the test coverage

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Assisted by [Claude](https://claude.ai)

Author: lukaszgryglicki

cla-backend-go/v2/sign/service.go

@@ -3077,7 +3077,7 @@ func (s *service) checkCompanyCompliance(ctx context.Context, company *v1Models.
 	// Only an explicit clean/flagged is actionable. Any other status is ambiguous: block
 	// when required; otherwise honor the persisted sanction state without clearing or
 	// caching (never auto-clear an SSS-origin block on an unknown status).
-	if result.Status != sss.StatusClean && result.Status != sss.StatusFlagged {
+	if !sssStatusActionable(result.Status) {
 		return s.complianceUnavailable(f, company, fmt.Errorf("checkCompanyCompliance: unexpected SSS status %q for company %s", result.Status, company.CompanyID))
 	}
 
@@ -3137,6 +3137,13 @@ func (s *service) complianceUnavailable(f logrus.Fields, company *v1Models.Compa
 	return company.IsSanctioned, nil
 }
 
+// sssStatusActionable reports whether an SSS status is one checkCompanyCompliance can act
+// on directly (clean or flagged). Any other (ambiguous/unknown) status must be treated as
+// "no live result" rather than silently as clean.
+func sssStatusActionable(status string) bool {
+	return status == sss.StatusClean || status == sss.StatusFlagged
+}
+
 // applyComplianceToModel updates the in-memory company model to reflect a compliance
 // decision so downstream gates in the same request stay consistent with this check.
 func (s *service) applyComplianceToModel(company *v1Models.Company, sanctioned bool) {

cla-backend-go/v2/sign/service_sss_test.go

@@ -119,6 +119,27 @@ func TestComplianceUnavailableOptionalHonorsPersistedSanction(t *testing.T) {
 	}
 }
 
+// sssStatusActionable is the guard checkCompanyCompliance uses to route ambiguous statuses
+// to complianceUnavailable; flipping it is the regression that would let an unknown status
+// fall through to the clean/clear path.
+func TestSSSStatusActionable(t *testing.T) {
+	cases := []struct {
+		status string
+		want   bool
+	}{
+		{sss.StatusClean, true},
+		{sss.StatusFlagged, true},
+		{"pending", false},
+		{"PENDING", false},
+		{"", false},
+	}
+	for _, tc := range cases {
+		if got := sssStatusActionable(tc.status); got != tc.want {
+			t.Errorf("sssStatusActionable(%q) = %v, want %v", tc.status, got, tc.want)
+		}
+	}
+}
+
 func TestCheckCompanyComplianceRequiredBlocksMissingExternalID(t *testing.T) {
 	svc := &service{sssRequired: true, sssClient: newTestSSSClient(t)}