fix: close 3 strict-proto config-field gaps surfaced by BMW local smoke (v0.2.2)

[intel352]

Summary

BMW local smoke against workflow v0.51.5 surfaced three step types whose typed config protos were rejecting BMW-supplied fields under strict-contracts. v0.2.2 closes those gaps and ships a daily compat job that runs the latest published wfctl against this plugin's contracts.

Proto fields added

AuthMethodsPolicyConfig / AuthMethodsPolicyInput

Used by step.auth_methods_policy and step.auth_policy_audit. BMW supplies these via 18+ pipeline invocations in buymywishlist/app.yaml:

Field	Tag	BMW yaml source
jwt_secret	24	jwt_secret: '{{ config "jwt_secret" }}'
sms_auth_enabled	25	sms_auth_enabled: '{{ config "sms_auth_enabled" }}'
facebook_oauth_client_id	26	facebook_oauth_client_id: '{{ config "facebook_oauth_client_id" }}'
facebook_oauth_client_secret	27	facebook_oauth_client_secret: '{{ config "facebook_oauth_client_secret" }}'
instagram_oauth_client_id	28	instagram_oauth_client_id: '{{ config "instagram_oauth_client_id" }}'
instagram_oauth_client_secret	29	instagram_oauth_client_secret: '{{ config "instagram_oauth_client_secret" }}'
x_oauth_client_id	30	x_oauth_client_id: '{{ config "x_oauth_client_id" }}'
x_oauth_client_secret	31	x_oauth_client_secret: '{{ config "x_oauth_client_secret" }}'

AuthPolicyGateConfig

Used by step.auth_policy_gate. BMW yaml supplies tenant_id directly in the gate config block (tenant_id: '{{ config "bmw_tenant_id" }}').

Field	Tag	BMW yaml source
tenant_id	6	tenant_id: '{{ config "bmw_tenant_id" }}'

AuthChallengeVerifyConfig (new message)

Replaces EmptyConfig for step.auth_challenge_verify. BMW supplies signing_secret in the step's config block:

- type: step.auth_challenge_verify
  config:
    signing_secret: '{{ config "jwt_secret" }}'

Defined as:

message AuthChallengeVerifyConfig {
  string signing_secret = 1;
}

The handler now reads signing_secret from req.Config as a fallback when it is not present on req.Input — preserving the existing input-based contract while accepting config supply.

Deferred: step.auth_oauth_exchange code field (BMW yaml bug)

BMW passes code inside the step's config: block:

- type: step.auth_oauth_exchange
  config:
    code: '{{ index .steps "parse_request" "query" "code" }}'
    ...

The plugin handler reads code from req.Input (merged with req.Current) via oauthString(current, "code") — code is defined in OAuthProviderInput at tag 3, not in OAuthProviderConfig. This is a BMW yaml bug, not a plugin gap. BMW should move code to a runtime input — e.g. via a preceding step.set that lifts parse_request.query.code into the current scope, or by populating the typed input directly. No plugin change in this PR.

Workflow-compat CI

New .github/workflows/workflow-compat.yml:

• Runs on PR + daily at 09:00 UTC.
• Resolves the LATEST GoCodeAlone/workflow release tag via the GitHub API.
• Installs that wfctl via GoCodeAlone/setup-wfctl.
• Runs wfctl plugin validate --strict-contracts against plugin.json.
• Builds the plugin binary, stages it for plugin-dir discovery, and runs wfctl validate --plugin-dir ... against .github/fixtures/workflow-compat.yaml — a smoke pipeline exercising every plugin step type using the BMW-supplied config shapes.

Catches drift between this plugin's proto descriptors and the next workflow release the day it ships, rather than the next time BMW smokes.

Test plan

• go test -race ./... — all packages green (including 5 new tests in internal/strict_proto_fields_test.go).
• go vet ./... — clean.
• wfctl plugin validate --file plugin.json --strict-contracts against v0.51.5 — OK.
• wfctl validate --plugin-dir ... .github/fixtures/workflow-compat.yaml against v0.51.5 — PASS.
• PLUGIN_MANIFEST_EXPECT_VERSION=0.2.2 go test -run TestIntegration_PluginManifestAndStepTypes — passes (goreleaser pre-hook).
• CI green on PR (will verify after push).
• Post-merge: tag v0.2.2, verify GoReleaser asset upload.

🤖 Generated with Claude Code