
test: OidcFederation strategy coverage (@cipherstash/auth 0.39.0) #101

Merged
coderdan merged 4 commits into chore/bump-cipherstash-stack-0.37 from test/oidc-federation-scaffold
Jun 6, 2026

@coderdan coderdan commented Jun 6, 2026

Summary

Adds contract coverage for the new OidcFederationStrategy auth strategy (introduced in stack-auth, surfaced to JS via @cipherstash/auth), and bumps the integration-tests dep to the version that ships it.

Key finding: the export was never missing in cipherstash-suite. OidcFederationStrategy shipped in @cipherstash/auth@0.39.0 (current npm latest). This repo's integration-tests just pinned ^0.38.0, the version published immediately before it. So the fix is here, not upstream.

The FFI boundary duck-types on the AuthStrategy = { getToken: () => Promise<{ token: string }> } contract (src/index.cts) and never branches on strategy type, so OIDC coverage is consumer-side wiring mirroring js-strategy.test.ts (Neon) and wasm-round-trip.test.ts (wasm).

Changes

  • Bump @cipherstash/auth ^0.38.0 → ^0.39.0 in integration-tests.
  • New tests/oidc-federation.test.ts — two contract tests that run in CI unconditionally (no credentials, no network):
    • the real published OidcFederationStrategy constructs via .create(region, workspaceId, getJwt) and is structurally assignable to the FFI's AuthStrategy;
    • a strategy threads through newClient with a rejected getToken propagating as a client error.
  • 0.39.0 breaking change handled: AccessKeyStrategy.create now takes the full workspace CRN (was the <region>.<provider> segment). Updated wasm-round-trip.test.ts, js-strategy.test.ts, and the event-loop-exit-jsbacked.cjs fixture, dropping the now-needless CRN-splitting.

Why no live end-to-end round-trip

A federation round-trip (third-party JWT → CTS token → encrypt/decrypt) is deliberately not tested here:

  • The FFI ⇄ wasm-strategy ⇄ ZeroKMS encrypt/decrypt path is already proven via AccessKeyStrategy — the strategy type is irrelevant to the FFI, which only calls getToken.
  • The OIDC-specific exchange (getJwt → /api/authorise → CTS token) lives entirely inside stack-auth, tested hermetically there with MockAuthServer + a base-URL override that the published consumer API doesn't expose.
  • A live round-trip needs a fresh OIDC JWT per run (they expire in minutes), so it can't be driven from a static CI secret without real IdP infra — and gating it on an env var CI never sets would leave it permanently skipped: green but inert. (An earlier revision of this PR had exactly that; it's been removed.)

Testing

  • npx vitest run tests/oidc-federation.test.ts → 2 passed, 0 skipped
  • Full suite on 0.39.0: 136 passed, 2 failures — both the pre-existing keyset.test.ts workspace-permission issue (grant_keyset … Forbidden), unrelated to this change.

Stacked on #100 (Rust deps → 0.37.0); merge that first and GitHub will retarget this to main.

coderabbitai Bot commented Jun 6, 2026

Walkthrough

This PR upgrades @cipherstash/auth from 0.38.0 to 0.39.0 and updates integration test fixtures to align with the new library API. All AccessKeyStrategy.create() calls now pass the full workspace CRN directly instead of parsing it; additionally, a comprehensive integration test suite for OidcFederationStrategy is introduced.

Changes

Auth library upgrade and integration tests

| Layer / File(s) | Summary |
| --- | --- |
| Dependency upgrade: integration-tests/package.json | @cipherstash/auth dependency updated from ^0.38.0 to ^0.39.0. |
| AccessKeyStrategy wiring updates: integration-tests/tests/fixtures/event-loop-exit-jsbacked.cjs, integration-tests/tests/js-strategy.test.ts, integration-tests/tests/wasm-round-trip.test.ts | All three files remove CRN region parsing logic and now pass the full CS_WORKSPACE_CRN directly to AccessKeyStrategy.create(). Comment in the fixture is updated to reflect that 0.39.0 handles region extraction internally. |
| OidcFederationStrategy integration tests: integration-tests/tests/oidc-federation.test.ts | New test suite adds a helper function to parse workspace CRNs, a contract test verifying OidcFederationStrategy.getToken behavior and error propagation, and a gated end-to-end test that federates an OIDC JWT, creates a client, encrypts/decrypts plaintext, and validates the round-trip. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • cipherstash/protectjs-ffi#90: Both PRs modify integration-tests/tests/wasm-round-trip.test.ts to align with updated @cipherstash/auth behavior introduced in wasm test work.
  • cipherstash/protectjs-ffi#96: Both PRs update integration-test auth wiring around AccessKeyStrategy.create() to use the full CS_WORKSPACE_CRN.

Suggested reviewers

  • freshtonic
  • auxesis

Poem

🐰 A library upgraded, old parsers retire,
The full CRN flows where it's needed—no wire.
OIDC now tested, encryption round-tripped,
The auth dance grows richer, compatibility equipped! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately summarizes the main change: adding OidcFederation strategy test coverage and upgrading to @cipherstash/auth 0.39.0. It is concise, specific, and directly reflects the primary objectives of the changeset. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@coderdan coderdan changed the title test: scaffold pending OidcFederation strategy tests test: OidcFederation strategy coverage (@cipherstash/auth 0.39.0) Jun 6, 2026
coderdan added 2 commits June 6, 2026 10:53
Add integration-tests/tests/oidc-federation.test.ts covering the new
stack-auth OidcFederation strategy (surfaced via @cipherstash/auth).

The FFI boundary duck-types on the AuthStrategy { getToken } contract and
never branches on strategy type, so OIDC coverage is consumer-side wiring
mirroring js-strategy.test.ts and wasm-round-trip.test.ts.

The hermetic end-to-end block is describe.skip-ped pending two upstream
additions in @cipherstash/auth (tracked in cipherstash-suite):
  - OidcFederation is not exported yet (0.38.0 exposes only Auto/AccessKey/
    OAuth strategies)
  - MockAuthServer needs an OIDC token-exchange mock + base-URL override

A live contract test runs today (no creds/network): it asserts a rejected
getToken propagates as a client error through the exact opts.strategy path
the real OidcFederation will travel.

The OidcFederationStrategy export already shipped in @cipherstash/auth
0.39.0 (npm latest); the prior ^0.38.0 pin predated it. Bump the
integration-tests dep and replace the pending scaffold with real coverage:

  - Contract tier (runs in CI, no creds): the published
    OidcFederationStrategy constructs via .create and satisfies the FFI's
    structural AuthStrategy contract; a rejected getToken propagates through
    newClient.
  - End-to-end tier (describe.skipIf on CS_OIDC_JWT + dataset creds): a real
    federation round-trip — third-party JWT -> CTS token -> encrypt/decrypt.

A hermetic MockAuthServer round-trip isn't reachable through the published
consumer API (napi-only mock; no base-URL override on the public .create),
so the live exchange is env-gated rather than mocked.

0.39.0 also makes AccessKeyStrategy.create take the full workspace CRN
(was the <region>.<provider> segment). Update the existing wasm-round-trip
and js-strategy suites and the event-loop-exit fixture to pass the full CRN,
dropping the now-needless CRN-splitting.
@coderdan coderdan force-pushed the test/oidc-federation-scaffold branch from e2cdaa0 to 6e891ab Compare June 6, 2026 02:53
@coderdan coderdan changed the base branch from main to chore/bump-cipherstash-stack-0.37 June 6, 2026 02:53

- E2E: wrap the wasm OidcFederationStrategy in a plain { getToken } object
  before handing it to the Neon newClient. The JsBacked path is proven
  against this shape (js-strategy.test.ts); passing a wasm-bindgen class
  instance straight through was untested and the block is skip-gated, so a
  failure there would have shipped green.
- Contract: drop the vacuous expect(asStrategy).toBeDefined() (always true)
  in favour of asserting getToken is callable on the contract-typed handle.
Copilot AI left a comment

Pull request overview

This PR updates the integration-tests package to consume @cipherstash/auth@^0.39.0 and adds integration coverage for the newly available OidcFederationStrategy (via the wasm-inline entry), along with updating existing AccessKeyStrategy wiring to match the 0.39.0 API change.

Changes:

  • Bump integration-tests dependency @cipherstash/auth from ^0.38.0 to ^0.39.0.
  • Add tests/oidc-federation.test.ts with a CI-safe contract suite plus an env-gated end-to-end federation + encrypt/decrypt round-trip.
  • Update existing tests/fixtures to pass the full workspace CRN into AccessKeyStrategy.create (0.39.0 behavior).

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| integration-tests/tests/wasm-round-trip.test.ts | Update AccessKeyStrategy.create call site to pass full workspace CRN (0.39.0 API). |
| integration-tests/tests/oidc-federation.test.ts | Add OIDC Federation strategy contract + env-gated E2E test coverage. |
| integration-tests/tests/js-strategy.test.ts | Update AccessKeyStrategy.create call site to pass full workspace CRN (0.39.0 API). |
| integration-tests/tests/fixtures/event-loop-exit-jsbacked.cjs | Update fixture strategy construction to pass full workspace CRN (0.39.0 API). |
| integration-tests/package.json | Bump @cipherstash/auth dependency to ^0.39.0. |
| integration-tests/package-lock.json | Lockfile updates for @cipherstash/auth@0.39.0 and peer package versions. |

Files not reviewed (1)
  • integration-tests/package-lock.json: Language not supported

The skip-gated end-to-end round-trip relied on a static CS_OIDC_JWT, which
can't work: OIDC JWTs expire in minutes, and CI sets no such secret, so the
block was skipped on every run — green but inert, masking the absence of
coverage.

It also duplicated existing coverage: the FFI <-> wasm-strategy <-> ZeroKMS
encrypt/decrypt path is already proven via AccessKeyStrategy
(wasm-round-trip/js-strategy), and the OIDC-specific getJwt -> /api/authorise
exchange is tested hermetically inside stack-auth (MockAuthServer + a
base-URL override not exposed on the published consumer API).

Keep the two contract tests — they run in CI unconditionally with no
credentials and nothing skipped — and drop the now-unused E2E block,
splitCrn helper, and encrypt/decrypt/isEncrypted imports.

@coderdan coderdan merged commit a8535c9 into chore/bump-cipherstash-stack-0.37 Jun 6, 2026
1 check passed
@coderdan coderdan deleted the test/oidc-federation-scaffold branch June 6, 2026 08:10
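
The "green but inert" failure discussed in this thread (an env-gated suite that CI never un-skips), shown as an added example that is not part of the PR or the project's code: a heuristic scanner that flags vitest `skip` / `skipIf` gates depending on environment variables the CI job does not define. The sample test source and the CI variable lists are constructed; `CS_OIDC_JWT` and `CS_WORKSPACE_CRN` are the names used in the thread.

```javascript
// Added example (not the project's code): flag vitest suites that cannot run in CI.
// Assumption: a skipIf condition reading an env var the CI job does not define
// is treated as always skipped; describe.skip / it.skip / test.skip always are.
const GATE = /\b(describe|it|test)\.(skipIf|skip)\s*\(/g;
const ENV_REF = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([^'"]+)['"]\s*\])/g;

// Return the text between the "(" at openIdx and its matching ")".
function balancedArgs(src, openIdx) {
  let depth = 0;
  for (let i = openIdx; i < src.length; i++) {
    if (src[i] === '(') depth++;
    else if (src[i] === ')' && --depth === 0) return src.slice(openIdx + 1, i);
  }
  return src.slice(openIdx + 1); // unbalanced input: take the rest
}

// Collect every skip / skipIf gate with its line and the env vars it reads.
function findGates(src) {
  const gates = [];
  for (const m of src.matchAll(GATE)) {
    const line = src.slice(0, m.index).split('\n').length;
    const gate = { target: m[1], kind: m[2], line, envVars: [] };
    if (m[2] === 'skipIf') {
      const cond = balancedArgs(src, m.index + m[0].length - 1);
      gate.envVars = [...cond.matchAll(ENV_REF)].map((e) => e[1] || e[2]);
    }
    gates.push(gate);
  }
  return gates;
}

// ciEnv: names of the variables the CI job actually defines.
function inertInCi(src, ciEnv) {
  const provided = new Set(ciEnv);
  return findGates(src)
    .map((g) => ({ ...g, missing: g.envVars.filter((v) => !provided.has(v)) }))
    .filter((g) => g.kind === 'skip' || g.missing.length > 0);
}

// Constructed sample modelled on the env-gated block the thread describes.
const SAMPLE = [
  "describe('contract', () => { it('rejected getToken propagates', async () => {}) })",
  "",
  "describe.skipIf(!process.env.CS_OIDC_JWT || !process.env['CS_WORKSPACE_CRN'])(",
  "  'federation round-trip', () => { it('encrypts and decrypts', async () => {}) })",
].join('\n');

console.log(inertInCi(SAMPLE, ['CS_WORKSPACE_CRN']));
```

Run over the test directory as a CI step, a non-empty result is a reason to fail the build or to require an explicit allow-list entry for the gated suite.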