test(token): add mutant_killers and extra_coverage for derivation pins#733
Conversation
Pin the derivation-critical surface of `uselesskey-token` so a silent change trips a test instead of silently re-keying every cached and deterministic token fixture downstream: - `tests/mutant_killers.rs`: matches the existing pattern in `uselesskey-rsa`, `uselesskey-ecdsa`, `uselesskey-ed25519`, and `uselesskey-pgp`. Pins `TokenSpec` constructor variants, `kind_name`, `stable_bytes`, and `authorization_scheme` to exact values. - `tests/token_extra_coverage.rs`: matches the existing pattern in `uselesskey-hmac`, `uselesskey-ed25519`, `uselesskey-entropy`, and `uselesskey-jwk`. Pins `DOMAIN_TOKEN_FIXTURE`, `TokenFixture::spec()` / `label()` accessors (previously only doctested), `authorization_header()` for the `ApiKey` and `OAuth` schemes (the inline `bearer` test was the only one before), negative-variant cache uniqueness across `NegativeToken` arms, and `Clone` preserves label/spec/value. Adds `uselesskey-test-support` as a dev-dep so `token_extra_coverage` can return `TestResult<()>` and avoid panic-family debt. `cargo xtask check-no-panic-family` reports the same 3 pre-existing x509 sites with no new debt from this PR.
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
Summary
uselesskey-tokenwas the only crypto-fixture crate without atests/mutant_killers.rsor a<crate>_extra_coverage.rsfile. Both pinning patterns are well-established across the workspace (rsa/ecdsa/ed25519/pgp shipmutant_killers.rs; hmac/ed25519/entropy/jwk ship*_extra_coverage.rs), and the derivation-critical surface ofTokenSpecandTokenFixturewas not pinned anywhere.This PR closes that gap. Tests only — no production code changes.
tests/mutant_killers.rsPins values that participate in cache identity and deterministic derivation:
TokenSpecconstructor variants (api_key/bearer/oauth_access_token→ correct enum)kind_name()exact stringsstable_bytes()exact byte arrays ([0,0,0,1]/[0,0,0,2]/[0,0,0,3])authorization_scheme()exact stringsA silent change to any of these would invalidate every cached and deterministic token fixture downstream without warning. The byte-exact pin matches
uselesskey-pgp/tests/mutant_killers.rs::stable_bytes_exactso the policy is uniform.tests/token_extra_coverage.rsPins the rest of the token public surface that was either doctest-only or had partial coverage:
DOMAIN_TOKEN_FIXTUREvalue ("uselesskey:token:fixture")TokenFixture::spec()/label()accessors (previously only exercised via doctests)authorization_header()forApiKeyandOAuth(the inline test only coversbearer)NegativeTokenarms produce distinct values, and none equal the positive fixture)Clonepreserveslabel/spec/valueReturns
TestResult<()>and routes assertions throughuselesskey-test-support'sensure!/ensure_eq!/require_okhelpers so this PR adds zero new panic-family debt.Test plan
cargo test -p uselesskey-token --test mutant_killers --test token_extra_coverage— all 12 new tests passcargo clippy -p uselesskey-token --all-targets -- -D warningscleancargo fmt -p uselesskey-tokencleancargo xtask check-no-panic-familyreports the same 3 pre-existing x509 debt sites — no new debt from this PRGenerated by Claude Code