CLI app for developers prototyping atproto functionality
fix(oauth-client): Phase 5 cycle 2 — re-accept stale snapshots and properly revert subscription tampering
- C1: Accept 4 stale snapshots (oauth_client_discovery__https_confidential_happy_discovery, oauth_client_metadata__confidential_happy, oauth_client_metadata__dpop_bound_false, oauth_client_metadata__scope_grammar_invalid) to reflect corrected check emission order from C3 (Keys have unique kid values now emitted immediately after JWKS is valid JSON instead of at the end).
- C2: Properly restore labeler_subscription snapshots (unreachable_endpoint_network_error, empty_stream_advisories) to exact 73c9de4 state using git show to avoid flaky timing values (0ms, not 2ms/3ms).
- M1: Add trailing periods to 3 test comments in tests/oauth_client_jwks.rs per CLAUDE.md conventions.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
+11
-7
+3
-3
tests/oauth_client_jwks.rs
+3
-3
tests/oauth_client_jwks.rs
···
263
263
#[tokio::test]
264
264
async fn discovery_failure_blocks_jwks() {
265
265
let http = common::FakeHttpClient::new();
266
-
// Seed a 404 response
266
+
// Seed a 404 response.
267
267
http.add_response(
268
268
&Url::parse("https://client.example.com/metadata.json").unwrap(),
269
269
404,
···
301
301
302
302
let jwks_uri = Url::parse("https://client.example.com/jwks.json").unwrap();
303
303
let jwks_fetcher = common::FakeJwksFetcher::new();
304
-
// Return invalid JSON (not parseable)
304
+
// Return invalid JSON (not parseable).
305
305
jwks_fetcher.add_response(&jwks_uri, 200, b"not valid json {{{".to_vec(), None);
306
306
307
307
let target = parse_target("https://client.example.com/metadata.json").expect("parse failed");
···
357
357
#[tokio::test]
358
358
async fn loopback_skips_all_jwks() {
359
359
let http = common::FakeHttpClient::new();
360
-
// No seeded responses needed for loopback
360
+
// No seeded responses needed for loopback.
361
361
362
362
let target = parse_target("http://localhost/").expect("parse failed");
363
363
let jwks_fetcher = common::FakeJwksFetcher::new();
+2
-1
tests/snapshots/oauth_client_discovery__https_confidential_happy_discovery.snap
+2
-1
tests/snapshots/oauth_client_discovery__https_confidential_happy_discovery.snap
···
1
1
---
2
2
source: tests/oauth_client_discovery.rs
3
+
assertion_line: 44
3
4
expression: rendered
4
5
---
5
6
Target: https://client.example.com/metadata.json
···
28
29
[OK] JWKS is present
29
30
[SKIP] JWKS URI is fetchable — jwks is inline
30
31
[OK] JWKS is valid JSON
32
+
[OK] Keys have unique kid values
31
33
[OK] Keys declare alg field
32
34
[OK] Keys use signing use
33
35
[OK] Algorithms are modern EC
34
-
[OK] Keys have unique kid values
35
36
36
37
Summary: 23 passed, 0 failed (spec), 0 network errors, 0 advisories, 1 skipped. Exit code: 0
+2
-1
tests/snapshots/oauth_client_metadata__confidential_happy.snap
+2
-1
tests/snapshots/oauth_client_metadata__confidential_happy.snap
···
1
1
---
2
2
source: tests/oauth_client_metadata.rs
3
+
assertion_line: 47
3
4
expression: rendered
4
5
---
5
6
Target: https://client.example.com/metadata.json
···
28
29
[OK] JWKS is present
29
30
[SKIP] JWKS URI is fetchable — jwks is inline
30
31
[OK] JWKS is valid JSON
32
+
[OK] Keys have unique kid values
31
33
[OK] Keys declare alg field
32
34
[OK] Keys use signing use
33
35
[OK] Algorithms are modern EC
34
-
[OK] Keys have unique kid values
35
36
36
37
Summary: 23 passed, 0 failed (spec), 0 network errors, 0 advisories, 1 skipped. Exit code: 0
+2
-1
tests/snapshots/oauth_client_metadata__dpop_bound_false.snap
+2
-1
tests/snapshots/oauth_client_metadata__dpop_bound_false.snap
···
1
1
---
2
2
source: tests/oauth_client_metadata.rs
3
+
assertion_line: 135
3
4
expression: rendered
4
5
---
5
6
Target: https://client.example.com/metadata.json
···
31
32
[OK] JWKS is present
32
33
[SKIP] JWKS URI is fetchable — jwks is inline
33
34
[OK] JWKS is valid JSON
35
+
[OK] Keys have unique kid values
34
36
[OK] Keys declare alg field
35
37
[OK] Keys use signing use
36
38
[OK] Algorithms are modern EC
37
-
[OK] Keys have unique kid values
38
39
39
40
Summary: 22 passed, 1 failed (spec), 0 network errors, 0 advisories, 1 skipped. Exit code: 1
+2
-1
tests/snapshots/oauth_client_metadata__scope_grammar_invalid.snap
+2
-1
tests/snapshots/oauth_client_metadata__scope_grammar_invalid.snap
···
1
1
---
2
2
source: tests/oauth_client_metadata.rs
3
+
assertion_line: 258
3
4
expression: rendered
4
5
---
5
6
Target: https://client.example.com/metadata.json
···
38
39
[OK] JWKS is present
39
40
[SKIP] JWKS URI is fetchable — jwks is inline
40
41
[OK] JWKS is valid JSON
42
+
[OK] Keys have unique kid values
41
43
[OK] Keys declare alg field
42
44
[OK] Keys use signing use
43
45
[OK] Algorithms are modern EC
44
-
[OK] Keys have unique kid values
45
46
46
47
Summary: 21 passed, 1 failed (spec), 0 network errors, 0 advisories, 2 skipped. Exit code: 1