
test: Wave 17 - insta snapshot tests for all key-type crates #41

Merged
EffortlessSteven merged 3 commits into main from wave-17/snapshot-tests
Mar 1, 2026

@EffortlessSteven
Member

Summary

Adds deterministic snapshot tests using insta for all 6 key-type crates:

| Crate | Snapshots | Coverage |
|---|---|---|
| uselesskey-rsa | 5 | PEM shapes, DER lengths, JWK structure, KID format |
| uselesskey-ecdsa | 6 | PEM shapes (P-256/P-384), DER lengths, JWK structure, KID format |
| uselesskey-ed25519 | 5 | PEM shapes, DER lengths, JWK structure, KID format |
| uselesskey-hmac | 3 | Secret lengths, JWK structure, KID format |
| uselesskey-token | 4 | API key/bearer/OAuth shapes, authorization headers |
| uselesskey-x509 | 4 | Cert/key PEM shapes, DER lengths, cert metadata |

Pattern

All snapshot tests follow the established pattern from existing adapter crate snapshots:

  • Use `insta::assert_yaml_snapshot!` with named snapshots
  • Serialize metadata structs (algorithm, lengths, headers) — NOT key bytes
  • Redact crypto material with `[REDACTED]`
  • Snap files stored in `tests/snapshots/` directories

Testing

  • `cargo test --workspace --all-features --exclude uselesskey-bdd` — all pass
  • `cargo clippy --workspace --all-features -- -D warnings` — clean
  • `cargo fmt --check` — clean

Determinism impact: None

Policy impact: None (no blob additions)

Copilot AI review requested due to automatic review settings March 1, 2026 18:53

@coderabbitai

coderabbitai bot commented Mar 1, 2026

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 22 minutes and 31 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between 0489cd1 and 1ac4490.

⛔ Files ignored due to path filters (25)
  • crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__ecdsa_der_lengths.snap is excluded by !**/*.snap
  • crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__ecdsa_p256_private_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__ecdsa_p384_private_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__jwk_snapshots__ecdsa_kid_format.snap is excluded by !**/*.snap
  • crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__jwk_snapshots__ecdsa_p256_public_jwk.snap is excluded by !**/*.snap
  • crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__jwk_snapshots__ecdsa_p384_public_jwk.snap is excluded by !**/*.snap
  • crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__ed25519_der_lengths.snap is excluded by !**/*.snap
  • crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__ed25519_private_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__ed25519_public_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__jwk_snapshots__ed25519_kid_format.snap is excluded by !**/*.snap
  • crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__jwk_snapshots__ed25519_public_jwk.snap is excluded by !**/*.snap
  • crates/uselesskey-hmac/tests/snapshots/snapshots_hmac__hmac_secret_lengths.snap is excluded by !**/*.snap
  • crates/uselesskey-hmac/tests/snapshots/snapshots_hmac__jwk_snapshots__hmac_hs256_jwk.snap is excluded by !**/*.snap
  • crates/uselesskey-hmac/tests/snapshots/snapshots_hmac__jwk_snapshots__hmac_kid_format.snap is excluded by !**/*.snap
  • crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__jwk_snapshots__rsa_2048_public_jwk.snap is excluded by !**/*.snap
  • crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__jwk_snapshots__rsa_kid_format.snap is excluded by !**/*.snap
  • crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__rsa_2048_private_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__rsa_2048_public_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__rsa_der_lengths.snap is excluded by !**/*.snap
  • crates/uselesskey-token/tests/snapshots/snapshots_token__token_authorization_headers.snap is excluded by !**/*.snap
  • crates/uselesskey-token/tests/snapshots/snapshots_token__token_oauth_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_cert_metadata.snap is excluded by !**/*.snap
  • crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_cert_pem_shape.snap is excluded by !**/*.snap
  • crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_der_lengths.snap is excluded by !**/*.snap
  • crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_private_key_pem_shape.snap is excluded by !**/*.snap
📒 Files selected for processing (2)
  • crates/uselesskey-x509/Cargo.toml
  • crates/uselesskey-x509/tests/snapshots_x509.rs

@qodo-free-for-open-source-projects

Review Summary by Qodo

Add insta snapshot tests for all key-type crates (Wave 17)

🧪 Tests


Walkthroughs

Description
• Add insta snapshot tests for all 6 key-type crates
• Snapshot PEM shapes, DER lengths, JWK structures across RSA, ECDSA, Ed25519
• Snapshot HMAC secret lengths and token metadata with redacted sensitive data
• Add insta and serde dev-dependencies to all key-type crates
Diagram
flowchart LR
  RSA["RSA<br/>5 snapshots"]
  ECDSA["ECDSA<br/>6 snapshots"]
  ED25519["Ed25519<br/>5 snapshots"]
  HMAC["HMAC<br/>3 snapshots"]
  TOKEN["Token<br/>4 snapshots"]
  X509["X509<br/>4 snapshots"]
  
  RSA -- "PEM shapes, DER lengths, JWK, KID" --> INSTA["Insta Snapshots"]
  ECDSA -- "PEM shapes, DER lengths, JWK, KID" --> INSTA
  ED25519 -- "PEM shapes, DER lengths, JWK, KID" --> INSTA
  HMAC -- "Secret lengths, JWK, KID" --> INSTA
  TOKEN -- "Token shapes, auth headers" --> INSTA
  X509 -- "Cert/key PEM, DER, metadata" --> INSTA
  
  INSTA -- "Redacted crypto material" --> DETECT["Detect unintended changes"]

File Changes

1. crates/uselesskey-rsa/tests/snapshots_rsa.rs 🧪 Tests +135/-0

Add RSA snapshot tests for PEM, DER, JWK

crates/uselesskey-rsa/tests/snapshots_rsa.rs


2. crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs 🧪 Tests +159/-0

Add ECDSA snapshot tests for P-256, P-384

crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs


3. crates/uselesskey-ed25519/tests/snapshots_ed25519.rs 🧪 Tests +123/-0

Add Ed25519 snapshot tests for PEM, DER, JWK

crates/uselesskey-ed25519/tests/snapshots_ed25519.rs


4. crates/uselesskey-hmac/tests/snapshots_hmac.rs 🧪 Tests +108/-0

Add HMAC snapshot tests for secret, JWK, KID

crates/uselesskey-hmac/tests/snapshots_hmac.rs


5. crates/uselesskey-token/tests/snapshots_token.rs 🧪 Tests +115/-0

Add token snapshot tests for API key, bearer, OAuth

crates/uselesskey-token/tests/snapshots_token.rs


6. crates/uselesskey-x509/tests/snapshots_x509.rs 🧪 Tests +106/-0

Add X509 snapshot tests for cert, key, metadata

crates/uselesskey-x509/tests/snapshots_x509.rs


7. crates/uselesskey-rsa/Cargo.toml Dependencies +2/-0

Add insta and serde dev-dependencies

crates/uselesskey-rsa/Cargo.toml


8. crates/uselesskey-ecdsa/Cargo.toml Dependencies +2/-0

Add insta and serde dev-dependencies

crates/uselesskey-ecdsa/Cargo.toml


9. crates/uselesskey-ed25519/Cargo.toml Dependencies +2/-0

Add insta and serde dev-dependencies

crates/uselesskey-ed25519/Cargo.toml


10. crates/uselesskey-hmac/Cargo.toml Dependencies +3/-0

Add insta, serde, serde_json dev-dependencies

crates/uselesskey-hmac/Cargo.toml


11. crates/uselesskey-token/Cargo.toml Dependencies +2/-0

Add insta and serde dev-dependencies

crates/uselesskey-token/Cargo.toml


12. crates/uselesskey-x509/Cargo.toml Dependencies +2/-0

Add insta and serde dev-dependencies

crates/uselesskey-x509/Cargo.toml



qodo-free-for-open-source-projects bot commented Mar 1, 2026

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (2) 📎 Requirement gaps (0)



Action required

1. Token prefix leaks secrets 📘 Rule violation ⛨ Security
Description
The new token snapshot tests include a prefix derived from the real token value and commit it into
.snap files, leaking token material via repo artifacts/test output. This violates the requirement
to avoid leaking secret tokens in debug/log-like outputs.
Code

crates/uselesskey-token/tests/snapshots_token.rs[R26-35]

+    let shape = TokenShape {
+        kind: "api_key",
+        len: value.len(),
+        prefix: value.chars().take(8).collect(),
+        value: value.to_string(),
+    };
+
+    insta::assert_yaml_snapshot!("token_api_key_shape", shape, {
+        ".value" => "[REDACTED]",
+    });
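Review bot: `prefix: value.chars().take(8).collect()` puts the first eight characters of the token into the serialized struct, and the redaction map below it only rewrites `.value`, so those characters are written to the snapshot as-is. Either add a `".prefix" => "[REDACTED]"` entry next to the `.value` one, or replace `prefix` with a field that holds no token characters, such as a length or a boolean. Keeping the full token in `value: value.to_string()` and relying on the selector to mask it also means a mistyped or dropped selector would write the whole token; consider leaving the field out of `TokenShape`.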
Evidence
PR Compliance ID 2 forbids printing/leaking secret tokens; the new tests serialize prefix from
value and the committed insta snapshot shows prefix stored in plaintext (only .value is
redacted).

CLAUDE.md; AGENTS.md
crates/uselesskey-token/tests/snapshots_token.rs[26-35]
crates/uselesskey-token/tests/snapshots/snapshots_token__token_bearer_shape.snap[5-8]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
Token snapshot tests currently serialize and snapshot a `prefix` derived from the real token string. Even though `.value` is redacted, the committed `.snap` output still contains part of the secret token.
## Issue Context
The compliance policy forbids leaking token/key material via debug/log-like outputs; insta snapshots are committed artifacts and will appear in diffs/CI output.
## Fix Focus Areas
- crates/uselesskey-token/tests/snapshots_token.rs[26-35]
- crates/uselesskey-token/tests/snapshots_token.rs[44-53]



2. PEM headers committed snapshots 📘 Rule violation ⛨ Security
Description
The new PEM-shape snapshots commit PEM boundary markers like -----BEGIN PRIVATE KEY----- and
-----BEGIN CERTIFICATE----- into .snap files, which are secret-shaped blobs likely to trigger
secret scanners. This violates the policy to not commit PEM/DER/token-shaped material into the
repository.
Code

crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs[R20-27]

+fn pem_shape(pem: &str) -> PemShape {
+    let lines: Vec<&str> = pem.lines().collect();
+    PemShape {
+        first_line: lines.first().unwrap_or(&"").to_string(),
+        last_line: lines.last().unwrap_or(&"").to_string(),
+        line_count: lines.len(),
+        total_len: pem.len(),
+    }
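Review bot: `first_line` and `last_line` in `pem_shape()` copy the first and last lines of the input verbatim, so for a PEM input the boundary lines themselves end up in whatever serializes `PemShape`. Record a derived value instead, for example whether the first line starts with `-----BEGIN ` and the last with `-----END `, or only the label between the dashes. The `unwrap_or(&"")` fallbacks also turn empty input into two empty strings with `line_count: 0`; in a test helper an explicit assertion that the input is non-empty would fail closer to the cause.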
Evidence
PR Compliance ID 4 forbids committing secret-shaped blobs (including PEM-like artifacts). The new
pem_shape() snapshots first_line/last_line, and the committed .snap files contain PEM
boundary lines for private keys/certificates.

CLAUDE.md; AGENTS.md
crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs[20-27]
crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_private_key_pem_shape.snap[5-6]
crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_cert_pem_shape.snap[5-6]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
PEM-shape snapshots currently commit PEM boundary markers (e.g., `-----BEGIN PRIVATE KEY-----`) into insta `.snap` files, creating secret-shaped repository blobs.
## Issue Context
Even without base64 bodies, PEM boundary markers commonly trigger secret scanning/push-protection and violate the repository policy to avoid committing PEM/DER/token-shaped artifacts.
## Fix Focus Areas
- crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs[20-52]
- crates/uselesskey-rsa/tests/snapshots_rsa.rs[20-51]
- crates/uselesskey-ed25519/tests/snapshots_ed25519.rs[20-51]
- crates/uselesskey-x509/tests/snapshots_x509.rs[20-46]


Comment on lines +26 to +35
let shape = TokenShape {
kind: "api_key",
len: value.len(),
prefix: value.chars().take(8).collect(),
value: value.to_string(),
};

insta::assert_yaml_snapshot!("token_api_key_shape", shape, {
".value" => "[REDACTED]",
});

Action required

1. Token prefix leaks secrets 📘 Rule violation ⛨ Security

The new token snapshot tests include a prefix derived from the real token value and commit it into
.snap files, leaking token material via repo artifacts/test output. This violates the requirement
to avoid leaking secret tokens in debug/log-like outputs.
Agent Prompt
## Issue description
Token snapshot tests currently serialize and snapshot a `prefix` derived from the real token string. Even though `.value` is redacted, the committed `.snap` output still contains part of the secret token.

## Issue Context
The compliance policy forbids leaking token/key material via debug/log-like outputs; insta snapshots are committed artifacts and will appear in diffs/CI output.

## Fix Focus Areas
- crates/uselesskey-token/tests/snapshots_token.rs[26-35]
- crates/uselesskey-token/tests/snapshots_token.rs[44-53]


Comment on lines +20 to +27
fn pem_shape(pem: &str) -> PemShape {
let lines: Vec<&str> = pem.lines().collect();
PemShape {
first_line: lines.first().unwrap_or(&"").to_string(),
last_line: lines.last().unwrap_or(&"").to_string(),
line_count: lines.len(),
total_len: pem.len(),
}

Action required

2. Pem headers committed snapshots 📘 Rule violation ⛨ Security

The new PEM-shape snapshots commit PEM boundary markers like -----BEGIN PRIVATE KEY----- and
-----BEGIN CERTIFICATE----- into .snap files, which are secret-shaped blobs likely to trigger
secret scanners. This violates the policy to not commit PEM/DER/token-shaped material into the
repository.
Agent Prompt
## Issue description
PEM-shape snapshots currently commit PEM boundary markers (e.g., `-----BEGIN PRIVATE KEY-----`) into insta `.snap` files, creating secret-shaped repository blobs.

## Issue Context
Even without base64 bodies, PEM boundary markers commonly trigger secret scanning/push-protection and violate the repository policy to avoid committing PEM/DER/token-shaped artifacts.

## Fix Focus Areas
- crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs[20-52]
- crates/uselesskey-rsa/tests/snapshots_rsa.rs[20-51]
- crates/uselesskey-ed25519/tests/snapshots_ed25519.rs[20-51]
- crates/uselesskey-x509/tests/snapshots_x509.rs[20-46]


Copilot AI left a comment


Pull request overview

Adds deterministic insta snapshot tests across key/token/x509 crates to catch unintended format/metadata changes without snapshotting secret material.

Changes:

  • Introduces new snapshot test files for uselesskey-{rsa,ecdsa,ed25519,hmac,token,x509}.
  • Adds corresponding .snap golden files under each crate’s tests/snapshots/.
  • Adds insta + serde(derive) test-time dependencies to relevant crates.

Reviewed changes

Copilot reviewed 39 out of 40 changed files in this pull request and generated no comments.

Show a summary per file
File Description
crates/uselesskey-x509/tests/snapshots_x509.rs Adds PEM/DER/metadata snapshot tests for X509 outputs
crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_private_key_pem_shape.snap Snapshot for X509 private key PEM shape
crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_der_lengths.snap Snapshot for X509 DER length metadata
crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_cert_pem_shape.snap Snapshot for X509 cert PEM shape
crates/uselesskey-x509/tests/snapshots/snapshots_x509__x509_cert_metadata.snap Snapshot for parsed X509 certificate metadata
crates/uselesskey-x509/Cargo.toml Adds insta/serde dev deps for snapshot tests
crates/uselesskey-token/tests/snapshots_token.rs Adds token shape + auth header snapshot tests
crates/uselesskey-token/tests/snapshots/snapshots_token__token_oauth_shape.snap Snapshot for OAuth token shape metadata
crates/uselesskey-token/tests/snapshots/snapshots_token__token_bearer_shape.snap Snapshot for bearer token shape metadata
crates/uselesskey-token/tests/snapshots/snapshots_token__token_authorization_headers.snap Snapshot for authorization header shapes/lengths
crates/uselesskey-token/tests/snapshots/snapshots_token__token_api_key_shape.snap Snapshot for API key token shape metadata
crates/uselesskey-token/Cargo.toml Adds insta/serde for token snapshot tests
crates/uselesskey-rsa/tests/snapshots_rsa.rs Adds RSA PEM/DER/JWK/KID snapshot tests
crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__rsa_der_lengths.snap Snapshot for RSA DER lengths by key size
crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__rsa_2048_public_pem_shape.snap Snapshot for RSA public key PEM shape
crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__rsa_2048_private_pem_shape.snap Snapshot for RSA private key PEM shape
crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__jwk_snapshots__rsa_kid_format.snap Snapshot for RSA KID format metadata
crates/uselesskey-rsa/tests/snapshots/snapshots_rsa__jwk_snapshots__rsa_2048_public_jwk.snap Snapshot for RSA public JWK structure (redacted fields)
crates/uselesskey-rsa/Cargo.toml Adds insta/serde dev deps for RSA snapshot tests
crates/uselesskey-hmac/tests/snapshots_hmac.rs Adds HMAC secret length + JWK/KID snapshot tests
crates/uselesskey-hmac/tests/snapshots/snapshots_hmac__jwk_snapshots__hmac_kid_format.snap Snapshot for HMAC KID format across algs
crates/uselesskey-hmac/tests/snapshots/snapshots_hmac__jwk_snapshots__hmac_hs256_jwk.snap Snapshot for HMAC HS256 JWK structure (redacted fields)
crates/uselesskey-hmac/tests/snapshots/snapshots_hmac__hmac_secret_lengths.snap Snapshot for HMAC secret byte lengths
crates/uselesskey-hmac/Cargo.toml Adds insta/serde(_json) dev deps for HMAC snapshots
crates/uselesskey-ed25519/tests/snapshots_ed25519.rs Adds Ed25519 PEM/DER/JWK/KID snapshot tests
crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__jwk_snapshots__ed25519_public_jwk.snap Snapshot for Ed25519 public JWK structure (redacted fields)
crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__jwk_snapshots__ed25519_kid_format.snap Snapshot for Ed25519 KID format metadata
crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__ed25519_public_pem_shape.snap Snapshot for Ed25519 public PEM shape
crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__ed25519_private_pem_shape.snap Snapshot for Ed25519 private PEM shape
crates/uselesskey-ed25519/tests/snapshots/snapshots_ed25519__ed25519_der_lengths.snap Snapshot for Ed25519 DER lengths
crates/uselesskey-ed25519/Cargo.toml Adds insta/serde dev deps for Ed25519 snapshots
crates/uselesskey-ecdsa/tests/snapshots_ecdsa.rs Adds ECDSA P-256/P-384 PEM/DER/JWK/KID snapshot tests
crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__jwk_snapshots__ecdsa_p384_public_jwk.snap Snapshot for ECDSA P-384 public JWK structure (redacted fields)
crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__jwk_snapshots__ecdsa_p256_public_jwk.snap Snapshot for ECDSA P-256 public JWK structure (redacted fields)
crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__jwk_snapshots__ecdsa_kid_format.snap Snapshot for ECDSA KID format metadata
crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__ecdsa_p384_private_pem_shape.snap Snapshot for ECDSA P-384 private PEM shape
crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__ecdsa_p256_private_pem_shape.snap Snapshot for ECDSA P-256 private PEM shape
crates/uselesskey-ecdsa/tests/snapshots/snapshots_ecdsa__ecdsa_der_lengths.snap Snapshot for ECDSA DER lengths by curve
crates/uselesskey-ecdsa/Cargo.toml Adds insta/serde dev deps for ECDSA snapshots
Comments suppressed due to low confidence (5)

crates/uselesskey-token/tests/snapshots_token.rs:1

  • The snapshots redact .value, but still persist the first 8 characters of the token in .prefix (and that prefix is committed in the .snap files). This conflicts with “Token values are always redacted” and can leak sensitive material; consider replacing prefix with non-sensitive metadata (e.g., starts_with_uk_test: bool, prefix_len: usize, or a redacted/constant placeholder) so no token characters are stored in snapshots.

crates/uselesskey-token/tests/snapshots_token.rs:1

  • The snapshots redact .value, but still persist the first 8 characters of the token in .prefix (and that prefix is committed in the .snap files). This conflicts with “Token values are always redacted” and can leak sensitive material; consider replacing prefix with non-sensitive metadata (e.g., starts_with_uk_test: bool, prefix_len: usize, or a redacted/constant placeholder) so no token characters are stored in snapshots.

crates/uselesskey-x509/tests/snapshots_x509.rs:1

  • is_self_signed is derived from subject == issuer, which only checks name equality and does not actually verify the certificate is self-signed (signature validation). Either rename the field to reflect what it measures (e.g., subject_eq_issuer) or compute self-signed status by verifying the signature against the cert’s own public key.

crates/uselesskey-rsa/tests/snapshots_rsa.rs:72

  • The algorithm field is being set to "RSA-2048"/"RSA-4096" (key size), and the alg tuple element ("RS256", "RS512") isn’t actually used to configure the keypair (RsaSpec::new(bits) ignores it). To avoid confusion, consider renaming algorithm to something like key_size/key_type, and derive it directly from bits (eliminating the alg string + match).
    let cases: Vec<DerLengths> = [
        (2048, "RS256", "snap-rsa-2048"),
        (4096, "RS512", "snap-rsa-4096"),
    ]
    .into_iter()
    .map(|(bits, alg, label)| {
        let kp = fx.rsa(label, RsaSpec::new(bits));
        DerLengths {
            algorithm: match alg {
                "RS256" => "RSA-2048",
                _ => "RSA-4096",
            },
            private_key_der_len: kp.private_key_pkcs8_der().len(),
            public_key_der_len: kp.public_key_spki_der().len(),
        }
    })

crates/uselesskey-token/Cargo.toml:25

  • insta and serde(derive) appear to be introduced for snapshot tests; if they’re not required by the library’s public code, prefer adding them under [dev-dependencies] to avoid increasing downstream compile time and dependency surface for normal consumers.
base64.workspace = true
serde_json.workspace = true
proptest.workspace = true
insta.workspace = true
serde = { workspace = true, features = ["derive"] }
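
Both review findings above (token characters and PEM boundary lines reaching committed `.snap` files) come down to what the shape structs serialize. The sketch below is an added example, not code from the uselesskey repository: std-only Rust in which `{:#?}` stands in for the YAML insta would write, with a guard that scans rendered output before it is committed. The struct fields, function names, the `uk_test_` prefix and the sample values are assumptions constructed for illustration.

```rust
// Added example, not code from the uselesskey repository. Std-only: `{:#?}` stands in
// for the YAML insta would write. All names and sample values are constructed.

#[derive(Debug)]
pub struct TokenShape {
    pub kind: &'static str,
    pub len: usize,
    pub has_expected_prefix: bool, // a boolean instead of the first 8 characters
}

#[derive(Debug)]
pub struct PemShape {
    pub label_kind: &'static str, // coarse class instead of the boundary line itself
    pub framed: bool,             // BEGIN and END labels both present and equal
    pub line_count: usize,
    pub total_len: usize,
}

pub fn token_shape(kind: &'static str, value: &str, expected_prefix: &str) -> TokenShape {
    let has_expected_prefix = !expected_prefix.is_empty() && value.starts_with(expected_prefix);
    TokenShape { kind, len: value.len(), has_expected_prefix }
}

// Returns the label of a `-----BEGIN <label>-----` / `-----END <label>-----` line.
fn boundary_label<'a>(line: &'a str, word: &str) -> Option<&'a str> {
    let rest = line.trim_end().strip_prefix("-----")?.strip_prefix(word)?;
    rest.strip_prefix(' ')?.strip_suffix("-----")
}

pub fn pem_shape(pem: &str) -> PemShape {
    let lines: Vec<&str> = pem.lines().collect();
    let begin = lines.first().copied().and_then(|l| boundary_label(l, "BEGIN"));
    let end = lines.last().copied().and_then(|l| boundary_label(l, "END"));
    let framed = begin.is_some() && begin == end;
    let label_kind = match (framed, begin) {
        (false, _) => "unframed",
        (true, Some(l)) if l.ends_with("PRIVATE KEY") => "private-key",
        (true, Some(l)) if l.ends_with("PUBLIC KEY") => "public-key",
        (true, Some("CERTIFICATE")) => "certificate",
        (true, _) => "other",
    };
    PemShape { label_kind, framed, line_count: lines.len(), total_len: pem.len() }
}

/// Shortest run of secret bytes that counts as a leak when found in rendered output.
const MIN_RUN: usize = 6;

/// Scans rendered snapshot text for PEM boundary markers and for runs of `secret`.
pub fn snapshot_findings(rendered: &str, secret: &str) -> Vec<&'static str> {
    let mut findings = Vec::new();
    if rendered.contains("-----BEGIN ") || rendered.contains("-----END ") {
        findings.push("pem-boundary");
    }
    let (hay, sec) = (rendered.as_bytes(), secret.as_bytes());
    let n = MIN_RUN.min(sec.len());
    if n > 0 && sec.windows(n).any(|run| hay.windows(n).any(|w| w == run)) {
        findings.push("secret-substring");
    }
    findings
}

/// Builds a constructed PEM-framed string; the body is dummy base64, not a key.
pub fn sample_pem(label: &str, body: &str) -> String {
    format!("-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
}

fn main() {
    let token = "uk_test_Zm9vYmFyYmF6cXV4MTIzNDU2"; // constructed, not a credential
    let safe = format!("{:#?}", token_shape("api_key", token, "uk_test_"));
    let leaky = format!("prefix: {}", &token[..8]); // what a `.prefix` field would emit
    println!("{safe}\nsafe: {:?}", snapshot_findings(&safe, token));
    println!("leaky: {:?}", snapshot_findings(&leaky, token));
    let pem = sample_pem("PRIVATE KEY", "QUJDREVGR0hJSktMTU5P");
    println!("{:#?}", pem_shape(&pem));
}
```

In a test suite the guard would run on the serialized snapshot text before the snapshot assertion, so a newly added field that carries token characters or a boundary line fails the test instead of reaching the repository.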


EffortlessSteven and others added 3 commits March 1, 2026 16:15
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@EffortlessSteven EffortlessSteven force-pushed the wave-17/snapshot-tests branch from 15d6d2b to 1ac4490 Compare March 1, 2026 21:18
@EffortlessSteven EffortlessSteven merged commit c804af9 into main Mar 1, 2026
4 checks passed
@EffortlessSteven EffortlessSteven deleted the wave-17/snapshot-tests branch March 5, 2026 15:26