test: Wave 23 - facade and adapter snapshot tests

[EffortlessSteven]

Adds 16 insta snapshot tests across 3 crates: uselesskey facade (9), rustls (4), tonic (3). All crypto material redacted. Deterministic via seed.

Determinism impact: None
Policy impact: None

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Add snapshot tests for facade and adapter crates

🧪 Tests

Walkthroughs

Description

• Adds 16 insta snapshot tests across 3 crates
• Tests facade, rustls adapter, and tonic adapter outputs
• Snapshots certificate/key shapes and TLS configurations
• All crypto material redacted for security

Diagram

flowchart LR
  facade["Facade Crate<br/>9 snapshot tests"]
  rustls["Rustls Adapter<br/>4 snapshot tests"]
  tonic["Tonic Adapter<br/>3 snapshot tests"]
  insta["Insta Snapshots<br/>YAML format"]
  
  facade -->|RSA, ECDSA, Ed25519| insta
  facade -->|HMAC, Token, X509| insta
  rustls -->|Cert DER lengths| insta
  rustls -->|Private key types| insta
  tonic -->|Config types| insta
  tonic -->|Certificate shapes| insta

Loading

File Changes

1. crates/uselesskey/tests/snapshots_facade.rs 🧪 Tests +277/-0

Facade crate snapshot tests for key shapes

• Adds 9 snapshot tests for facade crate covering RSA, ECDSA, Ed25519, HMAC, Token, and X509
• Tests key shapes including algorithm, PEM headers, and DER lengths
• Snapshots HMAC secret lengths and token value lengths
• Snapshots X509 self-signed and chain certificate structures

crates/uselesskey/tests/snapshots_facade.rs

---

2. crates/uselesskey-rustls/tests/snapshots_rustls.rs 🧪 Tests +113/-0

Rustls adapter snapshot tests for certificates

• Adds 4 snapshot tests for rustls adapter
• Tests self-signed and chain certificate DER lengths
• Snapshots private key types (PKCS1, PKCS8, SEC1) with redacted key lengths
• Validates adapter output shapes for certificates and keys

crates/uselesskey-rustls/tests/snapshots_rustls.rs

---

3. crates/uselesskey-tonic/tests/snapshots_tonic.rs 🧪 Tests +129/-0

Tonic adapter snapshot tests for TLS configs

• Adds 3 snapshot tests for tonic adapter
• Tests available TLS configuration types from self-signed and chain certs
• Snapshots certificate PEM formats and header validation
• Validates certificate and key structure shapes

crates/uselesskey-tonic/tests/snapshots_tonic.rs

---

View more (5)

4. crates/uselesskey-rustls/tests/testutil.rs 🧪 Tests +16/-0

Rustls test utilities for deterministic fixtures

• Adds test utility module for rustls adapter tests
• Provides deterministic Factory via OnceLock singleton
• Uses seeded random generation for reproducible snapshots

crates/uselesskey-rustls/tests/testutil.rs

---

5. crates/uselesskey-tonic/tests/testutil.rs 🧪 Tests +16/-0

Tonic test utilities for deterministic fixtures

• Adds test utility module for tonic adapter tests
• Provides deterministic Factory via OnceLock singleton
• Uses seeded random generation for reproducible snapshots

crates/uselesskey-tonic/tests/testutil.rs

---

6. crates/uselesskey/Cargo.toml Dependencies +2/-0

Add snapshot testing dependencies

• Adds serde and insta workspace dependencies for snapshot testing

crates/uselesskey/Cargo.toml

---

7. crates/uselesskey-rustls/Cargo.toml Dependencies +2/-0

Add snapshot testing dependencies

• Adds serde and insta workspace dependencies for snapshot testing

crates/uselesskey-rustls/Cargo.toml

---

8. crates/uselesskey-tonic/Cargo.toml Dependencies +2/-0

Add snapshot testing dependencies

• Adds serde and insta workspace dependencies for snapshot testing

crates/uselesskey-tonic/Cargo.toml

---

[coderabbitai]

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 25 minutes and 48 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 3f8ed52 and 2642ae5.

⛔ Files ignored due to path filters (17)

• Cargo.lock is excluded by !**/*.lock
• crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_chain_cert_der_lengths.snap is excluded by !**/*.snap
• crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_chain_private_key_type.snap is excluded by !**/*.snap
• crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_self_signed_cert_der_len.snap is excluded by !**/*.snap
• crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_self_signed_private_key_type.snap is excluded by !**/*.snap
• crates/uselesskey-tonic/tests/snapshots/snapshots_tonic__tonic_available_config_types.snap is excluded by !**/*.snap
• crates/uselesskey-tonic/tests/snapshots/snapshots_tonic__tonic_chain_certificate_shapes.snap is excluded by !**/*.snap
• crates/uselesskey-tonic/tests/snapshots/snapshots_tonic__tonic_self_signed_certificate_shapes.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__ecdsa_snapshots__facade_ecdsa_p256_shape.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__ecdsa_snapshots__facade_ecdsa_p384_shape.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__ed25519_snapshots__facade_ed25519_shape.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__hmac_snapshots__facade_hmac_shapes.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__rsa_snapshots__facade_rsa_2048_shape.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__rsa_snapshots__facade_rsa_pem_headers.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__token_snapshots__facade_token_shapes.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__x509_snapshots__facade_x509_chain_shape.snap is excluded by !**/*.snap
• crates/uselesskey/tests/snapshots/snapshots_facade__x509_snapshots__facade_x509_self_signed_shape.snap is excluded by !**/*.snap

📒 Files selected for processing (8)

• crates/uselesskey-rustls/Cargo.toml
• crates/uselesskey-rustls/tests/snapshots_rustls.rs
• crates/uselesskey-rustls/tests/testutil.rs
• crates/uselesskey-tonic/Cargo.toml
• crates/uselesskey-tonic/tests/snapshots_tonic.rs
• crates/uselesskey-tonic/tests/testutil.rs
• crates/uselesskey/Cargo.toml
• crates/uselesskey/tests/snapshots_facade.rs

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch wave-23/facade-snapshots

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (1) 📎 Requirement gaps (0)

1. PEM markers committed in tests 📘 Rule violation ⛨ Security

Description

The new tonic snapshot tests contain literal PEM boundary markers (certificate/private key) in
source code, which are secret-shaped strings that can trigger secret scanners. This violates the
repository requirement to avoid committing secret-shaped PEM material.

Code

crates/uselesskey-tonic/tests/snapshots_tonic.rs[R83-96]

+        chain_pem_cert_count: chain
+            .chain_pem()
+            .matches("-----BEGIN CERTIFICATE-----")
+            .count(),
+        root_pem_starts_with_cert_header: chain
+            .root_cert_pem()
+            .starts_with("-----BEGIN CERTIFICATE-----"),
+        leaf_pem_starts_with_cert_header: chain
+            .leaf_cert_pem()
+            .starts_with("-----BEGIN CERTIFICATE-----"),
+        leaf_key_pem_starts_with_key_header: chain
+            .leaf_private_key_pkcs8_pem()
+            .starts_with("-----BEGIN PRIVATE KEY-----"),
+    };

Evidence

PR Compliance ID 4 forbids committing secret-shaped blobs (including PEM markers) into the
repository. The added test code introduces literal PEM boundary lines for certificates and private
keys.

CLAUDE.md
crates/uselesskey-tonic/tests/snapshots_tonic.rs[83-96]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The tonic snapshot tests add literal PEM boundary markers (e.g., `-----BEGIN PRIVATE KEY-----`) into committed source files. This is secret-shaped content and violates the no-PEM/DER/tokens-in-repo rule.

## Issue Context
Even without the base64 payload, these markers are commonly flagged by secret scanners and are explicitly called out in the compliance rule as content to avoid committing.

## Fix Focus Areas
- crates/uselesskey-tonic/tests/snapshots_tonic.rs[83-96]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Tests break no-default builds 🐞 Bug ⛯ Reliability

Description

The new tests/snapshots_*.rs integration tests in uselesskey-tonic and uselesskey-rustls
unconditionally import and use X.509 adapters, so cargo test -p <crate> --no-default-features will
fail to compile. This conflicts with the crates’ own feature modeling (default = ["x509"], with
x509 optional) and the repo’s documented expectation of feature-matrix/no-default coverage.

Code

crates/uselesskey-tonic/tests/snapshots_tonic.rs[R8-12]

+use serde::Serialize;
+use testutil::fx;
+use uselesskey_tonic::{TonicClientTlsExt, TonicIdentityExt, TonicMtlsExt, TonicServerTlsExt};
+use uselesskey_x509::{ChainSpec, X509FactoryExt, X509Spec};
+

Evidence

Both adapter crates declare x509 as an optional feature enabled by default, implying no-default
builds should be viable. However, the new integration tests directly depend on X.509 APIs without
any #[cfg(feature = "x509")] / required-features gating. The facade snapshot tests already
demonstrate the intended pattern by feature-gating the X.509 snapshot module. Repository docs also
call out CI feature-matrix checks including no-default as a guarantee.

crates/uselesskey-tonic/tests/snapshots_tonic.rs[8-12]
crates/uselesskey-rustls/tests/snapshots_rustls.rs[8-12]
crates/uselesskey-tonic/Cargo.toml[23-26]
crates/uselesskey-rustls/Cargo.toml[29-35]
crates/uselesskey/tests/snapshots_facade.rs[215-218]
docs/requirements-v0.3.md[70-73]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The new integration snapshot tests in `uselesskey-tonic` and `uselesskey-rustls` unconditionally depend on X.509 APIs. Because both crates model `x509` as an **optional** feature (enabled by default), `cargo test -p <crate> --no-default-features` will fail to compile.

### Issue Context
The repo documents feature-matrix validation including `no-default` builds. The facade snapshot tests already show the desired pattern by gating X.509 snapshots behind `#[cfg(feature = "x509")]`.

### Fix Focus Areas
- crates/uselesskey-tonic/tests/snapshots_tonic.rs[1-12]
- crates/uselesskey-rustls/tests/snapshots_rustls.rs[1-12]

### Suggested change
Add a crate-level guard at the top of each file:
```rust
#![cfg(feature = "x509")]
```

Or wrap the entire contents in a feature-gated module:
```rust
#[cfg(feature = "x509")]
mod snapshot_tests { /* existing contents */ }
```

(Optionally, you can also add `[[test]]` sections with `required-features = ["x509"]` in each crate’s `Cargo.toml` if you prefer Cargo-level gating.)

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more

[Copilot]

Pull request overview

Adds deterministic Insta snapshot tests to validate the public “facade” and adapter outputs (facade, rustls, tonic) without snapshotting raw secret material.

Changes:

• Added a new snapshots_facade.rs test suite covering multiple key/cert/token “shape” outputs behind feature flags.
• Added new snapshots_rustls.rs and snapshots_tonic.rs suites plus shared deterministic testutil::fx() helpers.
• Added required serde/insta dev-dependencies and checked in generated .snap artifacts.

Reviewed changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
crates/uselesskey/tests/snapshots_facade.rs	Adds facade-level snapshot tests for key/cert/token shapes across feature-gated modules
crates/uselesskey/tests/snapshots/snapshots_facade__x509_snapshots__facade_x509_self_signed_shape.snap	Snapshot output for facade X509 self-signed shape
crates/uselesskey/tests/snapshots/snapshots_facade__x509_snapshots__facade_x509_chain_shape.snap	Snapshot output for facade X509 chain shape
crates/uselesskey/tests/snapshots/snapshots_facade__token_snapshots__facade_token_shapes.snap	Snapshot output for facade token shapes
crates/uselesskey/tests/snapshots/snapshots_facade__rsa_snapshots__facade_rsa_pem_headers.snap	Snapshot output for facade RSA PEM header checks
crates/uselesskey/tests/snapshots/snapshots_facade__rsa_snapshots__facade_rsa_2048_shape.snap	Snapshot output for facade RSA-2048 shape
crates/uselesskey/tests/snapshots/snapshots_facade__hmac_snapshots__facade_hmac_shapes.snap	Snapshot output for facade HMAC shapes
crates/uselesskey/tests/snapshots/snapshots_facade__ed25519_snapshots__facade_ed25519_shape.snap	Snapshot output for facade Ed25519 shape
crates/uselesskey/tests/snapshots/snapshots_facade__ecdsa_snapshots__facade_ecdsa_p384_shape.snap	Snapshot output for facade ECDSA P-384 shape
crates/uselesskey/tests/snapshots/snapshots_facade__ecdsa_snapshots__facade_ecdsa_p256_shape.snap	Snapshot output for facade ECDSA P-256 shape
crates/uselesskey/Cargo.toml	Adds serde/insta as dev-dependencies for the new snapshots
crates/uselesskey-tonic/tests/testutil.rs	Adds deterministic Factory helper for tonic adapter tests
crates/uselesskey-tonic/tests/snapshots_tonic.rs	Adds tonic adapter snapshot tests around TLS config and cert/key shapes
crates/uselesskey-tonic/tests/snapshots/snapshots_tonic__tonic_self_signed_certificate_shapes.snap	Snapshot output for tonic self-signed cert/key shapes
crates/uselesskey-tonic/tests/snapshots/snapshots_tonic__tonic_chain_certificate_shapes.snap	Snapshot output for tonic chain cert/key shapes
crates/uselesskey-tonic/tests/snapshots/snapshots_tonic__tonic_available_config_types.snap	Snapshot output verifying tonic config constructors are available
crates/uselesskey-tonic/Cargo.toml	Adds serde/insta dev-dependencies for tonic snapshots
crates/uselesskey-rustls/tests/testutil.rs	Adds deterministic Factory helper for rustls adapter tests
crates/uselesskey-rustls/tests/snapshots_rustls.rs	Adds rustls adapter snapshot tests (cert DER lengths, key type)
crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_self_signed_private_key_type.snap	Snapshot output for rustls self-signed private key type (redacted length)
crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_self_signed_cert_der_len.snap	Snapshot output for rustls self-signed cert DER length
crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_chain_private_key_type.snap	Snapshot output for rustls chain leaf private key type (redacted length)
crates/uselesskey-rustls/tests/snapshots/snapshots_rustls__rustls_chain_cert_der_lengths.snap	Snapshot output for rustls chain DER lengths/count
crates/uselesskey-rustls/Cargo.toml	Adds serde/insta dev-dependencies for rustls snapshots

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

#![allow(unused)] at the crate level can mask genuine issues in tests (e.g., leftover dead code/imports). Prefer removing it, or scoping the allow to the smallest surface area (e.g., on a specific helper/module, or using a narrower lint like dead_code / unused_imports).

Suggested change

#![allow(unused)]

[Copilot]

Indexing into chain_certs[0] and [1] will panic if the adapter ever returns an unexpected chain length (including regressions you may actually want to snapshot with a clearer assertion message). Prefer using .get(0)/.get(1) with an expect message (or derive lengths via iteration) so failures are explicit and diagnostics are clearer.

Suggested change

	leaf_cert_der_len: chain_certs[0].as_ref().len(),
	intermediate_cert_der_len: chain_certs[1].as_ref().len(),
	leaf_cert_der_len: chain_certs
	.get(0)
	.expect("expected leaf certificate at index 0 in chain_certs")
	.as_ref()
	.len(),
	intermediate_cert_der_len: chain_certs
	.get(1)
	.expect("expected intermediate certificate at index 1 in chain_certs")
	.as_ref()
	.len(),

[Copilot]

t.value() is called twice per case. If value() allocates or computes, this adds avoidable work and can make tests noisier. Consider binding the value once (e.g., let v = t.value();) and using v.len() / !v.is_empty().

Suggested change

	TokenShape {
	kind: "api_key",
	value_len: t.value().len(),
	value_non_empty: !t.value().is_empty(),
	}
	},
	{
	let t = fx.token("snapshot-bearer", TokenSpec::bearer());
	TokenShape {
	kind: "bearer",
	value_len: t.value().len(),
	value_non_empty: !t.value().is_empty(),
	}
	},
	{
	let t = fx.token("snapshot-oauth", TokenSpec::oauth_access_token());
	TokenShape {
	kind: "oauth_access_token",
	value_len: t.value().len(),
	value_non_empty: !t.value().is_empty(),
	let v = t.value();
	TokenShape {
	kind: "api_key",
	value_len: v.len(),
	value_non_empty: !v.is_empty(),
	}
	},
	{
	let t = fx.token("snapshot-bearer", TokenSpec::bearer());
	let v = t.value();
	TokenShape {
	kind: "bearer",
	value_len: v.len(),
	value_non_empty: !v.is_empty(),
	}
	},
	{
	let t = fx.token("snapshot-oauth", TokenSpec::oauth_access_token());
	let v = t.value();
	TokenShape {
	kind: "oauth_access_token",
	value_len: v.len(),
	value_non_empty: !v.is_empty(),

[qodo-free-for-open-source-projects]

1. Pem markers committed in tests 📘 Rule violation ⛨ Security

The new tonic snapshot tests contain literal PEM boundary markers (certificate/private key) in
source code, which are secret-shaped strings that can trigger secret scanners. This violates the
repository requirement to avoid committing secret-shaped PEM material.

Agent Prompt

## Issue description
The tonic snapshot tests add literal PEM boundary markers (e.g., `-----BEGIN PRIVATE KEY-----`) into committed source files. This is secret-shaped content and violates the no-PEM/DER/tokens-in-repo rule.

## Issue Context
Even without the base64 payload, these markers are commonly flagged by secret scanners and are explicitly called out in the compliance rule as content to avoid committing.

## Fix Focus Areas
- crates/uselesskey-tonic/tests/snapshots_tonic.rs[83-96]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[qodo-free-for-open-source-projects]

2. Tests break no-default builds 🐞 Bug ⛯ Reliability

The new tests/snapshots_*.rs integration tests in uselesskey-tonic and uselesskey-rustls
unconditionally import and use X.509 adapters, so cargo test -p <crate> --no-default-features will
fail to compile. This conflicts with the crates’ own feature modeling (default = ["x509"], with
x509 optional) and the repo’s documented expectation of feature-matrix/no-default coverage.

Agent Prompt

### Issue description
The new integration snapshot tests in `uselesskey-tonic` and `uselesskey-rustls` unconditionally depend on X.509 APIs. Because both crates model `x509` as an **optional** feature (enabled by default), `cargo test -p <crate> --no-default-features` will fail to compile.

### Issue Context
The repo documents feature-matrix validation including `no-default` builds. The facade snapshot tests already show the desired pattern by gating X.509 snapshots behind `#[cfg(feature = "x509")]`.

### Fix Focus Areas
- crates/uselesskey-tonic/tests/snapshots_tonic.rs[1-12]
- crates/uselesskey-rustls/tests/snapshots_rustls.rs[1-12]

### Suggested change
Add a crate-level guard at the top of each file:
```rust
#![cfg(feature = "x509")]
```

Or wrap the entire contents in a feature-gated module:
```rust
#[cfg(feature = "x509")]
mod snapshot_tests { /* existing contents */ }
```

(Optionally, you can also add `[[test]]` sections with `required-features = ["x509"]` in each crate’s `Cargo.toml` if you prefer Cargo-level gating.)

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

[EffortlessSteven]

Closing: Persistent merge conflicts from many waves landing on main. Facade snapshot coverage is superseded by wave-17 snapshots (PR #41, merged) and upcoming doc-test waves. [Class D: superseded]