Problem
packages/stack/__tests__/lock-context.test.ts gates its four identity-bound encryption tests on process.env.USER_JWT and silently returns (logging "Skipping…") when it is absent:

```ts
const userJwt = process.env.USER_JWT
if (!userJwt) {
  // early return inside the test body: the suite still reports success
  console.log('Skipping lock context test - no USER_JWT provided')
  return
}
```
USER_JWT is set in no workflow (grep of .github/ finds zero references), so these tests are always skipped in CI and the job stays green regardless.
Why it matters
This is the only test of the strategy-based identity path — OidcFederationStrategy → .withLockContext({ identityClaim }) — that replaced the old LockContext.identify(jwt) ceremony (#497). With it skipped, that path has zero executed coverage: a regression in the federation flow, the lock-context wiring, or the OidcFederationStrategy.create signature would ship a green build. The auth 0.39 → 0.40 bump (which changed OidcFederationStrategy.create to take a workspaceCrn) is currently only validated by the type/build check, not at runtime.
Contrast the wasm-e2e-tests job, which deliberately added a fail-loud guard ("Assert CS_* secrets are present") precisely so a missing/rotated secret can't hide a regression behind a skipped test.
Proposed fix
- Provision a test end-user OIDC JWT for CI (USER_JWT), likely minted at job start rather than stored as a static secret, since end-user JWTs expire.
- Expose it in the run-tests job env alongside the existing CS_* secrets.
- Add a fail-loud guard mirroring the WASM E2E job: error if USER_JWT is unset in CI so the identity tests can't silently skip.
Found during the code review of the auth 0.40 bump on #497.
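The guard sketched in the proposed fix, as an added example that is not code from the repository: it replaces the silent `return` with a gate that skips only outside CI and throws inside it, and also rejects a token whose `exp` has passed (that check is an assumption motivated by the note that end-user JWTs expire). USER_JWT comes from the issue; CI=true is the variable GitHub Actions sets, and the base64url decoder assumes ASCII claims.

```typescript
// Added example, not code from the repository. USER_JWT and the test name come from
// the issue; CI=true is what GitHub Actions sets; the exp check is an assumption
// motivated by the note that end-user JWTs expire (payload assumed ASCII).
export type JwtGate = { kind: 'run'; jwt: string } | { kind: 'skip'; reason: string }

// Decode one base64url segment (unpadded, '-'/'_' alphabet) to a byte-per-char string.
function base64UrlDecode(segment: string): string {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
  let acc = 0, bits = 0, out = ''
  for (let i = 0; i < segment.length; i++) {
    const v = alphabet.indexOf(segment[i])
    if (v < 0) throw new Error(`invalid base64url character in JWT: ${segment[i]}`)
    acc = (acc << 6) | v
    bits += 6
    if (bits >= 8) {
      bits -= 8
      out += String.fromCharCode((acc >> bits) & 0xff)
      acc &= (1 << bits) - 1 // keep only the leftover bits
    }
  }
  return out
}

// Return the exp claim (seconds since epoch) of a compact JWS, or undefined if absent.
export function jwtExpiry(jwt: string): number | undefined {
  const parts = jwt.split('.')
  if (parts.length !== 3) throw new Error('USER_JWT is not a compact JWS (expected 3 segments)')
  const payload = JSON.parse(base64UrlDecode(parts[1]))
  return typeof payload.exp === 'number' ? payload.exp : undefined
}

// Decide whether the identity-bound tests run. Locally a missing token is a deliberate
// skip; in CI it is an error, as is an expired token, so a stale or rotated secret
// cannot hide a regression behind a skipped test.
export function gateUserJwt(env: Record<string, string | undefined>, nowSeconds = Math.floor(Date.now() / 1000)): JwtGate {
  const jwt = env.USER_JWT
  if (!jwt) {
    if (env.CI === 'true') {
      throw new Error('USER_JWT is unset in CI: identity-bound lock context tests must not be skipped')
    }
    return { kind: 'skip', reason: 'no USER_JWT provided' }
  }
  const exp = jwtExpiry(jwt)
  if (exp !== undefined && exp <= nowSeconds) {
    throw new Error(`USER_JWT expired at ${new Date(exp * 1000).toISOString()}; mint it at job start`)
  }
  return { kind: 'run', jwt }
}
```

In the test file, `gateUserJwt(process.env)` replaces the `if (!userJwt) { ...; return }` block; a `skip` result can still log and return locally, while CI can no longer pass with the tests unexecuted.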