stack-auth 0.39.1

Authentication library for CipherStash services
Documentation
["test:integration:stack-auth"]
description = "Run stack-auth Node.js integration tests"
dir = "{{config_root}}/packages/stack-auth/node"
run = [
  "npm install",
  "cargo build -p stack-auth-node",
  "cp ../../../target/debug/libstack_auth_node.dylib stack-auth-node.node 2>/dev/null || cp ../../../target/debug/libstack_auth_node.so stack-auth-node.node",
  "npx vitest run",
]

["crap:stack-auth"]
description = "Gate stack-auth on the CRAP (Change Risk Anti-Patterns) metric — fails when a complex, under-tested function exceeds the threshold"
run = [
  # Instrument and run the unit tests, emitting LCOV coverage that `cargo crap` consumes.
  # `stress_tests` are excluded: they are wall-clock timing/concurrency tests (real
  # axum servers, real sleeps, sub-second expiry windows) that become flaky under
  # llvm-cov's ~2-5x slowdown. They still run in the normal `cargo nextest` gate, and
  # excluding them here has zero effect on the report — the deterministic unit tests
  # already cover the same lines.
  "mise x --env test -- cargo llvm-cov nextest -p stack-auth --all-features -E 'not test(stress_tests)' --lcov --output-path {{config_root}}/target/stack-auth-lcov.info",
  # Score every production function. Excludes test code, examples and the node/wasm
  # binding crates so the report reflects the core library. `--fail-above` exits
  # non-zero when any function's CRAP score exceeds the threshold from the
  # workspace-root .cargo-crap.toml (30), so this gates both local runs and CI.
  # NOTE: this must stay the LAST command — the crap-stack-auth.yml CI workflow runs
  # this task and relies on mise appending its trailing args (e.g. --format github)
  # to this `cargo crap` invocation.
  "cargo crap --path packages/stack-auth --lcov {{config_root}}/target/stack-auth-lcov.info --exclude 'node/**' --exclude 'wasm/**' --exclude 'examples/**' --exclude '**/tests.rs' --exclude '**/tests/**' --fail-above",
]

# Fuzz stack-auth's public AccessKey string parser (libFuzzer via cargo-fuzz).
# Requires the nightly toolchain. Runs 60s by default; override by appending a
# libFuzzer flag, e.g. `mise run fuzz:access-key -- -max_total_time=300` (the
# last repeated value wins). `--sanitizer none` is safe — the parser is pure
# safe Rust. `--target $(rustc … host)` forces the native host triple (the
# cargo-fuzz binary may be x86_64 under Rosetta on Apple Silicon, which
# otherwise misdetects the target). The fuzz crate lives in
# `packages/stack-auth/fuzz/` (detached).
["fuzz:access-key"]
description = "Fuzz stack-auth's AccessKey string parser (libFuzzer, nightly, 60s default)"
dir = "{{config_root}}/packages/stack-auth"
run = "cargo +nightly fuzz run access_key_parse --sanitizer none --target $(rustc -vV | sed -n 's/^host: //p') -- -max_total_time=60"

# Fuzz the JWT claims decode path (Token::fuzz_decode_claims, behind the `fuzz`
# feature). On native this is the jsonwebtoken-based decode with signature
# validation disabled. Same flags/rationale as fuzz:access-key.
["fuzz:jwt-decode"]
description = "Fuzz stack-auth's JWT claims decode path (libFuzzer, nightly, 60s default)"
dir = "{{config_root}}/packages/stack-auth"
run = "cargo +nightly fuzz run jwt_decode --sanitizer none --target $(rustc -vV | sed -n 's/^host: //p') -- -max_total_time=60"