Fix Terraform state authentication by passing auth context

[osterman]

what

• Add authentication context parameter to Terraform backend operations
• Refactor PostAuthenticate interface to use parameter struct
• Extract nested logic to reduce complexity
• Fix test coverage for backend functions

why

• Terraform state operations need proper AWS credentials when accessing S3 backends
• Multi-identity scenarios require passing auth context through the call chain
• Reduces function parameter count from 6 to 2 (using PostAuthenticateParams struct)
• Simplifies nested conditional logic for better maintainability

references

• Part of multi-identity authentication context work
• Follows established authentication context patterns
• Related to docs/prd/auth-context-multi-identity.md

Summary by CodeRabbit

• New Features

  • Centralized per-command AuthContext enabling multiple concurrent identities (AWS, GitHub, Azure, etc.) and making in-process SDK and Terraform calls use Atmos-managed credentials.
  • Console session duration configurable via provider console.session_duration with CLI flag override.

• Bug Fixes

  • More reliable in-process authentication for SDK and Terraform state reads.

• Documentation

  • Added design doc, blog post, and CLI docs describing AuthContext and session-duration behavior.

• Tests

  • Expanded tests for auth flows, AWS config loading, and YAML/Terraform tag auth propagation.

[mergify]

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

[coderabbitai]

Warning

Rate limit exceeded

@osterman has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 15 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between 6444ffe and 4354c86.

📒 Files selected for processing (1)

• internal/aws_utils/aws_utils_test.go (2 hunks)

📝 Walkthrough

Walkthrough

Introduces a runtime AuthContext (with AWSAuthContext) and threads it through authentication, AWS SDK loading, Terraform backend/state reads, and YAML/tag evaluation. Refactors Identity.PostAuthenticate to accept PostAuthenticateParams, adds SetAuthContext/SetEnvironmentVariables, and preserves backward-compatible nil paths.

Changes

Cohort / File(s)	Summary
Schema & auth types pkg/schema/schema.go, pkg/schema/schema_auth.go, pkg/auth/types/interfaces.go, pkg/auth/types/mock_interfaces.go	Add AuthContext and AWSAuthContext; add ConsoleConfig; introduce PostAuthenticateParams; change Identity.PostAuthenticate signature and update mock generation/signatures.
Auth manager & providers pkg/auth/manager.go, pkg/auth/manager_test.go, pkg/auth/providers/mock/identity.go, pkg/auth/providers/mock/identity_test.go	Ensure/initialize AuthContext in Authenticate; construct/pass PostAuthenticateParams; adapt tests and mock identity implementations.
AWS auth implementation & setup pkg/auth/cloud/aws/setup.go, pkg/auth/cloud/aws/setup_test.go, pkg/auth/cloud/aws/console.go	Add SetAuthContext and SetAuthContextParams; change SetEnvironmentVariables to accept *schema.AuthContext; support component region override and console session-duration behavior; tests added/updated.
AWS identity implementations pkg/auth/identities/aws/*.go, pkg/auth/identities/aws/*_test.go	Convert PostAuthenticate to accept *types.PostAuthenticateParams; add nil/credential guards; call SetAuthContext and SetEnvironmentVariables; update tests.
AWS SDK utilities internal/aws_utils/aws_utils.go, internal/aws_utils/aws_utils_test.go	Add LoadAWSConfigWithAuth accepting *schema.AWSAuthContext; keep LoadAWSConfig as backward-compatible wrapper; tests for auth-aware loading and region selection.
Terraform backend & registry internal/terraform_backend/*.go, internal/terraform_backend/*_test.go	Thread *schema.AuthContext through backend APIs and registry; S3 backend uses LoadAWSConfigWithAuth and profile-aware cache keys; local/azurerm backends accept auth param; tests updated.
Terraform state abstraction internal/exec/terraform_state_getter.go, internal/exec/mock_terraform_state_getter.go, internal/exec/terraform_state_utils.go	Add TerraformStateGetter interface and mock; expose GetState(..., authContext) and wire through state fetch logic.
YAML / template processing internal/exec/yaml_func_utils.go, internal/exec/yaml_func_terraform_state.go, internal/exec/*_test.go	Thread *schema.ConfigAndStacksInfo (carrying AuthContext) through ProcessCustomYamlTags, processNodes, processCustomTags, and processTagTerraformState; tests added/updated to verify authContext propagation.
Exec & CLI call sites internal/exec/*.go (describe, varfiles, backends, utils), cmd/auth_console.go, cmd/auth_console_test.go	Update call sites to pass configAndStacksInfo/AuthContext into YAML processing; add resolveConsoleDuration; unit tests and docs adjusted.
Developer docs, tests & misc CLAUDE.md, docs/prd/error-handling-linter-rules.md, website/docs/**, website/blog/2025-10-21-auth-context-implementation.md, pkg/http/client.go, tests/*	Add blog/docs; tighten dev guidance; change mockgen directives; add tests (auth-context, varfiles, backend) and test-case adjustments (whitespace normalization).

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI / Command
    participant AuthMgr as AuthManager
    participant Identity as Identity (AWS)
    participant AWSSetup as AWS Setup
    participant State as Terraform State
    participant Backend as TF Backend

    CLI->>AuthMgr: Authenticate(ctx, identityName, authContext)
    AuthMgr->>Identity: PostAuthenticate(ctx, PostAuthenticateParams{AuthContext, StackInfo, ProviderName, IdentityName, Credentials})
    activate Identity
    Identity->>AWSSetup: SetAuthContext(params)
    Note right of AWSSetup #cfe8ff: populate authContext.AWS (creds, profile, files, region)
    Identity->>AWSSetup: SetEnvironmentVariables(authContext, stackInfo)
    deactivate Identity

    CLI->>State: GetTerraformState(..., authContext)
    activate State
    State->>Backend: GetTerraformBackend(..., authContext)
    Backend->>Backend: ReadTerraformBackendS3(..., authContext)
    Backend->>AWSSetup: LoadAWSConfigWithAuth(ctx, region, roleArn, duration, authContext.AWS)
    Note right of Backend #e8f7cf: use Atmos-managed credentials instead of ambient env
    deactivate State

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Atmos Auth Implementation #1475 — Strong overlap: multi-provider AuthContext design and PostAuthenticate/PostAuthenticateParams refactor.
• Add auth logout command #1656 — Closely related: changes to AWS auth setup and environment/file handling intersect with SetAuthContext/SetEnvironmentVariables work.
• Update mockgen to go.uber.org/mock #1681 — Related: updates to gomock usage and generated mock files overlap with mock generation/signature changes in this PR.

Suggested reviewers

• aknysh

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 42.59% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Fix Terraform state authentication by passing auth context" directly relates to a significant aspect of this pull request. The raw summary confirms extensive changes to Terraform backend operations (GetTerraformState, GetTerraformBackend, ReadTerraformBackendS3, etc.) now accepting an authContext parameter, which is core to the work described. However, the PR encompasses broader architectural changes beyond Terraform state authentication—notably the introduction of a system-wide AuthContext pattern, refactoring of the PostAuthenticate interface to use parameter structs, and threading authentication context through YAML processing, AWS setup, and multiple identity implementations. The title captures one important aspect but doesn't reflect the fuller scope of the architectural shift.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mergify]

Warning

This PR exceeds the recommended limit of 1,000 lines.

Large PRs are difficult to review and may be rejected due to their size.

Please verify that this PR does not address multiple issues.
Consider refactoring it into smaller, more focused PRs to facilitate a smoother review process.

[github-actions]

Warning

Changelog Entry Required

This PR is labeled minor or major but doesn't include a changelog entry.

Action needed: Add a new blog post in website/blog/ to announce this change.

Example filename: website/blog/2025-10-22-feature-name.mdx

Alternatively: If this change doesn't require a changelog entry, remove the minor or major label.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[codecov]

Codecov Report

❌ Patch coverage is 76.56250% with 45 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.56%. Comparing base (35e2af6) to head (4354c86).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/auth/identities/aws/permission_set.go	44.44%	5 Missing and 5 partials ⚠️
pkg/auth/identities/aws/assume_role.go	50.00%	3 Missing and 5 partials ⚠️
pkg/auth/identities/aws/user.go	55.55%	3 Missing and 5 partials ⚠️
cmd/auth_console.go	66.66%	5 Missing and 1 partial ⚠️
pkg/auth/manager.go	58.33%	3 Missing and 2 partials ⚠️
internal/terraform_backend/terraform_backend_s3.go	50.00%	2 Missing and 2 partials ⚠️
internal/exec/terraform_generate_backends.go	0.00%	3 Missing ⚠️
internal/exec/yaml_func_utils.go	85.71%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1695      +/-   ##
==========================================
+ Coverage   68.51%   68.56%   +0.05%     
==========================================
  Files         371      372       +1     
  Lines       33287    33438     +151     
==========================================
+ Hits        22805    22928     +123     
- Misses       8334     8353      +19     
- Partials     2148     2157       +9     

Flag	Coverage Δ
unittests	68.56% <76.56%> (+0.05%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
internal/aws_utils/aws_utils.go	75.75% <100.00%> (+34.58%)	⬆️
internal/exec/describe_stacks.go	72.72% <100.00%> (+0.15%)	⬆️
internal/exec/terraform_generate_varfiles.go	52.94% <100.00%> (ø)
internal/exec/terraform_state_getter.go	100.00% <100.00%> (ø)
internal/exec/terraform_state_utils.go	47.61% <100.00%> (ø)
internal/exec/utils.go	78.84% <100.00%> (ø)
internal/exec/yaml_func_terraform_state.go	88.63% <100.00%> (+0.83%)	⬆️
...nal/terraform_backend/terraform_backend_azurerm.go	92.17% <ø> (ø)
...ernal/terraform_backend/terraform_backend_local.go	86.66% <ø> (ø)
...al/terraform_backend/terraform_backend_registry.go	100.00% <100.00%> (ø)
... and 13 more

... and 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

internal/terraform_backend/terraform_backend_s3.go (1)

133-158: Fix defer cancel inside retry loop and broaden NoSuchKey handling.

• Don’t defer cancel in a loop; cancel each attempt explicitly to avoid stacking timers.
• S3 “not found” can surface as smithy API error with code NoSuchKey/NotFound. Handle both.

Suggested patch:

-    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-    defer cancel()
+    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
     output, err := s3Client.GetObject(ctx, &s3.GetObjectInput{
       Bucket: aws.String(bucket),
       Key:    aws.String(tfStateFilePath),
     })
+    cancel()
     if err != nil {
-      var nsk *types.NoSuchKey
-      if errors.As(err, &nsk) {
+      var nsk *types.NoSuchKey
+      if errors.As(err, &nsk) {
         log.Debug("Terraform state file doesn't exist in the S3 bucket; returning 'null'", "file", tfStateFilePath, "bucket", bucket)
         return nil, nil
       }
+      // Also match smithy API errors by code.
+      var apiErr interface{ ErrorCode() string }
+      if errors.As(err, &apiErr) {
+        if code := apiErr.ErrorCode(); code == "NoSuchKey" || code == "NotFound" {
+          log.Debug("Terraform state file doesn't exist in the S3 bucket; returning 'null'", "file", tfStateFilePath, "bucket", bucket)
+          return nil, nil
+        }
+      }
 
       lastErr = err
       if attempt < maxRetryCount {
         log.Debug("Failed to read Terraform state file from the S3 bucket", "attempt", attempt+1, "file", tfStateFilePath, "bucket", bucket, "error", err)
         time.Sleep(time.Second * 2) // backoff
         continue
       }
       return nil, fmt.Errorf("%w: %v", errUtils.ErrGetObjectFromS3, lastErr)
     }

If you prefer strict typing, import github.com/aws/smithy-go and check smithy.APIError.
As per coding guidelines.

🧹 Nitpick comments (29)

internal/terraform_backend/terraform_backend_utils_test.go (1)

180-181: Auth context parameter wired correctly.

Call site updated to new signature; nil is fine for local backend.

Consider adding one S3-backed test that passes a non-nil authContext to exercise the credential path.

internal/terraform_backend/terraform_backend_local_test.go (1)

79-81: LGTM — local backend does not use authContext.

Passing nil keeps behavior unchanged.

You can add t.Parallel() in subtests to speed up the suite.

pkg/schema/schema.go (1)

488-507: Good centralization of runtime auth state.

The AuthContext abstraction is clear and future‑proofed.

Add a small helper for checks:

 type AuthContext struct {
   AWS *AWSAuthContext `json:"aws,omitempty" yaml:"aws,omitempty"`
 }
+
+// IsZero reports whether the context has no active provider credentials.
+func (a *AuthContext) IsZero() bool {
+	if a == nil {
+		return true
+	}
+	return a.AWS == nil
+}

internal/exec/terraform_state_utils.go (2)

28-39: Docstring nit for godot and clarity.

To satisfy the “comments end with periods” linter and keep GoDoc tidy, add periods to header lines and align param docs.

-// Parameters:
+// Parameters.
 //   - atmosConfig: Atmos configuration pointer
 //   - yamlFunc: Name of the calling YAML function for error context
 //   - stack: Stack identifier
 //   - component: Component identifier
 //   - output: Output variable key to retrieve
 //   - skipCache: Flag to bypass cache lookup
-//   - authContext: Optional auth context containing Atmos-managed credentials
+//   - authContext: Optional auth context containing Atmos-managed credentials.

---

95-101: Avoid re-reading backends when state is missing (cache nil sentinel).

Currently, nil backend is stored but never hit (branch skips nil), causing repeated reads. Cache a sentinel and short‑circuit.

 var terraformStateCache = sync.Map{}
+var backendNilSentinel = &struct{}{}

 // If the result for the component in the stack already exists in the cache, return it.
 if !skipCache {
   backend, found := terraformStateCache.Load(stackSlug)
   if found && backend != nil {
+    if backend == backendNilSentinel {
+      return nil, nil
+    }
     log.Debug("Cache hit",
       "function", yamlFunc,
       cfg.ComponentStr, component,
       cfg.StackStr, stack,
       "output", output,
     )
     result, err := tb.GetTerraformBackendVariable(atmosConfig, backend.(map[string]any), output)
@@
 // Cache the result.
-terraformStateCache.Store(stackSlug, backend)
+if backend == nil {
+  terraformStateCache.Store(stackSlug, backendNilSentinel)
+} else {
+  terraformStateCache.Store(stackSlug, backend)
+}

Also applies to: 46-61

internal/terraform_backend/terraform_backend_s3_test.go (1)

106-106: Add a non‑nil authContext case; avoid tests shadowing.

Right now all paths pass nil, so the new param isn’t exercised. Also, the local tests := []struct{...} shadows the imported tests package.

• Add a focused subtest to ensure a non‑nil authContext is plumbed (no panic, correct error typing):

func TestReadTerraformBackendS3_AuthContextPlumbed(t *testing.T) {
	atmosConfig := &schema.AtmosConfiguration{}
	componentData := map[string]any{
		"workspace": "test-ws",
		"backend": map[string]any{
			"type": "s3",
			"s3": map[string]any{
				"bucket": "test-bucket", "region": "us-east-1", "key": "terraform.tfstate",
			},
		},
	}
	authCtx := &schema.AuthContext{} // minimal, just to exercise the code path
	_, _ = tb.ReadTerraformBackendS3(atmosConfig, &componentData, authCtx)
}

• Consider renaming the slice var to cases to avoid shadowing the imported tests package.

• You clear AWS_PROFILE with t.Setenv("AWS_PROFILE", "") after tests.RequireAWSProfile(...). Double‑check intent so CI runs consistently with/without local profiles.

internal/exec/yaml_func_terraform_state_test.go (1)

64-71: Pass non‑nil stackInfo to exercise the new auth-context plumbing in tests.

The info variable is available in scope. These calls should use &info instead of nil to validate the refactored code path.

-	d := processTagTerraformState(&atmosConfig, "!terraform.state component-1 foo", stack, nil)
+	d := processTagTerraformState(&atmosConfig, "!terraform.state component-1 foo", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 bar", stack, nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 bar", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 nonprod baz", "", nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 nonprod baz", "", &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 foo", stack, nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 foo", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod bar", stack, nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod bar", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod baz", "", nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod baz", "", &info)

internal/exec/yaml_func_utils_test.go (1)

282-289: Use real stackInfo (&info) to exercise the new flow.

Passing nil skips the authContext extraction in processTagTerraformState (see line 60–62 of yaml_func_terraform_state.go). The test declares and initializes info at line 263, which is in scope at all target lines. Update the six calls at lines 282, 285, 288, 322, 325, 328 and the one at line 340 to pass &info instead of nil.

-	d := processTagTerraformState(&atmosConfig, "!terraform.state component-1 foo", stack, nil)
+	d := processTagTerraformState(&atmosConfig, "!terraform.state component-1 foo", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 bar", stack, nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 bar", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 nonprod baz", "", nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-1 nonprod baz", "", &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 foo", stack, nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 foo", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod bar", stack, nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod bar", stack, &info)

-	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod baz", "", nil)
+	d = processTagTerraformState(&atmosConfig, "!terraform.state component-2 nonprod baz", "", &info)

-	processed, err := ProcessCustomYamlTags(&atmosConfig, res, stack, []string{}, nil)
+	processed, err := ProcessCustomYamlTags(&atmosConfig, res, stack, []string{}, &info)

internal/terraform_backend/terraform_backend_utils.go (1)

120-125: Update the doc comment to include the new authContext parameter.

The function signature now includes authContext, but the doc comment doesn't mention it. Per coding guidelines, all exported function parameters should be documented.

Apply this diff to document the parameter:

-// GetTerraformBackend reads and processes the Terraform state file from the configured backend.
+// GetTerraformBackend reads and processes the Terraform state file from the configured backend.
+// The authContext parameter provides Atmos-managed authentication credentials for backend access.
 func GetTerraformBackend(
 	atmosConfig *schema.AtmosConfiguration,
 	componentSections *map[string]any,
 	authContext *schema.AuthContext,
 ) (map[string]any, error) {

website/blog/2025-10-21-auth-context-implementation.md (2)

17-21: Consider adding periods to bullet points for consistency.

The document has inconsistent punctuation on list items. Some bullets end with periods, some don't. For consistency and per the static analysis hint, consider ending all bullet points with periods.

Apply this diff:

 - Refactored `PostAuthenticate` interface to use `PostAuthenticateParams` struct (reducing parameters from 6 to 2)
 - Updated Terraform backend operations to accept and use `authContext` parameter
 - Created `SetAuthContext()` function to populate context after authentication
-- Derived environment variables from auth context rather than duplicating credential logic
+- Derived environment variables from auth context rather than duplicating credential logic.

---

62-66: Consider adding periods to bullet points for consistency.

Similar to the earlier section, these bullet points should end with periods for consistency.

Apply this diff:

 - Pass `authContext` through your call chains
 - Use `SetAuthContext()` to populate credentials
-- Derive from auth context rather than duplicating credential logic
+- Derive from auth context rather than duplicating credential logic.

pkg/auth/cloud/aws/setup_test.go (1)

53-64: Make test explicit: init env map, cover region, and add a nil-authContext case.

• Initialize stack.ComponentEnvSection to avoid relying on internal helpers to allocate it.
• Include Region in authContext and assert AWS_REGION is set.
• Add a small table row/subtest for authContext=nil to verify graceful no-op.

Apply this minimal tweak here:

-	authContext := &schema.AuthContext{
+	authContext := &schema.AuthContext{
 		AWS: &schema.AWSAuthContext{
 			CredentialsFile: filepath.Join(tmp, ".aws", "atmos", "prov", "credentials"),
 			ConfigFile:      filepath.Join(tmp, ".aws", "atmos", "prov", "config"),
-			Profile:         "dev",
+			Profile:         "dev",
+			Region:          "us-west-2",
 		},
 	}
 
-	stack := &schema.ConfigAndStacksInfo{}
+	stack := &schema.ConfigAndStacksInfo{
+		ComponentEnvSection: make(schema.AtmosSectionMapType),
+	}
 	err := SetEnvironmentVariables(authContext, stack)
 	require.NoError(t, err)

And assert:

 assert.Equal(t, "dev", stack.ComponentEnvSection["AWS_PROFILE"])
+assert.Equal(t, "us-west-2", stack.ComponentEnvSection["AWS_REGION"])

internal/terraform_backend/terraform_backend_s3.go (2)

77-85: Option: thread ctx into getCachedS3Client for unified cancellation.

Today, getCachedS3Client creates its own 30s context. Consider accepting a ctx param from callers to honor upstream deadlines and tracing. Keeps timeouts consistent.

Example signature change:

-func getCachedS3Client(backend *map[string]any, authContext *schema.AuthContext) (S3API, error) {
+func getCachedS3Client(ctx context.Context, backend *map[string]any, authContext *schema.AuthContext) (S3API, error) {

And call from ReadTerraformBackendS3 with a derived timeout (keeping your 30s if none provided).

---

61-66: Cache key improvement verified; consider expanding to include credentials/config paths.

Profile addition correctly disambiguates multi-identity S3 clients. Verification confirmed no deprecated endpoint resolver APIs and proper modern usage patterns.

However, the cache key omits CredentialsFile and ConfigFile, which can vary per authContext and may contain different s3 endpoint configurations. If the same profile connects to different config files at runtime, clients could be incorrectly cached across different endpoint configurations.

Consider adding both to the cache key:

cacheKey := fmt.Sprintf("region=%s;role_arn=%s", region, roleArn)
if authContext != nil && authContext.AWS != nil {
    cacheKey += fmt.Sprintf(";profile=%s;creds_file=%s;config_file=%s", 
        authContext.AWS.Profile, authContext.AWS.CredentialsFile, authContext.AWS.ConfigFile)
}

pkg/auth/identities/aws/permission_set_test.go (1)

180-200: Also assert AWS_REGION and init env map explicitly.

• Since creds.Region is set, verify AWS_REGION is exported via SetEnvironmentVariables.
• Initialize stack.ComponentEnvSection to make the test independent of helper allocation.

Patch:

-	authContext := &schema.AuthContext{}
-	stack := &schema.ConfigAndStacksInfo{}
+	authContext := &schema.AuthContext{}
+	stack := &schema.ConfigAndStacksInfo{ComponentEnvSection: make(schema.AtmosSectionMapType)}
@@
 	assert.Contains(t, stack.ComponentEnvSection["AWS_SHARED_CREDENTIALS_FILE"], filepath.Join(".aws", "atmos", "aws-sso", "credentials"))
 	assert.Equal(t, "dev", stack.ComponentEnvSection["AWS_PROFILE"])
+	assert.Equal(t, "us-east-1", stack.ComponentEnvSection["AWS_REGION"])

pkg/auth/types/interfaces.go (1)

3-3: Pin mockgen version for reproducible builds.

go.uber.org/mock was last updated August 18, 2025. Using @latest in CI can introduce non-determinism if new versions release. Update the directive to pin to a specific version (e.g., @v0.7.0—adjust per your actual dependency) and verify mocks regenerate without changes.

internal/exec/yaml_func_utils.go (3)

13-23: Exported function needs Go doc; consider params struct to curb signature growth.

Please add a brief Go doc for ProcessCustomYamlTags. Given the growing parameter list, consider a params struct (or options) to avoid further positional args creep.

Apply:

+// ProcessCustomYamlTags processes custom Atmos YAML tags for a stack, threading stackInfo/AuthContext.
 func ProcessCustomYamlTags(
   atmosConfig *schema.AtmosConfiguration,
   input schema.AtmosSectionMapType,
   currentStack string,
   skip []string,
   stackInfo *schema.ConfigAndStacksInfo,
 ) (schema.AtmosSectionMapType, error) {

Ensure all call sites have been updated and covered by tests, especially CLI and varfile/backends paths.

---

104-114: Use static errors and wrap/join per guidelines.

getStringAfterTag builds a dynamic error. Prefer a static error from errors package and wrap/join the underlying context.

Example:

-	if str == "" {
-		err := fmt.Errorf("invalid Atmos YAML function: %s", input)
-		return "", err
-	}
+	if str == "" {
+		// errUtils.ErrInvalidYamlFunction (or introduce a new static error) per errors/errors.go.
+		return "", errors.Join(errUtils.ErrInvalidYamlFunction, fmt.Errorf("input=%q", input))
+	}

If ErrInvalidYamlFunction doesn’t exist, add one to errors/errors.go and use it here.

---

93-95: Comment punctuation nit.

End comments with periods per style guide.

-		// If any other YAML explicit tag (not currently supported by Atmos) is used, return it w/o processing
+		// If any other YAML explicit tag (not currently supported by Atmos) is used, return it without processing.

pkg/auth/identities/aws/user_test.go (1)

245-255: Good assertions; add guard for env map to avoid nil-index panics.

The test validates authContext population and derived env. Ensure the impl initializes stack.ComponentEnvSection before writes.

Add a quick guard in the test:

 authContext := &schema.AuthContext{}
 stack := &schema.ConfigAndStacksInfo{}
 ...
 require.NoError(t, err)
+require.NotNil(t, stack.ComponentEnvSection)

Confirm the implementation allocates stack.ComponentEnvSection when setting env.

Also applies to: 257-265

pkg/auth/manager.go (1)

147-165: Preserve underlying PostAuthenticate error.

Returning only ErrAuthenticationFailed loses the cause. Join it.

-		if err := identity.PostAuthenticate(ctx, &types.PostAuthenticateParams{
+		if err := identity.PostAuthenticate(ctx, &types.PostAuthenticateParams{
 			AuthContext:  authContext,
 			StackInfo:    m.stackInfo,
 			ProviderName: providerName,
 			IdentityName: identityName,
 			Credentials:  finalCreds,
-		}); err != nil {
+		}); err != nil {
 			errUtils.CheckErrorAndPrint(errUtils.ErrAuthenticationFailed, "PostAuthenticate", "")
-			return nil, errUtils.ErrAuthenticationFailed
+			return nil, errors.Join(errUtils.ErrAuthenticationFailed, err)
 		}

Confirm identities tolerate nil AuthContext/StackInfo when Authenticate is used outside stack flows.

internal/aws_utils/aws_utils.go (2)

61-64: Wrap original error properly.

Use errors.Join (or wrap the original) so callers can inspect the root cause.

-	baseCfg, err := config.LoadDefaultConfig(ctx, cfgOpts...)
-	if err != nil {
-		return aws.Config{}, fmt.Errorf("%w: %v", errUtils.ErrLoadAwsConfig, err)
-	}
+	baseCfg, err := config.LoadDefaultConfig(ctx, cfgOpts...)
+	if err != nil {
+		return aws.Config{}, errors.Join(errUtils.ErrLoadAwsConfig, err)
+	}

---

66-79: Assume-role path is fine; minor perf idea (optional).

Reloading config after setting credentials is standard and fine. If you want to avoid a second full load, you could construct a cfg from baseCfg with a custom Credentials provider, but SDK guidance favors your current approach.

No change required.

pkg/auth/cloud/aws/setup.go (5)

3-12: Add perf tracking import for exported functions.

Per repo guidance, add perf.Track in public funcs and import perf.

Apply this diff:

 import (
 	"errors"
 	"fmt"
 
 	errUtils "github.com/cloudposse/atmos/errors"
 	"github.com/cloudposse/atmos/pkg/auth/types"
 	"github.com/cloudposse/atmos/pkg/auth/utils"
 	log "github.com/cloudposse/atmos/pkg/logger"
+	"github.com/cloudposse/atmos/pkg/perf"
 	"github.com/cloudposse/atmos/pkg/schema"
 )

As per coding guidelines.

---

57-60: Add perf.Track in SetAuthContext.

Keep perf consistent across exported funcs.

Apply this diff:

 	if authContext == nil {
 		return nil // No auth context to populate.
 	}
 
+	defer perf.Track(nil, "auth.aws.SetAuthContext")()
+

As per coding guidelines.

---

129-156: Derive a couple more AWS env vars for compatibility.

Set AWS_DEFAULT_REGION and AWS_SDK_LOAD_CONFIG=1 to cover older SDKs/tools expecting them.

Apply this diff:

 	if awsAuth.Region != "" {
 		utils.SetEnvironmentVariable(stackInfo, "AWS_REGION", awsAuth.Region)
+		utils.SetEnvironmentVariable(stackInfo, "AWS_DEFAULT_REGION", awsAuth.Region)
 	}
+
+	// Ensure shared config is honored by tools that require the flag.
+	utils.SetEnvironmentVariable(stackInfo, "AWS_SDK_LOAD_CONFIG", "1")

Based on learnings.

---

129-156: Add perf.Track in SetEnvironmentVariables.

Matches public‑function guidance.

Apply this diff:

 func SetEnvironmentVariables(authContext *schema.AuthContext, stackInfo *schema.ConfigAndStacksInfo) error {
+	defer perf.Track(nil, "auth.aws.SetEnvironmentVariables")()

As per coding guidelines.

---

51-56: Nit: end bullet comments with periods.

Godot linter requires periods at the end of comment lines. Please add trailing periods to the parameter bullets in both doc comments.

As per coding guidelines.

Also applies to: 133-136

docs/prd/auth-context-multi-identity.md (1)

88-101: Tidy markdown: code fence languages, tabs, punctuation.

• Add language hints to fenced blocks (e.g., go, bash, ```mermaid) to satisfy MD040.
• Replace hard tabs with spaces (MD010).
• Ensure paragraphs and bullet sentences end with periods (godot/LanguageTool).

I can auto‑format this file if you want.

Also applies to: 138-176, 208-269

[mergify]

💥 This pull request now has conflicts. Could you fix it @osterman? 🙏

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

tests/cli_test.go (1)

408-416: Clean up the misplaced comment.

Line 408's comment about "Drop any lines matched by the ignore patterns" belongs to the applyIgnorePatterns function below, not to stripTrailingWhitespace. Additionally, the godoc comment on line 409 should end with a period per the godot linter requirement.

Apply this diff to fix the documentation:

-// Drop any lines matched by the ignore patterns so they do not affect the comparison.
-// stripTrailingWhitespace removes trailing whitespace from each line.
+// stripTrailingWhitespace removes trailing whitespace from each line.
 func stripTrailingWhitespace(input string) string {
 	lines := strings.Split(input, "\n")
 	for i, line := range lines {
 		lines[i] = strings.TrimRight(line, " \t")
 	}
 	return strings.Join(lines, "\n")
 }
 
+// Drop any lines matched by the ignore patterns so they do not affect the comparison.
 func applyIgnorePatterns(input string, patterns []string) string {

internal/aws_utils/aws_utils_test.go (1)

257-260: Consider more idiomatic error comparison.

The boolean comparison err1 == nil works but is less clear than directly comparing error states or using test helpers.

Apply this pattern for clearer intent:

-	assert.Equal(t, err1 == nil, err2 == nil, "Both functions should have same error state")
-	if err1 == nil && err2 == nil {
-		assert.Equal(t, cfg1.Region, cfg2.Region, "Both functions should return same region")
-	}
+	if err1 == nil && err2 == nil {
+		assert.Equal(t, cfg1.Region, cfg2.Region, "Both functions should return same region")
+	} else if err1 != nil && err2 != nil {
+		// Both have errors - this is expected to be consistent.
+	} else {
+		t.Errorf("Inconsistent error state: err1=%v, err2=%v", err1, err2)
+	}

internal/exec/terraform_state_getter.go (1)

10-24: Interface signature is appropriate for wrapping existing function.

The TerraformStateGetter interface correctly mirrors the GetTerraformState signature, enabling dependency injection for testing. The high parameter count is acknowledged with a comment.

For future consideration: if this interface gains additional methods or the parameter list grows further, the functional options pattern could reduce complexity.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 4934fdb and 86f14cb.

📒 Files selected for processing (12)

• internal/aws_utils/aws_utils_test.go (2 hunks)
• internal/exec/mock_terraform_state_getter.go (1 hunks)
• internal/exec/terraform_state_getter.go (1 hunks)
• internal/exec/yaml_func_resolution_context_bench_test.go (3 hunks)
• internal/exec/yaml_func_terraform_state.go (3 hunks)
• internal/exec/yaml_func_terraform_state_authcontext_test.go (1 hunks)
• internal/exec/yaml_func_utils.go (7 hunks)
• internal/exec/yaml_func_utils_context_test.go (12 hunks)
• internal/exec/yaml_func_utils_test.go (4 hunks)
• tests/cli_test.go (5 hunks)
• tests/test-cases/auth-cli.yaml (1 hunks)
• tests/test-cases/auth-mock.yaml (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• internal/exec/yaml_func_resolution_context_bench_test.go
• internal/exec/yaml_func_utils.go

🧰 Additional context used

📓 Path-based instructions (6)

{**/*_test.go,tests/**}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer unit tests with mocks over integration; table-driven tests; keep integration tests under tests/; target >80% coverage

Files:

• tests/test-cases/auth-mock.yaml
• internal/aws_utils/aws_utils_test.go
• tests/test-cases/auth-cli.yaml
• internal/exec/yaml_func_terraform_state_authcontext_test.go
• tests/cli_test.go
• internal/exec/yaml_func_utils_context_test.go
• internal/exec/yaml_func_utils_test.go

**/*_test.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*_test.go: Every new feature must include comprehensive unit tests
Test both happy paths and error conditions
Use table-driven tests for multiple scenarios

**/*_test.go: Test behavior, not implementation; avoid tautological tests; use DI to make behavior testable
Tests must exercise production code paths; do not duplicate logic in tests
Use t.Skipf("reason") with clear context when skipping tests

Files:

• internal/aws_utils/aws_utils_test.go
• internal/exec/yaml_func_terraform_state_authcontext_test.go
• tests/cli_test.go
• internal/exec/yaml_func_utils_context_test.go
• internal/exec/yaml_func_utils_test.go

**/*.go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

**/*.go: All code must pass golangci-lint checks
Follow Go error handling idioms and use meaningful error messages
Wrap errors with context using fmt.Errorf("context: %w", err)
Consider custom error types for domain-specific errors
Follow standard Go coding style; run gofmt and goimports
Use snake_case for environment variables
Document complex logic with inline comments

**/*.go: Generate mocks with go.uber.org/mock/mockgen using //go:generate directives; never write manual mocks
Use functional options pattern instead of functions with many parameters
Use context.Context only for cancellation, deadlines, and narrowly-scoped request values; never for config or dependencies; context should be the first parameter
All comments must end with periods (godot linter)
Organize imports in three groups with blank lines (stdlib, third-party, then Atmos packages) and sort alphabetically; keep aliases: cfg, log, u, errUtils
Error handling: wrap with static errors from errors/errors.go, combine with errors.Join, add context with fmt.Errorf("%w: msg", err), check with errors.Is; never compare strings or create dynamic error types
Use //go:generate go run go.uber.org/mock/mockgen@latest -source= -destination=test.go for mocks
Keep files small and focused (<600 lines), one command/impl per file; co-locate tests; never use //revive:disable:file-length-limit
Bind environment variables with viper.BindEnv and use ATMOS prefix
UI (prompts/status) must write to stderr; data outputs to stdout; logging only for system events, not UI
Ensure cross-platform compatibility: prefer SDKs over binaries and use filepath.Join() instead of hardcoded separators

Files:

• internal/aws_utils/aws_utils_test.go
• internal/exec/terraform_state_getter.go
• internal/exec/yaml_func_terraform_state.go
• internal/exec/yaml_func_terraform_state_authcontext_test.go
• tests/cli_test.go
• internal/exec/yaml_func_utils_context_test.go
• internal/exec/mock_terraform_state_getter.go
• internal/exec/yaml_func_utils_test.go

{internal,pkg}/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

{internal,pkg}/**/*.go: Use interface-driven design: define interfaces, inject dependencies for testability, and prefer DI over concrete coupling
Add defer perf.Track(atmosConfig, "pkg.FuncName")() + a blank line at the start of all public functions (use nil if no atmosConfig)

Files:

• internal/aws_utils/aws_utils_test.go
• internal/exec/terraform_state_getter.go
• internal/exec/yaml_func_terraform_state.go
• internal/exec/yaml_func_terraform_state_authcontext_test.go
• internal/exec/yaml_func_utils_context_test.go
• internal/exec/mock_terraform_state_getter.go
• internal/exec/yaml_func_utils_test.go

**/!(*_test).go

📄 CodeRabbit inference engine (.cursor/rules/atmos-rules.mdc)

Document all exported functions, types, and methods with Go doc comments

Files:

• internal/exec/terraform_state_getter.go
• internal/exec/yaml_func_terraform_state.go
• internal/exec/mock_terraform_state_getter.go

internal/exec/**/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

Implement command business logic in internal/exec/ (not in cmd/)

Files:

• internal/exec/terraform_state_getter.go
• internal/exec/yaml_func_terraform_state.go
• internal/exec/yaml_func_terraform_state_authcontext_test.go
• internal/exec/yaml_func_utils_context_test.go
• internal/exec/mock_terraform_state_getter.go
• internal/exec/yaml_func_utils_test.go

🧠 Learnings (1)

📚 Learning: 2025-10-23T00:58:28.974Z

Learnt from: CR
PR: cloudposse/atmos#0
File: CLAUDE.md:0-0
Timestamp: 2025-10-23T00:58:28.974Z
Learning: Applies to **/*.go : All comments must end with periods (godot linter)

Applied to files:

• internal/aws_utils/aws_utils_test.go

🧬 Code graph analysis (7)

internal/aws_utils/aws_utils_test.go (2)

pkg/schema/schema.go (1)

• AWSAuthContext (510-525)

internal/aws_utils/aws_utils.go (2)

• LoadAWSConfigWithAuth (53-113)
• LoadAWSConfig (118-122)

internal/exec/terraform_state_getter.go (3)

pkg/schema/schema.go (2)

• AtmosConfiguration (27-65)
• AuthContext (498-506)

pkg/perf/perf.go (1)

• Track (121-138)

internal/exec/terraform_state_utils.go (1)

• GetTerraformState (31-111)

internal/exec/yaml_func_terraform_state.go (1)

pkg/schema/schema.go (3)

• AtmosConfiguration (27-65)
• ConfigAndStacksInfo (527-610)
• AuthContext (498-506)

internal/exec/yaml_func_terraform_state_authcontext_test.go (3)

internal/exec/mock_terraform_state_getter.go (1)

• NewMockTerraformStateGetter (32-36)

pkg/schema/schema.go (5)

• AuthContext (498-506)
• AWSAuthContext (510-525)
• ConfigAndStacksInfo (527-610)
• AtmosConfiguration (27-65)
• AtmosSectionMapType (14-14)

internal/exec/yaml_func_utils.go (1)

• ProcessCustomYamlTags (13-30)

internal/exec/yaml_func_utils_context_test.go (1)

internal/exec/yaml_func_utils.go (2)

• ProcessCustomYamlTags (13-30)
• ProcessCustomYamlTagsWithContext (32-43)

internal/exec/mock_terraform_state_getter.go (1)

pkg/schema/schema.go (2)

• AtmosConfiguration (27-65)
• AuthContext (498-506)

internal/exec/yaml_func_utils_test.go (2)

internal/exec/yaml_func_utils.go (1)

• ProcessCustomYamlTags (13-30)

pkg/schema/schema.go (5)

• AtmosConfiguration (27-65)
• AuthContext (498-506)
• AWSAuthContext (510-525)
• ConfigAndStacksInfo (527-610)
• AtmosSectionMapType (14-14)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Build (windows)
• GitHub Check: Build (linux)
• GitHub Check: Review Dependency Licenses
• GitHub Check: Analyze (go)
• GitHub Check: Lint (golangci)
• GitHub Check: autofix
• GitHub Check: website-deploy-preview
• GitHub Check: Summary

🔇 Additional comments (13)

tests/test-cases/auth-cli.yaml (1)

321-322: Pragmatic approach to cross-platform test stability.

Using ignore_trailing_whitespace: true with a clear comment is a solid way to handle Lipgloss rendering variance across platforms. The comment directly explains the reason, making it easy for maintainers to understand why this exception exists.

tests/test-cases/auth-mock.yaml (1)

33-33: Consistent cross-platform handling across login test cases.

The ignore_trailing_whitespace: true flag is applied consistently to all three login test cases that produce Lipgloss-formatted output. The comment is clear and documents the reason well.

However, verify whether the auth env tests (lines 106–170) also produce Lipgloss tables that might need the same flag for consistency. If they do, consider applying it there as well for uniform cross-platform stability.

Also applies to: 52-52, 73-73

tests/cli_test.go (2)

63-75: LGTM on the new field addition.

The IgnoreTrailingWhitespace field is cleanly integrated into the Expectation struct with proper YAML tagging. This provides a useful opt-in mechanism for tests that need to normalize trailing whitespace.

---

1305-1309: Nice consistent application across all verification paths.

The stripTrailingWhitespace function is correctly applied in all three snapshot verification scenarios (TTY, stdout, stderr) with proper conditional checks. The placement in the processing pipeline—after ignore patterns but before comparison—makes sense.

Also applies to: 1392-1396, 1419-1423

internal/exec/terraform_state_getter.go (1)

26-42: Clean wrapper implementation with proper performance tracking.

The defaultStateGetter correctly delegates to GetTerraformState and includes performance tracking. The nolint directive is appropriate since the signature must match the interface.

internal/exec/yaml_func_utils_test.go (2)

367-430: Excellent test coverage for authContext threading.

TestProcessCustomYamlTagsWithAuthContext validates that stackInfo.AuthContext flows through ProcessCustomYamlTags to tag processing functions. The test structure is clear, covers both the happy path with authContext and the backward-compatible nil case.

---

432-474: Good unit test for stackInfo parameter usage.

TestProcessCustomYamlTagsStackInfoThreading provides focused validation that stackInfo is actually used, not just accepted. This addresses the concern from past reviews about parameters being accepted but ignored.

internal/exec/yaml_func_terraform_state.go (2)

14-24: Clean parameter threading to context function.

The stackInfo parameter is properly added and forwarded to processTagTerraformStateWithContext. The nolint directive is appropriate since stackInfo is consumed by the context function.

---

89-95: Proper authContext extraction with nil-safe handling.

The authContext is correctly extracted from stackInfo when present, maintaining backward compatibility when nil. This enables Terraform state operations to use Atmos-managed credentials.

internal/exec/yaml_func_terraform_state_authcontext_test.go (3)

12-83: Comprehensive test validates authContext propagation.

TestAuthContextReachesGetTerraformState uses a mock to verify that authContext flows through the entire call chain from ProcessCustomYamlTags to GetState. The use of gomock.Eq(expectedAuthContext) ensures the exact context is passed, catching threading bugs.

---

85-125: Good backward compatibility coverage.

TestAuthContextNilWhenStackInfoNil verifies that nil stackInfo results in nil authContext, maintaining backward compatibility with existing code paths.

---

129-207: Well-structured table-driven test.

TestAuthContextWithDifferentConfigurations covers multiple AWS configuration scenarios (profile with region, different regions, credentials file paths) using a table-driven approach, following Go testing best practices.

internal/exec/yaml_func_utils_context_test.go (1)

25-25: Backward-compatible parameter updates.

All test calls correctly pass nil for the new stackInfo parameter, maintaining backward compatibility while enabling the parameter for future use. The mechanical updates are consistent throughout the test suite.

Also applies to: 42, 67, 88, 108, 129, 144, 148, 153, 164, 176, 188, 222, 257

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

tests/test-cases/schema.json (1)

61-106: Schema additions for test control look well-structured and consistent.

The new top-level properties (env, clean, snapshot, preconditions, skip) properly support test orchestration needs. The skip.os pattern correctly mirrors stdout/stderr's positive/negative matching logic via anyOf, allowing both direct OS strings and exclusion patterns.

One pattern to note: the {"type": "object", "properties": {"not": ...}, "required": ["not"]} definition is now repeated in several places (skip.os, stdout items, stderr items, tty items, file_contains items). This works but isn't DRY—consider a future refactor using JSON Schema's $defs and $ref to centralize the pattern definition.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 86f14cb and 6444ffe.

📒 Files selected for processing (1)

• tests/test-cases/schema.json (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

{**/*_test.go,tests/**}

📄 CodeRabbit inference engine (CLAUDE.md)

Prefer unit tests with mocks over integration; table-driven tests; keep integration tests under tests/; target >80% coverage

Files:

• tests/test-cases/schema.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Build (linux)
• GitHub Check: Build (windows)
• GitHub Check: Review Dependency Licenses
• GitHub Check: Analyze (go)
• GitHub Check: autofix
• GitHub Check: Lint (golangci)
• GitHub Check: website-deploy-preview
• GitHub Check: Summary

🔇 Additional comments (1)

tests/test-cases/schema.json (1)

170-219: New expect assertions are comprehensive and follow existing patterns.

The file_exists, file_not_exists, and file_contains fields provide solid coverage for file-system assertions post-execution. The file_contains schema correctly uses additionalProperties to map dynamic file paths to pattern arrays, mirroring the structure for stdout/stderr.

Defaults are sensible: timeout of 120s, ignore_trailing_whitespace and clean both false. A small note: ensure the test framework actually implements these fields; mismatches between schema and implementation can cause subtle issues.

Can you confirm that the test runner supports all these new assertion types?

[github-actions]

These changes were released in v1.196.0-test.0.