Cover various problematic authentication config errors

[jviotti]

Signed-off-by: Juan Cruz Viotti jv@jviotti.com

[augmentcode]

🤖 Augment PR Summary

Summary: This PR strengthens validation and error reporting around enterprise authentication policy configuration.

Changes:

• Adds a pre-save validation pass that rejects unreachable apiKey policies whose entire scope is already covered by a public policy.
• Introduces AuthenticationShadowedError to surface the specific shadowed scope and the covering public path.
• Extends the CLI to print a dedicated, user-friendly error message for shadowed-policy failures.
• Updates unit tests to distinguish “public carve-out inside apiKey scope” from full shadowing, and adds a new test for the shadowed-policy rejection.
• Adds CLI regression tests for: too many authentication entries, apiKey entries without keys, and fully shadowed apiKey policies.

Technical Notes: Shadowing detection is path-prefix based (public policies covering an apiKey scope), and the new CLI tests lock in exact error output for these configuration failures.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

path_covers does a raw string prefix check, but the trie builder treats paths as segment sequences and explicitly ignores leading/trailing/repeated slashes (authentication_next_segment), so equivalent scopes like "/internal/" vs "/internal" (or "" vs "/") may not be handled consistently and the shadowed-policy detection could miss unreachable configs.

Severity: medium

_{🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.}

[cubic-dev-ai]

2 issues found across 8 files

<sub>Reply with feedback, questions, or to request a fix.

Re-trigger cubic</sub>

[github-actions]

Benchmark Index (community)

Details

Benchmark suite	Current: 1497699	Previous: 3021b77	Ratio
Add one schema (0 existing)	395 ms	407 ms	0.97
Add one schema (100 existing)	28 ms	30 ms	0.93
Add one schema (1000 existing)	82 ms	84 ms	0.98
Add one schema (10000 existing)	662 ms	679 ms	0.97
Update one schema (1 existing)	21 ms	22 ms	0.95
Update one schema (101 existing)	29 ms	30 ms	0.97
Update one schema (1001 existing)	82 ms	88 ms	0.93
Update one schema (10001 existing)	669 ms	702 ms	0.95
Cached rebuild (1 existing)	6 ms	7 ms	0.86
Cached rebuild (101 existing)	8 ms	9 ms	0.89
Cached rebuild (1001 existing)	29 ms	29 ms	1
Cached rebuild (10001 existing)	248 ms	252 ms	0.98
Index 100 schemas	506 ms	694 ms	0.73
Index 1000 schemas	1515 ms	1589 ms	0.95
Index 10000 schemas	13682 ms	13839 ms	0.99
Index 10000 schemas (custom meta-schema)	16301 ms	16593 ms	0.98
Index 10000 schemas ($ref fan-out)	16497 ms	16726 ms	0.99

This comment was automatically generated by workflow using github-action-benchmark.

[github-actions]

Benchmark Index (enterprise)

Details

Benchmark suite	Current: 1497699	Previous: 3021b77	Ratio
Add one schema (0 existing)	375 ms	389 ms	0.96
Add one schema (100 existing)	32 ms	34 ms	0.94
Add one schema (1000 existing)	87 ms	93 ms	0.94
Add one schema (10000 existing)	678 ms	781 ms	0.87
Update one schema (1 existing)	25 ms	28 ms	0.89
Update one schema (101 existing)	31 ms	35 ms	0.89
Update one schema (1001 existing)	88 ms	96 ms	0.92
Update one schema (10001 existing)	689 ms	775 ms	0.89
Cached rebuild (1 existing)	8 ms	9 ms	0.89
Cached rebuild (101 existing)	10 ms	11 ms	0.91
Cached rebuild (1001 existing)	33 ms	35 ms	0.94
Cached rebuild (10001 existing)	280 ms	296 ms	0.95
Index 100 schemas	630 ms	523 ms	1.20
Index 1000 schemas	1440 ms	1596 ms	0.90
Index 10000 schemas	13676 ms	13526 ms	1.01
Index 10000 schemas (custom meta-schema)	16063 ms	16199 ms	0.99
Index 10000 schemas ($ref fan-out)	16549 ms	16312 ms	1.01

This comment was automatically generated by workflow using github-action-benchmark.