chore(router-tests): bump nats client lib + add router-tests to verify nats tls

[dkorittki]

This adds integration tests to the PR #2749 from @vatsalpatel .

I made a noteworthy design decision for these new tests: Currently nats tests use the nats instance from docker-compose or as defined in CI. In order to test TLS I would have to configure the instance to allow for TLS and worse: require mTLS. To avoid this instead I spawn an in-process nats server configured to require TLS, instead of using the one from docker-compose or CI. This allows developers to keep their plain text connection. Also other nats test focusing on other things don't need to bother with TLS. The newly added tests are the only ones who need to bother with TLS/mTLS.

In order to use a nats in-process server the router-tests go.mod needs a new dependency github.com/nats-io/nats-server/v2 (and nats.go upgraded from v1.35.0 → v1.50.0 as a transitive requirement — this is a backwards-compatible minor version bump). To keep version parity between router and router-tests I updated the router nats dependencies, too.

Summary by CodeRabbit

• Tests

  • Added an end-to-end NATS TLS test suite validating event delivery across multiple TLS and mTLS scenarios (including custom CA verification and tls:// URL handling). Adds test helpers to generate and use temporary TLS certificates during tests.

• Chores

  • Updated NATS libraries and several Go ecosystem dependencies to newer versions for compatibility and security.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/docs-website.
• I have read the Contributors Guide.

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

[coderabbitai]

Walkthrough

Adds a new end-to-end NATS TLS/mTLS router test suite and TLS helper utilities, and updates Go module dependency versions in router-tests/go.mod and router/go.mod (notably NATS libraries and related golang.org/x/* modules).

Changes

Cohort / File(s)	Summary
NATS TLS tests router-tests/events/nats_tls_test.go	New E2E test TestRouterConnectsToNATSWithTLS exercising router-to-NATS connectivity across four TLS scenarios, publishing/subscribing via GraphQL triggers and asserting event payloads.
TLS test helpers router-tests/events/helpers_test.go	New package-local helpers: tlsCerts type, generateTLSCerts to create CA/server/client certs (P-256 ECDSA), PEM encoding, and writeTempFile to persist cert/key files for tests.
Router tests go.mod router-tests/go.mod	Updated module dependencies: github.com/nats-io/nats.go → v1.50.0, added github.com/nats-io/nats-server/v2 v2.12.7, bumped various golang.org/x/* and refreshed several indirect deps (jwt, nkeys, compress, etc.).
Router go.mod router/go.mod	Bumped dependency versions including github.com/nats-io/nats.go → v1.50.0 and multiple golang.org/x/* indirect updates; no API or exported symbol changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• feat(router): add TLS support for NATS event source #2749: Introduces NATS TLS configuration and option-building codepaths (e.g., NatsTLSConfiguration, TLS on NatsEventSource, buildNatsOptions) that these tests exercise.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 47.83% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main changes: bumping the NATS client library and adding NATS TLS verification tests for router-tests.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
wundergraphinc	🟢 Ready	View Preview	Apr 22, 2026, 4:02 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-92e92abb461a6aa37bf1e121a785fcbe19fcc12b

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.66%. Comparing base (fdd035b) to head (2610e04).

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2788       +/-   ##
===========================================
+ Coverage   46.28%   65.66%   +19.37%     
===========================================
  Files        1045      254      -791     
  Lines      139773    26448   -113325     
  Branches     8768        0     -8768     
===========================================
- Hits        64695    17367    -47328     
+ Misses      73326     7681    -65645     
+ Partials     1752     1400      -352     

see 806 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

router-tests/go.mod (1)

35-36: ⚠️ Potential issue | 🟠 Major

Pin go.opentelemetry.io/otel/sdk to v1.40.0 or later in this module.

Lines 35 and 209 currently pin vulnerable versions (v1.39.0 and v1.28.0 replacement) of go.opentelemetry.io/otel/sdk. The module includes google.golang.org/grpc v1.79.3 at line 43, which transitively requires the patched version to address the PATH hijacking vulnerability (GHSA-9h8m-3fm2-qjrq / CVE-2026-24051).

🔧 Suggested change

-	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk v1.40.0
...
-	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
+	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.40.0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router-tests/go.mod` around lines 35 - 36, Update the pinned opentelemetry
SDK to a patched version: change all occurrences that pin
go.opentelemetry.io/otel/sdk (including the direct require at the top-level and
any replace entries) from v1.39.0 or v1.28.0 to v1.40.0 or later; specifically
update the require line(s) and any replace directive referencing
go.opentelemetry.io/otel/sdk to use v1.40.0+ and run `go mod tidy` to ensure the
module graph is consistent.

🧹 Nitpick comments (1)

router/pkg/pubsub/nats/provider_builder_test.go (1)

276-312: Consider adding KeyUsage to client certificate for consistency.

The unit test certificate helper omits KeyUsage and ExtKeyUsage on the client certificate, while the integration test (nats_tls_test.go) correctly sets KeyUsage: x509.KeyUsageDigitalSignature and ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}. While this doesn't affect these unit tests (they only inspect options, not actual TLS handshakes), aligning the helpers would improve consistency.

♻️ Optional: Add KeyUsage to client certificate

 	clientTemplate := &x509.Certificate{
 		SerialNumber: big.NewInt(2),
 		Subject:      pkix.Name{CommonName: "test-client"},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(time.Hour),
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router/pkg/pubsub/nats/provider_builder_test.go` around lines 276 - 312, The
client cert created in generateTestCerts lacks KeyUsage/ExtKeyUsage; update the
clientTemplate in generateTestCerts to set KeyUsage:
x509.KeyUsageDigitalSignature and ExtKeyUsage:
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} (matching the nats_tls_test.go
integration helper) so the generated client certificate includes the proper
usages for client auth.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@router-tests/go.mod`:
- Around line 35-36: Update the pinned opentelemetry SDK to a patched version:
change all occurrences that pin go.opentelemetry.io/otel/sdk (including the
direct require at the top-level and any replace entries) from v1.39.0 or v1.28.0
to v1.40.0 or later; specifically update the require line(s) and any replace
directive referencing go.opentelemetry.io/otel/sdk to use v1.40.0+ and run `go
mod tidy` to ensure the module graph is consistent.

---

Nitpick comments:
In `@router/pkg/pubsub/nats/provider_builder_test.go`:
- Around line 276-312: The client cert created in generateTestCerts lacks
KeyUsage/ExtKeyUsage; update the clientTemplate in generateTestCerts to set
KeyUsage: x509.KeyUsageDigitalSignature and ExtKeyUsage:
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} (matching the nats_tls_test.go
integration helper) so the generated client certificate includes the proper
usages for client auth.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ecf47630-b184-49c4-9242-4cfb21e795c2

📥 Commits

Reviewing files that changed from the base of the PR and between b712757 and 2a69264.

⛔ Files ignored due to path filters (1)

• router-tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• docs-website/router/configuration.mdx
• router-tests/events/nats_tls_test.go
• router-tests/go.mod
• router/pkg/config/config.go
• router/pkg/config/config.schema.json
• router/pkg/config/config_events_nats_test.go
• router/pkg/config/testdata/config_full.json
• router/pkg/pubsub/nats/provider_builder.go
• router/pkg/pubsub/nats/provider_builder_test.go

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@router-tests/events/nats_tls_test.go`:
- Around line 223-244: Start the client.Run() goroutine and immediately register
cleanup to ensure the websocket/goroutine is always stopped: after creating
clientErrCh and launching go func() { clientErrCh <- client.Run() }(), call
t.Cleanup (or defer in scope) to call client.Close() and wait for clientErrCh so
the goroutine is closed even if earlier require.* assertions fail; reference
client.Run(), client.Close(), clientErrCh and resultCh when adding the cleanup
to guarantee proper teardown in all test failure paths.
- Around line 345-370: The test currently sets both a tls:// URL and an explicit
TLS config (routerTLS), so it cannot prove scheme-only behavior; update the test
in the "router uses TLS when URL scheme is tls://" block to pass a nil TLS
config to tlsNATSEventSources (remove or set routerTLS to nil) so the router
must rely on the tls:// scheme alone to enable TLS; keep using tlsSchemeURL
(returned by srv.ClientURL()) and the insecure client connect helper
(connectInsecureTLSNATSClient) to allow the self-signed server cert while
ensuring provider_builder.go's scheme handling is actually exercised.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 07c5ff43-3898-4c1a-942e-8d179e0921e6

📥 Commits

Reviewing files that changed from the base of the PR and between 2a69264 and 011df23.

⛔ Files ignored due to path filters (1)

• router-tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• router-tests/events/nats_tls_test.go
• router-tests/go.mod

✅ Files skipped from review due to trivial changes (1)

• router-tests/go.mod

[dkorittki]

fyi I force pushed to rebase the actual change onto main after the original pull request got merged to main.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

router/go.mod (1)

46-46: ⚠️ Potential issue | 🔴 Critical

Critical: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0+ to fix GHSA-9h8m-3fm2-qjrq.

The current version v1.39.0 (and the replace directive at line 191 pinning to v1.28.0) is vulnerable to GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), a PATH hijacking vulnerability on macOS/Darwin. Explicitly pin this dependency to v1.40.0 or later in both the require section and the replace directive. Based on learnings, PR #2668 was meant to address this for the router module, but the vulnerability remains.

🔒 Proposed fix to upgrade OTel SDK

Update the require section:

-	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk v1.40.0

Update the replace directive:

-	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
+	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.40.0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router/go.mod` at line 46, The go.opentelemetry.io/otel/sdk dependency is
pinned to v1.39.0 in the require block and additionally replaced/pinned to
v1.28.0 (via a replace directive), leaving the module vulnerable to
GHSA-9h8m-3fm2-qjrq; update the require line for go.opentelemetry.io/otel/sdk to
v1.40.0 or later and change/remove the replace directive that pins it to v1.28.0
so the module resolves to >= v1.40.0 (ensure the same version is used in both
the require and any replace entries referencing go.opentelemetry.io/otel/sdk).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@router/go.mod`:
- Line 46: The go.opentelemetry.io/otel/sdk dependency is pinned to v1.39.0 in
the require block and additionally replaced/pinned to v1.28.0 (via a replace
directive), leaving the module vulnerable to GHSA-9h8m-3fm2-qjrq; update the
require line for go.opentelemetry.io/otel/sdk to v1.40.0 or later and
change/remove the replace directive that pins it to v1.28.0 so the module
resolves to >= v1.40.0 (ensure the same version is used in both the require and
any replace entries referencing go.opentelemetry.io/otel/sdk).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 42c49a85-9e94-405c-a856-f43545650b61

📥 Commits

Reviewing files that changed from the base of the PR and between 011df23 and 5f3bbad.

⛔ Files ignored due to path filters (1)

• router/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• router/go.mod

[coderabbitai]

♻️ Duplicate comments (1)

router-tests/events/nats_tls_test.go (1)

277-283: ⚠️ Potential issue | 🟡 Minor

This case still doesn't isolate tls:// handling.

Because this subtest passes a non-nil NatsTLSConfiguration, it can still succeed even if the router ignores the tls:// scheme and enables TLS only from the explicit config. Either make the scheme the only TLS signal here, or rename the case so it doesn't claim scheme-only coverage.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router-tests/events/nats_tls_test.go` around lines 277 - 283, The test
currently supplies a non-nil NatsTLSConfiguration (routerTLS) which lets TLS
succeed via explicit config, so change the test to truly exercise scheme-only
TLS: remove or set nil the routerTLS passed into ModifyEventsConfiguration (stop
calling tlsNATSEventSourceConfig with a non-nil NatsTLSConfiguration) and rely
solely on the tls:// scheme in tlsSchemeURL, or alternatively rename the subtest
to indicate it verifies explicit-config+scheme rather than scheme-only; update
references to routerTLS, tlsNATSEventSourceConfig, and
ModifyEventsConfiguration/EventsConfiguration accordingly so the test either
uses only the scheme as the TLS signal or the name reflects the actual behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@router-tests/events/nats_tls_test.go`:
- Around line 277-283: The test currently supplies a non-nil
NatsTLSConfiguration (routerTLS) which lets TLS succeed via explicit config, so
change the test to truly exercise scheme-only TLS: remove or set nil the
routerTLS passed into ModifyEventsConfiguration (stop calling
tlsNATSEventSourceConfig with a non-nil NatsTLSConfiguration) and rely solely on
the tls:// scheme in tlsSchemeURL, or alternatively rename the subtest to
indicate it verifies explicit-config+scheme rather than scheme-only; update
references to routerTLS, tlsNATSEventSourceConfig, and
ModifyEventsConfiguration/EventsConfiguration accordingly so the test either
uses only the scheme as the TLS signal or the name reflects the actual behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 23b47638-6f2b-4589-8f4e-37fbcba51f63

📥 Commits

Reviewing files that changed from the base of the PR and between 5f3bbad and b39c03d.

📒 Files selected for processing (2)

• router-tests/events/helpers_test.go
• router-tests/events/nats_tls_test.go

[SkArchon]

Changes look ok in general, few questions

[SkArchon]

Do you think we should have a example test where the nats server upgrades the client, when tls is not expected from the client?

[SkArchon]

Also are we addressing the tls: {} case in this PR? IIRC we wanted to block it?

[SkArchon]

Maybe some failure cases when cert is invalid / mismatching?

[SkArchon]

We are closing twice I think with line 141?

[SkArchon]

I dunno if this is possible, but do u think its a potential "false positive", because this is also called for the "url test"?