chore(router-tests): bump nats client lib + add router-tests to verify nats tls

[dkorittki]

This adds integration tests to the PR #2749 from @vatsalpatel .

I made a noteworthy design decision for these new tests: Currently nats tests use the nats instance from docker-compose or as defined in CI. In order to test TLS I would have to configure the instance to allow for TLS and worse: require mTLS. To avoid this instead I spawn an in-process nats server configured to require TLS, instead of using the one from docker-compose or CI. This allows developers to keep their plain text connection. Also other nats test focusing on other things don't need to bother with TLS. The newly added tests are the only ones who need to bother with TLS/mTLS.

In order to use a nats in-process server the router-tests go.mod needs a new dependency github.com/nats-io/nats-server/v2 (and nats.go upgraded from v1.35.0 → v1.50.0 as a transitive requirement — this is a backwards-compatible minor version bump). To keep version parity between router and router-tests I updated the router nats dependencies, too.

Summary by CodeRabbit

• Tests

  • Added an end-to-end NATS TLS test validating connectivity and event delivery across TLS, custom-CA verification, mutual TLS, tls:// URL handling, and startup-failure scenarios; includes utilities to generate and use temporary TLS certificates during tests.

• Chores

  • Updated NATS libraries and multiple Go ecosystem dependencies for compatibility and security.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/docs-website.
• I have read the Contributors Guide.

Open Source AI Manifesto

This project follows the principles of the Open Source AI Manifesto. Please ensure your contribution aligns with its principles.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds an end-to-end NATS TLS/mTLS router test (with subscribe→publish→assert flows), TLS certificate generation helpers for tests, and bumps NATS and multiple golang.org/x/* dependency versions in two go.mod files.

Changes

NATS TLS tests and helpers

Layer / File(s)	Summary
Test entry and scenarios router-tests/events/nats_tls_test.go	Adds TestRouterConnectsToNATSWithTLS with subtests covering: server-requires-TLS (InsecureSkipCaVerification), custom-CA verification, mutual-TLS (server verifies client cert), tls:// URL scheme, and two startup-failure cases (no TLS config, wrong CA). Implements end-to-end subscribe→publish→receive assertions for employeeUpdated.
Embedded NATS server & client helpers router-tests/events/nats_tls_test.go	Adds helpers to start an embedded TLS-capable NATS server, build client TLS configs, derive non-TLS URLs, and create test-friendly NATS client connections used by subtests. Ensures readiness checks and t.Cleanup shutdown.
Event wiring and assertion logic router-tests/events/nats_tls_test.go	Adds helper that builds NATS event source configs for demo providers and shared logic to create GraphQL subscription, wait for subscription/trigger counts, publish JSON to NATS subject, and assert received subscription JSON equals expected payload.
TLS cert generation helpers router-tests/events/helpers_test.go	Adds tlsCerts type and generateTLSCerts to create a P-256 ECDSA self-signed CA, sign server (with SANs) and client certs (clientAuth EKU), PEM-encode them, and write per-test temp files. Adds writeTempFile to persist PEM blobs and fail on errors.

Dependency updates

Layer / File(s)	Summary
Router tests module deps router-tests/go.mod	Bumps github.com/nats-io/nats.go → v1.50.0, adds github.com/nats-io/nats-server/v2 v2.12.7, and refreshes several indirects including golang.org/x/*, github.com/nats-io/jwt/v2, github.com/nats-io/nkeys and other indirects.
Router module deps router/go.mod	Bumps github.com/nats-io/nats.go → v1.50.0 and several golang.org/x/* indirects and related dependency version updates; no exported API changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• wundergraph/cosmo#2749: Introduces NATS TLS configuration and option-building codepaths (e.g., NatsTLSConfiguration, TLS on NatsEventSource, buildNatsOptions) that these tests exercise.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 47.83% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: bumping the NATS client library version and adding comprehensive TLS integration tests for NATS in router-tests.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
wundergraphinc	🟢 Ready	View Preview	Apr 22, 2026, 4:02 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[github-actions]

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-9b88a36504b5ac2fed6f6581725da10fde877ff5

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.22%. Comparing base (85b36c1) to head (b5524bc).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2788      +/-   ##
==========================================
+ Coverage   66.16%   66.22%   +0.06%     
==========================================
  Files         256      256              
  Lines       26956    26968      +12     
==========================================
+ Hits        17835    17860      +25     
+ Misses       7712     7702      -10     
+ Partials     1409     1406       -3     

see 3 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

router-tests/go.mod (1)

35-36: ⚠️ Potential issue | 🟠 Major

Pin go.opentelemetry.io/otel/sdk to v1.40.0 or later in this module.

Lines 35 and 209 currently pin vulnerable versions (v1.39.0 and v1.28.0 replacement) of go.opentelemetry.io/otel/sdk. The module includes google.golang.org/grpc v1.79.3 at line 43, which transitively requires the patched version to address the PATH hijacking vulnerability (GHSA-9h8m-3fm2-qjrq / CVE-2026-24051).

🔧 Suggested change

-	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk v1.40.0
...
-	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
+	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.40.0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router-tests/go.mod` around lines 35 - 36, Update the pinned opentelemetry
SDK to a patched version: change all occurrences that pin
go.opentelemetry.io/otel/sdk (including the direct require at the top-level and
any replace entries) from v1.39.0 or v1.28.0 to v1.40.0 or later; specifically
update the require line(s) and any replace directive referencing
go.opentelemetry.io/otel/sdk to use v1.40.0+ and run `go mod tidy` to ensure the
module graph is consistent.

🧹 Nitpick comments (1)

router/pkg/pubsub/nats/provider_builder_test.go (1)

276-312: Consider adding KeyUsage to client certificate for consistency.

The unit test certificate helper omits KeyUsage and ExtKeyUsage on the client certificate, while the integration test (nats_tls_test.go) correctly sets KeyUsage: x509.KeyUsageDigitalSignature and ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}. While this doesn't affect these unit tests (they only inspect options, not actual TLS handshakes), aligning the helpers would improve consistency.

♻️ Optional: Add KeyUsage to client certificate

 	clientTemplate := &x509.Certificate{
 		SerialNumber: big.NewInt(2),
 		Subject:      pkix.Name{CommonName: "test-client"},
 		NotBefore:    time.Now().Add(-time.Hour),
 		NotAfter:     time.Now().Add(time.Hour),
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router/pkg/pubsub/nats/provider_builder_test.go` around lines 276 - 312, The
client cert created in generateTestCerts lacks KeyUsage/ExtKeyUsage; update the
clientTemplate in generateTestCerts to set KeyUsage:
x509.KeyUsageDigitalSignature and ExtKeyUsage:
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} (matching the nats_tls_test.go
integration helper) so the generated client certificate includes the proper
usages for client auth.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@router-tests/go.mod`:
- Around line 35-36: Update the pinned opentelemetry SDK to a patched version:
change all occurrences that pin go.opentelemetry.io/otel/sdk (including the
direct require at the top-level and any replace entries) from v1.39.0 or v1.28.0
to v1.40.0 or later; specifically update the require line(s) and any replace
directive referencing go.opentelemetry.io/otel/sdk to use v1.40.0+ and run `go
mod tidy` to ensure the module graph is consistent.

---

Nitpick comments:
In `@router/pkg/pubsub/nats/provider_builder_test.go`:
- Around line 276-312: The client cert created in generateTestCerts lacks
KeyUsage/ExtKeyUsage; update the clientTemplate in generateTestCerts to set
KeyUsage: x509.KeyUsageDigitalSignature and ExtKeyUsage:
[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth} (matching the nats_tls_test.go
integration helper) so the generated client certificate includes the proper
usages for client auth.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ecf47630-b184-49c4-9242-4cfb21e795c2

📥 Commits

Reviewing files that changed from the base of the PR and between b712757 and 2a69264.

⛔ Files ignored due to path filters (1)

• router-tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• docs-website/router/configuration.mdx
• router-tests/events/nats_tls_test.go
• router-tests/go.mod
• router/pkg/config/config.go
• router/pkg/config/config.schema.json
• router/pkg/config/config_events_nats_test.go
• router/pkg/config/testdata/config_full.json
• router/pkg/pubsub/nats/provider_builder.go
• router/pkg/pubsub/nats/provider_builder_test.go

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@router-tests/events/nats_tls_test.go`:
- Around line 223-244: Start the client.Run() goroutine and immediately register
cleanup to ensure the websocket/goroutine is always stopped: after creating
clientErrCh and launching go func() { clientErrCh <- client.Run() }(), call
t.Cleanup (or defer in scope) to call client.Close() and wait for clientErrCh so
the goroutine is closed even if earlier require.* assertions fail; reference
client.Run(), client.Close(), clientErrCh and resultCh when adding the cleanup
to guarantee proper teardown in all test failure paths.
- Around line 345-370: The test currently sets both a tls:// URL and an explicit
TLS config (routerTLS), so it cannot prove scheme-only behavior; update the test
in the "router uses TLS when URL scheme is tls://" block to pass a nil TLS
config to tlsNATSEventSources (remove or set routerTLS to nil) so the router
must rely on the tls:// scheme alone to enable TLS; keep using tlsSchemeURL
(returned by srv.ClientURL()) and the insecure client connect helper
(connectInsecureTLSNATSClient) to allow the self-signed server cert while
ensuring provider_builder.go's scheme handling is actually exercised.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 07c5ff43-3898-4c1a-942e-8d179e0921e6

📥 Commits

Reviewing files that changed from the base of the PR and between 2a69264 and 011df23.

⛔ Files ignored due to path filters (1)

• router-tests/go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• router-tests/events/nats_tls_test.go
• router-tests/go.mod

✅ Files skipped from review due to trivial changes (1)

• router-tests/go.mod

[dkorittki]

fyi I force pushed to rebase the actual change onto main after the original pull request got merged to main.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

router/go.mod (1)

46-46: ⚠️ Potential issue | 🔴 Critical

Critical: Upgrade go.opentelemetry.io/otel/sdk to v1.40.0+ to fix GHSA-9h8m-3fm2-qjrq.

The current version v1.39.0 (and the replace directive at line 191 pinning to v1.28.0) is vulnerable to GHSA-9h8m-3fm2-qjrq (CVE-2026-24051), a PATH hijacking vulnerability on macOS/Darwin. Explicitly pin this dependency to v1.40.0 or later in both the require section and the replace directive. Based on learnings, PR #2668 was meant to address this for the router module, but the vulnerability remains.

🔒 Proposed fix to upgrade OTel SDK

Update the require section:

-	go.opentelemetry.io/otel/sdk v1.39.0
+	go.opentelemetry.io/otel/sdk v1.40.0

Update the replace directive:

-	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.28.0
+	go.opentelemetry.io/otel/sdk => go.opentelemetry.io/otel/sdk v1.40.0

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router/go.mod` at line 46, The go.opentelemetry.io/otel/sdk dependency is
pinned to v1.39.0 in the require block and additionally replaced/pinned to
v1.28.0 (via a replace directive), leaving the module vulnerable to
GHSA-9h8m-3fm2-qjrq; update the require line for go.opentelemetry.io/otel/sdk to
v1.40.0 or later and change/remove the replace directive that pins it to v1.28.0
so the module resolves to >= v1.40.0 (ensure the same version is used in both
the require and any replace entries referencing go.opentelemetry.io/otel/sdk).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@router/go.mod`:
- Line 46: The go.opentelemetry.io/otel/sdk dependency is pinned to v1.39.0 in
the require block and additionally replaced/pinned to v1.28.0 (via a replace
directive), leaving the module vulnerable to GHSA-9h8m-3fm2-qjrq; update the
require line for go.opentelemetry.io/otel/sdk to v1.40.0 or later and
change/remove the replace directive that pins it to v1.28.0 so the module
resolves to >= v1.40.0 (ensure the same version is used in both the require and
any replace entries referencing go.opentelemetry.io/otel/sdk).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 42c49a85-9e94-405c-a856-f43545650b61

📥 Commits

Reviewing files that changed from the base of the PR and between 011df23 and 5f3bbad.

⛔ Files ignored due to path filters (1)

• router/go.sum is excluded by !**/*.sum

📒 Files selected for processing (1)

• router/go.mod

[coderabbitai]

♻️ Duplicate comments (1)

router-tests/events/nats_tls_test.go (1)

277-283: ⚠️ Potential issue | 🟡 Minor

This case still doesn't isolate tls:// handling.

Because this subtest passes a non-nil NatsTLSConfiguration, it can still succeed even if the router ignores the tls:// scheme and enables TLS only from the explicit config. Either make the scheme the only TLS signal here, or rename the case so it doesn't claim scheme-only coverage.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@router-tests/events/nats_tls_test.go` around lines 277 - 283, The test
currently supplies a non-nil NatsTLSConfiguration (routerTLS) which lets TLS
succeed via explicit config, so change the test to truly exercise scheme-only
TLS: remove or set nil the routerTLS passed into ModifyEventsConfiguration (stop
calling tlsNATSEventSourceConfig with a non-nil NatsTLSConfiguration) and rely
solely on the tls:// scheme in tlsSchemeURL, or alternatively rename the subtest
to indicate it verifies explicit-config+scheme rather than scheme-only; update
references to routerTLS, tlsNATSEventSourceConfig, and
ModifyEventsConfiguration/EventsConfiguration accordingly so the test either
uses only the scheme as the TLS signal or the name reflects the actual behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@router-tests/events/nats_tls_test.go`:
- Around line 277-283: The test currently supplies a non-nil
NatsTLSConfiguration (routerTLS) which lets TLS succeed via explicit config, so
change the test to truly exercise scheme-only TLS: remove or set nil the
routerTLS passed into ModifyEventsConfiguration (stop calling
tlsNATSEventSourceConfig with a non-nil NatsTLSConfiguration) and rely solely on
the tls:// scheme in tlsSchemeURL, or alternatively rename the subtest to
indicate it verifies explicit-config+scheme rather than scheme-only; update
references to routerTLS, tlsNATSEventSourceConfig, and
ModifyEventsConfiguration/EventsConfiguration accordingly so the test either
uses only the scheme as the TLS signal or the name reflects the actual behavior.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 23b47638-6f2b-4589-8f4e-37fbcba51f63

📥 Commits

Reviewing files that changed from the base of the PR and between 5f3bbad and b39c03d.

📒 Files selected for processing (2)

• router-tests/events/helpers_test.go
• router-tests/events/nats_tls_test.go

[SkArchon]

Changes look ok in general, few questions

[SkArchon]

lgtm