chore: add e2e tests for security propagation during join

[Daryna-del]

What/Why/How?

Added e2e tests for security propagation during join

Reference

#1409

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

Low Risk
Only new e2e fixtures and snapshots; no production join or security logic is modified in this diff.

Overview
Adds join e2e coverage for how root-level security behaves when merging OpenAPI specs, tied to #1409.

Two new parameterized cases are registered in join.test.ts: root-security-in-both-specs (each input has its own root security and paths) and root-security-without-paths (one spec has root security but empty paths). Each case includes foo.yaml / bar.yaml fixtures and a snapshot.txt golden output from the CLI join command.

The snapshots document expected behavior: per-operation security is applied from each source’s root requirement (e.g. oauth2 vs bearerAuth), components.securitySchemes are merged, and root security is not left on the merged document when operations carry the effective requirements.

^{Reviewed by Cursor Bugbot for commit 525a38c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 525a38c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

Performance Benchmark (Lower is Faster)

CLI Version	Bundle	Lint	Check Config
cli-latest	▓ 1.00x ± 0.01	▓ 1.00x (Fastest)	▓ 1.03x ± 0.01
cli-next	▓ 1.00x (Fastest)	▓ 1.01x ± 0.01	▓ 1.00x (Fastest)

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	81.04% (🎯 80%)	7246 / 8941
🔵	Statements	80.39% (🎯 80%)	7528 / 9364
🔵	Functions	84.22% (🎯 83%)	1458 / 1731
🔵	Branches	72.63% (🎯 72%)	4899 / 6745

File Coverage

No changed files found.

Generated in workflow #10045 for commit 525a38c by the Vitest Coverage Report Action

[Daryna-del]

@cursor review

[Daryna-del]

@cursor review

[Daryna-del]

@cursor review

[tatomyr]

Please also address the bugbot comments.

[tatomyr]

Let's remove comments.

[Daryna-del]

Fixed

[tatomyr]

Why the previous solution was not working? I see it refers to the root security already.

[Daryna-del]

Yeah, good point. Previous solution was working for each case, except when we have paths: {} and security on root level. Simplified the solution to cover this case, please, review one more time.

[tatomyr]

Suggested change

	description: Bad request
	description: Bad request

Let's add a newline on file endings.

[Daryna-del]

Added to each file

[tatomyr]

Let's add only essential fields and remove others.

[Daryna-del]

Removed

[tatomyr]

It's bad practice to use verbs in paths (especially mixing post and get), so I'm against using it in our examples.

[Daryna-del]

Updated

[tatomyr]

If I'm getting it correctly, this path comes from an API description that doesn't have security defined on it; so how it got the security requirement from another description?

[Daryna-del]

Yes, you are right, updated tests

[tatomyr]

These names are hard to follow. Please use something more meaningful.

[Daryna-del]

Updated

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ab620eb. Configure here.}