chore: add e2e tests for security propagation during join

[Daryna-del]

What/Why/How?

Added e2e tests for security propagation during join

Reference

#1409

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

Medium Risk
Join output affects how merged OpenAPI describes authentication; wrong propagation could misstate required security, though this PR is primarily tests and a changeset note.

Overview
Documents a patch for @redocly/cli where join copies each source API’s root security onto operations that omit their own security, instead of dropping that inheritance when merging specs.

Adds two e2e scenarios under tests/e2e/join/: root-security-in-both-specs (Foo oauth2 and Bar bearerAuth at the root; joined output expects per-operation security on getProducts and getPets) and root-security-without-paths (one input has root security but empty paths; snapshot locks join behavior for the other file’s operations). Both are wired into the existing snapshot-based join test matrix.

^{Reviewed by Cursor Bugbot for commit 4b8bca5. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 4b8bca5

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@redocly/cli	Patch
@redocly/openapi-core	Patch
@redocly/respect-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

CLI Version	Mean Time ± Std Dev (s)	Relative Performance (Lower is Faster)
cli-latest	1.903s ± 0.028s	▓ 1.00x (Fastest)
cli-next	1.918s ± 0.039s	▓ 1.01x

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	81.05% (🎯 80%)	7301 / 9007
🔵	Statements	80.4% (🎯 80%)	7585 / 9433
🔵	Functions	84.08% (🎯 83%)	1463 / 1740
🔵	Branches	72.55% (🎯 72%)	4939 / 6807

File Coverage

No changed files found.

Generated in workflow #9997 for commit 4b8bca5 by the Vitest Coverage Report Action

[Daryna-del]

@cursor review

[Daryna-del]

@cursor review

[Daryna-del]

@cursor review

[tatomyr]

Please also address the bugbot comments.

[tatomyr]

Let's remove comments.

[Daryna-del]

Fixed

[tatomyr]

Why the previous solution was not working? I see it refers to the root security already.

[Daryna-del]

Yeah, good point. Previous solution was working for each case, except when we have paths: {} and security on root level. Simplified the solution to cover this case, please, review one more time.

[tatomyr]

Suggested change

	description: Bad request
	description: Bad request

Let's add a newline on file endings.

[Daryna-del]

Added to each file

[tatomyr]

Let's add only essential fields and remove others.

[Daryna-del]

Removed

[tatomyr]

It's bad practice to use verbs in paths (especially mixing post and get), so I'm against using it in our examples.

[Daryna-del]

Updated

[tatomyr]

If I'm getting it correctly, this path comes from an API description that doesn't have security defined on it; so how it got the security requirement from another description?

[Daryna-del]

Yes, you are right, updated tests

[tatomyr]

These names are hard to follow. Please use something more meaningful.

[Daryna-del]

Updated

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit ab620eb. Configure here.}