feat(passkeys): Split the feature flag for passkeys

[vpomerleau]

Because

• Allow testing registration separately from authentication

This pull request

• Adds registrationEnabled and authenticationEnabled flags and uses the existing flag as a master switch

Issue that this pull request solves

Closes: FXA-13398

Checklist

Put an x in the boxes that apply

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate).
• I have manually reviewed all AI generated code.

How to review (Optional)

• Key files/areas to focus on:
• Suggested review order:
• Risky or complex parts:

Screenshots (Optional)

Please attach the screenshots of the changes made in case of change in user interface.

Other information (Optional)

Any other information that is important to this pull request.

[MagentaManifold]

LGTM. Thanks! (pinged Copilot just in case it catches anything; feel free to ignore)

[Copilot]

Pull request overview

This PR splits the passkeys feature gating into separate “registration/management” and “authentication” flags so registration can be tested independently from sign-in, while retaining a master enable switch where applicable.

Changes:

• Replaces the single settings/content-server featureFlags.passkeysEnabled flag with passkeyRegistrationEnabled and passkeyAuthenticationEnabled.
• Adds passkeys.registrationEnabled and passkeys.authenticationEnabled to fxa-auth-server config, with passkeys.enabled as a master switch.
• Updates relevant unit/integration tests and dev config to set the new flags.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
packages/fxa-settings/src/lib/config.ts	Updates settings client config typing to the new passkey feature flags.
packages/fxa-settings/src/lib/config.test.ts	Updates/extends settings config parsing tests for the new flags.
packages/fxa-content-server/server/lib/routes/react-app/route-definition-index.js	Passes the new passkey feature flags through to the React app config payload.
packages/fxa-content-server/server/lib/configuration.js	Defines new convict feature-flag env vars for passkey registration vs authentication.
packages/fxa-content-server/server/lib/beta-settings.js	Exposes the new passkey feature flags via beta settings output.
packages/fxa-auth-server/test/remote/passkeys.in.spec.ts	Updates remote test config to include new passkeys sub-flags.
packages/fxa-auth-server/lib/routes/passkeys.ts	Switches passkey registration routes to check the new registration-enabled gate.
packages/fxa-auth-server/lib/routes/passkeys.spec.ts	Updates route tests to align with the new registration flag.
packages/fxa-auth-server/lib/passkey-utils.ts	Adds helper checks for registration-enabled and authentication-enabled gating.
packages/fxa-auth-server/lib/passkey-utils.spec.ts	Adds coverage for the new helper checks.
packages/fxa-auth-server/config/index.ts	Adds new passkeys sub-flags to the auth-server convict schema.
packages/fxa-auth-server/config/dev.json	Enables the new passkeys sub-flags in dev config.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[vpomerleau]

@MagentaManifold I made a few changes based on the Copilot review since it flagged some inconsistencies. One intent to review here is that as long as the feature is generally enabled, management routes (list, delete) will be available even if we turn off adding new passkeys or sign-in with passkey. We had done something similar with recovery phone.