[OPIK-5206] [BE] feat: consume EM opikVersion for workspace version determination

[andrescrz]

Details

Consume the opikVersion field from the EM auth response and propagate it through the auth cache and RequestContext to the workspace version service. This implements the auth one-way V2 gate: when EM indicates version_2, always return V2 regardless of entity state (prevents V2→V1 demotion). Defensive design — gracefully degrades when EM doesn't provide the field (null falls through to entity check).

• Auth pipeline: added opikVersion to AuthResponse, ValidatedAuthCredentials, AuthCredentials, Redis cache, and RequestContext
• Workspace version: getWorkspaceVersion receives authSuggestedVersion as parameter; computeVersion checks for one-way V2 gate; auth-aware fallback on DB failure
• Refactored CacheService.cache() to accept AuthCredentials record instead of individual args
• RemoteAuthService: factory methods for clean mapping, setCredentialIntoContext encapsulates all context writes
• OpikVersion.findByValue now case-insensitive (defensive hardening)

Change checklist

• User facing
• Documentation update

Issues

• OPIK-5206

AI-WATERMARK

AI-WATERMARK: yes

• If yes:
  • Tools: Claude Code
  • Model(s): Claude Opus 4.6
  • Scope: Implementation, test coverage, PR description
  • Human verification: Yes — iterative code review, manual test runs, design decisions

Testing

Commands run:

• mvn test -pl . -Dtest="RemoteAuthServiceTest" — 17 tests, all pass
• mvn test -pl . -Dtest="AuthCredentialsCacheServiceTest" — 12 tests, all pass
• mvn test -pl . -Dtest="RemoteAuthServiceTest,AuthCredentialsCacheServiceTest,AuthServiceImplTest" — 32 tests, all pass

Scenarios validated:

• Cache round-trip: opikVersion null/V1/V2 stored and retrieved from Redis with full equality assertion
• API key auth: opikVersion propagation from EM response to RequestContext (null, V1, V2 × header/query param workspace)
• Session token auth: same propagation + default workspace rejection + missing workspace + error responses (401, 403, 500)
• Cache miss/hit integration: toAuthCredentials() → from(AuthCredentials) preserves all fields via mock CacheService with ArgumentCaptor
• E2E workspace version: auth one-way V2 gate (auth=V2 + V1 entities → V2), auth=V1 not a gate, auth=null defensive
• Regression: existing feature flag, entity check, cache TTL, and unauth tests unchanged and passing

Documentation

No documentation updates required — internal API change, no user-facing API changes.

[github-actions]

TS SDK E2E Tests - Node 22

275 tests  ±0   273 ✅ ±0   16m 0s ⏱️ - 1m 35s
 32 suites ±0     2 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 50adc38. ± Comparison against base commit acc2fb4.

♻️ This comment has been updated with latest results.

[thiagohora]

Well done. Left two low-severity comments, but they are not blockers.

[thiagohora]

[Low] No test covers a cache hit where the Redis map is missing the opikVersion key entirely (i.e. entries written before this PR). m.get(OPIK_VERSION_KEY) returns null in that case, which findByValue handles correctly — but a regression test would lock this behavior in and prevent silent breakage if the read path changes.

[andrescrz]

Already covered — testCacheAndRetrieveOpikVersion(null) tests the opikVersion=null round-trip, which exercises the same findByValue → Optional.empty() → null code path. The only difference with a pre-PR entry is the input to findByValue (null vs ""), but both are non-matching values that produce the same result. Testing the missing-key case specifically would require direct Redis writes (not black box).

🤖 Reply posted via /address-github-pr-comments