Handle credential update token responses

[AnthonyRonning]

Summary

• Persists replacement access/refresh tokens returned by password change and guest conversion responses.
• Keeps those response token fields optional so the SDK remains compatible with the current server's message-only responses.
• Updates focused TS/Rust tests and model defaults used by integration coverage.

Verification

• TypeScript focused compatibility test against current master server:
  • guest change password keeps authenticated token state
  • temporary guest conversion compatibility check
• Rust focused compatibility test against current master server:
  • test_guest_change_password_keeps_authenticated_token_state
• Existing SDK build/check work from branch validation.

Rollout Notes

• This SDK/client update can ship before the AEAD backend cutover.
• Current backend responses still work because replacement token fields are optional.
• After backend cutover, the same clients will persist replacement tokens returned from credential update flows.

Summary by CodeRabbit

• Bug Fixes

  • Password changes now preserve and update authentication tokens (stores returned access/refresh tokens and reuses existing refresh token when only an access token is returned) so you stay logged in after changing your password.

• Removed Features

  • Guest-to-user/email account conversion removed from public APIs, context, UI, and docs.

• Documentation

  • README license added; AI guides and guest account docs updated with new model defaults and guest-as-permanent guidance.

• Tests / CI

  • Tests made model-configurable via env vars; CI test timeout increased.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Removes guest-to-user conversion APIs, adds a CredentialUpdateResponse and token persistence on change-password, parameterizes AI model selection in tests via env vars, updates integration polling/timeouts, and refreshes related docs and examples.

Changes

Guest-to-User Account Conversion Removal & Password Change Token Persistence

Layer / File(s)	Summary
Auth contracts and runtime API updates rust/src/types.rs, rust/src/client.rs, src/lib/api.ts, src/lib/main.tsx, README.md	Adds CredentialUpdateResponse and token storage helpers; updates Rust and TypeScript change-password implementations to parse credential responses and persist tokens; removes exported guest-conversion functions and their React context wiring; updates README method list and license section.
Auth validation tests and harness rust/tests/account_management.rs, rust/src/client.rs tests, src/lib/test/integration/api.test.ts	Adds/updates tests and test-env helpers to validate guest password-change behavior and refresh-token preservation; removes guest-conversion tests and references.
Docs and API type cleanup website/api/type-aliases/OpenSecretContextType.md, website/docs/api/type-aliases/OpenSecretContextType.md, website/docs/guides/guest-accounts.md	Removes convertGuestToUserAccount from API docs, rewords signUpGuest to state guest accounts are long-lived without email recovery, and removes conversion UI/examples in guest guide.

Configurable AI Model Selection Infrastructure

Layer / File(s)	Summary
Rust model helpers and usage rust/tests/ai_integration.rs, rust/tests/api_keys.rs	Introduce env-driven helpers for chat/reasoning/embedding models and embedding dimensionality; apply them across Rust AI tests and API-key streaming tests.
TypeScript model constants and integration updates src/lib/test/integration/ai.test.ts, src/lib/test/integration/api.test.ts, src/lib/test/integration/apiKeys.test.ts	Introduce CHAT_MODEL/TTS_MODEL env constants, apply them across chat, Responses API, TTS, and API-key streaming tests; add response polling to wait for terminal status; import/use changePassword in integration flow tests.
AI guide and Maple AI docs refresh website/docs/guides/ai-integration.md, website/docs/guides/document-upload.md, website/docs/maple-ai/index.md	Replace hardcoded llama3-3-70b examples with gpt-oss-120b, refresh Available Models lists, and update related example snippets.
CI and package test timeout .github/workflows/test.yml, package.json	Set explicit Bun test timeout in workflow and package.json test script.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

• OpenSecretCloud/OpenSecret-SDK#64: Overlapping documentation updates for Maple AI examples and model lists.
• OpenSecretCloud/OpenSecret-SDK#70: Related Rust SDK token/auth handling changes that intersect with password-change token behavior.

Poem

🐰 I hopped through docs and code today,
I tucked the convert button away,
Password changes now keep tokens tight,
Models learned envs and tests take flight.
A tiny test hop—SDK sleeps well tonight.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Handle credential update token responses' directly describes the main technical change: adding support for persisting access/refresh tokens returned by credential update operations (password change and guest conversion endpoints).
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch aead-aad-auth-binding-compat

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cloudflare-workers-and-pages]

Deploying opensecret-sdk with    Cloudflare Pages

Latest commit:	cd0cce9
Status:	✅  Deploy successful!
Preview URL:	https://8b6b7b0d.opensecret-sdk.pages.dev
Branch Preview URL:	https://aead-aad-auth-binding-compat.opensecret-sdk.pages.dev

View logs

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

website/docs/api/type-aliases/OpenSecretContextType.md (1)

908-916: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Clarify password change/recovery limitations after guest-conversion removal.

Line 908 now states the account has "no email recovery," which aligns with the removal of guest-conversion APIs. However, line 916 says the password "cannot be changed or recovered without adding email address," which may mislead users into believing they can add an email when the conversion feature has been removed.

Consider revising line 916 to remove the implication that adding an email is possible, or clarify the recovery path if one still exists outside the removed convertGuestToUserAccount method.

📝 Suggested rewording

If adding email is no longer possible:

-User's chosen password, cannot be changed or recovered without adding email address.
+User's chosen password. Cannot be changed or recovered without an email address.

Or more explicitly:

-User's chosen password, cannot be changed or recovered without adding email address.
+User's chosen password. Cannot be changed or recovered since this account has no email.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@website/docs/api/type-aliases/OpenSecretContextType.md` around lines 908 -
916, Update the documentation for the "Creates a new long-lived guest account"
entry in OpenSecretContextType to remove any implication that a guest can later
"add an email" to change or recover the password; specifically revise the
password parameter description (the text currently saying "cannot be changed or
recovered without adding email address") to a definitive statement that password
change/recovery is not available for guest accounts (or state the exact
alternative recovery path if one still exists) so readers aren’t misled by
references to the removed convertGuestToUserAccount flow.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@website/docs/api/type-aliases/OpenSecretContextType.md`:
- Around line 908-916: Update the documentation for the "Creates a new
long-lived guest account" entry in OpenSecretContextType to remove any
implication that a guest can later "add an email" to change or recover the
password; specifically revise the password parameter description (the text
currently saying "cannot be changed or recovered without adding email address")
to a definitive statement that password change/recovery is not available for
guest accounts (or state the exact alternative recovery path if one still
exists) so readers aren’t misled by references to the removed
convertGuestToUserAccount flow.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 74bffbfd-e226-4116-b7fb-8b987d4c0e96

📥 Commits

Reviewing files that changed from the base of the PR and between ce28e55 and 9626c74.

📒 Files selected for processing (9)

• .github/workflows/test.yml
• package.json
• rust/src/client.rs
• rust/tests/ai_integration.rs
• src/lib/main.tsx
• src/lib/test/integration/ai.test.ts
• website/api/type-aliases/OpenSecretContextType.md
• website/docs/api/type-aliases/OpenSecretContextType.md
• website/docs/guides/guest-accounts.md

✅ Files skipped from review due to trivial changes (2)

• package.json
• .github/workflows/test.yml

🚧 Files skipped from review as they are similar to previous changes (6)

• website/api/type-aliases/OpenSecretContextType.md
• rust/tests/ai_integration.rs
• rust/src/client.rs
• website/docs/guides/guest-accounts.md
• src/lib/test/integration/ai.test.ts
• src/lib/main.tsx

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/lib/test/integration/ai.test.ts (1)

816-821: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align polling budget with the test timeout.

At Line 816, 34 × 300ms is ~10.2s of wait time before network latency, which can exceed the 10s timeout at Line 854 and fail before the terminal-status checks at Line 825.

Suggested patch

   let retrievedResponse = await fetchResponse(responseId);
   const terminalStatuses = new Set(["completed", "failed", "cancelled"]);
+  const POLL_INTERVAL_MS = 300;
+  const MAX_POLL_ATTEMPTS = 34;
   for (
     let attempt = 0;
-    attempt < 34 && !terminalStatuses.has(retrievedResponse.status);
+    attempt < MAX_POLL_ATTEMPTS && !terminalStatuses.has(retrievedResponse.status);
     attempt++
   ) {
-    await new Promise((resolve) => setTimeout(resolve, 300));
+    await new Promise((resolve) => setTimeout(resolve, POLL_INTERVAL_MS));
     retrievedResponse = await fetchResponse(responseId);
   }
@@
-}, 10000);
+}, 15000);

Also applies to: 825-825, 854-854

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/test/integration/ai.test.ts` around lines 816 - 821, The polling loop
using variables attempt, retrievedResponse, fetchResponse and terminalStatuses
currently does up to 34 attempts with a 300ms sleep (~10.2s) which can exceed
the test timeout; change the polling budget so (attempts × delay) is safely
below the test timeout: either lower the max attempts (e.g., to 30) or reduce
the delay (e.g., to 250ms), or tie the loop limit to the test timeout constant
used at the test-level so the loop cannot wait longer than the test timeout
before checking terminalStatuses and returning.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/lib/test/integration/ai.test.ts`:
- Around line 816-821: The polling loop using variables attempt,
retrievedResponse, fetchResponse and terminalStatuses currently does up to 34
attempts with a 300ms sleep (~10.2s) which can exceed the test timeout; change
the polling budget so (attempts × delay) is safely below the test timeout:
either lower the max attempts (e.g., to 30) or reduce the delay (e.g., to
250ms), or tie the loop limit to the test timeout constant used at the
test-level so the loop cannot wait longer than the test timeout before checking
terminalStatuses and returning.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1c994f51-b232-4dba-be15-e38cd7ebed10

📥 Commits

Reviewing files that changed from the base of the PR and between 9626c74 and e296695.

📒 Files selected for processing (4)

• src/lib/api.ts
• src/lib/main.tsx
• src/lib/test/integration/ai.test.ts
• src/lib/test/integration/api.test.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• src/lib/api.ts
• src/lib/test/integration/api.test.ts
• src/lib/main.tsx