feat(davinci-client): add fido2 collectors

[ancheetah]

JIRA Ticket

https://pingidentity.atlassian.net/browse/SDKS-4372

Description

Adds FIDO2 registration and authentication collectors and unit tests

TODO: changeset?

Summary by CodeRabbit

• New Features

  • FIDO2/WebAuthn support: new registration/authentication field types, credential option shapes, and form-submit handling; Protect field handling refined.

• Bug Fixes

  • Update/validation flows broadened to accept new object-valued auto-collectors (FIDO2); validation nullability standardized and error messages made more generic.

• Tests

  • New and extended tests covering FIDO2 collectors, auto-collector utilities, and validator/update behaviors.

[changeset-bot]

🦋 Changeset detected

Latest commit: 1a29b13

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 11 packages

Name	Type
@forgerock/davinci-client	Minor
@forgerock/journey-client	Minor
@forgerock/oidc-client	Minor
@forgerock/protect	Minor
@forgerock/sdk-types	Minor
@forgerock/sdk-utilities	Minor
@forgerock/iframe-manager	Minor
@forgerock/sdk-logger	Minor
@forgerock/sdk-oidc	Minor
@forgerock/sdk-request-middleware	Minor
@forgerock/storage	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[coderabbitai]

Walkthrough

Adds FIDO2 (WebAuthn) collectors, input/value types, and factory helpers; expands AutoCollector unions and inference; makes validation.input nullable; extends update/validate flows and runtime reducer handling to accept FIDO2 object-value collectors; updates utilities, types, and tests across the davinci-client package. (34 words)

Changes

Cohort / File(s)	Summary
Store & validation packages/davinci-client/src/lib/client.store.ts	update/validate signatures widened to accept AutoCollectors (including ObjectValueAutoCollector and FIDO collectors); updater value union now includes FidoRegistrationInputValue and FidoAuthenticationInputValue; error messages generalized.
Collector types packages/davinci-client/src/lib/collector.types.ts	Added FidoRegistrationInputValue, FidoAuthenticationInputValue; added FidoRegistrationCollector, FidoAuthenticationCollector, ObjectValueAutoCollector; split auto-collector type aliases; changed many .input.validation fields to `ValidationRequired[]
Collector utils & factories packages/davinci-client/src/lib/collector.utils.ts	returnAutoCollector renamed→returnSingleValueAutoCollector (removed data param); added returnObjectValueAutoCollector, returnFido2RegistrationCollector, returnFido2AuthenticationCollector; returnProtectCollector simplified; returnValidator widened to accept AutoCollectors and return Record<string, unknown>.
Field / public form types packages/davinci-client/src/lib/davinci.types.ts	Added FidoRegistrationOptions / FidoAuthenticationOptions and FidoRegistrationField / FidoAuthenticationField; included these fields in SingleValueFields.
Transform / submit typing packages/davinci-client/src/lib/davinci.utils.ts	transformSubmitRequest formData union extended to include FidoRegistrationInputValue and FidoAuthenticationInputValue.
Reducer (node) & runtime flow packages/davinci-client/src/lib/node.reducer.ts	node/next creates FIDO collectors (registration/authentication); node/update validates and assigns FidoRegistrationInputValue / FidoAuthenticationInputValue; Protect collector handling adjusted to new helper signatures; initial collector unions extended.
Tests & type tests packages/davinci-client/src/lib/collector.utils.test.ts, packages/davinci-client/src/lib/node.reducer.test.ts, packages/davinci-client/src/lib/collector.types.test-d.ts, packages/davinci-client/src/lib/node.types.test-d.ts	Added tests for single-value (Protect) and object-value (FIDO) auto-collector paths; updated inputs to include validation: null where applicable; added type-test exports for new collectors and field types.
Package metadata & changeset .changeset/tired-melons-wish.md, packages/journey-client/package.json	New changeset describing minor release with FIDO2 collectors; bumped vite dev tooling in packages/journey-client.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant UI as Form UI
  participant Reducer as node.reducer
  participant Utils as collector.utils
  participant Store as client.store

  Note over UI,Reducer: node/next constructs collectors (includes FIDO collectors)
  UI->>Reducer: node/next (fields incl. FIDO)
  Reducer->>Utils: returnFidoRegistrationCollector / returnFidoAuthenticationCollector
  Utils-->>Reducer: ObjectValueAutoCollector / SingleValueAutoCollector
  Reducer-->>UI: state updated with collectors

  Note over User,UI: User performs WebAuthn (attestation/assertion)
  User->>UI: FIDO response
  UI->>Reducer: node/update (collectorId, value)
  Reducer->>Store: validate(collector: AutoCollectors)
  Store-->>Reducer: validation result
  alt validation ok
    Reducer->>Reducer: assign FIDO input value to collector.input.value
    Reducer-->>UI: updated state/result
  else validation error
    Store-->>UI: validation error
  end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• fix(davinci-client): add validation props to collectors #413 — overlaps expansion of collector unions, validation/update logic, and collector utils (object-value / FIDO pathways).

Suggested reviewers

• cerebrl
• ryanbas21

Poem

"I hopped through code at morning dew,
Wove WebAuthn carrots, shiny and new.
Collectors ready, validators sing,
Reducers tuck secrets in a secure ring.
A tiny rabbit cheer — secure hops, woo-hoo! 🥕🐇"

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The pull request title "feat(davinci-client): add fido2 collectors" directly and accurately summarizes the main change in the changeset. The PR introduces FIDO2 (WebAuthn) collectors, new input value types, utility functions, and associated unit tests to the davinci-client package. The title is concise, specific, and clearly conveys the primary change without vague or generic language, making it easy for teammates to understand the changeset at a glance.
Description Check	✅ Passed	The pull request description matches the required template structure with both main sections present and filled. The JIRA Ticket section properly links to https://pingidentity.atlassian.net/browse/SDKS-4372, and the Description section explains that FIDO2 registration and authentication collectors and unit tests were added. While the description is brief and could include more detail about the specific changes or impact, it contains the essential information and both required template sections are addressed. A changeset file has been included in the PR (as shown in the raw summary), and the author's "TODO: changeset?" note appears to be a reminder rather than an incomplete section.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch SDKS-4372-webauthn-collectors

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 1a29b13

Command	Status	Duration	Result
nx affected -t build typecheck lint test e2e-ci	❌ Failed	1m 52s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	2s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-10-20 20:02:37 UTC

[codecov-commenter]

Codecov Report

❌ Patch coverage is 63.35404% with 59 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.07%. Comparing base (6b110df) to head (fe032c0).

Files with missing lines	Patch %	Lines
packages/davinci-client/src/lib/collector.utils.ts	75.86%	28 Missing ⚠️
packages/davinci-client/src/lib/node.reducer.ts	41.17%	20 Missing ⚠️
packages/davinci-client/src/lib/client.store.ts	0.00%	11 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main     #428       +/-   ##
===========================================
+ Coverage   18.75%   52.07%   +33.32%     
===========================================
  Files         138       19      -119     
  Lines       27368     1761    -25607     
  Branches      951      254      -697     
===========================================
- Hits         5132      917     -4215     
+ Misses      22236      844    -21392     

Files with missing lines	Coverage Δ
packages/davinci-client/src/lib/collector.types.ts	100.00% <ø> (ø)
packages/davinci-client/src/lib/davinci.types.ts	100.00% <ø> (ø)
packages/davinci-client/src/lib/davinci.utils.ts	88.23% <ø> (ø)
packages/davinci-client/src/lib/node.types.ts	100.00% <ø> (ø)
packages/davinci-client/src/lib/client.store.ts	0.36% <0.00%> (-0.01%)	⬇️
packages/davinci-client/src/lib/node.reducer.ts	67.40% <41.17%> (-5.27%)	⬇️
packages/davinci-client/src/lib/collector.utils.ts	77.77% <75.86%> (+4.63%)	⬆️

... and 119 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[pkg-pr-new]

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/davinci-client@428

@forgerock/oidc-client

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/oidc-client@428

@forgerock/protect

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/protect@428

@forgerock/sdk-types

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-types@428

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-utilities@428

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/iframe-manager@428

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-logger@428

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-oidc@428

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/sdk-request-middleware@428

@forgerock/storage

pnpm add https://pkg.pr.new/ForgeRock/ping-javascript-sdk/@forgerock/storage@428

commit: fe032c0

[github-actions]

Deployed ab94e1d to https://ForgeRock.github.io/ping-javascript-sdk/pr-428/ab94e1d5c7b2199b36d6d8b25d5aa60af63c3f3c branch gh-pages in ForgeRock/ping-javascript-sdk

[github-actions]

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🆕 New Packages

🆕 @forgerock/device-client - 9.2 KB (new)
🆕 @forgerock/oidc-client - 23.0 KB (new)
🆕 @forgerock/protect - 150.1 KB (new)
🆕 @forgerock/sdk-utilities - 7.5 KB (new)
🆕 @forgerock/journey-client - 0.0 KB (new)
🆕 @forgerock/journey-client - 82.0 KB (new)
🆕 @forgerock/sdk-types - 8.0 KB (new)
🆕 @forgerock/storage - 1.4 KB (new)
🆕 @forgerock/sdk-logger - 1.6 KB (new)
🆕 @forgerock/iframe-manager - 2.4 KB (new)
🆕 @forgerock/sdk-request-middleware - 4.4 KB (new)
🆕 @forgerock/sdk-oidc - 2.5 KB (new)
🆕 @forgerock/davinci-client - 35.5 KB (new)

---

13 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated

• Current Size: Total gzipped size of all files in the package's dist directory
• Baseline: Comparison against the latest build from the main branch
• Files included: All build outputs except source maps and TypeScript build cache
• Exclusions: .map, .tsbuildinfo, and .d.ts.map files

---

_{🔄 Updated automatically on each push to this PR}

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/davinci-client/src/lib/client.store.ts (1)

236-289: Allow AutoCollector updates with FIDO2 payloads.
returnAutoCollector now emits FIDO2 collectors whose input.value is a Fido2RegistrationInputValue / Fido2AuthenticationInputValue, but the updater here still only accepts string | string[] | PhoneNumberInputValue. As a result, update(fidoCollector)(attestationPayload) no longer type-checks even though that payload is required for the new collectors. Please widen the accepted value union (and the Updater type in client.types.ts) to include the FIDO2 input interfaces so the feature is actually usable without unsafe casts.

-import type {
-  SingleValueCollectors,
-  MultiSelectCollector,
-  ObjectValueCollectors,
-  PhoneNumberInputValue,
-  AutoCollectors,
-  MultiValueCollectors,
-} from './collector.types.js';
+import type {
+  SingleValueCollectors,
+  MultiSelectCollector,
+  ObjectValueCollectors,
+  PhoneNumberInputValue,
+  AutoCollectors,
+  MultiValueCollectors,
+  Fido2RegistrationInputValue,
+  Fido2AuthenticationInputValue,
+} from './collector.types.js';
@@
-      return function (value: string | string[] | PhoneNumberInputValue, index?: number) {
+      return function (
+        value:
+          | string
+          | string[]
+          | PhoneNumberInputValue
+          | Fido2RegistrationInputValue
+          | Fido2AuthenticationInputValue,
+        index?: number,
+      ) {

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6b110df and d2c6b35.

📒 Files selected for processing (9)

• packages/davinci-client/src/lib/client.store.ts (2 hunks)
• packages/davinci-client/src/lib/collector.types.ts (5 hunks)
• packages/davinci-client/src/lib/collector.utils.test.ts (3 hunks)
• packages/davinci-client/src/lib/collector.utils.ts (9 hunks)
• packages/davinci-client/src/lib/davinci.types.ts (3 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.ts (8 hunks)
• packages/davinci-client/src/lib/node.types.test-d.ts (2 hunks)
• packages/davinci-client/src/lib/node.types.ts (2 hunks)

🧰 Additional context used

🧬 Code graph analysis (8)

packages/davinci-client/src/lib/node.types.test-d.ts (1)

packages/davinci-client/src/lib/collector.types.ts (2)

• Fido2RegistrationCollector (601-605)
• Fido2AuthenticationCollector (606-610)

packages/davinci-client/src/lib/client.store.ts (2)

packages/davinci-client/src/lib/collector.types.ts (4)

• SingleValueCollectors (174-179)
• ObjectValueCollectors (415-420)
• MultiValueCollectors (250-252)
• AutoCollectors (617-621)

packages/davinci-client/src/lib/client.store.utils.ts (1)

• handleUpdateValidateError (51-66)

packages/davinci-client/src/lib/davinci.utils.ts (1)

packages/davinci-client/src/lib/collector.types.ts (3)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-316)
• Fido2AuthenticationInputValue (318-330)

packages/davinci-client/src/lib/node.types.ts (1)

packages/davinci-client/src/lib/collector.types.ts (2)

• Fido2RegistrationCollector (601-605)
• Fido2AuthenticationCollector (606-610)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)
• ProtectField (156-161)

packages/davinci-client/src/lib/collector.utils.ts (1)

• returnAutoCollector (272-385)

packages/davinci-client/src/lib/collector.utils.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.types.ts (6)

• AutoCollectorTypes (567-571)
• InferAutoCollectorType (630-640)
• ValidatedTextCollector (184-184)
• ObjectValueCollectors (415-420)
• MultiValueCollectors (250-252)
• AutoCollectors (617-621)

packages/davinci-client/src/lib/collector.types.ts (1)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/node.reducer.ts (2)

packages/davinci-client/src/lib/collector.types.ts (5)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-316)
• Fido2AuthenticationInputValue (318-330)
• Fido2RegistrationCollector (601-605)
• Fido2AuthenticationCollector (606-610)

packages/davinci-client/src/lib/collector.utils.ts (3)

• returnProtectCollector (423-425)
• returnFido2RegistrationCollector (433-435)
• returnFido2AuthenticationCollector (443-445)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: pr
• GitHub Check: Mend Code Security Check

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (2)

packages/davinci-client/src/lib/davinci.types.ts (2)

163-191: Export the FIDO2 option interfaces.

Fido2RegistrationOptions (line 163) and Fido2AuthenticationOptions (line 183) are used in exported field types but are not themselves exported. TypeScript will emit TS4058 during declaration generation because exported members reference private names.

Apply this diff to export both interfaces:

-interface Fido2RegistrationOptions
+export interface Fido2RegistrationOptions
   extends Omit<PublicKeyCredentialCreationOptions, 'challenge' | 'user'> {

...

-interface Fido2AuthenticationOptions
+export interface Fido2AuthenticationOptions
   extends Omit<PublicKeyCredentialRequestOptions, 'challenge' | 'allowCredentials'> {

---

186-190: Fix allowCredentials to be an array.

The allowCredentials property is typed as a single object (lines 186-190), but the WebAuthn spec defines it as PublicKeyCredentialDescriptor[]. This breaks type compatibility and will cause runtime issues when multiple credentials are allowed.

Apply this diff to correct the type:

   allowCredentials?: {
     id: number[];
     transports?: AuthenticatorTransport[];
     type: PublicKeyCredentialType;
-  };
+  }[];

🧹 Nitpick comments (1)

packages/davinci-client/src/lib/node.reducer.ts (1)

182-189: Add explicit return or break to prevent fall-through.

The FIDO2 case branches (lines 183-187) don't explicitly return or break, allowing fall-through to line 190 if neither credential option is present. While the break on line 188 prevents fall-through to the next case, the logic would be clearer with explicit returns in each branch.

Consider this refactor for clarity:

 case 'FIDO2': {
   if ('publicKeyCredentialCreationOptions' in field) {
-    return returnFido2RegistrationCollector(field, idx);
+    return returnFido2RegistrationCollector(field, idx);
   } else if ('publicKeyCredentialRequestOptions' in field) {
-    return returnFido2AuthenticationCollector(field, idx);
+    return returnFido2AuthenticationCollector(field, idx);
   }
+  // Fall through to default handling if neither option is present
   break;
 }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d2c6b35 and 33ad81a.

📒 Files selected for processing (9)

• packages/davinci-client/src/lib/client.store.ts (2 hunks)
• packages/davinci-client/src/lib/collector.types.ts (5 hunks)
• packages/davinci-client/src/lib/collector.utils.test.ts (3 hunks)
• packages/davinci-client/src/lib/collector.utils.ts (9 hunks)
• packages/davinci-client/src/lib/davinci.types.ts (3 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.ts (8 hunks)
• packages/davinci-client/src/lib/node.types.test-d.ts (2 hunks)
• packages/davinci-client/src/lib/node.types.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/davinci-client/src/lib/node.types.test-d.ts
• packages/davinci-client/src/lib/davinci.utils.ts

🧰 Additional context used

🧬 Code graph analysis (6)

packages/davinci-client/src/lib/collector.utils.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.types.ts (6)

• AutoCollectorTypes (548-552)
• InferAutoCollectorType (611-621)
• ValidatedTextCollector (184-184)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (598-602)

packages/davinci-client/src/lib/collector.types.ts (1)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/node.reducer.ts (2)

packages/davinci-client/src/lib/collector.types.ts (5)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-307)
• Fido2AuthenticationInputValue (309-311)
• Fido2RegistrationCollector (582-586)
• Fido2AuthenticationCollector (587-591)

packages/davinci-client/src/lib/collector.utils.ts (3)

• returnProtectCollector (423-425)
• returnFido2RegistrationCollector (433-435)
• returnFido2AuthenticationCollector (443-445)

packages/davinci-client/src/lib/node.types.ts (1)

packages/davinci-client/src/lib/collector.types.ts (2)

• Fido2RegistrationCollector (582-586)
• Fido2AuthenticationCollector (587-591)

packages/davinci-client/src/lib/client.store.ts (2)

packages/davinci-client/src/lib/collector.types.ts (4)

• SingleValueCollectors (174-179)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (598-602)

packages/davinci-client/src/lib/client.store.utils.ts (1)

• handleUpdateValidateError (51-66)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)
• ProtectField (156-161)

packages/davinci-client/src/lib/collector.utils.ts (1)

• returnAutoCollector (272-385)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Mend Code Security Check
• GitHub Check: pr

🔇 Additional comments (11)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

806-957: LGTM!

The new returnAutoCollector tests comprehensively validate the FIDO2 registration, authentication, and Protect collector structures. Each test correctly verifies input/output shapes, config mappings, and validation rules.

---

995-995: LGTM!

Correctly updated to test an empty array instead of an empty object, aligning with the multi-value collector's array-based validation logic.

packages/davinci-client/src/lib/client.store.ts (1)

294-348: LGTM!

The validate method correctly extends support to AutoCollectors, including the new FIDO2 collectors. The category check properly includes SingleValueAutoCollector, and the JSDoc is appropriately updated.

packages/davinci-client/src/lib/node.types.ts (1)

26-48: LGTM!

The FIDO2 collector types are correctly imported and added to the public Collectors union, extending the type system to support WebAuthn flows.

packages/davinci-client/src/lib/node.reducer.ts (2)

300-324: LGTM!

The FIDO2 collector update handling correctly validates input types and required properties (attestationValue for registration, assertionValue for authentication) before updating collector values. The logic follows the established pattern used for other object-value collectors.

---

225-235: LGTM!

The refinement from SingleValueAutoCollector to ProtectCollector (line 228) provides more specific type checking while maintaining the string value validation. This aligns with the expanded auto-collector type system.

packages/davinci-client/src/lib/collector.types.ts (1)

305-621: LGTM!

The type system extensions for FIDO2 support are well-structured:

• New input value interfaces properly use PublicKeyCredential from the WebAuthn API
• The AutoCollector generic is enhanced with IV for clarity and optional validation
• New collector types (Fido2RegistrationCollector, Fido2AuthenticationCollector) correctly extend the base
• Union types and inference mappings are complete and consistent

packages/davinci-client/src/lib/collector.utils.ts (4)

272-291: LGTM!

The refactoring to remove the data parameter and construct the validation array upfront is cleaner and more maintainable. The validation logic correctly handles the required property common to FIDO2 fields.

---

314-365: LGTM!

The FIDO2 collector branches are well-implemented:

• Proper discrimination based on credential options properties
• Config correctly captures publicKeyCredentialCreationOptions/publicKeyCredentialRequestOptions, action, and trigger
• Input value initialized to {} for object-based WebAuthn credentials
• Validation array conditionally included based on content

---

423-445: LGTM!

The wrapper functions follow the established pattern and correctly delegate to returnAutoCollector with the appropriate collector type. The removal of the data parameter from returnProtectCollector aligns with the signature changes.

---

705-709: LGTM!

The returnValidator signature correctly extends to include AutoCollectors, and the return type change from Record<string, string> to Record<string, unknown> properly accommodates object-based input values used by FIDO2 collectors.

[cerebrl]

This looks like a really good start. I think we should think about the category for these new collectors. I also would like to know how DaVinci expects errors to be structured.

[cerebrl]

I feel like we should start splitting these files up that are getting pretty long. Maybe split by category of collector? Thoughts?

[ancheetah]

Same goes for the accompanying unit test file... it's very long. We could have a /collectors folder which hosts the utils and types. Break down by category as you suggested. The types could also probably be broken down by category. Question is do we want to do this refactoring now or save it for later?

[cerebrl]

I'll leave this up to you. If you have bigger fish to fry, then we can do it later. I just thought I'd bring it up as I always get squeamish with long running files like this :)

[ancheetah]

Will save this for the end of the sprint if there's time

[cerebrl]

Sounds good. No rush. We can always just put a tech debt story in the backlog as well.

[cerebrl]

Can we use null instead of undefined?

[ancheetah]

I gave null a try for the ObjectValueAutoCollectors. Let me know if you like it better. As code rabbit pointed out below, we'll have to update our other validator props in other collectors to be more consistent.

[cerebrl]

Rather than going off of a property's presence, would it be easier to use the action property's value: "REGISTER" or "AUTHENTICATE"?

[ancheetah]

That's a good idea. I assume we are always guaranteed these values and it's not something user-configured?

[cerebrl]

You're assumption is correct. These properties should not change, as it's a part of the API. I only suggest using the action property as it's a bit more concise and "self-documenting".

[cerebrl]

I think we should have a different category for this. SingleValue doesn't feel all that accurate. It's more of an ObjectValue, like device or phone number collectors, as opposed to Protect, which is just a string value, yeah? So, ObjectValueAutoCollector?

[cerebrl]

Was this intentional?

[ancheetah]

Yes, from my understanding this data passed in here comes from formData on the DaVinci response (which is typically prefilled data). Neither WebAuthn or Protect come with prefilled data as far as I know so I think it's ok to remove this.

[cerebrl]

If we change the category of the FIDO2 collectors to ObjectValueAutoCollectors, then we could potentially not need this change.

[ancheetah]

I thought about this too. I'll go ahead and make that change to the category

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

packages/davinci-client/src/lib/node.reducer.ts (1)

300-324: Consider consolidating duplicate FIDO2 validation logic.

The validation blocks for Fido2RegistrationCollector (lines 300-311) and Fido2AuthenticationCollector (lines 313-324) are nearly identical, differing only in the property name check (attestationValue vs assertionValue). This duplication could be reduced with a helper function or consolidated logic.

Example refactor to reduce duplication:

+      const isFido2Collector = 
+        collector.type === 'Fido2RegistrationCollector' || 
+        collector.type === 'Fido2AuthenticationCollector';
+
+      if (isFido2Collector) {
-      if (collector.type === 'Fido2RegistrationCollector') {
         if (typeof action.payload.id !== 'string') {
           throw new Error('Index argument must be a string');
         }
         if (typeof action.payload.value !== 'object') {
           throw new Error('Value argument must be an object');
         }
-        if (!('attestationValue' in action.payload.value)) {
-          throw new Error('Value argument must contain an attestationValue property');
+        const requiredProp = collector.type === 'Fido2RegistrationCollector' 
+          ? 'attestationValue' 
+          : 'assertionValue';
+        if (!(requiredProp in action.payload.value)) {
+          throw new Error(`Value argument must contain a ${requiredProp} property`);
         }
         collector.input.value = action.payload.value;
+        return;
       }
-
-      if (collector.type === 'Fido2AuthenticationCollector') {
-        if (typeof action.payload.id !== 'string') {
-          throw new Error('Index argument must be a string');
-        }
-        if (typeof action.payload.value !== 'object') {
-          throw new Error('Value argument must be an object');
-        }
-        if (!('assertionValue' in action.payload.value)) {
-          throw new Error('Value argument must contain an assertionValue property');
-        }
-        collector.input.value = action.payload.value;
-      }

packages/davinci-client/src/lib/collector.types.ts (1)

555-576: Unify handling of the validation field. It’s currently declared as validation?: ValidationRequired[] | null but some code paths assign undefined (e.g. collector.utils.ts lines 523–527 and 650–654) while others use null. Decide on a single “no validations” sentinel—either null or undefined—and update the interface and all assignments to match.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 33ad81a and fe032c0.

📒 Files selected for processing (10)

• packages/davinci-client/src/lib/client.store.ts (4 hunks)
• packages/davinci-client/src/lib/collector.types.ts (5 hunks)
• packages/davinci-client/src/lib/collector.utils.test.ts (3 hunks)
• packages/davinci-client/src/lib/collector.utils.ts (9 hunks)
• packages/davinci-client/src/lib/davinci.types.ts (3 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.test.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.ts (8 hunks)
• packages/davinci-client/src/lib/node.types.test-d.ts (2 hunks)
• packages/davinci-client/src/lib/node.types.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/davinci-client/src/lib/node.types.test-d.ts
• packages/davinci-client/src/lib/davinci.utils.ts

🧰 Additional context used

🧬 Code graph analysis (7)

packages/davinci-client/src/lib/node.reducer.test.ts (4)

packages/davinci-client/src/lib/collector.types.ts (3)

• ProtectCollector (578-582)
• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/node.reducer.ts (1)

• nodeCollectorReducer (107-326)

packages/davinci-client/src/lib/davinci.types.ts (2)

• Fido2RegistrationOptions (163-171)
• Fido2AuthenticationOptions (183-191)

packages/davinci-client/src/lib/node.types.ts (1)

packages/davinci-client/src/lib/collector.types.ts (2)

• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.utils.ts (2)

• returnSingleValueAutoCollector (273-324)
• returnObjectValueAutoCollector (333-419)

packages/davinci-client/src/lib/collector.utils.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.types.ts (7)

• SingleValueAutoCollectorTypes (548-548)
• ObjectValueAutoCollectorTypes (549-552)
• InferAutoCollectorType (618-630)
• ValidatedTextCollector (184-184)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/node.reducer.ts (2)

packages/davinci-client/src/lib/collector.types.ts (5)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-307)
• Fido2AuthenticationInputValue (309-311)
• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/lib/collector.utils.ts (3)

• returnProtectCollector (457-459)
• returnFido2RegistrationCollector (467-469)
• returnFido2AuthenticationCollector (477-479)

packages/davinci-client/src/lib/client.store.ts (2)

packages/davinci-client/src/lib/client.store.utils.ts (1)

• handleUpdateValidateError (51-66)

packages/davinci-client/src/lib/collector.types.ts (7)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-307)
• Fido2AuthenticationInputValue (309-311)
• SingleValueCollectors (174-179)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/collector.types.ts (1)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Mend Code Security Check
• GitHub Check: pr

🔇 Additional comments (6)

packages/davinci-client/src/lib/collector.types.ts (2)

305-311: LGTM! FIDO2 input value types are well-defined.

The optional fields (attestationValue? and assertionValue?) align with the WebAuthn API flow where these values are populated after the browser credential operation completes.

---

547-553: Good separation of auto collector categories.

Splitting SingleValueAutoCollectorTypes and ObjectValueAutoCollectorTypes provides clear type boundaries and makes the FIDO2 collectors (which handle complex objects) distinct from simple value collectors like Protect.

packages/davinci-client/src/lib/node.reducer.ts (1)

182-189: LGTM! Action-based routing aligns with prior feedback.

Using field.action to distinguish between REGISTER and AUTHENTICATE flows is more concise and self-documenting than checking for property presence.

Based on learnings

packages/davinci-client/src/lib/collector.utils.ts (3)

326-419: LGTM! New returnObjectValueAutoCollector follows established patterns.

The function correctly:

• Validates required field properties
• Builds validation arrays based on field requirements
• Distinguishes between FIDO2 registration and authentication via field.action
• Initializes input.value to an empty object {} (appropriate for FIDO2 flows)
• Returns properly typed collectors

---

589-605: Good defensive programming with optional chaining.

Adding optional chaining (field.options?.) prevents potential runtime errors if the field structure is malformed or incomplete.

Also applies to: 617-624

---

736-743: Ensure returnValidator handles FIDO2 object values
The ‘required’ rule counts object keys (e.g. attestationValue/assertionValue) but there are no tests exercising returnValidator for Fido2RegistrationCollector or Fido2AuthenticationCollector. Add or update validator tests to confirm FIDO2 inputs pass/ fail as intended.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Inconsistent validation assignment: null vs array length check.

Lines 365, 388, and 411 use validationArray.length ? validationArray : null, setting validation to null when empty. However, other collectors in this file (e.g., lines 525, 652) use undefined for empty validation. This inconsistency should be resolved.

Consider standardizing to undefined (or omitting the field entirely):

-        validation: validationArray.length ? validationArray : null,
+        validation: validationArray.length ? validationArray : undefined,

Or even better, only include validation when present:

         input: {
           key: field.key,
           value: {},
           type: field.type,
-          validation: validationArray.length ? validationArray : null,
+          ...(validationArray.length && { validation: validationArray }),
         },

Also applies to: 388-388, 411-411

🤖 Prompt for AI Agents

In packages/davinci-client/src/lib/collector.utils.ts around lines 365, 388 and
411, the code sets validation to null when validationArray is empty (validation:
validationArray.length ? validationArray : null) which is inconsistent with
other collectors that use undefined; update these three locations to standardize
behavior by either (a) setting validation to undefined when empty (validation:
validationArray.length ? validationArray : undefined) or preferably (b) only
include the validation field when validationArray has items (i.e., conditionally
add the validation property to the returned object when validationArray.length >
0) so all collectors use the same undefined/omitted convention.

[cerebrl]

Where are the other instances of undefined being assigned?

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find all instances where validation is assigned in collector.utils.ts
rg -n "validation.*validationArray" packages/davinci-client/src/lib/collector.utils.ts

Length of output: 411

---

@cerebrl The other instances where undefined is assigned to validation are:

1. Line 525 - in returnMultiValueCollector:

   validation: validationArray.length ? validationArray : undefined,

2. Line 652 - in returnObjectCollector:

   validation: validationArray.length ? validationArray : undefined,

In contrast, the new returnObjectValueAutoCollector function uses null for validation on lines 365, 388, and 411. This creates an inconsistency with the existing pattern in the codebase where returnMultiValueCollector and returnObjectCollector both use undefined when the validation array is empty.

---

🧬 Code Graph Analysis Results

<no_relevant_code_snippets>

[cerebrl]

Nice! This is actually helpful!

[coderabbitai]

@cerebrl You're welcome! I'm glad the analysis was helpful. Let me know if you need anything else as you work through the validation inconsistency. 😊

[ancheetah]

Added ObjectValueAutoCollector type and unit tests for AutoCollectors in the node reducer.

[cerebrl]

I think this can be merged in, but I left a couple of small, non-blocking comments to think about.

[cerebrl]

Is this addition to the conditional still needed now that we've narrowed the AutoCollector types?

[ancheetah]

good catch, no longer needed

[cerebrl]

This isn't a big thing, but does the tested collectorType not narrow enough? It would be nice if the type being Fido2RegistrationCollector would be enough without the need of the added field.action === 'REGISTER'. This would make it consistent with the rest of this file's conditions.

[ancheetah]

Narrowing on just collectorType is not enough because the field input is then left ambiguous and typescript will complain about the public key credential options.

If you take a look at returnObjectCollector we do something similar - narrow on field.type. In the case of FIDO2 the field.type is FIDO2 for both registration/authentication so we can't use that. It's actually enough to narrow if we just use field.action but it feels safer to explicitly have the collectorType conditional in case other field types have a similar action.

[cerebrl]

I guess I misspoke. I should have asked if we can narrow on field.action alone? Does the collectorType matter in this sense? It doesn't seem to impact the logic at all.

[ancheetah]

Yes, we can narrow on field.action alone. This would also remove the need for returning a generic ObjectValueAutoCollector at the end because at that point the field is of type never.

[ancheetah]

Updated validation types and narrowing on ObjectValueAutoCollectors.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

packages/davinci-client/src/lib/node.reducer.test.ts (2)

925-1028: Consider typing the mock input value explicitly.

The TODO comment on line 927 suggests explicitly typing mockInputValue as Fido2RegistrationInputValue. While the test works with the implicit typing, explicit typing would improve type safety and catch mismatches earlier.

Apply this diff to add explicit typing:

-    // todo: declare inputValue type as Fido2RegistrationInputValue
-    const mockInputValue = {
+    const mockInputValue: Fido2RegistrationInputValue = {
       attestationValue: {

Otherwise, the test comprehensively validates the Fido2RegistrationCollector pathway with appropriate mock data structures.

---

1030-1117: Consider typing the mock input value explicitly.

Similar to the registration test, the TODO comment on line 1032 suggests explicitly typing mockInputValue as Fido2AuthenticationInputValue for improved type safety.

Apply this diff to add explicit typing:

-    // todo: declare inputValue type as Fido2AuthenticationInputValue
-    const mockInputValue = {
+    const mockInputValue: Fido2AuthenticationInputValue = {
       assertionValue: {

The test otherwise provides excellent coverage of the Fido2AuthenticationCollector update pathway with realistic mock credentials and options.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fe032c0 and 7471c5c.

📒 Files selected for processing (11)

• packages/davinci-client/src/lib/client.store.ts (4 hunks)
• packages/davinci-client/src/lib/collector.types.test-d.ts (1 hunks)
• packages/davinci-client/src/lib/collector.types.ts (10 hunks)
• packages/davinci-client/src/lib/collector.utils.test.ts (8 hunks)
• packages/davinci-client/src/lib/collector.utils.ts (10 hunks)
• packages/davinci-client/src/lib/davinci.types.ts (3 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.test.ts (12 hunks)
• packages/davinci-client/src/lib/node.reducer.ts (8 hunks)
• packages/davinci-client/src/lib/node.types.test-d.ts (2 hunks)
• packages/davinci-client/src/lib/node.types.ts (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (4)

• packages/davinci-client/src/lib/node.reducer.ts
• packages/davinci-client/src/lib/node.types.test-d.ts
• packages/davinci-client/src/lib/node.types.ts
• packages/davinci-client/src/lib/davinci.utils.ts

🧰 Additional context used

🧬 Code graph analysis (5)

packages/davinci-client/src/lib/collector.types.ts (1)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.utils.ts (2)

• returnSingleValueAutoCollector (273-324)
• returnObjectValueAutoCollector (333-401)

packages/davinci-client/src/lib/node.reducer.test.ts (4)

packages/davinci-client/src/lib/collector.types.ts (3)

• ProtectCollector (578-582)
• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/node.reducer.ts (1)

• nodeCollectorReducer (107-326)

packages/davinci-client/src/lib/davinci.types.ts (2)

• Fido2RegistrationOptions (163-171)
• Fido2AuthenticationOptions (183-191)

packages/davinci-client/src/lib/client.store.ts (2)

packages/davinci-client/src/lib/client.store.utils.ts (1)

• handleUpdateValidateError (51-66)

packages/davinci-client/src/lib/collector.types.ts (7)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-307)
• Fido2AuthenticationInputValue (309-311)
• SingleValueCollectors (174-179)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/collector.utils.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.types.ts (7)

• SingleValueAutoCollectorTypes (548-548)
• ObjectValueAutoCollectorTypes (549-552)
• InferAutoCollectorType (618-630)
• ValidatedTextCollector (184-184)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Mend Code Security Check
• GitHub Check: pr

🔇 Additional comments (27)

packages/davinci-client/src/lib/collector.types.test-d.ts (1)

305-305: LGTM! Test reflects nullable validation field.

The addition of validation: null correctly tests the expanded input shape for multi-value collectors, aligning with the broader changes to make validation fields optional across the collector type system.

packages/davinci-client/src/lib/node.reducer.test.ts (2)

440-440: LGTM! Validation field updates are consistent.

The addition of validation: null across these test expectations correctly reflects the expanded input shapes that now include optional validation metadata. This change is consistent with the broader type system updates for multi-value and object-value collectors.

Also applies to: 475-475, 526-526, 576-576, 634-634, 677-677, 742-742, 786-786, 826-826, 852-852

---

867-923: LGTM! Comprehensive ProtectCollector test coverage.

The test suite properly validates the ProtectCollector's update pathway, including the correct input structure, configuration mapping, and value updates. The test expectations align with the SingleValueAutoCollector category and the Protect-specific configuration schema.

packages/davinci-client/src/lib/davinci.types.ts (4)

152-153: LGTM! Phone number validation flag added.

The addition of the validatePhoneNumber: boolean field extends the PhoneNumberField type to support validation control, which aligns with the validation enhancements across the collector system.

---

163-191: LGTM! FIDO2 option interfaces are properly exported.

The Fido2RegistrationOptions and Fido2AuthenticationOptions interfaces are correctly exported and properly extend the WebAuthn spec types. The overrides for challenge, user, and allowCredentials correctly use number[] arrays instead of BufferSource types, which aligns with the DaVinci API's JSON-serializable format.

---

173-201: LGTM! FIDO2 field types are well-structured.

The Fido2RegistrationField and Fido2AuthenticationField types properly capture the FIDO2 flow metadata, including the credential options, action discriminators, trigger mechanisms, and required flags. The discriminated union on the action field ('REGISTER' vs 'AUTHENTICATE') enables type-safe handling in downstream code.

---

212-218: LGTM! SingleValueFields union expanded correctly.

The union now includes ProtectField, Fido2RegistrationField, and Fido2AuthenticationField, properly extending the single-value field types to support the new auto-collector pathways.

packages/davinci-client/src/lib/collector.utils.test.ts (4)

480-480: LGTM! Validation field updates are consistent.

The addition of validation: null across these test expectations correctly reflects the nullable validation field introduced in the type definitions. This ensures tests remain aligned with the updated collector interfaces.

Also applies to: 631-631, 671-671, 713-713, 754-754

---

812-842: LGTM! ProtectCollector test is comprehensive.

The test validates the returnSingleValueAutoCollector utility with a ProtectField, correctly verifying the category, type, input/output structures, and configuration mapping. The test expectations align with the SingleValueAutoCollector category and Protect-specific config schema.

---

844-959: LGTM! FIDO2 collector tests are thorough.

Both Fido2RegistrationCollector and Fido2AuthenticationCollector tests comprehensively validate the returnObjectValueAutoCollector utility, including:

• Correct category assignment (ObjectValueAutoCollector)
• Proper input/output structure mapping
• Configuration extraction from field properties
• Validation array handling (required vs null)
• Action discriminator handling

The mock credential options are realistic and align with WebAuthn specifications.

---

997-997: LGTM! Empty multi-value corrected.

Changing the empty value expectation from {} to [] correctly reflects that multi-value collectors expect array values, not object values. This aligns with the MultiValueCollector input type definition where value is string[].

packages/davinci-client/src/lib/collector.types.ts (8)

205-205: LGTM! Validation field made nullable.

Making the validation field nullable (ValidationRequired[] | null) allows collectors to explicitly represent the absence of validation rules, which is appropriate for optional validation scenarios. This change is consistently applied across multi-value collector interfaces.

Also applies to: 226-226

---

305-311: LGTM! FIDO2 input value interfaces added.

The Fido2RegistrationInputValue and Fido2AuthenticationInputValue interfaces properly capture the WebAuthn credential payloads. Using optional properties for attestationValue and assertionValue allows these collectors to start with empty input and be populated after credential ceremonies complete.

---

326-326: LGTM! Object collector validation fields updated.

Consistently making the validation field nullable across object-value collector interfaces allows explicit representation of no-validation scenarios. The expansion to include ValidationPhoneNumber in line 375 properly supports phone number validation rules.

Also applies to: 350-350, 375-375

---

547-553: LGTM! AutoCollector taxonomy expanded.

The split into SingleValueAutoCollectorTypes and ObjectValueAutoCollectorTypes with a unified AutoCollectorTypes union properly organizes the new FIDO2 collectors alongside the existing Protect collector. The addition of ObjectValueAutoCollector to AutoCollectorCategories enables category-based discrimination in the type system.

---

558-558: LGTM! Generic parameter renamed for clarity.

Renaming the generic from V to IV (Input Value) more clearly indicates this type parameter represents the input value shape rather than a generic value. This improves code readability and self-documentation.

Also applies to: 567-567

---

578-602: LGTM! New auto-collector types properly defined.

The new collector types (ProtectCollector, Fido2RegistrationCollector, Fido2AuthenticationCollector, ObjectValueAutoCollector) are correctly defined using the AutoCollector generic with appropriate categories, type literals, and input value types. The type parameters properly constrain the input values to their respective shapes.

---

604-609: LGTM! AutoCollectors union expanded correctly.

The AutoCollectors union now includes all five auto-collector types, enabling exhaustive pattern matching and type narrowing across the FIDO2 and Protect flows.

---

618-630: LGTM! Type inference expanded for new collectors.

The InferAutoCollectorType conditional type properly maps each collector type literal to its corresponding type, with a sensible fallback to SingleValueAutoCollector for unmapped cases. The inference chain correctly handles all five auto-collector variants.

packages/davinci-client/src/lib/client.store.ts (3)

37-38: LGTM! Necessary type imports added.

The FIDO2 input value types are correctly imported to support the new collector types in the update method signature.

---

266-279: Verify that SingleValueAutoCollector category is intentionally excluded from validation.

The update method now accepts both SingleValueAutoCollector and ObjectValueAutoCollector categories. However, in the validate method (lines 338-349), only ObjectValueAutoCollector is allowed while SingleValueAutoCollector is excluded. This appears intentional since ProtectCollector (a SingleValueAutoCollector) may not have validation rules. Please confirm this design decision is correct.

---

281-288: LGTM! Function signature correctly expanded to handle FIDO2 input values.

The updater function signature now properly includes Fido2RegistrationInputValue and Fido2AuthenticationInputValue to support the new ObjectValueAutoCollector types.

packages/davinci-client/src/lib/collector.utils.ts (5)

267-324: LGTM! Well-refactored single-value auto collector.

The refactored returnSingleValueAutoCollector appropriately narrows the scope to ProtectField and initializes the input value to an empty string. The removal of the data parameter makes sense since auto collectors don't receive prefilled data.

---

326-401: LGTM! FIDO2 object-value auto collector implementation is solid.

The new returnObjectValueAutoCollector function properly handles FIDO2 registration and authentication collectors with:

• Appropriate object-value initialization ({})
• Conditional validation when required is true
• Proper branching on field.action to distinguish registration from authentication
• Consistent use of null for empty validation arrays

The implementation aligns well with the existing collector patterns.

---

507-507: Excellent! Validation consistency improved.

The validation assignment has been standardized to use null instead of undefined when the validation array is empty (lines 507, 634). This resolves the inconsistency that was flagged in previous reviews and aligns with the pattern used in the new FIDO2 collectors (lines 365, 388).

Also applies to: 634-634

---

571-587: LGTM! Defensive programming with optional chaining.

The addition of optional chaining (field.options?.map) with nullish coalescing (?? []) provides better safety against undefined options while maintaining the expected array return type. This prevents potential runtime errors.

Also applies to: 599-606

---

718-725: LGTM! Validator signature correctly expanded for object values.

The returnValidator function signature now accepts AutoCollectors and handles Record<string, unknown> values, which is necessary for validating FIDO2 collectors with object-shaped input values. The function logic appropriately handles empty objects in the required validation check.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

packages/davinci-client/src/lib/davinci.types.ts (1)

183-191: Authentication options fix is correct; minor optional tweak

• allowCredentials naming and array shape are correct.
• Optional: consider readonly number[] for challenge/id to signal immutability (non-blocking).

Also applies to: 193-201

packages/davinci-client/src/lib/client.store.ts (2)

281-289: Type-safety improvement: specialize updater value by collector type

Current value union permits shapes that don’t apply to some collectors. Consider a generic signature to infer the expected value from the collector, reducing runtime errors.

Example approach (illustrative):

• Define UpdaterFor<C> mapping collector → expected value.
• Change update<C extends AllowedCollectors>(collector: C): (value: UpdaterFor<C>, index?: number) => ...

Would you like a typed diff introducing UpdaterFor and updating update accordingly?

---

310-315: Validate signature vs runtime gating

validate accepts AutoCollectors, but only ObjectValueAutoCollector is validated at runtime. Either:

• Narrow the parameter type to only validatable categories, or
• Add a brief JSDoc clarifying that only some categories have validation rules.

Non-blocking; current behavior is safe due to gating.

Also applies to: 338-346

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7471c5c and c1ae746.

📒 Files selected for processing (13)

• .changeset/tired-melons-wish.md (1 hunks)
• packages/davinci-client/src/lib/client.store.ts (4 hunks)
• packages/davinci-client/src/lib/collector.types.test-d.ts (1 hunks)
• packages/davinci-client/src/lib/collector.types.ts (10 hunks)
• packages/davinci-client/src/lib/collector.utils.test.ts (8 hunks)
• packages/davinci-client/src/lib/collector.utils.ts (10 hunks)
• packages/davinci-client/src/lib/davinci.types.ts (3 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.test.ts (12 hunks)
• packages/davinci-client/src/lib/node.reducer.ts (8 hunks)
• packages/davinci-client/src/lib/node.types.test-d.ts (2 hunks)
• packages/davinci-client/src/lib/node.types.ts (2 hunks)
• packages/journey-client/package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/davinci-client/src/lib/davinci.utils.ts
• packages/davinci-client/src/lib/collector.types.ts

🧰 Additional context used

🧬 Code graph analysis (7)

packages/davinci-client/src/lib/node.types.test-d.ts (1)

packages/davinci-client/src/lib/collector.types.ts (2)

• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/lib/node.types.ts (1)

packages/davinci-client/src/lib/collector.types.ts (2)

• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/lib/client.store.ts (2)

packages/davinci-client/src/lib/client.store.utils.ts (1)

• handleUpdateValidateError (51-66)

packages/davinci-client/src/lib/collector.types.ts (7)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-307)
• Fido2AuthenticationInputValue (309-311)
• SingleValueCollectors (174-179)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/node.reducer.ts (2)

packages/davinci-client/src/lib/collector.types.ts (5)

• PhoneNumberInputValue (295-298)
• Fido2RegistrationInputValue (305-307)
• Fido2AuthenticationInputValue (309-311)
• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/lib/collector.utils.ts (3)

• returnProtectCollector (439-441)
• returnFido2RegistrationCollector (449-451)
• returnFido2AuthenticationCollector (459-461)

packages/davinci-client/src/lib/collector.utils.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.types.ts (7)

• SingleValueAutoCollectorTypes (548-548)
• ObjectValueAutoCollectorTypes (549-552)
• InferAutoCollectorType (618-630)
• ValidatedTextCollector (184-184)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• Fido2RegistrationField (173-181)
• Fido2AuthenticationField (193-201)

packages/davinci-client/src/lib/collector.utils.ts (2)

• returnSingleValueAutoCollector (273-324)
• returnObjectValueAutoCollector (333-401)

packages/davinci-client/src/lib/node.reducer.test.ts (4)

packages/davinci-client/src/lib/collector.types.ts (3)

• ProtectCollector (578-582)
• Fido2RegistrationCollector (583-587)
• Fido2AuthenticationCollector (588-592)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/node.reducer.ts (1)

• nodeCollectorReducer (107-326)

packages/davinci-client/src/lib/davinci.types.ts (2)

• Fido2RegistrationOptions (163-171)
• Fido2AuthenticationOptions (183-191)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Mend Code Security Check
• GitHub Check: Mend Security Check

🔇 Additional comments (30)

packages/journey-client/package.json (1)

36-36: Align vite versions in dependencies and devDependencies, and clarify if this change is intentional.

The version mismatch is confirmed: vite 6.3.6 in dependencies (line 36) and vite 6.3.4 in devDependencies (line 41). This divergence should be resolved by updating devDependencies to match:

  "devDependencies": {
    "@vitest/coverage-v8": "^1.2.0",
-   "vite": "6.3.4",
+   "vite": "6.3.6",
    "vitest": "^1.2.0"
  }

Please confirm whether this vite version bump to 6.3.6 is necessary for the FIDO2 collector changes or if it is incidental.

.changeset/tired-melons-wish.md (1)

1-5: Changeset looks good

Minor bump and succinct summary for adding WebAuthn/FIDO2 collectors is appropriate.

packages/davinci-client/src/lib/collector.types.test-d.ts (1)

301-307: Type test aligns with new nullable validation

Adding validation: null matches updated collector input shape (ValidationRequired[] | null).

packages/davinci-client/src/lib/davinci.types.ts (3)

152-154: PhoneNumberField additions OK

required and validatePhoneNumber fields look correct and consistent with other fields.

---

163-171: FIDO2 registration types are well-formed

Exported Fido2RegistrationOptions and Fido2RegistrationField mirror WebAuthn, with binary IDs represented as number[]. Looks good.

Also applies to: 173-181

---

212-218: Union extension is appropriate

Including FIDO2 fields in SingleValueFields aligns with how fields are grouped for rendering.

packages/davinci-client/src/lib/client.store.ts (1)

271-276: Category gating for update is correct

Allowing both SingleValueAutoCollector and ObjectValueAutoCollector is needed for Protect and FIDO2 paths.

packages/davinci-client/src/lib/node.types.test-d.ts (1)

36-38: Collector union tests updated correctly

Including FIDO2 collectors in the Collectors union checks matches the new public surface.

Also applies to: 221-241

packages/davinci-client/src/lib/node.types.ts (1)

26-27: LGTM! Clean type extension for FIDO2 support.

The addition of Fido2RegistrationCollector and Fido2AuthenticationCollector to the public type exports and Collectors union is consistent with the broader FIDO2 support being added across the codebase.

Also applies to: 47-48

packages/davinci-client/src/lib/node.reducer.test.ts (4)

440-440: LGTM! Consistent validation handling.

Adding validation: null to the input shapes across multiple collectors standardizes the validation property handling throughout the test suite, aligning with the updated collector factory functions.

Also applies to: 475-475, 526-526, 576-576, 634-634, 677-677, 742-742, 786-786, 826-826, 852-852

---

867-923: LGTM! Comprehensive ProtectCollector test coverage.

The test properly validates the update flow for ProtectCollector with SingleValueAutoCollector category, ensuring correct value assignment.

---

925-1028: LGTM! Thorough Fido2RegistrationCollector test coverage.

The test validates the complete update flow for FIDO2 registration, including the ObjectValueAutoCollector category, input value structure with attestation, and output configuration with publicKeyCredentialCreationOptions.

---

1030-1117: LGTM! Comprehensive Fido2AuthenticationCollector test coverage.

The test properly validates the update flow for FIDO2 authentication, covering the ObjectValueAutoCollector category, input value structure with assertion, and output configuration with publicKeyCredentialRequestOptions.

packages/davinci-client/src/lib/node.reducer.ts (6)

29-30: LGTM! Necessary imports for FIDO2 support.

The new imports for returnFido2RegistrationCollector, returnFido2AuthenticationCollector, and their associated types align with the broader FIDO2 functionality being added.

Also applies to: 52-55

---

70-75: LGTM! Proper type extension for FIDO2 input values.

Extending the updateCollectorValues action's value union to include Fido2RegistrationInputValue and Fido2AuthenticationInputValue correctly handles the object-based input structures required for WebAuthn flows.

---

99-100: LGTM! Consistent initial state extension.

Adding the new FIDO2 collector types to initialCollectorValues maintains consistency with the extended collector system.

---

179-189: LGTM! Clean FIDO2 routing logic.

The updated returnProtectCollector call (removing the data parameter) aligns with the refactored function signature. The new FIDO2 branch properly routes to registration or authentication collectors based on the field.action discriminator. The break statement ensures that if field.action is neither 'REGISTER' nor 'AUTHENTICATE', execution falls through to the generic collector handling below, which is appropriate fallback behavior.

---

225-235: LGTM! Correct type narrowing for ProtectCollector.

The condition now checks collector.type === 'ProtectCollector' instead of category, which correctly handles the ProtectCollector as a SingleValueAutoCollector with string input values. This aligns with the new collector categorization where ProtectCollector has the category 'SingleValueAutoCollector' but needs special handling.

---

300-324: LGTM! Proper FIDO2 input validation and assignment.

Both Fido2RegistrationCollector and Fido2AuthenticationCollector update handlers correctly:

• Validate that id is a string (required for tracking)
• Validate that value is an object
• Check for required properties (attestationValue or assertionValue)
• Assign the value to collector.input.value

This follows the same pattern as the existing PhoneNumberCollector handler and provides appropriate error messages.

packages/davinci-client/src/lib/collector.utils.test.ts (4)

23-24: LGTM! Updated imports for new auto-collector API.

The new imports returnSingleValueAutoCollector and returnObjectValueAutoCollector along with the FIDO2 and Protect field types enable testing of the refactored auto-collector functionality.

Also applies to: 30-33

---

480-480: LGTM! Consistent validation handling across tests.

Setting validation: null for collectors without validation rules and updating the multi-value validator test expectation from {} to [] standardizes the validation property handling throughout the test suite.

Also applies to: 526-526, 576-576, 631-631, 671-671, 713-713, 754-754, 997-997

---

812-842: LGTM! Comprehensive ProtectCollector test.

The test validates the returnSingleValueAutoCollector function with a ProtectField, verifying the correct SingleValueAutoCollector category, input/output structure, and config mapping for behavioral data collection and device identification settings.

---

844-959: LGTM! Thorough FIDO2 collector tests.

Both test cases comprehensively validate:

• Fido2RegistrationCollector: ObjectValueAutoCollector category, empty object input value initialization, required validation when required: true, and config with publicKeyCredentialCreationOptions
• Fido2AuthenticationCollector: Similar structure with required: false resulting in validation: null, and config with publicKeyCredentialRequestOptions

The tests properly cover the two FIDO2 action types and their distinct option structures.

packages/davinci-client/src/lib/collector.utils.ts (7)

29-31: LGTM! Necessary type imports for auto-collector refactoring.

The imports for AutoCollectors, SingleValueAutoCollectorTypes, ObjectValueAutoCollectorTypes, and the FIDO2 field types support the new auto-collector API structure.

Also applies to: 36-37

---

267-324: LGTM! Refactored for single-value auto-collectors.

The renamed returnSingleValueAutoCollector function correctly:

• Narrows the field type to ProtectField
• Removes the data parameter and always initializes value to an empty string (appropriate for auto-collected fields that are populated automatically)
• Uses SingleValueAutoCollectorTypes for type narrowing
• Returns proper structure for ProtectCollector with config object

This aligns with the past review discussion about removing prefilled data handling for auto-collectors.

---

326-401: LGTM! New object-value auto-collector for FIDO2.

The returnObjectValueAutoCollector function properly:

• Handles Fido2RegistrationField | Fido2AuthenticationField with ObjectValueAutoCollectorTypes
• Initializes input value to an empty object {}
• Adds required validation when field.required === true
• Uses validation: null when the validation array is empty (consistent with the broader standardization)
• Branches on field.action ('REGISTER' vs 'AUTHENTICATE') to return the appropriate config with either publicKeyCredentialCreationOptions or publicKeyCredentialRequestOptions

The use of null for empty validation is consistent with the pattern established in other collectors and aligns with the past review discussion.

---

439-461: LGTM! Clean factory functions for FIDO2 collectors.

The updated returnProtectCollector now delegates to returnSingleValueAutoCollector without a data parameter, and the new returnFido2RegistrationCollector and returnFido2AuthenticationCollector functions provide convenient wrappers that delegate to returnObjectValueAutoCollector. This follows the established pattern in the file.

---

507-507: LGTM! Standardized validation handling.

Setting validation to null when the validation array is empty (rather than undefined) provides consistency across all collectors. This aligns with the past review discussion about standardizing validation property handling.

Also applies to: 634-634

---

571-587: LGTM! Added defensive optional chaining.

The optional chaining operators (field.options?.) prevent potential runtime errors if the options array is unexpectedly undefined, even though type constraints should ensure options exist. The nullish coalescing (?? []) provides a safe fallback to an empty array.

Also applies to: 599-606

---

718-725: LGTM! Extended validator to support auto-collectors.

The returnValidator function now accepts AutoCollectors in its union type and the return function accepts Record<string, unknown> as a possible value type. This properly handles validation for the new FIDO2 object-value collectors that work with complex objects rather than just strings or arrays.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Address the TODO comments for type declarations.

The TODO comments indicate that the mockInputValue variables should be explicitly typed as Fido2RegistrationInputValue and Fido2AuthenticationInputValue respectively. This would improve type safety and make the test intentions clearer.

Apply this diff to add explicit type declarations:

-    // todo: declare inputValue type as Fido2RegistrationInputValue
-    const mockInputValue = {
+    const mockInputValue: Fido2RegistrationInputValue = {
       attestationValue: {

And for the authentication test:

-    // todo: declare inputValue type as Fido2AuthenticationInputValue
-    const mockInputValue = {
+    const mockInputValue: Fido2AuthenticationInputValue = {
       assertionValue: {

Also applies to: 1032-1032

🤖 Prompt for AI Agents

In packages/davinci-client/src/lib/node.reducer.test.ts around lines 927 and
1032, the test TODOs require explicit typing for the mock input values: change
the declaration at line 927 to declare mockInputValue as
Fido2RegistrationInputValue and the declaration at line 1032 to declare
mockInputValue as Fido2AuthenticationInputValue; ensure those types are imported
from their source (or available in scope) and adjust any object literal fields
to satisfy the type if the compiler surfaces errors.

[nx-cloud]

Nx Cloud is proposing a fix for your failed CI:

We've restored the optional data parameter to the returnProtectCollector function and updated the node reducer to pass prefilled data when available. This ensures Protect collectors can be initialized with existing data from formData, maintaining compatibility with the existing Protect SDK integration.

We verified this fix by re-running @forgerock/davinci-suites:e2e-ci--src/protect.test.ts.

Suggested Fix changes

diff --git a/packages/davinci-client/src/lib/collector.utils.ts b/packages/davinci-client/src/lib/collector.utils.ts
index 6865b44..533f919 100644
--- a/packages/davinci-client/src/lib/collector.utils.ts
+++ b/packages/davinci-client/src/lib/collector.utils.ts
@@ -434,10 +434,15 @@ export function returnSingleSelectCollector(field: SingleSelectField, idx: numbe
  * @function returnProtectCollector - Creates a ProtectCollector object based on the provided field and index.
  * @param {DaVinciField} field - The field object containing key, label, type, and links.
  * @param {number} idx - The index to be used in the id of the ProtectCollector.
+ * @param {string} [data] - Optional data to prefill the collector with.
  * @returns {ProtectCollector} The constructed ProtectCollector object.
  */
-export function returnProtectCollector(field: ProtectField, idx: number) {
-  return returnSingleValueAutoCollector(field, idx, 'ProtectCollector');
+export function returnProtectCollector(field: ProtectField, idx: number, data?: string) {
+  const collector = returnSingleValueAutoCollector(field, idx, 'ProtectCollector');
+  if (data) {
+    collector.input.value = data;
+  }
+  return collector;
 }
 
 /**
diff --git a/packages/davinci-client/src/lib/node.reducer.ts b/packages/davinci-client/src/lib/node.reducer.ts
index 34ed242..36a8909 100644
--- a/packages/davinci-client/src/lib/node.reducer.ts
+++ b/packages/davinci-client/src/lib/node.reducer.ts
@@ -177,7 +177,8 @@ export const nodeCollectorReducer = createReducer(initialCollectorValues, (build
                 return returnSubmitCollector(field, idx);
               }
               case 'PROTECT': {
-                return returnProtectCollector(field, idx);
+                const str = data as string;
+                return returnProtectCollector(field, idx, str);
               }
               case 'FIDO2': {
                 if (field.action === 'REGISTER') {

  

Or Apply changes locally with:

npx nx-cloud apply-locally 6YAS-Jj8r

Apply fix locally with your editor ↗  View interactive diff ↗

_{🎓 To learn more about Self Healing CI, please visit nx.dev}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

packages/davinci-client/src/lib/collector.utils.ts (2)

326-401: Validation assignment pattern is inconsistent with existing collectors.

Lines 365 and 388 assign null when validationArray is empty, which differs from the original pattern in this file where other collectors use undefined (e.g., lines 525, 652 in the original code). This inconsistency was already noted in previous review discussions.

---

507-507: Validation assignment changed from undefined to null.

This line previously used undefined when validationArray was empty. The change to null aligns with the new ObjectValueAutoCollector pattern but creates inconsistency with this function's previous behavior. This validation assignment inconsistency is already under discussion in previous review comments.

🧹 Nitpick comments (3)

packages/davinci-client/src/lib/node.reducer.test.ts (2)

925-1028: Good FidoRegistrationCollector test coverage.

The test suite properly validates the FIDO2 registration flow with appropriate mock data. The test structure follows existing patterns and correctly validates the ObjectValueAutoCollector category and credential creation options.

Consider adding explicit type annotations to the mockInputValue for improved type safety and IDE support:

-    // todo: declare inputValue type as Fido2RegistrationInputValue
-    const mockInputValue = {
+    const mockInputValue: FidoRegistrationInputValue = {
       attestationValue: {

Note: This addresses the TODO comment and improves type checking.

---

1030-1117: Thorough FidoAuthenticationCollector test coverage.

The test suite appropriately validates the FIDO2 authentication flow with proper mock assertion data and correctly validates the ObjectValueAutoCollector category and credential request options.

Consider adding explicit type annotation to the mockInputValue for improved type safety:

-    // todo: declare inputValue type as Fido2AuthenticationInputValue
-    const mockInputValue = {
+    const mockInputValue: FidoAuthenticationInputValue = {
       assertionValue: {

Note: This addresses the TODO comment and improves type checking.

packages/davinci-client/src/lib/client.store.ts (1)

281-288: Consider extracting the value parameter union into a named type.

The value parameter union now includes five distinct types. While functional, extracting this into a named type (e.g., CollectorInputValue) would improve readability and maintainability, especially if more input value types are added in the future.

Example:

type CollectorInputValue = 
  | string 
  | string[] 
  | PhoneNumberInputValue 
  | FidoRegistrationInputValue 
  | FidoAuthenticationInputValue;

Then use:

-      return function (
-        value:
-          | string
-          | string[]
-          | PhoneNumberInputValue
-          | FidoRegistrationInputValue
-          | FidoAuthenticationInputValue,
-        index?: number,
-      ) {
+      return function (value: CollectorInputValue, index?: number) {

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a9cc3db and 1a29b13.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (13)

• .changeset/tired-melons-wish.md (1 hunks)
• packages/davinci-client/src/lib/client.store.ts (4 hunks)
• packages/davinci-client/src/lib/collector.types.test-d.ts (1 hunks)
• packages/davinci-client/src/lib/collector.types.ts (10 hunks)
• packages/davinci-client/src/lib/collector.utils.test.ts (8 hunks)
• packages/davinci-client/src/lib/collector.utils.ts (10 hunks)
• packages/davinci-client/src/lib/davinci.types.ts (3 hunks)
• packages/davinci-client/src/lib/davinci.utils.ts (2 hunks)
• packages/davinci-client/src/lib/node.reducer.test.ts (12 hunks)
• packages/davinci-client/src/lib/node.reducer.ts (8 hunks)
• packages/davinci-client/src/lib/node.types.test-d.ts (2 hunks)
• packages/davinci-client/src/lib/node.types.ts (2 hunks)
• packages/journey-client/package.json (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• packages/davinci-client/src/lib/node.types.test-d.ts
• packages/davinci-client/src/lib/node.types.ts

🧰 Additional context used

🧬 Code graph analysis (7)

packages/davinci-client/src/lib/davinci.utils.ts (1)

packages/davinci-client/src/lib/collector.types.ts (3)

• PhoneNumberInputValue (295-298)
• FidoRegistrationInputValue (305-307)
• FidoAuthenticationInputValue (309-311)

packages/davinci-client/src/lib/client.store.ts (2)

packages/davinci-client/src/lib/client.store.utils.ts (1)

• handleUpdateValidateError (51-66)

packages/davinci-client/src/lib/collector.types.ts (7)

• PhoneNumberInputValue (295-298)
• FidoRegistrationInputValue (305-307)
• FidoAuthenticationInputValue (309-311)
• SingleValueCollectors (174-179)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/node.reducer.ts (2)

packages/davinci-client/src/lib/collector.types.ts (5)

• PhoneNumberInputValue (295-298)
• FidoRegistrationInputValue (305-307)
• FidoAuthenticationInputValue (309-311)
• FidoRegistrationCollector (583-587)
• FidoAuthenticationCollector (588-592)

packages/davinci-client/src/lib/collector.utils.ts (3)

• returnProtectCollector (439-441)
• returnFidoRegistrationCollector (449-451)
• returnFidoAuthenticationCollector (459-461)

packages/davinci-client/src/lib/collector.types.ts (1)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/collector.utils.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• FidoRegistrationField (173-181)
• FidoAuthenticationField (193-201)

packages/davinci-client/src/lib/collector.types.ts (7)

• SingleValueAutoCollectorTypes (548-548)
• ObjectValueAutoCollectorTypes (549-552)
• InferAutoCollectorType (618-630)
• ValidatedTextCollector (184-184)
• ObjectValueCollectors (396-401)
• MultiValueCollectors (250-252)
• AutoCollectors (604-609)

packages/davinci-client/src/lib/collector.utils.test.ts (2)

packages/davinci-client/src/lib/davinci.types.ts (3)

• ProtectField (156-161)
• FidoRegistrationField (173-181)
• FidoAuthenticationField (193-201)

packages/davinci-client/src/lib/collector.utils.ts (2)

• returnSingleValueAutoCollector (273-324)
• returnObjectValueAutoCollector (333-401)

packages/davinci-client/src/lib/node.reducer.test.ts (4)

packages/davinci-client/src/lib/collector.types.ts (3)

• ProtectCollector (578-582)
• FidoRegistrationCollector (583-587)
• FidoAuthenticationCollector (588-592)

packages/davinci-client/src/types.ts (1)

• ProtectCollector (51-51)

packages/davinci-client/src/lib/node.reducer.ts (1)

• nodeCollectorReducer (107-326)

packages/davinci-client/src/lib/davinci.types.ts (2)

• FidoRegistrationOptions (163-171)
• FidoAuthenticationOptions (183-191)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Mend Code Security Check
• GitHub Check: pr

🔇 Additional comments (24)

packages/journey-client/package.json (1)

36-36: Vite version mismatch confirmed: dependencies (6.3.6) vs devDependencies (6.3.4).

The version inconsistency is verified. Line 36 sets vite to 6.3.6 in dependencies, while line 41 keeps it at 6.3.4 in devDependencies. This divergence between build and development environments should be resolved.

Align both to the same version:

  "dependencies": {
    "@forgerock/sdk-logger": "workspace:*",
    "@forgerock/sdk-request-middleware": "workspace:*",
    "@forgerock/sdk-types": "workspace:*",
    "@forgerock/sdk-utilities": "workspace:*",
    "@forgerock/storage": "workspace:*",
    "@reduxjs/toolkit": "catalog:",
    "tslib": "^2.3.0",
-   "vite": "6.3.6",
+   "vite": "6.3.4",
    "vitest-canvas-mock": "^0.3.3"
  },

Or update devDependencies to 6.3.6 to match dependencies. Confirm your intent—is this split deliberate or unintentional?

packages/davinci-client/src/lib/collector.types.test-d.ts (1)

305-305: LGTM! Type test correctly reflects nullable validation.

The addition of validation: null in the type test correctly validates that the MultiSelectCollector type allows null validation, consistent with the updated type definitions in collector.types.ts.

packages/davinci-client/src/lib/davinci.types.ts (2)

163-201: Well-structured FIDO2 type definitions.

The new FidoRegistrationOptions, FidoAuthenticationOptions, FidoRegistrationField, and FidoAuthenticationField types are well-designed and align with the WebAuthn specification. The interfaces correctly extend the standard PublicKey credential types with appropriate customizations for the DaVinci client.

---

212-218: Good expansion of SingleValueFields union.

The inclusion of FidoRegistrationField and FidoAuthenticationField in the SingleValueFields union correctly integrates the new FIDO2 field types into the existing type hierarchy.

packages/davinci-client/src/lib/collector.types.ts (2)

305-311: Clean FIDO2 input value interfaces.

The FidoRegistrationInputValue and FidoAuthenticationInputValue interfaces are appropriately simple and correctly use optional properties for the WebAuthn credential values.

---

547-630: Comprehensive AutoCollector type system expansion.

The expansion of the AutoCollector type system to support object-value collectors is well-designed:

• Clear separation between SingleValueAutoCollectorTypes and ObjectValueAutoCollectorTypes
• Proper generic parameter naming (IV for input value)
• Complete type inference mapping
• Consistent union definitions

.changeset/tired-melons-wish.md (1)

1-5: Appropriate changeset for feature addition.

The changeset correctly indicates a minor version bump for the new WebAuthn/FIDO2 collectors feature.

packages/davinci-client/src/lib/davinci.utils.ts (2)

25-30: Proper import of new FIDO2 input value types.

The import statement correctly includes the new FidoAuthenticationInputValue and FidoRegistrationInputValue types needed for the formData type union.

---

57-59: FormData union appropriately expanded.

The formData type union now includes FidoRegistrationInputValue and FidoAuthenticationInputValue, ensuring type safety when handling FIDO2 collector data in submit requests.

packages/davinci-client/src/lib/node.reducer.test.ts (1)

867-923: Comprehensive ProtectCollector test coverage.

The new test suite for ProtectCollector properly validates the update flow, including the correct handling of the SingleValueAutoCollector category and the config output structure.

packages/davinci-client/src/lib/collector.utils.test.ts (3)

812-842: Solid test coverage for ProtectCollector utility.

The test properly validates that returnSingleValueAutoCollector creates a correct ProtectCollector with the appropriate category, config output, and empty input value.

---

844-912: Comprehensive FidoRegistrationCollector test.

The test thoroughly validates the returnObjectValueAutoCollector function for FIDO2 registration, including:

• Correct ObjectValueAutoCollector category
• Proper handling of required validation
• Complete publicKeyCredentialCreationOptions in config
• Empty object as initial input value

---

914-959: Well-structured FidoAuthenticationCollector test.

The test appropriately validates FIDO2 authentication collector creation with:

• Correct ObjectValueAutoCollector category
• Null validation when not required
• Complete publicKeyCredentialRequestOptions in config
• Proper action and trigger values

packages/davinci-client/src/lib/node.reducer.ts (3)

179-189: Clean FIDO2 collector routing logic.

The new FIDO2 case correctly routes to registration or authentication collectors based on the field.action property. The use of the action property for routing (as discussed in past reviews) is more concise and self-documenting than checking for property presence.

---

300-324: Robust FIDO2 collector update handlers.

The update handlers for FidoRegistrationCollector and FidoAuthenticationCollector follow the established pattern with:

• Proper type guards and validation
• Clear, specific error messages
• Correct property validation (attestationValue for registration, assertionValue for authentication)
• Direct assignment of validated input values

---

228-228: Correct type check for ProtectCollector.

The change from checking SingleValueAutoCollector category to checking ProtectCollector type is appropriate, as it provides more specific type narrowing for the Protect-specific update logic.

packages/davinci-client/src/lib/client.store.ts (3)

37-38: LGTM!

The new FIDO2 input value type imports are necessary and correctly sourced.

---

309-314: LGTM!

The validate method signature correctly extends to accept AutoCollectors, consistent with the update method changes.

---

338-349: LGTM!

The validation category checks correctly include ObjectValueAutoCollector, and the error messaging is appropriately generic and consistent with the update method.

packages/davinci-client/src/lib/collector.utils.ts (5)

29-37: LGTM!

The new imports for AutoCollector types and FIDO2 field types are necessary and correctly sourced.

---

267-324: LGTM!

The function rename to returnSingleValueAutoCollector correctly reflects the narrowed type scope, and the removal of the data parameter is appropriate for auto-collectors that don't support prefilled data.

---

439-441: LGTM!

The refactored returnProtectCollector correctly delegates to returnSingleValueAutoCollector and the removal of the data parameter is appropriate.

---

443-461: LGTM!

The new FIDO2 collector wrapper functions follow the established pattern and correctly delegate to returnObjectValueAutoCollector with appropriate type parameters.

---

571-606: LGTM!

The addition of optional chaining for field.options is a defensive improvement that prevents potential runtime errors. The nullish coalescing fallback to empty arrays is appropriate.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Return type incorrectly weakened to unknown.

Line 725 changes the return type to unknown, but the implementation still returns string[] (line 748). This unnecessarily weakens type safety and could cause issues for consumers expecting the more specific string[] type.

Apply this diff to restore proper typing:

-  return (value: string | string[] | Record<string, unknown>) => {
+  return (value: string | string[] | Record<string, unknown>): string[] => {

🤖 Prompt for AI Agents

In packages/davinci-client/src/lib/collector.utils.ts around lines 718 to 725,
the function return type was weakened to unknown even though the implementation
returns string[]; change the function's return type from unknown to the concrete
type (string[]) so the validator signature reflects the actual return value,
ensuring callers receive the proper typed result and restoring type safety.

[ancheetah]

Updated naming Fido2 --> Fido