test(kas): fix stale unwrapKey HKDF salt round-trip test

[arkavo-com]

Summary

Fixes the long-failing KASRewrapClientTests.testKeyUnwrappingWithValidKeys (authenticationFailure).

Root cause — a stale test, not a product bug. The test sealed the wrapped key with an empty HKDF salt (the Standard/Base TDF convention) but called unwrapKey() with no salt argument, which since commit 0ee0797 defaults to CryptoConstants.hkdfSalt (the NanoTDF v12 session-key salt). Mismatched salts → different AES-GCM keys → GCM tag verification fails with authenticationFailure. unwrapKey's default is correct (it matches the real KAS rewrap_dek derivation, and the NanoTDF round-trip is exercised by KASServiceTests); the test was simply never updated when the salt default changed.

No network involved — this is a purely local ECDH → HKDF → AES-GCM round-trip.

Change

Replaced the single ambiguous test with a DRY helper (assertUnwrapRoundTrip(sealSalt:unwrapSalt:)) and two explicit, self-consistent tests covering both documented salt conventions:

• testKeyUnwrappingNanoTDFDefaultSalt — seal + unwrap with the v12 default salt (salt: nil)
• testKeyUnwrappingStandardTDFEmptySalt — seal + unwrap with an empty salt

Test Plan

• swift test — 181 tests, 8 skipped, 0 failures (verified across repeated runs)
• Both new tests pass; no other tests affected

🤖 Generated with Claude Code

---

Summary by Gitar

• Test stability:
  • Added XCTUnwrap to several JSONSerialization and data decoding calls in KASRewrapClientTests to prevent forced-unwrap crashes.
  • Streamlined testRewrapRequestEntryWithDefaultAlgorithm to avoid unnecessary error handling throws.

_{This will update automatically on new commits.}

[gitar-bot]

CI failed: The CI build failed due to numerous SwiftFormat linting violations, primarily related to the use of force unwrapping in tests and improper code formatting.

Overview

The build failed because the codebase does not currently adhere to the required Swift style guidelines. SwiftFormat identified multiple violations across 28 files, including common anti-patterns like force unwrapping in test files and incorrect keyword placement.

Failures

SwiftFormat Linting Violations (confidence: high)

• Type: tooling
• Affected jobs: 78977900605
• Related to change: no
• Root cause: The codebase contains stylistic inconsistencies and anti-patterns (e.g., try! and ! force unwrapping in tests, incorrect import sorting, and inline keywords) that violate the project's enforced SwiftFormat rules.
• Suggested fix: Run swiftformat . in the root directory to automatically resolve the majority of these formatting issues. For test-specific errors (e.g., noForceUnwrapInTests), refactor code to use XCTUnwrap as per the linter's recommendation.

Summary

• Change-related failures: 0 (The failure is caused by existing code style violations not directly introduced by the logic in this PR).
• Infrastructure/flaky failures: 0
• Recommended action: Run the swiftformat command locally to clean up the codebase. Since this is a linting failure, it is recommended to apply these fixes globally to satisfy the CI requirements.

Code Review ✅ Approved

Refactors the stale KAS unwrapKey test into a DRY helper covering both NanoTDF and Standard TDF salt conventions, while adding safety checks to decoding logic. No issues found.

Auto-approved: No blocking issues found.
Please see Auto-approve Docs for details on setting custom approval criteria.

Tip

Comment Gitar fix CI or enable auto-apply: gitar auto-apply:on

Options

Auto-apply is off → Gitar will not commit updates to this branch.
Display: compact → Showing less information.

Comment with these commands to change:

Auto-apply	Compact
gitar auto-apply:on	gitar display:verbose

---

Important

Your trial ends in 4 days — upgrade now to keep code review, CI analysis, auto-apply, custom automations, and more.

_{Was this helpful? React with 👍 / 👎 | Gitar}

[gitar-bot]

Gitar has auto-approved this PR (configure)

[arkavo-com]

Superseded by #39, which now includes this exact fix (cherry-picked commit) plus the repo-wide lint fix, per the maintainer's request to combine. Closing to avoid a merge conflict on the shared test file.