feat: always add API key to endpoint requests

[calthejuggler]

This PR deprecates the auth flag in the ClientRequestOptions type, and updates the context GET request to always send the auth headers with it.

Summary by CodeRabbit

• Refactor

  • Requests now send API and client metadata headers by default; the legacy auth flag is deprecated and only disables those headers. GET helper was streamlined and a deprecated wrapper retained for compatibility.

• Tests

  • Tests expanded to verify metadata headers for GET and other requests, cover auth flag deprecation behaviour and related warnings.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b7cadfd9-8f5e-4f53-814b-6314383e13f2

📥 Commits

Reviewing files that changed from the base of the PR and between 202d198 and a9cd82c.

📒 Files selected for processing (2)

• src/__tests__/client.test.js
• src/client.ts

🚧 Files skipped from review as they are similar to previous changes (2)

• src/tests/client.test.js
• src/client.ts

---

Walkthrough

The PR changes client request authentication to include API/auth headers by default unless auth is explicitly set to false (the auth option is marked deprecated). Client.request() now warns when auth: true is passed. getUnauthed() was renamed to get() and a deprecated getUnauthed() wrapper forwards to get(). getContext() now calls get(). post() and put() no longer force auth: true. Tests were updated to expect metadata headers by default, remove redundant auth: true, and add tests covering the deprecated auth: true warning, get() behaviour, and getUnauthed() forwarding.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐇 I hop through headers, tidy and spry,

Defaults now sparkle in the API sky,
get() takes the lead, old names bow away,
A warning nibbles when the past wants to stay,
Tiny paws applaud the tidy relay.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: deprecating the auth flag and ensuring API keys are always sent with endpoint requests by default.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/send-API-key-at-all-times

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

src/client.ts (1)

89-97: ⚠️ Potential issue | 🟠 Major

getContext() still permits unauthenticated requests via forwarded options.

Because options is spread directly, callers can pass auth: false and bypass headers for context GET. If the intended contract is always-auth for getContext(), ignore or strip auth here.

🔧 Suggested hardening for `getContext()`

 getContext(options?: Partial<ClientRequestOptions>) {
+  const { auth: _auth, method: _method, path: _path, query: _query, ...rest } = options ?? {};
   return this.get({
-    ...options,
+    ...rest,
     path: "/context",
     query: {
       application: this._opts.application.name,
       environment: this._opts.environment,
     },
   });
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/client.ts` around lines 89 - 97, getContext currently forwards
caller-supplied options which allows bypassing authentication by passing auth:
false; update getContext (in src/client.ts) so it always enforces authentication
by overriding/stripping any auth flag from the merged options (e.g., explicitly
set auth: true or delete auth before calling this.get), ensuring the request to
path "/context" uses the client's intended auth headers regardless of the passed
Partial<ClientRequestOptions>.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/client.ts`:
- Around line 24-25: Update the docstring for ClientRequestOptions.auth to
reflect runtime behavior by changing the wording from "The API key is now always
sent. This option will be removed in a future version." to something like "The
API key is sent by default; this option can be used to suppress it." Also ensure
the comment mentions it's deprecated if still intended, and keep the runtime
behavior in code (see ClientRequestOptions.auth and the header-suppression
branch around the auth check at line where auth: false is handled) consistent
with the new wording so users aren't misled.

---

Outside diff comments:
In `@src/client.ts`:
- Around line 89-97: getContext currently forwards caller-supplied options which
allows bypassing authentication by passing auth: false; update getContext (in
src/client.ts) so it always enforces authentication by overriding/stripping any
auth flag from the merged options (e.g., explicitly set auth: true or delete
auth before calling this.get), ensuring the request to path "/context" uses the
client's intended auth headers regardless of the passed
Partial<ClientRequestOptions>.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e6f50be8-96f9-464b-a9a2-e64654edc8f8

📥 Commits

Reviewing files that changed from the base of the PR and between ec59bfe and 62db72a.

📒 Files selected for processing (2)

• src/__tests__/client.test.js
• src/client.ts