feat: add step.auth_validate pipeline step

[Copilot]

Adds step.auth_validate — a declarative pipeline step that validates ****** against a registered AuthProvider module and outputs the claims returned by the provider into the pipeline context.

Changes

• module/pipeline_step_auth_validate.go — Step implementation using existing AuthProvider interface and resolveBodyFrom for dot-path token extraction. Writes 401 JSON to HTTP response writer when available, sets Stop: true on all failure paths. Guards against nil application context.
• module/pipeline_step_auth_validate_test.go — 13 tests covering success, custom config, missing/malformed/invalid tokens, auth errors, HTTP response writing, nil app, and required field validation.
• plugins/pipelinesteps/plugin.go — Register factory and manifest entry.
• plugins/pipelinesteps/plugin_test.go — Update expected step count.

Config

Field	Type	Default	Description
auth_module	string	(required)	Service name of the AuthProvider module
token_source	string	(required)	Dot-path to the token in pipeline context (e.g. steps.parse-request.headers.Authorization)
subject_field	string	auth_user_id	Output key mapped from the sub claim

Usage

- name: auth
  type: step.auth_validate
  config:
    auth_module: m2m-auth
    token_source: steps.parse-request.headers.Authorization

On success, all claims returned by the AuthProvider are emitted as flat output keys (sub, scope, iss, etc.) plus the configured subject_field mapped from sub. On failure, pipeline stops with a 401 JSON response.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

Adds a new step.auth_validate pipeline step to validate HTTP Bearer/JWT-style tokens via an AuthProvider, and wires it into the pipeline-steps plugin so it can be used from YAML-configured pipelines.

Changes:

• Introduces AuthValidateStep (step.auth_validate) with configurable auth_module, token_source, and subject_field.
• Adds a dedicated unit test suite for the new step (11 tests).
• Registers the new step type/factory in plugins/pipelinesteps/plugin.go and updates plugin loader expectations.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
module/pipeline_step_auth_validate.go	Implements the new auth validation pipeline step and its 401 response behavior.
module/pipeline_step_auth_validate_test.go	Adds unit tests covering success, configuration options, and unauthorized scenarios.
plugins/pipelinesteps/plugin.go	Registers step.auth_validate in the plugin manifest and factory map.
plugins/pipelinesteps/plugin_test.go	Updates step lists/count assertions to include the new step.

[intel352]

@copilot apply changes based on the comments in this thread