fix(router): fix append algorithm producing multiple headers instead of comma-separated

[jensneuse]

Summary by CodeRabbit

• Bug Fixes

  • Header propagation now preserves Set-Cookie as separate header lines and concatenates other header values when appending; router-level response header rules now behave consistently with propagation and precedence.

• Tests

  • Extensive test coverage added for header propagation behaviors, append/first/last-write semantics, regex matching, defaults/deduplication, error scenarios, canonicalization, and router rule interactions.

Fixes #2531. The response header algorithm: append was producing multiple separate HTTP header lines instead of a single comma-separated value as documented. The fix joins all values into one comma-separated string in applyResponseRuleKeyValue.

Also adds 30 unit tests for previously uncovered functions (createMostRestrictivePolicy, AddCacheControlPolicyToRules, applyResponseRuleKeyValue, PropagatedHeaders, NewHeaderPropagation), plus 7 new integration tests that explicitly assert the single-header contract and default value fallback behavior.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[github-actions]

Router-nonroot image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-0af67b03165da9cb3d5cf57bf0bf60a9bbae0d41-nonroot

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.00%. Comparing base (957d92a) to head (8bcc9a6).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #2532       +/-   ##
===========================================
- Coverage   89.99%   61.00%   -28.99%     
===========================================
  Files          17      239      +222     
  Lines        3358    25416    +22058     
  Branches      893        0      -893     
===========================================
+ Hits         3022    15506    +12484     
- Misses        336     8589     +8253     
- Partials        0     1321     +1321     

Files with missing lines	Coverage Δ
router/core/header_rule_engine.go	83.33% <100.00%> (ø)

... and 255 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

---

Walkthrough

Adds comprehensive tests for header propagation and updates the response-header Append algorithm to join non-Set-Cookie values with commas while preserving Set-Cookie as separate header lines.

Changes

Cohort / File(s)	Summary
Header Rule Engine Core Logic router/core/header_rule_engine.go	Modified Append algorithm: merge existing and new values and comma-join for all headers except Set-Cookie, which is preserved as separate header lines.
Integration / Behavior Tests router-tests/header_propagation_test.go	Added extensive tests covering Append behavior (comma-joining), Set-Cookie preservation, regex matching, defaults/first-last-write semantics, repeated headers, router response header interactions, canonicalization, and error cases.
Unit Tests for Rule Engine router/core/header_rule_engine_test.go	Added many unit tests for cache-control policy creation/merging, response rule key-value application (FirstWrite/LastWrite/Append), propagated header validation, NewHeaderPropagation validation, and nil-receiver guards.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• fix(router): fix singleflight deduplication bugs and propagate response headers #2522: Modifies header_rule_engine.go to add response header rule application and wiring that intersects with this PR's header propagation behavior.
• feat: client response expressions #2472: Updates header propagation logic and tests in header_rule_engine.go, addressing related Append/Set-Cookie behavior.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: fixing the append algorithm to produce comma-separated headers instead of multiple headers.
Linked Issues check	✅ Passed	The PR directly addresses issue #2531 by fixing the append algorithm to join multiple header values with commas instead of emitting multiple header lines, as documented.
Out of Scope Changes check	✅ Passed	All changes are directly related to fixing the append algorithm for response header propagation as specified in issue #2531; no out-of-scope modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[StarpTech]

LGTM

[endigma]

lgtm, nit (also applies to a few other tests)