feat(teams): port TeamsAuthCertificate config shape (#58)

[patrick-chinchill]

Summary

• Ports TeamsAuthCertificate interface from upstream (adapter-teams/src/types.ts:3-10)
• Adds certificate field to TeamsAdapterConfig with @deprecated-equivalent docstring
• Throws at startup with the exact upstream error message if certificate is set — matches adapter-teams/src/config.ts:13-18
• NOT a functional implementation: upstream doesn't implement cert auth either. Pure config-shape parity so consumers can code against the shape ahead of MS Teams SDK support.

Refs #58. Queued under ## Unreleased for bundled 0.4.26.2.

Test plan

• Startup throw test (faithful to upstream behavior)
• Full validation block from CLAUDE.md passes

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

  • Exposed certificate-based auth configuration and related types for the Teams adapter (providing a certificate still triggers a startup error).

• Documentation

  • Marked certificate authentication as deprecated/unsupported and clarified startup behavior.
  • Updated validation/error text for clearer messaging when certificate auth is attempted.

• Tests

  • Updated tests to use the new config shape and assert the revised validation messages.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7a15cf99-d799-403d-97b8-9804eff42f6c

📥 Commits

Reviewing files that changed from the base of the PR and between fb2b43c and 53b2948.

📒 Files selected for processing (6)

• CHANGELOG.md
• src/chat_sdk/adapters/teams/__init__.py
• src/chat_sdk/adapters/teams/adapter.py
• src/chat_sdk/adapters/teams/types.py
• tests/test_teams_coverage.py
• tests/test_teams_extended.py

---

📝 Walkthrough

Walkthrough

Introduces a Python TeamsAuthCertificate dataclass, exposes it via TeamsAdapterConfig.certificate and re-exports both from the Teams adapter package; certificate-based auth remains unsupported and providing a non-None certificate triggers a startup ValidationError.

Changes

Cohort / File(s)	Summary
Type Definitions src/chat_sdk/adapters/teams/types.py	Replaced TeamsAuthCertificate TypedDict with an @dataclass; fields certificate_thumbprint and x5c are now `str
Module Exports src/chat_sdk/adapters/teams/__init__.py	Re-exported TeamsAdapterConfig and TeamsAuthCertificate by importing them from ...types and adding them to __all__.
Adapter Validation Logic src/chat_sdk/adapters/teams/adapter.py	Changed certificate presence check to config.certificate is not None (treats explicit None vs. provided empty values distinctly) and updated ValidationError wording to reference the Teams SDK adapter and use appPassword camelCase.
Tests tests/test_teams_coverage.py, tests/test_teams_extended.py	Removed an obsolete certificate-validation assertion; updated tests to construct certificate input via TeamsAuthCertificate dataclass and added assertions that adapter startup raises the expected ValidationError message, including a case with only certificate_private_key.
Changelog CHANGELOG.md	Added Unreleased entry documenting the dataclass, config exposure, re-exports, and that certificate-auth is non-functional and raises at startup.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Teams adapter: port certificate-based mTLS authentication #58: Related — both touch Teams adapter certificate types/config and discuss certificate-based auth (this PR preserves startup ValidationError; the issue requests implementing cert-based mTLS).

Poem

🐰 I tucked my certs in dataclass rows,
Fields nullable where the cold wind blows,
I hop and re-export with careful cheer,
But start-up still says "not supported here".
A tiny hop toward parity — ear to ear. 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat(teams): port TeamsAuthCertificate config shape (#58)' is concise, specific, and accurately describes the main change: porting the Teams certificate authentication config shape.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/teams-cert-58

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces the TeamsAuthCertificate dataclass to the Teams adapter to align with upstream configuration shapes, while maintaining the existing startup validation that prevents certificate-based authentication. The reviewer raised a concern regarding the inconsistency introduced by converting TeamsAuthCertificate to a dataclass while TeamsAuthFederated remains a TypedDict, noting that this change breaks support for dictionary literals in configuration. I recommend addressing this inconsistency by either reverting to TypedDict for TeamsAuthCertificate or migrating TeamsAuthFederated to a dataclass to ensure a uniform API.

[gemini-code-assist]

The conversion of TeamsAuthCertificate from a TypedDict to a dataclass introduces an inconsistency with other authentication configuration shapes in this file, such as TeamsAuthFederated (line 39), which remains a TypedDict. Additionally, this is a breaking change for any existing code that passes a dictionary literal to the certificate field of TeamsAdapterConfig. To maintain a consistent API and support dictionary literals (which is common for configuration shapes ported from TypeScript interfaces), consider keeping TeamsAuthCertificate as a TypedDict. If you retain the TypedDict structure, ensure it is defined with total=False if it will be used for mode detection when narrowing from a Mapping[str, Any], as per the project's typing standards. If a dataclass is preferred, TeamsAuthFederated should also be converted for consistency.

References

1. When using cast to narrow a Mapping[str, Any] into a TypedDict, ensure that the TypedDict is a superset (total=False) that admits all possible keys, especially when performing duck-typing with .get() for mode detection.

[patrick-chinchill]

Noted — the TypedDict vs dataclass inconsistency with TeamsAuthFederated is deliberately deferred as bikeshed. No consumer usage to unify around, and TeamsAuthFederated isn't re-exported from __init__.py. Tracking as a potential follow-up; not blocking this PR.

[coderabbitai]

🧹 Nitpick comments (1)

tests/test_teams_coverage.py (1)

1491-1503: Consolidate duplicate certificate smoke coverage.

Line 1491-Line 1503 overlaps with tests/test_teams_extended.py’s basic “raises ValidationError when certificate is set” check. Keep one smoke test and leave exact-message/minimal-shape assertions in one place to reduce duplication.

As per coding guidelines: "No two tests should verify the same thing. Duplicates inflate test counts without catching more bugs."

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/test_teams_coverage.py` around lines 1491 - 1503, The test
test_certificate_raises_validation_error in tests/test_teams_coverage.py
duplicates the same certificate-validation check already present in
tests/test_teams_extended.py; remove or replace this duplicate so only one
smoke-level existence check remains here and keep the detailed "raises
ValidationError when certificate is set" assertion (including exact
message/minimal-shape checks) in tests/test_teams_extended.py; locate the
duplicate by the test name test_certificate_raises_validation_error and the use
of TeamsAdapter, TeamsAdapterConfig, and TeamsAuthCertificate and either delete
the block from tests/test_teams_coverage.py or reduce it to a single minimal
smoke assertion that does not repeat the full message/assertion logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@tests/test_teams_coverage.py`:
- Around line 1491-1503: The test test_certificate_raises_validation_error in
tests/test_teams_coverage.py duplicates the same certificate-validation check
already present in tests/test_teams_extended.py; remove or replace this
duplicate so only one smoke-level existence check remains here and keep the
detailed "raises ValidationError when certificate is set" assertion (including
exact message/minimal-shape checks) in tests/test_teams_extended.py; locate the
duplicate by the test name test_certificate_raises_validation_error and the use
of TeamsAdapter, TeamsAdapterConfig, and TeamsAuthCertificate and either delete
the block from tests/test_teams_coverage.py or reduce it to a single minimal
smoke assertion that does not repeat the full message/assertion logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 2b71798a-6b4b-4361-9079-5cec642cb241

📥 Commits

Reviewing files that changed from the base of the PR and between d23b6d9 and 9b3a04e.

📒 Files selected for processing (6)

• CHANGELOG.md
• src/chat_sdk/adapters/teams/__init__.py
• src/chat_sdk/adapters/teams/adapter.py
• src/chat_sdk/adapters/teams/types.py
• tests/test_teams_coverage.py
• tests/test_teams_extended.py

[patrick-chinchill]

Review verdict: LGTM. Refreshed and reviewed latest head fb2b43c against main. No issues found in the TeamsAuthCertificate config shape/export changes. Verification: targeted Teams certificate/adapter coverage passed (175 passed across teams coverage/extended/adapter slices) and ruff passed on touched files. Formal GitHub approval is blocked because the authenticated account owns this PR.