
Bump go-jose to v4.1.4#2439

Open
djeebus wants to merge 2 commits into bump-golang-version from upgrade-jose

Conversation

@djeebus
Contributor

@djeebus djeebus commented Apr 18, 2026

No description provided.

@cursor

cursor bot commented Apr 18, 2026

PR Summary

Low Risk
Low risk dependency patch bump; main potential impact is subtle changes in JWT/JWE/JWS handling behavior or validation edge cases in upstream go-jose.

Overview
Bumps the indirect github.com/go-jose/go-jose/v4 dependency from v4.1.3 to v4.1.4 across packages/orchestrator and packages/shared, updating the corresponding go.sum entries.

Reviewed by Cursor Bugbot for commit ea9d522. Bugbot is set up for automated code reviews on this repo.

Comment thread packages/shared/go.sum
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
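Review bot: the new `github.com/go-jose/go-jose/v4 v4.1.4 h1:...` line has no companion `v4.1.4/go.mod h1:...` line, while v4.1.3 directly above it carries both. The go command never records a zip hash without the matching `/go.mod` hash (the reverse, a `/go.mod` line on its own like the glfw entry here, is normal for pruned transitive modules), so a zip-only entry means this go.sum was edited by hand or by a tool that did not finish. Regenerate it with `cd packages/shared && go mod tidy` and confirm the diff adds exactly the missing `/go.mod` line; to stop this recurring, run `go mod tidy -diff` (Go 1.23 and later, exits non-zero when go.mod or go.sum is not tidy) in each module directory in CI.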

The go.sum entry for v4.1.4 is missing the /go.mod hash line. The orchestrator/go.sum has both the source archive hash and the go.mod hash for v4.1.4, but shared/go.sum only has the source hash. This suggests shared/go.sum was not fully regenerated — running go mod tidy in packages/shared/ should produce the missing line and avoid potential go mod verify failures.

Comment thread packages/shared/go.sum
Comment on lines 280 to +281
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=

🔴 packages/shared/go.sum is missing the go.mod hash for go-jose v4.1.4, leaving the checksum database incomplete. This will cause go mod verify and clean-cache builds in the shared package to fail; fix by running go mod tidy in packages/shared.

Extended reasoning...

What the bug is and how it manifests

In the diff for packages/shared/go.sum, the upgrade from go-jose v4.1.3 to v4.1.4 replaced both old lines (zip hash + go.mod hash for v4.1.3) with only a single new line — the zip hash for v4.1.4. The corresponding go.mod hash line is absent:

# packages/shared/go.sum (after PR)
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
# MISSING: github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=

By contrast, packages/orchestrator/go.sum correctly received both entries.

The specific code path that triggers it

Go's module loader records two hashes in go.sum for every dependency: one for the module zip archive (h1:) and one for the go.mod file (/go.mod h1:). When Go needs to resolve the module graph (e.g., during go mod download, go mod verify, or a build against a cold module cache), it reads each dependency's go.mod to discover transitive requirements. Before using the file it checks its hash against go.sum — if the entry is absent, Go aborts with an error such as missing go.sum entry for module providing package ... or verifying github.com/go-jose/go-jose/v4@v4.1.4/go.mod: checksum mismatch.

Why existing code doesn't prevent it

The go.sum file was edited manually (or by a partial/automated tool) rather than regenerated via go mod tidy. The CI pipeline apparently does not run go mod verify against packages/shared in a clean environment, so the incomplete entry passed unnoticed. The orchestrator module was updated correctly, suggesting the two modules were updated independently without the same tooling discipline applied to both.

Impact

Any developer or CI job that clones the repo fresh and runs go build, go test, or go mod verify inside packages/shared with an empty module cache will receive a hard failure. This blocks development and CI for the shared package until the go.sum is corrected.

How to fix it

Run go mod tidy in packages/shared and commit the regenerated go.sum. The missing line to add is:

github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=

(Same hash as was used for v4.1.3 — the go.mod file itself did not change between those patch versions, but Go still requires the entry to be present.)

Step-by-step proof

  1. Clone the repo; go-jose v4.1.4 is now recorded in packages/shared/go.mod.
  2. Delete the local module cache (go clean -modcache) or use a fresh CI environment.
  3. cd packages/shared && go mod verify
  4. Go fetches github.com/go-jose/go-jose/v4@v4.1.4/go.mod from the proxy and computes its hash h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=.
  5. Go looks up this hash in packages/shared/go.sum — the entry v4.1.4/go.mod h1:... is absent.
  6. Go exits with: verifying github.com/go-jose/go-jose/v4@v4.1.4/go.mod: checksum mismatch (or equivalent missing-entry error), failing the build.
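
A small consistency check for the defect discussed in this thread, written as an added example rather than code from this PR or the project: it parses go.sum text, pairs each `module version` with its two hash lines, and reports versions that carry a zip hash (`h1:`) but no `/go.mod` hash. The `SampleGoSum` constant is a constructed fragment mirroring the shared/go.sum state described above; the function names `parseGoSum` and `MissingGoModHashes` are this example's own. A `/go.mod` line with no zip line is deliberately not reported, because the go command writes exactly that for pruned transitive modules.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// sumEntry records which of the two go.sum hash lines exist for one
// "module version" pair.
type sumEntry struct {
	hasZip   bool // "<module> <version> h1:..."        (hash of the module zip)
	hasGoMod bool // "<module> <version>/go.mod h1:..." (hash of its go.mod file)
}

// parseGoSum groups go.sum lines by "module version". It rejects lines that
// do not have the three-field "<module> <version[/go.mod]> h1:<base64>" shape.
func parseGoSum(text string) (map[string]*sumEntry, error) {
	entries := map[string]*sumEntry{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("go.sum line %d: malformed entry %q", n, line)
		}
		mod, ver := f[0], f[1]
		isGoMod := strings.HasSuffix(ver, "/go.mod")
		key := mod + " " + strings.TrimSuffix(ver, "/go.mod")
		e, ok := entries[key]
		if !ok {
			e = &sumEntry{}
			entries[key] = e
		}
		if isGoMod {
			e.hasGoMod = true
		} else {
			e.hasZip = true
		}
	}
	return entries, sc.Err()
}

// MissingGoModHashes returns, sorted, every "module version" that has a zip
// hash but no /go.mod hash. The reverse case (a /go.mod line alone, like the
// glfw entry in the sample) is normal for pruned transitive dependencies and
// is not reported.
func MissingGoModHashes(text string) ([]string, error) {
	entries, err := parseGoSum(text)
	if err != nil {
		return nil, err
	}
	var bad []string
	for key, e := range entries {
		if e.hasZip && !e.hasGoMod {
			bad = append(bad, key)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

// SampleGoSum is a constructed go.sum fragment (example input, not the real
// file) mirroring the state under review: glfw has only a /go.mod hash (fine),
// go-jose v4.1.3 has both lines, and go-jose v4.1.4 has only the zip hash.
const SampleGoSum = `
github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
`

func main() {
	bad, err := MissingGoModHashes(SampleGoSum)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, key := range bad {
		fmt.Printf("missing /go.mod hash: %s\n", key)
	}
	if len(bad) == 0 {
		fmt.Println("go.sum is internally consistent")
	}
}
```

To run it against a real module, replace `SampleGoSum` with the contents of `packages/shared/go.sum`; the check is a cheap pre-commit guard, but `go mod tidy` in the module directory remains the authoritative fix, since only it knows which entries the current module graph actually needs.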
