fix: resolve root security during join

[Daryna-del]

What/Why/How?

Fixes a bug where root-level security from joined API descriptions was silently dropped in the output.

Previously, the join command ignored the security field defined at the root of each input spec. According to OpenAPI semantics, root-level security serves as a default for all operations that don't declare their own security. Simply merging root securities into the joined output would incorrectly apply one API's security to another API's operations.

Reference

Closes #1409

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

Medium Risk
Changes how merged OpenAPI documents express authentication defaults; wrong behavior could mis-document which schemes apply to operations, though scope is limited to the join command and covered by new e2e snapshots.

Overview
Fixes join so root-level security from each input OpenAPI document is no longer dropped. Operations without their own security now get that spec’s root default (with component prefixing), including when another joined file only defines root security and no paths.

Operation-level rules are unchanged: explicit security on an operation wins; security: [] stays public and is not overridden by root defaults. New e2e cases cover both specs with root security, root-only on a paths-empty file, and operation vs root precedence.

^{Reviewed by Cursor Bugbot for commit 1ecab94. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 1ecab94

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@redocly/cli	Patch
@redocly/openapi-core	Patch
@redocly/respect-core	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

CLI Version	Mean Time ± Std Dev (s)	Relative Performance (Lower is Faster)
cli-latest	1.745s ± 0.022s	▓ 1.00x (Fastest)
cli-next	1.760s ± 0.028s	▓ 1.01x

[github-actions]

Coverage Report

Status	Category	Percentage	Covered / Total
🔵	Lines	81% (🎯 80%)	7279 / 8986
🔵	Statements	80.35% (🎯 80%)	7563 / 9412
🔵	Functions	83.96% (🎯 83%)	1456 / 1734
🔵	Branches	72.51% (🎯 72%)	4932 / 6801

File Coverage

No changed files found.

Generated in workflow #9946 for commit 1ecab94 by the Vitest Coverage Report Action

[Daryna-del]

@cursor review

[Daryna-del]

@cursor review

[Daryna-del]

@cursor review

[tatomyr]

Please also address the bugbot comments.

[tatomyr]

Let's remove comments.

[Daryna-del]

Fixed

[tatomyr]

Why the previous solution was not working? I see it refers to the root security already.

[Daryna-del]

Yeah, good point. Previous solution was working for each case, except when we have paths: {} and security on root level. Simplified the solution to cover this case, please, review one more time.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit fc563a9. Configure here.}

[tatomyr]

Suggested change

	description: Bad request
	description: Bad request

Let's add a newline on file endings.

[tatomyr]

Let's add only essential fields and remove others.

[tatomyr]

It's bad practice to use verbs in paths (especially mixing post and get), so I'm against using it in our examples.

[tatomyr]

If I'm getting it correctly, this path comes from an API description that doesn't have security defined on it; so how it got the security requirement from another description?

[tatomyr]

These names are hard to follow. Please use something more meaningful.