fix(dbio/api): apply default rules to auth sequence responses

- ensure default retry/fail rules apply to authentication sequence responses
- previously, auth sequence responses were skipped, causing unclear errors
- verify rule application is idempotent to prevent stacking on re-compilation

Author: flarco

core/dbio/api/spec_test.go

@@ -2668,3 +2668,125 @@ dynamic_endpoints:
 		})
 	}
 }
+
+// Default rules (retry on 429/5xx, fail on >= 400) historically applied only to
+// endpoint, setup, and teardown responses. Auth sequence call responses were
+// skipped, so an OAuth token endpoint returning 401 {"error":"invalid_client"}
+// fell through to processors and died with cryptic "object has no member
+// 'access_token'" instead of failing loudly on the 401.
+func TestSpecAuthSequenceGetsDefaultRules(t *testing.T) {
+	spec := `
+name: "Auth Sequence Default Rules"
+
+defaults:
+  state:
+    base_url: "https://api.example.com"
+  request:
+    headers:
+      Authorization: "Bearer {state.token}"
+
+authentication:
+  type: "sequence"
+  expires: 270
+  sequence:
+    - request:
+        url: "https://auth.example.com/token"
+        method: POST
+        headers:
+          Content-Type: "application/x-www-form-urlencoded"
+        payload: "grant_type=client_credentials&client_id=x&client_secret=y"
+      response:
+        processors:
+          - expression: "response.json.access_token"
+            output: "state.token"
+            aggregation: last
+
+endpoints:
+  things:
+    request:
+      url: "{state.base_url}/things"
+    response:
+      records:
+        jmespath: "data[]"
+`
+
+	s, err := LoadSpec(spec)
+	require.NoError(t, err)
+
+	require.NotNil(t, s.Authentication)
+	require.Equal(t, AuthTypeSequence, s.Authentication.Type())
+
+	rawSeq, ok := s.Authentication["sequence"]
+	require.True(t, ok, "spec authentication.sequence must be present after compile")
+	authSeq := parseSequenceFromInterface(rawSeq)
+	require.Len(t, authSeq, 1)
+
+	rules := authSeq[0].Response.Rules
+	require.GreaterOrEqual(t, len(rules), 3, "auth sequence response should have at least 3 default rules appended")
+	assert.Equal(t, "Default Retry Rule", rules[len(rules)-3].Message)
+	assert.Equal(t, "JSON-RPC error response (HTTP 200 with error envelope)", rules[len(rules)-2].Message)
+	assert.Equal(t, "Default Fail Rule", rules[len(rules)-1].Message)
+	assert.Equal(t, "response.status >= 400", rules[len(rules)-1].Condition)
+}
+
+// Compiling the same spec twice (or two endpoints sharing spec.Defaults) must
+// not stack the default rules — checkResponse should be idempotent.
+func TestSpecDefaultRulesIdempotent(t *testing.T) {
+	spec := `
+name: "Idempotent Default Rules"
+
+defaults:
+  state:
+    base_url: "https://api.example.com"
+
+authentication:
+  type: "sequence"
+  sequence:
+    - request:
+        url: "https://auth.example.com/token"
+        method: POST
+      response:
+        processors:
+          - expression: "response.json.access_token"
+            output: "state.token"
+            aggregation: last
+
+endpoints:
+  a:
+    request:
+      url: "{state.base_url}/a"
+    response:
+      records:
+        jmespath: "data[]"
+  b:
+    request:
+      url: "{state.base_url}/b"
+    response:
+      records:
+        jmespath: "data[]"
+`
+
+	s, err := LoadSpec(spec)
+	require.NoError(t, err)
+
+	// Recompile both endpoints — simulates being run more than once (e.g. via
+	// ReadDataflow -> CompileSpecEndpoints / compileSpecEndpoint paths).
+	for _, name := range []string{"a", "b"} {
+		ep := s.EndpointMap[name]
+		require.NoError(t, compileSpecEndpoint(&ep, s))
+		s.EndpointMap[name] = ep
+	}
+
+	for _, name := range []string{"a", "b"} {
+		ep := s.EndpointMap[name]
+		// Endpoint response should have exactly 3 default rules (retry, jsonrpc, fail).
+		assert.Equal(t, 3, len(ep.Response.Rules), "endpoint %s should have exactly 3 default rules, got %d", name, len(ep.Response.Rules))
+	}
+
+	// Spec-level auth sequence should also have exactly 3 default rules
+	// despite being processed multiple times via compileSpecEndpoint above.
+	require.NotNil(t, s.Authentication)
+	authSeq := parseSequenceFromInterface(s.Authentication["sequence"])
+	require.Len(t, authSeq, 1)
+	assert.Equal(t, 3, len(authSeq[0].Response.Rules), "spec auth sequence should have exactly 3 default rules across multiple compiles, got %d", len(authSeq[0].Response.Rules))
+}