test(federation): fix BETTER_AUTH_SECRET requirement in M2 integration tests

Ensure BETTER_AUTH_SECRET is set before seal() is called in test #5, add
it to the DB-only run command in the header comment, and surface cleanup
errors to stderr instead of silently swallowing them.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

apps/gateway/src/__tests__/integration/federation-m2.integration.test.ts

@@ -7,7 +7,7 @@
  *   docker compose -f docker-compose.federated.yml --profile federated up -d
  *
  * Run DB-only tests (no Step-CA):
- *   FEDERATED_INTEGRATION=1 pnpm --filter @mosaicstack/gateway test \
+ *   FEDERATED_INTEGRATION=1 BETTER_AUTH_SECRET=test-secret pnpm --filter @mosaicstack/gateway test \
  *     src/__tests__/integration/federation-m2.integration.test.ts
  *
  * Run all tests including Step-CA-dependent ones:
@@ -127,6 +127,8 @@ describe.skipIf(!run)('federation M2 — DB-only tests', () => {
   const createdUserIds: string[] = [];
 
   beforeAll(async () => {
+    process.env['BETTER_AUTH_SECRET'] ??= 'test-integration-sealing-key-not-for-prod';
+
     handle = createDb(PG_URL);
     db = handle.db;
 
@@ -140,25 +142,26 @@ describe.skipIf(!run)('federation M2 — DB-only tests', () => {
       await db
         .delete(federationEnrollmentTokens)
         .where(inArray(federationEnrollmentTokens.grantId, createdGrantIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
       await db
         .delete(federationGrants)
         .where(inArray(federationGrants.id, createdGrantIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
     }
     if (db && createdPeerIds.length > 0) {
       await db
         .delete(federationPeers)
         .where(inArray(federationPeers.id, createdPeerIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
     }
     if (db && createdUserIds.length > 0) {
       await db
         .delete(schema.users)
         .where(inArray(schema.users.id, createdUserIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
     }
-    if (handle) await handle.close().catch(() => {});
+    if (handle)
+      await handle.close().catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
   });
 
   // -------------------------------------------------------------------------
@@ -363,25 +366,26 @@ describe.skipIf(!stepCaRun)('federation M2 — Step-CA tests', () => {
       await db
         .delete(federationEnrollmentTokens)
         .where(inArray(federationEnrollmentTokens.grantId, createdGrantIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
       await db
         .delete(federationGrants)
         .where(inArray(federationGrants.id, createdGrantIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
     }
     if (db && createdPeerIds.length > 0) {
       await db
         .delete(federationPeers)
         .where(inArray(federationPeers.id, createdPeerIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
     }
     if (db && createdUserIds.length > 0) {
       await db
         .delete(schema.users)
         .where(inArray(schema.users.id, createdUserIds))
-        .catch(() => {});
+        .catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
     }
-    if (handle) await handle.close().catch(() => {});
+    if (handle)
+      await handle.close().catch((e: unknown) => console.error('[federation-m2-test cleanup]', e));
   });
 
   /** Generate a P-256 key pair and PKCS#10 CSR, returning the CSR as PEM. */