Collaborator

@robobun robobun commented Jan 17, 2026

Summary

  • Fixed incorrect byte order in caching_sha2_password scramble function
  • Changed from SHA256(nonce || digest2) to SHA256(digest2 || nonce) per MySQL protocol

Test plan

  • Added regression test test/regression/issue/26195.test.ts that tests caching_sha2_password authentication on MySQL 8.0+
  • Tests connect to MySQL 8.4 (which uses caching_sha2_password by default) with both empty password and password-protected users

Fixes #26195

🤖 Generated with Claude Code

The caching_sha2_password scramble function was concatenating bytes
in the wrong order when computing SHA256(SHA256(SHA256(password)) + nonce).

The MySQL protocol requires SHA256(digest2 || nonce), but the code was
computing SHA256(nonce || digest2), causing "Access denied" errors for
users on MySQL 8.0+ with caching_sha2_password authentication.

Fixes #26195

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
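
Added example (not code from this PR or from Bun's `Auth.zig`): a sketch of the scramble in both concatenation orders, checked against a server-side verifier, to show why the pre-fix order ends in "Access denied". The XOR with SHA256(password) and the server-side check follow MySQL's documented fast-auth scheme rather than anything shown in this thread; the function names, nonce and password are constructed for illustration.

```javascript
// Added illustration; assumptions are noted in the comments.
const { createHash, timingSafeEqual } = require("node:crypto");

// SHA-256 over the concatenation of all parts, in argument order.
function sha256(...parts) {
  const h = createHash("sha256");
  for (const p of parts) h.update(p);
  return h.digest();
}

function xor(a, b) {
  const out = Buffer.alloc(a.length);
  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
  return out;
}

// Client side: XOR(SHA256(password), SHA256(digest2 || nonce)).
// digest2First = false reproduces the pre-fix order SHA256(nonce || digest2).
function scramble(password, nonce, digest2First = true) {
  const digest1 = sha256(Buffer.from(password, "utf8"));
  const digest2 = sha256(digest1);
  const digest3 = digest2First ? sha256(digest2, nonce) : sha256(nonce, digest2);
  return xor(digest1, digest3);
}

// Server side (assumed fast-auth check): the server holds only digest2,
// recovers a candidate digest1 from the response and re-hashes it.
function serverAccepts(storedDigest2, nonce, response) {
  if (response.length !== storedDigest2.length) return false;
  const candidateDigest1 = xor(response, sha256(storedDigest2, nonce));
  return timingSafeEqual(sha256(candidateDigest1), storedDigest2);
}

// Constructed sample values, not taken from the PR or the issue.
const NONCE = Buffer.from("0123456789abcdefghij", "ascii"); // 20 bytes
const PASSWORD = "constructed-test-password";
const STORED = sha256(sha256(Buffer.from(PASSWORD, "utf8")));

function demo() {
  return {
    fixedOrder: serverAccepts(STORED, NONCE, scramble(PASSWORD, NONCE, true)),
    oldOrder: serverAccepts(STORED, NONCE, scramble(PASSWORD, NONCE, false)),
  };
}

console.log(demo());
```

Both responses are 32 bytes and look equally random on the wire, so the ordering mistake is only visible as a server-side rejection.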
Collaborator Author

robobun commented Jan 17, 2026

Updated 8:34 AM PT - Jan 17th, 2026

❌ Your commit 20e820ac has 1 failures in Build #35116 (All Failures):


🧪   To try this PR locally:

bunx bun-pr 26196

That installs a local version of the PR into your bun-26196 executable, so you can run:

bun-26196 --bun

Contributor

coderabbitai bot commented Jan 17, 2026

Walkthrough

Fixes MySQL 8.0 caching_sha2_password authentication by changing the concatenation order in the scramble routine so the second digest is copied before the nonce, and adds a regression test verifying caching_sha2_password logins against a containerized MySQL instance.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Authentication Protocol Fix: `src/sql/mysql/protocol/Auth.zig` | Updated caching_sha2_password.scramble to allocate the combined buffer as digest2.len + nonce.len and copy digest2 followed by nonce, altering the input to the final SHA256 hash. |
| Regression Tests: `test/regression/issue/26195.test.ts` | Added a test that spins up a MySQL container and verifies connections using caching_sha2_password, including user creation, privileges, and connection/teardown via Bun's SQL API. |

Suggested reviewers

  • pfgithub
  • cirospaciari
  • dylan-conway

🚥 Pre-merge checks | ✅ 2 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ⚠️ Warning | The commit message mentions removing redundant sql.end() calls with await using, which appears outside the stated scope of fixing byte order and adding tests. | Clarify whether the sql.end() changes are part of the intended fix or should be separated into a different PR to maintain focus on the core authentication issue. |
| Description check | ❓ Inconclusive | The description covers the main fix and test plan, but does not follow the required template structure with explicit 'What does this PR do?' and 'How did you verify your code works?' sections. | Restructure the description to follow the template with clear section headings for 'What does this PR do?' and 'How did you verify your code works?'. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately and concisely describes the main change: correcting byte order in MySQL caching_sha2_password authentication. |
| Linked Issues check | ✅ Passed | The PR successfully addresses issue #26195 by fixing the byte order in caching_sha2_password and adding comprehensive regression tests for MySQL 8.0+ authentication. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@test/regression/issue/26195.test.ts`:
- Around line 21-28: The test double-closes the SQL instance: when using the
"await using sql = new SQL(...)" pattern the resource is automatically disposed
at scope end, so remove the explicit "await sql.end()" calls (references:
variable "sql" and method "end()" in this test) and rely on "await using" only;
update the other occurrences that match the same pattern (the blocks around
lines with the same pattern, e.g., the sections noted 33-42 and 45-48) to avoid
calling "end()" after "await using".

The `await using` syntax automatically disposes resources at scope end,
making explicit `await sql.end()` calls unnecessary.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Successfully merging this pull request may close these issues.

caching_sha2_password auth to MySQL 8.0 not working