llm-assisted-api-debugging-lab 0.1.0

Deterministic API failure diagnoser with an LLM-assisted prompt template generator.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293

//! Case fixture model and JSON loader.
//!
//! A [`Case`] is a sanitized HTTP transaction plus environmental
//! [`Context`]. Each variant the diagnoser cares about lives as an
//! explicit field — the struct is **not** a generic `serde_json::Value`
//! bag, because we want serde to fail loudly when a fixture changes shape
//! in a way the code didn't expect.
//!
//! Loading is gated on two checks (in order):
//! 1. The requested name is in [`KNOWN_CASES`] — see [`case_fixture_path`].
//! 2. The loaded JSON's `name` field matches the requested name — see
//!    [`load_case`]. A mismatch is a fixture-edit bug
//!    ([`CaseError::NameMismatch`]).
//!
//! Bidirectional consistency between [`KNOWN_CASES`] and the on-disk
//! `fixtures/cases/*.json` set is enforced by the
//! `known_cases_matches_on_disk_fixtures` test below.

use serde::Deserialize;
use std::collections::BTreeMap;
use std::path::{Path, PathBuf};
use thiserror::Error;

/// Every case the binary knows how to load. Adding a new case requires:
/// 1. A new entry here (alphabetical-ish, but grouped by failure family).
/// 2. A matching `fixtures/cases/<name>.json` file.
/// 3. A matching `fixtures/logs/<name>.log` file.
/// 4. A `[rules.<rule_name>]` section in `prose.toml` if the case
///    triggers a rule that doesn't already exist.
///
/// The `known_cases_matches_on_disk_fixtures` test enforces (1)+(2)
/// stay in sync; new fixture without a constant entry — or vice versa —
/// breaks `cargo test`.
pub const KNOWN_CASES: &[&str] = &[
    "auth_missing",
    "bad_payload",
    "rate_limit",
    "webhook_signature",
    "timeout",
    "dns_config",
    "tls_failure",
    "injection_attempt",
];

/// Errors the case loader can produce.
///
/// The variants are designed to support a meaningful exit-code mapping
/// in any binary that uses this crate. The `llm-assisted-api-debugging-lab` binary in
/// this repo follows the convention:
///
/// - `Unknown` → exit code 2 (caller passed a bad name).
/// - `Io`, `Parse`, `NameMismatch` → exit code 3 (a fixture file is
///   broken).
///
/// The distinction matters for `set -e`-style shell integration where
/// the caller wants to react differently to "you misspelled the
/// argument" vs "the on-disk fixture is corrupt." Library consumers can
/// adopt the same convention or pick their own.
#[derive(Debug, Error)]
pub enum CaseError {
    #[error("unknown case: {0}")]
    Unknown(String),
    #[error("could not read case file {0}: {1}")]
    Io(PathBuf, #[source] std::io::Error),
    #[error("could not parse case file {0}: {1}")]
    Parse(PathBuf, #[source] serde_json::Error),
    #[error("case file {path} declares name {found:?} but was loaded as {expected:?}")]
    NameMismatch {
        path: PathBuf,
        expected: String,
        found: String,
    },
}

/// One sanitized HTTP transaction, plus environmental context, plus a
/// pointer to the log file that recorded it.
///
/// The shape mirrors what an on-call engineer would attach to an
/// escalation: the request that went out, the response that came back
/// (if any), what the caller's own stack observed at the network layer
/// (`Context`), and a pointer to the relevant log slice.
#[derive(Debug, Clone, Deserialize)]
pub struct Case {
    /// Stable case identifier; must match the JSON file's basename.
    pub name: String,
    /// One-line human description of what this fixture exercises.
    /// Currently consumed only by docs/snapshots; not load-bearing.
    #[serde(default)]
    pub description: String,
    pub request: Request,
    /// Absent for connection-layer failures (DNS, TLS, timeout) where no
    /// response was received.
    #[serde(default)]
    pub response: Option<Response>,
    #[serde(default)]
    pub context: Context,
    /// Path to the log file relative to the project root. Resolved by
    /// [`log_path_for`].
    #[serde(default)]
    pub log_path: Option<PathBuf>,
}

/// Sanitized HTTP request as authored in the fixture file.
#[derive(Debug, Clone, Deserialize)]
pub struct Request {
    pub method: String,
    pub url: String,
    /// `BTreeMap` rather than `HashMap` so the iteration order is stable
    /// for snapshot tests. Header lookups are O(log n) but with ~6
    /// headers per fixture that's irrelevant.
    #[serde(default)]
    pub headers: BTreeMap<String, String>,
    /// One-line summary of the request body. Sensitive values are masked
    /// with `***` at fixture-authoring time; the diagnoser does not
    /// further redact.
    #[serde(default)]
    pub body_summary: String,
    #[serde(default)]
    pub client_unix_ts: Option<i64>,
    /// Client-side timeout budget. Compared against
    /// `Context::elapsed_ms_before_abort` to detect timeouts.
    #[serde(default)]
    pub timeout_ms: Option<u64>,
}

/// Sanitized HTTP response. Absent on `Case` (i.e. `Case::response` is
/// `None`) for connection-layer failures where no response was received.
#[derive(Debug, Clone, Deserialize)]
pub struct Response {
    pub status: u16,
    #[serde(default)]
    pub headers: BTreeMap<String, String>,
    #[serde(default)]
    pub body_summary: String,
    #[serde(default)]
    pub server_unix_ts: Option<i64>,
    #[serde(default)]
    pub elapsed_ms: Option<u64>,
}

/// Environmental observations from the caller's own network stack —
/// things that don't appear in the HTTP transaction itself.
///
/// All fields are `Option` and `#[serde(default)]` so a fixture only
/// needs to set the ones relevant to its failure mode. Unset fields are
/// "we didn't observe this," not "we observed it as zero."
#[derive(Debug, Clone, Default, Deserialize)]
pub struct Context {
    /// `Some(false)` means DNS resolution was attempted and failed;
    /// `Some(true)` or `None` means it either succeeded or wasn't
    /// reached.
    #[serde(default)]
    pub dns_resolved: Option<bool>,
    #[serde(default)]
    pub dns_error: Option<String>,
    #[serde(default)]
    pub dns_host: Option<String>,
    /// Time spent in TLS handshake on a successful connection.
    #[serde(default)]
    pub tls_handshake_ms: Option<u64>,
    /// `Some(true)` indicates the handshake was attempted and failed.
    #[serde(default)]
    pub tls_handshake_failed: Option<bool>,
    #[serde(default)]
    pub tls_failure_reason: Option<String>,
    #[serde(default)]
    pub tls_peer: Option<String>,
    /// Skew between the client's clock and the server's, in seconds.
    /// Sign indicates direction (negative = client behind server).
    /// Absolute value is what gets compared to `signature_tolerance_secs`.
    #[serde(default)]
    pub client_clock_skew_secs: Option<i64>,
    /// Set by webhook-receiver fixtures; toggles whether clock-skew
    /// evidence is even meaningful for this case.
    #[serde(default)]
    pub signing_required: Option<bool>,
    /// HMAC tolerance window in seconds.
    #[serde(default)]
    pub signature_tolerance_secs: Option<u64>,
    /// Set when middleware re-encoded the JSON body between the wire and
    /// HMAC verification. Drives the `BodyMutatedBeforeVerification`
    /// evidence variant.
    #[serde(default)]
    pub body_mutated_before_verification: Option<bool>,
    /// Wall-clock time the client spent waiting before giving up on a
    /// non-arriving response.
    #[serde(default)]
    pub elapsed_ms_before_abort: Option<u64>,
    /// Free-text error string from the caller's network stack. Used for
    /// rendering only; rules don't read this directly.
    #[serde(default)]
    pub connection_error: Option<String>,
}

/// Look up the on-disk path for a known case name. Returns `Err(Unknown)`
/// when the name is not in `KNOWN_CASES`.
pub fn case_fixture_path(fixtures_dir: &Path, name: &str) -> Result<PathBuf, CaseError> {
    if !KNOWN_CASES.contains(&name) {
        return Err(CaseError::Unknown(name.to_string()));
    }
    Ok(fixtures_dir.join("cases").join(format!("{name}.json")))
}

/// Load a single case fixture by name from the given fixtures directory.
///
/// Asserts that the loaded fixture's `name` field matches the requested
/// name; a mismatch returns `CaseError::NameMismatch` rather than silently
/// producing a wrong-cased diagnosis.
pub fn load_case(fixtures_dir: &Path, name: &str) -> Result<Case, CaseError> {
    let path = case_fixture_path(fixtures_dir, name)?;
    let bytes = std::fs::read(&path).map_err(|e| CaseError::Io(path.clone(), e))?;
    let case: Case =
        serde_json::from_slice(&bytes).map_err(|e| CaseError::Parse(path.clone(), e))?;
    if case.name != name {
        return Err(CaseError::NameMismatch {
            path,
            expected: name.to_string(),
            found: case.name,
        });
    }
    Ok(case)
}

/// Resolve the log file path for a case, relative to the fixtures directory's
/// parent (so a case that records `fixtures/logs/foo.log` resolves correctly
/// regardless of the current working directory).
pub fn log_path_for(case: &Case, project_root: &Path) -> Option<PathBuf> {
    case.log_path.as_ref().map(|p| project_root.join(p))
}

#[cfg(test)]
mod tests {
    #![allow(clippy::panic, clippy::expect_used, clippy::unwrap_used)]
    use super::*;

    fn fixtures_dir() -> PathBuf {
        PathBuf::from(env!("CARGO_MANIFEST_DIR")).join("fixtures")
    }

    #[test]
    fn known_cases_all_load() {
        for name in KNOWN_CASES {
            let case =
                load_case(&fixtures_dir(), name).unwrap_or_else(|e| panic!("loading {name}: {e}"));
            assert_eq!(case.name, *name, "case file name field must match filename");
        }
    }

    #[test]
    fn unknown_case_is_rejected() {
        let err = load_case(&fixtures_dir(), "not_a_real_case").unwrap_err();
        assert!(matches!(err, CaseError::Unknown(_)));
    }

    #[test]
    fn known_cases_matches_on_disk_fixtures() {
        let cases_dir = fixtures_dir().join("cases");
        let mut on_disk: Vec<String> = std::fs::read_dir(&cases_dir)
            .unwrap_or_else(|e| panic!("reading {}: {e}", cases_dir.display()))
            .filter_map(|entry| entry.ok())
            .map(|entry| entry.path())
            .filter(|p| p.extension().and_then(|s| s.to_str()) == Some("json"))
            .filter_map(|p| p.file_stem().and_then(|s| s.to_str()).map(str::to_string))
            .collect();
        on_disk.sort();
        let mut declared: Vec<String> = KNOWN_CASES.iter().map(|s| s.to_string()).collect();
        declared.sort();
        assert_eq!(
            declared, on_disk,
            "KNOWN_CASES must match the set of *.json files under fixtures/cases/"
        );
    }

    #[test]
    fn name_mismatch_is_rejected() {
        // Write a temporary case file that declares the wrong name.
        let dir = std::env::temp_dir().join("llm-assisted-api-debugging-lab-name-mismatch");
        let cases_dir = dir.join("cases");
        std::fs::create_dir_all(&cases_dir).unwrap();
        let bogus = cases_dir.join("auth_missing.json");
        std::fs::write(
            &bogus,
            r#"{"name":"rate_limit","request":{"method":"GET","url":"http://x"}}"#,
        )
        .unwrap();
        let err = load_case(&dir, "auth_missing").unwrap_err();
        assert!(
            matches!(err, CaseError::NameMismatch { .. }),
            "expected NameMismatch, got {err:?}"
        );
        let _ = std::fs::remove_dir_all(&dir);
    }
}