mockforge-bench 0.3.173

Load and performance testing for MockForge
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476

//! Browser-viewable HTML rendering of self-test request/response capture.
//!
//! Issue #79 round 24 (Srikanth (d) follow-up). `conformance-self-test-
//! requests.jsonl` is great for `jq` and `grep`, but Srikanth asked for
//! something that can be loaded in a browser without external tooling.
//! This module renders the same `CaseCapture` records into a single
//! self-contained HTML file (no external CSS / JS / images).
//!
//! Round 27 (Srikanth d3) — replaced the prior content-visibility +
//! 1000-card cap approach with proper pagination. The 1000-card cap
//! silently hid the 4xx/5xx probes Srikanth needed to investigate
//! because they sat past the cap. The viewer now embeds the full
//! capture as a JSON array (`window.__captures`), filters that array
//! in JS, then renders only the current page (50 cards) of the
//! filtered subset. Filters span ALL probes regardless of which page
//! is visible, so paging never hides matching probes.

use super::self_test::CaseCapture;

/// Round 27 — page size for the paginated capture viewer. 50 cards
/// per page keeps initial render under 100 ms on a modern browser
/// while still showing enough context to scan a category at a glance.
/// The full dataset is held in memory as JSON; only the slice is in
/// the DOM at any time. Mirrored as `PAGE_SIZE` in the JS handler
/// below; the test `pagination_controls_present` asserts the two
/// stay in sync.
#[allow(dead_code)] // documentation/contract for the JS-side constant
const PAGE_SIZE: usize = 50;

/// Render the full HTML viewer for a slice of captured probes.
/// Bodies are kept verbatim (already truncated upstream to
/// `CAPTURE_BODY_CAP_BYTES`). The whole capture is serialised as a
/// JSON array embedded in a `<script>` tag and rendered on demand by
/// the inline JS handler; cross-page filters work over the full
/// array, not the visible page.
pub fn render_capture_html(entries: &[CaseCapture]) -> String {
    let total = entries.len();
    let mut out = String::with_capacity(total.max(1) * 1024);
    out.push_str(HEAD);
    push_summary(&mut out, entries);
    out.push_str("<div id=\"cards\"></div>\n");
    push_pagination_controls(&mut out);
    push_data_script(&mut out, entries);
    out.push_str(FOOT);
    out
}

fn push_summary(out: &mut String, entries: &[CaseCapture]) {
    let total = entries.len();
    let pass = entries.iter().filter(|e| (200..400).contains(&e.response_status)).count();
    let fail = entries.iter().filter(|e| !(200..400).contains(&e.response_status)).count();
    out.push_str(&format!(
        "<header>\n\
         <h1>Self-Test Request/Response Capture</h1>\n\
         <p class=\"meta\">{total} probe(s); {pass} returned 2xx-3xx, {fail} returned 4xx-5xx or errored. \
         Generated by <code>mockforge bench --conformance-self-test --conformance-self-test-capture</code>.</p>\n\
         <div class=\"toolbar\">\n\
         <input type=\"search\" id=\"q\" placeholder=\"filter by label, method, URL, or status\" oninput=\"scheduleFilter()\" />\n\
         <label><input type=\"checkbox\" id=\"showPass\" checked onchange=\"applyFilter()\"/> 2xx-3xx</label>\n\
         <label><input type=\"checkbox\" id=\"showFail\" checked onchange=\"applyFilter()\"/> 4xx-5xx</label>\n\
         <label><input type=\"checkbox\" id=\"showErr\" checked onchange=\"applyFilter()\"/> transport error</label>\n\
         <label><input type=\"checkbox\" id=\"onlyMismatches\" onchange=\"applyFilter()\"/> only show mismatches</label>\n\
         <span id=\"filterStatus\" class=\"small\"></span>\n\
         </div>\n\
         </header>\n"
    ));
}

fn push_pagination_controls(out: &mut String) {
    out.push_str(
        "<div class=\"pager\">\n\
         <button id=\"firstPage\" onclick=\"gotoPage(0)\">First</button>\n\
         <button id=\"prevPage\" onclick=\"gotoPage(currentPage - 1)\">Prev</button>\n\
         <span id=\"pageNum\" class=\"pageNum\"></span>\n\
         <button id=\"nextPage\" onclick=\"gotoPage(currentPage + 1)\">Next</button>\n\
         <button id=\"lastPage\" onclick=\"gotoPage(totalPages - 1)\">Last</button>\n\
         <label class=\"small\">Jump to page: <input type=\"number\" id=\"jumpPage\" min=\"1\" style=\"width: 5em\" onchange=\"jumpToPage()\" /></label>\n\
         </div>\n",
    );
}

/// Embed the full capture as a JSON array assigned to
/// `window.__captures`. JSON.stringify with default escaping is
/// XSS-safe inside a `<script>` tag as long as we don't have a
/// closing `</script>` substring. `serde_json::to_string` does NOT
/// escape `<`, so we post-process to break any literal `</` so the
/// script element can't be terminated by the payload. The browser
/// JS handler unescapes this back transparently.
fn push_data_script(out: &mut String, entries: &[CaseCapture]) {
    out.push_str("<script id=\"captureData\" type=\"application/json\">\n");
    // Serialise to a single line for compactness. If serialisation
    // somehow fails (shouldn't, the struct is all Serialize), embed
    // an empty array so the viewer still loads.
    let json = serde_json::to_string(entries).unwrap_or_else(|_| "[]".to_string());
    // Defensive: protect against payload bodies containing
    // `</script>`. The JSON `<` becomes `<` which is valid JSON
    // and the JS parser accepts it.
    let safe = json.replace("</", r"<\/");
    out.push_str(&safe);
    out.push_str("\n</script>\n");
}

const HEAD: &str = r#"<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>MockForge Self-Test Capture</title>
<style>
  body { font-family: -apple-system, system-ui, sans-serif; max-width: 1200px;
         margin: 1rem auto; padding: 0 1rem; color: #1f2933; line-height: 1.45; }
  h1 { font-size: 1.6rem; margin: 0; }
  h3 { margin: 1rem 0 0.3rem; font-size: 0.95rem; color: #374151; }
  header { border-bottom: 1px solid #e5e7eb; padding-bottom: 1rem; margin-bottom: 1rem; }
  .meta { color: #6b7280; font-size: 0.9rem; margin: 0.25rem 0 0.75rem; }
  .toolbar { display: flex; gap: 0.75rem; align-items: center; flex-wrap: wrap; }
  .toolbar input[type=search] { flex: 1; min-width: 240px; padding: 0.4rem 0.6rem;
    border: 1px solid #d1d5db; border-radius: 4px; font-size: 0.9rem; }
  .toolbar label { font-size: 0.85rem; color: #4b5563; cursor: pointer; }
  .pager { display: flex; gap: 0.5rem; align-items: center; flex-wrap: wrap;
    margin: 0.75rem 0; padding: 0.5rem 0; border-top: 1px solid #e5e7eb;
    border-bottom: 1px solid #e5e7eb; }
  .pager button { padding: 0.25rem 0.75rem; font-size: 0.85rem;
    border: 1px solid #d1d5db; background: #fff; border-radius: 4px; cursor: pointer; }
  .pager button:hover:not(:disabled) { background: #f3f4f6; }
  .pager button:disabled { opacity: 0.4; cursor: not-allowed; }
  .pager .pageNum { font-size: 0.85rem; color: #4b5563; min-width: 6em;
    text-align: center; font-variant-numeric: tabular-nums; }
  details.card { border: 1px solid #e5e7eb; border-radius: 6px; margin: 0.4rem 0;
    background: #fff; }
  details.card[open] { box-shadow: 0 1px 3px rgba(0,0,0,0.05); }
  summary { padding: 0.5rem 0.75rem; cursor: pointer; display: flex; gap: 0.5rem;
    align-items: center; flex-wrap: wrap; }
  summary::-webkit-details-marker { color: #9ca3af; }
  .method { background: #f3f4f6; padding: 0.05rem 0.4rem; border-radius: 3px;
    font-size: 0.8rem; }
  .label { color: #374151; font-size: 0.85rem; }
  .url { color: #6b7280; font-size: 0.8rem; word-break: break-all; }
  .body { padding: 0 0.75rem 0.75rem; border-top: 1px solid #f3f4f6; }
  .badge { display: inline-block; padding: 0.1rem 0.5rem; border-radius: 999px;
    font-size: 0.75rem; font-weight: 600; }
  .badge.pass { background: #d1fae5; color: #047857; }
  .badge.fail { background: #fee2e2; color: #b91c1c; }
  .badge.err  { background: #fef3c7; color: #92400e; }
  .badge.info { background: #dbeafe; color: #1d4ed8; }
  table.kv { width: 100%; font-size: 0.85rem; border-collapse: collapse;
    margin: 0.25rem 0 0.75rem; }
  table.kv td { padding: 0.2rem 0.5rem; border-bottom: 1px solid #f3f4f6; vertical-align: top; }
  table.kv td:first-child { color: #4b5563; width: 30%; max-width: 280px; }
  pre { background: #f9fafb; border: 1px solid #f3f4f6; padding: 0.5rem;
    border-radius: 4px; font-size: 0.8rem; overflow-x: auto; white-space: pre-wrap;
    word-break: break-word; max-height: 320px; overflow-y: auto; }
  pre.err { background: #fef2f2; border-color: #fecaca; color: #991b1b; }
  .small { color: #6b7280; font-size: 0.75rem; }
  code { font-family: ui-monospace, SFMono-Regular, monospace; font-size: 0.88em; }
</style>
</head>
<body>
"#;

const FOOT: &str = r#"
<script>
// Round 27 — pagination + cross-page filter over the JSON-embedded
// full capture. The previous CSS-only show/hide approach silently
// dropped 4xx/5xx probes past the 1000-card cap (Srikanth flagged
// this on 0.3.169). Now the JS holds the full capture in memory,
// filters across the whole array on every input, and only renders
// the current page (PAGE_SIZE entries) of the filtered subset.

const PAGE_SIZE = 50;
let captures = [];
try {
  const raw = document.getElementById('captureData').textContent.trim();
  captures = raw ? JSON.parse(raw) : [];
} catch (e) {
  document.getElementById('cards').innerHTML =
    '<p class="small">Failed to load capture data: ' + e.message + '</p>';
}
let filtered = captures.slice();
let currentPage = 0;
let totalPages = Math.max(1, Math.ceil(filtered.length / PAGE_SIZE));

function escapeHtml(s) {
  if (s == null) return '';
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function statusClass(c) {
  if (c.error) return 'err';
  if (c.response_status >= 200 && c.response_status < 400) return 'pass';
  if (c.response_status >= 400 && c.response_status < 600) return 'fail';
  return 'info';
}

function renderKv(title, kv) {
  const keys = kv ? Object.keys(kv).sort() : [];
  if (keys.length === 0) {
    return '<h3>' + escapeHtml(title) + '</h3><p class="small">(none)</p>';
  }
  let html = '<h3>' + escapeHtml(title) + '</h3><table class="kv"><tbody>';
  for (const k of keys) {
    html += '<tr><td><code>' + escapeHtml(k) + '</code></td><td><code>' +
            escapeHtml(kv[k]) + '</code></td></tr>';
  }
  html += '</tbody></table>';
  return html;
}

function renderBody(title, body, truncated) {
  if (body == null) return '';
  const suffix = truncated ? ' <span class="small">(truncated at 16 KiB)</span>' : '';
  return '<h3>' + escapeHtml(title) + suffix + '</h3><pre>' + escapeHtml(body) + '</pre>';
}

// Round 28 (Srikanth) — true when the probe's actual status didn't
// match its expected range. Used by the "only show mismatches" filter
// AND by the summary badge so users can spot misses at a glance.
function isMismatch(c) {
  const expected = c.expected_status_range || '';
  const s = c.response_status;
  if (c.error) return true;
  if (expected === '4xx') return !(s >= 400 && s < 500);
  if (expected === '2xx-3xx') return !(s >= 200 && s < 400);
  return false;
}

function renderCard(c) {
  const cls = statusClass(c);
  const statusText = c.error ? 'ERR' : String(c.response_status);
  let html = '<details class="card">';
  html += '<summary>';
  html += '<span class="badge ' + cls + '">' + escapeHtml(statusText) + '</span> ';
  // Round 28 — show the expected range alongside the actual status so
  // a reader knows what the probe wanted to see without expanding the
  // card.
  if (c.expected_status_range) {
    const matchCls = isMismatch(c) ? 'fail' : 'pass';
    html += '<span class="badge ' + matchCls + '" title="expected status range">exp ' +
            escapeHtml(c.expected_status_range) + '</span> ';
  }
  html += '<code class="method">' + escapeHtml(c.method) + '</code> ';
  html += '<span class="label">' + escapeHtml(c.label) + '</span> ';
  html += '<code class="url">' + escapeHtml(c.url) + '</code>';
  html += '</summary><div class="body">';
  html += renderKv('Request headers', c.request_headers);
  html += renderBody('Request body', c.request_body, c.request_body_truncated);
  html += renderKv('Response headers', c.response_headers);
  html += renderBody('Response body', c.response_body, c.response_body_truncated);
  if (c.error) {
    html += '<h3>Transport error</h3><pre class="err">' + escapeHtml(c.error) + '</pre>';
  }
  if (c.response_schema_error) {
    html += '<h3>Response schema mismatch</h3><pre class="err">' +
            escapeHtml(c.response_schema_error) + '</pre>';
  }
  html += '</div></details>';
  return html;
}

function renderPage() {
  totalPages = Math.max(1, Math.ceil(filtered.length / PAGE_SIZE));
  if (currentPage >= totalPages) currentPage = totalPages - 1;
  if (currentPage < 0) currentPage = 0;
  const start = currentPage * PAGE_SIZE;
  const end = Math.min(start + PAGE_SIZE, filtered.length);
  const slice = filtered.slice(start, end);
  document.getElementById('cards').innerHTML = slice.map(renderCard).join('');
  document.getElementById('pageNum').textContent =
    'Page ' + (currentPage + 1) + ' / ' + totalPages +
    ' (' + (filtered.length === 0 ? 0 : (start + 1)) + '-' + end +
    ' of ' + filtered.length + ' filtered)';
  document.getElementById('firstPage').disabled = currentPage === 0;
  document.getElementById('prevPage').disabled = currentPage === 0;
  document.getElementById('nextPage').disabled = currentPage >= totalPages - 1;
  document.getElementById('lastPage').disabled = currentPage >= totalPages - 1;
  document.getElementById('filterStatus').textContent =
    filtered.length === captures.length ? '' :
    '(' + filtered.length + ' of ' + captures.length + ' shown)';
  document.getElementById('jumpPage').max = totalPages;
  document.getElementById('jumpPage').value = currentPage + 1;
  window.scrollTo({ top: 0, behavior: 'auto' });
}

function gotoPage(p) {
  if (p < 0 || p >= totalPages) return;
  currentPage = p;
  renderPage();
}

function jumpToPage() {
  const v = parseInt(document.getElementById('jumpPage').value, 10);
  if (!isNaN(v)) gotoPage(v - 1);
}

let _filterTimer = null;
function scheduleFilter() {
  if (_filterTimer) clearTimeout(_filterTimer);
  _filterTimer = setTimeout(applyFilter, 200);
}

function applyFilter() {
  const q = document.getElementById('q').value.trim().toLowerCase();
  const showPass = document.getElementById('showPass').checked;
  const showFail = document.getElementById('showFail').checked;
  const showErr = document.getElementById('showErr').checked;
  const onlyMismatches = document.getElementById('onlyMismatches').checked;
  filtered = captures.filter(function(c) {
    // Round 28 — the mismatch filter runs FIRST so it composes
    // naturally with the status checkboxes (e.g. "mismatches that
    // are 4xx-5xx").
    if (onlyMismatches && !isMismatch(c)) return false;
    const cls = statusClass(c);
    const statusOk = (cls === 'pass' && showPass) ||
                     (cls === 'fail' && showFail) ||
                     (cls === 'err' && showErr) ||
                     (cls === 'info' && (showPass || showFail));
    if (!statusOk) return false;
    if (!q) return true;
    const hay = ((c.label || '') + ' ' + (c.method || '') + ' ' +
                 (c.url || '') + ' ' + (c.response_status || '')).toLowerCase();
    return hay.indexOf(q) !== -1;
  });
  currentPage = 0;
  renderPage();
}

// Initial render once the page loads.
renderPage();
</script>
</body>
</html>
"#;

#[cfg(test)]
mod tests {
    use super::*;
    use std::collections::BTreeMap;

    fn sample() -> Vec<CaseCapture> {
        let mut req_h = BTreeMap::new();
        req_h.insert("X-Forwarded-For".to_string(), "203.0.113.0".to_string());
        let mut resp_h = BTreeMap::new();
        resp_h.insert("content-type".to_string(), "application/json".to_string());
        vec![
            CaseCapture {
                label: "positive".to_string(),
                method: "GET".to_string(),
                url: "http://target/users".to_string(),
                request_headers: req_h.clone(),
                request_body: None,
                request_body_truncated: false,
                response_status: 200,
                response_headers: resp_h.clone(),
                response_body: Some("{\"ok\":true}".to_string()),
                response_body_truncated: false,
                error: None,
                response_schema_error: None,
                expected_status_range: "2xx-3xx".to_string(),
            },
            CaseCapture {
                label: "owasp:sqli".to_string(),
                method: "GET".to_string(),
                url: "http://target/users?id=' OR 1=1".to_string(),
                request_headers: BTreeMap::new(),
                request_body: None,
                request_body_truncated: false,
                response_status: 500,
                response_headers: resp_h,
                response_body: Some("[]".to_string()),
                response_body_truncated: false,
                error: None,
                response_schema_error: None,
                expected_status_range: "2xx-3xx".to_string(),
            },
        ]
    }

    #[test]
    fn embeds_all_probes_as_json() {
        let html = render_capture_html(&sample());
        // The JSON data script holds the full capture.
        assert!(html.contains("id=\"captureData\""));
        // Both labels are present in the JSON payload.
        assert!(html.contains("\"positive\""));
        assert!(html.contains("\"owasp:sqli\""));
    }

    /// Round 27 — Srikanth's d3 follow-up was that the round-25
    /// 1000-card cap hid 4xx/5xx probes past the cap. The fix is
    /// pagination over the full capture. A capture WAY past the
    /// old cap must still appear in the embedded data.
    #[test]
    fn no_silent_cap_past_one_thousand() {
        let mut entries = Vec::with_capacity(1500);
        for i in 0..1500 {
            entries.push(CaseCapture {
                label: format!("probe-{i}"),
                method: "GET".into(),
                url: format!("/path/{i}"),
                request_headers: BTreeMap::new(),
                request_body: None,
                request_body_truncated: false,
                response_status: if i % 4 == 0 { 500 } else { 200 },
                response_headers: BTreeMap::new(),
                response_body: None,
                response_body_truncated: false,
                error: None,
                response_schema_error: None,
                expected_status_range: "2xx-3xx".to_string(),
            });
        }
        let html = render_capture_html(&entries);
        // Probe past the old 1000 cap is still embedded.
        assert!(html.contains("\"probe-1234\""));
        assert!(html.contains("\"probe-1499\""));
        // Per-card cap text is gone (we paginate instead).
        assert!(!html.contains("Showing first 1000 of"));
    }

    #[test]
    fn pagination_controls_present() {
        let html = render_capture_html(&sample());
        for id in [
            "firstPage",
            "prevPage",
            "nextPage",
            "lastPage",
            "jumpPage",
            "pageNum",
        ] {
            assert!(html.contains(id), "missing pagination control: {id}");
        }
        assert!(html.contains("PAGE_SIZE = 50"));
    }

    #[test]
    fn empty_capture_still_produces_valid_html() {
        let html = render_capture_html(&[]);
        assert!(html.starts_with("<!doctype html>"));
        assert!(html.contains("0 probe(s)"));
        assert!(html.contains("</html>"));
    }

    #[test]
    fn embedded_json_breaks_inline_script_terminators() {
        // A payload body containing `</script>` could break out of
        // the inline data <script> if we didn't escape it. The
        // serialiser converts `</` to `<\/` so the JSON parser
        // accepts it but no DOM parser sees a closing tag.
        let entry = CaseCapture {
            label: "label".into(),
            method: "GET".into(),
            url: "/x".into(),
            request_headers: BTreeMap::new(),
            request_body: None,
            request_body_truncated: false,
            response_status: 200,
            response_headers: BTreeMap::new(),
            response_body: Some("<script>alert(1)</script>".into()),
            response_body_truncated: false,
            error: None,
            response_schema_error: None,
            expected_status_range: "2xx-3xx".to_string(),
        };
        let html = render_capture_html(&[entry]);
        assert!(
            !html.contains("</script>alert(1)</script>"),
            "raw `</script>` snuck into the embedded data"
        );
        assert!(html.contains("<\\/script>"), "missing escaped form");
    }
}