Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Round 17.2 — the resolved request-body schema (application/json).
180    /// Used by the self-test driver to synthesise schema-aware
181    /// negative mutations (wrong type, min/max bounds, pattern, enum
182    /// out-of-range, required-field removal). Independent of
183    /// `sample_body`, which is the positive payload.
184    pub request_body_schema: Option<Schema>,
185    /// Security scheme details resolved from the OpenAPI spec
186    pub security_schemes: Vec<SecuritySchemeInfo>,
187}
188
189/// Generates spec-driven conformance k6 scripts
190pub struct SpecDrivenConformanceGenerator {
191    config: ConformanceConfig,
192    operations: Vec<AnnotatedOperation>,
193}
194
195impl SpecDrivenConformanceGenerator {
196    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
197        Self { config, operations }
198    }
199
200    /// Annotate a list of API operations with conformance features
201    pub fn annotate_operations(
202        operations: &[ApiOperation],
203        spec: &OpenAPI,
204    ) -> Vec<AnnotatedOperation> {
205        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
206    }
207
208    /// Analyze an operation and determine which conformance features it exercises
209    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
210        let mut features = Vec::new();
211        let mut query_params = Vec::new();
212        let mut header_params = Vec::new();
213        let mut path_params = Vec::new();
214
215        // Detect HTTP method feature
216        match op.method.to_uppercase().as_str() {
217            "GET" => features.push(ConformanceFeature::MethodGet),
218            "POST" => features.push(ConformanceFeature::MethodPost),
219            "PUT" => features.push(ConformanceFeature::MethodPut),
220            "PATCH" => features.push(ConformanceFeature::MethodPatch),
221            "DELETE" => features.push(ConformanceFeature::MethodDelete),
222            "HEAD" => features.push(ConformanceFeature::MethodHead),
223            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
224            _ => {}
225        }
226
227        // Detect parameter features (resolves $ref)
228        for param_ref in &op.operation.parameters {
229            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
230                Self::annotate_parameter(
231                    param,
232                    spec,
233                    &mut features,
234                    &mut query_params,
235                    &mut header_params,
236                    &mut path_params,
237                );
238            }
239        }
240
241        // Detect path parameters from the path template itself
242        for segment in op.path.split('/') {
243            if segment.starts_with('{') && segment.ends_with('}') {
244                let name = &segment[1..segment.len() - 1];
245                // Only add if not already found from parameters
246                if !path_params.iter().any(|(n, _)| n == name) {
247                    path_params.push((name.to_string(), "test-value".to_string()));
248                    // Determine type from path params we didn't already handle
249                    if !features.contains(&ConformanceFeature::PathParamString)
250                        && !features.contains(&ConformanceFeature::PathParamInteger)
251                    {
252                        features.push(ConformanceFeature::PathParamString);
253                    }
254                }
255            }
256        }
257
258        // Detect request body features (resolves $ref)
259        let mut request_body_content_type = None;
260        let mut sample_body = None;
261        let mut request_body_schema: Option<Schema> = None;
262
263        let resolved_body = op
264            .operation
265            .request_body
266            .as_ref()
267            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
268
269        if let Some(body) = resolved_body {
270            for (content_type, _media) in &body.content {
271                match content_type.as_str() {
272                    "application/json" => {
273                        features.push(ConformanceFeature::BodyJson);
274                        request_body_content_type = Some("application/json".to_string());
275                        // Generate sample body from schema
276                        if let Ok(template) = RequestGenerator::generate_template(op) {
277                            if let Some(body_val) = &template.body {
278                                sample_body = Some(body_val.to_string());
279                            }
280                        }
281                    }
282                    "application/x-www-form-urlencoded" => {
283                        features.push(ConformanceFeature::BodyFormUrlencoded);
284                        request_body_content_type =
285                            Some("application/x-www-form-urlencoded".to_string());
286                    }
287                    "multipart/form-data" => {
288                        features.push(ConformanceFeature::BodyMultipart);
289                        request_body_content_type = Some("multipart/form-data".to_string());
290                    }
291                    _ => {}
292                }
293            }
294
295            // Detect schema features in request body (resolves $ref in schema)
296            if let Some(media) = body.content.get("application/json") {
297                if let Some(schema_ref) = &media.schema {
298                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
299                        Self::annotate_schema(schema, spec, &mut features);
300                        // Round 17.2 — keep a clone of the resolved
301                        // body schema so the self-test driver can walk
302                        // it to synthesise schema-aware negatives.
303                        request_body_schema = Some(schema.clone());
304                    }
305                }
306            }
307        }
308
309        // Detect response code features
310        Self::annotate_responses(&op.operation, spec, &mut features);
311
312        // Extract response schema for validation (resolves $ref)
313        let response_schema = Self::extract_response_schema(&op.operation, spec);
314        if response_schema.is_some() {
315            features.push(ConformanceFeature::ResponseValidation);
316        }
317
318        // Detect content negotiation (response with multiple content types)
319        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
320
321        // Detect security features and resolve scheme details
322        let mut security_schemes = Vec::new();
323        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
324
325        // Deduplicate features
326        features.sort_by_key(|f| f.check_name());
327        features.dedup_by_key(|f| f.check_name());
328
329        AnnotatedOperation {
330            path: op.path.clone(),
331            method: op.method.to_uppercase(),
332            features,
333            request_body_content_type,
334            sample_body,
335            query_params,
336            header_params,
337            path_params,
338            response_schema,
339            request_body_schema,
340            security_schemes,
341        }
342    }
343
344    /// Annotate parameter features
345    fn annotate_parameter(
346        param: &Parameter,
347        spec: &OpenAPI,
348        features: &mut Vec<ConformanceFeature>,
349        query_params: &mut Vec<(String, String)>,
350        header_params: &mut Vec<(String, String)>,
351        path_params: &mut Vec<(String, String)>,
352    ) {
353        let (location, data) = match param {
354            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
355            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
356            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
357            Parameter::Cookie { .. } => {
358                features.push(ConformanceFeature::CookieParam);
359                return;
360            }
361        };
362
363        // Detect type from schema
364        let is_integer = Self::param_schema_is_integer(data, spec);
365        let is_array = Self::param_schema_is_array(data, spec);
366
367        // Generate sample value
368        let sample = if is_integer {
369            "42".to_string()
370        } else if is_array {
371            "a,b".to_string()
372        } else {
373            "test-value".to_string()
374        };
375
376        match location {
377            "path" => {
378                if is_integer {
379                    features.push(ConformanceFeature::PathParamInteger);
380                } else {
381                    features.push(ConformanceFeature::PathParamString);
382                }
383                path_params.push((data.name.clone(), sample));
384            }
385            "query" => {
386                if is_array {
387                    features.push(ConformanceFeature::QueryParamArray);
388                } else if is_integer {
389                    features.push(ConformanceFeature::QueryParamInteger);
390                } else {
391                    features.push(ConformanceFeature::QueryParamString);
392                }
393                query_params.push((data.name.clone(), sample));
394            }
395            "header" => {
396                features.push(ConformanceFeature::HeaderParam);
397                header_params.push((data.name.clone(), sample));
398            }
399            _ => {}
400        }
401
402        // Check for constraint features on the parameter (resolves $ref)
403        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
404            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
405                Self::annotate_schema(schema, spec, features);
406            }
407        }
408
409        // Required/optional
410        if data.required {
411            features.push(ConformanceFeature::ConstraintRequired);
412        } else {
413            features.push(ConformanceFeature::ConstraintOptional);
414        }
415    }
416
417    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
418        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
419            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
420                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
421            }
422        }
423        false
424    }
425
426    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
427        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
428            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
429                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
430            }
431        }
432        false
433    }
434
435    /// Annotate schema-level features (types, composition, formats, constraints)
436    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
437        match &schema.schema_kind {
438            SchemaKind::Type(Type::String(s)) => {
439                features.push(ConformanceFeature::SchemaString);
440                // Check format
441                match &s.format {
442                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
443                        features.push(ConformanceFeature::FormatDate);
444                    }
445                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
446                        features.push(ConformanceFeature::FormatDateTime);
447                    }
448                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
449                        "email" => features.push(ConformanceFeature::FormatEmail),
450                        "uuid" => features.push(ConformanceFeature::FormatUuid),
451                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
452                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
453                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
454                        _ => {}
455                    },
456                    _ => {}
457                }
458                // Check constraints
459                if s.pattern.is_some() {
460                    features.push(ConformanceFeature::ConstraintPattern);
461                }
462                if !s.enumeration.is_empty() {
463                    features.push(ConformanceFeature::ConstraintEnum);
464                }
465                if s.min_length.is_some() || s.max_length.is_some() {
466                    features.push(ConformanceFeature::ConstraintMinMax);
467                }
468            }
469            SchemaKind::Type(Type::Integer(i)) => {
470                features.push(ConformanceFeature::SchemaInteger);
471                if i.minimum.is_some() || i.maximum.is_some() {
472                    features.push(ConformanceFeature::ConstraintMinMax);
473                }
474                if !i.enumeration.is_empty() {
475                    features.push(ConformanceFeature::ConstraintEnum);
476                }
477            }
478            SchemaKind::Type(Type::Number(n)) => {
479                features.push(ConformanceFeature::SchemaNumber);
480                if n.minimum.is_some() || n.maximum.is_some() {
481                    features.push(ConformanceFeature::ConstraintMinMax);
482                }
483            }
484            SchemaKind::Type(Type::Boolean(_)) => {
485                features.push(ConformanceFeature::SchemaBoolean);
486            }
487            SchemaKind::Type(Type::Array(arr)) => {
488                features.push(ConformanceFeature::SchemaArray);
489                if let Some(item_ref) = &arr.items {
490                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
491                        Self::annotate_schema(item_schema, spec, features);
492                    }
493                }
494            }
495            SchemaKind::Type(Type::Object(obj)) => {
496                features.push(ConformanceFeature::SchemaObject);
497                // Check required fields
498                if !obj.required.is_empty() {
499                    features.push(ConformanceFeature::ConstraintRequired);
500                }
501                // Walk properties (resolves $ref)
502                for (_name, prop_ref) in &obj.properties {
503                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
504                        Self::annotate_schema(prop_schema, spec, features);
505                    }
506                }
507            }
508            SchemaKind::OneOf { .. } => {
509                features.push(ConformanceFeature::CompositionOneOf);
510            }
511            SchemaKind::AnyOf { .. } => {
512                features.push(ConformanceFeature::CompositionAnyOf);
513            }
514            SchemaKind::AllOf { .. } => {
515                features.push(ConformanceFeature::CompositionAllOf);
516            }
517            _ => {}
518        }
519    }
520
521    /// Detect response code features (resolves $ref in responses)
522    fn annotate_responses(
523        operation: &Operation,
524        spec: &OpenAPI,
525        features: &mut Vec<ConformanceFeature>,
526    ) {
527        for (status_code, resp_ref) in &operation.responses.responses {
528            // Only count features for responses that actually resolve
529            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
530                match status_code {
531                    openapiv3::StatusCode::Code(200) => {
532                        features.push(ConformanceFeature::Response200)
533                    }
534                    openapiv3::StatusCode::Code(201) => {
535                        features.push(ConformanceFeature::Response201)
536                    }
537                    openapiv3::StatusCode::Code(204) => {
538                        features.push(ConformanceFeature::Response204)
539                    }
540                    openapiv3::StatusCode::Code(400) => {
541                        features.push(ConformanceFeature::Response400)
542                    }
543                    openapiv3::StatusCode::Code(404) => {
544                        features.push(ConformanceFeature::Response404)
545                    }
546                    _ => {}
547                }
548            }
549        }
550    }
551
552    /// Extract the response schema for the primary success response (200 or 201)
553    /// Resolves $ref for both the response and the schema within it.
554    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
555        // Try 200 first, then 201
556        for code in [200u16, 201] {
557            if let Some(resp_ref) =
558                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
559            {
560                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
561                    if let Some(media) = response.content.get("application/json") {
562                        if let Some(schema_ref) = &media.schema {
563                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
564                                return Some(schema.clone());
565                            }
566                        }
567                    }
568                }
569            }
570        }
571        None
572    }
573
574    /// Detect content negotiation: response supports multiple content types
575    fn annotate_content_negotiation(
576        operation: &Operation,
577        spec: &OpenAPI,
578        features: &mut Vec<ConformanceFeature>,
579    ) {
580        for (_status_code, resp_ref) in &operation.responses.responses {
581            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
582                if response.content.len() > 1 {
583                    features.push(ConformanceFeature::ContentNegotiation);
584                    return; // Only need to detect once per operation
585                }
586            }
587        }
588    }
589
590    /// Detect security scheme features.
591    /// Checks operation-level security first, falling back to global security requirements.
592    /// Resolves scheme names against SecurityScheme definitions in components.
593    fn annotate_security(
594        operation: &Operation,
595        spec: &OpenAPI,
596        features: &mut Vec<ConformanceFeature>,
597        security_schemes: &mut Vec<SecuritySchemeInfo>,
598    ) {
599        // Use operation-level security if present, otherwise fall back to global
600        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
601
602        if let Some(security) = security_reqs {
603            for security_req in security {
604                for scheme_name in security_req.keys() {
605                    // Try to resolve the scheme from components for accurate type detection
606                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
607                        match resolved {
608                            SecurityScheme::HTTP { ref scheme, .. } => {
609                                if scheme.eq_ignore_ascii_case("bearer") {
610                                    features.push(ConformanceFeature::SecurityBearer);
611                                    security_schemes.push(SecuritySchemeInfo::Bearer);
612                                } else if scheme.eq_ignore_ascii_case("basic") {
613                                    features.push(ConformanceFeature::SecurityBasic);
614                                    security_schemes.push(SecuritySchemeInfo::Basic);
615                                }
616                            }
617                            SecurityScheme::APIKey { location, name, .. } => {
618                                features.push(ConformanceFeature::SecurityApiKey);
619                                let loc = match location {
620                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
621                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
622                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
623                                };
624                                security_schemes.push(SecuritySchemeInfo::ApiKey {
625                                    location: loc,
626                                    name: name.clone(),
627                                });
628                            }
629                            // OAuth2 and OpenIDConnect don't map to our current feature set
630                            _ => {}
631                        }
632                    } else {
633                        // Fallback: heuristic name matching for unresolvable schemes
634                        let name_lower = scheme_name.to_lowercase();
635                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
636                            features.push(ConformanceFeature::SecurityBearer);
637                            security_schemes.push(SecuritySchemeInfo::Bearer);
638                        } else if name_lower.contains("api") && name_lower.contains("key") {
639                            features.push(ConformanceFeature::SecurityApiKey);
640                            security_schemes.push(SecuritySchemeInfo::ApiKey {
641                                location: ApiKeyLocation::Header,
642                                name: "X-API-Key".to_string(),
643                            });
644                        } else if name_lower.contains("basic") {
645                            features.push(ConformanceFeature::SecurityBasic);
646                            security_schemes.push(SecuritySchemeInfo::Basic);
647                        }
648                    }
649                }
650            }
651        }
652    }
653
654    /// Resolve a security scheme name to its SecurityScheme definition
655    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
656        let components = spec.components.as_ref()?;
657        match components.security_schemes.get(name)? {
658            ReferenceOr::Item(scheme) => Some(scheme),
659            ReferenceOr::Reference { .. } => None,
660        }
661    }
662
663    /// Returns the number of operations being tested
664    pub fn operation_count(&self) -> usize {
665        self.operations.len()
666    }
667
668    /// Generate the k6 conformance script.
669    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
670    pub fn generate(&self) -> Result<(String, usize)> {
671        let mut script = String::with_capacity(16384);
672
673        // Imports
674        script.push_str("import http from 'k6/http';\n");
675        script.push_str("import { check, group } from 'k6';\n");
676        if self.config.request_delay_ms > 0 {
677            script.push_str("import { sleep } from 'k6';\n");
678        }
679        script.push('\n');
680
681        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
682        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
683        // http_req_failed errors, producing a misleading error rate percentage.
684        script.push_str(
685            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
686        );
687
688        // Options
689        script.push_str("export const options = {\n");
690        script.push_str("  vus: 1,\n");
691        script.push_str("  iterations: 1,\n");
692        if self.config.skip_tls_verify {
693            script.push_str("  insecureSkipTLSVerify: true,\n");
694        }
695        script.push_str("  thresholds: {\n");
696        script.push_str("    checks: ['rate>0'],\n");
697        script.push_str("  },\n");
698        script.push_str("};\n\n");
699
700        // Base URL (includes base_path if configured)
701        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
702        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
703
704        // Failure detail collector — logs req/res info for failed checks via console.log
705        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
706        script
707            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
708        script.push_str("  let bodyStr = '';\n");
709        script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
710        script.push_str("  let reqHeaders = {};\n");
711        script.push_str(
712            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
713        );
714        script.push_str("  let reqBody = '';\n");
715        script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
716        script.push_str("  let payload = {\n");
717        script.push_str("    check: checkName,\n");
718        script.push_str("    request: {\n");
719        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
720        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
721        script.push_str("      headers: reqHeaders,\n");
722        script.push_str("      body: reqBody,\n");
723        script.push_str("    },\n");
724        script.push_str("    response: {\n");
725        script.push_str("      status: res.status,\n");
726        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
727        script.push_str("      body: bodyStr,\n");
728        script.push_str("    },\n");
729        script.push_str("    expected: expected,\n");
730        script.push_str("  };\n");
731        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
732        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
733        script.push_str("}\n\n");
734
735        // Request/response capture for --export-requests
736        if self.config.export_requests {
737            script.push_str("function __captureExchange(checkName, res) {\n");
738            script.push_str("  let bodyStr = '';\n");
739            script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
740            script.push_str("  let reqHeaders = {};\n");
741            script.push_str(
742                "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
743            );
744            script.push_str("  let reqBody = '';\n");
745            script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
746            script.push_str("  console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
747            script.push_str("    check: checkName,\n");
748            script.push_str("    request: {\n");
749            script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
750            script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
751            script.push_str("      headers: reqHeaders,\n");
752            script.push_str("      body: reqBody,\n");
753            script.push_str("    },\n");
754            script.push_str("    response: {\n");
755            script.push_str("      status: res.status,\n");
756            script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
757            script.push_str("      body: bodyStr,\n");
758            script.push_str("    },\n");
759            script.push_str("  }));\n");
760            script.push_str("}\n\n");
761        }
762
763        // Default function
764        script.push_str("export default function () {\n");
765
766        if self.config.has_cookie_header() {
767            script.push_str(
768                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
769            );
770            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
771        }
772
773        // Group operations by category
774        let mut category_ops: std::collections::BTreeMap<
775            &'static str,
776            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
777        > = std::collections::BTreeMap::new();
778
779        for op in &self.operations {
780            for feature in &op.features {
781                let category = feature.category();
782                if self.config.should_include_category(category) {
783                    category_ops.entry(category).or_default().push((op, feature));
784                }
785            }
786        }
787
788        // Emit grouped tests
789        let mut total_checks = 0usize;
790        for (category, ops) in &category_ops {
791            script.push_str(&format!("  group('{}', function () {{\n", category));
792
793            if self.config.all_operations {
794                // All-operations mode: test every operation, using path-qualified check names
795                let mut emitted_checks: HashSet<String> = HashSet::new();
796                for (op, feature) in ops {
797                    let qualified = format!("{}:{}", feature.check_name(), op.path);
798                    if emitted_checks.insert(qualified.clone()) {
799                        self.emit_check_named(&mut script, op, feature, &qualified);
800                        total_checks += 1;
801                    }
802                }
803            } else {
804                // Default: one representative operation per feature, with path-qualified
805                // check names so failures identify which endpoint was tested.
806                let mut emitted_features: HashSet<&str> = HashSet::new();
807                for (op, feature) in ops {
808                    if emitted_features.insert(feature.check_name()) {
809                        let qualified = format!("{}:{}", feature.check_name(), op.path);
810                        self.emit_check_named(&mut script, op, feature, &qualified);
811                        total_checks += 1;
812                    }
813                }
814            }
815
816            script.push_str("  });\n\n");
817        }
818
819        // Custom checks from YAML file
820        if let Some(custom_group) = self.config.generate_custom_group()? {
821            script.push_str(&custom_group);
822        }
823
824        script.push_str("}\n\n");
825
826        // handleSummary
827        self.generate_handle_summary(&mut script);
828
829        Ok((script, total_checks))
830    }
831
832    /// Emit a single k6 check for an operation + feature with a custom check name
833    fn emit_check_named(
834        &self,
835        script: &mut String,
836        op: &AnnotatedOperation,
837        feature: &ConformanceFeature,
838        check_name: &str,
839    ) {
840        // Escape single quotes in check name since it's embedded in JS single-quoted strings
841        let check_name = check_name.replace('\'', "\\'");
842        let check_name = check_name.as_str();
843
844        script.push_str("    {\n");
845
846        // Build the URL path with parameters substituted
847        let mut url_path = op.path.clone();
848        for (name, value) in &op.path_params {
849            url_path = url_path.replace(&format!("{{{}}}", name), value);
850        }
851
852        // Build query string
853        if !op.query_params.is_empty() {
854            let qs: Vec<String> =
855                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
856            url_path = format!("{}?{}", url_path, qs.join("&"));
857        }
858
859        let full_url = format!("${{BASE_URL}}{}", url_path);
860
861        // Build effective headers: merge spec-derived headers with custom headers.
862        // Custom headers override spec-derived ones with the same name.
863        let mut effective_headers = self.effective_headers(&op.header_params);
864
865        // For non-default response code checks, add header to tell the mock server
866        // which status code to return (the server defaults to the first declared status)
867        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
868            let expected_code = match feature {
869                ConformanceFeature::Response400 => "400",
870                ConformanceFeature::Response404 => "404",
871                _ => unreachable!(),
872            };
873            effective_headers
874                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
875        }
876
877        // For security checks AND for all requests on endpoints with security requirements,
878        // inject auth credentials so the server doesn't reject with 401.
879        // Only inject if the user hasn't already provided the header via --custom-headers.
880        let needs_auth = matches!(
881            feature,
882            ConformanceFeature::SecurityBearer
883                | ConformanceFeature::SecurityBasic
884                | ConformanceFeature::SecurityApiKey
885        ) || !op.security_schemes.is_empty();
886
887        if needs_auth {
888            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
889        }
890
891        let has_headers = !effective_headers.is_empty();
892        let headers_obj = if has_headers {
893            Self::format_headers(&effective_headers)
894        } else {
895            String::new()
896        };
897
898        // Determine HTTP method and emit request
899        match op.method.as_str() {
900            "GET" => {
901                if has_headers {
902                    script.push_str(&format!(
903                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
904                        full_url, headers_obj
905                    ));
906                } else {
907                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
908                }
909            }
910            "POST" => {
911                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
912            }
913            "PUT" => {
914                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
915            }
916            "PATCH" => {
917                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
918            }
919            "DELETE" => {
920                if has_headers {
921                    script.push_str(&format!(
922                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
923                        full_url, headers_obj
924                    ));
925                } else {
926                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
927                }
928            }
929            "HEAD" => {
930                if has_headers {
931                    script.push_str(&format!(
932                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
933                        full_url, headers_obj
934                    ));
935                } else {
936                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
937                }
938            }
939            "OPTIONS" => {
940                if has_headers {
941                    script.push_str(&format!(
942                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
943                        full_url, headers_obj
944                    ));
945                } else {
946                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
947                }
948            }
949            _ => {
950                if has_headers {
951                    script.push_str(&format!(
952                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
953                        full_url, headers_obj
954                    ));
955                } else {
956                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
957                }
958            }
959        }
960
961        // Capture request/response for --export-requests
962        // (check_name is already escaped at line 829 above — don't double-escape)
963        if self.config.export_requests {
964            script.push_str(&format!(
965                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
966                check_name
967            ));
968        }
969
970        // Check: emit assertion based on feature type, with failure detail capture
971        if matches!(
972            feature,
973            ConformanceFeature::Response200
974                | ConformanceFeature::Response201
975                | ConformanceFeature::Response204
976                | ConformanceFeature::Response400
977                | ConformanceFeature::Response404
978        ) {
979            let expected_code = match feature {
980                ConformanceFeature::Response200 => 200,
981                ConformanceFeature::Response201 => 201,
982                ConformanceFeature::Response204 => 204,
983                ConformanceFeature::Response400 => 400,
984                ConformanceFeature::Response404 => 404,
985                _ => 200,
986            };
987            script.push_str(&format!(
988                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
989                check_name, expected_code, check_name, expected_code
990            ));
991        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
992            // Response schema validation — validate the response body against the schema
993            // Uses inline field-level error collection so failure details include
994            // which specific fields violated the schema (field_path, violation_type,
995            // expected, actual) — matching the Ajv `errors` array structure.
996            if let Some(schema) = &op.response_schema {
997                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
998                let schema_json = serde_json::to_string(schema).unwrap_or_default();
999                // Escape backticks and backslashes for JS template literal safety
1000                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
1001                script.push_str(&format!(
1002                    concat!(
1003                        "      try {{\n",
1004                        "        let body = res.json();\n",
1005                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
1006                        "        if (!ok) {{\n",
1007                        "          let __violations = [];\n",
1008                        "          try {{\n",
1009                        "            let __schema = JSON.parse(`{schema}`);\n",
1010                        "            function __collectErrors(schema, data, path) {{\n",
1011                        "              if (!schema || typeof schema !== 'object') return;\n",
1012                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1013                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1014                        "              if (st === 'object') {{\n",
1015                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1016                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1017                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1018                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1019                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1020                        "              }} else if (st === 'array') {{\n",
1021                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1022                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1023                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1024                        "              }} else if (st === 'string') {{\n",
1025                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1026                        "              }} else if (st === 'integer') {{\n",
1027                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1028                        "              }} else if (st === 'number') {{\n",
1029                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1030                        "              }} else if (st === 'boolean') {{\n",
1031                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1032                        "              }}\n",
1033                        "            }}\n",
1034                        "            __collectErrors(__schema, body, '');\n",
1035                        "          }} catch(_e) {{}}\n",
1036                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1037                        "        }}\n",
1038                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1039                    ),
1040                    check = check_name,
1041                    validation = validation_js,
1042                    schema = schema_json_escaped,
1043                ));
1044            }
1045        } else if matches!(
1046            feature,
1047            ConformanceFeature::SecurityBearer
1048                | ConformanceFeature::SecurityBasic
1049                | ConformanceFeature::SecurityApiKey
1050        ) {
1051            // Security checks verify the server accepts the auth credentials (not 401/403)
1052            script.push_str(&format!(
1053                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1054                check_name, check_name
1055            ));
1056        } else {
1057            script.push_str(&format!(
1058                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1059                check_name, check_name
1060            ));
1061        }
1062
1063        // Clear cookie jar after each request to prevent Set-Cookie leaking
1064        let has_cookie = self.config.has_cookie_header()
1065            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1066        if has_cookie {
1067            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1068        }
1069
1070        script.push_str("    }\n");
1071
1072        // Rate-limit delay between checks (to avoid 429 from target API)
1073        if self.config.request_delay_ms > 0 {
1074            script.push_str(&format!(
1075                "    sleep({:.3});\n",
1076                self.config.request_delay_ms as f64 / 1000.0
1077            ));
1078        }
1079    }
1080
1081    /// Emit an HTTP request with a body
1082    fn emit_request_with_body(
1083        &self,
1084        script: &mut String,
1085        method: &str,
1086        url: &str,
1087        op: &AnnotatedOperation,
1088        effective_headers: &[(String, String)],
1089    ) {
1090        if let Some(body) = &op.sample_body {
1091            let escaped_body = body.replace('\'', "\\'");
1092            let headers = if !effective_headers.is_empty() {
1093                format!(
1094                    "Object.assign({{}}, JSON_HEADERS, {})",
1095                    Self::format_headers(effective_headers)
1096                )
1097            } else {
1098                "JSON_HEADERS".to_string()
1099            };
1100            script.push_str(&format!(
1101                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1102                method, url, escaped_body, headers
1103            ));
1104        } else if !effective_headers.is_empty() {
1105            script.push_str(&format!(
1106                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1107                method,
1108                url,
1109                Self::format_headers(effective_headers)
1110            ));
1111        } else {
1112            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1113        }
1114    }
1115
1116    /// Build effective headers by merging spec-derived headers with custom headers.
1117    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1118    /// Custom headers not in the spec are appended.
1119    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1120        let custom = &self.config.custom_headers;
1121        if custom.is_empty() {
1122            return spec_headers.to_vec();
1123        }
1124
1125        let mut result: Vec<(String, String)> = Vec::new();
1126
1127        // Start with spec headers, replacing values if a custom header matches
1128        for (name, value) in spec_headers {
1129            if let Some((_, custom_val)) =
1130                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1131            {
1132                result.push((name.clone(), custom_val.clone()));
1133            } else {
1134                result.push((name.clone(), value.clone()));
1135            }
1136        }
1137
1138        // Append custom headers that aren't already in spec headers
1139        for (name, value) in custom {
1140            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1141                result.push((name.clone(), value.clone()));
1142            }
1143        }
1144
1145        result
1146    }
1147
1148    /// Inject security headers based on resolved security scheme details.
1149    /// Respects user-provided custom headers (won't overwrite if already set).
1150    fn inject_security_headers(
1151        &self,
1152        schemes: &[SecuritySchemeInfo],
1153        headers: &mut Vec<(String, String)>,
1154    ) {
1155        let mut to_add: Vec<(String, String)> = Vec::new();
1156
1157        let has_header = |name: &str, headers: &[(String, String)]| {
1158            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1159                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1160        };
1161
1162        // If user provides Cookie header, they're using session-based auth — skip auto auth
1163        let has_cookie_auth = has_header("Cookie", headers);
1164
1165        for scheme in schemes {
1166            match scheme {
1167                SecuritySchemeInfo::Bearer => {
1168                    if !has_cookie_auth && !has_header("Authorization", headers) {
1169                        // MockForge mock server accepts any Bearer token
1170                        to_add.push((
1171                            "Authorization".to_string(),
1172                            "Bearer mockforge-conformance-test-token".to_string(),
1173                        ));
1174                    }
1175                }
1176                SecuritySchemeInfo::Basic => {
1177                    if !has_cookie_auth && !has_header("Authorization", headers) {
1178                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1179                        use base64::Engine;
1180                        let encoded =
1181                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1182                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1183                    }
1184                }
1185                SecuritySchemeInfo::ApiKey { location, name } => match location {
1186                    ApiKeyLocation::Header => {
1187                        if !has_header(name, headers) {
1188                            let key = self
1189                                .config
1190                                .api_key
1191                                .as_deref()
1192                                .unwrap_or("mockforge-conformance-test-key");
1193                            to_add.push((name.clone(), key.to_string()));
1194                        }
1195                    }
1196                    ApiKeyLocation::Cookie => {
1197                        if !has_header("Cookie", headers) {
1198                            to_add.push((
1199                                "Cookie".to_string(),
1200                                format!("{}=mockforge-conformance-test-session", name),
1201                            ));
1202                        }
1203                    }
1204                    ApiKeyLocation::Query => {
1205                        // Query params are handled via URL, not headers — skip here
1206                    }
1207                },
1208            }
1209        }
1210
1211        headers.extend(to_add);
1212    }
1213
1214    /// Format header params as a JS object literal
1215    fn format_headers(headers: &[(String, String)]) -> String {
1216        let entries: Vec<String> = headers
1217            .iter()
1218            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1219            .collect();
1220        format!("{{ {} }}", entries.join(", "))
1221    }
1222
1223    /// handleSummary — same format as reference mode for report compatibility
1224    fn generate_handle_summary(&self, script: &mut String) {
1225        // Use absolute path for report output so k6 writes where the CLI expects
1226        let report_path = match &self.config.output_dir {
1227            Some(dir) => {
1228                let abs = std::fs::canonicalize(dir)
1229                    .unwrap_or_else(|_| dir.clone())
1230                    .join("conformance-report.json");
1231                abs.to_string_lossy().to_string()
1232            }
1233            None => "conformance-report.json".to_string(),
1234        };
1235
1236        script.push_str("export function handleSummary(data) {\n");
1237        script.push_str("  let checks = {};\n");
1238        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1239        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1240        script.push_str("  }\n");
1241        script.push_str("  let checkResults = {};\n");
1242        script.push_str("  function walkGroups(group) {\n");
1243        script.push_str("    if (group.checks) {\n");
1244        script.push_str("      for (let checkObj of group.checks) {\n");
1245        script.push_str("        checkResults[checkObj.name] = {\n");
1246        script.push_str("          passes: checkObj.passes,\n");
1247        script.push_str("          fails: checkObj.fails,\n");
1248        script.push_str("        };\n");
1249        script.push_str("      }\n");
1250        script.push_str("    }\n");
1251        script.push_str("    if (group.groups) {\n");
1252        script.push_str("      for (let subGroup of group.groups) {\n");
1253        script.push_str("        walkGroups(subGroup);\n");
1254        script.push_str("      }\n");
1255        script.push_str("    }\n");
1256        script.push_str("  }\n");
1257        script.push_str("  if (data.root_group) {\n");
1258        script.push_str("    walkGroups(data.root_group);\n");
1259        script.push_str("  }\n");
1260        script.push_str("  return {\n");
1261        script.push_str(&format!(
1262            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1263            report_path
1264        ));
1265        script.push_str("    'summary.json': JSON.stringify(data),\n");
1266        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1267        script.push_str("  };\n");
1268        script.push_str("}\n\n");
1269        script.push_str("function textSummary(data, opts) {\n");
1270        script.push_str("  return JSON.stringify(data, null, 2);\n");
1271        script.push_str("}\n");
1272    }
1273}
1274
1275#[cfg(test)]
1276mod tests {
1277    use super::*;
1278    use openapiv3::{
1279        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1280        SchemaData, SchemaKind, StringType, Type,
1281    };
1282
1283    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1284        ApiOperation {
1285            method: method.to_string(),
1286            path: path.to_string(),
1287            operation,
1288            operation_id: None,
1289        }
1290    }
1291
1292    fn empty_spec() -> OpenAPI {
1293        OpenAPI::default()
1294    }
1295
1296    #[test]
1297    fn test_annotate_get_with_path_param() {
1298        let mut op = Operation::default();
1299        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1300            parameter_data: ParameterData {
1301                name: "id".to_string(),
1302                description: None,
1303                required: true,
1304                deprecated: None,
1305                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1306                    schema_data: SchemaData::default(),
1307                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1308                })),
1309                example: None,
1310                examples: Default::default(),
1311                explode: None,
1312                extensions: Default::default(),
1313            },
1314            style: PathStyle::Simple,
1315        }));
1316
1317        let api_op = make_op("get", "/users/{id}", op);
1318        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1319
1320        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1321        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1322        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1323        assert_eq!(annotated.path_params.len(), 1);
1324        assert_eq!(annotated.path_params[0].0, "id");
1325    }
1326
1327    #[test]
1328    fn test_annotate_post_with_json_body() {
1329        let mut op = Operation::default();
1330        let mut body = RequestBody {
1331            required: true,
1332            ..Default::default()
1333        };
1334        body.content
1335            .insert("application/json".to_string(), openapiv3::MediaType::default());
1336        op.request_body = Some(ReferenceOr::Item(body));
1337
1338        let api_op = make_op("post", "/items", op);
1339        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1340
1341        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1342        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1343    }
1344
1345    #[test]
1346    fn test_annotate_response_codes() {
1347        let mut op = Operation::default();
1348        op.responses
1349            .responses
1350            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1351        op.responses
1352            .responses
1353            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1354
1355        let api_op = make_op("get", "/items", op);
1356        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1357
1358        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1359        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1360    }
1361
1362    #[test]
1363    fn test_generate_spec_driven_script() {
1364        let config = ConformanceConfig {
1365            target_url: "http://localhost:3000".to_string(),
1366            api_key: None,
1367            basic_auth: None,
1368            skip_tls_verify: false,
1369            categories: None,
1370            base_path: None,
1371            custom_headers: vec![],
1372            output_dir: None,
1373            all_operations: false,
1374            custom_checks_file: None,
1375            request_delay_ms: 0,
1376            custom_filter: None,
1377            export_requests: false,
1378            validate_requests: false,
1379        };
1380
1381        let operations = vec![AnnotatedOperation {
1382            path: "/users/{id}".to_string(),
1383            method: "GET".to_string(),
1384            features: vec![
1385                ConformanceFeature::MethodGet,
1386                ConformanceFeature::PathParamString,
1387            ],
1388            request_body_content_type: None,
1389            sample_body: None,
1390            query_params: vec![],
1391            header_params: vec![],
1392            path_params: vec![("id".to_string(), "test-value".to_string())],
1393            response_schema: None,
1394            request_body_schema: None,
1395            security_schemes: vec![],
1396        }];
1397
1398        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1399        let (script, _check_count) = gen.generate().unwrap();
1400
1401        assert!(script.contains("import http from 'k6/http'"));
1402        assert!(script.contains("/users/test-value"));
1403        assert!(script.contains("param:path:string"));
1404        assert!(script.contains("method:GET"));
1405        assert!(script.contains("handleSummary"));
1406    }
1407
1408    #[test]
1409    fn test_generate_with_category_filter() {
1410        let config = ConformanceConfig {
1411            target_url: "http://localhost:3000".to_string(),
1412            api_key: None,
1413            basic_auth: None,
1414            skip_tls_verify: false,
1415            categories: Some(vec!["Parameters".to_string()]),
1416            base_path: None,
1417            custom_headers: vec![],
1418            output_dir: None,
1419            all_operations: false,
1420            custom_checks_file: None,
1421            request_delay_ms: 0,
1422            custom_filter: None,
1423            export_requests: false,
1424            validate_requests: false,
1425        };
1426
1427        let operations = vec![AnnotatedOperation {
1428            path: "/users/{id}".to_string(),
1429            method: "GET".to_string(),
1430            features: vec![
1431                ConformanceFeature::MethodGet,
1432                ConformanceFeature::PathParamString,
1433            ],
1434            request_body_content_type: None,
1435            sample_body: None,
1436            query_params: vec![],
1437            header_params: vec![],
1438            path_params: vec![("id".to_string(), "1".to_string())],
1439            response_schema: None,
1440            request_body_schema: None,
1441            security_schemes: vec![],
1442        }];
1443
1444        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1445        let (script, _check_count) = gen.generate().unwrap();
1446
1447        assert!(script.contains("group('Parameters'"));
1448        assert!(!script.contains("group('HTTP Methods'"));
1449    }
1450
1451    #[test]
1452    fn test_annotate_response_validation() {
1453        use openapiv3::ObjectType;
1454
1455        // Operation with a 200 response that has a JSON schema
1456        let mut op = Operation::default();
1457        let mut response = Response::default();
1458        let mut media = openapiv3::MediaType::default();
1459        let mut obj_type = ObjectType::default();
1460        obj_type.properties.insert(
1461            "name".to_string(),
1462            ReferenceOr::Item(Box::new(Schema {
1463                schema_data: SchemaData::default(),
1464                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1465            })),
1466        );
1467        obj_type.required = vec!["name".to_string()];
1468        media.schema = Some(ReferenceOr::Item(Schema {
1469            schema_data: SchemaData::default(),
1470            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1471        }));
1472        response.content.insert("application/json".to_string(), media);
1473        op.responses
1474            .responses
1475            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1476
1477        let api_op = make_op("get", "/users", op);
1478        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1479
1480        assert!(
1481            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1482            "Should detect ResponseValidation when response has a JSON schema"
1483        );
1484        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1485
1486        // Verify generated script includes schema validation with try-catch
1487        let config = ConformanceConfig {
1488            target_url: "http://localhost:3000".to_string(),
1489            api_key: None,
1490            basic_auth: None,
1491            skip_tls_verify: false,
1492            categories: None,
1493            base_path: None,
1494            custom_headers: vec![],
1495            output_dir: None,
1496            all_operations: false,
1497            custom_checks_file: None,
1498            request_delay_ms: 0,
1499            custom_filter: None,
1500            export_requests: false,
1501            validate_requests: false,
1502        };
1503        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1504        let (script, _check_count) = gen.generate().unwrap();
1505
1506        assert!(
1507            script.contains("response:schema:validation"),
1508            "Script should contain the validation check name"
1509        );
1510        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1511        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1512    }
1513
1514    #[test]
1515    fn test_annotate_global_security() {
1516        // Spec with global security requirement, operation without its own security
1517        let op = Operation::default();
1518        let mut spec = OpenAPI::default();
1519        let mut global_req = openapiv3::SecurityRequirement::new();
1520        global_req.insert("bearerAuth".to_string(), vec![]);
1521        spec.security = Some(vec![global_req]);
1522        // Define the security scheme in components
1523        let mut components = openapiv3::Components::default();
1524        components.security_schemes.insert(
1525            "bearerAuth".to_string(),
1526            ReferenceOr::Item(SecurityScheme::HTTP {
1527                scheme: "bearer".to_string(),
1528                bearer_format: Some("JWT".to_string()),
1529                description: None,
1530                extensions: Default::default(),
1531            }),
1532        );
1533        spec.components = Some(components);
1534
1535        let api_op = make_op("get", "/protected", op);
1536        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1537
1538        assert!(
1539            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1540            "Should detect SecurityBearer from global security + components"
1541        );
1542    }
1543
1544    #[test]
1545    fn test_annotate_security_scheme_resolution() {
1546        // Test that security scheme type is resolved from components, not just name heuristic
1547        let mut op = Operation::default();
1548        // Use a generic name that wouldn't match name heuristics
1549        let mut req = openapiv3::SecurityRequirement::new();
1550        req.insert("myAuth".to_string(), vec![]);
1551        op.security = Some(vec![req]);
1552
1553        let mut spec = OpenAPI::default();
1554        let mut components = openapiv3::Components::default();
1555        components.security_schemes.insert(
1556            "myAuth".to_string(),
1557            ReferenceOr::Item(SecurityScheme::APIKey {
1558                location: openapiv3::APIKeyLocation::Header,
1559                name: "X-API-Key".to_string(),
1560                description: None,
1561                extensions: Default::default(),
1562            }),
1563        );
1564        spec.components = Some(components);
1565
1566        let api_op = make_op("get", "/data", op);
1567        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1568
1569        assert!(
1570            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1571            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1572        );
1573    }
1574
1575    #[test]
1576    fn test_annotate_content_negotiation() {
1577        let mut op = Operation::default();
1578        let mut response = Response::default();
1579        // Response with multiple content types
1580        response
1581            .content
1582            .insert("application/json".to_string(), openapiv3::MediaType::default());
1583        response
1584            .content
1585            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1586        op.responses
1587            .responses
1588            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1589
1590        let api_op = make_op("get", "/items", op);
1591        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1592
1593        assert!(
1594            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1595            "Should detect ContentNegotiation when response has multiple content types"
1596        );
1597    }
1598
1599    #[test]
1600    fn test_no_content_negotiation_for_single_type() {
1601        let mut op = Operation::default();
1602        let mut response = Response::default();
1603        response
1604            .content
1605            .insert("application/json".to_string(), openapiv3::MediaType::default());
1606        op.responses
1607            .responses
1608            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1609
1610        let api_op = make_op("get", "/items", op);
1611        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1612
1613        assert!(
1614            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1615            "Should NOT detect ContentNegotiation for a single content type"
1616        );
1617    }
1618
1619    #[test]
1620    fn test_spec_driven_with_base_path() {
1621        let annotated = AnnotatedOperation {
1622            path: "/users".to_string(),
1623            method: "GET".to_string(),
1624            features: vec![ConformanceFeature::MethodGet],
1625            path_params: vec![],
1626            query_params: vec![],
1627            header_params: vec![],
1628            request_body_content_type: None,
1629            sample_body: None,
1630            response_schema: None,
1631            request_body_schema: None,
1632            security_schemes: vec![],
1633        };
1634        let config = ConformanceConfig {
1635            target_url: "https://192.168.2.86/".to_string(),
1636            api_key: None,
1637            basic_auth: None,
1638            skip_tls_verify: true,
1639            categories: None,
1640            base_path: Some("/api".to_string()),
1641            custom_headers: vec![],
1642            output_dir: None,
1643            all_operations: false,
1644            custom_checks_file: None,
1645            request_delay_ms: 0,
1646            custom_filter: None,
1647            export_requests: false,
1648            validate_requests: false,
1649        };
1650        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1651        let (script, _check_count) = gen.generate().unwrap();
1652
1653        assert!(
1654            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1655            "BASE_URL should include the base_path. Got: {}",
1656            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1657        );
1658    }
1659
1660    #[test]
1661    fn test_spec_driven_with_custom_headers() {
1662        let annotated = AnnotatedOperation {
1663            path: "/users".to_string(),
1664            method: "GET".to_string(),
1665            features: vec![ConformanceFeature::MethodGet],
1666            path_params: vec![],
1667            query_params: vec![],
1668            header_params: vec![
1669                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1670                ("X-CSRFToken".to_string(), "test-value".to_string()),
1671            ],
1672            request_body_content_type: None,
1673            sample_body: None,
1674            response_schema: None,
1675            request_body_schema: None,
1676            security_schemes: vec![],
1677        };
1678        let config = ConformanceConfig {
1679            target_url: "https://192.168.2.86/".to_string(),
1680            api_key: None,
1681            basic_auth: None,
1682            skip_tls_verify: true,
1683            categories: None,
1684            base_path: Some("/api".to_string()),
1685            custom_headers: vec![
1686                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1687                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1688                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1689            ],
1690            output_dir: None,
1691            all_operations: false,
1692            custom_checks_file: None,
1693            request_delay_ms: 0,
1694            custom_filter: None,
1695            export_requests: false,
1696            validate_requests: false,
1697        };
1698        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1699        let (script, _check_count) = gen.generate().unwrap();
1700
1701        // Custom headers should override spec-derived test-value placeholders
1702        assert!(
1703            script.contains("'X-Avi-Tenant': 'admin'"),
1704            "Should use custom value for X-Avi-Tenant, not test-value"
1705        );
1706        assert!(
1707            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1708            "Should use custom value for X-CSRFToken, not test-value"
1709        );
1710        // Custom headers not in spec should be appended
1711        assert!(
1712            script.contains("'Cookie': 'sessionid=abc123'"),
1713            "Should include Cookie header from custom_headers"
1714        );
1715        // test-value should NOT appear
1716        assert!(
1717            !script.contains("'test-value'"),
1718            "test-value placeholders should be replaced by custom values"
1719        );
1720    }
1721
1722    #[test]
1723    fn test_effective_headers_merging() {
1724        let config = ConformanceConfig {
1725            target_url: "http://localhost".to_string(),
1726            api_key: None,
1727            basic_auth: None,
1728            skip_tls_verify: false,
1729            categories: None,
1730            base_path: None,
1731            custom_headers: vec![
1732                ("X-Auth".to_string(), "real-token".to_string()),
1733                ("Cookie".to_string(), "session=abc".to_string()),
1734            ],
1735            output_dir: None,
1736            all_operations: false,
1737            custom_checks_file: None,
1738            request_delay_ms: 0,
1739            custom_filter: None,
1740            export_requests: false,
1741            validate_requests: false,
1742        };
1743        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1744
1745        // Spec headers with a matching custom header
1746        let spec_headers = vec![
1747            ("X-Auth".to_string(), "test-value".to_string()),
1748            ("X-Other".to_string(), "keep-this".to_string()),
1749        ];
1750        let effective = gen.effective_headers(&spec_headers);
1751
1752        // X-Auth should be overridden
1753        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1754        // X-Other should be kept as-is
1755        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1756        // Cookie should be appended
1757        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1758    }
1759}