Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Round 25 — per-status response schemas (JSON values, pre-resolved
180    /// via $ref). Keyed by HTTP status code, populated for every
181    /// status declared in the spec that has an `application/json`
182    /// body. The self-test driver looks up the schema for each probe's
183    /// actual status and validates the response body against it
184    /// (closing round 21.3 / Srikanth's a2 / a3 ask). Empty when the
185    /// spec declares no JSON response bodies.
186    pub response_schemas: std::collections::BTreeMap<u16, serde_json::Value>,
187    /// Round 17.2 — the resolved request-body schema (application/json).
188    /// Used by the self-test driver to synthesise schema-aware
189    /// negative mutations (wrong type, min/max bounds, pattern, enum
190    /// out-of-range, required-field removal). Independent of
191    /// `sample_body`, which is the positive payload.
192    pub request_body_schema: Option<Schema>,
193    /// Security scheme details resolved from the OpenAPI spec
194    pub security_schemes: Vec<SecuritySchemeInfo>,
195}
196
197/// Generates spec-driven conformance k6 scripts
198pub struct SpecDrivenConformanceGenerator {
199    config: ConformanceConfig,
200    operations: Vec<AnnotatedOperation>,
201}
202
203impl SpecDrivenConformanceGenerator {
204    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
205        Self { config, operations }
206    }
207
208    /// Annotate a list of API operations with conformance features
209    pub fn annotate_operations(
210        operations: &[ApiOperation],
211        spec: &OpenAPI,
212    ) -> Vec<AnnotatedOperation> {
213        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
214    }
215
216    /// Analyze an operation and determine which conformance features it exercises
217    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
218        let mut features = Vec::new();
219        let mut query_params = Vec::new();
220        let mut header_params = Vec::new();
221        let mut path_params = Vec::new();
222
223        // Detect HTTP method feature
224        match op.method.to_uppercase().as_str() {
225            "GET" => features.push(ConformanceFeature::MethodGet),
226            "POST" => features.push(ConformanceFeature::MethodPost),
227            "PUT" => features.push(ConformanceFeature::MethodPut),
228            "PATCH" => features.push(ConformanceFeature::MethodPatch),
229            "DELETE" => features.push(ConformanceFeature::MethodDelete),
230            "HEAD" => features.push(ConformanceFeature::MethodHead),
231            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
232            _ => {}
233        }
234
235        // Detect parameter features (resolves $ref)
236        for param_ref in &op.operation.parameters {
237            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
238                Self::annotate_parameter(
239                    param,
240                    spec,
241                    &mut features,
242                    &mut query_params,
243                    &mut header_params,
244                    &mut path_params,
245                );
246            }
247        }
248
249        // Detect path parameters from the path template itself
250        for segment in op.path.split('/') {
251            if segment.starts_with('{') && segment.ends_with('}') {
252                let name = &segment[1..segment.len() - 1];
253                // Only add if not already found from parameters
254                if !path_params.iter().any(|(n, _)| n == name) {
255                    path_params.push((name.to_string(), "test-value".to_string()));
256                    // Determine type from path params we didn't already handle
257                    if !features.contains(&ConformanceFeature::PathParamString)
258                        && !features.contains(&ConformanceFeature::PathParamInteger)
259                    {
260                        features.push(ConformanceFeature::PathParamString);
261                    }
262                }
263            }
264        }
265
266        // Detect request body features (resolves $ref)
267        let mut request_body_content_type = None;
268        let mut sample_body = None;
269        let mut request_body_schema: Option<Schema> = None;
270
271        let resolved_body = op
272            .operation
273            .request_body
274            .as_ref()
275            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
276
277        if let Some(body) = resolved_body {
278            for (content_type, _media) in &body.content {
279                match content_type.as_str() {
280                    "application/json" => {
281                        features.push(ConformanceFeature::BodyJson);
282                        request_body_content_type = Some("application/json".to_string());
283                        // Generate sample body from schema
284                        if let Ok(template) = RequestGenerator::generate_template(op) {
285                            if let Some(body_val) = &template.body {
286                                sample_body = Some(body_val.to_string());
287                            }
288                        }
289                    }
290                    "application/x-www-form-urlencoded" => {
291                        features.push(ConformanceFeature::BodyFormUrlencoded);
292                        request_body_content_type =
293                            Some("application/x-www-form-urlencoded".to_string());
294                    }
295                    "multipart/form-data" => {
296                        features.push(ConformanceFeature::BodyMultipart);
297                        request_body_content_type = Some("multipart/form-data".to_string());
298                    }
299                    _ => {}
300                }
301            }
302
303            // Detect schema features in request body (resolves $ref in schema)
304            if let Some(media) = body.content.get("application/json") {
305                if let Some(schema_ref) = &media.schema {
306                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
307                        Self::annotate_schema(schema, spec, &mut features);
308                        // Round 17.2 — keep a clone of the resolved
309                        // body schema so the self-test driver can walk
310                        // it to synthesise schema-aware negatives.
311                        request_body_schema = Some(schema.clone());
312                    }
313                }
314            }
315        }
316
317        // Detect response code features
318        Self::annotate_responses(&op.operation, spec, &mut features);
319
320        // Extract response schema for validation (resolves $ref)
321        let response_schema = Self::extract_response_schema(&op.operation, spec);
322        if response_schema.is_some() {
323            features.push(ConformanceFeature::ResponseValidation);
324        }
325        // Round 25 — per-status response schema map (closes round 21.3).
326        let response_schemas = Self::extract_response_schemas_per_status(&op.operation, spec);
327
328        // Detect content negotiation (response with multiple content types)
329        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
330
331        // Detect security features and resolve scheme details
332        let mut security_schemes = Vec::new();
333        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
334
335        // Deduplicate features
336        features.sort_by_key(|f| f.check_name());
337        features.dedup_by_key(|f| f.check_name());
338
339        AnnotatedOperation {
340            path: op.path.clone(),
341            method: op.method.to_uppercase(),
342            features,
343            request_body_content_type,
344            sample_body,
345            query_params,
346            header_params,
347            path_params,
348            response_schema,
349            response_schemas,
350            request_body_schema,
351            security_schemes,
352        }
353    }
354
355    /// Annotate parameter features
356    fn annotate_parameter(
357        param: &Parameter,
358        spec: &OpenAPI,
359        features: &mut Vec<ConformanceFeature>,
360        query_params: &mut Vec<(String, String)>,
361        header_params: &mut Vec<(String, String)>,
362        path_params: &mut Vec<(String, String)>,
363    ) {
364        let (location, data) = match param {
365            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
366            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
367            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
368            Parameter::Cookie { .. } => {
369                features.push(ConformanceFeature::CookieParam);
370                return;
371            }
372        };
373
374        // Detect type from schema
375        let is_integer = Self::param_schema_is_integer(data, spec);
376        let is_array = Self::param_schema_is_array(data, spec);
377
378        // Generate sample value
379        let sample = if is_integer {
380            "42".to_string()
381        } else if is_array {
382            "a,b".to_string()
383        } else {
384            "test-value".to_string()
385        };
386
387        match location {
388            "path" => {
389                if is_integer {
390                    features.push(ConformanceFeature::PathParamInteger);
391                } else {
392                    features.push(ConformanceFeature::PathParamString);
393                }
394                path_params.push((data.name.clone(), sample));
395            }
396            "query" => {
397                if is_array {
398                    features.push(ConformanceFeature::QueryParamArray);
399                } else if is_integer {
400                    features.push(ConformanceFeature::QueryParamInteger);
401                } else {
402                    features.push(ConformanceFeature::QueryParamString);
403                }
404                query_params.push((data.name.clone(), sample));
405            }
406            "header" => {
407                features.push(ConformanceFeature::HeaderParam);
408                header_params.push((data.name.clone(), sample));
409            }
410            _ => {}
411        }
412
413        // Check for constraint features on the parameter (resolves $ref)
414        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
415            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
416                Self::annotate_schema(schema, spec, features);
417            }
418        }
419
420        // Required/optional
421        if data.required {
422            features.push(ConformanceFeature::ConstraintRequired);
423        } else {
424            features.push(ConformanceFeature::ConstraintOptional);
425        }
426    }
427
428    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
429        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
430            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
431                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
432            }
433        }
434        false
435    }
436
437    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
438        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
439            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
440                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
441            }
442        }
443        false
444    }
445
446    /// Annotate schema-level features (types, composition, formats, constraints)
447    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
448        match &schema.schema_kind {
449            SchemaKind::Type(Type::String(s)) => {
450                features.push(ConformanceFeature::SchemaString);
451                // Check format
452                match &s.format {
453                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
454                        features.push(ConformanceFeature::FormatDate);
455                    }
456                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
457                        features.push(ConformanceFeature::FormatDateTime);
458                    }
459                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
460                        "email" => features.push(ConformanceFeature::FormatEmail),
461                        "uuid" => features.push(ConformanceFeature::FormatUuid),
462                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
463                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
464                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
465                        _ => {}
466                    },
467                    _ => {}
468                }
469                // Check constraints
470                if s.pattern.is_some() {
471                    features.push(ConformanceFeature::ConstraintPattern);
472                }
473                if !s.enumeration.is_empty() {
474                    features.push(ConformanceFeature::ConstraintEnum);
475                }
476                if s.min_length.is_some() || s.max_length.is_some() {
477                    features.push(ConformanceFeature::ConstraintMinMax);
478                }
479            }
480            SchemaKind::Type(Type::Integer(i)) => {
481                features.push(ConformanceFeature::SchemaInteger);
482                if i.minimum.is_some() || i.maximum.is_some() {
483                    features.push(ConformanceFeature::ConstraintMinMax);
484                }
485                if !i.enumeration.is_empty() {
486                    features.push(ConformanceFeature::ConstraintEnum);
487                }
488            }
489            SchemaKind::Type(Type::Number(n)) => {
490                features.push(ConformanceFeature::SchemaNumber);
491                if n.minimum.is_some() || n.maximum.is_some() {
492                    features.push(ConformanceFeature::ConstraintMinMax);
493                }
494            }
495            SchemaKind::Type(Type::Boolean(_)) => {
496                features.push(ConformanceFeature::SchemaBoolean);
497            }
498            SchemaKind::Type(Type::Array(arr)) => {
499                features.push(ConformanceFeature::SchemaArray);
500                if let Some(item_ref) = &arr.items {
501                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
502                        Self::annotate_schema(item_schema, spec, features);
503                    }
504                }
505            }
506            SchemaKind::Type(Type::Object(obj)) => {
507                features.push(ConformanceFeature::SchemaObject);
508                // Check required fields
509                if !obj.required.is_empty() {
510                    features.push(ConformanceFeature::ConstraintRequired);
511                }
512                // Walk properties (resolves $ref)
513                for (_name, prop_ref) in &obj.properties {
514                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
515                        Self::annotate_schema(prop_schema, spec, features);
516                    }
517                }
518            }
519            SchemaKind::OneOf { .. } => {
520                features.push(ConformanceFeature::CompositionOneOf);
521            }
522            SchemaKind::AnyOf { .. } => {
523                features.push(ConformanceFeature::CompositionAnyOf);
524            }
525            SchemaKind::AllOf { .. } => {
526                features.push(ConformanceFeature::CompositionAllOf);
527            }
528            _ => {}
529        }
530    }
531
532    /// Detect response code features (resolves $ref in responses)
533    fn annotate_responses(
534        operation: &Operation,
535        spec: &OpenAPI,
536        features: &mut Vec<ConformanceFeature>,
537    ) {
538        for (status_code, resp_ref) in &operation.responses.responses {
539            // Only count features for responses that actually resolve
540            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
541                match status_code {
542                    openapiv3::StatusCode::Code(200) => {
543                        features.push(ConformanceFeature::Response200)
544                    }
545                    openapiv3::StatusCode::Code(201) => {
546                        features.push(ConformanceFeature::Response201)
547                    }
548                    openapiv3::StatusCode::Code(204) => {
549                        features.push(ConformanceFeature::Response204)
550                    }
551                    openapiv3::StatusCode::Code(400) => {
552                        features.push(ConformanceFeature::Response400)
553                    }
554                    openapiv3::StatusCode::Code(404) => {
555                        features.push(ConformanceFeature::Response404)
556                    }
557                    _ => {}
558                }
559            }
560        }
561    }
562
563    /// Round 25 — extract every declared response schema, keyed by the
564    /// numeric HTTP status. Only `application/json` content types are
565    /// included (the only body shape the self-test validates against).
566    /// Used by the self-test driver to validate response bodies against
567    /// the schema for the ACTUAL status returned, not just 200.
568    fn extract_response_schemas_per_status(
569        operation: &Operation,
570        spec: &OpenAPI,
571    ) -> std::collections::BTreeMap<u16, serde_json::Value> {
572        let mut out = std::collections::BTreeMap::new();
573        for (code, resp_ref) in &operation.responses.responses {
574            let openapiv3::StatusCode::Code(n) = code else {
575                continue; // skip "default" / range responses for now
576            };
577            let Some(response) = ref_resolver::resolve_response(resp_ref, spec) else {
578                continue;
579            };
580            let Some(media) = response.content.get("application/json") else {
581                continue;
582            };
583            let Some(schema_ref) = &media.schema else {
584                continue;
585            };
586            let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) else {
587                continue;
588            };
589            // Convert openapiv3::Schema → serde_json::Value so the
590            // validation step can hand it straight to jsonschema.
591            if let Ok(value) = serde_json::to_value(schema) {
592                out.insert(*n, value);
593            }
594        }
595        out
596    }
597
598    /// Extract the response schema for the primary success response (200 or 201)
599    /// Resolves $ref for both the response and the schema within it.
600    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
601        // Try 200 first, then 201
602        for code in [200u16, 201] {
603            if let Some(resp_ref) =
604                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
605            {
606                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
607                    if let Some(media) = response.content.get("application/json") {
608                        if let Some(schema_ref) = &media.schema {
609                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
610                                return Some(schema.clone());
611                            }
612                        }
613                    }
614                }
615            }
616        }
617        None
618    }
619
620    /// Detect content negotiation: response supports multiple content types
621    fn annotate_content_negotiation(
622        operation: &Operation,
623        spec: &OpenAPI,
624        features: &mut Vec<ConformanceFeature>,
625    ) {
626        for (_status_code, resp_ref) in &operation.responses.responses {
627            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
628                if response.content.len() > 1 {
629                    features.push(ConformanceFeature::ContentNegotiation);
630                    return; // Only need to detect once per operation
631                }
632            }
633        }
634    }
635
636    /// Detect security scheme features.
637    /// Checks operation-level security first, falling back to global security requirements.
638    /// Resolves scheme names against SecurityScheme definitions in components.
639    fn annotate_security(
640        operation: &Operation,
641        spec: &OpenAPI,
642        features: &mut Vec<ConformanceFeature>,
643        security_schemes: &mut Vec<SecuritySchemeInfo>,
644    ) {
645        // Use operation-level security if present, otherwise fall back to global
646        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
647
648        if let Some(security) = security_reqs {
649            for security_req in security {
650                for scheme_name in security_req.keys() {
651                    // Try to resolve the scheme from components for accurate type detection
652                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
653                        match resolved {
654                            SecurityScheme::HTTP { ref scheme, .. } => {
655                                if scheme.eq_ignore_ascii_case("bearer") {
656                                    features.push(ConformanceFeature::SecurityBearer);
657                                    security_schemes.push(SecuritySchemeInfo::Bearer);
658                                } else if scheme.eq_ignore_ascii_case("basic") {
659                                    features.push(ConformanceFeature::SecurityBasic);
660                                    security_schemes.push(SecuritySchemeInfo::Basic);
661                                }
662                            }
663                            SecurityScheme::APIKey { location, name, .. } => {
664                                features.push(ConformanceFeature::SecurityApiKey);
665                                let loc = match location {
666                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
667                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
668                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
669                                };
670                                security_schemes.push(SecuritySchemeInfo::ApiKey {
671                                    location: loc,
672                                    name: name.clone(),
673                                });
674                            }
675                            // OAuth2 and OpenIDConnect don't map to our current feature set
676                            _ => {}
677                        }
678                    } else {
679                        // Fallback: heuristic name matching for unresolvable schemes
680                        let name_lower = scheme_name.to_lowercase();
681                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
682                            features.push(ConformanceFeature::SecurityBearer);
683                            security_schemes.push(SecuritySchemeInfo::Bearer);
684                        } else if name_lower.contains("api") && name_lower.contains("key") {
685                            features.push(ConformanceFeature::SecurityApiKey);
686                            security_schemes.push(SecuritySchemeInfo::ApiKey {
687                                location: ApiKeyLocation::Header,
688                                name: "X-API-Key".to_string(),
689                            });
690                        } else if name_lower.contains("basic") {
691                            features.push(ConformanceFeature::SecurityBasic);
692                            security_schemes.push(SecuritySchemeInfo::Basic);
693                        }
694                    }
695                }
696            }
697        }
698    }
699
700    /// Resolve a security scheme name to its SecurityScheme definition
701    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
702        let components = spec.components.as_ref()?;
703        match components.security_schemes.get(name)? {
704            ReferenceOr::Item(scheme) => Some(scheme),
705            ReferenceOr::Reference { .. } => None,
706        }
707    }
708
709    /// Returns the number of operations being tested
710    pub fn operation_count(&self) -> usize {
711        self.operations.len()
712    }
713
714    /// Generate the k6 conformance script.
715    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
716    pub fn generate(&self) -> Result<(String, usize)> {
717        let mut script = String::with_capacity(16384);
718
719        // Imports
720        script.push_str("import http from 'k6/http';\n");
721        script.push_str("import { check, group } from 'k6';\n");
722        if self.config.request_delay_ms > 0 {
723            script.push_str("import { sleep } from 'k6';\n");
724        }
725        script.push('\n');
726
727        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
728        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
729        // http_req_failed errors, producing a misleading error rate percentage.
730        script.push_str(
731            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
732        );
733
734        // Options
735        script.push_str("export const options = {\n");
736        script.push_str("  vus: 1,\n");
737        script.push_str("  iterations: 1,\n");
738        if self.config.skip_tls_verify {
739            script.push_str("  insecureSkipTLSVerify: true,\n");
740        }
741        script.push_str("  thresholds: {\n");
742        script.push_str("    checks: ['rate>0'],\n");
743        script.push_str("  },\n");
744        script.push_str("};\n\n");
745
746        // Base URL (includes base_path if configured)
747        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
748        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
749
750        // Round 39 (#79) — emit init-scope code (e.g. `open()` calls
751        // for file uploads in custom checks) here, before any
752        // function declarations.
753        let custom_emit = self.config.generate_custom_group()?;
754        if let Some(emit) = &custom_emit {
755            if !emit.init_code.is_empty() {
756                script.push_str("// Round 39 (#79) — preloaded upload bytes for custom checks\n");
757                script.push_str(&emit.init_code);
758                script.push('\n');
759            }
760        }
761
762        // Failure detail collector — logs req/res info for failed checks via console.log
763        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
764        script
765            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
766        script.push_str("  let bodyStr = '';\n");
767        script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
768        script.push_str("  let reqHeaders = {};\n");
769        script.push_str(
770            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
771        );
772        script.push_str("  let reqBody = '';\n");
773        script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
774        script.push_str("  let payload = {\n");
775        script.push_str("    check: checkName,\n");
776        script.push_str("    request: {\n");
777        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
778        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
779        script.push_str("      headers: reqHeaders,\n");
780        script.push_str("      body: reqBody,\n");
781        script.push_str("    },\n");
782        script.push_str("    response: {\n");
783        script.push_str("      status: res.status,\n");
784        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
785        script.push_str("      body: bodyStr,\n");
786        script.push_str("    },\n");
787        script.push_str("    expected: expected,\n");
788        script.push_str("  };\n");
789        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
790        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
791        script.push_str("}\n\n");
792
793        // Request/response capture for --export-requests
794        if self.config.export_requests {
795            script.push_str("function __captureExchange(checkName, res) {\n");
796            script.push_str("  let bodyStr = '';\n");
797            script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
798            script.push_str("  let reqHeaders = {};\n");
799            script.push_str(
800                "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
801            );
802            script.push_str("  let reqBody = '';\n");
803            script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
804            script.push_str("  console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
805            script.push_str("    check: checkName,\n");
806            script.push_str("    request: {\n");
807            script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
808            script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
809            script.push_str("      headers: reqHeaders,\n");
810            script.push_str("      body: reqBody,\n");
811            script.push_str("    },\n");
812            script.push_str("    response: {\n");
813            script.push_str("      status: res.status,\n");
814            script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
815            script.push_str("      body: bodyStr,\n");
816            script.push_str("    },\n");
817            script.push_str("  }));\n");
818            script.push_str("}\n\n");
819        }
820
821        // Default function
822        script.push_str("export default function () {\n");
823
824        if self.config.has_cookie_header() {
825            script.push_str(
826                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
827            );
828            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
829        }
830
831        // Group operations by category
832        let mut category_ops: std::collections::BTreeMap<
833            &'static str,
834            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
835        > = std::collections::BTreeMap::new();
836
837        for op in &self.operations {
838            for feature in &op.features {
839                let category = feature.category();
840                if self.config.should_include_category(category) {
841                    category_ops.entry(category).or_default().push((op, feature));
842                }
843            }
844        }
845
846        // Emit grouped tests
847        let mut total_checks = 0usize;
848        for (category, ops) in &category_ops {
849            script.push_str(&format!("  group('{}', function () {{\n", category));
850
851            if self.config.all_operations {
852                // All-operations mode: test every operation, using path-qualified check names
853                let mut emitted_checks: HashSet<String> = HashSet::new();
854                for (op, feature) in ops {
855                    let qualified = format!("{}:{}", feature.check_name(), op.path);
856                    if emitted_checks.insert(qualified.clone()) {
857                        self.emit_check_named(&mut script, op, feature, &qualified);
858                        total_checks += 1;
859                    }
860                }
861            } else {
862                // Default: one representative operation per feature, with path-qualified
863                // check names so failures identify which endpoint was tested.
864                let mut emitted_features: HashSet<&str> = HashSet::new();
865                for (op, feature) in ops {
866                    if emitted_features.insert(feature.check_name()) {
867                        let qualified = format!("{}:{}", feature.check_name(), op.path);
868                        self.emit_check_named(&mut script, op, feature, &qualified);
869                        total_checks += 1;
870                    }
871                }
872            }
873
874            script.push_str("  });\n\n");
875        }
876
877        // Custom checks from YAML file — round 39: init-scope code
878        // was already emitted above; here we just splice the group
879        // body inside the default function.
880        if let Some(emit) = custom_emit {
881            script.push_str(&emit.group_body);
882        }
883
884        script.push_str("}\n\n");
885
886        // handleSummary
887        self.generate_handle_summary(&mut script);
888
889        Ok((script, total_checks))
890    }
891
892    /// Emit a single k6 check for an operation + feature with a custom check name
893    fn emit_check_named(
894        &self,
895        script: &mut String,
896        op: &AnnotatedOperation,
897        feature: &ConformanceFeature,
898        check_name: &str,
899    ) {
900        // Escape single quotes in check name since it's embedded in JS single-quoted strings
901        let check_name = check_name.replace('\'', "\\'");
902        let check_name = check_name.as_str();
903
904        script.push_str("    {\n");
905
906        // Build the URL path with parameters substituted
907        let mut url_path = op.path.clone();
908        for (name, value) in &op.path_params {
909            url_path = url_path.replace(&format!("{{{}}}", name), value);
910        }
911
912        // Build query string
913        if !op.query_params.is_empty() {
914            let qs: Vec<String> =
915                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
916            url_path = format!("{}?{}", url_path, qs.join("&"));
917        }
918
919        let full_url = format!("${{BASE_URL}}{}", url_path);
920
921        // Build effective headers: merge spec-derived headers with custom headers.
922        // Custom headers override spec-derived ones with the same name.
923        let mut effective_headers = self.effective_headers(&op.header_params);
924
925        // For non-default response code checks, add header to tell the mock server
926        // which status code to return (the server defaults to the first declared status)
927        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
928            let expected_code = match feature {
929                ConformanceFeature::Response400 => "400",
930                ConformanceFeature::Response404 => "404",
931                _ => unreachable!(),
932            };
933            effective_headers
934                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
935        }
936
937        // For security checks AND for all requests on endpoints with security requirements,
938        // inject auth credentials so the server doesn't reject with 401.
939        // Only inject if the user hasn't already provided the header via --custom-headers.
940        let needs_auth = matches!(
941            feature,
942            ConformanceFeature::SecurityBearer
943                | ConformanceFeature::SecurityBasic
944                | ConformanceFeature::SecurityApiKey
945        ) || !op.security_schemes.is_empty();
946
947        if needs_auth {
948            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
949        }
950
951        let has_headers = !effective_headers.is_empty();
952        let headers_obj = if has_headers {
953            Self::format_headers(&effective_headers)
954        } else {
955            String::new()
956        };
957
958        // Determine HTTP method and emit request
959        match op.method.as_str() {
960            "GET" => {
961                if has_headers {
962                    script.push_str(&format!(
963                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
964                        full_url, headers_obj
965                    ));
966                } else {
967                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
968                }
969            }
970            "POST" => {
971                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
972            }
973            "PUT" => {
974                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
975            }
976            "PATCH" => {
977                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
978            }
979            "DELETE" => {
980                if has_headers {
981                    script.push_str(&format!(
982                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
983                        full_url, headers_obj
984                    ));
985                } else {
986                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
987                }
988            }
989            "HEAD" => {
990                if has_headers {
991                    script.push_str(&format!(
992                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
993                        full_url, headers_obj
994                    ));
995                } else {
996                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
997                }
998            }
999            "OPTIONS" => {
1000                if has_headers {
1001                    script.push_str(&format!(
1002                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
1003                        full_url, headers_obj
1004                    ));
1005                } else {
1006                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
1007                }
1008            }
1009            _ => {
1010                if has_headers {
1011                    script.push_str(&format!(
1012                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1013                        full_url, headers_obj
1014                    ));
1015                } else {
1016                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1017                }
1018            }
1019        }
1020
1021        // Capture request/response for --export-requests
1022        // (check_name is already escaped at line 829 above — don't double-escape)
1023        if self.config.export_requests {
1024            script.push_str(&format!(
1025                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
1026                check_name
1027            ));
1028        }
1029
1030        // Check: emit assertion based on feature type, with failure detail capture
1031        if matches!(
1032            feature,
1033            ConformanceFeature::Response200
1034                | ConformanceFeature::Response201
1035                | ConformanceFeature::Response204
1036                | ConformanceFeature::Response400
1037                | ConformanceFeature::Response404
1038        ) {
1039            let expected_code = match feature {
1040                ConformanceFeature::Response200 => 200,
1041                ConformanceFeature::Response201 => 201,
1042                ConformanceFeature::Response204 => 204,
1043                ConformanceFeature::Response400 => 400,
1044                ConformanceFeature::Response404 => 404,
1045                _ => 200,
1046            };
1047            script.push_str(&format!(
1048                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
1049                check_name, expected_code, check_name, expected_code
1050            ));
1051        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
1052            // Response schema validation — validate the response body against the schema
1053            // Uses inline field-level error collection so failure details include
1054            // which specific fields violated the schema (field_path, violation_type,
1055            // expected, actual) — matching the Ajv `errors` array structure.
1056            if let Some(schema) = &op.response_schema {
1057                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
1058                let schema_json = serde_json::to_string(schema).unwrap_or_default();
1059                // Escape backticks and backslashes for JS template literal safety
1060                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
1061                script.push_str(&format!(
1062                    concat!(
1063                        "      try {{\n",
1064                        "        let body = res.json();\n",
1065                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
1066                        "        if (!ok) {{\n",
1067                        "          let __violations = [];\n",
1068                        "          try {{\n",
1069                        "            let __schema = JSON.parse(`{schema}`);\n",
1070                        "            function __collectErrors(schema, data, path) {{\n",
1071                        "              if (!schema || typeof schema !== 'object') return;\n",
1072                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1073                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1074                        "              if (st === 'object') {{\n",
1075                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1076                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1077                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1078                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1079                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1080                        "              }} else if (st === 'array') {{\n",
1081                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1082                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1083                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1084                        "              }} else if (st === 'string') {{\n",
1085                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1086                        "              }} else if (st === 'integer') {{\n",
1087                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1088                        "              }} else if (st === 'number') {{\n",
1089                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1090                        "              }} else if (st === 'boolean') {{\n",
1091                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1092                        "              }}\n",
1093                        "            }}\n",
1094                        "            __collectErrors(__schema, body, '');\n",
1095                        "          }} catch(_e) {{}}\n",
1096                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1097                        "        }}\n",
1098                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1099                    ),
1100                    check = check_name,
1101                    validation = validation_js,
1102                    schema = schema_json_escaped,
1103                ));
1104            }
1105        } else if matches!(
1106            feature,
1107            ConformanceFeature::SecurityBearer
1108                | ConformanceFeature::SecurityBasic
1109                | ConformanceFeature::SecurityApiKey
1110        ) {
1111            // Security checks verify the server accepts the auth credentials (not 401/403)
1112            script.push_str(&format!(
1113                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1114                check_name, check_name
1115            ));
1116        } else {
1117            script.push_str(&format!(
1118                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1119                check_name, check_name
1120            ));
1121        }
1122
1123        // Clear cookie jar after each request to prevent Set-Cookie leaking
1124        let has_cookie = self.config.has_cookie_header()
1125            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1126        if has_cookie {
1127            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1128        }
1129
1130        script.push_str("    }\n");
1131
1132        // Rate-limit delay between checks (to avoid 429 from target API)
1133        if self.config.request_delay_ms > 0 {
1134            script.push_str(&format!(
1135                "    sleep({:.3});\n",
1136                self.config.request_delay_ms as f64 / 1000.0
1137            ));
1138        }
1139    }
1140
1141    /// Emit an HTTP request with a body
1142    fn emit_request_with_body(
1143        &self,
1144        script: &mut String,
1145        method: &str,
1146        url: &str,
1147        op: &AnnotatedOperation,
1148        effective_headers: &[(String, String)],
1149    ) {
1150        if let Some(body) = &op.sample_body {
1151            let escaped_body = body.replace('\'', "\\'");
1152            let headers = if !effective_headers.is_empty() {
1153                format!(
1154                    "Object.assign({{}}, JSON_HEADERS, {})",
1155                    Self::format_headers(effective_headers)
1156                )
1157            } else {
1158                "JSON_HEADERS".to_string()
1159            };
1160            script.push_str(&format!(
1161                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1162                method, url, escaped_body, headers
1163            ));
1164        } else if !effective_headers.is_empty() {
1165            script.push_str(&format!(
1166                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1167                method,
1168                url,
1169                Self::format_headers(effective_headers)
1170            ));
1171        } else {
1172            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1173        }
1174    }
1175
1176    /// Build effective headers by merging spec-derived headers with custom headers.
1177    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1178    /// Custom headers not in the spec are appended.
1179    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1180        let custom = &self.config.custom_headers;
1181        if custom.is_empty() {
1182            return spec_headers.to_vec();
1183        }
1184
1185        let mut result: Vec<(String, String)> = Vec::new();
1186
1187        // Start with spec headers, replacing values if a custom header matches
1188        for (name, value) in spec_headers {
1189            if let Some((_, custom_val)) =
1190                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1191            {
1192                result.push((name.clone(), custom_val.clone()));
1193            } else {
1194                result.push((name.clone(), value.clone()));
1195            }
1196        }
1197
1198        // Append custom headers that aren't already in spec headers
1199        for (name, value) in custom {
1200            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1201                result.push((name.clone(), value.clone()));
1202            }
1203        }
1204
1205        result
1206    }
1207
1208    /// Inject security headers based on resolved security scheme details.
1209    /// Respects user-provided custom headers (won't overwrite if already set).
1210    fn inject_security_headers(
1211        &self,
1212        schemes: &[SecuritySchemeInfo],
1213        headers: &mut Vec<(String, String)>,
1214    ) {
1215        let mut to_add: Vec<(String, String)> = Vec::new();
1216
1217        let has_header = |name: &str, headers: &[(String, String)]| {
1218            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1219                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1220        };
1221
1222        // If user provides Cookie header, they're using session-based auth — skip auto auth
1223        let has_cookie_auth = has_header("Cookie", headers);
1224
1225        for scheme in schemes {
1226            match scheme {
1227                SecuritySchemeInfo::Bearer => {
1228                    if !has_cookie_auth && !has_header("Authorization", headers) {
1229                        // MockForge mock server accepts any Bearer token
1230                        to_add.push((
1231                            "Authorization".to_string(),
1232                            "Bearer mockforge-conformance-test-token".to_string(),
1233                        ));
1234                    }
1235                }
1236                SecuritySchemeInfo::Basic => {
1237                    if !has_cookie_auth && !has_header("Authorization", headers) {
1238                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1239                        use base64::Engine;
1240                        let encoded =
1241                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1242                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1243                    }
1244                }
1245                SecuritySchemeInfo::ApiKey { location, name } => match location {
1246                    ApiKeyLocation::Header => {
1247                        if !has_header(name, headers) {
1248                            let key = self
1249                                .config
1250                                .api_key
1251                                .as_deref()
1252                                .unwrap_or("mockforge-conformance-test-key");
1253                            to_add.push((name.clone(), key.to_string()));
1254                        }
1255                    }
1256                    ApiKeyLocation::Cookie => {
1257                        if !has_header("Cookie", headers) {
1258                            to_add.push((
1259                                "Cookie".to_string(),
1260                                format!("{}=mockforge-conformance-test-session", name),
1261                            ));
1262                        }
1263                    }
1264                    ApiKeyLocation::Query => {
1265                        // Query params are handled via URL, not headers — skip here
1266                    }
1267                },
1268            }
1269        }
1270
1271        headers.extend(to_add);
1272    }
1273
1274    /// Format header params as a JS object literal
1275    fn format_headers(headers: &[(String, String)]) -> String {
1276        let entries: Vec<String> = headers
1277            .iter()
1278            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1279            .collect();
1280        format!("{{ {} }}", entries.join(", "))
1281    }
1282
1283    /// handleSummary — same format as reference mode for report compatibility
1284    fn generate_handle_summary(&self, script: &mut String) {
1285        // Use absolute path for report output so k6 writes where the CLI expects
1286        let report_path = match &self.config.output_dir {
1287            Some(dir) => {
1288                let abs = std::fs::canonicalize(dir)
1289                    .unwrap_or_else(|_| dir.clone())
1290                    .join("conformance-report.json");
1291                abs.to_string_lossy().to_string()
1292            }
1293            None => "conformance-report.json".to_string(),
1294        };
1295
1296        script.push_str("export function handleSummary(data) {\n");
1297        script.push_str("  let checks = {};\n");
1298        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1299        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1300        script.push_str("  }\n");
1301        script.push_str("  let checkResults = {};\n");
1302        script.push_str("  function walkGroups(group) {\n");
1303        script.push_str("    if (group.checks) {\n");
1304        script.push_str("      for (let checkObj of group.checks) {\n");
1305        script.push_str("        checkResults[checkObj.name] = {\n");
1306        script.push_str("          passes: checkObj.passes,\n");
1307        script.push_str("          fails: checkObj.fails,\n");
1308        script.push_str("        };\n");
1309        script.push_str("      }\n");
1310        script.push_str("    }\n");
1311        script.push_str("    if (group.groups) {\n");
1312        script.push_str("      for (let subGroup of group.groups) {\n");
1313        script.push_str("        walkGroups(subGroup);\n");
1314        script.push_str("      }\n");
1315        script.push_str("    }\n");
1316        script.push_str("  }\n");
1317        script.push_str("  if (data.root_group) {\n");
1318        script.push_str("    walkGroups(data.root_group);\n");
1319        script.push_str("  }\n");
1320        script.push_str("  return {\n");
1321        script.push_str(&format!(
1322            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1323            report_path
1324        ));
1325        script.push_str("    'summary.json': JSON.stringify(data),\n");
1326        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1327        script.push_str("  };\n");
1328        script.push_str("}\n\n");
1329        script.push_str("function textSummary(data, opts) {\n");
1330        script.push_str("  return JSON.stringify(data, null, 2);\n");
1331        script.push_str("}\n");
1332    }
1333}
1334
1335#[cfg(test)]
1336mod tests {
1337    use super::*;
1338    use openapiv3::{
1339        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1340        SchemaData, SchemaKind, StringType, Type,
1341    };
1342
1343    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1344        ApiOperation {
1345            method: method.to_string(),
1346            path: path.to_string(),
1347            operation,
1348            operation_id: None,
1349        }
1350    }
1351
1352    fn empty_spec() -> OpenAPI {
1353        OpenAPI::default()
1354    }
1355
1356    #[test]
1357    fn test_annotate_get_with_path_param() {
1358        let mut op = Operation::default();
1359        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1360            parameter_data: ParameterData {
1361                name: "id".to_string(),
1362                description: None,
1363                required: true,
1364                deprecated: None,
1365                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1366                    schema_data: SchemaData::default(),
1367                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1368                })),
1369                example: None,
1370                examples: Default::default(),
1371                explode: None,
1372                extensions: Default::default(),
1373            },
1374            style: PathStyle::Simple,
1375        }));
1376
1377        let api_op = make_op("get", "/users/{id}", op);
1378        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1379
1380        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1381        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1382        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1383        assert_eq!(annotated.path_params.len(), 1);
1384        assert_eq!(annotated.path_params[0].0, "id");
1385    }
1386
1387    #[test]
1388    fn test_annotate_post_with_json_body() {
1389        let mut op = Operation::default();
1390        let mut body = RequestBody {
1391            required: true,
1392            ..Default::default()
1393        };
1394        body.content
1395            .insert("application/json".to_string(), openapiv3::MediaType::default());
1396        op.request_body = Some(ReferenceOr::Item(body));
1397
1398        let api_op = make_op("post", "/items", op);
1399        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1400
1401        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1402        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1403    }
1404
1405    #[test]
1406    fn test_annotate_response_codes() {
1407        let mut op = Operation::default();
1408        op.responses
1409            .responses
1410            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1411        op.responses
1412            .responses
1413            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1414
1415        let api_op = make_op("get", "/items", op);
1416        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1417
1418        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1419        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1420    }
1421
1422    #[test]
1423    fn test_generate_spec_driven_script() {
1424        let config = ConformanceConfig {
1425            target_url: "http://localhost:3000".to_string(),
1426            api_key: None,
1427            basic_auth: None,
1428            skip_tls_verify: false,
1429            categories: None,
1430            base_path: None,
1431            custom_headers: vec![],
1432            output_dir: None,
1433            all_operations: false,
1434            custom_checks_file: None,
1435            request_delay_ms: 0,
1436            custom_filter: None,
1437            export_requests: false,
1438            validate_requests: false,
1439        };
1440
1441        let operations = vec![AnnotatedOperation {
1442            path: "/users/{id}".to_string(),
1443            method: "GET".to_string(),
1444            features: vec![
1445                ConformanceFeature::MethodGet,
1446                ConformanceFeature::PathParamString,
1447            ],
1448            request_body_content_type: None,
1449            sample_body: None,
1450            query_params: vec![],
1451            header_params: vec![],
1452            path_params: vec![("id".to_string(), "test-value".to_string())],
1453            response_schema: None,
1454            response_schemas: std::collections::BTreeMap::new(),
1455            request_body_schema: None,
1456            security_schemes: vec![],
1457        }];
1458
1459        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1460        let (script, _check_count) = gen.generate().unwrap();
1461
1462        assert!(script.contains("import http from 'k6/http'"));
1463        assert!(script.contains("/users/test-value"));
1464        assert!(script.contains("param:path:string"));
1465        assert!(script.contains("method:GET"));
1466        assert!(script.contains("handleSummary"));
1467    }
1468
1469    #[test]
1470    fn test_generate_with_category_filter() {
1471        let config = ConformanceConfig {
1472            target_url: "http://localhost:3000".to_string(),
1473            api_key: None,
1474            basic_auth: None,
1475            skip_tls_verify: false,
1476            categories: Some(vec!["Parameters".to_string()]),
1477            base_path: None,
1478            custom_headers: vec![],
1479            output_dir: None,
1480            all_operations: false,
1481            custom_checks_file: None,
1482            request_delay_ms: 0,
1483            custom_filter: None,
1484            export_requests: false,
1485            validate_requests: false,
1486        };
1487
1488        let operations = vec![AnnotatedOperation {
1489            path: "/users/{id}".to_string(),
1490            method: "GET".to_string(),
1491            features: vec![
1492                ConformanceFeature::MethodGet,
1493                ConformanceFeature::PathParamString,
1494            ],
1495            request_body_content_type: None,
1496            sample_body: None,
1497            query_params: vec![],
1498            header_params: vec![],
1499            path_params: vec![("id".to_string(), "1".to_string())],
1500            response_schema: None,
1501            response_schemas: std::collections::BTreeMap::new(),
1502            request_body_schema: None,
1503            security_schemes: vec![],
1504        }];
1505
1506        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1507        let (script, _check_count) = gen.generate().unwrap();
1508
1509        assert!(script.contains("group('Parameters'"));
1510        assert!(!script.contains("group('HTTP Methods'"));
1511    }
1512
1513    #[test]
1514    fn test_annotate_response_validation() {
1515        use openapiv3::ObjectType;
1516
1517        // Operation with a 200 response that has a JSON schema
1518        let mut op = Operation::default();
1519        let mut response = Response::default();
1520        let mut media = openapiv3::MediaType::default();
1521        let mut obj_type = ObjectType::default();
1522        obj_type.properties.insert(
1523            "name".to_string(),
1524            ReferenceOr::Item(Box::new(Schema {
1525                schema_data: SchemaData::default(),
1526                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1527            })),
1528        );
1529        obj_type.required = vec!["name".to_string()];
1530        media.schema = Some(ReferenceOr::Item(Schema {
1531            schema_data: SchemaData::default(),
1532            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1533        }));
1534        response.content.insert("application/json".to_string(), media);
1535        op.responses
1536            .responses
1537            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1538
1539        let api_op = make_op("get", "/users", op);
1540        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1541
1542        assert!(
1543            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1544            "Should detect ResponseValidation when response has a JSON schema"
1545        );
1546        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1547
1548        // Verify generated script includes schema validation with try-catch
1549        let config = ConformanceConfig {
1550            target_url: "http://localhost:3000".to_string(),
1551            api_key: None,
1552            basic_auth: None,
1553            skip_tls_verify: false,
1554            categories: None,
1555            base_path: None,
1556            custom_headers: vec![],
1557            output_dir: None,
1558            all_operations: false,
1559            custom_checks_file: None,
1560            request_delay_ms: 0,
1561            custom_filter: None,
1562            export_requests: false,
1563            validate_requests: false,
1564        };
1565        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1566        let (script, _check_count) = gen.generate().unwrap();
1567
1568        assert!(
1569            script.contains("response:schema:validation"),
1570            "Script should contain the validation check name"
1571        );
1572        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1573        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1574    }
1575
1576    #[test]
1577    fn test_annotate_global_security() {
1578        // Spec with global security requirement, operation without its own security
1579        let op = Operation::default();
1580        let mut spec = OpenAPI::default();
1581        let mut global_req = openapiv3::SecurityRequirement::new();
1582        global_req.insert("bearerAuth".to_string(), vec![]);
1583        spec.security = Some(vec![global_req]);
1584        // Define the security scheme in components
1585        let mut components = openapiv3::Components::default();
1586        components.security_schemes.insert(
1587            "bearerAuth".to_string(),
1588            ReferenceOr::Item(SecurityScheme::HTTP {
1589                scheme: "bearer".to_string(),
1590                bearer_format: Some("JWT".to_string()),
1591                description: None,
1592                extensions: Default::default(),
1593            }),
1594        );
1595        spec.components = Some(components);
1596
1597        let api_op = make_op("get", "/protected", op);
1598        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1599
1600        assert!(
1601            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1602            "Should detect SecurityBearer from global security + components"
1603        );
1604    }
1605
1606    #[test]
1607    fn test_annotate_security_scheme_resolution() {
1608        // Test that security scheme type is resolved from components, not just name heuristic
1609        let mut op = Operation::default();
1610        // Use a generic name that wouldn't match name heuristics
1611        let mut req = openapiv3::SecurityRequirement::new();
1612        req.insert("myAuth".to_string(), vec![]);
1613        op.security = Some(vec![req]);
1614
1615        let mut spec = OpenAPI::default();
1616        let mut components = openapiv3::Components::default();
1617        components.security_schemes.insert(
1618            "myAuth".to_string(),
1619            ReferenceOr::Item(SecurityScheme::APIKey {
1620                location: openapiv3::APIKeyLocation::Header,
1621                name: "X-API-Key".to_string(),
1622                description: None,
1623                extensions: Default::default(),
1624            }),
1625        );
1626        spec.components = Some(components);
1627
1628        let api_op = make_op("get", "/data", op);
1629        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1630
1631        assert!(
1632            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1633            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1634        );
1635    }
1636
1637    #[test]
1638    fn test_annotate_content_negotiation() {
1639        let mut op = Operation::default();
1640        let mut response = Response::default();
1641        // Response with multiple content types
1642        response
1643            .content
1644            .insert("application/json".to_string(), openapiv3::MediaType::default());
1645        response
1646            .content
1647            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1648        op.responses
1649            .responses
1650            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1651
1652        let api_op = make_op("get", "/items", op);
1653        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1654
1655        assert!(
1656            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1657            "Should detect ContentNegotiation when response has multiple content types"
1658        );
1659    }
1660
1661    #[test]
1662    fn test_no_content_negotiation_for_single_type() {
1663        let mut op = Operation::default();
1664        let mut response = Response::default();
1665        response
1666            .content
1667            .insert("application/json".to_string(), openapiv3::MediaType::default());
1668        op.responses
1669            .responses
1670            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1671
1672        let api_op = make_op("get", "/items", op);
1673        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1674
1675        assert!(
1676            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1677            "Should NOT detect ContentNegotiation for a single content type"
1678        );
1679    }
1680
1681    #[test]
1682    fn test_spec_driven_with_base_path() {
1683        let annotated = AnnotatedOperation {
1684            path: "/users".to_string(),
1685            method: "GET".to_string(),
1686            features: vec![ConformanceFeature::MethodGet],
1687            path_params: vec![],
1688            query_params: vec![],
1689            header_params: vec![],
1690            request_body_content_type: None,
1691            sample_body: None,
1692            response_schema: None,
1693            response_schemas: std::collections::BTreeMap::new(),
1694            request_body_schema: None,
1695            security_schemes: vec![],
1696        };
1697        let config = ConformanceConfig {
1698            target_url: "https://192.168.2.86/".to_string(),
1699            api_key: None,
1700            basic_auth: None,
1701            skip_tls_verify: true,
1702            categories: None,
1703            base_path: Some("/api".to_string()),
1704            custom_headers: vec![],
1705            output_dir: None,
1706            all_operations: false,
1707            custom_checks_file: None,
1708            request_delay_ms: 0,
1709            custom_filter: None,
1710            export_requests: false,
1711            validate_requests: false,
1712        };
1713        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1714        let (script, _check_count) = gen.generate().unwrap();
1715
1716        assert!(
1717            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1718            "BASE_URL should include the base_path. Got: {}",
1719            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1720        );
1721    }
1722
1723    #[test]
1724    fn test_spec_driven_with_custom_headers() {
1725        let annotated = AnnotatedOperation {
1726            path: "/users".to_string(),
1727            method: "GET".to_string(),
1728            features: vec![ConformanceFeature::MethodGet],
1729            path_params: vec![],
1730            query_params: vec![],
1731            header_params: vec![
1732                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1733                ("X-CSRFToken".to_string(), "test-value".to_string()),
1734            ],
1735            request_body_content_type: None,
1736            sample_body: None,
1737            response_schema: None,
1738            response_schemas: std::collections::BTreeMap::new(),
1739            request_body_schema: None,
1740            security_schemes: vec![],
1741        };
1742        let config = ConformanceConfig {
1743            target_url: "https://192.168.2.86/".to_string(),
1744            api_key: None,
1745            basic_auth: None,
1746            skip_tls_verify: true,
1747            categories: None,
1748            base_path: Some("/api".to_string()),
1749            custom_headers: vec![
1750                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1751                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1752                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1753            ],
1754            output_dir: None,
1755            all_operations: false,
1756            custom_checks_file: None,
1757            request_delay_ms: 0,
1758            custom_filter: None,
1759            export_requests: false,
1760            validate_requests: false,
1761        };
1762        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1763        let (script, _check_count) = gen.generate().unwrap();
1764
1765        // Custom headers should override spec-derived test-value placeholders
1766        assert!(
1767            script.contains("'X-Avi-Tenant': 'admin'"),
1768            "Should use custom value for X-Avi-Tenant, not test-value"
1769        );
1770        assert!(
1771            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1772            "Should use custom value for X-CSRFToken, not test-value"
1773        );
1774        // Custom headers not in spec should be appended
1775        assert!(
1776            script.contains("'Cookie': 'sessionid=abc123'"),
1777            "Should include Cookie header from custom_headers"
1778        );
1779        // test-value should NOT appear
1780        assert!(
1781            !script.contains("'test-value'"),
1782            "test-value placeholders should be replaced by custom values"
1783        );
1784    }
1785
1786    #[test]
1787    fn test_effective_headers_merging() {
1788        let config = ConformanceConfig {
1789            target_url: "http://localhost".to_string(),
1790            api_key: None,
1791            basic_auth: None,
1792            skip_tls_verify: false,
1793            categories: None,
1794            base_path: None,
1795            custom_headers: vec![
1796                ("X-Auth".to_string(), "real-token".to_string()),
1797                ("Cookie".to_string(), "session=abc".to_string()),
1798            ],
1799            output_dir: None,
1800            all_operations: false,
1801            custom_checks_file: None,
1802            request_delay_ms: 0,
1803            custom_filter: None,
1804            export_requests: false,
1805            validate_requests: false,
1806        };
1807        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1808
1809        // Spec headers with a matching custom header
1810        let spec_headers = vec![
1811            ("X-Auth".to_string(), "test-value".to_string()),
1812            ("X-Other".to_string(), "keep-this".to_string()),
1813        ];
1814        let effective = gen.effective_headers(&spec_headers);
1815
1816        // X-Auth should be overridden
1817        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1818        // X-Other should be kept as-is
1819        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1820        // Cookie should be appended
1821        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1822    }
1823}