Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Round 25 — per-status response schemas (JSON values, pre-resolved
180    /// via $ref). Keyed by HTTP status code, populated for every
181    /// status declared in the spec that has an `application/json`
182    /// body. The self-test driver looks up the schema for each probe's
183    /// actual status and validates the response body against it
184    /// (closing round 21.3 / Srikanth's a2 / a3 ask). Empty when the
185    /// spec declares no JSON response bodies.
186    pub response_schemas: std::collections::BTreeMap<u16, serde_json::Value>,
187    /// Round 17.2 — the resolved request-body schema (application/json).
188    /// Used by the self-test driver to synthesise schema-aware
189    /// negative mutations (wrong type, min/max bounds, pattern, enum
190    /// out-of-range, required-field removal). Independent of
191    /// `sample_body`, which is the positive payload.
192    pub request_body_schema: Option<Schema>,
193    /// Security scheme details resolved from the OpenAPI spec
194    pub security_schemes: Vec<SecuritySchemeInfo>,
195}
196
197/// Generates spec-driven conformance k6 scripts
198pub struct SpecDrivenConformanceGenerator {
199    config: ConformanceConfig,
200    operations: Vec<AnnotatedOperation>,
201}
202
203impl SpecDrivenConformanceGenerator {
204    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
205        Self { config, operations }
206    }
207
208    /// Annotate a list of API operations with conformance features
209    pub fn annotate_operations(
210        operations: &[ApiOperation],
211        spec: &OpenAPI,
212    ) -> Vec<AnnotatedOperation> {
213        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
214    }
215
216    /// Analyze an operation and determine which conformance features it exercises
217    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
218        let mut features = Vec::new();
219        let mut query_params = Vec::new();
220        let mut header_params = Vec::new();
221        let mut path_params = Vec::new();
222
223        // Detect HTTP method feature
224        match op.method.to_uppercase().as_str() {
225            "GET" => features.push(ConformanceFeature::MethodGet),
226            "POST" => features.push(ConformanceFeature::MethodPost),
227            "PUT" => features.push(ConformanceFeature::MethodPut),
228            "PATCH" => features.push(ConformanceFeature::MethodPatch),
229            "DELETE" => features.push(ConformanceFeature::MethodDelete),
230            "HEAD" => features.push(ConformanceFeature::MethodHead),
231            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
232            _ => {}
233        }
234
235        // Detect parameter features (resolves $ref)
236        for param_ref in &op.operation.parameters {
237            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
238                Self::annotate_parameter(
239                    param,
240                    spec,
241                    &mut features,
242                    &mut query_params,
243                    &mut header_params,
244                    &mut path_params,
245                );
246            }
247        }
248
249        // Detect path parameters from the path template itself
250        for segment in op.path.split('/') {
251            if segment.starts_with('{') && segment.ends_with('}') {
252                let name = &segment[1..segment.len() - 1];
253                // Only add if not already found from parameters
254                if !path_params.iter().any(|(n, _)| n == name) {
255                    path_params.push((name.to_string(), "test-value".to_string()));
256                    // Determine type from path params we didn't already handle
257                    if !features.contains(&ConformanceFeature::PathParamString)
258                        && !features.contains(&ConformanceFeature::PathParamInteger)
259                    {
260                        features.push(ConformanceFeature::PathParamString);
261                    }
262                }
263            }
264        }
265
266        // Detect request body features (resolves $ref)
267        let mut request_body_content_type = None;
268        let mut sample_body = None;
269        let mut request_body_schema: Option<Schema> = None;
270
271        let resolved_body = op
272            .operation
273            .request_body
274            .as_ref()
275            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
276
277        if let Some(body) = resolved_body {
278            for (content_type, _media) in &body.content {
279                match content_type.as_str() {
280                    "application/json" => {
281                        features.push(ConformanceFeature::BodyJson);
282                        request_body_content_type = Some("application/json".to_string());
283                        // Generate sample body from schema
284                        if let Ok(template) = RequestGenerator::generate_template(op) {
285                            if let Some(body_val) = &template.body {
286                                sample_body = Some(body_val.to_string());
287                            }
288                        }
289                    }
290                    "application/x-www-form-urlencoded" => {
291                        features.push(ConformanceFeature::BodyFormUrlencoded);
292                        request_body_content_type =
293                            Some("application/x-www-form-urlencoded".to_string());
294                    }
295                    "multipart/form-data" => {
296                        features.push(ConformanceFeature::BodyMultipart);
297                        request_body_content_type = Some("multipart/form-data".to_string());
298                    }
299                    _ => {}
300                }
301            }
302
303            // Detect schema features in request body (resolves $ref in schema)
304            if let Some(media) = body.content.get("application/json") {
305                if let Some(schema_ref) = &media.schema {
306                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
307                        Self::annotate_schema(schema, spec, &mut features);
308                        // Round 17.2 — keep a clone of the resolved
309                        // body schema so the self-test driver can walk
310                        // it to synthesise schema-aware negatives.
311                        request_body_schema = Some(schema.clone());
312                    }
313                }
314            }
315        }
316
317        // Detect response code features
318        Self::annotate_responses(&op.operation, spec, &mut features);
319
320        // Extract response schema for validation (resolves $ref)
321        let response_schema = Self::extract_response_schema(&op.operation, spec);
322        if response_schema.is_some() {
323            features.push(ConformanceFeature::ResponseValidation);
324        }
325        // Round 25 — per-status response schema map (closes round 21.3).
326        let response_schemas = Self::extract_response_schemas_per_status(&op.operation, spec);
327
328        // Detect content negotiation (response with multiple content types)
329        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
330
331        // Detect security features and resolve scheme details
332        let mut security_schemes = Vec::new();
333        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
334
335        // Deduplicate features
336        features.sort_by_key(|f| f.check_name());
337        features.dedup_by_key(|f| f.check_name());
338
339        AnnotatedOperation {
340            path: op.path.clone(),
341            method: op.method.to_uppercase(),
342            features,
343            request_body_content_type,
344            sample_body,
345            query_params,
346            header_params,
347            path_params,
348            response_schema,
349            response_schemas,
350            request_body_schema,
351            security_schemes,
352        }
353    }
354
355    /// Annotate parameter features
356    fn annotate_parameter(
357        param: &Parameter,
358        spec: &OpenAPI,
359        features: &mut Vec<ConformanceFeature>,
360        query_params: &mut Vec<(String, String)>,
361        header_params: &mut Vec<(String, String)>,
362        path_params: &mut Vec<(String, String)>,
363    ) {
364        let (location, data) = match param {
365            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
366            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
367            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
368            Parameter::Cookie { .. } => {
369                features.push(ConformanceFeature::CookieParam);
370                return;
371            }
372        };
373
374        // Detect type from schema
375        let is_integer = Self::param_schema_is_integer(data, spec);
376        let is_array = Self::param_schema_is_array(data, spec);
377
378        // Generate sample value
379        let sample = if is_integer {
380            "42".to_string()
381        } else if is_array {
382            "a,b".to_string()
383        } else {
384            "test-value".to_string()
385        };
386
387        match location {
388            "path" => {
389                if is_integer {
390                    features.push(ConformanceFeature::PathParamInteger);
391                } else {
392                    features.push(ConformanceFeature::PathParamString);
393                }
394                path_params.push((data.name.clone(), sample));
395            }
396            "query" => {
397                if is_array {
398                    features.push(ConformanceFeature::QueryParamArray);
399                } else if is_integer {
400                    features.push(ConformanceFeature::QueryParamInteger);
401                } else {
402                    features.push(ConformanceFeature::QueryParamString);
403                }
404                query_params.push((data.name.clone(), sample));
405            }
406            "header" => {
407                features.push(ConformanceFeature::HeaderParam);
408                header_params.push((data.name.clone(), sample));
409            }
410            _ => {}
411        }
412
413        // Check for constraint features on the parameter (resolves $ref)
414        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
415            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
416                Self::annotate_schema(schema, spec, features);
417            }
418        }
419
420        // Required/optional
421        if data.required {
422            features.push(ConformanceFeature::ConstraintRequired);
423        } else {
424            features.push(ConformanceFeature::ConstraintOptional);
425        }
426    }
427
428    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
429        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
430            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
431                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
432            }
433        }
434        false
435    }
436
437    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
438        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
439            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
440                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
441            }
442        }
443        false
444    }
445
446    /// Annotate schema-level features (types, composition, formats, constraints)
447    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
448        match &schema.schema_kind {
449            SchemaKind::Type(Type::String(s)) => {
450                features.push(ConformanceFeature::SchemaString);
451                // Check format
452                match &s.format {
453                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
454                        features.push(ConformanceFeature::FormatDate);
455                    }
456                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
457                        features.push(ConformanceFeature::FormatDateTime);
458                    }
459                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
460                        "email" => features.push(ConformanceFeature::FormatEmail),
461                        "uuid" => features.push(ConformanceFeature::FormatUuid),
462                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
463                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
464                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
465                        _ => {}
466                    },
467                    _ => {}
468                }
469                // Check constraints
470                if s.pattern.is_some() {
471                    features.push(ConformanceFeature::ConstraintPattern);
472                }
473                if !s.enumeration.is_empty() {
474                    features.push(ConformanceFeature::ConstraintEnum);
475                }
476                if s.min_length.is_some() || s.max_length.is_some() {
477                    features.push(ConformanceFeature::ConstraintMinMax);
478                }
479            }
480            SchemaKind::Type(Type::Integer(i)) => {
481                features.push(ConformanceFeature::SchemaInteger);
482                if i.minimum.is_some() || i.maximum.is_some() {
483                    features.push(ConformanceFeature::ConstraintMinMax);
484                }
485                if !i.enumeration.is_empty() {
486                    features.push(ConformanceFeature::ConstraintEnum);
487                }
488            }
489            SchemaKind::Type(Type::Number(n)) => {
490                features.push(ConformanceFeature::SchemaNumber);
491                if n.minimum.is_some() || n.maximum.is_some() {
492                    features.push(ConformanceFeature::ConstraintMinMax);
493                }
494            }
495            SchemaKind::Type(Type::Boolean(_)) => {
496                features.push(ConformanceFeature::SchemaBoolean);
497            }
498            SchemaKind::Type(Type::Array(arr)) => {
499                features.push(ConformanceFeature::SchemaArray);
500                if let Some(item_ref) = &arr.items {
501                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
502                        Self::annotate_schema(item_schema, spec, features);
503                    }
504                }
505            }
506            SchemaKind::Type(Type::Object(obj)) => {
507                features.push(ConformanceFeature::SchemaObject);
508                // Check required fields
509                if !obj.required.is_empty() {
510                    features.push(ConformanceFeature::ConstraintRequired);
511                }
512                // Walk properties (resolves $ref)
513                for (_name, prop_ref) in &obj.properties {
514                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
515                        Self::annotate_schema(prop_schema, spec, features);
516                    }
517                }
518            }
519            SchemaKind::OneOf { .. } => {
520                features.push(ConformanceFeature::CompositionOneOf);
521            }
522            SchemaKind::AnyOf { .. } => {
523                features.push(ConformanceFeature::CompositionAnyOf);
524            }
525            SchemaKind::AllOf { .. } => {
526                features.push(ConformanceFeature::CompositionAllOf);
527            }
528            _ => {}
529        }
530    }
531
532    /// Detect response code features (resolves $ref in responses)
533    fn annotate_responses(
534        operation: &Operation,
535        spec: &OpenAPI,
536        features: &mut Vec<ConformanceFeature>,
537    ) {
538        for (status_code, resp_ref) in &operation.responses.responses {
539            // Only count features for responses that actually resolve
540            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
541                match status_code {
542                    openapiv3::StatusCode::Code(200) => {
543                        features.push(ConformanceFeature::Response200)
544                    }
545                    openapiv3::StatusCode::Code(201) => {
546                        features.push(ConformanceFeature::Response201)
547                    }
548                    openapiv3::StatusCode::Code(204) => {
549                        features.push(ConformanceFeature::Response204)
550                    }
551                    openapiv3::StatusCode::Code(400) => {
552                        features.push(ConformanceFeature::Response400)
553                    }
554                    openapiv3::StatusCode::Code(404) => {
555                        features.push(ConformanceFeature::Response404)
556                    }
557                    _ => {}
558                }
559            }
560        }
561    }
562
563    /// Round 25 — extract every declared response schema, keyed by the
564    /// numeric HTTP status. Only `application/json` content types are
565    /// included (the only body shape the self-test validates against).
566    /// Used by the self-test driver to validate response bodies against
567    /// the schema for the ACTUAL status returned, not just 200.
568    fn extract_response_schemas_per_status(
569        operation: &Operation,
570        spec: &OpenAPI,
571    ) -> std::collections::BTreeMap<u16, serde_json::Value> {
572        let mut out = std::collections::BTreeMap::new();
573        for (code, resp_ref) in &operation.responses.responses {
574            let openapiv3::StatusCode::Code(n) = code else {
575                continue; // skip "default" / range responses for now
576            };
577            let Some(response) = ref_resolver::resolve_response(resp_ref, spec) else {
578                continue;
579            };
580            let Some(media) = response.content.get("application/json") else {
581                continue;
582            };
583            let Some(schema_ref) = &media.schema else {
584                continue;
585            };
586            let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) else {
587                continue;
588            };
589            // Convert openapiv3::Schema → serde_json::Value so the
590            // validation step can hand it straight to jsonschema.
591            if let Ok(value) = serde_json::to_value(schema) {
592                out.insert(*n, value);
593            }
594        }
595        out
596    }
597
598    /// Extract the response schema for the primary success response (200 or 201)
599    /// Resolves $ref for both the response and the schema within it.
600    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
601        // Try 200 first, then 201
602        for code in [200u16, 201] {
603            if let Some(resp_ref) =
604                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
605            {
606                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
607                    if let Some(media) = response.content.get("application/json") {
608                        if let Some(schema_ref) = &media.schema {
609                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
610                                return Some(schema.clone());
611                            }
612                        }
613                    }
614                }
615            }
616        }
617        None
618    }
619
620    /// Detect content negotiation: response supports multiple content types
621    fn annotate_content_negotiation(
622        operation: &Operation,
623        spec: &OpenAPI,
624        features: &mut Vec<ConformanceFeature>,
625    ) {
626        for (_status_code, resp_ref) in &operation.responses.responses {
627            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
628                if response.content.len() > 1 {
629                    features.push(ConformanceFeature::ContentNegotiation);
630                    return; // Only need to detect once per operation
631                }
632            }
633        }
634    }
635
636    /// Detect security scheme features.
637    /// Checks operation-level security first, falling back to global security requirements.
638    /// Resolves scheme names against SecurityScheme definitions in components.
639    fn annotate_security(
640        operation: &Operation,
641        spec: &OpenAPI,
642        features: &mut Vec<ConformanceFeature>,
643        security_schemes: &mut Vec<SecuritySchemeInfo>,
644    ) {
645        // Use operation-level security if present, otherwise fall back to global
646        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
647
648        if let Some(security) = security_reqs {
649            for security_req in security {
650                for scheme_name in security_req.keys() {
651                    // Try to resolve the scheme from components for accurate type detection
652                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
653                        match resolved {
654                            SecurityScheme::HTTP { ref scheme, .. } => {
655                                if scheme.eq_ignore_ascii_case("bearer") {
656                                    features.push(ConformanceFeature::SecurityBearer);
657                                    security_schemes.push(SecuritySchemeInfo::Bearer);
658                                } else if scheme.eq_ignore_ascii_case("basic") {
659                                    features.push(ConformanceFeature::SecurityBasic);
660                                    security_schemes.push(SecuritySchemeInfo::Basic);
661                                }
662                            }
663                            SecurityScheme::APIKey { location, name, .. } => {
664                                features.push(ConformanceFeature::SecurityApiKey);
665                                let loc = match location {
666                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
667                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
668                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
669                                };
670                                security_schemes.push(SecuritySchemeInfo::ApiKey {
671                                    location: loc,
672                                    name: name.clone(),
673                                });
674                            }
675                            // OAuth2 and OpenIDConnect don't map to our current feature set
676                            _ => {}
677                        }
678                    } else {
679                        // Fallback: heuristic name matching for unresolvable schemes
680                        let name_lower = scheme_name.to_lowercase();
681                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
682                            features.push(ConformanceFeature::SecurityBearer);
683                            security_schemes.push(SecuritySchemeInfo::Bearer);
684                        } else if name_lower.contains("api") && name_lower.contains("key") {
685                            features.push(ConformanceFeature::SecurityApiKey);
686                            security_schemes.push(SecuritySchemeInfo::ApiKey {
687                                location: ApiKeyLocation::Header,
688                                name: "X-API-Key".to_string(),
689                            });
690                        } else if name_lower.contains("basic") {
691                            features.push(ConformanceFeature::SecurityBasic);
692                            security_schemes.push(SecuritySchemeInfo::Basic);
693                        }
694                    }
695                }
696            }
697        }
698    }
699
700    /// Resolve a security scheme name to its SecurityScheme definition
701    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
702        let components = spec.components.as_ref()?;
703        match components.security_schemes.get(name)? {
704            ReferenceOr::Item(scheme) => Some(scheme),
705            ReferenceOr::Reference { .. } => None,
706        }
707    }
708
709    /// Returns the number of operations being tested
710    pub fn operation_count(&self) -> usize {
711        self.operations.len()
712    }
713
714    /// Generate the k6 conformance script.
715    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
716    pub fn generate(&self) -> Result<(String, usize)> {
717        let mut script = String::with_capacity(16384);
718
719        // Imports
720        script.push_str("import http from 'k6/http';\n");
721        script.push_str("import { check, group } from 'k6';\n");
722        if self.config.request_delay_ms > 0 {
723            script.push_str("import { sleep } from 'k6';\n");
724        }
725        script.push('\n');
726
727        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
728        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
729        // http_req_failed errors, producing a misleading error rate percentage.
730        script.push_str(
731            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
732        );
733
734        // Options
735        script.push_str("export const options = {\n");
736        script.push_str("  vus: 1,\n");
737        script.push_str("  iterations: 1,\n");
738        if self.config.skip_tls_verify {
739            script.push_str("  insecureSkipTLSVerify: true,\n");
740        }
741        script.push_str("  thresholds: {\n");
742        script.push_str("    checks: ['rate>0'],\n");
743        script.push_str("  },\n");
744        script.push_str("};\n\n");
745
746        // Base URL (includes base_path if configured)
747        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
748        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
749
750        // Round 39 (#79) — emit init-scope code (e.g. `open()` calls
751        // for file uploads in custom checks) here, before any
752        // function declarations.
753        let custom_emit = self.config.generate_custom_group()?;
754        if let Some(emit) = &custom_emit {
755            if !emit.init_code.is_empty() {
756                script.push_str("// Round 39 (#79) — preloaded upload bytes for custom checks\n");
757                script.push_str(&emit.init_code);
758                script.push('\n');
759            }
760        }
761
762        // Failure detail collector — logs req/res info for failed checks via console.log
763        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
764        script
765            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
766        script.push_str("  let bodyStr = '';\n");
767        script.push_str("  try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
768        script.push_str("  let reqHeaders = {};\n");
769        script.push_str(
770            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
771        );
772        script.push_str("  let reqBody = '';\n");
773        script.push_str("  if (res.request && res.request.body) { try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch(e) {} }\n");
774        script.push_str("  let payload = {\n");
775        script.push_str("    check: checkName,\n");
776        script.push_str("    request: {\n");
777        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
778        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
779        script.push_str("      headers: reqHeaders,\n");
780        script.push_str("      body: reqBody,\n");
781        script.push_str("    },\n");
782        script.push_str("    response: {\n");
783        script.push_str("      status: res.status,\n");
784        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
785        script.push_str("      body: bodyStr,\n");
786        script.push_str("    },\n");
787        script.push_str("    expected: expected,\n");
788        script.push_str("  };\n");
789        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
790        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
791        script.push_str("}\n\n");
792
793        // Request/response capture for --export-requests
794        //
795        // Round 44 (#79) — mirror the resilience added in `generator.rs`:
796        // wrap the primary stringify in try/catch + fall back to a minimal
797        // entry + last-resort hand-rolled JSON so a multipart body that
798        // contains bytes JSON.stringify can't roundtrip never silently
799        // drops the row from the export. See `generator.rs` for the
800        // surfacing incident.
801        if self.config.export_requests {
802            script.push_str("function __captureExchange(checkName, res) {\n");
803            script.push_str("  try {\n");
804            script.push_str("    let bodyStr = '';\n");
805            script.push_str("    try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
806            script.push_str("    let reqHeaders = {};\n");
807            script.push_str(
808                "    if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
809            );
810            script.push_str("    let reqBody = '';\n");
811            script.push_str("    if (res.request && res.request.body) { try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch(e) {} }\n");
812            // Round 44 — same multipart-body fallback as the custom-
813            // checks generator. Without this, a self-test probe that
814            // happens to upload a file would log an empty body string
815            // here even after r41's fallback elsewhere.
816            script.push_str(
817                "    if (!reqBody) {\n\
818                 \x20\x20\x20\x20\x20\x20const ct = (reqHeaders['Content-Type'] || reqHeaders['content-type'] || '').toString();\n\
819                 \x20\x20\x20\x20\x20\x20if (ct.startsWith('multipart/')) reqBody = '<multipart upload; body bytes not surfaced by k6 res.request.body>';\n\
820                 \x20\x20\x20\x20}\n",
821            );
822            script.push_str("    console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
823            script.push_str("      check: checkName,\n");
824            script.push_str("      request: {\n");
825            script.push_str("        method: res.request ? res.request.method : 'unknown',\n");
826            script.push_str("        url: res.request ? res.request.url : res.url || 'unknown',\n");
827            script.push_str("        headers: reqHeaders,\n");
828            script.push_str("        body: reqBody,\n");
829            script.push_str("      },\n");
830            script.push_str("      response: {\n");
831            script.push_str("        status: res.status,\n");
832            script.push_str("        headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
833            script.push_str("        body: bodyStr,\n");
834            script.push_str("      },\n");
835            script.push_str("    }));\n");
836            script.push_str("  } catch (e) {\n");
837            script.push_str("    try {\n");
838            script.push_str("      console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
839            script.push_str("        check: checkName,\n");
840            script.push_str("        request: {\n");
841            script.push_str(
842                "          method: (res && res.request) ? res.request.method : 'unknown',\n",
843            );
844            script.push_str("          url: (res && res.request) ? res.request.url : (res && res.url) || 'unknown',\n");
845            script.push_str("          headers: {},\n");
846            script.push_str("          body: '<exchange capture failed: ' + (e && e.message ? e.message : 'unknown error') + '>',\n");
847            script.push_str("        },\n");
848            script.push_str("        response: {\n");
849            script.push_str("          status: (res && res.status) || 0,\n");
850            script.push_str("          headers: {},\n");
851            script.push_str("          body: '',\n");
852            script.push_str("        },\n");
853            script.push_str("        _export_error: (e && e.message) ? e.message : String(e),\n");
854            script.push_str("      }));\n");
855            script.push_str("    } catch (e2) {\n");
856            script.push_str("      console.log('MOCKFORGE_EXCHANGE:{\"check\":\"' + checkName + '\",\"request\":{\"method\":\"unknown\",\"url\":\"unknown\",\"headers\":{},\"body\":\"\"},\"response\":{\"status\":0,\"headers\":{},\"body\":\"\"},\"_export_error\":\"double-fault\"}');\n");
857            script.push_str("    }\n");
858            script.push_str("  }\n");
859            script.push_str("}\n\n");
860        }
861
862        // Default function
863        script.push_str("export default function () {\n");
864
865        if self.config.has_cookie_header() {
866            script.push_str(
867                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
868            );
869            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
870        }
871
872        // Group operations by category
873        let mut category_ops: std::collections::BTreeMap<
874            &'static str,
875            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
876        > = std::collections::BTreeMap::new();
877
878        for op in &self.operations {
879            for feature in &op.features {
880                let category = feature.category();
881                if self.config.should_include_category(category) {
882                    category_ops.entry(category).or_default().push((op, feature));
883                }
884            }
885        }
886
887        // Emit grouped tests
888        let mut total_checks = 0usize;
889        for (category, ops) in &category_ops {
890            script.push_str(&format!("  group('{}', function () {{\n", category));
891
892            if self.config.all_operations {
893                // All-operations mode: test every operation, using path-qualified check names
894                let mut emitted_checks: HashSet<String> = HashSet::new();
895                for (op, feature) in ops {
896                    let qualified = format!("{}:{}", feature.check_name(), op.path);
897                    if emitted_checks.insert(qualified.clone()) {
898                        self.emit_check_named(&mut script, op, feature, &qualified);
899                        total_checks += 1;
900                    }
901                }
902            } else {
903                // Default: one representative operation per feature, with path-qualified
904                // check names so failures identify which endpoint was tested.
905                let mut emitted_features: HashSet<&str> = HashSet::new();
906                for (op, feature) in ops {
907                    if emitted_features.insert(feature.check_name()) {
908                        let qualified = format!("{}:{}", feature.check_name(), op.path);
909                        self.emit_check_named(&mut script, op, feature, &qualified);
910                        total_checks += 1;
911                    }
912                }
913            }
914
915            script.push_str("  });\n\n");
916        }
917
918        // Custom checks from YAML file — round 39: init-scope code
919        // was already emitted above; here we just splice the group
920        // body inside the default function.
921        if let Some(emit) = custom_emit {
922            script.push_str(&emit.group_body);
923        }
924
925        script.push_str("}\n\n");
926
927        // handleSummary
928        self.generate_handle_summary(&mut script);
929
930        Ok((script, total_checks))
931    }
932
933    /// Emit a single k6 check for an operation + feature with a custom check name
934    fn emit_check_named(
935        &self,
936        script: &mut String,
937        op: &AnnotatedOperation,
938        feature: &ConformanceFeature,
939        check_name: &str,
940    ) {
941        // Escape single quotes in check name since it's embedded in JS single-quoted strings
942        let check_name = check_name.replace('\'', "\\'");
943        let check_name = check_name.as_str();
944
945        script.push_str("    {\n");
946
947        // Build the URL path with parameters substituted
948        let mut url_path = op.path.clone();
949        for (name, value) in &op.path_params {
950            url_path = url_path.replace(&format!("{{{}}}", name), value);
951        }
952
953        // Build query string
954        if !op.query_params.is_empty() {
955            let qs: Vec<String> =
956                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
957            url_path = format!("{}?{}", url_path, qs.join("&"));
958        }
959
960        let full_url = format!("${{BASE_URL}}{}", url_path);
961
962        // Build effective headers: merge spec-derived headers with custom headers.
963        // Custom headers override spec-derived ones with the same name.
964        let mut effective_headers = self.effective_headers(&op.header_params);
965
966        // For non-default response code checks, add header to tell the mock server
967        // which status code to return (the server defaults to the first declared status)
968        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
969            let expected_code = match feature {
970                ConformanceFeature::Response400 => "400",
971                ConformanceFeature::Response404 => "404",
972                _ => unreachable!(),
973            };
974            effective_headers
975                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
976        }
977
978        // For security checks AND for all requests on endpoints with security requirements,
979        // inject auth credentials so the server doesn't reject with 401.
980        // Only inject if the user hasn't already provided the header via --custom-headers.
981        let needs_auth = matches!(
982            feature,
983            ConformanceFeature::SecurityBearer
984                | ConformanceFeature::SecurityBasic
985                | ConformanceFeature::SecurityApiKey
986        ) || !op.security_schemes.is_empty();
987
988        if needs_auth {
989            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
990        }
991
992        let has_headers = !effective_headers.is_empty();
993        let headers_obj = if has_headers {
994            Self::format_headers(&effective_headers)
995        } else {
996            String::new()
997        };
998
999        // Determine HTTP method and emit request
1000        match op.method.as_str() {
1001            "GET" => {
1002                if has_headers {
1003                    script.push_str(&format!(
1004                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1005                        full_url, headers_obj
1006                    ));
1007                } else {
1008                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1009                }
1010            }
1011            "POST" => {
1012                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
1013            }
1014            "PUT" => {
1015                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
1016            }
1017            "PATCH" => {
1018                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
1019            }
1020            "DELETE" => {
1021                if has_headers {
1022                    script.push_str(&format!(
1023                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
1024                        full_url, headers_obj
1025                    ));
1026                } else {
1027                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
1028                }
1029            }
1030            "HEAD" => {
1031                if has_headers {
1032                    script.push_str(&format!(
1033                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
1034                        full_url, headers_obj
1035                    ));
1036                } else {
1037                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
1038                }
1039            }
1040            "OPTIONS" => {
1041                if has_headers {
1042                    script.push_str(&format!(
1043                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
1044                        full_url, headers_obj
1045                    ));
1046                } else {
1047                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
1048                }
1049            }
1050            _ => {
1051                if has_headers {
1052                    script.push_str(&format!(
1053                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1054                        full_url, headers_obj
1055                    ));
1056                } else {
1057                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1058                }
1059            }
1060        }
1061
1062        // Capture request/response for --export-requests
1063        // (check_name is already escaped at line 829 above — don't double-escape)
1064        if self.config.export_requests {
1065            script.push_str(&format!(
1066                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
1067                check_name
1068            ));
1069        }
1070
1071        // Check: emit assertion based on feature type, with failure detail capture
1072        if matches!(
1073            feature,
1074            ConformanceFeature::Response200
1075                | ConformanceFeature::Response201
1076                | ConformanceFeature::Response204
1077                | ConformanceFeature::Response400
1078                | ConformanceFeature::Response404
1079        ) {
1080            let expected_code = match feature {
1081                ConformanceFeature::Response200 => 200,
1082                ConformanceFeature::Response201 => 201,
1083                ConformanceFeature::Response204 => 204,
1084                ConformanceFeature::Response400 => 400,
1085                ConformanceFeature::Response404 => 404,
1086                _ => 200,
1087            };
1088            script.push_str(&format!(
1089                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
1090                check_name, expected_code, check_name, expected_code
1091            ));
1092        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
1093            // Response schema validation — validate the response body against the schema
1094            // Uses inline field-level error collection so failure details include
1095            // which specific fields violated the schema (field_path, violation_type,
1096            // expected, actual) — matching the Ajv `errors` array structure.
1097            if let Some(schema) = &op.response_schema {
1098                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
1099                let schema_json = serde_json::to_string(schema).unwrap_or_default();
1100                // Escape backticks and backslashes for JS template literal safety
1101                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
1102                script.push_str(&format!(
1103                    concat!(
1104                        "      try {{\n",
1105                        "        let body = res.json();\n",
1106                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
1107                        "        if (!ok) {{\n",
1108                        "          let __violations = [];\n",
1109                        "          try {{\n",
1110                        "            let __schema = JSON.parse(`{schema}`);\n",
1111                        "            function __collectErrors(schema, data, path) {{\n",
1112                        "              if (!schema || typeof schema !== 'object') return;\n",
1113                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1114                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1115                        "              if (st === 'object') {{\n",
1116                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1117                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1118                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1119                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1120                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1121                        "              }} else if (st === 'array') {{\n",
1122                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1123                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1124                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1125                        "              }} else if (st === 'string') {{\n",
1126                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1127                        "              }} else if (st === 'integer') {{\n",
1128                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1129                        "              }} else if (st === 'number') {{\n",
1130                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1131                        "              }} else if (st === 'boolean') {{\n",
1132                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1133                        "              }}\n",
1134                        "            }}\n",
1135                        "            __collectErrors(__schema, body, '');\n",
1136                        "          }} catch(_e) {{}}\n",
1137                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1138                        "        }}\n",
1139                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1140                    ),
1141                    check = check_name,
1142                    validation = validation_js,
1143                    schema = schema_json_escaped,
1144                ));
1145            }
1146        } else if matches!(
1147            feature,
1148            ConformanceFeature::SecurityBearer
1149                | ConformanceFeature::SecurityBasic
1150                | ConformanceFeature::SecurityApiKey
1151        ) {
1152            // Security checks verify the server accepts the auth credentials (not 401/403)
1153            script.push_str(&format!(
1154                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1155                check_name, check_name
1156            ));
1157        } else {
1158            script.push_str(&format!(
1159                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1160                check_name, check_name
1161            ));
1162        }
1163
1164        // Clear cookie jar after each request to prevent Set-Cookie leaking
1165        let has_cookie = self.config.has_cookie_header()
1166            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1167        if has_cookie {
1168            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1169        }
1170
1171        script.push_str("    }\n");
1172
1173        // Rate-limit delay between checks (to avoid 429 from target API)
1174        if self.config.request_delay_ms > 0 {
1175            script.push_str(&format!(
1176                "    sleep({:.3});\n",
1177                self.config.request_delay_ms as f64 / 1000.0
1178            ));
1179        }
1180    }
1181
1182    /// Emit an HTTP request with a body
1183    fn emit_request_with_body(
1184        &self,
1185        script: &mut String,
1186        method: &str,
1187        url: &str,
1188        op: &AnnotatedOperation,
1189        effective_headers: &[(String, String)],
1190    ) {
1191        if let Some(body) = &op.sample_body {
1192            let escaped_body = body.replace('\'', "\\'");
1193            let headers = if !effective_headers.is_empty() {
1194                format!(
1195                    "Object.assign({{}}, JSON_HEADERS, {})",
1196                    Self::format_headers(effective_headers)
1197                )
1198            } else {
1199                "JSON_HEADERS".to_string()
1200            };
1201            script.push_str(&format!(
1202                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1203                method, url, escaped_body, headers
1204            ));
1205        } else if !effective_headers.is_empty() {
1206            script.push_str(&format!(
1207                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1208                method,
1209                url,
1210                Self::format_headers(effective_headers)
1211            ));
1212        } else {
1213            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1214        }
1215    }
1216
1217    /// Build effective headers by merging spec-derived headers with custom headers.
1218    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1219    /// Custom headers not in the spec are appended.
1220    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1221        let custom = &self.config.custom_headers;
1222        if custom.is_empty() {
1223            return spec_headers.to_vec();
1224        }
1225
1226        let mut result: Vec<(String, String)> = Vec::new();
1227
1228        // Start with spec headers, replacing values if a custom header matches
1229        for (name, value) in spec_headers {
1230            if let Some((_, custom_val)) =
1231                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1232            {
1233                result.push((name.clone(), custom_val.clone()));
1234            } else {
1235                result.push((name.clone(), value.clone()));
1236            }
1237        }
1238
1239        // Append custom headers that aren't already in spec headers
1240        for (name, value) in custom {
1241            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1242                result.push((name.clone(), value.clone()));
1243            }
1244        }
1245
1246        result
1247    }
1248
1249    /// Inject security headers based on resolved security scheme details.
1250    /// Respects user-provided custom headers (won't overwrite if already set).
1251    fn inject_security_headers(
1252        &self,
1253        schemes: &[SecuritySchemeInfo],
1254        headers: &mut Vec<(String, String)>,
1255    ) {
1256        let mut to_add: Vec<(String, String)> = Vec::new();
1257
1258        let has_header = |name: &str, headers: &[(String, String)]| {
1259            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1260                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1261        };
1262
1263        // If user provides Cookie header, they're using session-based auth — skip auto auth
1264        let has_cookie_auth = has_header("Cookie", headers);
1265
1266        for scheme in schemes {
1267            match scheme {
1268                SecuritySchemeInfo::Bearer => {
1269                    if !has_cookie_auth && !has_header("Authorization", headers) {
1270                        // MockForge mock server accepts any Bearer token
1271                        to_add.push((
1272                            "Authorization".to_string(),
1273                            "Bearer mockforge-conformance-test-token".to_string(),
1274                        ));
1275                    }
1276                }
1277                SecuritySchemeInfo::Basic => {
1278                    if !has_cookie_auth && !has_header("Authorization", headers) {
1279                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1280                        use base64::Engine;
1281                        let encoded =
1282                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1283                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1284                    }
1285                }
1286                SecuritySchemeInfo::ApiKey { location, name } => match location {
1287                    ApiKeyLocation::Header => {
1288                        if !has_header(name, headers) {
1289                            let key = self
1290                                .config
1291                                .api_key
1292                                .as_deref()
1293                                .unwrap_or("mockforge-conformance-test-key");
1294                            to_add.push((name.clone(), key.to_string()));
1295                        }
1296                    }
1297                    ApiKeyLocation::Cookie => {
1298                        if !has_header("Cookie", headers) {
1299                            to_add.push((
1300                                "Cookie".to_string(),
1301                                format!("{}=mockforge-conformance-test-session", name),
1302                            ));
1303                        }
1304                    }
1305                    ApiKeyLocation::Query => {
1306                        // Query params are handled via URL, not headers — skip here
1307                    }
1308                },
1309            }
1310        }
1311
1312        headers.extend(to_add);
1313    }
1314
1315    /// Format header params as a JS object literal
1316    fn format_headers(headers: &[(String, String)]) -> String {
1317        let entries: Vec<String> = headers
1318            .iter()
1319            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1320            .collect();
1321        format!("{{ {} }}", entries.join(", "))
1322    }
1323
1324    /// handleSummary — same format as reference mode for report compatibility
1325    fn generate_handle_summary(&self, script: &mut String) {
1326        // Use absolute path for report output so k6 writes where the CLI expects
1327        let report_path = match &self.config.output_dir {
1328            Some(dir) => {
1329                let abs = std::fs::canonicalize(dir)
1330                    .unwrap_or_else(|_| dir.clone())
1331                    .join("conformance-report.json");
1332                abs.to_string_lossy().to_string()
1333            }
1334            None => "conformance-report.json".to_string(),
1335        };
1336
1337        script.push_str("export function handleSummary(data) {\n");
1338        script.push_str("  let checks = {};\n");
1339        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1340        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1341        script.push_str("  }\n");
1342        script.push_str("  let checkResults = {};\n");
1343        script.push_str("  function walkGroups(group) {\n");
1344        script.push_str("    if (group.checks) {\n");
1345        script.push_str("      for (let checkObj of group.checks) {\n");
1346        script.push_str("        checkResults[checkObj.name] = {\n");
1347        script.push_str("          passes: checkObj.passes,\n");
1348        script.push_str("          fails: checkObj.fails,\n");
1349        script.push_str("        };\n");
1350        script.push_str("      }\n");
1351        script.push_str("    }\n");
1352        script.push_str("    if (group.groups) {\n");
1353        script.push_str("      for (let subGroup of group.groups) {\n");
1354        script.push_str("        walkGroups(subGroup);\n");
1355        script.push_str("      }\n");
1356        script.push_str("    }\n");
1357        script.push_str("  }\n");
1358        script.push_str("  if (data.root_group) {\n");
1359        script.push_str("    walkGroups(data.root_group);\n");
1360        script.push_str("  }\n");
1361        script.push_str("  return {\n");
1362        script.push_str(&format!(
1363            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1364            report_path
1365        ));
1366        script.push_str("    'summary.json': JSON.stringify(data),\n");
1367        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1368        script.push_str("  };\n");
1369        script.push_str("}\n\n");
1370        script.push_str("function textSummary(data, opts) {\n");
1371        script.push_str("  return JSON.stringify(data, null, 2);\n");
1372        script.push_str("}\n");
1373    }
1374}
1375
1376#[cfg(test)]
1377mod tests {
1378    use super::*;
1379    use openapiv3::{
1380        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1381        SchemaData, SchemaKind, StringType, Type,
1382    };
1383
1384    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1385        ApiOperation {
1386            method: method.to_string(),
1387            path: path.to_string(),
1388            operation,
1389            operation_id: None,
1390        }
1391    }
1392
1393    fn empty_spec() -> OpenAPI {
1394        OpenAPI::default()
1395    }
1396
1397    #[test]
1398    fn test_annotate_get_with_path_param() {
1399        let mut op = Operation::default();
1400        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1401            parameter_data: ParameterData {
1402                name: "id".to_string(),
1403                description: None,
1404                required: true,
1405                deprecated: None,
1406                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1407                    schema_data: SchemaData::default(),
1408                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1409                })),
1410                example: None,
1411                examples: Default::default(),
1412                explode: None,
1413                extensions: Default::default(),
1414            },
1415            style: PathStyle::Simple,
1416        }));
1417
1418        let api_op = make_op("get", "/users/{id}", op);
1419        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1420
1421        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1422        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1423        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1424        assert_eq!(annotated.path_params.len(), 1);
1425        assert_eq!(annotated.path_params[0].0, "id");
1426    }
1427
1428    #[test]
1429    fn test_annotate_post_with_json_body() {
1430        let mut op = Operation::default();
1431        let mut body = RequestBody {
1432            required: true,
1433            ..Default::default()
1434        };
1435        body.content
1436            .insert("application/json".to_string(), openapiv3::MediaType::default());
1437        op.request_body = Some(ReferenceOr::Item(body));
1438
1439        let api_op = make_op("post", "/items", op);
1440        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1441
1442        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1443        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1444    }
1445
1446    #[test]
1447    fn test_annotate_response_codes() {
1448        let mut op = Operation::default();
1449        op.responses
1450            .responses
1451            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1452        op.responses
1453            .responses
1454            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1455
1456        let api_op = make_op("get", "/items", op);
1457        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1458
1459        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1460        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1461    }
1462
1463    #[test]
1464    fn test_generate_spec_driven_script() {
1465        let config = ConformanceConfig {
1466            target_url: "http://localhost:3000".to_string(),
1467            api_key: None,
1468            basic_auth: None,
1469            skip_tls_verify: false,
1470            categories: None,
1471            base_path: None,
1472            custom_headers: vec![],
1473            output_dir: None,
1474            all_operations: false,
1475            custom_checks_file: None,
1476            request_delay_ms: 0,
1477            custom_filter: None,
1478            export_requests: false,
1479            validate_requests: false,
1480        };
1481
1482        let operations = vec![AnnotatedOperation {
1483            path: "/users/{id}".to_string(),
1484            method: "GET".to_string(),
1485            features: vec![
1486                ConformanceFeature::MethodGet,
1487                ConformanceFeature::PathParamString,
1488            ],
1489            request_body_content_type: None,
1490            sample_body: None,
1491            query_params: vec![],
1492            header_params: vec![],
1493            path_params: vec![("id".to_string(), "test-value".to_string())],
1494            response_schema: None,
1495            response_schemas: std::collections::BTreeMap::new(),
1496            request_body_schema: None,
1497            security_schemes: vec![],
1498        }];
1499
1500        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1501        let (script, _check_count) = gen.generate().unwrap();
1502
1503        assert!(script.contains("import http from 'k6/http'"));
1504        assert!(script.contains("/users/test-value"));
1505        assert!(script.contains("param:path:string"));
1506        assert!(script.contains("method:GET"));
1507        assert!(script.contains("handleSummary"));
1508    }
1509
1510    #[test]
1511    fn test_generate_with_category_filter() {
1512        let config = ConformanceConfig {
1513            target_url: "http://localhost:3000".to_string(),
1514            api_key: None,
1515            basic_auth: None,
1516            skip_tls_verify: false,
1517            categories: Some(vec!["Parameters".to_string()]),
1518            base_path: None,
1519            custom_headers: vec![],
1520            output_dir: None,
1521            all_operations: false,
1522            custom_checks_file: None,
1523            request_delay_ms: 0,
1524            custom_filter: None,
1525            export_requests: false,
1526            validate_requests: false,
1527        };
1528
1529        let operations = vec![AnnotatedOperation {
1530            path: "/users/{id}".to_string(),
1531            method: "GET".to_string(),
1532            features: vec![
1533                ConformanceFeature::MethodGet,
1534                ConformanceFeature::PathParamString,
1535            ],
1536            request_body_content_type: None,
1537            sample_body: None,
1538            query_params: vec![],
1539            header_params: vec![],
1540            path_params: vec![("id".to_string(), "1".to_string())],
1541            response_schema: None,
1542            response_schemas: std::collections::BTreeMap::new(),
1543            request_body_schema: None,
1544            security_schemes: vec![],
1545        }];
1546
1547        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1548        let (script, _check_count) = gen.generate().unwrap();
1549
1550        assert!(script.contains("group('Parameters'"));
1551        assert!(!script.contains("group('HTTP Methods'"));
1552    }
1553
1554    #[test]
1555    fn test_annotate_response_validation() {
1556        use openapiv3::ObjectType;
1557
1558        // Operation with a 200 response that has a JSON schema
1559        let mut op = Operation::default();
1560        let mut response = Response::default();
1561        let mut media = openapiv3::MediaType::default();
1562        let mut obj_type = ObjectType::default();
1563        obj_type.properties.insert(
1564            "name".to_string(),
1565            ReferenceOr::Item(Box::new(Schema {
1566                schema_data: SchemaData::default(),
1567                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1568            })),
1569        );
1570        obj_type.required = vec!["name".to_string()];
1571        media.schema = Some(ReferenceOr::Item(Schema {
1572            schema_data: SchemaData::default(),
1573            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1574        }));
1575        response.content.insert("application/json".to_string(), media);
1576        op.responses
1577            .responses
1578            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1579
1580        let api_op = make_op("get", "/users", op);
1581        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1582
1583        assert!(
1584            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1585            "Should detect ResponseValidation when response has a JSON schema"
1586        );
1587        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1588
1589        // Verify generated script includes schema validation with try-catch
1590        let config = ConformanceConfig {
1591            target_url: "http://localhost:3000".to_string(),
1592            api_key: None,
1593            basic_auth: None,
1594            skip_tls_verify: false,
1595            categories: None,
1596            base_path: None,
1597            custom_headers: vec![],
1598            output_dir: None,
1599            all_operations: false,
1600            custom_checks_file: None,
1601            request_delay_ms: 0,
1602            custom_filter: None,
1603            export_requests: false,
1604            validate_requests: false,
1605        };
1606        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1607        let (script, _check_count) = gen.generate().unwrap();
1608
1609        assert!(
1610            script.contains("response:schema:validation"),
1611            "Script should contain the validation check name"
1612        );
1613        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1614        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1615    }
1616
1617    #[test]
1618    fn test_annotate_global_security() {
1619        // Spec with global security requirement, operation without its own security
1620        let op = Operation::default();
1621        let mut spec = OpenAPI::default();
1622        let mut global_req = openapiv3::SecurityRequirement::new();
1623        global_req.insert("bearerAuth".to_string(), vec![]);
1624        spec.security = Some(vec![global_req]);
1625        // Define the security scheme in components
1626        let mut components = openapiv3::Components::default();
1627        components.security_schemes.insert(
1628            "bearerAuth".to_string(),
1629            ReferenceOr::Item(SecurityScheme::HTTP {
1630                scheme: "bearer".to_string(),
1631                bearer_format: Some("JWT".to_string()),
1632                description: None,
1633                extensions: Default::default(),
1634            }),
1635        );
1636        spec.components = Some(components);
1637
1638        let api_op = make_op("get", "/protected", op);
1639        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1640
1641        assert!(
1642            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1643            "Should detect SecurityBearer from global security + components"
1644        );
1645    }
1646
1647    #[test]
1648    fn test_annotate_security_scheme_resolution() {
1649        // Test that security scheme type is resolved from components, not just name heuristic
1650        let mut op = Operation::default();
1651        // Use a generic name that wouldn't match name heuristics
1652        let mut req = openapiv3::SecurityRequirement::new();
1653        req.insert("myAuth".to_string(), vec![]);
1654        op.security = Some(vec![req]);
1655
1656        let mut spec = OpenAPI::default();
1657        let mut components = openapiv3::Components::default();
1658        components.security_schemes.insert(
1659            "myAuth".to_string(),
1660            ReferenceOr::Item(SecurityScheme::APIKey {
1661                location: openapiv3::APIKeyLocation::Header,
1662                name: "X-API-Key".to_string(),
1663                description: None,
1664                extensions: Default::default(),
1665            }),
1666        );
1667        spec.components = Some(components);
1668
1669        let api_op = make_op("get", "/data", op);
1670        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1671
1672        assert!(
1673            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1674            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1675        );
1676    }
1677
1678    #[test]
1679    fn test_annotate_content_negotiation() {
1680        let mut op = Operation::default();
1681        let mut response = Response::default();
1682        // Response with multiple content types
1683        response
1684            .content
1685            .insert("application/json".to_string(), openapiv3::MediaType::default());
1686        response
1687            .content
1688            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1689        op.responses
1690            .responses
1691            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1692
1693        let api_op = make_op("get", "/items", op);
1694        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1695
1696        assert!(
1697            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1698            "Should detect ContentNegotiation when response has multiple content types"
1699        );
1700    }
1701
1702    #[test]
1703    fn test_no_content_negotiation_for_single_type() {
1704        let mut op = Operation::default();
1705        let mut response = Response::default();
1706        response
1707            .content
1708            .insert("application/json".to_string(), openapiv3::MediaType::default());
1709        op.responses
1710            .responses
1711            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1712
1713        let api_op = make_op("get", "/items", op);
1714        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1715
1716        assert!(
1717            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1718            "Should NOT detect ContentNegotiation for a single content type"
1719        );
1720    }
1721
1722    #[test]
1723    fn test_spec_driven_with_base_path() {
1724        let annotated = AnnotatedOperation {
1725            path: "/users".to_string(),
1726            method: "GET".to_string(),
1727            features: vec![ConformanceFeature::MethodGet],
1728            path_params: vec![],
1729            query_params: vec![],
1730            header_params: vec![],
1731            request_body_content_type: None,
1732            sample_body: None,
1733            response_schema: None,
1734            response_schemas: std::collections::BTreeMap::new(),
1735            request_body_schema: None,
1736            security_schemes: vec![],
1737        };
1738        let config = ConformanceConfig {
1739            target_url: "https://192.168.2.86/".to_string(),
1740            api_key: None,
1741            basic_auth: None,
1742            skip_tls_verify: true,
1743            categories: None,
1744            base_path: Some("/api".to_string()),
1745            custom_headers: vec![],
1746            output_dir: None,
1747            all_operations: false,
1748            custom_checks_file: None,
1749            request_delay_ms: 0,
1750            custom_filter: None,
1751            export_requests: false,
1752            validate_requests: false,
1753        };
1754        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1755        let (script, _check_count) = gen.generate().unwrap();
1756
1757        assert!(
1758            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1759            "BASE_URL should include the base_path. Got: {}",
1760            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1761        );
1762    }
1763
1764    #[test]
1765    fn test_spec_driven_with_custom_headers() {
1766        let annotated = AnnotatedOperation {
1767            path: "/users".to_string(),
1768            method: "GET".to_string(),
1769            features: vec![ConformanceFeature::MethodGet],
1770            path_params: vec![],
1771            query_params: vec![],
1772            header_params: vec![
1773                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1774                ("X-CSRFToken".to_string(), "test-value".to_string()),
1775            ],
1776            request_body_content_type: None,
1777            sample_body: None,
1778            response_schema: None,
1779            response_schemas: std::collections::BTreeMap::new(),
1780            request_body_schema: None,
1781            security_schemes: vec![],
1782        };
1783        let config = ConformanceConfig {
1784            target_url: "https://192.168.2.86/".to_string(),
1785            api_key: None,
1786            basic_auth: None,
1787            skip_tls_verify: true,
1788            categories: None,
1789            base_path: Some("/api".to_string()),
1790            custom_headers: vec![
1791                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1792                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1793                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1794            ],
1795            output_dir: None,
1796            all_operations: false,
1797            custom_checks_file: None,
1798            request_delay_ms: 0,
1799            custom_filter: None,
1800            export_requests: false,
1801            validate_requests: false,
1802        };
1803        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1804        let (script, _check_count) = gen.generate().unwrap();
1805
1806        // Custom headers should override spec-derived test-value placeholders
1807        assert!(
1808            script.contains("'X-Avi-Tenant': 'admin'"),
1809            "Should use custom value for X-Avi-Tenant, not test-value"
1810        );
1811        assert!(
1812            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1813            "Should use custom value for X-CSRFToken, not test-value"
1814        );
1815        // Custom headers not in spec should be appended
1816        assert!(
1817            script.contains("'Cookie': 'sessionid=abc123'"),
1818            "Should include Cookie header from custom_headers"
1819        );
1820        // test-value should NOT appear
1821        assert!(
1822            !script.contains("'test-value'"),
1823            "test-value placeholders should be replaced by custom values"
1824        );
1825    }
1826
1827    #[test]
1828    fn test_effective_headers_merging() {
1829        let config = ConformanceConfig {
1830            target_url: "http://localhost".to_string(),
1831            api_key: None,
1832            basic_auth: None,
1833            skip_tls_verify: false,
1834            categories: None,
1835            base_path: None,
1836            custom_headers: vec![
1837                ("X-Auth".to_string(), "real-token".to_string()),
1838                ("Cookie".to_string(), "session=abc".to_string()),
1839            ],
1840            output_dir: None,
1841            all_operations: false,
1842            custom_checks_file: None,
1843            request_delay_ms: 0,
1844            custom_filter: None,
1845            export_requests: false,
1846            validate_requests: false,
1847        };
1848        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1849
1850        // Spec headers with a matching custom header
1851        let spec_headers = vec![
1852            ("X-Auth".to_string(), "test-value".to_string()),
1853            ("X-Other".to_string(), "keep-this".to_string()),
1854        ];
1855        let effective = gen.effective_headers(&spec_headers);
1856
1857        // X-Auth should be overridden
1858        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1859        // X-Other should be kept as-is
1860        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1861        // Cookie should be appended
1862        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1863    }
1864}