Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Round 25 — per-status response schemas (JSON values, pre-resolved
180    /// via $ref). Keyed by HTTP status code, populated for every
181    /// status declared in the spec that has an `application/json`
182    /// body. The self-test driver looks up the schema for each probe's
183    /// actual status and validates the response body against it
184    /// (closing round 21.3 / Srikanth's a2 / a3 ask). Empty when the
185    /// spec declares no JSON response bodies.
186    pub response_schemas: std::collections::BTreeMap<u16, serde_json::Value>,
187    /// Round 17.2 — the resolved request-body schema (application/json).
188    /// Used by the self-test driver to synthesise schema-aware
189    /// negative mutations (wrong type, min/max bounds, pattern, enum
190    /// out-of-range, required-field removal). Independent of
191    /// `sample_body`, which is the positive payload.
192    pub request_body_schema: Option<Schema>,
193    /// Security scheme details resolved from the OpenAPI spec
194    pub security_schemes: Vec<SecuritySchemeInfo>,
195}
196
197/// Generates spec-driven conformance k6 scripts
198pub struct SpecDrivenConformanceGenerator {
199    config: ConformanceConfig,
200    operations: Vec<AnnotatedOperation>,
201}
202
203impl SpecDrivenConformanceGenerator {
204    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
205        Self { config, operations }
206    }
207
208    /// Annotate a list of API operations with conformance features
209    pub fn annotate_operations(
210        operations: &[ApiOperation],
211        spec: &OpenAPI,
212    ) -> Vec<AnnotatedOperation> {
213        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
214    }
215
216    /// Analyze an operation and determine which conformance features it exercises
217    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
218        let mut features = Vec::new();
219        let mut query_params = Vec::new();
220        let mut header_params = Vec::new();
221        let mut path_params = Vec::new();
222
223        // Detect HTTP method feature
224        match op.method.to_uppercase().as_str() {
225            "GET" => features.push(ConformanceFeature::MethodGet),
226            "POST" => features.push(ConformanceFeature::MethodPost),
227            "PUT" => features.push(ConformanceFeature::MethodPut),
228            "PATCH" => features.push(ConformanceFeature::MethodPatch),
229            "DELETE" => features.push(ConformanceFeature::MethodDelete),
230            "HEAD" => features.push(ConformanceFeature::MethodHead),
231            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
232            _ => {}
233        }
234
235        // Detect parameter features (resolves $ref)
236        for param_ref in &op.operation.parameters {
237            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
238                Self::annotate_parameter(
239                    param,
240                    spec,
241                    &mut features,
242                    &mut query_params,
243                    &mut header_params,
244                    &mut path_params,
245                );
246            }
247        }
248
249        // Detect path parameters from the path template itself
250        for segment in op.path.split('/') {
251            if segment.starts_with('{') && segment.ends_with('}') {
252                let name = &segment[1..segment.len() - 1];
253                // Only add if not already found from parameters
254                if !path_params.iter().any(|(n, _)| n == name) {
255                    path_params.push((name.to_string(), "test-value".to_string()));
256                    // Determine type from path params we didn't already handle
257                    if !features.contains(&ConformanceFeature::PathParamString)
258                        && !features.contains(&ConformanceFeature::PathParamInteger)
259                    {
260                        features.push(ConformanceFeature::PathParamString);
261                    }
262                }
263            }
264        }
265
266        // Detect request body features (resolves $ref)
267        let mut request_body_content_type = None;
268        let mut sample_body = None;
269        let mut request_body_schema: Option<Schema> = None;
270
271        let resolved_body = op
272            .operation
273            .request_body
274            .as_ref()
275            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
276
277        if let Some(body) = resolved_body {
278            for (content_type, _media) in &body.content {
279                match content_type.as_str() {
280                    "application/json" => {
281                        features.push(ConformanceFeature::BodyJson);
282                        request_body_content_type = Some("application/json".to_string());
283                        // Generate sample body from schema
284                        if let Ok(template) = RequestGenerator::generate_template(op) {
285                            if let Some(body_val) = &template.body {
286                                sample_body = Some(body_val.to_string());
287                            }
288                        }
289                    }
290                    "application/x-www-form-urlencoded" => {
291                        features.push(ConformanceFeature::BodyFormUrlencoded);
292                        request_body_content_type =
293                            Some("application/x-www-form-urlencoded".to_string());
294                    }
295                    "multipart/form-data" => {
296                        features.push(ConformanceFeature::BodyMultipart);
297                        request_body_content_type = Some("multipart/form-data".to_string());
298                    }
299                    _ => {}
300                }
301            }
302
303            // Detect schema features in request body (resolves $ref in schema)
304            if let Some(media) = body.content.get("application/json") {
305                if let Some(schema_ref) = &media.schema {
306                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
307                        Self::annotate_schema(schema, spec, &mut features);
308                        // Round 17.2 — keep a clone of the resolved
309                        // body schema so the self-test driver can walk
310                        // it to synthesise schema-aware negatives.
311                        request_body_schema = Some(schema.clone());
312                    }
313                }
314            }
315        }
316
317        // Detect response code features
318        Self::annotate_responses(&op.operation, spec, &mut features);
319
320        // Extract response schema for validation (resolves $ref)
321        let response_schema = Self::extract_response_schema(&op.operation, spec);
322        if response_schema.is_some() {
323            features.push(ConformanceFeature::ResponseValidation);
324        }
325        // Round 25 — per-status response schema map (closes round 21.3).
326        let response_schemas = Self::extract_response_schemas_per_status(&op.operation, spec);
327
328        // Detect content negotiation (response with multiple content types)
329        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
330
331        // Detect security features and resolve scheme details
332        let mut security_schemes = Vec::new();
333        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
334
335        // Deduplicate features
336        features.sort_by_key(|f| f.check_name());
337        features.dedup_by_key(|f| f.check_name());
338
339        AnnotatedOperation {
340            path: op.path.clone(),
341            method: op.method.to_uppercase(),
342            features,
343            request_body_content_type,
344            sample_body,
345            query_params,
346            header_params,
347            path_params,
348            response_schema,
349            response_schemas,
350            request_body_schema,
351            security_schemes,
352        }
353    }
354
355    /// Annotate parameter features
356    fn annotate_parameter(
357        param: &Parameter,
358        spec: &OpenAPI,
359        features: &mut Vec<ConformanceFeature>,
360        query_params: &mut Vec<(String, String)>,
361        header_params: &mut Vec<(String, String)>,
362        path_params: &mut Vec<(String, String)>,
363    ) {
364        let (location, data) = match param {
365            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
366            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
367            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
368            Parameter::Cookie { .. } => {
369                features.push(ConformanceFeature::CookieParam);
370                return;
371            }
372        };
373
374        // Detect type from schema
375        let is_integer = Self::param_schema_is_integer(data, spec);
376        let is_array = Self::param_schema_is_array(data, spec);
377
378        // Generate sample value
379        let sample = if is_integer {
380            "42".to_string()
381        } else if is_array {
382            "a,b".to_string()
383        } else {
384            "test-value".to_string()
385        };
386
387        match location {
388            "path" => {
389                if is_integer {
390                    features.push(ConformanceFeature::PathParamInteger);
391                } else {
392                    features.push(ConformanceFeature::PathParamString);
393                }
394                path_params.push((data.name.clone(), sample));
395            }
396            "query" => {
397                if is_array {
398                    features.push(ConformanceFeature::QueryParamArray);
399                } else if is_integer {
400                    features.push(ConformanceFeature::QueryParamInteger);
401                } else {
402                    features.push(ConformanceFeature::QueryParamString);
403                }
404                query_params.push((data.name.clone(), sample));
405            }
406            "header" => {
407                features.push(ConformanceFeature::HeaderParam);
408                header_params.push((data.name.clone(), sample));
409            }
410            _ => {}
411        }
412
413        // Check for constraint features on the parameter (resolves $ref)
414        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
415            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
416                Self::annotate_schema(schema, spec, features);
417            }
418        }
419
420        // Required/optional
421        if data.required {
422            features.push(ConformanceFeature::ConstraintRequired);
423        } else {
424            features.push(ConformanceFeature::ConstraintOptional);
425        }
426    }
427
428    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
429        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
430            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
431                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
432            }
433        }
434        false
435    }
436
437    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
438        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
439            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
440                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
441            }
442        }
443        false
444    }
445
446    /// Annotate schema-level features (types, composition, formats, constraints)
447    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
448        match &schema.schema_kind {
449            SchemaKind::Type(Type::String(s)) => {
450                features.push(ConformanceFeature::SchemaString);
451                // Check format
452                match &s.format {
453                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
454                        features.push(ConformanceFeature::FormatDate);
455                    }
456                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
457                        features.push(ConformanceFeature::FormatDateTime);
458                    }
459                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
460                        "email" => features.push(ConformanceFeature::FormatEmail),
461                        "uuid" => features.push(ConformanceFeature::FormatUuid),
462                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
463                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
464                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
465                        _ => {}
466                    },
467                    _ => {}
468                }
469                // Check constraints
470                if s.pattern.is_some() {
471                    features.push(ConformanceFeature::ConstraintPattern);
472                }
473                if !s.enumeration.is_empty() {
474                    features.push(ConformanceFeature::ConstraintEnum);
475                }
476                if s.min_length.is_some() || s.max_length.is_some() {
477                    features.push(ConformanceFeature::ConstraintMinMax);
478                }
479            }
480            SchemaKind::Type(Type::Integer(i)) => {
481                features.push(ConformanceFeature::SchemaInteger);
482                if i.minimum.is_some() || i.maximum.is_some() {
483                    features.push(ConformanceFeature::ConstraintMinMax);
484                }
485                if !i.enumeration.is_empty() {
486                    features.push(ConformanceFeature::ConstraintEnum);
487                }
488            }
489            SchemaKind::Type(Type::Number(n)) => {
490                features.push(ConformanceFeature::SchemaNumber);
491                if n.minimum.is_some() || n.maximum.is_some() {
492                    features.push(ConformanceFeature::ConstraintMinMax);
493                }
494            }
495            SchemaKind::Type(Type::Boolean(_)) => {
496                features.push(ConformanceFeature::SchemaBoolean);
497            }
498            SchemaKind::Type(Type::Array(arr)) => {
499                features.push(ConformanceFeature::SchemaArray);
500                if let Some(item_ref) = &arr.items {
501                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
502                        Self::annotate_schema(item_schema, spec, features);
503                    }
504                }
505            }
506            SchemaKind::Type(Type::Object(obj)) => {
507                features.push(ConformanceFeature::SchemaObject);
508                // Check required fields
509                if !obj.required.is_empty() {
510                    features.push(ConformanceFeature::ConstraintRequired);
511                }
512                // Walk properties (resolves $ref)
513                for (_name, prop_ref) in &obj.properties {
514                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
515                        Self::annotate_schema(prop_schema, spec, features);
516                    }
517                }
518            }
519            SchemaKind::OneOf { .. } => {
520                features.push(ConformanceFeature::CompositionOneOf);
521            }
522            SchemaKind::AnyOf { .. } => {
523                features.push(ConformanceFeature::CompositionAnyOf);
524            }
525            SchemaKind::AllOf { .. } => {
526                features.push(ConformanceFeature::CompositionAllOf);
527            }
528            _ => {}
529        }
530    }
531
532    /// Detect response code features (resolves $ref in responses)
533    fn annotate_responses(
534        operation: &Operation,
535        spec: &OpenAPI,
536        features: &mut Vec<ConformanceFeature>,
537    ) {
538        for (status_code, resp_ref) in &operation.responses.responses {
539            // Only count features for responses that actually resolve
540            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
541                match status_code {
542                    openapiv3::StatusCode::Code(200) => {
543                        features.push(ConformanceFeature::Response200)
544                    }
545                    openapiv3::StatusCode::Code(201) => {
546                        features.push(ConformanceFeature::Response201)
547                    }
548                    openapiv3::StatusCode::Code(204) => {
549                        features.push(ConformanceFeature::Response204)
550                    }
551                    openapiv3::StatusCode::Code(400) => {
552                        features.push(ConformanceFeature::Response400)
553                    }
554                    openapiv3::StatusCode::Code(404) => {
555                        features.push(ConformanceFeature::Response404)
556                    }
557                    _ => {}
558                }
559            }
560        }
561    }
562
563    /// Round 25 — extract every declared response schema, keyed by the
564    /// numeric HTTP status. Only `application/json` content types are
565    /// included (the only body shape the self-test validates against).
566    /// Used by the self-test driver to validate response bodies against
567    /// the schema for the ACTUAL status returned, not just 200.
568    fn extract_response_schemas_per_status(
569        operation: &Operation,
570        spec: &OpenAPI,
571    ) -> std::collections::BTreeMap<u16, serde_json::Value> {
572        let mut out = std::collections::BTreeMap::new();
573        for (code, resp_ref) in &operation.responses.responses {
574            let openapiv3::StatusCode::Code(n) = code else {
575                continue; // skip "default" / range responses for now
576            };
577            let Some(response) = ref_resolver::resolve_response(resp_ref, spec) else {
578                continue;
579            };
580            let Some(media) = response.content.get("application/json") else {
581                continue;
582            };
583            let Some(schema_ref) = &media.schema else {
584                continue;
585            };
586            let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) else {
587                continue;
588            };
589            // Convert openapiv3::Schema → serde_json::Value so the
590            // validation step can hand it straight to jsonschema.
591            if let Ok(value) = serde_json::to_value(schema) {
592                out.insert(*n, value);
593            }
594        }
595        out
596    }
597
598    /// Extract the response schema for the primary success response (200 or 201)
599    /// Resolves $ref for both the response and the schema within it.
600    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
601        // Try 200 first, then 201
602        for code in [200u16, 201] {
603            if let Some(resp_ref) =
604                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
605            {
606                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
607                    if let Some(media) = response.content.get("application/json") {
608                        if let Some(schema_ref) = &media.schema {
609                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
610                                return Some(schema.clone());
611                            }
612                        }
613                    }
614                }
615            }
616        }
617        None
618    }
619
620    /// Detect content negotiation: response supports multiple content types
621    fn annotate_content_negotiation(
622        operation: &Operation,
623        spec: &OpenAPI,
624        features: &mut Vec<ConformanceFeature>,
625    ) {
626        for (_status_code, resp_ref) in &operation.responses.responses {
627            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
628                if response.content.len() > 1 {
629                    features.push(ConformanceFeature::ContentNegotiation);
630                    return; // Only need to detect once per operation
631                }
632            }
633        }
634    }
635
636    /// Detect security scheme features.
637    /// Checks operation-level security first, falling back to global security requirements.
638    /// Resolves scheme names against SecurityScheme definitions in components.
639    fn annotate_security(
640        operation: &Operation,
641        spec: &OpenAPI,
642        features: &mut Vec<ConformanceFeature>,
643        security_schemes: &mut Vec<SecuritySchemeInfo>,
644    ) {
645        // Use operation-level security if present, otherwise fall back to global
646        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
647
648        if let Some(security) = security_reqs {
649            for security_req in security {
650                for scheme_name in security_req.keys() {
651                    // Try to resolve the scheme from components for accurate type detection
652                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
653                        match resolved {
654                            SecurityScheme::HTTP { ref scheme, .. } => {
655                                if scheme.eq_ignore_ascii_case("bearer") {
656                                    features.push(ConformanceFeature::SecurityBearer);
657                                    security_schemes.push(SecuritySchemeInfo::Bearer);
658                                } else if scheme.eq_ignore_ascii_case("basic") {
659                                    features.push(ConformanceFeature::SecurityBasic);
660                                    security_schemes.push(SecuritySchemeInfo::Basic);
661                                }
662                            }
663                            SecurityScheme::APIKey { location, name, .. } => {
664                                features.push(ConformanceFeature::SecurityApiKey);
665                                let loc = match location {
666                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
667                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
668                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
669                                };
670                                security_schemes.push(SecuritySchemeInfo::ApiKey {
671                                    location: loc,
672                                    name: name.clone(),
673                                });
674                            }
675                            // OAuth2 and OpenIDConnect don't map to our current feature set
676                            _ => {}
677                        }
678                    } else {
679                        // Fallback: heuristic name matching for unresolvable schemes
680                        let name_lower = scheme_name.to_lowercase();
681                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
682                            features.push(ConformanceFeature::SecurityBearer);
683                            security_schemes.push(SecuritySchemeInfo::Bearer);
684                        } else if name_lower.contains("api") && name_lower.contains("key") {
685                            features.push(ConformanceFeature::SecurityApiKey);
686                            security_schemes.push(SecuritySchemeInfo::ApiKey {
687                                location: ApiKeyLocation::Header,
688                                name: "X-API-Key".to_string(),
689                            });
690                        } else if name_lower.contains("basic") {
691                            features.push(ConformanceFeature::SecurityBasic);
692                            security_schemes.push(SecuritySchemeInfo::Basic);
693                        }
694                    }
695                }
696            }
697        }
698    }
699
700    /// Resolve a security scheme name to its SecurityScheme definition
701    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
702        let components = spec.components.as_ref()?;
703        match components.security_schemes.get(name)? {
704            ReferenceOr::Item(scheme) => Some(scheme),
705            ReferenceOr::Reference { .. } => None,
706        }
707    }
708
709    /// Returns the number of operations being tested
710    pub fn operation_count(&self) -> usize {
711        self.operations.len()
712    }
713
714    /// Generate the k6 conformance script.
715    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
716    pub fn generate(&self) -> Result<(String, usize)> {
717        let mut script = String::with_capacity(16384);
718
719        // Imports
720        script.push_str("import http from 'k6/http';\n");
721        script.push_str("import { check, group } from 'k6';\n");
722        if self.config.request_delay_ms > 0 {
723            script.push_str("import { sleep } from 'k6';\n");
724        }
725        script.push('\n');
726
727        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
728        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
729        // http_req_failed errors, producing a misleading error rate percentage.
730        script.push_str(
731            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
732        );
733
734        // Options
735        script.push_str("export const options = {\n");
736        script.push_str("  vus: 1,\n");
737        script.push_str("  iterations: 1,\n");
738        if self.config.skip_tls_verify {
739            script.push_str("  insecureSkipTLSVerify: true,\n");
740        }
741        script.push_str("  thresholds: {\n");
742        script.push_str("    checks: ['rate>0'],\n");
743        script.push_str("  },\n");
744        script.push_str("};\n\n");
745
746        // Base URL (includes base_path if configured)
747        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
748        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
749
750        // Round 39 (#79) — emit init-scope code (e.g. `open()` calls
751        // for file uploads in custom checks) here, before any
752        // function declarations.
753        let custom_emit = self.config.generate_custom_group()?;
754        if let Some(emit) = &custom_emit {
755            if !emit.init_code.is_empty() {
756                script.push_str("// Round 39 (#79) — preloaded upload bytes for custom checks\n");
757                script.push_str(&emit.init_code);
758                script.push('\n');
759            }
760        }
761
762        // Failure detail collector — logs req/res info for failed checks via console.log
763        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
764        script
765            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
766        script.push_str("  let bodyStr = '';\n");
767        script.push_str("  try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
768        script.push_str("  let reqHeaders = {};\n");
769        script.push_str(
770            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
771        );
772        script.push_str("  let reqBody = '';\n");
773        script.push_str("  if (res.request && res.request.body) { try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch(e) {} }\n");
774        script.push_str("  let payload = {\n");
775        script.push_str("    check: checkName,\n");
776        script.push_str("    request: {\n");
777        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
778        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
779        script.push_str("      headers: reqHeaders,\n");
780        script.push_str("      body: reqBody,\n");
781        script.push_str("    },\n");
782        script.push_str("    response: {\n");
783        script.push_str("      status: res.status,\n");
784        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
785        script.push_str("      body: bodyStr,\n");
786        script.push_str("    },\n");
787        script.push_str("    expected: expected,\n");
788        script.push_str("  };\n");
789        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
790        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
791        script.push_str("}\n\n");
792
793        // Request/response capture for --export-requests
794        //
795        // Round 44 (#79) — mirror the resilience added in `generator.rs`:
796        // wrap the primary stringify in try/catch + fall back to a minimal
797        // entry + last-resort hand-rolled JSON so a multipart body that
798        // contains bytes JSON.stringify can't roundtrip never silently
799        // drops the row from the export. See `generator.rs` for the
800        // surfacing incident.
801        if self.config.export_requests {
802            script.push_str("function __captureExchange(checkName, res) {\n");
803            script.push_str("  try {\n");
804            script.push_str("    let bodyStr = '';\n");
805            script.push_str("    try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
806            script.push_str("    let reqHeaders = {};\n");
807            script.push_str(
808                "    if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
809            );
810            // Round 46 (#79) — mirror the structured multipart summary
811            // from `generator.rs`. See the long comment there; same
812            // rationale (k6 logfmt mangling on raw binary bytes).
813            script.push_str("    let reqBody = '';\n");
814            script.push_str("    {\n");
815            script.push_str(
816                "      const ct = (reqHeaders['Content-Type'] || reqHeaders['content-type'] || '').toString();\n",
817            );
818            script.push_str("      const isMultipart = ct.startsWith('multipart/');\n");
819            script.push_str(
820                "      if (isMultipart && res.request && res.request.body) {\n\
821                 \x20\x20\x20\x20\x20\x20\x20\x20try {\n\
822                 \x20\x20\x20\x20\x20\x20\x20\x20  const raw = res.request.body;\n\
823                 \x20\x20\x20\x20\x20\x20\x20\x20  const totalBytes = raw.length;\n\
824                 \x20\x20\x20\x20\x20\x20\x20\x20  const boundaryMatch = ct.match(/boundary=([^;]+)/);\n\
825                 \x20\x20\x20\x20\x20\x20\x20\x20  const boundary = boundaryMatch ? boundaryMatch[1].replace(/^\"|\"$/g, '') : '';\n\
826                 \x20\x20\x20\x20\x20\x20\x20\x20  const parts = [];\n\
827                 \x20\x20\x20\x20\x20\x20\x20\x20  if (boundary) {\n\
828                 \x20\x20\x20\x20\x20\x20\x20\x20    const sep = '--' + boundary;\n\
829                 \x20\x20\x20\x20\x20\x20\x20\x20    let cursor = raw.indexOf(sep);\n\
830                 \x20\x20\x20\x20\x20\x20\x20\x20    while (cursor !== -1 && parts.length < 100) {\n\
831                 \x20\x20\x20\x20\x20\x20\x20\x20      const next = raw.indexOf(sep, cursor + sep.length);\n\
832                 \x20\x20\x20\x20\x20\x20\x20\x20      if (next === -1) break;\n\
833                 \x20\x20\x20\x20\x20\x20\x20\x20      const slice = raw.substring(cursor + sep.length, next);\n\
834                 \x20\x20\x20\x20\x20\x20\x20\x20      const headerEnd = slice.indexOf('\\r\\n\\r\\n');\n\
835                 \x20\x20\x20\x20\x20\x20\x20\x20      const partHeaders = headerEnd === -1 ? slice : slice.substring(0, headerEnd);\n\
836                 \x20\x20\x20\x20\x20\x20\x20\x20      const partBody = headerEnd === -1 ? '' : slice.substring(headerEnd + 4);\n\
837                 \x20\x20\x20\x20\x20\x20\x20\x20      const nameMatch = partHeaders.match(/name=\"([^\"]+)\"/);\n\
838                 \x20\x20\x20\x20\x20\x20\x20\x20      const filenameMatch = partHeaders.match(/filename=\"([^\"]+)\"/);\n\
839                 \x20\x20\x20\x20\x20\x20\x20\x20      const partCtMatch = partHeaders.match(/Content-Type:\\s*([^\\r\\n]+)/i);\n\
840                 \x20\x20\x20\x20\x20\x20\x20\x20      parts.push({\n\
841                 \x20\x20\x20\x20\x20\x20\x20\x20        name: nameMatch ? nameMatch[1] : '',\n\
842                 \x20\x20\x20\x20\x20\x20\x20\x20        filename: filenameMatch ? filenameMatch[1] : '',\n\
843                 \x20\x20\x20\x20\x20\x20\x20\x20        contentType: partCtMatch ? partCtMatch[1].trim() : '',\n\
844                 \x20\x20\x20\x20\x20\x20\x20\x20        bytes: Math.max(0, partBody.length - 2),\n\
845                 \x20\x20\x20\x20\x20\x20\x20\x20      });\n\
846                 \x20\x20\x20\x20\x20\x20\x20\x20      cursor = next;\n\
847                 \x20\x20\x20\x20\x20\x20\x20\x20    }\n\
848                 \x20\x20\x20\x20\x20\x20\x20\x20  }\n\
849                 \x20\x20\x20\x20\x20\x20\x20\x20  const summary = parts.map(function (p) { return '\\'' + p.name + '\\':\\'' + p.filename + '\\' (' + p.contentType + ', ' + p.bytes + ' bytes)'; }).join(', ');\n\
850                 \x20\x20\x20\x20\x20\x20\x20\x20  reqBody = '<multipart/form-data; boundary=' + boundary + '; ' + parts.length + ' part(s); total ' + totalBytes + ' bytes: ' + summary + '>';\n\
851                 \x20\x20\x20\x20\x20\x20\x20\x20} catch (e) {\n\
852                 \x20\x20\x20\x20\x20\x20\x20\x20  reqBody = '<multipart upload; summary failed: ' + (e && e.message ? e.message : 'unknown') + '>';\n\
853                 \x20\x20\x20\x20\x20\x20\x20\x20}\n\
854                 \x20\x20\x20\x20\x20\x20} else if (isMultipart) {\n\
855                 \x20\x20\x20\x20\x20\x20\x20\x20reqBody = '<multipart upload; body bytes not surfaced by k6 res.request.body>';\n\
856                 \x20\x20\x20\x20\x20\x20} else if (res.request && res.request.body) {\n\
857                 \x20\x20\x20\x20\x20\x20\x20\x20try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch (e) {}\n\
858                 \x20\x20\x20\x20\x20\x20}\n\
859                 \x20\x20\x20\x20}\n",
860            );
861            script.push_str("    console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
862            script.push_str("      check: checkName,\n");
863            script.push_str("      request: {\n");
864            script.push_str("        method: res.request ? res.request.method : 'unknown',\n");
865            script.push_str("        url: res.request ? res.request.url : res.url || 'unknown',\n");
866            script.push_str("        headers: reqHeaders,\n");
867            script.push_str("        body: reqBody,\n");
868            script.push_str("      },\n");
869            script.push_str("      response: {\n");
870            script.push_str("        status: res.status,\n");
871            script.push_str("        headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
872            script.push_str("        body: bodyStr,\n");
873            script.push_str("      },\n");
874            script.push_str("    }));\n");
875            script.push_str("  } catch (e) {\n");
876            script.push_str("    try {\n");
877            script.push_str("      console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
878            script.push_str("        check: checkName,\n");
879            script.push_str("        request: {\n");
880            script.push_str(
881                "          method: (res && res.request) ? res.request.method : 'unknown',\n",
882            );
883            script.push_str("          url: (res && res.request) ? res.request.url : (res && res.url) || 'unknown',\n");
884            script.push_str("          headers: {},\n");
885            script.push_str("          body: '<exchange capture failed: ' + (e && e.message ? e.message : 'unknown error') + '>',\n");
886            script.push_str("        },\n");
887            script.push_str("        response: {\n");
888            script.push_str("          status: (res && res.status) || 0,\n");
889            script.push_str("          headers: {},\n");
890            script.push_str("          body: '',\n");
891            script.push_str("        },\n");
892            script.push_str("        _export_error: (e && e.message) ? e.message : String(e),\n");
893            script.push_str("      }));\n");
894            script.push_str("    } catch (e2) {\n");
895            script.push_str("      console.log('MOCKFORGE_EXCHANGE:{\"check\":\"' + checkName + '\",\"request\":{\"method\":\"unknown\",\"url\":\"unknown\",\"headers\":{},\"body\":\"\"},\"response\":{\"status\":0,\"headers\":{},\"body\":\"\"},\"_export_error\":\"double-fault\"}');\n");
896            script.push_str("    }\n");
897            script.push_str("  }\n");
898            script.push_str("}\n\n");
899        }
900
901        // Default function
902        script.push_str("export default function () {\n");
903
904        if self.config.has_cookie_header() {
905            script.push_str(
906                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
907            );
908            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
909        }
910
911        // Group operations by category
912        let mut category_ops: std::collections::BTreeMap<
913            &'static str,
914            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
915        > = std::collections::BTreeMap::new();
916
917        for op in &self.operations {
918            for feature in &op.features {
919                let category = feature.category();
920                if self.config.should_include_category(category) {
921                    category_ops.entry(category).or_default().push((op, feature));
922                }
923            }
924        }
925
926        // Emit grouped tests
927        let mut total_checks = 0usize;
928        for (category, ops) in &category_ops {
929            script.push_str(&format!("  group('{}', function () {{\n", category));
930
931            if self.config.all_operations {
932                // All-operations mode: test every operation, using path-qualified check names
933                let mut emitted_checks: HashSet<String> = HashSet::new();
934                for (op, feature) in ops {
935                    let qualified = format!("{}:{}", feature.check_name(), op.path);
936                    if emitted_checks.insert(qualified.clone()) {
937                        self.emit_check_named(&mut script, op, feature, &qualified);
938                        total_checks += 1;
939                    }
940                }
941            } else {
942                // Default: one representative operation per feature, with path-qualified
943                // check names so failures identify which endpoint was tested.
944                let mut emitted_features: HashSet<&str> = HashSet::new();
945                for (op, feature) in ops {
946                    if emitted_features.insert(feature.check_name()) {
947                        let qualified = format!("{}:{}", feature.check_name(), op.path);
948                        self.emit_check_named(&mut script, op, feature, &qualified);
949                        total_checks += 1;
950                    }
951                }
952            }
953
954            script.push_str("  });\n\n");
955        }
956
957        // Custom checks from YAML file — round 39: init-scope code
958        // was already emitted above; here we just splice the group
959        // body inside the default function.
960        if let Some(emit) = custom_emit {
961            script.push_str(&emit.group_body);
962        }
963
964        script.push_str("}\n\n");
965
966        // handleSummary
967        self.generate_handle_summary(&mut script);
968
969        Ok((script, total_checks))
970    }
971
972    /// Emit a single k6 check for an operation + feature with a custom check name
973    fn emit_check_named(
974        &self,
975        script: &mut String,
976        op: &AnnotatedOperation,
977        feature: &ConformanceFeature,
978        check_name: &str,
979    ) {
980        // Escape single quotes in check name since it's embedded in JS single-quoted strings
981        let check_name = check_name.replace('\'', "\\'");
982        let check_name = check_name.as_str();
983
984        script.push_str("    {\n");
985
986        // Build the URL path with parameters substituted
987        let mut url_path = op.path.clone();
988        for (name, value) in &op.path_params {
989            url_path = url_path.replace(&format!("{{{}}}", name), value);
990        }
991
992        // Build query string
993        if !op.query_params.is_empty() {
994            let qs: Vec<String> =
995                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
996            url_path = format!("{}?{}", url_path, qs.join("&"));
997        }
998
999        let full_url = format!("${{BASE_URL}}{}", url_path);
1000
1001        // Build effective headers: merge spec-derived headers with custom headers.
1002        // Custom headers override spec-derived ones with the same name.
1003        let mut effective_headers = self.effective_headers(&op.header_params);
1004
1005        // For non-default response code checks, add header to tell the mock server
1006        // which status code to return (the server defaults to the first declared status)
1007        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
1008            let expected_code = match feature {
1009                ConformanceFeature::Response400 => "400",
1010                ConformanceFeature::Response404 => "404",
1011                _ => unreachable!(),
1012            };
1013            effective_headers
1014                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
1015        }
1016
1017        // For security checks AND for all requests on endpoints with security requirements,
1018        // inject auth credentials so the server doesn't reject with 401.
1019        // Only inject if the user hasn't already provided the header via --custom-headers.
1020        let needs_auth = matches!(
1021            feature,
1022            ConformanceFeature::SecurityBearer
1023                | ConformanceFeature::SecurityBasic
1024                | ConformanceFeature::SecurityApiKey
1025        ) || !op.security_schemes.is_empty();
1026
1027        if needs_auth {
1028            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
1029        }
1030
1031        let has_headers = !effective_headers.is_empty();
1032        let headers_obj = if has_headers {
1033            Self::format_headers(&effective_headers)
1034        } else {
1035            String::new()
1036        };
1037
1038        // Determine HTTP method and emit request
1039        match op.method.as_str() {
1040            "GET" => {
1041                if has_headers {
1042                    script.push_str(&format!(
1043                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1044                        full_url, headers_obj
1045                    ));
1046                } else {
1047                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1048                }
1049            }
1050            "POST" => {
1051                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
1052            }
1053            "PUT" => {
1054                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
1055            }
1056            "PATCH" => {
1057                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
1058            }
1059            "DELETE" => {
1060                if has_headers {
1061                    script.push_str(&format!(
1062                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
1063                        full_url, headers_obj
1064                    ));
1065                } else {
1066                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
1067                }
1068            }
1069            "HEAD" => {
1070                if has_headers {
1071                    script.push_str(&format!(
1072                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
1073                        full_url, headers_obj
1074                    ));
1075                } else {
1076                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
1077                }
1078            }
1079            "OPTIONS" => {
1080                if has_headers {
1081                    script.push_str(&format!(
1082                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
1083                        full_url, headers_obj
1084                    ));
1085                } else {
1086                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
1087                }
1088            }
1089            _ => {
1090                if has_headers {
1091                    script.push_str(&format!(
1092                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1093                        full_url, headers_obj
1094                    ));
1095                } else {
1096                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1097                }
1098            }
1099        }
1100
1101        // Capture request/response for --export-requests
1102        // (check_name is already escaped at line 829 above — don't double-escape)
1103        if self.config.export_requests {
1104            script.push_str(&format!(
1105                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
1106                check_name
1107            ));
1108        }
1109
1110        // Check: emit assertion based on feature type, with failure detail capture
1111        if matches!(
1112            feature,
1113            ConformanceFeature::Response200
1114                | ConformanceFeature::Response201
1115                | ConformanceFeature::Response204
1116                | ConformanceFeature::Response400
1117                | ConformanceFeature::Response404
1118        ) {
1119            let expected_code = match feature {
1120                ConformanceFeature::Response200 => 200,
1121                ConformanceFeature::Response201 => 201,
1122                ConformanceFeature::Response204 => 204,
1123                ConformanceFeature::Response400 => 400,
1124                ConformanceFeature::Response404 => 404,
1125                _ => 200,
1126            };
1127            script.push_str(&format!(
1128                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
1129                check_name, expected_code, check_name, expected_code
1130            ));
1131        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
1132            // Response schema validation — validate the response body against the schema
1133            // Uses inline field-level error collection so failure details include
1134            // which specific fields violated the schema (field_path, violation_type,
1135            // expected, actual) — matching the Ajv `errors` array structure.
1136            if let Some(schema) = &op.response_schema {
1137                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
1138                let schema_json = serde_json::to_string(schema).unwrap_or_default();
1139                // Escape backticks and backslashes for JS template literal safety
1140                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
1141                script.push_str(&format!(
1142                    concat!(
1143                        "      try {{\n",
1144                        "        let body = res.json();\n",
1145                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
1146                        "        if (!ok) {{\n",
1147                        "          let __violations = [];\n",
1148                        "          try {{\n",
1149                        "            let __schema = JSON.parse(`{schema}`);\n",
1150                        "            function __collectErrors(schema, data, path) {{\n",
1151                        "              if (!schema || typeof schema !== 'object') return;\n",
1152                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1153                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1154                        "              if (st === 'object') {{\n",
1155                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1156                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1157                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1158                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1159                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1160                        "              }} else if (st === 'array') {{\n",
1161                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1162                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1163                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1164                        "              }} else if (st === 'string') {{\n",
1165                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1166                        "              }} else if (st === 'integer') {{\n",
1167                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1168                        "              }} else if (st === 'number') {{\n",
1169                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1170                        "              }} else if (st === 'boolean') {{\n",
1171                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1172                        "              }}\n",
1173                        "            }}\n",
1174                        "            __collectErrors(__schema, body, '');\n",
1175                        "          }} catch(_e) {{}}\n",
1176                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1177                        "        }}\n",
1178                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1179                    ),
1180                    check = check_name,
1181                    validation = validation_js,
1182                    schema = schema_json_escaped,
1183                ));
1184            }
1185        } else if matches!(
1186            feature,
1187            ConformanceFeature::SecurityBearer
1188                | ConformanceFeature::SecurityBasic
1189                | ConformanceFeature::SecurityApiKey
1190        ) {
1191            // Security checks verify the server accepts the auth credentials (not 401/403)
1192            script.push_str(&format!(
1193                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1194                check_name, check_name
1195            ));
1196        } else {
1197            script.push_str(&format!(
1198                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1199                check_name, check_name
1200            ));
1201        }
1202
1203        // Clear cookie jar after each request to prevent Set-Cookie leaking
1204        let has_cookie = self.config.has_cookie_header()
1205            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1206        if has_cookie {
1207            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1208        }
1209
1210        script.push_str("    }\n");
1211
1212        // Rate-limit delay between checks (to avoid 429 from target API)
1213        if self.config.request_delay_ms > 0 {
1214            script.push_str(&format!(
1215                "    sleep({:.3});\n",
1216                self.config.request_delay_ms as f64 / 1000.0
1217            ));
1218        }
1219    }
1220
1221    /// Emit an HTTP request with a body
1222    fn emit_request_with_body(
1223        &self,
1224        script: &mut String,
1225        method: &str,
1226        url: &str,
1227        op: &AnnotatedOperation,
1228        effective_headers: &[(String, String)],
1229    ) {
1230        if let Some(body) = &op.sample_body {
1231            let escaped_body = body.replace('\'', "\\'");
1232            let headers = if !effective_headers.is_empty() {
1233                format!(
1234                    "Object.assign({{}}, JSON_HEADERS, {})",
1235                    Self::format_headers(effective_headers)
1236                )
1237            } else {
1238                "JSON_HEADERS".to_string()
1239            };
1240            script.push_str(&format!(
1241                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1242                method, url, escaped_body, headers
1243            ));
1244        } else if !effective_headers.is_empty() {
1245            script.push_str(&format!(
1246                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1247                method,
1248                url,
1249                Self::format_headers(effective_headers)
1250            ));
1251        } else {
1252            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1253        }
1254    }
1255
1256    /// Build effective headers by merging spec-derived headers with custom headers.
1257    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1258    /// Custom headers not in the spec are appended.
1259    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1260        let custom = &self.config.custom_headers;
1261        if custom.is_empty() {
1262            return spec_headers.to_vec();
1263        }
1264
1265        let mut result: Vec<(String, String)> = Vec::new();
1266
1267        // Start with spec headers, replacing values if a custom header matches
1268        for (name, value) in spec_headers {
1269            if let Some((_, custom_val)) =
1270                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1271            {
1272                result.push((name.clone(), custom_val.clone()));
1273            } else {
1274                result.push((name.clone(), value.clone()));
1275            }
1276        }
1277
1278        // Append custom headers that aren't already in spec headers
1279        for (name, value) in custom {
1280            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1281                result.push((name.clone(), value.clone()));
1282            }
1283        }
1284
1285        result
1286    }
1287
1288    /// Inject security headers based on resolved security scheme details.
1289    /// Respects user-provided custom headers (won't overwrite if already set).
1290    fn inject_security_headers(
1291        &self,
1292        schemes: &[SecuritySchemeInfo],
1293        headers: &mut Vec<(String, String)>,
1294    ) {
1295        let mut to_add: Vec<(String, String)> = Vec::new();
1296
1297        let has_header = |name: &str, headers: &[(String, String)]| {
1298            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1299                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1300        };
1301
1302        // If user provides Cookie header, they're using session-based auth — skip auto auth
1303        let has_cookie_auth = has_header("Cookie", headers);
1304
1305        for scheme in schemes {
1306            match scheme {
1307                SecuritySchemeInfo::Bearer => {
1308                    if !has_cookie_auth && !has_header("Authorization", headers) {
1309                        // MockForge mock server accepts any Bearer token
1310                        to_add.push((
1311                            "Authorization".to_string(),
1312                            "Bearer mockforge-conformance-test-token".to_string(),
1313                        ));
1314                    }
1315                }
1316                SecuritySchemeInfo::Basic => {
1317                    if !has_cookie_auth && !has_header("Authorization", headers) {
1318                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1319                        use base64::Engine;
1320                        let encoded =
1321                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1322                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1323                    }
1324                }
1325                SecuritySchemeInfo::ApiKey { location, name } => match location {
1326                    ApiKeyLocation::Header => {
1327                        if !has_header(name, headers) {
1328                            let key = self
1329                                .config
1330                                .api_key
1331                                .as_deref()
1332                                .unwrap_or("mockforge-conformance-test-key");
1333                            to_add.push((name.clone(), key.to_string()));
1334                        }
1335                    }
1336                    ApiKeyLocation::Cookie => {
1337                        if !has_header("Cookie", headers) {
1338                            to_add.push((
1339                                "Cookie".to_string(),
1340                                format!("{}=mockforge-conformance-test-session", name),
1341                            ));
1342                        }
1343                    }
1344                    ApiKeyLocation::Query => {
1345                        // Query params are handled via URL, not headers — skip here
1346                    }
1347                },
1348            }
1349        }
1350
1351        headers.extend(to_add);
1352    }
1353
1354    /// Format header params as a JS object literal
1355    fn format_headers(headers: &[(String, String)]) -> String {
1356        let entries: Vec<String> = headers
1357            .iter()
1358            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1359            .collect();
1360        format!("{{ {} }}", entries.join(", "))
1361    }
1362
1363    /// handleSummary — same format as reference mode for report compatibility
1364    fn generate_handle_summary(&self, script: &mut String) {
1365        // Use absolute path for report output so k6 writes where the CLI expects
1366        let report_path = match &self.config.output_dir {
1367            Some(dir) => {
1368                let abs = std::fs::canonicalize(dir)
1369                    .unwrap_or_else(|_| dir.clone())
1370                    .join("conformance-report.json");
1371                abs.to_string_lossy().to_string()
1372            }
1373            None => "conformance-report.json".to_string(),
1374        };
1375
1376        script.push_str("export function handleSummary(data) {\n");
1377        script.push_str("  let checks = {};\n");
1378        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1379        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1380        script.push_str("  }\n");
1381        script.push_str("  let checkResults = {};\n");
1382        script.push_str("  function walkGroups(group) {\n");
1383        script.push_str("    if (group.checks) {\n");
1384        script.push_str("      for (let checkObj of group.checks) {\n");
1385        script.push_str("        checkResults[checkObj.name] = {\n");
1386        script.push_str("          passes: checkObj.passes,\n");
1387        script.push_str("          fails: checkObj.fails,\n");
1388        script.push_str("        };\n");
1389        script.push_str("      }\n");
1390        script.push_str("    }\n");
1391        script.push_str("    if (group.groups) {\n");
1392        script.push_str("      for (let subGroup of group.groups) {\n");
1393        script.push_str("        walkGroups(subGroup);\n");
1394        script.push_str("      }\n");
1395        script.push_str("    }\n");
1396        script.push_str("  }\n");
1397        script.push_str("  if (data.root_group) {\n");
1398        script.push_str("    walkGroups(data.root_group);\n");
1399        script.push_str("  }\n");
1400        script.push_str("  return {\n");
1401        script.push_str(&format!(
1402            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1403            report_path
1404        ));
1405        script.push_str("    'summary.json': JSON.stringify(data),\n");
1406        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1407        script.push_str("  };\n");
1408        script.push_str("}\n\n");
1409        script.push_str("function textSummary(data, opts) {\n");
1410        script.push_str("  return JSON.stringify(data, null, 2);\n");
1411        script.push_str("}\n");
1412    }
1413}
1414
1415#[cfg(test)]
1416mod tests {
1417    use super::*;
1418    use openapiv3::{
1419        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1420        SchemaData, SchemaKind, StringType, Type,
1421    };
1422
1423    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1424        ApiOperation {
1425            method: method.to_string(),
1426            path: path.to_string(),
1427            operation,
1428            operation_id: None,
1429        }
1430    }
1431
1432    fn empty_spec() -> OpenAPI {
1433        OpenAPI::default()
1434    }
1435
1436    #[test]
1437    fn test_annotate_get_with_path_param() {
1438        let mut op = Operation::default();
1439        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1440            parameter_data: ParameterData {
1441                name: "id".to_string(),
1442                description: None,
1443                required: true,
1444                deprecated: None,
1445                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1446                    schema_data: SchemaData::default(),
1447                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1448                })),
1449                example: None,
1450                examples: Default::default(),
1451                explode: None,
1452                extensions: Default::default(),
1453            },
1454            style: PathStyle::Simple,
1455        }));
1456
1457        let api_op = make_op("get", "/users/{id}", op);
1458        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1459
1460        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1461        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1462        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1463        assert_eq!(annotated.path_params.len(), 1);
1464        assert_eq!(annotated.path_params[0].0, "id");
1465    }
1466
1467    #[test]
1468    fn test_annotate_post_with_json_body() {
1469        let mut op = Operation::default();
1470        let mut body = RequestBody {
1471            required: true,
1472            ..Default::default()
1473        };
1474        body.content
1475            .insert("application/json".to_string(), openapiv3::MediaType::default());
1476        op.request_body = Some(ReferenceOr::Item(body));
1477
1478        let api_op = make_op("post", "/items", op);
1479        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1480
1481        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1482        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1483    }
1484
1485    #[test]
1486    fn test_annotate_response_codes() {
1487        let mut op = Operation::default();
1488        op.responses
1489            .responses
1490            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1491        op.responses
1492            .responses
1493            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1494
1495        let api_op = make_op("get", "/items", op);
1496        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1497
1498        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1499        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1500    }
1501
1502    #[test]
1503    fn test_generate_spec_driven_script() {
1504        let config = ConformanceConfig {
1505            target_url: "http://localhost:3000".to_string(),
1506            api_key: None,
1507            basic_auth: None,
1508            skip_tls_verify: false,
1509            categories: None,
1510            base_path: None,
1511            custom_headers: vec![],
1512            output_dir: None,
1513            all_operations: false,
1514            custom_checks_file: None,
1515            request_delay_ms: 0,
1516            custom_filter: None,
1517            export_requests: false,
1518            validate_requests: false,
1519        };
1520
1521        let operations = vec![AnnotatedOperation {
1522            path: "/users/{id}".to_string(),
1523            method: "GET".to_string(),
1524            features: vec![
1525                ConformanceFeature::MethodGet,
1526                ConformanceFeature::PathParamString,
1527            ],
1528            request_body_content_type: None,
1529            sample_body: None,
1530            query_params: vec![],
1531            header_params: vec![],
1532            path_params: vec![("id".to_string(), "test-value".to_string())],
1533            response_schema: None,
1534            response_schemas: std::collections::BTreeMap::new(),
1535            request_body_schema: None,
1536            security_schemes: vec![],
1537        }];
1538
1539        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1540        let (script, _check_count) = gen.generate().unwrap();
1541
1542        assert!(script.contains("import http from 'k6/http'"));
1543        assert!(script.contains("/users/test-value"));
1544        assert!(script.contains("param:path:string"));
1545        assert!(script.contains("method:GET"));
1546        assert!(script.contains("handleSummary"));
1547    }
1548
1549    #[test]
1550    fn test_generate_with_category_filter() {
1551        let config = ConformanceConfig {
1552            target_url: "http://localhost:3000".to_string(),
1553            api_key: None,
1554            basic_auth: None,
1555            skip_tls_verify: false,
1556            categories: Some(vec!["Parameters".to_string()]),
1557            base_path: None,
1558            custom_headers: vec![],
1559            output_dir: None,
1560            all_operations: false,
1561            custom_checks_file: None,
1562            request_delay_ms: 0,
1563            custom_filter: None,
1564            export_requests: false,
1565            validate_requests: false,
1566        };
1567
1568        let operations = vec![AnnotatedOperation {
1569            path: "/users/{id}".to_string(),
1570            method: "GET".to_string(),
1571            features: vec![
1572                ConformanceFeature::MethodGet,
1573                ConformanceFeature::PathParamString,
1574            ],
1575            request_body_content_type: None,
1576            sample_body: None,
1577            query_params: vec![],
1578            header_params: vec![],
1579            path_params: vec![("id".to_string(), "1".to_string())],
1580            response_schema: None,
1581            response_schemas: std::collections::BTreeMap::new(),
1582            request_body_schema: None,
1583            security_schemes: vec![],
1584        }];
1585
1586        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1587        let (script, _check_count) = gen.generate().unwrap();
1588
1589        assert!(script.contains("group('Parameters'"));
1590        assert!(!script.contains("group('HTTP Methods'"));
1591    }
1592
1593    #[test]
1594    fn test_annotate_response_validation() {
1595        use openapiv3::ObjectType;
1596
1597        // Operation with a 200 response that has a JSON schema
1598        let mut op = Operation::default();
1599        let mut response = Response::default();
1600        let mut media = openapiv3::MediaType::default();
1601        let mut obj_type = ObjectType::default();
1602        obj_type.properties.insert(
1603            "name".to_string(),
1604            ReferenceOr::Item(Box::new(Schema {
1605                schema_data: SchemaData::default(),
1606                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1607            })),
1608        );
1609        obj_type.required = vec!["name".to_string()];
1610        media.schema = Some(ReferenceOr::Item(Schema {
1611            schema_data: SchemaData::default(),
1612            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1613        }));
1614        response.content.insert("application/json".to_string(), media);
1615        op.responses
1616            .responses
1617            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1618
1619        let api_op = make_op("get", "/users", op);
1620        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1621
1622        assert!(
1623            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1624            "Should detect ResponseValidation when response has a JSON schema"
1625        );
1626        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1627
1628        // Verify generated script includes schema validation with try-catch
1629        let config = ConformanceConfig {
1630            target_url: "http://localhost:3000".to_string(),
1631            api_key: None,
1632            basic_auth: None,
1633            skip_tls_verify: false,
1634            categories: None,
1635            base_path: None,
1636            custom_headers: vec![],
1637            output_dir: None,
1638            all_operations: false,
1639            custom_checks_file: None,
1640            request_delay_ms: 0,
1641            custom_filter: None,
1642            export_requests: false,
1643            validate_requests: false,
1644        };
1645        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1646        let (script, _check_count) = gen.generate().unwrap();
1647
1648        assert!(
1649            script.contains("response:schema:validation"),
1650            "Script should contain the validation check name"
1651        );
1652        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1653        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1654    }
1655
1656    #[test]
1657    fn test_annotate_global_security() {
1658        // Spec with global security requirement, operation without its own security
1659        let op = Operation::default();
1660        let mut spec = OpenAPI::default();
1661        let mut global_req = openapiv3::SecurityRequirement::new();
1662        global_req.insert("bearerAuth".to_string(), vec![]);
1663        spec.security = Some(vec![global_req]);
1664        // Define the security scheme in components
1665        let mut components = openapiv3::Components::default();
1666        components.security_schemes.insert(
1667            "bearerAuth".to_string(),
1668            ReferenceOr::Item(SecurityScheme::HTTP {
1669                scheme: "bearer".to_string(),
1670                bearer_format: Some("JWT".to_string()),
1671                description: None,
1672                extensions: Default::default(),
1673            }),
1674        );
1675        spec.components = Some(components);
1676
1677        let api_op = make_op("get", "/protected", op);
1678        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1679
1680        assert!(
1681            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1682            "Should detect SecurityBearer from global security + components"
1683        );
1684    }
1685
1686    #[test]
1687    fn test_annotate_security_scheme_resolution() {
1688        // Test that security scheme type is resolved from components, not just name heuristic
1689        let mut op = Operation::default();
1690        // Use a generic name that wouldn't match name heuristics
1691        let mut req = openapiv3::SecurityRequirement::new();
1692        req.insert("myAuth".to_string(), vec![]);
1693        op.security = Some(vec![req]);
1694
1695        let mut spec = OpenAPI::default();
1696        let mut components = openapiv3::Components::default();
1697        components.security_schemes.insert(
1698            "myAuth".to_string(),
1699            ReferenceOr::Item(SecurityScheme::APIKey {
1700                location: openapiv3::APIKeyLocation::Header,
1701                name: "X-API-Key".to_string(),
1702                description: None,
1703                extensions: Default::default(),
1704            }),
1705        );
1706        spec.components = Some(components);
1707
1708        let api_op = make_op("get", "/data", op);
1709        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1710
1711        assert!(
1712            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1713            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1714        );
1715    }
1716
1717    #[test]
1718    fn test_annotate_content_negotiation() {
1719        let mut op = Operation::default();
1720        let mut response = Response::default();
1721        // Response with multiple content types
1722        response
1723            .content
1724            .insert("application/json".to_string(), openapiv3::MediaType::default());
1725        response
1726            .content
1727            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1728        op.responses
1729            .responses
1730            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1731
1732        let api_op = make_op("get", "/items", op);
1733        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1734
1735        assert!(
1736            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1737            "Should detect ContentNegotiation when response has multiple content types"
1738        );
1739    }
1740
1741    #[test]
1742    fn test_no_content_negotiation_for_single_type() {
1743        let mut op = Operation::default();
1744        let mut response = Response::default();
1745        response
1746            .content
1747            .insert("application/json".to_string(), openapiv3::MediaType::default());
1748        op.responses
1749            .responses
1750            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1751
1752        let api_op = make_op("get", "/items", op);
1753        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1754
1755        assert!(
1756            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1757            "Should NOT detect ContentNegotiation for a single content type"
1758        );
1759    }
1760
1761    #[test]
1762    fn test_spec_driven_with_base_path() {
1763        let annotated = AnnotatedOperation {
1764            path: "/users".to_string(),
1765            method: "GET".to_string(),
1766            features: vec![ConformanceFeature::MethodGet],
1767            path_params: vec![],
1768            query_params: vec![],
1769            header_params: vec![],
1770            request_body_content_type: None,
1771            sample_body: None,
1772            response_schema: None,
1773            response_schemas: std::collections::BTreeMap::new(),
1774            request_body_schema: None,
1775            security_schemes: vec![],
1776        };
1777        let config = ConformanceConfig {
1778            target_url: "https://192.168.2.86/".to_string(),
1779            api_key: None,
1780            basic_auth: None,
1781            skip_tls_verify: true,
1782            categories: None,
1783            base_path: Some("/api".to_string()),
1784            custom_headers: vec![],
1785            output_dir: None,
1786            all_operations: false,
1787            custom_checks_file: None,
1788            request_delay_ms: 0,
1789            custom_filter: None,
1790            export_requests: false,
1791            validate_requests: false,
1792        };
1793        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1794        let (script, _check_count) = gen.generate().unwrap();
1795
1796        assert!(
1797            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1798            "BASE_URL should include the base_path. Got: {}",
1799            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1800        );
1801    }
1802
1803    #[test]
1804    fn test_spec_driven_with_custom_headers() {
1805        let annotated = AnnotatedOperation {
1806            path: "/users".to_string(),
1807            method: "GET".to_string(),
1808            features: vec![ConformanceFeature::MethodGet],
1809            path_params: vec![],
1810            query_params: vec![],
1811            header_params: vec![
1812                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1813                ("X-CSRFToken".to_string(), "test-value".to_string()),
1814            ],
1815            request_body_content_type: None,
1816            sample_body: None,
1817            response_schema: None,
1818            response_schemas: std::collections::BTreeMap::new(),
1819            request_body_schema: None,
1820            security_schemes: vec![],
1821        };
1822        let config = ConformanceConfig {
1823            target_url: "https://192.168.2.86/".to_string(),
1824            api_key: None,
1825            basic_auth: None,
1826            skip_tls_verify: true,
1827            categories: None,
1828            base_path: Some("/api".to_string()),
1829            custom_headers: vec![
1830                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1831                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1832                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1833            ],
1834            output_dir: None,
1835            all_operations: false,
1836            custom_checks_file: None,
1837            request_delay_ms: 0,
1838            custom_filter: None,
1839            export_requests: false,
1840            validate_requests: false,
1841        };
1842        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1843        let (script, _check_count) = gen.generate().unwrap();
1844
1845        // Custom headers should override spec-derived test-value placeholders
1846        assert!(
1847            script.contains("'X-Avi-Tenant': 'admin'"),
1848            "Should use custom value for X-Avi-Tenant, not test-value"
1849        );
1850        assert!(
1851            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1852            "Should use custom value for X-CSRFToken, not test-value"
1853        );
1854        // Custom headers not in spec should be appended
1855        assert!(
1856            script.contains("'Cookie': 'sessionid=abc123'"),
1857            "Should include Cookie header from custom_headers"
1858        );
1859        // test-value should NOT appear
1860        assert!(
1861            !script.contains("'test-value'"),
1862            "test-value placeholders should be replaced by custom values"
1863        );
1864    }
1865
1866    #[test]
1867    fn test_effective_headers_merging() {
1868        let config = ConformanceConfig {
1869            target_url: "http://localhost".to_string(),
1870            api_key: None,
1871            basic_auth: None,
1872            skip_tls_verify: false,
1873            categories: None,
1874            base_path: None,
1875            custom_headers: vec![
1876                ("X-Auth".to_string(), "real-token".to_string()),
1877                ("Cookie".to_string(), "session=abc".to_string()),
1878            ],
1879            output_dir: None,
1880            all_operations: false,
1881            custom_checks_file: None,
1882            request_delay_ms: 0,
1883            custom_filter: None,
1884            export_requests: false,
1885            validate_requests: false,
1886        };
1887        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1888
1889        // Spec headers with a matching custom header
1890        let spec_headers = vec![
1891            ("X-Auth".to_string(), "test-value".to_string()),
1892            ("X-Other".to_string(), "keep-this".to_string()),
1893        ];
1894        let effective = gen.effective_headers(&spec_headers);
1895
1896        // X-Auth should be overridden
1897        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1898        // X-Other should be kept as-is
1899        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1900        // Cookie should be appended
1901        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1902    }
1903}