Skip to main content

mockforge_bench/
command.rs

1//! Bench command implementation
2
3use crate::crud_flow::{CrudFlowConfig, CrudFlowDetector};
4use crate::data_driven::{DataDistribution, DataDrivenConfig, DataDrivenGenerator, DataMapping};
5use crate::dynamic_params::{DynamicParamProcessor, DynamicPlaceholder};
6use crate::error::{BenchError, Result};
7use crate::executor::K6Executor;
8use crate::invalid_data::{InvalidDataConfig, InvalidDataGenerator};
9use crate::k6_gen::{K6Config, K6ScriptGenerator};
10use crate::mock_integration::{
11    MockIntegrationConfig, MockIntegrationGenerator, MockServerDetector,
12};
13use crate::owasp_api::{OwaspApiConfig, OwaspApiGenerator, OwaspCategory, ReportFormat};
14use crate::parallel_executor::{AggregatedResults, ParallelExecutor};
15use crate::parallel_requests::{ParallelConfig, ParallelRequestGenerator};
16use crate::param_overrides::ParameterOverrides;
17use crate::reporter::TerminalReporter;
18use crate::request_gen::RequestGenerator;
19use crate::scenarios::LoadScenario;
20use crate::security_payloads::{
21    SecurityCategory, SecurityPayload, SecurityPayloads, SecurityTestConfig, SecurityTestGenerator,
22};
23use crate::spec_dependencies::{
24    topological_sort, DependencyDetector, ExtractedValues, SpecDependencyConfig,
25};
26use crate::spec_parser::SpecParser;
27use crate::target_parser::parse_targets_file;
28use crate::wafbench::WafBenchLoader;
29use mockforge_openapi::multi_spec::{
30    load_specs_from_directory, load_specs_from_files, merge_specs, ConflictStrategy,
31};
32use mockforge_openapi::spec::OpenApiSpec;
33use std::collections::{HashMap, HashSet};
34use std::path::{Path, PathBuf};
35use std::str::FromStr;
36
37/// Parse a list of `Key:Value` header strings into a `HashMap`.
38///
39/// Each element is one header in `Key:Value` form, supplied via a repeated
40/// `--headers` flag (`--headers "A:1" --headers "B:2"`). One header per flag
41/// means header VALUES may freely contain commas (#761) -- e.g. a Cookie value
42/// like `expires=Thu, 01 Jan 2099` is preserved intact, because we no longer
43/// split on commas. Empty elements are skipped so a stray flag is harmless.
44pub fn parse_header_string(inputs: &[String]) -> Result<HashMap<String, String>> {
45    let mut headers = HashMap::new();
46
47    for pair in inputs {
48        let pair = pair.trim();
49        if pair.is_empty() {
50            continue;
51        }
52        let parts: Vec<&str> = pair.splitn(2, ':').collect();
53        if parts.len() != 2 {
54            return Err(BenchError::Other(format!(
55                "Invalid header format: '{}'. Expected 'Key:Value'",
56                pair
57            )));
58        }
59        headers.insert(parts[0].trim().to_string(), parts[1].trim().to_string());
60    }
61
62    Ok(headers)
63}
64
65/// Bench command configuration
66pub struct BenchCommand {
67    /// OpenAPI spec file(s) - can specify multiple
68    pub spec: Vec<PathBuf>,
69    /// Directory containing OpenAPI spec files (discovers .json, .yaml, .yml files)
70    pub spec_dir: Option<PathBuf>,
71    /// Conflict resolution strategy when merging multiple specs: "error" (default), "first", "last"
72    pub merge_conflicts: String,
73    /// Spec mode: "merge" (default) combines all specs, "sequential" runs them in order
74    pub spec_mode: String,
75    /// Dependency configuration file for cross-spec value passing (used with sequential mode)
76    pub dependency_config: Option<PathBuf>,
77    pub target: String,
78    /// API base path prefix (e.g., "/api" or "/v2/api")
79    /// If None, extracts from OpenAPI spec's servers URL
80    pub base_path: Option<String>,
81    pub duration: String,
82    pub vus: u32,
83    /// Target requests-per-second. When `Some(n)`, the generated k6 script
84    /// switches to `constant-arrival-rate` executor at `n` RPS with `vus`
85    /// pre-allocated. When `None`, uses the legacy `ramping-vus` executor
86    /// where RPS is implicit (VUs × 1 req/sec from the script's `sleep(1)`).
87    /// Issue #79 — Srikanth's round-3 reply.
88    pub target_rps: Option<u32>,
89    /// When true, every k6 request opens a new TCP/TLS connection
90    /// (`noConnectionReuse: true` and `--no-vu-connection-reuse`). Lets users
91    /// drive a high connections-per-second rate to exercise connection-limit
92    /// chaos and observe TCP-level fault injection. Issue #79.
93    pub no_keep_alive: bool,
94    pub scenario: String,
95    pub operations: Option<String>,
96    /// Exclude operations from testing (comma-separated)
97    ///
98    /// Supports "METHOD /path" or just "METHOD" to exclude all operations of that type.
99    pub exclude_operations: Option<String>,
100    pub auth: Option<String>,
101    /// Additional headers, one `Key:Value` per entry (repeated `--headers` flag).
102    /// One header per entry so values may contain commas (#761).
103    pub headers: Vec<String>,
104    pub output: PathBuf,
105    pub generate_only: bool,
106    pub script_output: Option<PathBuf>,
107    pub threshold_percentile: String,
108    pub threshold_ms: u64,
109    pub max_error_rate: f64,
110    pub verbose: bool,
111    pub skip_tls_verify: bool,
112    /// When true, set `Transfer-Encoding: chunked` on every k6 request body so
113    /// the server experiences chunked-encoded traffic. See
114    /// `K6ScriptTemplateData::chunked_request_bodies` for caveats — k6's Go
115    /// transport may still send Content-Length in some cases.
116    pub chunked_request_bodies: bool,
117    /// Optional file containing multiple targets
118    pub targets_file: Option<PathBuf>,
119    /// Maximum number of parallel executions (for multi-target mode)
120    pub max_concurrency: Option<u32>,
121    /// Results format: "per-target", "aggregated", or "both"
122    pub results_format: String,
123    /// Optional file containing parameter value overrides (JSON or YAML)
124    ///
125    /// Allows users to provide custom values for path parameters, query parameters,
126    /// headers, and request bodies instead of auto-generated placeholder values.
127    pub params_file: Option<PathBuf>,
128
129    // === CRUD Flow Options ===
130    /// Enable CRUD flow mode
131    pub crud_flow: bool,
132    /// Custom CRUD flow configuration file
133    pub flow_config: Option<PathBuf>,
134    /// Fields to extract from responses
135    pub extract_fields: Option<String>,
136
137    // === Parallel Execution Options ===
138    /// Number of resources to create in parallel
139    pub parallel_create: Option<u32>,
140
141    // === Data-Driven Testing Options ===
142    /// Test data file (CSV or JSON)
143    pub data_file: Option<PathBuf>,
144    /// Data distribution strategy
145    pub data_distribution: String,
146    /// Data column to field mappings
147    pub data_mappings: Option<String>,
148    /// Enable per-URI control mode (each row specifies method, uri, body, etc.)
149    pub per_uri_control: bool,
150
151    // === Invalid Data Testing Options ===
152    /// Percentage of requests with invalid data
153    pub error_rate: Option<f64>,
154    /// Types of invalid data to generate
155    pub error_types: Option<String>,
156
157    // === Security Testing Options ===
158    /// Enable security testing
159    pub security_test: bool,
160    /// Custom security payloads file
161    pub security_payloads: Option<PathBuf>,
162    /// Security test categories
163    pub security_categories: Option<String>,
164    /// Fields to target for security injection
165    pub security_target_fields: Option<String>,
166
167    // === WAFBench Integration ===
168    /// WAFBench test directory or glob pattern for loading CRS attack patterns
169    pub wafbench_dir: Option<String>,
170    /// Cycle through ALL WAFBench payloads instead of random sampling
171    pub wafbench_cycle_all: bool,
172
173    // === OpenAPI 3.0.0 Conformance Testing ===
174    /// Enable conformance testing mode
175    pub conformance: bool,
176    /// API key for conformance security tests
177    pub conformance_api_key: Option<String>,
178    /// Basic auth credentials for conformance security tests (user:pass)
179    pub conformance_basic_auth: Option<String>,
180    /// Conformance report output file
181    pub conformance_report: PathBuf,
182    /// Conformance categories to test (comma-separated, e.g. "parameters,security")
183    pub conformance_categories: Option<String>,
184    /// Conformance report format: "json" or "sarif"
185    pub conformance_report_format: String,
186    /// Custom headers to inject into every conformance request (for authentication).
187    /// Each entry is "Header-Name: value" format.
188    pub conformance_headers: Vec<String>,
189    /// When true, test ALL operations for method/response/body categories
190    /// instead of just one representative per feature check.
191    pub conformance_all_operations: bool,
192    /// Optional YAML file with custom conformance checks
193    pub conformance_custom: Option<PathBuf>,
194    /// Delay in milliseconds between consecutive conformance requests.
195    /// Useful when testing against rate-limited APIs.
196    pub conformance_delay_ms: u64,
197    /// Use k6 for conformance test execution instead of the native Rust executor
198    pub use_k6: bool,
199    /// Regex filter for custom conformance checks — only checks whose name or
200    /// path matches the pattern are included. Example: "wafcrs|ssl" to test
201    /// only checks with "wafcrs" or "ssl" in the name/path.
202    pub conformance_custom_filter: Option<String>,
203    /// When true, export all request/response pairs to
204    /// `conformance-requests.json` in the output directory.
205    pub export_requests: bool,
206    /// When true, validate each request against the OpenAPI spec and report
207    /// violations to `conformance-request-violations.json`.
208    pub validate_requests: bool,
209    /// Issue #79 round 13 (4) — when true, replace the standard
210    /// conformance run with a positive + per-category negative
211    /// self-test driver. Verifies that the server actually rejects
212    /// the negatives with 4xx (i.e. its validator is wired correctly).
213    /// Useful to confirm the round-13 (3) validator-bypass fix took
214    /// effect against the user's spec.
215    pub conformance_self_test: bool,
216    /// Round 23 (c-iii) — when true, capture every self-test probe's
217    /// full request/response to `conformance-self-test-requests.jsonl`.
218    /// No effect outside `--conformance-self-test`.
219    pub conformance_self_test_capture: bool,
220    /// Round 25 (21.3 / a2 / a3) — when true, validate every probe's
221    /// response body against the spec's response schema for the actual
222    /// status returned. Requires `--conformance-self-test-capture`
223    /// because validation reads the captured body. No effect outside
224    /// `--conformance-self-test`.
225    pub validate_response_schemas: bool,
226    /// Round 47 (#79) — repeat the full self-test probe matrix this
227    /// many times in sequence. Defaults to 1. Combines with
228    /// `--conformance-delay` to keep a steady probe rate for network-
229    /// failure simulation.
230    pub conformance_self_test_iterations: u32,
231    /// Round 47 (#79) — alternative to iterations: keep firing the
232    /// probe matrix until this duration elapses. Overrides
233    /// `conformance_self_test_iterations` when present (iterations
234    /// becomes the floor — at least one matrix is always fired).
235    pub conformance_self_test_duration: Option<String>,
236
237    /// Round 18.5 — local source IPs to bind self-test requests to.
238    /// Each entry must be a valid `IpAddr` and already assigned to
239    /// an interface on the host. Operations round-robin through the
240    /// pool. Empty → one default client.
241    pub source_ips: Vec<String>,
242    /// Round 18.5 — fake source IPs to advertise via forwarded-IP
243    /// headers (rotated per operation). Used for GEODB testing
244    /// where the destination reads the IP from a header.
245    pub geo_source_ips: Vec<String>,
246    /// Round 18.5 — which forwarded-IP header(s) to populate when
247    /// `geo_source_ips` is non-empty. Empty → default 3-header set
248    /// (X-Forwarded-For, True-Client-IP, CF-Connecting-IP).
249    pub geo_source_headers: Vec<String>,
250
251    /// Round 21.1 — cap the HTML conformance report's missed-negative
252    /// drill-down at N rows. `Some(0)` means no cap; `None` keeps the
253    /// default of 200. The JSON report always carries the full set
254    /// regardless of this knob — it only controls what the HTML drill
255    /// view shows so a 50 000-violation run doesn't produce a 5 MB
256    /// browser-choking HTML file by default.
257    pub report_missed_cap: Option<u32>,
258
259    // === OWASP API Security Top 10 Testing ===
260    /// Enable OWASP API Security Top 10 testing mode
261    pub owasp_api_top10: bool,
262    /// OWASP API categories to test (comma-separated)
263    pub owasp_categories: Option<String>,
264    /// Authorization header name for OWASP auth tests
265    pub owasp_auth_header: String,
266    /// Valid authorization token for OWASP baseline requests
267    pub owasp_auth_token: Option<String>,
268    /// File containing admin/privileged paths to test
269    pub owasp_admin_paths: Option<PathBuf>,
270    /// Fields containing resource IDs for BOLA testing
271    pub owasp_id_fields: Option<String>,
272    /// OWASP report output file
273    pub owasp_report: Option<PathBuf>,
274    /// OWASP report format (json, sarif)
275    pub owasp_report_format: String,
276    /// Number of iterations per VU for OWASP tests (default: 1)
277    pub owasp_iterations: u32,
278}
279
280/// Round 18.5 / 19 — parse a list of CLI IP strings. Each entry may be:
281/// - a single IPv4/IPv6 (`10.0.0.5` / `2001:db8::1`)
282/// - a comma-separated list (`10.0.0.5,10.0.0.6,2001:db8::1`)
283/// - a CIDR range (`10.0.0.0/29` expands to 8 hosts;
284///   `2001:db8::/126` expands to 4 IPv6 hosts)
285///
286/// CIDR ranges are capped at `MAX_CIDR_EXPANSION` (256) host
287/// addresses to avoid OOM'ing on `/8` typos. The cap is generous
288/// for GEODB testing (you want 20–100 IPs, not 10M) and the warning
289/// names the cap so it's debuggable.
290///
291/// Malformed entries log a warning and are dropped; the bench
292/// continues with whatever resolved cleanly.
293fn parse_ip_list(raw: &[String], flag_name: &str) -> Vec<std::net::IpAddr> {
294    use std::net::IpAddr;
295    const MAX_CIDR_EXPANSION: usize = 256;
296    let mut out = Vec::new();
297    for entry in raw {
298        for piece in entry.split(',') {
299            let s = piece.trim();
300            if s.is_empty() {
301                continue;
302            }
303            // CIDR form: `ip/prefix`
304            if let Some((addr_part, prefix_part)) = s.split_once('/') {
305                let prefix: u32 = match prefix_part.parse() {
306                    Ok(p) => p,
307                    Err(e) => {
308                        tracing::warn!(target: "mockforge::bench", "ignoring --{flag_name} '{s}': bad CIDR prefix: {e}");
309                        continue;
310                    }
311                };
312                let net_addr: IpAddr = match addr_part.parse() {
313                    Ok(a) => a,
314                    Err(e) => {
315                        tracing::warn!(target: "mockforge::bench", "ignoring --{flag_name} '{s}': bad CIDR address: {e}");
316                        continue;
317                    }
318                };
319                expand_cidr(net_addr, prefix, MAX_CIDR_EXPANSION, flag_name, s, &mut out);
320                continue;
321            }
322            // Round 22.4 — range form: `start-end` (Srikanth (h)).
323            // Lets users specify non-power-of-2 ranges without
324            // finding a clean prefix. IPv4 only for now (the most
325            // common case); IPv6 ranges with `:` collide with the
326            // address literal so they'd need a different separator.
327            if let Some((start_str, end_str)) = s.split_once('-') {
328                let start_s = start_str.trim();
329                let end_s = end_str.trim();
330                // Reject ambiguous IPv6 ranges (contain `:`) so we
331                // don't accidentally parse `2001:db8::1-2001:db8::5`
332                // as a half address.
333                if start_s.contains(':') || end_s.contains(':') {
334                    tracing::warn!(target: "mockforge::bench", "--{flag_name} '{s}': IPv6 range syntax not supported (use CIDR like 2001:db8::/126 instead)");
335                    continue;
336                }
337                let start: IpAddr = match start_s.parse() {
338                    Ok(a) => a,
339                    Err(e) => {
340                        tracing::warn!(target: "mockforge::bench", "ignoring --{flag_name} '{s}': bad range start: {e}");
341                        continue;
342                    }
343                };
344                let end: IpAddr = match end_s.parse() {
345                    Ok(a) => a,
346                    Err(e) => {
347                        tracing::warn!(target: "mockforge::bench", "ignoring --{flag_name} '{s}': bad range end: {e}");
348                        continue;
349                    }
350                };
351                expand_range(start, end, MAX_CIDR_EXPANSION, flag_name, s, &mut out);
352                continue;
353            }
354            // Plain IP form
355            match s.parse::<IpAddr>() {
356                Ok(ip) => out.push(ip),
357                Err(e) => {
358                    tracing::warn!(target: "mockforge::bench", "ignoring malformed --{flag_name} value '{s}': {e}");
359                }
360            }
361        }
362    }
363    out
364}
365
366/// Round 22.4 — expand an inclusive `start-end` IPv4 range to host
367/// addresses, capped at `cap`. Returns silently on a backwards or
368/// mixed-family range with a warning.
369fn expand_range(
370    start: std::net::IpAddr,
371    end: std::net::IpAddr,
372    cap: usize,
373    flag_name: &str,
374    raw: &str,
375    out: &mut Vec<std::net::IpAddr>,
376) {
377    use std::net::{IpAddr, Ipv4Addr};
378    let (start_v4, end_v4) = match (start, end) {
379        (IpAddr::V4(a), IpAddr::V4(b)) => (a, b),
380        _ => {
381            tracing::warn!(target: "mockforge::bench", "--{flag_name} '{raw}': range start/end must both be IPv4");
382            return;
383        }
384    };
385    let start_u32 = u32::from(start_v4);
386    let end_u32 = u32::from(end_v4);
387    if end_u32 < start_u32 {
388        tracing::warn!(target: "mockforge::bench", "--{flag_name} '{raw}': range end {end_v4} is before start {start_v4}");
389        return;
390    }
391    let total = (end_u32 - start_u32).saturating_add(1) as usize;
392    let take = total.min(cap);
393    if total > cap {
394        tracing::warn!(target: "mockforge::bench", "--{flag_name} '{raw}': range has {total} addresses, capping at {cap}");
395    }
396    for i in 0..take as u32 {
397        out.push(IpAddr::V4(Ipv4Addr::from(start_u32 + i)));
398    }
399}
400
401/// Expand a CIDR (IPv4 or IPv6) into individual host IPs, appending
402/// to `out`. Capped at `cap` to prevent runaway expansion on a `/8`
403/// typo. When the cap kicks in we log a warning and skip the rest.
404fn expand_cidr(
405    net: std::net::IpAddr,
406    prefix: u32,
407    cap: usize,
408    flag_name: &str,
409    raw: &str,
410    out: &mut Vec<std::net::IpAddr>,
411) {
412    use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
413    match net {
414        IpAddr::V4(ipv4) => {
415            if prefix > 32 {
416                tracing::warn!(target: "mockforge::bench", "ignoring --{flag_name} '{raw}': IPv4 prefix must be <= 32");
417                return;
418            }
419            let total: u64 = 1u64 << (32 - prefix);
420            let take = total.min(cap as u64) as u32;
421            if total > cap as u64 {
422                tracing::warn!(target: "mockforge::bench", "--{flag_name} '{raw}': CIDR has {total} addresses, capping at {cap}");
423            }
424            let mask: u32 = if prefix == 0 {
425                0
426            } else {
427                !0u32 << (32 - prefix)
428            };
429            let net_u32 = u32::from(ipv4) & mask;
430            for i in 0..take {
431                out.push(IpAddr::V4(Ipv4Addr::from(net_u32.wrapping_add(i))));
432            }
433        }
434        IpAddr::V6(ipv6) => {
435            if prefix > 128 {
436                tracing::warn!(target: "mockforge::bench", "ignoring --{flag_name} '{raw}': IPv6 prefix must be <= 128");
437                return;
438            }
439            // Total addresses = 2^(128-prefix). Cap at u128::MAX
440            // conceptually but since `cap` is small (256) we just
441            // iterate up to cap.
442            let mask: u128 = if prefix == 0 {
443                0
444            } else {
445                !0u128 << (128 - prefix)
446            };
447            let net_u128 = u128::from(ipv6) & mask;
448            let remaining_bits = 128 - prefix;
449            // Compute total carefully — for prefix=0 this is 2^128
450            // which overflows; we just clamp via take.
451            let total_capped = if remaining_bits >= 64 {
452                cap as u128
453            } else {
454                (1u128 << remaining_bits).min(cap as u128)
455            };
456            if remaining_bits < 128 && (1u128 << remaining_bits) > cap as u128 {
457                tracing::warn!(target: "mockforge::bench", "--{flag_name} '{raw}': IPv6 CIDR exceeds {cap} addresses, capping");
458            }
459            for i in 0..total_capped {
460                out.push(IpAddr::V6(Ipv6Addr::from(net_u128.wrapping_add(i))));
461            }
462        }
463    }
464}
465
466impl BenchCommand {
467    /// Load and merge specs from --spec files and --spec-dir
468    pub async fn load_and_merge_specs(&self) -> Result<OpenApiSpec> {
469        let mut all_specs: Vec<(PathBuf, OpenApiSpec)> = Vec::new();
470
471        // Load specs from --spec flags
472        if !self.spec.is_empty() {
473            let specs = load_specs_from_files(self.spec.clone())
474                .await
475                .map_err(|e| BenchError::Other(format!("Failed to load spec files: {}", e)))?;
476            all_specs.extend(specs);
477        }
478
479        // Load specs from --spec-dir if provided
480        if let Some(spec_dir) = &self.spec_dir {
481            let dir_specs = load_specs_from_directory(spec_dir).await.map_err(|e| {
482                BenchError::Other(format!("Failed to load specs from directory: {}", e))
483            })?;
484            all_specs.extend(dir_specs);
485        }
486
487        if all_specs.is_empty() {
488            return Err(BenchError::Other(
489                "No spec files provided. Use --spec or --spec-dir.".to_string(),
490            ));
491        }
492
493        // If only one spec, return it directly (extract just the OpenApiSpec)
494        if all_specs.len() == 1 {
495            // Safe to unwrap because we just checked len() == 1
496            return Ok(all_specs.into_iter().next().expect("checked len() == 1 above").1);
497        }
498
499        // Merge multiple specs
500        let conflict_strategy = match self.merge_conflicts.as_str() {
501            "first" => ConflictStrategy::First,
502            "last" => ConflictStrategy::Last,
503            _ => ConflictStrategy::Error,
504        };
505
506        merge_specs(all_specs, conflict_strategy)
507            .map_err(|e| BenchError::Other(format!("Failed to merge specs: {}", e)))
508    }
509
510    /// Get a display name for the spec(s)
511    fn get_spec_display_name(&self) -> String {
512        if self.spec.len() == 1 {
513            self.spec[0].to_string_lossy().to_string()
514        } else if !self.spec.is_empty() {
515            format!("{} spec files", self.spec.len())
516        } else if let Some(dir) = &self.spec_dir {
517            format!("specs from {}", dir.display())
518        } else {
519            "no specs".to_string()
520        }
521    }
522
523    /// Round 29 — capacity advisory. Counts the targets-file entries
524    /// (or 1 for single-target), multiplies by VUs and configured RPS,
525    /// and prints a warning when the product exceeds rule-of-thumb
526    /// limits a single client can handle. The detailed sizing table
527    /// lives in `book/src/reference/bench-capacity-sizing.md`; this
528    /// just nudges the user toward it before they hang their VM.
529    fn advise_capacity(&self) {
530        let target_count = self
531            .targets_file
532            .as_ref()
533            .and_then(|p| std::fs::read_to_string(p).ok())
534            .and_then(|s| serde_json::from_str::<serde_json::Value>(&s).ok())
535            .and_then(|v| v.as_array().map(|a| a.len()))
536            .unwrap_or(1);
537        let vus = self.vus.max(1);
538        let rps_total = self.target_rps.unwrap_or(0) as usize * target_count.max(1);
539        // 50 targets × 5 VUs = 250 is roughly where Srikanth's 15GB
540        // client started hanging on a 10 MB spec. Surface a warning
541        // well before that.
542        let load_product = target_count * vus as usize;
543        if load_product >= 150 {
544            let est_ram_gb =
545                (vus as usize * 50) / 1024 + (target_count * 10 * 2) / 1024 + target_count / 2;
546            let est_cores = ((vus as usize) / 50).max(2);
547            TerminalReporter::print_warning(&format!(
548                "Capacity advisory: targets={target_count}, VUs={vus}, RPS-total≈{rps_total}. \
549                 Single-client estimate: ~{est_cores} CPU cores, ~{est_ram_gb} GB RAM. \
550                 If your machine is below that, expect OOM hangs partway through the run. \
551                 See https://docs.mockforge.dev/reference/bench-capacity-sizing.html \
552                 for the sizing table and sharding guide."
553            ));
554        }
555    }
556
557    /// Execute the bench command
558    pub async fn execute(&self) -> Result<()> {
559        // Round 23 — Srikanth flagged that k6 _does_ support per-VU source
560        // IPs via `--local-ips` (the round-22 warning that said otherwise
561        // was wrong). The k6 path now forwards `--source-ip` straight to
562        // `k6 run --local-ips`, so the only case worth flagging is the
563        // self-test+k6 combo: self-test returns before k6 ever launches,
564        // so `--use-k6` on that command is a no-op.
565        if self.conformance_self_test && self.use_k6 {
566            TerminalReporter::print_warning(
567                "--use-k6 has no effect with --conformance-self-test: the self-test driver runs and returns before k6 is invoked. Drop one or the other depending on whether you want the spec-driven self-test or a k6 bench run.",
568            );
569        }
570
571        // Round 29 — Srikanth's "5 VUs against 50 targets hung the VM"
572        // report. Print an up-front capacity advisory so the user knows
573        // BEFORE the run starts that their config exceeds what one
574        // client can comfortably handle. Pure heuristic; rules of
575        // thumb live in book/src/reference/bench-capacity-sizing.md.
576        self.advise_capacity();
577
578        // Check if we're in multi-target mode
579        if let Some(targets_file) = &self.targets_file {
580            if self.conformance {
581                return self.execute_multi_target_conformance(targets_file).await;
582            }
583            return self.execute_multi_target(targets_file).await;
584        }
585
586        // Check if we're in sequential spec mode (for dependency handling)
587        if self.spec_mode == "sequential" && (self.spec.len() > 1 || self.spec_dir.is_some()) {
588            return self.execute_sequential_specs().await;
589        }
590
591        // Single target mode (existing behavior)
592        // Print header
593        TerminalReporter::print_header(
594            &self.get_spec_display_name(),
595            &self.target,
596            0, // Will be updated later
597            &self.scenario,
598            Self::parse_duration(&self.duration)?,
599        );
600
601        // Validate k6 installation
602        if !K6Executor::is_k6_installed() {
603            TerminalReporter::print_error("k6 is not installed");
604            TerminalReporter::print_warning(
605                "Install k6 from: https://k6.io/docs/get-started/installation/",
606            );
607            return Err(BenchError::K6NotFound);
608        }
609
610        // Check for conformance testing mode (before spec loading — conformance doesn't need a user spec)
611        if self.conformance {
612            return self.execute_conformance_test().await;
613        }
614
615        // Load and parse spec(s)
616        TerminalReporter::print_progress("Loading OpenAPI specification(s)...");
617        let merged_spec = self.load_and_merge_specs().await?;
618        let parser = SpecParser::from_spec(merged_spec);
619        if self.spec.len() > 1 || self.spec_dir.is_some() {
620            TerminalReporter::print_success(&format!(
621                "Loaded and merged {} specification(s)",
622                self.spec.len() + self.spec_dir.as_ref().map(|_| 1).unwrap_or(0)
623            ));
624        } else {
625            TerminalReporter::print_success("Specification loaded");
626        }
627
628        // Check for mock server integration
629        let mock_config = self.build_mock_config().await;
630        if mock_config.is_mock_server {
631            TerminalReporter::print_progress("Mock server integration enabled");
632        }
633
634        // Check for CRUD flow mode
635        if self.crud_flow {
636            return self.execute_crud_flow(&parser).await;
637        }
638
639        // Check for OWASP API Top 10 testing mode
640        if self.owasp_api_top10 {
641            return self.execute_owasp_test(&parser).await;
642        }
643
644        // Get operations
645        TerminalReporter::print_progress("Extracting API operations...");
646        let mut operations = if let Some(filter) = &self.operations {
647            parser.filter_operations(filter)?
648        } else {
649            parser.get_operations()
650        };
651
652        // Apply exclusions if provided
653        if let Some(exclude) = &self.exclude_operations {
654            let before_count = operations.len();
655            operations = parser.exclude_operations(operations, exclude)?;
656            let excluded_count = before_count - operations.len();
657            if excluded_count > 0 {
658                TerminalReporter::print_progress(&format!(
659                    "Excluded {} operations matching '{}'",
660                    excluded_count, exclude
661                ));
662            }
663        }
664
665        if operations.is_empty() {
666            return Err(BenchError::Other("No operations found in spec".to_string()));
667        }
668
669        TerminalReporter::print_success(&format!("Found {} operations", operations.len()));
670
671        // Load parameter overrides if provided
672        let param_overrides = if let Some(params_file) = &self.params_file {
673            TerminalReporter::print_progress("Loading parameter overrides...");
674            let overrides = ParameterOverrides::from_file(params_file)?;
675            TerminalReporter::print_success(&format!(
676                "Loaded parameter overrides ({} operation-specific, {} defaults)",
677                overrides.operations.len(),
678                if overrides.defaults.is_empty() { 0 } else { 1 }
679            ));
680            Some(overrides)
681        } else {
682            None
683        };
684
685        // Generate request templates
686        TerminalReporter::print_progress("Generating request templates...");
687        let templates: Vec<_> = operations
688            .iter()
689            .map(|op| {
690                let op_overrides = param_overrides.as_ref().map(|po| {
691                    po.get_for_operation(op.operation_id.as_deref(), &op.method, &op.path)
692                });
693                RequestGenerator::generate_template_with_overrides(op, op_overrides.as_ref())
694            })
695            .collect::<Result<Vec<_>>>()?;
696        TerminalReporter::print_success("Request templates generated");
697
698        // Parse headers
699        let custom_headers = self.parse_headers()?;
700
701        // Resolve base path (CLI option takes priority over spec's servers URL)
702        let base_path = self.resolve_base_path(&parser);
703        if let Some(ref bp) = base_path {
704            TerminalReporter::print_progress(&format!("Using base path: {}", bp));
705        }
706
707        // Generate k6 script
708        TerminalReporter::print_progress("Generating k6 load test script...");
709        let scenario =
710            LoadScenario::from_str(&self.scenario).map_err(BenchError::InvalidScenario)?;
711
712        let security_testing_enabled = self.security_test || self.wafbench_dir.is_some();
713
714        // Issue #79 round 6 follow-up — Srikanth reported k6 emitting
715        // "Insufficient VUs, reached 5 active VUs and cannot initialize more"
716        // when running `--rps 100 --vus 5`. With the `constant-arrival-rate`
717        // executor, k6 needs roughly `rps × avg_request_seconds` VUs to keep
718        // up; if `--vus` is too low it can't sustain the rate. Warn pre-flight
719        // so users know to bump `--vus` rather than chase the warning.
720        //
721        // Round 8 (#79): the static 100ms heuristic was wrong for fast targets
722        // (~2ms latency). Probe the actual target first to measure baseline
723        // latency, then derive a more accurate sizing recommendation. Fall
724        // back to the 100ms heuristic only when the probe can't reach the
725        // target (auth-gated endpoints, strict WAFs, etc).
726        //
727        // Round 9 (#79): factor in operation count. k6's constant-arrival-rate
728        // counts ITERATIONS, not requests — and every iteration runs all N
729        // operations sequentially, so required VUs scale with N. Srikanth's
730        // 12-op spec at --rps 100 with 15ms latency needs ~19 VUs, not 3.
731        let num_ops = operations.len() as u32;
732        if let Some(rps) = self.target_rps {
733            let probe =
734                crate::preflight::probe_target_latency(&self.target, 3, self.skip_tls_verify).await;
735
736            let (required_vus, basis) = match probe {
737                Some(p) => (
738                    p.required_vus(rps, num_ops),
739                    format!("avg {:.1}ms (measured)", p.avg_latency.as_secs_f64() * 1000.0),
740                ),
741                None => {
742                    // Static fallback: ~100ms heuristic × num_ops per iteration.
743                    let fallback = (rps as u64)
744                        .saturating_mul(num_ops.max(1) as u64)
745                        .div_ceil(10)
746                        .min(u32::MAX as u64) as u32;
747                    (fallback, "~100ms (default — probe failed)".to_string())
748                }
749            };
750
751            if self.vus < required_vus {
752                // Round 10 (#79): Srikanth's 11422-op spec at --rps 100 produced
753                // a recommendation of ~10,740 VUs, which is absurd in practice.
754                // When the recommendation goes super-linear, the real fix is to
755                // reduce the workload (use --operations filter), not bump VUs.
756                // Cap the suggestion at 1000 and steer the user toward filtering.
757                const VU_RECOMMENDATION_CAP: u32 = 1000;
758                let recommendation = required_vus.max(self.vus + 1);
759                if recommendation > VU_RECOMMENDATION_CAP {
760                    TerminalReporter::print_warning(&format!(
761                        "Workload is very large: --rps {} × {} ops/iteration × {} \
762                         baseline ⇒ ~{} VUs needed end-to-end, far beyond what's \
763                         practical to drive. Two ways to fix:\n  1. Reduce \
764                         operations per iteration with `--operations 'pattern,…'` \
765                         (or `--exclude-operations`) to focus the bench on a \
766                         representative subset.\n  2. Drop `--rps` and use \
767                         `--vus {}` alone — closed-model load runs as fast as \
768                         the VU pool allows, bounded by latency, with no per-\
769                         iteration deadline. Expect 1-iteration coverage of ~{} \
770                         operations in {}s.",
771                        rps,
772                        num_ops,
773                        basis,
774                        recommendation,
775                        self.vus.max(5),
776                        num_ops,
777                        Self::parse_duration(&self.duration).unwrap_or(0),
778                    ));
779                } else {
780                    TerminalReporter::print_warning(&format!(
781                        "--vus {} may be insufficient for --rps {} × {} ops/iteration \
782                         (baseline latency {}). k6's constant-arrival-rate counts ITERATIONS \
783                         and each runs every operation in the spec — required ≈ rps × ops × \
784                         latency_secs VUs. Bump --vus to ~{} if you see \"Insufficient VUs\" \
785                         warnings.",
786                        self.vus, rps, num_ops, basis, recommendation,
787                    ));
788                }
789            } else if probe.is_some() {
790                TerminalReporter::print_progress(&format!(
791                    "Pre-flight probe: target latency {}, {} ops/iteration — --vus {} \
792                     is sufficient for --rps {}",
793                    basis, num_ops, self.vus, rps,
794                ));
795            }
796        }
797
798        let k6_config = K6Config {
799            target_url: self.target.clone(),
800            base_path,
801            scenario,
802            duration_secs: Self::parse_duration(&self.duration)?,
803            max_vus: self.vus,
804            threshold_percentile: self.threshold_percentile.clone(),
805            threshold_ms: self.threshold_ms,
806            max_error_rate: self.max_error_rate,
807            auth_header: self.auth.clone(),
808            custom_headers,
809            skip_tls_verify: self.skip_tls_verify,
810            security_testing_enabled,
811            chunked_request_bodies: self.chunked_request_bodies,
812            target_rps: self.target_rps,
813            no_keep_alive: self.no_keep_alive,
814            // Round 22.3 — wire `--geo-source-ip` / `--geo-source-header`
815            // through to the k6 generator so the rendered script
816            // rotates the forwarded-IP headers per iteration. Pre-fix
817            // these were Vec::new() and the script never set the
818            // headers in bench mode.
819            geo_source_ips: parse_ip_list(&self.geo_source_ips, "geo-source-ip")
820                .into_iter()
821                .map(|ip| ip.to_string())
822                .collect(),
823            geo_source_headers: if self.geo_source_headers.is_empty()
824                && !self.geo_source_ips.is_empty()
825            {
826                crate::conformance::self_test::default_geo_source_headers()
827            } else {
828                self.geo_source_headers.clone()
829            },
830        };
831
832        let generator = K6ScriptGenerator::new(k6_config, templates);
833        let mut script = generator.generate()?;
834        TerminalReporter::print_success("k6 script generated");
835
836        // Check if any advanced features are enabled
837        let has_advanced_features = self.data_file.is_some()
838            || self.error_rate.is_some()
839            || self.security_test
840            || self.parallel_create.is_some()
841            || self.wafbench_dir.is_some();
842
843        // Enhance script with advanced features
844        if has_advanced_features {
845            script = self.generate_enhanced_script(&script)?;
846        }
847
848        // Add mock server integration code
849        if mock_config.is_mock_server {
850            let setup_code = MockIntegrationGenerator::generate_setup(&mock_config);
851            let teardown_code = MockIntegrationGenerator::generate_teardown(&mock_config);
852            let helper_code = MockIntegrationGenerator::generate_vu_id_helper();
853
854            // Insert mock server code after imports
855            if let Some(import_end) = script.find("export const options") {
856                script.insert_str(
857                    import_end,
858                    &format!(
859                        "\n// === Mock Server Integration ===\n{}\n{}\n{}\n",
860                        helper_code, setup_code, teardown_code
861                    ),
862                );
863            }
864        }
865
866        // Validate the generated script
867        TerminalReporter::print_progress("Validating k6 script...");
868        let validation_errors = K6ScriptGenerator::validate_script(&script);
869        if !validation_errors.is_empty() {
870            TerminalReporter::print_error("Script validation failed");
871            for error in &validation_errors {
872                eprintln!("  {}", error);
873            }
874            return Err(BenchError::Other(format!(
875                "Generated k6 script has {} validation error(s). Please check the output above.",
876                validation_errors.len()
877            )));
878        }
879        TerminalReporter::print_success("Script validation passed");
880
881        // Write script to file
882        let script_path = if let Some(output) = &self.script_output {
883            output.clone()
884        } else {
885            self.output.join("k6-script.js")
886        };
887
888        if let Some(parent) = script_path.parent() {
889            std::fs::create_dir_all(parent)?;
890        }
891        std::fs::write(&script_path, &script)?;
892        TerminalReporter::print_success(&format!("Script written to: {}", script_path.display()));
893
894        // If generate-only mode, exit here
895        if self.generate_only {
896            println!("\nScript generated successfully. Run it with:");
897            println!("  k6 run {}", script_path.display());
898            return Ok(());
899        }
900
901        // Execute k6
902        TerminalReporter::print_progress("Executing load test...");
903        let executor = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
904
905        std::fs::create_dir_all(&self.output)?;
906
907        let results = executor.execute(&script_path, Some(&self.output), self.verbose).await?;
908
909        // Print results
910        let duration_secs = Self::parse_duration(&self.duration)?;
911        TerminalReporter::print_summary_full(
912            &results,
913            duration_secs,
914            self.no_keep_alive,
915            Some(num_ops),
916        );
917
918        println!("\nResults saved to: {}", self.output.display());
919
920        Ok(())
921    }
922
923    /// Execute multi-target bench testing
924    async fn execute_multi_target(&self, targets_file: &Path) -> Result<()> {
925        TerminalReporter::print_progress("Parsing targets file...");
926        let targets = parse_targets_file(targets_file)?;
927        let num_targets = targets.len();
928        TerminalReporter::print_success(&format!("Loaded {} targets", num_targets));
929
930        if targets.is_empty() {
931            return Err(BenchError::Other("No targets found in file".to_string()));
932        }
933
934        // Determine max concurrency
935        let max_concurrency = self.max_concurrency.unwrap_or(10) as usize;
936        let max_concurrency = max_concurrency.min(num_targets); // Don't exceed number of targets
937
938        // Print header for multi-target mode
939        TerminalReporter::print_header(
940            &self.get_spec_display_name(),
941            &format!("{} targets", num_targets),
942            0,
943            &self.scenario,
944            Self::parse_duration(&self.duration)?,
945        );
946
947        // Create parallel executor
948        let executor = ParallelExecutor::new(
949            BenchCommand {
950                // Clone all fields except targets_file (we don't need it in the executor)
951                spec: self.spec.clone(),
952                spec_dir: self.spec_dir.clone(),
953                merge_conflicts: self.merge_conflicts.clone(),
954                spec_mode: self.spec_mode.clone(),
955                dependency_config: self.dependency_config.clone(),
956                target: self.target.clone(), // Not used in multi-target mode, but kept for compatibility
957                base_path: self.base_path.clone(),
958                duration: self.duration.clone(),
959                vus: self.vus,
960                target_rps: self.target_rps,
961                no_keep_alive: self.no_keep_alive,
962                scenario: self.scenario.clone(),
963                operations: self.operations.clone(),
964                exclude_operations: self.exclude_operations.clone(),
965                auth: self.auth.clone(),
966                headers: self.headers.clone(),
967                output: self.output.clone(),
968                generate_only: self.generate_only,
969                script_output: self.script_output.clone(),
970                threshold_percentile: self.threshold_percentile.clone(),
971                threshold_ms: self.threshold_ms,
972                max_error_rate: self.max_error_rate,
973                verbose: self.verbose,
974                skip_tls_verify: self.skip_tls_verify,
975                chunked_request_bodies: self.chunked_request_bodies,
976                targets_file: None,
977                max_concurrency: None,
978                results_format: self.results_format.clone(),
979                params_file: self.params_file.clone(),
980                crud_flow: self.crud_flow,
981                flow_config: self.flow_config.clone(),
982                extract_fields: self.extract_fields.clone(),
983                parallel_create: self.parallel_create,
984                data_file: self.data_file.clone(),
985                data_distribution: self.data_distribution.clone(),
986                data_mappings: self.data_mappings.clone(),
987                per_uri_control: self.per_uri_control,
988                error_rate: self.error_rate,
989                error_types: self.error_types.clone(),
990                security_test: self.security_test,
991                security_payloads: self.security_payloads.clone(),
992                security_categories: self.security_categories.clone(),
993                security_target_fields: self.security_target_fields.clone(),
994                wafbench_dir: self.wafbench_dir.clone(),
995                wafbench_cycle_all: self.wafbench_cycle_all,
996                owasp_api_top10: self.owasp_api_top10,
997                owasp_categories: self.owasp_categories.clone(),
998                owasp_auth_header: self.owasp_auth_header.clone(),
999                owasp_auth_token: self.owasp_auth_token.clone(),
1000                owasp_admin_paths: self.owasp_admin_paths.clone(),
1001                owasp_id_fields: self.owasp_id_fields.clone(),
1002                owasp_report: self.owasp_report.clone(),
1003                owasp_report_format: self.owasp_report_format.clone(),
1004                owasp_iterations: self.owasp_iterations,
1005                conformance: false,
1006                conformance_api_key: None,
1007                conformance_basic_auth: None,
1008                conformance_report: PathBuf::from("conformance-report.json"),
1009                conformance_categories: None,
1010                conformance_report_format: "json".to_string(),
1011                conformance_headers: vec![],
1012                conformance_all_operations: false,
1013                conformance_custom: None,
1014                conformance_delay_ms: 0,
1015                use_k6: false,
1016                conformance_custom_filter: None,
1017                export_requests: false,
1018                validate_requests: false,
1019                conformance_self_test: false,
1020                conformance_self_test_capture: false,
1021                conformance_self_test_iterations: 1,
1022                conformance_self_test_duration: None,
1023                validate_response_schemas: false,
1024                source_ips: Vec::new(),
1025                geo_source_ips: Vec::new(),
1026                geo_source_headers: Vec::new(),
1027                report_missed_cap: None,
1028            },
1029            targets,
1030            max_concurrency,
1031        );
1032
1033        // Execute all targets
1034        let start_time = std::time::Instant::now();
1035        let aggregated_results = executor.execute_all().await?;
1036        let elapsed = start_time.elapsed();
1037
1038        // Organize and report results
1039        self.report_multi_target_results(&aggregated_results, elapsed)?;
1040
1041        Ok(())
1042    }
1043
1044    /// Report results for multi-target execution
1045    fn report_multi_target_results(
1046        &self,
1047        results: &AggregatedResults,
1048        elapsed: std::time::Duration,
1049    ) -> Result<()> {
1050        // Print summary
1051        TerminalReporter::print_multi_target_summary(results);
1052
1053        // Print elapsed time
1054        let total_secs = elapsed.as_secs();
1055        let hours = total_secs / 3600;
1056        let minutes = (total_secs % 3600) / 60;
1057        let seconds = total_secs % 60;
1058        if hours > 0 {
1059            println!("\n  Total Elapsed Time:   {}h {}m {}s", hours, minutes, seconds);
1060        } else if minutes > 0 {
1061            println!("\n  Total Elapsed Time:   {}m {}s", minutes, seconds);
1062        } else {
1063            println!("\n  Total Elapsed Time:   {}s", seconds);
1064        }
1065
1066        // Save aggregated summary if requested
1067        if self.results_format == "aggregated" || self.results_format == "both" {
1068            let summary_path = self.output.join("aggregated_summary.json");
1069            let summary_json = serde_json::json!({
1070                "total_elapsed_seconds": elapsed.as_secs(),
1071                "total_targets": results.total_targets,
1072                "successful_targets": results.successful_targets,
1073                "failed_targets": results.failed_targets,
1074                "aggregated_metrics": {
1075                    "total_requests": results.aggregated_metrics.total_requests,
1076                    "total_failed_requests": results.aggregated_metrics.total_failed_requests,
1077                    "avg_duration_ms": results.aggregated_metrics.avg_duration_ms,
1078                    "p95_duration_ms": results.aggregated_metrics.p95_duration_ms,
1079                    "p99_duration_ms": results.aggregated_metrics.p99_duration_ms,
1080                    "error_rate": results.aggregated_metrics.error_rate,
1081                    "total_rps": results.aggregated_metrics.total_rps,
1082                    "avg_rps": results.aggregated_metrics.avg_rps,
1083                    "total_vus_max": results.aggregated_metrics.total_vus_max,
1084                },
1085                "target_results": results.target_results.iter().map(|r| {
1086                    serde_json::json!({
1087                        "target_url": r.target_url,
1088                        "target_index": r.target_index,
1089                        "success": r.success,
1090                        "error": r.error,
1091                        "total_requests": r.results.total_requests,
1092                        "failed_requests": r.results.failed_requests,
1093                        "avg_duration_ms": r.results.avg_duration_ms,
1094                        "min_duration_ms": r.results.min_duration_ms,
1095                        "med_duration_ms": r.results.med_duration_ms,
1096                        "p90_duration_ms": r.results.p90_duration_ms,
1097                        "p95_duration_ms": r.results.p95_duration_ms,
1098                        "p99_duration_ms": r.results.p99_duration_ms,
1099                        "max_duration_ms": r.results.max_duration_ms,
1100                        "rps": r.results.rps,
1101                        "vus_max": r.results.vus_max,
1102                        "output_dir": r.output_dir.to_string_lossy(),
1103                    })
1104                }).collect::<Vec<_>>(),
1105            });
1106
1107            std::fs::write(&summary_path, serde_json::to_string_pretty(&summary_json)?)?;
1108            TerminalReporter::print_success(&format!(
1109                "Aggregated summary saved to: {}",
1110                summary_path.display()
1111            ));
1112        }
1113
1114        // Write CSV with all per-target results for easy parsing
1115        let csv_path = self.output.join("all_targets.csv");
1116        let mut csv = String::from(
1117            "target_url,success,requests,failed,rps,vus,min_ms,avg_ms,med_ms,p90_ms,p95_ms,p99_ms,max_ms,error\n",
1118        );
1119        for r in &results.target_results {
1120            csv.push_str(&format!(
1121                "{},{},{},{},{:.1},{},{:.1},{:.1},{:.1},{:.1},{:.1},{:.1},{:.1},{}\n",
1122                r.target_url,
1123                r.success,
1124                r.results.total_requests,
1125                r.results.failed_requests,
1126                r.results.rps,
1127                r.results.vus_max,
1128                r.results.min_duration_ms,
1129                r.results.avg_duration_ms,
1130                r.results.med_duration_ms,
1131                r.results.p90_duration_ms,
1132                r.results.p95_duration_ms,
1133                r.results.p99_duration_ms,
1134                r.results.max_duration_ms,
1135                r.error.as_deref().unwrap_or(""),
1136            ));
1137        }
1138        let _ = std::fs::write(&csv_path, &csv);
1139
1140        println!("\nResults saved to: {}", self.output.display());
1141        println!("  - Per-target results: {}", self.output.join("target_*").display());
1142        println!("  - All targets CSV:    {}", csv_path.display());
1143        if self.results_format == "aggregated" || self.results_format == "both" {
1144            println!(
1145                "  - Aggregated summary: {}",
1146                self.output.join("aggregated_summary.json").display()
1147            );
1148        }
1149
1150        Ok(())
1151    }
1152
1153    /// Parse duration string (e.g., "30s", "5m", "1h") to seconds
1154    pub fn parse_duration(duration: &str) -> Result<u64> {
1155        let duration = duration.trim();
1156
1157        if let Some(secs) = duration.strip_suffix('s') {
1158            secs.parse::<u64>()
1159                .map_err(|_| BenchError::Other(format!("Invalid duration: {}", duration)))
1160        } else if let Some(mins) = duration.strip_suffix('m') {
1161            mins.parse::<u64>()
1162                .map(|m| m * 60)
1163                .map_err(|_| BenchError::Other(format!("Invalid duration: {}", duration)))
1164        } else if let Some(hours) = duration.strip_suffix('h') {
1165            hours
1166                .parse::<u64>()
1167                .map(|h| h * 3600)
1168                .map_err(|_| BenchError::Other(format!("Invalid duration: {}", duration)))
1169        } else {
1170            // Try parsing as seconds without suffix
1171            duration
1172                .parse::<u64>()
1173                .map_err(|_| BenchError::Other(format!("Invalid duration: {}", duration)))
1174        }
1175    }
1176
1177    /// Parse headers from the repeated `--headers "Key:Value"` flags.
1178    pub fn parse_headers(&self) -> Result<HashMap<String, String>> {
1179        let mut headers = parse_header_string(&self.headers)?;
1180
1181        // Round 47 (#79) — Srikanth on 0.3.191 tried
1182        // `mockforge bench --conformance-basic-auth user:pass --spec ...`
1183        // (no `--conformance` flag) and the auth never landed because
1184        // the bench path only reads `self.headers`. Fold the
1185        // conformance auth shortcuts (basic, api-key, the round-46
1186        // --auth-bearer collected in `conformance_headers`) into the
1187        // shared header map so the SAME auth flags work whether the
1188        // run is plain bench, conformance, or self-test. De-dup
1189        // case-insensitively on header name; explicit
1190        // `--header "Authorization: ..."` keeps priority.
1191        let already_has = |hs: &HashMap<String, String>, name: &str| -> bool {
1192            hs.keys().any(|k| k.eq_ignore_ascii_case(name))
1193        };
1194
1195        if !already_has(&headers, "Authorization") {
1196            if let Some(b) = self.conformance_basic_auth.as_ref().filter(|s| !s.is_empty()) {
1197                use base64::Engine as _;
1198                let encoded = base64::engine::general_purpose::STANDARD.encode(b.as_bytes());
1199                headers.insert("Authorization".to_string(), format!("Basic {}", encoded));
1200            }
1201        }
1202
1203        // `--conformance-headers "Name: value"` was already conformance-
1204        // only; reuse the same flag for bench. Round 46's --auth-bearer
1205        // injects `Authorization: Bearer ...` into this list at CLI
1206        // dispatch time, so this single pass also picks up the bearer
1207        // token for plain bench.
1208        for line in &self.conformance_headers {
1209            let Some((name, value)) = line.split_once(':') else {
1210                continue;
1211            };
1212            let name = name.trim();
1213            let value = value.trim();
1214            if name.is_empty() || already_has(&headers, name) {
1215                continue;
1216            }
1217            headers.insert(name.to_string(), value.to_string());
1218        }
1219
1220        // `--conformance-api-key` is conformance-test-specific (probe
1221        // pattern over multiple header names). Forwarding it to plain
1222        // bench as a simple header would mislead a user expecting the
1223        // probe behaviour, so we leave that path conformance-only and
1224        // surface a one-line note when it's set without `--conformance`.
1225        if !self.conformance && self.conformance_api_key.is_some() {
1226            TerminalReporter::print_warning(
1227                "--conformance-api-key only fires under --conformance. For plain bench use --header 'X-API-Key: ...'.",
1228            );
1229        }
1230
1231        Ok(headers)
1232    }
1233
1234    fn parse_extracted_values(output_dir: &Path) -> Result<ExtractedValues> {
1235        let extracted_path = output_dir.join("extracted_values.json");
1236        if !extracted_path.exists() {
1237            return Ok(ExtractedValues::new());
1238        }
1239
1240        let content = std::fs::read_to_string(&extracted_path)
1241            .map_err(|e| BenchError::ResultsParseError(e.to_string()))?;
1242        let parsed: serde_json::Value = serde_json::from_str(&content)
1243            .map_err(|e| BenchError::ResultsParseError(e.to_string()))?;
1244
1245        let mut extracted = ExtractedValues::new();
1246        if let Some(values) = parsed.as_object() {
1247            for (key, value) in values {
1248                extracted.set(key.clone(), value.clone());
1249            }
1250        }
1251
1252        Ok(extracted)
1253    }
1254
1255    /// Resolve the effective base path for API endpoints
1256    ///
1257    /// Priority:
1258    /// 1. CLI --base-path option (if provided, even if empty string)
1259    /// 2. Base path extracted from OpenAPI spec's servers URL
1260    /// 3. None (no base path)
1261    ///
1262    /// An empty string from CLI explicitly disables base path.
1263    fn resolve_base_path(&self, parser: &SpecParser) -> Option<String> {
1264        // CLI option takes priority (including empty string to disable)
1265        if let Some(cli_base_path) = &self.base_path {
1266            if cli_base_path.is_empty() {
1267                // Empty string explicitly means "no base path"
1268                return None;
1269            }
1270            return Some(cli_base_path.clone());
1271        }
1272
1273        // Fall back to spec's base path
1274        parser.get_base_path()
1275    }
1276
1277    /// Build mock server integration configuration
1278    async fn build_mock_config(&self) -> MockIntegrationConfig {
1279        // Check if target looks like a mock server
1280        if MockServerDetector::looks_like_mock_server(&self.target) {
1281            // Try to detect if it's actually a MockForge server
1282            if let Ok(info) = MockServerDetector::detect(&self.target).await {
1283                if info.is_mockforge {
1284                    TerminalReporter::print_success(&format!(
1285                        "Detected MockForge server (version: {})",
1286                        info.version.as_deref().unwrap_or("unknown")
1287                    ));
1288                    return MockIntegrationConfig::mock_server();
1289                }
1290            }
1291        }
1292        MockIntegrationConfig::real_api()
1293    }
1294
1295    /// Build CRUD flow configuration
1296    fn build_crud_flow_config(&self) -> Option<CrudFlowConfig> {
1297        if !self.crud_flow {
1298            return None;
1299        }
1300
1301        // If flow_config file is provided, load it
1302        if let Some(config_path) = &self.flow_config {
1303            match CrudFlowConfig::from_file(config_path) {
1304                Ok(config) => return Some(config),
1305                Err(e) => {
1306                    TerminalReporter::print_warning(&format!(
1307                        "Failed to load flow config: {}. Using auto-detection.",
1308                        e
1309                    ));
1310                }
1311            }
1312        }
1313
1314        // Parse extract fields
1315        let extract_fields = self
1316            .extract_fields
1317            .as_ref()
1318            .map(|f| f.split(',').map(|s| s.trim().to_string()).collect())
1319            .unwrap_or_else(|| vec!["id".to_string(), "uuid".to_string()]);
1320
1321        Some(CrudFlowConfig {
1322            flows: Vec::new(), // Will be auto-detected
1323            default_extract_fields: extract_fields,
1324        })
1325    }
1326
1327    /// Build data-driven testing configuration
1328    fn build_data_driven_config(&self) -> Option<DataDrivenConfig> {
1329        let data_file = self.data_file.as_ref()?;
1330
1331        let distribution = DataDistribution::from_str(&self.data_distribution)
1332            .unwrap_or(DataDistribution::UniquePerVu);
1333
1334        let mappings = self
1335            .data_mappings
1336            .as_ref()
1337            .map(|m| DataMapping::parse_mappings(m).unwrap_or_default())
1338            .unwrap_or_default();
1339
1340        Some(DataDrivenConfig {
1341            file_path: data_file.to_string_lossy().to_string(),
1342            distribution,
1343            mappings,
1344            csv_has_header: true,
1345            per_uri_control: self.per_uri_control,
1346            per_uri_columns: crate::data_driven::PerUriColumns::default(),
1347        })
1348    }
1349
1350    /// Build invalid data testing configuration
1351    fn build_invalid_data_config(&self) -> Option<InvalidDataConfig> {
1352        let error_rate = self.error_rate?;
1353
1354        let error_types = self
1355            .error_types
1356            .as_ref()
1357            .map(|types| InvalidDataConfig::parse_error_types(types).unwrap_or_default())
1358            .unwrap_or_default();
1359
1360        Some(InvalidDataConfig {
1361            error_rate,
1362            error_types,
1363            target_fields: Vec::new(),
1364        })
1365    }
1366
1367    /// Build security testing configuration
1368    fn build_security_config(&self) -> Option<SecurityTestConfig> {
1369        if !self.security_test {
1370            return None;
1371        }
1372
1373        let categories = self
1374            .security_categories
1375            .as_ref()
1376            .map(|cats| SecurityTestConfig::parse_categories(cats).unwrap_or_default())
1377            .unwrap_or_else(|| {
1378                let mut default = HashSet::new();
1379                default.insert(SecurityCategory::SqlInjection);
1380                default.insert(SecurityCategory::Xss);
1381                default
1382            });
1383
1384        let target_fields = self
1385            .security_target_fields
1386            .as_ref()
1387            .map(|fields| fields.split(',').map(|f| f.trim().to_string()).collect())
1388            .unwrap_or_default();
1389
1390        let custom_payloads_file =
1391            self.security_payloads.as_ref().map(|p| p.to_string_lossy().to_string());
1392
1393        Some(SecurityTestConfig {
1394            enabled: true,
1395            categories,
1396            target_fields,
1397            custom_payloads_file,
1398            include_high_risk: false,
1399        })
1400    }
1401
1402    /// Build parallel execution configuration
1403    fn build_parallel_config(&self) -> Option<ParallelConfig> {
1404        let count = self.parallel_create?;
1405
1406        Some(ParallelConfig::new(count))
1407    }
1408
1409    /// Load WAFBench payloads from the specified directory or pattern
1410    fn load_wafbench_payloads(&self) -> Vec<SecurityPayload> {
1411        let Some(ref wafbench_dir) = self.wafbench_dir else {
1412            return Vec::new();
1413        };
1414
1415        let mut loader = WafBenchLoader::new();
1416
1417        if let Err(e) = loader.load_from_pattern(wafbench_dir) {
1418            TerminalReporter::print_warning(&format!("Failed to load WAFBench tests: {}", e));
1419            return Vec::new();
1420        }
1421
1422        let stats = loader.stats();
1423
1424        if stats.files_processed == 0 {
1425            TerminalReporter::print_warning(&format!(
1426                "No WAFBench YAML files found matching '{}'",
1427                wafbench_dir
1428            ));
1429            // Also report any parse errors that may explain why no files were processed
1430            if !stats.parse_errors.is_empty() {
1431                TerminalReporter::print_warning("Some files were found but failed to parse:");
1432                for error in &stats.parse_errors {
1433                    TerminalReporter::print_warning(&format!("  - {}", error));
1434                }
1435            }
1436            return Vec::new();
1437        }
1438
1439        TerminalReporter::print_progress(&format!(
1440            "Loaded {} WAFBench files, {} test cases, {} payloads",
1441            stats.files_processed, stats.test_cases_loaded, stats.payloads_extracted
1442        ));
1443
1444        // Print category breakdown
1445        for (category, count) in &stats.by_category {
1446            TerminalReporter::print_progress(&format!("  - {}: {} tests", category, count));
1447        }
1448
1449        // Report any parse errors
1450        for error in &stats.parse_errors {
1451            TerminalReporter::print_warning(&format!("  Parse error: {}", error));
1452        }
1453
1454        loader.to_security_payloads()
1455    }
1456
1457    /// Generate enhanced k6 script with advanced features
1458    pub(crate) fn generate_enhanced_script(&self, base_script: &str) -> Result<String> {
1459        let mut enhanced_script = base_script.to_string();
1460        let mut additional_code = String::new();
1461
1462        // Add data-driven testing code
1463        if let Some(config) = self.build_data_driven_config() {
1464            TerminalReporter::print_progress("Adding data-driven testing support...");
1465            additional_code.push_str(&DataDrivenGenerator::generate_setup(&config));
1466            additional_code.push('\n');
1467            TerminalReporter::print_success("Data-driven testing enabled");
1468        }
1469
1470        // Add invalid data generation code
1471        if let Some(config) = self.build_invalid_data_config() {
1472            TerminalReporter::print_progress("Adding invalid data testing support...");
1473            additional_code.push_str(&InvalidDataGenerator::generate_invalidation_logic());
1474            additional_code.push('\n');
1475            additional_code
1476                .push_str(&InvalidDataGenerator::generate_should_invalidate(config.error_rate));
1477            additional_code.push('\n');
1478            additional_code
1479                .push_str(&InvalidDataGenerator::generate_type_selection(&config.error_types));
1480            additional_code.push('\n');
1481            TerminalReporter::print_success(&format!(
1482                "Invalid data testing enabled ({}% error rate)",
1483                (self.error_rate.unwrap_or(0.0) * 100.0) as u32
1484            ));
1485        }
1486
1487        // Add security testing code
1488        let security_config = self.build_security_config();
1489        let wafbench_payloads = self.load_wafbench_payloads();
1490        let security_requested = security_config.is_some() || self.wafbench_dir.is_some();
1491
1492        if security_config.is_some() || !wafbench_payloads.is_empty() {
1493            TerminalReporter::print_progress("Adding security testing support...");
1494
1495            // Combine built-in payloads with WAFBench payloads
1496            let mut payload_list: Vec<SecurityPayload> = Vec::new();
1497
1498            if let Some(ref config) = security_config {
1499                payload_list.extend(SecurityPayloads::get_payloads(config));
1500            }
1501
1502            // Add WAFBench payloads
1503            if !wafbench_payloads.is_empty() {
1504                TerminalReporter::print_progress(&format!(
1505                    "Loading {} WAFBench attack patterns...",
1506                    wafbench_payloads.len()
1507                ));
1508                payload_list.extend(wafbench_payloads);
1509            }
1510
1511            let target_fields =
1512                security_config.as_ref().map(|c| c.target_fields.clone()).unwrap_or_default();
1513
1514            additional_code.push_str(&SecurityTestGenerator::generate_payload_selection(
1515                &payload_list,
1516                self.wafbench_cycle_all,
1517            ));
1518            additional_code.push('\n');
1519            additional_code
1520                .push_str(&SecurityTestGenerator::generate_apply_payload(&target_fields));
1521            additional_code.push('\n');
1522            additional_code.push_str(&SecurityTestGenerator::generate_security_checks());
1523            additional_code.push('\n');
1524
1525            let mode = if self.wafbench_cycle_all {
1526                "cycle-all"
1527            } else {
1528                "random"
1529            };
1530            TerminalReporter::print_success(&format!(
1531                "Security testing enabled ({} payloads, {} mode)",
1532                payload_list.len(),
1533                mode
1534            ));
1535        } else if security_requested {
1536            // User requested security testing (e.g., --wafbench-dir) but no payloads were loaded.
1537            // The template has security_testing_enabled=true so it renders calling code.
1538            // We must inject stub definitions to avoid undefined function references.
1539            TerminalReporter::print_warning(
1540                "Security testing was requested but no payloads were loaded. \
1541                 Ensure --wafbench-dir points to valid CRS YAML files or add --security-test.",
1542            );
1543            additional_code
1544                .push_str(&SecurityTestGenerator::generate_payload_selection(&[], false));
1545            additional_code.push('\n');
1546            additional_code.push_str(&SecurityTestGenerator::generate_apply_payload(&[]));
1547            additional_code.push('\n');
1548        }
1549
1550        // Add parallel execution code
1551        if let Some(config) = self.build_parallel_config() {
1552            TerminalReporter::print_progress("Adding parallel execution support...");
1553            additional_code.push_str(&ParallelRequestGenerator::generate_batch_helper(&config));
1554            additional_code.push('\n');
1555            TerminalReporter::print_success(&format!(
1556                "Parallel execution enabled (count: {})",
1557                config.count
1558            ));
1559        }
1560
1561        // Insert additional code after the imports section
1562        if !additional_code.is_empty() {
1563            // Find the end of the import section
1564            if let Some(import_end) = enhanced_script.find("export const options") {
1565                enhanced_script.insert_str(
1566                    import_end,
1567                    &format!("\n// === Advanced Testing Features ===\n{}\n", additional_code),
1568                );
1569            }
1570        }
1571
1572        Ok(enhanced_script)
1573    }
1574
1575    /// Execute specs sequentially with dependency ordering and value passing
1576    async fn execute_sequential_specs(&self) -> Result<()> {
1577        TerminalReporter::print_progress("Sequential spec mode: Loading specs individually...");
1578
1579        // Load all specs (without merging)
1580        let mut all_specs: Vec<(PathBuf, OpenApiSpec)> = Vec::new();
1581
1582        if !self.spec.is_empty() {
1583            let specs = load_specs_from_files(self.spec.clone())
1584                .await
1585                .map_err(|e| BenchError::Other(format!("Failed to load spec files: {}", e)))?;
1586            all_specs.extend(specs);
1587        }
1588
1589        if let Some(spec_dir) = &self.spec_dir {
1590            let dir_specs = load_specs_from_directory(spec_dir).await.map_err(|e| {
1591                BenchError::Other(format!("Failed to load specs from directory: {}", e))
1592            })?;
1593            all_specs.extend(dir_specs);
1594        }
1595
1596        if all_specs.is_empty() {
1597            return Err(BenchError::Other(
1598                "No spec files found for sequential execution".to_string(),
1599            ));
1600        }
1601
1602        TerminalReporter::print_success(&format!("Loaded {} spec(s)", all_specs.len()));
1603
1604        // Load dependency config or auto-detect
1605        let execution_order = if let Some(config_path) = &self.dependency_config {
1606            TerminalReporter::print_progress("Loading dependency configuration...");
1607            let config = SpecDependencyConfig::from_file(config_path)?;
1608
1609            if !config.disable_auto_detect && config.execution_order.is_empty() {
1610                // Auto-detect if config doesn't specify order
1611                self.detect_and_sort_specs(&all_specs)?
1612            } else {
1613                // Use configured order
1614                config.execution_order.iter().flat_map(|g| g.specs.clone()).collect()
1615            }
1616        } else {
1617            // Auto-detect dependencies
1618            self.detect_and_sort_specs(&all_specs)?
1619        };
1620
1621        TerminalReporter::print_success(&format!(
1622            "Execution order: {}",
1623            execution_order
1624                .iter()
1625                .map(|p| p.file_name().unwrap_or_default().to_string_lossy().to_string())
1626                .collect::<Vec<_>>()
1627                .join(" → ")
1628        ));
1629
1630        // Execute each spec in order
1631        let mut extracted_values = ExtractedValues::new();
1632        let total_specs = execution_order.len();
1633
1634        for (index, spec_path) in execution_order.iter().enumerate() {
1635            let spec_name = spec_path.file_name().unwrap_or_default().to_string_lossy().to_string();
1636
1637            TerminalReporter::print_progress(&format!(
1638                "[{}/{}] Executing spec: {}",
1639                index + 1,
1640                total_specs,
1641                spec_name
1642            ));
1643
1644            // Find the spec in our loaded specs (match by full path or filename)
1645            let spec = all_specs
1646                .iter()
1647                .find(|(p, _)| {
1648                    p == spec_path
1649                        || p.file_name() == spec_path.file_name()
1650                        || p.file_name() == Some(spec_path.as_os_str())
1651                })
1652                .map(|(_, s)| s.clone())
1653                .ok_or_else(|| {
1654                    BenchError::Other(format!("Spec not found: {}", spec_path.display()))
1655                })?;
1656
1657            // Execute this spec with any extracted values from previous specs
1658            let new_values = self.execute_single_spec(&spec, &spec_name, &extracted_values).await?;
1659
1660            // Merge extracted values for the next spec
1661            extracted_values.merge(&new_values);
1662
1663            TerminalReporter::print_success(&format!(
1664                "[{}/{}] Completed: {} (extracted {} values)",
1665                index + 1,
1666                total_specs,
1667                spec_name,
1668                new_values.values.len()
1669            ));
1670        }
1671
1672        TerminalReporter::print_success(&format!(
1673            "Sequential execution complete: {} specs executed",
1674            total_specs
1675        ));
1676
1677        Ok(())
1678    }
1679
1680    /// Detect dependencies and return topologically sorted spec paths
1681    fn detect_and_sort_specs(&self, specs: &[(PathBuf, OpenApiSpec)]) -> Result<Vec<PathBuf>> {
1682        TerminalReporter::print_progress("Auto-detecting spec dependencies...");
1683
1684        let mut detector = DependencyDetector::new();
1685        let dependencies = detector.detect_dependencies(specs);
1686
1687        if dependencies.is_empty() {
1688            TerminalReporter::print_progress("No dependencies detected, using file order");
1689            return Ok(specs.iter().map(|(p, _)| p.clone()).collect());
1690        }
1691
1692        TerminalReporter::print_progress(&format!(
1693            "Detected {} cross-spec dependencies",
1694            dependencies.len()
1695        ));
1696
1697        for dep in &dependencies {
1698            TerminalReporter::print_progress(&format!(
1699                "  {} → {} (via field '{}')",
1700                dep.dependency_spec.file_name().unwrap_or_default().to_string_lossy(),
1701                dep.dependent_spec.file_name().unwrap_or_default().to_string_lossy(),
1702                dep.field_name
1703            ));
1704        }
1705
1706        topological_sort(specs, &dependencies)
1707    }
1708
1709    /// Execute a single spec and extract values for dependent specs
1710    async fn execute_single_spec(
1711        &self,
1712        spec: &OpenApiSpec,
1713        spec_name: &str,
1714        _external_values: &ExtractedValues,
1715    ) -> Result<ExtractedValues> {
1716        let parser = SpecParser::from_spec(spec.clone());
1717
1718        // For now, we execute in CRUD flow mode if enabled, otherwise standard mode
1719        if self.crud_flow {
1720            // Execute CRUD flow and extract values
1721            self.execute_crud_flow_with_extraction(&parser, spec_name).await
1722        } else {
1723            // Execute standard benchmark (no value extraction in non-CRUD mode)
1724            self.execute_standard_spec(&parser, spec_name).await?;
1725            Ok(ExtractedValues::new())
1726        }
1727    }
1728
1729    /// Execute CRUD flow with value extraction for sequential mode
1730    async fn execute_crud_flow_with_extraction(
1731        &self,
1732        parser: &SpecParser,
1733        spec_name: &str,
1734    ) -> Result<ExtractedValues> {
1735        let operations = parser.get_operations();
1736        let flows = CrudFlowDetector::detect_flows(&operations);
1737
1738        if flows.is_empty() {
1739            TerminalReporter::print_warning(&format!("No CRUD flows detected in {}", spec_name));
1740            return Ok(ExtractedValues::new());
1741        }
1742
1743        TerminalReporter::print_progress(&format!(
1744            "  {} CRUD flow(s) in {}",
1745            flows.len(),
1746            spec_name
1747        ));
1748
1749        // Generate and execute the CRUD flow script
1750        let mut handlebars = handlebars::Handlebars::new();
1751        // Register json helper for serializing arrays/objects in templates
1752        handlebars.register_helper(
1753            "json",
1754            Box::new(
1755                |h: &handlebars::Helper,
1756                 _: &handlebars::Handlebars,
1757                 _: &handlebars::Context,
1758                 _: &mut handlebars::RenderContext,
1759                 out: &mut dyn handlebars::Output|
1760                 -> handlebars::HelperResult {
1761                    let param = h.param(0).map(|v| v.value()).unwrap_or(&serde_json::Value::Null);
1762                    out.write(&serde_json::to_string(param).unwrap_or_else(|_| "[]".to_string()))?;
1763                    Ok(())
1764                },
1765            ),
1766        );
1767        let template = include_str!("templates/k6_crud_flow.hbs");
1768        let output_dir = self.output.join(format!("{}_results", spec_name.replace('.', "_")));
1769
1770        let custom_headers = self.parse_headers()?;
1771        let config = self.build_crud_flow_config().unwrap_or_default();
1772
1773        // Load parameter overrides if provided (for body configurations)
1774        let param_overrides = if let Some(params_file) = &self.params_file {
1775            let overrides = ParameterOverrides::from_file(params_file)?;
1776            Some(overrides)
1777        } else {
1778            None
1779        };
1780
1781        // Generate stages from scenario
1782        let duration_secs = Self::parse_duration(&self.duration)?;
1783        let scenario =
1784            LoadScenario::from_str(&self.scenario).map_err(BenchError::InvalidScenario)?;
1785        let stages = scenario.generate_stages(duration_secs, self.vus);
1786
1787        // Resolve base path (CLI option takes priority over spec's servers URL)
1788        let api_base_path = self.resolve_base_path(parser);
1789
1790        // Build headers JSON string for the template
1791        let mut all_headers = custom_headers.clone();
1792        if let Some(auth) = &self.auth {
1793            all_headers.insert("Authorization".to_string(), auth.clone());
1794        }
1795        let headers_json = serde_json::to_string(&all_headers).unwrap_or_else(|_| "{}".to_string());
1796
1797        // Track all dynamic placeholders across all operations
1798        let mut all_placeholders: HashSet<DynamicPlaceholder> = HashSet::new();
1799
1800        let flows_data: Vec<serde_json::Value> = flows.iter().map(|f| {
1801            // Use the metric-name sanitizer (caps at 112 chars + hash suffix)
1802            // so deeply nested flow names don't blow past k6's 128-char limit
1803            // when concatenated with `_step{i}_latency`. See issue #79.
1804            let sanitized_name = K6ScriptGenerator::sanitize_k6_metric_name(&f.name);
1805            serde_json::json!({
1806                "name": sanitized_name.clone(),
1807                "display_name": f.name,
1808                "base_path": f.base_path,
1809                "steps": f.steps.iter().enumerate().map(|(idx, s)| {
1810                    // Parse operation to get method and path
1811                    let parts: Vec<&str> = s.operation.splitn(2, ' ').collect();
1812                    let method_raw = if !parts.is_empty() {
1813                        parts[0].to_uppercase()
1814                    } else {
1815                        "GET".to_string()
1816                    };
1817                    let method = if !parts.is_empty() {
1818                        let m = parts[0].to_lowercase();
1819                        // k6 uses 'del' for DELETE
1820                        if m == "delete" { "del".to_string() } else { m }
1821                    } else {
1822                        "get".to_string()
1823                    };
1824                    let raw_path = if parts.len() >= 2 { parts[1] } else { "/" };
1825                    // Prepend API base path if configured
1826                    let path = if let Some(ref bp) = api_base_path {
1827                        format!("{}{}", bp, raw_path)
1828                    } else {
1829                        raw_path.to_string()
1830                    };
1831                    let is_get_or_head = method == "get" || method == "head";
1832                    // POST, PUT, PATCH typically have bodies
1833                    let has_body = matches!(method.as_str(), "post" | "put" | "patch");
1834
1835                    // Look up body from params file if available
1836                    let body_value = if has_body {
1837                        param_overrides.as_ref()
1838                            .map(|po| po.get_for_operation(None, &method_raw, raw_path))
1839                            .and_then(|oo| oo.body)
1840                            .unwrap_or_else(|| serde_json::json!({}))
1841                    } else {
1842                        serde_json::json!({})
1843                    };
1844
1845                    // Process body for dynamic placeholders like ${__VU}, ${__ITER}, etc.
1846                    let processed_body = DynamicParamProcessor::process_json_body(&body_value);
1847
1848                    // Also check for ${extracted.xxx} placeholders which need runtime substitution
1849                    let body_has_extracted_placeholders = processed_body.value.contains("${extracted.");
1850                    let body_is_dynamic = processed_body.is_dynamic || body_has_extracted_placeholders;
1851
1852                    serde_json::json!({
1853                        "operation": s.operation,
1854                        "method": method,
1855                        "path": path,
1856                        "extract": s.extract,
1857                        "use_values": s.use_values,
1858                        "use_body": s.use_body,
1859                        "merge_body": if s.merge_body.is_empty() { None } else { Some(&s.merge_body) },
1860                        "inject_attacks": s.inject_attacks,
1861                        "attack_types": s.attack_types,
1862                        "description": s.description,
1863                        "display_name": s.description.clone().unwrap_or_else(|| format!("Step {}", idx)),
1864                        "is_get_or_head": is_get_or_head,
1865                        "has_body": has_body,
1866                        "body": processed_body.value,
1867                        "body_is_dynamic": body_is_dynamic,
1868                        "_placeholders": processed_body.placeholders.iter().map(|p| format!("{:?}", p)).collect::<Vec<_>>(),
1869                    })
1870                }).collect::<Vec<_>>(),
1871            })
1872        }).collect();
1873
1874        // Collect all placeholders from all steps
1875        for flow_data in &flows_data {
1876            if let Some(steps) = flow_data.get("steps").and_then(|s| s.as_array()) {
1877                for step in steps {
1878                    if let Some(placeholders_arr) =
1879                        step.get("_placeholders").and_then(|p| p.as_array())
1880                    {
1881                        for p_str in placeholders_arr {
1882                            if let Some(p_name) = p_str.as_str() {
1883                                match p_name {
1884                                    "VU" => {
1885                                        all_placeholders.insert(DynamicPlaceholder::VU);
1886                                    }
1887                                    "Iteration" => {
1888                                        all_placeholders.insert(DynamicPlaceholder::Iteration);
1889                                    }
1890                                    "Timestamp" => {
1891                                        all_placeholders.insert(DynamicPlaceholder::Timestamp);
1892                                    }
1893                                    "UUID" => {
1894                                        all_placeholders.insert(DynamicPlaceholder::UUID);
1895                                    }
1896                                    "Random" => {
1897                                        all_placeholders.insert(DynamicPlaceholder::Random);
1898                                    }
1899                                    "Counter" => {
1900                                        all_placeholders.insert(DynamicPlaceholder::Counter);
1901                                    }
1902                                    "Date" => {
1903                                        all_placeholders.insert(DynamicPlaceholder::Date);
1904                                    }
1905                                    "VuIter" => {
1906                                        all_placeholders.insert(DynamicPlaceholder::VuIter);
1907                                    }
1908                                    _ => {}
1909                                }
1910                            }
1911                        }
1912                    }
1913                }
1914            }
1915        }
1916
1917        // Get required imports and globals based on placeholders used
1918        let required_imports = DynamicParamProcessor::get_required_imports(&all_placeholders);
1919        let required_globals = DynamicParamProcessor::get_required_globals(&all_placeholders);
1920
1921        // Check if security testing is enabled
1922        let security_testing_enabled = self.wafbench_dir.is_some() || self.security_test;
1923
1924        let data = serde_json::json!({
1925            "base_url": self.target,
1926            "flows": flows_data,
1927            "extract_fields": config.default_extract_fields,
1928            "duration_secs": duration_secs,
1929            "max_vus": self.vus,
1930            "auth_header": self.auth,
1931            "custom_headers": custom_headers,
1932            "skip_tls_verify": self.skip_tls_verify,
1933            // Add missing template fields
1934            "stages": stages.iter().map(|s| serde_json::json!({
1935                "duration": s.duration,
1936                "target": s.target,
1937            })).collect::<Vec<_>>(),
1938            "threshold_percentile": self.threshold_percentile,
1939            "threshold_ms": self.threshold_ms,
1940            "max_error_rate": self.max_error_rate,
1941            "headers": headers_json,
1942            "dynamic_imports": required_imports,
1943            "dynamic_globals": required_globals,
1944            "extracted_values_output_path": output_dir.join("extracted_values.json").to_string_lossy(),
1945            // Security testing settings
1946            "security_testing_enabled": security_testing_enabled,
1947            "has_custom_headers": !custom_headers.is_empty(),
1948        });
1949
1950        let mut script = handlebars
1951            .render_template(template, &data)
1952            .map_err(|e| BenchError::ScriptGenerationFailed(e.to_string()))?;
1953
1954        // Enhance script with security testing support if enabled
1955        if security_testing_enabled {
1956            script = self.generate_enhanced_script(&script)?;
1957        }
1958
1959        // Write and execute script
1960        let script_path =
1961            self.output.join(format!("k6-{}-crud-flow.js", spec_name.replace('.', "_")));
1962
1963        std::fs::create_dir_all(self.output.clone())?;
1964        std::fs::write(&script_path, &script)?;
1965
1966        if !self.generate_only {
1967            let executor = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
1968            std::fs::create_dir_all(&output_dir)?;
1969
1970            executor.execute(&script_path, Some(&output_dir), self.verbose).await?;
1971
1972            let extracted = Self::parse_extracted_values(&output_dir)?;
1973            TerminalReporter::print_progress(&format!(
1974                "  Extracted {} value(s) from {}",
1975                extracted.values.len(),
1976                spec_name
1977            ));
1978            return Ok(extracted);
1979        }
1980
1981        Ok(ExtractedValues::new())
1982    }
1983
1984    /// Execute standard (non-CRUD) spec benchmark
1985    async fn execute_standard_spec(&self, parser: &SpecParser, spec_name: &str) -> Result<()> {
1986        let mut operations = if let Some(filter) = &self.operations {
1987            parser.filter_operations(filter)?
1988        } else {
1989            parser.get_operations()
1990        };
1991
1992        if let Some(exclude) = &self.exclude_operations {
1993            operations = parser.exclude_operations(operations, exclude)?;
1994        }
1995
1996        if operations.is_empty() {
1997            TerminalReporter::print_warning(&format!("No operations found in {}", spec_name));
1998            return Ok(());
1999        }
2000
2001        TerminalReporter::print_progress(&format!(
2002            "  {} operations in {}",
2003            operations.len(),
2004            spec_name
2005        ));
2006
2007        // Generate request templates
2008        let templates: Vec<_> = operations
2009            .iter()
2010            .map(RequestGenerator::generate_template)
2011            .collect::<Result<Vec<_>>>()?;
2012
2013        // Parse headers
2014        let custom_headers = self.parse_headers()?;
2015
2016        // Resolve base path
2017        let base_path = self.resolve_base_path(parser);
2018
2019        // Generate k6 script
2020        let scenario =
2021            LoadScenario::from_str(&self.scenario).map_err(BenchError::InvalidScenario)?;
2022
2023        let security_testing_enabled = self.security_test || self.wafbench_dir.is_some();
2024
2025        let k6_config = K6Config {
2026            target_url: self.target.clone(),
2027            base_path,
2028            scenario,
2029            duration_secs: Self::parse_duration(&self.duration)?,
2030            max_vus: self.vus,
2031            threshold_percentile: self.threshold_percentile.clone(),
2032            threshold_ms: self.threshold_ms,
2033            max_error_rate: self.max_error_rate,
2034            auth_header: self.auth.clone(),
2035            custom_headers,
2036            skip_tls_verify: self.skip_tls_verify,
2037            security_testing_enabled,
2038            chunked_request_bodies: self.chunked_request_bodies,
2039            target_rps: self.target_rps,
2040            no_keep_alive: self.no_keep_alive,
2041            // Round 22.3 — see other K6Config site above.
2042            geo_source_ips: parse_ip_list(&self.geo_source_ips, "geo-source-ip")
2043                .into_iter()
2044                .map(|ip| ip.to_string())
2045                .collect(),
2046            geo_source_headers: if self.geo_source_headers.is_empty()
2047                && !self.geo_source_ips.is_empty()
2048            {
2049                crate::conformance::self_test::default_geo_source_headers()
2050            } else {
2051                self.geo_source_headers.clone()
2052            },
2053        };
2054
2055        let generator = K6ScriptGenerator::new(k6_config, templates);
2056        let mut script = generator.generate()?;
2057
2058        // Enhance script with advanced features (security testing, etc.)
2059        let has_advanced_features = self.data_file.is_some()
2060            || self.error_rate.is_some()
2061            || self.security_test
2062            || self.parallel_create.is_some()
2063            || self.wafbench_dir.is_some();
2064
2065        if has_advanced_features {
2066            script = self.generate_enhanced_script(&script)?;
2067        }
2068
2069        // Write and execute script
2070        let script_path = self.output.join(format!("k6-{}.js", spec_name.replace('.', "_")));
2071
2072        std::fs::create_dir_all(self.output.clone())?;
2073        std::fs::write(&script_path, &script)?;
2074
2075        if !self.generate_only {
2076            let executor = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
2077            let output_dir = self.output.join(format!("{}_results", spec_name.replace('.', "_")));
2078            std::fs::create_dir_all(&output_dir)?;
2079
2080            executor.execute(&script_path, Some(&output_dir), self.verbose).await?;
2081        }
2082
2083        Ok(())
2084    }
2085
2086    /// Execute CRUD flow testing mode
2087    async fn execute_crud_flow(&self, parser: &SpecParser) -> Result<()> {
2088        // Check if a custom flow config is provided
2089        let config = self.build_crud_flow_config().unwrap_or_default();
2090
2091        // Use flows from config if provided, otherwise auto-detect
2092        let flows = if !config.flows.is_empty() {
2093            TerminalReporter::print_progress("Using custom flow configuration...");
2094            config.flows.clone()
2095        } else {
2096            TerminalReporter::print_progress("Detecting CRUD operations...");
2097            let operations = parser.get_operations();
2098            CrudFlowDetector::detect_flows(&operations)
2099        };
2100
2101        if flows.is_empty() {
2102            return Err(BenchError::Other(
2103                "No CRUD flows detected in spec. Ensure spec has POST/GET/PUT/DELETE operations on related paths.".to_string(),
2104            ));
2105        }
2106
2107        if config.flows.is_empty() {
2108            TerminalReporter::print_success(&format!("Detected {} CRUD flow(s)", flows.len()));
2109        } else {
2110            TerminalReporter::print_success(&format!("Loaded {} custom flow(s)", flows.len()));
2111        }
2112
2113        for flow in &flows {
2114            TerminalReporter::print_progress(&format!(
2115                "  - {}: {} steps",
2116                flow.name,
2117                flow.steps.len()
2118            ));
2119        }
2120
2121        // Generate CRUD flow script
2122        let mut handlebars = handlebars::Handlebars::new();
2123        // Register json helper for serializing arrays/objects in templates
2124        handlebars.register_helper(
2125            "json",
2126            Box::new(
2127                |h: &handlebars::Helper,
2128                 _: &handlebars::Handlebars,
2129                 _: &handlebars::Context,
2130                 _: &mut handlebars::RenderContext,
2131                 out: &mut dyn handlebars::Output|
2132                 -> handlebars::HelperResult {
2133                    let param = h.param(0).map(|v| v.value()).unwrap_or(&serde_json::Value::Null);
2134                    out.write(&serde_json::to_string(param).unwrap_or_else(|_| "[]".to_string()))?;
2135                    Ok(())
2136                },
2137            ),
2138        );
2139        let template = include_str!("templates/k6_crud_flow.hbs");
2140
2141        let custom_headers = self.parse_headers()?;
2142
2143        // Load parameter overrides if provided (for body configurations)
2144        let param_overrides = if let Some(params_file) = &self.params_file {
2145            TerminalReporter::print_progress("Loading parameter overrides...");
2146            let overrides = ParameterOverrides::from_file(params_file)?;
2147            TerminalReporter::print_success(&format!(
2148                "Loaded parameter overrides ({} operation-specific, {} defaults)",
2149                overrides.operations.len(),
2150                if overrides.defaults.is_empty() { 0 } else { 1 }
2151            ));
2152            Some(overrides)
2153        } else {
2154            None
2155        };
2156
2157        // Generate stages from scenario
2158        let duration_secs = Self::parse_duration(&self.duration)?;
2159        let scenario =
2160            LoadScenario::from_str(&self.scenario).map_err(BenchError::InvalidScenario)?;
2161        let stages = scenario.generate_stages(duration_secs, self.vus);
2162
2163        // Resolve base path (CLI option takes priority over spec's servers URL)
2164        let api_base_path = self.resolve_base_path(parser);
2165        if let Some(ref bp) = api_base_path {
2166            TerminalReporter::print_progress(&format!("Using base path: {}", bp));
2167        }
2168
2169        // Build headers JSON string for the template
2170        let mut all_headers = custom_headers.clone();
2171        if let Some(auth) = &self.auth {
2172            all_headers.insert("Authorization".to_string(), auth.clone());
2173        }
2174        let headers_json = serde_json::to_string(&all_headers).unwrap_or_else(|_| "{}".to_string());
2175
2176        // Track all dynamic placeholders across all operations
2177        let mut all_placeholders: HashSet<DynamicPlaceholder> = HashSet::new();
2178
2179        let flows_data: Vec<serde_json::Value> = flows.iter().map(|f| {
2180            // Sanitize flow name for use as JavaScript variable and k6 metric names.
2181            // Use the metric-name sanitizer (caps at 112 chars + hash suffix) so
2182            // deeply nested flow names don't blow past k6's 128-char limit when
2183            // concatenated with `_step{i}_latency`. See issue #79.
2184            let sanitized_name = K6ScriptGenerator::sanitize_k6_metric_name(&f.name);
2185            serde_json::json!({
2186                "name": sanitized_name.clone(),  // Use sanitized name for variable names
2187                "display_name": f.name,          // Keep original for comments/display
2188                "base_path": f.base_path,
2189                "steps": f.steps.iter().enumerate().map(|(idx, s)| {
2190                    // Parse operation to get method and path
2191                    let parts: Vec<&str> = s.operation.splitn(2, ' ').collect();
2192                    let method_raw = if !parts.is_empty() {
2193                        parts[0].to_uppercase()
2194                    } else {
2195                        "GET".to_string()
2196                    };
2197                    let method = if !parts.is_empty() {
2198                        let m = parts[0].to_lowercase();
2199                        // k6 uses 'del' for DELETE
2200                        if m == "delete" { "del".to_string() } else { m }
2201                    } else {
2202                        "get".to_string()
2203                    };
2204                    let raw_path = if parts.len() >= 2 { parts[1] } else { "/" };
2205                    // Prepend API base path if configured
2206                    let path = if let Some(ref bp) = api_base_path {
2207                        format!("{}{}", bp, raw_path)
2208                    } else {
2209                        raw_path.to_string()
2210                    };
2211                    let is_get_or_head = method == "get" || method == "head";
2212                    // POST, PUT, PATCH typically have bodies
2213                    let has_body = matches!(method.as_str(), "post" | "put" | "patch");
2214
2215                    // Look up body from params file if available (use raw_path for matching)
2216                    let body_value = if has_body {
2217                        param_overrides.as_ref()
2218                            .map(|po| po.get_for_operation(None, &method_raw, raw_path))
2219                            .and_then(|oo| oo.body)
2220                            .unwrap_or_else(|| serde_json::json!({}))
2221                    } else {
2222                        serde_json::json!({})
2223                    };
2224
2225                    // Process body for dynamic placeholders like ${__VU}, ${__ITER}, etc.
2226                    let processed_body = DynamicParamProcessor::process_json_body(&body_value);
2227                    // Note: all_placeholders is captured by the closure but we can't mutate it directly
2228                    // We'll collect placeholders separately below
2229
2230                    // Also check for ${extracted.xxx} placeholders which need runtime substitution
2231                    let body_has_extracted_placeholders = processed_body.value.contains("${extracted.");
2232                    let body_is_dynamic = processed_body.is_dynamic || body_has_extracted_placeholders;
2233
2234                    serde_json::json!({
2235                        "operation": s.operation,
2236                        "method": method,
2237                        "path": path,
2238                        "extract": s.extract,
2239                        "use_values": s.use_values,
2240                        "use_body": s.use_body,
2241                        "merge_body": if s.merge_body.is_empty() { None } else { Some(&s.merge_body) },
2242                        "inject_attacks": s.inject_attacks,
2243                        "attack_types": s.attack_types,
2244                        "description": s.description,
2245                        "display_name": s.description.clone().unwrap_or_else(|| format!("Step {}", idx)),
2246                        "is_get_or_head": is_get_or_head,
2247                        "has_body": has_body,
2248                        "body": processed_body.value,
2249                        "body_is_dynamic": body_is_dynamic,
2250                        "_placeholders": processed_body.placeholders.iter().map(|p| format!("{:?}", p)).collect::<Vec<_>>(),
2251                    })
2252                }).collect::<Vec<_>>(),
2253            })
2254        }).collect();
2255
2256        // Collect all placeholders from all steps
2257        for flow_data in &flows_data {
2258            if let Some(steps) = flow_data.get("steps").and_then(|s| s.as_array()) {
2259                for step in steps {
2260                    if let Some(placeholders_arr) =
2261                        step.get("_placeholders").and_then(|p| p.as_array())
2262                    {
2263                        for p_str in placeholders_arr {
2264                            if let Some(p_name) = p_str.as_str() {
2265                                // Parse placeholder from debug string
2266                                match p_name {
2267                                    "VU" => {
2268                                        all_placeholders.insert(DynamicPlaceholder::VU);
2269                                    }
2270                                    "Iteration" => {
2271                                        all_placeholders.insert(DynamicPlaceholder::Iteration);
2272                                    }
2273                                    "Timestamp" => {
2274                                        all_placeholders.insert(DynamicPlaceholder::Timestamp);
2275                                    }
2276                                    "UUID" => {
2277                                        all_placeholders.insert(DynamicPlaceholder::UUID);
2278                                    }
2279                                    "Random" => {
2280                                        all_placeholders.insert(DynamicPlaceholder::Random);
2281                                    }
2282                                    "Counter" => {
2283                                        all_placeholders.insert(DynamicPlaceholder::Counter);
2284                                    }
2285                                    "Date" => {
2286                                        all_placeholders.insert(DynamicPlaceholder::Date);
2287                                    }
2288                                    "VuIter" => {
2289                                        all_placeholders.insert(DynamicPlaceholder::VuIter);
2290                                    }
2291                                    _ => {}
2292                                }
2293                            }
2294                        }
2295                    }
2296                }
2297            }
2298        }
2299
2300        // Get required imports and globals based on placeholders used
2301        let required_imports = DynamicParamProcessor::get_required_imports(&all_placeholders);
2302        let required_globals = DynamicParamProcessor::get_required_globals(&all_placeholders);
2303
2304        // Build invalid data config if error injection is enabled
2305        let invalid_data_config = self.build_invalid_data_config();
2306        let error_injection_enabled = invalid_data_config.is_some();
2307        let error_rate = self.error_rate.unwrap_or(0.0);
2308        let error_types: Vec<String> = invalid_data_config
2309            .as_ref()
2310            .map(|c| c.error_types.iter().map(|t| format!("{:?}", t)).collect())
2311            .unwrap_or_default();
2312
2313        if error_injection_enabled {
2314            TerminalReporter::print_progress(&format!(
2315                "Error injection enabled ({}% rate)",
2316                (error_rate * 100.0) as u32
2317            ));
2318        }
2319
2320        // Check if security testing is enabled
2321        let security_testing_enabled = self.wafbench_dir.is_some() || self.security_test;
2322
2323        let data = serde_json::json!({
2324            "base_url": self.target,
2325            "flows": flows_data,
2326            "extract_fields": config.default_extract_fields,
2327            "duration_secs": duration_secs,
2328            "max_vus": self.vus,
2329            "auth_header": self.auth,
2330            "custom_headers": custom_headers,
2331            "skip_tls_verify": self.skip_tls_verify,
2332            // Add missing template fields
2333            "stages": stages.iter().map(|s| serde_json::json!({
2334                "duration": s.duration,
2335                "target": s.target,
2336            })).collect::<Vec<_>>(),
2337            "threshold_percentile": self.threshold_percentile,
2338            "threshold_ms": self.threshold_ms,
2339            "max_error_rate": self.max_error_rate,
2340            "headers": headers_json,
2341            "dynamic_imports": required_imports,
2342            "dynamic_globals": required_globals,
2343            "extracted_values_output_path": self
2344                .output
2345                .join("crud_flow_extracted_values.json")
2346                .to_string_lossy(),
2347            // Error injection settings
2348            "error_injection_enabled": error_injection_enabled,
2349            "error_rate": error_rate,
2350            "error_types": error_types,
2351            // Security testing settings
2352            "security_testing_enabled": security_testing_enabled,
2353            "has_custom_headers": !custom_headers.is_empty(),
2354        });
2355
2356        let mut script = handlebars
2357            .render_template(template, &data)
2358            .map_err(|e| BenchError::ScriptGenerationFailed(e.to_string()))?;
2359
2360        // Enhance script with security testing support if enabled
2361        if security_testing_enabled {
2362            script = self.generate_enhanced_script(&script)?;
2363        }
2364
2365        // Validate the generated CRUD flow script
2366        TerminalReporter::print_progress("Validating CRUD flow script...");
2367        let validation_errors = K6ScriptGenerator::validate_script(&script);
2368        if !validation_errors.is_empty() {
2369            TerminalReporter::print_error("CRUD flow script validation failed");
2370            for error in &validation_errors {
2371                eprintln!("  {}", error);
2372            }
2373            return Err(BenchError::Other(format!(
2374                "CRUD flow script validation failed with {} error(s)",
2375                validation_errors.len()
2376            )));
2377        }
2378
2379        TerminalReporter::print_success("CRUD flow script generated");
2380
2381        // Write and execute script
2382        let script_path = if let Some(output) = &self.script_output {
2383            output.clone()
2384        } else {
2385            self.output.join("k6-crud-flow-script.js")
2386        };
2387
2388        if let Some(parent) = script_path.parent() {
2389            std::fs::create_dir_all(parent)?;
2390        }
2391        std::fs::write(&script_path, &script)?;
2392        TerminalReporter::print_success(&format!("Script written to: {}", script_path.display()));
2393
2394        if self.generate_only {
2395            println!("\nScript generated successfully. Run it with:");
2396            println!("  k6 run {}", script_path.display());
2397            return Ok(());
2398        }
2399
2400        // Execute k6
2401        TerminalReporter::print_progress("Executing CRUD flow test...");
2402        let executor = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
2403        std::fs::create_dir_all(&self.output)?;
2404
2405        let results = executor.execute(&script_path, Some(&self.output), self.verbose).await?;
2406
2407        let duration_secs = Self::parse_duration(&self.duration)?;
2408        TerminalReporter::print_summary_with_mode(&results, duration_secs, self.no_keep_alive);
2409
2410        Ok(())
2411    }
2412
2413    /// Execute OpenAPI 3.0.0 conformance testing mode
2414    async fn execute_conformance_test(&self) -> Result<()> {
2415        use crate::conformance::generator::{ConformanceConfig, ConformanceGenerator};
2416        use crate::conformance::report::ConformanceReport;
2417        use crate::conformance::spec::ConformanceFeature;
2418
2419        TerminalReporter::print_progress("OpenAPI 3.0.0 Conformance Testing Mode");
2420
2421        // Conformance testing is a functional correctness check (1 VU, 1 iteration).
2422        // --vus and -d flags are always ignored in this mode.
2423        TerminalReporter::print_progress(
2424            "Conformance mode runs 1 VU, 1 iteration per endpoint (--vus and -d are ignored)",
2425        );
2426
2427        // Parse category filter
2428        let categories = self.conformance_categories.as_ref().map(|cats_str| {
2429            cats_str
2430                .split(',')
2431                .filter_map(|s| {
2432                    let trimmed = s.trim();
2433                    if let Some(canonical) = ConformanceFeature::category_from_cli_name(trimmed) {
2434                        Some(canonical.to_string())
2435                    } else {
2436                        TerminalReporter::print_warning(&format!(
2437                            "Unknown conformance category: '{}'. Valid categories: {}",
2438                            trimmed,
2439                            ConformanceFeature::cli_category_names()
2440                                .iter()
2441                                .map(|(cli, _)| *cli)
2442                                .collect::<Vec<_>>()
2443                                .join(", ")
2444                        ));
2445                        None
2446                    }
2447                })
2448                .collect::<Vec<String>>()
2449        });
2450
2451        // Parse custom headers from "Key: Value" format
2452        let custom_headers: Vec<(String, String)> = self
2453            .conformance_headers
2454            .iter()
2455            .filter_map(|h| {
2456                let (name, value) = h.split_once(':')?;
2457                Some((name.trim().to_string(), value.trim().to_string()))
2458            })
2459            .collect();
2460
2461        if !custom_headers.is_empty() {
2462            TerminalReporter::print_progress(&format!(
2463                "Using {} custom header(s) for authentication",
2464                custom_headers.len()
2465            ));
2466        }
2467
2468        if self.conformance_delay_ms > 0 {
2469            TerminalReporter::print_progress(&format!(
2470                "Using {}ms delay between conformance requests",
2471                self.conformance_delay_ms
2472            ));
2473        }
2474
2475        // Ensure output dir exists so canonicalize works for the report path
2476        std::fs::create_dir_all(&self.output)?;
2477
2478        let config = ConformanceConfig {
2479            target_url: self.target.clone(),
2480            api_key: self.conformance_api_key.clone(),
2481            basic_auth: self.conformance_basic_auth.clone(),
2482            skip_tls_verify: self.skip_tls_verify,
2483            categories,
2484            base_path: self.base_path.clone(),
2485            custom_headers,
2486            output_dir: Some(self.output.clone()),
2487            all_operations: self.conformance_all_operations,
2488            custom_checks_file: self.conformance_custom.clone(),
2489            request_delay_ms: self.conformance_delay_ms,
2490            custom_filter: self.conformance_custom_filter.clone(),
2491            export_requests: self.export_requests,
2492            validate_requests: self.validate_requests,
2493        };
2494
2495        // Branch: spec-driven mode vs reference mode
2496        // Annotate operations if spec is provided (used by both native and k6 paths)
2497        // Round 18.1 — resolve the spec's base path so the self-test
2498        // path can prepend it to every URL. Pre-fix, self-test
2499        // ignored `--base-path /api` and hit the bare spec path,
2500        // returning 404 for every request on specs whose server is
2501        // proxied behind a base prefix.
2502        let mut resolved_base_path: Option<String> = None;
2503        let annotated_ops = if !self.spec.is_empty() {
2504            TerminalReporter::print_progress("Spec-driven conformance mode: analyzing spec...");
2505            let parser = SpecParser::from_file(&self.spec[0]).await?;
2506            resolved_base_path = self.resolve_base_path(&parser);
2507
2508            // Issue #79 round 12 — Srikanth ran `--conformance --operations "GET,POST"`
2509            // and saw DELETE/PATCH exercised anyway. Conformance silently ignored
2510            // the filter. Apply it (and `--exclude-operations`) the same way the
2511            // regular bench path does so users can scope the run.
2512            let mut operations = if let Some(filter) = &self.operations {
2513                parser.filter_operations(filter)?
2514            } else {
2515                parser.get_operations()
2516            };
2517            if let Some(exclude) = &self.exclude_operations {
2518                let before_count = operations.len();
2519                operations = parser.exclude_operations(operations, exclude)?;
2520                let excluded_count = before_count - operations.len();
2521                if excluded_count > 0 {
2522                    TerminalReporter::print_progress(&format!(
2523                        "Excluded {} operations matching '{}'",
2524                        excluded_count, exclude
2525                    ));
2526                }
2527            }
2528
2529            let annotated =
2530                crate::conformance::spec_driven::SpecDrivenConformanceGenerator::annotate_operations(
2531                    &operations,
2532                    parser.spec(),
2533                );
2534            TerminalReporter::print_success(&format!(
2535                "Analyzed {} operations, found {} feature annotations",
2536                operations.len(),
2537                annotated.iter().map(|a| a.features.len()).sum::<usize>()
2538            ));
2539            Some(annotated)
2540        } else {
2541            None
2542        };
2543
2544        // Issue #79 round 13 (4) — `--conformance-self-test` replaces
2545        // the standard conformance run with a positive + per-category
2546        // negative driver that verifies the server actually rejects
2547        // bad requests with 4xx. Wires the spec-annotated operations
2548        // through `conformance::self_test::run_self_test` and prints
2549        // the resulting pass/fail matrix.
2550        if self.conformance_self_test {
2551            let Some(ops) = annotated_ops else {
2552                TerminalReporter::print_error(
2553                    "--conformance-self-test requires --spec; no operations to test",
2554                );
2555                return Ok(());
2556            };
2557            let cfg = crate::conformance::self_test::SelfTestConfig {
2558                target_url: self.target.clone(),
2559                skip_tls_verify: self.skip_tls_verify,
2560                timeout: std::time::Duration::from_secs(30),
2561                // `custom_headers` was already moved into the
2562                // `ConformanceConfig` above; re-derive from `self` so
2563                // we don't borrow it twice.
2564                extra_headers: self
2565                    .conformance_headers
2566                    .iter()
2567                    .filter_map(|h| {
2568                        let (n, v) = h.split_once(':')?;
2569                        Some((n.trim().to_string(), v.trim().to_string()))
2570                    })
2571                    .collect(),
2572                delay_between_requests: std::time::Duration::from_millis(self.conformance_delay_ms),
2573                // Round 18.1 — honour `--base-path` (or the spec's
2574                // own first server prefix) so a deployment served
2575                // under a path-prefix doesn't 404 every positive.
2576                base_path: resolved_base_path.clone(),
2577                // Round 18.5 — GEODB multi-source-IP. Parse CLI IP
2578                // lists (malformed entries log a warning and are
2579                // dropped). Empty lists keep pre-18.5 behaviour.
2580                source_ips: parse_ip_list(&self.source_ips, "source-ip"),
2581                geo_source_ips: parse_ip_list(&self.geo_source_ips, "geo-source-ip"),
2582                geo_source_headers: if self.geo_source_headers.is_empty() {
2583                    crate::conformance::self_test::default_geo_source_headers()
2584                } else {
2585                    self.geo_source_headers.clone()
2586                },
2587                // Round 23 (c-iii) — opt-in request/response capture.
2588                // Constructed here so the sink Arc outlives the run and
2589                // we can drain it for the JSONL write below.
2590                capture: if self.conformance_self_test_capture || self.validate_response_schemas {
2591                    // Schema validation reads the captured response
2592                    // body, so opt the user into capture implicitly
2593                    // when they ask for validation. The on-disk
2594                    // JSONL/HTML files only get written if the user
2595                    // also passed `--conformance-self-test-capture`.
2596                    Some(std::sync::Arc::new(std::sync::Mutex::new(Vec::new())))
2597                } else {
2598                    None
2599                },
2600                validate_response_schemas: self.validate_response_schemas,
2601                // Round 33 (#823) — basename of the spec, stamped on
2602                // every capture entry so the per-endpoint summary can
2603                // attribute rows back to the right spec on multi-spec
2604                // runs. Falls back to the full path string if the
2605                // basename can't be derived.
2606                spec_label: self.spec.first().map(|p| {
2607                    p.file_name()
2608                        .map(|s| s.to_string_lossy().into_owned())
2609                        .unwrap_or_else(|| p.to_string_lossy().into_owned())
2610                }),
2611                // Round 47 (#79) — always allocate the network-events
2612                // sink for self-test so the file is always written
2613                // (empty array when nothing failed — the cleanest
2614                // possible signal that connectivity stayed up). Caller
2615                // pays one Arc clone per probe, which is in the noise
2616                // next to the HTTP round-trip.
2617                network_events: Some(std::sync::Arc::new(std::sync::Mutex::new(Vec::new()))),
2618            };
2619            let capture_sink = cfg.capture.clone();
2620            let network_events_sink = cfg.network_events.clone();
2621            TerminalReporter::print_progress(&format!(
2622                "Self-test mode: driving {} operations with positive + per-category negative cases",
2623                ops.len()
2624            ));
2625            // Round 47 (#79) — repeat the matrix per --conformance-
2626            // self-test-iterations / --conformance-self-test-duration.
2627            // Duration wins when both are set; iterations becomes the
2628            // floor so the matrix always runs at least the configured
2629            // number of times. Reports from each iteration are merged
2630            // by the per-category counter sum on the report itself.
2631            let target_iterations = self.conformance_self_test_iterations.max(1);
2632            let duration_budget = self
2633                .conformance_self_test_duration
2634                .as_ref()
2635                .map(|s| Self::parse_duration(s))
2636                .transpose()?
2637                .map(std::time::Duration::from_secs);
2638            let start = std::time::Instant::now();
2639            let mut report = crate::conformance::self_test::run_self_test(&ops, &cfg)
2640                .await
2641                .map_err(|e| BenchError::Other(format!("self-test client error: {e}")))?;
2642            let mut iter_done: u32 = 1;
2643            loop {
2644                let by_iter = iter_done >= target_iterations;
2645                let by_dur = duration_budget.map(|d| start.elapsed() >= d).unwrap_or(true);
2646                if by_iter && by_dur {
2647                    break;
2648                }
2649                let next = crate::conformance::self_test::run_self_test(&ops, &cfg)
2650                    .await
2651                    .map_err(|e| BenchError::Other(format!("self-test client error: {e}")))?;
2652                report.merge_iteration(next);
2653                iter_done = iter_done.saturating_add(1);
2654            }
2655            if iter_done > 1 {
2656                TerminalReporter::print_progress(&format!(
2657                    "Self-test repeated {} iteration(s) ({:.1?} elapsed)",
2658                    iter_done,
2659                    start.elapsed(),
2660                ));
2661            }
2662            // Round 23 (c-iii) — drain the capture sink into a JSONL
2663            // file next to the JSON/HTML report. One CaseCapture per
2664            // line so the file is grep-able / streamable. Round 24
2665            // (d) — also emit a self-contained HTML viewer at
2666            // `conformance-self-test-requests.html` for users who
2667            // want to browse the capture without piping through `jq`.
2668            // Round 32 (#79 / Srikanth) — derive the per-endpoint
2669            // traffic summary from the same in-memory capture sink so
2670            // we don't re-parse the JSONL from disk later.
2671            let per_endpoint_summary: Vec<
2672                crate::conformance::per_endpoint_summary::PerEndpointSummary,
2673            >;
2674            if let Some(sink) = capture_sink {
2675                if let Ok(guard) = sink.lock() {
2676                    let jsonl_path = self.output.join("conformance-self-test-requests.jsonl");
2677                    let mut lines = String::with_capacity(guard.len() * 256);
2678                    for entry in guard.iter() {
2679                        if let Ok(line) = serde_json::to_string(entry) {
2680                            lines.push_str(&line);
2681                            lines.push('\n');
2682                        }
2683                    }
2684                    let _ = std::fs::write(&jsonl_path, lines);
2685                    let html_path = self.output.join("conformance-self-test-requests.html");
2686                    let html =
2687                        crate::conformance::capture_html::render_capture_html(guard.as_slice());
2688                    let _ = std::fs::write(&html_path, html);
2689
2690                    // Round 32 — per-endpoint summary derived once from
2691                    // the same slice. Written as a JSON sidecar for
2692                    // automation and spliced into the HTML report below.
2693                    per_endpoint_summary =
2694                        crate::conformance::per_endpoint_summary::build_summary(guard.as_slice());
2695                    let summary_path = self.output.join("conformance-per-endpoint.json");
2696                    if let Ok(json) = serde_json::to_string_pretty(&per_endpoint_summary) {
2697                        let _ = std::fs::write(&summary_path, json);
2698                        TerminalReporter::print_progress(&format!(
2699                            "Self-test request/response capture written to {} ({} entries) + {} + {}",
2700                            jsonl_path.display(),
2701                            guard.len(),
2702                            html_path.display(),
2703                            summary_path.display(),
2704                        ));
2705                    } else {
2706                        TerminalReporter::print_progress(&format!(
2707                            "Self-test request/response capture written to {} ({} entries) + {}",
2708                            jsonl_path.display(),
2709                            guard.len(),
2710                            html_path.display(),
2711                        ));
2712                    }
2713                } else {
2714                    per_endpoint_summary = Vec::new();
2715                }
2716            } else {
2717                per_endpoint_summary = Vec::new();
2718            }
2719            TerminalReporter::print_progress(&report.render_summary());
2720            // Round 47 (#79) — drain the self-test wire-level
2721            // network-events sink into `conformance-network-events.json`
2722            // so the user has the same grep-able file the native
2723            // executor's r46 path produces. Empty array when nothing
2724            // failed (the cleanest signal that connectivity stayed up
2725            // throughout the run).
2726            if let Some(sink) = network_events_sink {
2727                if let Ok(guard) = sink.lock() {
2728                    let path = self.output.join("conformance-network-events.json");
2729                    if let Ok(json) = serde_json::to_string_pretty(&*guard) {
2730                        let _ = std::fs::write(&path, json);
2731                        if guard.is_empty() {
2732                            TerminalReporter::print_progress(
2733                                "No wire-level network failures during self-test (file written empty)",
2734                            );
2735                        } else {
2736                            TerminalReporter::print_warning(&format!(
2737                                "Recorded {} wire-level network event(s) to {}",
2738                                guard.len(),
2739                                path.display()
2740                            ));
2741                        }
2742                    }
2743                }
2744            }
2745            // Persist the JSON report alongside the regular conformance
2746            // report so it's grep-able next to the buffer dump from the
2747            // admin endpoint.
2748            let json_path = self.output.join("conformance-self-test.json");
2749            if let Ok(json) = serde_json::to_string_pretty(&report) {
2750                let _ = std::fs::write(&json_path, json);
2751                TerminalReporter::print_progress(&format!(
2752                    "Self-test report written to {}",
2753                    json_path.display()
2754                ));
2755            }
2756            // Round 18.1 — surface the "every positive failed with
2757            // the same status" case loudly. Without this, a user
2758            // who forgot `--base-path /api` saw 404 for every
2759            // request, but the per-category negative rollup looked
2760            // all-green (because 404 is in the 4xx range the
2761            // negatives expect). Now the run is correctly called
2762            // out as misconfigured before showing the (meaningless)
2763            // negative results.
2764            if let Some(status) = report.detect_target_misconfiguration() {
2765                let hint = match status {
2766                    404 => " Likely cause: spec paths don't match deployed routes — check --base-path and the spec's `servers` block.",
2767                    401 | 403 => " Likely cause: authentication header is missing or invalid — check --conformance-header.",
2768                    _ => "",
2769                };
2770                TerminalReporter::print_warning(&format!(
2771                    "Self-test misconfiguration: every positive case returned {status}.{hint} Negative results below are meaningless under this condition."
2772                ));
2773            } else if !report.all_passed() {
2774                TerminalReporter::print_warning(
2775                    "Self-test detected gaps — server let through at least one request that should have been a 4xx",
2776                );
2777            } else {
2778                TerminalReporter::print_success(
2779                    "Self-test passed — all positive cases accepted and all negative cases rejected",
2780                );
2781            }
2782            // Round 17.6 — emit a self-contained HTML report alongside
2783            // the JSON. Groups by category and surfaces the missed-
2784            // negative list directly so a user doesn't need to grep
2785            // through the JSON to find which routes failed which
2786            // checks. Optionally folds in a round-17.4 spec audit
2787            // report if one exists in the same output directory.
2788            let html_path = self.output.join("conformance-report.html");
2789            let audit_path = self.output.join("conformance-spec-audit.json");
2790            let audit_value = std::fs::read_to_string(&audit_path)
2791                .ok()
2792                .and_then(|s| serde_json::from_str::<serde_json::Value>(&s).ok());
2793            // Round 21.1 — `--report-missed-cap N` lets the user
2794            // override the default 200-row HTML drill-down cap.
2795            // `--report-missed-cap 0` maps to `None` (no cap; show
2796            // everything). The JSON report always has the full set.
2797            let render_opts = crate::conformance::report_html::RenderOptions {
2798                missed_cap: match self.report_missed_cap {
2799                    Some(0) => None,
2800                    Some(n) => Some(n as usize),
2801                    None => Some(200),
2802                },
2803            };
2804            let mut html = crate::conformance::report_html::render_html_with_options(
2805                &report,
2806                audit_value.as_ref(),
2807                &render_opts,
2808            );
2809            // Round 32 (#79 / Srikanth) — splice the per-endpoint
2810            // summary just before the closing `</body>` so it lands at
2811            // the bottom of the report. Empty summary renders as an
2812            // empty string so we don't even introduce an extra newline
2813            // when there were no captures.
2814            let summary_section = crate::conformance::per_endpoint_summary::render_html_section(
2815                &per_endpoint_summary,
2816            );
2817            if !summary_section.is_empty() {
2818                if let Some(idx) = html.rfind("</body>") {
2819                    html.insert_str(idx, &summary_section);
2820                } else {
2821                    html.push_str(&summary_section);
2822                }
2823            }
2824            if std::fs::write(&html_path, html).is_ok() {
2825                TerminalReporter::print_progress(&format!(
2826                    "HTML report written to {}",
2827                    html_path.display()
2828                ));
2829            }
2830            return Ok(());
2831        }
2832
2833        // Request validation against OpenAPI spec (if --validate-requests is set)
2834        if self.validate_requests && !self.spec.is_empty() {
2835            TerminalReporter::print_progress("Validating requests against OpenAPI spec...");
2836            let violation_count = crate::conformance::request_validator::run_request_validation(
2837                &self.spec,
2838                self.conformance_custom.as_deref(),
2839                self.base_path.as_deref(),
2840                &self.output,
2841            )
2842            .await?;
2843            if violation_count > 0 {
2844                TerminalReporter::print_warning(&format!(
2845                    "{} request validation violation(s) found — see conformance-request-violations.json",
2846                    violation_count
2847                ));
2848            } else {
2849                TerminalReporter::print_success("All requests conform to the OpenAPI spec");
2850            }
2851        }
2852
2853        // If generate-only OR --use-k6, use the k6 script generation path
2854        if self.generate_only || self.use_k6 {
2855            let script = if let Some(annotated) = &annotated_ops {
2856                let gen = crate::conformance::spec_driven::SpecDrivenConformanceGenerator::new(
2857                    config,
2858                    annotated.clone(),
2859                );
2860                let op_count = gen.operation_count();
2861                let (script, check_count) = gen.generate()?;
2862                TerminalReporter::print_success(&format!(
2863                    "Conformance: {} operations analyzed, {} unique checks generated",
2864                    op_count, check_count
2865                ));
2866                script
2867            } else {
2868                let generator = ConformanceGenerator::new(config);
2869                generator.generate()?
2870            };
2871
2872            let script_path = self.output.join("k6-conformance.js");
2873            std::fs::write(&script_path, &script).map_err(|e| {
2874                BenchError::Other(format!("Failed to write conformance script: {}", e))
2875            })?;
2876            TerminalReporter::print_success(&format!(
2877                "Conformance script generated: {}",
2878                script_path.display()
2879            ));
2880
2881            if self.generate_only {
2882                println!("\nScript generated. Run with:");
2883                println!("  k6 run {}", script_path.display());
2884                return Ok(());
2885            }
2886
2887            // --use-k6: execute via k6
2888            if !K6Executor::is_k6_installed() {
2889                TerminalReporter::print_error("k6 is not installed");
2890                TerminalReporter::print_warning(
2891                    "Install k6 from: https://k6.io/docs/get-started/installation/",
2892                );
2893                return Err(BenchError::K6NotFound);
2894            }
2895
2896            TerminalReporter::print_progress("Running conformance tests via k6...");
2897            let executor = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
2898            executor.execute(&script_path, Some(&self.output), self.verbose).await?;
2899
2900            let report_path = self.output.join("conformance-report.json");
2901            if report_path.exists() {
2902                let report = ConformanceReport::from_file(&report_path)?;
2903                report.print_report_with_options(self.conformance_all_operations);
2904                self.save_conformance_report(&report, &report_path)?;
2905            } else {
2906                TerminalReporter::print_warning(
2907                    "Conformance report not generated (k6 handleSummary may not have run)",
2908                );
2909            }
2910
2911            // Round 44 (#79) — Srikanth on 0.3.188: "Any reason why
2912            // validate-requests in mockforge client are not catching
2913            // all this query param or body params or path params
2914            // violation issues and record in conformance-request-
2915            // failure logs?" The custom-YAML validator only checks
2916            // the YAML shape at config time. Now, when both
2917            // `--validate-requests` and `--export-requests` are set,
2918            // also walk the emitted `conformance-requests.json` and
2919            // validate each actual wire-level request against the
2920            // spec. Violations are appended to
2921            // `conformance-request-violations.json`.
2922            if self.validate_requests && self.export_requests && !self.spec.is_empty() {
2923                let n = crate::conformance::request_validator::validate_emitted_requests_with_base_path(
2924                    &self.spec,
2925                    &self.output,
2926                    self.base_path.as_deref(),
2927                )
2928                .await?;
2929                if n > 0 {
2930                    TerminalReporter::print_warning(&format!(
2931                        "{} emitted request(s) violated the spec — see conformance-request-violations.json",
2932                        n
2933                    ));
2934                }
2935            }
2936
2937            return Ok(());
2938        }
2939
2940        // Default: Native Rust executor (no k6 dependency)
2941        TerminalReporter::print_progress("Running conformance tests (native executor)...");
2942
2943        let mut executor = crate::conformance::executor::NativeConformanceExecutor::new(config)?;
2944
2945        // Round 39 (#79) — when the user passed `--conformance-custom`
2946        // WITHOUT `--spec` and without `--conformance-self-test`, fire
2947        // only the YAML's checks. The built-in 47 reference checks
2948        // (`param:path:string`, etc.) hit `/conformance/...` paths that
2949        // do not exist on a real target, so a custom-only run against
2950        // a remote API produced a flood of irrelevant 404s in the
2951        // request log. Srikanth on 0.3.183: "In the exported request I
2952        // see it is sending request to api/conformance/params/hello
2953        // and some other URLs".
2954        let custom_only = annotated_ops.is_none() && self.conformance_custom.is_some();
2955        executor = if let Some(annotated) = &annotated_ops {
2956            executor.with_spec_driven_checks(annotated)
2957        } else if custom_only {
2958            executor
2959        } else {
2960            executor.with_reference_checks()
2961        };
2962        executor = executor.with_custom_checks()?;
2963
2964        TerminalReporter::print_success(&format!(
2965            "Executing {} conformance checks...",
2966            executor.check_count()
2967        ));
2968
2969        let report = executor.execute().await?;
2970        report.print_report_with_options(self.conformance_all_operations);
2971
2972        // Save failure details to a separate file for easy debugging
2973        let failure_details = report.failure_details();
2974        if !failure_details.is_empty() {
2975            let details_path = self.output.join("conformance-failure-details.json");
2976            if let Ok(json) = serde_json::to_string_pretty(&failure_details) {
2977                let _ = std::fs::write(&details_path, json);
2978                TerminalReporter::print_success(&format!(
2979                    "Failure details saved to: {}",
2980                    details_path.display()
2981                ));
2982            }
2983        }
2984
2985        // Save report
2986        let report_path = self.output.join("conformance-report.json");
2987        let report_json = serde_json::to_string_pretty(&report.to_json())
2988            .map_err(|e| BenchError::Other(format!("Failed to serialize report: {}", e)))?;
2989        std::fs::write(&report_path, &report_json)
2990            .map_err(|e| BenchError::Other(format!("Failed to write report: {}", e)))?;
2991        TerminalReporter::print_success(&format!("Report saved to: {}", report_path.display()));
2992
2993        self.save_conformance_report(&report, &report_path)?;
2994
2995        // Round 45 (#79) — Srikanth on 0.3.189: "I am still not seeing
2996        // any conformance failure logs or conformance-request logs are
2997        // also not capturing any failures info." His command does NOT
2998        // pass `--use-k6`, so the round-44 wiring (which only ran on
2999        // the k6 branch) never fired. Mirror the same retrospective
3000        // pass here: when both `--validate-requests` and
3001        // `--export-requests` are set, walk the native executor's
3002        // freshly-written `conformance-requests.json` and validate
3003        // each emitted request against the spec. Violations are
3004        // appended to `conformance-request-violations.json`.
3005        if self.validate_requests && self.export_requests && !self.spec.is_empty() {
3006            let n =
3007                crate::conformance::request_validator::validate_emitted_requests_with_base_path(
3008                    &self.spec,
3009                    &self.output,
3010                    self.base_path.as_deref(),
3011                )
3012                .await?;
3013            if n > 0 {
3014                TerminalReporter::print_warning(&format!(
3015                    "{} emitted request(s) violated the spec — see conformance-request-violations.json",
3016                    n
3017                ));
3018            }
3019        }
3020
3021        Ok(())
3022    }
3023
3024    /// Save conformance report in the requested format (SARIF or JSON copy)
3025    fn save_conformance_report(
3026        &self,
3027        report: &crate::conformance::report::ConformanceReport,
3028        report_path: &Path,
3029    ) -> Result<()> {
3030        if self.conformance_report_format == "sarif" {
3031            use crate::conformance::sarif::ConformanceSarifReport;
3032            ConformanceSarifReport::write(report, &self.target, &self.conformance_report)?;
3033            TerminalReporter::print_success(&format!(
3034                "SARIF report saved to: {}",
3035                self.conformance_report.display()
3036            ));
3037        } else if self.conformance_report != *report_path {
3038            std::fs::copy(report_path, &self.conformance_report)?;
3039            TerminalReporter::print_success(&format!(
3040                "Report saved to: {}",
3041                self.conformance_report.display()
3042            ));
3043        }
3044        Ok(())
3045    }
3046
3047    /// Execute conformance tests against multiple targets from a targets file.
3048    ///
3049    /// Uses the native `NativeConformanceExecutor` (no k6 dependency). Targets are
3050    /// tested sequentially to avoid overwhelming them, and per-target headers from
3051    /// the targets file are merged with the base `--conformance-header` headers.
3052    async fn execute_multi_target_conformance(&self, targets_file: &Path) -> Result<()> {
3053        use crate::conformance::generator::{ConformanceConfig, ConformanceGenerator};
3054        use crate::conformance::report::ConformanceReport;
3055        use crate::conformance::spec::ConformanceFeature;
3056
3057        TerminalReporter::print_progress("Multi-target OpenAPI 3.0.0 Conformance Testing Mode");
3058
3059        // Parse targets file
3060        TerminalReporter::print_progress("Parsing targets file...");
3061        let targets = parse_targets_file(targets_file)?;
3062        let num_targets = targets.len();
3063        TerminalReporter::print_success(&format!("Loaded {} targets", num_targets));
3064
3065        if targets.is_empty() {
3066            return Err(BenchError::Other("No targets found in file".to_string()));
3067        }
3068
3069        TerminalReporter::print_progress(
3070            "Conformance mode runs 1 VU, 1 iteration per endpoint (--vus and -d are ignored)",
3071        );
3072
3073        // Parse category filter (shared across all targets)
3074        let categories = self.conformance_categories.as_ref().map(|cats_str| {
3075            cats_str
3076                .split(',')
3077                .filter_map(|s| {
3078                    let trimmed = s.trim();
3079                    if let Some(canonical) = ConformanceFeature::category_from_cli_name(trimmed) {
3080                        Some(canonical.to_string())
3081                    } else {
3082                        TerminalReporter::print_warning(&format!(
3083                            "Unknown conformance category: '{}'. Valid categories: {}",
3084                            trimmed,
3085                            ConformanceFeature::cli_category_names()
3086                                .iter()
3087                                .map(|(cli, _)| *cli)
3088                                .collect::<Vec<_>>()
3089                                .join(", ")
3090                        ));
3091                        None
3092                    }
3093                })
3094                .collect::<Vec<String>>()
3095        });
3096
3097        // Parse base custom headers from --conformance-header flags
3098        let base_custom_headers: Vec<(String, String)> = self
3099            .conformance_headers
3100            .iter()
3101            .filter_map(|h| {
3102                let (name, value) = h.split_once(':')?;
3103                Some((name.trim().to_string(), value.trim().to_string()))
3104            })
3105            .collect();
3106
3107        if !base_custom_headers.is_empty() {
3108            TerminalReporter::print_progress(&format!(
3109                "Using {} base custom header(s) for authentication",
3110                base_custom_headers.len()
3111            ));
3112        }
3113
3114        // Load spec once if provided (shared across all targets)
3115        let annotated_ops = if !self.spec.is_empty() {
3116            TerminalReporter::print_progress("Spec-driven conformance mode: analyzing spec...");
3117            let parser = SpecParser::from_file(&self.spec[0]).await?;
3118            let operations = parser.get_operations();
3119            let annotated =
3120                crate::conformance::spec_driven::SpecDrivenConformanceGenerator::annotate_operations(
3121                    &operations,
3122                    parser.spec(),
3123                );
3124            TerminalReporter::print_success(&format!(
3125                "Analyzed {} operations, found {} feature annotations",
3126                operations.len(),
3127                annotated.iter().map(|a| a.features.len()).sum::<usize>()
3128            ));
3129            Some(annotated)
3130        } else {
3131            None
3132        };
3133
3134        // Ensure output dir exists
3135        std::fs::create_dir_all(&self.output)?;
3136
3137        // Collect per-target results for the summary
3138        struct TargetResult {
3139            url: String,
3140            passed: usize,
3141            failed: usize,
3142            elapsed: std::time::Duration,
3143            report_json: serde_json::Value,
3144            owasp_coverage: Vec<crate::conformance::report::OwaspCoverageEntry>,
3145        }
3146
3147        let mut target_results: Vec<TargetResult> = Vec::with_capacity(num_targets);
3148        let total_start = std::time::Instant::now();
3149
3150        for (idx, target) in targets.iter().enumerate() {
3151            tracing::info!(
3152                "Running conformance tests against target {}/{}: {}",
3153                idx + 1,
3154                num_targets,
3155                target.url
3156            );
3157            TerminalReporter::print_progress(&format!(
3158                "\n--- Target {}/{}: {} ---",
3159                idx + 1,
3160                num_targets,
3161                target.url
3162            ));
3163
3164            // Merge base headers with per-target headers
3165            let mut merged_headers = base_custom_headers.clone();
3166            if let Some(ref target_headers) = target.headers {
3167                for (name, value) in target_headers {
3168                    // Per-target headers override base headers with the same name
3169                    if let Some(existing) = merged_headers.iter_mut().find(|(n, _)| n == name) {
3170                        existing.1 = value.clone();
3171                    } else {
3172                        merged_headers.push((name.clone(), value.clone()));
3173                    }
3174                }
3175            }
3176            // Add auth header if present on target
3177            if let Some(ref auth) = target.auth {
3178                if let Some(existing) =
3179                    merged_headers.iter_mut().find(|(n, _)| n.eq_ignore_ascii_case("Authorization"))
3180                {
3181                    existing.1 = auth.clone();
3182                } else {
3183                    merged_headers.push(("Authorization".to_string(), auth.clone()));
3184                }
3185            }
3186
3187            // Per-target output dir (used by both native and k6 paths).
3188            // Created before the config so we can point the k6 script's
3189            // handleSummary at the per-target directory rather than the shared
3190            // parent output dir (otherwise every target would overwrite the
3191            // same conformance-report.json).
3192            let target_dir = self.output.join(format!("target_{}", idx));
3193            std::fs::create_dir_all(&target_dir)?;
3194
3195            let config = ConformanceConfig {
3196                target_url: target.url.clone(),
3197                api_key: self.conformance_api_key.clone(),
3198                basic_auth: self.conformance_basic_auth.clone(),
3199                skip_tls_verify: self.skip_tls_verify,
3200                categories: categories.clone(),
3201                base_path: self.base_path.clone(),
3202                custom_headers: merged_headers,
3203                output_dir: Some(target_dir.clone()),
3204                all_operations: self.conformance_all_operations,
3205                custom_checks_file: self.conformance_custom.clone(),
3206                request_delay_ms: self.conformance_delay_ms,
3207                custom_filter: self.conformance_custom_filter.clone(),
3208                export_requests: self.export_requests,
3209                validate_requests: self.validate_requests,
3210            };
3211
3212            let target_start = std::time::Instant::now();
3213            let report = if self.use_k6 {
3214                if !K6Executor::is_k6_installed() {
3215                    TerminalReporter::print_error("k6 is not installed");
3216                    TerminalReporter::print_warning(
3217                        "Install k6 from: https://k6.io/docs/get-started/installation/",
3218                    );
3219                    return Err(BenchError::K6NotFound);
3220                }
3221
3222                let script = if let Some(ref annotated) = annotated_ops {
3223                    let gen = crate::conformance::spec_driven::SpecDrivenConformanceGenerator::new(
3224                        config.clone(),
3225                        annotated.clone(),
3226                    );
3227                    let (script, _check_count) = gen.generate()?;
3228                    script
3229                } else {
3230                    let generator = ConformanceGenerator::new(config.clone());
3231                    generator.generate()?
3232                };
3233
3234                let script_path = target_dir.join("k6-conformance.js");
3235                std::fs::write(&script_path, &script).map_err(|e| {
3236                    BenchError::Other(format!("Failed to write conformance script: {}", e))
3237                })?;
3238                TerminalReporter::print_success(&format!(
3239                    "Conformance script generated: {}",
3240                    script_path.display()
3241                ));
3242
3243                TerminalReporter::print_progress(&format!(
3244                    "Running conformance tests via k6 against {}...",
3245                    target.url
3246                ));
3247                let k6 = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
3248                // Unique k6 API port per target to avoid collisions.
3249                let api_port = 6565u16.saturating_add(idx as u16);
3250                k6.execute_with_port(&script_path, Some(&target_dir), self.verbose, Some(api_port))
3251                    .await?;
3252
3253                let report_path = target_dir.join("conformance-report.json");
3254                if report_path.exists() {
3255                    ConformanceReport::from_file(&report_path)?
3256                } else {
3257                    TerminalReporter::print_warning(&format!(
3258                        "Conformance report not generated for target {} (k6 handleSummary may not have run)",
3259                        target.url
3260                    ));
3261                    continue;
3262                }
3263            } else {
3264                let mut executor =
3265                    crate::conformance::executor::NativeConformanceExecutor::new(config)?;
3266
3267                // Round 39 (#79) — see custom_only comment above; same
3268                // logic applied to the multi-target branch.
3269                let custom_only = annotated_ops.is_none() && self.conformance_custom.is_some();
3270                executor = if let Some(ref annotated) = annotated_ops {
3271                    executor.with_spec_driven_checks(annotated)
3272                } else if custom_only {
3273                    executor
3274                } else {
3275                    executor.with_reference_checks()
3276                };
3277                executor = executor.with_custom_checks()?;
3278
3279                TerminalReporter::print_success(&format!(
3280                    "Executing {} conformance checks against {}...",
3281                    executor.check_count(),
3282                    target.url
3283                ));
3284
3285                executor.execute().await?
3286            };
3287            let target_elapsed = target_start.elapsed();
3288
3289            let report_json = report.to_json();
3290
3291            // Extract pass/fail from the summary in the JSON
3292            let passed = report_json["summary"]["passed"].as_u64().unwrap_or(0) as usize;
3293            let failed = report_json["summary"]["failed"].as_u64().unwrap_or(0) as usize;
3294            let total_checks = passed + failed;
3295            let rate = if total_checks == 0 {
3296                0.0
3297            } else {
3298                (passed as f64 / total_checks as f64) * 100.0
3299            };
3300
3301            TerminalReporter::print_success(&format!(
3302                "Target {}: {}/{} passed ({:.1}%) in {:.1}s",
3303                target.url,
3304                passed,
3305                total_checks,
3306                rate,
3307                target_elapsed.as_secs_f64()
3308            ));
3309
3310            // Save per-target report (target_dir created above)
3311            let target_report_path = target_dir.join("conformance-report.json");
3312            let report_str = serde_json::to_string_pretty(&report_json)
3313                .map_err(|e| BenchError::Other(format!("Failed to serialize report: {}", e)))?;
3314            std::fs::write(&target_report_path, &report_str)
3315                .map_err(|e| BenchError::Other(format!("Failed to write report: {}", e)))?;
3316
3317            // Save failure details if any
3318            let failure_details = report.failure_details();
3319            if !failure_details.is_empty() {
3320                let details_path = target_dir.join("conformance-failure-details.json");
3321                if let Ok(json) = serde_json::to_string_pretty(&failure_details) {
3322                    let _ = std::fs::write(&details_path, json);
3323                }
3324            }
3325
3326            // Round 45 (#79) — Srikanth on 0.3.189: `conformance-request-
3327            // violations.json` was never being written in his
3328            // multi-target self-test run. The round-44 wiring sat on
3329            // the single-target branch only. Mirror it here, per
3330            // target_dir, so the multi-target case (his typical
3331            // workflow) actually surfaces wire-level violations.
3332            if self.validate_requests && self.export_requests && !self.spec.is_empty() {
3333                let n = crate::conformance::request_validator::validate_emitted_requests_with_base_path(
3334                    &self.spec,
3335                    &target_dir,
3336                    self.base_path.as_deref(),
3337                )
3338                .await?;
3339                if n > 0 {
3340                    TerminalReporter::print_warning(&format!(
3341                        "Target {}: {} emitted request(s) violated the spec — see {}/conformance-request-violations.json",
3342                        target.url,
3343                        n,
3344                        target_dir.display()
3345                    ));
3346                }
3347            }
3348
3349            // Compute OWASP coverage for this target
3350            let owasp_coverage = report.owasp_coverage_data();
3351
3352            target_results.push(TargetResult {
3353                url: target.url.clone(),
3354                passed,
3355                failed,
3356                elapsed: target_elapsed,
3357                report_json,
3358                owasp_coverage,
3359            });
3360        }
3361
3362        let total_elapsed = total_start.elapsed();
3363
3364        // Print summary table
3365        println!("\n{}", "=".repeat(80));
3366        println!("  Multi-Target Conformance Summary");
3367        println!("{}", "=".repeat(80));
3368        println!(
3369            "  {:<40} {:>8} {:>8} {:>8} {:>8}",
3370            "Target URL", "Passed", "Failed", "Rate", "Time"
3371        );
3372        println!("  {}", "-".repeat(76));
3373
3374        let mut total_passed = 0usize;
3375        let mut total_failed = 0usize;
3376
3377        for result in &target_results {
3378            let total_checks = result.passed + result.failed;
3379            let rate = if total_checks == 0 {
3380                0.0
3381            } else {
3382                (result.passed as f64 / total_checks as f64) * 100.0
3383            };
3384
3385            // Truncate long URLs for display
3386            let display_url = if result.url.len() > 38 {
3387                format!("{}...", &result.url[..35])
3388            } else {
3389                result.url.clone()
3390            };
3391
3392            println!(
3393                "  {:<40} {:>8} {:>8} {:>7.1}% {:>6.1}s",
3394                display_url,
3395                result.passed,
3396                result.failed,
3397                rate,
3398                result.elapsed.as_secs_f64()
3399            );
3400
3401            total_passed += result.passed;
3402            total_failed += result.failed;
3403        }
3404
3405        let grand_total = total_passed + total_failed;
3406        let overall_rate = if grand_total == 0 {
3407            0.0
3408        } else {
3409            (total_passed as f64 / grand_total as f64) * 100.0
3410        };
3411
3412        println!("  {}", "-".repeat(76));
3413        println!(
3414            "  {:<40} {:>8} {:>8} {:>7.1}% {:>6.1}s",
3415            format!("TOTAL ({} targets)", num_targets),
3416            total_passed,
3417            total_failed,
3418            overall_rate,
3419            total_elapsed.as_secs_f64()
3420        );
3421        println!("{}", "=".repeat(80));
3422
3423        // Print per-target OWASP coverage
3424        for result in &target_results {
3425            println!("\n  OWASP API Security Top 10 Coverage for {}:", result.url);
3426            for entry in &result.owasp_coverage {
3427                let status = if !entry.tested {
3428                    "-"
3429                } else if entry.all_passed {
3430                    "pass"
3431                } else {
3432                    "FAIL"
3433                };
3434                let via = if entry.via_categories.is_empty() {
3435                    String::new()
3436                } else {
3437                    format!(" (via {})", entry.via_categories.join(", "))
3438                };
3439                println!("    {:<12} {:<40} {}{}", entry.id, entry.name, status, via);
3440            }
3441        }
3442
3443        // Save combined summary
3444        let per_target_summaries: Vec<serde_json::Value> = target_results
3445            .iter()
3446            .enumerate()
3447            .map(|(idx, r)| {
3448                let total_checks = r.passed + r.failed;
3449                let rate = if total_checks == 0 {
3450                    0.0
3451                } else {
3452                    (r.passed as f64 / total_checks as f64) * 100.0
3453                };
3454                let owasp_json: Vec<serde_json::Value> = r
3455                    .owasp_coverage
3456                    .iter()
3457                    .map(|e| {
3458                        serde_json::json!({
3459                            "id": e.id,
3460                            "name": e.name,
3461                            "tested": e.tested,
3462                            "all_passed": e.all_passed,
3463                            "via_categories": e.via_categories,
3464                        })
3465                    })
3466                    .collect();
3467                serde_json::json!({
3468                    "target_url": r.url,
3469                    "target_index": idx,
3470                    "checks_passed": r.passed,
3471                    "checks_failed": r.failed,
3472                    "total_checks": total_checks,
3473                    "pass_rate": rate,
3474                    "elapsed_seconds": r.elapsed.as_secs_f64(),
3475                    "report": r.report_json,
3476                    "owasp_coverage": owasp_json,
3477                })
3478            })
3479            .collect();
3480
3481        let combined_summary = serde_json::json!({
3482            "total_targets": num_targets,
3483            "total_checks_passed": total_passed,
3484            "total_checks_failed": total_failed,
3485            "overall_pass_rate": overall_rate,
3486            "total_elapsed_seconds": total_elapsed.as_secs_f64(),
3487            "targets": per_target_summaries,
3488        });
3489
3490        let summary_path = self.output.join("multi-target-conformance-summary.json");
3491        let summary_str = serde_json::to_string_pretty(&combined_summary)
3492            .map_err(|e| BenchError::Other(format!("Failed to serialize summary: {}", e)))?;
3493        std::fs::write(&summary_path, &summary_str)
3494            .map_err(|e| BenchError::Other(format!("Failed to write summary: {}", e)))?;
3495        TerminalReporter::print_success(&format!(
3496            "Combined summary saved to: {}",
3497            summary_path.display()
3498        ));
3499
3500        Ok(())
3501    }
3502
3503    /// Execute OWASP API Security Top 10 testing mode
3504    async fn execute_owasp_test(&self, parser: &SpecParser) -> Result<()> {
3505        TerminalReporter::print_progress("OWASP API Security Top 10 Testing Mode");
3506
3507        // Parse custom headers from CLI
3508        let custom_headers = self.parse_headers()?;
3509
3510        // Build OWASP configuration from CLI options
3511        let mut config = OwaspApiConfig::new()
3512            .with_auth_header(&self.owasp_auth_header)
3513            .with_verbose(self.verbose)
3514            .with_insecure(self.skip_tls_verify)
3515            .with_concurrency(self.vus as usize)
3516            .with_iterations(self.owasp_iterations as usize)
3517            .with_base_path(self.base_path.clone())
3518            .with_custom_headers(custom_headers);
3519
3520        // Set valid auth token if provided
3521        if let Some(ref token) = self.owasp_auth_token {
3522            config = config.with_valid_auth_token(token);
3523        }
3524
3525        // Parse categories if provided
3526        if let Some(ref cats_str) = self.owasp_categories {
3527            let categories: Vec<OwaspCategory> = cats_str
3528                .split(',')
3529                .filter_map(|s| {
3530                    let trimmed = s.trim();
3531                    match trimmed.parse::<OwaspCategory>() {
3532                        Ok(cat) => Some(cat),
3533                        Err(e) => {
3534                            TerminalReporter::print_warning(&e);
3535                            None
3536                        }
3537                    }
3538                })
3539                .collect();
3540
3541            if !categories.is_empty() {
3542                config = config.with_categories(categories);
3543            }
3544        }
3545
3546        // Load admin paths from file if provided
3547        if let Some(ref admin_paths_file) = self.owasp_admin_paths {
3548            config.admin_paths_file = Some(admin_paths_file.clone());
3549            if let Err(e) = config.load_admin_paths() {
3550                TerminalReporter::print_warning(&format!("Failed to load admin paths file: {}", e));
3551            }
3552        }
3553
3554        // Set ID fields if provided
3555        if let Some(ref id_fields_str) = self.owasp_id_fields {
3556            let id_fields: Vec<String> = id_fields_str
3557                .split(',')
3558                .map(|s| s.trim().to_string())
3559                .filter(|s| !s.is_empty())
3560                .collect();
3561            if !id_fields.is_empty() {
3562                config = config.with_id_fields(id_fields);
3563            }
3564        }
3565
3566        // Set report path and format
3567        if let Some(ref report_path) = self.owasp_report {
3568            config = config.with_report_path(report_path);
3569        }
3570        if let Ok(format) = self.owasp_report_format.parse::<ReportFormat>() {
3571            config = config.with_report_format(format);
3572        }
3573
3574        // Print configuration summary
3575        let categories = config.categories_to_test();
3576        TerminalReporter::print_success(&format!(
3577            "Testing {} OWASP categories: {}",
3578            categories.len(),
3579            categories.iter().map(|c| c.cli_name()).collect::<Vec<_>>().join(", ")
3580        ));
3581
3582        if config.valid_auth_token.is_some() {
3583            TerminalReporter::print_progress("Using provided auth token for baseline requests");
3584        }
3585
3586        // Create the OWASP generator
3587        TerminalReporter::print_progress("Generating OWASP security test script...");
3588        let generator = OwaspApiGenerator::new(config, self.target.clone(), parser);
3589
3590        // Generate the script
3591        let script = generator.generate()?;
3592        TerminalReporter::print_success("OWASP security test script generated");
3593
3594        // Write script to file
3595        let script_path = if let Some(output) = &self.script_output {
3596            output.clone()
3597        } else {
3598            self.output.join("k6-owasp-security-test.js")
3599        };
3600
3601        if let Some(parent) = script_path.parent() {
3602            std::fs::create_dir_all(parent)?;
3603        }
3604        std::fs::write(&script_path, &script)?;
3605        TerminalReporter::print_success(&format!("Script written to: {}", script_path.display()));
3606
3607        // If generate-only mode, exit here
3608        if self.generate_only {
3609            println!("\nOWASP security test script generated. Run it with:");
3610            println!("  k6 run {}", script_path.display());
3611            return Ok(());
3612        }
3613
3614        // Execute k6
3615        TerminalReporter::print_progress("Executing OWASP security tests...");
3616        let executor = K6Executor::new()?.with_local_ips(self.source_ips.join(","));
3617        std::fs::create_dir_all(&self.output)?;
3618
3619        let results = executor.execute(&script_path, Some(&self.output), self.verbose).await?;
3620
3621        let duration_secs = Self::parse_duration(&self.duration)?;
3622        TerminalReporter::print_summary_with_mode(&results, duration_secs, self.no_keep_alive);
3623
3624        println!("\nOWASP security test results saved to: {}", self.output.display());
3625
3626        Ok(())
3627    }
3628}
3629
3630#[cfg(test)]
3631mod tests {
3632    use super::*;
3633    use tempfile::tempdir;
3634
3635    #[test]
3636    fn test_parse_duration() {
3637        assert_eq!(BenchCommand::parse_duration("30s").unwrap(), 30);
3638        assert_eq!(BenchCommand::parse_duration("5m").unwrap(), 300);
3639        assert_eq!(BenchCommand::parse_duration("1h").unwrap(), 3600);
3640        assert_eq!(BenchCommand::parse_duration("60").unwrap(), 60);
3641    }
3642
3643    /// Round 22.4 — `start-end` IPv4 range syntax for non-power-of-2
3644    /// ranges. Srikanth (h): `--source-ip 10.0.0.5-10.0.0.27` for 23
3645    /// hosts without finding a clean prefix.
3646    #[test]
3647    fn parse_ip_list_ipv4_range_inclusive() {
3648        let v = parse_ip_list(&["10.0.0.5-10.0.0.27".into()], "source-ip");
3649        assert_eq!(v.len(), 23);
3650        assert_eq!(v.first().unwrap().to_string(), "10.0.0.5");
3651        assert_eq!(v.last().unwrap().to_string(), "10.0.0.27");
3652    }
3653
3654    /// Round 22.4 — range with start > end is rejected with a warning
3655    /// (returns nothing for that entry rather than wrapping around).
3656    #[test]
3657    fn parse_ip_list_range_rejects_backwards() {
3658        let v = parse_ip_list(&["10.0.0.10-10.0.0.5".into()], "source-ip");
3659        assert!(v.is_empty(), "backwards range should produce no IPs; got {v:?}");
3660    }
3661
3662    /// Round 22.4 — IPv6 ranges are intentionally rejected because
3663    /// `2001:db8::1-2001:db8::5` would ambiguously parse against the
3664    /// address literal's `:` separators. Users use CIDR for IPv6.
3665    #[test]
3666    fn parse_ip_list_rejects_ipv6_range_syntax() {
3667        let v = parse_ip_list(&["2001:db8::1-2001:db8::5".into()], "geo-source-ip");
3668        assert!(v.is_empty(), "IPv6 range should be rejected; got {v:?}");
3669    }
3670
3671    /// Round 22.4 — range cap is the same 256 host limit as CIDR.
3672    #[test]
3673    fn parse_ip_list_range_capped_at_256() {
3674        let v = parse_ip_list(&["10.0.0.0-10.0.5.0".into()], "source-ip");
3675        assert_eq!(v.len(), 256);
3676        assert_eq!(v.first().unwrap().to_string(), "10.0.0.0");
3677    }
3678
3679    /// Round 19 — single IPs and comma-separated lists already
3680    /// worked in 18.5; this regression-locks the parse paths.
3681    #[test]
3682    fn parse_ip_list_plain_and_comma() {
3683        let v = parse_ip_list(&["10.0.0.5".into(), "10.0.0.6,10.0.0.7".into()], "source-ip");
3684        assert_eq!(v.len(), 3);
3685        assert_eq!(v[0].to_string(), "10.0.0.5");
3686        assert_eq!(v[2].to_string(), "10.0.0.7");
3687    }
3688
3689    /// Round 19 — IPv4 CIDR expands to host count up to the cap.
3690    /// `/29` = 8 hosts (well under cap), all 8 enumerated.
3691    #[test]
3692    fn parse_ip_list_ipv4_cidr_29_expands_to_8() {
3693        let v = parse_ip_list(&["10.0.0.0/29".into()], "source-ip");
3694        assert_eq!(v.len(), 8);
3695        assert_eq!(v[0].to_string(), "10.0.0.0");
3696        assert_eq!(v[7].to_string(), "10.0.0.7");
3697    }
3698
3699    /// Round 19 — IPv4 CIDR larger than the cap is truncated, not
3700    /// rejected. Cap is 256; `/8` would be 16M without the guard.
3701    #[test]
3702    fn parse_ip_list_ipv4_cidr_8_capped_at_256() {
3703        let v = parse_ip_list(&["10.0.0.0/8".into()], "source-ip");
3704        assert_eq!(v.len(), 256);
3705        assert_eq!(v[0].to_string(), "10.0.0.0");
3706        assert_eq!(v[255].to_string(), "10.0.0.255");
3707    }
3708
3709    /// Round 19 — IPv6 CIDR also expands. `/126` = 4 hosts.
3710    #[test]
3711    fn parse_ip_list_ipv6_cidr_126_expands_to_4() {
3712        let v = parse_ip_list(&["2001:db8::/126".into()], "geo-source-ip");
3713        assert_eq!(v.len(), 4);
3714        assert!(v[0].is_ipv6());
3715        assert_eq!(v[0].to_string(), "2001:db8::");
3716        assert_eq!(v[3].to_string(), "2001:db8::3");
3717    }
3718
3719    /// Round 19 — mixed IPv4 + IPv6 + CIDR in one call works.
3720    #[test]
3721    fn parse_ip_list_mixed_v4_v6_cidr() {
3722        let v = parse_ip_list(&["10.0.0.0/30,2001:db8::1,203.0.113.42".into()], "geo-source-ip");
3723        assert_eq!(v.len(), 6); // 4 from /30 + 1 + 1
3724        assert!(v.iter().any(|ip| ip.to_string() == "2001:db8::1"));
3725        assert!(v.iter().any(|ip| ip.to_string() == "203.0.113.42"));
3726    }
3727
3728    /// Round 19 — malformed entries log and skip; the run continues
3729    /// with whatever resolved.
3730    #[test]
3731    fn parse_ip_list_skips_malformed() {
3732        let v = parse_ip_list(
3733            &[
3734                "10.0.0.5".into(),
3735                "not-an-ip".into(),
3736                "10.0.0.6".into(),
3737                "/24".into(),
3738                "1.2.3.4/200".into(),
3739            ],
3740            "source-ip",
3741        );
3742        assert_eq!(v.len(), 2);
3743        assert_eq!(v[0].to_string(), "10.0.0.5");
3744        assert_eq!(v[1].to_string(), "10.0.0.6");
3745    }
3746
3747    #[test]
3748    fn test_parse_duration_invalid() {
3749        assert!(BenchCommand::parse_duration("invalid").is_err());
3750        assert!(BenchCommand::parse_duration("30x").is_err());
3751    }
3752
3753    #[test]
3754    fn test_parse_headers() {
3755        let cmd = BenchCommand {
3756            spec: vec![PathBuf::from("test.yaml")],
3757            spec_dir: None,
3758            merge_conflicts: "error".to_string(),
3759            spec_mode: "merge".to_string(),
3760            dependency_config: None,
3761            target: "http://localhost".to_string(),
3762            base_path: None,
3763            duration: "1m".to_string(),
3764            vus: 10,
3765            scenario: "ramp-up".to_string(),
3766            operations: None,
3767            exclude_operations: None,
3768            auth: None,
3769            headers: vec![
3770                "X-API-Key:test123".to_string(),
3771                "X-Client-ID:client456".to_string(),
3772            ],
3773            output: PathBuf::from("output"),
3774            generate_only: false,
3775            script_output: None,
3776            threshold_percentile: "p(95)".to_string(),
3777            threshold_ms: 500,
3778            max_error_rate: 0.05,
3779            verbose: false,
3780            skip_tls_verify: false,
3781            chunked_request_bodies: false,
3782            target_rps: None,
3783            no_keep_alive: false,
3784            targets_file: None,
3785            max_concurrency: None,
3786            results_format: "both".to_string(),
3787            params_file: None,
3788            crud_flow: false,
3789            flow_config: None,
3790            extract_fields: None,
3791            parallel_create: None,
3792            data_file: None,
3793            data_distribution: "unique-per-vu".to_string(),
3794            data_mappings: None,
3795            per_uri_control: false,
3796            error_rate: None,
3797            error_types: None,
3798            security_test: false,
3799            security_payloads: None,
3800            security_categories: None,
3801            security_target_fields: None,
3802            wafbench_dir: None,
3803            wafbench_cycle_all: false,
3804            owasp_api_top10: false,
3805            owasp_categories: None,
3806            owasp_auth_header: "Authorization".to_string(),
3807            owasp_auth_token: None,
3808            owasp_admin_paths: None,
3809            owasp_id_fields: None,
3810            owasp_report: None,
3811            owasp_report_format: "json".to_string(),
3812            owasp_iterations: 1,
3813            conformance: false,
3814            conformance_api_key: None,
3815            conformance_basic_auth: None,
3816            conformance_report: PathBuf::from("conformance-report.json"),
3817            conformance_categories: None,
3818            conformance_report_format: "json".to_string(),
3819            conformance_headers: vec![],
3820            conformance_all_operations: false,
3821            conformance_custom: None,
3822            conformance_delay_ms: 0,
3823            use_k6: false,
3824            conformance_custom_filter: None,
3825            export_requests: false,
3826            validate_requests: false,
3827            conformance_self_test: false,
3828            conformance_self_test_capture: false,
3829            conformance_self_test_iterations: 1,
3830            conformance_self_test_duration: None,
3831            validate_response_schemas: false,
3832            source_ips: Vec::new(),
3833            geo_source_ips: Vec::new(),
3834            geo_source_headers: Vec::new(),
3835            report_missed_cap: None,
3836        };
3837
3838        let headers = cmd.parse_headers().unwrap();
3839        assert_eq!(headers.get("X-API-Key"), Some(&"test123".to_string()));
3840        assert_eq!(headers.get("X-Client-ID"), Some(&"client456".to_string()));
3841    }
3842
3843    #[test]
3844    fn test_parse_header_string_preserves_comma_in_value() {
3845        // #761: with one header per --headers flag, a comma in the value (e.g. a
3846        // Cookie expiry date) is preserved instead of being split into junk pairs.
3847        let inputs = vec![
3848            "Cookie:session=abc; expires=Thu, 01 Jan 2099 00:00:00 GMT".to_string(),
3849            "X-Trace:1".to_string(),
3850        ];
3851        let headers = parse_header_string(&inputs).unwrap();
3852        assert_eq!(
3853            headers.get("Cookie"),
3854            Some(&"session=abc; expires=Thu, 01 Jan 2099 00:00:00 GMT".to_string())
3855        );
3856        assert_eq!(headers.get("X-Trace"), Some(&"1".to_string()));
3857    }
3858
3859    #[test]
3860    fn test_get_spec_display_name() {
3861        let cmd = BenchCommand {
3862            spec: vec![PathBuf::from("test.yaml")],
3863            spec_dir: None,
3864            merge_conflicts: "error".to_string(),
3865            spec_mode: "merge".to_string(),
3866            dependency_config: None,
3867            target: "http://localhost".to_string(),
3868            base_path: None,
3869            duration: "1m".to_string(),
3870            vus: 10,
3871            scenario: "ramp-up".to_string(),
3872            operations: None,
3873            exclude_operations: None,
3874            auth: None,
3875            headers: Vec::new(),
3876            output: PathBuf::from("output"),
3877            generate_only: false,
3878            script_output: None,
3879            threshold_percentile: "p(95)".to_string(),
3880            threshold_ms: 500,
3881            max_error_rate: 0.05,
3882            verbose: false,
3883            skip_tls_verify: false,
3884            chunked_request_bodies: false,
3885            target_rps: None,
3886            no_keep_alive: false,
3887            targets_file: None,
3888            max_concurrency: None,
3889            results_format: "both".to_string(),
3890            params_file: None,
3891            crud_flow: false,
3892            flow_config: None,
3893            extract_fields: None,
3894            parallel_create: None,
3895            data_file: None,
3896            data_distribution: "unique-per-vu".to_string(),
3897            data_mappings: None,
3898            per_uri_control: false,
3899            error_rate: None,
3900            error_types: None,
3901            security_test: false,
3902            security_payloads: None,
3903            security_categories: None,
3904            security_target_fields: None,
3905            wafbench_dir: None,
3906            wafbench_cycle_all: false,
3907            owasp_api_top10: false,
3908            owasp_categories: None,
3909            owasp_auth_header: "Authorization".to_string(),
3910            owasp_auth_token: None,
3911            owasp_admin_paths: None,
3912            owasp_id_fields: None,
3913            owasp_report: None,
3914            owasp_report_format: "json".to_string(),
3915            owasp_iterations: 1,
3916            conformance: false,
3917            conformance_api_key: None,
3918            conformance_basic_auth: None,
3919            conformance_report: PathBuf::from("conformance-report.json"),
3920            conformance_categories: None,
3921            conformance_report_format: "json".to_string(),
3922            conformance_headers: vec![],
3923            conformance_all_operations: false,
3924            conformance_custom: None,
3925            conformance_delay_ms: 0,
3926            use_k6: false,
3927            conformance_custom_filter: None,
3928            export_requests: false,
3929            validate_requests: false,
3930            conformance_self_test: false,
3931            conformance_self_test_capture: false,
3932            conformance_self_test_iterations: 1,
3933            conformance_self_test_duration: None,
3934            validate_response_schemas: false,
3935            source_ips: Vec::new(),
3936            geo_source_ips: Vec::new(),
3937            geo_source_headers: Vec::new(),
3938            report_missed_cap: None,
3939        };
3940
3941        assert_eq!(cmd.get_spec_display_name(), "test.yaml");
3942
3943        // Test multiple specs
3944        let cmd_multi = BenchCommand {
3945            spec: vec![PathBuf::from("a.yaml"), PathBuf::from("b.yaml")],
3946            spec_dir: None,
3947            merge_conflicts: "error".to_string(),
3948            spec_mode: "merge".to_string(),
3949            dependency_config: None,
3950            target: "http://localhost".to_string(),
3951            base_path: None,
3952            duration: "1m".to_string(),
3953            vus: 10,
3954            scenario: "ramp-up".to_string(),
3955            operations: None,
3956            exclude_operations: None,
3957            auth: None,
3958            headers: Vec::new(),
3959            output: PathBuf::from("output"),
3960            generate_only: false,
3961            script_output: None,
3962            threshold_percentile: "p(95)".to_string(),
3963            threshold_ms: 500,
3964            max_error_rate: 0.05,
3965            verbose: false,
3966            skip_tls_verify: false,
3967            chunked_request_bodies: false,
3968            target_rps: None,
3969            no_keep_alive: false,
3970            targets_file: None,
3971            max_concurrency: None,
3972            results_format: "both".to_string(),
3973            params_file: None,
3974            crud_flow: false,
3975            flow_config: None,
3976            extract_fields: None,
3977            parallel_create: None,
3978            data_file: None,
3979            data_distribution: "unique-per-vu".to_string(),
3980            data_mappings: None,
3981            per_uri_control: false,
3982            error_rate: None,
3983            error_types: None,
3984            security_test: false,
3985            security_payloads: None,
3986            security_categories: None,
3987            security_target_fields: None,
3988            wafbench_dir: None,
3989            wafbench_cycle_all: false,
3990            owasp_api_top10: false,
3991            owasp_categories: None,
3992            owasp_auth_header: "Authorization".to_string(),
3993            owasp_auth_token: None,
3994            owasp_admin_paths: None,
3995            owasp_id_fields: None,
3996            owasp_report: None,
3997            owasp_report_format: "json".to_string(),
3998            owasp_iterations: 1,
3999            conformance: false,
4000            conformance_api_key: None,
4001            conformance_basic_auth: None,
4002            conformance_report: PathBuf::from("conformance-report.json"),
4003            conformance_categories: None,
4004            conformance_report_format: "json".to_string(),
4005            conformance_headers: vec![],
4006            conformance_all_operations: false,
4007            conformance_custom: None,
4008            conformance_delay_ms: 0,
4009            use_k6: false,
4010            conformance_custom_filter: None,
4011            export_requests: false,
4012            validate_requests: false,
4013            conformance_self_test: false,
4014            conformance_self_test_capture: false,
4015            conformance_self_test_iterations: 1,
4016            conformance_self_test_duration: None,
4017            validate_response_schemas: false,
4018            source_ips: Vec::new(),
4019            geo_source_ips: Vec::new(),
4020            geo_source_headers: Vec::new(),
4021            report_missed_cap: None,
4022        };
4023
4024        assert_eq!(cmd_multi.get_spec_display_name(), "2 spec files");
4025    }
4026
4027    #[test]
4028    fn test_parse_extracted_values_from_output_dir() {
4029        let dir = tempdir().unwrap();
4030        let path = dir.path().join("extracted_values.json");
4031        std::fs::write(
4032            &path,
4033            r#"{
4034  "pool_id": "abc123",
4035  "count": 0,
4036  "enabled": false,
4037  "metadata": { "owner": "team-a" }
4038}"#,
4039        )
4040        .unwrap();
4041
4042        let extracted = BenchCommand::parse_extracted_values(dir.path()).unwrap();
4043        assert_eq!(extracted.get("pool_id"), Some(&serde_json::json!("abc123")));
4044        assert_eq!(extracted.get("count"), Some(&serde_json::json!(0)));
4045        assert_eq!(extracted.get("enabled"), Some(&serde_json::json!(false)));
4046        assert_eq!(extracted.get("metadata"), Some(&serde_json::json!({"owner": "team-a"})));
4047    }
4048
4049    #[test]
4050    fn test_parse_extracted_values_missing_file() {
4051        let dir = tempdir().unwrap();
4052        let extracted = BenchCommand::parse_extracted_values(dir.path()).unwrap();
4053        assert!(extracted.values.is_empty());
4054    }
4055}