Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Round 25 — per-status response schemas (JSON values, pre-resolved
180    /// via $ref). Keyed by HTTP status code, populated for every
181    /// status declared in the spec that has an `application/json`
182    /// body. The self-test driver looks up the schema for each probe's
183    /// actual status and validates the response body against it
184    /// (closing round 21.3 / Srikanth's a2 / a3 ask). Empty when the
185    /// spec declares no JSON response bodies.
186    pub response_schemas: std::collections::BTreeMap<u16, serde_json::Value>,
187    /// Round 17.2 — the resolved request-body schema (application/json).
188    /// Used by the self-test driver to synthesise schema-aware
189    /// negative mutations (wrong type, min/max bounds, pattern, enum
190    /// out-of-range, required-field removal). Independent of
191    /// `sample_body`, which is the positive payload.
192    pub request_body_schema: Option<Schema>,
193    /// Security scheme details resolved from the OpenAPI spec
194    pub security_schemes: Vec<SecuritySchemeInfo>,
195}
196
197/// Generates spec-driven conformance k6 scripts
198pub struct SpecDrivenConformanceGenerator {
199    config: ConformanceConfig,
200    operations: Vec<AnnotatedOperation>,
201}
202
203impl SpecDrivenConformanceGenerator {
204    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
205        Self { config, operations }
206    }
207
208    /// Annotate a list of API operations with conformance features
209    pub fn annotate_operations(
210        operations: &[ApiOperation],
211        spec: &OpenAPI,
212    ) -> Vec<AnnotatedOperation> {
213        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
214    }
215
216    /// Analyze an operation and determine which conformance features it exercises
217    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
218        let mut features = Vec::new();
219        let mut query_params = Vec::new();
220        let mut header_params = Vec::new();
221        let mut path_params = Vec::new();
222
223        // Detect HTTP method feature
224        match op.method.to_uppercase().as_str() {
225            "GET" => features.push(ConformanceFeature::MethodGet),
226            "POST" => features.push(ConformanceFeature::MethodPost),
227            "PUT" => features.push(ConformanceFeature::MethodPut),
228            "PATCH" => features.push(ConformanceFeature::MethodPatch),
229            "DELETE" => features.push(ConformanceFeature::MethodDelete),
230            "HEAD" => features.push(ConformanceFeature::MethodHead),
231            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
232            _ => {}
233        }
234
235        // Detect parameter features (resolves $ref)
236        for param_ref in &op.operation.parameters {
237            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
238                Self::annotate_parameter(
239                    param,
240                    spec,
241                    &mut features,
242                    &mut query_params,
243                    &mut header_params,
244                    &mut path_params,
245                );
246            }
247        }
248
249        // Detect path parameters from the path template itself
250        for segment in op.path.split('/') {
251            if segment.starts_with('{') && segment.ends_with('}') {
252                let name = &segment[1..segment.len() - 1];
253                // Only add if not already found from parameters
254                if !path_params.iter().any(|(n, _)| n == name) {
255                    path_params.push((name.to_string(), "test-value".to_string()));
256                    // Determine type from path params we didn't already handle
257                    if !features.contains(&ConformanceFeature::PathParamString)
258                        && !features.contains(&ConformanceFeature::PathParamInteger)
259                    {
260                        features.push(ConformanceFeature::PathParamString);
261                    }
262                }
263            }
264        }
265
266        // Detect request body features (resolves $ref)
267        let mut request_body_content_type = None;
268        let mut sample_body = None;
269        let mut request_body_schema: Option<Schema> = None;
270
271        let resolved_body = op
272            .operation
273            .request_body
274            .as_ref()
275            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
276
277        if let Some(body) = resolved_body {
278            for (content_type, _media) in &body.content {
279                match content_type.as_str() {
280                    "application/json" => {
281                        features.push(ConformanceFeature::BodyJson);
282                        request_body_content_type = Some("application/json".to_string());
283                        // Generate sample body from schema
284                        if let Ok(template) = RequestGenerator::generate_template(op) {
285                            if let Some(body_val) = &template.body {
286                                sample_body = Some(body_val.to_string());
287                            }
288                        }
289                    }
290                    "application/x-www-form-urlencoded" => {
291                        features.push(ConformanceFeature::BodyFormUrlencoded);
292                        request_body_content_type =
293                            Some("application/x-www-form-urlencoded".to_string());
294                    }
295                    "multipart/form-data" => {
296                        features.push(ConformanceFeature::BodyMultipart);
297                        request_body_content_type = Some("multipart/form-data".to_string());
298                    }
299                    _ => {}
300                }
301            }
302
303            // Detect schema features in request body (resolves $ref in schema)
304            if let Some(media) = body.content.get("application/json") {
305                if let Some(schema_ref) = &media.schema {
306                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
307                        Self::annotate_schema(schema, spec, &mut features);
308                        // Round 17.2 — keep a clone of the resolved
309                        // body schema so the self-test driver can walk
310                        // it to synthesise schema-aware negatives.
311                        request_body_schema = Some(schema.clone());
312                    }
313                }
314            }
315        }
316
317        // Detect response code features
318        Self::annotate_responses(&op.operation, spec, &mut features);
319
320        // Extract response schema for validation (resolves $ref)
321        let response_schema = Self::extract_response_schema(&op.operation, spec);
322        if response_schema.is_some() {
323            features.push(ConformanceFeature::ResponseValidation);
324        }
325        // Round 25 — per-status response schema map (closes round 21.3).
326        let response_schemas = Self::extract_response_schemas_per_status(&op.operation, spec);
327
328        // Detect content negotiation (response with multiple content types)
329        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
330
331        // Detect security features and resolve scheme details
332        let mut security_schemes = Vec::new();
333        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
334
335        // Deduplicate features
336        features.sort_by_key(|f| f.check_name());
337        features.dedup_by_key(|f| f.check_name());
338
339        AnnotatedOperation {
340            path: op.path.clone(),
341            method: op.method.to_uppercase(),
342            features,
343            request_body_content_type,
344            sample_body,
345            query_params,
346            header_params,
347            path_params,
348            response_schema,
349            response_schemas,
350            request_body_schema,
351            security_schemes,
352        }
353    }
354
355    /// Annotate parameter features
356    fn annotate_parameter(
357        param: &Parameter,
358        spec: &OpenAPI,
359        features: &mut Vec<ConformanceFeature>,
360        query_params: &mut Vec<(String, String)>,
361        header_params: &mut Vec<(String, String)>,
362        path_params: &mut Vec<(String, String)>,
363    ) {
364        let (location, data) = match param {
365            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
366            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
367            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
368            Parameter::Cookie { .. } => {
369                features.push(ConformanceFeature::CookieParam);
370                return;
371            }
372        };
373
374        // Detect type from schema
375        let is_integer = Self::param_schema_is_integer(data, spec);
376        let is_array = Self::param_schema_is_array(data, spec);
377
378        // Generate sample value
379        let sample = if is_integer {
380            "42".to_string()
381        } else if is_array {
382            "a,b".to_string()
383        } else {
384            "test-value".to_string()
385        };
386
387        match location {
388            "path" => {
389                if is_integer {
390                    features.push(ConformanceFeature::PathParamInteger);
391                } else {
392                    features.push(ConformanceFeature::PathParamString);
393                }
394                path_params.push((data.name.clone(), sample));
395            }
396            "query" => {
397                if is_array {
398                    features.push(ConformanceFeature::QueryParamArray);
399                } else if is_integer {
400                    features.push(ConformanceFeature::QueryParamInteger);
401                } else {
402                    features.push(ConformanceFeature::QueryParamString);
403                }
404                query_params.push((data.name.clone(), sample));
405            }
406            "header" => {
407                features.push(ConformanceFeature::HeaderParam);
408                header_params.push((data.name.clone(), sample));
409            }
410            _ => {}
411        }
412
413        // Check for constraint features on the parameter (resolves $ref)
414        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
415            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
416                Self::annotate_schema(schema, spec, features);
417            }
418        }
419
420        // Required/optional
421        if data.required {
422            features.push(ConformanceFeature::ConstraintRequired);
423        } else {
424            features.push(ConformanceFeature::ConstraintOptional);
425        }
426    }
427
428    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
429        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
430            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
431                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
432            }
433        }
434        false
435    }
436
437    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
438        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
439            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
440                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
441            }
442        }
443        false
444    }
445
446    /// Annotate schema-level features (types, composition, formats, constraints)
447    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
448        match &schema.schema_kind {
449            SchemaKind::Type(Type::String(s)) => {
450                features.push(ConformanceFeature::SchemaString);
451                // Check format
452                match &s.format {
453                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
454                        features.push(ConformanceFeature::FormatDate);
455                    }
456                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
457                        features.push(ConformanceFeature::FormatDateTime);
458                    }
459                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
460                        "email" => features.push(ConformanceFeature::FormatEmail),
461                        "uuid" => features.push(ConformanceFeature::FormatUuid),
462                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
463                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
464                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
465                        _ => {}
466                    },
467                    _ => {}
468                }
469                // Check constraints
470                if s.pattern.is_some() {
471                    features.push(ConformanceFeature::ConstraintPattern);
472                }
473                if !s.enumeration.is_empty() {
474                    features.push(ConformanceFeature::ConstraintEnum);
475                }
476                if s.min_length.is_some() || s.max_length.is_some() {
477                    features.push(ConformanceFeature::ConstraintMinMax);
478                }
479            }
480            SchemaKind::Type(Type::Integer(i)) => {
481                features.push(ConformanceFeature::SchemaInteger);
482                if i.minimum.is_some() || i.maximum.is_some() {
483                    features.push(ConformanceFeature::ConstraintMinMax);
484                }
485                if !i.enumeration.is_empty() {
486                    features.push(ConformanceFeature::ConstraintEnum);
487                }
488            }
489            SchemaKind::Type(Type::Number(n)) => {
490                features.push(ConformanceFeature::SchemaNumber);
491                if n.minimum.is_some() || n.maximum.is_some() {
492                    features.push(ConformanceFeature::ConstraintMinMax);
493                }
494            }
495            SchemaKind::Type(Type::Boolean(_)) => {
496                features.push(ConformanceFeature::SchemaBoolean);
497            }
498            SchemaKind::Type(Type::Array(arr)) => {
499                features.push(ConformanceFeature::SchemaArray);
500                if let Some(item_ref) = &arr.items {
501                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
502                        Self::annotate_schema(item_schema, spec, features);
503                    }
504                }
505            }
506            SchemaKind::Type(Type::Object(obj)) => {
507                features.push(ConformanceFeature::SchemaObject);
508                // Check required fields
509                if !obj.required.is_empty() {
510                    features.push(ConformanceFeature::ConstraintRequired);
511                }
512                // Walk properties (resolves $ref)
513                for (_name, prop_ref) in &obj.properties {
514                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
515                        Self::annotate_schema(prop_schema, spec, features);
516                    }
517                }
518            }
519            SchemaKind::OneOf { .. } => {
520                features.push(ConformanceFeature::CompositionOneOf);
521            }
522            SchemaKind::AnyOf { .. } => {
523                features.push(ConformanceFeature::CompositionAnyOf);
524            }
525            SchemaKind::AllOf { .. } => {
526                features.push(ConformanceFeature::CompositionAllOf);
527            }
528            _ => {}
529        }
530    }
531
532    /// Detect response code features (resolves $ref in responses)
533    fn annotate_responses(
534        operation: &Operation,
535        spec: &OpenAPI,
536        features: &mut Vec<ConformanceFeature>,
537    ) {
538        for (status_code, resp_ref) in &operation.responses.responses {
539            // Only count features for responses that actually resolve
540            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
541                match status_code {
542                    openapiv3::StatusCode::Code(200) => {
543                        features.push(ConformanceFeature::Response200)
544                    }
545                    openapiv3::StatusCode::Code(201) => {
546                        features.push(ConformanceFeature::Response201)
547                    }
548                    openapiv3::StatusCode::Code(204) => {
549                        features.push(ConformanceFeature::Response204)
550                    }
551                    openapiv3::StatusCode::Code(400) => {
552                        features.push(ConformanceFeature::Response400)
553                    }
554                    openapiv3::StatusCode::Code(404) => {
555                        features.push(ConformanceFeature::Response404)
556                    }
557                    _ => {}
558                }
559            }
560        }
561    }
562
563    /// Round 25 — extract every declared response schema, keyed by the
564    /// numeric HTTP status. Only `application/json` content types are
565    /// included (the only body shape the self-test validates against).
566    /// Used by the self-test driver to validate response bodies against
567    /// the schema for the ACTUAL status returned, not just 200.
568    fn extract_response_schemas_per_status(
569        operation: &Operation,
570        spec: &OpenAPI,
571    ) -> std::collections::BTreeMap<u16, serde_json::Value> {
572        let mut out = std::collections::BTreeMap::new();
573        for (code, resp_ref) in &operation.responses.responses {
574            let openapiv3::StatusCode::Code(n) = code else {
575                continue; // skip "default" / range responses for now
576            };
577            let Some(response) = ref_resolver::resolve_response(resp_ref, spec) else {
578                continue;
579            };
580            let Some(media) = response.content.get("application/json") else {
581                continue;
582            };
583            let Some(schema_ref) = &media.schema else {
584                continue;
585            };
586            let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) else {
587                continue;
588            };
589            // Convert openapiv3::Schema → serde_json::Value so the
590            // validation step can hand it straight to jsonschema.
591            if let Ok(value) = serde_json::to_value(schema) {
592                out.insert(*n, value);
593            }
594        }
595        out
596    }
597
598    /// Extract the response schema for the primary success response (200 or 201)
599    /// Resolves $ref for both the response and the schema within it.
600    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
601        // Try 200 first, then 201
602        for code in [200u16, 201] {
603            if let Some(resp_ref) =
604                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
605            {
606                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
607                    if let Some(media) = response.content.get("application/json") {
608                        if let Some(schema_ref) = &media.schema {
609                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
610                                return Some(schema.clone());
611                            }
612                        }
613                    }
614                }
615            }
616        }
617        None
618    }
619
620    /// Detect content negotiation: response supports multiple content types
621    fn annotate_content_negotiation(
622        operation: &Operation,
623        spec: &OpenAPI,
624        features: &mut Vec<ConformanceFeature>,
625    ) {
626        for (_status_code, resp_ref) in &operation.responses.responses {
627            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
628                if response.content.len() > 1 {
629                    features.push(ConformanceFeature::ContentNegotiation);
630                    return; // Only need to detect once per operation
631                }
632            }
633        }
634    }
635
636    /// Detect security scheme features.
637    /// Checks operation-level security first, falling back to global security requirements.
638    /// Resolves scheme names against SecurityScheme definitions in components.
639    fn annotate_security(
640        operation: &Operation,
641        spec: &OpenAPI,
642        features: &mut Vec<ConformanceFeature>,
643        security_schemes: &mut Vec<SecuritySchemeInfo>,
644    ) {
645        // Use operation-level security if present, otherwise fall back to global
646        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
647
648        if let Some(security) = security_reqs {
649            for security_req in security {
650                for scheme_name in security_req.keys() {
651                    // Try to resolve the scheme from components for accurate type detection
652                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
653                        match resolved {
654                            SecurityScheme::HTTP { ref scheme, .. } => {
655                                if scheme.eq_ignore_ascii_case("bearer") {
656                                    features.push(ConformanceFeature::SecurityBearer);
657                                    security_schemes.push(SecuritySchemeInfo::Bearer);
658                                } else if scheme.eq_ignore_ascii_case("basic") {
659                                    features.push(ConformanceFeature::SecurityBasic);
660                                    security_schemes.push(SecuritySchemeInfo::Basic);
661                                }
662                            }
663                            SecurityScheme::APIKey { location, name, .. } => {
664                                features.push(ConformanceFeature::SecurityApiKey);
665                                let loc = match location {
666                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
667                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
668                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
669                                };
670                                security_schemes.push(SecuritySchemeInfo::ApiKey {
671                                    location: loc,
672                                    name: name.clone(),
673                                });
674                            }
675                            // OAuth2 and OpenIDConnect don't map to our current feature set
676                            _ => {}
677                        }
678                    } else {
679                        // Fallback: heuristic name matching for unresolvable schemes
680                        let name_lower = scheme_name.to_lowercase();
681                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
682                            features.push(ConformanceFeature::SecurityBearer);
683                            security_schemes.push(SecuritySchemeInfo::Bearer);
684                        } else if name_lower.contains("api") && name_lower.contains("key") {
685                            features.push(ConformanceFeature::SecurityApiKey);
686                            security_schemes.push(SecuritySchemeInfo::ApiKey {
687                                location: ApiKeyLocation::Header,
688                                name: "X-API-Key".to_string(),
689                            });
690                        } else if name_lower.contains("basic") {
691                            features.push(ConformanceFeature::SecurityBasic);
692                            security_schemes.push(SecuritySchemeInfo::Basic);
693                        }
694                    }
695                }
696            }
697        }
698    }
699
700    /// Resolve a security scheme name to its SecurityScheme definition
701    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
702        let components = spec.components.as_ref()?;
703        match components.security_schemes.get(name)? {
704            ReferenceOr::Item(scheme) => Some(scheme),
705            ReferenceOr::Reference { .. } => None,
706        }
707    }
708
709    /// Returns the number of operations being tested
710    pub fn operation_count(&self) -> usize {
711        self.operations.len()
712    }
713
714    /// Generate the k6 conformance script.
715    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
716    pub fn generate(&self) -> Result<(String, usize)> {
717        let mut script = String::with_capacity(16384);
718
719        // Imports
720        script.push_str("import http from 'k6/http';\n");
721        script.push_str("import { check, group } from 'k6';\n");
722        if self.config.request_delay_ms > 0 {
723            script.push_str("import { sleep } from 'k6';\n");
724        }
725        script.push('\n');
726
727        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
728        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
729        // http_req_failed errors, producing a misleading error rate percentage.
730        script.push_str(
731            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
732        );
733
734        // Options
735        script.push_str("export const options = {\n");
736        script.push_str("  vus: 1,\n");
737        script.push_str("  iterations: 1,\n");
738        if self.config.skip_tls_verify {
739            script.push_str("  insecureSkipTLSVerify: true,\n");
740        }
741        script.push_str("  thresholds: {\n");
742        script.push_str("    checks: ['rate>0'],\n");
743        script.push_str("  },\n");
744        script.push_str("};\n\n");
745
746        // Base URL (includes base_path if configured)
747        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
748        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
749
750        // Round 39 (#79) — emit init-scope code (e.g. `open()` calls
751        // for file uploads in custom checks) here, before any
752        // function declarations.
753        let custom_emit = self.config.generate_custom_group()?;
754        if let Some(emit) = &custom_emit {
755            if !emit.init_code.is_empty() {
756                script.push_str("// Round 39 (#79) — preloaded upload bytes for custom checks\n");
757                script.push_str(&emit.init_code);
758                script.push('\n');
759            }
760        }
761
762        // Failure detail collector — logs req/res info for failed checks via console.log
763        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
764        script
765            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
766        script.push_str("  let bodyStr = '';\n");
767        script.push_str("  try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
768        script.push_str("  let reqHeaders = {};\n");
769        script.push_str(
770            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
771        );
772        script.push_str("  let reqBody = '';\n");
773        script.push_str("  if (res.request && res.request.body) { try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch(e) {} }\n");
774        script.push_str("  let payload = {\n");
775        script.push_str("    check: checkName,\n");
776        script.push_str("    request: {\n");
777        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
778        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
779        script.push_str("      headers: reqHeaders,\n");
780        script.push_str("      body: reqBody,\n");
781        script.push_str("    },\n");
782        script.push_str("    response: {\n");
783        script.push_str("      status: res.status,\n");
784        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
785        script.push_str("      body: bodyStr,\n");
786        script.push_str("    },\n");
787        script.push_str("    expected: expected,\n");
788        script.push_str("  };\n");
789        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
790        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
791        script.push_str("}\n\n");
792
793        // Request/response capture for --export-requests
794        //
795        // Round 44 (#79) — mirror the resilience added in `generator.rs`:
796        // wrap the primary stringify in try/catch + fall back to a minimal
797        // entry + last-resort hand-rolled JSON so a multipart body that
798        // contains bytes JSON.stringify can't roundtrip never silently
799        // drops the row from the export. See `generator.rs` for the
800        // surfacing incident.
801        if self.config.export_requests {
802            script.push_str("function __captureExchange(checkName, res) {\n");
803            script.push_str("  try {\n");
804            script.push_str("    let bodyStr = '';\n");
805            script.push_str("    try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
806            script.push_str("    let reqHeaders = {};\n");
807            script.push_str(
808                "    if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
809            );
810            // Round 46 (#79) — mirror the structured multipart summary
811            // from `generator.rs`. See the long comment there; same
812            // rationale (k6 logfmt mangling on raw binary bytes).
813            script.push_str("    let reqBody = '';\n");
814            script.push_str("    {\n");
815            script.push_str(
816                "      const ct = (reqHeaders['Content-Type'] || reqHeaders['content-type'] || '').toString();\n",
817            );
818            script.push_str("      const isMultipart = ct.startsWith('multipart/');\n");
819            script.push_str(
820                "      if (isMultipart && res.request && res.request.body) {\n\
821                 \x20\x20\x20\x20\x20\x20\x20\x20try {\n\
822                 \x20\x20\x20\x20\x20\x20\x20\x20  const raw = res.request.body;\n\
823                 \x20\x20\x20\x20\x20\x20\x20\x20  let totalBytes = raw.length;\n\
824                 \x20\x20\x20\x20\x20\x20\x20\x20  const boundaryMatch = ct.match(/boundary=([^;]+)/);\n\
825                 \x20\x20\x20\x20\x20\x20\x20\x20  const boundary = boundaryMatch ? boundaryMatch[1].replace(/^\"|\"$/g, '') : '';\n\
826                 \x20\x20\x20\x20\x20\x20\x20\x20  const parts = [];\n\
827                 \x20\x20\x20\x20\x20\x20\x20\x20  if (boundary) {\n\
828                 \x20\x20\x20\x20\x20\x20\x20\x20    const sep = '--' + boundary;\n\
829                 \x20\x20\x20\x20\x20\x20\x20\x20    let cursor = raw.indexOf(sep);\n\
830                 \x20\x20\x20\x20\x20\x20\x20\x20    while (cursor !== -1 && parts.length < 100) {\n\
831                 \x20\x20\x20\x20\x20\x20\x20\x20      const next = raw.indexOf(sep, cursor + sep.length);\n\
832                 \x20\x20\x20\x20\x20\x20\x20\x20      if (next === -1) break;\n\
833                 \x20\x20\x20\x20\x20\x20\x20\x20      const slice = raw.substring(cursor + sep.length, next);\n\
834                 \x20\x20\x20\x20\x20\x20\x20\x20      const headerEnd = slice.indexOf('\\r\\n\\r\\n');\n\
835                 \x20\x20\x20\x20\x20\x20\x20\x20      const partHeaders = headerEnd === -1 ? slice : slice.substring(0, headerEnd);\n\
836                 \x20\x20\x20\x20\x20\x20\x20\x20      const partBody = headerEnd === -1 ? '' : slice.substring(headerEnd + 4);\n\
837                 \x20\x20\x20\x20\x20\x20\x20\x20      const nameMatch = partHeaders.match(/name=\"([^\"]+)\"/);\n\
838                 \x20\x20\x20\x20\x20\x20\x20\x20      const filenameMatch = partHeaders.match(/filename=\"([^\"]+)\"/);\n\
839                 \x20\x20\x20\x20\x20\x20\x20\x20      const partCtMatch = partHeaders.match(/Content-Type:\\s*([^\\r\\n]+)/i);\n\
840                 \x20\x20\x20\x20\x20\x20\x20\x20      parts.push({\n\
841                 \x20\x20\x20\x20\x20\x20\x20\x20        name: nameMatch ? nameMatch[1] : '',\n\
842                 \x20\x20\x20\x20\x20\x20\x20\x20        filename: filenameMatch ? filenameMatch[1] : '',\n\
843                 \x20\x20\x20\x20\x20\x20\x20\x20        contentType: partCtMatch ? partCtMatch[1].trim() : '',\n\
844                 \x20\x20\x20\x20\x20\x20\x20\x20        bytes: Math.max(0, partBody.length - 2),\n\
845                 \x20\x20\x20\x20\x20\x20\x20\x20      });\n\
846                 \x20\x20\x20\x20\x20\x20\x20\x20      cursor = next;\n\
847                 \x20\x20\x20\x20\x20\x20\x20\x20    }\n\
848                 \x20\x20\x20\x20\x20\x20\x20\x20  }\n\
849                 \x20\x20\x20\x20\x20\x20\x20\x20  // Round 47 #79 — overlay on-disk byte counts (see generator.rs).\n\
850                 \x20\x20\x20\x20\x20\x20\x20\x20  const __mfSizes = (globalThis.__mfUploadSizes || {})[checkName] || {};\n\
851                 \x20\x20\x20\x20\x20\x20\x20\x20  let __allKnown = parts.length > 0;\n\
852                 \x20\x20\x20\x20\x20\x20\x20\x20  parts.forEach(function (p) { if (typeof __mfSizes[p.name] === 'number') { p.bytes = __mfSizes[p.name]; } else { __allKnown = false; } });\n\
853                 \x20\x20\x20\x20\x20\x20\x20\x20  const partsTotal = parts.reduce(function (acc, p) { return acc + p.bytes; }, 0);\n\
854                 \x20\x20\x20\x20\x20\x20\x20\x20  if (__allKnown) totalBytes = partsTotal;\n\
855                 \x20\x20\x20\x20\x20\x20\x20\x20  // Round 49 #79 — total = disk-sum payload; wire = total + multipart envelope.\n\
856                 \x20\x20\x20\x20\x20\x20\x20\x20  const wireBytes = (typeof raw === 'string' && raw.length) ? raw.length : totalBytes;\n\
857                 \x20\x20\x20\x20\x20\x20\x20\x20  const summary = parts.map(function (p) { return '\\'' + p.name + '\\':\\'' + p.filename + '\\' (' + p.contentType + ', ' + p.bytes + ' bytes)'; }).join(', ');\n\
858                 \x20\x20\x20\x20\x20\x20\x20\x20  reqBody = '<multipart/form-data; boundary=' + boundary + '; ' + parts.length + ' part(s); total ' + totalBytes + ' bytes (wire ' + wireBytes + ' bytes w/ envelope): ' + summary + '>';\n\
859                 \x20\x20\x20\x20\x20\x20\x20\x20} catch (e) {\n\
860                 \x20\x20\x20\x20\x20\x20\x20\x20  reqBody = '<multipart upload; summary failed: ' + (e && e.message ? e.message : 'unknown') + '>';\n\
861                 \x20\x20\x20\x20\x20\x20\x20\x20}\n\
862                 \x20\x20\x20\x20\x20\x20} else if (isMultipart) {\n\
863                 \x20\x20\x20\x20\x20\x20\x20\x20reqBody = '<multipart upload; body bytes not surfaced by k6 res.request.body>';\n\
864                 \x20\x20\x20\x20\x20\x20} else if (res.request && res.request.body) {\n\
865                 \x20\x20\x20\x20\x20\x20\x20\x20try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch (e) {}\n\
866                 \x20\x20\x20\x20\x20\x20}\n\
867                 \x20\x20\x20\x20}\n",
868            );
869            // Round 47 (#79) — mirror network-event emit from generator.rs.
870            script.push_str(
871                "    if (res && res.status === 0) {\n\
872                 \x20\x20\x20\x20\x20\x20const ec = (res.error_code != null) ? res.error_code : 0;\n\
873                 \x20\x20\x20\x20\x20\x20const em = (res.error != null) ? String(res.error) : '';\n\
874                 \x20\x20\x20\x20\x20\x20let kind = 'other';\n\
875                 \x20\x20\x20\x20\x20\x20if (ec >= 1200 && ec < 1300) kind = 'connect';\n\
876                 \x20\x20\x20\x20\x20\x20else if (ec >= 1300 && ec < 1400) kind = 'tls';\n\
877                 \x20\x20\x20\x20\x20\x20else if (ec >= 1400 && ec < 1500) kind = 'timeout';\n\
878                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('eof') !== -1) kind = 'connect';\n                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('timeout') !== -1) kind = 'timeout';\n\
879                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('tls') !== -1) kind = 'tls';\n\
880                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('connect') !== -1 || em.toLowerCase().indexOf('refused') !== -1) kind = 'connect';\n\
881                 \x20\x20\x20\x20\x20\x20console.log('MOCKFORGE_NETWORK_EVENT:' + JSON.stringify({\n\
882                 \x20\x20\x20\x20\x20\x20  timestamp: new Date().toISOString(),\n\
883                 \x20\x20\x20\x20\x20\x20  check: checkName,\n\
884                 \x20\x20\x20\x20\x20\x20  method: res.request ? res.request.method : 'unknown',\n\
885                 \x20\x20\x20\x20\x20\x20  url: res.request ? res.request.url : res.url || 'unknown',\n\
886                 \x20\x20\x20\x20\x20\x20  kind: kind,\n\
887                 \x20\x20\x20\x20\x20\x20  error_code: ec,\n\
888                 \x20\x20\x20\x20\x20\x20  message: em,\n\
889                 \x20\x20\x20\x20\x20\x20}));\n\
890                 \x20\x20\x20\x20}\n",
891            );
892            script.push_str("    console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
893            script.push_str("      check: checkName,\n");
894            script.push_str("      request: {\n");
895            script.push_str("        method: res.request ? res.request.method : 'unknown',\n");
896            script.push_str("        url: res.request ? res.request.url : res.url || 'unknown',\n");
897            script.push_str("        headers: reqHeaders,\n");
898            script.push_str("        body: reqBody,\n");
899            script.push_str("      },\n");
900            script.push_str("      response: {\n");
901            script.push_str("        status: res.status,\n");
902            script.push_str("        headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
903            script.push_str("        body: bodyStr,\n");
904            script.push_str("      },\n");
905            script.push_str("    }));\n");
906            script.push_str("  } catch (e) {\n");
907            script.push_str("    try {\n");
908            script.push_str("      console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
909            script.push_str("        check: checkName,\n");
910            script.push_str("        request: {\n");
911            script.push_str(
912                "          method: (res && res.request) ? res.request.method : 'unknown',\n",
913            );
914            script.push_str("          url: (res && res.request) ? res.request.url : (res && res.url) || 'unknown',\n");
915            script.push_str("          headers: {},\n");
916            script.push_str("          body: '<exchange capture failed: ' + (e && e.message ? e.message : 'unknown error') + '>',\n");
917            script.push_str("        },\n");
918            script.push_str("        response: {\n");
919            script.push_str("          status: (res && res.status) || 0,\n");
920            script.push_str("          headers: {},\n");
921            script.push_str("          body: '',\n");
922            script.push_str("        },\n");
923            script.push_str("        _export_error: (e && e.message) ? e.message : String(e),\n");
924            script.push_str("      }));\n");
925            script.push_str("    } catch (e2) {\n");
926            script.push_str("      console.log('MOCKFORGE_EXCHANGE:{\"check\":\"' + checkName + '\",\"request\":{\"method\":\"unknown\",\"url\":\"unknown\",\"headers\":{},\"body\":\"\"},\"response\":{\"status\":0,\"headers\":{},\"body\":\"\"},\"_export_error\":\"double-fault\"}');\n");
927            script.push_str("    }\n");
928            script.push_str("  }\n");
929            script.push_str("}\n\n");
930        }
931
932        // Default function
933        script.push_str("export default function () {\n");
934
935        if self.config.has_cookie_header() {
936            script.push_str(
937                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
938            );
939            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
940        }
941
942        // Group operations by category
943        let mut category_ops: std::collections::BTreeMap<
944            &'static str,
945            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
946        > = std::collections::BTreeMap::new();
947
948        for op in &self.operations {
949            for feature in &op.features {
950                let category = feature.category();
951                if self.config.should_include_category(category) {
952                    category_ops.entry(category).or_default().push((op, feature));
953                }
954            }
955        }
956
957        // Emit grouped tests
958        let mut total_checks = 0usize;
959        for (category, ops) in &category_ops {
960            script.push_str(&format!("  group('{}', function () {{\n", category));
961
962            if self.config.all_operations {
963                // All-operations mode: test every operation, using path-qualified check names
964                let mut emitted_checks: HashSet<String> = HashSet::new();
965                for (op, feature) in ops {
966                    let qualified = format!("{}:{}", feature.check_name(), op.path);
967                    if emitted_checks.insert(qualified.clone()) {
968                        self.emit_check_named(&mut script, op, feature, &qualified);
969                        total_checks += 1;
970                    }
971                }
972            } else {
973                // Default: one representative operation per feature, with path-qualified
974                // check names so failures identify which endpoint was tested.
975                let mut emitted_features: HashSet<&str> = HashSet::new();
976                for (op, feature) in ops {
977                    if emitted_features.insert(feature.check_name()) {
978                        let qualified = format!("{}:{}", feature.check_name(), op.path);
979                        self.emit_check_named(&mut script, op, feature, &qualified);
980                        total_checks += 1;
981                    }
982                }
983            }
984
985            script.push_str("  });\n\n");
986        }
987
988        // Custom checks from YAML file — round 39: init-scope code
989        // was already emitted above; here we just splice the group
990        // body inside the default function.
991        if let Some(emit) = custom_emit {
992            script.push_str(&emit.group_body);
993        }
994
995        script.push_str("}\n\n");
996
997        // handleSummary
998        self.generate_handle_summary(&mut script);
999
1000        Ok((script, total_checks))
1001    }
1002
1003    /// Emit a single k6 check for an operation + feature with a custom check name
1004    fn emit_check_named(
1005        &self,
1006        script: &mut String,
1007        op: &AnnotatedOperation,
1008        feature: &ConformanceFeature,
1009        check_name: &str,
1010    ) {
1011        // Escape single quotes in check name since it's embedded in JS single-quoted strings
1012        let check_name = check_name.replace('\'', "\\'");
1013        let check_name = check_name.as_str();
1014
1015        script.push_str("    {\n");
1016
1017        // Build the URL path with parameters substituted
1018        let mut url_path = op.path.clone();
1019        for (name, value) in &op.path_params {
1020            url_path = url_path.replace(&format!("{{{}}}", name), value);
1021        }
1022
1023        // Build query string
1024        if !op.query_params.is_empty() {
1025            let qs: Vec<String> =
1026                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
1027            url_path = format!("{}?{}", url_path, qs.join("&"));
1028        }
1029
1030        let full_url = format!("${{BASE_URL}}{}", url_path);
1031
1032        // Build effective headers: merge spec-derived headers with custom headers.
1033        // Custom headers override spec-derived ones with the same name.
1034        let mut effective_headers = self.effective_headers(&op.header_params);
1035
1036        // For non-default response code checks, add header to tell the mock server
1037        // which status code to return (the server defaults to the first declared status)
1038        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
1039            let expected_code = match feature {
1040                ConformanceFeature::Response400 => "400",
1041                ConformanceFeature::Response404 => "404",
1042                _ => unreachable!(),
1043            };
1044            effective_headers
1045                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
1046        }
1047
1048        // For security checks AND for all requests on endpoints with security requirements,
1049        // inject auth credentials so the server doesn't reject with 401.
1050        // Only inject if the user hasn't already provided the header via --custom-headers.
1051        let needs_auth = matches!(
1052            feature,
1053            ConformanceFeature::SecurityBearer
1054                | ConformanceFeature::SecurityBasic
1055                | ConformanceFeature::SecurityApiKey
1056        ) || !op.security_schemes.is_empty();
1057
1058        if needs_auth {
1059            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
1060        }
1061
1062        let has_headers = !effective_headers.is_empty();
1063        let headers_obj = if has_headers {
1064            Self::format_headers(&effective_headers)
1065        } else {
1066            String::new()
1067        };
1068
1069        // Determine HTTP method and emit request
1070        match op.method.as_str() {
1071            "GET" => {
1072                if has_headers {
1073                    script.push_str(&format!(
1074                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1075                        full_url, headers_obj
1076                    ));
1077                } else {
1078                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1079                }
1080            }
1081            "POST" => {
1082                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
1083            }
1084            "PUT" => {
1085                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
1086            }
1087            "PATCH" => {
1088                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
1089            }
1090            "DELETE" => {
1091                if has_headers {
1092                    script.push_str(&format!(
1093                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
1094                        full_url, headers_obj
1095                    ));
1096                } else {
1097                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
1098                }
1099            }
1100            "HEAD" => {
1101                if has_headers {
1102                    script.push_str(&format!(
1103                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
1104                        full_url, headers_obj
1105                    ));
1106                } else {
1107                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
1108                }
1109            }
1110            "OPTIONS" => {
1111                if has_headers {
1112                    script.push_str(&format!(
1113                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
1114                        full_url, headers_obj
1115                    ));
1116                } else {
1117                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
1118                }
1119            }
1120            _ => {
1121                if has_headers {
1122                    script.push_str(&format!(
1123                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1124                        full_url, headers_obj
1125                    ));
1126                } else {
1127                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1128                }
1129            }
1130        }
1131
1132        // Capture request/response for --export-requests
1133        // (check_name is already escaped at line 829 above — don't double-escape)
1134        if self.config.export_requests {
1135            script.push_str(&format!(
1136                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
1137                check_name
1138            ));
1139        }
1140
1141        // Check: emit assertion based on feature type, with failure detail capture
1142        if matches!(
1143            feature,
1144            ConformanceFeature::Response200
1145                | ConformanceFeature::Response201
1146                | ConformanceFeature::Response204
1147                | ConformanceFeature::Response400
1148                | ConformanceFeature::Response404
1149        ) {
1150            let expected_code = match feature {
1151                ConformanceFeature::Response200 => 200,
1152                ConformanceFeature::Response201 => 201,
1153                ConformanceFeature::Response204 => 204,
1154                ConformanceFeature::Response400 => 400,
1155                ConformanceFeature::Response404 => 404,
1156                _ => 200,
1157            };
1158            script.push_str(&format!(
1159                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
1160                check_name, expected_code, check_name, expected_code
1161            ));
1162        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
1163            // Response schema validation — validate the response body against the schema
1164            // Uses inline field-level error collection so failure details include
1165            // which specific fields violated the schema (field_path, violation_type,
1166            // expected, actual) — matching the Ajv `errors` array structure.
1167            if let Some(schema) = &op.response_schema {
1168                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
1169                let schema_json = serde_json::to_string(schema).unwrap_or_default();
1170                // Escape backticks and backslashes for JS template literal safety
1171                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
1172                script.push_str(&format!(
1173                    concat!(
1174                        "      try {{\n",
1175                        "        let body = res.json();\n",
1176                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
1177                        "        if (!ok) {{\n",
1178                        "          let __violations = [];\n",
1179                        "          try {{\n",
1180                        "            let __schema = JSON.parse(`{schema}`);\n",
1181                        "            function __collectErrors(schema, data, path) {{\n",
1182                        "              if (!schema || typeof schema !== 'object') return;\n",
1183                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1184                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1185                        "              if (st === 'object') {{\n",
1186                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1187                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1188                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1189                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1190                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1191                        "              }} else if (st === 'array') {{\n",
1192                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1193                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1194                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1195                        "              }} else if (st === 'string') {{\n",
1196                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1197                        "              }} else if (st === 'integer') {{\n",
1198                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1199                        "              }} else if (st === 'number') {{\n",
1200                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1201                        "              }} else if (st === 'boolean') {{\n",
1202                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1203                        "              }}\n",
1204                        "            }}\n",
1205                        "            __collectErrors(__schema, body, '');\n",
1206                        "          }} catch(_e) {{}}\n",
1207                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1208                        "        }}\n",
1209                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1210                    ),
1211                    check = check_name,
1212                    validation = validation_js,
1213                    schema = schema_json_escaped,
1214                ));
1215            }
1216        } else if matches!(
1217            feature,
1218            ConformanceFeature::SecurityBearer
1219                | ConformanceFeature::SecurityBasic
1220                | ConformanceFeature::SecurityApiKey
1221        ) {
1222            // Security checks verify the server accepts the auth credentials (not 401/403)
1223            script.push_str(&format!(
1224                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1225                check_name, check_name
1226            ));
1227        } else {
1228            script.push_str(&format!(
1229                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1230                check_name, check_name
1231            ));
1232        }
1233
1234        // Clear cookie jar after each request to prevent Set-Cookie leaking
1235        let has_cookie = self.config.has_cookie_header()
1236            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1237        if has_cookie {
1238            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1239        }
1240
1241        script.push_str("    }\n");
1242
1243        // Rate-limit delay between checks (to avoid 429 from target API)
1244        if self.config.request_delay_ms > 0 {
1245            script.push_str(&format!(
1246                "    sleep({:.3});\n",
1247                self.config.request_delay_ms as f64 / 1000.0
1248            ));
1249        }
1250    }
1251
1252    /// Emit an HTTP request with a body
1253    fn emit_request_with_body(
1254        &self,
1255        script: &mut String,
1256        method: &str,
1257        url: &str,
1258        op: &AnnotatedOperation,
1259        effective_headers: &[(String, String)],
1260    ) {
1261        if let Some(body) = &op.sample_body {
1262            let escaped_body = body.replace('\'', "\\'");
1263            let headers = if !effective_headers.is_empty() {
1264                format!(
1265                    "Object.assign({{}}, JSON_HEADERS, {})",
1266                    Self::format_headers(effective_headers)
1267                )
1268            } else {
1269                "JSON_HEADERS".to_string()
1270            };
1271            script.push_str(&format!(
1272                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1273                method, url, escaped_body, headers
1274            ));
1275        } else if !effective_headers.is_empty() {
1276            script.push_str(&format!(
1277                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1278                method,
1279                url,
1280                Self::format_headers(effective_headers)
1281            ));
1282        } else {
1283            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1284        }
1285    }
1286
1287    /// Build effective headers by merging spec-derived headers with custom headers.
1288    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1289    /// Custom headers not in the spec are appended.
1290    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1291        let custom = &self.config.custom_headers;
1292        if custom.is_empty() {
1293            return spec_headers.to_vec();
1294        }
1295
1296        let mut result: Vec<(String, String)> = Vec::new();
1297
1298        // Start with spec headers, replacing values if a custom header matches
1299        for (name, value) in spec_headers {
1300            if let Some((_, custom_val)) =
1301                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1302            {
1303                result.push((name.clone(), custom_val.clone()));
1304            } else {
1305                result.push((name.clone(), value.clone()));
1306            }
1307        }
1308
1309        // Append custom headers that aren't already in spec headers
1310        for (name, value) in custom {
1311            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1312                result.push((name.clone(), value.clone()));
1313            }
1314        }
1315
1316        result
1317    }
1318
1319    /// Inject security headers based on resolved security scheme details.
1320    /// Respects user-provided custom headers (won't overwrite if already set).
1321    fn inject_security_headers(
1322        &self,
1323        schemes: &[SecuritySchemeInfo],
1324        headers: &mut Vec<(String, String)>,
1325    ) {
1326        let mut to_add: Vec<(String, String)> = Vec::new();
1327
1328        let has_header = |name: &str, headers: &[(String, String)]| {
1329            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1330                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1331        };
1332
1333        // If user provides Cookie header, they're using session-based auth — skip auto auth
1334        let has_cookie_auth = has_header("Cookie", headers);
1335
1336        for scheme in schemes {
1337            match scheme {
1338                SecuritySchemeInfo::Bearer => {
1339                    if !has_cookie_auth && !has_header("Authorization", headers) {
1340                        // MockForge mock server accepts any Bearer token
1341                        to_add.push((
1342                            "Authorization".to_string(),
1343                            "Bearer mockforge-conformance-test-token".to_string(),
1344                        ));
1345                    }
1346                }
1347                SecuritySchemeInfo::Basic => {
1348                    if !has_cookie_auth && !has_header("Authorization", headers) {
1349                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1350                        use base64::Engine;
1351                        let encoded =
1352                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1353                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1354                    }
1355                }
1356                SecuritySchemeInfo::ApiKey { location, name } => match location {
1357                    ApiKeyLocation::Header => {
1358                        if !has_header(name, headers) {
1359                            let key = self
1360                                .config
1361                                .api_key
1362                                .as_deref()
1363                                .unwrap_or("mockforge-conformance-test-key");
1364                            to_add.push((name.clone(), key.to_string()));
1365                        }
1366                    }
1367                    ApiKeyLocation::Cookie => {
1368                        if !has_header("Cookie", headers) {
1369                            to_add.push((
1370                                "Cookie".to_string(),
1371                                format!("{}=mockforge-conformance-test-session", name),
1372                            ));
1373                        }
1374                    }
1375                    ApiKeyLocation::Query => {
1376                        // Query params are handled via URL, not headers — skip here
1377                    }
1378                },
1379            }
1380        }
1381
1382        headers.extend(to_add);
1383    }
1384
1385    /// Format header params as a JS object literal
1386    fn format_headers(headers: &[(String, String)]) -> String {
1387        let entries: Vec<String> = headers
1388            .iter()
1389            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1390            .collect();
1391        format!("{{ {} }}", entries.join(", "))
1392    }
1393
1394    /// handleSummary — same format as reference mode for report compatibility
1395    fn generate_handle_summary(&self, script: &mut String) {
1396        // Use absolute path for report output so k6 writes where the CLI expects
1397        let report_path = match &self.config.output_dir {
1398            Some(dir) => {
1399                let abs = std::fs::canonicalize(dir)
1400                    .unwrap_or_else(|_| dir.clone())
1401                    .join("conformance-report.json");
1402                abs.to_string_lossy().to_string()
1403            }
1404            None => "conformance-report.json".to_string(),
1405        };
1406
1407        script.push_str("export function handleSummary(data) {\n");
1408        script.push_str("  let checks = {};\n");
1409        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1410        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1411        script.push_str("  }\n");
1412        script.push_str("  let checkResults = {};\n");
1413        script.push_str("  function walkGroups(group) {\n");
1414        script.push_str("    if (group.checks) {\n");
1415        script.push_str("      for (let checkObj of group.checks) {\n");
1416        script.push_str("        checkResults[checkObj.name] = {\n");
1417        script.push_str("          passes: checkObj.passes,\n");
1418        script.push_str("          fails: checkObj.fails,\n");
1419        script.push_str("        };\n");
1420        script.push_str("      }\n");
1421        script.push_str("    }\n");
1422        script.push_str("    if (group.groups) {\n");
1423        script.push_str("      for (let subGroup of group.groups) {\n");
1424        script.push_str("        walkGroups(subGroup);\n");
1425        script.push_str("      }\n");
1426        script.push_str("    }\n");
1427        script.push_str("  }\n");
1428        script.push_str("  if (data.root_group) {\n");
1429        script.push_str("    walkGroups(data.root_group);\n");
1430        script.push_str("  }\n");
1431        script.push_str("  return {\n");
1432        script.push_str(&format!(
1433            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1434            report_path
1435        ));
1436        script.push_str("    'summary.json': JSON.stringify(data),\n");
1437        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1438        script.push_str("  };\n");
1439        script.push_str("}\n\n");
1440        script.push_str("function textSummary(data, opts) {\n");
1441        script.push_str("  return JSON.stringify(data, null, 2);\n");
1442        script.push_str("}\n");
1443    }
1444}
1445
1446#[cfg(test)]
1447mod tests {
1448    use super::*;
1449    use openapiv3::{
1450        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1451        SchemaData, SchemaKind, StringType, Type,
1452    };
1453
1454    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1455        ApiOperation {
1456            method: method.to_string(),
1457            path: path.to_string(),
1458            operation,
1459            operation_id: None,
1460        }
1461    }
1462
1463    fn empty_spec() -> OpenAPI {
1464        OpenAPI::default()
1465    }
1466
1467    #[test]
1468    fn test_annotate_get_with_path_param() {
1469        let mut op = Operation::default();
1470        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1471            parameter_data: ParameterData {
1472                name: "id".to_string(),
1473                description: None,
1474                required: true,
1475                deprecated: None,
1476                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1477                    schema_data: SchemaData::default(),
1478                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1479                })),
1480                example: None,
1481                examples: Default::default(),
1482                explode: None,
1483                extensions: Default::default(),
1484            },
1485            style: PathStyle::Simple,
1486        }));
1487
1488        let api_op = make_op("get", "/users/{id}", op);
1489        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1490
1491        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1492        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1493        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1494        assert_eq!(annotated.path_params.len(), 1);
1495        assert_eq!(annotated.path_params[0].0, "id");
1496    }
1497
1498    #[test]
1499    fn test_annotate_post_with_json_body() {
1500        let mut op = Operation::default();
1501        let mut body = RequestBody {
1502            required: true,
1503            ..Default::default()
1504        };
1505        body.content
1506            .insert("application/json".to_string(), openapiv3::MediaType::default());
1507        op.request_body = Some(ReferenceOr::Item(body));
1508
1509        let api_op = make_op("post", "/items", op);
1510        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1511
1512        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1513        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1514    }
1515
1516    #[test]
1517    fn test_annotate_response_codes() {
1518        let mut op = Operation::default();
1519        op.responses
1520            .responses
1521            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1522        op.responses
1523            .responses
1524            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1525
1526        let api_op = make_op("get", "/items", op);
1527        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1528
1529        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1530        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1531    }
1532
1533    #[test]
1534    fn test_generate_spec_driven_script() {
1535        let config = ConformanceConfig {
1536            target_url: "http://localhost:3000".to_string(),
1537            api_key: None,
1538            basic_auth: None,
1539            skip_tls_verify: false,
1540            categories: None,
1541            base_path: None,
1542            custom_headers: vec![],
1543            output_dir: None,
1544            all_operations: false,
1545            custom_checks_file: None,
1546            request_delay_ms: 0,
1547            custom_filter: None,
1548            export_requests: false,
1549            validate_requests: false,
1550        };
1551
1552        let operations = vec![AnnotatedOperation {
1553            path: "/users/{id}".to_string(),
1554            method: "GET".to_string(),
1555            features: vec![
1556                ConformanceFeature::MethodGet,
1557                ConformanceFeature::PathParamString,
1558            ],
1559            request_body_content_type: None,
1560            sample_body: None,
1561            query_params: vec![],
1562            header_params: vec![],
1563            path_params: vec![("id".to_string(), "test-value".to_string())],
1564            response_schema: None,
1565            response_schemas: std::collections::BTreeMap::new(),
1566            request_body_schema: None,
1567            security_schemes: vec![],
1568        }];
1569
1570        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1571        let (script, _check_count) = gen.generate().unwrap();
1572
1573        assert!(script.contains("import http from 'k6/http'"));
1574        assert!(script.contains("/users/test-value"));
1575        assert!(script.contains("param:path:string"));
1576        assert!(script.contains("method:GET"));
1577        assert!(script.contains("handleSummary"));
1578    }
1579
1580    #[test]
1581    fn test_generate_with_category_filter() {
1582        let config = ConformanceConfig {
1583            target_url: "http://localhost:3000".to_string(),
1584            api_key: None,
1585            basic_auth: None,
1586            skip_tls_verify: false,
1587            categories: Some(vec!["Parameters".to_string()]),
1588            base_path: None,
1589            custom_headers: vec![],
1590            output_dir: None,
1591            all_operations: false,
1592            custom_checks_file: None,
1593            request_delay_ms: 0,
1594            custom_filter: None,
1595            export_requests: false,
1596            validate_requests: false,
1597        };
1598
1599        let operations = vec![AnnotatedOperation {
1600            path: "/users/{id}".to_string(),
1601            method: "GET".to_string(),
1602            features: vec![
1603                ConformanceFeature::MethodGet,
1604                ConformanceFeature::PathParamString,
1605            ],
1606            request_body_content_type: None,
1607            sample_body: None,
1608            query_params: vec![],
1609            header_params: vec![],
1610            path_params: vec![("id".to_string(), "1".to_string())],
1611            response_schema: None,
1612            response_schemas: std::collections::BTreeMap::new(),
1613            request_body_schema: None,
1614            security_schemes: vec![],
1615        }];
1616
1617        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1618        let (script, _check_count) = gen.generate().unwrap();
1619
1620        assert!(script.contains("group('Parameters'"));
1621        assert!(!script.contains("group('HTTP Methods'"));
1622    }
1623
1624    #[test]
1625    fn test_annotate_response_validation() {
1626        use openapiv3::ObjectType;
1627
1628        // Operation with a 200 response that has a JSON schema
1629        let mut op = Operation::default();
1630        let mut response = Response::default();
1631        let mut media = openapiv3::MediaType::default();
1632        let mut obj_type = ObjectType::default();
1633        obj_type.properties.insert(
1634            "name".to_string(),
1635            ReferenceOr::Item(Box::new(Schema {
1636                schema_data: SchemaData::default(),
1637                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1638            })),
1639        );
1640        obj_type.required = vec!["name".to_string()];
1641        media.schema = Some(ReferenceOr::Item(Schema {
1642            schema_data: SchemaData::default(),
1643            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1644        }));
1645        response.content.insert("application/json".to_string(), media);
1646        op.responses
1647            .responses
1648            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1649
1650        let api_op = make_op("get", "/users", op);
1651        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1652
1653        assert!(
1654            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1655            "Should detect ResponseValidation when response has a JSON schema"
1656        );
1657        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1658
1659        // Verify generated script includes schema validation with try-catch
1660        let config = ConformanceConfig {
1661            target_url: "http://localhost:3000".to_string(),
1662            api_key: None,
1663            basic_auth: None,
1664            skip_tls_verify: false,
1665            categories: None,
1666            base_path: None,
1667            custom_headers: vec![],
1668            output_dir: None,
1669            all_operations: false,
1670            custom_checks_file: None,
1671            request_delay_ms: 0,
1672            custom_filter: None,
1673            export_requests: false,
1674            validate_requests: false,
1675        };
1676        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1677        let (script, _check_count) = gen.generate().unwrap();
1678
1679        assert!(
1680            script.contains("response:schema:validation"),
1681            "Script should contain the validation check name"
1682        );
1683        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1684        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1685    }
1686
1687    #[test]
1688    fn test_annotate_global_security() {
1689        // Spec with global security requirement, operation without its own security
1690        let op = Operation::default();
1691        let mut spec = OpenAPI::default();
1692        let mut global_req = openapiv3::SecurityRequirement::new();
1693        global_req.insert("bearerAuth".to_string(), vec![]);
1694        spec.security = Some(vec![global_req]);
1695        // Define the security scheme in components
1696        let mut components = openapiv3::Components::default();
1697        components.security_schemes.insert(
1698            "bearerAuth".to_string(),
1699            ReferenceOr::Item(SecurityScheme::HTTP {
1700                scheme: "bearer".to_string(),
1701                bearer_format: Some("JWT".to_string()),
1702                description: None,
1703                extensions: Default::default(),
1704            }),
1705        );
1706        spec.components = Some(components);
1707
1708        let api_op = make_op("get", "/protected", op);
1709        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1710
1711        assert!(
1712            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1713            "Should detect SecurityBearer from global security + components"
1714        );
1715    }
1716
1717    #[test]
1718    fn test_annotate_security_scheme_resolution() {
1719        // Test that security scheme type is resolved from components, not just name heuristic
1720        let mut op = Operation::default();
1721        // Use a generic name that wouldn't match name heuristics
1722        let mut req = openapiv3::SecurityRequirement::new();
1723        req.insert("myAuth".to_string(), vec![]);
1724        op.security = Some(vec![req]);
1725
1726        let mut spec = OpenAPI::default();
1727        let mut components = openapiv3::Components::default();
1728        components.security_schemes.insert(
1729            "myAuth".to_string(),
1730            ReferenceOr::Item(SecurityScheme::APIKey {
1731                location: openapiv3::APIKeyLocation::Header,
1732                name: "X-API-Key".to_string(),
1733                description: None,
1734                extensions: Default::default(),
1735            }),
1736        );
1737        spec.components = Some(components);
1738
1739        let api_op = make_op("get", "/data", op);
1740        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1741
1742        assert!(
1743            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1744            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1745        );
1746    }
1747
1748    #[test]
1749    fn test_annotate_content_negotiation() {
1750        let mut op = Operation::default();
1751        let mut response = Response::default();
1752        // Response with multiple content types
1753        response
1754            .content
1755            .insert("application/json".to_string(), openapiv3::MediaType::default());
1756        response
1757            .content
1758            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1759        op.responses
1760            .responses
1761            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1762
1763        let api_op = make_op("get", "/items", op);
1764        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1765
1766        assert!(
1767            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1768            "Should detect ContentNegotiation when response has multiple content types"
1769        );
1770    }
1771
1772    #[test]
1773    fn test_no_content_negotiation_for_single_type() {
1774        let mut op = Operation::default();
1775        let mut response = Response::default();
1776        response
1777            .content
1778            .insert("application/json".to_string(), openapiv3::MediaType::default());
1779        op.responses
1780            .responses
1781            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1782
1783        let api_op = make_op("get", "/items", op);
1784        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1785
1786        assert!(
1787            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1788            "Should NOT detect ContentNegotiation for a single content type"
1789        );
1790    }
1791
1792    #[test]
1793    fn test_spec_driven_with_base_path() {
1794        let annotated = AnnotatedOperation {
1795            path: "/users".to_string(),
1796            method: "GET".to_string(),
1797            features: vec![ConformanceFeature::MethodGet],
1798            path_params: vec![],
1799            query_params: vec![],
1800            header_params: vec![],
1801            request_body_content_type: None,
1802            sample_body: None,
1803            response_schema: None,
1804            response_schemas: std::collections::BTreeMap::new(),
1805            request_body_schema: None,
1806            security_schemes: vec![],
1807        };
1808        let config = ConformanceConfig {
1809            target_url: "https://192.168.2.86/".to_string(),
1810            api_key: None,
1811            basic_auth: None,
1812            skip_tls_verify: true,
1813            categories: None,
1814            base_path: Some("/api".to_string()),
1815            custom_headers: vec![],
1816            output_dir: None,
1817            all_operations: false,
1818            custom_checks_file: None,
1819            request_delay_ms: 0,
1820            custom_filter: None,
1821            export_requests: false,
1822            validate_requests: false,
1823        };
1824        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1825        let (script, _check_count) = gen.generate().unwrap();
1826
1827        assert!(
1828            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1829            "BASE_URL should include the base_path. Got: {}",
1830            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1831        );
1832    }
1833
1834    #[test]
1835    fn test_spec_driven_with_custom_headers() {
1836        let annotated = AnnotatedOperation {
1837            path: "/users".to_string(),
1838            method: "GET".to_string(),
1839            features: vec![ConformanceFeature::MethodGet],
1840            path_params: vec![],
1841            query_params: vec![],
1842            header_params: vec![
1843                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1844                ("X-CSRFToken".to_string(), "test-value".to_string()),
1845            ],
1846            request_body_content_type: None,
1847            sample_body: None,
1848            response_schema: None,
1849            response_schemas: std::collections::BTreeMap::new(),
1850            request_body_schema: None,
1851            security_schemes: vec![],
1852        };
1853        let config = ConformanceConfig {
1854            target_url: "https://192.168.2.86/".to_string(),
1855            api_key: None,
1856            basic_auth: None,
1857            skip_tls_verify: true,
1858            categories: None,
1859            base_path: Some("/api".to_string()),
1860            custom_headers: vec![
1861                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1862                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1863                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1864            ],
1865            output_dir: None,
1866            all_operations: false,
1867            custom_checks_file: None,
1868            request_delay_ms: 0,
1869            custom_filter: None,
1870            export_requests: false,
1871            validate_requests: false,
1872        };
1873        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1874        let (script, _check_count) = gen.generate().unwrap();
1875
1876        // Custom headers should override spec-derived test-value placeholders
1877        assert!(
1878            script.contains("'X-Avi-Tenant': 'admin'"),
1879            "Should use custom value for X-Avi-Tenant, not test-value"
1880        );
1881        assert!(
1882            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1883            "Should use custom value for X-CSRFToken, not test-value"
1884        );
1885        // Custom headers not in spec should be appended
1886        assert!(
1887            script.contains("'Cookie': 'sessionid=abc123'"),
1888            "Should include Cookie header from custom_headers"
1889        );
1890        // test-value should NOT appear
1891        assert!(
1892            !script.contains("'test-value'"),
1893            "test-value placeholders should be replaced by custom values"
1894        );
1895    }
1896
1897    #[test]
1898    fn test_effective_headers_merging() {
1899        let config = ConformanceConfig {
1900            target_url: "http://localhost".to_string(),
1901            api_key: None,
1902            basic_auth: None,
1903            skip_tls_verify: false,
1904            categories: None,
1905            base_path: None,
1906            custom_headers: vec![
1907                ("X-Auth".to_string(), "real-token".to_string()),
1908                ("Cookie".to_string(), "session=abc".to_string()),
1909            ],
1910            output_dir: None,
1911            all_operations: false,
1912            custom_checks_file: None,
1913            request_delay_ms: 0,
1914            custom_filter: None,
1915            export_requests: false,
1916            validate_requests: false,
1917        };
1918        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1919
1920        // Spec headers with a matching custom header
1921        let spec_headers = vec![
1922            ("X-Auth".to_string(), "test-value".to_string()),
1923            ("X-Other".to_string(), "keep-this".to_string()),
1924        ];
1925        let effective = gen.effective_headers(&spec_headers);
1926
1927        // X-Auth should be overridden
1928        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1929        // X-Other should be kept as-is
1930        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1931        // Cookie should be appended
1932        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1933    }
1934}