Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Round 25 — per-status response schemas (JSON values, pre-resolved
180    /// via $ref). Keyed by HTTP status code, populated for every
181    /// status declared in the spec that has an `application/json`
182    /// body. The self-test driver looks up the schema for each probe's
183    /// actual status and validates the response body against it
184    /// (closing round 21.3 / Srikanth's a2 / a3 ask). Empty when the
185    /// spec declares no JSON response bodies.
186    pub response_schemas: std::collections::BTreeMap<u16, serde_json::Value>,
187    /// Round 17.2 — the resolved request-body schema (application/json).
188    /// Used by the self-test driver to synthesise schema-aware
189    /// negative mutations (wrong type, min/max bounds, pattern, enum
190    /// out-of-range, required-field removal). Independent of
191    /// `sample_body`, which is the positive payload.
192    pub request_body_schema: Option<Schema>,
193    /// Security scheme details resolved from the OpenAPI spec
194    pub security_schemes: Vec<SecuritySchemeInfo>,
195}
196
197/// Generates spec-driven conformance k6 scripts
198pub struct SpecDrivenConformanceGenerator {
199    config: ConformanceConfig,
200    operations: Vec<AnnotatedOperation>,
201}
202
203impl SpecDrivenConformanceGenerator {
204    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
205        Self { config, operations }
206    }
207
208    /// Annotate a list of API operations with conformance features
209    pub fn annotate_operations(
210        operations: &[ApiOperation],
211        spec: &OpenAPI,
212    ) -> Vec<AnnotatedOperation> {
213        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
214    }
215
216    /// Analyze an operation and determine which conformance features it exercises
217    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
218        let mut features = Vec::new();
219        let mut query_params = Vec::new();
220        let mut header_params = Vec::new();
221        let mut path_params = Vec::new();
222
223        // Detect HTTP method feature
224        match op.method.to_uppercase().as_str() {
225            "GET" => features.push(ConformanceFeature::MethodGet),
226            "POST" => features.push(ConformanceFeature::MethodPost),
227            "PUT" => features.push(ConformanceFeature::MethodPut),
228            "PATCH" => features.push(ConformanceFeature::MethodPatch),
229            "DELETE" => features.push(ConformanceFeature::MethodDelete),
230            "HEAD" => features.push(ConformanceFeature::MethodHead),
231            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
232            _ => {}
233        }
234
235        // Detect parameter features (resolves $ref)
236        for param_ref in &op.operation.parameters {
237            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
238                Self::annotate_parameter(
239                    param,
240                    spec,
241                    &mut features,
242                    &mut query_params,
243                    &mut header_params,
244                    &mut path_params,
245                );
246            }
247        }
248
249        // Detect path parameters from the path template itself
250        for segment in op.path.split('/') {
251            if segment.starts_with('{') && segment.ends_with('}') {
252                let name = &segment[1..segment.len() - 1];
253                // Only add if not already found from parameters
254                if !path_params.iter().any(|(n, _)| n == name) {
255                    path_params.push((name.to_string(), "test-value".to_string()));
256                    // Determine type from path params we didn't already handle
257                    if !features.contains(&ConformanceFeature::PathParamString)
258                        && !features.contains(&ConformanceFeature::PathParamInteger)
259                    {
260                        features.push(ConformanceFeature::PathParamString);
261                    }
262                }
263            }
264        }
265
266        // Detect request body features (resolves $ref)
267        let mut request_body_content_type = None;
268        let mut sample_body = None;
269        let mut request_body_schema: Option<Schema> = None;
270
271        let resolved_body = op
272            .operation
273            .request_body
274            .as_ref()
275            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
276
277        if let Some(body) = resolved_body {
278            for (content_type, _media) in &body.content {
279                match content_type.as_str() {
280                    "application/json" => {
281                        features.push(ConformanceFeature::BodyJson);
282                        request_body_content_type = Some("application/json".to_string());
283                        // Generate sample body from schema
284                        if let Ok(template) = RequestGenerator::generate_template(op) {
285                            if let Some(body_val) = &template.body {
286                                sample_body = Some(body_val.to_string());
287                            }
288                        }
289                    }
290                    "application/x-www-form-urlencoded" => {
291                        features.push(ConformanceFeature::BodyFormUrlencoded);
292                        request_body_content_type =
293                            Some("application/x-www-form-urlencoded".to_string());
294                    }
295                    "multipart/form-data" => {
296                        features.push(ConformanceFeature::BodyMultipart);
297                        request_body_content_type = Some("multipart/form-data".to_string());
298                    }
299                    _ => {}
300                }
301            }
302
303            // Detect schema features in request body (resolves $ref in schema)
304            if let Some(media) = body.content.get("application/json") {
305                if let Some(schema_ref) = &media.schema {
306                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
307                        Self::annotate_schema(schema, spec, &mut features);
308                        // Round 17.2 — keep a clone of the resolved
309                        // body schema so the self-test driver can walk
310                        // it to synthesise schema-aware negatives.
311                        request_body_schema = Some(schema.clone());
312                    }
313                }
314            }
315        }
316
317        // Detect response code features
318        Self::annotate_responses(&op.operation, spec, &mut features);
319
320        // Extract response schema for validation (resolves $ref)
321        let response_schema = Self::extract_response_schema(&op.operation, spec);
322        if response_schema.is_some() {
323            features.push(ConformanceFeature::ResponseValidation);
324        }
325        // Round 25 — per-status response schema map (closes round 21.3).
326        let response_schemas = Self::extract_response_schemas_per_status(&op.operation, spec);
327
328        // Detect content negotiation (response with multiple content types)
329        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
330
331        // Detect security features and resolve scheme details
332        let mut security_schemes = Vec::new();
333        Self::annotate_security(&op.operation, spec, &mut features, &mut security_schemes);
334
335        // Deduplicate features
336        features.sort_by_key(|f| f.check_name());
337        features.dedup_by_key(|f| f.check_name());
338
339        AnnotatedOperation {
340            path: op.path.clone(),
341            method: op.method.to_uppercase(),
342            features,
343            request_body_content_type,
344            sample_body,
345            query_params,
346            header_params,
347            path_params,
348            response_schema,
349            response_schemas,
350            request_body_schema,
351            security_schemes,
352        }
353    }
354
355    /// Annotate parameter features
356    fn annotate_parameter(
357        param: &Parameter,
358        spec: &OpenAPI,
359        features: &mut Vec<ConformanceFeature>,
360        query_params: &mut Vec<(String, String)>,
361        header_params: &mut Vec<(String, String)>,
362        path_params: &mut Vec<(String, String)>,
363    ) {
364        let (location, data) = match param {
365            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
366            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
367            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
368            Parameter::Cookie { .. } => {
369                features.push(ConformanceFeature::CookieParam);
370                return;
371            }
372        };
373
374        // Detect type from schema
375        let is_integer = Self::param_schema_is_integer(data, spec);
376        let is_array = Self::param_schema_is_array(data, spec);
377
378        // Generate sample value
379        let sample = if is_integer {
380            "42".to_string()
381        } else if is_array {
382            "a,b".to_string()
383        } else {
384            "test-value".to_string()
385        };
386
387        match location {
388            "path" => {
389                if is_integer {
390                    features.push(ConformanceFeature::PathParamInteger);
391                } else {
392                    features.push(ConformanceFeature::PathParamString);
393                }
394                path_params.push((data.name.clone(), sample));
395            }
396            "query" => {
397                if is_array {
398                    features.push(ConformanceFeature::QueryParamArray);
399                } else if is_integer {
400                    features.push(ConformanceFeature::QueryParamInteger);
401                } else {
402                    features.push(ConformanceFeature::QueryParamString);
403                }
404                query_params.push((data.name.clone(), sample));
405            }
406            "header" => {
407                features.push(ConformanceFeature::HeaderParam);
408                header_params.push((data.name.clone(), sample));
409            }
410            _ => {}
411        }
412
413        // Check for constraint features on the parameter (resolves $ref)
414        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
415            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
416                Self::annotate_schema(schema, spec, features);
417            }
418        }
419
420        // Required/optional
421        if data.required {
422            features.push(ConformanceFeature::ConstraintRequired);
423        } else {
424            features.push(ConformanceFeature::ConstraintOptional);
425        }
426    }
427
428    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
429        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
430            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
431                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
432            }
433        }
434        false
435    }
436
437    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
438        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
439            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
440                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
441            }
442        }
443        false
444    }
445
446    /// Annotate schema-level features (types, composition, formats, constraints)
447    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
448        match &schema.schema_kind {
449            SchemaKind::Type(Type::String(s)) => {
450                features.push(ConformanceFeature::SchemaString);
451                // Check format
452                match &s.format {
453                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
454                        features.push(ConformanceFeature::FormatDate);
455                    }
456                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
457                        features.push(ConformanceFeature::FormatDateTime);
458                    }
459                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
460                        "email" => features.push(ConformanceFeature::FormatEmail),
461                        "uuid" => features.push(ConformanceFeature::FormatUuid),
462                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
463                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
464                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
465                        _ => {}
466                    },
467                    _ => {}
468                }
469                // Check constraints
470                if s.pattern.is_some() {
471                    features.push(ConformanceFeature::ConstraintPattern);
472                }
473                if !s.enumeration.is_empty() {
474                    features.push(ConformanceFeature::ConstraintEnum);
475                }
476                if s.min_length.is_some() || s.max_length.is_some() {
477                    features.push(ConformanceFeature::ConstraintMinMax);
478                }
479            }
480            SchemaKind::Type(Type::Integer(i)) => {
481                features.push(ConformanceFeature::SchemaInteger);
482                if i.minimum.is_some() || i.maximum.is_some() {
483                    features.push(ConformanceFeature::ConstraintMinMax);
484                }
485                if !i.enumeration.is_empty() {
486                    features.push(ConformanceFeature::ConstraintEnum);
487                }
488            }
489            SchemaKind::Type(Type::Number(n)) => {
490                features.push(ConformanceFeature::SchemaNumber);
491                if n.minimum.is_some() || n.maximum.is_some() {
492                    features.push(ConformanceFeature::ConstraintMinMax);
493                }
494            }
495            SchemaKind::Type(Type::Boolean(_)) => {
496                features.push(ConformanceFeature::SchemaBoolean);
497            }
498            SchemaKind::Type(Type::Array(arr)) => {
499                features.push(ConformanceFeature::SchemaArray);
500                if let Some(item_ref) = &arr.items {
501                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
502                        Self::annotate_schema(item_schema, spec, features);
503                    }
504                }
505            }
506            SchemaKind::Type(Type::Object(obj)) => {
507                features.push(ConformanceFeature::SchemaObject);
508                // Check required fields
509                if !obj.required.is_empty() {
510                    features.push(ConformanceFeature::ConstraintRequired);
511                }
512                // Walk properties (resolves $ref)
513                for (_name, prop_ref) in &obj.properties {
514                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
515                        Self::annotate_schema(prop_schema, spec, features);
516                    }
517                }
518            }
519            SchemaKind::OneOf { .. } => {
520                features.push(ConformanceFeature::CompositionOneOf);
521            }
522            SchemaKind::AnyOf { .. } => {
523                features.push(ConformanceFeature::CompositionAnyOf);
524            }
525            SchemaKind::AllOf { .. } => {
526                features.push(ConformanceFeature::CompositionAllOf);
527            }
528            _ => {}
529        }
530    }
531
532    /// Detect response code features (resolves $ref in responses)
533    fn annotate_responses(
534        operation: &Operation,
535        spec: &OpenAPI,
536        features: &mut Vec<ConformanceFeature>,
537    ) {
538        for (status_code, resp_ref) in &operation.responses.responses {
539            // Only count features for responses that actually resolve
540            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
541                match status_code {
542                    openapiv3::StatusCode::Code(200) => {
543                        features.push(ConformanceFeature::Response200)
544                    }
545                    openapiv3::StatusCode::Code(201) => {
546                        features.push(ConformanceFeature::Response201)
547                    }
548                    openapiv3::StatusCode::Code(204) => {
549                        features.push(ConformanceFeature::Response204)
550                    }
551                    openapiv3::StatusCode::Code(400) => {
552                        features.push(ConformanceFeature::Response400)
553                    }
554                    openapiv3::StatusCode::Code(404) => {
555                        features.push(ConformanceFeature::Response404)
556                    }
557                    _ => {}
558                }
559            }
560        }
561    }
562
563    /// Round 25 — extract every declared response schema, keyed by the
564    /// numeric HTTP status. Only `application/json` content types are
565    /// included (the only body shape the self-test validates against).
566    /// Used by the self-test driver to validate response bodies against
567    /// the schema for the ACTUAL status returned, not just 200.
568    fn extract_response_schemas_per_status(
569        operation: &Operation,
570        spec: &OpenAPI,
571    ) -> std::collections::BTreeMap<u16, serde_json::Value> {
572        let mut out = std::collections::BTreeMap::new();
573        for (code, resp_ref) in &operation.responses.responses {
574            let openapiv3::StatusCode::Code(n) = code else {
575                continue; // skip "default" / range responses for now
576            };
577            let Some(response) = ref_resolver::resolve_response(resp_ref, spec) else {
578                continue;
579            };
580            let Some(media) = response.content.get("application/json") else {
581                continue;
582            };
583            let Some(schema_ref) = &media.schema else {
584                continue;
585            };
586            let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) else {
587                continue;
588            };
589            // Convert openapiv3::Schema → serde_json::Value so the
590            // validation step can hand it straight to jsonschema.
591            if let Ok(value) = serde_json::to_value(schema) {
592                out.insert(*n, value);
593            }
594        }
595        out
596    }
597
598    /// Extract the response schema for the primary success response (200 or 201)
599    /// Resolves $ref for both the response and the schema within it.
600    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
601        // Try 200 first, then 201
602        for code in [200u16, 201] {
603            if let Some(resp_ref) =
604                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
605            {
606                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
607                    if let Some(media) = response.content.get("application/json") {
608                        if let Some(schema_ref) = &media.schema {
609                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
610                                return Some(schema.clone());
611                            }
612                        }
613                    }
614                }
615            }
616        }
617        None
618    }
619
620    /// Detect content negotiation: response supports multiple content types
621    fn annotate_content_negotiation(
622        operation: &Operation,
623        spec: &OpenAPI,
624        features: &mut Vec<ConformanceFeature>,
625    ) {
626        for (_status_code, resp_ref) in &operation.responses.responses {
627            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
628                if response.content.len() > 1 {
629                    features.push(ConformanceFeature::ContentNegotiation);
630                    return; // Only need to detect once per operation
631                }
632            }
633        }
634    }
635
636    /// Detect security scheme features.
637    /// Checks operation-level security first, falling back to global security requirements.
638    /// Resolves scheme names against SecurityScheme definitions in components.
639    fn annotate_security(
640        operation: &Operation,
641        spec: &OpenAPI,
642        features: &mut Vec<ConformanceFeature>,
643        security_schemes: &mut Vec<SecuritySchemeInfo>,
644    ) {
645        // Use operation-level security if present, otherwise fall back to global
646        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
647
648        if let Some(security) = security_reqs {
649            for security_req in security {
650                for scheme_name in security_req.keys() {
651                    // Try to resolve the scheme from components for accurate type detection
652                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
653                        match resolved {
654                            SecurityScheme::HTTP { ref scheme, .. } => {
655                                if scheme.eq_ignore_ascii_case("bearer") {
656                                    features.push(ConformanceFeature::SecurityBearer);
657                                    security_schemes.push(SecuritySchemeInfo::Bearer);
658                                } else if scheme.eq_ignore_ascii_case("basic") {
659                                    features.push(ConformanceFeature::SecurityBasic);
660                                    security_schemes.push(SecuritySchemeInfo::Basic);
661                                }
662                            }
663                            SecurityScheme::APIKey { location, name, .. } => {
664                                features.push(ConformanceFeature::SecurityApiKey);
665                                let loc = match location {
666                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
667                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
668                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
669                                };
670                                security_schemes.push(SecuritySchemeInfo::ApiKey {
671                                    location: loc,
672                                    name: name.clone(),
673                                });
674                            }
675                            // OAuth2 and OpenIDConnect don't map to our current feature set
676                            _ => {}
677                        }
678                    } else {
679                        // Fallback: heuristic name matching for unresolvable schemes
680                        let name_lower = scheme_name.to_lowercase();
681                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
682                            features.push(ConformanceFeature::SecurityBearer);
683                            security_schemes.push(SecuritySchemeInfo::Bearer);
684                        } else if name_lower.contains("api") && name_lower.contains("key") {
685                            features.push(ConformanceFeature::SecurityApiKey);
686                            security_schemes.push(SecuritySchemeInfo::ApiKey {
687                                location: ApiKeyLocation::Header,
688                                name: "X-API-Key".to_string(),
689                            });
690                        } else if name_lower.contains("basic") {
691                            features.push(ConformanceFeature::SecurityBasic);
692                            security_schemes.push(SecuritySchemeInfo::Basic);
693                        }
694                    }
695                }
696            }
697        }
698    }
699
700    /// Resolve a security scheme name to its SecurityScheme definition
701    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
702        let components = spec.components.as_ref()?;
703        match components.security_schemes.get(name)? {
704            ReferenceOr::Item(scheme) => Some(scheme),
705            ReferenceOr::Reference { .. } => None,
706        }
707    }
708
709    /// Returns the number of operations being tested
710    pub fn operation_count(&self) -> usize {
711        self.operations.len()
712    }
713
714    /// Generate the k6 conformance script.
715    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
716    pub fn generate(&self) -> Result<(String, usize)> {
717        let mut script = String::with_capacity(16384);
718
719        // Imports
720        script.push_str("import http from 'k6/http';\n");
721        script.push_str("import { check, group } from 'k6';\n");
722        if self.config.request_delay_ms > 0 {
723            script.push_str("import { sleep } from 'k6';\n");
724        }
725        script.push('\n');
726
727        // Tell k6 that all HTTP status codes are "expected" in conformance mode.
728        // Without this, k6 counts 4xx responses (e.g. intentional 404 tests) as
729        // http_req_failed errors, producing a misleading error rate percentage.
730        script.push_str(
731            "http.setResponseCallback(http.expectedStatuses({ min: 100, max: 599 }));\n\n",
732        );
733
734        // Options
735        script.push_str("export const options = {\n");
736        script.push_str("  vus: 1,\n");
737        script.push_str("  iterations: 1,\n");
738        if self.config.skip_tls_verify {
739            script.push_str("  insecureSkipTLSVerify: true,\n");
740        }
741        script.push_str("  thresholds: {\n");
742        script.push_str("    checks: ['rate>0'],\n");
743        script.push_str("  },\n");
744        script.push_str("};\n\n");
745
746        // Base URL (includes base_path if configured)
747        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
748        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
749
750        // Round 39 (#79) — emit init-scope code (e.g. `open()` calls
751        // for file uploads in custom checks) here, before any
752        // function declarations.
753        let custom_emit = self.config.generate_custom_group()?;
754        if let Some(emit) = &custom_emit {
755            if !emit.init_code.is_empty() {
756                script.push_str("// Round 39 (#79) — preloaded upload bytes for custom checks\n");
757                script.push_str(&emit.init_code);
758                script.push('\n');
759            }
760        }
761
762        // Failure detail collector — logs req/res info for failed checks via console.log
763        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
764        script
765            .push_str("function __captureFailure(checkName, res, expected, schemaViolations) {\n");
766        script.push_str("  let bodyStr = '';\n");
767        script.push_str("  try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
768        script.push_str("  let reqHeaders = {};\n");
769        script.push_str(
770            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
771        );
772        script.push_str("  let reqBody = '';\n");
773        script.push_str("  if (res.request && res.request.body) { try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch(e) {} }\n");
774        script.push_str("  let payload = {\n");
775        script.push_str("    check: checkName,\n");
776        script.push_str("    request: {\n");
777        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
778        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
779        script.push_str("      headers: reqHeaders,\n");
780        script.push_str("      body: reqBody,\n");
781        script.push_str("    },\n");
782        script.push_str("    response: {\n");
783        script.push_str("      status: res.status,\n");
784        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
785        script.push_str("      body: bodyStr,\n");
786        script.push_str("    },\n");
787        script.push_str("    expected: expected,\n");
788        script.push_str("  };\n");
789        script.push_str("  if (schemaViolations && schemaViolations.length > 0) { payload.schema_violations = schemaViolations; }\n");
790        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify(payload));\n");
791        script.push_str("}\n\n");
792
793        // Request/response capture for --export-requests
794        //
795        // Round 44 (#79) — mirror the resilience added in `generator.rs`:
796        // wrap the primary stringify in try/catch + fall back to a minimal
797        // entry + last-resort hand-rolled JSON so a multipart body that
798        // contains bytes JSON.stringify can't roundtrip never silently
799        // drops the row from the export. See `generator.rs` for the
800        // surfacing incident.
801        if self.config.export_requests {
802            script.push_str("function __captureExchange(checkName, res) {\n");
803            script.push_str("  try {\n");
804            script.push_str("    let bodyStr = '';\n");
805            script.push_str("    try { if (res.body) { const __n = res.body.length; bodyStr = res.body.substring(0, 65536); if (__n > 65536) bodyStr = bodyStr + ' <truncated at 65536 bytes; full body was ' + __n + ' bytes>'; } else { bodyStr = ''; } } catch(e) { bodyStr = '<unreadable>'; }\n");
806            script.push_str("    let reqHeaders = {};\n");
807            script.push_str(
808                "    if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
809            );
810            // Round 46 (#79) — mirror the structured multipart summary
811            // from `generator.rs`. See the long comment there; same
812            // rationale (k6 logfmt mangling on raw binary bytes).
813            script.push_str("    let reqBody = '';\n");
814            script.push_str("    {\n");
815            script.push_str(
816                "      const ct = (reqHeaders['Content-Type'] || reqHeaders['content-type'] || '').toString();\n",
817            );
818            script.push_str("      const isMultipart = ct.startsWith('multipart/');\n");
819            script.push_str(
820                "      if (isMultipart && res.request && res.request.body) {\n\
821                 \x20\x20\x20\x20\x20\x20\x20\x20try {\n\
822                 \x20\x20\x20\x20\x20\x20\x20\x20  const raw = res.request.body;\n\
823                 \x20\x20\x20\x20\x20\x20\x20\x20  let totalBytes = raw.length;\n\
824                 \x20\x20\x20\x20\x20\x20\x20\x20  let envelopeBytes = 0;\n\
825                 \x20\x20\x20\x20\x20\x20\x20\x20  const boundaryMatch = ct.match(/boundary=([^;]+)/);\n\
826                 \x20\x20\x20\x20\x20\x20\x20\x20  const boundary = boundaryMatch ? boundaryMatch[1].replace(/^\"|\"$/g, '') : '';\n\
827                 \x20\x20\x20\x20\x20\x20\x20\x20  const parts = [];\n\
828                 \x20\x20\x20\x20\x20\x20\x20\x20  if (boundary) {\n\
829                 \x20\x20\x20\x20\x20\x20\x20\x20    const sep = '--' + boundary;\n\
830                 \x20\x20\x20\x20\x20\x20\x20\x20    let cursor = raw.indexOf(sep);\n\
831                 \x20\x20\x20\x20\x20\x20\x20\x20    while (cursor !== -1 && parts.length < 100) {\n\
832                 \x20\x20\x20\x20\x20\x20\x20\x20      const next = raw.indexOf(sep, cursor + sep.length);\n\
833                 \x20\x20\x20\x20\x20\x20\x20\x20      if (next === -1) break;\n\
834                 \x20\x20\x20\x20\x20\x20\x20\x20      const slice = raw.substring(cursor + sep.length, next);\n\
835                 \x20\x20\x20\x20\x20\x20\x20\x20      const headerEnd = slice.indexOf('\\r\\n\\r\\n');\n\
836                 \x20\x20\x20\x20\x20\x20\x20\x20      const partHeaders = headerEnd === -1 ? slice : slice.substring(0, headerEnd);\n\
837                 \x20\x20\x20\x20\x20\x20\x20\x20      const partBody = headerEnd === -1 ? '' : slice.substring(headerEnd + 4);\n\
838                 \x20\x20\x20\x20\x20\x20\x20\x20      // Round 50 #79 — ASCII envelope is byte-accurate (see generator.rs).\n\
839                 \x20\x20\x20\x20\x20\x20\x20\x20      envelopeBytes += sep.length + partHeaders.length + 6;\n\
840                 \x20\x20\x20\x20\x20\x20\x20\x20      const nameMatch = partHeaders.match(/name=\"([^\"]+)\"/);\n\
841                 \x20\x20\x20\x20\x20\x20\x20\x20      const filenameMatch = partHeaders.match(/filename=\"([^\"]+)\"/);\n\
842                 \x20\x20\x20\x20\x20\x20\x20\x20      const partCtMatch = partHeaders.match(/Content-Type:\\s*([^\\r\\n]+)/i);\n\
843                 \x20\x20\x20\x20\x20\x20\x20\x20      parts.push({\n\
844                 \x20\x20\x20\x20\x20\x20\x20\x20        name: nameMatch ? nameMatch[1] : '',\n\
845                 \x20\x20\x20\x20\x20\x20\x20\x20        filename: filenameMatch ? filenameMatch[1] : '',\n\
846                 \x20\x20\x20\x20\x20\x20\x20\x20        contentType: partCtMatch ? partCtMatch[1].trim() : '',\n\
847                 \x20\x20\x20\x20\x20\x20\x20\x20        bytes: Math.max(0, partBody.length - 2),\n\
848                 \x20\x20\x20\x20\x20\x20\x20\x20      });\n\
849                 \x20\x20\x20\x20\x20\x20\x20\x20      cursor = next;\n\
850                 \x20\x20\x20\x20\x20\x20\x20\x20    }\n\
851                 \x20\x20\x20\x20\x20\x20\x20\x20    if (parts.length) { envelopeBytes += sep.length + 4; }\n\
852                 \x20\x20\x20\x20\x20\x20\x20\x20  }\n\
853                 \x20\x20\x20\x20\x20\x20\x20\x20  // Round 47 #79 — overlay on-disk byte counts (see generator.rs).\n\
854                 \x20\x20\x20\x20\x20\x20\x20\x20  const __mfSizes = (globalThis.__mfUploadSizes || {})[checkName] || {};\n\
855                 \x20\x20\x20\x20\x20\x20\x20\x20  let __allKnown = parts.length > 0;\n\
856                 \x20\x20\x20\x20\x20\x20\x20\x20  parts.forEach(function (p) { if (typeof __mfSizes[p.name] === 'number') { p.bytes = __mfSizes[p.name]; } else { __allKnown = false; } });\n\
857                 \x20\x20\x20\x20\x20\x20\x20\x20  const partsTotal = parts.reduce(function (acc, p) { return acc + p.bytes; }, 0);\n\
858                 \x20\x20\x20\x20\x20\x20\x20\x20  if (__allKnown) totalBytes = partsTotal;\n\
859                 \x20\x20\x20\x20\x20\x20\x20\x20  // Round 49/50 #79 — total = disk-sum payload; wire = total +\n\
860                 \x20\x20\x20\x20\x20\x20\x20\x20  // ASCII envelope. raw.length UNDERcounts binary bodies, so\n\
861                 \x20\x20\x20\x20\x20\x20\x20\x20  // never use it for wire when part sizes are known.\n\
862                 \x20\x20\x20\x20\x20\x20\x20\x20  const wireBytes = __allKnown ? (partsTotal + envelopeBytes) : ((typeof raw === 'string' && raw.length) ? raw.length : totalBytes);\n\
863                 \x20\x20\x20\x20\x20\x20\x20\x20  const summary = parts.map(function (p) { return '\\'' + p.name + '\\':\\'' + p.filename + '\\' (' + p.contentType + ', ' + p.bytes + ' bytes)'; }).join(', ');\n\
864                 \x20\x20\x20\x20\x20\x20\x20\x20  reqBody = '<multipart/form-data; boundary=' + boundary + '; ' + parts.length + ' part(s); total ' + totalBytes + ' bytes (wire ' + wireBytes + ' bytes w/ envelope): ' + summary + '>';\n\
865                 \x20\x20\x20\x20\x20\x20\x20\x20} catch (e) {\n\
866                 \x20\x20\x20\x20\x20\x20\x20\x20  reqBody = '<multipart upload; summary failed: ' + (e && e.message ? e.message : 'unknown') + '>';\n\
867                 \x20\x20\x20\x20\x20\x20\x20\x20}\n\
868                 \x20\x20\x20\x20\x20\x20} else if (isMultipart) {\n\
869                 \x20\x20\x20\x20\x20\x20\x20\x20reqBody = '<multipart upload; body bytes not surfaced by k6 res.request.body>';\n\
870                 \x20\x20\x20\x20\x20\x20} else if (res.request && res.request.body) {\n\
871                 \x20\x20\x20\x20\x20\x20\x20\x20try { const __m = res.request.body.length; reqBody = res.request.body.substring(0, 65536); if (__m > 65536) reqBody = reqBody + ' <truncated at 65536 bytes; full body was ' + __m + ' bytes>'; } catch (e) {}\n\
872                 \x20\x20\x20\x20\x20\x20}\n\
873                 \x20\x20\x20\x20}\n",
874            );
875            // Round 47 (#79) — mirror network-event emit from generator.rs.
876            script.push_str(
877                "    if (res && res.status === 0) {\n\
878                 \x20\x20\x20\x20\x20\x20const ec = (res.error_code != null) ? res.error_code : 0;\n\
879                 \x20\x20\x20\x20\x20\x20const em = (res.error != null) ? String(res.error) : '';\n\
880                 \x20\x20\x20\x20\x20\x20let kind = 'other';\n\
881                 \x20\x20\x20\x20\x20\x20if (ec >= 1200 && ec < 1300) kind = 'connect';\n\
882                 \x20\x20\x20\x20\x20\x20else if (ec >= 1300 && ec < 1400) kind = 'tls';\n\
883                 \x20\x20\x20\x20\x20\x20else if (ec >= 1400 && ec < 1500) kind = 'timeout';\n\
884                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('eof') !== -1) kind = 'connect';\n                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('timeout') !== -1) kind = 'timeout';\n\
885                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('tls') !== -1) kind = 'tls';\n\
886                 \x20\x20\x20\x20\x20\x20else if (em.toLowerCase().indexOf('connect') !== -1 || em.toLowerCase().indexOf('refused') !== -1) kind = 'connect';\n\
887                 \x20\x20\x20\x20\x20\x20console.log('MOCKFORGE_NETWORK_EVENT:' + JSON.stringify({\n\
888                 \x20\x20\x20\x20\x20\x20  timestamp: new Date().toISOString(),\n\
889                 \x20\x20\x20\x20\x20\x20  check: checkName,\n\
890                 \x20\x20\x20\x20\x20\x20  method: res.request ? res.request.method : 'unknown',\n\
891                 \x20\x20\x20\x20\x20\x20  url: res.request ? res.request.url : res.url || 'unknown',\n\
892                 \x20\x20\x20\x20\x20\x20  kind: kind,\n\
893                 \x20\x20\x20\x20\x20\x20  error_code: ec,\n\
894                 \x20\x20\x20\x20\x20\x20  message: em,\n\
895                 \x20\x20\x20\x20\x20\x20}));\n\
896                 \x20\x20\x20\x20}\n",
897            );
898            script.push_str("    console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
899            script.push_str("      check: checkName,\n");
900            script.push_str("      request: {\n");
901            script.push_str("        method: res.request ? res.request.method : 'unknown',\n");
902            script.push_str("        url: res.request ? res.request.url : res.url || 'unknown',\n");
903            script.push_str("        headers: reqHeaders,\n");
904            script.push_str("        body: reqBody,\n");
905            script.push_str("      },\n");
906            script.push_str("      response: {\n");
907            script.push_str("        status: res.status,\n");
908            script.push_str("        headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 30)) : {},\n");
909            script.push_str("        body: bodyStr,\n");
910            script.push_str("      },\n");
911            script.push_str("    }));\n");
912            script.push_str("  } catch (e) {\n");
913            script.push_str("    try {\n");
914            script.push_str("      console.log('MOCKFORGE_EXCHANGE:' + JSON.stringify({\n");
915            script.push_str("        check: checkName,\n");
916            script.push_str("        request: {\n");
917            script.push_str(
918                "          method: (res && res.request) ? res.request.method : 'unknown',\n",
919            );
920            script.push_str("          url: (res && res.request) ? res.request.url : (res && res.url) || 'unknown',\n");
921            script.push_str("          headers: {},\n");
922            script.push_str("          body: '<exchange capture failed: ' + (e && e.message ? e.message : 'unknown error') + '>',\n");
923            script.push_str("        },\n");
924            script.push_str("        response: {\n");
925            script.push_str("          status: (res && res.status) || 0,\n");
926            script.push_str("          headers: {},\n");
927            script.push_str("          body: '',\n");
928            script.push_str("        },\n");
929            script.push_str("        _export_error: (e && e.message) ? e.message : String(e),\n");
930            script.push_str("      }));\n");
931            script.push_str("    } catch (e2) {\n");
932            script.push_str("      console.log('MOCKFORGE_EXCHANGE:{\"check\":\"' + checkName + '\",\"request\":{\"method\":\"unknown\",\"url\":\"unknown\",\"headers\":{},\"body\":\"\"},\"response\":{\"status\":0,\"headers\":{},\"body\":\"\"},\"_export_error\":\"double-fault\"}');\n");
933            script.push_str("    }\n");
934            script.push_str("  }\n");
935            script.push_str("}\n\n");
936        }
937
938        // Default function
939        script.push_str("export default function () {\n");
940
941        if self.config.has_cookie_header() {
942            script.push_str(
943                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
944            );
945            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
946        }
947
948        // Group operations by category
949        let mut category_ops: std::collections::BTreeMap<
950            &'static str,
951            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
952        > = std::collections::BTreeMap::new();
953
954        for op in &self.operations {
955            for feature in &op.features {
956                let category = feature.category();
957                if self.config.should_include_category(category) {
958                    category_ops.entry(category).or_default().push((op, feature));
959                }
960            }
961        }
962
963        // Emit grouped tests
964        let mut total_checks = 0usize;
965        for (category, ops) in &category_ops {
966            script.push_str(&format!("  group('{}', function () {{\n", category));
967
968            if self.config.all_operations {
969                // All-operations mode: test every operation, using path-qualified check names
970                let mut emitted_checks: HashSet<String> = HashSet::new();
971                for (op, feature) in ops {
972                    let qualified = format!("{}:{}", feature.check_name(), op.path);
973                    if emitted_checks.insert(qualified.clone()) {
974                        self.emit_check_named(&mut script, op, feature, &qualified);
975                        total_checks += 1;
976                    }
977                }
978            } else {
979                // Default: one representative operation per feature, with path-qualified
980                // check names so failures identify which endpoint was tested.
981                let mut emitted_features: HashSet<&str> = HashSet::new();
982                for (op, feature) in ops {
983                    if emitted_features.insert(feature.check_name()) {
984                        let qualified = format!("{}:{}", feature.check_name(), op.path);
985                        self.emit_check_named(&mut script, op, feature, &qualified);
986                        total_checks += 1;
987                    }
988                }
989            }
990
991            script.push_str("  });\n\n");
992        }
993
994        // Custom checks from YAML file — round 39: init-scope code
995        // was already emitted above; here we just splice the group
996        // body inside the default function.
997        if let Some(emit) = custom_emit {
998            script.push_str(&emit.group_body);
999        }
1000
1001        script.push_str("}\n\n");
1002
1003        // handleSummary
1004        self.generate_handle_summary(&mut script);
1005
1006        Ok((script, total_checks))
1007    }
1008
1009    /// Emit a single k6 check for an operation + feature with a custom check name
1010    fn emit_check_named(
1011        &self,
1012        script: &mut String,
1013        op: &AnnotatedOperation,
1014        feature: &ConformanceFeature,
1015        check_name: &str,
1016    ) {
1017        // Escape single quotes in check name since it's embedded in JS single-quoted strings
1018        let check_name = check_name.replace('\'', "\\'");
1019        let check_name = check_name.as_str();
1020
1021        script.push_str("    {\n");
1022
1023        // Build the URL path with parameters substituted
1024        let mut url_path = op.path.clone();
1025        for (name, value) in &op.path_params {
1026            url_path = url_path.replace(&format!("{{{}}}", name), value);
1027        }
1028
1029        // Build query string
1030        if !op.query_params.is_empty() {
1031            let qs: Vec<String> =
1032                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
1033            url_path = format!("{}?{}", url_path, qs.join("&"));
1034        }
1035
1036        let full_url = format!("${{BASE_URL}}{}", url_path);
1037
1038        // Build effective headers: merge spec-derived headers with custom headers.
1039        // Custom headers override spec-derived ones with the same name.
1040        let mut effective_headers = self.effective_headers(&op.header_params);
1041
1042        // For non-default response code checks, add header to tell the mock server
1043        // which status code to return (the server defaults to the first declared status)
1044        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
1045            let expected_code = match feature {
1046                ConformanceFeature::Response400 => "400",
1047                ConformanceFeature::Response404 => "404",
1048                _ => unreachable!(),
1049            };
1050            effective_headers
1051                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
1052        }
1053
1054        // For security checks AND for all requests on endpoints with security requirements,
1055        // inject auth credentials so the server doesn't reject with 401.
1056        // Only inject if the user hasn't already provided the header via --custom-headers.
1057        let needs_auth = matches!(
1058            feature,
1059            ConformanceFeature::SecurityBearer
1060                | ConformanceFeature::SecurityBasic
1061                | ConformanceFeature::SecurityApiKey
1062        ) || !op.security_schemes.is_empty();
1063
1064        if needs_auth {
1065            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
1066        }
1067
1068        let has_headers = !effective_headers.is_empty();
1069        let headers_obj = if has_headers {
1070            Self::format_headers(&effective_headers)
1071        } else {
1072            String::new()
1073        };
1074
1075        // Determine HTTP method and emit request
1076        match op.method.as_str() {
1077            "GET" => {
1078                if has_headers {
1079                    script.push_str(&format!(
1080                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1081                        full_url, headers_obj
1082                    ));
1083                } else {
1084                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1085                }
1086            }
1087            "POST" => {
1088                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
1089            }
1090            "PUT" => {
1091                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
1092            }
1093            "PATCH" => {
1094                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
1095            }
1096            "DELETE" => {
1097                if has_headers {
1098                    script.push_str(&format!(
1099                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
1100                        full_url, headers_obj
1101                    ));
1102                } else {
1103                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
1104                }
1105            }
1106            "HEAD" => {
1107                if has_headers {
1108                    script.push_str(&format!(
1109                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
1110                        full_url, headers_obj
1111                    ));
1112                } else {
1113                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
1114                }
1115            }
1116            "OPTIONS" => {
1117                if has_headers {
1118                    script.push_str(&format!(
1119                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
1120                        full_url, headers_obj
1121                    ));
1122                } else {
1123                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
1124                }
1125            }
1126            _ => {
1127                if has_headers {
1128                    script.push_str(&format!(
1129                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
1130                        full_url, headers_obj
1131                    ));
1132                } else {
1133                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
1134                }
1135            }
1136        }
1137
1138        // Capture request/response for --export-requests
1139        // (check_name is already escaped at line 829 above — don't double-escape)
1140        if self.config.export_requests {
1141            script.push_str(&format!(
1142                "      if (typeof __captureExchange === 'function') __captureExchange('{}', res);\n",
1143                check_name
1144            ));
1145        }
1146
1147        // Check: emit assertion based on feature type, with failure detail capture
1148        if matches!(
1149            feature,
1150            ConformanceFeature::Response200
1151                | ConformanceFeature::Response201
1152                | ConformanceFeature::Response204
1153                | ConformanceFeature::Response400
1154                | ConformanceFeature::Response404
1155        ) {
1156            let expected_code = match feature {
1157                ConformanceFeature::Response200 => 200,
1158                ConformanceFeature::Response201 => 201,
1159                ConformanceFeature::Response204 => 204,
1160                ConformanceFeature::Response400 => 400,
1161                ConformanceFeature::Response404 => 404,
1162                _ => 200,
1163            };
1164            script.push_str(&format!(
1165                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
1166                check_name, expected_code, check_name, expected_code
1167            ));
1168        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
1169            // Response schema validation — validate the response body against the schema
1170            // Uses inline field-level error collection so failure details include
1171            // which specific fields violated the schema (field_path, violation_type,
1172            // expected, actual) — matching the Ajv `errors` array structure.
1173            if let Some(schema) = &op.response_schema {
1174                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
1175                let schema_json = serde_json::to_string(schema).unwrap_or_default();
1176                // Escape backticks and backslashes for JS template literal safety
1177                let schema_json_escaped = schema_json.replace('\\', "\\\\").replace('`', "\\`");
1178                script.push_str(&format!(
1179                    concat!(
1180                        "      try {{\n",
1181                        "        let body = res.json();\n",
1182                        "        let ok = check(res, {{ '{check}': (r) => ( {validation} ) }});\n",
1183                        "        if (!ok) {{\n",
1184                        "          let __violations = [];\n",
1185                        "          try {{\n",
1186                        "            let __schema = JSON.parse(`{schema}`);\n",
1187                        "            function __collectErrors(schema, data, path) {{\n",
1188                        "              if (!schema || typeof schema !== 'object') return;\n",
1189                        "              let st = schema.type || (schema.schema_kind && schema.schema_kind.Type && Object.keys(schema.schema_kind.Type)[0]);\n",
1190                        "              if (st) {{ st = st.toLowerCase(); }}\n",
1191                        "              if (st === 'object') {{\n",
1192                        "                if (typeof data !== 'object' || data === null) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'object', actual: typeof data }}); return; }}\n",
1193                        "                let props = schema.properties || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.properties) || {{}};\n",
1194                        "                let req = schema.required || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Object && schema.schema_kind.Type.Object.required) || [];\n",
1195                        "                for (let f of req) {{ if (!(f in data)) {{ __violations.push({{ field_path: path + '/' + f, violation_type: 'required', expected: 'present', actual: 'missing' }}); }} }}\n",
1196                        "                for (let [k, v] of Object.entries(props)) {{ if (data[k] !== undefined) {{ let ps = v.Item || v; __collectErrors(ps, data[k], path + '/' + k); }} }}\n",
1197                        "              }} else if (st === 'array') {{\n",
1198                        "                if (!Array.isArray(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'array', actual: typeof data }}); return; }}\n",
1199                        "                let items = schema.items || (schema.schema_kind && schema.schema_kind.Type && schema.schema_kind.Type.Array && schema.schema_kind.Type.Array.items);\n",
1200                        "                if (items) {{ let is = items.Item || items; for (let i = 0; i < Math.min(data.length, 5); i++) {{ __collectErrors(is, data[i], path + '/' + i); }} }}\n",
1201                        "              }} else if (st === 'string') {{\n",
1202                        "                if (typeof data !== 'string') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'string', actual: typeof data }}); }}\n",
1203                        "              }} else if (st === 'integer') {{\n",
1204                        "                if (typeof data !== 'number' || !Number.isInteger(data)) {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'integer', actual: typeof data }}); }}\n",
1205                        "              }} else if (st === 'number') {{\n",
1206                        "                if (typeof data !== 'number') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'number', actual: typeof data }}); }}\n",
1207                        "              }} else if (st === 'boolean') {{\n",
1208                        "                if (typeof data !== 'boolean') {{ __violations.push({{ field_path: path || '/', violation_type: 'type', expected: 'boolean', actual: typeof data }}); }}\n",
1209                        "              }}\n",
1210                        "            }}\n",
1211                        "            __collectErrors(__schema, body, '');\n",
1212                        "          }} catch(_e) {{}}\n",
1213                        "          __captureFailure('{check}', res, 'schema validation', __violations);\n",
1214                        "        }}\n",
1215                        "      }} catch(e) {{ check(res, {{ '{check}': () => false }}); __captureFailure('{check}', res, 'JSON parse failed: ' + e.message); }}\n",
1216                    ),
1217                    check = check_name,
1218                    validation = validation_js,
1219                    schema = schema_json_escaped,
1220                ));
1221            }
1222        } else if matches!(
1223            feature,
1224            ConformanceFeature::SecurityBearer
1225                | ConformanceFeature::SecurityBasic
1226                | ConformanceFeature::SecurityApiKey
1227        ) {
1228            // Security checks verify the server accepts the auth credentials (not 401/403)
1229            script.push_str(&format!(
1230                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
1231                check_name, check_name
1232            ));
1233        } else {
1234            script.push_str(&format!(
1235                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
1236                check_name, check_name
1237            ));
1238        }
1239
1240        // Clear cookie jar after each request to prevent Set-Cookie leaking
1241        let has_cookie = self.config.has_cookie_header()
1242            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
1243        if has_cookie {
1244            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
1245        }
1246
1247        script.push_str("    }\n");
1248
1249        // Rate-limit delay between checks (to avoid 429 from target API)
1250        if self.config.request_delay_ms > 0 {
1251            script.push_str(&format!(
1252                "    sleep({:.3});\n",
1253                self.config.request_delay_ms as f64 / 1000.0
1254            ));
1255        }
1256    }
1257
1258    /// Emit an HTTP request with a body
1259    fn emit_request_with_body(
1260        &self,
1261        script: &mut String,
1262        method: &str,
1263        url: &str,
1264        op: &AnnotatedOperation,
1265        effective_headers: &[(String, String)],
1266    ) {
1267        if let Some(body) = &op.sample_body {
1268            let escaped_body = body.replace('\'', "\\'");
1269            let headers = if !effective_headers.is_empty() {
1270                format!(
1271                    "Object.assign({{}}, JSON_HEADERS, {})",
1272                    Self::format_headers(effective_headers)
1273                )
1274            } else {
1275                "JSON_HEADERS".to_string()
1276            };
1277            script.push_str(&format!(
1278                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
1279                method, url, escaped_body, headers
1280            ));
1281        } else if !effective_headers.is_empty() {
1282            script.push_str(&format!(
1283                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
1284                method,
1285                url,
1286                Self::format_headers(effective_headers)
1287            ));
1288        } else {
1289            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1290        }
1291    }
1292
1293    /// Build effective headers by merging spec-derived headers with custom headers.
1294    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1295    /// Custom headers not in the spec are appended.
1296    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1297        let custom = &self.config.custom_headers;
1298        if custom.is_empty() {
1299            return spec_headers.to_vec();
1300        }
1301
1302        let mut result: Vec<(String, String)> = Vec::new();
1303
1304        // Start with spec headers, replacing values if a custom header matches
1305        for (name, value) in spec_headers {
1306            if let Some((_, custom_val)) =
1307                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1308            {
1309                result.push((name.clone(), custom_val.clone()));
1310            } else {
1311                result.push((name.clone(), value.clone()));
1312            }
1313        }
1314
1315        // Append custom headers that aren't already in spec headers
1316        for (name, value) in custom {
1317            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1318                result.push((name.clone(), value.clone()));
1319            }
1320        }
1321
1322        result
1323    }
1324
1325    /// Inject security headers based on resolved security scheme details.
1326    /// Respects user-provided custom headers (won't overwrite if already set).
1327    fn inject_security_headers(
1328        &self,
1329        schemes: &[SecuritySchemeInfo],
1330        headers: &mut Vec<(String, String)>,
1331    ) {
1332        let mut to_add: Vec<(String, String)> = Vec::new();
1333
1334        let has_header = |name: &str, headers: &[(String, String)]| {
1335            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1336                || self.config.custom_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1337        };
1338
1339        // If user provides Cookie header, they're using session-based auth — skip auto auth
1340        let has_cookie_auth = has_header("Cookie", headers);
1341
1342        for scheme in schemes {
1343            match scheme {
1344                SecuritySchemeInfo::Bearer => {
1345                    if !has_cookie_auth && !has_header("Authorization", headers) {
1346                        // MockForge mock server accepts any Bearer token
1347                        to_add.push((
1348                            "Authorization".to_string(),
1349                            "Bearer mockforge-conformance-test-token".to_string(),
1350                        ));
1351                    }
1352                }
1353                SecuritySchemeInfo::Basic => {
1354                    if !has_cookie_auth && !has_header("Authorization", headers) {
1355                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1356                        use base64::Engine;
1357                        let encoded =
1358                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1359                        to_add.push(("Authorization".to_string(), format!("Basic {}", encoded)));
1360                    }
1361                }
1362                SecuritySchemeInfo::ApiKey { location, name } => match location {
1363                    ApiKeyLocation::Header => {
1364                        if !has_header(name, headers) {
1365                            let key = self
1366                                .config
1367                                .api_key
1368                                .as_deref()
1369                                .unwrap_or("mockforge-conformance-test-key");
1370                            to_add.push((name.clone(), key.to_string()));
1371                        }
1372                    }
1373                    ApiKeyLocation::Cookie => {
1374                        if !has_header("Cookie", headers) {
1375                            to_add.push((
1376                                "Cookie".to_string(),
1377                                format!("{}=mockforge-conformance-test-session", name),
1378                            ));
1379                        }
1380                    }
1381                    ApiKeyLocation::Query => {
1382                        // Query params are handled via URL, not headers — skip here
1383                    }
1384                },
1385            }
1386        }
1387
1388        headers.extend(to_add);
1389    }
1390
1391    /// Format header params as a JS object literal
1392    fn format_headers(headers: &[(String, String)]) -> String {
1393        let entries: Vec<String> = headers
1394            .iter()
1395            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1396            .collect();
1397        format!("{{ {} }}", entries.join(", "))
1398    }
1399
1400    /// handleSummary — same format as reference mode for report compatibility
1401    fn generate_handle_summary(&self, script: &mut String) {
1402        // Use absolute path for report output so k6 writes where the CLI expects
1403        let report_path = match &self.config.output_dir {
1404            Some(dir) => {
1405                let abs = std::fs::canonicalize(dir)
1406                    .unwrap_or_else(|_| dir.clone())
1407                    .join("conformance-report.json");
1408                abs.to_string_lossy().to_string()
1409            }
1410            None => "conformance-report.json".to_string(),
1411        };
1412
1413        script.push_str("export function handleSummary(data) {\n");
1414        script.push_str("  let checks = {};\n");
1415        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1416        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1417        script.push_str("  }\n");
1418        script.push_str("  let checkResults = {};\n");
1419        script.push_str("  function walkGroups(group) {\n");
1420        script.push_str("    if (group.checks) {\n");
1421        script.push_str("      for (let checkObj of group.checks) {\n");
1422        script.push_str("        checkResults[checkObj.name] = {\n");
1423        script.push_str("          passes: checkObj.passes,\n");
1424        script.push_str("          fails: checkObj.fails,\n");
1425        script.push_str("        };\n");
1426        script.push_str("      }\n");
1427        script.push_str("    }\n");
1428        script.push_str("    if (group.groups) {\n");
1429        script.push_str("      for (let subGroup of group.groups) {\n");
1430        script.push_str("        walkGroups(subGroup);\n");
1431        script.push_str("      }\n");
1432        script.push_str("    }\n");
1433        script.push_str("  }\n");
1434        script.push_str("  if (data.root_group) {\n");
1435        script.push_str("    walkGroups(data.root_group);\n");
1436        script.push_str("  }\n");
1437        script.push_str("  return {\n");
1438        script.push_str(&format!(
1439            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1440            report_path
1441        ));
1442        script.push_str("    'summary.json': JSON.stringify(data),\n");
1443        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1444        script.push_str("  };\n");
1445        script.push_str("}\n\n");
1446        script.push_str("function textSummary(data, opts) {\n");
1447        script.push_str("  return JSON.stringify(data, null, 2);\n");
1448        script.push_str("}\n");
1449    }
1450}
1451
1452#[cfg(test)]
1453mod tests {
1454    use super::*;
1455    use openapiv3::{
1456        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1457        SchemaData, SchemaKind, StringType, Type,
1458    };
1459
1460    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1461        ApiOperation {
1462            method: method.to_string(),
1463            path: path.to_string(),
1464            operation,
1465            operation_id: None,
1466        }
1467    }
1468
1469    fn empty_spec() -> OpenAPI {
1470        OpenAPI::default()
1471    }
1472
1473    #[test]
1474    fn test_annotate_get_with_path_param() {
1475        let mut op = Operation::default();
1476        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1477            parameter_data: ParameterData {
1478                name: "id".to_string(),
1479                description: None,
1480                required: true,
1481                deprecated: None,
1482                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1483                    schema_data: SchemaData::default(),
1484                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1485                })),
1486                example: None,
1487                examples: Default::default(),
1488                explode: None,
1489                extensions: Default::default(),
1490            },
1491            style: PathStyle::Simple,
1492        }));
1493
1494        let api_op = make_op("get", "/users/{id}", op);
1495        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1496
1497        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1498        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1499        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1500        assert_eq!(annotated.path_params.len(), 1);
1501        assert_eq!(annotated.path_params[0].0, "id");
1502    }
1503
1504    #[test]
1505    fn test_annotate_post_with_json_body() {
1506        let mut op = Operation::default();
1507        let mut body = RequestBody {
1508            required: true,
1509            ..Default::default()
1510        };
1511        body.content
1512            .insert("application/json".to_string(), openapiv3::MediaType::default());
1513        op.request_body = Some(ReferenceOr::Item(body));
1514
1515        let api_op = make_op("post", "/items", op);
1516        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1517
1518        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1519        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1520    }
1521
1522    #[test]
1523    fn test_annotate_response_codes() {
1524        let mut op = Operation::default();
1525        op.responses
1526            .responses
1527            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1528        op.responses
1529            .responses
1530            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1531
1532        let api_op = make_op("get", "/items", op);
1533        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1534
1535        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1536        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1537    }
1538
1539    #[test]
1540    fn test_generate_spec_driven_script() {
1541        let config = ConformanceConfig {
1542            target_url: "http://localhost:3000".to_string(),
1543            api_key: None,
1544            basic_auth: None,
1545            skip_tls_verify: false,
1546            categories: None,
1547            base_path: None,
1548            custom_headers: vec![],
1549            output_dir: None,
1550            all_operations: false,
1551            custom_checks_file: None,
1552            request_delay_ms: 0,
1553            custom_filter: None,
1554            export_requests: false,
1555            validate_requests: false,
1556        };
1557
1558        let operations = vec![AnnotatedOperation {
1559            path: "/users/{id}".to_string(),
1560            method: "GET".to_string(),
1561            features: vec![
1562                ConformanceFeature::MethodGet,
1563                ConformanceFeature::PathParamString,
1564            ],
1565            request_body_content_type: None,
1566            sample_body: None,
1567            query_params: vec![],
1568            header_params: vec![],
1569            path_params: vec![("id".to_string(), "test-value".to_string())],
1570            response_schema: None,
1571            response_schemas: std::collections::BTreeMap::new(),
1572            request_body_schema: None,
1573            security_schemes: vec![],
1574        }];
1575
1576        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1577        let (script, _check_count) = gen.generate().unwrap();
1578
1579        assert!(script.contains("import http from 'k6/http'"));
1580        assert!(script.contains("/users/test-value"));
1581        assert!(script.contains("param:path:string"));
1582        assert!(script.contains("method:GET"));
1583        assert!(script.contains("handleSummary"));
1584    }
1585
1586    #[test]
1587    fn test_generate_with_category_filter() {
1588        let config = ConformanceConfig {
1589            target_url: "http://localhost:3000".to_string(),
1590            api_key: None,
1591            basic_auth: None,
1592            skip_tls_verify: false,
1593            categories: Some(vec!["Parameters".to_string()]),
1594            base_path: None,
1595            custom_headers: vec![],
1596            output_dir: None,
1597            all_operations: false,
1598            custom_checks_file: None,
1599            request_delay_ms: 0,
1600            custom_filter: None,
1601            export_requests: false,
1602            validate_requests: false,
1603        };
1604
1605        let operations = vec![AnnotatedOperation {
1606            path: "/users/{id}".to_string(),
1607            method: "GET".to_string(),
1608            features: vec![
1609                ConformanceFeature::MethodGet,
1610                ConformanceFeature::PathParamString,
1611            ],
1612            request_body_content_type: None,
1613            sample_body: None,
1614            query_params: vec![],
1615            header_params: vec![],
1616            path_params: vec![("id".to_string(), "1".to_string())],
1617            response_schema: None,
1618            response_schemas: std::collections::BTreeMap::new(),
1619            request_body_schema: None,
1620            security_schemes: vec![],
1621        }];
1622
1623        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1624        let (script, _check_count) = gen.generate().unwrap();
1625
1626        assert!(script.contains("group('Parameters'"));
1627        assert!(!script.contains("group('HTTP Methods'"));
1628    }
1629
1630    #[test]
1631    fn test_annotate_response_validation() {
1632        use openapiv3::ObjectType;
1633
1634        // Operation with a 200 response that has a JSON schema
1635        let mut op = Operation::default();
1636        let mut response = Response::default();
1637        let mut media = openapiv3::MediaType::default();
1638        let mut obj_type = ObjectType::default();
1639        obj_type.properties.insert(
1640            "name".to_string(),
1641            ReferenceOr::Item(Box::new(Schema {
1642                schema_data: SchemaData::default(),
1643                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1644            })),
1645        );
1646        obj_type.required = vec!["name".to_string()];
1647        media.schema = Some(ReferenceOr::Item(Schema {
1648            schema_data: SchemaData::default(),
1649            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1650        }));
1651        response.content.insert("application/json".to_string(), media);
1652        op.responses
1653            .responses
1654            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1655
1656        let api_op = make_op("get", "/users", op);
1657        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1658
1659        assert!(
1660            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1661            "Should detect ResponseValidation when response has a JSON schema"
1662        );
1663        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1664
1665        // Verify generated script includes schema validation with try-catch
1666        let config = ConformanceConfig {
1667            target_url: "http://localhost:3000".to_string(),
1668            api_key: None,
1669            basic_auth: None,
1670            skip_tls_verify: false,
1671            categories: None,
1672            base_path: None,
1673            custom_headers: vec![],
1674            output_dir: None,
1675            all_operations: false,
1676            custom_checks_file: None,
1677            request_delay_ms: 0,
1678            custom_filter: None,
1679            export_requests: false,
1680            validate_requests: false,
1681        };
1682        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1683        let (script, _check_count) = gen.generate().unwrap();
1684
1685        assert!(
1686            script.contains("response:schema:validation"),
1687            "Script should contain the validation check name"
1688        );
1689        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1690        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1691    }
1692
1693    #[test]
1694    fn test_annotate_global_security() {
1695        // Spec with global security requirement, operation without its own security
1696        let op = Operation::default();
1697        let mut spec = OpenAPI::default();
1698        let mut global_req = openapiv3::SecurityRequirement::new();
1699        global_req.insert("bearerAuth".to_string(), vec![]);
1700        spec.security = Some(vec![global_req]);
1701        // Define the security scheme in components
1702        let mut components = openapiv3::Components::default();
1703        components.security_schemes.insert(
1704            "bearerAuth".to_string(),
1705            ReferenceOr::Item(SecurityScheme::HTTP {
1706                scheme: "bearer".to_string(),
1707                bearer_format: Some("JWT".to_string()),
1708                description: None,
1709                extensions: Default::default(),
1710            }),
1711        );
1712        spec.components = Some(components);
1713
1714        let api_op = make_op("get", "/protected", op);
1715        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1716
1717        assert!(
1718            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1719            "Should detect SecurityBearer from global security + components"
1720        );
1721    }
1722
1723    #[test]
1724    fn test_annotate_security_scheme_resolution() {
1725        // Test that security scheme type is resolved from components, not just name heuristic
1726        let mut op = Operation::default();
1727        // Use a generic name that wouldn't match name heuristics
1728        let mut req = openapiv3::SecurityRequirement::new();
1729        req.insert("myAuth".to_string(), vec![]);
1730        op.security = Some(vec![req]);
1731
1732        let mut spec = OpenAPI::default();
1733        let mut components = openapiv3::Components::default();
1734        components.security_schemes.insert(
1735            "myAuth".to_string(),
1736            ReferenceOr::Item(SecurityScheme::APIKey {
1737                location: openapiv3::APIKeyLocation::Header,
1738                name: "X-API-Key".to_string(),
1739                description: None,
1740                extensions: Default::default(),
1741            }),
1742        );
1743        spec.components = Some(components);
1744
1745        let api_op = make_op("get", "/data", op);
1746        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1747
1748        assert!(
1749            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1750            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1751        );
1752    }
1753
1754    #[test]
1755    fn test_annotate_content_negotiation() {
1756        let mut op = Operation::default();
1757        let mut response = Response::default();
1758        // Response with multiple content types
1759        response
1760            .content
1761            .insert("application/json".to_string(), openapiv3::MediaType::default());
1762        response
1763            .content
1764            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1765        op.responses
1766            .responses
1767            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1768
1769        let api_op = make_op("get", "/items", op);
1770        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1771
1772        assert!(
1773            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1774            "Should detect ContentNegotiation when response has multiple content types"
1775        );
1776    }
1777
1778    #[test]
1779    fn test_no_content_negotiation_for_single_type() {
1780        let mut op = Operation::default();
1781        let mut response = Response::default();
1782        response
1783            .content
1784            .insert("application/json".to_string(), openapiv3::MediaType::default());
1785        op.responses
1786            .responses
1787            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1788
1789        let api_op = make_op("get", "/items", op);
1790        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1791
1792        assert!(
1793            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1794            "Should NOT detect ContentNegotiation for a single content type"
1795        );
1796    }
1797
1798    #[test]
1799    fn test_spec_driven_with_base_path() {
1800        let annotated = AnnotatedOperation {
1801            path: "/users".to_string(),
1802            method: "GET".to_string(),
1803            features: vec![ConformanceFeature::MethodGet],
1804            path_params: vec![],
1805            query_params: vec![],
1806            header_params: vec![],
1807            request_body_content_type: None,
1808            sample_body: None,
1809            response_schema: None,
1810            response_schemas: std::collections::BTreeMap::new(),
1811            request_body_schema: None,
1812            security_schemes: vec![],
1813        };
1814        let config = ConformanceConfig {
1815            target_url: "https://192.168.2.86/".to_string(),
1816            api_key: None,
1817            basic_auth: None,
1818            skip_tls_verify: true,
1819            categories: None,
1820            base_path: Some("/api".to_string()),
1821            custom_headers: vec![],
1822            output_dir: None,
1823            all_operations: false,
1824            custom_checks_file: None,
1825            request_delay_ms: 0,
1826            custom_filter: None,
1827            export_requests: false,
1828            validate_requests: false,
1829        };
1830        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1831        let (script, _check_count) = gen.generate().unwrap();
1832
1833        assert!(
1834            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1835            "BASE_URL should include the base_path. Got: {}",
1836            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1837        );
1838    }
1839
1840    #[test]
1841    fn test_spec_driven_with_custom_headers() {
1842        let annotated = AnnotatedOperation {
1843            path: "/users".to_string(),
1844            method: "GET".to_string(),
1845            features: vec![ConformanceFeature::MethodGet],
1846            path_params: vec![],
1847            query_params: vec![],
1848            header_params: vec![
1849                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1850                ("X-CSRFToken".to_string(), "test-value".to_string()),
1851            ],
1852            request_body_content_type: None,
1853            sample_body: None,
1854            response_schema: None,
1855            response_schemas: std::collections::BTreeMap::new(),
1856            request_body_schema: None,
1857            security_schemes: vec![],
1858        };
1859        let config = ConformanceConfig {
1860            target_url: "https://192.168.2.86/".to_string(),
1861            api_key: None,
1862            basic_auth: None,
1863            skip_tls_verify: true,
1864            categories: None,
1865            base_path: Some("/api".to_string()),
1866            custom_headers: vec![
1867                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1868                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1869                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1870            ],
1871            output_dir: None,
1872            all_operations: false,
1873            custom_checks_file: None,
1874            request_delay_ms: 0,
1875            custom_filter: None,
1876            export_requests: false,
1877            validate_requests: false,
1878        };
1879        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1880        let (script, _check_count) = gen.generate().unwrap();
1881
1882        // Custom headers should override spec-derived test-value placeholders
1883        assert!(
1884            script.contains("'X-Avi-Tenant': 'admin'"),
1885            "Should use custom value for X-Avi-Tenant, not test-value"
1886        );
1887        assert!(
1888            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1889            "Should use custom value for X-CSRFToken, not test-value"
1890        );
1891        // Custom headers not in spec should be appended
1892        assert!(
1893            script.contains("'Cookie': 'sessionid=abc123'"),
1894            "Should include Cookie header from custom_headers"
1895        );
1896        // test-value should NOT appear
1897        assert!(
1898            !script.contains("'test-value'"),
1899            "test-value placeholders should be replaced by custom values"
1900        );
1901    }
1902
1903    #[test]
1904    fn test_effective_headers_merging() {
1905        let config = ConformanceConfig {
1906            target_url: "http://localhost".to_string(),
1907            api_key: None,
1908            basic_auth: None,
1909            skip_tls_verify: false,
1910            categories: None,
1911            base_path: None,
1912            custom_headers: vec![
1913                ("X-Auth".to_string(), "real-token".to_string()),
1914                ("Cookie".to_string(), "session=abc".to_string()),
1915            ],
1916            output_dir: None,
1917            all_operations: false,
1918            custom_checks_file: None,
1919            request_delay_ms: 0,
1920            custom_filter: None,
1921            export_requests: false,
1922            validate_requests: false,
1923        };
1924        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1925
1926        // Spec headers with a matching custom header
1927        let spec_headers = vec![
1928            ("X-Auth".to_string(), "test-value".to_string()),
1929            ("X-Other".to_string(), "keep-this".to_string()),
1930        ];
1931        let effective = gen.effective_headers(&spec_headers);
1932
1933        // X-Auth should be overridden
1934        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1935        // X-Other should be kept as-is
1936        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1937        // Cookie should be appended
1938        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1939    }
1940}