Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference { .. } => None, // No recursive ref chasing
34                }
35            }
36        }
37    }
38
39    pub fn resolve_request_body<'a>(
40        body_ref: &'a ReferenceOr<RequestBody>,
41        spec: &'a OpenAPI,
42    ) -> Option<&'a RequestBody> {
43        match body_ref {
44            ReferenceOr::Item(body) => Some(body),
45            ReferenceOr::Reference { reference } => {
46                let name = reference.strip_prefix("#/components/requestBodies/")?;
47                let components = spec.components.as_ref()?;
48                match components.request_bodies.get(name)? {
49                    ReferenceOr::Item(body) => Some(body),
50                    ReferenceOr::Reference { .. } => None,
51                }
52            }
53        }
54    }
55
56    pub fn resolve_schema<'a>(
57        schema_ref: &'a ReferenceOr<Schema>,
58        spec: &'a OpenAPI,
59    ) -> Option<&'a Schema> {
60        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
61    }
62
63    fn resolve_schema_with_visited<'a>(
64        schema_ref: &'a ReferenceOr<Schema>,
65        spec: &'a OpenAPI,
66        visited: &mut HashSet<String>,
67    ) -> Option<&'a Schema> {
68        match schema_ref {
69            ReferenceOr::Item(schema) => Some(schema),
70            ReferenceOr::Reference { reference } => {
71                if !visited.insert(reference.clone()) {
72                    return None; // Cycle detected
73                }
74                let name = reference.strip_prefix("#/components/schemas/")?;
75                let components = spec.components.as_ref()?;
76                let nested = components.schemas.get(name)?;
77                resolve_schema_with_visited(nested, spec, visited)
78            }
79        }
80    }
81
82    /// Resolve a boxed schema reference (used by array items and object properties)
83    pub fn resolve_boxed_schema<'a>(
84        schema_ref: &'a ReferenceOr<Box<Schema>>,
85        spec: &'a OpenAPI,
86    ) -> Option<&'a Schema> {
87        match schema_ref {
88            ReferenceOr::Item(schema) => Some(schema.as_ref()),
89            ReferenceOr::Reference { reference } => {
90                // Delegate to the regular schema resolver
91                let name = reference.strip_prefix("#/components/schemas/")?;
92                let components = spec.components.as_ref()?;
93                let nested = components.schemas.get(name)?;
94                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
95            }
96        }
97    }
98
99    pub fn resolve_response<'a>(
100        resp_ref: &'a ReferenceOr<Response>,
101        spec: &'a OpenAPI,
102    ) -> Option<&'a Response> {
103        match resp_ref {
104            ReferenceOr::Item(resp) => Some(resp),
105            ReferenceOr::Reference { reference } => {
106                let name = reference.strip_prefix("#/components/responses/")?;
107                let components = spec.components.as_ref()?;
108                match components.responses.get(name)? {
109                    ReferenceOr::Item(resp) => Some(resp),
110                    ReferenceOr::Reference { .. } => None,
111                }
112            }
113        }
114    }
115}
116
117/// An API operation annotated with the conformance features it exercises
118#[derive(Debug, Clone)]
119pub struct AnnotatedOperation {
120    pub path: String,
121    pub method: String,
122    pub features: Vec<ConformanceFeature>,
123    pub request_body_content_type: Option<String>,
124    pub sample_body: Option<String>,
125    pub query_params: Vec<(String, String)>,
126    pub header_params: Vec<(String, String)>,
127    pub path_params: Vec<(String, String)>,
128    /// Response schema for validation (JSON string of the schema)
129    pub response_schema: Option<Schema>,
130}
131
132/// Generates spec-driven conformance k6 scripts
133pub struct SpecDrivenConformanceGenerator {
134    config: ConformanceConfig,
135    operations: Vec<AnnotatedOperation>,
136}
137
138impl SpecDrivenConformanceGenerator {
139    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
140        Self { config, operations }
141    }
142
143    /// Annotate a list of API operations with conformance features
144    pub fn annotate_operations(
145        operations: &[ApiOperation],
146        spec: &OpenAPI,
147    ) -> Vec<AnnotatedOperation> {
148        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
149    }
150
151    /// Analyze an operation and determine which conformance features it exercises
152    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
153        let mut features = Vec::new();
154        let mut query_params = Vec::new();
155        let mut header_params = Vec::new();
156        let mut path_params = Vec::new();
157
158        // Detect HTTP method feature
159        match op.method.to_uppercase().as_str() {
160            "GET" => features.push(ConformanceFeature::MethodGet),
161            "POST" => features.push(ConformanceFeature::MethodPost),
162            "PUT" => features.push(ConformanceFeature::MethodPut),
163            "PATCH" => features.push(ConformanceFeature::MethodPatch),
164            "DELETE" => features.push(ConformanceFeature::MethodDelete),
165            "HEAD" => features.push(ConformanceFeature::MethodHead),
166            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
167            _ => {}
168        }
169
170        // Detect parameter features (resolves $ref)
171        for param_ref in &op.operation.parameters {
172            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
173                Self::annotate_parameter(
174                    param,
175                    spec,
176                    &mut features,
177                    &mut query_params,
178                    &mut header_params,
179                    &mut path_params,
180                );
181            }
182        }
183
184        // Detect path parameters from the path template itself
185        for segment in op.path.split('/') {
186            if segment.starts_with('{') && segment.ends_with('}') {
187                let name = &segment[1..segment.len() - 1];
188                // Only add if not already found from parameters
189                if !path_params.iter().any(|(n, _)| n == name) {
190                    path_params.push((name.to_string(), "test-value".to_string()));
191                    // Determine type from path params we didn't already handle
192                    if !features.contains(&ConformanceFeature::PathParamString)
193                        && !features.contains(&ConformanceFeature::PathParamInteger)
194                    {
195                        features.push(ConformanceFeature::PathParamString);
196                    }
197                }
198            }
199        }
200
201        // Detect request body features (resolves $ref)
202        let mut request_body_content_type = None;
203        let mut sample_body = None;
204
205        let resolved_body = op
206            .operation
207            .request_body
208            .as_ref()
209            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
210
211        if let Some(body) = resolved_body {
212            for (content_type, _media) in &body.content {
213                match content_type.as_str() {
214                    "application/json" => {
215                        features.push(ConformanceFeature::BodyJson);
216                        request_body_content_type = Some("application/json".to_string());
217                        // Generate sample body from schema
218                        if let Ok(template) = RequestGenerator::generate_template(op) {
219                            if let Some(body_val) = &template.body {
220                                sample_body = Some(body_val.to_string());
221                            }
222                        }
223                    }
224                    "application/x-www-form-urlencoded" => {
225                        features.push(ConformanceFeature::BodyFormUrlencoded);
226                        request_body_content_type =
227                            Some("application/x-www-form-urlencoded".to_string());
228                    }
229                    "multipart/form-data" => {
230                        features.push(ConformanceFeature::BodyMultipart);
231                        request_body_content_type = Some("multipart/form-data".to_string());
232                    }
233                    _ => {}
234                }
235            }
236
237            // Detect schema features in request body (resolves $ref in schema)
238            if let Some(media) = body.content.get("application/json") {
239                if let Some(schema_ref) = &media.schema {
240                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
241                        Self::annotate_schema(schema, spec, &mut features);
242                    }
243                }
244            }
245        }
246
247        // Detect response code features
248        Self::annotate_responses(&op.operation, spec, &mut features);
249
250        // Extract response schema for validation (resolves $ref)
251        let response_schema = Self::extract_response_schema(&op.operation, spec);
252        if response_schema.is_some() {
253            features.push(ConformanceFeature::ResponseValidation);
254        }
255
256        // Detect content negotiation (response with multiple content types)
257        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
258
259        // Detect security features
260        Self::annotate_security(&op.operation, spec, &mut features);
261
262        // Deduplicate features
263        features.sort_by_key(|f| f.check_name());
264        features.dedup_by_key(|f| f.check_name());
265
266        AnnotatedOperation {
267            path: op.path.clone(),
268            method: op.method.to_uppercase(),
269            features,
270            request_body_content_type,
271            sample_body,
272            query_params,
273            header_params,
274            path_params,
275            response_schema,
276        }
277    }
278
279    /// Annotate parameter features
280    fn annotate_parameter(
281        param: &Parameter,
282        spec: &OpenAPI,
283        features: &mut Vec<ConformanceFeature>,
284        query_params: &mut Vec<(String, String)>,
285        header_params: &mut Vec<(String, String)>,
286        path_params: &mut Vec<(String, String)>,
287    ) {
288        let (location, data) = match param {
289            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
290            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
291            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
292            Parameter::Cookie { .. } => {
293                features.push(ConformanceFeature::CookieParam);
294                return;
295            }
296        };
297
298        // Detect type from schema
299        let is_integer = Self::param_schema_is_integer(data, spec);
300        let is_array = Self::param_schema_is_array(data, spec);
301
302        // Generate sample value
303        let sample = if is_integer {
304            "42".to_string()
305        } else if is_array {
306            "a,b".to_string()
307        } else {
308            "test-value".to_string()
309        };
310
311        match location {
312            "path" => {
313                if is_integer {
314                    features.push(ConformanceFeature::PathParamInteger);
315                } else {
316                    features.push(ConformanceFeature::PathParamString);
317                }
318                path_params.push((data.name.clone(), sample));
319            }
320            "query" => {
321                if is_array {
322                    features.push(ConformanceFeature::QueryParamArray);
323                } else if is_integer {
324                    features.push(ConformanceFeature::QueryParamInteger);
325                } else {
326                    features.push(ConformanceFeature::QueryParamString);
327                }
328                query_params.push((data.name.clone(), sample));
329            }
330            "header" => {
331                features.push(ConformanceFeature::HeaderParam);
332                header_params.push((data.name.clone(), sample));
333            }
334            _ => {}
335        }
336
337        // Check for constraint features on the parameter (resolves $ref)
338        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
339            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
340                Self::annotate_schema(schema, spec, features);
341            }
342        }
343
344        // Required/optional
345        if data.required {
346            features.push(ConformanceFeature::ConstraintRequired);
347        } else {
348            features.push(ConformanceFeature::ConstraintOptional);
349        }
350    }
351
352    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
353        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
354            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
355                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
356            }
357        }
358        false
359    }
360
361    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
362        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
363            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
364                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
365            }
366        }
367        false
368    }
369
370    /// Annotate schema-level features (types, composition, formats, constraints)
371    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
372        match &schema.schema_kind {
373            SchemaKind::Type(Type::String(s)) => {
374                features.push(ConformanceFeature::SchemaString);
375                // Check format
376                match &s.format {
377                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
378                        features.push(ConformanceFeature::FormatDate);
379                    }
380                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
381                        features.push(ConformanceFeature::FormatDateTime);
382                    }
383                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
384                        "email" => features.push(ConformanceFeature::FormatEmail),
385                        "uuid" => features.push(ConformanceFeature::FormatUuid),
386                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
387                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
388                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
389                        _ => {}
390                    },
391                    _ => {}
392                }
393                // Check constraints
394                if s.pattern.is_some() {
395                    features.push(ConformanceFeature::ConstraintPattern);
396                }
397                if !s.enumeration.is_empty() {
398                    features.push(ConformanceFeature::ConstraintEnum);
399                }
400                if s.min_length.is_some() || s.max_length.is_some() {
401                    features.push(ConformanceFeature::ConstraintMinMax);
402                }
403            }
404            SchemaKind::Type(Type::Integer(i)) => {
405                features.push(ConformanceFeature::SchemaInteger);
406                if i.minimum.is_some() || i.maximum.is_some() {
407                    features.push(ConformanceFeature::ConstraintMinMax);
408                }
409                if !i.enumeration.is_empty() {
410                    features.push(ConformanceFeature::ConstraintEnum);
411                }
412            }
413            SchemaKind::Type(Type::Number(n)) => {
414                features.push(ConformanceFeature::SchemaNumber);
415                if n.minimum.is_some() || n.maximum.is_some() {
416                    features.push(ConformanceFeature::ConstraintMinMax);
417                }
418            }
419            SchemaKind::Type(Type::Boolean(_)) => {
420                features.push(ConformanceFeature::SchemaBoolean);
421            }
422            SchemaKind::Type(Type::Array(arr)) => {
423                features.push(ConformanceFeature::SchemaArray);
424                if let Some(item_ref) = &arr.items {
425                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
426                        Self::annotate_schema(item_schema, spec, features);
427                    }
428                }
429            }
430            SchemaKind::Type(Type::Object(obj)) => {
431                features.push(ConformanceFeature::SchemaObject);
432                // Check required fields
433                if !obj.required.is_empty() {
434                    features.push(ConformanceFeature::ConstraintRequired);
435                }
436                // Walk properties (resolves $ref)
437                for (_name, prop_ref) in &obj.properties {
438                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
439                        Self::annotate_schema(prop_schema, spec, features);
440                    }
441                }
442            }
443            SchemaKind::OneOf { .. } => {
444                features.push(ConformanceFeature::CompositionOneOf);
445            }
446            SchemaKind::AnyOf { .. } => {
447                features.push(ConformanceFeature::CompositionAnyOf);
448            }
449            SchemaKind::AllOf { .. } => {
450                features.push(ConformanceFeature::CompositionAllOf);
451            }
452            _ => {}
453        }
454    }
455
456    /// Detect response code features (resolves $ref in responses)
457    fn annotate_responses(
458        operation: &Operation,
459        spec: &OpenAPI,
460        features: &mut Vec<ConformanceFeature>,
461    ) {
462        for (status_code, resp_ref) in &operation.responses.responses {
463            // Only count features for responses that actually resolve
464            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
465                match status_code {
466                    openapiv3::StatusCode::Code(200) => {
467                        features.push(ConformanceFeature::Response200)
468                    }
469                    openapiv3::StatusCode::Code(201) => {
470                        features.push(ConformanceFeature::Response201)
471                    }
472                    openapiv3::StatusCode::Code(204) => {
473                        features.push(ConformanceFeature::Response204)
474                    }
475                    openapiv3::StatusCode::Code(400) => {
476                        features.push(ConformanceFeature::Response400)
477                    }
478                    openapiv3::StatusCode::Code(404) => {
479                        features.push(ConformanceFeature::Response404)
480                    }
481                    _ => {}
482                }
483            }
484        }
485    }
486
487    /// Extract the response schema for the primary success response (200 or 201)
488    /// Resolves $ref for both the response and the schema within it.
489    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
490        // Try 200 first, then 201
491        for code in [200u16, 201] {
492            if let Some(resp_ref) =
493                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
494            {
495                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
496                    if let Some(media) = response.content.get("application/json") {
497                        if let Some(schema_ref) = &media.schema {
498                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
499                                return Some(schema.clone());
500                            }
501                        }
502                    }
503                }
504            }
505        }
506        None
507    }
508
509    /// Detect content negotiation: response supports multiple content types
510    fn annotate_content_negotiation(
511        operation: &Operation,
512        spec: &OpenAPI,
513        features: &mut Vec<ConformanceFeature>,
514    ) {
515        for (_status_code, resp_ref) in &operation.responses.responses {
516            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
517                if response.content.len() > 1 {
518                    features.push(ConformanceFeature::ContentNegotiation);
519                    return; // Only need to detect once per operation
520                }
521            }
522        }
523    }
524
525    /// Detect security scheme features.
526    /// Checks operation-level security first, falling back to global security requirements.
527    /// Resolves scheme names against SecurityScheme definitions in components.
528    fn annotate_security(
529        operation: &Operation,
530        spec: &OpenAPI,
531        features: &mut Vec<ConformanceFeature>,
532    ) {
533        // Use operation-level security if present, otherwise fall back to global
534        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
535
536        if let Some(security) = security_reqs {
537            for security_req in security {
538                for scheme_name in security_req.keys() {
539                    // Try to resolve the scheme from components for accurate type detection
540                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
541                        match resolved {
542                            SecurityScheme::HTTP { ref scheme, .. } => {
543                                if scheme.eq_ignore_ascii_case("bearer") {
544                                    features.push(ConformanceFeature::SecurityBearer);
545                                } else if scheme.eq_ignore_ascii_case("basic") {
546                                    features.push(ConformanceFeature::SecurityBasic);
547                                }
548                            }
549                            SecurityScheme::APIKey { .. } => {
550                                features.push(ConformanceFeature::SecurityApiKey);
551                            }
552                            // OAuth2 and OpenIDConnect don't map to our current feature set
553                            _ => {}
554                        }
555                    } else {
556                        // Fallback: heuristic name matching for unresolvable schemes
557                        let name_lower = scheme_name.to_lowercase();
558                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
559                            features.push(ConformanceFeature::SecurityBearer);
560                        } else if name_lower.contains("api") && name_lower.contains("key") {
561                            features.push(ConformanceFeature::SecurityApiKey);
562                        } else if name_lower.contains("basic") {
563                            features.push(ConformanceFeature::SecurityBasic);
564                        }
565                    }
566                }
567            }
568        }
569    }
570
571    /// Resolve a security scheme name to its SecurityScheme definition
572    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
573        let components = spec.components.as_ref()?;
574        match components.security_schemes.get(name)? {
575            ReferenceOr::Item(scheme) => Some(scheme),
576            ReferenceOr::Reference { .. } => None,
577        }
578    }
579
580    /// Returns the number of operations being tested
581    pub fn operation_count(&self) -> usize {
582        self.operations.len()
583    }
584
585    /// Generate the k6 conformance script.
586    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
587    pub fn generate(&self) -> Result<(String, usize)> {
588        let mut script = String::with_capacity(16384);
589
590        // Imports
591        script.push_str("import http from 'k6/http';\n");
592        script.push_str("import { check, group } from 'k6';\n\n");
593
594        // Options
595        script.push_str("export const options = {\n");
596        script.push_str("  vus: 1,\n");
597        script.push_str("  iterations: 1,\n");
598        if self.config.skip_tls_verify {
599            script.push_str("  insecureSkipTLSVerify: true,\n");
600        }
601        script.push_str("  thresholds: {\n");
602        script.push_str("    checks: ['rate>0'],\n");
603        script.push_str("  },\n");
604        script.push_str("};\n\n");
605
606        // Base URL (includes base_path if configured)
607        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
608        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
609
610        // Default function
611        script.push_str("export default function () {\n");
612
613        if self.config.has_cookie_header() {
614            script.push_str(
615                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
616            );
617            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
618        }
619
620        // Group operations by category
621        let mut category_ops: std::collections::BTreeMap<
622            &'static str,
623            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
624        > = std::collections::BTreeMap::new();
625
626        for op in &self.operations {
627            for feature in &op.features {
628                let category = feature.category();
629                if self.config.should_include_category(category) {
630                    category_ops.entry(category).or_default().push((op, feature));
631                }
632            }
633        }
634
635        // Emit grouped tests
636        let mut total_checks = 0usize;
637        for (category, ops) in &category_ops {
638            script.push_str(&format!("  group('{}', function () {{\n", category));
639
640            if self.config.all_operations {
641                // All-operations mode: test every operation, using path-qualified check names
642                let mut emitted_checks: HashSet<String> = HashSet::new();
643                for (op, feature) in ops {
644                    let qualified = format!("{}:{}", feature.check_name(), op.path);
645                    if emitted_checks.insert(qualified.clone()) {
646                        self.emit_check_named(&mut script, op, feature, &qualified);
647                        total_checks += 1;
648                    }
649                }
650            } else {
651                // Default: one representative operation per feature check name
652                let mut emitted_checks: HashSet<&str> = HashSet::new();
653                for (op, feature) in ops {
654                    if emitted_checks.insert(feature.check_name()) {
655                        self.emit_check(&mut script, op, feature);
656                        total_checks += 1;
657                    }
658                }
659            }
660
661            script.push_str("  });\n\n");
662        }
663
664        script.push_str("}\n\n");
665
666        // handleSummary
667        self.generate_handle_summary(&mut script);
668
669        Ok((script, total_checks))
670    }
671
672    /// Emit a single k6 check for an operation + feature using the feature's default check name
673    fn emit_check(
674        &self,
675        script: &mut String,
676        op: &AnnotatedOperation,
677        feature: &ConformanceFeature,
678    ) {
679        self.emit_check_named(script, op, feature, feature.check_name());
680    }
681
682    /// Emit a single k6 check for an operation + feature with a custom check name
683    fn emit_check_named(
684        &self,
685        script: &mut String,
686        op: &AnnotatedOperation,
687        feature: &ConformanceFeature,
688        check_name: &str,
689    ) {
690        // Escape single quotes in check name since it's embedded in JS single-quoted strings
691        let check_name = check_name.replace('\'', "\\'");
692        let check_name = check_name.as_str();
693
694        script.push_str("    {\n");
695
696        // Build the URL path with parameters substituted
697        let mut url_path = op.path.clone();
698        for (name, value) in &op.path_params {
699            url_path = url_path.replace(&format!("{{{}}}", name), value);
700        }
701
702        // Build query string
703        if !op.query_params.is_empty() {
704            let qs: Vec<String> =
705                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
706            url_path = format!("{}?{}", url_path, qs.join("&"));
707        }
708
709        let full_url = format!("${{BASE_URL}}{}", url_path);
710
711        // Build effective headers: merge spec-derived headers with custom headers.
712        // Custom headers override spec-derived ones with the same name.
713        let mut effective_headers = self.effective_headers(&op.header_params);
714
715        // For non-default response code checks, add header to tell the mock server
716        // which status code to return (the server defaults to the first declared status)
717        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
718            let expected_code = match feature {
719                ConformanceFeature::Response400 => "400",
720                ConformanceFeature::Response404 => "404",
721                _ => unreachable!(),
722            };
723            effective_headers
724                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
725        }
726
727        let has_headers = !effective_headers.is_empty();
728        let headers_obj = if has_headers {
729            Self::format_headers(&effective_headers)
730        } else {
731            String::new()
732        };
733
734        // Determine HTTP method and emit request
735        match op.method.as_str() {
736            "GET" => {
737                if has_headers {
738                    script.push_str(&format!(
739                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
740                        full_url, headers_obj
741                    ));
742                } else {
743                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
744                }
745            }
746            "POST" => {
747                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
748            }
749            "PUT" => {
750                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
751            }
752            "PATCH" => {
753                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
754            }
755            "DELETE" => {
756                if has_headers {
757                    script.push_str(&format!(
758                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
759                        full_url, headers_obj
760                    ));
761                } else {
762                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
763                }
764            }
765            "HEAD" => {
766                if has_headers {
767                    script.push_str(&format!(
768                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
769                        full_url, headers_obj
770                    ));
771                } else {
772                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
773                }
774            }
775            "OPTIONS" => {
776                if has_headers {
777                    script.push_str(&format!(
778                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
779                        full_url, headers_obj
780                    ));
781                } else {
782                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
783                }
784            }
785            _ => {
786                if has_headers {
787                    script.push_str(&format!(
788                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
789                        full_url, headers_obj
790                    ));
791                } else {
792                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
793                }
794            }
795        }
796
797        // Check: emit assertion based on feature type
798        if matches!(
799            feature,
800            ConformanceFeature::Response200
801                | ConformanceFeature::Response201
802                | ConformanceFeature::Response204
803                | ConformanceFeature::Response400
804                | ConformanceFeature::Response404
805        ) {
806            let expected_code = match feature {
807                ConformanceFeature::Response200 => 200,
808                ConformanceFeature::Response201 => 201,
809                ConformanceFeature::Response204 => 204,
810                ConformanceFeature::Response400 => 400,
811                ConformanceFeature::Response404 => 404,
812                _ => 200,
813            };
814            script.push_str(&format!(
815                "      check(res, {{ '{}': (r) => r.status === {} }});\n",
816                check_name, expected_code
817            ));
818        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
819            // Response schema validation — validate the response body against the schema
820            if let Some(schema) = &op.response_schema {
821                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
822                script.push_str(&format!(
823                    "      try {{ let body = res.json(); check(res, {{ '{}': (r) => {{ {} }} }}); }} catch(e) {{ check(res, {{ '{}': () => false }}); }}\n",
824                    check_name, validation_js, check_name
825                ));
826            }
827        } else {
828            script.push_str(&format!(
829                "      check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }});\n",
830                check_name
831            ));
832        }
833
834        // Clear cookie jar after each request to prevent Set-Cookie leaking
835        if self.config.has_cookie_header() {
836            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
837        }
838
839        script.push_str("    }\n");
840    }
841
842    /// Emit an HTTP request with a body
843    fn emit_request_with_body(
844        &self,
845        script: &mut String,
846        method: &str,
847        url: &str,
848        op: &AnnotatedOperation,
849        effective_headers: &[(String, String)],
850    ) {
851        if let Some(body) = &op.sample_body {
852            let escaped_body = body.replace('\'', "\\'");
853            let headers = if !effective_headers.is_empty() {
854                format!(
855                    "Object.assign({{}}, JSON_HEADERS, {})",
856                    Self::format_headers(effective_headers)
857                )
858            } else {
859                "JSON_HEADERS".to_string()
860            };
861            script.push_str(&format!(
862                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
863                method, url, escaped_body, headers
864            ));
865        } else if !effective_headers.is_empty() {
866            script.push_str(&format!(
867                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
868                method,
869                url,
870                Self::format_headers(effective_headers)
871            ));
872        } else {
873            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
874        }
875    }
876
877    /// Build effective headers by merging spec-derived headers with custom headers.
878    /// Custom headers override spec-derived ones with the same name (case-insensitive).
879    /// Custom headers not in the spec are appended.
880    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
881        let custom = &self.config.custom_headers;
882        if custom.is_empty() {
883            return spec_headers.to_vec();
884        }
885
886        let mut result: Vec<(String, String)> = Vec::new();
887
888        // Start with spec headers, replacing values if a custom header matches
889        for (name, value) in spec_headers {
890            if let Some((_, custom_val)) =
891                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
892            {
893                result.push((name.clone(), custom_val.clone()));
894            } else {
895                result.push((name.clone(), value.clone()));
896            }
897        }
898
899        // Append custom headers that aren't already in spec headers
900        for (name, value) in custom {
901            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
902                result.push((name.clone(), value.clone()));
903            }
904        }
905
906        result
907    }
908
909    /// Format header params as a JS object literal
910    fn format_headers(headers: &[(String, String)]) -> String {
911        let entries: Vec<String> = headers
912            .iter()
913            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
914            .collect();
915        format!("{{ {} }}", entries.join(", "))
916    }
917
918    /// handleSummary — same format as reference mode for report compatibility
919    fn generate_handle_summary(&self, script: &mut String) {
920        // Use absolute path for report output so k6 writes where the CLI expects
921        let report_path = match &self.config.output_dir {
922            Some(dir) => {
923                let abs = std::fs::canonicalize(dir)
924                    .unwrap_or_else(|_| dir.clone())
925                    .join("conformance-report.json");
926                abs.to_string_lossy().to_string()
927            }
928            None => "conformance-report.json".to_string(),
929        };
930
931        script.push_str("export function handleSummary(data) {\n");
932        script.push_str("  let checks = {};\n");
933        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
934        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
935        script.push_str("  }\n");
936        script.push_str("  let checkResults = {};\n");
937        script.push_str("  function walkGroups(group) {\n");
938        script.push_str("    if (group.checks) {\n");
939        script.push_str("      for (let checkObj of group.checks) {\n");
940        script.push_str("        checkResults[checkObj.name] = {\n");
941        script.push_str("          passes: checkObj.passes,\n");
942        script.push_str("          fails: checkObj.fails,\n");
943        script.push_str("        };\n");
944        script.push_str("      }\n");
945        script.push_str("    }\n");
946        script.push_str("    if (group.groups) {\n");
947        script.push_str("      for (let subGroup of group.groups) {\n");
948        script.push_str("        walkGroups(subGroup);\n");
949        script.push_str("      }\n");
950        script.push_str("    }\n");
951        script.push_str("  }\n");
952        script.push_str("  if (data.root_group) {\n");
953        script.push_str("    walkGroups(data.root_group);\n");
954        script.push_str("  }\n");
955        script.push_str("  return {\n");
956        script.push_str(&format!(
957            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
958            report_path
959        ));
960        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
961        script.push_str("  };\n");
962        script.push_str("}\n\n");
963        script.push_str("function textSummary(data, opts) {\n");
964        script.push_str("  return JSON.stringify(data, null, 2);\n");
965        script.push_str("}\n");
966    }
967}
968
969#[cfg(test)]
970mod tests {
971    use super::*;
972    use openapiv3::{
973        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
974        SchemaData, SchemaKind, StringType, Type,
975    };
976
977    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
978        ApiOperation {
979            method: method.to_string(),
980            path: path.to_string(),
981            operation,
982            operation_id: None,
983        }
984    }
985
986    fn empty_spec() -> OpenAPI {
987        OpenAPI::default()
988    }
989
990    #[test]
991    fn test_annotate_get_with_path_param() {
992        let mut op = Operation::default();
993        op.parameters.push(ReferenceOr::Item(Parameter::Path {
994            parameter_data: ParameterData {
995                name: "id".to_string(),
996                description: None,
997                required: true,
998                deprecated: None,
999                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1000                    schema_data: SchemaData::default(),
1001                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1002                })),
1003                example: None,
1004                examples: Default::default(),
1005                explode: None,
1006                extensions: Default::default(),
1007            },
1008            style: PathStyle::Simple,
1009        }));
1010
1011        let api_op = make_op("get", "/users/{id}", op);
1012        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1013
1014        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1015        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1016        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1017        assert_eq!(annotated.path_params.len(), 1);
1018        assert_eq!(annotated.path_params[0].0, "id");
1019    }
1020
1021    #[test]
1022    fn test_annotate_post_with_json_body() {
1023        let mut op = Operation::default();
1024        let mut body = openapiv3::RequestBody {
1025            required: true,
1026            ..Default::default()
1027        };
1028        body.content
1029            .insert("application/json".to_string(), openapiv3::MediaType::default());
1030        op.request_body = Some(ReferenceOr::Item(body));
1031
1032        let api_op = make_op("post", "/items", op);
1033        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1034
1035        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1036        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1037    }
1038
1039    #[test]
1040    fn test_annotate_response_codes() {
1041        let mut op = Operation::default();
1042        op.responses
1043            .responses
1044            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1045        op.responses
1046            .responses
1047            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1048
1049        let api_op = make_op("get", "/items", op);
1050        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1051
1052        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1053        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1054    }
1055
1056    #[test]
1057    fn test_generate_spec_driven_script() {
1058        let config = ConformanceConfig {
1059            target_url: "http://localhost:3000".to_string(),
1060            api_key: None,
1061            basic_auth: None,
1062            skip_tls_verify: false,
1063            categories: None,
1064            base_path: None,
1065            custom_headers: vec![],
1066            output_dir: None,
1067            all_operations: false,
1068        };
1069
1070        let operations = vec![AnnotatedOperation {
1071            path: "/users/{id}".to_string(),
1072            method: "GET".to_string(),
1073            features: vec![
1074                ConformanceFeature::MethodGet,
1075                ConformanceFeature::PathParamString,
1076            ],
1077            request_body_content_type: None,
1078            sample_body: None,
1079            query_params: vec![],
1080            header_params: vec![],
1081            path_params: vec![("id".to_string(), "test-value".to_string())],
1082            response_schema: None,
1083        }];
1084
1085        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1086        let (script, _check_count) = gen.generate().unwrap();
1087
1088        assert!(script.contains("import http from 'k6/http'"));
1089        assert!(script.contains("/users/test-value"));
1090        assert!(script.contains("param:path:string"));
1091        assert!(script.contains("method:GET"));
1092        assert!(script.contains("handleSummary"));
1093    }
1094
1095    #[test]
1096    fn test_generate_with_category_filter() {
1097        let config = ConformanceConfig {
1098            target_url: "http://localhost:3000".to_string(),
1099            api_key: None,
1100            basic_auth: None,
1101            skip_tls_verify: false,
1102            categories: Some(vec!["Parameters".to_string()]),
1103            base_path: None,
1104            custom_headers: vec![],
1105            output_dir: None,
1106            all_operations: false,
1107        };
1108
1109        let operations = vec![AnnotatedOperation {
1110            path: "/users/{id}".to_string(),
1111            method: "GET".to_string(),
1112            features: vec![
1113                ConformanceFeature::MethodGet,
1114                ConformanceFeature::PathParamString,
1115            ],
1116            request_body_content_type: None,
1117            sample_body: None,
1118            query_params: vec![],
1119            header_params: vec![],
1120            path_params: vec![("id".to_string(), "1".to_string())],
1121            response_schema: None,
1122        }];
1123
1124        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1125        let (script, _check_count) = gen.generate().unwrap();
1126
1127        assert!(script.contains("group('Parameters'"));
1128        assert!(!script.contains("group('HTTP Methods'"));
1129    }
1130
1131    #[test]
1132    fn test_annotate_response_validation() {
1133        use openapiv3::ObjectType;
1134
1135        // Operation with a 200 response that has a JSON schema
1136        let mut op = Operation::default();
1137        let mut response = Response::default();
1138        let mut media = openapiv3::MediaType::default();
1139        let mut obj_type = ObjectType::default();
1140        obj_type.properties.insert(
1141            "name".to_string(),
1142            ReferenceOr::Item(Box::new(Schema {
1143                schema_data: SchemaData::default(),
1144                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1145            })),
1146        );
1147        obj_type.required = vec!["name".to_string()];
1148        media.schema = Some(ReferenceOr::Item(Schema {
1149            schema_data: SchemaData::default(),
1150            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1151        }));
1152        response.content.insert("application/json".to_string(), media);
1153        op.responses
1154            .responses
1155            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1156
1157        let api_op = make_op("get", "/users", op);
1158        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1159
1160        assert!(
1161            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1162            "Should detect ResponseValidation when response has a JSON schema"
1163        );
1164        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1165
1166        // Verify generated script includes schema validation with try-catch
1167        let config = ConformanceConfig {
1168            target_url: "http://localhost:3000".to_string(),
1169            api_key: None,
1170            basic_auth: None,
1171            skip_tls_verify: false,
1172            categories: None,
1173            base_path: None,
1174            custom_headers: vec![],
1175            output_dir: None,
1176            all_operations: false,
1177        };
1178        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1179        let (script, _check_count) = gen.generate().unwrap();
1180
1181        assert!(
1182            script.contains("response:schema:validation"),
1183            "Script should contain the validation check name"
1184        );
1185        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1186        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1187    }
1188
1189    #[test]
1190    fn test_annotate_global_security() {
1191        // Spec with global security requirement, operation without its own security
1192        let op = Operation::default();
1193        let mut spec = OpenAPI::default();
1194        let mut global_req = openapiv3::SecurityRequirement::new();
1195        global_req.insert("bearerAuth".to_string(), vec![]);
1196        spec.security = Some(vec![global_req]);
1197        // Define the security scheme in components
1198        let mut components = openapiv3::Components::default();
1199        components.security_schemes.insert(
1200            "bearerAuth".to_string(),
1201            ReferenceOr::Item(SecurityScheme::HTTP {
1202                scheme: "bearer".to_string(),
1203                bearer_format: Some("JWT".to_string()),
1204                description: None,
1205                extensions: Default::default(),
1206            }),
1207        );
1208        spec.components = Some(components);
1209
1210        let api_op = make_op("get", "/protected", op);
1211        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1212
1213        assert!(
1214            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1215            "Should detect SecurityBearer from global security + components"
1216        );
1217    }
1218
1219    #[test]
1220    fn test_annotate_security_scheme_resolution() {
1221        // Test that security scheme type is resolved from components, not just name heuristic
1222        let mut op = Operation::default();
1223        // Use a generic name that wouldn't match name heuristics
1224        let mut req = openapiv3::SecurityRequirement::new();
1225        req.insert("myAuth".to_string(), vec![]);
1226        op.security = Some(vec![req]);
1227
1228        let mut spec = OpenAPI::default();
1229        let mut components = openapiv3::Components::default();
1230        components.security_schemes.insert(
1231            "myAuth".to_string(),
1232            ReferenceOr::Item(SecurityScheme::APIKey {
1233                location: openapiv3::APIKeyLocation::Header,
1234                name: "X-API-Key".to_string(),
1235                description: None,
1236                extensions: Default::default(),
1237            }),
1238        );
1239        spec.components = Some(components);
1240
1241        let api_op = make_op("get", "/data", op);
1242        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1243
1244        assert!(
1245            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1246            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1247        );
1248    }
1249
1250    #[test]
1251    fn test_annotate_content_negotiation() {
1252        let mut op = Operation::default();
1253        let mut response = Response::default();
1254        // Response with multiple content types
1255        response
1256            .content
1257            .insert("application/json".to_string(), openapiv3::MediaType::default());
1258        response
1259            .content
1260            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1261        op.responses
1262            .responses
1263            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1264
1265        let api_op = make_op("get", "/items", op);
1266        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1267
1268        assert!(
1269            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1270            "Should detect ContentNegotiation when response has multiple content types"
1271        );
1272    }
1273
1274    #[test]
1275    fn test_no_content_negotiation_for_single_type() {
1276        let mut op = Operation::default();
1277        let mut response = Response::default();
1278        response
1279            .content
1280            .insert("application/json".to_string(), openapiv3::MediaType::default());
1281        op.responses
1282            .responses
1283            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1284
1285        let api_op = make_op("get", "/items", op);
1286        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1287
1288        assert!(
1289            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1290            "Should NOT detect ContentNegotiation for a single content type"
1291        );
1292    }
1293
1294    #[test]
1295    fn test_spec_driven_with_base_path() {
1296        let annotated = AnnotatedOperation {
1297            path: "/users".to_string(),
1298            method: "GET".to_string(),
1299            features: vec![ConformanceFeature::MethodGet],
1300            path_params: vec![],
1301            query_params: vec![],
1302            header_params: vec![],
1303            request_body_content_type: None,
1304            sample_body: None,
1305            response_schema: None,
1306        };
1307        let config = ConformanceConfig {
1308            target_url: "https://192.168.2.86/".to_string(),
1309            api_key: None,
1310            basic_auth: None,
1311            skip_tls_verify: true,
1312            categories: None,
1313            base_path: Some("/api".to_string()),
1314            custom_headers: vec![],
1315            output_dir: None,
1316            all_operations: false,
1317        };
1318        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1319        let (script, _check_count) = gen.generate().unwrap();
1320
1321        assert!(
1322            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1323            "BASE_URL should include the base_path. Got: {}",
1324            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1325        );
1326    }
1327
1328    #[test]
1329    fn test_spec_driven_with_custom_headers() {
1330        let annotated = AnnotatedOperation {
1331            path: "/users".to_string(),
1332            method: "GET".to_string(),
1333            features: vec![ConformanceFeature::MethodGet],
1334            path_params: vec![],
1335            query_params: vec![],
1336            header_params: vec![
1337                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1338                ("X-CSRFToken".to_string(), "test-value".to_string()),
1339            ],
1340            request_body_content_type: None,
1341            sample_body: None,
1342            response_schema: None,
1343        };
1344        let config = ConformanceConfig {
1345            target_url: "https://192.168.2.86/".to_string(),
1346            api_key: None,
1347            basic_auth: None,
1348            skip_tls_verify: true,
1349            categories: None,
1350            base_path: Some("/api".to_string()),
1351            custom_headers: vec![
1352                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1353                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1354                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1355            ],
1356            output_dir: None,
1357            all_operations: false,
1358        };
1359        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1360        let (script, _check_count) = gen.generate().unwrap();
1361
1362        // Custom headers should override spec-derived test-value placeholders
1363        assert!(
1364            script.contains("'X-Avi-Tenant': 'admin'"),
1365            "Should use custom value for X-Avi-Tenant, not test-value"
1366        );
1367        assert!(
1368            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1369            "Should use custom value for X-CSRFToken, not test-value"
1370        );
1371        // Custom headers not in spec should be appended
1372        assert!(
1373            script.contains("'Cookie': 'sessionid=abc123'"),
1374            "Should include Cookie header from custom_headers"
1375        );
1376        // test-value should NOT appear
1377        assert!(
1378            !script.contains("'test-value'"),
1379            "test-value placeholders should be replaced by custom values"
1380        );
1381    }
1382
1383    #[test]
1384    fn test_effective_headers_merging() {
1385        let config = ConformanceConfig {
1386            target_url: "http://localhost".to_string(),
1387            api_key: None,
1388            basic_auth: None,
1389            skip_tls_verify: false,
1390            categories: None,
1391            base_path: None,
1392            custom_headers: vec![
1393                ("X-Auth".to_string(), "real-token".to_string()),
1394                ("Cookie".to_string(), "session=abc".to_string()),
1395            ],
1396            output_dir: None,
1397            all_operations: false,
1398        };
1399        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1400
1401        // Spec headers with a matching custom header
1402        let spec_headers = vec![
1403            ("X-Auth".to_string(), "test-value".to_string()),
1404            ("X-Other".to_string(), "keep-this".to_string()),
1405        ];
1406        let effective = gen.effective_headers(&spec_headers);
1407
1408        // X-Auth should be overridden
1409        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1410        // X-Other should be kept as-is
1411        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1412        // Cookie should be appended
1413        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1414    }
1415}