Skip to main content

mockforge_bench/conformance/
spec_driven.rs

1//! Spec-driven conformance testing
2//!
3//! Analyzes the user's OpenAPI spec to determine which features their API uses,
4//! then generates k6 conformance tests against their real endpoints.
5
6use super::generator::ConformanceConfig;
7use super::schema_validator::SchemaValidatorGenerator;
8use super::spec::ConformanceFeature;
9use crate::error::Result;
10use crate::request_gen::RequestGenerator;
11use crate::spec_parser::ApiOperation;
12use openapiv3::{
13    OpenAPI, Operation, Parameter, ParameterSchemaOrContent, ReferenceOr, RequestBody, Response,
14    Schema, SchemaKind, SecurityScheme, StringFormat, Type, VariantOrUnknownOrEmpty,
15};
16use std::collections::HashSet;
17
18/// Resolve `$ref` references against the OpenAPI components
19mod ref_resolver {
20    use super::*;
21
22    pub fn resolve_parameter<'a>(
23        param_ref: &'a ReferenceOr<Parameter>,
24        spec: &'a OpenAPI,
25    ) -> Option<&'a Parameter> {
26        match param_ref {
27            ReferenceOr::Item(param) => Some(param),
28            ReferenceOr::Reference { reference } => {
29                let name = reference.strip_prefix("#/components/parameters/")?;
30                let components = spec.components.as_ref()?;
31                match components.parameters.get(name)? {
32                    ReferenceOr::Item(param) => Some(param),
33                    ReferenceOr::Reference {
34                        reference: inner_ref,
35                    } => {
36                        // One level of recursive resolution
37                        let inner_name = inner_ref.strip_prefix("#/components/parameters/")?;
38                        match components.parameters.get(inner_name)? {
39                            ReferenceOr::Item(param) => Some(param),
40                            ReferenceOr::Reference { .. } => None,
41                        }
42                    }
43                }
44            }
45        }
46    }
47
48    pub fn resolve_request_body<'a>(
49        body_ref: &'a ReferenceOr<RequestBody>,
50        spec: &'a OpenAPI,
51    ) -> Option<&'a RequestBody> {
52        match body_ref {
53            ReferenceOr::Item(body) => Some(body),
54            ReferenceOr::Reference { reference } => {
55                let name = reference.strip_prefix("#/components/requestBodies/")?;
56                let components = spec.components.as_ref()?;
57                match components.request_bodies.get(name)? {
58                    ReferenceOr::Item(body) => Some(body),
59                    ReferenceOr::Reference {
60                        reference: inner_ref,
61                    } => {
62                        // One level of recursive resolution
63                        let inner_name = inner_ref.strip_prefix("#/components/requestBodies/")?;
64                        match components.request_bodies.get(inner_name)? {
65                            ReferenceOr::Item(body) => Some(body),
66                            ReferenceOr::Reference { .. } => None,
67                        }
68                    }
69                }
70            }
71        }
72    }
73
74    pub fn resolve_schema<'a>(
75        schema_ref: &'a ReferenceOr<Schema>,
76        spec: &'a OpenAPI,
77    ) -> Option<&'a Schema> {
78        resolve_schema_with_visited(schema_ref, spec, &mut HashSet::new())
79    }
80
81    fn resolve_schema_with_visited<'a>(
82        schema_ref: &'a ReferenceOr<Schema>,
83        spec: &'a OpenAPI,
84        visited: &mut HashSet<String>,
85    ) -> Option<&'a Schema> {
86        match schema_ref {
87            ReferenceOr::Item(schema) => Some(schema),
88            ReferenceOr::Reference { reference } => {
89                if !visited.insert(reference.clone()) {
90                    return None; // Cycle detected
91                }
92                let name = reference.strip_prefix("#/components/schemas/")?;
93                let components = spec.components.as_ref()?;
94                let nested = components.schemas.get(name)?;
95                resolve_schema_with_visited(nested, spec, visited)
96            }
97        }
98    }
99
100    /// Resolve a boxed schema reference (used by array items and object properties)
101    pub fn resolve_boxed_schema<'a>(
102        schema_ref: &'a ReferenceOr<Box<Schema>>,
103        spec: &'a OpenAPI,
104    ) -> Option<&'a Schema> {
105        match schema_ref {
106            ReferenceOr::Item(schema) => Some(schema.as_ref()),
107            ReferenceOr::Reference { reference } => {
108                // Delegate to the regular schema resolver
109                let name = reference.strip_prefix("#/components/schemas/")?;
110                let components = spec.components.as_ref()?;
111                let nested = components.schemas.get(name)?;
112                resolve_schema_with_visited(nested, spec, &mut HashSet::new())
113            }
114        }
115    }
116
117    pub fn resolve_response<'a>(
118        resp_ref: &'a ReferenceOr<Response>,
119        spec: &'a OpenAPI,
120    ) -> Option<&'a Response> {
121        match resp_ref {
122            ReferenceOr::Item(resp) => Some(resp),
123            ReferenceOr::Reference { reference } => {
124                let name = reference.strip_prefix("#/components/responses/")?;
125                let components = spec.components.as_ref()?;
126                match components.responses.get(name)? {
127                    ReferenceOr::Item(resp) => Some(resp),
128                    ReferenceOr::Reference {
129                        reference: inner_ref,
130                    } => {
131                        // One level of recursive resolution
132                        let inner_name = inner_ref.strip_prefix("#/components/responses/")?;
133                        match components.responses.get(inner_name)? {
134                            ReferenceOr::Item(resp) => Some(resp),
135                            ReferenceOr::Reference { .. } => None,
136                        }
137                    }
138                }
139            }
140        }
141    }
142}
143
144/// Resolved security scheme details for an operation
145#[derive(Debug, Clone)]
146pub enum SecuritySchemeInfo {
147    /// HTTP Bearer token
148    Bearer,
149    /// HTTP Basic auth
150    Basic,
151    /// API Key in header, query, or cookie
152    ApiKey {
153        location: ApiKeyLocation,
154        name: String,
155    },
156}
157
158/// Where an API key is transmitted
159#[derive(Debug, Clone, PartialEq)]
160pub enum ApiKeyLocation {
161    Header,
162    Query,
163    Cookie,
164}
165
166/// An API operation annotated with the conformance features it exercises
167#[derive(Debug, Clone)]
168pub struct AnnotatedOperation {
169    pub path: String,
170    pub method: String,
171    pub features: Vec<ConformanceFeature>,
172    pub request_body_content_type: Option<String>,
173    pub sample_body: Option<String>,
174    pub query_params: Vec<(String, String)>,
175    pub header_params: Vec<(String, String)>,
176    pub path_params: Vec<(String, String)>,
177    /// Response schema for validation (JSON string of the schema)
178    pub response_schema: Option<Schema>,
179    /// Security scheme details resolved from the OpenAPI spec
180    pub security_schemes: Vec<SecuritySchemeInfo>,
181}
182
183/// Generates spec-driven conformance k6 scripts
184pub struct SpecDrivenConformanceGenerator {
185    config: ConformanceConfig,
186    operations: Vec<AnnotatedOperation>,
187}
188
189impl SpecDrivenConformanceGenerator {
190    pub fn new(config: ConformanceConfig, operations: Vec<AnnotatedOperation>) -> Self {
191        Self { config, operations }
192    }
193
194    /// Annotate a list of API operations with conformance features
195    pub fn annotate_operations(
196        operations: &[ApiOperation],
197        spec: &OpenAPI,
198    ) -> Vec<AnnotatedOperation> {
199        operations.iter().map(|op| Self::annotate_operation(op, spec)).collect()
200    }
201
202    /// Analyze an operation and determine which conformance features it exercises
203    fn annotate_operation(op: &ApiOperation, spec: &OpenAPI) -> AnnotatedOperation {
204        let mut features = Vec::new();
205        let mut query_params = Vec::new();
206        let mut header_params = Vec::new();
207        let mut path_params = Vec::new();
208
209        // Detect HTTP method feature
210        match op.method.to_uppercase().as_str() {
211            "GET" => features.push(ConformanceFeature::MethodGet),
212            "POST" => features.push(ConformanceFeature::MethodPost),
213            "PUT" => features.push(ConformanceFeature::MethodPut),
214            "PATCH" => features.push(ConformanceFeature::MethodPatch),
215            "DELETE" => features.push(ConformanceFeature::MethodDelete),
216            "HEAD" => features.push(ConformanceFeature::MethodHead),
217            "OPTIONS" => features.push(ConformanceFeature::MethodOptions),
218            _ => {}
219        }
220
221        // Detect parameter features (resolves $ref)
222        for param_ref in &op.operation.parameters {
223            if let Some(param) = ref_resolver::resolve_parameter(param_ref, spec) {
224                Self::annotate_parameter(
225                    param,
226                    spec,
227                    &mut features,
228                    &mut query_params,
229                    &mut header_params,
230                    &mut path_params,
231                );
232            }
233        }
234
235        // Detect path parameters from the path template itself
236        for segment in op.path.split('/') {
237            if segment.starts_with('{') && segment.ends_with('}') {
238                let name = &segment[1..segment.len() - 1];
239                // Only add if not already found from parameters
240                if !path_params.iter().any(|(n, _)| n == name) {
241                    path_params.push((name.to_string(), "test-value".to_string()));
242                    // Determine type from path params we didn't already handle
243                    if !features.contains(&ConformanceFeature::PathParamString)
244                        && !features.contains(&ConformanceFeature::PathParamInteger)
245                    {
246                        features.push(ConformanceFeature::PathParamString);
247                    }
248                }
249            }
250        }
251
252        // Detect request body features (resolves $ref)
253        let mut request_body_content_type = None;
254        let mut sample_body = None;
255
256        let resolved_body = op
257            .operation
258            .request_body
259            .as_ref()
260            .and_then(|b| ref_resolver::resolve_request_body(b, spec));
261
262        if let Some(body) = resolved_body {
263            for (content_type, _media) in &body.content {
264                match content_type.as_str() {
265                    "application/json" => {
266                        features.push(ConformanceFeature::BodyJson);
267                        request_body_content_type = Some("application/json".to_string());
268                        // Generate sample body from schema
269                        if let Ok(template) = RequestGenerator::generate_template(op) {
270                            if let Some(body_val) = &template.body {
271                                sample_body = Some(body_val.to_string());
272                            }
273                        }
274                    }
275                    "application/x-www-form-urlencoded" => {
276                        features.push(ConformanceFeature::BodyFormUrlencoded);
277                        request_body_content_type =
278                            Some("application/x-www-form-urlencoded".to_string());
279                    }
280                    "multipart/form-data" => {
281                        features.push(ConformanceFeature::BodyMultipart);
282                        request_body_content_type = Some("multipart/form-data".to_string());
283                    }
284                    _ => {}
285                }
286            }
287
288            // Detect schema features in request body (resolves $ref in schema)
289            if let Some(media) = body.content.get("application/json") {
290                if let Some(schema_ref) = &media.schema {
291                    if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
292                        Self::annotate_schema(schema, spec, &mut features);
293                    }
294                }
295            }
296        }
297
298        // Detect response code features
299        Self::annotate_responses(&op.operation, spec, &mut features);
300
301        // Extract response schema for validation (resolves $ref)
302        let response_schema = Self::extract_response_schema(&op.operation, spec);
303        if response_schema.is_some() {
304            features.push(ConformanceFeature::ResponseValidation);
305        }
306
307        // Detect content negotiation (response with multiple content types)
308        Self::annotate_content_negotiation(&op.operation, spec, &mut features);
309
310        // Detect security features and resolve scheme details
311        let mut security_schemes = Vec::new();
312        Self::annotate_security(
313            &op.operation,
314            spec,
315            &mut features,
316            &mut security_schemes,
317        );
318
319        // Deduplicate features
320        features.sort_by_key(|f| f.check_name());
321        features.dedup_by_key(|f| f.check_name());
322
323        AnnotatedOperation {
324            path: op.path.clone(),
325            method: op.method.to_uppercase(),
326            features,
327            request_body_content_type,
328            sample_body,
329            query_params,
330            header_params,
331            path_params,
332            response_schema,
333            security_schemes,
334        }
335    }
336
337    /// Annotate parameter features
338    fn annotate_parameter(
339        param: &Parameter,
340        spec: &OpenAPI,
341        features: &mut Vec<ConformanceFeature>,
342        query_params: &mut Vec<(String, String)>,
343        header_params: &mut Vec<(String, String)>,
344        path_params: &mut Vec<(String, String)>,
345    ) {
346        let (location, data) = match param {
347            Parameter::Query { parameter_data, .. } => ("query", parameter_data),
348            Parameter::Path { parameter_data, .. } => ("path", parameter_data),
349            Parameter::Header { parameter_data, .. } => ("header", parameter_data),
350            Parameter::Cookie { .. } => {
351                features.push(ConformanceFeature::CookieParam);
352                return;
353            }
354        };
355
356        // Detect type from schema
357        let is_integer = Self::param_schema_is_integer(data, spec);
358        let is_array = Self::param_schema_is_array(data, spec);
359
360        // Generate sample value
361        let sample = if is_integer {
362            "42".to_string()
363        } else if is_array {
364            "a,b".to_string()
365        } else {
366            "test-value".to_string()
367        };
368
369        match location {
370            "path" => {
371                if is_integer {
372                    features.push(ConformanceFeature::PathParamInteger);
373                } else {
374                    features.push(ConformanceFeature::PathParamString);
375                }
376                path_params.push((data.name.clone(), sample));
377            }
378            "query" => {
379                if is_array {
380                    features.push(ConformanceFeature::QueryParamArray);
381                } else if is_integer {
382                    features.push(ConformanceFeature::QueryParamInteger);
383                } else {
384                    features.push(ConformanceFeature::QueryParamString);
385                }
386                query_params.push((data.name.clone(), sample));
387            }
388            "header" => {
389                features.push(ConformanceFeature::HeaderParam);
390                header_params.push((data.name.clone(), sample));
391            }
392            _ => {}
393        }
394
395        // Check for constraint features on the parameter (resolves $ref)
396        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
397            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
398                Self::annotate_schema(schema, spec, features);
399            }
400        }
401
402        // Required/optional
403        if data.required {
404            features.push(ConformanceFeature::ConstraintRequired);
405        } else {
406            features.push(ConformanceFeature::ConstraintOptional);
407        }
408    }
409
410    fn param_schema_is_integer(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
411        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
412            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
413                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Integer(_)));
414            }
415        }
416        false
417    }
418
419    fn param_schema_is_array(data: &openapiv3::ParameterData, spec: &OpenAPI) -> bool {
420        if let ParameterSchemaOrContent::Schema(schema_ref) = &data.format {
421            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
422                return matches!(&schema.schema_kind, SchemaKind::Type(Type::Array(_)));
423            }
424        }
425        false
426    }
427
428    /// Annotate schema-level features (types, composition, formats, constraints)
429    fn annotate_schema(schema: &Schema, spec: &OpenAPI, features: &mut Vec<ConformanceFeature>) {
430        match &schema.schema_kind {
431            SchemaKind::Type(Type::String(s)) => {
432                features.push(ConformanceFeature::SchemaString);
433                // Check format
434                match &s.format {
435                    VariantOrUnknownOrEmpty::Item(StringFormat::Date) => {
436                        features.push(ConformanceFeature::FormatDate);
437                    }
438                    VariantOrUnknownOrEmpty::Item(StringFormat::DateTime) => {
439                        features.push(ConformanceFeature::FormatDateTime);
440                    }
441                    VariantOrUnknownOrEmpty::Unknown(fmt) => match fmt.as_str() {
442                        "email" => features.push(ConformanceFeature::FormatEmail),
443                        "uuid" => features.push(ConformanceFeature::FormatUuid),
444                        "uri" | "url" => features.push(ConformanceFeature::FormatUri),
445                        "ipv4" => features.push(ConformanceFeature::FormatIpv4),
446                        "ipv6" => features.push(ConformanceFeature::FormatIpv6),
447                        _ => {}
448                    },
449                    _ => {}
450                }
451                // Check constraints
452                if s.pattern.is_some() {
453                    features.push(ConformanceFeature::ConstraintPattern);
454                }
455                if !s.enumeration.is_empty() {
456                    features.push(ConformanceFeature::ConstraintEnum);
457                }
458                if s.min_length.is_some() || s.max_length.is_some() {
459                    features.push(ConformanceFeature::ConstraintMinMax);
460                }
461            }
462            SchemaKind::Type(Type::Integer(i)) => {
463                features.push(ConformanceFeature::SchemaInteger);
464                if i.minimum.is_some() || i.maximum.is_some() {
465                    features.push(ConformanceFeature::ConstraintMinMax);
466                }
467                if !i.enumeration.is_empty() {
468                    features.push(ConformanceFeature::ConstraintEnum);
469                }
470            }
471            SchemaKind::Type(Type::Number(n)) => {
472                features.push(ConformanceFeature::SchemaNumber);
473                if n.minimum.is_some() || n.maximum.is_some() {
474                    features.push(ConformanceFeature::ConstraintMinMax);
475                }
476            }
477            SchemaKind::Type(Type::Boolean(_)) => {
478                features.push(ConformanceFeature::SchemaBoolean);
479            }
480            SchemaKind::Type(Type::Array(arr)) => {
481                features.push(ConformanceFeature::SchemaArray);
482                if let Some(item_ref) = &arr.items {
483                    if let Some(item_schema) = ref_resolver::resolve_boxed_schema(item_ref, spec) {
484                        Self::annotate_schema(item_schema, spec, features);
485                    }
486                }
487            }
488            SchemaKind::Type(Type::Object(obj)) => {
489                features.push(ConformanceFeature::SchemaObject);
490                // Check required fields
491                if !obj.required.is_empty() {
492                    features.push(ConformanceFeature::ConstraintRequired);
493                }
494                // Walk properties (resolves $ref)
495                for (_name, prop_ref) in &obj.properties {
496                    if let Some(prop_schema) = ref_resolver::resolve_boxed_schema(prop_ref, spec) {
497                        Self::annotate_schema(prop_schema, spec, features);
498                    }
499                }
500            }
501            SchemaKind::OneOf { .. } => {
502                features.push(ConformanceFeature::CompositionOneOf);
503            }
504            SchemaKind::AnyOf { .. } => {
505                features.push(ConformanceFeature::CompositionAnyOf);
506            }
507            SchemaKind::AllOf { .. } => {
508                features.push(ConformanceFeature::CompositionAllOf);
509            }
510            _ => {}
511        }
512    }
513
514    /// Detect response code features (resolves $ref in responses)
515    fn annotate_responses(
516        operation: &Operation,
517        spec: &OpenAPI,
518        features: &mut Vec<ConformanceFeature>,
519    ) {
520        for (status_code, resp_ref) in &operation.responses.responses {
521            // Only count features for responses that actually resolve
522            if ref_resolver::resolve_response(resp_ref, spec).is_some() {
523                match status_code {
524                    openapiv3::StatusCode::Code(200) => {
525                        features.push(ConformanceFeature::Response200)
526                    }
527                    openapiv3::StatusCode::Code(201) => {
528                        features.push(ConformanceFeature::Response201)
529                    }
530                    openapiv3::StatusCode::Code(204) => {
531                        features.push(ConformanceFeature::Response204)
532                    }
533                    openapiv3::StatusCode::Code(400) => {
534                        features.push(ConformanceFeature::Response400)
535                    }
536                    openapiv3::StatusCode::Code(404) => {
537                        features.push(ConformanceFeature::Response404)
538                    }
539                    _ => {}
540                }
541            }
542        }
543    }
544
545    /// Extract the response schema for the primary success response (200 or 201)
546    /// Resolves $ref for both the response and the schema within it.
547    fn extract_response_schema(operation: &Operation, spec: &OpenAPI) -> Option<Schema> {
548        // Try 200 first, then 201
549        for code in [200u16, 201] {
550            if let Some(resp_ref) =
551                operation.responses.responses.get(&openapiv3::StatusCode::Code(code))
552            {
553                if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
554                    if let Some(media) = response.content.get("application/json") {
555                        if let Some(schema_ref) = &media.schema {
556                            if let Some(schema) = ref_resolver::resolve_schema(schema_ref, spec) {
557                                return Some(schema.clone());
558                            }
559                        }
560                    }
561                }
562            }
563        }
564        None
565    }
566
567    /// Detect content negotiation: response supports multiple content types
568    fn annotate_content_negotiation(
569        operation: &Operation,
570        spec: &OpenAPI,
571        features: &mut Vec<ConformanceFeature>,
572    ) {
573        for (_status_code, resp_ref) in &operation.responses.responses {
574            if let Some(response) = ref_resolver::resolve_response(resp_ref, spec) {
575                if response.content.len() > 1 {
576                    features.push(ConformanceFeature::ContentNegotiation);
577                    return; // Only need to detect once per operation
578                }
579            }
580        }
581    }
582
583    /// Detect security scheme features.
584    /// Checks operation-level security first, falling back to global security requirements.
585    /// Resolves scheme names against SecurityScheme definitions in components.
586    fn annotate_security(
587        operation: &Operation,
588        spec: &OpenAPI,
589        features: &mut Vec<ConformanceFeature>,
590        security_schemes: &mut Vec<SecuritySchemeInfo>,
591    ) {
592        // Use operation-level security if present, otherwise fall back to global
593        let security_reqs = operation.security.as_ref().or(spec.security.as_ref());
594
595        if let Some(security) = security_reqs {
596            for security_req in security {
597                for scheme_name in security_req.keys() {
598                    // Try to resolve the scheme from components for accurate type detection
599                    if let Some(resolved) = Self::resolve_security_scheme(scheme_name, spec) {
600                        match resolved {
601                            SecurityScheme::HTTP { ref scheme, .. } => {
602                                if scheme.eq_ignore_ascii_case("bearer") {
603                                    features.push(ConformanceFeature::SecurityBearer);
604                                    security_schemes.push(SecuritySchemeInfo::Bearer);
605                                } else if scheme.eq_ignore_ascii_case("basic") {
606                                    features.push(ConformanceFeature::SecurityBasic);
607                                    security_schemes.push(SecuritySchemeInfo::Basic);
608                                }
609                            }
610                            SecurityScheme::APIKey {
611                                location,
612                                name,
613                                ..
614                            } => {
615                                features.push(ConformanceFeature::SecurityApiKey);
616                                let loc = match location {
617                                    openapiv3::APIKeyLocation::Query => ApiKeyLocation::Query,
618                                    openapiv3::APIKeyLocation::Header => ApiKeyLocation::Header,
619                                    openapiv3::APIKeyLocation::Cookie => ApiKeyLocation::Cookie,
620                                };
621                                security_schemes.push(SecuritySchemeInfo::ApiKey {
622                                    location: loc,
623                                    name: name.clone(),
624                                });
625                            }
626                            // OAuth2 and OpenIDConnect don't map to our current feature set
627                            _ => {}
628                        }
629                    } else {
630                        // Fallback: heuristic name matching for unresolvable schemes
631                        let name_lower = scheme_name.to_lowercase();
632                        if name_lower.contains("bearer") || name_lower.contains("jwt") {
633                            features.push(ConformanceFeature::SecurityBearer);
634                            security_schemes.push(SecuritySchemeInfo::Bearer);
635                        } else if name_lower.contains("api") && name_lower.contains("key") {
636                            features.push(ConformanceFeature::SecurityApiKey);
637                            security_schemes.push(SecuritySchemeInfo::ApiKey {
638                                location: ApiKeyLocation::Header,
639                                name: "X-API-Key".to_string(),
640                            });
641                        } else if name_lower.contains("basic") {
642                            features.push(ConformanceFeature::SecurityBasic);
643                            security_schemes.push(SecuritySchemeInfo::Basic);
644                        }
645                    }
646                }
647            }
648        }
649    }
650
651    /// Resolve a security scheme name to its SecurityScheme definition
652    fn resolve_security_scheme<'a>(name: &str, spec: &'a OpenAPI) -> Option<&'a SecurityScheme> {
653        let components = spec.components.as_ref()?;
654        match components.security_schemes.get(name)? {
655            ReferenceOr::Item(scheme) => Some(scheme),
656            ReferenceOr::Reference { .. } => None,
657        }
658    }
659
660    /// Returns the number of operations being tested
661    pub fn operation_count(&self) -> usize {
662        self.operations.len()
663    }
664
665    /// Generate the k6 conformance script.
666    /// Returns (script, check_count) where check_count is the number of unique checks emitted.
667    pub fn generate(&self) -> Result<(String, usize)> {
668        let mut script = String::with_capacity(16384);
669
670        // Imports
671        script.push_str("import http from 'k6/http';\n");
672        script.push_str("import { check, group } from 'k6';\n\n");
673
674        // Options
675        script.push_str("export const options = {\n");
676        script.push_str("  vus: 1,\n");
677        script.push_str("  iterations: 1,\n");
678        if self.config.skip_tls_verify {
679            script.push_str("  insecureSkipTLSVerify: true,\n");
680        }
681        script.push_str("  thresholds: {\n");
682        script.push_str("    checks: ['rate>0'],\n");
683        script.push_str("  },\n");
684        script.push_str("};\n\n");
685
686        // Base URL (includes base_path if configured)
687        script.push_str(&format!("const BASE_URL = '{}';\n\n", self.config.effective_base_url()));
688        script.push_str("const JSON_HEADERS = { 'Content-Type': 'application/json' };\n\n");
689
690        // Failure detail collector — logs req/res info for failed checks via console.log
691        // (k6's handleSummary runs in a separate JS context, so we can't use module-level arrays)
692        script.push_str("function __captureFailure(checkName, res, expected) {\n");
693        script.push_str("  let bodyStr = '';\n");
694        script.push_str("  try { bodyStr = res.body ? res.body.substring(0, 2000) : ''; } catch(e) { bodyStr = '<unreadable>'; }\n");
695        script.push_str("  let reqHeaders = {};\n");
696        script.push_str(
697            "  if (res.request && res.request.headers) { reqHeaders = res.request.headers; }\n",
698        );
699        script.push_str("  let reqBody = '';\n");
700        script.push_str("  if (res.request && res.request.body) { try { reqBody = res.request.body.substring(0, 2000); } catch(e) {} }\n");
701        script.push_str("  console.log('MOCKFORGE_FAILURE:' + JSON.stringify({\n");
702        script.push_str("    check: checkName,\n");
703        script.push_str("    request: {\n");
704        script.push_str("      method: res.request ? res.request.method : 'unknown',\n");
705        script.push_str("      url: res.request ? res.request.url : res.url || 'unknown',\n");
706        script.push_str("      headers: reqHeaders,\n");
707        script.push_str("      body: reqBody,\n");
708        script.push_str("    },\n");
709        script.push_str("    response: {\n");
710        script.push_str("      status: res.status,\n");
711        script.push_str("      headers: res.headers ? Object.fromEntries(Object.entries(res.headers).slice(0, 20)) : {},\n");
712        script.push_str("      body: bodyStr,\n");
713        script.push_str("    },\n");
714        script.push_str("    expected: expected,\n");
715        script.push_str("  }));\n");
716        script.push_str("}\n\n");
717
718        // Default function
719        script.push_str("export default function () {\n");
720
721        if self.config.has_cookie_header() {
722            script.push_str(
723                "  // Clear cookie jar to prevent server Set-Cookie from duplicating custom Cookie header\n",
724            );
725            script.push_str("  http.cookieJar().clear(BASE_URL);\n\n");
726        }
727
728        // Group operations by category
729        let mut category_ops: std::collections::BTreeMap<
730            &'static str,
731            Vec<(&AnnotatedOperation, &ConformanceFeature)>,
732        > = std::collections::BTreeMap::new();
733
734        for op in &self.operations {
735            for feature in &op.features {
736                let category = feature.category();
737                if self.config.should_include_category(category) {
738                    category_ops.entry(category).or_default().push((op, feature));
739                }
740            }
741        }
742
743        // Emit grouped tests
744        let mut total_checks = 0usize;
745        for (category, ops) in &category_ops {
746            script.push_str(&format!("  group('{}', function () {{\n", category));
747
748            if self.config.all_operations {
749                // All-operations mode: test every operation, using path-qualified check names
750                let mut emitted_checks: HashSet<String> = HashSet::new();
751                for (op, feature) in ops {
752                    let qualified = format!("{}:{}", feature.check_name(), op.path);
753                    if emitted_checks.insert(qualified.clone()) {
754                        self.emit_check_named(&mut script, op, feature, &qualified);
755                        total_checks += 1;
756                    }
757                }
758            } else {
759                // Default: one representative operation per feature, with path-qualified
760                // check names so failures identify which endpoint was tested.
761                let mut emitted_features: HashSet<&str> = HashSet::new();
762                for (op, feature) in ops {
763                    if emitted_features.insert(feature.check_name()) {
764                        let qualified = format!("{}:{}", feature.check_name(), op.path);
765                        self.emit_check_named(&mut script, op, feature, &qualified);
766                        total_checks += 1;
767                    }
768                }
769            }
770
771            script.push_str("  });\n\n");
772        }
773
774        script.push_str("}\n\n");
775
776        // handleSummary
777        self.generate_handle_summary(&mut script);
778
779        Ok((script, total_checks))
780    }
781
782    /// Emit a single k6 check for an operation + feature with a custom check name
783    fn emit_check_named(
784        &self,
785        script: &mut String,
786        op: &AnnotatedOperation,
787        feature: &ConformanceFeature,
788        check_name: &str,
789    ) {
790        // Escape single quotes in check name since it's embedded in JS single-quoted strings
791        let check_name = check_name.replace('\'', "\\'");
792        let check_name = check_name.as_str();
793
794        script.push_str("    {\n");
795
796        // Build the URL path with parameters substituted
797        let mut url_path = op.path.clone();
798        for (name, value) in &op.path_params {
799            url_path = url_path.replace(&format!("{{{}}}", name), value);
800        }
801
802        // Build query string
803        if !op.query_params.is_empty() {
804            let qs: Vec<String> =
805                op.query_params.iter().map(|(k, v)| format!("{}={}", k, v)).collect();
806            url_path = format!("{}?{}", url_path, qs.join("&"));
807        }
808
809        let full_url = format!("${{BASE_URL}}{}", url_path);
810
811        // Build effective headers: merge spec-derived headers with custom headers.
812        // Custom headers override spec-derived ones with the same name.
813        let mut effective_headers = self.effective_headers(&op.header_params);
814
815        // For non-default response code checks, add header to tell the mock server
816        // which status code to return (the server defaults to the first declared status)
817        if matches!(feature, ConformanceFeature::Response400 | ConformanceFeature::Response404) {
818            let expected_code = match feature {
819                ConformanceFeature::Response400 => "400",
820                ConformanceFeature::Response404 => "404",
821                _ => unreachable!(),
822            };
823            effective_headers
824                .push(("X-Mockforge-Response-Status".to_string(), expected_code.to_string()));
825        }
826
827        // For security checks AND for all requests on endpoints with security requirements,
828        // inject auth credentials so the server doesn't reject with 401.
829        // Only inject if the user hasn't already provided the header via --custom-headers.
830        let needs_auth = matches!(
831            feature,
832            ConformanceFeature::SecurityBearer
833                | ConformanceFeature::SecurityBasic
834                | ConformanceFeature::SecurityApiKey
835        ) || !op.security_schemes.is_empty();
836
837        if needs_auth {
838            self.inject_security_headers(&op.security_schemes, &mut effective_headers);
839        }
840
841        let has_headers = !effective_headers.is_empty();
842        let headers_obj = if has_headers {
843            Self::format_headers(&effective_headers)
844        } else {
845            String::new()
846        };
847
848        // Determine HTTP method and emit request
849        match op.method.as_str() {
850            "GET" => {
851                if has_headers {
852                    script.push_str(&format!(
853                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
854                        full_url, headers_obj
855                    ));
856                } else {
857                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
858                }
859            }
860            "POST" => {
861                self.emit_request_with_body(script, "post", &full_url, op, &effective_headers);
862            }
863            "PUT" => {
864                self.emit_request_with_body(script, "put", &full_url, op, &effective_headers);
865            }
866            "PATCH" => {
867                self.emit_request_with_body(script, "patch", &full_url, op, &effective_headers);
868            }
869            "DELETE" => {
870                if has_headers {
871                    script.push_str(&format!(
872                        "      let res = http.del(`{}`, null, {{ headers: {} }});\n",
873                        full_url, headers_obj
874                    ));
875                } else {
876                    script.push_str(&format!("      let res = http.del(`{}`);\n", full_url));
877                }
878            }
879            "HEAD" => {
880                if has_headers {
881                    script.push_str(&format!(
882                        "      let res = http.head(`{}`, {{ headers: {} }});\n",
883                        full_url, headers_obj
884                    ));
885                } else {
886                    script.push_str(&format!("      let res = http.head(`{}`);\n", full_url));
887                }
888            }
889            "OPTIONS" => {
890                if has_headers {
891                    script.push_str(&format!(
892                        "      let res = http.options(`{}`, null, {{ headers: {} }});\n",
893                        full_url, headers_obj
894                    ));
895                } else {
896                    script.push_str(&format!("      let res = http.options(`{}`);\n", full_url));
897                }
898            }
899            _ => {
900                if has_headers {
901                    script.push_str(&format!(
902                        "      let res = http.get(`{}`, {{ headers: {} }});\n",
903                        full_url, headers_obj
904                    ));
905                } else {
906                    script.push_str(&format!("      let res = http.get(`{}`);\n", full_url));
907                }
908            }
909        }
910
911        // Check: emit assertion based on feature type, with failure detail capture
912        if matches!(
913            feature,
914            ConformanceFeature::Response200
915                | ConformanceFeature::Response201
916                | ConformanceFeature::Response204
917                | ConformanceFeature::Response400
918                | ConformanceFeature::Response404
919        ) {
920            let expected_code = match feature {
921                ConformanceFeature::Response200 => 200,
922                ConformanceFeature::Response201 => 201,
923                ConformanceFeature::Response204 => 204,
924                ConformanceFeature::Response400 => 400,
925                ConformanceFeature::Response404 => 404,
926                _ => 200,
927            };
928            script.push_str(&format!(
929                "      {{ let ok = check(res, {{ '{}': (r) => r.status === {} }}); if (!ok) __captureFailure('{}', res, 'status === {}'); }}\n",
930                check_name, expected_code, check_name, expected_code
931            ));
932        } else if matches!(feature, ConformanceFeature::ResponseValidation) {
933            // Response schema validation — validate the response body against the schema
934            if let Some(schema) = &op.response_schema {
935                let validation_js = SchemaValidatorGenerator::generate_validation(schema);
936                script.push_str(&format!(
937                    "      try {{ let body = res.json(); {{ let ok = check(res, {{ '{}': (r) => {{ {} }} }}); if (!ok) __captureFailure('{}', res, 'schema validation'); }} }} catch(e) {{ check(res, {{ '{}': () => false }}); __captureFailure('{}', res, 'JSON parse failed: ' + e.message); }}\n",
938                    check_name, validation_js, check_name, check_name, check_name
939                ));
940            }
941        } else if matches!(
942            feature,
943            ConformanceFeature::SecurityBearer
944                | ConformanceFeature::SecurityBasic
945                | ConformanceFeature::SecurityApiKey
946        ) {
947            // Security checks verify the server accepts the auth credentials (not 401/403)
948            script.push_str(&format!(
949                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 400 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 400 (auth accepted)'); }}\n",
950                check_name, check_name
951            ));
952        } else {
953            script.push_str(&format!(
954                "      {{ let ok = check(res, {{ '{}': (r) => r.status >= 200 && r.status < 500 }}); if (!ok) __captureFailure('{}', res, 'status >= 200 && status < 500'); }}\n",
955                check_name, check_name
956            ));
957        }
958
959        // Clear cookie jar after each request to prevent Set-Cookie leaking
960        let has_cookie = self.config.has_cookie_header()
961            || effective_headers.iter().any(|(h, _)| h.eq_ignore_ascii_case("Cookie"));
962        if has_cookie {
963            script.push_str("      http.cookieJar().clear(BASE_URL);\n");
964        }
965
966        script.push_str("    }\n");
967    }
968
969    /// Emit an HTTP request with a body
970    fn emit_request_with_body(
971        &self,
972        script: &mut String,
973        method: &str,
974        url: &str,
975        op: &AnnotatedOperation,
976        effective_headers: &[(String, String)],
977    ) {
978        if let Some(body) = &op.sample_body {
979            let escaped_body = body.replace('\'', "\\'");
980            let headers = if !effective_headers.is_empty() {
981                format!(
982                    "Object.assign({{}}, JSON_HEADERS, {})",
983                    Self::format_headers(effective_headers)
984                )
985            } else {
986                "JSON_HEADERS".to_string()
987            };
988            script.push_str(&format!(
989                "      let res = http.{}(`{}`, '{}', {{ headers: {} }});\n",
990                method, url, escaped_body, headers
991            ));
992        } else if !effective_headers.is_empty() {
993            script.push_str(&format!(
994                "      let res = http.{}(`{}`, null, {{ headers: {} }});\n",
995                method,
996                url,
997                Self::format_headers(effective_headers)
998            ));
999        } else {
1000            script.push_str(&format!("      let res = http.{}(`{}`, null);\n", method, url));
1001        }
1002    }
1003
1004    /// Build effective headers by merging spec-derived headers with custom headers.
1005    /// Custom headers override spec-derived ones with the same name (case-insensitive).
1006    /// Custom headers not in the spec are appended.
1007    fn effective_headers(&self, spec_headers: &[(String, String)]) -> Vec<(String, String)> {
1008        let custom = &self.config.custom_headers;
1009        if custom.is_empty() {
1010            return spec_headers.to_vec();
1011        }
1012
1013        let mut result: Vec<(String, String)> = Vec::new();
1014
1015        // Start with spec headers, replacing values if a custom header matches
1016        for (name, value) in spec_headers {
1017            if let Some((_, custom_val)) =
1018                custom.iter().find(|(cn, _)| cn.eq_ignore_ascii_case(name))
1019            {
1020                result.push((name.clone(), custom_val.clone()));
1021            } else {
1022                result.push((name.clone(), value.clone()));
1023            }
1024        }
1025
1026        // Append custom headers that aren't already in spec headers
1027        for (name, value) in custom {
1028            if !spec_headers.iter().any(|(sn, _)| sn.eq_ignore_ascii_case(name)) {
1029                result.push((name.clone(), value.clone()));
1030            }
1031        }
1032
1033        result
1034    }
1035
1036    /// Inject security headers based on resolved security scheme details.
1037    /// Respects user-provided custom headers (won't overwrite if already set).
1038    fn inject_security_headers(
1039        &self,
1040        schemes: &[SecuritySchemeInfo],
1041        headers: &mut Vec<(String, String)>,
1042    ) {
1043        let mut to_add: Vec<(String, String)> = Vec::new();
1044
1045        let has_header = |name: &str, headers: &[(String, String)]| {
1046            headers.iter().any(|(h, _)| h.eq_ignore_ascii_case(name))
1047                || self
1048                    .config
1049                    .custom_headers
1050                    .iter()
1051                    .any(|(h, _)| h.eq_ignore_ascii_case(name))
1052        };
1053
1054        for scheme in schemes {
1055            match scheme {
1056                SecuritySchemeInfo::Bearer => {
1057                    if !has_header("Authorization", headers) {
1058                        // MockForge mock server accepts any Bearer token
1059                        to_add.push((
1060                            "Authorization".to_string(),
1061                            "Bearer mockforge-conformance-test-token".to_string(),
1062                        ));
1063                    }
1064                }
1065                SecuritySchemeInfo::Basic => {
1066                    if !has_header("Authorization", headers) {
1067                        let creds = self.config.basic_auth.as_deref().unwrap_or("test:test");
1068                        use base64::Engine;
1069                        let encoded =
1070                            base64::engine::general_purpose::STANDARD.encode(creds.as_bytes());
1071                        to_add.push((
1072                            "Authorization".to_string(),
1073                            format!("Basic {}", encoded),
1074                        ));
1075                    }
1076                }
1077                SecuritySchemeInfo::ApiKey { location, name } => match location {
1078                    ApiKeyLocation::Header => {
1079                        if !has_header(name, headers) {
1080                            let key = self
1081                                .config
1082                                .api_key
1083                                .as_deref()
1084                                .unwrap_or("mockforge-conformance-test-key");
1085                            to_add.push((name.clone(), key.to_string()));
1086                        }
1087                    }
1088                    ApiKeyLocation::Cookie => {
1089                        if !has_header("Cookie", headers) {
1090                            to_add.push((
1091                                "Cookie".to_string(),
1092                                format!("{}=mockforge-conformance-test-session", name),
1093                            ));
1094                        }
1095                    }
1096                    ApiKeyLocation::Query => {
1097                        // Query params are handled via URL, not headers — skip here
1098                    }
1099                },
1100            }
1101        }
1102
1103        headers.extend(to_add);
1104    }
1105
1106    /// Format header params as a JS object literal
1107    fn format_headers(headers: &[(String, String)]) -> String {
1108        let entries: Vec<String> = headers
1109            .iter()
1110            .map(|(k, v)| format!("'{}': '{}'", k, v.replace('\'', "\\'")))
1111            .collect();
1112        format!("{{ {} }}", entries.join(", "))
1113    }
1114
1115    /// handleSummary — same format as reference mode for report compatibility
1116    fn generate_handle_summary(&self, script: &mut String) {
1117        // Use absolute path for report output so k6 writes where the CLI expects
1118        let report_path = match &self.config.output_dir {
1119            Some(dir) => {
1120                let abs = std::fs::canonicalize(dir)
1121                    .unwrap_or_else(|_| dir.clone())
1122                    .join("conformance-report.json");
1123                abs.to_string_lossy().to_string()
1124            }
1125            None => "conformance-report.json".to_string(),
1126        };
1127
1128        script.push_str("export function handleSummary(data) {\n");
1129        script.push_str("  let checks = {};\n");
1130        script.push_str("  if (data.metrics && data.metrics.checks) {\n");
1131        script.push_str("    checks.overall_pass_rate = data.metrics.checks.values.rate;\n");
1132        script.push_str("  }\n");
1133        script.push_str("  let checkResults = {};\n");
1134        script.push_str("  function walkGroups(group) {\n");
1135        script.push_str("    if (group.checks) {\n");
1136        script.push_str("      for (let checkObj of group.checks) {\n");
1137        script.push_str("        checkResults[checkObj.name] = {\n");
1138        script.push_str("          passes: checkObj.passes,\n");
1139        script.push_str("          fails: checkObj.fails,\n");
1140        script.push_str("        };\n");
1141        script.push_str("      }\n");
1142        script.push_str("    }\n");
1143        script.push_str("    if (group.groups) {\n");
1144        script.push_str("      for (let subGroup of group.groups) {\n");
1145        script.push_str("        walkGroups(subGroup);\n");
1146        script.push_str("      }\n");
1147        script.push_str("    }\n");
1148        script.push_str("  }\n");
1149        script.push_str("  if (data.root_group) {\n");
1150        script.push_str("    walkGroups(data.root_group);\n");
1151        script.push_str("  }\n");
1152        script.push_str("  return {\n");
1153        script.push_str(&format!(
1154            "    '{}': JSON.stringify({{ checks: checkResults, overall: checks }}, null, 2),\n",
1155            report_path
1156        ));
1157        script.push_str("    stdout: textSummary(data, { indent: '  ', enableColors: true }),\n");
1158        script.push_str("  };\n");
1159        script.push_str("}\n\n");
1160        script.push_str("function textSummary(data, opts) {\n");
1161        script.push_str("  return JSON.stringify(data, null, 2);\n");
1162        script.push_str("}\n");
1163    }
1164}
1165
1166#[cfg(test)]
1167mod tests {
1168    use super::*;
1169    use openapiv3::{
1170        Operation, ParameterData, ParameterSchemaOrContent, PathStyle, Response, Schema,
1171        SchemaData, SchemaKind, StringType, Type,
1172    };
1173
1174    fn make_op(method: &str, path: &str, operation: Operation) -> ApiOperation {
1175        ApiOperation {
1176            method: method.to_string(),
1177            path: path.to_string(),
1178            operation,
1179            operation_id: None,
1180        }
1181    }
1182
1183    fn empty_spec() -> OpenAPI {
1184        OpenAPI::default()
1185    }
1186
1187    #[test]
1188    fn test_annotate_get_with_path_param() {
1189        let mut op = Operation::default();
1190        op.parameters.push(ReferenceOr::Item(Parameter::Path {
1191            parameter_data: ParameterData {
1192                name: "id".to_string(),
1193                description: None,
1194                required: true,
1195                deprecated: None,
1196                format: ParameterSchemaOrContent::Schema(ReferenceOr::Item(Schema {
1197                    schema_data: SchemaData::default(),
1198                    schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1199                })),
1200                example: None,
1201                examples: Default::default(),
1202                explode: None,
1203                extensions: Default::default(),
1204            },
1205            style: PathStyle::Simple,
1206        }));
1207
1208        let api_op = make_op("get", "/users/{id}", op);
1209        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1210
1211        assert!(annotated.features.contains(&ConformanceFeature::MethodGet));
1212        assert!(annotated.features.contains(&ConformanceFeature::PathParamString));
1213        assert!(annotated.features.contains(&ConformanceFeature::ConstraintRequired));
1214        assert_eq!(annotated.path_params.len(), 1);
1215        assert_eq!(annotated.path_params[0].0, "id");
1216    }
1217
1218    #[test]
1219    fn test_annotate_post_with_json_body() {
1220        let mut op = Operation::default();
1221        let mut body = openapiv3::RequestBody {
1222            required: true,
1223            ..Default::default()
1224        };
1225        body.content
1226            .insert("application/json".to_string(), openapiv3::MediaType::default());
1227        op.request_body = Some(ReferenceOr::Item(body));
1228
1229        let api_op = make_op("post", "/items", op);
1230        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1231
1232        assert!(annotated.features.contains(&ConformanceFeature::MethodPost));
1233        assert!(annotated.features.contains(&ConformanceFeature::BodyJson));
1234    }
1235
1236    #[test]
1237    fn test_annotate_response_codes() {
1238        let mut op = Operation::default();
1239        op.responses
1240            .responses
1241            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(Response::default()));
1242        op.responses
1243            .responses
1244            .insert(openapiv3::StatusCode::Code(404), ReferenceOr::Item(Response::default()));
1245
1246        let api_op = make_op("get", "/items", op);
1247        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1248
1249        assert!(annotated.features.contains(&ConformanceFeature::Response200));
1250        assert!(annotated.features.contains(&ConformanceFeature::Response404));
1251    }
1252
1253    #[test]
1254    fn test_generate_spec_driven_script() {
1255        let config = ConformanceConfig {
1256            target_url: "http://localhost:3000".to_string(),
1257            api_key: None,
1258            basic_auth: None,
1259            skip_tls_verify: false,
1260            categories: None,
1261            base_path: None,
1262            custom_headers: vec![],
1263            output_dir: None,
1264            all_operations: false,
1265        };
1266
1267        let operations = vec![AnnotatedOperation {
1268            path: "/users/{id}".to_string(),
1269            method: "GET".to_string(),
1270            features: vec![
1271                ConformanceFeature::MethodGet,
1272                ConformanceFeature::PathParamString,
1273            ],
1274            request_body_content_type: None,
1275            sample_body: None,
1276            query_params: vec![],
1277            header_params: vec![],
1278            path_params: vec![("id".to_string(), "test-value".to_string())],
1279            response_schema: None,
1280            security_schemes: vec![],
1281        }];
1282
1283        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1284        let (script, _check_count) = gen.generate().unwrap();
1285
1286        assert!(script.contains("import http from 'k6/http'"));
1287        assert!(script.contains("/users/test-value"));
1288        assert!(script.contains("param:path:string"));
1289        assert!(script.contains("method:GET"));
1290        assert!(script.contains("handleSummary"));
1291    }
1292
1293    #[test]
1294    fn test_generate_with_category_filter() {
1295        let config = ConformanceConfig {
1296            target_url: "http://localhost:3000".to_string(),
1297            api_key: None,
1298            basic_auth: None,
1299            skip_tls_verify: false,
1300            categories: Some(vec!["Parameters".to_string()]),
1301            base_path: None,
1302            custom_headers: vec![],
1303            output_dir: None,
1304            all_operations: false,
1305        };
1306
1307        let operations = vec![AnnotatedOperation {
1308            path: "/users/{id}".to_string(),
1309            method: "GET".to_string(),
1310            features: vec![
1311                ConformanceFeature::MethodGet,
1312                ConformanceFeature::PathParamString,
1313            ],
1314            request_body_content_type: None,
1315            sample_body: None,
1316            query_params: vec![],
1317            header_params: vec![],
1318            path_params: vec![("id".to_string(), "1".to_string())],
1319            response_schema: None,
1320            security_schemes: vec![],
1321        }];
1322
1323        let gen = SpecDrivenConformanceGenerator::new(config, operations);
1324        let (script, _check_count) = gen.generate().unwrap();
1325
1326        assert!(script.contains("group('Parameters'"));
1327        assert!(!script.contains("group('HTTP Methods'"));
1328    }
1329
1330    #[test]
1331    fn test_annotate_response_validation() {
1332        use openapiv3::ObjectType;
1333
1334        // Operation with a 200 response that has a JSON schema
1335        let mut op = Operation::default();
1336        let mut response = Response::default();
1337        let mut media = openapiv3::MediaType::default();
1338        let mut obj_type = ObjectType::default();
1339        obj_type.properties.insert(
1340            "name".to_string(),
1341            ReferenceOr::Item(Box::new(Schema {
1342                schema_data: SchemaData::default(),
1343                schema_kind: SchemaKind::Type(Type::String(StringType::default())),
1344            })),
1345        );
1346        obj_type.required = vec!["name".to_string()];
1347        media.schema = Some(ReferenceOr::Item(Schema {
1348            schema_data: SchemaData::default(),
1349            schema_kind: SchemaKind::Type(Type::Object(obj_type)),
1350        }));
1351        response.content.insert("application/json".to_string(), media);
1352        op.responses
1353            .responses
1354            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1355
1356        let api_op = make_op("get", "/users", op);
1357        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1358
1359        assert!(
1360            annotated.features.contains(&ConformanceFeature::ResponseValidation),
1361            "Should detect ResponseValidation when response has a JSON schema"
1362        );
1363        assert!(annotated.response_schema.is_some(), "Should extract the response schema");
1364
1365        // Verify generated script includes schema validation with try-catch
1366        let config = ConformanceConfig {
1367            target_url: "http://localhost:3000".to_string(),
1368            api_key: None,
1369            basic_auth: None,
1370            skip_tls_verify: false,
1371            categories: None,
1372            base_path: None,
1373            custom_headers: vec![],
1374            output_dir: None,
1375            all_operations: false,
1376        };
1377        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1378        let (script, _check_count) = gen.generate().unwrap();
1379
1380        assert!(
1381            script.contains("response:schema:validation"),
1382            "Script should contain the validation check name"
1383        );
1384        assert!(script.contains("try {"), "Script should wrap validation in try-catch");
1385        assert!(script.contains("res.json()"), "Script should parse response as JSON");
1386    }
1387
1388    #[test]
1389    fn test_annotate_global_security() {
1390        // Spec with global security requirement, operation without its own security
1391        let op = Operation::default();
1392        let mut spec = OpenAPI::default();
1393        let mut global_req = openapiv3::SecurityRequirement::new();
1394        global_req.insert("bearerAuth".to_string(), vec![]);
1395        spec.security = Some(vec![global_req]);
1396        // Define the security scheme in components
1397        let mut components = openapiv3::Components::default();
1398        components.security_schemes.insert(
1399            "bearerAuth".to_string(),
1400            ReferenceOr::Item(SecurityScheme::HTTP {
1401                scheme: "bearer".to_string(),
1402                bearer_format: Some("JWT".to_string()),
1403                description: None,
1404                extensions: Default::default(),
1405            }),
1406        );
1407        spec.components = Some(components);
1408
1409        let api_op = make_op("get", "/protected", op);
1410        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1411
1412        assert!(
1413            annotated.features.contains(&ConformanceFeature::SecurityBearer),
1414            "Should detect SecurityBearer from global security + components"
1415        );
1416    }
1417
1418    #[test]
1419    fn test_annotate_security_scheme_resolution() {
1420        // Test that security scheme type is resolved from components, not just name heuristic
1421        let mut op = Operation::default();
1422        // Use a generic name that wouldn't match name heuristics
1423        let mut req = openapiv3::SecurityRequirement::new();
1424        req.insert("myAuth".to_string(), vec![]);
1425        op.security = Some(vec![req]);
1426
1427        let mut spec = OpenAPI::default();
1428        let mut components = openapiv3::Components::default();
1429        components.security_schemes.insert(
1430            "myAuth".to_string(),
1431            ReferenceOr::Item(SecurityScheme::APIKey {
1432                location: openapiv3::APIKeyLocation::Header,
1433                name: "X-API-Key".to_string(),
1434                description: None,
1435                extensions: Default::default(),
1436            }),
1437        );
1438        spec.components = Some(components);
1439
1440        let api_op = make_op("get", "/data", op);
1441        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &spec);
1442
1443        assert!(
1444            annotated.features.contains(&ConformanceFeature::SecurityApiKey),
1445            "Should detect SecurityApiKey from SecurityScheme::APIKey, not name heuristic"
1446        );
1447    }
1448
1449    #[test]
1450    fn test_annotate_content_negotiation() {
1451        let mut op = Operation::default();
1452        let mut response = Response::default();
1453        // Response with multiple content types
1454        response
1455            .content
1456            .insert("application/json".to_string(), openapiv3::MediaType::default());
1457        response
1458            .content
1459            .insert("application/xml".to_string(), openapiv3::MediaType::default());
1460        op.responses
1461            .responses
1462            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1463
1464        let api_op = make_op("get", "/items", op);
1465        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1466
1467        assert!(
1468            annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1469            "Should detect ContentNegotiation when response has multiple content types"
1470        );
1471    }
1472
1473    #[test]
1474    fn test_no_content_negotiation_for_single_type() {
1475        let mut op = Operation::default();
1476        let mut response = Response::default();
1477        response
1478            .content
1479            .insert("application/json".to_string(), openapiv3::MediaType::default());
1480        op.responses
1481            .responses
1482            .insert(openapiv3::StatusCode::Code(200), ReferenceOr::Item(response));
1483
1484        let api_op = make_op("get", "/items", op);
1485        let annotated = SpecDrivenConformanceGenerator::annotate_operation(&api_op, &empty_spec());
1486
1487        assert!(
1488            !annotated.features.contains(&ConformanceFeature::ContentNegotiation),
1489            "Should NOT detect ContentNegotiation for a single content type"
1490        );
1491    }
1492
1493    #[test]
1494    fn test_spec_driven_with_base_path() {
1495        let annotated = AnnotatedOperation {
1496            path: "/users".to_string(),
1497            method: "GET".to_string(),
1498            features: vec![ConformanceFeature::MethodGet],
1499            path_params: vec![],
1500            query_params: vec![],
1501            header_params: vec![],
1502            request_body_content_type: None,
1503            sample_body: None,
1504            response_schema: None,
1505            security_schemes: vec![],
1506        };
1507        let config = ConformanceConfig {
1508            target_url: "https://192.168.2.86/".to_string(),
1509            api_key: None,
1510            basic_auth: None,
1511            skip_tls_verify: true,
1512            categories: None,
1513            base_path: Some("/api".to_string()),
1514            custom_headers: vec![],
1515            output_dir: None,
1516            all_operations: false,
1517        };
1518        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1519        let (script, _check_count) = gen.generate().unwrap();
1520
1521        assert!(
1522            script.contains("const BASE_URL = 'https://192.168.2.86/api'"),
1523            "BASE_URL should include the base_path. Got: {}",
1524            script.lines().find(|l| l.contains("BASE_URL")).unwrap_or("not found")
1525        );
1526    }
1527
1528    #[test]
1529    fn test_spec_driven_with_custom_headers() {
1530        let annotated = AnnotatedOperation {
1531            path: "/users".to_string(),
1532            method: "GET".to_string(),
1533            features: vec![ConformanceFeature::MethodGet],
1534            path_params: vec![],
1535            query_params: vec![],
1536            header_params: vec![
1537                ("X-Avi-Tenant".to_string(), "test-value".to_string()),
1538                ("X-CSRFToken".to_string(), "test-value".to_string()),
1539            ],
1540            request_body_content_type: None,
1541            sample_body: None,
1542            response_schema: None,
1543            security_schemes: vec![],
1544        };
1545        let config = ConformanceConfig {
1546            target_url: "https://192.168.2.86/".to_string(),
1547            api_key: None,
1548            basic_auth: None,
1549            skip_tls_verify: true,
1550            categories: None,
1551            base_path: Some("/api".to_string()),
1552            custom_headers: vec![
1553                ("X-Avi-Tenant".to_string(), "admin".to_string()),
1554                ("X-CSRFToken".to_string(), "real-csrf-token".to_string()),
1555                ("Cookie".to_string(), "sessionid=abc123".to_string()),
1556            ],
1557            output_dir: None,
1558            all_operations: false,
1559        };
1560        let gen = SpecDrivenConformanceGenerator::new(config, vec![annotated]);
1561        let (script, _check_count) = gen.generate().unwrap();
1562
1563        // Custom headers should override spec-derived test-value placeholders
1564        assert!(
1565            script.contains("'X-Avi-Tenant': 'admin'"),
1566            "Should use custom value for X-Avi-Tenant, not test-value"
1567        );
1568        assert!(
1569            script.contains("'X-CSRFToken': 'real-csrf-token'"),
1570            "Should use custom value for X-CSRFToken, not test-value"
1571        );
1572        // Custom headers not in spec should be appended
1573        assert!(
1574            script.contains("'Cookie': 'sessionid=abc123'"),
1575            "Should include Cookie header from custom_headers"
1576        );
1577        // test-value should NOT appear
1578        assert!(
1579            !script.contains("'test-value'"),
1580            "test-value placeholders should be replaced by custom values"
1581        );
1582    }
1583
1584    #[test]
1585    fn test_effective_headers_merging() {
1586        let config = ConformanceConfig {
1587            target_url: "http://localhost".to_string(),
1588            api_key: None,
1589            basic_auth: None,
1590            skip_tls_verify: false,
1591            categories: None,
1592            base_path: None,
1593            custom_headers: vec![
1594                ("X-Auth".to_string(), "real-token".to_string()),
1595                ("Cookie".to_string(), "session=abc".to_string()),
1596            ],
1597            output_dir: None,
1598            all_operations: false,
1599        };
1600        let gen = SpecDrivenConformanceGenerator::new(config, vec![]);
1601
1602        // Spec headers with a matching custom header
1603        let spec_headers = vec![
1604            ("X-Auth".to_string(), "test-value".to_string()),
1605            ("X-Other".to_string(), "keep-this".to_string()),
1606        ];
1607        let effective = gen.effective_headers(&spec_headers);
1608
1609        // X-Auth should be overridden
1610        assert_eq!(effective[0], ("X-Auth".to_string(), "real-token".to_string()));
1611        // X-Other should be kept as-is
1612        assert_eq!(effective[1], ("X-Other".to_string(), "keep-this".to_string()));
1613        // Cookie should be appended
1614        assert_eq!(effective[2], ("Cookie".to_string(), "session=abc".to_string()));
1615    }
1616}