tryaudex_core/

broker.rs

use std::collections::HashMap;
use std::time::Duration;

use serde::{Deserialize, Serialize};

use crate::error::{AvError, Result};
use crate::server::{CredentialRequest, CredentialResponse};

/// Broker client configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BrokerConfig {
    /// Audex server URL (e.g. "http://localhost:8080")
    pub url: String,
    /// API key for authentication
    pub api_key: Option<String>,
    /// Request timeout in seconds (default: 30)
    #[serde(default = "default_timeout")]
    pub timeout: u64,
    /// Default provider for requests
    pub default_provider: Option<String>,
    /// Default role ARN for requests
    pub default_role_arn: Option<String>,
}

fn default_timeout() -> u64 {
    30
}

impl Default for BrokerConfig {
    fn default() -> Self {
        Self {
            url: "http://localhost:8080".to_string(),
            api_key: None,
            timeout: default_timeout(),
            default_provider: None,
            default_role_arn: None,
        }
    }
}

/// Batch credential request — issue multiple scoped credentials in one call.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchCredentialRequest {
    pub requests: Vec<CredentialRequest>,
}

/// Batch credential response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchCredentialResponse {
    pub results: Vec<BatchResultItem>,
    pub total: usize,
    pub succeeded: usize,
    pub failed: usize,
}

/// Individual result in a batch response.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BatchResultItem {
    pub index: usize,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub credentials: Option<CredentialResponse>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub error: Option<String>,
}

/// Token exchange request — exchange a short-lived broker token for credentials.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenExchangeRequest {
    /// Broker-issued token
    pub token: String,
}

/// Broker token — a short-lived, single-use token that can be exchanged for credentials.
/// Useful for passing to subprocesses without exposing the API key.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BrokerToken {
    pub token: String,
    pub expires_at: String,
    /// The pre-configured credential request bound to this token.
    pub request: CredentialRequest,
}

/// Credential revocation request.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RevokeRequest {
    pub session_id: String,
    pub reason: Option<String>,
}

/// Broker API client for programmatic credential requests.
pub struct BrokerClient {
    config: BrokerConfig,
}

impl BrokerClient {
    pub fn new(config: BrokerConfig) -> Self {
        Self { config }
    }

    /// Create from environment variables.
    /// Reads AUDEX_BROKER_URL and AUDEX_BROKER_API_KEY.
    pub fn from_env() -> Result<Self> {
        let url = std::env::var("AUDEX_BROKER_URL")
            .unwrap_or_else(|_| "http://localhost:8080".to_string());
        let api_key = std::env::var("AUDEX_BROKER_API_KEY").ok();
        Ok(Self::new(BrokerConfig {
            url,
            api_key,
            ..Default::default()
        }))
    }

    /// Request scoped credentials from the broker.
    pub async fn get_credentials(&self, request: &CredentialRequest) -> Result<CredentialResponse> {
        let url = format!("{}/v1/credentials", self.config.url);
        let body = serde_json::to_string(request)
            .map_err(|e| AvError::Sts(format!("Failed to serialize request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse credential response: {}", e)))
    }

    /// Request credentials with simple parameters (convenience method).
    pub async fn get_credentials_simple(
        &self,
        allow: &str,
        ttl: &str,
    ) -> Result<CredentialResponse> {
        let request = CredentialRequest {
            allow: Some(allow.to_string()),
            profile: None,
            resource: None,
            provider: self
                .config
                .default_provider
                .clone()
                .unwrap_or_else(|| "aws".to_string()),
            ttl: ttl.to_string(),
            role_arn: self.config.default_role_arn.clone(),
            command: vec![],
            agent_id: std::env::var("AUDEX_AGENT_ID").ok(),
        };
        self.get_credentials(&request).await
    }

    /// Batch request — issue multiple credentials in one API call.
    pub async fn batch_credentials(
        &self,
        requests: Vec<CredentialRequest>,
    ) -> Result<BatchCredentialResponse> {
        let url = format!("{}/v1/credentials/batch", self.config.url);
        let batch = BatchCredentialRequest { requests };
        let body = serde_json::to_string(&batch)
            .map_err(|e| AvError::Sts(format!("Failed to serialize batch request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse batch response: {}", e)))
    }

    /// Create a broker token — a single-use token that can be exchanged for credentials.
    /// Useful for passing to untrusted subprocesses.
    pub async fn create_token(&self, request: &CredentialRequest) -> Result<BrokerToken> {
        let url = format!("{}/v1/tokens", self.config.url);
        let body = serde_json::to_string(request)
            .map_err(|e| AvError::Sts(format!("Failed to serialize token request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse token response: {}", e)))
    }

    /// Exchange a broker token for credentials.
    pub async fn exchange_token(&self, token: &str) -> Result<CredentialResponse> {
        let url = format!("{}/v1/tokens/exchange", self.config.url);
        let req = TokenExchangeRequest {
            token: token.to_string(),
        };
        let body = serde_json::to_string(&req)
            .map_err(|e| AvError::Sts(format!("Failed to serialize exchange request: {}", e)))?;

        let response = self.http_post(&url, &body).await?;
        serde_json::from_str(&response)
            .map_err(|e| AvError::Sts(format!("Failed to parse exchange response: {}", e)))
    }

    /// Revoke a session's credentials.
    pub async fn revoke(&self, session_id: &str, reason: Option<&str>) -> Result<()> {
        crate::validate::session_id(session_id)?;
        let url = format!("{}/v1/sessions/{}/revoke", self.config.url, session_id);
        let req = RevokeRequest {
            session_id: session_id.to_string(),
            reason: reason.map(|r| r.to_string()),
        };
        let body = serde_json::to_string(&req)
            .map_err(|e| AvError::Sts(format!("Failed to serialize revoke request: {}", e)))?;

        self.http_post(&url, &body).await?;
        Ok(())
    }

    /// List active sessions from the broker.
    pub async fn list_sessions(&self) -> Result<String> {
        let url = format!("{}/v1/sessions", self.config.url);
        self.http_get(&url).await
    }

    /// Get server health status.
    pub async fn health(&self) -> Result<String> {
        let url = format!("{}/v1/health", self.config.url);
        self.http_get(&url).await
    }

    /// Make an HTTP POST request to the broker.
    async fn http_post(&self, url: &str, body: &str) -> Result<String> {
        self.http_request("POST", url, Some(body)).await
    }

    /// Make an HTTP GET request to the broker.
    async fn http_get(&self, url: &str) -> Result<String> {
        self.http_request("GET", url, None).await
    }

    /// Shared async HTTP client. Uses tokio::net::TcpStream so the executor
    /// is not blocked by the socket reads/writes, and wraps the whole
    /// exchange in a `tokio::time::timeout` to enforce the configured
    /// request deadline (std::net::TcpStream's set_read/write_timeout is
    /// a no-op inside async code, so the previous implementation had no
    /// effective timeout at all).
    async fn http_request(&self, method: &str, url: &str, body: Option<&str>) -> Result<String> {
        use tokio::io::{AsyncReadExt, AsyncWriteExt};

        let parsed = parse_url(url)?;

        // R6-M42: validate header values for CRLF so a malicious api_key
        // or AUDEX_AGENT_ID env var cannot inject additional HTTP headers
        // or smuggle a second request into the broker connection.
        let api_key = match &self.config.api_key {
            Some(k) => {
                validate_header_value("api_key", k)?;
                Some(k.clone())
            }
            None => None,
        };
        let agent_id = std::env::var("AUDEX_AGENT_ID").ok();
        if let Some(ref a) = agent_id {
            validate_header_value("AUDEX_AGENT_ID", a)?;
        }

        let mut request = String::new();
        request.push_str(&format!("{} {} HTTP/1.1\r\n", method, parsed.path));
        // IPv6 hosts must be bracketed in the Host header per RFC 7230.
        request.push_str(&format!("Host: {}\r\n", parsed.host_header));
        request.push_str("Connection: close\r\n");
        if let Some(b) = body {
            request.push_str("Content-Type: application/json\r\n");
            request.push_str(&format!("Content-Length: {}\r\n", b.len()));
        }
        if let Some(ref key) = api_key {
            request.push_str(&format!("Authorization: Bearer {}\r\n", key));
        }
        if let Some(ref a) = agent_id {
            request.push_str(&format!("X-Audex-Agent-Id: {}\r\n", a));
        }
        request.push_str("\r\n");
        if let Some(b) = body {
            request.push_str(b);
        }

        let deadline = Duration::from_secs(self.config.timeout);
        let exchange = async {
            let mut stream =
                tokio::net::TcpStream::connect(format!("{}:{}", parsed.connect_host, parsed.port))
                    .await
                    .map_err(|e| {
                        AvError::Sts(format!("Failed to connect to broker at {}: {}", url, e))
                    })?;

            stream
                .write_all(request.as_bytes())
                .await
                .map_err(|e| AvError::Sts(format!("Failed to send broker request: {}", e)))?;

            // R6-M43: bounded async read. `.take(2 MiB)` on tokio's
            // AsyncReadExt caps total bytes read from the socket so a
            // hostile/misbehaving server can't stream unbounded data into
            // the client.
            let mut response = Vec::new();
            let mut limited = stream.take(2 * 1024 * 1024);
            limited
                .read_to_end(&mut response)
                .await
                .map_err(|e| AvError::Sts(format!("Failed to read broker response: {}", e)))?;
            let response = String::from_utf8_lossy(&response).into_owned();
            extract_http_body(&response)
        };

        tokio::time::timeout(deadline, exchange)
            .await
            .map_err(|_| {
                AvError::Sts(format!(
                    "Broker request timed out after {}s",
                    deadline.as_secs()
                ))
            })?
    }
}

/// Reject header values containing CR, LF, or NUL to prevent header
/// injection (CRLF smuggling) via untrusted config values and env vars.
fn validate_header_value(name: &str, value: &str) -> Result<()> {
    if value.bytes().any(|b| b == b'\r' || b == b'\n' || b == 0) {
        return Err(AvError::InvalidPolicy(format!(
            "Broker header value for `{}` contains forbidden characters (CR/LF/NUL)",
            name
        )));
    }
    Ok(())
}

#[derive(Debug)]
struct ParsedUrl {
    /// Host suitable for logging and loopback comparison (no brackets for IPv6).
    #[allow(dead_code)] // read by unit tests
    host: String,
    /// Host for use in the HTTP Host header (brackets kept for IPv6).
    host_header: String,
    /// Host for tokio::net::TcpStream::connect (brackets kept for IPv6).
    connect_host: String,
    port: u16,
    path: String,
}

fn parse_url(url: &str) -> Result<ParsedUrl> {
    use std::net::IpAddr;
    use std::str::FromStr;

    // Reject HTTPS URLs — the broker client uses plain TCP and cannot
    // provide TLS. An HTTPS URL would send credentials in cleartext.
    if url.starts_with("https://") {
        return Err(AvError::InvalidPolicy(
            "Broker client does not support HTTPS. Use http:// or place the broker \
             behind a TLS-terminating reverse proxy."
                .to_string(),
        ));
    }

    let without_scheme = url.strip_prefix("http://").ok_or_else(|| {
        AvError::InvalidPolicy(format!("Invalid broker URL (expected http://): {}", url))
    })?;

    let default_port: u16 = 8080;

    let (host_port, path) = match without_scheme.find('/') {
        Some(idx) => (&without_scheme[..idx], &without_scheme[idx..]),
        None => (without_scheme, "/"),
    };

    // R6-M44: parse IPv6 bracketed hosts correctly. The previous
    // `rfind(':')` incorrectly split `[::1]` on the inner colon, producing
    // a host of `[:` and a port of `:1]` that would silently default to
    // 8080. Strictly split on the `]:` boundary for bracketed hosts.
    let (raw_host, port_str): (&str, Option<&str>) = if let Some(rest) = host_port.strip_prefix('[')
    {
        match rest.find(']') {
            Some(end) => {
                let host = &rest[..end];
                let after = &rest[end + 1..];
                let port = if after.is_empty() {
                    None
                } else if let Some(p) = after.strip_prefix(':') {
                    Some(p)
                } else {
                    return Err(AvError::InvalidPolicy(format!(
                        "Broker URL has malformed IPv6 host: {}",
                        url
                    )));
                };
                (host, port)
            }
            None => {
                return Err(AvError::InvalidPolicy(format!(
                    "Broker URL has unterminated IPv6 bracket: {}",
                    url
                )));
            }
        }
    } else {
        match host_port.rfind(':') {
            Some(idx) => (&host_port[..idx], Some(&host_port[idx + 1..])),
            None => (host_port, None),
        }
    };

    // R6-M45: fail loudly on unparseable ports instead of silently using
    // the default. A typo like `http://localhost:abcd` previously landed
    // on port 8080 without warning, which could mask misconfiguration or
    // (worse) route traffic to the wrong service.
    let port = match port_str {
        Some(s) => s.parse::<u16>().map_err(|_| {
            AvError::InvalidPolicy(format!("Broker URL has invalid port `{}` in {}", s, url))
        })?,
        None => default_port,
    };

    if raw_host.is_empty() {
        return Err(AvError::InvalidPolicy(format!(
            "Broker URL has empty host: {}",
            url
        )));
    }

    // R6-M46: use proper IP parsing for the loopback check.  The previous
    // string-literal allowlist rejected every loopback address other
    // than `127.0.0.1`/`::1`/`localhost`, while also accepting `0.0.0.0`
    // and similar addresses if someone shoehorned a literal into the
    // list by mistake.  Use IpAddr::is_loopback for IP literals, and
    // only treat the bareword `localhost` as loopback among hostnames.
    let is_loopback = if let Ok(ip) = IpAddr::from_str(raw_host) {
        ip.is_loopback()
    } else {
        raw_host.eq_ignore_ascii_case("localhost")
    };
    if !is_loopback {
        return Err(AvError::InvalidPolicy(format!(
            "Broker URL '{}' uses plaintext HTTP to a non-loopback host. \
             This would send credentials in cleartext. Use a loopback address \
             (localhost/127.0.0.1) or place the broker behind a TLS-terminating \
             reverse proxy and use the AUDEX_BROKER_URL env var with http://localhost.",
            url
        )));
    }

    // TcpStream::connect and the Host header both want IPv6 literals in
    // brackets; the plain `host` field (for logging/comparison) keeps them
    // unbracketed.
    let is_ipv6 = raw_host.contains(':');
    let (host_header, connect_host) = if is_ipv6 {
        (format!("[{}]", raw_host), format!("[{}]", raw_host))
    } else {
        (raw_host.to_string(), raw_host.to_string())
    };

    Ok(ParsedUrl {
        host: raw_host.to_string(),
        host_header,
        connect_host,
        port,
        path: path.to_string(),
    })
}

fn extract_http_body(response: &str) -> Result<String> {
    if let Some(idx) = response.find("\r\n\r\n") {
        let status_line = response.lines().next().unwrap_or("");
        let status_code: u16 = status_line
            .split_whitespace()
            .nth(1)
            .and_then(|s| s.parse().ok())
            .unwrap_or(0);

        let body = &response[idx + 4..];

        if status_code >= 400 {
            return Err(AvError::Sts(format!(
                "Broker returned HTTP {}: {}",
                status_code, body
            )));
        }

        Ok(body.to_string())
    } else {
        Err(AvError::Sts(
            "Invalid HTTP response from broker".to_string(),
        ))
    }
}

/// Generate environment variable export commands for credentials.
/// Useful for shell integration and subprocess injection.
pub fn credentials_to_env_script(resp: &CredentialResponse, shell: &str) -> String {
    let mut lines = Vec::new();
    let export = match shell {
        "fish" => "set -gx",
        "powershell" | "pwsh" => "$env:",
        _ => "export",
    };

    let creds = &resp.credentials;
    if let Some(ref key) = creds.aws_access_key_id {
        lines.push(format_env(export, "AWS_ACCESS_KEY_ID", key, shell));
    }
    if let Some(ref key) = creds.aws_secret_access_key {
        lines.push(format_env(export, "AWS_SECRET_ACCESS_KEY", key, shell));
    }
    if let Some(ref token) = creds.aws_session_token {
        lines.push(format_env(export, "AWS_SESSION_TOKEN", token, shell));
    }
    if let Some(ref token) = creds.gcp_access_token {
        lines.push(format_env(
            export,
            "CLOUDSDK_AUTH_ACCESS_TOKEN",
            token,
            shell,
        ));
    }
    if let Some(ref token) = creds.azure_token {
        lines.push(format_env(export, "AZURE_ACCESS_TOKEN", token, shell));
    }

    lines.join("\n")
}

fn format_env(export: &str, key: &str, value: &str, shell: &str) -> String {
    // Escape shell metacharacters to prevent command injection when the
    // output is eval'd. GCP/Azure tokens can contain arbitrary characters.
    let escaped = value
        .replace('\\', "\\\\")
        .replace('"', "\\\"")
        .replace('`', "\\`")
        .replace('$', "\\$")
        .replace('!', "\\!");
    match shell {
        "powershell" | "pwsh" => format!("{}{}=\"{}\"", export, key, escaped),
        "fish" => format!("{} {} \"{}\"", export, key, escaped),
        _ => format!("{} {}=\"{}\"", export, key, escaped),
    }
}

/// Generate a JSON credentials document suitable for file-based injection.
pub fn credentials_to_json(resp: &CredentialResponse) -> Result<String> {
    let mut map = HashMap::new();
    map.insert("session_id", resp.session_id.as_str());
    map.insert("provider", resp.provider.as_str());
    map.insert("expires_at", resp.expires_at.as_str());

    let creds = &resp.credentials;
    if let Some(ref v) = creds.aws_access_key_id {
        map.insert("aws_access_key_id", v);
    }
    if let Some(ref v) = creds.aws_secret_access_key {
        map.insert("aws_secret_access_key", v);
    }
    if let Some(ref v) = creds.aws_session_token {
        map.insert("aws_session_token", v);
    }
    if let Some(ref v) = creds.gcp_access_token {
        map.insert("gcp_access_token", v);
    }
    if let Some(ref v) = creds.azure_token {
        map.insert("azure_token", v);
    }

    serde_json::to_string_pretty(&map)
        .map_err(|e| AvError::Sts(format!("Failed to serialize credentials: {}", e)))
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::server::CredentialEnvVars;

    #[test]
    fn test_broker_config_default() {
        let config = BrokerConfig::default();
        assert_eq!(config.url, "http://localhost:8080");
        assert_eq!(config.timeout, 30);
        assert!(config.api_key.is_none());
    }

    #[test]
    fn test_broker_config_deserialize() {
        let toml_str = r#"
url = "https://audex.internal:8443"
api_key = "secret-key-123"
timeout = 60
default_provider = "gcp"
default_role_arn = "arn:aws:iam::123:role/MyRole"
"#;
        let config: BrokerConfig = toml::from_str(toml_str).unwrap();
        assert_eq!(config.url, "https://audex.internal:8443");
        assert_eq!(config.api_key.as_deref(), Some("secret-key-123"));
        assert_eq!(config.timeout, 60);
        assert_eq!(config.default_provider.as_deref(), Some("gcp"));
    }

    #[test]
    fn test_batch_request_serialization() {
        let batch = BatchCredentialRequest {
            requests: vec![CredentialRequest {
                allow: Some("s3:GetObject".to_string()),
                profile: None,
                resource: None,
                provider: "aws".to_string(),
                ttl: "15m".to_string(),
                role_arn: None,
                command: vec![],
                agent_id: None,
            }],
        };
        let json = serde_json::to_string(&batch).unwrap();
        assert!(json.contains("s3:GetObject"));
    }

    #[test]
    fn test_batch_response_deserialization() {
        let json = r#"{"results":[{"index":0,"credentials":{"session_id":"abc","provider":"aws","expires_at":"2026-01-01T00:00:00Z","ttl_seconds":900,"credentials":{"aws_access_key_id":"AKID"}},"error":null}],"total":1,"succeeded":1,"failed":0}"#;
        let resp: BatchCredentialResponse = serde_json::from_str(json).unwrap();
        assert_eq!(resp.total, 1);
        assert_eq!(resp.succeeded, 1);
    }

    #[test]
    fn test_credentials_to_env_script_bash() {
        let resp = mock_credential_response();
        let script = credentials_to_env_script(&resp, "bash");
        assert!(script.contains("export AWS_ACCESS_KEY_ID=\"AKID123\""));
        assert!(script.contains("export AWS_SECRET_ACCESS_KEY=\"secret\""));
        assert!(script.contains("export AWS_SESSION_TOKEN=\"token\""));
    }

    #[test]
    fn test_credentials_to_env_script_fish() {
        let resp = mock_credential_response();
        let script = credentials_to_env_script(&resp, "fish");
        assert!(script.contains("set -gx AWS_ACCESS_KEY_ID \"AKID123\""));
    }

    #[test]
    fn test_credentials_to_env_script_powershell() {
        let resp = mock_credential_response();
        let script = credentials_to_env_script(&resp, "powershell");
        assert!(script.contains("$env:AWS_ACCESS_KEY_ID=\"AKID123\""));
    }

    #[test]
    fn test_credentials_to_json() {
        let resp = mock_credential_response();
        let json = credentials_to_json(&resp).unwrap();
        assert!(json.contains("AKID123"));
        assert!(json.contains("session_id"));
    }

    #[test]
    fn test_parse_url_with_port() {
        let parsed = parse_url("http://localhost:9090/v1/credentials").unwrap();
        assert_eq!(parsed.host, "localhost");
        assert_eq!(parsed.port, 9090);
        assert_eq!(parsed.path, "/v1/credentials");
    }

    #[test]
    fn test_parse_url_default_port() {
        let parsed = parse_url("http://localhost/v1/health").unwrap();
        assert_eq!(parsed.port, 8080);
    }

    #[test]
    fn test_parse_url_https_rejected() {
        let result = parse_url("https://audex.internal/v1/health");
        assert!(result.is_err());
        let err = result.unwrap_err().to_string();
        assert!(err.contains("HTTPS"), "Error should mention HTTPS: {}", err);
    }

    #[test]
    fn test_parse_url_non_loopback_rejected() {
        let result = parse_url("http://10.0.0.5:8080/v1/credentials");
        assert!(result.is_err());
        let err = result.unwrap_err().to_string();
        assert!(
            err.contains("plaintext HTTP"),
            "Error should mention plaintext: {}",
            err
        );

        // remote hostname also rejected
        let result = parse_url("http://audex.internal:8080/v1/credentials");
        assert!(result.is_err());
    }

    #[test]
    fn test_parse_url_loopback_accepted() {
        assert!(parse_url("http://localhost:8080/v1/creds").is_ok());
        assert!(parse_url("http://127.0.0.1:8080/v1/creds").is_ok());
        assert!(parse_url("http://[::1]:8080/v1/creds").is_ok());
        // 127.0.0.0/8 is all loopback per RFC 6890; the string-literal
        // allowlist used to reject these.
        assert!(parse_url("http://127.0.0.2:8080/v1/creds").is_ok());
        assert!(parse_url("http://127.1.2.3:8080/v1/creds").is_ok());
    }

    #[test]
    fn test_parse_url_invalid_port_rejected() {
        // R6-M45: previously silently defaulted to 8080.
        let err = parse_url("http://localhost:abcd/v1/creds").unwrap_err();
        assert!(err.to_string().contains("invalid port"), "got: {}", err);
    }

    #[test]
    fn test_parse_url_unspecified_address_rejected() {
        // R6-M46: 0.0.0.0 is *not* loopback, despite binding loopback on
        // some kernels. Reject outright.
        assert!(parse_url("http://0.0.0.0:8080/v1/creds").is_err());
    }

    #[test]
    fn test_parse_url_ipv6_bracketed_with_no_port() {
        // R6-M44: rfind-based parser used to split `[::1]` on the inner
        // colon and silently fall back to the default port.
        let parsed = parse_url("http://[::1]/v1/creds").unwrap();
        assert_eq!(parsed.host, "::1");
        assert_eq!(parsed.port, 8080);
        assert_eq!(parsed.host_header, "[::1]");
    }

    #[test]
    fn test_validate_header_value_rejects_crlf() {
        // R6-M42: api_key/agent_id with embedded CRLF must be rejected.
        assert!(validate_header_value("api_key", "abc\r\nX-Evil: 1").is_err());
        assert!(validate_header_value("api_key", "abc\nevil").is_err());
        assert!(validate_header_value("api_key", "abc\0nul").is_err());
        assert!(validate_header_value("api_key", "normal-key").is_ok());
    }

    #[test]
    fn test_extract_http_body_success() {
        let resp = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"ok\":true}";
        let body = extract_http_body(resp).unwrap();
        assert_eq!(body, "{\"ok\":true}");
    }

    #[test]
    fn test_extract_http_body_error() {
        let resp = "HTTP/1.1 401 Unauthorized\r\n\r\n{\"error\":\"invalid key\"}";
        assert!(extract_http_body(resp).is_err());
    }

    #[test]
    fn test_broker_token_serialization() {
        let token = BrokerToken {
            token: "tok_abc123".to_string(),
            expires_at: "2026-01-01T00:15:00Z".to_string(),
            request: CredentialRequest {
                allow: Some("s3:GetObject".to_string()),
                profile: None,
                resource: None,
                provider: "aws".to_string(),
                ttl: "15m".to_string(),
                role_arn: None,
                command: vec![],
                agent_id: None,
            },
        };
        let json = serde_json::to_string(&token).unwrap();
        assert!(json.contains("tok_abc123"));
        assert!(json.contains("s3:GetObject"));
    }

    fn mock_credential_response() -> CredentialResponse {
        CredentialResponse {
            session_id: "test-session-123".to_string(),
            provider: "aws".to_string(),
            expires_at: "2026-01-01T00:15:00Z".to_string(),
            ttl_seconds: 900,
            credentials: CredentialEnvVars {
                aws_access_key_id: Some("AKID123".to_string()),
                aws_secret_access_key: Some("secret".to_string()),
                aws_session_token: Some("token".to_string()),
                gcp_access_token: None,
                azure_token: None,
            },
        }
    }
}