@enterprisestandard/esv 0.0.5-beta.20260115.1 → 0.0.5-beta.20260115.2

package/dist/workload/index.js

@@ -1,503 +1,433 @@
-import { createRequire } from "node:module";
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
-};
-var __moduleCache = /* @__PURE__ */ new WeakMap;
-var __toCommonJS = (from) => {
-  var entry = __moduleCache.get(from), desc;
-  if (entry)
-    return entry;
-  entry = __defProp({}, "__esModule", { value: true });
-  if (from && typeof from === "object" || typeof from === "function")
-    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
-      get: () => from[key],
-      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-    }));
-  __moduleCache.set(from, entry);
-  return entry;
-};
-var __commonJS = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, {
-      get: all[name],
-      enumerable: true,
-      configurable: true,
-      set: (newValue) => all[name] = () => newValue
-    });
-};
-var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
-
-// packages/esv/src/utils.ts
-function createFetcher(config) {
-  const timeout = config.timeout ?? 5000;
-  const headers = config.headers ?? {};
-  return async function fetcher(path, options = {}) {
-    const url = `${config.baseUrl}${path}`;
-    const controller = new AbortController;
-    const timeoutId = setTimeout(() => controller.abort(), timeout);
-    try {
-      const response = await fetch(url, {
-        ...options,
-        signal: controller.signal,
-        headers: {
-          ...headers,
-          ...options.headers
-        },
-        redirect: "manual"
-      });
-      return response;
-    } finally {
-      clearTimeout(timeoutId);
-    }
-  };
-}
-async function runTest(name, testFn) {
-  const start = performance.now();
-  try {
-    const result = await testFn();
-    return {
-      name,
-      passed: true,
-      duration: performance.now() - start,
-      details: result?.details
-    };
-  } catch (error) {
+/**
+ * Workload Validation Tests
+ *
+ * These tests validate that an application correctly implements
+ * Enterprise Standard Workload Identity authentication.
+ */
+import { assert, assertValid, createFetcher, runTest, skipTest } from '../utils';
+/**
+ * Gets a workload token response validator (workload tokens don't have id_token, only access_token)
+ * This is different from OIDC tokenResponse which includes id_token
+ */
+function getWorkloadTokenResponseValidator() {
     return {
-      name,
-      passed: false,
-      error: error instanceof Error ? error.message : String(error),
-      duration: performance.now() - start
+        '~standard': {
+            validate: (value) => {
+                if (typeof value !== 'object' || value === null) {
+                    return {
+                        issues: [{ message: `Expected object, got ${typeof value}` }],
+                    };
+                }
+                const token = value;
+                const issues = [];
+                if (typeof token.access_token !== 'string') {
+                    issues.push({ message: 'Expected access_token to be string', path: ['access_token'] });
+                }
+                if (typeof token.token_type !== 'string') {
+                    issues.push({ message: 'Expected token_type to be string', path: ['token_type'] });
+                }
+                // expires_in is optional but if present should be a number
+                if (token.expires_in !== undefined && typeof token.expires_in !== 'number') {
+                    issues.push({ message: 'Expected expires_in to be number or undefined', path: ['expires_in'] });
+                }
+                // scope is optional but if present should be a string
+                if (token.scope !== undefined && typeof token.scope !== 'string') {
+                    issues.push({ message: 'Expected scope to be string or undefined', path: ['scope'] });
+                }
+                if (issues.length > 0) {
+                    return { issues };
+                }
+                return { value };
+            },
+        },
     };
-  }
-}
-function skipTest(name, reason) {
-  return {
-    name,
-    passed: true,
-    duration: 0,
-    details: { skipped: true, reason }
-  };
-}
-function assert(condition, message) {
-  if (!condition) {
-    throw new Error(message);
-  }
-}
-function assertEqual(actual, expected, message) {
-  if (actual !== expected) {
-    throw new Error(message ?? `Expected ${JSON.stringify(expected)}, got ${JSON.stringify(actual)}`);
-  }
-}
-function assertValid(data, validator, message) {
-  const result = validator["~standard"].validate(data);
-  if (result instanceof Promise) {
-    throw new Error(message ?? "Async validators are not supported in assertValid. Use the validator directly with await.");
-  }
-  if ("issues" in result) {
-    const issues = result.issues;
-    const errorMessages = issues.map((issue) => {
-      const path = issue.path ? issue.path.map(String).join(".") : "";
-      return path ? `${path}: ${issue.message}` : issue.message;
-    });
-    throw new Error(message ?? `Validation failed: ${errorMessages.join("; ")}`);
-  }
-}
-function parseCookies(headers) {
-  const cookies = new Map;
-  const setCookieHeaders = headers.getSetCookie?.() ?? [];
-  for (const cookie of setCookieHeaders) {
-    const [pair] = cookie.split(";");
-    const [name, value] = pair.split("=");
-    if (name && value !== undefined) {
-      cookies.set(name.trim(), value.trim());
-    }
-  }
-  return cookies;
-}
-function buildCookieHeader(cookies) {
-  return Array.from(cookies.entries()).map(([name, value]) => `${name}=${value}`).join("; ");
-}
-
-// packages/esv/src/workload/index.ts
-var exports_workload = {};
-__export(exports_workload, {
-  validateWorkload: () => validateWorkload,
-  createWorkloadTests: () => createWorkloadTests
-});
-function getWorkloadTokenResponseValidator() {
-  return {
-    "~standard": {
-      validate: (value) => {
-        if (typeof value !== "object" || value === null) {
-          return {
-            issues: [{ message: `Expected object, got ${typeof value}` }]
-          };
-        }
-        const token = value;
-        const issues = [];
-        if (typeof token.access_token !== "string") {
-          issues.push({ message: "Expected access_token to be string", path: ["access_token"] });
-        }
-        if (typeof token.token_type !== "string") {
-          issues.push({ message: "Expected token_type to be string", path: ["token_type"] });
-        }
-        if (token.expires_in !== undefined && typeof token.expires_in !== "number") {
-          issues.push({ message: "Expected expires_in to be number or undefined", path: ["expires_in"] });
-        }
-        if (token.scope !== undefined && typeof token.scope !== "string") {
-          issues.push({ message: "Expected scope to be string or undefined", path: ["scope"] });
-        }
-        if (issues.length > 0) {
-          return { issues };
-        }
-        return { value };
-      }
-    }
-  };
 }
+/**
+ * Gets a JWKS key validator (simple inline validator for standard JWKS key structure)
+ */
 function getJwksKeyValidator() {
-  return {
-    "~standard": {
-      validate: (value) => {
-        if (typeof value !== "object" || value === null) {
-          return {
-            issues: [{ message: `Expected object, got ${typeof value}` }]
-          };
-        }
-        const key = value;
-        const issues = [];
-        if (typeof key.kty !== "string") {
-          issues.push({ message: "Expected kty to be string", path: ["kty"] });
-        }
-        if (typeof key.kid !== "string") {
-          issues.push({ message: "Expected kid to be string", path: ["kid"] });
-        }
-        if (issues.length > 0) {
-          return { issues };
-        }
-        return { value };
-      }
-    }
-  };
+    // JWKS keys have a standard structure - create a simple validator inline
+    // This validates the minimal required fields: kty and kid
+    return {
+        '~standard': {
+            validate: (value) => {
+                if (typeof value !== 'object' || value === null) {
+                    return {
+                        issues: [{ message: `Expected object, got ${typeof value}` }],
+                    };
+                }
+                const key = value;
+                const issues = [];
+                if (typeof key.kty !== 'string') {
+                    issues.push({ message: 'Expected kty to be string', path: ['kty'] });
+                }
+                if (typeof key.kid !== 'string') {
+                    issues.push({ message: 'Expected kid to be string', path: ['kid'] });
+                }
+                if (issues.length > 0) {
+                    return { issues };
+                }
+                return { value };
+            },
+        },
+    };
 }
+/**
+ * Gets a token validation result validator (simple inline validator)
+ */
 function getTokenValidationResultValidator() {
-  return {
-    "~standard": {
-      validate: (value) => {
-        if (typeof value !== "object" || value === null) {
-          return {
-            issues: [{ message: `Expected object, got ${typeof value}` }]
-          };
-        }
-        const result = value;
-        const issues = [];
-        if (typeof result.valid !== "boolean") {
-          issues.push({ message: "Expected valid to be boolean", path: ["valid"] });
-        }
-        if (issues.length > 0) {
-          return { issues };
-        }
-        return { value };
-      }
-    }
-  };
-}
-async function testJwksEndpoint(config, fetch2) {
-  return runTest("Workload JWKS Endpoint", async () => {
-    const response = await fetch2(config.jwksPath);
-    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-    const data = await response.json();
-    assert(Array.isArray(data.keys), "JWKS response missing keys array");
-    const keyValidator = getJwksKeyValidator();
-    for (const key of data.keys) {
-      assertValid(key, keyValidator);
-    }
     return {
-      details: {
-        keyCount: data.keys.length,
-        algorithms: data.keys.map((k) => k.alg).filter(Boolean)
-      }
+        '~standard': {
+            validate: (value) => {
+                if (typeof value !== 'object' || value === null) {
+                    return {
+                        issues: [{ message: `Expected object, got ${typeof value}` }],
+                    };
+                }
+                const result = value;
+                const issues = [];
+                if (typeof result.valid !== 'boolean') {
+                    issues.push({ message: 'Expected valid to be boolean', path: ['valid'] });
+                }
+                if (issues.length > 0) {
+                    return { issues };
+                }
+                return { value };
+            },
+        },
     };
-  });
 }
-async function testTokenEndpoint(config, fetch2) {
-  const result = await runTest("Workload Token Endpoint", async () => {
-    const url = config.testScopes ? `${config.tokenPath}?scope=${encodeURIComponent(config.testScopes)}` : config.tokenPath;
-    const response = await fetch2(url);
-    if (response.status === 503) {
-      return {
-        details: {
-          skipped: true,
-          reason: "Workload authentication not configured"
+/**
+ * Default configuration for Workload validation
+ */
+const DEFAULT_CONFIG = {
+    tokenPath: '/api/workload/token',
+    validatePath: '/api/workload/validate',
+    jwksPath: '/api/workload/jwks',
+    refreshPath: '/api/workload/refresh',
+    esvUrl: 'http://localhost:3555',
+};
+/**
+ * Test: JWKS endpoint returns valid JWKS structure
+ */
+async function testJwksEndpoint(config, fetch) {
+    return runTest('Workload JWKS Endpoint', async () => {
+        const response = await fetch(config.jwksPath);
+        // Should return 200 OK
+        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+        const data = await response.json();
+        // Should have JWKS structure
+        assert(Array.isArray(data.keys), 'JWKS response missing keys array');
+        // Each key should have required fields - validate using validator
+        const keyValidator = getJwksKeyValidator();
+        for (const key of data.keys) {
+            assertValid(key, keyValidator);
         }
-      };
-    }
-    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-    const data = await response.json();
-    const validator = getWorkloadTokenResponseValidator();
-    assertValid(data, validator);
-    return {
-      details: {
-        tokenType: data.token_type,
-        hasToken: !!data.access_token,
-        token: data.access_token
-      }
-    };
-  });
-  return {
-    ...result,
-    token: result.details?.token
-  };
+        return {
+            details: {
+                keyCount: data.keys.length,
+                algorithms: data.keys.map((k) => k.alg).filter(Boolean),
+            },
+        };
+    });
 }
-async function testValidateEndpoint(config, fetch2, token) {
-  return runTest("Workload Validate Endpoint", async () => {
-    const response = await fetch2(config.validatePath, {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
+/**
+ * Test: Token endpoint returns access token
+ */
+async function testTokenEndpoint(config, fetch) {
+    const result = await runTest('Workload Token Endpoint', async () => {
+        const url = config.testScopes
+            ? `${config.tokenPath}?scope=${encodeURIComponent(config.testScopes)}`
+            : config.tokenPath;
+        const response = await fetch(url);
+        // Should return 200 OK (or 503 if workload not configured)
+        if (response.status === 503) {
+            return {
+                details: {
+                    skipped: true,
+                    reason: 'Workload authentication not configured',
+                },
+            };
+        }
+        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+        const data = await response.json();
+        // Should have token response structure - validate using workload-specific validator
+        // (workload tokens don't have id_token, only access_token)
+        const validator = getWorkloadTokenResponseValidator();
+        assertValid(data, validator);
+        return {
+            details: {
+                tokenType: data.token_type,
+                hasToken: !!data.access_token,
+                token: data.access_token,
+            },
+        };
     });
-    assert(response.status === 200, `Expected 200 OK for valid token, got ${response.status}`);
-    const data = await response.json();
-    const validationResultValidator = getTokenValidationResultValidator();
-    assertValid(data, validationResultValidator);
-    assert(data.valid === true, "Token should be valid");
     return {
-      details: {
-        valid: data.valid,
-        claims: data.claims
-      }
+        ...result,
+        token: result.details?.token,
     };
-  });
 }
-async function testValidateEndpointInvalid(config, fetch2) {
-  return runTest("Workload Validate Endpoint (Invalid Token)", async () => {
-    const response = await fetch2(config.validatePath, {
-      method: "POST",
-      headers: {
-        Authorization: "Bearer invalid.token.here"
-      }
+/**
+ * Test: Token validation endpoint works
+ */
+async function testValidateEndpoint(config, fetch, token) {
+    return runTest('Workload Validate Endpoint', async () => {
+        const response = await fetch(config.validatePath, {
+            method: 'POST',
+            headers: {
+                Authorization: `Bearer ${token}`,
+            },
+        });
+        // Should return 200 OK for valid token
+        assert(response.status === 200, `Expected 200 OK for valid token, got ${response.status}`);
+        const data = await response.json();
+        // Should have validation result structure - validate using validator
+        const validationResultValidator = getTokenValidationResultValidator();
+        assertValid(data, validationResultValidator);
+        assert(data.valid === true, 'Token should be valid');
+        return {
+            details: {
+                valid: data.valid,
+                claims: data.claims,
+            },
+        };
     });
-    assert(response.status === 401, `Expected 401 Unauthorized for invalid token, got ${response.status}`);
-    const data = await response.json();
-    const validationResultValidator = getTokenValidationResultValidator();
-    assertValid(data, validationResultValidator);
-    assert(data.valid === false, "Invalid token should not validate");
-    return {
-      details: {
-        valid: data.valid,
-        error: data.error
-      }
-    };
-  });
 }
-async function testValidateEndpointNoAuth(config, fetch2) {
-  return runTest("Workload Validate Endpoint (No Auth)", async () => {
-    const response = await fetch2(config.validatePath, {
-      method: "POST"
+/**
+ * Test: Token validation rejects invalid tokens
+ */
+async function testValidateEndpointInvalid(config, fetch) {
+    return runTest('Workload Validate Endpoint (Invalid Token)', async () => {
+        const response = await fetch(config.validatePath, {
+            method: 'POST',
+            headers: {
+                Authorization: 'Bearer invalid.token.here',
+            },
+        });
+        // Should return 401 for invalid token
+        assert(response.status === 401, `Expected 401 Unauthorized for invalid token, got ${response.status}`);
+        const data = await response.json();
+        // Should indicate token is invalid - validate using validator
+        const validationResultValidator = getTokenValidationResultValidator();
+        assertValid(data, validationResultValidator);
+        assert(data.valid === false, 'Invalid token should not validate');
+        return {
+            details: {
+                valid: data.valid,
+                error: data.error,
+            },
+        };
     });
-    assert(response.status === 401, `Expected 401 Unauthorized for missing auth, got ${response.status}`);
-    return {
-      details: {
-        status: response.status,
-        requiresAuth: true
-      }
-    };
-  });
 }
-async function testRefreshEndpoint(config, fetch2) {
-  return runTest("Workload Refresh Endpoint", async () => {
-    const response = await fetch2(config.refreshPath, {
-      method: "POST"
+/**
+ * Test: Token validation rejects missing authorization header
+ */
+async function testValidateEndpointNoAuth(config, fetch) {
+    return runTest('Workload Validate Endpoint (No Auth)', async () => {
+        const response = await fetch(config.validatePath, {
+            method: 'POST',
+        });
+        // Should return 401 for missing auth
+        assert(response.status === 401, `Expected 401 Unauthorized for missing auth, got ${response.status}`);
+        return {
+            details: {
+                status: response.status,
+                requiresAuth: true,
+            },
+        };
     });
-    if (response.status === 503) {
-      return {
-        details: {
-          skipped: true,
-          reason: "Workload authentication not configured"
+}
+/**
+ * Test: Refresh endpoint works
+ */
+async function testRefreshEndpoint(config, fetch) {
+    return runTest('Workload Refresh Endpoint', async () => {
+        const response = await fetch(config.refreshPath, {
+            method: 'POST',
+        });
+        // Should return 200 OK or 503 if not configured
+        if (response.status === 503) {
+            return {
+                details: {
+                    skipped: true,
+                    reason: 'Workload authentication not configured',
+                },
+            };
         }
-      };
-    }
-    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-    const data = await response.json();
-    const validator = getWorkloadTokenResponseValidator();
-    assertValid(data, validator);
-    return {
-      details: {
-        tokenType: data.token_type,
-        hasToken: !!data.access_token
-      }
-    };
-  });
+        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+        const data = await response.json();
+        // Should have token response structure - validate using workload-specific validator
+        // (workload tokens don't have id_token, only access_token)
+        const validator = getWorkloadTokenResponseValidator();
+        assertValid(data, validator);
+        return {
+            details: {
+                tokenType: data.token_type,
+                hasToken: !!data.access_token,
+            },
+        };
+    });
 }
+/**
+ * Test: Whoami endpoint with workload authentication
+ *
+ * This test calls the ESV mock server's /api/whoami endpoint to validate
+ * that the workload token issued by the application is valid and can be
+ * used for cross-service authentication. This allows each application to
+ * be tested independently without requiring other applications to be running.
+ */
 async function testWhoamiWithWorkload(config, token) {
-  return runTest("Workload Authentication (Whoami)", async () => {
-    const esvWhoamiUrl = `${config.esvUrl}/api/whoami`;
-    const response = await globalThis.fetch(esvWhoamiUrl, {
-      headers: {
-        Authorization: `Bearer ${token}`
-      }
-    });
-    if (response.status === 404) {
-      return {
-        details: {
-          skipped: true,
-          reason: "ESV whoami endpoint not available"
+    return runTest('Workload Authentication (Whoami)', async () => {
+        // Call the ESV mock server's whoami endpoint with the workload token
+        const esvWhoamiUrl = `${config.esvUrl}/api/whoami`;
+        const response = await globalThis.fetch(esvWhoamiUrl, {
+            headers: {
+                Authorization: `Bearer ${token}`,
+            },
+        });
+        // Should return 200 OK
+        if (response.status === 404) {
+            return {
+                details: {
+                    skipped: true,
+                    reason: 'ESV whoami endpoint not available',
+                },
+            };
         }
-      };
+        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+        const data = await response.json();
+        // Should have workload identity in response
+        assert(data.workload !== undefined, 'Response should include workload identity');
+        return {
+            details: {
+                workloadId: data.workload?.workload_id,
+                clientId: data.workload?.client_id,
+            },
+        };
+    });
+}
+/**
+ * Runs all Workload validation tests
+ */
+export async function validateWorkload(config) {
+    const startTime = performance.now();
+    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+    const fetch = createFetcher(mergedConfig);
+    const tests = [];
+    // Test JWKS endpoint
+    tests.push(await testJwksEndpoint(mergedConfig, fetch));
+    // Test token endpoint and get a token for further tests
+    const tokenResult = await testTokenEndpoint(mergedConfig, fetch);
+    tests.push(tokenResult);
+    // Test validation endpoints
+    tests.push(await testValidateEndpointNoAuth(mergedConfig, fetch));
+    tests.push(await testValidateEndpointInvalid(mergedConfig, fetch));
+    // If we have a token, test validation with valid token
+    const token = tokenResult.token ?? config.validToken;
+    if (token) {
+        tests.push(await testValidateEndpoint(mergedConfig, fetch, token));
+        tests.push(await testWhoamiWithWorkload(mergedConfig, token));
+    }
+    else {
+        tests.push(skipTest('Workload Validate Endpoint', 'No valid token available'));
+        tests.push(skipTest('Workload Authentication (Whoami)', 'No valid token available'));
     }
-    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-    const data = await response.json();
-    assert(data.workload !== undefined, "Response should include workload identity");
+    // Test refresh endpoint
+    tests.push(await testRefreshEndpoint(mergedConfig, fetch));
+    const duration = performance.now() - startTime;
+    const passed = tests.filter((t) => t.passed).length;
+    const failed = tests.filter((t) => !t.passed).length;
+    const skipped = tests.filter((t) => t.details?.skipped).length;
     return {
-      details: {
-        workloadId: data.workload?.workload_id,
-        clientId: data.workload?.client_id
-      }
+        suite: 'Workload',
+        passed: failed === 0,
+        tests,
+        duration,
+        summary: {
+            total: tests.length,
+            passed: passed - skipped,
+            failed,
+            skipped,
+        },
     };
-  });
-}
-async function validateWorkload(config) {
-  const startTime = performance.now();
-  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  const fetch2 = createFetcher(mergedConfig);
-  const tests = [];
-  tests.push(await testJwksEndpoint(mergedConfig, fetch2));
-  const tokenResult = await testTokenEndpoint(mergedConfig, fetch2);
-  tests.push(tokenResult);
-  tests.push(await testValidateEndpointNoAuth(mergedConfig, fetch2));
-  tests.push(await testValidateEndpointInvalid(mergedConfig, fetch2));
-  const token = tokenResult.token ?? config.validToken;
-  if (token) {
-    tests.push(await testValidateEndpoint(mergedConfig, fetch2, token));
-    tests.push(await testWhoamiWithWorkload(mergedConfig, token));
-  } else {
-    tests.push(skipTest("Workload Validate Endpoint", "No valid token available"));
-    tests.push(skipTest("Workload Authentication (Whoami)", "No valid token available"));
-  }
-  tests.push(await testRefreshEndpoint(mergedConfig, fetch2));
-  const duration = performance.now() - startTime;
-  const passed = tests.filter((t) => t.passed).length;
-  const failed = tests.filter((t) => !t.passed).length;
-  const skipped = tests.filter((t) => t.details?.skipped).length;
-  return {
-    suite: "Workload",
-    passed: failed === 0,
-    tests,
-    duration,
-    summary: {
-      total: tests.length,
-      passed: passed - skipped,
-      failed,
-      skipped
-    }
-  };
 }
-function createWorkloadTests(config) {
-  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-  const fetch2 = createFetcher(mergedConfig);
-  let acquiredToken;
-  return [
-    {
-      name: "JWKS endpoint returns valid keys",
-      fn: async () => {
-        const result = await testJwksEndpoint(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "token endpoint returns access token",
-      fn: async () => {
-        const result = await testTokenEndpoint(mergedConfig, fetch2);
-        if (!result.passed && !result.details?.skipped)
-          throw new Error(result.error);
-        acquiredToken = result.token;
-      }
-    },
-    {
-      name: "validate endpoint rejects missing auth",
-      fn: async () => {
-        const result = await testValidateEndpointNoAuth(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "validate endpoint rejects invalid tokens",
-      fn: async () => {
-        const result = await testValidateEndpointInvalid(mergedConfig, fetch2);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "validate endpoint accepts valid token",
-      fn: async () => {
-        const token = acquiredToken ?? config.validToken;
-        if (!token) {
-          console.warn("Skipping: No valid token available");
-          return;
-        }
-        const result = await testValidateEndpoint(mergedConfig, fetch2, token);
-        if (!result.passed)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "whoami endpoint works with workload authentication",
-      fn: async () => {
-        const token = acquiredToken ?? config.validToken;
-        if (!token) {
-          console.warn("Skipping: No valid token available");
-          return;
-        }
-        const result = await testWhoamiWithWorkload(mergedConfig, token);
-        if (!result.passed && !result.details?.skipped)
-          throw new Error(result.error);
-      }
-    },
-    {
-      name: "refresh endpoint works",
-      fn: async () => {
-        const result = await testRefreshEndpoint(mergedConfig, fetch2);
-        if (!result.passed && !result.details?.skipped)
-          throw new Error(result.error);
-      }
-    }
-  ];
+/**
+ * Creates Vitest-compatible test suite for Workload validation
+ */
+export function createWorkloadTests(config) {
+    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+    const fetch = createFetcher(mergedConfig);
+    // Store token for dependent tests
+    let acquiredToken;
+    return [
+        {
+            name: 'JWKS endpoint returns valid keys',
+            fn: async () => {
+                const result = await testJwksEndpoint(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'token endpoint returns access token',
+            fn: async () => {
+                const result = await testTokenEndpoint(mergedConfig, fetch);
+                if (!result.passed && !result.details?.skipped)
+                    throw new Error(result.error);
+                acquiredToken = result.token;
+            },
+        },
+        {
+            name: 'validate endpoint rejects missing auth',
+            fn: async () => {
+                const result = await testValidateEndpointNoAuth(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'validate endpoint rejects invalid tokens',
+            fn: async () => {
+                const result = await testValidateEndpointInvalid(mergedConfig, fetch);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'validate endpoint accepts valid token',
+            fn: async () => {
+                const token = acquiredToken ?? config.validToken;
+                if (!token) {
+                    console.warn('Skipping: No valid token available');
+                    return;
+                }
+                const result = await testValidateEndpoint(mergedConfig, fetch, token);
+                if (!result.passed)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'whoami endpoint works with workload authentication',
+            fn: async () => {
+                const token = acquiredToken ?? config.validToken;
+                if (!token) {
+                    console.warn('Skipping: No valid token available');
+                    return;
+                }
+                const result = await testWhoamiWithWorkload(mergedConfig, token);
+                if (!result.passed && !result.details?.skipped)
+                    throw new Error(result.error);
+            },
+        },
+        {
+            name: 'refresh endpoint works',
+            fn: async () => {
+                const result = await testRefreshEndpoint(mergedConfig, fetch);
+                if (!result.passed && !result.details?.skipped)
+                    throw new Error(result.error);
+            },
+        },
+    ];
 }
-var DEFAULT_CONFIG;
-var init_workload = __esm(() => {
-  DEFAULT_CONFIG = {
-    tokenPath: "/api/workload/token",
-    validatePath: "/api/workload/validate",
-    jwksPath: "/api/workload/jwks",
-    refreshPath: "/api/workload/refresh",
-    esvUrl: "http://localhost:3555"
-  };
-});
-init_workload();
-
-export {
-  validateWorkload,
-  createWorkloadTests
-};
-
-//# debugId=A73B69B4545ADC4664756E2164756E21
+//# sourceMappingURL=index.js.map