@enterprisestandard/esv 0.0.5-beta.20260115.2 → 0.0.5-beta.20260115.4

package/dist/workload/index.js

@@ -1,433 +1,423 @@
-/**
- * Workload Validation Tests
- *
- * These tests validate that an application correctly implements
- * Enterprise Standard Workload Identity authentication.
- */
-import { assert, assertValid, createFetcher, runTest, skipTest } from '../utils';
-/**
- * Gets a workload token response validator (workload tokens don't have id_token, only access_token)
- * This is different from OIDC tokenResponse which includes id_token
- */
-function getWorkloadTokenResponseValidator() {
-    return {
-        '~standard': {
-            validate: (value) => {
-                if (typeof value !== 'object' || value === null) {
-                    return {
-                        issues: [{ message: `Expected object, got ${typeof value}` }],
-                    };
-                }
-                const token = value;
-                const issues = [];
-                if (typeof token.access_token !== 'string') {
-                    issues.push({ message: 'Expected access_token to be string', path: ['access_token'] });
-                }
-                if (typeof token.token_type !== 'string') {
-                    issues.push({ message: 'Expected token_type to be string', path: ['token_type'] });
-                }
-                // expires_in is optional but if present should be a number
-                if (token.expires_in !== undefined && typeof token.expires_in !== 'number') {
-                    issues.push({ message: 'Expected expires_in to be number or undefined', path: ['expires_in'] });
-                }
-                // scope is optional but if present should be a string
-                if (token.scope !== undefined && typeof token.scope !== 'string') {
-                    issues.push({ message: 'Expected scope to be string or undefined', path: ['scope'] });
-                }
-                if (issues.length > 0) {
-                    return { issues };
-                }
-                return { value };
-            },
+// src/utils.ts
+function createFetcher(config) {
+  const timeout = config.timeout ?? 5e3;
+  const headers = config.headers ?? {};
+  return async function fetcher(path, options = {}) {
+    const url = `${config.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        ...options,
+        signal: controller.signal,
+        headers: {
+          ...headers,
+          ...options.headers
         },
-    };
+        redirect: "manual"
+        // Don't follow redirects automatically
+      });
+      return response;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  };
 }
-/**
- * Gets a JWKS key validator (simple inline validator for standard JWKS key structure)
- */
-function getJwksKeyValidator() {
-    // JWKS keys have a standard structure - create a simple validator inline
-    // This validates the minimal required fields: kty and kid
+async function runTest(name, testFn) {
+  const start = performance.now();
+  try {
+    const result = await testFn();
     return {
-        '~standard': {
-            validate: (value) => {
-                if (typeof value !== 'object' || value === null) {
-                    return {
-                        issues: [{ message: `Expected object, got ${typeof value}` }],
-                    };
-                }
-                const key = value;
-                const issues = [];
-                if (typeof key.kty !== 'string') {
-                    issues.push({ message: 'Expected kty to be string', path: ['kty'] });
-                }
-                if (typeof key.kid !== 'string') {
-                    issues.push({ message: 'Expected kid to be string', path: ['kid'] });
-                }
-                if (issues.length > 0) {
-                    return { issues };
-                }
-                return { value };
-            },
-        },
+      name,
+      passed: true,
+      duration: performance.now() - start,
+      details: result?.details
+    };
+  } catch (error) {
+    return {
+      name,
+      passed: false,
+      error: error instanceof Error ? error.message : String(error),
+      duration: performance.now() - start
     };
+  }
+}
+function skipTest(name, reason) {
+  return {
+    name,
+    passed: true,
+    duration: 0,
+    details: { skipped: true, reason }
+  };
+}
+function assert(condition, message) {
+  if (!condition) {
+    throw new Error(message);
+  }
+}
+function assertValid(data, validator, message) {
+  const result = validator["~standard"].validate(data);
+  if (result instanceof Promise) {
+    throw new Error(
+      message ?? "Async validators are not supported in assertValid. Use the validator directly with await."
+    );
+  }
+  if ("issues" in result) {
+    const issues = result.issues;
+    const errorMessages = issues.map((issue) => {
+      const path = issue.path ? issue.path.map(String).join(".") : "";
+      return path ? `${path}: ${issue.message}` : issue.message;
+    });
+    throw new Error(message ?? `Validation failed: ${errorMessages.join("; ")}`);
+  }
+}
+
+// src/workload/index.ts
+function getWorkloadTokenResponseValidator() {
+  return {
+    "~standard": {
+      validate: (value) => {
+        if (typeof value !== "object" || value === null) {
+          return {
+            issues: [{ message: `Expected object, got ${typeof value}` }]
+          };
+        }
+        const token = value;
+        const issues = [];
+        if (typeof token.access_token !== "string") {
+          issues.push({ message: "Expected access_token to be string", path: ["access_token"] });
+        }
+        if (typeof token.token_type !== "string") {
+          issues.push({ message: "Expected token_type to be string", path: ["token_type"] });
+        }
+        if (token.expires_in !== void 0 && typeof token.expires_in !== "number") {
+          issues.push({ message: "Expected expires_in to be number or undefined", path: ["expires_in"] });
+        }
+        if (token.scope !== void 0 && typeof token.scope !== "string") {
+          issues.push({ message: "Expected scope to be string or undefined", path: ["scope"] });
+        }
+        if (issues.length > 0) {
+          return { issues };
+        }
+        return { value };
+      }
+    }
+  };
+}
+function getJwksKeyValidator() {
+  return {
+    "~standard": {
+      validate: (value) => {
+        if (typeof value !== "object" || value === null) {
+          return {
+            issues: [{ message: `Expected object, got ${typeof value}` }]
+          };
+        }
+        const key = value;
+        const issues = [];
+        if (typeof key.kty !== "string") {
+          issues.push({ message: "Expected kty to be string", path: ["kty"] });
+        }
+        if (typeof key.kid !== "string") {
+          issues.push({ message: "Expected kid to be string", path: ["kid"] });
+        }
+        if (issues.length > 0) {
+          return { issues };
+        }
+        return { value };
+      }
+    }
+  };
 }
-/**
- * Gets a token validation result validator (simple inline validator)
- */
 function getTokenValidationResultValidator() {
+  return {
+    "~standard": {
+      validate: (value) => {
+        if (typeof value !== "object" || value === null) {
+          return {
+            issues: [{ message: `Expected object, got ${typeof value}` }]
+          };
+        }
+        const result = value;
+        const issues = [];
+        if (typeof result.valid !== "boolean") {
+          issues.push({ message: "Expected valid to be boolean", path: ["valid"] });
+        }
+        if (issues.length > 0) {
+          return { issues };
+        }
+        return { value };
+      }
+    }
+  };
+}
+var DEFAULT_CONFIG = {
+  tokenPath: "/api/workload/token",
+  validatePath: "/api/workload/validate",
+  jwksPath: "/api/workload/jwks",
+  refreshPath: "/api/workload/refresh",
+  esvUrl: "http://localhost:3555"
+};
+async function testJwksEndpoint(config, fetch2) {
+  return runTest("Workload JWKS Endpoint", async () => {
+    const response = await fetch2(config.jwksPath);
+    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+    const data = await response.json();
+    assert(Array.isArray(data.keys), "JWKS response missing keys array");
+    const keyValidator = getJwksKeyValidator();
+    for (const key of data.keys) {
+      assertValid(key, keyValidator);
+    }
     return {
-        '~standard': {
-            validate: (value) => {
-                if (typeof value !== 'object' || value === null) {
-                    return {
-                        issues: [{ message: `Expected object, got ${typeof value}` }],
-                    };
-                }
-                const result = value;
-                const issues = [];
-                if (typeof result.valid !== 'boolean') {
-                    issues.push({ message: 'Expected valid to be boolean', path: ['valid'] });
-                }
-                if (issues.length > 0) {
-                    return { issues };
-                }
-                return { value };
-            },
-        },
+      details: {
+        keyCount: data.keys.length,
+        algorithms: data.keys.map((k) => k.alg).filter(Boolean)
+      }
     };
+  });
 }
-/**
- * Default configuration for Workload validation
- */
-const DEFAULT_CONFIG = {
-    tokenPath: '/api/workload/token',
-    validatePath: '/api/workload/validate',
-    jwksPath: '/api/workload/jwks',
-    refreshPath: '/api/workload/refresh',
-    esvUrl: 'http://localhost:3555',
-};
-/**
- * Test: JWKS endpoint returns valid JWKS structure
- */
-async function testJwksEndpoint(config, fetch) {
-    return runTest('Workload JWKS Endpoint', async () => {
-        const response = await fetch(config.jwksPath);
-        // Should return 200 OK
-        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-        const data = await response.json();
-        // Should have JWKS structure
-        assert(Array.isArray(data.keys), 'JWKS response missing keys array');
-        // Each key should have required fields - validate using validator
-        const keyValidator = getJwksKeyValidator();
-        for (const key of data.keys) {
-            assertValid(key, keyValidator);
+async function testTokenEndpoint(config, fetch2) {
+  const result = await runTest("Workload Token Endpoint", async () => {
+    const url = config.testScopes ? `${config.tokenPath}?scope=${encodeURIComponent(config.testScopes)}` : config.tokenPath;
+    const response = await fetch2(url);
+    if (response.status === 503) {
+      return {
+        details: {
+          skipped: true,
+          reason: "Workload authentication not configured"
         }
-        return {
-            details: {
-                keyCount: data.keys.length,
-                algorithms: data.keys.map((k) => k.alg).filter(Boolean),
-            },
-        };
-    });
+      };
+    }
+    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+    const data = await response.json();
+    const validator = getWorkloadTokenResponseValidator();
+    assertValid(data, validator);
+    return {
+      details: {
+        tokenType: data.token_type,
+        hasToken: !!data.access_token,
+        token: data.access_token
+      }
+    };
+  });
+  return {
+    ...result,
+    token: result.details?.token
+  };
 }
-/**
- * Test: Token endpoint returns access token
- */
-async function testTokenEndpoint(config, fetch) {
-    const result = await runTest('Workload Token Endpoint', async () => {
-        const url = config.testScopes
-            ? `${config.tokenPath}?scope=${encodeURIComponent(config.testScopes)}`
-            : config.tokenPath;
-        const response = await fetch(url);
-        // Should return 200 OK (or 503 if workload not configured)
-        if (response.status === 503) {
-            return {
-                details: {
-                    skipped: true,
-                    reason: 'Workload authentication not configured',
-                },
-            };
-        }
-        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-        const data = await response.json();
-        // Should have token response structure - validate using workload-specific validator
-        // (workload tokens don't have id_token, only access_token)
-        const validator = getWorkloadTokenResponseValidator();
-        assertValid(data, validator);
-        return {
-            details: {
-                tokenType: data.token_type,
-                hasToken: !!data.access_token,
-                token: data.access_token,
-            },
-        };
+async function testValidateEndpoint(config, fetch2, token) {
+  return runTest("Workload Validate Endpoint", async () => {
+    const response = await fetch2(config.validatePath, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
     });
+    assert(response.status === 200, `Expected 200 OK for valid token, got ${response.status}`);
+    const data = await response.json();
+    const validationResultValidator = getTokenValidationResultValidator();
+    assertValid(data, validationResultValidator);
+    assert(data.valid === true, "Token should be valid");
     return {
-        ...result,
-        token: result.details?.token,
+      details: {
+        valid: data.valid,
+        claims: data.claims
+      }
     };
+  });
 }
-/**
- * Test: Token validation endpoint works
- */
-async function testValidateEndpoint(config, fetch, token) {
-    return runTest('Workload Validate Endpoint', async () => {
-        const response = await fetch(config.validatePath, {
-            method: 'POST',
-            headers: {
-                Authorization: `Bearer ${token}`,
-            },
-        });
-        // Should return 200 OK for valid token
-        assert(response.status === 200, `Expected 200 OK for valid token, got ${response.status}`);
-        const data = await response.json();
-        // Should have validation result structure - validate using validator
-        const validationResultValidator = getTokenValidationResultValidator();
-        assertValid(data, validationResultValidator);
-        assert(data.valid === true, 'Token should be valid');
-        return {
-            details: {
-                valid: data.valid,
-                claims: data.claims,
-            },
-        };
+async function testValidateEndpointInvalid(config, fetch2) {
+  return runTest("Workload Validate Endpoint (Invalid Token)", async () => {
+    const response = await fetch2(config.validatePath, {
+      method: "POST",
+      headers: {
+        Authorization: "Bearer invalid.token.here"
+      }
     });
+    assert(response.status === 401, `Expected 401 Unauthorized for invalid token, got ${response.status}`);
+    const data = await response.json();
+    const validationResultValidator = getTokenValidationResultValidator();
+    assertValid(data, validationResultValidator);
+    assert(data.valid === false, "Invalid token should not validate");
+    return {
+      details: {
+        valid: data.valid,
+        error: data.error
+      }
+    };
+  });
 }
-/**
- * Test: Token validation rejects invalid tokens
- */
-async function testValidateEndpointInvalid(config, fetch) {
-    return runTest('Workload Validate Endpoint (Invalid Token)', async () => {
-        const response = await fetch(config.validatePath, {
-            method: 'POST',
-            headers: {
-                Authorization: 'Bearer invalid.token.here',
-            },
-        });
-        // Should return 401 for invalid token
-        assert(response.status === 401, `Expected 401 Unauthorized for invalid token, got ${response.status}`);
-        const data = await response.json();
-        // Should indicate token is invalid - validate using validator
-        const validationResultValidator = getTokenValidationResultValidator();
-        assertValid(data, validationResultValidator);
-        assert(data.valid === false, 'Invalid token should not validate');
-        return {
-            details: {
-                valid: data.valid,
-                error: data.error,
-            },
-        };
+async function testValidateEndpointNoAuth(config, fetch2) {
+  return runTest("Workload Validate Endpoint (No Auth)", async () => {
+    const response = await fetch2(config.validatePath, {
+      method: "POST"
     });
+    assert(response.status === 401, `Expected 401 Unauthorized for missing auth, got ${response.status}`);
+    return {
+      details: {
+        status: response.status,
+        requiresAuth: true
+      }
+    };
+  });
 }
-/**
- * Test: Token validation rejects missing authorization header
- */
-async function testValidateEndpointNoAuth(config, fetch) {
-    return runTest('Workload Validate Endpoint (No Auth)', async () => {
-        const response = await fetch(config.validatePath, {
-            method: 'POST',
-        });
-        // Should return 401 for missing auth
-        assert(response.status === 401, `Expected 401 Unauthorized for missing auth, got ${response.status}`);
-        return {
-            details: {
-                status: response.status,
-                requiresAuth: true,
-            },
-        };
+async function testRefreshEndpoint(config, fetch2) {
+  return runTest("Workload Refresh Endpoint", async () => {
+    const response = await fetch2(config.refreshPath, {
+      method: "POST"
     });
-}
-/**
- * Test: Refresh endpoint works
- */
-async function testRefreshEndpoint(config, fetch) {
-    return runTest('Workload Refresh Endpoint', async () => {
-        const response = await fetch(config.refreshPath, {
-            method: 'POST',
-        });
-        // Should return 200 OK or 503 if not configured
-        if (response.status === 503) {
-            return {
-                details: {
-                    skipped: true,
-                    reason: 'Workload authentication not configured',
-                },
-            };
+    if (response.status === 503) {
+      return {
+        details: {
+          skipped: true,
+          reason: "Workload authentication not configured"
         }
-        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-        const data = await response.json();
-        // Should have token response structure - validate using workload-specific validator
-        // (workload tokens don't have id_token, only access_token)
-        const validator = getWorkloadTokenResponseValidator();
-        assertValid(data, validator);
-        return {
-            details: {
-                tokenType: data.token_type,
-                hasToken: !!data.access_token,
-            },
-        };
-    });
+      };
+    }
+    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+    const data = await response.json();
+    const validator = getWorkloadTokenResponseValidator();
+    assertValid(data, validator);
+    return {
+      details: {
+        tokenType: data.token_type,
+        hasToken: !!data.access_token
+      }
+    };
+  });
 }
-/**
- * Test: Whoami endpoint with workload authentication
- *
- * This test calls the ESV mock server's /api/whoami endpoint to validate
- * that the workload token issued by the application is valid and can be
- * used for cross-service authentication. This allows each application to
- * be tested independently without requiring other applications to be running.
- */
 async function testWhoamiWithWorkload(config, token) {
-    return runTest('Workload Authentication (Whoami)', async () => {
-        // Call the ESV mock server's whoami endpoint with the workload token
-        const esvWhoamiUrl = `${config.esvUrl}/api/whoami`;
-        const response = await globalThis.fetch(esvWhoamiUrl, {
-            headers: {
-                Authorization: `Bearer ${token}`,
-            },
-        });
-        // Should return 200 OK
-        if (response.status === 404) {
-            return {
-                details: {
-                    skipped: true,
-                    reason: 'ESV whoami endpoint not available',
-                },
-            };
-        }
-        assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
-        const data = await response.json();
-        // Should have workload identity in response
-        assert(data.workload !== undefined, 'Response should include workload identity');
-        return {
-            details: {
-                workloadId: data.workload?.workload_id,
-                clientId: data.workload?.client_id,
-            },
-        };
+  return runTest("Workload Authentication (Whoami)", async () => {
+    const esvWhoamiUrl = `${config.esvUrl}/api/whoami`;
+    const response = await globalThis.fetch(esvWhoamiUrl, {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
     });
-}
-/**
- * Runs all Workload validation tests
- */
-export async function validateWorkload(config) {
-    const startTime = performance.now();
-    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-    const fetch = createFetcher(mergedConfig);
-    const tests = [];
-    // Test JWKS endpoint
-    tests.push(await testJwksEndpoint(mergedConfig, fetch));
-    // Test token endpoint and get a token for further tests
-    const tokenResult = await testTokenEndpoint(mergedConfig, fetch);
-    tests.push(tokenResult);
-    // Test validation endpoints
-    tests.push(await testValidateEndpointNoAuth(mergedConfig, fetch));
-    tests.push(await testValidateEndpointInvalid(mergedConfig, fetch));
-    // If we have a token, test validation with valid token
-    const token = tokenResult.token ?? config.validToken;
-    if (token) {
-        tests.push(await testValidateEndpoint(mergedConfig, fetch, token));
-        tests.push(await testWhoamiWithWorkload(mergedConfig, token));
-    }
-    else {
-        tests.push(skipTest('Workload Validate Endpoint', 'No valid token available'));
-        tests.push(skipTest('Workload Authentication (Whoami)', 'No valid token available'));
+    if (response.status === 404) {
+      return {
+        details: {
+          skipped: true,
+          reason: "ESV whoami endpoint not available"
+        }
+      };
     }
-    // Test refresh endpoint
-    tests.push(await testRefreshEndpoint(mergedConfig, fetch));
-    const duration = performance.now() - startTime;
-    const passed = tests.filter((t) => t.passed).length;
-    const failed = tests.filter((t) => !t.passed).length;
-    const skipped = tests.filter((t) => t.details?.skipped).length;
+    assert(response.status === 200, `Expected 200 OK, got ${response.status}`);
+    const data = await response.json();
+    assert(data.workload !== void 0, "Response should include workload identity");
     return {
-        suite: 'Workload',
-        passed: failed === 0,
-        tests,
-        duration,
-        summary: {
-            total: tests.length,
-            passed: passed - skipped,
-            failed,
-            skipped,
-        },
+      details: {
+        workloadId: data.workload?.workload_id,
+        clientId: data.workload?.client_id
+      }
     };
+  });
 }
-/**
- * Creates Vitest-compatible test suite for Workload validation
- */
-export function createWorkloadTests(config) {
-    const mergedConfig = { ...DEFAULT_CONFIG, ...config };
-    const fetch = createFetcher(mergedConfig);
-    // Store token for dependent tests
-    let acquiredToken;
-    return [
-        {
-            name: 'JWKS endpoint returns valid keys',
-            fn: async () => {
-                const result = await testJwksEndpoint(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'token endpoint returns access token',
-            fn: async () => {
-                const result = await testTokenEndpoint(mergedConfig, fetch);
-                if (!result.passed && !result.details?.skipped)
-                    throw new Error(result.error);
-                acquiredToken = result.token;
-            },
-        },
-        {
-            name: 'validate endpoint rejects missing auth',
-            fn: async () => {
-                const result = await testValidateEndpointNoAuth(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'validate endpoint rejects invalid tokens',
-            fn: async () => {
-                const result = await testValidateEndpointInvalid(mergedConfig, fetch);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'validate endpoint accepts valid token',
-            fn: async () => {
-                const token = acquiredToken ?? config.validToken;
-                if (!token) {
-                    console.warn('Skipping: No valid token available');
-                    return;
-                }
-                const result = await testValidateEndpoint(mergedConfig, fetch, token);
-                if (!result.passed)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'whoami endpoint works with workload authentication',
-            fn: async () => {
-                const token = acquiredToken ?? config.validToken;
-                if (!token) {
-                    console.warn('Skipping: No valid token available');
-                    return;
-                }
-                const result = await testWhoamiWithWorkload(mergedConfig, token);
-                if (!result.passed && !result.details?.skipped)
-                    throw new Error(result.error);
-            },
-        },
-        {
-            name: 'refresh endpoint works',
-            fn: async () => {
-                const result = await testRefreshEndpoint(mergedConfig, fetch);
-                if (!result.passed && !result.details?.skipped)
-                    throw new Error(result.error);
-            },
-        },
-    ];
+async function validateWorkload(config) {
+  const startTime = performance.now();
+  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+  const fetch2 = createFetcher(mergedConfig);
+  const tests = [];
+  tests.push(await testJwksEndpoint(mergedConfig, fetch2));
+  const tokenResult = await testTokenEndpoint(mergedConfig, fetch2);
+  tests.push(tokenResult);
+  tests.push(await testValidateEndpointNoAuth(mergedConfig, fetch2));
+  tests.push(await testValidateEndpointInvalid(mergedConfig, fetch2));
+  const token = tokenResult.token ?? config.validToken;
+  if (token) {
+    tests.push(await testValidateEndpoint(mergedConfig, fetch2, token));
+    tests.push(await testWhoamiWithWorkload(mergedConfig, token));
+  } else {
+    tests.push(skipTest("Workload Validate Endpoint", "No valid token available"));
+    tests.push(skipTest("Workload Authentication (Whoami)", "No valid token available"));
+  }
+  tests.push(await testRefreshEndpoint(mergedConfig, fetch2));
+  const duration = performance.now() - startTime;
+  const passed = tests.filter((t) => t.passed).length;
+  const failed = tests.filter((t) => !t.passed).length;
+  const skipped = tests.filter((t) => t.details?.skipped).length;
+  return {
+    suite: "Workload",
+    passed: failed === 0,
+    tests,
+    duration,
+    summary: {
+      total: tests.length,
+      passed: passed - skipped,
+      failed,
+      skipped
+    }
+  };
+}
+function createWorkloadTests(config) {
+  const mergedConfig = { ...DEFAULT_CONFIG, ...config };
+  const fetch2 = createFetcher(mergedConfig);
+  let acquiredToken;
+  return [
+    {
+      name: "JWKS endpoint returns valid keys",
+      fn: async () => {
+        const result = await testJwksEndpoint(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "token endpoint returns access token",
+      fn: async () => {
+        const result = await testTokenEndpoint(mergedConfig, fetch2);
+        if (!result.passed && !result.details?.skipped) throw new Error(result.error);
+        acquiredToken = result.token;
+      }
+    },
+    {
+      name: "validate endpoint rejects missing auth",
+      fn: async () => {
+        const result = await testValidateEndpointNoAuth(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "validate endpoint rejects invalid tokens",
+      fn: async () => {
+        const result = await testValidateEndpointInvalid(mergedConfig, fetch2);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "validate endpoint accepts valid token",
+      fn: async () => {
+        const token = acquiredToken ?? config.validToken;
+        if (!token) {
+          console.warn("Skipping: No valid token available");
+          return;
+        }
+        const result = await testValidateEndpoint(mergedConfig, fetch2, token);
+        if (!result.passed) throw new Error(result.error);
+      }
+    },
+    {
+      name: "whoami endpoint works with workload authentication",
+      fn: async () => {
+        const token = acquiredToken ?? config.validToken;
+        if (!token) {
+          console.warn("Skipping: No valid token available");
+          return;
+        }
+        const result = await testWhoamiWithWorkload(mergedConfig, token);
+        if (!result.passed && !result.details?.skipped) throw new Error(result.error);
+      }
+    },
+    {
+      name: "refresh endpoint works",
+      fn: async () => {
+        const result = await testRefreshEndpoint(mergedConfig, fetch2);
+        if (!result.passed && !result.details?.skipped) throw new Error(result.error);
+      }
+    }
+  ];
 }
+export {
+  createWorkloadTests,
+  validateWorkload
+};
 //# sourceMappingURL=index.js.map