@workos/oagen-emitters 0.16.1 → 0.18.0

package/test/node/discriminated-pure-oneof.test.ts

@@ -0,0 +1,108 @@
+import { describe, it, expect } from 'vitest';
+import type { EmitterContext, ApiSpec } from '@workos/oagen';
+import { defaultSdkBehavior } from '@workos/oagen';
+import {
+  detectDiscriminatedShape,
+  generateDiscriminatedFiles,
+  type DiscriminatedPlan,
+} from '../../src/node/discriminated-models.js';
+
+const emptySpec: ApiSpec = {
+  name: 'Test',
+  version: '1.0.0',
+  baseUrl: '',
+  services: [],
+  models: [],
+  enums: [],
+  sdk: defaultSdkBehavior(),
+};
+
+const ctx: EmitterContext = { namespace: 'workos', namespacePascal: 'WorkOS', spec: emptySpec };
+
+// A pure `oneOf` discriminated by a boolean `active` const — the Pipes token
+// response shape that previously collapsed into a flat all-optional interface.
+// `RawSchema` is internal to the emitter; the loose typing mirrors the raw
+// `components.schemas` shape `detectDiscriminatedShape` consumes at runtime.
+const rawSchemas: Record<string, any> = {
+  DataIntegrationAccessTokenResponse: {
+    oneOf: [
+      {
+        type: 'object',
+        properties: {
+          active: { type: 'boolean', const: true },
+          access_token: {
+            type: 'object',
+            properties: {
+              object: { type: 'string', const: 'access_token' },
+              access_token: { type: 'string' },
+              expires_at: { type: ['string', 'null'], format: 'date-time' },
+              scopes: { type: 'array', items: { type: 'string' } },
+              missing_scopes: { type: 'array', items: { type: 'string' } },
+            },
+            required: ['object', 'access_token', 'expires_at', 'scopes', 'missing_scopes'],
+          },
+        },
+        required: ['active', 'access_token'],
+      },
+      {
+        type: 'object',
+        properties: {
+          active: { type: 'boolean', const: false },
+          error: { type: 'string', enum: ['not_installed', 'needs_reauthorization'] },
+        },
+        required: ['active', 'error'],
+      },
+    ],
+  },
+};
+
+describe('detectDiscriminatedShape — pure oneOf with boolean discriminator', () => {
+  it('detects a two-variant inline union keyed on the boolean `active`', () => {
+    const shape = detectDiscriminatedShape('DataIntegrationAccessTokenResponse', rawSchemas);
+    expect(shape).not.toBeNull();
+    expect(shape!.inlineUnion).toBe(true);
+    expect(shape!.discriminatorProperty).toBe('active');
+    expect(shape!.variants).toHaveLength(2);
+    expect(shape!.variants.map((v) => v.discriminatorValue).sort()).toEqual(['false', 'true']);
+    expect(shape!.variants.every((v) => v.discriminatorIsBoolean)).toBe(true);
+  });
+
+  it('emits a discriminated union interface (not a flat optional bag)', () => {
+    const shape = detectDiscriminatedShape('DataIntegrationAccessTokenResponse', rawSchemas)!;
+    const plan: DiscriminatedPlan = { shape, modelDir: 'pipes', depDirMap: new Map() };
+    const files = generateDiscriminatedFiles(new Map([['DataIntegrationAccessTokenResponse', plan]]), ctx);
+
+    const iface = files.find((f) => f.path.endsWith('.interface.ts'))!;
+    expect(iface).toBeDefined();
+    // Union alias, two variants, boolean discriminator (unquoted), required fields.
+    expect(iface.content).toContain('export type DataIntegrationAccessTokenResponse =');
+    expect(iface.content).toContain('active: true');
+    expect(iface.content).toContain('active: false');
+    expect(iface.content).toContain('accessToken: DataIntegrationAccessTokenResponseAccessToken');
+    expect(iface.content).toContain("error: 'not_installed' | 'needs_reauthorization'");
+    // No optional discriminator — narrowing must work.
+    expect(iface.content).not.toContain('active?: true');
+
+    const ser = files.find((f) => f.path.endsWith('.serializer.ts'))!;
+    expect(ser.content).toContain('switch (response.active)');
+    expect(ser.content).toContain('case true:');
+    expect(ser.content).toContain('case false:');
+  });
+
+  it('resolves a cross-service inline-object dep to a relative import path', () => {
+    // The nested `access_token` object is a synthetic IR model. Its dep is
+    // carried in snake form (`Parent_field`) but keyed in depDirMap under the
+    // PascalCase IR name. When that model resolves to a different service dir,
+    // collectImports must emit a cross-service path rather than defaulting to
+    // a same-dir import.
+    const shape = detectDiscriminatedShape('DataIntegrationAccessTokenResponse', rawSchemas)!;
+    const depDirMap = new Map<string, string>([['DataIntegrationAccessTokenResponseAccessToken', 'connect']]);
+    const plan: DiscriminatedPlan = { shape, modelDir: 'pipes', depDirMap };
+    const files = generateDiscriminatedFiles(new Map([['DataIntegrationAccessTokenResponse', plan]]), ctx);
+
+    const iface = files.find((f) => f.path.endsWith('.interface.ts'))!;
+    expect(iface.content).toContain(
+      "from '../../connect/interfaces/data-integration-access-token-response-access-token.interface'",
+    );
+  });
+});

package/test/node/resources.test.ts

@@ -186,6 +186,153 @@ describe('generateResources', () => {
     expect(resourceFile!.content).toContain('async listGroupsForOrganizationMembership');
   });
 
+  it('urlBuilder: emits a synchronous string method that builds the URL via toQueryString', () => {
+    // Operations marked `urlBuilder` (e.g. GET /sso/authorize) are client-side
+    // URL constructors: the generated method must return a string synchronously,
+    // serialize visible query params + defaults + inferred client fields via
+    // toQueryString, and concatenate onto the client base URL — no HTTP call.
+    const operation = {
+      name: 'getAuthorizationUrl',
+      httpMethod: 'get' as const,
+      path: '/sso/authorize',
+      pathParams: [],
+      queryParams: [
+        { name: 'connection', type: { kind: 'primitive' as const, type: 'string' as const }, required: false },
+        { name: 'organization', type: { kind: 'primitive' as const, type: 'string' as const }, required: false },
+      ],
+      headerParams: [],
+      response: { kind: 'primitive' as const, type: 'unknown' as const },
+      errors: [],
+      injectIdempotencyKey: false,
+    };
+    const service: Service = { name: 'Sso', operations: [operation] };
+    const spec: ApiSpec = { ...emptySpec, services: [service] };
+    const ctxWithResolved: EmitterContext = {
+      ...ctx,
+      spec,
+      emitterOptions: { ownedServices: ['Sso'] },
+      resolvedOperations: [
+        {
+          operation,
+          service,
+          methodName: 'get_authorization_url',
+          mountOn: 'Sso',
+          defaults: { response_type: 'code' },
+          inferFromClient: ['client_id'],
+          urlBuilder: true,
+        },
+      ],
+    };
+
+    const result = nodeEmitter.generateResources(spec.services, ctxWithResolved);
+    const resourceFile = result.find((f) => f.path === 'src/sso/sso.ts');
+    expect(resourceFile).toBeDefined();
+    const content = resourceFile!.content;
+
+    // Synchronous, string-returning — not an async HTTP wrapper.
+    expect(content).toMatch(/getAuthorizationUrl\(options\??: [^)]*\): string \{/);
+    expect(content).not.toContain('async getAuthorizationUrl');
+    expect(content).not.toContain('this.workos.get(');
+    // Query assembled client-side: visible params + constant default + inferred field.
+    expect(content).toContain('const query = toQueryString(');
+    expect(content).toContain("response_type: 'code'");
+    expect(content).toContain('client_id: this.workos.options.clientId');
+    // URL is base URL + path + query.
+    expect(content).toContain('return `${this.workos.baseURL}/sso/authorize?${query}`;');
+    // The serializer helper is imported.
+    expect(content).toContain("import { toQueryString } from '../common/utils/query-string';");
+  });
+
+  it('urlBuilder: positional convention emits a no-arg method when only injected fields supply the query', () => {
+    // A url builder with no path params and no visible query params takes the
+    // positional branch (operationHasOptionsInput is false), so the signature
+    // is argument-less; the query is assembled purely from inferFromClient
+    // (and defaults) rather than a options object.
+    const operation = {
+      name: 'getLogoutUrl',
+      httpMethod: 'get' as const,
+      path: '/sso/logout',
+      pathParams: [],
+      queryParams: [],
+      headerParams: [],
+      response: { kind: 'primitive' as const, type: 'unknown' as const },
+      errors: [],
+      injectIdempotencyKey: false,
+    };
+    const service: Service = { name: 'Sso', operations: [operation] };
+    const spec: ApiSpec = { ...emptySpec, services: [service] };
+    const ctxWithResolved: EmitterContext = {
+      ...ctx,
+      spec,
+      emitterOptions: { ownedServices: ['Sso'] },
+      resolvedOperations: [
+        {
+          operation,
+          service,
+          methodName: 'get_logout_url',
+          mountOn: 'Sso',
+          defaults: {},
+          inferFromClient: ['client_id'],
+          urlBuilder: true,
+        },
+      ],
+    };
+
+    const result = nodeEmitter.generateResources(spec.services, ctxWithResolved);
+    const content = result.find((f) => f.path === 'src/sso/sso.ts')!.content;
+
+    // No options object and no path params: the signature takes no arguments.
+    expect(content).toMatch(/getLogoutUrl\(\): string \{/);
+    expect(content).not.toContain('async getLogoutUrl');
+    // Query built entirely from the injected client field.
+    expect(content).toContain('const query = toQueryString(');
+    expect(content).toContain('client_id: this.workos.options.clientId');
+    expect(content).toContain('return `${this.workos.baseURL}/sso/logout?${query}`;');
+  });
+
+  it('urlBuilder: with no query at all returns the bare base URL + path and skips the toQueryString import', () => {
+    // hasQuery is false (no visible params, defaults, or inferFromClient), so
+    // the method returns base URL + path with no `?${query}` segment, and the
+    // serializer import must not appear when nothing in the service uses it.
+    const operation = {
+      name: 'getJwksUrl',
+      httpMethod: 'get' as const,
+      path: '/sso/jwks',
+      pathParams: [],
+      queryParams: [],
+      headerParams: [],
+      response: { kind: 'primitive' as const, type: 'unknown' as const },
+      errors: [],
+      injectIdempotencyKey: false,
+    };
+    const service: Service = { name: 'Sso', operations: [operation] };
+    const spec: ApiSpec = { ...emptySpec, services: [service] };
+    const ctxWithResolved: EmitterContext = {
+      ...ctx,
+      spec,
+      emitterOptions: { ownedServices: ['Sso'] },
+      resolvedOperations: [
+        {
+          operation,
+          service,
+          methodName: 'get_jwks_url',
+          mountOn: 'Sso',
+          defaults: {},
+          inferFromClient: [],
+          urlBuilder: true,
+        },
+      ],
+    };
+
+    const result = nodeEmitter.generateResources(spec.services, ctxWithResolved);
+    const content = result.find((f) => f.path === 'src/sso/sso.ts')!.content;
+
+    expect(content).toMatch(/getJwksUrl\(\): string \{/);
+    expect(content).toContain('return `${this.workos.baseURL}/sso/jwks`;');
+    expect(content).not.toContain('toQueryString');
+    expect(content).not.toContain("import { toQueryString } from '../common/utils/query-string';");
+  });
+
   it('options-object: URL template binds to the SDK field name, not the spec path-param name', () => {
     // When the spec uses `omId` as a path-param name but the baseline options
     // interface exposes `organizationMembershipId`, both the destructure and

package/test/rust/resources.test.ts

@@ -214,15 +214,66 @@ describe('rust/resources', () => {
     const f = generateResources(services, ctxWithWrapper, new UnionRegistry()).find(
       (x) => x.path === 'src/resources/user_management.rs',
     )!;
-    // Inferred fields read from the runtime client, not empty literals.
-    expect(f.content).toContain('"client_id": self.client.client_id()');
-    expect(f.content).toContain('"client_secret": self.client.api_key()');
+    // Inferred fields read from the runtime client and inserted only when
+    // non-empty, so secretless clients (PKCE flows) omit them entirely.
+    expect(f.content).toContain('let mut body = serde_json::json!({');
+    expect(f.content).toContain('if !self.client.client_id().is_empty() {');
+    expect(f.content).toContain('body["client_id"] = serde_json::Value::String(self.client.client_id().to_string());');
+    expect(f.content).toContain('if !self.client.api_key().is_empty() {');
+    expect(f.content).toContain(
+      'body["client_secret"] = serde_json::Value::String(self.client.api_key().to_string());',
+    );
     expect(f.content).not.toContain('"client_id": "",');
     expect(f.content).not.toContain('"client_secret": "",');
+    expect(f.content).not.toContain('"client_secret": self.client.api_key()');
     // Defaults are still emitted as literal JSON values.
     expect(f.content).toContain('"grant_type": "authorization_code"');
   });
 
+  it('throws on an unrecognized inferFromClient field instead of dropping it', () => {
+    // With the `if !expr.is_empty()` guard, an unknown field falling back to an
+    // empty literal would silently vanish from every request body (and emit
+    // dead `if !"".is_empty()` Rust). Generation must fail loud instead so a
+    // missing accessor is caught at build time, not shipped in a broken SDK.
+    const services: Service[] = [
+      {
+        name: 'UserManagement',
+        operations: [
+          {
+            name: 'authenticate',
+            httpMethod: 'post',
+            path: '/user_management/authenticate',
+            pathParams: [],
+            queryParams: [],
+            headerParams: [],
+            response: { kind: 'model', name: 'AuthenticateResponse' },
+            errors: [],
+            injectIdempotencyKey: false,
+          },
+        ],
+      },
+    ];
+    const baseCtx = ctxWithResolved(services);
+    const ctxWithWrapper: EmitterContext = {
+      ...baseCtx,
+      resolvedOperations: baseCtx.resolvedOperations!.map((r) => ({
+        ...r,
+        wrappers: [
+          {
+            name: 'authenticate_with_code',
+            targetVariant: 'AuthorizationCodeSessionAuthenticateRequest',
+            defaults: { grant_type: 'authorization_code' },
+            inferFromClient: ['client_id', 'tenant_id'],
+            exposedParams: ['code'],
+            optionalParams: [],
+            responseModelName: null,
+          },
+        ],
+      })),
+    };
+    expect(() => generateResources(services, ctxWithWrapper, new UnionRegistry())).toThrow(/tenant_id/);
+  });
+
   it('renders spec-level parameter defaults as doc comments', () => {
     const services: Service[] = [
       {
@@ -663,6 +714,95 @@ describe('rust/resources', () => {
     expect(f.content).not.toContain('list_events_auto_paging');
   });
 
+  it('decodes inline-envelope list responses into Page<T> instead of Vec<T>', () => {
+    // Spec responses shaped `{ object, data: [...], list_metadata }` without a
+    // named component reach the IR as a bare array plus `pagination.dataPath`.
+    // The wire format is still the envelope, so the method must decode
+    // `crate::pagination::Page<T>` — `Vec<T>` fails with a serde type error.
+    const services: Service[] = [
+      {
+        name: 'Memberships',
+        operations: [
+          {
+            name: 'listMemberships',
+            httpMethod: 'get',
+            path: '/memberships',
+            pathParams: [],
+            queryParams: [
+              {
+                name: 'after',
+                type: { kind: 'primitive', type: 'string' },
+                required: false,
+              },
+            ],
+            headerParams: [],
+            response: { kind: 'array', items: { kind: 'model', name: 'Membership' } },
+            errors: [],
+            injectIdempotencyKey: false,
+            pagination: {
+              strategy: 'cursor',
+              param: 'after',
+              dataPath: 'data',
+              itemType: { kind: 'model', name: 'Membership' },
+            },
+          },
+        ],
+      },
+    ];
+    const baseCtx = ctxWithResolved(services);
+    const ctx: EmitterContext = {
+      ...baseCtx,
+      spec: { ...baseCtx.spec, models: [{ name: 'Membership', fields: [] }] },
+    };
+    const f = generateResources(services, ctx, new UnionRegistry()).find(
+      (x) => x.path === 'src/resources/memberships.rs',
+    )!;
+    expect(f.content).toContain('Result<crate::pagination::Page<Membership>, Error>');
+    expect(f.content).not.toContain('Result<Vec<Membership>, Error>');
+    // Page<T> carries `data` + `list_metadata.after`, so auto-paging works too.
+    expect(f.content).toContain('list_memberships_auto_paging');
+    expect(f.content).toContain('Ok((page.data, page.list_metadata.after))');
+  });
+
+  it('keeps Vec<T> for true bare-array responses without an envelope', () => {
+    // A response that really is a JSON array (e.g. /users/{id}/identities)
+    // has no pagination dataPath — it must keep decoding into Vec<T>.
+    const services: Service[] = [
+      {
+        name: 'Identities',
+        operations: [
+          {
+            name: 'getUserIdentities',
+            httpMethod: 'get',
+            path: '/users/{id}/identities',
+            pathParams: [
+              {
+                name: 'id',
+                type: { kind: 'primitive', type: 'string' },
+                required: true,
+              },
+            ],
+            queryParams: [],
+            headerParams: [],
+            response: { kind: 'array', items: { kind: 'model', name: 'Identity' } },
+            errors: [],
+            injectIdempotencyKey: false,
+          },
+        ],
+      },
+    ];
+    const baseCtx = ctxWithResolved(services);
+    const ctx: EmitterContext = {
+      ...baseCtx,
+      spec: { ...baseCtx.spec, models: [{ name: 'Identity', fields: [] }] },
+    };
+    const f = generateResources(services, ctx, new UnionRegistry()).find(
+      (x) => x.path === 'src/resources/identities.rs',
+    )!;
+    expect(f.content).toContain('Result<Vec<Identity>, Error>');
+    expect(f.content).not.toContain('crate::pagination::Page');
+  });
+
   it('adds serialize_with attribute on Vec query params with explode=false', () => {
     const services: Service[] = [
       {

package/test/shared/union-flatten.test.ts

@@ -0,0 +1,174 @@
+import { describe, expect, it } from 'vitest';
+import type { Model, TypeRef, UnionType } from '@workos/oagen';
+import { flattenDiscriminatedUnionFields } from '../../src/shared/union-flatten.js';
+
+/** The `ApiKey.owner` discriminated-union shape from the WorkOS spec. */
+function ownerUnion(): UnionType {
+  return {
+    kind: 'union',
+    compositionKind: 'oneOf',
+    discriminator: { property: 'type', mapping: { organization: 'ApiKeyOwner', user: 'UserApiKeyOwner' } },
+    variants: [
+      { kind: 'model', name: 'ApiKeyOwner' },
+      { kind: 'model', name: 'UserApiKeyOwner' },
+    ],
+  };
+}
+
+function baseModels(ownerType: TypeRef): Model[] {
+  return [
+    {
+      name: 'ApiKey',
+      fields: [{ name: 'owner', type: ownerType, required: true }],
+    },
+    {
+      name: 'ApiKeyOwner',
+      fields: [
+        { name: 'type', type: { kind: 'literal', value: 'organization' }, required: true },
+        { name: 'id', type: { kind: 'primitive', type: 'string' }, required: true },
+      ],
+    },
+    {
+      name: 'UserApiKeyOwner',
+      fields: [
+        { name: 'type', type: { kind: 'literal', value: 'user' }, required: true },
+        { name: 'id', type: { kind: 'primitive', type: 'string' }, required: true },
+        { name: 'organization_id', type: { kind: 'primitive', type: 'string' }, required: true },
+      ],
+    },
+  ];
+}
+
+describe('flattenDiscriminatedUnionFields', () => {
+  it('rewrites a discriminated-union field to a ref to the first variant', () => {
+    const out = flattenDiscriminatedUnionFields(baseModels(ownerUnion()));
+    const apiKey = out.find((m) => m.name === 'ApiKey')!;
+    expect(apiKey.fields[0].type).toEqual({ kind: 'model', name: 'ApiKeyOwner' });
+  });
+
+  it('merges later-variant fields into the canonical model as optional', () => {
+    const out = flattenDiscriminatedUnionFields(baseModels(ownerUnion()));
+    const canonical = out.find((m) => m.name === 'ApiKeyOwner')!;
+    const orgId = canonical.fields.find((f) => f.name === 'organization_id');
+    expect(orgId).toBeDefined();
+    expect(orgId!.required).toBe(false);
+    // Fields shared (and required) by every variant stay required.
+    expect(canonical.fields.find((f) => f.name === 'id')!.required).toBe(true);
+  });
+
+  it('widens the discriminator property to a union of its literal values', () => {
+    const out = flattenDiscriminatedUnionFields(baseModels(ownerUnion()));
+    const canonical = out.find((m) => m.name === 'ApiKeyOwner')!;
+    const typeField = canonical.fields.find((f) => f.name === 'type')!;
+    expect(typeField.type).toEqual({
+      kind: 'union',
+      variants: [
+        { kind: 'literal', value: 'organization' },
+        { kind: 'literal', value: 'user' },
+      ],
+    });
+  });
+
+  it('flattens the union when wrapped in nullable', () => {
+    const out = flattenDiscriminatedUnionFields(baseModels({ kind: 'nullable', inner: ownerUnion() }));
+    const apiKey = out.find((m) => m.name === 'ApiKey')!;
+    expect(apiKey.fields[0].type).toEqual({ kind: 'nullable', inner: { kind: 'model', name: 'ApiKeyOwner' } });
+  });
+
+  it('leaves a non-discriminated (untagged) primitive union untouched', () => {
+    // AuditLogEvent actor metadata: string | number | boolean — no discriminator.
+    const union: TypeRef = {
+      kind: 'union',
+      compositionKind: 'anyOf',
+      variants: [
+        { kind: 'primitive', type: 'string' },
+        { kind: 'primitive', type: 'number' },
+        { kind: 'primitive', type: 'boolean' },
+      ],
+    };
+    const models: Model[] = [{ name: 'Meta', fields: [{ name: 'value', type: union, required: false }] }];
+    expect(flattenDiscriminatedUnionFields(models)).toBe(models);
+  });
+
+  it('skips a union whose variants are dispatcher (discriminated) models', () => {
+    // Event-style union: each variant is itself a discriminated base. Must not flatten.
+    const union: UnionType = {
+      kind: 'union',
+      discriminator: { property: 'event', mapping: { a: 'EventA', b: 'EventB' } },
+      variants: [
+        { kind: 'model', name: 'EventA' },
+        { kind: 'model', name: 'EventB' },
+      ],
+    };
+    const models: Model[] = [
+      { name: 'Envelope', fields: [{ name: 'data', type: union, required: true }] },
+      { name: 'EventA', fields: [], discriminator: { property: 'x', mapping: {} } },
+      { name: 'EventB', fields: [], discriminator: { property: 'x', mapping: {} } },
+    ];
+    const out = flattenDiscriminatedUnionFields(models);
+    expect(out.find((m) => m.name === 'Envelope')!.fields[0].type).toBe(union);
+  });
+
+  it('does not throw when the same union is referenced by multiple container fields', () => {
+    // Re-planning the same union (canonical re-seen with an identical merge) is
+    // harmless and must not trip the collision guard.
+    const models = baseModels(ownerUnion());
+    models.push({ name: 'ApiKeyList', fields: [{ name: 'owner', type: ownerUnion(), required: false }] });
+    const out = flattenDiscriminatedUnionFields(models);
+    expect(out.find((m) => m.name === 'ApiKey')!.fields[0].type).toEqual({ kind: 'model', name: 'ApiKeyOwner' });
+    expect(out.find((m) => m.name === 'ApiKeyList')!.fields[0].type).toEqual({ kind: 'model', name: 'ApiKeyOwner' });
+  });
+
+  it('throws when two distinct unions share a first variant with differing merges', () => {
+    const unionA: UnionType = {
+      kind: 'union',
+      discriminator: { property: 'type', mapping: { shared: 'Shared', a: 'VariantA' } },
+      variants: [
+        { kind: 'model', name: 'Shared' },
+        { kind: 'model', name: 'VariantA' },
+      ],
+    };
+    const unionB: UnionType = {
+      kind: 'union',
+      discriminator: { property: 'type', mapping: { shared: 'Shared', b: 'VariantB' } },
+      variants: [
+        { kind: 'model', name: 'Shared' },
+        { kind: 'model', name: 'VariantB' },
+      ],
+    };
+    const models: Model[] = [
+      { name: 'C1', fields: [{ name: 'value', type: unionA, required: true }] },
+      { name: 'C2', fields: [{ name: 'value', type: unionB, required: true }] },
+      {
+        name: 'Shared',
+        fields: [{ name: 'type', type: { kind: 'literal', value: 'shared' }, required: true }],
+      },
+      {
+        name: 'VariantA',
+        fields: [{ name: 'foo', type: { kind: 'primitive', type: 'string' }, required: true }],
+      },
+      {
+        name: 'VariantB',
+        fields: [{ name: 'bar', type: { kind: 'primitive', type: 'string' }, required: true }],
+      },
+    ];
+    expect(() => flattenDiscriminatedUnionFields(models)).toThrow(/first variant of two distinct/);
+  });
+
+  it('throws when a field shared across variants has conflicting types', () => {
+    const models = baseModels(ownerUnion());
+    // Make `id` diverge: string on the org variant, number on the user variant.
+    const user = models.find((m) => m.name === 'UserApiKeyOwner')!;
+    user.fields = user.fields.map((f) => (f.name === 'id' ? { ...f, type: { kind: 'primitive', type: 'number' } } : f));
+    expect(() => flattenDiscriminatedUnionFields(models)).toThrow(/conflicting types/);
+  });
+
+  it('does not mutate the input models', () => {
+    const models = baseModels(ownerUnion());
+    const canonicalBefore = models.find((m) => m.name === 'ApiKeyOwner')!;
+    const fieldCountBefore = canonicalBefore.fields.length;
+    flattenDiscriminatedUnionFields(models);
+    expect(canonicalBefore.fields.length).toBe(fieldCountBefore);
+    expect(models.find((m) => m.name === 'ApiKey')!.fields[0].type).toEqual(ownerUnion());
+  });
+});