api-tests-coverage 1.0.17 → 1.0.19

package/dist/src/generation/template-renderer.js

@@ -0,0 +1,546 @@
+"use strict";
+/**
+ * Feature 28 — TemplateRenderer
+ * Renders test scaffolds from GenerationContext.
+ * Uses string-based templates (no external dependency required).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.renderTemplate = renderTemplate;
+// ─── Header comment (RULE-GEN01) ──────────────────────────────────────────────
+function autoGeneratedHeader(ctx) {
+    return [
+        `// AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
+        `// Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
+        `// TODO: Review generated assertions and replace placeholder values`,
+        ``,
+    ].join('\n');
+}
+// ─── TypeScript / Jest unit + integration ─────────────────────────────────────
+function renderTypescriptJestUnit(ctx) {
+    var _a, _b, _c, _d;
+    const { endpoint, fixtures, project } = ctx;
+    const method = endpoint.method.toLowerCase();
+    const descName = (_a = endpoint.operationId) !== null && _a !== void 0 ? _a : `${endpoint.method} ${endpoint.path}`;
+    const authRequired = endpoint.auth.required;
+    const scheme = (_b = endpoint.auth.scheme) !== null && _b !== void 0 ? _b : 'Bearer';
+    const lines = [
+        autoGeneratedHeader(ctx),
+        `import request from 'supertest';`,
+        `import { app } from '${project.importPrefix}/app';`,
+        ``,
+        `const BASE_URL = process.env.TEST_BASE_URL ?? '${project.baseUrl}';`,
+        ``,
+        `// TODO: Replace with a valid JWT token from your test auth setup`,
+        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
+        ``,
+        `describe('${descName}', () => {`,
+    ];
+    // Happy path
+    lines.push(`  describe('happy path', () => {`);
+    lines.push(`    it('should succeed and return the expected response', async () => {`);
+    if (Object.keys(fixtures.validPayload).length > 0) {
+        lines.push(`      const payload = ${JSON.stringify(fixtures.validPayload, null, 8).replace(/\n/g, '\n      ')};`);
+        lines.push(`      // TODO: Replace with realistic test data`);
+        lines.push(``);
+    }
+    lines.push(`      const response = await request(app)`);
+    lines.push(`        .${method}('${endpoint.pathNormalized}')`);
+    if (authRequired) {
+        lines.push(`        .set('Authorization', VALID_AUTH_TOKEN)`);
+    }
+    if (Object.keys(fixtures.validPayload).length > 0) {
+        lines.push(`        .send(payload);`);
+    }
+    else {
+        lines.push(`        ;`);
+    }
+    lines.push(``);
+    // Find success status code
+    const successStatus = (_d = (_c = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _c === void 0 ? void 0 : _c.statusCode) !== null && _d !== void 0 ? _d : 200;
+    lines.push(`      expect(response.status).toBe(${successStatus});`);
+    lines.push(`      expect(response.body).toBeDefined();`);
+    lines.push(`    });`);
+    lines.push(`  });`);
+    lines.push(``);
+    // Auth tests (RULE-GEN03)
+    if (authRequired) {
+        lines.push(`  describe('authentication', () => {`);
+        lines.push(`    it('should return 401 when no auth token is provided', async () => {`);
+        lines.push(`      const response = await request(app)`);
+        lines.push(`        .${method}('${endpoint.pathNormalized}');`);
+        lines.push(``);
+        lines.push(`      expect(response.status).toBe(401);`);
+        lines.push(`    });`);
+        lines.push(``);
+        lines.push(`    it('should return 401 when an invalid auth token is provided', async () => {`);
+        lines.push(`      const response = await request(app)`);
+        lines.push(`        .${method}('${endpoint.pathNormalized}')`);
+        lines.push(`        .set('Authorization', '${scheme} invalid-token-value');`);
+        lines.push(``);
+        lines.push(`      expect(response.status).toBe(401);`);
+        lines.push(`    });`);
+        lines.push(`  });`);
+        lines.push(``);
+    }
+    // Validation / error tests
+    const requiredParams = ctx.parameters.filter(p => p.required && p.in === 'body');
+    if (requiredParams.length > 0) {
+        lines.push(`  describe('validation', () => {`);
+        for (const param of requiredParams.slice(0, 3)) {
+            lines.push(`    it('should return 422 when ${param.name} is missing', async () => {`);
+            const partialPayload = {};
+            for (const other of requiredParams) {
+                if (other.name !== param.name) {
+                    partialPayload[other.name] = 'test-value';
+                }
+            }
+            lines.push(`      const response = await request(app)`);
+            lines.push(`        .${method}('${endpoint.pathNormalized}')`);
+            if (authRequired) {
+                lines.push(`        .set('Authorization', VALID_AUTH_TOKEN)`);
+            }
+            lines.push(`        .send(${JSON.stringify(partialPayload)});`);
+            lines.push(``);
+            lines.push(`      expect(response.status).toBe(422);`);
+            lines.push(`      expect(response.body).toHaveProperty('errors');`);
+            lines.push(`    });`);
+            lines.push(``);
+        }
+        lines.push(`  });`);
+    }
+    lines.push(`});`);
+    lines.push(``);
+    return lines.join('\n');
+}
+// ─── TypeScript / Jest security ───────────────────────────────────────────────
+function renderTypescriptJestSecurity(ctx) {
+    var _a;
+    const { endpoint, project } = ctx;
+    const method = endpoint.method.toLowerCase();
+    const scheme = (_a = endpoint.auth.scheme) !== null && _a !== void 0 ? _a : 'Bearer';
+    const lines = [
+        autoGeneratedHeader(ctx),
+        `import request from 'supertest';`,
+        `import { app } from '${project.importPrefix}/app';`,
+        ``,
+        `// TODO: Replace with a valid JWT token from your test auth setup`,
+        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
+        ``,
+        `describe('Security: ${endpoint.method} ${endpoint.path} — Auth Controls', () => {`,
+        `  it('[SEC-AUTH-01] should reject requests with no Authorization header', async () => {`,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}');`,
+        ``,
+        `    expect(response.status).toBe(401);`,
+        `  });`,
+        ``,
+        `  it('[SEC-AUTH-02] should reject requests with malformed token', async () => {`,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}')`,
+        `      .set('Authorization', 'malformed-token-without-scheme');`,
+        ``,
+        `    expect(response.status).toBe(401);`,
+        `  });`,
+        ``,
+        `  it('[SEC-AUTH-03] should reject requests with expired token', async () => {`,
+        `    // TODO: Generate or use a known-expired JWT for your test environment`,
+        `    const expiredToken = '${scheme} eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDAwMDAwMDAsImV4cCI6MTYwMDAwMDAwMX0.TODO';`,
+        ``,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}')`,
+        `      .set('Authorization', expiredToken);`,
+        ``,
+        `    expect(response.status).toBe(401);`,
+        `  });`,
+        ``,
+        `  it('[SEC-AUTH-04] should reject requests with a token for a different user role', async () => {`,
+        `    // TODO: Get a token for a user WITHOUT the required permissions`,
+        `    const lowPrivToken = '${scheme} <low-privilege-token>';`,
+        ``,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}')`,
+        `      .set('Authorization', lowPrivToken);`,
+        ``,
+        `    // Expect either 401 (unauthenticated) or 403 (unauthorized)`,
+        `    expect([401, 403]).toContain(response.status);`,
+        `  });`,
+        `});`,
+        ``,
+        `describe('Security: ${endpoint.method} ${endpoint.path} — Injection Prevention', () => {`,
+        `  it('[SEC-INJ-01] should not execute SQL injection in request body', async () => {`,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}')`,
+        `      .set('Authorization', VALID_AUTH_TOKEN)`,
+        `      .send({ title: "'; DROP TABLE articles; --", body: 'Body', description: 'Desc' });`,
+        ``,
+        `    // Should either succeed (sanitized) or return 422 (rejected) — never 500`,
+        `    expect(response.status).not.toBe(500);`,
+        `    expect(response.status).not.toBe(503);`,
+        `  });`,
+        ``,
+        `  it('[SEC-INJ-02] should not execute XSS in request fields', async () => {`,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}')`,
+        `      .set('Authorization', VALID_AUTH_TOKEN)`,
+        `      .send({ title: '<script>alert("xss")</script>', body: 'Body', description: 'Desc' });`,
+        ``,
+        `    expect(response.status).not.toBe(500);`,
+        ``,
+        `    if (response.status >= 200 && response.status < 300) {`,
+        `      // If the server accepted it, it must have been sanitized`,
+        `      const body = JSON.stringify(response.body);`,
+        `      expect(body).not.toContain('<script>');`,
+        `    }`,
+        `  });`,
+        ``,
+        `  it('[SEC-INJ-03] should handle oversized payload gracefully', async () => {`,
+        `    const oversizedBody = 'x'.repeat(10_000_000); // 10 MB`,
+        ``,
+        `    const response = await request(app)`,
+        `      .${method}('${endpoint.pathNormalized}')`,
+        `      .set('Authorization', VALID_AUTH_TOKEN)`,
+        `      .send({ title: 'Test', body: oversizedBody, description: 'Desc' });`,
+        ``,
+        `    // Must not crash — 413 or 422 are acceptable`,
+        `    expect([413, 422, 400]).toContain(response.status);`,
+        `  });`,
+        `});`,
+        ``,
+    ];
+    return lines.join('\n');
+}
+// ─── TypeScript / Jest integration flow ───────────────────────────────────────
+function renderTypescriptJestIntegration(ctx) {
+    const { endpoint, project, flow } = ctx;
+    if (!flow) {
+        return renderTypescriptJestUnit(ctx);
+    }
+    const lines = [
+        autoGeneratedHeader(ctx),
+        `import request from 'supertest';`,
+        `import { app } from '${project.importPrefix}/app';`,
+        ``,
+        `describe('Integration Flow: ${flow.name}', () => {`,
+        `  let authToken: string;`,
+        ``,
+        `  // RULE-INT04: beforeAll (not beforeEach) for auth setup`,
+        `  beforeAll(async () => {`,
+        `    // TODO: Replace with your test user credentials`,
+        `    const loginResponse = await request(app)`,
+        `      .post('/api/users/login')`,
+        `      .send({ user: { email: 'test@example.com', password: 'testpassword' } });`,
+        ``,
+        `    expect(loginResponse.status).toBe(200);`,
+        `    authToken = \`Token \${loginResponse.body.user.token}\`;`,
+        `  });`,
+        ``,
+    ];
+    for (let i = 0; i < flow.steps.length; i++) {
+        const step = flow.steps[i];
+        const isMissing = i === flow.missingStepIndex;
+        const stepMethod = step.method.toLowerCase();
+        const stepPath = step.path;
+        if (isMissing) {
+            lines.push(`  // ⚠️ MISSING STEP — This step was detected as uncovered by the analyzer`);
+        }
+        lines.push(`  it('Step ${i + 1}: ${step.description}${isMissing ? ' (MISSING COVERAGE)' : ''}', async () => {`);
+        if (isMissing) {
+            lines.push(`    // TODO: This step was identified as missing. Implement the test.`);
+        }
+        lines.push(`    const response = await request(app)`);
+        lines.push(`      .${stepMethod}('${stepPath}')`);
+        lines.push(`      .set('Authorization', authToken);`);
+        lines.push(``);
+        lines.push(`    expect(response.status).toBe(200);`);
+        lines.push(`  });`);
+        lines.push(``);
+    }
+    lines.push(`});`);
+    lines.push(``);
+    return lines.join('\n');
+}
+// ─── TypeScript / Jest error scenario ────────────────────────────────────────
+function renderTypescriptJestErrorScenario(ctx) {
+    var _a, _b;
+    const { endpoint, project } = ctx;
+    const method = endpoint.method.toLowerCase();
+    const scheme = (_a = endpoint.auth.scheme) !== null && _a !== void 0 ? _a : 'Bearer';
+    const lines = [
+        autoGeneratedHeader(ctx),
+        `import request from 'supertest';`,
+        `import { app } from '${project.importPrefix}/app';`,
+        ``,
+        `// TODO: Replace with a valid JWT token from your test auth setup`,
+        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
+        ``,
+        `describe('Error Scenarios: ${endpoint.method} ${endpoint.path}', () => {`,
+    ];
+    for (const resp of ctx.responses.filter(r => r.statusCode >= 400)) {
+        lines.push(`  it('should return ${resp.statusCode} when ${(_b = resp.description) !== null && _b !== void 0 ? _b : `error ${resp.statusCode}`}', async () => {`);
+        lines.push(`    const response = await request(app)`);
+        lines.push(`      .${method}('${endpoint.pathNormalized}')`);
+        if (endpoint.auth.required) {
+            lines.push(`      .set('Authorization', VALID_AUTH_TOKEN)`);
+        }
+        lines.push(`      .send({});`);
+        lines.push(``);
+        lines.push(`    expect(response.status).toBe(${resp.statusCode});`);
+        lines.push(`  });`);
+        lines.push(``);
+    }
+    lines.push(`});`);
+    lines.push(``);
+    return lines.join('\n');
+}
+// ─── TypeScript / Jest business rule ─────────────────────────────────────────
+function renderTypescriptJestBusinessRule(ctx) {
+    var _a;
+    const { endpoint, project, businessRule } = ctx;
+    const method = endpoint.method.toLowerCase();
+    const scheme = (_a = endpoint.auth.scheme) !== null && _a !== void 0 ? _a : 'Bearer';
+    const rule = businessRule !== null && businessRule !== void 0 ? businessRule : { id: 'rule-1', description: 'Business rule', condition: 'When condition is met', acceptanceCriteria: ['Expected behavior is verified'] };
+    const lines = [
+        autoGeneratedHeader(ctx),
+        `import request from 'supertest';`,
+        `import { app } from '${project.importPrefix}/app';`,
+        ``,
+        `// TODO: Replace with a valid JWT token from your test auth setup`,
+        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
+        ``,
+        `describe('Business Rule: ${rule.id} — ${rule.description}', () => {`,
+        `  // Rule condition: ${rule.condition}`,
+    ];
+    for (const criterion of rule.acceptanceCriteria) {
+        lines.push(`  it('${criterion}', async () => {`);
+        lines.push(`    // TODO: Implement test for acceptance criterion: ${criterion}`);
+        lines.push(`    const response = await request(app)`);
+        lines.push(`      .${method}('${endpoint.pathNormalized}')`);
+        if (endpoint.auth.required) {
+            lines.push(`      .set('Authorization', VALID_AUTH_TOKEN)`);
+        }
+        lines.push(`      .send({});`);
+        lines.push(``);
+        lines.push(`    expect(response.status).toBeDefined();`);
+        lines.push(`    // TODO: Add specific assertions for this acceptance criterion`);
+        lines.push(`  });`);
+        lines.push(``);
+    }
+    lines.push(`});`);
+    lines.push(``);
+    return lines.join('\n');
+}
+// ─── Python / pytest ──────────────────────────────────────────────────────────
+function renderPythonPytestUnit(ctx) {
+    var _a, _b;
+    const { endpoint } = ctx;
+    const method = endpoint.method.toLowerCase();
+    const authRequired = endpoint.auth.required;
+    const lines = [
+        `# AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
+        `# Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
+        `# TODO: Review generated assertions and replace placeholder values`,
+        ``,
+        `import pytest`,
+        ``,
+        `# TODO: Import your app factory and configure for testing`,
+        `# from app import create_app`,
+        ``,
+        `VALID_AUTH_TOKEN = 'Token <your-test-token>'  # TODO: Replace`,
+        ``,
+        ``,
+        `@pytest.fixture`,
+        `def client(app):`,
+        `    """TODO: Configure this fixture for your test setup."""`,
+        `    return app.test_client()`,
+        ``,
+        ``,
+        `class Test${toPascalCase(endpoint.method + '_' + endpoint.path.replace(/[^a-zA-Z0-9]/g, '_'))}:`,
+        `    """Tests for ${endpoint.method} ${endpoint.path}"""`,
+        ``,
+    ];
+    lines.push(`    def test_happy_path(self, client):`);
+    lines.push(`        """Should succeed with valid input."""`);
+    if (authRequired) {
+        lines.push(`        response = client.${method}(`);
+        lines.push(`            '${endpoint.path}',`);
+        lines.push(`            json={},`);
+        lines.push(`            headers={'Authorization': VALID_AUTH_TOKEN},`);
+        lines.push(`        )`);
+    }
+    else {
+        lines.push(`        response = client.${method}('${endpoint.path}')`);
+    }
+    lines.push(``);
+    const successStatus = (_b = (_a = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _a === void 0 ? void 0 : _a.statusCode) !== null && _b !== void 0 ? _b : 200;
+    lines.push(`        assert response.status_code == ${successStatus}`);
+    lines.push(``);
+    if (authRequired) {
+        lines.push(`    def test_requires_auth(self, client):`);
+        lines.push(`        """Should return 401 when no auth token is provided."""`);
+        lines.push(`        response = client.${method}('${endpoint.path}', json={})`);
+        lines.push(``);
+        lines.push(`        assert response.status_code == 401`);
+        lines.push(``);
+        lines.push(`    def test_invalid_token(self, client):`);
+        lines.push(`        """Should return 401 when an invalid token is provided."""`);
+        lines.push(`        response = client.${method}(`);
+        lines.push(`            '${endpoint.path}',`);
+        lines.push(`            json={},`);
+        lines.push(`            headers={'Authorization': 'Token invalid-token'},`);
+        lines.push(`        )`);
+        lines.push(``);
+        lines.push(`        assert response.status_code == 401`);
+        lines.push(``);
+    }
+    return lines.join('\n');
+}
+function toPascalCase(s) {
+    return s
+        .replace(/[^a-zA-Z0-9]+(.)/g, (_, c) => c.toUpperCase())
+        .replace(/^(.)/, (c) => c.toUpperCase());
+}
+// ─── Java / JUnit5 ────────────────────────────────────────────────────────────
+function renderJavaJunit5Unit(ctx) {
+    var _a, _b;
+    const { endpoint } = ctx;
+    const method = endpoint.method;
+    const authRequired = endpoint.auth.required;
+    const successStatus = (_b = (_a = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _a === void 0 ? void 0 : _a.statusCode) !== null && _b !== void 0 ? _b : 200;
+    const statusMatcher = successStatus === 201 ? 'isCreated()' : successStatus === 204 ? 'isNoContent()' : 'isOk()';
+    const lines = [
+        `// AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
+        `// Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
+        `// TODO: Review generated assertions and replace placeholder values`,
+        ``,
+        `package generated;`,
+        ``,
+        `import org.junit.jupiter.api.Test;`,
+        `import org.springframework.beans.factory.annotation.Autowired;`,
+        `import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;`,
+        `import org.springframework.boot.test.context.SpringBootTest;`,
+        `import org.springframework.http.MediaType;`,
+        `import org.springframework.test.web.servlet.MockMvc;`,
+        ``,
+        `import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.${method.toLowerCase()};`,
+        `import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;`,
+        ``,
+        `@SpringBootTest`,
+        `@AutoConfigureMockMvc`,
+        `public class ${toPascalCase(method + '_' + endpoint.path.replace(/[^a-zA-Z0-9]/g, '_') + '_Test')} {`,
+        ``,
+        `    @Autowired`,
+        `    private MockMvc mockMvc;`,
+        ``,
+        `    // TODO: Replace with a valid JWT from your test auth setup`,
+        `    private static final String VALID_TOKEN = "Token <your-test-token>";`,
+        ``,
+        `    @Test`,
+        `    void happyPath_returns${successStatus}() throws Exception {`,
+        `        mockMvc.perform(${method.toLowerCase()}("${endpoint.path}")`,
+        ...(authRequired ? [`                .header("Authorization", VALID_TOKEN)`] : []),
+        `                .contentType(MediaType.APPLICATION_JSON)`,
+        `                .content("{}"))  // TODO: Replace with valid payload`,
+        `            .andExpect(status().${statusMatcher});`,
+        `    }`,
+        ``,
+    ];
+    if (authRequired) {
+        lines.push(`    @Test`);
+        lines.push(`    void noAuth_returns401() throws Exception {`);
+        lines.push(`        mockMvc.perform(${method.toLowerCase()}("${endpoint.path}")`);
+        lines.push(`                .contentType(MediaType.APPLICATION_JSON)`);
+        lines.push(`                .content("{}"))`);
+        lines.push(`            .andExpect(status().isUnauthorized());`);
+        lines.push(`    }`);
+        lines.push(``);
+    }
+    lines.push(`}`);
+    lines.push(``);
+    return lines.join('\n');
+}
+// ─── Cypress E2E ──────────────────────────────────────────────────────────────
+function renderCypressEndpoint(ctx) {
+    var _a, _b;
+    const { endpoint } = ctx;
+    const method = endpoint.method;
+    const authRequired = endpoint.auth.required;
+    const successStatus = (_b = (_a = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _a === void 0 ? void 0 : _a.statusCode) !== null && _b !== void 0 ? _b : 200;
+    const lines = [
+        `// AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
+        `// Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
+        `// NOTE: add generated/ to your specPattern in cypress.config.js if not already included`,
+        ``,
+        `describe('${method} ${endpoint.path} — E2E', () => {`,
+    ];
+    if (authRequired) {
+        lines.push(`  let authToken;`);
+        lines.push(``);
+        lines.push(`  before(() => {`);
+        lines.push(`    // TODO: Replace with your Cypress login command or fixture`);
+        lines.push(`    cy.request('POST', '/api/users/login', {`);
+        lines.push(`      user: { email: Cypress.env('TEST_USER_EMAIL'), password: Cypress.env('TEST_USER_PASSWORD') },`);
+        lines.push(`    }).then((response) => {`);
+        lines.push(`      expect(response.status).to.eq(200);`);
+        lines.push(`      authToken = \`Token \${response.body.user.token}\`;`);
+        lines.push(`    });`);
+        lines.push(`  });`);
+        lines.push(``);
+    }
+    lines.push(`  it('should succeed with valid request', () => {`);
+    lines.push(`    cy.request({`);
+    lines.push(`      method: '${method}',`);
+    lines.push(`      url: '${endpoint.path}',`);
+    if (authRequired) {
+        lines.push(`      headers: { Authorization: authToken },`);
+    }
+    lines.push(`      body: {},  // TODO: Replace with valid payload`);
+    lines.push(`    }).then((response) => {`);
+    lines.push(`      expect(response.status).to.eq(${successStatus});`);
+    lines.push(`      expect(response.body).to.be.an('object');`);
+    lines.push(`    });`);
+    lines.push(`  });`);
+    lines.push(``);
+    if (authRequired) {
+        lines.push(`  it('should return 401 without auth token', () => {`);
+        lines.push(`    cy.request({`);
+        lines.push(`      method: '${method}',`);
+        lines.push(`      url: '${endpoint.path}',`);
+        lines.push(`      body: {},`);
+        lines.push(`      failOnStatusCode: false,  // RULE-CY03`);
+        lines.push(`    }).then((response) => {`);
+        lines.push(`      expect(response.status).to.eq(401);`);
+        lines.push(`    });`);
+        lines.push(`  });`);
+    }
+    lines.push(`});`);
+    lines.push(``);
+    return lines.join('\n');
+}
+function renderTemplate(ctx, opts) {
+    const { language, testType } = opts;
+    if (language === 'python') {
+        return renderPythonPytestUnit(ctx);
+    }
+    if (language === 'java' || language === 'kotlin') {
+        return renderJavaJunit5Unit(ctx);
+    }
+    // Default: TypeScript
+    switch (testType) {
+        case 'security':
+            return renderTypescriptJestSecurity(ctx);
+        case 'integration':
+            return renderTypescriptJestIntegration(ctx);
+        case 'cypress':
+            return renderCypressEndpoint(ctx);
+        default:
+            // Differentiate by gap type
+            switch (ctx.gap.type) {
+                case 'error':
+                    return renderTypescriptJestErrorScenario(ctx);
+                case 'business':
+                    return renderTypescriptJestBusinessRule(ctx);
+                default:
+                    return renderTypescriptJestUnit(ctx);
+            }
+    }
+}