api-tests-coverage 1.0.20 → 1.0.22

package/dist/src/generation/template-renderer.js

@@ -1,546 +1,526 @@
 "use strict";
-/**
- * Feature 28 — TemplateRenderer
- * Renders test scaffolds from GenerationContext.
- * Uses string-based templates (no external dependency required).
- */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.OWASP_INJECTION_STRINGS = void 0;
+exports.renderFileHeader = renderFileHeader;
 exports.renderTemplate = renderTemplate;
-// ─── Header comment (RULE-GEN01) ──────────────────────────────────────────────
-function autoGeneratedHeader(ctx) {
+exports.getTemplateName = getTemplateName;
+/** Common OWASP injection strings for security tests */
+exports.OWASP_INJECTION_STRINGS = [
+    "' OR '1'='1",
+    "'; DROP TABLE users; --",
+    '<script>alert("xss")</script>',
+    '../../../etc/passwd',
+    '${7*7}',
+    '{{7*7}}',
+    '; ls -la',
+    '\\x00',
+    '%00',
+    '<img src=x onerror=alert(1)>',
+];
+/** Standard file header injected into every generated test file */
+function renderFileHeader(gapId, gapType) {
     return [
-        `// AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
-        `// Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
-        `// TODO: Review generated assertions and replace placeholder values`,
-        ``,
+        '// AUTO-GENERATED by api-test-coverage-analyzer',
+        `// Gap ID: ${gapId} | Type: ${gapType}`,
+        '// DO NOT EDIT — regenerate with: node dist/src/index.js generate-tests',
+        '// TODO: Review and adjust before committing',
+        '',
     ].join('\n');
 }
-// ─── TypeScript / Jest unit + integration ─────────────────────────────────────
-function renderTypescriptJestUnit(ctx) {
+/** Simple string interpolation — replaces {{key}} tokens with values */
+function interpolate(template, vars) {
+    return template.replace(/\{\{(\w+)\}\}/g, (_, key) => { var _a; return (_a = vars[key]) !== null && _a !== void 0 ? _a : `{{${key}}}`; });
+}
+// ─── TypeScript / Jest templates ─────────────────────────────────────────────
+function renderEndpointMissing(gap, ctx) {
     var _a, _b, _c, _d;
-    const { endpoint, fixtures, project } = ctx;
-    const method = endpoint.method.toLowerCase();
-    const descName = (_a = endpoint.operationId) !== null && _a !== void 0 ? _a : `${endpoint.method} ${endpoint.path}`;
-    const authRequired = endpoint.auth.required;
-    const scheme = (_b = endpoint.auth.scheme) !== null && _b !== void 0 ? _b : 'Bearer';
-    const lines = [
-        autoGeneratedHeader(ctx),
-        `import request from 'supertest';`,
-        `import { app } from '${project.importPrefix}/app';`,
-        ``,
-        `const BASE_URL = process.env.TEST_BASE_URL ?? '${project.baseUrl}';`,
-        ``,
-        `// TODO: Replace with a valid JWT token from your test auth setup`,
-        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
-        ``,
-        `describe('${descName}', () => {`,
-    ];
-    // Happy path
-    lines.push(`  describe('happy path', () => {`);
-    lines.push(`    it('should succeed and return the expected response', async () => {`);
-    if (Object.keys(fixtures.validPayload).length > 0) {
-        lines.push(`      const payload = ${JSON.stringify(fixtures.validPayload, null, 8).replace(/\n/g, '\n      ')};`);
-        lines.push(`      // TODO: Replace with realistic test data`);
-        lines.push(``);
-    }
-    lines.push(`      const response = await request(app)`);
-    lines.push(`        .${method}('${endpoint.pathNormalized}')`);
-    if (authRequired) {
-        lines.push(`        .set('Authorization', VALID_AUTH_TOKEN)`);
-    }
-    if (Object.keys(fixtures.validPayload).length > 0) {
-        lines.push(`        .send(payload);`);
-    }
-    else {
-        lines.push(`        ;`);
-    }
-    lines.push(``);
-    // Find success status code
-    const successStatus = (_d = (_c = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _c === void 0 ? void 0 : _c.statusCode) !== null && _d !== void 0 ? _d : 200;
-    lines.push(`      expect(response.status).toBe(${successStatus});`);
-    lines.push(`      expect(response.body).toBeDefined();`);
-    lines.push(`    });`);
-    lines.push(`  });`);
-    lines.push(``);
-    // Auth tests (RULE-GEN03)
-    if (authRequired) {
-        lines.push(`  describe('authentication', () => {`);
-        lines.push(`    it('should return 401 when no auth token is provided', async () => {`);
-        lines.push(`      const response = await request(app)`);
-        lines.push(`        .${method}('${endpoint.pathNormalized}');`);
-        lines.push(``);
-        lines.push(`      expect(response.status).toBe(401);`);
-        lines.push(`    });`);
-        lines.push(``);
-        lines.push(`    it('should return 401 when an invalid auth token is provided', async () => {`);
-        lines.push(`      const response = await request(app)`);
-        lines.push(`        .${method}('${endpoint.pathNormalized}')`);
-        lines.push(`        .set('Authorization', '${scheme} invalid-token-value');`);
-        lines.push(``);
-        lines.push(`      expect(response.status).toBe(401);`);
-        lines.push(`    });`);
-        lines.push(`  });`);
-        lines.push(``);
-    }
-    // Validation / error tests
-    const requiredParams = ctx.parameters.filter(p => p.required && p.in === 'body');
-    if (requiredParams.length > 0) {
-        lines.push(`  describe('validation', () => {`);
-        for (const param of requiredParams.slice(0, 3)) {
-            lines.push(`    it('should return 422 when ${param.name} is missing', async () => {`);
-            const partialPayload = {};
-            for (const other of requiredParams) {
-                if (other.name !== param.name) {
-                    partialPayload[other.name] = 'test-value';
-                }
-            }
-            lines.push(`      const response = await request(app)`);
-            lines.push(`        .${method}('${endpoint.pathNormalized}')`);
-            if (authRequired) {
-                lines.push(`        .set('Authorization', VALID_AUTH_TOKEN)`);
-            }
-            lines.push(`        .send(${JSON.stringify(partialPayload)});`);
-            lines.push(``);
-            lines.push(`      expect(response.status).toBe(422);`);
-            lines.push(`      expect(response.body).toHaveProperty('errors');`);
-            lines.push(`    });`);
-            lines.push(``);
-        }
-        lines.push(`  });`);
-    }
-    lines.push(`});`);
-    lines.push(``);
-    return lines.join('\n');
+    const method = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.method) !== null && _b !== void 0 ? _b : 'GET';
+    const endpointPath = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.path) !== null && _d !== void 0 ? _d : '/unknown';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath}', () => {
+  it('should return 200 with valid response', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN'); // TODO: add valid token
+
+    expect(response.status).toBe(200);
+    expect(response.body).toMatchObject({}); // TODO: add expected shape
+  });
+
+  it('should return 401 when not authenticated', async () => {
+    const response = await request(app).${methodLower}('${endpointPath}');
+    expect(response.status).toBe(401);
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── TypeScript / Jest security ───────────────────────────────────────────────
-function renderTypescriptJestSecurity(ctx) {
-    var _a;
-    const { endpoint, project } = ctx;
-    const method = endpoint.method.toLowerCase();
-    const scheme = (_a = endpoint.auth.scheme) !== null && _a !== void 0 ? _a : 'Bearer';
-    const lines = [
-        autoGeneratedHeader(ctx),
-        `import request from 'supertest';`,
-        `import { app } from '${project.importPrefix}/app';`,
-        ``,
-        `// TODO: Replace with a valid JWT token from your test auth setup`,
-        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
-        ``,
-        `describe('Security: ${endpoint.method} ${endpoint.path} — Auth Controls', () => {`,
-        `  it('[SEC-AUTH-01] should reject requests with no Authorization header', async () => {`,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}');`,
-        ``,
-        `    expect(response.status).toBe(401);`,
-        `  });`,
-        ``,
-        `  it('[SEC-AUTH-02] should reject requests with malformed token', async () => {`,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}')`,
-        `      .set('Authorization', 'malformed-token-without-scheme');`,
-        ``,
-        `    expect(response.status).toBe(401);`,
-        `  });`,
-        ``,
-        `  it('[SEC-AUTH-03] should reject requests with expired token', async () => {`,
-        `    // TODO: Generate or use a known-expired JWT for your test environment`,
-        `    const expiredToken = '${scheme} eyJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE2MDAwMDAwMDAsImV4cCI6MTYwMDAwMDAwMX0.TODO';`,
-        ``,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}')`,
-        `      .set('Authorization', expiredToken);`,
-        ``,
-        `    expect(response.status).toBe(401);`,
-        `  });`,
-        ``,
-        `  it('[SEC-AUTH-04] should reject requests with a token for a different user role', async () => {`,
-        `    // TODO: Get a token for a user WITHOUT the required permissions`,
-        `    const lowPrivToken = '${scheme} <low-privilege-token>';`,
-        ``,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}')`,
-        `      .set('Authorization', lowPrivToken);`,
-        ``,
-        `    // Expect either 401 (unauthenticated) or 403 (unauthorized)`,
-        `    expect([401, 403]).toContain(response.status);`,
-        `  });`,
-        `});`,
-        ``,
-        `describe('Security: ${endpoint.method} ${endpoint.path} — Injection Prevention', () => {`,
-        `  it('[SEC-INJ-01] should not execute SQL injection in request body', async () => {`,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}')`,
-        `      .set('Authorization', VALID_AUTH_TOKEN)`,
-        `      .send({ title: "'; DROP TABLE articles; --", body: 'Body', description: 'Desc' });`,
-        ``,
-        `    // Should either succeed (sanitized) or return 422 (rejected) — never 500`,
-        `    expect(response.status).not.toBe(500);`,
-        `    expect(response.status).not.toBe(503);`,
-        `  });`,
-        ``,
-        `  it('[SEC-INJ-02] should not execute XSS in request fields', async () => {`,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}')`,
-        `      .set('Authorization', VALID_AUTH_TOKEN)`,
-        `      .send({ title: '<script>alert("xss")</script>', body: 'Body', description: 'Desc' });`,
-        ``,
-        `    expect(response.status).not.toBe(500);`,
-        ``,
-        `    if (response.status >= 200 && response.status < 300) {`,
-        `      // If the server accepted it, it must have been sanitized`,
-        `      const body = JSON.stringify(response.body);`,
-        `      expect(body).not.toContain('<script>');`,
-        `    }`,
-        `  });`,
-        ``,
-        `  it('[SEC-INJ-03] should handle oversized payload gracefully', async () => {`,
-        `    const oversizedBody = 'x'.repeat(10_000_000); // 10 MB`,
-        ``,
-        `    const response = await request(app)`,
-        `      .${method}('${endpoint.pathNormalized}')`,
-        `      .set('Authorization', VALID_AUTH_TOKEN)`,
-        `      .send({ title: 'Test', body: oversizedBody, description: 'Desc' });`,
-        ``,
-        `    // Must not crash — 413 or 422 are acceptable`,
-        `    expect([413, 422, 400]).toContain(response.status);`,
-        `  });`,
-        `});`,
-        ``,
-    ];
-    return lines.join('\n');
+function renderParameterMissing(gap, ctx) {
+    var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k;
+    const paramName = (_b = (_a = gap.parameter) === null || _a === void 0 ? void 0 : _a.name) !== null && _b !== void 0 ? _b : 'param';
+    const paramIn = (_d = (_c = gap.parameter) === null || _c === void 0 ? void 0 : _c.in) !== null && _d !== void 0 ? _d : 'query';
+    const required = (_f = (_e = gap.parameter) === null || _e === void 0 ? void 0 : _e.required) !== null && _f !== void 0 ? _f : false;
+    const endpointPath = (_h = (_g = gap.endpoint) === null || _g === void 0 ? void 0 : _g.path) !== null && _h !== void 0 ? _h : '/api/endpoint';
+    const method = (_k = (_j = gap.endpoint) === null || _j === void 0 ? void 0 : _j.method) !== null && _k !== void 0 ? _k : 'GET';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath} — parameter: ${paramName}', () => {
+  it('should accept a valid ${paramName} ${paramIn} parameter', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      ${paramIn === 'query' ? `.query({ ${paramName}: 'valid-value' }) // TODO: provide valid value` : `.send({ ${paramName}: 'valid-value' }) // TODO: provide valid value`}
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN'); // TODO: add valid token
+
+    expect(response.status).toBe(200);
+    expect(response.body).toMatchObject({}); // TODO: add expected shape
+  });
+${required
+        ? `
+  it('should return 400 when ${paramName} is missing', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN'); // TODO: add valid token
+
+    expect(response.status).toBe(400);
+  });
+`
+        : ''}
+  it('should return 400 when ${paramName} is invalid', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      ${paramIn === 'query' ? `.query({ ${paramName}: 'INVALID_VALUE' }) // TODO: provide invalid value` : `.send({ ${paramName}: 'INVALID_VALUE' }) // TODO: provide invalid value`}
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN'); // TODO: add valid token
+
+    expect(response.status).toBe(400);
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── TypeScript / Jest integration flow ───────────────────────────────────────
-function renderTypescriptJestIntegration(ctx) {
-    const { endpoint, project, flow } = ctx;
-    if (!flow) {
-        return renderTypescriptJestUnit(ctx);
-    }
-    const lines = [
-        autoGeneratedHeader(ctx),
-        `import request from 'supertest';`,
-        `import { app } from '${project.importPrefix}/app';`,
-        ``,
-        `describe('Integration Flow: ${flow.name}', () => {`,
-        `  let authToken: string;`,
-        ``,
-        `  // RULE-INT04: beforeAll (not beforeEach) for auth setup`,
-        `  beforeAll(async () => {`,
-        `    // TODO: Replace with your test user credentials`,
-        `    const loginResponse = await request(app)`,
-        `      .post('/api/users/login')`,
-        `      .send({ user: { email: 'test@example.com', password: 'testpassword' } });`,
-        ``,
-        `    expect(loginResponse.status).toBe(200);`,
-        `    authToken = \`Token \${loginResponse.body.user.token}\`;`,
-        `  });`,
-        ``,
-    ];
-    for (let i = 0; i < flow.steps.length; i++) {
-        const step = flow.steps[i];
-        const isMissing = i === flow.missingStepIndex;
-        const stepMethod = step.method.toLowerCase();
-        const stepPath = step.path;
-        if (isMissing) {
-            lines.push(`  // ⚠️ MISSING STEP — This step was detected as uncovered by the analyzer`);
-        }
-        lines.push(`  it('Step ${i + 1}: ${step.description}${isMissing ? ' (MISSING COVERAGE)' : ''}', async () => {`);
-        if (isMissing) {
-            lines.push(`    // TODO: This step was identified as missing. Implement the test.`);
-        }
-        lines.push(`    const response = await request(app)`);
-        lines.push(`      .${stepMethod}('${stepPath}')`);
-        lines.push(`      .set('Authorization', authToken);`);
-        lines.push(``);
-        lines.push(`    expect(response.status).toBe(200);`);
-        lines.push(`  });`);
-        lines.push(``);
-    }
-    lines.push(`});`);
-    lines.push(``);
-    return lines.join('\n');
+function renderParameterNotValidated(gap, ctx) {
+    var _a, _b, _c, _d, _e, _f;
+    const paramName = (_b = (_a = gap.parameter) === null || _a === void 0 ? void 0 : _a.name) !== null && _b !== void 0 ? _b : 'param';
+    const endpointPath = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.path) !== null && _d !== void 0 ? _d : '/api/endpoint';
+    const method = (_f = (_e = gap.endpoint) === null || _e === void 0 ? void 0 : _e.method) !== null && _f !== void 0 ? _f : 'GET';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath} — validation: ${paramName}', () => {
+  it('should reject empty ${paramName}', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .send({ ${paramName}: '' }) // TODO: adjust payload location
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(400);
+    expect(response.body).toMatchObject({ error: expect.any(String) }); // TODO: match actual error shape
+  });
+
+  it('should reject ${paramName} exceeding max length', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .send({ ${paramName}: 'x'.repeat(1000) }) // TODO: adjust max length
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(400);
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── TypeScript / Jest error scenario ────────────────────────────────────────
-function renderTypescriptJestErrorScenario(ctx) {
-    var _a, _b;
-    const { endpoint, project } = ctx;
-    const method = endpoint.method.toLowerCase();
-    const scheme = (_a = endpoint.auth.scheme) !== null && _a !== void 0 ? _a : 'Bearer';
-    const lines = [
-        autoGeneratedHeader(ctx),
-        `import request from 'supertest';`,
-        `import { app } from '${project.importPrefix}/app';`,
-        ``,
-        `// TODO: Replace with a valid JWT token from your test auth setup`,
-        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
-        ``,
-        `describe('Error Scenarios: ${endpoint.method} ${endpoint.path}', () => {`,
-    ];
-    for (const resp of ctx.responses.filter(r => r.statusCode >= 400)) {
-        lines.push(`  it('should return ${resp.statusCode} when ${(_b = resp.description) !== null && _b !== void 0 ? _b : `error ${resp.statusCode}`}', async () => {`);
-        lines.push(`    const response = await request(app)`);
-        lines.push(`      .${method}('${endpoint.pathNormalized}')`);
-        if (endpoint.auth.required) {
-            lines.push(`      .set('Authorization', VALID_AUTH_TOKEN)`);
-        }
-        lines.push(`      .send({});`);
-        lines.push(``);
-        lines.push(`    expect(response.status).toBe(${resp.statusCode});`);
-        lines.push(`  });`);
-        lines.push(``);
-    }
-    lines.push(`});`);
-    lines.push(``);
-    return lines.join('\n');
+function renderBusinessMissing(gap, ctx) {
+    var _a, _b, _c, _d;
+    const ruleId = (_b = (_a = gap.businessRule) === null || _a === void 0 ? void 0 : _a.id) !== null && _b !== void 0 ? _b : 'BR-XXX';
+    const description = (_d = (_c = gap.businessRule) === null || _c === void 0 ? void 0 : _c.description) !== null && _d !== void 0 ? _d : 'Business rule';
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+// Business Rule: ${ruleId} — ${description}
+describe('Business Rule ${ruleId}: ${description}', () => {
+  it('should enforce rule when conditions are met', async () => {
+    // TODO: set up test data that triggers the business rule
+    const response = await request(app)
+      .post('/api/TODO_ENDPOINT') // TODO: replace with actual endpoint
+      .send({
+        // TODO: add request body that triggers the rule
+      })
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(422); // TODO: adjust expected status
+    expect(response.body).toMatchObject({
+      error: expect.any(String), // TODO: match actual error shape
+    });
+  });
+
+  it('should allow the operation when the rule is satisfied', async () => {
+    const response = await request(app)
+      .post('/api/TODO_ENDPOINT') // TODO: replace with actual endpoint
+      .send({
+        // TODO: add request body that satisfies the rule
+      })
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(200); // TODO: adjust expected status
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── TypeScript / Jest business rule ─────────────────────────────────────────
-function renderTypescriptJestBusinessRule(ctx) {
-    var _a;
-    const { endpoint, project, businessRule } = ctx;
-    const method = endpoint.method.toLowerCase();
-    const scheme = (_a = endpoint.auth.scheme) !== null && _a !== void 0 ? _a : 'Bearer';
-    const rule = businessRule !== null && businessRule !== void 0 ? businessRule : { id: 'rule-1', description: 'Business rule', condition: 'When condition is met', acceptanceCriteria: ['Expected behavior is verified'] };
-    const lines = [
-        autoGeneratedHeader(ctx),
-        `import request from 'supertest';`,
-        `import { app } from '${project.importPrefix}/app';`,
-        ``,
-        `// TODO: Replace with a valid JWT token from your test auth setup`,
-        `const VALID_AUTH_TOKEN = '${scheme} <your-test-token>';`,
-        ``,
-        `describe('Business Rule: ${rule.id} — ${rule.description}', () => {`,
-        `  // Rule condition: ${rule.condition}`,
-    ];
-    for (const criterion of rule.acceptanceCriteria) {
-        lines.push(`  it('${criterion}', async () => {`);
-        lines.push(`    // TODO: Implement test for acceptance criterion: ${criterion}`);
-        lines.push(`    const response = await request(app)`);
-        lines.push(`      .${method}('${endpoint.pathNormalized}')`);
-        if (endpoint.auth.required) {
-            lines.push(`      .set('Authorization', VALID_AUTH_TOKEN)`);
-        }
-        lines.push(`      .send({});`);
-        lines.push(``);
-        lines.push(`    expect(response.status).toBeDefined();`);
-        lines.push(`    // TODO: Add specific assertions for this acceptance criterion`);
-        lines.push(`  });`);
-        lines.push(``);
-    }
-    lines.push(`});`);
-    lines.push(``);
-    return lines.join('\n');
+function renderIntegrationMissingStep(gap, ctx) {
+    var _a, _b, _c, _d, _e, _f;
+    const flowId = (_b = (_a = gap.integrationFlow) === null || _a === void 0 ? void 0 : _a.id) !== null && _b !== void 0 ? _b : 'flow-001';
+    const flowName = (_d = (_c = gap.integrationFlow) === null || _c === void 0 ? void 0 : _c.name) !== null && _d !== void 0 ? _d : 'Integration Flow';
+    const missingStep = (_f = (_e = gap.integrationFlow) === null || _e === void 0 ? void 0 : _e.missingStep) !== null && _f !== void 0 ? _f : 'step';
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+// Integration Flow: ${flowId} — ${flowName}
+describe('Integration Flow ${flowId}: ${flowName}', () => {
+  it('should complete the full flow including: ${missingStep}', async () => {
+    // Step 1: TODO — describe step 1
+    const step1 = await request(app)
+      .post('/api/TODO_STEP_1') // TODO: replace with actual endpoint
+      .send({}) // TODO: add step 1 body
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+    expect(step1.status).toBe(200);
+
+    // Step 2: ${missingStep} (this was the missing step)
+    const step2 = await request(app)
+      .post('/api/TODO_STEP_2') // TODO: replace with actual endpoint
+      .send({}) // TODO: add step 2 body
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+    expect(step2.status).toBe(200);
+    expect(step2.body).toMatchObject({}); // TODO: verify step 2 result
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── Python / pytest ──────────────────────────────────────────────────────────
-function renderPythonPytestUnit(ctx) {
-    var _a, _b;
-    const { endpoint } = ctx;
-    const method = endpoint.method.toLowerCase();
-    const authRequired = endpoint.auth.required;
-    const lines = [
-        `# AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
-        `# Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
-        `# TODO: Review generated assertions and replace placeholder values`,
-        ``,
-        `import pytest`,
-        ``,
-        `# TODO: Import your app factory and configure for testing`,
-        `# from app import create_app`,
-        ``,
-        `VALID_AUTH_TOKEN = 'Token <your-test-token>'  # TODO: Replace`,
-        ``,
-        ``,
-        `@pytest.fixture`,
-        `def client(app):`,
-        `    """TODO: Configure this fixture for your test setup."""`,
-        `    return app.test_client()`,
-        ``,
-        ``,
-        `class Test${toPascalCase(endpoint.method + '_' + endpoint.path.replace(/[^a-zA-Z0-9]/g, '_'))}:`,
-        `    """Tests for ${endpoint.method} ${endpoint.path}"""`,
-        ``,
-    ];
-    lines.push(`    def test_happy_path(self, client):`);
-    lines.push(`        """Should succeed with valid input."""`);
-    if (authRequired) {
-        lines.push(`        response = client.${method}(`);
-        lines.push(`            '${endpoint.path}',`);
-        lines.push(`            json={},`);
-        lines.push(`            headers={'Authorization': VALID_AUTH_TOKEN},`);
-        lines.push(`        )`);
-    }
-    else {
-        lines.push(`        response = client.${method}('${endpoint.path}')`);
-    }
-    lines.push(``);
-    const successStatus = (_b = (_a = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _a === void 0 ? void 0 : _a.statusCode) !== null && _b !== void 0 ? _b : 200;
-    lines.push(`        assert response.status_code == ${successStatus}`);
-    lines.push(``);
-    if (authRequired) {
-        lines.push(`    def test_requires_auth(self, client):`);
-        lines.push(`        """Should return 401 when no auth token is provided."""`);
-        lines.push(`        response = client.${method}('${endpoint.path}', json={})`);
-        lines.push(``);
-        lines.push(`        assert response.status_code == 401`);
-        lines.push(``);
-        lines.push(`    def test_invalid_token(self, client):`);
-        lines.push(`        """Should return 401 when an invalid token is provided."""`);
-        lines.push(`        response = client.${method}(`);
-        lines.push(`            '${endpoint.path}',`);
-        lines.push(`            json={},`);
-        lines.push(`            headers={'Authorization': 'Token invalid-token'},`);
-        lines.push(`        )`);
-        lines.push(``);
-        lines.push(`        assert response.status_code == 401`);
-        lines.push(``);
-    }
-    return lines.join('\n');
+function renderErrorMissingStatus(gap, ctx) {
+    var _a, _b, _c, _d;
+    const endpointPath = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.path) !== null && _b !== void 0 ? _b : '/api/endpoint';
+    const method = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.method) !== null && _d !== void 0 ? _d : 'GET';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath} — error handling', () => {
+  it('should return 400 for invalid request body', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .send({ invalidField: 'bad-value' }) // TODO: craft invalid payload
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(400);
+    expect(response.body).toMatchObject({ error: expect.any(String) }); // TODO: match error shape
+  });
+
+  it('should return 401 when unauthenticated', async () => {
+    const response = await request(app).${methodLower}('${endpointPath}');
+    expect(response.status).toBe(401);
+  });
+
+  it('should return 404 for non-existent resource', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath.replace('{id}', 'nonexistent-99999')}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+    expect(response.status).toBe(404);
+  });
+
+  it('should return 500 when the service fails', async () => {
+    // TODO: mock the service to throw an error
+    // Example with jest.spyOn:
+    // jest.spyOn(someService, 'someMethod').mockRejectedValueOnce(new Error('Service error'));
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+    // TODO: trigger 500 condition
+    expect(response.status).toBeGreaterThanOrEqual(500);
+  });
+});
+`;
+    return header + body.trimStart();
 }
-function toPascalCase(s) {
-    return s
-        .replace(/[^a-zA-Z0-9]+(.)/g, (_, c) => c.toUpperCase())
-        .replace(/^(.)/, (c) => c.toUpperCase());
+function renderSecurityMissingAuth(gap, ctx) {
+    var _a, _b, _c, _d;
+    const endpointPath = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.path) !== null && _b !== void 0 ? _b : '/api/endpoint';
+    const method = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.method) !== null && _d !== void 0 ? _d : 'GET';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath} — authentication', () => {
+  it('should return 401 when no token is provided', async () => {
+    const response = await request(app).${methodLower}('${endpointPath}');
+    expect(response.status).toBe(401);
+  });
+
+  it('should return 401 when an invalid token is provided', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer invalid-token-here');
+    expect(response.status).toBe(401);
+  });
+
+  it('should return 403 when the user lacks required permissions', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_LOW_PRIVILEGE_TOKEN'); // TODO: provide a low-privilege token
+    expect(response.status).toBe(403);
+  });
+
+  it('should succeed when a valid authorized token is provided', async () => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN'); // TODO: provide valid token
+    expect(response.status).toBe(200);
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── Java / JUnit5 ────────────────────────────────────────────────────────────
-function renderJavaJunit5Unit(ctx) {
-    var _a, _b;
-    const { endpoint } = ctx;
-    const method = endpoint.method;
-    const authRequired = endpoint.auth.required;
-    const successStatus = (_b = (_a = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _a === void 0 ? void 0 : _a.statusCode) !== null && _b !== void 0 ? _b : 200;
-    const statusMatcher = successStatus === 201 ? 'isCreated()' : successStatus === 204 ? 'isNoContent()' : 'isOk()';
-    const lines = [
-        `// AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
-        `// Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
-        `// TODO: Review generated assertions and replace placeholder values`,
-        ``,
-        `package generated;`,
-        ``,
-        `import org.junit.jupiter.api.Test;`,
-        `import org.springframework.beans.factory.annotation.Autowired;`,
-        `import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;`,
-        `import org.springframework.boot.test.context.SpringBootTest;`,
-        `import org.springframework.http.MediaType;`,
-        `import org.springframework.test.web.servlet.MockMvc;`,
-        ``,
-        `import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.${method.toLowerCase()};`,
-        `import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;`,
-        ``,
-        `@SpringBootTest`,
-        `@AutoConfigureMockMvc`,
-        `public class ${toPascalCase(method + '_' + endpoint.path.replace(/[^a-zA-Z0-9]/g, '_') + '_Test')} {`,
-        ``,
-        `    @Autowired`,
-        `    private MockMvc mockMvc;`,
-        ``,
-        `    // TODO: Replace with a valid JWT from your test auth setup`,
-        `    private static final String VALID_TOKEN = "Token <your-test-token>";`,
-        ``,
-        `    @Test`,
-        `    void happyPath_returns${successStatus}() throws Exception {`,
-        `        mockMvc.perform(${method.toLowerCase()}("${endpoint.path}")`,
-        ...(authRequired ? [`                .header("Authorization", VALID_TOKEN)`] : []),
-        `                .contentType(MediaType.APPLICATION_JSON)`,
-        `                .content("{}"))  // TODO: Replace with valid payload`,
-        `            .andExpect(status().${statusMatcher});`,
-        `    }`,
-        ``,
-    ];
-    if (authRequired) {
-        lines.push(`    @Test`);
-        lines.push(`    void noAuth_returns401() throws Exception {`);
-        lines.push(`        mockMvc.perform(${method.toLowerCase()}("${endpoint.path}")`);
-        lines.push(`                .contentType(MediaType.APPLICATION_JSON)`);
-        lines.push(`                .content("{}"))`);
-        lines.push(`            .andExpect(status().isUnauthorized());`);
-        lines.push(`    }`);
-        lines.push(``);
+function renderSecurityInjection(gap, ctx) {
+    var _a, _b, _c, _d;
+    const endpointPath = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.path) !== null && _b !== void 0 ? _b : '/api/endpoint';
+    const method = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.method) !== null && _d !== void 0 ? _d : 'POST';
+    const methodLower = method.toLowerCase();
+    const injectionCases = exports.OWASP_INJECTION_STRINGS.slice(0, 4)
+        .map((s) => `    { input: ${JSON.stringify(s)}, label: 'injection: ${s.slice(0, 20)}...' },`)
+        .join('\n');
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath} — injection security', () => {
+  const injectionPayloads = [
+${injectionCases}
+  ];
+
+  it.each(injectionPayloads)('should reject $label', async ({ input }) => {
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .send({ field: input }) // TODO: replace 'field' with actual vulnerable field name
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(400); // TODO: adjust — may be 422 or 200 with sanitised output
+    expect(response.body).not.toMatchObject({ data: input }); // TODO: verify injection is blocked
+  });
+});
+`;
+    return header + body.trimStart();
+}
+function renderPerformanceMissingSla(gap, ctx) {
+    var _a, _b, _c, _d;
+    const endpointPath = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.path) !== null && _b !== void 0 ? _b : '/api/endpoint';
+    const method = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.method) !== null && _d !== void 0 ? _d : 'GET';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+const SLA_RESPONSE_MS = 500; // TODO: adjust SLA threshold
+
+describe('${method} ${endpointPath} — performance SLA', () => {
+  it('should respond within SLA threshold', async () => {
+    const start = Date.now();
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+    const elapsed = Date.now() - start;
+
+    expect(response.status).toBe(200);
+    expect(elapsed).toBeLessThan(SLA_RESPONSE_MS);
+  });
+
+  it('should handle concurrent requests within SLA', async () => {
+    const concurrency = 5; // TODO: adjust concurrency level
+    const start = Date.now();
+    const responses = await Promise.all(
+      Array.from({ length: concurrency }, () =>
+        request(app)
+          .${methodLower}('${endpointPath}')
+          .set('Authorization', 'Bearer TODO_VALID_TOKEN'),
+      ),
+    );
+    const elapsed = Date.now() - start;
+
+    for (const response of responses) {
+      expect(response.status).toBe(200);
     }
-    lines.push(`}`);
-    lines.push(``);
-    return lines.join('\n');
+    expect(elapsed / concurrency).toBeLessThan(SLA_RESPONSE_MS);
+  });
+});
+`;
+    return header + body.trimStart();
 }
-// ─── Cypress E2E ──────────────────────────────────────────────────────────────
-function renderCypressEndpoint(ctx) {
-    var _a, _b;
-    const { endpoint } = ctx;
-    const method = endpoint.method;
-    const authRequired = endpoint.auth.required;
-    const successStatus = (_b = (_a = ctx.responses.find(r => r.statusCode >= 200 && r.statusCode < 300)) === null || _a === void 0 ? void 0 : _a.statusCode) !== null && _b !== void 0 ? _b : 200;
-    const lines = [
-        `// AUTO-GENERATED by api-test-coverage-analyzer (Feature 28)`,
-        `// Gap: ${ctx.gap.id} | Risk: ${ctx.gap.riskScore} | Priority: ${ctx.gap.priority}`,
-        `// NOTE: add generated/ to your specPattern in cypress.config.js if not already included`,
-        ``,
-        `describe('${method} ${endpoint.path} — E2E', () => {`,
-    ];
-    if (authRequired) {
-        lines.push(`  let authToken;`);
-        lines.push(``);
-        lines.push(`  before(() => {`);
-        lines.push(`    // TODO: Replace with your Cypress login command or fixture`);
-        lines.push(`    cy.request('POST', '/api/users/login', {`);
-        lines.push(`      user: { email: Cypress.env('TEST_USER_EMAIL'), password: Cypress.env('TEST_USER_PASSWORD') },`);
-        lines.push(`    }).then((response) => {`);
-        lines.push(`      expect(response.status).to.eq(200);`);
-        lines.push(`      authToken = \`Token \${response.body.user.token}\`;`);
-        lines.push(`    });`);
-        lines.push(`  });`);
-        lines.push(``);
+function renderResilienceMissingRetry(gap, ctx) {
+    var _a, _b, _c, _d;
+    const endpointPath = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.path) !== null && _b !== void 0 ? _b : '/api/endpoint';
+    const method = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.method) !== null && _d !== void 0 ? _d : 'GET';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type);
+    const body = `
+import request from 'supertest'; // TODO: adjust import path
+import app from '../../../src/app'; // TODO: adjust import path
+
+describe('${method} ${endpointPath} — resilience / retry', () => {
+  it('should return 503 or retry-after header when service is unavailable', async () => {
+    // TODO: mock downstream dependency to simulate failure
+    // jest.spyOn(downstreamService, 'call').mockRejectedValueOnce(new Error('Downstream unavailable'));
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    // Either the service retries successfully (200) or signals unavailability (503)
+    expect([200, 503]).toContain(response.status);
+    if (response.status === 503) {
+      expect(response.headers).toHaveProperty('retry-after'); // TODO: check actual header name
     }
-    lines.push(`  it('should succeed with valid request', () => {`);
-    lines.push(`    cy.request({`);
-    lines.push(`      method: '${method}',`);
-    lines.push(`      url: '${endpoint.path}',`);
-    if (authRequired) {
-        lines.push(`      headers: { Authorization: authToken },`);
+  });
+
+  it('should handle circuit-breaker open state gracefully', async () => {
+    // TODO: trigger circuit breaker open state
+    const response = await request(app)
+      .${methodLower}('${endpointPath}')
+      .set('Authorization', 'Bearer TODO_VALID_TOKEN');
+
+    expect(response.status).toBe(503); // TODO: adjust expected status
+    expect(response.body).toMatchObject({ error: expect.any(String) });
+  });
+});
+`;
+    return header + body.trimStart();
+}
+// ─── Python / pytest templates ────────────────────────────────────────────────
+function renderPythonEndpoint(gap, ctx) {
+    var _a, _b, _c, _d;
+    const method = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.method) !== null && _b !== void 0 ? _b : 'GET';
+    const endpointPath = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.path) !== null && _d !== void 0 ? _d : '/api/endpoint';
+    const methodLower = method.toLowerCase();
+    const header = renderFileHeader(gap.id, gap.type).replace(/\/\//g, '#');
+    const body = `
+import pytest
+import requests  # TODO: adjust import path
+
+BASE_URL = "${ctx.baseUrl}"  # TODO: adjust base URL
+AUTH_TOKEN = "TODO_VALID_TOKEN"  # TODO: add valid token
+
+
+class Test${method.charAt(0) + method.slice(1).toLowerCase()}${endpointPath.replace(/[^a-zA-Z0-9]/g, '_')}:
+    def test_returns_200_with_valid_request(self):
+        response = requests.${methodLower}(
+            f"{BASE_URL}${endpointPath}",
+            headers={"Authorization": f"Bearer {AUTH_TOKEN}"},
+        )
+        assert response.status_code == 200
+        assert response.json() is not None  # TODO: replace with specific assertion
+
+    def test_returns_401_when_unauthenticated(self):
+        response = requests.${methodLower}(f"{BASE_URL}${endpointPath}")
+        assert response.status_code == 401
+`;
+    return header + body.trimStart();
+}
+// ─── Java / JUnit5 templates ──────────────────────────────────────────────────
+function renderJavaEndpoint(gap, ctx) {
+    var _a, _b, _c, _d;
+    const method = (_b = (_a = gap.endpoint) === null || _a === void 0 ? void 0 : _a.method) !== null && _b !== void 0 ? _b : 'GET';
+    const endpointPath = (_d = (_c = gap.endpoint) === null || _c === void 0 ? void 0 : _c.path) !== null && _d !== void 0 ? _d : '/api/endpoint';
+    const className = `Test${gap.id.split('-').map((p) => p.charAt(0).toUpperCase() + p.slice(1)).join('')}`;
+    const header = renderFileHeader(gap.id, gap.type).replace(/\/\//g, '//');
+    const body = `
+package generated;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.web.servlet.MockMvc;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+
+// TODO: Add @SpringBootTest or @WebMvcTest and adjust imports
+@SpringBootTest
+class ${className} {
+
+    @Autowired
+    private MockMvc mockMvc; // TODO: inject MockMvc
+
+    @Test
+    void shouldReturn200WithValidRequest() throws Exception {
+        mockMvc.perform(${method.toLowerCase()}("${endpointPath}")
+                .header("Authorization", "Bearer TODO_VALID_TOKEN")) // TODO: add valid token
+            .andExpect(status().isOk())
+            .andExpect(jsonPath("$").isNotEmpty()); // TODO: replace with specific assertion
     }
-    lines.push(`      body: {},  // TODO: Replace with valid payload`);
-    lines.push(`    }).then((response) => {`);
-    lines.push(`      expect(response.status).to.eq(${successStatus});`);
-    lines.push(`      expect(response.body).to.be.an('object');`);
-    lines.push(`    });`);
-    lines.push(`  });`);
-    lines.push(``);
-    if (authRequired) {
-        lines.push(`  it('should return 401 without auth token', () => {`);
-        lines.push(`    cy.request({`);
-        lines.push(`      method: '${method}',`);
-        lines.push(`      url: '${endpoint.path}',`);
-        lines.push(`      body: {},`);
-        lines.push(`      failOnStatusCode: false,  // RULE-CY03`);
-        lines.push(`    }).then((response) => {`);
-        lines.push(`      expect(response.status).to.eq(401);`);
-        lines.push(`    });`);
-        lines.push(`  });`);
+
+    @Test
+    void shouldReturn401WhenUnauthenticated() throws Exception {
+        mockMvc.perform(${method.toLowerCase()}("${endpointPath}"))
+            .andExpect(status().isUnauthorized());
     }
-    lines.push(`});`);
-    lines.push(``);
-    return lines.join('\n');
 }
-function renderTemplate(ctx, opts) {
-    const { language, testType } = opts;
+`;
+    return header + body.trimStart();
+}
+// ─── Public API ───────────────────────────────────────────────────────────────
+/** Render test file content for a given gap and context */
+function renderTemplate(gap, ctx) {
+    const { language } = ctx;
     if (language === 'python') {
-        return renderPythonPytestUnit(ctx);
+        return renderPythonEndpoint(gap, ctx);
     }
     if (language === 'java' || language === 'kotlin') {
-        return renderJavaJunit5Unit(ctx);
+        return renderJavaEndpoint(gap, ctx);
     }
-    // Default: TypeScript
-    switch (testType) {
-        case 'security':
-            return renderTypescriptJestSecurity(ctx);
-        case 'integration':
-            return renderTypescriptJestIntegration(ctx);
-        case 'cypress':
-            return renderCypressEndpoint(ctx);
+    // TypeScript / JavaScript (Jest, Cypress, Playwright)
+    switch (gap.type) {
+        case 'endpoint:missing':
+            return renderEndpointMissing(gap, ctx);
+        case 'parameter:missing':
+            return renderParameterMissing(gap, ctx);
+        case 'parameter:not-validated':
+            return renderParameterNotValidated(gap, ctx);
+        case 'business:missing':
+            return renderBusinessMissing(gap, ctx);
+        case 'integration:missing-step':
+            return renderIntegrationMissingStep(gap, ctx);
+        case 'error:missing-status':
+            return renderErrorMissingStatus(gap, ctx);
+        case 'security:missing-auth':
+            return renderSecurityMissingAuth(gap, ctx);
+        case 'security:injection':
+            return renderSecurityInjection(gap, ctx);
+        case 'performance:missing-sla':
+            return renderPerformanceMissingSla(gap, ctx);
+        case 'resilience:missing-retry':
+            return renderResilienceMissingRetry(gap, ctx);
         default:
-            // Differentiate by gap type
-            switch (ctx.gap.type) {
-                case 'error':
-                    return renderTypescriptJestErrorScenario(ctx);
-                case 'business':
-                    return renderTypescriptJestBusinessRule(ctx);
-                default:
-                    return renderTypescriptJestUnit(ctx);
-            }
+            return renderEndpointMissing(gap, ctx);
     }
 }
+/** Returns the template name used for a given gap type */
+function getTemplateName(gap, ctx) {
+    return `${ctx.language}/${ctx.framework}/${gap.type}`;
+}