fix(laravel): harden auto-assert config parsing and idempotency keying

Addresses PR #54 review feedback (silent-failure-hunter):

- Parse openapi-contract-testing.auto_assert with FILTER_VALIDATE_BOOLEAN
  so "true"/"1" strings from env() are accepted; unrecognized values now
  fail the test loudly instead of silently skipping validation.
- Key idempotency on (spec, method, path) tuples stored in a WeakMap so
  explicit calls against a different spec path re-run instead of being
  silently no-oped.
- Extract method/path from the Request Laravel passes to createTestResponse
  rather than calling app('request') later, removing container coupling.
- Replace the broad catch(Throwable) in LaravelConfigMock with a bound()
  precondition so genuine framework errors propagate.
- Correct the createTestResponse docblock to reference
  MakesHttpRequests (where the method lives) and add @param for $request.

Author: wadakatu

src/Laravel/ValidatesOpenApiSchema.php

@@ -4,27 +4,36 @@
 
 namespace Studio\OpenApiContractTesting\Laravel;
 
+use const FILTER_NULL_ON_FAILURE;
+use const FILTER_VALIDATE_BOOLEAN;
+
 use Illuminate\Testing\TestResponse;
 use JsonException;
 use Studio\OpenApiContractTesting\HttpMethod;
 use Studio\OpenApiContractTesting\OpenApiCoverageTracker;
 use Studio\OpenApiContractTesting\OpenApiResponseValidator;
 use Studio\OpenApiContractTesting\OpenApiSpecResolver;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use WeakMap;
 
+use function filter_var;
+use function get_debug_type;
 use function is_numeric;
 use function is_string;
+use function sprintf;
 use function str_contains;
 use function strtolower;
+use function strtoupper;
+use function var_export;
 
 trait ValidatesOpenApiSchema
 {
     use OpenApiSpecResolver;
     private static ?OpenApiResponseValidator $cachedValidator = null;
     private static ?int $cachedMaxErrors = null;
 
-    /** @var null|WeakMap<TestResponse, true> */
+    /** @var null|WeakMap<TestResponse, array<string, true>> */
     private static ?WeakMap $validatedResponses = null;
 
     public static function resetValidatorCache(): void
@@ -35,16 +44,25 @@ public static function resetValidatorCache(): void
     }
 
     /**
-     * Overrides Illuminate\Foundation\Testing\TestCase::createTestResponse so
-     * every HTTP test call runs schema validation when auto_assert is enabled.
+     * Overrides Laravel's MakesHttpRequests::createTestResponse hook so every
+     * HTTP test call runs schema validation when auto_assert is enabled.
      * When the library is used outside Laravel, this method is never called.
      *
+     * Method and path are resolved from the Request passed in by Laravel
+     * rather than from app('request'), so auto-assert stays independent of
+     * container state and sees the exact values the framework dispatched.
+     *
      * @param Response $response
+     * @param null|Request $request
      */
     protected function createTestResponse($response, $request = null): TestResponse
     {
         $testResponse = parent::createTestResponse($response, $request);
-        $this->maybeAutoAssertOpenApiSchema($testResponse);
+
+        $method = $request !== null ? HttpMethod::tryFrom(strtoupper($request->getMethod())) : null;
+        $path = $request?->getPathInfo();
+
+        $this->maybeAutoAssertOpenApiSchema($testResponse, $method, $path);
 
         return $testResponse;
     }
@@ -54,11 +72,7 @@ protected function maybeAutoAssertOpenApiSchema(
         ?HttpMethod $method = null,
         ?string $path = null,
     ): void {
-        if (config('openapi-contract-testing.auto_assert') !== true) {
-            return;
-        }
-
-        if (self::isAlreadyValidated($response)) {
+        if (!$this->isAutoAssertEnabled()) {
             return;
         }
 
@@ -86,10 +100,8 @@ protected function assertResponseMatchesOpenApiSchema(
         ?HttpMethod $method = null,
         ?string $path = null,
     ): void {
-        if (self::isAlreadyValidated($response)) {
-            return;
-        }
-        self::markValidated($response);
+        $resolvedMethod = $method !== null ? $method->value : app('request')->getMethod();
+        $resolvedPath = $path ?? app('request')->getPathInfo();
 
         $specName = $this->resolveOpenApiSpec();
         if ($specName === '') {
@@ -101,8 +113,16 @@ protected function assertResponseMatchesOpenApiSchema(
             );
         }
 
-        $resolvedMethod = $method !== null ? $method->value : app('request')->getMethod();
-        $resolvedPath = $path ?? app('request')->getPathInfo();
+        // Idempotency key includes the spec so that validating the same
+        // response against a different spec (or a different method/path on
+        // the same spec) still runs — auto-assert's no-op only applies to
+        // exact repeats.
+        $signature = $specName . ':' . $resolvedMethod . ' ' . $resolvedPath;
+
+        if (self::isAlreadyValidated($response, $signature)) {
+            return;
+        }
+        self::markValidated($response, $signature);
 
         $content = $response->getContent();
         if ($content === false) {
@@ -124,6 +144,8 @@ protected function assertResponseMatchesOpenApiSchema(
         // Record coverage for any matched endpoint, including those where body
         // validation was skipped (e.g. non-JSON content types). "Covered" means
         // the endpoint was exercised in a test, not that its body was validated.
+        // Note: under auto_assert, this records coverage for every Laravel HTTP
+        // call — including responses with no explicit contract-test intent.
         if ($result->matchedPath() !== null) {
             OpenApiCoverageTracker::record(
                 $specName,
@@ -139,16 +161,18 @@ protected function assertResponseMatchesOpenApiSchema(
         );
     }
 
-    private static function isAlreadyValidated(TestResponse $response): bool
+    private static function isAlreadyValidated(TestResponse $response, string $signature): bool
     {
         return self::$validatedResponses !== null &&
-            isset(self::$validatedResponses[$response]);
+            isset(self::$validatedResponses[$response][$signature]);
     }
 
-    private static function markValidated(TestResponse $response): void
+    private static function markValidated(TestResponse $response, string $signature): void
     {
         self::$validatedResponses ??= new WeakMap();
-        self::$validatedResponses[$response] = true;
+        $signatures = self::$validatedResponses[$response] ?? [];
+        $signatures[$signature] = true;
+        self::$validatedResponses[$response] = $signatures;
     }
 
     private static function getOrCreateValidator(): OpenApiResponseValidator
@@ -164,6 +188,30 @@ private static function getOrCreateValidator(): OpenApiResponseValidator
         return self::$cachedValidator;
     }
 
+    private function isAutoAssertEnabled(): bool
+    {
+        $raw = config('openapi-contract-testing.auto_assert', false);
+
+        if ($raw === true) {
+            return true;
+        }
+        if ($raw === false || $raw === null) {
+            return false;
+        }
+
+        $parsed = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+        if ($parsed === null) {
+            $this->fail(sprintf(
+                'openapi-contract-testing.auto_assert must be a boolean (or a boolean-compatible value '
+                . 'like "true"/"false"/"1"/"0"), got %s: %s.',
+                get_debug_type($raw),
+                var_export($raw, true),
+            ));
+        }
+
+        return $parsed;
+    }
+
     /** @return null|array<string, mixed> */
     private function extractJsonBody(TestResponse $response, string $content, string $contentType): ?array
     {

tests/Helpers/LaravelConfigMock.php

@@ -4,10 +4,10 @@
 
 namespace Studio\OpenApiContractTesting\Laravel;
 
-use Throwable;
+use Illuminate\Container\Container;
 
 use function array_key_exists;
-use function function_exists;
+use function class_exists;
 
 /**
  * Namespace-level config() mock for unit testing.
@@ -29,11 +29,16 @@
  * Resolution order:
  * 1. A unit-test override in $GLOBALS['__openapi_testing_config'] wins — unit
  *    tests set this explicitly to control what the trait sees.
- * 2. Otherwise, defer to the real framework helper when an app is running
- *    (integration tests using orchestra/testbench). The global helper is
- *    invoked via a variable function to bypass both PHP namespace resolution
- *    (which would recurse into this mock) and cs-fixer's global_namespace_import
- *    rule (which would strip a leading backslash and break the call).
+ * 2. When a Laravel container is bootstrapped and has a "config" binding (i.e.
+ *    integration tests using orchestra/testbench), delegate to the framework's
+ *    config() helper via a variable function. The variable call avoids both
+ *    PHP namespace resolution (which would recurse into this mock) and any
+ *    future auto-import of the global \config() by cs-fixer's
+ *    global_namespace_import rule (which would add a "use function config;"
+ *    and re-break this mock for the same reason as a manual import).
+ * 3. Otherwise (pure unit tests with no booted app), return the provided
+ *    default. The container-bound check avoids swallowing real binding errors:
+ *    only an unbootstrapped container falls through here.
  */
 function config(string $key, mixed $default = null): mixed
 {
@@ -44,14 +49,10 @@ function config(string $key, mixed $default = null): mixed
         return $GLOBALS['__openapi_testing_config'][$key];
     }
 
-    if (function_exists('config')) {
+    if (class_exists(Container::class) && Container::getInstance()->bound('config')) {
         $globalConfig = 'config';
 
-        try {
-            return $globalConfig($key, $default);
-        } catch (Throwable) {
-            return $default;
-        }
+        return $globalConfig($key, $default);
     }
 
     return $default;