barbacane-dev
diff --git a/‎BACKLOG.md‎
Lines changed: 4 additions & 5 deletions b/‎BACKLOG.md‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎crates/barbacane-compiler/src/artifact.rs‎
Lines changed: 15 additions & 0 deletions b/‎crates/barbacane-compiler/src/artifact.rs‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎crates/barbacane-test/src/gateway.rs‎
Lines changed: 189 additions & 0 deletions b/‎crates/barbacane-test/src/gateway.rs‎
Lines changed: 189 additions & 0 deletions
diff --git a/‎crates/barbacane/src/main.rs‎
Lines changed: 4 additions & 33 deletions b/‎crates/barbacane/src/main.rs‎
Lines changed: 4 additions & 33 deletions
@@ -14,7 +14,7 @@ Items are tagged with their source ADR or SPEC for traceability.
 |--------|------|-------------|--------|
 | `request-transformer` | Middleware | Modify headers, query params, body before upstream | Competitive analysis |
 | `response-transformer` | Middleware | Modify response headers/body before client | Competitive analysis |
-| `ip-restriction` | Middleware | Allow/deny by IP or CIDR range | Competitive analysis |
+| ~~`ip-restriction`~~ | ~~Middleware~~ | ~~Allow/deny by IP or CIDR range~~ | **DONE** |
 | `basic-auth` | Middleware | Username/password authentication | Competitive analysis |
 | `http-log` | Middleware | Send request/response logs to HTTP endpoint | Competitive analysis |
 | ~~`correlation-id`~~ | ~~Middleware~~ | ~~Propagate/generate X-Correlation-ID header~~ | **DONE** |
@@ -25,10 +25,9 @@ Items are tagged with their source ADR or SPEC for traceability.
 |--------|------|-------------|--------|
 | `observability` | Middleware | Trace sampling, detailed validation logs, latency SLO monitoring | ADR-0010 |
 | `acl` | Middleware | Access control by consumer/group after auth | Competitive analysis |
-| `request-size-limit` | Middleware | Reject requests exceeding size (per-route) | Competitive analysis |
+| ~~`request-size-limit`~~ | ~~Middleware~~ | ~~Reject requests exceeding size (per-route)~~ | **DONE** |
 | `bot-detection` | Middleware | Block known bots by User-Agent patterns | Competitive analysis |
 | `redirect` | Middleware | URL redirections (301/302) | Competitive analysis |
-| `request-termination` | Middleware | Return static error without calling upstream | Competitive analysis |
 
 ### P2 — Nice to Have
 
@@ -122,11 +121,11 @@ Items are tagged with their source ADR or SPEC for traceability.
 | ~~Schema complexity limits~~ | E1051/E1052: Depth (32) and property (256) limits | P0 | **DONE** |
 | ~~Circular `$ref` detection~~ | E1053: Detect circular JSON Schema references | P0 | **DONE** |
 | ~~Move E1011 to compile~~ | E1011: Missing middleware name validation | P1 | **DONE** |
-| Move E1015 to compile | Move unknown extension warning from `validate` to `compile` | P1 | Tech review |
+| ~~Move E1015 to compile~~ | ~~Move unknown extension warning from `validate` to `compile`~~ | ~~P1~~ | **DONE** |
 | ~~Path template syntax validation~~ | E1054: Validate braces, param names, duplicates | P2 | **DONE** |
 | ~~Duplicate operationId detection~~ | E1055: Detect non-unique operationId | P2 | **DONE** |
 | Spec pointers in errors | Add JSON Pointer (e.g., `#/paths/~1users/get`) to all compile errors | P2 | Tech review |
-| Deterministic artifact builds | Sort plugin/spec/route collections before serialization | P2 | Tech review |
+| ~~Deterministic artifact builds~~ | ~~Sort plugin/spec/route collections before serialization~~ | ~~P2~~ | **DONE** |
 
 **Test cases added:**
 - `compile_detects_ambiguous_routes` ✓
 
@@ -422,6 +422,11 @@ pub fn compile_with_options(
     let encoder = archive.into_inner()?;
     encoder.finish()?;
 
+    // Sort warnings for deterministic output
+    warnings.sort_by(|a, b| {
+        (&a.location, &a.code, &a.message).cmp(&(&b.location, &b.code, &b.message))
+    });
+
     Ok(CompileResult { manifest, warnings })
 }
 
@@ -744,6 +749,11 @@ pub fn compile_with_manifest(
     let encoder = archive.into_inner()?;
     encoder.finish()?;
 
+    // Sort warnings for deterministic output
+    warnings.sort_by(|a, b| {
+        (&a.location, &a.code, &a.message).cmp(&(&b.location, &b.code, &b.message))
+    });
+
     Ok(CompileResult { manifest, warnings })
 }
 
@@ -1144,6 +1154,11 @@ pub fn compile_with_plugins(
     let encoder = archive.into_inner()?;
     encoder.finish()?;
 
+    // Sort warnings for deterministic output
+    warnings.sort_by(|a, b| {
+        (&a.location, &a.code, &a.message).cmp(&(&b.location, &b.code, &b.message))
+    });
+
     Ok(CompileResult { manifest, warnings })
 }
 
 
@@ -3302,4 +3302,193 @@ paths:
             "Response should include CORS header from global middleware"
         );
     }
+
+    // ==================== Request Size Limit Tests ====================
+
+    #[tokio::test]
+    async fn test_request_size_limit_allows_small_body() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/request-size-limit.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Small body should be allowed (under 100 byte limit)
+        let resp = gateway
+            .request_builder(reqwest::Method::POST, "/limited")
+            .header("Content-Type", "application/json")
+            .body(r#"{"msg":"hi"}"#)
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 200);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert_eq!(body["message"], "ok");
+    }
+
+    #[tokio::test]
+    async fn test_request_size_limit_blocks_large_body() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/request-size-limit.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Large body should be rejected (over 100 byte limit)
+        let large_body = r#"{"data":"this is a very long message that exceeds the configured limit of 100 bytes for this endpoint"}"#;
+        let resp = gateway
+            .request_builder(reqwest::Method::POST, "/limited")
+            .header("Content-Type", "application/json")
+            .body(large_body)
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 413);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert_eq!(body["type"], "urn:barbacane:error:payload-too-large");
+        assert_eq!(body["status"], 413);
+    }
+
+    #[tokio::test]
+    async fn test_request_size_limit_unlimited_endpoint() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/request-size-limit.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Unlimited endpoint should accept large bodies
+        let large_body = r#"{"data":"this is a very long message that would be rejected on the limited endpoint but should pass here"}"#;
+        let resp = gateway
+            .request_builder(reqwest::Method::POST, "/unlimited")
+            .header("Content-Type", "application/json")
+            .body(large_body)
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 200);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert_eq!(body["message"], "unlimited");
+    }
+
+    // ==================== IP Restriction Tests ====================
+
+    #[tokio::test]
+    async fn test_ip_restriction_allowlist_localhost() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Localhost should be allowed
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/allowlist")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 200);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert_eq!(body["message"], "allowed");
+    }
+
+    #[tokio::test]
+    async fn test_ip_restriction_allowlist_denied_via_xff() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Request with X-Forwarded-For from non-allowed IP should be denied
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/allowlist")
+            .header("X-Forwarded-For", "203.0.113.50")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 403);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert_eq!(body["type"], "urn:barbacane:error:ip-restricted");
+    }
+
+    #[tokio::test]
+    async fn test_ip_restriction_denylist_allowed() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Request from localhost (not in denylist) should be allowed
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/denylist")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 200);
+    }
+
+    #[tokio::test]
+    async fn test_ip_restriction_denylist_blocked() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Request from denied CIDR range should be blocked
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/denylist")
+            .header("X-Forwarded-For", "10.1.2.3")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 403);
+    }
+
+    #[tokio::test]
+    async fn test_ip_restriction_cidr_allowlist() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // 127.0.0.1 is in 127.0.0.0/8 CIDR range
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/cidr-allowlist")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 200);
+    }
+
+    #[tokio::test]
+    async fn test_ip_restriction_custom_message() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Request from non-allowed IP should get custom status and message
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/custom-message")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 401);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert!(body["detail"].as_str().unwrap().contains("not authorized"));
+    }
+
+    #[tokio::test]
+    async fn test_ip_restriction_public_endpoint() {
+        let gateway = TestGateway::from_spec("../../tests/fixtures/ip-restriction.yaml")
+            .await
+            .expect("failed to start gateway");
+
+        // Public endpoint without IP restriction
+        let resp = gateway
+            .request_builder(reqwest::Method::GET, "/public")
+            .send()
+            .await
+            .unwrap();
+
+        assert_eq!(resp.status(), 200);
+        let body: serde_json::Value = resp.json().await.unwrap();
+        assert_eq!(body["message"], "public");
+    }
 }
@@ -420,7 +420,8 @@ enum Commands {
 
     /// Validate OpenAPI spec(s) without compiling.
     ///
-    /// Checks for spec validity (E1001-E1004) and extension validity (E1010-E1015).
+    /// Checks for spec validity (E1001-E1004) and extension validity (E1010-E1014).
+    /// E1015 (unknown x-barbacane-* extension) is checked during compile.
     /// Does not resolve plugins or produce an artifact.
     Validate {
         /// Input spec file(s) (YAML or JSON).
@@ -1831,38 +1832,8 @@ fn run_validate(specs: &[String], output_format: &str) -> ExitCode {
                     }
                 }
 
-                // Check for unknown x-barbacane-* extensions (E1015 - warning)
-                // Note: x-sunset is not a barbacane extension (RFC 8594), so not in this list
-                // Note: Middleware functionality (rate-limit, cache, etc.) is configured via
-                // x-barbacane-middlewares with the plugin name, not as separate extensions.
-                // Backend connections are configured in the http-upstream dispatcher config.
-                // Keep in sync with KNOWN_EXTENSIONS in barbacane-compiler/src/artifact.rs
-                let known_extensions = [
-                    "x-barbacane-dispatch",    // Operation level
-                    "x-barbacane-middlewares", // Root or operation level
-                ];
-
-                for key in spec.extensions.keys() {
-                    if !known_extensions.contains(&key.as_str()) {
-                        warnings.push(ValidationIssue {
-                            code: "E1015".to_string(),
-                            message: format!("unknown extension: {}", key),
-                            location: Some(spec_path.clone()),
-                        });
-                    }
-                }
-
-                for op in &spec.operations {
-                    for key in op.extensions.keys() {
-                        if !known_extensions.contains(&key.as_str()) {
-                            warnings.push(ValidationIssue {
-                                code: "E1015".to_string(),
-                                message: format!("unknown extension: {}", key),
-                                location: Some(format!("{}:{} {}", spec_path, op.path, op.method)),
-                            });
-                        }
-                    }
-                }
+                // Note: E1015 (unknown x-barbacane-* extension) checking is done during compile,
+                // not validate, to avoid false positives on non-barbacane extensions.
 
                 // Store for cross-spec validation
                 parsed_specs.push((spec_path.clone(), spec));