test: extend identity injection and auth header regression coverage

[cursor]

Summary

Adds focused regression tests for recently merged identity-injection and auth-header behavior in the Harness MCP server.

Risky behavior now covered

• Wrapped-body identifier injection — buildBodyNormalized must inject connector_id / service_id / environment_id into wrapped YAML/JSON update bodies, not the outer envelope.
• Conflicting identifiers — update calls must fail before the API when resource_id and body identifier disagree (connectors, services, environments).
• Create vs update semantics — connector create must not silently substitute connector_id for a missing body identifier; explicit body identifiers are preserved.
• Case-insensitive auth headers — caller-provided Authorization / x-api-key must be honored regardless of header casing; FME requests must strip all x-api-key variants.
• FME duplicate x-api-key headers — when multiple x-api-key headers are present, the first non-placeholder value is used for bearer auth and all variants are removed before the request is sent.
• Disabled toolset resources — pipeline YAML and execution summary resources degrade gracefully when their toolsets are disabled.
• Scalar identifier coercion — numeric/boolean body identifiers are compared against string resource_id values without false conflicts.

Test files added/updated

File	Coverage
tests/utils/body-normalizer.test.ts	Wrapped/unwrapped injection, YAML parsing, conflict detection, injectFields with wrapKey, boolean/numeric coercion
tests/client/harness-client.test.ts	Case-insensitive auth preservation, FME x-api-key stripping, duplicate-header bearer selection
tests/tools/tool-handlers.test.ts	End-to-end harness_update / harness_create flows for connector, service, and environment identity handling
tests/resources/pipeline-yaml.test.ts	Disabled pipeline toolset discovery and direct-read fallback
tests/resources/execution-summary.test.ts	Disabled execution toolset skip behavior

Why this reduces regression risk

These paths sit on the boundary between agent input and Harness API calls — silent mis-injection or auth layering bugs cause hard-to-debug 4xx failures or credential leaks to third-party endpoints (Split.io). The tests lock the public contract at both the unit layer (body-normalizer, HarnessClient) and the tool dispatch layer (harness_update/harness_create), so refactors to shared body builders or header helpers cannot regress without a failing test.

Validation

pnpm test  # 2111 passed

  

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}