fix(restheart-mongo): noise Etag/Location + disable ACL cache for time-freeze compat

After fixing the Authorization-header-prefix bug in flow.sh (parent
commit), 214 admin-auth calls that previously 401'd now actually
mutate state and reach RESTHeart's normal write/read path. That
exposed two new categories of record/replay divergence the all-401
recording had hidden:

1) Etag header: RESTHeart auto-stamps a hash on every doc / collection
   response. body._etag is already in globalNoise, but the same hash
   also appears as a response header (Etag) — needs to be noised
   separately. Without it, ~85 of 306 tests fail on header.Etag diff.

2) Location header: POST /_sessions returns Location: /_sessions/<uuid>
   where the UUID is server-generated. 2 tests fail without noising.

Both added to keploy.yml.template's globalNoise.global.header.

Separate fix on the compose side: disable mongoAclAuthorizer's cache
(`/mongoAclAuthorizer/cache-enabled->false` via RHO). Default is
cache-enabled with TTL=5_000ms, backed by Caffeine. Caffeine's
internal ticker uses System.nanoTime, which keploy's --freezeTime
LD_PRELOAD shim intercepts — so at replay the wall-clock-bound TTL
never expires. flow.sh's `sleep 6` between `POST /acl` and the
writer-permission test works at record (clock advances, cache reloads
the new rule) but is ineffective at replay (cache stuck on whatever
it loaded first). Result: writer gets 403 at replay despite recorded
200. Disabling the cache makes ACL rules read-through from mongo on
every request — small perf cost in the test environment but
eliminates the time-freeze × cache-TTL interaction.

Local cell record-pr-replay-pr verified 306/306 PASSED with both
fixes in place. Test count went 296 → 306 (10 additional tests
captured because admin operations now mutate state and unlock paths
that previously 404'd).

Author: AkashKumar7902

restheart-mongo/docker-compose.yml

@@ -27,7 +27,7 @@ services:
       # --freezeTime keeps `exp` valid. Pinning the secret keeps
       # the bearer signature verifiable across record→replay
       # container restarts (deterministic key, deterministic JWT).
-      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings"'
+      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings";/mongoAclAuthorizer/cache-enabled->false'
       # Bound RESTHeart's JVM heap. RESTHeart 9.x's default uses
       # `MaxRAMPercentage=25` of cgroup memory, which on a typical
       # Woodpecker runner cgroup (~8GB) lands ~2GB heap. With three
@@ -44,6 +44,21 @@ services:
       # 512m is comfortable for the record/replay workload (peak
       # observed at ~280MB in single-cell local runs).
       JAVA_TOOL_OPTIONS: "-Xms128m -Xmx512m"
+      # Note on /mongoAclAuthorizer/cache-enabled->false in RHO:
+      # RESTHeart's mongoAclAuthorizer caches ACL rules with a 5s
+      # TTL backed by Caffeine, which uses System.nanoTime() to
+      # measure expiry. When the lane runs `keploy test --freezeTime`,
+      # the LD_PRELOADed clock-shim intercepts clock_gettime/
+      # gettimeofday — and Caffeine's nanoTime ticker is also
+      # frozen — so the cache TTL never expires. flow.sh's `sleep 6`
+      # between an `acl` rule POST and the writer-permission test
+      # works at record time (the wall clock advances and the cache
+      # reloads), but at replay the cache stays loaded with whatever
+      # state it had at the first request and never picks up the
+      # newly-POSTed rule. Result: writer gets 403 at replay
+      # despite recorded 200. Disabling the cache makes ACL rules
+      # read-through from mongo on every request — small perf cost,
+      # but eliminates the time-freeze x cache-ttl interaction.
     depends_on:
       mongo:
         condition: service_healthy

restheart-mongo/keploy.yml.template

@@ -44,6 +44,15 @@ test:
         Date: []
         Content-Length: []
         Auth-Token: []
+        # Etag is server-stamped per write/read on every doc and
+        # collection in RESTHeart. The body field _etag is already
+        # noised (below), but RESTHeart also exposes the same hash
+        # in the response header `Etag`, which differs per run.
+        Etag: []
+        # POST /_sessions returns a `Location: /_sessions/<uuid>`
+        # header where the UUID is server-generated per session.
+        # Each replay gets a fresh UUID; ignore the header to match.
+        Location: []
       body:
         _etag: []
         _oid: []