feat: ensure all handlers explicitly set HTTP status codes

Wrap ResponseWriter in ServeHTTP with a statusResponseWriter that
guarantees WriteHeader is always called explicitly. This allows
observability middleware to reliably capture status codes, which
was not possible when handlers relied on net/http's implicit 200
on first Write call.

The wrapper also guards against duplicate WriteHeader calls by
ignoring subsequent invocations after the first.

Closes #183

Co-Authored-By: iwarapter <iwarapter@users.noreply.github.com>

Author: q-uint

handlers_test.go

@@ -992,6 +992,101 @@ func newTestResourceHandler() ResourceHandler {
 	}
 }
 
+// statusRecordingResponseWriter wraps an http.ResponseWriter and records
+// whether WriteHeader was called explicitly, simulating logging middleware.
+type statusRecordingResponseWriter struct {
+	http.ResponseWriter
+	calledWriteHeader bool
+	status            int
+}
+
+func (w *statusRecordingResponseWriter) WriteHeader(status int) {
+	w.calledWriteHeader = true
+	w.status = status
+	w.ResponseWriter.WriteHeader(status)
+}
+
+func TestServerExplicitStatusCodes(t *testing.T) {
+	tests := []struct {
+		name           string
+		method         string
+		target         string
+		body           io.Reader
+		expectedStatus int
+	}{
+		{
+			name:           "GET resource",
+			method:         http.MethodGet,
+			target:         "/Users/0001",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "GET resources",
+			method:         http.MethodGet,
+			target:         "/Users",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "POST resource",
+			method:         http.MethodPost,
+			target:         "/Users",
+			body:           strings.NewReader(`{"userName": "test", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}`),
+			expectedStatus: http.StatusCreated,
+		},
+		{
+			name:           "PUT resource",
+			method:         http.MethodPut,
+			target:         "/Users/0001",
+			body:           strings.NewReader(`{"userName": "test_replace", "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}`),
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "DELETE resource",
+			method:         http.MethodDelete,
+			target:         "/Users/0001",
+			expectedStatus: http.StatusNoContent,
+		},
+		{
+			name:           "GET ResourceTypes",
+			method:         http.MethodGet,
+			target:         "/ResourceTypes",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "GET ResourceType",
+			method:         http.MethodGet,
+			target:         "/ResourceTypes/User",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "GET Schemas",
+			method:         http.MethodGet,
+			target:         "/Schemas",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "GET ServiceProviderConfig",
+			method:         http.MethodGet,
+			target:         "/ServiceProviderConfig",
+			expectedStatus: http.StatusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := httptest.NewRequest(tt.method, tt.target, tt.body)
+			rr := httptest.NewRecorder()
+			w := &statusRecordingResponseWriter{ResponseWriter: rr}
+			newTestServer(t).ServeHTTP(w, req)
+
+			if !w.calledWriteHeader {
+				t.Error("handler did not explicitly call WriteHeader")
+			}
+			assertEqualStatusCode(t, tt.expectedStatus, w.status)
+		})
+	}
+}
+
 func newTestServer(t *testing.T) Server {
 	userSchema := getUserSchema()
 	userSchemaExtension := getUserExtensionSchema()

server.go

@@ -86,9 +86,33 @@ func NewServer(args *ServerArgs, opts ...ServerOption) (Server, error) {
 	return *s, nil
 }
 
+// statusResponseWriter wraps http.ResponseWriter to ensure WriteHeader is
+// always called explicitly. If Write is called without a prior WriteHeader,
+// it defaults to http.StatusOK. Subsequent WriteHeader calls are ignored.
+// This allows observability middleware to reliably capture status codes.
+type statusResponseWriter struct {
+	http.ResponseWriter
+	wroteHeader bool
+}
+
+func (w *statusResponseWriter) WriteHeader(status int) {
+	if !w.wroteHeader {
+		w.wroteHeader = true
+		w.ResponseWriter.WriteHeader(status)
+	}
+}
+
+func (w *statusResponseWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.WriteHeader(http.StatusOK)
+	}
+	return w.ResponseWriter.Write(b)
+}
+
 // ServeHTTP dispatches the request to the handler whose pattern most closely matches the request URL.
 func (s Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/scim+json")
+	w = &statusResponseWriter{ResponseWriter: w}
 
 	path := strings.TrimPrefix(r.URL.Path, "/v2")