@apitap/core 1.6.0 → 1.6.1

package/src/replay/engine.ts

@@ -45,6 +45,15 @@ const BLOCKED_REPLAY_HEADERS = new Set([
   'sec-fetch-user',
 ]);
 
+export function safeParseJson(text: string): unknown {
+  if (text.length === 0) return text;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return text;
+  }
+}
+
 export interface ReplayOptions {
   /** User-provided parameters for path, query, and body substitution */
   params?: Record<string, string>;
@@ -70,6 +79,8 @@ export interface ReplayResult {
   truncated?: boolean;
   /** Contract warnings from schema drift detection */
   contractWarnings?: ContractWarning[];
+  /** Upgrade hint: set when a low-confidence endpoint gets a 2xx response */
+  upgrade?: { confidence: 1.0; endpointProvenance: 'captured' };
 }
 
 /**
@@ -548,8 +559,8 @@ export async function replayEndpoint(
       let retryData: unknown;
       const retryCt = retryResponse.headers.get('content-type') ?? '';
       const retryText = await retryResponse.text();
-      if (retryCt.includes('json') && retryText.length > 0) {
-        retryData = JSON.parse(retryText);
+      if (retryCt.includes('json')) {
+        retryData = safeParseJson(retryText);
       } else {
         retryData = retryText;
       }
@@ -558,6 +569,11 @@ export async function replayEndpoint(
         ? wrapAuthError(retryResponse.status, retryData, skill.domain)
         : retryData;
 
+      const retryUpgrade = (endpoint.confidence !== undefined && endpoint.confidence < 1.0
+        && retryResponse.status >= 200 && retryResponse.status < 300)
+        ? { confidence: 1.0 as const, endpointProvenance: 'captured' as const }
+        : undefined;
+
       if (options.maxBytes) {
         const truncated = truncateResponse(retryFinalData, { maxBytes: options.maxBytes });
         return {
@@ -566,6 +582,7 @@ export async function replayEndpoint(
           data: truncated.data,
           refreshed,
           ...(truncated.truncated ? { truncated: true } : {}),
+          ...(retryUpgrade ? { upgrade: retryUpgrade } : {}),
         };
       }
 
@@ -574,6 +591,7 @@ export async function replayEndpoint(
         headers: retryHeaders,
         data: retryFinalData,
         refreshed,
+        ...(retryUpgrade ? { upgrade: retryUpgrade } : {}),
       };
     }
   }
@@ -586,8 +604,8 @@ export async function replayEndpoint(
   let data: unknown;
   const ct = response.headers.get('content-type') ?? '';
   const text = await response.text();
-  if (ct.includes('json') && text.length > 0) {
-    data = JSON.parse(text);
+  if (ct.includes('json')) {
+    data = safeParseJson(text);
   } else {
     data = text;
   }
@@ -606,6 +624,11 @@ export async function replayEndpoint(
     }
   }
 
+  const upgrade = (endpoint.confidence !== undefined && endpoint.confidence < 1.0
+    && response.status >= 200 && response.status < 300)
+    ? { confidence: 1.0 as const, endpointProvenance: 'captured' as const }
+    : undefined;
+
   // Apply truncation if maxBytes is set
   if (options.maxBytes) {
     const truncated = truncateResponse(finalData, { maxBytes: options.maxBytes });
@@ -616,10 +639,11 @@ export async function replayEndpoint(
       ...(refreshed ? { refreshed } : {}),
       ...(truncated.truncated ? { truncated: true } : {}),
       ...(contractWarnings ? { contractWarnings } : {}),
+      ...(upgrade ? { upgrade } : {}),
     };
   }
 
-  return { status: response.status, headers: responseHeaders, data: finalData, ...(refreshed ? { refreshed } : {}), ...(contractWarnings ? { contractWarnings } : {}) };
+  return { status: response.status, headers: responseHeaders, data: finalData, ...(refreshed ? { refreshed } : {}), ...(contractWarnings ? { contractWarnings } : {}), ...(upgrade ? { upgrade } : {}) };
 }
 
 // --- Batch replay ---

package/src/skill/apis-guru.ts

@@ -1,6 +1,29 @@
 // src/skill/apis-guru.ts
 import { resolveAndValidateUrl } from '../skill/ssrf.js';
 
+const MAX_SPEC_SIZE = 10 * 1024 * 1024;   // 10 MB per spec
+const MAX_LIST_SIZE = 100 * 1024 * 1024;  // 100 MB for APIs.guru list
+
+async function fetchWithSizeLimit(url: string, maxBytes: number, options?: RequestInit): Promise<string> {
+  const response = await fetch(url, {
+    signal: AbortSignal.timeout(30_000),
+    ...options,
+    headers: { 'User-Agent': 'apitap-import/1.0', ...(options?.headers as Record<string, string> || {}) },
+  });
+  if (!response.ok) {
+    throw new Error(`HTTP ${response.status} ${response.statusText} for ${url}`);
+  }
+  const contentLength = response.headers.get('content-length');
+  if (contentLength && parseInt(contentLength, 10) > maxBytes) {
+    throw new Error(`Response too large: ${contentLength} bytes (limit: ${maxBytes})`);
+  }
+  const text = await response.text();
+  if (text.length > maxBytes) {
+    throw new Error(`Response body too large: ${text.length} bytes (limit: ${maxBytes})`);
+  }
+  return text;
+}
+
 export interface ApisGuruEntry {
   apiId: string;           // e.g., "twilio.com:api"
   providerName: string;    // e.g., "twilio.com"
@@ -121,15 +144,7 @@ export async function fetchApisGuruList(): Promise<ApisGuruEntry[]> {
   if (!ssrf.safe) {
     throw new Error(`SSRF check failed for APIs.guru list URL: ${ssrf.reason}`);
   }
-  const response = await fetch(APIS_GURU_LIST_URL, {
-    signal: AbortSignal.timeout(30_000),
-  });
-  if (!response.ok) {
-    throw new Error(
-      `Failed to fetch APIs.guru list: ${response.status} ${response.statusText}`,
-    );
-  }
-  const text = await response.text();
+  const text = await fetchWithSizeLimit(APIS_GURU_LIST_URL, MAX_LIST_SIZE);
   try {
     return parseApisGuruList(JSON.parse(text) as Record<string, any>);
   } catch {
@@ -145,16 +160,7 @@ export async function fetchSpec(specUrl: string): Promise<Record<string, any>> {
   if (!ssrf.safe) {
     throw new Error(`SSRF check failed for spec URL ${specUrl}: ${ssrf.reason}`);
   }
-  const response = await fetch(specUrl, {
-    signal: AbortSignal.timeout(30_000),
-    redirect: 'error',
-  });
-  if (!response.ok) {
-    throw new Error(
-      `Failed to fetch spec at ${specUrl}: ${response.status} ${response.statusText}`,
-    );
-  }
-  const text = await response.text();
+  const text = await fetchWithSizeLimit(specUrl, MAX_SPEC_SIZE, { redirect: 'error' });
   try {
     return JSON.parse(text) as Record<string, any>;
   } catch {

package/src/skill/openapi-converter.ts

@@ -31,6 +31,14 @@ export function resolveRef(
     return merged;
   }
 
+  // Handle oneOf/anyOf: use first option as representative
+  if (obj.oneOf && Array.isArray(obj.oneOf) && obj.oneOf.length > 0) {
+    return resolveRef(obj.oneOf[0], spec, new Set(visited), depth + 1);
+  }
+  if (obj.anyOf && Array.isArray(obj.anyOf) && obj.anyOf.length > 0) {
+    return resolveRef(obj.anyOf[0], spec, new Set(visited), depth + 1);
+  }
+
   if (!obj.$ref) return obj;
 
   const ref = obj.$ref as string;

package/src/skill/signing.ts

@@ -44,6 +44,20 @@ export function signSkillFile(skill: SkillFile, key: Buffer): SkillFile {
   };
 }
 
+/**
+ * Sign a skill file with a specific provenance value.
+ * Use 'self' for captured files, 'imported-signed' for import-only files.
+ */
+export function signSkillFileAs(
+  skill: SkillFile,
+  key: Buffer,
+  provenance: 'self' | 'imported-signed',
+): SkillFile {
+  const payload = canonicalize(skill);
+  const signature = hmacSign(payload, key);
+  return { ...skill, provenance, signature };
+}
+
 /**
  * Verify a skill file's signature.
  * Returns true if the signature is valid for the given key.

package/src/skill/store.ts

@@ -1,5 +1,5 @@
 // src/skill/store.ts
-import { readFile, writeFile, mkdir, readdir, access } from 'node:fs/promises';
+import { readFile, writeFile, mkdir, readdir, access, rename } from 'node:fs/promises';
 import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 import type { SkillFile, SkillSummary } from '../types.js';
@@ -40,7 +40,10 @@ export async function writeSkillFile(
   await mkdir(skillsDir, { recursive: true, mode: 0o700 });
   await ensureGitignore(skillsDir);
   const filePath = skillPath(skill.domain, skillsDir);
-  await writeFile(filePath, JSON.stringify(skill, null, 2) + '\n', { mode: 0o600 });
+  const tmpPath = `${filePath}.${process.pid}.tmp`;
+  const content = JSON.stringify(skill, null, 2) + '\n';
+  await writeFile(tmpPath, content, { mode: 0o600 });
+  await rename(tmpPath, filePath);
   return filePath;
 }
 
@@ -114,8 +117,9 @@ export async function listSkillFiles(
   let files: string[];
   try {
     files = await readdir(skillsDir);
-  } catch {
-    return [];
+  } catch (err: unknown) {
+    if ((err as NodeJS.ErrnoException).code === 'ENOENT') return [];
+    throw err;
   }
 
   const summaries: SkillSummary[] = [];

package/src/types.ts

@@ -162,7 +162,7 @@ export interface SkillFile {
       endpointsEnriched: number;
     }>;
   };
-  provenance: 'self' | 'imported' | 'unsigned';
+  provenance: 'self' | 'imported' | 'imported-signed' | 'unsigned';
   signature?: string;
   auth?: SkillAuth; // v0.8: top-level auth config
 }
@@ -215,7 +215,7 @@ export interface SkillSummary {
   skillFile: string;
   endpointCount: number;
   capturedAt: string;
-  provenance: 'self' | 'imported' | 'unsigned';
+  provenance: 'self' | 'imported' | 'imported-signed' | 'unsigned';
 }
 
 // --- Discovery types (Milestone 2: Smart Discovery) ---