@caplets/core 0.18.9 → 0.20.0

package/dist/{completion-RqzHpHRY.js → completion-CbazRAiL.js}

@@ -1,4 +1,5 @@
-import { Ct as resolveCapletsRoot, Et as resolveProjectConfigPath, Lt as __exportAll, Pt as CapletsError, St as DEFAULT_COMPLETION_CACHE_DIR, gt as loadConfigWithSources, wt as resolveConfigPath, xt as DEFAULT_AUTH_DIR } from "./options-DnOUjft1.js";
+import { St as resolveProjectConfigPath, Y as loadConfigWithSources, bt as resolveConfigPath, mt as DEFAULT_COMPLETION_CACHE_DIR, pt as DEFAULT_AUTH_DIR, vn as __exportAll, yt as resolveCapletsRoot } from "./service-D0MwLNyb.js";
+import { u as CapletsError } from "./validation-CdqbI2zN.js";
 import { mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { createHash } from "node:crypto";
@@ -13,9 +14,13 @@ const completionShells = [
 const cliCommands = {
 	completion: "completion",
 	completeHidden: "__complete",
+	codeMode: "code-mode",
 	serve: "serve",
+	attach: "attach",
+	cloud: "cloud",
 	init: "init",
 	setup: "setup",
+	doctor: "doctor",
 	list: "list",
 	install: "install",
 	add: "add",
@@ -38,8 +43,12 @@ const cliCommands = {
 };
 const topLevelCommandNames = [
 	cliCommands.serve,
+	cliCommands.codeMode,
+	cliCommands.attach,
+	cliCommands.cloud,
 	cliCommands.init,
 	cliCommands.setup,
+	cliCommands.doctor,
 	cliCommands.list,
 	cliCommands.install,
 	cliCommands.add,
@@ -74,8 +83,18 @@ const cliSubcommands = {
 		"logout",
 		"list"
 	],
+	[cliCommands.cloud]: ["auth"],
+	[cliCommands.codeMode]: ["types"],
 	[cliCommands.completion]: [...completionShells],
 	[cliCommands.config]: ["path", "paths"],
+	[cliCommands.serve]: [
+		"start",
+		"stop",
+		"status",
+		"restart",
+		"enable",
+		"disable"
+	],
 	[cliCommands.setup]: [
 		"codex",
 		"claude-code",

package/dist/config/paths.d.ts

@@ -6,9 +6,11 @@ export declare function defaultCacheBaseDir(env?: PathEnv, home?: string, platfo
 export declare function defaultConfigPath(env?: PathEnv, home?: string, platform?: Platform): string;
 export declare function defaultAuthDir(env?: PathEnv, home?: string, platform?: Platform): string;
 export declare function defaultCompletionCacheDir(env?: PathEnv, home?: string, platform?: Platform): string;
+export declare function defaultObservedOutputShapeCacheDir(env?: PathEnv, home?: string, platform?: Platform): string;
 export declare const DEFAULT_CONFIG_PATH: string;
 export declare const DEFAULT_AUTH_DIR: string;
 export declare const DEFAULT_COMPLETION_CACHE_DIR: string;
+export declare const DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR: string;
 export declare const PROJECT_CONFIG_FILE: string;
 export declare function resolveConfigPath(path?: string): string;
 export declare function resolveProjectConfigPath(cwd?: string): string;

package/dist/config-runtime.d.ts

@@ -0,0 +1,183 @@
+export type RemoteAuthConfig = {
+    type: "none";
+} | {
+    type: "bearer";
+    token: string;
+} | {
+    type: "headers";
+    headers: Record<string, string>;
+} | {
+    type: "oauth2" | "oidc";
+    authorizationUrl?: string | undefined;
+    tokenUrl?: string | undefined;
+    issuer?: string | undefined;
+    resourceMetadataUrl?: string | undefined;
+    authorizationServerMetadataUrl?: string | undefined;
+    openidConfigurationUrl?: string | undefined;
+    clientMetadataUrl?: string | undefined;
+    clientId?: string | undefined;
+    clientSecret?: string | undefined;
+    scopes?: string[] | undefined;
+    redirectUri?: string | undefined;
+};
+export type CapletSetupCommandConfig = {
+    label: string;
+    command: string;
+    args?: string[] | undefined;
+    env?: Record<string, string> | undefined;
+    cwd?: string | undefined;
+    timeoutMs?: number | undefined;
+    maxOutputBytes?: number | undefined;
+};
+export type CapletSetupConfig = {
+    commands?: CapletSetupCommandConfig[] | undefined;
+    verify?: CapletSetupCommandConfig[] | undefined;
+};
+export type ProjectBindingConfig = {
+    required: true;
+};
+export type RuntimeFeature = "docker" | "browser";
+export type RuntimeResourceClass = "standard" | "large" | "heavy";
+export type RuntimeRequirementsConfig = {
+    features?: RuntimeFeature[] | undefined;
+    resources?: {
+        class?: RuntimeResourceClass | undefined;
+    } | undefined;
+};
+export type AgentSelectionHintsConfig = {
+    useWhen?: string | undefined;
+    avoidWhen?: string | undefined;
+};
+export type CapletExposure = "direct" | "progressive" | "code_mode" | "direct_and_code_mode" | "progressive_and_code_mode";
+export type CapletServerConfig = CommonCapletConfig & {
+    backend: "mcp";
+    transport: "stdio" | "http" | "sse";
+    command?: string | undefined;
+    args?: string[] | undefined;
+    env?: Record<string, string> | undefined;
+    cwd?: string | undefined;
+    url?: string | undefined;
+    auth?: RemoteAuthConfig | undefined;
+    startupTimeoutMs: number;
+    callTimeoutMs: number;
+    toolCacheTtlMs: number;
+};
+export type OpenApiAuthConfig = RemoteAuthConfig;
+export type OpenApiEndpointConfig = CommonCapletConfig & {
+    backend: "openapi";
+    specPath?: string | undefined;
+    specUrl?: string | undefined;
+    baseUrl?: string | undefined;
+    auth: OpenApiAuthConfig;
+    requestTimeoutMs: number;
+    operationCacheTtlMs: number;
+};
+export type GraphQlOperationConfig = AgentSelectionHintsConfig & {
+    document?: string | undefined;
+    documentPath?: string | undefined;
+    operationName?: string | undefined;
+    description?: string | undefined;
+};
+export type GraphQlEndpointConfig = CommonCapletConfig & {
+    backend: "graphql";
+    endpointUrl: string;
+    schemaPath?: string | undefined;
+    schemaUrl?: string | undefined;
+    introspection?: true | undefined;
+    operations?: Record<string, GraphQlOperationConfig> | undefined;
+    auth: OpenApiAuthConfig;
+    requestTimeoutMs: number;
+    operationCacheTtlMs: number;
+    selectionDepth: number;
+};
+export type HttpActionConfig = AgentSelectionHintsConfig & {
+    method: "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
+    path: string;
+    description?: string | undefined;
+    inputSchema?: Record<string, unknown> | undefined;
+    outputSchema?: Record<string, unknown> | undefined;
+    query?: Record<string, string | number | boolean> | undefined;
+    headers?: Record<string, string | number | boolean> | undefined;
+    jsonBody?: unknown;
+};
+export type HttpApiConfig = CommonCapletConfig & {
+    backend: "http";
+    baseUrl: string;
+    auth: OpenApiAuthConfig;
+    actions: Record<string, HttpActionConfig>;
+    requestTimeoutMs: number;
+    maxResponseBytes: number;
+};
+export type CliToolActionConfig = AgentSelectionHintsConfig & {
+    description?: string | undefined;
+    inputSchema?: Record<string, unknown> | undefined;
+    outputSchema?: Record<string, unknown> | undefined;
+    command: string;
+    args?: string[] | undefined;
+    env?: Record<string, string> | undefined;
+    cwd?: string | undefined;
+    timeoutMs?: number | undefined;
+    maxOutputBytes?: number | undefined;
+    output?: {
+        type: "text" | "json";
+    } | undefined;
+    annotations?: {
+        readOnlyHint?: boolean | undefined;
+        destructiveHint?: boolean | undefined;
+        idempotentHint?: boolean | undefined;
+        openWorldHint?: boolean | undefined;
+    } | undefined;
+};
+export type CliToolsConfig = CommonCapletConfig & {
+    backend: "cli";
+    actions: Record<string, CliToolActionConfig>;
+    cwd?: string | undefined;
+    env?: Record<string, string> | undefined;
+    timeoutMs: number;
+    maxOutputBytes: number;
+};
+export type CapletSetConfig = CommonCapletConfig & {
+    backend: "caplets";
+    configPath?: string | undefined;
+    capletsRoot?: string | undefined;
+    defaultSearchLimit: number;
+    maxSearchLimit: number;
+    toolCacheTtlMs: number;
+};
+export type CapletConfig = CapletServerConfig | OpenApiEndpointConfig | GraphQlEndpointConfig | HttpApiConfig | CliToolsConfig | CapletSetConfig;
+export type CapletsConfig = {
+    version: 1;
+    options: {
+        defaultSearchLimit: number;
+        maxSearchLimit: number;
+        exposure: CapletExposure;
+        exposureDiscoveryTimeoutMs: number;
+        exposureDiscoveryConcurrency: number;
+        completion: {
+            discoveryTimeoutMs: number;
+            overallTimeoutMs: number;
+            cacheTtlMs: number;
+            negativeCacheTtlMs: number;
+        };
+    };
+    mcpServers: Record<string, CapletServerConfig>;
+    openapiEndpoints: Record<string, OpenApiEndpointConfig>;
+    graphqlEndpoints: Record<string, GraphQlEndpointConfig>;
+    httpApis: Record<string, HttpApiConfig>;
+    cliTools: Record<string, CliToolsConfig>;
+    capletSets: Record<string, CapletSetConfig>;
+};
+type CommonCapletConfig = AgentSelectionHintsConfig & {
+    server: string;
+    name: string;
+    description: string;
+    exposure?: CapletExposure | undefined;
+    tags?: string[] | undefined;
+    body?: string | undefined;
+    setup?: CapletSetupConfig | undefined;
+    projectBinding?: ProjectBindingConfig | undefined;
+    runtime?: RuntimeRequirementsConfig | undefined;
+    disabled: boolean;
+};
+export declare function parseConfig(input: unknown): CapletsConfig;
+export {};

package/dist/config-runtime.js

@@ -0,0 +1,421 @@
+import { _ as record, b as unknown, d as literal, l as discriminatedUnion, m as object, o as array, p as number, r as _enum, s as boolean, v as string, y as union } from "./schemas-BZ6BBrh7.js";
+import { a as isAllowedHttpBaseUrl, c as validateHttpActionHeaders, i as SERVER_ID_PATTERN, n as HEADER_NAME_PATTERN, o as isAllowedRemoteUrl, r as HTTP_BASE_URL_PATTERN, s as isUrl, t as FORBIDDEN_HEADERS, u as CapletsError } from "./validation-CdqbI2zN.js";
+//#region src/config-runtime.ts
+const stringMapSchema = record(string(), string());
+const authSchema = discriminatedUnion("type", [
+	object({ type: literal("none") }).strict(),
+	object({
+		type: literal("bearer"),
+		token: string().min(1)
+	}).strict(),
+	object({
+		type: literal("headers"),
+		headers: stringMapSchema
+	}).strict(),
+	oauthLikeSchema("oauth2"),
+	oauthLikeSchema("oidc")
+]);
+const setupCommandSchema = object({
+	label: string().min(1),
+	command: string().min(1),
+	args: array(string()).optional(),
+	env: stringMapSchema.optional(),
+	cwd: string().min(1).optional(),
+	timeoutMs: number().int().positive().optional(),
+	maxOutputBytes: number().int().positive().optional()
+}).strict();
+const setupSchema = object({
+	commands: array(setupCommandSchema).optional(),
+	verify: array(setupCommandSchema).optional()
+}).strict().refine((setup) => (setup.commands?.length ?? 0) > 0 || (setup.verify?.length ?? 0) > 0, "setup must define at least one command or verify step");
+const projectBindingSchema = object({ required: literal(true) }).strict();
+const runtimeRequirementsSchema = object({
+	features: array(_enum(["docker", "browser"])).refine((features) => new Set(features).size === features.length, { message: "runtime.features must not contain duplicate feature names" }).optional(),
+	resources: object({ class: _enum([
+		"standard",
+		"large",
+		"heavy"
+	]).optional() }).strict().optional()
+}).strict();
+const agentSelectionHintSchema = string().trim().min(1).max(500);
+const agentSelectionHintsSchema = {
+	useWhen: agentSelectionHintSchema.optional(),
+	avoidWhen: agentSelectionHintSchema.optional()
+};
+const exposureSchema = _enum([
+	"direct",
+	"progressive",
+	"code_mode",
+	"direct_and_code_mode",
+	"progressive_and_code_mode"
+]);
+const commonSchema = {
+	name: string().trim().min(1).max(80),
+	description: string().refine((value) => value.trim().length >= 10, "description must contain at least 10 non-whitespace characters").refine((value) => value.length <= 1500, "description must be at most 1500 characters"),
+	tags: array(string().trim().min(1).max(80)).optional(),
+	exposure: exposureSchema.optional(),
+	...agentSelectionHintsSchema,
+	body: string().optional(),
+	setup: setupSchema.optional(),
+	projectBinding: projectBindingSchema.optional(),
+	runtime: runtimeRequirementsSchema.optional(),
+	disabled: boolean().default(false)
+};
+const mcpServerSchema = object({
+	...commonSchema,
+	transport: _enum([
+		"stdio",
+		"http",
+		"sse"
+	]).optional(),
+	command: string().min(1).optional(),
+	args: array(string()).optional(),
+	env: stringMapSchema.optional(),
+	cwd: string().min(1).optional(),
+	url: string().min(1).optional(),
+	auth: authSchema.optional(),
+	startupTimeoutMs: number().int().positive().default(1e4),
+	callTimeoutMs: number().int().positive().default(6e4),
+	toolCacheTtlMs: number().int().nonnegative().default(3e4)
+}).strict();
+const openApiEndpointSchema = object({
+	...commonSchema,
+	specPath: string().min(1).optional(),
+	specUrl: string().min(1).optional(),
+	baseUrl: string().min(1).optional(),
+	auth: authSchema,
+	requestTimeoutMs: number().int().positive().default(6e4),
+	operationCacheTtlMs: number().int().nonnegative().default(3e4)
+}).strict();
+const graphQlOperationSchema = object({
+	document: string().min(1).optional(),
+	documentPath: string().min(1).optional(),
+	operationName: string().min(1).optional(),
+	description: string().min(1).optional(),
+	...agentSelectionHintsSchema
+}).strict().refine((operation) => Boolean(operation.document) !== Boolean(operation.documentPath), { message: "GraphQL operation must define exactly one document source" });
+const graphQlEndpointSchema = object({
+	...commonSchema,
+	endpointUrl: string().min(1),
+	schemaPath: string().min(1).optional(),
+	schemaUrl: string().min(1).optional(),
+	introspection: literal(true).optional(),
+	operations: record(string().regex(SERVER_ID_PATTERN), graphQlOperationSchema).optional(),
+	auth: authSchema,
+	requestTimeoutMs: number().int().positive().default(6e4),
+	operationCacheTtlMs: number().int().nonnegative().default(3e4),
+	selectionDepth: number().int().positive().max(5).default(2)
+}).strict();
+const scalarMapSchema = record(string(), union([
+	string(),
+	number(),
+	boolean()
+]));
+const httpActionSchema = object({
+	method: _enum([
+		"GET",
+		"POST",
+		"PUT",
+		"PATCH",
+		"DELETE"
+	]),
+	path: string().min(1).regex(/^\//, "HTTP action path must start with /").refine((value) => !value.startsWith("//"), "HTTP action path must not start with //").refine((value) => !isUrl(value), "HTTP action path must be a URL path, not a URL"),
+	description: string().min(1).optional(),
+	...agentSelectionHintsSchema,
+	inputSchema: record(string(), unknown()).optional(),
+	outputSchema: record(string(), unknown()).optional(),
+	query: scalarMapSchema.optional(),
+	headers: scalarMapSchema.optional(),
+	jsonBody: unknown().optional()
+}).strict().refine((action) => action.method !== "GET" || action.jsonBody === void 0, {
+	path: ["jsonBody"],
+	message: "HTTP GET actions must not define jsonBody"
+});
+const httpApiSchema = object({
+	...commonSchema,
+	baseUrl: string().min(1).regex(HTTP_BASE_URL_PATTERN, "HTTP API baseUrl must not include credentials, query, or fragment"),
+	auth: authSchema,
+	actions: record(string().regex(SERVER_ID_PATTERN), httpActionSchema).refine((actions) => Object.keys(actions).length > 0, "HTTP API must define at least one action"),
+	requestTimeoutMs: number().int().positive().default(6e4),
+	maxResponseBytes: number().int().positive().default(2e5)
+}).strict();
+const cliActionSchema = object({
+	description: string().min(1).optional(),
+	...agentSelectionHintsSchema,
+	inputSchema: record(string(), unknown()).optional(),
+	outputSchema: record(string(), unknown()).optional(),
+	command: string().min(1),
+	args: array(string()).optional(),
+	env: stringMapSchema.optional(),
+	cwd: string().min(1).optional(),
+	timeoutMs: number().int().positive().optional(),
+	maxOutputBytes: number().int().positive().optional(),
+	output: object({ type: _enum(["text", "json"]).default("text") }).strict().optional(),
+	annotations: object({
+		readOnlyHint: boolean().optional(),
+		destructiveHint: boolean().optional(),
+		idempotentHint: boolean().optional(),
+		openWorldHint: boolean().optional()
+	}).strict().optional()
+}).strict();
+const cliToolsSchema = object({
+	...commonSchema,
+	actions: record(string().regex(SERVER_ID_PATTERN), cliActionSchema).refine((actions) => Object.keys(actions).length > 0, "CLI tools backend must define at least one action"),
+	cwd: string().min(1).optional(),
+	env: stringMapSchema.optional(),
+	timeoutMs: number().int().positive().default(6e4),
+	maxOutputBytes: number().int().positive().default(2e5)
+}).strict();
+const capletSetSchema = object({
+	...commonSchema,
+	configPath: string().min(1).optional(),
+	capletsRoot: string().min(1).optional(),
+	defaultSearchLimit: number().int().positive().default(20),
+	maxSearchLimit: number().int().positive().max(50).default(50),
+	toolCacheTtlMs: number().int().nonnegative().default(3e4)
+}).strict();
+const configSchema = object({
+	version: literal(1).default(1),
+	defaultSearchLimit: number().int().positive().default(20),
+	maxSearchLimit: number().int().positive().max(50).default(50),
+	completion: object({
+		discoveryTimeoutMs: number().int().positive().default(750),
+		overallTimeoutMs: number().int().positive().default(1500),
+		cacheTtlMs: number().int().nonnegative().default(3e5),
+		negativeCacheTtlMs: number().int().nonnegative().default(3e4)
+	}).strict().default({
+		discoveryTimeoutMs: 750,
+		overallTimeoutMs: 1500,
+		cacheTtlMs: 3e5,
+		negativeCacheTtlMs: 3e4
+	}),
+	options: object({
+		exposure: exposureSchema.default("code_mode"),
+		exposureDiscoveryTimeoutMs: number().int().positive().default(15e3),
+		exposureDiscoveryConcurrency: number().int().positive().max(32).default(4)
+	}).strict().default({
+		exposure: "code_mode",
+		exposureDiscoveryTimeoutMs: 15e3,
+		exposureDiscoveryConcurrency: 4
+	}),
+	mcpServers: record(string().regex(SERVER_ID_PATTERN), mcpServerSchema).default({}),
+	openapiEndpoints: record(string().regex(SERVER_ID_PATTERN), openApiEndpointSchema).default({}),
+	graphqlEndpoints: record(string().regex(SERVER_ID_PATTERN), graphQlEndpointSchema).default({}),
+	httpApis: record(string().regex(SERVER_ID_PATTERN), httpApiSchema).default({}),
+	cliTools: record(string().regex(SERVER_ID_PATTERN), cliToolsSchema).default({}),
+	capletSets: record(string().regex(SERVER_ID_PATTERN), capletSetSchema).default({})
+}).strict().superRefine((config, ctx) => {
+	if (config.defaultSearchLimit > config.maxSearchLimit) ctx.addIssue({
+		code: "custom",
+		path: ["defaultSearchLimit"],
+		message: "defaultSearchLimit must be <= maxSearchLimit"
+	});
+	validateBackends(config, ctx);
+});
+function parseConfig(input) {
+	const parsed = configSchema.safeParse(input);
+	if (!parsed.success) throw new CapletsError("CONFIG_INVALID", "Caplets config is invalid", parsed.error.issues);
+	const config = parsed.data;
+	return {
+		version: 1,
+		options: {
+			defaultSearchLimit: config.defaultSearchLimit,
+			maxSearchLimit: config.maxSearchLimit,
+			exposure: config.options.exposure,
+			exposureDiscoveryTimeoutMs: config.options.exposureDiscoveryTimeoutMs,
+			exposureDiscoveryConcurrency: config.options.exposureDiscoveryConcurrency,
+			completion: config.completion
+		},
+		mcpServers: mapBackend(config.mcpServers, "mcp", (id, raw) => {
+			const server = raw;
+			return {
+				...server,
+				server: id,
+				transport: server.transport ?? (server.command ? "stdio" : "http")
+			};
+		}),
+		openapiEndpoints: mapBackend(config.openapiEndpoints, "openapi"),
+		graphqlEndpoints: mapBackend(config.graphqlEndpoints, "graphql"),
+		httpApis: mapBackend(config.httpApis, "http"),
+		cliTools: mapBackend(config.cliTools, "cli"),
+		capletSets: mapBackend(config.capletSets, "caplets")
+	};
+}
+function oauthLikeSchema(type) {
+	return object({
+		type: literal(type),
+		authorizationUrl: string().min(1).optional(),
+		tokenUrl: string().min(1).optional(),
+		issuer: string().min(1).optional(),
+		resourceMetadataUrl: string().min(1).optional(),
+		authorizationServerMetadataUrl: string().min(1).optional(),
+		openidConfigurationUrl: string().min(1).optional(),
+		clientMetadataUrl: string().min(1).optional(),
+		clientId: string().min(1).optional(),
+		clientSecret: string().min(1).optional(),
+		scopes: array(string().min(1)).optional(),
+		redirectUri: string().min(1).optional()
+	}).strict();
+}
+function validateBackends(config, ctx) {
+	for (const [server, raw] of Object.entries(config.mcpServers)) {
+		const effectiveTransport = raw.transport ?? (raw.command ? "stdio" : void 0);
+		if (Boolean(raw.command) === Boolean(raw.url)) ctx.addIssue({
+			code: "custom",
+			path: ["mcpServers", server],
+			message: "MCP server must define exactly one connection shape: command or url"
+		});
+		if (effectiveTransport === "stdio" && !raw.command) ctx.addIssue({
+			code: "custom",
+			path: [
+				"mcpServers",
+				server,
+				"command"
+			],
+			message: "stdio servers require command"
+		});
+		if ((effectiveTransport === "http" || effectiveTransport === "sse") && !raw.url) ctx.addIssue({
+			code: "custom",
+			path: [
+				"mcpServers",
+				server,
+				"url"
+			],
+			message: "remote servers require url"
+		});
+		if (raw.url && !hasEnvReference(raw.url) && !isAllowedRemoteUrl(raw.url)) ctx.addIssue({
+			code: "custom",
+			path: [
+				"mcpServers",
+				server,
+				"url"
+			],
+			message: "remote url must use https except loopback development urls"
+		});
+		validateAuthHeaders(raw.auth, ctx, [
+			"mcpServers",
+			server,
+			"auth"
+		]);
+	}
+	for (const [server, raw] of Object.entries(config.openapiEndpoints)) {
+		if (Boolean(raw.specPath) === Boolean(raw.specUrl)) ctx.addIssue({
+			code: "custom",
+			path: ["openapiEndpoints", server],
+			message: "OpenAPI endpoint must define exactly one spec source: specPath or specUrl"
+		});
+		if (raw.specUrl && !hasEnvReference(raw.specUrl) && !isAllowedRemoteUrl(raw.specUrl)) ctx.addIssue({
+			code: "custom",
+			path: [
+				"openapiEndpoints",
+				server,
+				"specUrl"
+			],
+			message: "OpenAPI specUrl must use https except loopback development urls"
+		});
+		if (raw.baseUrl && !hasEnvReference(raw.baseUrl) && !isAllowedRemoteUrl(raw.baseUrl)) ctx.addIssue({
+			code: "custom",
+			path: [
+				"openapiEndpoints",
+				server,
+				"baseUrl"
+			],
+			message: "OpenAPI baseUrl must use https except loopback development urls"
+		});
+		validateAuthHeaders(raw.auth, ctx, [
+			"openapiEndpoints",
+			server,
+			"auth"
+		]);
+	}
+	for (const [server, raw] of Object.entries(config.graphqlEndpoints)) {
+		if (Number(Boolean(raw.schemaPath)) + Number(Boolean(raw.schemaUrl)) + Number(raw.introspection === true) !== 1) ctx.addIssue({
+			code: "custom",
+			path: ["graphqlEndpoints", server],
+			message: "GraphQL endpoint must define exactly one schema source"
+		});
+		if (raw.endpointUrl && !hasEnvReference(raw.endpointUrl) && !isAllowedRemoteUrl(raw.endpointUrl)) ctx.addIssue({
+			code: "custom",
+			path: [
+				"graphqlEndpoints",
+				server,
+				"endpointUrl"
+			],
+			message: "GraphQL endpointUrl must use https except loopback development urls"
+		});
+		validateAuthHeaders(raw.auth, ctx, [
+			"graphqlEndpoints",
+			server,
+			"auth"
+		]);
+	}
+	for (const [server, raw] of Object.entries(config.httpApis)) {
+		if (raw.baseUrl && !hasEnvReference(raw.baseUrl) && !isAllowedHttpBaseUrl(raw.baseUrl)) ctx.addIssue({
+			code: "custom",
+			path: [
+				"httpApis",
+				server,
+				"baseUrl"
+			],
+			message: "HTTP API baseUrl must use https except loopback development urls and must not include credentials, query, or fragment"
+		});
+		validateAuthHeaders(raw.auth, ctx, [
+			"httpApis",
+			server,
+			"auth"
+		]);
+		for (const [actionName, action] of Object.entries(raw.actions)) if (action.headers) validateHttpActionHeaders(action.headers, ctx, [
+			"httpApis",
+			server,
+			"actions",
+			actionName,
+			"headers"
+		]);
+	}
+	for (const [server, raw] of Object.entries(config.capletSets)) {
+		if (!raw.configPath && !raw.capletsRoot) ctx.addIssue({
+			code: "custom",
+			path: ["capletSets", server],
+			message: "Caplet set must define at least one source: configPath or capletsRoot"
+		});
+		if (raw.defaultSearchLimit > raw.maxSearchLimit) ctx.addIssue({
+			code: "custom",
+			path: [
+				"capletSets",
+				server,
+				"defaultSearchLimit"
+			],
+			message: "defaultSearchLimit must be <= maxSearchLimit"
+		});
+	}
+}
+function validateAuthHeaders(auth, ctx, path) {
+	if (auth?.type !== "headers") return;
+	for (const headerName of Object.keys(auth.headers)) {
+		const normalized = headerName.toLowerCase();
+		if (!HEADER_NAME_PATTERN.test(headerName) || FORBIDDEN_HEADERS.has(normalized)) ctx.addIssue({
+			code: "custom",
+			path: [
+				...path,
+				"headers",
+				headerName
+			],
+			message: `header ${headerName} is not allowed`
+		});
+	}
+}
+function mapBackend(records, backend, prepare) {
+	return Object.fromEntries(Object.entries(records).map(([id, raw]) => [id, stripUndefined({
+		...prepare ? prepare(id, raw) : raw,
+		server: id,
+		backend
+	})]));
+}
+function stripUndefined(value) {
+	return Object.fromEntries(Object.entries(value).filter(([, nested]) => nested !== void 0));
+}
+function hasEnvReference(value) {
+	return /\$\{?[A-Z_][A-Z0-9_]*\}?|\$env:[A-Z_][A-Z0-9_]*/u.test(value);
+}
+//#endregion
+export { parseConfig };