npm - @caplets/core - Versions diffs - 0.20.0 → 0.20.2 - Mend

@caplets/core 0.20.0 → 0.20.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/auth.d.ts +2 -2
package/dist/{completion-CbazRAiL.js → completion-DZg_TWiX.js} +1 -1
package/dist/index.js +8 -4
package/dist/native.js +1 -1
package/dist/serve/options.d.ts +1 -0
package/dist/{service-D0MwLNyb.js → service-D3W-LuOx.js} +136 -33
package/package.json +1 -1

package/dist/auth.d.ts CHANGED Viewed

@@ -30,8 +30,8 @@ export type GenericAuthTarget = {
     requestTimeoutMs?: number | undefined;
 };
 export declare function staticRemoteHeaders(server: CapletServerConfig): Record<string, string>;
-export declare function oauthHeaders(server: CapletServerConfig, authDir?: string): Record<string, string>;
-export declare function genericOAuthHeaders(target: GenericAuthTarget, authDir?: string): Record<string, string>;
+export declare function oauthHeaders(server: CapletServerConfig, authDir?: string): Promise<Record<string, string>>;
+export declare function genericOAuthHeaders(target: GenericAuthTarget, authDir?: string): Promise<Record<string, string>>;
 export declare class FileOAuthProvider implements OAuthClientProvider {
     readonly server: CapletServerConfig;
     readonly redirectUrl: string;

package/dist/{completion-CbazRAiL.js → completion-DZg_TWiX.js} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { St as resolveProjectConfigPath, Y as loadConfigWithSources, bt as resolveConfigPath, mt as DEFAULT_COMPLETION_CACHE_DIR, pt as DEFAULT_AUTH_DIR, vn as __exportAll, yt as resolveCapletsRoot } from "./service-D0MwLNyb.js";
+import { St as resolveProjectConfigPath, Y as loadConfigWithSources, bt as resolveConfigPath, mt as DEFAULT_COMPLETION_CACHE_DIR, pt as DEFAULT_AUTH_DIR, vn as __exportAll, yt as resolveCapletsRoot } from "./service-D3W-LuOx.js";
 import { u as CapletsError } from "./validation-CdqbI2zN.js";
 import { mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";

package/dist/index.js CHANGED Viewed

@@ -1,9 +1,9 @@
-import { $ as parseConfig, $t as ReadResourceRequestSchema, A as QuickJsCodeModeSandbox, At as toJsonSchemaCompat, B as CapletsEngine, Bt as ErrorCode, C as nativeCapletToolName, Ct as ReadBuffer, D as codeModeRunInputSchema, Dt as AjvJsonSchemaValidator, Et as assertToolsCallTaskCapability, F as redactCodeModeLogText, Ft as CreateMessageResultWithToolsSchema, G as handleServerTool, Gt as LATEST_PROTOCOL_VERSION, H as decodeDirectResourceUri, Ht as InitializeRequestSchema, I as codeModeDeclarationHash, It as CreateTaskResultSchema, J as loadConfig, Jt as ListResourcesRequestSchema, K as ServerRegistry, Kt as ListPromptsRequestSchema, L as generateCodeModeDeclarations, M as createCodeModeCapletsApi, Mt as CallToolResultSchema, N as listCodeModeCallableCaplets, Nt as CompleteRequestSchema, O as codeModeRunParamsSchema, Ot as Protocol, P as CodeModeLogStore, Pt as CreateMessageResultSchema, Q as loadProjectConfig, Qt as McpError, R as generateCodeModeRunToolDescription, Rt as ElicitResultSchema, S as nativeCapletToolDescription, St as resolveProjectConfigPath, T as nativeCodeModeToolId, Tt as assertClientRequestTaskCapability, U as findProjectRoot, Ut as InitializedNotificationSchema, V as resolveExposure, Vt as GetPromptRequestSchema, W as fingerprintProjectRoot, Wt as JSONRPCMessageSchema, X as loadGlobalConfig, Xt as ListToolsRequestSchema, Y as loadConfigWithSources, Yt as ListRootsResultSchema, Z as loadLocalOverlayConfigWithSources, Zt as LoggingLevelSchema, _ as controlUrlForBase, _n as safeParseAsync, _t as defaultConfigBaseDir, a as projectBindingError, an as isJSONRPCErrorResponse, at as markdownStructuredContent, b as resolveCapletsServer, bt as resolveConfigPath, c as cloudAuthPath, cn as getLiteralValue, ct as startGenericOAuthFlow, d as CloudAuthClient, dn as getSchemaDescription, dt as isTokenBundleExpired, en as SUPPORTED_PROTOCOL_VERSIONS, et as discoverCapletFiles, fn as isSchemaOptional, ft as readTokenBundle, g as resolveCapletsRemote, gn as safeParse, gt as defaultCacheBaseDir, hn as objectFromShape, ht as DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR, i as ProjectBindingError, in as isInitializeRequest, it as markdownCallToolResultContent, j as diagnoseCodeModeTypeScript, jt as CallToolRequestSchema, k as runCodeMode, kt as mergeCapabilities, l as migrateCredentials, ln as getObjectShape, lt as startOAuthFlow, m as buildProjectSyncManifest, mn as normalizeObjectSchema, n as resolveRemoteSelection, nn as assertCompleteRequestPrompt, nt as loadCapletFilesFromMap, o as projectBindingRecovery, on as isJSONRPCRequest, ot as runGenericOAuthFlow, p as createSdkRemoteCapletsClient, pn as isZ4Schema, q as capabilityDescription, qt as ListResourceTemplatesRequestSchema, r as PROJECT_BINDING_ERROR_CODES, rn as assertCompleteRequestResourceTemplate, rt as hasRenderableStructuredContent, s as CloudAuthStore, sn as isJSONRPCResultResponse, st as runOAuthFlow, t as createNativeCapletsService, tn as SetLevelRequestSchema, tt as validateCapletFile, u as redactedCloudAuthStatus, un as getParseErrorMessage, ut as deleteTokenBundle, v as parseServerBaseUrl, vt as defaultStateBaseDir, wt as serializeMessage, x as nativeCapletPromptGuidance, xt as resolveProjectCapletsRoot, y as resolveCapletsMode, yt as resolveCapletsRoot, z as minifyCodeModeDeclarationText, zt as EmptyResultSchema } from "./service-D0MwLNyb.js";
+import { $ as parseConfig, $t as ReadResourceRequestSchema, A as QuickJsCodeModeSandbox, At as toJsonSchemaCompat, B as CapletsEngine, Bt as ErrorCode, C as nativeCapletToolName, Ct as ReadBuffer, D as codeModeRunInputSchema, Dt as AjvJsonSchemaValidator, Et as assertToolsCallTaskCapability, F as redactCodeModeLogText, Ft as CreateMessageResultWithToolsSchema, G as handleServerTool, Gt as LATEST_PROTOCOL_VERSION, H as decodeDirectResourceUri, Ht as InitializeRequestSchema, I as codeModeDeclarationHash, It as CreateTaskResultSchema, J as loadConfig, Jt as ListResourcesRequestSchema, K as ServerRegistry, Kt as ListPromptsRequestSchema, L as generateCodeModeDeclarations, M as createCodeModeCapletsApi, Mt as CallToolResultSchema, N as listCodeModeCallableCaplets, Nt as CompleteRequestSchema, O as codeModeRunParamsSchema, Ot as Protocol, P as CodeModeLogStore, Pt as CreateMessageResultSchema, Q as loadProjectConfig, Qt as McpError, R as generateCodeModeRunToolDescription, Rt as ElicitResultSchema, S as nativeCapletToolDescription, St as resolveProjectConfigPath, T as nativeCodeModeToolId, Tt as assertClientRequestTaskCapability, U as findProjectRoot, Ut as InitializedNotificationSchema, V as resolveExposure, Vt as GetPromptRequestSchema, W as fingerprintProjectRoot, Wt as JSONRPCMessageSchema, X as loadGlobalConfig, Xt as ListToolsRequestSchema, Y as loadConfigWithSources, Yt as ListRootsResultSchema, Z as loadLocalOverlayConfigWithSources, Zt as LoggingLevelSchema, _ as controlUrlForBase, _n as safeParseAsync, _t as defaultConfigBaseDir, a as projectBindingError, an as isJSONRPCErrorResponse, at as markdownStructuredContent, b as resolveCapletsServer, bt as resolveConfigPath, c as cloudAuthPath, cn as getLiteralValue, ct as startGenericOAuthFlow, d as CloudAuthClient, dn as getSchemaDescription, dt as isTokenBundleExpired, en as SUPPORTED_PROTOCOL_VERSIONS, et as discoverCapletFiles, fn as isSchemaOptional, ft as readTokenBundle, g as resolveCapletsRemote, gn as safeParse, gt as defaultCacheBaseDir, hn as objectFromShape, ht as DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR, i as ProjectBindingError, in as isInitializeRequest, it as markdownCallToolResultContent, j as diagnoseCodeModeTypeScript, jt as CallToolRequestSchema, k as runCodeMode, kt as mergeCapabilities, l as migrateCredentials, ln as getObjectShape, lt as startOAuthFlow, m as buildProjectSyncManifest, mn as normalizeObjectSchema, n as resolveRemoteSelection, nn as assertCompleteRequestPrompt, nt as loadCapletFilesFromMap, o as projectBindingRecovery, on as isJSONRPCRequest, ot as runGenericOAuthFlow, p as createSdkRemoteCapletsClient, pn as isZ4Schema, q as capabilityDescription, qt as ListResourceTemplatesRequestSchema, r as PROJECT_BINDING_ERROR_CODES, rn as assertCompleteRequestResourceTemplate, rt as hasRenderableStructuredContent, s as CloudAuthStore, sn as isJSONRPCResultResponse, st as runOAuthFlow, t as createNativeCapletsService, tn as SetLevelRequestSchema, tt as validateCapletFile, u as redactedCloudAuthStatus, un as getParseErrorMessage, ut as deleteTokenBundle, v as parseServerBaseUrl, vt as defaultStateBaseDir, wt as serializeMessage, x as nativeCapletPromptGuidance, xt as resolveProjectCapletsRoot, y as resolveCapletsMode, yt as resolveCapletsRoot, z as minifyCodeModeDeclarationText, zt as EmptyResultSchema } from "./service-D3W-LuOx.js";
 import { _ as record, b as unknown, d as literal, m as object, n as ZodOptional, o as array, p as number, r as _enum, s as boolean, v as string, x as url } from "./schemas-BZ6BBrh7.js";
 import { f as redactSecrets, i as SERVER_ID_PATTERN, l as CAPLETS_ERROR_CODES, p as toSafeError, u as CapletsError } from "./validation-CdqbI2zN.js";
 import { generatedToolInputSchema, generatedToolInputSchemaForCaplet } from "./generated-tool-input-schema.js";
 import { f as observedOutputShapeKey, i as observeOutputShape, u as FileObservedOutputShapeStore } from "./observed-output-shapes-uzAMQPhg.js";
-import { a as formatCapletList, c as resolveCliConfigPaths, l as cliCommands$1, n as completionScript, o as formatConfigPaths, s as listCaplets, t as completeCliWords, u as completionShells } from "./completion-CbazRAiL.js";
+import { a as formatCapletList, c as resolveCliConfigPaths, l as cliCommands$1, n as completionScript, o as formatConfigPaths, s as listCaplets, t as completeCliWords, u as completionShells } from "./completion-DZg_TWiX.js";
 import { n as normalizeCapletSourcePath, t as FilesystemCapletSource } from "./filesystem-Kkg32TOJ.js";
 import { parseConfig as parseConfig$1 } from "./config-runtime.js";
 import fs, { accessSync, chmodSync, closeSync, constants, copyFileSync, cpSync, existsSync, lstatSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, readlinkSync, realpathSync, rmSync, statSync, writeFileSync, writeSync } from "node:fs";
@@ -1553,7 +1553,7 @@ const EMPTY_COMPLETION_RESULT = { completion: {
 } };
 //#endregion
 //#region package.json
-var version = "0.20.0";
+var version = "0.20.2";
 //#endregion
 //#region src/serve/session.ts
 var CapletsMcpSession = class {
@@ -7110,6 +7110,7 @@ function resolveServeOptions(raw, env = process.env) {
 		path,
 		...serverUrl ? { publicOrigin: serverUrl.origin } : {},
 		auth,
+		allowUnauthenticatedHttp: raw.allowUnauthenticatedHttp === true,
 		warnUnauthenticatedNetwork: !loopback && !auth.enabled,
 		loopback,
 		trustProxy: raw.trustProxy === true
@@ -11135,13 +11136,16 @@ function safeEqual(left, right) {
 }
 function dnsRebindingOptions(options) {
 	const hostForHeader = options.host === "::1" ? "[::1]" : options.host;
+	const publicUrl = options.publicOrigin ? new URL(options.publicOrigin) : void 0;
+	const publicHosts = publicUrl && (options.auth.enabled || options.allowUnauthenticatedHttp) ? [publicUrl.hostname, publicUrl.host] : [];
 	return {
 		enableDnsRebindingProtection: true,
 		allowedHosts: [
 			options.host,
 			hostForHeader,
 			`${hostForHeader}:${options.port}`,
-			`localhost:${options.port}`
+			`localhost:${options.port}`,
+			...publicHosts
 		]
 	};
 }

package/dist/native.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { C as nativeCapletToolName, E as nativeCodeModeToolName, S as nativeCapletToolDescription, T as nativeCodeModeToolId, f as RemoteNativeCapletsService, h as resolveNativeCapletsServiceOptions, p as createSdkRemoteCapletsClient, t as createNativeCapletsService, w as nativeCapletsSystemGuidance, x as nativeCapletPromptGuidance } from "./service-D0MwLNyb.js";
+import { C as nativeCapletToolName, E as nativeCodeModeToolName, S as nativeCapletToolDescription, T as nativeCodeModeToolId, f as RemoteNativeCapletsService, h as resolveNativeCapletsServiceOptions, p as createSdkRemoteCapletsClient, t as createNativeCapletsService, w as nativeCapletsSystemGuidance, x as nativeCapletPromptGuidance } from "./service-D3W-LuOx.js";
 import { generatedToolInputJsonSchema, generatedToolInputSchema } from "./generated-tool-input-schema.js";
 //#region src/native/process-cleanup.ts
 function registerNativeCapletsProcessCleanup(service, options = {}) {

package/dist/serve/options.d.ts CHANGED Viewed

@@ -19,6 +19,7 @@ export type HttpServeOptions = {
     path: string;
     publicOrigin?: string | undefined;
     auth: HttpBasicAuthOptions;
+    allowUnauthenticatedHttp: boolean;
     warnUnauthenticatedNetwork: boolean;
     loopback: boolean;
     trustProxy: boolean;

package/dist/{service-D0MwLNyb.js → service-D3W-LuOx.js} RENAMED Viewed

@@ -17317,23 +17317,24 @@ function staticRemoteHeaders(server) {
 	if (server.auth?.type === "headers") return server.auth.headers;
 	return {};
 }
-function genericOAuthHeaders(target, authDir) {
+async function genericOAuthHeaders(target, authDir) {
 	if (target.auth?.type !== "oauth2" && target.auth?.type !== "oidc") return {};
 	const authConfig = target.auth;
-	const bundle = readTokenBundle(target.server, authDir);
-	if (!bundle?.accessToken) throw new CapletsError("AUTH_REQUIRED", `OAuth credentials required for ${target.server}`, {
+	let bundle = readTokenBundle(target.server, authDir);
+	if (!bundle?.accessToken && !bundle?.refreshToken) throw new CapletsError("AUTH_REQUIRED", `OAuth credentials required for ${target.server}`, {
 		server: target.server,
 		backend: target.backend,
 		authType: authConfig.type,
 		nextAction: "run_caplets_auth_login"
 	});
-	if (isTokenBundleExpired(bundle)) throw new CapletsError("AUTH_REFRESH_FAILED", `OAuth token for ${target.server} is expired`, {
+	assertTokenBundleMatchesTarget(bundle, target, authConfig);
+	if (!bundle.accessToken || isTokenBundleExpired(bundle)) bundle = await refreshGenericOAuthBundle(target, authConfig, bundle, authDir);
+	if (!bundle.accessToken || isTokenBundleExpired(bundle)) throw new CapletsError("AUTH_REFRESH_FAILED", `OAuth token for ${target.server} is expired`, {
 		server: target.server,
 		backend: target.backend,
 		authType: authConfig.type,
 		nextAction: "run_caplets_auth_login"
 	});
-	assertTokenBundleMatchesTarget(bundle, target, authConfig);
 	return { authorization: `${bundle.tokenType ?? "Bearer"} ${bundle.accessToken}` };
 }
 var FileOAuthProvider = class {
@@ -17441,7 +17442,7 @@ async function startOAuthFlow(server, options) {
 		complete: async (callbackUrl) => {
 			assertNoOAuthCallbackError(server, callbackUrl);
 			const completion = extractCompletion(callbackUrl);
-			if (completion.state !== provider.state()) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+			if (completion.state !== provider.state()) throw oauthStateMismatchError(server.server);
 			try {
 				await auth(provider, {
 					serverUrl: server.url,
@@ -17535,7 +17536,7 @@ async function startGenericOAuthFlow(target, options) {
 		complete: async (callbackUrl) => {
 			assertNoOAuthCallbackError(target, callbackUrl);
 			const completion = extractCompletion(callbackUrl);
-			if (completion.state !== state) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+			if (completion.state !== state) throw oauthStateMismatchError(target.server);
 			const params = new URLSearchParams({
 				grant_type: "authorization_code",
 				code: completion.code,
@@ -17613,7 +17614,7 @@ async function runGenericOAuthFlow(target, options = {}) {
 			code: callbackCode,
 			...callbackState ? { state: callbackState } : {}
 		} : void 0);
-		if (completion.state !== state) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+		if (completion.state !== state) throw oauthStateMismatchError(target.server);
 		const params = new URLSearchParams({
 			grant_type: "authorization_code",
 			code: completion.code,
@@ -17658,9 +17659,9 @@ async function runGenericOAuthFlow(target, options = {}) {
 }
 function extractCompletion(input) {
 	try {
-		const url = new URL(input);
-		const code = url.searchParams.get("code");
-		const state = url.searchParams.get("state") ?? void 0;
+		const url = new URL(stripOAuthCallbackUrlWrapping(input));
+		const code = extractOAuthCallbackParam(url, "code");
+		const state = extractOAuthCallbackParam(url, "state");
 		if (!code) throw new Error("missing code");
 		return state ? {
 			code,
@@ -17670,6 +17671,27 @@ function extractCompletion(input) {
 		return { code: input.trim() };
 	}
 }
+function stripOAuthCallbackUrlWrapping(input) {
+	return input.replace(/\s+/g, "");
+}
+function extractOAuthCallbackParam(url, name) {
+	const query = url.search.startsWith("?") ? url.search.slice(1) : url.search;
+	for (const part of query.split("&")) {
+		const separator = part.indexOf("=");
+		const rawName = separator < 0 ? part : part.slice(0, separator);
+		const rawValue = separator < 0 ? "" : part.slice(separator + 1);
+		if (decodeOAuthCallbackQueryValue(rawName) === name) return decodeOAuthCallbackQueryValue(rawValue) || void 0;
+	}
+}
+function decodeOAuthCallbackQueryValue(value) {
+	return decodeURIComponent(value);
+}
+function oauthStateMismatchError(server) {
+	return new CapletsError("AUTH_FAILED", "OAuth callback state did not match. Re-run auth login and use the authorization URL and callback URL from the same attempt.", {
+		server,
+		nextAction: "rerun_caplets_auth_login"
+	});
+}
 function classifyRemoteAuthError(server, response) {
 	if (response.status !== 401 && response.status !== 403) return;
 	const challenge = extractWWWAuthenticateParams(response);
@@ -17768,6 +17790,87 @@ async function resolveGenericClient(target, authConfig, metadata, redirectUri, a
 		dynamic: true
 	};
 }
+async function refreshGenericOAuthBundle(target, authConfig, bundle, authDir) {
+	if (!bundle.refreshToken) throw new CapletsError("AUTH_REFRESH_FAILED", `OAuth token for ${target.server} is expired`, {
+		server: target.server,
+		backend: target.backend,
+		authType: authConfig.type,
+		nextAction: "run_caplets_auth_login"
+	});
+	const allowLoopbackHttp = isLoopbackDevelopmentTarget(target, authConfig);
+	let metadata = {};
+	let tokenEndpoint = authConfig.tokenUrl;
+	if (!tokenEndpoint) {
+		metadata = await discoverAuthorizationServer(target, authConfig, allowLoopbackHttp);
+		tokenEndpoint = metadata.token_endpoint;
+	}
+	if (!tokenEndpoint) throw new CapletsError("AUTH_REFRESH_FAILED", "OAuth metadata is missing token endpoint", {
+		server: target.server,
+		backend: target.backend,
+		authType: authConfig.type,
+		nextAction: "run_caplets_auth_login"
+	});
+	assertAllowedAuthUrl(tokenEndpoint, "token endpoint", allowLoopbackHttp);
+	const clientId = authConfig.clientId ?? authConfig.clientMetadataUrl ?? bundle.clientId;
+	if (!clientId) throw new CapletsError("AUTH_REFRESH_FAILED", "OAuth clientId is required to refresh tokens", {
+		server: target.server,
+		backend: target.backend,
+		authType: authConfig.type,
+		nextAction: "run_caplets_auth_login"
+	});
+	const clientSecret = authConfig.clientSecret ?? bundle.clientSecret;
+	const params = new URLSearchParams({
+		grant_type: "refresh_token",
+		refresh_token: bundle.refreshToken,
+		client_id: clientId
+	});
+	if (clientSecret) params.set("client_secret", clientSecret);
+	let tokenResponse;
+	try {
+		tokenResponse = await fetchJson(tokenEndpoint, target.requestTimeoutMs, {
+			method: "POST",
+			headers: { "content-type": "application/x-www-form-urlencoded" },
+			body: params.toString()
+		}, allowLoopbackHttp);
+	} catch (error) {
+		if (error instanceof CapletsError) throw new CapletsError("AUTH_REFRESH_FAILED", `OAuth token refresh failed`, {
+			server: target.server,
+			backend: target.backend,
+			authType: authConfig.type,
+			nextAction: "run_caplets_auth_login",
+			cause: error.details
+		});
+		throw error;
+	}
+	const idToken = asString(tokenResponse.id_token);
+	const idClaims = parseJwtPayload(idToken);
+	if (idToken) {
+		if (!metadata.issuer && !authConfig.issuer) metadata = await discoverAuthorizationServer(target, authConfig, allowLoopbackHttp);
+		validateOidcToken(authConfig, metadata, idToken, idClaims, clientId);
+	}
+	const refreshed = stripUndefined$1({
+		...bundle,
+		server: target.server,
+		authType: authConfig.type,
+		accessToken: requireString(tokenResponse.access_token, "access_token"),
+		refreshToken: asString(tokenResponse.refresh_token) ?? bundle.refreshToken,
+		tokenType: asString(tokenResponse.token_type) ?? bundle.tokenType,
+		expiresAt: refreshedExpiresAt(tokenResponse.expires_in, bundle.expiresAt),
+		scope: asString(tokenResponse.scope) ?? bundle.scope ?? scopesFor(authConfig),
+		idToken: idToken ?? bundle.idToken,
+		issuer: asString(idClaims?.iss) ?? bundle.issuer ?? metadata.issuer ?? authConfig.issuer,
+		subject: asString(idClaims?.sub) ?? bundle.subject,
+		clientId,
+		clientSecret,
+		protectedResourceOrigin: protectedResourceOrigin(target, authConfig)
+	});
+	writeTokenBundle(refreshed, authDir);
+	return refreshed;
+}
+function refreshedExpiresAt(expiresIn, fallback) {
+	if (typeof expiresIn === "number") return new Date(Date.now() + expiresIn * 1e3).toISOString();
+	if (fallback && Date.parse(fallback) > Date.now()) return fallback;
+}
 async function fetchOptionalJson(url, timeoutMs, allowLoopbackHttp = false) {
 	try {
 		return await fetchJson(url, timeoutMs, {}, allowLoopbackHttp);
@@ -49327,7 +49430,7 @@ var GraphQLManager = class {
 			const headers = new Headers({
 				"content-type": "application/json",
 				...staticHeaders(endpoint),
-				...genericOAuthHeaders({
+				...await genericOAuthHeaders({
 					server: endpoint.server,
 					backend: "graphql",
 					url: endpoint.endpointUrl,
@@ -49630,7 +49733,7 @@ async function postGraphQl(endpoint, url, payload, authDir) {
 			headers: {
 				"content-type": "application/json",
 				...staticHeaders(endpoint),
-				...genericOAuthHeaders({
+				...await genericOAuthHeaders({
 					server: endpoint.server,
 					backend: "graphql",
 					url: endpoint.endpointUrl,
@@ -49655,7 +49758,7 @@ async function fetchGraphQlText(endpoint, url, authDir, sendAuth = true) {
 		response = await fetch(url, {
 			redirect: "manual",
 			signal: controller.signal,
-			headers: { ...sendAuth ? schemaAuthHeaders(endpoint, authDir) : {} }
+			headers: { ...sendAuth ? await schemaAuthHeaders(endpoint, authDir) : {} }
 		});
 	} catch (error) {
 		if (isAbortError(error)) throw new CapletsError("TOOL_CALL_TIMEOUT", "GraphQL schema request timed out");
@@ -49667,10 +49770,10 @@ async function fetchGraphQlText(endpoint, url, authDir, sendAuth = true) {
 	if (!response.ok) throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "GraphQL schema request failed", { status: response.status });
 	return readGraphQlText(response);
 }
-function schemaAuthHeaders(endpoint, authDir) {
+async function schemaAuthHeaders(endpoint, authDir) {
 	return {
 		...staticHeaders(endpoint),
-		...genericOAuthHeaders({
+		...await genericOAuthHeaders({
 			server: endpoint.server,
 			backend: "graphql",
 			url: endpoint.endpointUrl,
@@ -49726,7 +49829,7 @@ var HttpActionManager = class {
 		try {
 			const operations = operationsFor(api);
 			validateBaseUrl(api);
-			authHeaders$1(api, this.options.authDir);
+			await authHeaders$1(api, this.options.authDir);
 			for (const operation of operations) validateAction(api, operation);
 			this.registry.setStatus(api.server, "available");
 			return {
@@ -49755,7 +49858,7 @@ var HttpActionManager = class {
 	async callTool(api, toolName, args) {
 		const operation = getOperation(api, toolName);
 		const startedAt = Date.now();
-		const request = buildRequest$1(api, operation, args, this.options.authDir);
+		const request = await buildRequest$1(api, operation, args, this.options.authDir);
 		const controller = new AbortController();
 		const timeout = setTimeout(() => controller.abort(), api.requestTimeoutMs);
 		try {
@@ -49836,14 +49939,14 @@ function getOperation(api, toolName) {
 	});
 	return operation;
 }
-function buildRequest$1(api, operation, args, authDir) {
+async function buildRequest$1(api, operation, args, authDir) {
 	validateBaseUrl(api);
 	validateAction(api, operation);
 	const url = buildActionUrl(api.baseUrl, substitutePath$1(operation.path, args, operation), { allowEncodedSlash: true });
 	const query = resolveMappingToRecord(operation.query, args, "query");
 	for (const [key, value] of Object.entries(query)) if (value !== void 0 && value !== null) url.searchParams.append(key, serializeHttpValue$1("query", key, value));
 	const headers = new Headers();
-	applyAuth$1(headers, api, authDir);
+	await applyAuth$1(headers, api, authDir);
 	const resolvedHeaders = resolveMappingToRecord(operation.headers, args, "headers");
 	for (const [key, value] of Object.entries(resolvedHeaders)) if (value !== void 0 && value !== null) {
 		validateResolvedHeader(api, operation, key);
@@ -49919,16 +50022,16 @@ function serializeHttpValue$1(location, name, value) {
 		default: throw new CapletsError("REQUEST_INVALID", `HTTP action ${location} parameter ${name} must be a string, number, or boolean`);
 	}
 }
-function applyAuth$1(headers, api, authDir) {
-	for (const [key, value] of Object.entries(authHeaders$1(api, authDir))) headers.set(key, value);
+async function applyAuth$1(headers, api, authDir) {
+	for (const [key, value] of Object.entries(await authHeaders$1(api, authDir))) headers.set(key, value);
 }
-function authHeaders$1(api, authDir) {
+async function authHeaders$1(api, authDir) {
 	switch (api.auth.type) {
 		case "none": return {};
 		case "bearer": return { authorization: `Bearer ${api.auth.token}` };
 		case "headers": return api.auth.headers;
 		case "oauth2":
-		case "oidc": return genericOAuthHeaders({
+		case "oidc": return await genericOAuthHeaders({
 			server: api.server,
 			backend: "http",
 			baseUrl: api.baseUrl,
@@ -59754,7 +59857,7 @@ var OpenApiManager = class {
 	}
 	async callTool(endpoint, toolName, args) {
 		const operation = await this.getOperation(endpoint, toolName);
-		const request = buildRequest(endpoint, operation, args, this.options.authDir);
+		const request = await buildRequest(endpoint, operation, args, this.options.authDir);
 		const controller = new AbortController();
 		const timeout = setTimeout(() => controller.abort(), endpoint.requestTimeoutMs);
 		try {
@@ -59868,7 +59971,7 @@ async function loadOpenApiSource(endpoint, authDir) {
 	if (endpoint.specPath) return endpoint.specPath;
 	if (!endpoint.specUrl) throw new CapletsError("CONFIG_INVALID", `${endpoint.server} is missing OpenAPI spec source`);
 	if (!endpoint.baseUrl) throw new CapletsError("CONFIG_INVALID", `${endpoint.server} must configure baseUrl when using remote specUrl`);
-	return parseOpenApiSourceText(await fetchWithLimit(endpoint.specUrl, endpoint.requestTimeoutMs, shouldSendSpecAuth(endpoint) ? authHeaders(endpoint, authDir) : {}));
+	return parseOpenApiSourceText(await fetchWithLimit(endpoint.specUrl, endpoint.requestTimeoutMs, shouldSendSpecAuth(endpoint) ? await authHeaders(endpoint, authDir) : {}));
 }
 function parseOpenApiSourceText(source) {
 	let parsed;
@@ -60039,13 +60142,13 @@ function rejectExternalRefs(value) {
 	if (typeof object.$ref === "string" && !object.$ref.startsWith("#/")) throw new CapletsError("CONFIG_INVALID", "External OpenAPI $ref values are not supported");
 	for (const nested of Object.values(object)) rejectExternalRefs(nested);
 }
-function buildRequest(endpoint, operation, args, authDir) {
+async function buildRequest(endpoint, operation, args, authDir) {
 	const base = endpoint.baseUrl ?? operation.baseUrl;
 	validateOperationBaseUrl(endpoint, base);
 	const url = buildOperationUrl(base, substitutePath(operation.path, asRecord(args.path), operation));
 	for (const [key, value] of Object.entries(asRecord(args.query))) if (value !== void 0 && value !== null) url.searchParams.append(key, serializeHttpValue("query", key, value));
 	const headers = new Headers();
-	applyAuth(headers, endpoint, authDir);
+	await applyAuth(headers, endpoint, authDir);
 	const configuredHeaderNames = configuredAuthHeaderNames(endpoint);
 	for (const [key, value] of Object.entries(operation.staticHeaders ?? {})) if (!headers.has(key) && !configuredHeaderNames.has(key.toLowerCase())) headers.set(key, value);
 	for (const [key, value] of Object.entries(asRecord(args.header))) if (value !== void 0 && value !== null) {
@@ -60090,19 +60193,19 @@ function serializeHttpValue(location, name, value) {
 function asRecord(value) {
 	return value && typeof value === "object" && !Array.isArray(value) ? value : {};
 }
-function applyAuth(headers, endpoint, authDir) {
-	for (const [key, value] of Object.entries(authHeaders(endpoint, authDir))) headers.set(key, value);
+async function applyAuth(headers, endpoint, authDir) {
+	for (const [key, value] of Object.entries(await authHeaders(endpoint, authDir))) headers.set(key, value);
 }
 function configuredAuthHeaderNames(endpoint) {
 	return endpoint.auth.type === "headers" ? new Set(Object.keys(endpoint.auth.headers).map((key) => key.toLowerCase())) : /* @__PURE__ */ new Set();
 }
-function authHeaders(endpoint, authDir) {
+async function authHeaders(endpoint, authDir) {
 	switch (endpoint.auth.type) {
 		case "none": return {};
 		case "bearer": return { authorization: `Bearer ${endpoint.auth.token}` };
 		case "headers": return endpoint.auth.headers;
 		case "oauth2":
-		case "oidc": return genericOAuthHeaders(endpoint, authDir);
+		case "oidc": return await genericOAuthHeaders(endpoint, authDir);
 	}
 }
 function shouldSendSpecAuth(endpoint) {
@@ -61697,7 +61800,7 @@ var CapletsEngine = class {
 		}
 	}
 	async completeCliWords(words) {
-		const { completeCliWords } = await import("./completion-CbazRAiL.js").then((n) => n.r);
+		const { completeCliWords } = await import("./completion-DZg_TWiX.js").then((n) => n.r);
 		return await completeCliWords(words, {
 			config: this.registry.config,
 			managers: {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@caplets/core",
-  "version": "0.20.0",
+  "version": "0.20.2",
   "description": "Core runtime library for Caplets Code Mode and progressive disclosure gateways.",
   "keywords": [
     "caplets",