@codemation/core-nodes 0.7.1 → 0.8.0

package/src/nodes/DeferredMetaToolStrategy.ts

@@ -0,0 +1,200 @@
+import type { ToolSet } from "ai";
+import { jsonSchema } from "ai";
+import { z } from "zod";
+import type { BM25Index } from "./BM25Index";
+import type {
+  FindToolsResult,
+  ToolLoadingStrategy,
+  ToolLoadingStrategyInitInput,
+  ToolLoadingStrategyTurnContext,
+} from "./ToolLoadingStrategy";
+
+const PINNED_TOOLS_SOFT_LIMIT = 8;
+const PINNED_TOOLS_HARD_LIMIT = 16;
+
+const FIND_TOOLS_NAME = "find_tools";
+const FIND_TOOLS_DEFAULT_LIMIT = 5;
+
+interface McpToolEntry {
+  readonly serverId: string;
+  readonly toolName: string;
+  readonly description: string;
+  readonly toolDef: ToolSet[string];
+}
+
+/**
+ * Default tool-loading strategy: BM25-indexed MCP tool deferral via a `find_tools` meta-tool.
+ *
+ * - Node-backed tools and pinned MCP tools are always included in every turn.
+ * - `find_tools(query, limit?)` is added to the tool set when MCP tools are indexed.
+ * - Tools surfaced by `find_tools` are included in subsequent turns.
+ *
+ * Not DI-managed; instantiated per agent execution by DeferredMetaToolStrategyFactory.
+ */
+export class DeferredMetaToolStrategy implements ToolLoadingStrategy {
+  private nodeBackedTools: ToolSet = {};
+  private pinnedTools: ToolSet = {};
+  private mcpEntries: McpToolEntry[] = [];
+  private toolsByServerId = new Map<string, Map<string, ToolSet[string]>>();
+  private foundToolIds = new Set<string>();
+
+  constructor(
+    private readonly bm25: BM25Index,
+    private readonly warnFn: (message: string) => void,
+  ) {}
+
+  async initialize(input: ToolLoadingStrategyInitInput): Promise<void> {
+    this.nodeBackedTools = { ...input.nodeBackedTools };
+
+    const pinnedIds = input.pinnedMcpTools ?? [];
+    if (pinnedIds.length > PINNED_TOOLS_HARD_LIMIT) {
+      throw new Error(
+        `Agent config error: pinnedMcpTools count (${pinnedIds.length}) exceeds hard limit of ${PINNED_TOOLS_HARD_LIMIT}.`,
+      );
+    }
+    if (pinnedIds.length > PINNED_TOOLS_SOFT_LIMIT) {
+      this.warnFn(
+        `Agent config: pinnedMcpTools count (${pinnedIds.length}) is above soft limit (${PINNED_TOOLS_SOFT_LIMIT}); consider deferring some via find_tools.`,
+      );
+    }
+
+    const indexTexts: string[] = [];
+    for (const [serverId, toolSet] of input.mcpToolsByServer.entries()) {
+      const serverMap = new Map<string, ToolSet[string]>();
+      this.toolsByServerId.set(serverId, serverMap);
+
+      for (const [toolName, toolDef] of Object.entries(toolSet)) {
+        serverMap.set(toolName, toolDef);
+        const entry: McpToolEntry = {
+          serverId,
+          toolName,
+          description: toolDef.description ?? "",
+          toolDef,
+        };
+        this.mcpEntries.push(entry);
+        indexTexts.push(`${toolName} ${entry.description}`);
+      }
+    }
+
+    if (indexTexts.length > 0) {
+      this.bm25.add(indexTexts);
+    }
+
+    this.pinnedTools = {};
+    for (const pinnedId of pinnedIds) {
+      const colonIdx = pinnedId.indexOf(":");
+      if (colonIdx === -1) continue;
+      const serverId = pinnedId.slice(0, colonIdx);
+      const toolName = pinnedId.slice(colonIdx + 1);
+      const serverMap = this.toolsByServerId.get(serverId);
+      const toolDef = serverMap?.get(toolName);
+      if (toolDef) {
+        this.pinnedTools[toolName] = toolDef;
+      }
+    }
+  }
+
+  getToolsForTurn(context: ToolLoadingStrategyTurnContext): ToolSet {
+    const result: ToolSet = { ...this.nodeBackedTools, ...this.pinnedTools };
+
+    const priorIds = context.previousFoundToolIds ?? [];
+    for (const foundId of priorIds) {
+      const colonIdx = foundId.indexOf(":");
+      if (colonIdx === -1) continue;
+      const serverId = foundId.slice(0, colonIdx);
+      const toolName = foundId.slice(colonIdx + 1);
+      const toolDef = this.toolsByServerId.get(serverId)?.get(toolName);
+      if (toolDef && !(toolName in result)) {
+        result[toolName] = toolDef;
+      }
+    }
+
+    if (this.mcpEntries.length > 0) {
+      result[FIND_TOOLS_NAME] = this.buildFindToolsDefinition();
+    }
+
+    return result;
+  }
+
+  ownsToolName(toolName: string): boolean {
+    if (toolName === FIND_TOOLS_NAME) return true;
+    // Any tool that came from an MCP server is strategy-owned so the coordinator
+    // does not attempt to dispatch it as a node-backed tool.
+    for (const serverMap of this.toolsByServerId.values()) {
+      if (serverMap.has(toolName)) return true;
+    }
+    return false;
+  }
+
+  async executeMetaTool(toolName: string, input: unknown): Promise<unknown> {
+    if (toolName === FIND_TOOLS_NAME) {
+      const parsed = z.object({ query: z.string(), limit: z.number().int().min(1).max(10).optional() }).parse(input);
+      const limit = parsed.limit ?? FIND_TOOLS_DEFAULT_LIMIT;
+      const hits = this.bm25.search(parsed.query, limit);
+      const results: FindToolsResult[] = hits.map((idx) => {
+        const entry = this.mcpEntries[idx];
+        return {
+          serverId: entry.serverId,
+          toolName: entry.toolName,
+          description: entry.description,
+          inputSchema: (entry.toolDef as unknown as { inputSchema?: unknown }).inputSchema,
+        };
+      });
+      return results;
+    }
+
+    // Route to the MCP tool's execute callback (injected by AgentMcpIntegrationImpl with
+    // telemetry + 403 detection wrapping).
+    for (const serverMap of this.toolsByServerId.values()) {
+      const toolDef = serverMap.get(toolName);
+      if (toolDef) {
+        const executeFn = (toolDef as unknown as { execute?: (input: unknown) => Promise<unknown> }).execute;
+        if (executeFn) {
+          return await executeFn(input);
+        }
+        throw new Error(`DeferredMetaToolStrategy: MCP tool "${toolName}" has no execute callback`);
+      }
+    }
+
+    throw new Error(`DeferredMetaToolStrategy: unknown meta-tool or MCP tool "${toolName}"`);
+  }
+
+  recordFoundTools(results: ReadonlyArray<FindToolsResult>): void {
+    for (const r of results) {
+      this.foundToolIds.add(`${r.serverId}:${r.toolName}`);
+    }
+  }
+
+  getFoundToolIds(): ReadonlyArray<string> {
+    return [...this.foundToolIds];
+  }
+
+  private buildFindToolsDefinition(): ToolSet[string] {
+    const inputSchemaRecord = {
+      type: "object" as const,
+      properties: {
+        query: {
+          type: "string" as const,
+          description: "Natural language description of what you want to do.",
+        },
+        limit: {
+          type: "integer" as const,
+          minimum: 1,
+          maximum: 10,
+          description: `Maximum number of tools to return (default ${FIND_TOOLS_DEFAULT_LIMIT}).`,
+        },
+      },
+      required: ["query"],
+      additionalProperties: false,
+    };
+
+    return {
+      description:
+        "Search for tools available from connected MCP servers. " +
+        "After this call, the tools listed in the result will be callable on your very next turn. " +
+        "Use this when you need a capability not visible in your current tool list. " +
+        "Do not attempt to call a tool name you have not seen yet — use find_tools to discover it first.",
+      inputSchema: jsonSchema(inputSchemaRecord),
+    } as unknown as ToolSet[string];
+  }
+}

package/src/nodes/DeferredMetaToolStrategyFactory.ts

@@ -0,0 +1,18 @@
+import { injectable } from "@codemation/core";
+import { BM25Index } from "./BM25Index";
+import { DeferredMetaToolStrategy } from "./DeferredMetaToolStrategy";
+import type { ToolLoadingStrategy, ToolLoadingStrategyInitInput } from "./ToolLoadingStrategy";
+
+/**
+ * Factory for creating and initializing a DeferredMetaToolStrategy per agent execution.
+ * Injected into AIAgentNode; each agent call creates its own initialized strategy instance.
+ * BM25Index is constructed here (this file is a composition root via the Factory suffix).
+ */
+@injectable()
+export class DeferredMetaToolStrategyFactory {
+  async create(input: ToolLoadingStrategyInitInput): Promise<ToolLoadingStrategy> {
+    const strategy = new DeferredMetaToolStrategy(new BM25Index(), (msg) => console.warn(msg));
+    await strategy.initialize(input);
+    return strategy;
+  }
+}

package/src/nodes/HttpRequestNodeFactory.ts

@@ -5,6 +5,7 @@ import type { CredentialSession, HttpRequestSpec } from "../http/httpRequest.typ
 import { HttpRequestExecutor } from "../http/HttpRequestExecutor";
 import { HttpBodyBuilder } from "../http/HttpBodyBuilder";
 import { HttpUrlBuilder } from "../http/HttpUrlBuilder";
+import { SsrfGuard } from "../http/SsrfGuard";
 import type { HttpRequestDownloadMode } from "./httpRequest";
 import { HttpRequest } from "./httpRequest";
 
@@ -41,7 +42,12 @@ export class HttpRequestNode implements RunnableNode<HttpRequest<any, any>> {
     // Build the request (headers, body encoding, URL query merge) once,
     // then make a SINGLE fetch call and decide what to do with the response.
     // This avoids a double-fetch regression for auto-mode binary responses.
-    const executor = new HttpRequestExecutor(globalThis.fetch, new HttpBodyBuilder(), new HttpUrlBuilder());
+    const executor = new HttpRequestExecutor(
+      globalThis.fetch,
+      new HttpBodyBuilder(),
+      new HttpUrlBuilder(),
+      new SsrfGuard(ctx.config.allowedOutboundHosts),
+    );
     const { url: resolvedUrl, init } = await executor.buildRequest(spec, item);
 
     const response = await globalThis.fetch(resolvedUrl, init);
@@ -175,10 +181,11 @@ export class HttpRequestNode implements RunnableNode<HttpRequest<any, any>> {
   private async resolveCredential(
     ctx: NodeExecutionContext<HttpRequest<any, any>>,
   ): Promise<CredentialSession | undefined> {
-    const slotKey = ctx.config.args.credentialSlot;
-    if (!slotKey) {
+    const rawSlot = ctx.config.args.credentialSlot;
+    if (!rawSlot) {
       return undefined;
     }
+    const slotKey = typeof rawSlot === "string" ? rawSlot : rawSlot.name;
     try {
       return await ctx.getCredential<CredentialSession>(slotKey);
     } catch {

package/src/nodes/ManualTriggerFactory.ts

@@ -1,4 +1,4 @@
-import type { Items, TriggerNodeConfig, TypeToken } from "@codemation/core";
+import type { Items, NodeInspectorSummaryRow, TriggerNodeConfig, TypeToken } from "@codemation/core";
 
 import { ItemsInputNormalizer } from "@codemation/core";
 
@@ -42,6 +42,21 @@ export class ManualTrigger<TOutputJson = unknown> implements TriggerNodeConfig<T
   ): string | undefined {
     return typeof value === "string" ? value : id;
   }
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> {
+    const rows: NodeInspectorSummaryRow[] = [{ label: "Trigger", value: "manual" }];
+    if (this.defaultItems && this.defaultItems.length > 0) {
+      const firstItem = this.defaultItems[0];
+      if (firstItem && typeof firstItem.json === "object" && firstItem.json !== null) {
+        const keys = Object.keys(firstItem.json as object);
+        if (keys.length > 0) {
+          rows.push({ label: "Initial input keys", value: keys.join(", ").slice(0, 80) });
+        }
+      }
+      rows.push({ label: "Default items", value: String(this.defaultItems.length) });
+    }
+    return rows;
+  }
 }
 
 export { ManualTriggerNode } from "./ManualTriggerNode";

package/src/nodes/ToolLoadingStrategy.ts

@@ -0,0 +1,28 @@
+import type { ToolSet } from "ai";
+
+export interface FindToolsResult {
+  readonly serverId: string;
+  readonly toolName: string;
+  readonly description: string;
+  readonly inputSchema: unknown;
+}
+
+export interface ToolLoadingStrategyTurnContext {
+  readonly turnIndex: number;
+  readonly previousFoundToolIds?: ReadonlyArray<string>;
+}
+
+export interface ToolLoadingStrategyInitInput {
+  readonly nodeBackedTools: ToolSet;
+  readonly mcpToolsByServer: ReadonlyMap<string, ToolSet>;
+  readonly pinnedMcpTools?: ReadonlyArray<string>;
+}
+
+export interface ToolLoadingStrategy {
+  initialize(input: ToolLoadingStrategyInitInput): Promise<void>;
+  getToolsForTurn(context: ToolLoadingStrategyTurnContext): ToolSet;
+  ownsToolName(toolName: string): boolean;
+  executeMetaTool(toolName: string, input: unknown): Promise<unknown>;
+  recordFoundTools(results: ReadonlyArray<FindToolsResult>): void;
+  getFoundToolIds(): ReadonlyArray<string>;
+}

package/src/nodes/WebhookTriggerFactory.ts

@@ -1,4 +1,11 @@
-import type { HttpMethod, Items, NodeExecutionContext, TriggerNodeConfig, TypeToken } from "@codemation/core";
+import type {
+  HttpMethod,
+  Items,
+  NodeExecutionContext,
+  NodeInspectorSummaryRow,
+  TriggerNodeConfig,
+  TypeToken,
+} from "@codemation/core";
 import type { ZodType } from "zod";
 import { WebhookTriggerNode } from "./webhookTriggerNode";
 
@@ -13,7 +20,7 @@ export class WebhookTrigger<
 > implements TriggerNodeConfig<unknown> {
   readonly kind = "trigger" as const;
   readonly type: TypeToken<unknown> = WebhookTriggerNode;
-  readonly icon = "lucide:webhook";
+  readonly icon = "lucide:globe";
 
   constructor(
     public readonly name: string,
@@ -48,4 +55,11 @@ export class WebhookTrigger<
   private static defaultHandler(items: Items): Items {
     return items;
   }
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> {
+    return [
+      { label: "Endpoint key", value: this.args.endpointKey },
+      { label: "Methods", value: this.args.methods.join(", ") },
+    ];
+  }
 }

package/src/nodes/aggregate.ts

@@ -1,5 +1,10 @@
-import type { Items, NodeExecutionContext, RunnableNodeConfig, TypeToken } from "@codemation/core";
-
+import type {
+  Items,
+  NodeExecutionContext,
+  NodeInspectorSummaryRow,
+  RunnableNodeConfig,
+  TypeToken,
+} from "@codemation/core";
 import { AggregateNode } from "./AggregateNode";
 
 export class Aggregate<TIn = unknown, TOut = unknown> implements RunnableNodeConfig<TIn, TOut> {
@@ -17,6 +22,12 @@ export class Aggregate<TIn = unknown, TOut = unknown> implements RunnableNodeCon
     ) => TOut | Promise<TOut>,
     public readonly id?: string,
   ) {}
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined {
+    const fnName = this.aggregate.name;
+    if (!fnName) return undefined;
+    return [{ label: "Aggregator", value: fnName }];
+  }
 }
 
 export { AggregateNode } from "./AggregateNode";

package/src/nodes/aiAgent.ts

@@ -17,3 +17,12 @@ export {
   type PlannedToolCall,
   type ResolvedTool,
 } from "./aiAgentSupport.types";
+export { BM25Index } from "./BM25Index";
+export { DeferredMetaToolStrategy } from "./DeferredMetaToolStrategy";
+export { DeferredMetaToolStrategyFactory } from "./DeferredMetaToolStrategyFactory";
+export type {
+  FindToolsResult,
+  ToolLoadingStrategy,
+  ToolLoadingStrategyInitInput,
+  ToolLoadingStrategyTurnContext,
+} from "./ToolLoadingStrategy";

package/src/nodes/assertion.ts

@@ -1,4 +1,11 @@
-import type { AssertionResult, Item, NodeExecutionContext, RunnableNodeConfig, TypeToken } from "@codemation/core";
+import type {
+  AssertionResult,
+  Item,
+  NodeExecutionContext,
+  NodeInspectorSummaryRow,
+  RunnableNodeConfig,
+  TypeToken,
+} from "@codemation/core";
 
 import { AssertionNode } from "./AssertionNode";
 
@@ -37,6 +44,12 @@ export class Assertion<TInputJson = unknown> implements RunnableNodeConfig<TInpu
     this.icon = options.icon ?? "lucide:check-circle";
     this.assertions = options.assertions;
   }
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined {
+    const fnName = this.assertions.name;
+    if (!fnName) return undefined;
+    return [{ label: "Assertions fn", value: fnName }];
+  }
 }
 
 export { AssertionNode } from "./AssertionNode";

package/src/nodes/collections/collectionDeleteNode.types.ts

@@ -10,6 +10,12 @@ export const collectionDeleteNode = defineNode({
     collectionName: z.string(),
     id: z.string(),
   }),
+  inspectorSummary({ config }) {
+    const name = config.collectionName ?? "";
+    if (!name) return [];
+    const truncated = name.length > 80 ? `${name.slice(0, 79)}…` : name;
+    return [{ label: "Collection", value: truncated }];
+  },
   async execute(_args, { config, execution }) {
     const store = execution.collections?.[config.collectionName];
     if (!store) {

package/src/nodes/collections/collectionFindOneNode.types.ts

@@ -10,6 +10,12 @@ export const collectionFindOneNode = defineNode({
     collectionName: z.string(),
     where: z.record(z.string(), z.unknown()),
   }),
+  inspectorSummary({ config }) {
+    const name = config.collectionName ?? "";
+    if (!name) return [];
+    const truncated = name.length > 80 ? `${name.slice(0, 79)}…` : name;
+    return [{ label: "Collection", value: truncated }];
+  },
   async execute(_args, { config, execution }) {
     const store = execution.collections?.[config.collectionName];
     if (!store) {

package/src/nodes/collections/collectionGetNode.types.ts

@@ -10,6 +10,12 @@ export const collectionGetNode = defineNode({
     collectionName: z.string(),
     id: z.string(),
   }),
+  inspectorSummary({ config }) {
+    const name = config.collectionName ?? "";
+    if (!name) return [];
+    const truncated = name.length > 80 ? `${name.slice(0, 79)}…` : name;
+    return [{ label: "Collection", value: truncated }];
+  },
   async execute(_args, { config, execution }) {
     const store = execution.collections?.[config.collectionName];
     if (!store) {

package/src/nodes/collections/collectionInsertNode.types.ts

@@ -10,6 +10,12 @@ export const collectionInsertNode = defineNode({
     collectionName: z.string(),
     data: z.record(z.string(), z.unknown()),
   }),
+  inspectorSummary({ config }) {
+    const name = config.collectionName ?? "";
+    if (!name) return [];
+    const truncated = name.length > 80 ? `${name.slice(0, 79)}…` : name;
+    return [{ label: "Collection", value: truncated }];
+  },
   async execute(_args, { config, execution }) {
     const store = execution.collections?.[config.collectionName];
     if (!store) {

package/src/nodes/collections/collectionListNode.types.ts

@@ -12,6 +12,12 @@ export const collectionListNode = defineNode({
     offset: z.number().int().nonnegative().optional(),
     where: z.record(z.string(), z.unknown()).optional(),
   }),
+  inspectorSummary({ config }) {
+    const name = config.collectionName ?? "";
+    if (!name) return [];
+    const truncated = name.length > 80 ? `${name.slice(0, 79)}…` : name;
+    return [{ label: "Collection", value: truncated }];
+  },
   async execute(_args, { config, execution }) {
     const store = execution.collections?.[config.collectionName];
     if (!store) {

package/src/nodes/collections/collectionUpdateNode.types.ts

@@ -11,6 +11,12 @@ export const collectionUpdateNode = defineNode({
     id: z.string(),
     patch: z.record(z.string(), z.unknown()),
   }),
+  inspectorSummary({ config }) {
+    const name = config.collectionName ?? "";
+    if (!name) return [];
+    const truncated = name.length > 80 ? `${name.slice(0, 79)}…` : name;
+    return [{ label: "Collection", value: truncated }];
+  },
   async execute(_args, { config, execution }) {
     const store = execution.collections?.[config.collectionName];
     if (!store) {

package/src/nodes/filter.ts

@@ -1,5 +1,11 @@
-import type { Item, Items, NodeExecutionContext, RunnableNodeConfig, TypeToken } from "@codemation/core";
-
+import type {
+  Item,
+  Items,
+  NodeExecutionContext,
+  NodeInspectorSummaryRow,
+  RunnableNodeConfig,
+  TypeToken,
+} from "@codemation/core";
 import { FilterNode } from "./FilterNode";
 
 export class Filter<TIn = unknown> implements RunnableNodeConfig<TIn, TIn> {
@@ -18,6 +24,12 @@ export class Filter<TIn = unknown> implements RunnableNodeConfig<TIn, TIn> {
     ) => boolean,
     public readonly id?: string,
   ) {}
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined {
+    const fnName = this.predicate.name;
+    if (!fnName) return undefined;
+    return [{ label: "Predicate", value: fnName }];
+  }
 }
 
 export { FilterNode } from "./FilterNode";

package/src/nodes/httpRequest.ts

@@ -1,11 +1,12 @@
 import {
   RetryPolicy,
+  type AnyCredentialType,
   type CredentialRequirement,
+  type NodeInspectorSummaryRow,
   type RetryPolicySpec,
   type RunnableNodeConfig,
   type TypeToken,
 } from "@codemation/core";
-
 import type { HttpBodySpec } from "../http/httpRequest.types";
 import {
   apiKeyCredentialType,
@@ -81,11 +82,19 @@ export class HttpRequest<
       /** Request body specification. For canvas use, pass a JSON string in `body.data`. */
       body?: HttpBodySpec;
       /**
-       * Credential slot key. When set, the node resolves a credential via
-       * `ctx.getCredential(credentialSlot)` and applies it to the request.
-       * The slot must be declared in `getCredentialRequirements()`.
+       * Credential slot.
+       *
+       * **String shorthand** (existing): `credentialSlot: "auth"` — the slot accepts all four
+       * default HTTP credential types (bearer, API-key, basic, OAuth2).
+       *
+       * **Object form** (new): narrows the accepted types to the caller-supplied list, useful
+       * when only a subset of credential types makes sense for a specific endpoint.
+       * ```ts
+       * credentialSlot: { name: "auth", acceptedTypes: [bearerTokenCredentialType] }
+       * ```
+       * The slot must be declared in `getCredentialRequirements()`, which is wired automatically.
        */
-      credentialSlot?: string;
+      credentialSlot?: string | Readonly<{ name: string; acceptedTypes?: ReadonlyArray<AnyCredentialType> }>;
       binaryName?: string;
       downloadMode?: HttpRequestDownloadMode;
       /**
@@ -109,6 +118,23 @@ export class HttpRequest<
        * Requests whose `Content-Length` exceeds this cap are rejected before the body is read.
        */
       responseSizeCapBytes?: number;
+      /**
+       * Operator-configurable outbound host allowlist.
+       *
+       * When set, every HTTP request target must match an entry in this list before the
+       * request is made — requests to any other host are rejected with {@link SSRFBlockedError}.
+       * Supports exact hostnames (`api.example.com`) and wildcard subdomain patterns
+       * (`*.example.com` matches `sub.example.com` but not `example.com` itself).
+       *
+       * When unset (default), the existing SSRF private-network guard applies:
+       * public hosts are allowed and private/loopback ranges are blocked.
+       *
+       * **Production warning**: when `NODE_ENV === "production"` and this is unset, a one-time
+       * warning is logged at workflow startup.
+       *
+       * Setting this to an empty array `[]` is equivalent to "block everything".
+       */
+      allowedOutboundHosts?: ReadonlyArray<string>;
       id?: string;
     }> = {},
     public readonly retryPolicy: RetryPolicySpec = RetryPolicy.defaultForHttp,
@@ -146,20 +172,58 @@ export class HttpRequest<
     return this.args.responseSizeCapBytes ?? DEFAULT_RESPONSE_SIZE_CAP_BYTES;
   }
 
+  get allowedOutboundHosts(): ReadonlyArray<string> | undefined {
+    return this.args.allowedOutboundHosts;
+  }
+
   getCredentialRequirements(): ReadonlyArray<CredentialRequirement> {
-    if (!this.args.credentialSlot) {
+    const slot = this.args.credentialSlot;
+    if (!slot) {
       return [];
     }
+    if (typeof slot === "string") {
+      return [
+        {
+          slotKey: slot,
+          label: "Authentication",
+          acceptedTypes: HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES,
+          optional: true,
+          helpText: "Optional credential for authenticating the HTTP request.",
+        },
+      ];
+    }
+    // Object form: use caller-supplied acceptedTypes (mapped to typeIds), falling back to all defaults.
+    const acceptedTypes =
+      slot.acceptedTypes && slot.acceptedTypes.length > 0
+        ? slot.acceptedTypes.map((ct) => ct.definition.typeId)
+        : HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES;
     return [
       {
-        slotKey: this.args.credentialSlot,
+        slotKey: slot.name,
         label: "Authentication",
-        acceptedTypes: HTTP_REQUEST_ACCEPTED_CREDENTIAL_TYPES,
+        acceptedTypes,
         optional: true,
         helpText: "Optional credential for authenticating the HTTP request.",
       },
     ];
   }
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> {
+    const rows: NodeInspectorSummaryRow[] = [{ label: "Method", value: this.method }];
+    if (this.args.url) {
+      const url = this.args.url.length > 80 ? `${this.args.url.slice(0, 79)}…` : this.args.url;
+      rows.push({ label: "URL", value: url });
+    } else if (this.args.urlField) {
+      rows.push({ label: "URL field", value: this.args.urlField });
+    }
+    if (this.args.responseFormat) {
+      rows.push({ label: "Response format", value: this.args.responseFormat });
+    }
+    if (this.args.body && this.args.body.kind !== "none") {
+      rows.push({ label: "Body", value: this.args.body.kind });
+    }
+    return rows;
+  }
 }
 
 export { HttpRequestNode } from "./HttpRequestNodeFactory";

package/src/nodes/if.ts

@@ -1,5 +1,11 @@
-import type { Item, Items, NodeExecutionContext, RunnableNodeConfig, TypeToken } from "@codemation/core";
-
+import type {
+  Item,
+  Items,
+  NodeExecutionContext,
+  NodeInspectorSummaryRow,
+  RunnableNodeConfig,
+  TypeToken,
+} from "@codemation/core";
 import { IfNode } from "./IfNode";
 
 export class If<TInputJson = unknown> implements RunnableNodeConfig<TInputJson, TInputJson> {
@@ -18,6 +24,12 @@ export class If<TInputJson = unknown> implements RunnableNodeConfig<TInputJson,
     ) => boolean,
     public readonly id?: string,
   ) {}
+
+  inspectorSummary(): ReadonlyArray<NodeInspectorSummaryRow> | undefined {
+    const fnName = this.predicate.name;
+    if (!fnName) return undefined;
+    return [{ label: "Predicate", value: fnName }];
+  }
 }
 
 export { IfNode } from "./IfNode";