@executor-js/plugin-openapi 0.0.1-beta.6 → 0.0.2

package/dist/chunk-ZZ7TQ4JC.js

@@ -0,0 +1,2602 @@
+// src/sdk/errors.ts
+import { Data, Schema } from "effect";
+var OpenApiParseError = class extends Schema.TaggedErrorClass()(
+  "OpenApiParseError",
+  {
+    message: Schema.String
+  },
+  { httpApiStatus: 400 }
+) {
+};
+var OpenApiExtractionError = class extends Schema.TaggedErrorClass()(
+  "OpenApiExtractionError",
+  {
+    message: Schema.String
+  },
+  { httpApiStatus: 400 }
+) {
+};
+var OpenApiInvocationError = class extends Data.TaggedError("OpenApiInvocationError") {
+};
+var OpenApiOAuthError = class extends Schema.TaggedErrorClass()(
+  "OpenApiOAuthError",
+  {
+    message: Schema.String
+  },
+  { httpApiStatus: 400 }
+) {
+};
+
+// src/sdk/parse.ts
+import { Duration, Effect } from "effect";
+import { HttpClient, HttpClientRequest } from "effect/unstable/http";
+import YAML from "yaml";
+var OpenApiExtractionErrorFromParse = class extends OpenApiExtractionError {
+};
+var fetchSpecText = Effect.fn("OpenApi.fetchSpecText")(function* (url, credentials) {
+  const client = yield* HttpClient.HttpClient;
+  const requestUrl = new URL(url);
+  for (const [name, value] of Object.entries(credentials?.queryParams ?? {})) {
+    requestUrl.searchParams.set(name, value);
+  }
+  let request = HttpClientRequest.get(requestUrl.toString()).pipe(
+    HttpClientRequest.setHeader("Accept", "application/json, application/yaml, text/yaml, */*")
+  );
+  for (const [name, value] of Object.entries(credentials?.headers ?? {})) {
+    request = HttpClientRequest.setHeader(request, name, value);
+  }
+  const response = yield* client.execute(request).pipe(
+    Effect.timeout(Duration.seconds(20)),
+    Effect.mapError(
+      (cause) => new OpenApiParseError({
+        message: `Failed to fetch OpenAPI document: ${cause instanceof Error ? cause.message : String(cause)}`
+      })
+    )
+  );
+  if (response.status < 200 || response.status >= 300) {
+    return yield* new OpenApiParseError({
+      message: `Failed to fetch OpenAPI document: HTTP ${response.status}`
+    });
+  }
+  return yield* response.text.pipe(
+    Effect.mapError(
+      (cause) => new OpenApiParseError({
+        message: `Failed to read OpenAPI document body: ${cause instanceof Error ? cause.message : String(cause)}`
+      })
+    )
+  );
+});
+var resolveSpecText = (input, credentials) => input.startsWith("http://") || input.startsWith("https://") ? fetchSpecText(input, credentials) : Effect.succeed(input);
+var parse = Effect.fn("OpenApi.parse")(function* (text) {
+  const api = yield* Effect.try({
+    try: () => parseTextToObject(text),
+    catch: (error) => new OpenApiParseError({
+      message: `Failed to parse OpenAPI document: ${error instanceof Error ? error.message : String(error)}`
+    })
+  });
+  if (!isOpenApi3(api)) {
+    return yield* new OpenApiExtractionErrorFromParse({
+      message: "Only OpenAPI 3.x documents are supported. Swagger 2.x documents should be converted first."
+    });
+  }
+  return api;
+});
+var isOpenApi3 = (doc) => "openapi" in doc && typeof doc.openapi === "string" && doc.openapi.startsWith("3.");
+var parseTextToObject = (text) => {
+  const trimmed = text.trim();
+  if (trimmed.length === 0) throw new Error("OpenAPI document is empty");
+  let parsed;
+  try {
+    parsed = JSON.parse(trimmed);
+  } catch {
+    parsed = YAML.parse(trimmed);
+  }
+  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+    throw new Error("OpenAPI document must parse to an object");
+  }
+  return parsed;
+};
+
+// src/sdk/openapi-utils.ts
+import { Option } from "effect";
+var DocResolver = class {
+  constructor(doc) {
+    this.doc = doc;
+  }
+  doc;
+  /** Resolve a value that might be a $ref, returning the resolved object */
+  resolve(value) {
+    if (isRef(value)) {
+      const resolved = this.resolvePointer(value.$ref);
+      return resolved;
+    }
+    return value;
+  }
+  resolvePointer(ref) {
+    if (!ref.startsWith("#/")) return null;
+    const segments = ref.slice(2).split("/");
+    let current = this.doc;
+    for (const segment of segments) {
+      if (typeof current !== "object" || current === null) return null;
+      current = current[segment];
+    }
+    return current;
+  }
+};
+var isRef = (value) => typeof value === "object" && value !== null && "$ref" in value;
+var substituteUrlVariables = (url, values) => {
+  let out = url;
+  for (const [name, value] of Object.entries(values)) {
+    out = out.replaceAll(`{${name}}`, value);
+  }
+  return out;
+};
+var resolveBaseUrl = (servers) => {
+  const server = servers[0];
+  if (!server) return "";
+  if (!Option.isSome(server.variables)) return server.url;
+  const values = {};
+  for (const [name, v] of Object.entries(server.variables.value)) {
+    values[name] = typeof v === "string" ? v : v.default;
+  }
+  return substituteUrlVariables(server.url, values);
+};
+var declaredContents = (content) => {
+  if (!content) return [];
+  return Object.entries(content).map(([mediaType, media]) => ({ mediaType, media }));
+};
+var preferredContent = (content) => {
+  const first = declaredContents(content)[0];
+  return first ? first : void 0;
+};
+var preferredResponseContent = (content) => {
+  if (!content) return void 0;
+  const entries = Object.entries(content);
+  const pick = entries.find(([mt]) => mt === "application/json") ?? entries.find(([mt]) => mt.toLowerCase().includes("+json")) ?? entries.find(([mt]) => mt.toLowerCase().includes("json")) ?? entries[0];
+  return pick ? { mediaType: pick[0], media: pick[1] } : void 0;
+};
+
+// src/sdk/types.ts
+import { Schema as Schema2 } from "effect";
+import { ConnectionId, ScopeId, SecretBackedValue, SecretId } from "@executor-js/sdk/core";
+var OperationId = Schema2.String.pipe(Schema2.brand("OperationId"));
+var HttpMethod = Schema2.Literals([
+  "get",
+  "put",
+  "post",
+  "delete",
+  "patch",
+  "head",
+  "options",
+  "trace"
+]);
+var ParameterLocation = Schema2.Literals(["path", "query", "header", "cookie"]);
+var OperationParameter = class extends Schema2.Class("OperationParameter")({
+  name: Schema2.String,
+  location: ParameterLocation,
+  required: Schema2.Boolean,
+  schema: Schema2.OptionFromOptional(Schema2.Unknown),
+  style: Schema2.OptionFromOptional(Schema2.String),
+  explode: Schema2.OptionFromOptional(Schema2.Boolean),
+  allowReserved: Schema2.OptionFromOptional(Schema2.Boolean),
+  description: Schema2.OptionFromOptional(Schema2.String)
+}) {
+};
+var EncodingObject = class extends Schema2.Class("EncodingObject")({
+  contentType: Schema2.OptionFromOptional(Schema2.String),
+  style: Schema2.OptionFromOptional(Schema2.String),
+  explode: Schema2.OptionFromOptional(Schema2.Boolean),
+  allowReserved: Schema2.OptionFromOptional(Schema2.Boolean)
+}) {
+};
+var MediaBinding = class extends Schema2.Class("MediaBinding")({
+  contentType: Schema2.String,
+  schema: Schema2.OptionFromOptional(Schema2.Unknown),
+  encoding: Schema2.OptionFromOptional(Schema2.Record(Schema2.String, EncodingObject))
+}) {
+};
+var OperationRequestBody = class extends Schema2.Class(
+  "OperationRequestBody"
+)({
+  required: Schema2.Boolean,
+  /** Default media type — first declared in spec order (not JSON-first).
+   *  Used when the caller does not override via the tool's `contentType` arg. */
+  contentType: Schema2.String,
+  /** Schema of the default media type. Kept for backward compat with stored
+   *  bindings from before `contents` was added. */
+  schema: Schema2.OptionFromOptional(Schema2.Unknown),
+  /** All declared media types in spec order. Populated by `extract.ts`
+   *  going forward; older persisted bindings may have this unset and will
+   *  fall back to `{contentType, schema}`. */
+  contents: Schema2.OptionFromOptional(Schema2.Array(MediaBinding))
+}) {
+};
+var ExtractedOperation = class extends Schema2.Class("ExtractedOperation")({
+  operationId: OperationId,
+  method: HttpMethod,
+  pathTemplate: Schema2.String,
+  summary: Schema2.OptionFromOptional(Schema2.String),
+  description: Schema2.OptionFromOptional(Schema2.String),
+  tags: Schema2.Array(Schema2.String),
+  parameters: Schema2.Array(OperationParameter),
+  requestBody: Schema2.OptionFromOptional(OperationRequestBody),
+  inputSchema: Schema2.OptionFromOptional(Schema2.Unknown),
+  outputSchema: Schema2.OptionFromOptional(Schema2.Unknown),
+  deprecated: Schema2.Boolean
+}) {
+};
+var ServerVariable = class extends Schema2.Class("ServerVariable")({
+  default: Schema2.String,
+  enum: Schema2.OptionFromOptional(Schema2.Array(Schema2.String)),
+  description: Schema2.OptionFromOptional(Schema2.String)
+}) {
+};
+var ServerInfo = class extends Schema2.Class("ServerInfo")({
+  url: Schema2.String,
+  description: Schema2.OptionFromOptional(Schema2.String),
+  variables: Schema2.OptionFromOptional(Schema2.Record(Schema2.String, ServerVariable))
+}) {
+};
+var ExtractionResult = class extends Schema2.Class("ExtractionResult")({
+  title: Schema2.OptionFromOptional(Schema2.String),
+  version: Schema2.OptionFromOptional(Schema2.String),
+  servers: Schema2.Array(ServerInfo),
+  operations: Schema2.Array(ExtractedOperation)
+}) {
+};
+var OperationBinding = class extends Schema2.Class("OperationBinding")({
+  method: HttpMethod,
+  pathTemplate: Schema2.String,
+  parameters: Schema2.Array(OperationParameter),
+  requestBody: Schema2.OptionFromOptional(OperationRequestBody)
+}) {
+};
+var HeaderValue = SecretBackedValue;
+var ConfiguredHeaderBinding = class extends Schema2.Class(
+  "OpenApiConfiguredHeaderBinding"
+)({
+  kind: Schema2.Literal("binding"),
+  slot: Schema2.String,
+  prefix: Schema2.optional(Schema2.String)
+}) {
+};
+var ConfiguredHeaderValue = Schema2.Union([Schema2.String, ConfiguredHeaderBinding]);
+var OpenApiSourceBindingValue = Schema2.Union([
+  Schema2.Struct({
+    kind: Schema2.Literal("secret"),
+    secretId: SecretId
+  }),
+  Schema2.Struct({
+    kind: Schema2.Literal("connection"),
+    connectionId: ConnectionId
+  }),
+  Schema2.Struct({
+    kind: Schema2.Literal("text"),
+    text: Schema2.String
+  })
+]);
+var OpenApiSourceBindingInputSchema = Schema2.Struct({
+  sourceId: Schema2.String,
+  sourceScope: ScopeId,
+  scope: ScopeId,
+  slot: Schema2.String,
+  value: OpenApiSourceBindingValue
+});
+var OpenApiSourceBindingInput = class extends Schema2.Class(
+  "OpenApiSourceBindingInput"
+)(OpenApiSourceBindingInputSchema.fields) {
+};
+var OpenApiSourceBindingRef = class extends Schema2.Class(
+  "OpenApiSourceBindingRef"
+)({
+  sourceId: Schema2.String,
+  sourceScopeId: ScopeId,
+  scopeId: ScopeId,
+  slot: Schema2.String,
+  value: OpenApiSourceBindingValue,
+  createdAt: Schema2.Date,
+  updatedAt: Schema2.Date
+}) {
+};
+var OAuth2Flow = Schema2.Literals(["authorizationCode", "clientCredentials"]);
+var OAuth2Auth = class extends Schema2.Class("OpenApiOAuth2Auth")({
+  kind: Schema2.Literal("oauth2"),
+  /** Id of the Connection that owns this sign-in. Points at the core
+   *  `connection` table; resolve via `ctx.connections.get(id)` or
+   *  `ctx.connections.accessToken(id)`. Updated when the user signs in
+   *  again from the source detail UI (a fresh connection is minted and
+   *  this pointer is rewritten). */
+  connectionId: Schema2.String,
+  /** Key into `components.securitySchemes` this auth came from. Kept here
+   *  so a spec with multiple OAuth2 schemes can wire each one to its own
+   *  connection. */
+  securitySchemeName: Schema2.String,
+  /** OAuth2 grant type used for this source. Determines which flow the
+   *  sign-in button runs (authorizationCode opens a browser popup;
+   *  clientCredentials is server-to-server). */
+  flow: OAuth2Flow,
+  /** Absolute token endpoint URL. */
+  tokenUrl: Schema2.String,
+  /** Absolute authorization endpoint URL. Only used for authorizationCode
+   *  flows; clientCredentials has no user consent step. */
+  authorizationUrl: Schema2.NullOr(Schema2.String),
+  /** Expected issuer for ID token validation. Defaults to authorization origin. */
+  issuerUrl: Schema2.optional(Schema2.NullOr(Schema2.String)),
+  /** Secret id holding the OAuth client_id. */
+  clientIdSecretId: Schema2.String,
+  /** Secret id holding the OAuth client_secret. Optional for public
+   *  clients (PKCE-only authorizationCode). */
+  clientSecretSecretId: Schema2.NullOr(Schema2.String),
+  /** OAuth scopes requested on sign-in. Stored as a static list so the
+   *  sign-in button can re-request the same capabilities without having
+   *  to re-derive them from the OpenAPI spec. */
+  scopes: Schema2.Array(Schema2.String)
+}) {
+};
+var OAuth2SourceConfig = class extends Schema2.Class(
+  "OpenApiOAuth2SourceConfig"
+)({
+  kind: Schema2.Literal("oauth2"),
+  securitySchemeName: Schema2.String,
+  flow: OAuth2Flow,
+  tokenUrl: Schema2.String,
+  authorizationUrl: Schema2.NullOr(Schema2.String),
+  issuerUrl: Schema2.optional(Schema2.NullOr(Schema2.String)),
+  clientIdSlot: Schema2.String,
+  clientSecretSlot: Schema2.NullOr(Schema2.String),
+  connectionSlot: Schema2.String,
+  scopes: Schema2.Array(Schema2.String)
+}) {
+};
+var InvocationConfig = class extends Schema2.Class("InvocationConfig")({
+  baseUrl: Schema2.String,
+  /** Headers applied to every request. Values can reference secrets. */
+  headers: Schema2.optional(Schema2.Record(Schema2.String, HeaderValue)),
+  /**
+   * Optional OAuth2 auth — if set, the invoker resolves/refreshes the
+   * access token and injects `Authorization: Bearer <token>` on every
+   * request. Coexists with `headers` but wins for the Authorization header.
+   */
+  oauth2: Schema2.OptionFromOptional(OAuth2Auth)
+}) {
+};
+var InvocationResult = class extends Schema2.Class("InvocationResult")({
+  status: Schema2.Number,
+  headers: Schema2.Record(Schema2.String, Schema2.String),
+  data: Schema2.NullOr(Schema2.Unknown),
+  error: Schema2.NullOr(Schema2.Unknown)
+}) {
+};
+
+// src/sdk/extract.ts
+import { Effect as Effect2, Option as Option2 } from "effect";
+var HTTP_METHODS = [
+  "get",
+  "put",
+  "post",
+  "delete",
+  "patch",
+  "head",
+  "options",
+  "trace"
+];
+var VALID_PARAM_LOCATIONS = /* @__PURE__ */ new Set(["path", "query", "header", "cookie"]);
+var extractParameters = (pathItem, operation, r) => {
+  const merged = /* @__PURE__ */ new Map();
+  for (const raw of pathItem.parameters ?? []) {
+    const p = r.resolve(raw);
+    if (!p) continue;
+    merged.set(`${p.in}:${p.name}`, p);
+  }
+  for (const raw of operation.parameters ?? []) {
+    const p = r.resolve(raw);
+    if (!p) continue;
+    merged.set(`${p.in}:${p.name}`, p);
+  }
+  return [...merged.values()].filter((p) => VALID_PARAM_LOCATIONS.has(p.in)).map(
+    (p) => new OperationParameter({
+      name: p.name,
+      location: p.in,
+      required: p.in === "path" ? true : p.required === true,
+      schema: Option2.fromNullishOr(p.schema),
+      style: Option2.fromNullishOr(p.style),
+      explode: Option2.fromNullishOr(p.explode),
+      allowReserved: Option2.fromNullishOr("allowReserved" in p ? p.allowReserved : void 0),
+      description: Option2.fromNullishOr(p.description)
+    })
+  );
+};
+var buildEncodingRecord = (encoding) => {
+  if (!encoding) return void 0;
+  const out = {};
+  for (const [prop, raw] of Object.entries(encoding)) {
+    if (typeof raw !== "object" || raw === null) continue;
+    const e = raw;
+    out[prop] = new EncodingObject({
+      contentType: Option2.fromNullishOr(e.contentType),
+      style: Option2.fromNullishOr(e.style),
+      explode: Option2.fromNullishOr(e.explode),
+      allowReserved: Option2.fromNullishOr(e.allowReserved)
+    });
+  }
+  return Object.keys(out).length > 0 ? out : void 0;
+};
+var extractRequestBody = (operation, r) => {
+  if (!operation.requestBody) return void 0;
+  const body = r.resolve(operation.requestBody);
+  if (!body) return void 0;
+  const contents = declaredContents(body.content).map(
+    ({ mediaType, media }) => new MediaBinding({
+      contentType: mediaType,
+      schema: Option2.fromNullishOr(media.schema),
+      encoding: Option2.fromNullishOr(
+        buildEncodingRecord(
+          media.encoding
+        )
+      )
+    })
+  );
+  if (contents.length === 0) return void 0;
+  const defaultContent = contents[0];
+  return new OperationRequestBody({
+    required: body.required === true,
+    contentType: defaultContent.contentType,
+    schema: defaultContent.schema,
+    contents: Option2.some(contents)
+  });
+};
+var extractOutputSchema = (operation, r) => {
+  if (!operation.responses) return void 0;
+  const entries = Object.entries(operation.responses);
+  const preferred = [
+    ...entries.filter(([s]) => /^2\d\d$/.test(s)).sort(([a], [b]) => a.localeCompare(b)),
+    ...entries.filter(([s]) => s === "default")
+  ];
+  for (const [, ref] of preferred) {
+    const resp = r.resolve(ref);
+    if (!resp) continue;
+    const content = preferredResponseContent(resp.content);
+    if (content?.media.schema) return content.media.schema;
+  }
+  return void 0;
+};
+var buildInputSchema = (parameters, requestBody) => {
+  const properties = {};
+  const required = [];
+  for (const param of parameters) {
+    properties[param.name] = Option2.getOrElse(param.schema, () => ({ type: "string" }));
+    if (param.required) required.push(param.name);
+  }
+  if (requestBody) {
+    properties.body = Option2.getOrElse(requestBody.schema, () => ({ type: "object" }));
+    if (requestBody.required) required.push("body");
+    const contents = Option2.getOrUndefined(requestBody.contents);
+    if (contents && contents.length > 1) {
+      properties.contentType = {
+        type: "string",
+        enum: contents.map((c) => c.contentType),
+        default: requestBody.contentType,
+        description: "Content-Type for the request body. Declared media types for this operation, in spec order."
+      };
+    }
+  }
+  if (Object.keys(properties).length === 0) return void 0;
+  return {
+    type: "object",
+    properties,
+    ...required.length > 0 ? { required } : {},
+    additionalProperties: false
+  };
+};
+var deriveOperationId = (method, pathTemplate, operation) => operation.operationId ?? (`${method}_${pathTemplate.replace(/[^a-zA-Z0-9]+/g, "_")}`.replace(/^_+|_+$/g, "") || `${method}_operation`);
+var extractServers = (doc) => (doc.servers ?? []).flatMap((server) => {
+  if (!server.url) return [];
+  const vars = server.variables ? Object.fromEntries(
+    Object.entries(server.variables).flatMap(([name, v]) => {
+      if (v.default === void 0 || v.default === null) return [];
+      const enumValues = Array.isArray(v.enum) ? v.enum.filter((x) => typeof x === "string") : void 0;
+      return [
+        [
+          name,
+          new ServerVariable({
+            default: String(v.default),
+            enum: enumValues && enumValues.length > 0 ? Option2.some(enumValues) : Option2.none(),
+            description: Option2.fromNullishOr(v.description)
+          })
+        ]
+      ];
+    })
+  ) : void 0;
+  return [
+    new ServerInfo({
+      url: server.url,
+      description: Option2.fromNullishOr(server.description),
+      variables: vars && Object.keys(vars).length > 0 ? Option2.some(vars) : Option2.none()
+    })
+  ];
+});
+var extract = Effect2.fn("OpenApi.extract")(function* (doc) {
+  const paths = doc.paths;
+  if (!paths) {
+    return yield* new OpenApiExtractionError({
+      message: "OpenAPI document has no paths defined"
+    });
+  }
+  const r = new DocResolver(doc);
+  const operations = [];
+  for (const [pathTemplate, pathItem] of Object.entries(paths).sort(
+    ([a], [b]) => a.localeCompare(b)
+  )) {
+    if (!pathItem) continue;
+    for (const method of HTTP_METHODS) {
+      const operation = pathItem[method];
+      if (!operation) continue;
+      const parameters = extractParameters(pathItem, operation, r);
+      const requestBody = extractRequestBody(operation, r);
+      const inputSchema = buildInputSchema(parameters, requestBody);
+      const outputSchema = extractOutputSchema(operation, r);
+      const tags = (operation.tags ?? []).filter((t) => t.trim().length > 0);
+      operations.push(
+        new ExtractedOperation({
+          operationId: OperationId.make(deriveOperationId(method, pathTemplate, operation)),
+          method,
+          pathTemplate,
+          summary: Option2.fromNullishOr(operation.summary),
+          description: Option2.fromNullishOr(operation.description),
+          tags,
+          parameters,
+          requestBody: Option2.fromNullishOr(requestBody),
+          inputSchema: Option2.fromNullishOr(inputSchema),
+          outputSchema: Option2.fromNullishOr(outputSchema),
+          deprecated: operation.deprecated === true
+        })
+      );
+    }
+  }
+  return new ExtractionResult({
+    title: Option2.fromNullishOr(doc.info?.title),
+    version: Option2.fromNullishOr(doc.info?.version),
+    servers: extractServers(doc),
+    operations
+  });
+});
+
+// src/sdk/invoke.ts
+import { Effect as Effect3, Layer, Option as Option3 } from "effect";
+import { HttpClient as HttpClient2, HttpClientRequest as HttpClientRequest2 } from "effect/unstable/http";
+var CONTAINER_KEYS = {
+  path: ["path", "pathParams", "params"],
+  query: ["query", "queryParams", "params"],
+  header: ["headers", "header"],
+  cookie: ["cookies", "cookie"]
+};
+var readParamValue = (args, param) => {
+  const direct = args[param.name];
+  if (direct !== void 0) return direct;
+  for (const key of CONTAINER_KEYS[param.location] ?? []) {
+    const container = args[key];
+    if (typeof container === "object" && container !== null && !Array.isArray(container)) {
+      const nested = container[param.name];
+      if (nested !== void 0) return nested;
+    }
+  }
+  return void 0;
+};
+var resolvePath = Effect3.fn("OpenApi.resolvePath")(function* (pathTemplate, args, parameters) {
+  let resolved = pathTemplate;
+  for (const param of parameters) {
+    if (param.location !== "path") continue;
+    const value = readParamValue(args, param);
+    if (value === void 0 || value === null) {
+      if (param.required) {
+        return yield* new OpenApiInvocationError({
+          message: `Missing required path parameter: ${param.name}`,
+          statusCode: Option3.none()
+        });
+      }
+      continue;
+    }
+    resolved = resolved.replaceAll(`{${param.name}}`, encodeURIComponent(String(value)));
+  }
+  const remaining = [...resolved.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]).filter((v) => typeof v === "string");
+  for (const name of remaining) {
+    const value = args[name];
+    if (value !== void 0 && value !== null) {
+      resolved = resolved.replaceAll(`{${name}}`, encodeURIComponent(String(value)));
+    }
+  }
+  const unresolved = [...resolved.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]).filter((v) => typeof v === "string");
+  if (unresolved.length > 0) {
+    return yield* new OpenApiInvocationError({
+      message: `Unresolved path parameters: ${[...new Set(unresolved)].join(", ")}`,
+      statusCode: Option3.none()
+    });
+  }
+  return resolved;
+});
+var resolveHeaders = (headers, secrets) => {
+  const entries = Object.entries(headers);
+  const secretCount = entries.reduce(
+    (acc, [, value]) => typeof value === "string" ? acc : acc + 1,
+    0
+  );
+  return Effect3.gen(function* () {
+    const values = yield* Effect3.all(
+      entries.map(
+        ([name, value]) => typeof value === "string" ? Effect3.succeed({ name, value }) : secrets.get(value.secretId).pipe(
+          Effect3.mapError(
+            (err) => "_tag" in err && err._tag === "SecretOwnedByConnectionError" ? new OpenApiInvocationError({
+              message: `Failed to resolve secret "${value.secretId}" for header "${name}"`,
+              statusCode: Option3.none()
+            }) : err
+          ),
+          Effect3.flatMap(
+            (secret) => secret === null ? Effect3.fail(
+              new OpenApiInvocationError({
+                message: `Failed to resolve secret "${value.secretId}" for header "${name}"`,
+                statusCode: Option3.none()
+              })
+            ) : Effect3.succeed({
+              name,
+              value: value.prefix ? `${value.prefix}${secret}` : secret
+            })
+          )
+        )
+      ),
+      { concurrency: "unbounded" }
+    );
+    const resolved = {};
+    for (const { name, value } of values) resolved[name] = value;
+    return resolved;
+  }).pipe(
+    Effect3.withSpan("plugin.openapi.secret.resolve", {
+      attributes: {
+        "plugin.openapi.headers.total": entries.length,
+        "plugin.openapi.headers.secret_count": secretCount
+      }
+    })
+  );
+};
+var applyHeaders = (request, headers) => {
+  let req = request;
+  for (const [name, value] of Object.entries(headers)) {
+    req = HttpClientRequest2.setHeader(req, name, value);
+  }
+  return req;
+};
+var normalizeContentType = (ct) => ct?.split(";")[0]?.trim().toLowerCase() ?? "";
+var isJsonContentType = (ct) => {
+  const normalized = normalizeContentType(ct);
+  if (!normalized) return false;
+  return normalized === "application/json" || normalized.includes("+json") || normalized.includes("json");
+};
+var isFormUrlEncoded = (ct) => normalizeContentType(ct) === "application/x-www-form-urlencoded";
+var isMultipartFormData = (ct) => normalizeContentType(ct).startsWith("multipart/form-data");
+var isXmlContentType = (ct) => {
+  const normalized = normalizeContentType(ct);
+  if (!normalized) return false;
+  return normalized === "application/xml" || normalized === "text/xml" || normalized.endsWith("+xml");
+};
+var isTextContentType = (ct) => normalizeContentType(ct).startsWith("text/");
+var isOctetStream = (ct) => normalizeContentType(ct) === "application/octet-stream";
+var toUint8Array = (value) => {
+  if (value instanceof Uint8Array) return value;
+  if (value instanceof ArrayBuffer) return new Uint8Array(value);
+  if (ArrayBuffer.isView(value)) {
+    const view = value;
+    return new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
+  }
+  if (Array.isArray(value) && value.every((v) => typeof v === "number")) {
+    return new Uint8Array(value);
+  }
+  return null;
+};
+var toArrayBuffer = (bytes) => {
+  const copy = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(copy).set(bytes);
+  return copy;
+};
+var DEFAULT_FORM_STYLE = {
+  style: "form",
+  explode: true,
+  allowReserved: false
+};
+var resolveStyleExplode = (e) => {
+  if (!e) return DEFAULT_FORM_STYLE;
+  return {
+    style: Option3.getOrElse(e.style, () => DEFAULT_FORM_STYLE.style),
+    explode: Option3.getOrElse(e.explode, () => DEFAULT_FORM_STYLE.explode),
+    allowReserved: Option3.getOrElse(e.allowReserved, () => DEFAULT_FORM_STYLE.allowReserved)
+  };
+};
+var RESERVED_UNENCODED_RE = /[A-Za-z0-9\-._~:/?#[\]@!$&'()*+,;=]/;
+var encodeFormValue = (v, allowReserved) => {
+  const raw = typeof v === "object" && v !== null ? JSON.stringify(v) : String(v);
+  if (!allowReserved) return encodeURIComponent(raw);
+  let out = "";
+  for (const ch of raw) {
+    out += RESERVED_UNENCODED_RE.test(ch) ? ch : encodeURIComponent(ch);
+  }
+  return out;
+};
+var serializeFormUrlEncoded = (value, encoding) => {
+  const parts = [];
+  for (const [key, raw] of Object.entries(value)) {
+    if (raw === void 0 || raw === null) continue;
+    const { style, explode, allowReserved } = resolveStyleExplode(encoding?.[key]);
+    const encKey = encodeURIComponent(key);
+    if (Array.isArray(raw)) {
+      if (explode) {
+        for (const v of raw) {
+          parts.push(`${encKey}=${encodeFormValue(v, allowReserved)}`);
+        }
+      } else {
+        const sep = style === "spaceDelimited" ? " " : style === "pipeDelimited" ? "|" : ",";
+        parts.push(
+          `${encKey}=${encodeFormValue(
+            raw.map((v) => typeof v === "object" ? JSON.stringify(v) : String(v)).join(sep),
+            allowReserved
+          )}`
+        );
+      }
+      continue;
+    }
+    if (typeof raw === "object") {
+      const entries = Object.entries(raw).filter(
+        ([, v]) => v !== void 0 && v !== null
+      );
+      if (style === "deepObject") {
+        for (const [subkey, subval] of entries) {
+          parts.push(
+            `${encodeURIComponent(`${key}[${subkey}]`)}=${encodeFormValue(
+              subval,
+              allowReserved
+            )}`
+          );
+        }
+      } else if (explode) {
+        for (const [subkey, subval] of entries) {
+          parts.push(
+            `${encodeURIComponent(subkey)}=${encodeFormValue(subval, allowReserved)}`
+          );
+        }
+      } else {
+        const flat = entries.flatMap(([k, v]) => [
+          k,
+          typeof v === "object" ? JSON.stringify(v) : String(v)
+        ]);
+        parts.push(`${encKey}=${encodeFormValue(flat.join(","), allowReserved)}`);
+      }
+      continue;
+    }
+    parts.push(`${encKey}=${encodeFormValue(raw, allowReserved)}`);
+  }
+  return parts.join("&");
+};
+var coerceFormDataRecord = (value, encoding) => {
+  const out = {};
+  for (const [key, raw] of Object.entries(value)) {
+    if (raw === void 0 || raw === null) continue;
+    const partType = encoding?.[key] ? Option3.getOrUndefined(encoding[key].contentType) : void 0;
+    if (partType) {
+      const isJson = partType.startsWith("application/json") || partType.includes("+json");
+      const serialized = typeof raw === "string" ? raw : isJson ? JSON.stringify(raw) : typeof raw === "object" ? JSON.stringify(raw) : String(raw);
+      out[key] = new Blob([serialized], { type: partType });
+      continue;
+    }
+    if (typeof raw === "string" || typeof raw === "number" || typeof raw === "boolean" || raw instanceof Blob || typeof File !== "undefined" && raw instanceof File) {
+      out[key] = raw;
+      continue;
+    }
+    if (Array.isArray(raw)) {
+      out[key] = raw.map(
+        (v) => typeof v === "string" || typeof v === "number" || typeof v === "boolean" || v instanceof Blob || typeof File !== "undefined" && v instanceof File ? v : JSON.stringify(v)
+      );
+      continue;
+    }
+    const bytes = toUint8Array(raw);
+    if (bytes) {
+      out[key] = new Blob([toArrayBuffer(bytes)]);
+      continue;
+    }
+    out[key] = JSON.stringify(raw);
+  }
+  return out;
+};
+var applyRequestBody = (request, contentType, bodyValue, encoding) => {
+  if (isJsonContentType(contentType)) {
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest2.bodyText(request, bodyValue, contentType);
+    }
+    return HttpClientRequest2.bodyJsonUnsafe(request, bodyValue);
+  }
+  if (isFormUrlEncoded(contentType)) {
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest2.bodyText(request, bodyValue, contentType);
+    }
+    if (typeof bodyValue === "object" && bodyValue !== null && !Array.isArray(bodyValue)) {
+      const serialized = serializeFormUrlEncoded(
+        bodyValue,
+        encoding
+      );
+      return HttpClientRequest2.bodyText(request, serialized, contentType);
+    }
+    return HttpClientRequest2.bodyUrlParams(
+      request,
+      bodyValue
+    );
+  }
+  if (isMultipartFormData(contentType)) {
+    if (bodyValue instanceof FormData) {
+      return HttpClientRequest2.bodyFormData(request, bodyValue);
+    }
+    if (typeof bodyValue === "object" && bodyValue !== null) {
+      return HttpClientRequest2.bodyFormDataRecord(
+        request,
+        coerceFormDataRecord(bodyValue, encoding)
+      );
+    }
+    return HttpClientRequest2.bodyText(request, String(bodyValue), contentType);
+  }
+  if (isOctetStream(contentType)) {
+    const bytes2 = toUint8Array(bodyValue);
+    if (bytes2) return HttpClientRequest2.bodyUint8Array(request, bytes2, contentType);
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest2.bodyText(request, bodyValue, contentType);
+    }
+    return HttpClientRequest2.bodyText(request, JSON.stringify(bodyValue), contentType);
+  }
+  if (isXmlContentType(contentType) || isTextContentType(contentType)) {
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest2.bodyText(request, bodyValue, contentType);
+    }
+    const bytes2 = toUint8Array(bodyValue);
+    if (bytes2) return HttpClientRequest2.bodyUint8Array(request, bytes2, contentType);
+    return HttpClientRequest2.bodyText(request, JSON.stringify(bodyValue), contentType);
+  }
+  if (typeof bodyValue === "string") {
+    return HttpClientRequest2.bodyText(request, bodyValue, contentType);
+  }
+  const bytes = toUint8Array(bodyValue);
+  if (bytes) return HttpClientRequest2.bodyUint8Array(request, bytes, contentType);
+  return HttpClientRequest2.bodyText(request, JSON.stringify(bodyValue), contentType);
+};
+var invoke = Effect3.fn("OpenApi.invoke")(function* (operation, args, resolvedHeaders, sourceQueryParams = {}) {
+  const client = yield* HttpClient2.HttpClient;
+  yield* Effect3.annotateCurrentSpan({
+    "http.method": operation.method.toUpperCase(),
+    "http.route": operation.pathTemplate,
+    "plugin.openapi.method": operation.method.toUpperCase(),
+    "plugin.openapi.path_template": operation.pathTemplate,
+    "plugin.openapi.headers.resolved_count": Object.keys(resolvedHeaders).length
+  });
+  const resolvedPath = yield* resolvePath(operation.pathTemplate, args, operation.parameters);
+  const path = resolvedPath.startsWith("/") ? resolvedPath : `/${resolvedPath}`;
+  let request = HttpClientRequest2.make(operation.method.toUpperCase())(path);
+  for (const [name, value] of Object.entries(sourceQueryParams)) {
+    request = HttpClientRequest2.setUrlParam(request, name, value);
+  }
+  for (const param of operation.parameters) {
+    if (param.location !== "query") continue;
+    const value = readParamValue(args, param);
+    if (value === void 0 || value === null) continue;
+    request = HttpClientRequest2.setUrlParam(request, param.name, String(value));
+  }
+  for (const param of operation.parameters) {
+    if (param.location !== "header") continue;
+    const value = readParamValue(args, param);
+    if (value === void 0 || value === null) continue;
+    request = HttpClientRequest2.setHeader(request, param.name, String(value));
+  }
+  if (Option3.isSome(operation.requestBody)) {
+    const rb = operation.requestBody.value;
+    const bodyValue = args.body ?? args.input;
+    if (bodyValue !== void 0) {
+      const contentsOpt = Option3.getOrUndefined(rb.contents);
+      const requestedCt = typeof args.contentType === "string" ? args.contentType : void 0;
+      const selected = contentsOpt && requestedCt ? contentsOpt.find((c) => c.contentType === requestedCt) : void 0;
+      const chosenCt = selected?.contentType ?? rb.contentType;
+      const chosenEncoding = selected ? Option3.getOrUndefined(selected.encoding) : contentsOpt && contentsOpt[0] ? Option3.getOrUndefined(contentsOpt[0].encoding) : void 0;
+      request = applyRequestBody(request, chosenCt, bodyValue, chosenEncoding);
+    }
+  }
+  request = applyHeaders(request, resolvedHeaders);
+  const response = yield* client.execute(request).pipe(
+    Effect3.mapError(
+      (err) => new OpenApiInvocationError({
+        message: `HTTP request failed: ${err.message}`,
+        statusCode: Option3.none(),
+        cause: err
+      })
+    )
+  );
+  const status = response.status;
+  yield* Effect3.annotateCurrentSpan({
+    "http.status_code": status
+  });
+  const responseHeaders = { ...response.headers };
+  const contentType = response.headers["content-type"] ?? null;
+  const mapBodyError = Effect3.mapError(
+    (err) => new OpenApiInvocationError({
+      message: `Failed to read response body: ${err.message ?? String(err)}`,
+      statusCode: Option3.some(status),
+      cause: err
+    })
+  );
+  const responseBody = status === 204 ? null : isJsonContentType(contentType) ? yield* response.json.pipe(
+    Effect3.catch(() => response.text),
+    mapBodyError
+  ) : yield* response.text.pipe(mapBodyError);
+  const ok = status >= 200 && status < 300;
+  return new InvocationResult({
+    status,
+    headers: responseHeaders,
+    data: ok ? responseBody : null,
+    error: ok ? null : responseBody
+  });
+});
+var invokeWithLayer = (operation, args, baseUrl, resolvedHeaders, sourceQueryParams, httpClientLayer) => {
+  const clientWithBaseUrl = baseUrl ? Layer.effect(
+    HttpClient2.HttpClient,
+    Effect3.map(
+      Effect3.service(HttpClient2.HttpClient),
+      HttpClient2.mapRequest(HttpClientRequest2.prependUrl(baseUrl))
+    )
+  ).pipe(Layer.provide(httpClientLayer)) : httpClientLayer;
+  return invoke(operation, args, resolvedHeaders, sourceQueryParams).pipe(
+    Effect3.provide(clientWithBaseUrl),
+    Effect3.withSpan("plugin.openapi.invoke", {
+      attributes: {
+        "plugin.openapi.method": operation.method.toUpperCase(),
+        "plugin.openapi.path_template": operation.pathTemplate,
+        "plugin.openapi.base_url": baseUrl
+      }
+    })
+  );
+};
+var REQUIRE_APPROVAL = /* @__PURE__ */ new Set(["post", "put", "patch", "delete"]);
+var annotationsForOperation = (method, pathTemplate) => {
+  const m = method.toLowerCase();
+  if (!REQUIRE_APPROVAL.has(m)) return {};
+  return {
+    requiresApproval: true,
+    approvalDescription: `${method.toUpperCase()} ${pathTemplate}`
+  };
+};
+
+// src/sdk/preview.ts
+import { Effect as Effect4, Option as Option4 } from "effect";
+import { Schema as Schema3 } from "effect";
+var OAuth2Scopes = Schema3.Record(Schema3.String, Schema3.String);
+var OAuth2AuthorizationCodeFlow = class extends Schema3.Class(
+  "OAuth2AuthorizationCodeFlow"
+)({
+  authorizationUrl: Schema3.String,
+  tokenUrl: Schema3.String,
+  refreshUrl: Schema3.OptionFromOptional(Schema3.String),
+  scopes: OAuth2Scopes
+}) {
+};
+var OAuth2ClientCredentialsFlow = class extends Schema3.Class(
+  "OAuth2ClientCredentialsFlow"
+)({
+  tokenUrl: Schema3.String,
+  refreshUrl: Schema3.OptionFromOptional(Schema3.String),
+  scopes: OAuth2Scopes
+}) {
+};
+var OAuth2Flows = class extends Schema3.Class("OAuth2Flows")({
+  authorizationCode: Schema3.OptionFromOptional(OAuth2AuthorizationCodeFlow),
+  clientCredentials: Schema3.OptionFromOptional(OAuth2ClientCredentialsFlow)
+}) {
+};
+var SecurityScheme = class extends Schema3.Class("SecurityScheme")({
+  /** Key name in components.securitySchemes (e.g. "api_token") */
+  name: Schema3.String,
+  /** OpenAPI security scheme type */
+  type: Schema3.Literals(["http", "apiKey", "oauth2", "openIdConnect"]),
+  /** For type: "http" — e.g. "bearer", "basic" */
+  scheme: Schema3.OptionFromOptional(Schema3.String),
+  /** For type: "http" with scheme "bearer" — e.g. "JWT" */
+  bearerFormat: Schema3.OptionFromOptional(Schema3.String),
+  /** For type: "apiKey" — where the key goes */
+  in: Schema3.OptionFromOptional(Schema3.Literals(["header", "query", "cookie"])),
+  /** For type: "apiKey" — the header/query/cookie name */
+  headerName: Schema3.OptionFromOptional(Schema3.String),
+  description: Schema3.OptionFromOptional(Schema3.String),
+  /** For type: "oauth2" — declared flows (authorizationCode / clientCredentials only; implicit and password are deprecated). */
+  flows: Schema3.OptionFromOptional(OAuth2Flows),
+  /** For type: "openIdConnect" — the discovery URL. */
+  openIdConnectUrl: Schema3.OptionFromOptional(Schema3.String)
+}) {
+};
+var AuthStrategy = class extends Schema3.Class("AuthStrategy")({
+  /** The security schemes required together for this strategy */
+  schemes: Schema3.Array(Schema3.String)
+}) {
+};
+var HeaderPreset = class extends Schema3.Class("HeaderPreset")({
+  /** Human-readable label for the UI (e.g. "Bearer Token", "API Key + Email") */
+  label: Schema3.String,
+  /** Headers this strategy needs. Value is null when the user must provide it. */
+  headers: Schema3.Record(Schema3.String, Schema3.NullOr(Schema3.String)),
+  /** Which headers should be stored as secrets */
+  secretHeaders: Schema3.Array(Schema3.String)
+}) {
+};
+var OAuth2Preset = class extends Schema3.Class("OAuth2Preset")({
+  /** Human-readable label for the UI (e.g. "OAuth2 (Authorization Code) — oauth_app") */
+  label: Schema3.String,
+  /** The source security scheme this preset came from (components.securitySchemes key). */
+  securitySchemeName: Schema3.String,
+  /** Which OAuth2 flow this preset uses. */
+  flow: Schema3.Literals(["authorizationCode", "clientCredentials"]),
+  /** For authorizationCode: user-agent redirect URL (from the spec). */
+  authorizationUrl: Schema3.OptionFromOptional(Schema3.String),
+  /** Token endpoint to exchange the code / refresh. */
+  tokenUrl: Schema3.String,
+  /** Optional refresh endpoint if the spec declares one separately. */
+  refreshUrl: Schema3.OptionFromOptional(Schema3.String),
+  /** Declared scopes for this flow: `{ scope: description }`. */
+  scopes: Schema3.Record(Schema3.String, Schema3.String)
+}) {
+};
+var PreviewOperation = class extends Schema3.Class("PreviewOperation")({
+  operationId: Schema3.String,
+  method: HttpMethod,
+  path: Schema3.String,
+  summary: Schema3.OptionFromOptional(Schema3.String),
+  tags: Schema3.Array(Schema3.String),
+  deprecated: Schema3.Boolean
+}) {
+};
+var SpecPreview = class extends Schema3.Class("SpecPreview")({
+  title: Schema3.OptionFromOptional(Schema3.String),
+  version: Schema3.OptionFromOptional(Schema3.String),
+  /** Reuses ServerInfo from extraction */
+  servers: Schema3.Array(ServerInfo),
+  operationCount: Schema3.Number,
+  /** Lightweight operation list for the add-source UI */
+  operations: Schema3.Array(PreviewOperation),
+  tags: Schema3.Array(Schema3.String),
+  securitySchemes: Schema3.Array(SecurityScheme),
+  /** Valid auth strategies (each is a set of schemes used together) */
+  authStrategies: Schema3.Array(AuthStrategy),
+  /** Pre-built header presets derived from auth strategies */
+  headerPresets: Schema3.Array(HeaderPreset),
+  /** OAuth2 presets — one per (oauth2 scheme × supported flow) combination */
+  oauth2Presets: Schema3.Array(OAuth2Preset)
+}) {
+};
+var stringRecord = (value) => {
+  if (!value || typeof value !== "object" || Array.isArray(value)) return {};
+  const out = {};
+  for (const [k, v] of Object.entries(value)) {
+    if (typeof v === "string") out[k] = v;
+  }
+  return out;
+};
+var extractFlows = (rawFlows) => {
+  if (!rawFlows || typeof rawFlows !== "object") return Option4.none();
+  const flows = rawFlows;
+  const parseFlow = (key) => flows[key];
+  let authorizationCode = Option4.none();
+  const authCodeRaw = parseFlow("authorizationCode");
+  if (authCodeRaw && typeof authCodeRaw === "object") {
+    const f = authCodeRaw;
+    const authUrl = typeof f.authorizationUrl === "string" ? f.authorizationUrl : null;
+    const tokenUrl = typeof f.tokenUrl === "string" ? f.tokenUrl : null;
+    if (authUrl && tokenUrl) {
+      authorizationCode = Option4.some(
+        new OAuth2AuthorizationCodeFlow({
+          authorizationUrl: authUrl,
+          tokenUrl,
+          refreshUrl: Option4.fromNullishOr(
+            typeof f.refreshUrl === "string" ? f.refreshUrl : void 0
+          ),
+          scopes: stringRecord(f.scopes)
+        })
+      );
+    }
+  }
+  let clientCredentials = Option4.none();
+  const ccRaw = parseFlow("clientCredentials");
+  if (ccRaw && typeof ccRaw === "object") {
+    const f = ccRaw;
+    const tokenUrl = typeof f.tokenUrl === "string" ? f.tokenUrl : null;
+    if (tokenUrl) {
+      clientCredentials = Option4.some(
+        new OAuth2ClientCredentialsFlow({
+          tokenUrl,
+          refreshUrl: Option4.fromNullishOr(
+            typeof f.refreshUrl === "string" ? f.refreshUrl : void 0
+          ),
+          scopes: stringRecord(f.scopes)
+        })
+      );
+    }
+  }
+  if (Option4.isNone(authorizationCode) && Option4.isNone(clientCredentials)) {
+    return Option4.none();
+  }
+  return Option4.some(new OAuth2Flows({ authorizationCode, clientCredentials }));
+};
+var extractSecuritySchemes = (rawSchemes, resolver) => Object.entries(rawSchemes).flatMap(([name, schemeOrRef]) => {
+  if (!schemeOrRef || typeof schemeOrRef !== "object") return [];
+  const resolved = resolver.resolve(
+    schemeOrRef
+  );
+  if (!resolved || typeof resolved !== "object") return [];
+  const scheme = resolved;
+  const type = scheme.type;
+  if (!["http", "apiKey", "oauth2", "openIdConnect"].includes(type)) return [];
+  return [
+    new SecurityScheme({
+      name,
+      type,
+      scheme: Option4.fromNullishOr(scheme.scheme),
+      bearerFormat: Option4.fromNullishOr(scheme.bearerFormat),
+      in: Option4.fromNullishOr(scheme.in),
+      headerName: Option4.fromNullishOr(scheme.name),
+      description: Option4.fromNullishOr(scheme.description),
+      flows: type === "oauth2" ? extractFlows(scheme.flows) : Option4.none(),
+      openIdConnectUrl: Option4.fromNullishOr(
+        scheme.openIdConnectUrl
+      )
+    })
+  ];
+});
+var buildHeaderPresets = (schemes, strategies) => {
+  const schemeMap = new Map(schemes.map((s) => [s.name, s]));
+  return strategies.flatMap((strategy) => {
+    const resolved = strategy.schemes.map((name) => schemeMap.get(name)).filter((s) => s !== void 0);
+    if (resolved.length === 0) return [];
+    const headers = {};
+    const secretHeaders = [];
+    const labelParts = [];
+    for (const scheme of resolved) {
+      if (scheme.type === "http" && Option4.getOrElse(scheme.scheme, () => "") === "bearer") {
+        headers["Authorization"] = null;
+        secretHeaders.push("Authorization");
+        labelParts.push("Bearer Token");
+      } else if (scheme.type === "http" && Option4.getOrElse(scheme.scheme, () => "") === "basic") {
+        headers["Authorization"] = null;
+        secretHeaders.push("Authorization");
+        labelParts.push("Basic Auth");
+      } else if (scheme.type === "apiKey" && Option4.getOrElse(scheme.in, () => "") === "header") {
+        const headerName = Option4.getOrElse(scheme.headerName, () => scheme.name);
+        headers[headerName] = null;
+        secretHeaders.push(headerName);
+        labelParts.push(scheme.name);
+      } else if (scheme.type === "apiKey") {
+        labelParts.push(`${scheme.name} (${Option4.getOrElse(scheme.in, () => "unknown")})`);
+      } else {
+        labelParts.push(scheme.name);
+      }
+    }
+    if (Object.keys(headers).length === 0 && resolved.length > 0) {
+      return [new HeaderPreset({ label: labelParts.join(" + "), headers: {}, secretHeaders: [] })];
+    }
+    return [new HeaderPreset({ label: labelParts.join(" + "), headers, secretHeaders })];
+  });
+};
+var buildOAuth2Presets = (schemes) => {
+  const presets = [];
+  for (const scheme of schemes) {
+    if (scheme.type !== "oauth2") continue;
+    if (Option4.isNone(scheme.flows)) continue;
+    const flows = scheme.flows.value;
+    if (Option4.isSome(flows.authorizationCode)) {
+      const flow = flows.authorizationCode.value;
+      presets.push(
+        new OAuth2Preset({
+          label: `OAuth2 Authorization Code \xB7 ${scheme.name}`,
+          securitySchemeName: scheme.name,
+          flow: "authorizationCode",
+          authorizationUrl: Option4.some(flow.authorizationUrl),
+          tokenUrl: flow.tokenUrl,
+          refreshUrl: flow.refreshUrl,
+          scopes: flow.scopes
+        })
+      );
+    }
+    if (Option4.isSome(flows.clientCredentials)) {
+      const flow = flows.clientCredentials.value;
+      presets.push(
+        new OAuth2Preset({
+          label: `OAuth2 Client Credentials \xB7 ${scheme.name}`,
+          securitySchemeName: scheme.name,
+          flow: "clientCredentials",
+          authorizationUrl: Option4.none(),
+          tokenUrl: flow.tokenUrl,
+          refreshUrl: flow.refreshUrl,
+          scopes: flow.scopes
+        })
+      );
+    }
+  }
+  return presets;
+};
+var collectTags = (result) => {
+  const tagSet = /* @__PURE__ */ new Set();
+  for (const op of result.operations) {
+    for (const tag of op.tags) tagSet.add(tag);
+  }
+  return [...tagSet].sort();
+};
+var previewSpec = Effect4.fn("OpenApi.previewSpec")(function* (input) {
+  const specText = yield* resolveSpecText(input);
+  const doc = yield* parse(specText);
+  const result = yield* extract(doc);
+  const resolver = new DocResolver(doc);
+  const securitySchemes = extractSecuritySchemes(
+    doc.components?.securitySchemes ?? {},
+    resolver
+  );
+  const rawSecurity = doc.security ?? [];
+  const declaredStrategies = rawSecurity.map(
+    (entry) => new AuthStrategy({ schemes: Object.keys(entry) })
+  );
+  const authStrategies = declaredStrategies.length > 0 ? declaredStrategies : securitySchemes.map((scheme) => new AuthStrategy({ schemes: [scheme.name] }));
+  return new SpecPreview({
+    title: result.title,
+    version: result.version,
+    servers: result.servers,
+    operationCount: result.operations.length,
+    operations: result.operations.map(
+      (op) => new PreviewOperation({
+        operationId: op.operationId,
+        method: op.method,
+        path: op.pathTemplate,
+        summary: op.summary,
+        tags: op.tags,
+        deprecated: op.deprecated
+      })
+    ),
+    tags: collectTags(result),
+    securitySchemes,
+    authStrategies,
+    headerPresets: buildHeaderPresets(securitySchemes, authStrategies),
+    oauth2Presets: buildOAuth2Presets(securitySchemes)
+  });
+});
+
+// src/sdk/store.ts
+import { Effect as Effect5, Schema as Schema4 } from "effect";
+import {
+  defineSchema,
+  ScopeId as ScopeId2,
+  StorageError
+} from "@executor-js/sdk/core";
+var openapiSchema = defineSchema({
+  openapi_source: {
+    fields: {
+      id: { type: "string", required: true },
+      scope_id: { type: "string", required: true, index: true },
+      name: { type: "string", required: true },
+      spec: { type: "string", required: true },
+      // Origin URL the spec was fetched from. Set when `addSpec` was
+      // invoked with an http(s) URL; null when the caller passed raw
+      // spec text. Drives `canRefresh` on the core source row and
+      // is the address re-fetched on `refreshSource`.
+      source_url: { type: "string", required: false },
+      base_url: { type: "string", required: false },
+      headers: { type: "json", required: false },
+      query_params: { type: "json", required: false },
+      oauth2: { type: "json", required: false },
+      invocation_config: { type: "json", required: true }
+    }
+  },
+  openapi_operation: {
+    fields: {
+      id: { type: "string", required: true },
+      scope_id: { type: "string", required: true, index: true },
+      source_id: { type: "string", required: true, index: true },
+      binding: { type: "json", required: true }
+    }
+  },
+  openapi_source_binding: {
+    fields: {
+      id: { type: "string", required: true },
+      source_id: { type: "string", required: true, index: true },
+      source_scope_id: { type: "string", required: true, index: true },
+      // Intentionally NOT named `scope_id`: this row is visible across
+      // scope stacks and is filtered manually by source/target scope.
+      // The target scope is credential ownership data, not adapter row
+      // ownership. Source owners must be able to delete all descendant
+      // bindings when a shared source is removed.
+      target_scope_id: { type: "string", required: true, index: true },
+      slot: { type: "string", required: true, index: true },
+      value: { type: "json", required: true },
+      created_at: { type: "date", required: true },
+      updated_at: { type: "date", required: true }
+    }
+  }
+});
+var StoredSourceSchema = class extends Schema4.Class(
+  "OpenApiStoredSource"
+)({
+  namespace: Schema4.String,
+  name: Schema4.String,
+  config: Schema4.Struct({
+    spec: Schema4.String,
+    sourceUrl: Schema4.optional(Schema4.String),
+    baseUrl: Schema4.optional(Schema4.String),
+    namespace: Schema4.optional(Schema4.String),
+    headers: Schema4.optional(
+      Schema4.Record(Schema4.String, ConfiguredHeaderValue)
+    ),
+    queryParams: Schema4.optional(
+      Schema4.Record(Schema4.String, HeaderValue)
+    ),
+    specFetchCredentials: Schema4.optional(
+      Schema4.Struct({
+        headers: Schema4.optional(
+          Schema4.Record(Schema4.String, HeaderValue)
+        ),
+        queryParams: Schema4.optional(
+          Schema4.Record(Schema4.String, HeaderValue)
+        )
+      })
+    ),
+    // Canonical source-owned OAuth config. Concrete client credentials
+    // and connection ids live in OpenAPI-owned scoped binding rows.
+    oauth2: Schema4.optional(OAuth2SourceConfig)
+  })
+}) {
+};
+var encodeBinding = Schema4.encodeSync(OperationBinding);
+var decodeBinding = Schema4.decodeUnknownSync(OperationBinding);
+var decodeOAuth2 = Schema4.decodeUnknownSync(OAuth2Auth);
+var encodeOAuth2SourceConfig = Schema4.encodeSync(OAuth2SourceConfig);
+var encodeSourceBindingValue = Schema4.encodeSync(OpenApiSourceBindingValue);
+var decodeSourceBindingValue = Schema4.decodeUnknownSync(
+  OpenApiSourceBindingValue
+);
+var asJsonObject = (value) => {
+  if (value == null) return {};
+  if (typeof value === "string")
+    return JSON.parse(value);
+  return value;
+};
+var toJsonRecord = (value) => value;
+var toConfiguredHeaderBinding = (value) => new ConfiguredHeaderBinding({
+  kind: "binding",
+  slot: String(value.slot ?? ""),
+  ...typeof value.prefix === "string" ? { prefix: value.prefix } : {}
+});
+var decodeHeaders = (value) => {
+  if (value == null) return {};
+  if (typeof value === "string")
+    return JSON.parse(value);
+  return value;
+};
+var slugifySlotPart = (value) => value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default";
+var headerBindingSlot = (headerName) => `header:${slugifySlotPart(headerName)}`;
+var oauth2ClientIdSlot = (securitySchemeName) => `oauth2:${slugifySlotPart(securitySchemeName)}:client-id`;
+var oauth2ClientSecretSlot = (securitySchemeName) => `oauth2:${slugifySlotPart(securitySchemeName)}:client-secret`;
+var oauth2ConnectionSlot = (securitySchemeName) => `oauth2:${slugifySlotPart(securitySchemeName)}:connection`;
+var normalizeStoredHeaders = (value) => {
+  const raw = decodeHeaders(value);
+  const headers = {};
+  const legacy = {};
+  for (const [name, header] of Object.entries(raw)) {
+    if (typeof header === "string") {
+      headers[name] = header;
+      legacy[name] = header;
+      continue;
+    }
+    if (header && typeof header === "object" && "kind" in header && header.kind === "binding") {
+      headers[name] = toConfiguredHeaderBinding(header);
+      continue;
+    }
+    legacy[name] = header;
+    headers[name] = new ConfiguredHeaderBinding({
+      kind: "binding",
+      slot: headerBindingSlot(name),
+      prefix: header.prefix
+    });
+  }
+  return { headers, legacy };
+};
+var normalizeStoredOAuth2 = (value) => {
+  if (value == null) return {};
+  const parsed = typeof value === "string" ? JSON.parse(value) : value;
+  if (parsed && typeof parsed === "object" && "connectionSlot" in parsed) {
+    return {
+      oauth2: Schema4.decodeUnknownSync(OAuth2SourceConfig)(parsed)
+    };
+  }
+  const legacy = decodeOAuth2(parsed);
+  return {
+    legacy,
+    oauth2: new OAuth2SourceConfig({
+      kind: "oauth2",
+      securitySchemeName: legacy.securitySchemeName,
+      flow: legacy.flow,
+      tokenUrl: legacy.tokenUrl,
+      authorizationUrl: legacy.authorizationUrl,
+      clientIdSlot: oauth2ClientIdSlot(legacy.securitySchemeName),
+      clientSecretSlot: legacy.clientSecretSecretId ? oauth2ClientSecretSlot(legacy.securitySchemeName) : null,
+      connectionSlot: oauth2ConnectionSlot(legacy.securitySchemeName),
+      scopes: [...legacy.scopes]
+    })
+  };
+};
+var makeDefaultOpenapiStore = ({
+  adapter,
+  scopes
+}) => {
+  const scopeIds = scopes.map((scope) => scope.id);
+  const scopePrecedence = /* @__PURE__ */ new Map();
+  scopeIds.forEach((scope, index) => scopePrecedence.set(scope, index));
+  const scopeRank = (scopeId) => scopePrecedence.get(scopeId) ?? Infinity;
+  const encodeSyntheticRowIdPart = (value) => encodeURIComponent(value);
+  const sourceBindingRowId = (sourceId, sourceScopeId, slot, scopeId) => [
+    "openapi-source-binding",
+    encodeSyntheticRowIdPart(sourceScopeId),
+    encodeSyntheticRowIdPart(sourceId),
+    encodeSyntheticRowIdPart(slot),
+    encodeSyntheticRowIdPart(scopeId)
+  ].join("::");
+  const rowToSourceBinding = (row) => new OpenApiSourceBindingRef({
+    sourceId: row.source_id,
+    sourceScopeId: ScopeId2.make(row.source_scope_id),
+    scopeId: ScopeId2.make(row.target_scope_id),
+    slot: row.slot,
+    value: decodeSourceBindingValue(asJsonObject(row.value)),
+    createdAt: row.created_at instanceof Date ? row.created_at : new Date(row.created_at),
+    updatedAt: row.updated_at instanceof Date ? row.updated_at : new Date(row.updated_at)
+  });
+  const validateBindingTarget = (params) => Effect5.gen(function* () {
+    if (!scopeIds.includes(params.sourceScope)) {
+      return yield* Effect5.fail(
+        new StorageError({
+          message: `OpenAPI source binding references source scope "${params.sourceScope}" which is not in the executor's scope stack [${scopeIds.join(", ")}].`,
+          cause: void 0
+        })
+      );
+    }
+    if (!scopeIds.includes(params.targetScope)) {
+      return yield* Effect5.fail(
+        new StorageError({
+          message: `OpenAPI source binding targets scope "${params.targetScope}" which is not in the executor's scope stack [${scopeIds.join(", ")}].`,
+          cause: void 0
+        })
+      );
+    }
+    const source = yield* adapter.findOne({
+      model: "openapi_source",
+      where: [
+        { field: "id", value: params.sourceId },
+        { field: "scope_id", value: params.sourceScope }
+      ]
+    });
+    if (!source) {
+      return yield* Effect5.fail(
+        new StorageError({
+          message: `OpenAPI source "${params.sourceId}" does not exist at scope "${params.sourceScope}"`,
+          cause: void 0
+        })
+      );
+    }
+    if (scopeRank(params.targetScope) > scopeRank(params.sourceScope)) {
+      return yield* Effect5.fail(
+        new StorageError({
+          message: `OpenAPI source bindings for "${params.sourceId}" cannot be written at outer scope "${params.targetScope}" because the base source lives at "${params.sourceScope}"`,
+          cause: void 0
+        })
+      );
+    }
+    return source;
+  });
+  const rowToSource = (row) => {
+    const normalizedHeaders = normalizeStoredHeaders(row.headers);
+    const normalizedOAuth2 = normalizeStoredOAuth2(row.oauth2);
+    const invocationConfig = asJsonObject(row.invocation_config);
+    return {
+      namespace: row.id,
+      scope: row.scope_id,
+      name: row.name,
+      config: {
+        spec: row.spec,
+        sourceUrl: row.source_url ?? void 0,
+        baseUrl: row.base_url ?? void 0,
+        headers: normalizedHeaders.headers,
+        queryParams: decodeHeaders(row.query_params),
+        specFetchCredentials: invocationConfig.specFetchCredentials,
+        oauth2: normalizedOAuth2.oauth2
+      },
+      legacy: Object.keys(normalizedHeaders.legacy).length > 0 || normalizedOAuth2.legacy ? {
+        ...Object.keys(normalizedHeaders.legacy).length > 0 ? { headers: normalizedHeaders.legacy } : {},
+        ...normalizedOAuth2.legacy ? { oauth2: normalizedOAuth2.legacy } : {}
+      } : void 0
+    };
+  };
+  const rowToOperation = (row) => ({
+    toolId: row.id,
+    sourceId: row.source_id,
+    binding: decodeBinding(
+      typeof row.binding === "string" ? JSON.parse(row.binding) : row.binding
+    )
+  });
+  const deleteSource = (namespace, scope, options) => Effect5.gen(function* () {
+    yield* adapter.deleteMany({
+      model: "openapi_operation",
+      where: [
+        { field: "source_id", value: namespace },
+        { field: "scope_id", value: scope }
+      ]
+    });
+    yield* adapter.delete({
+      model: "openapi_source",
+      where: [
+        { field: "id", value: namespace },
+        { field: "scope_id", value: scope }
+      ]
+    });
+    if (options?.includeBindings) {
+      yield* adapter.deleteMany({
+        model: "openapi_source_binding",
+        where: [
+          { field: "source_id", value: namespace },
+          { field: "source_scope_id", value: scope }
+        ]
+      });
+    }
+  });
+  return {
+    upsertSource: (input, operations) => Effect5.gen(function* () {
+      yield* deleteSource(input.namespace, input.scope);
+      yield* adapter.create({
+        model: "openapi_source",
+        data: {
+          id: input.namespace,
+          scope_id: input.scope,
+          name: input.name,
+          spec: input.config.spec,
+          source_url: input.config.sourceUrl ?? void 0,
+          base_url: input.config.baseUrl ?? void 0,
+          headers: Object.fromEntries(
+            Object.entries(input.config.headers ?? {}).map(
+              ([name, value]) => [
+                name,
+                typeof value === "string" ? value : value.kind === "binding" ? {
+                  kind: value.kind,
+                  slot: value.slot,
+                  ...value.prefix ? { prefix: value.prefix } : {}
+                } : value
+              ]
+            )
+          ),
+          query_params: input.config.queryParams,
+          oauth2: input.config.oauth2 ? toJsonRecord(encodeOAuth2SourceConfig(input.config.oauth2)) : void 0,
+          invocation_config: {
+            ...input.config.specFetchCredentials ? { specFetchCredentials: input.config.specFetchCredentials } : {}
+          }
+        },
+        forceAllowId: true
+      });
+      if (operations.length > 0) {
+        yield* adapter.createMany({
+          model: "openapi_operation",
+          data: operations.map((op) => ({
+            id: op.toolId,
+            scope_id: input.scope,
+            source_id: op.sourceId,
+            binding: toJsonRecord(encodeBinding(op.binding))
+          })),
+          forceAllowId: true
+        });
+      }
+    }),
+    updateSourceMeta: (namespace, scope, patch) => Effect5.gen(function* () {
+      const existingRow = yield* adapter.findOne({
+        model: "openapi_source",
+        where: [
+          { field: "id", value: namespace },
+          { field: "scope_id", value: scope }
+        ]
+      });
+      if (!existingRow) return;
+      const existing = rowToSource(existingRow);
+      const nextName = patch.name?.trim() || existing.name;
+      const nextBaseUrl = patch.baseUrl !== void 0 ? patch.baseUrl : existing.config.baseUrl;
+      const nextHeaders = patch.headers !== void 0 ? patch.headers : existing.config.headers ?? {};
+      const nextQueryParams = patch.queryParams !== void 0 ? patch.queryParams : existing.config.queryParams ?? {};
+      const nextOAuth2 = patch.oauth2 !== void 0 ? patch.oauth2 : existing.config.oauth2;
+      yield* adapter.update({
+        model: "openapi_source",
+        where: [
+          { field: "id", value: namespace },
+          { field: "scope_id", value: scope }
+        ],
+        update: {
+          name: nextName,
+          base_url: nextBaseUrl ?? void 0,
+          headers: Object.fromEntries(
+            Object.entries(nextHeaders).map(([name, value]) => [
+              name,
+              typeof value === "string" ? value : {
+                kind: value.kind,
+                slot: value.slot,
+                ...value.prefix ? { prefix: value.prefix } : {}
+              }
+            ])
+          ),
+          query_params: nextQueryParams,
+          oauth2: nextOAuth2 ? toJsonRecord(encodeOAuth2SourceConfig(nextOAuth2)) : void 0,
+          invocation_config: asJsonObject(existingRow.invocation_config)
+        }
+      });
+    }),
+    getSource: (namespace, scope) => adapter.findOne({
+      model: "openapi_source",
+      where: [
+        { field: "id", value: namespace },
+        { field: "scope_id", value: scope }
+      ]
+    }).pipe(Effect5.map((row) => row ? rowToSource(row) : null)),
+    listSources: () => adapter.findMany({ model: "openapi_source" }).pipe(Effect5.map((rows) => rows.map(rowToSource))),
+    getOperationByToolId: (toolId, scope) => adapter.findOne({
+      model: "openapi_operation",
+      where: [
+        { field: "id", value: toolId },
+        { field: "scope_id", value: scope }
+      ]
+    }).pipe(Effect5.map((row) => row ? rowToOperation(row) : null)),
+    listOperationsBySource: (sourceId, scope) => adapter.findMany({
+      model: "openapi_operation",
+      where: [
+        { field: "source_id", value: sourceId },
+        { field: "scope_id", value: scope }
+      ]
+    }).pipe(Effect5.map((rows) => rows.map(rowToOperation))),
+    removeSource: (namespace, scope) => deleteSource(namespace, scope, { includeBindings: true }),
+    listSourceBindings: (sourceId, sourceScope) => Effect5.gen(function* () {
+      yield* validateBindingTarget({
+        sourceId,
+        sourceScope,
+        targetScope: sourceScope
+      });
+      const sourceScopeRank = scopeRank(sourceScope);
+      const rows = yield* adapter.findMany({
+        model: "openapi_source_binding",
+        where: [
+          { field: "source_id", value: sourceId },
+          { field: "source_scope_id", value: sourceScope }
+        ]
+      });
+      return rows.filter(
+        (row) => scopeRank(row.target_scope_id) <= sourceScopeRank
+      ).sort(
+        (a, b) => scopeRank(a.target_scope_id) - scopeRank(b.target_scope_id)
+      ).map(rowToSourceBinding);
+    }),
+    resolveSourceBinding: (sourceId, sourceScope, slot) => Effect5.gen(function* () {
+      yield* validateBindingTarget({
+        sourceId,
+        sourceScope,
+        targetScope: sourceScope
+      });
+      const rows = yield* adapter.findMany({
+        model: "openapi_source_binding",
+        where: [
+          { field: "source_id", value: sourceId },
+          { field: "source_scope_id", value: sourceScope },
+          { field: "slot", value: slot }
+        ]
+      });
+      const sourceScopeRank = scopeRank(sourceScope);
+      const row = rows.filter(
+        (candidate) => scopeRank(candidate.target_scope_id) <= sourceScopeRank
+      ).sort(
+        (a, b) => scopeRank(a.target_scope_id) - scopeRank(b.target_scope_id)
+      )[0];
+      return row ? rowToSourceBinding(row) : null;
+    }),
+    setSourceBinding: (input) => Effect5.gen(function* () {
+      yield* validateBindingTarget({
+        sourceId: input.sourceId,
+        sourceScope: input.sourceScope,
+        targetScope: input.scope
+      });
+      const id = sourceBindingRowId(
+        input.sourceId,
+        input.sourceScope,
+        input.slot,
+        input.scope
+      );
+      const now = /* @__PURE__ */ new Date();
+      yield* adapter.delete({
+        model: "openapi_source_binding",
+        where: [{ field: "id", value: id }]
+      });
+      yield* adapter.create({
+        model: "openapi_source_binding",
+        data: {
+          id,
+          source_id: input.sourceId,
+          source_scope_id: input.sourceScope,
+          target_scope_id: input.scope,
+          slot: input.slot,
+          value: toJsonRecord(encodeSourceBindingValue(input.value)),
+          created_at: now,
+          updated_at: now
+        },
+        forceAllowId: true
+      });
+      return new OpenApiSourceBindingRef({
+        sourceId: input.sourceId,
+        sourceScopeId: input.sourceScope,
+        scopeId: input.scope,
+        slot: input.slot,
+        value: input.value,
+        createdAt: now,
+        updatedAt: now
+      });
+    }),
+    removeSourceBinding: (sourceId, sourceScope, slot, scope) => Effect5.gen(function* () {
+      yield* validateBindingTarget({
+        sourceId,
+        sourceScope,
+        targetScope: scope
+      });
+      yield* adapter.delete({
+        model: "openapi_source_binding",
+        where: [
+          {
+            field: "id",
+            value: sourceBindingRowId(sourceId, sourceScope, slot, scope)
+          }
+        ]
+      });
+    })
+  };
+};
+
+// src/sdk/plugin.ts
+import { Effect as Effect6, Option as Option5, Schema as Schema5 } from "effect";
+import { FetchHttpClient } from "effect/unstable/http";
+import {
+  ConnectionId as ConnectionId2,
+  ScopeId as ScopeId3,
+  SecretId as SecretId2,
+  SourceDetectionResult,
+  definePlugin,
+  resolveSecretBackedMap
+} from "@executor-js/sdk/core";
+import {
+  headersToConfigValues
+} from "@executor-js/config";
+
+// src/sdk/definitions.ts
+var splitWords = (value) => value.replace(/([a-z0-9])([A-Z])/g, "$1 $2").replace(/([A-Z]+)([A-Z][a-z0-9]+)/g, "$1 $2").replace(/[^a-zA-Z0-9]+/g, " ").trim().split(/\s+/).filter((part) => part.length > 0);
+var normalizeWord = (value) => value.toLowerCase();
+var toCamelCase = (value) => {
+  const words = splitWords(value).map(normalizeWord);
+  if (words.length === 0) return "tool";
+  const [first, ...rest] = words;
+  return `${first}${rest.map((p) => `${p[0]?.toUpperCase() ?? ""}${p.slice(1)}`).join("")}`;
+};
+var toPascalCase = (value) => {
+  const camel = toCamelCase(value);
+  return `${camel[0]?.toUpperCase() ?? ""}${camel.slice(1)}`;
+};
+var VERSION_SEGMENT_REGEX = /^v\d+(?:[._-]\d+)?$/i;
+var IGNORED_PATH_SEGMENTS = /* @__PURE__ */ new Set(["api"]);
+var pathSegmentsFromTemplate = (pathTemplate) => pathTemplate.split("/").map((s) => s.trim()).filter((s) => s.length > 0);
+var isPathParameterSegment = (segment) => segment.startsWith("{") && segment.endsWith("}");
+var normalizeGroupSegment = (value) => {
+  const candidate = value?.trim();
+  if (!candidate) return null;
+  return toCamelCase(candidate);
+};
+var deriveVersionSegment = (pathTemplate) => pathSegmentsFromTemplate(pathTemplate).map((s) => s.toLowerCase()).find((s) => VERSION_SEGMENT_REGEX.test(s));
+var derivePathGroup = (pathTemplate) => {
+  for (const segment of pathSegmentsFromTemplate(pathTemplate)) {
+    const lower = segment.toLowerCase();
+    if (VERSION_SEGMENT_REGEX.test(lower)) continue;
+    if (IGNORED_PATH_SEGMENTS.has(lower)) continue;
+    if (isPathParameterSegment(segment)) continue;
+    return normalizeGroupSegment(segment) ?? "root";
+  }
+  return "root";
+};
+var splitOperationIdSegments = (value) => value.split(/[/.]+/).map((s) => s.trim()).filter((s) => s.length > 0);
+var deriveLeafSeed = (operationId, group) => {
+  const segments = splitOperationIdSegments(operationId);
+  if (segments.length > 1) {
+    const [first, ...rest] = segments;
+    if ((normalizeGroupSegment(first) ?? first) === group && rest.length > 0) {
+      return rest.join(" ");
+    }
+  }
+  return operationId;
+};
+var fallbackLeafSeed = (method, pathTemplate, group) => {
+  const relevantSegments = pathSegmentsFromTemplate(pathTemplate).filter((s) => !VERSION_SEGMENT_REGEX.test(s.toLowerCase())).filter((s) => !IGNORED_PATH_SEGMENTS.has(s.toLowerCase())).filter((s) => !isPathParameterSegment(s)).map((s) => normalizeGroupSegment(s) ?? s).filter((s) => s !== group);
+  const segmentSuffix = relevantSegments.map((s) => toPascalCase(s)).join("");
+  return `${method}${segmentSuffix || "Operation"}`;
+};
+var deriveLeaf = (operationId, method, pathTemplate, group) => {
+  const preferred = toCamelCase(deriveLeafSeed(operationId, group));
+  if (preferred.length > 0 && preferred !== group) return preferred;
+  return toCamelCase(fallbackLeafSeed(method, pathTemplate, group));
+};
+var resolveCollisions = (definitions) => {
+  const staged = definitions.map((d) => ({ ...d }));
+  const applyFactory = (items, factory) => {
+    const byPath = /* @__PURE__ */ new Map();
+    for (const item of items) {
+      const bucket = byPath.get(item.toolPath) ?? [];
+      bucket.push(item);
+      byPath.set(item.toolPath, bucket);
+    }
+    for (const bucket of byPath.values()) {
+      if (bucket.length < 2) continue;
+      for (const d of bucket) {
+        d.toolPath = factory(d);
+      }
+    }
+  };
+  applyFactory(
+    staged,
+    (d) => d.versionSegment ? `${d.group}.${d.versionSegment}.${d.leaf}` : d.toolPath
+  );
+  applyFactory(staged, (d) => {
+    const prefix = d.versionSegment ? `${d.group}.${d.versionSegment}` : d.group;
+    return `${prefix}.${d.leaf}${toPascalCase(d.method)}`;
+  });
+  applyFactory(staged, (d) => {
+    const prefix = d.versionSegment ? `${d.group}.${d.versionSegment}` : d.group;
+    return `${prefix}.${d.leaf}${toPascalCase(d.method)}${d.operationHash.slice(0, 8)}`;
+  });
+  return staged.map((d) => ({
+    toolPath: d.toolPath,
+    group: d.group,
+    leaf: d.leaf,
+    operationIndex: d.operationIndex,
+    operation: d.operation
+  }));
+};
+var stableHash = (value) => {
+  const str = JSON.stringify(value, Object.keys(value).sort());
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    hash = (hash << 5) - hash + str.charCodeAt(i) | 0;
+  }
+  return Math.abs(hash).toString(36).padStart(8, "0");
+};
+var compileToolDefinitions = (operations) => {
+  const raw = operations.map((op, index) => {
+    const operationId = op.operationId;
+    const group = normalizeGroupSegment(op.tags[0]) ?? derivePathGroup(op.pathTemplate);
+    const leaf = deriveLeaf(operationId, op.method, op.pathTemplate, group);
+    const versionSegment = deriveVersionSegment(op.pathTemplate);
+    const operationHash = stableHash({
+      method: op.method,
+      path: op.pathTemplate,
+      operationId
+    });
+    return {
+      toolPath: `${group}.${leaf}`,
+      group,
+      leaf,
+      versionSegment,
+      method: op.method,
+      operationHash,
+      operationIndex: index,
+      operation: op
+    };
+  });
+  return resolveCollisions(raw).sort((a, b) => a.toolPath.localeCompare(b.toolPath));
+};
+
+// src/sdk/plugin.ts
+var PreviewSpecInputSchema = Schema5.Struct({
+  spec: Schema5.String,
+  specFetchCredentials: Schema5.optional(
+    Schema5.Struct({
+      headers: Schema5.optional(Schema5.Record(Schema5.String, HeaderValue)),
+      queryParams: Schema5.optional(Schema5.Record(Schema5.String, HeaderValue))
+    })
+  )
+});
+var AddSourceInputSchema = Schema5.Struct({
+  spec: Schema5.String,
+  baseUrl: Schema5.optional(Schema5.String),
+  namespace: Schema5.optional(Schema5.String),
+  headers: Schema5.optional(Schema5.Record(Schema5.String, HeaderValue)),
+  queryParams: Schema5.optional(Schema5.Record(Schema5.String, HeaderValue)),
+  specFetchCredentials: Schema5.optional(
+    Schema5.Struct({
+      headers: Schema5.optional(Schema5.Record(Schema5.String, HeaderValue)),
+      queryParams: Schema5.optional(Schema5.Record(Schema5.String, HeaderValue))
+    })
+  )
+});
+var normalizeOpenApiRefs = (node) => {
+  if (node == null || typeof node !== "object") return node;
+  if (Array.isArray(node)) {
+    let changed2 = false;
+    const out = node.map((item) => {
+      const n = normalizeOpenApiRefs(item);
+      if (n !== item) changed2 = true;
+      return n;
+    });
+    return changed2 ? out : node;
+  }
+  const obj = node;
+  if (typeof obj.$ref === "string") {
+    const match = obj.$ref.match(/^#\/components\/schemas\/(.+)$/);
+    if (match) return { ...obj, $ref: `#/$defs/${match[1]}` };
+    return obj;
+  }
+  let changed = false;
+  const result = {};
+  for (const [k, v] of Object.entries(obj)) {
+    const n = normalizeOpenApiRefs(v);
+    if (n !== v) changed = true;
+    result[k] = n;
+  }
+  return changed ? result : obj;
+};
+var toBinding = (def) => new OperationBinding({
+  method: def.operation.method,
+  pathTemplate: def.operation.pathTemplate,
+  parameters: [...def.operation.parameters],
+  requestBody: def.operation.requestBody
+});
+var descriptionFor = (def) => {
+  const op = def.operation;
+  return Option5.getOrElse(
+    op.description,
+    () => Option5.getOrElse(op.summary, () => `${op.method.toUpperCase()} ${op.pathTemplate}`)
+  );
+};
+var headerSlotFromName = (name) => `header:${name.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default"}`;
+var oauthClientIdSlot = (securitySchemeName) => `oauth2:${securitySchemeName.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default"}:client-id`;
+var oauthClientSecretSlot = (securitySchemeName) => `oauth2:${securitySchemeName.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default"}:client-secret`;
+var oauthConnectionSlot = (securitySchemeName) => `oauth2:${securitySchemeName.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default"}:connection`;
+var canonicalizeHeaders = (headers) => {
+  const nextHeaders = {};
+  const bindings = [];
+  for (const [name, value] of Object.entries(headers ?? {})) {
+    if (typeof value === "string") {
+      nextHeaders[name] = value;
+      continue;
+    }
+    if ("kind" in value) {
+      nextHeaders[name] = value;
+      continue;
+    }
+    const slot = headerSlotFromName(name);
+    nextHeaders[name] = new ConfiguredHeaderBinding({
+      kind: "binding",
+      slot,
+      prefix: value.prefix
+    });
+    bindings.push({
+      slot,
+      value: {
+        kind: "secret",
+        secretId: SecretId2.make(value.secretId)
+      }
+    });
+  }
+  return { headers: nextHeaders, bindings };
+};
+var canonicalizeOAuth2 = (oauth2) => {
+  if (!oauth2) return { bindings: [] };
+  if ("connectionSlot" in oauth2) {
+    return { oauth2, bindings: [] };
+  }
+  const bindings = [
+    {
+      slot: oauthClientIdSlot(oauth2.securitySchemeName),
+      value: {
+        kind: "secret",
+        secretId: SecretId2.make(oauth2.clientIdSecretId)
+      }
+    }
+  ];
+  if (oauth2.clientSecretSecretId) {
+    bindings.push({
+      slot: oauthClientSecretSlot(oauth2.securitySchemeName),
+      value: {
+        kind: "secret",
+        secretId: SecretId2.make(oauth2.clientSecretSecretId)
+      }
+    });
+  }
+  if (oauth2.connectionId) {
+    bindings.push({
+      slot: oauthConnectionSlot(oauth2.securitySchemeName),
+      value: {
+        kind: "connection",
+        connectionId: ConnectionId2.make(oauth2.connectionId)
+      }
+    });
+  }
+  return {
+    oauth2: new OAuth2SourceConfig({
+      kind: "oauth2",
+      securitySchemeName: oauth2.securitySchemeName,
+      flow: oauth2.flow,
+      tokenUrl: oauth2.tokenUrl,
+      authorizationUrl: oauth2.authorizationUrl,
+      clientIdSlot: oauthClientIdSlot(oauth2.securitySchemeName),
+      clientSecretSlot: oauth2.clientSecretSecretId ? oauthClientSecretSlot(oauth2.securitySchemeName) : null,
+      connectionSlot: oauthConnectionSlot(oauth2.securitySchemeName),
+      scopes: [...oauth2.scopes]
+    }),
+    bindings
+  };
+};
+var resolveEffectiveSourceConfig = (ctx, base) => Effect6.gen(function* () {
+  const rank = new Map(ctx.scopes.map((scope, index) => [scope.id, index]));
+  const baseRank = rank.get(base.scope) ?? Infinity;
+  let fallback = null;
+  for (let index = baseRank + 1; index < ctx.scopes.length; index++) {
+    const scope = ctx.scopes[index];
+    if (!scope) continue;
+    fallback = yield* ctx.storage.getSource(base.namespace, scope.id);
+    if (fallback) break;
+  }
+  if (!fallback) {
+    return {
+      config: base.config,
+      headersSource: base,
+      oauth2Source: base
+    };
+  }
+  const hasBaseHeaders = Object.keys(base.config.headers ?? {}).length > 0;
+  const hasBaseQueryParams = Object.keys(base.config.queryParams ?? {}).length > 0;
+  return {
+    config: {
+      ...base.config,
+      sourceUrl: base.config.sourceUrl ?? fallback.config.sourceUrl,
+      baseUrl: base.config.baseUrl || fallback.config.baseUrl,
+      namespace: base.config.namespace ?? fallback.config.namespace,
+      headers: hasBaseHeaders ? base.config.headers : fallback.config.headers,
+      queryParams: hasBaseQueryParams ? base.config.queryParams : fallback.config.queryParams,
+      specFetchCredentials: base.config.specFetchCredentials ?? fallback.config.specFetchCredentials,
+      oauth2: base.config.oauth2 ?? fallback.config.oauth2
+    },
+    headersSource: hasBaseHeaders ? base : fallback,
+    oauth2Source: base.config.oauth2 ? base : fallback
+  };
+});
+var resolveConfiguredHeaders = (ctx, params) => Effect6.gen(function* () {
+  const resolved = {};
+  for (const [name, value] of Object.entries(params.headers)) {
+    if (typeof value === "string") {
+      resolved[name] = value;
+      continue;
+    }
+    const binding = yield* ctx.storage.resolveSourceBinding(
+      params.sourceId,
+      params.sourceScope,
+      value.slot
+    );
+    if (binding?.value.kind === "secret") {
+      const secret = yield* ctx.secrets.get(binding.value.secretId).pipe(
+        Effect6.mapError(
+          (err) => "_tag" in err && err._tag === "SecretOwnedByConnectionError" ? new OpenApiOAuthError({
+            message: `Secret not found for header "${name}"`
+          }) : err
+        )
+      );
+      if (secret === null) {
+        return yield* new OpenApiOAuthError({
+          message: `Missing secret "${binding.value.secretId}" for header "${name}"`
+        });
+      }
+      resolved[name] = value.prefix ? `${value.prefix}${secret}` : secret;
+      continue;
+    }
+    if (binding?.value.kind === "text") {
+      resolved[name] = value.prefix ? `${value.prefix}${binding.value.text}` : binding.value.text;
+      continue;
+    }
+    const legacy = params.legacyHeaders?.[name];
+    if (legacy) {
+      const fallback = yield* resolveHeaders({ [name]: legacy }, ctx.secrets).pipe(
+        Effect6.map((headers) => headers[name]),
+        Effect6.mapError(
+          (err) => err instanceof OpenApiOAuthError ? err : new OpenApiOAuthError({ message: err.message })
+        )
+      );
+      resolved[name] = fallback;
+      continue;
+    }
+    return yield* new OpenApiOAuthError({
+      message: `Missing binding for header "${name}"`
+    });
+  }
+  return resolved;
+});
+var resolveHeaderValues = (ctx, values) => resolveSecretBackedMap({
+  values,
+  getSecret: ctx.secrets.get,
+  onMissing: (name) => new OpenApiOAuthError({
+    message: `Secret not found for "${name}"`
+  }),
+  onError: (err, name) => "_tag" in err && err._tag === "SecretOwnedByConnectionError" ? new OpenApiOAuthError({
+    message: `Secret not found for "${name}"`
+  }) : err
+}).pipe(
+  Effect6.mapError(
+    (err) => "_tag" in err && err._tag === "SecretOwnedByConnectionError" ? new OpenApiOAuthError({ message: "Secret resolution failed" }) : err
+  ),
+  Effect6.map((resolved) => resolved ?? {})
+);
+var resolveOAuthConnectionId = (ctx, params) => Effect6.gen(function* () {
+  const binding = yield* ctx.storage.resolveSourceBinding(
+    params.sourceId,
+    params.sourceScope,
+    params.oauth2.connectionSlot
+  );
+  if (binding?.value.kind === "connection") {
+    const connectionId = binding.value.connectionId;
+    const connection = yield* ctx.connections.get(connectionId);
+    return connection ? connectionId : null;
+  }
+  if (!params.legacyOAuth2?.connectionId) return null;
+  const legacyConnection = yield* ctx.connections.get(params.legacyOAuth2.connectionId);
+  return legacyConnection ? params.legacyOAuth2.connectionId : null;
+});
+var resolveSpecFetchCredentials = (ctx, credentials) => Effect6.gen(function* () {
+  if (!credentials) return void 0;
+  return {
+    headers: yield* resolveHeaderValues(ctx, credentials.headers),
+    queryParams: yield* resolveHeaderValues(ctx, credentials.queryParams)
+  };
+});
+var toOpenApiSourceConfig = (namespace, config) => {
+  const legacyHeaders = {};
+  for (const [name, value] of Object.entries(config.headers ?? {})) {
+    if (typeof value === "string" || !("kind" in value)) {
+      legacyHeaders[name] = value;
+    }
+  }
+  return {
+    kind: "openapi",
+    spec: config.spec,
+    baseUrl: config.baseUrl,
+    namespace,
+    headers: headersToConfigValues(
+      Object.keys(legacyHeaders).length > 0 ? legacyHeaders : void 0
+    )
+  };
+};
+var isHttpUrl = (s) => s.startsWith("http://") || s.startsWith("https://");
+var openApiPlugin = definePlugin((options) => {
+  const httpClientLayer = options?.httpClientLayer ?? FetchHttpClient.layer;
+  const rebuildSource = (ctx, input) => Effect6.gen(function* () {
+    const doc = yield* parse(input.specText);
+    const result = yield* extract(doc);
+    const namespace = input.namespace ?? Option5.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
+    const hoistedDefs = {};
+    if (doc.components?.schemas) {
+      for (const [k, v] of Object.entries(doc.components.schemas)) {
+        hoistedDefs[k] = normalizeOpenApiRefs(v);
+      }
+    }
+    const baseUrl = input.baseUrl ?? resolveBaseUrl(result.servers);
+    const canonicalHeaders = canonicalizeHeaders(input.headers);
+    const canonicalOAuth2 = canonicalizeOAuth2(input.oauth2);
+    const definitions = compileToolDefinitions(result.operations);
+    const sourceName = input.name ?? Option5.getOrElse(result.title, () => namespace);
+    const sourceConfig = {
+      spec: input.specText,
+      sourceUrl: input.sourceUrl,
+      baseUrl,
+      namespace: input.namespace,
+      headers: canonicalHeaders.headers,
+      queryParams: input.queryParams,
+      specFetchCredentials: input.specFetchCredentials,
+      oauth2: canonicalOAuth2.oauth2
+    };
+    const storedSource = {
+      namespace,
+      scope: input.scope,
+      name: sourceName,
+      config: sourceConfig
+    };
+    const storedOps = definitions.map((def) => ({
+      toolId: `${namespace}.${def.toolPath}`,
+      sourceId: namespace,
+      binding: toBinding(def)
+    }));
+    yield* ctx.transaction(
+      Effect6.gen(function* () {
+        yield* ctx.storage.upsertSource(storedSource, storedOps);
+        yield* ctx.core.sources.register({
+          id: namespace,
+          scope: input.scope,
+          kind: "openapi",
+          name: sourceName,
+          url: baseUrl || void 0,
+          canRemove: true,
+          // `canRefresh` reflects whether we still know the
+          // origin URL — sources added from raw spec text have
+          // nothing to re-fetch, so refresh stays disabled.
+          canRefresh: input.sourceUrl != null,
+          canEdit: true,
+          tools: definitions.map((def) => ({
+            name: def.toolPath,
+            description: descriptionFor(def),
+            inputSchema: normalizeOpenApiRefs(Option5.getOrUndefined(def.operation.inputSchema)),
+            outputSchema: normalizeOpenApiRefs(Option5.getOrUndefined(def.operation.outputSchema))
+          }))
+        });
+        for (const binding of [...canonicalHeaders.bindings, ...canonicalOAuth2.bindings]) {
+          yield* ctx.storage.setSourceBinding(
+            new OpenApiSourceBindingInput({
+              sourceId: namespace,
+              sourceScope: ScopeId3.make(input.scope),
+              scope: ScopeId3.make(input.scope),
+              slot: binding.slot,
+              value: binding.value
+            })
+          );
+        }
+        if (Object.keys(hoistedDefs).length > 0) {
+          yield* ctx.core.definitions.register({
+            sourceId: namespace,
+            scope: input.scope,
+            definitions: hoistedDefs
+          });
+        }
+      })
+    );
+    return { sourceId: namespace, toolCount: definitions.length };
+  });
+  const refreshSourceInternal = (ctx, sourceId, scope) => Effect6.gen(function* () {
+    const existing = yield* ctx.storage.getSource(sourceId, scope);
+    if (!existing) return;
+    const effective = yield* resolveEffectiveSourceConfig(ctx, existing);
+    const resolvedConfig = effective.config;
+    const sourceUrl = resolvedConfig.sourceUrl;
+    if (!sourceUrl) return;
+    const credentials = yield* resolveSpecFetchCredentials(
+      ctx,
+      resolvedConfig.specFetchCredentials
+    );
+    const specText = yield* resolveSpecText(sourceUrl, credentials).pipe(
+      Effect6.provide(httpClientLayer)
+    );
+    yield* rebuildSource(ctx, {
+      specText,
+      scope,
+      sourceUrl,
+      name: existing.name,
+      baseUrl: resolvedConfig.baseUrl,
+      namespace: existing.namespace,
+      headers: existing.legacy?.headers ?? existing.config.headers,
+      queryParams: existing.config.queryParams,
+      specFetchCredentials: resolvedConfig.specFetchCredentials,
+      oauth2: existing.legacy?.oauth2 ?? existing.config.oauth2
+    });
+  });
+  return {
+    id: "openapi",
+    schema: openapiSchema,
+    storage: (deps) => makeDefaultOpenapiStore(deps),
+    extension: (ctx) => {
+      const addSpecInternal = (config) => Effect6.gen(function* () {
+        const credentials = yield* resolveSpecFetchCredentials(ctx, config.specFetchCredentials);
+        const specText = yield* resolveSpecText(config.spec, credentials).pipe(
+          Effect6.provide(httpClientLayer)
+        );
+        return yield* rebuildSource(ctx, {
+          specText,
+          scope: config.scope,
+          sourceUrl: isHttpUrl(config.spec) ? config.spec : void 0,
+          name: config.name,
+          baseUrl: config.baseUrl,
+          namespace: config.namespace,
+          headers: config.headers,
+          queryParams: config.queryParams,
+          specFetchCredentials: config.specFetchCredentials,
+          oauth2: config.oauth2
+        });
+      });
+      const configFile = options?.configFile;
+      return {
+        previewSpec: (input) => Effect6.gen(function* () {
+          const previewInput = typeof input === "string" ? { spec: input } : input;
+          const credentials = yield* resolveSpecFetchCredentials(
+            ctx,
+            previewInput.specFetchCredentials
+          );
+          const specText = yield* resolveSpecText(previewInput.spec, credentials).pipe(
+            Effect6.provide(httpClientLayer)
+          );
+          return yield* previewSpec(specText).pipe(Effect6.provide(httpClientLayer));
+        }),
+        addSpec: (config) => Effect6.gen(function* () {
+          const result = yield* addSpecInternal(config);
+          if (configFile) {
+            yield* configFile.upsertSource(toOpenApiSourceConfig(result.sourceId, config));
+          }
+          return result;
+        }),
+        removeSpec: (namespace, scope) => Effect6.gen(function* () {
+          yield* ctx.transaction(
+            Effect6.gen(function* () {
+              yield* ctx.storage.removeSource(namespace, scope);
+              yield* ctx.core.sources.unregister(namespace);
+            })
+          );
+          if (configFile) {
+            yield* configFile.removeSource(namespace);
+          }
+        }),
+        getSource: (namespace, scope) => Effect6.gen(function* () {
+          const source = yield* ctx.storage.getSource(namespace, scope);
+          if (!source) return null;
+          const effective = yield* resolveEffectiveSourceConfig(ctx, source);
+          return {
+            ...source,
+            config: effective.config
+          };
+        }),
+        updateSource: (namespace, scope, input) => Effect6.gen(function* () {
+          const existing = yield* ctx.storage.getSource(namespace, scope);
+          if (!existing) return;
+          const canonicalHeaders = input.headers !== void 0 ? canonicalizeHeaders(input.headers) : existing.legacy?.headers ? canonicalizeHeaders(existing.legacy.headers) : null;
+          const canonicalOAuth2 = input.oauth2 !== void 0 ? canonicalizeOAuth2(input.oauth2) : existing.legacy?.oauth2 ? canonicalizeOAuth2(existing.legacy.oauth2) : null;
+          yield* ctx.storage.updateSourceMeta(namespace, scope, {
+            name: input.name?.trim() || void 0,
+            baseUrl: input.baseUrl,
+            headers: canonicalHeaders?.headers,
+            queryParams: input.queryParams,
+            oauth2: canonicalOAuth2?.oauth2
+          });
+          for (const set of [canonicalHeaders?.bindings, canonicalOAuth2?.bindings]) {
+            for (const binding of set ?? []) {
+              yield* ctx.storage.setSourceBinding(
+                new OpenApiSourceBindingInput({
+                  sourceId: namespace,
+                  sourceScope: ScopeId3.make(scope),
+                  scope: ScopeId3.make(scope),
+                  slot: binding.slot,
+                  value: binding.value
+                })
+              );
+            }
+          }
+        }),
+        listSourceBindings: (sourceId, sourceScope) => ctx.storage.listSourceBindings(sourceId, sourceScope),
+        setSourceBinding: (input) => ctx.storage.setSourceBinding(input),
+        removeSourceBinding: (sourceId, sourceScope, slot, scope) => ctx.storage.removeSourceBinding(sourceId, sourceScope, slot, scope)
+      };
+    },
+    staticSources: (self) => [
+      {
+        id: "openapi",
+        kind: "control",
+        name: "OpenAPI",
+        tools: [
+          {
+            name: "previewSpec",
+            description: "Preview an OpenAPI document before adding it as a source",
+            inputSchema: {
+              type: "object",
+              properties: {
+                spec: { type: "string" },
+                specFetchCredentials: { type: "object" }
+              },
+              required: ["spec"]
+            },
+            handler: ({ args }) => self.previewSpec(args)
+          },
+          {
+            name: "addSource",
+            description: "Add an OpenAPI source and register its operations as tools",
+            inputSchema: {
+              type: "object",
+              properties: {
+                spec: { type: "string" },
+                name: { type: "string" },
+                baseUrl: { type: "string" },
+                namespace: { type: "string" },
+                headers: { type: "object" },
+                queryParams: { type: "object" },
+                oauth2: { type: "object" },
+                specFetchCredentials: { type: "object" }
+              },
+              required: ["spec"]
+            },
+            outputSchema: {
+              type: "object",
+              properties: {
+                sourceId: { type: "string" },
+                toolCount: { type: "number" }
+              },
+              required: ["sourceId", "toolCount"]
+            },
+            // Static-tool callers don't name a scope. Default to the
+            // outermost scope in the executor's stack — for a single-
+            // scope executor that's the only scope; for a per-user
+            // stack `[user, org]` it writes at `org` so the source is
+            // visible across every user.
+            handler: ({ ctx, args }) => self.addSpec({
+              ...args,
+              scope: ctx.scopes.at(-1).id
+            })
+          }
+        ]
+      }
+    ],
+    invokeTool: ({ ctx, toolRow, args }) => Effect6.gen(function* () {
+      const toolScope = toolRow.scope_id;
+      const op = yield* ctx.storage.getOperationByToolId(toolRow.id, toolScope);
+      if (!op) {
+        return yield* Effect6.fail(
+          new Error(`No OpenAPI operation found for tool "${toolRow.id}"`)
+        );
+      }
+      const source = yield* ctx.storage.getSource(op.sourceId, toolScope);
+      if (!source) {
+        return yield* Effect6.fail(new Error(`No OpenAPI source found for "${op.sourceId}"`));
+      }
+      const effective = yield* resolveEffectiveSourceConfig(ctx, source);
+      const config = effective.config;
+      const resolvedHeaders = yield* resolveConfiguredHeaders(ctx, {
+        sourceId: op.sourceId,
+        sourceScope: effective.headersSource.scope,
+        headers: config.headers ?? {},
+        legacyHeaders: effective.headersSource.legacy?.headers
+      }).pipe(Effect6.mapError((err) => new Error(err.message)));
+      const resolvedQueryParams = yield* resolveHeaderValues(ctx, config.queryParams).pipe(
+        Effect6.mapError((err) => new Error(err.message))
+      );
+      if (config.oauth2) {
+        const connectionId = yield* resolveOAuthConnectionId(ctx, {
+          sourceId: op.sourceId,
+          sourceScope: effective.oauth2Source.scope,
+          oauth2: config.oauth2,
+          legacyOAuth2: effective.oauth2Source.legacy?.oauth2
+        });
+        if (!connectionId) {
+          return yield* Effect6.fail(
+            new Error(`OAuth configuration for "${op.sourceId}" is missing a connection binding`)
+          );
+        }
+        const accessToken = yield* ctx.connections.accessToken(connectionId).pipe(
+          Effect6.mapError(
+            (err) => new Error(
+              `OAuth connection resolution failed: ${"message" in err ? err.message : String(err)}`
+            )
+          )
+        );
+        resolvedHeaders.authorization = `Bearer ${accessToken}`;
+      }
+      const result = yield* invokeWithLayer(
+        op.binding,
+        args ?? {},
+        config.baseUrl ?? "",
+        resolvedHeaders,
+        resolvedQueryParams,
+        httpClientLayer
+      );
+      return result;
+    }),
+    resolveAnnotations: ({ ctx, sourceId, toolRows }) => Effect6.gen(function* () {
+      const scopes = /* @__PURE__ */ new Set();
+      for (const row of toolRows) {
+        scopes.add(row.scope_id);
+      }
+      const entries = yield* Effect6.forEach(
+        [...scopes],
+        (scope) => Effect6.gen(function* () {
+          const ops = yield* ctx.storage.listOperationsBySource(sourceId, scope);
+          const byId = /* @__PURE__ */ new Map();
+          for (const op of ops) byId.set(op.toolId, op.binding);
+          return [scope, byId];
+        }),
+        { concurrency: "unbounded" }
+      );
+      const byScope = new Map(entries);
+      const out = {};
+      for (const row of toolRows) {
+        const binding = byScope.get(row.scope_id)?.get(row.id);
+        if (binding) {
+          out[row.id] = annotationsForOperation(binding.method, binding.pathTemplate);
+        }
+      }
+      return out;
+    }),
+    removeSource: ({ ctx, sourceId, scope }) => ctx.storage.removeSource(sourceId, scope),
+    // Re-fetch the spec from its origin URL (captured at addSpec time)
+    // and replay the same parse → extract → upsertSource → register
+    // path used by addSpec. Sources without a stored URL surface a
+    // typed `OpenApiParseError` — the executor only dispatches refresh
+    // when `canRefresh: true`, so a raw-text source reaching here
+    // means stale UI state, which is worth surfacing to the caller.
+    refreshSource: ({ ctx, sourceId, scope }) => refreshSourceInternal(ctx, sourceId, scope),
+    detect: ({ url }) => Effect6.gen(function* () {
+      const trimmed = url.trim();
+      if (!trimmed) return null;
+      const parsed = yield* Effect6.try({
+        try: () => new URL(trimmed),
+        catch: (error) => error
+      }).pipe(Effect6.option);
+      if (Option5.isNone(parsed)) return null;
+      const specText = yield* resolveSpecText(trimmed).pipe(
+        Effect6.provide(httpClientLayer),
+        Effect6.catch(() => Effect6.succeed(null))
+      );
+      if (specText === null) return null;
+      const doc = yield* parse(specText).pipe(Effect6.catch(() => Effect6.succeed(null)));
+      if (!doc) return null;
+      const result = yield* extract(doc).pipe(Effect6.catch(() => Effect6.succeed(null)));
+      if (!result) return null;
+      const namespace = Option5.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
+      const name = Option5.getOrElse(result.title, () => namespace);
+      return new SourceDetectionResult({
+        kind: "openapi",
+        confidence: "high",
+        endpoint: trimmed,
+        name,
+        namespace
+      });
+    })
+  };
+});
+
+export {
+  OpenApiParseError,
+  OpenApiExtractionError,
+  OpenApiInvocationError,
+  OpenApiOAuthError,
+  fetchSpecText,
+  resolveSpecText,
+  parse,
+  DocResolver,
+  substituteUrlVariables,
+  resolveBaseUrl,
+  preferredContent,
+  OperationId,
+  HttpMethod,
+  ParameterLocation,
+  OperationParameter,
+  EncodingObject,
+  MediaBinding,
+  OperationRequestBody,
+  ExtractedOperation,
+  ServerVariable,
+  ServerInfo,
+  ExtractionResult,
+  OperationBinding,
+  OpenApiSourceBindingValue,
+  OpenApiSourceBindingInput,
+  OpenApiSourceBindingRef,
+  OAuth2Auth,
+  OAuth2SourceConfig,
+  InvocationConfig,
+  InvocationResult,
+  extract,
+  resolveHeaders,
+  invoke,
+  invokeWithLayer,
+  annotationsForOperation,
+  OAuth2AuthorizationCodeFlow,
+  OAuth2ClientCredentialsFlow,
+  OAuth2Flows,
+  SecurityScheme,
+  AuthStrategy,
+  HeaderPreset,
+  OAuth2Preset,
+  PreviewOperation,
+  SpecPreview,
+  previewSpec,
+  openapiSchema,
+  makeDefaultOpenapiStore,
+  openApiPlugin
+};
+//# sourceMappingURL=chunk-ZZ7TQ4JC.js.map