@executor-js/plugin-openapi 0.1.0 → 1.4.20

package/dist/chunk-OZ67JNID.js

@@ -0,0 +1,1447 @@
+import {
+  ConfiguredHeaderBinding,
+  ConfiguredHeaderValue,
+  HeaderValue,
+  InvocationResult,
+  OAuth2SourceConfig,
+  OpenApiCredentialInput,
+  OpenApiExtractionError,
+  OpenApiInvocationError,
+  OpenApiOAuthError,
+  OpenApiSourceBindingRef,
+  OperationBinding,
+  extract,
+  makeDefaultOpenapiStore,
+  openapiSchema,
+  parse,
+  previewSpec,
+  resolveBaseUrl,
+  resolveSpecText
+} from "./chunk-E7PZ2QGD.js";
+
+// src/sdk/invoke.ts
+import { Effect, Layer, Option } from "effect";
+import { HttpClient, HttpClientRequest } from "effect/unstable/http";
+var CONTAINER_KEYS = {
+  path: ["path", "pathParams", "params"],
+  query: ["query", "queryParams", "params"],
+  header: ["headers", "header"],
+  cookie: ["cookies", "cookie"]
+};
+var readParamValue = (args, param) => {
+  const direct = args[param.name];
+  if (direct !== void 0) return direct;
+  for (const key of CONTAINER_KEYS[param.location] ?? []) {
+    const container = args[key];
+    if (typeof container === "object" && container !== null && !Array.isArray(container)) {
+      const nested = container[param.name];
+      if (nested !== void 0) return nested;
+    }
+  }
+  return void 0;
+};
+var resolvePath = Effect.fn("OpenApi.resolvePath")(function* (pathTemplate, args, parameters) {
+  let resolved = pathTemplate;
+  for (const param of parameters) {
+    if (param.location !== "path") continue;
+    const value = readParamValue(args, param);
+    if (value === void 0 || value === null) {
+      if (param.required) {
+        return yield* new OpenApiInvocationError({
+          message: `Missing required path parameter: ${param.name}`,
+          statusCode: Option.none()
+        });
+      }
+      continue;
+    }
+    resolved = resolved.replaceAll(`{${param.name}}`, encodeURIComponent(String(value)));
+  }
+  const remaining = [...resolved.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]).filter((v) => typeof v === "string");
+  for (const name of remaining) {
+    const value = args[name];
+    if (value !== void 0 && value !== null) {
+      resolved = resolved.replaceAll(`{${name}}`, encodeURIComponent(String(value)));
+    }
+  }
+  const unresolved = [...resolved.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]).filter((v) => typeof v === "string");
+  if (unresolved.length > 0) {
+    return yield* new OpenApiInvocationError({
+      message: `Unresolved path parameters: ${[...new Set(unresolved)].join(", ")}`,
+      statusCode: Option.none()
+    });
+  }
+  return resolved;
+});
+var resolveHeaders = (headers, secrets) => {
+  const entries = Object.entries(headers);
+  const secretCount = entries.reduce(
+    (acc, [, value]) => typeof value === "string" ? acc : acc + 1,
+    0
+  );
+  return Effect.gen(function* () {
+    const values = yield* Effect.all(
+      entries.map(
+        ([name, value]) => typeof value === "string" ? Effect.succeed({ name, value }) : secrets.get(value.secretId).pipe(
+          Effect.catchTag(
+            "SecretOwnedByConnectionError",
+            () => Effect.fail(
+              new OpenApiInvocationError({
+                message: `Failed to resolve secret "${value.secretId}" for header "${name}"`,
+                statusCode: Option.none()
+              })
+            )
+          ),
+          Effect.flatMap(
+            (secret) => secret === null ? Effect.fail(
+              new OpenApiInvocationError({
+                message: `Failed to resolve secret "${value.secretId}" for header "${name}"`,
+                statusCode: Option.none()
+              })
+            ) : Effect.succeed({
+              name,
+              value: value.prefix ? `${value.prefix}${secret}` : secret
+            })
+          )
+        )
+      ),
+      { concurrency: "unbounded" }
+    );
+    const resolved = {};
+    for (const { name, value } of values) resolved[name] = value;
+    return resolved;
+  }).pipe(
+    Effect.withSpan("plugin.openapi.secret.resolve", {
+      attributes: {
+        "plugin.openapi.headers.total": entries.length,
+        "plugin.openapi.headers.secret_count": secretCount
+      }
+    })
+  );
+};
+var applyHeaders = (request, headers) => {
+  let req = request;
+  for (const [name, value] of Object.entries(headers)) {
+    req = HttpClientRequest.setHeader(req, name, value);
+  }
+  return req;
+};
+var normalizeContentType = (ct) => ct?.split(";")[0]?.trim().toLowerCase() ?? "";
+var isJsonContentType = (ct) => {
+  const normalized = normalizeContentType(ct);
+  if (!normalized) return false;
+  return normalized === "application/json" || normalized.includes("+json") || normalized.includes("json");
+};
+var isFormUrlEncoded = (ct) => normalizeContentType(ct) === "application/x-www-form-urlencoded";
+var isMultipartFormData = (ct) => normalizeContentType(ct).startsWith("multipart/form-data");
+var isXmlContentType = (ct) => {
+  const normalized = normalizeContentType(ct);
+  if (!normalized) return false;
+  return normalized === "application/xml" || normalized === "text/xml" || normalized.endsWith("+xml");
+};
+var isTextContentType = (ct) => normalizeContentType(ct).startsWith("text/");
+var isOctetStream = (ct) => normalizeContentType(ct) === "application/octet-stream";
+var toUint8Array = (value) => {
+  if (value instanceof Uint8Array) return value;
+  if (value instanceof ArrayBuffer) return new Uint8Array(value);
+  if (ArrayBuffer.isView(value)) {
+    const view = value;
+    return new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
+  }
+  if (Array.isArray(value) && value.every((v) => typeof v === "number")) {
+    return new Uint8Array(value);
+  }
+  return null;
+};
+var toArrayBuffer = (bytes) => {
+  const copy = new ArrayBuffer(bytes.byteLength);
+  new Uint8Array(copy).set(bytes);
+  return copy;
+};
+var DEFAULT_FORM_STYLE = {
+  style: "form",
+  explode: true,
+  allowReserved: false
+};
+var resolveStyleExplode = (e) => {
+  if (!e) return DEFAULT_FORM_STYLE;
+  return {
+    style: Option.getOrElse(e.style, () => DEFAULT_FORM_STYLE.style),
+    explode: Option.getOrElse(e.explode, () => DEFAULT_FORM_STYLE.explode),
+    allowReserved: Option.getOrElse(e.allowReserved, () => DEFAULT_FORM_STYLE.allowReserved)
+  };
+};
+var RESERVED_UNENCODED_RE = /[A-Za-z0-9\-._~:/?#[\]@!$&'()*+,;=]/;
+var encodeFormValue = (v, allowReserved) => {
+  const raw = typeof v === "object" && v !== null ? JSON.stringify(v) : String(v);
+  if (!allowReserved) return encodeURIComponent(raw);
+  let out = "";
+  for (const ch of raw) {
+    out += RESERVED_UNENCODED_RE.test(ch) ? ch : encodeURIComponent(ch);
+  }
+  return out;
+};
+var serializeFormUrlEncoded = (value, encoding) => {
+  const parts = [];
+  for (const [key, raw] of Object.entries(value)) {
+    if (raw === void 0 || raw === null) continue;
+    const { style, explode, allowReserved } = resolveStyleExplode(encoding?.[key]);
+    const encKey = encodeURIComponent(key);
+    if (Array.isArray(raw)) {
+      if (explode) {
+        for (const v of raw) {
+          parts.push(`${encKey}=${encodeFormValue(v, allowReserved)}`);
+        }
+      } else {
+        const sep = style === "spaceDelimited" ? " " : style === "pipeDelimited" ? "|" : ",";
+        parts.push(
+          `${encKey}=${encodeFormValue(
+            raw.map((v) => typeof v === "object" ? JSON.stringify(v) : String(v)).join(sep),
+            allowReserved
+          )}`
+        );
+      }
+      continue;
+    }
+    if (typeof raw === "object") {
+      const entries = Object.entries(raw).filter(
+        ([, v]) => v !== void 0 && v !== null
+      );
+      if (style === "deepObject") {
+        for (const [subkey, subval] of entries) {
+          parts.push(
+            `${encodeURIComponent(`${key}[${subkey}]`)}=${encodeFormValue(subval, allowReserved)}`
+          );
+        }
+      } else if (explode) {
+        for (const [subkey, subval] of entries) {
+          parts.push(`${encodeURIComponent(subkey)}=${encodeFormValue(subval, allowReserved)}`);
+        }
+      } else {
+        const flat = entries.flatMap(([k, v]) => [
+          k,
+          typeof v === "object" ? JSON.stringify(v) : String(v)
+        ]);
+        parts.push(`${encKey}=${encodeFormValue(flat.join(","), allowReserved)}`);
+      }
+      continue;
+    }
+    parts.push(`${encKey}=${encodeFormValue(raw, allowReserved)}`);
+  }
+  return parts.join("&");
+};
+var coerceFormDataRecord = (value, encoding) => {
+  const out = {};
+  for (const [key, raw] of Object.entries(value)) {
+    if (raw === void 0 || raw === null) continue;
+    const partType = encoding?.[key] ? Option.getOrUndefined(encoding[key].contentType) : void 0;
+    if (partType) {
+      const isJson = partType.startsWith("application/json") || partType.includes("+json");
+      const serialized = typeof raw === "string" ? raw : isJson ? JSON.stringify(raw) : typeof raw === "object" ? JSON.stringify(raw) : String(raw);
+      out[key] = new Blob([serialized], { type: partType });
+      continue;
+    }
+    if (typeof raw === "string" || typeof raw === "number" || typeof raw === "boolean" || raw instanceof Blob || typeof File !== "undefined" && raw instanceof File) {
+      out[key] = raw;
+      continue;
+    }
+    if (Array.isArray(raw)) {
+      out[key] = raw.map(
+        (v) => typeof v === "string" || typeof v === "number" || typeof v === "boolean" || v instanceof Blob || typeof File !== "undefined" && v instanceof File ? v : JSON.stringify(v)
+      );
+      continue;
+    }
+    const bytes = toUint8Array(raw);
+    if (bytes) {
+      out[key] = new Blob([toArrayBuffer(bytes)]);
+      continue;
+    }
+    out[key] = JSON.stringify(raw);
+  }
+  return out;
+};
+var applyRequestBody = (request, contentType, bodyValue, encoding) => {
+  if (isJsonContentType(contentType)) {
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest.bodyText(request, bodyValue, contentType);
+    }
+    return HttpClientRequest.bodyJsonUnsafe(request, bodyValue);
+  }
+  if (isFormUrlEncoded(contentType)) {
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest.bodyText(request, bodyValue, contentType);
+    }
+    if (typeof bodyValue === "object" && bodyValue !== null && !Array.isArray(bodyValue)) {
+      const serialized = serializeFormUrlEncoded(bodyValue, encoding);
+      return HttpClientRequest.bodyText(request, serialized, contentType);
+    }
+    return HttpClientRequest.bodyUrlParams(
+      request,
+      bodyValue
+    );
+  }
+  if (isMultipartFormData(contentType)) {
+    if (bodyValue instanceof FormData) {
+      return HttpClientRequest.bodyFormData(request, bodyValue);
+    }
+    if (typeof bodyValue === "object" && bodyValue !== null) {
+      return HttpClientRequest.bodyFormDataRecord(
+        request,
+        coerceFormDataRecord(bodyValue, encoding)
+      );
+    }
+    return HttpClientRequest.bodyText(request, String(bodyValue), contentType);
+  }
+  if (isOctetStream(contentType)) {
+    const bytes2 = toUint8Array(bodyValue);
+    if (bytes2) return HttpClientRequest.bodyUint8Array(request, bytes2, contentType);
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest.bodyText(request, bodyValue, contentType);
+    }
+    return HttpClientRequest.bodyText(request, JSON.stringify(bodyValue), contentType);
+  }
+  if (isXmlContentType(contentType) || isTextContentType(contentType)) {
+    if (typeof bodyValue === "string") {
+      return HttpClientRequest.bodyText(request, bodyValue, contentType);
+    }
+    const bytes2 = toUint8Array(bodyValue);
+    if (bytes2) return HttpClientRequest.bodyUint8Array(request, bytes2, contentType);
+    return HttpClientRequest.bodyText(request, JSON.stringify(bodyValue), contentType);
+  }
+  if (typeof bodyValue === "string") {
+    return HttpClientRequest.bodyText(request, bodyValue, contentType);
+  }
+  const bytes = toUint8Array(bodyValue);
+  if (bytes) return HttpClientRequest.bodyUint8Array(request, bytes, contentType);
+  return HttpClientRequest.bodyText(request, JSON.stringify(bodyValue), contentType);
+};
+var invoke = Effect.fn("OpenApi.invoke")(function* (operation, args, resolvedHeaders, sourceQueryParams = {}) {
+  const client = yield* HttpClient.HttpClient;
+  yield* Effect.annotateCurrentSpan({
+    "http.method": operation.method.toUpperCase(),
+    "http.route": operation.pathTemplate,
+    "plugin.openapi.method": operation.method.toUpperCase(),
+    "plugin.openapi.path_template": operation.pathTemplate,
+    "plugin.openapi.headers.resolved_count": Object.keys(resolvedHeaders).length
+  });
+  const resolvedPath = yield* resolvePath(operation.pathTemplate, args, operation.parameters);
+  const path = resolvedPath.startsWith("/") ? resolvedPath : `/${resolvedPath}`;
+  let request = HttpClientRequest.make(operation.method.toUpperCase())(path);
+  for (const [name, value] of Object.entries(sourceQueryParams)) {
+    request = HttpClientRequest.setUrlParam(request, name, value);
+  }
+  for (const param of operation.parameters) {
+    if (param.location !== "query") continue;
+    const value = readParamValue(args, param);
+    if (value === void 0 || value === null) continue;
+    request = HttpClientRequest.setUrlParam(request, param.name, String(value));
+  }
+  for (const param of operation.parameters) {
+    if (param.location !== "header") continue;
+    const value = readParamValue(args, param);
+    if (value === void 0 || value === null) continue;
+    request = HttpClientRequest.setHeader(request, param.name, String(value));
+  }
+  if (Option.isSome(operation.requestBody)) {
+    const rb = operation.requestBody.value;
+    const bodyValue = args.body ?? args.input;
+    if (bodyValue !== void 0) {
+      const contentsOpt = Option.getOrUndefined(rb.contents);
+      const requestedCt = typeof args.contentType === "string" ? args.contentType : void 0;
+      const selected = contentsOpt && requestedCt ? contentsOpt.find((c) => c.contentType === requestedCt) : void 0;
+      const chosenCt = selected?.contentType ?? rb.contentType;
+      const chosenEncoding = selected ? Option.getOrUndefined(selected.encoding) : contentsOpt && contentsOpt[0] ? Option.getOrUndefined(contentsOpt[0].encoding) : void 0;
+      request = applyRequestBody(request, chosenCt, bodyValue, chosenEncoding);
+    }
+  }
+  request = applyHeaders(request, resolvedHeaders);
+  const response = yield* client.execute(request).pipe(
+    Effect.mapError(
+      (err) => new OpenApiInvocationError({
+        message: "HTTP request failed",
+        statusCode: Option.none(),
+        cause: err
+      })
+    )
+  );
+  const status = response.status;
+  yield* Effect.annotateCurrentSpan({
+    "http.status_code": status
+  });
+  const responseHeaders = { ...response.headers };
+  const contentType = response.headers["content-type"] ?? null;
+  const mapBodyError = Effect.mapError(
+    (err) => new OpenApiInvocationError({
+      message: "Failed to read response body",
+      statusCode: Option.some(status),
+      cause: err
+    })
+  );
+  const responseBody = status === 204 ? null : isJsonContentType(contentType) ? yield* response.json.pipe(
+    Effect.catch(() => response.text),
+    mapBodyError
+  ) : yield* response.text.pipe(mapBodyError);
+  const ok = status >= 200 && status < 300;
+  return InvocationResult.make({
+    status,
+    headers: responseHeaders,
+    data: ok ? responseBody : null,
+    error: ok ? null : responseBody
+  });
+});
+var invokeWithLayer = (operation, args, baseUrl, resolvedHeaders, sourceQueryParams, httpClientLayer) => {
+  const clientWithBaseUrl = baseUrl ? Layer.effect(
+    HttpClient.HttpClient,
+    Effect.map(
+      Effect.service(HttpClient.HttpClient),
+      HttpClient.mapRequest(HttpClientRequest.prependUrl(baseUrl))
+    )
+  ).pipe(Layer.provide(httpClientLayer)) : httpClientLayer;
+  return invoke(operation, args, resolvedHeaders, sourceQueryParams).pipe(
+    Effect.provide(clientWithBaseUrl),
+    Effect.withSpan("plugin.openapi.invoke", {
+      attributes: {
+        "plugin.openapi.method": operation.method.toUpperCase(),
+        "plugin.openapi.path_template": operation.pathTemplate,
+        "plugin.openapi.base_url": baseUrl
+      }
+    })
+  );
+};
+var REQUIRE_APPROVAL = /* @__PURE__ */ new Set(["post", "put", "patch", "delete"]);
+var annotationsForOperation = (method, pathTemplate) => {
+  const m = method.toLowerCase();
+  if (!REQUIRE_APPROVAL.has(m)) return {};
+  return {
+    requiresApproval: true,
+    approvalDescription: `${method.toUpperCase()} ${pathTemplate}`
+  };
+};
+
+// src/sdk/plugin.ts
+import { Effect as Effect2, Option as Option2, Predicate, Schema } from "effect";
+import {
+  ScopeId,
+  SecretId,
+  SourceDetectionResult,
+  StorageError,
+  definePlugin,
+  tool,
+  resolveSecretBackedMap
+} from "@executor-js/sdk/core";
+import {
+  headersToConfigValues
+} from "@executor-js/config";
+
+// src/sdk/definitions.ts
+var splitWords = (value) => value.replace(/([a-z0-9])([A-Z])/g, "$1 $2").replace(/([A-Z]+)([A-Z][a-z0-9]+)/g, "$1 $2").replace(/[^a-zA-Z0-9]+/g, " ").trim().split(/\s+/).filter((part) => part.length > 0);
+var normalizeWord = (value) => value.toLowerCase();
+var toCamelCase = (value) => {
+  const words = splitWords(value).map(normalizeWord);
+  if (words.length === 0) return "tool";
+  const [first, ...rest] = words;
+  return `${first}${rest.map((p) => `${p[0]?.toUpperCase() ?? ""}${p.slice(1)}`).join("")}`;
+};
+var toPascalCase = (value) => {
+  const camel = toCamelCase(value);
+  return `${camel[0]?.toUpperCase() ?? ""}${camel.slice(1)}`;
+};
+var VERSION_SEGMENT_REGEX = /^v\d+(?:[._-]\d+)?$/i;
+var IGNORED_PATH_SEGMENTS = /* @__PURE__ */ new Set(["api"]);
+var pathSegmentsFromTemplate = (pathTemplate) => pathTemplate.split("/").map((s) => s.trim()).filter((s) => s.length > 0);
+var isPathParameterSegment = (segment) => segment.startsWith("{") && segment.endsWith("}");
+var normalizeGroupSegment = (value) => {
+  const candidate = value?.trim();
+  if (!candidate) return null;
+  return toCamelCase(candidate);
+};
+var deriveVersionSegment = (pathTemplate) => pathSegmentsFromTemplate(pathTemplate).map((s) => s.toLowerCase()).find((s) => VERSION_SEGMENT_REGEX.test(s));
+var derivePathGroup = (pathTemplate) => {
+  for (const segment of pathSegmentsFromTemplate(pathTemplate)) {
+    const lower = segment.toLowerCase();
+    if (VERSION_SEGMENT_REGEX.test(lower)) continue;
+    if (IGNORED_PATH_SEGMENTS.has(lower)) continue;
+    if (isPathParameterSegment(segment)) continue;
+    return normalizeGroupSegment(segment) ?? "root";
+  }
+  return "root";
+};
+var splitOperationIdSegments = (value) => value.split(/[/.]+/).map((s) => s.trim()).filter((s) => s.length > 0);
+var deriveLeafSeed = (operationId, group) => {
+  const segments = splitOperationIdSegments(operationId);
+  if (segments.length > 1) {
+    const [first, ...rest] = segments;
+    if ((normalizeGroupSegment(first) ?? first) === group && rest.length > 0) {
+      return rest.join(" ");
+    }
+  }
+  return operationId;
+};
+var fallbackLeafSeed = (method, pathTemplate, group) => {
+  const relevantSegments = pathSegmentsFromTemplate(pathTemplate).filter((s) => !VERSION_SEGMENT_REGEX.test(s.toLowerCase())).filter((s) => !IGNORED_PATH_SEGMENTS.has(s.toLowerCase())).filter((s) => !isPathParameterSegment(s)).map((s) => normalizeGroupSegment(s) ?? s).filter((s) => s !== group);
+  const segmentSuffix = relevantSegments.map((s) => toPascalCase(s)).join("");
+  return `${method}${segmentSuffix || "Operation"}`;
+};
+var deriveLeaf = (operationId, method, pathTemplate, group) => {
+  const preferred = toCamelCase(deriveLeafSeed(operationId, group));
+  if (preferred.length > 0 && preferred !== group) return preferred;
+  return toCamelCase(fallbackLeafSeed(method, pathTemplate, group));
+};
+var resolveCollisions = (definitions) => {
+  const staged = definitions.map((d) => ({ ...d }));
+  const applyFactory = (items, factory) => {
+    const byPath = /* @__PURE__ */ new Map();
+    for (const item of items) {
+      const bucket = byPath.get(item.toolPath) ?? [];
+      bucket.push(item);
+      byPath.set(item.toolPath, bucket);
+    }
+    for (const bucket of byPath.values()) {
+      if (bucket.length < 2) continue;
+      for (const d of bucket) {
+        d.toolPath = factory(d);
+      }
+    }
+  };
+  applyFactory(
+    staged,
+    (d) => d.versionSegment ? `${d.group}.${d.versionSegment}.${d.leaf}` : d.toolPath
+  );
+  applyFactory(staged, (d) => {
+    const prefix = d.versionSegment ? `${d.group}.${d.versionSegment}` : d.group;
+    return `${prefix}.${d.leaf}${toPascalCase(d.method)}`;
+  });
+  applyFactory(staged, (d) => {
+    const prefix = d.versionSegment ? `${d.group}.${d.versionSegment}` : d.group;
+    return `${prefix}.${d.leaf}${toPascalCase(d.method)}${d.operationHash.slice(0, 8)}`;
+  });
+  return staged.map((d) => ({
+    toolPath: d.toolPath,
+    group: d.group,
+    leaf: d.leaf,
+    operationIndex: d.operationIndex,
+    operation: d.operation
+  }));
+};
+var stableHash = (value) => {
+  const str = JSON.stringify(value, Object.keys(value).sort());
+  let hash = 0;
+  for (let i = 0; i < str.length; i++) {
+    hash = (hash << 5) - hash + str.charCodeAt(i) | 0;
+  }
+  return Math.abs(hash).toString(36).padStart(8, "0");
+};
+var compileToolDefinitions = (operations) => {
+  const raw = operations.map((op, index) => {
+    const operationId = op.operationId;
+    const group = normalizeGroupSegment(op.tags[0]) ?? derivePathGroup(op.pathTemplate);
+    const leaf = deriveLeaf(operationId, op.method, op.pathTemplate, group);
+    const versionSegment = deriveVersionSegment(op.pathTemplate);
+    const operationHash = stableHash({
+      method: op.method,
+      path: op.pathTemplate,
+      operationId
+    });
+    return {
+      toolPath: `${group}.${leaf}`,
+      group,
+      leaf,
+      versionSegment,
+      method: op.method,
+      operationHash,
+      operationIndex: index,
+      operation: op
+    };
+  });
+  return resolveCollisions(raw).sort((a, b) => a.toolPath.localeCompare(b.toolPath));
+};
+
+// src/sdk/plugin.ts
+var PreviewSpecInputSchema = Schema.Struct({
+  spec: Schema.String,
+  specFetchCredentials: Schema.optional(
+    Schema.Struct({
+      headers: Schema.optional(Schema.Record(Schema.String, HeaderValue)),
+      queryParams: Schema.optional(Schema.Record(Schema.String, HeaderValue))
+    })
+  )
+});
+var OpenApiHeaderInputSchema = Schema.Union([HeaderValue, ConfiguredHeaderValue]);
+var OpenApiOAuthInputSchema = OAuth2SourceConfig;
+var AddSourceInputSchema = Schema.Struct({
+  scope: Schema.String,
+  spec: Schema.String,
+  name: Schema.optional(Schema.String),
+  baseUrl: Schema.optional(Schema.String),
+  namespace: Schema.optional(Schema.String),
+  headers: Schema.optional(Schema.Record(Schema.String, OpenApiHeaderInputSchema)),
+  queryParams: Schema.optional(Schema.Record(Schema.String, OpenApiCredentialInput)),
+  oauth2: Schema.optional(OpenApiOAuthInputSchema),
+  credentialTargetScope: Schema.optional(Schema.String),
+  specFetchCredentials: Schema.optional(
+    Schema.Struct({
+      headers: Schema.optional(Schema.Record(Schema.String, HeaderValue)),
+      queryParams: Schema.optional(Schema.Record(Schema.String, HeaderValue))
+    })
+  )
+});
+var AddSourceOutputSchema = Schema.Struct({
+  sourceId: Schema.String,
+  toolCount: Schema.Number
+});
+var PreviewSpecInputStandardSchema = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(PreviewSpecInputSchema)
+);
+var AddSourceInputStandardSchema = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(AddSourceInputSchema)
+);
+var AddSourceOutputStandardSchema = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(AddSourceOutputSchema)
+);
+var normalizeOpenApiRefs = (node) => {
+  if (node == null || typeof node !== "object") return node;
+  if (Array.isArray(node)) {
+    let changed2 = false;
+    const out = node.map((item) => {
+      const n = normalizeOpenApiRefs(item);
+      if (n !== item) changed2 = true;
+      return n;
+    });
+    return changed2 ? out : node;
+  }
+  const obj = node;
+  if (typeof obj.$ref === "string") {
+    const match = obj.$ref.match(/^#\/components\/schemas\/(.+)$/);
+    if (match) return { ...obj, $ref: `#/$defs/${match[1]}` };
+    return obj;
+  }
+  let changed = false;
+  const result = {};
+  for (const [k, v] of Object.entries(obj)) {
+    const n = normalizeOpenApiRefs(v);
+    if (n !== v) changed = true;
+    result[k] = n;
+  }
+  return changed ? result : obj;
+};
+var toBinding = (def) => OperationBinding.make({
+  method: def.operation.method,
+  pathTemplate: def.operation.pathTemplate,
+  parameters: [...def.operation.parameters],
+  requestBody: def.operation.requestBody
+});
+var descriptionFor = (def) => {
+  const op = def.operation;
+  return Option2.getOrElse(
+    op.description,
+    () => Option2.getOrElse(op.summary, () => `${op.method.toUpperCase()} ${op.pathTemplate}`)
+  );
+};
+var slotPart = (value) => value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default";
+var headerSlotFromName = (name) => `header:${slotPart(name)}`;
+var queryParamSlotFromName = (name) => `query_param:${slotPart(name)}`;
+var specFetchHeaderSlotFromName = (name) => `spec_fetch_header:${slotPart(name)}`;
+var specFetchQueryParamSlotFromName = (name) => `spec_fetch_query_param:${slotPart(name)}`;
+var canonicalizeHeaders = (headers) => {
+  const nextHeaders = {};
+  const bindings = [];
+  for (const [name, value] of Object.entries(headers ?? {})) {
+    if (typeof value === "string") {
+      nextHeaders[name] = value;
+      continue;
+    }
+    if ("kind" in value) {
+      nextHeaders[name] = value;
+      continue;
+    }
+    const slot = headerSlotFromName(name);
+    nextHeaders[name] = ConfiguredHeaderBinding.make({
+      kind: "binding",
+      slot,
+      prefix: value.prefix
+    });
+    bindings.push({
+      slot,
+      targetScope: "targetScope" in value ? value.targetScope : void 0,
+      value: {
+        kind: "secret",
+        secretId: SecretId.make(value.secretId),
+        ..."secretScopeId" in value && value.secretScopeId ? { secretScopeId: value.secretScopeId } : {}
+      }
+    });
+  }
+  return { headers: nextHeaders, bindings };
+};
+var canonicalizeCredentialMap = (values, slotForName) => {
+  const nextValues = {};
+  const bindings = [];
+  for (const [name, value] of Object.entries(values ?? {})) {
+    if (typeof value === "string") {
+      nextValues[name] = value;
+      continue;
+    }
+    if ("kind" in value) {
+      nextValues[name] = value;
+      continue;
+    }
+    const slot = slotForName(name);
+    nextValues[name] = ConfiguredHeaderBinding.make({
+      kind: "binding",
+      slot,
+      prefix: value.prefix
+    });
+    bindings.push({
+      slot,
+      targetScope: "targetScope" in value ? value.targetScope : void 0,
+      value: {
+        kind: "secret",
+        secretId: SecretId.make(value.secretId),
+        ..."secretScopeId" in value && value.secretScopeId ? { secretScopeId: value.secretScopeId } : {}
+      }
+    });
+  }
+  return { values: nextValues, bindings };
+};
+var canonicalizeSpecFetchCredentials = (credentials) => {
+  const headers = canonicalizeCredentialMap(credentials?.headers, specFetchHeaderSlotFromName);
+  const queryParams = canonicalizeCredentialMap(
+    credentials?.queryParams,
+    specFetchQueryParamSlotFromName
+  );
+  const nextCredentials = Object.keys(headers.values).length === 0 && Object.keys(queryParams.values).length === 0 ? void 0 : {
+    ...Object.keys(headers.values).length > 0 ? { headers: headers.values } : {},
+    ...Object.keys(queryParams.values).length > 0 ? { queryParams: queryParams.values } : {}
+  };
+  return {
+    credentials: nextCredentials,
+    bindings: [...headers.bindings, ...queryParams.bindings]
+  };
+};
+var canonicalizeOAuth2 = (oauth2) => {
+  if (!oauth2) return { bindings: [] };
+  return {
+    oauth2,
+    bindings: []
+  };
+};
+var OPENAPI_PLUGIN_ID = "openapi";
+var scopeRanks = (ctx) => new Map(ctx.scopes.map((scope, index) => [String(scope.id), index]));
+var scopeRank = (ranks, scopeId) => ranks.get(scopeId) ?? Infinity;
+var coreBindingToOpenApiBinding = (binding) => OpenApiSourceBindingRef.make({
+  sourceId: binding.sourceId,
+  sourceScopeId: binding.sourceScopeId,
+  scopeId: binding.scopeId,
+  slot: binding.slotKey,
+  value: binding.value,
+  createdAt: binding.createdAt,
+  updatedAt: binding.updatedAt
+});
+var listOpenApiSourceBindings = (ctx, sourceId, sourceScope) => Effect2.gen(function* () {
+  const ranks = scopeRanks(ctx);
+  const sourceSourceRank = scopeRank(ranks, sourceScope);
+  if (sourceSourceRank === Infinity) return [];
+  const bindings = yield* ctx.credentialBindings.listForSource({
+    pluginId: OPENAPI_PLUGIN_ID,
+    sourceId,
+    sourceScope: ScopeId.make(sourceScope)
+  });
+  return bindings.filter((binding) => scopeRank(ranks, binding.scopeId) <= sourceSourceRank).map(coreBindingToOpenApiBinding);
+});
+var resolveOpenApiSourceBinding = (ctx, sourceId, sourceScope, slot) => Effect2.gen(function* () {
+  const ranks = scopeRanks(ctx);
+  const sourceSourceRank = scopeRank(ranks, sourceScope);
+  if (sourceSourceRank === Infinity) return null;
+  const bindings = yield* ctx.credentialBindings.listForSource({
+    pluginId: OPENAPI_PLUGIN_ID,
+    sourceId,
+    sourceScope: ScopeId.make(sourceScope)
+  });
+  const binding = bindings.filter(
+    (candidate) => candidate.slotKey === slot && scopeRank(ranks, candidate.scopeId) <= sourceSourceRank
+  ).sort((a, b) => scopeRank(ranks, a.scopeId) - scopeRank(ranks, b.scopeId))[0];
+  return binding ? coreBindingToOpenApiBinding(binding) : null;
+});
+var validateOpenApiBindingTarget = (ctx, input) => Effect2.gen(function* () {
+  const ranks = scopeRanks(ctx);
+  const sourceSourceRank = scopeRank(ranks, input.sourceScope);
+  const targetRank = scopeRank(ranks, input.targetScope);
+  const scopeList = `[${ctx.scopes.map((s) => s.id).join(", ")}]`;
+  if (sourceSourceRank === Infinity) {
+    return yield* new StorageError({
+      message: `OpenAPI source binding references source scope "${input.sourceScope}" which is not in the executor's scope stack ${scopeList}.`,
+      cause: void 0
+    });
+  }
+  if (targetRank === Infinity) {
+    return yield* new StorageError({
+      message: `OpenAPI source binding targets scope "${input.targetScope}" which is not in the executor's scope stack ${scopeList}.`,
+      cause: void 0
+    });
+  }
+  if (targetRank > sourceSourceRank) {
+    return yield* new StorageError({
+      message: `OpenAPI source bindings for "${input.sourceId}" cannot be written at outer scope "${input.targetScope}" because the base source lives at "${input.sourceScope}"`,
+      cause: void 0
+    });
+  }
+});
+var targetScopeForBinding = (fallbackTargetScope, binding) => {
+  const targetScope = binding.targetScope ?? fallbackTargetScope;
+  if (targetScope) return Effect2.succeed(targetScope);
+  return Effect2.fail(
+    new OpenApiOAuthError({
+      message: "credentialTargetScope is required when adding direct OpenAPI credentials"
+    })
+  );
+};
+var findOuterSource = (ctx, namespace, scope) => Effect2.gen(function* () {
+  const ranks = scopeRanks(ctx);
+  const baseRank = scopeRank(ranks, scope);
+  for (let index = baseRank + 1; index < ctx.scopes.length; index++) {
+    const candidateScope = ctx.scopes[index];
+    if (!candidateScope) continue;
+    const source = yield* ctx.storage.getSource(namespace, candidateScope.id);
+    if (source) return source;
+  }
+  return null;
+});
+var resolveEffectiveSourceConfig = (ctx, base) => Effect2.gen(function* () {
+  const fallback = yield* findOuterSource(ctx, base.namespace, base.scope);
+  if (!fallback) {
+    return {
+      config: base.config,
+      headersSource: base,
+      queryParamsSource: base,
+      specFetchCredentialsSource: base,
+      oauth2Source: base
+    };
+  }
+  const hasBaseHeaders = Object.keys(base.config.headers ?? {}).length > 0;
+  const hasBaseQueryParams = Object.keys(base.config.queryParams ?? {}).length > 0;
+  const hasBaseSpecFetchCredentials = base.config.specFetchCredentials !== void 0;
+  return {
+    config: {
+      ...base.config,
+      sourceUrl: base.config.sourceUrl ?? fallback.config.sourceUrl,
+      baseUrl: fallback.config.baseUrl,
+      namespace: base.config.namespace ?? fallback.config.namespace,
+      headers: hasBaseHeaders ? base.config.headers : fallback.config.headers,
+      queryParams: hasBaseQueryParams ? base.config.queryParams : fallback.config.queryParams,
+      specFetchCredentials: base.config.specFetchCredentials ?? fallback.config.specFetchCredentials,
+      oauth2: base.config.oauth2 ?? fallback.config.oauth2
+    },
+    headersSource: hasBaseHeaders ? base : fallback,
+    queryParamsSource: hasBaseQueryParams ? base : fallback,
+    specFetchCredentialsSource: hasBaseSpecFetchCredentials ? base : fallback,
+    oauth2Source: base.config.oauth2 ? base : fallback
+  };
+});
+var resolveConfiguredValueMap = (ctx, params) => Effect2.gen(function* () {
+  const resolved = {};
+  for (const [name, value] of Object.entries(params.values)) {
+    if (typeof value === "string") {
+      resolved[name] = value;
+      continue;
+    }
+    const binding = yield* resolveOpenApiSourceBinding(
+      ctx,
+      params.sourceId,
+      params.sourceScope,
+      value.slot
+    );
+    if (binding?.value.kind === "secret") {
+      const secret = yield* ctx.secrets.getAtScope(binding.value.secretId, binding.value.secretScopeId ?? binding.scopeId).pipe(
+        Effect2.catchTag(
+          "SecretOwnedByConnectionError",
+          () => Effect2.fail(
+            new OpenApiOAuthError({
+              message: `Secret not found for header "${name}"`
+            })
+          )
+        )
+      );
+      if (secret === null) {
+        return yield* new OpenApiOAuthError({
+          message: `Missing secret "${binding.value.secretId}" for ${params.missingLabel} "${name}"`
+        });
+      }
+      resolved[name] = value.prefix ? `${value.prefix}${secret}` : secret;
+      continue;
+    }
+    if (binding?.value.kind === "text") {
+      resolved[name] = value.prefix ? `${value.prefix}${binding.value.text}` : binding.value.text;
+      continue;
+    }
+    return yield* new OpenApiOAuthError({
+      message: `Missing binding for ${params.missingLabel} "${name}"`
+    });
+  }
+  return resolved;
+});
+var resolveConfiguredHeaders = (ctx, params) => resolveConfiguredValueMap(ctx, {
+  sourceId: params.sourceId,
+  sourceScope: params.sourceScope,
+  values: params.headers,
+  missingLabel: "header"
+});
+var resolveSecretBackedValues = (ctx, values) => resolveSecretBackedMap({
+  values,
+  getSecret: ctx.secrets.get,
+  onMissing: (name) => new OpenApiOAuthError({
+    message: `Secret not found for "${name}"`
+  }),
+  onError: (err, name) => Predicate.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({
+    message: `Secret not found for "${name}"`
+  }) : err
+}).pipe(
+  Effect2.mapError(
+    (err) => Predicate.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({ message: "Secret resolution failed" }) : err
+  ),
+  Effect2.map((resolved) => resolved ?? {})
+);
+var resolveOAuthConnectionId = (ctx, params) => Effect2.gen(function* () {
+  const binding = yield* resolveOpenApiSourceBinding(
+    ctx,
+    params.sourceId,
+    params.sourceScope,
+    params.oauth2.connectionSlot
+  );
+  if (binding?.value.kind === "connection") {
+    const connectionId = binding.value.connectionId;
+    const connection = yield* ctx.connections.getAtScope(connectionId, binding.scopeId);
+    return connection ? { connectionId, scopeId: binding.scopeId } : null;
+  }
+  return null;
+});
+var resolveSpecFetchInputCredentials = (ctx, credentials) => Effect2.gen(function* () {
+  if (!credentials) return void 0;
+  return {
+    headers: yield* resolveSecretBackedValues(ctx, credentials.headers),
+    queryParams: yield* resolveSecretBackedValues(ctx, credentials.queryParams)
+  };
+});
+var resolveStoredSpecFetchCredentials = (ctx, params) => Effect2.gen(function* () {
+  if (!params.credentials) return void 0;
+  return {
+    headers: yield* resolveConfiguredValueMap(ctx, {
+      sourceId: params.sourceId,
+      sourceScope: params.sourceScope,
+      values: params.credentials.headers ?? {},
+      missingLabel: "spec fetch header"
+    }),
+    queryParams: yield* resolveConfiguredValueMap(ctx, {
+      sourceId: params.sourceId,
+      sourceScope: params.sourceScope,
+      values: params.credentials.queryParams ?? {},
+      missingLabel: "spec fetch query parameter"
+    })
+  };
+});
+var toOpenApiSourceConfig = (namespace, config) => {
+  const configHeaders = {};
+  for (const [name, value] of Object.entries(config.headers ?? {})) {
+    if (typeof value === "string" || !("kind" in value)) {
+      configHeaders[name] = value;
+    }
+  }
+  return {
+    kind: "openapi",
+    spec: config.spec,
+    baseUrl: config.baseUrl,
+    namespace,
+    headers: headersToConfigValues(
+      Object.keys(configHeaders).length > 0 ? configHeaders : void 0
+    )
+  };
+};
+var isHttpUrl = (s) => s.startsWith("http://") || s.startsWith("https://");
+var openApiPlugin = definePlugin((options) => {
+  const rebuildSource = (ctx, input) => Effect2.gen(function* () {
+    const doc = yield* parse(input.specText);
+    const result = yield* extract(doc);
+    const namespace = input.namespace ?? Option2.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
+    const outerSource = yield* findOuterSource(ctx, namespace, input.scope);
+    if (outerSource && input.baseUrl !== void 0 && input.baseUrl.trim() !== "") {
+      return yield* new OpenApiOAuthError({
+        message: "OpenAPI source shadows inherit the outer source base URL"
+      });
+    }
+    const hoistedDefs = {};
+    if (doc.components?.schemas) {
+      for (const [k, v] of Object.entries(doc.components.schemas)) {
+        hoistedDefs[k] = normalizeOpenApiRefs(v);
+      }
+    }
+    const baseUrl = outerSource ? void 0 : input.baseUrl ?? resolveBaseUrl(result.servers);
+    const canonicalHeaders = canonicalizeHeaders(input.headers);
+    const canonicalQueryParams = canonicalizeCredentialMap(
+      input.queryParams,
+      queryParamSlotFromName
+    );
+    const canonicalSpecFetchCredentials = canonicalizeSpecFetchCredentials(
+      input.specFetchCredentials
+    );
+    const canonicalOAuth2 = canonicalizeOAuth2(input.oauth2);
+    const directBindings = [
+      ...canonicalHeaders.bindings,
+      ...canonicalQueryParams.bindings,
+      ...canonicalSpecFetchCredentials.bindings,
+      ...canonicalOAuth2.bindings
+    ];
+    for (const binding of directBindings) {
+      const bindingTargetScope = yield* targetScopeForBinding(
+        input.credentialTargetScope,
+        binding
+      );
+      yield* validateOpenApiBindingTarget(ctx, {
+        sourceId: namespace,
+        sourceScope: input.scope,
+        targetScope: bindingTargetScope
+      });
+    }
+    const definitions = compileToolDefinitions(result.operations);
+    const sourceName = input.name ?? Option2.getOrElse(result.title, () => namespace);
+    const sourceConfig = {
+      spec: input.specText,
+      sourceUrl: input.sourceUrl,
+      baseUrl,
+      namespace: input.namespace,
+      headers: canonicalHeaders.headers,
+      queryParams: canonicalQueryParams.values,
+      specFetchCredentials: canonicalSpecFetchCredentials.credentials,
+      oauth2: canonicalOAuth2.oauth2
+    };
+    const storedSource = {
+      namespace,
+      scope: input.scope,
+      name: sourceName,
+      config: sourceConfig
+    };
+    const storedOps = definitions.map((def) => ({
+      toolId: `${namespace}.${def.toolPath}`,
+      sourceId: namespace,
+      binding: toBinding(def)
+    }));
+    yield* ctx.transaction(
+      Effect2.gen(function* () {
+        yield* ctx.storage.upsertSource(storedSource, storedOps);
+        yield* ctx.core.sources.register({
+          id: namespace,
+          scope: input.scope,
+          kind: "openapi",
+          name: sourceName,
+          url: baseUrl || void 0,
+          canRemove: true,
+          // `canRefresh` reflects whether we still know the
+          // origin URL — sources added from raw spec text have
+          // nothing to re-fetch, so refresh stays disabled.
+          canRefresh: input.sourceUrl != null,
+          canEdit: true,
+          tools: definitions.map((def) => ({
+            name: def.toolPath,
+            description: descriptionFor(def),
+            inputSchema: normalizeOpenApiRefs(Option2.getOrUndefined(def.operation.inputSchema)),
+            outputSchema: normalizeOpenApiRefs(Option2.getOrUndefined(def.operation.outputSchema))
+          }))
+        });
+        if (directBindings.length > 0) {
+          for (const binding of directBindings) {
+            const bindingTargetScope = yield* targetScopeForBinding(
+              input.credentialTargetScope,
+              binding
+            );
+            yield* ctx.credentialBindings.set({
+              targetScope: ScopeId.make(bindingTargetScope),
+              pluginId: OPENAPI_PLUGIN_ID,
+              sourceId: namespace,
+              sourceScope: ScopeId.make(input.scope),
+              slotKey: binding.slot,
+              value: binding.value
+            });
+          }
+        }
+        if (Object.keys(hoistedDefs).length > 0) {
+          yield* ctx.core.definitions.register({
+            sourceId: namespace,
+            scope: input.scope,
+            definitions: hoistedDefs
+          });
+        }
+      })
+    );
+    return { sourceId: namespace, toolCount: definitions.length };
+  });
+  const refreshSourceInternal = (ctx, sourceId, scope) => Effect2.gen(function* () {
+    const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
+    const existing = yield* ctx.storage.getSource(sourceId, scope);
+    if (!existing) return;
+    const effective = yield* resolveEffectiveSourceConfig(ctx, existing);
+    const resolvedConfig = effective.config;
+    const sourceUrl = resolvedConfig.sourceUrl;
+    if (!sourceUrl) return;
+    const credentials = yield* resolveStoredSpecFetchCredentials(ctx, {
+      sourceId: existing.namespace,
+      sourceScope: effective.specFetchCredentialsSource.scope,
+      credentials: resolvedConfig.specFetchCredentials
+    });
+    const specText = yield* resolveSpecText(sourceUrl, credentials).pipe(
+      Effect2.provide(httpClientLayer)
+    );
+    yield* rebuildSource(ctx, {
+      specText,
+      scope,
+      sourceUrl,
+      name: existing.name,
+      baseUrl: resolvedConfig.baseUrl,
+      namespace: existing.namespace,
+      headers: existing.config.headers,
+      queryParams: existing.config.queryParams,
+      specFetchCredentials: existing.config.specFetchCredentials,
+      oauth2: existing.config.oauth2,
+      credentialTargetScope: scope
+    });
+  });
+  return {
+    id: "openapi",
+    packageName: "@executor-js/plugin-openapi",
+    schema: openapiSchema,
+    storage: (deps) => makeDefaultOpenapiStore(deps),
+    extension: (ctx) => {
+      const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
+      const addSpecInternal = (config) => Effect2.gen(function* () {
+        const credentials = yield* resolveSpecFetchInputCredentials(
+          ctx,
+          config.specFetchCredentials
+        );
+        const specText = yield* resolveSpecText(config.spec, credentials).pipe(
+          Effect2.provide(httpClientLayer)
+        );
+        return yield* rebuildSource(ctx, {
+          specText,
+          scope: config.scope,
+          sourceUrl: isHttpUrl(config.spec) ? config.spec : void 0,
+          name: config.name,
+          baseUrl: config.baseUrl,
+          namespace: config.namespace,
+          headers: config.headers,
+          queryParams: config.queryParams,
+          specFetchCredentials: config.specFetchCredentials,
+          oauth2: config.oauth2,
+          // Default to the source's own scope. refreshSource and editSource
+          // do the same; without this, config-sync's addSpec — which never
+          // passes the field — fails with "credentialTargetScope is
+          // required" the moment the jsonc declares any header secret.
+          credentialTargetScope: config.credentialTargetScope ?? config.scope
+        });
+      });
+      const configFile = options?.configFile;
+      return {
+        previewSpec: (input) => Effect2.gen(function* () {
+          const previewInput = typeof input === "string" ? { spec: input } : input;
+          const credentials = yield* resolveSpecFetchInputCredentials(
+            ctx,
+            previewInput.specFetchCredentials
+          );
+          const specText = yield* resolveSpecText(previewInput.spec, credentials).pipe(
+            Effect2.provide(httpClientLayer)
+          );
+          return yield* previewSpec(specText).pipe(Effect2.provide(httpClientLayer));
+        }),
+        addSpec: (config) => Effect2.gen(function* () {
+          const result = yield* addSpecInternal(config);
+          if (configFile) {
+            yield* configFile.upsertSource(toOpenApiSourceConfig(result.sourceId, config));
+          }
+          return result;
+        }),
+        removeSpec: (namespace, scope) => Effect2.gen(function* () {
+          yield* ctx.transaction(
+            Effect2.gen(function* () {
+              yield* ctx.credentialBindings.removeForSource({
+                pluginId: OPENAPI_PLUGIN_ID,
+                sourceId: namespace,
+                sourceScope: ScopeId.make(scope)
+              });
+              yield* ctx.storage.removeSource(namespace, scope);
+              yield* ctx.core.sources.unregister({
+                id: namespace,
+                targetScope: scope
+              });
+            })
+          );
+          if (configFile) {
+            yield* configFile.removeSource(namespace);
+          }
+        }),
+        getSource: (namespace, scope) => Effect2.gen(function* () {
+          const source = yield* ctx.storage.getSource(namespace, scope);
+          if (!source) return null;
+          const effective = yield* resolveEffectiveSourceConfig(ctx, source);
+          return {
+            ...source,
+            config: effective.config
+          };
+        }),
+        updateSource: (namespace, scope, input) => Effect2.gen(function* () {
+          const existing = yield* ctx.storage.getSource(namespace, scope);
+          if (!existing) return;
+          const canonicalHeaders = input.headers !== void 0 ? canonicalizeHeaders(input.headers) : null;
+          const canonicalOAuth2 = input.oauth2 !== void 0 ? canonicalizeOAuth2(input.oauth2) : null;
+          const canonicalQueryParams = input.queryParams !== void 0 ? canonicalizeCredentialMap(input.queryParams, queryParamSlotFromName) : null;
+          const directBindings = [
+            ...canonicalHeaders?.bindings ?? [],
+            ...canonicalQueryParams?.bindings ?? [],
+            ...canonicalOAuth2?.bindings ?? []
+          ];
+          const affectedPrefixes = [
+            ...input.headers !== void 0 ? ["header:"] : [],
+            ...input.queryParams !== void 0 ? ["query_param:"] : [],
+            ...input.oauth2 !== void 0 ? ["oauth2:"] : []
+          ];
+          const targetScope = input.credentialTargetScope ?? scope;
+          if (input.baseUrl !== void 0 && input.baseUrl.trim() !== "") {
+            const outerSource = yield* findOuterSource(ctx, namespace, scope);
+            if (outerSource) {
+              return yield* new OpenApiOAuthError({
+                message: "OpenAPI source shadows inherit the outer source base URL"
+              });
+            }
+          }
+          if (affectedPrefixes.length > 0 || directBindings.length > 0) {
+            yield* validateOpenApiBindingTarget(ctx, {
+              sourceId: namespace,
+              sourceScope: scope,
+              targetScope
+            });
+          }
+          yield* ctx.transaction(
+            Effect2.gen(function* () {
+              yield* ctx.storage.updateSourceMeta(namespace, scope, {
+                name: input.name?.trim() || void 0,
+                baseUrl: input.baseUrl,
+                headers: canonicalHeaders?.headers,
+                queryParams: canonicalQueryParams?.values,
+                oauth2: canonicalOAuth2?.oauth2
+              });
+              if (affectedPrefixes.length > 0 || directBindings.length > 0) {
+                yield* ctx.credentialBindings.replaceForSource({
+                  targetScope: ScopeId.make(targetScope),
+                  pluginId: OPENAPI_PLUGIN_ID,
+                  sourceId: namespace,
+                  sourceScope: ScopeId.make(scope),
+                  slotPrefixes: affectedPrefixes,
+                  bindings: directBindings.map((binding) => ({
+                    slotKey: binding.slot,
+                    value: binding.value
+                  }))
+                });
+              }
+            })
+          );
+        }),
+        listSourceBindings: (sourceId, sourceScope) => listOpenApiSourceBindings(ctx, sourceId, sourceScope),
+        setSourceBinding: (input) => Effect2.gen(function* () {
+          yield* validateOpenApiBindingTarget(ctx, {
+            sourceId: input.sourceId,
+            sourceScope: input.sourceScope,
+            targetScope: input.scope
+          });
+          const binding = yield* ctx.credentialBindings.set({
+            targetScope: input.scope,
+            pluginId: OPENAPI_PLUGIN_ID,
+            sourceId: input.sourceId,
+            sourceScope: input.sourceScope,
+            slotKey: input.slot,
+            value: input.value
+          });
+          return coreBindingToOpenApiBinding(binding);
+        }),
+        removeSourceBinding: (sourceId, sourceScope, slot, scope) => Effect2.gen(function* () {
+          yield* validateOpenApiBindingTarget(ctx, {
+            sourceId,
+            sourceScope,
+            targetScope: scope
+          });
+          yield* ctx.credentialBindings.remove({
+            targetScope: ScopeId.make(scope),
+            pluginId: OPENAPI_PLUGIN_ID,
+            sourceId,
+            sourceScope: ScopeId.make(sourceScope),
+            slotKey: slot
+          });
+        })
+      };
+    },
+    staticSources: (self) => [
+      {
+        id: "openapi",
+        kind: "executor",
+        name: "OpenAPI",
+        tools: [
+          tool({
+            name: "previewSpec",
+            description: "Preview an OpenAPI document before adding it as a source",
+            inputSchema: PreviewSpecInputStandardSchema,
+            execute: (input) => self.previewSpec(input)
+          }),
+          tool({
+            name: "addSource",
+            description: "Add an OpenAPI source and register its operations as tools",
+            annotations: {
+              requiresApproval: true,
+              approvalDescription: "Add an OpenAPI source"
+            },
+            inputSchema: AddSourceInputStandardSchema,
+            outputSchema: AddSourceOutputStandardSchema,
+            execute: (input) => self.addSpec(input)
+          })
+        ]
+      }
+    ],
+    invokeTool: ({ ctx, toolRow, args }) => Effect2.gen(function* () {
+      const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
+      const toolScope = toolRow.scope_id;
+      const op = yield* ctx.storage.getOperationByToolId(toolRow.id, toolScope);
+      if (!op) {
+        return yield* new OpenApiExtractionError({
+          message: `No OpenAPI operation found for tool "${toolRow.id}"`
+        });
+      }
+      const source = yield* ctx.storage.getSource(op.sourceId, toolScope);
+      if (!source) {
+        return yield* new OpenApiExtractionError({
+          message: `No OpenAPI source found for "${op.sourceId}"`
+        });
+      }
+      const effective = yield* resolveEffectiveSourceConfig(ctx, source);
+      const config = effective.config;
+      const resolvedHeaders = yield* resolveConfiguredHeaders(ctx, {
+        sourceId: op.sourceId,
+        sourceScope: effective.headersSource.scope,
+        headers: config.headers ?? {}
+      });
+      const resolvedQueryParams = yield* resolveConfiguredValueMap(ctx, {
+        sourceId: op.sourceId,
+        sourceScope: effective.queryParamsSource.scope,
+        values: config.queryParams ?? {},
+        missingLabel: "query parameter"
+      });
+      if (config.oauth2) {
+        const connection = yield* resolveOAuthConnectionId(ctx, {
+          sourceId: op.sourceId,
+          sourceScope: effective.oauth2Source.scope,
+          oauth2: config.oauth2
+        });
+        if (!connection) {
+          return yield* new OpenApiOAuthError({
+            message: `OAuth configuration for "${op.sourceId}" is missing a connection binding`
+          });
+        }
+        const accessToken = yield* ctx.connections.accessTokenAtScope(connection.connectionId, connection.scopeId).pipe(
+          Effect2.mapError(
+            () => new OpenApiOAuthError({
+              message: "OAuth connection resolution failed"
+            })
+          )
+        );
+        resolvedHeaders.authorization = `Bearer ${accessToken}`;
+      }
+      const result = yield* invokeWithLayer(
+        op.binding,
+        args ?? {},
+        config.baseUrl ?? "",
+        resolvedHeaders,
+        resolvedQueryParams,
+        httpClientLayer
+      );
+      return result;
+    }),
+    resolveAnnotations: ({ ctx, sourceId, toolRows }) => Effect2.gen(function* () {
+      const scopes = /* @__PURE__ */ new Set();
+      for (const row of toolRows) {
+        scopes.add(row.scope_id);
+      }
+      const entries = yield* Effect2.forEach(
+        [...scopes],
+        (scope) => Effect2.gen(function* () {
+          const ops = yield* ctx.storage.listOperationsBySource(sourceId, scope);
+          const byId = /* @__PURE__ */ new Map();
+          for (const op of ops) byId.set(op.toolId, op.binding);
+          return [scope, byId];
+        }),
+        { concurrency: "unbounded" }
+      );
+      const byScope = new Map(entries);
+      const out = {};
+      for (const row of toolRows) {
+        const binding = byScope.get(row.scope_id)?.get(row.id);
+        if (binding) {
+          out[row.id] = annotationsForOperation(binding.method, binding.pathTemplate);
+        }
+      }
+      return out;
+    }),
+    removeSource: ({ ctx, sourceId, scope }) => Effect2.gen(function* () {
+      yield* ctx.transaction(
+        Effect2.gen(function* () {
+          yield* ctx.credentialBindings.removeForSource({
+            pluginId: OPENAPI_PLUGIN_ID,
+            sourceId,
+            sourceScope: ScopeId.make(scope)
+          });
+          yield* ctx.storage.removeSource(sourceId, scope);
+        })
+      );
+      if (options?.configFile) {
+        yield* options.configFile.removeSource(sourceId);
+      }
+    }),
+    // OpenAPI credential usages are reported by the core `credential_binding`
+    // table. Source storage carries only source-owned slot structure.
+    usagesForSecret: () => Effect2.succeed([]),
+    usagesForConnection: () => Effect2.succeed([]),
+    // Re-fetch the spec from its origin URL (captured at addSpec time)
+    // and replay the same parse → extract → upsertSource → register
+    // path used by addSpec. Sources without a stored URL surface a
+    // typed `OpenApiParseError` — the executor only dispatches refresh
+    // when `canRefresh: true`, so a raw-text source reaching here
+    // means stale UI state, which is worth surfacing to the caller.
+    refreshSource: ({ ctx, sourceId, scope }) => refreshSourceInternal(ctx, sourceId, scope),
+    detect: ({ ctx, url }) => Effect2.gen(function* () {
+      const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
+      const trimmed = url.trim();
+      if (!trimmed) return null;
+      const parsed = yield* Effect2.try({
+        try: () => new URL(trimmed),
+        catch: (error) => error
+      }).pipe(Effect2.option);
+      if (Option2.isNone(parsed)) return null;
+      const specText = yield* resolveSpecText(trimmed).pipe(
+        Effect2.provide(httpClientLayer),
+        Effect2.catch(() => Effect2.succeed(null))
+      );
+      if (specText === null) return null;
+      const doc = yield* parse(specText).pipe(Effect2.catch(() => Effect2.succeed(null)));
+      if (!doc) return null;
+      const result = yield* extract(doc).pipe(Effect2.catch(() => Effect2.succeed(null)));
+      if (!result) return null;
+      const namespace = Option2.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
+      const name = Option2.getOrElse(result.title, () => namespace);
+      return SourceDetectionResult.make({
+        kind: "openapi",
+        confidence: "high",
+        endpoint: trimmed,
+        name,
+        namespace
+      });
+    })
+  };
+});
+
+export {
+  resolveHeaders,
+  invoke,
+  invokeWithLayer,
+  annotationsForOperation,
+  openApiPlugin
+};
+//# sourceMappingURL=chunk-OZ67JNID.js.map