@executor-js/plugin-openapi 0.1.0 → 1.4.20

package/dist/chunk-TGDT6QCH.js

@@ -0,0 +1,1120 @@
+import {
+  addOpenApiSpecOptimistic,
+  previewOpenApiSpec,
+  setOpenApiSourceBinding
+} from "./chunk-GFQUEZUW.js";
+import {
+  ConfiguredHeaderBinding,
+  OAuth2SourceConfig,
+  OpenApiSourceBindingInput,
+  expandServerUrlOptions,
+  headerBindingSlot,
+  oauth2ClientIdSlot,
+  oauth2ClientSecretSlot,
+  oauth2ConnectionSlot,
+  queryParamBindingSlot
+} from "./chunk-E7PZ2QGD.js";
+
+// src/react/AddOpenApiSource.tsx
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
+import { useAtomSet } from "@effect/atom-react";
+import * as Exit from "effect/Exit";
+import * as Match from "effect/Match";
+import * as Option from "effect/Option";
+import * as Schema from "effect/Schema";
+import { ConnectionId, ScopeId, SecretId } from "@executor-js/sdk/core";
+import { startOAuth } from "@executor-js/react/api/atoms";
+import { useScope, useScopeStack } from "@executor-js/react/api/scope-context";
+import { connectionWriteKeys, sourceWriteKeys } from "@executor-js/react/api/reactivity-keys";
+import { HeadersList } from "@executor-js/react/plugins/headers-list";
+import {
+  HttpCredentialsEditor,
+  emptyHttpCredentials,
+  serializeHttpCredentials
+} from "@executor-js/react/plugins/http-credentials";
+import {
+  oauthCallbackUrl,
+  useOAuthPopupFlow
+} from "@executor-js/react/plugins/oauth-sign-in";
+import {
+  CreatableSecretPicker,
+  matchPresetKey
+} from "@executor-js/react/plugins/secret-header-auth";
+import { CredentialScopeDropdown } from "@executor-js/react/plugins/credential-target-scope";
+import { slugifyNamespace, useSourceIdentity } from "@executor-js/react/plugins/source-identity";
+import { useSecretPickerSecrets } from "@executor-js/react/plugins/use-secret-picker-secrets";
+import { Button } from "@executor-js/react/components/button";
+import { CopyButton } from "@executor-js/react/components/copy-button";
+import {
+  Collapsible,
+  CollapsibleContent,
+  CollapsibleTrigger
+} from "@executor-js/react/components/collapsible";
+import {
+  CardStack as CardStack2,
+  CardStackContent as CardStackContent2,
+  CardStackEntryField as CardStackEntryField2
+} from "@executor-js/react/components/card-stack";
+import { FieldLabel } from "@executor-js/react/components/field";
+import { FloatActions } from "@executor-js/react/components/float-actions";
+import { HelpTooltip } from "@executor-js/react/components/help-tooltip";
+import { Label } from "@executor-js/react/components/label";
+import { Textarea } from "@executor-js/react/components/textarea";
+import { Checkbox } from "@executor-js/react/components/checkbox";
+import { RadioGroup, RadioGroupItem } from "@executor-js/react/components/radio-group";
+import { IOSSpinner, Spinner } from "@executor-js/react/components/spinner";
+
+// src/react/OpenApiSourceDetailsFields.tsx
+import {
+  CardStack,
+  CardStackContent,
+  CardStackEntry,
+  CardStackEntryContent,
+  CardStackEntryDescription,
+  CardStackEntryField,
+  CardStackEntryTitle
+} from "@executor-js/react/components/card-stack";
+import {
+  FreeformCombobox
+} from "@executor-js/react/components/combobox";
+import { Input } from "@executor-js/react/components/input";
+import { SourceFavicon } from "@executor-js/react/components/source-favicon";
+import {
+  SourceIdentityFieldRows
+} from "@executor-js/react/plugins/source-identity";
+import { jsx, jsxs } from "react/jsx-runtime";
+function OpenApiSourceDetailsFields(props) {
+  const baseUrlOptions = props.baseUrlOptions ?? [];
+  return /* @__PURE__ */ jsx(CardStack, { children: /* @__PURE__ */ jsxs(CardStackContent, { className: "border-t-0", children: [
+    /* @__PURE__ */ jsxs(CardStackEntry, { children: [
+      props.faviconUrl && /* @__PURE__ */ jsx(SourceFavicon, { url: props.faviconUrl, size: 16 }),
+      /* @__PURE__ */ jsxs(CardStackEntryContent, { children: [
+        /* @__PURE__ */ jsx(CardStackEntryTitle, { children: props.title }),
+        props.description && /* @__PURE__ */ jsx(CardStackEntryDescription, { children: props.description })
+      ] }),
+      props.saveState && props.saveState !== "idle" && /* @__PURE__ */ jsx("span", { className: "text-xs text-muted-foreground", children: props.saveState === "saving" ? "Saving\u2026" : "Saved" })
+    ] }),
+    /* @__PURE__ */ jsx(
+      SourceIdentityFieldRows,
+      {
+        identity: props.identity,
+        namespaceReadOnly: props.namespaceReadOnly
+      }
+    ),
+    /* @__PURE__ */ jsxs("div", { className: "grid grid-cols-1 md:grid-cols-2", children: [
+      /* @__PURE__ */ jsxs(CardStackEntryField, { label: "Base URL", children: [
+        baseUrlOptions.length > 0 ? /* @__PURE__ */ jsx(
+          FreeformCombobox,
+          {
+            value: props.baseUrl,
+            onValueChange: props.onBaseUrlChange,
+            options: baseUrlOptions,
+            placeholder: "https://api.example.com",
+            className: "w-full",
+            inputClassName: "font-mono text-sm"
+          }
+        ) : /* @__PURE__ */ jsx(
+          Input,
+          {
+            value: props.baseUrl,
+            onChange: (e) => props.onBaseUrlChange(e.target.value),
+            placeholder: "https://api.example.com",
+            className: "font-mono text-sm"
+          }
+        ),
+        props.baseUrlMissingMessage && !props.baseUrl && /* @__PURE__ */ jsx("p", { className: "text-[11px] text-amber-600 dark:text-amber-400", children: props.baseUrlMissingMessage })
+      ] }),
+      props.specUrl !== void 0 && props.onSpecUrlChange && /* @__PURE__ */ jsx(CardStackEntryField, { label: "Spec URL", children: /* @__PURE__ */ jsx(
+        Input,
+        {
+          value: props.specUrl,
+          onChange: (e) => props.onSpecUrlChange?.(e.target.value),
+          placeholder: "https://api.example.com/openapi.json",
+          className: "font-mono text-sm",
+          disabled: props.specUrlDisabled
+        }
+      ) })
+    ] }),
+    props.footer && /* @__PURE__ */ jsx(CardStackEntry, { children: /* @__PURE__ */ jsx(CardStackEntryContent, { children: /* @__PURE__ */ jsx(CardStackEntryTitle, { children: props.footer }) }) })
+  ] }) });
+}
+
+// src/react/AddOpenApiSource.tsx
+import { Fragment, jsx as jsx2, jsxs as jsxs2 } from "react/jsx-runtime";
+var addSpecWriteKeys = [...sourceWriteKeys, ...connectionWriteKeys];
+var bindingWriteKeys = [...sourceWriteKeys, ...connectionWriteKeys];
+var OPENAPI_OAUTH_POPUP_NAME = "openapi-oauth";
+var OPENAPI_OAUTH_CALLBACK_PATH = "/api/oauth/callback";
+var ErrorMessage = Schema.Struct({ message: Schema.String });
+var decodeErrorMessage = Schema.decodeUnknownOption(ErrorMessage);
+var errorMessageFromExit = (exit, fallback) => Option.match(Option.flatMap(Exit.findErrorOption(exit), decodeErrorMessage), {
+  onNone: () => fallback,
+  onSome: ({ message }) => message
+});
+var openApiOAuthConnectionId = (namespaceSlug, flow) => flow === "clientCredentials" ? `openapi-oauth2-app-${namespaceSlug || "default"}` : `openapi-oauth2-user-${namespaceSlug || "default"}`;
+function resolveOAuthUrl(url, baseUrl) {
+  if (!url) return url;
+  try {
+    new URL(url);
+    return url;
+  } catch {
+    if (!baseUrl) return url;
+    try {
+      return new URL(url, baseUrl).toString();
+    } catch {
+      return url;
+    }
+  }
+}
+function inferOAuthIssuerUrl(authorizationUrl) {
+  try {
+    return new URL(authorizationUrl).origin;
+  } catch {
+    return null;
+  }
+}
+var serializeStrategy = (s) => Match.value(s).pipe(
+  Match.when({ kind: "none" }, () => "none"),
+  Match.when({ kind: "custom" }, () => "custom"),
+  Match.when({ kind: "header" }, (sel) => `header:${sel.presetIndex}`),
+  Match.when({ kind: "oauth2" }, (sel) => `oauth2:${sel.presetIndex}`),
+  Match.exhaustive
+);
+var parseStrategy = (value2) => {
+  if (value2 === "none") return { kind: "none" };
+  if (value2 === "custom") return { kind: "custom" };
+  if (value2.startsWith("header:")) {
+    return {
+      kind: "header",
+      presetIndex: Number(value2.slice("header:".length))
+    };
+  }
+  if (value2.startsWith("oauth2:")) {
+    return {
+      kind: "oauth2",
+      presetIndex: Number(value2.slice("oauth2:".length))
+    };
+  }
+  return { kind: "none" };
+};
+function prefixForHeader(preset, headerName) {
+  const label = preset.label.toLowerCase();
+  if (headerName.toLowerCase() === "authorization") {
+    if (label.includes("bearer")) return "Bearer ";
+    if (label.includes("basic")) return "Basic ";
+  }
+  return void 0;
+}
+function entriesFromSpecPreset(preset) {
+  return preset.secretHeaders.map((headerName) => {
+    const prefix = prefixForHeader(preset, headerName);
+    return {
+      name: headerName,
+      secretId: null,
+      prefix,
+      presetKey: matchPresetKey(headerName, prefix),
+      fromPreset: true
+    };
+  });
+}
+var secretStorageDescription = (label) => label === "Personal" ? "Only you can use this secret." : "Everyone in the organization can use this secret.";
+function AddOpenApiSource(props) {
+  const [specUrl, setSpecUrl] = useState(props.initialUrl ?? "");
+  const [analyzing, setAnalyzing] = useState(false);
+  const [analyzeError, setAnalyzeError] = useState(null);
+  const [preview, setPreview] = useState(null);
+  const [baseUrl, setBaseUrl] = useState("");
+  const identity = useSourceIdentity({
+    fallbackName: preview ? Option.getOrElse(preview.title, () => "") : "",
+    fallbackNamespace: props.initialNamespace
+  });
+  const [strategy, setStrategy] = useState({ kind: "none" });
+  const [customHeaders, setCustomHeaders] = useState([]);
+  const [specFetchCredentials, setSpecFetchCredentials] = useState(
+    () => emptyHttpCredentials()
+  );
+  const [specFetchCredentialsOpen, setSpecFetchCredentialsOpen] = useState(false);
+  const [runtimeCredentials, setRuntimeCredentials] = useState(
+    () => emptyHttpCredentials()
+  );
+  const [oauth2ClientIdSecretId, setOauth2ClientIdSecretId] = useState(null);
+  const [oauth2ClientSecretSecretId, setOauth2ClientSecretSecretId] = useState(null);
+  const [oauth2ClientIdScope, setOauth2ClientIdScope] = useState(null);
+  const [oauth2ClientSecretScope, setOauth2ClientSecretScope] = useState(null);
+  const [oauth2SelectedScopes, setOauth2SelectedScopes] = useState(/* @__PURE__ */ new Set());
+  const [oauth2AuthState, setOauth2AuthState] = useState(null);
+  const [startingOAuth, setStartingOAuth] = useState(false);
+  const [oauth2Error, setOauth2Error] = useState(null);
+  const [adding, setAdding] = useState(false);
+  const [addError, setAddError] = useState(null);
+  const scopeId = useScope();
+  const scopeStack = useScopeStack();
+  const credentialScopeOptions = useMemo(
+    () => scopeStack.map((entry, index) => ({
+      scopeId: entry.id,
+      label: index === 0 ? "Personal" : entry.name || "Organization",
+      description: secretStorageDescription(
+        index === 0 ? "Personal" : entry.name || "Organization"
+      )
+    })),
+    [scopeStack]
+  );
+  const defaultCredentialTargetScope = credentialScopeOptions[credentialScopeOptions.length - 1]?.scopeId ?? scopeId;
+  const defaultOAuthTokenTargetScope = credentialScopeOptions[0]?.scopeId ?? scopeId;
+  const [credentialTargetScope, setCredentialTargetScope] = useState(
+    defaultCredentialTargetScope
+  );
+  const [oauthTokenTargetScope, setOAuthTokenTargetScope] = useState(
+    defaultOAuthTokenTargetScope
+  );
+  const bindingScopeOptions = useMemo(
+    () => credentialScopeOptions.map((option) => ({ ...option })),
+    [credentialScopeOptions]
+  );
+  useEffect(() => {
+    if (!credentialScopeOptions.some((option) => option.scopeId === credentialTargetScope)) {
+      setCredentialTargetScope(defaultCredentialTargetScope);
+    }
+  }, [credentialScopeOptions, credentialTargetScope, defaultCredentialTargetScope]);
+  useEffect(() => {
+    if (!credentialScopeOptions.some((option) => option.scopeId === oauthTokenTargetScope)) {
+      setOAuthTokenTargetScope(defaultOAuthTokenTargetScope);
+    }
+  }, [credentialScopeOptions, defaultOAuthTokenTargetScope, oauthTokenTargetScope]);
+  const initialCredentialScopeOption = credentialScopeOptions.find((option) => option.scopeId === credentialTargetScope) ?? credentialScopeOptions[0];
+  const initialCredentialScopeOptions = initialCredentialScopeOption ? [initialCredentialScopeOption] : [];
+  const doPreview = useAtomSet(previewOpenApiSpec, { mode: "promiseExit" });
+  const doAdd = useAtomSet(addOpenApiSpecOptimistic(scopeId), {
+    mode: "promiseExit"
+  });
+  const doStartOAuth = useAtomSet(startOAuth, { mode: "promiseExit" });
+  const doSetBinding = useAtomSet(setOpenApiSourceBinding, {
+    mode: "promiseExit"
+  });
+  const secretList = useSecretPickerSecrets();
+  const initialCredentialSecrets = useMemo(
+    () => secretList.filter((secret) => secret.scopeId === String(credentialTargetScope)),
+    [credentialTargetScope, secretList]
+  );
+  const oauth = useOAuthPopupFlow({
+    popupName: OPENAPI_OAUTH_POPUP_NAME,
+    popupBlockedMessage: "OAuth popup was blocked by the browser",
+    popupClosedMessage: "OAuth cancelled - popup was closed before completing the flow.",
+    startErrorMessage: "Failed to start OAuth"
+  });
+  const handleAnalyzeRef = useRef(() => {
+  });
+  useEffect(() => {
+    const trimmed = specUrl.trim();
+    if (!trimmed) return;
+    if (preview) return;
+    const handle = setTimeout(() => {
+      handleAnalyzeRef.current();
+    }, 400);
+    return () => clearTimeout(handle);
+  }, [specUrl, preview]);
+  const expandServerOptions = (server) => {
+    return expandServerUrlOptions(server).map((value2) => ({
+      value: value2,
+      label: value2
+    }));
+  };
+  const servers = preview?.servers ?? [];
+  const baseUrlOptions = Array.from(
+    new Map(servers.flatMap(expandServerOptions).map((option) => [option.value, option])).values()
+  );
+  const resolvedBaseUrl = baseUrl.trim();
+  const configuredHeaders = {};
+  const headerBindings = [];
+  const configuredQueryParams = {};
+  const queryParamBindings = [];
+  for (const ch of customHeaders) {
+    if (!ch.name.trim()) continue;
+    const slot = headerBindingSlot(ch.name.trim());
+    configuredHeaders[ch.name.trim()] = ConfiguredHeaderBinding.make({
+      kind: "binding",
+      slot,
+      prefix: ch.prefix
+    });
+    if (ch.secretId) {
+      headerBindings.push({
+        slot,
+        secretId: ch.secretId,
+        scope: ch.targetScope ?? credentialTargetScope,
+        secretScope: ch.secretScope ?? ch.targetScope ?? credentialTargetScope
+      });
+    }
+  }
+  for (const param of runtimeCredentials.queryParams) {
+    const name = param.name.trim();
+    if (!name) continue;
+    if (param.secretId) {
+      const slot = queryParamBindingSlot(name);
+      configuredQueryParams[name] = ConfiguredHeaderBinding.make({
+        kind: "binding",
+        slot,
+        prefix: param.prefix
+      });
+      queryParamBindings.push({
+        slot,
+        secretId: param.secretId,
+        scope: param.targetScope ?? credentialTargetScope,
+        secretScope: param.secretScope ?? param.targetScope ?? credentialTargetScope
+      });
+      continue;
+    }
+    if (param.literalValue?.trim()) {
+      configuredQueryParams[name] = param.literalValue.trim();
+    }
+  }
+  const oauth2Presets = preview?.oauth2Presets ?? [];
+  const oauth2RedirectUrl = oauthCallbackUrl(OPENAPI_OAUTH_CALLBACK_PATH);
+  const resolvedSourceId = slugifyNamespace(identity.namespace) || (preview ? Option.getOrElse(preview.title, () => "openapi") : "openapi");
+  const selectedOAuth2Preset = strategy.kind === "oauth2" ? oauth2Presets[strategy.presetIndex] ?? null : null;
+  const selectedOAuth2Fingerprint = selectedOAuth2Preset ? [
+    resolvedSourceId,
+    resolvedBaseUrl,
+    selectedOAuth2Preset.securitySchemeName,
+    selectedOAuth2Preset.flow,
+    selectedOAuth2Preset.tokenUrl,
+    Option.getOrElse(selectedOAuth2Preset.authorizationUrl, () => "")
+  ].join("\n") : "";
+  const oauth2Auth = oauth2AuthState?.fingerprint === selectedOAuth2Fingerprint ? oauth2AuthState.auth : null;
+  const configuredOAuth2 = strategy.kind === "oauth2" && selectedOAuth2Preset ? OAuth2SourceConfig.make({
+    kind: "oauth2",
+    securitySchemeName: selectedOAuth2Preset.securitySchemeName,
+    flow: selectedOAuth2Preset.flow,
+    tokenUrl: resolveOAuthUrl(selectedOAuth2Preset.tokenUrl, resolvedBaseUrl),
+    authorizationUrl: selectedOAuth2Preset.flow === "authorizationCode" ? resolveOAuthUrl(
+      Option.getOrElse(selectedOAuth2Preset.authorizationUrl, () => ""),
+      resolvedBaseUrl
+    ) || null : null,
+    clientIdSlot: oauth2ClientIdSlot(selectedOAuth2Preset.securitySchemeName),
+    // Authorization-code specs can still be confidential clients
+    // (Spotify is one example). Persist the slot even when the value is
+    // deferred so the edit screen can collect the secret later.
+    clientSecretSlot: oauth2ClientSecretSlot(selectedOAuth2Preset.securitySchemeName),
+    connectionSlot: oauth2ConnectionSlot(selectedOAuth2Preset.securitySchemeName),
+    scopes: [...oauth2SelectedScopes]
+  }) : null;
+  const hasHeaders = Object.keys(configuredHeaders).length > 0;
+  const oauth2Busy = startingOAuth || oauth.busy;
+  const canConnectOAuth2 = Boolean(oauth2ClientIdSecretId) && resolvedBaseUrl.length > 0;
+  const hasIncompleteHeaderCredentials = strategy.kind !== "none" && strategy.kind !== "oauth2" && customHeaders.some((header) => header.name.trim() && !header.secretId);
+  const hasIncompleteQueryCredentials = runtimeCredentials.queryParams.some(
+    (param) => param.name.trim() && !param.secretId && !param.literalValue?.trim()
+  );
+  const willAddWithoutInitialCredentials = Boolean(selectedOAuth2Preset && !oauth2Auth) || hasIncompleteHeaderCredentials || hasIncompleteQueryCredentials;
+  const canAdd = preview !== null && resolvedBaseUrl.length > 0;
+  const handleAnalyze = async () => {
+    setAnalyzing(true);
+    setAnalyzeError(null);
+    setAddError(null);
+    const credentials = serializeHttpCredentials(specFetchCredentials);
+    const exit = await doPreview({
+      params: { scopeId },
+      payload: {
+        spec: specUrl,
+        specFetchCredentials: credentials
+      }
+    });
+    if (Exit.isFailure(exit)) {
+      setAnalyzeError(errorMessageFromExit(exit, "Failed to parse spec"));
+      setAnalyzing(false);
+      return;
+    }
+    const result = exit.value;
+    setPreview(result);
+    const firstServer = result.servers[0];
+    setBaseUrl(firstServer ? expandServerOptions(firstServer)[0]?.value ?? "" : "");
+    const firstPreset = result.headerPresets[0];
+    if (firstPreset) {
+      setStrategy({ kind: "header", presetIndex: 0 });
+      setCustomHeaders(entriesFromSpecPreset(firstPreset));
+    } else if (result.oauth2Presets[0]) {
+      setStrategy({ kind: "oauth2", presetIndex: 0 });
+      setCustomHeaders([]);
+      setOauth2SelectedScopes(new Set(Object.keys(result.oauth2Presets[0].scopes)));
+    } else {
+      setStrategy({ kind: "custom" });
+      setCustomHeaders([]);
+    }
+    setAnalyzing(false);
+  };
+  handleAnalyzeRef.current = handleAnalyze;
+  const selectStrategy = (next) => {
+    setStrategy(next);
+    if (next.kind !== "oauth2") {
+      setOauth2AuthState(null);
+      setOauth2Error(null);
+    }
+    Match.value(next).pipe(
+      Match.when({ kind: "none" }, () => {
+        setCustomHeaders([]);
+      }),
+      Match.when({ kind: "custom" }, () => {
+        const userHeaders = customHeaders.filter((h) => !h.fromPreset);
+        setCustomHeaders(userHeaders.length > 0 ? userHeaders : []);
+      }),
+      Match.when({ kind: "header" }, (n) => {
+        const preset = preview?.headerPresets[n.presetIndex];
+        if (!preset) return;
+        const userHeaders = customHeaders.filter((h) => !h.fromPreset);
+        setCustomHeaders([...entriesFromSpecPreset(preset), ...userHeaders]);
+      }),
+      Match.when({ kind: "oauth2" }, (n) => {
+        setCustomHeaders([]);
+        const preset = preview?.oauth2Presets[n.presetIndex];
+        if (preset) {
+          setOauth2SelectedScopes(new Set(Object.keys(preset.scopes)));
+        }
+      }),
+      Match.exhaustive
+    );
+  };
+  const handleHeadersChange = (next) => {
+    setCustomHeaders(next);
+    if (strategy.kind === "header" && next.every((h) => !h.fromPreset)) {
+      setStrategy(next.length === 0 ? { kind: "none" } : { kind: "custom" });
+    }
+  };
+  const setInitialCredentialScope = (targetScope) => {
+    setCredentialTargetScope(targetScope);
+    setCustomHeaders(
+      (headers) => headers.map((header) => ({
+        ...header,
+        targetScope,
+        ...header.secretScope && header.secretScope !== targetScope ? { secretId: null, secretScope: void 0 } : {}
+      }))
+    );
+    setOauth2ClientIdSecretId(null);
+    setOauth2ClientSecretSecretId(null);
+    setOauth2ClientIdScope(null);
+    setOauth2ClientSecretScope(null);
+    setOauth2AuthState(null);
+  };
+  const toggleOAuth2Scope = (scope) => {
+    setOauth2SelectedScopes((prev) => {
+      const copy = new Set(prev);
+      if (copy.has(scope)) copy.delete(scope);
+      else copy.add(scope);
+      return copy;
+    });
+    setOauth2AuthState(null);
+  };
+  const handleConnectOAuth2 = useCallback(async () => {
+    if (!selectedOAuth2Preset || !oauth2ClientIdSecretId || !preview) return;
+    oauth.cancel();
+    setOauth2Error(null);
+    const displayName = identity.name.trim() || selectedOAuth2Preset.securitySchemeName;
+    const tokenUrl = resolveOAuthUrl(selectedOAuth2Preset.tokenUrl, resolvedBaseUrl);
+    if (selectedOAuth2Preset.flow === "clientCredentials") {
+      if (!oauth2ClientSecretSecretId) {
+        setOauth2Error("client_credentials requires a client secret");
+        return;
+      }
+      setStartingOAuth(true);
+      const connectionId = openApiOAuthConnectionId(resolvedSourceId, selectedOAuth2Preset.flow);
+      const exit = await doStartOAuth({
+        params: { scopeId: oauthTokenTargetScope },
+        payload: {
+          endpoint: tokenUrl,
+          redirectUrl: tokenUrl,
+          connectionId,
+          tokenScope: oauthTokenTargetScope,
+          strategy: {
+            kind: "client-credentials",
+            tokenEndpoint: tokenUrl,
+            clientIdSecretId: oauth2ClientIdSecretId,
+            clientSecretSecretId: oauth2ClientSecretSecretId,
+            scopes: [...oauth2SelectedScopes]
+          },
+          pluginId: "openapi",
+          identityLabel: `${displayName} OAuth`
+        }
+      });
+      setStartingOAuth(false);
+      if (Exit.isFailure(exit)) {
+        setOauth2Error(errorMessageFromExit(exit, "Failed to start OAuth"));
+        return;
+      }
+      const response = exit.value;
+      if (!response.completedConnection) {
+        setOauth2Error("client_credentials flow did not mint a connection");
+        return;
+      }
+      setOauth2AuthState({
+        fingerprint: selectedOAuth2Fingerprint,
+        auth: { connectionId: response.completedConnection.connectionId }
+      });
+      setOauth2Error(null);
+      return;
+    }
+    const authorizationUrl = resolveOAuthUrl(
+      Option.getOrElse(selectedOAuth2Preset.authorizationUrl, () => ""),
+      resolvedBaseUrl
+    );
+    const issuerUrl = inferOAuthIssuerUrl(authorizationUrl);
+    await oauth.openAuthorization({
+      tokenScope: oauthTokenTargetScope,
+      run: async () => {
+        const exit = await doStartOAuth({
+          params: { scopeId: oauthTokenTargetScope },
+          payload: {
+            endpoint: authorizationUrl,
+            connectionId: openApiOAuthConnectionId(resolvedSourceId, selectedOAuth2Preset.flow),
+            tokenScope: oauthTokenTargetScope,
+            redirectUrl: oauth2RedirectUrl,
+            strategy: {
+              kind: "authorization-code",
+              authorizationEndpoint: authorizationUrl,
+              tokenEndpoint: tokenUrl,
+              issuerUrl,
+              clientIdSecretId: oauth2ClientIdSecretId,
+              clientSecretSecretId: oauth2ClientSecretSecretId ?? null,
+              scopes: [...oauth2SelectedScopes]
+            },
+            pluginId: "openapi",
+            identityLabel: `${displayName} OAuth`
+          }
+        });
+        if (Exit.isFailure(exit)) {
+          throw new Error(errorMessageFromExit(exit, "Failed to start OAuth"));
+        }
+        const response = exit.value;
+        if (response.authorizationUrl === null) {
+          throw new Error("Unexpected response flow from server");
+        }
+        return {
+          sessionId: response.sessionId,
+          authorizationUrl: response.authorizationUrl
+        };
+      },
+      onSuccess: (result) => {
+        setOauth2AuthState({
+          fingerprint: selectedOAuth2Fingerprint,
+          auth: { connectionId: result.connectionId }
+        });
+        setOauth2Error(null);
+      },
+      onError: (message) => {
+        setStartingOAuth(false);
+        setOauth2Error(message);
+      }
+    });
+  }, [
+    selectedOAuth2Preset,
+    oauth2ClientIdSecretId,
+    oauth2ClientSecretSecretId,
+    oauth2SelectedScopes,
+    oauth2RedirectUrl,
+    resolvedBaseUrl,
+    preview,
+    doStartOAuth,
+    identity.name,
+    resolvedSourceId,
+    selectedOAuth2Fingerprint,
+    oauth,
+    oauthTokenTargetScope
+  ]);
+  const handleCancelOAuth2 = useCallback(() => {
+    oauth.cancel();
+    setStartingOAuth(false);
+    setOauth2Error(null);
+  }, [oauth]);
+  const handleAdd = async () => {
+    setAdding(true);
+    setAddError(null);
+    const namespace = resolvedSourceId;
+    const displayName = identity.name.trim() || (preview ? Option.getOrElse(preview.title, () => namespace) : namespace);
+    const exit = await doAdd({
+      params: { scopeId },
+      payload: {
+        targetScope: scopeId,
+        credentialTargetScope,
+        spec: specUrl,
+        specFetchCredentials: serializeHttpCredentials(specFetchCredentials),
+        name: displayName,
+        namespace,
+        baseUrl: resolvedBaseUrl || void 0,
+        ...hasHeaders ? { headers: configuredHeaders } : {},
+        ...Object.keys(configuredQueryParams).length > 0 ? { queryParams: configuredQueryParams } : {},
+        ...configuredOAuth2 ? { oauth2: configuredOAuth2 } : {}
+      },
+      reactivityKeys: addSpecWriteKeys
+    });
+    if (Exit.isFailure(exit)) {
+      setAddError(errorMessageFromExit(exit, "Failed to add source"));
+      setAdding(false);
+      return;
+    }
+    const sourceId = exit.value.namespace;
+    const sourceScope = ScopeId.make(scopeId);
+    const bindingScope = ScopeId.make(credentialTargetScope);
+    const oauthTokenBindingScope = ScopeId.make(oauthTokenTargetScope);
+    const clientIdSecretScope = oauth2ClientIdScope ?? bindingScope;
+    const clientSecretSecretScope = oauth2ClientSecretScope ?? bindingScope;
+    for (const binding of headerBindings) {
+      const bindingExit = await doSetBinding({
+        params: { scopeId },
+        payload: OpenApiSourceBindingInput.make({
+          sourceId,
+          sourceScope,
+          scope: binding.scope,
+          slot: binding.slot,
+          value: {
+            kind: "secret",
+            secretId: SecretId.make(binding.secretId),
+            secretScopeId: binding.secretScope
+          }
+        }),
+        reactivityKeys: bindingWriteKeys
+      });
+      if (Exit.isFailure(bindingExit)) {
+        setAddError(errorMessageFromExit(bindingExit, "Failed to add source"));
+        setAdding(false);
+        return;
+      }
+    }
+    for (const binding of queryParamBindings) {
+      const bindingExit = await doSetBinding({
+        params: { scopeId },
+        payload: OpenApiSourceBindingInput.make({
+          sourceId,
+          sourceScope,
+          scope: binding.scope,
+          slot: binding.slot,
+          value: {
+            kind: "secret",
+            secretId: SecretId.make(binding.secretId),
+            secretScopeId: binding.secretScope
+          }
+        }),
+        reactivityKeys: bindingWriteKeys
+      });
+      if (Exit.isFailure(bindingExit)) {
+        setAddError(errorMessageFromExit(bindingExit, "Failed to add source"));
+        setAdding(false);
+        return;
+      }
+    }
+    if (configuredOAuth2 && oauth2ClientIdSecretId) {
+      const bindingExit = await doSetBinding({
+        params: { scopeId },
+        payload: OpenApiSourceBindingInput.make({
+          sourceId,
+          sourceScope,
+          scope: bindingScope,
+          slot: configuredOAuth2.clientIdSlot,
+          value: {
+            kind: "secret",
+            secretId: SecretId.make(oauth2ClientIdSecretId),
+            secretScopeId: clientIdSecretScope
+          }
+        }),
+        reactivityKeys: bindingWriteKeys
+      });
+      if (Exit.isFailure(bindingExit)) {
+        setAddError(errorMessageFromExit(bindingExit, "Failed to add source"));
+        setAdding(false);
+        return;
+      }
+    }
+    if (configuredOAuth2?.clientSecretSlot && oauth2ClientSecretSecretId) {
+      const bindingExit = await doSetBinding({
+        params: { scopeId },
+        payload: OpenApiSourceBindingInput.make({
+          sourceId,
+          sourceScope,
+          scope: bindingScope,
+          slot: configuredOAuth2.clientSecretSlot,
+          value: {
+            kind: "secret",
+            secretId: SecretId.make(oauth2ClientSecretSecretId),
+            secretScopeId: clientSecretSecretScope
+          }
+        }),
+        reactivityKeys: bindingWriteKeys
+      });
+      if (Exit.isFailure(bindingExit)) {
+        setAddError(errorMessageFromExit(bindingExit, "Failed to add source"));
+        setAdding(false);
+        return;
+      }
+    }
+    if (configuredOAuth2 && oauth2Auth) {
+      const bindingExit = await doSetBinding({
+        params: { scopeId },
+        payload: OpenApiSourceBindingInput.make({
+          sourceId,
+          sourceScope,
+          scope: oauthTokenBindingScope,
+          slot: configuredOAuth2.connectionSlot,
+          value: {
+            kind: "connection",
+            connectionId: ConnectionId.make(oauth2Auth.connectionId)
+          }
+        }),
+        reactivityKeys: bindingWriteKeys
+      });
+      if (Exit.isFailure(bindingExit)) {
+        setAddError(errorMessageFromExit(bindingExit, "Failed to add source"));
+        setAdding(false);
+        return;
+      }
+    }
+    props.onComplete();
+  };
+  return /* @__PURE__ */ jsxs2("div", { className: "flex flex-1 flex-col gap-6", children: [
+    /* @__PURE__ */ jsx2("div", { children: /* @__PURE__ */ jsx2("h1", { className: "text-xl font-semibold text-foreground", children: "Add OpenAPI Source" }) }),
+    !preview && /* @__PURE__ */ jsxs2(Fragment, { children: [
+      /* @__PURE__ */ jsx2(CardStack2, { children: /* @__PURE__ */ jsx2(CardStackContent2, { className: "border-t-0", children: /* @__PURE__ */ jsx2(
+        CardStackEntryField2,
+        {
+          label: "OpenAPI Spec",
+          hint: "Paste a URL or raw JSON/YAML content.",
+          children: /* @__PURE__ */ jsxs2("div", { className: "relative", children: [
+            /* @__PURE__ */ jsx2(
+              Textarea,
+              {
+                value: specUrl,
+                onChange: (e) => {
+                  setSpecUrl(e.target.value);
+                },
+                placeholder: "https://api.example.com/openapi.json",
+                rows: 3,
+                maxRows: 10,
+                className: "font-mono text-sm"
+              }
+            ),
+            analyzing && /* @__PURE__ */ jsx2("div", { className: "pointer-events-none absolute right-2 top-2", children: /* @__PURE__ */ jsx2(IOSSpinner, { className: "size-4" }) })
+          ] })
+        }
+      ) }) }),
+      /* @__PURE__ */ jsxs2(
+        Collapsible,
+        {
+          open: specFetchCredentialsOpen,
+          onOpenChange: setSpecFetchCredentialsOpen,
+          className: "space-y-3",
+          children: [
+            /* @__PURE__ */ jsx2(CollapsibleTrigger, { asChild: true, children: /* @__PURE__ */ jsx2(Button, { variant: "outline", size: "sm", className: "self-start", children: specFetchCredentialsOpen ? "Hide spec credentials" : "Add spec credentials" }) }),
+            /* @__PURE__ */ jsx2(CollapsibleContent, { children: /* @__PURE__ */ jsx2(
+              HttpCredentialsEditor,
+              {
+                credentials: specFetchCredentials,
+                onChange: setSpecFetchCredentials,
+                existingSecrets: secretList,
+                sourceName: identity.name,
+                targetScope: credentialTargetScope,
+                labels: {
+                  headers: "Spec fetch headers",
+                  queryParams: "Spec fetch query parameters"
+                }
+              }
+            ) })
+          ]
+        }
+      )
+    ] }),
+    preview ? /* @__PURE__ */ jsx2(
+      OpenApiSourceDetailsFields,
+      {
+        title: Option.getOrElse(preview.title, () => "API"),
+        description: `${Option.getOrElse(preview.version, () => "")}${Option.isSome(preview.version) ? " \xB7 " : ""}${preview.operationCount} operation${preview.operationCount !== 1 ? "s" : ""}${preview.tags.length > 0 ? ` \xB7 ${preview.tags.length} tag${preview.tags.length !== 1 ? "s" : ""}` : ""}`,
+        identity,
+        baseUrl: resolvedBaseUrl,
+        onBaseUrlChange: setBaseUrl,
+        baseUrlOptions,
+        specUrl,
+        onSpecUrlChange: (value2) => {
+          setSpecUrl(value2);
+          setPreview(null);
+          setBaseUrl("");
+          setCustomHeaders([]);
+          setStrategy({ kind: "none" });
+          setOauth2AuthState(null);
+          setOauth2Error(null);
+        },
+        faviconUrl: resolvedBaseUrl,
+        baseUrlMissingMessage: "A base URL is required to make requests."
+      }
+    ) : null,
+    analyzeError && /* @__PURE__ */ jsx2("div", { className: "rounded-lg border border-destructive/30 bg-destructive/5 px-3 py-2", children: /* @__PURE__ */ jsx2("p", { className: "text-[12px] text-destructive", children: analyzeError }) }),
+    preview && /* @__PURE__ */ jsxs2(Fragment, { children: [
+      /* @__PURE__ */ jsxs2("section", { className: "space-y-2.5", children: [
+        /* @__PURE__ */ jsx2(FieldLabel, { children: "Authentication method" }),
+        /* @__PURE__ */ jsxs2(
+          RadioGroup,
+          {
+            value: serializeStrategy(strategy),
+            onValueChange: (value2) => selectStrategy(parseStrategy(value2)),
+            className: "gap-1.5",
+            children: [
+              preview.headerPresets.map((preset, i) => {
+                const selected = strategy.kind === "header" && strategy.presetIndex === i;
+                return /* @__PURE__ */ jsxs2(
+                  Label,
+                  {
+                    className: `flex items-start gap-2.5 rounded-lg border px-3 py-2 cursor-pointer transition-colors ${selected ? "border-primary/50 bg-primary/[0.03]" : "border-border hover:bg-accent/50"}`,
+                    children: [
+                      /* @__PURE__ */ jsx2(RadioGroupItem, { value: `header:${i}`, className: "mt-0.5" }),
+                      /* @__PURE__ */ jsxs2("div", { className: "min-w-0 flex-1", children: [
+                        /* @__PURE__ */ jsx2("div", { className: "text-xs font-medium text-foreground", children: preset.label }),
+                        preset.secretHeaders.length > 0 && /* @__PURE__ */ jsx2("div", { className: "mt-0.5 font-mono text-[10px] text-muted-foreground", children: preset.secretHeaders.join(" \xB7 ") })
+                      ] })
+                    ]
+                  },
+                  `header-${i}`
+                );
+              }),
+              oauth2Presets.map((preset, i) => {
+                const selected = strategy.kind === "oauth2" && strategy.presetIndex === i;
+                const scopeCount = Object.keys(preset.scopes).length;
+                return /* @__PURE__ */ jsxs2(
+                  Label,
+                  {
+                    className: `flex items-start gap-2.5 rounded-lg border px-3 py-2 cursor-pointer transition-colors ${selected ? "border-primary/50 bg-primary/[0.03]" : "border-border hover:bg-accent/50"}`,
+                    children: [
+                      /* @__PURE__ */ jsx2(RadioGroupItem, { value: `oauth2:${i}`, className: "mt-0.5" }),
+                      /* @__PURE__ */ jsxs2("div", { className: "min-w-0 flex-1", children: [
+                        /* @__PURE__ */ jsx2("div", { className: "text-xs font-medium text-foreground", children: preset.label }),
+                        /* @__PURE__ */ jsxs2("div", { className: "mt-0.5 text-[10px] text-muted-foreground", children: [
+                          scopeCount,
+                          " scope",
+                          scopeCount === 1 ? "" : "s"
+                        ] })
+                      ] })
+                    ]
+                  },
+                  `oauth2-${i}`
+                );
+              }),
+              /* @__PURE__ */ jsxs2(
+                Label,
+                {
+                  className: `flex items-center gap-2.5 rounded-lg border px-3 py-2 cursor-pointer transition-colors ${strategy.kind === "custom" ? "border-primary/50 bg-primary/[0.03]" : "border-border hover:bg-accent/50"}`,
+                  children: [
+                    /* @__PURE__ */ jsx2(RadioGroupItem, { value: "custom" }),
+                    /* @__PURE__ */ jsx2("span", { className: "text-xs font-medium text-foreground", children: "Custom" })
+                  ]
+                }
+              ),
+              /* @__PURE__ */ jsxs2(
+                Label,
+                {
+                  className: `flex items-center gap-2.5 rounded-lg border px-3 py-2 cursor-pointer transition-colors ${strategy.kind === "none" ? "border-primary/50 bg-primary/[0.03]" : "border-border hover:bg-accent/50"}`,
+                  children: [
+                    /* @__PURE__ */ jsx2(RadioGroupItem, { value: "none" }),
+                    /* @__PURE__ */ jsx2("span", { className: "text-xs font-medium text-foreground", children: "None" })
+                  ]
+                }
+              )
+            ]
+          }
+        ),
+        strategy.kind !== "none" && strategy.kind !== "oauth2" && /* @__PURE__ */ jsx2("div", { className: "space-y-3", children: /* @__PURE__ */ jsx2(
+          HeadersList,
+          {
+            headers: customHeaders,
+            onHeadersChange: handleHeadersChange,
+            existingSecrets: secretList,
+            sourceName: identity.name,
+            targetScope: credentialTargetScope,
+            credentialScopeOptions: initialCredentialScopeOptions,
+            bindingScopeOptions,
+            restrictSecretsToTargetScope: true,
+            emptyLabel: "No credentials yet. Add the header value this method should use."
+          }
+        ) }),
+        /* @__PURE__ */ jsx2(
+          HttpCredentialsEditor,
+          {
+            credentials: runtimeCredentials,
+            onChange: setRuntimeCredentials,
+            existingSecrets: secretList,
+            sourceName: identity.name,
+            targetScope: credentialTargetScope,
+            credentialScopeOptions: initialCredentialScopeOptions,
+            bindingScopeOptions,
+            restrictSecretsToTargetScope: true,
+            sections: { headers: false, queryParams: true },
+            labels: { queryParams: "Runtime query parameters" }
+          }
+        ),
+        selectedOAuth2Preset && /* @__PURE__ */ jsx2("div", { className: "space-y-3 rounded-lg border border-border/60 bg-muted/10 p-3", children: /* @__PURE__ */ jsxs2("div", { className: "space-y-3", children: [
+          /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+            /* @__PURE__ */ jsxs2(FieldLabel, { className: "text-[11px]", children: [
+              "Redirect URL",
+              " ",
+              /* @__PURE__ */ jsx2("span", { className: "text-muted-foreground", children: "\xB7 add this to your OAuth app's allowed redirects" })
+            ] }),
+            /* @__PURE__ */ jsxs2("div", { className: "flex items-center gap-1 rounded-md border border-border bg-background/50 px-2.5 py-1.5 font-mono text-[11px]", children: [
+              /* @__PURE__ */ jsx2("span", { className: "truncate flex-1 text-foreground", children: oauth2RedirectUrl }),
+              /* @__PURE__ */ jsx2(CopyButton, { value: oauth2RedirectUrl })
+            ] })
+          ] }),
+          /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+            /* @__PURE__ */ jsx2(FieldLabel, { className: "text-[11px]", children: "Client ID secret" }),
+            /* @__PURE__ */ jsxs2("div", { className: "grid gap-2 md:grid-cols-2", children: [
+              /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+                /* @__PURE__ */ jsxs2("div", { className: "flex items-center gap-1.5", children: [
+                  /* @__PURE__ */ jsx2(FieldLabel, { className: "text-[11px]", children: "Secret" }),
+                  /* @__PURE__ */ jsx2(HelpTooltip, { label: "Client ID secret", children: "Select or create the OAuth client ID secret." })
+                ] }),
+                /* @__PURE__ */ jsx2(
+                  CreatableSecretPicker,
+                  {
+                    value: oauth2ClientIdSecretId,
+                    onSelect: (id, secretScopeId) => {
+                      setOauth2ClientIdSecretId(id);
+                      setOauth2ClientIdScope(secretScopeId ?? credentialTargetScope);
+                      setOauth2AuthState(null);
+                    },
+                    secrets: initialCredentialSecrets,
+                    sourceName: identity.name,
+                    secretLabel: "Client ID",
+                    targetScope: oauth2ClientIdScope ?? credentialTargetScope,
+                    credentialScopeOptions: initialCredentialScopeOptions,
+                    onCreatedScope: setOauth2ClientIdScope
+                  }
+                )
+              ] }),
+              /* @__PURE__ */ jsx2(
+                CredentialScopeDropdown,
+                {
+                  value: credentialTargetScope,
+                  options: bindingScopeOptions,
+                  onChange: setInitialCredentialScope
+                }
+              )
+            ] })
+          ] }),
+          /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+            /* @__PURE__ */ jsxs2(FieldLabel, { className: "text-[11px]", children: [
+              "Client secret",
+              " ",
+              /* @__PURE__ */ jsx2("span", { className: "text-muted-foreground", children: "\xB7 optional for public clients with PKCE" })
+            ] }),
+            /* @__PURE__ */ jsxs2("div", { className: "grid gap-2 md:grid-cols-2", children: [
+              /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+                /* @__PURE__ */ jsxs2("div", { className: "flex items-center gap-1.5", children: [
+                  /* @__PURE__ */ jsx2(FieldLabel, { className: "text-[11px]", children: "Secret" }),
+                  /* @__PURE__ */ jsx2(HelpTooltip, { label: "Client secret", children: "Select or create the OAuth client secret." })
+                ] }),
+                /* @__PURE__ */ jsx2(
+                  CreatableSecretPicker,
+                  {
+                    value: oauth2ClientSecretSecretId,
+                    onSelect: (id, secretScopeId) => {
+                      setOauth2ClientSecretSecretId(id);
+                      setOauth2ClientSecretScope(secretScopeId ?? credentialTargetScope);
+                      setOauth2AuthState(null);
+                    },
+                    secrets: initialCredentialSecrets,
+                    sourceName: identity.name,
+                    secretLabel: "Client Secret",
+                    targetScope: oauth2ClientSecretScope ?? credentialTargetScope,
+                    credentialScopeOptions: initialCredentialScopeOptions,
+                    onCreatedScope: setOauth2ClientSecretScope
+                  }
+                )
+              ] }),
+              /* @__PURE__ */ jsx2(
+                CredentialScopeDropdown,
+                {
+                  value: credentialTargetScope,
+                  options: bindingScopeOptions,
+                  onChange: setInitialCredentialScope
+                }
+              )
+            ] })
+          ] }),
+          /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+            /* @__PURE__ */ jsx2(FieldLabel, { className: "text-[11px]", children: "Scopes" }),
+            /* @__PURE__ */ jsx2("div", { className: "space-y-1 rounded-md border border-border/50 bg-background/50 p-2", children: Object.keys(selectedOAuth2Preset.scopes).length === 0 ? /* @__PURE__ */ jsx2("div", { className: "text-[11px] italic text-muted-foreground", children: "No scopes declared by the spec." }) : Object.entries(selectedOAuth2Preset.scopes).map(([scope, description]) => /* @__PURE__ */ jsxs2(Label, { className: "flex items-start gap-2 cursor-pointer py-1", children: [
+              /* @__PURE__ */ jsx2(
+                Checkbox,
+                {
+                  checked: oauth2SelectedScopes.has(scope),
+                  onCheckedChange: () => toggleOAuth2Scope(scope)
+                }
+              ),
+              /* @__PURE__ */ jsxs2("div", { className: "min-w-0 flex-1", children: [
+                /* @__PURE__ */ jsx2("div", { className: "font-mono text-[11px] text-foreground", children: scope }),
+                description && /* @__PURE__ */ jsx2("div", { className: "text-[10px] text-muted-foreground", children: description })
+              ] })
+            ] }, scope)) })
+          ] }),
+          oauth2Auth ? /* @__PURE__ */ jsxs2("div", { className: "flex items-center justify-between rounded-md border border-green-500/30 bg-green-500/5 px-3 py-2", children: [
+            /* @__PURE__ */ jsxs2("div", { className: "text-[11px] text-green-700 dark:text-green-400", children: [
+              "Connected \xB7 ",
+              oauth2SelectedScopes.size,
+              " scope",
+              oauth2SelectedScopes.size === 1 ? "" : "s",
+              " granted"
+            ] }),
+            /* @__PURE__ */ jsx2(Button, { variant: "ghost", size: "sm", onClick: () => setOauth2AuthState(null), children: "Disconnect" })
+          ] }) : oauth2Busy ? /* @__PURE__ */ jsxs2("div", { className: "flex items-center gap-2", children: [
+            /* @__PURE__ */ jsxs2("div", { className: "flex flex-1 items-center gap-2 rounded-md border border-border/60 bg-background/50 px-3 py-2 text-[11px] text-muted-foreground", children: [
+              /* @__PURE__ */ jsx2(Spinner, { className: "size-3.5" }),
+              "Waiting for OAuth\u2026 complete the flow in the popup, or cancel to retry."
+            ] }),
+            /* @__PURE__ */ jsx2(Button, { variant: "ghost", size: "sm", onClick: handleCancelOAuth2, children: "Cancel" }),
+            /* @__PURE__ */ jsx2(Button, { variant: "secondary", size: "sm", onClick: handleConnectOAuth2, children: "Retry" })
+          ] }) : /* @__PURE__ */ jsx2("div", { className: "flex flex-col gap-1.5", children: /* @__PURE__ */ jsxs2("div", { className: "grid gap-2 md:grid-cols-2", children: [
+            /* @__PURE__ */ jsxs2("div", { className: "space-y-1.5", children: [
+              /* @__PURE__ */ jsxs2("div", { className: "flex items-center gap-1.5", children: [
+                /* @__PURE__ */ jsx2(FieldLabel, { className: "text-[11px]", children: "OAuth sign-in" }),
+                /* @__PURE__ */ jsx2(HelpTooltip, { label: "OAuth sign-in", children: "Start the provider OAuth flow." })
+              ] }),
+              /* @__PURE__ */ jsx2(
+                Button,
+                {
+                  variant: "secondary",
+                  onClick: handleConnectOAuth2,
+                  disabled: !canConnectOAuth2,
+                  className: canConnectOAuth2 ? "w-full border border-green-500/30 bg-green-600 text-white hover:bg-green-700 focus-visible:ring-green-500/30 dark:bg-green-500 dark:text-white dark:hover:bg-green-600" : "w-full",
+                  children: "Connect via OAuth"
+                }
+              )
+            ] }),
+            /* @__PURE__ */ jsx2(
+              CredentialScopeDropdown,
+              {
+                value: oauthTokenTargetScope,
+                options: credentialScopeOptions,
+                onChange: (targetScope) => {
+                  setOAuthTokenTargetScope(targetScope);
+                  setOauth2AuthState(null);
+                },
+                label: "Token saved to",
+                help: "Choose who can use the signed-in OAuth token."
+              }
+            )
+          ] }) }),
+          oauth2Error && /* @__PURE__ */ jsx2("div", { className: "rounded-md border border-destructive/30 bg-destructive/5 px-3 py-2", children: /* @__PURE__ */ jsx2("p", { className: "text-[11px] text-destructive", children: oauth2Error }) })
+        ] }) })
+      ] }),
+      addError && /* @__PURE__ */ jsx2("div", { className: "rounded-lg border border-destructive/30 bg-destructive/5 px-3 py-2", children: /* @__PURE__ */ jsx2("p", { className: "text-[12px] text-destructive", children: addError }) })
+    ] }),
+    /* @__PURE__ */ jsxs2(FloatActions, { children: [
+      /* @__PURE__ */ jsx2(Button, { variant: "ghost", onClick: props.onCancel, disabled: adding, children: "Cancel" }),
+      preview && /* @__PURE__ */ jsxs2(Button, { onClick: handleAdd, disabled: !canAdd || adding, children: [
+        adding && /* @__PURE__ */ jsx2(Spinner, { className: "size-3.5" }),
+        adding ? "Adding\u2026" : willAddWithoutInitialCredentials ? "Add without credentials" : "Add source"
+      ] })
+    ] })
+  ] });
+}
+
+export {
+  OpenApiSourceDetailsFields,
+  OPENAPI_OAUTH_POPUP_NAME,
+  OPENAPI_OAUTH_CALLBACK_PATH,
+  openApiOAuthConnectionId,
+  resolveOAuthUrl,
+  inferOAuthIssuerUrl,
+  AddOpenApiSource
+};
+//# sourceMappingURL=chunk-TGDT6QCH.js.map