@executor-js/plugin-openapi 1.4.28 → 1.4.30

package/dist/{chunk-OZ67JNID.js → chunk-NIKLYJ3X.js}

@@ -1,23 +1,20 @@
+import {
+  openApiPresets
+} from "./chunk-BB5IAKRG.js";
 import {
   ConfiguredHeaderBinding,
-  ConfiguredHeaderValue,
   HeaderValue,
   InvocationResult,
   OAuth2SourceConfig,
-  OpenApiCredentialInput,
   OpenApiExtractionError,
   OpenApiInvocationError,
   OpenApiOAuthError,
-  OpenApiSourceBindingRef,
   OperationBinding,
   extract,
-  makeDefaultOpenapiStore,
-  openapiSchema,
   parse,
   previewSpec,
-  resolveBaseUrl,
   resolveSpecText
-} from "./chunk-E7PZ2QGD.js";
+} from "./chunk-EOXXE5DG.js";
 
 // src/sdk/invoke.ts
 import { Effect, Layer, Option } from "effect";
@@ -417,13 +414,236 @@ var annotationsForOperation = (method, pathTemplate) => {
   };
 };
 
-// src/sdk/plugin.ts
+// src/sdk/store.ts
 import { Effect as Effect2, Option as Option2, Predicate, Schema } from "effect";
+var openapiSchema = {};
+var SOURCE_COLLECTION = "source";
+var OPERATION_COLLECTION = "operation";
+var encodeBinding = Schema.encodeSync(OperationBinding);
+var decodeBinding = Schema.decodeUnknownSync(OperationBinding);
+var decodeBindingJson = Schema.decodeUnknownSync(Schema.fromJsonString(OperationBinding));
+var decodeOAuth2SourceConfigOption = Schema.decodeUnknownOption(OAuth2SourceConfig);
+var decodeOAuth2SourceConfigJsonOption = Schema.decodeUnknownOption(
+  Schema.fromJsonString(OAuth2SourceConfig)
+);
+var encodeOAuth2SourceConfig = Schema.encodeSync(OAuth2SourceConfig);
+var NullableString = Schema.NullOr(Schema.String);
+var OptionalNullableString = Schema.optional(NullableString);
+var ConfiguredHeaderBindingStorage = Schema.Struct({
+  kind: Schema.Literal("binding"),
+  slot: Schema.String,
+  prefix: OptionalNullableString
+});
+var ConfiguredHeaderValueStorage = Schema.Union([Schema.String, ConfiguredHeaderBindingStorage]);
+var ConfiguredHeaderMapStorage = Schema.Record(Schema.String, ConfiguredHeaderValueStorage);
+var SpecFetchCredentialsStorage = Schema.Struct({
+  headers: Schema.optional(ConfiguredHeaderMapStorage),
+  queryParams: Schema.optional(ConfiguredHeaderMapStorage)
+});
+var SourceConfigStorage = Schema.Struct({
+  spec: Schema.String,
+  sourceUrl: Schema.optional(Schema.String),
+  baseUrl: Schema.optional(Schema.String),
+  namespace: Schema.optional(Schema.String),
+  headers: Schema.optional(ConfiguredHeaderMapStorage),
+  queryParams: Schema.optional(ConfiguredHeaderMapStorage),
+  specFetchCredentials: Schema.optional(SpecFetchCredentialsStorage),
+  oauth2: Schema.optional(Schema.Unknown)
+});
+var SourceStorage = Schema.Struct({
+  namespace: Schema.String,
+  scope: Schema.String,
+  name: Schema.String,
+  config: SourceConfigStorage
+});
+var OperationStorage = Schema.Struct({
+  toolId: Schema.String,
+  sourceId: Schema.String,
+  binding: Schema.Unknown
+});
+var decodeSourceStorage = Schema.decodeUnknownOption(SourceStorage);
+var decodeOperationStorage = Schema.decodeUnknownOption(OperationStorage);
+var toJsonRecord = (value) => value;
+var normalizeStoredOAuth2 = (value) => {
+  if (value == null) return void 0;
+  const sourceConfig = typeof value === "string" ? decodeOAuth2SourceConfigJsonOption(value) : decodeOAuth2SourceConfigOption(value);
+  if (Option2.isSome(sourceConfig)) return sourceConfig.value;
+  return void 0;
+};
+var normalizeConfiguredMap = (values) => {
+  if (!values) return void 0;
+  const normalized = {};
+  for (const [name, value] of Object.entries(values)) {
+    if (typeof value === "string") {
+      normalized[name] = value;
+    } else {
+      normalized[name] = value.prefix != null ? ConfiguredHeaderBinding.make({
+        kind: "binding",
+        slot: value.slot,
+        prefix: value.prefix
+      }) : ConfiguredHeaderBinding.make({
+        kind: "binding",
+        slot: value.slot
+      });
+    }
+  }
+  return normalized;
+};
+var encodeSourceConfig = (config) => ({
+  spec: config.spec,
+  ...config.sourceUrl ? { sourceUrl: config.sourceUrl } : {},
+  ...config.baseUrl ? { baseUrl: config.baseUrl } : {},
+  ...config.namespace ? { namespace: config.namespace } : {},
+  ...config.headers ? { headers: config.headers } : {},
+  ...config.queryParams ? { queryParams: config.queryParams } : {},
+  ...config.specFetchCredentials ? { specFetchCredentials: config.specFetchCredentials } : {},
+  ...config.oauth2 ? { oauth2: toJsonRecord(encodeOAuth2SourceConfig(config.oauth2)) } : {}
+});
+var rowToSource = (row) => {
+  const decoded = decodeSourceStorage(row.data);
+  if (Option2.isNone(decoded)) return null;
+  const stored = decoded.value;
+  const oauth2 = normalizeStoredOAuth2(stored.config.oauth2);
+  return {
+    namespace: stored.namespace,
+    scope: stored.scope,
+    name: stored.name,
+    config: {
+      spec: stored.config.spec,
+      sourceUrl: stored.config.sourceUrl,
+      baseUrl: stored.config.baseUrl,
+      namespace: stored.config.namespace,
+      headers: normalizeConfiguredMap(stored.config.headers),
+      queryParams: normalizeConfiguredMap(stored.config.queryParams),
+      specFetchCredentials: stored.config.specFetchCredentials ? {
+        headers: normalizeConfiguredMap(stored.config.specFetchCredentials.headers),
+        queryParams: normalizeConfiguredMap(stored.config.specFetchCredentials.queryParams)
+      } : void 0,
+      oauth2
+    }
+  };
+};
+var rowToOperation = (row) => {
+  const decoded = decodeOperationStorage(row.data);
+  if (Option2.isNone(decoded)) return null;
+  const operation = decoded.value;
+  return {
+    toolId: operation.toolId,
+    sourceId: operation.sourceId,
+    binding: decodeBinding(
+      typeof operation.binding === "string" ? decodeBindingJson(operation.binding) : operation.binding
+    )
+  };
+};
+var makeDefaultOpenapiStore = ({
+  pluginStorage
+}) => {
+  const sourceData = (source) => ({
+    namespace: source.namespace,
+    scope: source.scope,
+    name: source.name,
+    config: encodeSourceConfig(source.config)
+  });
+  const operationData = (operation) => ({
+    toolId: operation.toolId,
+    sourceId: operation.sourceId,
+    binding: toJsonRecord(encodeBinding(operation.binding))
+  });
+  const listOperationRowsForSourceScope = (sourceId, scope) => pluginStorage.list({
+    collection: OPERATION_COLLECTION,
+    keyPrefix: `${sourceId}.`
+  }).pipe(
+    Effect2.map(
+      (rows) => rows.filter(
+        (row) => String(row.scopeId) === scope && rowToOperation(row)?.sourceId === sourceId
+      )
+    )
+  );
+  const removeOperationsForSourceScope = (sourceId, scope) => Effect2.gen(function* () {
+    const rows = yield* listOperationRowsForSourceScope(sourceId, scope);
+    for (const row of rows) {
+      yield* pluginStorage.remove({
+        scope,
+        collection: OPERATION_COLLECTION,
+        key: row.key
+      });
+    }
+  });
+  const deleteSource = (namespace, scope) => Effect2.gen(function* () {
+    yield* removeOperationsForSourceScope(namespace, scope);
+    yield* pluginStorage.remove({
+      scope,
+      collection: SOURCE_COLLECTION,
+      key: namespace
+    });
+  });
+  return {
+    upsertSource: (input, operations) => Effect2.gen(function* () {
+      yield* deleteSource(input.namespace, input.scope);
+      yield* pluginStorage.put({
+        scope: input.scope,
+        collection: SOURCE_COLLECTION,
+        key: input.namespace,
+        data: sourceData(input)
+      });
+      for (const operation of operations) {
+        yield* pluginStorage.put({
+          scope: input.scope,
+          collection: OPERATION_COLLECTION,
+          key: operation.toolId,
+          data: operationData(operation)
+        });
+      }
+    }),
+    updateSourceMeta: (namespace, scope, patch) => Effect2.gen(function* () {
+      const existing = yield* pluginStorage.getAtScope({
+        scope,
+        collection: SOURCE_COLLECTION,
+        key: namespace
+      });
+      if (!existing) return;
+      const source = rowToSource(existing);
+      if (!source) return;
+      const next = {
+        ...source,
+        name: patch.name?.trim() || source.name,
+        config: {
+          ...source.config,
+          ...patch.baseUrl !== void 0 ? { baseUrl: patch.baseUrl } : {},
+          ...patch.headers !== void 0 ? { headers: patch.headers } : {},
+          ...patch.queryParams !== void 0 ? { queryParams: patch.queryParams } : {},
+          ...patch.specFetchCredentials !== void 0 ? { specFetchCredentials: patch.specFetchCredentials } : {},
+          ...patch.oauth2 !== void 0 ? { oauth2: patch.oauth2 } : {}
+        }
+      };
+      yield* pluginStorage.put({
+        scope,
+        collection: SOURCE_COLLECTION,
+        key: namespace,
+        data: sourceData(next)
+      });
+    }),
+    getSource: (namespace, scope) => pluginStorage.getAtScope({ scope, collection: SOURCE_COLLECTION, key: namespace }).pipe(Effect2.map((row) => row ? rowToSource(row) : null)),
+    listSources: () => pluginStorage.list({ collection: SOURCE_COLLECTION }).pipe(Effect2.map((rows) => rows.map(rowToSource).filter(Predicate.isNotNull))),
+    getOperationByToolId: (toolId, scope) => pluginStorage.getAtScope({ scope, collection: OPERATION_COLLECTION, key: toolId }).pipe(Effect2.map((row) => row ? rowToOperation(row) : null)),
+    listOperationsBySource: (sourceId, scope) => listOperationRowsForSourceScope(sourceId, scope).pipe(
+      Effect2.map((rows) => rows.map(rowToOperation).filter(Predicate.isNotNull))
+    ),
+    removeSource: (namespace, scope) => deleteSource(namespace, scope)
+  };
+};
+
+// src/sdk/plugin.ts
+import { Effect as Effect3, Option as Option3, Predicate as Predicate2, Schema as Schema2 } from "effect";
 import {
+  ConnectionId,
+  CredentialBindingRef,
   ScopeId,
   SecretId,
   SourceDetectionResult,
   StorageError,
+  ToolResult,
+  defaultSourceInstallScopeId,
   definePlugin,
   tool,
   resolveSecretBackedMap
@@ -556,46 +776,313 @@ var compileToolDefinitions = (operations) => {
 };
 
 // src/sdk/plugin.ts
-var PreviewSpecInputSchema = Schema.Struct({
-  spec: Schema.String,
-  specFetchCredentials: Schema.optional(
-    Schema.Struct({
-      headers: Schema.optional(Schema.Record(Schema.String, HeaderValue)),
-      queryParams: Schema.optional(Schema.Record(Schema.String, HeaderValue))
+var STRINGIFIED_BODY_CAP = 1024;
+var UpstreamMessageBody = Schema2.Struct({ message: Schema2.String });
+var UpstreamErrorMessageBody = Schema2.Struct({ errorMessage: Schema2.String });
+var UpstreamNestedErrorBody = Schema2.Struct({ error: UpstreamMessageBody });
+var UpstreamErrorsArrayBody = Schema2.Struct({
+  errors: Schema2.Array(
+    Schema2.Struct({
+      detail: Schema2.optional(Schema2.String),
+      message: Schema2.optional(Schema2.String),
+      title: Schema2.optional(Schema2.String)
+    })
+  )
+});
+var UpstreamDescriptionBody = Schema2.Struct({
+  detail: Schema2.optional(Schema2.String),
+  title: Schema2.optional(Schema2.String),
+  description: Schema2.optional(Schema2.String)
+});
+var decodeUpstreamMessageBody = Schema2.decodeUnknownOption(UpstreamMessageBody);
+var decodeUpstreamErrorMessageBody = Schema2.decodeUnknownOption(UpstreamErrorMessageBody);
+var decodeUpstreamNestedErrorBody = Schema2.decodeUnknownOption(UpstreamNestedErrorBody);
+var decodeUpstreamErrorsArrayBody = Schema2.decodeUnknownOption(UpstreamErrorsArrayBody);
+var decodeUpstreamDescriptionBody = Schema2.decodeUnknownOption(UpstreamDescriptionBody);
+var clampedStringify = (value) => {
+  let s;
+  try {
+    s = JSON.stringify(value);
+  } catch {
+    s = String(value);
+  }
+  return s.length > STRINGIFIED_BODY_CAP ? `${s.slice(0, STRINGIFIED_BODY_CAP)}\u2026` : s;
+};
+var firstNonEmpty = (...values) => values.find((value) => value !== void 0 && value.length > 0);
+var extractUpstreamMessage = (body, status) => {
+  if (typeof body === "string") {
+    return body.length > 0 ? body : `Upstream returned HTTP ${status}`;
+  }
+  const nested = Option3.getOrUndefined(decodeUpstreamNestedErrorBody(body));
+  const messageBody = Option3.getOrUndefined(decodeUpstreamMessageBody(body));
+  const errorMessageBody = Option3.getOrUndefined(decodeUpstreamErrorMessageBody(body));
+  const errorsBody = Option3.getOrUndefined(decodeUpstreamErrorsArrayBody(body));
+  const descriptionBody = Option3.getOrUndefined(decodeUpstreamDescriptionBody(body));
+  const arrayMessage = errorsBody?.errors.map(
+    ({ detail, message: upstreamMessage, title }) => firstNonEmpty(detail, upstreamMessage, title)
+  ).find((message2) => message2 !== void 0);
+  const message = firstNonEmpty(
+    nested?.error.message,
+    messageBody?.message,
+    errorMessageBody?.errorMessage,
+    arrayMessage,
+    descriptionBody?.detail,
+    descriptionBody?.title,
+    descriptionBody?.description
+  );
+  if (message !== void 0) return message;
+  if (body !== null && typeof body === "object") {
+    return clampedStringify(body);
+  }
+  return `Upstream returned HTTP ${status}`;
+};
+var PreviewSpecInputSchema = Schema2.Struct({
+  spec: Schema2.String,
+  specFetchCredentials: Schema2.optional(
+    Schema2.Struct({
+      headers: Schema2.optional(Schema2.Record(Schema2.String, HeaderValue)),
+      queryParams: Schema2.optional(Schema2.Record(Schema2.String, HeaderValue))
     })
   )
 });
-var OpenApiHeaderInputSchema = Schema.Union([HeaderValue, ConfiguredHeaderValue]);
+var StaticPreviewServerVariableSchema = Schema2.Struct({
+  default: Schema2.String,
+  enum: Schema2.NullOr(Schema2.Array(Schema2.String)),
+  description: Schema2.NullOr(Schema2.String)
+});
+var StaticPreviewServerSchema = Schema2.Struct({
+  url: Schema2.String,
+  description: Schema2.NullOr(Schema2.String),
+  variables: Schema2.NullOr(Schema2.Record(Schema2.String, StaticPreviewServerVariableSchema))
+});
+var StaticPreviewOAuthAuthorizationCodeFlowSchema = Schema2.Struct({
+  authorizationUrl: Schema2.String,
+  tokenUrl: Schema2.String,
+  refreshUrl: Schema2.NullOr(Schema2.String),
+  scopes: Schema2.Record(Schema2.String, Schema2.String)
+});
+var StaticPreviewOAuthClientCredentialsFlowSchema = Schema2.Struct({
+  tokenUrl: Schema2.String,
+  refreshUrl: Schema2.NullOr(Schema2.String),
+  scopes: Schema2.Record(Schema2.String, Schema2.String)
+});
+var StaticPreviewOAuthFlowsSchema = Schema2.Struct({
+  authorizationCode: Schema2.NullOr(StaticPreviewOAuthAuthorizationCodeFlowSchema),
+  clientCredentials: Schema2.NullOr(StaticPreviewOAuthClientCredentialsFlowSchema)
+});
+var StaticPreviewSecuritySchemeSchema = Schema2.Struct({
+  name: Schema2.String,
+  type: Schema2.Literals(["http", "apiKey", "oauth2", "openIdConnect"]),
+  scheme: Schema2.NullOr(Schema2.String),
+  bearerFormat: Schema2.NullOr(Schema2.String),
+  in: Schema2.NullOr(Schema2.Literals(["header", "query", "cookie"])),
+  headerName: Schema2.NullOr(Schema2.String),
+  description: Schema2.NullOr(Schema2.String),
+  flows: Schema2.NullOr(StaticPreviewOAuthFlowsSchema),
+  openIdConnectUrl: Schema2.NullOr(Schema2.String)
+});
+var StaticPreviewOAuth2PresetSchema = Schema2.Struct({
+  label: Schema2.String,
+  securitySchemeName: Schema2.String,
+  flow: Schema2.Literals(["authorizationCode", "clientCredentials"]),
+  authorizationUrl: Schema2.NullOr(Schema2.String),
+  tokenUrl: Schema2.String,
+  refreshUrl: Schema2.NullOr(Schema2.String),
+  scopes: Schema2.Record(Schema2.String, Schema2.String)
+});
+var StaticPreviewSpecOutputSchema = Schema2.Struct({
+  title: Schema2.NullOr(Schema2.String),
+  version: Schema2.NullOr(Schema2.String),
+  servers: Schema2.Array(StaticPreviewServerSchema),
+  operationCount: Schema2.Number,
+  tags: Schema2.Array(Schema2.String),
+  securitySchemes: Schema2.Array(StaticPreviewSecuritySchemeSchema),
+  authStrategies: Schema2.Array(Schema2.Struct({ schemes: Schema2.Array(Schema2.String) })),
+  headerPresets: Schema2.Array(
+    Schema2.Struct({
+      label: Schema2.String,
+      headers: Schema2.Record(Schema2.String, Schema2.NullOr(Schema2.String)),
+      secretHeaders: Schema2.Array(Schema2.String)
+    })
+  ),
+  oauth2Presets: Schema2.Array(StaticPreviewOAuth2PresetSchema)
+});
+var OpenApiSpecInputSchema = Schema2.Union([
+  Schema2.Struct({ kind: Schema2.Literal("url"), url: Schema2.String }),
+  Schema2.Struct({ kind: Schema2.Literal("blob"), value: Schema2.String })
+]);
+var OpenApiSecretShapeInputSchema = Schema2.Struct({
+  kind: Schema2.Literal("secret"),
+  prefix: Schema2.optional(Schema2.String)
+});
+var OpenApiConfiguredValueInputSchema = Schema2.Union([
+  Schema2.String,
+  OpenApiSecretShapeInputSchema
+]);
+var OpenApiConfigureCredentialInputSchema = Schema2.Union([
+  Schema2.String,
+  Schema2.Struct({
+    kind: Schema2.Literal("text"),
+    text: Schema2.String,
+    prefix: Schema2.optional(Schema2.String)
+  }),
+  Schema2.Struct({
+    kind: Schema2.Literal("secret"),
+    secretId: Schema2.String,
+    secretScope: Schema2.optional(Schema2.String),
+    prefix: Schema2.optional(Schema2.String)
+  }),
+  Schema2.Struct({
+    kind: Schema2.Literal("connection"),
+    connectionId: Schema2.String
+  })
+]);
+var OpenApiConfigureInputSchema = Schema2.Struct({
+  scope: Schema2.String,
+  name: Schema2.optional(Schema2.String),
+  baseUrl: Schema2.optional(Schema2.String),
+  headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)),
+  queryParams: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)),
+  specFetchCredentials: Schema2.optional(
+    Schema2.Struct({
+      headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)),
+      queryParams: Schema2.optional(
+        Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)
+      )
+    })
+  ),
+  oauth2: Schema2.optional(
+    Schema2.Struct({
+      clientId: Schema2.optional(OpenApiConfigureCredentialInputSchema),
+      clientSecret: Schema2.optional(OpenApiConfigureCredentialInputSchema),
+      connection: Schema2.optional(OpenApiConfigureCredentialInputSchema)
+    })
+  ),
+  oauth2Source: Schema2.optional(OAuth2SourceConfig)
+});
+var OpenApiConfigureSourceInputSchema = Schema2.Struct({
+  source: Schema2.Struct({
+    id: Schema2.String,
+    scope: Schema2.String
+  }),
+  ...OpenApiConfigureInputSchema.fields
+});
 var OpenApiOAuthInputSchema = OAuth2SourceConfig;
-var AddSourceInputSchema = Schema.Struct({
-  scope: Schema.String,
-  spec: Schema.String,
-  name: Schema.optional(Schema.String),
-  baseUrl: Schema.optional(Schema.String),
-  namespace: Schema.optional(Schema.String),
-  headers: Schema.optional(Schema.Record(Schema.String, OpenApiHeaderInputSchema)),
-  queryParams: Schema.optional(Schema.Record(Schema.String, OpenApiCredentialInput)),
-  oauth2: Schema.optional(OpenApiOAuthInputSchema),
-  credentialTargetScope: Schema.optional(Schema.String),
-  specFetchCredentials: Schema.optional(
-    Schema.Struct({
-      headers: Schema.optional(Schema.Record(Schema.String, HeaderValue)),
-      queryParams: Schema.optional(Schema.Record(Schema.String, HeaderValue))
+var AddSourceInputSchema = Schema2.Struct({
+  spec: OpenApiSpecInputSchema,
+  name: Schema2.String,
+  baseUrl: Schema2.String,
+  namespace: Schema2.String,
+  headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema)),
+  queryParams: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema)),
+  oauth2: Schema2.optional(OpenApiOAuthInputSchema),
+  specFetchCredentials: Schema2.optional(
+    Schema2.Struct({
+      headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema)),
+      queryParams: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema))
     })
   )
 });
-var AddSourceOutputSchema = Schema.Struct({
-  sourceId: Schema.String,
-  toolCount: Schema.Number
+var AddSourceOutputSchema = Schema2.Struct({
+  sourceId: Schema2.String,
+  source: Schema2.Struct({
+    id: Schema2.String,
+    scope: Schema2.String
+  }),
+  toolCount: Schema2.Number
+});
+var GetSourceInputSchema = Schema2.Struct({
+  namespace: Schema2.String,
+  scope: Schema2.String
 });
-var PreviewSpecInputStandardSchema = Schema.toStandardSchemaV1(
-  Schema.toStandardJSONSchemaV1(PreviewSpecInputSchema)
+var GetSourceOutputSchema = Schema2.Struct({
+  source: Schema2.NullOr(Schema2.Unknown)
+});
+var PreviewSpecInputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(PreviewSpecInputSchema)
+);
+var PreviewSpecOutputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(StaticPreviewSpecOutputSchema)
+);
+var AddSourceInputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(AddSourceInputSchema)
+);
+var AddSourceOutputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(AddSourceOutputSchema)
 );
-var AddSourceInputStandardSchema = Schema.toStandardSchemaV1(
-  Schema.toStandardJSONSchemaV1(AddSourceInputSchema)
+var OpenApiConfigureSourceInputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(OpenApiConfigureSourceInputSchema)
 );
-var AddSourceOutputStandardSchema = Schema.toStandardSchemaV1(
-  Schema.toStandardJSONSchemaV1(AddSourceOutputSchema)
+var OpenApiConfigureSourceOutputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(Schema2.Struct({ result: Schema2.Array(CredentialBindingRef) }))
+);
+var GetSourceInputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(GetSourceInputSchema)
+);
+var GetSourceOutputStandardSchema = Schema2.toStandardSchemaV1(
+  Schema2.toStandardJSONSchemaV1(GetSourceOutputSchema)
+);
+var openApiToolFailure = (code, message, details) => ToolResult.fail({
+  code,
+  message,
+  ...details === void 0 ? {} : { details }
+});
+var staticPreviewOutput = (preview) => ({
+  title: Option3.getOrNull(preview.title),
+  version: Option3.getOrNull(preview.version),
+  servers: preview.servers.map((server) => ({
+    url: server.url,
+    description: Option3.getOrNull(server.description),
+    variables: Option3.getOrNull(server.variables) ? Object.fromEntries(
+      Object.entries(Option3.getOrNull(server.variables) ?? {}).map(([name, variable]) => [
+        name,
+        {
+          default: variable.default,
+          enum: Option3.getOrNull(variable.enum),
+          description: Option3.getOrNull(variable.description)
+        }
+      ])
+    ) : null
+  })),
+  operationCount: preview.operationCount,
+  tags: preview.tags,
+  securitySchemes: preview.securitySchemes.map((scheme) => ({
+    name: scheme.name,
+    type: scheme.type,
+    scheme: Option3.getOrNull(scheme.scheme),
+    bearerFormat: Option3.getOrNull(scheme.bearerFormat),
+    in: Option3.getOrNull(scheme.in),
+    headerName: Option3.getOrNull(scheme.headerName),
+    description: Option3.getOrNull(scheme.description),
+    flows: Option3.isSome(scheme.flows) ? {
+      authorizationCode: Option3.isSome(scheme.flows.value.authorizationCode) ? {
+        authorizationUrl: scheme.flows.value.authorizationCode.value.authorizationUrl,
+        tokenUrl: scheme.flows.value.authorizationCode.value.tokenUrl,
+        refreshUrl: Option3.getOrNull(scheme.flows.value.authorizationCode.value.refreshUrl),
+        scopes: scheme.flows.value.authorizationCode.value.scopes
+      } : null,
+      clientCredentials: Option3.isSome(scheme.flows.value.clientCredentials) ? {
+        tokenUrl: scheme.flows.value.clientCredentials.value.tokenUrl,
+        refreshUrl: Option3.getOrNull(scheme.flows.value.clientCredentials.value.refreshUrl),
+        scopes: scheme.flows.value.clientCredentials.value.scopes
+      } : null
+    } : null,
+    openIdConnectUrl: Option3.getOrNull(scheme.openIdConnectUrl)
+  })),
+  authStrategies: preview.authStrategies,
+  headerPresets: preview.headerPresets,
+  oauth2Presets: preview.oauth2Presets.map((preset) => ({
+    label: preset.label,
+    securitySchemeName: preset.securitySchemeName,
+    flow: preset.flow,
+    authorizationUrl: Option3.getOrNull(preset.authorizationUrl),
+    tokenUrl: preset.tokenUrl,
+    refreshUrl: Option3.getOrNull(preset.refreshUrl),
+    scopes: preset.scopes
+  }))
+});
+var resolveStaticScopeInput = (ctx, value) => String(
+  ctx.scopes.find((scope) => scope.name === value || String(scope.id) === value)?.id ?? value
 );
 var normalizeOpenApiRefs = (node) => {
   if (node == null || typeof node !== "object") return node;
@@ -631,9 +1118,9 @@ var toBinding = (def) => OperationBinding.make({
 });
 var descriptionFor = (def) => {
   const op = def.operation;
-  return Option2.getOrElse(
+  return Option3.getOrElse(
     op.description,
-    () => Option2.getOrElse(op.summary, () => `${op.method.toUpperCase()} ${op.pathTemplate}`)
+    () => Option3.getOrElse(op.summary, () => `${op.method.toUpperCase()} ${op.pathTemplate}`)
   );
 };
 var slotPart = (value) => value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default";
@@ -643,13 +1130,12 @@ var specFetchHeaderSlotFromName = (name) => `spec_fetch_header:${slotPart(name)}
 var specFetchQueryParamSlotFromName = (name) => `spec_fetch_query_param:${slotPart(name)}`;
 var canonicalizeHeaders = (headers) => {
   const nextHeaders = {};
-  const bindings = [];
   for (const [name, value] of Object.entries(headers ?? {})) {
     if (typeof value === "string") {
       nextHeaders[name] = value;
       continue;
     }
-    if ("kind" in value) {
+    if (value.kind === "binding") {
       nextHeaders[name] = value;
       continue;
     }
@@ -659,27 +1145,17 @@ var canonicalizeHeaders = (headers) => {
       slot,
       prefix: value.prefix
     });
-    bindings.push({
-      slot,
-      targetScope: "targetScope" in value ? value.targetScope : void 0,
-      value: {
-        kind: "secret",
-        secretId: SecretId.make(value.secretId),
-        ..."secretScopeId" in value && value.secretScopeId ? { secretScopeId: value.secretScopeId } : {}
-      }
-    });
   }
-  return { headers: nextHeaders, bindings };
+  return { headers: nextHeaders };
 };
 var canonicalizeCredentialMap = (values, slotForName) => {
   const nextValues = {};
-  const bindings = [];
   for (const [name, value] of Object.entries(values ?? {})) {
     if (typeof value === "string") {
       nextValues[name] = value;
       continue;
     }
-    if ("kind" in value) {
+    if (value.kind === "binding") {
       nextValues[name] = value;
       continue;
     }
@@ -689,17 +1165,8 @@ var canonicalizeCredentialMap = (values, slotForName) => {
       slot,
       prefix: value.prefix
     });
-    bindings.push({
-      slot,
-      targetScope: "targetScope" in value ? value.targetScope : void 0,
-      value: {
-        kind: "secret",
-        secretId: SecretId.make(value.secretId),
-        ..."secretScopeId" in value && value.secretScopeId ? { secretScopeId: value.secretScopeId } : {}
-      }
-    });
   }
-  return { values: nextValues, bindings };
+  return { values: nextValues };
 };
 var canonicalizeSpecFetchCredentials = (credentials) => {
   const headers = canonicalizeCredentialMap(credentials?.headers, specFetchHeaderSlotFromName);
@@ -712,88 +1179,162 @@ var canonicalizeSpecFetchCredentials = (credentials) => {
     ...Object.keys(queryParams.values).length > 0 ? { queryParams: queryParams.values } : {}
   };
   return {
-    credentials: nextCredentials,
-    bindings: [...headers.bindings, ...queryParams.bindings]
+    credentials: nextCredentials
   };
 };
 var canonicalizeOAuth2 = (oauth2) => {
-  if (!oauth2) return { bindings: [] };
+  if (!oauth2) return {};
   return {
-    oauth2,
-    bindings: []
+    oauth2
   };
 };
-var OPENAPI_PLUGIN_ID = "openapi";
-var scopeRanks = (ctx) => new Map(ctx.scopes.map((scope, index) => [String(scope.id), index]));
-var scopeRank = (ranks, scopeId) => ranks.get(scopeId) ?? Infinity;
-var coreBindingToOpenApiBinding = (binding) => OpenApiSourceBindingRef.make({
-  sourceId: binding.sourceId,
-  sourceScopeId: binding.sourceScopeId,
-  scopeId: binding.scopeId,
-  slot: binding.slotKey,
-  value: binding.value,
-  createdAt: binding.createdAt,
-  updatedAt: binding.updatedAt
-});
-var listOpenApiSourceBindings = (ctx, sourceId, sourceScope) => Effect2.gen(function* () {
-  const ranks = scopeRanks(ctx);
-  const sourceSourceRank = scopeRank(ranks, sourceScope);
-  if (sourceSourceRank === Infinity) return [];
-  const bindings = yield* ctx.credentialBindings.listForSource({
-    pluginId: OPENAPI_PLUGIN_ID,
-    sourceId,
-    sourceScope: ScopeId.make(sourceScope)
-  });
-  return bindings.filter((binding) => scopeRank(ranks, binding.scopeId) <= sourceSourceRank).map(coreBindingToOpenApiBinding);
-});
-var resolveOpenApiSourceBinding = (ctx, sourceId, sourceScope, slot) => Effect2.gen(function* () {
-  const ranks = scopeRanks(ctx);
-  const sourceSourceRank = scopeRank(ranks, sourceScope);
-  if (sourceSourceRank === Infinity) return null;
-  const bindings = yield* ctx.credentialBindings.listForSource({
-    pluginId: OPENAPI_PLUGIN_ID,
-    sourceId,
-    sourceScope: ScopeId.make(sourceScope)
-  });
-  const binding = bindings.filter(
-    (candidate) => candidate.slotKey === slot && scopeRank(ranks, candidate.scopeId) <= sourceSourceRank
-  ).sort((a, b) => scopeRank(ranks, a.scopeId) - scopeRank(ranks, b.scopeId))[0];
-  return binding ? coreBindingToOpenApiBinding(binding) : null;
-});
-var validateOpenApiBindingTarget = (ctx, input) => Effect2.gen(function* () {
-  const ranks = scopeRanks(ctx);
-  const sourceSourceRank = scopeRank(ranks, input.sourceScope);
-  const targetRank = scopeRank(ranks, input.targetScope);
-  const scopeList = `[${ctx.scopes.map((s) => s.id).join(", ")}]`;
-  if (sourceSourceRank === Infinity) {
+var configuredValueFromConfigureInput = (slot, input) => {
+  if (typeof input === "string") {
+    return {
+      configured: ConfiguredHeaderBinding.make({ kind: "binding", slot }),
+      value: { kind: "text", text: input }
+    };
+  }
+  if (input.kind === "text") {
+    return {
+      configured: ConfiguredHeaderBinding.make({
+        kind: "binding",
+        slot,
+        prefix: input.prefix
+      }),
+      value: { kind: "text", text: input.text }
+    };
+  }
+  if (input.kind === "secret") {
+    return {
+      configured: ConfiguredHeaderBinding.make({
+        kind: "binding",
+        slot,
+        prefix: input.prefix
+      }),
+      value: {
+        kind: "secret",
+        secretId: SecretId.make(input.secretId),
+        ...input.secretScope ? { secretScopeId: ScopeId.make(input.secretScope) } : {}
+      }
+    };
+  }
+  return {
+    configured: ConfiguredHeaderBinding.make({ kind: "binding", slot }),
+    value: { kind: "connection", connectionId: ConnectionId.make(input.connectionId) }
+  };
+};
+var configureMap = (values, slotForName) => {
+  const configured = {};
+  const bindings = [];
+  for (const [name, input] of Object.entries(values ?? {})) {
+    const slotKey = slotForName(name);
+    const next = configuredValueFromConfigureInput(slotKey, input);
+    configured[name] = next.configured;
+    bindings.push({ slotKey, value: next.value });
+  }
+  return { configured, bindings };
+};
+var configureOpenApiSource = (ctx, source, input) => Effect3.gen(function* () {
+  const existing = yield* ctx.storage.getSource(source.id, source.scope);
+  if (!existing) {
     return yield* new StorageError({
-      message: `OpenAPI source binding references source scope "${input.sourceScope}" which is not in the executor's scope stack ${scopeList}.`,
+      message: `Cannot configure OpenAPI source "${source.id}" at scope "${source.scope}": source is not visible.`,
       cause: void 0
     });
   }
-  if (targetRank === Infinity) {
-    return yield* new StorageError({
-      message: `OpenAPI source binding targets scope "${input.targetScope}" which is not in the executor's scope stack ${scopeList}.`,
-      cause: void 0
+  const headers = configureMap(input.headers, headerSlotFromName);
+  const queryParams = configureMap(input.queryParams, queryParamSlotFromName);
+  const specFetchHeaders = configureMap(
+    input.specFetchCredentials?.headers,
+    specFetchHeaderSlotFromName
+  );
+  const specFetchQueryParams = configureMap(
+    input.specFetchCredentials?.queryParams,
+    specFetchQueryParamSlotFromName
+  );
+  const oauth2 = existing.config.oauth2;
+  const oauth2Bindings = [];
+  if (oauth2 && input.oauth2?.clientId) {
+    oauth2Bindings.push({
+      slotKey: oauth2.clientIdSlot,
+      value: configuredValueFromConfigureInput(oauth2.clientIdSlot, input.oauth2.clientId).value
     });
   }
-  if (targetRank > sourceSourceRank) {
-    return yield* new StorageError({
-      message: `OpenAPI source bindings for "${input.sourceId}" cannot be written at outer scope "${input.targetScope}" because the base source lives at "${input.sourceScope}"`,
-      cause: void 0
+  if (oauth2?.clientSecretSlot && input.oauth2?.clientSecret) {
+    oauth2Bindings.push({
+      slotKey: oauth2.clientSecretSlot,
+      value: configuredValueFromConfigureInput(oauth2.clientSecretSlot, input.oauth2.clientSecret).value
     });
   }
-});
-var targetScopeForBinding = (fallbackTargetScope, binding) => {
-  const targetScope = binding.targetScope ?? fallbackTargetScope;
-  if (targetScope) return Effect2.succeed(targetScope);
-  return Effect2.fail(
-    new OpenApiOAuthError({
-      message: "credentialTargetScope is required when adding direct OpenAPI credentials"
+  if (oauth2 && input.oauth2?.connection) {
+    oauth2Bindings.push({
+      slotKey: oauth2.connectionSlot,
+      value: configuredValueFromConfigureInput(oauth2.connectionSlot, input.oauth2.connection).value
+    });
+  }
+  const specFetchCredentials = input.specFetchCredentials === void 0 ? existing.config.specFetchCredentials : {
+    headers: specFetchHeaders.configured,
+    queryParams: specFetchQueryParams.configured
+  };
+  const affectedPrefixes = [
+    ...input.headers !== void 0 ? ["header:"] : [],
+    ...input.queryParams !== void 0 ? ["query_param:"] : [],
+    ...input.specFetchCredentials?.headers !== void 0 ? ["spec_fetch:header:"] : [],
+    ...input.specFetchCredentials?.queryParams !== void 0 ? ["spec_fetch:query_param:"] : [],
+    ...input.oauth2 !== void 0 ? ["oauth2:"] : []
+  ];
+  const bindings = [
+    ...headers.bindings,
+    ...queryParams.bindings,
+    ...specFetchHeaders.bindings,
+    ...specFetchQueryParams.bindings,
+    ...oauth2Bindings
+  ];
+  const nextConfiguredValues = (current, next, provided) => {
+    if (!provided) return current;
+    if (Object.keys(next).length === 0) return {};
+    return { ...current ?? {}, ...next };
+  };
+  return yield* ctx.transaction(
+    Effect3.gen(function* () {
+      yield* ctx.storage.updateSourceMeta(source.id, source.scope, {
+        headers: nextConfiguredValues(
+          existing.config.headers,
+          headers.configured,
+          input.headers !== void 0
+        ),
+        queryParams: nextConfiguredValues(
+          existing.config.queryParams,
+          queryParams.configured,
+          input.queryParams !== void 0
+        ),
+        specFetchCredentials
+      });
+      if (affectedPrefixes.length > 0 || bindings.length > 0) {
+        return yield* ctx.credentialBindings.replaceForSource({
+          targetScope: ScopeId.make(input.scope),
+          pluginId: OPENAPI_PLUGIN_ID,
+          sourceId: source.id,
+          sourceScope: ScopeId.make(source.scope),
+          slotPrefixes: affectedPrefixes,
+          bindings
+        });
+      }
+      return [];
     })
   );
-};
-var findOuterSource = (ctx, namespace, scope) => Effect2.gen(function* () {
+});
+var OPENAPI_PLUGIN_ID = "openapi";
+var scopeRanks = (ctx) => new Map(ctx.scopes.map((scope, index) => [String(scope.id), index]));
+var scopeRank = (ranks, scopeId) => ranks.get(scopeId) ?? Infinity;
+var resolveOpenApiCredentialBinding = (ctx, sourceId, sourceScope, slot) => ctx.credentialBindings.resolveBinding({
+  pluginId: OPENAPI_PLUGIN_ID,
+  sourceId,
+  sourceScope: ScopeId.make(sourceScope),
+  slotKey: slot
+});
+var findOuterSource = (ctx, namespace, scope) => Effect3.gen(function* () {
   const ranks = scopeRanks(ctx);
   const baseRank = scopeRank(ranks, scope);
   for (let index = baseRank + 1; index < ctx.scopes.length; index++) {
@@ -804,7 +1345,7 @@ var findOuterSource = (ctx, namespace, scope) => Effect2.gen(function* () {
   }
   return null;
 });
-var resolveEffectiveSourceConfig = (ctx, base) => Effect2.gen(function* () {
+var resolveEffectiveSourceConfig = (ctx, base) => Effect3.gen(function* () {
   const fallback = yield* findOuterSource(ctx, base.namespace, base.scope);
   if (!fallback) {
     return {
@@ -835,14 +1376,14 @@ var resolveEffectiveSourceConfig = (ctx, base) => Effect2.gen(function* () {
     oauth2Source: base.config.oauth2 ? base : fallback
   };
 });
-var resolveConfiguredValueMap = (ctx, params) => Effect2.gen(function* () {
+var resolveConfiguredValueMap = (ctx, params) => Effect3.gen(function* () {
   const resolved = {};
   for (const [name, value] of Object.entries(params.values)) {
     if (typeof value === "string") {
       resolved[name] = value;
       continue;
     }
-    const binding = yield* resolveOpenApiSourceBinding(
+    const binding = yield* resolveOpenApiCredentialBinding(
       ctx,
       params.sourceId,
       params.sourceScope,
@@ -850,9 +1391,9 @@ var resolveConfiguredValueMap = (ctx, params) => Effect2.gen(function* () {
     );
     if (binding?.value.kind === "secret") {
       const secret = yield* ctx.secrets.getAtScope(binding.value.secretId, binding.value.secretScopeId ?? binding.scopeId).pipe(
-        Effect2.catchTag(
+        Effect3.catchTag(
           "SecretOwnedByConnectionError",
-          () => Effect2.fail(
+          () => Effect3.fail(
             new OpenApiOAuthError({
               message: `Secret not found for header "${name}"`
             })
@@ -889,17 +1430,17 @@ var resolveSecretBackedValues = (ctx, values) => resolveSecretBackedMap({
   onMissing: (name) => new OpenApiOAuthError({
     message: `Secret not found for "${name}"`
   }),
-  onError: (err, name) => Predicate.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({
+  onError: (err, name) => Predicate2.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({
     message: `Secret not found for "${name}"`
   }) : err
 }).pipe(
-  Effect2.mapError(
-    (err) => Predicate.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({ message: "Secret resolution failed" }) : err
+  Effect3.mapError(
+    (err) => Predicate2.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({ message: "Secret resolution failed" }) : err
   ),
-  Effect2.map((resolved) => resolved ?? {})
+  Effect3.map((resolved) => resolved ?? {})
 );
-var resolveOAuthConnectionId = (ctx, params) => Effect2.gen(function* () {
-  const binding = yield* resolveOpenApiSourceBinding(
+var resolveOAuthConnectionId = (ctx, params) => Effect3.gen(function* () {
+  const binding = yield* resolveOpenApiCredentialBinding(
     ctx,
     params.sourceId,
     params.sourceScope,
@@ -912,14 +1453,14 @@ var resolveOAuthConnectionId = (ctx, params) => Effect2.gen(function* () {
   }
   return null;
 });
-var resolveSpecFetchInputCredentials = (ctx, credentials) => Effect2.gen(function* () {
+var resolveSpecFetchInputCredentials = (ctx, credentials) => Effect3.gen(function* () {
   if (!credentials) return void 0;
   return {
     headers: yield* resolveSecretBackedValues(ctx, credentials.headers),
     queryParams: yield* resolveSecretBackedValues(ctx, credentials.queryParams)
   };
 });
-var resolveStoredSpecFetchCredentials = (ctx, params) => Effect2.gen(function* () {
+var resolveStoredSpecFetchCredentials = (ctx, params) => Effect3.gen(function* () {
   if (!params.credentials) return void 0;
   return {
     headers: yield* resolveConfiguredValueMap(ctx, {
@@ -939,13 +1480,13 @@ var resolveStoredSpecFetchCredentials = (ctx, params) => Effect2.gen(function* (
 var toOpenApiSourceConfig = (namespace, config) => {
   const configHeaders = {};
   for (const [name, value] of Object.entries(config.headers ?? {})) {
-    if (typeof value === "string" || !("kind" in value)) {
+    if (typeof value === "string") {
       configHeaders[name] = value;
     }
   }
   return {
     kind: "openapi",
-    spec: config.spec,
+    spec: specInputToConfigString(config.spec),
     baseUrl: config.baseUrl,
     namespace,
     headers: headersToConfigValues(
@@ -953,12 +1494,12 @@ var toOpenApiSourceConfig = (namespace, config) => {
     )
   };
 };
-var isHttpUrl = (s) => s.startsWith("http://") || s.startsWith("https://");
+var specInputToConfigString = (spec) => spec.kind === "url" ? spec.url : spec.value;
 var openApiPlugin = definePlugin((options) => {
-  const rebuildSource = (ctx, input) => Effect2.gen(function* () {
+  const rebuildSource = (ctx, input) => Effect3.gen(function* () {
     const doc = yield* parse(input.specText);
     const result = yield* extract(doc);
-    const namespace = input.namespace ?? Option2.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
+    const namespace = input.namespace;
     const outerSource = yield* findOuterSource(ctx, namespace, input.scope);
     if (outerSource && input.baseUrl !== void 0 && input.baseUrl.trim() !== "") {
       return yield* new OpenApiOAuthError({
@@ -971,7 +1512,7 @@ var openApiPlugin = definePlugin((options) => {
         hoistedDefs[k] = normalizeOpenApiRefs(v);
       }
     }
-    const baseUrl = outerSource ? void 0 : input.baseUrl ?? resolveBaseUrl(result.servers);
+    const baseUrl = outerSource ? void 0 : input.baseUrl;
     const canonicalHeaders = canonicalizeHeaders(input.headers);
     const canonicalQueryParams = canonicalizeCredentialMap(
       input.queryParams,
@@ -981,25 +1522,8 @@ var openApiPlugin = definePlugin((options) => {
       input.specFetchCredentials
     );
     const canonicalOAuth2 = canonicalizeOAuth2(input.oauth2);
-    const directBindings = [
-      ...canonicalHeaders.bindings,
-      ...canonicalQueryParams.bindings,
-      ...canonicalSpecFetchCredentials.bindings,
-      ...canonicalOAuth2.bindings
-    ];
-    for (const binding of directBindings) {
-      const bindingTargetScope = yield* targetScopeForBinding(
-        input.credentialTargetScope,
-        binding
-      );
-      yield* validateOpenApiBindingTarget(ctx, {
-        sourceId: namespace,
-        sourceScope: input.scope,
-        targetScope: bindingTargetScope
-      });
-    }
     const definitions = compileToolDefinitions(result.operations);
-    const sourceName = input.name ?? Option2.getOrElse(result.title, () => namespace);
+    const sourceName = input.name;
     const sourceConfig = {
       spec: input.specText,
       sourceUrl: input.sourceUrl,
@@ -1022,7 +1546,7 @@ var openApiPlugin = definePlugin((options) => {
       binding: toBinding(def)
     }));
     yield* ctx.transaction(
-      Effect2.gen(function* () {
+      Effect3.gen(function* () {
         yield* ctx.storage.upsertSource(storedSource, storedOps);
         yield* ctx.core.sources.register({
           id: namespace,
@@ -1039,26 +1563,10 @@ var openApiPlugin = definePlugin((options) => {
           tools: definitions.map((def) => ({
             name: def.toolPath,
             description: descriptionFor(def),
-            inputSchema: normalizeOpenApiRefs(Option2.getOrUndefined(def.operation.inputSchema)),
-            outputSchema: normalizeOpenApiRefs(Option2.getOrUndefined(def.operation.outputSchema))
+            inputSchema: normalizeOpenApiRefs(Option3.getOrUndefined(def.operation.inputSchema)),
+            outputSchema: normalizeOpenApiRefs(Option3.getOrUndefined(def.operation.outputSchema))
           }))
         });
-        if (directBindings.length > 0) {
-          for (const binding of directBindings) {
-            const bindingTargetScope = yield* targetScopeForBinding(
-              input.credentialTargetScope,
-              binding
-            );
-            yield* ctx.credentialBindings.set({
-              targetScope: ScopeId.make(bindingTargetScope),
-              pluginId: OPENAPI_PLUGIN_ID,
-              sourceId: namespace,
-              sourceScope: ScopeId.make(input.scope),
-              slotKey: binding.slot,
-              value: binding.value
-            });
-          }
-        }
         if (Object.keys(hoistedDefs).length > 0) {
           yield* ctx.core.definitions.register({
             sourceId: namespace,
@@ -1070,7 +1578,7 @@ var openApiPlugin = definePlugin((options) => {
     );
     return { sourceId: namespace, toolCount: definitions.length };
   });
-  const refreshSourceInternal = (ctx, sourceId, scope) => Effect2.gen(function* () {
+  const refreshSourceInternal = (ctx, sourceId, scope) => Effect3.gen(function* () {
     const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
     const existing = yield* ctx.storage.getSource(sourceId, scope);
     if (!existing) return;
@@ -1084,78 +1592,67 @@ var openApiPlugin = definePlugin((options) => {
       credentials: resolvedConfig.specFetchCredentials
     });
     const specText = yield* resolveSpecText(sourceUrl, credentials).pipe(
-      Effect2.provide(httpClientLayer)
+      Effect3.provide(httpClientLayer)
     );
     yield* rebuildSource(ctx, {
       specText,
       scope,
       sourceUrl,
       name: existing.name,
-      baseUrl: resolvedConfig.baseUrl,
+      baseUrl: existing.config.baseUrl,
       namespace: existing.namespace,
       headers: existing.config.headers,
       queryParams: existing.config.queryParams,
       specFetchCredentials: existing.config.specFetchCredentials,
-      oauth2: existing.config.oauth2,
-      credentialTargetScope: scope
+      oauth2: existing.config.oauth2
     });
   });
   return {
     id: "openapi",
     packageName: "@executor-js/plugin-openapi",
+    sourcePresets: openApiPresets,
     schema: openapiSchema,
     storage: (deps) => makeDefaultOpenapiStore(deps),
     extension: (ctx) => {
       const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
-      const addSpecInternal = (config) => Effect2.gen(function* () {
-        const credentials = yield* resolveSpecFetchInputCredentials(
-          ctx,
-          config.specFetchCredentials
-        );
-        const specText = yield* resolveSpecText(config.spec, credentials).pipe(
-          Effect2.provide(httpClientLayer)
-        );
+      const addSpecInternal = (config) => Effect3.gen(function* () {
+        const specText = config.spec.kind === "url" ? yield* resolveSpecText(config.spec.url).pipe(Effect3.provide(httpClientLayer)) : config.spec.value;
         return yield* rebuildSource(ctx, {
           specText,
           scope: config.scope,
-          sourceUrl: isHttpUrl(config.spec) ? config.spec : void 0,
+          sourceUrl: config.spec.kind === "url" ? config.spec.url : void 0,
           name: config.name,
           baseUrl: config.baseUrl,
           namespace: config.namespace,
           headers: config.headers,
           queryParams: config.queryParams,
           specFetchCredentials: config.specFetchCredentials,
-          oauth2: config.oauth2,
-          // Default to the source's own scope. refreshSource and editSource
-          // do the same; without this, config-sync's addSpec — which never
-          // passes the field — fails with "credentialTargetScope is
-          // required" the moment the jsonc declares any header secret.
-          credentialTargetScope: config.credentialTargetScope ?? config.scope
+          oauth2: config.oauth2
         });
       });
       const configFile = options?.configFile;
       return {
-        previewSpec: (input) => Effect2.gen(function* () {
+        previewSpec: (input) => Effect3.gen(function* () {
           const previewInput = typeof input === "string" ? { spec: input } : input;
           const credentials = yield* resolveSpecFetchInputCredentials(
             ctx,
             previewInput.specFetchCredentials
           );
           const specText = yield* resolveSpecText(previewInput.spec, credentials).pipe(
-            Effect2.provide(httpClientLayer)
+            Effect3.provide(httpClientLayer)
           );
-          return yield* previewSpec(specText).pipe(Effect2.provide(httpClientLayer));
+          return yield* previewSpec(specText).pipe(Effect3.provide(httpClientLayer));
         }),
-        addSpec: (config) => Effect2.gen(function* () {
+        addSpec: (config) => Effect3.gen(function* () {
           const result = yield* addSpecInternal(config);
           if (configFile) {
             yield* configFile.upsertSource(toOpenApiSourceConfig(result.sourceId, config));
           }
           return result;
         }),
-        removeSpec: (namespace, scope) => Effect2.gen(function* () {
+        removeSpec: (namespace, scope) => Effect3.gen(function* () {
           yield* ctx.transaction(
-            Effect2.gen(function* () {
+            Effect3.gen(function* () {
               yield* ctx.credentialBindings.removeForSource({
                 pluginId: OPENAPI_PLUGIN_ID,
                 sourceId: namespace,
@@ -1172,7 +1669,7 @@ var openApiPlugin = definePlugin((options) => {
             yield* configFile.removeSource(namespace);
           }
         }),
-        getSource: (namespace, scope) => Effect2.gen(function* () {
+        getSource: (namespace, scope) => Effect3.gen(function* () {
           const source = yield* ctx.storage.getSource(namespace, scope);
           if (!source) return null;
           const effective = yield* resolveEffectiveSourceConfig(ctx, source);
@@ -1181,95 +1678,31 @@ var openApiPlugin = definePlugin((options) => {
             config: effective.config
           };
         }),
-        updateSource: (namespace, scope, input) => Effect2.gen(function* () {
-          const existing = yield* ctx.storage.getSource(namespace, scope);
-          if (!existing) return;
-          const canonicalHeaders = input.headers !== void 0 ? canonicalizeHeaders(input.headers) : null;
-          const canonicalOAuth2 = input.oauth2 !== void 0 ? canonicalizeOAuth2(input.oauth2) : null;
-          const canonicalQueryParams = input.queryParams !== void 0 ? canonicalizeCredentialMap(input.queryParams, queryParamSlotFromName) : null;
-          const directBindings = [
-            ...canonicalHeaders?.bindings ?? [],
-            ...canonicalQueryParams?.bindings ?? [],
-            ...canonicalOAuth2?.bindings ?? []
-          ];
-          const affectedPrefixes = [
-            ...input.headers !== void 0 ? ["header:"] : [],
-            ...input.queryParams !== void 0 ? ["query_param:"] : [],
-            ...input.oauth2 !== void 0 ? ["oauth2:"] : []
-          ];
-          const targetScope = input.credentialTargetScope ?? scope;
+        configure: (source, input) => configureOpenApiSource(ctx, source, input)
+      };
+    },
+    sourceConfigure: {
+      type: "openapi",
+      schema: OpenApiConfigureInputSchema,
+      configure: ({ ctx, sourceId, sourceScope, config }) => Effect3.gen(function* () {
+        const input = config;
+        if (input.name !== void 0 || input.baseUrl !== void 0 || input.oauth2Source !== void 0) {
           if (input.baseUrl !== void 0 && input.baseUrl.trim() !== "") {
-            const outerSource = yield* findOuterSource(ctx, namespace, scope);
+            const outerSource = yield* findOuterSource(ctx, sourceId, sourceScope);
             if (outerSource) {
               return yield* new OpenApiOAuthError({
                 message: "OpenAPI source shadows inherit the outer source base URL"
               });
             }
           }
-          if (affectedPrefixes.length > 0 || directBindings.length > 0) {
-            yield* validateOpenApiBindingTarget(ctx, {
-              sourceId: namespace,
-              sourceScope: scope,
-              targetScope
-            });
-          }
-          yield* ctx.transaction(
-            Effect2.gen(function* () {
-              yield* ctx.storage.updateSourceMeta(namespace, scope, {
-                name: input.name?.trim() || void 0,
-                baseUrl: input.baseUrl,
-                headers: canonicalHeaders?.headers,
-                queryParams: canonicalQueryParams?.values,
-                oauth2: canonicalOAuth2?.oauth2
-              });
-              if (affectedPrefixes.length > 0 || directBindings.length > 0) {
-                yield* ctx.credentialBindings.replaceForSource({
-                  targetScope: ScopeId.make(targetScope),
-                  pluginId: OPENAPI_PLUGIN_ID,
-                  sourceId: namespace,
-                  sourceScope: ScopeId.make(scope),
-                  slotPrefixes: affectedPrefixes,
-                  bindings: directBindings.map((binding) => ({
-                    slotKey: binding.slot,
-                    value: binding.value
-                  }))
-                });
-              }
-            })
-          );
-        }),
-        listSourceBindings: (sourceId, sourceScope) => listOpenApiSourceBindings(ctx, sourceId, sourceScope),
-        setSourceBinding: (input) => Effect2.gen(function* () {
-          yield* validateOpenApiBindingTarget(ctx, {
-            sourceId: input.sourceId,
-            sourceScope: input.sourceScope,
-            targetScope: input.scope
-          });
-          const binding = yield* ctx.credentialBindings.set({
-            targetScope: input.scope,
-            pluginId: OPENAPI_PLUGIN_ID,
-            sourceId: input.sourceId,
-            sourceScope: input.sourceScope,
-            slotKey: input.slot,
-            value: input.value
-          });
-          return coreBindingToOpenApiBinding(binding);
-        }),
-        removeSourceBinding: (sourceId, sourceScope, slot, scope) => Effect2.gen(function* () {
-          yield* validateOpenApiBindingTarget(ctx, {
-            sourceId,
-            sourceScope,
-            targetScope: scope
+          yield* ctx.storage.updateSourceMeta(sourceId, sourceScope, {
+            name: input.name?.trim() || void 0,
+            baseUrl: input.baseUrl,
+            oauth2: input.oauth2Source
           });
-          yield* ctx.credentialBindings.remove({
-            targetScope: ScopeId.make(scope),
-            pluginId: OPENAPI_PLUGIN_ID,
-            sourceId,
-            sourceScope: ScopeId.make(sourceScope),
-            slotKey: slot
-          });
-        })
-      };
+        }
+        return yield* configureOpenApiSource(ctx, { id: sourceId, scope: sourceScope }, input);
+      })
     },
     staticSources: (self) => [
       {
@@ -1279,25 +1712,88 @@ var openApiPlugin = definePlugin((options) => {
         tools: [
           tool({
             name: "previewSpec",
-            description: "Preview an OpenAPI document before adding it as a source",
+            description: "Preview an OpenAPI document before adding it as a source. Call this first when the user provides a spec URL/blob so you can inspect servers, auth schemes, operation count, tags, and credential slots before `addSource`. This agent-facing preview intentionally omits the full operations list; use `operationCount` and `tags` for full-size specs. Do not collect API keys or OAuth client secrets in chat; use `executor.coreTools.secrets.create` for those values.",
             inputSchema: PreviewSpecInputStandardSchema,
-            execute: (input) => self.previewSpec(input)
+            outputSchema: PreviewSpecOutputStandardSchema,
+            execute: (input) => self.previewSpec(input).pipe(
+              Effect3.map((preview) => ToolResult.ok(staticPreviewOutput(preview))),
+              Effect3.catchTags({
+                OpenApiParseError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_parse_failed", message)),
+                OpenApiExtractionError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_extraction_failed", message)),
+                OpenApiOAuthError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_oauth_failed", message))
+              })
+            )
+          }),
+          tool({
+            name: "getSource",
+            description: "Inspect an existing OpenAPI source, including effective base URL, configured headers/query params, OAuth settings, and stored credential slots. Use this before repairing an existing source with `openapi.configureSource`, `secrets.create`, or `oauth.start`.",
+            inputSchema: GetSourceInputStandardSchema,
+            outputSchema: GetSourceOutputStandardSchema,
+            execute: (input, { ctx }) => Effect3.map(
+              self.getSource(input.namespace, resolveStaticScopeInput(ctx, input.scope)),
+              (source) => ToolResult.ok({ source })
+            )
           }),
           tool({
             name: "addSource",
-            description: "Add an OpenAPI source and register its operations as tools",
+            description: "Add an OpenAPI source and register its operations as tools. Executor chooses the source install scope (local scope locally, organization scope in cloud) and returns it as `source`. Recommended flow: call `previewSpec`, choose or confirm namespace/name/baseUrl from the preview (baseUrl is only needed when the spec cannot infer one or the user wants an override), declare credential slots here for sensitive headers/query params, then call `secrets.create` and `openapi.configureSource` with the user's chosen credential scope for per-scope bindings. Use `oauth.start` with `credentialScope` set to the user's chosen personal or organization credential scope for browser OAuth sign-in.",
             annotations: {
               requiresApproval: true,
               approvalDescription: "Add an OpenAPI source"
             },
             inputSchema: AddSourceInputStandardSchema,
             outputSchema: AddSourceOutputStandardSchema,
-            execute: (input) => self.addSpec(input)
+            execute: (input, { ctx }) => {
+              const sourceScope = defaultSourceInstallScopeId(ctx.scopes);
+              if (sourceScope === null) {
+                return Effect3.succeed(
+                  openApiToolFailure(
+                    "source_scope_unavailable",
+                    "Cannot add an OpenAPI source because this executor has no source install scope."
+                  )
+                );
+              }
+              return self.addSpec({ ...input, scope: sourceScope }).pipe(
+                Effect3.map(
+                  (result) => ToolResult.ok({
+                    ...result,
+                    source: { id: result.sourceId, scope: sourceScope }
+                  })
+                ),
+                Effect3.catchTags({
+                  OpenApiParseError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_parse_failed", message)),
+                  OpenApiExtractionError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_extraction_failed", message)),
+                  OpenApiOAuthError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_oauth_failed", message))
+                })
+              );
+            }
+          }),
+          tool({
+            name: "configureSource",
+            description: 'Configure an existing OpenAPI source with concrete fields. Use `source` returned by `openapi.addSource` or `sources.list`. The top-level `scope` is the credential target scope for bindings; in cloud, choose the user or organization credential scope deliberately. Pass secret refs as `{kind:"secret", secretId}` and OAuth connections as `{kind:"connection", connectionId}`.',
+            annotations: {
+              requiresApproval: true,
+              approvalDescription: "Configure an OpenAPI source"
+            },
+            inputSchema: OpenApiConfigureSourceInputStandardSchema,
+            outputSchema: OpenApiConfigureSourceOutputStandardSchema,
+            execute: (input, { ctx }) => {
+              const { source, ...config } = input;
+              const sourceScope = resolveStaticScopeInput(ctx, source.scope);
+              const targetScope = resolveStaticScopeInput(ctx, config.scope);
+              return Effect3.map(
+                self.configure(
+                  { id: source.id, scope: sourceScope },
+                  { ...config, scope: targetScope }
+                ),
+                (result) => ToolResult.ok({ result })
+              );
+            }
           })
         ]
       }
     ],
-    invokeTool: ({ ctx, toolRow, args }) => Effect2.gen(function* () {
+    invokeTool: ({ ctx, toolRow, args }) => Effect3.gen(function* () {
       const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
       const toolScope = toolRow.scope_id;
       const op = yield* ctx.storage.getOperationByToolId(toolRow.id, toolScope);
@@ -1337,7 +1833,7 @@ var openApiPlugin = definePlugin((options) => {
           });
         }
         const accessToken = yield* ctx.connections.accessTokenAtScope(connection.connectionId, connection.scopeId).pipe(
-          Effect2.mapError(
+          Effect3.mapError(
             () => new OpenApiOAuthError({
               message: "OAuth connection resolution failed"
             })
@@ -1353,16 +1849,29 @@ var openApiPlugin = definePlugin((options) => {
         resolvedQueryParams,
         httpClientLayer
       );
-      return result;
+      const ok = result.status >= 200 && result.status < 300;
+      if (!ok) {
+        return ToolResult.fail({
+          code: "upstream_http_error",
+          status: result.status,
+          message: extractUpstreamMessage(result.error, result.status),
+          details: result.error
+        });
+      }
+      return ToolResult.ok({
+        status: result.status,
+        headers: result.headers,
+        data: result.data
+      });
     }),
-    resolveAnnotations: ({ ctx, sourceId, toolRows }) => Effect2.gen(function* () {
+    resolveAnnotations: ({ ctx, sourceId, toolRows }) => Effect3.gen(function* () {
       const scopes = /* @__PURE__ */ new Set();
       for (const row of toolRows) {
         scopes.add(row.scope_id);
       }
-      const entries = yield* Effect2.forEach(
+      const entries = yield* Effect3.forEach(
         [...scopes],
-        (scope) => Effect2.gen(function* () {
+        (scope) => Effect3.gen(function* () {
           const ops = yield* ctx.storage.listOperationsBySource(sourceId, scope);
           const byId = /* @__PURE__ */ new Map();
           for (const op of ops) byId.set(op.toolId, op.binding);
@@ -1380,9 +1889,9 @@ var openApiPlugin = definePlugin((options) => {
       }
       return out;
     }),
-    removeSource: ({ ctx, sourceId, scope }) => Effect2.gen(function* () {
+    removeSource: ({ ctx, sourceId, scope }) => Effect3.gen(function* () {
       yield* ctx.transaction(
-        Effect2.gen(function* () {
+        Effect3.gen(function* () {
           yield* ctx.credentialBindings.removeForSource({
             pluginId: OPENAPI_PLUGIN_ID,
             sourceId,
@@ -1397,8 +1906,8 @@ var openApiPlugin = definePlugin((options) => {
     }),
     // OpenAPI credential usages are reported by the core `credential_binding`
     // table. Source storage carries only source-owned slot structure.
-    usagesForSecret: () => Effect2.succeed([]),
-    usagesForConnection: () => Effect2.succeed([]),
+    usagesForSecret: () => Effect3.succeed([]),
+    usagesForConnection: () => Effect3.succeed([]),
     // Re-fetch the spec from its origin URL (captured at addSpec time)
     // and replay the same parse → extract → upsertSource → register
     // path used by addSpec. Sources without a stored URL surface a
@@ -1406,26 +1915,26 @@ var openApiPlugin = definePlugin((options) => {
     // when `canRefresh: true`, so a raw-text source reaching here
     // means stale UI state, which is worth surfacing to the caller.
     refreshSource: ({ ctx, sourceId, scope }) => refreshSourceInternal(ctx, sourceId, scope),
-    detect: ({ ctx, url }) => Effect2.gen(function* () {
+    detect: ({ ctx, url }) => Effect3.gen(function* () {
       const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
       const trimmed = url.trim();
       if (!trimmed) return null;
-      const parsed = yield* Effect2.try({
+      const parsed = yield* Effect3.try({
         try: () => new URL(trimmed),
         catch: (error) => error
-      }).pipe(Effect2.option);
-      if (Option2.isNone(parsed)) return null;
+      }).pipe(Effect3.option);
+      if (Option3.isNone(parsed)) return null;
       const specText = yield* resolveSpecText(trimmed).pipe(
-        Effect2.provide(httpClientLayer),
-        Effect2.catch(() => Effect2.succeed(null))
+        Effect3.provide(httpClientLayer),
+        Effect3.catch(() => Effect3.succeed(null))
       );
       if (specText === null) return null;
-      const doc = yield* parse(specText).pipe(Effect2.catch(() => Effect2.succeed(null)));
+      const doc = yield* parse(specText).pipe(Effect3.catch(() => Effect3.succeed(null)));
       if (!doc) return null;
-      const result = yield* extract(doc).pipe(Effect2.catch(() => Effect2.succeed(null)));
+      const result = yield* extract(doc).pipe(Effect3.catch(() => Effect3.succeed(null)));
       if (!result) return null;
-      const namespace = Option2.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
-      const name = Option2.getOrElse(result.title, () => namespace);
+      const namespace = Option3.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
+      const name = Option3.getOrElse(result.title, () => namespace);
       return SourceDetectionResult.make({
         kind: "openapi",
         confidence: "high",
@@ -1442,6 +1951,8 @@ export {
   invoke,
   invokeWithLayer,
   annotationsForOperation,
+  openapiSchema,
+  makeDefaultOpenapiStore,
   openApiPlugin
 };
-//# sourceMappingURL=chunk-OZ67JNID.js.map
+//# sourceMappingURL=chunk-NIKLYJ3X.js.map