@executor-js/plugin-openapi 1.4.32 → 1.5.0

package/dist/chunk-PS5XP3DG.js

@@ -1,2086 +0,0 @@
-import {
-  openApiPresets
-} from "./chunk-BB5IAKRG.js";
-import {
-  ConfiguredHeaderBinding,
-  HeaderValue,
-  InvocationResult,
-  OAuth2SourceConfig,
-  OpenApiAuthRequiredError,
-  OpenApiExtractionError,
-  OpenApiInvocationError,
-  OpenApiOAuthError,
-  OperationBinding,
-  extract,
-  parse,
-  previewSpec,
-  resolveSpecText
-} from "./chunk-AN4HJFNP.js";
-
-// src/sdk/invoke.ts
-import { Effect, Layer, Option } from "effect";
-import { HttpClient, HttpClientRequest } from "effect/unstable/http";
-var CONTAINER_KEYS = {
-  path: ["path", "pathParams", "params"],
-  query: ["query", "queryParams", "params"],
-  header: ["headers", "header"],
-  cookie: ["cookies", "cookie"]
-};
-var readParamValue = (args, param) => {
-  const direct = args[param.name];
-  if (direct !== void 0) return direct;
-  for (const key of CONTAINER_KEYS[param.location] ?? []) {
-    const container = args[key];
-    if (typeof container === "object" && container !== null && !Array.isArray(container)) {
-      const nested = container[param.name];
-      if (nested !== void 0) return nested;
-    }
-  }
-  return void 0;
-};
-var resolvePath = Effect.fn("OpenApi.resolvePath")(function* (pathTemplate, args, parameters) {
-  let resolved = pathTemplate;
-  for (const param of parameters) {
-    if (param.location !== "path") continue;
-    const value = readParamValue(args, param);
-    if (value === void 0 || value === null) {
-      if (param.required) {
-        return yield* new OpenApiInvocationError({
-          message: `Missing required path parameter: ${param.name}`,
-          statusCode: Option.none()
-        });
-      }
-      continue;
-    }
-    resolved = resolved.replaceAll(`{${param.name}}`, encodeURIComponent(String(value)));
-  }
-  const remaining = [...resolved.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]).filter((v) => typeof v === "string");
-  for (const name of remaining) {
-    const value = args[name];
-    if (value !== void 0 && value !== null) {
-      resolved = resolved.replaceAll(`{${name}}`, encodeURIComponent(String(value)));
-    }
-  }
-  const unresolved = [...resolved.matchAll(/\{([^{}]+)\}/g)].map((m) => m[1]).filter((v) => typeof v === "string");
-  if (unresolved.length > 0) {
-    return yield* new OpenApiInvocationError({
-      message: `Unresolved path parameters: ${[...new Set(unresolved)].join(", ")}`,
-      statusCode: Option.none()
-    });
-  }
-  return resolved;
-});
-var resolveHeaders = (headers, secrets) => {
-  const entries = Object.entries(headers);
-  const secretCount = entries.reduce(
-    (acc, [, value]) => typeof value === "string" ? acc : acc + 1,
-    0
-  );
-  return Effect.gen(function* () {
-    const values = yield* Effect.all(
-      entries.map(
-        ([name, value]) => typeof value === "string" ? Effect.succeed({ name, value }) : secrets.get(value.secretId).pipe(
-          Effect.catchTag(
-            "SecretOwnedByConnectionError",
-            () => Effect.fail(
-              new OpenApiInvocationError({
-                message: `Failed to resolve secret "${value.secretId}" for header "${name}"`,
-                statusCode: Option.none()
-              })
-            )
-          ),
-          Effect.flatMap(
-            (secret) => secret === null ? Effect.fail(
-              new OpenApiInvocationError({
-                message: `Failed to resolve secret "${value.secretId}" for header "${name}"`,
-                statusCode: Option.none()
-              })
-            ) : Effect.succeed({
-              name,
-              value: value.prefix ? `${value.prefix}${secret}` : secret
-            })
-          )
-        )
-      ),
-      { concurrency: "unbounded" }
-    );
-    const resolved = {};
-    for (const { name, value } of values) resolved[name] = value;
-    return resolved;
-  }).pipe(
-    Effect.withSpan("plugin.openapi.secret.resolve", {
-      attributes: {
-        "plugin.openapi.headers.total": entries.length,
-        "plugin.openapi.headers.secret_count": secretCount
-      }
-    })
-  );
-};
-var applyHeaders = (request, headers) => {
-  let req = request;
-  for (const [name, value] of Object.entries(headers)) {
-    req = HttpClientRequest.setHeader(req, name, value);
-  }
-  return req;
-};
-var normalizeContentType = (ct) => ct?.split(";")[0]?.trim().toLowerCase() ?? "";
-var isJsonContentType = (ct) => {
-  const normalized = normalizeContentType(ct);
-  if (!normalized) return false;
-  return normalized === "application/json" || normalized.includes("+json") || normalized.includes("json");
-};
-var isFormUrlEncoded = (ct) => normalizeContentType(ct) === "application/x-www-form-urlencoded";
-var isMultipartFormData = (ct) => normalizeContentType(ct).startsWith("multipart/form-data");
-var isXmlContentType = (ct) => {
-  const normalized = normalizeContentType(ct);
-  if (!normalized) return false;
-  return normalized === "application/xml" || normalized === "text/xml" || normalized.endsWith("+xml");
-};
-var isTextContentType = (ct) => normalizeContentType(ct).startsWith("text/");
-var isOctetStream = (ct) => normalizeContentType(ct) === "application/octet-stream";
-var toUint8Array = (value) => {
-  if (value instanceof Uint8Array) return value;
-  if (value instanceof ArrayBuffer) return new Uint8Array(value);
-  if (ArrayBuffer.isView(value)) {
-    const view = value;
-    return new Uint8Array(view.buffer, view.byteOffset, view.byteLength);
-  }
-  if (Array.isArray(value) && value.every((v) => typeof v === "number")) {
-    return new Uint8Array(value);
-  }
-  return null;
-};
-var toArrayBuffer = (bytes) => {
-  const copy = new ArrayBuffer(bytes.byteLength);
-  new Uint8Array(copy).set(bytes);
-  return copy;
-};
-var DEFAULT_FORM_STYLE = {
-  style: "form",
-  explode: true,
-  allowReserved: false
-};
-var resolveStyleExplode = (e) => {
-  if (!e) return DEFAULT_FORM_STYLE;
-  return {
-    style: Option.getOrElse(e.style, () => DEFAULT_FORM_STYLE.style),
-    explode: Option.getOrElse(e.explode, () => DEFAULT_FORM_STYLE.explode),
-    allowReserved: Option.getOrElse(e.allowReserved, () => DEFAULT_FORM_STYLE.allowReserved)
-  };
-};
-var RESERVED_UNENCODED_RE = /[A-Za-z0-9\-._~:/?#[\]@!$&'()*+,;=]/;
-var encodeFormValue = (v, allowReserved) => {
-  const raw = typeof v === "object" && v !== null ? JSON.stringify(v) : String(v);
-  if (!allowReserved) return encodeURIComponent(raw);
-  let out = "";
-  for (const ch of raw) {
-    out += RESERVED_UNENCODED_RE.test(ch) ? ch : encodeURIComponent(ch);
-  }
-  return out;
-};
-var serializeFormUrlEncoded = (value, encoding) => {
-  const parts = [];
-  for (const [key, raw] of Object.entries(value)) {
-    if (raw === void 0 || raw === null) continue;
-    const { style, explode, allowReserved } = resolveStyleExplode(encoding?.[key]);
-    const encKey = encodeURIComponent(key);
-    if (Array.isArray(raw)) {
-      if (explode) {
-        for (const v of raw) {
-          parts.push(`${encKey}=${encodeFormValue(v, allowReserved)}`);
-        }
-      } else {
-        const sep = style === "spaceDelimited" ? " " : style === "pipeDelimited" ? "|" : ",";
-        parts.push(
-          `${encKey}=${encodeFormValue(
-            raw.map((v) => typeof v === "object" ? JSON.stringify(v) : String(v)).join(sep),
-            allowReserved
-          )}`
-        );
-      }
-      continue;
-    }
-    if (typeof raw === "object") {
-      const entries = Object.entries(raw).filter(
-        ([, v]) => v !== void 0 && v !== null
-      );
-      if (style === "deepObject") {
-        for (const [subkey, subval] of entries) {
-          parts.push(
-            `${encodeURIComponent(`${key}[${subkey}]`)}=${encodeFormValue(subval, allowReserved)}`
-          );
-        }
-      } else if (explode) {
-        for (const [subkey, subval] of entries) {
-          parts.push(`${encodeURIComponent(subkey)}=${encodeFormValue(subval, allowReserved)}`);
-        }
-      } else {
-        const flat = entries.flatMap(([k, v]) => [
-          k,
-          typeof v === "object" ? JSON.stringify(v) : String(v)
-        ]);
-        parts.push(`${encKey}=${encodeFormValue(flat.join(","), allowReserved)}`);
-      }
-      continue;
-    }
-    parts.push(`${encKey}=${encodeFormValue(raw, allowReserved)}`);
-  }
-  return parts.join("&");
-};
-var coerceFormDataRecord = (value, encoding) => {
-  const out = {};
-  for (const [key, raw] of Object.entries(value)) {
-    if (raw === void 0 || raw === null) continue;
-    const partType = encoding?.[key] ? Option.getOrUndefined(encoding[key].contentType) : void 0;
-    if (partType) {
-      const isJson = partType.startsWith("application/json") || partType.includes("+json");
-      const serialized = typeof raw === "string" ? raw : isJson ? JSON.stringify(raw) : typeof raw === "object" ? JSON.stringify(raw) : String(raw);
-      out[key] = new Blob([serialized], { type: partType });
-      continue;
-    }
-    if (typeof raw === "string" || typeof raw === "number" || typeof raw === "boolean" || raw instanceof Blob || typeof File !== "undefined" && raw instanceof File) {
-      out[key] = raw;
-      continue;
-    }
-    if (Array.isArray(raw)) {
-      out[key] = raw.map(
-        (v) => typeof v === "string" || typeof v === "number" || typeof v === "boolean" || v instanceof Blob || typeof File !== "undefined" && v instanceof File ? v : JSON.stringify(v)
-      );
-      continue;
-    }
-    const bytes = toUint8Array(raw);
-    if (bytes) {
-      out[key] = new Blob([toArrayBuffer(bytes)]);
-      continue;
-    }
-    out[key] = JSON.stringify(raw);
-  }
-  return out;
-};
-var applyRequestBody = (request, contentType, bodyValue, encoding) => {
-  if (isJsonContentType(contentType)) {
-    if (typeof bodyValue === "string") {
-      return HttpClientRequest.bodyText(request, bodyValue, contentType);
-    }
-    return HttpClientRequest.bodyJsonUnsafe(request, bodyValue);
-  }
-  if (isFormUrlEncoded(contentType)) {
-    if (typeof bodyValue === "string") {
-      return HttpClientRequest.bodyText(request, bodyValue, contentType);
-    }
-    if (typeof bodyValue === "object" && bodyValue !== null && !Array.isArray(bodyValue)) {
-      const serialized = serializeFormUrlEncoded(bodyValue, encoding);
-      return HttpClientRequest.bodyText(request, serialized, contentType);
-    }
-    return HttpClientRequest.bodyUrlParams(
-      request,
-      bodyValue
-    );
-  }
-  if (isMultipartFormData(contentType)) {
-    if (bodyValue instanceof FormData) {
-      return HttpClientRequest.bodyFormData(request, bodyValue);
-    }
-    if (typeof bodyValue === "object" && bodyValue !== null) {
-      return HttpClientRequest.bodyFormDataRecord(
-        request,
-        coerceFormDataRecord(bodyValue, encoding)
-      );
-    }
-    return HttpClientRequest.bodyText(request, String(bodyValue), contentType);
-  }
-  if (isOctetStream(contentType)) {
-    const bytes2 = toUint8Array(bodyValue);
-    if (bytes2) return HttpClientRequest.bodyUint8Array(request, bytes2, contentType);
-    if (typeof bodyValue === "string") {
-      return HttpClientRequest.bodyText(request, bodyValue, contentType);
-    }
-    return HttpClientRequest.bodyText(request, JSON.stringify(bodyValue), contentType);
-  }
-  if (isXmlContentType(contentType) || isTextContentType(contentType)) {
-    if (typeof bodyValue === "string") {
-      return HttpClientRequest.bodyText(request, bodyValue, contentType);
-    }
-    const bytes2 = toUint8Array(bodyValue);
-    if (bytes2) return HttpClientRequest.bodyUint8Array(request, bytes2, contentType);
-    return HttpClientRequest.bodyText(request, JSON.stringify(bodyValue), contentType);
-  }
-  if (typeof bodyValue === "string") {
-    return HttpClientRequest.bodyText(request, bodyValue, contentType);
-  }
-  const bytes = toUint8Array(bodyValue);
-  if (bytes) return HttpClientRequest.bodyUint8Array(request, bytes, contentType);
-  return HttpClientRequest.bodyText(request, JSON.stringify(bodyValue), contentType);
-};
-var invoke = Effect.fn("OpenApi.invoke")(function* (operation, args, resolvedHeaders, sourceQueryParams = {}) {
-  const client = yield* HttpClient.HttpClient;
-  yield* Effect.annotateCurrentSpan({
-    "http.method": operation.method.toUpperCase(),
-    "http.route": operation.pathTemplate,
-    "plugin.openapi.method": operation.method.toUpperCase(),
-    "plugin.openapi.path_template": operation.pathTemplate,
-    "plugin.openapi.headers.resolved_count": Object.keys(resolvedHeaders).length
-  });
-  const resolvedPath = yield* resolvePath(operation.pathTemplate, args, operation.parameters);
-  const path = resolvedPath.startsWith("/") ? resolvedPath : `/${resolvedPath}`;
-  let request = HttpClientRequest.make(operation.method.toUpperCase())(path);
-  for (const [name, value] of Object.entries(sourceQueryParams)) {
-    request = HttpClientRequest.setUrlParam(request, name, value);
-  }
-  for (const param of operation.parameters) {
-    if (param.location !== "query") continue;
-    const value = readParamValue(args, param);
-    if (value === void 0 || value === null) continue;
-    request = HttpClientRequest.setUrlParam(request, param.name, String(value));
-  }
-  for (const param of operation.parameters) {
-    if (param.location !== "header") continue;
-    const value = readParamValue(args, param);
-    if (value === void 0 || value === null) continue;
-    request = HttpClientRequest.setHeader(request, param.name, String(value));
-  }
-  if (Option.isSome(operation.requestBody)) {
-    const rb = operation.requestBody.value;
-    const bodyValue = args.body ?? args.input;
-    if (bodyValue !== void 0) {
-      const contentsOpt = Option.getOrUndefined(rb.contents);
-      const requestedCt = typeof args.contentType === "string" ? args.contentType : void 0;
-      const selected = contentsOpt && requestedCt ? contentsOpt.find((c) => c.contentType === requestedCt) : void 0;
-      const chosenCt = selected?.contentType ?? rb.contentType;
-      const chosenEncoding = selected ? Option.getOrUndefined(selected.encoding) : contentsOpt && contentsOpt[0] ? Option.getOrUndefined(contentsOpt[0].encoding) : void 0;
-      request = applyRequestBody(request, chosenCt, bodyValue, chosenEncoding);
-    }
-  }
-  request = applyHeaders(request, resolvedHeaders);
-  const response = yield* client.execute(request).pipe(
-    Effect.mapError(
-      (err) => new OpenApiInvocationError({
-        message: "HTTP request failed",
-        statusCode: Option.none(),
-        cause: err
-      })
-    )
-  );
-  const status = response.status;
-  yield* Effect.annotateCurrentSpan({
-    "http.status_code": status
-  });
-  const responseHeaders = { ...response.headers };
-  const contentType = response.headers["content-type"] ?? null;
-  const mapBodyError = Effect.mapError(
-    (err) => new OpenApiInvocationError({
-      message: "Failed to read response body",
-      statusCode: Option.some(status),
-      cause: err
-    })
-  );
-  const responseBody = status === 204 ? null : isJsonContentType(contentType) ? yield* response.json.pipe(
-    Effect.catch(() => response.text),
-    mapBodyError
-  ) : yield* response.text.pipe(mapBodyError);
-  const ok = status >= 200 && status < 300;
-  return InvocationResult.make({
-    status,
-    headers: responseHeaders,
-    data: ok ? responseBody : null,
-    error: ok ? null : responseBody
-  });
-});
-var invokeWithLayer = (operation, args, baseUrl, resolvedHeaders, sourceQueryParams, httpClientLayer) => {
-  const clientWithBaseUrl = baseUrl ? Layer.effect(
-    HttpClient.HttpClient,
-    Effect.map(
-      Effect.service(HttpClient.HttpClient),
-      HttpClient.mapRequest(HttpClientRequest.prependUrl(baseUrl))
-    )
-  ).pipe(Layer.provide(httpClientLayer)) : httpClientLayer;
-  return invoke(operation, args, resolvedHeaders, sourceQueryParams).pipe(
-    Effect.provide(clientWithBaseUrl),
-    Effect.withSpan("plugin.openapi.invoke", {
-      attributes: {
-        "plugin.openapi.method": operation.method.toUpperCase(),
-        "plugin.openapi.path_template": operation.pathTemplate,
-        "plugin.openapi.base_url": baseUrl
-      }
-    })
-  );
-};
-var REQUIRE_APPROVAL = /* @__PURE__ */ new Set(["post", "put", "patch", "delete"]);
-var annotationsForOperation = (method, pathTemplate) => {
-  const m = method.toLowerCase();
-  if (!REQUIRE_APPROVAL.has(m)) return {};
-  return {
-    requiresApproval: true,
-    approvalDescription: `${method.toUpperCase()} ${pathTemplate}`
-  };
-};
-
-// src/sdk/store.ts
-import { Effect as Effect2, Option as Option2, Predicate, Schema } from "effect";
-var openapiSchema = {};
-var SOURCE_COLLECTION = "source";
-var OPERATION_COLLECTION = "operation";
-var encodeBinding = Schema.encodeSync(OperationBinding);
-var decodeBinding = Schema.decodeUnknownSync(OperationBinding);
-var decodeBindingJson = Schema.decodeUnknownSync(Schema.fromJsonString(OperationBinding));
-var decodeOAuth2SourceConfigOption = Schema.decodeUnknownOption(OAuth2SourceConfig);
-var decodeOAuth2SourceConfigJsonOption = Schema.decodeUnknownOption(
-  Schema.fromJsonString(OAuth2SourceConfig)
-);
-var encodeOAuth2SourceConfig = Schema.encodeSync(OAuth2SourceConfig);
-var NullableString = Schema.NullOr(Schema.String);
-var OptionalNullableString = Schema.optional(NullableString);
-var ConfiguredHeaderBindingStorage = Schema.Struct({
-  kind: Schema.Literal("binding"),
-  slot: Schema.String,
-  prefix: OptionalNullableString
-});
-var ConfiguredHeaderValueStorage = Schema.Union([Schema.String, ConfiguredHeaderBindingStorage]);
-var ConfiguredHeaderMapStorage = Schema.Record(Schema.String, ConfiguredHeaderValueStorage);
-var SpecFetchCredentialsStorage = Schema.Struct({
-  headers: Schema.optional(ConfiguredHeaderMapStorage),
-  queryParams: Schema.optional(ConfiguredHeaderMapStorage)
-});
-var SourceConfigStorage = Schema.Struct({
-  spec: Schema.String,
-  sourceUrl: Schema.optional(Schema.String),
-  baseUrl: Schema.optional(Schema.String),
-  namespace: Schema.optional(Schema.String),
-  headers: Schema.optional(ConfiguredHeaderMapStorage),
-  queryParams: Schema.optional(ConfiguredHeaderMapStorage),
-  specFetchCredentials: Schema.optional(SpecFetchCredentialsStorage),
-  oauth2: Schema.optional(Schema.Unknown)
-});
-var SourceStorage = Schema.Struct({
-  namespace: Schema.String,
-  scope: Schema.String,
-  name: Schema.String,
-  config: SourceConfigStorage
-});
-var OperationStorage = Schema.Struct({
-  toolId: Schema.String,
-  sourceId: Schema.String,
-  binding: Schema.Unknown
-});
-var decodeSourceStorage = Schema.decodeUnknownOption(SourceStorage);
-var decodeOperationStorage = Schema.decodeUnknownOption(OperationStorage);
-var toJsonRecord = (value) => value;
-var normalizeStoredOAuth2 = (value) => {
-  if (value == null) return void 0;
-  const sourceConfig = typeof value === "string" ? decodeOAuth2SourceConfigJsonOption(value) : decodeOAuth2SourceConfigOption(value);
-  if (Option2.isSome(sourceConfig)) return sourceConfig.value;
-  return void 0;
-};
-var normalizeConfiguredMap = (values) => {
-  if (!values) return void 0;
-  const normalized = {};
-  for (const [name, value] of Object.entries(values)) {
-    if (typeof value === "string") {
-      normalized[name] = value;
-    } else {
-      normalized[name] = value.prefix != null ? ConfiguredHeaderBinding.make({
-        kind: "binding",
-        slot: value.slot,
-        prefix: value.prefix
-      }) : ConfiguredHeaderBinding.make({
-        kind: "binding",
-        slot: value.slot
-      });
-    }
-  }
-  return normalized;
-};
-var encodeSourceConfig = (config) => ({
-  spec: config.spec,
-  ...config.sourceUrl ? { sourceUrl: config.sourceUrl } : {},
-  ...config.baseUrl ? { baseUrl: config.baseUrl } : {},
-  ...config.namespace ? { namespace: config.namespace } : {},
-  ...config.headers ? { headers: config.headers } : {},
-  ...config.queryParams ? { queryParams: config.queryParams } : {},
-  ...config.specFetchCredentials ? { specFetchCredentials: config.specFetchCredentials } : {},
-  ...config.oauth2 ? { oauth2: toJsonRecord(encodeOAuth2SourceConfig(config.oauth2)) } : {}
-});
-var rowToSource = (row) => {
-  const decoded = decodeSourceStorage(row.data);
-  if (Option2.isNone(decoded)) return null;
-  const stored = decoded.value;
-  const oauth2 = normalizeStoredOAuth2(stored.config.oauth2);
-  return {
-    namespace: stored.namespace,
-    scope: stored.scope,
-    name: stored.name,
-    config: {
-      spec: stored.config.spec,
-      sourceUrl: stored.config.sourceUrl,
-      baseUrl: stored.config.baseUrl,
-      namespace: stored.config.namespace,
-      headers: normalizeConfiguredMap(stored.config.headers),
-      queryParams: normalizeConfiguredMap(stored.config.queryParams),
-      specFetchCredentials: stored.config.specFetchCredentials ? {
-        headers: normalizeConfiguredMap(stored.config.specFetchCredentials.headers),
-        queryParams: normalizeConfiguredMap(stored.config.specFetchCredentials.queryParams)
-      } : void 0,
-      oauth2
-    }
-  };
-};
-var rowToOperation = (row) => {
-  const decoded = decodeOperationStorage(row.data);
-  if (Option2.isNone(decoded)) return null;
-  const operation = decoded.value;
-  return {
-    toolId: operation.toolId,
-    sourceId: operation.sourceId,
-    binding: decodeBinding(
-      typeof operation.binding === "string" ? decodeBindingJson(operation.binding) : operation.binding
-    )
-  };
-};
-var makeDefaultOpenapiStore = ({
-  pluginStorage
-}) => {
-  const sourceData = (source) => ({
-    namespace: source.namespace,
-    scope: source.scope,
-    name: source.name,
-    config: encodeSourceConfig(source.config)
-  });
-  const operationData = (operation) => ({
-    toolId: operation.toolId,
-    sourceId: operation.sourceId,
-    binding: toJsonRecord(encodeBinding(operation.binding))
-  });
-  const listOperationRowsForSourceScope = (sourceId, scope) => pluginStorage.list({
-    collection: OPERATION_COLLECTION,
-    keyPrefix: `${sourceId}.`
-  }).pipe(
-    Effect2.map(
-      (rows) => rows.filter(
-        (row) => String(row.scopeId) === scope && rowToOperation(row)?.sourceId === sourceId
-      )
-    )
-  );
-  const removeOperationsForSourceScope = (sourceId, scope) => Effect2.gen(function* () {
-    const rows = yield* listOperationRowsForSourceScope(sourceId, scope);
-    for (const row of rows) {
-      yield* pluginStorage.remove({
-        scope,
-        collection: OPERATION_COLLECTION,
-        key: row.key
-      });
-    }
-  });
-  const deleteSource = (namespace, scope) => Effect2.gen(function* () {
-    yield* removeOperationsForSourceScope(namespace, scope);
-    yield* pluginStorage.remove({
-      scope,
-      collection: SOURCE_COLLECTION,
-      key: namespace
-    });
-  });
-  return {
-    upsertSource: (input, operations) => Effect2.gen(function* () {
-      yield* deleteSource(input.namespace, input.scope);
-      yield* pluginStorage.put({
-        scope: input.scope,
-        collection: SOURCE_COLLECTION,
-        key: input.namespace,
-        data: sourceData(input)
-      });
-      for (const operation of operations) {
-        yield* pluginStorage.put({
-          scope: input.scope,
-          collection: OPERATION_COLLECTION,
-          key: operation.toolId,
-          data: operationData(operation)
-        });
-      }
-    }),
-    updateSourceMeta: (namespace, scope, patch) => Effect2.gen(function* () {
-      const existing = yield* pluginStorage.getAtScope({
-        scope,
-        collection: SOURCE_COLLECTION,
-        key: namespace
-      });
-      if (!existing) return;
-      const source = rowToSource(existing);
-      if (!source) return;
-      const next = {
-        ...source,
-        name: patch.name?.trim() || source.name,
-        config: {
-          ...source.config,
-          ...patch.baseUrl !== void 0 ? { baseUrl: patch.baseUrl } : {},
-          ...patch.headers !== void 0 ? { headers: patch.headers } : {},
-          ...patch.queryParams !== void 0 ? { queryParams: patch.queryParams } : {},
-          ...patch.specFetchCredentials !== void 0 ? { specFetchCredentials: patch.specFetchCredentials } : {},
-          ...patch.oauth2 !== void 0 ? { oauth2: patch.oauth2 } : {}
-        }
-      };
-      yield* pluginStorage.put({
-        scope,
-        collection: SOURCE_COLLECTION,
-        key: namespace,
-        data: sourceData(next)
-      });
-    }),
-    getSource: (namespace, scope) => pluginStorage.getAtScope({ scope, collection: SOURCE_COLLECTION, key: namespace }).pipe(Effect2.map((row) => row ? rowToSource(row) : null)),
-    listSources: () => pluginStorage.list({ collection: SOURCE_COLLECTION }).pipe(Effect2.map((rows) => rows.map(rowToSource).filter(Predicate.isNotNull))),
-    getOperationByToolId: (toolId, scope) => pluginStorage.getAtScope({ scope, collection: OPERATION_COLLECTION, key: toolId }).pipe(Effect2.map((row) => row ? rowToOperation(row) : null)),
-    listOperationsBySource: (sourceId, scope) => listOperationRowsForSourceScope(sourceId, scope).pipe(
-      Effect2.map((rows) => rows.map(rowToOperation).filter(Predicate.isNotNull))
-    ),
-    removeSource: (namespace, scope) => deleteSource(namespace, scope)
-  };
-};
-
-// src/sdk/plugin.ts
-import { Effect as Effect3, Option as Option3, Predicate as Predicate2, Schema as Schema2 } from "effect";
-import {
-  ConnectionId,
-  CredentialBindingRef,
-  ScopeId,
-  SecretId,
-  SourceDetectionResult,
-  StorageError,
-  ToolResult,
-  authToolFailure,
-  defaultSourceInstallScopeId,
-  definePlugin,
-  tool,
-  resolveSecretBackedMap
-} from "@executor-js/sdk/core";
-import {
-  headersToConfigValues
-} from "@executor-js/config";
-
-// src/sdk/definitions.ts
-var splitWords = (value) => value.replace(/([a-z0-9])([A-Z])/g, "$1 $2").replace(/([A-Z]+)([A-Z][a-z0-9]+)/g, "$1 $2").replace(/[^a-zA-Z0-9]+/g, " ").trim().split(/\s+/).filter((part) => part.length > 0);
-var normalizeWord = (value) => value.toLowerCase();
-var toCamelCase = (value) => {
-  const words = splitWords(value).map(normalizeWord);
-  if (words.length === 0) return "tool";
-  const [first, ...rest] = words;
-  return `${first}${rest.map((p) => `${p[0]?.toUpperCase() ?? ""}${p.slice(1)}`).join("")}`;
-};
-var toPascalCase = (value) => {
-  const camel = toCamelCase(value);
-  return `${camel[0]?.toUpperCase() ?? ""}${camel.slice(1)}`;
-};
-var VERSION_SEGMENT_REGEX = /^v\d+(?:[._-]\d+)?$/i;
-var IGNORED_PATH_SEGMENTS = /* @__PURE__ */ new Set(["api"]);
-var pathSegmentsFromTemplate = (pathTemplate) => pathTemplate.split("/").map((s) => s.trim()).filter((s) => s.length > 0);
-var isPathParameterSegment = (segment) => segment.startsWith("{") && segment.endsWith("}");
-var normalizeGroupSegment = (value) => {
-  const candidate = value?.trim();
-  if (!candidate) return null;
-  return toCamelCase(candidate);
-};
-var deriveVersionSegment = (pathTemplate) => pathSegmentsFromTemplate(pathTemplate).map((s) => s.toLowerCase()).find((s) => VERSION_SEGMENT_REGEX.test(s));
-var derivePathGroup = (pathTemplate) => {
-  for (const segment of pathSegmentsFromTemplate(pathTemplate)) {
-    const lower = segment.toLowerCase();
-    if (VERSION_SEGMENT_REGEX.test(lower)) continue;
-    if (IGNORED_PATH_SEGMENTS.has(lower)) continue;
-    if (isPathParameterSegment(segment)) continue;
-    return normalizeGroupSegment(segment) ?? "root";
-  }
-  return "root";
-};
-var splitOperationIdSegments = (value) => value.split(/[/.]+/).map((s) => s.trim()).filter((s) => s.length > 0);
-var deriveLeafSeed = (operationId, group) => {
-  const segments = splitOperationIdSegments(operationId);
-  if (segments.length > 1) {
-    const [first, ...rest] = segments;
-    if ((normalizeGroupSegment(first) ?? first) === group && rest.length > 0) {
-      return rest.join(" ");
-    }
-  }
-  return operationId;
-};
-var fallbackLeafSeed = (method, pathTemplate, group) => {
-  const relevantSegments = pathSegmentsFromTemplate(pathTemplate).filter((s) => !VERSION_SEGMENT_REGEX.test(s.toLowerCase())).filter((s) => !IGNORED_PATH_SEGMENTS.has(s.toLowerCase())).filter((s) => !isPathParameterSegment(s)).map((s) => normalizeGroupSegment(s) ?? s).filter((s) => s !== group);
-  const segmentSuffix = relevantSegments.map((s) => toPascalCase(s)).join("");
-  return `${method}${segmentSuffix || "Operation"}`;
-};
-var deriveLeaf = (operationId, method, pathTemplate, group) => {
-  const preferred = toCamelCase(deriveLeafSeed(operationId, group));
-  if (preferred.length > 0 && preferred !== group) return preferred;
-  return toCamelCase(fallbackLeafSeed(method, pathTemplate, group));
-};
-var resolveCollisions = (definitions) => {
-  const staged = definitions.map((d) => ({ ...d }));
-  const applyFactory = (items, factory) => {
-    const byPath = /* @__PURE__ */ new Map();
-    for (const item of items) {
-      const bucket = byPath.get(item.toolPath) ?? [];
-      bucket.push(item);
-      byPath.set(item.toolPath, bucket);
-    }
-    for (const bucket of byPath.values()) {
-      if (bucket.length < 2) continue;
-      for (const d of bucket) {
-        d.toolPath = factory(d);
-      }
-    }
-  };
-  applyFactory(
-    staged,
-    (d) => d.versionSegment ? `${d.group}.${d.versionSegment}.${d.leaf}` : d.toolPath
-  );
-  applyFactory(staged, (d) => {
-    const prefix = d.versionSegment ? `${d.group}.${d.versionSegment}` : d.group;
-    return `${prefix}.${d.leaf}${toPascalCase(d.method)}`;
-  });
-  applyFactory(staged, (d) => {
-    const prefix = d.versionSegment ? `${d.group}.${d.versionSegment}` : d.group;
-    return `${prefix}.${d.leaf}${toPascalCase(d.method)}${d.operationHash.slice(0, 8)}`;
-  });
-  return staged.map((d) => ({
-    toolPath: d.toolPath,
-    group: d.group,
-    leaf: d.leaf,
-    operationIndex: d.operationIndex,
-    operation: d.operation
-  }));
-};
-var stableHash = (value) => {
-  const str = JSON.stringify(value, Object.keys(value).sort());
-  let hash = 0;
-  for (let i = 0; i < str.length; i++) {
-    hash = (hash << 5) - hash + str.charCodeAt(i) | 0;
-  }
-  return Math.abs(hash).toString(36).padStart(8, "0");
-};
-var compileToolDefinitions = (operations) => {
-  const raw = operations.map((op, index) => {
-    const operationId = op.operationId;
-    const group = normalizeGroupSegment(op.tags[0]) ?? derivePathGroup(op.pathTemplate);
-    const leaf = deriveLeaf(operationId, op.method, op.pathTemplate, group);
-    const versionSegment = deriveVersionSegment(op.pathTemplate);
-    const operationHash = stableHash({
-      method: op.method,
-      path: op.pathTemplate,
-      operationId
-    });
-    return {
-      toolPath: `${group}.${leaf}`,
-      group,
-      leaf,
-      versionSegment,
-      method: op.method,
-      operationHash,
-      operationIndex: index,
-      operation: op
-    };
-  });
-  return resolveCollisions(raw).sort((a, b) => a.toolPath.localeCompare(b.toolPath));
-};
-
-// src/sdk/plugin.ts
-var STRINGIFIED_BODY_CAP = 1024;
-var UpstreamMessageBody = Schema2.Struct({ message: Schema2.String });
-var UpstreamErrorMessageBody = Schema2.Struct({ errorMessage: Schema2.String });
-var UpstreamNestedErrorBody = Schema2.Struct({ error: UpstreamMessageBody });
-var UpstreamErrorsArrayBody = Schema2.Struct({
-  errors: Schema2.Array(
-    Schema2.Struct({
-      detail: Schema2.optional(Schema2.String),
-      message: Schema2.optional(Schema2.String),
-      title: Schema2.optional(Schema2.String)
-    })
-  )
-});
-var UpstreamDescriptionBody = Schema2.Struct({
-  detail: Schema2.optional(Schema2.String),
-  title: Schema2.optional(Schema2.String),
-  description: Schema2.optional(Schema2.String)
-});
-var decodeUpstreamMessageBody = Schema2.decodeUnknownOption(UpstreamMessageBody);
-var decodeUpstreamErrorMessageBody = Schema2.decodeUnknownOption(UpstreamErrorMessageBody);
-var decodeUpstreamNestedErrorBody = Schema2.decodeUnknownOption(UpstreamNestedErrorBody);
-var decodeUpstreamErrorsArrayBody = Schema2.decodeUnknownOption(UpstreamErrorsArrayBody);
-var decodeUpstreamDescriptionBody = Schema2.decodeUnknownOption(UpstreamDescriptionBody);
-var clampedStringify = (value) => {
-  let s;
-  try {
-    s = JSON.stringify(value);
-  } catch {
-    s = String(value);
-  }
-  return s.length > STRINGIFIED_BODY_CAP ? `${s.slice(0, STRINGIFIED_BODY_CAP)}\u2026` : s;
-};
-var firstNonEmpty = (...values) => values.find((value) => value !== void 0 && value.length > 0);
-var extractUpstreamMessage = (body, status) => {
-  if (typeof body === "string") {
-    return body.length > 0 ? body : `Upstream returned HTTP ${status}`;
-  }
-  const nested = Option3.getOrUndefined(decodeUpstreamNestedErrorBody(body));
-  const messageBody = Option3.getOrUndefined(decodeUpstreamMessageBody(body));
-  const errorMessageBody = Option3.getOrUndefined(decodeUpstreamErrorMessageBody(body));
-  const errorsBody = Option3.getOrUndefined(decodeUpstreamErrorsArrayBody(body));
-  const descriptionBody = Option3.getOrUndefined(decodeUpstreamDescriptionBody(body));
-  const arrayMessage = errorsBody?.errors.map(
-    ({ detail, message: upstreamMessage, title }) => firstNonEmpty(detail, upstreamMessage, title)
-  ).find((message2) => message2 !== void 0);
-  const message = firstNonEmpty(
-    nested?.error.message,
-    messageBody?.message,
-    errorMessageBody?.errorMessage,
-    arrayMessage,
-    descriptionBody?.detail,
-    descriptionBody?.title,
-    descriptionBody?.description
-  );
-  if (message !== void 0) return message;
-  if (body !== null && typeof body === "object") {
-    return clampedStringify(body);
-  }
-  return `Upstream returned HTTP ${status}`;
-};
-var PreviewSpecInputSchema = Schema2.Struct({
-  spec: Schema2.String,
-  specFetchCredentials: Schema2.optional(
-    Schema2.Struct({
-      headers: Schema2.optional(Schema2.Record(Schema2.String, HeaderValue)),
-      queryParams: Schema2.optional(Schema2.Record(Schema2.String, HeaderValue))
-    })
-  )
-});
-var StaticPreviewServerVariableSchema = Schema2.Struct({
-  default: Schema2.String,
-  enum: Schema2.NullOr(Schema2.Array(Schema2.String)),
-  description: Schema2.NullOr(Schema2.String)
-});
-var StaticPreviewServerSchema = Schema2.Struct({
-  url: Schema2.String,
-  description: Schema2.NullOr(Schema2.String),
-  variables: Schema2.NullOr(Schema2.Record(Schema2.String, StaticPreviewServerVariableSchema))
-});
-var StaticPreviewOAuthAuthorizationCodeFlowSchema = Schema2.Struct({
-  authorizationUrl: Schema2.String,
-  tokenUrl: Schema2.String,
-  refreshUrl: Schema2.NullOr(Schema2.String),
-  scopes: Schema2.Record(Schema2.String, Schema2.String)
-});
-var StaticPreviewOAuthClientCredentialsFlowSchema = Schema2.Struct({
-  tokenUrl: Schema2.String,
-  refreshUrl: Schema2.NullOr(Schema2.String),
-  scopes: Schema2.Record(Schema2.String, Schema2.String)
-});
-var StaticPreviewOAuthFlowsSchema = Schema2.Struct({
-  authorizationCode: Schema2.NullOr(StaticPreviewOAuthAuthorizationCodeFlowSchema),
-  clientCredentials: Schema2.NullOr(StaticPreviewOAuthClientCredentialsFlowSchema)
-});
-var StaticPreviewSecuritySchemeSchema = Schema2.Struct({
-  name: Schema2.String,
-  type: Schema2.Literals(["http", "apiKey", "oauth2", "openIdConnect"]),
-  scheme: Schema2.NullOr(Schema2.String),
-  bearerFormat: Schema2.NullOr(Schema2.String),
-  in: Schema2.NullOr(Schema2.Literals(["header", "query", "cookie"])),
-  headerName: Schema2.NullOr(Schema2.String),
-  description: Schema2.NullOr(Schema2.String),
-  flows: Schema2.NullOr(StaticPreviewOAuthFlowsSchema),
-  openIdConnectUrl: Schema2.NullOr(Schema2.String)
-});
-var StaticPreviewOAuth2PresetSchema = Schema2.Struct({
-  label: Schema2.String,
-  securitySchemeName: Schema2.String,
-  flow: Schema2.Literals(["authorizationCode", "clientCredentials"]),
-  authorizationUrl: Schema2.NullOr(Schema2.String),
-  tokenUrl: Schema2.String,
-  refreshUrl: Schema2.NullOr(Schema2.String),
-  scopes: Schema2.Record(Schema2.String, Schema2.String)
-});
-var StaticPreviewSpecOutputSchema = Schema2.Struct({
-  title: Schema2.NullOr(Schema2.String),
-  version: Schema2.NullOr(Schema2.String),
-  servers: Schema2.Array(StaticPreviewServerSchema),
-  operationCount: Schema2.Number,
-  tags: Schema2.Array(Schema2.String),
-  securitySchemes: Schema2.Array(StaticPreviewSecuritySchemeSchema),
-  authStrategies: Schema2.Array(Schema2.Struct({ schemes: Schema2.Array(Schema2.String) })),
-  headerPresets: Schema2.Array(
-    Schema2.Struct({
-      label: Schema2.String,
-      headers: Schema2.Record(Schema2.String, Schema2.NullOr(Schema2.String)),
-      secretHeaders: Schema2.Array(Schema2.String)
-    })
-  ),
-  oauth2Presets: Schema2.Array(StaticPreviewOAuth2PresetSchema)
-});
-var OpenApiSpecInputSchema = Schema2.Union([
-  Schema2.Struct({ kind: Schema2.Literal("url"), url: Schema2.String }),
-  Schema2.Struct({ kind: Schema2.Literal("blob"), value: Schema2.String })
-]);
-var OpenApiSecretShapeInputSchema = Schema2.Struct({
-  kind: Schema2.Literal("secret"),
-  prefix: Schema2.optional(Schema2.String)
-});
-var OpenApiConfiguredValueInputSchema = Schema2.Union([
-  Schema2.String,
-  OpenApiSecretShapeInputSchema
-]);
-var OpenApiConfigureCredentialInputSchema = Schema2.Union([
-  Schema2.String,
-  Schema2.Struct({
-    kind: Schema2.Literal("text"),
-    text: Schema2.String,
-    prefix: Schema2.optional(Schema2.String)
-  }),
-  Schema2.Struct({
-    kind: Schema2.Literal("secret"),
-    secretId: Schema2.String,
-    secretScope: Schema2.optional(Schema2.String),
-    prefix: Schema2.optional(Schema2.String)
-  }),
-  Schema2.Struct({
-    kind: Schema2.Literal("connection"),
-    connectionId: Schema2.String
-  })
-]);
-var OpenApiConfigureInputSchema = Schema2.Struct({
-  scope: Schema2.String,
-  name: Schema2.optional(Schema2.String),
-  baseUrl: Schema2.optional(Schema2.String),
-  headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)),
-  queryParams: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)),
-  specFetchCredentials: Schema2.optional(
-    Schema2.Struct({
-      headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)),
-      queryParams: Schema2.optional(
-        Schema2.Record(Schema2.String, OpenApiConfigureCredentialInputSchema)
-      )
-    })
-  ),
-  oauth2: Schema2.optional(
-    Schema2.Struct({
-      clientId: Schema2.optional(OpenApiConfigureCredentialInputSchema),
-      clientSecret: Schema2.optional(OpenApiConfigureCredentialInputSchema),
-      connection: Schema2.optional(OpenApiConfigureCredentialInputSchema)
-    })
-  ),
-  oauth2Source: Schema2.optional(OAuth2SourceConfig)
-});
-var OpenApiConfigureSourceInputSchema = Schema2.Struct({
-  source: Schema2.Struct({
-    id: Schema2.String,
-    scope: Schema2.String
-  }),
-  ...OpenApiConfigureInputSchema.fields
-});
-var OpenApiOAuthInputSchema = OAuth2SourceConfig;
-var AddSourceInputSchema = Schema2.Struct({
-  spec: OpenApiSpecInputSchema,
-  name: Schema2.String,
-  baseUrl: Schema2.String,
-  namespace: Schema2.String,
-  headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema)),
-  queryParams: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema)),
-  oauth2: Schema2.optional(OpenApiOAuthInputSchema),
-  specFetchCredentials: Schema2.optional(
-    Schema2.Struct({
-      headers: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema)),
-      queryParams: Schema2.optional(Schema2.Record(Schema2.String, OpenApiConfiguredValueInputSchema))
-    })
-  )
-});
-var AddSourceOutputSchema = Schema2.Struct({
-  sourceId: Schema2.String,
-  source: Schema2.Struct({
-    id: Schema2.String,
-    scope: Schema2.String
-  }),
-  toolCount: Schema2.Number
-});
-var GetSourceInputSchema = Schema2.Struct({
-  namespace: Schema2.String,
-  scope: Schema2.String
-});
-var GetSourceOutputSchema = Schema2.Struct({
-  source: Schema2.NullOr(Schema2.Unknown)
-});
-var PreviewSpecInputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(PreviewSpecInputSchema)
-);
-var PreviewSpecOutputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(StaticPreviewSpecOutputSchema)
-);
-var AddSourceInputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(AddSourceInputSchema)
-);
-var AddSourceOutputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(AddSourceOutputSchema)
-);
-var OpenApiConfigureSourceInputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(OpenApiConfigureSourceInputSchema)
-);
-var OpenApiConfigureSourceOutputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(Schema2.Struct({ result: Schema2.Array(CredentialBindingRef) }))
-);
-var GetSourceInputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(GetSourceInputSchema)
-);
-var GetSourceOutputStandardSchema = Schema2.toStandardSchemaV1(
-  Schema2.toStandardJSONSchemaV1(GetSourceOutputSchema)
-);
-var openApiToolFailure = (code, message, details) => ToolResult.fail({
-  code,
-  message,
-  ...details === void 0 ? {} : { details }
-});
-var openApiAuthToolFailure = (failure) => authToolFailure({
-  code: failure.code,
-  message: failure.message,
-  source: { id: failure.sourceId, scope: failure.sourceScope },
-  credential: {
-    kind: failure.credentialKind,
-    ...failure.credentialLabel ? { label: failure.credentialLabel } : {},
-    ...failure.slotKey ? { slotKey: failure.slotKey } : {},
-    ...failure.secretId ? { secretId: failure.secretId } : {},
-    ...failure.connectionId ? { connectionId: failure.connectionId } : {}
-  },
-  ...failure.status !== void 0 ? { status: failure.status } : {},
-  ...failure.details !== void 0 ? {
-    upstream: {
-      ...failure.status !== void 0 ? { status: failure.status } : {},
-      details: failure.details
-    }
-  } : {},
-  recovery: { configureSourceTool: "executor.openapi.configureSource" }
-});
-var staticPreviewOutput = (preview) => ({
-  title: Option3.getOrNull(preview.title),
-  version: Option3.getOrNull(preview.version),
-  servers: preview.servers.map((server) => ({
-    url: server.url,
-    description: Option3.getOrNull(server.description),
-    variables: Option3.getOrNull(server.variables) ? Object.fromEntries(
-      Object.entries(Option3.getOrNull(server.variables) ?? {}).map(([name, variable]) => [
-        name,
-        {
-          default: variable.default,
-          enum: Option3.getOrNull(variable.enum),
-          description: Option3.getOrNull(variable.description)
-        }
-      ])
-    ) : null
-  })),
-  operationCount: preview.operationCount,
-  tags: preview.tags,
-  securitySchemes: preview.securitySchemes.map((scheme) => ({
-    name: scheme.name,
-    type: scheme.type,
-    scheme: Option3.getOrNull(scheme.scheme),
-    bearerFormat: Option3.getOrNull(scheme.bearerFormat),
-    in: Option3.getOrNull(scheme.in),
-    headerName: Option3.getOrNull(scheme.headerName),
-    description: Option3.getOrNull(scheme.description),
-    flows: Option3.isSome(scheme.flows) ? {
-      authorizationCode: Option3.isSome(scheme.flows.value.authorizationCode) ? {
-        authorizationUrl: scheme.flows.value.authorizationCode.value.authorizationUrl,
-        tokenUrl: scheme.flows.value.authorizationCode.value.tokenUrl,
-        refreshUrl: Option3.getOrNull(scheme.flows.value.authorizationCode.value.refreshUrl),
-        scopes: scheme.flows.value.authorizationCode.value.scopes
-      } : null,
-      clientCredentials: Option3.isSome(scheme.flows.value.clientCredentials) ? {
-        tokenUrl: scheme.flows.value.clientCredentials.value.tokenUrl,
-        refreshUrl: Option3.getOrNull(scheme.flows.value.clientCredentials.value.refreshUrl),
-        scopes: scheme.flows.value.clientCredentials.value.scopes
-      } : null
-    } : null,
-    openIdConnectUrl: Option3.getOrNull(scheme.openIdConnectUrl)
-  })),
-  authStrategies: preview.authStrategies,
-  headerPresets: preview.headerPresets,
-  oauth2Presets: preview.oauth2Presets.map((preset) => ({
-    label: preset.label,
-    securitySchemeName: preset.securitySchemeName,
-    flow: preset.flow,
-    authorizationUrl: Option3.getOrNull(preset.authorizationUrl),
-    tokenUrl: preset.tokenUrl,
-    refreshUrl: Option3.getOrNull(preset.refreshUrl),
-    scopes: preset.scopes
-  }))
-});
-var resolveStaticScopeInput = (ctx, value) => String(
-  ctx.scopes.find((scope) => scope.name === value || String(scope.id) === value)?.id ?? value
-);
-var normalizeOpenApiRefs = (node) => {
-  if (node == null || typeof node !== "object") return node;
-  if (Array.isArray(node)) {
-    let changed2 = false;
-    const out = node.map((item) => {
-      const n = normalizeOpenApiRefs(item);
-      if (n !== item) changed2 = true;
-      return n;
-    });
-    return changed2 ? out : node;
-  }
-  const obj = node;
-  if (typeof obj.$ref === "string") {
-    const match = obj.$ref.match(/^#\/components\/schemas\/(.+)$/);
-    if (match) return { ...obj, $ref: `#/$defs/${match[1]}` };
-    return obj;
-  }
-  let changed = false;
-  const result = {};
-  for (const [k, v] of Object.entries(obj)) {
-    const n = normalizeOpenApiRefs(v);
-    if (n !== v) changed = true;
-    result[k] = n;
-  }
-  return changed ? result : obj;
-};
-var toBinding = (def) => OperationBinding.make({
-  method: def.operation.method,
-  pathTemplate: def.operation.pathTemplate,
-  parameters: [...def.operation.parameters],
-  requestBody: def.operation.requestBody
-});
-var descriptionFor = (def) => {
-  const op = def.operation;
-  return Option3.getOrElse(
-    op.description,
-    () => Option3.getOrElse(op.summary, () => `${op.method.toUpperCase()} ${op.pathTemplate}`)
-  );
-};
-var slotPart = (value) => value.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "") || "default";
-var headerSlotFromName = (name) => `header:${slotPart(name)}`;
-var queryParamSlotFromName = (name) => `query_param:${slotPart(name)}`;
-var specFetchHeaderSlotFromName = (name) => `spec_fetch_header:${slotPart(name)}`;
-var specFetchQueryParamSlotFromName = (name) => `spec_fetch_query_param:${slotPart(name)}`;
-var canonicalizeHeaders = (headers) => {
-  const nextHeaders = {};
-  for (const [name, value] of Object.entries(headers ?? {})) {
-    if (typeof value === "string") {
-      nextHeaders[name] = value;
-      continue;
-    }
-    if (value.kind === "binding") {
-      nextHeaders[name] = value;
-      continue;
-    }
-    const slot = headerSlotFromName(name);
-    nextHeaders[name] = ConfiguredHeaderBinding.make({
-      kind: "binding",
-      slot,
-      prefix: value.prefix
-    });
-  }
-  return { headers: nextHeaders };
-};
-var canonicalizeCredentialMap = (values, slotForName) => {
-  const nextValues = {};
-  for (const [name, value] of Object.entries(values ?? {})) {
-    if (typeof value === "string") {
-      nextValues[name] = value;
-      continue;
-    }
-    if (value.kind === "binding") {
-      nextValues[name] = value;
-      continue;
-    }
-    const slot = slotForName(name);
-    nextValues[name] = ConfiguredHeaderBinding.make({
-      kind: "binding",
-      slot,
-      prefix: value.prefix
-    });
-  }
-  return { values: nextValues };
-};
-var canonicalizeSpecFetchCredentials = (credentials) => {
-  const headers = canonicalizeCredentialMap(credentials?.headers, specFetchHeaderSlotFromName);
-  const queryParams = canonicalizeCredentialMap(
-    credentials?.queryParams,
-    specFetchQueryParamSlotFromName
-  );
-  const nextCredentials = Object.keys(headers.values).length === 0 && Object.keys(queryParams.values).length === 0 ? void 0 : {
-    ...Object.keys(headers.values).length > 0 ? { headers: headers.values } : {},
-    ...Object.keys(queryParams.values).length > 0 ? { queryParams: queryParams.values } : {}
-  };
-  return {
-    credentials: nextCredentials
-  };
-};
-var canonicalizeOAuth2 = (oauth2) => {
-  if (!oauth2) return {};
-  return {
-    oauth2
-  };
-};
-var configuredValueFromConfigureInput = (slot, input) => {
-  if (typeof input === "string") {
-    return {
-      configured: ConfiguredHeaderBinding.make({ kind: "binding", slot }),
-      value: { kind: "text", text: input }
-    };
-  }
-  if (input.kind === "text") {
-    return {
-      configured: ConfiguredHeaderBinding.make({
-        kind: "binding",
-        slot,
-        prefix: input.prefix
-      }),
-      value: { kind: "text", text: input.text }
-    };
-  }
-  if (input.kind === "secret") {
-    return {
-      configured: ConfiguredHeaderBinding.make({
-        kind: "binding",
-        slot,
-        prefix: input.prefix
-      }),
-      value: {
-        kind: "secret",
-        secretId: SecretId.make(input.secretId),
-        ...input.secretScope ? { secretScopeId: ScopeId.make(input.secretScope) } : {}
-      }
-    };
-  }
-  return {
-    configured: ConfiguredHeaderBinding.make({ kind: "binding", slot }),
-    value: { kind: "connection", connectionId: ConnectionId.make(input.connectionId) }
-  };
-};
-var configureMap = (values, slotForName) => {
-  const configured = {};
-  const bindings = [];
-  for (const [name, input] of Object.entries(values ?? {})) {
-    const slotKey = slotForName(name);
-    const next = configuredValueFromConfigureInput(slotKey, input);
-    configured[name] = next.configured;
-    bindings.push({ slotKey, value: next.value });
-  }
-  return { configured, bindings };
-};
-var configureOpenApiSource = (ctx, source, input) => Effect3.gen(function* () {
-  const existing = yield* ctx.storage.getSource(source.id, source.scope);
-  if (!existing) {
-    return yield* new StorageError({
-      message: `Cannot configure OpenAPI source "${source.id}" at scope "${source.scope}": source is not visible.`,
-      cause: void 0
-    });
-  }
-  const headers = configureMap(input.headers, headerSlotFromName);
-  const queryParams = configureMap(input.queryParams, queryParamSlotFromName);
-  const specFetchHeaders = configureMap(
-    input.specFetchCredentials?.headers,
-    specFetchHeaderSlotFromName
-  );
-  const specFetchQueryParams = configureMap(
-    input.specFetchCredentials?.queryParams,
-    specFetchQueryParamSlotFromName
-  );
-  const oauth2 = existing.config.oauth2;
-  const oauth2Bindings = [];
-  if (oauth2 && input.oauth2?.clientId) {
-    oauth2Bindings.push({
-      slotKey: oauth2.clientIdSlot,
-      value: configuredValueFromConfigureInput(oauth2.clientIdSlot, input.oauth2.clientId).value
-    });
-  }
-  if (oauth2?.clientSecretSlot && input.oauth2?.clientSecret) {
-    oauth2Bindings.push({
-      slotKey: oauth2.clientSecretSlot,
-      value: configuredValueFromConfigureInput(oauth2.clientSecretSlot, input.oauth2.clientSecret).value
-    });
-  }
-  if (oauth2 && input.oauth2?.connection) {
-    oauth2Bindings.push({
-      slotKey: oauth2.connectionSlot,
-      value: configuredValueFromConfigureInput(oauth2.connectionSlot, input.oauth2.connection).value
-    });
-  }
-  const specFetchCredentials = input.specFetchCredentials === void 0 ? existing.config.specFetchCredentials : {
-    headers: specFetchHeaders.configured,
-    queryParams: specFetchQueryParams.configured
-  };
-  const affectedPrefixes = [
-    ...input.headers !== void 0 ? ["header:"] : [],
-    ...input.queryParams !== void 0 ? ["query_param:"] : [],
-    ...input.specFetchCredentials?.headers !== void 0 ? ["spec_fetch:header:"] : [],
-    ...input.specFetchCredentials?.queryParams !== void 0 ? ["spec_fetch:query_param:"] : [],
-    ...input.oauth2 !== void 0 ? ["oauth2:"] : []
-  ];
-  const bindings = [
-    ...headers.bindings,
-    ...queryParams.bindings,
-    ...specFetchHeaders.bindings,
-    ...specFetchQueryParams.bindings,
-    ...oauth2Bindings
-  ];
-  const nextConfiguredValues = (current, next, provided) => {
-    if (!provided) return current;
-    if (Object.keys(next).length === 0) return {};
-    return { ...current ?? {}, ...next };
-  };
-  return yield* ctx.transaction(
-    Effect3.gen(function* () {
-      yield* ctx.storage.updateSourceMeta(source.id, source.scope, {
-        headers: nextConfiguredValues(
-          existing.config.headers,
-          headers.configured,
-          input.headers !== void 0
-        ),
-        queryParams: nextConfiguredValues(
-          existing.config.queryParams,
-          queryParams.configured,
-          input.queryParams !== void 0
-        ),
-        specFetchCredentials
-      });
-      if (affectedPrefixes.length > 0 || bindings.length > 0) {
-        return yield* ctx.credentialBindings.replaceForSource({
-          targetScope: ScopeId.make(input.scope),
-          pluginId: OPENAPI_PLUGIN_ID,
-          sourceId: source.id,
-          sourceScope: ScopeId.make(source.scope),
-          slotPrefixes: affectedPrefixes,
-          bindings
-        });
-      }
-      return [];
-    })
-  );
-});
-var OPENAPI_PLUGIN_ID = "openapi";
-var scopeRanks = (ctx) => new Map(ctx.scopes.map((scope, index) => [String(scope.id), index]));
-var scopeRank = (ranks, scopeId) => ranks.get(scopeId) ?? Infinity;
-var resolveOpenApiCredentialBinding = (ctx, sourceId, sourceScope, slot) => ctx.credentialBindings.resolveBinding({
-  pluginId: OPENAPI_PLUGIN_ID,
-  sourceId,
-  sourceScope: ScopeId.make(sourceScope),
-  slotKey: slot
-});
-var findOuterSource = (ctx, namespace, scope) => Effect3.gen(function* () {
-  const ranks = scopeRanks(ctx);
-  const baseRank = scopeRank(ranks, scope);
-  for (let index = baseRank + 1; index < ctx.scopes.length; index++) {
-    const candidateScope = ctx.scopes[index];
-    if (!candidateScope) continue;
-    const source = yield* ctx.storage.getSource(namespace, candidateScope.id);
-    if (source) return source;
-  }
-  return null;
-});
-var resolveEffectiveSourceConfig = (ctx, base) => Effect3.gen(function* () {
-  const fallback = yield* findOuterSource(ctx, base.namespace, base.scope);
-  if (!fallback) {
-    return {
-      config: base.config,
-      headersSource: base,
-      queryParamsSource: base,
-      specFetchCredentialsSource: base,
-      oauth2Source: base
-    };
-  }
-  const hasBaseHeaders = Object.keys(base.config.headers ?? {}).length > 0;
-  const hasBaseQueryParams = Object.keys(base.config.queryParams ?? {}).length > 0;
-  const hasBaseSpecFetchCredentials = base.config.specFetchCredentials !== void 0;
-  return {
-    config: {
-      ...base.config,
-      sourceUrl: base.config.sourceUrl ?? fallback.config.sourceUrl,
-      baseUrl: fallback.config.baseUrl,
-      namespace: base.config.namespace ?? fallback.config.namespace,
-      headers: hasBaseHeaders ? base.config.headers : fallback.config.headers,
-      queryParams: hasBaseQueryParams ? base.config.queryParams : fallback.config.queryParams,
-      specFetchCredentials: base.config.specFetchCredentials ?? fallback.config.specFetchCredentials,
-      oauth2: base.config.oauth2 ?? fallback.config.oauth2
-    },
-    headersSource: hasBaseHeaders ? base : fallback,
-    queryParamsSource: hasBaseQueryParams ? base : fallback,
-    specFetchCredentialsSource: hasBaseSpecFetchCredentials ? base : fallback,
-    oauth2Source: base.config.oauth2 ? base : fallback
-  };
-});
-var resolveConfiguredValueMap = (ctx, params) => Effect3.gen(function* () {
-  const resolved = {};
-  for (const [name, value] of Object.entries(params.values)) {
-    if (typeof value === "string") {
-      resolved[name] = value;
-      continue;
-    }
-    const binding = yield* resolveOpenApiCredentialBinding(
-      ctx,
-      params.sourceId,
-      params.sourceScope,
-      value.slot
-    );
-    if (binding?.value.kind === "secret") {
-      const secretBinding = binding.value;
-      const secret = yield* ctx.secrets.getAtScope(secretBinding.secretId, secretBinding.secretScopeId ?? binding.scopeId).pipe(
-        Effect3.catchTag(
-          "SecretOwnedByConnectionError",
-          () => Effect3.fail(
-            new OpenApiAuthRequiredError({
-              code: "credential_secret_missing",
-              sourceId: params.sourceId,
-              sourceScope: params.sourceScope,
-              credentialKind: "secret",
-              credentialLabel: name,
-              slotKey: value.slot,
-              secretId: String(secretBinding.secretId),
-              message: `Secret not found for ${params.missingLabel} "${name}"`
-            })
-          )
-        )
-      );
-      if (secret === null) {
-        return yield* new OpenApiAuthRequiredError({
-          code: "credential_secret_missing",
-          sourceId: params.sourceId,
-          sourceScope: params.sourceScope,
-          credentialKind: "secret",
-          credentialLabel: name,
-          slotKey: value.slot,
-          secretId: String(secretBinding.secretId),
-          message: `Missing secret "${secretBinding.secretId}" for ${params.missingLabel} "${name}"`
-        });
-      }
-      resolved[name] = value.prefix ? `${value.prefix}${secret}` : secret;
-      continue;
-    }
-    if (binding?.value.kind === "text") {
-      resolved[name] = value.prefix ? `${value.prefix}${binding.value.text}` : binding.value.text;
-      continue;
-    }
-    return yield* new OpenApiAuthRequiredError({
-      code: "credential_binding_missing",
-      sourceId: params.sourceId,
-      sourceScope: params.sourceScope,
-      credentialKind: "secret",
-      credentialLabel: name,
-      slotKey: value.slot,
-      message: `Missing binding for ${params.missingLabel} "${name}"`
-    });
-  }
-  return resolved;
-});
-var resolveConfiguredHeaders = (ctx, params) => resolveConfiguredValueMap(ctx, {
-  sourceId: params.sourceId,
-  sourceScope: params.sourceScope,
-  values: params.headers,
-  missingLabel: "header"
-});
-var resolveSecretBackedValues = (ctx, values) => resolveSecretBackedMap({
-  values,
-  getSecret: ctx.secrets.get,
-  onMissing: (name) => new OpenApiOAuthError({
-    message: `Secret not found for "${name}"`
-  }),
-  onError: (err, name) => Predicate2.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({
-    message: `Secret not found for "${name}"`
-  }) : err
-}).pipe(
-  Effect3.mapError(
-    (err) => Predicate2.isTagged("SecretOwnedByConnectionError")(err) ? new OpenApiOAuthError({ message: "Secret resolution failed" }) : err
-  ),
-  Effect3.map((resolved) => resolved ?? {})
-);
-var resolveOAuthConnectionId = (ctx, params) => Effect3.gen(function* () {
-  const binding = yield* resolveOpenApiCredentialBinding(
-    ctx,
-    params.sourceId,
-    params.sourceScope,
-    params.oauth2.connectionSlot
-  );
-  if (binding?.value.kind === "connection") {
-    const connectionId = binding.value.connectionId;
-    const connection = yield* ctx.connections.getAtScope(connectionId, binding.scopeId);
-    return connection ? { connectionId, scopeId: binding.scopeId } : null;
-  }
-  return null;
-});
-var resolveSpecFetchInputCredentials = (ctx, credentials) => Effect3.gen(function* () {
-  if (!credentials) return void 0;
-  return {
-    headers: yield* resolveSecretBackedValues(ctx, credentials.headers),
-    queryParams: yield* resolveSecretBackedValues(ctx, credentials.queryParams)
-  };
-});
-var resolveStoredSpecFetchCredentials = (ctx, params) => Effect3.gen(function* () {
-  if (!params.credentials) return void 0;
-  return {
-    headers: yield* resolveConfiguredValueMap(ctx, {
-      sourceId: params.sourceId,
-      sourceScope: params.sourceScope,
-      values: params.credentials.headers ?? {},
-      missingLabel: "spec fetch header"
-    }),
-    queryParams: yield* resolveConfiguredValueMap(ctx, {
-      sourceId: params.sourceId,
-      sourceScope: params.sourceScope,
-      values: params.credentials.queryParams ?? {},
-      missingLabel: "spec fetch query parameter"
-    })
-  };
-}).pipe(
-  Effect3.catchTag(
-    "OpenApiAuthRequiredError",
-    ({ message }) => Effect3.fail(new OpenApiOAuthError({ message }))
-  )
-);
-var toOpenApiSourceConfig = (namespace, config) => {
-  const configHeaders = {};
-  for (const [name, value] of Object.entries(config.headers ?? {})) {
-    if (typeof value === "string") {
-      configHeaders[name] = value;
-    }
-  }
-  return {
-    kind: "openapi",
-    spec: specInputToConfigString(config.spec),
-    baseUrl: config.baseUrl,
-    namespace,
-    headers: headersToConfigValues(
-      Object.keys(configHeaders).length > 0 ? configHeaders : void 0
-    )
-  };
-};
-var specInputToConfigString = (spec) => spec.kind === "url" ? spec.url : spec.value;
-var openApiPlugin = definePlugin((options) => {
-  const rebuildSource = (ctx, input) => Effect3.gen(function* () {
-    const doc = yield* parse(input.specText);
-    const result = yield* extract(doc);
-    const namespace = input.namespace;
-    const outerSource = yield* findOuterSource(ctx, namespace, input.scope);
-    if (outerSource && input.baseUrl !== void 0 && input.baseUrl.trim() !== "") {
-      return yield* new OpenApiOAuthError({
-        message: "OpenAPI source shadows inherit the outer source base URL"
-      });
-    }
-    const hoistedDefs = {};
-    if (doc.components?.schemas) {
-      for (const [k, v] of Object.entries(doc.components.schemas)) {
-        hoistedDefs[k] = normalizeOpenApiRefs(v);
-      }
-    }
-    const baseUrl = outerSource ? void 0 : input.baseUrl;
-    const canonicalHeaders = canonicalizeHeaders(input.headers);
-    const canonicalQueryParams = canonicalizeCredentialMap(
-      input.queryParams,
-      queryParamSlotFromName
-    );
-    const canonicalSpecFetchCredentials = canonicalizeSpecFetchCredentials(
-      input.specFetchCredentials
-    );
-    const canonicalOAuth2 = canonicalizeOAuth2(input.oauth2);
-    const definitions = compileToolDefinitions(result.operations);
-    const sourceName = input.name;
-    const sourceConfig = {
-      spec: input.specText,
-      sourceUrl: input.sourceUrl,
-      baseUrl,
-      namespace: input.namespace,
-      headers: canonicalHeaders.headers,
-      queryParams: canonicalQueryParams.values,
-      specFetchCredentials: canonicalSpecFetchCredentials.credentials,
-      oauth2: canonicalOAuth2.oauth2
-    };
-    const storedSource = {
-      namespace,
-      scope: input.scope,
-      name: sourceName,
-      config: sourceConfig
-    };
-    const storedOps = definitions.map((def) => ({
-      toolId: `${namespace}.${def.toolPath}`,
-      sourceId: namespace,
-      binding: toBinding(def)
-    }));
-    yield* ctx.transaction(
-      Effect3.gen(function* () {
-        yield* ctx.storage.upsertSource(storedSource, storedOps);
-        yield* ctx.core.sources.register({
-          id: namespace,
-          scope: input.scope,
-          kind: "openapi",
-          name: sourceName,
-          url: baseUrl || void 0,
-          canRemove: true,
-          // `canRefresh` reflects whether we still know the
-          // origin URL — sources added from raw spec text have
-          // nothing to re-fetch, so refresh stays disabled.
-          canRefresh: input.sourceUrl != null,
-          canEdit: true,
-          tools: definitions.map((def) => ({
-            name: def.toolPath,
-            description: descriptionFor(def),
-            inputSchema: normalizeOpenApiRefs(Option3.getOrUndefined(def.operation.inputSchema)),
-            outputSchema: normalizeOpenApiRefs(Option3.getOrUndefined(def.operation.outputSchema))
-          }))
-        });
-        if (Object.keys(hoistedDefs).length > 0) {
-          yield* ctx.core.definitions.register({
-            sourceId: namespace,
-            scope: input.scope,
-            definitions: hoistedDefs
-          });
-        }
-      })
-    );
-    return { sourceId: namespace, toolCount: definitions.length };
-  });
-  const refreshSourceInternal = (ctx, sourceId, scope) => Effect3.gen(function* () {
-    const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
-    const existing = yield* ctx.storage.getSource(sourceId, scope);
-    if (!existing) return;
-    const effective = yield* resolveEffectiveSourceConfig(ctx, existing);
-    const resolvedConfig = effective.config;
-    const sourceUrl = resolvedConfig.sourceUrl;
-    if (!sourceUrl) return;
-    const credentials = yield* resolveStoredSpecFetchCredentials(ctx, {
-      sourceId: existing.namespace,
-      sourceScope: effective.specFetchCredentialsSource.scope,
-      credentials: resolvedConfig.specFetchCredentials
-    });
-    const specText = yield* resolveSpecText(sourceUrl, credentials).pipe(
-      Effect3.provide(httpClientLayer)
-    );
-    yield* rebuildSource(ctx, {
-      specText,
-      scope,
-      sourceUrl,
-      name: existing.name,
-      baseUrl: existing.config.baseUrl,
-      namespace: existing.namespace,
-      headers: existing.config.headers,
-      queryParams: existing.config.queryParams,
-      specFetchCredentials: existing.config.specFetchCredentials,
-      oauth2: existing.config.oauth2
-    });
-  });
-  return {
-    id: "openapi",
-    packageName: "@executor-js/plugin-openapi",
-    sourcePresets: openApiPresets,
-    schema: openapiSchema,
-    storage: (deps) => makeDefaultOpenapiStore(deps),
-    extension: (ctx) => {
-      const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
-      const addSpecInternal = (config) => Effect3.gen(function* () {
-        const specText = config.spec.kind === "url" ? yield* resolveSpecText(config.spec.url).pipe(Effect3.provide(httpClientLayer)) : config.spec.value;
-        return yield* rebuildSource(ctx, {
-          specText,
-          scope: config.scope,
-          sourceUrl: config.spec.kind === "url" ? config.spec.url : void 0,
-          name: config.name,
-          baseUrl: config.baseUrl,
-          namespace: config.namespace,
-          headers: config.headers,
-          queryParams: config.queryParams,
-          specFetchCredentials: config.specFetchCredentials,
-          oauth2: config.oauth2
-        });
-      });
-      const configFile = options?.configFile;
-      return {
-        previewSpec: (input) => Effect3.gen(function* () {
-          const previewInput = typeof input === "string" ? { spec: input } : input;
-          const credentials = yield* resolveSpecFetchInputCredentials(
-            ctx,
-            previewInput.specFetchCredentials
-          );
-          const specText = yield* resolveSpecText(previewInput.spec, credentials).pipe(
-            Effect3.provide(httpClientLayer)
-          );
-          return yield* previewSpec(specText).pipe(Effect3.provide(httpClientLayer));
-        }),
-        addSpec: (config) => Effect3.gen(function* () {
-          const result = yield* addSpecInternal(config);
-          if (configFile) {
-            yield* configFile.upsertSource(toOpenApiSourceConfig(result.sourceId, config));
-          }
-          return result;
-        }),
-        removeSpec: (namespace, scope) => Effect3.gen(function* () {
-          yield* ctx.transaction(
-            Effect3.gen(function* () {
-              yield* ctx.credentialBindings.removeForSource({
-                pluginId: OPENAPI_PLUGIN_ID,
-                sourceId: namespace,
-                sourceScope: ScopeId.make(scope)
-              });
-              yield* ctx.storage.removeSource(namespace, scope);
-              yield* ctx.core.sources.unregister({
-                id: namespace,
-                targetScope: scope
-              });
-            })
-          );
-          if (configFile) {
-            yield* configFile.removeSource(namespace);
-          }
-        }),
-        getSource: (namespace, scope) => Effect3.gen(function* () {
-          const source = yield* ctx.storage.getSource(namespace, scope);
-          if (!source) return null;
-          const effective = yield* resolveEffectiveSourceConfig(ctx, source);
-          return {
-            ...source,
-            config: effective.config
-          };
-        }),
-        configure: (source, input) => configureOpenApiSource(ctx, source, input)
-      };
-    },
-    sourceConfigure: {
-      type: "openapi",
-      schema: OpenApiConfigureInputSchema,
-      configure: ({ ctx, sourceId, sourceScope, config }) => Effect3.gen(function* () {
-        const input = config;
-        if (input.name !== void 0 || input.baseUrl !== void 0 || input.oauth2Source !== void 0) {
-          if (input.baseUrl !== void 0 && input.baseUrl.trim() !== "") {
-            const outerSource = yield* findOuterSource(ctx, sourceId, sourceScope);
-            if (outerSource) {
-              return yield* new OpenApiOAuthError({
-                message: "OpenAPI source shadows inherit the outer source base URL"
-              });
-            }
-          }
-          yield* ctx.storage.updateSourceMeta(sourceId, sourceScope, {
-            name: input.name?.trim() || void 0,
-            baseUrl: input.baseUrl,
-            oauth2: input.oauth2Source
-          });
-        }
-        return yield* configureOpenApiSource(ctx, { id: sourceId, scope: sourceScope }, input);
-      })
-    },
-    staticSources: (self) => [
-      {
-        id: "openapi",
-        kind: "executor",
-        name: "OpenAPI",
-        tools: [
-          tool({
-            name: "previewSpec",
-            description: "Preview an OpenAPI document before adding it as a source. Call this first when the user provides a spec URL/blob so you can inspect servers, auth schemes, operation count, tags, and credential slots before `addSource`. This agent-facing preview intentionally omits the full operations list; use `operationCount` and `tags` for full-size specs. Do not collect API keys or OAuth client secrets in chat; use `executor.coreTools.secrets.create` for those values.",
-            inputSchema: PreviewSpecInputStandardSchema,
-            outputSchema: PreviewSpecOutputStandardSchema,
-            execute: (input) => self.previewSpec(input).pipe(
-              Effect3.map((preview) => ToolResult.ok(staticPreviewOutput(preview))),
-              Effect3.catchTags({
-                OpenApiParseError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_parse_failed", message)),
-                OpenApiExtractionError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_extraction_failed", message)),
-                OpenApiOAuthError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_oauth_failed", message))
-              })
-            )
-          }),
-          tool({
-            name: "getSource",
-            description: "Inspect an existing OpenAPI source, including effective base URL, configured headers/query params, OAuth settings, and stored credential slots. Use this before repairing an existing source with `openapi.configureSource`, `secrets.create`, or `oauth.start`.",
-            inputSchema: GetSourceInputStandardSchema,
-            outputSchema: GetSourceOutputStandardSchema,
-            execute: (input, { ctx }) => Effect3.map(
-              self.getSource(input.namespace, resolveStaticScopeInput(ctx, input.scope)),
-              (source) => ToolResult.ok({ source })
-            )
-          }),
-          tool({
-            name: "addSource",
-            description: "Add an OpenAPI source and register its operations as tools. Executor chooses the source install scope (local scope locally, organization scope in cloud) and returns it as `source`. Recommended flow: call `previewSpec`, choose or confirm namespace/name/baseUrl from the preview (baseUrl is only needed when the spec cannot infer one or the user wants an override), declare credential slots here for sensitive headers/query params, then call `secrets.create` and `openapi.configureSource` with the user's chosen credential scope for per-scope bindings. Use `oauth.start` with `credentialScope` set to the user's chosen personal or organization credential scope for browser OAuth sign-in.",
-            annotations: {
-              requiresApproval: true,
-              approvalDescription: "Add an OpenAPI source"
-            },
-            inputSchema: AddSourceInputStandardSchema,
-            outputSchema: AddSourceOutputStandardSchema,
-            execute: (input, { ctx }) => {
-              const sourceScope = defaultSourceInstallScopeId(ctx.scopes);
-              if (sourceScope === null) {
-                return Effect3.succeed(
-                  openApiToolFailure(
-                    "source_scope_unavailable",
-                    "Cannot add an OpenAPI source because this executor has no source install scope."
-                  )
-                );
-              }
-              return self.addSpec({ ...input, scope: sourceScope }).pipe(
-                Effect3.map(
-                  (result) => ToolResult.ok({
-                    ...result,
-                    source: { id: result.sourceId, scope: sourceScope }
-                  })
-                ),
-                Effect3.catchTags({
-                  OpenApiParseError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_parse_failed", message)),
-                  OpenApiExtractionError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_extraction_failed", message)),
-                  OpenApiOAuthError: ({ message }) => Effect3.succeed(openApiToolFailure("openapi_oauth_failed", message))
-                })
-              );
-            }
-          }),
-          tool({
-            name: "configureSource",
-            description: 'Configure an existing OpenAPI source with concrete fields. Use `source` returned by `openapi.addSource` or `sources.list`. The top-level `scope` is the credential target scope for bindings; in cloud, choose the user or organization credential scope deliberately. Pass secret refs as `{kind:"secret", secretId}` and OAuth connections as `{kind:"connection", connectionId}`.',
-            annotations: {
-              requiresApproval: true,
-              approvalDescription: "Configure an OpenAPI source"
-            },
-            inputSchema: OpenApiConfigureSourceInputStandardSchema,
-            outputSchema: OpenApiConfigureSourceOutputStandardSchema,
-            execute: (input, { ctx }) => {
-              const { source, ...config } = input;
-              const sourceScope = resolveStaticScopeInput(ctx, source.scope);
-              const targetScope = resolveStaticScopeInput(ctx, config.scope);
-              return Effect3.map(
-                self.configure(
-                  { id: source.id, scope: sourceScope },
-                  { ...config, scope: targetScope }
-                ),
-                (result) => ToolResult.ok({ result })
-              );
-            }
-          })
-        ]
-      }
-    ],
-    invokeTool: ({ ctx, toolRow, args }) => Effect3.gen(function* () {
-      const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
-      const toolScope = toolRow.scope_id;
-      const op = yield* ctx.storage.getOperationByToolId(toolRow.id, toolScope);
-      if (!op) {
-        return yield* new OpenApiExtractionError({
-          message: `No OpenAPI operation found for tool "${toolRow.id}"`
-        });
-      }
-      const source = yield* ctx.storage.getSource(op.sourceId, toolScope);
-      if (!source) {
-        return yield* new OpenApiExtractionError({
-          message: `No OpenAPI source found for "${op.sourceId}"`
-        });
-      }
-      const effective = yield* resolveEffectiveSourceConfig(ctx, source);
-      const config = effective.config;
-      const resolvedHeaders = yield* resolveConfiguredHeaders(ctx, {
-        sourceId: op.sourceId,
-        sourceScope: effective.headersSource.scope,
-        headers: config.headers ?? {}
-      });
-      const resolvedQueryParams = yield* resolveConfiguredValueMap(ctx, {
-        sourceId: op.sourceId,
-        sourceScope: effective.queryParamsSource.scope,
-        values: config.queryParams ?? {},
-        missingLabel: "query parameter"
-      });
-      if (config.oauth2) {
-        const oauth2 = config.oauth2;
-        const connection = yield* resolveOAuthConnectionId(ctx, {
-          sourceId: op.sourceId,
-          sourceScope: effective.oauth2Source.scope,
-          oauth2
-        });
-        if (!connection) {
-          return yield* new OpenApiAuthRequiredError({
-            code: "oauth_connection_missing",
-            sourceId: op.sourceId,
-            sourceScope: effective.oauth2Source.scope,
-            credentialKind: "connection",
-            credentialLabel: oauth2.flow === "clientCredentials" ? "OAuth client connection" : "OAuth sign-in",
-            slotKey: oauth2.connectionSlot,
-            message: `OAuth configuration for "${op.sourceId}" is missing a connection binding`
-          });
-        }
-        const accessToken = yield* ctx.connections.accessTokenAtScope(connection.connectionId, connection.scopeId).pipe(
-          Effect3.catchTags({
-            ConnectionReauthRequiredError: ({ message, connectionId }) => Effect3.fail(
-              new OpenApiAuthRequiredError({
-                code: "oauth_reauth_required",
-                sourceId: op.sourceId,
-                sourceScope: effective.oauth2Source.scope,
-                credentialKind: "oauth",
-                credentialLabel: oauth2.flow === "clientCredentials" ? "OAuth client connection" : "OAuth sign-in",
-                slotKey: oauth2.connectionSlot,
-                connectionId: String(connectionId),
-                message: `OAuth connection "${connectionId}" needs re-authentication: ${message}`
-              })
-            ),
-            ConnectionNotFoundError: ({ connectionId }) => Effect3.fail(
-              new OpenApiAuthRequiredError({
-                code: "oauth_connection_missing",
-                sourceId: op.sourceId,
-                sourceScope: effective.oauth2Source.scope,
-                credentialKind: "connection",
-                credentialLabel: oauth2.flow === "clientCredentials" ? "OAuth client connection" : "OAuth sign-in",
-                slotKey: oauth2.connectionSlot,
-                connectionId: String(connectionId),
-                message: `OAuth connection "${connectionId}" was not found for "${op.sourceId}"`
-              })
-            ),
-            ConnectionProviderNotRegisteredError: ({ provider }) => Effect3.fail(
-              new OpenApiAuthRequiredError({
-                code: "oauth_connection_failed",
-                sourceId: op.sourceId,
-                sourceScope: effective.oauth2Source.scope,
-                credentialKind: "oauth",
-                credentialLabel: oauth2.flow === "clientCredentials" ? "OAuth client connection" : "OAuth sign-in",
-                slotKey: oauth2.connectionSlot,
-                connectionId: connection.connectionId,
-                message: `OAuth provider "${provider}" is not registered`
-              })
-            ),
-            ConnectionRefreshNotSupportedError: ({ provider, connectionId }) => Effect3.fail(
-              new OpenApiAuthRequiredError({
-                code: "oauth_connection_failed",
-                sourceId: op.sourceId,
-                sourceScope: effective.oauth2Source.scope,
-                credentialKind: "oauth",
-                credentialLabel: oauth2.flow === "clientCredentials" ? "OAuth client connection" : "OAuth sign-in",
-                slotKey: oauth2.connectionSlot,
-                connectionId: String(connectionId),
-                message: `OAuth provider "${provider}" cannot refresh connection "${connectionId}"`
-              })
-            ),
-            ConnectionRefreshError: ({ message, connectionId }) => Effect3.fail(
-              new OpenApiAuthRequiredError({
-                code: "oauth_connection_failed",
-                sourceId: op.sourceId,
-                sourceScope: effective.oauth2Source.scope,
-                credentialKind: "oauth",
-                credentialLabel: oauth2.flow === "clientCredentials" ? "OAuth client connection" : "OAuth sign-in",
-                slotKey: oauth2.connectionSlot,
-                connectionId: String(connectionId),
-                message: `OAuth connection "${connectionId}" refresh failed: ${message}`
-              })
-            )
-          })
-        );
-        resolvedHeaders.authorization = `Bearer ${accessToken}`;
-      }
-      const result = yield* invokeWithLayer(
-        op.binding,
-        args ?? {},
-        config.baseUrl ?? "",
-        resolvedHeaders,
-        resolvedQueryParams,
-        httpClientLayer
-      );
-      const ok = result.status >= 200 && result.status < 300;
-      if (!ok) {
-        if (result.status === 401 || result.status === 403) {
-          return authToolFailure({
-            code: "credential_rejected",
-            status: result.status,
-            message: `Upstream rejected credentials for "${op.sourceId}" with HTTP ${result.status}. Re-authenticate or update the source credentials before retrying this tool.`,
-            source: { id: op.sourceId, scope: toolScope },
-            credential: { kind: "upstream", label: "Upstream authorization" },
-            upstream: { status: result.status, details: result.error },
-            recovery: { configureSourceTool: "executor.openapi.configureSource" }
-          });
-        }
-        return ToolResult.fail({
-          code: "upstream_http_error",
-          status: result.status,
-          message: extractUpstreamMessage(result.error, result.status),
-          details: result.error
-        });
-      }
-      return ToolResult.ok({
-        status: result.status,
-        headers: result.headers,
-        data: result.data
-      });
-    }).pipe(
-      Effect3.catchTag(
-        "OpenApiAuthRequiredError",
-        (error) => Effect3.succeed(openApiAuthToolFailure(error))
-      )
-    ),
-    resolveAnnotations: ({ ctx, sourceId, toolRows }) => Effect3.gen(function* () {
-      const scopes = /* @__PURE__ */ new Set();
-      for (const row of toolRows) {
-        scopes.add(row.scope_id);
-      }
-      const entries = yield* Effect3.forEach(
-        [...scopes],
-        (scope) => Effect3.gen(function* () {
-          const ops = yield* ctx.storage.listOperationsBySource(sourceId, scope);
-          const byId = /* @__PURE__ */ new Map();
-          for (const op of ops) byId.set(op.toolId, op.binding);
-          return [scope, byId];
-        }),
-        { concurrency: "unbounded" }
-      );
-      const byScope = new Map(entries);
-      const out = {};
-      for (const row of toolRows) {
-        const binding = byScope.get(row.scope_id)?.get(row.id);
-        if (binding) {
-          out[row.id] = annotationsForOperation(binding.method, binding.pathTemplate);
-        }
-      }
-      return out;
-    }),
-    removeSource: ({ ctx, sourceId, scope }) => Effect3.gen(function* () {
-      yield* ctx.transaction(
-        Effect3.gen(function* () {
-          yield* ctx.credentialBindings.removeForSource({
-            pluginId: OPENAPI_PLUGIN_ID,
-            sourceId,
-            sourceScope: ScopeId.make(scope)
-          });
-          yield* ctx.storage.removeSource(sourceId, scope);
-        })
-      );
-      if (options?.configFile) {
-        yield* options.configFile.removeSource(sourceId);
-      }
-    }),
-    // OpenAPI credential usages are reported by the core `credential_binding`
-    // table. Source storage carries only source-owned slot structure.
-    usagesForSecret: () => Effect3.succeed([]),
-    usagesForConnection: () => Effect3.succeed([]),
-    // Re-fetch the spec from its origin URL (captured at addSpec time)
-    // and replay the same parse → extract → upsertSource → register
-    // path used by addSpec. Sources without a stored URL surface a
-    // typed `OpenApiParseError` — the executor only dispatches refresh
-    // when `canRefresh: true`, so a raw-text source reaching here
-    // means stale UI state, which is worth surfacing to the caller.
-    refreshSource: ({ ctx, sourceId, scope }) => refreshSourceInternal(ctx, sourceId, scope),
-    detect: ({ ctx, url }) => Effect3.gen(function* () {
-      const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
-      const trimmed = url.trim();
-      if (!trimmed) return null;
-      const parsed = yield* Effect3.try({
-        try: () => new URL(trimmed),
-        catch: (error) => error
-      }).pipe(Effect3.option);
-      if (Option3.isNone(parsed)) return null;
-      const specText = yield* resolveSpecText(trimmed).pipe(
-        Effect3.provide(httpClientLayer),
-        Effect3.catch(() => Effect3.succeed(null))
-      );
-      if (specText === null) return null;
-      const doc = yield* parse(specText).pipe(Effect3.catch(() => Effect3.succeed(null)));
-      if (!doc) return null;
-      const result = yield* extract(doc).pipe(Effect3.catch(() => Effect3.succeed(null)));
-      if (!result) return null;
-      const namespace = Option3.getOrElse(result.title, () => "api").toLowerCase().replace(/[^a-z0-9]+/g, "_");
-      const name = Option3.getOrElse(result.title, () => namespace);
-      return SourceDetectionResult.make({
-        kind: "openapi",
-        confidence: "high",
-        endpoint: trimmed,
-        name,
-        namespace
-      });
-    })
-  };
-});
-
-export {
-  resolveHeaders,
-  invoke,
-  invokeWithLayer,
-  annotationsForOperation,
-  openapiSchema,
-  makeDefaultOpenapiStore,
-  openApiPlugin
-};
-//# sourceMappingURL=chunk-PS5XP3DG.js.map