@executor-js/plugin-openapi 1.5.21 → 2.0.0

package/dist/{chunk-3O3PGRRG.js → chunk-DBA2BHE4.js}

@@ -1,16 +1,20 @@
 import {
   deriveAuthenticationTemplateFromPreview,
   firstBaseUrlForPreview
-} from "./chunk-MWF55JPY.js";
+} from "./chunk-IVRAOG3T.js";
 import {
   openApiPresets
-} from "./chunk-QQFCICLX.js";
+} from "./chunk-HG5JB2UJ.js";
 import {
   InvocationResult,
+  OAuth2AuthorizationCodeFlow,
+  OAuth2Flows,
+  OAuth2Preset,
   OpenApiExtractionError,
   OpenApiInvocationError,
   OpenApiParseError,
   OperationBinding,
+  SecurityScheme,
   buildInputSchema,
   compileToolDefinitions,
   extract,
@@ -23,7 +27,7 @@ import {
   streamOperationBindings,
   streamOperationBindingsFromStructure,
   structuralSplit
-} from "./chunk-R3X27XS6.js";
+} from "./chunk-WWZ7B34D.js";
 
 // src/sdk/config.ts
 import { Option, Schema } from "effect";
@@ -38,7 +42,9 @@ var OAuthAuthenticationSchema = Schema.Struct({
   kind: Schema.Literal("oauth2"),
   authorizationUrl: Schema.String,
   tokenUrl: Schema.String,
-  scopes: Schema.Array(Schema.String)
+  resource: Schema.optional(Schema.NullOr(Schema.String)),
+  scopes: Schema.Array(Schema.String),
+  supportsClientIdMetadataDocument: Schema.optional(Schema.Boolean)
 });
 var AuthenticationSchema = Schema.Union([OAuthAuthenticationSchema, ApiKeyAuthMethod]);
 var OpenApiIntegrationConfigSchema = Schema.Struct({
@@ -343,6 +349,23 @@ var bytesFromBase64Prefix = (base64) => {
   return bytes;
 };
 var sniffMimeTypeFromBase64 = (base64) => sniffMimeType(bytesFromBase64Prefix(base64));
+var base64ToUint8Array = (value) => {
+  let binary = "";
+  try {
+    binary = atob(normalizeBase64(value, "base64"));
+  } catch {
+    return null;
+  }
+  const bytes = new Uint8Array(binary.length);
+  for (let index = 0; index < binary.length; index += 1) {
+    bytes[index] = binary.charCodeAt(index);
+  }
+  return bytes;
+};
+var decodeBase64Body = (value) => {
+  const bytes = base64ToUint8Array(value);
+  return bytes ? { ok: true, bytes } : { ok: false };
+};
 var toUint8Array = (value) => {
   if (value instanceof Uint8Array) return value;
   if (value instanceof ArrayBuffer) return new Uint8Array(value);
@@ -355,6 +378,7 @@ var toUint8Array = (value) => {
   }
   return null;
 };
+var readNestedBodyBase64 = (value) => typeof value === "object" && value !== null && !Array.isArray(value) && Object.prototype.hasOwnProperty.call(value, "bodyBase64") ? value.bodyBase64 : void 0;
 var readHintString = (option, fallback) => Option3.getOrElse(option, () => fallback);
 var readHintMimeType = (hint, fallback) => Option3.getOrElse(hint.mimeType, () => fallback);
 var readHintEncoding = (hint) => Option3.getOrElse(hint.encoding, () => "base64");
@@ -573,12 +597,82 @@ var invoke = Effect2.fn("OpenApi.invoke")(function* (operation, args, resolvedHe
   }
   if (Option3.isSome(operation.requestBody)) {
     const rb = operation.requestBody.value;
-    const bodyValue = args.body ?? args.input;
+    const contentsOpt = Option3.getOrUndefined(rb.contents);
+    const requestedCt = typeof args.contentType === "string" ? args.contentType : void 0;
+    const octetStreamContent = contentsOpt?.find((c) => isOctetStream(c.contentType));
+    const bodyAcceptsOctetStream = Boolean(octetStreamContent) || isOctetStream(rb.contentType);
+    const hasBodyBase64 = Object.prototype.hasOwnProperty.call(args, "bodyBase64");
+    const bodyBase64Raw = args.bodyBase64;
+    const bodyBase64 = typeof bodyBase64Raw === "string" ? decodeBase64Body(bodyBase64Raw) : void 0;
+    if (hasBodyBase64 && typeof bodyBase64Raw !== "string") {
+      return yield* new OpenApiInvocationError({
+        message: "`bodyBase64` must be a base64 string",
+        statusCode: Option3.none()
+      });
+    }
+    if (bodyBase64?.ok === false) {
+      return yield* new OpenApiInvocationError({
+        message: "`bodyBase64` is not valid base64",
+        statusCode: Option3.none()
+      });
+    }
+    if (bodyBase64?.ok === true && !bodyAcceptsOctetStream) {
+      return yield* new OpenApiInvocationError({
+        message: "`bodyBase64` requires an application/octet-stream request body",
+        statusCode: Option3.none()
+      });
+    }
+    if (bodyBase64?.ok === true && requestedCt && !isOctetStream(requestedCt)) {
+      return yield* new OpenApiInvocationError({
+        message: "`bodyBase64` requires an application/octet-stream contentType",
+        statusCode: Option3.none()
+      });
+    }
+    const rawBodyValue = args.body ?? args.input;
+    const nestedBodyBase64Raw = readNestedBodyBase64(rawBodyValue);
+    const hasNestedBodyBase64 = nestedBodyBase64Raw !== void 0;
+    const nestedBodyBase64 = typeof nestedBodyBase64Raw === "string" ? decodeBase64Body(nestedBodyBase64Raw) : void 0;
+    if (hasNestedBodyBase64 && typeof nestedBodyBase64Raw !== "string") {
+      return yield* new OpenApiInvocationError({
+        message: "`body.bodyBase64` must be a base64 string",
+        statusCode: Option3.none()
+      });
+    }
+    if (nestedBodyBase64?.ok === false) {
+      return yield* new OpenApiInvocationError({
+        message: "`body.bodyBase64` is not valid base64",
+        statusCode: Option3.none()
+      });
+    }
+    if (nestedBodyBase64?.ok === true && !bodyAcceptsOctetStream) {
+      return yield* new OpenApiInvocationError({
+        message: "`body.bodyBase64` requires an application/octet-stream request body",
+        statusCode: Option3.none()
+      });
+    }
+    if (nestedBodyBase64?.ok === true && requestedCt && !isOctetStream(requestedCt)) {
+      return yield* new OpenApiInvocationError({
+        message: "`body.bodyBase64` requires an application/octet-stream contentType",
+        statusCode: Option3.none()
+      });
+    }
+    const binaryBody = bodyBase64?.ok === true ? bodyBase64 : nestedBodyBase64;
+    const bodyValue = binaryBody?.ok === true ? binaryBody.bytes : rawBodyValue;
+    if (rb.required && bodyValue === void 0) {
+      return yield* new OpenApiInvocationError({
+        message: bodyAcceptsOctetStream ? "Missing required request body: provide `bodyBase64`" : "Missing required request body",
+        statusCode: Option3.none()
+      });
+    }
     if (bodyValue !== void 0) {
-      const contentsOpt = Option3.getOrUndefined(rb.contents);
-      const requestedCt = typeof args.contentType === "string" ? args.contentType : void 0;
-      const selected = contentsOpt && requestedCt ? contentsOpt.find((c) => c.contentType === requestedCt) : void 0;
-      const chosenCt = selected?.contentType ?? rb.contentType;
+      const selected = binaryBody?.ok === true && octetStreamContent ? octetStreamContent : contentsOpt && requestedCt ? contentsOpt.find((c) => c.contentType === requestedCt) : void 0;
+      const chosenCt = binaryBody?.ok === true && !octetStreamContent && isOctetStream(rb.contentType) ? rb.contentType : selected?.contentType ?? rb.contentType;
+      if (isOctetStream(chosenCt) && toUint8Array(bodyValue) === null) {
+        return yield* new OpenApiInvocationError({
+          message: "application/octet-stream request body must be bytes; provide `bodyBase64`",
+          statusCode: Option3.none()
+        });
+      }
       const chosenEncoding = selected ? Option3.getOrUndefined(selected.encoding) : contentsOpt && contentsOpt[0] ? Option3.getOrUndefined(contentsOpt[0].encoding) : void 0;
       request = applyRequestBody(request, chosenCt, bodyValue, chosenEncoding);
     }
@@ -1082,15 +1176,14 @@ var invokeOpenApiBackedTool = (input) => Effect3.gen(function* () {
   });
 });
 var resolveOpenApiBackedAnnotations = (input) => Effect3.gen(function* () {
-  const ops = yield* input.ctx.storage.listOperations(String(input.integration));
-  const byName = /* @__PURE__ */ new Map();
-  for (const op of ops) byName.set(op.toolName, op.binding);
   const out = {};
   for (const row of input.toolRows) {
-    const binding = byName.get(row.name);
-    if (binding) {
-      out[row.name] = annotationsForOperation(binding.method, binding.pathTemplate);
-    }
+    const operation = yield* input.ctx.storage.getOperation(input.integration, row.name);
+    if (!operation) continue;
+    out[row.name] = annotationsForOperation(
+      operation.binding.method,
+      operation.binding.pathTemplate
+    );
   }
   return out;
 });
@@ -1154,13 +1247,15 @@ var StaticPreviewOAuth2PresetSchema = Schema4.Struct({
   flow: Schema4.Literals(["authorizationCode", "clientCredentials"]),
   authorizationUrl: Schema4.NullOr(Schema4.String),
   tokenUrl: Schema4.String,
+  resource: Schema4.NullOr(Schema4.String),
   refreshUrl: Schema4.NullOr(Schema4.String),
   scopes: Schema4.Record(Schema4.String, Schema4.String),
   identityScopes: Schema4.Union([
     Schema4.Literal("auto"),
     Schema4.Literal(false),
     Schema4.Array(Schema4.String)
-  ])
+  ]),
+  supportsClientIdMetadataDocument: Schema4.optional(Schema4.Boolean)
 });
 var StaticPreviewSpecOutputSchema = Schema4.Struct({
   title: Schema4.NullOr(Schema4.String),
@@ -1189,7 +1284,9 @@ var AuthenticationSchema2 = Schema4.Union([
     kind: Schema4.Literal("oauth2"),
     authorizationUrl: Schema4.String,
     tokenUrl: Schema4.String,
-    scopes: Schema4.Array(Schema4.String)
+    resource: Schema4.optional(Schema4.NullOr(Schema4.String)),
+    scopes: Schema4.Array(Schema4.String),
+    supportsClientIdMetadataDocument: Schema4.optional(Schema4.Boolean)
   }),
   // Credential methods are authored request-shaped - the ONE apikey input
   // dialect: `{ type: "apiKey", headers: { Authorization: ["Bearer ",
@@ -1276,12 +1373,135 @@ var staticPreviewOutput = (preview) => ({
     flow: preset.flow,
     authorizationUrl: Option5.getOrNull(preset.authorizationUrl),
     tokenUrl: preset.tokenUrl,
+    resource: Option5.getOrNull(preset.resource),
     refreshUrl: Option5.getOrNull(preset.refreshUrl),
     scopes: preset.scopes,
-    identityScopes: preset.identityScopes
+    identityScopes: preset.identityScopes,
+    supportsClientIdMetadataDocument: preset.supportsClientIdMetadataDocument
   }))
 });
 var specInputToSourceUrl = (spec) => spec.kind === "url" ? spec.url : void 0;
+var OAUTH_DISCOVERED_SCHEME_NAME = "DiscoveredOAuth2";
+var OPENAPI_HTTP_METHODS = /* @__PURE__ */ new Set([
+  "get",
+  "put",
+  "post",
+  "delete",
+  "patch",
+  "head",
+  "options",
+  "trace"
+]);
+var isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+var maybeUrl = (value) => {
+  try {
+    return new URL(value);
+  } catch {
+    return null;
+  }
+};
+var addProbeCandidate = (candidates, value) => {
+  const trimmed = value?.trim();
+  if (!trimmed) return;
+  const parsed = maybeUrl(trimmed);
+  if (!parsed || parsed.protocol !== "https:" && parsed.protocol !== "http:") return;
+  const normalized = parsed.toString();
+  const origin = parsed.origin;
+  if (!candidates.includes(normalized)) candidates.push(normalized);
+  if (!candidates.includes(origin)) candidates.push(origin);
+};
+var oauthProbeCandidates = (preview, sourceUrl, baseUrl) => {
+  const candidates = [];
+  addProbeCandidate(candidates, baseUrl);
+  for (const server of preview.servers) {
+    addProbeCandidate(
+      candidates,
+      resolveServerUrl(server.url, Option5.getOrUndefined(server.variables), {})
+    );
+  }
+  addProbeCandidate(candidates, sourceUrl);
+  return candidates;
+};
+var securityRequirementScopes = (security, targetSchemes) => {
+  if (!Array.isArray(security)) return [];
+  const scopes = /* @__PURE__ */ new Set();
+  for (const requirement of security) {
+    if (!isRecord(requirement)) continue;
+    for (const [scheme, rawScopes] of Object.entries(requirement)) {
+      if (targetSchemes.size > 0 && !targetSchemes.has(scheme)) continue;
+      if (!Array.isArray(rawScopes)) continue;
+      for (const scope of rawScopes) {
+        if (typeof scope === "string" && scope.trim().length > 0) scopes.add(scope.trim());
+      }
+    }
+  }
+  return [...scopes];
+};
+var collectDeclaredSecurityScopes = (doc, targetSchemes) => {
+  const scopes = /* @__PURE__ */ new Set();
+  if (!isRecord(doc)) return [];
+  for (const scope of securityRequirementScopes(doc.security, targetSchemes)) scopes.add(scope);
+  const paths = doc.paths;
+  if (!isRecord(paths)) return [...scopes].sort();
+  for (const pathItem of Object.values(paths)) {
+    if (!isRecord(pathItem)) continue;
+    for (const [method, operation] of Object.entries(pathItem)) {
+      if (!OPENAPI_HTTP_METHODS.has(method.toLowerCase()) || !isRecord(operation)) continue;
+      for (const scope of securityRequirementScopes(operation.security, targetSchemes)) {
+        scopes.add(scope);
+      }
+    }
+  }
+  return [...scopes].sort();
+};
+var nonOAuthSecuritySchemeNames = (preview) => new Set(
+  preview.securitySchemes.filter((scheme) => scheme.type === "http" || scheme.type === "apiKey").map((scheme) => scheme.name)
+);
+var discoveredOAuthPreview = (input) => {
+  const scopes = Object.fromEntries(input.scopes.map((scope) => [scope, ""]));
+  const flow = OAuth2AuthorizationCodeFlow.make({
+    authorizationUrl: input.authorizationUrl,
+    tokenUrl: input.tokenUrl,
+    refreshUrl: Option5.none(),
+    scopes
+  });
+  const flows = OAuth2Flows.make({
+    authorizationCode: Option5.some(flow),
+    clientCredentials: Option5.none()
+  });
+  return {
+    ...input.preview,
+    securitySchemes: [
+      ...input.preview.securitySchemes,
+      SecurityScheme.make({
+        name: OAUTH_DISCOVERED_SCHEME_NAME,
+        type: "oauth2",
+        scheme: Option5.none(),
+        bearerFormat: Option5.none(),
+        in: Option5.none(),
+        headerName: Option5.none(),
+        description: Option5.some("Discovered from OAuth authorization-server metadata"),
+        flows: Option5.some(flows),
+        openIdConnectUrl: Option5.none()
+      })
+    ],
+    oauth2Presets: [
+      ...input.preview.oauth2Presets,
+      OAuth2Preset.make({
+        label: `OAuth2 Authorization Code \xB7 ${OAUTH_DISCOVERED_SCHEME_NAME}`,
+        securitySchemeName: OAUTH_DISCOVERED_SCHEME_NAME,
+        flow: "authorizationCode",
+        authorizationUrl: Option5.some(input.authorizationUrl),
+        tokenUrl: input.tokenUrl,
+        resource: input.resource ? Option5.some(input.resource) : Option5.none(),
+        refreshUrl: Option5.none(),
+        scopes,
+        identityScopes: "auto",
+        ...input.supportsClientIdMetadataDocument === true ? { supportsClientIdMetadataDocument: true } : {}
+      })
+    ]
+  };
+};
 var describeOpenApiAuthMethods = (record) => {
   const config = decodeOpenApiIntegrationConfig(record.config);
   if (!config) return [];
@@ -1296,7 +1516,9 @@ var describeOpenApiAuthMethods = (record) => {
           oauth: {
             authorizationUrl: template.authorizationUrl,
             tokenUrl: template.tokenUrl,
-            scopes: template.scopes
+            resource: template.resource ?? null,
+            scopes: template.scopes,
+            supportsClientIdMetadataDocument: template.supportsClientIdMetadataDocument
           }
         };
       }
@@ -1330,13 +1552,50 @@ var openApiPlugin = definePlugin((options) => {
     storage: (deps) => makeDefaultOpenapiStore(deps),
     extension: (ctx) => {
       const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
+      const enrichPreviewWithDiscoveredOAuth = (input) => Effect4.gen(function* () {
+        if (input.preview.oauth2Presets.length > 0) return input.preview;
+        const candidates = oauthProbeCandidates(input.preview, input.sourceUrl, input.baseUrl);
+        if (candidates.length === 0) return input.preview;
+        for (const candidate of candidates) {
+          const oauth = yield* ctx.oauth.probe({ url: candidate }).pipe(
+            Effect4.map((result) => ({ ok: true, result })),
+            Effect4.catch(() => Effect4.succeed({ ok: false, result: null }))
+          );
+          if (!oauth.ok) continue;
+          const doc = yield* parse(input.specText);
+          const declaredScopes = collectDeclaredSecurityScopes(
+            doc,
+            nonOAuthSecuritySchemeNames(input.preview)
+          );
+          const supportedScopes = oauth.result.scopesSupported && oauth.result.scopesSupported.length > 0 ? new Set(oauth.result.scopesSupported) : null;
+          const scopes = supportedScopes ? declaredScopes.filter((scope) => supportedScopes.has(scope)) : declaredScopes;
+          return discoveredOAuthPreview({
+            preview: input.preview,
+            authorizationUrl: oauth.result.authorizationUrl,
+            tokenUrl: oauth.result.tokenUrl,
+            resource: oauth.result.resource ?? null,
+            scopes,
+            supportsClientIdMetadataDocument: oauth.result.clientIdMetadataDocumentSupported === true
+          });
+        }
+        return input.preview;
+      });
       const addSpec = (config) => Effect4.gen(function* () {
         const resolved = yield* resolveSpecForInput(config.spec, httpClientLayer);
         const compiled = yield* compileOpenApiSpec(resolved.specText);
         const explicitBaseUrl = config.baseUrl;
         const needsDerivedBaseUrl = explicitBaseUrl == null;
         const needsDerivedAuth = config.authenticationTemplate == null;
-        const preview = needsDerivedBaseUrl || needsDerivedAuth ? yield* previewSpecText(resolved.specText) : void 0;
+        const preview = needsDerivedBaseUrl || needsDerivedAuth ? yield* previewSpecText(resolved.specText).pipe(
+          Effect4.flatMap(
+            (rawPreview) => enrichPreviewWithDiscoveredOAuth({
+              specText: resolved.specText,
+              preview: rawPreview,
+              sourceUrl: specInputToSourceUrl(config.spec),
+              baseUrl: config.baseUrl
+            })
+          )
+        ) : void 0;
         const derivedBaseUrl = needsDerivedBaseUrl && preview ? firstBaseUrlForPreview(preview) : void 0;
         const effectiveBaseUrl = explicitBaseUrl ?? (derivedBaseUrl || void 0);
         const derivedAuthenticationTemplate = needsDerivedAuth && preview ? deriveAuthenticationTemplateFromPreview(preview, effectiveBaseUrl) : void 0;
@@ -1450,7 +1709,12 @@ var openApiPlugin = definePlugin((options) => {
           const specText = yield* resolveSpecText(previewInput.spec).pipe(
             Effect4.provide(httpClientLayer)
           );
-          return yield* previewSpecText(specText);
+          const preview = yield* previewSpecText(specText);
+          return yield* enrichPreviewWithDiscoveredOAuth({
+            specText,
+            preview,
+            sourceUrl: maybeUrl(previewInput.spec.trim()) ? previewInput.spec.trim() : void 0
+          });
         }),
         addSpec,
         updateSpec,
@@ -1639,4 +1903,4 @@ export {
   resolveOpenApiBackedAnnotations,
   openApiPlugin
 };
-//# sourceMappingURL=chunk-3O3PGRRG.js.map
+//# sourceMappingURL=chunk-DBA2BHE4.js.map