@executor-js/plugin-openapi 1.5.22 → 2.0.0

package/dist/{chunk-5YG34JIY.js → chunk-DBA2BHE4.js}

@@ -1,16 +1,20 @@
 import {
   deriveAuthenticationTemplateFromPreview,
   firstBaseUrlForPreview
-} from "./chunk-W6DGFLYT.js";
+} from "./chunk-IVRAOG3T.js";
 import {
   openApiPresets
-} from "./chunk-QQFCICLX.js";
+} from "./chunk-HG5JB2UJ.js";
 import {
   InvocationResult,
+  OAuth2AuthorizationCodeFlow,
+  OAuth2Flows,
+  OAuth2Preset,
   OpenApiExtractionError,
   OpenApiInvocationError,
   OpenApiParseError,
   OperationBinding,
+  SecurityScheme,
   buildInputSchema,
   compileToolDefinitions,
   extract,
@@ -23,7 +27,7 @@ import {
   streamOperationBindings,
   streamOperationBindingsFromStructure,
   structuralSplit
-} from "./chunk-XFJWX2CY.js";
+} from "./chunk-WWZ7B34D.js";
 
 // src/sdk/config.ts
 import { Option, Schema } from "effect";
@@ -38,7 +42,9 @@ var OAuthAuthenticationSchema = Schema.Struct({
   kind: Schema.Literal("oauth2"),
   authorizationUrl: Schema.String,
   tokenUrl: Schema.String,
-  scopes: Schema.Array(Schema.String)
+  resource: Schema.optional(Schema.NullOr(Schema.String)),
+  scopes: Schema.Array(Schema.String),
+  supportsClientIdMetadataDocument: Schema.optional(Schema.Boolean)
 });
 var AuthenticationSchema = Schema.Union([OAuthAuthenticationSchema, ApiKeyAuthMethod]);
 var OpenApiIntegrationConfigSchema = Schema.Struct({
@@ -1170,15 +1176,14 @@ var invokeOpenApiBackedTool = (input) => Effect3.gen(function* () {
   });
 });
 var resolveOpenApiBackedAnnotations = (input) => Effect3.gen(function* () {
-  const ops = yield* input.ctx.storage.listOperations(String(input.integration));
-  const byName = /* @__PURE__ */ new Map();
-  for (const op of ops) byName.set(op.toolName, op.binding);
   const out = {};
   for (const row of input.toolRows) {
-    const binding = byName.get(row.name);
-    if (binding) {
-      out[row.name] = annotationsForOperation(binding.method, binding.pathTemplate);
-    }
+    const operation = yield* input.ctx.storage.getOperation(input.integration, row.name);
+    if (!operation) continue;
+    out[row.name] = annotationsForOperation(
+      operation.binding.method,
+      operation.binding.pathTemplate
+    );
   }
   return out;
 });
@@ -1242,13 +1247,15 @@ var StaticPreviewOAuth2PresetSchema = Schema4.Struct({
   flow: Schema4.Literals(["authorizationCode", "clientCredentials"]),
   authorizationUrl: Schema4.NullOr(Schema4.String),
   tokenUrl: Schema4.String,
+  resource: Schema4.NullOr(Schema4.String),
   refreshUrl: Schema4.NullOr(Schema4.String),
   scopes: Schema4.Record(Schema4.String, Schema4.String),
   identityScopes: Schema4.Union([
     Schema4.Literal("auto"),
     Schema4.Literal(false),
     Schema4.Array(Schema4.String)
-  ])
+  ]),
+  supportsClientIdMetadataDocument: Schema4.optional(Schema4.Boolean)
 });
 var StaticPreviewSpecOutputSchema = Schema4.Struct({
   title: Schema4.NullOr(Schema4.String),
@@ -1277,7 +1284,9 @@ var AuthenticationSchema2 = Schema4.Union([
     kind: Schema4.Literal("oauth2"),
     authorizationUrl: Schema4.String,
     tokenUrl: Schema4.String,
-    scopes: Schema4.Array(Schema4.String)
+    resource: Schema4.optional(Schema4.NullOr(Schema4.String)),
+    scopes: Schema4.Array(Schema4.String),
+    supportsClientIdMetadataDocument: Schema4.optional(Schema4.Boolean)
   }),
   // Credential methods are authored request-shaped - the ONE apikey input
   // dialect: `{ type: "apiKey", headers: { Authorization: ["Bearer ",
@@ -1364,12 +1373,135 @@ var staticPreviewOutput = (preview) => ({
     flow: preset.flow,
     authorizationUrl: Option5.getOrNull(preset.authorizationUrl),
     tokenUrl: preset.tokenUrl,
+    resource: Option5.getOrNull(preset.resource),
     refreshUrl: Option5.getOrNull(preset.refreshUrl),
     scopes: preset.scopes,
-    identityScopes: preset.identityScopes
+    identityScopes: preset.identityScopes,
+    supportsClientIdMetadataDocument: preset.supportsClientIdMetadataDocument
   }))
 });
 var specInputToSourceUrl = (spec) => spec.kind === "url" ? spec.url : void 0;
+var OAUTH_DISCOVERED_SCHEME_NAME = "DiscoveredOAuth2";
+var OPENAPI_HTTP_METHODS = /* @__PURE__ */ new Set([
+  "get",
+  "put",
+  "post",
+  "delete",
+  "patch",
+  "head",
+  "options",
+  "trace"
+]);
+var isRecord = (value) => typeof value === "object" && value !== null && !Array.isArray(value);
+var maybeUrl = (value) => {
+  try {
+    return new URL(value);
+  } catch {
+    return null;
+  }
+};
+var addProbeCandidate = (candidates, value) => {
+  const trimmed = value?.trim();
+  if (!trimmed) return;
+  const parsed = maybeUrl(trimmed);
+  if (!parsed || parsed.protocol !== "https:" && parsed.protocol !== "http:") return;
+  const normalized = parsed.toString();
+  const origin = parsed.origin;
+  if (!candidates.includes(normalized)) candidates.push(normalized);
+  if (!candidates.includes(origin)) candidates.push(origin);
+};
+var oauthProbeCandidates = (preview, sourceUrl, baseUrl) => {
+  const candidates = [];
+  addProbeCandidate(candidates, baseUrl);
+  for (const server of preview.servers) {
+    addProbeCandidate(
+      candidates,
+      resolveServerUrl(server.url, Option5.getOrUndefined(server.variables), {})
+    );
+  }
+  addProbeCandidate(candidates, sourceUrl);
+  return candidates;
+};
+var securityRequirementScopes = (security, targetSchemes) => {
+  if (!Array.isArray(security)) return [];
+  const scopes = /* @__PURE__ */ new Set();
+  for (const requirement of security) {
+    if (!isRecord(requirement)) continue;
+    for (const [scheme, rawScopes] of Object.entries(requirement)) {
+      if (targetSchemes.size > 0 && !targetSchemes.has(scheme)) continue;
+      if (!Array.isArray(rawScopes)) continue;
+      for (const scope of rawScopes) {
+        if (typeof scope === "string" && scope.trim().length > 0) scopes.add(scope.trim());
+      }
+    }
+  }
+  return [...scopes];
+};
+var collectDeclaredSecurityScopes = (doc, targetSchemes) => {
+  const scopes = /* @__PURE__ */ new Set();
+  if (!isRecord(doc)) return [];
+  for (const scope of securityRequirementScopes(doc.security, targetSchemes)) scopes.add(scope);
+  const paths = doc.paths;
+  if (!isRecord(paths)) return [...scopes].sort();
+  for (const pathItem of Object.values(paths)) {
+    if (!isRecord(pathItem)) continue;
+    for (const [method, operation] of Object.entries(pathItem)) {
+      if (!OPENAPI_HTTP_METHODS.has(method.toLowerCase()) || !isRecord(operation)) continue;
+      for (const scope of securityRequirementScopes(operation.security, targetSchemes)) {
+        scopes.add(scope);
+      }
+    }
+  }
+  return [...scopes].sort();
+};
+var nonOAuthSecuritySchemeNames = (preview) => new Set(
+  preview.securitySchemes.filter((scheme) => scheme.type === "http" || scheme.type === "apiKey").map((scheme) => scheme.name)
+);
+var discoveredOAuthPreview = (input) => {
+  const scopes = Object.fromEntries(input.scopes.map((scope) => [scope, ""]));
+  const flow = OAuth2AuthorizationCodeFlow.make({
+    authorizationUrl: input.authorizationUrl,
+    tokenUrl: input.tokenUrl,
+    refreshUrl: Option5.none(),
+    scopes
+  });
+  const flows = OAuth2Flows.make({
+    authorizationCode: Option5.some(flow),
+    clientCredentials: Option5.none()
+  });
+  return {
+    ...input.preview,
+    securitySchemes: [
+      ...input.preview.securitySchemes,
+      SecurityScheme.make({
+        name: OAUTH_DISCOVERED_SCHEME_NAME,
+        type: "oauth2",
+        scheme: Option5.none(),
+        bearerFormat: Option5.none(),
+        in: Option5.none(),
+        headerName: Option5.none(),
+        description: Option5.some("Discovered from OAuth authorization-server metadata"),
+        flows: Option5.some(flows),
+        openIdConnectUrl: Option5.none()
+      })
+    ],
+    oauth2Presets: [
+      ...input.preview.oauth2Presets,
+      OAuth2Preset.make({
+        label: `OAuth2 Authorization Code \xB7 ${OAUTH_DISCOVERED_SCHEME_NAME}`,
+        securitySchemeName: OAUTH_DISCOVERED_SCHEME_NAME,
+        flow: "authorizationCode",
+        authorizationUrl: Option5.some(input.authorizationUrl),
+        tokenUrl: input.tokenUrl,
+        resource: input.resource ? Option5.some(input.resource) : Option5.none(),
+        refreshUrl: Option5.none(),
+        scopes,
+        identityScopes: "auto",
+        ...input.supportsClientIdMetadataDocument === true ? { supportsClientIdMetadataDocument: true } : {}
+      })
+    ]
+  };
+};
 var describeOpenApiAuthMethods = (record) => {
   const config = decodeOpenApiIntegrationConfig(record.config);
   if (!config) return [];
@@ -1384,7 +1516,9 @@ var describeOpenApiAuthMethods = (record) => {
           oauth: {
             authorizationUrl: template.authorizationUrl,
             tokenUrl: template.tokenUrl,
-            scopes: template.scopes
+            resource: template.resource ?? null,
+            scopes: template.scopes,
+            supportsClientIdMetadataDocument: template.supportsClientIdMetadataDocument
           }
         };
       }
@@ -1418,13 +1552,50 @@ var openApiPlugin = definePlugin((options) => {
     storage: (deps) => makeDefaultOpenapiStore(deps),
     extension: (ctx) => {
       const httpClientLayer = options?.httpClientLayer ?? ctx.httpClientLayer;
+      const enrichPreviewWithDiscoveredOAuth = (input) => Effect4.gen(function* () {
+        if (input.preview.oauth2Presets.length > 0) return input.preview;
+        const candidates = oauthProbeCandidates(input.preview, input.sourceUrl, input.baseUrl);
+        if (candidates.length === 0) return input.preview;
+        for (const candidate of candidates) {
+          const oauth = yield* ctx.oauth.probe({ url: candidate }).pipe(
+            Effect4.map((result) => ({ ok: true, result })),
+            Effect4.catch(() => Effect4.succeed({ ok: false, result: null }))
+          );
+          if (!oauth.ok) continue;
+          const doc = yield* parse(input.specText);
+          const declaredScopes = collectDeclaredSecurityScopes(
+            doc,
+            nonOAuthSecuritySchemeNames(input.preview)
+          );
+          const supportedScopes = oauth.result.scopesSupported && oauth.result.scopesSupported.length > 0 ? new Set(oauth.result.scopesSupported) : null;
+          const scopes = supportedScopes ? declaredScopes.filter((scope) => supportedScopes.has(scope)) : declaredScopes;
+          return discoveredOAuthPreview({
+            preview: input.preview,
+            authorizationUrl: oauth.result.authorizationUrl,
+            tokenUrl: oauth.result.tokenUrl,
+            resource: oauth.result.resource ?? null,
+            scopes,
+            supportsClientIdMetadataDocument: oauth.result.clientIdMetadataDocumentSupported === true
+          });
+        }
+        return input.preview;
+      });
       const addSpec = (config) => Effect4.gen(function* () {
         const resolved = yield* resolveSpecForInput(config.spec, httpClientLayer);
         const compiled = yield* compileOpenApiSpec(resolved.specText);
         const explicitBaseUrl = config.baseUrl;
         const needsDerivedBaseUrl = explicitBaseUrl == null;
         const needsDerivedAuth = config.authenticationTemplate == null;
-        const preview = needsDerivedBaseUrl || needsDerivedAuth ? yield* previewSpecText(resolved.specText) : void 0;
+        const preview = needsDerivedBaseUrl || needsDerivedAuth ? yield* previewSpecText(resolved.specText).pipe(
+          Effect4.flatMap(
+            (rawPreview) => enrichPreviewWithDiscoveredOAuth({
+              specText: resolved.specText,
+              preview: rawPreview,
+              sourceUrl: specInputToSourceUrl(config.spec),
+              baseUrl: config.baseUrl
+            })
+          )
+        ) : void 0;
         const derivedBaseUrl = needsDerivedBaseUrl && preview ? firstBaseUrlForPreview(preview) : void 0;
         const effectiveBaseUrl = explicitBaseUrl ?? (derivedBaseUrl || void 0);
         const derivedAuthenticationTemplate = needsDerivedAuth && preview ? deriveAuthenticationTemplateFromPreview(preview, effectiveBaseUrl) : void 0;
@@ -1538,7 +1709,12 @@ var openApiPlugin = definePlugin((options) => {
           const specText = yield* resolveSpecText(previewInput.spec).pipe(
             Effect4.provide(httpClientLayer)
           );
-          return yield* previewSpecText(specText);
+          const preview = yield* previewSpecText(specText);
+          return yield* enrichPreviewWithDiscoveredOAuth({
+            specText,
+            preview,
+            sourceUrl: maybeUrl(previewInput.spec.trim()) ? previewInput.spec.trim() : void 0
+          });
         }),
         addSpec,
         updateSpec,
@@ -1727,4 +1903,4 @@ export {
   resolveOpenApiBackedAnnotations,
   openApiPlugin
 };
-//# sourceMappingURL=chunk-5YG34JIY.js.map
+//# sourceMappingURL=chunk-DBA2BHE4.js.map