@executor-js/plugin-openapi 1.5.5 → 1.5.7

package/dist/chunk-RCBR3QMJ.js

@@ -0,0 +1,73 @@
+// src/react/auth-method-config.ts
+import { AuthTemplateSlug } from "@executor-js/sdk/shared";
+import {
+  authMethodFromSharedTemplate,
+  editorPlacementsFromWire,
+  editorValueFromSharedMethod,
+  wireAuthInputFromShared,
+  wirePlacementsFromEditor
+} from "@executor-js/react/lib/shared-auth-method-codec";
+var openApiWireAuthInput = (method) => method.kind === "oauth2" ? method : wireAuthInputFromShared(method);
+var oauthAuthMethod = (template) => {
+  const slug = String(template.slug);
+  return {
+    id: slug,
+    label: "OAuth2",
+    kind: "oauth",
+    source: slug.startsWith("custom_") ? "custom" : "spec",
+    template: AuthTemplateSlug.make(slug),
+    placements: [],
+    // Carry the integration's declared endpoints/scopes so the
+    // client-registration form pre-fills them.
+    oauth: {
+      authorizationUrl: template.authorizationUrl,
+      tokenUrl: template.tokenUrl,
+      scopes: template.scopes
+    }
+  };
+};
+function authMethodsFromConfig(templates) {
+  return templates.map((template) => {
+    if (template.kind === "oauth2") return oauthAuthMethod(template);
+    return authMethodFromSharedTemplate(template);
+  });
+}
+function templateFromPlacements(placements, slug) {
+  return {
+    slug: slug ?? "",
+    kind: "apikey",
+    placements: wirePlacementsFromEditor(placements)
+  };
+}
+function editorValueFromAuthentication(template) {
+  if (template.kind === "oauth2") {
+    return {
+      kind: "oauth",
+      authorizationUrl: template.authorizationUrl ?? "",
+      tokenUrl: template.tokenUrl ?? "",
+      scopes: template.scopes ?? []
+    };
+  }
+  return editorValueFromSharedMethod(template);
+}
+var oauthTemplateFromEditorValue = (value, slug) => ({
+  slug: AuthTemplateSlug.make(slug ?? ""),
+  kind: "oauth2",
+  authorizationUrl: value.authorizationUrl,
+  tokenUrl: value.tokenUrl,
+  scopes: [...value.scopes]
+});
+function authenticationFromEditorValue(value, slug) {
+  if (value.kind === "none") return null;
+  if (value.kind === "oauth") return oauthTemplateFromEditorValue(value, slug);
+  return templateFromPlacements(value.placements, slug);
+}
+
+export {
+  openApiWireAuthInput,
+  authMethodsFromConfig,
+  templateFromPlacements,
+  editorValueFromAuthentication,
+  authenticationFromEditorValue
+};
+//# sourceMappingURL=chunk-RCBR3QMJ.js.map

package/dist/chunk-RCBR3QMJ.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/react/auth-method-config.ts"],"sourcesContent":["// ---------------------------------------------------------------------------\n// OpenAPI ↔ generic auth-method converters — a thin oauth adapter over the\n// shared codec (`@executor-js/react/lib/shared-auth-method-codec`). The\n// apikey/none paths (multi-placement, multi-variable) live in the shared\n// codec; OpenAPI only contributes its oauth flavor: stored endpoints + scopes\n// (`kind: \"oauth2\"`, the core `OAuthAuthentication` shape) that pre-fill the client-registration form.\n// ---------------------------------------------------------------------------\n\nimport { AuthTemplateSlug } from \"@executor-js/sdk/shared\";\nimport type { AuthMethod, Placement } from \"@executor-js/react/lib/auth-placements\";\nimport type { AuthTemplateEditorValue } from \"@executor-js/react/components/auth-template-editor\";\nimport {\n  authMethodFromSharedTemplate,\n  editorPlacementsFromWire,\n  editorValueFromSharedMethod,\n  wireAuthInputFromShared,\n  wirePlacementsFromEditor,\n} from \"@executor-js/react/lib/shared-auth-method-codec\";\n\nimport type { APIKeyAuthentication, Authentication, AuthenticationInput } from \"../sdk/types\";\n\n/** Serialize a canonical method into the wire input union (apikey → the\n *  request-shaped dialect; oauth passes through). */\nexport const openApiWireAuthInput = (method: Authentication): AuthenticationInput =>\n  method.kind === \"oauth2\" ? method : (wireAuthInputFromShared(method) as AuthenticationInput);\n\nexport const placementsFromApiKey = (template: APIKeyAuthentication): readonly Placement[] =>\n  editorPlacementsFromWire(template.placements);\n\nconst oauthAuthMethod = (template: Extract<Authentication, { kind: \"oauth2\" }>): AuthMethod => {\n  const slug = String(template.slug);\n  return {\n    id: slug,\n    label: \"OAuth2\",\n    kind: \"oauth\",\n    source: slug.startsWith(\"custom_\") ? \"custom\" : \"spec\",\n    template: AuthTemplateSlug.make(slug),\n    placements: [],\n    // Carry the integration's declared endpoints/scopes so the\n    // client-registration form pre-fills them.\n    oauth: {\n      authorizationUrl: template.authorizationUrl,\n      tokenUrl: template.tokenUrl,\n      scopes: template.scopes,\n    },\n  };\n};\n\n/** Map each stored auth template to a generic `AuthMethod`. */\nexport function authMethodsFromConfig(templates: readonly Authentication[]): AuthMethod[] {\n  return templates.map((template: Authentication): AuthMethod => {\n    if (template.kind === \"oauth2\") return oauthAuthMethod(template);\n    return authMethodFromSharedTemplate(template);\n  });\n}\n\n/** Build an apikey method from generic placements. When `slug` is omitted the\n *  backend assigns a `custom_<id>` slug. */\nexport function templateFromPlacements(\n  placements: readonly Placement[],\n  slug?: string,\n): APIKeyAuthentication {\n  return {\n    slug: slug ?? \"\",\n    kind: \"apikey\",\n    placements: wirePlacementsFromEditor(placements),\n  };\n}\n\n// ---------------------------------------------------------------------------\n// Stored `Authentication` ⇆ generic `AuthTemplateEditorValue`.\n// ---------------------------------------------------------------------------\n\n/** Convert one stored `Authentication` template into a generic editor value. */\nexport function editorValueFromAuthentication(template: Authentication): AuthTemplateEditorValue {\n  if (template.kind === \"oauth2\") {\n    return {\n      kind: \"oauth\",\n      authorizationUrl: template.authorizationUrl ?? \"\",\n      tokenUrl: template.tokenUrl ?? \"\",\n      scopes: template.scopes ?? [],\n    };\n  }\n  return editorValueFromSharedMethod(template);\n}\n\n/** Build an `OAuthAuthentication` template from a generic oauth editor value. */\nconst oauthTemplateFromEditorValue = (\n  value: Extract<AuthTemplateEditorValue, { kind: \"oauth\" }>,\n  slug?: string,\n): Authentication => ({\n  slug: AuthTemplateSlug.make(slug ?? \"\"),\n  kind: \"oauth2\",\n  authorizationUrl: value.authorizationUrl,\n  tokenUrl: value.tokenUrl,\n  scopes: [...value.scopes],\n});\n\n/** Convert one generic editor value back into a stored `Authentication`, or\n *  `null` for `none` (no method to register). The optional `slug` names the\n *  template; when omitted the backend backfills `custom_<id>`. */\nexport function authenticationFromEditorValue(\n  value: AuthTemplateEditorValue,\n  slug?: string,\n): Authentication | null {\n  if (value.kind === \"none\") return null;\n  if (value.kind === \"oauth\") return oauthTemplateFromEditorValue(value, slug);\n  return templateFromPlacements(value.placements, slug);\n}\n"],"mappings":";AAQA,SAAS,wBAAwB;AAGjC;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAMA,IAAM,uBAAuB,CAAC,WACnC,OAAO,SAAS,WAAW,SAAU,wBAAwB,MAAM;AAKrE,IAAM,kBAAkB,CAAC,aAAsE;AAC7F,QAAM,OAAO,OAAO,SAAS,IAAI;AACjC,SAAO;AAAA,IACL,IAAI;AAAA,IACJ,OAAO;AAAA,IACP,MAAM;AAAA,IACN,QAAQ,KAAK,WAAW,SAAS,IAAI,WAAW;AAAA,IAChD,UAAU,iBAAiB,KAAK,IAAI;AAAA,IACpC,YAAY,CAAC;AAAA;AAAA;AAAA,IAGb,OAAO;AAAA,MACL,kBAAkB,SAAS;AAAA,MAC3B,UAAU,SAAS;AAAA,MACnB,QAAQ,SAAS;AAAA,IACnB;AAAA,EACF;AACF;AAGO,SAAS,sBAAsB,WAAoD;AACxF,SAAO,UAAU,IAAI,CAAC,aAAyC;AAC7D,QAAI,SAAS,SAAS,SAAU,QAAO,gBAAgB,QAAQ;AAC/D,WAAO,6BAA6B,QAAQ;AAAA,EAC9C,CAAC;AACH;AAIO,SAAS,uBACd,YACA,MACsB;AACtB,SAAO;AAAA,IACL,MAAM,QAAQ;AAAA,IACd,MAAM;AAAA,IACN,YAAY,yBAAyB,UAAU;AAAA,EACjD;AACF;AAOO,SAAS,8BAA8B,UAAmD;AAC/F,MAAI,SAAS,SAAS,UAAU;AAC9B,WAAO;AAAA,MACL,MAAM;AAAA,MACN,kBAAkB,SAAS,oBAAoB;AAAA,MAC/C,UAAU,SAAS,YAAY;AAAA,MAC/B,QAAQ,SAAS,UAAU,CAAC;AAAA,IAC9B;AAAA,EACF;AACA,SAAO,4BAA4B,QAAQ;AAC7C;AAGA,IAAM,+BAA+B,CACnC,OACA,UACoB;AAAA,EACpB,MAAM,iBAAiB,KAAK,QAAQ,EAAE;AAAA,EACtC,MAAM;AAAA,EACN,kBAAkB,MAAM;AAAA,EACxB,UAAU,MAAM;AAAA,EAChB,QAAQ,CAAC,GAAG,MAAM,MAAM;AAC1B;AAKO,SAAS,8BACd,OACA,MACuB;AACvB,MAAI,MAAM,SAAS,OAAQ,QAAO;AAClC,MAAI,MAAM,SAAS,QAAS,QAAO,6BAA6B,OAAO,IAAI;AAC3E,SAAO,uBAAuB,MAAM,YAAY,IAAI;AACtD;","names":[]}

package/dist/{chunk-V7VCHYOY.js → chunk-WJQIWTZF.js}

@@ -1,9 +1,11 @@
 import {
   convertGoogleDiscoveryBundleToOpenApi,
   convertGoogleDiscoveryToOpenApi,
+  deriveAuthenticationTemplateFromPreview,
   fetchGoogleDiscoveryDocument,
+  firstBaseUrlForPreview,
   isGoogleDiscoveryUrl
-} from "./chunk-OSIFYIQP.js";
+} from "./chunk-C6PH4R7Q.js";
 import {
   openApiPresets
 } from "./chunk-AQ7JDDRM.js";
@@ -12,48 +14,40 @@ import {
   OpenApiExtractionError,
   OpenApiInvocationError,
   OperationBinding,
-  TOKEN_VARIABLE,
   extract,
+  normalizeOpenApiAuthInputs,
   parse,
   previewSpec,
+  previewSpecText,
+  resolveServerUrl,
   resolveSpecText
-} from "./chunk-YVRI7KRC.js";
+} from "./chunk-C3IJX4AN.js";
 
 // src/sdk/config.ts
 import { Option, Schema } from "effect";
-var AuthenticationVariableSchema = Schema.Struct({
-  type: Schema.Literal("variable"),
-  name: Schema.String
-});
-var AuthenticationTemplateValueSchema = Schema.Union([
-  Schema.String,
-  Schema.Array(Schema.Union([Schema.String, AuthenticationVariableSchema]))
-]);
-var APIKeyAuthenticationSchema = Schema.Struct({
-  slug: Schema.String,
-  type: Schema.Literal("apiKey"),
-  headers: Schema.optional(Schema.Record(Schema.String, AuthenticationTemplateValueSchema)),
-  queryParams: Schema.optional(Schema.Record(Schema.String, AuthenticationTemplateValueSchema))
-});
+import {
+  ApiKeyAuthMethod,
+  TOKEN_VARIABLE,
+  renderAuthPlacements,
+  requiredPlacementVariables
+} from "@executor-js/sdk/http-auth";
 var OAuthAuthenticationSchema = Schema.Struct({
   slug: Schema.String,
-  type: Schema.Literal("oauth"),
+  kind: Schema.Literal("oauth2"),
   authorizationUrl: Schema.String,
   tokenUrl: Schema.String,
   scopes: Schema.Array(Schema.String)
 });
-var AuthenticationSchema = Schema.Union([
-  OAuthAuthenticationSchema,
-  APIKeyAuthenticationSchema
-]);
+var AuthenticationSchema = Schema.Union([OAuthAuthenticationSchema, ApiKeyAuthMethod]);
 var OpenApiIntegrationConfigSchema = Schema.Struct({
-  /** Inlined OpenAPI document text (resolved + parsed source of truth). */
-  spec: Schema.String,
+  /** Hex SHA-256 of the resolved spec text — the content address of the spec
+   *  blob (`spec/<hash>` in the plugin blob store). */
+  specHash: Schema.optional(Schema.String),
   /** Origin URL the spec was fetched from, when known. Enables refresh. */
   sourceUrl: Schema.optional(Schema.String),
   /** Google Discovery bundle URLs, when the spec came from a Google bundle. */
   googleDiscoveryUrls: Schema.optional(Schema.Array(Schema.String)),
-  /** Base URL override; falls back to the spec's first server. */
+  /** Optional base URL override. */
   baseUrl: Schema.optional(Schema.String),
   /** Static headers applied to every request (no secret material). */
   headers: Schema.optional(Schema.Record(Schema.String, Schema.String)),
@@ -64,40 +58,18 @@ var OpenApiIntegrationConfigSchema = Schema.Struct({
 });
 var decodeConfig = Schema.decodeUnknownOption(OpenApiIntegrationConfigSchema);
 var decodeOpenApiIntegrationConfig = (value) => Option.getOrNull(decodeConfig(value));
-var isVariable = (part) => typeof part !== "string";
-var renderTemplateValue = (template, values) => {
-  if (typeof template === "string") return template;
-  return template.map((part) => isVariable(part) ? values[part.name] ?? "" : part).join("");
-};
 var renderAuthTemplate = (template, values) => {
-  if (template.type === "oauth") {
+  if (template.kind === "oauth2") {
     return {
       headers: { authorization: `Bearer ${values[TOKEN_VARIABLE] ?? ""}` },
       queryParams: {}
     };
   }
-  const headers = {};
-  const queryParams = {};
-  for (const [name, tmpl] of Object.entries(template.headers ?? {})) {
-    headers[name] = renderTemplateValue(tmpl, values);
-  }
-  for (const [name, tmpl] of Object.entries(template.queryParams ?? {})) {
-    queryParams[name] = renderTemplateValue(tmpl, values);
-  }
-  return { headers, queryParams };
+  return renderAuthPlacements(template.placements, values);
 };
 var requiredTemplateVariables = (template) => {
-  if (template.type === "oauth") return [TOKEN_VARIABLE];
-  const names = /* @__PURE__ */ new Set();
-  const collect = (tmpl) => {
-    if (typeof tmpl === "string") return;
-    for (const part of tmpl) {
-      if (isVariable(part)) names.add(part.name);
-    }
-  };
-  for (const tmpl of Object.values(template.headers ?? {})) collect(tmpl);
-  for (const tmpl of Object.values(template.queryParams ?? {})) collect(tmpl);
-  return [...names];
+  if (template.kind === "oauth2") return [TOKEN_VARIABLE];
+  return requiredPlacementVariables(template.placements);
 };
 
 // src/sdk/invoke.ts
@@ -442,9 +414,21 @@ var invoke = Effect.fn("OpenApi.invoke")(function* (operation, args, resolvedHea
     error: ok ? null : responseBody
   });
 });
+var resolveRequestHost = (servers, serverArg, baseUrl) => {
+  if (baseUrl) return baseUrl;
+  if (servers.length === 0) return "";
+  const arg = typeof serverArg === "object" && serverArg !== null && !Array.isArray(serverArg) ? serverArg : {};
+  const chosen = servers.find((server) => server.url === arg.url) ?? servers[0];
+  const overrides = {};
+  if (typeof arg.variables === "object" && arg.variables !== null) {
+    for (const [name, value] of Object.entries(arg.variables)) {
+      if (value != null && value !== "") overrides[name] = String(value);
+    }
+  }
+  return resolveServerUrl(chosen.url, Option2.getOrUndefined(chosen.variables), overrides);
+};
 var invokeWithLayer = (operation, args, baseUrl, resolvedHeaders, sourceQueryParams, httpClientLayer) => {
-  const operationBaseUrl = operation.baseUrl;
-  const effectiveBaseUrl = operationBaseUrl ?? baseUrl;
+  const effectiveBaseUrl = resolveRequestHost(operation.servers ?? [], args.server, baseUrl);
   const clientWithBaseUrl = effectiveBaseUrl ? Layer.effect(
     HttpClient.HttpClient,
     Effect.map(
@@ -500,7 +484,8 @@ var rowToOperation = (row) => {
   };
 };
 var operationKey = (integration, toolName) => `${integration}.${toolName}`;
-var makeDefaultOpenapiStore = ({ pluginStorage }) => {
+var specBlobKey = (specHash) => `spec/${specHash}`;
+var makeDefaultOpenapiStore = ({ pluginStorage, blobs }) => {
   const operationData = (operation) => ({
     integration: operation.integration,
     toolName: operation.toolName,
@@ -534,14 +519,15 @@ var makeDefaultOpenapiStore = ({ pluginStorage }) => {
     listOperations: (integration) => listRows(integration).pipe(
       Effect2.map((rows) => rows.map(rowToOperation).filter(Predicate.isNotNull))
     ),
-    removeOperations
+    removeOperations,
+    putSpec: (specHash, specText) => blobs.put(specBlobKey(specHash), specText, { owner: STORE_OWNER }),
+    getSpec: (specHash) => blobs.get(specBlobKey(specHash))
   };
 };
 
 // src/sdk/plugin.ts
 import { Effect as Effect3, Option as Option5, Schema as Schema3 } from "effect";
 import {
-  AuthTemplateSlug,
   IntegrationAlreadyExistsError,
   IntegrationDetectionResult,
   IntegrationSlug,
@@ -549,6 +535,8 @@ import {
   ToolResult,
   authToolFailure,
   definePlugin,
+  mergeAuthTemplates,
+  sha256Hex,
   tool
 } from "@executor-js/sdk/core";
 
@@ -698,6 +686,7 @@ var compileToolDefinitions = (operations) => {
 };
 
 // src/sdk/plugin.ts
+import { ApiKeyAuthTemplate, describeApiKeyAuthMethod } from "@executor-js/sdk/http-auth";
 var STRINGIFIED_BODY_CAP = 1024;
 var UpstreamMessageBody = Schema3.Struct({ message: Schema3.String });
 var UpstreamErrorMessageBody = Schema3.Struct({ errorMessage: Schema3.String });
@@ -844,28 +833,18 @@ var OpenApiSpecInputSchema = Schema3.Union([
     urls: Schema3.Array(Schema3.String)
   })
 ]);
-var AuthenticationVariableSchema2 = Schema3.Struct({
-  type: Schema3.Literal("variable"),
-  name: Schema3.String
-});
-var AuthenticationTemplateValueSchema2 = Schema3.Union([
-  Schema3.String,
-  Schema3.Array(Schema3.Union([Schema3.String, AuthenticationVariableSchema2]))
-]);
 var AuthenticationSchema2 = Schema3.Union([
   Schema3.Struct({
     slug: Schema3.String,
-    type: Schema3.Literal("apiKey"),
-    headers: Schema3.optional(Schema3.Record(Schema3.String, AuthenticationTemplateValueSchema2)),
-    queryParams: Schema3.optional(Schema3.Record(Schema3.String, AuthenticationTemplateValueSchema2))
-  }),
-  Schema3.Struct({
-    slug: Schema3.String,
-    type: Schema3.Literal("oauth"),
+    kind: Schema3.Literal("oauth2"),
     authorizationUrl: Schema3.String,
     tokenUrl: Schema3.String,
     scopes: Schema3.Array(Schema3.String)
-  })
+  }),
+  // Credential methods are authored request-shaped — the ONE apikey input
+  // dialect: `{ type: "apiKey", headers: { Authorization: ["Bearer ",
+  // variable("token")] }, queryParams: { … } }`.
+  ApiKeyAuthTemplate
 ]);
 var AddSourceInputSchema = Schema3.Struct({
   spec: OpenApiSpecInputSchema,
@@ -998,7 +977,7 @@ var normalizeOpenApiRefs = (node) => {
 };
 var toBinding = (def) => OperationBinding.make({
   method: def.operation.method,
-  baseUrl: def.operation.baseUrl,
+  servers: def.operation.servers,
   pathTemplate: def.operation.pathTemplate,
   parameters: [...def.operation.parameters],
   requestBody: def.operation.requestBody
@@ -1010,84 +989,19 @@ var descriptionFor = (def) => {
     () => Option5.getOrElse(op.summary, () => `${op.method.toUpperCase()} ${op.pathTemplate}`)
   );
 };
-var openApiTransportOutputSchema = (dataSchema) => ({
-  type: "object",
-  additionalProperties: false,
-  required: ["status", "headers", "data"],
-  properties: {
-    status: { type: "integer" },
-    headers: {
-      type: "object",
-      additionalProperties: { type: "string" }
-    },
-    data: dataSchema ?? {}
-  }
-});
 var specInputToSourceUrl = (spec) => spec.kind === "url" || spec.kind === "googleDiscovery" ? spec.url : void 0;
 var specInputToGoogleBundle = (spec) => spec.kind === "googleDiscoveryBundle" ? spec.urls : void 0;
-var shortId = () => Math.random().toString(36).slice(2, 8);
-var freshCustomSlug = (taken) => {
-  let candidate = `custom_${shortId()}`;
-  while (taken.has(candidate)) candidate = `custom_${shortId()}`;
-  return AuthTemplateSlug.make(candidate);
-};
-var mergeAuthenticationTemplate = (existing, incoming) => {
-  const result = existing.map((entry) => entry);
-  const taken = new Set(result.map((entry) => String(entry.slug)));
-  for (const entry of incoming) {
-    const rawSlug = entry.slug;
-    const requested = typeof rawSlug === "string" ? rawSlug.trim() : "";
-    const existingIndex = result.findIndex((current) => String(current.slug) === requested);
-    if (requested.length > 0 && existingIndex >= 0) {
-      result[existingIndex] = entry;
-      continue;
-    }
-    const slug = requested.length > 0 && !taken.has(requested) ? AuthTemplateSlug.make(requested) : freshCustomSlug(taken);
-    taken.add(String(slug));
-    result.push({ ...entry, slug });
-  }
-  return result;
-};
-var parseTemplateValue = (value) => {
-  if (typeof value === "string") return { prefix: "", variable: TOKEN_VARIABLE };
-  const parts = [];
-  for (const part of value) {
-    if (typeof part !== "string" && part.type === "variable") {
-      return { prefix: parts.join(""), variable: part.name };
-    }
-    if (typeof part === "string") parts.push(part);
-  }
-  return { prefix: parts.join(""), variable: TOKEN_VARIABLE };
-};
-var placementsFromAuthentication = (template) => {
-  const placements = [];
-  for (const [name, value] of Object.entries(template.headers ?? {})) {
-    const { prefix, variable } = parseTemplateValue(value);
-    placements.push({ carrier: "header", name, prefix, variable });
-  }
-  for (const [name, value] of Object.entries(template.queryParams ?? {})) {
-    const { prefix, variable } = parseTemplateValue(value);
-    placements.push({ carrier: "query", name, prefix, variable });
-  }
-  return placements;
-};
-var apiKeyLabel = (slug, placements) => {
-  const first = placements[0];
-  if (first) return `API key (${first.name || (first.carrier === "header" ? "header" : "query")})`;
-  return `API key (${slug})`;
-};
 var describeOpenApiAuthMethods = (record) => {
   const config = decodeOpenApiIntegrationConfig(record.config);
   if (!config) return [];
   return (config.authenticationTemplate ?? []).map(
     (template) => {
-      const slug = String(template.slug);
-      if (template.type === "oauth") {
+      if (template.kind === "oauth2") {
         return {
-          id: slug,
+          id: String(template.slug),
           label: "OAuth2",
           kind: "oauth",
-          template: slug,
+          template: String(template.slug),
           oauth: {
             authorizationUrl: template.authorizationUrl,
             tokenUrl: template.tokenUrl,
@@ -1095,14 +1009,7 @@ var describeOpenApiAuthMethods = (record) => {
           }
         };
       }
-      const placements = placementsFromAuthentication(template);
-      return {
-        id: slug,
-        label: apiKeyLabel(slug, placements),
-        kind: "apikey",
-        template: slug,
-        placements
-      };
+      return describeApiKeyAuthMethod(template);
     }
   );
 };
@@ -1110,6 +1017,7 @@ var describeOpenApiIntegrationDisplay = (record) => {
   const config = decodeOpenApiIntegrationConfig(record.config);
   return { url: config?.baseUrl ?? config?.sourceUrl };
 };
+var loadSpecText = (storage, config) => config.specHash != null ? storage.getSpec(config.specHash) : Effect3.succeed(null);
 var compileSpec = (specText) => Effect3.gen(function* () {
   const doc = yield* parse(specText);
   const result = yield* extract(doc);
@@ -1130,9 +1038,10 @@ var toolDefsFromCompiled = (compiled) => compiled.definitions.map(
     name: ToolName.make(def.toolPath),
     description: descriptionFor(def),
     inputSchema: normalizeOpenApiRefs(Option5.getOrUndefined(def.operation.inputSchema)),
-    outputSchema: openApiTransportOutputSchema(
-      normalizeOpenApiRefs(Option5.getOrUndefined(def.operation.outputSchema))
-    ),
+    // The output schema is the upstream response body only — transport
+    // status/headers live in the ToolResult `http` side channel, not the
+    // payload (see the invoke handler).
+    outputSchema: normalizeOpenApiRefs(Option5.getOrUndefined(def.operation.outputSchema)),
     annotations: annotationsForOperation(def.operation.method, def.operation.pathTemplate)
   })
 );
@@ -1198,23 +1107,38 @@ var openApiPlugin = definePlugin((options) => {
       const addSpec = (config) => Effect3.gen(function* () {
         const resolved = yield* resolveSpecForInput(config.spec, httpClientLayer);
         const compiled = yield* compileSpec(resolved.specText);
+        const explicitBaseUrl = config.baseUrl ?? resolved.baseUrl;
+        const needsDerivedBaseUrl = explicitBaseUrl == null;
+        const needsDerivedAuth = config.authenticationTemplate == null && resolved.authenticationTemplate == null;
+        const preview = needsDerivedBaseUrl || needsDerivedAuth ? yield* previewSpecText(resolved.specText) : void 0;
+        const derivedBaseUrl = needsDerivedBaseUrl && preview ? firstBaseUrlForPreview(preview) : void 0;
+        const effectiveBaseUrl = explicitBaseUrl ?? (derivedBaseUrl || void 0);
+        const derivedAuthenticationTemplate = needsDerivedAuth && preview ? deriveAuthenticationTemplateFromPreview(preview, effectiveBaseUrl) : void 0;
         const slug = IntegrationSlug.make(config.slug);
         const existing = yield* ctx.core.integrations.get(slug);
         if (existing) {
           return yield* new IntegrationAlreadyExistsError({ slug });
         }
+        const specHash = yield* sha256Hex(resolved.specText);
         const integrationConfig = {
-          spec: resolved.specText,
+          specHash,
           ...specInputToSourceUrl(config.spec) !== void 0 ? { sourceUrl: specInputToSourceUrl(config.spec) } : {},
           ...specInputToGoogleBundle(config.spec) !== void 0 ? { googleDiscoveryUrls: specInputToGoogleBundle(config.spec) } : {},
-          ...config.baseUrl ?? resolved.baseUrl ? { baseUrl: config.baseUrl ?? resolved.baseUrl } : {},
+          // baseUrl is an optional override only. The host is otherwise
+          // resolved per call from the operation's `servers` (extracted from
+          // the spec), so we never bake a derived base URL into the config.
+          ...config.baseUrl ? { baseUrl: config.baseUrl } : {},
           ...config.headers ? { headers: config.headers } : {},
           ...config.queryParams ? { queryParams: config.queryParams } : {},
           // Prefer the caller's explicit template; otherwise adopt the one the
           // Google Discovery converter derived from the spec (the bundle add
-          // path relies on this — it has no preview to detect auth from).
-          ...config.authenticationTemplate ? { authenticationTemplate: config.authenticationTemplate } : resolved.authenticationTemplate ? { authenticationTemplate: resolved.authenticationTemplate } : {}
+          // path relies on this — it has no preview to detect auth from);
+          // otherwise derive from the spec's declared security schemes.
+          ...config.authenticationTemplate ? {
+            authenticationTemplate: normalizeOpenApiAuthInputs(config.authenticationTemplate)
+          } : resolved.authenticationTemplate ? { authenticationTemplate: resolved.authenticationTemplate } : derivedAuthenticationTemplate && derivedAuthenticationTemplate.length > 0 ? { authenticationTemplate: derivedAuthenticationTemplate } : {}
         };
+        yield* ctx.storage.putSpec(specHash, resolved.specText);
         yield* ctx.transaction(
           Effect3.gen(function* () {
             yield* ctx.core.integrations.register({
@@ -1276,10 +1200,8 @@ var openApiPlugin = definePlugin((options) => {
             if (!record) return [];
             const current = decodeOpenApiIntegrationConfig(record.config);
             if (!current) return [];
-            const merged = input.mode === "replace" ? input.authenticationTemplate : mergeAuthenticationTemplate(
-              current.authenticationTemplate ?? [],
-              input.authenticationTemplate
-            );
+            const incoming = normalizeOpenApiAuthInputs(input.authenticationTemplate);
+            const merged = input.mode === "replace" ? incoming : mergeAuthTemplates(current.authenticationTemplate ?? [], incoming);
             const next = {
               ...current,
               authenticationTemplate: merged
@@ -1314,7 +1236,7 @@ var openApiPlugin = definePlugin((options) => {
           }),
           tool({
             name: "addSpec",
-            description: "Add an OpenAPI integration to the catalog and persist its operations as tools. Recommended flow: call `previewSpec`, choose a `slug`, declare an `authenticationTemplate` for how a credential is applied (apiKey header/query, or oauth bearer), then create a connection for that integration with the user's API key or via `oauth.start`.",
+            description: "Add an OpenAPI integration to the catalog and persist its operations as tools. Recommended flow: call `previewSpec`, choose a `slug`, then create a connection for that integration with the user's API key or via `oauth.start`. When `baseUrl` is omitted it defaults to the spec's first server; when `authenticationTemplate` is omitted the auth methods are derived from the spec's declared security schemes (pass an explicit template to override how a credential is applied \u2014 apiKey header/query, or oauth bearer \u2014 or an empty array for no auth methods).",
             annotations: {
               requiresApproval: true,
               approvalDescription: "Add an OpenAPI integration"
@@ -1357,13 +1279,17 @@ var openApiPlugin = definePlugin((options) => {
     // Produce one tool per spec operation. Spec-derived, identical for every
     // connection on the integration — so `getValue` is never called here. The
     // operation bindings invokeTool needs are persisted at addSpec time; this
-    // hook only shapes the per-connection ToolDefs from the catalog config.
+    // hook only shapes the per-connection ToolDefs from the spec blob the
+    // catalog config points at.
     resolveTools: ({
-      config
+      config,
+      storage
     }) => Effect3.gen(function* () {
       const openApiConfig = decodeOpenApiIntegrationConfig(config);
       if (!openApiConfig) return { tools: [], definitions: {} };
-      const compiled = yield* compileSpec(openApiConfig.spec).pipe(
+      const specText = yield* loadSpecText(storage, openApiConfig);
+      if (specText == null) return { tools: [], definitions: {} };
+      const compiled = yield* compileSpec(specText).pipe(
         Effect3.catch(() => Effect3.succeed(null))
       );
       if (!compiled) return { tools: [], definitions: {} };
@@ -1383,9 +1309,10 @@ var openApiPlugin = definePlugin((options) => {
       const config = decodeOpenApiIntegrationConfig(credential.config);
       let binding = (yield* invokeCtx.storage.getOperation(integration, toolRow.name))?.binding;
       if (!binding && config) {
-        const compiled = yield* compileSpec(config.spec).pipe(
+        const specText = yield* loadSpecText(invokeCtx.storage, config).pipe(
           Effect3.catch(() => Effect3.succeed(null))
         );
+        const compiled = specText == null ? null : yield* compileSpec(specText).pipe(Effect3.catch(() => Effect3.succeed(null)));
         binding = compiled ? storedOperationsFromCompiled(integration, compiled).find(
           (op) => op.toolName === toolRow.name
         )?.binding : void 0;
@@ -1409,12 +1336,12 @@ var openApiPlugin = definePlugin((options) => {
         });
         if (missing.length > 0) {
           return openApiAuthToolFailure({
-            code: template.type === "oauth" ? "oauth_connection_missing" : "connection_value_missing",
+            code: template.kind === "oauth2" ? "oauth_connection_missing" : "connection_value_missing",
             message: `Connection "${credential.connection}" for "${integration}" has no resolvable credential value. Re-authenticate or update the connection.`,
             owner: credential.owner,
             integration,
             connection: String(credential.connection),
-            credentialKind: template.type === "oauth" ? "oauth" : "secret"
+            credentialKind: template.kind === "oauth2" ? "oauth" : "secret"
           });
         }
         const rendered = renderAuthTemplate(template, credential.values);
@@ -1451,10 +1378,8 @@ var openApiPlugin = definePlugin((options) => {
           details: result.error
         });
       }
-      return ToolResult.ok({
-        status: result.status,
-        headers: result.headers,
-        data: result.data
+      return ToolResult.ok(result.data, {
+        http: { status: result.status, headers: result.headers }
       });
     }),
     resolveAnnotations: ({
@@ -1541,4 +1466,4 @@ export {
   makeDefaultOpenapiStore,
   openApiPlugin
 };
-//# sourceMappingURL=chunk-V7VCHYOY.js.map
+//# sourceMappingURL=chunk-WJQIWTZF.js.map