npm - @frontmcp/adapters - Versions diffs - 0.6.1 → 0.6.2 - Mend

@frontmcp/adapters 0.6.1 → 0.6.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (31) hide show

package/esm/index.mjs +1168 -0
package/esm/openapi/index.mjs +1168 -0
package/esm/package.json +63 -0
package/index.js +1193 -0
package/openapi/index.js +1192 -0
package/package.json +29 -11
package/src/index.js +0 -8
package/src/index.js.map +0 -1
package/src/openapi/README.md +0 -1215
package/src/openapi/index.js +0 -8
package/src/openapi/index.js.map +0 -1
package/src/openapi/openapi.adapter.js +0 -434
package/src/openapi/openapi.adapter.js.map +0 -1
package/src/openapi/openapi.frontmcp-schema.js +0 -358
package/src/openapi/openapi.frontmcp-schema.js.map +0 -1
package/src/openapi/openapi.security.js +0 -242
package/src/openapi/openapi.security.js.map +0 -1
package/src/openapi/openapi.tool.js +0 -267
package/src/openapi/openapi.tool.js.map +0 -1
package/src/openapi/openapi.types.js +0 -29
package/src/openapi/openapi.types.js.map +0 -1
package/src/openapi/openapi.utils.js +0 -229
package/src/openapi/openapi.utils.js.map +0 -1
/package/{src/index.d.ts → index.d.ts} +0 -0
/package/{src/openapi → openapi}/index.d.ts +0 -0
/package/{src/openapi → openapi}/openapi.adapter.d.ts +0 -0
/package/{src/openapi → openapi}/openapi.frontmcp-schema.d.ts +0 -0
/package/{src/openapi → openapi}/openapi.security.d.ts +0 -0
/package/{src/openapi → openapi}/openapi.tool.d.ts +0 -0
/package/{src/openapi → openapi}/openapi.types.d.ts +0 -0
/package/{src/openapi → openapi}/openapi.utils.d.ts +0 -0

package/esm/index.mjs ADDED Viewed

@@ -0,0 +1,1168 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+// libs/adapters/src/openapi/openapi.adapter.ts
+import { Adapter, DynamicAdapter } from "@frontmcp/sdk";
+import { OpenAPIToolGenerator } from "mcp-from-openapi";
+// libs/adapters/src/openapi/openapi.tool.ts
+import { z as z2 } from "zod";
+import { tool } from "@frontmcp/sdk";
+import { convertJsonSchemaToZod } from "zod-from-json-schema";
+// libs/adapters/src/openapi/openapi.utils.ts
+function coerceToString(value, paramName, location) {
+  if (value === null || value === void 0) {
+    return "";
+  }
+  if (typeof value === "object") {
+    if (Array.isArray(value)) {
+      if (location === "query") {
+        return value.map(String).join(",");
+      }
+      throw new Error(`${location} parameter '${paramName}' cannot be an array. Received: ${JSON.stringify(value)}`);
+    }
+    throw new Error(`${location} parameter '${paramName}' cannot be an object. Received: ${JSON.stringify(value)}`);
+  }
+  return String(value);
+}
+function validateBaseUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+      throw new Error(`Unsupported protocol: ${parsed.protocol}. Only http: and https: are supported.`);
+    }
+    return parsed;
+  } catch (err) {
+    if (err instanceof Error && err.message.includes("Unsupported protocol")) {
+      throw err;
+    }
+    throw new Error(`Invalid base URL: ${url}`);
+  }
+}
+function appendCookie(headers, name, value) {
+  if (!/^[\w!#$%&'*+\-.^`|~]+$/.test(name)) {
+    throw new Error(`Invalid cookie name: '${name}'. Cookie names must be valid tokens.`);
+  }
+  const existing = headers.get("Cookie") || "";
+  const cookiePair = `${name}=${encodeURIComponent(coerceToString(value, name, "cookie"))}`;
+  const combined = existing ? `${existing}; ${cookiePair}` : cookiePair;
+  headers.set("Cookie", combined);
+}
+function buildRequest(tool2, input, security, baseUrl) {
+  const rawBaseUrl = tool2.metadata.servers?.[0]?.url || baseUrl;
+  validateBaseUrl(rawBaseUrl);
+  const apiBaseUrl = rawBaseUrl.replace(/\/+$/, "");
+  let path = tool2.metadata.path;
+  const queryParams = new URLSearchParams();
+  const headers = new Headers({
+    accept: "application/json",
+    ...security.headers
+  });
+  let body;
+  for (const mapper of tool2.mapper) {
+    if (mapper.security) continue;
+    const value = input[mapper.inputKey];
+    if (value === void 0 || value === null) {
+      if (mapper.required) {
+        throw new Error(
+          `Required ${mapper.type} parameter '${mapper.key}' (input: '${mapper.inputKey}') is missing for operation '${tool2.name}'`
+        );
+      }
+      continue;
+    }
+    switch (mapper.type) {
+      case "path":
+        path = path.replaceAll(`{${mapper.key}}`, encodeURIComponent(coerceToString(value, mapper.key, "path")));
+        break;
+      case "query":
+        queryParams.set(mapper.key, coerceToString(value, mapper.key, "query"));
+        break;
+      case "header": {
+        const headerValue = coerceToString(value, mapper.key, "header");
+        if (/[\r\n\x00\f\v]/.test(headerValue)) {
+          throw new Error(
+            `Invalid header value for '${mapper.key}': contains control characters (possible header injection attack)`
+          );
+        }
+        headers.set(mapper.key, headerValue);
+        break;
+      }
+      case "cookie":
+        appendCookie(headers, mapper.key, value);
+        break;
+      case "body":
+        if (!body) body = {};
+        body[mapper.key] = value;
+        break;
+      default:
+        throw new Error(
+          `Unknown mapper type '${mapper.type}' for parameter '${mapper.key}' in operation '${tool2.name}'`
+        );
+    }
+  }
+  Object.entries(security.query).forEach(([key, value]) => {
+    if (queryParams.has(key)) {
+      throw new Error(
+        `Query parameter collision: '${key}' is provided both as user input and security parameter. This could indicate a security misconfiguration in operation '${tool2.name}'.`
+      );
+    }
+    queryParams.set(key, coerceToString(value, key, "security query"));
+  });
+  if (security.cookies && Object.keys(security.cookies).length > 0) {
+    Object.entries(security.cookies).forEach(([key, value]) => {
+      appendCookie(headers, key, value);
+    });
+  }
+  if (path.includes("{")) {
+    throw new Error(`Failed to resolve all path parameters in ${path} for operation ${tool2.name}`);
+  }
+  const queryString = queryParams.toString();
+  const url = `${apiBaseUrl}${path}${queryString ? `?${queryString}` : ""}`;
+  return { url, headers, body };
+}
+function applyAdditionalHeaders(headers, additionalHeaders) {
+  if (!additionalHeaders) return;
+  Object.entries(additionalHeaders).forEach(([key, value]) => {
+    headers.set(key, value);
+  });
+}
+var DEFAULT_MAX_RESPONSE_SIZE = 10 * 1024 * 1024;
+async function parseResponse(response, options) {
+  const maxSize = options?.maxResponseSize ?? DEFAULT_MAX_RESPONSE_SIZE;
+  if (!response.ok) {
+    throw new Error(`API request failed: ${response.status}`);
+  }
+  const contentLength = response.headers.get("content-length");
+  if (contentLength) {
+    const length = parseInt(contentLength, 10);
+    if (!isNaN(length) && isFinite(length) && length > maxSize) {
+      throw new Error(`Response size (${length} bytes) exceeds maximum allowed (${maxSize} bytes)`);
+    }
+  }
+  const text = await response.text();
+  const byteSize = new TextEncoder().encode(text).length;
+  if (byteSize > maxSize) {
+    throw new Error(`Response size (${byteSize} bytes) exceeds maximum allowed (${maxSize} bytes)`);
+  }
+  const contentType = response.headers.get("content-type");
+  if (contentType?.toLowerCase().includes("application/json")) {
+    try {
+      return { data: JSON.parse(text) };
+    } catch {
+      return { data: text };
+    }
+  }
+  return { data: text };
+}
+// libs/adapters/src/openapi/openapi.security.ts
+import { SecurityResolver, createSecurityContext } from "mcp-from-openapi";
+async function createSecurityContextFromAuth(tool2, ctx, options) {
+  if (options.securityResolver) {
+    return await options.securityResolver(tool2, ctx);
+  }
+  if (options.authProviderMapper) {
+    const context = createSecurityContext({});
+    const securitySchemes = /* @__PURE__ */ new Set();
+    for (const mapper of tool2.mapper) {
+      if (mapper.security?.scheme) {
+        securitySchemes.add(mapper.security.scheme);
+      }
+    }
+    for (const scheme of securitySchemes) {
+      const authExtractor = options.authProviderMapper[scheme];
+      if (authExtractor) {
+        try {
+          const token = authExtractor(ctx);
+          if (token !== void 0 && token !== null && typeof token !== "string") {
+            throw new Error(
+              `authProviderMapper['${scheme}'] must return a string or undefined, but returned: ${typeof token}`
+            );
+          }
+          if (token === "") {
+            throw new Error(
+              `authProviderMapper['${scheme}'] returned empty string. Return undefined/null if no token is available, or provide a valid token.`
+            );
+          }
+          if (token) {
+            const schemeMapper = tool2.mapper.find((m) => m.security?.scheme === scheme);
+            const schemeType = schemeMapper?.security?.type?.toLowerCase();
+            const httpScheme = schemeMapper?.security?.httpScheme?.toLowerCase();
+            if (schemeType === "apikey") {
+              if (!context.apiKey) {
+                context.apiKey = token;
+              }
+            } else if (schemeType === "http" && httpScheme === "basic") {
+              if (!context.basic) {
+                context.basic = token;
+              }
+            } else if (schemeType === "oauth2") {
+              if (!context.oauth2Token) {
+                context.oauth2Token = token;
+              }
+            } else {
+              if (!context.jwt) {
+                context.jwt = token;
+              }
+            }
+          }
+        } catch (err) {
+          if (err instanceof Error && err.message.includes("authProviderMapper")) {
+            throw err;
+          }
+          const errorMessage = err instanceof Error ? err.message : String(err);
+          throw new Error(`authProviderMapper['${scheme}'] threw an error: ${errorMessage}`);
+        }
+      }
+    }
+    const hasAnyAuth = context.jwt || context.apiKey || context.basic || context.oauth2Token;
+    const authToken = ctx.authInfo?.token;
+    if (!hasAnyAuth && authToken) {
+      if (typeof authToken !== "string") {
+        throw new Error(`authInfo.token must be a string, but got: ${typeof authToken}`);
+      }
+      context.jwt = authToken;
+    }
+    return context;
+  }
+  if (options.staticAuth) {
+    return createSecurityContext(options.staticAuth);
+  }
+  return createSecurityContext({
+    jwt: ctx.authInfo?.token
+  });
+}
+function extractSecuritySchemes(tools) {
+  const schemes = /* @__PURE__ */ new Set();
+  for (const tool2 of tools) {
+    for (const mapper of tool2.mapper) {
+      if (mapper.security?.scheme) {
+        schemes.add(mapper.security.scheme);
+      }
+    }
+  }
+  return schemes;
+}
+function validateSecurityConfiguration(tools, options) {
+  const result = {
+    valid: true,
+    missingMappings: [],
+    warnings: [],
+    securityRiskScore: "low"
+  };
+  const securitySchemes = extractSecuritySchemes(tools);
+  const includeSecurityInInput = options.generateOptions?.includeSecurityInInput ?? false;
+  if (includeSecurityInInput) {
+    result.securityRiskScore = "high";
+    result.warnings.push(
+      "SECURITY WARNING: includeSecurityInInput is enabled. Users will provide authentication directly in tool inputs. This increases security risk as credentials may be logged or exposed."
+    );
+    return result;
+  }
+  if (options.securityResolver) {
+    result.securityRiskScore = "low";
+    result.warnings.push(
+      "INFO: Using custom securityResolver. Ensure your resolver properly validates and secures credentials from context."
+    );
+    return result;
+  }
+  if (options.staticAuth && Object.keys(options.staticAuth).length > 0) {
+    result.securityRiskScore = "medium";
+    result.warnings.push(
+      "SECURITY INFO: Using staticAuth with hardcoded credentials. Ensure credentials are stored securely (environment variables, secrets manager)."
+    );
+    return result;
+  }
+  const schemesInInput = new Set(options.securitySchemesInInput || []);
+  if (options.authProviderMapper || schemesInInput.size > 0) {
+    result.securityRiskScore = schemesInInput.size > 0 ? "medium" : "low";
+    if (schemesInInput.size > 0) {
+      result.warnings.push(
+        `INFO: Per-scheme security control enabled. Schemes in input: ${Array.from(schemesInInput).join(", ")}`
+      );
+    }
+    for (const scheme of securitySchemes) {
+      if (schemesInInput.has(scheme)) {
+        continue;
+      }
+      if (!options.authProviderMapper?.[scheme]) {
+        result.valid = false;
+        result.missingMappings.push(scheme);
+      }
+    }
+    if (!result.valid) {
+      result.warnings.push(
+        `ERROR: Missing auth provider mappings for security schemes: ${result.missingMappings.join(", ")}`
+      );
+    }
+    return result;
+  }
+  if (securitySchemes.size > 0) {
+    result.securityRiskScore = "medium";
+    result.warnings.push(
+      `INFO: No auth configuration provided. Using default ctx.authInfo.token for all security schemes: ${Array.from(
+        securitySchemes
+      ).join(", ")}`
+    );
+    result.warnings.push(
+      "RECOMMENDATION: For multiple auth providers, use authProviderMapper or securityResolver to map each security scheme to the correct auth provider."
+    );
+  }
+  return result;
+}
+async function resolveToolSecurity(tool2, ctx, options) {
+  const securityResolver = new SecurityResolver();
+  const securityContext = await createSecurityContextFromAuth(tool2, ctx, options);
+  const hasAuth = securityContext.jwt || securityContext.apiKey || securityContext.basic || securityContext.oauth2Token || securityContext.apiKeys && Object.keys(securityContext.apiKeys).length > 0 || securityContext.customHeaders && Object.keys(securityContext.customHeaders).length > 0;
+  const requiresSecurity = tool2.mapper.some((m) => m.security && m.required === true);
+  if (requiresSecurity && !hasAuth) {
+    const requiredSchemes = tool2.mapper.filter((m) => m.security && m.required === true).map((m) => m.security?.scheme ?? "unknown");
+    const uniqueSchemes = [...new Set(requiredSchemes)];
+    const schemesStr = uniqueSchemes.join(", ") || "unknown";
+    const firstScheme = uniqueSchemes[0] || "BearerAuth";
+    throw new Error(
+      `Authentication required for tool '${tool2.name}' but no auth configuration found.
+Required security schemes: ${schemesStr}
+Solutions:
+  1. Add authProviderMapper: { '${firstScheme}': (ctx) => ctx.authInfo.user?.token }
+  2. Add securityResolver: (tool, ctx) => ({ jwt: ctx.authInfo.token })
+  3. Add staticAuth: { jwt: process.env.API_TOKEN }
+  4. Set generateOptions.includeSecurityInInput: true (not recommended for production)`
+    );
+  }
+  return await securityResolver.resolve(tool2.mapper, securityContext);
+}
+// libs/adapters/src/openapi/openapi.frontmcp-schema.ts
+import { z } from "zod";
+var FRONTMCP_SCHEMA_VERSION = "1.0";
+var SUPPORTED_VERSIONS = ["1.0"];
+var FrontMcpAnnotationsSchema = z.object({
+  /** Human-readable title for the tool */
+  title: z.string().optional(),
+  /** If true, the tool does not modify its environment */
+  readOnlyHint: z.boolean().optional(),
+  /** If true, the tool may perform destructive updates */
+  destructiveHint: z.boolean().optional(),
+  /** If true, calling repeatedly with same args has no additional effect */
+  idempotentHint: z.boolean().optional(),
+  /** If true, tool may interact with external entities */
+  openWorldHint: z.boolean().optional()
+});
+var FrontMcpCacheSchema = z.object({
+  /** Time-to-live in seconds for cached responses */
+  ttl: z.number().int().positive().optional(),
+  /** If true, cache window slides on each access */
+  slideWindow: z.boolean().optional()
+});
+var FrontMcpCodeCallSchema = z.object({
+  /** Whether this tool can be used via CodeCall */
+  enabledInCodeCall: z.boolean().optional(),
+  /** If true, stays visible in list_tools when CodeCall is active */
+  visibleInListTools: z.boolean().optional()
+});
+var FrontMcpExampleSchema = z.object({
+  /** Description of the example */
+  description: z.string(),
+  /** Example input values */
+  input: z.record(z.string(), z.any()),
+  /** Expected output (optional) */
+  output: z.any().optional()
+});
+var KNOWN_EXTENSION_FIELDS = /* @__PURE__ */ new Set([
+  "version",
+  "annotations",
+  "cache",
+  "codecall",
+  "tags",
+  "hideFromDiscovery",
+  "examples"
+]);
+var KNOWN_ANNOTATION_FIELDS = /* @__PURE__ */ new Set([
+  "title",
+  "readOnlyHint",
+  "destructiveHint",
+  "idempotentHint",
+  "openWorldHint"
+]);
+var KNOWN_CACHE_FIELDS = /* @__PURE__ */ new Set(["ttl", "slideWindow"]);
+var KNOWN_CODECALL_FIELDS = /* @__PURE__ */ new Set(["enabledInCodeCall", "visibleInListTools"]);
+function validateFrontMcpExtension(rawData, toolName, logger) {
+  const warnings = [];
+  if (rawData === null || rawData === void 0) {
+    return { success: true, data: null, warnings: [] };
+  }
+  if (typeof rawData !== "object" || Array.isArray(rawData)) {
+    warnings.push(`x-frontmcp must be an object, got ${Array.isArray(rawData) ? "array" : typeof rawData}`);
+    logger.warn(`[${toolName}] Invalid x-frontmcp extension: ${warnings[0]}`);
+    return { success: false, data: null, warnings };
+  }
+  const data = rawData;
+  const version = typeof data["version"] === "string" ? data["version"] : FRONTMCP_SCHEMA_VERSION;
+  if (!SUPPORTED_VERSIONS.includes(version)) {
+    warnings.push(`Unsupported x-frontmcp version '${version}'. Supported versions: ${SUPPORTED_VERSIONS.join(", ")}`);
+    logger.warn(`[${toolName}] ${warnings[0]}`);
+    return { success: false, data: null, warnings };
+  }
+  const validData = extractValidFields(data, version, warnings);
+  if (warnings.length > 0) {
+    logger.warn(`[${toolName}] x-frontmcp extension has invalid fields that were ignored:`);
+    warnings.forEach((w) => logger.warn(`  - ${w}`));
+  }
+  return {
+    success: true,
+    data: validData,
+    warnings
+  };
+}
+function extractValidFields(data, version, warnings) {
+  const result = {
+    version
+  };
+  for (const key of Object.keys(data)) {
+    if (!KNOWN_EXTENSION_FIELDS.has(key)) {
+      warnings.push(`Unknown field '${key}' in x-frontmcp (will be ignored)`);
+    }
+  }
+  if (data["annotations"] !== void 0) {
+    const annotationsResult = FrontMcpAnnotationsSchema.safeParse(data["annotations"]);
+    if (annotationsResult.success) {
+      result.annotations = annotationsResult.data;
+    } else {
+      const issues = formatZodIssues(annotationsResult.error.issues, "annotations");
+      warnings.push(...issues);
+      result.annotations = extractValidAnnotations(data["annotations"], warnings);
+    }
+  }
+  if (data["cache"] !== void 0) {
+    const cacheResult = FrontMcpCacheSchema.safeParse(data["cache"]);
+    if (cacheResult.success) {
+      result.cache = cacheResult.data;
+    } else {
+      const issues = formatZodIssues(cacheResult.error.issues, "cache");
+      warnings.push(...issues);
+      result.cache = extractValidCache(data["cache"], warnings);
+    }
+  }
+  if (data["codecall"] !== void 0) {
+    const codecallResult = FrontMcpCodeCallSchema.safeParse(data["codecall"]);
+    if (codecallResult.success) {
+      result.codecall = codecallResult.data;
+    } else {
+      const issues = formatZodIssues(codecallResult.error.issues, "codecall");
+      warnings.push(...issues);
+      result.codecall = extractValidCodeCall(data["codecall"], warnings);
+    }
+  }
+  if (data["tags"] !== void 0) {
+    const tagsSchema = z.array(z.string());
+    const tagsResult = tagsSchema.safeParse(data["tags"]);
+    if (tagsResult.success) {
+      result.tags = tagsResult.data;
+    } else {
+      warnings.push(`Invalid 'tags': expected array of strings`);
+      result.tags = extractValidTags(data["tags"]);
+    }
+  }
+  if (data["hideFromDiscovery"] !== void 0) {
+    if (typeof data["hideFromDiscovery"] === "boolean") {
+      result.hideFromDiscovery = data["hideFromDiscovery"];
+    } else {
+      warnings.push(`Invalid 'hideFromDiscovery': expected boolean, got ${typeof data["hideFromDiscovery"]}`);
+    }
+  }
+  if (data["examples"] !== void 0) {
+    const examplesSchema = z.array(FrontMcpExampleSchema);
+    const examplesResult = examplesSchema.safeParse(data["examples"]);
+    if (examplesResult.success) {
+      result.examples = examplesResult.data;
+    } else {
+      warnings.push(`Invalid 'examples': some examples have invalid format`);
+      result.examples = extractValidExamples(data["examples"], warnings);
+    }
+  }
+  return result;
+}
+function extractValidAnnotations(data, warnings) {
+  if (typeof data !== "object" || data === null) return void 0;
+  const obj = data;
+  const result = {};
+  for (const field of KNOWN_ANNOTATION_FIELDS) {
+    if (obj[field] !== void 0) {
+      if (field === "title" && typeof obj[field] === "string") {
+        result.title = obj[field];
+      } else if (field !== "title" && typeof obj[field] === "boolean") {
+        result[field] = obj[field];
+      }
+    }
+  }
+  for (const key of Object.keys(obj)) {
+    if (!KNOWN_ANNOTATION_FIELDS.has(key)) {
+      warnings.push(`Unknown field 'annotations.${key}' (will be ignored)`);
+    }
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+}
+function extractValidCache(data, warnings) {
+  if (typeof data !== "object" || data === null) return void 0;
+  const obj = data;
+  const result = {};
+  if (typeof obj["ttl"] === "number" && Number.isInteger(obj["ttl"]) && obj["ttl"] > 0) {
+    result.ttl = obj["ttl"];
+  } else if (obj["ttl"] !== void 0) {
+    warnings.push(`Invalid 'cache.ttl': expected positive integer`);
+  }
+  if (typeof obj["slideWindow"] === "boolean") {
+    result.slideWindow = obj["slideWindow"];
+  } else if (obj["slideWindow"] !== void 0) {
+    warnings.push(`Invalid 'cache.slideWindow': expected boolean`);
+  }
+  for (const key of Object.keys(obj)) {
+    if (!KNOWN_CACHE_FIELDS.has(key)) {
+      warnings.push(`Unknown field 'cache.${key}' (will be ignored)`);
+    }
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+}
+function extractValidCodeCall(data, warnings) {
+  if (typeof data !== "object" || data === null) return void 0;
+  const obj = data;
+  const result = {};
+  if (typeof obj["enabledInCodeCall"] === "boolean") {
+    result.enabledInCodeCall = obj["enabledInCodeCall"];
+  } else if (obj["enabledInCodeCall"] !== void 0) {
+    warnings.push(`Invalid 'codecall.enabledInCodeCall': expected boolean`);
+  }
+  if (typeof obj["visibleInListTools"] === "boolean") {
+    result.visibleInListTools = obj["visibleInListTools"];
+  } else if (obj["visibleInListTools"] !== void 0) {
+    warnings.push(`Invalid 'codecall.visibleInListTools': expected boolean`);
+  }
+  for (const key of Object.keys(obj)) {
+    if (!KNOWN_CODECALL_FIELDS.has(key)) {
+      warnings.push(`Unknown field 'codecall.${key}' (will be ignored)`);
+    }
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+}
+function extractValidTags(data) {
+  if (!Array.isArray(data)) return void 0;
+  const validTags = data.filter((item) => typeof item === "string");
+  return validTags.length > 0 ? validTags : void 0;
+}
+function extractValidExamples(data, warnings) {
+  if (!Array.isArray(data)) return void 0;
+  const validExamples = [];
+  for (let i = 0; i < data.length; i++) {
+    const item = data[i];
+    const result = FrontMcpExampleSchema.safeParse(item);
+    if (result.success) {
+      validExamples.push(result.data);
+    } else {
+      warnings.push(
+        `Invalid example at index ${i}: ${formatZodIssues(result.error.issues, `examples[${i}]`).join(", ")}`
+      );
+    }
+  }
+  return validExamples.length > 0 ? validExamples : void 0;
+}
+function formatZodIssues(issues, prefix) {
+  return issues.map((issue) => {
+    const path = issue.path.length > 0 ? `${prefix}.${issue.path.join(".")}` : prefix;
+    return `Invalid '${path}': ${issue.message}`;
+  });
+}
+// libs/adapters/src/openapi/openapi.tool.ts
+function createOpenApiTool(openapiTool, options, logger) {
+  const metadata = openapiTool.metadata;
+  const inputTransforms = metadata.adapter?.inputTransforms ?? [];
+  const toolTransform = metadata.adapter?.toolTransform ?? {};
+  const frontmcpValidation = validateFrontMcpExtension(metadata.frontmcp, openapiTool.name, logger);
+  const frontmcpExt = frontmcpValidation.data;
+  const schemaResult = getZodSchemaFromJsonSchema(openapiTool.inputSchema, openapiTool.name, logger);
+  const toolMetadata = {
+    id: openapiTool.name,
+    name: openapiTool.name,
+    description: openapiTool.description,
+    inputSchema: schemaResult.schema.shape || {},
+    rawInputSchema: openapiTool.inputSchema
+  };
+  if (schemaResult.conversionFailed) {
+    toolMetadata["_schemaConversionFailed"] = true;
+    toolMetadata["_schemaConversionError"] = schemaResult.error;
+  }
+  if (frontmcpExt) {
+    if (frontmcpExt.annotations) {
+      toolMetadata["annotations"] = { ...frontmcpExt.annotations };
+    }
+    if (frontmcpExt.tags) {
+      toolMetadata["tags"] = [...frontmcpExt.tags];
+    }
+    if (frontmcpExt.hideFromDiscovery !== void 0) {
+      toolMetadata["hideFromDiscovery"] = frontmcpExt.hideFromDiscovery;
+    }
+    if (frontmcpExt.examples) {
+      toolMetadata["examples"] = [...frontmcpExt.examples];
+    }
+    if (frontmcpExt.cache) {
+      toolMetadata["cache"] = { ...frontmcpExt.cache };
+    }
+    if (frontmcpExt.codecall) {
+      toolMetadata["codecall"] = { ...frontmcpExt.codecall };
+    }
+  }
+  if (toolTransform.annotations) {
+    toolMetadata["annotations"] = {
+      ...toolMetadata["annotations"] || {},
+      ...toolTransform.annotations
+    };
+  }
+  if (toolTransform.tags) {
+    const existingTags = toolMetadata["tags"] || [];
+    toolMetadata["tags"] = [...existingTags, ...toolTransform.tags];
+  }
+  if (toolTransform.hideFromDiscovery !== void 0) {
+    toolMetadata["hideFromDiscovery"] = toolTransform.hideFromDiscovery;
+  }
+  if (toolTransform.examples) {
+    const existingExamples = toolMetadata["examples"] || [];
+    toolMetadata["examples"] = [...existingExamples, ...toolTransform.examples];
+  }
+  if (toolTransform.ui) {
+    toolMetadata["ui"] = toolTransform.ui;
+  }
+  return tool(toolMetadata)(async (input, toolCtx) => {
+    const ctx = toolCtx.context;
+    const transformContext = {
+      ctx,
+      env: process.env,
+      tool: openapiTool
+    };
+    const injectedInput = await injectTransformedValues(
+      input,
+      inputTransforms,
+      transformContext
+    );
+    const security = await resolveToolSecurity(openapiTool, ctx, options);
+    const { url, headers, body: requestBody } = buildRequest(openapiTool, injectedInput, security, options.baseUrl);
+    applyAdditionalHeaders(headers, options.additionalHeaders);
+    if (options.headersMapper) {
+      try {
+        const mappedHeaders = options.headersMapper(ctx, headers);
+        if (mappedHeaders && typeof mappedHeaders.forEach === "function") {
+          mappedHeaders.forEach((value, key) => {
+            headers.set(key, value);
+          });
+        }
+      } catch (err) {
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        throw new Error(`headersMapper failed for tool '${openapiTool.name}': ${errorMessage}`);
+      }
+    }
+    let finalBody = requestBody;
+    if (options.bodyMapper && requestBody) {
+      try {
+        finalBody = options.bodyMapper(ctx, requestBody);
+      } catch (err) {
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        throw new Error(`bodyMapper failed for tool '${openapiTool.name}': ${errorMessage}`);
+      }
+    }
+    if (finalBody && !headers.has("content-type")) {
+      headers.set("content-type", "application/json");
+    }
+    let serializedBody;
+    if (finalBody) {
+      try {
+        serializedBody = JSON.stringify(finalBody);
+      } catch (err) {
+        const errorMessage = err instanceof Error ? err.message : String(err);
+        throw new Error(
+          `Failed to serialize request body for tool '${openapiTool.name}': ${errorMessage}. Body may contain circular references, BigInt, or non-serializable values.`
+        );
+      }
+      const maxRequestSize = options.maxRequestSize ?? DEFAULT_MAX_REQUEST_SIZE;
+      if (serializedBody.length > maxRequestSize) {
+        throw new Error(
+          `Request body size (${serializedBody.length} bytes) exceeds maximum allowed (${maxRequestSize} bytes)`
+        );
+      }
+    }
+    const requestTimeout = options.requestTimeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), requestTimeout);
+    try {
+      const response = await fetch(url, {
+        method: openapiTool.metadata.method.toUpperCase(),
+        headers,
+        body: serializedBody,
+        signal: controller.signal
+      });
+      return await parseResponse(response, { maxResponseSize: options.maxResponseSize });
+    } catch (err) {
+      if (err instanceof Error && err.name === "AbortError") {
+        throw new Error(`Request timeout after ${requestTimeout}ms for tool '${openapiTool.name}'`);
+      }
+      throw err;
+    } finally {
+      clearTimeout(timeoutId);
+    }
+  });
+}
+var DEFAULT_TRANSFORM_TIMEOUT_MS = 5e3;
+var DEFAULT_REQUEST_TIMEOUT_MS = 3e4;
+var DEFAULT_MAX_REQUEST_SIZE = 10 * 1024 * 1024;
+var RESERVED_KEYS = ["__proto__", "constructor", "prototype"];
+async function safeInject(transform, ctx, timeoutMs = DEFAULT_TRANSFORM_TIMEOUT_MS) {
+  let timeoutId;
+  try {
+    const result = await Promise.race([
+      Promise.resolve(transform.inject(ctx)),
+      new Promise((_, reject) => {
+        timeoutId = setTimeout(() => reject(new Error(`Transform timeout after ${timeoutMs}ms`)), timeoutMs);
+      })
+    ]);
+    return result;
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    throw new Error(`Input transform for '${transform.inputKey}' failed: ${errorMessage}`);
+  } finally {
+    if (timeoutId !== void 0) {
+      clearTimeout(timeoutId);
+    }
+  }
+}
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+async function injectTransformedValues(input, transforms, ctx) {
+  if (!isPlainObject(input)) {
+    throw new Error(`Invalid input type: expected object, got ${input === null ? "null" : typeof input}`);
+  }
+  if (transforms.length === 0) return input;
+  const result = { ...input };
+  for (const transform of transforms) {
+    if (RESERVED_KEYS.includes(transform.inputKey)) {
+      throw new Error(
+        `Invalid inputKey '${transform.inputKey}': reserved keys (${RESERVED_KEYS.join(", ")}) cannot be used`
+      );
+    }
+    const value = await safeInject(transform, ctx);
+    if (value !== void 0) {
+      result[transform.inputKey] = value;
+    }
+  }
+  return result;
+}
+function getZodSchemaFromJsonSchema(jsonSchema, toolName, logger) {
+  if (typeof jsonSchema !== "object" || jsonSchema === null) {
+    logger.warn(`[${toolName}] No valid JSON schema provided, using permissive schema`);
+    return { schema: z2.looseObject({}), conversionFailed: true, error: "No valid JSON schema" };
+  }
+  try {
+    const zodSchema = convertJsonSchemaToZod(jsonSchema);
+    if (typeof zodSchema?.parse !== "function") {
+      throw new Error("Conversion did not produce a valid Zod schema.");
+    }
+    return { schema: zodSchema, conversionFailed: false };
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    logger.warn(
+      `[${toolName}] Failed to generate Zod schema, using permissive schema. Tool will accept any input but may fail at API level. Error: ${errorMessage}`
+    );
+    return { schema: z2.looseObject({}), conversionFailed: true, error: errorMessage };
+  }
+}
+// libs/adapters/src/openapi/openapi.adapter.ts
+var RESERVED_KEYS2 = ["__proto__", "constructor", "prototype"];
+function createConsoleLogger(prefix) {
+  const formatMessage = (level, msg) => `[${prefix}] ${level}: ${msg}`;
+  return {
+    verbose: (msg, ...args) => console.debug(formatMessage("VERBOSE", msg), ...args),
+    debug: (msg, ...args) => console.debug(formatMessage("DEBUG", msg), ...args),
+    info: (msg, ...args) => console.info(formatMessage("INFO", msg), ...args),
+    warn: (msg, ...args) => console.warn(formatMessage("WARN", msg), ...args),
+    error: (msg, ...args) => console.error(formatMessage("ERROR", msg), ...args),
+    child: (childPrefix) => createConsoleLogger(`${prefix}:${childPrefix}`)
+  };
+}
+var OpenapiAdapter = class extends DynamicAdapter {
+  generator;
+  logger;
+  options;
+  constructor(options) {
+    super();
+    this.options = options;
+    this.logger = options.logger ?? createConsoleLogger(`openapi:${options.name}`);
+  }
+  /**
+   * Receive the SDK logger. Called by the SDK before fetch().
+   */
+  setLogger(logger) {
+    this.logger = logger;
+  }
+  async fetch() {
+    if (!this.generator) {
+      this.generator = await this.initializeGenerator();
+    }
+    const hasPerSchemeControl = this.options.securitySchemesInInput && this.options.securitySchemesInInput.length > 0;
+    const includeSecurityInInput = hasPerSchemeControl || (this.options.generateOptions?.includeSecurityInInput ?? false);
+    let openapiTools = await this.generator.generateTools({
+      includeOperations: this.options.generateOptions?.includeOperations,
+      excludeOperations: this.options.generateOptions?.excludeOperations,
+      filterFn: this.options.generateOptions?.filterFn,
+      namingStrategy: this.options.generateOptions?.namingStrategy,
+      preferredStatusCodes: this.options.generateOptions?.preferredStatusCodes ?? [200, 201, 202, 204],
+      includeDeprecated: this.options.generateOptions?.includeDeprecated ?? false,
+      includeAllResponses: this.options.generateOptions?.includeAllResponses ?? true,
+      includeSecurityInInput,
+      maxSchemaDepth: this.options.generateOptions?.maxSchemaDepth,
+      includeExamples: this.options.generateOptions?.includeExamples
+    });
+    if (hasPerSchemeControl) {
+      openapiTools = openapiTools.map((tool2) => this.filterSecuritySchemes(tool2));
+    }
+    const validation = validateSecurityConfiguration(openapiTools, this.options);
+    this.logger.info("Security Analysis:");
+    this.logger.info(`  Security Risk Score: ${validation.securityRiskScore.toUpperCase()}`);
+    this.logger.info(`  Valid Configuration: ${validation.valid ? "YES" : "NO"}`);
+    if (validation.warnings.length > 0) {
+      this.logger.info("Messages:");
+      validation.warnings.forEach((warning) => {
+        if (warning.startsWith("ERROR:")) {
+          this.logger.error(`  - ${warning}`);
+        } else if (warning.startsWith("SECURITY WARNING:")) {
+          this.logger.warn(`  - ${warning}`);
+        } else {
+          this.logger.info(`  - ${warning}`);
+        }
+      });
+    }
+    if (!validation.valid) {
+      throw new Error(
+        `[OpenAPI Adapter: ${this.options.name}] Invalid security configuration.
+Missing auth provider mappings for security schemes: ${validation.missingMappings.join(", ")}
+Your OpenAPI spec requires these security schemes, but no auth configuration was provided.
+Add one of the following to your adapter configuration:
+1. authProviderMapper (recommended):
+   authProviderMapper: {
+` + validation.missingMappings.map((s) => `     '${s}': (authInfo) => authInfo.user?.${s.toLowerCase()}Token,`).join("\n") + `
+   }
+2. securityResolver:
+   securityResolver: (tool, authInfo) => ({ jwt: authInfo.token })
+3. staticAuth:
+   staticAuth: { jwt: process.env.API_TOKEN }
+4. Include security in input (NOT recommended for production):
+   generateOptions: { includeSecurityInInput: true }`
+      );
+    }
+    let transformedTools = openapiTools;
+    if (this.options.descriptionMode && this.options.descriptionMode !== "summaryOnly") {
+      transformedTools = transformedTools.map((tool2) => this.applyDescriptionMode(tool2));
+    }
+    if (this.options.toolTransforms) {
+      transformedTools = transformedTools.map((tool2) => this.applyToolTransforms(tool2));
+    }
+    if (this.options.inputTransforms) {
+      transformedTools = transformedTools.map((tool2) => this.applyInputTransforms(tool2));
+    }
+    const tools = transformedTools.map((openapiTool) => createOpenApiTool(openapiTool, this.options, this.logger));
+    return { tools };
+  }
+  /**
+   * Initialize the OpenAPI tool generator from URL or spec
+   * @private
+   */
+  async initializeGenerator() {
+    if ("url" in this.options) {
+      return await OpenAPIToolGenerator.fromURL(this.options.url, {
+        baseUrl: this.options.baseUrl,
+        validate: this.options.loadOptions?.validate ?? true,
+        dereference: this.options.loadOptions?.dereference ?? true,
+        headers: this.options.loadOptions?.headers,
+        timeout: this.options.loadOptions?.timeout,
+        followRedirects: this.options.loadOptions?.followRedirects
+      });
+    } else if ("spec" in this.options) {
+      return await OpenAPIToolGenerator.fromJSON(this.options.spec, {
+        baseUrl: this.options.baseUrl,
+        validate: this.options.loadOptions?.validate ?? true,
+        dereference: this.options.loadOptions?.dereference ?? true
+      });
+    } else {
+      throw new Error("Either url or spec must be provided in OpenApiAdapterOptions");
+    }
+  }
+  /**
+   * Apply description mode to generate description from summary/description
+   * @private
+   */
+  applyDescriptionMode(tool2) {
+    const mode = this.options.descriptionMode || "summaryOnly";
+    const metadata = tool2.metadata;
+    const summary = metadata["operationSummary"];
+    const opDescription = metadata["operationDescription"];
+    const operationId = metadata["operationId"];
+    const method = metadata["method"];
+    const path = metadata["path"];
+    let description;
+    switch (mode) {
+      case "descriptionOnly":
+        description = opDescription || summary || `${method.toUpperCase()} ${path}`;
+        break;
+      case "combined":
+        if (summary && opDescription) {
+          description = `${summary}
+${opDescription}`;
+        } else {
+          description = summary || opDescription || `${method.toUpperCase()} ${path}`;
+        }
+        break;
+      case "full": {
+        const parts = [];
+        if (summary) parts.push(summary);
+        if (opDescription && opDescription !== summary) parts.push(opDescription);
+        if (operationId) parts.push(`Operation: ${operationId}`);
+        parts.push(`${method.toUpperCase()} ${path}`);
+        description = parts.join("\n\n");
+        break;
+      }
+      default:
+        return tool2;
+    }
+    return {
+      ...tool2,
+      description
+    };
+  }
+  /**
+   * Collect tool transforms for a specific tool
+   * @private
+   */
+  collectToolTransforms(tool2) {
+    const result = {};
+    const opts = this.options.toolTransforms;
+    if (!opts) return result;
+    if (opts.global) {
+      Object.assign(result, opts.global);
+      if (opts.global.annotations) {
+        result.annotations = { ...opts.global.annotations };
+      }
+      if (opts.global.tags) {
+        result.tags = [...opts.global.tags];
+      }
+      if (opts.global.examples) {
+        result.examples = [...opts.global.examples];
+      }
+    }
+    if (opts.perTool?.[tool2.name]) {
+      const perTool = opts.perTool[tool2.name];
+      if (perTool.name) result.name = perTool.name;
+      if (perTool.description) result.description = perTool.description;
+      if (perTool.hideFromDiscovery !== void 0) result.hideFromDiscovery = perTool.hideFromDiscovery;
+      if (perTool.ui) result.ui = perTool.ui;
+      if (perTool.annotations) {
+        result.annotations = { ...result.annotations, ...perTool.annotations };
+      }
+      if (perTool.tags) {
+        result.tags = [...result.tags || [], ...perTool.tags];
+      }
+      if (perTool.examples) {
+        result.examples = [...result.examples || [], ...perTool.examples];
+      }
+    }
+    if (opts.generator) {
+      const generated = opts.generator(tool2);
+      if (generated) {
+        if (generated.name) result.name = generated.name;
+        if (generated.description) result.description = generated.description;
+        if (generated.hideFromDiscovery !== void 0) result.hideFromDiscovery = generated.hideFromDiscovery;
+        if (generated.ui) result.ui = generated.ui;
+        if (generated.annotations) {
+          result.annotations = { ...result.annotations, ...generated.annotations };
+        }
+        if (generated.tags) {
+          result.tags = [...result.tags || [], ...generated.tags];
+        }
+        if (generated.examples) {
+          result.examples = [...result.examples || [], ...generated.examples];
+        }
+      }
+    }
+    return result;
+  }
+  /**
+   * Apply tool transforms to an OpenAPI tool
+   * @private
+   */
+  applyToolTransforms(tool2) {
+    const transforms = this.collectToolTransforms(tool2);
+    if (Object.keys(transforms).length === 0) return tool2;
+    let newName = tool2.name;
+    let newDescription = tool2.description;
+    if (transforms.name) {
+      newName = typeof transforms.name === "function" ? transforms.name(tool2.name, tool2) : transforms.name;
+    }
+    if (transforms.description) {
+      newDescription = typeof transforms.description === "function" ? transforms.description(tool2.description, tool2) : transforms.description;
+    }
+    this.logger.debug(`Applied tool transforms to '${tool2.name}'`);
+    const metadataRecord = tool2.metadata;
+    const existingAdapter = metadataRecord["adapter"];
+    return {
+      ...tool2,
+      name: newName,
+      description: newDescription,
+      metadata: {
+        ...tool2.metadata,
+        adapter: {
+          ...existingAdapter || {},
+          toolTransform: transforms
+        }
+      }
+    };
+  }
+  /**
+   * Collect all input transforms for a specific tool
+   * @private
+   */
+  collectTransformsForTool(tool2) {
+    const transforms = [];
+    const opts = this.options.inputTransforms;
+    if (!opts) return transforms;
+    if (opts.global) {
+      transforms.push(...opts.global);
+    }
+    if (opts.perTool?.[tool2.name]) {
+      transforms.push(...opts.perTool[tool2.name]);
+    }
+    if (opts.generator) {
+      transforms.push(...opts.generator(tool2));
+    }
+    return transforms;
+  }
+  /**
+   * Apply input transforms to an OpenAPI tool
+   * - Removes transformed inputKeys from the inputSchema
+   * - Stores transform metadata for runtime injection
+   * @private
+   */
+  applyInputTransforms(tool2) {
+    const transforms = this.collectTransformsForTool(tool2);
+    if (transforms.length === 0) return tool2;
+    for (const transform of transforms) {
+      if (RESERVED_KEYS2.includes(transform.inputKey)) {
+        throw new Error(
+          `Invalid inputKey '${transform.inputKey}' in tool '${tool2.name}': reserved keys (${RESERVED_KEYS2.join(", ")}) cannot be used`
+        );
+      }
+    }
+    const transformedInputKeys = new Set(transforms.map((t) => t.inputKey));
+    const inputSchema = tool2.inputSchema;
+    const properties = inputSchema?.["properties"] || {};
+    const required = inputSchema?.["required"] || [];
+    const newProperties = { ...properties };
+    for (const key of transformedInputKeys) {
+      delete newProperties[key];
+    }
+    const newRequired = required.filter((key) => !transformedInputKeys.has(key));
+    this.logger.debug(`Applied ${transforms.length} input transforms to tool '${tool2.name}'`);
+    const metadataRecord = tool2.metadata;
+    const existingAdapter = metadataRecord["adapter"];
+    return {
+      ...tool2,
+      inputSchema: {
+        ...inputSchema,
+        properties: newProperties,
+        ...newRequired.length > 0 ? { required: newRequired } : {}
+      },
+      // Store transforms in metadata for runtime use
+      metadata: {
+        ...tool2.metadata,
+        adapter: {
+          ...existingAdapter || {},
+          inputTransforms: transforms
+        }
+      }
+    };
+  }
+  /**
+   * Filter security schemes in tool input based on securitySchemesInInput option.
+   * Removes security inputs that should be resolved from context instead of user input.
+   * @private
+   */
+  filterSecuritySchemes(tool2) {
+    const allowedSchemes = new Set(this.options.securitySchemesInInput || []);
+    if (allowedSchemes.size === 0) return tool2;
+    const schemesToRemove = /* @__PURE__ */ new Set();
+    const inputKeysToRemove = /* @__PURE__ */ new Set();
+    for (const mapper of tool2.mapper) {
+      if (mapper.security?.scheme && !allowedSchemes.has(mapper.security.scheme)) {
+        schemesToRemove.add(mapper.security.scheme);
+        inputKeysToRemove.add(mapper.inputKey);
+      }
+    }
+    if (inputKeysToRemove.size === 0) return tool2;
+    const inputSchema = tool2.inputSchema;
+    const properties = inputSchema?.["properties"] || {};
+    const required = inputSchema?.["required"] || [];
+    const newProperties = { ...properties };
+    for (const key of inputKeysToRemove) {
+      delete newProperties[key];
+    }
+    const newRequired = required.filter((key) => !inputKeysToRemove.has(key));
+    this.logger.debug(
+      `[${tool2.name}] Filtered security schemes from input: ${Array.from(schemesToRemove).join(", ")}. Kept in input: ${Array.from(allowedSchemes).filter((s) => !schemesToRemove.has(s)).join(", ") || "none"}`
+    );
+    const metadataRecord = tool2.metadata;
+    const existingAdapter = metadataRecord["adapter"];
+    return {
+      ...tool2,
+      inputSchema: {
+        ...inputSchema,
+        properties: newProperties,
+        ...newRequired.length > 0 ? { required: newRequired } : {}
+      },
+      // Store which security schemes are in input vs context for later resolution
+      metadata: {
+        ...tool2.metadata,
+        adapter: {
+          ...existingAdapter || {},
+          securitySchemesInInput: Array.from(allowedSchemes),
+          securitySchemesFromContext: Array.from(schemesToRemove)
+        }
+      }
+    };
+  }
+};
+OpenapiAdapter = __decorateClass([
+  Adapter({
+    name: "openapi",
+    description: "OpenAPI adapter for FrontMCP - Automatically generates MCP tools from OpenAPI specifications"
+  })
+], OpenapiAdapter);
+// libs/adapters/src/openapi/openapi.types.ts
+var FRONTMCP_EXTENSION_KEY = "x-frontmcp";
+export {
+  FRONTMCP_EXTENSION_KEY,
+  OpenapiAdapter
+};