@frontmcp/skills 1.0.3 → 1.0.4

package/catalog/frontmcp-development/SKILL.md

@@ -52,7 +52,8 @@ Entry point for building MCP server components. This skill helps you find the ri
 | Write instruction-only AI guidance (no code execution)   | `create-skill`                    | Skill entries with markdown instructions from files, strings, or URLs                         |
 | Write AI guidance that also orchestrates tools           | `create-skill-with-tools`         | Skill entries that combine instructions with registered tools                                 |
 | Look up any decorator signature or option                | `decorators-guide`                | Complete reference for @Tool, @Resource, @Prompt, @Agent, @App, @FrontMcp, and more           |
-| Integrate an external API via OpenAPI spec               | `official-adapters`               | OpenapiAdapter with auth, polling, inline specs, and multiple API composition                 |
+| Overview of all official adapters                        | `official-adapters`               | Router to all adapter types; adapter vs plugin comparison                                     |
+| Integrate an external API via OpenAPI spec               | `openapi-adapter`                 | OpenapiAdapter with auth, polling, filtering, transforms, format resolution, $ref security    |
 | Use official plugins (caching, remember, feature flags)  | `official-plugins`                | Built-in plugins for caching, session memory, approval, and feature flags (dashboard is beta) |
 | Connect to an external data source via a custom adapter  | `create-adapter`                  | Create custom adapters for external data sources                                              |
 | Configure LLM settings for an agent component            | `create-agent-llm-config`         | Configure LLM settings for agent components                                                   |
@@ -70,7 +71,7 @@ Entry point for building MCP server components. This skill helps you find the ri
 6. **`create-agent`** — Build autonomous AI loops (advanced)
 7. **`create-job`** / **`create-workflow`** — Background processing (advanced)
 8. **`create-skill`** / **`create-skill-with-tools`** — Author your own skills (meta)
-9. **`official-adapters`** — Integrate external APIs via OpenAPI specs
+9. **`official-adapters`** / **`openapi-adapter`** — Integrate external APIs via OpenAPI specs
 10. **`official-plugins`** — Add caching, session memory, feature flags, and more
 
 ## Cross-Cutting Patterns
@@ -123,4 +124,4 @@ Entry point for building MCP server components. This skill helps you find the ri
 ## Reference
 
 - [FrontMCP Overview](https://docs.agentfront.dev/frontmcp/fundamentals/overview)
-- Related skills: `create-tool`, `create-resource`, `create-prompt`, `create-agent`, `create-provider`, `create-job`, `create-workflow`, `create-skill`, `create-skill-with-tools`, `decorators-guide`, `official-adapters`, `official-plugins`
+- Related skills: `create-tool`, `create-resource`, `create-prompt`, `create-agent`, `create-provider`, `create-job`, `create-workflow`, `create-skill`, `create-skill-with-tools`, `decorators-guide`, `official-adapters`, `openapi-adapter`, `official-plugins`

package/catalog/frontmcp-development/examples/{official-adapters → openapi-adapter}/authenticated-adapter-with-polling.md

@@ -1,6 +1,6 @@
 ---
 name: authenticated-adapter-with-polling
-reference: official-adapters
+reference: openapi-adapter
 level: intermediate
 description: 'Demonstrates configuring authentication (API key and bearer token) and automatic spec polling for OpenAPI adapters.'
 tags: [development, auth, openapi, security, adapters, authenticated]
@@ -80,5 +80,5 @@ class MyServer {}
 
 ## Related
 
-- See `official-adapters` for inline specs, multiple adapter registration, and troubleshooting
+- See `openapi-adapter` for all five auth strategies, format resolution, and $ref security
 - See `decorators-guide` for the full `@App` and `@FrontMcp` field reference

package/catalog/frontmcp-development/examples/{official-adapters → openapi-adapter}/basic-openapi-adapter.md

@@ -1,6 +1,6 @@
 ---
 name: basic-openapi-adapter
-reference: official-adapters
+reference: openapi-adapter
 level: basic
 description: 'Demonstrates converting an OpenAPI specification into MCP tools automatically using `OpenapiAdapter` with minimal configuration.'
 tags: [development, openapi, adapters, adapter]
@@ -51,4 +51,4 @@ class MyServer {}
 
 ## Related
 
-- See `official-adapters` for authentication options, spec polling, and inline specs
+- See `openapi-adapter` for authentication, filtering, transforms, and security options

package/catalog/frontmcp-development/examples/openapi-adapter/format-resolution-and-custom-resolvers.md

@@ -0,0 +1,108 @@
+---
+name: format-resolution-and-custom-resolvers
+reference: openapi-adapter
+level: intermediate
+description: 'Demonstrates using built-in and custom format resolvers to enrich tool input schemas with concrete constraints from OpenAPI format values.'
+tags: [development, openapi, adapters, format, schema, validation]
+features:
+  - 'Enabling built-in format resolvers with `resolveFormats: true` for uuid, date-time, email, int32, etc.'
+  - 'Adding custom format resolvers for domain-specific formats (phone, currency)'
+  - 'Merging custom resolvers with built-ins where custom takes precedence'
+  - 'Using custom-only resolvers without built-ins for full control'
+---
+
+# Format Resolution and Custom Resolvers
+
+Demonstrates using built-in and custom format resolvers to enrich tool input schemas with concrete constraints from OpenAPI format values.
+
+## Code
+
+```typescript
+// src/server.ts
+import { FrontMcp, App } from '@frontmcp/sdk';
+import { OpenapiAdapter } from '@frontmcp/adapters';
+
+@App({
+  name: 'format-demo',
+  adapters: [
+    // Built-in format resolvers only
+    // uuid fields get regex patterns, date-time gets ISO 8601 format,
+    // int32 gets min/max constraints, email gets validation pattern
+    OpenapiAdapter.init({
+      name: 'users-api',
+      url: 'https://api.example.com/openapi.json',
+      baseUrl: 'https://api.example.com',
+      generateOptions: {
+        resolveFormats: true,
+      },
+    }),
+
+    // Built-in + custom format resolvers
+    // Custom resolvers are merged with built-ins; custom takes precedence
+    OpenapiAdapter.init({
+      name: 'payments-api',
+      url: 'https://payments.example.com/openapi.json',
+      baseUrl: 'https://payments.example.com',
+      generateOptions: {
+        resolveFormats: true,
+        formatResolvers: {
+          // Domain-specific formats
+          phone: (schema) => ({
+            ...schema,
+            pattern: '^\\+[1-9]\\d{1,14}$',
+            description: 'E.164 international phone number (e.g., +14155552671)',
+          }),
+          currency: (schema) => ({
+            ...schema,
+            pattern: '^[A-Z]{3}$',
+            description: 'ISO 4217 currency code (e.g., USD, EUR, GBP)',
+          }),
+          'country-code': (schema) => ({
+            ...schema,
+            pattern: '^[A-Z]{2}$',
+            description: 'ISO 3166-1 alpha-2 country code (e.g., US, GB, DE)',
+          }),
+        },
+      },
+    }),
+
+    // Custom resolvers only (no built-ins)
+    // Only the formats you explicitly define are resolved
+    OpenapiAdapter.init({
+      name: 'legacy-api',
+      url: 'https://legacy.example.com/openapi.json',
+      baseUrl: 'https://legacy.example.com',
+      generateOptions: {
+        // Without resolveFormats: true, only custom resolvers apply
+        formatResolvers: {
+          'social-security': (schema) => ({
+            ...schema,
+            pattern: '^\\d{3}-\\d{2}-\\d{4}$',
+            description: 'US Social Security Number (XXX-XX-XXXX)',
+          }),
+        },
+      },
+    }),
+  ],
+})
+class FormatDemoApp {}
+
+@FrontMcp({
+  info: { name: 'format-demo-server', version: '1.0.0' },
+  apps: [FormatDemoApp],
+  http: { port: 3000 },
+})
+class MyServer {}
+```
+
+## What This Demonstrates
+
+- Enabling built-in format resolvers with `resolveFormats: true` for uuid, date-time, email, int32, etc.
+- Adding custom format resolvers for domain-specific formats (phone, currency)
+- Merging custom resolvers with built-ins where custom takes precedence
+- Using custom-only resolvers without built-ins for full control
+
+## Related
+
+- See `openapi-adapter` for all generate options, authentication, and $ref security
+- See `create-tool` for building tools with manual schema definitions

package/catalog/frontmcp-development/examples/{official-adapters → openapi-adapter}/multi-api-hub-with-inline-spec.md

@@ -1,6 +1,6 @@
 ---
 name: multi-api-hub-with-inline-spec
-reference: official-adapters
+reference: openapi-adapter
 level: advanced
 description: 'Demonstrates registering multiple OpenAPI adapters from different APIs in a single app, including one with an inline spec definition instead of a remote URL.'
 tags: [development, openapi, remote, adapters, multi, api]
@@ -126,5 +126,5 @@ class MyServer {}
 
 ## Related
 
-- See `official-adapters` for spec polling, `securityResolver`, and the adapter vs plugin comparison
+- See `openapi-adapter` for spec polling, `securityResolver`, and filtering operations
 - See `decorators-guide` for the `@Adapter` decorator and how adapters fit in the hierarchy

package/catalog/frontmcp-development/examples/openapi-adapter/ref-security-and-filtering.md

@@ -0,0 +1,111 @@
+---
+name: ref-security-and-filtering
+reference: openapi-adapter
+level: intermediate
+description: 'Demonstrates configuring $ref resolution security to prevent SSRF attacks and filtering which API operations become MCP tools.'
+tags: [development, openapi, adapters, security, ssrf, filtering]
+features:
+  - 'Configuring `refResolution` to restrict which hosts and protocols are allowed for external `$ref` pointers'
+  - 'Using `allowedHosts` to restrict $refs to trusted schema servers'
+  - 'Using `allowedProtocols` to enable or disable file://, http://, https://, and other protocols'
+  - 'Filtering operations with `includeOperations`, `excludeOperations`, and `filterFn`'
+  - 'Combining security hardening with operation filtering for a production-ready setup'
+---
+
+# $ref Security and Operation Filtering
+
+Demonstrates configuring $ref resolution security to prevent SSRF attacks and filtering which API operations become MCP tools.
+
+## Code
+
+```typescript
+// src/server.ts
+import { FrontMcp, App } from '@frontmcp/sdk';
+import { OpenapiAdapter } from '@frontmcp/adapters';
+
+@App({
+  name: 'secure-app',
+  adapters: [
+    // Production-hardened: restrict $refs to trusted hosts + filter operations
+    OpenapiAdapter.init({
+      name: 'partner-api',
+      url: 'https://api.partner.com/openapi.json',
+      baseUrl: 'https://api.partner.com',
+      loadOptions: {
+        refResolution: {
+          // Only allow $refs pointing to the partner's own schema server
+          allowedHosts: ['schemas.partner.com', 'api.partner.com'],
+          // Block additional hosts known to be problematic
+          blockedHosts: ['internal.partner.com'],
+        },
+      },
+      generateOptions: {
+        // Only expose read operations to MCP clients
+        filterFn: (op) => op.method === 'get',
+        // Skip deprecated endpoints
+        includeDeprecated: false,
+      },
+      staticAuth: {
+        apiKey: process.env.PARTNER_API_KEY!,
+      },
+    }),
+
+    // Internal API: allow internal IPs but lock down to specific operations
+    OpenapiAdapter.init({
+      name: 'internal-api',
+      url: 'http://10.0.0.5:8080/openapi.json',
+      baseUrl: 'http://10.0.0.5:8080',
+      loadOptions: {
+        refResolution: {
+          // Allow internal IPs since this is a trusted internal service
+          allowInternalIPs: true,
+        },
+      },
+      generateOptions: {
+        // Only include specific safe operations
+        includeOperations: ['getStatus', 'listMetrics', 'getConfig'],
+      },
+    }),
+
+    // Maximum lockdown: no external $refs at all
+    OpenapiAdapter.init({
+      name: 'sandbox-api',
+      url: 'https://sandbox.example.com/openapi.json',
+      baseUrl: 'https://sandbox.example.com',
+      loadOptions: {
+        refResolution: {
+          // Block ALL external $ref resolution — only local #/ pointers work
+          allowedProtocols: [],
+        },
+      },
+      generateOptions: {
+        // Exclude admin and dangerous operations
+        excludeOperations: ['deleteAll', 'resetDatabase', 'adminPanel'],
+        // Only include billing-related paths
+        filterFn: (op) => op.path.startsWith('/billing') || op.path.startsWith('/invoices'),
+      },
+    }),
+  ],
+})
+class SecureApp {}
+
+@FrontMcp({
+  info: { name: 'secure-server', version: '1.0.0' },
+  apps: [SecureApp],
+  http: { port: 3000 },
+})
+class MyServer {}
+```
+
+## What This Demonstrates
+
+- Configuring `refResolution` to restrict which hosts and protocols are allowed for external `$ref` pointers
+- Using `allowedHosts` to restrict $refs to trusted schema servers
+- Using `allowedProtocols` to enable or disable file://, http://, https://, and other protocols
+- Filtering operations with `includeOperations`, `excludeOperations`, and `filterFn`
+- Combining security hardening with operation filtering for a production-ready setup
+
+## Related
+
+- See `openapi-adapter` for all `refResolution` options and the full blocked IP list
+- See `official-adapters` for the adapter vs plugin comparison

package/catalog/frontmcp-development/references/official-adapters.md

@@ -1,39 +1,41 @@
 ---
 name: official-adapters
-description: Convert OpenAPI specs and external definitions into MCP tools automatically
+description: Overview of all official FrontMCP adapters that convert external definitions into MCP primitives
 ---
 
 # Official Adapters
 
-Adapters convert external definitions (OpenAPI specs, Lambda functions, etc.) into MCP tools, resources, and prompts automatically.
+Adapters convert external definitions (OpenAPI specs, Lambda functions, etc.) into MCP tools, resources, and prompts automatically. They are registered in the `adapters` array of `@App`.
 
 ## When to Use This Skill
 
 ### Must Use
 
-- Converting an OpenAPI/Swagger specification into MCP tools automatically
-- Integrating a REST API that provides a public OpenAPI spec (Petstore, GitHub, Jira, Slack)
-- Setting up authentication (API key, bearer token, OAuth) for an adapter-generated API integration
+- Integrating an external API or service that has a machine-readable specification
+- Auto-generating MCP tools from an API definition instead of writing them manually
 
 ### Recommended
 
 - Registering multiple external APIs as namespaced tool sets in a single server
-- Enabling spec polling to auto-refresh tool definitions when the upstream API changes
-- Providing an inline OpenAPI spec for APIs without a hosted spec URL
+- Setting up authentication, polling, or transforms for adapter-generated tools
 
 ### Skip When
 
-- The external API has no OpenAPI spec and uses a custom protocol (see `create-adapter`)
+- The external API has no machine-readable spec and uses a custom protocol (see `create-adapter`)
 - You need cross-cutting behavior like caching or logging (see `create-plugin` or `official-plugins`)
 - You are building tools manually without an external spec (see `create-tool`)
 
-> **Decision:** Use this skill when you have an OpenAPI/Swagger spec and want to automatically generate MCP tools from it using `OpenapiAdapter`.
+> **Decision:** Use this skill when you have an external API definition and want to automatically generate MCP primitives from it.
 
-## OpenAPI Adapter
+## Available Adapters
 
-The primary official adapter. Converts OpenAPI/Swagger specifications into MCP tools — one tool per operation.
+| Adapter             | Package              | Description                                                                                                                                                                      | Dedicated Skill                         |
+| ------------------- | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- |
+| **OpenAPI Adapter** | `@frontmcp/adapters` | Converts OpenAPI 3.x specifications into MCP tools — one tool per operation. Supports authentication, spec polling, filtering, transforms, format resolution, and $ref security. | [`openapi-adapter`](openapi-adapter.md) |
 
-### Installation
+> More adapters will be added in future releases. To build a custom adapter for a non-OpenAPI source, see `create-adapter`.
+
+## Quick Start
 
 ```typescript
 import { OpenapiAdapter } from '@frontmcp/adapters';
@@ -48,99 +50,10 @@ import { OpenapiAdapter } from '@frontmcp/adapters';
   ],
 })
 class MyApp {}
+// Generated tools: petstore:addPet, petstore:getPetById, petstore:deletePet, etc.
 ```
 
-Each OpenAPI operation becomes an MCP tool named `petstore:operationId`.
-
-### With Authentication
-
-```typescript
-// API Key via static auth
-OpenapiAdapter.init({
-  name: 'my-api',
-  url: 'https://api.example.com/openapi.json',
-  baseUrl: 'https://api.example.com',
-  staticAuth: {
-    apiKey: process.env.API_KEY!,
-  },
-});
-
-// API Key via additional headers
-OpenapiAdapter.init({
-  name: 'my-api',
-  url: 'https://api.example.com/openapi.json',
-  baseUrl: 'https://api.example.com',
-  additionalHeaders: {
-    'X-API-Key': process.env.API_KEY!,
-  },
-});
-
-// Bearer token via static auth
-OpenapiAdapter.init({
-  name: 'my-api',
-  url: 'https://api.example.com/openapi.json',
-  baseUrl: 'https://api.example.com',
-  staticAuth: {
-    jwt: process.env.API_TOKEN!,
-  },
-});
-
-// Dynamic auth per tool using securityResolver
-OpenapiAdapter.init({
-  name: 'my-api',
-  url: 'https://api.example.com/openapi.json',
-  baseUrl: 'https://api.example.com',
-  securityResolver: (tool, ctx) => {
-    return { jwt: ctx.authInfo?.token };
-  },
-});
-```
-
-### Spec Polling
-
-Automatically refresh the OpenAPI spec at intervals:
-
-```typescript
-OpenapiAdapter.init({
-  name: 'evolving-api',
-  url: 'https://api.example.com/openapi.json',
-  polling: {
-    intervalMs: 300000, // Re-fetch every 5 minutes
-  },
-});
-```
-
-### Inline Spec
-
-Provide the OpenAPI spec directly instead of fetching from URL:
-
-```typescript
-OpenapiAdapter.init({
-  name: 'my-api',
-  spec: {
-    openapi: '3.0.0',
-    info: { title: 'My API', version: '1.0.0' },
-    paths: { ... },
-  },
-})
-```
-
-### Multiple Adapters
-
-Register adapters from different APIs in the same app:
-
-```typescript
-@App({
-  name: 'IntegrationHub',
-  adapters: [
-    OpenapiAdapter.init({ name: 'github', url: 'https://api.github.com/openapi.json' }),
-    OpenapiAdapter.init({ name: 'jira', url: 'https://jira.example.com/openapi.json' }),
-    OpenapiAdapter.init({ name: 'slack', url: 'https://slack.com/openapi.json' }),
-  ],
-})
-class IntegrationHub {}
-// Tools: github:createIssue, jira:createTicket, slack:postMessage, etc.
-```
+For full configuration, authentication, security, and advanced features, see the [`openapi-adapter`](openapi-adapter.md) reference.
 
 ## Adapter vs Plugin
 
@@ -153,57 +66,15 @@ class IntegrationHub {}
 
 ## Common Patterns
 
-| Pattern              | Correct                                                                      | Incorrect                                           | Why                                                                              |
-| -------------------- | ---------------------------------------------------------------------------- | --------------------------------------------------- | -------------------------------------------------------------------------------- |
-| Adapter registration | `OpenapiAdapter.init({ name: 'petstore', url: '...' })` in `adapters` array  | Placing adapter in `plugins` array                  | Adapters go in `adapters`, not `plugins`; they serve different purposes          |
-| Tool naming          | Tools auto-named as `petstore:operationId` using adapter `name` as namespace | Expecting flat names like `listPets`                | Adapter name is prepended to prevent collisions across multiple adapters         |
-| Auth configuration   | `staticAuth: { jwt: process.env.API_TOKEN! }` or `additionalHeaders`         | Hardcoding secrets: `staticAuth: { jwt: 'sk-xxx' }` | Always use environment variables for secrets; never commit tokens                |
-| Spec source          | Use `url` for hosted specs or `spec` for inline definitions                  | Using both `url` and `spec` simultaneously          | Only one source should be provided; `spec` takes precedence and `url` is ignored |
-| Multiple APIs        | Register separate `OpenapiAdapter.init()` calls with unique `name` values    | Using the same `name` for different adapters        | Duplicate names cause tool naming collisions                                     |
-
-## Verification Checklist
-
-### Configuration
-
-- [ ] `@frontmcp/adapters` package is installed
-- [ ] `OpenapiAdapter.init()` is in the `adapters` array of `@App`
-- [ ] Adapter has a unique `name` for tool namespacing
-- [ ] `url` points to a valid, reachable OpenAPI JSON/YAML endpoint (or `spec` is inline)
-
-### Runtime
-
-- [ ] Generated tools appear in `tools/list` with `<name>:<operationId>` naming
-- [ ] Auth headers are sent correctly on API calls
-- [ ] Spec polling refreshes tool definitions at the configured interval
-- [ ] Invalid spec URL produces a clear startup error
-
-### Production
-
-- [ ] API tokens and secrets are loaded from environment variables
-- [ ] Polling interval is appropriate for the API's update frequency
-- [ ] Multiple adapter registrations use distinct names
-
-## Troubleshooting
-
-| Problem                            | Cause                                                  | Solution                                                                                                                                                                        |
-| ---------------------------------- | ------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| No tools generated from spec       | Spec URL returns non-OpenAPI content or is unreachable | Verify URL returns valid OpenAPI 3.x JSON; check network access                                                                                                                 |
-| Authentication errors on API calls | Wrong auth config or missing credentials               | Configure `staticAuth` for fixed credentials, `securityResolver`/`authProviderMapper` for dynamic auth, or `additionalHeaders` for header-based tokens; verify env vars are set |
-| Duplicate tool name error          | Two adapters registered with the same `name`           | Give each adapter a unique `name` (e.g., `'github'`, `'jira'`)                                                                                                                  |
-| Stale tools after API update       | Spec polling not configured                            | Add `polling: { intervalMs: 300000 }` to refresh every 5 minutes                                                                                                                |
-| TypeScript error importing adapter | Wrong import path                                      | Import from `@frontmcp/adapters`: `import { OpenapiAdapter } from '@frontmcp/adapters'`                                                                                         |
-
-## Examples
-
-| Example                                                                                                     | Level        | Description                                                                                                                                                   |
-| ----------------------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [`authenticated-adapter-with-polling`](../examples/official-adapters/authenticated-adapter-with-polling.md) | Intermediate | Demonstrates configuring authentication (API key and bearer token) and automatic spec polling for OpenAPI adapters.                                           |
-| [`basic-openapi-adapter`](../examples/official-adapters/basic-openapi-adapter.md)                           | Basic        | Demonstrates converting an OpenAPI specification into MCP tools automatically using `OpenapiAdapter` with minimal configuration.                              |
-| [`multi-api-hub-with-inline-spec`](../examples/official-adapters/multi-api-hub-with-inline-spec.md)         | Advanced     | Demonstrates registering multiple OpenAPI adapters from different APIs in a single app, including one with an inline spec definition instead of a remote URL. |
-
-> See all examples in [`examples/official-adapters/`](../examples/official-adapters/)
+| Pattern              | Correct                                                                      | Incorrect                                    | Why                                                                      |
+| -------------------- | ---------------------------------------------------------------------------- | -------------------------------------------- | ------------------------------------------------------------------------ |
+| Adapter registration | `OpenapiAdapter.init({ ... })` in `adapters` array                           | Placing adapter in `plugins` array           | Adapters go in `adapters`, not `plugins`; they serve different purposes  |
+| Tool naming          | Tools auto-named as `<name>:<operationId>` using adapter `name` as namespace | Expecting flat names like `listPets`         | Adapter name is prepended to prevent collisions across multiple adapters |
+| Multiple APIs        | Register separate `OpenapiAdapter.init()` calls with unique `name` values    | Using the same `name` for different adapters | Duplicate names cause tool naming collisions                             |
 
 ## Reference
 
+- [`openapi-adapter`](openapi-adapter.md) — Full OpenAPI adapter reference
+- `create-adapter` — Build a custom adapter for non-OpenAPI sources
+- `create-plugin` — Build plugins for cross-cutting concerns
 - [Adapter Overview Documentation](https://docs.agentfront.dev/frontmcp/adapters/overview)
-- Related skills: `create-adapter`, `create-plugin`, `create-tool`

package/catalog/frontmcp-development/references/openapi-adapter.md

@@ -0,0 +1,431 @@
+---
+name: openapi-adapter
+description: Convert OpenAPI 3.x specifications into MCP tools with authentication, polling, transforms, format resolution, and $ref security
+---
+
+# OpenAPI Adapter
+
+The OpenAPI adapter converts OpenAPI 3.x specifications into MCP tools — one tool per operation. It supports authentication, spec polling, operation filtering, input/output/tool transforms, format resolution, and built-in SSRF protection.
+
+## When to Use This Skill
+
+### Must Use
+
+- Converting an OpenAPI/Swagger 3.x specification into MCP tools automatically
+- Integrating a REST API that provides a public OpenAPI spec (Petstore, GitHub, Jira, Slack)
+- Setting up authentication (API key, bearer token, OAuth) for adapter-generated tools
+
+### Recommended
+
+- Enriching tool schemas with format resolution (uuid, date-time, email, etc.)
+- Filtering which API operations become tools
+- Hiding sensitive inputs and injecting server-side values via input transforms
+- Enabling spec polling to auto-refresh tools when the upstream API changes
+
+### Skip When
+
+- The external API has no OpenAPI spec (see `create-adapter` for custom adapters)
+- You need to build tools manually with custom logic (see `create-tool`)
+- You only need adapters overview and comparison (see `official-adapters`)
+
+> **Decision:** Use this skill when you have an OpenAPI 3.x spec and want comprehensive guidance on `OpenapiAdapter` configuration.
+
+## Quick Start
+
+```typescript
+import { FrontMcp, App } from '@frontmcp/sdk';
+import { OpenapiAdapter } from '@frontmcp/adapters';
+
+@App({
+  name: 'MyApp',
+  adapters: [
+    OpenapiAdapter.init({
+      name: 'petstore',
+      url: 'https://petstore3.swagger.io/api/v3/openapi.json',
+    }),
+  ],
+})
+class MyApp {}
+
+@FrontMcp({
+  info: { name: 'my-server', version: '1.0.0' },
+  apps: [MyApp],
+  http: { port: 3000 },
+})
+class MyServer {}
+// Generated tools: petstore:addPet, petstore:getPetById, petstore:deletePet, etc.
+```
+
+Each OpenAPI operation becomes a tool named `<adapter-name>:<operationId>`.
+
+## Authentication
+
+Five strategies with different security risk levels:
+
+```typescript
+// 1. Static Headers (Medium Risk) — server-to-server APIs
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  additionalHeaders: {
+    'x-api-key': process.env.API_KEY!,
+  },
+});
+
+// 2. Auth Provider Mapper (Low Risk) ⭐ Recommended — multi-provider
+OpenapiAdapter.init({
+  name: 'multi-auth-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  authProviderMapper: {
+    GitHubAuth: (ctx) => ctx.authInfo.user?.githubToken,
+    SlackAuth: (ctx) => ctx.authInfo.user?.slackToken,
+  },
+});
+
+// 3. Custom Security Resolver (Low Risk) — full control
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  securityResolver: (tool, ctx) => {
+    return { jwt: ctx.authInfo?.token };
+  },
+});
+
+// 4. Static Auth (Medium Risk) — fixed credentials
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  staticAuth: {
+    jwt: process.env.API_TOKEN!,
+  },
+});
+
+// 5. Dynamic Headers & Body Mapping (Low Risk) — context injection
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  headersMapper: (ctx, headers) => {
+    headers.set('Authorization', `Bearer ${ctx.authInfo?.token}`);
+    return headers;
+  },
+});
+```
+
+| Risk Level | Strategy                                   | Description                                          |
+| ---------- | ------------------------------------------ | ---------------------------------------------------- |
+| LOW        | `authProviderMapper` or `securityResolver` | Auth from user context, not exposed to clients       |
+| MEDIUM     | `staticAuth`, `additionalHeaders`          | Static credentials                                   |
+| HIGH       | `includeSecurityInInput: true`             | Auth fields exposed to MCP clients (not recommended) |
+
+## Spec Polling
+
+Auto-refresh tool definitions when the upstream API changes:
+
+```typescript
+OpenapiAdapter.init({
+  name: 'evolving-api',
+  url: 'https://api.example.com/openapi.json',
+  polling: {
+    enabled: true,
+    intervalMs: 300000, // Re-fetch every 5 minutes
+  },
+});
+```
+
+## Inline Spec
+
+Provide the OpenAPI spec directly instead of fetching from URL:
+
+```typescript
+OpenapiAdapter.init({
+  name: 'my-api',
+  spec: {
+    openapi: '3.0.0',
+    info: { title: 'My API', version: '1.0.0' },
+    paths: {
+      '/users': {
+        get: {
+          operationId: 'listUsers',
+          summary: 'List all users',
+          responses: { '200': { description: 'OK' } },
+        },
+      },
+    },
+  },
+});
+```
+
+## Multiple Adapters
+
+Register adapters from different APIs in the same app:
+
+```typescript
+@App({
+  name: 'IntegrationHub',
+  adapters: [
+    OpenapiAdapter.init({ name: 'github', url: 'https://api.github.com/openapi.json' }),
+    OpenapiAdapter.init({ name: 'jira', url: 'https://jira.example.com/openapi.json' }),
+    OpenapiAdapter.init({ name: 'slack', url: 'https://slack.com/openapi.json' }),
+  ],
+})
+class IntegrationHub {}
+// Tools: github:createIssue, jira:createTicket, slack:postMessage, etc.
+```
+
+## Filtering Operations
+
+Control which API operations become MCP tools:
+
+```typescript
+// Filter by path prefix
+OpenapiAdapter.init({
+  name: 'billing-api',
+  url: 'https://api.example.com/openapi.json',
+  generateOptions: {
+    filterFn: (op) => op.path.startsWith('/invoices') || op.path.startsWith('/customers'),
+  },
+});
+
+// Include only specific operations
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  generateOptions: {
+    includeOperations: ['getUser', 'createUser', 'updateUser'],
+  },
+});
+
+// Exclude specific operations
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  generateOptions: {
+    excludeOperations: ['deprecatedEndpoint', 'internalOnly'],
+  },
+});
+```
+
+## Input Transforms
+
+Hide inputs from AI/users and inject values server-side:
+
+```typescript
+OpenapiAdapter.init({
+  name: 'tenant-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  inputTransforms: {
+    global: [
+      // Hide tenant header from AI, inject from user context
+      { inputKey: 'X-Tenant-Id', inject: (ctx) => ctx.authInfo.user?.tenantId },
+      // Add correlation ID to all requests
+      { inputKey: 'X-Correlation-Id', inject: () => crypto.randomUUID() },
+    ],
+    perTool: {
+      createAuditLog: [{ inputKey: 'userId', inject: (ctx) => ctx.authInfo.user?.id }],
+    },
+  },
+});
+```
+
+## Format Resolution
+
+Enrich generated tool schemas with concrete constraints from OpenAPI `format` values (uuid, date-time, email, int32, etc.):
+
+```typescript
+// Enable built-in format resolvers
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  generateOptions: {
+    resolveFormats: true,
+  },
+});
+
+// Add custom format resolvers (merged with built-ins when resolveFormats: true)
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  generateOptions: {
+    resolveFormats: true,
+    formatResolvers: {
+      phone: (schema) => ({
+        ...schema,
+        pattern: '^\\+[1-9]\\d{1,14}$',
+        description: 'E.164 phone number',
+      }),
+      currency: (schema) => ({
+        ...schema,
+        pattern: '^[A-Z]{3}$',
+        description: 'ISO 4217 currency code',
+      }),
+    },
+  },
+});
+
+// Custom resolvers only (no built-ins)
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  generateOptions: {
+    formatResolvers: {
+      phone: (schema) => ({ ...schema, pattern: '^\\+[1-9]\\d{1,14}$' }),
+    },
+  },
+});
+```
+
+| Option            | Type                             | Default     | Description                                                                                  |
+| ----------------- | -------------------------------- | ----------- | -------------------------------------------------------------------------------------------- |
+| `resolveFormats`  | `boolean`                        | `false`     | Enable built-in format resolvers (uuid, date-time, email, int32, etc.)                       |
+| `formatResolvers` | `Record<string, FormatResolver>` | `undefined` | Custom resolvers; merged with built-ins when `resolveFormats: true`, custom takes precedence |
+
+## $ref Resolution Security
+
+By default, the adapter blocks dangerous `$ref` resolution patterns to prevent SSRF attacks:
+
+- `file://` protocol is blocked (prevents local file reads)
+- Internal/private IPs are blocked (prevents cloud metadata theft, internal network probing)
+- `http://` and `https://` to public hosts are allowed
+
+Configure via `loadOptions.refResolution`:
+
+```typescript
+// Restrict $refs to specific hosts only
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  loadOptions: {
+    refResolution: {
+      allowedHosts: ['schemas.example.com'],
+    },
+  },
+});
+
+// Allow file:// protocol (for specs referencing local schema files)
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  loadOptions: {
+    refResolution: {
+      allowedProtocols: ['http', 'https', 'file'],
+    },
+  },
+});
+
+// Allow internal IPs (only in trusted environments)
+OpenapiAdapter.init({
+  name: 'internal-api',
+  url: 'http://10.0.0.5:8080/openapi.json',
+  loadOptions: {
+    refResolution: {
+      allowInternalIPs: true,
+    },
+  },
+});
+
+// Block ALL external refs (only resolve local #/ pointers)
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  loadOptions: {
+    refResolution: {
+      allowedProtocols: [],
+    },
+  },
+});
+```
+
+| Option             | Type       | Default             | Description                                                                               |
+| ------------------ | ---------- | ------------------- | ----------------------------------------------------------------------------------------- |
+| `allowedProtocols` | `string[]` | `['http', 'https']` | Protocols allowed for external `$ref` resolution (http, https, ftp, ws, etc.)             |
+| `allowedHosts`     | `string[]` | `undefined`         | When set, only refs to these hostnames are resolved                                       |
+| `blockedHosts`     | `string[]` | `undefined`         | Additional hostnames/IPs to block beyond the built-in list                                |
+| `allowInternalIPs` | `boolean`  | `false`             | Disable the built-in internal IP block list (127.x, 10.x, 172.16.x, 169.254.x, localhost) |
+
+## Load Options
+
+Configure how the OpenAPI spec is loaded:
+
+```typescript
+OpenapiAdapter.init({
+  name: 'my-api',
+  url: 'https://api.example.com/openapi.json',
+  baseUrl: 'https://api.example.com',
+  loadOptions: {
+    headers: { authorization: `Bearer ${process.env.SPEC_ACCESS_TOKEN}` },
+    timeout: 10000,
+    validate: true,
+    dereference: true,
+  },
+});
+```
+
+## Common Patterns
+
+| Pattern              | Correct                                                    | Incorrect                                           | Why                                             |
+| -------------------- | ---------------------------------------------------------- | --------------------------------------------------- | ----------------------------------------------- |
+| Adapter registration | `OpenapiAdapter.init({ ... })` in `adapters` array         | Placing adapter in `plugins` array                  | Adapters go in `adapters`, not `plugins`        |
+| Tool naming          | Tools auto-named as `<name>:<operationId>`                 | Expecting flat names like `listPets`                | Adapter name prevents collisions                |
+| Auth configuration   | `staticAuth: { jwt: process.env.API_TOKEN! }`              | Hardcoding secrets: `staticAuth: { jwt: 'sk-xxx' }` | Always use environment variables                |
+| Spec source          | Use `url` for hosted specs or `spec` for inline            | Using both `url` and `spec` simultaneously          | Only one source; `spec` takes precedence        |
+| Multiple APIs        | Separate `OpenapiAdapter.init()` with unique `name` values | Same `name` for different adapters                  | Duplicate names cause tool collisions           |
+| $ref security        | Use default `refResolution` (blocks file://, internal IPs) | Setting `allowInternalIPs: true` in production      | Default protects against SSRF                   |
+| Format resolution    | `generateOptions: { resolveFormats: true }`                | Writing manual patterns for standard formats        | Built-in resolvers handle uuid, date-time, etc. |
+
+## Verification Checklist
+
+### Configuration
+
+- [ ] `@frontmcp/adapters` package is installed
+- [ ] `OpenapiAdapter.init()` is in the `adapters` array of `@App`
+- [ ] Adapter has a unique `name` for tool namespacing
+- [ ] `url` points to a valid, reachable OpenAPI JSON/YAML endpoint (or `spec` is inline)
+
+### Runtime
+
+- [ ] Generated tools appear in `tools/list` with `<name>:<operationId>` naming
+- [ ] Auth headers are sent correctly on API calls
+- [ ] Spec polling refreshes tool definitions at the configured interval
+- [ ] Invalid spec URL produces a clear startup error
+
+### Production
+
+- [ ] API tokens and secrets are loaded from environment variables
+- [ ] Polling interval is appropriate for the API's update frequency
+- [ ] Multiple adapter registrations use distinct names
+- [ ] $ref resolution defaults are appropriate (or explicitly configured)
+
+## Troubleshooting
+
+| Problem                            | Cause                                                  | Solution                                                                                                  |
+| ---------------------------------- | ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------- |
+| No tools generated from spec       | Spec URL returns non-OpenAPI content or is unreachable | Verify URL returns valid OpenAPI 3.x JSON; check network access                                           |
+| Authentication errors on API calls | Wrong auth config or missing credentials               | Configure `staticAuth`, `securityResolver`, `authProviderMapper`, or `additionalHeaders`; verify env vars |
+| Duplicate tool name error          | Two adapters with the same `name`                      | Give each adapter a unique `name`                                                                         |
+| Stale tools after API update       | Spec polling not configured                            | Add `polling: { intervalMs: 300000 }`                                                                     |
+| External $refs not resolving       | Default SSRF protection blocks external refs           | Add `loadOptions.refResolution.allowedHosts` or `allowedProtocols`                                        |
+| SSRF warning / $ref to internal IP | Spec contains $refs to internal services               | Blocked by default; use `refResolution.allowInternalIPs: true` only in trusted environments               |
+| TypeScript error importing adapter | Wrong import path                                      | Import from `@frontmcp/adapters`                                                                          |
+
+## Examples
+
+| Example                                                                                                           | Level        | Description                                                                                                                                                   |
+| ----------------------------------------------------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [`basic-openapi-adapter`](../examples/openapi-adapter/basic-openapi-adapter.md)                                   | Basic        | Demonstrates converting an OpenAPI specification into MCP tools automatically using `OpenapiAdapter` with minimal configuration.                              |
+| [`authenticated-adapter-with-polling`](../examples/openapi-adapter/authenticated-adapter-with-polling.md)         | Intermediate | Demonstrates configuring authentication (API key and bearer token) and automatic spec polling for OpenAPI adapters.                                           |
+| [`format-resolution-and-custom-resolvers`](../examples/openapi-adapter/format-resolution-and-custom-resolvers.md) | Intermediate | Demonstrates using built-in and custom format resolvers to enrich tool input schemas with concrete constraints from OpenAPI format values.                    |
+| [`ref-security-and-filtering`](../examples/openapi-adapter/ref-security-and-filtering.md)                         | Intermediate | Demonstrates configuring $ref resolution security to prevent SSRF attacks and filtering which API operations become MCP tools.                                |
+| [`multi-api-hub-with-inline-spec`](../examples/openapi-adapter/multi-api-hub-with-inline-spec.md)                 | Advanced     | Demonstrates registering multiple OpenAPI adapters from different APIs in a single app, including one with an inline spec definition instead of a remote URL. |
+
+> See all examples in [`examples/openapi-adapter/`](../examples/openapi-adapter/)
+
+## Reference
+
+- [OpenAPI Adapter Documentation](https://docs.agentfront.dev/frontmcp/adapters/openapi-adapter)
+- Related skills: `official-adapters`, `create-adapter`, `create-tool`

package/catalog/skills-manifest.json

@@ -1348,8 +1348,25 @@
         },
         {
           "name": "official-adapters",
-          "description": "Convert OpenAPI specs and external definitions into MCP tools automatically",
+          "description": "Overview of all official FrontMCP adapters that convert external definitions into MCP primitives",
+          "examples": []
+        },
+        {
+          "name": "openapi-adapter",
+          "description": "Convert OpenAPI 3.x specifications into MCP tools with authentication, polling, transforms, format resolution, and $ref security",
           "examples": [
+            {
+              "name": "basic-openapi-adapter",
+              "description": "Demonstrates converting an OpenAPI specification into MCP tools automatically using `OpenapiAdapter` with minimal configuration.",
+              "level": "basic",
+              "tags": ["development", "openapi", "adapters", "adapter"],
+              "features": [
+                "Using `OpenapiAdapter.init()` with just `name` and `url` to auto-generate MCP tools",
+                "Each OpenAPI operation becomes a tool named `<adapter-name>:<operationId>`",
+                "The adapter is registered in the `adapters` array of `@App`, not in `plugins`",
+                "The `name` field serves as the namespace prefix to prevent tool name collisions"
+              ]
+            },
             {
               "name": "authenticated-adapter-with-polling",
               "description": "Demonstrates configuring authentication (API key and bearer token) and automatic spec polling for OpenAPI adapters.",
@@ -1364,15 +1381,28 @@
               ]
             },
             {
-              "name": "basic-openapi-adapter",
-              "description": "Demonstrates converting an OpenAPI specification into MCP tools automatically using `OpenapiAdapter` with minimal configuration.",
-              "level": "basic",
-              "tags": ["development", "openapi", "adapters", "adapter"],
+              "name": "format-resolution-and-custom-resolvers",
+              "description": "Demonstrates using built-in and custom format resolvers to enrich tool input schemas with concrete constraints from OpenAPI format values.",
+              "level": "intermediate",
+              "tags": ["development", "openapi", "adapters", "format", "schema", "validation"],
               "features": [
-                "Using `OpenapiAdapter.init()` with just `name` and `url` to auto-generate MCP tools",
-                "Each OpenAPI operation becomes a tool named `<adapter-name>:<operationId>`",
-                "The adapter is registered in the `adapters` array of `@App`, not in `plugins`",
-                "The `name` field serves as the namespace prefix to prevent tool name collisions"
+                "Enabling built-in format resolvers with `resolveFormats: true` for uuid, date-time, email, int32, etc.",
+                "Adding custom format resolvers for domain-specific formats (phone, currency)",
+                "Merging custom resolvers with built-ins where custom takes precedence",
+                "Using custom-only resolvers without built-ins for full control"
+              ]
+            },
+            {
+              "name": "ref-security-and-filtering",
+              "description": "Demonstrates configuring $ref resolution security to prevent SSRF attacks and filtering which API operations become MCP tools.",
+              "level": "intermediate",
+              "tags": ["development", "openapi", "adapters", "security", "ssrf", "filtering"],
+              "features": [
+                "Configuring `refResolution` to restrict which hosts and protocols are allowed for external `$ref` pointers",
+                "Using `allowedHosts` to restrict $refs to trusted schema servers",
+                "Using `allowedProtocols` to enable or disable file://, http://, https://, and other protocols",
+                "Filtering operations with `includeOperations`, `excludeOperations`, and `filterFn`",
+                "Combining security hardening with operation filtering for a production-ready setup"
               ]
             },
             {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@frontmcp/skills",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Curated skills catalog for FrontMCP projects",
   "author": "AgentFront <info@agentfront.dev>",
   "homepage": "https://docs.agentfront.dev",