@matimo/core 0.1.0-alpha.9 → 0.1.2

package/dist/errors/matimo-error.js.map

@@ -1 +1 @@
-{"version":3,"file":"matimo-error.js","sourceRoot":"","sources":["../../src/errors/matimo-error.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,CAAN,IAAY,SAYX;AAZD,WAAY,SAAS;IACnB,8CAAiC,CAAA;IACjC,kDAAqC,CAAA;IACrC,wCAA2B,CAAA;IAC3B,8CAAiC,CAAA;IACjC,8CAAiC,CAAA;IACjC,oDAAuC,CAAA;IACvC,wDAA2C,CAAA;IAC3C,gCAAmB,CAAA;IACnB,4CAA+B,CAAA;IAC/B,oDAAuC,CAAA;IACvC,4CAA+B,CAAA;AACjC,CAAC,EAZW,SAAS,KAAT,SAAS,QAYpB;AAED;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IACpC,YACE,OAAe,EACR,IAAe,EACf,OAAiC;QAExC,KAAK,CAAC,OAAO,CAAC,CAAC;QAHR,SAAI,GAAJ,IAAI,CAAW;QACf,YAAO,GAAP,OAAO,CAA0B;QAGxC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;IAC5B,CAAC;IAED,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC;IACJ,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAe,EACf,OAAiC;IAEjC,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAe,EACf,OAAiC;IAEjC,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;AACvE,CAAC"}
+{"version":3,"file":"matimo-error.js","sourceRoot":"","sources":["../../src/errors/matimo-error.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,CAAN,IAAY,SAcX;AAdD,WAAY,SAAS;IACnB,8CAAiC,CAAA;IACjC,kDAAqC,CAAA;IACrC,wCAA2B,CAAA;IAC3B,8CAAiC,CAAA;IACjC,8CAAiC,CAAA;IACjC,oDAAuC,CAAA;IACvC,wDAA2C,CAAA;IAC3C,gCAAmB,CAAA;IACnB,4CAA+B,CAAA;IAC/B,oDAAuC,CAAA;IACvC,4CAA+B,CAAA;IAC/B,4CAA+B,CAAA;IAC/B,wDAA2C,CAAA;AAC7C,CAAC,EAdW,SAAS,KAAT,SAAS,QAcpB;AAED;;GAEG;AACH,MAAM,OAAO,WAAY,SAAQ,KAAK;IAGpC,YACE,OAAe,EACR,IAAe,EACf,OAAiC,EACxC,KAAuB;QAEvB,KAAK,CAAC,OAAO,CAAC,CAAC;QAJR,SAAI,GAAJ,IAAI,CAAW;QACf,YAAO,GAAP,OAAO,CAA0B;QAIxC,IAAI,CAAC,IAAI,GAAG,aAAa,CAAC;QAC1B,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;IAED,MAAM;QACJ,OAAO;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,KAAK,EACH,IAAI,CAAC,KAAK,YAAY,KAAK;gBACzB,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE;gBACxD,CAAC,CAAC,IAAI,CAAC,KAAK;SACjB,CAAC;IACJ,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,KAAc,EAAE,OAAO,GAAG,qBAAqB;IAC3E,8CAA8C;IAC9C,MAAM,KAAK,GAAG,KAA4C,CAAC;IAC3D,MAAM,QAAQ,GAAG,KAAK,EAAE,QAA+C,CAAC;IACxE,MAAM,UAAU,GAAI,QAAQ,EAAE,MAA6B,IAAI,GAAG,CAAC;IACnE,MAAM,OAAO,GAAG,QAAQ,EAAE,IAA2C,CAAC;IACtE,MAAM,IAAI,GAA4B,EAAE,UAAU,EAAE,CAAC;IACrD,IAAI,OAAO,KAAK,SAAS;QAAE,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC;IAClD,oFAAoF;IACpF,IAAI,CAAC,aAAa,GAAG,KAAK,EAAE,OAAO,IAAI,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IAC3D,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,gBAAgB,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;AAC3E,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAe,EACf,OAAiC;IAEjC,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;AACxE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,OAAe,EACf,OAAiC;IAEjC,OAAO,IAAI,WAAW,CAAC,OAAO,EAAE,SAAS,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC;AACvE,CAAC"}

package/dist/executors/command-executor.d.ts

@@ -1,4 +1,4 @@
-import { ToolDefinition } from '../core/schema';
+import { ToolDefinition } from '../core/schema.js';
 /**
  * CommandExecutor - Executes shell commands
  * Handles parameter templating, timeouts, and error capture
@@ -7,9 +7,16 @@ export declare class CommandExecutor {
     private cwd?;
     constructor(cwd?: string);
     /**
-     * Execute a tool that runs a shell command
+     * Execute a tool that runs a shell command.
+     *
+     * @param tool - Tool definition
+     * @param params - Tool parameters
+     * @param credentials - Optional per-call credential overrides. Keys must match the env-var
+     *   names used by the tool (e.g. `SLACK_BOT_TOKEN`). When provided they are merged on top of
+     *   `process.env` inside the child process so the spawned script sees them as normal env vars.
+     *   Values are never logged. Falls back to the current environment when not provided.
      */
-    execute(tool: ToolDefinition, params: Record<string, unknown>): Promise<unknown>;
+    execute(tool: ToolDefinition, params: Record<string, unknown>, credentials?: Record<string, string>): Promise<unknown>;
     /**
      * Replace parameter placeholders in a string
      */

package/dist/executors/command-executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"command-executor.d.ts","sourceRoot":"","sources":["../../src/executors/command-executor.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAGhD;;;GAGG;AAEH,qBAAa,eAAe;IAC1B,OAAO,CAAC,GAAG,CAAC,CAAS;gBAET,GAAG,CAAC,EAAE,MAAM;IAIxB;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAqFtF;;OAEG;IACH,OAAO,CAAC,cAAc;CAQvB;AAED,eAAe,eAAe,CAAC"}
+{"version":3,"file":"command-executor.d.ts","sourceRoot":"","sources":["../../src/executors/command-executor.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAGnD;;;GAGG;AAEH,qBAAa,eAAe;IAC1B,OAAO,CAAC,GAAG,CAAC,CAAS;gBAET,GAAG,CAAC,EAAE,MAAM;IAIxB;;;;;;;;;OASG;IACG,OAAO,CACX,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACnC,OAAO,CAAC,OAAO,CAAC;IA4GnB;;OAEG;IACH,OAAO,CAAC,cAAc;CASvB;AAED,eAAe,eAAe,CAAC"}

package/dist/executors/command-executor.js

@@ -1,5 +1,5 @@
 import { spawn } from 'child_process';
-import { MatimoError, ErrorCode } from '../errors/matimo-error';
+import { MatimoError, ErrorCode } from '../errors/matimo-error.js';
 /**
  * CommandExecutor - Executes shell commands
  * Handles parameter templating, timeouts, and error capture
@@ -9,9 +9,16 @@ export class CommandExecutor {
         this.cwd = cwd;
     }
     /**
-     * Execute a tool that runs a shell command
+     * Execute a tool that runs a shell command.
+     *
+     * @param tool - Tool definition
+     * @param params - Tool parameters
+     * @param credentials - Optional per-call credential overrides. Keys must match the env-var
+     *   names used by the tool (e.g. `SLACK_BOT_TOKEN`). When provided they are merged on top of
+     *   `process.env` inside the child process so the spawned script sees them as normal env vars.
+     *   Values are never logged. Falls back to the current environment when not provided.
      */
-    async execute(tool, params) {
+    async execute(tool, params, credentials) {
         if (tool.execution.type !== 'command') {
             throw new MatimoError('Tool execution type is not command', ErrorCode.EXECUTION_FAILED, {
                 expectedType: 'command',
@@ -20,13 +27,29 @@ export class CommandExecutor {
         }
         const { command, args = [], timeout = 30000 } = tool.execution;
         const startTime = Date.now();
-        // Implement parameter templating
-        const templatedCommand = this.templateString(command, params);
+        // SECURITY: command must be a fixed executable — never a templated value.
+        // Only 'args' may contain {placeholder} tokens.
+        // ReDoS protection: commands are typically <256 chars; limit regex testing to 1024 chars
+        // to prevent polynomial backtracking on malicious inputs (e.g. repeated opening braces).
+        if (command.length <= 1024 && /\{[^}]+\}/u.test(command)) {
+            throw new MatimoError(`execution.command must not contain parameter placeholders — only 'args' may be templated. ` +
+                `Found: '${command}'. Move the dynamic part into 'args'.`, ErrorCode.EXECUTION_FAILED, { toolName: tool.name });
+        }
+        else if (command.length > 1024) {
+            throw new MatimoError(`execution.command exceeds maximum length (1024 chars): ${command.length} chars. ` +
+                'Command must be a simple executable path.', ErrorCode.EXECUTION_FAILED, { toolName: tool.name, length: command.length });
+        }
+        const templatedCommand = command; // Never template the executable
         const templatedArgs = args.map((arg) => this.templateString(arg, params));
         return new Promise((resolve) => {
             // eslint-disable-next-line @typescript-eslint/no-explicit-any
             const spawnOptions = {
                 stdio: ['pipe', 'pipe', 'pipe'],
+                // Merge per-call credentials on top of the current environment so that
+                // the spawned process sees them as ordinary env vars. This is safe:
+                // values are held only in memory for the duration of the spawn setup
+                // and are never written to disk or logged.
+                env: credentials ? { ...process.env, ...credentials } : process.env,
             };
             // Set working directory if provided
             if (this.cwd) {
@@ -89,7 +112,8 @@ export class CommandExecutor {
         let result = str;
         for (const [key, value] of Object.entries(params)) {
             const placeholder = `{${key}}`;
-            result = result.replace(new RegExp(placeholder, 'g'), String(value));
+            const replacement = String(value);
+            result = result.replace(new RegExp(placeholder, 'g'), () => replacement);
         }
         return result;
     }

package/dist/executors/command-executor.js.map

@@ -1 +1 @@
-{"version":3,"file":"command-executor.js","sourceRoot":"","sources":["../../src/executors/command-executor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAEtC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAEhE;;;GAGG;AAEH,MAAM,OAAO,eAAe;IAG1B,YAAY,GAAY;QACtB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,OAAO,CAAC,IAAoB,EAAE,MAA+B;QACjE,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,IAAI,WAAW,CAAC,oCAAoC,EAAE,SAAS,CAAC,gBAAgB,EAAE;gBACtF,YAAY,EAAE,SAAS;gBACvB,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI;aAChC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,iCAAiC;QACjC,MAAM,gBAAgB,GAAG,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC9D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;QAE1E,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,8DAA8D;YAC9D,MAAM,YAAY,GAAQ;gBACxB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;aAChC,CAAC;YAEF,oCAAoC;YACpC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,YAAY,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;YAC9B,CAAC;YAED,MAAM,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;YAEnE,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,iBAAiB;YACjB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,QAAQ,GAAG,IAAI,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACzB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAExC,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,CAAC;wBACN,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,SAAS;wBAChB,QAAQ,EAAE,CAAC,CAAC;wBACZ,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC;oBAC3B,MAAM,OAAO,GAAG,QAAQ,KAAK,CAAC,CAAC;oBAE/B,OAAO,CAAC;wBACN,OAAO;wBACP,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE;wBACrB,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE;wBACrB,QAAQ;wBACR,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAExC,OAAO,CAAC;oBACN,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,KAAK,CAAC,OAAO;oBACpB,QAAQ,EAAE,CAAC,CAAC;oBACZ,QAAQ;iBACT,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,GAAW,EAAE,MAA+B;QACjE,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,MAAM,WAAW,GAAG,IAAI,GAAG,GAAG,CAAC;YAC/B,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;QACvE,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,eAAe,eAAe,CAAC"}
+{"version":3,"file":"command-executor.js","sourceRoot":"","sources":["../../src/executors/command-executor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,eAAe,CAAC;AAEtC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AAEnE;;;GAGG;AAEH,MAAM,OAAO,eAAe;IAG1B,YAAY,GAAY;QACtB,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC;IACjB,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,OAAO,CACX,IAAoB,EACpB,MAA+B,EAC/B,WAAoC;QAEpC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,IAAI,WAAW,CAAC,oCAAoC,EAAE,SAAS,CAAC,gBAAgB,EAAE;gBACtF,YAAY,EAAE,SAAS;gBACvB,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI;aAChC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,OAAO,EAAE,IAAI,GAAG,EAAE,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,0EAA0E;QAC1E,gDAAgD;QAChD,yFAAyF;QACzF,yFAAyF;QACzF,IAAI,OAAO,CAAC,MAAM,IAAI,IAAI,IAAI,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,WAAW,CACnB,4FAA4F;gBAC1F,WAAW,OAAO,uCAAuC,EAC3D,SAAS,CAAC,gBAAgB,EAC1B,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CACxB,CAAC;QACJ,CAAC;aAAM,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC;YACjC,MAAM,IAAI,WAAW,CACnB,0DAA0D,OAAO,CAAC,MAAM,UAAU;gBAChF,2CAA2C,EAC7C,SAAS,CAAC,gBAAgB,EAC1B,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAChD,CAAC;QACJ,CAAC;QACD,MAAM,gBAAgB,GAAG,OAAO,CAAC,CAAC,gCAAgC;QAClE,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC,CAAC;QAE1E,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,8DAA8D;YAC9D,MAAM,YAAY,GAAQ;gBACxB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;gBAC/B,uEAAuE;gBACvE,oEAAoE;gBACpE,qEAAqE;gBACrE,2CAA2C;gBAC3C,GAAG,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,GAAG,OAAO,CAAC,GAAG,EAAE,GAAG,WAAW,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG;aACpE,CAAC;YAEF,oCAAoC;YACpC,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;gBACb,YAAY,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;YAC9B,CAAC;YAED,MAAM,KAAK,GAAG,KAAK,CAAC,gBAAgB,EAAE,aAAa,EAAE,YAAY,CAAC,CAAC;YAEnE,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,QAAQ,GAAG,KAAK,CAAC;YAErB,iBAAiB;YACjB,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,QAAQ,GAAG,IAAI,CAAC;gBAChB,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACxB,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE;gBAChC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5B,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAI,EAAE,EAAE;gBACzB,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAExC,IAAI,QAAQ,EAAE,CAAC;oBACb,OAAO,CAAC;wBACN,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,SAAS;wBAChB,QAAQ,EAAE,CAAC,CAAC;wBACZ,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,MAAM,QAAQ,GAAG,IAAI,IAAI,CAAC,CAAC;oBAC3B,MAAM,OAAO,GAAG,QAAQ,KAAK,CAAC,CAAC;oBAE/B,OAAO,CAAC;wBACN,OAAO;wBACP,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE;wBACrB,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE;wBACrB,QAAQ;wBACR,QAAQ;qBACT,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,CAAC,CAAC;YAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,EAAE,EAAE;gBAC1B,YAAY,CAAC,KAAK,CAAC,CAAC;gBACpB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAExC,OAAO,CAAC;oBACN,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,KAAK,CAAC,OAAO;oBACpB,QAAQ,EAAE,CAAC,CAAC;oBACZ,QAAQ;iBACT,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,GAAW,EAAE,MAA+B;QACjE,IAAI,MAAM,GAAG,GAAG,CAAC;QACjB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,MAAM,WAAW,GAAG,IAAI,GAAG,GAAG,CAAC;YAC/B,MAAM,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;YAClC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,WAAW,EAAE,GAAG,CAAC,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QAC3E,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;CACF;AAED,eAAe,eAAe,CAAC"}

package/dist/executors/function-executor.d.ts

@@ -1,4 +1,4 @@
-import { ToolDefinition } from '../core/schema';
+import { ToolDefinition } from '../core/schema.js';
 /**
  * FunctionExecutor - Executes async functions
  * Supports functions defined in:
@@ -14,10 +14,17 @@ export declare class FunctionExecutor {
     private toolsPath;
     constructor(toolsPath?: string);
     /**
-     * Execute a tool that runs an async function
-     * Supports both embedded code and external .ts/.js files
+     * Execute a tool that runs an async function.
+     * Supports both embedded code and external .ts/.js files.
+     *
+     * @param tool - Tool definition
+     * @param params - Tool parameters
+     * @param credentials - Optional per-call credential overrides passed as `context.credentials`
+     *   to the tool function. The function can use them with:
+     *   `const token = context?.credentials?.MY_TOKEN ?? process.env.MY_TOKEN;`
+     *   Values are never logged. Falls back to undefined when not provided.
      */
-    execute(tool: ToolDefinition, params: Record<string, unknown>): Promise<unknown>;
+    execute(tool: ToolDefinition, params: Record<string, unknown>, credentials?: Record<string, string>): Promise<unknown>;
 }
 export default FunctionExecutor;
 //# sourceMappingURL=function-executor.d.ts.map

package/dist/executors/function-executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"function-executor.d.ts","sourceRoot":"","sources":["../../src/executors/function-executor.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAIhD;;;;;;;;;;GAUG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,SAAS,CAAS;gBAEd,SAAS,CAAC,EAAE,MAAM;IAI9B;;;OAGG;IACG,OAAO,CAAC,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;CAkLvF;AAED,eAAe,gBAAgB,CAAC"}
+{"version":3,"file":"function-executor.d.ts","sourceRoot":"","sources":["../../src/executors/function-executor.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAInD;;;;;;;;;;GAUG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,SAAS,CAAS;gBAEd,SAAS,CAAC,EAAE,MAAM;IAI9B;;;;;;;;;;OAUG;IACG,OAAO,CACX,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACnC,OAAO,CAAC,OAAO,CAAC;CAkMpB;AAED,eAAe,gBAAgB,CAAC"}

package/dist/executors/function-executor.js

@@ -1,9 +1,7 @@
-import fs from 'fs';
 import path from 'path';
 import { pathToFileURL } from 'node:url';
-import axios from 'axios';
-import { MatimoError, ErrorCode } from '../errors/matimo-error';
-import { getGlobalMatimoLogger } from '../logging/logger';
+import { MatimoError, ErrorCode } from '../errors/matimo-error.js';
+import { getGlobalMatimoLogger } from '../logging/index.js';
 /**
  * FunctionExecutor - Executes async functions
  * Supports functions defined in:
@@ -20,10 +18,17 @@ export class FunctionExecutor {
         this.toolsPath = toolsPath || process.cwd();
     }
     /**
-     * Execute a tool that runs an async function
-     * Supports both embedded code and external .ts/.js files
+     * Execute a tool that runs an async function.
+     * Supports both embedded code and external .ts/.js files.
+     *
+     * @param tool - Tool definition
+     * @param params - Tool parameters
+     * @param credentials - Optional per-call credential overrides passed as `context.credentials`
+     *   to the tool function. The function can use them with:
+     *   `const token = context?.credentials?.MY_TOKEN ?? process.env.MY_TOKEN;`
+     *   Values are never logged. Falls back to undefined when not provided.
      */
-    async execute(tool, params) {
+    async execute(tool, params, credentials) {
         if (tool.execution.type !== 'function') {
             throw new MatimoError('Tool execution type is not function', ErrorCode.EXECUTION_FAILED, {
                 expectedType: 'function',
@@ -129,7 +134,7 @@ export class FunctionExecutor {
                     import(fileUrl)
                         .then((module) => {
                         const fn = (module.default || module);
-                        const result = fn(params);
+                        const result = fn(params, credentials ? { credentials } : undefined);
                         // Handle both Promise and non-Promise returns
                         if (result instanceof Promise) {
                             result.then(handleSuccess).catch(handleError);
@@ -141,28 +146,43 @@ export class FunctionExecutor {
                         .catch(handleError);
                 }
                 else {
-                    // Execute embedded code (legacy) - create function from string
-                    // SECURITY WARNING: Embedded code execution runs arbitrary JS with fs/path/axios access.
-                    // This is a potential RCE vector if tool YAML files come from untrusted sources.
-                    // Embedded code is DISABLED by default. Must explicitly opt-in via MATIMO_ALLOW_EMBEDDED_CODE=true
-                    const embeddedCodeDisabled = process.env.MATIMO_ALLOW_EMBEDDED_CODE !== 'true';
-                    if (embeddedCodeDisabled) {
-                        throw new MatimoError('Embedded code execution is disabled by default for security. Use external .ts/.js files instead.', ErrorCode.EXECUTION_FAILED, {
+                    // ── Embedded code execution ──────────────────────────────────────
+                    // Requires explicit admin opt-in: MATIMO_ALLOW_EMBEDDED_CODE=true
+                    // Even when enabled, a static security scan runs before evaluation
+                    // to block known exploit patterns. No dangerous globals are passed
+                    // into the sandbox — only `params` is accessible.
+                    if (process.env.MATIMO_ALLOW_EMBEDDED_CODE !== 'true') {
+                        throw new MatimoError(`Tool '${tool.name}': embedded code execution is disabled by default. ` +
+                            'Set MATIMO_ALLOW_EMBEDDED_CODE=true to enable, or use a colocated .ts/.js file instead ' +
+                            "(set execution.code to its relative path, e.g. './my-tool.ts').", ErrorCode.EXECUTION_FAILED, {
                             toolName: tool.name,
-                            recommendation: 'Create a separate .ts file in the tool directory instead of using embedded code',
-                            enableFeatureFlag: 'Set MATIMO_ALLOW_EMBEDDED_CODE=true to enable (not recommended)',
+                            recommendation: 'Create a separate .ts file in the tool directory and set execution.code to its relative path',
                         });
                     }
-                    // Log warning when embedded code is executed
+                    // Static security scan — reject code containing dangerous constructs
+                    // BEFORE new Function() is ever called.
+                    const BLOCKED_PATTERNS = [
+                        { re: /\brequire\s*\(/u, label: 'require()' },
+                        { re: /\bimport\s*\(/u, label: 'dynamic import()' },
+                        { re: /\bprocess\b/u, label: 'process object' },
+                        { re: /\b__dirname\b|\b__filename\b/u, label: '__dirname / __filename' },
+                        { re: /\beval\s*\(/u, label: 'eval()' },
+                        { re: /\bnew\s+Function\b/u, label: 'new Function()' },
+                        { re: /\bglobalThis\b|\bglobal\b/u, label: 'global / globalThis' },
+                    ];
+                    for (const { re, label } of BLOCKED_PATTERNS) {
+                        if (re.test(code)) {
+                            throw new MatimoError(`Embedded code in tool '${tool.name}' contains a blocked construct: '${label}'. ` +
+                                'Embedded code may only access the provided params argument.', ErrorCode.EXECUTION_FAILED, { toolName: tool.name, blockedConstruct: label });
+                        }
+                    }
                     const logger = getGlobalMatimoLogger();
-                    logger.warn(`⚠️  Warning: Executing embedded code from tool '${tool.name}'. This carries security risks if tool YAML is from untrusted sources.`, { toolName: tool.name });
-                    // In ESM modules, require is not available by default
-                    // We pass a safe require function that embedded code can use
-                    const functionBody = `return (${code})`;
-                    const fn = new Function(functionBody)();
-                    // Pass undefined for require in ESM - embedded code should use import syntax
-                    const result = fn(params, {}, fs, path, axios, undefined);
-                    // Handle both Promise and non-Promise returns
+                    logger.warn(`Executing embedded code for tool '${tool.name}'. Ensure this tool YAML is from a trusted source.`, { toolName: tool.name });
+                    // Execute with strict mode and only params in scope.
+                    // No fs, path, axios, or require are passed — embedded code is
+                    // intentionally limited to pure data transformation of params.
+                    const fn = new Function('params', '"use strict";\nreturn (' + code + ')(params);');
+                    const result = fn(params);
                     if (result instanceof Promise) {
                         result.then(handleSuccess).catch(handleError);
                     }

package/dist/executors/function-executor.js.map

@@ -1 +1 @@
-{"version":3,"file":"function-executor.js","sourceRoot":"","sources":["../../src/executors/function-executor.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,IAAI,CAAC;AACpB,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,KAAK,MAAM,OAAO,CAAC;AAE1B,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAE1D;;;;;;;;;;GAUG;AACH,MAAM,OAAO,gBAAgB;IAG3B,YAAY,SAAkB;QAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC9C,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,OAAO,CAAC,IAAoB,EAAE,MAA+B;QACjE,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YACvC,MAAM,IAAI,WAAW,CAAC,qCAAqC,EAAE,SAAS,CAAC,gBAAgB,EAAE;gBACvF,YAAY,EAAE,UAAU;gBACxB,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI;aAChC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QAEjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,SAAS,CAAC,gBAAgB,EAAE;gBAC1E,QAAQ,EAAE,IAAI,CAAC,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,IAAI,QAAQ,GAAG,KAAK,CAAC;YACrB,IAAI,OAAO,GAAG,KAAK,CAAC;YAEpB,0CAA0C;YAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,OAAO,CAAC;wBACN,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,4BAA4B;wBACnC,IAAI,EAAE,SAAS,CAAC,gBAAgB;qBACjC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,MAAM,OAAO,GAAG,GAAG,EAAE;gBACnB,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC,CAAC;YAEF,MAAM,WAAW,GAAG,CAAC,KAAc,EAAE,EAAE;gBACrC,OAAO,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,gDAAgD;oBAChD,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;wBACjC,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,KAAK,CAAC,OAAO;4BACpB,IAAI,EAAE,KAAK,CAAC,IAAI;4BAChB,OAAO,EAAE,KAAK,CAAC,OAAO;yBACvB,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;wBAClC,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,KAAK,CAAC,OAAO;yBACrB,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;yBACrB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC,CAAC;YAEF,MAAM,aAAa,GAAG,CAAC,IAAa,EAAE,EAAE;gBACtC,OAAO,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,IAAI,QAAQ,EAAE,CAAC;wBACb,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,4BAA4B;4BACnC,IAAI,EAAE,SAAS,CAAC,gBAAgB;yBACjC,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;gBACH,CAAC;YACH,CAAC,CAAC;YAEF,IAAI,CAAC;gBACH,uEAAuE;gBACvE,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1E,iDAAiD;oBACjD,4CAA4C;oBAE5C,wDAAwD;oBACxD,IAAI,YAAoB,CAAC;oBACzB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;wBACzB,mEAAmE;wBACnE,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;wBACzD,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;oBACnD,CAAC;yBAAM,CAAC;wBACN,2DAA2D;wBAC3D,wDAAwD;wBACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;wBAC3B,IAAI,OAAe,CAAC;wBACpB,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;4BAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;4BAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC1B,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;wBAC1D,CAAC;6BAAM,CAAC;4BACN,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;wBAChD,CAAC;wBACD,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;oBAC7C,CAAC;oBAED,MAAM,OAAO,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;oBAEjD,iFAAiF;oBACjF,MAAM,CAAC,OAAO,CAAC;yBACZ,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;wBACf,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAEf,CAAC;wBACtB,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;wBAE1B,8CAA8C;wBAC9C,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;4BAC9B,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;wBAChD,CAAC;6BAAM,CAAC;4BACN,aAAa,CAAC,MAAM,CAAC,CAAC;wBACxB,CAAC;oBACH,CAAC,CAAC;yBACD,KAAK,CAAC,WAAW,CAAC,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,+DAA+D;oBAC/D,yFAAyF;oBACzF,iFAAiF;oBACjF,mGAAmG;oBAEnG,MAAM,oBAAoB,GAAG,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,MAAM,CAAC;oBAC/E,IAAI,oBAAoB,EAAE,CAAC;wBACzB,MAAM,IAAI,WAAW,CACnB,kGAAkG,EAClG,SAAS,CAAC,gBAAgB,EAC1B;4BACE,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,cAAc,EACZ,iFAAiF;4BACnF,iBAAiB,EACf,iEAAiE;yBACpE,CACF,CAAC;oBACJ,CAAC;oBAED,6CAA6C;oBAC7C,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;oBACvC,MAAM,CAAC,IAAI,CACT,mDAAmD,IAAI,CAAC,IAAI,wEAAwE,EACpI,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CACxB,CAAC;oBAEF,sDAAsD;oBACtD,6DAA6D;oBAC7D,MAAM,YAAY,GAAG,WAAW,IAAI,GAAG,CAAC;oBACxC,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,YAAY,CAAC,EAOhB,CAAC;oBACtB,6EAA6E;oBAC7E,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;oBAE1D,8CAA8C;oBAC9C,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;wBAC9B,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;oBAChD,CAAC;yBAAM,CAAC;wBACN,aAAa,CAAC,MAAM,CAAC,CAAC;oBACxB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,WAAW,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,eAAe,gBAAgB,CAAC"}
+{"version":3,"file":"function-executor.js","sourceRoot":"","sources":["../../src/executors/function-executor.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,2BAA2B,CAAC;AACnE,OAAO,EAAE,qBAAqB,EAAE,MAAM,qBAAqB,CAAC;AAE5D;;;;;;;;;;GAUG;AACH,MAAM,OAAO,gBAAgB;IAG3B,YAAY,SAAkB;QAC5B,IAAI,CAAC,SAAS,GAAG,SAAS,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC9C,CAAC;IAED;;;;;;;;;;OAUG;IACH,KAAK,CAAC,OAAO,CACX,IAAoB,EACpB,MAA+B,EAC/B,WAAoC;QAEpC,IAAI,IAAI,CAAC,SAAS,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YACvC,MAAM,IAAI,WAAW,CAAC,qCAAqC,EAAE,SAAS,CAAC,gBAAgB,EAAE;gBACvF,YAAY,EAAE,UAAU;gBACxB,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI;aAChC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,EAAE,IAAI,EAAE,OAAO,GAAG,KAAK,EAAE,GAAG,IAAI,CAAC,SAAS,CAAC;QAEjD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACtC,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,SAAS,CAAC,gBAAgB,EAAE;gBAC1E,QAAQ,EAAE,IAAI,CAAC,IAAI;aACpB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;YAC7B,IAAI,QAAQ,GAAG,KAAK,CAAC;YACrB,IAAI,OAAO,GAAG,KAAK,CAAC;YAEpB,0CAA0C;YAC1C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;gBAC5B,QAAQ,GAAG,IAAI,CAAC;gBAChB,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,OAAO,CAAC;wBACN,OAAO,EAAE,KAAK;wBACd,KAAK,EAAE,4BAA4B;wBACnC,IAAI,EAAE,SAAS,CAAC,gBAAgB;qBACjC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC,EAAE,OAAO,CAAC,CAAC;YAEZ,MAAM,OAAO,GAAG,GAAG,EAAE;gBACnB,YAAY,CAAC,KAAK,CAAC,CAAC;YACtB,CAAC,CAAC;YAEF,MAAM,WAAW,GAAG,CAAC,KAAc,EAAE,EAAE;gBACrC,OAAO,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,gDAAgD;oBAChD,IAAI,KAAK,YAAY,WAAW,EAAE,CAAC;wBACjC,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,KAAK,CAAC,OAAO;4BACpB,IAAI,EAAE,KAAK,CAAC,IAAI;4BAChB,OAAO,EAAE,KAAK,CAAC,OAAO;yBACvB,CAAC,CAAC;oBACL,CAAC;yBAAM,IAAI,KAAK,YAAY,KAAK,EAAE,CAAC;wBAClC,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,KAAK,CAAC,OAAO;yBACrB,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;yBACrB,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC,CAAC;YAEF,MAAM,aAAa,GAAG,CAAC,IAAa,EAAE,EAAE;gBACtC,OAAO,EAAE,CAAC;gBACV,IAAI,CAAC,OAAO,EAAE,CAAC;oBACb,OAAO,GAAG,IAAI,CAAC;oBACf,IAAI,QAAQ,EAAE,CAAC;wBACb,OAAO,CAAC;4BACN,OAAO,EAAE,KAAK;4BACd,KAAK,EAAE,4BAA4B;4BACnC,IAAI,EAAE,SAAS,CAAC,gBAAgB;yBACjC,CAAC,CAAC;oBACL,CAAC;yBAAM,CAAC;wBACN,OAAO,CAAC,IAAI,CAAC,CAAC;oBAChB,CAAC;gBACH,CAAC;YACH,CAAC,CAAC;YAEF,IAAI,CAAC;gBACH,uEAAuE;gBACvE,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC1E,iDAAiD;oBACjD,4CAA4C;oBAE5C,wDAAwD;oBACxD,IAAI,YAAoB,CAAC;oBACzB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;wBACzB,mEAAmE;wBACnE,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;wBACzD,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,IAAI,CAAC,CAAC;oBACnD,CAAC;yBAAM,CAAC;wBACN,2DAA2D;wBAC3D,wDAAwD;wBACxD,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC;wBAC3B,IAAI,OAAe,CAAC;wBACpB,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;4BAC3B,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;4BAClC,MAAM,QAAQ,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC1B,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;wBAC1D,CAAC;6BAAM,CAAC;4BACN,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;wBAChD,CAAC;wBACD,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;oBAC7C,CAAC;oBAED,MAAM,OAAO,GAAG,aAAa,CAAC,YAAY,CAAC,CAAC,IAAI,CAAC;oBAEjD,iFAAiF;oBACjF,MAAM,CAAC,OAAO,CAAC;yBACZ,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE;wBACf,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAGf,CAAC;wBACtB,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;wBAErE,8CAA8C;wBAC9C,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;4BAC9B,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;wBAChD,CAAC;6BAAM,CAAC;4BACN,aAAa,CAAC,MAAM,CAAC,CAAC;wBACxB,CAAC;oBACH,CAAC,CAAC;yBACD,KAAK,CAAC,WAAW,CAAC,CAAC;gBACxB,CAAC;qBAAM,CAAC;oBACN,oEAAoE;oBACpE,kEAAkE;oBAClE,mEAAmE;oBACnE,mEAAmE;oBACnE,kDAAkD;oBAElD,IAAI,OAAO,CAAC,GAAG,CAAC,0BAA0B,KAAK,MAAM,EAAE,CAAC;wBACtD,MAAM,IAAI,WAAW,CACnB,SAAS,IAAI,CAAC,IAAI,qDAAqD;4BACrE,yFAAyF;4BACzF,iEAAiE,EACnE,SAAS,CAAC,gBAAgB,EAC1B;4BACE,QAAQ,EAAE,IAAI,CAAC,IAAI;4BACnB,cAAc,EACZ,8FAA8F;yBACjG,CACF,CAAC;oBACJ,CAAC;oBAED,qEAAqE;oBACrE,wCAAwC;oBACxC,MAAM,gBAAgB,GAAoC;wBACxD,EAAE,EAAE,EAAE,iBAAiB,EAAE,KAAK,EAAE,WAAW,EAAE;wBAC7C,EAAE,EAAE,EAAE,gBAAgB,EAAE,KAAK,EAAE,kBAAkB,EAAE;wBACnD,EAAE,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,gBAAgB,EAAE;wBAC/C,EAAE,EAAE,EAAE,+BAA+B,EAAE,KAAK,EAAE,wBAAwB,EAAE;wBACxE,EAAE,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,QAAQ,EAAE;wBACvC,EAAE,EAAE,EAAE,qBAAqB,EAAE,KAAK,EAAE,gBAAgB,EAAE;wBACtD,EAAE,EAAE,EAAE,4BAA4B,EAAE,KAAK,EAAE,qBAAqB,EAAE;qBACnE,CAAC;oBAEF,KAAK,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,gBAAgB,EAAE,CAAC;wBAC7C,IAAI,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAClB,MAAM,IAAI,WAAW,CACnB,0BAA0B,IAAI,CAAC,IAAI,oCAAoC,KAAK,KAAK;gCAC/E,6DAA6D,EAC/D,SAAS,CAAC,gBAAgB,EAC1B,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,gBAAgB,EAAE,KAAK,EAAE,CACjD,CAAC;wBACJ,CAAC;oBACH,CAAC;oBAED,MAAM,MAAM,GAAG,qBAAqB,EAAE,CAAC;oBACvC,MAAM,CAAC,IAAI,CACT,qCAAqC,IAAI,CAAC,IAAI,oDAAoD,EAClG,EAAE,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE,CACxB,CAAC;oBAEF,qDAAqD;oBACrD,+DAA+D;oBAC/D,+DAA+D;oBAC/D,MAAM,EAAE,GAAG,IAAI,QAAQ,CAAC,QAAQ,EAAE,yBAAyB,GAAG,IAAI,GAAG,YAAY,CAE5D,CAAC;oBAEtB,MAAM,MAAM,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;oBAC1B,IAAI,MAAM,YAAY,OAAO,EAAE,CAAC;wBAC9B,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;oBAChD,CAAC;yBAAM,CAAC;wBACN,aAAa,CAAC,MAAM,CAAC,CAAC;oBACxB,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,WAAW,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC;CACF;AAED,eAAe,gBAAgB,CAAC"}

package/dist/executors/http-executor.d.ts

@@ -1,24 +1,99 @@
-import { ToolDefinition } from '../core/schema';
+import { ToolDefinition } from '../core/schema.js';
 /**
  * HttpExecutor - Executes HTTP requests
  * Handles authentication, retries, and response validation
  */
 export declare class HttpExecutor {
     /**
-     * Execute a tool that makes an HTTP request
+     * Execute a tool that makes an HTTP request.
+     *
+     * @param tool - Tool definition
+     * @param params - Tool parameters (already env-injected by MatimoInstance)
+     * @param credentials - Optional per-call credential overrides. Used for
+     *   `authentication.type: basic` (username_env / password_env keys) instead of
+     *   reading from `process.env`. Other auth schemes (bearer, api_key) are handled
+     *   upstream via parameter templating in MatimoInstance.injectAuthParameters().
+     *   Values are never logged.
      */
-    execute(tool: ToolDefinition, params: Record<string, unknown>): Promise<unknown>;
+    execute(tool: ToolDefinition, params: Record<string, unknown>, credentials?: Record<string, string>): Promise<unknown>;
+    /**
+     * Automatically inject `Authorization: Basic <base64(username:password)>` when
+     * the tool declares `authentication.type: basic` with `username_env` and `password_env`.
+     *
+     * This is a zero-friction pattern: developers only set two natural env vars
+     * (e.g. TWILIO_ACCOUNT_SID + TWILIO_AUTH_TOKEN) and Matimo handles encoding.
+     * No pre-computed base64 credential string required.
+     *
+     * When `credentials` is provided the lookup order is:
+     *   1. `credentials[envVarName]`  (per-call override — multi-tenant use)
+     *   2. `process.env[envVarName]`  (singleton / single-tenant fallback)
+     *
+     * Credential values are never logged or included in error details.
+     */
+    private applyBasicAuth;
     /**
      * Replace parameter placeholders in a string
      */
     private templateString;
+    /**
+     * Check if a string is an unfilled placeholder
+     * Only matches single placeholders like "{param}", not "{...}" or embedded placeholders
+     */
+    private isUnfilledPlaceholder;
+    /**
+     * Validate that all URL parameters are provided
+     */
+    private validateUrlParameters;
     /**
      * Build query string from query_params, only including provided values
      */
     private buildQueryString;
     /**
-     * Replace parameter placeholders in an object (headers, body)
-     * Recursively handles nested objects
+     * Replace parameter placeholders in an object (headers, body, query params)
+     *
+     * CORE PRINCIPLE: "Define once in YAML, embed correctly at execution time"
+     *
+     * This method intelligently handles different parameter types:
+     * - STRING placeholders like "{title}": Always templated as strings
+     * - OBJECT placeholders like "{parent}": Embedded directly as JSON objects (not stringified) if paramDefinitions specifies type:object
+     * - ARRAY placeholders like "{items}": Embedded directly as JSON arrays (not stringified) if paramDefinitions specifies type:array
+     *
+     * Key behaviors:
+     * - Recursively processes nested objects
+     * - Skips keys with unfilled placeholders (e.g., "{sort_by}" when sort_by not provided)
+     * - Uses parameter schema type from YAML to determine how to embed values
+     * - Preserves JSON structure for complex types (objects/arrays) sent to APIs
+     *
+     * @example
+     * ```
+     * // YAML definition:
+     * parameters:
+     *   parent:
+     *     type: object  // <-- Tells executor to embed as-is, not stringify
+     *   items:
+     *     type: array   // <-- Tells executor to embed as-is, not stringify
+     *   title:
+     *     type: string  // <-- String templating applies
+     *
+     * body:
+     *   parent: "{parent}"  // Object embedded as {"id": "123", ...}
+     *   items: "{items}"    // Array embedded as [{"name": "a"}, ...]
+     *   title: "{title}"    // String embedded as "My Title"
+     *
+     * // JavaScript call:
+     * const result = await matimo.execute('notion_create_page', {
+     *   parent: { database_id: 'abc123' },  // JavaScript object
+     *   items: [{ type: 'text' }],          // JavaScript array
+     *   title: 'Create This Page'           // String
+     * });
+     *
+     * // HTTP body sent to API:
+     * {
+     *   "parent": {"database_id": "abc123"},     // Proper JSON object
+     *   "items": [{"type": "text"}],            // Proper JSON array
+     *   "title": "Create This Page"             // String
+     * }
+     * ```
      */
     private templateObject;
 }

package/dist/executors/http-executor.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"http-executor.d.ts","sourceRoot":"","sources":["../../src/executors/http-executor.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAIhD;;;GAGG;AAEH,qBAAa,YAAY;IACvB;;OAEG;IACG,OAAO,CAAC,IAAI,EAAE,cAAc,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,CAAC;IAoFtF;;OAEG;IACH,OAAO,CAAC,cAAc;IAWtB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAexB;;;OAGG;IACH,OAAO,CAAC,cAAc;CA2BvB;AAED,eAAe,YAAY,CAAC"}
+{"version":3,"file":"http-executor.d.ts","sourceRoot":"","sources":["../../src/executors/http-executor.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AAInD;;;GAGG;AAEH,qBAAa,YAAY;IACvB;;;;;;;;;;OAUG;IACG,OAAO,CACX,IAAI,EAAE,cAAc,EACpB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GACnC,OAAO,CAAC,OAAO,CAAC;IAmHnB;;;;;;;;;;;;;OAaG;IACH,OAAO,CAAC,cAAc;IA4BtB;;OAEG;IACH,OAAO,CAAC,cAAc;IAatB;;;OAGG;IACH,OAAO,CAAC,qBAAqB;IAK7B;;OAEG;IACH,OAAO,CAAC,qBAAqB;IAyB7B;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAexB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA8CG;IACH,OAAO,CAAC,cAAc;CA+GvB;AAED,eAAe,YAAY,CAAC"}