@pikku/inspector 0.12.3 → 0.12.5

package/CHANGELOG.md

@@ -1,5 +1,47 @@
 ## 0.12.0
 
+## 0.12.5
+
+### Patch Changes
+
+- 65eccc6: Cache Zod schema generation between re-inspection passes and batch imports by source file. Schemas are cached using a fingerprint of schemaLookup entries + file mtimes, so reinspections skip Zod generation entirely when schemas haven't changed. Source file imports are grouped so each file is imported once instead of per-schema. Reduces `pikku all` from ~5 minutes to ~13 seconds on projects with many Zod schemas.
+- 0f59432: Add per-user credential system with CredentialService, OAuth2 route handlers, and KyselyCredentialService with envelope encryption
+- Updated dependencies [0f59432]
+- Updated dependencies [52b64d1]
+  - @pikku/core@0.12.10
+
+## 0.12.4
+
+### Patch Changes
+
+- 5866b66: Add critical error (PKU490) when Zod schemas and wiring calls (wireHTTPRoutes, addPermission, addHTTPMiddleware) coexist in the same file. The CLI uses tsImport to extract Zod schemas at runtime, which executes all top-level code — wiring side-effects crash in this context because pikku state metadata doesn't exist. Schemas and wirings must be in separate files.
+- e412b4d: Optimize CLI codegen performance: 12x faster `pikku all`
+
+  - Reuse schemas across re-inspections (skip redundant `ts-json-schema-generator` runs)
+  - Cache TS schemas to disk (`.pikku/schema-cache.json`) for cross-run reuse
+  - Pass `oldProgram` to `ts.createProgram` for incremental TS compilation
+  - Cache parsed tsconfig in schema generator between runs
+  - Auto-include direct `addPermission`/`addHTTPMiddleware` in bootstrap via side-effect imports
+  - Skip `pikkuAuth()` errors when nested inside `addPermission`/`addHTTPPermission`
+
+- Updated dependencies [e412b4d]
+- Updated dependencies [53dc8c8]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [0a1cc51]
+- Updated dependencies [8b9b2e9]
+- Updated dependencies [8b9b2e9]
+- Updated dependencies [b973d44]
+- Updated dependencies [8b9b2e9]
+- Updated dependencies [8b9b2e9]
+  - @pikku/core@0.12.9
+
 ## 0.12.3
 
 ### Patch Changes

package/dist/add/add-credential.d.ts

@@ -0,0 +1,2 @@
+import type { AddWiring } from '../types.js';
+export declare const addCredential: AddWiring;

package/dist/add/add-credential.js

@@ -0,0 +1,118 @@
+import * as ts from 'typescript';
+import { getPropertyValue, getArrayPropertyValue, } from '../utils/get-property-value.js';
+import { ErrorCode } from '../error-codes.js';
+import { detectSchemaVendorOrError } from '../utils/detect-schema-vendor.js';
+export const addCredential = (logger, node, checker, state, _options) => {
+    if (!ts.isCallExpression(node)) {
+        return;
+    }
+    const args = node.arguments;
+    const firstArg = args[0];
+    const expression = node.expression;
+    if (!ts.isIdentifier(expression) || expression.text !== 'wireCredential') {
+        return;
+    }
+    if (!firstArg) {
+        return;
+    }
+    if (ts.isObjectLiteralExpression(firstArg)) {
+        const obj = firstArg;
+        const nameValue = getPropertyValue(obj, 'name');
+        const displayNameValue = getPropertyValue(obj, 'displayName');
+        const descriptionValue = getPropertyValue(obj, 'description');
+        const typeValue = getPropertyValue(obj, 'type');
+        if (!nameValue) {
+            logger.critical(ErrorCode.MISSING_NAME, "Credential is missing the required 'name' property.");
+            return;
+        }
+        if (!displayNameValue) {
+            logger.critical(ErrorCode.MISSING_NAME, `Credential '${nameValue}' is missing the required 'displayName' property.`);
+            return;
+        }
+        if (!typeValue || (typeValue !== 'singleton' && typeValue !== 'wire')) {
+            logger.critical(ErrorCode.MISSING_NAME, `Credential '${nameValue}' is missing or has invalid 'type' property. Must be 'singleton' or 'wire'.`);
+            return;
+        }
+        let schemaVariableName = null;
+        let schemaSourceFile = null;
+        let schemaIdentifier = null;
+        for (const prop of obj.properties) {
+            if (ts.isPropertyAssignment(prop) &&
+                ts.isIdentifier(prop.name) &&
+                prop.name.text === 'schema') {
+                if (ts.isIdentifier(prop.initializer)) {
+                    schemaVariableName = prop.initializer.text;
+                    schemaIdentifier = prop.initializer;
+                    const symbol = checker.getSymbolAtLocation(prop.initializer);
+                    if (symbol) {
+                        const decl = symbol.valueDeclaration || symbol.declarations?.[0];
+                        if (decl) {
+                            if (ts.isImportSpecifier(decl)) {
+                                const aliasedSymbol = checker.getAliasedSymbol(symbol);
+                                if (aliasedSymbol) {
+                                    const aliasedDecl = aliasedSymbol.valueDeclaration ||
+                                        aliasedSymbol.declarations?.[0];
+                                    if (aliasedDecl) {
+                                        schemaSourceFile = aliasedDecl.getSourceFile().fileName;
+                                    }
+                                }
+                            }
+                            else {
+                                schemaSourceFile = decl.getSourceFile().fileName;
+                            }
+                        }
+                    }
+                }
+                break;
+            }
+        }
+        let oauth2 = undefined;
+        const oauth2Prop = obj.properties.find((p) => ts.isPropertyAssignment(p) &&
+            ts.isIdentifier(p.name) &&
+            p.name.text === 'oauth2');
+        if (oauth2Prop &&
+            ts.isPropertyAssignment(oauth2Prop) &&
+            ts.isObjectLiteralExpression(oauth2Prop.initializer)) {
+            const oauth2Obj = oauth2Prop.initializer;
+            const appCredentialSecretId = getPropertyValue(oauth2Obj, 'appCredentialSecretId');
+            const tokenSecretId = getPropertyValue(oauth2Obj, 'tokenSecretId');
+            const authorizationUrl = getPropertyValue(oauth2Obj, 'authorizationUrl');
+            const tokenUrl = getPropertyValue(oauth2Obj, 'tokenUrl');
+            const scopes = getArrayPropertyValue(oauth2Obj, 'scopes');
+            const pkce = getPropertyValue(oauth2Obj, 'pkce');
+            if (appCredentialSecretId && authorizationUrl && tokenUrl && scopes) {
+                oauth2 = {
+                    appCredentialSecretId,
+                    tokenSecretId: tokenSecretId || undefined,
+                    authorizationUrl,
+                    tokenUrl,
+                    scopes,
+                    pkce: pkce || undefined,
+                };
+            }
+        }
+        const sourceFile = node.getSourceFile().fileName;
+        state.credentials.files.add(sourceFile);
+        let schemaLookupName;
+        if (schemaVariableName && schemaSourceFile && schemaIdentifier) {
+            const vendor = detectSchemaVendorOrError(schemaIdentifier, checker, logger, `Credential '${nameValue}'`, schemaSourceFile);
+            if (vendor) {
+                schemaLookupName = `CredentialSchema_${nameValue}`;
+                state.schemaLookup.set(schemaLookupName, {
+                    variableName: schemaVariableName,
+                    sourceFile: schemaSourceFile,
+                    vendor,
+                });
+            }
+        }
+        state.credentials.definitions.push({
+            name: nameValue,
+            displayName: displayNameValue,
+            description: descriptionValue || undefined,
+            type: typeValue,
+            schema: schemaLookupName,
+            oauth2,
+            sourceFile,
+        });
+    }
+};

package/dist/add/add-middleware.js

@@ -189,12 +189,10 @@ export const addMiddleware = (logger, node, checker, state) => {
             return;
         }
         const refs = extractMiddlewareRefs(middlewareArrayArg, checker, state.rootDir);
-        if (refs.length === 0) {
-            logger.warn(`• addMiddleware('${tag}', ...) has empty middleware array`);
-            return;
-        }
         const definitionIds = refs.map((r) => r.definitionId);
-        renameTempDefinitions(state, definitionIds, 'tag', tag);
+        if (definitionIds.length > 0) {
+            renameTempDefinitions(state, definitionIds, 'tag', tag);
+        }
         const sourceFile = node.getSourceFile().fileName;
         const instanceIds = [];
         for (let i = 0; i < refs.length; i++) {
@@ -273,12 +271,10 @@ export const addMiddleware = (logger, node, checker, state) => {
             return;
         }
         const refs = extractMiddlewareRefs(middlewareArrayArg, checker, state.rootDir);
-        if (refs.length === 0) {
-            logger.warn(`• addHTTPMiddleware('${pattern}', ...) has empty middleware array`);
-            return;
-        }
         const definitionIds = refs.map((r) => r.definitionId);
-        renameTempDefinitions(state, definitionIds, 'http', pattern);
+        if (definitionIds.length > 0) {
+            renameTempDefinitions(state, definitionIds, 'http', pattern);
+        }
         const sourceFile = node.getSourceFile().fileName;
         const instanceIds = [];
         for (let i = 0; i < refs.length; i++) {

package/dist/add/add-permission.js

@@ -21,12 +21,14 @@ function renameTempDefinitions(state, definitionIds, groupType, groupKey) {
         definitionIds[idx] = newId;
     }
 }
-function isInsidePermissionFactory(node) {
+function isInsidePermissionContainer(node) {
     let current = node.parent;
     while (current) {
         if (ts.isCallExpression(current) &&
             ts.isIdentifier(current.expression) &&
-            current.expression.text === 'pikkuPermissionFactory') {
+            (current.expression.text === 'pikkuPermissionFactory' ||
+                current.expression.text === 'addPermission' ||
+                current.expression.text === 'addHTTPPermission')) {
             return true;
         }
         current = current.parent;
@@ -47,7 +49,7 @@ export const addPermission = (logger, node, checker, state) => {
     // Handle pikkuPermission(...) - individual permission function definition
     if (expression.text === 'pikkuPermission') {
         // Skip if nested inside pikkuPermissionFactory — the factory handler extracts services itself
-        if (isInsidePermissionFactory(node))
+        if (isInsidePermissionContainer(node))
             return;
         const arg = args[0];
         if (!arg)
@@ -110,7 +112,7 @@ export const addPermission = (logger, node, checker, state) => {
         return;
     }
     if (expression.text === 'pikkuAuth') {
-        if (isInsidePermissionFactory(node))
+        if (isInsidePermissionContainer(node))
             return;
         const arg = args[0];
         if (!arg)
@@ -269,11 +271,9 @@ export const addPermission = (logger, node, checker, state) => {
         }
         // Extract permission pikkuFuncIds from array
         const permissionNames = extractPermissionPikkuNames(permissionsArrayArg, checker, state.rootDir);
-        if (permissionNames.length === 0) {
-            logger.warn(`• addPermission('${tag}', ...) has empty permissions array`);
-            return;
+        if (permissionNames.length > 0) {
+            renameTempDefinitions(state, permissionNames, 'tag', tag);
         }
-        renameTempDefinitions(state, permissionNames, 'tag', tag);
         const allServices = new Set();
         for (const permissionName of permissionNames) {
             const permissionMeta = state.permissions.definitions[permissionName];
@@ -348,11 +348,9 @@ export const addPermission = (logger, node, checker, state) => {
         }
         // Extract permission pikkuFuncIds from array
         const permissionNames = extractPermissionPikkuNames(permissionsArrayArg, checker, state.rootDir);
-        if (permissionNames.length === 0) {
-            logger.warn(`• addHTTPPermission('${pattern}', ...) has empty permissions array`);
-            return;
+        if (permissionNames.length > 0) {
+            renameTempDefinitions(state, permissionNames, 'http', pattern);
         }
-        renameTempDefinitions(state, permissionNames, 'http', pattern);
         const allServices = new Set();
         for (const permissionName of permissionNames) {
             const permissionMeta = state.permissions.definitions[permissionName];

package/dist/add/add-secret.d.ts

@@ -1,3 +1 @@
-import type { AddWiring } from '../types.js';
-export declare const addSecret: AddWiring;
-export declare const addOAuth2Credential: AddWiring;
+export declare const addSecret: import("../types.js").AddWiring;

package/dist/add/add-secret.js

@@ -1,6 +1,3 @@
-import * as ts from 'typescript';
-import { getPropertyValue, getArrayPropertyValue, } from '../utils/get-property-value.js';
-import { ErrorCode } from '../error-codes.js';
 import { createAddKeyedWiring } from './add-keyed-wiring.js';
 export const addSecret = createAddKeyedWiring({
     functionName: 'wireSecret',
@@ -9,74 +6,3 @@ export const addSecret = createAddKeyedWiring({
     schemaPrefix: 'SecretSchema',
     getState: (state) => state.secrets,
 });
-export const addOAuth2Credential = (logger, node, _checker, state, _options) => {
-    if (!ts.isCallExpression(node)) {
-        return;
-    }
-    const args = node.arguments;
-    const firstArg = args[0];
-    const expression = node.expression;
-    if (!ts.isIdentifier(expression) ||
-        expression.text !== 'wireOAuth2Credential') {
-        return;
-    }
-    if (!firstArg) {
-        return;
-    }
-    if (ts.isObjectLiteralExpression(firstArg)) {
-        const obj = firstArg;
-        const nameValue = getPropertyValue(obj, 'name');
-        const displayNameValue = getPropertyValue(obj, 'displayName');
-        const descriptionValue = getPropertyValue(obj, 'description');
-        const secretIdValue = getPropertyValue(obj, 'secretId');
-        const tokenSecretIdValue = getPropertyValue(obj, 'tokenSecretId');
-        const authorizationUrlValue = getPropertyValue(obj, 'authorizationUrl');
-        const tokenUrlValue = getPropertyValue(obj, 'tokenUrl');
-        const scopesValue = getArrayPropertyValue(obj, 'scopes');
-        const pkceValue = getPropertyValue(obj, 'pkce');
-        if (!nameValue) {
-            logger.critical(ErrorCode.MISSING_NAME, "OAuth2 Credential is missing the required 'name' property.");
-            return;
-        }
-        if (!displayNameValue) {
-            logger.critical(ErrorCode.MISSING_NAME, `OAuth2 Credential '${nameValue}' is missing the required 'displayName' property.`);
-            return;
-        }
-        if (!secretIdValue) {
-            logger.critical(ErrorCode.MISSING_NAME, `OAuth2 Credential '${nameValue}' is missing the required 'secretId' property.`);
-            return;
-        }
-        if (!tokenSecretIdValue) {
-            logger.critical(ErrorCode.MISSING_NAME, `OAuth2 Credential '${nameValue}' is missing the required 'tokenSecretId' property.`);
-            return;
-        }
-        if (!authorizationUrlValue) {
-            logger.critical(ErrorCode.MISSING_NAME, `OAuth2 Credential '${nameValue}' is missing the required 'authorizationUrl' property.`);
-            return;
-        }
-        if (!tokenUrlValue) {
-            logger.critical(ErrorCode.MISSING_NAME, `OAuth2 Credential '${nameValue}' is missing the required 'tokenUrl' property.`);
-            return;
-        }
-        if (!scopesValue || scopesValue.length === 0) {
-            logger.critical(ErrorCode.MISSING_NAME, `OAuth2 Credential '${nameValue}' is missing the required 'scopes' property.`);
-            return;
-        }
-        const sourceFile = node.getSourceFile().fileName;
-        state.secrets.files.add(sourceFile);
-        state.secrets.definitions.push({
-            name: nameValue,
-            displayName: displayNameValue,
-            description: descriptionValue || undefined,
-            secretId: secretIdValue,
-            oauth2: {
-                tokenSecretId: tokenSecretIdValue,
-                authorizationUrl: authorizationUrlValue,
-                tokenUrl: tokenUrlValue,
-                scopes: scopesValue,
-                pkce: pkceValue || undefined,
-            },
-            sourceFile,
-        });
-    }
-};

package/dist/add/add-workflow.js

@@ -3,7 +3,7 @@ import { extractFunctionName } from '../utils/extract-function-name.js';
 import { extractFunctionNode } from '../utils/extract-function-node.js';
 import { ErrorCode } from '../error-codes.js';
 import { extractStringLiteral, isStringLike, isFunctionLike, extractDescription, extractDuration, } from '../utils/extract-node-value.js';
-import { getCommonWireMetaData } from '../utils/get-property-value.js';
+import { getCommonWireMetaData, getPropertyValue, } from '../utils/get-property-value.js';
 import { extractDSLWorkflow } from '../utils/workflow/dsl/extract-dsl-workflow.js';
 /**
  * Recursively check if any step has inline type (non-serializable)
@@ -182,6 +182,7 @@ export const addWorkflow = (logger, node, checker, state) => {
     let summary;
     let description;
     let errors;
+    let inline;
     if (ts.isObjectLiteralExpression(firstArg)) {
         const metadata = getCommonWireMetaData(firstArg, 'Workflow', workflowName, logger);
         if (metadata.disabled)
@@ -190,6 +191,10 @@ export const addWorkflow = (logger, node, checker, state) => {
         summary = metadata.summary;
         description = metadata.description;
         errors = metadata.errors;
+        const inlineProp = getPropertyValue(firstArg, 'inline');
+        if (inlineProp === true) {
+            inline = true;
+        }
     }
     // Validate that we got a valid function
     if (ts.isObjectLiteralExpression(firstArg) &&
@@ -272,5 +277,6 @@ export const addWorkflow = (logger, node, checker, state) => {
         description,
         errors,
         tags,
+        inline,
     };
 };

package/dist/error-codes.d.ts

@@ -49,6 +49,7 @@ export declare enum ErrorCode {
     MANIFEST_INTEGRITY_ERROR = "PKU865",
     MISSING_MODEL = "PKU145",
     INVALID_MODEL = "PKU146",
+    SCHEMA_AND_WIRING_COLOCATED = "PKU490",
     SERVICES_NOT_DESTRUCTURED = "PKU410",
     WIRES_NOT_DESTRUCTURED = "PKU411",
     WORKFLOW_MULTI_QUEUE_NOT_SUPPORTED = "PKU901"

package/dist/error-codes.js

@@ -58,6 +58,8 @@ export var ErrorCode;
     // Model configuration errors
     ErrorCode["MISSING_MODEL"] = "PKU145";
     ErrorCode["INVALID_MODEL"] = "PKU146";
+    // File structure errors
+    ErrorCode["SCHEMA_AND_WIRING_COLOCATED"] = "PKU490";
     // Optimization diagnostics
     ErrorCode["SERVICES_NOT_DESTRUCTURED"] = "PKU410";
     ErrorCode["WIRES_NOT_DESTRUCTURED"] = "PKU411";

package/dist/inspector.js

@@ -4,7 +4,7 @@ import { visitSetup, visitRoutes } from './visit.js';
 import { TypesMap } from './types-map.js';
 import { getFilesAndMethods } from './utils/get-files-and-methods.js';
 import { findCommonAncestor } from './utils/find-root-dir.js';
-import { aggregateRequiredServices, validateAgentModels, validateAgentOverrides, validateSecretOverrides, validateVariableOverrides, computeResolvedIOTypes, computeMiddlewareGroupsMeta, computePermissionsGroupsMeta, computeRequiredSchemas, computeDiagnostics, } from './utils/post-process.js';
+import { aggregateRequiredServices, validateAgentModels, validateAgentOverrides, validateSecretOverrides, validateVariableOverrides, computeResolvedIOTypes, computeMiddlewareGroupsMeta, computePermissionsGroupsMeta, computeRequiredSchemas, computeDiagnostics, validateSchemaWiringSeparation, } from './utils/post-process.js';
 import { generateOpenAPISpec } from './utils/serialize-openapi-json.js';
 import { pikkuState } from '@pikku/core/internal';
 import { resolveLatestVersions } from './utils/resolve-versions.js';
@@ -118,6 +118,10 @@ export function getInitialInspectorState(rootDir) {
             definitions: [],
             files: new Set(),
         },
+        credentials: {
+            definitions: [],
+            files: new Set(),
+        },
         variables: {
             definitions: [],
             files: new Set(),
@@ -174,11 +178,11 @@ export function getInitialInspectorState(rootDir) {
         openAPISpec: null,
         diagnostics: [],
         addonFunctions: {},
+        program: null,
     };
 }
 export const inspect = async (logger, routeFiles, options = {}) => {
-    const startProgram = performance.now();
-    const program = ts.createProgram(routeFiles, {
+    const compilerOptions = {
         target: ts.ScriptTarget.ESNext,
         module: ts.ModuleKind.Node16,
         skipLibCheck: true,
@@ -187,8 +191,11 @@ export const inspect = async (logger, routeFiles, options = {}) => {
         types: [],
         allowJs: false,
         checkJs: false,
-    });
-    logger.debug(`Created program in ${(performance.now() - startProgram).toFixed(2)}ms`);
+    };
+    const startProgram = performance.now();
+    const program = ts.createProgram(routeFiles, compilerOptions, undefined, // host
+    options.oldProgram);
+    logger.debug(`Created program in ${(performance.now() - startProgram).toFixed(0)}ms (${routeFiles.length} files${options.oldProgram ? ', incremental' : ''})`);
     const startChecker = performance.now();
     const checker = program.getTypeChecker();
     logger.debug(`Got type checker in ${(performance.now() - startChecker).toFixed(2)}ms`);
@@ -207,7 +214,7 @@ export const inspect = async (logger, routeFiles, options = {}) => {
     for (const sourceFile of sourceFiles) {
         ts.forEachChild(sourceFile, (child) => visitSetup(logger, checker, child, state, options));
     }
-    logger.debug(`Visit setup phase completed in ${(performance.now() - startSetup).toFixed(2)}ms`);
+    logger.debug(`Visit setup phase completed in ${(performance.now() - startSetup).toFixed(0)}ms`);
     // Load addon function metadata so wirings can reference addon functions
     await loadAddonFunctionsMeta(logger, state);
     if (!options.setupOnly) {
@@ -216,10 +223,12 @@ export const inspect = async (logger, routeFiles, options = {}) => {
         for (const sourceFile of sourceFiles) {
             ts.forEachChild(sourceFile, (child) => visitRoutes(logger, checker, child, state, options));
         }
-        logger.debug(`Visit routes phase completed in ${(performance.now() - startRoutes).toFixed(2)}ms`);
+        logger.debug(`Visit routes phase completed in ${(performance.now() - startRoutes).toFixed(0)}ms`);
         resolveLatestVersions(state, logger);
         if (options.schemaConfig) {
+            const startSchemas = performance.now();
             state.schemas = await generateAllSchemas(logger, options.schemaConfig, state);
+            logger.debug(`generateAllSchemas took ${(performance.now() - startSchemas).toFixed(0)}ms`);
             computeContractHashes(state.schemas, state.functions.typesMap, state.functions.meta);
             computeRequiredSchemas(state, options);
         }
@@ -248,6 +257,7 @@ export const inspect = async (logger, routeFiles, options = {}) => {
         computeMiddlewareGroupsMeta(state);
         computePermissionsGroupsMeta(state);
         computeDiagnostics(state);
+        validateSchemaWiringSeparation(logger, state);
         if (options.openAPI) {
             state.openAPISpec = await generateOpenAPISpec(logger, state.functions.meta, state.http.meta, state.schemas, options.openAPI.additionalInfo, pikkuState(null, 'misc', 'errors'));
         }
@@ -256,5 +266,6 @@ export const inspect = async (logger, routeFiles, options = {}) => {
         validateSecretOverrides(logger, state);
         validateVariableOverrides(logger, state);
     }
+    state.program = program;
     return state;
 };

package/dist/types.d.ts

@@ -11,6 +11,7 @@ import type { AIAgentMeta } from '@pikku/core/ai-agent';
 import type { CLIMeta } from '@pikku/core/cli';
 import type { NodesMeta } from '@pikku/core/node';
 import type { SecretDefinitions } from '@pikku/core/secret';
+import type { CredentialDefinitions } from '@pikku/core/credential';
 import type { VariableDefinitions } from '@pikku/core/variable';
 import type { TypesMap } from './types-map.js';
 import type { FunctionsMeta, FunctionServicesMeta, FunctionWiresMeta, JSONValue } from '@pikku/core';
@@ -193,6 +194,7 @@ export type InspectorOptions = Partial<{
     tags: string[];
     manifest: VersionManifest;
     modelConfig: InspectorModelConfig;
+    oldProgram: ts.Program | undefined;
 }>;
 export interface InspectorLogger {
     info: (message: string) => void;
@@ -348,6 +350,10 @@ export interface InspectorState {
         definitions: SecretDefinitions;
         files: Set<string>;
     };
+    credentials: {
+        definitions: CredentialDefinitions;
+        files: Set<string>;
+    };
     variables: {
         definitions: VariableDefinitions;
         files: Set<string>;
@@ -393,4 +399,5 @@ export interface InspectorState {
     openAPISpec: Record<string, any> | null;
     diagnostics: InspectorDiagnostic[];
     addonFunctions: Record<string, FunctionsMeta>;
+    program: ts.Program | null;
 }

package/dist/utils/custom-types-generator.js

@@ -9,6 +9,7 @@ export function sanitizeTypeName(name) {
 }
 export function generateCustomTypes(typesMap, requiredTypes) {
     const typeDeclarations = Array.from(typesMap.customTypes.entries())
+        .sort(([a], [b]) => a.localeCompare(b))
         .filter(([_name, { type }]) => {
         const hasUndefinedGeneric = /\b(Name|In|Out|Key)\b/.test(type) && /\[.*\]/.test(type);
         return !hasUndefinedGeneric;

package/dist/utils/post-process.d.ts

@@ -22,4 +22,13 @@ export declare function computePermissionsGroupsMeta(state: InspectorState): voi
 export declare function computeRequiredSchemas(state: InspectorState, options: InspectorOptions): void;
 export declare function validateAgentModels(logger: InspectorLogger, state: InspectorState | Omit<InspectorState, 'typesLookup'>, modelConfig?: InspectorModelConfig): void;
 export declare function validateAgentOverrides(logger: InspectorLogger, state: InspectorState | Omit<InspectorState, 'typesLookup'>, modelConfig?: InspectorModelConfig): void;
+/**
+ * Validates that Zod schemas and wiring side-effects (wireHTTPRoutes,
+ * addPermission, addHTTPMiddleware, etc.) do not coexist in the same file.
+ *
+ * The CLI uses tsImport to extract Zod schemas at runtime, which executes
+ * all top-level code in the file. Wiring calls crash during this process
+ * because the pikku state metadata doesn't exist in the CLI context.
+ */
+export declare function validateSchemaWiringSeparation(logger: InspectorLogger, state: InspectorState): void;
 export declare function computeDiagnostics(state: InspectorState): void;

package/dist/utils/post-process.js

@@ -378,6 +378,52 @@ export function validateAgentOverrides(logger, state, modelConfig) {
         }
     }
 }
+/**
+ * Validates that Zod schemas and wiring side-effects (wireHTTPRoutes,
+ * addPermission, addHTTPMiddleware, etc.) do not coexist in the same file.
+ *
+ * The CLI uses tsImport to extract Zod schemas at runtime, which executes
+ * all top-level code in the file. Wiring calls crash during this process
+ * because the pikku state metadata doesn't exist in the CLI context.
+ */
+export function validateSchemaWiringSeparation(logger, state) {
+    // Collect files that contain schemas
+    const schemaFiles = new Set();
+    for (const ref of state.schemaLookup.values()) {
+        schemaFiles.add(ref.sourceFile);
+    }
+    // Collect files that contain wiring side-effects
+    const wiringFiles = new Set();
+    // HTTP route wirings
+    for (const file of state.http.files) {
+        wiringFiles.add(file);
+    }
+    // Permission wirings (addPermission calls)
+    for (const meta of state.permissions.tagPermissions.values()) {
+        wiringFiles.add(meta.sourceFile);
+    }
+    for (const meta of state.http.routePermissions.values()) {
+        wiringFiles.add(meta.sourceFile);
+    }
+    // Middleware wirings (addHTTPMiddleware calls)
+    for (const meta of state.http.routeMiddleware.values()) {
+        wiringFiles.add(meta.sourceFile);
+    }
+    for (const meta of state.middleware.tagMiddleware.values()) {
+        wiringFiles.add(meta.sourceFile);
+    }
+    // Check for overlap
+    for (const file of schemaFiles) {
+        if (wiringFiles.has(file)) {
+            const schemas = Array.from(state.schemaLookup.entries())
+                .filter(([, ref]) => ref.sourceFile === file)
+                .map(([name]) => name);
+            logger.critical(ErrorCode.SCHEMA_AND_WIRING_COLOCATED, `File '${file}' contains both Zod schemas (${schemas.join(', ')}) and wiring calls (wireHTTPRoutes, addPermission, etc.). ` +
+                `These must be in separate files because the CLI imports schema files at runtime, which triggers wiring side-effects that crash without server context. ` +
+                `Move the route/wiring definitions to a dedicated wiring file.`);
+        }
+    }
+}
 export function computeDiagnostics(state) {
     const diagnostics = [];
     for (const [id, meta] of Object.entries(state.functions.meta)) {

package/dist/utils/schema-generator.js

@@ -46,14 +46,25 @@ function primitiveTypeToSchema(typeStr) {
     }
     return null;
 }
+// Cached state for schema program reuse across inspect() calls
+let cachedSchemaProgram;
+let cachedParsedConfig;
+let cachedTsconfigPath;
+let cachedCustomTypesContent;
+let cachedTSSchemas;
 function createProgramWithVirtualFile(tsconfig, virtualFilePath, virtualFileContent) {
     const configPath = resolve(tsconfig);
-    const configFile = ts.readConfigFile(configPath, ts.sys.readFile);
-    const basePath = dirname(configPath);
-    const parsedConfig = ts.parseJsonConfigFileContent(configFile.config, ts.sys, basePath);
+    // Cache the parsed tsconfig — it doesn't change between runs
+    if (!cachedParsedConfig || cachedTsconfigPath !== configPath) {
+        const configFile = ts.readConfigFile(configPath, ts.sys.readFile);
+        const basePath = dirname(configPath);
+        cachedParsedConfig = ts.parseJsonConfigFileContent(configFile.config, ts.sys, basePath);
+        cachedTsconfigPath = configPath;
+        cachedSchemaProgram = undefined;
+    }
     const resolvedVirtualPath = resolve(virtualFilePath);
-    const fileNames = [...parsedConfig.fileNames, resolvedVirtualPath];
-    const defaultHost = ts.createCompilerHost(parsedConfig.options);
+    const fileNames = [...cachedParsedConfig.fileNames, resolvedVirtualPath];
+    const defaultHost = ts.createCompilerHost(cachedParsedConfig.options);
     const customHost = {
         ...defaultHost,
         getSourceFile(fileName, languageVersionOrOptions, onError, shouldCreateNewSourceFile) {
@@ -73,7 +84,10 @@ function createProgramWithVirtualFile(tsconfig, virtualFilePath, virtualFileCont
             return defaultHost.readFile(fileName);
         },
     };
-    return ts.createProgram(fileNames, parsedConfig.options, customHost);
+    const program = ts.createProgram(fileNames, cachedParsedConfig.options, customHost, cachedSchemaProgram // reuse previous program for incremental compilation
+    );
+    cachedSchemaProgram = program;
+    return program;
 }
 function generateTSSchemas(logger, tsconfig, customTypesContent, typesMap, functionMeta, httpWiringsMeta, additionalTypes, additionalProperties = false, schemaLookup) {
     const schemasSet = new Set(typesMap.customTypes.keys());
@@ -204,6 +218,12 @@ export async function generateAllSchemas(logger, config, state) {
     const zodSchemas = await generateZodSchemas(logger, state.schemaLookup, state.functions.typesMap);
     const requiredTypes = new Set();
     const customTypesContent = generateCustomTypes(state.functions.typesMap, requiredTypes);
+    if (cachedTSSchemas && cachedCustomTypesContent === customTypesContent) {
+        logger.debug('Reusing cached TS schemas (types unchanged)');
+        return { ...cachedTSSchemas, ...zodSchemas };
+    }
     const tsSchemas = generateTSSchemas(logger, config.tsconfig, customTypesContent, state.functions.typesMap, state.functions.meta, state.http.meta, config.schemasFromTypes, config.schema?.additionalProperties, state.schemaLookup);
+    cachedCustomTypesContent = customTypesContent;
+    cachedTSSchemas = tsSchemas;
     return { ...tsSchemas, ...zodSchemas };
 }