@scalar/workspace-store 0.45.0 → 0.46.1

package/CHANGELOG.md

@@ -1,5 +1,34 @@
 # @scalar/workspace-store
 
+## 0.46.1
+
+### Patch Changes
+
+- [#8862](https://github.com/scalar/scalar/pull/8862): add `python/aiohttp` as a supported code snippet client and expose it through shared snippet client types and config schemas
+- [#8911](https://github.com/scalar/scalar/pull/8911): feat: switch from Request to RequestPayload to support body with GET
+- [#8888](https://github.com/scalar/scalar/pull/8888): fix: resolve selected security schemes using selectedIndex
+
+## 0.46.0
+
+### Minor Changes
+
+- [#8632](https://github.com/scalar/scalar/pull/8632): feat: support generation of random data
+
+### Patch Changes
+
+- [#8791](https://github.com/scalar/scalar/pull/8791): fix test requests so exploded array query parameters keep all values instead of collapsing to the last one
+- [#8852](https://github.com/scalar/scalar/pull/8852): fix: Allows sending requests when scalar is framed in srcdoc
+- [#8817](https://github.com/scalar/scalar/pull/8817): feat(snippetz): add a Laravel HTTP client plugin for PHP snippets
+
+  Added a new `php/laravel` client generator in `@scalar/snippetz`, including comprehensive request coverage for headers, cookies, auth, query params, JSON, multipart, form-encoded, binary, and fallback bodies.
+
+  Updated generated client registries and schema wiring so the new client is available across Scalar:
+  - `@scalar/types` `GROUPED_CLIENTS` / `AVAILABLE_CLIENTS`
+  - `@scalar/workspace-store` reference-config schema
+  - generated docs and integration client enums
+
+  Updated api-client expectations for the increased total built-in client count.
+
 ## 0.45.0
 
 ### Minor Changes

package/dist/events/definitions/hooks.d.ts

@@ -1,4 +1,5 @@
 import type { OperationExampleMeta } from '../../events/definitions/operation.js';
+import type { RequestPayload } from '../../request-example/builder/build-request.js';
 /**
  * Event definitions for hooking into the API client lifecycle.
  *
@@ -26,7 +27,7 @@ export type HooksEvents = {
     'hooks:on:request:complete': {
         payload: {
             response: Response;
-            request: Request;
+            requestPayload: RequestPayload;
             duration: number;
             timestamp: number;
         } | undefined;

package/dist/events/definitions/hooks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../../src/events/definitions/hooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAA;AAE1E;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB;;;;;OAKG;IACH,uBAAuB,EAAE;QACvB,IAAI,EAAE,oBAAoB,CAAA;KAC3B,CAAA;IACD;;;;;;OAMG;IACH,2BAA2B,EAAE;QAC3B,OAAO,EACH;YACE,QAAQ,EAAE,QAAQ,CAAA;YAClB,OAAO,EAAE,OAAO,CAAA;YAChB,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,GACD,SAAS,CAAA;QACb,IAAI,EAAE,oBAAoB,CAAA;KAC3B,CAAA;IACD;;;;OAIG;IACH,mCAAmC,EAAE;QACnC,IAAI,EAAE;YACJ,YAAY,EAAE,MAAM,CAAA;SACrB,CAAA;KACF,CAAA;CACF,CAAA"}
+{"version":3,"file":"hooks.d.ts","sourceRoot":"","sources":["../../../src/events/definitions/hooks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,gCAAgC,CAAA;AAC1E,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAA;AAE7E;;;;;;GAMG;AACH,MAAM,MAAM,WAAW,GAAG;IACxB;;;;;OAKG;IACH,uBAAuB,EAAE;QACvB,IAAI,EAAE,oBAAoB,CAAA;KAC3B,CAAA;IACD;;;;;;OAMG;IACH,2BAA2B,EAAE;QAC3B,OAAO,EACH;YACE,QAAQ,EAAE,QAAQ,CAAA;YAClB,cAAc,EAAE,cAAc,CAAA;YAC9B,QAAQ,EAAE,MAAM,CAAA;YAChB,SAAS,EAAE,MAAM,CAAA;SAClB,GACD,SAAS,CAAA;QACb,IAAI,EAAE,oBAAoB,CAAA;KAC3B,CAAA;IACD;;;;OAIG;IACH,mCAAmC,EAAE;QACnC,IAAI,EAAE;YACJ,YAAY,EAAE,MAAM,CAAA;SACrB,CAAA;KACF,CAAA;CACF,CAAA"}

package/dist/mutators/operation/helpers/fetch-request-to-har.d.ts

@@ -1,62 +1,52 @@
 import type { HarRequest } from '@scalar/snippetz';
+import type { RequestPayload } from '../../../request-example/builder/build-request.js';
 type FetchRequestToHarProps = {
-    /** The Fetch API Request object to convert */
-    request: Request;
+    /** The [url, RequestInit] tuple to convert, as returned by buildRequest */
+    requestPayload: RequestPayload;
     /**
      * Whether to include the request body in the HAR postData.
-     * Note: Reading the body consumes it, so the request will be cloned automatically.
      * @default true
      */
     includeBody?: boolean;
     /**
-     * HTTP version string to use (since Fetch API does not expose this)
+     * HTTP version string to use (Fetch API does not expose this).
      * @default 'HTTP/1.1'
      */
     httpVersion?: string;
     /**
-     * The maximum size of the request body to include in the HAR postData.
-     * @default 1MB
+     * Maximum body size in bytes to capture in the HAR postData. Bodies larger
+     * than this are omitted and recorded with bodySize -1.
+     * @default 1048576 (1 MB)
      */
     bodySizeLimit?: number;
 };
 /**
- * Converts a Fetch API Request object to HAR (HTTP Archive) Request format.
- *
- * This function transforms a standard JavaScript Fetch API Request into the
- * HAR format, which is useful for:
- * - Recording HTTP requests for replay or analysis
- * - Creating request fixtures from real API calls
- * - Debugging and monitoring HTTP traffic
- * - Storing request history in a standard format
- * - Generating API documentation from real requests
+ * Converts a RequestPayload (url + RequestInit tuple) to HAR (HTTP Archive) Request format.
  *
  * The conversion handles:
  * - Request method and URL
- * - Headers extraction (excluding sensitive headers if needed)
+ * - Headers extraction
  * - Query parameters extraction from URL
  * - Cookie extraction from headers
- * - Request body reading (with automatic cloning to preserve the original)
  * - Content-Type detection and MIME type extraction
  * - Size calculations for headers and body
- * - Form data bodies are converted to params array
- * - Other body types are read as text
- *
- * Note: The Fetch API does not expose the HTTP version, so it defaults to HTTP/1.1
- * unless specified otherwise.
+ * - FormData and URLSearchParams bodies are converted to a params array
+ * - String, Blob, and ArrayBuffer bodies are read as text
+ * - Binary (octet-stream) and ReadableStream bodies are skipped
  *
  * @see https://w3c.github.io/web-performance/specs/HAR/Overview.html
- * @see https://developer.mozilla.org/en-US/docs/Web/API/Request
  *
  * @example
- * const request = new Request('https://api.example.com/users', {
- *   method: 'POST',
- *   headers: { 'Content-Type': 'application/json' },
- *   body: JSON.stringify({ name: 'John' })
+ * const harRequest = await fetchRequestToHar({
+ *   requestPayload: ['https://api.example.com/users', {
+ *     method: 'POST',
+ *     headers: { 'Content-Type': 'application/json' },
+ *     body: JSON.stringify({ name: 'John' }),
+ *   }],
  * })
- * const harRequest = await fetchRequestToHar({ request })
  * console.log(harRequest.method) // 'POST'
  * console.log(harRequest.postData?.text) // '{"name":"John"}'
  */
-export declare const fetchRequestToHar: ({ request, includeBody, httpVersion, bodySizeLimit, }: FetchRequestToHarProps) => Promise<HarRequest>;
+export declare const fetchRequestToHar: ({ requestPayload, includeBody, httpVersion, bodySizeLimit, }: FetchRequestToHarProps) => Promise<HarRequest>;
 export {};
 //# sourceMappingURL=fetch-request-to-har.d.ts.map

package/dist/mutators/operation/helpers/fetch-request-to-har.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fetch-request-to-har.d.ts","sourceRoot":"","sources":["../../../../src/mutators/operation/helpers/fetch-request-to-har.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAElD,KAAK,sBAAsB,GAAG;IAC5B,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAA;IAChB;;;;OAIG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,eAAO,MAAM,iBAAiB,GAAU,uDAMrC,sBAAsB,KAAG,OAAO,CAAC,UAAU,CA+C7C,CAAA"}
+{"version":3,"file":"fetch-request-to-har.d.ts","sourceRoot":"","sources":["../../../../src/mutators/operation/helpers/fetch-request-to-har.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AAElD,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,yCAAyC,CAAA;AAE7E,KAAK,sBAAsB,GAAG;IAC5B,2EAA2E;IAC3E,cAAc,EAAE,cAAc,CAAA;IAC9B;;;OAGG;IACH,WAAW,CAAC,EAAE,OAAO,CAAA;IACrB;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,eAAO,MAAM,iBAAiB,GAAU,8DAKrC,sBAAsB,KAAG,OAAO,CAAC,UAAU,CAoD7C,CAAA"}

package/dist/mutators/operation/helpers/fetch-request-to-har.js

@@ -1,56 +1,46 @@
 /**
- * Converts a Fetch API Request object to HAR (HTTP Archive) Request format.
- *
- * This function transforms a standard JavaScript Fetch API Request into the
- * HAR format, which is useful for:
- * - Recording HTTP requests for replay or analysis
- * - Creating request fixtures from real API calls
- * - Debugging and monitoring HTTP traffic
- * - Storing request history in a standard format
- * - Generating API documentation from real requests
+ * Converts a RequestPayload (url + RequestInit tuple) to HAR (HTTP Archive) Request format.
  *
  * The conversion handles:
  * - Request method and URL
- * - Headers extraction (excluding sensitive headers if needed)
+ * - Headers extraction
  * - Query parameters extraction from URL
  * - Cookie extraction from headers
- * - Request body reading (with automatic cloning to preserve the original)
  * - Content-Type detection and MIME type extraction
  * - Size calculations for headers and body
- * - Form data bodies are converted to params array
- * - Other body types are read as text
- *
- * Note: The Fetch API does not expose the HTTP version, so it defaults to HTTP/1.1
- * unless specified otherwise.
+ * - FormData and URLSearchParams bodies are converted to a params array
+ * - String, Blob, and ArrayBuffer bodies are read as text
+ * - Binary (octet-stream) and ReadableStream bodies are skipped
  *
  * @see https://w3c.github.io/web-performance/specs/HAR/Overview.html
- * @see https://developer.mozilla.org/en-US/docs/Web/API/Request
  *
  * @example
- * const request = new Request('https://api.example.com/users', {
- *   method: 'POST',
- *   headers: { 'Content-Type': 'application/json' },
- *   body: JSON.stringify({ name: 'John' })
+ * const harRequest = await fetchRequestToHar({
+ *   requestPayload: ['https://api.example.com/users', {
+ *     method: 'POST',
+ *     headers: { 'Content-Type': 'application/json' },
+ *     body: JSON.stringify({ name: 'John' }),
+ *   }],
  * })
- * const harRequest = await fetchRequestToHar({ request })
  * console.log(harRequest.method) // 'POST'
  * console.log(harRequest.postData?.text) // '{"name":"John"}'
  */
-export const fetchRequestToHar = async ({ request, includeBody = true, httpVersion = 'HTTP/1.1', 
-// Default to 1MB
-bodySizeLimit = 1048576, }) => {
+export const fetchRequestToHar = async ({ requestPayload, includeBody = true, httpVersion = 'HTTP/1.1', bodySizeLimit = 1048576, }) => {
+    const [originalUrl, requestInit] = requestPayload;
     // Extract query string from URL
-    const url = new URL(request.url);
+    const url = new URL(originalUrl);
     // Extract the query strings from the URL
     const queryString = Array.from(url.searchParams.entries()).map(([name, value]) => ({ name, value }));
-    // Extract the headers from the request
-    const { headers, headersSize, cookies } = processRequestHeaders(request);
+    // Normalize HeadersInit to a Headers instance so we can call .get() and .entries() safely
+    const _headers = new Headers(requestInit.headers);
     // Extract the MIME type from the request headers
-    const mimeType = request.headers.get('content-type')?.split(';')[0]?.trim() ?? 'text/plain';
+    const mimeType = _headers.get('content-type')?.split(';')[0]?.trim() ?? 'text/plain';
+    // Extract the headers from the request
+    const { headers, headersSize, cookies } = processRequestHeaders(_headers);
     // Read the request body if requested
     const bodyDetails = await (async () => {
-        if (includeBody && request.body) {
-            const details = await processRequestBody(request.clone());
+        if (includeBody && requestInit.body != null) {
+            const details = await processRequestBody(requestInit.body, mimeType);
             if (details.size <= bodySizeLimit) {
                 return details;
             }
@@ -59,8 +49,8 @@ bodySizeLimit = 1048576, }) => {
     })();
     // Create the HAR request object
     const harRequest = {
-        method: request.method,
-        url: request.url,
+        method: requestInit.method ?? 'GET',
+        url: originalUrl,
         httpVersion,
         headers,
         cookies,
@@ -79,50 +69,64 @@ bodySizeLimit = 1048576, }) => {
     };
     return harRequest;
 };
-const processRequestBody = async (request) => {
-    const formData = await tryGetRequestFormData(request.clone());
-    if (formData) {
-        return Array.from(formData.entries()).reduce((acc, [name, value]) => {
-            if (value instanceof File) {
-                const fileName = `@${value.name}`;
-                acc.params.push({ name, value: fileName });
-                acc.size += fileName.length;
-                return acc;
-            }
-            acc.params.push({ name, value });
-            acc.size += value.length;
-            return acc;
-        }, { params: [], size: 0 });
+/**
+ * Extracts HAR body details from a BodyInit value.
+ *
+ * Because we own the RequestInit tuple we can inspect the body by type directly —
+ * no stream cloning or header sniffing required.
+ */
+const processRequestBody = async (body, contentType) => {
+    // Structured form payloads become a params array so HAR viewers can render them as key/value tables
+    if (body instanceof FormData) {
+        return extractFormDataParams(body);
     }
-    // Skip binary bodies
-    if (request.headers.get('content-type')?.includes('application/octet-stream')) {
-        return { text: '', size: -1 };
+    if (body instanceof URLSearchParams) {
+        return extractUrlSearchParams(body);
     }
-    // Read the request body as text
-    const arrayBuffer = await request.arrayBuffer();
-    const size = arrayBuffer.byteLength;
-    return { size, text: new TextDecoder().decode(arrayBuffer) };
-};
-async function tryGetRequestFormData(request) {
-    if (typeof request.formData !== 'function') {
-        return null;
+    // HAR text fields cannot represent arbitrary binary; skip rather than corrupt the entry
+    if (contentType.includes('application/octet-stream')) {
+        return { text: '', size: -1 };
     }
-    if (request.bodyUsed) {
-        return null;
+    if (typeof body === 'string') {
+        // Use byte length, not character length, to match what the wire sends for multi-byte UTF-8
+        const size = new TextEncoder().encode(body).byteLength;
+        return { text: body, size };
     }
-    const contentType = request.headers.get('content-type') ?? '';
-    if (!contentType.includes('multipart/form-data') && !contentType.includes('application/x-www-form-urlencoded')) {
-        return null;
+    if (body instanceof Blob) {
+        const text = await body.text();
+        return { text, size: body.size };
     }
-    try {
-        return await request.formData();
+    if (body instanceof ArrayBuffer) {
+        return { text: new TextDecoder().decode(body), size: body.byteLength };
     }
-    catch {
-        return null;
+    if (ArrayBuffer.isView(body)) {
+        return { text: new TextDecoder().decode(body), size: body.byteLength };
     }
-}
-const processRequestHeaders = (request) => {
-    return Array.from(request.headers.entries()).reduce((acc, [name, value]) => {
+    // ReadableStream cannot be read without consuming it
+    return { text: '', size: -1 };
+};
+const extractFormDataParams = (formData) => {
+    return Array.from(formData.entries()).reduce((acc, [name, value]) => {
+        if (value instanceof File) {
+            const fileName = `@${value.name}`;
+            acc.params.push({ name, value: fileName });
+            acc.size += fileName.length;
+            return acc;
+        }
+        acc.params.push({ name, value });
+        acc.size += value.length;
+        return acc;
+    }, { params: [], size: 0 });
+};
+const extractUrlSearchParams = (params) => {
+    return Array.from(params.entries()).reduce((acc, [name, value]) => {
+        acc.params.push({ name, value });
+        acc.size += name.length + value.length;
+        return acc;
+    }, { params: [], size: 0 });
+};
+const processRequestHeaders = (headers) => {
+    return Array.from(headers.entries()).reduce((acc, [name, value]) => {
         if (name.toLowerCase() === 'cookie') {
             const parsedCookies = parseCookieHeader(value);
             acc.cookies.push(...parsedCookies.cookies);

package/dist/mutators/operation/history.js

@@ -24,7 +24,7 @@ export const addResponseToHistory = async (store, document, { payload, meta }) =
         }
         return acc;
     }, {});
-    const requestHar = await fetchRequestToHar({ request: payload.request });
+    const requestHar = await fetchRequestToHar({ requestPayload: payload.requestPayload });
     const responseHar = await fetchResponseToHar({ response: payload.response });
     store?.history.addHistory(documentName, meta.path, meta.method, {
         response: responseHar,

package/dist/request-example/builder/build-request.d.ts

@@ -1,9 +1,24 @@
 import type { RequestFactory } from '../../request-example/builder/request-factory.js';
-export declare const buildRequest: (request: RequestFactory, options: {
-    envVariables: Record<string, string>;
-}) => {
-    request: Request;
+/**
+ * The payload to build a request, useful when bypassing limitations of the browser Request object
+ */
+export type RequestPayload = [string, RequestInit];
+/**
+ * Built request response
+ *
+ * We no longer return a Request object, but a tuple of [url, init] that maps directly to the fetch() argument list so
+ * we can do things that the browser doesn't allow like GET + body
+ * */
+type BuildRequestResponse = {
+    /** Create a new request payload object with the replaced values ready to be sent to the server */
+    requestPayload: RequestPayload;
+    /** The abort controller */
     controller: AbortController;
+    /** The flag indicating if the request is being proxied */
     isUsingProxy: boolean;
 };
+export declare const buildRequest: (request: RequestFactory, options: {
+    envVariables: Record<string, string>;
+}) => BuildRequestResponse;
+export {};
 //# sourceMappingURL=build-request.d.ts.map

package/dist/request-example/builder/build-request.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"build-request.d.ts","sourceRoot":"","sources":["../../../src/request-example/builder/build-request.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAA;AAI/E,eAAO,MAAM,YAAY,GACvB,SAAS,cAAc,EACvB,SAAS;IACP,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACrC;;;;CA4IF,CAAA"}
+{"version":3,"file":"build-request.d.ts","sourceRoot":"","sources":["../../../src/request-example/builder/build-request.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAA;AAK/E;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,MAAM,EAAE,WAAW,CAAC,CAAA;AAElD;;;;;KAKK;AACL,KAAK,oBAAoB,GAAG;IAC1B,kGAAkG;IAClG,cAAc,EAAE,cAAc,CAAA;IAC9B,2BAA2B;IAC3B,UAAU,EAAE,eAAe,CAAA;IAC3B,0DAA0D;IAC1D,YAAY,EAAE,OAAO,CAAA;CACtB,CAAA;AAED,eAAO,MAAM,YAAY,GACvB,SAAS,cAAc,EACvB,SAAS;IACP,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CACrC,KACA,oBA2JF,CAAA"}

package/dist/request-example/builder/build-request.js

@@ -4,21 +4,30 @@ import { encode as encodeBase64 } from 'js-base64';
 import { buildRequestCookieHeader } from '../../request-example/builder/header/build-request-cookie-header.js';
 import { applyAllowReservedToUrl } from '../../request-example/builder/helpers/apply-allow-reserved-to-url.js';
 import { resolveRequestFactoryUrl } from '../../request-example/builder/resolve-request-factory-url.js';
+import { contextFunctions, isContextFunctionName } from '../../request-example/functions.js';
 export const buildRequest = (request, options) => {
+    /** Replace the value with the environment variable or context function */
+    const replace = (value) => {
+        if (isContextFunctionName(value)) {
+            return contextFunctions[value].fn() ?? null;
+        }
+        return options.envVariables[value] ?? null;
+    };
+    /** Create a new abort controller */
     const controller = new AbortController();
+    /** Create a new headers object with the replaced values */
     const headers = (() => {
-        const variables = options.envVariables;
         const headers = new Headers();
         request.headers.forEach((value, key) => {
-            headers.set(replaceEnvVariables(key, variables), replaceEnvVariables(value, variables));
+            headers.set(replaceEnvVariables(key, replace), replaceEnvVariables(value, replace));
         });
         return headers;
     })();
+    /** Create a new body object with the replaced values */
     const body = (() => {
-        const variables = options.envVariables;
         if (request.body?.mode === 'raw') {
             if (typeof request.body.value === 'string') {
-                return replaceEnvVariables(request.body.value, variables);
+                return replaceEnvVariables(request.body.value, replace);
             }
             return request.body.value;
         }
@@ -26,33 +35,33 @@ export const buildRequest = (request, options) => {
             const form = new FormData();
             request.body.value.forEach((item) => {
                 if (item.type === 'text') {
-                    form.append(replaceEnvVariables(item.key, variables), replaceEnvVariables(item.value, variables));
+                    form.append(replaceEnvVariables(item.key, replace), replaceEnvVariables(item.value, replace));
                     return;
                 }
-                form.append(replaceEnvVariables(item.key, variables), item.value);
+                form.append(replaceEnvVariables(item.key, replace), item.value);
             });
             return form;
         }
         if (request.body?.mode === 'urlencoded') {
             return new URLSearchParams(request.body.value.map((item) => [
-                replaceEnvVariables(item.key, variables),
-                replaceEnvVariables(item.value, variables),
+                replaceEnvVariables(item.key, replace),
+                replaceEnvVariables(item.value, replace),
             ]));
         }
         return null;
     })();
     const securityQueryParams = new URLSearchParams();
     const securityCookies = [];
-    // Build the request security unless the consumer opted out via disableSecurity
+    /** Build the request security unless the consumer opted out via disableSecurity  */
     if (!request.options?.disableSecurity) {
         request.security.forEach((security) => {
-            const name = replaceEnvVariables(security.name, options.envVariables);
+            const name = replaceEnvVariables(security.name, replace);
             // Format the security value based on its authentication scheme.
             // - For 'basic': prefix with 'Basic' and base64-encode the value (username:password).
             // - For 'bearer': prefix with 'Bearer'.
             // - Otherwise: use the substituted value as is (for API keys, etc).
             const securityValue = (() => {
-                const substitutedValue = replaceEnvVariables(security.value, options.envVariables);
+                const substitutedValue = replaceEnvVariables(security.value, replace);
                 if (security.format === 'basic') {
                     return `Basic ${encodeBase64(substitutedValue)}`;
                 }
@@ -63,11 +72,11 @@ export const buildRequest = (request, options) => {
             })();
             if (security.in === 'header') {
                 // Set the header (use replaced header name so {{ env }} placeholders work)
-                headers.set(name, securityValue);
+                headers.append(name, securityValue);
                 return;
             }
             if (security.in === 'query') {
-                securityQueryParams.set(name, securityValue);
+                securityQueryParams.append(name, securityValue);
                 return;
             }
             if (security.in === 'cookie') {
@@ -79,42 +88,49 @@ export const buildRequest = (request, options) => {
             }
         });
     }
+    /** Resolve the request URL with the replaced values */
     const requestUrl = resolveRequestFactoryUrl(request, {
-        envVariables: options.envVariables,
+        envVariables: replace,
         securityQueryParams: securityQueryParams,
     });
+    /** Check if the request should be proxied */
     const isUsingProxy = shouldUseProxy(request.proxyUrl, requestUrl);
+    /** Create a new cookies array with the replaced values */
     const cookies = [...request.cookies, ...securityCookies].map((c) => ({
         ...c,
-        name: replaceEnvVariables(c.name, options.envVariables),
-        value: replaceEnvVariables(c.value, options.envVariables),
+        name: replaceEnvVariables(c.name, replace),
+        value: replaceEnvVariables(c.value, replace),
     }));
+    /** Build the request cookie header */
     const cookieHeader = buildRequestCookieHeader({
         cookies,
         originalCookieHeader: headers.get('cookie'),
         url: requestUrl,
         useCustomCookieHeader: (isUsingProxy || request.options?.isElectron) ?? false,
     });
-    // Add the cookie header to the headers
+    /** Add the cookie header to the headers */
     if (cookieHeader) {
         headers.set(cookieHeader.name, cookieHeader.value);
     }
-    // final url
+    /** Encode the URL with the allowed reserved query parameters */
     const encodedUrl = applyAllowReservedToUrl(requestUrl, request.allowedReservedQueryParameters ?? new Set());
     const finalUrl = isUsingProxy ? redirectToProxy(request.proxyUrl, encodedUrl) : encodedUrl;
     return {
-        request: new Request(finalUrl, {
-            /**
-             * Ensure that all methods are uppercased (though only needed for patch)
-             *
-             * @see https://github.com/whatwg/fetch/issues/50
-             */
-            method: request.method.toUpperCase(),
-            headers,
-            body,
-            cache: request.cache,
-            signal: controller.signal,
-        }),
+        requestPayload: [
+            finalUrl,
+            {
+                /**
+                 * Ensure that all methods are uppercased (though only needed for patch)
+                 *
+                 * @see https://github.com/whatwg/fetch/issues/50
+                 */
+                method: request.method.toUpperCase(),
+                headers,
+                body,
+                cache: request.cache,
+                signal: controller.signal,
+            },
+        ],
         controller,
         isUsingProxy,
     };

package/dist/request-example/builder/index.d.ts

@@ -1,6 +1,6 @@
 export { getExampleFromBody } from './body/get-request-body-example.js';
 export { getSelectedBodyContentType } from './body/get-selected-body-content-type.js';
-export { buildRequest } from './build-request.js';
+export { type RequestPayload, buildRequest } from './build-request.js';
 export { deSerializeParameter } from './header/de-serialize-parameter.js';
 export { filterGlobalCookie } from './header/filter-global-cookies.js';
 export { serializeContentValue, serializeDeepObjectStyle, serializeFormStyle, serializeFormStyleForCookies, serializePipeDelimitedStyle, serializeSimpleStyle, serializeSpaceDelimitedStyle, } from './header/serialize-parameter.js';

package/dist/request-example/builder/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/request-example/builder/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,uCAAuC,CAAA;AAClF,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAC9C,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAA;AACnE,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,4BAA4B,EAC5B,2BAA2B,EAC3B,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAA;AAC7E,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AACxE,YAAY,EACV,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,EAChC,gCAAgC,EAChC,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,yBAAyB,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/request-example/builder/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAA;AACpE,OAAO,EAAE,0BAA0B,EAAE,MAAM,uCAAuC,CAAA;AAClF,OAAO,EAAE,KAAK,cAAc,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AACnE,OAAO,EAAE,oBAAoB,EAAE,MAAM,iCAAiC,CAAA;AACtE,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAA;AACnE,OAAO,EACL,qBAAqB,EACrB,wBAAwB,EACxB,kBAAkB,EAClB,4BAA4B,EAC5B,2BAA2B,EAC3B,oBAAoB,EACpB,4BAA4B,GAC7B,MAAM,8BAA8B,CAAA;AACrC,OAAO,EAAE,uBAAuB,EAAE,MAAM,qCAAqC,CAAA;AAC7E,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAA;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AACxE,OAAO,EAAE,cAAc,EAAE,MAAM,4BAA4B,CAAA;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,gCAAgC,CAAA;AACnE,YAAY,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAA;AAClD,OAAO,EAAE,oBAAoB,EAAE,MAAM,mCAAmC,CAAA;AACxE,YAAY,EACV,kBAAkB,EAClB,gBAAgB,EAChB,kBAAkB,EAClB,gCAAgC,EAChC,gCAAgC,EAChC,uBAAuB,EACvB,uBAAuB,EACvB,sBAAsB,EACtB,yBAAyB,EACzB,0BAA0B,GAC3B,MAAM,yBAAyB,CAAA"}

package/dist/request-example/builder/resolve-request-factory-url.d.ts

@@ -5,7 +5,7 @@ import type { RequestFactory } from '../../request-example/builder/request-facto
  * without proxy rewriting or reserved-query encoding.
  */
 export declare const resolveRequestFactoryUrl: (request: RequestFactory, options: {
-    envVariables: Record<string, string>;
+    envVariables: Record<string, string> | ((value: string) => string | null);
     securityQueryParams: URLSearchParams;
 }) => string;
 //# sourceMappingURL=resolve-request-factory-url.d.ts.map

package/dist/request-example/builder/resolve-request-factory-url.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-request-factory-url.d.ts","sourceRoot":"","sources":["../../../src/request-example/builder/resolve-request-factory-url.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAA;AAE/E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,cAAc,EACvB,SAAS;IAAE,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAAC,mBAAmB,EAAE,eAAe,CAAA;CAAE,KACtF,MA2BF,CAAA"}
+{"version":3,"file":"resolve-request-factory-url.d.ts","sourceRoot":"","sources":["../../../src/request-example/builder/resolve-request-factory-url.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,2CAA2C,CAAA;AAE/E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,GACnC,SAAS,cAAc,EACvB,SAAS;IACP,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAC,CAAA;IACzE,mBAAmB,EAAE,eAAe,CAAA;CACrC,KACA,MAiCF,CAAA"}

package/dist/request-example/builder/resolve-request-factory-url.js

@@ -1,5 +1,5 @@
 import { replaceEnvVariables, replacePathVariables } from '@scalar/helpers/regex/replace-variables';
-import { mergeUrls } from '@scalar/helpers/url/merge-urls';
+import { mergeSearchParams, mergeUrls } from '@scalar/helpers/url/merge-urls';
 /**
  * Resolves the request URL string from a {@link RequestFactory} using the same
  * rules as {@link buildRequest} (path variables, query, security query params),
@@ -14,15 +14,20 @@ export const resolveRequestFactoryUrl = (request, options) => {
     const baseUrl = replaceEnvVariables(request.baseUrl, variables);
     const path = replacePathVariables(request.path.raw, pathVariables);
     const mergedUrl = mergeUrls(baseUrl, path);
-    const urlBase = globalThis.window?.location?.origin ?? 'http://localhost:3000';
+    // When rendered inside an iframe with srcdoc, the browser reports
+    // window.location.origin as the string "null" instead of a real origin.
+    // Fall back to localhost so relative URLs can still be resolved.
+    const origin = globalThis.window?.location?.origin;
+    const urlBase = origin && origin !== 'null' ? origin : 'http://localhost:3000';
     const url = new URL(mergedUrl, urlBase);
-    // Merge in operation query params
+    const operationQueryParams = new URLSearchParams();
     for (const [key, value] of request.query.entries()) {
-        url.searchParams.set(replaceEnvVariables(key, variables), replaceEnvVariables(value, variables));
+        operationQueryParams.append(replaceEnvVariables(key, variables), replaceEnvVariables(value, variables));
     }
-    // Merge in security query params
+    const securityQueryParams = new URLSearchParams();
     for (const [key, value] of options.securityQueryParams.entries()) {
-        url.searchParams.set(key, value);
+        securityQueryParams.append(key, value);
     }
+    url.search = mergeSearchParams(url.searchParams, operationQueryParams, securityQueryParams).toString();
     return url.toString();
 };

package/dist/request-example/context/get-request-example-context.d.ts

@@ -12,7 +12,7 @@ import type { OperationObject } from '../../schemas/v3.1/strict/operation.js';
 import type { SecurityRequirementObject } from '../../schemas/v3.1/strict/security-requirement.js';
 import type { ServerObject } from '../../schemas/v3.1/strict/server.js';
 import type { WorkspaceDocument } from '../../schemas/workspace.js';
-type BuildRequestExampleContext = {
+export type BuildRequestExampleContext = {
     operation: OperationObject;
     environment: {
         name: string | null;
@@ -56,5 +56,4 @@ export declare const getRequestExampleContext: (workspaceStore: WorkspaceStore,
      */
     fallbackDocument: WorkspaceDocument | null;
 }>) => Result<BuildRequestExampleContext>;
-export {};
 //# sourceMappingURL=get-request-example-context.d.ts.map