@stackwright-pro/openapi 0.1.0 → 0.1.1

package/dist/index.mjs

@@ -107,8 +107,8 @@ var require_compat_dotall_s_transform = __commonJS({
         this._hasUFlag = ast.flags.includes("u");
         return true;
       },
-      Char: function Char(path2) {
-        var node = path2.node;
+      Char: function Char(path3) {
+        var node = path3.node;
         if (node.kind !== "meta" || node.value !== ".") {
           return;
         }
@@ -118,7 +118,7 @@ var require_compat_dotall_s_transform = __commonJS({
           toValue = "\\u{10FFFF}";
           toSymbol = "\u{10FFFF}";
         }
-        path2.replace({
+        path3.replace({
           type: "CharacterClass",
           expressions: [{
             type: "ClassRange",
@@ -163,8 +163,8 @@ var require_compat_named_capturing_groups_transform = __commonJS({
       getExtra: function getExtra() {
         return this._groupNames;
       },
-      Group: function Group(path2) {
-        var node = path2.node;
+      Group: function Group(path3) {
+        var node = path3.node;
         if (!node.name) {
           return;
         }
@@ -172,8 +172,8 @@ var require_compat_named_capturing_groups_transform = __commonJS({
         delete node.name;
         delete node.nameRaw;
       },
-      Backreference: function Backreference(path2) {
-        var node = path2.node;
+      Backreference: function Backreference(path3) {
+        var node = path3.node;
         if (node.kind !== "name") {
           return;
         }
@@ -2015,8 +2015,8 @@ var require_node_path = __commonJS({
         value: function _rebuildIndex(parent, property) {
           var parentPath = NodePath2.getForNode(parent);
           for (var i = 0; i < parent[property].length; i++) {
-            var path2 = NodePath2.getForNode(parent[property][i], parentPath, property, i);
-            path2.index = i;
+            var path3 = NodePath2.getForNode(parent[property][i], parentPath, property, i);
+            path3.index = i;
           }
         }
         /**
@@ -2088,8 +2088,8 @@ var require_node_path = __commonJS({
          */
       }, {
         key: "hasEqualSource",
-        value: function hasEqualSource(path2) {
-          return JSON.stringify(this.node, jsonSkipLoc) === JSON.stringify(path2.node, jsonSkipLoc);
+        value: function hasEqualSource(path3) {
+          return JSON.stringify(this.node, jsonSkipLoc) === JSON.stringify(path3.node, jsonSkipLoc);
         }
         /**
          * JSON-encodes a node skipping location.
@@ -2140,18 +2140,18 @@ var require_node_path = __commonJS({
           if (!NodePath2.registry.has(node)) {
             NodePath2.registry.set(node, new NodePath2(node, parentPath, prop, index == -1 ? null : index));
           }
-          var path2 = NodePath2.registry.get(node);
+          var path3 = NodePath2.registry.get(node);
           if (parentPath !== null) {
-            path2.parentPath = parentPath;
-            path2.parent = path2.parentPath.node;
+            path3.parentPath = parentPath;
+            path3.parent = path3.parentPath.node;
           }
           if (prop !== null) {
-            path2.property = prop;
+            path3.property = prop;
           }
           if (index >= 0) {
-            path2.index = index;
+            path3.index = index;
           }
-          return path2;
+          return path3;
         }
         /**
          * Initializes the NodePath registry. The registry is a map from
@@ -2631,8 +2631,8 @@ var require_char_surrogate_pair_to_single_unicode_transform = __commonJS({
       shouldRun: function shouldRun(ast) {
         return ast.flags.includes("u");
       },
-      Char: function Char(path2) {
-        var node = path2.node;
+      Char: function Char(path3) {
+        var node = path3.node;
         if (node.kind !== "unicode" || !node.isSurrogatePair || isNaN(node.codePoint)) {
           return;
         }
@@ -2654,8 +2654,8 @@ var require_char_code_to_simple_char_transform = __commonJS({
     var DIGIT_0_CP = "0".codePointAt(0);
     var DIGIT_9_CP = "9".codePointAt(0);
     module.exports = {
-      Char: function Char(path2) {
-        var node = path2.node, parent = path2.parent;
+      Char: function Char(path3) {
+        var node = path3.node, parent = path3.parent;
         if (isNaN(node.codePoint) || node.kind === "simple") {
           return;
         }
@@ -2678,7 +2678,7 @@ var require_char_code_to_simple_char_transform = __commonJS({
         if (needsEscape(symbol, parent.type)) {
           newChar.escaped = true;
         }
-        path2.replace(newChar);
+        path3.replace(newChar);
       }
     };
     function isSimpleRange(classRange) {
@@ -2713,8 +2713,8 @@ var require_char_case_insensitive_lowercase_transform = __commonJS({
       shouldRun: function shouldRun(ast) {
         return ast.flags.includes("i");
       },
-      Char: function Char(path2) {
-        var node = path2.node, parent = path2.parent;
+      Char: function Char(path3) {
+        var node = path3.node, parent = path3.parent;
         if (isNaN(node.codePoint)) {
           return;
         }
@@ -2779,11 +2779,11 @@ var require_char_class_remove_duplicates_transform = __commonJS({
   "../../node_modules/.pnpm/regexp-tree@0.1.27/node_modules/regexp-tree/dist/optimizer/transforms/char-class-remove-duplicates-transform.js"(exports, module) {
     "use strict";
     module.exports = {
-      CharacterClass: function CharacterClass(path2) {
-        var node = path2.node;
+      CharacterClass: function CharacterClass(path3) {
+        var node = path3.node;
         var sources = {};
         for (var i = 0; i < node.expressions.length; i++) {
-          var childPath = path2.getChild(i);
+          var childPath = path3.getChild(i);
           var source = childPath.jsonEncode();
           if (sources.hasOwnProperty(source)) {
             childPath.remove();
@@ -2864,17 +2864,17 @@ var require_quantifiers_merge_transform = __commonJS({
     var _require = require_utils();
     var increaseQuantifierByOne = _require.increaseQuantifierByOne;
     module.exports = {
-      Repetition: function Repetition(path2) {
-        var node = path2.node, parent = path2.parent;
-        if (parent.type !== "Alternative" || !path2.index) {
+      Repetition: function Repetition(path3) {
+        var node = path3.node, parent = path3.parent;
+        if (parent.type !== "Alternative" || !path3.index) {
           return;
         }
-        var previousSibling = path2.getPreviousSibling();
+        var previousSibling = path3.getPreviousSibling();
         if (!previousSibling) {
           return;
         }
         if (previousSibling.node.type === "Repetition") {
-          if (!previousSibling.getChild().hasEqualSource(path2.getChild())) {
+          if (!previousSibling.getChild().hasEqualSource(path3.getChild())) {
             return;
           }
           var _extractFromTo = extractFromTo(previousSibling.node.quantifier), previousSiblingFrom = _extractFromTo.from, previousSiblingTo = _extractFromTo.to;
@@ -2894,7 +2894,7 @@ var require_quantifiers_merge_transform = __commonJS({
           }
           previousSibling.remove();
         } else {
-          if (!previousSibling.hasEqualSource(path2.getChild())) {
+          if (!previousSibling.hasEqualSource(path3.getChild())) {
             return;
           }
           increaseQuantifierByOne(node.quantifier);
@@ -2930,38 +2930,38 @@ var require_quantifier_range_to_symbol_transform = __commonJS({
   "../../node_modules/.pnpm/regexp-tree@0.1.27/node_modules/regexp-tree/dist/optimizer/transforms/quantifier-range-to-symbol-transform.js"(exports, module) {
     "use strict";
     module.exports = {
-      Quantifier: function Quantifier(path2) {
-        var node = path2.node;
+      Quantifier: function Quantifier(path3) {
+        var node = path3.node;
         if (node.kind !== "Range") {
           return;
         }
-        rewriteOpenZero(path2);
-        rewriteOpenOne(path2);
-        rewriteExactOne(path2);
+        rewriteOpenZero(path3);
+        rewriteOpenOne(path3);
+        rewriteExactOne(path3);
       }
     };
-    function rewriteOpenZero(path2) {
-      var node = path2.node;
+    function rewriteOpenZero(path3) {
+      var node = path3.node;
       if (node.from !== 0 || node.to) {
         return;
       }
       node.kind = "*";
       delete node.from;
     }
-    function rewriteOpenOne(path2) {
-      var node = path2.node;
+    function rewriteOpenOne(path3) {
+      var node = path3.node;
       if (node.from !== 1 || node.to) {
         return;
       }
       node.kind = "+";
       delete node.from;
     }
-    function rewriteExactOne(path2) {
-      var node = path2.node;
+    function rewriteExactOne(path3) {
+      var node = path3.node;
       if (node.from !== 1 || node.to !== 1) {
         return;
       }
-      path2.parentPath.replace(path2.parentPath.node.expression);
+      path3.parentPath.replace(path3.parentPath.node.expression);
     }
   }
 });
@@ -2971,13 +2971,13 @@ var require_char_class_classranges_to_chars_transform = __commonJS({
   "../../node_modules/.pnpm/regexp-tree@0.1.27/node_modules/regexp-tree/dist/optimizer/transforms/char-class-classranges-to-chars-transform.js"(exports, module) {
     "use strict";
     module.exports = {
-      ClassRange: function ClassRange(path2) {
-        var node = path2.node;
+      ClassRange: function ClassRange(path3) {
+        var node = path3.node;
         if (node.from.codePoint === node.to.codePoint) {
-          path2.replace(node.from);
+          path3.replace(node.from);
         } else if (node.from.codePoint === node.to.codePoint - 1) {
-          path2.getParent().insertChildAt(node.to, path2.index + 1);
-          path2.replace(node.from);
+          path3.getParent().insertChildAt(node.to, path3.index + 1);
+          path3.replace(node.from);
         }
       }
     };
@@ -3005,17 +3005,17 @@ var require_char_class_to_meta_transform = __commonJS({
         this._hasIFlag = ast.flags.includes("i");
         this._hasUFlag = ast.flags.includes("u");
       },
-      CharacterClass: function CharacterClass(path2) {
-        rewriteNumberRanges(path2);
-        rewriteWordRanges(path2, this._hasIFlag, this._hasUFlag);
-        rewriteWhitespaceRanges(path2);
+      CharacterClass: function CharacterClass(path3) {
+        rewriteNumberRanges(path3);
+        rewriteWordRanges(path3, this._hasIFlag, this._hasUFlag);
+        rewriteWhitespaceRanges(path3);
       }
     };
-    function rewriteNumberRanges(path2) {
-      var node = path2.node;
+    function rewriteNumberRanges(path3) {
+      var node = path3.node;
       node.expressions.forEach(function(expression, i) {
         if (isFullNumberRange(expression)) {
-          path2.getChild(i).replace({
+          path3.getChild(i).replace({
             type: "Char",
             value: "\\d",
             kind: "meta"
@@ -3023,8 +3023,8 @@ var require_char_class_to_meta_transform = __commonJS({
         }
       });
     }
-    function rewriteWordRanges(path2, hasIFlag, hasUFlag) {
-      var node = path2.node;
+    function rewriteWordRanges(path3, hasIFlag, hasUFlag) {
+      var node = path3.node;
       var numberPath = null;
       var lowerCasePath = null;
       var upperCasePath = null;
@@ -3033,17 +3033,17 @@ var require_char_class_to_meta_transform = __commonJS({
       var u212aPath = null;
       node.expressions.forEach(function(expression, i) {
         if (isMetaChar(expression, "\\d")) {
-          numberPath = path2.getChild(i);
+          numberPath = path3.getChild(i);
         } else if (isLowerCaseRange(expression)) {
-          lowerCasePath = path2.getChild(i);
+          lowerCasePath = path3.getChild(i);
         } else if (isUpperCaseRange(expression)) {
-          upperCasePath = path2.getChild(i);
+          upperCasePath = path3.getChild(i);
         } else if (isUnderscore(expression)) {
-          underscorePath = path2.getChild(i);
+          underscorePath = path3.getChild(i);
         } else if (hasIFlag && hasUFlag && isCodePoint(expression, 383)) {
-          u017fPath = path2.getChild(i);
+          u017fPath = path3.getChild(i);
         } else if (hasIFlag && hasUFlag && isCodePoint(expression, 8490)) {
-          u212aPath = path2.getChild(i);
+          u212aPath = path3.getChild(i);
         }
       });
       if (numberPath && (lowerCasePath && upperCasePath || hasIFlag && (lowerCasePath || upperCasePath)) && underscorePath && (!hasUFlag || !hasIFlag || u017fPath && u212aPath)) {
@@ -3080,8 +3080,8 @@ var require_char_class_to_meta_transform = __commonJS({
     })), [function(node) {
       return node.type === "ClassRange" && isCodePoint(node.from, 8192) && isCodePoint(node.to, 8202);
     }]);
-    function rewriteWhitespaceRanges(path2) {
-      var node = path2.node;
+    function rewriteWhitespaceRanges(path3) {
+      var node = path3.node;
       if (node.expressions.length < whitespaceRangeTests.length || !whitespaceRangeTests.every(function(test) {
         return node.expressions.some(function(expression) {
           return test(expression);
@@ -3098,9 +3098,9 @@ var require_char_class_to_meta_transform = __commonJS({
       node.expressions.map(function(expression, i) {
         return whitespaceRangeTests.some(function(test) {
           return test(expression);
-        }) ? path2.getChild(i) : void 0;
-      }).filter(Boolean).forEach(function(path3) {
-        return path3.remove();
+        }) ? path3.getChild(i) : void 0;
+      }).filter(Boolean).forEach(function(path4) {
+        return path4.remove();
       });
     }
     function isFullNumberRange(node) {
@@ -3133,9 +3133,9 @@ var require_char_class_to_single_char_transform = __commonJS({
   "../../node_modules/.pnpm/regexp-tree@0.1.27/node_modules/regexp-tree/dist/optimizer/transforms/char-class-to-single-char-transform.js"(exports, module) {
     "use strict";
     module.exports = {
-      CharacterClass: function CharacterClass(path2) {
-        var node = path2.node;
-        if (node.expressions.length !== 1 || !hasAppropriateSiblings(path2) || !isAppropriateChar(node.expressions[0])) {
+      CharacterClass: function CharacterClass(path3) {
+        var node = path3.node;
+        if (node.expressions.length !== 1 || !hasAppropriateSiblings(path3) || !isAppropriateChar(node.expressions[0])) {
           return;
         }
         var _node$expressions$ = node.expressions[0], value = _node$expressions$.value, kind = _node$expressions$.kind, escaped = _node$expressions$.escaped;
@@ -3145,7 +3145,7 @@ var require_char_class_to_single_char_transform = __commonJS({
           }
           value = getInverseMeta(value);
         }
-        path2.replace({
+        path3.replace({
           type: "Char",
           value,
           kind,
@@ -3164,8 +3164,8 @@ var require_char_class_to_single_char_transform = __commonJS({
     function getInverseMeta(value) {
       return /[dws]/.test(value) ? value.toUpperCase() : value.toLowerCase();
     }
-    function hasAppropriateSiblings(path2) {
-      var parent = path2.parent, index = path2.index;
+    function hasAppropriateSiblings(path3) {
+      var parent = path3.parent, index = path3.index;
       if (parent.type !== "Alternative") {
         return true;
       }
@@ -3196,18 +3196,18 @@ var require_char_escape_unescape_transform = __commonJS({
       init: function init(ast) {
         this._hasXFlag = ast.flags.includes("x");
       },
-      Char: function Char(path2) {
-        var node = path2.node;
+      Char: function Char(path3) {
+        var node = path3.node;
         if (!node.escaped) {
           return;
         }
-        if (shouldUnescape(path2, this._hasXFlag)) {
+        if (shouldUnescape(path3, this._hasXFlag)) {
           delete node.escaped;
         }
       }
     };
-    function shouldUnescape(path2, hasXFlag) {
-      var value = path2.node.value, index = path2.index, parent = path2.parent;
+    function shouldUnescape(path3, hasXFlag) {
+      var value = path3.node.value, index = path3.index, parent = path3.parent;
       if (parent.type !== "CharacterClass" && parent.type !== "ClassRange") {
         return !preservesEscape(value, index, parent, hasXFlag);
       }
@@ -3296,8 +3296,8 @@ var require_char_class_classranges_merge_transform = __commonJS({
       init: function init(ast) {
         this._hasIUFlags = ast.flags.includes("i") && ast.flags.includes("u");
       },
-      CharacterClass: function CharacterClass(path2) {
-        var node = path2.node;
+      CharacterClass: function CharacterClass(path3) {
+        var node = path3.node;
         var expressions = node.expressions;
         var metas = [];
         expressions.forEach(function(expression2) {
@@ -3515,8 +3515,8 @@ var require_disjunction_remove_duplicates_transform = __commonJS({
     var disjunctionToList = _require.disjunctionToList;
     var listToDisjunction = _require.listToDisjunction;
     module.exports = {
-      Disjunction: function Disjunction(path2) {
-        var node = path2.node;
+      Disjunction: function Disjunction(path3) {
+        var node = path3.node;
         var uniqueNodesMap = {};
         var parts = disjunctionToList(node).filter(function(part) {
           var encoded = part ? NodePath.getForNode(part).jsonEncode() : "null";
@@ -3526,7 +3526,7 @@ var require_disjunction_remove_duplicates_transform = __commonJS({
           uniqueNodesMap[encoded] = part;
           return true;
         });
-        path2.replace(listToDisjunction(parts));
+        path3.replace(listToDisjunction(parts));
       }
     };
   }
@@ -3537,8 +3537,8 @@ var require_group_single_chars_to_char_class = __commonJS({
   "../../node_modules/.pnpm/regexp-tree@0.1.27/node_modules/regexp-tree/dist/optimizer/transforms/group-single-chars-to-char-class.js"(exports, module) {
     "use strict";
     module.exports = {
-      Disjunction: function Disjunction(path2) {
-        var node = path2.node, parent = path2.parent;
+      Disjunction: function Disjunction(path3) {
+        var node = path3.node, parent = path3.parent;
         if (!handlers[parent.type]) {
           return;
         }
@@ -3552,20 +3552,20 @@ var require_group_single_chars_to_char_class = __commonJS({
             return charset.get(key);
           })
         };
-        handlers[parent.type](path2.getParent(), characterClass);
+        handlers[parent.type](path3.getParent(), characterClass);
       }
     };
     var handlers = {
-      RegExp: function RegExp2(path2, characterClass) {
-        var node = path2.node;
+      RegExp: function RegExp2(path3, characterClass) {
+        var node = path3.node;
         node.body = characterClass;
       },
-      Group: function Group(path2, characterClass) {
-        var node = path2.node;
+      Group: function Group(path3, characterClass) {
+        var node = path3.node;
         if (node.capturing) {
           node.expression = characterClass;
         } else {
-          path2.replace(characterClass);
+          path3.replace(characterClass);
         }
       }
     };
@@ -3599,16 +3599,16 @@ var require_remove_empty_group_transform = __commonJS({
   "../../node_modules/.pnpm/regexp-tree@0.1.27/node_modules/regexp-tree/dist/optimizer/transforms/remove-empty-group-transform.js"(exports, module) {
     "use strict";
     module.exports = {
-      Group: function Group(path2) {
-        var node = path2.node, parent = path2.parent;
-        var childPath = path2.getChild();
+      Group: function Group(path3) {
+        var node = path3.node, parent = path3.parent;
+        var childPath = path3.getChild();
         if (node.capturing || childPath) {
           return;
         }
         if (parent.type === "Repetition") {
-          path2.getParent().replace(node);
+          path3.getParent().replace(node);
         } else if (parent.type !== "RegExp") {
-          path2.remove();
+          path3.remove();
         }
       }
     };
@@ -3630,13 +3630,13 @@ var require_ungroup_transform = __commonJS({
       }
     }
     module.exports = {
-      Group: function Group(path2) {
-        var node = path2.node, parent = path2.parent;
-        var childPath = path2.getChild();
+      Group: function Group(path3) {
+        var node = path3.node, parent = path3.parent;
+        var childPath = path3.getChild();
         if (node.capturing || !childPath) {
           return;
         }
-        if (!hasAppropriateSiblings(path2)) {
+        if (!hasAppropriateSiblings(path3)) {
           return;
         }
         if (childPath.node.type === "Disjunction" && parent.type !== "RegExp") {
@@ -3646,20 +3646,20 @@ var require_ungroup_transform = __commonJS({
           return;
         }
         if (childPath.node.type === "Alternative") {
-          var parentPath = path2.getParent();
+          var parentPath = path3.getParent();
           if (parentPath.node.type === "Alternative") {
             parentPath.replace({
               type: "Alternative",
-              expressions: [].concat(_toConsumableArray(parent.expressions.slice(0, path2.index)), _toConsumableArray(childPath.node.expressions), _toConsumableArray(parent.expressions.slice(path2.index + 1)))
+              expressions: [].concat(_toConsumableArray(parent.expressions.slice(0, path3.index)), _toConsumableArray(childPath.node.expressions), _toConsumableArray(parent.expressions.slice(path3.index + 1)))
             });
           }
         } else {
-          path2.replace(childPath.node);
+          path3.replace(childPath.node);
         }
       }
     };
-    function hasAppropriateSiblings(path2) {
-      var parent = path2.parent, index = path2.index;
+    function hasAppropriateSiblings(path3) {
+      var parent = path3.parent, index = path3.index;
       if (parent.type !== "Alternative") {
         return true;
       }
@@ -3696,22 +3696,22 @@ var require_combine_repeating_patterns_transform = __commonJS({
     var _require = require_utils();
     var increaseQuantifierByOne = _require.increaseQuantifierByOne;
     module.exports = {
-      Alternative: function Alternative(path2) {
-        var node = path2.node;
+      Alternative: function Alternative(path3) {
+        var node = path3.node;
         var index = 1;
         while (index < node.expressions.length) {
-          var child = path2.getChild(index);
-          index = Math.max(1, combineRepeatingPatternLeft(path2, child, index));
+          var child = path3.getChild(index);
+          index = Math.max(1, combineRepeatingPatternLeft(path3, child, index));
           if (index >= node.expressions.length) {
             break;
           }
-          child = path2.getChild(index);
-          index = Math.max(1, combineWithPreviousRepetition(path2, child, index));
+          child = path3.getChild(index);
+          index = Math.max(1, combineWithPreviousRepetition(path3, child, index));
           if (index >= node.expressions.length) {
             break;
           }
-          child = path2.getChild(index);
-          index = Math.max(1, combineRepetitionWithPrevious(path2, child, index));
+          child = path3.getChild(index);
+          index = Math.max(1, combineRepetitionWithPrevious(path3, child, index));
           index++;
         }
       }
@@ -5842,8 +5842,8 @@ var SchemaResolver = class {
    * @param responseCode - Response code (default: '200')
    * @returns Schema object or undefined
    */
-  getResponseSchema(path2, method, responseCode = "200") {
-    const pathItem = this.document.paths?.[path2];
+  getResponseSchema(path3, method, responseCode = "200") {
+    const pathItem = this.document.paths?.[path3];
     if (!pathItem) return void 0;
     const operation = pathItem[method];
     if (!operation?.responses) return void 0;
@@ -5869,14 +5869,14 @@ var SchemaResolver = class {
    */
   getAllEndpoints() {
     const endpoints = [];
-    for (const [path2, pathItem] of Object.entries(this.document.paths || {})) {
+    for (const [path3, pathItem] of Object.entries(this.document.paths || {})) {
       if (!pathItem) continue;
       const methods = ["get", "post", "put", "patch", "delete", "options", "head"];
       for (const method of methods) {
         const operation = pathItem[method];
         if (operation) {
           endpoints.push({
-            path: path2,
+            path: path3,
             method,
             operationId: operation.operationId,
             summary: operation.summary,
@@ -5900,20 +5900,31 @@ var ZodSchemaGenerator = class {
    * @returns Zod schema code as string
    */
   generate(schema, options = {}) {
-    const { schemaName = "GeneratedSchema" } = options;
+    const { schemaName = "GeneratedSchema", bare = false } = options;
     const zodSchemaCode = this.schemaToZod(schema);
-    return `import { z } from 'zod';
-import isSafe from 'safe-regex';
-
-export const ${schemaName} = ${zodSchemaCode};
+    const body = `export const ${schemaName} = ${zodSchemaCode};
 
 export type ${schemaName}Type = z.infer<typeof ${schemaName}>;
 `;
+    if (bare) {
+      return body;
+    }
+    return `import { z } from 'zod';
+import isSafe from 'safe-regex';
+
+${body}`;
   }
   /**
    * Convert OpenAPI schema to Zod schema code
    */
   schemaToZod(schema, depth = 0) {
+    if ("$ref" in schema && schema.$ref) {
+      const refPath = schema.$ref;
+      console.warn(
+        `\u26A0\uFE0F  Unresolved $ref encountered: ${refPath} \u2014 generating z.unknown()`
+      );
+      return `z.unknown() /* unresolved $ref: ${refPath} */`;
+    }
     const isNullable = "nullable" in schema && schema.nullable === true;
     let baseSchema = this.schemaTypeToZod(schema);
     if (schema.description) {
@@ -5942,6 +5953,12 @@ export type ${schemaName}Type = z.infer<typeof ${schemaName}>;
       return this.handleComposition(schema.oneOf, "discriminatedUnion");
     }
     const type = schema.type;
+    if (!type && schema.properties) {
+      return this.objectToZod(schema);
+    }
+    if (!type && schema.additionalProperties !== void 0) {
+      return this.objectToZod(schema);
+    }
     switch (type) {
       case "string":
         return this.stringToZod(schema);
@@ -6196,7 +6213,8 @@ var CollectionProviderGenerator = class {
     const {
       providerName = this.generateProviderName(config),
       baseUrl = this.getBaseUrl(),
-      auth
+      auth,
+      bare = false
     } = options;
     const { endpoint, slugField, method = "get", name } = config;
     const collectionName = name || this.sanitizePath(endpoint);
@@ -6206,9 +6224,7 @@ var CollectionProviderGenerator = class {
       throw new Error(`No response schema found for ${method.toUpperCase()} ${endpoint}`);
     }
     const isArray = schema.type === "array";
-    const itemSchema = isArray ? schema.items : schema;
     const schemaName = `${this.capitalize(collectionName)}Schema`;
-    const typeName = `${this.capitalize(collectionName)}`;
     return this.generateProviderCode({
       providerName,
       collectionName,
@@ -6218,8 +6234,8 @@ var CollectionProviderGenerator = class {
       baseUrl,
       auth,
       schemaName,
-      typeName,
-      isArray
+      isArray,
+      bare
     });
   }
   /**
@@ -6235,14 +6251,17 @@ var CollectionProviderGenerator = class {
       baseUrl,
       auth,
       schemaName,
-      typeName,
-      isArray
+      isArray,
+      bare
     } = params;
     const authHeader = this.generateAuthHeader(auth);
-    return `import type { CollectionProvider, CollectionItem } from '@stackwright/collections';
-import { ${schemaName} } from './schemas';
+    const arraySchemaName = `${schemaName.replace(/Schema$/, "")}ArraySchema`;
+    const validationSchema = isArray ? arraySchemaName : schemaName;
+    const imports = bare ? "" : `import type { CollectionProvider, CollectionItem } from '@stackwright/collections';
+import { ${isArray ? arraySchemaName : schemaName} } from './schemas';
 
-/**
+`;
+    return `${imports}/**
  * CollectionProvider for ${collectionName}
  * 
  * Generated from OpenAPI endpoint: ${method.toUpperCase()} ${endpoint}
@@ -6293,7 +6312,7 @@ export class ${providerName} implements CollectionProvider {
     const data = await response.json();
     
     // Validate response with Zod schema
-    const validated = ${isArray ? schemaName : `[${schemaName}]`}.parse(data);
+    const validated = ${validationSchema}.parse(data);
     
     // Convert to CollectionItem format
     return ${isArray ? "validated" : "[validated]"}.map((item: any) => this.toCollectionItem(item));
@@ -6404,8 +6423,8 @@ export class ${providerName} implements CollectionProvider {
   /**
    * Sanitize path to valid identifier
    */
-  sanitizePath(path2) {
-    return path2.replace(/^\//, "").replace(/\//g, "-").replace(/[{}:]/g, "").replace(/-+/g, "-");
+  sanitizePath(path3) {
+    return path3.replace(/^\//, "").replace(/\//g, "-").replace(/[{}:]/g, "").replace(/-+/g, "-");
   }
   /**
    * Capitalize string
@@ -6430,10 +6449,12 @@ var ClientGenerator = class {
     this.resolver = new SchemaResolver(document);
     this.schemaMapping = schemaMapping;
     this.requiredSchemas = /* @__PURE__ */ new Set();
+    this.generatedRequestSchemas = /* @__PURE__ */ new Set();
   }
   resolver;
   schemaMapping;
   requiredSchemas;
+  generatedRequestSchemas;
   /**
    * Generate typed API client code from OpenAPI document
    */
@@ -6451,6 +6472,7 @@ var ClientGenerator = class {
       throw new Error("No endpoints found in OpenAPI document");
     }
     this.requiredSchemas.clear();
+    this.generatedRequestSchemas.clear();
     let code = this.generateImports(!!schemaMapping, validateResponses);
     code += "\n";
     if (schemaMapping) {
@@ -6525,6 +6547,7 @@ var ClientGenerator = class {
         code += `export const ${schemaName} = ${schemaCode};
 
 `;
+        this.generatedRequestSchemas.add(schemaName);
       }
     }
     return code;
@@ -6834,10 +6857,10 @@ ${paramSchemas.join(",\n")}
         continue;
       }
       const typeName = this.getOperationTypeName(endpoint);
-      if (mapping.requestSchema) {
-        this.addRequiredSchema(mapping.requestSchema);
-        code += `export type ${typeName}Request = z.infer<typeof ${mapping.requestSchema}>;
-`;
+      const requestSchemaName = mapping.requestSchema || typeName + "RequestSchema";
+      if (this.generatedRequestSchemas.has(requestSchemaName)) {
+        this.addRequiredSchema(requestSchemaName);
+        code += "export type " + typeName + "Request = z.infer<typeof " + requestSchemaName + ">;\n";
       }
       this.addRequiredSchema(mapping.responseSchema);
       code += `export type ${typeName}Response = z.infer<typeof schemas.${mapping.responseSchema}>;
@@ -7176,7 +7199,7 @@ ${paramSchemas.join(",\n")}
    * Generate a method for an endpoint with Zod validation (NEW)
    */
   generateMethodWithValidation(endpoint, includeJsDoc, schemaMapping) {
-    const { operation, path: path2, method } = endpoint;
+    const { operation, path: path3, method } = endpoint;
     const methodName = this.getMethodName(endpoint);
     const typeName = this.getOperationTypeName(endpoint);
     const operationId = endpoint.operationId || methodName;
@@ -7236,7 +7259,7 @@ ${paramSchemas.join(",\n")}
     if (pathParams.length > 0) {
       code += `    // Build URL with path parameters
 `;
-      code += `    let url = this.baseUrl + '${path2}'
+      code += `    let url = this.baseUrl + '${path3}'
 `;
       for (const param of pathParams) {
         code += `      .replace('{${param.name}}', encodeURIComponent(String(request.path.${param.name})))
@@ -7246,7 +7269,7 @@ ${paramSchemas.join(",\n")}
 
 `;
     } else {
-      code += `    const url = this.baseUrl + '${path2}';
+      code += `    const url = this.baseUrl + '${path3}';
 
 `;
     }
@@ -7258,7 +7281,7 @@ ${paramSchemas.join(",\n")}
       code += `    if (request.query) {
 `;
       for (const param of queryParams) {
-        code += `      if (request.query.${param.name} !== undefined) {
+        code += `      if (request.query.${param.name} != null) {
 `;
         code += `        searchParams.append('${param.name}', String(request.query.${param.name}));
 `;
@@ -7284,7 +7307,7 @@ ${paramSchemas.join(",\n")}
     code += `      method: '${method.toUpperCase()}',
 `;
     if (hasBody) {
-      code += `      body: request.body ? JSON.stringify(request.body) : undefined,
+      code += `      body: request.body ? JSON.stringify(request.body) : null,
 `;
     }
     if (headerParams.length > 0) {
@@ -7342,7 +7365,7 @@ ${paramSchemas.join(",\n")}
    * Generate a method for an endpoint (LEGACY)
    */
   generateMethodLegacy(endpoint, includeJsDoc) {
-    const { operation, path: path2, method } = endpoint;
+    const { operation, path: path3, method } = endpoint;
     const methodName = this.getMethodName(endpoint);
     const typeName = this.getOperationTypeName(endpoint);
     const params = this.getOperationParameters(operation);
@@ -7378,7 +7401,7 @@ ${paramSchemas.join(",\n")}
     if (pathParams.length > 0) {
       code += `    // Build URL with path parameters
 `;
-      code += `    let url = this.baseUrl + '${path2}'
+      code += `    let url = this.baseUrl + '${path3}'
 `;
       for (const param of pathParams) {
         code += `      .replace('{${param.name}}', encodeURIComponent(String(request.path.${param.name})))
@@ -7388,7 +7411,7 @@ ${paramSchemas.join(",\n")}
 
 `;
     } else {
-      code += `    const url = this.baseUrl + '${path2}';
+      code += `    const url = this.baseUrl + '${path3}';
 
 `;
     }
@@ -7401,7 +7424,7 @@ ${paramSchemas.join(",\n")}
       code += `    if (request.query) {
 `;
       for (const param of queryParams) {
-        code += `      if (request.query.${param.name} !== undefined) {
+        code += `      if (request.query.${param.name} != null) {
 `;
         code += `        searchParams.append('${param.name}', String(request.query.${param.name}));
 `;
@@ -7425,7 +7448,7 @@ ${paramSchemas.join(",\n")}
     code += `      method: '${method.toUpperCase()}',
 `;
     if (hasBody) {
-      code += `      body: request.body ? JSON.stringify(request.body) : undefined,
+      code += `      body: request.body ? JSON.stringify(request.body) : null,
 `;
     }
     const headerParams = params.filter((p) => p.in === "header");
@@ -7472,7 +7495,7 @@ ${paramSchemas.join(",\n")}
       const errorBody = await response.text().catch(() => null);
       
       // \u2705 SECURITY FIX: Safe JSON parsing with fallback
-      let parsedError: unknown = undefined;
+      let parsedError: unknown;
       if (errorBody) {
         try {
           parsedError = JSON.parse(errorBody);
@@ -7494,7 +7517,7 @@ ${paramSchemas.join(",\n")}
 
     // Handle empty responses (204 No Content, etc.)
     if (response.status === 204 || response.headers.get('content-length') === '0') {
-      return undefined as T;
+      return null as unknown as T;
     }
 
     // \u2705 SECURITY FIX: Validate Content-Type before parsing JSON
@@ -7520,14 +7543,14 @@ ${paramSchemas.join(",\n")}
    */
   getAllEndpoints() {
     const endpoints = [];
-    for (const [path2, pathItem] of Object.entries(this.document.paths || {})) {
+    for (const [path3, pathItem] of Object.entries(this.document.paths || {})) {
       if (!pathItem) continue;
       const methods = ["get", "post", "put", "patch", "delete", "options", "head"];
       for (const method of methods) {
         const operation = pathItem[method];
         if (operation) {
           endpoints.push({
-            path: path2,
+            path: path3,
             method,
             operationId: operation.operationId,
             summary: operation.summary,
@@ -7537,7 +7560,32 @@ ${paramSchemas.join(",\n")}
         }
       }
     }
-    return endpoints;
+    return this.deduplicateOperationIds(endpoints);
+  }
+  /**
+   * Deduplicate colliding operationIds by appending a path-based suffix.
+   *
+   * Real-world specs (e.g. SAM.gov) reuse the same operationId across
+   * versioned paths. We make each one unique so the generated client
+   * has no duplicate method names.
+   */
+  deduplicateOperationIds(endpoints) {
+    const seen = /* @__PURE__ */ new Map();
+    return endpoints.map((ep) => {
+      if (!ep.operationId) return ep;
+      const count = seen.get(ep.operationId) ?? 0;
+      seen.set(ep.operationId, count + 1);
+      if (count === 0) return ep;
+      const suffix = this.sanitizePath(ep.path);
+      return { ...ep, operationId: `${ep.operationId}_${suffix}` };
+    });
+  }
+  /**
+   * Turn an API path into a valid, readable identifier suffix.
+   * e.g. '/entity-information/v4/download-entities' -> 'entityInformationV4DownloadEntities'
+   */
+  sanitizePath(path3) {
+    return path3.split("/").filter((seg) => seg && !seg.startsWith("{")).join("-").replace(/[^a-zA-Z0-9]+(.)/g, (_, chr) => chr.toUpperCase()).replace(/^[A-Z]/, (chr) => chr.toLowerCase());
   }
   /**
    * Get parameters for an operation
@@ -7633,12 +7681,556 @@ var OpenAPICollectionProvider = class {
 };
 
 // src/prebuild/OpenAPIPlugin.ts
+import fs2 from "fs";
+import path2 from "path";
+
+// src/utils/EndpointFilter.ts
+var EndpointFilter = class {
+  include;
+  exclude;
+  constructor(filter) {
+    if (filter?.include !== void 0 && filter.include.length > 0) {
+      this.include = filter.include;
+    } else {
+      this.include = ["/**"];
+    }
+    this.exclude = filter?.exclude ?? [];
+  }
+  /**
+   * Check if a path should be included in code generation.
+   *
+   * Logic:
+   * 1. If path matches any exclude pattern → excluded
+   * 2. If path matches any include pattern → included
+   * 3. Otherwise → excluded (default deny)
+   */
+  matches(path3) {
+    const normalizedPath = path3.startsWith("/") ? path3 : `/${path3}`;
+    for (const pattern of this.exclude) {
+      if (this.matchPattern(normalizedPath, pattern)) {
+        return false;
+      }
+    }
+    for (const pattern of this.include) {
+      if (this.matchPattern(normalizedPath, pattern)) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Match path against a pattern.
+   */
+  matchPattern(path3, pattern) {
+    const normalizedPattern = pattern.startsWith("/") ? pattern : `/${pattern}`;
+    if (normalizedPattern === "/") {
+      return true;
+    }
+    const regex = this.globToRegex(normalizedPattern);
+    if (regex.test(path3)) {
+      return true;
+    }
+    if (!normalizedPattern.endsWith("*")) {
+      const patternSegments = normalizedPattern.split("/");
+      const pathSegments = path3.split("/");
+      if (pathSegments.length >= patternSegments.length) {
+        let matches = true;
+        for (let i = 0; i < patternSegments.length; i++) {
+          const pSeg = patternSegments[i];
+          if (pSeg === "*" || pSeg === "**") {
+            continue;
+          }
+          if (pSeg.startsWith("{") && pSeg.endsWith("}")) {
+            continue;
+          }
+          if (pSeg !== pathSegments[i]) {
+            matches = false;
+            break;
+          }
+        }
+        if (matches) {
+          return true;
+        }
+      }
+    }
+    return false;
+  }
+  /**
+   * Convert a glob-like pattern to a RegExp.
+   *
+   * Pattern semantics:
+   * - `*` = single path segment (no slashes), minimum 1 character
+   * - `**` = multiple path segments (includes slashes), zero or more segments
+   * - `{param}` = single path segment parameter
+   * - Exact match segments are literal strings
+   */
+  globToRegex(pattern) {
+    let result = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
+    result = result.replace(/\*\*/g, "\u27EADOUBLESTAR\u27EB");
+    result = result.replace(/\*/g, "\u27EASTAR\u27EB");
+    if (result.startsWith("\u27EADOUBLESTAR\u27EB")) {
+      result = ".*" + result.slice("\u27EADOUBLESTAR\u27EB".length);
+    } else if (result.endsWith("\u27EADOUBLESTAR\u27EB") && result.endsWith("/\u27EADOUBLESTAR\u27EB")) {
+      result = result.slice(0, -"\u27EADOUBLESTAR\u27EB".length - 1) + "(?:/.*)?";
+    } else {
+      result = result.replace(/⟪DOUBLESTAR⟫/g, "(?:/.*)?");
+    }
+    result = result.replace(/⟪STAR⟫/g, "[^/]+");
+    result = result.replace(/\{[^}]+\}/g, "[^/]+");
+    return new RegExp(`^${result}$`);
+  }
+};
+
+// src/utils/ApprovedSpecsValidator.ts
+import crypto from "crypto";
 import fs from "fs";
+import https from "https";
+import http from "http";
+import { URL as URL2 } from "url";
 import path from "path";
+import { realpathSync } from "fs";
+import { isIP } from "net";
+var ApprovedSpecsValidator = class {
+  allowlist;
+  cache = /* @__PURE__ */ new Map();
+  skipHashVerification;
+  ALLOWED_DIRS;
+  MAX_RESPONSE_SIZE = 10 * 1024 * 1024;
+  // 10MB - prevents memory exhaustion attacks
+  /**
+   * Create a new ApprovedSpecsValidator
+   *
+   * @param config - Security configuration from stackwright.yml
+   * @param skipHashVerification - Skip hash check (for testing/development)
+   */
+  constructor(config, skipHashVerification = false) {
+    this.allowlist = config.allowlist || [];
+    this.skipHashVerification = skipHashVerification;
+    this.ALLOWED_DIRS = this.buildAllowedDirs();
+  }
+  /**
+   * Build list of allowed directories for path traversal prevention.
+   * Defaults to cwd, specs subdir, and .stackwright cache dir.
+   */
+  buildAllowedDirs() {
+    const cwd = process.cwd();
+    return [cwd, path.join(cwd, "specs"), path.join(cwd, ".stackwright")];
+  }
+  /**
+   * Validate that a file path is within allowed directories (path traversal prevention).
+   * Uses realpathSync to resolve symlinks and prevent symlink traversal attacks.
+   *
+   * @param filePath - File path to validate
+   * @returns true if path is allowed, false otherwise
+   */
+  isPathAllowed(filePath) {
+    try {
+      const realPath = realpathSync(filePath);
+      return this.ALLOWED_DIRS.some((dir) => {
+        const realDir = realpathSync(dir);
+        return realPath.startsWith(realDir + path.sep) || realPath === realDir;
+      });
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Check if a URL/path is a path traversal attempt.
+   * This is checked BEFORE the allowlist to prevent bypassing path security.
+   *
+   * @param specUrl - URL or path to check
+   * @returns true if this is a path traversal attempt
+   */
+  isPathTraversalAttempt(specUrl) {
+    if (specUrl.startsWith("file://")) {
+      return true;
+    }
+    if (fs.existsSync(specUrl)) {
+      return !this.isPathAllowed(specUrl);
+    }
+    if (!specUrl.startsWith("http://") && !specUrl.startsWith("https://")) {
+      if (specUrl.includes("../") || specUrl.includes("..\\")) {
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Validate that a hex string is a valid SHA-256 hash (64 hex characters).
+   *
+   * @param hash - String to validate
+   * @returns true if valid SHA-256 hex format
+   */
+  isValidHex(hash) {
+    return /^[a-fA-F0-9]{64}$/.test(hash);
+  }
+  /**
+   * Validate that a redirect URL is safe (SSRF protection).
+   * Blocks:
+   * - HTTPS → HTTP downgrades
+   * - Private IP ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 127.x.x.x)
+   * - Localhost and loopback addresses
+   * - Cloud metadata endpoints
+   * - IPv6 private/link-local addresses
+   *
+   * @param location - Redirect location URL
+   * @param originalProtocol - Protocol of the original request
+   * @returns true if redirect is safe, false if it should be blocked
+   */
+  isRedirectSafe(location, originalProtocol) {
+    try {
+      const redirectUrl = new URL2(location);
+      if (redirectUrl.protocol === "http:" && originalProtocol === "https:") {
+        return false;
+      }
+      const blockedPatterns = [
+        "localhost",
+        "127.0.0.1",
+        "::1",
+        "0.0.0.0",
+        "169.254.169.254",
+        // AWS/GCP/Azure metadata
+        ".metadata.google.internal",
+        // GCP metadata
+        "metadata.google.internal",
+        "metadata.internal"
+      ];
+      for (const pattern of blockedPatterns) {
+        if (redirectUrl.hostname.includes(pattern)) {
+          return false;
+        }
+      }
+      const ipv4Match = redirectUrl.hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
+      if (ipv4Match) {
+        const octets = ipv4Match.slice(1, 5).map(Number);
+        const [first, second] = octets;
+        if (first === 10) {
+          return false;
+        }
+        if (first === 172 && second >= 16 && second <= 31) {
+          return false;
+        }
+        if (first === 192 && second === 168) {
+          return false;
+        }
+        if (first === 127) {
+          return false;
+        }
+      }
+      const ipVersion = isIP(redirectUrl.hostname);
+      if (ipVersion === 6) {
+        const blockedPrefixes = [
+          "::1",
+          // Loopback
+          "fe80:",
+          // Link-local
+          "fc00:",
+          // Unique local
+          "fd",
+          // Unique local (short form)
+          "::ffff:"
+          // IPv4-mapped
+        ];
+        if (blockedPrefixes.some((p) => redirectUrl.hostname.startsWith(p))) {
+          return false;
+        }
+      }
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Atomically check if path is allowed and read content if so.
+   * Prevents TOCTOU race conditions by combining existence check,
+   * symlink resolution, path validation, and file read in a single operation.
+   *
+   * @param filePath - File path to check and read
+   * @returns Object with content if successful, or error message
+   */
+  readAllowedFile(filePath) {
+    try {
+      fs.lstatSync(filePath);
+      const realPath = fs.realpathSync(filePath);
+      if (!this.isPathAllowed(realPath)) {
+        return { error: "File path outside allowed directories (path traversal blocked)" };
+      }
+      return { content: fs.readFileSync(filePath, "utf8") };
+    } catch (e) {
+      const err = e;
+      if (err.code === "ENOENT") {
+        return { error: "File not found" };
+      }
+      return { error: String(e) };
+    }
+  }
+  /**
+   * Check if security enforcement is enabled
+   */
+  isEnabled() {
+    return this.allowlist.length > 0;
+  }
+  /**
+   * Get the allowlist count
+   */
+  getAllowlistCount() {
+    return this.allowlist.length;
+  }
+  /**
+   * Validate that a spec is on the approved list and matches expected hash.
+   *
+   * @param specUrl - URL or file path to the spec to validate
+   * @returns ValidationResult indicating if the spec is approved
+   */
+  async validate(specUrl) {
+    if (this.isPathTraversalAttempt(specUrl)) {
+      return {
+        valid: false,
+        errorCode: "DOWNLOAD_FAILED",
+        specUrl,
+        error: "File path outside allowed directories (path traversal blocked)"
+      };
+    }
+    const approved = this.allowlist.find((a) => this.urlsMatch(a.url, specUrl));
+    if (!approved) {
+      return {
+        valid: false,
+        errorCode: "SPEC_NOT_ON_ALLOWLIST",
+        specUrl,
+        error: this.formatAllowlistError(specUrl)
+      };
+    }
+    if (this.skipHashVerification) {
+      return { valid: true, specUrl };
+    }
+    const hashResult = await this.getHash(specUrl);
+    if (hashResult.error) {
+      return {
+        valid: false,
+        errorCode: "DOWNLOAD_FAILED",
+        specUrl,
+        error: `Failed to fetch spec '${specUrl}': ${hashResult.error}`
+      };
+    }
+    if (!this.isValidHex(hashResult.hash)) {
+      return {
+        valid: false,
+        errorCode: "DOWNLOAD_FAILED",
+        specUrl,
+        error: "Invalid hash format returned from download"
+      };
+    }
+    if (!this.isValidHex(approved.sha256)) {
+      return {
+        valid: false,
+        errorCode: "DOWNLOAD_FAILED",
+        specUrl,
+        error: "Invalid hash format in approved spec configuration"
+      };
+    }
+    if (!crypto.timingSafeEqual(
+      Buffer.from(hashResult.hash, "hex"),
+      Buffer.from(approved.sha256, "hex")
+    )) {
+      return {
+        valid: false,
+        errorCode: "SPEC_MODIFIED",
+        specUrl,
+        error: this.formatHashMismatchError(approved, hashResult.hash)
+      };
+    }
+    return { valid: true, specUrl };
+  }
+  /**
+   * Validate multiple specs at once (batch validation).
+   * Fails fast on first error.
+   *
+   * @param specUrls - Array of URLs/paths to validate
+   * @returns Map of URL to ValidationResult
+   */
+  async validateAll(specUrls) {
+    const results = /* @__PURE__ */ new Map();
+    for (const url of specUrls) {
+      const result = await this.validate(url);
+      results.set(url, result);
+      if (!result.valid) {
+        return results;
+      }
+    }
+    return results;
+  }
+  /**
+   * Validate all specs and return all results (non-fail-fast).
+   *
+   * @param specUrls - Array of URLs/paths to validate
+   * @returns Map of URL to ValidationResult
+   */
+  async validateAllComplete(specUrls) {
+    const results = /* @__PURE__ */ new Map();
+    for (const url of specUrls) {
+      const result = await this.validate(url);
+      results.set(url, result);
+    }
+    return results;
+  }
+  /**
+   * Get content hash from cache or download.
+   */
+  async getHash(url) {
+    const cached = this.cache.get(url);
+    if (cached) {
+      return { hash: cached.hash };
+    }
+    const contentResult = await this.download(url);
+    if (contentResult.error) {
+      return { error: contentResult.error };
+    }
+    const content = contentResult.content;
+    const hash = crypto.createHash("sha256").update(content).digest("hex");
+    this.cache.set(url, { content, hash });
+    return { hash };
+  }
+  /**
+   * Download content from URL or file.
+   * Includes path traversal and SSRF protection.
+   */
+  async download(url, originalProtocol = "") {
+    if (fs.existsSync(url)) {
+      return this.readAllowedFile(url);
+    }
+    if (!url.startsWith("http://") && !url.startsWith("https://")) {
+      return { error: `Invalid URL protocol. Expected http:// or https://, got: ${url}` };
+    }
+    const parsed = new URL2(url);
+    const requestProtocol = originalProtocol || parsed.protocol;
+    return new Promise((resolve) => {
+      const client = url.startsWith("https") ? https : http;
+      const req = client.get(url, { timeout: 3e4 }, (res) => {
+        if (res.statusCode && res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          const location = res.headers.location;
+          if (!this.isRedirectSafe(location, requestProtocol)) {
+            resolve({ error: `Unsafe redirect target blocked: ${location}` });
+            return;
+          }
+          this.download(location, requestProtocol).then(resolve);
+          return;
+        }
+        if (res.statusCode !== 200) {
+          resolve({ error: `HTTP ${res.statusCode}` });
+          return;
+        }
+        let data = "";
+        let size = 0;
+        res.on("data", (chunk) => {
+          size += chunk.length;
+          if (size > this.MAX_RESPONSE_SIZE) {
+            req.destroy();
+            resolve({ error: `Response too large (>${this.MAX_RESPONSE_SIZE / 1024 / 1024}MB)` });
+            return;
+          }
+          data += chunk;
+        });
+        res.on("end", () => resolve({ content: data }));
+        res.on("error", (e) => resolve({ error: String(e) }));
+      });
+      req.on("error", (e) => resolve({ error: String(e) }));
+      req.on("timeout", () => {
+        req.destroy();
+        resolve({ error: "Request timeout (30s)" });
+      });
+    });
+  }
+  /**
+   * Check if two URLs match (handles trailing slashes, case sensitivity, etc.).
+   * Strips credentials and hash to prevent bypass via @ symbol.
+   */
+  urlsMatch(url1, url2) {
+    const normalize = (u) => {
+      try {
+        const parsed = new URL2(u);
+        const normalized = `${parsed.protocol}//${parsed.hostname}${parsed.pathname}`;
+        return normalized.replace(/\/$/, "").toLowerCase();
+      } catch {
+        return u.replace(/\/$/, "").replace(/\\/g, "/").toLowerCase();
+      }
+    };
+    return normalize(url1) === normalize(url2);
+  }
+  /**
+   * Format error message for spec not on allowlist
+   */
+  formatAllowlistError(specUrl) {
+    const lines = [`Spec '${specUrl}' is not on the approved list.`];
+    if (this.allowlist.length === 0) {
+      lines.push("");
+      lines.push("No approved specs are configured.");
+      lines.push("Add approved specs to stackwright.yml under prebuild.security.allowlist");
+    } else {
+      lines.push("");
+      lines.push("Allowed specs:");
+      for (const spec of this.allowlist) {
+        lines.push(`  \u2022 ${spec.name}`);
+        lines.push(`    ${spec.url}`);
+      }
+    }
+    return lines.join("\n");
+  }
+  /**
+   * Format error message for hash mismatch
+   */
+  formatHashMismatchError(approved, actualHash) {
+    const lines = [
+      `Spec '${approved.url}' has been modified since approval.`,
+      "",
+      "Expected hash (approved): " + approved.sha256,
+      "Actual hash (current):     " + actualHash,
+      "",
+      "This may indicate:",
+      "  \u2022 The spec has been updated on the server",
+      "  \u2022 Network corruption during download",
+      "  \u2022 A man-in-the-middle attack",
+      "",
+      "If this is expected, update the sha256 in stackwright.yml."
+    ];
+    return lines.join("\n");
+  }
+  /**
+   * Clear the download cache.
+   * Useful for long-running processes.
+   */
+  clearCache() {
+    this.cache.clear();
+  }
+};
+
+// src/prebuild/OpenAPIPlugin.ts
 var OpenAPIPlugin = class {
   name = "@stackwright-pro/openapi";
   async beforeBuild(context) {
     const { siteConfig, projectRoot } = context;
+    const prebuildConfig = siteConfig.prebuild || {};
+    const securityConfig = prebuildConfig.security;
+    let validator = null;
+    if (securityConfig?.enabled) {
+      const skipApprovedSpecs = process.argv.includes("--skip-approved-specs");
+      if (skipApprovedSpecs) {
+        const isProductionBuild = process.env.NODE_ENV === "production" || process.env.CI === "true";
+        if (isProductionBuild) {
+          console.error("\n\u274C FATAL: --skip-approved-specs not allowed in production/CI builds\n");
+          throw new Error(
+            "SECURITY_CONFIG_VIOLATION: Cannot use --skip-approved-specs in production or CI environments"
+          );
+        }
+        console.log(
+          "\n[@stackwright-pro/openapi] \u26A0\uFE0F  Approved-specs enforcement DISABLED (--skip-approved-specs)\n"
+        );
+        console.log("    This is ONLY allowed in development mode.\n");
+      } else {
+        validator = new ApprovedSpecsValidator(securityConfig);
+        console.log("\n[@stackwright-pro/openapi] \u{1F512} Approved-specs enforcement ENABLED");
+        console.log(`    Approved specs: ${validator.getAllowlistCount()}`);
+      }
+    }
     const integrations = siteConfig.integrations;
     if (!integrations || !Array.isArray(integrations)) {
       return;
@@ -7649,6 +8241,17 @@ var OpenAPIPlugin = class {
     if (openAPIIntegrations.length === 0) {
       return;
     }
+    if (validator) {
+      const specUrls = openAPIIntegrations.map((i) => i.spec);
+      const results = await validator.validateAll(specUrls);
+      for (const [url, result] of results) {
+        if (!result.valid) {
+          this.printSecurityRejection(result);
+          throw new Error(`SPEC_NOT_APPROVED: ${result.error}`);
+        }
+        console.log(`    \u2713 Approved: ${url}`);
+      }
+    }
     console.log(
       `
 [@stackwright-pro/openapi] Processing ${openAPIIntegrations.length} integration(s)...`
@@ -7658,23 +8261,74 @@ var OpenAPIPlugin = class {
     }
     console.log("[@stackwright-pro/openapi] Generation complete\n");
   }
+  /**
+   * Print a security rejection error in a formatted box
+   */
+  printSecurityRejection(result) {
+    const lines = [];
+    lines.push(
+      "\n\u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557"
+    );
+    lines.push(
+      "\u2551  \u{1F512} SECURITY REJECTED                                                             \u2551"
+    );
+    lines.push("\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+    lines.push(`\u2551  Error: ${(result.errorCode || "UNKNOWN").padEnd(73)} \u2551`);
+    lines.push("\u2560\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2563");
+    const errorLines = (result.error || "Unknown error").split("\n");
+    const maxLen = 76;
+    for (const line of errorLines) {
+      if (line.length <= maxLen) {
+        lines.push(`\u2551  ${line.padEnd(maxLen)} \u2551`);
+      } else {
+        let remaining = line;
+        while (remaining.length > 0) {
+          lines.push(`\u2551  ${remaining.substring(0, maxLen).padEnd(maxLen)} \u2551`);
+          remaining = remaining.substring(maxLen);
+        }
+      }
+    }
+    lines.push(
+      "\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255D\n"
+    );
+    for (const line of lines) {
+      console.error(line);
+    }
+  }
   async processIntegration(config, projectRoot) {
-    const { name, spec, auth, collections } = config;
+    const { name, spec, auth, mockUrl, collections, endpoints } = config;
     console.log(`  - Processing integration: ${name}`);
-    const specPath = spec.startsWith("http") ? spec : path.resolve(projectRoot, spec);
+    const specPath = spec.startsWith("http") ? spec : path2.resolve(projectRoot, spec);
     const parser = new OpenAPIParser();
     const { document } = await parser.parse(specPath);
-    const outputDir = path.join(projectRoot, "src", "generated", name);
-    fs.mkdirSync(outputDir, { recursive: true });
-    const schemaMapping = await this.generateSchemas(document, collections || [], outputDir, name);
+    if (mockUrl) {
+      const originalServer = document.servers?.[0]?.url || "unknown";
+      document.servers = [{ url: mockUrl }];
+      console.log(`    > Using mock URL: ${mockUrl} (was: ${originalServer})`);
+    }
+    const endpointFilter = new EndpointFilter(endpoints);
+    if (endpoints && (endpoints.include?.length || endpoints.exclude?.length)) {
+      const includeStr = endpoints.include?.join(", ") || "/**";
+      const excludeStr = endpoints.exclude?.length ? ` (exclude: ${endpoints.exclude.join(", ")})` : "";
+      console.log(`    > Filter: include [${includeStr}]${excludeStr}`);
+    }
+    const outputDir = path2.join(projectRoot, "src", "generated", name);
+    fs2.mkdirSync(outputDir, { recursive: true });
+    const schemaMapping = await this.generateSchemas(
+      document,
+      collections || [],
+      outputDir,
+      name,
+      endpointFilter
+    );
     await this.generateTypes(document, collections || [], outputDir, name);
     if (collections && collections.length > 0) {
       await this.generateProvider(document, config, outputDir, name);
     }
-    await this.generateClient(document, outputDir, name, schemaMapping);
-    console.log(`    \u2713 Generated code in src/generated/${name}/`);
+    await this.generateClient(document, outputDir, name, schemaMapping, endpointFilter);
+    console.log(`    > Generated code in src/generated/${name}/`);
   }
-  async generateSchemas(document, collections, outputDir, integrationName) {
+  async generateSchemas(document, collections, outputDir, integrationName, endpointFilter) {
     const resolver = new SchemaResolver(document);
     const zodGenerator = new ZodSchemaGenerator();
     let schemasCode = `/**
@@ -7694,14 +8348,14 @@ import { z } from 'zod';
         const method = "get";
         const schema = resolver.getResponseSchema(endpoint, method);
         if (!schema) {
-          console.warn(`    \u26A0  No schema found for ${method.toUpperCase()} ${endpoint}`);
+          console.warn(`    > No schema found for ${method.toUpperCase()} ${endpoint}`);
           continue;
         }
         const collectionName = this.sanitizeName(endpoint);
         const schemaName = `${this.capitalize(collectionName)}Schema`;
         const isArray = schema.type === "array";
         const itemSchema = isArray ? schema.items : schema;
-        const zodCode = zodGenerator.generate(itemSchema, { schemaName });
+        const zodCode = zodGenerator.generate(itemSchema, { schemaName, bare: true });
         schemasCode += zodCode + "\n";
         if (isArray) {
           schemasCode += `export const ${this.capitalize(collectionName)}ArraySchema = z.array(${schemaName});
@@ -7710,22 +8364,27 @@ import { z } from 'zod';
         }
       }
     }
-    schemasCode += "\n// Response schemas for all endpoints\n";
+    schemasCode += "\n// Response schemas for filtered endpoints\n";
     const generatedSchemas = /* @__PURE__ */ new Set();
+    let filteredCount = 0;
     const paths = document.paths || {};
-    for (const [path2, pathItem] of Object.entries(paths)) {
+    for (const [pathStr, pathItem] of Object.entries(paths)) {
+      if (!endpointFilter.matches(pathStr)) {
+        filteredCount++;
+        continue;
+      }
       const methods = ["get", "post", "put", "patch", "delete"];
       for (const method of methods) {
         const operation = pathItem[method];
         if (!operation) continue;
-        const opId = operation.operationId || this.generateOperationId(path2, method);
+        const opId = operation.operationId || this.generateOperationId(pathStr, method);
         const responseSchemaName = `${this.getOperationTypeName(opId)}ResponseSchema`;
         if (generatedSchemas.has(responseSchemaName)) {
           continue;
         }
-        const responseSchema = resolver.getResponseSchema(path2, method);
+        const responseSchema = resolver.getResponseSchema(pathStr, method);
         if (!responseSchema) {
-          console.warn(`    \u26A0  No response schema for ${method.toUpperCase()} ${path2}`);
+          console.warn(`    > No response schema for ${method.toUpperCase()} ${pathStr}`);
           continue;
         }
         const isArray = responseSchema.type === "array";
@@ -7740,32 +8399,44 @@ import { z } from 'zod';
 `;
           generatedSchemas.add(responseSchemaName);
         } else if (isArray) {
-          const zodCode = zodGenerator.generate(responseSchema, { schemaName: responseSchemaName });
+          const zodCode = zodGenerator.generate(responseSchema, {
+            schemaName: responseSchemaName,
+            bare: true
+          });
           schemasCode += zodCode + "\n";
           generatedSchemas.add(responseSchemaName);
         } else {
-          const zodCode = zodGenerator.generate(responseSchema, { schemaName: responseSchemaName });
+          const zodCode = zodGenerator.generate(responseSchema, {
+            schemaName: responseSchemaName,
+            bare: true
+          });
           schemasCode += zodCode + "\n";
           generatedSchemas.add(responseSchemaName);
         }
       }
     }
+    if (filteredCount > 0) {
+      console.log(`    > Skipped ${filteredCount} paths (filtered)`);
+    }
     const schemaMapping = {};
-    for (const [path2, pathItem] of Object.entries(paths)) {
+    for (const [pathStr, pathItem] of Object.entries(paths)) {
+      if (!endpointFilter.matches(pathStr)) {
+        continue;
+      }
       const methods = ["get", "post", "put", "patch", "delete"];
       for (const method of methods) {
         const operation = pathItem[method];
         if (!operation) continue;
-        const opId = operation.operationId || this.generateOperationId(path2, method);
+        const opId = operation.operationId || this.generateOperationId(pathStr, method);
         const responseSchemaName = `${this.getOperationTypeName(opId)}ResponseSchema`;
         schemaMapping[opId] = {
           requestSchema: null,
-          // Will be added when we generate request schemas
+          // ClientGenerator handles request schema generation + type inference
           responseSchema: responseSchemaName
         };
       }
     }
-    fs.writeFileSync(path.join(outputDir, "schemas.ts"), schemasCode);
+    fs2.writeFileSync(path2.join(outputDir, "schemas.ts"), schemasCode);
     return schemaMapping;
   }
   async generateTypes(document, collections, outputDir, integrationName) {
@@ -7790,7 +8461,7 @@ import type * as schemas from './schemas';
 `;
       }
     }
-    fs.writeFileSync(path.join(outputDir, "types.ts"), typesCode);
+    fs2.writeFileSync(path2.join(outputDir, "types.ts"), typesCode);
   }
   async generateProvider(document, config, outputDir, integrationName) {
     const generator = new CollectionProviderGenerator(document);
@@ -7798,22 +8469,15 @@ import type * as schemas from './schemas';
     if (!collections || collections.length === 0) {
       return;
     }
-    let providerCode = `/**
- * Generated CollectionProvider from OpenAPI spec
- * Integration: ${integrationName}
- * 
- * DO NOT EDIT - This file is auto-generated by @stackwright-pro/openapi
- * Regenerate by running: pnpm prebuild
- */
-
-`;
+    const schemaImports = /* @__PURE__ */ new Set();
+    const classBlocks = [];
     for (const collection of collections) {
       const collectionConfig = {
         endpoint: collection.endpoint,
         slugField: collection.slug_field,
         filters: collection.filters
       };
-      let providerOptions = {};
+      let providerOptions = { bare: true };
       if (auth) {
         if (auth.type === "bearer" || auth.type === "apiKey") {
           providerOptions.auth = {
@@ -7822,16 +8486,50 @@ import type * as schemas from './schemas';
           };
         } else if (auth.type === "oauth2") {
           console.warn(
-            `    \u26A0  OAuth2 auth not yet supported for ${collection.endpoint} (coming soon)`
+            `    > OAuth2 auth not yet supported for ${collection.endpoint} (coming soon)`
           );
         }
       }
       const code = generator.generate(collectionConfig, providerOptions);
-      providerCode += code + "\n";
+      classBlocks.push(code);
+      const collectionName = this.sanitizeName(collection.endpoint);
+      const resolver = new SchemaResolver(document);
+      const schema = resolver.getResponseSchema(collection.endpoint, "get");
+      const isArray = schema?.type === "array";
+      if (isArray) {
+        schemaImports.add(`${this.capitalize(collectionName)}ArraySchema`);
+      } else {
+        schemaImports.add(`${this.capitalize(collectionName)}Schema`);
+      }
     }
-    fs.writeFileSync(path.join(outputDir, "provider.ts"), providerCode);
+    let providerCode = `/**
+ * Generated CollectionProvider from OpenAPI spec
+ * Integration: ${integrationName}
+ * 
+ * DO NOT EDIT - This file is auto-generated by @stackwright-pro/openapi
+ * Regenerate by running: pnpm prebuild
+ */
+
+import type { CollectionProvider, CollectionItem } from '@stackwright/collections';
+import { ${Array.from(schemaImports).join(", ")} } from './schemas';
+
+`;
+    providerCode += classBlocks.join("\n");
+    fs2.writeFileSync(path2.join(outputDir, "provider.ts"), providerCode);
   }
-  async generateClient(document, outputDir, integrationName, schemaMapping) {
+  async generateClient(document, outputDir, integrationName, schemaMapping, endpointFilter) {
+    const paths = document.paths || {};
+    let filteredEndpoints = 0;
+    for (const pathStr of Object.keys(paths)) {
+      if (!endpointFilter.matches(pathStr)) {
+        filteredEndpoints++;
+      }
+    }
+    if (filteredEndpoints > 0) {
+      console.log(
+        `    > Generating client for ${Object.keys(paths).length - filteredEndpoints} endpoints (${filteredEndpoints} filtered)`
+      );
+    }
     const generator = new ClientGenerator(document);
     const className = `${this.capitalize(integrationName)}Client`;
     const clientCode = generator.generate({
@@ -7841,7 +8539,7 @@ import type * as schemas from './schemas';
       validateResponses: true,
       strictValidation: false
     });
-    fs.writeFileSync(path.join(outputDir, "client.ts"), clientCode);
+    fs2.writeFileSync(path2.join(outputDir, "client.ts"), clientCode);
   }
   extractComponentName(ref) {
     const parts = ref.split("/");
@@ -7850,20 +8548,20 @@ import type * as schemas from './schemas';
   getOperationTypeName(operationId) {
     return operationId.charAt(0).toUpperCase() + operationId.slice(1);
   }
-  generateOperationId(path2, method) {
-    const sanitized = this.sanitizeName(path2);
+  generateOperationId(pathStr, method) {
+    const sanitized = this.sanitizeName(pathStr);
     return `${method}${this.capitalize(sanitized)}`;
   }
-  getResponseSchemaName(path2, method) {
-    const sanitized = this.sanitizeName(path2);
+  getResponseSchemaName(pathStr, method) {
+    const sanitized = this.sanitizeName(pathStr);
     const baseName = this.capitalize(sanitized);
-    if (method === "get" && !path2.includes("{")) {
+    if (method === "get" && !pathStr.includes("{")) {
       return `${baseName}ArraySchema`;
     }
     return `${baseName}Schema`;
   }
-  sanitizeName(path2) {
-    return path2.replace(/^\//, "").replace(/\//g, "-").replace(/[{}:]/g, "").replace(/-+/g, "-");
+  sanitizeName(pathStr) {
+    return pathStr.replace(/^\//, "").replace(/\//g, "-").replace(/[{}:]/g, "").replace(/-+/g, "-");
   }
   capitalize(str) {
     return str.split("-").map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join("");
@@ -7872,14 +8570,137 @@ import type * as schemas from './schemas';
 function createOpenAPIPlugin() {
   return new OpenAPIPlugin();
 }
+
+// src/sources/openapi.ts
+var BLOCKED_HOST_PATTERNS = [
+  /^localhost$/i,
+  /^127\./,
+  // Loopback (127.0.0.0/8)
+  /^10\./,
+  // Class A private (10.0.0.0/8)
+  /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
+  // Class B private (172.16.0.0/12)
+  /^192\.168\./,
+  // Class C private (192.168.0.0/16)
+  /^169\.254\./,
+  // Link-local (169.254.0.0/16) - AWS/GCP metadata
+  /^0\./,
+  // Current network (0.0.0.0/8)
+  /^::1$/,
+  // IPv6 loopback (no brackets)
+  /^\[::1\]$/i,
+  // IPv6 loopback (with brackets)
+  /^[fF][cCdD][0-9a-fA-F]{2}:/,
+  // IPv6 private (fc00::/7)
+  /^169\.254\.169\.254$/i,
+  // AWS metadata endpoint
+  /^metadata\.googleapis\.com$/i,
+  // GCP metadata endpoint
+  /^100\.100\.100\.200$/
+  // Alibaba Cloud metadata
+];
+var ALLOWED_PROTOCOLS = ["http:", "https:"];
+function validateFetchUrl(baseUrl) {
+  let url;
+  try {
+    url = new URL(baseUrl);
+  } catch {
+    throw new Error("SSRF Prevention: baseUrl must be a valid absolute URL");
+  }
+  if (!ALLOWED_PROTOCOLS.includes(url.protocol)) {
+    throw new Error(
+      "SSRF Prevention: Only HTTP and HTTPS protocols are allowed, got " + url.protocol
+    );
+  }
+  const hostname = url.hostname.toLowerCase();
+  for (const pattern of BLOCKED_HOST_PATTERNS) {
+    if (pattern.test(hostname)) {
+      throw new Error("SSRF Prevention: Blocked internal network address: " + hostname);
+    }
+  }
+  const ip = url.hostname;
+  if (/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(ip)) {
+    const octets = ip.split(".").map(Number);
+    if (octets[0] === 127) {
+      throw new Error("SSRF Prevention: Blocked loopback address: " + ip);
+    }
+    if (octets[0] === 10) {
+      throw new Error("SSRF Prevention: Blocked private address: " + ip);
+    }
+    if (octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31) {
+      throw new Error("SSRF Prevention: Blocked private address: " + ip);
+    }
+    if (octets[0] === 192 && octets[1] === 168) {
+      throw new Error("SSRF Prevention: Blocked private address: " + ip);
+    }
+    if (octets[0] === 169 && octets[1] === 254) {
+      throw new Error("SSRF Prevention: Blocked link-local address: " + ip);
+    }
+    if (octets[0] === 0) {
+      throw new Error("SSRF Prevention: Blocked current network address: " + ip);
+    }
+  }
+  return url;
+}
+function validateEndpoint(endpoint) {
+  if (endpoint.includes("..")) {
+    throw new Error("SSRF Prevention: Path traversal detected in endpoint");
+  }
+  if (endpoint.includes("\\")) {
+    throw new Error("SSRF Prevention: Backslash detected in endpoint");
+  }
+}
+function createOpenAPIFetcher(config) {
+  const { baseUrl, endpoint, method = "get", params, body, headers = {}, auth, schema } = config;
+  const validatedBaseUrl = validateFetchUrl(baseUrl);
+  validateEndpoint(endpoint);
+  return async () => {
+    const url = new URL(endpoint, validatedBaseUrl.toString());
+    if (params) {
+      Object.entries(params).forEach(([key, value]) => {
+        url.searchParams.append(key, String(value));
+      });
+    }
+    const requestHeaders = {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      ...headers
+    };
+    if (auth) {
+      if (auth.type === "bearer" && auth.token) {
+        requestHeaders["Authorization"] = `Bearer ${auth.token}`;
+      } else if (auth.type === "apiKey" && auth.apiKey) {
+        requestHeaders[auth.headerName ?? "X-API-Key"] = auth.apiKey;
+      }
+    }
+    const supportsBody = ["post", "put", "patch", "delete"].includes(method);
+    const response = await fetch(url.toString(), {
+      method: method.toUpperCase(),
+      headers: requestHeaders,
+      body: supportsBody && body ? JSON.stringify(body) : void 0
+    });
+    if (!response.ok) {
+      const safeStatus = response.status;
+      throw new Error("API error: " + safeStatus);
+    }
+    const result = await response.json();
+    if (schema) {
+      return schema.parse(result);
+    }
+    return result;
+  };
+}
 export {
+  ApprovedSpecsValidator,
   ClientGenerator,
   CollectionProviderGenerator,
+  EndpointFilter,
   OpenAPICollectionProvider,
   OpenAPIParser,
   OpenAPIPlugin,
   SchemaResolver,
   TypeGenerator,
   ZodSchemaGenerator,
+  createOpenAPIFetcher,
   createOpenAPIPlugin
 };