@techspokes/typescript-wsdl-client 0.17.0 → 0.19.2

package/dist/util/builder.js

@@ -40,7 +40,7 @@ export function buildOpenApiOptionsFromArgv(argv, format, servers) {
         opsFile: argv["openapi-ops-file"],
         pathStyle: argv["openapi-path-style"],
         pruneUnusedSchemas: argv["openapi-prune-unused-schemas"],
-        securityConfigFile: argv["openapi-security-file"],
+        securityConfigFile: (argv["openapi-security-config-file"] || argv["openapi-security-file"]),
         servers,
         skipValidate: false, // Always validate
         tagStyle: argv["openapi-tag-style"],

package/dist/util/runtimeSource.d.ts

@@ -1,2 +1,3 @@
 export declare function loadRuntimeSource(filename: string): string;
+export declare function loadRuntimeTemplate(filename: string): string;
 //# sourceMappingURL=runtimeSource.d.ts.map

package/dist/util/runtimeSource.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runtimeSource.d.ts","sourceRoot":"","sources":["../../src/util/runtimeSource.ts"],"names":[],"mappings":"AAsCA,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAI1D"}
+{"version":3,"file":"runtimeSource.d.ts","sourceRoot":"","sources":["../../src/util/runtimeSource.ts"],"names":[],"mappings":"AAsCA,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAI1D;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAG5D"}

package/dist/util/runtimeSource.js

@@ -36,3 +36,7 @@ export function loadRuntimeSource(filename) {
     const raw = fs.readFileSync(abs, "utf-8");
     return HEADER(filename) + "\n" + raw;
 }
+export function loadRuntimeTemplate(filename) {
+    const abs = resolveRuntimeSourcePath(filename);
+    return fs.readFileSync(abs, "utf-8");
+}

package/dist/util/securityConfig.d.ts

@@ -0,0 +1,115 @@
+export type GatewayAuthScheme = "none" | "basic" | "bearer" | "apiKey" | "oauth2" | "mutualTLS" | "openIdConnect";
+export type SecurityHeaderConfig = {
+    name: string;
+    required?: boolean;
+    schema?: any;
+};
+export type GatewaySecurityGlobal = {
+    scheme?: GatewayAuthScheme;
+    apiKey?: {
+        in: "header" | "query" | "cookie";
+        name: string;
+    };
+    bearer?: {
+        bearerFormat?: string;
+    };
+    basic?: Record<string, never>;
+    oauth2?: {
+        flows: Record<string, any>;
+    };
+    openIdConnect?: {
+        openIdConnectUrl: string;
+    };
+    mutualTLS?: {
+        description?: string;
+    };
+    headers?: SecurityHeaderConfig[];
+};
+export type GatewaySecurityOperation = {
+    scheme?: GatewayAuthScheme;
+    headers?: SecurityHeaderConfig[];
+};
+export type UpstreamSecurityConfig = {
+    profile?: "none" | "basic" | "bearer" | "ws-security-username-token" | "client-ssl" | "client-ssl-pfx" | "x509" | "ntlm" | "custom";
+    usernameEnv?: string;
+    passwordEnv?: string;
+    tokenEnv?: string;
+    domainEnv?: string;
+    workstationEnv?: string;
+    keyFileEnv?: string;
+    certFileEnv?: string;
+    caFileEnv?: string;
+    pfxFileEnv?: string;
+    passphraseEnv?: string;
+    endpointEnv?: string;
+    wsdlHeaders?: Record<string, string>;
+    wsdlHeaderEnv?: Record<string, string>;
+    requestHeaders?: Record<string, string>;
+    requestHeaderEnv?: Record<string, string>;
+    wsSecurity?: {
+        passwordType?: "PasswordText" | "PasswordDigest";
+        hasTimeStamp?: boolean;
+        hasTokenCreated?: boolean;
+        hasNonce?: boolean;
+        mustUnderstand?: boolean;
+        actor?: string;
+    };
+};
+export type SecurityConfig = {
+    gateway?: {
+        global?: GatewaySecurityGlobal;
+        operations?: Record<string, GatewaySecurityOperation>;
+        overrides?: Record<string, GatewaySecurityOperation>;
+    };
+    upstream?: UpstreamSecurityConfig;
+    headers?: {
+        passThrough?: string[];
+        mappings?: Array<{
+            from: string;
+            to: string;
+            required?: boolean;
+        }>;
+    };
+};
+export type BuiltSecurity = {
+    securitySchemes?: Record<string, any>;
+    headerParameters: Record<string, any>;
+    opSecurity: Record<string, any[] | undefined>;
+    opHeaderParameters: Record<string, string[]>;
+    globalSecurity?: any[];
+};
+export declare class SecurityConfigError extends Error {
+    constructor(message: string);
+}
+/**
+ * Loads and normalizes a JSON security configuration file.
+ *
+ * @param filePath - Optional path to the JSON config. Undefined returns undefined.
+ * @returns Parsed security configuration, or undefined when no file is provided.
+ * @throws SecurityConfigError when the parsed JSON shape is invalid.
+ * @throws SyntaxError when the file is not valid JSON.
+ */
+export declare function loadSecurityConfigFile(filePath?: string): SecurityConfig | undefined;
+/**
+ * Normalizes the shared gateway and upstream SOAP security config.
+ *
+ * @param input - Raw JSON value from a security config file or programmatic caller.
+ * @returns Normalized security config with legacy OpenAPI-only shape mapped to `gateway`.
+ * @throws SecurityConfigError when a section or scheme is malformed.
+ */
+export declare function parseSecurityConfig(input: unknown): SecurityConfig;
+/**
+ * Builds the OpenAPI-facing security schemes, requirements, and header parameters.
+ *
+ * @param cfg - Normalized shared security config.
+ * @returns Deterministic OpenAPI security fragments consumed by the OpenAPI generator.
+ */
+export declare function buildSecurity(cfg?: SecurityConfig): BuiltSecurity;
+/**
+ * Checks whether a generated app needs an upstream SOAP security helper.
+ *
+ * @param cfg - Normalized shared security config.
+ * @returns True when `upstream.profile` is configured to anything other than `none`.
+ */
+export declare function hasUpstreamRuntimeSecurity(cfg?: SecurityConfig): boolean;
+//# sourceMappingURL=securityConfig.d.ts.map

package/dist/util/securityConfig.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"securityConfig.d.ts","sourceRoot":"","sources":["../../src/util/securityConfig.ts"],"names":[],"mappings":"AAGA,MAAM,MAAM,iBAAiB,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,WAAW,GAAG,eAAe,CAAC;AAElH,MAAM,MAAM,oBAAoB,GAAG;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,GAAG,CAAC;CACd,CAAC;AAEF,MAAM,MAAM,qBAAqB,GAAG;IAClC,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,MAAM,CAAC,EAAE;QAAC,EAAE,EAAE,QAAQ,GAAG,OAAO,GAAG,QAAQ,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAC,CAAC;IAC3D,MAAM,CAAC,EAAE;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IACjC,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC9B,MAAM,CAAC,EAAE;QAAC,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;KAAC,CAAC;IACtC,aAAa,CAAC,EAAE;QAAC,gBAAgB,EAAE,MAAM,CAAA;KAAC,CAAC;IAC3C,SAAS,CAAC,EAAE;QAAC,WAAW,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IACnC,OAAO,CAAC,EAAE,oBAAoB,EAAE,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,wBAAwB,GAAG;IACrC,MAAM,CAAC,EAAE,iBAAiB,CAAC;IAC3B,OAAO,CAAC,EAAE,oBAAoB,EAAE,CAAC;CAClC,CAAC;AAEF,MAAM,MAAM,sBAAsB,GAAG;IACnC,OAAO,CAAC,EACJ,MAAM,GACN,OAAO,GACP,QAAQ,GACR,4BAA4B,GAC5B,YAAY,GACZ,gBAAgB,GAChB,MAAM,GACN,MAAM,GACN,QAAQ,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACrC,aAAa,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACvC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACxC,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC1C,UAAU,CAAC,EAAE;QACX,YAAY,CAAC,EAAE,cAAc,GAAG,gBAAgB,CAAC;QACjD,YAAY,CAAC,EAAE,OAAO,CAAC;QACvB,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,QAAQ,CAAC,EAAE,OAAO,CAAC;QACnB,cAAc,CAAC,EAAE,OAAO,CAAC;QACzB,KAAK,CAAC,EAAE,MAAM,CAAC;KAChB,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,cAAc,GAAG;IAC3B,OAAO,CAAC,EAAE;QACR,MAAM,CAAC,EAAE,qBAAqB,CAAC;QAC/B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAAC;QACtD,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAAC;KACtD,CAAC;IACF,QAAQ,CAAC,EAAE,sBAAsB,CAAC;IAClC,OAAO,CAAC,EAAE;QACR,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;QACvB,QAAQ,CAAC,EAAE,KAAK,CAAC;YAAC,IAAI,EAAE,MAAM,CAAC;YAAC,EAAE,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;SAAC,CAAC,CAAC;KAClE,CAAC;CACH,CAAC;AAEF,MAAM,MAAM,aAAa,GAAG;IAC1B,eAAe,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACtC,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACtC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,CAAC;IAC9C,kBAAkB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7C,cAAc,CAAC,EAAE,GAAG,EAAE,CAAC;CACxB,CAAC;AAEF,qBAAa,mBAAoB,SAAQ,KAAK;gBAChC,OAAO,EAAE,MAAM;CAI5B;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAIpF;AAED;;;;;;GAMG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,cAAc,CAuBlE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,CAAC,EAAE,cAAc,GAAG,aAAa,CA0DjE;AAED;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,GAAG,CAAC,EAAE,cAAc,GAAG,OAAO,CAExE"}

package/dist/util/securityConfig.js

@@ -0,0 +1,274 @@
+import fs from "node:fs";
+import { trimRepeatedEdgeChar } from "./tools.js";
+export class SecurityConfigError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "SecurityConfigError";
+    }
+}
+/**
+ * Loads and normalizes a JSON security configuration file.
+ *
+ * @param filePath - Optional path to the JSON config. Undefined returns undefined.
+ * @returns Parsed security configuration, or undefined when no file is provided.
+ * @throws SecurityConfigError when the parsed JSON shape is invalid.
+ * @throws SyntaxError when the file is not valid JSON.
+ */
+export function loadSecurityConfigFile(filePath) {
+    if (!filePath)
+        return undefined;
+    const raw = fs.readFileSync(filePath, "utf8");
+    return parseSecurityConfig(JSON.parse(raw));
+}
+/**
+ * Normalizes the shared gateway and upstream SOAP security config.
+ *
+ * @param input - Raw JSON value from a security config file or programmatic caller.
+ * @returns Normalized security config with legacy OpenAPI-only shape mapped to `gateway`.
+ * @throws SecurityConfigError when a section or scheme is malformed.
+ */
+export function parseSecurityConfig(input) {
+    if (!isRecord(input)) {
+        throw new SecurityConfigError("Security config must be a JSON object.");
+    }
+    const root = input;
+    const gatewaySource = isRecord(root.gateway)
+        ? root.gateway
+        : hasLegacyGatewayShape(root)
+            ? { global: root.global, overrides: root.overrides }
+            : undefined;
+    const cfg = {};
+    if (gatewaySource) {
+        cfg.gateway = parseGatewaySecurity(gatewaySource);
+    }
+    if (root.upstream !== undefined) {
+        cfg.upstream = parseUpstreamSecurity(root.upstream);
+    }
+    if (root.headers !== undefined) {
+        cfg.headers = parseHeaderForwarding(root.headers);
+    }
+    return cfg;
+}
+/**
+ * Builds the OpenAPI-facing security schemes, requirements, and header parameters.
+ *
+ * @param cfg - Normalized shared security config.
+ * @returns Deterministic OpenAPI security fragments consumed by the OpenAPI generator.
+ */
+export function buildSecurity(cfg) {
+    const securitySchemes = {};
+    const headerParameters = {};
+    const opSecurity = {};
+    const opHeaderParameters = {};
+    const gateway = cfg?.gateway;
+    const global = gateway?.global;
+    if (!global) {
+        return { securitySchemes: undefined, headerParameters, opSecurity, opHeaderParameters };
+    }
+    const schemeName = "defaultAuth";
+    const scheme = global.scheme || "none";
+    const hasGlobal = scheme !== "none";
+    if (hasGlobal) {
+        securitySchemes[schemeName] = buildSecurityScheme(scheme, global);
+    }
+    for (const h of global.headers || []) {
+        headerParameters[makeParamComponentName(h.name)] = buildHeaderParameter(h);
+    }
+    const operations = {
+        ...(gateway.overrides || {}),
+        ...(gateway.operations || {}),
+    };
+    for (const [opName, override] of Object.entries(operations)) {
+        const oScheme = override.scheme ?? scheme;
+        if (oScheme === "none") {
+            opSecurity[opName] = [{}];
+        }
+        else if (oScheme === scheme) {
+            opSecurity[opName] = hasGlobal ? [{ [schemeName]: [] }] : undefined;
+        }
+        else {
+            const altName = `${schemeName}_${oScheme}`;
+            if (!securitySchemes[altName]) {
+                securitySchemes[altName] = buildSecurityScheme(oScheme, global);
+            }
+            opSecurity[opName] = [{ [altName]: [] }];
+        }
+        const headers = [...(global.headers || []), ...(override.headers || [])];
+        opHeaderParameters[opName] = headers.map(h => makeParamComponentName(h.name));
+        for (const h of override.headers || []) {
+            const compName = makeParamComponentName(h.name);
+            if (!headerParameters[compName]) {
+                headerParameters[compName] = buildHeaderParameter(h);
+            }
+        }
+    }
+    return {
+        securitySchemes: Object.keys(securitySchemes).length ? securitySchemes : undefined,
+        headerParameters,
+        opSecurity,
+        opHeaderParameters,
+        globalSecurity: hasGlobal ? [{ [schemeName]: [] }] : undefined,
+    };
+}
+/**
+ * Checks whether a generated app needs an upstream SOAP security helper.
+ *
+ * @param cfg - Normalized shared security config.
+ * @returns True when `upstream.profile` is configured to anything other than `none`.
+ */
+export function hasUpstreamRuntimeSecurity(cfg) {
+    return !!cfg?.upstream && (cfg.upstream.profile ?? "none") !== "none";
+}
+function parseGatewaySecurity(input) {
+    const global = input.global === undefined ? undefined : parseGatewayGlobal(input.global);
+    const operations = input.operations === undefined ? undefined : parseGatewayOperations(input.operations, "operations");
+    const overrides = input.overrides === undefined ? undefined : parseGatewayOperations(input.overrides, "overrides");
+    return { global, operations, overrides };
+}
+function parseGatewayGlobal(input) {
+    if (!isRecord(input)) {
+        throw new SecurityConfigError("gateway.global must be an object.");
+    }
+    const scheme = parseGatewayScheme(input.scheme, "gateway.global.scheme");
+    return {
+        ...(scheme ? { scheme } : {}),
+        ...(isRecord(input.apiKey) ? { apiKey: parseApiKey(input.apiKey) } : {}),
+        ...(isRecord(input.bearer) ? { bearer: input.bearer } : {}),
+        ...(isRecord(input.basic) ? { basic: {} } : {}),
+        ...(isRecord(input.oauth2) ? { oauth2: input.oauth2 } : {}),
+        ...(isRecord(input.openIdConnect) ? { openIdConnect: input.openIdConnect } : {}),
+        ...(isRecord(input.mutualTLS) ? { mutualTLS: input.mutualTLS } : {}),
+        ...(input.headers !== undefined ? { headers: parseHeaders(input.headers, "gateway.global.headers") } : {}),
+    };
+}
+function parseGatewayOperations(input, label) {
+    if (!isRecord(input)) {
+        throw new SecurityConfigError(`gateway.${label} must be an object keyed by operation name.`);
+    }
+    const out = {};
+    for (const [opName, value] of Object.entries(input)) {
+        if (!isRecord(value)) {
+            throw new SecurityConfigError(`gateway.${label}.${opName} must be an object.`);
+        }
+        const scheme = parseGatewayScheme(value.scheme, `gateway.${label}.${opName}.scheme`);
+        out[opName] = {
+            ...(scheme ? { scheme } : {}),
+            ...(value.headers !== undefined ? { headers: parseHeaders(value.headers, `gateway.${label}.${opName}.headers`) } : {}),
+        };
+    }
+    return out;
+}
+function parseUpstreamSecurity(input) {
+    if (!isRecord(input)) {
+        throw new SecurityConfigError("upstream must be an object.");
+    }
+    const profile = input.profile === undefined ? undefined : String(input.profile);
+    const allowed = new Set(["none", "basic", "bearer", "ws-security-username-token", "client-ssl", "client-ssl-pfx", "x509", "ntlm", "custom"]);
+    if (profile && !allowed.has(profile)) {
+        throw new SecurityConfigError(`Unsupported upstream.profile '${profile}'.`);
+    }
+    return input;
+}
+function parseHeaderForwarding(input) {
+    if (!isRecord(input)) {
+        throw new SecurityConfigError("headers must be an object.");
+    }
+    const passThrough = input.passThrough === undefined ? undefined : parseStringArray(input.passThrough, "headers.passThrough");
+    const mappings = input.mappings === undefined ? undefined : parseMappings(input.mappings);
+    return {
+        ...(passThrough ? { passThrough } : {}),
+        ...(mappings ? { mappings } : {}),
+    };
+}
+function parseHeaders(input, label) {
+    if (!Array.isArray(input)) {
+        throw new SecurityConfigError(`${label} must be an array.`);
+    }
+    return input.map((entry, index) => {
+        if (!isRecord(entry) || typeof entry.name !== "string" || !entry.name.trim()) {
+            throw new SecurityConfigError(`${label}[${index}].name must be a non-empty string.`);
+        }
+        return {
+            name: entry.name,
+            ...(entry.required !== undefined ? { required: Boolean(entry.required) } : {}),
+            ...(entry.schema !== undefined ? { schema: entry.schema } : {}),
+        };
+    });
+}
+function parseGatewayScheme(input, label) {
+    if (input === undefined)
+        return undefined;
+    const scheme = String(input);
+    if (!["none", "basic", "bearer", "apiKey", "oauth2", "mutualTLS", "openIdConnect"].includes(scheme)) {
+        throw new SecurityConfigError(`Unsupported ${label} '${scheme}'.`);
+    }
+    return scheme;
+}
+function parseApiKey(input) {
+    const location = input.in === undefined ? "header" : String(input.in);
+    if (!["header", "query", "cookie"].includes(location)) {
+        throw new SecurityConfigError("apiKey.in must be header, query, or cookie.");
+    }
+    const name = input.name === undefined ? "X-API-Key" : String(input.name);
+    if (!name) {
+        throw new SecurityConfigError("apiKey.name must be a non-empty string.");
+    }
+    return { in: location, name };
+}
+function parseStringArray(input, label) {
+    if (!Array.isArray(input) || input.some(v => typeof v !== "string" || !v)) {
+        throw new SecurityConfigError(`${label} must be an array of non-empty strings.`);
+    }
+    return input;
+}
+function parseMappings(input) {
+    if (!Array.isArray(input)) {
+        throw new SecurityConfigError("headers.mappings must be an array.");
+    }
+    return input.map((entry, index) => {
+        if (!isRecord(entry) || typeof entry.from !== "string" || typeof entry.to !== "string" || !entry.from || !entry.to) {
+            throw new SecurityConfigError(`headers.mappings[${index}] must define non-empty from and to strings.`);
+        }
+        return {
+            from: entry.from,
+            to: entry.to,
+            ...(entry.required !== undefined ? { required: Boolean(entry.required) } : {}),
+        };
+    });
+}
+function buildSecurityScheme(scheme, global) {
+    switch (scheme) {
+        case "basic":
+            return { type: "http", scheme: "basic" };
+        case "bearer":
+            return { type: "http", scheme: "bearer", ...(global.bearer || {}) };
+        case "apiKey":
+            return { type: "apiKey", ...(global.apiKey || { in: "header", name: "X-API-Key" }) };
+        case "oauth2":
+            return { type: "oauth2", ...(global.oauth2 || { flows: {} }) };
+        case "mutualTLS":
+            return { type: "mutualTLS", ...(global.mutualTLS || {}) };
+        case "openIdConnect":
+            return { type: "openIdConnect", ...(global.openIdConnect || { openIdConnectUrl: "" }) };
+        case "none":
+            return undefined;
+    }
+}
+function buildHeaderParameter(h) {
+    return {
+        name: h.name,
+        in: "header",
+        required: !!h.required,
+        schema: h.schema || { type: "string" },
+    };
+}
+function makeParamComponentName(headerName) {
+    return trimRepeatedEdgeChar(headerName.replace(/[^A-Za-z0-9]+/g, "_"), "_")
+        || "X_Header";
+}
+function hasLegacyGatewayShape(root) {
+    return root.global !== undefined || root.overrides !== undefined;
+}
+function isRecord(value) {
+    return !!value && typeof value === "object" && !Array.isArray(value);
+}

package/dist/util/tools.d.ts

@@ -25,6 +25,14 @@ import type { CompiledCatalog } from "../compiler/schemaCompiler.js";
  * @returns {T[]} - Array containing the value(s) or empty array if null/undefined
  */
 export declare function normalizeArray<T>(x: T | T[] | undefined | null): T[];
+/**
+ * Removes one repeated edge character without regex backtracking.
+ *
+ * @param value - Value to trim.
+ * @param char - Single character to remove from both edges.
+ * @returns Input without repeated leading or trailing `char` values.
+ */
+export declare function trimRepeatedEdgeChar(value: string, char: string): string;
 /**
  * Collects direct children whose local name matches (prefix-agnostic)
  *

package/dist/util/tools.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../../src/util/tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,+BAA+B,CAAC;AAEnE;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,SAAS,GAAG,IAAI,GAAG,CAAC,EAAE,CAGpE;AAED;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,EAAE,CASxE;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,GAAG,SAAS,CAK/E;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CA6BxC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAS/B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,eAAe,GACxB,MAAM,CAWR;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAMjD;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAInD"}
+{"version":3,"file":"tools.d.ts","sourceRoot":"","sources":["../../src/util/tools.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,+BAA+B,CAAC;AAEnE;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,GAAG,SAAS,GAAG,IAAI,GAAG,CAAC,EAAE,CAGpE;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAMxE;AAED;;;;;;;;;GASG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,EAAE,CASxE;AAED;;;;;;;;;GASG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,GAAG,GAAG,GAAG,SAAS,CAK/E;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,MAAM,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CA6BxC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAC1B,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAS/B;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,eAAe,GACxB,MAAM,CAWR;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAMjD;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAInD"}

package/dist/util/tools.js

@@ -13,6 +13,22 @@ export function normalizeArray(x) {
         return [];
     return Array.isArray(x) ? x : [x];
 }
+/**
+ * Removes one repeated edge character without regex backtracking.
+ *
+ * @param value - Value to trim.
+ * @param char - Single character to remove from both edges.
+ * @returns Input without repeated leading or trailing `char` values.
+ */
+export function trimRepeatedEdgeChar(value, char) {
+    let start = 0;
+    let end = value.length;
+    while (start < end && value[start] === char)
+        start += 1;
+    while (end > start && value[end - 1] === char)
+        end -= 1;
+    return value.slice(start, end);
+}
 /**
  * Collects direct children whose local name matches (prefix-agnostic)
  *

package/docs/README.md

@@ -12,7 +12,7 @@ Human-maintained reference documents for `@techspokes/typescript-wsdl-client`. T
 
 - [cli-reference.md](cli-reference.md): all 6 commands with flags and examples
 - [generated-code.md](generated-code.md): using clients, types, and operations
-- [configuration.md](configuration.md): security schemes, tags, operations config files
+- [configuration.md](configuration.md): gateway security, upstream SOAP security, tags, operations config files
 - [migration-playbook.md](migration-playbook.md): end-to-end SOAP modernization guide
 
 ## Operate
@@ -42,7 +42,7 @@ Human-maintained reference documents for `@techspokes/typescript-wsdl-client`. T
 - [Root README](../README.md): project overview, quick start, and authoritative Documentation section
 - [CONTRIBUTING.md](../CONTRIBUTING.md): development setup and workflow
 - [CHANGELOG.md](../CHANGELOG.md): version history
-- [examples/](../examples/): sample WSDL files and generated output
+- [examples](../examples/README.md): sample WSDL files and generated output
 
 ## Not Here
 

package/docs/api-reference.md

@@ -33,7 +33,7 @@ await compileWsdlToProject({
 ### Type Signature
 
 ```typescript
-function compileWsdlToProject(input: {
+declare function compileWsdlToProject(input: {
   wsdl: string;
   outDir: string;
   options?: Partial<CompilerOptions>;
@@ -92,7 +92,7 @@ const { doc, jsonPath, yamlPath } = await generateOpenAPI({
 ### Type Signature
 
 ```typescript
-function generateOpenAPI(opts: GenerateOpenAPIOptions): Promise<{
+declare function generateOpenAPI(opts: GenerateOpenAPIOptions): Promise<{
   doc: any;
   jsonPath?: string;
   yamlPath?: string;
@@ -129,6 +129,10 @@ interface GenerateOpenAPIOptions {
 }
 ```
 
+`securityConfigFile` accepts the shared security configuration documented in
+[Configuration](configuration.md#security-configuration). The config can describe
+gateway OpenAPI security and upstream SOAP runtime security for generated apps.
+
 ## generateGateway
 
 Generate Fastify gateway code from an OpenAPI specification.
@@ -150,7 +154,7 @@ await generateGateway({
 ### Type Signature
 
 ```typescript
-function generateGateway(opts: GenerateGatewayOptions): Promise<void>;
+declare function generateGateway(opts: GenerateGatewayOptions): Promise<void>;
 ```
 
 ### GenerateGatewayOptions
@@ -203,7 +207,7 @@ const { compiled, openapiDoc } = await runGenerationPipeline({
 ### Type Signature
 
 ```typescript
-function runGenerationPipeline(opts: PipelineOptions): Promise<{
+declare function runGenerationPipeline(opts: PipelineOptions): Promise<{
   compiled: CompiledCatalog;
   openapiDoc?: any;
 }>;
@@ -332,6 +336,26 @@ interface OperationStreamMetadata {
 
 Exactly one of `wsdlSource` or `catalogFile` must be set on each `ShapeCatalogRef`. `OperationStreamMetadata` is produced by the parser; `sourceOutputTypeName` is populated by the compiler when it binds the operation to the main WSDL.
 
+## Security Configuration Helpers
+
+Parse and build the shared security configuration used by OpenAPI generation and
+the app scaffold.
+
+```typescript
+import {
+  buildSecurity,
+  loadSecurityConfigFile,
+  parseSecurityConfig,
+} from "@techspokes/typescript-wsdl-client";
+
+const config = loadSecurityConfigFile("./security.json");
+const built = buildSecurity(config);
+console.log(built.securitySchemes);
+```
+
+`parseSecurityConfig` accepts the same JSON shape as `loadSecurityConfigFile`.
+`SecurityConfigError` is thrown for invalid schemes or malformed sections.
+
 ## End-to-End Example
 
 Compile with a stream config, verify the catalog carries the expected metadata, and run the full pipeline:

package/docs/architecture.md

@@ -53,7 +53,7 @@ generateClient.ts emits the client class with one method per operation. generate
 
 ### openapi/
 
-generateOpenAPI.ts orchestrates the complete OpenAPI document. generateSchemas.ts converts compiled types to JSON Schema. generatePaths.ts generates path items from operations. security.ts processes security configuration files. casing.ts handles path style transformation.
+generateOpenAPI.ts orchestrates the complete OpenAPI document. generateSchemas.ts converts compiled types to JSON Schema. generatePaths.ts generates path items from operations. security.ts adapts the shared security configuration model for OpenAPI. casing.ts handles path style transformation.
 
 ### gateway/
 

package/docs/cli-reference.md

@@ -92,7 +92,7 @@ The catalog is auto-placed alongside the first available output directory: `{cli
 | `--openapi-envelope-namespace` | `ResponseEnvelope` | Envelope component name suffix |
 | `--openapi-error-namespace` | `ErrorObject` | Error object name suffix |
 | `--openapi-validate` | `true` | Validate spec with swagger-parser |
-| `--openapi-security-config-file` | | Path to security.json |
+| `--openapi-security-config-file` | | Path to security.json; `--openapi-security-file` is accepted as an alias |
 | `--openapi-tags-file` | | Path to tags.json |
 | `--openapi-ops-file` | | Path to ops.json |
 
@@ -473,6 +473,7 @@ npx wsdl-tsc app \
 | `--prefix` | (empty) | Route prefix |
 | `--logger` | true | Enable Fastify logger |
 | `--openapi-mode` | copy | copy or reference |
+| `--security-config-file` | (none) | Path to security.json for upstream SOAP security scaffold |
 | `--force` | false | Overwrite existing scaffold files |
 
 ### Generated Structure
@@ -499,6 +500,8 @@ app/
 | `LOGGER` | true | Fastify logger |
 | `OPENAPI_SERVER_URL` | (empty) | Override OpenAPI spec server URL at runtime |
 
+When `--security-config-file` is supplied and it contains an `upstream` profile, `.env.example` also lists the environment variables referenced by that profile.
+
 ### Endpoints
 
 - `GET /health` returns `{ "ok": true }`

package/docs/configuration.md

@@ -8,28 +8,43 @@ See [CLI Reference](cli-reference.md) for flag details and [README](../README.md
 
 Pass via `--openapi-security-config-file`.
 
-Defines security schemes, headers, and per-operation overrides.
+Defines REST gateway security, request headers, and upstream SOAP security. The `gateway` section describes the generated REST API in OpenAPI and adds Fastify header validation. The `upstream` section is used by the generated app scaffold to build `node-soap` runtime options from environment variables.
 
 ```json
 {
-  "global": {
-    "scheme": "bearer",
-    "bearer": { "bearerFormat": "JWT" },
-    "headers": [
-      {
-        "name": "X-Correlation-Id",
-        "required": false,
-        "schema": { "type": "string" }
-      }
-    ]
+  "gateway": {
+    "global": {
+      "scheme": "bearer",
+      "bearer": { "bearerFormat": "JWT" },
+      "headers": [
+        {
+          "name": "X-Correlation-Id",
+          "required": false,
+          "schema": { "type": "string" }
+        }
+      ]
+    },
+    "operations": {
+      "CancelBooking": { "scheme": "apiKey" },
+      "HealthCheck": { "scheme": "none" }
+    }
   },
-  "overrides": {
-    "CancelBooking": { "scheme": "apiKey" }
+  "upstream": {
+    "profile": "ws-security-username-token",
+    "usernameEnv": "SOAP_USERNAME",
+    "passwordEnv": "SOAP_PASSWORD",
+    "endpointEnv": "SOAP_ENDPOINT"
   }
 }
 ```
 
-Supported schemes: none, basic, bearer, apiKey, oauth2.
+Gateway schemes: none, basic, bearer, apiKey, oauth2, mutualTLS, openIdConnect.
+
+Upstream SOAP profiles: none, basic, bearer, ws-security-username-token, client-ssl, client-ssl-pfx, x509, ntlm, custom.
+
+The older OpenAPI-only shape with top-level `global` and `overrides` is still accepted. New projects should use `gateway.global` and `gateway.operations`.
+
+The generated app scaffold reads upstream secrets from environment variables. It does not embed secret values in generated source and does not implement production JWT, OAuth, or API-key verification for inbound gateway requests. Add that verification in app hooks or your platform gateway.
 
 ## Tags Configuration
 
@@ -107,8 +122,8 @@ terminal-error policy.
 
 ## Example Files
 
-Example configuration files are available in the `examples/openapi/` directory:
+Example configuration files are available in the `examples/config/` directory:
 
-- `examples/openapi/security.json` for security scheme configuration
-- `examples/openapi/tags.json` for tag mapping
-- `examples/openapi/ops.json` for operation overrides
+- `examples/config/security.json` for gateway and upstream security configuration
+- `examples/config/tags.json` for tag mapping
+- `examples/config/ops.json` for operation overrides