caplets 0.17.2 → 0.17.3

package/README.md

@@ -548,7 +548,18 @@ This repository includes polished working examples under [`caplets/`](caplets/):
 - `linear`: Linear's hosted OAuth MCP endpoint.
 - `context7`: Context7 documentation lookup through `@upstash/context7-mcp`.
 - `repo-cli`: Read-oriented repository CLI workflows through `git` and package scripts.
-- `github-cli`: Read-oriented GitHub workflows through the `gh` CLI.
+- `ast-grep`: Structural code search, scan, rewrite, rule testing, and scaffolding through the `ast-grep` CLI.
+- `osv`: OSV.dev vulnerability lookups through explicit read-only HTTP actions.
+- `npm`: npm registry operations through npm's published OpenAPI spec URL.
+- `pypi`: PyPI project metadata, release metadata, and Simple API JSON through a curated OpenAPI spec.
+- `deepwiki`: Repository-focused documentation and architecture context through DeepWiki MCP.
+- `sourcegraph`: Cross-repository code search and navigation through Sourcegraph MCP.
+- `playwright`: Headless browser automation for frontend inspection and testing through Playwright MCP.
+- `coding-agent-toolkit`: A CapletSet that bundles high-value coding-agent examples; source children are symlinks to canonical top-level examples and installed copies are materialized as self-contained files/directories.
+- `github-cli`: Pre-existing secondary read-oriented GitHub workflows through the `gh` CLI; prefer the canonical `github` MCP example for the polished GitHub integration.
+
+GraphQL is intentionally skipped in this showcase batch so the examples can focus on HTTP,
+OpenAPI, MCP, CLI, and CapletSet coverage without duplicating GitHub or GitLab surfaces.
 
 Install every example from a repo's `caplets/` directory into the current project's
 `./.caplets` directory:

package/dist/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { createRequire } from "node:module";
-import { accessSync, chmodSync, closeSync, constants, cpSync, existsSync, lstatSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, renameSync, rmSync, statSync, watch, writeFileSync, writeSync } from "node:fs";
-import minpath, { basename, delimiter, dirname, extname, isAbsolute, join, parse, posix, relative, resolve, win32 } from "node:path";
+import { accessSync, chmodSync, closeSync, constants, copyFileSync, cpSync, existsSync, lstatSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, readlinkSync, realpathSync, renameSync, rmSync, statSync, watch, writeFileSync, writeSync } from "node:fs";
+import minpath, { basename, delimiter, dirname, extname, isAbsolute, join, parse, posix, relative, resolve, sep, win32 } from "node:path";
 import { execFileSync, spawn } from "node:child_process";
 import process$1, { stdin, stdout } from "node:process";
 import { fileURLToPath } from "node:url";
@@ -4709,7 +4709,7 @@ function generatedToolInputJsonSchema() {
 	return generatedToolInputJsonSchemaForCaplet({ backend: "tool" });
 }
 //#endregion
-//#region ../core/dist/options-bnsSREid.js
+//#region ../core/dist/options-j9p3L3r1.js
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -56439,8 +56439,21 @@ async function loadOpenApiSource(endpoint, authDir) {
 	if (endpoint.specPath) return endpoint.specPath;
 	if (!endpoint.specUrl) throw new CapletsError("CONFIG_INVALID", `${endpoint.server} is missing OpenAPI spec source`);
 	if (!endpoint.baseUrl) throw new CapletsError("CONFIG_INVALID", `${endpoint.server} must configure baseUrl when using remote specUrl`);
-	const response = await fetchWithLimit(endpoint.specUrl, endpoint.requestTimeoutMs, shouldSendSpecAuth(endpoint) ? authHeaders(endpoint, authDir) : {});
-	return JSON.parse(response);
+	return parseOpenApiSourceText(await fetchWithLimit(endpoint.specUrl, endpoint.requestTimeoutMs, shouldSendSpecAuth(endpoint) ? authHeaders(endpoint, authDir) : {}));
+}
+function parseOpenApiSourceText(source) {
+	let parsed;
+	try {
+		parsed = JSON.parse(source);
+	} catch (jsonError) {
+		try {
+			parsed = (0, import_dist$1.parse)(source);
+		} catch {
+			throw jsonError instanceof Error ? jsonError : new Error(String(jsonError));
+		}
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new Error("OpenAPI source must parse to an object");
+	return parsed;
 }
 function extractOperations(endpoint, document) {
 	const operations = [];
@@ -56458,6 +56471,7 @@ function extractOperations(endpoint, document) {
 			const requestBody = requestBodyFor(operation);
 			const outputSchema = outputSchemaFor(operation);
 			const baseUrl = endpoint.baseUrl ?? firstServerUrl(document);
+			const staticHeaders = staticHeaderDefaultsFor(endpoint, parameters);
 			validateOperationBaseUrl(endpoint, baseUrl);
 			operations.push({
 				name,
@@ -56465,15 +56479,32 @@ function extractOperations(endpoint, document) {
 				path,
 				...typeof operation.summary === "string" ? { summary: operation.summary } : {},
 				...typeof operation.description === "string" ? { description: operation.description } : {},
-				inputSchema: inputSchemaFor(parameters, requestBody),
+				inputSchema: inputSchemaFor(parameters, requestBody, staticHeaders),
 				...outputSchema ? { outputSchema } : {},
 				...requestBody?.contentType ? { requestBodyContentType: requestBody.contentType } : {},
-				...baseUrl ? { baseUrl } : {}
+				...baseUrl ? { baseUrl } : {},
+				...Object.keys(staticHeaders).length ? { staticHeaders } : {}
 			});
 		}
 	}
 	return operations.sort((left, right) => left.name.localeCompare(right.name));
 }
+function staticHeaderDefaultsFor(endpoint, parameters) {
+	const configuredHeaderNames = configuredAuthHeaderNames(endpoint);
+	const headers = {};
+	for (const parameter of parameters) {
+		if (parameter?.in !== "header" || typeof parameter.name !== "string") continue;
+		const normalized = parameter.name.toLowerCase();
+		if (configuredHeaderNames.has(normalized) || FORBIDDEN_ARGUMENT_HEADERS.has(normalized) && normalized !== "accept") continue;
+		const defaultValue = parameter.schema?.default;
+		if ([
+			"string",
+			"number",
+			"boolean"
+		].includes(typeof defaultValue)) headers[parameter.name] = String(defaultValue);
+	}
+	return headers;
+}
 function requestBodyFor(operation) {
 	const requestBody = operation.requestBody;
 	if (!requestBody || typeof requestBody !== "object") return;
@@ -56534,19 +56565,20 @@ function structuredOutputSchema(bodySchema) {
 		}
 	};
 }
-function inputSchemaFor(parameters, requestBody) {
+function inputSchemaFor(parameters, requestBody, staticHeaders = {}) {
 	const schema = {
 		type: "object",
 		additionalProperties: false,
 		properties: {}
 	};
 	const required = [];
+	const protectedStaticHeaders = new Set(Object.keys(staticHeaders).map((key) => key.toLowerCase()).filter((key) => FORBIDDEN_ARGUMENT_HEADERS.has(key)));
 	for (const location of [
 		"path",
 		"query",
 		"header"
 	]) {
-		const locationParameters = parameters.filter((parameter) => parameter?.in === location);
+		const locationParameters = parameters.filter((parameter) => parameter?.in === location && !(location === "header" && protectedStaticHeaders.has(parameter.name?.toLowerCase())));
 		if (locationParameters.length === 0) continue;
 		const nestedRequired = locationParameters.filter((parameter) => parameter.required === true || location === "path").map((parameter) => parameter.name);
 		schema.properties[location] = {
@@ -56585,7 +56617,8 @@ function buildRequest(endpoint, operation, args, authDir) {
 	for (const [key, value] of Object.entries(asRecord(args.query))) if (value !== void 0 && value !== null) url.searchParams.append(key, serializeHttpValue("query", key, value));
 	const headers = new Headers();
 	applyAuth(headers, endpoint, authDir);
-	const configuredHeaderNames = endpoint.auth.type === "headers" ? new Set(Object.keys(endpoint.auth.headers).map((key) => key.toLowerCase())) : /* @__PURE__ */ new Set();
+	const configuredHeaderNames = configuredAuthHeaderNames(endpoint);
+	for (const [key, value] of Object.entries(operation.staticHeaders ?? {})) if (!headers.has(key) && !configuredHeaderNames.has(key.toLowerCase())) headers.set(key, value);
 	for (const [key, value] of Object.entries(asRecord(args.header))) if (value !== void 0 && value !== null) {
 		const normalized = key.toLowerCase();
 		if (FORBIDDEN_ARGUMENT_HEADERS.has(normalized) || configuredHeaderNames.has(normalized)) throw new CapletsError("REQUEST_INVALID", `Header ${key} cannot be supplied by arguments`);
@@ -56631,6 +56664,9 @@ function asRecord(value) {
 function applyAuth(headers, endpoint, authDir) {
 	for (const [key, value] of Object.entries(authHeaders(endpoint, authDir))) headers.set(key, value);
 }
+function configuredAuthHeaderNames(endpoint) {
+	return endpoint.auth.type === "headers" ? new Set(Object.keys(endpoint.auth.headers).map((key) => key.toLowerCase())) : /* @__PURE__ */ new Set();
+}
 function authHeaders(endpoint, authDir) {
 	switch (endpoint.auth.type) {
 		case "none": return {};
@@ -57625,7 +57661,7 @@ var CapletsEngine = class {
 		}
 	}
 	async completeCliWords(words) {
-		const { completeCliWords } = await Promise.resolve().then(() => completion_L23s2FGB_exports).then((n) => n.r);
+		const { completeCliWords } = await Promise.resolve().then(() => completion_Cq1z7ci2_exports).then((n) => n.r);
 		return await completeCliWords(words, {
 			config: this.registry.config,
 			managers: {
@@ -57963,8 +57999,8 @@ function hasEnv$1(value) {
 	return value !== void 0 && value.trim() !== "";
 }
 //#endregion
-//#region ../core/dist/completion-L23s2FGB.js
-var completion_L23s2FGB_exports = /* @__PURE__ */ __exportAll$1({
+//#region ../core/dist/completion-Cq1z7ci2.js
+var completion_Cq1z7ci2_exports = /* @__PURE__ */ __exportAll$1({
 	a: () => formatCapletList,
 	c: () => resolveCliConfigPaths,
 	i: () => trailingSpaceCompletionToken,
@@ -59827,7 +59863,7 @@ const EMPTY_COMPLETION_RESULT = { completion: {
 	values: [],
 	hasMore: false
 } };
-var version$1 = "0.18.2";
+var version$1 = "0.18.3";
 var CapletsMcpSession = class {
 	engine;
 	server;
@@ -63626,12 +63662,14 @@ function rejectCrossKindDestinationCollision(plan, destinationRoot) {
 function installPlan(caplet, options) {
 	const isDirectory = basename(caplet.path) === "CAPLET.md";
 	const sourcePath = isDirectory ? dirname(caplet.path) : caplet.path;
+	const sourceBoundary = dirname(sourcePath);
 	const sourcePathRelative = relative(options.repoRoot, sourcePath);
 	const destination = isDirectory ? join(options.destinationRoot, caplet.id) : join(options.destinationRoot, `${caplet.id}.md`);
 	return {
 		id: caplet.id,
 		source: `${options.sourceId}#${sourcePathRelative}`,
 		sourcePath,
+		sourceBoundary,
 		destination,
 		kind: isDirectory ? "directory" : "file"
 	};
@@ -63693,16 +63731,40 @@ function removeInstallPath(path, label, force) {
 }
 function copyInstallPath(plan) {
 	try {
+		if (plan.kind === "directory") {
+			copyDirectoryCaplet(plan.sourcePath, plan.destination, realpathSync(plan.sourceBoundary));
+			return;
+		}
 		cpSync(plan.sourcePath, plan.destination, {
-			recursive: plan.kind === "directory",
+			recursive: false,
 			force: false,
 			errorOnExist: true
 		});
 	} catch (error) {
+		if (error instanceof CapletsError) throw error;
 		if (isFsError(error, "EEXIST") || isFsError(error, "EISDIR")) throw new CapletsError("CONFIG_EXISTS", `Caplet ${plan.id} already exists at ${plan.destination}; pass --force to overwrite it`, toSafeError(error));
 		throw new CapletsError("CONFIG_INVALID", `Could not install Caplet ${plan.id} to ${plan.destination}`, toSafeError(error));
 	}
 }
+function copyDirectoryCaplet(source, destination, sourceBoundary, seenDirectories = /* @__PURE__ */ new Set()) {
+	const resolvedSource = lstatSync(source).isSymbolicLink() ? resolveDirectoryCapletSymlink(source, sourceBoundary) : source;
+	if (statSync(resolvedSource).isDirectory()) {
+		const realDirectory = realpathSync(resolvedSource);
+		if (seenDirectories.has(realDirectory)) throw new CapletsError("CONFIG_INVALID", `Directory Caplet symlink ${source} creates a copy cycle`);
+		const childSeenDirectories = new Set(seenDirectories);
+		childSeenDirectories.add(realDirectory);
+		mkdirSync(destination);
+		for (const entry of readdirSync(resolvedSource)) copyDirectoryCaplet(join(resolvedSource, entry), join(destination, entry), sourceBoundary, childSeenDirectories);
+		return;
+	}
+	copyFileSync(resolvedSource, destination);
+}
+function resolveDirectoryCapletSymlink(source, sourceBoundary) {
+	const target = readlinkSync(source);
+	const resolvedTarget = realpathSync(isAbsolute(target) ? target : resolve(dirname(source), target));
+	if (resolvedTarget !== sourceBoundary && !resolvedTarget.startsWith(`${sourceBoundary}${sep}`)) throw new CapletsError("CONFIG_INVALID", `Directory Caplet symlink ${source} resolves outside source Caplets boundary`);
+	return resolvedTarget;
+}
 function isFsError(error, code) {
 	return typeof error === "object" && error !== null && "code" in error && error.code === code;
 }
@@ -68811,7 +68873,7 @@ function writeAddResult(writeOut, label, result) {
 }
 //#endregion
 //#region package.json
-var version = "0.17.2";
+var version = "0.17.3";
 //#endregion
 //#region src/index.ts
 async function main() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "caplets",
-  "version": "0.17.2",
+  "version": "0.17.3",
   "description": "Progressive disclosure gateway CLI for MCP servers and native Caplets adapters.",
   "keywords": [
     "caplets",
@@ -34,7 +34,7 @@
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.29.0",
-    "@caplets/core": "0.18.2"
+    "@caplets/core": "0.18.3"
   },
   "devDependencies": {
     "@types/node": "^25.9.1",