schema-components 1.19.0 → 1.21.0

package/dist/core/normalise.d.mts

@@ -1,13 +1,19 @@
-import { i as DiagnosticsOptions } from "../diagnostics-VgEKI_Ct.mjs";
-import { n as JsonSchemaDraft, r as OpenApiVersionInfo } from "../version-XNH7PRGP.mjs";
+import { i as DiagnosticsOptions } from "../diagnostics-CbBPsxSt.mjs";
+import { i as OpenApiVersionInfo, r as JsonSchemaDraft } from "../version-D-u7aMfy.mjs";
 
 //#region src/core/normalise.d.ts
 type NodeTransform = (node: Record<string, unknown>) => Record<string, unknown>;
 /**
  * Deep-normalise a JSON Schema object by applying a per-node transform
  * and recursing into every sub-schema location.
+ *
+ * The optional `visited` set guards against shared object references and
+ * cycles introduced upstream (e.g. by the OpenAPI bundler's
+ * `structuredClone`-based inlining of external refs). The walk skips
+ * already-seen nodes by returning the original reference rather than
+ * recursing forever.
  */
-declare function deepNormalise(schema: Record<string, unknown>, transform: NodeTransform): Record<string, unknown>;
+declare function deepNormalise(schema: Record<string, unknown>, transform: NodeTransform, visited?: WeakSet<object>): Record<string, unknown>;
 /**
  * Per-node context threaded through `deepNormaliseWithContext`.
  *

package/dist/core/normalise.mjs

@@ -1,2 +1,2 @@
-import { a as normaliseOpenApiSchemas, i as normaliseJsonSchema, n as deepNormaliseWithContext, r as normaliseDraft04Node, t as deepNormalise } from "../normalise-C0ofw3W6.mjs";
+import { a as normaliseOpenApiSchemas, i as normaliseJsonSchema, n as deepNormaliseWithContext, r as normaliseDraft04Node, t as deepNormalise } from "../normalise-DaSrnr8g.mjs";
 export { deepNormalise, deepNormaliseWithContext, normaliseDraft04Node, normaliseJsonSchema, normaliseOpenApiSchemas };

package/dist/core/openapi30.d.mts

@@ -23,6 +23,29 @@ declare function normaliseOpenApi30Node(node: Record<string, unknown>): Record<s
  * `mapping` or infers them from `$ref` fragment names.
  */
 declare function normaliseOpenApi30Discriminator(node: Record<string, unknown>): Record<string, unknown>;
+/**
+ * Document-level pre-pass for OpenAPI discriminators that are declared
+ * on a base schema and inherited by subtypes via `allOf`.
+ *
+ * The per-node {@link normaliseOpenApi30Discriminator} only handles
+ * discriminators that already sit alongside `oneOf`/`anyOf`. For the
+ * canonical "Cat extends Pet" pattern — where `Pet` carries the
+ * discriminator and `Cat`/`Dog` reference `Pet` via `allOf` — the
+ * discriminator is silently lost. This pre-pass:
+ *
+ * 1. Injects the discriminator `const` on each subtype's local
+ *    `properties` (so a direct render of the subtype validates the
+ *    discriminator value correctly).
+ * 2. Synthesises a `oneOf` on the base whenever it lacks one, listing
+ *    each subtype as `{ $ref, properties: { propertyName: { const } } }`.
+ *    The per-node discriminator transform then sees `oneOf` and clears
+ *    the `discriminator` keyword, and the walker's
+ *    `detectDiscriminated` finds the per-option `const`s.
+ *
+ * Mutates a shallow clone of `components/schemas` — the input document
+ * is never modified.
+ */
+declare function applyDiscriminatorAllOfPrepass(doc: Record<string, unknown>): Record<string, unknown>;
 /**
  * Combined OpenAPI 3.0.x node transform: Draft 04 + nullable + discriminator.
  * Applied to every schema node in an OpenAPI 3.0 document.
@@ -67,4 +90,4 @@ declare function deepNormaliseOpenApiDoc(doc: Record<string, unknown>, normalise
  */
 declare function deepNormaliseOpenApi30Doc(doc: Record<string, unknown>, deepNormalise: (schema: Record<string, unknown>, transform: NodeTransform) => Record<string, unknown>): Record<string, unknown>;
 //#endregion
-export { deepNormaliseOpenApi30Doc, deepNormaliseOpenApiDoc, normaliseOpenApi30Combined, normaliseOpenApi30Discriminator, normaliseOpenApi30Node };
+export { applyDiscriminatorAllOfPrepass, deepNormaliseOpenApi30Doc, deepNormaliseOpenApiDoc, normaliseOpenApi30Combined, normaliseOpenApi30Discriminator, normaliseOpenApi30Node };

package/dist/core/openapi30.mjs

@@ -1,2 +1,2 @@
-import { c as deepNormaliseOpenApiDoc, d as normaliseOpenApi30Node, l as normaliseOpenApi30Combined, s as deepNormaliseOpenApi30Doc, u as normaliseOpenApi30Discriminator } from "../normalise-C0ofw3W6.mjs";
-export { deepNormaliseOpenApi30Doc, deepNormaliseOpenApiDoc, normaliseOpenApi30Combined, normaliseOpenApi30Discriminator, normaliseOpenApi30Node };
+import { c as deepNormaliseOpenApi30Doc, d as normaliseOpenApi30Discriminator, f as normaliseOpenApi30Node, l as deepNormaliseOpenApiDoc, s as applyDiscriminatorAllOfPrepass, u as normaliseOpenApi30Combined } from "../normalise-DaSrnr8g.mjs";
+export { applyDiscriminatorAllOfPrepass, deepNormaliseOpenApi30Doc, deepNormaliseOpenApiDoc, normaliseOpenApi30Combined, normaliseOpenApi30Discriminator, normaliseOpenApi30Node };

package/dist/core/ref.d.mts

@@ -1,2 +1,2 @@
-import { a as findAnchor, i as dereference, n as RefOptions, o as resolveRef, r as countDistinctRefs, t as ExternalResolver } from "../ref-Bb43ZURY.mjs";
+import { a as findAnchor, i as dereference, n as RefOptions, o as resolveRef, r as countDistinctRefs, t as ExternalResolver } from "../ref-si8ViYun.mjs";
 export { ExternalResolver, RefOptions, countDistinctRefs, dereference, findAnchor, resolveRef };

package/dist/core/ref.mjs

@@ -1,5 +1,6 @@
 import { isObject } from "./guards.mjs";
 import { emitDiagnostic } from "./diagnostics.mjs";
+import { isPrototypePollutingKey } from "./uri.mjs";
 //#region src/core/ref.ts
 /**
 * $ref resolution for JSON Schema.
@@ -18,15 +19,27 @@ function getString(obj, key) {
 */
 function countDistinctRefs(root) {
 	const refs = /* @__PURE__ */ new Set();
-	collectRefs(root, refs);
+	collectRefs(root, refs, /* @__PURE__ */ new WeakSet());
 	return Math.max(refs.size, 1);
 }
-function collectRefs(node, refs) {
+/**
+* The OpenAPI bundler (`bundleOpenApiDoc`) inlines external refs via
+* `structuredClone`, which preserves shared object references and cycles.
+* Without the `visited` set this walk would recurse forever on cyclic or
+* diamond-shaped input. The set is a no-op for tree-shaped documents.
+*/
+function collectRefs(node, refs, visited) {
 	if (!isObject(node)) return;
+	if (visited.has(node)) return;
+	visited.add(node);
 	const ref = node.$ref;
 	if (typeof ref === "string") refs.add(ref);
-	for (const value of Object.values(node)) if (isObject(value)) collectRefs(value, refs);
-	else if (Array.isArray(value)) for (const item of value) collectRefs(item, refs);
+	for (const value of Object.values(node)) if (isObject(value)) collectRefs(value, refs, visited);
+	else if (Array.isArray(value)) {
+		if (visited.has(value)) continue;
+		visited.add(value);
+		for (const item of value) collectRefs(item, refs, visited);
+	}
 }
 /**
 * Resolve a `$ref` in a schema against a root document.
@@ -134,6 +147,7 @@ function dereference(ref, root) {
 		for (const part of parts) {
 			if (!isObject(current)) return void 0;
 			const decoded = part.replace(/~1/g, "/").replace(/~0/g, "~");
+			if (isPrototypePollutingKey(decoded)) return void 0;
 			current = current[decoded];
 		}
 		return isObject(current) ? current : void 0;
@@ -146,18 +160,29 @@ function dereference(ref, root) {
 /**
 * Recursively scan a schema document for a `$anchor` matching the given name.
 * Returns the schema object containing the anchor, or undefined.
+*
+* The optional `visited` set guards against shared object references and
+* cycles introduced by the OpenAPI bundler's `structuredClone`-based
+* inlining of external refs. Without it a recursive document would stack
+* overflow before reaching the matching anchor.
 */
-function findAnchor(node, anchorName) {
+function findAnchor(node, anchorName, visited = /* @__PURE__ */ new WeakSet()) {
 	if (!isObject(node)) return void 0;
+	if (visited.has(node)) return void 0;
+	visited.add(node);
 	if (node.$anchor === anchorName) return node;
 	for (const value of Object.values(node)) {
 		if (isObject(value)) {
-			const found = findAnchor(value, anchorName);
+			const found = findAnchor(value, anchorName, visited);
 			if (found !== void 0) return found;
 		}
-		if (Array.isArray(value)) for (const item of value) {
-			const found = findAnchor(item, anchorName);
-			if (found !== void 0) return found;
+		if (Array.isArray(value)) {
+			if (visited.has(value)) continue;
+			visited.add(value);
+			for (const item of value) {
+				const found = findAnchor(item, anchorName, visited);
+				if (found !== void 0) return found;
+			}
 		}
 	}
 }

package/dist/core/renderer.d.mts

@@ -1,2 +1,2 @@
-import { a as HtmlRenderProps, c as RenderFunction, d as getHtmlRenderFn, f as getRenderFunction, h as typeToKey, i as HtmlRenderFunction, l as RenderProps, m as mergeResolvers, n as BaseFieldProps, o as HtmlResolver, p as mergeHtmlResolvers, r as ComponentResolver, s as RESOLVER_KEYS, t as AllConstraints, u as buildRenderProps } from "../renderer-BQqiXUYP.mjs";
+import { a as HtmlRenderProps, c as RenderFunction, d as getHtmlRenderFn, f as getRenderFunction, h as typeToKey, i as HtmlRenderFunction, l as RenderProps, m as mergeResolvers, n as BaseFieldProps, o as HtmlResolver, p as mergeHtmlResolvers, r as ComponentResolver, s as RESOLVER_KEYS, t as AllConstraints, u as buildRenderProps } from "../renderer-DI6ZYf7a.mjs";
 export { AllConstraints, BaseFieldProps, ComponentResolver, HtmlRenderFunction, HtmlRenderProps, HtmlResolver, RESOLVER_KEYS, RenderFunction, RenderProps, buildRenderProps, getHtmlRenderFn, getRenderFunction, mergeHtmlResolvers, mergeResolvers, typeToKey };

package/dist/core/swagger2.d.mts

@@ -1,4 +1,4 @@
-import { i as DiagnosticsOptions } from "../diagnostics-VgEKI_Ct.mjs";
+import { i as DiagnosticsOptions } from "../diagnostics-CbBPsxSt.mjs";
 import { NodeTransform } from "./normalise.mjs";
 
 //#region src/core/swagger2.d.ts

package/dist/core/swagger2.mjs

@@ -1,2 +1,2 @@
-import { o as normaliseSwagger2Document } from "../normalise-C0ofw3W6.mjs";
+import { o as normaliseSwagger2Document } from "../normalise-DaSrnr8g.mjs";
 export { normaliseSwagger2Document };

package/dist/core/typeInference.d.mts

@@ -1,2 +1,2 @@
-import { a as InferResponseFields, c as PathOfType, d as UnsafeFields, f as __SchemaInferenceFellBack, i as InferRequestBodyFields, l as ResolveOpenAPIRef, n as FromJSONSchema, o as OpenAPIRequestBodyType, r as InferParameterOverrides, s as OpenAPIResponseType, t as DEFAULT_MAX_DEPTH, u as TypeAtPath } from "../typeInference-5JiqIZ8t.mjs";
-export { DEFAULT_MAX_DEPTH, FromJSONSchema, InferParameterOverrides, InferRequestBodyFields, InferResponseFields, OpenAPIRequestBodyType, OpenAPIResponseType, PathOfType, ResolveOpenAPIRef, TypeAtPath, UnsafeFields, __SchemaInferenceFellBack };
+import { a as InferResponseFields, c as PathOfType, d as TypeAtPath, f as UnrepresentableZodSchemaError, h as __SchemaInferenceFellBack, i as InferRequestBodyFields, l as RejectUnrepresentableZod, m as UnsafeFields, n as FromJSONSchema, o as OpenAPIRequestBodyType, p as UnrepresentableZodType, r as InferParameterOverrides, s as OpenAPIResponseType, t as DEFAULT_MAX_DEPTH, u as ResolveOpenAPIRef } from "../typeInference-Bxw3NOG1.mjs";
+export { DEFAULT_MAX_DEPTH, FromJSONSchema, InferParameterOverrides, InferRequestBodyFields, InferResponseFields, OpenAPIRequestBodyType, OpenAPIResponseType, PathOfType, RejectUnrepresentableZod, ResolveOpenAPIRef, TypeAtPath, UnrepresentableZodSchemaError, UnrepresentableZodType, UnsafeFields, __SchemaInferenceFellBack };

package/dist/core/types.d.mts

@@ -1,2 +1,2 @@
-import { A as UnionField, B as isNegationField, C as RecordField, D as StringConstraints, E as SchemaType, F as isConditionalField, G as isRecordField, H as isNullField, I as isDiscriminatedUnionField, J as isTupleField, K as isRecursiveField, L as isEnumField, M as WalkedField, N as isArrayField, O as StringField, P as isBooleanField, R as isFileField, S as ObjectField, T as SchemaMeta, U as isNumberField, V as isNeverField, W as isObjectField, X as isUnknownField, Y as isUnionField, Z as resolveEditability, _ as NeverField, a as DiscriminatedUnionField, b as NumberField, c as FieldBase, d as FieldOverrides, f as FileConstraints, g as NegationField, h as LiteralField, i as ConditionalField, j as UnknownField, k as TupleField, l as FieldConstraints, m as JsonObject, n as ArrayField, o as Editability, p as FileField, q as isStringField, r as BooleanField, s as EnumField, t as ArrayConstraints, u as FieldOverride, v as NullField, w as RecursiveField, x as ObjectConstraints, y as NumberConstraints, z as isLiteralField } from "../types-D_5ST7SS.mjs";
+import { A as UnionField, B as isNegationField, C as RecordField, D as StringConstraints, E as SchemaType, F as isConditionalField, G as isRecordField, H as isNullField, I as isDiscriminatedUnionField, J as isTupleField, K as isRecursiveField, L as isEnumField, M as WalkedField, N as isArrayField, O as StringField, P as isBooleanField, R as isFileField, S as ObjectField, T as SchemaMeta, U as isNumberField, V as isNeverField, W as isObjectField, X as isUnknownField, Y as isUnionField, Z as resolveEditability, _ as NeverField, a as DiscriminatedUnionField, b as NumberField, c as FieldBase, d as FieldOverrides, f as FileConstraints, g as NegationField, h as LiteralField, i as ConditionalField, j as UnknownField, k as TupleField, l as FieldConstraints, m as JsonObject, n as ArrayField, o as Editability, p as FileField, q as isStringField, r as BooleanField, s as EnumField, t as ArrayConstraints, u as FieldOverride, v as NullField, w as RecursiveField, x as ObjectConstraints, y as NumberConstraints, z as isLiteralField } from "../types-BnxPEElk.mjs";
 export { ArrayConstraints, ArrayField, BooleanField, ConditionalField, DiscriminatedUnionField, Editability, EnumField, FieldBase, FieldConstraints, FieldOverride, FieldOverrides, FileConstraints, FileField, JsonObject, LiteralField, NegationField, NeverField, NullField, NumberConstraints, NumberField, ObjectConstraints, ObjectField, RecordField, RecursiveField, SchemaMeta, SchemaType, StringConstraints, StringField, TupleField, UnionField, UnknownField, WalkedField, isArrayField, isBooleanField, isConditionalField, isDiscriminatedUnionField, isEnumField, isFileField, isLiteralField, isNegationField, isNeverField, isNullField, isNumberField, isObjectField, isRecordField, isRecursiveField, isStringField, isTupleField, isUnionField, isUnknownField, resolveEditability };

package/dist/core/uri.d.mts

@@ -0,0 +1,41 @@
+//#region src/core/uri.d.ts
+/**
+ * URI safety helpers shared by HTML and React renderers.
+ *
+ * User-supplied URI values flow into anchor `href` attributes. Without
+ * scheme validation a value such as `javascript:alert(1)` becomes a
+ * clickable XSS sink — HTML escaping does not help, since the dangerous
+ * payload sits inside the scheme rather than the body of the attribute.
+ *
+ * These helpers exist so the HTML renderer (`html/renderers.ts`) and the
+ * React renderer (`react/headlessRenderers.tsx`) apply identical rules
+ * when deciding whether a string is safe to render as an `href`.
+ */
+/**
+ * Decide whether `value` is safe to use as an anchor `href`.
+ *
+ * Returns `true` when the value is either a relative reference (no scheme
+ * component) or an absolute URI using `http`/`https`. Returns `false`
+ * for any other scheme, including dangerous ones like `javascript:` and
+ * `data:`.
+ */
+declare function isSafeHyperlink(value: string): boolean;
+/**
+ * Decide whether `value` is safe to interpolate into a `mailto:` URI.
+ *
+ * The check rejects values that do not match the standard email format
+ * pattern. The format pattern excludes whitespace, which means a CRLF
+ * sequence (or its percent-encoded form embedded by the caller) cannot
+ * pass — eliminating the SMTP/`mailto` header-injection vector.
+ */
+declare function isSafeMailtoAddress(value: string): boolean;
+/**
+ * Decide whether `key` is one of the prototype-polluting property names
+ * (`__proto__`, `constructor`, `prototype`).
+ *
+ * Used by JSON Pointer resolvers and by the JSON Schema `properties`
+ * walker to refuse traversal into these names.
+ */
+declare function isPrototypePollutingKey(key: string): boolean;
+//#endregion
+export { isPrototypePollutingKey, isSafeHyperlink, isSafeMailtoAddress };

package/dist/core/uri.mjs

@@ -0,0 +1,76 @@
+import { EMAIL_FORMAT_PATTERN } from "./formats.mjs";
+//#region src/core/uri.ts
+/**
+* URI safety helpers shared by HTML and React renderers.
+*
+* User-supplied URI values flow into anchor `href` attributes. Without
+* scheme validation a value such as `javascript:alert(1)` becomes a
+* clickable XSS sink — HTML escaping does not help, since the dangerous
+* payload sits inside the scheme rather than the body of the attribute.
+*
+* These helpers exist so the HTML renderer (`html/renderers.ts`) and the
+* React renderer (`react/headlessRenderers.tsx`) apply identical rules
+* when deciding whether a string is safe to render as an `href`.
+*/
+/**
+* Match the scheme portion of an absolute URI (RFC 3986 production
+* `scheme ":"`). Leading ASCII whitespace is tolerated because browsers
+* strip it before parsing the scheme; any other prefix (including raw
+* control characters) keeps the value out of the safe-scheme branch.
+*/
+const ABSOLUTE_URI_SCHEME = /^\s*([a-z][a-z0-9+\-.]*):/i;
+/**
+* Schemes safe to emit unmodified into an `href` attribute. Anything
+* outside this set — most importantly `javascript:`, `data:`, `vbscript:`
+* and `file:` — is rejected and rendered as text.
+*/
+const SAFE_HYPERLINK_SCHEMES = new Set(["http", "https"]);
+/**
+* Decide whether `value` is safe to use as an anchor `href`.
+*
+* Returns `true` when the value is either a relative reference (no scheme
+* component) or an absolute URI using `http`/`https`. Returns `false`
+* for any other scheme, including dangerous ones like `javascript:` and
+* `data:`.
+*/
+function isSafeHyperlink(value) {
+	const match = ABSOLUTE_URI_SCHEME.exec(value);
+	if (match === null) return true;
+	const scheme = match[1];
+	if (scheme === void 0) return false;
+	return SAFE_HYPERLINK_SCHEMES.has(scheme.toLowerCase());
+}
+/**
+* Decide whether `value` is safe to interpolate into a `mailto:` URI.
+*
+* The check rejects values that do not match the standard email format
+* pattern. The format pattern excludes whitespace, which means a CRLF
+* sequence (or its percent-encoded form embedded by the caller) cannot
+* pass — eliminating the SMTP/`mailto` header-injection vector.
+*/
+function isSafeMailtoAddress(value) {
+	return EMAIL_FORMAT_PATTERN.test(value);
+}
+/**
+* Property names that must never be traversed via dynamic indexing on an
+* untrusted object. Walking into any of these returns `Object.prototype`
+* (or similar) and lets an attacker plant fields visible to every plain
+* object in the runtime.
+*/
+const PROTOTYPE_POLLUTING_KEYS = new Set([
+	"__proto__",
+	"constructor",
+	"prototype"
+]);
+/**
+* Decide whether `key` is one of the prototype-polluting property names
+* (`__proto__`, `constructor`, `prototype`).
+*
+* Used by JSON Pointer resolvers and by the JSON Schema `properties`
+* walker to refuse traversal into these names.
+*/
+function isPrototypePollutingKey(key) {
+	return PROTOTYPE_POLLUTING_KEYS.has(key);
+}
+//#endregion
+export { isPrototypePollutingKey, isSafeHyperlink, isSafeMailtoAddress };

package/dist/core/version.d.mts

@@ -1,2 +1,2 @@
-import { a as detectOpenApiVersion, c as isOpenApi30, d as matchJsonSchemaDraftUri, i as detectJsonSchemaDraft, l as isOpenApi31, n as JsonSchemaDraft, o as inferJsonSchemaDraft, r as OpenApiVersionInfo, s as inferJsonSchemaDraftWithReason, t as InferredDraft, u as isSwagger2 } from "../version-XNH7PRGP.mjs";
-export { InferredDraft, JsonSchemaDraft, OpenApiVersionInfo, detectJsonSchemaDraft, detectOpenApiVersion, inferJsonSchemaDraft, inferJsonSchemaDraftWithReason, isOpenApi30, isOpenApi31, isSwagger2, matchJsonSchemaDraftUri };
+import { a as detectJsonSchemaDraft, c as inferJsonSchemaDraftWithReason, d as isSwagger2, f as matchJsonSchemaDraftUri, i as OpenApiVersionInfo, l as isOpenApi30, n as JsonSchemaDialectInfo, o as detectOpenApiVersion, p as readJsonSchemaDialect, r as JsonSchemaDraft, s as inferJsonSchemaDraft, t as InferredDraft, u as isOpenApi31 } from "../version-D-u7aMfy.mjs";
+export { InferredDraft, JsonSchemaDialectInfo, JsonSchemaDraft, OpenApiVersionInfo, detectJsonSchemaDraft, detectOpenApiVersion, inferJsonSchemaDraft, inferJsonSchemaDraftWithReason, isOpenApi30, isOpenApi31, isSwagger2, matchJsonSchemaDraftUri, readJsonSchemaDialect };

package/dist/core/version.mjs

@@ -157,5 +157,29 @@ function isOpenApi31(version) {
 function isSwagger2(version) {
 	return version.major === 2;
 }
+/**
+* Inspect an OpenAPI 3.1 document for a `jsonSchemaDialect` declaration.
+*
+* Per the OpenAPI 3.1 spec, an OpenAPI document may declare the default
+* JSON Schema dialect for its Schema Objects via the top-level
+* `jsonSchemaDialect` URI. Real-world 3.1 documents overwhelmingly omit
+* the keyword and rely on the spec-defined Draft 2020-12 default — this
+* helper surfaces the declaration so the normaliser can either honour a
+* known dialect or emit a diagnostic for an unknown one.
+*/
+function readJsonSchemaDialect(doc) {
+	const value = doc.jsonSchemaDialect;
+	if (typeof value !== "string") return { kind: "absent" };
+	const draft = matchJsonSchemaDraftUri(value);
+	if (draft === void 0) return {
+		kind: "unknown",
+		uri: value
+	};
+	return {
+		kind: "known",
+		uri: value,
+		draft
+	};
+}
 //#endregion
-export { detectJsonSchemaDraft, detectOpenApiVersion, inferJsonSchemaDraft, inferJsonSchemaDraftWithReason, isOpenApi30, isOpenApi31, isSwagger2, matchJsonSchemaDraftUri };
+export { detectJsonSchemaDraft, detectOpenApiVersion, inferJsonSchemaDraft, inferJsonSchemaDraftWithReason, isOpenApi30, isOpenApi31, isSwagger2, matchJsonSchemaDraftUri, readJsonSchemaDialect };

package/dist/core/walkBuilders.d.mts

@@ -1,6 +1,6 @@
-import { M as WalkedField, O as StringField, T as SchemaMeta, b as NumberField, c as FieldBase, j as UnknownField, o as Editability, p as FileField, r as BooleanField, v as NullField } from "../types-D_5ST7SS.mjs";
-import { i as DiagnosticsOptions } from "../diagnostics-VgEKI_Ct.mjs";
-import { t as ExternalResolver } from "../ref-Bb43ZURY.mjs";
+import { M as WalkedField, O as StringField, T as SchemaMeta, b as NumberField, c as FieldBase, j as UnknownField, o as Editability, p as FileField, r as BooleanField, v as NullField } from "../types-BnxPEElk.mjs";
+import { i as DiagnosticsOptions } from "../diagnostics-CbBPsxSt.mjs";
+import { t as ExternalResolver } from "../ref-si8ViYun.mjs";
 
 //#region src/core/walkBuilders.d.ts
 declare function getString(obj: Record<string, unknown>, key: string): string | undefined;
@@ -52,8 +52,16 @@ declare function buildBooleanField(schema: Record<string, unknown>, ctx: WalkCon
 declare function buildNullField(schema: Record<string, unknown>, ctx: WalkContext): NullField;
 declare function buildUnknownField(schema: Record<string, unknown>, ctx: WalkContext): UnknownField;
 declare function buildFileField(schema: Record<string, unknown>, ctx: WalkContext): FileField;
-/** Walk a map of sub-schemas (patternProperties, dependentSchemas). */
-declare function walkSubSchemaMap<T>(map: Record<string, unknown>, walkNode: (schema: Record<string, unknown>, ctx: WalkContext) => T, ctx: WalkContext): Record<string, T>;
+/**
+ * Walk a map of sub-schemas (patternProperties, dependentSchemas, $defs).
+ *
+ * The callback receives each value as `unknown` so the caller can route
+ * boolean schemas (`true`/`false`, valid per Draft 06+) through the
+ * walker's boolean dispatch alongside object schemas. Non-schema values
+ * (numbers, strings, arrays, undefined) are silently skipped — they
+ * cannot represent a JSON Schema and have no walk-time meaning.
+ */
+declare function walkSubSchemaMap<T>(map: Record<string, unknown>, walkSubSchema: (schema: unknown, ctx: WalkContext) => T, ctx: WalkContext): Record<string, T>;
 /** Walk a dependentRequired map (Record<string, string[]>). */
 declare function walkDependentRequiredMap(map: Record<string, unknown>): Record<string, string[]>;
 /**

package/dist/core/walkBuilders.mjs

@@ -124,10 +124,18 @@ function buildFileField(schema, ctx) {
 		constraints: extractFileConstraints(schema)
 	};
 }
-/** Walk a map of sub-schemas (patternProperties, dependentSchemas). */
-function walkSubSchemaMap(map, walkNode, ctx) {
+/**
+* Walk a map of sub-schemas (patternProperties, dependentSchemas, $defs).
+*
+* The callback receives each value as `unknown` so the caller can route
+* boolean schemas (`true`/`false`, valid per Draft 06+) through the
+* walker's boolean dispatch alongside object schemas. Non-schema values
+* (numbers, strings, arrays, undefined) are silently skipped — they
+* cannot represent a JSON Schema and have no walk-time meaning.
+*/
+function walkSubSchemaMap(map, walkSubSchema, ctx) {
 	const result = {};
-	for (const [key, value] of Object.entries(map)) if (isObject(value)) result[key] = walkNode(value, ctx);
+	for (const [key, value] of Object.entries(map)) if (isObject(value) || typeof value === "boolean") result[key] = walkSubSchema(value, ctx);
 	return result;
 }
 /** Walk a dependentRequired map (Record<string, string[]>). */

package/dist/core/walker.d.mts

@@ -1,4 +1,4 @@
-import { M as WalkedField } from "../types-D_5ST7SS.mjs";
+import { M as WalkedField } from "../types-BnxPEElk.mjs";
 import { WalkOptions } from "./walkBuilders.mjs";
 
 //#region src/core/walker.d.ts

package/dist/core/walker.mjs

@@ -1,5 +1,6 @@
 import { isObject } from "./guards.mjs";
 import { appendPointer, emitDiagnostic } from "./diagnostics.mjs";
+import { isPrototypePollutingKey } from "./uri.mjs";
 import { countDistinctRefs, resolveRef } from "./ref.mjs";
 import { extractArrayConstraints, extractObjectConstraints, stripInapplicableConstraints } from "./constraints.mjs";
 import { ANNOTATION_SIBLINGS, detectDiscriminated, mergeAllOf, mergeRefSiblings, normaliseAnyOf } from "./merge.mjs";
@@ -74,7 +75,11 @@ function walk(schema, options = {}) {
 }
 function walkNode(schema, ctx) {
 	const allOf = getArray(schema, "allOf");
-	if (allOf !== void 0 && allOf.length > 0) return walkNode(mergeAllOf(allOf, ctx.diagnostics, ctx.pointer), ctx);
+	if (allOf !== void 0 && allOf.length > 0) {
+		const merged = mergeAllOf(allOf, ctx.diagnostics, ctx.pointer);
+		if (merged === false) return walkBooleanSchema(false);
+		return walkNode(merged, ctx);
+	}
 	const anyOf = getArray(schema, "anyOf");
 	if (anyOf !== void 0) {
 		const nullable = normaliseAnyOf(anyOf);
@@ -86,6 +91,11 @@ function walkNode(schema, ctx) {
 	}
 	const oneOf = getArray(schema, "oneOf");
 	if (oneOf !== void 0) {
+		const nullable = normaliseAnyOf(oneOf);
+		if (nullable !== void 0) return walkNode(nullable.inner, {
+			...ctx,
+			isNullable: true
+		});
 		const discriminated = detectDiscriminated(oneOf, ctx.diagnostics, ctx.pointer);
 		if (discriminated !== void 0) return walkDiscriminatedUnion(discriminated, ctx);
 		return walkUnion(oneOf, ctx);
@@ -111,32 +121,27 @@ function walkNode(schema, ctx) {
 		Object.assign(placeholder, result);
 		return placeholder;
 	}
-	const ifSchema = getObject(schema, "if");
-	if (ifSchema !== void 0) {
+	if ("if" in schema) {
 		emitDiagnostic(ctx.diagnostics, {
 			code: "conditional-fallback",
 			message: "if/then/else rendered as base schema; conditionals require runtime evaluation",
 			pointer: ctx.pointer
 		});
-		const base = buildBase(withoutKeys(schema, [
-			"if",
-			"then",
-			"else"
-		]), ctx);
-		const thenSchema = getObject(schema, "then");
-		const elseSchema = getObject(schema, "else");
 		const conditional = {
-			...base,
+			...buildBase(withoutKeys(schema, [
+				"if",
+				"then",
+				"else"
+			]), ctx),
 			type: "conditional",
 			constraints: {},
-			ifClause: walkNode(ifSchema, ctx)
+			ifClause: walkSubSchema(schema.if, ctx)
 		};
-		if (thenSchema !== void 0) conditional.thenClause = walkNode(thenSchema, ctx);
-		if (elseSchema !== void 0) conditional.elseClause = walkNode(elseSchema, ctx);
+		if ("then" in schema) conditional.thenClause = walkSubSchema(schema.then, ctx);
+		if ("else" in schema) conditional.elseClause = walkSubSchema(schema.else, ctx);
 		return conditional;
 	}
-	const notSchema = getObject(schema, "not");
-	if (notSchema !== void 0) {
+	if ("not" in schema) {
 		emitDiagnostic(ctx.diagnostics, {
 			code: "type-negation-fallback",
 			message: "not schema rendered as negation; TypeScript cannot negate types",
@@ -146,7 +151,7 @@ function walkNode(schema, ctx) {
 			...buildBase(withoutKeys(schema, ["not"]), ctx),
 			type: "negation",
 			constraints: {},
-			negated: walkNode(notSchema, ctx)
+			negated: walkSubSchema(schema.not, ctx)
 		};
 	}
 	const enumValues = getArray(schema, "enum");
@@ -236,11 +241,28 @@ function walkBoolean(schema, ctx) {
 	return buildBooleanField(schema, ctx);
 }
 function walkEnum(schema, enumValues, ctx) {
+	const accepted = [];
+	for (let i = 0; i < enumValues.length; i++) {
+		const v = enumValues[i];
+		if (isPrimitive(v)) {
+			accepted.push(v);
+			continue;
+		}
+		emitDiagnostic(ctx.diagnostics, {
+			code: "enum-value-filtered",
+			message: `enum value at index ${String(i)} is not a primitive (${v === void 0 ? "undefined" : typeof v}); dropping the entry`,
+			pointer: appendPointer(ctx.pointer, `enum/${String(i)}`),
+			detail: {
+				index: i,
+				value: v
+			}
+		});
+	}
 	return {
 		...buildBase(schema, ctx),
 		type: "enum",
 		constraints: {},
-		enumValues: enumValues.filter((v) => typeof v === "string" || typeof v === "number" || typeof v === "boolean" || v === null)
+		enumValues: accepted
 	};
 }
 function walkLiteral(schema, ctx) {
@@ -254,9 +276,35 @@ function walkLiteral(schema, ctx) {
 	};
 }
 function walkObject(schema, properties, ctx) {
-	const requiredFields = getArray(schema, "required")?.filter((r) => typeof r === "string") ?? [];
+	const required = getArray(schema, "required");
+	const requiredFields = [];
+	if (required !== void 0) for (let i = 0; i < required.length; i++) {
+		const r = required[i];
+		if (typeof r === "string") {
+			requiredFields.push(r);
+			continue;
+		}
+		emitDiagnostic(ctx.diagnostics, {
+			code: "required-non-string",
+			message: `required[${String(i)}] is not a string (${r === null ? "null" : typeof r}); dropping the entry`,
+			pointer: appendPointer(ctx.pointer, `required/${String(i)}`),
+			detail: {
+				index: i,
+				value: r
+			}
+		});
+	}
 	const fields = {};
 	for (const [key, propSchema] of Object.entries(properties)) {
+		if (isPrototypePollutingKey(key)) {
+			emitDiagnostic(ctx.diagnostics, {
+				code: "prototype-polluting-property",
+				message: `Refusing to register prototype-polluting property name: ${key}`,
+				pointer: appendPointer(ctx.pointer, key),
+				detail: { propertyName: key }
+			});
+			continue;
+		}
 		const childOverride = extractChildOverride(ctx.fieldOverrides, key);
 		const isRequired = requiredFields.includes(key);
 		const childCtx = {
@@ -277,7 +325,7 @@ function walkObject(schema, properties, ctx) {
 		};
 	}
 	const patternProps = getObject(schema, "patternProperties");
-	const walkedPatternProps = patternProps !== void 0 ? walkSubSchemaMap(patternProps, walkNode, ctx) : void 0;
+	const walkedPatternProps = patternProps !== void 0 ? walkSubSchemaMap(patternProps, walkSubSchema, ctx) : void 0;
 	let additionalPropertiesClosed;
 	let additionalPropertiesSchema;
 	const additionalProps = schema.additionalProperties;
@@ -290,7 +338,7 @@ function walkObject(schema, properties, ctx) {
 	};
 	else if (isObject(additionalProps)) additionalPropertiesSchema = walkNode(additionalProps, ctx);
 	const depSchemas = getObject(schema, "dependentSchemas");
-	const walkedDepSchemas = depSchemas !== void 0 ? walkSubSchemaMap(depSchemas, walkNode, ctx) : void 0;
+	const walkedDepSchemas = depSchemas !== void 0 ? walkSubSchemaMap(depSchemas, walkSubSchema, ctx) : void 0;
 	const depReq = getObject(schema, "dependentRequired");
 	const walkedDepReq = depReq !== void 0 ? walkDependentRequiredMap(depReq) : void 0;
 	let unevaluatedProperties;
@@ -304,8 +352,7 @@ function walkObject(schema, properties, ctx) {
 		constraints: {}
 	};
 	else if (isObject(unevalProps)) unevaluatedProperties = walkNode(unevalProps, ctx);
-	const propertyNamesSchema = getObject(schema, "propertyNames");
-	const walkedPropertyNames = propertyNamesSchema !== void 0 ? walkNode(propertyNamesSchema, ctx) : void 0;
+	const walkedPropertyNames = "propertyNames" in schema ? walkSubSchema(schema.propertyNames, ctx) : void 0;
 	return {
 		...buildBase(schema, ctx),
 		type: "object",
@@ -340,14 +387,19 @@ function walkRecord(schema, valueSchema, ctx) {
 	};
 }
 function walkArray(schema, ctx) {
+	const walkedContains = "contains" in schema ? walkSubSchema(schema.contains, ctx) : void 0;
 	const prefixItems = getArray(schema, "prefixItems");
 	if (prefixItems !== void 0) {
 		const walkedItems = prefixItems.filter(isObject).map((item) => walkNode(item, ctx));
+		const restSchema = getObject(schema, "items");
+		const restItems = restSchema !== void 0 ? walkNode(restSchema, ctx) : void 0;
 		return {
 			...buildBase(schema, ctx),
 			type: "tuple",
 			constraints: extractArrayConstraints(schema),
-			prefixItems: walkedItems
+			prefixItems: walkedItems,
+			...restItems !== void 0 ? { restItems } : {},
+			...walkedContains !== void 0 ? { contains: walkedContains } : {}
 		};
 	}
 	const unevaluatedItemsSchema = getObject(schema, "unevaluatedItems");
@@ -363,14 +415,16 @@ function walkArray(schema, ctx) {
 				...ctx,
 				fieldOverrides: elementOverride
 			}),
-			...walkedUnevaluatedItems !== void 0 ? { unevaluatedItems: walkedUnevaluatedItems } : {}
+			...walkedUnevaluatedItems !== void 0 ? { unevaluatedItems: walkedUnevaluatedItems } : {},
+			...walkedContains !== void 0 ? { contains: walkedContains } : {}
 		};
 	}
 	return {
 		...buildBase(schema, ctx),
 		type: "array",
 		constraints: extractArrayConstraints(schema),
-		...walkedUnevaluatedItems !== void 0 ? { unevaluatedItems: walkedUnevaluatedItems } : {}
+		...walkedUnevaluatedItems !== void 0 ? { unevaluatedItems: walkedUnevaluatedItems } : {},
+		...walkedContains !== void 0 ? { contains: walkedContains } : {}
 	};
 }
 function walkUnion(options, ctx) {

package/dist/{diagnostics-VgEKI_Ct.d.mts → diagnostics-CbBPsxSt.d.mts}

@@ -16,7 +16,7 @@
  * Machine-readable codes identifying each class of diagnostic.
  * Stable across releases — consumers can pattern-match on these.
  */
-type DiagnosticCode = "unresolved-ref" | "unknown-keyword" | "unknown-format" | "invalid-const" | "unsupported-type" | "dropped-swagger-feature" | "external-ref" | "type-negation-fallback" | "conditional-fallback" | "assumed-draft" | "depth-exceeded" | "allof-conflict" | "discriminator-inconsistent" | "divisible-by-conflict" | "legacy-dependencies-split" | "dependent-required-invalid";
+type DiagnosticCode = "unresolved-ref" | "unknown-keyword" | "unknown-format" | "invalid-const" | "unsupported-type" | "dropped-swagger-feature" | "external-ref" | "type-negation-fallback" | "conditional-fallback" | "assumed-draft" | "depth-exceeded" | "allof-conflict" | "discriminator-inconsistent" | "divisible-by-conflict" | "legacy-dependencies-split" | "dependent-required-invalid" | "unknown-json-schema-dialect" | "relative-ref-resolved" | "bare-exclusive-bound" | "enum-value-filtered" | "required-non-string" | "pattern-invalid" | "duplicate-body-parameter" | "prototype-polluting-property";
 /**
  * A single diagnostic emitted during schema processing.
  */