schema-components 1.29.0 → 2.0.1

package/dist/{normalise-Db1xaxgx.mjs → normalise-DB-Xtjmn.mjs}

@@ -1,5 +1,6 @@
 import { isObject } from "./core/guards.mjs";
 import { appendPointer, emitDiagnostic } from "./core/diagnostics.mjs";
+import { isPrototypePollutingKey } from "./core/uri.mjs";
 import { RECURSIVE_ANCHOR_SENTINEL } from "./core/ref.mjs";
 import { isOpenApi30, isOpenApi31, isSwagger2, matchJsonSchemaDraftUri, readJsonSchemaDialect } from "./core/version.mjs";
 import { SWAGGER_2_METHODS, rewriteSwaggerRefPrefix } from "./core/openapiConstants.mjs";
@@ -801,7 +802,18 @@ function normaliseSwaggerOperation(operation, doc, path, method, diagnostics) {
 	const producesResolution = resolveSwaggerContentTypes(operation.produces, doc.produces);
 	const produces = producesResolution.types;
 	const consumes = consumesResolution.types;
-	for (const [key, value] of Object.entries(operation)) if (key !== "parameters" && key !== "responses" && key !== "produces" && key !== "consumes") result[key] = value;
+	for (const [key, value] of Object.entries(operation)) if (key !== "parameters" && key !== "responses" && key !== "produces" && key !== "consumes") {
+		if (isPrototypePollutingKey(key)) {
+			emitDiagnostic(diagnostics, {
+				code: "prototype-polluting-property",
+				message: `Refusing to copy prototype-polluting property name into normalised operation: ${key}`,
+				pointer: appendPointer(`/paths/${path}/${method}`, key),
+				detail: { propertyName: key }
+			});
+			continue;
+		}
+		result[key] = value;
+	}
 	const params = operation.parameters;
 	if (Array.isArray(params)) {
 		const nonBodyParams = [];
@@ -1038,6 +1050,15 @@ function normaliseSwaggerParameter(param, doc, diagnostics, pointer = "") {
 	const result = {};
 	for (const [key, value] of Object.entries(param)) {
 		if (PARAM_KEYWORDS_LIFTED_INTO_SCHEMA.has(key)) continue;
+		if (isPrototypePollutingKey(key)) {
+			emitDiagnostic(diagnostics, {
+				code: "prototype-polluting-property",
+				message: `Refusing to copy prototype-polluting property name into normalised parameter: ${key}`,
+				pointer: appendPointer(pointer, key),
+				detail: { propertyName: key }
+			});
+			continue;
+		}
 		result[key] = value;
 	}
 	if (typeof param.type === "string") if (param.type === "file" && param.in !== "formData") {
@@ -1186,7 +1207,18 @@ function normaliseSwaggerResponses(responses, doc, produces, producesSource, dia
 function normaliseSwaggerSingleResponse(response, doc, produces, producesSource = "synthesised", diagnostics, path, method, statusCode) {
 	const resolved = resolveSwaggerResponse(response, doc);
 	const normalised = {};
-	for (const [key, value] of Object.entries(resolved)) if (key !== "schema" && key !== "headers") normalised[key] = value;
+	for (const [key, value] of Object.entries(resolved)) if (key !== "schema" && key !== "headers") {
+		if (isPrototypePollutingKey(key)) {
+			emitDiagnostic(diagnostics, {
+				code: "prototype-polluting-property",
+				message: `Refusing to copy prototype-polluting property name into normalised response: ${key}`,
+				pointer: path !== void 0 && method !== void 0 && statusCode !== void 0 ? appendPointer(`/paths/${path}/${method}/responses/${statusCode}`, key) : key,
+				detail: { propertyName: key }
+			});
+			continue;
+		}
+		normalised[key] = value;
+	}
 	const schema = resolved.schema;
 	if (isObject(schema)) {
 		const content = {};
@@ -1232,6 +1264,15 @@ function normaliseSwaggerHeader(header, diagnostics, pointer = "") {
 	const result = {};
 	for (const [key, value] of Object.entries(header)) {
 		if (PARAM_KEYWORDS_LIFTED_INTO_SCHEMA.has(key)) continue;
+		if (isPrototypePollutingKey(key)) {
+			emitDiagnostic(diagnostics, {
+				code: "prototype-polluting-property",
+				message: `Refusing to copy prototype-polluting property name into normalised header: ${key}`,
+				pointer: appendPointer(pointer, key),
+				detail: { propertyName: key }
+			});
+			continue;
+		}
 		result[key] = value;
 	}
 	if (typeof header.type === "string") result.schema = buildSchemaFromSwaggerParameterShape(header);

package/dist/openapi/ApiCallbacks.d.mts

@@ -1,4 +1,4 @@
-import { w as SchemaMeta } from "../types-C2Ay1FEh.mjs";
+import { w as SchemaMeta } from "../types-BrYbjC7_.mjs";
 import { CallbackInfo } from "./parser.mjs";
 import { ReactNode } from "react";
 

package/dist/openapi/ApiLinks.d.mts

@@ -1,4 +1,4 @@
-import { w as SchemaMeta } from "../types-C2Ay1FEh.mjs";
+import { w as SchemaMeta } from "../types-BrYbjC7_.mjs";
 import { LinkInfo } from "./parser.mjs";
 import { ReactNode } from "react";
 

package/dist/openapi/ApiResponseHeaders.d.mts

@@ -1,4 +1,4 @@
-import { w as SchemaMeta } from "../types-C2Ay1FEh.mjs";
+import { w as SchemaMeta } from "../types-BrYbjC7_.mjs";
 import { HeaderInfo } from "./parser.mjs";
 import { ReactNode } from "react";
 

package/dist/openapi/ApiSecurity.d.mts

@@ -1,4 +1,4 @@
-import { w as SchemaMeta } from "../types-C2Ay1FEh.mjs";
+import { w as SchemaMeta } from "../types-BrYbjC7_.mjs";
 import { SecurityRequirement, SecurityScheme } from "./parser.mjs";
 import { ReactNode } from "react";
 

package/dist/openapi/ApiSecurity.mjs

@@ -1,4 +1,5 @@
 import { isObject } from "../core/guards.mjs";
+import { isSafeHyperlink } from "../core/uri.mjs";
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 //#region src/openapi/ApiSecurity.tsx
 /**
@@ -113,11 +114,14 @@ function SchemeDetails({ scheme }) {
 			"data-security-apikey-in": true,
 			children: scheme.location
 		}),
-		scheme.openIdConnectUrl !== void 0 && /* @__PURE__ */ jsx("a", {
+		scheme.openIdConnectUrl !== void 0 && (isSafeHyperlink(scheme.openIdConnectUrl) ? /* @__PURE__ */ jsx("a", {
 			"data-security-openid-url": true,
 			href: scheme.openIdConnectUrl,
 			children: scheme.openIdConnectUrl
-		}),
+		}) : /* @__PURE__ */ jsx("span", {
+			"data-security-openid-url": true,
+			children: scheme.openIdConnectUrl
+		})),
 		flows.length > 0 && /* @__PURE__ */ jsx("section", {
 			"data-security-flows": true,
 			children: flows.map((flow) => /* @__PURE__ */ jsx(FlowDetails, { flow }, flow.name))
@@ -132,21 +136,30 @@ function FlowDetails({ flow }) {
 				"data-security-flow-name": true,
 				children: flow.name
 			}),
-			flow.authorizationUrl !== void 0 && /* @__PURE__ */ jsx("a", {
+			flow.authorizationUrl !== void 0 && (isSafeHyperlink(flow.authorizationUrl) ? /* @__PURE__ */ jsx("a", {
 				"data-security-flow-authorization-url": true,
 				href: flow.authorizationUrl,
 				children: flow.authorizationUrl
-			}),
-			flow.tokenUrl !== void 0 && /* @__PURE__ */ jsx("a", {
+			}) : /* @__PURE__ */ jsx("span", {
+				"data-security-flow-authorization-url": true,
+				children: flow.authorizationUrl
+			})),
+			flow.tokenUrl !== void 0 && (isSafeHyperlink(flow.tokenUrl) ? /* @__PURE__ */ jsx("a", {
 				"data-security-flow-token-url": true,
 				href: flow.tokenUrl,
 				children: flow.tokenUrl
-			}),
-			flow.refreshUrl !== void 0 && /* @__PURE__ */ jsx("a", {
+			}) : /* @__PURE__ */ jsx("span", {
+				"data-security-flow-token-url": true,
+				children: flow.tokenUrl
+			})),
+			flow.refreshUrl !== void 0 && (isSafeHyperlink(flow.refreshUrl) ? /* @__PURE__ */ jsx("a", {
 				"data-security-flow-refresh-url": true,
 				href: flow.refreshUrl,
 				children: flow.refreshUrl
-			}),
+			}) : /* @__PURE__ */ jsx("span", {
+				"data-security-flow-refresh-url": true,
+				children: flow.refreshUrl
+			})),
 			flow.scopes.size > 0 && /* @__PURE__ */ jsx("dl", {
 				"data-security-flow-scopes": true,
 				children: [...flow.scopes.entries()].map(([name, description]) => /* @__PURE__ */ jsxs("div", {

package/dist/openapi/bundle.d.mts

@@ -27,6 +27,37 @@
  * Resolver function for external documents.
  * Called with the URI portion of an external $ref (everything before `#`).
  * Returns the parsed JSON document.
+ *
+ * ### Security warning — SSRF and local-file disclosure
+ *
+ * Consumers MUST validate the URI before fetching the target document.
+ * The bundler hands the resolver the raw `$ref` URI from the OpenAPI
+ * document — which is typically user-controlled — and any network or
+ * filesystem access the resolver performs runs with the host
+ * application's full privileges. An attacker-crafted document that
+ * references an internal endpoint or a local filesystem path will
+ * happily exfiltrate or expose data the application never intended to
+ * surface.
+ *
+ * At a minimum the resolver should:
+ *
+ * - Refuse non-`https:` schemes by default. Permit `http:` only on an
+ *   explicit allow-list. Refuse `file:`, `data:`, `javascript:`,
+ *   `ftp:`, `gopher:`, and every other scheme outright.
+ * - Resolve the URI's hostname and refuse loopback addresses
+ *   (`127.0.0.0/8`, `::1`), link-local addresses (`169.254.0.0/16`,
+ *   `fe80::/10`), private ranges (`10.0.0.0/8`, `172.16.0.0/12`,
+ *   `192.168.0.0/16`, `fc00::/7`), and cloud-metadata IPs
+ *   (`169.254.169.254`, `fd00:ec2::254`).
+ * - Apply a strict allow-list of permitted hosts where possible.
+ * - Set request timeouts and a maximum response size.
+ * - Disable HTTP redirects, or re-validate the redirected URL against
+ *   the same denylist before following.
+ * - Reject responses that are not `application/json` or
+ *   `application/yaml`.
+ *
+ * The bundler itself performs no validation — that responsibility sits
+ * exclusively with the resolver implementation supplied by the caller.
  */
 type BundleResolver = (uri: string) => unknown;
 /**

package/dist/openapi/components.d.mts

@@ -1,7 +1,7 @@
-import { u as FieldOverride, w as SchemaMeta } from "../types-C2Ay1FEh.mjs";
-import { r as DiagnosticSink } from "../diagnostics-ByEzkjrA.mjs";
-import { InferParameterOverrides, InferRequestBodyFields, InferResponseFields } from "../core/typeInference.mjs";
-import { WidgetMap } from "../react/SchemaComponent.mjs";
+import { u as FieldOverride, w as SchemaMeta } from "../types-BrYbjC7_.mjs";
+import { r as DiagnosticSink } from "../diagnostics-BTrm3O6J.mjs";
+import { WidgetMap } from "../core/renderer.mjs";
+import { InferParameterOverrides, InferRequestBodyFields, InferResponseFields, OpenAPIRequestBodyType, OpenAPIResponseType } from "../core/typeInference.mjs";
 import { ReactNode } from "react";
 
 //#region src/openapi/components.d.ts
@@ -173,13 +173,30 @@ interface ApiDiagnosticsProps {
  *
  * @group OpenAPI
  */
-interface ApiOperationProps<Doc = unknown, Path extends PathKeysOf<Doc> = PathKeysOf<Doc>, Method extends MethodKeysOf<Doc, Path> = MethodKeysOf<Doc, Path>, ContentType extends RequestContentTypesOf<Doc, Path, Method> = RequestContentTypesOf<Doc, Path, Method>> extends ApiDiagnosticsProps {
+interface ApiOperationProps<Doc = unknown, Path extends PathKeysOf<Doc> = PathKeysOf<Doc>, Method extends MethodKeysOf<Doc, Path> = MethodKeysOf<Doc, Path>, ContentType extends RequestContentTypesOf<Doc, Path, Method> = RequestContentTypesOf<Doc, Path, Method>, ResponseStatus extends StatusKeysOf<Doc, Path, Method> = StatusKeysOf<Doc, Path, Method>, ResponseContentType extends ResponseContentTypesOf<Doc, Path, Method, ResponseStatus> = ResponseContentTypesOf<Doc, Path, Method, ResponseStatus>> extends ApiDiagnosticsProps {
   schema: Doc;
   path: Path;
   method: Method;
-  requestBodyValue?: unknown;
-  onRequestBodyChange?: (value: unknown) => void;
-  responseValue?: unknown;
+  /**
+   * Current request body value. Inferred from the operation's
+   * request body schema via {@link OpenAPIRequestBodyType} so a
+   * typed `schema` argument drives the rendered value's shape.
+   */
+  requestBodyValue?: OpenAPIRequestBodyType<Doc, Path & string, Method & string, ContentType & string>;
+  /**
+   * Called when the request body value changes. Parameter type
+   * mirrors {@link ApiOperationProps.requestBodyValue}.
+   */
+  onRequestBodyChange?: (value: OpenAPIRequestBodyType<Doc, Path & string, Method & string, ContentType & string>) => void;
+  /**
+   * Current response value. Inferred via {@link OpenAPIResponseType}
+   * from the operation's response schema for the supplied
+   * `responseStatus` (defaulting to the union of declared statuses)
+   * and `responseContentType` (defaulting to the union of declared
+   * media types). The same value is rendered against every response
+   * card the component emits.
+   */
+  responseValue?: OpenAPIResponseType<Doc, Path & string, Method & string, ResponseStatus & string, ResponseContentType & string>;
   meta?: SchemaMeta;
   /**
    * Media type whose request body schema drives `requestBodyFields`
@@ -190,6 +207,20 @@ interface ApiOperationProps<Doc = unknown, Path extends PathKeysOf<Doc> = PathKe
    * same precision as `<ApiRequestBody>`.
    */
   requestBodyContentType?: ContentType;
+  /**
+   * Status code whose response schema drives `responseValue`
+   * inference. Defaults to the union of declared statuses so
+   * callers can omit it; supply explicitly to narrow inference to
+   * a specific response (e.g. `"200"`).
+   */
+  responseStatus?: ResponseStatus;
+  /**
+   * Media type whose response schema drives `responseValue`
+   * inference. Defaults to the union of declared content types so
+   * callers can omit it; supply explicitly to narrow inference to
+   * a specific media type.
+   */
+  responseContentType?: ResponseContentType;
   requestBodyFields?: Doc extends Record<string, unknown> ? InferRequestBodyFields<Doc, Path & string, Method & string, ContentType & string> : Record<string, FieldOverride>;
   /** Instance-scoped widgets. */
   widgets?: WidgetMap;
@@ -213,7 +244,7 @@ interface ApiOperationProps<Doc = unknown, Path extends PathKeysOf<Doc> = PathKe
  * <ApiOperation schema={petStore} path="/pets" method="post" />
  * ```
  */
-declare function ApiOperation<Doc = unknown, Path extends PathKeysOf<Doc> = PathKeysOf<Doc>, Method extends MethodKeysOf<Doc, Path> = MethodKeysOf<Doc, Path>, ContentType extends RequestContentTypesOf<Doc, Path, Method> = RequestContentTypesOf<Doc, Path, Method>>({
+declare function ApiOperation<Doc = unknown, Path extends PathKeysOf<Doc> = PathKeysOf<Doc>, Method extends MethodKeysOf<Doc, Path> = MethodKeysOf<Doc, Path>, ContentType extends RequestContentTypesOf<Doc, Path, Method> = RequestContentTypesOf<Doc, Path, Method>, ResponseStatus extends StatusKeysOf<Doc, Path, Method> = StatusKeysOf<Doc, Path, Method>, ResponseContentType extends ResponseContentTypesOf<Doc, Path, Method, ResponseStatus> = ResponseContentTypesOf<Doc, Path, Method, ResponseStatus>>({
   schema: doc,
   path,
   method,
@@ -225,7 +256,7 @@ declare function ApiOperation<Doc = unknown, Path extends PathKeysOf<Doc> = Path
   widgets,
   onDiagnostic,
   strict
-}: ApiOperationProps<Doc, Path, Method, ContentType>): ReactNode;
+}: ApiOperationProps<Doc, Path, Method, ContentType, ResponseStatus, ResponseContentType>): ReactNode;
 /**
  * Props accepted by {@link ApiParameters}.
  *

package/dist/openapi/components.mjs

@@ -1,14 +1,15 @@
 import { isObject, toRecordOrUndefined } from "../core/guards.mjs";
 import { emitDiagnostic } from "../core/diagnostics.mjs";
+import { isSafeHyperlink } from "../core/uri.mjs";
 import { extractRootMetaFromJson } from "../core/adapter.mjs";
 import { walk } from "../core/walker.mjs";
 import { ApiCallbacks } from "./ApiCallbacks.mjs";
 import { ApiLinks } from "./ApiLinks.mjs";
 import { ApiResponseHeaders } from "./ApiResponseHeaders.mjs";
 import { ApiSecurity } from "./ApiSecurity.mjs";
-import { getExternalDocs, getLinks, getSecurityRequirements, getSecuritySchemes, getXmlInfo, listCallbacks, listWebhooks } from "./parser.mjs";
+import { extractExternalDocs, extractLinks, extractSecurityRequirements, extractSecuritySchemes, extractXmlInfo, listCallbacks, listWebhooks } from "./parser.mjs";
 import { joinPath, renderField, sanitisePrefix } from "../react/SchemaComponent.mjs";
-import { getParsed, resolveOperationFromParsed, resolveParametersFromParsed, resolveRequestBodyFromParsed, resolveResponseFromParsed, toDoc } from "./resolve.mjs";
+import { getParsed, resolveOperation, resolveParameters, resolveRequestBody, resolveResponse, toDoc } from "./resolve.mjs";
 import { Fragment, jsx, jsxs } from "react/jsx-runtime";
 import { useId } from "react";
 //#region src/openapi/components.tsx
@@ -78,11 +79,16 @@ function renderSchema(schema, rootDocument, options) {
 */
 function ExternalDocsLink({ externalDocs }) {
 	if (externalDocs === void 0) return null;
+	const label = externalDocs.description ?? externalDocs.url;
+	if (!isSafeHyperlink(externalDocs.url)) return /* @__PURE__ */ jsx("p", {
+		"data-external-docs": true,
+		children: /* @__PURE__ */ jsx("span", { children: label })
+	});
 	return /* @__PURE__ */ jsx("p", {
 		"data-external-docs": true,
 		children: /* @__PURE__ */ jsx("a", {
 			href: externalDocs.url,
-			children: externalDocs.description ?? externalDocs.url
+			children: label
 		})
 	});
 }
@@ -132,12 +138,12 @@ function ApiOperation({ schema: doc, path, method, requestBodyValue, onRequestBo
 	const rootDoc = resolveRootDoc(doc, diagnostics);
 	if (rootDoc === void 0) return null;
 	const parsed = getParsed(rootDoc, diagnostics);
-	const resolved = resolveOperationFromParsed(parsed, path, method, diagnostics);
-	const securityReqs = getSecurityRequirements(parsed, path, method);
-	const securitySchemes = getSecuritySchemes(parsed);
+	const resolved = resolveOperation(parsed, path, method, diagnostics);
+	const securityReqs = extractSecurityRequirements(parsed, path, method);
+	const securitySchemes = extractSecuritySchemes(parsed);
 	const callbacks = listCallbacks(parsed, path, method);
-	const operationExternalDocs = getExternalDocs(resolved.operation.operation);
-	const requestBodyXml = resolved.requestBody?.schema !== void 0 ? getXmlInfo(resolved.requestBody.schema) : void 0;
+	const operationExternalDocs = extractExternalDocs(resolved.operation.operation);
+	const requestBodyXml = resolved.requestBody?.schema !== void 0 ? extractXmlInfo(resolved.requestBody.schema) : void 0;
 	return /* @__PURE__ */ jsxs("section", {
 		"data-operation": `${method.toUpperCase()} ${path}`,
 		children: [
@@ -216,7 +222,7 @@ function ApiParameters({ schema: doc, path, method, meta, overrides, widgets, on
 	const instancePrefix = sanitisePrefix(useId());
 	const rootDoc = resolveRootDoc(doc, diagnostics);
 	if (rootDoc === void 0) return null;
-	const params = resolveParametersFromParsed(getParsed(rootDoc, diagnostics), path, method);
+	const params = resolveParameters(getParsed(rootDoc, diagnostics), path, method);
 	if (params.length === 0) return null;
 	return /* @__PURE__ */ jsxs("section", {
 		"data-parameters": true,
@@ -248,9 +254,9 @@ function ApiRequestBody({ schema: doc, path, method, value, onChange, meta, fiel
 	const instancePrefix = sanitisePrefix(useId());
 	const rootDoc = resolveRootDoc(doc, diagnostics);
 	if (rootDoc === void 0) return null;
-	const requestBody = resolveRequestBodyFromParsed(getParsed(rootDoc, diagnostics), path, method);
+	const requestBody = resolveRequestBody(getParsed(rootDoc, diagnostics), path, method);
 	if (requestBody?.schema === void 0) return null;
-	const requestBodyXml = getXmlInfo(requestBody.schema);
+	const requestBodyXml = extractXmlInfo(requestBody.schema);
 	return /* @__PURE__ */ jsxs("section", {
 		"data-request-body": true,
 		children: [
@@ -293,7 +299,7 @@ function ApiResponse({ schema: doc, path, method, status, value, meta, fields, w
 	const rootDoc = resolveRootDoc(doc, diagnostics);
 	if (rootDoc === void 0) return null;
 	const parsed = getParsed(rootDoc, diagnostics);
-	const response = resolveResponseFromParsed(parsed, path, method, status);
+	const response = resolveResponse(parsed, path, method, status);
 	if (response.schema === void 0) return /* @__PURE__ */ jsxs("div", {
 		"data-status": status,
 		children: [
@@ -449,7 +455,7 @@ function ResponseCard({ response, rootDoc, parsed, value, fields, meta, widgets,
 		]
 	});
 	let links = [];
-	if (path !== void 0 && method !== void 0) links = getLinks(parsed, path, method, response.statusCode);
+	if (path !== void 0 && method !== void 0) links = extractLinks(parsed, path, method, response.statusCode);
 	return /* @__PURE__ */ jsxs("div", {
 		"data-status": response.statusCode,
 		children: [

package/dist/openapi/parser.d.mts

@@ -1,5 +1,5 @@
-import { m as JsonObject } from "../types-C2Ay1FEh.mjs";
-import { i as DiagnosticsOptions } from "../diagnostics-ByEzkjrA.mjs";
+import { m as JsonObject } from "../types-BrYbjC7_.mjs";
+import { i as DiagnosticsOptions } from "../diagnostics-BTrm3O6J.mjs";
 
 //#region src/openapi/parser.d.ts
 /**
@@ -155,7 +155,7 @@ declare function parseOpenApiDocument(doc: JsonObject): OpenApiDocument;
  * resolved value for arbitrary fragment refs), or `undefined` when the
  * ref cannot be resolved.
  */
-declare function getSchema(parsed: OpenApiDocument, ref: string): JsonObject | undefined;
+declare function extractSchema(parsed: OpenApiDocument, ref: string): JsonObject | undefined;
 /**
  * List every operation declared under the document's `paths` map.
  * Follows Path Item `$ref` chains internally; cycles and over-deep
@@ -167,36 +167,36 @@ declare function listOperations(parsed: OpenApiDocument, diagnostics?: Diagnosti
  * parameters with operation-level overrides and following any
  * Parameter Object `$ref` chains.
  */
-declare function getParameters(parsed: OpenApiDocument, path: string, method: string, diagnostics?: DiagnosticsOptions): ParameterInfo[];
+declare function extractParameters(parsed: OpenApiDocument, path: string, method: string, diagnostics?: DiagnosticsOptions): ParameterInfo[];
 /**
  * Resolve the request body of a single operation, including its
  * declared content types and schema. Returns `undefined` when the
  * operation declares no request body.
  */
-declare function getRequestBody(parsed: OpenApiDocument, path: string, method: string): RequestBodyInfo | undefined;
+declare function extractRequestBody(parsed: OpenApiDocument, path: string, method: string): RequestBodyInfo | undefined;
 /**
  * Resolve the responses of a single operation, returning one
  * {@link ResponseInfo} per declared status code (including class
  * wildcards and `default`).
  */
-declare function getResponses(parsed: OpenApiDocument, path: string, method: string, diagnostics?: DiagnosticsOptions): ResponseInfo[];
+declare function extractResponses(parsed: OpenApiDocument, path: string, method: string, diagnostics?: DiagnosticsOptions): ResponseInfo[];
 /**
  * Resolve the effective security requirements for a single operation.
  * Operation-level requirements override the document-level defaults
  * when present.
  */
-declare function getSecurityRequirements(parsed: OpenApiDocument, path: string, method: string): SecurityRequirement[];
+declare function extractSecurityRequirements(parsed: OpenApiDocument, path: string, method: string): SecurityRequirement[];
 /**
  * Read the document's `components.securitySchemes` map as a map of
  * scheme names to {@link SecurityScheme} entries.
  */
-declare function getSecuritySchemes(parsed: OpenApiDocument): Map<string, SecurityScheme>;
+declare function extractSecuritySchemes(parsed: OpenApiDocument): Map<string, SecurityScheme>;
 /**
  * Resolve the headers of a single OpenAPI Response Object as a map of
  * header name to {@link HeaderInfo}. Follows Header Object `$ref`
  * chains via the optional document root.
  */
-declare function getResponseHeaders(response: JsonObject, doc?: JsonObject, diagnostics?: DiagnosticsOptions): Map<string, HeaderInfo>;
+declare function extractResponseHeaders(response: JsonObject, doc?: JsonObject, diagnostics?: DiagnosticsOptions): Map<string, HeaderInfo>;
 /**
  * List every OpenAPI 3.1 webhook declared under the document's
  * `webhooks` map, each with its name and resolved operations.
@@ -216,13 +216,13 @@ declare function listAllOperations(parsed: OpenApiDocument, diagnostics?: Diagno
  * (document, operation, tag, schema, ...) into an {@link ExternalDocs}
  * record. Returns `undefined` when absent or malformed.
  */
-declare function getExternalDocs(obj: JsonObject): ExternalDocs | undefined;
+declare function extractExternalDocs(obj: JsonObject): ExternalDocs | undefined;
 /**
  * Read the optional `xml` keyword on a JSON Schema object into an
  * {@link XmlInfo} record describing how the field is serialised in an
  * XML payload. Returns `undefined` when absent or malformed.
  */
-declare function getXmlInfo(schema: JsonObject): XmlInfo | undefined;
+declare function extractXmlInfo(schema: JsonObject): XmlInfo | undefined;
 /**
  * List the OpenAPI callback definitions declared on a single
  * operation. Each entry carries the callback name and the operations
@@ -234,6 +234,6 @@ declare function listCallbacks(parsed: OpenApiDocument, path: string, method: st
  * a single operation, returning each link's parsed
  * {@link LinkInfo} entry.
  */
-declare function getLinks(parsed: OpenApiDocument, path: string, method: string, statusCode: string, diagnostics?: DiagnosticsOptions): LinkInfo[];
+declare function extractLinks(parsed: OpenApiDocument, path: string, method: string, statusCode: string, diagnostics?: DiagnosticsOptions): LinkInfo[];
 //#endregion
-export { CallbackInfo, ExternalDocs, HeaderInfo, LinkInfo, OpenApiDocument, OperationInfo, ParameterInfo, ParameterLocation, RequestBodyInfo, ResponseInfo, SecurityRequirement, SecurityScheme, WebhookInfo, XmlInfo, getExternalDocs, getLinks, getParameters, getRequestBody, getResponseHeaders, getResponses, getSchema, getSecurityRequirements, getSecuritySchemes, getXmlInfo, listAllOperations, listCallbacks, listOperations, listWebhooks, parseOpenApiDocument };
+export { CallbackInfo, ExternalDocs, HeaderInfo, LinkInfo, OpenApiDocument, OperationInfo, ParameterInfo, ParameterLocation, RequestBodyInfo, ResponseInfo, SecurityRequirement, SecurityScheme, WebhookInfo, XmlInfo, extractExternalDocs, extractLinks, extractParameters, extractRequestBody, extractResponseHeaders, extractResponses, extractSchema, extractSecurityRequirements, extractSecuritySchemes, extractXmlInfo, listAllOperations, listCallbacks, listOperations, listWebhooks, parseOpenApiDocument };

package/dist/openapi/parser.mjs

@@ -58,7 +58,7 @@ function parseOpenApiDocument(doc) {
 * resolved value for arbitrary fragment refs), or `undefined` when the
 * ref cannot be resolved.
 */
-function getSchema(parsed, ref) {
+function extractSchema(parsed, ref) {
 	const cached = parsed.schemas.get(ref);
 	if (cached !== void 0) return cached;
 	const resolved = resolveRefInDoc(parsed.doc, ref);
@@ -174,7 +174,7 @@ function listOperations(parsed, diagnostics, seenIds = /* @__PURE__ */ new Map()
 * parameters with operation-level overrides and following any
 * Parameter Object `$ref` chains.
 */
-function getParameters(parsed, path, method, diagnostics) {
+function extractParameters(parsed, path, method, diagnostics) {
 	const pathItem = lookupPathItem(parsed, path);
 	if (pathItem === void 0) return [];
 	const operation = getProperty(pathItem, method);
@@ -275,7 +275,7 @@ function jsonPointerEscape(segment) {
 * declared content types and schema. Returns `undefined` when the
 * operation declares no request body.
 */
-function getRequestBody(parsed, path, method) {
+function extractRequestBody(parsed, path, method) {
 	const requestBodyRaw = getProperty(getProperty(lookupPathItem(parsed, path), method), "requestBody");
 	if (!isObject(requestBodyRaw)) return void 0;
 	const requestBody = resolveWrapperRef(parsed.doc, requestBodyRaw);
@@ -301,7 +301,7 @@ function getRequestBody(parsed, path, method) {
 * {@link ResponseInfo} per declared status code (including class
 * wildcards and `default`).
 */
-function getResponses(parsed, path, method, diagnostics) {
+function extractResponses(parsed, path, method, diagnostics) {
 	const responses = getProperty(getProperty(lookupPathItem(parsed, path), method), "responses");
 	if (!isObject(responses)) return [];
 	const result = [];
@@ -312,7 +312,7 @@ function getResponses(parsed, path, method, diagnostics) {
 		const content = getProperty(response, "content");
 		const contentTypes = isObject(content) ? Object.keys(content) : [];
 		const schema = isObject(content) ? extractSchemaFromContent(content) : void 0;
-		const headers = getResponseHeaders(response, parsed.doc, diagnostics);
+		const headers = extractResponseHeaders(response, parsed.doc, diagnostics);
 		result.push({
 			statusCode,
 			description: getString(response, "description"),
@@ -448,7 +448,7 @@ function resolveRefInDoc(doc, ref) {
 * Operation-level requirements override the document-level defaults
 * when present.
 */
-function getSecurityRequirements(parsed, path, method) {
+function extractSecurityRequirements(parsed, path, method) {
 	const opSecurity = getProperty(getProperty(lookupPathItem(parsed, path), method), "security");
 	const globalSecurity = getProperty(parsed.doc, "security");
 	const securityArray = Array.isArray(opSecurity) ? opSecurity : Array.isArray(globalSecurity) ? globalSecurity : [];
@@ -466,7 +466,7 @@ function getSecurityRequirements(parsed, path, method) {
 * Read the document's `components.securitySchemes` map as a map of
 * scheme names to {@link SecurityScheme} entries.
 */
-function getSecuritySchemes(parsed) {
+function extractSecuritySchemes(parsed) {
 	const result = /* @__PURE__ */ new Map();
 	const securitySchemes = getProperty(getProperty(parsed.doc, "components"), "securitySchemes");
 	if (!isObject(securitySchemes)) return result;
@@ -491,7 +491,7 @@ function getSecuritySchemes(parsed) {
 * header name to {@link HeaderInfo}. Follows Header Object `$ref`
 * chains via the optional document root.
 */
-function getResponseHeaders(response, doc, diagnostics) {
+function extractResponseHeaders(response, doc, diagnostics) {
 	const result = /* @__PURE__ */ new Map();
 	const headers = getProperty(response, "headers");
 	if (!isObject(headers)) return result;
@@ -562,7 +562,7 @@ function listAllOperations(parsed, diagnostics) {
 * (document, operation, tag, schema, ...) into an {@link ExternalDocs}
 * record. Returns `undefined` when absent or malformed.
 */
-function getExternalDocs(obj) {
+function extractExternalDocs(obj) {
 	const docs = getProperty(obj, "externalDocs");
 	if (!isObject(docs)) return void 0;
 	const url = getString(docs, "url");
@@ -577,7 +577,7 @@ function getExternalDocs(obj) {
 * {@link XmlInfo} record describing how the field is serialised in an
 * XML payload. Returns `undefined` when absent or malformed.
 */
-function getXmlInfo(schema) {
+function extractXmlInfo(schema) {
 	const xml = getProperty(schema, "xml");
 	if (!isObject(xml)) return void 0;
 	return {
@@ -631,7 +631,7 @@ function listCallbacks(parsed, path, method, diagnostics) {
 * a single operation, returning each link's parsed
 * {@link LinkInfo} entry.
 */
-function getLinks(parsed, path, method, statusCode, diagnostics) {
+function extractLinks(parsed, path, method, statusCode, diagnostics) {
 	const response = getProperty(getProperty(getProperty(lookupPathItem(parsed, path), method), "responses"), statusCode);
 	if (!isObject(response)) return [];
 	const links = getProperty(response, "links");
@@ -657,4 +657,4 @@ function getLinks(parsed, path, method, statusCode, diagnostics) {
 	return result;
 }
 //#endregion
-export { getExternalDocs, getLinks, getParameters, getRequestBody, getResponseHeaders, getResponses, getSchema, getSecurityRequirements, getSecuritySchemes, getXmlInfo, listAllOperations, listCallbacks, listOperations, listWebhooks, parseOpenApiDocument };
+export { extractExternalDocs, extractLinks, extractParameters, extractRequestBody, extractResponseHeaders, extractResponses, extractSchema, extractSecurityRequirements, extractSecuritySchemes, extractXmlInfo, listAllOperations, listCallbacks, listOperations, listWebhooks, parseOpenApiDocument };