openapi-cli4ai 0.1.1__tar.gz → 0.3.0__tar.gz

openapi_cli4ai-0.3.0/.github/release.yml

@@ -0,0 +1,20 @@
+changelog:
+  categories:
+    - title: New Features
+      labels:
+        - enhancement
+    - title: Bug Fixes
+      labels:
+        - bug
+    - title: Security
+      labels:
+        - security
+    - title: Dependencies
+      labels:
+        - dependencies
+    - title: Other Changes
+      labels:
+        - "*"
+  exclude:
+    labels:
+      - skip-changelog

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
         python-version: ["3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
         with:
           enable-cache: true
       - name: Set up Python ${{ matrix.python-version }}
@@ -29,7 +29,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       - name: Ruff check
         run: uvx ruff check .
       - name: Ruff format check

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/.github/workflows/codeql.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
+      - uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: python
-      - uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
+      - uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/.github/workflows/publish.yml

@@ -14,7 +14,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       - name: Build sdist and wheel
         run: uv build
       - name: Upload artifacts
@@ -42,7 +42,7 @@ jobs:
           name: dist
           path: dist/
       - name: Generate attestations
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: dist/*
       - name: Publish to PyPI

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/CHANGELOG.md

@@ -4,6 +4,31 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/).
 
+## [0.3.0] - 2026-03-28
+
+### Added
+
+- OIDC Authorization Code + PKCE auth type (`auth.type = "oidc"`)
+- Browser-based login with localhost callback
+- `--no-browser` flag for headless/SSH environments
+- CSRF protection via state parameter validation
+- Tested with Auth0 and Keycloak
+
+## [0.2.0] - 2026-03-26
+
+### Added
+
+- `run` command — call API operations by name with auto-routed inputs
+- Case-insensitive operationId matching
+- Fuzzy suggestions when an operationId isn't found
+- Auto-generated release notes via `.github/release.yml`
+
+### Fixed
+
+- `typer>=0.12` crashed with click 8.2+ — bumped to `>=0.24` (#3)
+- `--format json` appended non-JSON summary line breaking machine parsing
+- `init` auto-detect ignored `--insecure` flag
+
 ## [0.1.0] - 2026-03-25
 
 ### Added

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: openapi-cli4ai
-Version: 0.1.1
+Version: 0.3.0
 Summary: Turn any REST API with an OpenAPI spec into an AI-ready CLI
 Project-URL: Homepage, https://github.com/dbgorilla/openapi-cli4ai
 Project-URL: Repository, https://github.com/dbgorilla/openapi-cli4ai
@@ -41,19 +41,24 @@ Let your AI coding agent (Claude Code, Cursor, Codex, Copilot) talk to any REST
 
 ## Install
 
-```bash
-# Requires uv (https://docs.astral.sh/uv/)
-uv pip install openapi-cli4ai
+**Requires:** [uv](https://docs.astral.sh/uv/getting-started/installation/)
 
-# Or run directly without installing
+```bash
+# Recommended — run directly, no install needed
 uvx openapi-cli4ai --help
+
+# Or install globally
+uv tool install openapi-cli4ai
+
+# Or install into a virtual environment
+uv pip install openapi-cli4ai
 ```
 
 ## Quick Start
 
 ```bash
-# Point it at any API with an OpenAPI spec
-openapi-cli4ai init petstore --url https://petstore3.swagger.io/api/v3
+# Point it at any API with an OpenAPI spec (prefix with uvx if not installed)
+uvx openapi-cli4ai init petstore --url https://petstore3.swagger.io/api/v3
 
 # Discover endpoints
 openapi-cli4ai endpoints
@@ -61,7 +66,10 @@ openapi-cli4ai endpoints
 # Search endpoints
 openapi-cli4ai endpoints -s pet
 
-# Call an endpoint
+# Run an operation by name (inputs auto-routed from the spec)
+openapi-cli4ai run findPetsByStatus --input '{"status": "available"}'
+
+# Or call an endpoint directly
 openapi-cli4ai call GET /pet/findByStatus --query status=available
 ```
 
@@ -118,6 +126,27 @@ openapi-cli4ai init myapi --url https://api.example.com --spec-url https://examp
 openapi-cli4ai -k init myapi --url https://staging.internal.example.com
 ```
 
+### `run` — Run an operation by name
+
+```bash
+# Query parameter — auto-routed from the spec
+openapi-cli4ai run findPetsByStatus --input '{"status": "available"}'
+
+# Path parameter — substituted into the URL
+openapi-cli4ai run getPetById --input '{"petId": 123}'
+
+# Request body — keys not matching a parameter go to the body
+openapi-cli4ai run addPet --input '{"name": "Rex", "status": "available"}'
+
+# Load input from a file
+openapi-cli4ai run addPet --input-file pet.json
+
+# Raw JSON output
+openapi-cli4ai run getInventory --json
+```
+
+The spec tells the tool where each parameter goes (path, query, header, body). You just pass a flat JSON object.
+
 ### `endpoints` — Discover API endpoints
 
 ```bash
@@ -193,6 +222,12 @@ openapi-cli4ai login --username admin --password-file /path/to/secret
 # Login with password from stdin
 echo "my-password" | openapi-cli4ai login --username admin --password-stdin
 
+# OIDC login (opens browser for Auth0, Keycloak, etc.)
+openapi-cli4ai login
+
+# OIDC login without browser (headless/SSH — prints URL, you paste redirect back)
+openapi-cli4ai login --no-browser
+
 # Logout (clear cached tokens)
 openapi-cli4ai logout
 ```
@@ -240,6 +275,22 @@ account_type = "USERNAME"
 
 Payload placeholders: `{username}` and `{password}` come from the login prompt. `{env:VAR_NAME}` pulls from environment variables or a `.env` file (loaded automatically).
 
+OIDC example (Auth0, Keycloak, or any OIDC provider):
+
+```toml
+[profiles.my-oidc-app]
+base_url = "https://api.example.com"
+openapi_path = "/openapi.json"
+
+[profiles.my-oidc-app.auth]
+type = "oidc"
+authorize_url = "https://your-idp.com/authorize"
+token_url = "https://your-idp.com/oauth/token"
+client_id = "your-client-id"
+scopes = "openid profile email"
+callback_port = 9876
+```
+
 ### Auth Types
 
 | Type | Use Case | Config Fields |
@@ -247,6 +298,7 @@ Payload placeholders: `{username}` and `{password}` come from the login prompt.
 | `none` | Public APIs | — |
 | `bearer` | Token from env var | `token_env_var` |
 | `bearer` | OAuth token endpoint | `token_endpoint`, `refresh_endpoint`, `payload` |
+| `oidc` | OIDC Authorization Code + PKCE | `authorize_url`, `token_url`, `client_id`, `scopes` |
 | `api-key` | API key in header | `env_var`, `header`, `prefix` |
 | `basic` | HTTP Basic auth | `username_env_var`, `password_env_var` |
 
@@ -263,6 +315,8 @@ Payload placeholders: `{username}` and `{password}` come from the login prompt.
 | [Jira Cloud](https://developer.atlassian.com/cloud/jira/platform/rest/v3/) | 581 | Basic | `init jira --url https://your-domain.atlassian.net --spec-url ... --auth basic` |
 | [OpenRouter](https://openrouter.ai) | 36 | Bearer | `init openrouter --url https://openrouter.ai/api/v1 --spec-url ... --auth bearer` |
 | [DBGorilla](https://dbgorilla.com) | 500+ | Token endpoint | See `examples/profiles.toml.example` |
+| [Auth0](https://auth0.com) | — | OIDC + PKCE | `init myapp --url https://api.example.com --auth oidc` |
+| [Keycloak](https://www.keycloak.org) | — | OIDC + PKCE | `init myapp --url https://api.example.com --auth oidc` |
 
 Works with any AI agent that has shell access — Claude Code, Cursor, GitHub Copilot, or anything that can run `endpoints` and `call`.
 

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/README.md

@@ -13,19 +13,24 @@ Let your AI coding agent (Claude Code, Cursor, Codex, Copilot) talk to any REST
 
 ## Install
 
-```bash
-# Requires uv (https://docs.astral.sh/uv/)
-uv pip install openapi-cli4ai
+**Requires:** [uv](https://docs.astral.sh/uv/getting-started/installation/)
 
-# Or run directly without installing
+```bash
+# Recommended — run directly, no install needed
 uvx openapi-cli4ai --help
+
+# Or install globally
+uv tool install openapi-cli4ai
+
+# Or install into a virtual environment
+uv pip install openapi-cli4ai
 ```
 
 ## Quick Start
 
 ```bash
-# Point it at any API with an OpenAPI spec
-openapi-cli4ai init petstore --url https://petstore3.swagger.io/api/v3
+# Point it at any API with an OpenAPI spec (prefix with uvx if not installed)
+uvx openapi-cli4ai init petstore --url https://petstore3.swagger.io/api/v3
 
 # Discover endpoints
 openapi-cli4ai endpoints
@@ -33,7 +38,10 @@ openapi-cli4ai endpoints
 # Search endpoints
 openapi-cli4ai endpoints -s pet
 
-# Call an endpoint
+# Run an operation by name (inputs auto-routed from the spec)
+openapi-cli4ai run findPetsByStatus --input '{"status": "available"}'
+
+# Or call an endpoint directly
 openapi-cli4ai call GET /pet/findByStatus --query status=available
 ```
 
@@ -90,6 +98,27 @@ openapi-cli4ai init myapi --url https://api.example.com --spec-url https://examp
 openapi-cli4ai -k init myapi --url https://staging.internal.example.com
 ```
 
+### `run` — Run an operation by name
+
+```bash
+# Query parameter — auto-routed from the spec
+openapi-cli4ai run findPetsByStatus --input '{"status": "available"}'
+
+# Path parameter — substituted into the URL
+openapi-cli4ai run getPetById --input '{"petId": 123}'
+
+# Request body — keys not matching a parameter go to the body
+openapi-cli4ai run addPet --input '{"name": "Rex", "status": "available"}'
+
+# Load input from a file
+openapi-cli4ai run addPet --input-file pet.json
+
+# Raw JSON output
+openapi-cli4ai run getInventory --json
+```
+
+The spec tells the tool where each parameter goes (path, query, header, body). You just pass a flat JSON object.
+
 ### `endpoints` — Discover API endpoints
 
 ```bash
@@ -165,6 +194,12 @@ openapi-cli4ai login --username admin --password-file /path/to/secret
 # Login with password from stdin
 echo "my-password" | openapi-cli4ai login --username admin --password-stdin
 
+# OIDC login (opens browser for Auth0, Keycloak, etc.)
+openapi-cli4ai login
+
+# OIDC login without browser (headless/SSH — prints URL, you paste redirect back)
+openapi-cli4ai login --no-browser
+
 # Logout (clear cached tokens)
 openapi-cli4ai logout
 ```
@@ -212,6 +247,22 @@ account_type = "USERNAME"
 
 Payload placeholders: `{username}` and `{password}` come from the login prompt. `{env:VAR_NAME}` pulls from environment variables or a `.env` file (loaded automatically).
 
+OIDC example (Auth0, Keycloak, or any OIDC provider):
+
+```toml
+[profiles.my-oidc-app]
+base_url = "https://api.example.com"
+openapi_path = "/openapi.json"
+
+[profiles.my-oidc-app.auth]
+type = "oidc"
+authorize_url = "https://your-idp.com/authorize"
+token_url = "https://your-idp.com/oauth/token"
+client_id = "your-client-id"
+scopes = "openid profile email"
+callback_port = 9876
+```
+
 ### Auth Types
 
 | Type | Use Case | Config Fields |
@@ -219,6 +270,7 @@ Payload placeholders: `{username}` and `{password}` come from the login prompt.
 | `none` | Public APIs | — |
 | `bearer` | Token from env var | `token_env_var` |
 | `bearer` | OAuth token endpoint | `token_endpoint`, `refresh_endpoint`, `payload` |
+| `oidc` | OIDC Authorization Code + PKCE | `authorize_url`, `token_url`, `client_id`, `scopes` |
 | `api-key` | API key in header | `env_var`, `header`, `prefix` |
 | `basic` | HTTP Basic auth | `username_env_var`, `password_env_var` |
 
@@ -235,6 +287,8 @@ Payload placeholders: `{username}` and `{password}` come from the login prompt.
 | [Jira Cloud](https://developer.atlassian.com/cloud/jira/platform/rest/v3/) | 581 | Basic | `init jira --url https://your-domain.atlassian.net --spec-url ... --auth basic` |
 | [OpenRouter](https://openrouter.ai) | 36 | Bearer | `init openrouter --url https://openrouter.ai/api/v1 --spec-url ... --auth bearer` |
 | [DBGorilla](https://dbgorilla.com) | 500+ | Token endpoint | See `examples/profiles.toml.example` |
+| [Auth0](https://auth0.com) | — | OIDC + PKCE | `init myapp --url https://api.example.com --auth oidc` |
+| [Keycloak](https://www.keycloak.org) | — | OIDC + PKCE | `init myapp --url https://api.example.com --auth oidc` |
 
 Works with any AI agent that has shell access — Claude Code, Cursor, GitHub Copilot, or anything that can run `endpoints` and `call`.
 

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "openapi-cli4ai"
-version = "0.1.1"
+version = "0.3.0"
 description = "Turn any REST API with an OpenAPI spec into an AI-ready CLI"
 readme = "README.md"
 license = "MIT"

{openapi_cli4ai-0.1.1 → openapi_cli4ai-0.3.0}/src/openapi_cli4ai/cli.py

@@ -27,9 +27,13 @@ import hashlib
 import json
 import os
 import re
+import secrets
 import sys
 import time
 import tomllib
+import urllib.parse
+import webbrowser
+from http.server import BaseHTTPRequestHandler, HTTPServer
 from pathlib import Path
 from typing import Annotated, Optional
 
@@ -47,7 +51,7 @@ from rich.panel import Panel  # noqa: E402
 from rich.table import Table  # noqa: E402
 
 # ── Constants ──────────────────────────────────────────────────────────────────
-VERSION = "0.1.1"
+VERSION = "0.3.0"
 APP_NAME = "openapi-cli4ai"
 CONFIG_FILE = Path.home() / ".openapi-cli4ai.toml"
 CACHE_DIR = Path.home() / ".cache" / APP_NAME
@@ -376,6 +380,8 @@ def get_auth_headers(profile: dict, quiet: bool = False) -> dict:
         return {}
     elif auth_type == "bearer":
         return _bearer_auth(profile, auth_config, quiet)
+    elif auth_type == "oidc":
+        return _oidc_auth(profile, auth_config, quiet)
     elif auth_type == "api-key":
         return _api_key_auth(auth_config, quiet)
     elif auth_type == "basic":
@@ -469,6 +475,262 @@ def _try_refresh_token(profile: dict, auth_config: dict, cached: dict) -> dict |
     return None
 
 
+# ── OIDC (Authorization Code + PKCE) ─────────────────────────────────────────
+
+
+def _oidc_auth(profile: dict, auth_config: dict, quiet: bool = False) -> dict:
+    """Handle OIDC auth -- cached token with form-encoded refresh."""
+    profile_name = profile.get("_name", "default")
+    token_cache = CACHE_DIR / f"{profile_name}_token.json"
+
+    if token_cache.exists():
+        try:
+            cached = json.loads(token_cache.read_text())
+            expires_at = cached.get("expires_at", 0)
+
+            # Valid token -- use it
+            if time.time() < (expires_at - 300):
+                return {"Authorization": f"Bearer {cached['access_token']}"}
+
+            # Try refresh (form-encoded, standard OIDC)
+            if "refresh_token" in cached:
+                verify = profile.get("verify_ssl", True) and get_verify_ssl()
+                refreshed = _oidc_refresh(auth_config, cached, verify=verify)
+                if refreshed:
+                    refreshed["expires_at"] = time.time() + refreshed.get("expires_in", 300)
+                    ensure_dirs()
+                    token_cache.write_text(json.dumps(refreshed))
+                    token_cache.chmod(0o600)
+                    return {"Authorization": f"Bearer {refreshed['access_token']}"}
+        except (json.JSONDecodeError, OSError, KeyError):
+            pass
+
+    if not quiet:
+        console.print("[yellow]Token expired or missing. Run 'openapi-cli4ai login' to authenticate.[/yellow]")
+    raise typer.Exit(1)
+
+
+def _oidc_refresh(auth_config: dict, cached: dict, verify: bool = True) -> dict | None:
+    """Refresh an OIDC token using form-encoded POST (standard OIDC spec)."""
+    token_url = auth_config.get("token_url", "")
+    client_id = auth_config.get("client_id", "")
+    if not token_url or not client_id:
+        return None
+    try:
+        with httpx.Client(verify=verify, timeout=30.0) as client:
+            resp = client.post(
+                token_url,
+                data={
+                    "grant_type": "refresh_token",
+                    "client_id": client_id,
+                    "refresh_token": cached["refresh_token"],
+                },
+            )
+            if resp.status_code == 200:
+                return resp.json()
+    except Exception:
+        pass
+    return None
+
+
+class _OIDCCallbackHandler(BaseHTTPRequestHandler):
+    """HTTP handler that captures the OIDC authorization code callback."""
+
+    auth_code: str | None = None
+    error: str | None = None
+    expected_state: str | None = None
+
+    def do_GET(self) -> None:
+        params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
+
+        # Validate state to prevent CSRF
+        received_state = params.get("state", [None])[0]
+        if _OIDCCallbackHandler.expected_state and received_state != _OIDCCallbackHandler.expected_state:
+            _OIDCCallbackHandler.error = "state_mismatch"
+            self.send_response(400)
+            self.send_header("Content-Type", "text/html")
+            self.end_headers()
+            self.wfile.write(
+                b"<html><body><h2>Login failed</h2><p>State mismatch - possible CSRF attack.</p></body></html>"
+            )
+            return
+
+        if "code" in params:
+            _OIDCCallbackHandler.auth_code = params["code"][0]
+            self.send_response(200)
+            self.send_header("Content-Type", "text/html")
+            self.end_headers()
+            self.wfile.write(
+                b"<html><body><h2>Login successful</h2>"
+                b"<p>You can close this tab and return to the terminal.</p>"
+                b"</body></html>"
+            )
+        else:
+            _OIDCCallbackHandler.error = params.get("error", ["unknown"])[0]
+            self.send_response(400)
+            self.send_header("Content-Type", "text/html")
+            self.end_headers()
+            self.wfile.write(
+                f"<html><body><h2>Login failed</h2><p>{_OIDCCallbackHandler.error}</p></body></html>".encode()
+            )
+
+    def log_message(self, format: str, *args: object) -> None:
+        pass  # Suppress HTTP server logging
+
+
+def _oidc_login(auth_config: dict, profile_name: str, no_browser: bool = False, verify: bool = True) -> None:
+    """Run OIDC Authorization Code + PKCE flow.
+
+    With browser (default): opens browser, listens on localhost for callback.
+    Without browser (--no-browser): prints URL, user pastes redirect URL back.
+    """
+    authorize_url = auth_config.get("authorize_url", "")
+    token_url = auth_config.get("token_url", "")
+    client_id = auth_config.get("client_id", "")
+    scopes = auth_config.get("scopes", "openid")
+    callback_port = auth_config.get("callback_port", 8484)
+    redirect_uri = auth_config.get("redirect_uri", f"http://localhost:{callback_port}/callback")
+
+    if not authorize_url or not token_url or not client_id:
+        console.print("[red]OIDC auth requires authorize_url, token_url, and client_id.[/red]")
+        raise typer.Exit(1)
+
+    # PKCE: generate code verifier + challenge
+    code_verifier = secrets.token_urlsafe(64)
+    code_challenge = base64.urlsafe_b64encode(hashlib.sha256(code_verifier.encode()).digest()).rstrip(b"=").decode()
+    state = secrets.token_urlsafe(32)
+
+    # Build authorization URL
+    auth_params = urllib.parse.urlencode(
+        {
+            "response_type": "code",
+            "client_id": client_id,
+            "redirect_uri": redirect_uri,
+            "scope": scopes,
+            "state": state,
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+        }
+    )
+    full_auth_url = f"{authorize_url}?{auth_params}"
+
+    if no_browser:
+        auth_code = _oidc_login_no_browser(full_auth_url)
+    else:
+        auth_code = _oidc_login_browser(full_auth_url, callback_port, state)
+
+    # Exchange code for tokens
+    _oidc_exchange_code(
+        token_url=token_url,
+        client_id=client_id,
+        auth_code=auth_code,
+        redirect_uri=redirect_uri,
+        code_verifier=code_verifier,
+        profile_name=profile_name,
+        verify=verify,
+    )
+
+
+def _oidc_login_browser(full_auth_url: str, callback_port: int, state: str) -> str:
+    """Open browser and listen for the OIDC callback on localhost."""
+    _OIDCCallbackHandler.auth_code = None
+    _OIDCCallbackHandler.error = None
+    _OIDCCallbackHandler.expected_state = state
+    server = HTTPServer(("127.0.0.1", callback_port), _OIDCCallbackHandler)
+    server.timeout = 120
+
+    console.print(f"[dim]Listening on http://localhost:{callback_port}/callback[/dim]")
+    console.print("[bold]Opening browser for login...[/bold]")
+    webbrowser.open(full_auth_url)
+    console.print("[dim]Waiting for callback (120s timeout)...[/dim]")
+
+    server.handle_request()
+    server.server_close()
+
+    if _OIDCCallbackHandler.error:
+        console.print(f"[red]OIDC error: {_OIDCCallbackHandler.error}[/red]")
+        raise typer.Exit(1)
+    if not _OIDCCallbackHandler.auth_code:
+        console.print("[red]No authorization code received.[/red]")
+        raise typer.Exit(1)
+
+    return _OIDCCallbackHandler.auth_code
+
+
+def _oidc_login_no_browser(full_auth_url: str) -> str:
+    """Print the auth URL, user pastes back the redirect URL containing the code."""
+    console.print("\n[bold]Open this URL in any browser to log in:[/bold]\n")
+    console.print(f"  {full_auth_url}\n")
+    console.print(
+        "[dim]After login, your browser will redirect to a localhost URL.\n"
+        "Copy the full URL from your browser's address bar and paste it below.[/dim]\n"
+    )
+    redirect_input = typer.prompt("Paste the redirect URL")
+
+    # Extract the authorization code from the pasted URL
+    parsed = urllib.parse.urlparse(redirect_input.strip())
+    params = urllib.parse.parse_qs(parsed.query)
+
+    if "error" in params:
+        console.print(f"[red]OIDC error: {params['error'][0]}[/red]")
+        raise typer.Exit(1)
+
+    if "code" not in params:
+        console.print("[red]No authorization code found in the URL.[/red]")
+        console.print("[dim]Expected a URL like: http://localhost:.../callback?code=...&state=...[/dim]")
+        raise typer.Exit(1)
+
+    return params["code"][0]
+
+
+def _oidc_exchange_code(
+    *,
+    token_url: str,
+    client_id: str,
+    auth_code: str,
+    redirect_uri: str,
+    code_verifier: str,
+    profile_name: str,
+    verify: bool = True,
+) -> None:
+    """Exchange an authorization code for tokens and cache them."""
+    try:
+        with httpx.Client(verify=verify, timeout=30.0) as client:
+            resp = client.post(
+                token_url,
+                data={
+                    "grant_type": "authorization_code",
+                    "client_id": client_id,
+                    "code": auth_code,
+                    "redirect_uri": redirect_uri,
+                    "code_verifier": code_verifier,
+                },
+            )
+
+        if resp.status_code != 200:
+            console.print(f"[red]Token exchange failed ({resp.status_code}):[/red]")
+            console.print(resp.text)
+            raise typer.Exit(1)
+
+        token_data = resp.json()
+        if "expires_in" in token_data:
+            token_data["expires_at"] = time.time() + token_data["expires_in"]
+        elif "expires_at" not in token_data:
+            token_data["expires_at"] = time.time() + 86400
+
+        token_cache = CACHE_DIR / f"{profile_name}_token.json"
+        ensure_dirs()
+        token_cache.write_text(json.dumps(token_data))
+        token_cache.chmod(0o600)
+
+        console.print("[green]Logged in successfully![/green]")
+        console.print(f"[dim]Token cached at {token_cache}[/dim]")
+
+    except httpx.ConnectError:
+        console.print(f"[red]Cannot connect to {token_url}[/red]")
+        raise typer.Exit(1)
+
+
 def _api_key_auth(auth_config: dict, quiet: bool = False) -> dict:
     """Handle API key auth via custom header."""
     env_var = auth_config.get("env_var", "")
@@ -878,6 +1140,181 @@ def cmd_call(
             console.print(f"[dim]{elapsed:.2f}s[/dim]")
 
 
+# ── Commands: run ──────────────────────────────────────────────────────────────
+def _route_inputs(input_data: dict, parameters: list, has_request_body: bool) -> tuple[dict, dict, dict, dict | None]:
+    """Route flat input keys to path params, query params, headers, and body.
+
+    Returns (path_params, query_params, header_params, body).
+    """
+    path_params = {}
+    query_params = {}
+    header_params = {}
+    body_keys = {}
+
+    # Build a lookup of parameter names to their location
+    param_map: dict[str, str] = {}
+    for p in parameters:
+        if isinstance(p, dict) and "name" in p:
+            param_map[p["name"]] = p.get("in", "query")
+
+    for key, value in input_data.items():
+        location = param_map.get(key)
+        if location == "path":
+            path_params[key] = value
+        elif location == "query":
+            query_params[key] = value
+        elif location == "header":
+            header_params[key] = value
+        elif location:
+            # cookie or other — treat as query
+            query_params[key] = value
+        else:
+            # Not a declared parameter — goes into request body
+            body_keys[key] = value
+
+    body = body_keys if body_keys else None
+    # If there's a requestBody defined but no body keys collected,
+    # and the entire input looks like it could be the body, send it all
+    if has_request_body and not body and not param_map:
+        body = input_data
+
+    return path_params, query_params, header_params, body
+
+
+@app.command("run")
+def cmd_run(
+    operation: Annotated[
+        str, typer.Argument(help="Operation ID from the OpenAPI spec (e.g., findPetsByStatus, addPet)")
+    ],
+    input_data: Annotated[
+        Optional[str], typer.Option("--input", "-i", help="Input as JSON (keys auto-routed to path/query/body)")
+    ] = None,
+    input_file: Annotated[Optional[str], typer.Option("--input-file", "-f", help="Read input from a JSON file")] = None,
+    stream: Annotated[bool, typer.Option("--stream", help="Stream SSE response")] = False,
+    raw: Annotated[bool, typer.Option("--raw", help="Print raw response without formatting")] = False,
+    output_json_flag: Annotated[bool, typer.Option("--json", help="Output raw JSON")] = False,
+) -> None:
+    """Run an API operation by name. Inputs are auto-routed to the right place.
+
+    The spec defines where each parameter goes (path, query, header, body).
+    You just pass a flat JSON object and the tool figures it out.
+
+    Examples:
+        openapi-cli4ai run findPetsByStatus --input '{"status": "available"}'
+        openapi-cli4ai run getPetById --input '{"petId": 123}'
+        openapi-cli4ai run addPet --input '{"name": "Rex", "status": "available"}'
+        openapi-cli4ai run addPet --input-file pet.json
+    """
+    profile_name, profile = get_active_profile()
+    spec = fetch_spec(profile)
+
+    # Look up the operation in the spec
+    endpoint = extract_full_endpoint_schema(spec, operation)
+    if not endpoint:
+        # Try case-insensitive fuzzy match
+        all_eps = extract_endpoint_summaries(spec)
+        matches = [e for e in all_eps if e["operationId"].lower() == operation.lower()]
+        if matches:
+            endpoint = extract_full_endpoint_schema(spec, matches[0]["operationId"])
+
+    if not endpoint:
+        console.print(f"[red]Operation '{operation}' not found in spec.[/red]")
+        # Suggest similar operations
+        all_eps = extract_endpoint_summaries(spec)
+        op_lower = operation.lower()
+        suggestions = [e["operationId"] for e in all_eps if op_lower in e["operationId"].lower()][:5]
+        if suggestions:
+            console.print("[dim]Did you mean:[/dim]")
+            for s in suggestions:
+                console.print(f"  [cyan]{s}[/cyan]")
+        raise typer.Exit(1)
+
+    # Parse input
+    parsed_input = {}
+    if input_file:
+        fp = Path(input_file)
+        if not fp.exists():
+            console.print(f"[red]Input file not found: {input_file}[/red]")
+            raise typer.Exit(1)
+        try:
+            parsed_input = json.loads(fp.read_text())
+        except json.JSONDecodeError as e:
+            console.print(f"[red]Invalid JSON in {input_file}: {e}[/red]")
+            raise typer.Exit(1)
+    elif input_data:
+        try:
+            parsed_input = json.loads(input_data)
+        except json.JSONDecodeError as e:
+            console.print(f"[red]Invalid JSON input: {e}[/red]")
+            raise typer.Exit(1)
+
+    # Route inputs to the right places
+    method = endpoint["method"]
+    path_template = endpoint["path"]
+    parameters = endpoint.get("parameters", [])
+    has_request_body = endpoint.get("requestBody") is not None
+
+    path_params, query_params, header_params, json_body = _route_inputs(parsed_input, parameters, has_request_body)
+
+    # Substitute path parameters
+    full_path = path_template
+    for key, value in path_params.items():
+        full_path = full_path.replace(f"{{{key}}}", str(value))
+
+    # Check for unresolved path params
+    if "{" in full_path:
+        import re as _re
+
+        missing = _re.findall(r"\{(\w+)\}", full_path)
+        console.print(f"[red]Missing required path parameter(s): {', '.join(missing)}[/red]")
+        console.print(f'[dim]Provide them in --input, e.g. --input \'{{"{missing[0]}": "value"}}\'[/dim]')
+        raise typer.Exit(1)
+
+    # Build URL and make request
+    base_url = profile["base_url"].rstrip("/")
+    url = f"{base_url}{full_path}"
+
+    verify = profile.get("verify_ssl", True) and get_verify_ssl()
+    headers = dict(profile.get("headers", {}))
+    headers.update(get_auth_headers(profile))
+    headers.update(header_params)
+
+    start_time = time.perf_counter()
+    console.print(f"[dim]{method} {full_path}...[/dim]")
+
+    with httpx.Client(verify=verify, timeout=60.0, follow_redirects=True) as client:
+        if stream:
+            headers["Accept"] = "text/event-stream"
+            with client.stream(
+                method,
+                url,
+                json=json_body,
+                params=query_params or None,
+                headers=headers,
+            ) as response:
+                if response.status_code >= 400:
+                    response.read()
+                    _display_error(
+                        response.json() if "json" in response.headers.get("content-type", "") else response.text,
+                        response.status_code,
+                    )
+                    raise typer.Exit(1)
+                stream_sse(response)
+            elapsed = time.perf_counter() - start_time
+            console.print(f"[dim]Completed in {elapsed:.2f}s[/dim]")
+        else:
+            response = client.request(
+                method,
+                url,
+                json=json_body,
+                params=query_params or None,
+                headers=headers,
+            )
+            elapsed = time.perf_counter() - start_time
+            handle_response(response, raw=raw, json_output=output_json_flag)
+            console.print(f"[dim]{elapsed:.2f}s[/dim]")
+
+
 # ── Commands: init ─────────────────────────────────────────────────────────────
 @app.command("init")
 def cmd_init(
@@ -887,7 +1324,7 @@ def cmd_init(
         Optional[str], typer.Option("--spec", "-s", help="Path to OpenAPI spec (auto-detected if omitted)")
     ] = None,
     spec_url: Annotated[Optional[str], typer.Option("--spec-url", help="Full URL to OpenAPI spec file")] = None,
-    auth_type: Annotated[str, typer.Option("--auth", help="Auth type: bearer, api-key, basic, none")] = "none",
+    auth_type: Annotated[str, typer.Option("--auth", help="Auth type: bearer, oidc, api-key, basic, none")] = "none",
 ) -> None:
     """Initialize a new API profile with guided setup.
 
@@ -972,6 +1409,22 @@ def cmd_init(
                 "password": "{password}",
             }
             console.print("[dim]Run 'openapi-cli4ai login --username <user>' to authenticate.[/dim]")
+    elif auth_type == "oidc":
+        authorize_url = typer.prompt("Authorization URL (full URL)")
+        token_url = typer.prompt("Token URL (full URL)")
+        client_id_val = typer.prompt("Client ID")
+        scopes = typer.prompt("Scopes", default="openid")
+        redirect_uri_val = typer.prompt("Redirect URI (or leave blank for localhost callback)", default="")
+        if redirect_uri_val:
+            profile["auth"]["redirect_uri"] = redirect_uri_val
+        else:
+            cb_port = typer.prompt("Local callback port", default="8484")
+            profile["auth"]["callback_port"] = int(cb_port)
+        profile["auth"]["authorize_url"] = authorize_url
+        profile["auth"]["token_url"] = token_url
+        profile["auth"]["client_id"] = client_id_val
+        profile["auth"]["scopes"] = scopes
+        console.print("[dim]Run 'openapi-cli4ai login' to authenticate via browser.[/dim]")
     elif auth_type == "api-key":
         env_var = typer.prompt("Environment variable for API key", default=f"{name.upper()}_API_KEY")
         header_name = typer.prompt("Header name", default="Authorization")
@@ -1031,13 +1484,21 @@ def cmd_login(
     ] = "",
     password_file: Annotated[Optional[str], typer.Option("--password-file", help="Read password from file")] = None,
     password_stdin: Annotated[bool, typer.Option("--password-stdin", help="Read password from stdin")] = False,
+    no_browser: Annotated[
+        bool,
+        typer.Option("--no-browser", help="OIDC: print login URL instead of opening browser (for headless/SSH)"),
+    ] = False,
 ) -> None:
     """Login to an API that uses OAuth/token-endpoint authentication.
 
-    This is for APIs with auth.type=bearer and a token_endpoint configured.
-    For APIs using static tokens or API keys, just set the environment variable.
+    Supports two auth modes:
+        - auth.type=bearer with token_endpoint: username/password grant
+        - auth.type=oidc: Authorization Code + PKCE flow (browser or --no-browser)
 
-    Password input methods (in priority order):
+    For OIDC, use --no-browser on headless machines: prints the login URL,
+    then prompts you to paste back the redirect URL after authenticating.
+
+    Password input methods (bearer mode, in priority order):
         1. --password-file /path/to/file
         2. --password-stdin (piped input)
         3. --password flag (avoid for special characters)
@@ -1046,8 +1507,22 @@ def cmd_login(
     profile_name, profile = get_active_profile()
     auth_config = profile.get("auth", {})
 
+    # OIDC flow
+    if auth_config.get("type") == "oidc":
+        verify = profile.get("verify_ssl", True) and get_verify_ssl()
+        _oidc_login(auth_config, profile_name, no_browser=no_browser, verify=verify)
+        # Try fetching the spec now that we're authenticated
+        try:
+            spec = fetch_spec(profile, refresh=True)
+            endpoints = extract_endpoint_summaries(spec)
+            spec_title = spec.get("info", {}).get("title", "Unknown")
+            console.print(f"[green]Fetched spec: {spec_title} ({len(endpoints)} endpoints)[/green]")
+        except (typer.Exit, Exception):
+            pass
+        return
+
     if auth_config.get("type") != "bearer" or not auth_config.get("token_endpoint"):
-        console.print("[yellow]Login is for profiles with bearer auth + token_endpoint.[/yellow]")
+        console.print("[yellow]Login is for profiles with bearer auth + token_endpoint, or oidc.[/yellow]")
         console.print("[dim]If your API uses a static token or API key, set the environment variable instead.[/dim]")
         raise typer.Exit(1)
 
@@ -1154,7 +1629,7 @@ def cmd_profile_add(
     name: Annotated[str, typer.Argument(help="Profile name")],
     url: Annotated[str, typer.Option("--url", "-u", help="Base URL of the API")] = "",
     spec_path: Annotated[str, typer.Option("--spec", "-s", help="Path to OpenAPI spec")] = "/openapi.json",
-    auth_type: Annotated[str, typer.Option("--auth", help="Auth type: bearer, api-key, basic, none")] = "none",
+    auth_type: Annotated[str, typer.Option("--auth", help="Auth type: bearer, oidc, api-key, basic, none")] = "none",
 ) -> None:
     """Add a new API profile."""
     if not url:

openapi_cli4ai-0.3.0/tests/test_oidc.py

@@ -0,0 +1,130 @@
+"""Tests for OIDC Authorization Code + PKCE auth."""
+
+from __future__ import annotations
+
+import base64
+import hashlib
+import json
+import time
+
+import pytest
+from click.exceptions import Exit as ClickExit
+
+
+def test_oidc_auth_returns_cached_token(cli_module, tmp_config):
+    """Should return cached token when it's still valid."""
+    mod, tmp_path, cache_dir = tmp_config
+    token_data = {
+        "access_token": "oidc-token-123",
+        "expires_at": time.time() + 3600,
+    }
+    token_file = cache_dir / "testprofile_token.json"
+    token_file.write_text(json.dumps(token_data))
+    token_file.chmod(0o600)
+
+    profile = {
+        "_name": "testprofile",
+        "auth": {
+            "type": "oidc",
+            "authorize_url": "https://idp.example.com/authorize",
+            "token_url": "https://idp.example.com/token",
+            "client_id": "my-client",
+        },
+    }
+    headers = mod._oidc_auth(profile, profile["auth"])
+    assert headers == {"Authorization": "Bearer oidc-token-123"}
+
+
+def test_oidc_auth_expired_token_prompts_login(cli_module, tmp_config):
+    """Should exit with login prompt when token is expired and no refresh token."""
+    mod, tmp_path, cache_dir = tmp_config
+    token_data = {
+        "access_token": "expired-token",
+        "expires_at": time.time() - 100,
+    }
+    token_file = cache_dir / "testprofile_token.json"
+    token_file.write_text(json.dumps(token_data))
+
+    profile = {
+        "_name": "testprofile",
+        "auth": {
+            "type": "oidc",
+            "authorize_url": "https://idp.example.com/authorize",
+            "token_url": "https://idp.example.com/token",
+            "client_id": "my-client",
+        },
+    }
+    with pytest.raises((SystemExit, ClickExit)):
+        mod._oidc_auth(profile, profile["auth"])
+
+
+def test_oidc_auth_no_cache_prompts_login(cli_module, tmp_config):
+    """Should exit with login prompt when no cached token exists."""
+    mod, tmp_path, cache_dir = tmp_config
+    profile = {
+        "_name": "testprofile",
+        "auth": {
+            "type": "oidc",
+            "authorize_url": "https://idp.example.com/authorize",
+            "token_url": "https://idp.example.com/token",
+            "client_id": "my-client",
+        },
+    }
+    with pytest.raises((SystemExit, ClickExit)):
+        mod._oidc_auth(profile, profile["auth"])
+
+
+def test_oidc_refresh_missing_config(cli_module):
+    """Should return None when token_url or client_id is missing."""
+    result = cli_module._oidc_refresh({"client_id": "x"}, {"refresh_token": "rt"})
+    assert result is None
+    result = cli_module._oidc_refresh({"token_url": "x"}, {"refresh_token": "rt"})
+    assert result is None
+
+
+def test_pkce_challenge_computation(cli_module):
+    """Verify PKCE S256 challenge is computed correctly per RFC 7636."""
+    import secrets
+
+    verifier = secrets.token_urlsafe(64)
+    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
+
+    # Verify it's base64url without padding
+    assert "=" not in challenge
+    assert "+" not in challenge
+    assert "/" not in challenge
+    # Verify it decodes back to 32 bytes (SHA-256 output)
+    padded = challenge + "=" * (4 - len(challenge) % 4)
+    decoded = base64.urlsafe_b64decode(padded)
+    assert len(decoded) == 32
+
+
+def test_oidc_callback_handler_state_validation(cli_module):
+    """The callback handler class should have expected_state attribute."""
+    handler_cls = cli_module._OIDCCallbackHandler
+    assert hasattr(handler_cls, "expected_state")
+    assert hasattr(handler_cls, "auth_code")
+    assert hasattr(handler_cls, "error")
+
+
+def test_get_auth_headers_dispatches_oidc(cli_module, tmp_config):
+    """get_auth_headers should dispatch to _oidc_auth for type=oidc."""
+    mod, tmp_path, cache_dir = tmp_config
+    token_data = {
+        "access_token": "dispatched-token",
+        "expires_at": time.time() + 3600,
+    }
+    token_file = cache_dir / "testprofile_token.json"
+    token_file.write_text(json.dumps(token_data))
+
+    profile = {
+        "_name": "testprofile",
+        "auth": {
+            "type": "oidc",
+            "authorize_url": "https://idp.example.com/authorize",
+            "token_url": "https://idp.example.com/token",
+            "client_id": "my-client",
+        },
+    }
+    headers = mod.get_auth_headers(profile)
+    assert headers == {"Authorization": "Bearer dispatched-token"}

openapi_cli4ai-0.3.0/tests/test_run_command.py

@@ -0,0 +1,165 @@
+"""Tests for the run command and input routing."""
+
+from __future__ import annotations
+
+
+def test_route_inputs_path_params(cli_module):
+    """Should route path parameters correctly."""
+    parameters = [
+        {"name": "petId", "in": "path"},
+        {"name": "status", "in": "query"},
+    ]
+    input_data = {"petId": 123, "status": "available"}
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=False
+    )
+
+    assert path_params == {"petId": 123}
+    assert query_params == {"status": "available"}
+    assert header_params == {}
+    assert body is None
+
+
+def test_route_inputs_query_params(cli_module):
+    """Should route query parameters correctly."""
+    parameters = [
+        {"name": "status", "in": "query"},
+        {"name": "limit", "in": "query"},
+    ]
+    input_data = {"status": "available", "limit": 10}
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=False
+    )
+
+    assert path_params == {}
+    assert query_params == {"status": "available", "limit": 10}
+    assert body is None
+
+
+def test_route_inputs_header_params(cli_module):
+    """Should route header parameters correctly."""
+    parameters = [
+        {"name": "X-Request-Id", "in": "header"},
+    ]
+    input_data = {"X-Request-Id": "abc-123", "name": "Rex"}
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=True
+    )
+
+    assert header_params == {"X-Request-Id": "abc-123"}
+    assert body == {"name": "Rex"}
+
+
+def test_route_inputs_body_from_undeclared_keys(cli_module):
+    """Keys not matching any parameter should go to body."""
+    parameters = [
+        {"name": "petId", "in": "path"},
+    ]
+    input_data = {"petId": 1, "name": "Rex", "status": "available"}
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=True
+    )
+
+    assert path_params == {"petId": 1}
+    assert body == {"name": "Rex", "status": "available"}
+
+
+def test_route_inputs_all_body_when_no_params(cli_module):
+    """When no parameters declared and requestBody exists, send all as body."""
+    parameters = []
+    input_data = {"name": "Rex", "status": "available"}
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=True
+    )
+
+    assert body == {"name": "Rex", "status": "available"}
+
+
+def test_route_inputs_empty_input(cli_module):
+    """Should handle empty input gracefully."""
+    parameters = [
+        {"name": "status", "in": "query"},
+    ]
+
+    path_params, query_params, header_params, body = cli_module._route_inputs({}, parameters, has_request_body=False)
+
+    assert path_params == {}
+    assert query_params == {}
+    assert header_params == {}
+    assert body is None
+
+
+def test_route_inputs_no_body_when_not_declared(cli_module):
+    """Undeclared keys without requestBody should still go to body dict."""
+    parameters = []
+    input_data = {"name": "Rex"}
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=False
+    )
+
+    # No requestBody and no param_map — body_keys has content but not the fallback path
+    assert body == {"name": "Rex"}
+
+
+def test_route_inputs_mixed_all_locations(cli_module):
+    """Should correctly split input across path, query, header, and body."""
+    parameters = [
+        {"name": "userId", "in": "path"},
+        {"name": "format", "in": "query"},
+        {"name": "X-Trace-Id", "in": "header"},
+    ]
+    input_data = {
+        "userId": 42,
+        "format": "json",
+        "X-Trace-Id": "trace-abc",
+        "email": "user@example.com",
+        "name": "Alice",
+    }
+
+    path_params, query_params, header_params, body = cli_module._route_inputs(
+        input_data, parameters, has_request_body=True
+    )
+
+    assert path_params == {"userId": 42}
+    assert query_params == {"format": "json"}
+    assert header_params == {"X-Trace-Id": "trace-abc"}
+    assert body == {"email": "user@example.com", "name": "Alice"}
+
+
+def test_extract_full_endpoint_schema_has_parameters(cli_module, petstore_spec):
+    """Should extract parameters with 'in' locations from petstore spec."""
+    endpoint = cli_module.extract_full_endpoint_schema(petstore_spec, "findPetsByStatus")
+    assert endpoint is not None
+    assert endpoint["method"] == "GET"
+    assert endpoint["path"] == "/pet/findByStatus"
+    # findPetsByStatus has a 'status' query parameter
+    param_names = [p["name"] for p in endpoint["parameters"]]
+    assert "status" in param_names
+    status_param = next(p for p in endpoint["parameters"] if p["name"] == "status")
+    assert status_param["in"] == "query"
+
+
+def test_extract_full_endpoint_schema_path_param(cli_module, petstore_spec):
+    """Should extract path parameters from petstore spec."""
+    endpoint = cli_module.extract_full_endpoint_schema(petstore_spec, "getPetById")
+    assert endpoint is not None
+    assert endpoint["method"] == "GET"
+    assert "/pet/{petId}" == endpoint["path"]
+    param_names = [p["name"] for p in endpoint["parameters"]]
+    assert "petId" in param_names
+    pet_id_param = next(p for p in endpoint["parameters"] if p["name"] == "petId")
+    assert pet_id_param["in"] == "path"
+
+
+def test_extract_full_endpoint_schema_with_request_body(cli_module, petstore_spec):
+    """Should detect requestBody on POST endpoints."""
+    endpoint = cli_module.extract_full_endpoint_schema(petstore_spec, "addPet")
+    assert endpoint is not None
+    assert endpoint["method"] == "POST"
+    assert endpoint["requestBody"] is not None