Add generate mode, strict linting, policy controls, transforms, and CI hardening

Author: haasonsaas

.github/workflows/ci.yml

@@ -8,13 +8,18 @@ on:
 jobs:
   test:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version: [20, 22]
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: ${{ matrix.node-version }}
           cache: npm
       - run: npm ci
       - run: npm run check
+      - run: npm run build
       - run: npm test
       - run: npm run smoke

.github/workflows/release.yml

@@ -17,8 +17,10 @@ jobs:
           node-version: 20
           cache: npm
       - run: npm ci
+      - run: npm run check
       - run: npm run build
       - run: npm test
+      - run: npm run smoke
       - run: npm pack
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v2

README.md

@@ -18,10 +18,24 @@ OpenAPI 3.x to MCP server bridge in TypeScript.
   - AJV JSON Schema validation
   - Response schema validation by HTTP status
 - Typed TypeScript implementation
+- Strict lint mode for OpenAPI quality gates (`--strict`)
+- Configurable tool naming template (`--tool-name-template`)
+- Policy engine:
+  - allow/deny tool patterns
+  - allow methods/path prefixes
+  - allow hosts
+- Optional response transform hook (`--response-transform <module>`)
 - Multiple transports:
   - `stdio`
   - `streamable-http` (Hono)
   - `sse` (legacy compatibility transport)
+- Transport hardening:
+  - graceful shutdown
+  - SSE session caps/TTL
+- Observability:
+  - Prometheus metrics
+  - status counters
+  - latency histogram buckets
 - Built-in browser test clients:
   - `/test/streamable`
   - `/test/sse`
@@ -79,12 +93,16 @@ Endpoints:
 ```bash
 mcp-openapi --spec <openapi-file> [options]
 mcp-openapi init [dir]
+mcp-openapi generate --spec <openapi-file> [--out-dir ./generated]
 ```
 
 Options:
 
 - `--server-url <url>`
 - `--cache-path <file>`
+- `--out-dir <dir>`
+- `--strict`
+- `--tool-name-template <template>`
 - `--print-tools`
 - `--validate-spec`
 - `--transport stdio|streamable-http|sse`
@@ -96,6 +114,27 @@ Options:
 - `--max-response-bytes <n>`
 - `--max-concurrency <n>`
 - `--allow-hosts host1,host2`
+- `--allow-tools pattern1,pattern2`
+- `--deny-tools pattern1,pattern2`
+- `--allow-methods GET,POST`
+- `--allow-path-prefixes /v1,/public`
+- `--response-transform <module-path>`
+- `--sse-max-sessions <n>`
+- `--sse-session-ttl-ms <ms>`
+
+Template placeholders for `--tool-name-template`:
+- `{operationId}`
+- `{method}`
+- `{path}`
+- `{tag}`
+
+Response transform module example:
+
+```js
+export default function transform({ operation, response }) {
+  return { ...response.body, transformedBy: operation.operationId };
+}
+```
 
 ## Auth env vars
 

src/compile-cache.ts

@@ -3,17 +3,22 @@ import { mkdir, readFile, writeFile } from "node:fs/promises";
 import { dirname, resolve } from "node:path";
 import { compileOperations } from "./compiler.js";
 import { loadOpenApiDocument } from "./openapi.js";
-import type { OperationModel } from "./types.js";
+import type { CompileOptions, OperationModel } from "./types.js";
 
 interface CacheEntry {
   hash: string;
   operations: OperationModel[];
 }
 
-export async function loadFromCompileCache(specPath: string, serverUrl: string | undefined, cachePath: string): Promise<Map<string, OperationModel> | null> {
+export async function loadFromCompileCache(
+  specPath: string,
+  serverUrl: string | undefined,
+  cachePath: string,
+  options: CompileOptions = {}
+): Promise<Map<string, OperationModel> | null> {
   try {
     const doc = await loadOpenApiDocument(specPath);
-    const hash = computeHash({ doc, serverUrl });
+    const hash = computeHash({ doc, serverUrl, options });
     const raw = await readFile(resolve(cachePath), "utf8");
     const parsed = JSON.parse(raw) as CacheEntry;
     if (parsed.hash !== hash) {
@@ -26,16 +31,21 @@ export async function loadFromCompileCache(specPath: string, serverUrl: string |
   }
 }
 
-export async function compileWithCache(specPath: string, serverUrl: string | undefined, cachePath: string): Promise<Map<string, OperationModel>> {
-  const cached = await loadFromCompileCache(specPath, serverUrl, cachePath);
+export async function compileWithCache(
+  specPath: string,
+  serverUrl: string | undefined,
+  cachePath: string,
+  options: CompileOptions = {}
+): Promise<Map<string, OperationModel>> {
+  const cached = await loadFromCompileCache(specPath, serverUrl, cachePath, options);
   if (cached) {
     return cached;
   }
 
   const doc = await loadOpenApiDocument(specPath);
-  const operations = compileOperations(doc, serverUrl);
+  const operations = compileOperations(doc, serverUrl, options);
   const entry: CacheEntry = {
-    hash: computeHash({ doc, serverUrl }),
+    hash: computeHash({ doc, serverUrl, options }),
     operations: [...operations.values()]
   };
 

src/compiler.ts

@@ -1,8 +1,8 @@
-import type { AuthRequirement, JsonSchema, OperationModel, ParameterSpec, SecurityScheme, ToolAnnotations } from "./types.js";
+import type { AuthRequirement, CompileOptions, JsonSchema, OperationModel, ParameterSpec, SecurityScheme, ToolAnnotations } from "./types.js";
 
 const HTTP_METHODS = new Set(["get", "post", "put", "patch", "delete", "head", "options"]);
 
-export function compileOperations(doc: Record<string, unknown>, serverOverride?: string): Map<string, OperationModel> {
+export function compileOperations(doc: Record<string, unknown>, serverOverride?: string, options: CompileOptions = {}): Map<string, OperationModel> {
   const rootServers = getServerUrls(doc, serverOverride);
   const paths = (doc.paths ?? {}) as Record<string, unknown>;
   const globalSecurity = normalizeSecurity(doc.security);
@@ -25,7 +25,7 @@ export function compileOperations(doc: Record<string, unknown>, serverOverride?:
       }
 
       const operation = rawOperation as Record<string, unknown>;
-      const operationId = getOperationId(operation, method, pathTemplate, operations);
+      const operationId = getOperationId(operation, method, pathTemplate, operations, options.toolNameTemplate);
       const operationParameters = normalizeParameters(operation.parameters);
       const mergedParameters = mergeParameters(pathParameters, operationParameters);
       const requestBody = normalizeRequestBody(operation.requestBody);
@@ -40,6 +40,7 @@ export function compileOperations(doc: Record<string, unknown>, serverOverride?:
       const model: OperationModel = {
         operationId,
         title: typeof operation.summary === "string" ? operation.summary : undefined,
+        tags: Array.isArray(operation.tags) ? operation.tags.filter((x): x is string => typeof x === "string") : undefined,
         method: method.toUpperCase(),
         pathTemplate,
         description: String(operation.description ?? operation.summary ?? `${method.toUpperCase()} ${pathTemplate}`),
@@ -222,15 +223,29 @@ function getOperationId(
   operation: Record<string, unknown>,
   method: string,
   pathTemplate: string,
-  existing: Map<string, OperationModel>
+  existing: Map<string, OperationModel>,
+  toolNameTemplate?: string
 ): string {
   const rawId = typeof operation.operationId === "string" ? operation.operationId : undefined;
-  const fallback = `${method}_${pathTemplate}`
+  const pathName = `${method}_${pathTemplate}`
     .replace(/[{}]/g, "")
     .replace(/[^a-zA-Z0-9_-]+/g, "_")
     .replace(/^_+|_+$/g, "");
-
-  let id = normalizeToolName(rawId ?? (fallback || "operation"));
+  const tagName =
+    Array.isArray(operation.tags) && typeof operation.tags[0] === "string"
+      ? String(operation.tags[0]).replace(/[^a-zA-Z0-9_-]+/g, "_")
+      : "";
+  const fallback = pathName || "operation";
+
+  const template = typeof toolNameTemplate === "string" && toolNameTemplate.trim() ? toolNameTemplate : "{operationId}";
+  const renderedTemplate = template
+    .replaceAll("{operationId}", rawId ?? "")
+    .replaceAll("{method}", method)
+    .replaceAll("{path}", pathName)
+    .replaceAll("{tag}", tagName)
+    .trim();
+
+  let id = normalizeToolName(renderedTemplate || rawId || fallback);
   let i = 1;
   while (existing.has(id)) {
     i += 1;

src/http.ts

@@ -669,7 +669,14 @@ function withRuntimeDefaults(runtime: RuntimeOptions | Partial<RuntimeOptions>):
     retryDelayMs: runtime.retryDelayMs ?? 500,
     maxResponseBytes: runtime.maxResponseBytes ?? 2_000_000,
     allowedHosts: runtime.allowedHosts ?? [],
-    maxConcurrency: runtime.maxConcurrency ?? 8
+    maxConcurrency: runtime.maxConcurrency ?? 8,
+    allowToolPatterns: runtime.allowToolPatterns ?? [],
+    denyToolPatterns: runtime.denyToolPatterns ?? [],
+    allowedMethods: runtime.allowedMethods ?? [],
+    allowedPathPrefixes: runtime.allowedPathPrefixes ?? [],
+    responseTransformModule: runtime.responseTransformModule,
+    sseMaxSessions: runtime.sseMaxSessions ?? 100,
+    sseSessionTtlMs: runtime.sseSessionTtlMs ?? 300_000
   };
 }
 

src/lint.ts

@@ -0,0 +1,154 @@
+import type { CompileOptions, LintDiagnostic } from "./types.js";
+
+const HTTP_METHODS = new Set(["get", "post", "put", "patch", "delete", "head", "options"]);
+const SUPPORTED_REQUEST_MEDIA_TYPES = new Set([
+  "application/json",
+  "application/*+json",
+  "multipart/form-data",
+  "application/x-www-form-urlencoded",
+  "application/octet-stream",
+  "text/plain"
+]);
+
+export function lintOpenApiDocument(doc: Record<string, unknown>, options: CompileOptions = {}): LintDiagnostic[] {
+  const diagnostics: LintDiagnostic[] = [];
+  const strict = Boolean(options.strict);
+
+  const version = String(doc.openapi ?? "");
+  if (!/^3\./.test(version)) {
+    diagnostics.push({
+      level: strict ? "error" : "warning",
+      code: "OPENAPI_VERSION",
+      message: `Expected OpenAPI 3.x, got: ${version || "<missing>"}`,
+      location: "openapi"
+    });
+  }
+
+  const servers = Array.isArray(doc.servers) ? doc.servers : [];
+  if (servers.length === 0) {
+    diagnostics.push({
+      level: strict ? "error" : "warning",
+      code: "SERVERS_MISSING",
+      message: "Document has no servers[]; use --server-url override.",
+      location: "servers"
+    });
+  } else {
+    for (let i = 0; i < servers.length; i += 1) {
+      const server = servers[i] as Record<string, unknown>;
+      if (!isObject(server) || typeof server["url"] !== "string" || !String(server["url"]).trim()) {
+        diagnostics.push({
+          level: strict ? "error" : "warning",
+          code: "SERVER_URL_INVALID",
+          message: "Server entry is missing a valid url.",
+          location: `servers[${i}]`
+        });
+      }
+    }
+  }
+
+  if (isObject(doc.webhooks) && Object.keys(doc.webhooks).length > 0) {
+    diagnostics.push({
+      level: "warning",
+      code: "WEBHOOKS_PRESENT",
+      message: "webhooks are present; they are not auto-exposed as tools by default.",
+      location: "webhooks"
+    });
+  }
+
+  const seenOperationIds = new Set<string>();
+  const paths = isObject(doc.paths) ? (doc.paths as Record<string, unknown>) : {};
+  for (const [path, rawPathItem] of Object.entries(paths)) {
+    if (!isObject(rawPathItem)) continue;
+    const pathItem = rawPathItem as Record<string, unknown>;
+
+    if (isObject(pathItem.callbacks) && Object.keys(pathItem.callbacks).length > 0) {
+      diagnostics.push({
+        level: "warning",
+        code: "CALLBACKS_PRESENT",
+        message: "Path callbacks are present; callback operations are not auto-exposed as tools.",
+        location: `paths.${path}.callbacks`
+      });
+    }
+
+    for (const [method, rawOperation] of Object.entries(pathItem)) {
+      if (!HTTP_METHODS.has(method) || !isObject(rawOperation)) continue;
+      const operation = rawOperation as Record<string, unknown>;
+      const opLocation = `paths.${path}.${method}`;
+
+      if (typeof operation.operationId !== "string" || !operation.operationId.trim()) {
+        diagnostics.push({
+          level: strict ? "error" : "warning",
+          code: "OPERATION_ID_MISSING",
+          message: `Missing operationId for ${method.toUpperCase()} ${path}.`,
+          location: opLocation
+        });
+      } else {
+        const id = operation.operationId.trim();
+        if (seenOperationIds.has(id)) {
+          diagnostics.push({
+            level: strict ? "error" : "warning",
+            code: "OPERATION_ID_DUPLICATE",
+            message: `Duplicate operationId: ${id}`,
+            location: `${opLocation}.operationId`
+          });
+        }
+        seenOperationIds.add(id);
+      }
+
+      const requestBody = operation.requestBody;
+      if (isObject(requestBody) && isObject((requestBody as Record<string, unknown>)["content"])) {
+        const content = (requestBody as Record<string, unknown>)["content"] as Record<string, unknown>;
+        const mediaTypes = Object.keys(content);
+        if (mediaTypes.length > 0 && !mediaTypes.some((x) => SUPPORTED_REQUEST_MEDIA_TYPES.has(x))) {
+          diagnostics.push({
+            level: strict ? "error" : "warning",
+            code: "REQUEST_MEDIA_TYPE_UNSUPPORTED",
+            message: `No supported request media type for ${method.toUpperCase()} ${path}.`,
+            location: `${opLocation}.requestBody.content`
+          });
+        }
+      }
+
+      const responses = isObject(operation.responses) ? (operation.responses as Record<string, unknown>) : {};
+      for (const [status, response] of Object.entries(responses)) {
+        if (isObject(response) && isObject((response as Record<string, unknown>)["links"])) {
+          diagnostics.push({
+            level: "warning",
+            code: "LINKS_PRESENT",
+            message: "Response links are present; link relations are not translated into MCP tool semantics.",
+            location: `${opLocation}.responses.${status}.links`
+          });
+        }
+      }
+
+      const bodySchema = extractRequestSchema(operation);
+      if (isObject(bodySchema) && Array.isArray((bodySchema as Record<string, unknown>)["oneOf"])) {
+        const discriminator = (bodySchema as Record<string, unknown>)["discriminator"];
+        if (!isObject(discriminator)) {
+          diagnostics.push({
+            level: "warning",
+            code: "ONEOF_NO_DISCRIMINATOR",
+            message: "oneOf schema without discriminator can be ambiguous for runtime validation.",
+            location: `${opLocation}.requestBody`
+          });
+        }
+      }
+    }
+  }
+
+  return diagnostics;
+}
+
+function isObject(value: unknown): value is object {
+  return value !== null && typeof value === "object";
+}
+
+function extractRequestSchema(operation: Record<string, unknown>): unknown {
+  const requestBody = operation["requestBody"];
+  if (!isObject(requestBody)) return undefined;
+  const content = (requestBody as Record<string, unknown>)["content"];
+  if (!isObject(content)) return undefined;
+  const first = Object.values(content as Record<string, unknown>)[0];
+  if (!isObject(first)) return undefined;
+  return (first as Record<string, unknown>)["schema"];
+}