Harden spec loading and compile cache

Author: haasonsaas

src/compile-cache.ts

@@ -5,6 +5,8 @@ import { compileOperations } from "./compiler.js";
 import { loadOpenApiDocument } from "./openapi.js";
 import type { CompileOptions, OperationModel } from "./types.js";
 
+const CACHE_FORMAT_VERSION = 2;
+
 interface CacheEntry {
   hash: string;
   operations: OperationModel[];
@@ -17,8 +19,7 @@ export async function loadFromCompileCache(
   options: CompileOptions = {}
 ): Promise<Map<string, OperationModel> | null> {
   try {
-    const doc = await loadOpenApiDocument(specPath);
-    const hash = computeHash({ doc, serverUrl, options });
+    const hash = await computeSpecInputHash(specPath, serverUrl, options);
     const raw = await readFile(resolve(cachePath), "utf8");
     const parsed = JSON.parse(raw) as CacheEntry;
     if (parsed.hash !== hash) {
@@ -37,15 +38,26 @@ export async function compileWithCache(
   cachePath: string,
   options: CompileOptions = {}
 ): Promise<Map<string, OperationModel>> {
-  const cached = await loadFromCompileCache(specPath, serverUrl, cachePath, options);
+  const doc = await loadOpenApiDocument(specPath);
+  return compileDocumentWithCache(doc, specPath, serverUrl, cachePath, options);
+}
+
+export async function compileDocumentWithCache(
+  doc: Record<string, unknown>,
+  specPath: string,
+  serverUrl: string | undefined,
+  cachePath: string,
+  options: CompileOptions = {}
+): Promise<Map<string, OperationModel>> {
+  const hash = await computeSpecInputHash(specPath, serverUrl, options);
+  const cached = await readCacheEntry(cachePath, hash);
   if (cached) {
     return cached;
   }
 
-  const doc = await loadOpenApiDocument(specPath);
   const operations = compileOperations(doc, serverUrl, options);
   const entry: CacheEntry = {
-    hash: computeHash({ doc, serverUrl, options }),
+    hash,
     operations: [...operations.values()]
   };
 
@@ -56,6 +68,34 @@ export async function compileWithCache(
   return operations;
 }
 
+async function readCacheEntry(cachePath: string, hash: string): Promise<Map<string, OperationModel> | null> {
+  try {
+    const raw = await readFile(resolve(cachePath), "utf8");
+    const parsed = JSON.parse(raw) as CacheEntry;
+    if (parsed.hash !== hash) {
+      return null;
+    }
+
+    return new Map(parsed.operations.map((op) => [op.operationId, op]));
+  } catch {
+    return null;
+  }
+}
+
+async function computeSpecInputHash(
+  specPath: string,
+  serverUrl: string | undefined,
+  options: CompileOptions
+): Promise<string> {
+  const rawSpec = await readFile(resolve(specPath), "utf8");
+  return computeHash({
+    cacheFormatVersion: CACHE_FORMAT_VERSION,
+    rawSpec,
+    serverUrl,
+    options
+  });
+}
+
 function computeHash(value: unknown): string {
   return createHash("sha256").update(JSON.stringify(value)).digest("hex");
 }

src/lint.ts

@@ -55,6 +55,8 @@ export function lintOpenApiDocument(doc: Record<string, unknown>, options: Compi
     });
   }
 
+  collectBrokenInternalRefDiagnostics(doc, doc, diagnostics);
+
   const seenOperationIds = new Set<string>();
   const paths = isObject(doc.paths) ? (doc.paths as Record<string, unknown>) : {};
   for (const [path, rawPathItem] of Object.entries(paths)) {
@@ -139,6 +141,70 @@ export function lintOpenApiDocument(doc: Record<string, unknown>, options: Compi
   return diagnostics;
 }
 
+function collectBrokenInternalRefDiagnostics(
+  value: unknown,
+  root: Record<string, unknown>,
+  diagnostics: LintDiagnostic[],
+  location = "$"
+): void {
+  if (Array.isArray(value)) {
+    for (let index = 0; index < value.length; index += 1) {
+      collectBrokenInternalRefDiagnostics(value[index], root, diagnostics, `${location}[${index}]`);
+    }
+    return;
+  }
+
+  if (!isObject(value)) {
+    return;
+  }
+
+  const record = value as Record<string, unknown>;
+  const ref = typeof record["$ref"] === "string" ? record["$ref"] : undefined;
+  if (ref?.startsWith("#/") && resolveJsonPointer(root, ref) === undefined) {
+    diagnostics.push({
+      level: "warning",
+      code: "BROKEN_INTERNAL_REF",
+      message: `Broken internal $ref: ${ref}`,
+      location: `${location}.$ref`
+    });
+  }
+
+  for (const [key, child] of Object.entries(record)) {
+    collectBrokenInternalRefDiagnostics(child, root, diagnostics, `${location}.${key}`);
+  }
+}
+
+function resolveJsonPointer(root: unknown, ref: string): unknown {
+  if (ref === "#") {
+    return root;
+  }
+
+  const tokens = ref
+    .slice(2)
+    .split("/")
+    .map((token) => token.replace(/~1/g, "/").replace(/~0/g, "~"));
+
+  let current: unknown = root;
+  for (const token of tokens) {
+    if (Array.isArray(current)) {
+      const index = Number.parseInt(token, 10);
+      if (!Number.isFinite(index)) {
+        return undefined;
+      }
+      current = current[index];
+      continue;
+    }
+
+    if (!isObject(current)) {
+      return undefined;
+    }
+
+    current = (current as Record<string, unknown>)[token];
+  }
+
+  return current;
+}
+
 function isObject(value: unknown): value is object {
   return value !== null && typeof value === "object";
 }

src/openapi.ts

@@ -18,7 +18,7 @@ export async function loadOpenApiDocument(specPath: string): Promise<Record<stri
     validateShape(dereferenced as Record<string, unknown>, absPath);
     return dereferenced as Record<string, unknown>;
   } catch (error) {
-    if (!isMissingPointerError(error)) {
+    if (!isInternalMissingPointerError(error)) {
       throw error;
     }
 
@@ -184,13 +184,18 @@ function mergeObjects(base: Record<string, unknown>, overlay: Record<string, unk
   return merged;
 }
 
-function isMissingPointerError(error: unknown): boolean {
+function isInternalMissingPointerError(error: unknown): boolean {
   if (!error || typeof error !== "object") {
     return false;
   }
 
-  const candidate = error as { code?: unknown; name?: unknown };
-  return candidate.code === "EMISSINGPOINTER" || candidate.name === "MissingPointerError";
+  const candidate = error as { code?: unknown; name?: unknown; targetRef?: unknown };
+  const isMissingPointer = candidate.code === "EMISSINGPOINTER" || candidate.name === "MissingPointerError";
+  if (!isMissingPointer) {
+    return false;
+  }
+
+  return typeof candidate.targetRef === "string" && candidate.targetRef.startsWith("#");
 }
 
 function isRecord(value: unknown): value is Record<string, unknown> {

src/server.ts

@@ -25,7 +25,7 @@ import { paginateWithCursor } from "./pagination.js";
 import { observeLatency, observeStatus, renderPrometheus, metrics } from "./metrics.js";
 import type { CompileOptions, OperationModel, RuntimeOptions } from "./types.js";
 import { zodFromJsonSchema } from "./zod-schema.js";
-import { compileWithCache } from "./compile-cache.js";
+import { compileDocumentWithCache } from "./compile-cache.js";
 import { lintOpenApiDocument } from "./lint.js";
 import { loadOpenApiDocument } from "./openapi.js";
 
@@ -487,7 +487,7 @@ async function loadRuntimeState(specPath: string, serverUrl: string | undefined,
     process.stderr.write(`${warnings.map((d) => `Warning [${d.code}] ${d.message}${d.location ? ` (${d.location})` : ""}`).join("\n")}\n`);
   }
 
-  const operations = await compileWithCache(specPath, serverUrl, cachePath, compile);
+  const operations = await compileDocumentWithCache(doc, specPath, serverUrl, cachePath, compile);
   const validators = buildValidators(operations);
   return { operations, validators };
 }

test/compile-cache.test.ts

@@ -0,0 +1,94 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import { mkdtemp, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { compileDocumentWithCache } from "../src/compile-cache.js";
+import { loadOpenApiDocument } from "../src/openapi.js";
+
+test("compileDocumentWithCache keys cache off spec contents, not mutated in-memory docs", async (t) => {
+  const dir = await mkdtemp(join(tmpdir(), "mcp-openapi-cache-"));
+  t.after(async () => {
+    await rm(dir, { recursive: true, force: true });
+  });
+
+  const specPath = join(dir, "spec.json");
+  const cachePath = join(dir, "compile-cache.json");
+  const spec = {
+    openapi: "3.0.3",
+    info: { title: "Cache test", version: "1.0.0" },
+    servers: [{ url: "https://api.example.com" }],
+    paths: {
+      "/widgets": {
+        get: {
+          operationId: "listWidgets",
+          responses: {
+            "200": { description: "ok" }
+          }
+        }
+      }
+    }
+  };
+
+  await writeFile(specPath, JSON.stringify(spec), "utf8");
+
+  const doc = await loadOpenApiDocument(specPath);
+  const first = await compileDocumentWithCache(doc, specPath, undefined, cachePath);
+  assert.deepEqual([...first.keys()], ["listWidgets"]);
+
+  const mutatedDoc = structuredClone(doc);
+  delete ((mutatedDoc.paths as Record<string, unknown>)["/widgets"] as Record<string, unknown>).get;
+
+  const second = await compileDocumentWithCache(mutatedDoc, specPath, undefined, cachePath);
+  assert.deepEqual([...second.keys()], ["listWidgets"]);
+});
+
+test("compileDocumentWithCache invalidates when spec contents change", async (t) => {
+  const dir = await mkdtemp(join(tmpdir(), "mcp-openapi-cache-"));
+  t.after(async () => {
+    await rm(dir, { recursive: true, force: true });
+  });
+
+  const specPath = join(dir, "spec.json");
+  const cachePath = join(dir, "compile-cache.json");
+  const initialSpec = {
+    openapi: "3.0.3",
+    info: { title: "Cache test", version: "1.0.0" },
+    servers: [{ url: "https://api.example.com" }],
+    paths: {
+      "/widgets": {
+        get: {
+          operationId: "listWidgets",
+          responses: {
+            "200": { description: "ok" }
+          }
+        }
+      }
+    }
+  };
+
+  await writeFile(specPath, JSON.stringify(initialSpec), "utf8");
+
+  const firstDoc = await loadOpenApiDocument(specPath);
+  const first = await compileDocumentWithCache(firstDoc, specPath, undefined, cachePath);
+  assert.deepEqual([...first.keys()], ["listWidgets"]);
+
+  const updatedSpec = {
+    ...initialSpec,
+    paths: {
+      "/gadgets": {
+        post: {
+          operationId: "createGadget",
+          responses: {
+            "201": { description: "created" }
+          }
+        }
+      }
+    }
+  };
+  await writeFile(specPath, JSON.stringify(updatedSpec), "utf8");
+
+  const secondDoc = await loadOpenApiDocument(specPath);
+  const second = await compileDocumentWithCache(secondDoc, specPath, undefined, cachePath);
+  assert.deepEqual([...second.keys()], ["createGadget"]);
+});

test/lint.test.ts

@@ -47,3 +47,49 @@ test("lintOpenApiDocument warns on unsupported request media type", () => {
   const diagnostics = lintOpenApiDocument(doc, { strict: false });
   assert.ok(diagnostics.some((d) => d.code === "REQUEST_MEDIA_TYPE_UNSUPPORTED"));
 });
+
+test("lintOpenApiDocument warns on broken internal refs", () => {
+  const doc = {
+    openapi: "3.0.3",
+    servers: [{ url: "https://api.example.com" }],
+    paths: {
+      "/widgets": {
+        get: {
+          operationId: "listWidgets",
+          responses: {
+            "200": {
+              description: "ok",
+              content: {
+                "application/json": {
+                  schema: { $ref: "#/components/schemas/WidgetList" }
+                }
+              }
+            }
+          }
+        }
+      }
+    },
+    components: {
+      schemas: {
+        WidgetList: {
+          type: "object",
+          properties: {
+            items: {
+              type: "array",
+              items: { $ref: "#/components/schemas/MissingWidget" }
+            }
+          }
+        }
+      }
+    }
+  } as Record<string, unknown>;
+
+  const diagnostics = lintOpenApiDocument(doc, { strict: false });
+  assert.ok(
+    diagnostics.some(
+      (d) =>
+        d.code === "BROKEN_INTERNAL_REF" &&
+        d.location === "$.components.schemas.WidgetList.properties.items.items.$ref"
+    )
+  );
+});

test/openapi.test.ts

@@ -106,3 +106,41 @@ test("loadOpenApiDocument tolerates missing internal refs while preserving valid
   );
   assert.ok(op.successResponseSchema);
 });
+
+test("loadOpenApiDocument still fails on missing external refs", async (t) => {
+  const dir = await mkdtemp(join(tmpdir(), "mcp-openapi-"));
+  t.after(async () => {
+    await rm(dir, { recursive: true, force: true });
+  });
+
+  const specPath = join(dir, "missing-external-ref.json");
+  const spec = {
+    openapi: "3.0.3",
+    info: {
+      title: "Missing external ref",
+      version: "1.0.0"
+    },
+    servers: [{ url: "https://api.example.com" }],
+    paths: {
+      "/widgets": {
+        get: {
+          operationId: "listWidgets",
+          responses: {
+            "200": {
+              description: "ok",
+              content: {
+                "application/json": {
+                  schema: { $ref: "./schemas.json#/WidgetList" }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  };
+
+  await writeFile(specPath, JSON.stringify(spec), "utf8");
+
+  await assert.rejects(() => loadOpenApiDocument(specPath));
+});