Lines 191-231javascript
192 /** Default-deny policy for ops with no required-authorities (C1/C3). */
193 get unprotectedOps() {
194 return this.options.unprotectedOps;
197var SkilledOpenApiCredentialResolver = class {
200// plugins/plugin-skilled-openapi/src/skilled-openapi.types.ts
201import { bundleSourceSchema, signatureKeySchema } from "@frontmcp/adapters/skills";
202import { z } from "@frontmcp/lazy-zod";
204 bundleSourceSchema as bundleSourceSchema2,
207 signatureKeySchema as signatureKeySchema2,
209} from "@frontmcp/adapters/skills";
210var outboundOptionsSchema = z.object({
212 * Allow outbound connections to private/loopback/link-local IPs.
213 * MUST stay false in production. Set true only for self-hosted scenarios
HighCloud Metadata Access
Source reaches cloud instance metadata or link-local credential endpoints.
esm/index.mjsView on unpkg · L211 214 * where the customer's REST API legitimately lives on a private network.
216 allowPrivateNetworks: z.boolean().default(false),
217 /** Optional egress proxy URL (honors HTTPS_PROXY env if not set). */
218 egressProxy: z.string().url().optional(),
219 /** Per-host concurrent request cap. */
220 maxConcurrencyPerHost: z.number().int().positive().default(10),
221 /** Default per-op HTTP timeout in milliseconds. */
222 defaultTimeoutMs: z.number().int().positive().default(3e4),
223 /** Default response size cap in bytes. Per-op overrides apply. */
224 defaultMaxResponseBytes: z.number().int().positive().default(256 * 1024),
226 * Permit `http:` URLs in addition to `https:`. Off by default; only enable
227 * for local dev where the mock REST server doesn't have a TLS cert.
229 allowHttp: z.boolean().default(false)
231 allowPrivateNetworks: false,