fix: OpenAPI extractor correctness and pipeline robustness

Co-Authored-By: Claude <noreply@anthropic.com>

Author: salmad3

CHANGELOG.md

@@ -49,7 +49,7 @@ Initial public release.
 - SafeHtml branded types with DOMPurify sanitization
 - Input validation at system boundaries
 - Rate limiting on MCP server
-- CSP headers on rendered output
+- Symlink traversal prevention via `followSymbolicLinks: false` on file discovery
 
 ### Design System
 

packages/agent-metadata/src/emitters/agent-skills.ts

@@ -25,7 +25,22 @@ export function emitAgentSkills(
   _config: AgentMetadataConfig,
 ): AgentSkillsOutput {
   const relationships = metadata.relationships ?? [];
-  const skills = deriveSkills(metadata, relationships);
+  const rawSkills = deriveSkills(metadata, relationships);
+
+  // Filter prerequisites and composesWith to reference only emitted skills.
+  // Prevents phantom references to skills like "openapisecurity" that have
+  // no corresponding document.
+  const skillIds = new Set(rawSkills.map((s) => s.id));
+  const skills = rawSkills.map((s) => ({
+    ...s,
+    prerequisites: s.prerequisites?.filter((id) => skillIds.has(id)),
+    composesWith: s.composesWith?.filter((id) => skillIds.has(id)),
+  })).map((s) => ({
+    ...s,
+    prerequisites: s.prerequisites && s.prerequisites.length > 0 ? s.prerequisites : undefined,
+    composesWith: s.composesWith && s.composesWith.length > 0 ? s.composesWith : undefined,
+  }));
+
   const edges = deriveEdges(relationships, skills);
 
   return {
@@ -135,10 +150,13 @@ function deriveEdges(
 
 
 function makeSkillId(filePath: string): string {
+  // Preserve directory separators as distinct from hyphens in filenames
+  // to prevent collisions: docs/auth/setup.md → auth--setup
+  // while docs/auth-setup.md → auth-setup
   return filePath
     .replace(/^.*?docs\//, '')
     .replace(/\.(kd|kdx|md|mdx|adoc|rst)$/, '')
-    .replace(/\//g, '-')
+    .replace(/\//g, '--')
     .replace(/[^a-z0-9-]/gi, '')
     .replace(/^-+|-+$/g, '')
     || 'index';
@@ -159,8 +177,12 @@ function groupRelationshipsBySource(
 ): ReadonlyMap<string, readonly ExtractedRelationship[]> {
   const map = new Map<string, ExtractedRelationship[]>();
   for (const rel of relationships) {
-    const existing = map.get(rel.sourceDocPath) ?? [];
-    map.set(rel.sourceDocPath, [...existing, rel]);
+    let group = map.get(rel.sourceDocPath);
+    if (!group) {
+      group = [];
+      map.set(rel.sourceDocPath, group);
+    }
+    group.push(rel);
   }
   return map;
 }

packages/agent-metadata/src/emitters/index.ts

@@ -68,11 +68,7 @@ const ALL_EMITTERS: readonly EmitterName[] = [
   'agent-skills',
 ];
 
-/**
- * Default emitters for the reformed pipeline.
- * llms.txt is excluded: SE Ranking 300K-domain study showed zero
- * correlation with AI citations. Opt-in only.
- */
+/** Default emitters. All formats enabled; configure via AgentMetadataConfig.emitters to restrict. */
 const DEFAULT_EMITTERS: readonly EmitterName[] = [
   'a2a',
   'agents-json',

packages/agent-metadata/src/extractors/index.ts

@@ -10,12 +10,14 @@ import type { ExtractedMetadata, ExtractedRelationship, DocumentMetadata } from
 import { extractDocumentMetadata } from './document.js';
 import { extractRelationships } from './relationships.js';
 import { extractFromOpenApi } from './openapi.js';
+import { linkSpecAndProse } from './spec-prose-linker.js';
 
 export { extractInlineText, extractBlockText, estimateTokens, countWords } from './text.js';
 export { extractDocumentMetadata } from './document.js';
 export { inferAnnotations } from './infer-annotations.js';
 export { extractRelationships } from './relationships.js';
 export { extractFromOpenApi } from './openapi.js';
+export { linkSpecAndProse } from './spec-prose-linker.js';
 
 export interface ExtractAllOptions {
   /** Raw OpenAPI spec objects to extract alongside documentation. */
@@ -41,9 +43,16 @@ export function extractAll(
     specRelationships.push(...extracted.relationships);
   }
 
+  const allDocs = [...docs, ...specDocs];
+
+  // Cross-reference prose and spec documents when both exist
+  const crossSourceLinks = specDocs.length > 0
+    ? linkSpecAndProse(allDocs)
+    : [];
+
   return {
-    documents: [...docs, ...specDocs],
-    relationships: [...proseRelationships, ...specRelationships],
+    documents: allDocs,
+    relationships: [...proseRelationships, ...specRelationships, ...crossSourceLinks],
     siteTitle: config.title,
     siteUrl: config.siteUrl,
     baseUrl: config.baseUrl ?? '/',

packages/agent-metadata/src/extractors/openapi.test.ts

@@ -149,11 +149,12 @@ describe('OpenAPI extractor', () => {
     expect(depends.every((r) => r.targetSection.includes('api_key'))).toBe(true);
   });
 
-  it('extracts supersedes edges for deprecated operations', () => {
+  it('extracts constrains edges for deprecated operations', () => {
     const { relationships } = extractFromOpenApi(PETSTORE_SPEC as any);
-    const supersedes = relationships.filter((r) => r.type === 'supersedes');
-    expect(supersedes).toHaveLength(1);
-    expect(supersedes[0]!.sourceSection).toBe('GET /pet/{id}');
+    const deprecated = relationships.filter((r) => r.type === 'constrains' && r.evidence.includes('deprecated'));
+    expect(deprecated).toHaveLength(1);
+    expect(deprecated[0]!.sourceSection).toBe('GET /pet/{id}');
+    expect(deprecated[0]!.targetSection).toBe('[deprecated]');
   });
 
   it('extracts schema references via star topology with direct refs', () => {
@@ -187,7 +188,7 @@ describe('OpenAPI extractor', () => {
   it('produces all relationships at confidence 1.0 (structurally explicit)', () => {
     const { relationships } = extractFromOpenApi(PETSTORE_SPEC as any);
     const nonPerfect = relationships.filter(
-      (r) => r.confidence !== 1.0 && r.type !== 'supersedes',
+      (r) => r.confidence !== 1.0,
     );
     expect(nonPerfect).toHaveLength(0);
   });

packages/agent-metadata/src/extractors/openapi.ts

@@ -133,6 +133,14 @@ export function extractFromOpenApi(
   readonly documents: readonly DocumentMetadata[];
   readonly relationships: readonly ExtractedRelationship[];
 } {
+  // Validate minimum spec structure to prevent TypeError on malformed input
+  if (!spec || typeof spec !== 'object') {
+    return { documents: [], relationships: [] };
+  }
+  if (!spec.info || typeof spec.info !== 'object') {
+    return { documents: [], relationships: [] };
+  }
+
   const operations = parseOperations(spec);
   const documents = groupOperationsIntoDocuments(operations, spec);
   const rawRelationships = extractSpecRelationships(operations, spec);
@@ -214,7 +222,7 @@ function parseOperations(spec: OpenApiSpec): readonly ParsedOperation[] {
   const operations: ParsedOperation[] = [];
   const globalSecurity = spec.security ?? [];
 
-  for (const [path, pathItem] of Object.entries(spec.paths ?? {})) {
+  for (const [path, pathItem] of Object.entries(spec.paths || {})) {
     for (const method of ['get', 'post', 'put', 'patch', 'delete', 'head', 'options']) {
       const op = (pathItem as Record<string, OperationObject | undefined>)[method];
       if (!op) continue;
@@ -484,18 +492,21 @@ function extractSpecRelationships(
     }
   }
 
-  // 4. Deprecated operations → supersedes
+  // 4. Deprecated operations → constrains
+  // Without a documented replacement endpoint, a supersedes edge has
+  // no valid target. Instead, emit a constraint noting the deprecation
+  // so downstream consumers (agent skills) can flag it.
   for (const op of operations) {
     if (op.deprecated) {
       const tag = op.tags[0] ?? 'default';
       relationships.push({
         sourceDocPath: `openapi:${tag}`,
         sourceSection: `${op.method} ${op.path}`,
         targetDocPath: `openapi:${tag}`,
-        targetSection: `${op.method} ${op.path}`,
-        type: 'supersedes',
-        confidence: 0.8,
-        evidence: `deprecated operation: ${op.operationId}`,
+        targetSection: `[deprecated]`,
+        type: 'constrains',
+        confidence: 1.0,
+        evidence: `deprecated: ${op.operationId} is marked for removal`,
       });
     }
   }

packages/agent-metadata/src/extractors/spec-prose-linker.test.ts

@@ -0,0 +1,183 @@
+import { describe, it, expect } from 'vitest';
+import { linkSpecAndProse } from './spec-prose-linker.js';
+import type { DocumentMetadata } from '../types.js';
+
+function makeDoc(overrides: Partial<DocumentMetadata> & { filePath: string }): DocumentMetadata {
+  return {
+    title: 'Untitled',
+    description: undefined,
+    frontmatter: {},
+    blocks: [],
+    crossRefs: [],
+    links: [],
+    wordCount: 0,
+    headings: [],
+    ...overrides,
+  };
+}
+
+describe('spec-prose linker', () => {
+  it('links prose to spec by endpoint mention in text', () => {
+    // Use a title that does NOT match the tag name to isolate endpoint matching
+    const docs: DocumentMetadata[] = [
+      makeDoc({
+        filePath: 'docs/api-integration.md',
+        title: 'API Integration Guide',
+        blocks: [{
+          id: 'b1',
+          type: 'guide',
+          textContent: 'Use POST /pet to add a new pet.',
+          annotations: { audience: 'human' as const },
+          codeBlocks: [],
+          sourcePath: 'docs/api-integration.md',
+        }],
+      }),
+      makeDoc({
+        filePath: 'openapi:pet',
+        title: 'API — pet',
+        blocks: [{
+          id: 'op1',
+          type: 'reference',
+          headingText: 'POST /pet',
+          textContent: 'Add a new pet',
+          annotations: { type: 'reference' as const, audience: 'agent' as const },
+          codeBlocks: [],
+          sourcePath: 'openapi:pet',
+        }],
+      }),
+    ];
+
+    const links = linkSpecAndProse(docs);
+    expect(links.length).toBe(1);
+    expect(links[0]!.sourceDocPath).toBe('docs/api-integration.md');
+    expect(links[0]!.targetDocPath).toBe('openapi:pet');
+    expect(links[0]!.type).toBe('composes_with');
+    expect(links[0]!.evidence).toContain('endpoint mention');
+  });
+
+  it('links prose to spec by title similarity', () => {
+    const docs: DocumentMetadata[] = [
+      makeDoc({
+        filePath: 'docs/payments.md',
+        title: 'Payments',
+        blocks: [{
+          id: 'b1',
+          type: 'guide',
+          textContent: 'This guide covers payment processing.',
+          annotations: {},
+          codeBlocks: [],
+          sourcePath: 'docs/payments.md',
+        }],
+      }),
+      makeDoc({
+        filePath: 'openapi:payments',
+        title: 'API — payments',
+        blocks: [],
+      }),
+    ];
+
+    const links = linkSpecAndProse(docs);
+    expect(links.length).toBe(1);
+    expect(links[0]!.evidence).toContain('title match');
+  });
+
+  it('returns empty when no specs present', () => {
+    const docs: DocumentMetadata[] = [
+      makeDoc({ filePath: 'docs/guide.md', title: 'Guide' }),
+    ];
+    expect(linkSpecAndProse(docs)).toEqual([]);
+  });
+
+  it('returns empty when no prose present', () => {
+    const docs: DocumentMetadata[] = [
+      makeDoc({ filePath: 'openapi:pet', title: 'Pet' }),
+    ];
+    expect(linkSpecAndProse(docs)).toEqual([]);
+  });
+
+  it('skips openapi:schemas and openapi:security documents', () => {
+    const docs: DocumentMetadata[] = [
+      makeDoc({
+        filePath: 'docs/auth.md',
+        title: 'Authentication',
+        blocks: [{
+          id: 'b1',
+          type: 'guide',
+          textContent: 'Configure security for your API.',
+          annotations: {},
+          codeBlocks: [],
+          sourcePath: 'docs/auth.md',
+        }],
+      }),
+      makeDoc({ filePath: 'openapi:schemas', title: 'Schemas' }),
+      makeDoc({ filePath: 'openapi:security', title: 'Security' }),
+    ];
+
+    const links = linkSpecAndProse(docs);
+    expect(links).toEqual([]);
+  });
+
+  it('links multiple prose docs to different spec tags', () => {
+    const docs: DocumentMetadata[] = [
+      makeDoc({
+        filePath: 'docs/pet-guide.md',
+        title: 'Pet Guide',
+        blocks: [{
+          id: 'b1',
+          type: 'guide',
+          textContent: 'Use GET /pet/findByStatus to search.',
+          annotations: {},
+          codeBlocks: [],
+          sourcePath: 'docs/pet-guide.md',
+        }],
+      }),
+      makeDoc({
+        filePath: 'docs/store-guide.md',
+        title: 'Store Guide',
+        blocks: [{
+          id: 'b2',
+          type: 'guide',
+          textContent: 'Check inventory with GET /store/inventory.',
+          annotations: {},
+          codeBlocks: [],
+          sourcePath: 'docs/store-guide.md',
+        }],
+      }),
+      makeDoc({
+        filePath: 'openapi:pet',
+        title: 'API — pet',
+        blocks: [{
+          id: 'op1',
+          type: 'reference',
+          headingText: 'GET /pet/findByStatus',
+          textContent: 'Find pets by status',
+          annotations: { type: 'reference' as const },
+          codeBlocks: [],
+          sourcePath: 'openapi:pet',
+        }],
+      }),
+      makeDoc({
+        filePath: 'openapi:store',
+        title: 'API — store',
+        blocks: [{
+          id: 'op2',
+          type: 'reference',
+          headingText: 'GET /store/inventory',
+          textContent: 'Returns pet inventories',
+          annotations: { type: 'reference' as const },
+          codeBlocks: [],
+          sourcePath: 'openapi:store',
+        }],
+      }),
+    ];
+
+    const links = linkSpecAndProse(docs);
+    expect(links.length).toBe(2);
+
+    const petLink = links.find((l) => l.sourceDocPath === 'docs/pet-guide.md');
+    const storeLink = links.find((l) => l.sourceDocPath === 'docs/store-guide.md');
+
+    expect(petLink?.targetDocPath).toBe('openapi:pet');
+    expect(storeLink?.targetDocPath).toBe('openapi:store');
+  });
+});