Conversation
Reverts the oauth2 security scheme that #2961 added to the public OpenAPI spec. That change put two auth methods (apikey + oauth2) on every endpoint, which made Speakeasy's mcp-typescript generator drop ~300 of ~335 MCP tools on every nightly run — it cannot emit a tool when an operation declares more than one security scheme. The nightly regen kept opening "Update SDK" PRs that would gut the published @trycompai/mcp-server if merged. This removes ONLY the oauth2 scheme + the per-op oauth2 entries; the packages/docs/openapi.json diff is a pure inverse of #2961 (936 deletions, no other endpoint touched). public-docs-metadata.ts is restored byte-for-byte to its pre-#2961 state. All the actual OAuth work (better-auth provider, guards, McpOrgBinding, org picker from #2955) is UNTOUCHED and stays intact. Keyless OAuth will be wired at the hosting layer (self-host or Speakeasy Enterprise), never in the base spec. Adds a guardrail test in openapi-docs.spec.ts that fails if any operation ever declares more than one security scheme again, so this regression cannot silently recur. Note: an unrelated, pre-existing test ("curates high-value API pages" / expects "SOC 2" in the /v1/policies description) fails on main too — that description changed and the SEO assertion is stale. Left as-is to keep this revert surgical. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…e-generator fix(api): revert oauth2 spec scheme to restore the MCP generator
|
The latest updates on your projects. Learn more about Vercel for GitHub.
2 Skipped Deployments
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
|
🎉 This PR is included in version 3.70.3 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Reverts OAuth2 from the public OpenAPI spec to restore MCP tool generation and unblock nightly SDK runs. Adds a guardrail test to ensure every operation uses a single auth scheme while keeping API key gating.
apikey.packages/docs/openapi.jsonto reflect the revert; no endpoints changed beyond removing OAuth2.Written for commit ccb6edc. Summary will update on new commits.