Add MCP client plan

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

MCP_CLIENT_PLAN.md

@@ -0,0 +1,27 @@
+# MCP Client Plan
+
+## Goal
+Add an MCP client mode to Yaak so users can connect to and debug MCP servers.
+
+## Core Design
+- **Protocol layer:** Implement JSON‑RPC framing, message IDs, and notifications as the common core.
+- **Transport interface:** Define an async trait with `connect`, `send`, `receive`, and `close` methods.
+- **Transports:**
+  - Start with **Standard I/O** for local development.
+  - Reuse the existing HTTP stack for **HTTP streaming** next.
+  - Leave hooks for **WebSocket** support later.
+
+## Integration
+- Register MCP as a new request type alongside REST, GraphQL, gRPC, and WebSocket.
+- Allow per‑request transport selection (stdio or HTTP).
+- Map inbound messages into a new MCP response model that feeds existing timeline and debug views.
+
+## Testing and Dog‑fooding
+- Convert Yaak's own MCP server to Standard I/O for local testing.
+- Use it internally to validate protocol behavior and message flow.
+- Add unit and integration tests for JSON‑RPC messaging and transport abstractions.
+
+## Future Refinements
+- Add WebSocket transport support once core paths are stable.
+- Extend timelines for protocol‑level visualization layered over raw transport events.
+- Implement version and capability negotiation between client and server.

crates-cli/yaak-cli/PLAN.md

@@ -0,0 +1,198 @@
+# CLI Command Architecture Plan
+
+## Goal
+
+Redesign the yaak-cli command structure to use a resource-oriented `<resource> <action>`
+pattern that scales well, is discoverable, and supports both human and LLM workflows.
+
+## Command Architecture
+
+### Design Principles
+
+- **Resource-oriented**: top-level commands are nouns, subcommands are verbs
+- **Polymorphic requests**: `request` covers HTTP, gRPC, and WebSocket — the CLI
+  resolves the type via `get_any_request` and adapts behavior accordingly
+- **Simple creation, full-fidelity via JSON**: human-friendly flags for basic creation,
+  `--json` for full control (targeted at LLM and scripting workflows)
+- **Runtime schema introspection**: `request schema` outputs JSON Schema for the request
+  models, with dynamic auth fields populated from loaded plugins at runtime
+- **Destructive actions require confirmation**: `delete` commands prompt for user
+  confirmation before proceeding. Can be bypassed with `--yes` / `-y` for scripting
+
+### Commands
+
+```
+# Top-level shortcut
+yaakcli send <id> [-e <env_id>]          # id can be a request, folder, or workspace
+
+# Resource commands
+yaakcli workspace list
+yaakcli workspace show <id>
+yaakcli workspace create --name <name>
+yaakcli workspace create --json '{"name": "My Workspace"}'
+yaakcli workspace create '{"name": "My Workspace"}'              # positional JSON shorthand
+yaakcli workspace update --json '{"id": "wk_abc", "name": "New Name"}'
+yaakcli workspace delete <id>
+
+yaakcli request list <workspace_id>
+yaakcli request show <id>
+yaakcli request create <workspace_id> --name <name> --url <url> [--method GET]
+yaakcli request create --json '{"workspaceId": "wk_abc", "url": "..."}'
+yaakcli request update --json '{"id": "rq_abc", "url": "https://new.com"}'
+yaakcli request send <id> [-e <env_id>]
+yaakcli request delete <id>
+yaakcli request schema <http|grpc|websocket>
+
+yaakcli folder list <workspace_id>
+yaakcli folder show <id>
+yaakcli folder create <workspace_id> --name <name>
+yaakcli folder create --json '{"workspaceId": "wk_abc", "name": "Auth"}'
+yaakcli folder update --json '{"id": "fl_abc", "name": "New Name"}'
+yaakcli folder delete <id>
+
+yaakcli environment list <workspace_id>
+yaakcli environment show <id>
+yaakcli environment create <workspace_id> --name <name>
+yaakcli environment create --json '{"workspaceId": "wk_abc", "name": "Production"}'
+yaakcli environment update --json '{"id": "ev_abc", ...}'
+yaakcli environment delete <id>
+
+```
+
+### `send` — Top-Level Shortcut
+
+`yaakcli send <id>` is a convenience alias that accepts any sendable ID. It tries
+each type in order via DB lookups (short-circuiting on first match):
+
+1. Request (HTTP, gRPC, or WebSocket via `get_any_request`)
+2. Folder (sends all requests in the folder)
+3. Workspace (sends all requests in the workspace)
+
+ID prefixes exist (e.g. `rq_`, `fl_`, `wk_`) but are not relied upon — resolution
+is purely by DB lookup.
+
+`request send <id>` is the same but restricted to request IDs only.
+
+### Request Send — Polymorphic Behavior
+
+`send` means "execute this request" regardless of protocol:
+
+- **HTTP**: send request, print response, exit
+- **gRPC**: invoke the method; for streaming, stream output to stdout until done/Ctrl+C
+- **WebSocket**: connect, stream messages to stdout until closed/Ctrl+C
+
+### `request schema` — Runtime JSON Schema
+
+Outputs a JSON Schema describing the full request shape, including dynamic fields:
+
+1. Generate base schema from `schemars::JsonSchema` derive on the Rust model structs
+2. Load plugins, collect auth strategy definitions and their form inputs
+3. Merge plugin-defined auth fields into the `authentication` property as a `oneOf`
+4. Output the combined schema as JSON
+
+This lets an LLM call `schema`, read the shape, and construct valid JSON for
+`create --json` or `update --json`.
+
+## Implementation Steps
+
+### Phase 1: Restructure commands (no new functionality)
+
+Refactor `main.rs` into the new resource/action pattern using clap subcommand nesting.
+Existing behavior stays the same, just reorganized. Remove the `get` command.
+
+1. Create module structure: `commands/workspace.rs`, `commands/request.rs`, etc.
+2. Define nested clap enums:
+   ```rust
+   enum Commands {
+       Send(SendArgs),
+       Workspace(WorkspaceArgs),
+       Request(RequestArgs),
+       Folder(FolderArgs),
+       Environment(EnvironmentArgs),
+   }
+   ```
+3. Move existing `Workspaces` logic into `workspace list`
+4. Move existing `Requests` logic into `request list`
+5. Move existing `Send` logic into `request send`
+6. Move existing `Create` logic into `request create`
+7. Delete the `Get` command entirely
+8. Extract shared setup (DB init, plugin init, encryption) into a reusable context struct
+
+### Phase 2: Add missing CRUD commands
+
+1. `workspace show <id>`
+2. `workspace create --name <name>` (and `--json`)
+3. `workspace update --json`
+4. `workspace delete <id>`
+5. `request show <id>` (JSON output of the full request model)
+6. `request delete <id>`
+7. `folder list <workspace_id>`
+8. `folder show <id>`
+9. `folder create <workspace_id> --name <name>` (and `--json`)
+10. `folder update --json`
+11. `folder delete <id>`
+12. `environment list <workspace_id>`
+13. `environment show <id>`
+14. `environment create <workspace_id> --name <name>` (and `--json`)
+15. `environment update --json`
+16. `environment delete <id>`
+
+### Phase 3: JSON input for create/update
+
+Both commands accept JSON via `--json <string>` or as a positional argument (detected
+by leading `{`). They follow the same upsert pattern as the plugin API.
+
+- **`create --json`**: JSON must include `workspaceId`. Must NOT include `id` (or
+  use empty string `""`). Deserializes into the model with defaults for missing fields,
+  then upserts (insert).
+- **`update --json`**: JSON must include `id`. Performs a fetch-merge-upsert:
+  1. Fetch the existing model from DB
+  2. Serialize it to `serde_json::Value`
+  3. Deep-merge the user's partial JSON on top (JSON Merge Patch / RFC 7386 semantics)
+  4. Deserialize back into the typed model
+  5. Upsert (update)
+
+  This matches how the MCP server plugin already does it (fetch existing, spread, override),
+  but the CLI handles the merge server-side so callers don't have to.
+
+  Setting a field to `null` removes it (for `Option<T>` fields), per RFC 7386.
+
+Implementation:
+1. Add `--json` flag and positional JSON detection to `create` commands
+2. Add `update` commands with required `--json` flag
+3. Implement JSON merge utility (or use `json-patch` crate)
+
+### Phase 4: Runtime schema generation
+
+1. Add `schemars` dependency to `yaak-models`
+2. Derive `JsonSchema` on `HttpRequest`, `GrpcRequest`, `WebsocketRequest`, and their
+   nested types (`HttpRequestHeader`, `HttpUrlParameter`, etc.)
+3. Implement `request schema` command:
+   - Generate base schema from schemars
+   - Query plugins for auth strategy form inputs
+   - Convert plugin form inputs into JSON Schema properties
+   - Merge into the `authentication` field
+   - Print to stdout
+
+### Phase 5: Polymorphic send
+
+1. Update `request send` to use `get_any_request` to resolve the request type
+2. Match on `AnyRequest` variant and dispatch to the appropriate sender:
+   - `AnyRequest::HttpRequest` — existing HTTP send logic
+   - `AnyRequest::GrpcRequest` — gRPC invoke (future implementation)
+   - `AnyRequest::WebsocketRequest` — WebSocket connect (future implementation)
+3. gRPC and WebSocket send can initially return "not yet implemented" errors
+
+### Phase 6: Top-level `send` and folder/workspace send
+
+1. Add top-level `yaakcli send <id>` command
+2. Resolve ID by trying DB lookups in order: any_request → folder → workspace
+3. For folder: list all requests in folder, send each
+4. For workspace: list all requests in workspace, send each
+5. Add execution options: `--sequential` (default), `--parallel`, `--fail-fast`
+
+## Crate Changes
+
+- **yaak-cli**: restructure into modules, new clap hierarchy
+- **yaak-models**: add `schemars` dependency, derive `JsonSchema` on model structs
+  (current derives: `Debug, Clone, PartialEq, Serialize, Deserialize, Default, TS`)

crates-tauri/yaak-app/src/render.rs

@@ -38,9 +38,6 @@ pub async fn render_grpc_request<T: TemplateCallback>(
 
     let mut metadata = Vec::new();
     for p in r.metadata.clone() {
-        if !p.enabled {
-            continue;
-        }
         metadata.push(HttpRequestHeader {
             enabled: p.enabled,
             name: parse_and_render(p.name.as_str(), vars, cb, &opt).await?,
@@ -122,7 +119,6 @@ pub async fn render_http_request<T: TemplateCallback>(
 
     let mut body = BTreeMap::new();
     for (k, v) in r.body.clone() {
-        let v = if k == "form" { strip_disabled_form_entries(v) } else { v };
         body.insert(k, render_json_value_raw(v, vars, cb, &opt).await?);
     }
 
@@ -165,71 +161,3 @@ pub async fn render_http_request<T: TemplateCallback>(
 
     Ok(HttpRequest { url, url_parameters, headers, body, authentication, ..r.to_owned() })
 }
-
-/// Strip disabled entries from a JSON array of form objects.
-fn strip_disabled_form_entries(v: Value) -> Value {
-    match v {
-        Value::Array(items) => Value::Array(
-            items
-                .into_iter()
-                .filter(|item| item.get("enabled").and_then(|e| e.as_bool()).unwrap_or(true))
-                .collect(),
-        ),
-        v => v,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use serde_json::json;
-
-    #[test]
-    fn test_strip_disabled_form_entries() {
-        let input = json!([
-            {"enabled": true, "name": "foo", "value": "bar"},
-            {"enabled": false, "name": "disabled", "value": "gone"},
-            {"enabled": true, "name": "baz", "value": "qux"},
-        ]);
-        let result = strip_disabled_form_entries(input);
-        assert_eq!(
-            result,
-            json!([
-                {"enabled": true, "name": "foo", "value": "bar"},
-                {"enabled": true, "name": "baz", "value": "qux"},
-            ])
-        );
-    }
-
-    #[test]
-    fn test_strip_disabled_form_entries_all_disabled() {
-        let input = json!([
-            {"enabled": false, "name": "a", "value": "b"},
-            {"enabled": false, "name": "c", "value": "d"},
-        ]);
-        let result = strip_disabled_form_entries(input);
-        assert_eq!(result, json!([]));
-    }
-
-    #[test]
-    fn test_strip_disabled_form_entries_missing_enabled_defaults_to_kept() {
-        let input = json!([
-            {"name": "no_enabled_field", "value": "kept"},
-            {"enabled": false, "name": "disabled", "value": "gone"},
-        ]);
-        let result = strip_disabled_form_entries(input);
-        assert_eq!(
-            result,
-            json!([
-                {"name": "no_enabled_field", "value": "kept"},
-            ])
-        );
-    }
-
-    #[test]
-    fn test_strip_disabled_form_entries_non_array_passthrough() {
-        let input = json!("just a string");
-        let result = strip_disabled_form_entries(input.clone());
-        assert_eq!(result, input);
-    }
-}

crates/yaak-ws/src/render.rs

@@ -16,9 +16,6 @@ pub async fn render_websocket_request<T: TemplateCallback>(
 
     let mut url_parameters = Vec::new();
     for p in r.url_parameters.clone() {
-        if !p.enabled {
-            continue;
-        }
         url_parameters.push(HttpUrlParameter {
             enabled: p.enabled,
             name: parse_and_render(&p.name, vars, cb, opt).await?,
@@ -29,9 +26,6 @@ pub async fn render_websocket_request<T: TemplateCallback>(
 
     let mut headers = Vec::new();
     for p in r.headers.clone() {
-        if !p.enabled {
-            continue;
-        }
         headers.push(HttpRequestHeader {
             enabled: p.enabled,
             name: parse_and_render(&p.name, vars, cb, opt).await?,

package-lock.json

@@ -12,7 +12,7 @@
         "packages/plugin-runtime",
         "packages/plugin-runtime-types",
         "plugins-external/mcp-server",
-        "plugins/template-function-faker",
+        "plugins-external/template-function-faker",
         "plugins-external/httpsnippet",
         "plugins/action-copy-curl",
         "plugins/action-copy-grpcurl",
@@ -3922,6 +3922,13 @@
         "@types/react": "*"
       }
     },
+    "node_modules/@types/shell-quote": {
+      "version": "1.7.5",
+      "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz",
+      "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/unist": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/@types/unist/-/unist-3.0.3.tgz",
@@ -4153,10 +4160,6 @@
       "resolved": "plugins/auth-oauth2",
       "link": true
     },
-    "node_modules/@yaak/faker": {
-      "resolved": "plugins/template-function-faker",
-      "link": true
-    },
     "node_modules/@yaak/filter-jsonpath": {
       "resolved": "plugins/filter-jsonpath",
       "link": true
@@ -13402,7 +13405,6 @@
       "version": "1.8.3",
       "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
       "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
-      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 0.4"
@@ -13411,12 +13413,6 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
-    "node_modules/shlex": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/shlex/-/shlex-3.0.0.tgz",
-      "integrity": "sha512-jHPXQQk9d/QXCvJuLPYMOYWez3c43sORAgcIEoV7bFv5AJSJRAOyw5lQO12PMfd385qiLRCaDt7OtEzgrIGZUA==",
-      "license": "MIT"
-    },
     "node_modules/should": {
       "version": "13.2.3",
       "resolved": "https://registry.npmjs.org/should/-/should-13.2.3.tgz",
@@ -15959,7 +15955,7 @@
     },
     "plugins-external/httpsnippet": {
       "name": "@yaak/httpsnippet",
-      "version": "1.0.3",
+      "version": "1.0.0",
       "dependencies": {
         "@readme/httpsnippet": "^11.0.0"
       },
@@ -15987,7 +15983,7 @@
     },
     "plugins-external/mcp-server": {
       "name": "@yaak/mcp-server",
-      "version": "0.2.1",
+      "version": "0.1.7",
       "dependencies": {
         "@hono/mcp": "^0.2.3",
         "@hono/node-server": "^1.19.7",
@@ -16062,18 +16058,6 @@
       "name": "@yaak/auth-oauth2",
       "version": "0.1.0"
     },
-    "plugins/faker": {
-      "name": "@yaak/faker",
-      "version": "1.1.1",
-      "extraneous": true,
-      "dependencies": {
-        "@faker-js/faker": "^10.1.0"
-      },
-      "devDependencies": {
-        "@types/node": "^25.0.3",
-        "typescript": "^5.9.3"
-      }
-    },
     "plugins/filter-jsonpath": {
       "name": "@yaak/filter-jsonpath",
       "version": "0.1.0",
@@ -16096,7 +16080,10 @@
       "name": "@yaak/importer-curl",
       "version": "0.1.0",
       "dependencies": {
-        "shlex": "^3.0.0"
+        "shell-quote": "^1.8.1"
+      },
+      "devDependencies": {
+        "@types/shell-quote": "^1.7.5"
       }
     },
     "plugins/importer-insomnia": {
@@ -16151,33 +16138,6 @@
       "name": "@yaak/template-function-encode",
       "version": "0.1.0"
     },
-    "plugins/template-function-faker": {
-      "name": "@yaak/faker",
-      "version": "1.1.1",
-      "dependencies": {
-        "@faker-js/faker": "^10.1.0"
-      },
-      "devDependencies": {
-        "@types/node": "^25.0.3",
-        "typescript": "^5.9.3"
-      }
-    },
-    "plugins/template-function-faker/node_modules/@faker-js/faker": {
-      "version": "10.3.0",
-      "resolved": "https://registry.npmjs.org/@faker-js/faker/-/faker-10.3.0.tgz",
-      "integrity": "sha512-It0Sne6P3szg7JIi6CgKbvTZoMjxBZhcv91ZrqrNuaZQfB5WoqYYbzCUOq89YR+VY8juY9M1vDWmDDa2TzfXCw==",
-      "funding": [
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fakerjs"
-        }
-      ],
-      "license": "MIT",
-      "engines": {
-        "node": "^20.19.0 || ^22.13.0 || ^23.5.0 || >=24.0.0",
-        "npm": ">=10"
-      }
-    },
     "plugins/template-function-fs": {
       "name": "@yaak/template-function-fs",
       "version": "0.1.0"

package.json

@@ -11,7 +11,7 @@
     "packages/plugin-runtime",
     "packages/plugin-runtime-types",
     "plugins-external/mcp-server",
-    "plugins/template-function-faker",
+    "plugins-external/template-function-faker",
     "plugins-external/httpsnippet",
     "plugins/action-copy-curl",
     "plugins/action-copy-grpcurl",

plugins-external/faker/package.json

@@ -7,7 +7,7 @@
   "repository": {
     "type": "git",
     "url": "https://github.com/mountain-loop/yaak.git",
-    "directory": "plugins/template-function-faker"
+    "directory": "plugins-external/faker"
   },
   "scripts": {
     "build": "yaakcli build",

plugins-external/faker/tests/init.test.ts

@@ -0,0 +1,9 @@
+import { describe, expect, it } from 'vitest';
+
+describe('formatDatetime', () => {
+  it('returns formatted current date', async () => {
+    // Ensure the plugin imports properly
+    const faker = await import('../src/index');
+    expect(faker.plugin.templateFunctions?.length).toBe(226);
+  });
+});

plugins/importer-curl/package.json

@@ -10,6 +10,9 @@
     "test": "vitest --run tests"
   },
   "dependencies": {
-    "shlex": "^3.0.0"
+    "shell-quote": "^1.8.1"
+  },
+  "devDependencies": {
+    "@types/shell-quote": "^1.7.5"
   }
 }

plugins/importer-curl/src/index.ts

@@ -7,7 +7,8 @@ import type {
   PluginDefinition,
   Workspace,
 } from '@yaakapp/api';
-import { split } from 'shlex';
+import type { ControlOperator, ParseEntry } from 'shell-quote';
+import { parse } from 'shell-quote';
 
 type AtLeast<T, K extends keyof T> = Partial<T> & Pick<T, K>;
 
@@ -55,89 +56,31 @@ export const plugin: PluginDefinition = {
 };
 
 /**
- * Splits raw input into individual shell command strings.
- * Handles line continuations, semicolons, and newline-separated curl commands.
+ * Decodes escape sequences in shell $'...' strings
+ * Handles Unicode escape sequences (\uXXXX) and common escape codes
  */
-function splitCommands(rawData: string): string[] {
-  // Join line continuations (backslash-newline, and backslash-CRLF for Windows)
-  const joined = rawData.replace(/\\\r?\n/g, ' ');
+function decodeShellString(str: string): string {
+  return str
+    .replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
+    .replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
+    .replace(/\\n/g, '\n')
+    .replace(/\\r/g, '\r')
+    .replace(/\\t/g, '\t')
+    .replace(/\\'/g, "'")
+    .replace(/\\"/g, '"')
+    .replace(/\\\\/g, '\\');
+}
 
-  // Count consecutive backslashes immediately before position i.
-  // An even count means the quote at i is NOT escaped; odd means it IS escaped.
-  function isEscaped(i: number): boolean {
-    let backslashes = 0;
-    let j = i - 1;
-    while (j >= 0 && joined[j] === '\\') {
-      backslashes++;
-      j--;
-    }
-    return backslashes % 2 !== 0;
+/**
+ * Checks if a string might contain escape sequences that need decoding
+ * If so, decodes them; otherwise returns the string as-is
+ */
+function maybeDecodeEscapeSequences(str: string): string {
+  // Check if the string contains escape sequences that shell-quote might not handle
+  if (str.includes('\\u') || str.includes('\\x')) {
+    return decodeShellString(str);
   }
-
-  // Split on semicolons and newlines to separate commands
-  const commands: string[] = [];
-  let current = '';
-  let inSingleQuote = false;
-  let inDoubleQuote = false;
-  let inDollarQuote = false;
-
-  for (let i = 0; i < joined.length; i++) {
-    const ch = joined[i]!;
-    const next = joined[i + 1];
-
-    // Track quoting state to avoid splitting inside quoted strings
-    if (!inDoubleQuote && !inDollarQuote && ch === "'" && !inSingleQuote) {
-      inSingleQuote = true;
-      current += ch;
-      continue;
-    }
-    if (inSingleQuote && ch === "'") {
-      inSingleQuote = false;
-      current += ch;
-      continue;
-    }
-    if (!inSingleQuote && !inDollarQuote && ch === '"' && !inDoubleQuote) {
-      inDoubleQuote = true;
-      current += ch;
-      continue;
-    }
-    if (inDoubleQuote && ch === '"' && !isEscaped(i)) {
-      inDoubleQuote = false;
-      current += ch;
-      continue;
-    }
-    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && ch === '$' && next === "'") {
-      inDollarQuote = true;
-      current += ch + next;
-      i++; // Skip the opening quote
-      continue;
-    }
-    if (inDollarQuote && ch === "'" && !isEscaped(i)) {
-      inDollarQuote = false;
-      current += ch;
-      continue;
-    }
-
-    const inQuote = inSingleQuote || inDoubleQuote || inDollarQuote;
-
-    // Split on ;, newline, or CRLF when not inside quotes and not escaped
-    if (!inQuote && !isEscaped(i) && (ch === ';' || ch === '\n' || (ch === '\r' && next === '\n'))) {
-      if (ch === '\r') i++; // Skip the \n in \r\n
-      if (current.trim()) {
-        commands.push(current.trim());
-      }
-      current = '';
-      continue;
-    }
-
-    current += ch;
-  }
-
-  if (current.trim()) {
-    commands.push(current.trim());
-  }
-
-  return commands;
+  return str;
 }
 
 export function convertCurl(rawData: string) {
@@ -145,18 +88,69 @@ export function convertCurl(rawData: string) {
     return null;
   }
 
-  const commands: string[][] = splitCommands(rawData).map((cmd) => {
-    const tokens = split(cmd);
+  const commands: ParseEntry[][] = [];
 
-    // Break up squished arguments like `-XPOST` into `-X POST`
-    return tokens.flatMap((token) => {
-      if (token.startsWith('-') && !token.startsWith('--') && token.length > 2) {
-        return [token.slice(0, 2), token.slice(2)];
-      }
-      return token;
-    });
+  // Replace non-escaped newlines with semicolons to make parsing easier
+  // NOTE: This is really slow in debug build but fast in release mode
+  const normalizedData = rawData.replace(/\ncurl/g, '; curl');
+
+  let currentCommand: ParseEntry[] = [];
+
+  const parsed = parse(normalizedData);
+
+  // Break up `-XPOST` into `-X POST`
+  const normalizedParseEntries = parsed.flatMap((entry) => {
+    if (
+      typeof entry === 'string' &&
+      entry.startsWith('-') &&
+      !entry.startsWith('--') &&
+      entry.length > 2
+    ) {
+      return [entry.slice(0, 2), entry.slice(2)];
+    }
+    return entry;
   });
 
+  for (const parseEntry of normalizedParseEntries) {
+    if (typeof parseEntry === 'string') {
+      if (parseEntry.startsWith('$')) {
+        // Handle $'...' strings from shell-quote - decode escape sequences
+        currentCommand.push(decodeShellString(parseEntry.slice(1)));
+      } else {
+        // Decode escape sequences that shell-quote might not handle
+        currentCommand.push(maybeDecodeEscapeSequences(parseEntry));
+      }
+      continue;
+    }
+
+    if ('comment' in parseEntry) {
+      continue;
+    }
+
+    const { op } = parseEntry as { op: 'glob'; pattern: string } | { op: ControlOperator };
+
+    // `;` separates commands
+    if (op === ';') {
+      commands.push(currentCommand);
+      currentCommand = [];
+      continue;
+    }
+
+    if (op?.startsWith('$')) {
+      // Handle the case where literal like -H $'Header: \'Some Quoted Thing\''
+      const str = decodeShellString(op.slice(2, op.length - 1));
+
+      currentCommand.push(str);
+      continue;
+    }
+
+    if (op === 'glob') {
+      currentCommand.push((parseEntry as { op: 'glob'; pattern: string }).pattern);
+    }
+  }
+
+  commands.push(currentCommand);
+
   const workspace: ExportResources['workspaces'][0] = {
     model: 'workspace',
     id: generateId('workspace'),
@@ -175,12 +169,12 @@ export function convertCurl(rawData: string) {
   };
 }
 
-function importCommand(parseEntries: string[], workspaceId: string) {
+function importCommand(parseEntries: ParseEntry[], workspaceId: string) {
   // ~~~~~~~~~~~~~~~~~~~~~ //
   // Collect all the flags //
   // ~~~~~~~~~~~~~~~~~~~~~ //
   const flagsByName: FlagsByName = {};
-  const singletons: string[] = [];
+  const singletons: ParseEntry[] = [];
 
   // Start at 1 so we can skip the ^curl part
   for (let i = 1; i < parseEntries.length; i++) {

plugins/importer-curl/tests/index.test.ts

@@ -112,28 +112,9 @@ describe('importer-curl', () => {
     });
   });
 
-  test('Imports with Windows CRLF line endings', () => {
-    expect(
-      convertCurl('curl \\\r\n  -X POST \\\r\n  https://yaak.app'),
-    ).toEqual({
-      resources: {
-        workspaces: [baseWorkspace()],
-        httpRequests: [
-          baseRequest({ url: 'https://yaak.app', method: 'POST' }),
-        ],
-      },
-    });
-  });
-
-  test('Throws on malformed quotes', () => {
-    expect(() =>
-      convertCurl('curl -X POST -F "a=aaa" -F b=bbb" https://yaak.app'),
-    ).toThrow();
-  });
-
   test('Imports form data', () => {
     expect(
-      convertCurl('curl -X POST -F "a=aaa" -F b=bbb -F f=@filepath https://yaak.app'),
+      convertCurl('curl -X POST -F "a=aaa" -F b=bbb" -F f=@filepath https://yaak.app'),
     ).toEqual({
       resources: {
         workspaces: [baseWorkspace()],
@@ -495,130 +476,6 @@ describe('importer-curl', () => {
     });
   });
 
-  test('Imports JSON body with newlines in $quotes', () => {
-    expect(
-      convertCurl(
-        `curl 'https://yaak.app' -H 'Content-Type: application/json' --data-raw $'{\\n  "foo": "bar",\\n  "baz": "qux"\\n}' -X POST`,
-      ),
-    ).toEqual({
-      resources: {
-        workspaces: [baseWorkspace()],
-        httpRequests: [
-          baseRequest({
-            url: 'https://yaak.app',
-            method: 'POST',
-            headers: [{ name: 'Content-Type', value: 'application/json', enabled: true }],
-            bodyType: 'application/json',
-            body: { text: '{\n  "foo": "bar",\n  "baz": "qux"\n}' },
-          }),
-        ],
-      },
-    });
-  });
-
-  test('Handles double-quoted string ending with even backslashes before semicolon', () => {
-    // "C:\\" has two backslashes which escape each other, so the closing " is real.
-    // The ; after should split into a second command.
-    expect(
-      convertCurl(
-        'curl -d "C:\\\\" https://yaak.app;curl https://example.com',
-      ),
-    ).toEqual({
-      resources: {
-        workspaces: [baseWorkspace()],
-        httpRequests: [
-          baseRequest({
-            url: 'https://yaak.app',
-            method: 'POST',
-            bodyType: 'application/x-www-form-urlencoded',
-            body: {
-              form: [{ name: 'C:\\', value: '', enabled: true }],
-            },
-            headers: [
-              {
-                name: 'Content-Type',
-                value: 'application/x-www-form-urlencoded',
-                enabled: true,
-              },
-            ],
-          }),
-          baseRequest({ url: 'https://example.com' }),
-        ],
-      },
-    });
-  });
-
-  test('Handles $quoted string ending with a literal backslash before semicolon', () => {
-    // $'C:\\\\' has two backslashes which become one literal backslash.
-    // The closing ' must not be misinterpreted as escaped.
-    // The ; after should split into a second command.
-    expect(
-      convertCurl(
-        "curl -d $'C:\\\\' https://yaak.app;curl https://example.com",
-      ),
-    ).toEqual({
-      resources: {
-        workspaces: [baseWorkspace()],
-        httpRequests: [
-          baseRequest({
-            url: 'https://yaak.app',
-            method: 'POST',
-            bodyType: 'application/x-www-form-urlencoded',
-            body: {
-              form: [{ name: 'C:\\', value: '', enabled: true }],
-            },
-            headers: [
-              {
-                name: 'Content-Type',
-                value: 'application/x-www-form-urlencoded',
-                enabled: true,
-              },
-            ],
-          }),
-          baseRequest({ url: 'https://example.com' }),
-        ],
-      },
-    });
-  });
-
-  test('Imports $quoted header with escaped single quotes', () => {
-    expect(
-      convertCurl(
-        `curl https://yaak.app -H $'X-Custom: it\\'s a test'`,
-      ),
-    ).toEqual({
-      resources: {
-        workspaces: [baseWorkspace()],
-        httpRequests: [
-          baseRequest({
-            url: 'https://yaak.app',
-            headers: [{ name: 'X-Custom', value: "it's a test", enabled: true }],
-          }),
-        ],
-      },
-    });
-  });
-
-  test('Does not split on escaped semicolon outside quotes', () => {
-    // In shell, \; is a literal semicolon and should not split commands.
-    // This should be treated as a single curl command with the URL "https://yaak.app?a=1;b=2"
-    expect(
-      convertCurl('curl https://yaak.app?a=1\\;b=2'),
-    ).toEqual({
-      resources: {
-        workspaces: [baseWorkspace()],
-        httpRequests: [
-          baseRequest({
-            url: 'https://yaak.app',
-            urlParameters: [
-              { name: 'a', value: '1;b=2', enabled: true },
-            ],
-          }),
-        ],
-      },
-    });
-  });
-
   test('Imports multipart form data with text-only fields from --data-raw', () => {
     const curlCommand = `curl 'http://example.com/api' \
   -H 'Content-Type: multipart/form-data; boundary=----FormBoundary123' \

plugins/template-function-faker/tests/__snapshots__/init.test.ts.snap

@@ -1,233 +0,0 @@
-// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
-
-exports[`template-function-faker > exports all expected template functions 1`] = `
-[
-  "faker.airline.aircraftType",
-  "faker.airline.airline",
-  "faker.airline.airplane",
-  "faker.airline.airport",
-  "faker.airline.flightNumber",
-  "faker.airline.recordLocator",
-  "faker.airline.seat",
-  "faker.animal.bear",
-  "faker.animal.bird",
-  "faker.animal.cat",
-  "faker.animal.cetacean",
-  "faker.animal.cow",
-  "faker.animal.crocodilia",
-  "faker.animal.dog",
-  "faker.animal.fish",
-  "faker.animal.horse",
-  "faker.animal.insect",
-  "faker.animal.lion",
-  "faker.animal.petName",
-  "faker.animal.rabbit",
-  "faker.animal.rodent",
-  "faker.animal.snake",
-  "faker.animal.type",
-  "faker.color.cmyk",
-  "faker.color.colorByCSSColorSpace",
-  "faker.color.cssSupportedFunction",
-  "faker.color.cssSupportedSpace",
-  "faker.color.hsl",
-  "faker.color.human",
-  "faker.color.hwb",
-  "faker.color.lab",
-  "faker.color.lch",
-  "faker.color.rgb",
-  "faker.color.space",
-  "faker.commerce.department",
-  "faker.commerce.isbn",
-  "faker.commerce.price",
-  "faker.commerce.product",
-  "faker.commerce.productAdjective",
-  "faker.commerce.productDescription",
-  "faker.commerce.productMaterial",
-  "faker.commerce.productName",
-  "faker.commerce.upc",
-  "faker.company.buzzAdjective",
-  "faker.company.buzzNoun",
-  "faker.company.buzzPhrase",
-  "faker.company.buzzVerb",
-  "faker.company.catchPhrase",
-  "faker.company.catchPhraseAdjective",
-  "faker.company.catchPhraseDescriptor",
-  "faker.company.catchPhraseNoun",
-  "faker.company.name",
-  "faker.database.collation",
-  "faker.database.column",
-  "faker.database.engine",
-  "faker.database.mongodbObjectId",
-  "faker.database.type",
-  "faker.date.anytime",
-  "faker.date.between",
-  "faker.date.betweens",
-  "faker.date.birthdate",
-  "faker.date.future",
-  "faker.date.month",
-  "faker.date.past",
-  "faker.date.recent",
-  "faker.date.soon",
-  "faker.date.timeZone",
-  "faker.date.weekday",
-  "faker.finance.accountName",
-  "faker.finance.accountNumber",
-  "faker.finance.amount",
-  "faker.finance.bic",
-  "faker.finance.bitcoinAddress",
-  "faker.finance.creditCardCVV",
-  "faker.finance.creditCardIssuer",
-  "faker.finance.creditCardNumber",
-  "faker.finance.currency",
-  "faker.finance.currencyCode",
-  "faker.finance.currencyName",
-  "faker.finance.currencyNumericCode",
-  "faker.finance.currencySymbol",
-  "faker.finance.ethereumAddress",
-  "faker.finance.iban",
-  "faker.finance.litecoinAddress",
-  "faker.finance.pin",
-  "faker.finance.routingNumber",
-  "faker.finance.transactionDescription",
-  "faker.finance.transactionType",
-  "faker.git.branch",
-  "faker.git.commitDate",
-  "faker.git.commitEntry",
-  "faker.git.commitMessage",
-  "faker.git.commitSha",
-  "faker.hacker.abbreviation",
-  "faker.hacker.adjective",
-  "faker.hacker.ingverb",
-  "faker.hacker.noun",
-  "faker.hacker.phrase",
-  "faker.hacker.verb",
-  "faker.image.avatar",
-  "faker.image.avatarGitHub",
-  "faker.image.dataUri",
-  "faker.image.personPortrait",
-  "faker.image.url",
-  "faker.image.urlLoremFlickr",
-  "faker.image.urlPicsumPhotos",
-  "faker.internet.displayName",
-  "faker.internet.domainName",
-  "faker.internet.domainSuffix",
-  "faker.internet.domainWord",
-  "faker.internet.email",
-  "faker.internet.emoji",
-  "faker.internet.exampleEmail",
-  "faker.internet.httpMethod",
-  "faker.internet.httpStatusCode",
-  "faker.internet.ip",
-  "faker.internet.ipv4",
-  "faker.internet.ipv6",
-  "faker.internet.jwt",
-  "faker.internet.jwtAlgorithm",
-  "faker.internet.mac",
-  "faker.internet.password",
-  "faker.internet.port",
-  "faker.internet.protocol",
-  "faker.internet.url",
-  "faker.internet.userAgent",
-  "faker.internet.username",
-  "faker.location.buildingNumber",
-  "faker.location.cardinalDirection",
-  "faker.location.city",
-  "faker.location.continent",
-  "faker.location.country",
-  "faker.location.countryCode",
-  "faker.location.county",
-  "faker.location.direction",
-  "faker.location.language",
-  "faker.location.latitude",
-  "faker.location.longitude",
-  "faker.location.nearbyGPSCoordinate",
-  "faker.location.ordinalDirection",
-  "faker.location.secondaryAddress",
-  "faker.location.state",
-  "faker.location.street",
-  "faker.location.streetAddress",
-  "faker.location.timeZone",
-  "faker.location.zipCode",
-  "faker.lorem.lines",
-  "faker.lorem.paragraph",
-  "faker.lorem.paragraphs",
-  "faker.lorem.sentence",
-  "faker.lorem.sentences",
-  "faker.lorem.slug",
-  "faker.lorem.text",
-  "faker.lorem.word",
-  "faker.lorem.words",
-  "faker.music.album",
-  "faker.music.artist",
-  "faker.music.genre",
-  "faker.music.songName",
-  "faker.number.bigInt",
-  "faker.number.binary",
-  "faker.number.float",
-  "faker.number.hex",
-  "faker.number.int",
-  "faker.number.octal",
-  "faker.number.romanNumeral",
-  "faker.person.bio",
-  "faker.person.firstName",
-  "faker.person.fullName",
-  "faker.person.gender",
-  "faker.person.jobArea",
-  "faker.person.jobDescriptor",
-  "faker.person.jobTitle",
-  "faker.person.jobType",
-  "faker.person.lastName",
-  "faker.person.middleName",
-  "faker.person.prefix",
-  "faker.person.sex",
-  "faker.person.sexType",
-  "faker.person.suffix",
-  "faker.person.zodiacSign",
-  "faker.phone.imei",
-  "faker.phone.number",
-  "faker.science.chemicalElement",
-  "faker.science.unit",
-  "faker.string.alpha",
-  "faker.string.alphanumeric",
-  "faker.string.binary",
-  "faker.string.fromCharacters",
-  "faker.string.hexadecimal",
-  "faker.string.nanoid",
-  "faker.string.numeric",
-  "faker.string.octal",
-  "faker.string.sample",
-  "faker.string.symbol",
-  "faker.string.ulid",
-  "faker.string.uuid",
-  "faker.system.commonFileExt",
-  "faker.system.commonFileName",
-  "faker.system.commonFileType",
-  "faker.system.cron",
-  "faker.system.directoryPath",
-  "faker.system.fileExt",
-  "faker.system.fileName",
-  "faker.system.filePath",
-  "faker.system.fileType",
-  "faker.system.mimeType",
-  "faker.system.networkInterface",
-  "faker.system.semver",
-  "faker.vehicle.bicycle",
-  "faker.vehicle.color",
-  "faker.vehicle.fuel",
-  "faker.vehicle.manufacturer",
-  "faker.vehicle.model",
-  "faker.vehicle.type",
-  "faker.vehicle.vehicle",
-  "faker.vehicle.vin",
-  "faker.vehicle.vrm",
-  "faker.word.adjective",
-  "faker.word.adverb",
-  "faker.word.conjunction",
-  "faker.word.interjection",
-  "faker.word.noun",
-  "faker.word.preposition",
-  "faker.word.sample",
-  "faker.word.verb",
-  "faker.word.words",
-]
-`;

plugins/template-function-faker/tests/init.test.ts

@@ -1,12 +0,0 @@
-import { describe, expect, it } from 'vitest';
-
-describe('template-function-faker', () => {
-  it('exports all expected template functions', async () => {
-    const { plugin } = await import('../src/index');
-    const names = plugin.templateFunctions?.map((fn) => fn.name).sort() ?? [];
-
-    // Snapshot the full list of exported function names so we catch any
-    // accidental additions, removals, or renames across faker upgrades.
-    expect(names).toMatchSnapshot();
-  });
-});