Snapshot faker template function names in test

Replace the brittle count assertion (toBe(226)) with a snapshot of all
exported function names. This catches accidental additions, removals,
or renames across faker upgrades with a clear diff.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

MCP_CLIENT_PLAN.md

@@ -1,27 +0,0 @@
-# MCP Client Plan
-
-## Goal
-Add an MCP client mode to Yaak so users can connect to and debug MCP servers.
-
-## Core Design
-- **Protocol layer:** Implement JSON‑RPC framing, message IDs, and notifications as the common core.
-- **Transport interface:** Define an async trait with `connect`, `send`, `receive`, and `close` methods.
-- **Transports:**
-  - Start with **Standard I/O** for local development.
-  - Reuse the existing HTTP stack for **HTTP streaming** next.
-  - Leave hooks for **WebSocket** support later.
-
-## Integration
-- Register MCP as a new request type alongside REST, GraphQL, gRPC, and WebSocket.
-- Allow per‑request transport selection (stdio or HTTP).
-- Map inbound messages into a new MCP response model that feeds existing timeline and debug views.
-
-## Testing and Dog‑fooding
-- Convert Yaak's own MCP server to Standard I/O for local testing.
-- Use it internally to validate protocol behavior and message flow.
-- Add unit and integration tests for JSON‑RPC messaging and transport abstractions.
-
-## Future Refinements
-- Add WebSocket transport support once core paths are stable.
-- Extend timelines for protocol‑level visualization layered over raw transport events.
-- Implement version and capability negotiation between client and server.

crates-cli/yaak-cli/PLAN.md

@@ -1,198 +0,0 @@
-# CLI Command Architecture Plan
-
-## Goal
-
-Redesign the yaak-cli command structure to use a resource-oriented `<resource> <action>`
-pattern that scales well, is discoverable, and supports both human and LLM workflows.
-
-## Command Architecture
-
-### Design Principles
-
-- **Resource-oriented**: top-level commands are nouns, subcommands are verbs
-- **Polymorphic requests**: `request` covers HTTP, gRPC, and WebSocket — the CLI
-  resolves the type via `get_any_request` and adapts behavior accordingly
-- **Simple creation, full-fidelity via JSON**: human-friendly flags for basic creation,
-  `--json` for full control (targeted at LLM and scripting workflows)
-- **Runtime schema introspection**: `request schema` outputs JSON Schema for the request
-  models, with dynamic auth fields populated from loaded plugins at runtime
-- **Destructive actions require confirmation**: `delete` commands prompt for user
-  confirmation before proceeding. Can be bypassed with `--yes` / `-y` for scripting
-
-### Commands
-
-```
-# Top-level shortcut
-yaakcli send <id> [-e <env_id>]          # id can be a request, folder, or workspace
-
-# Resource commands
-yaakcli workspace list
-yaakcli workspace show <id>
-yaakcli workspace create --name <name>
-yaakcli workspace create --json '{"name": "My Workspace"}'
-yaakcli workspace create '{"name": "My Workspace"}'              # positional JSON shorthand
-yaakcli workspace update --json '{"id": "wk_abc", "name": "New Name"}'
-yaakcli workspace delete <id>
-
-yaakcli request list <workspace_id>
-yaakcli request show <id>
-yaakcli request create <workspace_id> --name <name> --url <url> [--method GET]
-yaakcli request create --json '{"workspaceId": "wk_abc", "url": "..."}'
-yaakcli request update --json '{"id": "rq_abc", "url": "https://new.com"}'
-yaakcli request send <id> [-e <env_id>]
-yaakcli request delete <id>
-yaakcli request schema <http|grpc|websocket>
-
-yaakcli folder list <workspace_id>
-yaakcli folder show <id>
-yaakcli folder create <workspace_id> --name <name>
-yaakcli folder create --json '{"workspaceId": "wk_abc", "name": "Auth"}'
-yaakcli folder update --json '{"id": "fl_abc", "name": "New Name"}'
-yaakcli folder delete <id>
-
-yaakcli environment list <workspace_id>
-yaakcli environment show <id>
-yaakcli environment create <workspace_id> --name <name>
-yaakcli environment create --json '{"workspaceId": "wk_abc", "name": "Production"}'
-yaakcli environment update --json '{"id": "ev_abc", ...}'
-yaakcli environment delete <id>
-
-```
-
-### `send` — Top-Level Shortcut
-
-`yaakcli send <id>` is a convenience alias that accepts any sendable ID. It tries
-each type in order via DB lookups (short-circuiting on first match):
-
-1. Request (HTTP, gRPC, or WebSocket via `get_any_request`)
-2. Folder (sends all requests in the folder)
-3. Workspace (sends all requests in the workspace)
-
-ID prefixes exist (e.g. `rq_`, `fl_`, `wk_`) but are not relied upon — resolution
-is purely by DB lookup.
-
-`request send <id>` is the same but restricted to request IDs only.
-
-### Request Send — Polymorphic Behavior
-
-`send` means "execute this request" regardless of protocol:
-
-- **HTTP**: send request, print response, exit
-- **gRPC**: invoke the method; for streaming, stream output to stdout until done/Ctrl+C
-- **WebSocket**: connect, stream messages to stdout until closed/Ctrl+C
-
-### `request schema` — Runtime JSON Schema
-
-Outputs a JSON Schema describing the full request shape, including dynamic fields:
-
-1. Generate base schema from `schemars::JsonSchema` derive on the Rust model structs
-2. Load plugins, collect auth strategy definitions and their form inputs
-3. Merge plugin-defined auth fields into the `authentication` property as a `oneOf`
-4. Output the combined schema as JSON
-
-This lets an LLM call `schema`, read the shape, and construct valid JSON for
-`create --json` or `update --json`.
-
-## Implementation Steps
-
-### Phase 1: Restructure commands (no new functionality)
-
-Refactor `main.rs` into the new resource/action pattern using clap subcommand nesting.
-Existing behavior stays the same, just reorganized. Remove the `get` command.
-
-1. Create module structure: `commands/workspace.rs`, `commands/request.rs`, etc.
-2. Define nested clap enums:
-   ```rust
-   enum Commands {
-       Send(SendArgs),
-       Workspace(WorkspaceArgs),
-       Request(RequestArgs),
-       Folder(FolderArgs),
-       Environment(EnvironmentArgs),
-   }
-   ```
-3. Move existing `Workspaces` logic into `workspace list`
-4. Move existing `Requests` logic into `request list`
-5. Move existing `Send` logic into `request send`
-6. Move existing `Create` logic into `request create`
-7. Delete the `Get` command entirely
-8. Extract shared setup (DB init, plugin init, encryption) into a reusable context struct
-
-### Phase 2: Add missing CRUD commands
-
-1. `workspace show <id>`
-2. `workspace create --name <name>` (and `--json`)
-3. `workspace update --json`
-4. `workspace delete <id>`
-5. `request show <id>` (JSON output of the full request model)
-6. `request delete <id>`
-7. `folder list <workspace_id>`
-8. `folder show <id>`
-9. `folder create <workspace_id> --name <name>` (and `--json`)
-10. `folder update --json`
-11. `folder delete <id>`
-12. `environment list <workspace_id>`
-13. `environment show <id>`
-14. `environment create <workspace_id> --name <name>` (and `--json`)
-15. `environment update --json`
-16. `environment delete <id>`
-
-### Phase 3: JSON input for create/update
-
-Both commands accept JSON via `--json <string>` or as a positional argument (detected
-by leading `{`). They follow the same upsert pattern as the plugin API.
-
-- **`create --json`**: JSON must include `workspaceId`. Must NOT include `id` (or
-  use empty string `""`). Deserializes into the model with defaults for missing fields,
-  then upserts (insert).
-- **`update --json`**: JSON must include `id`. Performs a fetch-merge-upsert:
-  1. Fetch the existing model from DB
-  2. Serialize it to `serde_json::Value`
-  3. Deep-merge the user's partial JSON on top (JSON Merge Patch / RFC 7386 semantics)
-  4. Deserialize back into the typed model
-  5. Upsert (update)
-
-  This matches how the MCP server plugin already does it (fetch existing, spread, override),
-  but the CLI handles the merge server-side so callers don't have to.
-
-  Setting a field to `null` removes it (for `Option<T>` fields), per RFC 7386.
-
-Implementation:
-1. Add `--json` flag and positional JSON detection to `create` commands
-2. Add `update` commands with required `--json` flag
-3. Implement JSON merge utility (or use `json-patch` crate)
-
-### Phase 4: Runtime schema generation
-
-1. Add `schemars` dependency to `yaak-models`
-2. Derive `JsonSchema` on `HttpRequest`, `GrpcRequest`, `WebsocketRequest`, and their
-   nested types (`HttpRequestHeader`, `HttpUrlParameter`, etc.)
-3. Implement `request schema` command:
-   - Generate base schema from schemars
-   - Query plugins for auth strategy form inputs
-   - Convert plugin form inputs into JSON Schema properties
-   - Merge into the `authentication` field
-   - Print to stdout
-
-### Phase 5: Polymorphic send
-
-1. Update `request send` to use `get_any_request` to resolve the request type
-2. Match on `AnyRequest` variant and dispatch to the appropriate sender:
-   - `AnyRequest::HttpRequest` — existing HTTP send logic
-   - `AnyRequest::GrpcRequest` — gRPC invoke (future implementation)
-   - `AnyRequest::WebsocketRequest` — WebSocket connect (future implementation)
-3. gRPC and WebSocket send can initially return "not yet implemented" errors
-
-### Phase 6: Top-level `send` and folder/workspace send
-
-1. Add top-level `yaakcli send <id>` command
-2. Resolve ID by trying DB lookups in order: any_request → folder → workspace
-3. For folder: list all requests in folder, send each
-4. For workspace: list all requests in workspace, send each
-5. Add execution options: `--sequential` (default), `--parallel`, `--fail-fast`
-
-## Crate Changes
-
-- **yaak-cli**: restructure into modules, new clap hierarchy
-- **yaak-models**: add `schemars` dependency, derive `JsonSchema` on model structs
-  (current derives: `Debug, Clone, PartialEq, Serialize, Deserialize, Default, TS`)

crates-tauri/yaak-app/src/render.rs

@@ -38,6 +38,9 @@ pub async fn render_grpc_request<T: TemplateCallback>(
 
     let mut metadata = Vec::new();
     for p in r.metadata.clone() {
+        if !p.enabled {
+            continue;
+        }
         metadata.push(HttpRequestHeader {
             enabled: p.enabled,
             name: parse_and_render(p.name.as_str(), vars, cb, &opt).await?,
@@ -119,6 +122,7 @@ pub async fn render_http_request<T: TemplateCallback>(
 
     let mut body = BTreeMap::new();
     for (k, v) in r.body.clone() {
+        let v = if k == "form" { strip_disabled_form_entries(v) } else { v };
         body.insert(k, render_json_value_raw(v, vars, cb, &opt).await?);
     }
 
@@ -161,3 +165,71 @@ pub async fn render_http_request<T: TemplateCallback>(
 
     Ok(HttpRequest { url, url_parameters, headers, body, authentication, ..r.to_owned() })
 }
+
+/// Strip disabled entries from a JSON array of form objects.
+fn strip_disabled_form_entries(v: Value) -> Value {
+    match v {
+        Value::Array(items) => Value::Array(
+            items
+                .into_iter()
+                .filter(|item| item.get("enabled").and_then(|e| e.as_bool()).unwrap_or(true))
+                .collect(),
+        ),
+        v => v,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use serde_json::json;
+
+    #[test]
+    fn test_strip_disabled_form_entries() {
+        let input = json!([
+            {"enabled": true, "name": "foo", "value": "bar"},
+            {"enabled": false, "name": "disabled", "value": "gone"},
+            {"enabled": true, "name": "baz", "value": "qux"},
+        ]);
+        let result = strip_disabled_form_entries(input);
+        assert_eq!(
+            result,
+            json!([
+                {"enabled": true, "name": "foo", "value": "bar"},
+                {"enabled": true, "name": "baz", "value": "qux"},
+            ])
+        );
+    }
+
+    #[test]
+    fn test_strip_disabled_form_entries_all_disabled() {
+        let input = json!([
+            {"enabled": false, "name": "a", "value": "b"},
+            {"enabled": false, "name": "c", "value": "d"},
+        ]);
+        let result = strip_disabled_form_entries(input);
+        assert_eq!(result, json!([]));
+    }
+
+    #[test]
+    fn test_strip_disabled_form_entries_missing_enabled_defaults_to_kept() {
+        let input = json!([
+            {"name": "no_enabled_field", "value": "kept"},
+            {"enabled": false, "name": "disabled", "value": "gone"},
+        ]);
+        let result = strip_disabled_form_entries(input);
+        assert_eq!(
+            result,
+            json!([
+                {"name": "no_enabled_field", "value": "kept"},
+            ])
+        );
+    }
+
+    #[test]
+    fn test_strip_disabled_form_entries_non_array_passthrough() {
+        let input = json!("just a string");
+        let result = strip_disabled_form_entries(input.clone());
+        assert_eq!(result, input);
+    }
+}

crates/yaak-ws/src/render.rs

@@ -16,6 +16,9 @@ pub async fn render_websocket_request<T: TemplateCallback>(
 
     let mut url_parameters = Vec::new();
     for p in r.url_parameters.clone() {
+        if !p.enabled {
+            continue;
+        }
         url_parameters.push(HttpUrlParameter {
             enabled: p.enabled,
             name: parse_and_render(&p.name, vars, cb, opt).await?,
@@ -26,6 +29,9 @@ pub async fn render_websocket_request<T: TemplateCallback>(
 
     let mut headers = Vec::new();
     for p in r.headers.clone() {
+        if !p.enabled {
+            continue;
+        }
         headers.push(HttpRequestHeader {
             enabled: p.enabled,
             name: parse_and_render(&p.name, vars, cb, opt).await?,

package-lock.json

@@ -12,7 +12,7 @@
         "packages/plugin-runtime",
         "packages/plugin-runtime-types",
         "plugins-external/mcp-server",
-        "plugins-external/template-function-faker",
+        "plugins/template-function-faker",
         "plugins-external/httpsnippet",
         "plugins/action-copy-curl",
         "plugins/action-copy-grpcurl",
@@ -3922,13 +3922,6 @@
         "@types/react": "*"
       }
     },
-    "node_modules/@types/shell-quote": {
-      "version": "1.7.5",
-      "resolved": "https://registry.npmjs.org/@types/shell-quote/-/shell-quote-1.7.5.tgz",
-      "integrity": "sha512-+UE8GAGRPbJVQDdxi16dgadcBfQ+KG2vgZhV1+3A1XmHbmwcdwhCUwIdy+d3pAGrbvgRoVSjeI9vOWyq376Yzw==",
-      "dev": true,
-      "license": "MIT"
-    },
     "node_modules/@types/unist": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/@types/unist/-/unist-3.0.3.tgz",
@@ -4160,6 +4153,10 @@
       "resolved": "plugins/auth-oauth2",
       "link": true
     },
+    "node_modules/@yaak/faker": {
+      "resolved": "plugins/template-function-faker",
+      "link": true
+    },
     "node_modules/@yaak/filter-jsonpath": {
       "resolved": "plugins/filter-jsonpath",
       "link": true
@@ -13405,6 +13402,7 @@
       "version": "1.8.3",
       "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
       "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">= 0.4"
@@ -13413,6 +13411,12 @@
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/shlex": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/shlex/-/shlex-3.0.0.tgz",
+      "integrity": "sha512-jHPXQQk9d/QXCvJuLPYMOYWez3c43sORAgcIEoV7bFv5AJSJRAOyw5lQO12PMfd385qiLRCaDt7OtEzgrIGZUA==",
+      "license": "MIT"
+    },
     "node_modules/should": {
       "version": "13.2.3",
       "resolved": "https://registry.npmjs.org/should/-/should-13.2.3.tgz",
@@ -15955,7 +15959,7 @@
     },
     "plugins-external/httpsnippet": {
       "name": "@yaak/httpsnippet",
-      "version": "1.0.0",
+      "version": "1.0.3",
       "dependencies": {
         "@readme/httpsnippet": "^11.0.0"
       },
@@ -15983,7 +15987,7 @@
     },
     "plugins-external/mcp-server": {
       "name": "@yaak/mcp-server",
-      "version": "0.1.7",
+      "version": "0.2.1",
       "dependencies": {
         "@hono/mcp": "^0.2.3",
         "@hono/node-server": "^1.19.7",
@@ -16058,6 +16062,18 @@
       "name": "@yaak/auth-oauth2",
       "version": "0.1.0"
     },
+    "plugins/faker": {
+      "name": "@yaak/faker",
+      "version": "1.1.1",
+      "extraneous": true,
+      "dependencies": {
+        "@faker-js/faker": "^10.1.0"
+      },
+      "devDependencies": {
+        "@types/node": "^25.0.3",
+        "typescript": "^5.9.3"
+      }
+    },
     "plugins/filter-jsonpath": {
       "name": "@yaak/filter-jsonpath",
       "version": "0.1.0",
@@ -16080,10 +16096,7 @@
       "name": "@yaak/importer-curl",
       "version": "0.1.0",
       "dependencies": {
-        "shell-quote": "^1.8.1"
-      },
-      "devDependencies": {
-        "@types/shell-quote": "^1.7.5"
+        "shlex": "^3.0.0"
       }
     },
     "plugins/importer-insomnia": {
@@ -16138,6 +16151,33 @@
       "name": "@yaak/template-function-encode",
       "version": "0.1.0"
     },
+    "plugins/template-function-faker": {
+      "name": "@yaak/faker",
+      "version": "1.1.1",
+      "dependencies": {
+        "@faker-js/faker": "^10.1.0"
+      },
+      "devDependencies": {
+        "@types/node": "^25.0.3",
+        "typescript": "^5.9.3"
+      }
+    },
+    "plugins/template-function-faker/node_modules/@faker-js/faker": {
+      "version": "10.3.0",
+      "resolved": "https://registry.npmjs.org/@faker-js/faker/-/faker-10.3.0.tgz",
+      "integrity": "sha512-It0Sne6P3szg7JIi6CgKbvTZoMjxBZhcv91ZrqrNuaZQfB5WoqYYbzCUOq89YR+VY8juY9M1vDWmDDa2TzfXCw==",
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fakerjs"
+        }
+      ],
+      "license": "MIT",
+      "engines": {
+        "node": "^20.19.0 || ^22.13.0 || ^23.5.0 || >=24.0.0",
+        "npm": ">=10"
+      }
+    },
     "plugins/template-function-fs": {
       "name": "@yaak/template-function-fs",
       "version": "0.1.0"

package.json

@@ -11,7 +11,7 @@
     "packages/plugin-runtime",
     "packages/plugin-runtime-types",
     "plugins-external/mcp-server",
-    "plugins-external/template-function-faker",
+    "plugins/template-function-faker",
     "plugins-external/httpsnippet",
     "plugins/action-copy-curl",
     "plugins/action-copy-grpcurl",

plugins-external/faker/tests/init.test.ts

@@ -1,9 +0,0 @@
-import { describe, expect, it } from 'vitest';
-
-describe('formatDatetime', () => {
-  it('returns formatted current date', async () => {
-    // Ensure the plugin imports properly
-    const faker = await import('../src/index');
-    expect(faker.plugin.templateFunctions?.length).toBe(226);
-  });
-});

plugins/importer-curl/package.json

@@ -10,9 +10,6 @@
     "test": "vitest --run tests"
   },
   "dependencies": {
-    "shell-quote": "^1.8.1"
-  },
-  "devDependencies": {
-    "@types/shell-quote": "^1.7.5"
+    "shlex": "^3.0.0"
   }
 }

plugins/importer-curl/src/index.ts

@@ -7,8 +7,7 @@ import type {
   PluginDefinition,
   Workspace,
 } from '@yaakapp/api';
-import type { ControlOperator, ParseEntry } from 'shell-quote';
-import { parse } from 'shell-quote';
+import { split } from 'shlex';
 
 type AtLeast<T, K extends keyof T> = Partial<T> & Pick<T, K>;
 
@@ -56,31 +55,89 @@ export const plugin: PluginDefinition = {
 };
 
 /**
- * Decodes escape sequences in shell $'...' strings
- * Handles Unicode escape sequences (\uXXXX) and common escape codes
+ * Splits raw input into individual shell command strings.
+ * Handles line continuations, semicolons, and newline-separated curl commands.
  */
-function decodeShellString(str: string): string {
-  return str
-    .replace(/\\u([0-9a-fA-F]{4})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
-    .replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)))
-    .replace(/\\n/g, '\n')
-    .replace(/\\r/g, '\r')
-    .replace(/\\t/g, '\t')
-    .replace(/\\'/g, "'")
-    .replace(/\\"/g, '"')
-    .replace(/\\\\/g, '\\');
-}
+function splitCommands(rawData: string): string[] {
+  // Join line continuations (backslash-newline, and backslash-CRLF for Windows)
+  const joined = rawData.replace(/\\\r?\n/g, ' ');
 
-/**
- * Checks if a string might contain escape sequences that need decoding
- * If so, decodes them; otherwise returns the string as-is
- */
-function maybeDecodeEscapeSequences(str: string): string {
-  // Check if the string contains escape sequences that shell-quote might not handle
-  if (str.includes('\\u') || str.includes('\\x')) {
-    return decodeShellString(str);
+  // Count consecutive backslashes immediately before position i.
+  // An even count means the quote at i is NOT escaped; odd means it IS escaped.
+  function isEscaped(i: number): boolean {
+    let backslashes = 0;
+    let j = i - 1;
+    while (j >= 0 && joined[j] === '\\') {
+      backslashes++;
+      j--;
+    }
+    return backslashes % 2 !== 0;
   }
-  return str;
+
+  // Split on semicolons and newlines to separate commands
+  const commands: string[] = [];
+  let current = '';
+  let inSingleQuote = false;
+  let inDoubleQuote = false;
+  let inDollarQuote = false;
+
+  for (let i = 0; i < joined.length; i++) {
+    const ch = joined[i]!;
+    const next = joined[i + 1];
+
+    // Track quoting state to avoid splitting inside quoted strings
+    if (!inDoubleQuote && !inDollarQuote && ch === "'" && !inSingleQuote) {
+      inSingleQuote = true;
+      current += ch;
+      continue;
+    }
+    if (inSingleQuote && ch === "'") {
+      inSingleQuote = false;
+      current += ch;
+      continue;
+    }
+    if (!inSingleQuote && !inDollarQuote && ch === '"' && !inDoubleQuote) {
+      inDoubleQuote = true;
+      current += ch;
+      continue;
+    }
+    if (inDoubleQuote && ch === '"' && !isEscaped(i)) {
+      inDoubleQuote = false;
+      current += ch;
+      continue;
+    }
+    if (!inSingleQuote && !inDoubleQuote && !inDollarQuote && ch === '$' && next === "'") {
+      inDollarQuote = true;
+      current += ch + next;
+      i++; // Skip the opening quote
+      continue;
+    }
+    if (inDollarQuote && ch === "'" && !isEscaped(i)) {
+      inDollarQuote = false;
+      current += ch;
+      continue;
+    }
+
+    const inQuote = inSingleQuote || inDoubleQuote || inDollarQuote;
+
+    // Split on ;, newline, or CRLF when not inside quotes and not escaped
+    if (!inQuote && !isEscaped(i) && (ch === ';' || ch === '\n' || (ch === '\r' && next === '\n'))) {
+      if (ch === '\r') i++; // Skip the \n in \r\n
+      if (current.trim()) {
+        commands.push(current.trim());
+      }
+      current = '';
+      continue;
+    }
+
+    current += ch;
+  }
+
+  if (current.trim()) {
+    commands.push(current.trim());
+  }
+
+  return commands;
 }
 
 export function convertCurl(rawData: string) {
@@ -88,68 +145,17 @@ export function convertCurl(rawData: string) {
     return null;
   }
 
-  const commands: ParseEntry[][] = [];
+  const commands: string[][] = splitCommands(rawData).map((cmd) => {
+    const tokens = split(cmd);
 
-  // Replace non-escaped newlines with semicolons to make parsing easier
-  // NOTE: This is really slow in debug build but fast in release mode
-  const normalizedData = rawData.replace(/\ncurl/g, '; curl');
-
-  let currentCommand: ParseEntry[] = [];
-
-  const parsed = parse(normalizedData);
-
-  // Break up `-XPOST` into `-X POST`
-  const normalizedParseEntries = parsed.flatMap((entry) => {
-    if (
-      typeof entry === 'string' &&
-      entry.startsWith('-') &&
-      !entry.startsWith('--') &&
-      entry.length > 2
-    ) {
-      return [entry.slice(0, 2), entry.slice(2)];
-    }
-    return entry;
-  });
-
-  for (const parseEntry of normalizedParseEntries) {
-    if (typeof parseEntry === 'string') {
-      if (parseEntry.startsWith('$')) {
-        // Handle $'...' strings from shell-quote - decode escape sequences
-        currentCommand.push(decodeShellString(parseEntry.slice(1)));
-      } else {
-        // Decode escape sequences that shell-quote might not handle
-        currentCommand.push(maybeDecodeEscapeSequences(parseEntry));
+    // Break up squished arguments like `-XPOST` into `-X POST`
+    return tokens.flatMap((token) => {
+      if (token.startsWith('-') && !token.startsWith('--') && token.length > 2) {
+        return [token.slice(0, 2), token.slice(2)];
       }
-      continue;
-    }
-
-    if ('comment' in parseEntry) {
-      continue;
-    }
-
-    const { op } = parseEntry as { op: 'glob'; pattern: string } | { op: ControlOperator };
-
-    // `;` separates commands
-    if (op === ';') {
-      commands.push(currentCommand);
-      currentCommand = [];
-      continue;
-    }
-
-    if (op?.startsWith('$')) {
-      // Handle the case where literal like -H $'Header: \'Some Quoted Thing\''
-      const str = decodeShellString(op.slice(2, op.length - 1));
-
-      currentCommand.push(str);
-      continue;
-    }
-
-    if (op === 'glob') {
-      currentCommand.push((parseEntry as { op: 'glob'; pattern: string }).pattern);
-    }
-  }
-
-  commands.push(currentCommand);
+      return token;
+    });
+  });
 
   const workspace: ExportResources['workspaces'][0] = {
     model: 'workspace',
@@ -169,12 +175,12 @@ export function convertCurl(rawData: string) {
   };
 }
 
-function importCommand(parseEntries: ParseEntry[], workspaceId: string) {
+function importCommand(parseEntries: string[], workspaceId: string) {
   // ~~~~~~~~~~~~~~~~~~~~~ //
   // Collect all the flags //
   // ~~~~~~~~~~~~~~~~~~~~~ //
   const flagsByName: FlagsByName = {};
-  const singletons: ParseEntry[] = [];
+  const singletons: string[] = [];
 
   // Start at 1 so we can skip the ^curl part
   for (let i = 1; i < parseEntries.length; i++) {

plugins/importer-curl/tests/index.test.ts

@@ -112,9 +112,28 @@ describe('importer-curl', () => {
     });
   });
 
+  test('Imports with Windows CRLF line endings', () => {
+    expect(
+      convertCurl('curl \\\r\n  -X POST \\\r\n  https://yaak.app'),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({ url: 'https://yaak.app', method: 'POST' }),
+        ],
+      },
+    });
+  });
+
+  test('Throws on malformed quotes', () => {
+    expect(() =>
+      convertCurl('curl -X POST -F "a=aaa" -F b=bbb" https://yaak.app'),
+    ).toThrow();
+  });
+
   test('Imports form data', () => {
     expect(
-      convertCurl('curl -X POST -F "a=aaa" -F b=bbb" -F f=@filepath https://yaak.app'),
+      convertCurl('curl -X POST -F "a=aaa" -F b=bbb -F f=@filepath https://yaak.app'),
     ).toEqual({
       resources: {
         workspaces: [baseWorkspace()],
@@ -476,6 +495,130 @@ describe('importer-curl', () => {
     });
   });
 
+  test('Imports JSON body with newlines in $quotes', () => {
+    expect(
+      convertCurl(
+        `curl 'https://yaak.app' -H 'Content-Type: application/json' --data-raw $'{\\n  "foo": "bar",\\n  "baz": "qux"\\n}' -X POST`,
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            method: 'POST',
+            headers: [{ name: 'Content-Type', value: 'application/json', enabled: true }],
+            bodyType: 'application/json',
+            body: { text: '{\n  "foo": "bar",\n  "baz": "qux"\n}' },
+          }),
+        ],
+      },
+    });
+  });
+
+  test('Handles double-quoted string ending with even backslashes before semicolon', () => {
+    // "C:\\" has two backslashes which escape each other, so the closing " is real.
+    // The ; after should split into a second command.
+    expect(
+      convertCurl(
+        'curl -d "C:\\\\" https://yaak.app;curl https://example.com',
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            method: 'POST',
+            bodyType: 'application/x-www-form-urlencoded',
+            body: {
+              form: [{ name: 'C:\\', value: '', enabled: true }],
+            },
+            headers: [
+              {
+                name: 'Content-Type',
+                value: 'application/x-www-form-urlencoded',
+                enabled: true,
+              },
+            ],
+          }),
+          baseRequest({ url: 'https://example.com' }),
+        ],
+      },
+    });
+  });
+
+  test('Handles $quoted string ending with a literal backslash before semicolon', () => {
+    // $'C:\\\\' has two backslashes which become one literal backslash.
+    // The closing ' must not be misinterpreted as escaped.
+    // The ; after should split into a second command.
+    expect(
+      convertCurl(
+        "curl -d $'C:\\\\' https://yaak.app;curl https://example.com",
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            method: 'POST',
+            bodyType: 'application/x-www-form-urlencoded',
+            body: {
+              form: [{ name: 'C:\\', value: '', enabled: true }],
+            },
+            headers: [
+              {
+                name: 'Content-Type',
+                value: 'application/x-www-form-urlencoded',
+                enabled: true,
+              },
+            ],
+          }),
+          baseRequest({ url: 'https://example.com' }),
+        ],
+      },
+    });
+  });
+
+  test('Imports $quoted header with escaped single quotes', () => {
+    expect(
+      convertCurl(
+        `curl https://yaak.app -H $'X-Custom: it\\'s a test'`,
+      ),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            headers: [{ name: 'X-Custom', value: "it's a test", enabled: true }],
+          }),
+        ],
+      },
+    });
+  });
+
+  test('Does not split on escaped semicolon outside quotes', () => {
+    // In shell, \; is a literal semicolon and should not split commands.
+    // This should be treated as a single curl command with the URL "https://yaak.app?a=1;b=2"
+    expect(
+      convertCurl('curl https://yaak.app?a=1\\;b=2'),
+    ).toEqual({
+      resources: {
+        workspaces: [baseWorkspace()],
+        httpRequests: [
+          baseRequest({
+            url: 'https://yaak.app',
+            urlParameters: [
+              { name: 'a', value: '1;b=2', enabled: true },
+            ],
+          }),
+        ],
+      },
+    });
+  });
+
   test('Imports multipart form data with text-only fields from --data-raw', () => {
     const curlCommand = `curl 'http://example.com/api' \
   -H 'Content-Type: multipart/form-data; boundary=----FormBoundary123' \

plugins/template-function-faker/package.json

@@ -7,7 +7,7 @@
   "repository": {
     "type": "git",
     "url": "https://github.com/mountain-loop/yaak.git",
-    "directory": "plugins-external/faker"
+    "directory": "plugins/template-function-faker"
   },
   "scripts": {
     "build": "yaakcli build",

plugins/template-function-faker/tests/__snapshots__/init.test.ts.snap

@@ -0,0 +1,233 @@
+// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html
+
+exports[`template-function-faker > exports all expected template functions 1`] = `
+[
+  "faker.airline.aircraftType",
+  "faker.airline.airline",
+  "faker.airline.airplane",
+  "faker.airline.airport",
+  "faker.airline.flightNumber",
+  "faker.airline.recordLocator",
+  "faker.airline.seat",
+  "faker.animal.bear",
+  "faker.animal.bird",
+  "faker.animal.cat",
+  "faker.animal.cetacean",
+  "faker.animal.cow",
+  "faker.animal.crocodilia",
+  "faker.animal.dog",
+  "faker.animal.fish",
+  "faker.animal.horse",
+  "faker.animal.insect",
+  "faker.animal.lion",
+  "faker.animal.petName",
+  "faker.animal.rabbit",
+  "faker.animal.rodent",
+  "faker.animal.snake",
+  "faker.animal.type",
+  "faker.color.cmyk",
+  "faker.color.colorByCSSColorSpace",
+  "faker.color.cssSupportedFunction",
+  "faker.color.cssSupportedSpace",
+  "faker.color.hsl",
+  "faker.color.human",
+  "faker.color.hwb",
+  "faker.color.lab",
+  "faker.color.lch",
+  "faker.color.rgb",
+  "faker.color.space",
+  "faker.commerce.department",
+  "faker.commerce.isbn",
+  "faker.commerce.price",
+  "faker.commerce.product",
+  "faker.commerce.productAdjective",
+  "faker.commerce.productDescription",
+  "faker.commerce.productMaterial",
+  "faker.commerce.productName",
+  "faker.commerce.upc",
+  "faker.company.buzzAdjective",
+  "faker.company.buzzNoun",
+  "faker.company.buzzPhrase",
+  "faker.company.buzzVerb",
+  "faker.company.catchPhrase",
+  "faker.company.catchPhraseAdjective",
+  "faker.company.catchPhraseDescriptor",
+  "faker.company.catchPhraseNoun",
+  "faker.company.name",
+  "faker.database.collation",
+  "faker.database.column",
+  "faker.database.engine",
+  "faker.database.mongodbObjectId",
+  "faker.database.type",
+  "faker.date.anytime",
+  "faker.date.between",
+  "faker.date.betweens",
+  "faker.date.birthdate",
+  "faker.date.future",
+  "faker.date.month",
+  "faker.date.past",
+  "faker.date.recent",
+  "faker.date.soon",
+  "faker.date.timeZone",
+  "faker.date.weekday",
+  "faker.finance.accountName",
+  "faker.finance.accountNumber",
+  "faker.finance.amount",
+  "faker.finance.bic",
+  "faker.finance.bitcoinAddress",
+  "faker.finance.creditCardCVV",
+  "faker.finance.creditCardIssuer",
+  "faker.finance.creditCardNumber",
+  "faker.finance.currency",
+  "faker.finance.currencyCode",
+  "faker.finance.currencyName",
+  "faker.finance.currencyNumericCode",
+  "faker.finance.currencySymbol",
+  "faker.finance.ethereumAddress",
+  "faker.finance.iban",
+  "faker.finance.litecoinAddress",
+  "faker.finance.pin",
+  "faker.finance.routingNumber",
+  "faker.finance.transactionDescription",
+  "faker.finance.transactionType",
+  "faker.git.branch",
+  "faker.git.commitDate",
+  "faker.git.commitEntry",
+  "faker.git.commitMessage",
+  "faker.git.commitSha",
+  "faker.hacker.abbreviation",
+  "faker.hacker.adjective",
+  "faker.hacker.ingverb",
+  "faker.hacker.noun",
+  "faker.hacker.phrase",
+  "faker.hacker.verb",
+  "faker.image.avatar",
+  "faker.image.avatarGitHub",
+  "faker.image.dataUri",
+  "faker.image.personPortrait",
+  "faker.image.url",
+  "faker.image.urlLoremFlickr",
+  "faker.image.urlPicsumPhotos",
+  "faker.internet.displayName",
+  "faker.internet.domainName",
+  "faker.internet.domainSuffix",
+  "faker.internet.domainWord",
+  "faker.internet.email",
+  "faker.internet.emoji",
+  "faker.internet.exampleEmail",
+  "faker.internet.httpMethod",
+  "faker.internet.httpStatusCode",
+  "faker.internet.ip",
+  "faker.internet.ipv4",
+  "faker.internet.ipv6",
+  "faker.internet.jwt",
+  "faker.internet.jwtAlgorithm",
+  "faker.internet.mac",
+  "faker.internet.password",
+  "faker.internet.port",
+  "faker.internet.protocol",
+  "faker.internet.url",
+  "faker.internet.userAgent",
+  "faker.internet.username",
+  "faker.location.buildingNumber",
+  "faker.location.cardinalDirection",
+  "faker.location.city",
+  "faker.location.continent",
+  "faker.location.country",
+  "faker.location.countryCode",
+  "faker.location.county",
+  "faker.location.direction",
+  "faker.location.language",
+  "faker.location.latitude",
+  "faker.location.longitude",
+  "faker.location.nearbyGPSCoordinate",
+  "faker.location.ordinalDirection",
+  "faker.location.secondaryAddress",
+  "faker.location.state",
+  "faker.location.street",
+  "faker.location.streetAddress",
+  "faker.location.timeZone",
+  "faker.location.zipCode",
+  "faker.lorem.lines",
+  "faker.lorem.paragraph",
+  "faker.lorem.paragraphs",
+  "faker.lorem.sentence",
+  "faker.lorem.sentences",
+  "faker.lorem.slug",
+  "faker.lorem.text",
+  "faker.lorem.word",
+  "faker.lorem.words",
+  "faker.music.album",
+  "faker.music.artist",
+  "faker.music.genre",
+  "faker.music.songName",
+  "faker.number.bigInt",
+  "faker.number.binary",
+  "faker.number.float",
+  "faker.number.hex",
+  "faker.number.int",
+  "faker.number.octal",
+  "faker.number.romanNumeral",
+  "faker.person.bio",
+  "faker.person.firstName",
+  "faker.person.fullName",
+  "faker.person.gender",
+  "faker.person.jobArea",
+  "faker.person.jobDescriptor",
+  "faker.person.jobTitle",
+  "faker.person.jobType",
+  "faker.person.lastName",
+  "faker.person.middleName",
+  "faker.person.prefix",
+  "faker.person.sex",
+  "faker.person.sexType",
+  "faker.person.suffix",
+  "faker.person.zodiacSign",
+  "faker.phone.imei",
+  "faker.phone.number",
+  "faker.science.chemicalElement",
+  "faker.science.unit",
+  "faker.string.alpha",
+  "faker.string.alphanumeric",
+  "faker.string.binary",
+  "faker.string.fromCharacters",
+  "faker.string.hexadecimal",
+  "faker.string.nanoid",
+  "faker.string.numeric",
+  "faker.string.octal",
+  "faker.string.sample",
+  "faker.string.symbol",
+  "faker.string.ulid",
+  "faker.string.uuid",
+  "faker.system.commonFileExt",
+  "faker.system.commonFileName",
+  "faker.system.commonFileType",
+  "faker.system.cron",
+  "faker.system.directoryPath",
+  "faker.system.fileExt",
+  "faker.system.fileName",
+  "faker.system.filePath",
+  "faker.system.fileType",
+  "faker.system.mimeType",
+  "faker.system.networkInterface",
+  "faker.system.semver",
+  "faker.vehicle.bicycle",
+  "faker.vehicle.color",
+  "faker.vehicle.fuel",
+  "faker.vehicle.manufacturer",
+  "faker.vehicle.model",
+  "faker.vehicle.type",
+  "faker.vehicle.vehicle",
+  "faker.vehicle.vin",
+  "faker.vehicle.vrm",
+  "faker.word.adjective",
+  "faker.word.adverb",
+  "faker.word.conjunction",
+  "faker.word.interjection",
+  "faker.word.noun",
+  "faker.word.preposition",
+  "faker.word.sample",
+  "faker.word.verb",
+  "faker.word.words",
+]
+`;

plugins/template-function-faker/tests/init.test.ts

@@ -0,0 +1,12 @@
+import { describe, expect, it } from 'vitest';
+
+describe('template-function-faker', () => {
+  it('exports all expected template functions', async () => {
+    const { plugin } = await import('../src/index');
+    const names = plugin.templateFunctions?.map((fn) => fn.name).sort() ?? [];
+
+    // Snapshot the full list of exported function names so we catch any
+    // accidental additions, removals, or renames across faker upgrades.
+    expect(names).toMatchSnapshot();
+  });
+});