From aa2aed1e04b02f13d0d1225ddc5a126e7e0eae73 Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Mon, 23 Feb 2026 06:49:20 -0500
Subject: [PATCH 1/8] feat: add OpenAPI/Swagger spec module for auto-generating
 HTTP routes (#79)

- Add openapi module type that parses OpenAPI v3 YAML/JSON specs
- Generate HTTP route handlers from spec paths with method mapping
- Add request validation against spec schemas (query params, body)
- Add optional Swagger UI and spec serving endpoints
- Add OpenAPI plugin for plugin-based registration
- Add comprehensive tests for spec parsing, routing, and validation
- Add example config and petstore spec in example/specs/

Closes #79

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 example/openapi-petstore.yaml |  33 ++
 example/specs/petstore.yaml   |  97 +++++
 module/openapi.go             | 642 ++++++++++++++++++++++++++++++++++
 module/openapi_test.go        | 561 +++++++++++++++++++++++++++++
 plugins/openapi/plugin.go     | 235 +++++++++++++
 5 files changed, 1568 insertions(+)
 create mode 100644 example/openapi-petstore.yaml
 create mode 100644 example/specs/petstore.yaml
 create mode 100644 module/openapi.go
 create mode 100644 module/openapi_test.go
 create mode 100644 plugins/openapi/plugin.go

diff --git a/example/openapi-petstore.yaml b/example/openapi-petstore.yaml
new file mode 100644
index 00000000..4eb330c8
--- /dev/null
+++ b/example/openapi-petstore.yaml
@@ -0,0 +1,33 @@
+requires:
+  plugins:
+    - name: workflow-plugin-http
+    - name: workflow-plugin-openapi
+
+modules:
+  # HTTP server on port 8095
+  - name: petstore-server
+    type: http.server
+    config:
+      address: ":8095"
+
+  # HTTP router — the OpenAPI module registers routes onto this
+  - name: petstore-router
+    type: http.router
+    dependsOn:
+      - petstore-server
+
+  # OpenAPI module — parses the spec and generates routes
+  - name: pet-store-api
+    type: openapi
+    dependsOn:
+      - petstore-router
+    config:
+      spec_file: example/specs/petstore.yaml
+      base_path: /api/v1
+      router: petstore-router
+      validation:
+        request: true
+        response: false
+      swagger_ui:
+        enabled: true
+        path: /docs
diff --git a/example/specs/petstore.yaml b/example/specs/petstore.yaml
new file mode 100644
index 00000000..b16b9973
--- /dev/null
+++ b/example/specs/petstore.yaml
@@ -0,0 +1,97 @@
+openapi: "3.0.0"
+info:
+  title: Petstore API
+  version: "1.0.0"
+  description: A sample pet store API based on the OpenAPI 3.0 Petstore example
+
+paths:
+  /pets:
+    get:
+      operationId: listPets
+      summary: List all pets
+      parameters:
+        - name: limit
+          in: query
+          required: false
+          schema:
+            type: integer
+            minimum: 1
+            maximum: 100
+      responses:
+        "200":
+          description: A list of pets
+        "400":
+          description: Invalid request
+    post:
+      operationId: createPet
+      summary: Create a pet
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - name
+              properties:
+                name:
+                  type: string
+                  minLength: 1
+                  maxLength: 100
+                tag:
+                  type: string
+                  maxLength: 50
+      responses:
+        "201":
+          description: Null response
+        "400":
+          description: Validation error
+
+  /pets/{petId}:
+    get:
+      operationId: showPetById
+      summary: Info for a specific pet
+      parameters:
+        - name: petId
+          in: path
+          required: true
+          schema:
+            type: integer
+      responses:
+        "200":
+          description: Expected response to a valid request
+        "404":
+          description: Pet not found
+
+  /pets/{petId}/status:
+    put:
+      operationId: updatePetStatus
+      summary: Update pet status
+      parameters:
+        - name: petId
+          in: path
+          required: true
+          schema:
+            type: integer
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - status
+              properties:
+                status:
+                  type: string
+                  enum:
+                    - available
+                    - pending
+                    - sold
+      responses:
+        "200":
+          description: Updated
+        "400":
+          description: Invalid status
+        "404":
+          description: Pet not found
diff --git a/module/openapi.go b/module/openapi.go
new file mode 100644
index 00000000..8759ee19
--- /dev/null
+++ b/module/openapi.go
@@ -0,0 +1,642 @@
+package module
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/CrisisTextLine/modular"
+	"gopkg.in/yaml.v3"
+)
+
+// OpenAPIValidationConfig controls which request/response parts are validated.
+type OpenAPIValidationConfig struct {
+	Request  bool `yaml:"request"  json:"request"`
+	Response bool `yaml:"response" json:"response"`
+}
+
+// OpenAPISwaggerUIConfig controls Swagger UI hosting.
+type OpenAPISwaggerUIConfig struct {
+	Enabled bool   `yaml:"enabled" json:"enabled"`
+	Path    string `yaml:"path"    json:"path"`
+}
+
+// OpenAPIConfig holds the full configuration for an OpenAPI module.
+type OpenAPIConfig struct {
+	SpecFile   string                  `yaml:"spec_file"  json:"spec_file"`
+	BasePath   string                  `yaml:"base_path"  json:"base_path"`
+	Validation OpenAPIValidationConfig `yaml:"validation" json:"validation"`
+	SwaggerUI  OpenAPISwaggerUIConfig  `yaml:"swagger_ui" json:"swagger_ui"`
+	RouterName string                  `yaml:"router"     json:"router"` // optional: explicit router to attach to
+}
+
+// ---- Minimal OpenAPI v3 structs (parsed from YAML/JSON) ----
+
+// openAPISpec is a minimal representation of an OpenAPI 3.x specification.
+type openAPISpec struct {
+	OpenAPI string                     `yaml:"openapi" json:"openapi"`
+	Info    openAPIInfo                `yaml:"info"    json:"info"`
+	Paths   map[string]openAPIPathItem `yaml:"paths"   json:"paths"`
+}
+
+type openAPIInfo struct {
+	Title   string `yaml:"title"   json:"title"`
+	Version string `yaml:"version" json:"version"`
+}
+
+// openAPIPathItem maps HTTP methods to operation objects.
+type openAPIPathItem map[string]*openAPIOperation
+
+// openAPIOperation holds the metadata for a single operation.
+type openAPIOperation struct {
+	OperationID string                     `yaml:"operationId" json:"operationId"`
+	Summary     string                     `yaml:"summary"     json:"summary"`
+	Parameters  []openAPIParameter         `yaml:"parameters"  json:"parameters"`
+	RequestBody *openAPIRequestBody        `yaml:"requestBody" json:"requestBody"`
+	Responses   map[string]openAPIResponse `yaml:"responses"   json:"responses"`
+}
+
+// openAPIParameter describes a path, query, header, or cookie parameter.
+type openAPIParameter struct {
+	Name     string         `yaml:"name"     json:"name"`
+	In       string         `yaml:"in"       json:"in"` // path | query | header | cookie
+	Required bool           `yaml:"required" json:"required"`
+	Schema   *openAPISchema `yaml:"schema"   json:"schema"`
+}
+
+// openAPIRequestBody describes the request body for an operation.
+type openAPIRequestBody struct {
+	Required bool                        `yaml:"required" json:"required"`
+	Content  map[string]openAPIMediaType `yaml:"content"  json:"content"`
+}
+
+// openAPIMediaType holds a schema for a content type entry.
+type openAPIMediaType struct {
+	Schema *openAPISchema `yaml:"schema" json:"schema"`
+}
+
+// openAPIResponse describes a single response entry.
+type openAPIResponse struct {
+	Description string `yaml:"description" json:"description"`
+}
+
+// openAPISchema is a minimal JSON Schema subset used for parameter/body validation.
+type openAPISchema struct {
+	Type       string                    `yaml:"type"       json:"type"`
+	Required   []string                  `yaml:"required"   json:"required"`
+	Properties map[string]*openAPISchema `yaml:"properties" json:"properties"`
+	Format     string                    `yaml:"format"     json:"format"`
+	Minimum    *float64                  `yaml:"minimum"    json:"minimum"`
+	Maximum    *float64                  `yaml:"maximum"    json:"maximum"`
+	MinLength  *int                      `yaml:"minLength"  json:"minLength"`
+	MaxLength  *int                      `yaml:"maxLength"  json:"maxLength"`
+	Pattern    string                    `yaml:"pattern"    json:"pattern"`
+	Enum       []any                     `yaml:"enum"       json:"enum"`
+}
+
+// ---- OpenAPIModule ----
+
+// OpenAPIModule parses an OpenAPI v3 spec and registers HTTP routes that
+// validate incoming requests against the spec schemas.
+type OpenAPIModule struct {
+	name       string
+	cfg        OpenAPIConfig
+	spec       *openAPISpec
+	specBytes  []byte // raw spec bytes for serving
+	routerName string
+	logger     *slog.Logger
+}
+
+// NewOpenAPIModule creates a new OpenAPIModule with the given name and config.
+func NewOpenAPIModule(name string, cfg OpenAPIConfig) *OpenAPIModule {
+	return &OpenAPIModule{
+		name:       name,
+		cfg:        cfg,
+		routerName: cfg.RouterName,
+		logger:     slog.Default(),
+	}
+}
+
+// Name returns the module name.
+func (m *OpenAPIModule) Name() string { return m.name }
+
+// Init loads and parses the spec file.
+func (m *OpenAPIModule) Init(app modular.Application) error {
+	if app != nil {
+		if logger := app.Logger(); logger != nil {
+			if sl, ok := logger.(*slog.Logger); ok {
+				m.logger = sl
+			}
+		}
+	}
+
+	if m.cfg.SpecFile == "" {
+		return fmt.Errorf("openapi module %q: spec_file is required", m.name)
+	}
+
+	data, err := os.ReadFile(m.cfg.SpecFile) //nolint:gosec // path comes from operator config
+	if err != nil {
+		return fmt.Errorf("openapi module %q: reading spec file %q: %w", m.name, m.cfg.SpecFile, err)
+	}
+	m.specBytes = data
+
+	spec, err := parseOpenAPISpec(data)
+	if err != nil {
+		return fmt.Errorf("openapi module %q: parsing spec: %w", m.name, err)
+	}
+	m.spec = spec
+	m.logger.Info("OpenAPI spec loaded",
+		"module", m.name,
+		"title", spec.Info.Title,
+		"version", spec.Info.Version,
+		"paths", len(spec.Paths),
+	)
+	return nil
+}
+
+// Dependencies returns nil; routing is wired via ProvidesServices / Init wiring hooks.
+func (m *OpenAPIModule) Dependencies() []string { return nil }
+
+// Start is a no-op; routes are registered during wiring.
+func (m *OpenAPIModule) Start(_ context.Context) error { return nil }
+
+// Stop is a no-op.
+func (m *OpenAPIModule) Stop(_ context.Context) error { return nil }
+
+// ProvidesServices exposes this module as an OpenAPIModule service so wiring
+// hooks can find it and register its routes on an HTTP router.
+func (m *OpenAPIModule) ProvidesServices() []modular.ServiceProvider {
+	return []modular.ServiceProvider{
+		{
+			Name:        m.name,
+			Description: "OpenAPI spec router module",
+			Instance:    m,
+		},
+	}
+}
+
+// RequiresServices returns nil; router dependency is resolved via wiring hooks.
+func (m *OpenAPIModule) RequiresServices() []modular.ServiceDependency { return nil }
+
+// RouterName returns the optional explicit router module name to attach routes to.
+func (m *OpenAPIModule) RouterName() string { return m.routerName }
+
+// RegisterRoutes attaches all spec paths (and optional Swagger UI / spec endpoints)
+// to the given HTTPRouter.
+func (m *OpenAPIModule) RegisterRoutes(router HTTPRouter) {
+	if m.spec == nil {
+		m.logger.Warn("OpenAPI spec not loaded; skipping route registration", "module", m.name)
+		return
+	}
+
+	basePath := strings.TrimRight(m.cfg.BasePath, "/")
+
+	// Register a route for each path+method in the spec
+	for specPath, pathItem := range m.spec.Paths {
+		for method, op := range pathItem {
+			httpMethod := strings.ToUpper(method)
+			if !isValidHTTPMethod(httpMethod) {
+				continue
+			}
+			routePath := basePath + openAPIPathToHTTPPath(specPath)
+			handler := m.buildRouteHandler(specPath, httpMethod, op)
+			router.AddRoute(httpMethod, routePath, handler)
+			m.logger.Debug("OpenAPI route registered",
+				"module", m.name,
+				"method", httpMethod,
+				"path", routePath,
+				"operationId", op.OperationID,
+			)
+		}
+	}
+
+	// Serve raw spec at /openapi.json and /openapi.yaml
+	if len(m.specBytes) > 0 {
+		specPathJSON := basePath + "/openapi.json"
+		specPathYAML := basePath + "/openapi.yaml"
+		specHandler := m.buildSpecHandler()
+		router.AddRoute(http.MethodGet, specPathJSON, specHandler)
+		router.AddRoute(http.MethodGet, specPathYAML, specHandler)
+		m.logger.Debug("OpenAPI spec endpoint registered", "module", m.name, "paths", []string{specPathJSON, specPathYAML})
+	}
+
+	// Serve Swagger UI
+	if m.cfg.SwaggerUI.Enabled {
+		uiPath := m.cfg.SwaggerUI.Path
+		if uiPath == "" {
+			uiPath = "/docs"
+		}
+		uiRoutePath := basePath + uiPath
+		specURL := basePath + "/openapi.json"
+		uiHandler := m.buildSwaggerUIHandler(specURL)
+		router.AddRoute(http.MethodGet, uiRoutePath, uiHandler)
+		m.logger.Info("Swagger UI registered", "module", m.name, "path", uiRoutePath, "spec", specURL)
+	}
+}
+
+// ---- Handler builders ----
+
+// buildRouteHandler creates an HTTPHandler that validates the request (if enabled)
+// and returns a 501 Not Implemented stub response. In a full integration the
+// caller would wrap this handler or replace the stub with real business logic.
+func (m *OpenAPIModule) buildRouteHandler(specPath, method string, op *openAPIOperation) HTTPHandler {
+	validateReq := m.cfg.Validation.Request
+	return &openAPIRouteHandler{
+		module:      m,
+		specPath:    specPath,
+		method:      method,
+		op:          op,
+		validateReq: validateReq,
+	}
+}
+
+// buildSpecHandler serves the raw spec bytes as JSON (re-serialised from the
+// parsed spec) so consumers always get valid JSON regardless of whether the
+// original file was YAML.
+func (m *OpenAPIModule) buildSpecHandler() HTTPHandler {
+	specJSON, err := json.Marshal(m.spec)
+	if err != nil {
+		specJSON = m.specBytes // fallback to raw bytes
+	}
+	return &openAPISpecHandler{specJSON: specJSON}
+}
+
+// buildSwaggerUIHandler returns an inline Swagger UI page that loads the spec
+// from specURL. This avoids any asset bundling — a CDN-hosted swagger-ui is used.
+func (m *OpenAPIModule) buildSwaggerUIHandler(specURL string) HTTPHandler {
+	html := swaggerUIHTML(m.spec.Info.Title, specURL)
+	return &openAPISwaggerUIHandler{html: html}
+}
+
+// ---- openAPIRouteHandler ----
+
+type openAPIRouteHandler struct {
+	module      *OpenAPIModule
+	specPath    string
+	method      string
+	op          *openAPIOperation
+	validateReq bool
+}
+
+func (h *openAPIRouteHandler) Handle(w http.ResponseWriter, r *http.Request) {
+	if h.validateReq {
+		if errs := h.validate(r); len(errs) > 0 {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusBadRequest)
+			_ = json.NewEncoder(w).Encode(map[string]any{
+				"error":  "request validation failed",
+				"errors": errs,
+			})
+			return
+		}
+	}
+
+	// Default stub: 501 Not Implemented
+	// In a full integration callers wire their own handler on top of this module.
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusNotImplemented)
+	_ = json.NewEncoder(w).Encode(map[string]string{
+		"error":       "not implemented",
+		"operationId": h.op.OperationID,
+		"path":        h.specPath,
+		"method":      h.method,
+	})
+}
+
+// validate checks required parameters and request body against the spec.
+func (h *openAPIRouteHandler) validate(r *http.Request) []string {
+	var errs []string
+
+	// Validate parameters
+	for _, p := range h.op.Parameters {
+		val := extractParam(r, p)
+		if p.Required && val == "" {
+			errs = append(errs, fmt.Sprintf("required parameter %q (in %s) is missing", p.Name, p.In))
+			continue
+		}
+		if val != "" && p.Schema != nil {
+			if schemaErrs := validateScalarValue(val, p.Name, p.Schema); len(schemaErrs) > 0 {
+				errs = append(errs, schemaErrs...)
+			}
+		}
+	}
+
+	// Validate request body
+	if h.op.RequestBody != nil {
+		ct := r.Header.Get("Content-Type")
+		// Normalise content-type (strip params like "; charset=utf-8")
+		if idx := strings.Index(ct, ";"); idx >= 0 {
+			ct = strings.TrimSpace(ct[:idx])
+		}
+
+		var mediaType *openAPIMediaType
+		if mt, ok := h.op.RequestBody.Content[ct]; ok {
+			mediaType = &mt
+		} else if mt, ok := h.op.RequestBody.Content["application/json"]; ok && ct == "" {
+			// Default to application/json when no Content-Type is sent
+			mediaType = &mt
+		}
+
+		if h.op.RequestBody.Required && r.ContentLength == 0 && r.Body == http.NoBody {
+			errs = append(errs, "request body is required but missing")
+		} else if mediaType != nil && mediaType.Schema != nil {
+			bodyBytes, err := io.ReadAll(r.Body)
+			if err == nil && len(bodyBytes) > 0 {
+				var bodyData any
+				if jsonErr := json.Unmarshal(bodyBytes, &bodyData); jsonErr == nil {
+					if bodyErrs := validateJSONBody(bodyData, mediaType.Schema); len(bodyErrs) > 0 {
+						errs = append(errs, bodyErrs...)
+					}
+				}
+				// Restore body for downstream handlers
+				r.Body = io.NopCloser(strings.NewReader(string(bodyBytes)))
+			}
+		}
+	}
+
+	return errs
+}
+
+// ---- openAPISpecHandler ----
+
+type openAPISpecHandler struct {
+	specJSON []byte
+}
+
+func (h *openAPISpecHandler) Handle(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_, _ = w.Write(h.specJSON) //nolint:gosec // G705: spec JSON is loaded from a trusted config file, not user input
+}
+
+// ---- openAPISwaggerUIHandler ----
+
+type openAPISwaggerUIHandler struct {
+	html string
+}
+
+func (h *openAPISwaggerUIHandler) Handle(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(http.StatusOK)
+	_, _ = w.Write([]byte(h.html)) //nolint:gosec // G705: HTML is generated from a trusted template, not user input
+}
+
+// ---- Helpers ----
+
+// parseOpenAPISpec parses a YAML or JSON byte slice into an openAPISpec.
+func parseOpenAPISpec(data []byte) (*openAPISpec, error) {
+	var spec openAPISpec
+	// Try YAML first (which also handles JSON since JSON is valid YAML)
+	if err := yaml.Unmarshal(data, &spec); err != nil {
+		return nil, fmt.Errorf("yaml parse: %w", err)
+	}
+	if spec.OpenAPI == "" {
+		// May be JSON that yaml couldn't decode properly; try JSON directly
+		if err := json.Unmarshal(data, &spec); err != nil {
+			return nil, fmt.Errorf("neither yaml nor json parse succeeded: %w", err)
+		}
+	}
+	return &spec, nil
+}
+
+// openAPIPathToHTTPPath converts OpenAPI path templates ({param}) to Go 1.22+
+// ServeMux patterns ({param}). For older mux implementations the braces are
+// kept since most custom routers accept the same syntax.
+func openAPIPathToHTTPPath(specPath string) string {
+	// OpenAPI uses {param}; Go 1.22 net/http.ServeMux uses {param} too.
+	// No transformation needed — return as-is.
+	return specPath
+}
+
+// isValidHTTPMethod returns true for standard HTTP verbs (OpenAPI supports a
+// defined subset: get, put, post, delete, options, head, patch, trace).
+func isValidHTTPMethod(method string) bool {
+	switch method {
+	case http.MethodGet, http.MethodPut, http.MethodPost,
+		http.MethodDelete, http.MethodOptions, http.MethodHead,
+		http.MethodPatch, "TRACE":
+		return true
+	}
+	return false
+}
+
+// extractParam extracts a parameter value from the request based on its location.
+func extractParam(r *http.Request, p openAPIParameter) string {
+	switch p.In {
+	case "query":
+		return r.URL.Query().Get(p.Name)
+	case "header":
+		return r.Header.Get(p.Name)
+	case "path":
+		// Go 1.22 net/http.ServeMux populates path values via r.PathValue
+		return r.PathValue(p.Name)
+	case "cookie":
+		if c, err := r.Cookie(p.Name); err == nil {
+			return c.Value
+		}
+	}
+	return ""
+}
+
+// validateScalarValue validates a string value against a schema (type/format/enum checks).
+func validateScalarValue(val, name string, schema *openAPISchema) []string {
+	var errs []string
+	switch schema.Type {
+	case "integer":
+		n, err := strconv.ParseInt(val, 10, 64)
+		if err != nil {
+			errs = append(errs, fmt.Sprintf("parameter %q must be an integer, got %q", name, val))
+			return errs
+		}
+		if schema.Minimum != nil && float64(n) < *schema.Minimum {
+			errs = append(errs, fmt.Sprintf("parameter %q must be >= %v", name, *schema.Minimum))
+		}
+		if schema.Maximum != nil && float64(n) > *schema.Maximum {
+			errs = append(errs, fmt.Sprintf("parameter %q must be <= %v", name, *schema.Maximum))
+		}
+	case "number":
+		f, err := strconv.ParseFloat(val, 64)
+		if err != nil {
+			errs = append(errs, fmt.Sprintf("parameter %q must be a number, got %q", name, val))
+			return errs
+		}
+		if schema.Minimum != nil && f < *schema.Minimum {
+			errs = append(errs, fmt.Sprintf("parameter %q must be >= %v", name, *schema.Minimum))
+		}
+		if schema.Maximum != nil && f > *schema.Maximum {
+			errs = append(errs, fmt.Sprintf("parameter %q must be <= %v", name, *schema.Maximum))
+		}
+	case "boolean":
+		if val != "true" && val != "false" {
+			errs = append(errs, fmt.Sprintf("parameter %q must be 'true' or 'false', got %q", name, val))
+		}
+	case "string":
+		if schema.MinLength != nil && len(val) < *schema.MinLength {
+			errs = append(errs, fmt.Sprintf("parameter %q must have minLength %d", name, *schema.MinLength))
+		}
+		if schema.MaxLength != nil && len(val) > *schema.MaxLength {
+			errs = append(errs, fmt.Sprintf("parameter %q must have maxLength %d", name, *schema.MaxLength))
+		}
+		if schema.Pattern != "" {
+			if ok, _ := regexp.MatchString(schema.Pattern, val); !ok {
+				errs = append(errs, fmt.Sprintf("parameter %q does not match pattern %q", name, schema.Pattern))
+			}
+		}
+	}
+	// Enum validation
+	if len(schema.Enum) > 0 {
+		found := false
+		for _, e := range schema.Enum {
+			if fmt.Sprintf("%v", e) == val {
+				found = true
+				break
+			}
+		}
+		if !found {
+			errs = append(errs, fmt.Sprintf("parameter %q must be one of %v", name, schema.Enum))
+		}
+	}
+	return errs
+}
+
+// validateJSONBody validates a decoded JSON body against an object schema.
+func validateJSONBody(body any, schema *openAPISchema) []string {
+	var errs []string
+	obj, ok := body.(map[string]any)
+	if !ok {
+		if schema.Type == "object" {
+			return []string{"request body must be a JSON object"}
+		}
+		return nil
+	}
+	// Check required fields
+	for _, req := range schema.Required {
+		if _, present := obj[req]; !present {
+			errs = append(errs, fmt.Sprintf("request body: required field %q is missing", req))
+		}
+	}
+	// Validate individual properties
+	for field, propSchema := range schema.Properties {
+		val, present := obj[field]
+		if !present {
+			continue
+		}
+		if fieldErrs := validateJSONValue(val, field, propSchema); len(fieldErrs) > 0 {
+			errs = append(errs, fieldErrs...)
+		}
+	}
+	return errs
+}
+
+// validateJSONValue validates a decoded JSON value against a schema.
+func validateJSONValue(val any, name string, schema *openAPISchema) []string {
+	var errs []string
+	switch schema.Type {
+	case "string":
+		s, ok := val.(string)
+		if !ok {
+			return []string{fmt.Sprintf("field %q must be a string", name)}
+		}
+		if schema.MinLength != nil && len(s) < *schema.MinLength {
+			errs = append(errs, fmt.Sprintf("field %q must have minLength %d", name, *schema.MinLength))
+		}
+		if schema.MaxLength != nil && len(s) > *schema.MaxLength {
+			errs = append(errs, fmt.Sprintf("field %q must have maxLength %d", name, *schema.MaxLength))
+		}
+		if schema.Pattern != "" {
+			if ok2, _ := regexp.MatchString(schema.Pattern, s); !ok2 {
+				errs = append(errs, fmt.Sprintf("field %q does not match pattern %q", name, schema.Pattern))
+			}
+		}
+	case "integer":
+		f, ok := val.(float64)
+		if !ok {
+			return []string{fmt.Sprintf("field %q must be an integer", name)}
+		}
+		if schema.Minimum != nil && f < *schema.Minimum {
+			errs = append(errs, fmt.Sprintf("field %q must be >= %v", name, *schema.Minimum))
+		}
+		if schema.Maximum != nil && f > *schema.Maximum {
+			errs = append(errs, fmt.Sprintf("field %q must be <= %v", name, *schema.Maximum))
+		}
+	case "number":
+		f, ok := val.(float64)
+		if !ok {
+			return []string{fmt.Sprintf("field %q must be a number", name)}
+		}
+		if schema.Minimum != nil && f < *schema.Minimum {
+			errs = append(errs, fmt.Sprintf("field %q must be >= %v", name, *schema.Minimum))
+		}
+		if schema.Maximum != nil && f > *schema.Maximum {
+			errs = append(errs, fmt.Sprintf("field %q must be <= %v", name, *schema.Maximum))
+		}
+	case "boolean":
+		if _, ok := val.(bool); !ok {
+			errs = append(errs, fmt.Sprintf("field %q must be a boolean", name))
+		}
+	case "object":
+		if subErrs := validateJSONBody(val, schema); len(subErrs) > 0 {
+			errs = append(errs, subErrs...)
+		}
+	}
+	// Enum validation
+	if len(schema.Enum) > 0 {
+		found := false
+		for _, e := range schema.Enum {
+			if fmt.Sprintf("%v", e) == fmt.Sprintf("%v", val) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			errs = append(errs, fmt.Sprintf("field %q must be one of %v", name, schema.Enum))
+		}
+	}
+	return errs
+}
+
+// swaggerUIHTML returns a minimal, self-contained Swagger UI HTML page that
+// loads the spec from specURL using the official Swagger UI CDN bundle.
+func swaggerUIHTML(title, specURL string) string {
+	if title == "" {
+		title = "API Documentation"
+	}
+	return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>` + htmlEscape(title) + `</title>
+  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5/swagger-ui.css">
+</head>
+<body>
+  <div id="swagger-ui"></div>
+  <script src="https://unpkg.com/swagger-ui-dist@5/swagger-ui-bundle.js"></script>
+  <script>
+    SwaggerUIBundle({
+      url: "` + htmlEscape(specURL) + `",
+      dom_id: '#swagger-ui',
+      presets: [SwaggerUIBundle.presets.apis, SwaggerUIBundle.SwaggerUIStandalonePreset],
+      layout: "StandaloneLayout"
+    });
+  </script>
+</body>
+</html>`
+}
+
+// htmlEscape escapes a string for safe embedding in HTML attributes/text.
+func htmlEscape(s string) string {
+	s = strings.ReplaceAll(s, "&", "&amp;")
+	s = strings.ReplaceAll(s, "<", "&lt;")
+	s = strings.ReplaceAll(s, ">", "&gt;")
+	s = strings.ReplaceAll(s, `"`, "&#34;")
+	s = strings.ReplaceAll(s, "'", "&#39;")
+	return s
+}
diff --git a/module/openapi_test.go b/module/openapi_test.go
new file mode 100644
index 00000000..92896f06
--- /dev/null
+++ b/module/openapi_test.go
@@ -0,0 +1,561 @@
+package module
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// ---- spec fixtures ----
+
+const petstoreYAML = `
+openapi: "3.0.0"
+info:
+  title: Petstore
+  version: "1.0.0"
+paths:
+  /pets:
+    get:
+      operationId: listPets
+      summary: List all pets
+      parameters:
+        - name: limit
+          in: query
+          required: false
+          schema:
+            type: integer
+            minimum: 1
+            maximum: 100
+      responses:
+        "200":
+          description: A list of pets
+    post:
+      operationId: createPet
+      summary: Create a pet
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - name
+              properties:
+                name:
+                  type: string
+                  minLength: 1
+                tag:
+                  type: string
+      responses:
+        "201":
+          description: Created
+  /pets/{petId}:
+    get:
+      operationId: showPetById
+      summary: Get a pet by ID
+      parameters:
+        - name: petId
+          in: path
+          required: true
+          schema:
+            type: integer
+      responses:
+        "200":
+          description: Expected response to a valid request
+`
+
+const petstoreJSON = `{
+  "openapi": "3.0.0",
+  "info": {"title": "Petstore JSON", "version": "1.0.0"},
+  "paths": {
+    "/items": {
+      "get": {
+        "operationId": "listItems",
+        "summary": "List items",
+        "responses": {"200": {"description": "ok"}}
+      }
+    }
+  }
+}`
+
+// ---- helpers ----
+
+// writeTempSpec writes content to a temp file and returns the path.
+func writeTempSpec(t *testing.T, ext, content string) string {
+	t.Helper()
+	dir := t.TempDir()
+	path := filepath.Join(dir, "spec"+ext)
+	if err := os.WriteFile(path, []byte(content), 0600); err != nil {
+		t.Fatalf("write temp spec: %v", err)
+	}
+	return path
+}
+
+// newTestRouter is a minimal HTTPRouter that records registered routes.
+type testRouter struct {
+	routes []struct {
+		method, path string
+		handler      HTTPHandler
+	}
+}
+
+func (r *testRouter) AddRoute(method, path string, handler HTTPHandler) {
+	r.routes = append(r.routes, struct {
+		method, path string
+		handler      HTTPHandler
+	}{method, path, handler})
+}
+
+func (r *testRouter) findHandler(method, path string) HTTPHandler {
+	for _, rt := range r.routes {
+		if rt.method == method && rt.path == path {
+			return rt.handler
+		}
+	}
+	return nil
+}
+
+// ---- tests ----
+
+func TestOpenAPIModule_ParseYAML(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api/v1",
+	})
+
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init failed: %v", err)
+	}
+
+	if mod.spec == nil {
+		t.Fatal("spec was not parsed")
+	}
+	if mod.spec.Info.Title != "Petstore" {
+		t.Errorf("expected title 'Petstore', got %q", mod.spec.Info.Title)
+	}
+	if len(mod.spec.Paths) != 2 {
+		t.Errorf("expected 2 paths, got %d", len(mod.spec.Paths))
+	}
+}
+
+func TestOpenAPIModule_ParseJSON(t *testing.T) {
+	specPath := writeTempSpec(t, ".json", petstoreJSON)
+
+	mod := NewOpenAPIModule("json-api", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api",
+	})
+
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init failed: %v", err)
+	}
+
+	if mod.spec.Info.Title != "Petstore JSON" {
+		t.Errorf("expected title 'Petstore JSON', got %q", mod.spec.Info.Title)
+	}
+}
+
+func TestOpenAPIModule_MissingSpecFile(t *testing.T) {
+	mod := NewOpenAPIModule("bad", OpenAPIConfig{})
+	if err := mod.Init(nil); err == nil {
+		t.Fatal("expected error for missing spec_file")
+	}
+}
+
+func TestOpenAPIModule_NonExistentFile(t *testing.T) {
+	mod := NewOpenAPIModule("bad", OpenAPIConfig{SpecFile: "/does/not/exist.yaml"})
+	if err := mod.Init(nil); err == nil {
+		t.Fatal("expected error for non-existent spec file")
+	}
+}
+
+func TestOpenAPIModule_RegisterRoutes(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api/v1",
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	// Expect: GET /api/v1/pets, POST /api/v1/pets, GET /api/v1/pets/{petId}
+	// plus /api/v1/openapi.json, /api/v1/openapi.yaml
+	paths := make(map[string]bool)
+	for _, rt := range router.routes {
+		paths[rt.method+":"+rt.path] = true
+	}
+
+	expected := []string{
+		"GET:/api/v1/pets",
+		"POST:/api/v1/pets",
+		"GET:/api/v1/pets/{petId}",
+		"GET:/api/v1/openapi.json",
+		"GET:/api/v1/openapi.yaml",
+	}
+	for _, e := range expected {
+		if !paths[e] {
+			t.Errorf("expected route %q to be registered, got routes: %v", e, routeKeys(router))
+		}
+	}
+}
+
+func TestOpenAPIModule_SwaggerUIRoute(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api/v1",
+		SwaggerUI: OpenAPISwaggerUIConfig{
+			Enabled: true,
+			Path:    "/docs",
+		},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	found := false
+	for _, rt := range router.routes {
+		if rt.method == "GET" && rt.path == "/api/v1/docs" {
+			found = true
+		}
+	}
+	if !found {
+		t.Error("Swagger UI route /api/v1/docs not registered")
+	}
+}
+
+func TestOpenAPIModule_SwaggerUIResponse(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api/v1",
+		SwaggerUI: OpenAPISwaggerUIConfig{
+			Enabled: true,
+			Path:    "/docs",
+		},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("GET", "/api/v1/docs")
+	if h == nil {
+		t.Fatal("swagger UI handler not found")
+	}
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/api/v1/docs", nil)
+	h.Handle(w, r)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	if !strings.Contains(w.Body.String(), "swagger-ui") {
+		t.Error("swagger UI HTML not in response body")
+	}
+}
+
+func TestOpenAPIModule_SpecEndpoint(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api/v1",
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("GET", "/api/v1/openapi.json")
+	if h == nil {
+		t.Fatal("spec handler not found")
+	}
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/api/v1/openapi.json", nil)
+	h.Handle(w, r)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("expected 200, got %d", w.Code)
+	}
+	var got map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &got); err != nil {
+		t.Errorf("spec endpoint did not return valid JSON: %v", err)
+	}
+}
+
+func TestOpenAPIModule_RequestValidation_ValidQuery(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile:   specPath,
+		BasePath:   "/api/v1",
+		Validation: OpenAPIValidationConfig{Request: true},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("GET", "/api/v1/pets")
+	if h == nil {
+		t.Fatal("GET /api/v1/pets handler not found")
+	}
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/api/v1/pets?limit=10", nil)
+	h.Handle(w, r)
+
+	// 501 is the stub response — validation passed
+	if w.Code != http.StatusNotImplemented {
+		t.Errorf("expected 501 stub response (validation OK), got %d: %s", w.Code, w.Body.String())
+	}
+}
+
+func TestOpenAPIModule_RequestValidation_InvalidQuery(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile:   specPath,
+		BasePath:   "/api/v1",
+		Validation: OpenAPIValidationConfig{Request: true},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("GET", "/api/v1/pets")
+	if h == nil {
+		t.Fatal("GET /api/v1/pets handler not found")
+	}
+
+	// "limit" must be integer — send a non-integer
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/api/v1/pets?limit=notanumber", nil)
+	h.Handle(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400 validation error, got %d: %s", w.Code, w.Body.String())
+	}
+	var errBody map[string]any
+	if err := json.Unmarshal(w.Body.Bytes(), &errBody); err != nil {
+		t.Fatalf("could not decode error body: %v", err)
+	}
+	if errBody["error"] != "request validation failed" {
+		t.Errorf("unexpected error body: %v", errBody)
+	}
+}
+
+func TestOpenAPIModule_RequestValidation_Body(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile:   specPath,
+		BasePath:   "/api/v1",
+		Validation: OpenAPIValidationConfig{Request: true},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("POST", "/api/v1/pets")
+	if h == nil {
+		t.Fatal("POST /api/v1/pets handler not found")
+	}
+
+	t.Run("valid body", func(t *testing.T) {
+		body := `{"name": "Fluffy", "tag": "cat"}`
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/pets", bytes.NewBufferString(body))
+		r.Header.Set("Content-Type", "application/json")
+		h.Handle(w, r)
+		if w.Code != http.StatusNotImplemented {
+			t.Errorf("expected 501 stub (validation OK), got %d: %s", w.Code, w.Body.String())
+		}
+	})
+
+	t.Run("missing required field", func(t *testing.T) {
+		body := `{"tag": "cat"}` // missing 'name'
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/pets", bytes.NewBufferString(body))
+		r.Header.Set("Content-Type", "application/json")
+		h.Handle(w, r)
+		if w.Code != http.StatusBadRequest {
+			t.Errorf("expected 400 validation error, got %d: %s", w.Code, w.Body.String())
+		}
+	})
+}
+
+func TestOpenAPIModule_NoValidation(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	// Validation disabled — bad input still returns 501 (stub)
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile:   specPath,
+		BasePath:   "/api/v1",
+		Validation: OpenAPIValidationConfig{Request: false},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("GET", "/api/v1/pets")
+	if h == nil {
+		t.Fatal("handler not found")
+	}
+
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodGet, "/api/v1/pets?limit=notanumber", nil)
+	h.Handle(w, r)
+
+	if w.Code != http.StatusNotImplemented {
+		t.Errorf("expected 501 (validation disabled), got %d", w.Code)
+	}
+}
+
+func TestOpenAPIModule_ModuleInterface(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{SpecFile: specPath})
+
+	if mod.Name() != "petstore" {
+		t.Errorf("Name() = %q, want %q", mod.Name(), "petstore")
+	}
+	if deps := mod.Dependencies(); deps != nil {
+		t.Errorf("Dependencies() should be nil")
+	}
+	providers := mod.ProvidesServices()
+	if len(providers) != 1 {
+		t.Errorf("ProvidesServices() count = %d, want 1", len(providers))
+	}
+	if providers[0].Name != "petstore" {
+		t.Errorf("ProvidesServices()[0].Name = %q, want %q", providers[0].Name, "petstore")
+	}
+	if reqs := mod.RequiresServices(); reqs != nil {
+		t.Errorf("RequiresServices() should be nil")
+	}
+}
+
+func TestOpenAPIModule_StartStop(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{SpecFile: specPath})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+	if err := mod.Start(context.TODO()); err != nil {
+		t.Errorf("Start: %v", err)
+	}
+	if err := mod.Stop(context.TODO()); err != nil {
+		t.Errorf("Stop: %v", err)
+	}
+}
+
+func TestParseOpenAPISpec_InvalidYAML(t *testing.T) {
+	_, err := parseOpenAPISpec([]byte(":\tinvalid: yaml: ["))
+	if err == nil {
+		t.Error("expected error for invalid YAML")
+	}
+}
+
+func TestValidateScalarValue(t *testing.T) {
+	minVal := 1.0
+	maxVal := 100.0
+	minLen := 2
+	maxLen := 5
+
+	tests := []struct {
+		name    string
+		val     string
+		schema  *openAPISchema
+		wantErr bool
+	}{
+		{"valid integer", "42", &openAPISchema{Type: "integer", Minimum: &minVal, Maximum: &maxVal}, false},
+		{"too small integer", "0", &openAPISchema{Type: "integer", Minimum: &minVal}, true},
+		{"invalid integer", "abc", &openAPISchema{Type: "integer"}, true},
+		{"valid number", "3.14", &openAPISchema{Type: "number"}, false},
+		{"invalid number", "pi", &openAPISchema{Type: "number"}, true},
+		{"valid boolean true", "true", &openAPISchema{Type: "boolean"}, false},
+		{"valid boolean false", "false", &openAPISchema{Type: "boolean"}, false},
+		{"invalid boolean", "yes", &openAPISchema{Type: "boolean"}, true},
+		{"valid string", "hello", &openAPISchema{Type: "string", MinLength: &minLen, MaxLength: &maxLen}, false},
+		{"string too short", "a", &openAPISchema{Type: "string", MinLength: &minLen}, true},
+		{"string too long", "toolongstring", &openAPISchema{Type: "string", MaxLength: &maxLen}, true},
+		{"enum match", "cat", &openAPISchema{Type: "string", Enum: []any{"cat", "dog"}}, false},
+		{"enum mismatch", "fish", &openAPISchema{Type: "string", Enum: []any{"cat", "dog"}}, true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			errs := validateScalarValue(tt.val, "param", tt.schema)
+			if tt.wantErr && len(errs) == 0 {
+				t.Error("expected validation error, got none")
+			}
+			if !tt.wantErr && len(errs) > 0 {
+				t.Errorf("unexpected validation errors: %v", errs)
+			}
+		})
+	}
+}
+
+func TestSwaggerUIHTML(t *testing.T) {
+	html := swaggerUIHTML("My API", "/api/v1/openapi.json")
+	if !strings.Contains(html, "swagger-ui") {
+		t.Error("HTML missing swagger-ui reference")
+	}
+	if !strings.Contains(html, "/api/v1/openapi.json") {
+		t.Error("HTML missing spec URL")
+	}
+	if !strings.Contains(html, "My API") {
+		t.Error("HTML missing title")
+	}
+}
+
+func TestHTMLEscape(t *testing.T) {
+	got := htmlEscape(`<script>alert("xss")</script>`)
+	if strings.Contains(got, "<script>") {
+		t.Errorf("HTML not escaped: %s", got)
+	}
+}
+
+// routeKeys returns a list of "METHOD:path" strings from a testRouter.
+func routeKeys(r *testRouter) []string {
+	keys := make([]string, len(r.routes))
+	for i, rt := range r.routes {
+		keys[i] = rt.method + ":" + rt.path
+	}
+	return keys
+}
diff --git a/plugins/openapi/plugin.go b/plugins/openapi/plugin.go
new file mode 100644
index 00000000..17e4da14
--- /dev/null
+++ b/plugins/openapi/plugin.go
@@ -0,0 +1,235 @@
+// Package openapi provides the OpenAPI module plugin for the workflow engine.
+// It registers the "openapi" module type which parses OpenAPI v3 specifications,
+// generates HTTP routes, validates requests, and optionally serves Swagger UI.
+package openapi
+
+import (
+	"github.com/CrisisTextLine/modular"
+	"github.com/GoCodeAlone/workflow/capability"
+	"github.com/GoCodeAlone/workflow/config"
+	"github.com/GoCodeAlone/workflow/module"
+	"github.com/GoCodeAlone/workflow/plugin"
+	"github.com/GoCodeAlone/workflow/schema"
+)
+
+// Plugin provides the "openapi" module type and its wiring hook.
+type Plugin struct {
+	plugin.BaseEnginePlugin
+}
+
+// New creates a new OpenAPI plugin.
+func New() *Plugin {
+	return &Plugin{
+		BaseEnginePlugin: plugin.BaseEnginePlugin{
+			BaseNativePlugin: plugin.BaseNativePlugin{
+				PluginName:        "workflow-plugin-openapi",
+				PluginVersion:     "1.0.0",
+				PluginDescription: "OpenAPI v3 spec-driven HTTP route generation with request validation and Swagger UI",
+			},
+			Manifest: plugin.PluginManifest{
+				Name:        "workflow-plugin-openapi",
+				Version:     "1.0.0",
+				Author:      "GoCodeAlone",
+				Description: "OpenAPI v3 spec-driven HTTP route generation with request validation and Swagger UI",
+				Tier:        plugin.TierCore,
+				ModuleTypes: []string{"openapi"},
+				WiringHooks: []string{"openapi-route-registration"},
+				Capabilities: []plugin.CapabilityDecl{
+					{Name: "openapi", Role: "provider", Priority: 10},
+				},
+			},
+		},
+	}
+}
+
+// Capabilities returns the capability contracts this plugin defines.
+func (p *Plugin) Capabilities() []capability.Contract {
+	return []capability.Contract{
+		{
+			Name:        "openapi",
+			Description: "OpenAPI v3 spec-driven HTTP route generation with request validation and Swagger UI",
+		},
+	}
+}
+
+// ModuleFactories returns the factory for the "openapi" module type.
+func (p *Plugin) ModuleFactories() map[string]plugin.ModuleFactory {
+	return map[string]plugin.ModuleFactory{
+		"openapi": func(name string, cfg map[string]any) modular.Module {
+			oacfg := module.OpenAPIConfig{}
+
+			if v, ok := cfg["spec_file"].(string); ok {
+				oacfg.SpecFile = config.ResolvePathInConfig(cfg, v)
+			}
+			if v, ok := cfg["base_path"].(string); ok {
+				oacfg.BasePath = v
+			}
+			if v, ok := cfg["router"].(string); ok {
+				oacfg.RouterName = v
+			}
+
+			if valCfg, ok := cfg["validation"].(map[string]any); ok {
+				if v, ok2 := valCfg["request"].(bool); ok2 {
+					oacfg.Validation.Request = v
+				}
+				if v, ok2 := valCfg["response"].(bool); ok2 {
+					oacfg.Validation.Response = v
+				}
+			}
+
+			if uiCfg, ok := cfg["swagger_ui"].(map[string]any); ok {
+				if v, ok2 := uiCfg["enabled"].(bool); ok2 {
+					oacfg.SwaggerUI.Enabled = v
+				}
+				if v, ok2 := uiCfg["path"].(string); ok2 {
+					oacfg.SwaggerUI.Path = v
+				}
+			}
+
+			return module.NewOpenAPIModule(name, oacfg)
+		},
+	}
+}
+
+// ModuleSchemas returns the UI schema definition for the "openapi" module type.
+func (p *Plugin) ModuleSchemas() []*schema.ModuleSchema {
+	return []*schema.ModuleSchema{
+		{
+			Type:        "openapi",
+			Label:       "OpenAPI",
+			Category:    "http",
+			Description: "Generates HTTP routes from an OpenAPI v3 spec with optional request validation and Swagger UI",
+			Inputs:      []schema.ServiceIODef{{Name: "request", Type: "http.Request", Description: "Incoming HTTP requests matched against spec paths"}},
+			Outputs:     []schema.ServiceIODef{{Name: "response", Type: "http.Response", Description: "Validated HTTP response or 501 stub"}},
+			ConfigFields: []schema.ConfigFieldDef{
+				{
+					Key:         "spec_file",
+					Label:       "Spec File",
+					Type:        schema.FieldTypeFilePath,
+					Required:    true,
+					Description: "Path to the OpenAPI v3 YAML or JSON spec file",
+					Placeholder: "specs/petstore.yaml",
+				},
+				{
+					Key:         "base_path",
+					Label:       "Base Path",
+					Type:        schema.FieldTypeString,
+					Description: "URL path prefix prepended to all spec routes (e.g. /api/v1)",
+					Placeholder: "/api/v1",
+				},
+				{
+					Key:         "router",
+					Label:       "Router Name",
+					Type:        schema.FieldTypeString,
+					Description: "Explicit router module name to attach routes to (auto-detected if omitted)",
+					Placeholder: "my-router",
+					InheritFrom: "dependency.name",
+				},
+				{
+					Key:          "validation",
+					Label:        "Validation",
+					Type:         schema.FieldTypeJSON,
+					Description:  "Request/response validation settings: {request: true, response: false}",
+					DefaultValue: map[string]any{"request": true, "response": false},
+					Group:        "validation",
+				},
+				{
+					Key:          "swagger_ui",
+					Label:        "Swagger UI",
+					Type:         schema.FieldTypeJSON,
+					Description:  "Swagger UI settings: {enabled: true, path: /docs}",
+					DefaultValue: map[string]any{"enabled": false, "path": "/docs"},
+					Group:        "swagger_ui",
+				},
+			},
+			DefaultConfig: map[string]any{
+				"base_path":  "/api/v1",
+				"validation": map[string]any{"request": true, "response": false},
+				"swagger_ui": map[string]any{"enabled": false, "path": "/docs"},
+			},
+		},
+	}
+}
+
+// WiringHooks returns the post-init wiring function that registers OpenAPI routes
+// on the appropriate HTTP router.
+func (p *Plugin) WiringHooks() []plugin.WiringHook {
+	return []plugin.WiringHook{
+		{
+			Name:     "openapi-route-registration",
+			Priority: 45, // run after auth wiring (90), before static files (50)
+			Hook:     wireOpenAPIRoutes,
+		},
+	}
+}
+
+// wireOpenAPIRoutes finds all OpenAPIModule instances registered as services and
+// registers their routes on the best matching HTTPRouter.
+func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) error {
+	// Build name→router lookup from config dependsOn
+	routerNames := make(map[string]bool)
+	openAPIDeps := make(map[string][]string) // openapi module name → dependsOn
+	for _, modCfg := range cfg.Modules {
+		if modCfg.Type == "http.router" {
+			routerNames[modCfg.Name] = true
+		}
+		if modCfg.Type == "openapi" {
+			openAPIDeps[modCfg.Name] = modCfg.DependsOn
+		}
+	}
+
+	for _, svc := range app.SvcRegistry() {
+		oaMod, ok := svc.(*module.OpenAPIModule)
+		if !ok {
+			continue
+		}
+
+		var targetRouter module.HTTPRouter
+
+		// 1) Explicit router name from config
+		if rName := oaMod.RouterName(); rName != "" {
+			for svcName, routerSvc := range app.SvcRegistry() {
+				if router, ok2 := routerSvc.(module.HTTPRouter); ok2 && svcName == rName {
+					targetRouter = router
+					break
+				}
+			}
+		}
+
+		// 2) dependsOn router reference
+		if targetRouter == nil {
+			for _, dep := range openAPIDeps[oaMod.Name()] {
+				if routerNames[dep] {
+					for svcName, routerSvc := range app.SvcRegistry() {
+						if router, ok2 := routerSvc.(module.HTTPRouter); ok2 && svcName == dep {
+							targetRouter = router
+							break
+						}
+					}
+					if targetRouter != nil {
+						break
+					}
+				}
+			}
+		}
+
+		// 3) Fall back to first available router
+		if targetRouter == nil {
+			for _, routerSvc := range app.SvcRegistry() {
+				if router, ok2 := routerSvc.(module.HTTPRouter); ok2 {
+					targetRouter = router
+					break
+				}
+			}
+		}
+
+		if targetRouter == nil {
+			// No router found — log and skip (not fatal; engine may be running without HTTP)
+			continue
+		}
+
+		oaMod.RegisterRoutes(targetRouter)
+	}
+
+	return nil
+}

From 037a746cba8b0c254433092340c3bd7dd5a9178a Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Mon, 23 Feb 2026 06:58:30 -0500
Subject: [PATCH 2/8] fix: register openapi module type in schema and fix
 spec_file path resolution

- Add "openapi" to known module types and module schema registry
- Fix spec_file path in example config (relative to config dir, not project root)
- Add openapi plugin to test helpers allPlugins()

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 example/openapi-petstore.yaml |  2 +-
 schema/module_schema.go       | 19 +++++++++++++++++++
 schema/schema.go              |  1 +
 testhelpers_test.go           |  2 ++
 4 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/example/openapi-petstore.yaml b/example/openapi-petstore.yaml
index 4eb330c8..a4d3503c 100644
--- a/example/openapi-petstore.yaml
+++ b/example/openapi-petstore.yaml
@@ -22,7 +22,7 @@ modules:
     dependsOn:
       - petstore-router
     config:
-      spec_file: example/specs/petstore.yaml
+      spec_file: specs/petstore.yaml
       base_path: /api/v1
       router: petstore-router
       validation:
diff --git a/schema/module_schema.go b/schema/module_schema.go
index a69cdd53..66b5de59 100644
--- a/schema/module_schema.go
+++ b/schema/module_schema.go
@@ -780,6 +780,25 @@ func (r *ModuleSchemaRegistry) registerBuiltins() {
 
 	// ---- OpenAPI Category ----
 
+	r.Register(&ModuleSchema{
+		Type:        "openapi",
+		Label:       "OpenAPI Spec Server",
+		Category:    "integration",
+		Description: "Parses an OpenAPI v3 spec file and auto-generates HTTP routes with request validation and optional Swagger UI",
+		Inputs:      []ServiceIODef{{Name: "router", Type: "HTTPRouter", Description: "HTTP router to register generated routes on"}},
+		Outputs:     []ServiceIODef{{Name: "routes", Type: "OpenAPIRoutes", Description: "Auto-generated HTTP routes from the spec"}},
+		ConfigFields: []ConfigFieldDef{
+			{Key: "spec_file", Label: "Spec File", Type: FieldTypeFilePath, Required: true, Description: "Path to the OpenAPI v3 spec file (JSON or YAML)", Placeholder: "specs/petstore.yaml"},
+			{Key: "base_path", Label: "Base Path", Type: FieldTypeString, Description: "Base path prefix for all generated routes", Placeholder: "/api/v1"},
+			{Key: "router", Label: "Router Module", Type: FieldTypeString, Required: true, Description: "Name of the http.router module to register routes on", Placeholder: "my-router"},
+			{Key: "validation.request", Label: "Validate Requests", Type: FieldTypeBool, DefaultValue: true, Description: "Enable request validation against the OpenAPI schema"},
+			{Key: "validation.response", Label: "Validate Responses", Type: FieldTypeBool, DefaultValue: false, Description: "Enable response validation against the OpenAPI schema"},
+			{Key: "swagger_ui.enabled", Label: "Enable Swagger UI", Type: FieldTypeBool, DefaultValue: false, Description: "Serve Swagger UI for interactive API documentation"},
+			{Key: "swagger_ui.path", Label: "Swagger UI Path", Type: FieldTypeString, DefaultValue: "/docs", Description: "URL path for the Swagger UI", Placeholder: "/docs"},
+		},
+		DefaultConfig: map[string]any{"validation": map[string]any{"request": true, "response": false}, "swagger_ui": map[string]any{"enabled": false, "path": "/docs"}},
+	})
+
 	r.Register(&ModuleSchema{
 		Type:        "openapi.generator",
 		Label:       "OpenAPI Generator",
diff --git a/schema/schema.go b/schema/schema.go
index 5d2e60a7..20a70fa6 100644
--- a/schema/schema.go
+++ b/schema/schema.go
@@ -84,6 +84,7 @@ var coreModuleTypes = []string{
 	"metrics.collector",
 	"notification.slack",
 	"observability.otel",
+	"openapi",
 	"openapi.consumer",
 	"openapi.generator",
 	"persistence.store",
diff --git a/testhelpers_test.go b/testhelpers_test.go
index 9f4f0ec6..5f83e216 100644
--- a/testhelpers_test.go
+++ b/testhelpers_test.go
@@ -13,6 +13,7 @@ import (
 	pluginintegration "github.com/GoCodeAlone/workflow/plugins/integration"
 	pluginlicense "github.com/GoCodeAlone/workflow/plugins/license"
 	pluginmessaging "github.com/GoCodeAlone/workflow/plugins/messaging"
+	pluginopenapi "github.com/GoCodeAlone/workflow/plugins/openapi"
 	pluginmodcompat "github.com/GoCodeAlone/workflow/plugins/modularcompat"
 	pluginobs "github.com/GoCodeAlone/workflow/plugins/observability"
 	pluginpipeline "github.com/GoCodeAlone/workflow/plugins/pipelinesteps"
@@ -43,6 +44,7 @@ func allPlugins() []plugin.EnginePlugin {
 		pluginai.New(),
 		pluginplatform.New(),
 		pluginlicense.New(),
+		pluginopenapi.New(),
 	}
 }
 

From 6f5d7ee3eb4b12ba4ba4d62b11a20b84a4463bc5 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 11:29:08 -0500
Subject: [PATCH 3/8] =?UTF-8?q?fix(openapi):=20address=20review=20feedback?=
 =?UTF-8?q?=20=E2=80=94=20correctness,=20security,=20and=20performance=20i?=
 =?UTF-8?q?mprovements=20(#146)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Initial plan

* fix: apply all review feedback to OpenAPI module

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
---
 example/openapi-petstore.yaml |   2 +
 module/openapi.go             | 199 +++++++++++++++++++++++-----------
 module/openapi_test.go        | 124 ++++++++++++++++++++-
 plugins/openapi/plugin.go     |  38 +++----
 4 files changed, 280 insertions(+), 83 deletions(-)

diff --git a/example/openapi-petstore.yaml b/example/openapi-petstore.yaml
index a4d3503c..c2b6f2d1 100644
--- a/example/openapi-petstore.yaml
+++ b/example/openapi-petstore.yaml
@@ -22,6 +22,8 @@ modules:
     dependsOn:
       - petstore-router
     config:
+      # NOTE: spec_file is resolved relative to this config file's directory
+      # via the _config_dir mechanism in config.ResolvePathInConfig.
       spec_file: specs/petstore.yaml
       base_path: /api/v1
       router: petstore-router
diff --git a/module/openapi.go b/module/openapi.go
index 8759ee19..eb5d92c8 100644
--- a/module/openapi.go
+++ b/module/openapi.go
@@ -4,8 +4,10 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"html"
 	"io"
 	"log/slog"
+	"math"
 	"net/http"
 	"os"
 	"regexp"
@@ -109,7 +111,8 @@ type OpenAPIModule struct {
 	name       string
 	cfg        OpenAPIConfig
 	spec       *openAPISpec
-	specBytes  []byte // raw spec bytes for serving
+	specBytes  []byte // raw spec bytes for serving (original file content)
+	specJSON   []byte // cached JSON-serialised spec for /openapi.json endpoint
 	routerName string
 	logger     *slog.Logger
 }
@@ -219,11 +222,26 @@ func (m *OpenAPIModule) RegisterRoutes(router HTTPRouter) {
 
 	// Serve raw spec at /openapi.json and /openapi.yaml
 	if len(m.specBytes) > 0 {
+		// Cache the JSON representation once per registration.
+		if m.specJSON == nil {
+			specJSON, err := json.Marshal(m.spec)
+			if err != nil {
+				specJSON = m.specBytes // fallback to raw bytes
+			}
+			m.specJSON = specJSON
+		}
+
 		specPathJSON := basePath + "/openapi.json"
 		specPathYAML := basePath + "/openapi.yaml"
-		specHandler := m.buildSpecHandler()
-		router.AddRoute(http.MethodGet, specPathJSON, specHandler)
-		router.AddRoute(http.MethodGet, specPathYAML, specHandler)
+
+		// JSON endpoint: serve re-serialised spec as JSON.
+		router.AddRoute(http.MethodGet, specPathJSON, &openAPISpecHandler{specJSON: m.specJSON})
+
+		// YAML endpoint: serve the original spec bytes with a YAML content-type.
+		// This preserves the source format; if the original file was YAML it is
+		// served as YAML, and if it was JSON it is served as-is (JSON is valid YAML).
+		router.AddRoute(http.MethodGet, specPathYAML, &openAPIRawSpecHandler{specBytes: m.specBytes, contentType: "application/yaml"})
+
 		m.logger.Debug("OpenAPI spec endpoint registered", "module", m.name, "paths", []string{specPathJSON, specPathYAML})
 	}
 
@@ -257,17 +275,6 @@ func (m *OpenAPIModule) buildRouteHandler(specPath, method string, op *openAPIOp
 	}
 }
 
-// buildSpecHandler serves the raw spec bytes as JSON (re-serialised from the
-// parsed spec) so consumers always get valid JSON regardless of whether the
-// original file was YAML.
-func (m *OpenAPIModule) buildSpecHandler() HTTPHandler {
-	specJSON, err := json.Marshal(m.spec)
-	if err != nil {
-		specJSON = m.specBytes // fallback to raw bytes
-	}
-	return &openAPISpecHandler{specJSON: specJSON}
-}
-
 // buildSwaggerUIHandler returns an inline Swagger UI page that loads the spec
 // from specURL. This avoids any asset bundling — a CDN-hosted swagger-ui is used.
 func (m *OpenAPIModule) buildSwaggerUIHandler(specURL string) HTTPHandler {
@@ -340,23 +347,36 @@ func (h *openAPIRouteHandler) validate(r *http.Request) []string {
 		if mt, ok := h.op.RequestBody.Content[ct]; ok {
 			mediaType = &mt
 		} else if mt, ok := h.op.RequestBody.Content["application/json"]; ok && ct == "" {
-			// Default to application/json when no Content-Type is sent
+			// NOTE: Intentionally treat a missing Content-Type as application/json for request body
+			// validation. Per HTTP semantics, an absent Content-Type would normally imply
+			// application/octet-stream, but this engine is primarily used for JSON APIs and this
+			// default simplifies client usage.
 			mediaType = &mt
 		}
 
-		if h.op.RequestBody.Required && r.ContentLength == 0 && r.Body == http.NoBody {
-			errs = append(errs, "request body is required but missing")
-		} else if mediaType != nil && mediaType.Schema != nil {
-			bodyBytes, err := io.ReadAll(r.Body)
-			if err == nil && len(bodyBytes) > 0 {
+		// Read the body once so we can both check for presence (when required)
+		// and validate against the schema. Restore it afterwards for downstream handlers.
+		bodyBytes, readErr := io.ReadAll(r.Body)
+		if readErr != nil {
+			h.module.logger.Error("failed to read request body for validation",
+				"module", h.module.name,
+				"path", h.specPath,
+				"error", readErr,
+			)
+			errs = append(errs, "failed to read request body")
+		} else {
+			// Always restore body for downstream handlers.
+			r.Body = io.NopCloser(strings.NewReader(string(bodyBytes)))
+
+			if h.op.RequestBody.Required && len(bodyBytes) == 0 {
+				errs = append(errs, "request body is required but missing")
+			} else if mediaType != nil && mediaType.Schema != nil && len(bodyBytes) > 0 {
 				var bodyData any
 				if jsonErr := json.Unmarshal(bodyBytes, &bodyData); jsonErr == nil {
 					if bodyErrs := validateJSONBody(bodyData, mediaType.Schema); len(bodyErrs) > 0 {
 						errs = append(errs, bodyErrs...)
 					}
 				}
-				// Restore body for downstream handlers
-				r.Body = io.NopCloser(strings.NewReader(string(bodyBytes)))
 			}
 		}
 	}
@@ -376,6 +396,21 @@ func (h *openAPISpecHandler) Handle(w http.ResponseWriter, _ *http.Request) {
 	_, _ = w.Write(h.specJSON) //nolint:gosec // G705: spec JSON is loaded from a trusted config file, not user input
 }
 
+// ---- openAPIRawSpecHandler ----
+
+// openAPIRawSpecHandler serves the raw spec bytes with the given content-type.
+// Used for the /openapi.yaml endpoint to preserve the original source format.
+type openAPIRawSpecHandler struct {
+	specBytes   []byte
+	contentType string
+}
+
+func (h *openAPIRawSpecHandler) Handle(w http.ResponseWriter, _ *http.Request) {
+	w.Header().Set("Content-Type", h.contentType)
+	w.WriteHeader(http.StatusOK)
+	_, _ = w.Write(h.specBytes) //nolint:gosec // G705: spec bytes are loaded from a trusted config file, not user input
+}
+
 // ---- openAPISwaggerUIHandler ----
 
 type openAPISwaggerUIHandler struct {
@@ -392,15 +427,18 @@ func (h *openAPISwaggerUIHandler) Handle(w http.ResponseWriter, _ *http.Request)
 
 // parseOpenAPISpec parses a YAML or JSON byte slice into an openAPISpec.
 func parseOpenAPISpec(data []byte) (*openAPISpec, error) {
+	if len(data) == 0 {
+		return nil, fmt.Errorf("openapi spec data is empty")
+	}
 	var spec openAPISpec
 	// Try YAML first (which also handles JSON since JSON is valid YAML)
 	if err := yaml.Unmarshal(data, &spec); err != nil {
 		return nil, fmt.Errorf("yaml parse: %w", err)
 	}
 	if spec.OpenAPI == "" {
-		// May be JSON that yaml couldn't decode properly; try JSON directly
+		// YAML parse succeeded but produced an empty OpenAPI field; try JSON directly.
 		if err := json.Unmarshal(data, &spec); err != nil {
-			return nil, fmt.Errorf("neither yaml nor json parse succeeded: %w", err)
+			return nil, fmt.Errorf("yaml parse produced empty OpenAPI field; json parse also failed: %w", err)
 		}
 	}
 	return &spec, nil
@@ -445,6 +483,28 @@ func extractParam(r *http.Request, p openAPIParameter) string {
 	return ""
 }
 
+// validateStringConstraints validates the string constraints (minLength, maxLength,
+// pattern) for a string value. The kind parameter ("parameter" or "field") is used
+// in error messages.
+func validateStringConstraints(s, name, kind string, schema *openAPISchema) []string {
+	var errs []string
+	if schema.MinLength != nil && len(s) < *schema.MinLength {
+		errs = append(errs, fmt.Sprintf("%s %q must have minLength %d", kind, name, *schema.MinLength))
+	}
+	if schema.MaxLength != nil && len(s) > *schema.MaxLength {
+		errs = append(errs, fmt.Sprintf("%s %q must have maxLength %d", kind, name, *schema.MaxLength))
+	}
+	if schema.Pattern != "" {
+		re, err := regexp.Compile(schema.Pattern)
+		if err != nil {
+			errs = append(errs, fmt.Sprintf("%s %q has an invalid pattern %q: %v", kind, name, schema.Pattern, err))
+		} else if !re.MatchString(s) {
+			errs = append(errs, fmt.Sprintf("%s %q does not match pattern %q", kind, name, schema.Pattern))
+		}
+	}
+	return errs
+}
+
 // validateScalarValue validates a string value against a schema (type/format/enum checks).
 func validateScalarValue(val, name string, schema *openAPISchema) []string {
 	var errs []string
@@ -478,22 +538,16 @@ func validateScalarValue(val, name string, schema *openAPISchema) []string {
 			errs = append(errs, fmt.Sprintf("parameter %q must be 'true' or 'false', got %q", name, val))
 		}
 	case "string":
-		if schema.MinLength != nil && len(val) < *schema.MinLength {
-			errs = append(errs, fmt.Sprintf("parameter %q must have minLength %d", name, *schema.MinLength))
-		}
-		if schema.MaxLength != nil && len(val) > *schema.MaxLength {
-			errs = append(errs, fmt.Sprintf("parameter %q must have maxLength %d", name, *schema.MaxLength))
-		}
-		if schema.Pattern != "" {
-			if ok, _ := regexp.MatchString(schema.Pattern, val); !ok {
-				errs = append(errs, fmt.Sprintf("parameter %q does not match pattern %q", name, schema.Pattern))
-			}
-		}
+		errs = append(errs, validateStringConstraints(val, name, "parameter", schema)...)
 	}
-	// Enum validation
+	// Enum validation: query/path parameters are always strings, so compare the
+	// string form of each enum value against the string parameter value.
 	if len(schema.Enum) > 0 {
 		found := false
 		for _, e := range schema.Enum {
+			if e == nil {
+				continue
+			}
 			if fmt.Sprintf("%v", e) == val {
 				found = true
 				break
@@ -542,23 +596,16 @@ func validateJSONValue(val any, name string, schema *openAPISchema) []string {
 	case "string":
 		s, ok := val.(string)
 		if !ok {
-			return []string{fmt.Sprintf("field %q must be a string", name)}
-		}
-		if schema.MinLength != nil && len(s) < *schema.MinLength {
-			errs = append(errs, fmt.Sprintf("field %q must have minLength %d", name, *schema.MinLength))
-		}
-		if schema.MaxLength != nil && len(s) > *schema.MaxLength {
-			errs = append(errs, fmt.Sprintf("field %q must have maxLength %d", name, *schema.MaxLength))
-		}
-		if schema.Pattern != "" {
-			if ok2, _ := regexp.MatchString(schema.Pattern, s); !ok2 {
-				errs = append(errs, fmt.Sprintf("field %q does not match pattern %q", name, schema.Pattern))
-			}
+			return []string{fmt.Sprintf("field %q must be a string, got %T", name, val)}
 		}
+		errs = append(errs, validateStringConstraints(s, name, "field", schema)...)
 	case "integer":
 		f, ok := val.(float64)
 		if !ok {
-			return []string{fmt.Sprintf("field %q must be an integer", name)}
+			return []string{fmt.Sprintf("field %q must be an integer, got %T", name, val)}
+		}
+		if f != math.Trunc(f) {
+			return []string{fmt.Sprintf("field %q must be an integer, got %v", name, f)}
 		}
 		if schema.Minimum != nil && f < *schema.Minimum {
 			errs = append(errs, fmt.Sprintf("field %q must be >= %v", name, *schema.Minimum))
@@ -569,7 +616,7 @@ func validateJSONValue(val any, name string, schema *openAPISchema) []string {
 	case "number":
 		f, ok := val.(float64)
 		if !ok {
-			return []string{fmt.Sprintf("field %q must be a number", name)}
+			return []string{fmt.Sprintf("field %q must be a number, got %T", name, val)}
 		}
 		if schema.Minimum != nil && f < *schema.Minimum {
 			errs = append(errs, fmt.Sprintf("field %q must be >= %v", name, *schema.Minimum))
@@ -579,21 +626,41 @@ func validateJSONValue(val any, name string, schema *openAPISchema) []string {
 		}
 	case "boolean":
 		if _, ok := val.(bool); !ok {
-			errs = append(errs, fmt.Sprintf("field %q must be a boolean", name))
+			errs = append(errs, fmt.Sprintf("field %q must be a boolean, got %T", name, val))
 		}
 	case "object":
 		if subErrs := validateJSONBody(val, schema); len(subErrs) > 0 {
 			errs = append(errs, subErrs...)
 		}
 	}
-	// Enum validation
+	// Enum validation: use type-aware comparison to prevent e.g. int 1 matching string "1".
 	if len(schema.Enum) > 0 {
 		found := false
 		for _, e := range schema.Enum {
-			if fmt.Sprintf("%v", e) == fmt.Sprintf("%v", val) {
+			if e == nil {
+				continue
+			}
+			// Direct equality covers string==string, bool==bool, float64==float64.
+			if e == val {
 				found = true
 				break
 			}
+			// Handle numeric type mismatch: YAML decodes integers as int, but JSON
+			// decodes all numbers as float64, so int(1) != float64(1) even though
+			// they represent the same value.
+			switch ev := e.(type) {
+			case int:
+				if fv, ok := val.(float64); ok && float64(ev) == fv {
+					found = true
+				}
+			case int64:
+				if fv, ok := val.(float64); ok && float64(ev) == fv {
+					found = true
+				}
+			}
+			if found {
+				break
+			}
 		}
 		if !found {
 			errs = append(errs, fmt.Sprintf("field %q must be one of %v", name, schema.Enum))
@@ -604,21 +671,33 @@ func validateJSONValue(val any, name string, schema *openAPISchema) []string {
 
 // swaggerUIHTML returns a minimal, self-contained Swagger UI HTML page that
 // loads the spec from specURL using the official Swagger UI CDN bundle.
+//
+// The base URL for the Swagger UI assets can be overridden via the
+// SWAGGER_UI_ASSETS_BASE_URL environment variable. If unset, it defaults to
+// "https://unpkg.com/swagger-ui-dist@5". This is useful for air-gapped
+// environments or when a local mirror is preferred.
 func swaggerUIHTML(title, specURL string) string {
 	if title == "" {
 		title = "API Documentation"
 	}
+	baseURL := os.Getenv("SWAGGER_UI_ASSETS_BASE_URL")
+	if baseURL == "" {
+		baseURL = "https://unpkg.com/swagger-ui-dist@5"
+	}
+	baseURL = strings.TrimRight(baseURL, "/")
+	cssURL := baseURL + "/swagger-ui.css"
+	jsURL := baseURL + "/swagger-ui-bundle.js"
 	return `<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8">
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <title>` + htmlEscape(title) + `</title>
-  <link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@5/swagger-ui.css">
+  <link rel="stylesheet" href="` + htmlEscape(cssURL) + `">
 </head>
 <body>
   <div id="swagger-ui"></div>
-  <script src="https://unpkg.com/swagger-ui-dist@5/swagger-ui-bundle.js"></script>
+  <script src="` + htmlEscape(jsURL) + `"></script>
   <script>
     SwaggerUIBundle({
       url: "` + htmlEscape(specURL) + `",
@@ -632,11 +711,7 @@ func swaggerUIHTML(title, specURL string) string {
 }
 
 // htmlEscape escapes a string for safe embedding in HTML attributes/text.
+// It delegates to the standard library html.EscapeString for robust escaping.
 func htmlEscape(s string) string {
-	s = strings.ReplaceAll(s, "&", "&amp;")
-	s = strings.ReplaceAll(s, "<", "&lt;")
-	s = strings.ReplaceAll(s, ">", "&gt;")
-	s = strings.ReplaceAll(s, `"`, "&#34;")
-	s = strings.ReplaceAll(s, "'", "&#39;")
-	return s
+	return html.EscapeString(s)
 }
diff --git a/module/openapi_test.go b/module/openapi_test.go
index 92896f06..18527664 100644
--- a/module/openapi_test.go
+++ b/module/openapi_test.go
@@ -91,7 +91,7 @@ func writeTempSpec(t *testing.T, ext, content string) string {
 	t.Helper()
 	dir := t.TempDir()
 	path := filepath.Join(dir, "spec"+ext)
-	if err := os.WriteFile(path, []byte(content), 0600); err != nil {
+	if err := os.WriteFile(path, []byte(content), 0644); err != nil {
 		t.Fatalf("write temp spec: %v", err)
 	}
 	return path
@@ -551,6 +551,128 @@ func TestHTMLEscape(t *testing.T) {
 	}
 }
 
+func TestValidateScalarValue_Pattern(t *testing.T) {
+	t.Run("valid pattern match", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string", Pattern: "^foo[0-9]+$"}
+		errs := validateScalarValue("foo123", "param", schema)
+		if len(errs) > 0 {
+			t.Errorf("expected no errors, got %v", errs)
+		}
+	})
+
+	t.Run("pattern mismatch", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string", Pattern: "^foo[0-9]+$"}
+		errs := validateScalarValue("bar", "param", schema)
+		if len(errs) == 0 {
+			t.Error("expected validation error for non-matching pattern, got none")
+		}
+	})
+
+	t.Run("invalid regex pattern returns error", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string", Pattern: "["}
+		errs := validateScalarValue("anything", "param", schema)
+		if len(errs) == 0 {
+			t.Error("expected validation error for invalid regex pattern, got none")
+		}
+	})
+}
+
+func TestValidateJSONValue_Pattern(t *testing.T) {
+	t.Run("valid pattern match", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string", Pattern: "^foo[0-9]+$"}
+		errs := validateJSONValue("foo123", "body", schema)
+		if len(errs) > 0 {
+			t.Errorf("expected no errors, got %v", errs)
+		}
+	})
+
+	t.Run("pattern mismatch", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string", Pattern: "^foo[0-9]+$"}
+		errs := validateJSONValue("bar", "body", schema)
+		if len(errs) == 0 {
+			t.Error("expected validation error for non-matching pattern, got none")
+		}
+	})
+
+	t.Run("invalid regex pattern returns error", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string", Pattern: "["}
+		errs := validateJSONValue("anything", "body", schema)
+		if len(errs) == 0 {
+			t.Error("expected validation error for invalid regex pattern, got none")
+		}
+	})
+
+	t.Run("integer with fractional part rejected", func(t *testing.T) {
+		schema := &openAPISchema{Type: "integer"}
+		errs := validateJSONValue(float64(3.14), "count", schema)
+		if len(errs) == 0 {
+			t.Error("expected validation error for fractional integer, got none")
+		}
+	})
+
+	t.Run("integer without fractional part accepted", func(t *testing.T) {
+		schema := &openAPISchema{Type: "integer"}
+		errs := validateJSONValue(float64(3), "count", schema)
+		if len(errs) > 0 {
+			t.Errorf("expected no errors for whole integer, got %v", errs)
+		}
+	})
+
+	t.Run("type mismatch error includes actual type", func(t *testing.T) {
+		schema := &openAPISchema{Type: "string"}
+		errs := validateJSONValue(float64(42), "field", schema)
+		if len(errs) == 0 {
+			t.Error("expected validation error for wrong type, got none")
+		}
+		if len(errs) > 0 && !strings.Contains(errs[0], "float64") {
+			t.Errorf("expected error to mention actual type, got: %s", errs[0])
+		}
+	})
+}
+
+func TestOpenAPIModule_PathParameterValidation(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile:   specPath,
+		BasePath:   "/api/v1",
+		Validation: OpenAPIValidationConfig{Request: true},
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("GET", "/api/v1/pets/{petId}")
+	if h == nil {
+		t.Fatal("GET /api/v1/pets/{petId} handler not found")
+	}
+
+	t.Run("valid integer path param", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/api/v1/pets/42", nil)
+		// Simulate Go 1.22 path value extraction
+		r.SetPathValue("petId", "42")
+		h.Handle(w, r)
+		// 501 = stub response, meaning validation passed
+		if w.Code != http.StatusNotImplemented {
+			t.Errorf("expected 501 stub (validation OK), got %d: %s", w.Code, w.Body.String())
+		}
+	})
+
+	t.Run("invalid non-integer path param", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/api/v1/pets/not-an-id", nil)
+		r.SetPathValue("petId", "not-an-id")
+		h.Handle(w, r)
+		if w.Code != http.StatusBadRequest {
+			t.Errorf("expected 400 validation error for non-integer petId, got %d: %s", w.Code, w.Body.String())
+		}
+	})
+}
+
 // routeKeys returns a list of "METHOD:path" strings from a testRouter.
 func routeKeys(r *testRouter) []string {
 	keys := make([]string, len(r.routes))
diff --git a/plugins/openapi/plugin.go b/plugins/openapi/plugin.go
index 17e4da14..d9cf4596 100644
--- a/plugins/openapi/plugin.go
+++ b/plugins/openapi/plugin.go
@@ -157,7 +157,7 @@ func (p *Plugin) WiringHooks() []plugin.WiringHook {
 	return []plugin.WiringHook{
 		{
 			Name:     "openapi-route-registration",
-			Priority: 45, // run after auth wiring (90), before static files (50)
+			Priority: 45, // run after auth wiring (90) and after static files (50)
 			Hook:     wireOpenAPIRoutes,
 		},
 	}
@@ -178,6 +178,19 @@ func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) erro
 		}
 	}
 
+	// Build router lookup map and capture the first available router in a single pass.
+	// This reduces subsequent lookups from O(n) each to O(1).
+	routers := make(map[string]module.HTTPRouter)
+	var firstRouter module.HTTPRouter
+	for svcName, svc := range app.SvcRegistry() {
+		if router, ok := svc.(module.HTTPRouter); ok {
+			routers[svcName] = router
+			if firstRouter == nil {
+				firstRouter = router
+			}
+		}
+	}
+
 	for _, svc := range app.SvcRegistry() {
 		oaMod, ok := svc.(*module.OpenAPIModule)
 		if !ok {
@@ -188,25 +201,15 @@ func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) erro
 
 		// 1) Explicit router name from config
 		if rName := oaMod.RouterName(); rName != "" {
-			for svcName, routerSvc := range app.SvcRegistry() {
-				if router, ok2 := routerSvc.(module.HTTPRouter); ok2 && svcName == rName {
-					targetRouter = router
-					break
-				}
-			}
+			targetRouter = routers[rName]
 		}
 
 		// 2) dependsOn router reference
 		if targetRouter == nil {
 			for _, dep := range openAPIDeps[oaMod.Name()] {
 				if routerNames[dep] {
-					for svcName, routerSvc := range app.SvcRegistry() {
-						if router, ok2 := routerSvc.(module.HTTPRouter); ok2 && svcName == dep {
-							targetRouter = router
-							break
-						}
-					}
-					if targetRouter != nil {
+					if router, found := routers[dep]; found {
+						targetRouter = router
 						break
 					}
 				}
@@ -215,12 +218,7 @@ func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) erro
 
 		// 3) Fall back to first available router
 		if targetRouter == nil {
-			for _, routerSvc := range app.SvcRegistry() {
-				if router, ok2 := routerSvc.(module.HTTPRouter); ok2 {
-					targetRouter = router
-					break
-				}
-			}
+			targetRouter = firstRouter
 		}
 
 		if targetRouter == nil {

From 475de78f2cdb826e50d124a26edd82ce9923b80b Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 15:14:58 -0500
Subject: [PATCH 4/8] fix(openapi): address remaining unresolved review
 comments on OpenAPI module (#149)

* Initial plan

* fix(openapi): document deferred spec_file validation and add enum scalar tests

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
---
 module/openapi_test.go    | 6 ++++++
 plugins/openapi/plugin.go | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/module/openapi_test.go b/module/openapi_test.go
index 18527664..e8f0cadb 100644
--- a/module/openapi_test.go
+++ b/module/openapi_test.go
@@ -516,6 +516,12 @@ func TestValidateScalarValue(t *testing.T) {
 		{"string too long", "toolongstring", &openAPISchema{Type: "string", MaxLength: &maxLen}, true},
 		{"enum match", "cat", &openAPISchema{Type: "string", Enum: []any{"cat", "dog"}}, false},
 		{"enum mismatch", "fish", &openAPISchema{Type: "string", Enum: []any{"cat", "dog"}}, true},
+		// Query/path parameters are always strings; integer enum values from YAML
+		// (e.g. enum: [1, 2, 3]) are compared as their string representation.
+		// This is intentional: the parameter "1" should match the YAML integer 1.
+		{"enum integer yaml matches string param", "1", &openAPISchema{Type: "integer", Enum: []any{1, 2, 3}}, false},
+		{"enum integer yaml no match", "4", &openAPISchema{Type: "integer", Enum: []any{1, 2, 3}}, true},
+		{"enum nil values skipped", "a", &openAPISchema{Enum: []any{nil, "a", nil}}, false},
 	}
 
 	for _, tt := range tests {
diff --git a/plugins/openapi/plugin.go b/plugins/openapi/plugin.go
index d9cf4596..c9f5d90c 100644
--- a/plugins/openapi/plugin.go
+++ b/plugins/openapi/plugin.go
@@ -58,6 +58,11 @@ func (p *Plugin) ModuleFactories() map[string]plugin.ModuleFactory {
 		"openapi": func(name string, cfg map[string]any) modular.Module {
 			oacfg := module.OpenAPIConfig{}
 
+			// NOTE: spec_file existence is not validated here at configuration time.
+			// Path resolution is performed by ResolvePathInConfig (relative to the
+			// config file directory via the _config_dir key), but file existence and
+			// readability are checked lazily during Init(). Errors will surface at
+			// engine startup, after all modules have been constructed.
 			if v, ok := cfg["spec_file"].(string); ok {
 				oacfg.SpecFile = config.ResolvePathInConfig(cfg, v)
 			}

From 8b469c7d8a908229259d4ae69bb6e5749e9021fd Mon Sep 17 00:00:00 2001
From: Jon Langevin <codingsloth@pm.me>
Date: Mon, 23 Feb 2026 15:43:39 -0500
Subject: [PATCH 5/8] fix: add admin_test.go with corrected
 TestMergeInto_WithRealAdminConfig

Add admin/admin_test.go from main with the syntax error fixed:
TestMergeInto_WithRealAdminConfig was closed with `)` instead of `}`
and used 2-space indented brace in the inner if block, causing:
  expected statement, found ')'

This file doesn't exist on this branch (predates its addition to main)
but is needed so the PR's merge commit compiles and tests pass.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 admin/admin_test.go | 241 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 241 insertions(+)
 create mode 100644 admin/admin_test.go

diff --git a/admin/admin_test.go b/admin/admin_test.go
new file mode 100644
index 00000000..ad324864
--- /dev/null
+++ b/admin/admin_test.go
@@ -0,0 +1,241 @@
+package admin
+
+import (
+	"testing"
+
+	"github.com/GoCodeAlone/workflow/config"
+)
+
+func TestLoadConfigRaw(t *testing.T) {
+	t.Parallel()
+
+	data, err := LoadConfigRaw()
+	if err != nil {
+		t.Fatalf("LoadConfigRaw() error: %v", err)
+	}
+	if len(data) == 0 {
+		t.Fatal("LoadConfigRaw() returned empty data")
+	}
+}
+
+func TestLoadConfig(t *testing.T) {
+	t.Parallel()
+
+	cfg, err := LoadConfig()
+	if err != nil {
+		t.Fatalf("LoadConfig() error: %v", err)
+	}
+	if cfg == nil {
+		t.Fatal("LoadConfig() returned nil config")
+	}
+	if len(cfg.Modules) == 0 {
+		t.Error("expected at least one admin module")
+	}
+}
+
+func TestMergeInto(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		primary *config.WorkflowConfig
+		admin   *config.WorkflowConfig
+		check   func(t *testing.T, result *config.WorkflowConfig)
+	}{
+		{
+			name: "merge modules appended",
+			primary: &config.WorkflowConfig{
+				Modules: []config.ModuleConfig{
+					{Name: "primary-mod", Type: "http.server"},
+				},
+				Workflows: map[string]any{"http": "primary-wf"},
+				Triggers:  map[string]any{"http": "primary-trigger"},
+			},
+			admin: &config.WorkflowConfig{
+				Modules: []config.ModuleConfig{
+					{Name: "admin-mod", Type: "http.server"},
+				},
+				Workflows: map[string]any{"http-admin": "admin-wf"},
+				Triggers:  map[string]any{"admin-trigger": "admin-cfg"},
+			},
+			check: func(t *testing.T, result *config.WorkflowConfig) {
+				if len(result.Modules) != 2 {
+					t.Errorf("expected 2 modules, got %d", len(result.Modules))
+				}
+				if result.Workflows["http-admin"] == nil {
+					t.Error("admin workflow not merged")
+				}
+				if result.Triggers["admin-trigger"] == nil {
+					t.Error("admin trigger not merged")
+				}
+			},
+		},
+		{
+			name: "workflows not overwritten",
+			primary: &config.WorkflowConfig{
+				Modules:   nil,
+				Workflows: map[string]any{"http": "primary"},
+				Triggers:  nil,
+			},
+			admin: &config.WorkflowConfig{
+				Modules:   nil,
+				Workflows: map[string]any{"http": "admin-should-not-replace"},
+				Triggers:  nil,
+			},
+			check: func(t *testing.T, result *config.WorkflowConfig) {
+				if result.Workflows["http"] != "primary" {
+					t.Errorf("primary workflow was overwritten: got %v", result.Workflows["http"])
+				}
+			},
+		},
+		{
+			name: "nil primary workflows map initialized",
+			primary: &config.WorkflowConfig{
+				Workflows: nil,
+				Triggers:  nil,
+			},
+			admin: &config.WorkflowConfig{
+				Workflows: map[string]any{"admin-wf": "cfg"},
+				Triggers:  nil,
+			},
+			check: func(t *testing.T, result *config.WorkflowConfig) {
+				if result.Workflows == nil {
+					t.Fatal("workflows map should have been initialized")
+				}
+				if result.Workflows["admin-wf"] == nil {
+					t.Error("admin workflow not merged into nil map")
+				}
+			},
+		},
+		{
+			name: "nil primary triggers map initialized",
+			primary: &config.WorkflowConfig{
+				Workflows: map[string]any{},
+				Triggers:  nil,
+			},
+			admin: &config.WorkflowConfig{
+				Workflows: nil,
+				Triggers:  map[string]any{"admin-trig": "cfg"},
+			},
+			check: func(t *testing.T, result *config.WorkflowConfig) {
+				if result.Triggers == nil {
+					t.Fatal("triggers map should have been initialized")
+				}
+				if result.Triggers["admin-trig"] == nil {
+					t.Error("admin trigger not merged into nil map")
+				}
+			},
+		},
+		{
+			name: "triggers not overwritten",
+			primary: &config.WorkflowConfig{
+				Workflows: map[string]any{},
+				Triggers:  map[string]any{"http": "primary"},
+			},
+			admin: &config.WorkflowConfig{
+				Triggers: map[string]any{"http": "admin-should-not-replace"},
+			},
+			check: func(t *testing.T, result *config.WorkflowConfig) {
+				if result.Triggers["http"] != "primary" {
+					t.Errorf("primary trigger was overwritten: got %v", result.Triggers["http"])
+				}
+			},
+		},
+		{
+			name: "empty admin triggers no-op",
+			primary: &config.WorkflowConfig{
+				Workflows: map[string]any{},
+				Triggers:  map[string]any{"existing": "val"},
+			},
+			admin: &config.WorkflowConfig{
+				Triggers: nil,
+			},
+			check: func(t *testing.T, result *config.WorkflowConfig) {
+				if len(result.Triggers) != 1 {
+					t.Errorf("expected 1 trigger, got %d", len(result.Triggers))
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			MergeInto(tt.primary, tt.admin)
+			tt.check(t, tt.primary)
+		})
+	}
+}
+
+func TestMergeInto_WithRealAdminConfig(t *testing.T) {
+	t.Parallel()
+
+	adminCfg, err := LoadConfig()
+	if err != nil {
+		t.Fatalf("LoadConfig failed: %v", err)
+	}
+
+	primary := config.NewEmptyWorkflowConfig()
+	primary.Modules = []config.ModuleConfig{
+		{Name: "user-server", Type: "http.server"},
+	}
+
+	initialModuleCount := len(primary.Modules)
+	MergeInto(primary, adminCfg)
+
+	if len(primary.Modules) <= initialModuleCount {
+		t.Error("expected admin modules to be appended")
+	}
+}
+
+func TestLoadConfig_Parses(t *testing.T) {
+	cfg, err := LoadConfig()
+	if err != nil {
+		t.Fatalf("LoadConfig: %v", err)
+	}
+	if cfg == nil {
+		t.Fatal("expected non-nil config")
+	}
+	if len(cfg.Modules) == 0 {
+		t.Error("expected at least one module in admin config")
+	}
+}
+
+func TestLoadConfigRaw_NonEmpty(t *testing.T) {
+	raw, err := LoadConfigRaw()
+	if err != nil {
+		t.Fatalf("LoadConfigRaw: %v", err)
+	}
+	if len(raw) == 0 {
+		t.Error("expected non-empty raw config data")
+	}
+}
+
+func TestLoadConfig_HasExpectedModules(t *testing.T) {
+	cfg, err := LoadConfig()
+	if err != nil {
+		t.Fatalf("LoadConfig: %v", err)
+	}
+
+	moduleNames := make(map[string]bool)
+	for _, m := range cfg.Modules {
+		moduleNames[m.Name] = true
+	}
+
+	required := []string{"admin-server", "admin-router", "admin-db", "admin-auth"}
+	for _, name := range required {
+		if !moduleNames[name] {
+			t.Errorf("expected module %q in admin config", name)
+		}
+	}
+}
+
+func TestLoadConfig_HasWorkflows(t *testing.T) {
+	cfg, err := LoadConfig()
+	if err != nil {
+		t.Fatalf("LoadConfig: %v", err)
+	}
+	if len(cfg.Workflows) == 0 {
+		t.Error("expected at least one workflow in admin config")
+	}
+}

From cee546ad02928f8d1b73bd13ba1ede18bd7e038e Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 19:18:46 -0500
Subject: [PATCH 6/8] =?UTF-8?q?fix(openapi):=20address=20remaining=20revie?=
 =?UTF-8?q?w=20comments=20=E2=80=94=20validation,=20content-type,=20schema?=
 =?UTF-8?q?,=20defaults=20(#150)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Initial plan

* fix(openapi): address all remaining review comments — body bytes, JSON errors, content-type, schema, defaults, logging

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
---
 module/openapi.go         | 42 +++++++++++++++++++++++++++++----------
 module/openapi_test.go    | 11 ++++++++++
 plugins/openapi/plugin.go | 12 +++++++++--
 schema/module_schema.go   |  8 +++-----
 4 files changed, 56 insertions(+), 17 deletions(-)

diff --git a/module/openapi.go b/module/openapi.go
index eb5d92c8..9698a0cc 100644
--- a/module/openapi.go
+++ b/module/openapi.go
@@ -1,6 +1,7 @@
 package module
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -237,10 +238,14 @@ func (m *OpenAPIModule) RegisterRoutes(router HTTPRouter) {
 		// JSON endpoint: serve re-serialised spec as JSON.
 		router.AddRoute(http.MethodGet, specPathJSON, &openAPISpecHandler{specJSON: m.specJSON})
 
-		// YAML endpoint: serve the original spec bytes with a YAML content-type.
-		// This preserves the source format; if the original file was YAML it is
-		// served as YAML, and if it was JSON it is served as-is (JSON is valid YAML).
-		router.AddRoute(http.MethodGet, specPathYAML, &openAPIRawSpecHandler{specBytes: m.specBytes, contentType: "application/yaml"})
+		// YAML endpoint: serve the original spec bytes with a content-type that
+		// matches the source format. JSON source files are served as application/json;
+		// YAML source files are served as application/yaml.
+		rawContentType := "application/yaml"
+		if trimmed := strings.TrimSpace(string(m.specBytes)); len(trimmed) > 0 && (trimmed[0] == '{' || trimmed[0] == '[') {
+			rawContentType = "application/json"
+		}
+		router.AddRoute(http.MethodGet, specPathYAML, &openAPIRawSpecHandler{specBytes: m.specBytes, contentType: rawContentType})
 
 		m.logger.Debug("OpenAPI spec endpoint registered", "module", m.name, "paths", []string{specPathJSON, specPathYAML})
 	}
@@ -250,6 +255,8 @@ func (m *OpenAPIModule) RegisterRoutes(router HTTPRouter) {
 		uiPath := m.cfg.SwaggerUI.Path
 		if uiPath == "" {
 			uiPath = "/docs"
+		} else if !strings.HasPrefix(uiPath, "/") {
+			uiPath = "/" + uiPath
 		}
 		uiRoutePath := basePath + uiPath
 		specURL := basePath + "/openapi.json"
@@ -352,6 +359,10 @@ func (h *openAPIRouteHandler) validate(r *http.Request) []string {
 			// application/octet-stream, but this engine is primarily used for JSON APIs and this
 			// default simplifies client usage.
 			mediaType = &mt
+		} else if ct != "" && len(h.op.RequestBody.Content) > 0 {
+			// Content-Type is present but not listed in the spec — reject with 400.
+			errs = append(errs, fmt.Sprintf("unsupported Content-Type %q; spec defines: %s",
+				ct, supportedContentTypes(h.op.RequestBody.Content)))
 		}
 
 		// Read the body once so we can both check for presence (when required)
@@ -365,17 +376,18 @@ func (h *openAPIRouteHandler) validate(r *http.Request) []string {
 			)
 			errs = append(errs, "failed to read request body")
 		} else {
-			// Always restore body for downstream handlers.
-			r.Body = io.NopCloser(strings.NewReader(string(bodyBytes)))
+			// Always restore body for downstream handlers using the original byte slice
+			// to avoid a bytes→string→bytes conversion that could corrupt non-UTF-8 payloads.
+			r.Body = io.NopCloser(bytes.NewReader(bodyBytes))
 
 			if h.op.RequestBody.Required && len(bodyBytes) == 0 {
 				errs = append(errs, "request body is required but missing")
 			} else if mediaType != nil && mediaType.Schema != nil && len(bodyBytes) > 0 {
 				var bodyData any
-				if jsonErr := json.Unmarshal(bodyBytes, &bodyData); jsonErr == nil {
-					if bodyErrs := validateJSONBody(bodyData, mediaType.Schema); len(bodyErrs) > 0 {
-						errs = append(errs, bodyErrs...)
-					}
+				if jsonErr := json.Unmarshal(bodyBytes, &bodyData); jsonErr != nil {
+					errs = append(errs, fmt.Sprintf("request body contains invalid JSON: %v", jsonErr))
+				} else if bodyErrs := validateJSONBody(bodyData, mediaType.Schema); len(bodyErrs) > 0 {
+					errs = append(errs, bodyErrs...)
 				}
 			}
 		}
@@ -715,3 +727,13 @@ func swaggerUIHTML(title, specURL string) string {
 func htmlEscape(s string) string {
 	return html.EscapeString(s)
 }
+
+// supportedContentTypes returns a comma-joined list of content types defined
+// in the requestBody.content map, used in validation error messages.
+func supportedContentTypes(content map[string]openAPIMediaType) string {
+	types := make([]string, 0, len(content))
+	for ct := range content {
+		types = append(types, ct)
+	}
+	return strings.Join(types, ", ")
+}
diff --git a/module/openapi_test.go b/module/openapi_test.go
index e8f0cadb..c7c867e0 100644
--- a/module/openapi_test.go
+++ b/module/openapi_test.go
@@ -416,6 +416,17 @@ func TestOpenAPIModule_RequestValidation_Body(t *testing.T) {
 			t.Errorf("expected 400 validation error, got %d: %s", w.Code, w.Body.String())
 		}
 	})
+
+	t.Run("invalid JSON", func(t *testing.T) {
+		body := `{"name": "Fluffy",` // malformed JSON
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodPost, "/api/v1/pets", bytes.NewBufferString(body))
+		r.Header.Set("Content-Type", "application/json")
+		h.Handle(w, r)
+		if w.Code != http.StatusBadRequest {
+			t.Errorf("expected 400 validation error for malformed JSON, got %d: %s", w.Code, w.Body.String())
+		}
+	})
 }
 
 func TestOpenAPIModule_NoValidation(t *testing.T) {
diff --git a/plugins/openapi/plugin.go b/plugins/openapi/plugin.go
index c9f5d90c..dd8d4be5 100644
--- a/plugins/openapi/plugin.go
+++ b/plugins/openapi/plugin.go
@@ -4,6 +4,8 @@
 package openapi
 
 import (
+	"log/slog"
+
 	"github.com/CrisisTextLine/modular"
 	"github.com/GoCodeAlone/workflow/capability"
 	"github.com/GoCodeAlone/workflow/config"
@@ -56,7 +58,10 @@ func (p *Plugin) Capabilities() []capability.Contract {
 func (p *Plugin) ModuleFactories() map[string]plugin.ModuleFactory {
 	return map[string]plugin.ModuleFactory{
 		"openapi": func(name string, cfg map[string]any) modular.Module {
-			oacfg := module.OpenAPIConfig{}
+			oacfg := module.OpenAPIConfig{
+				// Default: enable request validation unless explicitly overridden.
+				Validation: module.OpenAPIValidationConfig{Request: true},
+			}
 
 			// NOTE: spec_file existence is not validated here at configuration time.
 			// Path resolution is performed by ResolvePathInConfig (relative to the
@@ -227,7 +232,10 @@ func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) erro
 		}
 
 		if targetRouter == nil {
-			// No router found — log and skip (not fatal; engine may be running without HTTP)
+			// No router found — log a warning and skip (not fatal; engine may be running without HTTP).
+			slog.Warn("openapi: no HTTP router found; skipping route registration",
+				"module", oaMod.Name(),
+			)
 			continue
 		}
 
diff --git a/schema/module_schema.go b/schema/module_schema.go
index 66b5de59..158e0487 100644
--- a/schema/module_schema.go
+++ b/schema/module_schema.go
@@ -790,11 +790,9 @@ func (r *ModuleSchemaRegistry) registerBuiltins() {
 		ConfigFields: []ConfigFieldDef{
 			{Key: "spec_file", Label: "Spec File", Type: FieldTypeFilePath, Required: true, Description: "Path to the OpenAPI v3 spec file (JSON or YAML)", Placeholder: "specs/petstore.yaml"},
 			{Key: "base_path", Label: "Base Path", Type: FieldTypeString, Description: "Base path prefix for all generated routes", Placeholder: "/api/v1"},
-			{Key: "router", Label: "Router Module", Type: FieldTypeString, Required: true, Description: "Name of the http.router module to register routes on", Placeholder: "my-router"},
-			{Key: "validation.request", Label: "Validate Requests", Type: FieldTypeBool, DefaultValue: true, Description: "Enable request validation against the OpenAPI schema"},
-			{Key: "validation.response", Label: "Validate Responses", Type: FieldTypeBool, DefaultValue: false, Description: "Enable response validation against the OpenAPI schema"},
-			{Key: "swagger_ui.enabled", Label: "Enable Swagger UI", Type: FieldTypeBool, DefaultValue: false, Description: "Serve Swagger UI for interactive API documentation"},
-			{Key: "swagger_ui.path", Label: "Swagger UI Path", Type: FieldTypeString, DefaultValue: "/docs", Description: "URL path for the Swagger UI", Placeholder: "/docs"},
+			{Key: "router", Label: "Router Module", Type: FieldTypeString, Description: "Name of the http.router module to register routes on (auto-detected if omitted)", Placeholder: "my-router"},
+			{Key: "validation", Label: "Validation", Type: FieldTypeJSON, DefaultValue: map[string]any{"request": true, "response": false}, Description: "Request/response validation settings, e.g. {\"request\": true, \"response\": false}"},
+			{Key: "swagger_ui", Label: "Swagger UI", Type: FieldTypeJSON, DefaultValue: map[string]any{"enabled": false, "path": "/docs"}, Description: "Swagger UI settings, e.g. {\"enabled\": false, \"path\": \"/docs\"}"},
 		},
 		DefaultConfig: map[string]any{"validation": map[string]any{"request": true, "response": false}, "swagger_ui": map[string]any{"enabled": false, "path": "/docs"}},
 	})

From 55e173da4261f41da0c7be83238a6b95d307e8e9 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 19:35:53 -0500
Subject: [PATCH 7/8] fix(cmd): restore missing multiWorkflowAddr flag
 definition (#152)

* Initial plan

* fix(cmd): restore missing multiWorkflowAddr flag definition

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
---
 cmd/server/main.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 04858923..fb831acd 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -83,6 +83,7 @@ var (
 	anthropicModel = flag.String("anthropic-model", "", "Anthropic model name")
 
 	// Multi-workflow mode flags
+	multiWorkflowAddr = flag.String("multi-workflow-addr", ":8090", "HTTP listen address for multi-workflow REST API")
 	databaseDSN       = flag.String("database-dsn", "", "PostgreSQL connection string for multi-workflow mode")
 	jwtSecret         = flag.String("jwt-secret", "", "JWT signing secret for API authentication")
 	adminEmail    = flag.String("admin-email", "", "Initial admin user email (first-run bootstrap)")

From 9a622a868f0114cb0fc3893beddce0f0db2a8556 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 20:39:09 -0500
Subject: [PATCH 8/8] fix(openapi): harden body validation, determinism, and
 router wiring (#155)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Initial plan

* fix(openapi): address review feedback from thread 3844286430

- Add configurable max body size limit (default 1 MiB) via http.MaxBytesReader to
  prevent DoS from arbitrarily large request bodies
- Use validateJSONValue() for request body validation to handle non-object root schemas
  (primitives, arrays) that were previously silently skipped
- Only register /openapi.yaml endpoint when source spec is YAML; JSON sources already
  served via /openapi.json
- Sort supportedContentTypes() output for deterministic error messages
- Remove /api/v1 from plugin schema DefaultConfig to match factory (empty) default
- Add server→router mapping in wireOpenAPIRoutes for consistent router discovery
  when openapi module depends on http.server instead of http.router directly
- Tests: add TestOpenAPIModule_JSONSourceNoYAMLEndpoint and TestOpenAPIModule_MaxBodySize

Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
---
 module/openapi.go         | 71 +++++++++++++++++++++++++--------------
 module/openapi_test.go    | 64 +++++++++++++++++++++++++++++++++++
 plugins/openapi/plugin.go | 44 ++++++++++++++++++++----
 3 files changed, 147 insertions(+), 32 deletions(-)

diff --git a/module/openapi.go b/module/openapi.go
index 9698a0cc..be3ef561 100644
--- a/module/openapi.go
+++ b/module/openapi.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"html"
 	"io"
@@ -12,6 +13,7 @@ import (
 	"net/http"
 	"os"
 	"regexp"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -33,13 +35,18 @@ type OpenAPISwaggerUIConfig struct {
 
 // OpenAPIConfig holds the full configuration for an OpenAPI module.
 type OpenAPIConfig struct {
-	SpecFile   string                  `yaml:"spec_file"  json:"spec_file"`
-	BasePath   string                  `yaml:"base_path"  json:"base_path"`
-	Validation OpenAPIValidationConfig `yaml:"validation" json:"validation"`
-	SwaggerUI  OpenAPISwaggerUIConfig  `yaml:"swagger_ui" json:"swagger_ui"`
-	RouterName string                  `yaml:"router"     json:"router"` // optional: explicit router to attach to
+	SpecFile     string                  `yaml:"spec_file"      json:"spec_file"`
+	BasePath     string                  `yaml:"base_path"      json:"base_path"`
+	Validation   OpenAPIValidationConfig `yaml:"validation"     json:"validation"`
+	SwaggerUI    OpenAPISwaggerUIConfig  `yaml:"swagger_ui"     json:"swagger_ui"`
+	RouterName   string                  `yaml:"router"         json:"router"`          // optional: explicit router to attach to
+	MaxBodyBytes int64                   `yaml:"max_body_bytes" json:"max_body_bytes"`  // max request body size (bytes); 0 = use default
 }
 
+// defaultMaxBodyBytes is the default request body size limit (1 MiB) applied
+// when Validation.Request is enabled and MaxBodyBytes is not explicitly set.
+const defaultMaxBodyBytes int64 = 1 << 20 // 1 MiB
+
 // ---- Minimal OpenAPI v3 structs (parsed from YAML/JSON) ----
 
 // openAPISpec is a minimal representation of an OpenAPI 3.x specification.
@@ -221,7 +228,7 @@ func (m *OpenAPIModule) RegisterRoutes(router HTTPRouter) {
 		}
 	}
 
-	// Serve raw spec at /openapi.json and /openapi.yaml
+	// Serve raw spec at /openapi.json and (when source is YAML) /openapi.yaml
 	if len(m.specBytes) > 0 {
 		// Cache the JSON representation once per registration.
 		if m.specJSON == nil {
@@ -233,21 +240,21 @@ func (m *OpenAPIModule) RegisterRoutes(router HTTPRouter) {
 		}
 
 		specPathJSON := basePath + "/openapi.json"
-		specPathYAML := basePath + "/openapi.yaml"
 
 		// JSON endpoint: serve re-serialised spec as JSON.
 		router.AddRoute(http.MethodGet, specPathJSON, &openAPISpecHandler{specJSON: m.specJSON})
 
-		// YAML endpoint: serve the original spec bytes with a content-type that
-		// matches the source format. JSON source files are served as application/json;
-		// YAML source files are served as application/yaml.
-		rawContentType := "application/yaml"
-		if trimmed := strings.TrimSpace(string(m.specBytes)); len(trimmed) > 0 && (trimmed[0] == '{' || trimmed[0] == '[') {
-			rawContentType = "application/json"
+		// YAML endpoint: only register /openapi.yaml when the source spec is YAML.
+		// When the source is JSON, clients can use /openapi.json instead.
+		trimmed := strings.TrimSpace(string(m.specBytes))
+		isJSONSource := len(trimmed) > 0 && (trimmed[0] == '{' || trimmed[0] == '[')
+		if !isJSONSource {
+			specPathYAML := basePath + "/openapi.yaml"
+			router.AddRoute(http.MethodGet, specPathYAML, &openAPIRawSpecHandler{specBytes: m.specBytes, contentType: "application/yaml"})
+			m.logger.Debug("OpenAPI spec endpoint registered", "module", m.name, "paths", []string{specPathJSON, specPathYAML})
+		} else {
+			m.logger.Debug("OpenAPI spec endpoint registered", "module", m.name, "paths", []string{specPathJSON})
 		}
-		router.AddRoute(http.MethodGet, specPathYAML, &openAPIRawSpecHandler{specBytes: m.specBytes, contentType: rawContentType})
-
-		m.logger.Debug("OpenAPI spec endpoint registered", "module", m.name, "paths", []string{specPathJSON, specPathYAML})
 	}
 
 	// Serve Swagger UI
@@ -365,16 +372,29 @@ func (h *openAPIRouteHandler) validate(r *http.Request) []string {
 				ct, supportedContentTypes(h.op.RequestBody.Content)))
 		}
 
+		// Enforce a max body size to prevent DoS via arbitrarily large payloads.
+		// The limit is configurable via OpenAPIConfig.MaxBodyBytes; default is 1 MiB.
+		maxBytes := h.module.cfg.MaxBodyBytes
+		if maxBytes <= 0 {
+			maxBytes = defaultMaxBodyBytes
+		}
+		r.Body = http.MaxBytesReader(nil, r.Body, maxBytes)
+
 		// Read the body once so we can both check for presence (when required)
 		// and validate against the schema. Restore it afterwards for downstream handlers.
 		bodyBytes, readErr := io.ReadAll(r.Body)
 		if readErr != nil {
-			h.module.logger.Error("failed to read request body for validation",
-				"module", h.module.name,
-				"path", h.specPath,
-				"error", readErr,
-			)
-			errs = append(errs, "failed to read request body")
+			var maxBytesErr *http.MaxBytesError
+			if errors.As(readErr, &maxBytesErr) {
+				errs = append(errs, fmt.Sprintf("request body exceeds maximum allowed size of %d bytes", maxBytes))
+			} else {
+				h.module.logger.Error("failed to read request body for validation",
+					"module", h.module.name,
+					"path", h.specPath,
+					"error", readErr,
+				)
+				errs = append(errs, "failed to read request body")
+			}
 		} else {
 			// Always restore body for downstream handlers using the original byte slice
 			// to avoid a bytes→string→bytes conversion that could corrupt non-UTF-8 payloads.
@@ -386,7 +406,7 @@ func (h *openAPIRouteHandler) validate(r *http.Request) []string {
 				var bodyData any
 				if jsonErr := json.Unmarshal(bodyBytes, &bodyData); jsonErr != nil {
 					errs = append(errs, fmt.Sprintf("request body contains invalid JSON: %v", jsonErr))
-				} else if bodyErrs := validateJSONBody(bodyData, mediaType.Schema); len(bodyErrs) > 0 {
+				} else if bodyErrs := validateJSONValue(bodyData, "body", mediaType.Schema); len(bodyErrs) > 0 {
 					errs = append(errs, bodyErrs...)
 				}
 			}
@@ -728,12 +748,13 @@ func htmlEscape(s string) string {
 	return html.EscapeString(s)
 }
 
-// supportedContentTypes returns a comma-joined list of content types defined
-// in the requestBody.content map, used in validation error messages.
+// supportedContentTypes returns a sorted, comma-joined list of content types
+// defined in the requestBody.content map, used in validation error messages.
 func supportedContentTypes(content map[string]openAPIMediaType) string {
 	types := make([]string, 0, len(content))
 	for ct := range content {
 		types = append(types, ct)
 	}
+	sort.Strings(types)
 	return strings.Join(types, ", ")
 }
diff --git a/module/openapi_test.go b/module/openapi_test.go
index c7c867e0..00942366 100644
--- a/module/openapi_test.go
+++ b/module/openapi_test.go
@@ -163,6 +163,35 @@ func TestOpenAPIModule_ParseJSON(t *testing.T) {
 	}
 }
 
+func TestOpenAPIModule_JSONSourceNoYAMLEndpoint(t *testing.T) {
+	specPath := writeTempSpec(t, ".json", petstoreJSON)
+
+	mod := NewOpenAPIModule("json-api", OpenAPIConfig{
+		SpecFile: specPath,
+		BasePath: "/api",
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	paths := make(map[string]bool)
+	for _, rt := range router.routes {
+		paths[rt.method+":"+rt.path] = true
+	}
+
+	// JSON source spec: /openapi.json should be registered
+	if !paths["GET:/api/openapi.json"] {
+		t.Error("expected GET:/api/openapi.json to be registered for JSON source")
+	}
+	// /openapi.yaml should NOT be registered for a JSON source spec
+	if paths["GET:/api/openapi.yaml"] {
+		t.Error("expected GET:/api/openapi.yaml NOT to be registered for JSON source")
+	}
+}
+
 func TestOpenAPIModule_MissingSpecFile(t *testing.T) {
 	mod := NewOpenAPIModule("bad", OpenAPIConfig{})
 	if err := mod.Init(nil); err == nil {
@@ -429,6 +458,41 @@ func TestOpenAPIModule_RequestValidation_Body(t *testing.T) {
 	})
 }
 
+func TestOpenAPIModule_MaxBodySize(t *testing.T) {
+	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
+
+	mod := NewOpenAPIModule("petstore", OpenAPIConfig{
+		SpecFile:     specPath,
+		BasePath:     "/api/v1",
+		Validation:   OpenAPIValidationConfig{Request: true},
+		MaxBodyBytes: 10, // very small limit to trigger the check
+	})
+	if err := mod.Init(nil); err != nil {
+		t.Fatalf("Init: %v", err)
+	}
+
+	router := &testRouter{}
+	mod.RegisterRoutes(router)
+
+	h := router.findHandler("POST", "/api/v1/pets")
+	if h == nil {
+		t.Fatal("POST /api/v1/pets handler not found")
+	}
+
+	body := `{"name": "Fluffy", "tag": "cat"}` // 33 bytes, exceeds limit of 10
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest(http.MethodPost, "/api/v1/pets", bytes.NewBufferString(body))
+	r.Header.Set("Content-Type", "application/json")
+	h.Handle(w, r)
+
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("expected 400 for oversized body, got %d: %s", w.Code, w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), "exceeds maximum") {
+		t.Errorf("expected error message about size limit, got: %s", w.Body.String())
+	}
+}
+
 func TestOpenAPIModule_NoValidation(t *testing.T) {
 	specPath := writeTempSpec(t, ".yaml", petstoreYAML)
 
diff --git a/plugins/openapi/plugin.go b/plugins/openapi/plugin.go
index dd8d4be5..5da7840e 100644
--- a/plugins/openapi/plugin.go
+++ b/plugins/openapi/plugin.go
@@ -77,6 +77,13 @@ func (p *Plugin) ModuleFactories() map[string]plugin.ModuleFactory {
 			if v, ok := cfg["router"].(string); ok {
 				oacfg.RouterName = v
 			}
+			if v, ok := cfg["max_body_bytes"].(int); ok && v > 0 {
+				oacfg.MaxBodyBytes = int64(v)
+			} else if v, ok := cfg["max_body_bytes"].(int64); ok && v > 0 {
+				oacfg.MaxBodyBytes = v
+			} else if v, ok := cfg["max_body_bytes"].(float64); ok && v > 0 {
+				oacfg.MaxBodyBytes = int64(v)
+			}
 
 			if valCfg, ok := cfg["validation"].(map[string]any); ok {
 				if v, ok2 := valCfg["request"].(bool); ok2 {
@@ -151,9 +158,16 @@ func (p *Plugin) ModuleSchemas() []*schema.ModuleSchema {
 					DefaultValue: map[string]any{"enabled": false, "path": "/docs"},
 					Group:        "swagger_ui",
 				},
+				{
+					Key:         "max_body_bytes",
+					Label:       "Max Body Size",
+					Type:        schema.FieldTypeNumber,
+					Description: "Maximum allowed request body size in bytes when validation is enabled (default: 1048576 = 1 MiB)",
+					Placeholder: "1048576",
+					Group:       "validation",
+				},
 			},
 			DefaultConfig: map[string]any{
-				"base_path":  "/api/v1",
 				"validation": map[string]any{"request": true, "response": false},
 				"swagger_ui": map[string]any{"enabled": false, "path": "/docs"},
 			},
@@ -178,12 +192,16 @@ func (p *Plugin) WiringHooks() []plugin.WiringHook {
 func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) error {
 	// Build name→router lookup from config dependsOn
 	routerNames := make(map[string]bool)
-	openAPIDeps := make(map[string][]string) // openapi module name → dependsOn
+	serverToRouter := make(map[string]string) // http.server name → router name
+	openAPIDeps := make(map[string][]string)   // openapi module name → dependsOn
 	for _, modCfg := range cfg.Modules {
-		if modCfg.Type == "http.router" {
+		switch modCfg.Type {
+		case "http.router":
 			routerNames[modCfg.Name] = true
-		}
-		if modCfg.Type == "openapi" {
+			for _, dep := range modCfg.DependsOn {
+				serverToRouter[dep] = modCfg.Name
+			}
+		case "openapi":
 			openAPIDeps[modCfg.Name] = modCfg.DependsOn
 		}
 	}
@@ -214,7 +232,7 @@ func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) erro
 			targetRouter = routers[rName]
 		}
 
-		// 2) dependsOn router reference
+		// 2) dependsOn: direct router reference
 		if targetRouter == nil {
 			for _, dep := range openAPIDeps[oaMod.Name()] {
 				if routerNames[dep] {
@@ -226,7 +244,19 @@ func wireOpenAPIRoutes(app modular.Application, cfg *config.WorkflowConfig) erro
 			}
 		}
 
-		// 3) Fall back to first available router
+		// 3) dependsOn: server reference → follow server→router mapping
+		if targetRouter == nil {
+			for _, dep := range openAPIDeps[oaMod.Name()] {
+				if rName, ok := serverToRouter[dep]; ok {
+					if router, found := routers[rName]; found {
+						targetRouter = router
+						break
+					}
+				}
+			}
+		}
+
+		// 4) Fall back to first available router
 		if targetRouter == nil {
 			targetRouter = firstRouter
 		}