Use executor HTTP layer for GraphQL discovery

[RhysSullivan]

What changed

• Remove the unguarded GraphQL FetchHttpClient fallback in resolveTools.
• Require GraphQL discovery to use the executor-supplied HTTP layer.
• Add a regression proving the plugin uses the injected layer during schema discovery.

Why

GraphQL account creation and discovery could perform server-side introspection through an unguarded network path.

Validation

• bun --bun vitest run src/sdk/plugin.test.ts src/sdk/multi-placement-auth.test.ts from packages/plugins/graphql
• bun run --cwd packages/plugins/graphql typecheck
• bun run --cwd packages/core/sdk typecheck

Stack

Base: fix/mcp-hosted-egress-guard

Previous: #1102

Next: fix/openapi-hosted-origin-guard

[github-actions]

Cloudflare preview

Torn down — the PR is closed.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	executor-marketing	5865d0c	Commit Preview URL Branch Preview URL	Jun 23 2026, 06:15 PM

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
✅ Deployment successful! View logs	executor-cloud	5865d0c	Jun 23 2026, 06:17 PM

[pkg-pr-new]

Open in StackBlitz

@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1103

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1103

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1103

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1103

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1103

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1103

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1103

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1103

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1103

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1103

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1103

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1103

executor

npm i https://pkg.pr.new/executor@1103

commit: f2e5bc2

[greptile-apps]

Greptile Summary

This PR closes an unguarded egress path in GraphQL connection-time introspection. Previously, resolveTools fell back to FetchHttpClient.layer (raw fetch) when no plugin-level options.httpClientLayer was provided, bypassing the executor's controlled HTTP layer even though httpClientLayer was already present in ResolveToolsInput and passed by the executor.

• plugin.ts: Removes FetchHttpClient import and the httpClientLayerFallback constant; resolveTools now uses the executor-supplied httpClientLayer from its input as the default, matching the existing pattern in invokeTool and detect.
• plugin.test.ts: Adds a regression test that wires a spy HttpClient layer into createExecutor and asserts all introspection traffic flows through it, confirming the fix end-to-end.

Confidence Score: 5/5

Safe to merge. The change is a targeted, minimal fix: one fallback constant replaced by the executor-supplied layer, and a regression test that confirms the new path.

The patch removes an accidental raw-fetch escape hatch in resolveTools, wires the executor-provided layer in its place (matching the already-correct invokeTool and detect paths), and adds a spy-layer test that fails if the guard is ever re-bypassed. No behavioral regressions are introduced.

No files require special attention.

Important Files Changed

Filename	Overview
packages/plugins/graphql/src/sdk/plugin.ts	Removes unguarded FetchHttpClient fallback in resolveTools; now uses executor-supplied httpClientLayer, which was already present in ResolveToolsInput but was being ignored. The options?.httpClientLayer override is intentionally preserved for consistency with invokeTool and detect.
packages/plugins/graphql/src/sdk/plugin.test.ts	Adds a regression test that injects a spy HttpClient layer into createExecutor and asserts the plugin's connection-time introspection routes through it rather than a raw fetch.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Executor as Executor (createExecutor)
    participant RT as resolveTools
    participant Introspect as introspect()
    participant HttpLayer as httpClientLayer (executor-supplied)

    note over Executor,HttpLayer: Before this PR
    Executor->>RT: "resolveTools({ config, httpClientLayer })"
    RT->>Introspect: introspect(endpoint)
    Introspect->>Introspect: Effect.provide(FetchHttpClient.layer)
    note right of Introspect: Bypasses executor guard

    note over Executor,HttpLayer: After this PR
    Executor->>RT: "resolveTools({ config, httpClientLayer })"
    RT->>Introspect: introspect(endpoint)
    Introspect->>HttpLayer: Effect.provide(options?.httpClientLayer ?? httpClientLayer)
    HttpLayer-->>Introspect: Guarded HTTP response
    Introspect-->>RT: IntrospectionResult

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Executor as Executor (createExecutor)
    participant RT as resolveTools
    participant Introspect as introspect()
    participant HttpLayer as httpClientLayer (executor-supplied)

    note over Executor,HttpLayer: Before this PR
    Executor->>RT: "resolveTools({ config, httpClientLayer })"
    RT->>Introspect: introspect(endpoint)
    Introspect->>Introspect: Effect.provide(FetchHttpClient.layer)
    note right of Introspect: Bypasses executor guard

    note over Executor,HttpLayer: After this PR
    Executor->>RT: "resolveTools({ config, httpClientLayer })"
    RT->>Introspect: introspect(endpoint)
    Introspect->>HttpLayer: Effect.provide(options?.httpClientLayer ?? httpClientLayer)
    HttpLayer-->>Introspect: Guarded HTTP response
    Introspect-->>RT: IntrospectionResult

Loading

_{Reviews (2): Last reviewed commit: "Use executor HTTP layer for GraphQL disc..." | Re-trigger Greptile}

[RhysSullivan]

Superseded by batch merge #1106.