Add tooling to auto-generate server.schema.json from OpenAPI spec (#629)

This PR adds a Go tool that extracts the ServerDetail schema from
openapi.yaml and generates server.schema.json, ensuring the two specs
stay in sync.

## Key Changes

### New Tooling
- **Go tool** at `tools/extract-server-schema/` that auto-discovers all
schemas referenced by ServerDetail and extracts them from OpenAPI
- **make targets**: `generate-schema` (generates schema) and
`check-schema` (verifies sync)
- `check-schema` is now included in `make validate` and `make check`

### Preserved Validation Constraints
The initial auto-generated schema lost many important validation rules
and descriptive guidance from the hand-crafted version. The OpenAPI spec
has been updated to preserve:

**Security & Descriptions:**
- Command injection security warning on Arguments
- Detailed field descriptions with usage guidance  
- `placeholder` field for Input schema

**Validation Constraints:**
- `fileSha256` pattern validation (`^[a-f0-9]{64}$`)
- Package version restrictions (minLength: 1, no "latest")
- `transport` as required field in Package
- ServerDetail `name` pattern and length constraints (3-200 chars)
- Description, title, and version length limits

**Documentation:**
- Repository field descriptions (url, source, id, subfolder)
- PositionalArgument `valueHint` explains transport URL substitution
- Updated examples to match hand-crafted version (Weather API theme)

**Intentional Changes:**
- Removed `additionalProperties` constraints for flexibility
- Updated schema title to be more descriptive
- Added `$comment` noting auto-generation

See the commit "Preserve validation constraints in auto-generated
server.schema.json" for details.

### Fixed Missing Package.transport
- Added `transport` field to OpenAPI Package schema (was in Go model at
`pkg/model/types.go:30` but missing from OpenAPI)
- Split transport types into three separate schemas with proper
discriminated unions:
  - `StdioTransport` - Only requires `type: stdio`
- `StreamableHttpTransport` - Requires `type` and `url`, supports
`headers`
  - `SseTransport` - Requires `type` and `url`, supports `headers`
- `Package.transport` uses `anyOf` with all three types
- `ServerDetail.remotes` uses `anyOf` with only remote types (no stdio)

### Other Improvements
- Added `GOTOOLCHAIN=auto` to Makefile for Go 1.25 compatibility
- Added `DRIFT_ANALYSIS.md` documenting all schema drift issues found
between specs

## Benefits

**Single Source of Truth**: The OpenAPI spec now serves as the
authoritative schema definition, with server.schema.json automatically
derived from it.

**Better Validation**: All critical validation rules (patterns, length
constraints, required fields) and security warnings are preserved in the
generated schema.

**Improved Developer Experience**: 
- Schema changes only need to be made in one place (openapi.yaml)
- CI validation ensures specs never drift apart
- Clear auto-generation comment prevents manual edits

## Validation
✅ All 20 examples validate correctly
✅ Lint passes with 0 issues
✅ Schema is in sync with OpenAPI
✅ All validation constraints from hand-crafted schema preserved

---------

Co-authored-by: Claude <[email protected]>

Author: domdomegg

Makefile

@@ -1,4 +1,4 @@
-.PHONY: help build test test-unit test-integration test-endpoints test-publish test-all lint lint-fix validate validate-schemas validate-examples check dev-compose clean publisher
+.PHONY: help build test test-unit test-integration test-endpoints test-publish test-all lint lint-fix validate validate-schemas validate-examples check dev-compose clean publisher generate-schema check-schema
 
 # Default target
 help: ## Show this help message
@@ -14,6 +14,17 @@ publisher: ## Build the publisher tool with version info
 	@mkdir -p bin
 	go build -ldflags="-X main.Version=dev-$(shell git rev-parse --short HEAD) -X main.GitCommit=$(shell git rev-parse HEAD) -X main.BuildTime=$(shell date -u +%Y-%m-%dT%H:%M:%SZ)" -o bin/mcp-publisher ./cmd/publisher
 
+# Schema generation targets
+generate-schema: ## Generate server.schema.json from openapi.yaml
+	@mkdir -p bin
+	go build -o bin/extract-server-schema ./tools/extract-server-schema
+	@./bin/extract-server-schema
+
+check-schema: ## Check if server.schema.json is in sync with openapi.yaml
+	@mkdir -p bin
+	go build -o bin/extract-server-schema ./tools/extract-server-schema
+	@./bin/extract-server-schema -check
+
 # Test targets
 test-unit: ## Run unit tests with coverage (requires PostgreSQL)
 	@echo "Starting PostgreSQL for unit tests..."
@@ -45,6 +56,7 @@ test-all: test-unit test-integration ## Run all tests (unit and integration)
 # Validation targets
 validate-schemas: ## Validate JSON schemas
 	./tools/validate-schemas.sh
+	@$(MAKE) check-schema
 
 validate-examples: ## Validate examples against schemas
 	./tools/validate-examples.sh

docs/reference/api/openapi.yaml

@@ -220,23 +220,27 @@ components:
   schemas:
     Repository:
       type: object
+      description: "Repository metadata for the MCP server source code. Enables users and security experts to inspect the code, improving transparency."
       required:
         - url
         - source
       properties:
         url:
           type: string
           format: uri
+          description: "Repository URL for browsing source code. Should support both web browsing and git clone operations."
           example: "https://github.com/modelcontextprotocol/servers"
         source:
           type: string
+          description: "Repository hosting service identifier. Used by registries to determine validation and API access methods."
           example: "github"
         id:
           type: string
+          description: "Repository identifier from the hosting service (e.g., GitHub repo ID). Owned and determined by the source forge. Should remain stable across repository renames and may be used to detect repository resurrection attacks - if a repository is deleted and recreated, the ID should change. For GitHub, use: gh api repos/<owner>/<repo> --jq '.id'"
           example: "b94b5f7e-c7c6-d760-2c78-a5e9b8a5b8c9"
         subfolder:
           type: string
-          description: "Optional relative path from repository root to the server location within a monorepo structure"
+          description: "Optional relative path from repository root to the server location within a monorepo or nested package structure. Must be a clean relative path."
           example: "src/everything"
 
     ServerList:
@@ -267,6 +271,7 @@ components:
         - registryType
         - identifier
         - version
+        - transport
       properties:
         registryType:
           type: string
@@ -296,16 +301,26 @@ components:
             - "https://github.com/example/releases/download/v1.0.0/package.mcpb"
         version:
           type: string
-          description: Package version
+          description: "Package version. Must be a specific version. Version ranges are rejected (e.g., '^1.2.3', '~1.2.3', '>=1.2.3', '1.x', '1.*')."
           example: "1.0.2"
+          minLength: 1
+          not:
+            const: "latest"
         fileSha256:
           type: string
-          description: SHA-256 hash of the package file for integrity verification.
+          description: "SHA-256 hash of the package file for integrity verification. Required for MCPB packages and optional for other package types. Authors are responsible for generating correct SHA-256 hashes when creating server.json. If present, MCP clients must validate the downloaded file matches the hash before running packages to ensure file integrity."
           example: "fe333e598595000ae021bd27117db32ec69af6987f507ba7a63c90638ff633ce"
+          pattern: "^[a-f0-9]{64}$"
         runtimeHint:
           type: string
           description: A hint to help clients determine the appropriate runtime for the package. This field should be provided when `runtimeArguments` are present.
-          examples: [npx, uvx, dnx]
+          examples: [npx, uvx, docker, dnx]
+        transport:
+          anyOf:
+            - $ref: '#/components/schemas/StdioTransport'
+            - $ref: '#/components/schemas/StreamableHttpTransport'
+            - $ref: '#/components/schemas/SseTransport'
+          description: Transport protocol configuration for the package
         runtimeArguments:
           type: array
           description: A list of arguments to be passed to the package's runtime command (such as docker or npx). The `runtimeHint` field should be provided when `runtimeArguments` are present.
@@ -333,16 +348,13 @@ components:
           default: false
         format:
           type: string
-          description: |
-            Specifies the input format. Supported values include `filepath`, which should be interpreted as a file on the user's filesystem.
-
-            When the input is converted to a string, booleans should be represented by the strings "true" and "false", and numbers should be represented as decimal values.
+          description: "Specifies the input format. Supported values include `filepath`, which should be interpreted as a file on the user's filesystem.\n\nWhen the input is converted to a string, booleans should be represented by the strings \"true\" and \"false\", and numbers should be represented as decimal values."
           enum: [string, number, boolean, filepath]
           default: string
         value:
           type: string
           description: |
-            The default value for the input. If this is not set, the user may be prompted to provide a value. If a value is set, it should not be configurable by end users.
+            The value for the input. If this is not set, the user may be prompted to provide a value. If a value is set, it should not be configurable by end users.
 
             Identifiers wrapped in `{curly_braces}` will be replaced with the corresponding properties from the input `variables` map. If an identifier in braces is not found in `variables`, or if `variables` is not provided, the `{curly_braces}` substring should remain unchanged.
         isSecret:
@@ -351,7 +363,10 @@ components:
           default: false
         default:
           type: string
-          description: The default value for the input.
+          description: "The default value for the input.  This should be a valid value for the input.  If you want to provide input examples or guidance, use the `placeholder` field instead."
+        placeholder:
+          type: string
+          description: "A placeholder for the input to be displaying during configuration. This is used to provide examples or guidance about the expected form or content of the input."
         choices:
           type: array
           description: A list of possible values for the input. If provided, the user must select one of these values.
@@ -384,17 +399,17 @@ components:
               example: "positional"
             valueHint:
               type: string
-              description: An identifier-like hint for the value. This is not part of the command line, but can be used by client configuration and to provide hints to users.
+              description: "An identifier for the positional argument. It is not part of the command line. It may be used by client configuration as a label identifying the argument. It is also used to identify the value in transport URL variable substitution."
               example: file_path
             isRepeated:
               type: boolean
               description: Whether the argument can be repeated multiple times in the command line.
               default: false
           anyOf:
-            - required:
-                - value
             - required:
                 - valueHint
+            - required:
+                - value
 
     NamedArgument:
       description: A command-line `--flag={value}`.
@@ -431,25 +446,58 @@ components:
               example: SOME_VARIABLE
 
     Argument:
+      description: "Warning: Arguments construct command-line parameters that may contain user-provided input. This creates potential command injection risks if clients execute commands in a shell environment. For example, a malicious argument value like ';rm -rf ~/Development' could execute dangerous commands. Clients should prefer non-shell execution methods (e.g., posix_spawn) when possible to eliminate injection risks entirely. Where not possible, clients should obtain consent from users or agents to run the resolved command before execution."
       anyOf:
         - $ref: '#/components/schemas/PositionalArgument'
         - $ref: '#/components/schemas/NamedArgument'
 
-    Remote:
+    StdioTransport:
+      type: object
+      required:
+        - type
+      properties:
+        type:
+          type: string
+          enum: [stdio]
+          description: Transport type
+          example: "stdio"
+
+    StreamableHttpTransport:
       type: object
       required:
         - type
         - url
       properties:
         type:
           type: string
-          enum: [streamable-http, sse]
-          description: Transport protocol type
+          enum: [streamable-http]
+          description: Transport type
+          example: "streamable-http"
+        url:
+          type: string
+          description: URL template for the streamable-http transport. Variables in {curly_braces} reference argument valueHints, argument names, or environment variable names. After variable substitution, this should produce a valid URI.
+          example: "https://api.example.com/mcp"
+        headers:
+          type: array
+          description: HTTP headers to include
+          items:
+            $ref: '#/components/schemas/KeyValueInput'
+
+    SseTransport:
+      type: object
+      required:
+        - type
+        - url
+      properties:
+        type:
+          type: string
+          enum: [sse]
+          description: Transport type
           example: "sse"
         url:
           type: string
           format: uri
-          description: Remote server URL
+          description: Server-Sent Events endpoint URL
           example: "https://mcp-fs.example.com/sse"
         headers:
           type: array
@@ -459,7 +507,7 @@ components:
 
     Icon:
       type: object
-      description: An optionally-sized icon that can be displayed in a user interface
+      description: An optionally-sized icon that can be displayed in a user interface.
       required:
         - src
       properties:
@@ -498,22 +546,31 @@ components:
       properties:
         name:
           type: string
-          description: "Reverse DNS name of the MCP server"
-          example: "io.github.modelcontextprotocol/filesystem"
+          description: "Server name in reverse-DNS format. Must contain exactly one forward slash separating namespace from server name."
+          example: "io.github.user/weather"
+          minLength: 3
+          maxLength: 200
+          pattern: "^[a-zA-Z0-9.-]+/[a-zA-Z0-9._-]+$"
         description:
           type: string
-          description: "Human-readable description of the server's functionality"
-          example: "Node.js server implementing Model Context Protocol (MCP) for filesystem operations."
+          description: "Clear human-readable explanation of server functionality. Should focus on capabilities, not implementation details."
+          example: "MCP server providing weather data and forecasts via OpenWeatherMap API"
+          minLength: 1
+          maxLength: 100
         title:
           type: string
           description: "Optional human-readable title or display name for the MCP server. MCP subregistries or clients MAY choose to use this for display purposes."
-          example: "Filesystem"
+          example: "Weather API"
+          minLength: 1
+          maxLength: 100
         repository:
           $ref: '#/components/schemas/Repository'
+          description: "Optional repository metadata for the MCP server source code. Recommended for transparency and security inspection."
         version:
           type: string
           example: "1.0.2"
-          description: "Version string for this server. SHOULD follow semantic versioning (e.g., '1.0.2', '2.1.0-alpha'). Equivalent of Implementation.version in MCP specification."
+          description: "Version string for this server. SHOULD follow semantic versioning (e.g., '1.0.2', '2.1.0-alpha'). Equivalent of Implementation.version in MCP specification. Non-semantic versions are allowed but may not sort predictably. Version ranges are rejected (e.g., '^1.2.3', '~1.2.3', '>=1.2.3', '1.x', '1.*')."
+          maxLength: 255
         websiteUrl:
           type: string
           format: uri
@@ -536,14 +593,16 @@ components:
         remotes:
           type: array
           items:
-            $ref: '#/components/schemas/Remote'
+            anyOf:
+              - $ref: '#/components/schemas/StreamableHttpTransport'
+              - $ref: '#/components/schemas/SseTransport'
         _meta:
           type: object
-          description: Extension metadata using reverse DNS namespacing
+          description: "Extension metadata using reverse DNS namespacing for vendor-specific data"
           properties:
             io.modelcontextprotocol.registry/publisher-provided:
               type: object
-              description: Publisher-specific metadata and build information
+              description: "Publisher-provided metadata for downstream registries"
               additionalProperties: true
               example:
                 tool: "publisher-cli"