Adjust names of security schemes to match prefixed name

[StratusFearMe21]

This PR fixes how security schemes are referenced when there are multiple input files. Each security scheme referenced in each path should have the same prefixes that are applied to the securitySchemes component when multiple files are used.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 91ab2b0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

@StratusFearMe21 is attempting to deploy a commit to the Hey API Team on Vercel.

A member of the Team first needs to authorize it.

[pullfrog]

No new issues found.

TL;DR — When merging multiple OpenAPI specs, components.securitySchemes entries are renamed with a per-source prefix, but operation/path-level security requirements were not, leaving them pointing at the original (now non-existent) scheme names. This PR rewrites the keys of every security requirement object during cloneAndRewrite, so the references match the renamed components.

Key changes

• Prefix security requirement keys to match renamed schemes — In cloneAndRewrite, security requirement objects get each key rewritten to ${opIdPrefix}_${key}, matching the prefix applied to components.securitySchemes entries.

_{Summary ｜ 1 file ｜ 1 commit ｜ base: main ← fix-merged-security-schemes}

Before: Operation-level security: [{ apiKey: [] }] survived merging unchanged while the matching components.securitySchemes.apiKey was renamed to <prefix>_apiKey, leaving a dangling reference.
After: Both sides get the same <prefix>_apiKey name, so the merged document is internally consistent.

The new branch is placed before the operationId handler in the same per-key chain; opIdPrefix is the same per-source prefix used for the components rename at line 505, so the strings match exactly. Empty/opt-out shapes (security: [], security: [{}]) and AND-shaped multi-key requirements ({ a: [], b: [] }) are handled correctly by the plain Object.entries(s) walk.

packages/json-schema-ref-parser/src/index.ts

  ^{｜ View workflow run ｜ Using Claude Opus ｜ 𝕏}

[codecov]

Codecov Report

❌ Patch coverage is 93.75000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 39.64%. Comparing base (1721aa6) to head (91ab2b0).
⚠️ Report is 10 commits behind head on main.

Files with missing lines	Patch %	Lines
packages/json-schema-ref-parser/src/index.ts	93.75%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3861      +/-   ##
==========================================
+ Coverage   39.58%   39.64%   +0.06%     
==========================================
  Files         532      532              
  Lines       19581    19592      +11     
  Branches     5835     5833       -2     
==========================================
+ Hits         7751     7768      +17     
+ Misses       9582     9575       -7     
- Partials     2248     2249       +1     

Flag	Coverage Δ
unittests	39.64% <93.75%> (+0.06%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[pkg-pr-new]

Open in StackBlitz

@hey-api/codegen-core

npm i https://pkg.pr.new/@hey-api/codegen-core@3861

@hey-api/json-schema-ref-parser

npm i https://pkg.pr.new/@hey-api/json-schema-ref-parser@3861

@hey-api/nuxt

npm i https://pkg.pr.new/@hey-api/nuxt@3861

@hey-api/openapi-ts

npm i https://pkg.pr.new/@hey-api/openapi-ts@3861

@hey-api/shared

npm i https://pkg.pr.new/@hey-api/shared@3861

@hey-api/spec-types

npm i https://pkg.pr.new/@hey-api/spec-types@3861

@hey-api/types

npm i https://pkg.pr.new/@hey-api/types@3861

@hey-api/vite-plugin

npm i https://pkg.pr.new/@hey-api/vite-plugin@3861

commit: 91ab2b0

[mrlubos]

@StratusFearMe21 can you add a test please?

[StratusFearMe21]

Done, the test has been added 👌. In order to make the bug testable, I did have to modify how the $id field is handled in the getResolvedInput function so that an $id can be added to an OpenAPI schema without it's type changing to url.