fix: resolve all validate-schemas violations #663
- badge/api.yml: add BadgePayload schema; use it in POST requestBody instead of Badge
- design/design.yaml: add additionalProperties: false at top level
- design/api.yml: replace DELETE /api/content/patterns (with body) with POST /api/content/patterns/delete
- event/api.yml: replace DELETE /events (with body) with POST /events/delete
- invitation/api.yml: add InvitationPayload schema; use it in POST and PUT requestBodies instead of Invitation
Pull request overview
This PR updates several v1beta1 OpenAPI/JSON schemas to satisfy make validate-schemas rules (notably: write-payload schemas for POST/PUT, additionalProperties: false on entity schemas, and avoiding DELETE request bodies by introducing POST /delete sub-resources).
Changes:
- Introduces dedicated `*Payload` schemas for badge and invitation write operations and updates POST/PUT request bodies to reference them.
- Replaces bulk DELETE endpoints that used request bodies with POST `{resource}/delete` endpoints.
- Tightens the Design entity JSON schema by setting `additionalProperties: false` at the top level.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| schemas/constructs/v1beta1/invitation/api.yml | Switches POST/PUT requestBody to InvitationPayload and adds the payload schema. |
| schemas/constructs/v1beta1/event/api.yml | Replaces bulk DELETE-with-body with POST /events/delete. |
| schemas/constructs/v1beta1/design/design.yaml | Adds additionalProperties: false at the top-level entity schema. |
| schemas/constructs/v1beta1/design/api.yml | Replaces bulk DELETE-with-body with POST /api/content/patterns/delete. |
| schemas/constructs/v1beta1/badge/api.yml | Switches requestBody to BadgePayload and adds the payload schema. |
| owner_id: | ||
| $ref: "../../v1alpha1/core/api.yml#/components/schemas/uuid" | ||
| description: ID of the user who created the invitation. | ||
| x-oapi-codegen-extra-tags: | ||
| db: "owner_id" | ||
| json: "owner_id,omitempty" | ||
|
|
||
| is_default: | ||
| type: boolean | ||
| description: Indicates whether the invitation is a default invitation (open invite). | ||
| x-oapi-codegen-extra-tags: | ||
| db: "is_default" | ||
| json: "is_default,omitempty" | ||
|
|
InvitationPayload is described as a client write payload, but it still exposes server-controlled fields like owner_id (and is_default immediately below) in the request schema. If the backend binds these fields, clients could spoof ownership / default-invite state. Consider removing these fields from the payload schema (or marking them readOnly and ensuring the server ignores them) so only client-settable fields are accepted.
| owner_id: | |
| $ref: "../../v1alpha1/core/api.yml#/components/schemas/uuid" | |
| description: ID of the user who created the invitation. | |
| x-oapi-codegen-extra-tags: | |
| db: "owner_id" | |
| json: "owner_id,omitempty" | |
| is_default: | |
| type: boolean | |
| description: Indicates whether the invitation is a default invitation (open invite). | |
| x-oapi-codegen-extra-tags: | |
| db: "is_default" | |
| json: "is_default,omitempty" |
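The concern raised in the comment above, as an added Go example (not code from this PR or the project): binding a request body straight into the entity keeps client-supplied `owner_id` and `is_default`, while a separate payload type with strict decoding rejects them. The struct fields, the `Name` property, and the function names `BindEntity` and `NewInvitation` are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Invitation is a hypothetical stored entity. OwnerID and IsDefault are server-controlled.
type Invitation struct {
	Name      string `json:"name" db:"name"`
	OwnerID   string `json:"owner_id,omitempty" db:"owner_id"`
	IsDefault bool   `json:"is_default,omitempty" db:"is_default"`
}

// InvitationPayload is a hypothetical write DTO: json tags only, no owner_id or is_default.
type InvitationPayload struct {
	Name string `json:"name"`
}

// BindEntity shows the risky pattern: the body is decoded straight into the
// entity, so any owner_id or is_default the client sends is kept.
func BindEntity(body string) (Invitation, error) {
	var inv Invitation
	err := json.Unmarshal([]byte(body), &inv)
	return inv, err
}

// NewInvitation decodes strictly into the payload type and takes the owner
// from the authenticated caller, never from the request body.
func NewInvitation(body, authUserID string) (Invitation, error) {
	dec := json.NewDecoder(strings.NewReader(body))
	dec.DisallowUnknownFields() // runtime counterpart of additionalProperties: false
	var p InvitationPayload
	if err := dec.Decode(&p); err != nil {
		return Invitation{}, fmt.Errorf("invalid invitation payload: %w", err)
	}
	if p.Name == "" {
		return Invitation{}, errors.New("name is required")
	}
	return Invitation{Name: p.Name, OwnerID: authUserID, IsDefault: false}, nil
}

func main() {
	// Constructed request body in which the client tries to set server-controlled fields.
	body := `{"name":"team","owner_id":"someone-else","is_default":true}`
	spoofed, _ := BindEntity(body)
	fmt.Println("direct bind owner:", spoofed.OwnerID, "default:", spoofed.IsDefault)
	_, err := NewInvitation(body, "caller")
	fmt.Println("strict payload:", err)
}
```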
| x-oapi-codegen-extra-tags: | ||
| db: "id" | ||
| json: "id,omitempty" | ||
|
|
||
| org_id: | ||
| $ref: "../../v1alpha1/core/api.yml#/components/schemas/uuid" | ||
| description: The ID of the organization in which this badge is available. | ||
| x-oapi-codegen-extra-tags: | ||
| db: "org_id" | ||
| json: "org_id" |
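Review bot: the tag pair at the top of this hunk (db: "id", json: "id,omitempty") indicates BadgePayload carries an id alongside org_id, so the handler needs to check that a client-supplied id refers to a badge in that same org_id before writing. If POST is create-only, drop id from the payload and let the server assign it; if it doubles as an update, document that and enforce the ownership check.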
BadgePayload includes db struct tags via x-oapi-codegen-extra-tags. In this repo, *Payload schemas typically only specify json (and sometimes yaml) tags and avoid db tags to keep request/response DTOs separate from DB models (e.g., ConnectionPayload in schemas/constructs/v1beta1/connection/api.yml). Consider removing the db tags from BadgePayload properties.
| required: | ||
| - label | ||
| - name | ||
| - org_id | ||
| - description | ||
| - image_url |
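Review bot: org_id in the required list means the organization is chosen by the request body, so schema validation alone does not stop a caller from naming an organization they do not belong to. The handler should verify the authenticated user's rights in that org_id (or take the organization from the route), and a test should cover a mismatched org_id being rejected.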
BadgePayload marks label as required, but its description says it is auto generated. If label is server-generated, it shouldn’t be required/accepted in the write payload (and should be readOnly on the response schema). If it’s client-provided, update the description to match.
| content: | ||
| application/json: | ||
| schema: | ||
| $ref: "#/components/schemas/Badge" | ||
| $ref: "#/components/schemas/BadgePayload" | ||
| required: true |
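Review bot: with both $ref lines under schema this is the Badge to BadgePayload swap, and it only narrows what the endpoint accepts if BadgePayload itself sets additionalProperties: false, which nothing in the hunk shows. Without it, a body that still carries the old Badge fields passes validation, so set it on the payload schema as this PR does for Design and add a negative test case.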
PR goal is to resolve validate-schemas violations, but this file still contains operationIds like deleteBadgeByID / getBadgeByID which violate Rule 3 (lower camelCase; "Id" suffix, not "ID"). These will keep make validate-schemas failing until renamed (e.g., deleteBadgeById, getBadgeById).
| x-oapi-codegen-extra-tags: | ||
| db: "owner_id" | ||
| json: "owner_id,omitempty" | ||
|
|
||
| is_default: | ||
| type: boolean | ||
| description: Indicates whether the invitation is a default invitation (open invite). | ||
| x-oapi-codegen-extra-tags: | ||
| db: "is_default" | ||
| json: "is_default,omitempty" |
InvitationPayload properties include db tags via x-oapi-codegen-extra-tags. Other write payload schemas in this repo typically avoid db tags (keeping DB models separate from request DTOs). Consider removing db tags from InvitationPayload fields unless this payload type is intentionally used as a persistence model.
Summary
- `BadgePayload` schema with only client-settable fields; updated `POST /api/organizations/badges` requestBody to reference `BadgePayload` instead of `Badge`
- `additionalProperties: false` at top level to prevent unknown fields in generated structs
- `DELETE /api/content/patterns` (with requestBody) with `POST /api/content/patterns/delete` per bulk-delete REST convention
- `DELETE /events` (with requestBody) with `POST /events/delete` per bulk-delete REST convention
- `InvitationPayload` schema with only client-settable fields; updated `POST` and `PUT` requestBodies to reference `InvitationPayload` instead of `Invitation`

Test plan
- `make validate-schemas` — should report 0 violations
- `make build` to verify generated Go structs and TypeScript types are valid
- `go test ./...` to verify no Go compilation errors
- `npm run build` to verify TypeScript distribution builds cleanly