feat: publish OpenAPI 3.1 spec and add CI contract validation#207
Merged
robertocarlous merged 1 commit intoJun 23, 2026
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #165
What was implemented
docs/openapi.yaml— OpenAPI 3.1 specificationA complete machine-readable API contract covering all route groups mentioned in the issue:
healthGET /health,GET /health/readyauthGET /api/auth/challenge,POST /api/auth/verify,POST /api/auth/logoutportfolioGET /api/portfolio,POST /api/portfolio/query(NLP)transactionsGET /api/transactions(paginated, filterable by type)depositPOST /api/depositwithdrawPOST /api/withdrawvaultGET /api/vault,POST /api/vault/deposit,POST /api/vault/withdrawadminGET /api/admin/users,GET /api/admin/statsAll three security schemes are documented:
BearerAuth— JWT from/api/auth/verify, used on all authenticated routesAdminToken—X-Admin-Tokenheader for/api/admin/*InternalToken—X-Internal-Tokenfor service-to-service callsReusable schemas are defined for
ErrorResponse,Portfolio,Position,Transaction,VaultPosition,AuthChallengeResponse,AuthVerifyRequest/Response, andHealthResponse. Amount fields usestringtype throughout to avoid IEEE 754 precision loss on financial values..github/workflows/api-contract.yml— CI enforcementTwo-job pipeline that runs on any PR touching
docs/openapi.yamlorsrc/routes/**:validate-spec— installs@redocly/cli, runsredocly lint(catches schema errors, missing$reftargets, broken rules), thenredocly bundleto verify all references resolve.contract-tests— builds and starts the server, then runs smoke tests:GET /healthreturns HTTP 200status,timestamp,version,environment)/api/portfolio,/api/transactions,/api/vault) return 401 when called without a tokenREADME.md— API documentation entry pointAdded a root README with:
npx @redocly/cli preview-docs docs/openapi.yamlcommand for local rendering