feat(car-sharing): authz-aware OpenAPI generation #34
Add OpenAPI v3.1 generation that reflects Connectum's proto authz, so the
published contract cannot drift from what the gateway enforces at runtime.
- buf.gen.openapi.yaml: separate template (inputs: proto) running the
sudorandom/protoc-gen-connect-openapi buf remote plugin, kept apart from the
offline buf.gen.yaml so the network plugin never runs during buf:generate.
- scripts/openapi-authz.ts: overlay that reads connectum.auth.v1 options via
resolveMethodAuth — the same reader createProtoAuthzInterceptor uses — and
injects per-operation security (bearerAuth), security: [] +
x-connectum-public for public methods, and x-connectum-required-roles/-scopes.
- openapi/{trips,fleet,billing}/v1/*.openapi.yaml: the committed showcase output.
- package.json: `pnpm openapi` script (base gen → authz overlay) + yaml devDep.
- README: "OpenAPI — the published contract reflects the authz" section.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MdeH7fExPmiRHRirGuvGk3
Caution: Review failed. The pull request is closed.
Walkthrough: Adds a two-step OpenAPI generation pipeline to the car-sharing example. A new
Changes: OpenAPI Generation Pipeline
Estimated code review effort: 3 (Moderate) | ~20 minutes
What

Adds OpenAPI v3.1 generation to the `car-sharing` example so the published contract reflects Connectum's proto authz — the same options `createProtoAuthzInterceptor` enforces at runtime also drive the spec, so the two cannot drift.

How

Two decoupled steps, run via `pnpm openapi`:

- `buf.gen.openapi.yaml` (separate from the offline `buf.gen.yaml`) runs the `sudorandom/protoc-gen-connect-openapi` buf remote plugin → OpenAPI v3.1 under `openapi/`. Isolated so the network plugin never runs during `buf:generate` / tests.
- `scripts/openapi-authz.ts` reads `connectum.auth.v1` options via `resolveMethodAuth` (the same reader the runtime interceptor uses) and injects per-operation `security` (`bearerAuth`), `security: []` + `x-connectum-public` for public methods, and `x-connectum-required-roles`/`-scopes`.

Verified

- `TripService` (4 methods): `StartTrip` / `GetTrip` → `bearerAuth` (secured); `EndTrip` / `RecordTrip` → `security: []` + `x-connectum-public` (tokenless worker RPCs). Confirmed against the generated `openapi/trips/v1/trips.openapi.yaml` paths.
- `FleetService.ListVehicles` is server-streaming → no operation in the base spec (overlay skips it); `fleet` / `billing` are public.
- `pnpm typecheck` ✓ · `pnpm test` 39/39 ✓
- `@connectum/auth` 1.0.0 (the `./proto` subpath export). No published-package change.

Design rationale: ADR-030; usage: the OpenAPI guide (docs PR).
🤖 Generated with Claude Code
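A CI lint over the overlaid spec, as an added example that is not part of this PR or of Connectum's code: it flags operations whose auth metadata is missing or contradictory, which is how drift between the overlay and the committed YAML would show up. It assumes `x-connectum-public` is the boolean `true`, uses constructed path names, and treats every key under a path as an operation.

```typescript
// Added example: audit of an already-parsed OpenAPI document (no YAML parsing here).
type SecurityRequirement = Record<string, string[]>;
interface Operation {
  security?: SecurityRequirement[];
  "x-connectum-public"?: boolean; // assumption: the overlay writes a boolean flag
  "x-connectum-required-roles"?: string[];
}
interface OpenApiDoc {
  paths: Record<string, Record<string, Operation>>; // simplified: operation keys only
  components?: { securitySchemes?: Record<string, unknown> };
}

// Returns one finding per problem; an empty array means the spec is consistent.
function auditAuthz(doc: OpenApiDoc): string[] {
  const findings: string[] = [];
  const schemes = doc.components?.securitySchemes ?? {};
  for (const [path, item] of Object.entries(doc.paths)) {
    for (const [verb, op] of Object.entries(item)) {
      const id = `${verb.toUpperCase()} ${path}`;
      const isPublic = op["x-connectum-public"] === true;
      if (op.security === undefined) {
        // Without its own `security`, the operation inherits the document default.
        findings.push(`${id}: no explicit security`);
      } else if (op.security.length === 0 && !isPublic) {
        findings.push(`${id}: security: [] without x-connectum-public`);
      } else if (op.security.length > 0 && isPublic) {
        findings.push(`${id}: marked public but requires credentials`);
      }
      for (const req of op.security ?? []) {
        for (const name of Object.keys(req)) {
          if (!(name in schemes)) findings.push(`${id}: unknown scheme ${name}`);
        }
      }
      if (isPublic && (op["x-connectum-required-roles"]?.length ?? 0) > 0) {
        findings.push(`${id}: public operation lists required roles`);
      }
    }
  }
  return findings;
}

// Constructed sample: one secured and one public operation, plus one the overlay missed.
const sampleDoc: OpenApiDoc = {
  components: { securitySchemes: { bearerAuth: { type: "http", scheme: "bearer" } } },
  paths: {
    "/trips.v1.TripService/StartTrip": { post: { security: [{ bearerAuth: [] }] } },
    "/trips.v1.TripService/EndTrip": { post: { security: [], "x-connectum-public": true } },
    "/trips.v1.TripService/GetTrip": { post: {} },
  },
};
const sampleFindings = auditAuthz(sampleDoc);
```

Failing the build when the returned array is non-empty turns a silently un-annotated operation into a visible error.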