extends: "spectral:oas" rules: # INFO / METADATA info-title-format: description: API title must start with "AhaSend" severity: warn given: "$.info.title" then: function: pattern functionOptions: match: "^AhaSend" info-description-required: description: API must have a non-empty description severity: error given: "$.info" then: field: description function: truthy info-version-required: description: API must specify a version severity: error given: "$.info" then: field: version function: truthy info-contact-email: description: API contact email should be provided severity: warn given: "$.info.contact" then: field: email function: truthy # OPENAPI VERSION openapi-version: description: Use OpenAPI 3.x severity: warn given: "$" then: field: openapi function: truthy # SERVERS servers-defined: description: Servers array must be defined and non-empty severity: error given: "$" then: field: servers function: truthy servers-https-only: description: Server URLs must use HTTPS severity: error given: "$.servers[*].url" then: function: pattern functionOptions: match: "^https://" # PATHS — NAMING CONVENTIONS paths-kebab-case: description: Path segments must use kebab-case severity: warn given: "$.paths[*]~" then: function: pattern functionOptions: match: "^(\/([a-z0-9{}-])+)*\/?$" paths-no-trailing-slash: description: Paths must not end with a trailing slash severity: warn given: "$.paths[*]~" then: function: pattern functionOptions: notMatch: "\/$" # OPERATIONS operation-summary-required: description: Every operation must have a summary severity: error given: "$.paths[*][get,post,put,patch,delete,head,options]" then: field: summary function: truthy operation-summary-prefix: description: Operation summaries must start with "AhaSend" severity: warn given: "$.paths[*][get,post,put,patch,delete].summary" then: function: pattern functionOptions: match: "^AhaSend" operation-description-required: description: Every operation must have a description severity: warn given: "$.paths[*][get,post,put,patch,delete,head,options]" then: field: description function: truthy operation-id-required: description: Every operation must have an operationId severity: error given: "$.paths[*][get,post,put,patch,delete,head,options]" then: field: operationId function: truthy operation-id-camel-case: description: operationId must use camelCase severity: warn given: "$.paths[*][get,post,put,patch,delete].operationId" then: function: pattern functionOptions: match: "^[a-z][a-zA-Z0-9]*$" operation-tags-required: description: Every operation must have at least one tag severity: warn given: "$.paths[*][get,post,put,patch,delete,head,options]" then: field: tags function: truthy # PARAMETERS parameter-description-required: description: All parameters must have a description severity: warn given: "$.paths[*][get,post,put,patch,delete].parameters[*]" then: field: description function: truthy parameter-schema-required: description: All parameters must have a schema severity: error given: "$.paths[*][get,post,put,patch,delete].parameters[*]" then: field: schema function: truthy # REQUEST BODIES request-body-description: description: Request bodies should have a description severity: warn given: "$.paths[*][post,put,patch].requestBody" then: field: description function: truthy # RESPONSES response-success-required: description: Operations must have a 2xx success response severity: error given: "$.paths[*][get,post,put,patch,delete].responses" then: function: schema functionOptions: schema: oneOf: - required: ["200"] - required: ["201"] - required: ["204"] response-description-required: description: All responses must have a description severity: error given: "$.paths[*][get,post,put,patch,delete].responses[*]" then: field: description function: truthy # SCHEMAS schema-property-description: description: Top-level schema properties should have descriptions severity: info given: "$.components.schemas[*].properties[*]" then: field: description function: truthy schema-type-required: description: Schema properties should have a type defined severity: warn given: "$.components.schemas[*].properties[*]" then: field: type function: truthy # SECURITY security-schemes-defined: description: Security schemes must be defined severity: error given: "$.components.securitySchemes" then: function: truthy security-bearer-format: description: Bearer auth token format should be documented severity: info given: "$.components.securitySchemes[*][?(@.scheme == 'bearer')]" then: field: bearerFormat function: truthy # HTTP METHOD CONVENTIONS get-no-request-body: description: GET operations must not have a request body severity: error given: "$.paths[*].get" then: field: requestBody function: falsy delete-no-request-body: description: DELETE operations should not have a request body severity: warn given: "$.paths[*].delete" then: field: requestBody function: falsy # GENERAL QUALITY no-empty-descriptions: description: Descriptions must not be empty strings severity: warn given: "$..description" then: function: truthy idempotency-key-documented: description: POST endpoints should document idempotency key header support severity: info given: "$.paths[*].post.parameters[*]" then: function: schema functionOptions: schema: properties: name: {}