# Spectral ruleset for the BlueCart API # Generated by the API Evangelist pipeline from openapi/bluecart-openapi.yml # Encodes the conventions observed across the BlueCart REST API: # - camelCase query parameters and schema properties # - camelCase operationIds with verb prefixes (search/retrieve/list/create/update/delete/place/modify/disable) # - Title Case tags # - AWS SigV4 + x-api-key header authentication # - nextToken cursor pagination on collections rules: # ── INFO / METADATA ─────────────────────────────────────────────── info-title-required: description: API must have a title. severity: error given: $.info then: field: title function: truthy info-title-bluecart-prefix: description: API title should reference BlueCart. severity: warn given: $.info.title then: function: pattern functionOptions: match: "BlueCart" info-description-required: description: API must have a meaningful description. severity: warn given: $.info then: field: description function: truthy info-version-required: description: API must declare a version. severity: error given: $.info then: field: version function: truthy info-contact-required: description: API should provide contact information. severity: info given: $.info then: field: contact function: truthy # ── OPENAPI VERSION ─────────────────────────────────────────────── openapi-version-3: description: Specs should be OpenAPI 3.0.x. severity: warn given: $.openapi then: function: pattern functionOptions: match: "^3\\.0\\." # ── SERVERS ─────────────────────────────────────────────────────── servers-defined: description: At least one server must be defined. severity: error given: $.servers then: function: truthy server-https: description: Servers must use HTTPS. severity: error given: $.servers[*].url then: function: pattern functionOptions: match: "^https" server-description: description: Servers should be described. severity: info given: $.servers[*] then: field: description function: truthy # ── PATHS ───────────────────────────────────────────────────────── path-no-query-string: description: Path keys must not contain a query string. severity: error given: $.paths[*]~ then: function: pattern functionOptions: notMatch: "\\?" # ── OPERATIONS ──────────────────────────────────────────────────── operation-operationId-required: description: Every operation must have an operationId. severity: error given: $.paths[*][get,post,put,delete,patch] then: field: operationId function: truthy operation-operationId-camelcase: description: operationId should be camelCase. severity: warn given: $.paths[*][get,post,put,delete,patch].operationId then: function: pattern functionOptions: match: "^[a-z][a-zA-Z0-9]*$" operation-operationId-verb-prefix: description: operationId should begin with a recognised verb. severity: info given: $.paths[*][get,post,put,delete,patch].operationId then: function: pattern functionOptions: match: "^(get|list|search|retrieve|create|update|delete|place|modify|disable|enable)" operation-summary-required: description: Every operation must have a summary. severity: warn given: $.paths[*][get,post,put,delete,patch] then: field: summary function: truthy operation-summary-title-case: description: Operation summaries should use Title Case (each word capitalised). severity: info given: $.paths[*][get,post,put,delete,patch].summary then: function: pattern functionOptions: match: "^([A-Z][A-Za-z0-9/-]*)(\\s[A-Za-z0-9/-]+)*$" operation-description-required: description: Every operation must have a description. severity: warn given: $.paths[*][get,post,put,delete,patch] then: field: description function: truthy operation-tags-required: description: Every operation must have at least one tag. severity: warn given: $.paths[*][get,post,put,delete,patch] then: field: tags function: truthy operation-microcks-extension: description: Operations should carry x-microcks-operation for mock compatibility. severity: info given: $.paths[*][get,post,put,delete,patch] then: field: x-microcks-operation function: truthy # ── TAGS ────────────────────────────────────────────────────────── tags-defined: description: Global tags array should be defined. severity: info given: $ then: field: tags function: truthy tag-description: description: Each global tag should have a description. severity: info given: $.tags[*] then: field: description function: truthy tag-title-case: description: Tag names should use Title Case. severity: warn given: $.tags[*].name then: function: pattern functionOptions: match: "^[A-Z][A-Za-z0-9]*( [A-Z][A-Za-z0-9]*)*$" # ── PARAMETERS ──────────────────────────────────────────────────── parameter-description: description: Parameters should have a description. severity: warn given: $.paths[*][*].parameters[*] then: field: description function: truthy parameter-schema: description: Parameters should declare a schema with a type. severity: warn given: $.paths[*][*].parameters[*].schema then: field: type function: truthy parameter-camelcase: description: Query and path parameters should be camelCase (BlueCart convention). severity: warn given: $.paths[*][*].parameters[?(@.in=='query' || @.in=='path')].name then: function: pattern functionOptions: match: "^[a-z][a-zA-Z0-9]*$" parameter-pagination-nexttoken: description: Cursor pagination parameters should be named nextToken (BlueCart convention). severity: info given: $.paths[*][*].parameters[?(@.in=='query')].name then: function: pattern functionOptions: notMatch: "^(offset|page|cursor|pageToken)$" # ── REQUEST BODIES ──────────────────────────────────────────────── request-body-json: description: Request bodies should use application/json. severity: warn given: $.paths[*][post,put,patch].requestBody.content then: field: application/json function: truthy # ── RESPONSES ───────────────────────────────────────────────────── response-success-defined: description: Operations should declare a 2xx success response. severity: warn given: $.paths[*][get,post,put,delete,patch].responses then: field: "200" function: truthy response-unauthorized: description: Operations should document a 401 response. severity: info given: $.paths[*][get,post,put,delete,patch].responses then: field: "401" function: truthy response-description: description: Every response must have a description. severity: warn given: $.paths[*][*].responses[*] then: field: description function: truthy error-schema-message: description: The Error schema should expose a message field. severity: info given: $.components.schemas.Error.properties then: field: message function: truthy # ── SCHEMAS ─────────────────────────────────────────────────────── schema-property-camelcase: description: Schema property names should be camelCase (BlueCart convention). severity: warn given: $.components.schemas[*].properties[*]~ then: function: pattern functionOptions: match: "^[a-z][a-zA-Z0-9]*$" schema-top-level-description: description: Top-level component schemas should have a description. severity: info given: $.components.schemas[*] then: field: description function: truthy schema-property-type: description: Schema properties should declare a type (or $ref). severity: info given: $.components.schemas[*].properties[*] then: function: defined # ── SECURITY ────────────────────────────────────────────────────── security-global-defined: description: A global security requirement should be defined. severity: warn given: $ then: field: security function: truthy security-schemes-defined: description: Security schemes must be defined in components. severity: error given: $.components.securitySchemes then: function: truthy security-apikey-header: description: The API key should be carried in the x-api-key header (BlueCart convention). severity: info given: $.components.securitySchemes.apiKey then: field: name function: pattern functionOptions: match: "^x-api-key$" # ── HTTP METHOD CONVENTIONS ─────────────────────────────────────── get-no-request-body: description: GET operations must not declare a request body. severity: error given: $.paths[*].get then: field: requestBody function: falsy delete-no-request-body: description: DELETE operations should not declare a request body. severity: warn given: $.paths[*].delete then: field: requestBody function: falsy