Cloudsmith · API Governance Rules

Cloudsmith API Rules

Spectral linting rules defining API design standards and conventions for Cloudsmith.

14 Rules error 4 warn 5 info 5
View Rules File View on GitHub

Rule Categories

cloudsmith

Rules

error
cloudsmith-info-contact
API contact information must be present.
$.info
warn
cloudsmith-info-license
API license must be declared.
$.info
error
cloudsmith-server-https
All server URLs must use HTTPS.
$.servers[*].url
warn
cloudsmith-host
Cloudsmith APIs must be served from api.cloudsmith.io.
$.servers[*].url
error
cloudsmith-auth-required
A security scheme must be declared (token-based apiKey).
$.components.securitySchemes
info
cloudsmith-token-prefix
API key descriptions should mention the "token" Authorization prefix.
$.components.securitySchemes[*]
error
cloudsmith-operation-id
Every operation must declare a unique operationId.
$.paths[*][get,post,put,patch,delete]
warn
cloudsmith-operation-summary
Every operation must include a short summary.
$.paths[*][get,post,put,patch,delete]
warn
cloudsmith-operation-tags
Every operation must declare at least one tag.
$.paths[*][get,post,put,patch,delete]
info
cloudsmith-known-tags
Operations should use known Cloudsmith tag groups.
$.paths[*][get,post,put,patch,delete].tags[*]
info
cloudsmith-pagination
List endpoints should support page/page_size pagination params.
$.paths[?(@property.match(/\/$/))].get.parameters[*].name
info
cloudsmith-owner-param
Owner-scoped paths should declare the {owner} path param.
$.paths[?(@property.match(/\{owner\}/))][*].parameters[?(@.in == 'path')].name
warn
cloudsmith-error-responses
Mutating operations should declare 4xx error responses.
$.paths[*][post,put,patch,delete].responses
info
cloudsmith-rate-limit
Rate-limited endpoints should document a 429 response.
$.paths[*][get,post,put,patch,delete].responses

Spectral Ruleset

Raw ↑ 
extends:
  - spectral:oas

# Spectral linting rules for the Cloudsmith API (v1).
# Validates Cloudsmith conventions: api.cloudsmith.io host, "token"
# Authorization scheme, page/page_size pagination, owner/repo path
# parameters, and JSON content types.
rules:
  cloudsmith-info-contact:
    description: API contact information must be present.
    severity: error
    given: "$.info"
    then:
      field: contact
      function: truthy

  cloudsmith-info-license:
    description: API license must be declared.
    severity: warn
    given: "$.info"
    then:
      field: license
      function: truthy

  cloudsmith-server-https:
    description: All server URLs must use HTTPS.
    severity: error
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  cloudsmith-host:
    description: Cloudsmith APIs must be served from api.cloudsmith.io.
    severity: warn
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "api\\.cloudsmith\\.io"

  cloudsmith-auth-required:
    description: A security scheme must be declared (token-based apiKey).
    severity: error
    given: "$.components.securitySchemes"
    then:
      function: truthy

  cloudsmith-token-prefix:
    description: API key descriptions should mention the "token" Authorization prefix.
    severity: info
    given: "$.components.securitySchemes[*]"
    then:
      field: description
      function: pattern
      functionOptions:
        match: "(?i)token"

  cloudsmith-operation-id:
    description: Every operation must declare a unique operationId.
    severity: error
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: operationId
      function: truthy

  cloudsmith-operation-summary:
    description: Every operation must include a short summary.
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: summary
      function: truthy

  cloudsmith-operation-tags:
    description: Every operation must declare at least one tag.
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: tags
      function: schema
      functionOptions:
        schema:
          type: array
          minItems: 1

  cloudsmith-known-tags:
    description: Operations should use known Cloudsmith tag groups.
    severity: info
    given: "$.paths[*][get,post,put,patch,delete].tags[*]"
    then:
      function: enumeration
      functionOptions:
        values:
          - audit-log
          - badges
          - broadcasts
          - bulk-action
          - distros
          - entitlements
          - files
          - formats
          - metrics
          - namespaces
          - orgs
          - packages
          - quota
          - rates
          - recycle-bin
          - repos
          - status
          - storage-regions
          - user
          - users
          - vulnerabilities
          - webhooks

  cloudsmith-pagination:
    description: List endpoints should support page/page_size pagination params.
    severity: info
    given: "$.paths[?(@property.match(/\\/$/))].get.parameters[*].name"
    then:
      function: enumeration
      functionOptions:
        values:
          - page
          - page_size
          - query
          - sort
          - search

  cloudsmith-owner-param:
    description: Owner-scoped paths should declare the {owner} path param.
    severity: info
    given: "$.paths[?(@property.match(/\\{owner\\}/))][*].parameters[?(@.in == 'path')].name"
    then:
      function: enumeration
      functionOptions:
        values:
          - owner
          - repo
          - identifier
          - slug
          - org
          - package
          - format

  cloudsmith-error-responses:
    description: Mutating operations should declare 4xx error responses.
    severity: warn
    given: "$.paths[*][post,put,patch,delete].responses"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          anyOf:
            - required: ["400"]
            - required: ["401"]
            - required: ["403"]
            - required: ["404"]
            - required: ["422"]

  cloudsmith-rate-limit:
    description: Rate-limited endpoints should document a 429 response.
    severity: info
    given: "$.paths[*][get,post,put,patch,delete].responses"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          anyOf:
            - required: ["429"]
            - required: ["200"]