Instabug (Luciq) · API Governance Rules

Instabug (Luciq) API Rules

Spectral linting rules defining API design standards and conventions for Instabug (Luciq).

Instabug (Luciq) API Rules is a Spectral governance ruleset published by Instabug (Luciq) on the APIs.io network, containing 9 lint rules.

The ruleset includes 5 error-severity rules and 4 warning-severity rules.

Tagged areas include Agentic AI, APM, Application Performance Monitoring, Bug Reporting, and Crash Reporting.

Rulesets can be applied to your own OpenAPI specs via Spectral to enforce the same governance standards.

9 Rules error 5 warn 4
View Rules File View on GitHub

Rule Categories

luciq

Rules

error
luciq-server-url-required
Every Luciq OpenAPI document must declare at least one server URL under the api.luciq.ai apex.
$.servers
error
luciq-operation-tagged
Every operation must have at least one tag aligned with the Luciq surface taxonomy.
$.paths[*][get,post,put,patch,delete].tags
error
luciq-tags-title-case
Top-level tags must use Title Case (e.g., "Crashes", "App Hangs", "Bugs").
$.tags[*].name
warn
luciq-summary-title-case
Operation summaries must be Title Case (e.g., "List Crashes", "Get Bug Details").
$.paths[*][get,post,put,patch,delete].summary
error
luciq-operation-id-camel
operationId must be camelCase (e.g., listCrashes, getOccurrenceDetails).
$.paths[*][get,post,put,patch,delete].operationId
error
luciq-security-required
Root-level security must declare at least one scheme (OAuth or PAT bearer).
$.security
warn
luciq-mcp-auth-schemes
The Luciq MCP Server OpenAPI must define both oauth2 and personalAccessToken security schemes.
$.components.securitySchemes
warn
luciq-401-defined
Every operation must define a 401 response so clients can handle auth failures uniformly.
$.paths[*][get,post,put,patch,delete].responses
warn
luciq-path-kebab-case
URL path segments must be lowercase, hyphen-separated (e.g., /app-hangs, /occurrence-tokens).
$.paths

Spectral Ruleset

Raw ↑ 
extends:
  - spectral:oas

functions: []

documentationUrl: https://docs.luciq.ai/

rules:
  # Servers must point at the Luciq production base.
  luciq-server-url-required:
    description: Every Luciq OpenAPI document must declare at least one server URL under the api.luciq.ai apex.
    severity: error
    given: $.servers
    then:
      - field: '[*].url'
        function: pattern
        functionOptions:
          match: '^https://(api|build|api\.eu)\.luciq\.ai(/.*)?$'

  # Operations must be tagged.
  luciq-operation-tagged:
    description: Every operation must have at least one tag aligned with the Luciq surface taxonomy.
    severity: error
    given: $.paths[*][get,post,put,patch,delete].tags
    then:
      function: length
      functionOptions:
        min: 1

  # Operation tags must be Title Case.
  luciq-tags-title-case:
    description: Top-level tags must use Title Case (e.g., "Crashes", "App Hangs", "Bugs").
    severity: error
    given: $.tags[*].name
    then:
      function: pattern
      functionOptions:
        match: '^[A-Z][A-Za-z0-9]*( [A-Z][A-Za-z0-9]*)*$'

  # Operation summaries must be Title Case.
  luciq-summary-title-case:
    description: Operation summaries must be Title Case (e.g., "List Crashes", "Get Bug Details").
    severity: warn
    given: $.paths[*][get,post,put,patch,delete].summary
    then:
      function: pattern
      functionOptions:
        match: '^[A-Z][A-Za-z0-9]*( [A-Z][A-Za-z0-9]*)*$'

  # Every operation needs operationId in camelCase.
  luciq-operation-id-camel:
    description: operationId must be camelCase (e.g., listCrashes, getOccurrenceDetails).
    severity: error
    given: $.paths[*][get,post,put,patch,delete].operationId
    then:
      function: pattern
      functionOptions:
        match: '^[a-z][a-zA-Z0-9]+$'

  # Security must be declared at root or per-operation.
  luciq-security-required:
    description: Root-level security must declare at least one scheme (OAuth or PAT bearer).
    severity: error
    given: $.security
    then:
      function: length
      functionOptions:
        min: 1

  # OAuth + PAT security schemes must both be present.
  luciq-mcp-auth-schemes:
    description: The Luciq MCP Server OpenAPI must define both oauth2 and personalAccessToken security schemes.
    severity: warn
    given: $.components.securitySchemes
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required: [oauth2, personalAccessToken]

  # 401 response defined for protected endpoints.
  luciq-401-defined:
    description: Every operation must define a 401 response so clients can handle auth failures uniformly.
    severity: warn
    given: $.paths[*][get,post,put,patch,delete].responses
    then:
      field: '401'
      function: truthy

  # Path style: lowercase, hyphen-separated.
  luciq-path-kebab-case:
    description: URL path segments must be lowercase, hyphen-separated (e.g., /app-hangs, /occurrence-tokens).
    severity: warn
    given: $.paths
    then:
      field: '@key'
      function: pattern
      functionOptions:
        match: '^(/[a-z0-9\-{}\.]+)+$'