Retool API Rules

extends: ["spectral:oas"]

rules:
  retool-operation-id-camel-case:
    description: Operation IDs should use camelCase following the Retool API convention.
    message: "Operation ID '{{value}}' should use camelCase (e.g., listUsers, createUser, deleteApp)."
    severity: warn
    given: "$.paths[*][*].operationId"
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]*$"

  retool-operation-summary-title-case:
    description: All operation summaries must use Title Case.
    message: "Summary '{{value}}' should use Title Case (capitalize each significant word)."
    severity: warn
    given: "$.paths[*][*].summary"
    then:
      function: pattern
      functionOptions:
        match: "^[A-Z][a-zA-Z0-9 ]*$"

  retool-tags-defined:
    description: All operations must have at least one tag for grouping in the API reference.
    message: "Operation is missing tags. Add at least one tag from the defined tags list."
    severity: error
    given: "$.paths[*][*]"
    then:
      field: tags
      function: truthy

  retool-response-200-schema:
    description: Successful GET responses must include a response schema.
    message: "GET operation '{{path}}' should define a response schema for 200 OK."
    severity: warn
    given: "$.paths[*].get.responses.200"
    then:
      field: content
      function: truthy

  retool-request-body-post-put:
    description: POST and PUT operations must include a request body.
    message: "POST/PUT operation must define a requestBody."
    severity: error
    given: "$.paths[*][post,put]"
    then:
      field: requestBody
      function: truthy

  retool-error-responses:
    description: Operations should document 401 and 403 error responses.
    message: "Operation should define 401 Unauthorized response."
    severity: warn
    given: "$.paths[*][get,post,put,delete].responses"
    then:
      field: "401"
      function: truthy

  retool-uuid-path-params:
    description: User ID path parameters should be named 'userId' and use UUID format.
    message: "User ID parameter should be named 'userId' with uuid format."
    severity: hint
    given: "$.paths[*][*].parameters[?(@.in == 'path' && @.name == 'id')]"
    then:
      function: falsy

  retool-bearer-auth-scheme:
    description: The Retool API uses Bearer token authentication exclusively.
    message: "Security scheme should use Bearer token (http, bearer)."
    severity: error
    given: "$.components.securitySchemes[*]"
    then:
      function: schema
      functionOptions:
        schema:
          oneOf:
            - properties:
                type:
                  const: http
                scheme:
                  const: bearer

  retool-pagination-parameters:
    description: List endpoints returning collections should support page and pageSize parameters.
    message: "List endpoint (GET returning array) should define pagination parameters."
    severity: hint
    given: "$.paths[*].get"
    then:
      function: truthy