Sandbox Banking · API Governance Rules

Sandbox Banking API Rules

Spectral linting rules defining API design standards and conventions for Sandbox Banking.

13 Rules error 4 warn 7 info 2

Rule Categories

sandbox

Rules

warn
sandbox-banking-operation-summary-title-case
Operation summaries must use Title Case.
$.paths[*][*].summary
warn
sandbox-banking-operation-id-camel-case
Operation IDs must use camelCase naming convention.
$.paths[*][*].operationId
warn
sandbox-banking-path-kebab-case
API path segments must use kebab-case.
$.paths
error
sandbox-banking-token-auth
Glyue API uses token-based authentication via Authorization header.
$.components.securitySchemes
warn
sandbox-banking-response-200-schema
All 200 responses must include a content schema.
$.paths[*][get,post,put].responses['200']
info
sandbox-banking-list-endpoint-pagination
List endpoints must support pagination parameters (page and page_size).
$.paths[?(!@property.match(/\{.*\}/))][get].parameters[*].name
error
sandbox-banking-no-trailing-slash
API paths must not end with a trailing slash.
$.paths
warn
sandbox-banking-tags-required
All operations must have at least one tag.
$.paths[*][get,post,put,patch,delete]
warn
sandbox-banking-description-required
All operations must include a description.
$.paths[*][get,post,put,patch,delete]
warn
sandbox-banking-401-defined
All API operations must declare a 401 Unauthorized response.
$.paths[*][get,post,put,patch,delete].responses
error
sandbox-banking-delete-no-body
DELETE operations must not include a request body.
$.paths[*][delete]
info
sandbox-banking-run-endpoint-naming
Integration execution endpoints must use /run suffix.
$.paths
error
sandbox-banking-audit-trail
API must expose run-history endpoint for regulatory compliance.
$.paths

Spectral Ruleset

extends: "spectral:oas"

rules:
  # Sandbox Banking / Glyue Integration Gateway API conventions

  # Style rule: each `summary` selected by the JSONPath below must match the
  # Title Case regex. Reported at `warn`.
  sandbox-banking-operation-summary-title-case:
    description: Operation summaries must use Title Case.
    message: "Summary '{{value}}' must use Title Case (capitalize each word)."
    severity: warn
    given: "$.paths[*][*].summary"
    then:
      function: pattern
      functionOptions:
        # Accepts words made of [A-Za-z0-9] only, each starting with an
        # upper-case letter and separated by exactly one whitespace character.
        # Hyphens, punctuation and lower-case connecting words are rejected.
        match: "^[A-Z][a-zA-Z0-9]*(\\s[A-Z][a-zA-Z0-9]*)*$"

  # Naming rule: each `operationId` selected by the JSONPath below must match
  # the camelCase regex. Reported at `warn`.
  sandbox-banking-operation-id-camel-case:
    description: Operation IDs must use camelCase naming convention.
    message: "OperationId '{{value}}' must be camelCase."
    severity: warn
    given: "$.paths[*][*].operationId"
    then:
      function: pattern
      functionOptions:
        # Lower-case first letter, then letters and digits only; underscores,
        # hyphens and dots are rejected.
        match: "^[a-z][a-zA-Z0-9]*$"

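  # Naming rule: every key of the `paths` object (the URL template itself)
  # must consist of kebab-case segments and/or `{param}` placeholders.
  sandbox-banking-path-kebab-case:
    description: API path segments must use kebab-case.
    message: "Path segment must use kebab-case (lowercase with hyphens)."
    severity: warn
    given: "$.paths"
    then:
      # `@key` runs the pattern against each path key. Without it the function
      # receives the whole `paths` object, which is not a string, so the regex
      # is never compared with an actual path.
      field: "@key"
      function: pattern
      functionOptions:
        # Each segment is either [a-z0-9-]+ or a `{name}` placeholder.
        # NOTE(review): a bare root path "/" does not match this regex and
        # will be reported; confirm whether the API defines one.
        match: "^(\\/([a-z0-9-]+|\\{[a-zA-Z][a-zA-Z0-9_]*\\}))*$"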

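  # Security rule: the document must declare a security scheme named
  # `TokenAuth` under `components.securitySchemes`. Reported at `error`.
  sandbox-banking-token-auth:
    description: Glyue API uses token-based authentication via Authorization header.
    message: "API must declare TokenAuth security scheme."
    severity: error
    # Evaluate from the document root. A `given` of
    # `$.components.securitySchemes` selects nothing when `components` or
    # `securitySchemes` is absent, so a spec with no security schemes at all
    # would pass this rule without a finding.
    given: "$"
    then:
      function: schema
      functionOptions:
        schema:
          type: object
          required:
            - components
          properties:
            components:
              type: object
              required:
                - securitySchemes
              properties:
                securitySchemes:
                  type: object
                  required:
                    - TokenAuth
                  properties:
                    TokenAuth:
                      type: object
    # NOTE(review): this only proves the scheme is declared. It does not check
    # that a root-level or per-operation `security` requirement references it,
    # nor that the scheme is an API key carried in the Authorization header;
    # consider a companion rule if that guarantee is needed.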

  # Documentation rule: the `200` response of each GET, POST and PUT operation
  # must have a truthy `content` field. Reported at `warn`.
  sandbox-banking-response-200-schema:
    description: All 200 responses must include a content schema.
    message: "Operation '{{path}}' 200 response should include a content schema."
    severity: warn
    # PATCH and DELETE are not in the method list, so their 200 responses are
    # not examined by this rule.
    given: "$.paths[*][get,post,put].responses['200']"
    then:
      # Only the presence of `content` is tested; the rule does not look for a
      # `schema` inside any media type.
      field: content
      function: truthy

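  # Convention rule for list endpoints: on GET operations whose path key has
  # no `{...}` placeholder, every declared parameter name must be one of the
  # values listed below. Reported at `info`.
  sandbox-banking-list-endpoint-pagination:
    description: List endpoints must support pagination parameters (page and page_size).
    message: "GET list endpoint '{{path}}' should support page and page_size query parameters."
    severity: info
    # The filter keeps path keys that do NOT contain a `{...}` placeholder.
    # The published copy of this expression had `!@property.match` replaced by
    # an e-mail-obfuscation placeholder, which is not valid JSONPath.
    # NOTE(review): restored from the surrounding syntax; confirm against the
    # upstream rules file.
    given: "$.paths[?(!@property.match(/\\{.*\\}/))][get].parameters[*].name"
    then:
      # `enumeration` is an allow-list on the names that are present. It does
      # not require `page` or `page_size` to exist, so an endpoint with no
      # pagination parameters produces no finding.
      # NOTE(review): parameters declared at path-item level are outside this
      # selector.
      function: enumeration
      functionOptions:
        values:
          - page
          - page_size
          - status
          - start_date
          - end_date
          - integration_id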

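  # Naming rule: no key of the `paths` object may end with "/".
  # Reported at `error`.
  sandbox-banking-no-trailing-slash:
    description: API paths must not end with a trailing slash.
    message: "Path '{{path}}' must not end with a trailing slash."
    severity: error
    given: "$.paths"
    then:
      # `@key` runs the pattern against each path key. Without it the function
      # receives the whole `paths` object, which is not a string, so no path
      # is ever compared with the regex.
      field: "@key"
      function: pattern
      functionOptions:
        # NOTE(review): a bare root path "/" also ends with a slash and will be
        # reported; confirm whether the API defines one.
        notMatch: "\\/$"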

  # Documentation rule: the `tags` field of each GET, POST, PUT, PATCH and
  # DELETE operation is validated against the JSON Schema below.
  # Reported at `warn`.
  sandbox-banking-tags-required:
    description: All operations must have at least one tag.
    message: "Operation '{{path}}' must declare at least one tag."
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      field: tags
      function: schema
      functionOptions:
        # An array with at least one element; the element type is not
        # constrained.
        # NOTE(review): confirm with a fixture that an operation with no
        # `tags` key at all is reported, not only an empty array.
        schema:
          type: array
          minItems: 1

  # Documentation rule: each GET, POST, PUT, PATCH and DELETE operation must
  # have a truthy `description`. Reported at `warn`.
  sandbox-banking-description-required:
    description: All operations must include a description.
    message: "Operation '{{path}}' must include a description."
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete]"
    then:
      # `truthy` rejects a missing field and an empty string alike.
      field: description
      function: truthy

  # Security-documentation rule: the `responses` object of each GET, POST,
  # PUT, PATCH and DELETE operation must contain a truthy "401" entry.
  sandbox-banking-401-defined:
    description: All API operations must declare a 401 Unauthorized response.
    message: "Operation '{{path}}' must define a 401 response."
    # Reported at `warn`, so this does not fail a lint run that gates on errors
    # only, although the description words it as a requirement.
    # NOTE(review): confirm the intended severity.
    severity: warn
    given: "$.paths[*][get,post,put,patch,delete].responses"
    then:
      # The key is quoted so that it stays a string rather than the integer 401.
      # Only the presence of the entry is tested, not its contents.
      field: "401"
      function: truthy

  # Design rule: a DELETE operation must not declare `requestBody`.
  # Reported at `error`.
  sandbox-banking-delete-no-body:
    description: DELETE operations must not include a request body.
    message: "DELETE operation '{{path}}' must not have a request body."
    severity: error
    given: "$.paths[*][delete]"
    then:
      # `falsy` passes when the field is absent or otherwise falsy.
      field: requestBody
      function: falsy

  # Naming rule for integration execution endpoints. Reported at `info`.
  # NOTE(review): `given` selects the whole `paths` object and no `field` is
  # set, so the `pattern` function receives an object, not a path string.
  # The rule presumably never reports; verify with a failing fixture. Adding
  # `field: "@key"` would apply the regex to every path key, which needs the
  # intent settled first (see the regex note below).
  sandbox-banking-run-endpoint-naming:
    description: Integration execution endpoints must use /run suffix.
    message: "Integration run endpoint should use '{integrationId}/run' naming pattern."
    severity: info
    given: "$.paths"
    then:
      function: pattern
      functionOptions:
        # Accepts any string containing "/run", "/execute", "/trigger" or
        # "integrations". That is wider than the "/run suffix" in the
        # description: "/execute" and "/trigger" pass, and "/run" may appear
        # anywhere in the string, not only at the end.
        match: ".*(\\/run|\\/execute|\\/trigger).*|.*integrations.*"

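  # Compliance rule: at least one key of the `paths` object must contain
  # "run-history". Reported at `error`.
  sandbox-banking-audit-trail:
    description: API must expose run-history endpoint for regulatory compliance.
    message: "Glyue API must include run-history endpoints for GLBA/FFIEC audit compliance."
    severity: error
    given: "$.paths"
    then:
      # The `pattern` function expects a string, but `$.paths` yields the whole
      # paths object, so a regex here is never compared with a path key.
      # Applying it per key would demand "run-history" in every path.
      # The schema expresses "some key matches" as a double negation: the
      # inner `propertyNames` holds only when no key matches, and the outer
      # `not` inverts that. An empty `paths` object is reported as well.
      function: schema
      functionOptions:
        schema:
          type: object
          not:
            propertyNames:
              not:
                pattern: ".*run-history.*"
    # NOTE(review): if `paths` is missing altogether, `given` selects nothing
    # and this rule stays silent; rely on the base ruleset's structural
    # validation for that case. A matching path name shows only that the
    # endpoint is specified, not that run history is recorded or retained.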