Scispot · API Governance Rules

Scispot API Rules

Spectral linting rules defining API design standards and conventions for Scispot.

13 Rules error 2 warn 9 info 2
View Rules File View on GitHub

Rule Categories

scispot

Rules

error
scispot-apikey-auth-defined
Scispot API must use API key authentication via apiKey header
$.components.securitySchemes.*.type
warn
scispot-operation-id-camel-case
Operation IDs must use camelCase naming convention
$.paths.*.*.operationId
warn
scispot-path-kebab-case
API paths must use kebab-case segments
$.paths[*]~
warn
scispot-post-returns-201
POST endpoints that create resources must return 201 Created
$.paths.*.post.responses
warn
scispot-delete-returns-204
DELETE endpoints must return 204 No Content on success
$.paths.*.delete.responses
warn
scispot-auth-401-response
All authenticated endpoints must define a 401 Unauthorized response
$.paths.*.*.responses
warn
scispot-single-resource-404
Single-resource retrieval endpoints must define 404 response
$.paths[*][?(@property == 'get')].responses
error
scispot-post-put-require-body
POST and PUT endpoints must define a request body
$.paths.*[post,put]
warn
scispot-operation-description
All operations must have a description
$.paths.*.*
warn
scispot-operation-tags
All operations must be tagged
$.paths.*.*
info
scispot-list-pagination-params
List endpoints should support page and limit pagination parameters
$.paths.*.get.parameters[*].name
warn
scispot-server-versioned
Server URL must include API version prefix
$.servers[*].url
info
scispot-use-component-schemas
Response bodies should reference component schemas rather than inline definitions
$.paths.*.*.responses.*.content.*.schema

Spectral Ruleset

Raw ↑ 
extends: spectral:oas
rules:
  # Scispot API Conventions

  # Enforce API key authentication is defined
  scispot-apikey-auth-defined:
    description: Scispot API must use API key authentication via apiKey header
    message: Security scheme must define apiKey authentication in the header
    severity: error
    given: $.components.securitySchemes.*.type
    then:
      function: enumeration
      functionOptions:
        values:
          - apiKey

  # Enforce operation IDs use camelCase
  scispot-operation-id-camel-case:
    description: Operation IDs must use camelCase naming convention
    message: Operation ID {{value}} must use camelCase
    severity: warn
    given: $.paths.*.*.operationId
    then:
      function: pattern
      functionOptions:
        match: "^[a-z][a-zA-Z0-9]+$"

  # Enforce paths use kebab-case
  scispot-path-kebab-case:
    description: API paths must use kebab-case segments
    message: Path must use kebab-case
    severity: warn
    given: $.paths[*]~
    then:
      function: pattern
      functionOptions:
        match: "^(\\/[a-z0-9-{}]+)+$"

  # Enforce CRUD endpoints return 201 for creation
  scispot-post-returns-201:
    description: POST endpoints that create resources must return 201 Created
    message: POST endpoint at {{path}} must include a 201 response for successful creation
    severity: warn
    given: $.paths.*.post.responses
    then:
      field: "201"
      function: defined

  # Enforce DELETE returns 204 No Content
  scispot-delete-returns-204:
    description: DELETE endpoints must return 204 No Content on success
    message: DELETE endpoint at {{path}} must include a 204 response
    severity: warn
    given: $.paths.*.delete.responses
    then:
      field: "204"
      function: defined

  # Enforce 401 response on authenticated endpoints
  scispot-auth-401-response:
    description: All authenticated endpoints must define a 401 Unauthorized response
    message: Endpoint at {{path}} must include a 401 response for authentication failures
    severity: warn
    given: $.paths.*.*.responses
    then:
      field: "401"
      function: defined

  # Enforce 404 response for single-resource GET endpoints
  scispot-single-resource-404:
    description: Single-resource retrieval endpoints must define 404 response
    message: Single-resource GET at {{path}} must include a 404 response
    severity: warn
    given: $.paths[*][?(@property == 'get')].responses
    then:
      field: "404"
      function: defined

  # Enforce request body for POST and PUT
  scispot-post-put-require-body:
    description: POST and PUT endpoints must define a request body
    message: POST/PUT endpoint at {{path}} must include a requestBody
    severity: error
    given: $.paths.*[post,put]
    then:
      field: requestBody
      function: truthy

  # Require descriptions on all operations
  scispot-operation-description:
    description: All operations must have a description
    message: Operation at {{path}} must have a description
    severity: warn
    given: $.paths.*.*
    then:
      field: description
      function: truthy

  # Require tags on all operations
  scispot-operation-tags:
    description: All operations must be tagged
    message: Operation at {{path}} must include at least one tag
    severity: warn
    given: $.paths.*.*
    then:
      field: tags
      function: truthy

  # Enforce pagination parameters on list endpoints
  scispot-list-pagination-params:
    description: List endpoints should support page and limit pagination parameters
    message: List endpoint should support page and limit query parameters
    severity: info
    given: $.paths.*.get.parameters[*].name
    then:
      function: enumeration
      functionOptions:
        values:
          - page
          - limit
          - type
          - barcode
          - sampleId
          - notebookId
          - labsheetId

  # Enforce version prefix in server URL
  scispot-server-versioned:
    description: Server URL must include API version prefix
    message: Server URL must include version prefix (e.g., /v1)
    severity: warn
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: ".*\\/v[0-9]+$"

  # Enforce component schemas are reused
  scispot-use-component-schemas:
    description: Response bodies should reference component schemas rather than inline definitions
    message: Use $ref to component schemas for consistency
    severity: info
    given: $.paths.*.*.responses.*.content.*.schema
    then:
      field: "$ref"
      function: defined