Tomorrow.io · API Governance Rules

Tomorrow.io API Rules

Spectral linting rules defining API design standards and conventions for Tomorrow.io.

42 Rules error 19 warn 22 info 1
View Rules File View on GitHub

Rule Categories

delete global info no openapi operation parameter path post request response schema security server tag

Rules

error
info-title-tomorrow-prefix
API title must start with "Tomorrow.io".
$.info.title
error
info-description-required
API info.description is required and substantive.
$.info
error
info-version-required
API info.version is required.
$.info
warn
info-contact-required
API info.contact should be populated.
$.info
warn
info-license-required
API info.license should be populated.
$.info
error
openapi-version-3
OpenAPI version must be 3.0.x.
$.openapi
error
server-https-required
All server URLs must be HTTPS.
$.servers[*].url
warn
server-tomorrow-host
Servers should point at api.tomorrow.io.
$.servers[*].url
error
path-no-trailing-slash
Paths must not end with a trailing slash.
$.paths.*~
error
path-no-query-string
Paths must not contain a query string.
$.paths.*~
warn
path-kebab-case-segments
Path segments should be kebab-case (lowercase + hyphens). Path params are exempt.
$.paths.*~
error
operation-operationId-required
Every operation must have an operationId.
$.paths.*[get,post,put,patch,delete]
error
operation-operationId-camelcase
operationId must be camelCase.
$.paths.*[get,post,put,patch,delete].operationId
error
operation-summary-required
Every operation must have a summary.
$.paths.*[get,post,put,patch,delete]
warn
operation-summary-tomorrow-prefix
Operation summaries must start with "Tomorrow.io ".
$.paths.*[get,post,put,patch,delete].summary
warn
operation-description-required
Every operation should have a description.
$.paths.*[get,post,put,patch,delete]
error
operation-tags-required
Every operation must declare at least one tag.
$.paths.*[get,post,put,patch,delete]
info
operation-microcks-extension
Each operation should declare x-microcks-operation for mock compatibility.
$.paths.*[get,post,put,patch,delete]
warn
global-tags-defined
A global tags array must be defined.
$
warn
tag-description-required
Each tag should carry a description.
$.tags[*]
warn
tag-title-case
Tag names should be Title Case.
$.tags[*].name
warn
parameter-description-required
Every parameter should have a description.
$.paths.*[get,post,put,patch,delete].parameters[*]
error
parameter-schema-required
Every parameter must declare a schema with a type.
$.paths.*[get,post,put,patch,delete].parameters[*]
warn
parameter-camelcase
Parameter names should be camelCase (matches Tomorrow.io v4 convention).
$.paths.*[get,post,put,patch,delete].parameters[*].name
warn
parameter-api-key-not-in-query-public
Avoid taking API keys as ordinary parameters — declare them as a securityScheme.
$.paths.*[get,post,put,patch,delete].parameters[?(@.name=="apikey" || @.name=="api_key")]
error
request-body-json-content
Request bodies must declare application/json content.
$.paths.*[get,post,put,patch,delete].requestBody.content
error
response-success-required
Each operation must declare at least one 2xx response.
$.paths.*[get,post,put,patch,delete].responses
warn
response-401-on-writes
Write operations should document a 401 Unauthorized response.
$.paths.*[post,put,patch,delete].responses
warn
response-429-rate-limit
Operations should document a 429 Too Many Requests response.
$.paths.*[get,post,put,patch,delete].responses
error
response-description-required
Every response must have a description.
$.paths.*[get,post,put,patch,delete].responses.*
warn
schema-property-camelcase
Schema properties should be camelCase.
$.components.schemas.*.properties.*~
error
schema-property-type-required
Schema properties must declare a type or $ref.
$.components.schemas.*.properties.*
warn
schema-object-description
Top-level component schemas should carry a description.
$.components.schemas.*
warn
schema-error-shape
Error schema should expose code, type, and message fields (Tomorrow.io error envelope).
$.components.schemas.Error
error
security-defined
A global security requirement must be defined.
$
error
security-scheme-defined
securitySchemes must include the Tomorrow.io apikey query scheme.
$.components.securitySchemes
warn
security-apikey-query-name
API key parameter name should be `apikey` to match Tomorrow.io conventions.
$.components.securitySchemes.apiKeyQuery
error
no-get-request-body
GET operations must not declare a requestBody.
$.paths.*.get
warn
no-delete-request-body
DELETE operations should not declare a requestBody.
$.paths.*.delete
warn
post-put-request-body
POST/PUT/PATCH operations must declare a requestBody.
$.paths.*[post,put,patch]
warn
delete-returns-204
DELETE operations should return 204 No Content on success.
$.paths.*.delete.responses
warn
no-empty-descriptions
Descriptions should not be empty strings.
$..description

Spectral Ruleset

Raw ↑ 
# Tomorrow.io Weather API — Spectral Ruleset
#
# Opinionated rules enforcing the conventions observed in the Tomorrow.io v4
# API: kebab-case paths, camelCase parameters/properties, camelCase
# operationIds, summary prefix "Tomorrow.io ", apikey-in-query auth, and
# realistic response/error coverage.

formats:
  - oas3

rules:
  # ───────────────────────── INFO / METADATA ─────────────────────────
  info-title-tomorrow-prefix:
    description: API title must start with "Tomorrow.io".
    message: '{{property}} should start with "Tomorrow.io"'
    severity: error
    given: $.info.title
    then:
      function: pattern
      functionOptions:
        match: '^Tomorrow\.io'

  info-description-required:
    description: API info.description is required and substantive.
    message: 'info.description must be at least 40 characters'
    severity: error
    given: $.info
    then:
      field: description
      function: length
      functionOptions:
        min: 40

  info-version-required:
    description: API info.version is required.
    severity: error
    given: $.info
    then:
      field: version
      function: truthy

  info-contact-required:
    description: API info.contact should be populated.
    severity: warn
    given: $.info
    then:
      field: contact
      function: truthy

  info-license-required:
    description: API info.license should be populated.
    severity: warn
    given: $.info
    then:
      field: license
      function: truthy

  # ───────────────────────── OPENAPI VERSION ─────────────────────────
  openapi-version-3:
    description: OpenAPI version must be 3.0.x.
    severity: error
    given: $.openapi
    then:
      function: pattern
      functionOptions:
        match: '^3\.0\.'

  # ───────────────────────────── SERVERS ─────────────────────────────
  server-https-required:
    description: All server URLs must be HTTPS.
    severity: error
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: '^https://'

  server-tomorrow-host:
    description: Servers should point at api.tomorrow.io.
    severity: warn
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: '^https://api\.tomorrow\.io/v4'

  # ────────────────────── PATHS — NAMING CONVENTIONS ─────────────────
  path-no-trailing-slash:
    description: Paths must not end with a trailing slash.
    severity: error
    given: $.paths.*~
    then:
      function: pattern
      functionOptions:
        notMatch: '.+/$'

  path-no-query-string:
    description: Paths must not contain a query string.
    severity: error
    given: $.paths.*~
    then:
      function: pattern
      functionOptions:
        notMatch: '\?'

  path-kebab-case-segments:
    description: Path segments should be kebab-case (lowercase + hyphens). Path params are exempt.
    severity: warn
    given: $.paths.*~
    then:
      function: pattern
      functionOptions:
        match: '^(/(\{[A-Za-z][A-Za-z0-9]*\}|[a-z0-9]+(-[a-z0-9]+)*))+$'

  # ────────────────────────────── OPERATIONS ─────────────────────────
  operation-operationId-required:
    description: Every operation must have an operationId.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete]'
    then:
      field: operationId
      function: truthy

  operation-operationId-camelcase:
    description: operationId must be camelCase.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete].operationId'
    then:
      function: pattern
      functionOptions:
        match: '^[a-z][a-zA-Z0-9]*$'

  operation-summary-required:
    description: Every operation must have a summary.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete]'
    then:
      field: summary
      function: truthy

  operation-summary-tomorrow-prefix:
    description: Operation summaries must start with "Tomorrow.io ".
    severity: warn
    given: '$.paths.*[get,post,put,patch,delete].summary'
    then:
      function: pattern
      functionOptions:
        match: '^Tomorrow\.io '

  operation-description-required:
    description: Every operation should have a description.
    severity: warn
    given: '$.paths.*[get,post,put,patch,delete]'
    then:
      field: description
      function: truthy

  operation-tags-required:
    description: Every operation must declare at least one tag.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete]'
    then:
      field: tags
      function: truthy

  operation-microcks-extension:
    description: Each operation should declare x-microcks-operation for mock compatibility.
    severity: info
    given: '$.paths.*[get,post,put,patch,delete]'
    then:
      field: x-microcks-operation
      function: truthy

  # ────────────────────────────── TAGS ───────────────────────────────
  global-tags-defined:
    description: A global tags array must be defined.
    severity: warn
    given: $
    then:
      field: tags
      function: truthy

  tag-description-required:
    description: Each tag should carry a description.
    severity: warn
    given: $.tags[*]
    then:
      field: description
      function: truthy

  tag-title-case:
    description: Tag names should be Title Case.
    severity: warn
    given: $.tags[*].name
    then:
      function: pattern
      functionOptions:
        match: '^[A-Z][A-Za-z0-9]*( [A-Z][A-Za-z0-9]*)*$'

  # ────────────────────────── PARAMETERS ─────────────────────────────
  parameter-description-required:
    description: Every parameter should have a description.
    severity: warn
    given: '$.paths.*[get,post,put,patch,delete].parameters[*]'
    then:
      field: description
      function: truthy

  parameter-schema-required:
    description: Every parameter must declare a schema with a type.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete].parameters[*]'
    then:
      field: schema
      function: truthy

  parameter-camelcase:
    description: Parameter names should be camelCase (matches Tomorrow.io v4 convention).
    severity: warn
    given: '$.paths.*[get,post,put,patch,delete].parameters[*].name'
    then:
      function: pattern
      functionOptions:
        match: '^[a-z][a-zA-Z0-9]*$'

  parameter-api-key-not-in-query-public:
    description: Avoid taking API keys as ordinary parameters — declare them as a securityScheme.
    severity: warn
    given: '$.paths.*[get,post,put,patch,delete].parameters[?(@.name=="apikey" || @.name=="api_key")]'
    then:
      function: falsy

  # ────────────────────────── REQUEST BODIES ─────────────────────────
  request-body-json-content:
    description: Request bodies must declare application/json content.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete].requestBody.content'
    then:
      field: application/json
      function: truthy

  # ─────────────────────────── RESPONSES ─────────────────────────────
  response-success-required:
    description: Each operation must declare at least one 2xx response.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete].responses'
    then:
      function: schema
      functionOptions:
        schema:
          anyOf:
            - required: ['200']
            - required: ['201']
            - required: ['202']
            - required: ['204']

  response-401-on-writes:
    description: Write operations should document a 401 Unauthorized response.
    severity: warn
    given: '$.paths.*[post,put,patch,delete].responses'
    then:
      field: '401'
      function: truthy

  response-429-rate-limit:
    description: Operations should document a 429 Too Many Requests response.
    severity: warn
    given: '$.paths.*[get,post,put,patch,delete].responses'
    then:
      field: '429'
      function: truthy

  response-description-required:
    description: Every response must have a description.
    severity: error
    given: '$.paths.*[get,post,put,patch,delete].responses.*'
    then:
      field: description
      function: truthy

  # ─────────────────────── SCHEMAS — PROPERTY NAMING ─────────────────
  schema-property-camelcase:
    description: Schema properties should be camelCase.
    severity: warn
    given: '$.components.schemas.*.properties.*~'
    then:
      function: pattern
      functionOptions:
        match: '^[a-z][a-zA-Z0-9]*$'

  schema-property-type-required:
    description: Schema properties must declare a type or $ref.
    severity: error
    given: '$.components.schemas.*.properties.*'
    then:
      function: schema
      functionOptions:
        schema:
          anyOf:
            - required: ['type']
            - required: ['$ref']
            - required: ['oneOf']
            - required: ['anyOf']
            - required: ['allOf']

  schema-object-description:
    description: Top-level component schemas should carry a description.
    severity: warn
    given: '$.components.schemas.*'
    then:
      field: description
      function: truthy

  schema-error-shape:
    description: Error schema should expose code, type, and message fields (Tomorrow.io error envelope).
    severity: warn
    given: '$.components.schemas.Error'
    then:
      function: schema
      functionOptions:
        schema:
          required: ['properties']
          properties:
            properties:
              required: ['code', 'type', 'message']

  # ──────────────────────────── SECURITY ─────────────────────────────
  security-defined:
    description: A global security requirement must be defined.
    severity: error
    given: $
    then:
      field: security
      function: truthy

  security-scheme-defined:
    description: securitySchemes must include the Tomorrow.io apikey query scheme.
    severity: error
    given: $.components.securitySchemes
    then:
      field: apiKeyQuery
      function: truthy

  security-apikey-query-name:
    description: API key parameter name should be `apikey` to match Tomorrow.io conventions.
    severity: warn
    given: '$.components.securitySchemes.apiKeyQuery'
    then:
      function: schema
      functionOptions:
        schema:
          required: ['type', 'in', 'name']
          properties:
            type:
              const: apiKey
            in:
              const: query
            name:
              const: apikey

  # ────────────────────── HTTP METHOD CONVENTIONS ────────────────────
  no-get-request-body:
    description: GET operations must not declare a requestBody.
    severity: error
    given: '$.paths.*.get'
    then:
      field: requestBody
      function: falsy

  no-delete-request-body:
    description: DELETE operations should not declare a requestBody.
    severity: warn
    given: '$.paths.*.delete'
    then:
      field: requestBody
      function: falsy

  post-put-request-body:
    description: POST/PUT/PATCH operations must declare a requestBody.
    severity: warn
    given: '$.paths.*[post,put,patch]'
    then:
      field: requestBody
      function: truthy

  delete-returns-204:
    description: DELETE operations should return 204 No Content on success.
    severity: warn
    given: '$.paths.*.delete.responses'
    then:
      field: '204'
      function: truthy

  # ──────────────────────────── GENERAL ──────────────────────────────
  no-empty-descriptions:
    description: Descriptions should not be empty strings.
    severity: warn
    given: '$..description'
    then:
      function: truthy