SpecDock v0.5.0

SpecDock v0.5.0 adds explicit contract diff workflows and self-hosted mock response generation for local and CI-assisted API contract work.

Highlights

• Compare any two OpenAPI specs from saved projects, files, or raw text.
• Filter contract diff findings by severity, method, path, and tag.
• Export contract diff reports as GitHub/GitLab-friendly Markdown or stable JSON.
• Detect breaking required request/response property additions.
• Generate self-hosted mock responses from OpenAPI examples first, then schema examples.
• Use the Mock Server panel to pick an endpoint/status, preview the generated response body, edit it, and copy a live-route cURL command.
• Save generated responses as live in-memory routes under /mock/... for external local calls while the API process is running.
• Generate selected 4xx/5xx mock responses from OpenAPI response schemas when described, with explicit fallback error bodies when they are not.
• Run contract diff from the CLI with optional --fail-on-breaking CI behavior.

Security

• Mock routes are disabled by default and are not registered in public demo mode.
• Diff exports include metadata, counts, and findings only; they do not include specs, request bodies, response bodies, auth headers, cookies, or API keys.
• Mock response bodies are size-limited.
• Imported specs are not persisted by the mock endpoint.
• Saved mock routes are process-local in memory.

Docker

docker run --rm -p 3000:3000 \
  -e PUBLIC_DEMO=true \
  -e PROXY_ENABLED=false \
  -e MOCK_SERVER_ENABLED=false \
  docker.io/d8vik/specdock:v0.5.0

For trusted self-hosted mock responses:

PUBLIC_DEMO=false
MOCK_SERVER_ENABLED=true
MOCK_MAX_RESPONSE_BYTES=10485760

Artifacts

• Git tag: v0.5.0
• Docker image: docker.io/d8vik/specdock:v0.5.0
• Docker manifest digest: sha256:39635b6577cfade585fa0a0f9be205ff7816dcb5bc0b3664aa4d275482e50f54
• Platforms: linux/amd64, linux/arm64

Verification

Validated before release:

nvm use
npm ci
npm run typecheck
npm run lint
npm run test
npm run test:sdk-smoke
npm run build
npm audit --audit-level=moderate

Docker smoke test passed:

• /api/health returns version 0.5.0.
• Bundled OpenAPI example is served.
• /mock/* is closed in public demo mode.

SpecDock v0.3.0

SpecDock v0.3.0 expands the local-first API contract workspace with broader import support, stronger request testing, and more configurable SDK output.

Highlights

• Swagger 2.0 import support, normalized into OpenAPI 3 internally.
• OpenAPI parameter serialization for path/query requests and cURL preview.
• Multipart/form-data and application/octet-stream request body support.
• SDK generation presets for package name, client name, naming style, and base URL strategy.
• Local .specdock.json project export/import with validation and secret redaction.
• cURL import can now create a new project or add requests into the active project.
• Fixed base URL state leaking between imported/switched contracts.

Security

• Public proxy behavior is unchanged.
• Project exports exclude auth secrets, manual headers, request bodies, response bodies, and file contents.
• Multipart and binary files stay in memory for the current browser session only.

Docker

docker run --rm -p 3000:3000 \
  -e PUBLIC_DEMO=true \
  -e PROXY_ENABLED=false \
  docker.io/d8vik/specdock:v0.3.0

SpecDock v0.2.3

SpecDock is a local-first API contract workspace for OpenAPI teams:

Import -> Explore -> Test -> Generate

This patch release is the recommended public/demo release tag. It includes the
public-demo Direct Browser Mode host restriction in the published release target
and aligns the public documentation with the auth profiles feature.

Use docker.io/d8vik/specdock:v0.2.3 for new deployments. Do not rely on
latest.

Why v0.2.3

v0.2.2 shipped the multi-language SDK generation release. After that tag, the
public demo policy was tightened so hosted demo deployments can restrict Direct
Browser Mode to known demo hosts. v0.2.3 publishes that public-demo behavior
as an immutable Docker tag and updates the docs around local credential storage.

Docker Quick Start

Pull the published image:

docker pull docker.io/d8vik/specdock:v0.2.3

Run public-demo mode locally:

docker run -d --name specdock \
  -p 127.0.0.1:3000:3000 \
  -e PUBLIC_DEMO=true \
  -e PROXY_ENABLED=false \
  docker.io/d8vik/specdock:v0.2.3

Open:

http://127.0.0.1:3000

Health check:

curl -fsS http://127.0.0.1:3000/api/health

Included In The MVP

• Import OpenAPI 3.0/3.1 specs from raw text, file upload, URL, or cURL.
• Explore endpoints grouped by tags with search and operation details.
• Build requests with path, query, header params, auth profiles, JSON bodies,
  and cURL previews.
• Execute requests in Direct Browser Mode.
• Use restricted Proxy Mode for trusted self-hosted deployments.
• Inspect in-session request/response exchanges per endpoint or latest request.
• Generate SDK files for TypeScript, Python, Go, Java, C#, and PHP.
• Download generated SDK output as ZIP files.
• Store projects, settings, auth profiles, safe request preferences, and history
  metadata locally in browser storage.

Public Demo Defaults

Public/demo deployments should use:

PUBLIC_DEMO=true
DEMO_DIRECT_ALLOWED_HOSTS=dummyjson.com,petstore3.swagger.io,httpbin.org
PROXY_ENABLED=false

In this mode:

• Backend proxy execution is disabled.
• Direct Browser Mode is limited to DEMO_DIRECT_ALLOWED_HOSTS.
• Browser CORS rules still decide which allowed upstream APIs can be called.
• Users should self-host SpecDock to test arbitrary custom API hosts.

Self-Hosted Proxy Mode

Proxy Mode is intended only for trusted self-hosted deployments:

PUBLIC_DEMO=false
PROXY_ENABLED=true
PROXY_ALLOWED_HOSTS=api.example.com,staging-api.example.com
PROXY_ALLOW_PRIVATE_TARGETS=false

Proxy requests are protected by explicit host allowlists, SSRF checks, timeout
limits, request/response size limits, and hop-by-hop header filtering. Do not
enable unrestricted public proxying.

Auth Profile Storage

Auth profiles are local browser data. They may contain bearer tokens, API keys,
basic-auth passwords, cookies, CSRF tokens, origin values, and referers.

SpecDock stores auth profiles in browser localStorage; it does not sync them
to a cloud backend. Avoid storing credentials on shared or public devices.
Manual request headers and bodies remain session-only by default.

Security Notes

• Public/demo deployments keep backend proxy mode disabled by default.
• Direct Browser Mode is restricted when PUBLIC_DEMO=true.
• Sensitive query values are redacted from saved request history.
• Generated SDK code is emitted as files and is not executed inside SpecDock.
• Generated output paths remain relative and traversal-safe.

Verified

Release checks passed on Node.js 20.19.0:

npm install --package-lock-only --ignore-scripts
npm run typecheck
npm run lint
npm run test
npm run test:sdk-smoke
npm run build
npm audit --audit-level=moderate

npm audit reported 0 vulnerabilities.

The Docker image was published as a multi-arch image for linux/amd64 and
linux/arm64.

SpecDock v0.2.2

Multi-language SDK generation release for SpecDock.

SpecDock now generates SDK files for TypeScript, Python, Go, Java, C#, and PHP, with generated SDK metadata, release smoke checks, and CI validation for the new generation flow.

Docker

Pull the published image:

docker pull docker.io/d8vik/specdock:v0.2.2

Run locally:

docker run -d --name specdock \
  -p 127.0.0.1:3000:3000 \
  -e PUBLIC_DEMO=true \
  -e PROXY_ENABLED=false \
  docker.io/d8vik/specdock:v0.2.2

Run with Docker Compose:

services:
  specdock:
    image: docker.io/d8vik/specdock:v0.2.2
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      PUBLIC_DEMO: "true"
      PROXY_ENABLED: "false"

Open:

http://127.0.0.1:3000

Included

• OpenAPI 3.0/3.1 import from file, URL, or raw text.
• Endpoint explorer with search and operation details.
• Request builder with path, query, header, and JSON body support.
• Direct browser request mode for public/demo deployments.
• Restricted self-hosted proxy mode with allowlist and SSRF protections.
• Local-first project/settings/history storage.
• ZIP download for generated SDK files.

New In This Release

• TypeScript SDK generation with fetch or axios clients.
• Python SDK generation with httpx.
• Go SDK generation with the standard library.
• Java SDK generation with java.net.http.HttpClient and Jackson.
• C# SDK generation with HttpClient and System.Text.Json.
• PHP SDK generation with Guzzle.
• Generated SDK README.md for every language.
• Generated specdock.manifest.json with language, runtime target, naming style, generator version, and file list.
• Language selector in the Generate panel.
• Runtime target hints for every supported SDK language.
• Generated file diffs scoped to the active language output.
• SDK smoke checks in CI.
• GitLab CI verification alongside GitHub Actions.

Runtime Targets

Language	Runtime target	HTTP runtime
TypeScript	TypeScript 5.x, Node.js 20+ or modern browsers	fetch or axios
Python	Python >=3.11	httpx >=0.27.0
Go	Go 1.22	net/http
Java	Java 17	java.net.http + Jackson 2.17.2
C#	.NET 8.0	HttpClient + System.Text.Json
PHP	PHP >=8.1	Guzzle ^7.0

Fixed

• PHP generated SDK Composer metadata now passes strict validation.
• SDK smoke test timeout now supports CI environments with extra language toolchains installed.
• Composer root version is set during PHP SDK smoke validation.
• GitHub Actions workflows use Node-24-compatible action versions.
• Generated file names are easier to read in the UI.

Security

• Proxy behavior is unchanged.
• Public/demo deployments keep backend proxy mode disabled by default.
• Generated SDK code is emitted as files and is not executed inside SpecDock.
• Generated output paths remain relative and traversal-safe.
• No unrestricted public proxy behavior was added.

Verified

Release checks passed:

npm run typecheck
npm run lint
npm run test
npm run test:sdk-smoke
npm run build
npm audit --audit-level=moderate

npm audit reported 0 vulnerabilities.

SpecDock v0.1.2

First successful Docker image release for SpecDock.

Docker

Pull the published image:

docker pull docker.io/d8vik/specdock:v0.1.2

Run with Docker Compose:

services:
  specdock:
    image: docker.io/d8vik/specdock:v0.1.2
    ports:
      - "127.0.0.1:3000:3000"
    environment:
      PUBLIC_DEMO: "true"
      PROXY_ENABLED: "false"

Included

• OpenAPI 3.0/3.1 import from file, URL, or raw text
• Endpoint explorer with search and operation details
• Request builder with path, query, header, and JSON body support
• Direct browser request mode for public/demo deployments
• Response viewer and request history metadata
• TypeScript SDK generation
• ZIP export for generated files
• Docker deployment support

Fixed

• Fixed Docker workspace dependency handling during image build.
• Ensured Vite React plugin dependencies are available in the Docker builder stage.

Security Notes

Public deployments should keep backend proxy mode disabled:

PUBLIC_DEMO=true
PROXY_ENABLED=false

Proxy mode is intended only for trusted self-hosted deployments with an explicit allowed-host list.

SpecDock v0.1.0

Initial public release

Added

• OpenAPI import
• Swagger support
• SDK generation
• ZIP export
• Docker support

Notes

Proxy mode is disabled in public deployments.

See README.md for installation instructions.