Merge pull request #356 from trakrf/feat/tra-742-bb43-f1-f2-openapi-hygiene

feat(api): TRA-742 — BB43 F1+F2 openapi hygiene (contact URL + asset/location field-doc symmetry)

Author: mikestankavich

backend/internal/handlers/swaggerspec/swaggerspec.go

@@ -9,11 +9,8 @@
 package swaggerspec
 
 import (
-	"bytes"
 	_ "embed"
 	"net/http"
-	"os"
-	"sync"
 )
 
 //go:embed openapi.internal.json
@@ -28,44 +25,6 @@ var publicJSON []byte
 //go:embed openapi.public.yaml
 var publicYAML []byte
 
-// canonicalContactURL is the production-canonical info.contact.url emitted
-// by apispec/postprocess.go. The committed spec hard-codes it because the
-// build produces one artifact for every environment; environment-awareness
-// lives at serve time below (TRA-717 / BB34 F4).
-const canonicalContactURL = "https://app.trakrf.id/api"
-
-// previewContactURL is the equivalent on the preview deployment. The two
-// servers entries in info.servers[] already advertise both endpoints; this
-// keeps the contact URL aligned with whichever environment the running
-// backend is serving.
-const previewContactURL = "https://app.preview.trakrf.id/api"
-
-// publicJSONServed / publicYAMLServed are the byte slices returned by the
-// public spec handlers. They equal the embedded bytes in production and on
-// non-preview environments; on preview they carry the preview contact URL.
-// The substitution runs once at init() and the slices are immutable
-// thereafter.
-var (
-	publicSpecOnce   sync.Once
-	publicJSONServed []byte
-	publicYAMLServed []byte
-)
-
-func resolvePublicSpec() {
-	publicJSONServed = publicJSON
-	publicYAMLServed = publicYAML
-	if os.Getenv("APP_ENV") != "preview" {
-		return
-	}
-	// Targeted substitution: canonicalContactURL ("https://app.trakrf.id/api",
-	// trailing /api) appears only on info.contact.url. The servers[] entries
-	// use the bare hostnames without /api, so this does not affect them.
-	publicJSONServed = bytes.ReplaceAll(publicJSON,
-		[]byte(canonicalContactURL), []byte(previewContactURL))
-	publicYAMLServed = bytes.ReplaceAll(publicYAML,
-		[]byte(canonicalContactURL), []byte(previewContactURL))
-}
-
 // ServeJSON writes the embedded internal OpenAPI spec as JSON.
 func ServeJSON(w http.ResponseWriter, _ *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
@@ -80,14 +39,12 @@ func ServeYAML(w http.ResponseWriter, _ *http.Request) {
 
 // ServePublicJSON writes the embedded public OpenAPI spec as JSON.
 func ServePublicJSON(w http.ResponseWriter, _ *http.Request) {
-	publicSpecOnce.Do(resolvePublicSpec)
 	w.Header().Set("Content-Type", "application/json")
-	_, _ = w.Write(publicJSONServed)
+	_, _ = w.Write(publicJSON)
 }
 
 // ServePublicYAML writes the embedded public OpenAPI spec as YAML.
 func ServePublicYAML(w http.ResponseWriter, _ *http.Request) {
-	publicSpecOnce.Do(resolvePublicSpec)
 	w.Header().Set("Content-Type", "application/yaml")
-	_, _ = w.Write(publicYAMLServed)
+	_, _ = w.Write(publicYAML)
 }

backend/internal/handlers/swaggerspec/swaggerspec_test.go

@@ -4,29 +4,11 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
-	"strings"
-	"sync"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-// resetPublicSpecResolution lets per-test environment changes take effect.
-// Production code resolves the spec lazily via sync.Once; tests need to
-// re-run the resolver after flipping APP_ENV.
-func resetPublicSpecResolution(t *testing.T) {
-	t.Helper()
-	publicSpecOnce = sync.Once{}
-	publicJSONServed = nil
-	publicYAMLServed = nil
-	t.Cleanup(func() {
-		publicSpecOnce = sync.Once{}
-		publicJSONServed = nil
-		publicYAMLServed = nil
-	})
-}
-
 func TestServePublicJSON(t *testing.T) {
 	req := httptest.NewRequest(http.MethodGet, "/api/v1/openapi.json", nil)
 	rec := httptest.NewRecorder()
@@ -52,50 +34,3 @@ func TestServePublicYAML(t *testing.T) {
 	require.NotEmpty(t, rec.Body.Bytes(), "body must be non-empty")
 	require.Contains(t, rec.Body.String(), "openapi:", "body should contain YAML key 'openapi:'")
 }
-
-// TRA-717 / BB34 F4: info.contact.url is environment-aware at serve
-// time. The committed spec hard-codes the production canonical URL;
-// when APP_ENV=preview the backend swaps it to the preview equivalent
-// so a spec pulled from app.preview.trakrf.id/api/v1/openapi.* reads
-// preview, matching the env-aware servers[] block.
-func TestPublicSpec_ContactURLPreviewSubstitution(t *testing.T) {
-	resetPublicSpecResolution(t)
-	t.Setenv("APP_ENV", "preview")
-
-	for _, c := range []struct {
-		name    string
-		handler http.HandlerFunc
-	}{
-		{"json", ServePublicJSON},
-		{"yaml", ServePublicYAML},
-	} {
-		c := c
-		t.Run(c.name, func(t *testing.T) {
-			resetPublicSpecResolution(t)
-			t.Setenv("APP_ENV", "preview")
-			rec := httptest.NewRecorder()
-			c.handler(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-			body := rec.Body.String()
-			assert.Contains(t, body, previewContactURL,
-				"preview spec must carry the preview contact URL")
-			// The production marketing-app contact URL (with /api suffix) must
-			// be absent. Bare-hostname servers[] entries stay untouched.
-			assert.False(t, strings.Contains(body, canonicalContactURL),
-				"preview spec must not carry the production contact URL")
-		})
-	}
-}
-
-// On production (and any non-preview environment), the served spec
-// equals the committed bytes verbatim — no substitution.
-func TestPublicSpec_ContactURLProductionUnchanged(t *testing.T) {
-	resetPublicSpecResolution(t)
-	t.Setenv("APP_ENV", "production")
-
-	rec := httptest.NewRecorder()
-	ServePublicJSON(rec, httptest.NewRequest(http.MethodGet, "/", nil))
-	assert.Contains(t, rec.Body.String(), canonicalContactURL,
-		"non-preview spec must carry the production contact URL")
-	assert.False(t, strings.Contains(rec.Body.String(), previewContactURL),
-		"non-preview spec must not carry the preview contact URL")
-}

backend/internal/models/asset/asset.go

@@ -33,10 +33,13 @@ type Asset struct {
 // (GET /assets/{id}, GET /assets/{id}/history, GET /reports/asset-locations).
 // See PublicRejectCreateFields in the assets handler.
 type CreateAssetRequest struct {
-	OrgID       int                  `json:"-" swaggerignore:"true"`
-	ExternalKey string               `json:"external_key,omitempty" validate:"omitempty,min=1,max=255,external_key_pattern"`
-	Name        string               `json:"name" validate:"required,min=1,max=255,no_control_chars"`
-	Description *string              `json:"description,omitempty" validate:"omitempty,min=1,max=1024,no_control_chars"`
+	OrgID int `json:"-" swaggerignore:"true"`
+	// external_key is optional. Omit to receive a server-assigned key in the
+	// format ASSET-NNNN (per-organization sequence). When supplied, must
+	// satisfy the external_key_pattern.
+	ExternalKey string               `json:"external_key,omitempty" validate:"omitempty,min=1,max=255,external_key_pattern" example:"forklift-3"`
+	Name        string               `json:"name" validate:"required,min=1,max=255,no_control_chars" example:"Forklift 3"`
+	Description *string              `json:"description,omitempty" validate:"omitempty,min=1,max=1024,no_control_chars" example:"Main warehouse forklift"`
 	ValidFrom   *shared.FlexibleDate `json:"valid_from,omitempty" swaggertype:"string" example:"2025-01-01T00:00:00Z"`
 	ValidTo     *shared.FlexibleDate `json:"valid_to,omitempty" swaggertype:"string" example:"2026-01-01T00:00:00Z"`
 	Metadata    map[string]any       `json:"metadata,omitempty"`
@@ -101,8 +104,8 @@ var PublicReadOnlyFields = []string{"id", "created_at", "updated_at", "deleted_a
 // never written by PATCH; the only valid use is to echo the current value
 // back. The handler nils them out after the echo check passes.
 type UpdateAssetRequest struct {
-	Name        *string              `json:"name" validate:"omitempty,min=1,max=255,no_control_chars"`
-	Description *string              `json:"description" validate:"omitempty,min=1,max=1024,no_control_chars"`
+	Name        *string              `json:"name" validate:"omitempty,min=1,max=255,no_control_chars" example:"Forklift 3"`
+	Description *string              `json:"description" validate:"omitempty,min=1,max=1024,no_control_chars" example:"Updated description"`
 	ValidFrom   *shared.FlexibleDate `json:"valid_from,omitempty" swaggertype:"string" example:"2025-01-01T00:00:00Z"`
 	ValidTo     *shared.FlexibleDate `json:"valid_to,omitempty" swaggertype:"string" example:"2026-01-01T00:00:00Z"`
 	// TRA-699 natural-key echo fields. Decoded so the handler can compare
@@ -116,7 +119,7 @@ type UpdateAssetRequest struct {
 	ClearDescription bool            `json:"-" swaggerignore:"true"`
 	ClearValidTo     bool            `json:"-" swaggerignore:"true"`
 	Metadata         *map[string]any `json:"metadata"`
-	IsActive         *bool           `json:"is_active"`
+	IsActive         *bool           `json:"is_active" example:"true"`
 }
 
 // PublicRejectPatchFields names the JSON keys that PATCH /api/v1/assets/{id}

backend/internal/tools/apispec/postprocess.go

@@ -142,13 +142,11 @@ func postprocessPublic(doc *openapi3.T) error {
 		doc.Info.Contact.Email = "support@trakrf.id"
 	}
 	if doc.Info.Contact.URL == "" {
-		// Production canonical. The build emits a single artifact for every
-		// environment, so the committed spec must pin one value. The backend
-		// swaps this to the preview equivalent at serve time when
-		// APP_ENV=preview — see swaggerspec.resolvePublicSpec (TRA-717 / BB34
-		// F4). Keep the bare-hostname servers[] entries below untouched so
-		// the substitution remains targeted to contact.url alone.
-		doc.Info.Contact.URL = "https://app.trakrf.id/api"
+		// Per OpenAPI 3.0, info.contact.url is "the URL pointing to the
+		// contact information". Generator-default Help / Contact links
+		// land integrators on docs rather than the running API host;
+		// the bare-hostname servers[] entries below cover env routing.
+		doc.Info.Contact.URL = "https://docs.trakrf.id/"
 	}
 	doc.Servers = openapi3.Servers{
 		{

backend/internal/tools/apispec/postprocess_test.go

@@ -303,7 +303,7 @@ func TestPostprocess_SetsPublicInfoAndServers(t *testing.T) {
 	assert.Equal(t, "1.0.0", doc.Info.Version,
 		"info.version must be semver per Zalando must-use-semantic-versioning (TRA-672)")
 	require.NotNil(t, doc.Info.Contact, "info.contact must be present per Zalando must-have-info-contact-url (TRA-672)")
-	assert.Equal(t, "https://app.trakrf.id/api", doc.Info.Contact.URL)
+	assert.Equal(t, "https://docs.trakrf.id/", doc.Info.Contact.URL)
 	assert.Equal(t, "support@trakrf.id", doc.Info.Contact.Email)
 	require.Len(t, doc.Servers, 2)
 

docs/api/openapi.public.json

@@ -461,13 +461,16 @@
         "additionalProperties": false,
         "properties": {
           "description": {
+            "example": "Main warehouse forklift",
             "maxLength": 1024,
             "minLength": 1,
             "nullable": true,
             "pattern": "^[^\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]*$",
             "type": "string"
           },
           "external_key": {
+            "description": "external_key is optional. Omit to receive a server-assigned key in the\nformat ASSET-NNNN (per-organization sequence). When supplied, must\nsatisfy the external_key_pattern.",
+            "example": "forklift-3",
             "maxLength": 255,
             "minLength": 1,
             "pattern": "^[A-Za-z0-9-]+$",
@@ -482,6 +485,7 @@
             "type": "object"
           },
           "name": {
+            "example": "Forklift 3",
             "maxLength": 255,
             "minLength": 1,
             "pattern": "^[^\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]*$",
@@ -1184,20 +1188,23 @@
       "UpdateAssetRequest": {
         "properties": {
           "description": {
+            "example": "Updated description",
             "maxLength": 1024,
             "minLength": 1,
             "nullable": true,
             "pattern": "^[^\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]*$",
             "type": "string"
           },
           "is_active": {
+            "example": true,
             "type": "boolean"
           },
           "metadata": {
             "additionalProperties": {},
             "type": "object"
           },
           "name": {
+            "example": "Forklift 3",
             "maxLength": 255,
             "minLength": 1,
             "pattern": "^[^\\x00-\\x08\\x0B\\x0C\\x0E-\\x1F\\x7F]*$",
@@ -1303,7 +1310,7 @@
     "contact": {
       "email": "support@trakrf.id",
       "name": "TrakRF Support",
-      "url": "https://app.trakrf.id/api"
+      "url": "https://docs.trakrf.id/"
     },
     "description": "TrakRF public REST API. See /api for the customer-facing reference.\n\nSpec available as YAML (/api/openapi.yaml) and JSON (/api/openapi.json).\n\nHTTP method coverage (HEAD, OPTIONS, 405 / Allow): /api/http-method-coverage\n\nSurrogate ID width: declared `format: int64` on the wire so SDK regeneration does not break when the ID namespace eventually outgrows int32. Service-side ID generation stays within int32 (2^31-1) during v1; values above that bound are rejected with 400 validation_error / `too_large`. The wider wire type is a long-horizon contract, not a claim that current values exceed int32.\n\nNullable field interpretation: OpenAPI 3.0's `nullable: true` keyword is interpreted differently across codegen targets. Verified-working: `openapi-typescript@7.x` emits `string | null` correctly, and the `openapi-generator-cli` python target emits `Optional[StrictStr]` correctly — both round-trip CRUD against null-bearing responses unmodified. Known-broken: `datamodel-codegen@0.57.0` emits `nullable: true` read-shape fields as non-Optional required fields, so Pydantic validation fails on every nullable field that is actually null. Integrators using `datamodel-codegen` should either switch to the `openapi-generator-cli` python target or apply `--use-annotated --use-union-operator` with a custom post-processing pass.",
     "license": {

docs/api/openapi.public.yaml

@@ -339,12 +339,18 @@ components:
             additionalProperties: false
             properties:
                 description:
+                    example: Main warehouse forklift
                     maxLength: 1024
                     minLength: 1
                     nullable: true
                     pattern: ^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$
                     type: string
                 external_key:
+                    description: |-
+                        external_key is optional. Omit to receive a server-assigned key in the
+                        format ASSET-NNNN (per-organization sequence). When supplied, must
+                        satisfy the external_key_pattern.
+                    example: forklift-3
                     maxLength: 255
                     minLength: 1
                     pattern: ^[A-Za-z0-9-]+$
@@ -356,6 +362,7 @@ components:
                     additionalProperties: {}
                     type: object
                 name:
+                    example: Forklift 3
                     maxLength: 255
                     minLength: 1
                     pattern: ^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$
@@ -880,17 +887,20 @@ components:
         UpdateAssetRequest:
             properties:
                 description:
+                    example: Updated description
                     maxLength: 1024
                     minLength: 1
                     nullable: true
                     pattern: ^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$
                     type: string
                 is_active:
+                    example: true
                     type: boolean
                 metadata:
                     additionalProperties: {}
                     type: object
                 name:
+                    example: Forklift 3
                     maxLength: 255
                     minLength: 1
                     pattern: ^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]*$
@@ -970,7 +980,7 @@ info:
     contact:
         email: support@trakrf.id
         name: TrakRF Support
-        url: https://app.trakrf.id/api
+        url: https://docs.trakrf.id/
     description: |-
         TrakRF public REST API. See /api for the customer-facing reference.