feat: add OpenAPI/Swagger spec module for auto-generating HTTP routes

[intel352]

Summary

• Add openapi module type that parses OpenAPI v3 YAML/JSON spec files
• Generate HTTP route handlers from spec paths with method mapping
• Add request validation against spec schemas (query params, request body)
• Add optional Swagger UI and spec serving endpoints
• Add OpenAPI plugin for plugin-based module registration
• Add example petstore config and OpenAPI spec
• 5 files, 1568 insertions

Test plan

• go build ./... compiles cleanly
• go test ./module/ -run OpenAPI — all tests pass
• golangci-lint run — 0 issues
• Tests cover: spec parsing, route generation, request validation, error cases

Closes #79

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR adds comprehensive OpenAPI v3 specification support to the workflow engine, enabling automatic HTTP route generation, request validation, and optional Swagger UI hosting from OpenAPI spec files. The implementation introduces a new openapi module type via a dedicated plugin, allowing users to define API contracts declaratively and have the engine automatically wire up routes with validation.

Changes:

• New OpenAPI plugin with module factory, schema definitions, and wiring hooks for route registration
• Core OpenAPI module implementation with spec parsing (YAML/JSON), route generation, and request validation
• Comprehensive test suite covering spec parsing, route registration, validation scenarios, and edge cases
• Example petstore configuration and OpenAPI spec demonstrating the feature

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 21 comments.

Show a summary per file

File	Description
plugins/openapi/plugin.go	Plugin registration providing the "openapi" module type, schema definitions, and wiring hooks
module/openapi.go	Core OpenAPI module with spec parsing, HTTP route generation, request validation, and Swagger UI
module/openapi_test.go	Comprehensive test coverage for spec parsing, route registration, validation, and error handling
example/specs/petstore.yaml	Sample OpenAPI v3 spec file demonstrating supported features
example/openapi-petstore.yaml	Example workflow configuration showing how to use the openapi module

[Copilot]

There are no tests covering path parameter validation. The spec includes path parameters (e.g., petId in /pets/{petId}), but no tests verify that required path parameters are validated or that invalid path parameter types are rejected. This is important because path parameter extraction relies on Go 1.22's PathValue, and validation gaps here could allow invalid data into route handlers.

[Copilot]

The htmlEscape function provides basic HTML escaping but doesn't use Go's standard html.EscapeString from the html package, which is more thoroughly tested and maintained. While the current implementation covers the main XSS vectors, using the standard library function would be more robust and follow Go best practices. Consider replacing this custom implementation with html.EscapeString.

[Copilot]

The example configuration uses a relative path "example/specs/petstore.yaml" for the spec_file on line 25. This path is relative to where the engine binary is executed from, which could cause confusion if the config is run from a different directory. Consider either using an absolute path, or documenting in a comment that paths are resolved relative to the config file's directory (via the _config_dir mechanism in config.ResolvePathInConfig).

Suggested change

	config:
	config:
	# NOTE: spec_file is resolved relative to this config file's directory
	# via the _config_dir mechanism in config.ResolvePathInConfig.

[Copilot]

The validation logic for scalar values (validateScalarValue) and JSON values (validateJSONValue) has duplicated code for handling string validation (minLength, maxLength, pattern checks appear in both functions at lines 481-491 and 542-557). This duplication makes maintenance harder and increases the risk of inconsistencies. Consider extracting the common string validation logic into a separate helper function that both validation functions can call.

Suggested change

	// validateJSONValue validates a decoded JSON value against a schema.
	func validateJSONValue(val any, name string, schema *openAPISchema) []string {
	var errs []string
	switch schema.Type {
	case "string":
	s, ok := val.(string)
	if !ok {
	return []string{fmt.Sprintf("field %q must be a string", name)}
	}
	if schema.MinLength != nil && len(s) < *schema.MinLength {
	errs = append(errs, fmt.Sprintf("field %q must have minLength %d", name, *schema.MinLength))
	}
	if schema.MaxLength != nil && len(s) > *schema.MaxLength {
	errs = append(errs, fmt.Sprintf("field %q must have maxLength %d", name, *schema.MaxLength))
	}
	if schema.Pattern != "" {
	if ok2, _ := regexp.MatchString(schema.Pattern, s); !ok2 {
	errs = append(errs, fmt.Sprintf("field %q does not match pattern %q", name, schema.Pattern))
	}
	}
	// validateStringField validates a value as a string against string-related schema constraints.
	// It returns any validation errors and a boolean indicating whether the value passed type validation.
	func validateStringField(val any, name string, schema *openAPISchema) ([]string, bool) {
	s, ok := val.(string)
	if !ok {
	return []string{fmt.Sprintf("field %q must be a string", name)}, false
	}
	var errs []string
	if schema.MinLength != nil && len(s) < *schema.MinLength {
	errs = append(errs, fmt.Sprintf("field %q must have minLength %d", name, *schema.MinLength))
	}
	if schema.MaxLength != nil && len(s) > *schema.MaxLength {
	errs = append(errs, fmt.Sprintf("field %q must have maxLength %d", name, *schema.MaxLength))
	}
	if schema.Pattern != "" {
	if ok2, _ := regexp.MatchString(schema.Pattern, s); !ok2 {
	errs = append(errs, fmt.Sprintf("field %q does not match pattern %q", name, schema.Pattern))
	}
	}
	return errs, true
	}
	// validateJSONValue validates a decoded JSON value against a schema.
	func validateJSONValue(val any, name string, schema *openAPISchema) []string {
	var errs []string
	switch schema.Type {
	case "string":
	stringErrs, ok := validateStringField(val, name, schema)
	if !ok {
	return stringErrs
	}
	errs = append(errs, stringErrs...)

[intel352]

@copilot open a new pull request to apply changes based on the comments in this thread

[Copilot]

@intel352 I've opened a new pull request, #146, to work on those changes. Once the pull request is ready, I'll request review from you.

[intel352]

@copilot open a new pull request to apply changes based on the comments in this thread
Some comments appear to have been addressed already (affected code was touched), so I resolved those, but there are numerous unresolved concerns.

[Copilot]

@intel352 I've opened a new pull request, #149, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.

[Copilot]

swagger_ui.path is concatenated directly with base_path. If swagger_ui.path is configured without a leading slash (e.g. "docs"), the resulting route becomes invalid ("/api/v1docs"). Normalize swagger_ui.path to ensure it starts with "/" before building uiRoutePath.

Suggested change

	uiPath = "/docs"
	uiPath = "/docs"
	} else if !strings.HasPrefix(uiPath, "/") {
	uiPath = "/" + uiPath

[Copilot]

swaggerUIHTML defaults to loading assets from an unpinned CDN URL (swagger-ui-dist@5). Using a major-only tag is non-deterministic and increases supply-chain risk because contents can change over time. Prefer pinning to an exact version and/or serving local assets by default (with CDN as an opt-in).

[Copilot]

OpenAPIConfig's zero values mean request validation defaults to false unless explicitly set in YAML, but both the module schemas in this PR indicate validation.request should default to true. Consider setting oacfg.Validation.Request=true (and any other intended defaults like base_path) before applying cfg overrides, so runtime behavior matches the documented defaults.

Suggested change

	// Set documented defaults before applying configuration overrides.
	// validation.request is expected to default to true if not explicitly set in YAML.
	oacfg.Validation.Request = true
	// base_path may also have a documented default; use "/" unless overridden.
	oacfg.BasePath = "/"

[Copilot]

wireOpenAPIRoutes selects the fallback router by taking the first HTTPRouter encountered while iterating app.SvcRegistry(). Since map iteration order is randomized, with multiple routers this can non-deterministically attach generated routes to different routers across runs. Prefer a deterministic fallback (e.g., only when exactly one router exists, or based on config order) and log/return an error when ambiguous.

[Copilot]

If request validation is enabled and the body is present, but Content-Type isn't listed under requestBody.content, mediaType stays nil and the body isn't validated (and no error is returned). Consider treating an unknown/unsupported Content-Type as a validation failure (400), especially when requestBody is required.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

[Copilot]

The plugin’s ModuleSchema for type "openapi" describes inputs/outputs as http.Request→http.Response, but the actual module wires itself by registering routes onto an http.router via a wiring hook. This schema will mislead tooling/UI that relies on module I/O definitions; align it with the built-in schema (router input / routes output) or with how the module is actually intended to be composed.

Suggested change

	Inputs: []schema.ServiceIODef{{Name: "request", Type: "http.Request", Description: "Incoming HTTP requests matched against spec paths"}},
	Outputs: []schema.ServiceIODef{{Name: "response", Type: "http.Response", Description: "Validated HTTP response or 501 stub"}},
	Inputs: []schema.ServiceIODef{{Name: "router", Type: "http.router", Description: "HTTP router to attach generated routes to"}},
	Outputs: []schema.ServiceIODef{{Name: "routes", Type: "http.routes", Description: "Generated HTTP routes from the OpenAPI specification"}},

[Copilot]

Request-body validation is exercised for missing required fields, but there’s no test ensuring malformed JSON (invalid syntax) fails validation when Validation.Request is enabled. Adding a test case for invalid JSON would prevent regressions once JSON decode errors are handled as validation errors.

Suggested change

	})
	})
	t.Run("invalid JSON", func(t *testing.T) {
	body := `{"name": "Fluffy",` // malformed JSON
	w := httptest.NewRecorder()
	r := httptest.NewRequest(http.MethodPost, "/api/v1/pets", bytes.NewBufferString(body))
	r.Header.Set("Content-Type", "application/json")
	h.Handle(w, r)
	if w.Code != http.StatusBadRequest {
	t.Errorf("expected 400 validation error for malformed JSON, got %d: %s", w.Code, w.Body.String())
	}
	})

[Copilot]

Fallback router selection uses the first HTTPRouter encountered while iterating over app.SvcRegistry(), but map iteration order is randomized, so in apps with multiple routers the OpenAPI routes could attach non-deterministically. Prefer selecting deterministically (e.g., by using the first http.router defined in cfg.Modules, or by sorting router service names) and/or require an explicit router when multiple routers exist.

[Copilot]

If the request body is present and a JSON schema is defined, invalid JSON currently passes validation because json.Unmarshal errors are ignored. Treat JSON decode failures as validation errors (and consider returning a 400 with a helpful error) so malformed payloads don’t reach downstream handlers as “valid”.

[intel352]

@copilot open a new pull request to apply changes based on the comments in this thread

and #134 (review)

and #134 (review)

[Copilot]

@intel352 I've opened a new pull request, #150, to work on those changes. Once the pull request is ready, I'll request review from you.

[intel352]

@copilot Address all linter, build, and test errors, regardless whether they pre-exist or not. Get the build clean.

[Copilot]

@intel352 I've opened a new pull request, #152, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 6 comments.

[Copilot]

Request-body validation only calls validateJSONBody, which validates object schemas but returns nil for non-object root schemas. That means endpoints whose requestBody schema is a primitive/array won’t be validated at all. Consider validating the decoded body against the root schema (e.g., dispatch to validateJSONValue for non-object types, and return a clear error for unsupported schema types).

[Copilot]

supportedContentTypes() iterates a map, so the returned list order is nondeterministic. This can produce unstable error messages and make tests/logs harder to diff. Consider sorting the collected content types before joining.

[Copilot]

The factory leaves BasePath empty unless base_path is provided, but the module schema in this plugin advertises a default base_path of /api/v1. This mismatch can cause configs generated from the schema/UI to behave differently at runtime. Consider either defaulting OpenAPIConfig.BasePath to /api/v1 here, or removing /api/v1 as the schema default so they match.

[intel352]

@copilot open a new pull request to apply changes based on the comments in this thread

[Copilot]

@intel352 I've opened a new pull request, #155, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.