fix(openapi): address review feedback — correctness, security, and performance improvements#146
Merged: intel352 merged 2 commits into feat/issue-79-openapi on Feb 23, 2026
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Copilot (AI) changed the title from "[WIP] Add OpenAPI/Swagger spec module for generating HTTP routes" to "fix(openapi): address review feedback — correctness, security, and performance improvements" on Feb 23, 2026
intel352 added a commit that referenced this pull request on Feb 24, 2026:
…#134)

* feat: add OpenAPI/Swagger spec module for auto-generating HTTP routes (#79)
  - Add openapi module type that parses OpenAPI v3 YAML/JSON specs
  - Generate HTTP route handlers from spec paths with method mapping
  - Add request validation against spec schemas (query params, body)
  - Add optional Swagger UI and spec serving endpoints
  - Add OpenAPI plugin for plugin-based registration
  - Add comprehensive tests for spec parsing, routing, and validation
  - Add example config and petstore spec in example/specs/
  Closes #79
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: register openapi module type in schema and fix spec_file path resolution
  - Add "openapi" to known module types and module schema registry
  - Fix spec_file path in example config (relative to config dir, not project root)
  - Add openapi plugin to test helpers allPlugins()
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(openapi): address review feedback — correctness, security, and performance improvements (#146)
  * Initial plan
  * fix: apply all review feedback to OpenAPI module
    Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

* fix(openapi): address remaining unresolved review comments on OpenAPI module (#149)
  * Initial plan
  * fix(openapi): document deferred spec_file validation and add enum scalar tests
    Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

* fix: add admin_test.go with corrected TestMergeInto_WithRealAdminConfig
  Add admin/admin_test.go from main with the syntax error fixed: TestMergeInto_WithRealAdminConfig was closed with `)` instead of `}` and used 2-space indented brace in the inner if block, causing: expected statement, found ')'
  This file doesn't exist on this branch (predates its addition to main) but is needed so the PR's merge commit compiles and tests pass.
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(openapi): address remaining review comments — validation, content-type, schema, defaults (#150)
  * Initial plan
  * fix(openapi): address all remaining review comments — body bytes, JSON errors, content-type, schema, defaults, logging
    Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

* fix(cmd): restore missing multiWorkflowAddr flag definition (#152)
  * Initial plan
  * fix(cmd): restore missing multiWorkflowAddr flag definition
    Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

* fix(openapi): harden body validation, determinism, and router wiring (#155)
  * Initial plan
  * fix(openapi): address review feedback from thread 3844286430
    - Add configurable max body size limit (default 1 MiB) via http.MaxBytesReader to prevent DoS from arbitrarily large request bodies
    - Use validateJSONValue() for request body validation to handle non-object root schemas (primitives, arrays) that were previously silently skipped
    - Only register /openapi.yaml endpoint when source spec is YAML; JSON sources already served via /openapi.json
    - Sort supportedContentTypes() output for deterministic error messages
    - Remove /api/v1 from plugin schema DefaultConfig to match factory (empty) default
    - Add server→router mapping in wireOpenAPIRoutes for consistent router discovery when openapi module depends on http.server instead of http.router directly
    - Tests: add TestOpenAPIModule_JSONSourceNoYAMLEndpoint and TestOpenAPIModule_MaxBodySize
    Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
  ---------
  Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
  Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>

---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: intel352 <77607+intel352@users.noreply.github.com>
Addresses a batch of correctness bugs, a security improvement, and code quality issues raised in the PR review of the OpenAPI module.

Correctness fixes
- `/openapi.yaml` now serves raw spec bytes with `application/yaml` content-type instead of re-serialised JSON
- `r.Body == http.NoBody` broken check replaced: body is now read first, then length is checked for required-body validation; read errors are logged and returned rather than silently ignored
- `validateJSONValue` now rejects `3.14` for an `integer`-typed field (`math.Trunc` check)
- `validateJSONValue` uses type-aware equality (`e == val`) with explicit `int`/`float64` reconciliation to prevent `int(1)` matching `string("1")` via `fmt.Sprintf`; nil enum values are skipped

Security
- `htmlEscape` replaced with `html.EscapeString` from the standard library

Improvements
- `SWAGGER_UI_ASSETS_BASE_URL` env var (useful for air-gapped deployments); defaults unchanged
- `wireOpenAPIRoutes` reduced from O(n²) to O(n) by building a `name→router` map once before iterating OpenAPI modules
- `specJSON` cached on the module struct during `RegisterRoutes` instead of being re-marshaled if called multiple times
- type-mismatch error messages (e.g. `field "x" must be a string, got float64`)
- `validateStringConstraints` helper shared by both `validateScalarValue` and `validateJSONValue` to eliminate duplication

Tests
- `integer` fractional-value rejection and type-mismatch message content tests
- `{petId}` validation tests using `r.SetPathValue`
- `0600` → `0644`
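As an added illustration of the two `validateJSONValue` fixes in the correctness list (fractional values for `integer` fields, and type-aware enum matching instead of `fmt.Sprintf` string comparison), here is a stand-alone Go sketch; it is not the module's own code, and the names `validateScalar` and `enumEqual` are assumed.

```go
package main

import (
	"fmt"
	"math"
)

// Hypothetical stand-in (names assumed) for the module's validateJSONValue: checks one
// JSON-decoded scalar; encoding/json yields float64 for every number, so integrality needs math.Trunc.
func validateScalar(field string, val any, typ string, enum []any) error {
	switch typ {
	case "integer":
		f, ok := val.(float64)
		if !ok || math.Trunc(f) != f { // 3.14 is a JSON number but not an integer
			return fmt.Errorf("field %q must be an integer, got %v (%T)", field, val, val)
		}
	case "string":
		if _, ok := val.(string); !ok {
			return fmt.Errorf("field %q must be a string, got %T", field, val)
		}
	}
	if len(enum) == 0 {
		return nil
	}
	for _, e := range enum {
		if e != nil && enumEqual(e, val) { // nil enum entries are skipped
			return nil
		}
	}
	return fmt.Errorf("field %q value %v is not one of %v", field, val, enum)
}

// enumEqual compares on type and value, so int(1) never matches "1"; the only reconciliation is YAML-parsed int vs JSON float64.
func enumEqual(e, v any) bool {
	switch ev := e.(type) {
	case int:
		if f, ok := v.(float64); ok {
			return float64(ev) == f
		}
	case string, bool, float64:
	default:
		return false // non-scalar enum entries never match (and never panic)
	}
	return e == v
}

func main() { // constructed values, shaped as encoding/json decodes them
	fmt.Println(validateScalar("age", 3.14, "integer", nil))
	fmt.Println(validateScalar("status", "1", "string", []any{1, 2}))
}
```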