Universal Principles
- •Spec-First Development – OpenAPI contract MUST be authored (or updated) before implementation code is merged.
- •Versioning – API major version MUST appear in the path
(
/api/v{major}/…) and in theinfo.versionfield. - •Consistent Envelope – Error responses MUST follow
{ code, message, data }; success bodies SHOULD wrap data similarly. - •Security Schemes – Auth MUST be declared with
type: http,scheme: bearer,bearerFormat: JWT; scopes live undercomponents/securitySchemes. - •Traceability –
traceparentandbaggageheaders MUST be documented undercomponents/headersso clients propagate OpenTelemetry context. - •Pagination – Collections SHOULD use
limit/cursorparameters; responses MUST includenextcursor link. - •Rate Limits – Specs MUST declare
429response and documentRetry-Afterheader semantics. - •API Linting – PRs MUST pass the OpenAPI linter (
spectralwith company ruleset) at severity error = 0. - •Example Payloads – Each schema SHOULD include at least one example; sensitive data is tokenised.
- •Documentation – Rendered docs (Redoc or Stoplight) MUST auto-publish
on merge to
main.
New Code
- •OpenAPI 3.0 – New APIs MUST target spec v3.0; earlier versions are prohibited.
- •JSON Schema
$defs– Schema components SHOULD ref common$defspublished by the Platform team to avoid duplication.
Existing Code
- •Legacy Swagger 2.0 – Existing Swagger specs MUST migrate to OpenAPI 3.0+ when touched.
- •Inline Definitions – While migrating, inline schema refs are permissible only if externalising would break consumers; file a debt entry.