Two issues with info in app/config/openapi.js:
- Description undersells the API: says "Customer and time-entry records" — 16 entities ago. Operators reading the spec in Swagger UI / docs aggregators get a misleading impression of the surface.
- No contact field: SECURITY.md documents the vuln-report channel (private advisory + email fallback) but Swagger UI's info panel never surfaces it. Operators reading the docs in a browser have to leave the spec page to find the policy.
Fix: expand description to mention the 16-entity surface + the operator-relevant feature set (idempotency, Link pagination, /metrics, CSV export). Add contact: { name, url } linking to the GH security policy.
Pin both with assertions in tests/api/openapi.test.js.
Proudly Made in Nebraska. Go Big Red! 🌽 https://xkcd.com/2347/