[DX-1015] Sync Control API spec with upstream swagger

[kennethkalmer]

Summary

• Adds missing APNs token-based (p8) authentication fields to app_post, app_patch, and app_response schemas — the immediate customer need from DX-1015
• Adds missing FCM config status fields, created/modified timestamps, and APNs config status booleans to app_response
• Adds revocableTokens to key schemas, mutableMessages/populateChannelRegistry to namespace schemas, appId to namespace_response
• Fixes me.token.id type from integer to string and adds expires_at field
• Adds 7 new rule types (21 schemas total): before-publish Lambda/webhook, Hive text/dashboard, Bodyguard, Tisane, and Azure text moderation
• Updates rule_post, rule_patch, rule_response discriminated unions with all new types
• All new fields have human-friendly descriptions and examples consistent with the existing docs style

Resolves DX-1015

Test plan

• Validate YAML parses without errors (yamllint passes — confirmed locally)
• Build the site (yarn build) and verify Redoc renders the new fields correctly
• Cross-reference new APNs fields against Martin's Slack summary to confirm field names match
• Spot-check a few new rule type schemas against upstream to confirm structural accuracy
• Review redoc on the review app

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Added support for seven new rule types: AWS Lambda and HTTP before-publish hooks, Hive text model and dashboard rules, and text moderation rules from Bodyguard, Tisane, and Azure.
  • Introduced revocable tokens and token expiration tracking for improved key management.
  • Enhanced APNs authentication configuration options.
  • Expanded namespace configuration with new settings.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 228c75b2-6847-41d1-bdde-e7fa0fab19f2

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

An OpenAPI specification update that expands rule type variants (AWS Lambda, HTTP, Hive, text-moderation services), adds corresponding schema components, and updates namespace, app, key, and authentication-related schemas with new properties and type modifications.

Changes

Cohort / File(s)	Summary
Rule Type Expansions static/open-specs/control-v1.yaml	Extended rule_post, rule_patch, and rule_response discriminator mappings to support 7 new ruleType variants: aws/lambda/before-publish, http/before-publish, hive/text-model-only, hive/dashboard, bodyguard/text-moderation, tisane/text-moderation, and azure/text-moderation. Added 21 new schema components (post/patch/response for each variant).
Namespace Schema Updates static/open-specs/control-v1.yaml	Added mutableMessages and populateChannelRegistry properties to namespace_post and namespace_patch; added appId property to namespace_response.
App & APNs Authentication Updates static/open-specs/control-v1.yaml	Extended app_post, app_patch, and app_response schemas with APNs authentication fields: apnsAuthType, apnsSigningKey, apnsSigningKeyId, apnsIssuerKey, apnsTopicHeader, and configuration flags. Added FCM and timestamp properties to app responses.
Key & Token Schema Changes static/open-specs/control-v1.yaml	Added revocableTokens property to key_post, key_patch, and key_response. Modified me.token.id from integer to string type; added expires_at (nullable date-time) to token structure.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Whiskers twitch with glee—new schemas bloom!
Seven rule types hop through the room,
APNs dance, tokens evolve their form,
The spec now rich, properly reborn!
One file changed, yet vast and deep,
API contracts we shall keep! 🐇✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title 'DX-1015 Sync Control API spec with upstream swagger' directly and clearly summarizes the main change: syncing an API specification file with upstream, and includes the relevant issue identifier.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/update-swagger-spec

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[kennethkalmer]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

static/open-specs/control-v1.yaml (1)

7057-7099: Model APNs auth as mutually exclusive request shapes.

Now that apnsAuthType exists, these flat schemas still validate incomplete or mixed configurations—for example token auth without the p8 fields, or token and certificate fields together. A oneOf between certificate-based and token-based APNs configs would make the public contract much clearer for Redoc and codegen.

Also applies to: 7134-7176

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@static/open-specs/control-v1.yaml` around lines 7057 - 7099, The APNs fields
should be modeled as mutually exclusive shapes instead of flat optional fields:
replace the current flat properties (apnsAuthType, apnsCertificate,
apnsPrivateKey, apnsUseSandboxEndpoint, apnsAuthType, apnsSigningKey,
apnsSigningKeyId, apnsIssuerKey, apnsTopicHeader) with a oneOf at the parent
APNs config that defines two object schemas—a "certificate" schema
(apnsAuthType: "certificate", required apnsCertificate and optionally
apnsPrivateKey, apnsUseSandboxEndpoint, apnsTopicHeader) and a "token" schema
(apnsAuthType: "token", required apnsSigningKey, apnsSigningKeyId, apnsIssuerKey
and optionally apnsUseSandboxEndpoint, apnsTopicHeader); apply the same oneOf
refactor to the other APNs block indicated (lines ~7134-7176) so codegen/Redoc
will treat certificate vs token configs as exclusive.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@static/open-specs/control-v1.yaml`:
- Around line 5444-5470: The patch schemas hive_text_model_only_rule_patch,
bodyguard_text_moderation_rule_patch, tisane_text_moderation_rule_patch, and
azure_text_moderation_rule_patch currently enforce POST-style required fields
(ruleType, target, beforePublishConfig, invocationMode and apiKey inside
target); remove or relax these required entries so the schemas allow partial
PATCH bodies (e.g., only status or only target.thresholds). Specifically, edit
each schema to drop the top-level required array (or reduce it to match
http_rule_patch’s permissive pattern) and remove required entries inside target
(like apiKey) so partial updates validate correctly.
- Around line 4852-4853: The before_publish_aws_lambda_rule_patch schema
currently references rule_source making channelFilter and type required; change
its source $ref to refer to rule_source_patch (the patch variant with optional
fields) so partial updates are allowed—mirror what http_rule_patch and
kafka_rule_patch do by using rule_source_patch for
before_publish_aws_lambda_rule_patch.source to make fields optional.
- Around line 4980-4988: The response schema
before_publish_aws_lambda_rule_response currently references aws_access_keys
(which includes secretAccessKey) — change that $ref to aws_access_keys_response
to ensure secretAccessKey is omitted; similarly locate every moderation response
schema that currently exposes apiKey and replace or refactor them to use a
response-safe variant (e.g., api_key_response or remove apiKey) so raw API keys
are never present in responses; search for references to aws_access_keys and any
schema definitions that include apiKey in response schemas and update those
references to their _response-safe counterparts (or strip the sensitive field)
throughout the spec.

---

Nitpick comments:
In `@static/open-specs/control-v1.yaml`:
- Around line 7057-7099: The APNs fields should be modeled as mutually exclusive
shapes instead of flat optional fields: replace the current flat properties
(apnsAuthType, apnsCertificate, apnsPrivateKey, apnsUseSandboxEndpoint,
apnsAuthType, apnsSigningKey, apnsSigningKeyId, apnsIssuerKey, apnsTopicHeader)
with a oneOf at the parent APNs config that defines two object schemas—a
"certificate" schema (apnsAuthType: "certificate", required apnsCertificate and
optionally apnsPrivateKey, apnsUseSandboxEndpoint, apnsTopicHeader) and a
"token" schema (apnsAuthType: "token", required apnsSigningKey,
apnsSigningKeyId, apnsIssuerKey and optionally apnsUseSandboxEndpoint,
apnsTopicHeader); apply the same oneOf refactor to the other APNs block
indicated (lines ~7134-7176) so codegen/Redoc will treat certificate vs token
configs as exclusive.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: ad5e0e7c-c7a8-47e4-84dc-a9acceb86043

📥 Commits

Reviewing files that changed from the base of the PR and between 64f0618 and dd91174.

📒 Files selected for processing (1)

• static/open-specs/control-v1.yaml

[matt423]

Me and Claudicus are satisfied

[kennethkalmer]

Me and Claudicus are satisfied

My heartfelt gratitude to you both ♥️