Skip to content

fix: update API schema for v2 migration#1

Open
zsobpeter-code wants to merge 18 commits into
mainfrom
feature/api-v2
Open

fix: update API schema for v2 migration#1
zsobpeter-code wants to merge 18 commits into
mainfrom
feature/api-v2

Conversation

@zsobpeter-code

Copy link
Copy Markdown
Member

No description provided.

@coderifts

coderifts Bot commented Feb 24, 2026

Copy link
Copy Markdown

🟡 CodeRifts — Risk Score: 57/100 (Moderate)

🏷️ Suggested version bump: MAJOR 🔴 — 10 breaking changes detected

📌 Current version is v1.4.0 → next version should be v2.0.0

⚠️ PR title says fix: but schema has breaking changes — should this be a major version bump?

🛡️ Policy Violations

🔴 Breaking budget exceeded: 10/3 allowed
🔴 Endpoint deletion blocked by policy: /payments/refund
🔴 Endpoint deletion blocked by policy: /internal/health

🟡 Breaking changes detected but PR title doesn't indicate a version bump. Use feat!: prefix or include version number.

👤 Required Approvals

Approval needed Reason
🔑 cto_approval /payments/refund (payments domain)

Approval requirements are informational — configure GitHub branch protection rules to enforce them.

Risk Assessment

Dimension Score Detail
💰 Revenue Impact 25/25 Affects /payments/refund (payments — critical)
⚡ Blast Radius 15/25 6 public endpoint(s) affected, 10 breaking changes in single PR (high coupling)
📱 App Compatibility 12/25 Breaks iOS 3.2, Android 4.0
🔒 Security 5/25 OAuth scope changed

🔒 Security Analysis

Severity Finding Endpoint Details
🔴 Critical Auth removed POST /payments/charge Was: bearerAuth → Now: none

🔒 Security score: 6/10 (fair) — 1 critical finding

📊 API Stability Grade: C (moderate risk)
🔄 Rollback risk: 🔴 Hard to revert
⏱️ Review effort: 1+ hours
🚀 Deployment: Monitor closely after deploy

🔴 10 Breaking Changes Found

# Change Endpoint Risk Lifecycle Details
1 🔴 Path removed /payments/refund 💰 Critical 🪦 remove
2 🔴 Path removed /internal/health 📋 Internal 🪦 remove
3 Field added to response GET /users/{id} ⚡ Public 🆕 add
4 Field removed from request POST /users ⚡ Public 🪦 remove
5 Field added to response POST /users ⚡ Public 🆕 add
6 Field added to response GET /orders ⚡ Public 🆕 add
7 Field removed from request POST /orders ⚡ Public 🪦 remove
8 Field added to response POST /orders ⚡ Public 🆕 add
9 Field added to response GET /orders/{id} ⚡ Public 🆕 add
10 Field removed from request POST /webhooks/subscribe 🔗 Webhook 🪦 remove

🪦 REST in peace: /payments/refund · /internal/health — removed in this PR

📝 API Changelog

Breaking

  • Removed endpoint /payments/refund
  • Removed endpoint /internal/health
  • New field field in GET /users/{id} response
  • Removed field field from POST /users request
  • New field field in POST /users response
  • New field field in GET /orders response
  • Removed field field from POST /orders request
  • New field field in POST /orders response
  • New field field in GET /orders/{id} response
  • Removed field field from POST /webhooks/subscribe request

Added

  • New endpoint /users/{id}/avatar
  • New optional field field in POST /users request

Changed

  • Removed field field from GET /users/{id} response
  • Removed field field from POST /users response
  • Removed field field from GET /orders response
  • Removed field field from POST /orders response
  • Removed field field from GET /orders/{id} response

High change density: POST /users has 4 changes in this PR. Consider whether this endpoint needs a version bump or deprecation plan.

💡 Recommendations

  • 📢 Notify external consumers — public endpoint(s) affected, prepare migration communication
  • 📱 Mobile app update needed — Breaks iOS 3.2, Android 4.0
  • 🔒 Security review required — OAuth scope changed
  • 👤 Domain owner sign-off needed — critical domain affected
  • 💰 Estimated migration impact — ~15 eng. day(s), ~$45,000
  • 🔄 Consider creating replacement endpoints instead of removing:
    • /payments/refund → /v2/payments/refund

💾 Migration & Impact Assessment

Rollback risk: 🔴 Hard to revert
Review estimate: ⏳ 1+ hours

Icon Trigger Action needed
🔄 Response field field removed from GET /users/{id} Cached responses may contain this field — consider cache invalidation
💾 New required field field in POST /users Ensure database column exists with a default value for existing rows
🔄 Response field field removed from POST /users Cached responses may contain this field — consider cache invalidation
🔄 Response field field removed from GET /orders Cached responses may contain this field — consider cache invalidation
🔄 Response field field removed from POST /orders Cached responses may contain this field — consider cache invalidation
🔄 Response field field removed from GET /orders/{id} Cached responses may contain this field — consider cache invalidation
🗄️ New endpoint PUT /users/{id}/avatar New resource — verify database tables/collections exist

✅ Pre-merge checklist

  • Verify API documentation is updated
  • Notify downstream consumers of breaking changes
  • Update API client SDKs if applicable
  • Check mobile app compatibility
  • Run database migration before deploying
  • Verify migration is backward-compatible (can roll back)
  • Invalidate response caches after deploy
  • Add integration tests for new endpoint(s)

👥 No CODEOWNERS file found. Consider adding one to auto-assign reviewers for API changes:

# .github/CODEOWNERS
# Auto-generated from .coderifts.yml domains
api/openapi.yaml  @payments-team @backend-team

📍 No URL versioning detected. Consider adopting URL versioning (e.g. /v1/, /v2/) to manage breaking changes safely.

📏 API Design Lint — 8 warnings
Rule Endpoint Details
⚠️ Missing error responses POST /users Has 201 but no 4xx/5xx responses defined
⚠️ Missing error responses GET /orders Has 200 but no 4xx/5xx responses defined
⚠️ Missing error responses POST /orders Has 201 but no 4xx/5xx responses defined
⚠️ Missing error responses GET /orders/{id} Has 200 but no 4xx/5xx responses defined
⚠️ Missing error responses POST /webhooks/subscribe Has 201 but no 4xx/5xx responses defined
⚠️ Missing error responses PUT /users/{id}/avatar Has 200 but no 4xx/5xx responses defined
⚠️ Path naming /webhooks/subscribe Singular /subscribe — most paths use plural convention
⚠️ Path naming /users/{id}/avatar Singular /avatar — most paths use plural convention
📋 Raw diff details
  • path.remove — paths./payments/refund (api/openapi.yaml)
  • path.remove — paths./internal/health (api/openapi.yaml)
  • response.body.scope.add — paths./users/{id}.get.responses.200.content.application/json.schema (api/openapi.yaml)
  • request.body.scope.remove — paths./users.post.requestBody.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.add — paths./users.post.responses.201.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.add — paths./orders.get.responses.200.content.application/json.schema (api/openapi.yaml)
  • request.body.scope.remove — paths./orders.post.requestBody.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.add — paths./orders.post.responses.201.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.add — paths./orders/{id}.get.responses.200.content.application/json.schema (api/openapi.yaml)
  • request.body.scope.remove — paths./webhooks/subscribe.post.requestBody.content.application/json.schema (api/openapi.yaml)
  • path.add — paths./users/{id}/avatar (api/openapi.yaml)
  • response.body.scope.remove — paths./users/{id}.get.responses.200.content.application/json.schema (api/openapi.yaml)
  • request.body.scope.add — paths./users.post.requestBody.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.remove — paths./users.post.responses.201.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.remove — paths./orders.get.responses.200.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.remove — paths./orders.post.responses.201.content.application/json.schema (api/openapi.yaml)
  • response.body.scope.remove — paths./orders/{id}.get.responses.200.content.application/json.schema (api/openapi.yaml)

👥 Breaking change in payments domain — notify @Payments-Team
👥 Breaking change in users domain — notify @backend-team

💸 Removed without deprecation period — compatibility debt: /payments/refund
💸 Removed without deprecation period — compatibility debt: /internal/health
💸 Breaking change in critical domain payments — high compatibility debt: /payments/refund

🏛️ Governance Health: A (95/100)


📊 API surface: 8 endpoints · 28 fields · 8 schemas
⚙️ Configure in .coderifts.yml · 🔗 CodeRifts


🎋 Gone but not forgotten
🎋 The endpoint served us so well
🎋 REST in peace, old friend


☁️ You're on the Free plan. Pro features (risk scoring, governance, deprecation enforcement) are included during the beta. Lock in Pro pricing →

🚩 Feature Flag Report

Flags in this PR

Flag Status Age File Action
new-checkout-flow 🟢 Active 5 days src/checkout.js:5 OK
FEATURE_DARK_MODE 🟢 Active 5 days src/checkout.js:9 OK
beta-payment-gateway 🟢 Active 5 days src/checkout.js:13 OK
holiday-promo-2024 🟢 Active 5 days src/checkout.js:18 OK
FF_ENABLE_ANALYTICS 🟢 Active 5 days src/checkout.js:22 OK

Summary

  • 5 feature flags found in changed files

💡 Configure thresholds in .coderifts.ymlflags.stale_days and flags.aging_days

⏱️ PR Review Insights

This PR

Metric Value Benchmark
Time to First Review Awaiting review
Review Rounds 0 🟢 Normal
PR Size +87 / -29 🟡 Medium

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants