fix(ci): regenerate SDK from public-spec.yaml, add narrowing guard #69

Merged: kj-podonos merged 3 commits into main from kj-podonos/rome on Jul 2, 2026

@kj-podonos kj-podonos commented Jul 2, 2026

Summary

  • regen.yml's spec-fetch step now pulls public-spec.yaml instead of api-spec.yaml. The backend spec repo added a narrowed --scope=public export excluding dashboard-only/credential-management endpoints (health, webhooks, api-keys, billing, provider-keys, workspace-aggregates, plus a self-serve billing path carve-out under users) from the customer-facing spec.
  • Added a fail-closed narrowing guard: refuses to generate if the fetched spec still contains an internal-only tag or the users/me/{subscription,payment-methods,invoices} path carve-out. Verified against the backend repo's actual public-spec.yaml (clean) and api-spec.yaml (correctly refuses).
  • BREAKING (found by review): the CLI's onepin health, onepin provider-keys, and onepin workspace stats commands call generated resources for 3 of the excluded tags (health, provider-keys, workspace-aggregates). Left in place, the next real SDK regen would silently break them at runtime. Removed the commands, their table entries, tests, docs (README generated block + hand-written examples, bundled agent-skill docs), and the now-broken examples/provider_keys.py; fixed quickstart.py's health-probe call and the version-compat gate's stale onepin health references (the gate itself fires on any API call, unaffected).
  • Doc comments kept generic (no repo names hardcoded) — this repo is public and the existing SPEC_REPO secret already avoids naming the backend repo directly.

Test plan

  • actionlint .github/workflows/regen.yml — clean
  • Narrowing-guard regex verified against the backend repo's real public-spec.yaml (passes) and api-spec.yaml (correctly refuses)
  • uv run pytest — 293 passed (incl. regenerated CLI manifest snapshot + README-sync drift gate)
  • uv run ruff check . — clean
  • Not run here (needs FERN_TOKEN/CI secrets): the actual fern generate + tests/build guard — will run in CI on this PR

🤖 Generated with Claude Code
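
The fail-closed narrowing guard described in the summary above, as an added sketch that is not the project's actual regen.yml step. The tag names and the users/me carve-out are taken from the description; the regexes, function names, exit codes and sample spec contents are assumptions.

```shell
#!/bin/sh
# Added example, not the project's regen.yml. Tag names and the users/me
# carve-out come from the PR description; regexes, function names, exit
# codes and the sample spec contents are assumptions constructed here.
INTERNAL_TAGS='health|webhooks|api-keys|billing|provider-keys|workspace-aggregates'
CARVE_OUT='users/me/(subscription|payment-methods|invoices)'
# Block style: "- health", "- name: health". Flow style: "tags: [a, health]".
BLOCK_RE="^[[:space:]]*-[[:space:]]*(name:[[:space:]]*)?($INTERNAL_TAGS)[[:space:]]*(#.*)?\$"
FLOW_RE="tags:[[:space:]]*\\[(.*[,[:space:]])?($INTERNAL_TAGS)[[:space:]]*[],]"
# Exit status: 0 = safe to generate, 1 = internal surface found,
# 2 = spec unusable. Anything other than 0 must stop the pipeline.
narrowing_guard() {
  ng_spec="$1"
  # Fail closed: a missing, empty or truncated download is a refusal.
  [ -s "$ng_spec" ] || { echo "refuse: spec missing or empty" >&2; return 2; }
  grep -Eq '^paths:' "$ng_spec" || { echo "refuse: no paths: key" >&2; return 2; }
  # Strip quotes first so "health" and 'health' match like the bare scalar.
  ng_hits=$(tr -d "\"'" < "$ng_spec" |
    grep -En -e "$BLOCK_RE" -e "$FLOW_RE" -e "$CARVE_OUT") || true
  [ -z "$ng_hits" ] && return 0
  printf 'refuse: internal-only content in %s:\n%s\n' "$ng_spec" "$ng_hits" >&2
  return 1
}

write_samples() {  # constructed sample specs, written into directory $1
cat > "$1/public-spec.yaml" <<'EOF'
openapi: 3.0.3
paths:
  /evaluations:
    get:
      tags: [evaluations]
EOF
cat > "$1/api-spec.yaml" <<'EOF'
openapi: 3.0.3
paths:
  /users/me/invoices:
    get:
      tags: [users, billing]
  /provider-keys:
    get:
      tags:
        - "provider-keys"
EOF
}
demo_dir=$(mktemp -d) && write_samples "$demo_dir"
for f in public-spec.yaml api-spec.yaml missing.yaml; do
  rc=0; narrowing_guard "$demo_dir/$f" 2>/dev/null || rc=$?; echo "$f -> exit $rc"
done
```

A pattern this broad can also refuse on an unrelated list item such as an enum value named `billing`; for a guard of this kind that errs on the refusing side.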

@kj-podonos

@claude review

@kj-podonos

@codex review

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 173edce278

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread .github/workflows/regen.yml
The backend spec repo added a narrowed --scope=public export
(public-spec.yaml) that excludes dashboard-only/credential-management
endpoints (health, webhooks, api-keys, billing, provider-keys,
workspace-aggregates, plus a self-serve billing path carve-out under
users) from the customer-facing spec. api-spec.yaml is the backend's
full internal-dashboard mock/type source and was never meant to be
the surface this SDK self-generates from.

Also adds a fail-closed guard (mirrors the shaping check already
here): refuses to generate if the fetched spec still contains an
internal-only tag or the users/me path carve-out, so a regression
upstream can't silently publish internal endpoints into the public
SDK. Verified the regex against the backend repo's actual
public-spec.yaml (clean) and api-spec.yaml (correctly flags every
internal tag).
kdh-podonos previously approved these changes Jul 2, 2026

@kdh-podonos kdh-podonos left a comment

LGTM

These 3 command groups (onepin health, onepin provider-keys,
onepin workspace stats) call generated SDK resources for tags that
are now excluded from public-spec.yaml (health, provider-keys,
workspace-aggregates are dashboard-only per the backend's
INTERNAL_TAGS classification). Left as-is, the next real SDK regen
would silently drop client.health/client.provider_keys/
client.workspace_aggregates and break these commands at runtime.

Removes the hand-rolled onepin/_cli/commands/health.py, the
table-driven provider-keys and workspace-stats Cmd entries in
_spec.py, and their registration in _registry.py. Updates the
version-compat gate's stale onepin-health references (the gate
itself fires on any API call, not specifically health -- unaffected
functionally), the bundled agent-skill docs (SKILL.md/reference.md),
the README's generated CLI reference (regenerated via
scripts/gen_cli_docs.py) and hand-written usage examples, and the
examples/ directory (quickstart.py's health-probe call, and the
now-broken provider_keys.py example, removed).

BREAKING CHANGE: `onepin health`, `onepin provider-keys`, and
`onepin workspace stats` are removed. Programmatic use of
client.health / client.provider_keys / client.workspace_aggregates
will also stop working once the next SDK regen lands (tracked
separately -- that PR is auto-generated by regen.yml, not this one).

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@kj-podonos

@claude review

@kj-podonos

@codex review

@chatgpt-codex-connector

Codex Review: Didn't find any major issues. Swish!

Reviewed commit: 80d2f333c0

Leftover from the health-command removal — the trailing comment in
_spec.py still pointed at commands/health.py, which no longer exists.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@kj-podonos kj-podonos merged commit 76a0b71 into main Jul 2, 2026
22 checks passed
@kj-podonos kj-podonos deleted the kj-podonos/rome branch July 2, 2026 06:53
kj-podonos added a commit that referenced this pull request Jul 3, 2026
🤖 I have created a release *beep* *boop*
---


## [0.8.0](v0.7.1...v0.8.0) (2026-07-03)


### Features

* sync SDK to OnePin API v0.40.2 ([#64](#64)) ([aa97888](aa97888))
* sync SDK to OnePin API v0.40.3 ([#66](#66)) ([2f2e765](2f2e765))
* sync SDK to OnePin API v0.41.33 ([#70](#70)) ([394f488](394f488))


### Bug Fixes

* **ci:** make PyPI promote idempotent for already-published versions ([#67](#67)) ([9acc656](9acc656))
* **ci:** regenerate SDK from public-spec.yaml, add narrowing guard ([#69](#69)) ([76a0b71](76a0b71))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).