[GH-ISSUE #591] feat: Add OpenAPI coverage audit tooling #163

New issue

Closed

opened 2026-02-26 21:33:51 +03:00 by kerem · 1 comment

kerem commented

2026-02-26 21:33:51 +03:00

Owner

Originally created by @rudrankriyam on GitHub (Feb 17, 2026).
Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/591

Summary

Add tooling that helps answer: “which App Store Connect OpenAPI endpoints are covered by asc?” and “what’s missing?”

This should be a developer-facing audit tool that produces a machine-readable report.

Why this matters

The project is already large and growing fast. A coverage audit:

helps prioritize missing endpoints
prevents accidental regressions when refactoring clients
makes it easier for contributors to find high-impact work

Current state (verified)

Offline OpenAPI snapshot exists at docs/openapi/latest.json.
Path index exists at docs/openapi/paths.txt (generated by scripts/update-openapi-index.py).
There is no tool that diffs CLI/client capabilities against the OpenAPI spec.

Proposed UX

Option A: Make target (developer tool)

make openapi-coverage

Outputs:

docs/openapi/coverage.json
optional human summary to stdout

Option B: CLI command

asc docs openapi coverage --output json

Coverage model (proposal)

At minimum, report:

specEndpoints[] (method + path)
implementedEndpoints[] (method + path)
missingEndpoints[]

Stretch:

grouping by resource
“unknown” calls (clients hitting endpoints not in spec)

Implementation ideas

Pick one (or combine):

Static scan: detect request path strings / route builders in internal/asc.
Runtime instrumentation (more accurate): wrap HTTP transport in tests to record method+path usage across cmdtest and unit tests.

The runtime instrumentation route is attractive because it reflects real behavior.

Test plan

unit tests for coverage diff logic
golden snapshot test for output determinism

Acceptance criteria

A deterministic coverage report can be generated locally.
Report includes missing endpoints relative to docs/openapi/latest.json.
Output is JSON-first and stable for CI.

Originally created by @rudrankriyam on GitHub (Feb 17, 2026). Original GitHub issue: https://github.com/rudrankriyam/App-Store-Connect-CLI/issues/591 ## Summary Add tooling that helps answer: “which App Store Connect OpenAPI endpoints are covered by `asc`?” and “what’s missing?” This should be a developer-facing audit tool that produces a machine-readable report. ## Why this matters The project is already large and growing fast. A coverage audit: - helps prioritize missing endpoints - prevents accidental regressions when refactoring clients - makes it easier for contributors to find high-impact work ## Current state (verified) - Offline OpenAPI snapshot exists at `docs/openapi/latest.json`. - Path index exists at `docs/openapi/paths.txt` (generated by `scripts/update-openapi-index.py`). - There is no tool that diffs CLI/client capabilities against the OpenAPI spec. ## Proposed UX ### Option A: Make target (developer tool) ```bash make openapi-coverage ``` Outputs: - `docs/openapi/coverage.json` - optional human summary to stdout ### Option B: CLI command ```bash asc docs openapi coverage --output json ``` ## Coverage model (proposal) At minimum, report: - `specEndpoints[]` (method + path) - `implementedEndpoints[]` (method + path) - `missingEndpoints[]` Stretch: - grouping by resource - “unknown” calls (clients hitting endpoints not in spec) ## Implementation ideas Pick one (or combine): 1) **Static scan**: detect request path strings / route builders in `internal/asc`. 2) **Runtime instrumentation** (more accurate): wrap HTTP transport in tests to record method+path usage across `cmdtest` and unit tests. The runtime instrumentation route is attractive because it reflects real behavior. ## Test plan - [ ] unit tests for coverage diff logic - [ ] golden snapshot test for output determinism ## Acceptance criteria - [ ] A deterministic coverage report can be generated locally. - [ ] Report includes missing endpoints relative to `docs/openapi/latest.json`. - [ ] Output is JSON-first and stable for CI.

kerem

2026-02-26 21:33:51 +03:00

closed this issue
added the
enhancement
label

kerem commented

2026-02-26 21:33:52 +03:00

Author

Owner

@rudrankriyam commented on GitHub (Feb 18, 2026):

Closing as not planned: opened by mistake. We already did the audit manually, so we don't plan to add separate OpenAPI coverage tooling right now. Reopen if/when we want an automated coverage report.

@rudrankriyam commented on GitHub (Feb 18, 2026): Closing as not planned: opened by mistake. We already did the audit manually, so we don't plan to add separate OpenAPI coverage tooling right now. Reopen if/when we want an automated coverage report.

kerem referenced this issue

2026-02-26 21:34:36 +03:00

[PR #170] [MERGED] audit: fix 7 code quality and security issues #332