npm - @apidiff/core - Versions diffs - 1.0.0 - Mend

@apidiff/core 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (249) hide show

package/dist/ast/hash.d.ts +2 -0
package/dist/ast/hash.d.ts.map +1 -0
package/dist/ast/index.d.ts +3 -0
package/dist/ast/index.d.ts.map +1 -0
package/dist/ast/traverse.d.ts +13 -0
package/dist/ast/traverse.d.ts.map +1 -0
package/dist/config/index.d.ts +9 -0
package/dist/config/index.d.ts.map +1 -0
package/dist/diff/auth-differ.d.ts +4 -0
package/dist/diff/auth-differ.d.ts.map +1 -0
package/dist/diff/endpoint-differ.d.ts +3 -0
package/dist/diff/endpoint-differ.d.ts.map +1 -0
package/dist/diff/index.d.ts +3 -0
package/dist/diff/index.d.ts.map +1 -0
package/dist/diff/schema-differ.d.ts +3 -0
package/dist/diff/schema-differ.d.ts.map +1 -0
package/dist/diff/server-differ.d.ts +3 -0
package/dist/diff/server-differ.d.ts.map +1 -0
package/dist/index.cjs +2902 -0
package/dist/index.d.ts +15 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +2855 -0
package/dist/loader/file-loader.d.ts +5 -0
package/dist/loader/file-loader.d.ts.map +1 -0
package/dist/loader/git-loader.d.ts +5 -0
package/dist/loader/git-loader.d.ts.map +1 -0
package/dist/loader/index.d.ts +7 -0
package/dist/loader/index.d.ts.map +1 -0
package/dist/loader/url-loader.d.ts +5 -0
package/dist/loader/url-loader.d.ts.map +1 -0
package/dist/output/html.d.ts +3 -0
package/dist/output/html.d.ts.map +1 -0
package/dist/output/index.d.ts +3 -0
package/dist/output/index.d.ts.map +1 -0
package/dist/output/json.d.ts +3 -0
package/dist/output/json.d.ts.map +1 -0
package/dist/output/markdown.d.ts +3 -0
package/dist/output/markdown.d.ts.map +1 -0
package/dist/output/terminal.d.ts +3 -0
package/dist/output/terminal.d.ts.map +1 -0
package/dist/parsers/base.d.ts +8 -0
package/dist/parsers/base.d.ts.map +1 -0
package/dist/parsers/graphql/index.d.ts +13 -0
package/dist/parsers/graphql/index.d.ts.map +1 -0
package/dist/parsers/index.d.ts +7 -0
package/dist/parsers/index.d.ts.map +1 -0
package/dist/parsers/openapi2/index.d.ts +9 -0
package/dist/parsers/openapi2/index.d.ts.map +1 -0
package/dist/parsers/openapi3/index.d.ts +9 -0
package/dist/parsers/openapi3/index.d.ts.map +1 -0
package/dist/parsers/openapi3/ref-resolver.d.ts +2 -0
package/dist/parsers/openapi3/ref-resolver.d.ts.map +1 -0
package/dist/parsers/openapi3/schema-normalizer.d.ts +3 -0
package/dist/parsers/openapi3/schema-normalizer.d.ts.map +1 -0
package/dist/parsers/openapi3/security-normalizer.d.ts +3 -0
package/dist/parsers/openapi3/security-normalizer.d.ts.map +1 -0
package/dist/parsers/protobuf/index.d.ts +14 -0
package/dist/parsers/protobuf/index.d.ts.map +1 -0
package/dist/rules/auth/oauth-scope-removed.d.ts +9 -0
package/dist/rules/auth/oauth-scope-removed.d.ts.map +1 -0
package/dist/rules/auth/security-added.d.ts +9 -0
package/dist/rules/auth/security-added.d.ts.map +1 -0
package/dist/rules/auth/security-removed.d.ts +9 -0
package/dist/rules/auth/security-removed.d.ts.map +1 -0
package/dist/rules/auth/security-scheme-type-changed.d.ts +9 -0
package/dist/rules/auth/security-scheme-type-changed.d.ts.map +1 -0
package/dist/rules/base.d.ts +19 -0
package/dist/rules/base.d.ts.map +1 -0
package/dist/rules/endpoint/endpoint-added.d.ts +9 -0
package/dist/rules/endpoint/endpoint-added.d.ts.map +1 -0
package/dist/rules/endpoint/endpoint-deprecated.d.ts +9 -0
package/dist/rules/endpoint/endpoint-deprecated.d.ts.map +1 -0
package/dist/rules/endpoint/endpoint-removed.d.ts +9 -0
package/dist/rules/endpoint/endpoint-removed.d.ts.map +1 -0
package/dist/rules/endpoint/http-method-changed.d.ts +9 -0
package/dist/rules/endpoint/http-method-changed.d.ts.map +1 -0
package/dist/rules/endpoint/path-changed.d.ts +9 -0
package/dist/rules/endpoint/path-changed.d.ts.map +1 -0
package/dist/rules/index.d.ts +4 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/meta/server-removed.d.ts +9 -0
package/dist/rules/meta/server-removed.d.ts.map +1 -0
package/dist/rules/param/param-added.d.ts +9 -0
package/dist/rules/param/param-added.d.ts.map +1 -0
package/dist/rules/param/param-deprecated.d.ts +9 -0
package/dist/rules/param/param-deprecated.d.ts.map +1 -0
package/dist/rules/param/param-enum-value-added.d.ts +9 -0
package/dist/rules/param/param-enum-value-added.d.ts.map +1 -0
package/dist/rules/param/param-enum-value-removed.d.ts +9 -0
package/dist/rules/param/param-enum-value-removed.d.ts.map +1 -0
package/dist/rules/param/param-location-changed.d.ts +9 -0
package/dist/rules/param/param-location-changed.d.ts.map +1 -0
package/dist/rules/param/param-removed.d.ts +9 -0
package/dist/rules/param/param-removed.d.ts.map +1 -0
package/dist/rules/param/param-required-added.d.ts +9 -0
package/dist/rules/param/param-required-added.d.ts.map +1 -0
package/dist/rules/param/param-required-true-to-false.d.ts +9 -0
package/dist/rules/param/param-required-true-to-false.d.ts.map +1 -0
package/dist/rules/param/param-type-changed.d.ts +9 -0
package/dist/rules/param/param-type-changed.d.ts.map +1 -0
package/dist/rules/request/request-body-added-required.d.ts +9 -0
package/dist/rules/request/request-body-added-required.d.ts.map +1 -0
package/dist/rules/request/request-body-removed.d.ts +9 -0
package/dist/rules/request/request-body-removed.d.ts.map +1 -0
package/dist/rules/request/request-content-type-added.d.ts +9 -0
package/dist/rules/request/request-content-type-added.d.ts.map +1 -0
package/dist/rules/request/request-content-type-removed.d.ts +9 -0
package/dist/rules/request/request-content-type-removed.d.ts.map +1 -0
package/dist/rules/request/request-field-added-required.d.ts +9 -0
package/dist/rules/request/request-field-added-required.d.ts.map +1 -0
package/dist/rules/request/request-field-removed.d.ts +9 -0
package/dist/rules/request/request-field-removed.d.ts.map +1 -0
package/dist/rules/request/request-field-type-changed.d.ts +9 -0
package/dist/rules/request/request-field-type-changed.d.ts.map +1 -0
package/dist/rules/request/request-required-false-to-true.d.ts +9 -0
package/dist/rules/request/request-required-false-to-true.d.ts.map +1 -0
package/dist/rules/response/response-field-added.d.ts +9 -0
package/dist/rules/response/response-field-added.d.ts.map +1 -0
package/dist/rules/response/response-field-removed.d.ts +9 -0
package/dist/rules/response/response-field-removed.d.ts.map +1 -0
package/dist/rules/response/response-field-type-changed.d.ts +9 -0
package/dist/rules/response/response-field-type-changed.d.ts.map +1 -0
package/dist/rules/response/response-header-added-required.d.ts +9 -0
package/dist/rules/response/response-header-added-required.d.ts.map +1 -0
package/dist/rules/response/response-header-removed.d.ts +9 -0
package/dist/rules/response/response-header-removed.d.ts.map +1 -0
package/dist/rules/response/response-media-type-added.d.ts +9 -0
package/dist/rules/response/response-media-type-added.d.ts.map +1 -0
package/dist/rules/response/response-media-type-removed.d.ts +9 -0
package/dist/rules/response/response-media-type-removed.d.ts.map +1 -0
package/dist/rules/response/response-status-added.d.ts +9 -0
package/dist/rules/response/response-status-added.d.ts.map +1 -0
package/dist/rules/response/response-status-removed.d.ts +9 -0
package/dist/rules/response/response-status-removed.d.ts.map +1 -0
package/dist/types/ast.d.ts +140 -0
package/dist/types/ast.d.ts.map +1 -0
package/dist/types/config.d.ts +17 -0
package/dist/types/config.d.ts.map +1 -0
package/dist/types/diff.d.ts +43 -0
package/dist/types/diff.d.ts.map +1 -0
package/dist/types/errors.d.ts +21 -0
package/dist/types/errors.d.ts.map +1 -0
package/dist/types/index.d.ts +6 -0
package/dist/types/index.d.ts.map +1 -0
package/dist/types/semantic.d.ts +45 -0
package/dist/types/semantic.d.ts.map +1 -0
package/package.json +31 -0
package/src/ast/hash.ts +26 -0
package/src/ast/index.ts +2 -0
package/src/ast/traverse.ts +59 -0
package/src/config/index.ts +44 -0
package/src/diff/auth-differ.ts +72 -0
package/src/diff/endpoint-differ.ts +144 -0
package/src/diff/index.ts +13 -0
package/src/diff/schema-differ.ts +70 -0
package/src/diff/server-differ.ts +22 -0
package/src/index.ts +92 -0
package/src/loader/file-loader.ts +19 -0
package/src/loader/git-loader.ts +22 -0
package/src/loader/index.ts +32 -0
package/src/loader/url-loader.ts +25 -0
package/src/output/html.ts +177 -0
package/src/output/index.ts +16 -0
package/src/output/json.ts +5 -0
package/src/output/markdown.ts +29 -0
package/src/output/terminal.ts +37 -0
package/src/parsers/base.ts +8 -0
package/src/parsers/graphql/index.ts +181 -0
package/src/parsers/index.ts +61 -0
package/src/parsers/openapi2/index.ts +218 -0
package/src/parsers/openapi3/index.ts +223 -0
package/src/parsers/openapi3/ref-resolver.ts +101 -0
package/src/parsers/openapi3/schema-normalizer.ts +52 -0
package/src/parsers/openapi3/security-normalizer.ts +18 -0
package/src/parsers/protobuf/index.ts +208 -0
package/src/rules/auth/oauth-scope-removed.ts +34 -0
package/src/rules/auth/security-added.ts +32 -0
package/src/rules/auth/security-removed.ts +47 -0
package/src/rules/auth/security-scheme-type-changed.ts +30 -0
package/src/rules/base.ts +29 -0
package/src/rules/endpoint/endpoint-added.ts +26 -0
package/src/rules/endpoint/endpoint-deprecated.ts +29 -0
package/src/rules/endpoint/endpoint-removed.ts +26 -0
package/src/rules/endpoint/http-method-changed.ts +29 -0
package/src/rules/endpoint/path-changed.ts +29 -0
package/src/rules/index.ts +83 -0
package/src/rules/meta/server-removed.ts +26 -0
package/src/rules/param/param-added.ts +52 -0
package/src/rules/param/param-deprecated.ts +34 -0
package/src/rules/param/param-enum-value-added.ts +32 -0
package/src/rules/param/param-enum-value-removed.ts +32 -0
package/src/rules/param/param-location-changed.ts +43 -0
package/src/rules/param/param-removed.ts +52 -0
package/src/rules/param/param-required-added.ts +34 -0
package/src/rules/param/param-required-true-to-false.ts +34 -0
package/src/rules/param/param-type-changed.ts +32 -0
package/src/rules/request/request-body-added-required.ts +33 -0
package/src/rules/request/request-body-removed.ts +30 -0
package/src/rules/request/request-content-type-added.ts +31 -0
package/src/rules/request/request-content-type-removed.ts +31 -0
package/src/rules/request/request-field-added-required.ts +41 -0
package/src/rules/request/request-field-removed.ts +35 -0
package/src/rules/request/request-field-type-changed.ts +37 -0
package/src/rules/request/request-required-false-to-true.ts +56 -0
package/src/rules/response/response-field-added.ts +34 -0
package/src/rules/response/response-field-removed.ts +34 -0
package/src/rules/response/response-field-type-changed.ts +37 -0
package/src/rules/response/response-header-added-required.ts +47 -0
package/src/rules/response/response-header-removed.ts +32 -0
package/src/rules/response/response-media-type-added.ts +32 -0
package/src/rules/response/response-media-type-removed.ts +32 -0
package/src/rules/response/response-status-added.ts +31 -0
package/src/rules/response/response-status-removed.ts +31 -0
package/src/types/ast.ts +164 -0
package/src/types/config.ts +31 -0
package/src/types/diff.ts +49 -0
package/src/types/errors.ts +26 -0
package/src/types/index.ts +5 -0
package/src/types/semantic.ts +60 -0
package/test/integration/stripe-v1.yaml +36 -0
package/test/integration/stripe-v2.yaml +35 -0
package/tests/ast.test.ts +60 -0
package/tests/config.test.ts +43 -0
package/tests/diff/auth-differ.test.ts +55 -0
package/tests/diff/endpoint-differ.test.ts +42 -0
package/tests/diff/schema-differ.test.ts +46 -0
package/tests/diff/server-differ.test.ts +23 -0
package/tests/diff.test.ts +116 -0
package/tests/fixtures/openapi3/auth-added/v1.yaml +11 -0
package/tests/fixtures/openapi3/auth-added/v2.yaml +18 -0
package/tests/integration.test.ts +21 -0
package/tests/loader-more.test.ts +75 -0
package/tests/loader.test.ts +61 -0
package/tests/output.test.ts +58 -0
package/tests/parsers/openapi3-coverage.test.ts +77 -0
package/tests/parsers/openapi3.test.ts +41 -0
package/tests/parsers/parsers-other.test.ts +135 -0
package/tests/parsers/ref-resolver.test.ts +78 -0
package/tests/parsers/schema-normalizer.test.ts +30 -0
package/tests/rules/auth-meta.test.ts +87 -0
package/tests/rules/base.test.ts +44 -0
package/tests/rules/endpoint.test.ts +122 -0
package/tests/rules/param.test.ts +242 -0
package/tests/rules/request.test.ts +147 -0
package/tests/rules/response.test.ts +161 -0
package/tests/rules/rules-coverage.test.ts +64 -0
package/tests/types-errors.test.ts +22 -0
package/tsconfig.json +8 -0
package/tsconfig.tsbuildinfo +1 -0

package/src/parsers/protobuf/index.ts ADDED Viewed

@@ -0,0 +1,208 @@
+import protobuf from 'protobufjs';
+import type { NormalizedAST, Endpoint, Parameter, RequestBody, ResponseDef, ComponentMap, Schema } from '../../types/index.js';
+import type { RawSpec } from '../../loader/index.js';
+import type { ISpecParser } from '../base.js';
+import { ParseError } from '../../types/errors.js';
+export class ProtobufParser implements ISpecParser {
+  readonly format = 'protobuf';
+  canParse(raw: RawSpec): boolean {
+    return raw.format === 'protobuf' || raw.content.trim().startsWith('syntax = "proto');
+  }
+  async parse(raw: RawSpec): Promise<NormalizedAST> {
+    let root: protobuf.Root;
+    try {
+      // Create a virtual file to parse the content string
+      const parsed = protobuf.parse(raw.content, { keepCase: true });
+      root = parsed.root;
+    } catch (err: any) {
+      throw new ParseError('Failed to parse Protobuf spec', err.line, err.column, raw.sourcePath, err);
+    }
+    const meta = {
+      title: 'Protobuf API',
+      version: '1.0.0', // Protobuf doesn't have a standard version field
+      format: 'protobuf' as const,
+      rawVersion: '3' // Assume proto3 for now
+    };
+    const components: ComponentMap = {
+      schemas: {},
+      securitySchemes: {},
+      parameters: {},
+      responses: {},
+      headers: {},
+      requestBodies: {}
+    };
+    const endpoints: Endpoint[] = [];
+    // Recursively walk the AST
+    this.walkRoot(root, '', components, endpoints);
+    return {
+      meta,
+      servers: [],
+      endpoints,
+      components,
+      security: []
+    };
+  }
+  private walkRoot(node: protobuf.ReflectionObject, namespace: string, components: ComponentMap, endpoints: Endpoint[]) {
+    if (node instanceof protobuf.Type) {
+      // It's a Message
+      components.schemas[`${namespace}${node.name}`] = this.messageToSchema(node);
+    } else if (node instanceof protobuf.Enum) {
+      // It's an Enum
+      components.schemas[`${namespace}${node.name}`] = this.enumToSchema(node);
+    } else if (node instanceof protobuf.Service) {
+      // It's a Service
+      for (const method of node.methodsArray) {
+        endpoints.push(this.methodToEndpoint(method, `${namespace}${node.name}`));
+      }
+    } else if (node instanceof protobuf.Namespace) {
+      // Walk namespace children
+      const newNamespace = node.name ? `${namespace}${node.name}.` : namespace;
+      for (const child of node.nestedArray) {
+        this.walkRoot(child, newNamespace, components, endpoints);
+      }
+    }
+  }
+  private messageToSchema(message: protobuf.Type): Schema {
+    const properties: Record<string, Schema> = {};
+    const required: string[] = [];
+    for (const field of message.fieldsArray) {
+      const fieldSchema = this.typeToSchema(field);
+      // We attach the protobuf field number to an internal property so we can diff it
+      (fieldSchema as any).$protobufNumber = field.id;
+      properties[field.name] = fieldSchema;
+      if (field.required) {
+        required.push(field.name);
+      }
+    }
+    const schema: Schema = {
+      type: 'object',
+      properties
+    };
+    if (required.length > 0) {
+      schema.required = required;
+    }
+    return schema;
+  }
+  private enumToSchema(enumObj: protobuf.Enum): Schema {
+    return {
+      type: 'string',
+      enum: Object.keys(enumObj.values)
+    };
+  }
+  private typeToSchema(field: protobuf.Field): Schema {
+    let schema: Schema = {};
+    switch (field.type) {
+      case 'double':
+      case 'float':
+        schema.type = 'number';
+        schema.format = field.type;
+        break;
+      case 'int32':
+      case 'uint32':
+      case 'sint32':
+      case 'fixed32':
+      case 'sfixed32':
+        schema.type = 'integer';
+        schema.format = field.type;
+        break;
+      case 'int64':
+      case 'uint64':
+      case 'sint64':
+      case 'fixed64':
+      case 'sfixed64':
+        schema.type = 'integer';
+        schema.format = 'int64'; // or field.type
+        break;
+      case 'bool':
+        schema.type = 'boolean';
+        break;
+      case 'string':
+        schema.type = 'string';
+        break;
+      case 'bytes':
+        schema.type = 'string';
+        schema.format = 'byte';
+        break;
+      default:
+        // It's a reference to another message or enum
+        // In a real implementation we'd use a $ref, but we are flattening
+        // For simplicity, we just mark it as object and we could potentially reference it.
+        // Or if we can find the resolved type in the parent namespace:
+        schema.type = 'object'; // It's a message type ref
+        (schema as any).$ref = `#/components/schemas/${field.type}`;
+        break;
+    }
+    if (field.repeated) {
+      return {
+        type: 'array',
+        items: schema
+      };
+    }
+    return schema;
+  }
+  private methodToEndpoint(method: protobuf.Method, servicePath: string): Endpoint {
+    const id = `RPC:${servicePath}/${method.name}`;
+    const path = `${servicePath}/${method.name}`;
+    const requestBody: RequestBody = {
+      required: true,
+      content: {
+        'application/protobuf': {
+          schema: {
+            $ref: `#/components/schemas/${method.requestType}`
+          } as any
+        }
+      }
+    };
+    const responses: ResponseDef[] = [
+      {
+        statusCode: '200',
+        description: 'Successful response',
+        content: {
+          'application/protobuf': {
+            schema: {
+              $ref: `#/components/schemas/${method.responseType}`
+            } as any
+          }
+        },
+        headers: {}
+      }
+    ];
+    return {
+      id,
+      path,
+      method: 'RPC',
+      summary: method.comment || undefined,
+      tags: [servicePath],
+      deprecated: !!method.options?.deprecated,
+      security: [], // Protobuf doesn't specify security natively
+      parameters: [],
+      requestBody,
+      responses,
+      extensions: {}
+    };
+  }
+}

package/src/rules/auth/oauth-scope-removed.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class OauthScopeRemovedRule extends BaseRule {
+  id = 'OAUTH_SCOPE_REMOVED';
+  description = 'An OAuth scope was removed from a security requirement';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'changed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      for (const fc of ed.fieldChanges) {
+        if (fc.fieldPath[0] === 'security' && fc.fieldPath[2] === 'scopes' && fc.changeType === 'removed') {
+          const schemeId = fc.fieldPath[1];
+          const scope = fc.oldValue as string;
+          changes.push(this.makeChange({
+            severity: 'breaking',
+            category: 'authentication',
+            message: `OAuth scope '${scope}' was removed from security requirement '${schemeId}'.`,
+            consequence: `Tokens granted with only the '${scope}' scope may no longer be accepted.`,
+            migration: `Ensure clients request one of the remaining supported scopes.`,
+            location: { path: ed.path, method: ed.method, field: fc.fieldPath.join('.') }
+          }, context));
+        }
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/auth/security-added.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class SecurityAddedRule extends BaseRule {
+  id = 'SECURITY_ADDED';
+  description = 'Authentication added to previously public endpoint';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'changed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      const oldSec = ed.oldEndpoint?.security ?? [];
+      const newSec = ed.newEndpoint?.security ?? [];
+      if (oldSec.length === 0 && newSec.length > 0) {
+        const schemes = newSec.map(s => s.schemeId).join(', ');
+        changes.push(this.makeChange({
+          severity: 'breaking',
+          category: 'authentication',
+          message: `${ed.method} ${ed.path} now requires authentication (${schemes}).`,
+          consequence: 'Clients without credentials receive 401 Unauthorized.',
+          migration: `Add Authorization header with required credentials to all ${ed.method} ${ed.path} requests.`,
+          location: { path: ed.path, method: ed.method }
+        }, context));
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/auth/security-removed.ts ADDED Viewed

@@ -0,0 +1,47 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class SecurityRemovedRule extends BaseRule {
+  id = 'SECURITY_REMOVED';
+  description = 'A global security scheme was removed';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    // Check global security scheme definitions
+    for (const sd of diff.securityDiffs) {
+      if (sd.changeType === 'removed') {
+        changes.push(this.makeChange({
+          severity: 'breaking',
+          category: 'authentication',
+          message: `Security scheme '${sd.schemeId}' was removed.`,
+          consequence: `Clients using '${sd.schemeId}' for authentication will fail to authenticate.`,
+          migration: `Update clients to use a different, supported security scheme.`,
+          location: { field: `securitySchemes['${sd.schemeId}']` }
+        }, context));
+      }
+    }
+    // Check endpoint-level security requirements removed
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'changed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      for (const fc of ed.fieldChanges) {
+        if (fc.fieldPath[0] === 'security' && fc.fieldPath.length === 2 && fc.changeType === 'removed') {
+          const schemeId = fc.oldValue as string;
+          changes.push(this.makeChange({
+            severity: 'breaking',
+            category: 'authentication',
+            message: `Security requirement '${schemeId}' was removed from the endpoint.`,
+            consequence: `Clients trying to authenticate with '${schemeId}' might fail if the server no longer accepts it.`,
+            migration: `Update clients to use one of the remaining security requirements.`,
+            location: { path: ed.path, method: ed.method, field: `security['${schemeId}']` }
+          }, context));
+        }
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/auth/security-scheme-type-changed.ts ADDED Viewed

@@ -0,0 +1,30 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class SecuritySchemeTypeChangedRule extends BaseRule {
+  id = 'SECURITY_SCHEME_TYPE_CHANGED';
+  description = 'The type of a security scheme was changed';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const sd of diff.securityDiffs) {
+      if (sd.changeType === 'changed') {
+        for (const fc of sd.fieldChanges) {
+          if (fc.fieldPath[0] === 'type') {
+            changes.push(this.makeChange({
+              severity: 'breaking',
+              category: 'authentication',
+              message: `Security scheme '${sd.schemeId}' changed type from '${fc.oldValue}' to '${fc.newValue}'.`,
+              consequence: `Clients using the old authentication type will fail to authenticate.`,
+              migration: `Update clients to authenticate using the new type '${fc.newValue}'.`,
+              location: { field: `securitySchemes['${sd.schemeId}'].type` }
+            }, context));
+          }
+        }
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/base.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import type { DiffSet, RuleContext, SemanticChange, IRule, Severity, RuleCategory } from '../types/index.js';
+export abstract class BaseRule implements IRule {
+  abstract id: string;
+  abstract description: string;
+  abstract severity: Severity;
+  abstract apply(diff: DiffSet, context: RuleContext): SemanticChange[];
+  protected isIgnored(path: string, context: RuleContext): boolean {
+    for (const glob of context.config.ignorePaths) {
+      if (this.matchGlob(path, glob)) return true;
+    }
+    return false;
+  }
+  private matchGlob(path: string, glob: string): boolean {
+    const regex = glob.replace(/\*/g, '.*').replace(/\//g, '\\/');
+    return new RegExp(`^${regex}$`).test(path);
+  }
+  protected makeChange(details: { severity: Severity; category: RuleCategory; message: string; consequence: string; migration: string; location: SemanticChange['location']; ruleId?: string }, context: RuleContext): SemanticChange {
+    const { ruleId, ...rest } = details;
+    return {
+      ruleId: ruleId || this.id,
+      ...rest
+    };
+  }
+}

package/src/rules/endpoint/endpoint-added.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class EndpointAddedRule extends BaseRule {
+  id = 'ENDPOINT_ADDED';
+  description = 'A new endpoint was added';
+  severity = 'info' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'added') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      changes.push(this.makeChange({
+        severity: 'info',
+        category: 'endpoint',
+        message: `Endpoint ${ed.method} ${ed.path} was added.`,
+        consequence: 'Clients can now use this new endpoint.',
+        migration: 'No migration required.',
+        location: { path: ed.path, method: ed.method }
+      }, context));
+    }
+    return changes;
+  }
+}

package/src/rules/endpoint/endpoint-deprecated.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class EndpointDeprecatedRule extends BaseRule {
+  id = 'ENDPOINT_DEPRECATED';
+  description = 'An existing endpoint was marked as deprecated';
+  severity = 'warning' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'changed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      const deprecatedChange = ed.fieldChanges.find(c => c.fieldPath[0] === 'deprecated' && c.newValue === true && c.oldValue === false);
+      if (deprecatedChange) {
+        changes.push(this.makeChange({
+          severity: 'warning',
+          category: 'endpoint',
+          message: `Endpoint ${ed.method} ${ed.path} was deprecated.`,
+          consequence: 'This endpoint is slated for future removal.',
+          migration: 'Plan to migrate away from this endpoint to its recommended alternative.',
+          location: { path: ed.path, method: ed.method }
+        }, context));
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/endpoint/endpoint-removed.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class EndpointRemovedRule extends BaseRule {
+  id = 'ENDPOINT_REMOVED';
+  description = 'An existing endpoint was removed entirely';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'removed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      changes.push(this.makeChange({
+        severity: 'breaking',
+        category: 'endpoint',
+        message: `Endpoint ${ed.method} ${ed.path} was removed.`,
+        consequence: 'Clients calling this endpoint will receive a 404 Not Found error.',
+        migration: 'Migrate clients to use an alternative endpoint before removing this one.',
+        location: { path: ed.path, method: ed.method }
+      }, context));
+    }
+    return changes;
+  }
+}

package/src/rules/endpoint/http-method-changed.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class HttpMethodChangedRule extends BaseRule {
+  id = 'HTTP_METHOD_CHANGED';
+  description = 'The HTTP method for an endpoint changed';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'changed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      const methodChange = ed.fieldChanges.find(c => c.fieldPath[0] === 'method');
+      if (methodChange) {
+        changes.push(this.makeChange({
+          severity: 'breaking',
+          category: 'endpoint',
+          message: `Endpoint HTTP method changed from ${methodChange.oldValue} to ${methodChange.newValue}.`,
+          consequence: 'Clients using the old HTTP method will fail.',
+          migration: `Update client requests to use the ${methodChange.newValue} method.`,
+          location: { path: ed.path, method: ed.method }
+        }, context));
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/endpoint/path-changed.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class PathChangedRule extends BaseRule {
+  id = 'PATH_CHANGED';
+  description = 'The path string for an endpoint changed (e.g. parameter renamed)';
+  severity = 'info' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const ed of diff.endpointDiffs) {
+      if (ed.type !== 'changed') continue;
+      if (this.isIgnored(ed.path, context)) continue;
+      const pathChange = ed.fieldChanges.find(c => c.fieldPath[0] === 'path');
+      if (pathChange) {
+        changes.push(this.makeChange({
+          severity: 'info',
+          category: 'endpoint',
+          message: `Endpoint path changed from ${pathChange.oldValue} to ${pathChange.newValue}.`,
+          consequence: 'Clients may need to update routing or parameter names.',
+          migration: 'Review the path syntax changes.',
+          location: { path: ed.path, method: ed.method }
+        }, context));
+      }
+    }
+    return changes;
+  }
+}

package/src/rules/index.ts ADDED Viewed

@@ -0,0 +1,83 @@
+import type { IRule, DiffSet, RuleContext, SemanticChange } from '../types/index.js';
+import { SecurityAddedRule } from './auth/security-added.js';
+import { EndpointRemovedRule } from './endpoint/endpoint-removed.js';
+import { EndpointAddedRule } from './endpoint/endpoint-added.js';
+import { EndpointDeprecatedRule } from './endpoint/endpoint-deprecated.js';
+import { HttpMethodChangedRule } from './endpoint/http-method-changed.js';
+import { PathChangedRule } from './endpoint/path-changed.js';
+import { ResponseFieldRemovedRule } from './response/response-field-removed.js';
+import { ParamRequiredAddedRule } from './param/param-required-added.js';
+import { ParamRemovedRule } from './param/param-removed.js';
+import { ParamAddedRule } from './param/param-added.js';
+import { ParamDeprecatedRule } from './param/param-deprecated.js';
+import { ParamTypeChangedRule } from './param/param-type-changed.js';
+import { ParamLocationChangedRule } from './param/param-location-changed.js';
+import { ParamEnumValueRemovedRule } from './param/param-enum-value-removed.js';
+import { ParamEnumValueAddedRule } from './param/param-enum-value-added.js';
+import { ParamRequiredTrueToFalseRule } from './param/param-required-true-to-false.js';
+import { RequestBodyAddedRequiredRule } from './request/request-body-added-required.js';
+import { RequestBodyRemovedRule } from './request/request-body-removed.js';
+import { RequestContentTypeAddedRule } from './request/request-content-type-added.js';
+import { RequestContentTypeRemovedRule } from './request/request-content-type-removed.js';
+import { RequestFieldRemovedRule } from './request/request-field-removed.js';
+import { RequestFieldAddedRequiredRule } from './request/request-field-added-required.js';
+import { RequestFieldTypeChangedRule } from './request/request-field-type-changed.js';
+import { RequestRequiredFalseToTrueRule } from './request/request-required-false-to-true.js';
+import { ResponseFieldAddedRule } from './response/response-field-added.js';
+import { ResponseFieldTypeChangedRule } from './response/response-field-type-changed.js';
+import { ResponseStatusRemovedRule } from './response/response-status-removed.js';
+import { ResponseStatusAddedRule } from './response/response-status-added.js';
+import { ResponseMediaTypeRemovedRule } from './response/response-media-type-removed.js';
+import { ResponseMediaTypeAddedRule } from './response/response-media-type-added.js';
+import { ResponseHeaderRemovedRule } from './response/response-header-removed.js';
+import { ResponseHeaderAddedRequiredRule } from './response/response-header-added-required.js';
+import { SecurityRemovedRule } from './auth/security-removed.js';
+import { SecuritySchemeTypeChangedRule } from './auth/security-scheme-type-changed.js';
+import { OauthScopeRemovedRule } from './auth/oauth-scope-removed.js';
+import { ServerRemovedRule } from './meta/server-removed.js';
+export const BUILT_IN_RULES: IRule[] = [
+  new SecurityAddedRule(),
+  new EndpointRemovedRule(),
+  new EndpointAddedRule(),
+  new EndpointDeprecatedRule(),
+  new HttpMethodChangedRule(),
+  new PathChangedRule(),
+  new ResponseFieldRemovedRule(),
+  new ParamRequiredAddedRule(),
+  new ParamRemovedRule(),
+  new ParamAddedRule(),
+  new ParamDeprecatedRule(),
+  new ParamTypeChangedRule(),
+  new ParamLocationChangedRule(),
+  new ParamEnumValueRemovedRule(),
+  new ParamEnumValueAddedRule(),
+  new ParamRequiredTrueToFalseRule(),
+  new RequestBodyAddedRequiredRule(),
+  new RequestBodyRemovedRule(),
+  new RequestContentTypeAddedRule(),
+  new RequestContentTypeRemovedRule(),
+  new RequestFieldRemovedRule(),
+  new RequestFieldAddedRequiredRule(),
+  new RequestFieldTypeChangedRule(),
+  new RequestRequiredFalseToTrueRule(),
+  new ResponseFieldAddedRule(),
+  new ResponseFieldTypeChangedRule(),
+  new ResponseStatusRemovedRule(),
+  new ResponseStatusAddedRule(),
+  new ResponseMediaTypeRemovedRule(),
+  new ResponseMediaTypeAddedRule(),
+  new ResponseHeaderRemovedRule(),
+  new ResponseHeaderAddedRequiredRule(),
+  new SecurityRemovedRule(),
+  new SecuritySchemeTypeChangedRule(),
+  new OauthScopeRemovedRule(),
+  new ServerRemovedRule()
+];
+export function runRules(diff: DiffSet, context: RuleContext): SemanticChange[] {
+  const enabledRules = BUILT_IN_RULES.filter(
+    r => !context.config.disabledRules.includes(r.id)
+  );
+  return enabledRules.flatMap(r => r.apply(diff, context));
+}

package/src/rules/meta/server-removed.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { BaseRule } from '../base.js';
+import type { DiffSet, RuleContext, SemanticChange } from '../../types/index.js';
+export class ServerRemovedRule extends BaseRule {
+  id = 'SERVER_REMOVED';
+  description = 'A server was removed from the API';
+  severity = 'breaking' as const;
+  apply(diff: DiffSet, context: RuleContext): SemanticChange[] {
+    const changes: SemanticChange[] = [];
+    for (const sd of diff.serverDiffs) {
+      if (sd.changeType === 'removed' && sd.oldServer) {
+        changes.push(this.makeChange({
+          severity: 'breaking',
+          category: 'server',
+          message: `Server URL '${sd.oldServer.url}' was removed.`,
+          consequence: `Clients routing traffic to '${sd.oldServer.url}' will eventually fail if the server is decommissioned.`,
+          migration: `Update clients to use one of the remaining server URLs.`,
+          location: { field: `servers` }
+        }, context));
+      }
+    }
+    return changes;
+  }
+}