dexcord/priv/coverage_allowlist.exs
Luna 0a84650025 feat(coverage): mix dexcord.coverage gate with pinned OpenAPI spec + CI workflow
Adds `Dexcord.Api.Coverage`, a testable core that diffs the compiled
endpoint route table against a pinned snapshot of Discord's official
OpenAPI spec (`priv/discord_openapi.json`). The spec is a coverage
CHECKLIST, not codegen input: it is refreshed only by the deliberate
`mix dexcord.coverage.refresh`, so upstream churn never breaks CI
spontaneously.

- `mix dexcord.coverage` compiles then exits non-zero on any in-scope
  endpoint missing from the declared surface (AC1.8/AC1.9).
- `mix dexcord.coverage.refresh` pins the spec via :httpc + castore,
  adding inets/ssl to the code path since Mix prunes them.
- `priv/coverage_allowlist.exs` records out-of-scope spec routes with a
  comment per family; reconciled against the real pin (Social SDK
  lobbies/partner-sdk, OIDC, application-by-id, scheduled-event
  exceptions, join requests, thread search, monetization).
- `.gitea/workflows/ci.yml` runs the suite + gate (Actions must be
  enabled on the Gitea remote).
- ratelimit_test.exs gains AC1.10 spot-checks proving the new Phase 5
  route shapes collapse to bounded, id-collapsed keys.
2026-07-05 06:46:09 -03:00

95 lines
3.9 KiB
Elixir

# Routes present in the pinned OpenAPI spec but deliberately NOT declared.
# Everything here remains reachable via Dexcord.Api.request/4.
[
# -- monetization (out of scope) --
"GET /applications/*/skus",
"GET /applications/*/entitlements*",
"POST /applications/*/entitlements*",
"DELETE /applications/*/entitlements*",
"GET /applications/*/subscriptions*",
"GET /skus/*/subscriptions*",
# -- soundboard (out of scope) --
"GET /soundboard-default-sounds",
"GET /guilds/*/soundboard-sounds*",
"POST /guilds/*/soundboard-sounds",
"PATCH /guilds/*/soundboard-sounds/*",
"DELETE /guilds/*/soundboard-sounds/*",
"POST /channels/*/send-soundboard-sound",
# -- stage instances (out of scope) --
"GET /stage-instances/*",
"POST /stage-instances",
"PATCH /stage-instances/*",
"DELETE /stage-instances/*",
# -- guild templates (out of scope) --
"GET /guilds/templates/*",
"POST /guilds/templates/*",
"GET /guilds/*/templates",
"POST /guilds/*/templates",
"PUT /guilds/*/templates/*",
"PATCH /guilds/*/templates/*",
"DELETE /guilds/*/templates/*",
# -- Bearer-only / not bot-usable --
"GET /oauth2/@me",
"GET /users/@me/applications/*/role-connection",
"PUT /users/@me/applications/*/role-connection",
"DELETE /users/@me/applications/*/role-connection",
"GET /applications/*/role-connections/metadata",
"PUT /applications/*/role-connections/metadata",
"PUT /applications/*/guilds/*/commands/*/permissions",
"PUT /applications/*/guilds/*/commands/permissions",
# -- deprecated routes kept out of the typed surface --
"GET /channels/*/pins",
"PUT /channels/*/pins/*",
"DELETE /channels/*/pins/*",
"PATCH /guilds/*/members/@me/nick",
# -- removed from official docs (2026-07); spec may still carry them --
"POST /guilds",
"DELETE /guilds/*",
"POST /guilds/*/mfa",
# -- special CSV multipart (guest invites); escape hatch --
"GET /invites/*/target-users*",
"PUT /invites/*/target-users",
# -- activities --
"GET /applications/*/activity-instances/*",
# -- OAuth2 token machinery (not a bot-library concern) --
"POST /oauth2/token*",
"POST /oauth2/token/revoke",
# -- OpenID Connect / key-discovery (bearer/OIDC, not bot-token) --
"GET /oauth2/keys",
"GET /oauth2/userinfo",
# ---------------------------------------------------------------------------
# Reconciliation against the pinned spec (2026-07-05). Everything below is
# present upstream but NOT in the plan's authoritative declared surface: all
# are Social-SDK-era or post-inventory additions, none documented as part of
# the bot-token REST surface the design scoped. Reachable via request/4.
# ---------------------------------------------------------------------------
#
# -- Social SDK: Lobbies (whole resource family, out of scope) --
"PUT /lobbies*",
"POST /lobbies*",
"GET /lobbies*",
"PATCH /lobbies*",
"DELETE /lobbies*",
# -- Social SDK: Partner SDK token + provisional accounts + DM moderation --
"POST /partner-sdk*",
"PUT /partner-sdk*",
# -- Application-by-id (Social SDK / OAuth variants of the @me routes we
# declare) + application attachment upload --
"GET /applications/*",
"PATCH /applications/*",
"POST /applications/*/attachment",
# -- Guild scheduled-event exceptions & user counts (recurring-event feature;
# the base scheduled-events family IS declared — only these extras aren't) --
"POST /guilds/*/scheduled-events/*/exceptions",
"PATCH /guilds/*/scheduled-events/*/exceptions/*",
"GET /guilds/*/scheduled-events/*/users/counts",
"GET /guilds/*/scheduled-events/*/*/users",
# -- Guild join requests / membership application flow (newer feature) --
"GET /guilds/*/new-member-welcome",
"GET /guilds/*/requests",
"PATCH /guilds/*/requests/*",
# -- Thread search (not in the documented channel bot surface) --
"GET /channels/*/threads/search",
# -- monetization: per-user application entitlements (monetization excluded) --
"GET /users/@me/applications/*/entitlements"
]