fix: uppercase common files

[Flo4604]

What does this PR do?

Renames all the common files to uppercase instead of having mixed cases...

Fixes # (issue)

If there is not an issue for this, please create one first. This is used to tracking purposes and also helps use understand why this PR exists

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• Test A
• Test B

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Contributing Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary

Summary by CodeRabbit

• New Features

  • Introduced new API response and error schemas, including standardized error formats and detailed validation error reporting.
  • Added schemas for Identity, Permission, Role, Ratelimit, Pagination, and Key Credits Refill objects to enhance API documentation and consistency.

• Documentation

  • Improved OpenAPI documentation with new and updated schema definitions, including enhanced descriptions and stricter validation rules.
  • Standardized naming conventions in schema references (e.g., "Role" now consistently capitalized).

• Style

  • Reformatted API route descriptions for improved readability; no changes to logic or functionality.

[changeset-bot]

⚠️ No Changeset found

Latest commit: f5e283f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
dashboard	⬜️ Ignored (Inspect)	Visit Preview		Jul 30, 2025 10:35am
engineering	⬜️ Ignored (Inspect)	Visit Preview		Jul 30, 2025 10:35am

[coderabbitai]

📝 Walkthrough

Walkthrough

This change introduces new OpenAPI schema definitions for common objects and standardized error responses, corrects schema reference casing for "Role" across OpenAPI files, and reformats route description strings in multiple TypeScript API route files for improved readability. Additionally, the Go OpenAPI generator consolidates the Role struct definition and updates schema references for consistency.

Changes

Cohort / File(s)	Change Summary
OpenAPI: New Common Schemas go/apps/api/openapi/spec/common/Identity.yaml, go/apps/api/openapi/spec/common/KeyCreditsRefill.yaml, go/apps/api/openapi/spec/common/Meta.yaml, go/apps/api/openapi/spec/common/Pagination.yaml, go/apps/api/openapi/spec/common/Permission.yaml, go/apps/api/openapi/spec/common/RatelimitOverride.yaml, go/apps/api/openapi/spec/common/RatelimitRequest.yaml, go/apps/api/openapi/spec/common/RatelimitResponse.yaml, go/apps/api/openapi/spec/common/Role.yaml	Adds new OpenAPI schema definitions for Identity, KeyCreditsRefill, Meta, Pagination, Permission, RatelimitOverride, RatelimitRequest, RatelimitResponse, and Role objects.
OpenAPI: New Standardized Error Schemas go/apps/api/openapi/spec/error/BadRequestErrorDetails.yaml, go/apps/api/openapi/spec/error/BadRequestErrorResponse.yaml, go/apps/api/openapi/spec/error/BaseError.yaml, go/apps/api/openapi/spec/error/ConflictErrorResponse.yaml, go/apps/api/openapi/spec/error/ForbiddenErrorResponse.yaml, go/apps/api/openapi/spec/error/InternalServerErrorResponse.yaml, go/apps/api/openapi/spec/error/NotFoundErrorResponse.yaml, go/apps/api/openapi/spec/error/UnauthorizedErrorResponse.yaml, go/apps/api/openapi/spec/error/ValidationError.yaml	Introduces new OpenAPI schemas for standardized error responses, including base error structure, validation error details, and specific error response types for various HTTP error scenarios.
OpenAPI: Role Schema Reference Casing go/apps/api/openapi/openapi-generated.yaml, go/apps/api/openapi/spec/paths/v2/keys/addRoles/V2KeysAddRolesResponseData.yaml, go/apps/api/openapi/spec/paths/v2/keys/removeRoles/V2KeysRemoveRolesResponseData.yaml, go/apps/api/openapi/spec/paths/v2/keys/setRoles/V2KeysSetRolesResponseData.yaml, go/apps/api/openapi/spec/paths/v2/permissions/getRole/V2PermissionsGetRoleResponseData.yaml, go/apps/api/openapi/spec/paths/v2/permissions/listRoles/V2PermissionsListRolesResponseData.yaml	Updates all references and schema definitions from lowercase "role" to capitalized "Role" for consistency in OpenAPI files.
Go OpenAPI Generator: Struct Consolidation go/apps/api/openapi/gen.go	Removes duplicate Role struct definition and consolidates it near the top of the file, updating its location without altering its fields.
TypeScript API Routes: Description Formatting apps/api/src/routes/v1_analytics_getVerifications.ts, apps/api/src/routes/v1_apis_createApi.ts, apps/api/src/routes/v1_apis_deleteApi.ts, apps/api/src/routes/v1_apis_deleteKeys.ts, apps/api/src/routes/v1_apis_getApi.ts, apps/api/src/routes/v1_apis_listKeys.ts, apps/api/src/routes/v1_identities_createIdentity.ts, apps/api/src/routes/v1_identities_deleteIdentity.ts, apps/api/src/routes/v1_identities_getIdentity.ts, apps/api/src/routes/v1_identities_listIdentities.ts, apps/api/src/routes/v1_identities_updateIdentity.ts, apps/api/src/routes/v1_keys_addPermissions.ts, apps/api/src/routes/v1_keys_addRoles.ts, apps/api/src/routes/v1_keys_createKey.ts, apps/api/src/routes/v1_keys_deleteKey.ts, apps/api/src/routes/v1_keys_getKey.ts, apps/api/src/routes/v1_keys_getVerifications.ts, apps/api/src/routes/v1_keys_removePermissions.ts, apps/api/src/routes/v1_keys_removeRoles.ts, apps/api/src/routes/v1_keys_setPermissions.ts, apps/api/src/routes/v1_keys_setRoles.ts, apps/api/src/routes/v1_keys_updateKey.ts, apps/api/src/routes/v1_keys_updateRemaining.ts, apps/api/src/routes/v1_keys_verifyKey.ts, apps/api/src/routes/v1_keys_whoami.ts, apps/api/src/routes/v1_liveness.ts, apps/api/src/routes/v1_migrations_createKey.ts, apps/api/src/routes/v1_migrations_enqueueKeys.ts, apps/api/src/routes/v1_permissions_createPermission.ts, apps/api/src/routes/v1_permissions_createRole.ts, apps/api/src/routes/v1_permissions_deletePermission.ts, apps/api/src/routes/v1_permissions_deleteRole.ts, apps/api/src/routes/v1_permissions_getPermission.ts, apps/api/src/routes/v1_permissions_getRole.ts, apps/api/src/routes/v1_permissions_listPermissions.ts, apps/api/src/routes/v1_permissions_listRoles.ts, apps/api/src/routes/v1_ratelimits_deleteOverride.ts, apps/api/src/routes/v1_ratelimits_getOverride.ts, apps/api/src/routes/v1_ratelimits_limit.ts, apps/api/src/routes/v1_ratelimits_listOverrides.ts, apps/api/src/routes/v1_ratelimits_setOverride.ts	Reformats description string literals in API route definitions from single-line to multi-line or indented format for readability. No logic or functional changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• docs: analytics quickstarts #2807: Modifies the same v1_analytics_getVerifications.ts file, introducing input validation and error handling logic, which is related to this PR's formatting changes in the same file.

Suggested labels

Core Team

Suggested reviewers

• perkinsjr
• imeyer
• mcstepp
• MichaelUnkey
• ogzhanolguncu
• chronark

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/common-schema-names

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Thank you for following the naming conventions for pull request titles! 🙏

[graphite-app]

Graphite Automations

"Notify author when CI fails" took an action on this PR • (07/30/25)

1 teammate was notified to this PR based on Andreas Thomas's automation.

"Post a GIF when PR approved" took an action on this PR • (07/30/25)

1 gif was posted to this PR based on Andreas Thomas's automation.

[chronark]

If we add all of these new definitions but don't remove the existing ones, we will have a bad time

[Flo4604]

[chronark]

CleanShot 2025-07-30 at 12.33.00@2x.png

[Flo4604]

thats due to the merge

[Flo4604]

sec

[Flo4604]

mind trying again

[chronark]

CleanShot 2025-07-30 at 12.34.49@2x.png

[chronark]

speakeasy lint openapi -s https://raw.githubusercontent.com/unkeyed/unkey/refs/heads/fix/common-schema-names/go/apps/api/openapi/openapi-generated.yaml

[Flo4604]

my newest commit fixes it, loads fine now

you kind of have to actually generate the new spec after doing changes

[Flo4604]

CleanShot 2025-07-30 at 12.36.07.png

[chronark]

ok cool, ty

[graphite-app]

[coderabbitai]

Actionable comments posted: 25

🔭 Outside diff range comments (7)

apps/api/src/routes/v1_permissions_getPermission.ts (1)

27-30: Response description says “The Role” but returns a Permission.

This is misleading for SDK generators and human readers.

-      description: "The Role",
+      description: "The Permission",

apps/api/src/routes/v1_keys_removeRoles.ts (2)

115-124: Incorrect filtering – only the first delete-request is evaluated

Because return is executed inside the inner for-of, the callback exits on the first deleteRequest, so at most one comparison is performed per connectedRole. Roles appearing later in req.roles are silently ignored.

-const deleteRoles = connectedRoles.filter((cr) => {
-  for (const deleteRequest of req.roles) {
-    if ("id" in deleteRequest) {
-      return cr.roleId === deleteRequest.id;
-    }
-    if ("name" in deleteRequest) {
-      return cr.role.name === deleteRequest.name;
-    }
-  }
-});
+const deleteRoles = connectedRoles.filter((cr) =>
+  req.roles.some((del) =>
+    "id" in del ? cr.roleId === del.id : cr.role.name === del.name,
+  ),
+);

Without this fix, attempting to remove multiple roles can leave some roles untouched, leading to confusing, partial updates.

---

146-152: Typo in audit-log description

"Disonnected" → "Disconnected". Minor, but shows up in customer audit trails and search queries.

-  description: `Disonnected ${r.roleId} and ${req.keyId}`,
+  description: `Disconnected ${r.roleId} and ${req.keyId}`,

apps/api/src/routes/v1_ratelimits_limit.ts (1)

302-323: Computed async flag is ignored when calling the rate-limiter

You correctly derive async (line 306) from an override or the request, but the value passed to rateLimiter.limit (line 322) is still req.async. Overrides therefore never take effect.

Recommend:

-const async = typeof override?.async !== "undefined" ? override.async : req.async;
+const isAsync = typeof override?.async !== "undefined" ? override.async : req.async;
…
-  identifier: [namespace.id, req.identifier, limit, duration, async].join("::"),
+  identifier: [namespace.id, req.identifier, limit, duration, isAsync].join("::"),
…
-  async: req.async,
+  async: isAsync,

Renaming the variable also avoids shadowing the reserved keyword async.

go/apps/api/openapi/spec/error/ForbiddenErrorResponse.yaml (1)

1-17: Add additionalProperties: false for stricter validation

All other new schemas (e.g., RatelimitResponse) explicitly forbid extra fields, but error responses don’t. Omitting this leads to silent acceptance of typos / unexpected payload in error objects and breaks consistency.

   - Access to the requested resource is restricted based on workspace settings

   To resolve this error, ensure your root key has the necessary permissions or contact your workspace administrator.
+
+additionalProperties: false

go/apps/api/openapi/spec/error/ConflictErrorResponse.yaml (1)

1-17: Mirror validation rules used elsewhere

Same concern as in ForbiddenErrorResponse: disallowing unknown fields keeps error contracts tight.

   - Violating unique constraints or business rules

   To resolve this error, check the current state of the resource and adjust your request accordingly.
+
+additionalProperties: false

go/apps/api/openapi/spec/common/RatelimitRequest.yaml (1)

50-56: Forbid extra fields & stay consistent with response schema

RatelimitResponse sets additionalProperties: false; request schema should do the same.

   default: false
+
+additionalProperties: false

♻️ Duplicate comments (3)

apps/api/src/routes/v1_permissions_createRole.ts (1)

18-19: Same comment as earlier – duplicated deprecation text

See remark on v1_apis_createApi.ts.

apps/api/src/routes/v1_migrations_enqueueKeys.ts (1)

16-17: Duplicate deprecation-text note

Same optional refactor suggestion as in v1_apis_createApi.ts.

apps/api/src/routes/v1_permissions_listRoles.ts (1)

13-14: Duplicate deprecation-text note

Same optional refactor suggestion as in v1_apis_createApi.ts.

[coderabbitai]

Actionable comments posted: 31

♻️ Duplicate comments (5)

go/apps/api/openapi/spec/paths/v2/keys/setRoles/V2KeysSetRolesResponseData.yaml (1)

17-17: Same uppercase-ref consistency check

The ref was updated to Role.yaml. Please run the same verification to catch any dangling lowercase references.

apps/api/src/routes/v1_keys_whoami.ts (1)

14-15: Reuse of the same deprecation notice—see earlier comment about introducing DEPRECATED_V1_DESCRIPTION.

apps/api/src/routes/v1_permissions_getPermission.ts (1)

13-14: Same duplicated deprecation notice—refer to the suggestion in v1_permissions_listPermissions.ts.

apps/api/src/routes/v1_apis_getApi.ts (1)

13-14: Deprecation text duplication—covered by prior comment regarding a shared constant.

apps/api/src/routes/v1_liveness.ts (1)

10-11: Deprecation message duplication—see first file for DRY refactor suggestion.

[coderabbitai]

Actionable comments posted: 24

🔭 Outside diff range comments (6)

apps/api/src/routes/v1_ratelimits_limit.ts (1)

361-367: Typo in meta payload: namespacId → namespaceId

Down-stream consumers will silently miss this field.

-        meta: {
-          requestId: c.get("requestId"),
-          namespacId: namespace.id,
+        meta: {
+          requestId: c.get("requestId"),
+          namespaceId: namespace.id,

apps/api/src/routes/v1_ratelimits_getOverride.ts (1)

79-84: Handle conflicting namespace parameters

If both namespaceId and namespaceName are provided, the current logic silently prefers namespaceId. Explicitly rejecting this ambiguous input will prevent accidental mismatches.

 if (!namespaceId && !namespaceName) {
   throw new UnkeyApiError({
     code: "BAD_REQUEST",
     message: "You must provide a namespaceId or a namespaceName",
   });
+}
+if (namespaceId && namespaceName) {
+  throw new UnkeyApiError({
+    code: "BAD_REQUEST",
+    message: "Provide either namespaceId or namespaceName, not both",
+  });
 }

go/apps/api/openapi/spec/common/Identity.yaml (1)

1-17: Consider locking the schema with additionalProperties: false

Unless you intentionally allow arbitrary keys on Identity, add the flag to keep payloads tight and predictable.

 type: object
 properties:
   ...
 required:
   - externalId
   - ratelimits
+additionalProperties: false

go/apps/api/openapi/spec/error/NotFoundErrorResponse.yaml (2)

10-17: Add HTTP-status context & example for faster consumer onboarding

The schema is technically correct, but the description omits the explicit HTTP status code (404) and an example payload. A short status note + example helps SDK generators surface better docs and speeds up consumer debugging.

 description: |-
   Error response when the requested resource cannot be found (HTTP 404).
@@
   To resolve this error, verify the resource ID is correct and that you have access to it.
+example:
+  meta:
+    requestId: "req_123456789"
+  error:
+    title: "Not Found"
+    detail: "Key with id 'key_abc' does not exist"
+    status: 404
+    type: "https://docs.unkey.dev/errors/not_found"

---

1-17: Use validate (not lint) with Redocly’s OpenAPI CLI

The Redocly CLI doesn’t support a lint command—use validate to catch unresolved $ref targets or circular references after adding new components.

Updated validation step:

# Validate entire OpenAPI document for unresolved $ref or circular refs
# Requires openapi-cli; skip cloning because it needs the repo.

npx -y @redocly/openapi-cli validate go/apps/api/openapi/openapi.yaml

go/apps/api/openapi/spec/error/InternalServerErrorResponse.yaml (1)

10-17: Consider supplying retry guidance via Retry-After header example

Since the description recommends retrying, an example illustrating a Retry-After header (or note that none is returned) would remove ambiguity for API consumers.

[coderabbitai]

⚠️ Potential issue

Possible schema violation when externalId is missing

externalId is defined as a required string in the OpenAPI response schema (Line 165-169) but can become undefined when identitiesById lacks the entry (e.g. cache miss or DB inconsistency). Serialising undefined will either drop the key (violating the schema) or break strict clients.

Diff suggesting a defensive guard:

-        identity: row.identityId
-          ? {
-              id: row.identityId,
-              externalId: identitiesById[row.identityId]?.externalId,
-            }
-          : undefined,
+        identity:
+          row.identityId && identitiesById[row.identityId]
+            ? {
+                id: row.identityId,
+                externalId: identitiesById[row.identityId].externalId,
+              }
+            : undefined,

This ensures we only emit identity when both id and externalId are present, keeping the runtime payload consistent with the declared schema.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	identity: row.identityId
	? {
	id: row.identityId,
	externalId: identitiesById[row.identityId]?.externalId,
	}
	id: row.identityId,
	externalId: identitiesById[row.identityId]?.externalId,
	}
	: undefined,
	})),
	identity:
	row.identityId && identitiesById[row.identityId]
	? {
	id: row.identityId,
	externalId: identitiesById[row.identityId].externalId,
	}
	: undefined,
	})),

🤖 Prompt for AI Agents

In apps/api/src/routes/v1_analytics_getVerifications.ts around lines 512 to 518,
the externalId field can be undefined if identitiesById lacks the entry, which
violates the OpenAPI schema requiring externalId as a string. To fix this, add a
defensive check to only include the identity object when both identityId and
externalId are present, otherwise set identity to undefined. This ensures the
response payload matches the declared schema and avoids runtime issues.

[coderabbitai]

🧹 Nitpick (assertive)

Unify tag naming for ratelimit routes

This file uses the singular tag "ratelimit" (Line 13) while sibling routes use "ratelimits". Consider sticking to one spelling to keep the generated docs grouped consistently.

-  tags: ["ratelimit"],
+  tags: ["ratelimits"],

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	tags: ["ratelimit"],
	operationId: "setOverride",
	summary: "Set rate limit override",
	description: "**DEPRECATED**: This API version is deprecated. Please migrate to v2. See https://www.unkey.com/docs/api-reference/v1/migration for more information.",
	description:
	"**DEPRECATED**: This API version is deprecated. Please migrate to v2. See https://www.unkey.com/docs/api-reference/v1/migration for more information.",
	tags: ["ratelimits"],
	operationId: "setOverride",
	summary: "Set rate limit override",
	description:
	"**DEPRECATED**: This API version is deprecated. Please migrate to v2. See https://www.unkey.com/docs/api-reference/v1/migration for more information.",

🤖 Prompt for AI Agents

In apps/api/src/routes/v1_ratelimits_setOverride.ts around lines 13 to 17, the
tag used is the singular "ratelimit" while sibling routes use the plural
"ratelimits". Change the tag from "ratelimit" to "ratelimits" to unify tag
naming and ensure consistent grouping in the generated documentation.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Confirm there is now only ONE Role definition

Great to see the duplicate Role struct consolidated. A second definition anywhere else would break compilation, so please double-check that the old copy was fully removed.

Run once to be sure:

The command should return nothing. If it prints another location, delete the leftover struct.

---

🏁 Script executed:

#!/bin/bash
# Find any additional Role struct definitions.
rg --no-heading --line-number $'^type\\s+Role\\s+struct' | grep -v 'openapi/gen.go'

Length of output: 133

---

Remove the stale Role struct in models_generated.go

The ripgrep check found a second Role definition here:

• go/pkg/db/models_generated.go:813

Please delete or consolidate this outdated struct so there’s only one Role type (in openapi/gen.go).

🤖 Prompt for AI Agents

In go/apps/api/openapi/gen.go lines 420 to 445, there is a duplicate Role struct
defined also in go/pkg/db/models_generated.go at line 813. To fix this, remove
the stale Role struct from models_generated.go to avoid duplication and ensure
only the Role struct in openapi/gen.go is used throughout the codebase.

[coderabbitai]

🛠️ Refactor suggestion

Leverage the shared Meta schema instead of an untyped object

The meta field is declared as a bare object, forfeiting the strong typing you just introduced in Meta.yaml. Re-use that definition for consistency and automatic validation.

-  meta:
-    type: object
-    description: Identity metadata
+  meta:
+    "$ref": "./Meta.yaml"
+    description: Identity metadata

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/common/Identity.yaml around lines 6 to 8, replace
the current untyped object declaration of the `meta` field with a reference to
the shared `Meta` schema defined in Meta.yaml. This involves changing the type
from a bare object to a $ref pointing to the Meta schema to ensure consistent
typing and automatic validation.

[coderabbitai]

⚠️ Potential issue

description is mistakenly declared as a property, not a field-description

Because it’s indented at the same level as externalId, meta, and ratelimits, the parser treats description as an additional object property rather than as the description of ratelimits.
This creates an unintended description field on every Identity object and leaves ratelimits undocumented.

   ratelimits:
     type: array
     items:
       "$ref": "./RatelimitResponse.yaml"
-  description: Identity ratelimits
+    description: Identity ratelimits

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ratelimits:
	type: array
	items:
	"$ref": "./RatelimitResponse.yaml"
	description: Identity ratelimits
	ratelimits:
	type: array
	items:
	"$ref": "./RatelimitResponse.yaml"
	description: Identity ratelimits

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/common/Identity.yaml around lines 9 to 13, the
description for the ratelimits property is incorrectly indented as a sibling
property, causing it to be treated as a separate field. To fix this, move the
description line so it is nested under the ratelimits property, properly
associating it as the description of ratelimits rather than an independent
property of Identity.

[coderabbitai]

🧹 Nitpick (assertive)

Mirror validation strictness of other error schemas

For consistency with ForbiddenErrorResponse.yaml (and common schemas), disable extra properties.

   $ref: "./BaseError.yaml"
+additionalProperties: false

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/error/ConflictErrorResponse.yaml lines 1 to 9, the
schema currently allows extra properties which is inconsistent with
ForbiddenErrorResponse.yaml and other common error schemas. Add
"additionalProperties: false" at the root level of the schema to disable extra
properties and enforce strict validation.

[coderabbitai]

🧹 Nitpick (assertive)

Add additionalProperties: false for stricter validation

All other newly-added schemas (e.g. Role.yaml) explicitly disable unknown properties. Doing the same here keeps the error response shape tight and prevents accidental leakage of extra fields.

   $ref: "./BaseError.yaml"
+additionalProperties: false

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/error/ForbiddenErrorResponse.yaml lines 1 to 9, the
schema lacks the `additionalProperties: false` setting, which is needed to
prevent unknown properties from being included in the error response. Add
`additionalProperties: false` at the root level of the schema to enforce strict
validation and disallow any properties other than those explicitly defined.

[coderabbitai]

🧹 Nitpick (assertive)

Clarify credential type in description

“root key” is Unkey-specific jargon. Down-stream consumers may send bearer tokens or session cookies. Consider broadening wording or adding a concrete header example.

-  To resolve this error, ensure you're including a valid root key in the Authorization header.
+  To resolve this error, include valid credentials, e.g.  
+  `Authorization: Bearer <root-key|access-token>`.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	description: |-
	Error response when authentication has failed or credentials are missing. This occurs when:
	- No authentication token is provided in the request
	- The provided token is invalid, expired, or malformed
	- The token format doesn't match expected patterns
	To resolve this error, ensure you're including a valid root key in the Authorization header.
	description: |-
	Error response when authentication has failed or credentials are missing. This occurs when:
	- No authentication token is provided in the request
	- The provided token is invalid, expired, or malformed
	- The token format doesn't match expected patterns
	To resolve this error, include valid credentials, e.g.
	`Authorization: Bearer <root-key|access-token>`.

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/error/UnauthorizedErrorResponse.yaml around lines 10
to 16, the description uses the term "root key," which is unclear to downstream
consumers. Update the description to use more general terms like "valid
authentication credentials" and provide a concrete example, such as including a
valid token in the Authorization header (e.g., Bearer token), to clarify the
expected credential type.

[coderabbitai]

⚠️ Potential issue

Add missing newline at EOF to satisfy YAML linting

yamllint fails with new-line-at-end-of-file. CI will break until a trailing newline is present.

   enabling efficient error resolution.
+

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	additionalProperties: false
	properties:
	location:
	description: |-
	JSON path indicating exactly where in the request the error occurred. This helps pinpoint the problematic field or parameter. Examples include:
	- 'body.name' (field in request body)
	- 'body.items[3].tags' (nested array element)
	- 'path.apiId' (path parameter)
	- 'query.limit' (query parameter)
	Use this location to identify exactly which part of your request needs correction.
	type: string
	example: body.permissions[0].name
	message:
	description: Detailed error message explaining what validation rule was
	violated. This provides specific information about why the field or parameter
	was rejected, such as format errors, invalid values, or constraint violations.
	type: string
	example: Must be at least 3 characters long
	fix:
	description: A human-readable suggestion describing how to fix the error.
	This provides practical guidance on what changes would satisfy the validation
	requirements. Not all validation errors include fix suggestions, but when
	present, they offer specific remediation advice.
	type: string
	example: Ensure the name uses only alphanumeric characters, underscores,
	and hyphens
	required:
	- location
	- message
	type: object
	description:
	Individual validation error details. Each validation error provides
	precise information about what failed, where it failed, and how to fix it,
	enabling efficient error resolution.
	enabling efficient error resolution.

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 34-34: no new line character at the end of file

(new-line-at-end-of-file)

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/error/ValidationError.yaml at the end of the file
(line 34), add a newline character after the last line to satisfy YAML linting
rules and prevent CI failures due to missing EOF newline.

[coderabbitai]

🧹 Nitpick (assertive)

Consider constraining location with a pattern

A simple pattern such as ^(body|path|query)\.[A-Za-z0-9_.[\]]+$ would prevent impossible paths and catch typos early.

🤖 Prompt for AI Agents

In go/apps/api/openapi/spec/error/ValidationError.yaml around lines 3 to 12, the
'location' field currently accepts any string, which may allow invalid or
impossible JSON paths. To fix this, add a pattern constraint to the 'location'
property using a regex like ^(body|path|query)\.[A-Za-z0-9_.[\]]+$ to ensure
only valid paths starting with 'body', 'path', or 'query' followed by valid
characters are accepted. This will help catch typos and invalid paths early.