
Commit d7d01f7

author
Peter Hauge
committed
String sensitivity audit across repo
1 parent a377701 commit d7d01f7

12 files changed

Lines changed: 14 additions & 23 deletions


.squad/agents/apicexpert/history.md

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management and API Center
66
- **Spec:** `specs/001-apiops-cli/spec.md`
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0)
8-
- **User:** Elizabeth Maher
98
- **Stack:** TypeScript 6.x, Node.js 22 LTS, `@azure/identity` for auth, raw APIC REST API (no SDK for payloads)
109
- **APIC REST API base:** `https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ApiCenter/services/{svc}`
1110
- **Key distinction:** APIC and APIM are separate Azure services with separate REST APIs, separate RBAC, and different resource models.
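Review bot: Dropping the `- **User:**` line here (and in the sibling agent histories) removes the name from the working tree only; the same string is still present in every commit before d7d01f7, so the removal only helps if the pre-publication history is squashed or the repo is re-initialised before the public push. It is also worth pairing this hand edit with a scanner rule (for example a custom regex in a gitleaks config) for the removed name and alias so a later `.squad/` history update does not reintroduce them.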

.squad/agents/apimexpert/history.md

Lines changed: 1 addition & 2 deletions
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management (`apiops extract`, `apiops publish`, `apiops init`)
66
- **Spec:** `specs/001-apiops-cli/spec.md`
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0)
8-
- **User:** Elizabeth Maher
98
- **Stack:** TypeScript 6.x, Node.js 22 LTS, `@azure/identity` for auth, raw APIM REST API (no SDK for payloads)
109
- **APIM REST API base:** `https://management.azure.com/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.ApiManagement/service/{svc}`
1110
- **Key rule:** Resource bodies are `Record<string, unknown>` — never typed DTOs. Unknown properties MUST be preserved.
@@ -54,7 +53,7 @@
5453

5554
Detection strategy in `api-extractor.ts#hasGraphQLSchemaResource`: list ApiSchema children, check for `contentType` containing `'graphql'`. If yes → skip export.
5655

57-
**SOAP 500 divergence from Azure/apiops:** The reference tool at `C:\Users\enewman\source\repos\azure\apiops` catches HTTP 500 on XML exports and skips the spec with comment *"Don't export XML specifications, as the non-link exports cannot be reimported."* This is incorrect — inline `format=wsdl` output **is** re-importable via PUT `?import=true&format=wsdl`. Our implementation uses this fallback to preserve round-trip capability.
56+
**SOAP 500 divergence from Azure/apiops:** The reference tool catches HTTP 500 on XML exports and skips the spec with comment *"Don't export XML specifications, as the non-link exports cannot be reimported."* This is incorrect — inline `format=wsdl` output **is** re-importable via PUT `?import=true&format=wsdl`. Our implementation uses this fallback to preserve round-trip capability.
5857

5958
**Retry policy for XML exports:** Pass `noRetryOn5xx=true` to `request()` for wsdl-link/wadl-link. The 500s are deterministic, not transient, so retries waste time. Fall back to inline format immediately.
6059
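Review bot: Removing the local path `C:\Users\enewman\source\repos\azure\apiops` is the right call, but the sentence now says "The reference tool" with nothing to identify it; the public upstream is Azure/apiops on GitHub, so replace the path with that repository reference (and ideally the file and commit the quoted comment comes from) so the divergence note stays verifiable after publication.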

.squad/agents/apiopslead/history.md

Lines changed: 4 additions & 5 deletions
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management (`apiops extract`, `apiops publish`, `apiops init`)
66
- **Spec:** `specs/001-apiops-cli/spec.md`
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0) — supreme governance document
8-
- **User:** Elizabeth Maher
98
- **Stack:** TypeScript 6.x, Node.js 22 LTS, Commander, `@azure/identity`, Vitest, ESLint
109
- **Key constraint:** No `@azure/arm-apimanagement` SDK for resource payloads — raw REST only
1110

@@ -38,9 +37,9 @@
3837

3938
### 2026-06-02: APIM v1 → v2 SKU Migration Proposal
4039

41-
**What:** Wrote `specs/sku-upgrade.md` — a comprehensive proposal for enabling APIM v1-to-v2 SKU migration via apiops-cli. Requested by Peter Hauge.
40+
**What:** Wrote `specs/sku-upgrade.md` — a comprehensive proposal for enabling APIM v1-to-v2 SKU migration via apiops-cli. Requested by project maintainer.
4241

43-
**Decision:** Phase 1 MVP uses existing `extract` + `publish` commands with migration documentation — no new command needed. The `ApimServiceContext` is already parameterized, so source (v1) and target (v2) are just two different context instances. Phase 2 would add `apiops copy` for direct source→target streaming if demand warrants.
42+
**Decision:** Phase 1 MVP uses existing `extract` + `publish` commands with migration documentation — no new command needed.The `ApimServiceContext` is already parameterized, so source (v1) and target (v2) are just two different context instances. Phase 2 would add `apiops copy` for direct source→target streaming if demand warrants.
4443

4544
**Key findings:**
4645
1. All 34 `ResourceType` enum values are supported for round-trip extract/publish — covers APIs, products, policies, backends, named values, gateways, workspaces, GraphQL resolvers, etc.
@@ -58,9 +57,9 @@
5857

5958
### 2026-06-02: APIM v1 → v2 SKU Migration Proposal
6059

61-
**What:** Wrote `specs/sku-upgrade.md` — a comprehensive proposal for enabling APIM v1-to-v2 SKU migration via apiops-cli. Requested by Peter Hauge.
60+
**What:** Wrote `specs/sku-upgrade.md` — a comprehensive proposal for enabling APIM v1-to-v2 SKU migration via apiops-cli. Requested by project maintainer.
6261

63-
**Decision:** Phase 1 MVP uses existing `extract` + `publish` commands with migration documentation — no new command needed. The `ApimServiceContext` is already parameterized, so source (v1) and target (v2) are just two different context instances. Phase 2 would add `apiops copy` for direct source→target streaming if demand warrants.
62+
**Decision:** Phase 1 MVP uses existing `extract` + `publish` commands with migration documentation — no new command needed.The `ApimServiceContext` is already parameterized, so source (v1) and target (v2) are just two different context instances. Phase 2 would add `apiops copy` for direct source→target streaming if demand warrants.
6463

6564
**Key findings:**
6665
1. All 34 `ResourceType` enum values are supported for round-trip extract/publish — covers APIs, products, policies, backends, named values, gateways, workspaces, GraphQL resolvers, etc.

.squad/agents/nodejsdev/history.md

Lines changed: 0 additions & 1 deletion
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management (`apiops extract`, `apiops publish`, `apiops init`)
66
- **Spec:** `specs/001-apiops-cli/spec.md`
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0)
8-
- **User:** Elizabeth Maher
98
- **Stack:** Node.js 22 LTS, Commander CLI framework, ESM, npm
109
- **CLI commands:** `apiops extract [options]`, `apiops publish [options]`, `apiops init [options]`
1110
- **Key rule (Constitution §I):** Every interactive input MUST have a non-interactive flag equivalent. Non-interactive mode required when stdout is not a TTY.

.squad/agents/opensourceexpert/history.md

Lines changed: 0 additions & 1 deletion
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management (planned public release)
66
- **Spec:** `specs/001-apiops-cli/spec.md`
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0)
8-
- **User:** Elizabeth Maher
98
- **OSS Authority:** https://opensource.microsoft.com/program
109
- **Target license:** MIT or Apache 2.0 (permissive required for public npm package)
1110
- **Required health files:** LICENSE, CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, README.md

.squad/agents/securityexpert/history.md

Lines changed: 1 addition & 2 deletions
@@ -4,7 +4,6 @@
44

55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management operations
66
- **Stack:** TypeScript 5.x, Node.js 22.x, Commander, @azure/identity, js-yaml, simple-git
7-
- **User:** Elizabeth Maher
87
- **Repo:** Azure/apiops-cli (public, open source)
98
- **Security posture:** AI-first repo with strict human-in-the-loop policy
109

@@ -20,6 +19,6 @@
2019
## Learnings
2120

2221
### 2026-06-12: Open-Source Sensitivity Audit
23-
Performed a thorough read-only sensitivity audit across all 326 tracked files in preparation for open-source publication. Scanned for secrets/credentials, internal Microsoft URLs, PII, internal comments, internal tool configs, sensitive paths, draft docs, hardcoded Azure resource IDs, and internal dependency references. Findings delivered to Peter Hauge for compliance sign-off. No live credentials, certificates, or storage keys were found. All Azure GUIDs encountered were either zero-padded placeholders, the documented Azure DevOps app GUID `499b84ac-...`, or public Azure built-in role definition IDs. Primary cleanup items: a developer machine path `C:\Users\enewman\...` and three `enewman` alias references in `.squad/` history/decisions; the alias is also tied to the only real-looking storage account name `apigblstorageprdmwh.blob.core.windows.net` reflected in a test fixture.
22+
Performed a thorough read-only sensitivity audit across all tracked files in preparation for open-source publication. Scanned for secrets/credentials, internal Microsoft URLs, PII, internal comments, internal tool configs, sensitive paths, draft docs, hardcoded Azure resource IDs, and internal dependency references. Findings delivered for compliance sign-off. No live credentials, certificates, or storage keys were found. All Azure GUIDs encountered were either zero-padded placeholders or public Azure built-in role definition IDs. Primary cleanup items: a developer machine path and alias references in `.squad/` history/decisions; one real-looking storage account name in a test fixture.
2423

2524
**Findings Summary:** 2 MEDIUM items, 3 LOW items. Orchestration log: `.squad/orchestration-log/2026-05-19T22-01-securityexpert.md`

.squad/agents/testengineer/history.md

Lines changed: 0 additions & 1 deletion
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management (`apiops extract`, `apiops publish`, `apiops init`)
66
- **Spec:** `specs/001-apiops-cli/spec.md` — acceptance criteria are the primary source for test cases
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0)
8-
- **User:** Elizabeth Maher
98
- **Stack:** Vitest (native ESM + TypeScript), Node.js 22 LTS
109
- **Key rule (Constitution §VI):** All business logic MUST be testable in isolation without requiring live Azure resources.
1110
- **Test strategy:** Unit tests (no network, no disk I/O) are mandatory. Integration tests (real Azure) are complementary.

.squad/agents/typescriptdev/history.md

Lines changed: 0 additions & 1 deletion
@@ -5,7 +5,6 @@
55
- **Project:** apiops-cli — TypeScript CLI for Azure API Management (`apiops extract`, `apiops publish`, `apiops init`)
66
- **Spec:** `specs/001-apiops-cli/spec.md`
77
- **Constitution:** `.squad/identity/constitution.md` (v2.1.0)
8-
- **User:** Elizabeth Maher
98
- **Stack:** TypeScript 5.x strict mode, Node.js 22 LTS, ESLint with @typescript-eslint
109
- **Key principle (Constitution §VI):** Core operations MUST depend on abstractions, not concrete HTTP/file-system implementations.
1110
- **Key principle (Constitution §VII):** Resource bodies are `Record<string, unknown>` — opaque passthrough, no typed DTOs.

.squad/decisions.md

Lines changed: 4 additions & 4 deletions
@@ -93,19 +93,19 @@
9393
**Why:** After publishing to npm as `@peterhauge/apiops-cli`, requiring users to download the package and run `apiops init --cli-package ./tarball.tgz` added unnecessary friction. Most users want to reference the public package directly. The change is backward compatible — existing workflows with `--cli-package` continue to work unchanged. Improves user experience with simpler onboarding.
9494

9595
### 2026-04-21T19:35:00Z: SOAP/WADL spec extraction prefers link format with inline XML fallback
96-
**By:** ApimExpert (via Squad session with enewman)
96+
**By:** ApimExpert (via Squad session with a user)
9797
**Status:** Implemented
9898
**What:** For soap-type APIs, `getApiSpecification` requests `format=wsdl-link` first. On HTTP 5xx, it falls back to the inline (non-link) `format=wsdl` export which returns raw WSDL XML in `properties.value`. WADL follows the same pattern (`wadl-link``format=wadl` fallback). The XML fallback content is saved as `specification.wsdl` / `specification.wadl` and is re-importable via PUT `?import=true&format=wsdl` (or `wadl-xml`).
99-
**Why:** User requires full round-trip fidelity — SOAP APIs must be re-importable to a new APIM instance. APIM's `wsdl-link` emitter deterministically returns HTTP 500 on many real-world SOAP APIs (observed: 270 of 272 soap APIs in a production tenant). Azure/apiops reference tool skips XML specs on 500 with comment "non-link exports cannot be reimported" — this is inaccurate; the inline form IS re-importable. Converting SOAP → OpenAPI via `openapi-link` works but loses SOAP semantics on round-trip.
99+
**Why:** User requires full round-trip fidelity — SOAP APIs must be re-importable to a new APIM instance. APIM's `wsdl-link` emitter deterministically returns HTTP 500 on many real-world SOAP APIs. Azure/apiops reference tool skips XML specs on 500 with comment "non-link exports cannot be reimported" — this is inaccurate; the inline form IS re-importable. Converting SOAP → OpenAPI via `openapi-link` works but loses SOAP semantics on round-trip.
100100

101101
### 2026-04-21T19:34:00Z: Synthetic GraphQL APIs skip the graphql-link export call
102-
**By:** ApimExpert (via Squad session with enewman)
102+
**By:** ApimExpert (via Squad session with a user)
103103
**Status:** Implemented
104104
**What:** Before calling `graphql-link` export, `api-extractor.ts` probes ApiSchema children via `hasGraphQLSchemaResource` and checks for `contentType` containing 'graphql'. If found (synthetic GraphQL — SDL stored as an ApiSchema resource), the export call is skipped. If not found (pass-through GraphQL), `graphql-link` is called normally.
105105
**Why:** APIM returns HTTP 406 on `graphql-link` export for synthetic GraphQL APIs because there is nothing to export — the SDL is already held as an ApiSchema child resource and is captured by standard ApiSchema extraction. Skipping the redundant call avoids the error without losing fidelity.
106106

107107
### 2026-04-21T19:33:00Z: XML export fallback bypasses the default 5xx retry loop
108-
**By:** ApimExpert (via Squad session with enewman)
108+
**By:** ApimExpert (via Squad session with user)
109109
**Status:** Implemented
110110
**What:** `getApiSpecification` passes `noRetryOn5xx=true` to `request()` when exporting `wsdl-link` or `wadl-link`. The fallback to inline format runs immediately on HTTP 5xx rather than after three retries.
111111
**Why:** APIM's wsdl-link/wadl-link 500 errors are deterministic failures in APIM's XML emitter, not transient. Retrying wastes time and delays the fallback. The inline format path is fast and reliable.

specs/APIM-RestAPI-Coverage.md

Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ Comprehensive mapping of all APIM REST API resource types against v1 APIOps cove
6262
| 34 | GraphQL Api Resolver | `/apis/{name}/resolvers/{resolver}` |||| **NEW in v2.** GraphQL field resolvers. |
6363
| 35 | GraphQL Api Resolver Policy | `/apis/{name}/resolvers/{resolver}/policies/policy` |||| **NEW in v2.** Policies on GraphQL resolvers. |
6464
| 36 | Api Revision | `/apis/{name}/revisions` |||| List-only API; revisions extracted via API entity. |
65-
| 37 | Api Export | `/apis/{name}?export=true` |||| Read-only export. Used internally for spec extraction. |
65+
| 37 | Api Export | `/apis/{name}?export=true` |||| Read-only export. Used by apiops-cli for spec extraction. |
6666
| 38 | Api Product | `/apis/{name}/products` |||| Read-only reverse lookup. Managed via Product Api (#17). |
6767
| 39 | Api Issue | `/apis/{name}/issues/{issue}` |||| Instance-specific. User-reported issues on dev portal. |
6868
| 40 | Api Issue Attachment | `/apis/{name}/issues/{issue}/attachments/{att}` |||| Instance-specific. Child of Api Issue. |
