Skip to content

Add cross-org ecosystem inventory and shared automation OpenAPI contract#3

Merged
Pmaster-dev merged 4 commits into
developfrom
copilot/scan-html-md-pkg-workflows
Jul 2, 2026
Merged

Add cross-org ecosystem inventory and shared automation OpenAPI contract#3
Pmaster-dev merged 4 commits into
developfrom
copilot/scan-html-md-pkg-workflows

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

This PR implements the first phase of the ecosystem alignment plan by documenting the pinkycollie + Pmaster-dev operating model and introducing a reusable API contract for automation workflows. It establishes a concrete source of truth in server for cross-org orchestration and contract-driven integration.

  • Ecosystem inventory (cross-org map)

    • Added docs/pinkycollie-ecosystem-inventory.md with the six-layer strategy:
      • org-level template hubs
      • standardized CI/CD lifecycle
      • framework/repo instance mapping
      • REST vs webhook decision rules
      • webhook bridge flow
      • versioned artifact locations
    • Captures ordered next actions to drive rollout across repos.
  • Shared automation API contract

    • Added docs/openapi/automation.yaml (OpenAPI 3.1) defining core automation endpoints:
      • trigger events
      • manage automation definitions
      • inspect run history and aggregate stats
    • Includes typed schemas for definitions, run results, status enums, and stats to support consistent producer/consumer integration across repos.
  • Contract clarity improvements

    • Set environment-neutral server base URL (/) for deployment-specific resolution.
    • Tightened schema documentation for payload semantics and step/variable identifier fields.
paths:
  /automation/events/trigger:
    post:
      operationId: triggerAutomationEvent
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/TriggerEventRequest'

Copilot AI requested a review from Pmaster-dev July 2, 2026 07:32
@Pmaster-dev Pmaster-dev marked this pull request as ready for review July 2, 2026 12:17
Copilot AI review requested due to automatic review settings July 2, 2026 12:17
@Pmaster-dev Pmaster-dev added documentation Improvements or additions to documentation enhancement New feature or request labels Jul 2, 2026
@qodo-code-review

Copy link
Copy Markdown

PR Summary by Qodo

Add cross-org ecosystem inventory and shared automation OpenAPI contract

📝 Documentation ✨ Enhancement ⚙️ Configuration changes 🕐 20-40 Minutes

Grey Divider

AI Description

• Document the pinkycollie + Pmaster-dev operating model and rollout priorities.
• Introduce a shared OpenAPI 3.1 contract for cross-repo automation orchestration.
• Fix Pyre GitHub Action invocation and allow non-blocking SARIF generation.
Diagram

graph TD
  subgraph Docs
    INV["Ecosystem inventory (MD)"] --> OAS["Automation OpenAPI (YAML)"] --> CONS["Producers/consumers across repos"]
  end
  subgraph CI
    WF["GitHub Actions: pyre.yml"] --> PYRE["pyre check (SARIF)"] --> SARIF["pyre-results.sarif"] --> GHCS["GitHub code scanning"]
  end
Loading
High-Level Assessment

The following are alternative approaches to this PR:

1. Model event triggers with AsyncAPI (and keep REST for CRUD)
  • ➕ More natural fit for webhook/event-driven automation triggers
  • ➕ Stronger semantics for brokers, topics, and event payload evolution
  • ➖ Adds another spec type to maintain alongside OpenAPI
  • ➖ Tooling and governance becomes more complex for phase 1
2. Code-first contract generation (server generates OpenAPI)
  • ➕ Prevents spec drift if endpoints are implemented in the same repo
  • ➕ Can auto-validate request/response examples against code
  • ➖ Requires an implementation to exist (or scaffolding) before the contract is stable
  • ➖ Harder to use as a pure cross-org planning artifact early on
3. Publish versioned contract as an artifact (npm/pypi/OCI) + CI validation
  • ➕ Clear versioning/upgrade path for multiple repos
  • ➕ Enables automated compatibility checks (breaking-change detection)
  • ➖ Extra release process overhead and tooling setup
  • ➖ Might be premature until endpoints/schemas stabilize

Recommendation: For phase 1, the PR’s doc-first OpenAPI contract in-repo is the right tradeoff: it creates a concrete shared source of truth without requiring implementation coupling. Consider adding lightweight CI validation (spectral/openapi-cli) and an explicit versioning policy (e.g., semver + changelog) before multiple repos begin to depend on the schemas.

Files changed (3) +345 / -1

Documentation (2) +343 / -0
automation.yamlAdd OpenAPI 3.1 contract for shared automation endpoints +269/-0

Add OpenAPI 3.1 contract for shared automation endpoints

• Introduces a versioned OpenAPI 3.1 spec defining endpoints for triggering events, managing automation definitions, listing runs, and retrieving aggregate stats. Adds core schemas (definitions, run results, component outputs, status enum, and stats) and uses an environment-neutral base URL (/).

docs/openapi/automation.yaml

pinkycollie-ecosystem-inventory.mdDocument cross-org ecosystem map and rollout sequence +74/-0

Document cross-org ecosystem map and rollout sequence

• Adds an ecosystem inventory describing the six-layer alignment strategy across pinkycollie and Pmaster-dev, including template hubs, pipeline lifecycle, integration rules, webhook bridge flow, and artifact locations. Captures a prioritized next-action sequence for rollout across repositories.

docs/pinkycollie-ecosystem-inventory.md

Other (1) +2 / -1
pyre.ymlFix Pyre SARIF generation and make the step non-blocking +2/-1

Fix Pyre SARIF generation and make the step non-blocking

• Updates the Pyre invocation to current CLI flags and explicitly sets source directories. Marks the Pyre run step as continue-on-error so failures don’t block SARIF upload while still producing scan artifacts when possible.

.github/workflows/pyre.yml

@qodo-code-review

Copy link
Copy Markdown

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📜 Skill insights (0)

Grey Divider


Action required

1. Payload type mismatch 🐞 Bug ≡ Correctness
Description
TriggerEventRequest.payload is constrained to an object in the OpenAPI contract, but the
automation engine accepts arbitrary payload types (and the repo’s own example passes a string). This
makes the contract reject valid events or forces clients to wrap non-object payloads, diverging from
current runtime behavior.
Code

docs/openapi/automation.yaml[R153-160]

+        event_type:
+          type: string
+        payload:
+          description: Event payload forwarded to automation steps.
+          type: object
+          additionalProperties: true
+          nullable: true
+        metadata:
Evidence
The new OpenAPI contract restricts payload to an object, while the implementation and examples
clearly pass and accept non-object payloads (e.g., strings).

docs/openapi/automation.yaml[150-164]
src/automation/engine.py[59-67]
src/automation/init.py[18-28]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The OpenAPI schema for `TriggerEventRequest.payload` is `type: object`, but the implementation treats payload as `Any` and examples pass strings. This makes the contract incompatible with the current engine usage.

## Issue Context
- `TriggerEvent.payload` is typed as `Any`.
- Quick-start uses `payload="world"` (a string).

## Fix approach
Update `TriggerEventRequest.payload` to accept any JSON value (object/array/string/number/boolean/null). In OpenAPI 3.1 (JSON Schema 2020-12), express this using `anyOf` (or omit `type` entirely) rather than forcing `type: object`.

## Fix Focus Areas
- docs/openapi/automation.yaml[150-164]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools



Remediation recommended

2. OAS3.1 nullable keyword 🐞 Bug ⚙ Maintainability
Description
The OpenAPI document declares openapi: 3.1.0 but uses nullable: true in multiple schemas, which
reduces interoperability with JSON-Schema-based OpenAPI 3.1 tooling. This can lead to
clients/validators treating fields as non-nullable or failing validation depending on the toolchain.
Code

docs/openapi/automation.yaml[R234-248]

+        started_at:
+          type: string
+          format: date-time
+          nullable: true
+        finished_at:
+          type: string
+          format: date-time
+          nullable: true
+        duration_ms:
+          type: number
+          nullable: true
+        error:
+          type: string
+          nullable: true
+      required: [run_id, trigger, status, outputs]
Evidence
The spec declares OpenAPI 3.1.0 at the top of the file, but later schemas rely on nullable: true,
creating a 3.0-style nullability pattern inside a 3.1 contract.

docs/openapi/automation.yaml[1-9]
docs/openapi/automation.yaml[234-248]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`docs/openapi/automation.yaml` declares OpenAPI 3.1.0 while using `nullable: true` across schemas. In 3.1, schemas are JSON Schema; nullability is typically expressed via unions (e.g., `anyOf` including `{ "type": "null" }`), improving portability across validators/generators.

## Issue Context
Affected examples include `started_at`, `finished_at`, `duration_ms`, `error`, and others.

## Fix approach
Replace `nullable: true` usages with JSON Schema unions:
- For a nullable string: `anyOf: [{type: string}, {type: "null"}]`
- For `date-time`: include `format: date-time` on the string branch
- For nullable numbers: `anyOf: [{type: number}, {type: "null"}]`
- For payload/result where type is flexible: model explicitly with `anyOf` branches or use an unconstrained schema plus explicit null allowance.

## Fix Focus Areas
- docs/openapi/automation.yaml[150-164]
- docs/openapi/automation.yaml[195-211]
- docs/openapi/automation.yaml[234-248]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


3. Pyre failures masked 🐞 Bug ☼ Reliability
Description
The Pyre SARIF generation step is marked continue-on-error: true, so the workflow can succeed even
when Pyre fails to run, weakening CI enforcement and making type-check regressions easier to miss.
Since SARIF upload is gated with if: always(), this also reduces the ability to use job status as
a reliable signal that analysis executed successfully.
Code

.github/workflows/pyre.yml[R53-58]

      - name: Run Pyre (generate SARIF)
-        run: pyre check --output-format sarif > pyre-results.sarif
+        continue-on-error: true
+        run: pyre --output sarif --source-directory src --source-directory auth check > pyre-results.sarif

      - name: Upload Pyre results to GitHub Code Scanning
        if: always()
Evidence
The workflow explicitly allows the Pyre step to fail without failing the job and always proceeds to
the SARIF upload step, reducing the reliability of CI status as an indicator of successful analysis.

.github/workflows/pyre.yml[53-61]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
The Pyre step is configured with `continue-on-error: true`, so failures don’t fail the job, reducing CI signal.

## Issue Context
If the intent is to keep code scanning results while still failing the job when Pyre can’t execute (misconfiguration, crash, etc.), `continue-on-error` is too coarse.

## Fix approach
Choose one:
1) Remove `continue-on-error: true` to make Pyre a real gate again.
2) Replace `continue-on-error` with a shell wrapper that captures the exit code and only suppresses expected “type errors” exits while still failing on execution/configuration errors (if Pyre exit codes are well-defined in your environment).
3) If you intentionally don’t want gating, add an explicit step that emits a GitHub Actions annotation / summary when the Pyre step fails so it’s visible, and consider marking the SARIF upload step `continue-on-error: true` to avoid secondary failures.

## Fix Focus Areas
- .github/workflows/pyre.yml[53-61]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools


Grey Divider

Qodo Logo

Comment on lines +153 to +160
event_type:
type: string
payload:
description: Event payload forwarded to automation steps.
type: object
additionalProperties: true
nullable: true
metadata:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Action required

1. Payload type mismatch 🐞 Bug ≡ Correctness

TriggerEventRequest.payload is constrained to an object in the OpenAPI contract, but the
automation engine accepts arbitrary payload types (and the repo’s own example passes a string). This
makes the contract reject valid events or forces clients to wrap non-object payloads, diverging from
current runtime behavior.
Agent Prompt
## Issue description
The OpenAPI schema for `TriggerEventRequest.payload` is `type: object`, but the implementation treats payload as `Any` and examples pass strings. This makes the contract incompatible with the current engine usage.

## Issue Context
- `TriggerEvent.payload` is typed as `Any`.
- Quick-start uses `payload="world"` (a string).

## Fix approach
Update `TriggerEventRequest.payload` to accept any JSON value (object/array/string/number/boolean/null). In OpenAPI 3.1 (JSON Schema 2020-12), express this using `anyOf` (or omit `type` entirely) rather than forcing `type: object`.

## Fix Focus Areas
- docs/openapi/automation.yaml[150-164]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment on lines +234 to +248
started_at:
type: string
format: date-time
nullable: true
finished_at:
type: string
format: date-time
nullable: true
duration_ms:
type: number
nullable: true
error:
type: string
nullable: true
required: [run_id, trigger, status, outputs]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remediation recommended

2. Oas3.1 nullable keyword 🐞 Bug ⚙ Maintainability

The OpenAPI document declares openapi: 3.1.0 but uses nullable: true in multiple schemas, which
reduces interoperability with JSON-Schema-based OpenAPI 3.1 tooling. This can lead to
clients/validators treating fields as non-nullable or failing validation depending on the toolchain.
Agent Prompt
## Issue description
`docs/openapi/automation.yaml` declares OpenAPI 3.1.0 while using `nullable: true` across schemas. In 3.1, schemas are JSON Schema; nullability is typically expressed via unions (e.g., `anyOf` including `{ "type": "null" }`), improving portability across validators/generators.

## Issue Context
Affected examples include `started_at`, `finished_at`, `duration_ms`, `error`, and others.

## Fix approach
Replace `nullable: true` usages with JSON Schema unions:
- For a nullable string: `anyOf: [{type: string}, {type: "null"}]`
- For `date-time`: include `format: date-time` on the string branch
- For nullable numbers: `anyOf: [{type: number}, {type: "null"}]`
- For payload/result where type is flexible: model explicitly with `anyOf` branches or use an unconstrained schema plus explicit null allowance.

## Fix Focus Areas
- docs/openapi/automation.yaml[150-164]
- docs/openapi/automation.yaml[195-211]
- docs/openapi/automation.yaml[234-248]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

Comment thread .github/workflows/pyre.yml

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces cross-org documentation and a reusable automation OpenAPI contract to serve as a shared “source of truth” for orchestration between pinkycollie and Pmaster-dev.

Changes:

  • Added an ecosystem inventory document describing the cross-org operating model, lifecycle layers, and rollout sequence.
  • Added an OpenAPI 3.1 contract (docs/openapi/automation.yaml) defining automation trigger, definition management, run history, and stats endpoints/schemas.
  • Updated the Pyre GitHub Actions workflow command/options for SARIF generation and upload.

Reviewed changes

Copilot reviewed 3 out of 8 changed files in this pull request and generated 8 comments.

File Description
docs/pinkycollie-ecosystem-inventory.md Adds cross-org ecosystem inventory + rollout plan documentation.
docs/openapi/automation.yaml Introduces OpenAPI 3.1 contract for shared automation workflows and data schemas.
.github/workflows/pyre.yml Adjusts Pyre invocation and makes the Pyre step non-blocking while still uploading SARIF.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/pinkycollie-ecosystem-inventory.md Outdated
Comment on lines +155 to +159
payload:
description: Event payload forwarded to automation steps.
type: object
additionalProperties: true
nullable: true
Comment on lines +202 to +203
result:
nullable: true
Comment on lines +204 to +206
error:
type: string
nullable: true
Comment on lines +234 to +237
started_at:
type: string
format: date-time
nullable: true
Comment on lines +238 to +241
finished_at:
type: string
format: date-time
nullable: true
Comment on lines +242 to +244
duration_ms:
type: number
nullable: true
Comment on lines +245 to +247
error:
type: string
nullable: true
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@Pmaster-dev Pmaster-dev merged commit 27f2f23 into develop Jul 2, 2026
5 checks passed
@Pmaster-dev Pmaster-dev added the bug Something isn't working label Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants