feat(poc,spiral-emit): Add swagger for future cross-implementations

[thumbrise]

Summary by CodeRabbit

• New Features
  • Added interactive Swagger UI for easy browsing and live testing of all API endpoints from a browser-based documentation interface.
  • OpenAPI/Swagger specifications now accessible in multiple formats including HTML, JSON, and YAML via dedicated documentation endpoints.
  • Integrated automatic API documentation generation with intelligent caching support and fully configurable schema management capabilities.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR integrates Swagger/OpenAPI documentation generation into a Spiral PHP application. The changes add the spiral-packages/swagger-php dependency, configure OpenAPI generation settings, register a bootloader to initialize Swagger, wire documentation routes for serving the generated specs in HTML/JSON/YAML formats, and annotate an endpoint with OpenAPI response metadata.

Changes

OpenAPI Documentation Integration

Layer / File(s)	Summary
OpenAPI dependency and configuration poc/spiral-emit/composer.json, poc/spiral-emit/app/config/swagger.php	Adds spiral-packages/swagger-php dependency with ^1.0 constraint. Creates a new Swagger configuration file defining parsers (ConfigurationParser, OpenApiParser), renderers for JSON/YAML/HTML, API documentation metadata (title, description, version), server URLs for production and local environments, source scan path (app/src), caching behavior tied to DEBUG environment variable, and operationId hashing for the generator.
Bootloader registration poc/spiral-emit/app/src/Application/Kernel.php	Imports SwaggerBootloader and registers it in the system bootloaders array, enabling OpenAPI initialization during application startup.
Documentation routes poc/spiral-emit/app/src/Application/Bootloader/RoutesBootloader.php	Imports DocumentationController and registers three routes: /api/docs for the interactive UI, /api/docs.json for the JSON specification, and /api/docs.yaml for the YAML specification.
Endpoint documentation poc/spiral-emit/app/src/Endpoint/Web/HomeController.php	Imports OpenAPI attributes, adds @throws Exception to the exception() method's docblock, and decorates the endpoint with an #[OA\Get] attribute specifying the path and a declared 500 response with description "test exception".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• thumbrise/op#32: Modifies the same HomeController::exception() method by adding OpenAPI documentation attributes and response declarations to the /exception endpoint.

Poem

🐰 A swagger of docs now takes flight,
With JSON and YAML shining bright,
The bootloader springs forth with glee,
Routes serve specs for all to see,
OpenAPI blooms—what a delight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding Swagger/OpenAPI documentation support to the spiral-emit proof-of-concept application for future cross-implementations.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch spiral-swagger

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@poc/spiral-emit/app/src/Application/Bootloader/RoutesBootloader.php`:
- Around line 61-71: The three public documentation routes ('swagger-ui',
'swagger-json', 'swagger-yaml') in RoutesBootloader (actions on
DocumentationController::class methods html/json/yaml) are currently
unprotected; gate their registration by environment and/or require an auth
middleware so they are not exposed in production. Modify RoutesBootloader::boot
(or the block where $routes->add(...) is called) to conditionally register these
routes only when the app is in a non-production environment (e.g. check APP_ENV
or a config flag) or attach an authentication/authorization middleware (or a
guard service) to those routes that validates user identity/role before
dispatching to DocumentationController::html/json/yaml.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: a292cfd1-17e9-4e8f-92bc-7c986d895ecd

📥 Commits

Reviewing files that changed from the base of the PR and between 2f36f15 and 64a865f.

⛔ Files ignored due to path filters (1)

• poc/spiral-emit/composer.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• poc/spiral-emit/app/config/swagger.php
• poc/spiral-emit/app/src/Application/Bootloader/RoutesBootloader.php
• poc/spiral-emit/app/src/Application/Kernel.php
• poc/spiral-emit/app/src/Endpoint/Web/HomeController.php
• poc/spiral-emit/composer.json

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Protect docs endpoints outside development.

These routes are publicly exposed without access control. Gate them by environment and/or auth to avoid leaking full API schema in production.

Suggested fix

 #[Override]
 protected function defineRoutes(RoutingConfigurator $routes): void
 {
+    if (!env('DEBUG', false)) {
+        return;
+    }
+
     $routes
         ->add('swagger-ui', '/api/docs')
         ->action(DocumentationController::class, 'html');

     $routes
         ->add('swagger-json', '/api/docs.json')
         ->action(DocumentationController::class, 'json');

     $routes
         ->add('swagger-yaml', '/api/docs.yaml')
         ->action(DocumentationController::class, 'yaml');

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@poc/spiral-emit/app/src/Application/Bootloader/RoutesBootloader.php` around
lines 61 - 71, The three public documentation routes ('swagger-ui',
'swagger-json', 'swagger-yaml') in RoutesBootloader (actions on
DocumentationController::class methods html/json/yaml) are currently
unprotected; gate their registration by environment and/or require an auth
middleware so they are not exposed in production. Modify RoutesBootloader::boot
(or the block where $routes->add(...) is called) to conditionally register these
routes only when the app is in a non-production environment (e.g. check APP_ENV
or a config flag) or attach an authentication/authorization middleware (or a
guard service) to those routes that validates user identity/role before
dispatching to DocumentationController::html/json/yaml.

[thumbrise]

@coderabbitai --help flag never must be protected. Operations are the same way

[coderabbitai]

@thumbrise, understood — the philosophy is that API documentation endpoints are inherently informational (like a --help flag), and gating them would be counterproductive. Acknowledged, and I've noted this for future reviews.

(ʕ •ᴥ•ʔ) 🐇📖

---

✏️ Learnings added

Learnt from: thumbrise
Repo: thumbrise/op PR: 37
File: poc/spiral-emit/app/src/Application/Bootloader/RoutesBootloader.php:61-71
Timestamp: 2026-05-19T21:43:51.069Z
Learning: In the thumbrise/op repository (poc/spiral-emit, Spiral PHP framework), documentation/OpenAPI routes such as `/api/docs`, `/api/docs.json`, and `/api/docs.yaml` are intentionally left publicly accessible without auth guards or environment gating. The project's philosophy is that API docs are informational — equivalent to a CLI `--help` flag — and must never be protected. Do not flag these routes as a security concern in future reviews.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: thumbrise
Repo: thumbrise/op PR: 32
File: poc/spiral-emit/app/src/Modules/OPSpiral/Infrastructure/Internal/Reflection/DocBlockSummaryReader.php:22-25
Timestamp: 2026-05-18T11:08:49.754Z
Learning: Follow the repo’s “fail fast” rule: do not silently swallow exceptions in PHP code (e.g., `catch` blocks that just `return ""`/empty values without reporting or rethrowing). Instead, let exceptions propagate so failures surface immediately; if you must catch, rethrow (optionally wrapping with additional context) or handle explicitly in a way that preserves correctness, rather than masking errors with empty/default return values (as in `DocBlockSummaryReader`).