feat(spec): validate webhookEndpoint format on PATCH /config

[jklein24]

Summary

Tightens the OpenAPI schema for webhookEndpoint on PATCH /config so SDK
clients and bundler-level validation reject obvious garbage URLs:

• format: uri
• pattern: ^https://
• minLength: 9
• Description clarifies acceptable values

Why

The error audit (parent epic AT-5324) found the server currently accepts
not-a-url, http://..., https://localhost:..., and empty string for
webhookEndpoint with HTTP 200. Spec-side tightening helps SDKs catch this
early; the server-side validation fix is tracked in AT-5334.

Test plan

• make build clean
• make lint clean
• Reviewer to verify generated bundle in mintlify/openapi.yaml and
  confirm the description renders correctly in docs preview.

Refs AT-5334

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
grid-flow-builder	Ready	Preview, Comment	May 23, 2026 4:27am

[jklein24]

• feat(spec): validate webhookEndpoint format on PATCH /config #496 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

✱ Stainless preview builds for grid

This PR will update the grid SDKs with the following commit messages.

cli

docs(api): add usage documentation for webhook-endpoint parameter

csharp

docs(api): add documentation for webhook_endpoint in config

go

fix(types): add URI format validation to webhook_endpoint in config update

kotlin

docs(api): improve webhookEndpoint parameter docs in config

openapi

feat(types): add validation constraints to webhookEndpoint field

php

docs(api): document webhook_endpoint parameter in config

python

docs(api): add webhook_endpoint parameter documentation to config update

ruby

docs(api): document webhook_endpoint parameter in config

typescript

docs(api): add webhookEndpoint parameter description in config

Edit this comment to update them. They will appear in their respective SDK's changelogs.

✅ grid-cli studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ❗ → lint ❗ → test ❗

✅ grid-go studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ✅ → lint ❗ → test ❗

go get github.com/stainless-sdks/grid-go@9f32be755ec2533370b6b208e705c00dcda4b127

✅ grid-openapi studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗

✅ grid-ruby studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ✅ → lint ❗ → test ✅

✅ grid-typescript studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ❗ → lint ❗ → test ❗

✅ grid-kotlin studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ✅ → lint ✅ → test ❗

✅ grid-python studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → build ✅ → lint ✅ → test ✅

pip install https://pkg.stainless.com/s/grid-python/fe48c5ee1e413796440bb07c761515ff9136e198/grid-0.0.1-py3-none-any.whl

✅ grid-php studio · code · diff

Your SDK build had at least one "error" diagnostic, but this did not represent a regression.
generate ❗ → lint ✅ (prev: lint ❗) → test ✅

⏳ grid-csharp studio · code · diff

generate ❗ → build ❗ → lint ❗ → test ⏳

⏳ These are partial results; builds are still running.

---

This comment is auto-generated by GitHub Actions and is automatically kept up to date as you push.
If you push custom code to the preview branch, re-run this workflow to update the comment.
Last updated: 2026-05-23 04:34:25 UTC

[greptile-apps]

Greptile Summary

This PR adds format: uri, pattern: '^https://', minLength: 9, and a description to the webhookEndpoint field on PlatformConfigUpdateRequest, providing client-side validation hints that reject HTTP, empty strings, and raw hostnames before they reach the server. The source schema (openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml) is the authoritative edit, and both generated bundles (openapi.yaml, mintlify/openapi.yaml) are updated consistently via make build as expected.

• minLength: 9 is very permissive — it only blocks the bare https:// prefix (8 chars), allowing values like https://x. A value of 11+ would ensure at least a minimal host+TLD, and a complementary no-whitespace pattern would handle cases that format: uri misses in validators that treat format as annotation-only.
• Localhost and private-hostname blocking is deferred to server-side validation, which is clearly noted in the description and the PR.

Confidence Score: 4/5

Safe to merge — changes are additive spec annotations with no breaking effect on existing valid requests.

The source schema and both generated bundles are updated consistently. The constraints work as intended for common cases, but minLength:9 is loose enough to let obviously malformed values like https://x slip through, and format:uri may be treated as annotation-only by some validators, leaving whitespace-containing values unblocked on the client side.

openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml — the minLength value and format:uri reliability are worth a second look.

Important Files Changed

Filename	Overview
openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml	Adds format:uri, pattern, minLength, and description to webhookEndpoint — the source-of-truth change. Minor concern: minLength:9 is very permissive (allows https://x) and format:uri enforcement varies by validator.
openapi.yaml	Generated bundle updated consistently with the source schema change via make build; changes are correct and match the source.
mintlify/openapi.yaml	Mintlify bundle updated consistently with the source schema change; identical delta to openapi.yaml.

Sequence Diagram

sequenceDiagram
    participant Client as SDK / Client
    participant Spec as OpenAPI Schema Validator
    participant Server as Grid API Server

    Client->>Spec: "PATCH /config {webhookEndpoint: "..."}"
    alt Fails pattern (^https://) or minLength or format:uri
        Spec-->>Client: Validation error (rejected client-side)
    else Passes schema constraints
        Spec->>Server: Request forwarded
        Server-->>Client: 200 OK (or server-side error for localhost/private host)
    end

Loading

Prompt To Fix All With AI

Fix the following 2 code review issues. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 2
openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml:8-10
`minLength: 9` is derived from `len("https://") + 1 = 9`, which means `https://x` technically passes all three constraints (pattern, minLength, and loosely format:uri). The description already calls out that raw hostnames are rejected, but a value of `minLength: 11` would guarantee at least a minimal `host.tld` form. Consider either raising the value to match your shortest real-world endpoint or dropping it in favour of relying solely on `format: uri` + `pattern`.

```suggestion
    format: uri
    pattern: '^https://'
    minLength: 11
```

### Issue 2 of 2
openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml:8-9
`format: uri` enforcement is optional in JSON Schema Draft 2019-09 and later — validators are permitted to treat it as an annotation rather than a constraint. SDK generators that follow the spec loosely may skip it entirely, leaving `pattern: '^https://'` as the only reliably-enforced check. A string like `https://not a url` or `https:// spaces` would pass pattern + minLength but fail a strict URI parse. Adding `pattern: '^https://[^\s]+'` (or a stricter host regex) would give deterministic client-side rejection regardless of validator behaviour.

_{Reviews (1): Last reviewed commit: "feat(spec): validate webhookEndpoint for..." | Re-trigger Greptile}

[greptile-apps]

minLength: 9 is derived from len("https://") + 1 = 9, which means https://x technically passes all three constraints (pattern, minLength, and loosely format:uri). The description already calls out that raw hostnames are rejected, but a value of minLength: 11 would guarantee at least a minimal host.tld form. Consider either raising the value to match your shortest real-world endpoint or dropping it in favour of relying solely on format: uri + pattern.

Suggested change

	format: uri
	pattern: '^https://'
	minLength: 9
	format: uri
	pattern: '^https://'
	minLength: 11

Prompt To Fix With AI

This is a comment left during a code review.
Path: openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml
Line: 8-10

Comment:
`minLength: 9` is derived from `len("https://") + 1 = 9`, which means `https://x` technically passes all three constraints (pattern, minLength, and loosely format:uri). The description already calls out that raw hostnames are rejected, but a value of `minLength: 11` would guarantee at least a minimal `host.tld` form. Consider either raising the value to match your shortest real-world endpoint or dropping it in favour of relying solely on `format: uri` + `pattern`.

```suggestion
    format: uri
    pattern: '^https://'
    minLength: 11
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

format: uri enforcement is optional in JSON Schema Draft 2019-09 and later — validators are permitted to treat it as an annotation rather than a constraint. SDK generators that follow the spec loosely may skip it entirely, leaving pattern: '^https://' as the only reliably-enforced check. A string like https://not a url or https:// spaces would pass pattern + minLength but fail a strict URI parse. Adding pattern: '^https://[^\s]+' (or a stricter host regex) would give deterministic client-side rejection regardless of validator behaviour.

Prompt To Fix With AI

This is a comment left during a code review.
Path: openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml
Line: 8-9

Comment:
`format: uri` enforcement is optional in JSON Schema Draft 2019-09 and later — validators are permitted to treat it as an annotation rather than a constraint. SDK generators that follow the spec loosely may skip it entirely, leaving `pattern: '^https://'` as the only reliably-enforced check. A string like `https://not a url` or `https:// spaces` would pass pattern + minLength but fail a strict URI parse. Adding `pattern: '^https://[^\s]+'` (or a stricter host regex) would give deterministic client-side rejection regardless of validator behaviour.

How can I resolve this? If you propose a fix, please make it concise.

[jklein24]

Closing — the underlying defects (filed under epic AT-5324) are server-side runtime issues that need to be fixed in sparkcore, not here in the spec. These spec-level clarifications can be reopened as follow-ups once the server fixes land if still useful.