From bc23f3be87fb2612d0c3eaa542d2e71f3c859c09 Mon Sep 17 00:00:00 2001
From: Jeremy Klein
Date: Fri, 22 May 2026 21:24:12 -0700
Subject: [PATCH] feat(spec): validate webhookEndpoint format on PATCH /config

Adds format:uri and pattern constraints to PlatformConfigUpdateRequest.webhookEndpoint so SDK clients and the bundler catch malformed URLs before they reach the server. The audit found the server currently accepts not-a-url, http://, localhost, and empty string. Server-side validation tracked separately.

Refs AT-5334
---
 mintlify/openapi.yaml | 8 ++++++++
 openapi.yaml | 8 ++++++++
 .../schemas/config/PlatformConfigUpdateRequest.yaml | 8 ++++++++
 3 files changed, 24 insertions(+)

diff --git a/mintlify/openapi.yaml b/mintlify/openapi.yaml
index 6a2a8401..15090ca1 100644
--- a/mintlify/openapi.yaml
+++ b/mintlify/openapi.yaml
@@ -8104,6 +8104,14 @@ components:
 example: mycompany.com
 webhookEndpoint:
 type: string
+ format: uri
+ pattern: ^https://
+ minLength: 9
+ description: |
+ HTTPS URL where Grid will POST webhook events. Must use the `https://` scheme;
+ `http://`, raw hostnames, and empty strings are rejected. Localhost and private
+ hostnames are not supported in production. To clear the webhook endpoint, omit
+ this field from the request rather than sending an empty string.
 example: https://api.mycompany.com/webhooks/uma
 supportedCurrencies:
 type: array
diff --git a/openapi.yaml b/openapi.yaml
index 6a2a8401..15090ca1 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -8104,6 +8104,14 @@ components:
 example: mycompany.com
 webhookEndpoint:
 type: string
+ format: uri
+ pattern: ^https://
+ minLength: 9
+ description: |
+ HTTPS URL where Grid will POST webhook events. Must use the `https://` scheme;
+ `http://`, raw hostnames, and empty strings are rejected. Localhost and private
+ hostnames are not supported in production. To clear the webhook endpoint, omit
+ this field from the request rather than sending an empty string.
 example: https://api.mycompany.com/webhooks/uma
 supportedCurrencies:
 type: array
diff --git a/openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml b/openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml
index 9222e4c1..da93c8bd 100644
--- a/openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml
+++ b/openapi/components/schemas/config/PlatformConfigUpdateRequest.yaml
@@ -5,6 +5,14 @@ properties:
 example: mycompany.com
 webhookEndpoint:
 type: string
+ format: uri
+ pattern: '^https://'
+ minLength: 9
+ description: |
+ HTTPS URL where Grid will POST webhook events. Must use the `https://` scheme;
+ `http://`, raw hostnames, and empty strings are rejected. Localhost and private
+ hostnames are not supported in production. To clear the webhook endpoint, omit
+ this field from the request rather than sending an empty string.
 example: https://api.mycompany.com/webhooks/uma
 supportedCurrencies:
 type: array
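Review bot: The added `pattern: '^https://'` with `minLength: 9` on `webhookEndpoint` only pins the scheme prefix, so `https://localhost`, a private or link-local address, or `https://` followed by a single space still validates, and many OpenAPI validators do not assert `format: uri` unless format checking is enabled. Because this is the URL the service will POST to, the description's "are rejected" reads as a server guarantee that the commit message says is not in place yet. I would reword it to say the schema rejects these values client-side, and leave destination checks (resolved address not loopback, private or link-local, re-checked at delivery time) to the server change. A tighter `pattern: '^https://[^\s/?#]+'` would at least require a non-empty host, and a `maxLength` would bound the stored value. Separately, omitting a field on a PATCH normally leaves the stored value unchanged, so the sentence on clearing the endpoint should be confirmed against the handler, or the schema should allow an explicit `null`. The same lines appear in the two bundled `openapi.yaml` hunks.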