Exclude snapshots/volumes endpoints, merge auth tests into Teams phase

Author: beran-t

openapi-public.yml

@@ -1266,79 +1266,6 @@ paths:
       operationId: postSandboxRefreshes
     servers:
     - *id006
-  /sandboxes/{sandboxID}/snapshots:
-    post:
-      description: Create a persistent snapshot from the sandbox's current state.
-        Snapshots can be used to create new sandboxes and persist beyond the original
-        sandbox's lifetime.
-      tags:
-      - sandboxes
-      security:
-      - ApiKeyAuth: []
-      parameters:
-      - $ref: '#/components/parameters/sandboxID'
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              properties:
-                name:
-                  type: string
-                  description: Optional name for the snapshot template. If a snapshot
-                    template with this name already exists, a new build will be assigned
-                    to the existing template instead of creating a new one.
-      responses:
-        '201':
-          description: Snapshot created successfully
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/SnapshotInfo'
-        '400':
-          $ref: '#/components/responses/400'
-        '401':
-          $ref: '#/components/responses/401'
-        '404':
-          $ref: '#/components/responses/404'
-        '500':
-          $ref: '#/components/responses/500'
-      operationId: postSandboxSnapshots
-    servers:
-    - *id006
-  /snapshots:
-    get:
-      description: List all snapshots for the team
-      tags:
-      - snapshots
-      security:
-      - ApiKeyAuth: []
-      parameters:
-      - name: sandboxID
-        in: query
-        required: false
-        schema:
-          type: string
-          description: Filter snapshots by source sandbox ID
-      - $ref: '#/components/parameters/paginationLimit'
-      - $ref: '#/components/parameters/paginationNextToken'
-      responses:
-        '200':
-          description: Successfully returned snapshots
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/SnapshotInfo'
-        '401':
-          $ref: '#/components/responses/401'
-        '500':
-          $ref: '#/components/responses/500'
-      operationId: listSnapshots
-    servers:
-    - *id006
   /v3/templates:
     post:
       description: Create a new template
@@ -1896,102 +1823,6 @@ paths:
       operationId: getTemplatesAlias
     servers:
     - *id006
-  /volumes:
-    get:
-      description: List all team volumes
-      tags:
-      - volumes
-      security:
-      - AccessTokenAuth: []
-      - ApiKeyAuth: []
-      responses:
-        '200':
-          description: Successfully listed all team volumes
-          content:
-            application/json:
-              schema:
-                type: array
-                items:
-                  $ref: '#/components/schemas/Volume'
-        '401':
-          $ref: '#/components/responses/401'
-        '500':
-          $ref: '#/components/responses/500'
-      operationId: listVolumes
-    post:
-      description: Create a new team volume
-      tags:
-      - volumes
-      security:
-      - AccessTokenAuth: []
-      - ApiKeyAuth: []
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/NewVolume'
-      responses:
-        '201':
-          description: Successfully created a new team volume
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Volume'
-        '400':
-          $ref: '#/components/responses/400'
-        '401':
-          $ref: '#/components/responses/401'
-        '500':
-          $ref: '#/components/responses/500'
-      operationId: postVolumes
-    servers:
-    - *id006
-  /volumes/{volumeID}:
-    get:
-      description: Get team volume info
-      tags:
-      - volumes
-      security:
-      - AccessTokenAuth: []
-      - ApiKeyAuth: []
-      parameters:
-      - $ref: '#/components/parameters/volumeID'
-      responses:
-        '200':
-          description: Successfully retrieved a team volume
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/Volume'
-        '401':
-          $ref: '#/components/responses/401'
-        '404':
-          $ref: '#/components/responses/404'
-        '500':
-          $ref: '#/components/responses/500'
-      operationId: getVolume
-    delete:
-      description: Delete a team volume
-      tags:
-      - volumes
-      security:
-      - AccessTokenAuth: []
-      - ApiKeyAuth: []
-      parameters:
-      - $ref: '#/components/parameters/volumeID'
-      responses:
-        '204':
-          description: Successfully deleted a team volume
-        '401':
-          $ref: '#/components/responses/401'
-        '404':
-          $ref: '#/components/responses/404'
-        '500':
-          $ref: '#/components/responses/500'
-      operationId: deleteVolume
-    servers:
-    - *id006
 components:
   securitySchemes:
     AccessTokenAuth:
@@ -3053,23 +2884,6 @@ components:
       enum:
       - running
       - paused
-    SnapshotInfo:
-      type: object
-      required:
-      - snapshotID
-      - names
-      properties:
-        snapshotID:
-          type: string
-          description: Identifier of the snapshot template including the tag. Uses
-            namespace/alias when a name was provided (e.g. team-slug/my-snapshot:default),
-            otherwise falls back to the raw template ID (e.g. abc123:default).
-        names:
-          type: array
-          items:
-            type: string
-          description: Full names of the snapshot template including team namespace
-            and tag (e.g. team-slug/my-snapshot:v2)
     Mcp:
       type: object
       description: MCP configuration for the sandbox
@@ -4133,27 +3947,6 @@ components:
           items:
             type: string
       type: object
-    Volume:
-      type: object
-      properties:
-        volumeID:
-          type: string
-          description: ID of the volume
-        name:
-          type: string
-          description: Name of the volume
-      required:
-      - volumeID
-      - name
-    NewVolume:
-      type: object
-      properties:
-        name:
-          type: string
-          description: Name of the volume
-          pattern: ^[a-zA-Z0-9_-]+$
-      required:
-      - name
 tags:
 - name: files
 - name: filesystem.Filesystem

scripts/generate_openapi_reference.py

@@ -1056,8 +1056,9 @@ def filter_paths(spec: dict[str, Any]) -> None:
     - Removes Supabase and AdminToken securityScheme definitions
     """
     # Remove excluded paths
-    excluded_prefixes = ("/access-tokens", "/api-keys")
-    excluded_exact = {"/v2/sandboxes/{sandboxID}/logs", "/init"}
+    excluded_prefixes = ("/access-tokens", "/api-keys", "/volumes", "/snapshots")
+    excluded_exact = {"/v2/sandboxes/{sandboxID}/logs", "/init",
+                      "/sandboxes/{sandboxID}/snapshots"}
     to_remove = [
         p for p in spec["paths"]
         if p.startswith(excluded_prefixes) or p in excluded_exact
@@ -1071,7 +1072,7 @@ def filter_paths(spec: dict[str, Any]) -> None:
     for path in to_remove:
         del spec["paths"][path]
     if to_remove:
-        print(f"==> Removed {len(to_remove)} paths (volumes + admin)")
+        print(f"==> Removed {len(to_remove)} paths (volumes, snapshots, admin, internal)")
 
     # Strip supabase security entries from all operations
     for path_item in spec["paths"].values():

scripts/validate_api_reference.py

@@ -844,12 +844,15 @@ def _collect_refs(node, refs: set):
 
 def run_phase_1_teams(api_key: str, team_id: str | None, spec: dict,
                       access_token: str | None = None) -> list[EndpointResult]:
-    """Phase 1: Platform — Teams."""
+    """Phase 1: Platform — Teams (auth checks + teams read)."""
     results = []
     h = api_key_hdr(api_key)
 
+    # Auth tests: 401 for all endpoints without API key
+    results.extend(run_auth_tests(api_key))
+
     # GET /teams (requires AccessTokenAuth — Bearer token, not ApiKeyAuth)
-    print("\n  Phase 1: Platform — Teams")
+    print("\n  Teams")
     print("  GET /teams")
     ep = EndpointResult("GET", "/teams", surface="platform")
     if access_token:
@@ -2139,7 +2142,7 @@ def run_auth_tests(api_key: str) -> list[EndpointResult]:
     """Test 401 for all control plane endpoints without auth."""
     results = []
 
-    print("\n  Auth Tests: 401 for control plane without API key")
+    print("\n  401 checks (no API key)")
 
     endpoints = [
         ("GET", "/sandboxes", None),
@@ -2428,11 +2431,7 @@ def should_run(phase: int) -> bool:
         return phase_filter is None or phase_filter == phase
 
     try:
-        # Auth tests (always run)
-        if should_run(0):
-            all_results.extend(run_auth_tests(api_key))
-
-        # Phase 1: Teams
+        # Phase 1: Teams (includes 401 auth checks)
         if should_run(1):
             all_results.extend(run_phase_1_teams(api_key, team_id, spec, access_token=access_token))