From ring-dev-team
Orchestrates adoption of the lib-commons Huma OpenAPI wrapper and RFC 9457 problem model in a Go service. Wires openapi.New/ServeSpec and problem.Install for standardized error handling and spec generation.
How this skill is triggered — by the user, by Claude, or both
Slash command
/ring-dev-team:adopting-lib-commons-huma-wrapperThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
- A Go service needs code-first OpenAPI 3.1 over Fiber (Huma) with RFC 9457 `application/problem+json` errors
application/problem+json errorsinternal/shared/adapters/openapi, shared/openapi, shared/humaerr, a hand-rolled huma.NewError override) and should move onto the shared lib-commons/v5/commons/net/http/{openapi,problem}You orchestrate. Agents implement. NEVER use Edit/Write/Bash on Go source files — all code changes go through Task(subagent_type="ring:backend-go"). TDD mandatory for implementation gates (RED → GREEN → REFACTOR). The orchestrator owns git (commit/push/PR/release) and NEVER commits without the user's go-ahead.
The wrapper is two packages in lib-commons/v5 (minimum v5.6.0):
| Alias | Import Path | Purpose |
|---|---|---|
openapi | github.com/LerianStudio/lib-commons/v5/commons/net/http/openapi | Config, New (builds the humafiber API), DeclareBearerAuth, ServeSpec |
problem | github.com/LerianStudio/lib-commons/v5/commons/net/http/problem | Install (global huma.NewError override), MapError, Detail, BaseURI |
openapi.New(app, group, cfg) constructs the Fiber-v2 Huma API via humafiber.NewV2WithGroup (the default humafiber.New targets Fiber v3 — wrong major), strips Transformers/OnAddOperation/CreateHooks, and clears the auto-mounted /openapi.json + /docs (auto-mount is a latent production exposure — the spec must be served explicitly and gated). Config{Title, Version, Description, Servers}.
openapi.ServeSpec(app, api, logger, prefix, title) mounts {prefix}/openapi.json, {prefix}/openapi.yaml, {prefix}/docs (Scalar UI). It normalizes prefix (leading slash, no trailing) and HTML-escapes the docs-page title and spec URL. Gate this behind the service's Swagger.Enabled flag — never serve unconditionally.
openapi.DeclareBearerAuth(api) registers the BearerAuth security scheme component (components.securitySchemes) so Security references resolve — it does NOT attach the requirement to anything. The scheme component alone advertises ZERO secured operations. To make the spec say "auth required" you MUST also attach a requirement, one of:
api.OpenAPI().Security = []map[string][]string{{"BearerAuth": {}}} right after openapi.New.Security: []map[string][]string{{"BearerAuth": {}}} on each huma.Operation.DeclareBearerAuth without a requirement is the classic regression: a JWT-enforced API whose spec advertises every endpoint as public. Public endpoints (no auth middleware at runtime) must override the global default with an explicit empty requirement: Security: []map[string][]string{} on the operation — a non-nil empty slice, which Huma renders as security: [] because Operation.Security marshals with omitNil (Go json:"...,omitempty" would drop it and silently re-inherit the global default). Getting this wrong makes the spec lie about which routes need a token — see also the constraint-as-validation caveat under Dependency facts.
problem.Install() is the crux. It is a sync.Once override of the process-global huma.NewError, so EVERY error Huma builds — domain errors via MapError and the framework's own validation/404/422 errors — becomes a *problem.Detail. Merge semantics:
"internal error", NO errs folded. This is the central info-leak guard — even a careless huma.Error500(rawErr.Error()) cannot leak an internal cause.msg passes through and errs fold into Errors[] in order (skip nil, honor huma.ErrorDetailer) — native 422 field errors are preserved.problem.MapError(err, codeOf, statusOf, fallbackCode) is the per-rail flex seam — the one place each service injects its own taxonomy:
codeOf func(error) (code, msg string, ok bool) — extract a domain code; ok=false → unrecognized → sanitized 500 carrying fallbackCode.statusOf func(code string) int — map code → HTTP status.fallbackCode — code carried when the error is nil/unrecognized."SPB-9000"); a bare service passes an empty fallback and code is dropped (omitempty).problem.Detail embeds huma.ErrorModel + an omitempty Code. Services that never set a code emit a bare RFC 9457 body; coded errors mapped through MapError carry the machine code in Code + a flat Type URI (BaseURI + "/" + code). Type is set only on the MapError coded path — framework-built errors (native 422/404 via Install) keep Type at about:blank with empty Code.
danielgtaylor/huma/v2 v2.38.0 at v5.6.0). A mismatch is module-graph skew that the security-scan/SBOM gate will flag.humafiber drags gofiber/fiber/v3 as an indirect dep — this is EXPECTED, not a bug. humafiber is one package importing both Fiber majors; Go compiles the whole package, so importing it for the v2 funcs pulls v3 into the graph. Only the v2 path compiles into the binary. govulncheck stays quiet (v3 unreachable); Trivy/SBOM may flag future fiber/v3 CVEs — a waivable false positive, NOT a reason to avoid the wrapper.*fiber.App via app.Test, not humatest (the humatest adapter diverges on Unwrap).minLength/maxLength/minItems/maxItems/minimum/maximum/pattern/enum are enforced by Huma at the framework layer — a violating request is rejected with a 422 before the handler runs. Adding one to "make the spec match the runtime limit" silently relocates rejection from the handler (its domain 400/coded error) to Huma's 422, changing the error contract and making the handler's coded path unreachable for that field. The runtime limit is usually already enforced by a validate: tag (go-playground); duplicating it as a Huma constraint moves the enforcement layer. Treat constraint tags as a behavioral change (needs error-contract + test updates), never a doc-only edit. By contrast doc:/example: tags ARE pure documentation and safe to add freely. Decisive test: if a unit test's expected status flips, it's behavioral.Mandatory agent instruction (include in EVERY dispatch):
Use the canonical imports
github.com/LerianStudio/lib-commons/v5/commons/net/http/openapiand.../problem. Do NOT reintroduce a local openapi/humaerr wrapper or a hand-rolledhuma.NewErroroverride —problem.Install()owns that globally.problem.Install()MUST be called before ANY Huma operation is registered, on BOTH the runtime API and any spec-gen API, or the runtime error bodies and the committed spec diverge. Match the huma version the pinned lib-commons uses (v2.38.0 @ v5.6.0). The indirectfiber/v3is expected — do not try to remove it. Serve the spec only viaopenapi.ServeSpec, gated on the Swagger-enabled flag. Never rely on Huma auto-mount. If the API uses bearer auth,DeclareBearerAuthalone advertises nothing — attach a security requirement (globalapi.OpenAPI().Securitydefault or per-op) and override genuinely-public ops withSecurity: []map[string][]string{}. Make the generated spec rich, not hollow:doc:+example:tags on request/response DTO fields, andinfo.Contact/info.License+ top-levelTags(with descriptions) on the document. Do NOT addminLength/maxLength/maxItemsetc. as a doc gesture — those are enforced validation (see Dependency facts). Preserve the service's existing per-rail code taxonomy verbatim — only rewire the wrapper call intoproblem.MapError. TDD: RED → GREEN → REFACTOR for every gate. Test viaapp.Test, not humatest.
| Gate | Name | Condition | Agent |
|---|---|---|---|
| 0 | Stack Detection + Compliance Audit | Always | Orchestrator |
| 1 | Codebase Analysis (HTTP + error focus) | Always | ring:codebase-explorer |
| 1.5 | Implementation Preview | Always | ring:visualizing |
| 2 | lib-commons v5.6.0+ + huma version alignment | Always | ring:backend-go |
| 3 | openapi.New + problem.Install on BOTH paths | Always | ring:backend-go |
| 4 | Per-rail problem.MapError wiring | Skip only if zero domain-error mapping (bare framework errors only) | ring:backend-go |
| 5 | ServeSpec (gated) + bearer auth (scheme + requirement + public overrides) | Always | ring:backend-go |
| 5.5 | Spec richness + document metadata (doc:/example:, contact/license/tags) | If the API advertises a spec to clients | ring:backend-go |
| 6 | Delete the local wrapper | Migration mode only (skip for greenfield) | ring:backend-go |
| 7 | Regenerate spec + prove rename-only | Always | ring:backend-go |
| 8 | Tests (build + unit -race + spec-drift gate) | Always | ring:backend-go |
| 9 | Code Review | Always | 9 defaults + triggered specialists |
| 10 | User Validation | Always | User |
| 11 | Release/pin discipline (cross-repo) | Only if the wrapper version is unreleased | Orchestrator + User |
Gates execute sequentially. Any surviving local wrapper or hand-rolled huma.NewError override = NON-COMPLIANT = gates cannot be skipped.
Orchestrator executes directly.
grep -n "lib-commons/v5" go.mod # version (need >= v5.6.0)
grep -n "danielgtaylor/huma" go.mod # huma version (match the lib build)
grep -rn "humafiber\|huma.Register\|huma.Get\|huma.Post" internal/ cmd/ # existing Huma usage
grep -rln "huma.NewError" internal/ cmd/ # hand-rolled overrides (must go)
grep -rn "shared/openapi\|shared/humaerr\|adapters/openapi" --include='*.go' . # LOCAL wrapper (migration mode)
grep -rn "swaggo\|gofiber/swagger\|// @" --include='*.go' . docs/ # legacy swaggo (migrating from 2.0)
grep -rn "ServeSpec\|openapi.New\|problem.Install" internal/ cmd/ # already partially adopted?
grep -rn "Swagger.Enabled\|SWAGGER_ENABLED" internal/ # the serving gate flag
Mode detection:
openapi/humaerr package or a hand-rolled huma.NewError override exists → Gate 6 runs.Compliance audit (if any Huma code detected):
problem.Install() present on the runtime path AND the spec-gen pathhuma.NewError overrideServeSpec, gated; no auto-mountEnsure go.mod requires lib-commons/v5 >= v5.6.0 and danielgtaylor/huma/v2 at the version that lib-commons build uses. go mod tidy; expect fiber/v3 to appear/stay indirect (expected). If validating against an unreleased wrapper version, use a local replace => ../lib-commons (see Gate 11) — never pin a pre-release for merge.
openapi.New + problem.Install — BOTH pathsThe single most common defect is wiring problem.Install() on only one path. Huma resolves the error response schema at operation-registration time, and Install swaps a process-global, so it must run before every huma.Register/Get/Post on:
cmd/huma-spec-style builder that writes the committed openapi.yaml).If the two disagree on whether Install ran, the served error bodies and the committed spec diverge. openapi.New itself registers no operations (auto-mount cleared), so the correct order is: api := openapi.New(...) → problem.Install() → register operations.
problem.MapErrorReplace the service's existing domain-error→HTTP translation with problem.MapError, preserving its code taxonomy verbatim. Wire codeOf/statusOf/fallbackCode:
codeOf reads the service's domain-error code, statusOf is its code→status table, fallbackCode is the house "unknown" code.fallbackCode; Code is omitted from the body.
Verify the mapped status semantics are unchanged from before (this gate is a rewire, not a re-design).ServeSpec (gated) + bearer auth (scheme + requirement + public overrides)Mount the spec via openapi.ServeSpec(app, api, logger, prefix, title) behind the Swagger-enabled flag. Confirm the served paths match the service's existing convention (no path drift).
If the API uses bearer auth, wiring it correctly is THREE steps, not one:
openapi.DeclareBearerAuth(api) before registration — registers the scheme component.api.OpenAPI().Security = []map[string][]string{{"BearerAuth": {}}} (one line, covers all ops, drift-safe) or per-operation Security on each huma.Operation.Security: []map[string][]string{} (non-nil empty → Huma renders security: []). Skipping this makes the spec claim a token is required where it isn't.Cross-check the spec's security against the real middleware chains: every op the spec marks secured must actually enforce auth at runtime, and every public route must carry the empty override. A spec that disagrees with the middleware is a contract bug, not cosmetics.
Only when the service advertises a spec to clients. A spec that lints but carries hollow schemas is low-value. Ensure:
doc: and example: tags on request/response DTO fields (the leaf structs Huma reflects — for a Body <Type> marker the leaf lives in the sibling DTO file, not the *_huma.go wrapper; only structs reachable from a registered huma.Register Input/Output or r.Schema(reflect.TypeOf(...)) are reflected, so tags on inert internal structs do nothing — confirm each example appears in the regenerated spec).info.Contact, info.License, document Servers (via openapi.Config.Servers), and a top-level Tags array whose entries carry descriptions covering every operation-tag string in use. Contact/License/Tags are set post-New (api.OpenAPI().Info/.Tags); like every spec mutation they must be applied identically on BOTH the runtime and spec-gen assembly paths if the service has two (the drift/byte-identity gate enforces this).minLength/maxLength/maxItems to "enrich" — those are enforced validation, not docs (see Dependency facts). doc:/example: are the documentation surface.Remove the local openapi/humaerr packages and any hand-rolled huma.NewError override. Then:
grep -rn for the old import paths/symbols → must be EMPTY in Go code.Regenerate the committed OpenAPI spec(s). The diff should be only the error-schema rename (ErrorModel→Detail, or a local ProblemDetail→Detail) + the additive code property + $ref re-targets. Do not trust the diff-stat — an alphabetical component re-sort inflates insert/delete counts. Prove rename-only with an order-independent comparison:
diff <(git show HEAD:path/to/openapi.yaml | sed 's/ProblemDetail/Detail/g' | sort) <(sort path/to/openapi.yaml)
# EMPTY => pure rename (HEAD+rename equals worktree as a line multiset)
Confirm/refresh the committed-spec drift gate so a stale spec fails CI.
Build + unit -race + the spec-drift gate. Error-policy assertions (the highest-value tests in the migration): a forced >=500 asserts detail == "internal error" AND Errors == nil (no leaked cause); a <500 validation error keeps its Errors[] field list. Note: huma.ErrorModel.Type is omitempty and is set only on the MapError coded path — assert type only on coded-domain responses, never on native 422/404 (where it stays about:blank/absent). Always assert title/status/detail/code.
Relevant only when this adoption rides an unreleased lib-commons wrapper change (you modified the wrapper too). The shared security-scan gate reds any PR pinned to a pre-release version. So:
replace => path/to/lib-commons (the require can lag; replace overrides resolution).replace, bump require to the stable tag (a stale require masked by a replace will break the build when the replace is removed — bump them together), go mod tidy && go mod verify.replace directives (module wiring within a multi-module repo) are fine and version-scoped; the gate targets pre-release versions, not the existence of a replace.| Severity | Criteria |
|---|---|
| CRITICAL | problem.Install() missing on the runtime OR spec-gen path (runtime/spec divergence); a surviving hand-rolled huma.NewError override or local wrapper still in the binary; a >=500 body leaking a raw cause (bypassing the central scrub) |
| HIGH | Per-rail MapError not wired (errors not RFC 9457); local wrapper not fully deleted (dangling refs / dead code); committed spec not regenerated (drift gate red); a consumer PR pinned to a pre-release lib-commons version (merge gate red); DeclareBearerAuth wired but NO security requirement attached (global or per-op) — the spec advertises every operation as unauthenticated while the runtime enforces JWT (the spec lies about the security contract); a genuinely-public route missing its Security: []map[string][]string{} override (spec demands a token the route doesn't); a Huma schema-constraint tag (minLength/maxLength/maxItems…) added as a doc gesture, silently moving rejection from the handler's 400 to Huma's 422 (error-contract change) |
| MEDIUM | huma version skew vs the lib-commons build (graph/SBOM flag); ServeSpec not gated on the Swagger flag (prod spec exposure); treating the indirect fiber/v3 as a bug to remove; a client-facing spec with hollow schemas — DTO fields lacking doc:/example: — or missing document metadata (contact / license / top-level tags with descriptions) |
| LOW | DeclareBearerAuth omitted entirely on a bearer API (scheme undocumented — less harmful than a scheme with no requirement, which actively misleads); asserting on the absent type field; spec Servers left unset when the service should advertise one |
Complementary: ring:using-lib-commons (the broader non-observability lib-commons surface; this wrapper lives under its commons/net/http)
Similar: ring:migrating-to-lib-systemplane, ring:migrating-to-lib-observability
Skills orchestrated:
npx claudepluginhub p/lerianstudio-ring-dev-team-dev-teamGenerates and validates OpenAPI specifications from codebase. Covers endpoint design, schema validation, and documentation generation.
Generates OpenAPI 3.0+ specs from existing API code, enhances with schemas/examples/errors, creates interactive docs/SDKs, and validates compliance.
Guides REST, GraphQL, and gRPC API design. Produces OpenAPI specs, GraphQL schemas, or proto definitions with versioning strategies and consistency validation.