hypercall_api/

openapi.rs

use utoipa::{
    openapi::security::{ApiKey, ApiKeyValue, Http, HttpAuthScheme, SecurityScheme},
    Modify, OpenApi,
};

use std::collections::{BTreeSet, VecDeque};

#[derive(utoipa::ToSchema)]
#[schema(as = ApiResponse)]
#[allow(dead_code)]
struct OpenApiApiResponse {
    success: bool,
    data: Option<serde_json::Value>,
    error: Option<String>,
}

/// Security addon for authentication schemes
pub struct SecurityAddon;

impl Modify for SecurityAddon {
    fn modify(&self, openapi: &mut utoipa::openapi::OpenApi) {
        if let Some(components) = openapi.components.as_mut() {
            // EIP-712 Signature Authentication (documented as Bearer for visibility)
            let mut http_auth = Http::new(HttpAuthScheme::Bearer);
            http_auth.bearer_format = Some("EIP-712".to_string());
            http_auth.description = Some(
                "EIP-712 typed signature authentication. Include 'wallet', 'nonce', \
                 and 'signature' fields in the request body."
                    .to_string(),
            );
            components.add_security_scheme("eip712_signature", SecurityScheme::Http(http_auth));

            // Wallet Query Parameter (for read endpoints)
            components.add_security_scheme(
                "wallet_query",
                SecurityScheme::ApiKey(ApiKey::Query(ApiKeyValue::new("wallet"))),
            );

            // Admin API Key (for monitoring endpoints)
            components.add_security_scheme(
                "admin_key",
                SecurityScheme::ApiKey(ApiKey::Header(ApiKeyValue::new("X-Admin-Key"))),
            );
        }
    }
}

#[derive(OpenApi)]
#[openapi(
    info(
        title = "Hypercall Trading API",
        version = "0.0.1",
        description = "Options and perpetuals trading API with EIP-712 signature authentication.\n\n\
            ## Base URLs\n\n\
            - **Testnet**: `https://testnet-api.hypercall.xyz`\n\
            - **Production**: `https://api.hypercall.xyz`\n\n\
            ## Content Types\n\n\
            - **Requests**: `application/json` for write endpoints\n\
            - **Responses**: `application/json`\n\n\
            ## Authentication\n\n\
            ### EIP-712 Signature (Write Operations)\n\n\
            Write operations require an EIP-712 typed signature in the request body:\n\
            - `wallet`: The wallet address performing the action\n\
            - `nonce`: Unique nonce for replay protection\n\
            - `signature`: EIP-712 signature from wallet owner or authorized agent\n\n\
            **Bulk endpoints** verify signatures per-item in the handler (not via middleware).\n\n\
            ### Wallet Query Parameter (Read Operations)\n\n\
            Read endpoints are public and accept query parameters (including `wallet`) without proof of ownership. \
            No ownership verification for read endpoints; treat as sensitive data.\n\n\
            ### Agent Authorization\n\n\
            A signer is authorized if:\n\
            - `signer == wallet` (direct signing), OR\n\
            - Signer has been approved via `POST /approve-agent` for the wallet (engine-owned state, read from lock-free snapshot)\n\n\
            ## Price and Size Encoding\n\n\
            **For signed endpoints**:\n\
            - `price` and `size` **MUST be strings** in JSON\n\
            - Must match exactly what was signed (string formatting matters)\n\
            - Price must have ≤ 5 significant figures\n\n\
            **Size conversion**: Human-readable size → contract units: `(size * 1_000_000) as u64` (truncates)\n\n\
            **Orderbook size units**: `/orderbook`, `/expiry-summary`, and WebSocket `OrderbookUpdate` sizes are human-readable contracts.\n\n\
            ## Symbol Format\n\n\
            Options symbols: `UNDERLYING-YYYYMMDD-STRIKE-(C|P)`\n\n\
            Also accepts Deribit-style expiry `DDMMMYY` (e.g., `BTC-30AUG25-95000-C`)\n\n\
            ## Time in Force\n\n\
            - `gtc`: Good Till Cancelled\n\
            - `ioc`: Immediate or Cancel\n\
            - `fok`: Fill or Kill\n\n\
            ## Rate Limits\n\n\
            Rate limiting is not enforced; self-throttle as needed.",
        license(name = "Proprietary"),
        contact(name = "Hypercall", url = "https://hypercall.xyz")
    ),
    servers(
        (url = "https://testnet-api.hypercall.xyz", description = "Testnet"),
        (url = "https://api.hypercall.xyz", description = "Production"),
    ),
    tags(
        (name = "Health", description = "Health check and readiness endpoints for monitoring and load balancers."),
        (name = "Markets", description = "Market data, instruments, orderbooks, and greeks. Public endpoints with no authentication required."),
        (name = "Trading", description = "Order placement and cancellation. Requires EIP-712 signature authentication. Price and size must be strings for signature verification."),
        (name = "Portfolio", description = "Account portfolio, open orders, and trade history. Public endpoints accepting wallet query parameter."),
        (name = "MMP", description = "Market Maker Protection configuration. Allows setting limits on cumulative delta, vega, and quantity within a time window to automatically freeze trading."),
        (name = "Admin", description = "User tier management (tier1/tier2) and margin mode selection (standard/portfolio)."),
        (name = "Agents", description = "Agent authorization management. Allows delegating signing authority to agent wallets."),
        (name = "Competition", description = "Competition lifecycle, leaderboard rankings, and profile competition stats."),
        (name = "WebSocket", description = "Real-time data streaming via WebSocket.\n\n\
            ## Connection\n\n\
            Connect to `ws://HOST/ws` (or `wss://` for TLS). Query parameters:\n\
            - `wallet` (optional): Wallet address for authenticated channels\n\n\
            ## Message Format\n\n\
            All messages are JSON with a `type` field.\n\n\
            ### Client Messages\n\n\
            **Subscribe**: `{\"type\": \"Subscribe\", \"channel\": \"orderbook\"}`\n\n\
            **Subscribe (options chain with filters)**: `{\"type\": \"Subscribe\", \"channel\": \"options_chain\", \"symbols\": [\"BTC-20260331-100000-C\"], \"expiry\": \"2026-03-31\", \"option_type\": \"both\"}`\n\n\
            **Unsubscribe**: `{\"type\": \"Unsubscribe\", \"channel\": \"orderbook\"}`\n\n\
            **Unsubscribe (options chain with filters)**: `{\"type\": \"Unsubscribe\", \"channel\": \"options_chain\", \"symbols\": [\"BTC-20260331-100000-C\"], \"expiry\": \"2026-03-31\", \"option_type\": \"both\"}`\n\n\
            For `options_chain`, all filter fields are optional. `symbols` supports multiple symbols, `expiry` uses `YYYY-MM-DD`, and `option_type` is `call|put|both`.\n\n\
            ### Available Channels\n\n\
            | Channel | Auth | Description |\n\
            |---------|------|-------------|\n\
            | `orderbook` | No | L2 orderbook updates (all symbols) |\n\
            | `options_chain` | No | Incremental options chain updates |\n\
            | `trades` | No | Public trade feed |\n\
            | `market_updates` | No | Market listing changes |\n\
            | `candles:<UNDERLYING>:<RESOLUTION>` | No | Realtime underlying candle updates |\n\
            | `order_updates` | Yes | Your order status changes |\n\
            | `fills` | Yes | Your trade fills |\n\
            | `portfolio` | Yes | Your position/balance updates |\n\
            | `liquidation` | Yes | Your liquidation state changes |\n\
            | `competition` | Yes | Your competition rank/final stats |\n\
            | `competition_engagement` | Yes | Your rank jumps, gap-to-next, and final standing |\n\n\
            ### Server Messages\n\n\
            **Subscribed**: `{\"type\": \"Subscribed\", \"channel\": \"orderbook\"}`\n\n\
            **OrderbookUpdate**: `{\"type\": \"OrderbookUpdate\", \"symbol\": \"BTC-...\", \"option_token_address\": \"0x...\", \"bids\": [[price, size]], \"asks\": [[price, size]], \"timestamp\": 123}`\n\n\
            **OptionsChainUpdate (Upsert)**: `{\"type\": \"OptionsChainUpdate\", \"action\": \"Upsert\", \"currency\": \"BTC\", \"expiry\": 1774944000, \"row\": {\"strike\": 100000.0, \"call\": {\"symbol\": \"BTC-20260331-100000-C\", \"bid_price_usd\": 100.0, \"ask_price_usd\": 101.0}, \"put\": null}, \"timestamp\": 123}`\n\n\
            **OptionsChainUpdate (Remove)**: `{\"type\": \"OptionsChainUpdate\", \"action\": \"Remove\", \"currency\": \"BTC\", \"expiry\": 1774944000, \"strike\": 100000.0, \"option_type\": \"call\", \"symbol\": \"BTC-20260331-100000-C\", \"timestamp\": 124}`\n\n\
            **Trade**: `{\"type\": \"Trade\", \"symbol\": \"BTC-...\", \"price\": \"100.5\", \"size\": \"1.0\", \"side\": \"buy\", \"timestamp\": 123}`\n\n\
            **CandleUpdate**: `{\"type\": \"CandleUpdate\", \"underlying\": \"BTC\", \"resolution\": \"1m\", \"start_time_ms\": 123, \"end_time_ms\": 456, \"open\": 100.0, \"high\": 101.0, \"low\": 99.0, \"close\": 100.5, \"volume\": 12.3}`\n\n\
            **OrderUpdate**: `{\"type\": \"OrderUpdate\", \"order_id\": 123, \"status\": \"filled\", ...}`\n\n\
            **Fill**: `{\"type\": \"Fill\", \"order_id\": 123, \"fill_id\": 456, \"price\": \"100.5\", \"size\": \"1.0\", ...}`\n\n\
            **PortfolioUpdate**: `{\"type\": \"PortfolioUpdate\", \"wallet\": \"0x...\", \"positions\": {...}, \"balance\": {...}}`\n\n\
            **CompetitionRankChange**: `{\"type\": \"CompetitionRankChange\", \"wallet_address\": \"0x...\", \"competition_id\": 12, \"from_rank\": 20, \"to_rank\": 17, \"delta_places\": 3, \"pnl\": \"125.5\", \"timestamp\": 123}`\n\n\
            **CompetitionGapUpdate**: `{\"type\": \"CompetitionGapUpdate\", \"wallet_address\": \"0x...\", \"competition_id\": 12, \"rank\": 17, \"next_rank\": 16, \"gap_metric_value\": \"200\", \"timestamp\": 123}` (gap measured in the competition's `primary_win_condition` metric)\n\n\
            **CompetitionFinalStanding**: `{\"type\": \"CompetitionFinalStanding\", \"wallet_address\": \"0x...\", \"competition_id\": 12, \"rank\": 2, \"pnl\": \"320.1\", \"volume\": \"1500\", \"efficiency\": \"0.2134\", \"medal\": 2, \"timestamp\": 123}`\n\n\
            **Error**: `{\"type\": \"Error\", \"message\": \"...\"}`"),
        (name = "Username", description = "Wallet display-name management. Public lookup by wallet or username; authenticated set/delete via EIP-712 signature."),
        (name = "Push Notifications", description = "Web Push subscription management. Register browser push subscriptions to receive fill and liquidation notifications even when the app is not open."),
        (name = "Monitoring", description = "System integrity and debugging endpoints. Protected by X-Admin-Key header.")
    ),
    modifiers(&SecurityAddon),
    paths(
        // Health
        crate::handlers::health::health,
        crate::handlers::health::version,
        crate::handlers::health::ready,
        // Markets
        crate::handlers::account::get_trades,
        crate::handlers::account::get_markets,
        crate::handlers::market_data::get_instruments,
        crate::handlers::market_data::get_instrument_specs,
        crate::handlers::market_data::get_options_summary,
        crate::handlers::options_chain::get_options_chain,
        crate::handlers::market_data::get_expiry_summary,
        crate::handlers::options_chain::get_orderbook,
        crate::handlers::gas_provider::get_gas_provider,
        crate::handlers::candles::get_candles,
        crate::handlers::greeks::get_greeks,
        crate::handlers::historical_theos::get_historical_theos,
        crate::handlers::historical_theos::get_historical_theos_batch,
        // Portfolio
        crate::handlers::account::get_portfolio,
        crate::handlers::greeks::get_portfolio_greeks,
        crate::handlers::account::get_fills,
        crate::handlers::historical_pnl::get_historical_pnl,
        crate::handlers::settlement::get_settlement_payouts,
        crate::handlers::settlement::mark_settlement_payouts_seen,
        crate::handlers::competition::list_competitions,
        crate::handlers::competition::get_competition,
        crate::handlers::competition::get_competition_leaderboard,
        crate::handlers::competition::get_profile,
        crate::handlers::competition::get_profile_trades,
        crate::handlers::profile_image::set_profile_image,
        // Trading
        crate::handlers::account::get_orders,
        crate::handlers::orders::place_order,
        crate::handlers::orders::cancel_order,
        crate::handlers::orders::cancel_order_by_cloid,
        crate::handlers::bulk_orders::bulk_place_order,
        crate::handlers::replace_orders::replace_order,
        crate::handlers::replace_orders::bulk_replace_order,
        crate::handlers::bulk_orders::bulk_cancel_order,
        crate::handlers::bulk_orders::bulk_cancel_order_by_cloid,
        // MMP
        crate::handlers::admin::get_mmp_config,
        crate::handlers::admin::set_mmp_config,
        crate::handlers::admin::delete_mmp_config,
        crate::handlers::admin::reset_mmp,
        // Admin
        crate::handlers::admin::get_user_tier,
        crate::handlers::admin::set_user_tier,
        crate::handlers::admin::delete_user_tier,
        crate::handlers::account::set_margin_mode,
        // Username
        crate::handlers::username::get_username,
        crate::handlers::username::set_username,
        crate::handlers::username::delete_username,
        // Agents
        crate::handlers::agents::approve_agent,
        crate::handlers::agents::revoke_agent,
        crate::handlers::agents::get_authorized_agents,
        // Push Notifications
        crate::handlers::push::push_subscribe,
        crate::handlers::push::push_unsubscribe,
        crate::handlers::push::push_preferences,
        // Admin / monitoring paths live in the `hypercall-admin` crate and are
        // merged in by the api-spec-exporter via `hypercall_admin::admin_openapi()`.
    ),
    components(schemas(
        // Core types
        hypercall_types::WalletAddress,
        OpenApiApiResponse,
        crate::models::InstrumentStatus,
        crate::models::Pagination,
        // Margin types (used in Portfolio)
        crate::models::MarginSummary,
        crate::models::SpanMarginSummary,
        // Response types from models.rs
        crate::models::TradeApiResponse,
        crate::models::Portfolio,
        crate::models::PositionWithMetrics,
        crate::models::Position,
        crate::models::AccountBalance,
        crate::models::TradesResponse,
        crate::models::Pagination,
        crate::models::MarketsResponse,
        crate::models::MarketInfo,
        crate::models::Instrument,
        hypercall_types::InstrumentSpecResponse,
        crate::models::FillApiResponse,
        crate::models::FillsResponse,
        crate::models::CompetitionData,
        crate::models::CompetitionStateValue,
        crate::models::CompetitionSortByValue,
        crate::models::CompetitionSortOrderValue,
        crate::models::CompetitionWinConditionValue,
        crate::models::CompetitionsResponse,
        crate::models::CompetitionResponse,
        crate::models::LeaderboardRow,
        crate::models::ConnectedUserRank,
        crate::models::CompetitionLeaderboardResponse,
        crate::models::ProfileMarginStats,
        crate::models::ProfilePnlStats,
        crate::models::ProfileMetricMedals,
        crate::models::ProfileCompetitionRankSummary,
        crate::models::ProfileData,
        crate::models::ProfileResponse,
        crate::models::ProfileTradesResponse,
        crate::models::CompetitionUpsertRequest,
        crate::models::CompetitionUpdateRequest,
        crate::handlers::username::SetUsernameRequest,
        crate::handlers::username::UsernameResponse,
        crate::handlers::username::DeleteUsernameResponse,
        crate::handlers::profile_image::SetProfileImageRequest,
        crate::handlers::profile_image::SetProfileImageResponse,
        crate::handlers::settlement::SettlementPayoutsResponse,
        crate::handlers::settlement::SettlementPayoutEntry,
        hypercall_types::HistoricalPnlInterval,
        hypercall_types::HistoricalPnlPoint,
        hypercall_types::HistoricalPnlResponse,
        hypercall_types::HistoricalTheoInterval,
        hypercall_types::HistoricalTheoPoint,
        hypercall_types::HistoricalTheoResponse,
        crate::handlers::historical_pnl::HistoricalPnlApiResponse,
        crate::handlers::historical_theos::HistoricalTheoApiResponse,
        crate::handlers::historical_theos::BatchHistoricalTheoApiResponse,
        crate::handlers::settlement::SettlementPayoutSeenRequest,
        crate::handlers::settlement::SettlementPayoutSeenMutationResponse,
        crate::models::Order,
        crate::models::OrdersResponse,
        crate::models::MmpConfigData,
        crate::models::MmpConfigResponse,
        crate::models::UserTierData,
        crate::models::UserTierResponse,
        // Handler response types
        hypercall_types::InstrumentResponse,
        hypercall_types::TickSizeStep,
        crate::handlers::market_data::OptionSummary,
        crate::handlers::market_data::InstrumentWithOrderbook,
        crate::handlers::gas_provider::GasProviderErrorResponse,
        crate::handlers::gas_provider::GasProviderFeeTierResponse,
        crate::handlers::gas_provider::GasProviderResponse,
        crate::models::OptionsChainSnapshotResponse,
        crate::models::OptionsChainStrikeRow,
        crate::models::OptionsChainLeg,
        crate::models::OptionsChainGreeksAbs,
        crate::models::OptionsChainGreeksCash,
        crate::candles::CandleResolution,
        crate::candles::UnderlyingCandle,
        crate::candles::UnderlyingCandlesResponse,
        crate::handlers::candles::CandlesApiResponse,
        crate::handlers::candles::CandlesResponse,
        hypercall_types::OrderBookResponse,
        hypercall_types::OrderBookStats,
        hypercall_types::OrderBookGreeks,
        hypercall_types::ApproveAgentResponse,
        hypercall_types::RevokeAgentResponse,
        hypercall_types::AuthorizedAgentsResponse,
        // Request types from hypercall_types
        hypercall_types::PlaceOrderRequest,
        hypercall_types::CancelOrderRequest,
        hypercall_types::CancelOrderByCloidRequest,
        crate::handlers::bulk_orders::BulkPlaceOrderRequest,
        crate::handlers::bulk_orders::BulkPlaceOrderResponse,
        crate::handlers::bulk_orders::BulkCancelOrderRequest,
        crate::handlers::bulk_orders::BulkCancelOrderByCloidRequest,
        crate::handlers::bulk_orders::BulkCancelOrderResponse,
        crate::handlers::BulkOrderResult,
        hypercall_types::ReplaceOrderRequest,
        crate::handlers::replace_orders::BulkReplaceOrderRequest,
        crate::handlers::replace_orders::BulkReplaceOrderResponse,
        hypercall_types::ApproveAgentRequest,
        hypercall_types::RevokeAgentRequest,
        hypercall_types::MarketResponse,
        // Auth types
        hypercall_auth::SignatureRequest,
        // MMP and User Tier request types from models
        crate::models::SetMmpConfigRequest,
        crate::models::DeleteMmpConfigRequest,
        crate::models::ResetMmpRequest,
        crate::models::SetUserTierRequest,
        crate::models::DeleteUserTierRequest,
        crate::models::SetMarginModeRequest,
        crate::models::MarginModeResponse,
        hypercall_types::api_models::MarginModeApiResponse,
        // Shared message types
        hypercall_types::TimeInForce,
        hypercall_types::OrderInfo,
        hypercall_types::OrderUpdateMessage,
        hypercall_types::OrderUpdateStatus,
        hypercall_types::Market,
        hypercall_types::MarketUpdateMessage,
        hypercall_types::MarketUpdateStatus,
        hypercall_types::OptionType,
        // Orderbook types
        hypercall_types::Side,
        // Greeks types
        crate::handlers::greeks::GreeksResponse,
        crate::handlers::greeks::GreeksApiResponse,
        crate::handlers::greeks::PortfolioGreeksApiResponse,
        crate::models::PortfolioGreeksResponse,
        crate::models::PositionGreeksLeg,
        crate::models::PortfolioGreeksAggregate,
        crate::models::SimulatedGreeksOrder,
        // Admin / monitoring schemas live in the `hypercall-admin` crate and are
        // merged in by the api-spec-exporter via `hypercall_admin::admin_openapi()`.
        // Push notification types
        crate::handlers::push::PushSubscribeRequest,
        crate::handlers::push::PushSubscribeResponse,
        crate::handlers::push::PushUnsubscribeRequest,
        crate::handlers::push::PushUnsubscribeResponse,
        crate::handlers::push::PushPreferencesRequest,
        crate::handlers::push::PushPreferencesResponse,
        // Health response types
        crate::models::HealthResponse,
        crate::models::VersionResponse,
        crate::models::ReadyResponse,
        crate::models::ReadinessComponentReport,
    ))
)]
pub struct ApiDoc;

#[cfg(feature = "rsm-state")]
#[derive(OpenApi)]
#[openapi(
    paths(crate::handlers::rsm_rpc::rsm_rpc),
    components(schemas(
        hypercall_rsm_rpc::RsmRpcError,
        hypercall_rsm_rpc::RsmRpcRequest,
        hypercall_rsm_rpc::RsmRpcResponse,
    )),
    tags((name = "RSM", description = "Validator RSM block inspection JSON-RPC endpoint. Feature-gated behind rsm-state."))
)]
struct RsmApiDoc;

/// Tags considered internal-only (hidden from public API docs).
const HIDDEN_TAGS: &[&str] = &["Monitoring", "Admin"];

/// Returns the complete internal OpenAPI spec.
///
/// The testnet agent-authorization doc moved to `hypercall-admin`
/// (`TestEndpointsApiDoc` there, merged by `admin_openapi()` when its
/// `test-endpoints` feature is on).
pub fn internal_openapi() -> utoipa::openapi::OpenApi {
    #[cfg(not(feature = "rsm-state"))]
    {
        ApiDoc::openapi()
    }

    #[cfg(feature = "rsm-state")]
    {
        let mut spec = ApiDoc::openapi();
        spec.merge(RsmApiDoc::openapi());
        spec
    }
}

/// Returns the public OpenAPI spec with hidden tags filtered out.
pub fn public_openapi() -> utoipa::openapi::OpenApi {
    filter_hidden_tags(internal_openapi())
}

/// Normalizes schema refs that utoipa emits with Rust module prefixes.
pub fn normalize_openapi_schema_refs(mut json: String) -> String {
    json = json.replace(
        "#/components/schemas/crate.api_server.models.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/crate.boundary.",
        "#/components/schemas/",
    );
    json = json.replace("#/components/schemas/models.", "#/components/schemas/");
    json = json.replace("#/components/schemas/boundary.", "#/components/schemas/");
    // Boundary port traits moved into hypercall-runtime-api; their schemas are
    // still registered under short names, so strip the new module-qualified path.
    json = json.replace(
        "#/components/schemas/hypercall_runtime_api.boundary.engine.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/hypercall_runtime_api.boundary.read_models.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/hypercall_runtime_api.boundary.market_inputs.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/hypercall_types.api_models.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/super.models.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/crate.vol_oracle.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/hypercall_vol_oracle.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/crate.rsm.rpc.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/crate.rsm.engine_snapshot.",
        "#/components/schemas/",
    );
    json = json.replace(
        "#/components/schemas/hypercall_signer.",
        "#/components/schemas/",
    );
    json = json.replace("#/components/schemas/crate.", "#/components/schemas/");
    json
}

pub fn filter_hidden_tags(mut spec: utoipa::openapi::OpenApi) -> utoipa::openapi::OpenApi {
    // 1. Remove hidden operations, then remove path items with no visible operations.
    spec.paths.paths.retain(|_path, item| {
        item.operations.retain(|_method, op| {
            op.tags
                .as_ref()
                .is_none_or(|tags| tags.iter().any(|t| !HIDDEN_TAGS.contains(&t.as_str())))
        });

        !item.operations.is_empty()
    });

    // 2. Remove hidden tag definitions
    if let Some(tags) = spec.tags.as_mut() {
        tags.retain(|t| !HIDDEN_TAGS.contains(&t.name.as_str()));
    }

    // 3. Remove the admin_key security scheme (only used by hidden endpoints)
    if let Some(components) = spec.components.as_mut() {
        components
            .security_schemes
            .retain(|name, _| name != "admin_key");
    }

    // 4. Remove schemas that were only reachable from hidden paths. utoipa emits all
    // registered component schemas up front, so path filtering alone can leak
    // internal-only response/request shapes into the public spec.
    prune_unreachable_schemas(&mut spec);

    spec
}

fn prune_unreachable_schemas(spec: &mut utoipa::openapi::OpenApi) {
    let mut entrypoint =
        serde_json::to_value(&*spec).expect("OpenAPI document should serialize for schema pruning");
    if let Some(components) = entrypoint
        .get_mut("components")
        .and_then(serde_json::Value::as_object_mut)
    {
        components.insert(
            "schemas".to_string(),
            serde_json::Value::Object(Default::default()),
        );
        components.insert(
            "responses".to_string(),
            serde_json::Value::Object(Default::default()),
        );
    }

    let Some(components) = spec.components.as_mut() else {
        return;
    };

    if components.schemas.is_empty() {
        return;
    }

    let responses = serde_json::to_value(&components.responses)
        .expect("OpenAPI component responses should serialize");
    let schemas = serde_json::to_value(&components.schemas)
        .expect("OpenAPI component schemas should serialize");
    let original_schemas = components.schemas.clone();

    let mut reachable_schemas = BTreeSet::new();
    let mut pending_schemas = VecDeque::new();
    let mut reachable_responses = BTreeSet::new();
    let mut pending_responses = VecDeque::new();

    collect_component_refs(
        &entrypoint,
        &mut reachable_schemas,
        &mut pending_schemas,
        &mut reachable_responses,
        &mut pending_responses,
    );

    while let Some(response_name) = pending_responses.pop_front() {
        if let Some(response) = responses.get(&response_name) {
            collect_component_refs(
                response,
                &mut reachable_schemas,
                &mut pending_schemas,
                &mut reachable_responses,
                &mut pending_responses,
            );
        }
    }

    while let Some(schema_name) = pending_schemas.pop_front() {
        if let Some(schema) = schemas.get(&schema_name) {
            collect_component_refs(
                schema,
                &mut reachable_schemas,
                &mut pending_schemas,
                &mut reachable_responses,
                &mut pending_responses,
            );
        }
    }

    components.schemas.retain(|name, _schema| {
        reachable_schemas.contains(name)
            || reachable_schemas.contains(canonical_schema_ref_name(name))
    });

    restore_serialized_schema_refs(spec, &original_schemas);
}

fn restore_serialized_schema_refs(
    spec: &mut utoipa::openapi::OpenApi,
    original_schemas: &std::collections::BTreeMap<
        String,
        utoipa::openapi::RefOr<utoipa::openapi::schema::Schema>,
    >,
) {
    loop {
        let serialized = serde_json::to_value(&*spec)
            .expect("OpenAPI document should serialize for schema ref reconciliation");
        let mut referenced_schemas = BTreeSet::new();
        let mut pending_schemas = VecDeque::new();
        let mut referenced_responses = BTreeSet::new();
        let mut pending_responses = VecDeque::new();

        collect_component_refs(
            &serialized,
            &mut referenced_schemas,
            &mut pending_schemas,
            &mut referenced_responses,
            &mut pending_responses,
        );

        let Some(components) = spec.components.as_mut() else {
            return;
        };

        let mut restored = false;
        for schema_name in referenced_schemas {
            if components.schemas.contains_key(&schema_name) {
                continue;
            }

            if let Some(schema) = original_schemas.get(&schema_name) {
                components
                    .schemas
                    .insert(schema_name.to_string(), schema.clone());
                restored = true;
            } else if let Some((original_name, schema)) = original_schemas
                .iter()
                .find(|(name, _schema)| canonical_schema_ref_name(name) == schema_name)
            {
                components
                    .schemas
                    .insert(original_name.to_string(), schema.clone());
                restored = true;
            }
        }

        if !restored {
            break;
        }
    }
}

fn collect_component_refs(
    value: &serde_json::Value,
    reachable_schemas: &mut BTreeSet<String>,
    pending_schemas: &mut VecDeque<String>,
    reachable_responses: &mut BTreeSet<String>,
    pending_responses: &mut VecDeque<String>,
) {
    match value {
        serde_json::Value::Object(map) => {
            if let Some(ref_value) = map.get("$ref").and_then(serde_json::Value::as_str) {
                if let Some(name) = ref_value.strip_prefix("#/components/schemas/") {
                    let name = canonical_schema_ref_name(name).to_string();
                    if reachable_schemas.insert(name.clone()) {
                        pending_schemas.push_back(name);
                    }
                } else if let Some(name) = ref_value.strip_prefix("#/components/responses/") {
                    let name = name.to_string();
                    if reachable_responses.insert(name.clone()) {
                        pending_responses.push_back(name);
                    }
                }
            }

            for nested in map.values() {
                collect_component_refs(
                    nested,
                    reachable_schemas,
                    pending_schemas,
                    reachable_responses,
                    pending_responses,
                );
            }
        }
        serde_json::Value::Array(values) => {
            for nested in values {
                collect_component_refs(
                    nested,
                    reachable_schemas,
                    pending_schemas,
                    reachable_responses,
                    pending_responses,
                );
            }
        }
        _ => {}
    }
}

fn canonical_schema_ref_name(name: &str) -> &str {
    name.strip_prefix("crate.api_server.models.")
        .or_else(|| name.strip_prefix("crate.boundary."))
        .or_else(|| name.strip_prefix("models."))
        .or_else(|| name.strip_prefix("boundary."))
        .or_else(|| name.strip_prefix("hypercall_types.api_models."))
        .or_else(|| name.strip_prefix("super.models."))
        .or_else(|| name.strip_prefix("crate.vol_oracle."))
        .or_else(|| name.strip_prefix("hypercall_vol_oracle."))
        .or_else(|| name.strip_prefix("crate.rsm.rpc."))
        .or_else(|| name.strip_prefix("crate.rsm.engine_snapshot."))
        .or_else(|| name.strip_prefix("hypercall_signer."))
        .or_else(|| name.strip_prefix("crate."))
        .unwrap_or(name)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn public_openapi_prunes_private_only_component_schemas() {
        let mut spec = ApiDoc::openapi();
        let mut private_path = spec
            .paths
            .paths
            .get("/gas-provider/{chain_id}")
            .expect("gas provider path should be present")
            .clone();
        for operation in private_path.operations.values_mut() {
            operation.tags = Some(vec!["Monitoring".to_string()]);
        }
        spec.paths
            .paths
            .insert("/monitoring/private-only-test".to_string(), private_path);

        let components = spec
            .components
            .as_mut()
            .expect("components should be present");
        let private_schema = components
            .schemas
            .get("GasProviderErrorResponse")
            .expect("gas provider error schema should be present")
            .clone();
        components
            .schemas
            .insert("PrivateOnlyTestSchema".to_string(), private_schema);

        let public =
            serde_json::to_value(filter_hidden_tags(spec)).expect("OpenAPI should serialize");

        assert!(public["paths"]["/monitoring/private-only-test"].is_null());
        assert!(public["components"]["schemas"]["PrivateOnlyTestSchema"].is_null());
    }

    #[test]
    fn public_openapi_excludes_engine_state_digest_when_route_is_hidden() {
        // The engine-state-digest path and its EngineStateDigest schema now live
        // in the `hypercall-admin` crate; the api public spec must not contain
        // them. (Hidden-tag filtering of the merged admin spec is exercised in
        // the api-spec-exporter.)
        let public = serde_json::to_value(public_openapi()).expect("OpenAPI should serialize");

        assert!(public["paths"]["/monitoring/engine-state-digest"].is_null());
        assert!(public["components"]["schemas"]["EngineStateDigest"].is_null());
    }

    #[test]
    fn public_openapi_keeps_export_normalized_refs_reachable() {
        let json = public_openapi()
            .to_pretty_json()
            .expect("OpenAPI should serialize");
        let public: serde_json::Value = serde_json::from_str(&normalize_openapi_schema_refs(json))
            .expect("normalized OpenAPI should parse as JSON");

        assert!(public["paths"]["/margin-mode"]["post"].is_object());
        assert!(public["components"]["schemas"]["MarginModeApiResponse"].is_object());
        assert!(public["components"]["schemas"]["EngineStateDigest"].is_null());
    }
}