AEP Compliance Gap Analysis & Implementation Plan

.spectral.yaml

@@ -12,3 +12,21 @@ rules:
       functionOptions:
         schema:
           type: object
+
+  aep-132-list-results-field:
+    description: List response array field must be named 'results' per AEP-132
+    message: "List response schema must use 'results' as the array field name"
+    severity: warn
+    given: $.components.schemas[?(@.properties.next_page_token)].properties
+    then:
+      field: results
+      function: truthy
+
+  aep-133-create-location-header:
+    description: Create (201) response must include Location header per AEP-133
+    message: "Create operation 201 response must include a Location header"
+    severity: warn
+    given: $.paths[*].post.responses.201
+    then:
+      field: headers.Location
+      function: truthy

api/v1alpha1/openapi.yaml

@@ -485,9 +485,9 @@ components:
 
         Implements AEP-132 List standard method requirements.
       required:
-        - policies
+        - results
       properties:
-        policies:
+        results:
           type: array
           description: List of policy resources matching the request criteria
           items:

internal/apiserver/server.go

@@ -14,6 +14,7 @@ import (
 	"github.com/dcm-project/policy-manager/internal/api/server"
 	"github.com/dcm-project/policy-manager/internal/config"
 	"github.com/dcm-project/policy-manager/internal/logging"
+	custommiddleware "github.com/dcm-project/policy-manager/internal/middleware"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 )
@@ -43,6 +44,7 @@ func (s *Server) Run(ctx context.Context) error {
 	router.Use(logging.RequestLogger)
 	router.Use(middleware.Logger)
 	router.Use(middleware.Recoverer)
+	router.Use(custommiddleware.ProblemJSON)
 
 	swagger, err := v1alpha1.GetSwagger()
 	if err != nil {

internal/engineserver/server.go

@@ -14,6 +14,7 @@ import (
 	engineserver "github.com/dcm-project/policy-manager/internal/api/engine"
 	"github.com/dcm-project/policy-manager/internal/config"
 	"github.com/dcm-project/policy-manager/internal/logging"
+	custommiddleware "github.com/dcm-project/policy-manager/internal/middleware"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 )
@@ -43,6 +44,7 @@ func (s *Server) Run(ctx context.Context) error {
 	router.Use(logging.RequestLogger)
 	router.Use(middleware.Logger)
 	router.Use(middleware.Recoverer)
+	router.Use(custommiddleware.ProblemJSON)
 
 	swagger, err := engineserverapi.GetSwagger()
 	if err != nil {

internal/handlers/v1alpha1/converters.go

@@ -48,12 +48,12 @@ func policyV1Alpha1ToServer(p v1alpha1.Policy) server.Policy {
 }
 
 func listResponseV1Alpha1ToServer(r v1alpha1.PolicyList) server.PolicyList {
-	policies := make([]server.Policy, len(r.Policies))
-	for i, p := range r.Policies {
+	policies := make([]server.Policy, len(r.Results))
+	for i, p := range r.Results {
 		policies[i] = policyV1Alpha1ToServer(p)
 	}
 	return server.PolicyList{
 		NextPageToken: r.NextPageToken,
-		Policies:      policies,
+		Results:       policies,
 	}
 }

internal/handlers/v1alpha1/policy.go

@@ -3,6 +3,7 @@ package v1alpha1
 
 import (
 	"context"
+	"fmt"
 
 	"github.com/dcm-project/policy-manager/api/v1alpha1"
 	"github.com/dcm-project/policy-manager/internal/api/server"
@@ -62,9 +63,11 @@ func (h *PolicyHandler) CreatePolicy(ctx context.Context, request server.CreateP
 	}
 
 	log.Info("Policy created", "policy_id", *created.Id)
-	// Convert back to server.Policy
 	return server.CreatePolicy201JSONResponse{
 		Body: policyV1Alpha1ToServer(*created),
+		Headers: server.CreatePolicy201ResponseHeaders{
+			Location: fmt.Sprintf("/api/v1alpha1/policies/%s", *created.Id),
+		},
 	}, nil
 }
 
@@ -107,7 +110,7 @@ func (h *PolicyHandler) ListPolicies(ctx context.Context, request server.ListPol
 		return h.handleListPoliciesError(err, request), nil
 	}
 
-	log.Debug("ListPolicies completed", "count", len(result.Policies))
+	log.Debug("ListPolicies completed", "count", len(result.Results))
 	return server.ListPolicies200JSONResponse(listResponseV1Alpha1ToServer(*result)), nil
 }
 

internal/handlers/v1alpha1/policy_test.go

@@ -126,6 +126,7 @@ var _ = Describe("PolicyHandler", func() {
 			createResponse, ok := response.(server.CreatePolicy201JSONResponse)
 			Expect(ok).To(BeTrue(), "response should be CreatePolicy201JSONResponse")
 			Expect(*createResponse.Body.Id).To(Equal("test-policy"))
+			Expect(createResponse.Headers.Location).To(Equal("/api/v1alpha1/policies/test-policy"))
 		})
 
 		It("should return 400 when body is nil", func() {
@@ -227,7 +228,7 @@ var _ = Describe("PolicyHandler", func() {
 			pt2 := v1alpha1.USER
 			mockService.ListPoliciesFn = func(_ context.Context, _ *string, _ *string, _ *string, _ *int32) (*v1alpha1.PolicyList, error) {
 				return &v1alpha1.PolicyList{
-					Policies: []v1alpha1.Policy{
+					Results: []v1alpha1.Policy{
 						{
 							Id:          &policyID1,
 							Path:        &path1,
@@ -254,9 +255,9 @@ var _ = Describe("PolicyHandler", func() {
 			Expect(err).NotTo(HaveOccurred())
 			listResponse, ok := response.(server.ListPolicies200JSONResponse)
 			Expect(ok).To(BeTrue(), "response should be ListPolicies200JSONResponse")
-			Expect(listResponse.Policies).To(HaveLen(2))
-			Expect(*listResponse.Policies[0].Id).To(Equal("policy-1"))
-			Expect(*listResponse.Policies[1].Id).To(Equal("policy-2"))
+			Expect(listResponse.Results).To(HaveLen(2))
+			Expect(*listResponse.Results[0].Id).To(Equal("policy-1"))
+			Expect(*listResponse.Results[1].Id).To(Equal("policy-2"))
 		})
 
 		It("should pass filter parameter to service", func() {
@@ -267,7 +268,7 @@ var _ = Describe("PolicyHandler", func() {
 			mockService.ListPoliciesFn = func(_ context.Context, filter *string, _ *string, _ *string, _ *int32) (*v1alpha1.PolicyList, error) {
 				receivedFilter = filter
 				return &v1alpha1.PolicyList{
-					Policies: []v1alpha1.Policy{},
+					Results: []v1alpha1.Policy{},
 				}, nil
 			}
 
@@ -293,7 +294,7 @@ var _ = Describe("PolicyHandler", func() {
 				receivedPageToken = pageToken
 				receivedPageSize = pageSize
 				return &v1alpha1.PolicyList{
-					Policies: []v1alpha1.Policy{},
+					Results: []v1alpha1.Policy{},
 				}, nil
 			}
 

internal/middleware/problemjson.go

@@ -0,0 +1,42 @@
+package middleware
+
+import (
+	"net/http"
+	"strings"
+)
+
+// ProblemJSON is a Chi middleware that rewrites the Content-Type header
+// from application/json to application/problem+json for error responses
+// (status >= 400), per AEP-193 and RFC 9457.
+func ProblemJSON(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		next.ServeHTTP(&problemJSONWriter{ResponseWriter: w}, r)
+	})
+}
+
+type problemJSONWriter struct {
+	http.ResponseWriter
+	wroteHeader bool
+}
+
+func (w *problemJSONWriter) WriteHeader(code int) {
+	if !w.wroteHeader && code >= 400 {
+		ct := w.Header().Get("Content-Type")
+		if strings.HasPrefix(ct, "application/json") {
+			w.Header().Set("Content-Type", strings.Replace(ct, "application/json", "application/problem+json", 1))
+		}
+	}
+	w.wroteHeader = true
+	w.ResponseWriter.WriteHeader(code)
+}
+
+func (w *problemJSONWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.WriteHeader(http.StatusOK)
+	}
+	return w.ResponseWriter.Write(b)
+}
+
+func (w *problemJSONWriter) Unwrap() http.ResponseWriter {
+	return w.ResponseWriter
+}

internal/middleware/problemjson_test.go

@@ -0,0 +1,60 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestMiddleware(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Middleware Suite")
+}
+
+var _ = Describe("ProblemJSON", func() {
+	makeHandler := func(status int, contentType string) http.Handler {
+		return ProblemJSON(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.Header().Set("Content-Type", contentType)
+			w.WriteHeader(status)
+			w.Write([]byte(`{"type":"INTERNAL","status":500,"title":"error"}`))
+		}))
+	}
+
+	It("should rewrite Content-Type for 400 responses", func() {
+		rec := httptest.NewRecorder()
+		makeHandler(400, "application/json").ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
+		Expect(rec.Header().Get("Content-Type")).To(Equal("application/problem+json"))
+	})
+
+	It("should rewrite Content-Type for 500 responses", func() {
+		rec := httptest.NewRecorder()
+		makeHandler(500, "application/json").ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
+		Expect(rec.Header().Get("Content-Type")).To(Equal("application/problem+json"))
+	})
+
+	It("should preserve Content-Type for 200 responses", func() {
+		rec := httptest.NewRecorder()
+		handler := ProblemJSON(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(200)
+			w.Write([]byte(`{"status":"ok"}`))
+		}))
+		handler.ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
+		Expect(rec.Header().Get("Content-Type")).To(Equal("application/json"))
+	})
+
+	It("should preserve Content-Type with charset for 400 responses", func() {
+		rec := httptest.NewRecorder()
+		makeHandler(404, "application/json; charset=utf-8").ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
+		Expect(rec.Header().Get("Content-Type")).To(Equal("application/problem+json; charset=utf-8"))
+	})
+
+	It("should not touch non-JSON content types on errors", func() {
+		rec := httptest.NewRecorder()
+		makeHandler(500, "text/plain").ServeHTTP(rec, httptest.NewRequest("GET", "/", nil))
+		Expect(rec.Header().Get("Content-Type")).To(Equal("text/plain"))
+	})
+})

internal/service/policy.go

@@ -275,7 +275,7 @@ func (s *PolicyServiceImpl) ListPolicies(ctx context.Context, filter *string, or
 
 	// Build response
 	response := &v1alpha1.PolicyList{
-		Policies: apiPolicies,
+		Results: apiPolicies,
 	}
 
 	if result.NextPageToken != "" {