feat(portal-sdk): add approval API

[LiteSun]

What

Adds an approval resource to the portal SDK, wrapping the developer-portal approval workflow endpoints:

Method	Endpoint	Maps to
client.approval.list(query?)	GET /api/approvals	listApprovals
client.approval.accept(id, body?)	POST /api/approvals/{approval_id}/accept	acceptApproval
client.approval.reject(id, body?)	POST /api/approvals/{approval_id}/reject	rejectApproval

Wired into both the server (src/index.ts) and browser (src/browser.ts) API7Portal clients.

const { list } = await client.approval.list({ status: 'pending' });
await client.approval.accept(id, { metadata });
await client.approval.reject(id, { metadata });

Scope kept minimal

openapi.yaml is not wholesale re-bundled — every existing line (and its double-quote
formatting) is left byte-for-byte unchanged. The only additions are:

• the three approval paths, and
• the once-only credential secret fields on the credential response schemas:
  key-auth.key, basic-auth.username / basic-auth.password (returned only on create/regenerate).

→ openapi.yaml: 206 insertions, 0 deletions.

src/generated/** likewise carries only the approval additions (new operations, types,
transformer, exports) grafted onto the existing generated output — no unrelated regeneration
churn (no generator-version reformatting, no touched core/ or client/ files).

Verification

• nx lint portal-sdk ✅
• nx build portal-sdk ✅ (ESM + CJS + d.ts)
• nx typecheck portal-sdk ✅
• nx test portal-sdk — no test files in repo (pre-existing)

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features
  • Added approval management API: list approvals (filterable), accept approvals, and reject approvals.
  • Listing supports pagination, sorting and free-text search.
  • SDK now exposes an approval sub-API on the main client for interacting with approvals.
• Bug Fixes / Updates
  • Credential schemas updated to include returned-on-creation keys and passwords.
• Chores
  • Type re-exports simplified for easier access.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds a complete approval workflow API to the portal SDK. It extends the OpenAPI specification with three new endpoints under /api/approvals (list, accept, reject), wraps those generated operations in an ApprovalAPI SDK class, and integrates that class into the main API7Portal client. Supporting changes include wildcard type re-exports and a minor axios version bump.

Changes

Approval Workflow Implementation

Layer / File(s)	Summary
OpenAPI approval contract and schemas packages/portal-sdk/openapi.yaml	Adds /api/approvals GET (with filtering, pagination, sorting, search), /api/approvals/{approval_id}/accept POST, and /api/approvals/{approval_id}/reject POST endpoints. Introduces ApprovalStatus, ApprovalResult, ApprovalEvent, ApprovalResourceType enums; ApprovalActionReq schema with opaque metadata field; ApprovalID path parameter; and ListApprovalResponse with paginated approval items that include workflow state, resource/applicant/operator details, and timestamps. Updates KeyAuthApplicationCredentialBasics and BasicAuthApplicationCredentialBasics with key/username/password fields.
ApprovalAPI SDK wrapper implementation packages/portal-sdk/src/approval.ts	Exports ApprovalAPI class that wraps the generated approval operations. Implements list(query?) to forward query parameters and return transformed response; accept(id, data?) to call acceptApproval and resolve as void; reject(id, data?) to call rejectApproval and resolve as void.
API7Portal client integration packages/portal-sdk/src/browser.ts, packages/portal-sdk/src/index.ts	Adds ApprovalAPI import and public approval property to API7Portal class; initializes the property in the constructor using the generated client in both entry points.
Type exports and dependency updates packages/portal-sdk/src/unstable/typing.ts, packages/portal-sdk/package.json, .nx/version-plans/*	Replaces explicit named re-exports with wildcard re-export from generated index in unstable/typing.ts; updates axios dependency from ^1.16.1 to ^1.17.0; adds version-plan entry for portal-sdk.

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
E2e Test Quality Review	⚠️ Warning	PR contains NO E2E tests. Repository has no test files. E2E test completeness is blocking per custom check requirements. Code is correctly implemented.	Add E2E tests covering: list() with filters, accept/reject success/errors, API integration, and proper APIError propagation.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	Client SDK adds approval API endpoints with no logging of Bearer tokens, no unencrypted storage, and proper server-side authorization. Metadata field design is intentional.
Title check	✅ Passed	The pull request title 'feat(portal-sdk): add approval API' directly and concisely describes the main change—adding a new approval API resource to the portal SDK with three endpoints.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/approval-api

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/portal-sdk/openapi.yaml (1)

1124-1153: 🛠️ Refactor suggestion | 🟠 Major | 🏗️ Heavy lift

Separate secret-bearing credential payloads from general credential responses.

At Line [1125], Line [1152], and Line [1182], secret fields are part of shared credential response schemas, and that shared schema is reused by list/get responses at Line [1845] and Line [1860]. This broadens the contract surface for secrets and increases accidental leakage risk in downstream logging/telemetry.

Use dedicated create/regenerate response schemas for secret-bearing fields, and keep list/get schemas secret-free.

Proposed contract split (illustrative)

- ApplicationCredentialResponse:
-   content:
-     application/json:
-       schema:
-         $ref: '`#/components/schemas/ApplicationCredential`'
+ ApplicationCredentialResponse:
+   content:
+     application/json:
+       schema:
+         $ref: '`#/components/schemas/ApplicationCredentialPublic`'

+ ApplicationCredentialCreateOrRegenerateResponse:
+   content:
+     application/json:
+       schema:
+         $ref: '`#/components/schemas/ApplicationCredentialWithSecrets`'

Also applies to: 1182-1184, 1840-1861

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/portal-sdk/openapi.yaml` around lines 1124 - 1153, The shared
credential response schema (ApplicationCredentialBasicsCommon /
BasicAuthApplicationCredentialBasics) currently includes secret fields (e.g.,
properties.key and basic-auth.password); refactor by splitting into two schemas:
keep a secret-free common response (e.g., ApplicationCredentialBasicsPublic or
keep ApplicationCredentialBasicsCommon) used by list/get responses, and add a
separate creation/regeneration response schema (e.g.,
ApplicationCredentialWithSecret or BasicAuthApplicationCredentialSecret) that
contains secret-bearing properties (key, basic-auth.password). Update all
references so list/get endpoints reference the public schema and only
create/regenerate endpoints reference the secret schema, and ensure
enum/type/name definitions remain shared as needed.

🧹 Nitpick comments (1)

packages/portal-sdk/openapi.yaml (1)

641-647: ⚡ Quick win

Avoid positional $ref pointers for response field enums.

At Line [641]-Line [647], response properties depend on /paths/.../parameters/{index} references. This is brittle: reordering parameters can silently change response typing. Prefer named component schemas and reference those from both parameters and response properties.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/portal-sdk/openapi.yaml` around lines 641 - 647, The response schema
uses positional parameter $ref pointers (e.g., refs to
/paths/~1api~1approvals/get/parameters/0/schema, /parameters/1/schema,
/parameters/2/schema, /parameters/3/schema) for properties like status, result,
and resource_type which is brittle; instead add named component schemas (for
example components/schemas/ApprovalStatus, ApprovalResult, ResourceType) and
update both the parameters in the GET /api/approvals operation and the response
properties (status, result, resource_type) to reference those new component
schema names so the enums are stable and independent of parameter ordering.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/portal-sdk/openapi.yaml`:
- Around line 1124-1153: The shared credential response schema
(ApplicationCredentialBasicsCommon / BasicAuthApplicationCredentialBasics)
currently includes secret fields (e.g., properties.key and basic-auth.password);
refactor by splitting into two schemas: keep a secret-free common response
(e.g., ApplicationCredentialBasicsPublic or keep
ApplicationCredentialBasicsCommon) used by list/get responses, and add a
separate creation/regeneration response schema (e.g.,
ApplicationCredentialWithSecret or BasicAuthApplicationCredentialSecret) that
contains secret-bearing properties (key, basic-auth.password). Update all
references so list/get endpoints reference the public schema and only
create/regenerate endpoints reference the secret schema, and ensure
enum/type/name definitions remain shared as needed.

---

Nitpick comments:
In `@packages/portal-sdk/openapi.yaml`:
- Around line 641-647: The response schema uses positional parameter $ref
pointers (e.g., refs to /paths/~1api~1approvals/get/parameters/0/schema,
/parameters/1/schema, /parameters/2/schema, /parameters/3/schema) for properties
like status, result, and resource_type which is brittle; instead add named
component schemas (for example components/schemas/ApprovalStatus,
ApprovalResult, ResourceType) and update both the parameters in the GET
/api/approvals operation and the response properties (status, result,
resource_type) to reference those new component schema names so the enums are
stable and independent of parameter ordering.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 82bb55e0-513b-41d0-868b-90d19fd24373

📥 Commits

Reviewing files that changed from the base of the PR and between 9e2bbf4 and ba451c9.

⛔ Files ignored due to path filters (15)

• packages/portal-sdk/src/generated/client.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/client.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/index.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/types.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/utils.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/auth.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/params.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/pathSerializer.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/queryKeySerializer.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/serverSentEvents.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/utils.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/index.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/sdk.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/transformers.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/types.gen.ts is excluded by !**/generated/**

📒 Files selected for processing (4)

• packages/portal-sdk/openapi.yaml
• packages/portal-sdk/src/approval.ts
• packages/portal-sdk/src/browser.ts
• packages/portal-sdk/src/index.ts

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/portal-sdk/openapi.yaml (1)

1040-1072: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Don't put one-time secrets on the shared credential read model.

ApplicationCredential is reused by the generic credential GET/list responses, so adding key-auth.key and basic-auth.password here makes those broad read endpoints advertise API keys/passwords as ordinary response fields. That is a security contract regression and causes the generated SDK to treat secret material as normal read data instead of create/regenerate-only output. Split secret-bearing create/regenerate responses from the redacted read/list schema.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/portal-sdk/openapi.yaml` around lines 1040 - 1072, The current
shared read/list model exposes one-time secrets (key-auth.key and
basic-auth.password) via
ApplicationCredential/BasicAuthApplicationCredentialBasics; remove those secret
properties from the public/read schemas and create separate create/regenerate
response schemas that include the secrets. Concretely: delete key-auth.key and
basic-auth.password from the read/list schema (ApplicationCredential /
BasicAuthApplicationCredentialBasics), introduce new response schemas (e.g.,
ApplicationCredentialCreateResponse and
BasicAuthApplicationCredentialCreateResponse) that extend the common
ApplicationCredentialBasics and add the secret fields for creation/regeneration
only, and update the POST/regenerate endpoints to return the new secret-bearing
schemas while keeping GET/list endpoints returning the redacted read schemas.
Ensure enum/type names (BasicAuthApplicationCredentialBasics, key-auth,
basic-auth, ApplicationCredential) are used to locate and refactor the
definitions.

🧹 Nitpick comments (2)

packages/portal-sdk/openapi.yaml (2)

1480-1485: ⚡ Quick win

Close ApprovalActionReq to unsupported fields.

This schema currently allows arbitrary extra JSON members on accept/reject because additionalProperties defaults to true. For a workflow-changing endpoint, it is better to fail fast on unexpected payloads.

🔧 Suggested schema tweak

     ApprovalActionReq:
       type: object
+      additionalProperties: false
       properties:
         metadata:
           type: string
           description: Opaque JSON string stored on the approval. The developer portal uses it to carry the acting platform admin's identity.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/portal-sdk/openapi.yaml` around lines 1480 - 1485, The
ApprovalActionReq schema currently allows arbitrary extra properties; update the
ApprovalActionReq definition to disallow unknown fields by adding
additionalProperties: false under the ApprovalActionReq object and explicitly
declare any intended fields (e.g., metadata) so unexpected payload members cause
validation errors; if you plan future optional fields, add them to the
properties list rather than relying on open objects.

---

1949-1989: 🏗️ Heavy lift

Model pending and finished approvals as separate shapes.

status is coupled to fields like result and operated_at, but this response flattens everything into one mostly-optional object. The generated TypeScript type therefore permits impossible states such as a "finished" approval with no outcome, which leaks avoidable ambiguity into the SDK surface. A oneOf for pending vs finished approvals would make the contract much more accurate.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/portal-sdk/openapi.yaml` around lines 1949 - 1989, Split the
flattened approval object into two explicit shapes and use oneOf to distinguish
them: create an ApprovalPending (allOf ResourceBasics + object requiring event,
status (value 'pending'), resource_type, applied_at and excluding finished-only
fields like result and operated_at) and an ApprovalFinished (allOf
ResourceBasics + object requiring status (value 'finished'), result,
operated_at, resource_type and the operator_* fields as appropriate); then
replace the current combined schema with oneOf:
[`#/components/schemas/ApprovalPending`, `#/components/schemas/ApprovalFinished`].
Ensure you keep refs to ApprovalEvent, ApprovalStatus, ApprovalResult and
preserve metadata, resource_id, resource_name, applicant_id/applicant_name but
move required constraints (result, operated_at) into ApprovalFinished and
applied_at into ApprovalPending so impossible states are no longer
representable.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@test.ts`:
- Around line 7-8: Remove the hardcoded bearer token string in test.ts and load
it from an environment variable instead (e.g., process.env.API_SEVEN_TOKEN);
update the code that currently includes the literal
'a7prt-...294c60bb05f988072fee33' to read the token from env, validate presence
at startup and fail with a clear error if missing, and ensure the token is never
logged or committed—also add a note to docs/.env example and confirm secrets are
excluded from VCS (.gitignore, and rotate the exposed token immediately).
- Around line 39-49: The catch block currently only handles APIError via
APIError.isAPIError(error) and silently ignores all other exceptions; update the
catch to handle non-APIError cases as well — for any error that is not APIError,
log the error (including stack) and rethrow it (or return a rejected promise) so
failures aren't swallowed; keep the existing APIError handling (including usage
of error.rawError()) and ensure the catch block always either handles or
rethrows the error.
- Around line 6-9: The code is calling new API7Portal with positional args but
the class defines constructor(opts: Options); change the instantiation to pass a
single options object to match the constructor contract (e.g. new API7Portal({
baseUrl: 'https://developer.apiseven.com', apiKey: 'a7prt-...'})) so the
API7Portal constructor(opts: Options) receives the expected properties; update
any tests/usages that construct API7Portal to use the same object form.
- Around line 14-38: The test prints full SDK responses (console.log(res),
console.log(res1), console.log('Created application:', res2),
console.log('Updated application:', res3), console.log('Deleted application:',
res2.id), console.log(res4), console.log(res5.raw_openapis)) which can leak
secrets; change these to log only minimal/redacted fields (e.g., id, name,
status) or use a shared redactResponse helper before logging, and ensure you do
not print raw_openapis or full response bodies from client.application.* and
client.apiProduct.* — instead log safe properties (res2.id, res2.name,
res3.id/status, res1.length or ids, and a redacted/boolean indicator for
apiProduct content).

---

Outside diff comments:
In `@packages/portal-sdk/openapi.yaml`:
- Around line 1040-1072: The current shared read/list model exposes one-time
secrets (key-auth.key and basic-auth.password) via
ApplicationCredential/BasicAuthApplicationCredentialBasics; remove those secret
properties from the public/read schemas and create separate create/regenerate
response schemas that include the secrets. Concretely: delete key-auth.key and
basic-auth.password from the read/list schema (ApplicationCredential /
BasicAuthApplicationCredentialBasics), introduce new response schemas (e.g.,
ApplicationCredentialCreateResponse and
BasicAuthApplicationCredentialCreateResponse) that extend the common
ApplicationCredentialBasics and add the secret fields for creation/regeneration
only, and update the POST/regenerate endpoints to return the new secret-bearing
schemas while keeping GET/list endpoints returning the redacted read schemas.
Ensure enum/type names (BasicAuthApplicationCredentialBasics, key-auth,
basic-auth, ApplicationCredential) are used to locate and refactor the
definitions.

---

Nitpick comments:
In `@packages/portal-sdk/openapi.yaml`:
- Around line 1480-1485: The ApprovalActionReq schema currently allows arbitrary
extra properties; update the ApprovalActionReq definition to disallow unknown
fields by adding additionalProperties: false under the ApprovalActionReq object
and explicitly declare any intended fields (e.g., metadata) so unexpected
payload members cause validation errors; if you plan future optional fields, add
them to the properties list rather than relying on open objects.
- Around line 1949-1989: Split the flattened approval object into two explicit
shapes and use oneOf to distinguish them: create an ApprovalPending (allOf
ResourceBasics + object requiring event, status (value 'pending'),
resource_type, applied_at and excluding finished-only fields like result and
operated_at) and an ApprovalFinished (allOf ResourceBasics + object requiring
status (value 'finished'), result, operated_at, resource_type and the operator_*
fields as appropriate); then replace the current combined schema with oneOf:
[`#/components/schemas/ApprovalPending`, `#/components/schemas/ApprovalFinished`].
Ensure you keep refs to ApprovalEvent, ApprovalStatus, ApprovalResult and
preserve metadata, resource_id, resource_name, applicant_id/applicant_name but
move required constraints (result, operated_at) into ApprovalFinished and
applied_at into ApprovalPending so impossible states are no longer
representable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 065255f2-ecf2-4fdc-aa87-7e4da2c79c19

📥 Commits

Reviewing files that changed from the base of the PR and between 31f136a and ae61481.

⛔ Files ignored due to path filters (14)

• packages/portal-sdk/src/generated/client.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/client.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/index.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/types.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/client/utils.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/auth.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/params.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/pathSerializer.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/queryKeySerializer.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/serverSentEvents.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/core/utils.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/index.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/sdk.gen.ts is excluded by !**/generated/**
• packages/portal-sdk/src/generated/types.gen.ts is excluded by !**/generated/**

📒 Files selected for processing (5)

• packages/portal-sdk/eslint.config.mjs
• packages/portal-sdk/openapi.yaml
• packages/portal-sdk/src/approval.ts
• packages/portal-sdk/src/unstable/typing.ts
• test.ts

✅ Files skipped from review due to trivial changes (1)

• packages/portal-sdk/src/unstable/typing.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/portal-sdk/src/approval.ts