Conversation

@hoegertn hoegertn commented Nov 16, 2025

Summary by CodeRabbit

  • New Features
    • Added comprehensive integration with the Cycleball EU API, enabling access to leagues, teams, clubs, matchdays, and calendar data through standardized endpoints.
    • Automated type generation from API specifications for enhanced developer experience.

@amazon-inspector-frankfurt
⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done.

@github-actions github-actions bot requested a review from hoegerma November 16, 2025 13:19
coderabbitai bot commented Nov 16, 2025

Walkthrough

This PR introduces a new OpenAPI code generation task generate:api:restCB that processes the Cycleball EU API specification and generates TypeScript types. The task is integrated into the pre-compile pipeline via configuration in .projen/tasks.json, .projenrc.ts, and package.json, alongside a comprehensive OpenAPI 3.0.1 specification file.

Changes

| Cohort / File(s) | Change Summary |
| --- | --- |
| Build Task Configuration: .projen/tasks.json, .projenrc.ts, package.json | Added new generate:api:restCB task that executes openapi-typescript cycleball-api.yaml --output src/generated/rest.cycleball.model.generated.ts. Task prepended to pre-compile pipeline to run before existing generate:api:rest and generate:api:graphql tasks. Corresponding npm script added to package.json. |
| API Specification: cycleball-api.yaml | Introduced OpenAPI 3.0.1 specification for Cycleball EU API with endpoints for leagues, matchdays, teams, clubs, and calendar management. Defines 13 public endpoints with nested entity schemas including League, Team, Matchday, Game, Ranking, and Club. Implements OpenID Connect security scheme. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

  • cycleball-api.yaml: Verify OpenAPI schema validity, endpoint definitions, request/response structures, and nested entity relationships
  • Task configuration: Cross-check consistency between .projen/tasks.json and .projenrc.ts task declarations and confirm correct output path for generated types

Poem

🐰 A new API spec hops into view,
With endpoints and schemas, all shiny and new,
The cycleball dances through cyberspace wide,
As openapi-typescript runs with pride,
Type safety blooms in the pre-compile light! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The pull request description is completely empty and does not follow the provided template, missing all required sections like change type, current behavior, and new behavior. | Add a comprehensive description following the template: specify the change type (feature), explain the current behavior, describe the new API capabilities, and confirm no breaking changes. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: adding a new Cycleball EU REST API specification and TypeScript code generation setup for a migration phase. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@taimos-projen taimos-projen bot enabled auto-merge November 16, 2025 13:20
@amazon-inspector-frankfurt
✅ I finished the code review, and didn't find any security or code quality issues.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (2)
cycleball-api.yaml (2)

169-191: Remove commented-out code or implement the endpoint.

The PDF print endpoint is commented out. Either remove it if not needed, or implement it if it's part of the API surface.


30-32: Consider adding maxItems constraints to arrays.

Array responses without maximum item constraints could potentially cause performance issues or be exploited for DoS attacks. Consider adding reasonable maxItems constraints.

Example:

schema:
  type: array
  maxItems: 1000
  items:
    $ref: '#/components/schemas/League'

Also applies to: 76-78, 97-99, 117-120, 270-273, 305-307, 320-322

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2d4cf69 and 5fd660c.

⛔ Files ignored due to path filters (1)
  • src/generated/rest.cycleball.model.generated.ts is excluded by !**/generated/**
📒 Files selected for processing (7)
  • .projen/tasks.json (2 hunks)
  • .projenrc.ts (1 hunks)
  • cycleball-api.yaml (1 hunks)
  • docs/assets/hierarchy.js (1 hunks)
  • docs/assets/navigation.js (1 hunks)
  • docs/assets/search.js (1 hunks)
  • package.json (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
cycleball-api.yaml

[high] 1-612: Ensure that the global security field has rules defined

(CKV_OPENAPI_4)


[high] 1-612: Ensure that security operations is not empty.

(CKV_OPENAPI_5)


[medium] 30-34: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

🔇 Additional comments (6)
docs/assets/navigation.js (1)

1-1: Documentation asset update looks correct.

This appears to be an auto-generated documentation file with updated navigation data, consistent with the new API additions.

docs/assets/search.js (1)

1-1: Documentation asset update looks correct.

Auto-generated search data update is consistent with the documentation regeneration.

docs/assets/hierarchy.js (1)

1-1: Documentation asset update looks correct.

Auto-generated hierarchy data update is as expected.

package.json (1)

19-19: New codegen script properly integrated.

The new generate:api:restCB script follows the existing naming conventions and is correctly positioned in the scripts section.

.projen/tasks.json (1)

148-156: Code generation task properly configured.

The new generate:api:restCB task is correctly defined and integrated into the pre-compile sequence. The execution order (restCB → rest → graphql) ensures all API types are generated before compilation.

Also applies to: 204-206

.projenrc.ts (1)

109-113: New codegen task properly integrated.

The new generate:api:restCB task is correctly defined and will execute before the existing REST and GraphQL codegen tasks due to the prependSpawn behavior (tasks execute in reverse order of prepending).

hoegertn and others added 3 commits November 16, 2025 14:24
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@taimos-projen taimos-projen bot added this pull request to the merge queue Nov 16, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
cycleball-api.yaml (1)

324-327: ⚠️ [Duplicate] Apply security requirements to endpoints and document x-pin as a security scheme.

The OpenID Connect security scheme is defined (lines 324–327), but no endpoints reference it. Additionally, the x-pin header used for authentication on lines 150–151, 198–199, and 232–233 is not formally documented as a security scheme. This leaves all endpoints effectively public and the API contract unclear regarding PIN-based authentication.

Per the previous review feedback: Add a PinAuth security scheme and apply security requirements to protected endpoints.

Apply this diff to formalize x-pin authentication and secure protected endpoints:

  securitySchemes:
    OpenID:
      type: openIdConnect
      openIdConnectUrl: https://auth.cycleball.eu/.well-known/openid-configuration
+   PinAuth:
+     type: apiKey
+     in: header
+     name: x-pin
+     description: PIN-based authentication for matchday updates
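Review bot: the PinAuth description "PIN-based authentication for matchday updates" is narrower than the usage this comment itself lists: x-pin also guards the GET operation at lines 144–168, not only the two PUT operations. Describe the scheme as covering matchday reads as well as updates, so generated client documentation does not imply the header is write-only.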

Then add security blocks to protected operations. For example:

  '/leagues/{oid}/matchdays/{dayId}/teams/{teamId}':
    put:
      tags:
      - leagues
      summary: update a single team of a matchday
      operationId: updateMatchdayTeam
+     security:
+       - PinAuth: []
      parameters:
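Review bot: once `PinAuth: []` is the security requirement for this operation, the explicit `- name: x-pin` / `in: header` entry in its parameters (lines 232–233 here, 150–151 and 198–199 for the other two operations) becomes a second declaration of the same header; remove it so generated clients model x-pin once, as a credential, rather than as both a credential and an ordinary parameter. Operation-level blocks alone also leave the top-level security field absent, which is what the Checkov CKV_OPENAPI_4 finding above points at; a global default with per-operation overrides, or an explicit `security: []` on operations meant to be public, would make the public endpoints a deliberate choice rather than an omission.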

Apply the same pattern to the other PUT operation (line 225–258) and the GET operation with x-pin (lines 144–168).

Also applies to: 18-322

🧹 Nitpick comments (1)
cycleball-api.yaml (1)

30-34: Add maxItems constraint to array responses.

Array responses should define a maximum number of items to prevent unbounded responses and aid validation. The array at lines 30–34 (GET /leagues response) lacks a maxItems constraint.

Apply this diff:

    description: successful operation
    content:
      application/json:
        schema:
          type: array
+         maxItems: 1000
          items:
            $ref: '#/components/schemas/League'
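Review bot: maxItems on a response schema documents a bound but does not enforce one; the server still has to cap or paginate the league list, so 1000 should be the limit the backend actually applies rather than a placeholder, otherwise validators will accept responses the server never produces and reject ones it does. With the openapi-typescript command as configured in this PR the generated array type is unchanged by this constraint, so the benefit is limited to spec validation and client-side response checking.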

Consider applying similar constraints to other array responses throughout the specification (e.g., lines 76–78, 97–99, 118–120, 270–273, 304–307, 319–322).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5fd660c and 75e177e.

📒 Files selected for processing (1)
  • cycleball-api.yaml (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
cycleball-api.yaml

[high] 1-612: Ensure that the global security field has rules defined

(CKV_OPENAPI_4)


[high] 1-612: Ensure that security operations is not empty.

(CKV_OPENAPI_5)


[medium] 30-34: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

🔇 Additional comments (1)
cycleball-api.yaml (1)

12-12: HTTPS server URL confirmed.

The server URL correctly uses HTTPS. This addresses the security concern from the previous review.

Comment on lines +150 to +151
- name: x-pin
in: header
⚠️ Potential issue | 🟡 Minor

Add schema definitions to x-pin header parameters.

The x-pin header parameters lack schema definitions, making the parameter contract incomplete. This can cause issues during code generation and client validation.

Apply this diff to add schema to each x-pin parameter:

  - name: x-pin
    in: header
+   schema:
+     type: string
+   description: PIN for accessing matchday information
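Review bot: the added schema still leaves the x-pin header optional, since `required` defaults to false for header parameters; add `required: true` so the contract does not permit matchday requests without the PIN and generated clients are made to supply it. If the header is later modelled as the PinAuth security scheme suggested in the review above, this parameter entry should be dropped rather than completed.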

Repeat this fix for all three occurrences at line ranges 150–151, 198–199, and 232–233.

Also applies to: 198-199, 232-233

🤖 Prompt for AI Agents
In cycleball-api.yaml around lines 150-151, 198-199 and 232-233 the x-pin header
parameters lack schema definitions; update each x-pin parameter entry to include
a schema object (type: string, format: uuid if applicable or simple string)
under the header parameter so the contract is explicit for codegen and
validation; apply the same schema pattern to all three occurrences and ensure
indentation and YAML structure match surrounding parameters.

Merged via the queue into main with commit c7b7b14 Nov 16, 2025
6 checks passed
@taimos-projen taimos-projen bot deleted the cycleball-api branch November 16, 2025 13:33