feat: support x-security schemeName at workflow; add lint rules (#2370)

Author: vadyvas

.changeset/neat-numbers-knock.md

@@ -0,0 +1,6 @@
+---
+"@redocly/respect-core": minor
+"@redocly/openapi-core": minor
+---
+
+Added support for `schemeName` in `x-security` at the workflow level (Arazzo). Added new lint rules: `arazzo/no-x-security-both-scheme-and-scheme-name` and `arazzo/x-security-scheme-name-link`. Updated core configs to include new rules.

docs/@v2/rules/built-in-rules.md

@@ -142,10 +142,11 @@ Within the Arazzo family of rules, there are rules for the main Arazzo specifica
 The below rules are being migrated to Respect:
 
 - [no-criteria-xpath](./respect/no-criteria-xpath.md): the `xpath` type criteria is not supported by Respect.
-- [respect-supported-versions](./respect/respect-supported-versions.md): the `version` property must be one of the supported values.
+- [no-x-security-both-scheme-and-scheme-name](./respect/no-x-security-both-scheme-and-scheme-name.md): forbids using both `scheme` and `schemeName` in the same `x-security` item
 - [no-x-security-scheme-name-without-openapi](./respect/no-x-security-scheme-name-without-openapi.md): the `x-security` can't use `schemeName` when Step request is described with `x-operation`.
+- [respect-supported-versions](./respect/respect-supported-versions.md): the `version` property must be one of the supported values.
+- [x-security-scheme-name-reference](./respect/x-security-scheme-name-reference.md): when multiple `sourceDescriptions` exist, `workflow.x-security.schemeName` must reference a source description (for example, `$sourceDescriptions.{name}.schemeName`)
 - [x-security-scheme-required-values](./respect/x-security-scheme-required-values.md) validate that `x-security` have all required `values` described according to the used `scheme`.
-- [no-x-security-scheme-name-in-workflow](./respect/no-x-security-scheme-name-in-workflow.md) the `x-security` can't use `schemeName` when described in Workflow.
 
 ## Resources
 

docs/@v2/rules/respect/no-x-security-both-scheme-and-scheme-name.md

@@ -0,0 +1,74 @@
+# no-x-security-both-scheme-and-scheme-name
+
+Forbids using both `scheme` and `schemeName` in the same `x-security` item.
+
+| Arazzo | Compatibility |
+| ------ | ------------- |
+| 1.x    | ✅            |
+
+## Rationale
+
+Each `x-security` entry must reference a security scheme in exactly one way—either embed the `scheme` object or reference it via `schemeName`.
+You can include multiple `x-security` entries in a workflow; this rule applies to each entry individually. Using both `scheme` and `schemeName` in the same entry is ambiguous and is rejected by the runtime.
+
+## Configuration
+
+| Option   | Type   | Description                                             |
+| -------- | ------ | ------------------------------------------------------- |
+| severity | string | Possible values: `off`, `warn`, `error`. Default `off`. |
+
+Example:
+
+```yaml
+rules:
+  no-x-security-both-scheme-and-scheme-name: error
+```
+
+## Examples
+
+Incorrect — both present:
+
+```yaml
+workflows:
+  - workflowId: get-museum-hours
+    x-security:
+      - scheme:
+          type: http
+          scheme: bearer
+        schemeName: BearerAuth
+        values:
+          token: some-token
+```
+
+Correct — only `scheme`:
+
+```yaml
+workflows:
+  - workflowId: get-museum-hours
+    x-security:
+      - scheme:
+          type: http
+          scheme: bearer
+        values:
+          token: some-token
+```
+
+Correct — only `schemeName`:
+
+```yaml
+workflows:
+  - workflowId: get-museum-hours
+    x-security:
+      - schemeName: BearerAuth
+        values:
+          token: some-token
+```
+
+## Related rules
+
+- [x-security-scheme-name-reference](./x-security-scheme-name-reference.md)
+- [x-security-scheme-required-values](./x-security-scheme-required-values.md)
+
+## Resources
+
+- Rule source: https://github.com/Redocly/redocly-cli/blob/main/packages/core/src/rules/respect/no-x-security-both-scheme-and-scheme-name.ts

docs/@v2/rules/respect/no-x-security-scheme-name-in-workflow.md

@@ -44,7 +44,6 @@ arazzo: 1.0.1
 - [no-criteria-xpath](./no-criteria-xpath.md)
 - [no-x-security-scheme-name-without-openapi](./no-x-security-scheme-name-without-openapi.md)
 - [x-security-scheme-required-values](./x-security-scheme-required-values.md)
-- [no-x-security-scheme-name-in-workflow](./no-x-security-scheme-name-in-workflow.md)
 
 ## Resources
 

docs/@v2/rules/respect/respect-supported-versions.md

@@ -0,0 +1,99 @@
+# x-security-scheme-name-reference
+
+When multiple `sourceDescriptions` exist, `workflow.x-security.schemeName` must be a reference to a specific source description (for example, `$sourceDescriptions.{name}.{schemeName}`). If there is only one source description, a plain string is allowed.
+
+| Arazzo | Compatibility |
+| ------ | ------------- |
+| 1.x    | ✅            |
+
+## Design principles
+
+With multiple source descriptions, using a plain `schemeName` is ambiguous. Requiring a reference of the form `$sourceDescriptions.{name}.{schemeName}` disambiguates which source description provides the security scheme.
+
+## Configuration
+
+| Option   | Type   | Description                                             |
+| -------- | ------ | ------------------------------------------------------- |
+| severity | string | Possible values: `off`, `warn`, `error`. Default `off`. |
+
+An example configuration:
+
+```yaml
+rules:
+  x-security-scheme-name-reference: error
+```
+
+## Examples
+
+Given the following configuration:
+
+```yaml
+rules:
+  x-security-scheme-name-reference: error
+```
+
+Example with multiple source descriptions — incorrect (plain string `schemeName`):
+
+```yaml
+sourceDescriptions:
+  - name: museum-api
+    type: openapi
+    url: ./museum.yaml
+  - name: pets-api
+    type: openapi
+    url: ./pets.yaml
+
+workflows:
+  - workflowId: list-users
+    x-security:
+      - schemeName: BasicAuth   # <- must be a reference when multiple sources exist
+        values:
+          username: test@example.com
+          password: 123456
+```
+
+Example with multiple source descriptions — correct (referenced `schemeName`):
+
+```yaml
+sourceDescriptions:
+  - name: museum-api
+    type: openapi
+    url: ./museum.yaml
+  - name: pets-api
+    type: openapi
+    url: ./pets.yaml
+
+workflows:
+  - workflowId: list-users
+    x-security:
+      - schemeName: $sourceDescriptions.museum-api.MuseumPlaceholderAuth
+        values:
+          username: test@example.com
+          password: 123456
+```
+
+Example with a single source description — allowed (plain string `schemeName`):
+
+```yaml
+sourceDescriptions:
+  - name: museum-api
+    type: openapi
+    url: ./museum.yaml
+
+workflows:
+  - workflowId: list-users
+    x-security:
+      - schemeName: BasicAuth
+        values:
+          username: test@example.com
+          password: 123456
+```
+
+## Related rules
+
+- [no-x-security-both-scheme-and-scheme-name](./no-x-security-both-scheme-and-scheme-name.md)
+- [x-security-scheme-required-values](./x-security-scheme-required-values.md)
+
+## Resources
+
+- Rule source: https://github.com/Redocly/redocly-cli/blob/main/packages/core/src/rules/respect/x-security-scheme-name-reference.ts

docs/@v2/rules/respect/x-security-scheme-name-reference.md

@@ -149,9 +149,10 @@
             - separator: Arazzo
             - page: rules/respect/no-criteria-xpath.md
             - page: rules/respect/respect-supported-versions.md
+            - page: rules/respect/no-x-security-both-scheme-and-scheme-name.md
             - page: rules/respect/no-x-security-scheme-name-without-openapi.md
+            - page: rules/respect/x-security-scheme-name-reference.md
             - page: rules/respect/x-security-scheme-required-values.md
-            - page: rules/respect/no-x-security-scheme-name-in-workflow.md
             - page: rules/arazzo/criteria-unique.md
             - page: rules/arazzo/parameters-unique.md
             - page: rules/arazzo/requestBody-replacements-unique.md

docs/@v2/sidebars.yaml

@@ -10,7 +10,7 @@ exports[`resolveConfig > should ignore minimal from the root and read local file
     "no-enum-type-mismatch": "error",
     "no-required-schema-properties-undefined": "warn",
     "no-schema-type-mismatch": "error",
-    "no-x-security-scheme-name-in-workflow": "off",
+    "no-x-security-both-scheme-and-scheme-name": "off",
     "no-x-security-scheme-name-without-openapi": "off",
     "parameters-unique": "error",
     "requestBody-replacements-unique": "warn",
@@ -23,6 +23,7 @@ exports[`resolveConfig > should ignore minimal from the root and read local file
     "stepId-unique": "error",
     "workflow-dependsOn": "error",
     "workflowId-unique": "error",
+    "x-security-scheme-name-reference": "off",
     "x-security-scheme-required-values": "off",
   },
   "async2Decorators": {},
@@ -380,7 +381,7 @@ exports[`resolveConfig > should resolve extends with local file config which con
     "no-enum-type-mismatch": "error",
     "no-required-schema-properties-undefined": "warn",
     "no-schema-type-mismatch": "error",
-    "no-x-security-scheme-name-in-workflow": "off",
+    "no-x-security-both-scheme-and-scheme-name": "off",
     "no-x-security-scheme-name-without-openapi": "off",
     "parameters-unique": "error",
     "requestBody-replacements-unique": "warn",
@@ -393,6 +394,7 @@ exports[`resolveConfig > should resolve extends with local file config which con
     "stepId-unique": "error",
     "workflow-dependsOn": "error",
     "workflowId-unique": "error",
+    "x-security-scheme-name-reference": "off",
     "x-security-scheme-required-values": "off",
   },
   "async2Decorators": {},

packages/core/src/config/__tests__/__snapshots__/config-resolvers.test.ts.snap

@@ -131,7 +131,7 @@ describe('loadConfig', () => {
               "no-enum-type-mismatch": "warn",
               "no-required-schema-properties-undefined": "warn",
               "no-schema-type-mismatch": "warn",
-              "no-x-security-scheme-name-in-workflow": "off",
+              "no-x-security-both-scheme-and-scheme-name": "off",
               "no-x-security-scheme-name-without-openapi": "off",
               "parameters-unique": "off",
               "requestBody-replacements-unique": "off",
@@ -144,6 +144,7 @@ describe('loadConfig', () => {
               "stepId-unique": "error",
               "workflow-dependsOn": "off",
               "workflowId-unique": "error",
+              "x-security-scheme-name-reference": "off",
               "x-security-scheme-required-values": "off",
             },
             "async2Decorators": {},
@@ -438,7 +439,7 @@ describe('loadConfig', () => {
               "no-enum-type-mismatch": "error",
               "no-required-schema-properties-undefined": "warn",
               "no-schema-type-mismatch": "error",
-              "no-x-security-scheme-name-in-workflow": "off",
+              "no-x-security-both-scheme-and-scheme-name": "off",
               "no-x-security-scheme-name-without-openapi": "off",
               "parameters-unique": "error",
               "requestBody-replacements-unique": "warn",
@@ -451,6 +452,7 @@ describe('loadConfig', () => {
               "stepId-unique": "error",
               "workflow-dependsOn": "error",
               "workflowId-unique": "error",
+              "x-security-scheme-name-reference": "off",
               "x-security-scheme-required-values": "off",
             },
             "async2Decorators": {},
@@ -750,7 +752,7 @@ describe('loadConfig', () => {
               "no-enum-type-mismatch": "warn",
               "no-required-schema-properties-undefined": "warn",
               "no-schema-type-mismatch": "warn",
-              "no-x-security-scheme-name-in-workflow": "off",
+              "no-x-security-both-scheme-and-scheme-name": "off",
               "no-x-security-scheme-name-without-openapi": "off",
               "parameters-unique": "off",
               "requestBody-replacements-unique": "off",
@@ -763,6 +765,7 @@ describe('loadConfig', () => {
               "stepId-unique": "error",
               "workflow-dependsOn": "off",
               "workflowId-unique": "error",
+              "x-security-scheme-name-reference": "off",
               "x-security-scheme-required-values": "off",
             },
             "async2Decorators": {},

packages/core/src/config/__tests__/load.test.ts

@@ -276,23 +276,24 @@ const all: RawGovernanceConfig<'built-in'> = {
   arazzo1Rules: {
     'criteria-unique': 'error',
     'no-criteria-xpath': 'off',
+    'no-enum-type-mismatch': 'error',
+    'no-required-schema-properties-undefined': 'error',
+    'no-schema-type-mismatch': 'error',
+    'no-x-security-both-scheme-and-scheme-name': 'off',
+    'no-x-security-scheme-name-without-openapi': 'off',
     'parameters-unique': 'error',
     'requestBody-replacements-unique': 'error',
+    'respect-supported-versions': 'off',
+    'sourceDescription-name-unique': 'error',
     'sourceDescription-type': 'error',
-    'step-onSuccess-unique': 'error',
+    'sourceDescriptions-not-empty': 'error',
     'step-onFailure-unique': 'error',
+    'step-onSuccess-unique': 'error',
     'stepId-unique': 'error',
-    'sourceDescription-name-unique': 'error',
-    'sourceDescriptions-not-empty': 'error',
-    'respect-supported-versions': 'off',
-    'workflowId-unique': 'error',
     'workflow-dependsOn': 'error',
-    'no-x-security-scheme-name-without-openapi': 'off',
+    'workflowId-unique': 'error',
+    'x-security-scheme-name-reference': 'off',
     'x-security-scheme-required-values': 'off',
-    'no-x-security-scheme-name-in-workflow': 'off',
-    'no-required-schema-properties-undefined': 'error',
-    'no-enum-type-mismatch': 'error',
-    'no-schema-type-mismatch': 'error',
   },
   overlay1Rules: {
     'info-contact': 'error',