feat(api): add OpenAPI documentation with hono-openapi (#1954)

* feat(api): add OpenAPI documentation with hono-openapi

- Add @hono/zod-openapi package to apps/api
- Refactor API routes to use OpenAPIHono with proper schemas and tags
- Add API tags: internal (health checks), app (authenticated endpoints), webhook (external callbacks)
- Add /openapi.json endpoint to serve OpenAPI spec
- Create OpenAPIDocs component for rendering API docs in apps/web
- Add API Reference documentation page in developers section

Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>

* feat(api): add build script to generate openapi.yaml

- Create shared openapi-config.ts module for OpenAPI metadata
- Add generate-openapi.ts script that extracts spec from route definitions
- Add yaml dependency for YAML output
- Add build script that runs generate-openapi
- Add openapi.yaml to .gitignore (treated as build artifact)

Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>

* fix(api): add proper type bindings for stripeEvent context variable

- Create hono-bindings.ts with AppBindings type
- Use OpenAPIHono<AppBindings> for proper type inference
- Remove 'as never' cast on c.get('stripeEvent')

Addresses CodeRabbit feedback on type safety

Co-Authored-By: yujonglee <yujonglee.dev@gmail.com>

* kind-of-rewrite

---------

Co-authored-by: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>

Author: yujonglee

apps/api/.gitignore

@@ -1,2 +1,5 @@
 .env
 .env.prod
+
+# Generated OpenAPI spec (build artifact)
+openapi.yaml

apps/api/package.json

@@ -7,12 +7,16 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@sentry/bun": "^10.26.0",
-    "@supabase/supabase-js": "^2.84.0",
+    "@hono/zod-validator": "^0.7.5",
+    "@scalar/hono-api-reference": "^0.5.184",
+    "@sentry/bun": "^10.27.0",
+    "@supabase/supabase-js": "^2.86.0",
     "@t3-oss/env-core": "^0.13.8",
-    "hono": "^4.10.6",
+    "hono": "^4.10.7",
+    "hono-openapi": "^0.4.8",
     "stripe": "^19.3.1",
-    "zod": "^4.1.13"
+    "zod": "^4.1.13",
+    "zod-openapi": "^5.4.5"
   },
   "devDependencies": {
     "@types/bun": "^1.3.3",

apps/api/src/hono-bindings.ts

@@ -0,0 +1,7 @@
+import type Stripe from "stripe";
+
+export type AppBindings = {
+  Variables: {
+    stripeEvent: Stripe.Event;
+  };
+};

apps/api/src/index.ts

@@ -1,18 +1,20 @@
 import "./instrument";
 
+import { apiReference } from "@scalar/hono-api-reference";
 import { Hono } from "hono";
+import { openAPISpecs } from "hono-openapi";
 import { bodyLimit } from "hono/body-limit";
 import { websocket } from "hono/bun";
 import { cors } from "hono/cors";
 import { logger } from "hono/logger";
 
-import { syncBillingForStripeEvent } from "./billing";
 import { env } from "./env";
-import { listenSocketHandler } from "./listen";
+import type { AppBindings } from "./hono-bindings";
+import { API_TAGS, routes } from "./routes";
 import { verifyStripeWebhook } from "./stripe";
 import { requireSupabaseAuth } from "./supabase";
 
-const app = new Hono();
+const app = new Hono<AppBindings>();
 
 app.use(logger());
 app.use(bodyLimit({ maxSize: 1024 * 1024 * 5 }));
@@ -36,76 +38,75 @@ app.use("*", (c, next) => {
   return corsMiddleware(c, next);
 });
 
-app.get("/health", (c) => c.json({ status: "ok" }));
-app.notFound((c) => c.text("not_found", 404));
-
-app.post("/chat/completions", requireSupabaseAuth, async (c) => {
-  const requestBody = await c.req.json<
-    {
-      model?: unknown;
-      tools?: unknown;
-      tool_choice?: unknown;
-    } & Record<string, unknown>
-  >();
+app.use("/chat/completions", requireSupabaseAuth);
+app.use("/webhook/stripe", verifyStripeWebhook);
 
-  const toolChoice = requestBody.tool_choice;
-  const needsToolCalling =
-    Array.isArray(requestBody.tools) &&
-    !(typeof toolChoice === "string" && toolChoice === "none");
+if (env.NODE_ENV !== "development") {
+  app.use("/listen", requireSupabaseAuth);
+}
 
-  // https://openrouter.ai/docs/features/exacto-variant
-  const modelsToUse = needsToolCalling
-    ? [
-        "moonshotai/kimi-k2-0905:exacto",
-        "anthropic/claude-haiku-4.5",
-        "openai/gpt-oss-120b:exacto",
-      ]
-    : ["openai/chatgpt-4o-latest", "moonshotai/kimi-k2-0905"];
+app.route("/", routes);
 
-  const { model: _ignoredModel, ...bodyWithoutModel } = requestBody;
+app.notFound((c) => c.text("not_found", 404));
 
-  // https://openrouter.ai/docs/features/provider-routing#provider-sorting
-  const response = await fetch(
-    "https://openrouter.ai/api/v1/chat/completions",
-    {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        Authorization: `Bearer ${env.OPENROUTER_API_KEY}`,
+app.get(
+  "/openapi.json",
+  openAPISpecs(routes, {
+    documentation: {
+      openapi: "3.1.0",
+      info: {
+        title: "Hyprnote API",
+        version: "1.0.0",
+        description:
+          "API for Hyprnote - AI-powered meeting notes application. APIs are categorized by tags: 'internal' for health checks and internal use, 'app' for endpoints used by the Hyprnote application (requires authentication), and 'webhook' for external service callbacks.",
       },
-      body: JSON.stringify({
-        ...bodyWithoutModel,
-        models: modelsToUse,
-        provider: { sort: "latency" },
-      }),
+      tags: [
+        {
+          name: API_TAGS.INTERNAL,
+          description: "Internal endpoints for health checks and monitoring",
+        },
+        {
+          name: API_TAGS.APP,
+          description:
+            "Endpoints used by the Hyprnote application. Requires Supabase authentication.",
+        },
+        {
+          name: API_TAGS.WEBHOOK,
+          description: "Webhook endpoints for external service callbacks",
+        },
+      ],
+      components: {
+        securitySchemes: {
+          Bearer: {
+            type: "http",
+            scheme: "bearer",
+            description: "Supabase JWT token",
+          },
+        },
+      },
+      servers: [
+        {
+          url: "https://api.hyprnote.com",
+          description: "Production server",
+        },
+        {
+          url: "http://localhost:4000",
+          description: "Local development server",
+        },
+      ],
     },
-  );
-
-  return new Response(response.body, {
-    status: response.status,
-    headers: {
-      "Content-Type":
-        response.headers.get("Content-Type") ?? "application/json",
+  }),
+);
+
+app.get(
+  "/docs",
+  apiReference({
+    theme: "saturn",
+    spec: {
+      url: "/openapi.json",
     },
-  });
-});
-
-app.post("/webhook/stripe", verifyStripeWebhook, async (c) => {
-  try {
-    await syncBillingForStripeEvent(c.var.stripeEvent);
-  } catch (error) {
-    console.error(error);
-    return c.json({ error: "stripe_billing_sync_failed" }, 500);
-  }
-
-  return c.json({ ok: true });
-});
-
-if (env.NODE_ENV === "development") {
-  app.get("/listen", listenSocketHandler);
-} else {
-  app.get("/listen", requireSupabaseAuth, listenSocketHandler);
-}
+  }),
+);
 
 export default {
   port: env.PORT,