docs(openapi): hide websiteOnlyCors routes from public docs #180

Open

trevormil wants to merge 1 commit into main from docs-watch/2026-04-24-visibility

@trevormil
Collaborator

Summary

Flip x-internal: false to x-internal: true on four routes whose indexer handlers are wrapped in the websiteOnlyCors middleware (origin-locked to bitbadges.io).

Public docs were advertising these as callable, which would cause 3rd-party devs to hit CORS errors when calling them. The invariant per the docs-watch spec is: every websiteOnlyCors route MUST be absent from routes.yaml or have x-internal: true.

Routes affected

| Method | Path | Handler |
| --- | --- | --- |
| POST | /dynamicStores | createDynamicDataStore |
| PUT | /dynamicStores | updateDynamicDataStore |
| DELETE | /dynamicStores | deleteDynamicDataStore |
| GET | /swapActivities | getSwapActivities |

Why hide instead of expose

These are mutations that require the Manage Dynamic Stores scope or return user-activity feeds; not core 3p-dev integration surface. Dynamic data stores are managed via the frontend UI today — exposing public docs for routes that then CORS-reject third-party origins is worse than hiding them.

If any of these should actually be publicly callable, the indexer middleware needs to change (remove websiteOnlyCors) — that's a separate security-shaped call and a human should make it.

Test plan

  • CI: genapi.yml runs cleanly on merge and opens the usual update-openapi-hosted PR
  • Stoplight re-renders and these four operations no longer appear in the public navigation
  • Frontend (which calls these via same-origin) is unaffected — no indexer change

Detected by docs-watch agent, 2026-04-24.

Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com

Flip `x-internal: false` to `x-internal: true` on four routes whose
indexer handlers are wrapped in the `websiteOnlyCors` middleware
(origin-locked to bitbadges.io). Public docs were advertising them,
which would cause 3rd-party devs to hit CORS errors when calling them.

Affected:
- POST   /dynamicStores           (createDynamicDataStore)
- PUT    /dynamicStores           (updateDynamicDataStore)
- DELETE /dynamicStores           (deleteDynamicDataStore)
- GET    /swapActivities          (getSwapActivities)

Verified via indexer grep: each of these handlers includes the
`websiteOnlyCors` middleware. No behavior change — just hides them
from the Stoplight public surface.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@greptile-apps

greptile-apps Bot commented Apr 24, 2026

Greptile Summary

This PR hides four websiteOnlyCors-gated routes from the public OpenAPI docs by flipping x-internal: false to x-internal: true on POST /dynamicStores, PUT /dynamicStores, DELETE /dynamicStores, and GET /swapActivities. The change is correct — these routes are origin-locked to bitbadges.io at the middleware level, so advertising them in public docs was misleading third-party developers into hitting CORS rejections.

Confidence Score: 5/5

Safe to merge — documentation-only change with no runtime impact.

All four changes are minimal, targeted, and correct. No logic, runtime behavior, or security posture is affected — only which routes appear in the public Stoplight docs. No P0/P1 findings.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/bitbadgesjs-sdk/openapitypes-helpers/routes.yaml | Flips x-internal from false to true on four websiteOnlyCors-gated routes (POST/PUT/DELETE /dynamicStores and GET /swapActivities) to hide them from public API docs. |

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[routes.yaml] --> B{x-internal?}
    B -->|true| C[Hidden from public docs\nStoplight / public navigation]
    B -->|false| D[Visible in public docs]

    subgraph Changed Routes
        E["POST /dynamicStores\n(createDynamicDataStore)"]
        F["PUT /dynamicStores\n(updateDynamicDataStore)"]
        G["DELETE /dynamicStores\n(deleteDynamicDataStore)"]
        H["GET /swapActivities\n(getSwapActivities)"]
    end

    E -->|false → true| C
    F -->|false → true| C
    G -->|false → true| C
    H -->|false → true| C

    C --> I[websiteOnlyCors middleware\norigin-locked to bitbadges.io]
    I --> J[3rd-party calls CORS-rejected\nbefore this fix: docs advertised them]
```

Reviews (1): Last reviewed commit: "docs(openapi): hide websiteOnlyCors rout..." | Re-trigger Greptile
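
The invariant quoted in the PR description (every websiteOnlyCors route is absent from routes.yaml or carries x-internal: true) can be enforced mechanically instead of by grep. The following is an added example, not code from this PR or the project: the Express-style registration lines, the parsed `paths` object, the `/status` route and the names `SAMPLE_INDEXER`, `SAMPLE_PATHS`, `websiteOnlyRoutes` and `exposedWebsiteOnlyRoutes` are assumptions, and all sample data is constructed.

```javascript
// Added example: all inputs are constructed, not taken from the repository.
const METHODS = ['get', 'put', 'post', 'delete', 'patch'];

// Assumed Express-style registrations, one per line (hypothetical indexer excerpt).
const SAMPLE_INDEXER = `
app.post('/dynamicStores', websiteOnlyCors, createDynamicDataStore);
app.put('/dynamicStores', websiteOnlyCors, updateDynamicDataStore);
app.delete('/dynamicStores', websiteOnlyCors, deleteDynamicDataStore);
app.get('/swapActivities', websiteOnlyCors, getSwapActivities);
app.get('/status', getStatus);
`;

// Assumed shape of routes.yaml after YAML parsing (OpenAPI "paths" object).
const SAMPLE_PATHS = {
  '/dynamicStores': {
    post: { operationId: 'createDynamicDataStore', 'x-internal': true },
    put: { operationId: 'updateDynamicDataStore', 'x-internal': false },
    // DELETE is absent from the spec, which the invariant allows.
  },
  '/swapActivities': { get: { operationId: 'getSwapActivities' } }, // flag missing
  '/status': { get: { operationId: 'getStatus', 'x-internal': false } }, // not gated
};

// Collect "METHOD /path" for every registration that lists websiteOnlyCors.
function websiteOnlyRoutes(source) {
  const gated = new Set();
  const re = /app\.(get|put|post|delete|patch)\(\s*['"]([^'"]+)['"]\s*,([^\n]*)/g;
  for (const [, method, path, rest] of source.matchAll(re)) {
    if (/\bwebsiteOnlyCors\b/.test(rest)) gated.add(`${method.toUpperCase()} ${path}`);
  }
  return gated;
}

// Gated routes that are documented without `x-internal: true` break the invariant.
function exposedWebsiteOnlyRoutes(paths, gated) {
  const violations = [];
  for (const [path, item] of Object.entries(paths)) {
    for (const method of METHODS) {
      const key = `${method.toUpperCase()} ${path}`;
      if (item[method] && gated.has(key) && item[method]['x-internal'] !== true) {
        violations.push(key);
      }
    }
  }
  return violations.sort();
}

console.log(exposedWebsiteOnlyRoutes(SAMPLE_PATHS, websiteOnlyRoutes(SAMPLE_INDEXER)));
```

A missing `x-internal` key is treated the same as `false`, so a newly added gated route fails the check until it is explicitly marked internal.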
