docs: Add documentation for GET /api/v0/projects/ endpoint

[erick-cloudsec]

Proposed change

Resolves #3062
Refs #3062

Adds initial documentation for the Projects list endpoint: GET /api/v0/projects/

This doc covers:

• Endpoint purpose and how it’s used to discover project keys/IDs for follow-up calls.
• Authentication behavior differences between local development and non-local environments (API key via X-API-Key, plus notes on rate limiting/throttling behavior as documented).
• Supported query parameters (level, ordering, page, page_size) and expected validation behavior.
• Example requests for local dev and non-local usage.
• Response envelope and field overview, including a realistic 200 OK example (truncated for readability).
• Notes for pre-sync local behavior where items can be empty.
• Error examples for page out of range (404) and invalid query params (422), based on observed local behavior.

Checklist

• Required: I read and followed the contributing guidelines
• Required: I ran make check-test locally and all tests passed
• I used AI for code, documentation, or tests in this PR

[coderabbitai]

Summary by CodeRabbit

• Documentation
  • Added comprehensive API docs for the projects listing endpoint: overview of retrieving paginated project lists, authentication differences and rate limits, request parameters with valid values and defaults, example requests for local/non-local environments, response schema with pagination and sample items, and error handling guidance for invalid parameters and out-of-range pages.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Adds a new API documentation file describing the GET /api/v0/projects/ endpoint: authentication rules for local vs non-local, query parameters, example curl requests, 200 response schema with pagination and sample items, and 404/422 error cases with example payloads and guidance.

Changes

Cohort / File(s)	Summary
API documentation file docs/api/projects.md	New docs page for GET /api/v0/projects/ covering: auth differences (local no-auth vs non-local API key + 10 req/s), request parameters (level, ordering, page, page_size) with valid values/defaults, example local and non-local curl commands, 200 OK paginated response schema and field descriptions, 404 for out-of-range pages, 422 error schema with examples and guidance.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: adding documentation for the GET /api/v0/projects/ endpoint.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, covering the documentation added including endpoint purpose, authentication, parameters, examples, and error handling.
Linked Issues check	✅ Passed	The PR fulfills the objectives of linked issue #3062 by adding detailed REST API documentation including pagination, authentication notes, request/response examples, error handling, and consistent formatting.
Out of Scope Changes check	✅ Passed	All changes are in-scope documentation additions for the GET /api/v0/projects/ endpoint, aligned with the REST API documentation improvement objectives in issue #3062.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/api/projects.md (1)

125-204: Thorough and actionable error documentation.

Error cases are comprehensively covered with realistic payloads, clear remediation guidance, and helpful context (e.g., pre-sync local behavior). The distinction between error types (enum, literal, greater-than-equal validation) provides developers with clear debugging paths.

One optional consideration: The documentation could clarify validation behavior for page_size (e.g., any positive integer, max size limits if applicable) for completeness, though this may not be necessary if the current implementation is lenient.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a2352b9 and 5a919c9.

📒 Files selected for processing (1)

• docs/api/projects.md

🧰 Additional context used

🪛 Gitleaks (8.30.0)

docs/api/projects.md

[high] 68-71: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

🪛 markdownlint-cli2 (0.18.1)

docs/api/projects.md

63-63: Bare URL used

(MD034, no-bare-urls)

🔇 Additional comments (3)

docs/api/projects.md (3)

1-27: Excellent overview and authentication documentation.

The overview clearly communicates the endpoint's purpose, and the authentication section effectively documents environment-specific behavior with explicit callouts for local vs. non-local differences. Rate limiting and error handling are well-covered.

---

30-71: Clear parameter documentation with practical examples.

Query parameters are well-documented with validation constraints and defaults. The dual examples (local and non-local) are helpful for developers across environments.

Note on static analysis hints: The bare URL warning on line 63 is a false positive (the curl command is properly indented as a code block). The gitleaks warning on lines 68–71 is also a false positive (clearly a placeholder). However, to reduce future tooling noise, consider explicitly labeling the placeholder more clearly (e.g., X-API-Key: YOUR_API_KEY_HERE or a comment like # Replace with your actual API key).

---

75-122: Comprehensive response documentation.

The 200 OK response is well-documented with a realistic, truncated example that clearly shows the paginated envelope. The field overview provides quick reference without redundancy. The truncation note demonstrates good documentation practice.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

docs/api/projects.md (2)

71-75: Clarify that API key example is a placeholder.

The curl example includes X-API-Key: YOUR_API_KEY_VALUE, which Gitleaks flagged as a potential credential. While YOUR_API_KEY_VALUE is clearly a placeholder, add an explicit note to prevent readers from accidentally sharing real API keys in similar examples.

Consider adding a callout or comment like:

  curl -X 'GET' \
    'https://<nest-base-url>/api/v0/projects/?level=flagship&ordering=created_at&page=1&page_size=100' \
    -H 'accept: application/json' \
-   -H 'X-API-Key: YOUR_API_KEY_VALUE'
+   -H 'X-API-Key: YOUR_API_KEY_VALUE'  # Replace with your actual API key; never commit real keys

---

115-127: Enhance field overview with type information.

The field overview is helpful but lacks type hints, making it harder for API consumers to understand the expected data types. Consider restructuring to include types:

🔎 Proposed enhancement to field overview

 Field overview (based on the schema):

-- current_page
-- has_next
-- has_previous
-- items[] (array of project objects when present):
+- **current_page** (integer): Current page number
+- **has_next** (boolean): Whether a next page exists
+- **has_previous** (boolean): Whether a previous page exists
+- **items[]** (array of objects): Project objects (when present):
   - created_at
   - key
   - level
   - name
   - updated_at
-- total_count
-- total_pages
+- **total_count** (integer): Total number of projects matching the filter
+- **total_pages** (integer): Total number of pages

This makes it clearer what type each field is and improves usability for API consumers.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5a919c9 and 1312725.

📒 Files selected for processing (1)

• docs/api/projects.md

🧰 Additional context used

🪛 Gitleaks (8.30.0)

docs/api/projects.md

[high] 71-74: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

🔇 Additional comments (1)

docs/api/projects.md (1)

1-217: Comprehensive documentation with good examples and error coverage.

The documentation is well-structured, covers authentication differences between local and non-local environments, documents all query parameters with valid values and defaults, includes realistic example requests and responses, and provides concrete error examples. The pre-sync local development behavior note is a nice touch for developers setting up locally. All key aspects of the endpoint (pagination, filtering, ordering, rate limits, error handling) are addressed.

[arkid15r]

I added some formatting updates.
The major point though is that API docs needs to be kept within the code here --

Nest/backend/apps/api/rest/v0/project.py

Line 68 in 6ccd528

def list_projects(

in order to be parsed automatically by tools like Swagger.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[erick-cloudsec]

I added some formatting updates. The major point though is that API docs needs to be kept within the code here --

Nest/backend/apps/api/rest/v0/project.py

Line 68 in 6ccd528

def list_projects(

in order to be parsed automatically by tools like Swagger.

@arkid15r Are you saying that the API documentation should be a comment block inside the corresponding python file? I want to make sure I'm clear on what the desired end product should look like.

Thanks again for the patience as I try to work through things :-)

[arkid15r]

I added some formatting updates. The major point though is that API docs needs to be kept within the code here --

Nest/backend/apps/api/rest/v0/project.py

Line 68 in 6ccd528

def list_projects(

in order to be parsed automatically by tools like Swagger.

@arkid15r Are you saying that the API documentation should be a comment block inside the corresponding python file? I want to make sure I'm clear on what the desired end product should look like.

Thanks again for the patience as I try to work through things :-)

My recommendation is very high-level and doesn't carry any implementation specifics. The idea is having it all in a single place available via Swagger -- https://nest.owasp.org/api/v0/docs