docs: fix ~40 API correctness defects across the docs set#285
Merged
Conversation
Follow-up to the App Actions V3 return-shape fix (#284). A full audit of the API/REST doc tree against source found the same bug class recurring: documented example code that throws or silently misbehaves. HIGH (example code throws / wrong data): - core/organizations.md: Settings examples used singular Fliplet.Organization (namespace is plural Fliplet.Organizations) -> TypeError - fliplet-content.md: query() filter passed at top level, lib reads where.content -> filter silently ignored, returns ALL entries - fliplet-datasources.md: subscribe() callback threw on update-only changes; guarded the optional inserted/updated/deleted keys - v3/auth.md: dataSource.validate example omitted the required match column -> 400 - components/record-container.md: removed 4 non-existent instance props; hook payload key vm -> instance (matches source) - components/dynamic-container.md: removed non-existent container.load(); get() is by id not name - fliplet-table.md: search event is search:change {term,data}; removed sort:change/row:click/page:change (never fired) - helpers/references/fields.md: item.get() -> item.field('name').get() - fliplet-ui-panzoom.md: marker.vars is a property, not marker.vars() MED/LOW: oauth2 grantType implicit->token and Returns-null fix; encryption getKey resolves the key string not {key}; datasources upload folderId (not mediaFolderId) and delete-query returns entries not a count; notifications instance.remove; ui-typeahead returns Array; ui-actions/ui-timerange copy-paste fixes; router no-session reason code; gamify dependency name; payments webhook URL path; like-buttons title; biometrics return values; helpers views type + ready() syntax; v3 analytics _route/_pageTitle; csv malformed example; REST status codes (apps publish 201, ds entry 200) and a copy-pasted analytics heading. Security: v3/auth.md sendValidation's false "no information leak / 204 regardless" claim removed (the standard flow actually rejects unknown emails with 400). Reworded to the success contract only, without documenting the distinguisher. The underlying enumeration divergence is raised separately for engineering. Regenerated the .well-known AI indexes (llms.txt, llms-full.txt, agent-skills, mcp, v3 catalog) so the LLM-facing index reflects these fixes and the already-merged #284 changes. All fixes verified against fliplet-api / widget source at master. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Follow-up to #284 (App Actions V3 return-shape fix). Yuliia Kovalenko's finding turned out to be one instance of a recurring bug class, so the entire
API/+REST-API/doc tree (144 verifiable pages) was audited against source. ~40 confirmed discrepancies fixed here. Each was re-verified againstfliplet-api/widget source atmasterbefore editing; nothing was changed on a guess.Full audit report:
AUDIT/audits/docs-correctness-audit-2026-06-30.md.HIGH — documented example threw or returned wrong data
Fliplet.Organization(namespace is pluralFliplet.Organizations) →TypeError.query()example passed the filter at top level; the lib readswhere.content, so the filter was silently ignored and ALL entries returned. Now nested underwhere.subscribe()callback accessedchanges.inserted.lengthetc. unconditionally; threw on update-only changes. Guarded.dataSource.validateexample omitted the required match column → HTTP 400.vm→instance.container.load();get()is by id, not name.searchevent is actuallysearch:change{term,data}; removedsort:change/row:click/page:change(never fired in source).item.get()→item.field('name').get().marker.varsis a property, notmarker.vars().MED / LOW
oauth2
grantType: 'implicit'→'token'and the "Returns null" fix; encryptiongetKey()resolves the key string (not{key}); datasources uploadfolderId(notmediaFolderId) and delete-query resolves entries (not a count); notificationsinstance.remove; ui-typeahead returns Array; ui-actions/ui-timerange copy-paste fixes; routerno-sessionreason code; gamify dependency name; payments webhook URL path; like-buttons title; biometrics return values; helpersviewstype +ready()syntax; v3 analytics_route/_pageTitle; csv malformed example literal; REST status codes (apps publish 201, data-source entry 200) and a copy-pasted analytics heading.Security
v3/auth.mdsendValidationcarried a false "no information leak / returns 204 regardless of whether the email exists" claim. The standard (non-domain) flow actually rejects an unknown email with a 400. The false claim is removed and reworded to the success contract only, deliberately without documenting the distinguisher (so the doc doesn't hand out an enumeration recipe). The underlying implementation divergence (likely email-enumeration oracle) is being raised separately for engineering, not addressed here.AI indexes
Regenerated
.well-known/{llms.txt,llms-full.txt,agent-skills,mcp,llms-v3-libraries.json}+v3/capabilities.mdviabin/build-agent-indexes.mjsso the LLM-facing index reflects these fixes (it also folds in #284, which never regenerated the index).check:docs --strictpasses.Not in this PR (follow-ups)
fliplet-media media.js:464:images.push = imageInfo;(should beimages.push(imageInfo)) — overwrites the array'spushin the native getCachedImages path. Needs a Jira ticket + code fix.sendValidationemail-enumeration divergence above.Docs-only; auto-deploys to developers.fliplet.com via Cloudflare Pages on merge.
🤖 Generated with Claude Code