fix: align demo with External API docs & flow; cover all endpoints#1
Merged
Conversation
Fixes the QA-report demo findings and brings the CLI, examples, and docs in line
with the lexselect OpenAPI contract.
Upload flow (S2-01/02/03/05):
- Send content_hash_sha256 (hex) on completion in all three clients (Go CLI, TS,
Python) — the API now requires and verifies it against the uploaded bytes.
- Send x-amz-checksum-sha256 (base64) on the S3 PUT so the server can verify
integrity from object metadata.
- TS/Python now send the inferred Content-Type, not application/octet-stream.
Go CLI:
- root: stop using the loaded API key as the --api-key flag default (S2-06 — it
leaked the key in --help and on usage errors). Flags now override env/.env.
- config: find .env by walking up from the CWD, not only the CWD (S2-09).
- list: register the --flat flag that was read but never defined (S2-07).
- upload: comma-ok type assertions on the create response (S2-14); add a
--single-request flag for POST /documents/upload.
- new commands: parse (GET /documents/{id}/parse) and render
(GET /documents/{id}/render) — closes the S2-11/S2-13 coverage gaps. The CLI
now exercises every API endpoint.
Docs:
- README + cli/README describe every endpoint, the corrected 3-step and
single-request upload flows, the error model (RFC 9457 + X-Request-Id, limit
reject-not-clamp), the server-to-server/no-CORS note, and the local-dev TLS caveat.
- notebook: stop referencing a missing sample.pdf, clarify the page-scoped `total`
(S2-15), and add a parse + render demonstration.
Verified: go build / vet / gofmt clean; CLI --help no longer prints the API key;
parse and render commands registered.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Author
|
Update — now verified end-to-end against a local stack (the earlier "couldn't run e2e" note was during a window where the worker was down). Ran the built CLI against the live API with a real processed document and a real upload:
Both upload flows complete, so the |
Contributor
Author
|
@specialistvlad — requesting your review since this is your repo (and your QA report surfaced these). This PR closes the demo-repo findings from the 2026-05-28 External API QA report:
Verified end-to-end against a local stack — every command runs green (see the verification comment above). Over to you for the repo-owner review. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Brings the demo in line with the LexSelect External API contract and fixes the QA-report demo findings (S2-*). The CLI now exercises every API endpoint and the docs describe all of them.
Upload flow — the headline fix (S2-01/02/03/05)
The upload happy path was broken in all three clients: they never sent
content_hash_sha256, which the API requires and now verifies.PUT /documents/{id}), and base64 asx-amz-checksum-sha256on the S3 PUT so the server verifies integrity from object metadata.application/octet-stream(the S3 signature requires the matching type).Go CLI
root.go— stop using the loaded API key as the--api-keyflag default. It was leaked verbatim in--helpand on usage errors (S2-06, the most security-sensitive finding). Flags now override env/.envviaPersistentPreRun.config.go— find.envby walking up from the CWD, so a repo-root.envworks when run fromcli/(S2-09).list.go— register the--flatflag that was read but never defined (S2-07).upload.go— comma-ok type assertions on the create response (S2-14); add--single-requestfor the multipartPOST /documents/upload.parse(GET /documents/{id}/parse) andrender(GET /documents/{id}/render) — closes the S2-11/S2-13 coverage gaps.Examples
/parsefetch; documents the local-dev TLS caveat (S2-04).sample.pdf(S2-10), clarifies the page-scopedtotal(S2-15), and adds aparse+renderdemonstration.Docs
README.md+cli/README.mdnow document every endpoint (table), the corrected 3-step and single-request flows, the RFC 9457 error model (X-Request-Id,limitreject-not-clamp), the server-to-server / no-CORS stance, and the local-dev TLS caveat.Verification
go build/go vet/gofmt -lall clean.--helpno longer prints the API key (verified with a fake secret: 0 occurrences).parseandrendercommands registered and listed.🤖 Generated with Claude Code