@@ -539,11 +539,17 @@ <h3><a class="toc-backref" href="#toc-entry-2">19.0.2.1.0</a></h3>
539539< li > Auth middleware: replace the plain < tt class ="docutils literal "> HTTPBearer</ tt > scheme with an
540540OAuth2 client-credentials security scheme so the OpenAPI document
541541advertises the token endpoint and consumers (Swagger UI, QGIS, etc.)
542- can discover how to authenticate; strip the < tt class ="docutils literal "> Bearer</ tt > prefix from the
543- raw Authorization header value</ li >
544- < li > Bundle schemas: document < tt class ="docutils literal "> BundleEntry.resource</ tt > as a polymorphic
545- Individual/Group body instead of an opaque dict, so bundle payloads
546- are fully described in the OpenAPI document</ li >
542+ can discover how to authenticate. The advertised < tt class ="docutils literal "> tokenUrl</ tt > is
543+ absolutized against the endpoint’s mount path at generation time so
544+ strict RFC 3986 clients resolve it correctly. The < tt class ="docutils literal "> Bearer</ tt > prefix is
545+ stripped from the Authorization header when present; a raw token
546+ without the prefix is also accepted</ li >
547+ < li > Bundle schemas: registrant-serving endpoints document bundle entries
548+ as polymorphic Individual/Group bodies via new
549+ < tt class ="docutils literal "> RegistrantBundle</ tt > /< tt class ="docutils literal "> RegistrantBundleEntry</ tt > subtypes, so their
550+ payloads are fully described in the OpenAPI document; the shared
551+ < tt class ="docutils literal "> BundleEntry</ tt > stays generic because other modules reuse it for
552+ non-registrant resources</ li >
547553< li > Add OpenAPI contract tests covering bundle schema rendering, the
548554polymorphic utilities, and the overall OpenAPI document contract</ li >
549555</ ul >
0 commit comments