Make hub discovery public

Test/Main.hs

@@ -3,7 +3,9 @@ module Main where
 import Test.Hspec
 import IHP.Prelude
 import qualified Test.Architecture.LayerBoundarySpec as LayerBoundary
-import Data.Aeson (object, toJSON, (.=))
+import Data.Aeson (Value(..), object, toJSON, (.=))
+import qualified Data.Aeson.Key as K
+import qualified Data.Aeson.KeyMap as KM
 import Web.Controller.Api.V2.InteractionEvents
     ( declaredEventTypeNames, manifestAllowsEvent, metadataFromJsonBody
     , metadataParamOrEmpty
@@ -14,6 +16,7 @@ import Web.Controller.Api.V2.Hubs
 import Web.Controller.Api.V2.HubCapabilityManifests
     ( jsonArrayTexts, textArrayFieldFromJsonBody )
 import Web.Controller.Api.V2.ApiConsumers (positiveLimit)
+import Web.Controller.Api.V2.OpenApi (buildPaths)
 import Web.Controller.Api.V2.Widgets (missingWidgetCreateFields, validWidgetStatus)
 
 main :: IO ()
@@ -108,4 +111,24 @@ main = hspec do
             positiveLimit 0 `shouldBe` False
             positiveLimit (-1) `shouldBe` False
 
+    describe "API v2 OpenAPI auth contract" do
+        it "documents unauthenticated hub discovery for bootstrap clients" do
+            openApiOperationSecurity "/hubs" "get" buildPaths
+                `shouldBe` Just (toJSON ([] :: [Value]))
+
+        it "keeps hub creation authenticated" do
+            openApiOperationSecurity "/hubs" "post" buildPaths
+                `shouldBe` Just (toJSON [object ["BearerAuth" .= ([] :: [Text])]])
+
+        it "marks public vocabulary registries as unauthenticated" do
+            openApiOperationSecurity "/policy-scopes" "get" buildPaths
+                `shouldBe` Just (toJSON ([] :: [Value]))
+
     LayerBoundary.spec
+
+openApiOperationSecurity :: Text -> Text -> Value -> Maybe Value
+openApiOperationSecurity path method (Object paths) = do
+    Object pathSpec <- KM.lookup (K.fromText path) paths
+    Object operation <- KM.lookup (K.fromText method) pathSpec
+    KM.lookup (K.fromText "security") operation
+openApiOperationSecurity _ _ _ = Nothing