@W-22726280 API Browser custom API paths and security-scheme type detection

[clavery]

Summary

• Custom APIs: rewrite path keys to include the runtime /organizations/{organizationId} prefix and inject the matching path parameter so Swagger UI displays — and "Try it out" calls — the correct URL. The platform routes Custom APIs as …/custom/{apiName}/{apiVersion}/organizations/{organizationId}/{userPath} but the spec stored by the schemas service only describes the developer-authored {userPath} portion.
• Shopper/Admin detection: replace the apiFamily.startsWith('shopper') heuristic with security-scheme detection (ShopperToken / ShopperTokenTaob → Shopper; AmOAuth2 / BearerToken → Admin), with apiName.startsWith('shopper-') as the tiebreaker for mixed specs and a fallback to the old name/family heuristic for unrecognized schemes. This fixes token selection for shopper-named APIs that live under non-shopper families (product/shopper-products, checkout/shopper-baskets, …) and for Custom APIs which can be either type.
• Tree tooltip: now labels Custom APIs as (Custom) and uses the corrected name-based heuristic for the rest, since authoritative classification requires the loaded spec.

Validated against all 69 schemas on a live tenant: 31 reclassifications, all justified by the actual declared security scheme.

Related

• Fixes VS Code API Browser: Custom APIs missing organization prefix #453
• GUS: W-22726280

Test plan

• New unit tests for `detectApiType` (8 scenarios) and `injectCustomApiOrgPathPrefix` (4 scenarios)
• `pnpm --filter b2c-vs-extension run test` — 78 passing
• `pnpm --filter b2c-vs-extension run typecheck:agent`
• `pnpm --filter b2c-vs-extension run lint:agent`
• `pnpm --filter b2c-vs-extension run format:check`
• Manual smoke: open a Custom API and a standard SCAPI shopper API in the API Browser, confirm paths render with `/organizations/{organizationId}/...` and the auto-fetched token matches the API type.