refactor: remove rate limiting and CORS references

Removes all rate limiting and CORS references across agents, skills, commands, and standards. These features had no dedicated standard — only scattered checklist items and examples. Cleans up 17 files including security-reviewer checklist, API doc status codes, severity examples, and log examples.

X-Lerian-Ref: 0x1
This commit is contained in:
Jefferson Rodrigues 2026-02-07 20:19:34 -03:00
parent 9717361f7e
commit 5f4f8afd63
No known key found for this signature in database
GPG key ID: AA71953BB5EA0A66
17 changed files with 12 additions and 25 deletions

@ -520,7 +520,6 @@ Login Request → AuthController → AuthService (validate credentials) → JwtS
### Related Areas to Explore
- Session management: Currently stateless, consider `src/config/session.ts` if adding sessions
- Rate limiting: `src/middleware/rate-limit.middleware.ts` protects auth endpoints
### Potential Concerns Noticed
- Refresh tokens stored in localStorage (XSS risk) - consider httpOnly cookies

@ -113,8 +113,6 @@ This reviewer focuses on:
### 4. API & Web Security
- [ ] CSRF protection enabled
- [ ] CORS configured restrictively (not `*`)
- [ ] Rate limiting implemented
- [ ] Security headers present (HSTS, X-Frame-Options, CSP)
- [ ] No information disclosure in errors
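Review bot: Dropping `CORS configured restrictively (not `*`)` and `Rate limiting implemented` from the API & Web Security checklist removes two controls that this checklist verified without needing a dedicated standard, so the reviewer agent loses coverage of permissive-CORS and brute-force/abuse checks rather than gaining consistency. The items that remain (CSRF, security headers, error disclosure) are exactly the same kind of checklist-only control, so the "no dedicated standard" rationale in the commit message applies to them too. If these two are meant to be out of scope for this reviewer, say where they are verified instead; otherwise keep the items and add the missing standard in a follow-up.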

@ -16,7 +16,7 @@ Create a comprehensive implementation plan for a feature, with exact file paths,
| Argument | Required | Description |
|----------|----------|-------------|
| `feature-name` | Yes | Descriptive name for the feature (e.g., "user-authentication", "payment-webhooks", "api-rate-limiting") |
| `feature-name` | Yes | Descriptive name for the feature (e.g., "user-authentication", "payment-webhooks", "email-notifications") |
## Examples

@ -271,7 +271,7 @@ From the diff, identify:
| **Messaging** | Topics, payloads, headers, idempotency, ordering |
| **Config/Env** | New vars, changed defaults |
| **Auth** | Permissions, roles, tokens |
| **Performance** | Rate-limits, timeouts, retries |
| **Performance** | Timeouts, retries, connection pools |
| **Dependencies** | Bumps with runtime behavior impact |
| **Observability** | Logging, metrics, tracing changes |
| **Operations** | Scripts, cron, job schedules |
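Review bot: Moving rate limits out of the diff-review categories entirely, rather than to the **Auth** row, means a diff that loosens or removes throttling on login or token endpoints no longer matches any category the reviewer is told to look for. Since the rest of the row was reworded anyway, consider `| **Auth** | Permissions, roles, tokens, throttling on auth endpoints |` so the security-relevant case is still caught even though the performance row no longer lists it.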

@ -102,7 +102,7 @@ After final review passes:
**Task 1:** Implement → All 3 reviewers PASS → Mark complete.
**Task 2:** Implement → Review finds: Critical (hardcoded secret), High (missing password reset, no rate limiting), Low (extract token logic) → Dispatch fix subagent → Re-run reviewers → All PASS → Add TODO for Low → Mark complete.
**Task 2:** Implement → Review finds: Critical (hardcoded secret), High (missing password reset, missing input validation), Low (extract token logic) → Dispatch fix subagent → Re-run reviewers → All PASS → Add TODO for Low → Mark complete.
**Final:** All 3 reviewers PASS entire implementation → Done.

@ -156,7 +156,7 @@ Write/update agent definition addressing specific failures documented in RED pha
**RED Failure:** Agent marked hardcoded password as MEDIUM instead of CRITICAL
**GREEN Fix:** Add severity calibration: CRITICAL (hardcoded secrets, SQL injection, auth bypass), HIGH (missing validation, error exposure), MEDIUM (rate limiting, verbose errors), LOW (headers, deps)
**GREEN Fix:** Add severity calibration: CRITICAL (hardcoded secrets, SQL injection, auth bypass), HIGH (missing validation, error exposure), MEDIUM (verbose errors, missing security headers), LOW (headers, deps)
### Re-run Tests
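Review bot: The new calibration line puts `missing security headers` in MEDIUM while the unchanged LOW tier still lists `headers`, so the same finding now maps to two severities and the agent under test has no single correct answer. Pick one tier and remove the term from the other, for example keep `MEDIUM (verbose errors, missing security headers)` and change the tail to `LOW (deps)`.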

@ -207,7 +207,6 @@ Invoke this agent when the task involves:
- Worker threads for CPU-intensive operations
- Stream processing for large datasets
- Circuit breaker patterns with typed states
- Rate limiting with typed quota tracking
- Graceful shutdown with cleanup handlers
### Serverless (AWS Lambda, Vercel, Cloudflare Workers)
@ -1100,7 +1099,6 @@ Coverage: 89.2%
- Add password hashing integration
- Implement email verification flow
- Add rate limiting to registration endpoint
```
## What This Agent Does not Handle
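Review bot: Removing `Add rate limiting to registration endpoint` from the example next-steps list leaves the registration flow with no abuse-protection follow-up, and the `## What This Agent Does not Handle` section immediately below is the natural place to record that. A one-line entry there stating that request throttling is out of scope for this agent tells readers of the example that the concern was delegated, not forgotten.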

@ -751,7 +751,6 @@ Every BFF endpoint MUST document:
| Response Types | Yes | Full TypeScript types |
| Error Responses | Yes | All possible error codes |
| Auth Requirements | Yes | Authentication needed |
| Rate Limits | If applicable | Requests per minute/hour |
| Caching | If applicable | Cache duration |
### Type Export Responsibilities
@ -952,7 +951,6 @@ Coverage: 88.5%
- Add caching layer for balance queries
- Implement error handling middleware
- Add request rate limiting
```
## What This Agent Does not Handle

@ -196,7 +196,6 @@ Invoke this agent when the task involves:
- Request/response schema validation
- Authentication and authorization testing
- Error handling verification
- Rate limiting and throttling tests
- API versioning compatibility tests
### End-to-End Testing

@ -61,7 +61,7 @@ logger, tracer, _, _ := libCommons.NewTrackingFromContext(ctx)
// CORRECT: Log with context correlation
logger.Infof("Processing entity: %s", entityID)
logger.Warnf("Rate limit approaching: %d/%d", current, limit)
logger.Warnf("Connection pool low: %d/%d", current, limit)
logger.Errorf("Failed to save entity: %v", err)
```

@ -71,7 +71,7 @@ This file defines the specific standards for Site Reliability Engineering and ob
| Level | Usage | Examples |
|-------|-------|----------|
| **ERROR** | Failures requiring attention | Database connection failed, API error |
| **WARN** | Potential issues | Retry attempt, rate limit approaching |
| **WARN** | Potential issues | Retry attempt, connection pool low |
| **INFO** | Normal operations | Request completed, user logged in |
| **DEBUG** | Detailed debugging | Query parameters, internal state |
| **TRACE** | Very detailed (rarely used) | Full request/response bodies |

@ -202,8 +202,6 @@ async function processOrder(orderId) {
#### API & Web Security
- [ ] CSRF protection enabled
- [ ] CORS configured restrictively (not `*` in production)
- [ ] Rate limiting implemented
- [ ] Security headers present (HSTS, X-Frame-Options, X-Content-Type-Options, CSP)
- [ ] No information disclosure in error messages

@ -27,7 +27,7 @@ Use the AskUserQuestion tool to gather:
**Question 1:** "What is the name of your feature?"
- Header: "Feature Name"
- This will be used for the directory name
- Use kebab-case (e.g., "user-logout", "email-validation", "rate-limiting")
- Use kebab-case (e.g., "user-logout", "email-validation", "payment-webhooks")
**Question 2 (CONDITIONAL):** "Does this feature require authentication or authorization?"
- **Auto-detection:** Before asking, check if `go.mod` contains `github.com/LerianStudio/lib-auth`

@ -158,13 +158,13 @@ Proceed with standard naming conventions:
|-------|------------|
| **0. API Standards Discovery** | Check for organizational field naming standards (data dictionary); load from URL or file if provided; extract field conventions, types, validation patterns; save to `api-standards-ref.md` for reference throughout gate |
| **1. Contract Analysis** | Load approved TRD (Gate 3), Feature Map (Gate 2), PRD (Gate 1); identify integration points from TRD component diagram; extract data flows |
| **2. Contract Definition** | Per interface: define operations, specify inputs/outputs, define errors, document events, set constraints (validation, rate limits), version contracts; **apply standards from Phase 0 if available** |
| **2. Contract Definition** | Per interface: define operations, specify inputs/outputs, define errors, document events, set constraints (validation), version contracts; **apply standards from Phase 0 if available** |
| **3. Gate 4 Validation** | Verify all checkboxes in validation checklist before proceeding to Data Modeling |
## Explicit Rules
### ✅ DO Include
Operation names/descriptions, input parameters (name, type, required/optional, constraints), output structure (fields, types, nullable), error codes/descriptions, event types/payloads, validation rules, rate limits/quotas, idempotency requirements, auth/authz needs (abstract), versioning strategy
Operation names/descriptions, input parameters (name, type, required/optional, constraints), output structure (fields, types, nullable), error codes/descriptions, event types/payloads, validation rules, idempotency requirements, auth/authz needs (abstract), versioning strategy
### ❌ NEVER Include
HTTP verbs (GET/POST/PUT), gRPC/GraphQL/WebSocket details, URL paths/routes, serialization formats (JSON/Protobuf), framework code, database queries, infrastructure, specific auth libraries
@ -221,7 +221,7 @@ If you catch yourself writing any of these in API Design, **STOP**:
| **Data Specification** | All inputs typed and documented; required vs optional explicit; outputs complete; null/empty cases handled |
| **Error Handling** | All scenarios identified; error codes/types defined; actionable messages; retry/recovery documented |
| **Event Contracts** | All events named/described; payloads specified; ordering/delivery semantics documented; versioning defined |
| **Constraints & Policies** | Validation rules explicit; rate limits defined; timeouts specified; backward compatibility exists |
| **Constraints & Policies** | Validation rules explicit; timeouts specified; backward compatibility exists |
| **Technology Agnostic** | No protocol specifics; no serialization formats; no framework names; implementable in any protocol |
**Gate Result:** ✅ PASS (all checked) → Data Modeling | ⚠️ CONDITIONAL (remove protocol details) | ❌ FAIL (incomplete)
@ -267,7 +267,6 @@ Output to `docs/pre-dev/{feature-name}/api-design.md` with these sections:
| **External System Contracts** | Operations exposed to us, operations we expose, per-operation details |
| **Custom Type Definitions** | Per type: base type, format, constraints, example |
| **Naming Conventions** | Operations (verb+noun), parameters (camelCase), events (past tense), errors (noun+condition) |
| **Rate Limiting & Quotas** | Per-operation limits table, quota policies, exceeded limit behavior |
| **Backward Compatibility** | Breaking vs non-breaking changes, deprecation timeline |
| **Testing Contracts** | Contract testing strategy, example test scenarios |
| **Gate 4 Validation** | Date, validator, checklist, approval status |
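Review bot: Deleting the **Rate Limiting & Quotas** output section also deletes "exceeded limit behavior", which is a client-visible contract outcome rather than an implementation detail, and the **Error Handling** gate check in this same file still requires "All scenarios identified". If quota-exceeded is no longer documented as its own section, state in the **Error Handling** row that limit- or quota-exceeded errors belong among the defined error codes, so a contract that omits them cannot pass the gate by accident.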

@ -308,7 +308,6 @@ Brief description of what this endpoint does.
| 404 Not Found | Resource doesn't exist |
| 409 Conflict | Resource state conflict |
| 422 Unprocessable Entity | Invalid semantics |
| 429 Too Many Requests | Rate limit exceeded |
| 500 Internal Server Error | Server error |
## Example Quality Standards
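Review bot: The 429 row should stay in the status-code reference even if the organization has no rate-limiting standard, because `429 Too Many Requests` is a standard HTTP status (RFC 6585) that gateways, load balancers and third-party APIs return regardless of whether this service throttles. Without the row, a documentation template cannot describe a 429 that an endpoint actually emits; keeping `| 429 Too Many Requests | Request limit exceeded; honor Retry-After |` costs one line and does not commit the project to any rate-limiting standard.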

@ -140,7 +140,7 @@ Task tool:
**Success:** 200 (GET/PUT), 201 (POST), 204 (DELETE)
**Errors:** 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), 409 (Conflict), 422 (Invalid), 429 (Rate Limited), 500 (Server Error)
**Errors:** 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), 409 (Conflict), 422 (Invalid), 500 (Server Error)
## Proceed

@ -106,7 +106,6 @@ API reference documentation describes what each endpoint does, its parameters, r
| 404 | NOT_FOUND | Resource doesn't exist | Verify resource ID |
| 409 | CONFLICT | Resource already exists | Use different identifier |
| 422 | UNPROCESSABLE_ENTITY | Business rule violation | Check constraints |
| 429 | TOO_MANY_REQUESTS | Rate limit exceeded | Retry after delay |
| 500 | INTERNAL_ERROR | Server error | Retry or contact support |
---
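Review bot: The removed `429 | TOO_MANY_REQUESTS` row was the only row in this table whose action column told integrators to back off and retry after a delay, and the hunk below drops 429 from the client-error summary as well. Clients of these APIs will still see 429 from upstream gateways and cloud load balancers even when the service itself does not throttle, so consider keeping the row with its `Retry after delay` guidance as a generic client-error entry rather than tying its presence to a rate-limiting standard.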
@ -115,7 +114,7 @@ API reference documentation describes what each endpoint does, its parameters, r
**Success:** 200 (GET/PUT/PATCH), 201 (POST creates), 204 (DELETE)
**Client errors:** 400 (malformed), 401 (no auth), 403 (no permission), 404 (not found), 409 (conflict), 422 (invalid semantics), 429 (rate limit)
**Client errors:** 400 (malformed), 401 (no auth), 403 (no permission), 404 (not found), 409 (conflict), 422 (invalid semantics)
**Server errors:** 500 (internal)