diff --git a/default/agents/codebase-explorer.md b/default/agents/codebase-explorer.md index 830c719b..a8d065a9 100644 --- a/default/agents/codebase-explorer.md +++ b/default/agents/codebase-explorer.md @@ -520,7 +520,6 @@ Login Request → AuthController → AuthService (validate credentials) → JwtS ### Related Areas to Explore - Session management: Currently stateless, consider `src/config/session.ts` if adding sessions -- Rate limiting: `src/middleware/rate-limit.middleware.ts` protects auth endpoints ### Potential Concerns Noticed - Refresh tokens stored in localStorage (XSS risk) - consider httpOnly cookies diff --git a/default/agents/security-reviewer.md b/default/agents/security-reviewer.md index 66c7d7e4..c31ea2e8 100644 --- a/default/agents/security-reviewer.md +++ b/default/agents/security-reviewer.md @@ -113,8 +113,6 @@ This reviewer focuses on: ### 4. API & Web Security - [ ] CSRF protection enabled -- [ ] CORS configured restrictively (not `*`) -- [ ] Rate limiting implemented - [ ] Security headers present (HSTS, X-Frame-Options, CSP) - [ ] No information disclosure in errors diff --git a/default/commands/write-plan.md b/default/commands/write-plan.md index 5d813b91..569cec9b 100644 --- a/default/commands/write-plan.md +++ b/default/commands/write-plan.md @@ -16,7 +16,7 @@ Create a comprehensive implementation plan for a feature, with exact file paths, | Argument | Required | Description | |----------|----------|-------------| -| `feature-name` | Yes | Descriptive name for the feature (e.g., "user-authentication", "payment-webhooks", "api-rate-limiting") | +| `feature-name` | Yes | Descriptive name for the feature (e.g., "user-authentication", "payment-webhooks", "email-notifications") | ## Examples diff --git a/default/skills/release-guide-info/SKILL.md b/default/skills/release-guide-info/SKILL.md index e055fc22..5c1d3620 100644 --- a/default/skills/release-guide-info/SKILL.md +++ b/default/skills/release-guide-info/SKILL.md 
@@ -271,7 +271,7 @@ From the diff, identify: | **Messaging** | Topics, payloads, headers, idempotency, ordering | | **Config/Env** | New vars, changed defaults | | **Auth** | Permissions, roles, tokens | -| **Performance** | Rate-limits, timeouts, retries | +| **Performance** | Timeouts, retries, connection pools | | **Dependencies** | Bumps with runtime behavior impact | | **Observability** | Logging, metrics, tracing changes | | **Operations** | Scripts, cron, job schedules | diff --git a/default/skills/subagent-driven-development/SKILL.md b/default/skills/subagent-driven-development/SKILL.md index 11f30327..0421d4c9 100644 --- a/default/skills/subagent-driven-development/SKILL.md +++ b/default/skills/subagent-driven-development/SKILL.md @@ -102,7 +102,7 @@ After final review passes: **Task 1:** Implement → All 3 reviewers PASS → Mark complete. -**Task 2:** Implement → Review finds: Critical (hardcoded secret), High (missing password reset, no rate limiting), Low (extract token logic) → Dispatch fix subagent → Re-run reviewers → All PASS → Add TODO for Low → Mark complete. +**Task 2:** Implement → Review finds: Critical (hardcoded secret), High (missing password reset, missing input validation), Low (extract token logic) → Dispatch fix subagent → Re-run reviewers → All PASS → Add TODO for Low → Mark complete. **Final:** All 3 reviewers PASS entire implementation → Done. diff --git a/default/skills/testing-agents-with-subagents/SKILL.md b/default/skills/testing-agents-with-subagents/SKILL.md index d547d723..abd975e1 100644 --- a/default/skills/testing-agents-with-subagents/SKILL.md +++ b/default/skills/testing-agents-with-subagents/SKILL.md 
@@ -156,7 +156,7 @@ Write/update agent definition addressing specific failures documented in RED pha **RED Failure:** Agent marked hardcoded password as MEDIUM instead of CRITICAL -**GREEN Fix:** Add severity calibration: CRITICAL (hardcoded secrets, SQL injection, auth bypass), HIGH (missing validation, error exposure), MEDIUM (rate limiting, verbose errors), LOW (headers, deps) +**GREEN Fix:** Add severity calibration: CRITICAL (hardcoded secrets, SQL injection, auth bypass), HIGH (missing validation, error exposure), MEDIUM (verbose errors, missing security headers), LOW (headers, deps) ### Re-run Tests diff --git a/dev-team/agents/backend-engineer-typescript.md b/dev-team/agents/backend-engineer-typescript.md index 569170b3..5620e84b 100644 --- a/dev-team/agents/backend-engineer-typescript.md +++ b/dev-team/agents/backend-engineer-typescript.md @@ -207,7 +207,6 @@ Invoke this agent when the task involves: - Worker threads for CPU-intensive operations - Stream processing for large datasets - Circuit breaker patterns with typed states -- Rate limiting with typed quota tracking - Graceful shutdown with cleanup handlers ### Serverless (AWS Lambda, Vercel, Cloudflare Workers) @@ -1100,7 +1099,6 @@ Coverage: 89.2% - Add password hashing integration - Implement email verification flow -- Add rate limiting to registration endpoint ``` ## What This Agent Does not Handle diff --git a/dev-team/agents/frontend-bff-engineer-typescript.md b/dev-team/agents/frontend-bff-engineer-typescript.md index 75e914d5..661f647a 100644 --- a/dev-team/agents/frontend-bff-engineer-typescript.md +++ b/dev-team/agents/frontend-bff-engineer-typescript.md 
@@ -751,7 +751,6 @@ Every BFF endpoint MUST document: | Response Types | Yes | Full TypeScript types | | Error Responses | Yes | All possible error codes | | Auth Requirements | Yes | Authentication needed | -| Rate Limits | If applicable | Requests per minute/hour | | Caching | If applicable | Cache duration | ### Type Export Responsibilities @@ -952,7 +951,6 @@ Coverage: 88.5% - Add caching layer for balance queries - Implement error handling middleware -- Add request rate limiting ``` ## What This Agent Does not Handle diff --git a/dev-team/agents/qa-analyst.md b/dev-team/agents/qa-analyst.md index 132aa4bb..326a77be 100644 --- a/dev-team/agents/qa-analyst.md +++ b/dev-team/agents/qa-analyst.md @@ -196,7 +196,6 @@ Invoke this agent when the task involves: - Request/response schema validation - Authentication and authorization testing - Error handling verification -- Rate limiting and throttling tests - API versioning compatibility tests ### End-to-End Testing diff --git a/dev-team/docs/standards/golang/quality.md b/dev-team/docs/standards/golang/quality.md index d407bd21..8c860a13 100644 --- a/dev-team/docs/standards/golang/quality.md +++ b/dev-team/docs/standards/golang/quality.md @@ -61,7 +61,7 @@ logger, tracer, _, _ := libCommons.NewTrackingFromContext(ctx) // CORRECT: Log with context correlation logger.Infof("Processing entity: %s", entityID) -logger.Warnf("Rate limit approaching: %d/%d", current, limit) +logger.Warnf("Connection pool low: %d/%d", current, limit) logger.Errorf("Failed to save entity: %v", err) ``` diff --git a/dev-team/docs/standards/sre.md b/dev-team/docs/standards/sre.md index 9dac5a9e..2975973c 100644 --- a/dev-team/docs/standards/sre.md +++ b/dev-team/docs/standards/sre.md 
@@ -71,7 +71,7 @@ This file defines the specific standards for Site Reliability Engineering and ob | Level | Usage | Examples | |-------|-------|----------| | **ERROR** | Failures requiring attention | Database connection failed, API error | -| **WARN** | Potential issues | Retry attempt, rate limit approaching | +| **WARN** | Potential issues | Retry attempt, connection pool low | | **INFO** | Normal operations | Request completed, user logged in | | **DEBUG** | Detailed debugging | Query parameters, internal state | | **TRACE** | Very detailed (rarely used) | Full request/response bodies | diff --git a/docs/coderabbit-instructions.md b/docs/coderabbit-instructions.md index d9249ecf..964c616f 100644 --- a/docs/coderabbit-instructions.md +++ b/docs/coderabbit-instructions.md @@ -202,8 +202,6 @@ async function processOrder(orderId) { #### API & Web Security - [ ] CSRF protection enabled -- [ ] CORS configured restrictively (not `*` in production) -- [ ] Rate limiting implemented - [ ] Security headers present (HSTS, X-Frame-Options, X-Content-Type-Options, CSP) - [ ] No information disclosure in error messages diff --git a/pm-team/commands/pre-dev-feature.md b/pm-team/commands/pre-dev-feature.md index 4724a669..9f40765c 100644 --- a/pm-team/commands/pre-dev-feature.md +++ b/pm-team/commands/pre-dev-feature.md @@ -27,7 +27,7 @@ Use the AskUserQuestion tool to gather: **Question 1:** "What is the name of your feature?" - Header: "Feature Name" - This will be used for the directory name -- Use kebab-case (e.g., "user-logout", "email-validation", "rate-limiting") +- Use kebab-case (e.g., "user-logout", "email-validation", "payment-webhooks") **Question 2 (CONDITIONAL):** "Does this feature require authentication or authorization?" - **Auto-detection:** Before asking, check if `go.mod` contains `github.com/LerianStudio/lib-auth` diff --git a/pm-team/skills/pre-dev-api-design/SKILL.md b/pm-team/skills/pre-dev-api-design/SKILL.md index b2dbbaf8..64403afc 100644 
--- a/pm-team/skills/pre-dev-api-design/SKILL.md +++ b/pm-team/skills/pre-dev-api-design/SKILL.md @@ -158,13 +158,13 @@ Proceed with standard naming conventions: |-------|------------| | **0. API Standards Discovery** | Check for organizational field naming standards (data dictionary); load from URL or file if provided; extract field conventions, types, validation patterns; save to `api-standards-ref.md` for reference throughout gate | | **1. Contract Analysis** | Load approved TRD (Gate 3), Feature Map (Gate 2), PRD (Gate 1); identify integration points from TRD component diagram; extract data flows | -| **2. Contract Definition** | Per interface: define operations, specify inputs/outputs, define errors, document events, set constraints (validation, rate limits), version contracts; **apply standards from Phase 0 if available** | +| **2. Contract Definition** | Per interface: define operations, specify inputs/outputs, define errors, document events, set constraints (validation), version contracts; **apply standards from Phase 0 if available** | | **3. Gate 4 Validation** | Verify all checkboxes in validation checklist before proceeding to Data Modeling | ## Explicit Rules ### ✅ DO Include -Operation names/descriptions, input parameters (name, type, required/optional, constraints), output structure (fields, types, nullable), error codes/descriptions, event types/payloads, validation rules, rate limits/quotas, idempotency requirements, auth/authz needs (abstract), versioning strategy +Operation names/descriptions, input parameters (name, type, required/optional, constraints), output structure (fields, types, nullable), error codes/descriptions, event types/payloads, validation rules, idempotency requirements, auth/authz needs (abstract), versioning strategy ### ❌ NEVER Include HTTP verbs (GET/POST/PUT), gRPC/GraphQL/WebSocket details, URL paths/routes, serialization formats (JSON/Protobuf), framework code, database queries, infrastructure, specific auth libraries 
@@ -221,7 +221,7 @@ If you catch yourself writing any of these in API Design, **STOP**: | **Data Specification** | All inputs typed and documented; required vs optional explicit; outputs complete; null/empty cases handled | | **Error Handling** | All scenarios identified; error codes/types defined; actionable messages; retry/recovery documented | | **Event Contracts** | All events named/described; payloads specified; ordering/delivery semantics documented; versioning defined | -| **Constraints & Policies** | Validation rules explicit; rate limits defined; timeouts specified; backward compatibility exists | +| **Constraints & Policies** | Validation rules explicit; timeouts specified; backward compatibility exists | | **Technology Agnostic** | No protocol specifics; no serialization formats; no framework names; implementable in any protocol | **Gate Result:** ✅ PASS (all checked) → Data Modeling | ⚠️ CONDITIONAL (remove protocol details) | ❌ FAIL (incomplete) @@ -267,7 +267,6 @@ Output to `docs/pre-dev/{feature-name}/api-design.md` with these sections: | **External System Contracts** | Operations exposed to us, operations we expose, per-operation details | | **Custom Type Definitions** | Per type: base type, format, constraints, example | | **Naming Conventions** | Operations (verb+noun), parameters (camelCase), events (past tense), errors (noun+condition) | -| **Rate Limiting & Quotas** | Per-operation limits table, quota policies, exceeded limit behavior | | **Backward Compatibility** | Breaking vs non-breaking changes, deprecation timeline | | **Testing Contracts** | Contract testing strategy, example test scenarios | | **Gate 4 Validation** | Date, validator, checklist, approval status | diff --git a/tw-team/agents/api-writer.md b/tw-team/agents/api-writer.md index 4a96bfa1..1032283e 100644 --- a/tw-team/agents/api-writer.md +++ b/tw-team/agents/api-writer.md 
@@ -308,7 +308,6 @@ Brief description of what this endpoint does. | 404 Not Found | Resource doesn't exist | | 409 Conflict | Resource state conflict | | 422 Unprocessable Entity | Invalid semantics | -| 429 Too Many Requests | Rate limit exceeded | | 500 Internal Server Error | Server error | ## Example Quality Standards diff --git a/tw-team/commands/write-api.md b/tw-team/commands/write-api.md index 2de99cde..b49c219e 100644 --- a/tw-team/commands/write-api.md +++ b/tw-team/commands/write-api.md @@ -140,7 +140,7 @@ Task tool: **Success:** 200 (GET/PUT), 201 (POST), 204 (DELETE) -**Errors:** 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), 409 (Conflict), 422 (Invalid), 429 (Rate Limited), 500 (Server Error) +**Errors:** 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), 409 (Conflict), 422 (Invalid), 500 (Server Error) ## Proceed diff --git a/tw-team/skills/writing-api-docs/SKILL.md b/tw-team/skills/writing-api-docs/SKILL.md index fdb02ab7..1affb1e8 100644 --- a/tw-team/skills/writing-api-docs/SKILL.md +++ b/tw-team/skills/writing-api-docs/SKILL.md @@ -106,7 +106,6 @@ API reference documentation describes what each endpoint does, its parameters, r | 404 | NOT_FOUND | Resource doesn't exist | Verify resource ID | | 409 | CONFLICT | Resource already exists | Use different identifier | | 422 | UNPROCESSABLE_ENTITY | Business rule violation | Check constraints | -| 429 | TOO_MANY_REQUESTS | Rate limit exceeded | Retry after delay | | 500 | INTERNAL_ERROR | Server error | Retry or contact support | --- 
@@ -115,7 +114,7 @@ API reference documentation describes what each endpoint does, its parameters, r **Success:** 200 (GET/PUT/PATCH), 201 (POST creates), 204 (DELETE) -**Client errors:** 400 (malformed), 401 (no auth), 403 (no permission), 404 (not found), 409 (conflict), 422 (invalid semantics), 429 (rate limit) +**Client errors:** 400 (malformed), 401 (no auth), 403 (no permission), 404 (not found), 409 (conflict), 422 (invalid semantics) **Server errors:** 500 (internal)
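Review bot: in the security-reviewer.md hunk at `@@ -113,8 +113,6 @@`, dropping `- [ ] CORS configured restrictively (not `*`)` goes beyond the rate-limiting cleanup the rest of this patch performs; a wildcard CORS origin is a distinct control from rate limiting, and none of the remaining items in that checklist (CSRF, security headers, error disclosure) covers it. Keep the CORS line and remove only `- [ ] Rate limiting implemented`, or say in the commit message why CORS is now out of scope for this reviewer. Also worth noting that the codebase-explorer.md example removed in the same patch described the rate-limit middleware as protecting auth endpoints, so removing the checklist item leaves brute-force protection of login paths unreviewed unless another agent owns it.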
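Review bot: the docs/coderabbit-instructions.md hunk at `@@ -202,8 +202,6 @@` has the same problem as the security-reviewer.md change: `- [ ] CORS configured restrictively (not `*` in production)` is unrelated to rate limiting and has no replacement in the surviving checklist. Suggest reverting that one line so the two checklists stay aligned and CORS coverage is not lost in an unrelated cleanup.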
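Review bot: the testing-agents-with-subagents/SKILL.md hunk at `@@ -156,7 +156,7 @@` introduces a contradiction in the severity calibration it is meant to teach: MEDIUM now lists `missing security headers` while the unchanged LOW bucket on the same line still lists `headers`, so the same finding is assigned two severities. Pick one bucket, either drop `headers` from LOW or choose a different MEDIUM example, so the GREEN fix does not itself fail the calibration test it addresses.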
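Review bot: in the tw-team/agents/api-writer.md hunk at `@@ -308,7 +308,6 @@`, removing `| 429 Too Many Requests | Rate limit exceeded |` from the status-code table makes the reference incomplete rather than simpler: the table documents HTTP response codes a client must handle, not features the documented service implements, and an API fronted by a gateway can return 429 even when the service itself has no throttling. Suggest keeping the 429 row in this table, since it is a standard status like the 409 and 422 rows around it.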
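Review bot: the tw-team/commands/write-api.md hunk at `@@ -140,7 +140,7 @@` removes `429 (Rate Limited)` from the **Errors** list while the success codes and all other client errors are unchanged; if 429 stays in the status-code tables in api-writer.md and writing-api-docs/SKILL.md, this list should keep it as well so the command and the agent it drives agree on the set of documented error codes.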
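Review bot: the tw-team/skills/writing-api-docs/SKILL.md hunk at `@@ -106,7 +106,6 @@` also drops the only row whose client action column tells the caller to back off (`Retry after delay`); the surviving 500 row says `Retry or contact support`, so a doc generated from this table gives clients no guidance for a 429. Keep `| 429 | TOO_MANY_REQUESTS | Rate limit exceeded | Retry after delay |`, and if that row stays, the matching `429 (rate limit)` entry in the `@@ -115,7 +114,7 @@` hunk of the same file should stay too.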
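Review bot: the dev-team/agents/qa-analyst.md hunk at `@@ -196,7 +196,6 @@` removes `- Rate limiting and throttling tests`, which was the only item in that API testing list covering behavior when requests are rejected for volume; the remaining items (schema validation, authn/authz, error handling, versioning) do not name it. If the rationale is that rate limiting is no longer a product feature, consider keeping a narrower item for throttling responses the system receives from dependencies, or record in the commit message why that test class is out of scope.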
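Review bot: in the dev-team/agents/frontend-bff-engineer-typescript.md hunk at `@@ -751,7 +751,6 @@`, the removed `| Rate Limits | If applicable | Requests per minute/hour |` row was already conditional, so deleting it does not simplify endpoints without limits; it only removes the place to document limits where they exist. The `| Caching | If applicable | Cache duration |` row with the same qualifier is kept, so for consistency either keep both conditional rows or explain why caching remains a documentation requirement and rate limits do not.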
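Review bot: style point on the pm-team/skills/pre-dev-api-design/SKILL.md hunk at `@@ -158,13 +158,13 @@`: after removing `rate limits`, the Phase 2 row reads `set constraints (validation)`, a parenthetical with a single item; `set validation constraints` reads more naturally and matches the `validation rules` wording used in the DO Include list two lines below. The rest of the hunk and the `@@ -221` / `@@ -267` hunks in this file are consistent with each other (rate limits removed from the checklist row and from the output section table together).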