Skip to content

improve(api-security): add cursor tenant-isolation review gates#2701

Closed
brohebot wants to merge 1 commit into
UnitOneAI:mainfrom
brohebot:improve/api-security-cursor-isolation-gates
Closed

improve(api-security): add cursor tenant-isolation review gates#2701
brohebot wants to merge 1 commit into
UnitOneAI:mainfrom
brohebot:improve/api-security-cursor-isolation-gates

Conversation

@brohebot

Copy link
Copy Markdown

Closes #2649

Tightened the api-security skill around cursor-based pagination reviews so it is a little more precise and a little harder to game.

What changed:

  • added BOLA checklist coverage for cursor replay across tenant and filter boundaries
  • added a benign exception so opaque cursors that are revalidated server-side do not get flagged by default
  • added remediation guidance and a regression expectation for cross-tenant cursor replay after auth or membership changes
  • called out cursor scope checks in the main SKILL flow and common pitfalls

Validation:

  • ruby scripts/validate_skill_schema.rb
  • git diff --check

@brohebot brohebot requested a review from kamalsrini as a code owner June 16, 2026 12:23
@github-actions github-actions Bot added the needs-approved-issue PR has no linked maintainer-approved issue label Jun 16, 2026
@github-actions

Copy link
Copy Markdown

Thanks for the submission! 🙏 SecuritySkills is now issue-first: contributions need a linked issue that a maintainer has marked approved before a PR is opened.

Please open an issue describing the skill, wait for the approved label, then reopen this PR with Closes #<issue> in the description. The PR template lists everything we'll look for (including an independently runnable reproduction).

@github-actions github-actions Bot closed this Jun 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-approved-issue PR has no linked maintainer-approved issue

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[REVIEW] api-security: add pagination cursor tenant isolation gates

2 participants