feat(core): add asyncapi-operation-security-defined lint rule

[harshit078]

What/Why/How?

• Added asyncapi-operation-security-defined rule for AsyncAPI 2.x which reports when a security scheme referenced from an operation or server security array is not defined in ``components.securitySchemes.

Reference

#2667

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

Medium Risk
Adds a new built-in AsyncAPI rule and enables it by default in the recommended/all configs, which can introduce new lint failures for existing AsyncAPI specs when upgrading.

Overview
Adds a new built-in AsyncAPI 2.x rule (security-defined) that reports operations/servers referencing security schemes not present in components.securitySchemes, with new unit tests covering missing and valid references.

Updates default rulesets/config resolution outputs to include the rule (off/warn/error depending on spec/minimal/recommended), and extends the docs/sidebars and ruleset templates to document and surface the new AsyncAPI security validation rule.

^{Reviewed by Cursor Bugbot for commit c970602. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

🦋 Changeset detected

Latest commit: c970602

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@redocly/openapi-core	Minor
@redocly/cli	Minor
@redocly/respect-core	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vadyvas]

I would suggest a slightly different approach:

1. keep the AsyncAPI logic separate and do not reuse shared logic from the OAS rule
2. use the same rule name, security-defined, for AsyncAPI as well, and register the AsyncAPI implementation in the AsyncAPI ruleset
3. do not update the v1 docs in this PR

I think this would make the change smaller, clearer, and safer.

Thank you for the contribution, overall the PR looks good

[vadyvas]

left a few comments, could you take a look?

[vadyvas]

Please add support for AsyncAPI 3 as well. Right now the rule only applies to AsyncAPI2

[harshit078]

okay sure !

[vadyvas]

The code uses the rule name security-defined, but the docs still say asyncapi-operation-security-defined
Can you update related changes?

[vadyvas]

Please don’t add this rule to the v1 docs

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c970602. Configure here.}

[cursor]

AsyncAPI 3 remains unsupported

Medium Severity

This violates the PR discussion request to add AsyncAPI 3 support: security-defined is only registered for AsyncAPI 2, while async3Rules and builtInAsync3Rules omit it. AsyncAPI 3 documents won't run the new check.

 

^{Reviewed by Cursor Bugbot for commit c970602. Configure here.}

[cursor]

V1 docs were changed

Low Severity

This violates the PR discussion request to skip v1 docs: the new AsyncAPI rule was added to docs/@v1, including snippets that reference a non-existent asyncapi-operation-security-defined rule/page.

Additional Locations (2)

• docs/@v1/rules/ruleset-templates.md#L212-L213
• docs/@v1/rules/ruleset-templates.md#L441-L442

 

^{Reviewed by Cursor Bugbot for commit c970602. Configure here.}