improve: enhance api-architect with GraphQL, security, and scoped tooling#561

Merged: davila7 merged 1 commit into main from review/api-architect-2026-05-03 on May 3, 2026

@davila7 davila7 commented May 3, 2026

Owner

Automated Component Improvement

Changes

  • Rich description with trigger examples: Rewrote the one-line vague description with a proper multi-sentence description plus 3 <example>/<commentary> blocks covering GraphQL schema design, resilient REST client generation, and API-style selection — matching the pattern used by security-auditor and fullstack-developer.
  • Full GraphQL architecture section: Added SDL-first vs code-first design choice, resolver organisation by domain, DataLoader for N+1 elimination, query-depth limiting (max ≤ 10), query-complexity scoring, production introspection disabling, and Apollo Federation subgraph directives.
  • Removed "Code Interpreter" reference: Replaced the erroneous OpenAI-specific instruction with a directive to use the Write or Edit tool for file output.
  • Mandatory Security Checklist: New section covering TLS enforcement, input sanitisation, rate limiting, OWASP API Security Top 10 reference, auth scheme implementation (OAuth 2.0/API key/mTLS/JWT), REST security headers, and GraphQL-specific controls (introspection, depth/complexity limits, context-layer auth).
  • Scoped tool access: Removed Bash from tools; list is now Read, Grep, Glob, Edit, Write. Added permissionMode: acceptEdits.
  • API versioning and lifecycle guidance: REST versioning strategies (URL path / header / query param) with deprecation header; GraphQL @deprecated directive lifecycle rule.
  • New frontmatter fields: Added model: sonnet and color: blue.

Research Summary

The original component had a narrow REST-only scope despite living in the api-graphql category, a vague description that provided no delegation signal, an erroneous "Code Interpreter" reference, and no security guidance. The improvements expand the scope to match the category, make the agent delegatable through concrete examples, and enforce security as a first-class concern.

Validation

  • component-reviewer: PASSED (all required fields present, kebab-case naming, no hardcoded secrets, no absolute paths, no Bash in tools)

Automated review cycle by Component Improvement Loop


Summary by cubic

Enhanced the api-architect component with full GraphQL guidance, a mandatory security checklist, API versioning rules, and scoped tooling to produce safer, more robust API designs and code.

  • Area: components (cli-tool/components/); modified agents/api-graphql/api-architect.md. No new components; catalog (docs/components.json) regen not needed. No new environment variables or secrets.
  • Added GraphQL architecture guidance: SDL vs code-first, domain-based resolvers with DataLoader, query depth/complexity limits, production introspection off, and Apollo Federation support.
  • Introduced a mandatory security checklist for REST and GraphQL: TLS, input validation, rate limiting, auth schemes (OAuth 2.0/API key/mTLS/JWT), REST security headers, and context-layer auth.
  • Scoped tooling and generation: removed Bash; tools are Read, Grep, Glob, Edit, Write; added permissionMode: acceptEdits; replaced “Code Interpreter” reference with Write/Edit usage; clarified “say 'generate' before code” rule.
  • Added API versioning and lifecycle guidance (REST path/header/query strategies with deprecation headers; GraphQL @deprecated directive), plus new frontmatter fields model: sonnet and color: blue.

Written for commit ca3296b. Summary will update on new commits.
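
An added example, not part of this PR and not the project's component-reviewer: a minimal frontmatter audit covering the validation checks named above (required fields, kebab-case name, no Bash in tools, no absolute paths). The required-field set, the absolute-path heuristic and the sample frontmatter are assumptions constructed for illustration.

```python
import re

# Constructed sample: frontmatter modelled on the fields this PR names.
SAMPLE_SCOPED = """---
name: api-architect
description: Designs REST and GraphQL APIs.
tools: Read, Grep, Glob, Edit, Write
permissionMode: acceptEdits
model: sonnet
color: blue
---
Agent body.
"""
# Constructed failing variant: shell access granted and a non-kebab name.
SAMPLE_BROAD = SAMPLE_SCOPED.replace("Edit, Write", "Edit, Write, Bash").replace(
    "name: api-architect", "name: API_Architect")

REQUIRED = ("name", "description", "tools")  # assumption: minimal required set
SHELL_TOOLS = {"Bash"}                       # tools that grant command execution
KEBAB = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")
# Assumption: a simple heuristic for Unix and Windows absolute paths.
ABS_PATH = re.compile(r"(?:^|\s)(?:/(?:home|Users|etc|var)/|[A-Za-z]:\\)")

def parse_frontmatter(text):
    """Return the key/value pairs between the leading '---' fences."""
    m = re.match(r"---\n(.*?)\n---\n", text, re.S)
    if not m:
        raise ValueError("no frontmatter block")
    fields = {}
    for line in m.group(1).splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(text):
    """Return a sorted list of findings; an empty list means the file passes."""
    fields = parse_frontmatter(text)
    findings = [f"missing field: {k}" for k in REQUIRED if not fields.get(k)]
    name = fields.get("name", "")
    if name and not KEBAB.fullmatch(name):
        findings.append(f"name not kebab-case: {name}")
    tools = {t.strip() for t in fields.get("tools", "").split(",") if t.strip()}
    findings += [f"shell-capable tool granted: {t}" for t in tools & SHELL_TOOLS]
    if ABS_PATH.search(text):
        findings.append("absolute path in component")
    return sorted(findings)
```
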

…ling

- Rewrote description with 3 trigger examples using <example>/<commentary> tags
- Expanded scope to cover full GraphQL architecture: SDL-first vs code-first,
  resolver pattern, DataLoader for N+1 prevention, federation, persisted queries,
  query depth/complexity limiting, and production introspection disabling
- Removed erroneous "Code Interpreter" reference; replaced with Write/Edit tool instruction
- Added mandatory Security Checklist section covering TLS, auth schemes, rate limiting,
  OWASP API Security Top 10, and GraphQL-specific controls
- Removed Bash from tools (Read, Grep, Glob, Edit, Write only); added permissionMode: acceptEdits
- Added API versioning and lifecycle guidance (URL/header/query-param for REST,
  @deprecated directive lifecycle for GraphQL)
- Added model: sonnet and color: blue frontmatter fields

Automated review cycle | Co-Authored-By: Claude Code <noreply@anthropic.com>

vercel Bot commented May 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| aitmpl-dashboard | Ready | Preview, Comment | May 3, 2026 8:30pm |
| claude-code-templates | Ready | Preview, Comment | May 3, 2026 8:30pm |

@github-actions github-actions Bot added the review-pending Component PR awaiting maintainer review label May 3, 2026

github-actions Bot commented May 3, 2026

Contributor

👋 Thanks for contributing, @davila7!

This PR touches cli-tool/components/** and has been marked review-pending.

What happens next

  1. 🤖 Automated security audit runs and posts results on this PR.
  2. 👀 Maintainer review — a human reviewer validates the component with the component-reviewer agent (format, naming, security, clarity).
  3. Merge — once approved, your PR is merged to main.
  4. 📦 Catalog regeneration — the component catalog is rebuilt automatically.
  5. 🚀 Live on aitmpl.com — your component appears on the website after deploy.

While you wait

  • Check the Security Audit comment below for any issues to fix.
  • Make sure your component follows the contribution guide.

This is an automated message. No action is required from you right now — a maintainer will review soon.

github-actions Bot commented May 3, 2026

Contributor

⚠️ Security Audit Report

Status: ❌ FAILED

| Metric | Count |
| --- | --- |
| Total Components | 763 |
| ✅ Passed | 359 |
| ❌ Failed | 404 |
| ⚠️ Warnings | 1005 |

❌ Failed Components (Top 5)

| Component | Errors | Warnings | Score |
| --- | --- | --- | --- |
| vercel-edge-function | 3 | 4 | 81/100 |
| prompt-engineer | 2 | 0 | 90/100 |
| neon-expert | 2 | 2 | 88/100 |
| agent-overview | 2 | 1 | 89/100 |
| unused-code-cleaner | 2 | 1 | 89/100 |

...and 399 more failed component(s)


📊 View Full Report for detailed error messages and all components

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor

No issues found across 1 file

@davila7 davila7 merged commit d9e3036 into main May 3, 2026
7 checks passed
@davila7 davila7 deleted the review/api-architect-2026-05-03 branch May 3, 2026 21:10
davila7 added a commit that referenced this pull request May 3, 2026
Reflects merged improvements to cli-tool/components/agents/api-graphql/api-architect.md.

Automated by pr-verification cycle | Co-Authored-By: Claude Code <noreply@anthropic.com>