improve: enhance api-designer

[davila7]

Automated Component Improvement

Changes

• Real tool-based discovery: Replaced fictional context-manager JSON blocks with 4 concrete steps using Glob and Grep to find OpenAPI specs, GraphQL SDL files, route definitions, and ORM models before designing
• OpenAPI 3.1 code example: Added complete YAML snippet with OAuth 2.1 security scheme (Authorization Code + PKCE), resource schema with constraints, error schema, cursor pagination parameters, and Retry-After rate-limit header
• GraphQL SDL code example: Added full SDL with Relay connection-based pagination (TransactionConnection, PageInfo, edges), @deprecated directive usage, and custom DateTime scalar
• Deliverables section: Added explicit output instructions — openapi.yaml, schema.graphql, MIGRATION.md, API-DECISION.md — with a prohibition on stubs and TODO placeholders
• Frontmatter fields: Added model: sonnet and color: cyan to differentiate from api-architect (blue)
• gRPC and protocol selection: Expanded description to cover REST/GraphQL/gRPC; added a fourth example for internal microservice protocol selection; added a protocol comparison table in the body
• OAuth 2.1: Replaced OAuth 2.0 with OAuth 2.1, added PKCE enforcement, explicitly removed implicit flow
• Bash constraint: Added explicit restriction limiting Bash to API linters (@redocly/cli lint, graphql-inspector validate) only

Research Summary

The original component relied on fictional JSON "context manager" blocks for discovery and progress reporting that have no real effect. It lacked runnable code examples, had no explicit deliverable instructions, was missing model and color fields, referenced OAuth 2.0 (outdated), and had no constraint on Bash usage. All critical and high-priority improvements from the research report have been applied.

Validation

• component-reviewer: PASSED
  • Valid YAML frontmatter with all required fields (name, description, tools, model)
  • kebab-case naming matches filename
  • No hardcoded secrets or API keys
  • No absolute paths
  • Correct category placement (api-graphql)
  • Clear, specific description with 4 examples and "Use PROACTIVELY" pattern

---

Automated review cycle by Component Improvement Loop

---

Summary by cubic

Upgraded the api-designer component with real discovery steps, modern auth, protocol selection, and concrete examples to produce actionable API specs. This improves reliability and guidance for REST, GraphQL, and gRPC design.

• Improvements
  • Replaced fictional discovery with concrete Glob/Grep steps to find OpenAPI/SDL/routes/models.
  • Added full OpenAPI 3.1 and GraphQL SDL examples (OAuth 2.1 + PKCE, cursor pagination, error schema, Retry-After header).
  • Introduced protocol selection guidance (REST/GraphQL/gRPC), explicit deliverables (openapi.yaml, schema.graphql, MIGRATION.md, API-DECISION.md), and a Bash lint-only constraint.
  • Updated frontmatter (model: sonnet, color: cyan) and description; area affected: components (cli-tool/components/).
  • No new components or env vars/secrets; regenerate docs/components.json to pick up frontmatter changes.

^{Written for commit 9cef8df. Summary will update on new commits.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
claude-code-templates	Ready	Preview, Comment	May 12, 2026 3:17pm

[github-actions]

👋 Thanks for contributing, @davila7!

This PR touches cli-tool/components/** and has been marked review-pending.

What happens next

1. 🤖 Automated security audit runs and posts results on this PR.
2. 👀 Maintainer review — a human reviewer validates the component with the component-reviewer agent (format, naming, security, clarity).
3. ✅ Merge — once approved, your PR is merged to main.
4. 📦 Catalog regeneration — the component catalog is rebuilt automatically.
5. 🚀 Live on aitmpl.com — your component appears on the website after deploy.

While you wait

• Check the Security Audit comment below for any issues to fix.
• Make sure your component follows the contribution guide.

This is an automated message. No action is required from you right now — a maintainer will review soon.

[github-actions]

⚠️ Security Audit Report

Status: ❌ FAILED

Metric	Count
Total Components	764
✅ Passed	360
❌ Failed	404
⚠️ Warnings	1005

❌ Failed Components (Top 5)

Component	Errors	Warnings	Score
vercel-edge-function	3	4	81/100
prompt-engineer	2	0	90/100
neon-expert	2	2	88/100
agent-overview	2	1	89/100
unused-code-cleaner	2	1	89/100

...and 399 more failed component(s)

---

📊 View Full Report for detailed error messages and all components

[cubic-dev-ai]

1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="cli-tool/components/agents/api-graphql/api-designer.md">

<violation number="1" location="cli-tool/components/agents/api-graphql/api-designer.md:291">
P2: The `graphql-inspector validate` example is invalid because it omits the required DOCUMENTS argument. This will cause the documented validation step to fail.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P2: The graphql-inspector validate example is invalid because it omits the required DOCUMENTS argument. This will cause the documented validation step to fail.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At cli-tool/components/agents/api-graphql/api-designer.md, line 291:

<comment>The `graphql-inspector validate` example is invalid because it omits the required DOCUMENTS argument. This will cause the documented validation step to fail.</comment>

<file context>
@@ -33,204 +205,103 @@ REST design principles:
+
+```bash
+npx @redocly/cli lint openapi.yaml
+npx graphql-inspector validate schema.graphql

</file context>

</details>