You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/specification/spec.md
+28-28Lines changed: 28 additions & 28 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -712,8 +712,8 @@ This value is NOT the same as “operations that declare security”, it reflect
712
712
As a guiding principle, an operation SHOULD be classified as a _sensitive operation_ if any of the following are true:
713
713
714
714
- it performs a state changing action
715
-
- uses HTTP methods such as: `POST`, `PUT`, `PATCH`, `DELETE`
716
-
- has summaries/descriptions which suggest state change (e.g., "approve", "update", "assign", "create", "cancel"), even if HTTP verb is misused
715
+
- uses HTTP methods such as: `POST`, `PUT`, `PATCH`, `DELETE`
716
+
- has summaries/descriptions which suggest state change (e.g., "approve", "update", "assign", "create", "cancel"), even if HTTP verb is misused
717
717
- it accesses or returns sensitive or personal data (customer records, user profiles, payment data, or any OpenAPI Schema Object containing detected PII fields)
718
718
- it performs privileged or administrative actions
719
719
- it exposes operational or system-level behaviours (configuration management details, system logs, workflow executions)
|`http / bearer (opaque)`|Opaque bearer token |`scheme: bearer`|`0.60`|Security depends entirely on token distribution ([RFC6750](https://tools.ietf.org/html/rfc6750)). |
749
+
|`http / vapid`| WebPush VAPID |`scheme: vapid`|`0.60`|Token model similar to bearer; moderate trust ([RFC8292](https://tools.ietf.org/html/rfc8292)). |
750
+
|`http / scram-sha-256`| SCRAM with SHA-256 |`scheme: scram-sha-256`|`0.65`|Modern and stronger, still password-based ([RFC7804](https://tools.ietf.org/html/rfc7804)). |
If no security schemes are defined, auth_strength MUST return `1.0` (not applicable—no schemes to evaluate).
@@ -1362,7 +1362,7 @@ Gating rules MUST override or constrain dimension scores to ensure safety and co
1362
1362
They MUST be applied immediately before readiness-level classification.
1363
1363
1364
1364
| Condition | Effect | Rationale |
1365
-
|-----------|--------|-----------|
1365
+
|---------|------|---------|
1366
1366
| Foundational Compliance score < 40 | API MUST be classified as Level 0 ("Non-Compliant") | If the API cannot be structurally validated, no higher-order AI reasoning is safe or possible. |
1367
1367
| Hardcoded credentials detected | Security score MUST be capped at `20`| Hardcoded secrets represent an immediate, systemic security failure and cannot be compensated for by other strengths. |
1368
1368
| Sensitive operations lacking auth (internal) | Security score MUST be capped at `40`| Internal APIs may permit limited trust boundaries, but unauthenticated sensitive operations remain high-risk. |
0 commit comments