ArchPilotExecutable architecture guardrails

Search docs

Docs search

Validation rule

Back to Rule Catalog
AP-API-011API Design

Bulk operation risk

Flags bulk API operations that lack clear safeguards.

warningviolationNo auto-fix

How to fix

  1. Add request size limits and validation.
  2. Require explicit authorization for bulk actions.
  3. Document idempotency, failure behavior, and audit expectations.

What it means

A bulk endpoint appears to mutate or process many records without guardrails.

Why it matters

Bulk operations amplify mistakes, authorization gaps, and performance problems.

Common causes

  • A batch mutation lacks max item limits.
  • Bulk behavior is not documented in the contract.
  • The endpoint has no idempotency or dry-run strategy.

Example bad pattern

POST /repositories/delete accepts an arbitrary list of ids with no max size or audit context.

Example good pattern

The bulk endpoint enforces a max size, validates ownership, and records audit metadata.

Related files/config

  • contracts/openapi.yaml
  • apps/api/src

Related CLI commands

  • archpilot validate
  • archpilot validate --ci

Related docs

Rule CatalogAPI DesignAuthorization
AP-API-011 - Bulk operation risk | ArchPilot Docs