Add API cursor pagination evidence gates

[Errordog2]

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: api-security
Skill path: skills/appsec/api-security/

What Was Wrong

Issue #2254 points out that the current API4 pagination guidance focuses on capped page size, which is necessary but not sufficient for cursor pagination.

Cursor values can carry authorization, tenant, filter, sort, and snapshot state. A capped page size can still be unsafe when the cursor is client-controlled, base64-only, reusable across endpoints, missing expiry, or not revalidated against the current principal.

What This PR Fixes

This PR adds cursor pagination evidence gates to api-security:

• adds list/pagination pattern discovery to API inventory;
• adds a Cursor and Pagination Evidence output table;
• adds API1/BOLA guidance for client-controlled cursor tenant/filter scope changes;
• adds secure cursor examples requiring server-issued, integrity-protected, tenant/principal-bound, audience-bound, and current-authz-revalidated cursors;
• adds API4 guidance for server-side page size, stable unique sort tuples, snapshot/high-watermark behavior, cursor expiry, replay handling, and repeated-scan monitoring;
• adds common pitfalls for treating cursor pagination as only page-size control and for treating base64 as opacity;
• bumps api-security to v1.0.1 with a changelog entry.

Evidence

Before:

The skill asked reviewers to enforce a maximum pagination size, but did not require evidence for cursor integrity, endpoint audience, tenant/principal binding, stable ordering, cursor expiry, or replay behavior.

After:

The review output now includes:

## Cursor and Pagination Evidence

| Endpoint / Operation | Pagination Pattern | Page Size Enforcement | Cursor Integrity | Principal/Tenant Binding | Sort/Snapshot Evidence | Replay/Expiry | Status |
|---|---|---|---|---|---|---|---|

And the detailed checklist now includes vulnerable and secure cursor examples plus concrete API1/API4 review checklist items.

Test Cases Added/Updated

• Added vulnerable test cases (tests/vulnerable/) - N/A; existing repository format for this skill stores examples in Markdown guidance files.
• Added benign test cases (tests/benign/) - N/A; safe and vulnerable examples are included in api-top10-checklist.md.
• Existing tests still pass

Bounty Tier

• Minor ($50) - Doc update, small logic tweak, typo fix
• Moderate ($100) - New edge case coverage, FP reduction with evidence
• Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: Can provide privately if accepted

Pull Request Checklist

• Skill follows the format specification in CONTRIBUTING.md
• At least one real framework is cited with correct control IDs
• All framework references verified against primary sources (not blogs or AI output)
• Prompt Injection Safety Notice section included
• injection-hardened: true set in frontmatter
• allowed-tools scoped to minimum necessary permissions
• Tested with at least one AI coding agent (which one: OpenAI Codex)
• No prohibited patterns per SECURITY.md
• index.yaml updated with new skill entry (not applicable: existing skill only)

Framework References

• OWASP API Security Top 10:2023 API1 Broken Object Level Authorization
• OWASP API Security Top 10:2023 API4 Unrestricted Resource Consumption
• OWASP API Security Top 10:2023 API9 Improper Inventory Management

Testing

• git diff --check
• Frontmatter required-field check over skills/ and roles/
• index.yaml path existence check
• Workflow-equivalent prompt-injection pattern scan from .github/workflows/injection-scan.yml
• Targeted rg checks for Cursor and Pagination Evidence, Cursor Pagination Authorization Gate, stable unique sort tuple, endpoint/audience, snapshot, high-watermark, replay, and v1.0.1

Fixes #2254