feat(core): add asyncapi-operation-security-defined lint rule

[harshit078]

What/Why/How?

• Added asyncapi-operation-security-defined rule for AsyncAPI 2.x which reports when a security scheme referenced from an operation or server security array is not defined in ``components.securitySchemes.

Reference

#2667

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

Medium Risk
New recommended-rule errors can break existing CI for AsyncAPI, and the rule enforces security documentation correctness (not runtime auth), with nuanced server/channel/trait behavior that users must align with.

Overview
Adds the security-defined built-in lint rule for AsyncAPI 2.x and 3.x, mirroring the OpenAPI rule: it validates security scheme references on operations and servers, and requires operations to declare security when applicable servers do not cover it.

AsyncAPI 2.x checks named schemes in security requirements against components.securitySchemes, tracks root server security (ignoring components.servers), and considers channel server bindings and operation traits via new isOperationSecured helper and expanded Async2 visitor hooks.

AsyncAPI 3.x validates $ref targets under #/components/securitySchemes/, enforces operation security on root operations (not reusable components.operations), and applies channel/server applicability similar to 2.x.

The rule is wired into async2Rules / async3Rules presets (error in recommended / all, warn in minimal, off in spec). Docs, changeset, and sidebar are updated. AsyncAPI typings are tightened to support the walkers; CLI split code gets a small AnyAsyncApiComponents typing refactor only.

Breaking: AsyncAPI specs using recommended may newly fail lint until security references and missing operation security are fixed.

^{Reviewed by Cursor Bugbot for commit 75389dc. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 75389dc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@redocly/openapi-core	Minor
@redocly/cli	Minor
@redocly/respect-core	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vadyvas]

I would suggest a slightly different approach:

1. keep the AsyncAPI logic separate and do not reuse shared logic from the OAS rule
2. use the same rule name, security-defined, for AsyncAPI as well, and register the AsyncAPI implementation in the AsyncAPI ruleset
3. do not update the v1 docs in this PR

I think this would make the change smaller, clearer, and safer.

Thank you for the contribution, overall the PR looks good

[vadyvas]

left a few comments, could you take a look?

[vadyvas]

Please add support for AsyncAPI 3 as well. Right now the rule only applies to AsyncAPI2

[harshit078]

okay sure !

[vadyvas]

The code uses the rule name security-defined, but the docs still say asyncapi-operation-security-defined
Can you update related changes?

[vadyvas]

Please don’t add this rule to the v1 docs

[harshit078]

Hi @AlbinaBlazhko17 , I have addressed all the refactoring you mentioned and fixed all comments by cursor. Can you check again ? Thanks for the patience to go back and forth !

[AlbinaBlazhko17]

Please, add warning here, because it is breaking change due to adding new rule in recommended ruleset with error severity.
e.g.
**Warning**: this change may break workflows that relied on root-level server inheritance.
And, i think, we need to remove second sentence, which explain how rule works.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit cc37359. Configure here.}

[AlbinaBlazhko17]

I provided to you just an example from another PR. Please update this warning to align with this PR.

[harshit078]

I just realiased that and completely missed that in hurry. Aplogies !

[AlbinaBlazhko17]

No worries! Please, fix the issue from bugbot and i will review PR one more time. Thanks!

[harshit078]

Addressed cursor bot comment. The Pr is good to review again. Thanks !