feat(core): add asyncapi security-defined lint rule

[harshit078]

What/Why/How?

• Added asyncapi-operation-security-defined rule for AsyncAPI 2.x which reports when a security scheme referenced from an operation or server security array is not defined in ``components.securitySchemes.

Reference

#2667

Testing

Screenshots (optional)

Check yourself

• This PR follows the contributing guide
• All new/updated code is covered by tests
• Core code changed? - Tested with other Redocly products (internal contributions only)
• New package installed? - Tested in different environments (browser/node)
• Documentation update has been considered

Security

• The security impact of the change has been considered
• Code follows company security practices and guidelines

---

Note

Medium Risk
New default error in recommended AsyncAPI rulesets can break existing CI for specs with loose security; the rule touches security semantics (refs, server applicability, traits) where edge-case behavior matters.

Overview
Adds a built-in security-defined lint rule for AsyncAPI 2.x and 3.0, mirroring the OpenAPI rule’s intent: catch bad or missing security configuration at lint time instead of at runtime.

For AsyncAPI 2.x, the rule validates scheme names on operation/server security against components.securitySchemes, and flags operations with no operation-level security when every applicable server also lacks security (with channel server bindings, traits, and component servers handled).

For AsyncAPI 3.0, it validates $refs under security (must target #/components/securitySchemes/... and resolve), and applies the same “operation must be secured” checks on root operations (including $ref into components.operations), while skipping reusable definitions under components.operations.

The rule is registered in async2/async3 rule sets, included in minimal/recommended/all presets (error in recommended; warn in minimal), and documented (new async rule page, guides, sidebars). Visitor typings and isOperationSecured support trait-aware checks.

Breaking note: with recommended, AsyncAPI specs that previously passed may now fail on undefined security refs or unsecured operations.

Minor unrelated changes: AsyncAPI split CLI code gets stricter components typing; respect-core gains a test for Arazzo workflow context resolution without a workflows path segment.

^{Reviewed by Cursor Bugbot for commit 959b639. Bugbot is set up for automated code reviews on this repo. Configure here.}

[changeset-bot]

🦋 Changeset detected

Latest commit: 959b639

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages

Name	Type
@redocly/openapi-core	Minor
@redocly/cli	Minor
@redocly/respect-core	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[vadyvas]

I would suggest a slightly different approach:

1. keep the AsyncAPI logic separate and do not reuse shared logic from the OAS rule
2. use the same rule name, security-defined, for AsyncAPI as well, and register the AsyncAPI implementation in the AsyncAPI ruleset
3. do not update the v1 docs in this PR

I think this would make the change smaller, clearer, and safer.

Thank you for the contribution, overall the PR looks good

[vadyvas]

left a few comments, could you take a look?

[vadyvas]

Please add support for AsyncAPI 3 as well. Right now the rule only applies to AsyncAPI2

[harshit078]

okay sure !

[vadyvas]

The code uses the rule name security-defined, but the docs still say asyncapi-operation-security-defined
Can you update related changes?

[vadyvas]

Please don’t add this rule to the v1 docs

[harshit078]

Hi @AlbinaBlazhko17 , I have addressed all the refactoring you mentioned and fixed all comments by cursor. Can you check again ? Thanks for the patience to go back and forth !

[AlbinaBlazhko17]

Please, add warning here, because it is breaking change due to adding new rule in recommended ruleset with error severity.
e.g.
**Warning**: this change may break workflows that relied on root-level server inheritance.
And, i think, we need to remove second sentence, which explain how rule works.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit cc37359. Configure here.}

[harshit078]

Hi @AlbinaBlazhko17 , I have addressed all the last comments you left and Pr is good to review again. Thanks !

[DmitryAnansky]

This function seems to work only with Async2 and Async3 but located in utils and have general naming.
If it is only work with Async, will it make sense to change its name to isAsyncOperationSecured ?
Also please consider file ranaming.

[harshit078]

Hi @DmitryAnansky , I renamed and shifted this function to utils for a shared logic as guided by -

#2759 (comment)