api-platform-security_skill

This skill helps design explicit API Platform contracts in Symfony, aligning operations, serialization, validation, and security with risk-aware, versioned
  • Shell

GitHub Stars: 69
Bundled Files: 2
Catalog Refreshed: 3 weeks ago
First Indexed: 2 months ago

Installation

npx veilstart add skill makfly/superpowers-symfony --skill api-platform-security

  • reference.md (8.1 KB)
  • SKILL.md (1.2 KB)

Overview

This skill delivers robust API Platform contracts in Symfony with explicit operations, explicit entity-to-payload mapping, and security rules enforced per operation. It helps you define operation-level boundaries, implement DTOs/providers/processors, and align serialization groups, validation constraints, and security expressions so that they agree. The goal is predictable, version-aware APIs that avoid accidental exposure of internal entity fields.

How this skill works

The skill inspects your resource definitions and operation configurations, then suggests explicit contracts and payload mappings. It identifies gaps between serialization groups, validation rules, and security expressions, and recommends code-level changes to providers, processors, or DTOs. Finally, it produces a concise output contract listing artifacts changed, security decisions, and functional verification results.

When to use it

  • Designing or evolving API Platform resources and operations
  • Aligning serialization groups, validation, and security expressions
  • Preventing implicit exposure of internal entity fields
  • Preparing a version-aware contract for client integration
  • Auditing API behavior across happy and negative paths

Best practices

  • Define operation-level DTOs to decouple API payloads from entities
  • Keep contracts explicit and track version changes in the API spec
  • Apply validation and security rules at the operation level, not only on the entity
  • Map providers and processors clearly so behavior is predictable
  • Run functional checks for both permitted and denied access scenarios

Example use cases

  • Creating a PATCH operation with a dedicated DTO and processor to restrict writable fields
  • Migrating an entity-backed resource to use read-only DTOs for responses
  • Auditing a collection endpoint for leaked internal fields through serializer groups
  • Implementing operation-specific security expressions that differ between GET and POST
  • Documenting contract decisions for a breaking change prior to a new API version
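The following is an added example written for this page; it is not one of the skill's bundled files or code from the makfly/superpowers-symfony project. It shows, in one place, the practices listed above and the first, second and fourth use cases: a read-only resource class that stands in for the entity, a PATCH operation whose writable surface is a dedicated DTO handled by a processor, and security expressions that differ between GET, POST and PATCH. It assumes API Platform 3 on Symfony 6.3+, a hypothetical Doctrine entity App\Entity\Project with getId()/getName()/getDescription()/getOwnerId()/setName()/setDescription(), a hypothetical provider App\State\ProjectProvider that maps that entity to ProjectResource, and a User class exposing getId(). The three classes would normally live in separate files.

```php
<?php
// Added example, not one of the skill's bundled files. Assumes API Platform 3 on Symfony 6.3+,
// a hypothetical entity App\Entity\Project and a hypothetical provider App\State\ProjectProvider
// that maps that entity to ProjectResource. Three classes concatenated for illustration.
declare(strict_types=1);

namespace App\ApiResource;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\GetCollection;
use ApiPlatform\Metadata\Patch;
use ApiPlatform\Metadata\Post;
use App\Dto\ProjectPatchInput;
use App\Entity\Project;
use App\State\ProjectPatchProcessor;
use App\State\ProjectProvider;
use Symfony\Component\Serializer\Attribute\Groups;

// The API contract is this class, not the entity: only properties carrying the read group
// are ever serialized, so a new internal entity column cannot leak by accident.
#[ApiResource(
    shortName: 'Project',
    provider: ProjectProvider::class,
    normalizationContext: ['groups' => ['project:read']],
    operations: [
        new GetCollection(security: "is_granted('ROLE_USER')"),
        new Get(security: "is_granted('ROLE_USER')"),
        // Same resource, stricter rule for writes: POST needs ROLE_ADMIN, GET does not.
        new Post(security: "is_granted('ROLE_ADMIN')"),
        // PATCH accepts only the dedicated input DTO. In `security`, `object` is the item the
        // provider returned, so ownership is checked before anything is denormalized or written.
        new Patch(
            security: "is_granted('ROLE_USER') and object.ownerId == user.getId()",
            input: ProjectPatchInput::class,
            processor: ProjectPatchProcessor::class,
        ),
    ],
)]
final class ProjectResource
{
    #[Groups(['project:read'])]
    public ?int $id = null;
    #[Groups(['project:read'])]
    public string $name = '';
    #[Groups(['project:read'])]
    public string $description = '';
    // Available to security expressions and processors, but no read group: never in a response.
    public int $ownerId = 0;

    public static function fromEntity(Project $p): self
    {
        $r = new self();
        $r->id = $p->getId();
        $r->name = $p->getName();
        $r->description = $p->getDescription();
        $r->ownerId = $p->getOwnerId();
        return $r;
    }
}

namespace App\Dto;

use Symfony\Component\Validator\Constraints as Assert;

// The PATCH write surface: id, ownerId and any internal flag are absent from this class,
// so they cannot be mass-assigned regardless of what JSON the client sends.
final class ProjectPatchInput
{
    #[Assert\Length(min: 3, max: 80)]
    public ?string $name = null;
    #[Assert\Length(max: 2000)]
    public ?string $description = null;
}

namespace App\State;

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use App\ApiResource\ProjectResource;
use App\Dto\ProjectPatchInput;
use App\Entity\Project;
use Doctrine\ORM\EntityManagerInterface;

final class ProjectPatchProcessor implements ProcessorInterface
{
    public function __construct(private readonly EntityManagerInterface $em) {}

    /** @param ProjectPatchInput $data the already-validated input DTO */
    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): ProjectResource
    {
        // The security expression already passed for this id, so this is the item it evaluated.
        $entity = $this->em->find(Project::class, $uriVariables['id']);
        // Merge-patch semantics: a field absent from the body stays null and is left unchanged.
        if ($data->name !== null) {
            $entity->setName($data->name);
        }
        if ($data->description !== null) {
            $entity->setDescription($data->description);
        }
        $this->em->flush();
        return ProjectResource::fromEntity($entity);
    }
}
```

API Platform requires `Content-Type: application/merge-patch+json` on PATCH requests. The functional checks this skill asks for map directly onto this contract: as the owner, a PATCH with `{"name": "x"}` should return 200 and a body without `ownerId`; as a different ROLE_USER it should return 403; a body containing `"ownerId": 1` should leave the owner unchanged because the DTO has no such property; and a ROLE_USER POST should return 403 while a GET succeeds.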

FAQ

What output does the skill produce?

You will receive a list of API artifacts changed (resources/DTOs/providers/processors), the security and contract decisions with rationale, and functional verification results for key paths.

Does it modify entities directly?

No. The recommended approach is to introduce DTOs, explicit mappings, or providers/processors rather than exposing or modifying internal entity fields directly.
