All examples for Acceptance Criteria Edge Case Identifier

API Rate Limiting Technical Edge Cases

Analyzes an API rate limiting feature to identify missing boundary conditions, race conditions, and distributed systems edge cases. Demonstrates technical infrastructure-level analysis including off-by-one errors, concurrent request handling, and failure mode decisions.

Input

What you provide to the skill

API rate limiting feature - users limited to 100 requests/minute. AC: requests counted, 429 returned when exceeded

Output

What the skill generates for you

Edge Case Analysis: API Rate Limiting Feature

Current AC Coverage: 40% (basic functionality only, missing critical edge cases around boundaries, errors, concurrency, and user experience)

Missing Edge Cases Identified (15 cases)

Category: Boundary Conditions

Edge Case 1: What happens at exactly 100 requests/minute? 🔴 CRITICAL PRIORITY
Current Status: Not defined
Suggested AC:

  • “Request #100 within a minute is allowed and succeeds”
  • “Request #101 within the same minute returns 429”
  • “Counter resets precisely 60 seconds from the first request in the window”

Why Important: Off-by-one errors are extremely common; must clarify whether 100 is inclusive or exclusive

Edge Case 2: What happens at request #99, #100, and #101? 🔴 HIGH PRIORITY
Current Status: Not defined
Suggested AC:

  • “Request #99 succeeds with normal response”
  • “Request #100 succeeds with normal response”
  • “Request #101 returns 429 with rate limit headers”
  • “All three scenarios are tested explicitly”

Why Important: Boundary testing prevents off-by-one bugs that commonly slip through

Edge Case 3: What happens when user makes exactly 0 requests? 🟡 LOW PRIORITY
Current Status: Not defined
Suggested AC:

  • “Users with 0 requests in current window can make requests normally”
  • “Rate limit counter starts at 0 for new users”

Why Important: Edge case for new users or users during window reset

Category: Empty/Null States

Edge Case 4: What if user identifier is missing or invalid? 🔴 CRITICAL PRIORITY
Current Status: Not defined (could allow unlimited requests)
Suggested AC:

  • “Requests without valid user identifier return 401 Unauthorized”
  • “Anonymous requests are not rate limited (or have separate limit if supported)”
  • “Invalid user tokens are rejected before rate limiting check”

Why Important: Security risk - missing user ID could bypass rate limiting entirely

Edge Case 5: What if user makes first API request ever? 🟡 MEDIUM PRIORITY
Current Status: Not defined
Suggested AC:

  • “New user’s first request initializes rate limit counter”
  • “First request is always allowed (counts as 1/100)”
  • “Rate limit window starts from first request timestamp”

Why Important: Ensures smooth onboarding for new users

Category: Error Scenarios

Edge Case 6: What if rate limit storage (Redis/DB) is unavailable? 🔴 CRITICAL PRIORITY
Current Status: Not defined (system could fail open or closed)
Suggested AC:

  • “If rate limit storage is unavailable, fail closed (return 503 Service Unavailable)”
  • “Include error message: ‘Service temporarily unavailable. Please try again.’”
  • “Log storage failures for ops monitoring”
  • “OR specify fail-open behavior with justification”

Why Important: Critical decision - determines whether system prioritizes availability or security during outages

Edge Case 7: What if rate limit counter corruption occurs? 🔴 HIGH PRIORITY
Current Status: Not defined
Suggested AC:

  • “If counter value is invalid/corrupted, reset to 0 and allow request”
  • “Log corruption events for investigation”
  • “System recovers gracefully without blocking users”

Why Important: Data corruption shouldn’t permanently block users

Edge Case 8: What if system clock is adjusted (time goes backward)? 🟡 MEDIUM PRIORITY
Current Status: Not defined
Suggested AC:

  • “Use monotonic clock for rate limit windows when available”
  • “If time goes backward, maintain existing window or reset gracefully”
  • “Document time synchronization requirements”

Why Important: Clock skew can cause unexpected rate limit behavior

Category: Concurrent/Conflict Scenarios

Edge Case 9: What if requests #99, #100, and #101 arrive simultaneously? 🔴 CRITICAL PRIORITY
Current Status: Not defined (race condition risk)
Suggested AC:

  • “Rate limit counter uses atomic increment operations”
  • “Concurrent requests at the limit are handled consistently”
  • “Maximum 1 request exceeds limit per concurrent batch (not multiple)”
  • “Use distributed lock or atomic operations (Redis INCR, DB transactions)”

Why Important: Race conditions could allow users to exceed rate limit significantly

Edge Case 10: What if multiple API nodes handle requests from same user? 🔴 HIGH PRIORITY
Current Status: Not defined (distributed system concern)
Suggested AC:

  • “Rate limiting is enforced across all API nodes (centralized counter)”
  • “Counter storage is shared (Redis, database, etc.)”
  • “Counter updates are atomic and consistent”

Why Important: Distributed systems can leak rate limits without centralized enforcement

Edge Case 11: What if user resets/changes their user ID? 🟡 MEDIUM PRIORITY
Current Status: Not defined
Suggested AC:

  • “Each unique user ID has independent rate limit counter”
  • “User ID changes result in new rate limit window”
  • “Document user identifier used (API key, user ID, session ID, etc.)”

Why Important: Clarifies rate limiting scope and prevents abuse

Category: Input Validation

Edge Case 12: What if request timestamp is in the future? 🟡 MEDIUM PRIORITY
Current Status: Not defined
Suggested AC:

  • “Requests with future timestamps are treated as current time”
  • “Reject requests with timestamps >5 minutes in future (clock skew tolerance)”

Why Important: Prevents time manipulation attacks

Category: Network/Performance

Edge Case 13: What if 429 response delivery fails or is slow? 🟡 MEDIUM PRIORITY
Current Status: Not defined
Suggested AC:

  • “429 responses are generated quickly (no expensive operations)”
  • “Failed 429 delivery still counts against rate limit”
  • “Rate limit headers are included even if response body fails”

Why Important: Rate limiting shouldn’t itself cause performance issues

Category: User Experience

Edge Case 14: What information is included in 429 response? 🔴 HIGH PRIORITY
Current Status: Partially defined (429 mentioned, but not response details)
Suggested AC:

  • “429 response includes Retry-After header with seconds until window reset”
  • “Response includes X-RateLimit-Limit: 100 header”
  • “Response includes X-RateLimit-Remaining header with requests left”
  • “Response includes X-RateLimit-Reset header with reset timestamp”
  • “Response body includes JSON: {'error': 'Rate limit exceeded', 'retry_after': <seconds>}

Why Important: Standard rate limit headers allow clients to implement proper retry logic

Edge Case 15: What happens when rate limit window resets? 🔴 HIGH PRIORITY
Current Status: Not defined (sliding window vs fixed window)
Suggested AC:

  • “Specify window type: Fixed window (resets at 60-second intervals) OR Sliding window (per-user 60-second rolling window)”
  • “Fixed window: All users’ counters reset at same intervals (e.g., top of each minute)”
  • “Sliding window: Each user’s counter tracks last 60 seconds of requests”
  • “Document choice and reasoning”

Why Important: Fundamentally different behaviors - sliding window is fairer but more complex

Priority Summary

CRITICAL/HIGH (11 cases) - Must address:

  • Boundary at exactly 100 requests (off-by-one errors)
  • Requests #99, #100, #101 behavior
  • Missing/invalid user identifier handling
  • Storage unavailable failure mode (fail open vs fail closed)
  • Counter corruption recovery
  • Concurrent request race conditions
  • Distributed system consistency
  • 429 response headers and body format
  • Rate limit window reset mechanism (fixed vs sliding)
  • Rate limit headers on all responses
  • Deleted counter corruption

MEDIUM (5 cases) - Should address:

  • First request initialization
  • System clock adjustment
  • User ID changes
  • Future timestamp handling
  • Repeated 429 requests counting
  • Internal/admin request handling

LOW (2 cases) - Nice to have:

  • Zero requests edge case
  • 429 response performance

Coverage Improvement

Before: 2 acceptance criteria (basic happy path only)
After: 20 acceptance criteria (2 original + 18 edge cases)

Estimated Bugs Prevented: 12-15 (including critical race conditions, off-by-one errors, and security bypasses)

Recommended Next Steps:

  1. URGENT: Review critical cases with engineering team (30-45 min):
    • Window reset strategy (fixed vs sliding) - architectural decision
    • Failure mode when storage unavailable (fail open vs fail closed)
    • Concurrent request handling strategy (atomic operations)
    • User identification method (API key, session, JWT)
  2. Define 429 response format with standard rate limit headers
  3. Add integration tests for boundary conditions (#99, #100, #101)
  4. Add concurrent request tests (load testing)
  5. Document rate limiting architecture for ops team (monitoring, troubleshooting)
  6. Consider future: burst allowance, different limits per endpoint, premium user tiers
View all examples for Acceptance Criteria Edge Case Identifier

About This Skill

Systematically analyzes feature descriptions and existing acceptance criteria to identify missing edge cases across six categories. Generates specific, testable acceptance criteria for each missing edge case with priority ratings.

View Skill Details

More Examples

Password Reset Feature Security Analysis

Analyzes a basic password reset flow to identify missing security, validation, and error handling edge cases. Demonstrates comprehensive coverage of authentication-related features including email enumeration prevention, rate limiting, and token expiration.

Subscription Checkout Payment Edge Cases

Analyzes a subscription checkout flow to identify missing payment failures, validation, and concurrent user edge cases. Demonstrates handling of e-commerce scenarios including card declines, gateway failures, and duplicate submission prevention.

View all examples