Howto Guides Index
Task-focused guides for building with NENE2. Each guide is self-contained and links to related topics.
Three ways to find a guide:
- By goal — the hand-picked "I want to…" table below.
- By category — auto-generated from guide frontmatter; lists every guide.
- By tag — see Browse by tag.
🔍 Find by what you want to build
Can't find the right guide by technical name? Start here.
| I want to… | Guide |
|---|---|
Filter a list by optional query params (?status=, ?price_max=) | dynamic-filter-query.md |
| Filter by multiple tags / skills (AND: must have all) | multi-value-tag-filter.md |
Sort by a query param safely (?sort=name&order=asc) | dynamic-sort-order-injection.md |
| Add pagination to a list endpoint | add-pagination.md |
| Store and calculate money without rounding errors | money-integer-arithmetic.md |
| Manage status transitions (draft → published → archived) | state-machine-workflow-api.md |
| Build a hierarchy (categories, folders, org chart, regions) | hierarchical-data.md |
| Store events / history (append-only, never update) | event-sourcing-cqrs-api.md |
| Prevent double-booking (hotel, meeting room, appointment) | prevent-double-booking.md |
| Prevent race conditions on limited stock or seats | flash-sale-api.md |
| Record who changed what and when (audit trail) | audit-trail.md |
| Implement votes / likes (one per user) | upvote-downvote-api.md |
| Add threaded comments or nested replies | threaded-comments-api.md |
| Generate a secure token (invite link, download URL, API key) | api-key-management.md |
| Handle timezones and UTC storage | handle-timezones.md |
| Add JWT authentication | jwt-authentication.md |
| Add multi-tenant isolation (per-tenant data separation) | jwt-tenant-isolation.md |
| Hash passwords and verify on login | password-auth-argon2id.md |
| Add leaderboard / ranking | game-score-leaderboard-api.md |
| Upload and serve files securely | file-upload.md |
| Full-text search | sqlite-fts5-search.md |
| Use database transactions (wrap multiple writes atomically) | use-transactions.md |
| Soft-delete (hide without permanently removing) | soft-delete.md |
| Send a webhook when something happens | webhook-delivery-api.md |
| Implement an approval / review workflow | approval-workflow.md |
| Manage points, credits, or a balance ledger | point-ledger-api.md |
| Manage coupons and discounts | coupon-discount-api.md |
| Implement rate limiting | add-rate-limiting.md |
| Build a subscription / membership | subscription-plan-management.md |
Browse by category
Auto-generated from each guide's frontmatter (category / difficulty / tags); lists every guide. See also Browse by tag. Regenerate with composer howto:index.
Getting Started (9)
| Guide | Difficulty | Tags |
|---|---|---|
| Add a Custom Route | beginner | routing http |
| Add a Database-backed Endpoint | beginner | database endpoint repository usecase dto |
| Add a Health Check | beginner | health-check monitoring endpoint |
| Add a Second Domain Entity | beginner | domain entity repository usecase multi-entity |
| Add HTML Views | beginner | html views templates server-rendering |
| FT Registry | beginner | field-trial registry reference |
| How to add a domain exception handler | intermediate | error-handling exceptions middleware domain |
| How to pass request-scoped state between middleware and handlers | intermediate | middleware request-context dependency-injection holder-pattern |
| Quality Tools | beginner | phpstan php-cs-fixer static-analysis code-style |
Authentication & Authorization (27)
| Guide | Difficulty | Tags |
|---|---|---|
| Add JWT Authentication | intermediate | jwt bearer authentication |
| API Key Management | intermediate | api-keys sha256 scopes rotation authentication |
| How to Build a Multi-Device Session Manager | intermediate | session multi-device idor token revocation |
| How to Build Access Token Management with NENE2 | intermediate | access-token pat api-keys sha256 scopes |
| How to Build Numeric Verification Code | intermediate | verification-code otp brute-force-protection sms email |
| How to use Bearer token authentication | beginner | bearer jwt middleware authentication |
| How-to: API Token Lifecycle Management | advanced | api-key token sha256 scope revocation |
| How-to: Bearer Token Middleware (JWT Auth Edge Cases) | advanced | jwt bearer middleware authentication security |
| How-to: Delegated Access Grants | advanced | delegation access-control scoped-access time-limited rbac |
| How-To: JWT Authentication | intermediate | jwt bearer authentication argon2id password |
| How-to: JWT Multi-Tenant Isolation | advanced | jwt multi-tenant isolation idor |
| How-To: JWT Refresh Token Rotation | intermediate | refresh-token jwt token-rotation replay-attack session |
| How-to: Magic Link Authentication | intermediate | magic-link passwordless token ttl |
| How-to: OTP Authentication System | advanced | otp passwordless brute-force-protection session-token lockout |
| How-to: Password Authentication with Argon2id | intermediate | password argon2id authentication user-enumeration-prevention rehash |
| How-To: Password Hashing | beginner | password hashing argon2id bcrypt security |
| How-to: Password Reset Flow | intermediate | password-reset token single-use user-enumeration-prevention argon2id |
| How-to: RBAC + JWT Authentication | intermediate | rbac jwt argon2id bearer-token authorization |
| How-to: Refresh Token Pattern | intermediate | refresh-token jwt token-rotation replay-attack |
| How-To: Role-Based Access Control (RBAC) | intermediate | rbac jwt bearer-token authorization roles |
| How-to: Session / Token Management API (ATK-01~12) | intermediate | session token revocation attack-hardening opaque-token |
| OAuth2 Social Login の実装ガイド | advanced | oauth2 social-login authorization-code-flow jwt |
| Password Reset Flow | beginner | password-reset token email security |
| Passwordless Auth (Magic Link) | intermediate | passwordless magic-link one-time-token email-auth |
| PIN 認証・ロックアウト | intermediate | pin lockout brute-force-protection verification |
| TOTP 二要素認証の実装ガイド | advanced | totp two-factor otp authentication |
| User Invitation System | intermediate | invitation token expiry email |
Security (36)
| Guide | Difficulty | Tags |
|---|---|---|
| Account Lockout (Brute-Force Protection) | intermediate | brute-force lockout argon2id rate-limiting authentication |
| Add Rate Limiting | beginner | rate-limiting throttle middleware protection |
| CSRF and JSON APIs | intermediate | csrf cors json-api security bearer-token |
| How to Add Data Masking | intermediate | pii masking admin audit privacy |
| How to Build Encrypted Field Storage | advanced | encryption aes-256-gcm pii blind-index field-level-encryption |
| How to Build Privacy Consent Management | intermediate | gdpr consent privacy idor-prevention audit-log |
| How to enforce resource ownership (IDOR prevention) | intermediate | idor ownership access-control authorization security |
| How to Prevent SQL ORDER BY Injection | beginner | sql-injection orderby-injection allowlist parameterized-queries |
| How to validate Unicode input | beginner | unicode validation multibyte encoding |
| How-to: Data Export API | intermediate | gdpr data-export pii token async |
| How-to: Dynamic Sort & Filter with ORDER BY Injection Prevention | intermediate | sql-injection order-by allowlist sorting filtering |
| How-to: File Upload Metadata API (VULN-A~L) | advanced | file-upload metadata vulnerability-assessment ownership |
| How-to: Fixed-window Rate Limiter | intermediate | rate-limiting fixed-window sqlite throttle |
| How-to: Mass Assignment Defence with Explicit DTO | intermediate | mass-assignment dto whitelist input-validation |
| How-To: Multi-Tenant Isolation | advanced | multi-tenant isolation idor authorization jwt |
| How-To: One-Time Secret API & ATK-01~12 Cracker Attack Test | advanced | one-time-secret token atomic-consumption brute-force-protection |
| How-to: Pagination Boundary & Limit Injection | intermediate | pagination limit-injection integer-validation boundary-attack |
| How-to: Pagination Boundary & Limit Injection Prevention | intermediate | pagination limit-injection integer-validation redos |
| How-To: Personal Secret Vault API | intermediate | hmac idor-prevention encrypted-storage admin-auth user-isolation |
| How-to: PII Masking API | intermediate | pii masking rbac audit-trail data-privacy |
| How-to: Signed URL for Secure Downloads | intermediate | signed-url hmac time-limited file-download tamper-detection |
| How-to: SQL Injection Defence | intermediate | sql-injection parameterized-queries like-injection orderby-injection attack-hardening |
| How-to: Tenant Isolation & Cross-Tenant IDOR Prevention | advanced | multi-tenant idor isolation authorization |
| How-to: Tenant Isolation & IDOR Prevention | advanced | multi-tenant idor isolation authorization |
| How-to: Unicode-Aware Text API | intermediate | unicode validation encoding null-byte multibyte |
| How-to: URL Shortener with SSRF Prevention | advanced | ssrf url-shortener private-ip mass-assignment |
| How-to: Webhook Signature Verification with HMAC-SHA256 | advanced | webhook hmac signature replay-attack timing-safe |
| HOWTO: Audit Trail — Recording Who Changed What | intermediate | audit-trail immutable-log jwt change-tracking compliance |
| Live Container Penetration Testing | advanced | penetration-testing cracker-mindset live-test security-hardening atk |
| Mass Assignment Defence | beginner | mass-assignment dto whitelist input-validation |
| Personal Data Export | intermediate | gdpr data-export pii download-token expiry |
| Prevent CSV / Spreadsheet Formula Injection on Export | intermediate | csv formula-injection export sanitization rfc-4180 |
| Signed URLs | intermediate | signed-url hmac presigned time-limited token |
| SQL injection defense | intermediate | sql-injection pdo validation |
| URL Shortener API & SSRF Prevention | advanced | ssrf url-shortener vulnerability-assessment |
| Webhook Signature Verification | intermediate | webhook hmac signature timing-safe |
Database (18)
| Guide | Difficulty | Tags |
|---|---|---|
| Database Transactions | beginner | transactions atomic rollback database |
| Hierarchical Data — Self-Referential FK + Materialized Path | advanced | hierarchical tree materialized-path self-referential |
| How to add optimistic concurrency control (ETag / If-Match) | intermediate | optimistic-locking etag concurrency lost-update |
| How to prevent double-booking (reservation and capacity enforcement) | advanced | booking double-booking capacity transactions concurrency |
| How to use PostgreSQL | beginner | postgresql pdo adapter database |
| How-to: Optimistic Concurrency Control (Version Field) | intermediate | optimistic-locking concurrency version-field lost-update |
| How-to: Optimistic Lock with PATCH + Version Field | intermediate | optimistic-locking patch version-field concurrency |
| How-to: Optimistic Locking with ETag / If-Match | intermediate | optimistic-locking etag if-match concurrency http-headers |
| How-to: Soft Delete, Restore, and Permanent Delete | beginner | soft-delete restore hard-delete deleted-at |
| How-to: Soft Delete, Trash & Restore API | intermediate | soft-delete trash restore hard-delete bulk-purge |
| How-to: Soft Delete, Trash Bin, and Permanent Purge | beginner | soft-delete trash purge deleted-at lifecycle |
| How-to: SQLite FTS5 Full-Text Search | intermediate | sqlite fts5 full-text-search virtual-table triggers |
| How-to: Transaction Scope Pattern | intermediate | transactions atomic database inventory |
| Optimistic Locking | intermediate | optimistic-locking concurrency lost-update version-field |
| Soft Delete (Logical Deletion) | beginner | soft-delete deleted-at logical-deletion audit-trail |
| Use Database Transactions | intermediate | transactions atomicity rollback |
| Use SQLite FTS5 Full-Text Search | intermediate | fts5 sqlite full-text-search inverted-index |
| Use SQLite Window Functions | intermediate | window-functions sqlite ranking running-total lag-lead |
API Design (32)
| Guide | Difficulty | Tags |
|---|---|---|
| Add pagination | beginner | pagination query-params |
| Bulk Reorder (Drag-and-Drop Ordering) API | intermediate | ordering bulk-update case-when idor atomicity |
| Content negotiation | beginner | content-negotiation json accept-header problem-json |
| CSV バルクインポート API の実装ガイド | intermediate | csv bulk-import partial-success validation history |
| ETag & Conditional Requests | intermediate | etag conditional-request cache optimistic-locking http |
| File upload (base64 JSON) | beginner | file-upload base64 json-api request-body |
| How to Add Geolocation Search | intermediate | geolocation proximity-search coordinates bounding-box |
| How to Add Request Deduplication | intermediate | idempotency deduplication idempotency-key retry |
| How to handle timezones | intermediate | timezone datetime iso-8601 validation |
| How to Validate ISO 8601 Datetimes with Timezone | intermediate | datetime iso-8601 timezone validation |
| How-to: API Versioning | intermediate | versioning deprecation url-path headers sunset |
| How-to: Batch API with Partial Success | intermediate | batch partial-success validation bulk-operations |
| How-to: Bulk Operations with Partial-Success Semantics | intermediate | bulk partial-success multi-status http-207 validation |
| How-to: Bulk Status Update API | intermediate | bulk status-update batch state-machine |
| How-to: Content Negotiation — JSON API | beginner | content-negotiation accept-header json problem-details |
| How-to: Cursor-Based Pagination | intermediate | pagination cursor keyset performance |
| How-to: Dynamic Filter Query (Dynamic WHERE Clause) | beginner | filtering query-params sql where-clause list-endpoint |
| How-to: Geolocation API | intermediate | geolocation proximity-search coordinates haversine |
| How-to: Idempotency Key (Request Deduplication) | intermediate | idempotency deduplication retry ttl |
| How-to: Idempotency Key API | intermediate | idempotency deduplication payment retry |
| How-to: Idempotency-Key Pattern | intermediate | idempotency deduplication race-condition retry |
| How-to: Implement a Bulk Create Endpoint | intermediate | bulk batch validation partial-success |
| How-to: Implement a PATCH Endpoint | intermediate | patch partial-update json-merge-patch dto |
| How-to: JSON Merge Patch & ETag Conflict Detection | intermediate | patch json-merge-patch etag conflict-detection |
| How-to: Money and Integer Arithmetic | intermediate | money integer-arithmetic precision financial |
| How-to: Multi-value Tag Filter API | intermediate | filtering tags query-params many-to-many |
| How-to: Nested JSON Validation | intermediate | validation nested-json error-paths line-items |
| How-to: Offset & Cursor Pagination | intermediate | pagination offset cursor keyset |
| How-to: PATCH Partial Update (JSON Merge Patch) | intermediate | patch json-merge-patch partial-update etag immutable-fields |
| How-to: Timezone-aware Event Scheduling | intermediate | timezone utc scheduling datetime iana |
| Pagination | beginner | pagination offset cursor keyset |
| 全文検索・オートコンプリート API の実装ガイド | intermediate | search autocomplete full-text-search like-query |
Background & Infrastructure (32)
| Guide | Difficulty | Tags |
|---|---|---|
| Add MCP Tools | intermediate | mcp ai-integration tools api-exposure |
| Application Caching の実装ガイド | intermediate | caching cache-aside ttl invalidation performance |
| Background Job Queue with Retry and Idempotency | intermediate | job-queue retry idempotency priority-queue |
| Content Scheduling — Time-Based Publish with Lifecycle States | intermediate | scheduling state-machine content cron publish |
| Deploy to Production | intermediate | deploy docker production environment reverse-proxy |
| Distributed Locking | advanced | distributed-lock concurrency database ttl critical-section |
| Event Sourcing (Basic) | intermediate | event-sourcing append-only immutable replay domain-events |
| How to Add an Inbound Webhook Receiver | intermediate | webhook hmac signature-verification idempotency |
| How-to: API Usage Metering & Quota Management | intermediate | metering quota rate-limiting idor-prevention usage-tracking |
| How-to: Background Job Queue with Retry and Idempotency | intermediate | job-queue retry idempotency background-jobs |
| How-to: Circuit Breaker | advanced | circuit-breaker resilience state-machine fault-tolerance |
| How-to: CQRS Pattern | advanced | cqrs read-model write-model event-sourcing architecture |
| How-to: Dead Letter Queue (DLQ) | advanced | queue dead-letter-queue retry backoff reliability |
| How-to: Distributed Lock | advanced | distributed-lock concurrency ttl database race-condition |
| How-to: Event Analytics API | intermediate | analytics event-tracking aggregation json-extract statistics |
| How-to: Event Analytics API | intermediate | analytics event-tracking aggregation json-extract statistics |
| How-to: Event Sourcing & CQRS API | advanced | event-sourcing cqrs append-only read-model projection |
| How-to: Event Sourcing Ledger | advanced | event-sourcing ledger append-only balance replay |
| How-to: Feature Flag API | intermediate | feature-flags rollout environment override gradual-rollout |
| How-to: Feature Flags API | intermediate | feature-flags rollout percentage kill-switch tenant |
| How-to: Inbound Webhook Gateway | intermediate | webhook hmac signature-verification idempotency |
| How-to: Notification Queue API | intermediate | notifications queue admin messaging |
| How-to: Quota Management API | intermediate | quota rate-limiting windowed-counter http-429 |
| How-to: Sliding-Window Rate Limiter | intermediate | rate-limiting sliding-window http-429 per-user |
| How-to: State Machine with Audit Log | intermediate | state-machine audit-log transitions domain-events workflow |
| How-to: State Machine Workflow API | intermediate | state-machine workflow transitions terminal-state audit-log |
| How-to: Step-Based Workflow with Approval | advanced | workflow state-machine approval multi-step |
| How-to: Webhook Delivery API | intermediate | webhook delivery retry event-dispatch |
| How-to: Webhook Delivery System | advanced | webhook ssrf hmac signature secret-hashing |
| Outbound Webhook Delivery | intermediate | webhook outbound ssrf signature |
| Payment Webhook 受信の実装ガイド | intermediate | webhook payment signature-verification idempotency |
| Rate Limiting | intermediate | rate-limiting throttle fixed-window middleware http-429 |
Product Features (107)
| Guide | Difficulty | Tags |
|---|---|---|
| Add a Disposable Demo | advanced | demo multi-tenant provisioning seeding rate-limiting cron |
| Bookmark System | beginner | bookmarks collections idempotent user-scoped |
| Content Pinning | intermediate | pinning ordering idempotent position-management |
| Content Relations — Typed M:N Self-Referential Links | intermediate | relations self-referential many-to-many inverse typed-links |
| Content Report & Moderation | intermediate | moderation reporting rbac idor-prevention state-machine |
| Content Versioning の実装ガイド | intermediate | versioning append-only rollback history content |
| How to Add a Multi-step Workflow | intermediate | workflow approval state-machine multi-step |
| How to Add Admin Report Aggregation | intermediate | admin reporting aggregation dashboard date-range |
| How to Build a Content Draft Lifecycle (Draft → Published → Archived) with NENE2 | intermediate | draft publish state-machine content lifecycle |
| How to Build a Direct Messaging System with NENE2 | intermediate | messaging conversation threading access-control idempotency |
| How to Build a Flash Sale System with NENE2 | advanced | flash-sale inventory time-window race-condition |
| How to Build a Guest Order System (Cart → Order → Order Items) with NENE2 | intermediate | order cart inventory price-snapshot guest |
| How to Build a Leaderboard (Ranking System) with NENE2 | intermediate | leaderboard ranking scores personal-best |
| How to Build a User Follow System with NENE2 | intermediate | follow social mutual-follow many-to-many |
| How to Build an Emoji Reaction System with NENE2 | intermediate | emoji reactions unique-constraint group-by social |
| How to Build Group Membership Management with NENE2 | intermediate | group membership roles invitation |
| How to Build System Announcement Management | intermediate | announcement admin dismissal priority |
| How-to: A/B Testing Framework | advanced | ab-testing experimentation state-machine analytics |
| How-to: Activity Feed / Timeline API | intermediate | activity-feed timeline pagination idor-prevention |
| How-to: Aggregate Reporting API | intermediate | reporting aggregation analytics sql grouping |
| How-to: Approval Workflow API | intermediate | workflow approval state-machine multi-step |
| How-to: Article Relations API | intermediate | relations many-to-many self-referential inverse content |
| How-to: Article Versioning API | intermediate | versioning content snapshot history draft |
| How-To: Asset Check-out / Check-in Management | intermediate | asset-management checkout exclusive-lock audit-log |
| How-to: Bookmark API | beginner | bookmarks collections deduplication idor-prevention |
| How-to: Budget Tracking API | intermediate | budget finance tracking spending categories |
| How-to: Category Hierarchy Tree API | advanced | hierarchy tree recursive-cte parent-child categories |
| How-to: Collection API (User Curated Lists) | intermediate | collections curated-lists visibility ordering deduplication |
| How-to: Comment Thread API | intermediate | comments threads pagination moderation rbac |
| How-to: Contact Management API | intermediate | contacts crud many-to-many owner-scoped tagging |
| How-to: Content Approval Workflow | intermediate | approval workflow state-machine content moderation |
| How-to: Content Reporting System | intermediate | reporting moderation enum state-machine idempotent |
| How-to: Coupon / Discount Code Redemption API | intermediate | coupon redemption discount usage-limit expiry |
| How-to: Coupon Discount Code API | intermediate | coupon discount redemption admin usage-limit |
| How-to: Credit Ledger API | intermediate | ledger credits append-only balance idempotency |
| How-To: Document Template Engine | beginner | template substitution admin crud rendering |
| How-to: Document Versioning API | intermediate | versioning append-only rollback transactions document |
| How-to: Draft → Publish → Archive Workflow | intermediate | state-machine draft publish archive content-lifecycle |
| How-to: Emoji Reactions API | intermediate | emoji reactions unique-constraint social unicode |
| How-to: Emoji Reactions with Toggle and Grouped Counts | intermediate | emoji reactions toggle concurrency unique-constraint |
| How-To: Event Ticket Booking | intermediate | booking tickets capacity concurrency inventory |
| How-to: Expense Tracker API | beginner | expense tracker categories date-range aggregation |
| How-to: Expense Tracking API | intermediate | expense tracking pagination patch aggregation |
| How-to: Feedback Collection API | beginner | feedback rating aggregation admin score |
| How-to: File Sharing API | intermediate | file-sharing permissions visibility access-control ownership |
| How-to: Flash Sale API | advanced | flash-sale inventory race-condition time-window |
| How-to: Follow / Unfollow API | intermediate | follow social graph pagination |
| How-to: Game Leaderboard & Ranking API | intermediate | leaderboard ranking scores personal-best |
| How-to: Game Score & Leaderboard API | intermediate | leaderboard scores ranking bulk-insert pagination |
| How-to: Group Member Management | advanced | group membership rbac role-hierarchy idor |
| How-to: Habit Tracker API | intermediate | habit streak tracking daily |
| How-to: Inventory Management API | intermediate | inventory stock adjustment history |
| How-to: Inventory Stock Management | intermediate | inventory stock sku transactions |
| How-to: Invitation / Referral API | intermediate | invitation referral token one-time-use |
| How-to: Invitation System | intermediate | invitation token one-time-use entropy |
| How-to: Leaderboard & Score Tracking API | intermediate | leaderboard scores ranking aggregation |
| How-to: Leaderboard Ranking API | intermediate | leaderboard ranking personal-best scores |
| How-to: Live Poll System | intermediate | poll voting deduplication lifecycle |
| How-to: Media Watchlist API | beginner | watchlist media enum status |
| How-to: Multi-Currency Money Ledger with Integer Cents | advanced | money ledger multi-currency integer-arithmetic transactions |
| How-To: Multi-Currency Wallet | advanced | wallet multi-currency deposit withdraw transfer |
| How-to: Multilingual Content API | intermediate | i18n multilingual localization content |
| How-to: Note Management with Ownership | intermediate | notes ownership idor crud authorization |
| How-to: Note Management with Tags | intermediate | notes tags full-text-search ownership crud |
| How-to: Notification Inbox API | intermediate | notifications inbox pagination mark-as-read idor |
| How-to: Order Management API | intermediate | orders status-lifecycle line-items idor admin |
| How-to: Pin / Bookmark with Ordering | intermediate | pins bookmarks ordering reorder user-isolation |
| How-to: Point Ledger API | intermediate | points ledger loyalty idempotency overdraft-prevention |
| How-to: Poll / Survey API | intermediate | poll survey voting duplicate-prevention |
| How-to: Product Catalog API (ATK-01~12) | intermediate | catalog soft-delete search admin-auth attack-hardening |
| How-to: Product Price History API | intermediate | price history timeline temporal-data |
| How-to: Project and Task Management with Nested Resources | intermediate | nested-resources patch task-management pagination |
| How-to: Rating & Review API | intermediate | rating review upsert aggregate distribution |
| How-to: Reservation & Availability API | intermediate | reservation booking availability overlap-detection cancel |
| How-to: Resource Booking System | intermediate | booking capacity double-booking idor soft-delete |
| How-to: Resource Reservation & Booking API | intermediate | reservation booking overlap-prevention idor admin-auth |
| How-to: Resource Reservation / Time Slot Booking API | intermediate | reservation time-slot overlap-detection idor |
| How-to: Scheduled Publish Article | intermediate | content-scheduling state-machine draft publish lifecycle |
| How-to: Scheduled Reminders API | intermediate | reminders scheduling timezone idor ownership |
| How-To: Service Status Page API | intermediate | status-page incident-management admin-auth state-machine |
| How-to: Shift Management API | intermediate | scheduling shift overlap-detection employee transactions |
| How-to: Shopping Cart API | intermediate | shopping-cart upsert integer-money per-user |
| How-to: Slug URL Management with History | intermediate | slug url redirect history collision |
| How-to: Subscription / Plan Management API (VULN-A~L) | advanced | subscription plan idor security-assessment |
| How-to: Subscription Plan Management | intermediate | subscription plan lifecycle billing |
| How-to: Tag / Label API | intermediate | tagging label many-to-many entity |
| How-to: Threaded Comments API | intermediate | comments threaded tombstone depth-limit |
| How-to: Time Tracking API | intermediate | time-tracking stopwatch timer duration |
| How-to: Upvote / Downvote API | intermediate | voting upvote downvote toggle score |
| How-to: URL Bookmark API with Tag Filtering | intermediate | bookmark url tagging filtering |
| How-to: User Preferences API | intermediate | preferences settings typed-values defaults |
| How-to: User Profile API | intermediate | profile user ownership validation url-security |
| How-to: Waitlist System | intermediate | waitlist state-machine queue approval |
| How-to: Wish List API (VULN-A~L Security Assessment) | advanced | wishlist crud idor security-assessment |
| Product Review & Rating System | intermediate | review rating cursor-pagination ownership |
| Slug Management — Unique URL Slugs with Collision Resolution and History | intermediate | slug url collision-resolution redirect history |
| Tagging System (M:N) | intermediate | tagging many-to-many atomic-update n-plus-one |
| Threaded Comments | intermediate | comments threaded soft-delete depth-limit |
| User Preferences Management | intermediate | preferences settings typed-values ownership |
| User Profile Management | beginner | profile user bio avatar |
| Voting System (Upvote / Downvote) | intermediate | voting upvote downvote toggle |
| ウィッシュリスト管理 | intermediate | wishlist priority visibility idor |
| ウェイティングリスト管理 | intermediate | waitlist state-machine queue admin |
| クーポン・プロモコード管理 | intermediate | coupon promo-code rbac discount expiry |
| コンテンツコレクション | intermediate | collections visibility idor-prevention idempotent ordering |
| ファイルメタデータ管理・共有 API の実装ガイド | intermediate | file-sharing metadata permissions access-control visibility |
| ポイント・ロイヤルティシステム | intermediate | points loyalty idempotency rbac balance |