{ "tasks": [ { "id": "basic_validation", "name": "Basic Endpoint Validation", "difficulty": "easy", "description": "Test all CRUD endpoints with valid inputs and verify correct status codes.", "max_steps": 25, "bugs": ["BUG_TASK_01", "BUG_TASK_02", "BUG_TASK_03"] }, { "id": "edge_cases", "name": "Edge Cases & Error Handling", "difficulty": "medium", "description": "Test boundary conditions, invalid inputs, and error responses.", "max_steps": 35, "bugs": [ "BUG_TASK_01", "BUG_TASK_02", "BUG_TASK_03", "BUG_TASK_04", "BUG_TASK_05", "BUG_TASK_06", "BUG_USER_01", "BUG_USER_02", "BUG_AUTH_02" ] }, { "id": "security_workflows", "name": "Security & Multi-Step Workflows", "difficulty": "hard", "description": "Discover authorization flaws, injection vulnerabilities, and workflow bugs.", "max_steps": 45, "bugs": [ "BUG_TASK_01", "BUG_TASK_02", "BUG_TASK_03", "BUG_TASK_04", "BUG_TASK_05", "BUG_TASK_06", "BUG_TASK_07", "BUG_TASK_08", "BUG_TASK_09", "BUG_USER_01", "BUG_USER_02", "BUG_AUTH_01", "BUG_AUTH_02" ] } ], "bug_registry": { "BUG_TASK_01": { "severity": "easy", "category": "status_code", "owasp": "API8:2023 Security Misconfiguration", "description": "GET /tasks/{id} returns 200 with null for non-existent task", "recommendation": "Return 404 Not Found for non-existent resources" }, "BUG_TASK_02": { "severity": "easy", "category": "validation", "owasp": "API8:2023 Security Misconfiguration", "description": "POST /tasks with missing title returns 500 instead of 400", "recommendation": "Validate required fields and return 400/422 with descriptive error" }, "BUG_TASK_03": { "severity": "easy", "category": "validation", "owasp": "API8:2023 Security Misconfiguration", "description": "GET /tasks?page=-1 returns 200 instead of 400", "recommendation": "Validate pagination parameters: page >= 1, limit > 0" }, "BUG_TASK_04": { "severity": "medium", "category": "validation", "owasp": "API8:2023 Security Misconfiguration", "description": "PUT /tasks/{id} accepts invalid email format", 
"recommendation": "Validate email format with regex before accepting" }, "BUG_TASK_05": { "severity": "medium", "category": "status_code", "owasp": "API8:2023 Security Misconfiguration", "description": "DELETE /tasks/{id} returns 200 for non-existent task", "recommendation": "Check resource existence before deletion, return 404 if missing" }, "BUG_TASK_06": { "severity": "medium", "category": "validation", "owasp": "API4:2023 Unrestricted Resource Consumption", "description": "No pagination cap on limit parameter", "recommendation": "Cap pagination limit at 100, reject values above maximum" }, "BUG_TASK_07": { "severity": "hard", "category": "security", "owasp": "API1:2023 Broken Object Level Authorization", "description": "BOLA: any user can access any task", "recommendation": "Verify resource ownership: check task.owner_id matches authenticated user" }, "BUG_TASK_08": { "severity": "hard", "category": "validation", "owasp": "API4:2023 Unrestricted Resource Consumption", "description": "Long title causes 500 error", "recommendation": "Add input length validation: title max 200 chars" }, "BUG_TASK_09": { "severity": "hard", "category": "security", "owasp": "API8:2023 Security Misconfiguration", "description": "SQL injection payload stored verbatim", "recommendation": "Sanitize user input before storage, escape HTML/SQL special characters" }, "BUG_USER_01": { "severity": "medium", "category": "validation", "owasp": "API8:2023 Security Misconfiguration", "description": "POST /users accepts invalid email", "recommendation": "Validate email format server-side before creating user" }, "BUG_USER_02": { "severity": "medium", "category": "security", "owasp": "API3:2023 Broken Object Property Level Authorization", "description": "Response exposes password hash", "recommendation": "Never return sensitive fields (password_hash) in API responses" }, "BUG_AUTH_01": { "severity": "hard", "category": "security", "owasp": "API1:2023 Broken Object Level Authorization", 
"description": "Broken authorization: cross-user token access", "recommendation": "Enforce the ownership check on every write operation (PUT/DELETE), deriving the acting user from the verified token rather than from any client-supplied user_id field; read-side ownership is tracked separately as BUG_TASK_07" }, "BUG_AUTH_02": { "severity": "medium", "category": "security", "owasp": "API2:2023 Broken Authentication", "description": "Empty password login succeeds", "recommendation": "Reject empty or missing passwords before any lookup, then verify the supplied password against the stored hash using the hashing library's constant-time verify function; never treat an empty comparison as a match" } } }