WebSocket vs SSE vs polling, reconnection with backoff and jitter, heartbeats, backpressure, message ordering, connection state UI, auth on upgrade, graceful degradation
94
98%
Does it follow best practices?
Impact
90%
1.87x
Average score across 5 eval scenarios
Passed
No known issues
{
  "instruction": "Authenticate WebSocket connections during the handshake, not after",
  "relevant_when": "Agent implements WebSocket or Socket.IO server endpoints that handle sensitive data or user-specific updates",
  "context": "WebSocket connections that authenticate after the connection is established allow unauthenticated clients to consume server resources. Authentication must happen during the upgrade handshake (Socket.IO middleware, or verifying tokens in the HTTP upgrade request) so that invalid connections are rejected before they are established.",
  "sources": [
    {
      "type": "file",
      "filename": "skills/realtime-web-patterns/SKILL.md",
      "tile": "tessl-labs/realtime-web-patterns@0.2.0"
    }
  ],
  "checklist": [
    {
      "name": "auth-during-handshake",
      "rule": "Authentication is performed during the WebSocket upgrade handshake (e.g., Socket.IO io.use() middleware, or verifying a token from the upgrade request headers/query) rather than after the connection is established",
      "relevant_when": "Agent implements WebSocket or Socket.IO server with authentication"
    },
    {
      "name": "auth-on-room-join",
      "rule": "When a client requests to join a room or subscribe to a channel, the server verifies that the user is authorized to access that resource",
      "relevant_when": "Agent implements room/channel subscriptions for user-specific data"
    }
  ]
}