بنقرة واحدة
api-design-standards
Apply when designing or reviewing HTTP APIs — enforces TCP API design standards.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Apply when designing or reviewing HTTP APIs — enforces TCP API design standards.
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Apply when writing or reviewing TypeScript — enforces TCP TypeScript standards.
Use when starting any development task — scans files in scope and loads the correct TCP coding standards before any code is written.
Use when reviewing TypeScript/Bun code in this project — flags anti-patterns to raise and enforces test philosophy
Use when building or modifying review/src/agents/ using @github/copilot-sdk, or migrating from @opencode-ai/sdk, or asking how to run parallel agent sessions, get structured JSON output, configure custom OpenAI providers, use hooks, MCP servers, custom agents/skills, session persistence, observability, or troubleshoot SDK issues.
everything you need to know about octokit.js, form github's official SDK for REST and GraphQL API requests, GitHub App authentication, and webhooks
| name | api-design-standards |
| description | Apply when designing or reviewing HTTP APIs — enforces TCP API design standards. |
These are what NOT to do rules. Each rule describes a prohibited pattern, why it matters, and shows a bad/good example.
Rule: Use nouns and HTTP methods to express intent. Verbs in paths are not permitted.
Why it matters: Verb-based paths fracture the API surface and make routes unpredictable for consumers.
# ❌ Bad
POST /createOrder
GET /fetchUser/42
POST /deleteAccount
# ✅ Good
POST /orders
GET /users/42
DELETE /accounts/{id}
Rule: Never return stack traces, internal class names, or database error messages in API responses. Return a safe human-readable message and an opaque error code.
Why it matters: Leaked internals give attackers a map of your stack and reveal exploitable implementation details.
# ❌ Bad
{
"error": "NullPointerException at com.tcp.OrderService.java:142",
"detail": "column 'usr_id' of relation 'orders' does not exist"
}
# ✅ Good
{
"error": {
"code": "ORDER_CREATE_FAILED",
"message": "Unable to create order. Please try again or contact support."
}
}
Rule: Credentials, tokens, and PII must not be passed in query parameters. Use request headers or the request body instead.
Why it matters: Query parameters are logged by web servers, proxies, and CDNs, and persist in browser history — sensitive values are trivially exposed.
# ❌ Bad
GET /reports?api_key=sk-secret123&user_email=jane@example.com
# ✅ Good
GET /reports
Authorization: Bearer sk-secret123
# PII sent in POST body or retrieved via authenticated session
Rule: Every endpoint in a service must return the same response envelope. Mixing shapes across endpoints is not permitted.
Why it matters: Inconsistent shapes force clients to write per-endpoint parsing logic, increasing coupling and the blast radius of changes.
# ❌ Bad
# /orders returns: { "order": { ... } }
# /users returns: { "data": { ... }, "meta": { ... } }
# /products returns: [ { ... } ]
# ✅ Good — every endpoint uses the same envelope
{
"data": { ... }, # null on error
"error": null, # null on success; { code, message } on error
"meta": { ... } # pagination, request ID, etc.
}
Rule: GET requests must be safe and idempotent. Any operation that mutates state must use POST, PUT, PATCH, or DELETE.
Why it matters: Clients, proxies, and crawlers may call GET endpoints multiple times. Unintended side effects on repeat calls cause data corruption and unpredictable behaviour.
# ❌ Bad
GET /emails/456/markAsRead # mutates state on read
GET /jobs/trigger?type=invoice # triggers a background job
# ✅ Good
PATCH /emails/456 body: { "read": true }
POST /jobs body: { "type": "invoice" }
Trigger this skill when:
routes/, controllers/, handlers/, or api/ directories for violations.