一键导入
api-review
[pr-review-focus-area: API Routes] Review API routes for auth, input validation, error handling consistency, HTTP conventions, and test coverage.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
[pr-review-focus-area: API Routes] Review API routes for auth, input validation, error handling consistency, HTTP conventions, and test coverage.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Research a work item, draft an implementation plan, and begin work after approval.
Guided one-shot install — discover installed plugins (or help install new ones), pick install scope, calibrate risk tolerance into a concrete allowlist + hooks, scaffold or merge CLAUDE.md, and sanity-check the result.
Finalize work — commit via /commit, push, and create PRs on feature branches.
Reviewer-side PR workflow — checks out the branch in a worktree, runs focus-area reviews plus a senior-engineering pass, optionally cross-checks against an autonomous reviewer, and posts inline findings only on explicit approval. Read-only — never edits, commits, or pushes.
Fetch PR review comments, classify by severity and confidence, and fix the selected subset.
Triage CVE and SBOM scanner output (Trivy, Grype, Snyk, Docker Scout, Dependabot) into a ranked, deduplicated action list.
| name | api-review |
| description | [pr-review-focus-area: API Routes] Review API routes for auth, input validation, error handling consistency, HTTP conventions, and test coverage. |
| user-invocable | true |
| disable-model-invocation | true |
| allowed-tools | ["Read","Grep","Glob"] |
Review API routes for security, correctness, and consistency.
/api-review — reviews all changed API route files, or all API routes if no changes detected.
CLAUDE.md to identify:
src/app/api/, src/routes/, pages/api/, server/routes/)git diff --name-only.Every API route must use the project's auth middleware or wrapper (as documented in CLAUDE.md).
All POST, PUT, and PATCH routes must validate the request body before use.
All error responses must follow the project's standard error format.
{ error }, others { message }, others raw strings).GET routes return 200, never modify state.POST routes return 201 for creation, 200 for actions.PUT/PATCH routes return 200.DELETE routes return 200 or 204.No any type in response payloads. Response data should be explicitly typed.
as any, untyped object literals, or any in return type.Each API route file should have a corresponding test file.
Dispatch to the principal-frontend subagent with the analysis from the prior checks. Ask it to apply its senior lens — type discipline at the boundary, error-handling architecture, auth contract — to the findings. Integrate its top findings into the Report Format below; do not replace the skill's verdict contract.
Invocation:
Agent({
subagent_type: "principal-frontend",
description: "API route senior review",
prompt: "Review these API route findings: <summary of auth, validation, error shape, HTTP, typing, and coverage findings from checks 1-6>. Apply senior scrutiny to type discipline at the request/response boundary, error-handling architecture across the route surface, and the auth contract. Return top architectural risks in severity order."
})
## API Review: /api/users
| Check | Status | Notes |
| ----------------- | ------ | ------------------------------- |
| Auth Applied | PASS | Uses standard auth wrapper |
| Input Validation | FAIL | POST body not validated |
| Error Shape | PASS | Consistent error format |
| HTTP Conventions | WARN | POST returns 200, should be 201 |
| Response Typing | PASS | All responses typed |
| Test Coverage | FAIL | No test file found |
### Recommendations
1. Add validation schema for POST /api/users request body
2. Create test file covering auth, validation, and error cases
Report each route separately, then provide an overall summary.