一键导入
api-design-standards
Apply when designing or reviewing HTTP APIs — enforces TCP API design standards.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Apply when designing or reviewing HTTP APIs — enforces TCP API design standards.
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Apply when writing or reviewing TypeScript — enforces TCP TypeScript standards.
Use when starting any development task — scans files in scope and loads the correct TCP coding standards before any code is written.
Use when reviewing TypeScript/Bun code in this project — flags anti-patterns to raise and enforces test philosophy
Use when building or modifying review/src/agents/ using @github/copilot-sdk, or migrating from @opencode-ai/sdk, or asking how to run parallel agent sessions, get structured JSON output, configure custom OpenAI providers, use hooks, MCP servers, custom agents/skills, session persistence, observability, or troubleshoot SDK issues.
everything you need to know about octokit.js, form github's official SDK for REST and GraphQL API requests, GitHub App authentication, and webhooks
| name | api-design-standards |
| description | Apply when designing or reviewing HTTP APIs — enforces TCP API design standards. |
These are what NOT to do rules. Each rule describes a prohibited pattern, why it matters, and shows a bad/good example.
Rule: Use nouns and HTTP methods to express intent. Verbs in paths are not permitted.
Why it matters: Verb-based paths fracture the API surface and make routes unpredictable for consumers.
# ❌ Bad
POST /createOrder
GET /fetchUser/42
POST /deleteAccount
# ✅ Good
POST /orders
GET /users/42
DELETE /accounts/{id}
Rule: Never return stack traces, internal class names, or database error messages in API responses. Return a safe human-readable message and an opaque error code.
Why it matters: Leaked internals give attackers a map of your stack and reveal exploitable implementation details.
# ❌ Bad
{
"error": "NullPointerException at com.tcp.OrderService.java:142",
"detail": "column 'usr_id' of relation 'orders' does not exist"
}
# ✅ Good
{
"error": {
"code": "ORDER_CREATE_FAILED",
"message": "Unable to create order. Please try again or contact support."
}
}
Rule: Credentials, tokens, and PII must not be passed in query parameters. Use request headers or the request body instead.
Why it matters: Query parameters are logged by web servers, proxies, and CDNs, and persist in browser history — sensitive values are trivially exposed.
# ❌ Bad
GET /reports?api_key=sk-secret123&user_email=jane@example.com
# ✅ Good
GET /reports
Authorization: Bearer sk-secret123
# PII sent in POST body or retrieved via authenticated session
Rule: Every endpoint in a service must return the same response envelope. Mixing shapes across endpoints is not permitted.
Why it matters: Inconsistent shapes force clients to write per-endpoint parsing logic, increasing coupling and the blast radius of changes.
# ❌ Bad
# /orders returns: { "order": { ... } }
# /users returns: { "data": { ... }, "meta": { ... } }
# /products returns: [ { ... } ]
# ✅ Good — every endpoint uses the same envelope
{
"data": { ... }, # null on error
"error": null, # null on success; { code, message } on error
"meta": { ... } # pagination, request ID, etc.
}
Rule: GET requests must be safe and idempotent. Any operation that mutates state must use POST, PUT, PATCH, or DELETE.
Why it matters: Clients, proxies, and crawlers may call GET endpoints multiple times. Unintended side effects on repeat calls cause data corruption and unpredictable behaviour.
# ❌ Bad
GET /emails/456/markAsRead # mutates state on read
GET /jobs/trigger?type=invoice # triggers a background job
# ✅ Good
PATCH /emails/456 body: { "read": true }
POST /jobs body: { "type": "invoice" }
Trigger this skill when:
routes/, controllers/, handlers/, or api/ directories for violations.