bkinsey808/hono-best-practices
skills/hono-best-practices/SKILL.md
Hono route handlers, Effect-TS integration, error mapping, middleware, validation, and architectural conventions for the API layer (`api/`). Use when creating or editing any handler, middleware, or route registration. Supersedes the former hono-api-patterns skill.
$ install --global
skillsauthnpx skillsauth add bkinsey808/songshare-effect hono-best-practicesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 11:43 PM16.8s2 files scanned
SKILL.md
- name:
- hono-best-practices
- description:
- >
Requires: file-read, terminal (linting/testing). No network access needed.
Full reference: /docs/server/hono-best-practices.md
Add-endpoint workflow: Read .agent/workflows/add-api-endpoint.md before writing any handler code.
Companion skills (load on demand):
- Effect-TS fiber/generator patterns → effect-ts-patterns/SKILL.md
- Auth token verification → authentication-system/SKILL.md
- Unit testing handlers → unit-test-best-practices/SKILL.md
- Lint failures → lint-error-resolution/SKILL.md
Preconditions
- Read the add-endpoint workflow doc before writing any handler.
- Check
docs/ai/rules.mdfor repo-wide constraints.
Execution workflow
- Read
.agent/workflows/add-api-endpoint.md. - Place schemas in
shared/src/validation/— never inapi/src/. - Keep endpoint logic in Effect; route through
handleHttpEndpoint. - Validate input with
decodeUnknownSyncOrThrow+ dedicated extract function. - Reuse existing middleware before creating new abstractions.
- Run
npm run lint— do not skip.
Key rules
-
Handlers, not controllers — one handler function per action file; no class-based controllers. Path-param type inference breaks inside classes. → full detail
-
ReadonlyContext— neverContext<{ Bindings: Bindings }>. → full detail -
handleHttpEndpoint— all Effect handlers register through this wrapper inserver.ts. → full detail -
Path constants only — import from
shared/src/paths.ts; never hardcode route strings. → full detail -
Keep handlers thin — HTTP glue only; business logic in pure service functions with no Hono imports. → full detail
-
Extract function for validation — schema in
shared/src/validation/,decodeUnknownSyncOrThrowin a dedicatedextract*.ts; catch and fail withValidationError. → full detail -
Throw inside Supabase
try— throw onresult.errorinside thetrycallback so onecatchhandles all branches; prevents "all if-else branches same code" lint error. → full detail -
Always check ownership — fetch
user_idfrom DB and compare before any mutation. → full detail -
No
client as any— use typedif/elsechains or a shared helper for dynamic table names. → full detail -
Descriptive query-param variable names — minimum 2 characters (
id-lengthrule). → full detail -
Correct error class —
ValidationError→400,AuthenticationError→401,AuthorizationError→403,NotFoundError→404,DatabaseError→500. → full detail -
app.route()for scale — mount feature sub-apps; don't growserver.tsunboundedly. → full detail -
Typed context variables — define
AppVariablesand passHono<{ Variables: AppVariables }>when middleware sets values handlers need. → full detail -
Global handlers — register
app.onError()andapp.notFound()after all route definitions. → full detail -
Test with
app.request()— exercises the full Hono stack; prefer over constructing mock contexts. → full detail
Output format
Write code changes directly. After edits, output a brief bullet list of which conventions were applied and which validation commands were run.
Error handling
- If
npm run lintornpx tsc -p api/tsconfig.json --noEmitfails, report verbatim and fix before declaring success. - If a lint error pattern is not obvious, load
lint-error-resolution.
Validation
npx tsc -p api/tsconfig.json --noEmit # type-check API only
npm run lint # full lint suite
Evaluations (I/O examples)
Input: "Add a DELETE /api/songs/:id endpoint"
Expected: Reads add-api-endpoint workflow, creates api/src/songs/delete/deleteSongHandler.ts using ReadonlyContext, creates extract function in api/src/songs/delete/extractDeleteSongRequest.ts, adds path constant to shared/src/paths.ts, registers in server.ts via handleHttpEndpoint, runs lint and tsc.
Input: "Why does my Supabase insert return an error even though the tryPromise catch isn't firing?"
Expected: Explains that Supabase puts errors in the response object, not as thrown exceptions; must throw result.error inside the try callback so the catch branch sees it.
Input: "Add middleware that attaches a request ID to every request"
Expected: Defines AppVariables type with requestId: string, passes it as Hono<{ Variables: AppVariables }>, creates middleware using c.set('requestId', crypto.randomUUID()), registers with app.use('*', ...).
Do not
- Use
Context<{ Bindings: Bindings }>— useReadonlyContext. - Put schemas in
api/src/— they belong inshared/src/validation/. - Use
client as anyfor dynamic table names. - Hardcode route strings — always use path constants.
- Run
npx eslintdirectly — alwaysnpm run lint. - Add broad lint/type suppressions without explicit justification.
- Violate repo-wide rules in
docs/ai/rules.md.
Skill handoffs
- Effect-TS patterns → load
effect-ts-patterns. - Auth token verification → load
authentication-system. - Lint errors → load
lint-error-resolution. - Unit testing handlers → load
unit-test-best-practices.
Related Skills
bkinsey808/zustand-best-practices
tools
VerifiedTrustedCommunity
Zustand state management patterns for this project — store creation, selectors, Immer middleware, async actions with loading states, devtools, persist, and testing. Use when authoring or editing Zustand stores (use*Store files) or components that subscribe to stores. Do NOT use for React component structure or TypeScript-only utilities.
2SKILL.mdUpdated Apr 15, 2026
bkinsey808/write-skill
testing
VerifiedTrustedCommunity
How to write, update, or split skill files in this repo. Use when creating a new SKILL.md, updating an existing one, or deciding whether to put content in a skill vs. docs/.
2SKILL.mdUpdated Apr 15, 2026
bkinsey808/unit-test-hook-best-practices
development
VerifiedTrustedCommunity
Complete guide for testing React hooks — renderHook, Documentation by Harness, installStore, fixtures, subscription patterns, lint/compiler traps, and pre-completion checklist. Read docs/testing/unit-test-hook-best-practices.md for the full reference.
2SKILL.mdUpdated Apr 15, 2026
bkinsey808/unit-test-best-practices
development
VerifiedTrustedCommunity
Vitest unit test authoring for this repo — setup, mocking, API handler testing, and common pitfalls for non-hook code. Use when the user asks to add, update, fix, or review unit tests for utilities, components, API handlers, or scripts. Do NOT use for React hook tests — load unit-test-hook-best-practices instead.
2SKILL.mdUpdated Apr 15, 2026