codebar-ag/formrequests
resources/boost/skills/formrequests/SKILL.md
Dedicated validation classes for all controller input. Form Requests encapsulate validation rules, authorization, and error messages outside of controllers.
$ install --global
skillsauthnpx skillsauth add codebar-ag/coding-guidelines formrequestsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 7:50 AM22.9s1 file scanned
SKILL.md
- name:
- formrequests
- description:
- Dedicated validation classes for all controller input. Form Requests encapsulate validation rules, authorization, and error messages outside of controllers.
Form Requests
When to Use
- For controller endpoints that accept user input and need validation + authorization.
- When you want reusable, testable validation outside controllers.
- When localized or domain-specific validation messages are required.
When NOT to Use
- For read-only endpoints with no user input to validate.
- For internal-only workflows that do not pass through HTTP controllers.
- For cross-cutting protocol checks better handled in middleware (for example signature headers).
Rules
- Every controller action that accepts user input must use a dedicated
FormRequestclass (keeps controllers thin and validations testable) - Never call
$request->validate()orValidator::make()inside a controller (avoid duplicated inline rules) - Place Form Requests in
app/Http/Requests/or a subdirectory matching the domain (e.g.Auth/) - Naming pattern:
Store{Resource}Request,Update{Resource}Request - Match the resource name to the controller:
StoreSprintController→StoreSprintRequest - Define
authorize(): boolwith proper authorization logic — never leave it as a passivereturn truewithout intention - Define
rules(): arraywith a PHPDoc@returnarray shape - Use array-based rule definitions, not pipe-delimited strings
- Add
messages(): arraywhen validation messages need localization or extra clarity - Prefer
$this->user()over global helpers for request-bound auth access insideauthorize()andrules()
Examples
use Illuminate\Validation\Rule;
class StoreSprintRequest extends FormRequest
{
public function authorize(): bool
{
return $this->user() !== null;
}
/**
* @return array<string, array<int, string|object>>
*/
public function rules(): array
{
return [
'title' => ['required', 'string', 'max:255'],
'locale' => ['required', Locale::validationRule()],
'billing_code' => Rule::when(
$this->user()?->isAdmin() === true,
['required', 'string', 'max:50'],
['nullable']
),
];
}
public function messages(): array
{
return [
'title.required' => __('A title is required.'),
];
}
}
// Controller usage — inject the FormRequest
class StoreSprintController extends Controller
{
public function __invoke(StoreSprintRequest $request, CreateSprint $action): JsonResponse
{
$sprint = $action->execute($request->validated());
return new JsonResponse(new SprintResource($sprint), 201);
}
}
// Authorization using a policy
public function authorize(): bool
{
return $this->user()->can('create', Post::class);
}
// Scoped to an admin role
public function authorize(): bool
{
return $this->user()->isAdmin();
}
Anti-Patterns
- Calling
$request->validate()inside a controller — always use a FormRequest - Using pipe-delimited rule strings:
'required|string|max:255'instead of['required', 'string', 'max:255'] - Leaving
authorize()asreturn truewithout documenting why all users are permitted - Not adding a
messages()method for user-facing validation errors that need clarity
References
- Laravel Form Requests
- Related:
Controllers/SKILL.md— controllers that use Form Requests - Related:
Policies/SKILL.md—can()used inauthorize()method
Related Skills
codebar-ag/translations
testing
VerifiedTrustedCommunity
Translation and localization conventions for Laravel. Use when adding user-facing strings, creating translation files, or working with lang/ directory.
1SKILL.mdUpdated Apr 18, 2026
codebar-ag/traits
tools
VerifiedTrustedCommunity
Reusable behaviour shared across multiple unrelated classes. Traits provide shared Eloquent scopes, accessors, lifecycle hooks, and small stateless helper methods.
1SKILL.mdUpdated Apr 18, 2026
codebar-ag/tailwind
development
VerifiedTrustedCommunity
Tailwind CSS v4 styling conventions. Use when working with CSS, Tailwind utilities, or customizing the theme in Laravel projects.
1SKILL.mdUpdated Apr 18, 2026
codebar-ag/services
development
VerifiedTrustedCommunity
Orchestration classes that coordinate multiple Actions, external APIs, or domain operations into a cohesive workflow. Services own transaction boundaries and third-party API integrations.
1SKILL.mdUpdated Apr 18, 2026