Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

codebar-ag/requests

Name: requests
Author: codebar-ag

resources/boost/skills/requests/SKILL.md

npx skillsauth add codebar-ag/coding-guidelines requests

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Requests

When to Use

When HTTP endpoints accept client-provided input.
When authorization and validation should be reusable and independently testable.
When request payloads include nested structures or conditional fields.
During implementation (new endpoints) and refactoring (moving inline validation out of controllers).

When NOT to Use

For endpoints with no input payload to validate.
For internal jobs/actions that are not request-driven.
For protocol-level checks that belong in middleware.

Preconditions

Standard Laravel app/Http/Requests/ structure exists.
Gate/Policy setup is available for authorization checks.
Controllers are injecting Form Requests rather than validating inline.

Rules

Every controller action that accepts user input must use a dedicated FormRequest class
Never call $request->validate() or Validator::make() inside a controller
Place Form Requests in app/Http/Requests/ or a subdirectory matching the domain (e.g. Auth/)
Naming: Store{Resource}Request, Update{Resource}Request
Define authorize(): bool with intentional access control
Define rules(): array with a PHPDoc @return array shape annotation
Use array-based rule definitions — not pipe-delimited strings
Override messages(): array for user-friendly or localized error messages
Treat return true in authorize() as explicit and safe only for genuinely public/non-sensitive operations
Prefer FormRequest helpers over raw input access: validated(), safe(), and typed retrieval methods where needed

Examples

class StoreInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user()->can('create', Invoice::class);
    }

    /**
     * @return array<string, array<int, string|object>>
     */
    public function rules(): array
    {
        return [
            'order_id' => ['required', 'integer', 'exists:orders,id'],
            'due_date' => ['required', 'date', 'after:today'],
            'notes'    => ['nullable', 'string', 'max:1000'],
        ];
    }

    public function messages(): array
    {
        return [
            'order_id.exists'  => __('The selected order does not exist.'),
            'due_date.after'   => __('The due date must be a future date.'),
        ];
    }
}

// Custom authorization logic options
public function authorize(): bool
{
    // Allow all authenticated users
    return $this->user() !== null;

    // Scope to admin role
    return $this->user()->isAdmin();

    // Delegate to a policy
    return $this->user()->can('update', $this->route('invoice'));
}

// Nested + conditional validation example
use Illuminate\Validation\Rule;

public function rules(): array
{
    return [
        'lines' => ['required', 'array', 'min:1'],
        'lines.*.sku' => ['required', 'string'],
        'lines.*.quantity' => ['required', 'integer', 'min:1'],
        'internal_note' => Rule::when(
            $this->user()?->isAdmin() === true,
            ['nullable', 'string', 'max:500'],
            ['prohibited']
        ),
    ];
}

Refactor Workflow (Inline Validation to FormRequest)

Move inline validation rules from controller to a new FormRequest.
Move authorization logic from controller conditionals to authorize().
Inject the new FormRequest into the controller action signature.
Replace raw input usage with $request->validated().
Add targeted tests for validation rules and authorization outcomes.

// Before: controller owns validation and input concerns
public function store(Request $request): JsonResponse
{
    $validated = $request->validate([
        'name' => ['required', 'string', 'max:255'],
    ]);

    $project = Project::create($validated);

    return response()->json($project, 201);
}

// After: controller delegates to FormRequest
public function store(StoreProjectRequest $request): JsonResponse
{
    $project = Project::create($request->validated());
    $meta = $request->safe()->only(['name']);

    return response()->json(['data' => $project, 'meta' => $meta], 201);
}

Anti-Patterns

Using $request->validate([...]) inside a controller
Using pipe-delimited rules: 'required|string|max:255' instead of ['required', 'string', 'max:255']
Leaving authorize() as a passive return true without a comment explaining intent
Not using a messages() method when default Laravel messages are unclear to end users
Skipping the @return PHPDoc annotation on rules() (breaks PHPStan analysis)

References

Laravel Form Requests
Related: Controllers/SKILL.md — controllers that inject and use Form Requests
Related: Policies/SKILL.md — policies referenced in authorize()

codebar-ag/requests

resources/boost/skills/requests/SKILL.md

Dedicated Form Request validation classes for all controller input. Every endpoint that accepts user input must use a `FormRequest` class — validation never happens directly inside a controller.

1 stars

tools

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add codebar-ag/coding-guidelines requests

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 8:21 AM20.4s1 file scanned

SKILL.md

name:: requests
description:: Dedicated Form Request validation classes for all controller input. Every endpoint that accepts user input must use a `FormRequest` class — validation never happens directly inside a controller.

Requests

When to Use

When HTTP endpoints accept client-provided input.
When authorization and validation should be reusable and independently testable.
When request payloads include nested structures or conditional fields.
During implementation (new endpoints) and refactoring (moving inline validation out of controllers).

When NOT to Use

For endpoints with no input payload to validate.
For internal jobs/actions that are not request-driven.
For protocol-level checks that belong in middleware.

Preconditions

Standard Laravel app/Http/Requests/ structure exists.
Gate/Policy setup is available for authorization checks.
Controllers are injecting Form Requests rather than validating inline.

Rules

Every controller action that accepts user input must use a dedicated FormRequest class
Never call $request->validate() or Validator::make() inside a controller
Place Form Requests in app/Http/Requests/ or a subdirectory matching the domain (e.g. Auth/)
Naming: Store{Resource}Request, Update{Resource}Request
Define authorize(): bool with intentional access control
Define rules(): array with a PHPDoc @return array shape annotation
Use array-based rule definitions — not pipe-delimited strings
Override messages(): array for user-friendly or localized error messages
Treat return true in authorize() as explicit and safe only for genuinely public/non-sensitive operations
Prefer FormRequest helpers over raw input access: validated(), safe(), and typed retrieval methods where needed

Examples

class StoreInvoiceRequest extends FormRequest
{
    public function authorize(): bool
    {
        return $this->user()->can('create', Invoice::class);
    }

    /**
     * @return array<string, array<int, string|object>>
     */
    public function rules(): array
    {
        return [
            'order_id' => ['required', 'integer', 'exists:orders,id'],
            'due_date' => ['required', 'date', 'after:today'],
            'notes'    => ['nullable', 'string', 'max:1000'],
        ];
    }

    public function messages(): array
    {
        return [
            'order_id.exists'  => __('The selected order does not exist.'),
            'due_date.after'   => __('The due date must be a future date.'),
        ];
    }
}

// Custom authorization logic options
public function authorize(): bool
{
    // Allow all authenticated users
    return $this->user() !== null;

    // Scope to admin role
    return $this->user()->isAdmin();

    // Delegate to a policy
    return $this->user()->can('update', $this->route('invoice'));
}

// Nested + conditional validation example
use Illuminate\Validation\Rule;

public function rules(): array
{
    return [
        'lines' => ['required', 'array', 'min:1'],
        'lines.*.sku' => ['required', 'string'],
        'lines.*.quantity' => ['required', 'integer', 'min:1'],
        'internal_note' => Rule::when(
            $this->user()?->isAdmin() === true,
            ['nullable', 'string', 'max:500'],
            ['prohibited']
        ),
    ];
}

Refactor Workflow (Inline Validation to FormRequest)

Move inline validation rules from controller to a new FormRequest.
Move authorization logic from controller conditionals to authorize().
Inject the new FormRequest into the controller action signature.
Replace raw input usage with $request->validated().
Add targeted tests for validation rules and authorization outcomes.

// Before: controller owns validation and input concerns
public function store(Request $request): JsonResponse
{
    $validated = $request->validate([
        'name' => ['required', 'string', 'max:255'],
    ]);

    $project = Project::create($validated);

    return response()->json($project, 201);
}

// After: controller delegates to FormRequest
public function store(StoreProjectRequest $request): JsonResponse
{
    $project = Project::create($request->validated());
    $meta = $request->safe()->only(['name']);

    return response()->json(['data' => $project, 'meta' => $meta], 201);
}

Anti-Patterns

Using $request->validate([...]) inside a controller
Using pipe-delimited rules: 'required|string|max:255' instead of ['required', 'string', 'max:255']
Leaving authorize() as a passive return true without a comment explaining intent
Not using a messages() method when default Laravel messages are unclear to end users
Skipping the @return PHPDoc annotation on rules() (breaks PHPStan analysis)

References

Laravel Form Requests
Related: Controllers/SKILL.md — controllers that inject and use Form Requests
Related: Policies/SKILL.md — policies referenced in authorize()

Related Skills

codebar-ag/translations

testing

VerifiedTrustedCommunity

Translation and localization conventions for Laravel. Use when adding user-facing strings, creating translation files, or working with lang/ directory.

1SKILL.mdUpdated Apr 18, 2026

codebar-ag/translations

codebar-ag/traits

tools

VerifiedTrustedCommunity

Reusable behaviour shared across multiple unrelated classes. Traits provide shared Eloquent scopes, accessors, lifecycle hooks, and small stateless helper methods.

1SKILL.mdUpdated Apr 18, 2026

codebar-ag/tailwind

development

VerifiedTrustedCommunity

Tailwind CSS v4 styling conventions. Use when working with CSS, Tailwind utilities, or customizing the theme in Laravel projects.

1SKILL.mdUpdated Apr 18, 2026

codebar-ag/services

development

VerifiedTrustedCommunity

Orchestration classes that coordinate multiple Actions, external APIs, or domain operations into a cohesive workflow. Services own transaction boundaries and third-party API integrations.

1SKILL.mdUpdated Apr 18, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/codebar-ag/coding-guidelines.git

# Copy into Claude Code skills folder (global)
cp -r coding-guidelines/resources/boost/skills/requests ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

codebar-ag/coding-guidelines

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT