hmislk/api-development
.claude/skills/api-development/SKILL.md
REST API development guide for the HMIS project. Use when creating or extending any REST API endpoint — covers file structure, auth pattern, response format, ApplicationConfig registration, CapabilityStatementResource update, AnthropicApiService integration (system prompt module + tool handler), and the full post-implementation checklist.
$ install --global
skillsauthnpx skillsauth add hmislk/hmis api-developmentInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 3:24 PM114.4s1 file scanned
SKILL.md
- name:
- api-development
- description:
- >
- user-invocable:
- true
HMIS REST API Development Guide
When This Applies
Any time a new @Path class is created under com.divudi.ws.*, or an existing API gets new endpoints.
Mandatory Checklist — Every New API
1. File placement
- REST class:
src/main/java/com/divudi/ws/<module>/<Name>Api.java @Path("<name>"),@RequestScoped- No
@Statelesson the REST class itself
2. Auth — always Finance header (unless module uses a different scheme)
String key = requestContext.getHeader("Finance");
if (validateApiKey(key) == null) return errorResponse("Not a valid key", 401);
Copy validateApiKey, errorResponse, successResponse verbatim from DepartmentApi.java (lines 437–488). Do not reinvent.
3. Response envelope — always this shape
{"status":"success","code":200,"data":{...}}
{"status":"error","code":400,"message":"..."}
For POST duplicate-detection: {"status":"already_exists","id":...,"name":...} (no wrapping envelope).
4. Gson
private static final Gson gson = new GsonBuilder().setDateFormat("yyyy-MM-dd HH:mm:ss").create();
5. Register in ApplicationConfig
src/main/java/com/divudi/ws/common/ApplicationConfig.java — add one line to addRestResourceClasses():
resources.add(com.divudi.ws.<module>.<Name>Api.class);
6. Document in CapabilityStatementResource
src/main/java/com/divudi/ws/common/CapabilityStatementResource.java — add a resource(...) entry to buildResources().
7. Expose to AI Chat (AnthropicApiService) — TWO places
Both are required every time:
a) buildSystemPrompt — add an appendModule(...) block so the system prompt tells Claude what the endpoint does:
appendModule(sb, "My Module", "/my_module",
"Description of what this module manages.",
null, // or githubUrl(branch, "developer_docs/API_MY_MODULE.md")
new String[][]{
{"GET", "/my_module", "List entries. Supports query, page, size"},
{"POST", "/my_module", "Create a new entry. Body: {name, code}"},
{"PUT", "/my_module/{id}", "Update an entry by ID"},
{"DELETE", "/my_module/{id}", "Soft-delete an entry by ID"}
});
b) buildToolsArray + executeToolCall — add a tool so Claude can actually call the API:
- Add a
JsonObject myModuleToolinbuildToolsArray()and include it in the returned array. - Add a
case "my_tool_name":inexecuteToolCall(...)that calls a privatecallMyModuleApi(...)method. - The
callMyModuleApimethod useshmisBaseUrl+hmisApiKey(both available as params toexecuteToolCall). AiChatController.sendMessage(...)already passeshmisApiBaseUrlanduserHmisApiKeythrough toexecuteToolCall— use them.
See ClinicalMetadataApi + manage_clinical_metadata tool in AnthropicApiService as a reference implementation.
8. Write a developer_docs API file (optional but recommended)
developer_docs/API_<MODULE>.md — list all endpoints, params, example request/response.
Reference it in the appendModule(...) call via githubUrl(branch, "developer_docs/API_<MODULE>.md").
JPQL Patterns for Simple CRUD APIs
List (with optional text search + limit)
Map<String, Object> params = new HashMap<>();
params.put("t", symanticType); // if filtering by type
String jpql;
if (query != null && !query.isEmpty()) {
jpql = "select c from MyEntity c where c.retired=false and c.symanticType=:t"
+ " and upper(c.name) like :n order by c.name";
params.put("n", "%" + query.trim().toUpperCase() + "%");
} else {
jpql = "select c from MyEntity c where c.retired=false and c.symanticType=:t order by c.name";
}
List<MyEntity> items = facade.findByJpql(jpql, params, size); // 3-arg: (jpql, map, maxRecords)
Duplicate check before POST
MyEntity existing = facade.findFirstByJpql(
"select c from MyEntity c where c.retired=false and upper(c.name)=:n",
Map.of("n", name.toUpperCase()));
if (existing != null) {
// return already_exists response
}
Soft delete
entity.setRetired(true);
entity.setRetiredAt(new Date());
facade.edit(entity);
No-service-layer Rule
For thin CRUD over a single entity (like ClinicalMetadataApi), no @Stateless service EJB is needed — inject facades directly into the REST class. Only add a service layer when there is real business logic, multiple entity coordination, or the method is reused elsewhere.
Testing After Implementation
# List
curl -s -H "Finance: <key>" "http://localhost:9090/rh/api/<path>?type=X"
# Create
curl -s -H "Finance: <key>" -H "Content-Type: application/json" \
-X POST "http://localhost:9090/rh/api/<path>?type=X" \
-d '{"name":"Test"}' | python -m json.tool
# Duplicate check (POST same name again — must return already_exists)
# same command as above
# Update
curl -s -H "Finance: <key>" -H "Content-Type: application/json" \
-X PUT "http://localhost:9090/rh/api/<path>/<id>" \
-d '{"name":"Updated"}' | python -m json.tool
# Delete
curl -s -H "Finance: <key>" -X DELETE "http://localhost:9090/rh/api/<path>/<id>" | python -m json.tool
# Capabilities (confirm new entry appears)
curl -s http://localhost:9090/rh/api/capabilities | python -m json.tool
For complete reference: developer_docs/api/rest-api-development-guide.md
Related Skills
openclaw/taskflow
tools
VerifiedTrustedCommunity
Use when work should span one or more detached tasks but still behave like one job with a single owner context. TaskFlow is the durable flow substrate under authoring layers like Lobster, ACPX, plugins, or plain code. Keep conditional logic in the caller; use TaskFlow for flow identity, child-task linkage, waiting state, revision-checked mutations, and user-facing emergence.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,764SKILL.mdUpdated Apr 10, 2026
steipete/extensions/lobster
tools
VerifiedTrustedCommunity
# Lobster Lobster executes multi-step workflows with approval checkpoints. Use it when: - User wants a repeatable automation (triage, monitor, sync) - Actions need human approval before executing (send, post, delete) - Multiple tool calls should run as one deterministic operation ## When to use Lobster | User intent | Use Lobster? | | ------------------------------------------------------ | --------------------------
357,588SKILL.mdUpdated Apr 13, 2026
steipete/xurl
tools
VerifiedTrustedCommunity
A CLI tool for making authenticated requests to the X (Twitter) API. Use this skill when you need to post tweets, reply, quote, search, read posts, manage followers, send DMs, upload media, or interact with any X API v2 endpoint.
356,423SKILL.mdUpdated Apr 13, 2026