malhajri07/add-api-route
.claude/skills/add-api-route/SKILL.md
Scaffold a new Express API route file with JWT auth, org-isolation middleware, zod validation, Prisma queries, and standard error handling. Use when the user asks to "add an API endpoint", "create a route", or "expose X over HTTP".
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add malhajri07/real-estate-CRM-project add-api-routeInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 12:55 AM4.6s1 file scanned
SKILL.md
- name:
- add-api-route
- description:
- Scaffold a new Express API route file with JWT auth, org-isolation middleware, zod validation, Prisma queries, and standard error handling. Use when the user asks to "add an API endpoint", "create a route", or "expose X over HTTP".
add-api-route
Create a new route file under apps/api/routes/ that follows the project's conventions. Org isolation is non-negotiable — every route handler must apply injectOrgFilter (reads) or injectWriteFilter (writes) unless the user is WEBSITE_ADMIN.
Inputs to gather
- Route name (e.g.
commissions) - Mount path (e.g.
/api/commissions) - Endpoints needed (GET list, GET :id, POST, PATCH :id, DELETE :id, custom)
- Owning Prisma model (must already exist — if not, run
/add-prisma-modelfirst) - Required roles for write endpoints
Steps
- Read a sibling route as reference. Default:
apps/api/routes/leads.ts(post-E2 conventions: org isolation, calculated fields, batch endpoints). - Create
apps/api/routes/{name}.tscontaining:import { Router } from "express"+authenticateToken+injectOrgFilter/injectWriteFilterimport { z } from "zod"for request validation- One zod schema per write endpoint
- Try/catch with
console.error+ 500 fallback res.json(...)with consistent shape (data, or array)
- Mount the router in
apps/api/index.ts(orapps/api/server.ts) under the chosen path. - Apply org isolation — every handler that touches multi-tenant data must:
- Use
req.user.organizationIdfrom JWT (never accept it from body) - Use the middleware (preferred) OR explicit
where: { organizationId: req.user.organizationId }
- Use
- Add rate limiting if it's a public/auth-adjacent endpoint (the global 100/min limiter applies automatically; use the stricter limiter for sensitive routes).
- Run
/typecheckthen/audit-org-isolationto verify scoping. - Update the vault: append the new endpoint to
Aqarkom_Knowledge/Architecture/API Routes.mdunder the matching domain.
Verification checklist
- [ ] Mounted in the main router
- [ ] Every handler reaches Prisma through the org filter
- [ ] zod validation on every body-accepting endpoint
- [ ] No
req.body.organizationIdused (security risk) - [ ]
/typecheckpasses - [ ]
/audit-org-isolationshows zero violations - [ ] curl test: returns 401 without token, 200 with token, scoped data only
Anti-patterns
- Don't bypass
injectOrgFilter"just for an admin endpoint" — gate by role instead - Don't return raw Prisma errors to the client (they leak schema)
- Don't paginate via offset alone for big tables — use cursor pagination matching
leads.ts
Related Skills
malhajri07/obsidian-markdown
testing
VerifiedTrustedCommunity
Create and edit Obsidian Flavored Markdown with wikilinks, embeds, callouts, properties, and other Obsidian-specific syntax. Use when working with .md files in Obsidian, or when the user mentions wikilinks, callouts, frontmatter, tags, embeds, or Obsidian notes.
SKILL.mdUpdated Apr 16, 2026
malhajri07/obsidian-cli
tools
VerifiedTrustedCommunity
Interact with Obsidian vaults using the Obsidian CLI to read, create, search, and manage notes, tasks, properties, and more. Also supports plugin and theme development with commands to reload plugins, run JavaScript, capture errors, take screenshots, and inspect the DOM. Use when the user asks to interact with their Obsidian vault, manage notes, search vault content, perform vault operations from the command line, or develop and debug Obsidian plugins and themes.
SKILL.mdUpdated Apr 16, 2026
malhajri07/obsidian-bases
data-ai
VerifiedTrustedCommunity
Create and edit Obsidian Bases (.base files) with views, filters, formulas, and summaries. Use when working with .base files, creating database-like views of notes, or when the user mentions Bases, table views, card views, filters, or formulas in Obsidian.
SKILL.mdUpdated Apr 16, 2026
malhajri07/json-canvas
tools
VerifiedTrustedCommunity
Create and edit JSON Canvas files (.canvas) with nodes, edges, groups, and connections. Use when working with .canvas files, creating visual canvases, mind maps, flowcharts, or when the user mentions Canvas files in Obsidian.
SKILL.mdUpdated Apr 16, 2026