skills/team/fastapi-scaffolder/SKILL.md
Scaffolds FastAPI endpoints with OpenAPI documentation, Pydantic v2 request/response models, JWT authentication, rate limiting, and health checks. Python analog of minimal-api-scaffolder. Use when creating REST APIs, adding endpoints, setting up FastAPI projects, or configuring API infrastructure. Triggers on phrases like "scaffold fastapi", "create fastapi endpoint", "fastapi router", "add fastapi route", "fastapi api", "python rest api", "fastapi project setup", "fastapi authentication", "fastapi openapi".
Install this skill globally with one command (works with Claude Code, Cursor, and Windsurf): `npx skillsauth add michaelalber/ai-toolkit fastapi-scaffolder`
"An API is a contract — make it explicit, versioned, and documented. Security by default means the insecure path requires more work than the secure path."
FastAPI has OpenAPI documentation built in — but built-in is not automatic. Every endpoint needs
explicit metadata (summary, description, response_model, responses) to produce docs useful to
consumers; an endpoint without metadata is a black box. Security by default means every router
requires authentication unless an endpoint explicitly, intentionally opts out — an unauthenticated
endpoint is a deliberate decision, not an oversight.
Non-Negotiable Constraints:
- OpenAPI metadata on every route: summary, description, response_model, and a responses dict.
- Versioned prefix /api/v1/ via APIRouter(prefix="/api/v1"); changing it later is a breaking change.
- Authentication at router level with Depends(get_current_user); anonymous access is an explicit opt-out.
- Request and response bodies are Pydantic v2 BaseModel subclasses; no bare dict/Any returns.
- response_model= on every route; no implicit response inference.

Full principle table, KB lookups, discipline rules, anti-patterns, and error recovery live in references/conventions.md.
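What `Depends(get_current_user)` has to establish before it hands a user to a route, as an added example (not the skill's own code and not the contents of references/security-patterns.md): a stdlib-only HS256 JWT issue-and-verify pair. The function names, the `TokenError` class, the `items-api` audience, the 30-second leeway and the test secret are this example's assumptions; inside a FastAPI dependency a `TokenError` maps to HTTP 401 with a `WWW-Authenticate: Bearer` header.

```python
"""HS256 JWT verification for a FastAPI get_current_user dependency (stdlib only).

Added example, not the skill's own code. The checks a bearer-token dependency must make
before trusting claims: alg pinned to HS256 (no "none", no header-chosen algorithm),
constant-time signature compare, exp/nbf with a small leeway, and an audience check.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(Exception):
    """Any token the API must treat as anonymous (the dependency maps this to HTTP 401)."""


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a token (what a /auth/token route would do after checking credentials)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, *, audience: str,
                 now: Optional[float] = None, leeway: float = 30.0) -> dict:
    """Return the claims if the token is valid for this API, else raise TokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # binascii.Error and JSONDecodeError are both ValueErrors
        raise TokenError("malformed token") from exc
    # Pin the algorithm: the header is attacker-controlled, so it may only confirm what
    # the server already expects; it never selects the verification method.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unsupported alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Parse the payload only after the signature holds.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise TokenError("malformed payload") from exc
    if not isinstance(claims, dict):
        raise TokenError("malformed payload")
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenError("missing exp")  # tokens without an expiry are never accepted
    if now > exp + leeway:
        raise TokenError("expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now + leeway < nbf:
        raise TokenError("not yet valid")
    if claims.get("aud") != audience:
        raise TokenError("wrong audience")  # a token minted for another service is not ours
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenError("missing sub")
    return claims


def rejection_reason(token: str, secret: bytes, audience: str, now: float) -> Optional[str]:
    """For logging and tests: None when the token is accepted, else the rejection message."""
    try:
        verify_hs256(token, secret, audience=audience, now=now)
    except TokenError as exc:
        return str(exc)
    return None
```

The dependency wrapper is then a few lines: read the credentials from `HTTPBearer(auto_error=False)`, call `verify_hs256` with the configured secret and audience, and turn `TokenError` into `HTTPException(401, headers={"WWW-Authenticate": "Bearer"})`. Keeping verification in a plain function, as here, is what makes it unit-testable without spinning up the app.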
DETECT Find the app entry point (main.py/app.py); check existing versioning, auth
(get_current_user/OAuth2/HTTPBearer), and middleware (CORS) via grep.
CONFIGURE Project-level setup: app creation, config (pydantic-settings), shared dependencies,
exception handlers, CORS, health. (Structure in output-templates.md.)
SCAFFOLD Create the endpoint with full OpenAPI metadata, Pydantic v2 request/response models, and
security. (Complete scaffold in references/router-template.md.)
SECURE Add authentication, authorization (role factories), and rate limiting (stricter on auth
endpoints). (JWT + API-key patterns in references/security-patterns.md.)
DOCUMENT Bring uvicorn up; verify that /openapi.json and /docs render the new endpoints with their metadata.
VERIFY App starts; /health passes; /docs renders; pytest passes; ruff check; mypy app/.
Exit criteria: router registered under /api/v1 with router-level auth; every route has
response_model, summary, and a responses dict; rate limiting applied (strict on auth); health
endpoints present; app starts, /docs renders, tests/ruff/mypy pass.
<fastapi-scaffold-state>
phase: DETECT | CONFIGURE | SCAFFOLD | SECURE | DOCUMENT | VERIFY | COMPLETE
project_structure: new | existing
versioning_configured: true | false
auth_configured: true | false
cors_configured: true | false
rate_limiting_configured: true | false
health_checks_added: true | false
openapi_complete: true | false
last_action: [description]
next_action: [description]
</fastapi-scaffold-state>
References: references/output-templates.md, references/router-template.md, references/security-patterns.md, references/conventions.md.

Related skills:

| Skill | Relationship |
|-------|-------------|
| python-feature-slice | Feature slice provides the service layer; this skill provides endpoint quality (OpenAPI, security, rate limiting). Use together for complete feature scaffolding. |
| python-security-review | After scaffolding, verify authentication, authorization, and input validation. |
| alembic-migration-manager | When new endpoints require schema changes, use it for the migration lifecycle. |
| minimal-api-scaffolder | Parallel skill for .NET Minimal API — same OpenAPI-first, security-by-default philosophy, different ecosystem. |
development
Federal / government security overlay applied ON TOP OF a base language security review (dotnet/python/php/rust/react). Language-agnostic: adds NIST SP 800-53 control mapping, FIPS 140-2/3 cryptographic compliance (with a per-language crypto table), CUI handling, EO 14028 supply-chain requirements, and DOE Order 205.1B, and emits POA&M-ready findings with FIPS 199 impact levels. Use for federal/DOE/DOD/national-laboratory systems. Triggers on "federal security review", "NIST compliance", "NIST 800-53", "FISMA", "CUI", "FIPS audit", "DOE security", "POA&M", "ATO review". Do NOT use alone — run the matching <lang>-security-review FIRST; this overlay maps and extends it.
tools
OWASP-based security review of React / TypeScript front-end applications. Detects the framework (Vite/CRA/Next), entry points, and data flows, scans against the OWASP Top 10 (2025) mapped to React client-side patterns (XSS via raw HTML, URL/protocol injection, secrets in the bundle, insecure token storage, dependency CVEs, missing CSP, open redirects), and produces a manager-friendly executive summary plus a graded technical findings table. Use to audit React code for vulnerabilities. Triggers on "react security review", "frontend security audit", "audit react for vulnerabilities", "owasp react", "react xss", "react security posture", "npm audit review". For federal / gov / DOE / NIST / FIPS / CUI context, run security-review-federal after this base review. Do NOT use to grade architecture/structure — use react-architecture-checklist.
tools
Analyzes legacy React codebases and produces actionable modernization plans. Primary migration paths include class components to function components + hooks, Create React App to Vite, React 16/17 to 18 to 19, JavaScript to TypeScript, Enzyme to React Testing Library, legacy Redux to Redux Toolkit / Zustand / Context, and deprecated lifecycle/API removal. Does NOT perform the migration — assesses, quantifies risk, and plans. Triggers on phrases like "modernize react", "class to hooks", "upgrade react", "migrate CRA to vite", "react legacy migration", "react 17 to 18", "react js to typescript", "react technical debt", "enzyme to RTL".
development
Scaffolds feature-based React / TypeScript architecture using feature folders, presentational + container components, custom hooks, a typed data layer, and structural CQRS (query hooks vs mutation hooks). React analog of dotnet-vertical-slice and python-feature-slice — no DI framework; uses props/context for dependency injection and a query cache for server state. Use when creating feature-based React projects, adding React features, organizing components by feature rather than by technical type, or scaffolding a feature's data layer. Triggers on phrases like "scaffold react feature", "create react slice", "react feature folder", "react vertical slice", "add react feature", "react feature architecture", "organize react by feature".