monkilabs/api-patterns
src/orchestrator/skills/api-patterns/SKILL.md
Creates API route handlers, implements Server Actions with Zod schema validation, integrates external REST APIs with error handling. Use when adding endpoints, building request handlers, or wiring external services (endpoint, REST API, request handling, fetch, .ts route files).
$ install --global
skillsauthnpx skillsauth add monkilabs/opencastle api-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 7:25 AM140.7s1 file scanned
SKILL.md
- name:
- api-patterns
- description:
- Creates API route handlers, implements Server Actions with Zod schema validation, integrates external REST APIs with error handling. Use when adding endpoints, building request handlers, or wiring external services (endpoint, REST API, request handling, fetch, .ts route files).
API Patterns
Project-specific config: api-config.md.
Architecture
| Layer | Use for |
|-------|---------|
| Server Actions (preferred) | mutations, form submissions, data writes, auth |
| Route Handlers (route.ts) | analytics, autocomplete, external integrations |
| Proxy layer | IP rate limiting, fingerprinting, bot detection |
Code Patterns
Route Handler
// app/api/example/route.ts
import { NextRequest, NextResponse } from 'next/server';
import { z } from 'zod';
const schema = z.object({ query: z.string().min(1).max(200) });
export async function GET(request: NextRequest) {
const result = schema.safeParse(Object.fromEntries(request.nextUrl.searchParams));
if (!result.success) return NextResponse.json({ error: 'Invalid input' }, { status: 400 });
return NextResponse.json(data);
}
Fetching external APIs — example with retry and error handling
import fetch from 'node-fetch';
async function fetchWithRetry(url:string, opts={}, retries=2){
for(let i=0;i<=retries;i++){
try{ const res = await fetch(url, opts); if(!res.ok) throw new Error(`HTTP ${res.status}`); return await res.json(); }
catch(e){ if(i===retries) throw e; await new Promise(r=>setTimeout(r, 500*(i+1))); }
}
}
// usage
const data = await fetchWithRetry('https://api.example.com/data');
### Server Action
```typescript
'use server';
import { createServerClient } from '@libs/auth';
import { revalidatePath } from 'next/cache';
export async function submitAction(formData: FormData) {
const { data: { user } } = await (await createServerClient()).auth.getUser();
if (!user) return { error: 'Unauthorized' };
revalidatePath('/places');
return { success: true };
}
Quick Workflow
- Create route file:
app/api/<name>/route.tsorapp/<segment>/route.ts - Add Zod schema; validate input at top of handler
- Implement handler logic with explicit error/response shapes
- Add unit/integration tests for validation, happy/error paths
- Verification: run a quick smoke test (example):
curl -fsS "http://localhost:3000/api/<name>?query=test" || (echo "route failed" && exit 1)
Design Rules
- Server Actions for mutations; Route Handlers for external/public endpoints
- Validate all input with Zod on server
- RESTful nouns:
/api/v1/places/:slug; HTTP methods:GETread,POSTcreate,PATCHupdate,DELETEremove - Response envelope:
{ "data": ..., "meta": { "total": 42, "page": 1 } } - Error shape:
{ "error": { "code": "VALIDATION_ERROR", "message": "...", "details": [...] } } - Status codes: 400, 401, 403, 404, 422, 429, 500 — never leak stack traces
- Pagination: cursor-based preferred; params:
limit,cursor,sort,order - Versioning:
/api/v1/...; add fields only, never remove/rename; deprecation headers before removal - Rate-limit public endpoints; set
Cache-Control,ETag/If-None-Matchheaders
Related Skills
monkilabs/validation-gates
development
VerifiedTrustedCommunity
Defines 10 sequential validation gates: secret scanning, lint/test/build checks, blast radius analysis, dependency auditing, browser testing, cache management, regression checks, smoke tests. Use when running pre-deploy validation or CI checks, CI/CD pipelines, deployment pipeline validation, pre-merge checks, continuous integration, or pull request validation.
44SKILL.mdUpdated Apr 21, 2026
monkilabs/testing-workflow
development
VerifiedTrustedCommunity
Generates test plans, writes unit/integration/E2E test files, identifies coverage gaps, flags common testing anti-patterns. Use when writing tests, creating test suites, planning test strategies, mocking dependencies, measuring code coverage, or test planning.
44SKILL.mdUpdated Apr 21, 2026
monkilabs/team-lead-reference
development
VerifiedTrustedCommunity
Provides model routing rules, validates delegation prerequisites, supplies cost tracking templates, defines dead-letter queue formats for Team Lead orchestration. Load when assigning tasks to agents, choosing model tiers, starting delegation session, running multi-agent workflow, delegating work, choosing which model to use, or assigning tasks.
44SKILL.mdUpdated Apr 21, 2026
monkilabs/session-checkpoints
testing
VerifiedTrustedCommunity
Saves, restores session state including task progress, file changes, delegation history. Use when saving progress, resuming interrupted work, picking up where you left off, or checkpointing current work.
44SKILL.mdUpdated Apr 21, 2026