oornnery/python
skills/python/SKILL.md
Python guidance for project onboarding, uv, typing, testing, async, configuration, packaging, observability, resilience, resource management, FastAPI conventions, and common debug/build-fix patterns. Load when writing, reviewing, debugging, or maintaining Python code.
development
Updated Jun 3, 2026
$ install --global
skillsauthnpx skillsauth add oornnery/.agents pythonInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 3, 2026, 2:22 AM17.3s22 files scanned
SKILL.md
- name:
- python
- description:
- Python guidance for project onboarding, uv, typing, testing, async, configuration, packaging, observability, resilience, resource management, FastAPI conventions, and common debug/build-fix patterns. Load when writing, reviewing, debugging, or maintaining Python code.
Python
Policy-level Python guidance. Load one focused ref for deep detail; keep this file as router + defaults.
Reference Map
| Need | Ref |
| ----------------------- | ---------------------------------------- |
| uv, deps, venv, Python | references/uv.md |
| package/module layout | references/structure.md |
| env/settings/secrets | references/config.md |
| packaging/publishing | references/packaging.md |
| style/ruff/naming | references/style.md |
| typing/protocols | references/types.md |
| validation/exceptions | references/errors.md |
| design/SRP/composition | references/design.md |
| anti-pattern review | references/anti-patterns.md |
| asyncio/concurrency | references/async.md |
| jobs/workers/queues | references/jobs.md |
| resources/cleanup | references/resources.md |
| retries/timeouts | references/resilience.md |
| logs/metrics/tracing | references/observability.md |
| profiling/perf | references/perf.md |
| pytest/testing | references/tests.md |
Assets
assets/project/pyproject.tomlassets/project/src/myapp/main.pyassets/project/src/myapp/settings.pyassets/project/tests/test_main.pyassets/project/scripts/report.py
Onboarding
Detect:
ls pyproject.toml 2>/dev/null
Before edit:
- verify tools
- find validation entrypoints
- inspect layout/config/tests
- check momentum:
git log --oneline -10
Validation discovery order:
- task aliases in
pyproject.toml - direct
uv run ... - README/scripts
- CI config
Default Stack
- Python 3.12+
uvrufftypyrightpytestrumdltaskipypre-commitbanditrtk
Validation
uv run ruff format --check .
uv run ruff check .
uv run rumdl check .
uv run ty check
uv run pyright
uv run pytest -v
Prefer task aliases when repo defines them:
uv run task lint
uv run task fmt
uv run task type
uv run task test
uv run task test-cov
uv run task sec
Verify tools:
uv --version
python --version
uv run ruff --version
uv run ty --version
uv run pyright --version
uv run pytest --version
uv run rumdl --version
uv run task --version
uv run pre-commit --version
uv run bandit --version
Install deps:
uv sync
Core Defaults
- use
uv,uv run,uv add; avoid directpip - format with
ruff - prefer
pathlib, f-strings, absolute imports - type public APIs; use
Protocolat boundaries; containAny - externalize config/secrets with typed settings loaded at startup
- validate external input at boundaries; convert raw payloads early
- keep IO at edges; avoid leaking ORM/transport types
- prefer composition/focused modules over clever abstractions
- default sync unless real concurrent I/O pressure exists
- keep async path async end-to-end when used
- centralize retries, timeouts, cleanup
- make background jobs idempotent and explicit about state/ownership
- keep observability structured and outside core business logic
- test behavior and boundaries; avoid framework-heavy tests when simple tests suffice
- optimize only after measuring bottleneck
Build-Fix
Order:
- format
- lint
- markdown
- typing
- tests
After each fix, rerun failing check. Stop/report if fix needs architecture change.
Run uv run task sec for explicit security review; do not treat it as part of the default quick check unless the repo opts in.
Common fixes:
| Tool | Signal | Fix | | ------- | ------------------------ | ------------------------------------ | | ruff | formatting/import/style | format or remove/fix code | | ty | type/import mismatch | fix type, import path, or dependency | | pyright | type/import mismatch | fix type, import path, or dependency | | pytest | assertion/import/fixture | fix logic, path, or fixture |
Debug
- reproduce exactly
- record env
- read traceback bottom-up
- inspect
git log --oneline -10andgit diff - isolate boundary
- use
git bisectif regression likely - confirm fix with failing test/command
- remove temp debug/breakpoints
Rules: do not guess first; fix root cause; one hypothesis at time; do not silence with broad try/except; do not change tests to match bug.
FastAPI Cues
- use
AnnotatedforPath,Query,Header,Depends - reusable dependency aliases only when repeated signatures simplify
- no ellipsis
...for required FastAPI/Pydantic fields - explicit return type or
response_model - router-level
prefix,tags, dependencies - default
defif internals may block - no blocking code inside async handlers
- prefer HTTPX over Requests
- no deprecated
ORJSONResponse/UJSONResponseperformance crutch - no
RootModelwhen normal typed structure is enough
Review Focus
- correctness: edge cases, error paths, races
- security: boundary validation, secrets, injection, auth
- performance: blocking async, N+1, unbounded loops
- maintainability: SRP, dead code, magic values, noisy comments
- conventions: naming, style, project patterns
Skip style already enforced by tools.
Refactoring
- preserve behavior
- no hidden feature work
- do not rewrite stable code just because old
- reduce complexity only with clear maintenance gain
- one logical change at time
Workflow Cues
- API contract shape -> pair
design - architecture/boundaries -> pair
arch - test-first or failure diagnosis -> pair
quality
Related Skills
oornnery/skills/verification
development
VerifiedTrustedCommunity
--- name: verification description: Discover and run project validation gates: format, lint, typecheck, LSP diagnostics, tests, build, static security checks, dependency audits, and RTK output handling. Use before claiming work is complete, when fixing broken checks, or when setting up a validation plan. --- # Verification Use this skill to prove changes with the strongest practical checks the repo already supports. ## Discovery Order 1. Read task aliases: `package.json`, `pyproject.toml`, `
SKILL.mdUpdated Jun 4, 2026
oornnery/uv-script
tools
VerifiedTrustedCommunity
Build, review, or validate standalone Python scripts run with uv inline metadata. Use for one-file automation, operational scripts, script dependencies, shebangs, idempotency, safety, representative runs, and promoting scripts to packages.
SKILL.mdUpdated Jun 4, 2026
oornnery/python-library
development
VerifiedTrustedCommunity
Build, review, or validate Python packages and libraries where public API stability, packaging metadata, imports, examples, changelogs, build output, and compatibility matter.
SKILL.mdUpdated Jun 4, 2026
oornnery/python-cli
tools
VerifiedTrustedCommunity
Build, review, or validate Python command-line applications and terminal tools. Use for argparse, Typer, Rich, Textual-adjacent CLI UX, stdout/stderr contracts, exit codes, automation-friendly flags, help output, and CLI tests.
SKILL.mdUpdated Jun 4, 2026