pavanakurathi/hono-api
.skill-staging/hono-api/SKILL.md
Use when working on a Hono backend or reviewing Hono API structure, especially in repos where Hono owns the transport layer and shared packages hold business logic. Covers route modules, middleware, request validation, runtime adapters, and Hono-specific pitfalls like OpenAPI/version mismatches.
development
Updated Apr 17, 2026
$ install --global
skillsauthnpx skillsauth add pavanakurathi/pavn hono-apiInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 17, 2026, 8:07 AM4.9s3 files scanned
SKILL.md
- name:
- hono-api
- description:
- Use when working on a Hono backend or reviewing Hono API structure, especially in repos where Hono owns the transport layer and shared packages hold business logic. Covers route modules, middleware, request validation, runtime adapters, and Hono-specific pitfalls like OpenAPI/version mismatches.
Hono API
Overview
Use this skill when the task is about the Hono API layer itself: routes, middleware, request/response boundaries, runtime behavior, or API documentation. In this repo, Hono should stay in apps/api; packages/* should stay pure business logic and must not depend on Context, route wiring, or transport details.
Workflow
- Confirm the layer boundary first.
apps/api: Hono app, route registration, auth/session checks, tenant headers, request parsing, response shaping, OpenAPI docs.packages/*: business rules, DB access, notifications, geofence logic, reusable schemas/types that are transport-agnostic.
- Keep route handlers thin.
- Parse request data at the API boundary.
- Call package functions with plain values.
- Return JSON/HTTP semantics only from the Hono layer.
- Put cross-cutting concerns in middleware or app setup.
- CORS, auth/session lookup, org scoping, request IDs, timeouts, and error handling belong in
apps/api/src/index.tsor middleware modules.
- CORS, auth/session lookup, org scoping, request IDs, timeouts, and error handling belong in
- Preserve Web Standards assumptions.
- Prefer standard
Request/Response-style behavior and avoid Node-only patterns unless the runtime truly requires them.
- Prefer standard
- Treat runtime-specific fixes explicitly.
- Bun local and Vercel Node can differ. If a dependency needs a Node adapter or WebSocket constructor, document that in the API/runtime layer rather than leaking it into route logic.
Repo Pattern
For this repo, default to this structure:
- Hono app shell in
apps/api/src/index.ts - Route modules in
apps/api/src/routes/*.ts - Middleware in
apps/api/src/middleware/*.ts - Business logic in
packages/scheduling-timekeeping,packages/geofence,packages/auth,packages/notifications,packages/database
Do not move Hono request handling into packages. Packages should accept plain inputs and return plain data or throw domain errors.
OpenAPI And Validation
Use @hono/zod-openapi only with care.
- Response schemas and request schemas used by
createRoutemust be compatible with the installed@hono/zod-openapiandzodversions. - Query/path/header schemas need OpenAPI parameter metadata, not just raw Zod fields.
- If
/openapi.jsonfails, check version compatibility before debugging every route by hand.
In this repo specifically, read references/hono-notes.md before changing OpenAPI behavior.
When To Read References
- Read references/hono-notes.md when touching route architecture, middleware boundaries, runtime adapters, or OpenAPI generation.
Related Skills
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-parallels-smoke
development
VerifiedTrustedCommunity
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
357,764SKILL.mdUpdated Apr 10, 2026