AgentSkillsCN

Api

适用于设计 REST 端点、定义 Pydantic 请求/响应模式、配置中间件,或规划与外部服务的集成合约时使用。

SKILL.md
--- frontmatter
description: "Use when designing REST endpoints, defining Pydantic request/response schemas, configuring middleware, or planning integration contracts with external services."

PatriotForge API Conventions

Stack: FastAPI · Pydantic v2 · Redis sessions · CSRF protection · Rate limiting

RESTful Endpoint Design

ActionVerbStatusExample
CreatePOST201POST /api/quotes
ListGET200GET /api/quotes?page=1&per_page=25
DetailGET200GET /api/quotes/{id}
UpdatePATCH200PATCH /api/quotes/{id}
DeleteDELETE204DELETE /api/quotes/{id} (soft delete)

Always declare response_model and status_code on every endpoint.

Pydantic Schema Patterns

python
# Request — reject unknown fields
class CreateQuoteRequest(BaseModel):
    model_config = ConfigDict(extra='forbid')
    customer_id: UUID
    notes: str = Field(max_length=2000, default="")

# Response — ORM-compatible
class QuoteResponse(BaseModel):
    model_config = ConfigDict(from_attributes=True)
    id: UUID
    customer_id: UUID
    status: str
    created_at: datetime

Paginated List Response

python
class PaginatedResponse(BaseModel, Generic[T]):
    total: int
    page: int
    per_page: int
    items: list[T]

Default: page=1, per_page=25, max per_page=100.

Authentication & Security Middleware

  • Session cookie: HTTP-only, Secure, SameSite=Lax — set on login
  • CSRF: X-CSRF-Token header required on POST/PATCH/DELETE
  • Rate limiting: 5 attempts/min per IP on auth endpoints; 10/min per account
  • CORS: Single allowed origin https://forge.patriotpf.com, credentials enabled
  • Security headers: Cache-Control: no-store on auth responses

Error Response Format

json
{
  "detail": "Human-readable message",
  "code": "DUPLICATE_EMAIL",
  "correlation_id": "uuid"
}
  • Never expose stack traces, internal paths, or SQL errors
  • Log full details server-side with correlation ID

Integration Contracts

SystemProtocolAuthKey Pattern
Floor TrackerHTTPS RESTAPI keyPush WOs, poll status
ShipStationREST v2API keyRate shop, create shipments
StripeCheckout SessionsSecret keyWebhooks w/ signature verification
QuickBooksREST + OAuth 2.0OAuth tokensBatch export queue
OnPrintShopZapier webhookShared secretInbound SO creation
Email (M365)Graph APIOAuthClaude-parsed → pending_review quote
Artworker.ioWebhooksSignatureProof approval status

All webhooks: verify signature → deduplicate by event ID → return 200 immediately → process async.

📖 Full details: backend/app/routers/auth.py, docs/plans/2026-01-24-integrations.md