fastapi-verification
Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.
Best use case
fastapi-verification is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.
Teams using fastapi-verification should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/fastapi-verification/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How fastapi-verification Compares
| Feature / Agent | fastapi-verification | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# FastAPI Verification Loop
Run before PRs, after major changes, and pre-deploy to ensure FastAPI application quality and security.
## When to Activate
- Before opening a pull request for a FastAPI project
- After adding or modifying endpoints, Pydantic models, or dependencies
- Pre-deployment verification for staging or production
- Running full environment → lint → test → security → schema pipeline
- Validating Pydantic model correctness and test coverage
## Phase 1: Environment Check
```bash
# Verify Python version
python --version # Should match project requirements (3.11+)
# Check virtual environment
which python
pip list --outdated
# Verify required env vars
python -c "
import os
required = ['DATABASE_URL', 'SECRET_KEY']
for var in required:
status = 'SET' if os.environ.get(var) else 'MISSING'
print(f'{status}: {var}')
"
```
If environment is misconfigured, stop and fix before proceeding.
## Phase 2: Type Checking & Linting
```bash
# Type checking with mypy
mypy app/ --strict 2>&1 | tail -20
# Linting and formatting with ruff
ruff check . --fix
ruff format . --check
# Type stubs check (Pydantic v2)
python -c "from pydantic import BaseModel; print('Pydantic OK')"
```
Common issues:
- Missing type annotations on route functions
- `Any` types in Pydantic models
- Untyped `Depends()` parameters
## Phase 3: Tests + Coverage
```bash
# Run all tests
pytest tests/ -v --cov=app --cov-report=term-missing --cov-report=html
# Run only unit tests (fast)
pytest tests/unit/ -v
# Run integration tests (requires DB)
pytest tests/integration/ -v
# Coverage threshold check
pytest --cov=app --cov-fail-under=80
```
Coverage targets:
| Component | Target |
|-----------|--------|
| Routes | 85%+ |
| Services | 90%+ |
| Domain Models | 95%+ |
| Overall | 80%+ |
## Phase 4: Security Scan
```bash
# Dependency vulnerabilities
pip-audit
safety check --full-report
# Bandit security linter
bandit -r app/ -ll -f text 2>&1 | head -40
# Secret scanning
gitleaks detect --source . --verbose 2>/dev/null || echo "gitleaks not installed"
# Check for hardcoded secrets
grep -rn "secret\|password\|api_key\|token" app/ --include="*.py" | grep -v "test\|example\|env\|settings" | grep -v "\.pyc"
```
## Phase 5: API Schema Validation
```bash
# Start server and generate OpenAPI schema
uvicorn app.main:app --host 0.0.0.0 --port 8000 &
sleep 2
# Fetch and validate OpenAPI schema
curl -s http://localhost:8000/openapi.json | python -m json.tool > /dev/null && echo "Schema: valid JSON"
# Save schema snapshot
curl -s http://localhost:8000/openapi.json > openapi-snapshot.json
# Compare with previous schema (breaking change detection)
# diff openapi-previous.json openapi-snapshot.json
# Stop server
kill %1
```
Schema checklist:
- All endpoints have summary and description
- All response models are typed (no `Any`)
- Error responses use RFC 7807 Problem Details format
- Authentication is documented (Bearer, OAuth2, etc.)
## Phase 6: Performance Spot Check
```bash
# Check for N+1 queries (requires SQLAlchemy event listener)
python -c "
import asyncio
from app.database import get_session
# Run suspicious endpoints and check query count
print('Run dev server with SQL echo=True to detect N+1')
"
# Response time spot check
uvicorn app.main:app --host 0.0.0.0 --port 8000 &
sleep 2
curl -o /dev/null -s -w "Response time: %{time_total}s\n" http://localhost:8000/health
kill %1
```
## Phase 7: Diff Review
```bash
# Show changes
git diff --stat
git diff | grep -E "todo|fixme|hack|xxx" -i
git diff | grep "print(" # Debug statements
git diff | grep "raise Exception" # Generic exceptions
```
Checklist:
- No `print()` debug statements — use `logging` or `structlog`
- No bare `except:` clauses
- No hardcoded secrets or credentials
- Pydantic response models cover all fields
- Background tasks have error handling
## Output Template
```
FASTAPI VERIFICATION REPORT
============================
Phase 1: Environment
✓ Python 3.13.x
✓ Virtual environment active
✓ DATABASE_URL set
✗ REDIS_URL missing (optional — feature disabled)
Phase 2: Type Checking & Linting
✓ mypy: No type errors
✓ ruff: No issues
✓ ruff format: Formatted correctly
Phase 3: Tests + Coverage
Tests: 183 passed, 0 failed, 2 skipped
Coverage:
Overall: 86%
routes: 88%
services: 91%
domain: 96%
Phase 4: Security
✓ pip-audit: No vulnerabilities
✓ bandit: No high-severity issues
✓ No secrets detected
Phase 5: API Schema
✓ Schema valid JSON
✓ 23 endpoints documented
✓ All responses typed
Phase 6: Performance
Response time /health: 0.008s
Phase 7: Diff Review
Files changed: 7
+210, -45 lines
✓ No debug statements
✓ No hardcoded secrets
RECOMMENDATION: ✓ Ready to merge
```
## Pre-Deployment Checklist
- [ ] All tests passing with 80%+ coverage
- [ ] No security vulnerabilities (pip-audit clean)
- [ ] SECRET_KEY not hardcoded, set from environment
- [ ] CORS origins restricted (not `*` in production)
- [ ] Rate limiting configured on sensitive endpoints
- [ ] Database connection pooling configured
- [ ] Alembic migrations applied
- [ ] Health check endpoint returns 200
- [ ] Error monitoring (Sentry) configured
- [ ] Structured logging (structlog) enabled
## Related Skills
- **`fastapi-patterns`** — Architecture patterns, Pydantic models, dependency injection
- **`python-testing`** — pytest fixtures, HTTPX async client, factory patterns
- **`django-verification`** — Similar loop for Django projects
- **`verification-loop`** — General-purpose verification for any projectRelated Skills
springboot-verification
Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR.
fastapi-patterns
FastAPI architecture patterns — async endpoints, Pydantic models, dependency injection, OpenAPI, background tasks, and testing with pytest + HTTPX.
django-verification
Verification loop for Django projects: migrations, linting, tests with coverage, security scans, and deployment readiness checks before release or PR.
verification-loop
A comprehensive verification system for Claude Code sessions.
zero-trust-patterns
Zero-Trust security patterns — mTLS between microservices (Istio/SPIFFE), SPIRE workload identity, OPA/Envoy authorization, NetworkPolicy default-deny-all, short-lived credentials, service mesh security, and Kubernetes RBAC hardening.
wireframing
Wireframing and prototyping workflow: fidelity levels (lo-fi sketch → mid-fi wireframe → hi-fi prototype), tool selection (Figma, Excalidraw, Balsamiq), user flow diagrams, wireframe annotation standards, information architecture (IA) mapping, and the handoff from wireframe to visual design. For developers who need to communicate UI structure before writing code.
webrtc-patterns
WebRTC patterns — peer connection setup, ICE/STUN/TURN configuration, signaling server design, SFU vs mesh topology, screen sharing, media track management, and reconnect/ICE restart handling.
webhook-patterns
Webhook patterns for receiving, verifying (HMAC), and idempotently processing third-party events. Covers Stripe, GitHub, and generic webhook patterns, delivery guarantees, retry handling, and testing.
web-performance
Web performance optimization: Core Web Vitals (LCP, CLS, INP), Lighthouse CI with budget configuration, bundle analysis (webpack-bundle-analyzer, vite-bundle-visualizer), hydration performance, network waterfall reading, image optimization (WebP/AVIF, srcset), and font performance.
wasm-performance
WebAssembly performance: wasm-opt binary optimization, size reduction (panic=abort, LTO, strip), profiling WASM in Chrome DevTools, memory management (linear memory, avoiding GC pressure), SIMD, and multi-threading with SharedArrayBuffer.
wasm-patterns
WebAssembly patterns: wasm-pack, wasm-bindgen (JS↔Wasm interop), WASI, Component Model, wasm-opt, Rust-to-WASM compilation, JS integration (web workers, streaming instantiation), and production deployment (CDN, Content-Type headers).
visual-testing
Visual Regression Testing: tool comparison (Chromatic/Percy/Playwright screenshots/BackstopJS), pixel-diff vs AI-based comparison, baseline management, flakiness strategies (masks, tolerances, waitForLoadState), CI integration with GitHub Actions, and Storybook integration.