fastapi-verification

Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.

8 stars

Best use case

fastapi-verification is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.

Teams using fastapi-verification should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/fastapi-verification/SKILL.md --create-dirs "https://raw.githubusercontent.com/marvinrichter/clarc/main/skills/fastapi-verification/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/fastapi-verification/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How fastapi-verification Compares

Feature / Agentfastapi-verificationStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# FastAPI Verification Loop

Run before PRs, after major changes, and pre-deploy to ensure FastAPI application quality and security.

## When to Activate

- Before opening a pull request for a FastAPI project
- After adding or modifying endpoints, Pydantic models, or dependencies
- Pre-deployment verification for staging or production
- Running full environment → lint → test → security → schema pipeline
- Validating Pydantic model correctness and test coverage

## Phase 1: Environment Check

```bash
# Verify Python version
python --version  # Should match project requirements (3.11+)

# Check virtual environment
which python
pip list --outdated

# Verify required env vars
python -c "
import os
required = ['DATABASE_URL', 'SECRET_KEY']
for var in required:
    status = 'SET' if os.environ.get(var) else 'MISSING'
    print(f'{status}: {var}')
"
```

If environment is misconfigured, stop and fix before proceeding.

## Phase 2: Type Checking & Linting

```bash
# Type checking with mypy
mypy app/ --strict 2>&1 | tail -20

# Linting and formatting with ruff
ruff check . --fix
ruff format . --check

# Type stubs check (Pydantic v2)
python -c "from pydantic import BaseModel; print('Pydantic OK')"
```

Common issues:
- Missing type annotations on route functions
- `Any` types in Pydantic models
- Untyped `Depends()` parameters

## Phase 3: Tests + Coverage

```bash
# Run all tests
pytest tests/ -v --cov=app --cov-report=term-missing --cov-report=html

# Run only unit tests (fast)
pytest tests/unit/ -v

# Run integration tests (requires DB)
pytest tests/integration/ -v

# Coverage threshold check
pytest --cov=app --cov-fail-under=80
```

Coverage targets:

| Component | Target |
|-----------|--------|
| Routes | 85%+ |
| Services | 90%+ |
| Domain Models | 95%+ |
| Overall | 80%+ |

## Phase 4: Security Scan

```bash
# Dependency vulnerabilities
pip-audit
safety check --full-report

# Bandit security linter
bandit -r app/ -ll -f text 2>&1 | head -40

# Secret scanning
gitleaks detect --source . --verbose 2>/dev/null || echo "gitleaks not installed"

# Check for hardcoded secrets
grep -rn "secret\|password\|api_key\|token" app/ --include="*.py" | grep -v "test\|example\|env\|settings" | grep -v "\.pyc"
```

## Phase 5: API Schema Validation

```bash
# Start server and generate OpenAPI schema
uvicorn app.main:app --host 0.0.0.0 --port 8000 &
sleep 2

# Fetch and validate OpenAPI schema
curl -s http://localhost:8000/openapi.json | python -m json.tool > /dev/null && echo "Schema: valid JSON"

# Save schema snapshot
curl -s http://localhost:8000/openapi.json > openapi-snapshot.json

# Compare with previous schema (breaking change detection)
# diff openapi-previous.json openapi-snapshot.json

# Stop server
kill %1
```

Schema checklist:
- All endpoints have summary and description
- All response models are typed (no `Any`)
- Error responses use RFC 7807 Problem Details format
- Authentication is documented (Bearer, OAuth2, etc.)

## Phase 6: Performance Spot Check

```bash
# Check for N+1 queries (requires SQLAlchemy event listener)
python -c "
import asyncio
from app.database import get_session
# Run suspicious endpoints and check query count
print('Run dev server with SQL echo=True to detect N+1')
"

# Response time spot check
uvicorn app.main:app --host 0.0.0.0 --port 8000 &
sleep 2
curl -o /dev/null -s -w "Response time: %{time_total}s\n" http://localhost:8000/health
kill %1
```

## Phase 7: Diff Review

```bash
# Show changes
git diff --stat
git diff | grep -E "todo|fixme|hack|xxx" -i
git diff | grep "print("       # Debug statements
git diff | grep "raise Exception"  # Generic exceptions
```

Checklist:
- No `print()` debug statements — use `logging` or `structlog`
- No bare `except:` clauses
- No hardcoded secrets or credentials
- Pydantic response models cover all fields
- Background tasks have error handling

## Output Template

```
FASTAPI VERIFICATION REPORT
============================

Phase 1: Environment
  ✓ Python 3.13.x
  ✓ Virtual environment active
  ✓ DATABASE_URL set
  ✗ REDIS_URL missing (optional — feature disabled)

Phase 2: Type Checking & Linting
  ✓ mypy: No type errors
  ✓ ruff: No issues
  ✓ ruff format: Formatted correctly

Phase 3: Tests + Coverage
  Tests: 183 passed, 0 failed, 2 skipped
  Coverage:
    Overall: 86%
    routes: 88%
    services: 91%
    domain: 96%

Phase 4: Security
  ✓ pip-audit: No vulnerabilities
  ✓ bandit: No high-severity issues
  ✓ No secrets detected

Phase 5: API Schema
  ✓ Schema valid JSON
  ✓ 23 endpoints documented
  ✓ All responses typed

Phase 6: Performance
  Response time /health: 0.008s

Phase 7: Diff Review
  Files changed: 7
  +210, -45 lines
  ✓ No debug statements
  ✓ No hardcoded secrets

RECOMMENDATION: ✓ Ready to merge
```

## Pre-Deployment Checklist

- [ ] All tests passing with 80%+ coverage
- [ ] No security vulnerabilities (pip-audit clean)
- [ ] SECRET_KEY not hardcoded, set from environment
- [ ] CORS origins restricted (not `*` in production)
- [ ] Rate limiting configured on sensitive endpoints
- [ ] Database connection pooling configured
- [ ] Alembic migrations applied
- [ ] Health check endpoint returns 200
- [ ] Error monitoring (Sentry) configured
- [ ] Structured logging (structlog) enabled

## Related Skills

- **`fastapi-patterns`** — Architecture patterns, Pydantic models, dependency injection
- **`python-testing`** — pytest fixtures, HTTPX async client, factory patterns
- **`django-verification`** — Similar loop for Django projects
- **`verification-loop`** — General-purpose verification for any project

Related Skills

springboot-verification

8
from marvinrichter/clarc

Verification loop for Spring Boot projects: build, static analysis, tests with coverage, security scans, and diff review before release or PR.

fastapi-patterns

8
from marvinrichter/clarc

FastAPI architecture patterns — async endpoints, Pydantic models, dependency injection, OpenAPI, background tasks, and testing with pytest + HTTPX.

django-verification

8
from marvinrichter/clarc

Verification loop for Django projects: migrations, linting, tests with coverage, security scans, and deployment readiness checks before release or PR.

verification-loop

8
from marvinrichter/clarc

A comprehensive verification system for Claude Code sessions.

zero-trust-patterns

8
from marvinrichter/clarc

Zero-Trust security patterns — mTLS between microservices (Istio/SPIFFE), SPIRE workload identity, OPA/Envoy authorization, NetworkPolicy default-deny-all, short-lived credentials, service mesh security, and Kubernetes RBAC hardening.

wireframing

8
from marvinrichter/clarc

Wireframing and prototyping workflow: fidelity levels (lo-fi sketch → mid-fi wireframe → hi-fi prototype), tool selection (Figma, Excalidraw, Balsamiq), user flow diagrams, wireframe annotation standards, information architecture (IA) mapping, and the handoff from wireframe to visual design. For developers who need to communicate UI structure before writing code.

webrtc-patterns

8
from marvinrichter/clarc

WebRTC patterns — peer connection setup, ICE/STUN/TURN configuration, signaling server design, SFU vs mesh topology, screen sharing, media track management, and reconnect/ICE restart handling.

webhook-patterns

8
from marvinrichter/clarc

Webhook patterns for receiving, verifying (HMAC), and idempotently processing third-party events. Covers Stripe, GitHub, and generic webhook patterns, delivery guarantees, retry handling, and testing.

web-performance

8
from marvinrichter/clarc

Web performance optimization: Core Web Vitals (LCP, CLS, INP), Lighthouse CI with budget configuration, bundle analysis (webpack-bundle-analyzer, vite-bundle-visualizer), hydration performance, network waterfall reading, image optimization (WebP/AVIF, srcset), and font performance.

wasm-performance

8
from marvinrichter/clarc

WebAssembly performance: wasm-opt binary optimization, size reduction (panic=abort, LTO, strip), profiling WASM in Chrome DevTools, memory management (linear memory, avoiding GC pressure), SIMD, and multi-threading with SharedArrayBuffer.

wasm-patterns

8
from marvinrichter/clarc

WebAssembly patterns: wasm-pack, wasm-bindgen (JS↔Wasm interop), WASI, Component Model, wasm-opt, Rust-to-WASM compilation, JS integration (web workers, streaming instantiation), and production deployment (CDN, Content-Type headers).

visual-testing

8
from marvinrichter/clarc

Visual Regression Testing: tool comparison (Chromatic/Percy/Playwright screenshots/BackstopJS), pixel-diff vs AI-based comparison, baseline management, flakiness strategies (masks, tolerances, waitForLoadState), CI integration with GitHub Actions, and Storybook integration.