From fullstack-agents
Audit fetch pattern compliance — checks server actions use /backend/ URLs, API routes use backendFetch with (token, headers), client uses api not fetchClient, and CSRF flows correctly.
npx claudepluginhub adelabdelgawad/fullstack-agents --plugin fullstack-agentsThis skill uses the workspace's default tool permissions.
Validate that the codebase follows the correct fetch architecture. Run after code generation, during review, or when debugging data-flow issues.
Searches, retrieves, and installs Agent Skills from prompts.chat registry using MCP tools like search_skills and get_skill. Activates for finding skills, browsing catalogs, or extending Claude.
Searches prompts.chat for AI prompt templates by keyword or category, retrieves by ID with variable handling, and improves prompts via AI. Use for discovering or enhancing prompts.
Checks Next.js compilation errors using a running Turbopack dev server after code edits. Fixes actionable issues before reporting complete. Replaces `next build`.
Validate that the codebase follows the correct fetch architecture. Run after code generation, during review, or when debugging data-flow issues.
/fetch-validate # Full codebase audit
/fetch-validate server-actions # Only check server actions
/fetch-validate api-routes # Only check API routes
/fetch-validate client # Only check client components
For full architecture details, see fetch-architecture/SKILL.md. Quick summary:
SERVER PATH (1 hop): Server Action → directBackendFetch() → FastAPI
URLs: /backend/setting/users
CLIENT PATH (2 hops): Client → api.post() → /api/... → withAuth() → backendFetch() → FastAPI
| File | Who imports it |
|---|---|
lib/fetch/server.ts | Server actions only (lib/actions/) |
lib/fetch/client.ts | Client components only |
lib/fetch/backend.ts | API routes only (app/api/) |
lib/fetch/api-route-helper.ts | API routes only (app/api/) |
Run these sequentially. Report violations with file:line references.
Scan all files in lib/actions/ (and subdirectories).
Rules:
/backend/ prefix (not /api/)backendFetchapi-route-helperGrep pattern="serverGet|serverPost|serverPut|serverDelete" path="lib/actions/" output_mode="content"
→ Filter for lines containing '/api/' — each match is a violation
Grep pattern="from.*fetch/backend" path="lib/actions/"
→ Should return ZERO results
Grep pattern="from.*api-route-helper" path="lib/actions/"
→ Should return ZERO results
Fix for violations:
/api/setting/X → /backend/setting/XbackendFetch imports — use serverGet/Post/Put/Delete insteadScan all files in app/api/.
Rules:
backendFetch from @/lib/fetch/backend (NOT from ./server)backendGet/Post/Put/Delete helper functions(token) callback(token, headers) callback{ headers } to backendFetchGrep pattern="backendFetch.*from.*server" path="app/api/"
→ Should return ZERO results
Grep pattern="backendGet|backendPost|backendPut|backendDelete" path="app/api/"
→ Should return ZERO results
For each mutation route, check withAuth callback includes "headers":
Grep pattern="withAuth" path="app/api/" output_mode="content"
→ Review: POST/PUT/PATCH/DELETE handlers should have (token, headers)
Fix for violations:
from '@/lib/fetch/server' → from '@/lib/fetch/backend'backendGet('/path', token) → backendFetch('/path', token)backendPost('/path', token, body) → backendFetch('/path', token, { method: 'POST', body, headers })(token) => on mutations → (token, headers) => and add { headers } to optionsScan app/ and components/ for .tsx and .ts files.
Rules:
fetchClient usage (deprecated)api.get/post/put/patch/delete which returns T directly{ data: ... } destructuring from API callsGrep pattern="fetchClient" path="app/" glob="*.{ts,tsx}"
→ Should return ZERO results
Grep pattern="fetchClient" path="components/" glob="*.{ts,tsx}"
→ Should return ZERO results
Fix for violations:
fetchClient.get<T>(url) → api.get<T>(url) (returns T directly)const { data: result } = await fetchClient.put(...) → const result = await api.put(...)Verify CSRF is wired through all three layers.
Grep pattern="getServerCsrfToken" path="lib/fetch/server.ts"
→ Must find the function
Grep pattern="csrfManager" path="lib/fetch/client.ts"
→ Must find csrfManager.getToken() usage
Grep pattern="X-CSRF-Token" path="lib/fetch/api-route-helper.ts"
→ Must find CSRF header forwarding
Grep pattern="from ['\"]swr['\"]|useSWR" path="app/" glob="*.{ts,tsx}"
→ Should return ZERO results (Strategy A only)
Grep pattern="from ['\"]swr['\"]|useSWR" path="components/" glob="*.{ts,tsx}"
→ Should return ZERO results
## Fetch Validation Report
### Summary
- **Passed**: X checks
- **Failed**: Y checks
- **Warnings**: Z checks
### Server Actions (lib/actions/)
- [x] All URLs use /backend/ prefix
- [x] No backendFetch imports
- [ ] FAIL: lib/actions/users.actions.ts:42 — uses /api/setting/users
### API Routes (app/api/)
- [x] All import from @/lib/fetch/backend
- [x] No backendGet/Post/Put/Delete helpers
- [ ] WARN: app/api/dialer/queue/leads/[id]/reset-stuck/route.ts:4 — POST uses (token) not (token, headers)
### Client Components
- [x] No fetchClient usage
- [x] No { data } destructuring
### CSRF
- [x] Server: getServerCsrfToken present
- [x] Client: csrfManager present
- [x] API Routes: forwardHeaders present
### Data Strategy
- [x] No SWR imports (Strategy A)
For CI or quick checks, run the helper script from src/frontend/:
cd src/frontend/
python3 /path/to/fullstack-agents/skills/fetch-architecture/scripts/helper.py validate