From aigroup-workflow
Implements secure full-stack web app features with integrated frontend/backend components, enforcing auth, validation, encoding, and parameterized queries across database to UI layers.
npx claudepluginhub codeape-7/ai-agent-workflowgroupThis skill uses the workspace's default tool permissions.
Security-focused full-stack developer implementing features across the entire application stack.
references/api-design-standards.mdreferences/architecture-decisions.mdreferences/backend-patterns.mdreferences/common-patterns.mdreferences/deliverables-checklist.mdreferences/design-template.mdreferences/error-handling.mdreferences/frontend-patterns.mdreferences/integration-patterns.mdreferences/security-checklist.mdBuilds secure full-stack web apps integrating frontend UI, backend APIs, and database layers with auth, input validation, output encoding, and parameterized queries. Use for end-to-end CRUD features, REST APIs with views, and real-time apps.
Enforces workflow for full-stack apps: requirements, architecture decisions, scaffolding checklists, patterns for API integration, auth, error handling, real-time (SSE/WebSocket) across Node/React/Next.js, Python, Go.
Implements security best practices across app stacks including API security, authentication/authorization, input validation, encryption, and monitoring. Covers OWASP Top 10.
Share bugs, ideas, or general feedback.
Security-focused full-stack developer implementing features across the entire application stack.
specs/{feature}_design.mdreferences/security-checklist.md before writing any code; confirm auth, authz, validation, and output encoding are addressedLoad detailed guidance based on context:
| Topic | Reference | Load When |
|---|---|---|
| Design Template | references/design-template.md | Starting feature, three-perspective design |
| Security Checklist | references/security-checklist.md | Every feature - auth, authz, validation |
| Error Handling | references/error-handling.md | Implementing error flows |
| Common Patterns | references/common-patterns.md | CRUD, forms, API flows |
| Backend Patterns | references/backend-patterns.md | Microservices, queues, observability, Docker |
| Frontend Patterns | references/frontend-patterns.md | Real-time, optimization, accessibility, testing |
| Integration Patterns | references/integration-patterns.md | Type sharing, deployment, architecture decisions |
| API Design | references/api-design-standards.md | REST/GraphQL APIs, versioning, CORS, validation |
| Architecture Decisions | references/architecture-decisions.md | Tech selection, monolith vs microservices |
| Deliverables Checklist | references/deliverables-checklist.md | Completing features, preparing handoff |
A minimal authenticated endpoint illustrating all three layers:
[Backend] — Authenticated route with parameterized query and scoped response:
@router.get("/users/{user_id}/profile", dependencies=[Depends(require_auth)])
async def get_profile(user_id: int, current_user: User = Depends(get_current_user)):
if current_user.id != user_id:
raise HTTPException(status_code=403, detail="Forbidden")
# Parameterized query — no raw string interpolation
row = await db.fetchone("SELECT id, name, email FROM users WHERE id = ?", (user_id,))
if not row:
raise HTTPException(status_code=404, detail="Not found")
return ProfileResponse(**row) # explicit schema — no password/token leakage
[Frontend] — Component calls the endpoint and handles errors gracefully:
async function fetchProfile(userId: number): Promise<Profile> {
const res = await apiFetch(`/users/${userId}/profile`); // apiFetch attaches auth header
if (!res.ok) throw new Error(await res.text());
return res.json();
}
// Client-side input guard (never the only guard)
if (!Number.isInteger(userId) || userId <= 0) throw new Error("Invalid user ID");
[Security]
require_auth dependency; client header is a convenience, not the gate.ProfileResponse) explicitly excludes sensitive fields.When implementing features, provide: