From fullstack-dev-skills
Security-focused full-stack development skill covering database to UI with layered security. Enforces auth, validation, and encoding across frontend and backend.
Install: `npx claudepluginhub jeffallan/claude-skills --plugin fullstack-dev-skills`

Trigger: slash command `/fullstack-dev-skills:fullstack-guardian`

Skill-listing summary (what Claude sees when deciding whether to auto-load this skill): Security-focused full-stack developer implementing features across the entire application stack.
Reference files: references/api-design-standards.md, references/architecture-decisions.md, references/backend-patterns.md, references/common-patterns.md, references/deliverables-checklist.md, references/design-template.md, references/error-handling.md, references/frontend-patterns.md, references/integration-patterns.md, references/security-checklist.md

Builds secure full-stack web apps by integrating frontend/backend components with security layers including auth, input validation, output encoding, and parameterized queries across database to UI. For end-to-end CRUD, REST APIs with UI, and feature implementation.
Enforces workflow for full-stack apps: requirements, architecture decisions, scaffolding checklists, patterns for API integration, auth, error handling, real-time (SSE/WebSocket) across Node/React/Next.js, Python, Go.
Implements secure backend coding practices including input validation, authentication, API security, injection prevention, error handling, and HTTP security headers. Use for backend security implementations and code reviews.
Before writing any code, read specs/{feature}_design.md and references/security-checklist.md; confirm that auth, authz, validation, and output encoding are addressed.

Load detailed guidance based on context:
| Topic | Reference | Load When |
|---|---|---|
| Design Template | references/design-template.md | Starting feature, three-perspective design |
| Security Checklist | references/security-checklist.md | Every feature - auth, authz, validation |
| Error Handling | references/error-handling.md | Implementing error flows |
| Common Patterns | references/common-patterns.md | CRUD, forms, API flows |
| Backend Patterns | references/backend-patterns.md | Microservices, queues, observability, Docker |
| Frontend Patterns | references/frontend-patterns.md | Real-time, optimization, accessibility, testing |
| Integration Patterns | references/integration-patterns.md | Type sharing, deployment, architecture decisions |
| API Design | references/api-design-standards.md | REST/GraphQL APIs, versioning, CORS, validation |
| Architecture Decisions | references/architecture-decisions.md | Tech selection, monolith vs microservices |
| Deliverables Checklist | references/deliverables-checklist.md | Completing features, preparing handoff |
A minimal authenticated endpoint illustrating all three layers:
[Backend] — Authenticated route with parameterized query and scoped response:
```python
from fastapi import APIRouter, Depends, HTTPException

# require_auth, get_current_user, User, ProfileResponse and db are defined elsewhere in the app
router = APIRouter()


@router.get("/users/{user_id}/profile", dependencies=[Depends(require_auth)])
async def get_profile(user_id: int, current_user: User = Depends(get_current_user)):
    # Authorization: a caller may only read their own profile
    if current_user.id != user_id:
        raise HTTPException(status_code=403, detail="Forbidden")
    # Parameterized query — no raw string interpolation
    row = await db.fetchone("SELECT id, name, email FROM users WHERE id = ?", (user_id,))
    if not row:
        raise HTTPException(status_code=404, detail="Not found")
    return ProfileResponse(**row)  # explicit schema — no password/token leakage
```
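The three server-side guards in the route above (ownership check, parameterized query, explicit response schema), exercised as an added runnable illustration. This is not the skill's own code: it assumes an in-memory SQLite table with constructed sample rows, uses a plain function instead of a FastAPI route, and the names `HTTPError`, `make_db`, `profile_status`, `lookup_interpolated` and `lookup_parameterized` are chosen here. The vulnerable interpolated lookup is shown beside the parameterized one so the difference is visible on the same hostile input.

```python
import sqlite3
from dataclasses import dataclass


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): two users, each with a password_hash
    column that must never reach a client."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row  # rows behave like mappings, so ProfileResponse(**row) works
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.com", "$argon2id$v=19$m=65536,t=3,p=4$alice-hash"),
            (2, "bob", "bob@example.com", "$argon2id$v=19$m=65536,t=3,p=4$bob-hash"),
        ],
    )
    return conn


@dataclass(frozen=True)
class ProfileResponse:
    """Explicit response schema: only these fields can ever be serialized."""
    id: int
    name: str
    email: str


class HTTPError(Exception):
    """Stand-in (assumed name) for FastAPI's HTTPException so the block runs without FastAPI."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


def get_profile(conn: sqlite3.Connection, user_id: int, current_user_id: int) -> ProfileResponse:
    """Synchronous equivalent of the route: authz check, parameterized query, scoped response."""
    # Authorization (the 403 branch): only the owner may read this profile.
    if current_user_id != user_id:
        raise HTTPError(403, "Forbidden")
    # Parameterized query: user_id is bound as a value, never spliced into the SQL text.
    row = conn.execute("SELECT id, name, email FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise HTTPError(404, "Not found")
    # Explicit schema: password_hash was never selected and cannot be copied out by accident.
    return ProfileResponse(**dict(row))


def profile_status(conn: sqlite3.Connection, user_id: int, current_user_id: int) -> int:
    """Helper returning the HTTP status the route would produce (200 on success)."""
    try:
        get_profile(conn, user_id, current_user_id)
        return 200
    except HTTPError as exc:
        return exc.status_code


def lookup_interpolated(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Deliberately vulnerable counterpart: string interpolation lets the caller rewrite the
    WHERE clause, and SELECT * drags password_hash into the result."""
    rows = conn.execute(f"SELECT * FROM users WHERE id = {user_id}").fetchall()
    return [tuple(r) for r in rows]


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list[tuple]:
    """Same input bound as a parameter: the payload is compared as one literal value and
    matches no row, while a well-formed id such as "1" still matches."""
    rows = conn.execute("SELECT id, name, email FROM users WHERE id = ?", (user_id,)).fetchall()
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(get_profile(db, 1, 1))
    print(profile_status(db, 2, 1))              # 403: bob's profile requested by alice
    print(lookup_interpolated(db, "1 OR 1=1"))   # every row, hashes included
    print(lookup_parameterized(db, "1 OR 1=1"))  # []
```

The interpolated lookup returns both users and their password hashes for the input `1 OR 1=1`; the parameterized lookup returns nothing for the same input because SQLite compares the whole string as a single value against the integer id column.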
[Frontend] — Component calls the endpoint and handles errors gracefully:
```typescript
// apiFetch attaches the auth header and is defined elsewhere in the app
declare function apiFetch(path: string): Promise<Response>;

// Mirrors the backend's ProfileResponse: only the fields the server returns
interface Profile {
  id: number;
  name: string;
  email: string;
}

async function fetchProfile(userId: number): Promise<Profile> {
  // Client-side input guard (never the only guard): the server re-checks auth and ownership
  if (!Number.isInteger(userId) || userId <= 0) throw new Error("Invalid user ID");
  const res = await apiFetch(`/users/${userId}/profile`); // apiFetch attaches auth header
  if (!res.ok) throw new Error(await res.text());
  return res.json();
}
```
[Security]
- Authentication is enforced server-side by the require_auth dependency; the client's auth header is a convenience, not the gate.
- Authorization is checked in the handler: current_user.id must equal the requested user_id, otherwise the route returns 403, so an authenticated user cannot read another user's profile.
- The database query is parameterized; user_id is bound as a value and never interpolated into the SQL string.
- The response schema (ProfileResponse) explicitly excludes sensitive fields such as password hashes and tokens.

When implementing features, provide: