Skill

fastapi-verification

Verification loop for FastAPI projects: type checking, linting, tests with coverage, security scans, and API schema validation before release or PR.

From clarc

Install

Run in your terminal

npx claudepluginhub marvinrichter/clarc --plugin clarc

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

agent-harness-construction

Designs and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.

everything-claude-code

139.9k

agent-payment-x402

Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.

everything-claude-code

139.9k

agent-eval

Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.

everything-claude-code

139.9k

Stats

Stars7

Forks0

Last CommitMar 9, 2026

Actions

View Source View Plugin View on GitHub View README

FastAPI Verification Loop

Run before PRs, after major changes, and pre-deploy to ensure FastAPI application quality and security.

When to Activate

Before opening a pull request for a FastAPI project
After adding or modifying endpoints, Pydantic models, or dependencies
Pre-deployment verification for staging or production
Running full environment → lint → test → security → schema pipeline
Validating Pydantic model correctness and test coverage

Phase 1: Environment Check

# Verify Python version
python --version  # Should match project requirements (3.11+)

# Check virtual environment
which python
pip list --outdated

# Verify required env vars
python -c "
import os
required = ['DATABASE_URL', 'SECRET_KEY']
for var in required:
    status = 'SET' if os.environ.get(var) else 'MISSING'
    print(f'{status}: {var}')
"

If environment is misconfigured, stop and fix before proceeding.

Phase 2: Type Checking & Linting

# Type checking with mypy
mypy app/ --strict 2>&1 | tail -20

# Linting and formatting with ruff
ruff check . --fix
ruff format . --check

# Type stubs check (Pydantic v2)
python -c "from pydantic import BaseModel; print('Pydantic OK')"

Common issues:

Missing type annotations on route functions
Any types in Pydantic models
Untyped Depends() parameters

Phase 3: Tests + Coverage

# Run all tests
pytest tests/ -v --cov=app --cov-report=term-missing --cov-report=html

# Run only unit tests (fast)
pytest tests/unit/ -v

# Run integration tests (requires DB)
pytest tests/integration/ -v

# Coverage threshold check
pytest --cov=app --cov-fail-under=80

Coverage targets:

Component	Target
Routes	85%+
Services	90%+
Domain Models	95%+
Overall	80%+

Phase 4: Security Scan

# Dependency vulnerabilities
pip-audit
safety check --full-report

# Bandit security linter
bandit -r app/ -ll -f text 2>&1 | head -40

# Secret scanning
gitleaks detect --source . --verbose 2>/dev/null || echo "gitleaks not installed"

# Check for hardcoded secrets
grep -rn "secret\|password\|api_key\|token" app/ --include="*.py" | grep -v "test\|example\|env\|settings" | grep -v "\.pyc"

Phase 5: API Schema Validation

# Start server and generate OpenAPI schema
uvicorn app.main:app --host 0.0.0.0 --port 8000 &
sleep 2

# Fetch and validate OpenAPI schema
curl -s http://localhost:8000/openapi.json | python -m json.tool > /dev/null && echo "Schema: valid JSON"

# Save schema snapshot
curl -s http://localhost:8000/openapi.json > openapi-snapshot.json

# Compare with previous schema (breaking change detection)
# diff openapi-previous.json openapi-snapshot.json

# Stop server
kill %1

Schema checklist:

All endpoints have summary and description
All response models are typed (no Any)
Error responses use RFC 7807 Problem Details format
Authentication is documented (Bearer, OAuth2, etc.)

Phase 6: Performance Spot Check

# Check for N+1 queries (requires SQLAlchemy event listener)
python -c "
import asyncio
from app.database import get_session
# Run suspicious endpoints and check query count
print('Run dev server with SQL echo=True to detect N+1')
"

# Response time spot check
uvicorn app.main:app --host 0.0.0.0 --port 8000 &
sleep 2
curl -o /dev/null -s -w "Response time: %{time_total}s\n" http://localhost:8000/health
kill %1

Phase 7: Diff Review

# Show changes
git diff --stat
git diff | grep -E "todo|fixme|hack|xxx" -i
git diff | grep "print("       # Debug statements
git diff | grep "raise Exception"  # Generic exceptions

Checklist:

No print() debug statements — use logging or structlog
No bare except: clauses
No hardcoded secrets or credentials
Pydantic response models cover all fields
Background tasks have error handling

Output Template

FASTAPI VERIFICATION REPORT
============================

Phase 1: Environment
  ✓ Python 3.13.x
  ✓ Virtual environment active
  ✓ DATABASE_URL set
  ✗ REDIS_URL missing (optional — feature disabled)

Phase 2: Type Checking & Linting
  ✓ mypy: No type errors
  ✓ ruff: No issues
  ✓ ruff format: Formatted correctly

Phase 3: Tests + Coverage
  Tests: 183 passed, 0 failed, 2 skipped
  Coverage:
    Overall: 86%
    routes: 88%
    services: 91%
    domain: 96%

Phase 4: Security
  ✓ pip-audit: No vulnerabilities
  ✓ bandit: No high-severity issues
  ✓ No secrets detected

Phase 5: API Schema
  ✓ Schema valid JSON
  ✓ 23 endpoints documented
  ✓ All responses typed

Phase 6: Performance
  Response time /health: 0.008s

Phase 7: Diff Review
  Files changed: 7
  +210, -45 lines
  ✓ No debug statements
  ✓ No hardcoded secrets

RECOMMENDATION: ✓ Ready to merge

Pre-Deployment Checklist

Related Skills

fastapi-patterns — Architecture patterns, Pydantic models, dependency injection
python-testing — pytest fixtures, HTTPX async client, factory patterns
django-verification — Similar loop for Django projects
verification-loop — General-purpose verification for any project