From vanguard-frontier-agentic
Reviews frontend-to-backend API contracts for data-minimization, authorization enforcement, error-shape safety, CORS, and versioning before shipping.
How this skill is triggered — by the user, by Claude, or both
Slash command
/vanguard-frontier-agentic:api-integration-contract-reviewThis skill is limited to the following tools:
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Review any new or changed API contract consumed by the frontend — a direct backend call or a BFF (backend-for-frontend) route handler — for data-minimization (no field returned to a client that the caller is not authorized to see), object-level authorization enforced independently on the server, error-shape safety (no upstream internals leaking to the client), CORS correctness, and backward-com...
Review any new or changed API contract consumed by the frontend — a direct backend call or a BFF (backend-for-frontend) route handler — for data-minimization (no field returned to a client that the caller is not authorized to see), object-level authorization enforced independently on the server, error-shape safety (no upstream internals leaking to the client), CORS correctness, and backward-compatible versioning for existing consumers. This skill exists so those four concerns get a disciplined, security-severity review every time a contract is introduced or changed, instead of being waved through as "just wiring."
Use this skill when the user asks to:
Do not use this skill for:
state-management-decision-review,frontend-platform-architecture-review; use this skill for the contract itself once the boundary decision is made,nextjs-app-router-data-fetching-review.dynamic, revalidate, fetchCache, runtime) against the repo's confirmed major version — read package.json first. As of Next.js 15+, GET Route Handlers are no longer cached by default; caching requires an explicit export const dynamic = 'force-static'. A route relying on pre-15 default-caching behavior to protect against overexposure (or that assumes it is uncached when it is actually configured force-static) is a version-sensitive misconfiguration risk, not a stylistic detail — verify the version before trusting either claim./vercel/next.js. Resolve fresh via resolve-library-id for any other backend/BFF framework named in the review (Express, Fastify, NestJS, etc.) rather than assuming Next.js conventions transfer.undefined properties are dropped during serialization, so a key intended to separate two roles/users can silently collide if one property is undefined for one caller and omitted for another. Matched library ID: /tanstack/query.force-static exists and changes default caching). It does not prove this specific route handler is configured correctly, or that authorization is actually enforced server-side. Pair every Context7-grounded capability claim with a repo-evidence check (the actual route handler code, the actual authorization middleware) before treating a finding as resolved.documentation-based — unverified this session and require confirmation before final sign-off.Access-Control-Allow-Origin: *) combined with Access-Control-Allow-Credentials: true as an automatic blocking finding — this combination is invalid per the CORS spec in browsers that enforce it correctly, and where it is not rejected outright it defeats the purpose of credentialed requests.repo evidence, Context7-verified, documentation-based — unverified this session, or inference. Documentation proves framework capability; it does not prove this endpoint's authorization is correctly wired.Load these only when needed:
Return, at minimum:
Context7-verified or documentation-based — unverified this session.npx claudepluginhub raishin/vanguard-frontier-agentic --plugin vanguard-frontier-agenticReviews API contract changes for breaking changes, consumer impact, auth contracts, and error semantics. Use when an API surface changes and needs a dedicated reviewer.
Determines whether aggregation/shaping logic belongs in a BFF layer or client-side composition, and audits BFF boundaries for scope creep, duplicated logic, and trust-boundary erosion.
Reviews API endpoints for authentication, authorization, and input validation gaps. Works with Next.js API routes and middleware, and adapts for Express/Fastify.