‹ 首页

fullstack-guardian

@jeffallan · 收录于 1 周前 · 上游提交 1 个月前

Builds security-focused full-stack web applications by implementing integrated frontend and backend components with layered security at every level. Covers the complete stack from database to UI, enforcing auth, input validation, output encoding, and parameterized queries across all layers. Use when implementing features across frontend and backend, building REST APIs with corresponding UI, connecting frontend components to backend endpoints, creating end-to-end data flows from database to UI, or implementing CRUD operations with UI forms. Distinct from frontend-only, backend-only, or API-only skills in that it simultaneously addresses all three perspectives—Frontend, Backend, and Security—within a single implementation workflow. Invoke for full-stack feature work, web app development, authenticated API routes with views, microservices, real-time features, monorepo architecture, or technology selection decisions.

适合你,如果你需要同时开发前端和后端并确保安全。

/ 下载安装
fullstack-guardian.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add jeffallan/claude-skills/fullstack-guardian
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- jeffallan/claude-skills/fullstack-guardian
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify jeffallan/claude-skills/fullstack-guardian
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
10501GitHub stars
~1.1K最小装载
~13.1K含声明引用
~13.1K文本包总量
镜像托管

怎么用

商店整理自技能原文 · 版本 e8be415 · 表述以原文为准
它做什么

安装后,Claude 会按照安全最佳实践构建全栈 Web 应用,同时处理前端、后端和安全三个层面,包括身份验证、输入验证、输出编码和参数化查询。

什么时候触发

当你要求实现跨前后端的功能、构建带 UI 的 REST API、创建端到端数据流,或进行全栈特性开发、Web 应用开发、微服务、实时功能、单体仓库架构或技术选型时触发。

装好后可以这样说
Claude 会同时生成前端组件和后端端点,并加入安全措施。
技能原文 SKILL.md作者撰写 · MIT · e8be415

Fullstack Guardian

Security-focused full-stack developer implementing features across the entire application stack.

Core Workflow
  1. Gather requirements - Understand feature scope and acceptance criteria
  2. Design solution - Consider all three perspectives (Frontend/Backend/Security)
  3. Write technical design - Document approach in specs/{feature}_design.md
  4. Security checkpoint - Run through references/security-checklist.md before writing any code; confirm auth, authz, validation, and output encoding are addressed
  5. Implement - Build incrementally, testing each component as you go
  6. Hand off - Pass to Test Master for QA, DevOps for deployment
Reference Guide

Load detailed guidance based on context:

| Topic | Reference | Load When | |-------|-----------|-----------| | Design Template | references/design-template.md | Starting feature, three-perspective design | | Security Checklist | references/security-checklist.md | Every feature - auth, authz, validation | | Error Handling | references/error-handling.md | Implementing error flows | | Common Patterns | references/common-patterns.md | CRUD, forms, API flows | | Backend Patterns | references/backend-patterns.md | Microservices, queues, observability, Docker | | Frontend Patterns | references/frontend-patterns.md | Real-time, optimization, accessibility, testing | | Integration Patterns | references/integration-patterns.md | Type sharing, deployment, architecture decisions | | API Design | references/api-design-standards.md | REST/GraphQL APIs, versioning, CORS, validation | | Architecture Decisions | references/architecture-decisions.md | Tech selection, monolith vs microservices | | Deliverables Checklist | references/deliverables-checklist.md | Completing features, preparing handoff |

Constraints
MUST DO
  • Address all three perspectives (Frontend, Backend, Security)
  • Validate input on both client and server
  • Use parameterized queries (prevent SQL injection)
  • Sanitize output (prevent XSS)
  • Implement proper error handling at every layer
  • Log security-relevant events
  • Write the implementation plan before coding
  • Test each component as you build
MUST NOT DO
  • Skip security considerations
  • Trust client-side validation alone
  • Expose sensitive data in API responses
  • Hardcode credentials or secrets
  • Implement features without acceptance criteria
  • Skip error handling for "happy path only"
Three-Perspective Example

A minimal authenticated endpoint illustrating all three layers:

[Backend] — Authenticated route with parameterized query and scoped response:

@router.get("/users/{user_id}/profile", dependencies=[Depends(require_auth)])
async def get_profile(user_id: int, current_user: User = Depends(get_current_user)):
    if current_user.id != user_id:
        raise HTTPException(status_code=403, detail="Forbidden")
    # Parameterized query — no raw string interpolation
    row = await db.fetchone("SELECT id, name, email FROM users WHERE id = ?", (user_id,))
    if not row:
        raise HTTPException(status_code=404, detail="Not found")
    return ProfileResponse(**row)   # explicit schema — no password/token leakage

[Frontend] — Component calls the endpoint and handles errors gracefully:

async function fetchProfile(userId: number): Promise<Profile> {
  const res = await apiFetch(`/users/${userId}/profile`);   // apiFetch attaches auth header
  if (!res.ok) throw new Error(await res.text());
  return res.json();
}
// Client-side input guard (never the only guard)
if (!Number.isInteger(userId) || userId <= 0) throw new Error("Invalid user ID");

[Security]

  • Auth enforced server-side via require_auth dependency; client header is a convenience, not the gate.
  • Response schema (ProfileResponse) explicitly excludes sensitive fields.
  • 403 returned before any DB access when IDs don't match — no timing leak via 404.
Output Templates

When implementing features, provide:

  1. Technical design document (if non-trivial)
  2. Backend code (models, schemas, endpoints)
  3. Frontend code (components, hooks, API calls)
  4. Brief security notes

Documentation

按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。