api-audit
Installation
SKILL.md
API Route & Type Audit Skill
Read-only cross-reference of API routes against shared type definitions. Do NOT modify any files.
NEVER
- Never flag a missing schema without first confirming the framework doesn't use inline validation (Fastify schema objects, Zod in middleware, etc.).
- Never report an auth gap without verifying the route should actually be protected — not all routes require auth.
- Never treat orphaned types as critical — they may be planned, transitional, or used by SDK consumers not visible in the route tree.
- Never make assumptions about auth from route path alone —
/admin/*prefix doesn't guarantee a route requires auth without inspecting the hook chain.
Decision: What counts as a real mismatch?
Schema drift — only if the shared type and the route handler both exist but disagree on shape (field names, required vs optional, type divergence). A route using its own inline schema is not drift.
Auth gap — only if: (a) a sibling or parent route has auth hooks AND (b) the route handles mutations or user-scoped data. Public GET endpoints with no sibling pattern are ambiguous — report as Info, not Critical.
Orphaned type — only if the schema has no imports, no references in any route file, and is not in a types/ package that may serve external consumers.