api-audit
API Route & Type Audit Skill
Read-only cross-reference of API routes against shared type definitions. Do NOT modify any files.
NEVER
- Never flag a missing schema without first confirming the framework doesn't use inline validation (Fastify schema objects, Zod in middleware, etc.).
- Never report an auth gap without verifying the route should actually be protected — not all routes require auth.
- Never treat orphaned types as critical — they may be planned, transitional, or used by SDK consumers not visible in the route tree.
- Never make assumptions about auth from route path alone: an /admin/* prefix doesn't guarantee a route requires auth without inspecting the hook chain.
Decision: What counts as a real mismatch?
Schema drift — only if the shared type and the route handler both exist but disagree on shape (field names, required vs optional, type divergence). A route using its own inline schema is not drift.
Auth gap — only if: (a) a sibling or parent route has auth hooks AND (b) the route handles mutations or user-scoped data. Public GET endpoints with no sibling pattern are ambiguous — report as Info, not Critical.
Orphaned type — only if the schema has no imports, no references in any route file, and is not in a types/ package that may serve external consumers.
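The auth-gap rule above, applied to a small route inventory. This is an added example, not code from the skill itself. The hook names, the `userScoped` flag, the finding labels, and the definition of sibling/parent (shared parent path, or a strict path prefix) are assumptions made for illustration.

```javascript
// Constructed inventory. In a real audit these fields come from reading each
// route's registered hook chain and handler, never from the path.
const AUTH_HOOKS = new Set(["requireAuth", "requireAdmin"]); // hypothetical hook names

const routes = [
  { method: "GET",    path: "/orders",        hooks: ["requireAuth"],  userScoped: true },
  { method: "DELETE", path: "/orders/:id",    hooks: [],               userScoped: true },
  { method: "GET",    path: "/health",        hooks: [],               userScoped: false },
  { method: "GET",    path: "/admin/metrics", hooks: [],               userScoped: false },
  { method: "POST",   path: "/admin/users",   hooks: ["requireAdmin"], userScoped: true },
];

const segments = (p) => p.split("/").filter(Boolean);
const hasAuth = (r) => r.hooks.some((h) => AUTH_HOOKS.has(h));
const isMutation = (r) => ["POST", "PUT", "PATCH", "DELETE"].includes(r.method);

// Assumed definitions: a sibling shares the same non-root parent path;
// a parent is a strict segment-wise prefix of the route's path.
function related(route, other) {
  if (route === other) return false;
  const a = segments(route.path), b = segments(other.path);
  const parentOf = (x) => x.slice(0, -1).join("/");
  const sibling = a.length > 1 && a.length === b.length && parentOf(a) === parentOf(b);
  const parent = b.length < a.length && b.every((s, i) => s === a[i]);
  return sibling || parent;
}

// (a) sibling/parent has auth hooks AND (b) mutation or user-scoped data => gap.
// Unauthenticated GET with no authenticated sibling/parent => info.
function classify(route, all) {
  if (hasAuth(route)) return "none";
  const siblingAuth = all.some((o) => related(route, o) && hasAuth(o));
  const sensitive = isMutation(route) || route.userScoped;
  if (siblingAuth && sensitive) return "auth-gap";
  if (route.method === "GET" && !siblingAuth) return "info";
  return "none";
}

function audit(all) {
  return all.map((r) => ({ route: `${r.method} ${r.path}`, finding: classify(r, all) }));
}
```

GET /admin/metrics comes out as "none" even though it sits under /admin/ next to a protected route, because it is neither a mutation nor user-scoped; the path prefix plays no part in the decision.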