cobol-java-v3/.claude/skills/code-review/references/python-fastapi.md
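NB-076 2f61ad7f1a feat: integrate the code-review skill into the project
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Automatic trigger: a review runs automatically after the AI modifies .py/.cbl/.cpy/.lark files
- CLAUDE.md: defines trigger rules, review flow, and severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Effect: works right after clone; every code change is reviewed automatically, keeping low-quality code out of the repository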
Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-25 10:24:15 +08:00


Python FastAPI Review Checklist

Extends the generic checklist with FastAPI-specific items.

Interface Layer (FastAPI Routes)

  • Pydantic models used for request/response schemas
  • Pydantic validators (@validator, @field_validator) for custom logic
  • response_model specified on all endpoints
  • Query/Path parameters have title, description, examples
  • status_code set explicitly on non-200 responses
  • Dependency injection used for shared logic (auth, DB session)

Business Layer

  • Business logic separated from route handlers
  • Depends(get_db) pattern for database session management
  • Background tasks (BackgroundTasks) used for non-blocking operations

Data Layer (SQLAlchemy / asyncpg)

  • SQLAlchemy: session management via dependency injection
  • SQLAlchemy: selectinload() / joinedload() for eager loading
  • SQLAlchemy async: proper async session usage (AsyncSession)
  • Raw SQL: always parameterized, never f-string interpolation

Error Handling

  • Custom exception handlers registered (@app.exception_handler)
  • HTTPException with appropriate status codes
  • Validation errors return structured response (Pydantic error format)
  • Unhandled exceptions caught by global handler

Security

  • CORSMiddleware with specific origins, not allow_origins=["*"]
  • OAuth2 / JWT integration via FastAPI security utilities
  • Security() or Depends() for auth checks (not manual header parsing)
  • Rate limiting middleware (e.g., slowapi)
  • Secrets loaded from environment or secret manager

Performance

  • Async endpoints (async def) where I/O-bound
  • httpx.AsyncClient with connection pooling for external API calls
  • Response compression middleware (GZipMiddleware)
  • Database connection pool size tuned