cobol-java-v3/.claude/skills/code-review/references/python-fastapi.md
NB-076 2f61ad7f1a feat: integrate the code-review skill into the project
- Project-level skill: .claude/skills/code-review/ (398-line SKILL.md + reference files)
- Auto-trigger: review runs automatically after the AI modifies .py/.cbl/.cpy/.lark files
- CLAUDE.md: defines the trigger rules, review flow and severity levels
- .code-review.yaml: tier=standard, high-risk module configuration

Result: usable right after clone; every code change is reviewed automatically, keeping low-quality code out of the repository
Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-25 10:24:15 +08:00

# Python FastAPI Review Checklist
Extends the generic checklist with FastAPI-specific items.
## Interface Layer (FastAPI Routes)
- [ ] Pydantic models used for request/response schemas
- [ ] Pydantic validators (`@validator`, `@field_validator`) for custom logic
- [ ] `response_model` specified on all endpoints
- [ ] Query/Path parameters have `title`, `description`, `examples`
- [ ] `status_code` set explicitly on non-200 responses
- [ ] Dependency injection used for shared logic (auth, DB session)
## Business Layer
- [ ] Business logic separated from route handlers
- [ ] `Depends(get_db)` pattern for database session management
- [ ] Background tasks (`BackgroundTasks`) used for non-blocking operations
## Data Layer (SQLAlchemy / asyncpg)
- [ ] SQLAlchemy: session management via dependency injection
- [ ] SQLAlchemy: `selectinload()` / `joinedload()` for eager loading
- [ ] SQLAlchemy async: proper async session usage (`AsyncSession`)
- [ ] Raw SQL: always parameterized, never f-string interpolation
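
The raw-SQL item is the one a reviewer most often has to argue about, so here is a self-contained demonstration of what it guards against. This is an added example, not code from the checklist's project; it uses the standard-library `sqlite3` module instead of SQLAlchemy/asyncpg because the binding behaviour is the same, and the `users` table, its two rows and the helper names (`make_db`, `find_user_interpolated`, `find_user_parameterized`, `compare`) are all constructed for this illustration.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_interpolated(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The pattern the checklist rejects: the caller's string becomes SQL text."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The pattern the checklist requires: the driver binds the value apart from the SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> Tuple[int, int]:
    """Run both variants on the same input and return their row counts.

    A count of -1 means the interpolated query was no longer valid SQL,
    which is the usual first symptom of the bug in production logs.
    """
    conn = make_db()
    try:
        try:
            interpolated = len(find_user_interpolated(conn, username))
        except sqlite3.Error:
            interpolated = -1
        parameterized = len(find_user_parameterized(conn, username))
    finally:
        conn.close()
    return interpolated, parameterized


if __name__ == "__main__":
    # A normal name, a name containing a quote, and a string that contains SQL syntax.
    for value in ("alice", "O'Brien", "' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

The parameterized variant returns the same answer for all three inputs, namely "does a user with exactly this name exist"; the interpolated variant breaks on an apostrophe and returns every row for the third input, which is why the review rule allows no exceptions for "internal" endpoints.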
## Error Handling
- [ ] Custom exception handlers registered (`@app.exception_handler`)
- [ ] HTTPException with appropriate status codes
- [ ] Validation errors return structured response (Pydantic error format)
- [ ] Unhandled exceptions caught by global handler
## Security
- [ ] `CORSMiddleware` with specific origins, not `allow_origins=["*"]`
- [ ] OAuth2 / JWT integration via FastAPI security utilities
- [ ] `Security()` or `Depends()` for auth checks (not manual header parsing)
- [ ] Rate limiting middleware (e.g., slowapi)
- [ ] Secrets loaded from environment or secret manager
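
Two of the Security items (`allow_origins=["*"]` and manual header parsing) are mechanical enough to check automatically. The following is an added example of such a checker, not part of the project's code-review skill: it walks the AST of a module and reports a `cors-wildcard` finding for `add_middleware(CORSMiddleware, allow_origins=["*"], ...)` and a `manual-auth-header` finding for `request.headers.get("Authorization")` or `request.headers["Authorization"]`. The rule names, the `Finding` class and `review_source` function, and the `SAMPLE_APP` module are all constructed for this illustration; it assumes Python 3.9 or later, where `ast.Subscript.slice` holds the index expression directly.

```python
import ast
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    line: int
    rule: str
    message: str


def _is_wildcard_list(expr: ast.AST) -> bool:
    """True for a literal list or tuple containing the string "*"."""
    return isinstance(expr, (ast.List, ast.Tuple)) and any(
        isinstance(e, ast.Constant) and e.value == "*" for e in expr.elts
    )


def _is_headers_attr(expr: ast.AST) -> bool:
    """True for an expression of the form `<something>.headers`."""
    return isinstance(expr, ast.Attribute) and expr.attr == "headers"


def _is_authorization_const(expr: ast.AST) -> bool:
    """True for the string literal "Authorization" in any letter case."""
    return (
        isinstance(expr, ast.Constant)
        and isinstance(expr.value, str)
        and expr.value.lower() == "authorization"
    )


class FastAPIReviewVisitor(ast.NodeVisitor):
    """Collects findings for the two Security checklist items (hypothetical rule names)."""

    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Call(self, node: ast.Call) -> None:
        # Rule 1: add_middleware(CORSMiddleware, allow_origins=["*"], ...)
        if any(isinstance(a, ast.Name) and a.id == "CORSMiddleware" for a in node.args):
            for kw in node.keywords:
                if kw.arg == "allow_origins" and _is_wildcard_list(kw.value):
                    self.findings.append(Finding(
                        node.lineno, "cors-wildcard",
                        'CORSMiddleware registered with allow_origins=["*"]; list the allowed origins',
                    ))
        # Rule 2a: <request>.headers.get("Authorization")
        f = node.func
        if (
            isinstance(f, ast.Attribute) and f.attr == "get" and _is_headers_attr(f.value)
            and node.args and _is_authorization_const(node.args[0])
        ):
            self.findings.append(Finding(
                node.lineno, "manual-auth-header",
                "Authorization header parsed by hand; use Security()/Depends() with a FastAPI security scheme",
            ))
        self.generic_visit(node)

    def visit_Subscript(self, node: ast.Subscript) -> None:
        # Rule 2b: <request>.headers["Authorization"]
        if _is_headers_attr(node.value) and _is_authorization_const(node.slice):
            self.findings.append(Finding(
                node.lineno, "manual-auth-header",
                "Authorization header parsed by hand; use Security()/Depends() with a FastAPI security scheme",
            ))
        self.generic_visit(node)


def review_source(source: str) -> List[Finding]:
    """Parse a module and return its findings in source order."""
    visitor = FastAPIReviewVisitor()
    visitor.visit(ast.parse(source))
    return visitor.findings


# Constructed sample module: one wildcard CORS setup, one hand-parsed route, one compliant route.
SAMPLE_APP = '''\
from fastapi import Depends, FastAPI, HTTPException, Request
from fastapi.middleware.cors import CORSMiddleware
from fastapi.security import OAuth2PasswordBearer

app = FastAPI()
app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
)
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

@app.get("/legacy")
async def legacy(request: Request):
    token = request.headers.get("Authorization")
    if not token:
        raise HTTPException(status_code=401)
    return {"ok": True}

@app.get("/items")
async def items(token: str = Depends(oauth2_scheme)):
    return {"ok": True}
'''


if __name__ == "__main__":
    for finding in review_source(SAMPLE_APP):
        print(f"line {finding.line}: [{finding.rule}] {finding.message}")
```

Because the checker only parses source, it needs neither FastAPI nor the application's dependencies installed, so it can run in the same pre-commit step as the rest of the review. The `/items` route, which takes its token through `Depends(oauth2_scheme)`, produces no finding; only the wildcard middleware call and the `/legacy` handler do.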
## Performance
- [ ] Async endpoints (`async def`) where I/O-bound
- [ ] `httpx.AsyncClient` with connection pooling for external API calls
- [ ] Response compression middleware (`GZipMiddleware`)
- [ ] Database connection pool size tuned