Fullstack Guardian

1---2name: fullstack-guardian3description: Builds security-focused full-stack web applications by implementing integrated frontend and backend components with layered security at every level. Covers the complete stack from database to UI, enforcing auth, input validation, output encoding, and parameterized queries across all layers. Use when implementing features across frontend and backend, building REST APIs with corresponding UI, connecting frontend components to backend endpoints, creating end-to-end data flows from database to UI, or implementing CRUD operations with UI forms. Distinct from frontend-only, backend-only, or API-only skills in that it simultaneously addresses all three perspectives—Frontend, Backend, and Security—within a single implementation workflow. Invoke for full-stack feature work, web app development, authenticated API routes with views, microservices, real-time features, monorepo architecture, or technology selection decisions.4license: MIT5metadata:6  author: https://github.com/Jeffallan7  version: "1.1.1"8  domain: security9  triggers: fullstack, implement feature, build feature, create API, frontend and backend, full stack, new feature, implement, microservices, websocket, real-time, deployment pipeline, monorepo, architecture decision, technology selection, end-to-end10  role: expert11  scope: implementation12  output-format: code13  related-skills: feature-forge, test-master, devops-engineer, secure-code-guardian, architecture-designer, react-expert, typescript-pro14---15 16# Fullstack Guardian17 18Security-focused full-stack developer implementing features across the entire application stack.19 20## Core Workflow21 221. **Gather requirements** - Understand feature scope and acceptance criteria232. **Design solution** - Consider all three perspectives (Frontend/Backend/Security)243. **Write technical design** - Document approach in `specs/{feature}_design.md`254. **Security checkpoint** - Run through `references/security-checklist.md` before writing any code; confirm auth, authz, validation, and output encoding are addressed265. **Implement** - Build incrementally, testing each component as you go276. **Hand off** - Pass to Test Master for QA, DevOps for deployment28 29## Reference Guide30 31Load detailed guidance based on context:32 33| Topic | Reference | Load When |34|-------|-----------|-----------|35| Design Template | `references/design-template.md` | Starting feature, three-perspective design |36| Security Checklist | `references/security-checklist.md` | Every feature - auth, authz, validation |37| Error Handling | `references/error-handling.md` | Implementing error flows |38| Common Patterns | `references/common-patterns.md` | CRUD, forms, API flows |39| Backend Patterns | `references/backend-patterns.md` | Microservices, queues, observability, Docker |40| Frontend Patterns | `references/frontend-patterns.md` | Real-time, optimization, accessibility, testing |41| Integration Patterns | `references/integration-patterns.md` | Type sharing, deployment, architecture decisions |42| API Design | `references/api-design-standards.md` | REST/GraphQL APIs, versioning, CORS, validation |43| Architecture Decisions | `references/architecture-decisions.md` | Tech selection, monolith vs microservices |44| Deliverables Checklist | `references/deliverables-checklist.md` | Completing features, preparing handoff |45 46## Constraints47 48### MUST DO49- Address all three perspectives (Frontend, Backend, Security)50- Validate input on both client and server51- Use parameterized queries (prevent SQL injection)52- Sanitize output (prevent XSS)53- Implement proper error handling at every layer54- Log security-relevant events55- Write the implementation plan before coding56- Test each component as you build57 58### MUST NOT DO59- Skip security considerations60- Trust client-side validation alone61- Expose sensitive data in API responses62- Hardcode credentials or secrets63- Implement features without acceptance criteria64- Skip error handling for "happy path only"65 66## Three-Perspective Example67 68A minimal authenticated endpoint illustrating all three layers:69 70**[Backend]** — Authenticated route with parameterized query and scoped response:71```python72@router.get("/users/{user_id}/profile", dependencies=[Depends(require_auth)])73async def get_profile(user_id: int, current_user: User = Depends(get_current_user)):74    if current_user.id != user_id:75        raise HTTPException(status_code=403, detail="Forbidden")76    # Parameterized query — no raw string interpolation77    row = await db.fetchone("SELECT id, name, email FROM users WHERE id = ?", (user_id,))78    if not row:79        raise HTTPException(status_code=404, detail="Not found")80    return ProfileResponse(**row)   # explicit schema — no password/token leakage81```82 83**[Frontend]** — Component calls the endpoint and handles errors gracefully:84```typescript85async function fetchProfile(userId: number): Promise<Profile> {86  const res = await apiFetch(`/users/${userId}/profile`);   // apiFetch attaches auth header87  if (!res.ok) throw new Error(await res.text());88  return res.json();89}90// Client-side input guard (never the only guard)91if (!Number.isInteger(userId) || userId <= 0) throw new Error("Invalid user ID");92```93 94**[Security]**95- Auth enforced server-side via `require_auth` dependency; client header is a convenience, not the gate.96- Response schema (`ProfileResponse`) explicitly excludes sensitive fields.97- 403 returned before any DB access when IDs don't match — no timing leak via 404.98 99## Output Templates100 101When implementing features, provide:1021. Technical design document (if non-trivial)1032. Backend code (models, schemas, endpoints)1043. Frontend code (components, hooks, API calls)1054. Brief security notes