docs: salvage FastAPI review patterns

rules/python/fastapi.md

@@ -0,0 +1,58 @@
+---
+paths:
+  - "**/app/**/*.py"
+  - "**/fastapi/**/*.py"
+  - "**/*_api.py"
+---
+# FastAPI Rules
+
+Use these rules for FastAPI projects alongside the general Python rules.
+
+## Structure
+
+- Put app construction in `create_app()`.
+- Keep routers thin; move persistence and business behavior into services or CRUD helpers.
+- Keep request schemas, update schemas, and response schemas separate.
+- Keep database sessions and auth in dependencies.
+
+## Async
+
+- Use `async def` for endpoints that perform I/O.
+- Use async database and HTTP clients from async endpoints.
+- Do not call `requests`, sync SQLAlchemy sessions, or blocking file/network operations from async routes.
+
+## Dependency Injection
+
+```python
+@router.get("/users/{user_id}")
+async def get_user(
+    user_id: str,
+    db: AsyncSession = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    ...
+```
+
+Do not create `SessionLocal()` or long-lived clients inside route handlers.
+
+## Schemas
+
+- Never include passwords, password hashes, access tokens, refresh tokens, or internal auth state in response models.
+- Use `response_model` on endpoints that return application data.
+- Use field constraints instead of hand-written validation when Pydantic can express the rule.
+
+## Security
+
+- Keep CORS origins environment-specific.
+- Do not combine wildcard origins with credentialed CORS.
+- Validate JWT expiry, issuer, audience, and algorithm.
+- Rate-limit auth and write-heavy endpoints.
+- Redact credentials, cookies, authorization headers, and tokens from logs.
+
+## Testing
+
+- Override the exact dependency used by `Depends`.
+- Clear `app.dependency_overrides` after tests.
+- Prefer async test clients for async applications.
+
+See skill: `fastapi-patterns`.