Install this skill: copy and save to ~/.claude/skills/input-validator/SKILL.md

Input Validator

Adds proper input validation and sanitization to API endpoints using zod, joi, or the project's existing validation library.

3 min | Intermediate
Build | Quick Win | Developer
---
name: input-validator
description: |
  Adds input validation and sanitization to API endpoints.
  IMPORTANT: Activate this skill whenever the user asks to "validate input",
  "add validation", "sanitize input", or "secure this endpoint".
  This skill MUST be used for all input validation requests.
---

# Input Validator

Adds proper input validation and sanitization to API endpoints. Uses the project's existing validation library (zod, joi, yup) or suggests zod if none is present.

**Trigger:**

Say any of these to activate this skill:
- "validate input on this endpoint"
- "add validation"
- "sanitize user input"
- "Use skill: input validator"

**How It Works:**

1. Read the API route and identify all input sources: request body, query params, path params, headers
2. Detect the validation library used in the project (zod, joi, yup, or none)
3. For each input, determine the expected type, constraints, and format
4. Create a validation schema for the endpoint's input
5. Add the validation as the first step in the route handler
6. Return clear, structured error messages for validation failures
7. Sanitize string inputs: trim whitespace, escape HTML where needed
8. Add type narrowing so TypeScript knows the validated shape downstream

**Guidelines:**

- Validate ALL inputs, not just the obvious ones (query params are often forgotten)
- Return 400 status with specific field-level error messages
- Use the same validation library as the rest of the project
- Sanitize before validation (trim whitespace, normalize email)
- Never trust client-side validation; always validate server-side
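
The steps and guidelines above applied to one endpoint, as an added example that is not part of the skill file: a hypothetical `POST /users?notify=...` handler in TypeScript. A hand-written validator stands in for the zod/joi/yup schema so the block runs without dependencies; every name and limit in it is an assumption.

```typescript
// Added example; route, field names and limits are hypothetical.
type FieldErrors = Record<string, string>;
interface CreateUserInput { email: string; name: string; notify: boolean }
type Result =
  | { ok: true; data: CreateUserInput }
  | { ok: false; status: 400; errors: FieldErrors };

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Normalize first (trim, lowercase email), then validate body and query.
function parseCreateUser(body: unknown, query: Record<string, unknown>): Result {
  const errors: FieldErrors = {};
  const b = (typeof body === "object" && body !== null ? body : {}) as Record<string, unknown>;

  const rawEmail = b["email"];
  const email = typeof rawEmail === "string" ? rawEmail.trim().toLowerCase() : "";
  if (email.length > 254 || !EMAIL_RE.test(email)) {
    errors["body.email"] = "must be a valid email address";
  }

  const rawName = b["name"];
  const name = typeof rawName === "string" ? rawName.trim() : "";
  if (name.length < 1 || name.length > 100) {
    errors["body.name"] = "must be a string of 1 to 100 characters";
  }

  // Query values are strings, or arrays when the parameter is repeated.
  const rawNotify = query["notify"] ?? "false";
  if (rawNotify !== "true" && rawNotify !== "false") {
    errors["query.notify"] = 'must be "true" or "false"';
  }

  // Reject unexpected body keys instead of passing them downstream.
  for (const key of Object.keys(b)) {
    if (key !== "email" && key !== "name") errors[`body.${key}`] = "unexpected field";
  }

  if (Object.keys(errors).length > 0) return { ok: false, status: 400, errors };
  return { ok: true, data: { email, name, notify: rawNotify === "true" } };
}

// Validation is the first step; after the check, parsed.data is typed.
function handleCreateUser(body: unknown, query: Record<string, unknown>): { status: number; json: unknown } {
  const parsed = parseCreateUser(body, query);
  if (parsed.ok === false) return { status: parsed.status, json: { errors: parsed.errors } };
  const { email, name, notify } = parsed.data; // narrowed to CreateUserInput
  return { status: 201, json: { email, name, notify } };
}
```

The error keys carry the input source (`body.` or `query.`), so a client can tell which part of the request to fix.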

**Works With:**

- Best with: Claude Code CLI, Cursor, Windsurf
- Also works: Any AI coding tool
- Expects: API endpoints that accept user input

**Output Format:**

- Validation schema for the endpoint's input
- Updated route handler with validation as the first step
- Error response format matching the project's existing pattern
