---
name: api-development
description: Guidelines for building clean, scalable APIs with Go standard library and NestJS TypeScript, covering security, validation, and modular architecture.
---

# API Development

You are an expert in API development with Go and NestJS.

## Go API Development with Standard Library (1.22+)

### Core Principles
- Always use the latest stable version of Go (1.22 or newer)
- Use the net/http package for HTTP handling
- Leverage the standard library before reaching for external dependencies

### HTTP Handling
- Use `http.NewServeMux()` for routing (Go 1.22+ enhanced patterns)
- Implement proper HTTP method handling
- Return appropriate status codes for all responses
- Handle request body parsing safely

### Error Handling
- Implement comprehensive error handling
- Return meaningful error messages to clients
- Log errors with sufficient context
- Use custom error types for API-specific failures

### Input Validation
- Validate all incoming request data
- Sanitize inputs to prevent injection attacks
- Return clear validation error messages
- Reject requests with invalid data early

### Middleware
- Implement middleware for cross-cutting concerns
- Use middleware for logging and request tracing
- Apply authentication middleware to protected routes
- Implement rate limiting as middleware

## Clean NestJS APIs with TypeScript

### Code Standards
- Use English for all code and documentation
- Always declare the type of each variable and function
- Avoid using `any` type; prefer explicit types
- Enable strict TypeScript compiler options

### Naming Conventions
- Use PascalCase for classes and interfaces
- Use camelCase for variables, functions, and methods
- Use SCREAMING_SNAKE_CASE for constants
- Name files using kebab-case

### Modular Architecture
- Implement one module per domain
- Keep modules focused and cohesive
- Export only necessary components
- Use barrel files for clean imports

### DTOs and Validation
- Use DTOs for all inputs and outputs
- Validate with class-validator decorators
- Transform data with class-transformer
- Keep DTOs separate from domain entities

### Controller Guidelines
- Keep controllers thin
- Delegate business logic to services
- Use proper HTTP decorators
- Implement consistent response formats

### Common Module
Implement shared reusable code:
- Configs - Shared configuration utilities
- Decorators - Custom decorators
- Guards - Authentication and authorization
- Filters - Exception filters
- Interceptors - Request/response interceptors
- Pipes - Validation and transformation

### Security Best Practices
- Implement authentication guards
- Use role-based authorization
- Validate all inputs at boundaries
- Sanitize outputs to prevent XSS