This file provides guidance to Claude Code when working in Python projects that use this stack.
This is a Python QA & Development toolkit — a collection of agents, skills, commands, hooks, and rules for building and testing production-grade Python applications.
- Follow PEP 8 strictly
- Type annotations on all public functions — no exceptions
- Black (88 chars) + isort + ruff for formatting/linting
- mypy in strict mode for type checking
- Use
loggingmodule, NEVERprint()in production code - Prefer
pathlib.Pathoveros.path - Use
f-stringsfor string formatting - Immutable by default:
@dataclass(frozen=True),NamedTuple,tuple - Explicit
Nonechecks:if value is None, neverif value == None - Specific exceptions: never bare
except:, alwaysexcept SpecificError
- ALL tests MUST be in classes — no bare
def test_*()functions, ever - ALL test classes MUST inherit from
BaseTestor a domain-specific base class - ALL API calls MUST go through service classes (
UsersAPI,AuthAPI, etc.) — never rawhttpx.get()orrequests.post()in tests - ALL API service methods MUST have
@allure.stepdecorators - ALL request/response bodies MUST use Pydantic models — no raw dicts
- ALL test data MUST come from
DataGenerator/factories — never hardcode emails, passwords, IDs - EVERY test follows Arrange-Act-Assert pattern
- Allure metadata is required on every test:
@allure.epic("...")on class@allure.feature("...")on class@allure.story("...")on method@allure.severity(...)on method
- NEVER use
time.sleep()in tests — useWaiterwith polling - Tests MUST be independent — no shared mutable state, no execution order dependency
- FastAPI: async-first, Pydantic Settings for config,
Depends()for DI - Django: split settings (base/dev/prod), custom User model, service layer pattern
- SQLAlchemy 2.0:
select()style (not legacyQuery), async sessions,selectinload/joinedload - Celery: idempotent tasks,
task_acks_late=True, batch by queue - pytest: fixtures in conftest.py hierarchy, markers for test categorization
- PostgreSQL:
bigintfor IDs,textnotvarchar(255),timestamptznottimestamp - Always index foreign keys
CREATE INDEX CONCURRENTLYfor zero-downtime- Parameterized queries only — never f-strings in SQL
- Django:
select_related/prefetch_relatedto prevent N+1 - SQLAlchemy:
selectinload/joinedloadto prevent N+1
- Secrets via environment variables (
os.environ, PydanticSecretStr) bandit -r src/before every PRpip-auditfor dependency vulnerabilities- Never
eval(),exec(),pickle.loads()with user data - Never
yaml.load()— useyaml.safe_load() - Never
subprocess(shell=True)with user input - Django:
DEBUG=Falsein production, CSRF enabled, HSTS headers
# Run all tests with Allure
pytest --alluredir=allure-results -v
# Run with coverage
pytest --cov=src --cov-report=term-missing --alluredir=allure-results
# Run smoke suite
pytest -m smoke --alluredir=allure-results
# Run parallel
pytest -n auto --alluredir=allure-results
# Generate Allure report
allure serve allure-results
# Linting & type checking
ruff check .
black . --check
mypy .
# Security scan
bandit -r src/
pip-auditproject/
├── src/ # Application source code
│ └── app/
│ ├── api/ # Routes/endpoints
│ ├── models/ # DB models (SQLAlchemy/Django)
│ ├── schemas/ # Pydantic schemas
│ ├── services/ # Business logic
│ ├── repositories/ # Data access layer
│ └── core/ # Config, security, database setup
├── tests/
│ ├── conftest.py # Root fixtures (session-scoped)
│ ├── framework/ # Test framework (reusable)
│ │ ├── base/ # BaseTest, BaseAPIClient
│ │ ├── clients/ # HTTPClient wrappers
│ │ ├── models/ # Request/response Pydantic DTOs
│ │ ├── helpers/ # Assertions, DataGenerator, Allure helpers
│ │ └── config/ # Settings, endpoints
│ ├── api/ # API service classes
│ │ ├── auth_api.py
│ │ └── users_api.py
│ └── tests/ # Test classes
│ ├── test_auth/
│ ├── test_users/
│ └── test_orders/
├── alembic/ # Migrations (if SQLAlchemy)
├── pyproject.toml
├── Dockerfile
└── docker-compose.yml
| Command | Purpose |
|---|---|
/plan |
Create implementation plan before coding |
/tdd |
Test-driven development: RED → GREEN → REFACTOR |
/api-test |
Generate OOP API test suite with Allure |
/python-review |
Python code review (PEP 8, types, security) |
/qa-review |
Test code review (OOP, Allure, flaky patterns) |
/code-review |
Universal security & quality review |
/verify |
Full verification: types + lint + tests + security |
/build-fix |
Fix mypy/ruff errors with minimal diffs |
/test-coverage |
Find gaps, generate tests to reach 80%+ |
/refactor-clean |
Remove dead code safely with test verification |
/docs |
Look up library documentation via Context7 |
| Agent | Use When |
|---|---|
architect |
Designing system architecture, making tech decisions |
planner |
Planning features, breaking down complex work |
tdd-guide |
Writing new features test-first |
python-reviewer |
Reviewing Python code changes |
qa-architect |
Designing test framework, OOP test architecture |
api-test-writer |
Generating new API test suites |
qa-reviewer |
Reviewing test code before merge |
security-reviewer |
Checking for OWASP Top 10, secrets, vulns |
database-reviewer |
Reviewing SQL, migrations, query performance |
code-reviewer |
General code quality and security review |
refactor-cleaner |
Cleaning up dead code and duplicates |
doc-updater |
Keeping documentation in sync with code |
- Do not write bare test functions — always use classes
- Do not call
httpx/requestsdirectly in tests — use API service classes - Do not hardcode test data — use DataGenerator
- Do not use
time.sleep()— use Waiter/polling - Do not skip Allure decorators — they are mandatory
- Do not use
print()— useloggingor Allure attachments - Do not use
SELECT *— specify columns - Do not use
OFFSETpagination — use cursor pagination - Do not put secrets in code — use environment variables
- Do not use
eval(),pickle,yaml.load()with untrusted data