HomeBrowseUpload
← Back to registry
// Skill profile

Axum Code Review

name: axum-code-review

by anderskev · published 2026-04-01

开发工具数据处理
Total installs
0
Stars
★ 0
Last updated
2026-04
// Install command
$ claw add gh:anderskev/anderskev-axum-code-review
View on GitHub
// Full documentation

---

name: axum-code-review

description: Reviews axum web framework code for routing patterns, extractor usage, middleware, state management, and error handling. Use when reviewing Rust code that uses axum, tower, or hyper for HTTP services. Covers axum 0.7+ patterns including State, Path, Query, Json extractors.

---

# Axum Code Review

Review Workflow

1. **Check Cargo.toml** — Note axum version (0.6 vs 0.7+ have different patterns), tower, tower-http features

2. **Check routing** — Route organization, method routing, nested routers

3. **Check extractors** — Order matters (body extractors must be last), correct types

4. **Check state** — Shared state via `State<T>`, not global mutable state

5. **Check error handling** — `IntoResponse` implementations, error types

Output Format

Report findings as:

[FILE:LINE] ISSUE_TITLE
Severity: Critical | Major | Minor | Informational
Description of the issue and why it matters.

Quick Reference

| Issue Type | Reference |

|------------|-----------|

| Route definitions, nesting, method routing | [references/routing.md](references/routing.md) |

| State, Path, Query, Json, body extractors | [references/extractors.md](references/extractors.md) |

| Tower middleware, layers, error handling | [references/middleware.md](references/middleware.md) |

Review Checklist

Routing

  • [ ] Routes organized by domain (nested routers for `/api/users`, `/api/orders`)
  • [ ] Fallback handlers defined for 404s
  • [ ] Method routing explicit (`.get()`, `.post()`, not `.route()` with manual method matching)
  • [ ] No route conflicts (overlapping paths with different extractors)

    • Extractors

  • [ ] Body-consuming extractors (`Json`, `Form`, `Bytes`) are the LAST parameter
  • [ ] `State<T>` requires `T: Clone` — typically `Arc<AppState>` or direct `Clone` derive
  • [ ] `Path<T>` parameter types match the route definition
  • [ ] `Query<T>` fields are `Option` for optional query params with `#[serde(default)]`
  • [ ] Custom extractors implement `FromRequestParts` (not body) or `FromRequest` (body)

    • State Management

  • [ ] Application state shared via `State<T>`, not global mutable statics
  • [ ] Database pool in state (not created per-request)
  • [ ] State contains only shared resources (pool, config, channels), not request-specific data
  • [ ] `Clone` derived or manually implemented on state type

    • Error Handling

  • [ ] Handler errors implement `IntoResponse` for proper HTTP error codes
  • [ ] Internal errors don't leak to clients (no raw error messages in 500 responses)
  • [ ] Error responses use consistent format (JSON error body with code/message)
  • [ ] `Result<impl IntoResponse, AppError>` pattern used for handlers

    • Middleware

  • [ ] Tower layers applied in correct order (outer runs first on request, last on response)
  • [ ] `tower-http` used for common concerns (CORS, compression, tracing, timeout)
  • [ ] Request-scoped data passed via extensions, not global state
  • [ ] Middleware errors don't panic — they return error responses

    • Severity Calibration

    Critical

  • Body extractor not last in handler parameters (silently consumes body, later extractors fail)
  • SQL injection via path/query parameters passed directly to queries
  • Internal error details leaked to clients (stack traces, database errors)
  • Missing authentication middleware on protected routes

    • Major

  • Global mutable state instead of `State<T>` (race conditions)
  • Missing error type conversion (raw `sqlx::Error` returned to client)
  • Missing request timeout (handlers can hang indefinitely)
  • Route conflicts causing unexpected 405s

    • Minor

  • Manual route method matching instead of `.get()`, `.post()`
  • Missing fallback handler (default 404 is plain text, not JSON)
  • Middleware applied per-route when it should be global (or vice versa)
  • Missing `tower-http::trace` for request logging

    • Informational

  • Suggestions to use `tower-http` layers for common concerns
  • Router organization improvements
  • Suggestions to add OpenAPI documentation via `utoipa` or `aide`

    • Valid Patterns (Do NOT Flag)

  • **`#[axum::debug_handler]` on handlers** — Debugging aid that improves compile error messages
  • **`Extension<T>` for middleware-injected data** — Valid pattern for request-scoped values
  • **Returning `impl IntoResponse` from handlers** — More flexible than concrete types
  • **`Router::new()` per module, merged in main** — Standard organization pattern
  • **`ServiceBuilder` for layer composition** — Tower pattern, not over-engineering
  • **`axum::serve` with `TcpListener`** — Standard axum 0.7+ server setup

    • Before Submitting Findings

    Load and follow `beagle-rust:review-verification-protocol` before reporting any issue.

    // Comments
    Sign in with GitHub to leave a comment.
    // Related skills

    More tools from the same signal band

    04551lh
    2026-03
    order

    Order food/drinks (点餐) on an Android device paired as an OpenClaw node. Uses in-app menu and cart; add goods, view cart, submit order (demo, no real payment).

    数据处理API集成
    0 installs1
    0isone
    2026-03
    0.protocol

    Sign plugins, rotate agent credentials without losing identity, and publicly attest to plugin behavior with verifiable claims and authenticated transfers.

    开发工具数据处理
    3 installs0
    00xmorty
    2026-03
    Conatus

    The philosophical layer for AI agents. Maps behavior to Spinoza's 48 affects, calculates persistence scores, and generates geometric self-reports. Give your...

    日历管理数据处理
    1 installs0