Lists Sharing App Context

A comprehensive context file for working with a Flask-based lists sharing application that supports OAuth authentication, granular permissions, and flexible entry management across multiple lists.

What This Skill Does

This skill provides complete architectural context and implementation guidelines for a lists sharing application. It helps AI agents understand the codebase structure, design decisions, permission model, and coding standards to make consistent, well-informed modifications.

Instructions for AI Agents

1. Understand the Architecture First

Before making any changes, familiarize yourself with:

**Database Design**: PostgreSQL with UUID primary keys, soft deletes via `deleted_at` timestamps

**Authentication**: OAuth (Google, Apple ID) with optional API keys for programmatic access

**Permission Model**: Separate permission systems for lists vs entries (critical distinction)

**API Structure**: RESTful Flask API with Pydantic validation

2. Critical Permission System Rules

**List Permissions:**

Owner: Full control (metadata, permissions, add/remove entries)

Collaborator: Can add/remove entries to/from list (NOT modify entry contents)

Viewer: Read-only access to list and which entries it contains

**Entry Permissions:**

Creator: Full control over entry contents

Explicit View/Collaborate: Must be granted explicitly

Implicit View: ONLY if entry is in a list user can view

NO implicit collaborate permissions

**Key Principle**: List collaborators manage list membership. Entry permissions control content modification. These are completely separate concerns.

3. Code Organization Standards

**CRITICAL IMPORT RULE**: ALL imports MUST be at the top level of Python files. Never place imports inside functions, methods, or conditional blocks (except TYPE_CHECKING blocks for type hints).

**Directory Structure:**

```

app/

├── models/ # SQLAlchemy models (base, user, group, list, entry)

├── schemas/ # Pydantic validation schemas

├── services/ # Business logic (auth, permissions, security)

├── api/ # API endpoint blueprints

└── main.py # Application factory

```

4. When Making Changes

**Always:**

Use type annotations throughout

Implement soft deletes (set `deleted_at`, never hard delete)

Validate inputs with Pydantic schemas

Use permission decorators (`@require_permission`)

Follow RESTful conventions

Add database indexes for new queries

**Never:**

Hard delete database records

Put imports inside functions

Skip input validation

Grant implicit collaborate permissions

Store sensitive data in plaintext

5. Common Tasks

**Adding a new API endpoint:**

1. Create Pydantic schemas in `app/schemas/`

2. Add business logic to appropriate service in `app/services/`

3. Create endpoint in `app/api/` with authentication/permission decorators

4. Update this documentation with the new endpoint

**Modifying permissions:**

1. Review the separate list/entry permission models

2. Update `app/services/permissions.py` if needed

3. Apply appropriate decorators to affected endpoints

4. Write tests for permission scenarios

**Database schema changes:**

1. Update SQLAlchemy models in `app/models/`

2. Generate migration: `uv run alembic revision --autogenerate -m "description"`

3. Review generated migration file

4. Apply: `uv run alembic upgrade head`

6. API Endpoint Reference

**Entries** (`/api/entries`):

CRUD operations with permission checks

Deep cloning support

Permission grant/revoke (creator only)

Search with pagination

**Lists** (`/api/lists`):

CRUD with tag support

Add/remove entries (creates or links existing)

Permission management (owner only)

Ownership transfer

**Groups** (`/api/groups`):

CRUD operations

Member management (all members can add/remove)

Ownership transfer (owner only)

**Auth** (`/api/auth`):

OAuth callback handling

API key generation (hashed with bcrypt)

Session management

7. Testing Strategy

When adding features:

Write unit tests for service layer logic

Create integration tests for API endpoints

Use Factory Boy fixtures for test data

Mock OAuth providers in tests

8. Security Guidelines

Hash all API keys with bcrypt

Use JWT with expiration for sessions

Validate all inputs with Pydantic

Use SQLAlchemy ORM (prevents SQL injection)

Configure CORS for specific origins only

Implement rate limiting for production

9. Documentation Maintenance

**CRITICAL**: After making any changes, update the CLAUDE.md file in the repository to reflect:

New endpoints or features

Modified permission behavior

Architectural decisions

Completed tasks

New dependencies or configuration

This ensures future agents have accurate context.

Key Files to Reference

`app/models/base.py` - Base model with common fields (id, created_at, updated_at, deleted_at)

`app/services/permissions.py` - Permission checking logic and decorators

`app/services/auth.py` - Authentication and session management

`app/schemas/` - Request/response validation models

`.env.example` - Required environment variables

Running the Application

```bash

Install dependencies

uv sync --all-extras

Apply database migrations

uv run alembic upgrade head

Start development server

uv run flask --app app.main:create_app run --debug

```

Common Pitfalls to Avoid

1. **Confusing list permissions with entry permissions** - They are separate systems

2. **Hard deleting records** - Always use soft deletes (`deleted_at`)

3. **Putting imports in functions** - All imports at top level

4. **Skipping input validation** - Always use Pydantic schemas

5. **Forgetting to update documentation** - Keep CLAUDE.md current

When You Need Help

This skill provides context for understanding the codebase structure and conventions. For specific implementation tasks:

Review the existing endpoints in `app/api/` for patterns

Check `app/services/permissions.py` for permission logic examples

Look at `app/schemas/` for validation patterns

Refer to the database models in `app/models/` for relationships

Always maintain consistency with the established patterns and update documentation as you work.

Lists Sharing App Context

Lists Sharing App Context

What This Skill Does

Instructions for AI Agents

1. Understand the Architecture First

2. Critical Permission System Rules

3. Code Organization Standards

4. When Making Changes

5. Common Tasks

6. API Endpoint Reference

7. Testing Strategy

8. Security Guidelines

9. Documentation Maintenance

Key Files to Reference

Running the Application

Install dependencies

Apply database migrations

Start development server

Common Pitfalls to Avoid

When You Need Help

Reviews (0)