fix: address CodeRabbit review — idempotency_key naming, contextvars import, single-writer generalization, alphabetical order

yerdaulet-damir · yerdaulet-damir · commit 7ba2d01bdb66 · 2026-04-28T22:41:21.000+05:00
diff --git a/README.md b/README.md
@@ -148,12 +148,12 @@ By creating a `.cursorrules` file in your project's root directory, you can leve
 - [Python (Django Best Practices)](./rules/python-django-best-practices-cursorrules-prompt-fi/.cursorrules) - Cursor rules for Python Django development with best practices.
 - [Python (FastAPI Best Practices)](./rules/python-fastapi-best-practices-cursorrules-prompt-f/.cursorrules) - Cursor rules for Python FastAPI development with best practices.
 - [Python (FastAPI Scalable API)](./rules/python-fastapi-scalable-api-cursorrules-prompt-fil/.cursorrules) - Cursor rules for Python FastAPI development with scalable API integration.
-- [vibecodex FastAPI Production](./rules/vibecodex-fastapi-production-cursorrules-prompt-file/.cursorrules) - Production architecture rules: Router→Service→Repository, ACL, bulkhead isolation, single-writer principle
 - [Python (Flask JSON Guide)](./rules/python-flask-json-guide-cursorrules-prompt-file/.cursorrules) - Cursor rules for Python Flask development with JSON guide.
 - [Python LLM & ML Workflow](./rules/python-llm-ml-workflow-cursorrules-prompt-file/.cursorrules) - Cursor rules for Python LLM & ML development with workflow integration.
 - [Salesforce (Apex)](./rules/salesforce-apex-cursorrules-prompt-file/.cursorrules.txt) - Cursor rules for Salesforce development with Apex integration.
 - [TypeScript (NestJS Best Practices)](./rules/typescript-nestjs-best-practices-cursorrules-promp/.cursorrules) - Cursor rules for TypeScript development with NestJS best practices.
 - [TYPO3 CMS Extension](./rules/typo3cms-extension-cursorrules-prompt-file/.cursorrules) - Cursor rules for TYPO3 CMS development with extension integration.
+- [vibecodex FastAPI Production](./rules/vibecodex-fastapi-production-cursorrules-prompt-file/.cursorrules) - Production architecture rules: Router→Service→Repository, ACL, bulkhead isolation, single-writer principle
 - [WordPress (PHP, Guzzle, Gutenberg)](./rules/wordpress-php-guzzle-gutenberg-cursorrules-prompt-/.cursorrules) - Cursor rules for WordPress development with PHP, Guzzle, and Gutenberg integration.
 - [WordPress (macOS)](./rules/cursorrules-cursor-ai-wordpress-draft-macos-prompt/.cursorrules) - Cursor rules for WordPress development on macOS.
 
diff --git a/rules/vibecodex-fastapi-production-cursorrules-prompt-file/.cursorrules b/rules/vibecodex-fastapi-production-cursorrules-prompt-file/.cursorrules
@@ -22,7 +22,11 @@ async def charge(
     user_id: str = Depends(get_current_user_id),
     svc: WalletUserService = Depends(get_wallet_service),
 ) -> WalletResponse:
-    wallet = await svc.charge(user_id=user_id, amount=req.amount, key=req.idempotency_key)
+    wallet = await svc.charge(
+        user_id=user_id,
+        amount=req.amount,
+        idempotency_key=req.idempotency_key,
+    )
     return WalletResponse.from_domain(wallet)
 
 BAD (business logic + SQL in router):
@@ -130,13 +134,21 @@ Every side-effect operation accepts an idempotency_key: UUID. Look up before ret
 ### Rule 4: Structured Logging with contextvars
 Use ContextVar to thread provider, user_id, request_id through async call stacks.
 
-provider_var = contextvars.ContextVar[str | None]("provider", default=None)
-user_id_var = contextvars.ContextVar[str | None]("user_id", default=None)
+import contextvars
+
+provider_var   = contextvars.ContextVar[str | None]("provider", default=None)
+user_id_var    = contextvars.ContextVar[str | None]("user_id", default=None)
+request_id_var = contextvars.ContextVar[str | None]("request_id", default=None)
+
+# Read in logs: provider_var.get(), user_id_var.get(), request_id_var.get()
+# JSON formatter picks these up automatically via extra={} or ContextVar.get()
 
 ### Rule 5: Single-Writer Principle (Principle B10)
-For safety-critical state: exactly ONE function does the writing.
-repo.hold() may only be called from services/credits/user.py.
-No router, no admin service, no provider may call repo.hold() directly.
+For safety-critical state: exactly ONE service-layer module does the writing.
+Only service-layer modules may call repo.hold().
+Routers, providers, and admin services must NOT call repo.hold() directly.
+Enforce via: code-review grep check (`grep -r "repo\.hold(" --include="*.py"`)
+and unit tests that assert call-origin of repo.hold().
 
 ## ANTI-PATTERNS — REJECT ON SIGHT
 
