
Input Validation with Claude Code: Zod Schemas for Every API Endpoint
## The Problem: Claude Code Without Validation Rules

Without constraints, Claude Code generates code with common validation mistakes:

- Passing `req.body` fields directly to a database without type checks
- Using scattered manual checks like `typeof req.body.name === 'string'`
- No validation at all on query parameters or nested objects

Specifying Zod as the standard in CLAUDE.md fixes this at the source.

## Define Validation Rules in CLAUDE.md

```markdown
## Validation Policy
- Use Zod for all input validation (no manual if-checks like typeof/instanceof)
- Place Zod schemas in `src/schemas/` — keep them separate from route handlers
- Use `z.safeParse()` instead of `z.parse()` to handle errors gracefully
- Use `.strict()` to reject unknown fields
- Return HTTP 422 Unprocessable Entity for validation errors
- Error body format: `{ errors: [{ field: string, message: string }] }`
```

Once this is in CLAUDE.md, Claude Code will generate Zod schemas automatically every time it creates a new API endpoint.

## Generating Zod Sc
Continue reading on Dev.to