Get the FREE Ultimate OpenClaw Setup Guide →

backend

Scanned
npx machina-cli add skill Joncik91/ucai/backend --openclaw
Files (1)
SKILL.md
5.1 KB

Backend Engineer

Backend development patterns, API design, database optimization, and security practices for any language or framework.

Step 1: Detect the Stack

Before writing any code, identify the language and framework from project signals:

Signal file / patternStack
package.json with express/fastify/hono/koaNode.js
package.json with nestNestJS
go.modGo
Cargo.tomlRust
pyproject.toml / requirements.txt + FastAPI/Django/FlaskPython
pom.xml / build.gradleJava/Spring
*.csproj / Program.cs.NET/C#
mix.exsElixir/Phoenix
Gemfile with rails/sinatraRuby

Check: ls -la, cat package.json, cat go.mod, cat pyproject.toml — whichever exists.

Step 2: Research Current Practices

Once you know the stack, search for current best practices before making recommendations:

WebSearch: "<framework> REST API best practices 2025"
WebSearch: "<framework> authentication JWT best practices 2025"
WebSearch: "<database> query optimization <framework> 2025"
WebSearch: "<framework> microservices patterns 2025"

Use the search results to ground your recommendations in current community standards.

Step 3: Universal Backend Principles

These apply regardless of language or framework.

API Design

  • REST resource naming: nouns, plural, lowercase (/users, /orders/{id})
  • Versioning: /api/v1/ prefix or Accept: application/vnd.api+json;version=1 header
  • Status codes: 200 OK, 201 Created, 204 No Content, 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict, 422 Unprocessable Entity, 429 Too Many Requests, 500 Internal Server Error
  • Pagination: cursor-based for large/changing datasets, offset-based for small/stable ones
  • Idempotency: PUT and DELETE must be idempotent; POST uses idempotency keys for critical operations
  • Error shape: consistent { error: { code, message, details } } across all endpoints

Database

  • N+1 prevention: use eager loading / joins — never query in a loop
  • Index strategy: index foreign keys, columns in WHERE/ORDER BY/GROUP BY; composite indexes for multi-column filters
  • Transactions: wrap multi-step mutations; use the lowest isolation level that preserves correctness
  • Migrations: always reversible (up + down); never drop columns in same deploy as code change
  • Connection pooling: always use a pool; size = (2 x CPU cores) + effective spindle count as starting point

Authentication and Authorization

  • Password storage: bcrypt/argon2/scrypt — never MD5, SHA1, or plain SHA256
  • JWT: short-lived access tokens (15m), long-lived refresh tokens (7d) stored httpOnly cookie; validate alg, iss, aud, exp
  • Session tokens: cryptographically random, 128+ bits, stored server-side
  • RBAC: check permissions at the service layer, not just the route layer
  • Rate limiting: per-user and per-IP on auth endpoints; exponential backoff on failures

Error Handling

  • Never swallow errors: log with context (user ID, request ID, stack trace)
  • Distinguish errors: validation (400), auth (401/403), not found (404), conflict (409), server (500)
  • Structured logging: JSON logs with level, timestamp, requestId, userId, message, error
  • Circuit breakers: wrap external service calls; fail fast when downstream is degraded

Security

  • Input validation: validate at the boundary — type, range, format, length
  • SQL injection: always use parameterized queries / prepared statements
  • Command injection: never interpolate user input into shell commands
  • CORS: explicit allowlist — never * in production for credentialed requests
  • Secrets: environment variables or secret manager — never hardcoded, never in version control
  • Dependencies: audit regularly (npm audit, cargo audit, pip-audit, govulncheck)

Performance

  • Caching strategy: cache at the right layer (CDN -> reverse proxy -> app -> DB); set explicit TTLs and cache-control headers
  • Async processing: move slow work (email, image processing, reports) to a queue
  • Payload size: paginate large responses; use field selection (GraphQL) or sparse fieldsets (JSON:API)
  • Database reads: read replicas for reporting queries; connection pooling for all queries

Review Checklist

Before any backend PR:

  • All inputs validated and sanitized at the boundary
  • Auth checked — correct user can do this, others cannot
  • N+1 queries absent — checked with query logging or explain
  • Error paths return correct status codes and structured errors
  • Secrets in env vars, not source
  • DB migrations are reversible
  • Logging includes requestId and userId for traceability
  • Rate limiting on public/auth endpoints
  • No shell command injection surface
  • Dependencies pinned and audited

Source

git clone https://github.com/Joncik91/ucai/blob/main/skills/backend/SKILL.mdView on GitHub

Overview

Backend Engineer covers patterns for API design, database optimization, and security practices for any language or framework. It guides you from stack detection to applying universal principles like REST rules, indexing, and secure auth to build reliable, scalable backends.

How This Skill Works

It starts by detecting the project's tech stack from signals like package.json, go.mod, or pyproject.toml. Then it researches current best practices for the identified framework and applies universal backend principles such as REST design, database indexing, and secure auth. Finally, you adapt these patterns to design APIs, optimize queries, set up GraphQL or microservices, manage migrations, and run load tests.

When to Use It

  • Design REST APIs with proper resource naming, versioning, and error handling
  • Optimize database queries and indexing for performance
  • Implement authentication/authorization with JWTs and RBAC
  • Set up GraphQL or microservices architectures
  • Review backend code, manage migrations, and plan load testing

Quick Start

  1. Step 1: Detect the project stack from signals (package.json, go.mod, pyproject.toml, etc.)
  2. Step 2: Research current best practices for the detected framework and patterns
  3. Step 3: Apply universal backend principles to API design, DB optimization, and security

Best Practices

  • REST design: nouns, plurals, versioning, proper status codes, pagination, idempotency, and structured errors
  • Database optimization: prevent N+1, use appropriate indexes, apply transactions, ensure reversible migrations, and use connection pooling
  • Auth & security: bcrypt/argon2 hashing, short-lived access tokens with httpOnly refresh tokens, and RBAC checks
  • Error handling and logging: propagate context, use consistent error shapes and status codes, and rely on circuit breakers where needed
  • Security hygiene: input validation, parameterized queries, avoid shell interpolation, and enforce sensible CORS policies

Example Use Cases

  • Design a versioned REST API for /api/v1/products with standard CRUD endpoints and consistent error responses
  • Refactor N+1 queries by joining tables or using eager loading to reduce database calls
  • Add JWT-based authentication in a Node.js app with short-lived access tokens and httpOnly refresh tokens
  • Decompose a monolith into microservices with clear service contracts and robust inter-service communication
  • Set up a GraphQL endpoint with pagination, field-level authorization, and schema stitching as needed

Frequently Asked Questions

Add this skill to your agents
Sponsor this space

Reach thousands of developers