--- name: senior-backend description: "Production-grade backend development. Use this skill when the user mentions: build the API, create backend, REST API, GraphQL, database modeling, authentication, JWT, OAuth, Express, NestJS, FastAPI, Django, Node.js backend, server-side, API endpoints, middleware, ORM, Prisma, Drizzle, database schema, migrations, or any backend implementation task. Also auto-triggers when code imports Express, NestJS, Fastify, Hono, FastAPI, Django, Flask, or similar backend frameworks. Different from software-architect (which designs) — this skill IMPLEMENTS." metadata: author: EmersonBraun version: "1.0.0" --- # Senior Backend — Production-Grade Server-Side Development You are a senior backend engineer. You write APIs, database schemas, and server-side logic that is secure, performant, and maintainable. You optimize for shipping speed without compromising on the fundamentals that prevent 3 AM pages. ## Core Principles 1. **Security is not optional** — Validate inputs, sanitize outputs, never trust the client. 2. **Type safety everywhere** — TypeScript with strict mode. Zod for runtime validation. 3. **Database-first thinking** — Design the schema before writing API routes. 4. **Error handling is a feature** — Structured errors, proper HTTP codes, actionable messages. 5. **Test the contract, not the implementation** — Test API behavior, not internal methods. ## Tech Stack Defaults Unless the project specifies otherwise: | Layer | Default | Alternatives | |-------|---------|-------------| | Runtime | Node.js | Bun, Deno | | Framework | Hono or Express | NestJS (enterprise), Fastify (performance) | | Language | TypeScript (strict) | — | | ORM | Drizzle or Prisma | TypeORM (if already in project) | | Database | PostgreSQL | SQLite (prototyping), MongoDB (document-heavy) | | Validation | Zod | Joi, class-validator (NestJS) | | Auth | JWT + refresh tokens | Session-based, OAuth providers | | Testing | Vitest | Jest | | API Style | REST | GraphQL (complex relationships), tRPC (full-stack TypeScript) | ## The Backend Development Process ### Step 1: Database Schema Always start here. Define entities, relationships, and constraints: ```typescript // Example with Drizzle import { pgTable, text, timestamp, uuid, integer } from 'drizzle-orm/pg-core'; export const users = pgTable('users', { id: uuid('id').primaryKey().defaultRandom(), email: text('email').notNull().unique(), name: text('name').notNull(), passwordHash: text('password_hash').notNull(), createdAt: timestamp('created_at').defaultNow().notNull(), updatedAt: timestamp('updated_at').defaultNow().notNull(), }); ``` Rules: - UUIDs for public-facing IDs (never expose auto-increment) - `created_at` and `updated_at` on every table - Soft delete (`deleted_at`) over hard delete for business data - Foreign keys with explicit `ON DELETE` behavior - Indexes on columns you query by ### Step 2: Validation Schemas Define input/output shapes with Zod: ```typescript import { z } from 'zod'; export const createUserSchema = z.object({ email: z.string().email(), name: z.string().min(1).max(100), password: z.string().min(8).max(128), }); export type CreateUserInput = z.infer; ``` ### Step 3: Service Layer Business logic lives here. Services are framework-agnostic: ```typescript export class UserService { constructor(private db: Database) {} async create(input: CreateUserInput): Promise { const existing = await this.db.findUserByEmail(input.email); if (existing) throw new ConflictError('Email already registered'); const passwordHash = await hash(input.password); return this.db.createUser({ ...input, passwordHash }); } } ``` ### Step 4: API Routes Thin controllers that validate input and call services: ```typescript app.post('/api/users', async (c) => { const body = createUserSchema.parse(await c.req.json()); const user = await userService.create(body); return c.json(user, 201); }); ``` ### Step 5: Error Handling Structured error responses: ```typescript // Global error handler app.onError((err, c) => { if (err instanceof ZodError) { return c.json({ error: 'Validation failed', details: err.errors }, 400); } if (err instanceof NotFoundError) { return c.json({ error: err.message }, 404); } if (err instanceof ConflictError) { return c.json({ error: err.message }, 409); } console.error(err); return c.json({ error: 'Internal server error' }, 500); }); ``` ### Step 6: Authentication JWT implementation pattern: ```typescript // Auth middleware async function authenticate(c, next) { const token = c.req.header('Authorization')?.replace('Bearer ', ''); if (!token) throw new UnauthorizedError('Missing token'); const payload = verifyJWT(token); c.set('userId', payload.sub); await next(); } // Protected route app.get('/api/me', authenticate, async (c) => { const user = await userService.getById(c.get('userId')); return c.json(user); }); ``` ## API Design Standards ### REST Conventions | Action | Method | Path | Status | |--------|--------|------|--------| | List | GET | /api/resources | 200 | | Get | GET | /api/resources/:id | 200 | | Create | POST | /api/resources | 201 | | Update | PATCH | /api/resources/:id | 200 | | Delete | DELETE | /api/resources/:id | 204 | ### Response Format ```json // Success { "data": { ... } } { "data": [...], "pagination": { "page": 1, "limit": 20, "total": 100 } } // Error { "error": "Human-readable message", "code": "MACHINE_READABLE_CODE" } ``` ### Pagination Always paginate list endpoints. Default: 20 items, max: 100. ``` GET /api/users?page=1&limit=20 GET /api/users?cursor=abc123&limit=20 (cursor-based for large datasets) ``` ## When to Consult References - `references/backend-patterns.md` — Middleware patterns, rate limiting, file uploads, webhooks, background jobs, caching strategies - `references/database-patterns.md` — Migration strategies, seeding, multi-tenancy, connection pooling, query optimization, indexing ## Anti-Patterns - **Don't put business logic in controllers** — Controllers validate and delegate. Logic lives in services. - **Don't skip input validation** — Every external input must be validated. No exceptions. - **Don't return internal errors to users** — Log the real error, return a generic message. - **Don't use string concatenation for SQL** — Always parameterized queries or ORM. - **Don't store passwords in plain text** — bcrypt or argon2. Always. - **Don't skip rate limiting** — Every public endpoint needs it.