backend-fundamentals
Auto-invoke when reviewing API routes, server logic, Express/Node.js code, or backend architecture. Enforces REST conventions, middleware patterns, and separation of concerns.
Best use case
backend-fundamentals is best used when you need a repeatable AI agent workflow instead of a one-off prompt. It is especially useful for teams working in multi. Auto-invoke when reviewing API routes, server logic, Express/Node.js code, or backend architecture. Enforces REST conventions, middleware patterns, and separation of concerns.
Auto-invoke when reviewing API routes, server logic, Express/Node.js code, or backend architecture. Enforces REST conventions, middleware patterns, and separation of concerns.
Users should expect a more consistent workflow output, faster repeated execution, and less time spent rewriting prompts from scratch.
Practical example
Example input
Use the "backend-fundamentals" skill to help with this workflow task. Context: Auto-invoke when reviewing API routes, server logic, Express/Node.js code, or backend architecture. Enforces REST conventions, middleware patterns, and separation of concerns.
Example output
A structured workflow result with clearer steps, more consistent formatting, and an output that is easier to reuse in the next run.
When to use this skill
- Use this skill when you want a reusable workflow rather than writing the same prompt again and again.
When not to use this skill
- Do not use this when you only need a one-off answer and do not need a reusable workflow.
- Do not use it if you cannot install or maintain the related files, repository context, or supporting tools.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/backend-fundamentals/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How backend-fundamentals Compares
| Feature / Agent | backend-fundamentals | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Auto-invoke when reviewing API routes, server logic, Express/Node.js code, or backend architecture. Enforces REST conventions, middleware patterns, and separation of concerns.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Backend Fundamentals Review
> "APIs are contracts. Break them, and you break trust."
## When to Apply
Activate this skill when reviewing:
- API route handlers
- Express/Fastify/Hono middleware
- Database queries and models
- Authentication/authorization logic
- Server-side business logic
---
## Review Checklist
### API Design
- [ ] **RESTful**: Do routes follow REST conventions? (GET for read, POST for create, etc.)
- [ ] **Naming**: Are endpoints nouns, not verbs? (`/users` not `/getUsers`)
- [ ] **Versioning**: Is API versioned for future changes? (`/api/v1/`)
- [ ] **Status Codes**: Are correct HTTP status codes returned?
### Separation of Concerns
- [ ] **Routes**: Do routes only handle HTTP concerns (req/res)?
- [ ] **Controllers**: Is business logic in controllers/services, not routes?
- [ ] **Services**: Is data access abstracted from business logic?
- [ ] **Models**: Are models responsible only for data shape/validation?
### Error Handling
- [ ] **Try/Catch**: Are async operations wrapped properly?
- [ ] **Error Responses**: Are errors returned with proper status codes?
- [ ] **Logging**: Are errors logged with context?
- [ ] **No Leaks**: Are internal errors hidden from clients?
### Security
- [ ] **Input Validation**: Is ALL input validated before use?
- [ ] **Authentication**: Are protected routes actually protected?
- [ ] **Authorization**: Can users only access their own data?
- [ ] **Rate Limiting**: Are endpoints protected from abuse?
---
## Common Mistakes (Anti-Patterns)
### 1. Fat Routes
```
❌ app.post('/users', async (req, res) => {
// 100 lines of validation, business logic, DB queries
});
✅ app.post('/users', validateUser, userController.create);
```
### 2. No Input Validation
```
❌ const { email } = req.body;
await db.query(`SELECT * FROM users WHERE email = '${email}'`);
✅ const { email } = validateBody(req.body, userSchema);
await User.findByEmail(email); // parameterized
```
### 3. Wrong Status Codes
```
❌ res.status(200).json({ error: 'Not found' });
✅ res.status(404).json({ error: 'User not found' });
```
### 4. Leaking Internal Errors
```
❌ catch (error) {
res.status(500).json({ error: error.message, stack: error.stack });
}
✅ catch (error) {
logger.error('User creation failed', { error, userId });
res.status(500).json({ error: 'Something went wrong' });
}
```
---
## Socratic Questions
Ask the junior these questions instead of giving answers:
1. **Architecture**: "If I wanted to switch from Express to Fastify, what would need to change?"
2. **Validation**: "What happens if someone sends malformed JSON?"
3. **Auth**: "How do you know this user owns this resource?"
4. **Errors**: "What does the client see when the database is down?"
5. **Testing**: "How would you test this endpoint in isolation?"
---
## HTTP Status Code Reference
| Code | When to Use |
|------|-------------|
| 200 | Success (with body) |
| 201 | Created (after POST) |
| 204 | Success (no content, after DELETE) |
| 400 | Bad request (validation failed) |
| 401 | Unauthorized (not logged in) |
| 403 | Forbidden (logged in but not allowed) |
| 404 | Not found |
| 409 | Conflict (duplicate resource) |
| 500 | Server error (hide details from client) |
---
## Architecture Layers
```
Request → Route → Controller → Service → Repository → Database
↓
Middleware (auth, validation, logging)
```
| Layer | Responsibility |
|-------|----------------|
| Route | HTTP verbs, paths, middleware chain |
| Controller | Request/response handling, calling services |
| Service | Business logic, orchestration |
| Repository | Data access, queries |
---
## Red Flags to Call Out
| Flag | Question to Ask |
|------|-----------------|
| SQL in route handler | "Should data access be in a separate layer?" |
| No try/catch on async | "What happens if this fails?" |
| req.body used directly | "What if someone sends unexpected fields?" |
| Hardcoded secrets | "How would this work in production?" |
| No pagination on list endpoints | "What if there are 10,000 records?" |Related Skills
woocommerce-backend-dev
Add or modify WooCommerce backend PHP code following project conventions. Use when creating new classes, methods, hooks, or modifying existing backend code. **MUST be invoked before writing any PHP unit tests.**
routeros-fundamentals
RouterOS v7 domain knowledge for AI agents. Use when: working with MikroTik RouterOS, writing RouterOS CLI/script commands, calling RouterOS REST API, debugging why a Linux command fails on RouterOS, or when the user mentions MikroTik, RouterOS, CHR, or /ip /system /interface paths. Scope: RouterOS 7.x (long-term and newer) only — v6 is NOT covered and accuracy for v6 problems will be low.
backend-testing
Write comprehensive backend tests including unit tests, integration tests, and API tests. Use when testing REST APIs, database operations, authentication flows, or business logic. Handles Jest, Pytest, Mocha, testing strategies, mocking, and test coverage.
nodejs-backend-patterns
Build production-ready Node.js backend services with Express/Fastify, implementing middleware patterns, error handling, authentication, database integration, and API design best practices. Use when creating Node.js servers, REST APIs, GraphQL backends, or microservices architectures.
geo-fundamentals
Generative Engine Optimization for AI search engines (ChatGPT, Claude, Perplexity).
dotnet-backend
Build ASP.NET Core 8+ backend services with EF Core, auth, background jobs, and production API patterns.
dotnet-backend-patterns
Master C#/.NET backend development patterns for building robust APIs, MCP servers, and enterprise applications. Covers async/await, dependency injection, Entity Framework Core, Dapper, configuration, caching, and testing with xUnit. Use when developing .NET backends, reviewing C# code, or designing API architectures.
cc-skill-backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
backend-security-coder
Expert in secure backend coding practices specializing in input validation, authentication, and API security. Use PROACTIVELY for backend security implementations or security code reviews.
backend-patterns
Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes.
backend-development-feature-development
Orchestrate end-to-end backend feature development from requirements to deployment. Use when coordinating multi-phase feature delivery across teams and services.
when-building-backend-api-orchestrate-api-development
Use when building a production-ready REST API from requirements through deployment. Orchestrates 8-12 specialist agents across 5 phases using Test-Driven Development methodology. Covers planning, architecture, TDD implementation, comprehensive testing, documentation, and blue-green deployment over a 2-week timeline with emphasis on quality and reliability.