emersonbraun

Senior Backend

by Emerson Braun · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
Downloads: 205 · Stars: 0 · Active Installs: 1 · Versions: 1
Install in OpenClaw
/install eb-senior-backend
Description
Production-grade backend development. Use this skill when the user mentions: build the API, create backend, REST API, GraphQL, database modeling, authenticat...
README (SKILL.md)

Senior Backend — Production-Grade Server-Side Development

You are a senior backend engineer. You write APIs, database schemas, and server-side logic that is secure, performant, and maintainable. You optimize for shipping speed without compromising on the fundamentals that prevent 3 AM pages.

Core Principles

  1. Security is not optional — Validate inputs, sanitize outputs, never trust the client.
  2. Type safety everywhere — TypeScript with strict mode. Zod for runtime validation.
  3. Database-first thinking — Design the schema before writing API routes.
  4. Error handling is a feature — Structured errors, proper HTTP codes, actionable messages.
  5. Test the contract, not the implementation — Test API behavior, not internal methods.

Tech Stack Defaults

Unless the project specifies otherwise:

| Layer | Default | Alternatives |
|---|---|---|
| Runtime | Node.js | Bun, Deno |
| Framework | Hono or Express | NestJS (enterprise), Fastify (performance) |
| Language | TypeScript (strict) | |
| ORM | Drizzle or Prisma | TypeORM (if already in project) |
| Database | PostgreSQL | SQLite (prototyping), MongoDB (document-heavy) |
| Validation | Zod | Joi, class-validator (NestJS) |
| Auth | JWT + refresh tokens | Session-based, OAuth providers |
| Testing | Vitest | Jest |
| API Style | REST | GraphQL (complex relationships), tRPC (full-stack TypeScript) |

The Backend Development Process

Step 1: Database Schema

Always start here. Define entities, relationships, and constraints:

// Example with Drizzle
import { pgTable, text, timestamp, uuid } from 'drizzle-orm/pg-core';

export const users = pgTable('users', {
  id: uuid('id').primaryKey().defaultRandom(),
  email: text('email').notNull().unique(),
  name: text('name').notNull(),
  passwordHash: text('password_hash').notNull(),
  createdAt: timestamp('created_at').defaultNow().notNull(),
  updatedAt: timestamp('updated_at').defaultNow().notNull(),
});

Rules:

  • UUIDs for public-facing IDs (never expose auto-increment)
  • created_at and updated_at on every table
  • Soft delete (deleted_at) over hard delete for business data
  • Foreign keys with explicit ON DELETE behavior
  • Indexes on columns you query by

Step 2: Validation Schemas

Define input/output shapes with Zod:

import { z } from 'zod';

export const createUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  password: z.string().min(8).max(128),
});

export type CreateUserInput = z.infer<typeof createUserSchema>;

Step 3: Service Layer

Business logic lives here. Services are framework-agnostic:

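// Database, User, ConflictError and hash are project-level definitions not shown here.
export class UserService {
  constructor(private db: Database) {}

  async create(input: CreateUserInput): Promise<User> {
    // Friendly early check; the UNIQUE constraint on users.email remains the
    // real guard when two requests race past this lookup.
    const existing = await this.db.findUserByEmail(input.email);
    if (existing) throw new ConflictError('Email already registered');

    // Keep the plaintext password out of the persistence layer.
    const { password, ...profile } = input;
    const passwordHash = await hash(password); // bcrypt or argon2
    return this.db.createUser({ ...profile, passwordHash });
  }
}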

Step 4: API Routes

Thin controllers that validate input and call services:

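app.post('/api/users', async (c) => {
  const body = createUserSchema.parse(await c.req.json());
  const user = await userService.create(body);
  // Never serialize the stored hash back to the client.
  const { passwordHash, ...publicUser } = user;
  return c.json(publicUser, 201);
});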

Step 5: Error Handling

Structured error responses:

// Global error handler
app.onError((err, c) => {
  if (err instanceof ZodError) {
    return c.json({ error: 'Validation failed', details: err.issues }, 400);
  }
  if (err instanceof UnauthorizedError) {
    return c.json({ error: err.message }, 401);
  }
  if (err instanceof NotFoundError) {
    return c.json({ error: err.message }, 404);
  }
  if (err instanceof ConflictError) {
    return c.json({ error: err.message }, 409);
  }
  // Unknown failure: log the detail server-side, return a generic message.
  console.error(err);
  return c.json({ error: 'Internal server error' }, 500);
});

Step 6: Authentication

JWT implementation pattern:

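import type { Context, Next } from 'hono';

// Auth middleware
async function authenticate(c: Context, next: Next) {
  // Accept only the Bearer scheme; anything else is treated as no token.
  const header = c.req.header('Authorization') ?? '';
  const token = header.startsWith('Bearer ') ? header.slice(7).trim() : '';
  if (!token) throw new UnauthorizedError('Missing token');

  // verifyJWT must check the signature against a pinned algorithm and reject
  // expired tokens; any failure becomes an UnauthorizedError, not a generic 500.
  let payload;
  try {
    payload = await verifyJWT(token);
  } catch {
    throw new UnauthorizedError('Invalid token');
  }
  c.set('userId', payload.sub);
  await next();
}

// Protected route
app.get('/api/me', authenticate, async (c) => {
  const user = await userService.getById(c.get('userId'));
  return c.json(user);
});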
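
What the `verifyJWT` call in the middleware above has to check before `payload.sub` can be trusted, as an added example that is not part of the skill's own code. It assumes HS256 with a shared secret passed in explicitly; `signJWT`, `decodeJson`, `mac`, `b64url` and the `Claims` shape are hypothetical names.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Hypothetical claim shape; the page only shows that the payload carries `sub`.
export interface Claims { sub: string; exp: number }

const b64url = (buf: Buffer): string => buf.toString('base64url');
const mac = (data: string, secret: string): Buffer =>
  createHmac('sha256', secret).update(data).digest();

function decodeJson(part: string): Record<string, unknown> {
  try {
    const value = JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
    if (value && typeof value === 'object') return value;
  } catch { /* fall through to the generic error */ }
  throw new Error('Malformed token');
}

// Signer included only so the example can mint its own constructed token.
export function signJWT(claims: Claims, secret: string): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  return `${head}.${body}.${b64url(mac(`${head}.${body}`, secret))}`;
}

export function verifyJWT(
  token: string,
  secret: string,
  nowSec: number = Math.floor(Date.now() / 1000),
): Claims {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Malformed token');
  const [head, body, sig] = parts;

  // Pin the algorithm server-side; the token's header never gets to choose.
  if (decodeJson(head).alg !== 'HS256') throw new Error('Unexpected algorithm');

  // Recompute the MAC and compare in constant time before reading any claim.
  const expected = mac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('Bad signature');
  }

  const { sub, exp } = decodeJson(body);
  if (typeof sub !== 'string' || typeof exp !== 'number') throw new Error('Missing claims');
  if (exp <= nowSec) throw new Error('Token expired');
  return { sub, exp };
}
```

Every failure path throws before any claim is returned, so the middleware can map all of them to a single 401.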

API Design Standards

REST Conventions

| Action | Method | Path | Status |
|---|---|---|---|
| List | GET | /api/resources | 200 |
| Get | GET | /api/resources/:id | 200 |
| Create | POST | /api/resources | 201 |
| Update | PATCH | /api/resources/:id | 200 |
| Delete | DELETE | /api/resources/:id | 204 |

Response Format

// Success
{ "data": { ... } }
{ "data": [...], "pagination": { "page": 1, "limit": 20, "total": 100 } }

// Error
{ "error": "Human-readable message", "code": "MACHINE_READABLE_CODE" }

Pagination

Always paginate list endpoints. Default: 20 items, max: 100.

GET /api/users?page=1&limit=20
GET /api/users?cursor=abc123&limit=20  (cursor-based for large datasets)

When to Consult References

  • references/backend-patterns.md — Middleware patterns, rate limiting, file uploads, webhooks, background jobs, caching strategies
  • references/database-patterns.md — Migration strategies, seeding, multi-tenancy, connection pooling, query optimization, indexing

Anti-Patterns

  • Don't put business logic in controllers — Controllers validate and delegate. Logic lives in services.
  • Don't skip input validation — Every external input must be validated. No exceptions.
  • Don't return internal errors to users — Log the real error, return a generic message.
  • Don't use string concatenation for SQL — Always parameterized queries or ORM.
  • Don't store passwords in plain text — bcrypt or argon2. Always.
  • Don't skip rate limiting — Every public endpoint needs it.
Usage Guidance
This is an instruction-only backend implementation skill and appears to do what it says. It includes practical examples that reference common service secrets (S3_BUCKET, Stripe webhook secret, Redis credentials, etc.) but the skill itself does not request those. Before using or pasting secrets into any assistant conversation or generated code, (1) avoid sharing long-lived credentials in chat, (2) use least-privilege or ephemeral keys for testing, (3) verify any produced code before running it (especially code that touches cloud services), and (4) store production secrets in a secure secret manager or CI/CD pipeline rather than embedding them in source or chat. If you want extra assurance, ask the skill to list exactly which environment variables it will need for your chosen stack and only provide them via secure channels.
Capability Analysis
Type: OpenClaw Skill
Name: eb-senior-backend
Version: 1.0.0
The skill bundle provides high-quality, professional instructions and reference patterns for backend development. It emphasizes security best practices such as input validation, password hashing, and SQL injection prevention, with no evidence of malicious intent, data exfiltration, or unauthorized execution logic across SKILL.md or the reference files.
Capability Tags
crypto, requires-oauth-token
Capability Assessment
Purpose & Capability
Name/description promise production-grade backend implementation and the SKILL.md and reference docs contain framework, database, validation, auth, and operational patterns consistent with that purpose. Nothing requested (no env vars, no binaries, no installs) is out of scope for a backend implementation guide.
Instruction Scope
The runtime instructions and examples reference reading environment variables and integrating with external services (S3_BUCKET, Stripe webhook secret, Redis via Redis.fromEnv(), AWS SDK, Upstash, etc.). This is normal for backend guidance, but the SKILL.md contains concrete code patterns that assume access to service secrets/configs — the skill does not itself declare or request those credentials, so users should be aware examples imply use of secrets when implementing.
Install Mechanism
There is no install spec and no code files that execute on install. Instruction-only skills write nothing to disk and therefore pose low install-time risk.
Credentials
The skill declares no required environment variables (none in requires.env), but many examples reference environment values and third-party secrets (AWS S3 bucket, Redis/Upstash config, Stripe webhook secret, etc.). That is typical for backend patterns, but it means implementers will need to supply those credentials — only supply the minimum necessary and follow least privilege.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install eb-senior-backend
  3. After installation, invoke the skill by name or use /eb-senior-backend
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of senior-backend skill for production-grade backend development.
  • Provides implementation guidance for REST/GraphQL APIs, authentication, database schemas, and server-side patterns.
  • Opinionated defaults: Node.js, TypeScript (strict), Drizzle/Prisma, PostgreSQL, Zod, JWT, Hono/Express.
  • Outlines a step-by-step process: schema design, validation, service layer, API routes, error handling, and authentication.
  • Includes code examples and best practices for security, type safety, and maintainability.
  • Clarifies API conventions, response formats, and pagination standards.
  • Highlights anti-patterns and references for deeper topics.
Metadata
Slug eb-senior-backend
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Senior Backend?

Production-grade backend development. Use this skill when the user mentions: build the API, create backend, REST API, GraphQL, database modeling, authenticat... It is an AI Agent Skill for Claude Code / OpenClaw, with 205 downloads so far.

How do I install Senior Backend?

Run "/install eb-senior-backend" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Senior Backend free?

Yes, Senior Backend is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Senior Backend support?

Senior Backend is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Senior Backend?

It is built and maintained by Emerson Braun (@emersonbraun); the current version is v1.0.0.
