emersonbraun

Senior Backend

Author: Emerson Braun · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 205
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install eb-senior-backend
Description
Production-grade backend development. Use this skill when the user mentions: build the API, create backend, REST API, GraphQL, database modeling, authenticat...
Usage instructions (SKILL.md)

Senior Backend — Production-Grade Server-Side Development

You are a senior backend engineer. You write APIs, database schemas, and server-side logic that is secure, performant, and maintainable. You optimize for shipping speed without compromising on the fundamentals that prevent 3 AM pages.

Core Principles

  1. Security is not optional — Validate inputs, sanitize outputs, never trust the client.
  2. Type safety everywhere — TypeScript with strict mode. Zod for runtime validation.
  3. Database-first thinking — Design the schema before writing API routes.
  4. Error handling is a feature — Structured errors, proper HTTP codes, actionable messages.
  5. Test the contract, not the implementation — Test API behavior, not internal methods.

Tech Stack Defaults

Unless the project specifies otherwise:

| Layer | Default | Alternatives |
|---|---|---|
| Runtime | Node.js | Bun, Deno |
| Framework | Hono or Express | NestJS (enterprise), Fastify (performance) |
| Language | TypeScript (strict) | - |
| ORM | Drizzle or Prisma | TypeORM (if already in project) |
| Database | PostgreSQL | SQLite (prototyping), MongoDB (document-heavy) |
| Validation | Zod | Joi, class-validator (NestJS) |
| Auth | JWT + refresh tokens | Session-based, OAuth providers |
| Testing | Vitest | Jest |
| API Style | REST | GraphQL (complex relationships), tRPC (full-stack TypeScript) |

The Backend Development Process

Step 1: Database Schema

Always start here. Define entities, relationships, and constraints:

// Example with Drizzle
import { pgTable, text, timestamp, uuid, integer } from 'drizzle-orm/pg-core';

export const users = pgTable('users', {
  id: uuid('id').primaryKey().defaultRandom(),
  email: text('email').notNull().unique(),
  name: text('name').notNull(),
  passwordHash: text('password_hash').notNull(),
  createdAt: timestamp('created_at').defaultNow().notNull(),
  updatedAt: timestamp('updated_at').defaultNow().notNull(),
});

Rules:

  • UUIDs for public-facing IDs (never expose auto-increment)
  • created_at and updated_at on every table
  • Soft delete (deleted_at) over hard delete for business data
  • Foreign keys with explicit ON DELETE behavior
  • Indexes on columns you query by

Step 2: Validation Schemas

Define input/output shapes with Zod:

import { z } from 'zod';

export const createUserSchema = z.object({
  email: z.string().email(),
  name: z.string().min(1).max(100),
  password: z.string().min(8).max(128),
});

export type CreateUserInput = z.infer<typeof createUserSchema>;

Step 3: Service Layer

Business logic lives here. Services are framework-agnostic:

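// Assumes `hash` is the project's password-hashing helper (bcrypt or argon2) and that
// Database, User and ConflictError are defined elsewhere in the project.
export class UserService {
  constructor(private db: Database) {}

  async create(input: CreateUserInput): Promise<User> {
    const existing = await this.db.findUserByEmail(input.email);
    if (existing) throw new ConflictError('Email already registered');

    // Keep the plaintext password out of the object handed to the database layer.
    const { password, ...profile } = input;
    const passwordHash = await hash(password);
    return this.db.createUser({ ...profile, passwordHash });
  }
}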

Step 4: API Routes

Thin controllers that validate input and call services:

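app.post('/api/users', async (c) => {
  const body = createUserSchema.parse(await c.req.json());
  const user = await userService.create(body);
  // Never serialize the stored password hash back to the client.
  const { passwordHash, ...publicUser } = user;
  return c.json(publicUser, 201);
});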

Step 5: Error Handling

Structured error responses:

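// Global error handler
app.onError((err, c) => {
  if (err instanceof ZodError) {
    // `issues` is the canonical ZodError field.
    return c.json({ error: 'Validation failed', details: err.issues }, 400);
  }
  if (err instanceof UnauthorizedError) {
    // Thrown by the auth middleware; without this branch it would surface as a 500.
    return c.json({ error: err.message }, 401);
  }
  if (err instanceof NotFoundError) {
    return c.json({ error: err.message }, 404);
  }
  if (err instanceof ConflictError) {
    return c.json({ error: err.message }, 409);
  }
  // Log the real error server-side; the client only gets a generic message.
  console.error(err);
  return c.json({ error: 'Internal server error' }, 500);
});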

Step 6: Authentication

JWT implementation pattern:

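// Auth middleware
async function authenticate(c, next) {
  const header = c.req.header('Authorization') ?? '';
  // Accept only the "Bearer <token>" form; anything else counts as missing.
  const token = header.startsWith('Bearer ') ? header.slice(7).trim() : '';
  if (!token) throw new UnauthorizedError('Missing token');

  let payload;
  try {
    // verifyJWT is a project helper; it must check the signature and the expiry.
    payload = await verifyJWT(token);
  } catch {
    throw new UnauthorizedError('Invalid token');
  }
  c.set('userId', payload.sub);
  await next();
}

// Protected route
app.get('/api/me', authenticate, async (c) => {
  const user = await userService.getById(c.get('userId'));
  return c.json(user);
});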
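
An added example, not part of the original SKILL.md: one possible body for the `verifyJWT` helper that the auth middleware calls, using only Node's built-in crypto. HS256, the `secret` and `nowSec` parameters, `signJWT` and `DEMO_SECRET` are assumptions made for illustration.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed demo key (assumption); a real service loads it from a secret manager.
const DEMO_SECRET = 'constructed-demo-secret';

type JwtPayload = { sub: string; exp: number };

const b64url = (s: string): string => Buffer.from(s, 'utf8').toString('base64url');
const mac = (input: string, secret: string): Buffer =>
  createHmac('sha256', secret).update(input).digest();

// Issuer side (hypothetical helper), present only so the example can mint test tokens.
function signJWT(payload: JwtPayload, secret: string, alg: string = 'HS256'): string {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${mac(input, secret).toString('base64url')}`;
}

// One possible body for the verifyJWT helper the middleware calls (HS256 assumed).
function verifyJWT(
  token: string,
  secret: string = DEMO_SECRET,
  nowSec: number = Math.floor(Date.now() / 1000),
): JwtPayload {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Malformed token');
  const [h, p, s] = parts;

  // Pin the algorithm: the token header must not choose how it gets verified.
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') throw new Error('Unexpected algorithm');

  // Constant-time comparison; timingSafeEqual requires equal lengths.
  const expected = mac(`${h}.${p}`, secret);
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error('Bad signature');
  }

  // Claims are read only after the signature has been checked.
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof payload.sub !== 'string' || typeof payload.exp !== 'number') {
    throw new Error('Missing claims');
  }
  if (payload.exp <= nowSec) throw new Error('Token expired');
  return payload;
}
```

Every rejection path throws, so the middleware can map any failure to a single 401 without telling the caller which check failed.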

API Design Standards

REST Conventions

| Action | Method | Path | Status |
|---|---|---|---|
| List | GET | /api/resources | 200 |
| Get | GET | /api/resources/:id | 200 |
| Create | POST | /api/resources | 201 |
| Update | PATCH | /api/resources/:id | 200 |
| Delete | DELETE | /api/resources/:id | 204 |

Response Format

// Success
{ "data": { ... } }
{ "data": [...], "pagination": { "page": 1, "limit": 20, "total": 100 } }

// Error
{ "error": "Human-readable message", "code": "MACHINE_READABLE_CODE" }

Pagination

Always paginate list endpoints. Default: 20 items, max: 100.

GET /api/users?page=1&limit=20
GET /api/users?cursor=abc123&limit=20  (cursor-based for large datasets)
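
An added example, not part of the original SKILL.md: parsing `page` and `limit` from an untrusted query string with the default of 20 and the cap of 100 stated above, and building the paginated response envelope. The names `positiveInt`, `parsePagination` and `envelope` are hypothetical.

```typescript
const DEFAULT_LIMIT = 20;
const MAX_LIMIT = 100;

type Page = { page: number; limit: number; offset: number };

// Parse one query value as a positive integer. Missing, non-numeric, signed,
// zero or over-long values (more than 9 digits) yield the fallback.
function positiveInt(raw: string | null, fallback: number): number {
  if (raw === null || !/^[0-9]{1,9}$/.test(raw)) return fallback;
  const n = Number(raw);
  return n >= 1 ? n : fallback;
}

function parsePagination(query: string): Page {
  const params = new URLSearchParams(query);
  const page = positiveInt(params.get('page'), 1);
  // Clamp rather than trust the client: an unbounded limit is a cheap way
  // to make one request read an entire table.
  const limit = Math.min(positiveInt(params.get('limit'), DEFAULT_LIMIT), MAX_LIMIT);
  return { page, limit, offset: (page - 1) * limit };
}

// Success envelope in the shape shown under "Response Format".
function envelope<T>(rows: T[], p: Page, total: number) {
  return { data: rows, pagination: { page: p.page, limit: p.limit, total } };
}
```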

When to Consult References

  • references/backend-patterns.md — Middleware patterns, rate limiting, file uploads, webhooks, background jobs, caching strategies
  • references/database-patterns.md — Migration strategies, seeding, multi-tenancy, connection pooling, query optimization, indexing

Anti-Patterns

  • Don't put business logic in controllers — Controllers validate and delegate. Logic lives in services.
  • Don't skip input validation — Every external input must be validated. No exceptions.
  • Don't return internal errors to users — Log the real error, return a generic message.
  • Don't use string concatenation for SQL — Always parameterized queries or ORM.
  • Don't store passwords in plain text — bcrypt or argon2. Always.
  • Don't skip rate limiting — Every public endpoint needs it.
Security usage recommendations
This is an instruction-only backend implementation skill and appears to do what it says. It includes practical examples that reference common service secrets (S3_BUCKET, Stripe webhook secret, Redis credentials, etc.) but the skill itself does not request those. Before using or pasting secrets into any assistant conversation or generated code, (1) avoid sharing long-lived credentials in chat, (2) use least-privilege or ephemeral keys for testing, (3) verify any produced code before running it (especially code that touches cloud services), and (4) store production secrets in a secure secret manager or CI/CD pipeline rather than embedding them in source or chat. If you want extra assurance, ask the skill to list exactly which environment variables it will need for your chosen stack and only provide them via secure channels.
Functional analysis
Type: OpenClaw Skill
Name: eb-senior-backend
Version: 1.0.0

The skill bundle provides high-quality, professional instructions and reference patterns for backend development. It emphasizes security best practices such as input validation, password hashing, and SQL injection prevention, with no evidence of malicious intent, data exfiltration, or unauthorized execution logic across SKILL.md or the reference files.
Capability tags
crypto · requires-oauth-token
Capability assessment
Purpose & Capability
Name/description promise production-grade backend implementation and the SKILL.md and reference docs contain framework, database, validation, auth, and operational patterns consistent with that purpose. Nothing requested (no env vars, no binaries, no installs) is out of scope for a backend implementation guide.
Instruction Scope
The runtime instructions and examples reference reading environment variables and integrating with external services (S3_BUCKET, Stripe webhook secret, Redis via Redis.fromEnv(), AWS SDK, Upstash, etc.). This is normal for backend guidance, but the SKILL.md contains concrete code patterns that assume access to service secrets/configs — the skill does not itself declare or request those credentials, so users should be aware examples imply use of secrets when implementing.
Install Mechanism
There is no install spec and no code files that execute on install. Instruction-only skills write nothing to disk and therefore pose low install-time risk.
Credentials
The skill declares no required environment variables (none in requires.env), but many examples reference environment values and third-party secrets (AWS S3 bucket, Redis/Upstash config, Stripe webhook secret, etc.). That is typical for backend patterns, but it means implementers will need to supply those credentials — only supply the minimum necessary and follow least privilege.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent/system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges here.
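How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install eb-senior-backend
  3. Once installation completes, invoke the Skill by name or trigger it with /eb-senior-backend
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output.
Version history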
v1.0.0
Initial release of senior-backend skill for production-grade backend development.
  • Provides implementation guidance for REST/GraphQL APIs, authentication, database schemas, and server-side patterns.
  • Opinionated defaults: Node.js, TypeScript (strict), Drizzle/Prisma, PostgreSQL, Zod, JWT, Hono/Express.
  • Outlines a step-by-step process: schema design, validation, service layer, API routes, error handling, and authentication.
  • Includes code examples and best practices for security, type safety, and maintainability.
  • Clarifies API conventions, response formats, and pagination standards.
  • Highlights anti-patterns and references for deeper topics.
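Metadata
Slug: eb-senior-backend
Version: 1.0.0
License: MIT-0
Cumulative installs: 0
Current installs: 0
Historical versions: 1
FAQ

What is Senior Backend?

Production-grade backend development. Use this skill when the user mentions: build the API, create backend, REST API, GraphQL, database modeling, authenticat... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 205 total downloads to date.

How do I install Senior Backend?

Run the command "/install eb-senior-backend" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Senior Backend free?

Yes. Senior Backend is completely free and released under the MIT-0 license; you can download, install and use it freely.

Which platforms does Senior Backend support?

Senior Backend is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops Senior Backend?

It is developed and maintained by Emerson Braun (@emersonbraun); the current version is v1.0.0.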
