playbooks

home / skills / samhvw8 / dotfiles / backend-development

backend-development skill

/dot_ccp/hub/skills/backend-development

This skill helps design, secure, and optimize production-grade backends across Node/Python stacks with scalable APIs and robust security.

npx playbooks add skill samhvw8/dotfiles --skill backend-development

Review the files below or copy the command above to add this skill to your agents.

Files (12)
SKILL.md
4.6 KB
---
name: backend-development
description: "Production backend systems development. Stack: Node.js/TypeScript, Python, Go, Rust | NestJS, FastAPI, Django, Express | PostgreSQL, MongoDB, Redis. Capabilities: REST/GraphQL/gRPC APIs, OAuth 2.1/JWT auth, OWASP security, microservices, caching, load balancing, Docker/K8s deployment. Actions: design, build, implement, secure, optimize, deploy, test APIs and services. Keywords: API design, REST, GraphQL, gRPC, authentication, OAuth, JWT, RBAC, database, PostgreSQL, MongoDB, Redis, caching, microservices, Docker, Kubernetes, CI/CD, OWASP, security, performance, scalability, NestJS, FastAPI, Express, middleware, rate limiting. Use when: designing APIs, implementing auth/authz, optimizing queries, building microservices, securing endpoints, deploying containers, setting up CI/CD."
license: MIT
version: 1.0.0
---

# Backend Development Skill

Production-ready backend development with modern technologies, best practices, and proven patterns.

## When to Use

- Designing RESTful, GraphQL, or gRPC APIs
- Building authentication/authorization systems
- Optimizing database queries and schemas
- Implementing caching and performance optimization
- OWASP Top 10 security mitigation
- Designing scalable microservices
- Testing strategies (unit, integration, E2E)
- CI/CD pipelines and deployment
- Monitoring and debugging production systems

## Technology Selection Guide

**Languages:** Node.js/TypeScript (full-stack), Python (data/ML), Go (concurrency), Rust (performance)
**Frameworks:** NestJS, FastAPI, Django, Express, Gin
**Databases:** PostgreSQL (ACID), MongoDB (flexible schema), Redis (caching)
**APIs:** REST (simple), GraphQL (flexible), gRPC (performance)

See: `references/backend-technologies.md` for detailed comparisons

## Reference Navigation

**Core Technologies:**
- `backend-technologies.md` - Languages, frameworks, databases, message queues, ORMs
- `backend-api-design.md` - REST, GraphQL, gRPC patterns and best practices

**Security & Authentication:**
- `backend-security.md` - OWASP Top 10 2025, security best practices, input validation
- `backend-authentication.md` - OAuth 2.1, JWT, RBAC, MFA, session management

**Performance & Architecture:**
- `backend-performance.md` - Caching, query optimization, load balancing, scaling
- `backend-architecture.md` - Microservices, event-driven, CQRS, saga patterns

**Quality & Operations:**
- `backend-testing.md` - Testing strategies, frameworks, tools, CI/CD testing
- `backend-code-quality.md` - SOLID principles, design patterns, clean code
- `backend-devops.md` - Docker, Kubernetes, deployment strategies, monitoring
- `backend-debugging.md` - Debugging strategies, profiling, logging, production debugging
- `backend-mindset.md` - Problem-solving, architectural thinking, collaboration

## Key Best Practices (2025)

**Security:** Argon2id passwords, parameterized queries (98% SQL injection reduction), OAuth 2.1 + PKCE, rate limiting, security headers

**Performance:** Redis caching (90% DB load reduction), database indexing (30% I/O reduction), CDN (50%+ latency cut), connection pooling

**Testing:** 70-20-10 pyramid (unit-integration-E2E), Vitest 50% faster than Jest, contract testing for microservices, 83% migrations fail without tests

**DevOps:** Blue-green/canary deployments, feature flags (90% fewer failures), Kubernetes 84% adoption, Prometheus/Grafana monitoring, OpenTelemetry tracing

## Quick Decision Matrix

| Need | Choose |
|------|--------|
| Fast development | Node.js + NestJS |
| Data/ML integration | Python + FastAPI |
| High concurrency | Go + Gin |
| Max performance | Rust + Axum |
| ACID transactions | PostgreSQL |
| Flexible schema | MongoDB |
| Caching | Redis |
| Internal services | gRPC |
| Public APIs | GraphQL/REST |
| Real-time events | Kafka |

## Implementation Checklist

**API:** Choose style → Design schema → Validate input → Add auth → Rate limiting → Documentation → Error handling

**Database:** Choose DB → Design schema → Create indexes → Connection pooling → Migration strategy → Backup/restore → Test performance

**Security:** OWASP Top 10 → Parameterized queries → OAuth 2.1 + JWT → Security headers → Rate limiting → Input validation → Argon2id passwords

**Testing:** Unit 70% → Integration 20% → E2E 10% → Load tests → Migration tests → Contract tests (microservices)

**Deployment:** Docker → CI/CD → Blue-green/canary → Feature flags → Monitoring → Logging → Health checks

## Resources

- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OAuth 2.1: https://oauth.net/2.1/
- OpenTelemetry: https://opentelemetry.io/

Overview

This skill provides production-ready backend development practices for building scalable, secure, and high-performance services using Node.js/TypeScript, Python, Go, and Rust. It covers API design (REST, GraphQL, gRPC), authentication and authorization, database design, caching, security hardening, testing, and containerized deployment. The guidance is pragmatic and focused on outcomes: secure endpoints, reliable deployments, and measurable performance improvements.

How this skill works

I inspect your functional and non-functional requirements, select an appropriate language and framework, and apply proven patterns for APIs, auth, data access, and DevOps. I design schema and indexes, implement auth (OAuth 2.1, JWT, RBAC), add security controls (OWASP mitigations, rate limiting, headers), and plan CI/CD, observability, and deployment (Docker/Kubernetes). Finally, I validate via tests, profiling, and load tests to ensure production readiness.

When to use it

  • Designing new REST/GraphQL/gRPC APIs for production systems
  • Implementing authentication and authorization (OAuth 2.1, JWT, RBAC)
  • Optimizing database queries, indexing, and caching (PostgreSQL, MongoDB, Redis)
  • Building or refactoring microservices with service boundaries, messaging, and tracing
  • Securing endpoints against OWASP Top 10 and adding rate limiting and input validation
  • Deploying containers with CI/CD, blue-green/canary, and production monitoring

Best practices

  • Choose tech by intent: NestJS for rapid Node APIs, FastAPI for Python data services, Go for concurrency, Rust for performance
  • Enforce input validation and parameterized queries to prevent injection and common OWASP issues
  • Use OAuth 2.1 + PKCE for delegated auth, sign access tokens with short TTLs and refresh securely
  • Cache judiciously (Redis) and add proper cache invalidation and connection pooling
  • Adopt 70-20-10 testing pyramid, contract tests for microservices, and automated migration tests
  • Deploy via Docker/Kubernetes with health checks, feature flags, tracing (OpenTelemetry), and Prometheus/Grafana monitoring

Example use cases

  • Design and implement a public REST+GraphQL API with rate limiting, docs, and pagination
  • Migrate a monolith to microservices with gRPC internal RPCs, event-driven communication, and contract tests
  • Add OAuth 2.1 login, RBAC, and MFA to an existing API with secure token handling
  • Optimize slow endpoints by adding indexes, caching hot queries in Redis, and profiling DB calls
  • Set up CI/CD pipelines that build images, run unit/integration tests, and deploy with canary releases

FAQ

Which stack should I pick for rapid development?

For fastest developer productivity choose Node.js with NestJS or Express; use TypeScript for type safety and maintainability.

How do I secure tokens and sessions in production?

Issue short-lived access tokens, use refresh tokens stored securely (httpOnly cookies or secure storage), rotate secrets, and enforce token revocation and MFA for sensitive flows.