Agent skill
backend-fundamentals
Reviews API design, REST conventions, and backend architecture. Use when a junior builds API endpoints, Express routes, middleware, or controllers, or asks "is this RESTful" or "check my endpoint".
Install this agent skill to your Project
npx add-skill https://github.com/DanielPodolsky/ownyourcode/tree/main/.claude/skills/fundamentals/backend
SKILL.md
Backend Fundamentals Review
"APIs are contracts. Break them, and you break trust."
When to Apply
Activate this skill when reviewing:
- API route handlers
- Express/Fastify/Hono middleware
- Database queries and models
- Authentication/authorization logic
- Server-side business logic
Review Checklist
API Design
- RESTful: Do routes follow REST conventions? (GET for read, POST for create, etc.)
- Naming: Are endpoints nouns, not verbs? (/users, not /getUsers)
- Versioning: Is the API versioned for future changes? (/api/v1/)
- Status Codes: Are correct HTTP status codes returned?
Separation of Concerns
- Routes: Do routes only handle HTTP concerns (req/res)?
- Controllers: Is business logic in controllers/services, not routes?
- Services: Is data access abstracted from business logic?
- Models: Are models responsible only for data shape/validation?
Error Handling
- Try/Catch: Are async operations wrapped properly?
- Error Responses: Are errors returned with proper status codes?
- Logging: Are errors logged with context?
- No Leaks: Are internal errors hidden from clients?
Security
- Input Validation: Is ALL input validated before use?
- Authentication: Are protected routes actually protected?
- Authorization: Can users only access their own data?
- Rate Limiting: Are endpoints protected from abuse?
Common Mistakes (Anti-Patterns)
1. Fat Routes
❌ app.post('/users', async (req, res) => {
// 100 lines of validation, business logic, DB queries
});
✅ app.post('/users', validateUser, userController.create);
2. No Input Validation
❌ const { email } = req.body;
await db.query(`SELECT * FROM users WHERE email = '${email}'`);
✅ const { email } = validateBody(req.body, userSchema);
await User.findByEmail(email); // parameterized
3. Wrong Status Codes
❌ res.status(200).json({ error: 'Not found' });
✅ res.status(404).json({ error: 'User not found' });
4. Leaking Internal Errors
❌ catch (error) {
res.status(500).json({ error: error.message, stack: error.stack });
}
✅ catch (error) {
logger.error('User creation failed', { error, userId });
res.status(500).json({ error: 'Something went wrong' });
}
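The four anti-patterns above are fixed together in the following added example, which is not code from the skill or its repository. It wires the layers the checklist asks for (validation, controller, service, repository) in plain Node.js so it runs without Express installed; the names validateBody, userSchema, userController, userService, userRepository and the fake req/res objects are assumptions for illustration, and the in-memory Map stands in for a database.

```javascript
// Added example (not from the skill page): a layered create-user handler.
// All helper names are assumed; the fake req/res only mimics Express's shape.

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Validation: allowlist of fields with type and shape rules. Unknown fields
// are dropped, so req.body is never passed through unfiltered.
const userSchema = {
  email: { type: 'string', required: true, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/ },
  name: { type: 'string', required: true, maxLength: 80 },
};

function validateBody(body, schema) {
  if (body === null || typeof body !== 'object') {
    throw new HttpError(400, 'Body must be a JSON object');
  }
  const clean = {};
  for (const [field, rule] of Object.entries(schema)) {
    const value = body[field];
    if (value === undefined) {
      if (rule.required) throw new HttpError(400, `${field} is required`);
      continue;
    }
    if (typeof value !== rule.type) throw new HttpError(400, `${field} must be a ${rule.type}`);
    if (rule.maxLength && value.length > rule.maxLength) throw new HttpError(400, `${field} is too long`);
    if (rule.pattern && !rule.pattern.test(value)) throw new HttpError(400, `${field} is invalid`);
    clean[field] = value;
  }
  return clean;
}

// Repository: the only layer that knows about storage. A SQL version would run
// a parameterized query, e.g. db.query('SELECT * FROM users WHERE email = $1', [email]),
// never interpolate `email` into the SQL string.
function createUserRepository() {
  const rows = new Map(); // constructed in-memory store, keyed by email
  let nextId = 1;
  return {
    async findByEmail(email) { return rows.get(email) ?? null; },
    async insert(user) {
      const row = { id: nextId++, ...user };
      rows.set(user.email, row);
      return row;
    },
  };
}

// Service: business rules only, no HTTP and no SQL.
function createUserService(repo) {
  return {
    async create({ email, name }) {
      if (await repo.findByEmail(email)) throw new HttpError(409, 'User already exists');
      return repo.insert({ email, name });
    },
  };
}

// Controller: translates HTTP to service calls and maps errors to status codes.
function createUserController(service, logger) {
  return {
    async create(req, res) {
      try {
        const input = validateBody(req.body, userSchema);
        const user = await service.create(input);
        return res.status(201).json(user);
      } catch (error) {
        if (error instanceof HttpError) {
          return res.status(error.status).json({ error: error.message });
        }
        // Unexpected failure: log with context, return a generic message, no stack.
        logger.error('User creation failed', { message: error.message, path: req.path });
        return res.status(500).json({ error: 'Something went wrong' });
      }
    },
  };
}

// Minimal stand-in for Express's res so the handler can be exercised offline.
function fakeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Wires the layers together; the logger records entries so callers can inspect them.
function buildApp(repo = createUserRepository()) {
  const logger = { entries: [], error(msg, ctx) { this.entries.push({ msg, ctx }); } };
  const controller = createUserController(createUserService(repo), logger);
  return {
    logger,
    async postUsers(body) {
      const res = fakeResponse();
      await controller.create({ path: '/users', body }, res);
      return { status: res.statusCode, body: res.body };
    },
  };
}
```

With Express, `controller.create` would be mounted as `app.post('/users', controller.create)`; the point of the fake response is that every layer can be tested in isolation, which is the answer to the "how would you test this endpoint" question below.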
Socratic Questions
Ask the junior these questions instead of giving answers:
- Architecture: "If I wanted to switch from Express to Fastify, what would need to change?"
- Validation: "What happens if someone sends malformed JSON?"
- Auth: "How do you know this user owns this resource?"
- Errors: "What does the client see when the database is down?"
- Testing: "How would you test this endpoint in isolation?"
HTTP Status Code Reference
| Code | When to Use |
|---|---|
| 200 | Success (with body) |
| 201 | Created (after POST) |
| 204 | Success (no content, after DELETE) |
| 400 | Bad request (validation failed) |
| 401 | Unauthorized (not logged in) |
| 403 | Forbidden (logged in but not allowed) |
| 404 | Not found |
| 409 | Conflict (duplicate resource) |
| 500 | Server error (hide details from client) |
Architecture Layers
Request → Route → Controller → Service → Repository → Database
Middleware (auth, validation, logging) hangs off the Route and runs in its chain before the Controller.
| Layer | Responsibility |
|---|---|
| Route | HTTP verbs, paths, middleware chain |
| Controller | Request/response handling, calling services |
| Service | Business logic, orchestration |
| Repository | Data access, queries |
Red Flags to Call Out
| Flag | Question to Ask |
|---|---|
| SQL in route handler | "Should data access be in a separate layer?" |
| No try/catch on async | "What happens if this fails?" |
| req.body used directly | "What if someone sends unexpected fields?" |
| Hardcoded secrets | "How would this work in production?" |
| No pagination on list endpoints | "What if there are 10,000 records?" |
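The "no pagination on list endpoints" and "req.body used directly" flags share one root cause: client-controlled values reaching a query without bounds. The following added example, not code from the skill or its repository, shows a list handler that parses limit and offset from an Express-style req.query, rejects non-numeric, negative and repeated parameters, and clamps the page size. The names parsePagination, listUsers, PAGE_LIMITS and SAMPLE_USERS are assumptions, and the 250 sample users are constructed in the code.

```javascript
// Added example (not from the skill page): bounded pagination for a list endpoint.
// Names are assumed; the in-memory array stands in for a database table.

const PAGE_LIMITS = { defaultLimit: 20, maxLimit: 100 };

function badRequest(message) {
  const err = new Error(message);
  err.status = 400;
  return err;
}

// Parse ?limit=&offset= from an Express-style query object, where each value is
// a string (or an array when the parameter is repeated). Throws a 400 on bad input.
function parsePagination(query, { defaultLimit, maxLimit } = PAGE_LIMITS) {
  const parseNonNegativeInt = (raw, fallback, name) => {
    if (raw === undefined) return fallback;
    // Arrays (?limit=5&limit=6) and non-digit strings are rejected, not coerced.
    if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) {
      throw badRequest(`${name} must be a non-negative integer`);
    }
    return Number(raw);
  };
  const limit = parseNonNegativeInt(query.limit, defaultLimit, 'limit');
  const offset = parseNonNegativeInt(query.offset, 0, 'offset');
  if (limit === 0) throw badRequest('limit must be at least 1');
  // Silently clamp oversized pages rather than letting a client pull the whole table.
  return { limit: Math.min(limit, maxLimit), offset };
}

// Repository over a constructed array. A SQL version would bind the values:
// SELECT ... FROM users ORDER BY id LIMIT $1 OFFSET $2
function createUserRepository(rows) {
  return {
    async findPage(offset, limit) { return rows.slice(offset, offset + limit); },
    async count() { return rows.length; },
  };
}

// Constructed sample data: 250 users with sequential ids.
const SAMPLE_USERS = Array.from({ length: 250 }, (_, i) => ({
  id: i + 1,
  email: `user${i + 1}@example.com`,
}));

// GET /users handler returning { status, body } so it can be exercised without Express.
async function listUsers(req, repo = createUserRepository(SAMPLE_USERS)) {
  let page;
  try {
    page = parsePagination(req.query ?? {});
  } catch (error) {
    if (error.status === 400) return { status: 400, body: { error: error.message } };
    throw error;
  }
  const data = await repo.findPage(page.offset, page.limit);
  const total = await repo.count();
  const nextOffset = page.offset + data.length;
  return {
    status: 200,
    body: {
      data,
      limit: page.limit,
      offset: page.offset,
      nextOffset: nextOffset < total ? nextOffset : null, // null signals the last page
    },
  };
}
```

Returning `limit` and `nextOffset` in the body tells the client which page it actually got, which matters once the server clamps an oversized request.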