Jeden Skill in Manus ausführen
mit einem Klick

Jeden Skill in Manus mit einem Klick ausführen

backend-dev

Sterne1.111

Forks713

Aktualisiert18. Juni 2026 um 15:50

Coding practices for backend development in Atomic CRM. Use when deciding whether backend logic is needed, or when creating/modifying database migrations, views, triggers, RLS policies, edge functions, or custom dataProvider methods that call Supabase APIs.

Installation

Mit Codex oder Claude installieren Kopieren Sie diesen Prompt, fügen Sie ihn in Codex, Claude oder einen anderen Assistant ein und lassen Sie die Skill-Seite prüfen und installieren.

In Manus ausführen

Quelle

marmelab

marmelab/atomic-crm

GitHub-Repository öffnen Creator-Repositorys ansehen

Download

In Manus ausführen

SKILL.md

readonly

name	backend-dev
description	Coding practices for backend development in Atomic CRM. Use when deciding whether backend logic is needed, or when creating/modifying database migrations, views, triggers, RLS policies, edge functions, or custom dataProvider methods that call Supabase APIs.

Backend Development

Reference for backend conventions. There is no custom backend server all server-side logic uses Supabase: PostgreSQL (tables, views, triggers, RLS), Auth API, Storage, and Edge Functions. Read the relevant section before writing backend code, then check the Red Flags and Verification list.

When to Use

Deciding whether a change needs backend logic at all (default: prefer the frontend).
Creating or modifying database views, triggers, or RLS policies.
Writing or changing a Supabase edge function, or a custom dataProvider method that calls Supabase.

For the SQL migration mechanics themselves, see Skill({skill: "writing-migrations"}). For the frontend side of a dataProvider method, see Skill({skill: "frontend-dev"}).

Deciding where logic belongs

Prefer frontend-only solutions via custom dataProvider methods calling the PostgREST API.

When backend logic is needed:

Aggregation/read optimization: Create a database view (CREATE OR REPLACE VIEW in a new migration). PostgREST exposes views like tables. When underlying table columns change, update the contacts_summary and companies_summary views too.
Complex mutations (multi-table writes): Create a Supabase edge function in Deno. Stored procedures via RPC are less preferred (code lives in migrations, harder to maintain). On the frontend, expose the edge function as a custom dataProvider method (using httpClient(${supabaseUrl}/functions/v1/)) and call it via react-query. (e.g. salesCreate() → /functions/v1/users, mergeContacts() → /functions/v1/merge_contacts)

Edge function conventions

Shared utils in supabase/functions/_shared/ — reuse authentication.ts, supabaseAdmin.ts, cors.ts, utils.ts
Follow the middleware chain pattern: CORS preflight → authenticate() → handler
verify_jwt = false in config.toml, so JWT validation is manual via authenticate()

Other conventions

New tables need RLS policies and the auto-set sales_id trigger (see migration 20260108160722)

RLS enforcement pitfalls (security-critical)

A trigger/function that counts rows to enforce a limit (capacity, quota, balance, subscription depletion) must be SECURITY DEFINER with a fixed search_path, or delegate to one. A SECURITY INVOKER count runs under the caller's RLS, sees only the rows that caller may read, under-counts, and the limit silently never fires (e.g. session_booked_count is DEFINER for exactly this reason).
A WITH CHECK clause must constrain every column a non-admin may set, not just ownership. with check (contact_id = current_user_contact()) alone lets the caller forge any other column (status, type, amounts, flags) via PostgREST — privilege escalation / payment bypass. Whitelist allowed values in the policy, a trigger, or a CHECK constraint; never trust a client-chosen status/type.

Red Flags

Reaching for an edge function or RPC where a custom dataProvider method against PostgREST would do.
Adding a column to a table that feeds contacts_summary/companies_summary without updating the view.
A new table without RLS policies or the sales_id trigger.
A row-counting limit enforced by a SECURITY INVOKER function it under-counts and never fires.
A WITH CHECK that constrains only ownership while leaving status/type/amounts client-settable.
An edge function handler that runs before authenticate() in the middleware chain.

Verification

The logic genuinely needs the backend no frontend-only path was available.
New/changed views keep contacts_summary and companies_summary in sync.
New tables have RLS policies and the sales_id trigger.
Any limit-enforcing count runs SECURITY DEFINER with a fixed search_path.
Every column a non-admin can set is constrained by policy, trigger, or CHECK.
Edge functions follow CORS → authenticate() → handler.

Mehr aus diesem Repository

gleiches Repository

adr-writing

marmelab/atomic-crm

Architecture Decision Record format and rules for the developer agent. Load when the implementation introduces a structural decision worth remembering 6 months later — new pattern, new dependency, deliberate departure from convention, non-obvious schema choice. Skip for naming and file-layout micro-choices. No ADR is the default.

2026-06-181.1k

delete-initial-resource

marmelab/atomic-crm

Remove one or more of the initial CRM resources (contacts, companies, deals, tags, tasks) from the codebase. Use when the user asks to delete, remove, or strip out one or several of these built-in resources. Runs the delete-initial-resource.ts script to drop each resource's own folder, then guides cleanup of every file that references them.

2026-06-181.1k

playwright-testing

marmelab/atomic-crm

Playwright E2E testing patterns — web-first assertions, user-visible locators, network interception, fixtures, authentication, and parallel execution. Use when building or reviewing E2E tests with Playwright, when setting up browser testing for a web app, or when migrating from Cypress or Selenium.

2026-06-181.1k

setup-interview

marmelab/atomic-crm

Domain-by-domain interview to produce $CLAUDE_PROJECT_DIR/docs/project-context.json. Invoked once by the orchestrator; the orchestrator then conducts all turns directly using Read/Write/Edit — no agent dispatching.

2026-06-181.1k

shadcn-customization

marmelab/atomic-crm

Shadcn/ui theming and component customization — CSS variables, OKLCH colors, dark mode, variants, wrappers. Load for any ticket involving colors, theme, UI layout, or component styling.

2026-06-181.1k

update-branding

marmelab/atomic-crm

Rebrand Atomic CRM — change the application logo (the wordmark in the header and on the login/signup pages) and/or the title/name. Use when the user wants to change, swap, update, or rebrand the CRM logo or title. Handles the two light/dark-mode logo variants, the three places the title is hardcoded, the config that points at them, and — optionally — the browser favicon and PWA app icons.

2026-06-181.1k

name	backend-dev
description	Coding practices for backend development in Atomic CRM. Use when deciding whether backend logic is needed, or when creating/modifying database migrations, views, triggers, RLS policies, edge functions, or custom dataProvider methods that call Supabase APIs.

Backend Development

When to Use

Deciding whether a change needs backend logic at all (default: prefer the frontend).
Creating or modifying database views, triggers, or RLS policies.
Writing or changing a Supabase edge function, or a custom dataProvider method that calls Supabase.

For the SQL migration mechanics themselves, see Skill({skill: "writing-migrations"}). For the frontend side of a dataProvider method, see Skill({skill: "frontend-dev"}).

Deciding where logic belongs

Prefer frontend-only solutions via custom dataProvider methods calling the PostgREST API.

When backend logic is needed:

Aggregation/read optimization: Create a database view (CREATE OR REPLACE VIEW in a new migration). PostgREST exposes views like tables. When underlying table columns change, update the contacts_summary and companies_summary views too.
Complex mutations (multi-table writes): Create a Supabase edge function in Deno. Stored procedures via RPC are less preferred (code lives in migrations, harder to maintain). On the frontend, expose the edge function as a custom dataProvider method (using httpClient(${supabaseUrl}/functions/v1/)) and call it via react-query. (e.g. salesCreate() → /functions/v1/users, mergeContacts() → /functions/v1/merge_contacts)

Edge function conventions

Shared utils in supabase/functions/_shared/ — reuse authentication.ts, supabaseAdmin.ts, cors.ts, utils.ts
Follow the middleware chain pattern: CORS preflight → authenticate() → handler
verify_jwt = false in config.toml, so JWT validation is manual via authenticate()

Other conventions

New tables need RLS policies and the auto-set sales_id trigger (see migration 20260108160722)

RLS enforcement pitfalls (security-critical)

A trigger/function that counts rows to enforce a limit (capacity, quota, balance, subscription depletion) must be SECURITY DEFINER with a fixed search_path, or delegate to one. A SECURITY INVOKER count runs under the caller's RLS, sees only the rows that caller may read, under-counts, and the limit silently never fires (e.g. session_booked_count is DEFINER for exactly this reason).
A WITH CHECK clause must constrain every column a non-admin may set, not just ownership. with check (contact_id = current_user_contact()) alone lets the caller forge any other column (status, type, amounts, flags) via PostgREST — privilege escalation / payment bypass. Whitelist allowed values in the policy, a trigger, or a CHECK constraint; never trust a client-chosen status/type.

Red Flags

Reaching for an edge function or RPC where a custom dataProvider method against PostgREST would do.
Adding a column to a table that feeds contacts_summary/companies_summary without updating the view.
A new table without RLS policies or the sales_id trigger.
A row-counting limit enforced by a SECURITY INVOKER function it under-counts and never fires.
A WITH CHECK that constrains only ownership while leaving status/type/amounts client-settable.
An edge function handler that runs before authenticate() in the middleware chain.

Verification

The logic genuinely needs the backend no frontend-only path was available.
New/changed views keep contacts_summary and companies_summary in sync.
New tables have RLS policies and the sales_id trigger.
Any limit-enforcing count runs SECURITY DEFINER with a fixed search_path.
Every column a non-admin can set is constrained by policy, trigger, or CHECK.
Edge functions follow CORS → authenticate() → handler.