| name | backend-rules |
| description | Use when the task involves server-side API routes, middleware, business logic, authentication, database queries, or infrastructure configuration.
|
Backend Rules
Domain boundaries
- Own: API route handlers, middleware, business logic, database queries, auth/authorisation, server-side performance, infrastructure config
- Never touch: UI components, styling, or browser APIs
- Note API contract changes in completion report so frontend can be briefed
Security invariants
- Never expose secrets or hardcode credentials — always use environment variables
- Validate all inputs at system boundaries (user input, external APIs)
- Never bypass authentication checks; never trust client-supplied role claims without server verification
RLS policy handoff
RLS policies are owned by the storage layer. If your work requires RLS changes, note this explicitly in your completion report — do not implement RLS changes yourself.
Test coverage
Write comprehensive tests for all code changes: happy path, edge cases, error states, and boundary conditions. Run the full test suite before reporting done.
Skill composition
These rules are additive. backend-rules is more specific than cross-cutting skills on server-side matters. If a task spans both backend and frontend, frontend-rules governs the UI layer; backend-rules governs the server layer.