backend-fundamentals
// Reviews API design, REST conventions, and backend architecture. Use when junior builds API endpoints, Express routes, middleware, controllers, or asks "is this RESTful", "check my endpoint".
| name | backend-fundamentals |
| description | Reviews API design, REST conventions, and backend architecture. Use when junior builds API endpoints, Express routes, middleware, controllers, or asks "is this RESTful", "check my endpoint". |
"APIs are contracts. Break them, and you break trust."
Activate this skill when reviewing:
/users not /getUsers)/api/v1/)

```javascript
// ❌
app.post('/users', async (req, res) => {
  // 100 lines of validation, business logic, DB queries
});

// ✅
app.post('/users', validateUser, userController.create);
```

```javascript
// ❌
const { email } = req.body;
await db.query(`SELECT * FROM users WHERE email = '${email}'`);

// ✅
const { email } = validateBody(req.body, userSchema);
await User.findByEmail(email); // parameterized
```

```javascript
// ❌
res.status(200).json({ error: 'Not found' });

// ✅
res.status(404).json({ error: 'User not found' });
```

```javascript
// ❌
catch (error) {
  res.status(500).json({ error: error.message, stack: error.stack });
}

// ✅
catch (error) {
  logger.error('User creation failed', { error, userId });
  res.status(500).json({ error: 'Something went wrong' });
}
```
Ask the junior these questions instead of giving answers:
| Code | When to Use |
|---|---|
| 200 | Success (with body) |
| 201 | Created (after POST) |
| 204 | Success (no content, after DELETE) |
| 400 | Bad request (validation failed) |
| 401 | Unauthorized (not logged in) |
| 403 | Forbidden (logged in but not allowed) |
| 404 | Not found |
| 409 | Conflict (duplicate resource) |
| 500 | Server error (hide details from client) |
```
Request → Route → Controller → Service → Repository → Database
            ↓
Middleware (auth, validation, logging)
```
| Layer | Responsibility |
|---|---|
| Route | HTTP verbs, paths, middleware chain |
| Controller | Request/response handling, calling services |
| Service | Business logic, orchestration |
| Repository | Data access, queries |
| Flag | Question to Ask |
|---|---|
| SQL in route handler | "Should data access be in a separate layer?" |
| No try/catch on async | "What happens if this fails?" |
| req.body used directly | "What if someone sends unexpected fields?" |
| Hardcoded secrets | "How would this work in production?" |
| No pagination on list endpoints | "What if there are 10,000 records?" |
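
As an added example (not part of the original skill), here is one way the `validateBody(req.body, userSchema)` call and the generic 500 response could be implemented so that the "req.body used directly" flag has a concrete answer. The schema shape, `ValidationError` and `toHttpResponse` are hypothetical names, and the code is plain JavaScript with no framework.

```javascript
// Added example: hypothetical helpers, not the skill's or any library's API.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

class ValidationError extends Error {
  constructor(details) {
    super('Validation failed');
    this.details = details; // safe to return: describes the client's own input
  }
}

// Allow-list schema (assumed shape): field name -> predicate. Nothing else is accepted.
const userSchema = {
  email: (v) => typeof v === 'string' && v.length <= 254 && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
  name: (v) => typeof v === 'string' && v.length > 0 && v.length <= 100,
};

function validateBody(body, schema) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    throw new ValidationError(['body must be a JSON object']);
  }
  const problems = [];
  // Reject unknown fields instead of silently passing them to the data layer.
  for (const key of Object.keys(body)) {
    if (!has(schema, key)) problems.push(`unexpected field: ${key}`);
  }
  const clean = {};
  for (const [key, isValid] of Object.entries(schema)) {
    if (has(body, key) && isValid(body[key])) clean[key] = body[key];
    else problems.push(`invalid or missing field: ${key}`);
  }
  if (problems.length > 0) throw new ValidationError(problems);
  return clean; // contains only schema fields
}

// Maps an error to a status code and client-safe body; details go to the log only.
function toHttpResponse(error, log = console.error) {
  if (error instanceof ValidationError) {
    return { status: 400, body: { error: error.message, details: error.details } };
  }
  log('Unhandled error', error);
  return { status: 500, body: { error: 'Something went wrong' } };
}
```

In an Express handler the returned object would be sent with `res.status(r.status).json(r.body)`.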