| name | backend-engineer |
| description | Expert in Lighthouse Journey Timeline backend architecture, service patterns, testing, and API development using Express.js, TypeScript, and Drizzle ORM. Use when implementing backend services, APIs, controllers, database queries, authentication, permissions, error handling, testing server code, or writing migrations. |
Lighthouse Backend Engineer
Expert knowledge of backend patterns and architecture for the Lighthouse Journey Timeline.
🏗️ Core Architecture
Technology Stack
- Runtime: Node.js with TypeScript
- Framework: Express.js
- Database: PostgreSQL with Drizzle ORM
- DI Container: Awilix (Proxy injection mode)
- Testing: Vitest with vitest-mock-extended
- Validation: Zod schemas (CRITICAL: Use across ALL layers)
- Documentation: express-jsdoc-swagger → OpenAPI
Service Layer Architecture
HTTP Request → Routes → Middleware → Controller → Service → Repository → Database
↓ ↓ ↓
Validation Business Drizzle
& Mapping Logic ORM
📍 CRITICAL: Where to Look Before Making Changes
Pattern References (ALWAYS CHECK THESE FIRST)
| Pattern | Primary Reference | Example Implementation |
|---|
| New Service | src/services/hierarchy-service.ts | Complex service with multiple dependencies |
| New Controller | src/controllers/user.controller.ts | Request validation, error handling, response mapping |
| New Repository | src/repositories/user-repository.ts | Drizzle patterns, complex queries |
| New Route | src/routes/hierarchy.routes.ts | DI scope resolution, middleware chain |
| Response Mapper | src/mappers/user.mapper.ts | DTO transformation patterns |
| Unit Tests | src/services/__tests__/*.test.ts | Mock setup, test structure |
| Error Codes | src/core/error-codes.ts | 70+ standardized error codes |
| API Documentation | openapi-schema.yaml | Current API specs - MUST UPDATE |
⚡ CRITICAL: Zod Validation Across All Layers
Why Zod Everywhere?
Strong typing with Zod schemas ensures type safety between server and client, catching errors at compile/validation time rather than runtime. EVERY data boundary must have Zod validation.
🎯 CRITICAL: Use Enums and Constants, Not Magic Strings
Never use magic strings. Always use enums or constants for:
- Error codes:
src/core/error-codes.ts - STRING enums (not numbers)
- Node types:
z.enum(['job', 'education', 'project', 'event'])
- Permission levels: Define as const objects or Zod enums
- Status values: Use Zod enums for type safety
- Configuration: Store in constants files, not inline strings
Example - Error Codes:
export enum ErrorCode {
USER_NOT_FOUND = 'USER_NOT_FOUND',
INVALID_PERMISSION = 'INVALID_PERMISSION',
}
throw new AppError(ErrorCode.USER_NOT_FOUND);
throw new AppError('USER_NOT_FOUND');
Example - Zod Enums:
const NodeTypeSchema = z.enum(['job', 'education', 'project']);
type NodeType = z.infer<typeof NodeTypeSchema>;
type NodeType = string;
Layer-by-Layer Validation
1. Controller Layer (Request Validation)
const CreateNodeRequestSchema = z.object({
type: z.enum(['job', 'education', 'project', 'event']),
parentId: z.string().uuid().optional(),
meta: z.object({
title: z.string().min(1).max(200),
company: z.string().optional(),
startDate: z.string().datetime(),
endDate: z.string().datetime().optional(),
description: z.string().optional()
})
});
async createNode(req: Request, res: Response) {
const validatedData = CreateNodeRequestSchema.parse(req.body);
const result = await this.nodeService.create(validatedData);
}
2. Service Layer (Business Logic Validation)
const ServiceCreateNodeSchema = z.object({
userId: z.number().positive(),
type: z.enum(['job', 'education', 'project']),
parentId: z.string().uuid().optional(),
meta: z.record(z.any())
});
async create(input: z.infer<typeof ServiceCreateNodeSchema>) {
const validated = ServiceCreateNodeSchema.parse(input);
if (validated.parentId) {
await this.validateParentAccess(validated.parentId, validated.userId);
}
return await this.repository.create(validated);
}
3. Repository Layer (Database Schema Validation)
const DbNodeInsertSchema = z.object({
id: z.string().uuid().default(() => crypto.randomUUID()),
type: z.string(),
userId: z.number(),
parentId: z.string().uuid().nullable(),
meta: z.any(),
createdAt: z.date().default(() => new Date()),
updatedAt: z.date().default(() => new Date())
});
async create(data: unknown) {
const dbData = DbNodeInsertSchema.parse(data);
return await this.db.insert(nodes).values(dbData);
}
4. Response Validation (DTO Layer)
const NodeResponseSchema = z.object({
id: z.string().uuid(),
type: z.string(),
meta: z.object({
title: z.string(),
}),
createdAt: z.string().datetime(),
permissions: z.object({
canView: z.boolean(),
canEdit: z.boolean(),
canDelete: z.boolean()
})
});
static toDto(node: unknown): NodeResponseDto {
return NodeResponseSchema.parse({
id: node.id,
type: node.type,
});
}
Shared Schema Patterns
Location Strategy
packages/
├── schema/
│ └── src/
│ ├── api/ # ⭐ API Contracts (PRIMARY - ALWAYS USE)
│ │ ├── auth.schemas.ts # Auth request/response schemas
│ │ ├── user.schemas.ts # User request/response schemas
│ │ ├── timeline.schemas.ts # Timeline request/response schemas
│ │ ├── files.schemas.ts # File upload schemas
│ │ ├── common.schemas.ts # Shared API schemas (pagination, etc.)
│ │ ├── validation-helpers.ts # Reusable validators
│ │ └── index.ts # Re-exports all API schemas
│ ├── schema.ts # Drizzle database schema
│ └── types.ts # Database type exports
└── server/
└── src/
├── controllers/ # Import from @journey/schema/src/api
├── services/ # Import from @journey/schema/src/api
└── mappers/ # Transform DB types → API response types
CRITICAL:
- All API request/response contracts MUST be defined in
@journey/schema/src/api/
- Never create validation schemas in
server/src/ - always use @journey/schema/src/api/
- Controllers import and use these schemas directly
- This ensures type safety between frontend and backend
Reusable Schema Components
export const uuidSchema = z.string().uuid();
export const dateTimeSchema = z.string().datetime();
export const paginationSchema = z.object({
page: z.number().positive().default(1),
limit: z.number().positive().max(100).default(20),
});
import { uuidSchema, paginationSchema } from './common.schemas';
export const getNodesRequestSchema = z.object({
userId: uuidSchema,
...paginationSchema.shape,
});
export type GetNodesRequest = z.infer<typeof getNodesRequestSchema>;
Zod with Drizzle ORM
import { createInsertSchema, createSelectSchema } from 'drizzle-zod';
import { users } from '@journey/schema';
export const insertUserSchema = createInsertSchema(users);
export const selectUserSchema = createSelectSchema(users);
export const createUserSchema = insertUserSchema
.extend({
email: z.string().email(),
password: z.string().min(8).max(100),
})
.omit({ id: true, createdAt: true });
Error Handling for Zod Validation
import { ZodError } from 'zod';
import { fromZodError } from 'zod-validation-error';
try {
const validated = schema.parse(req.body);
} catch (error) {
if (error instanceof ZodError) {
const validationError = fromZodError(error);
return res.status(400).json({
success: false,
error: {
code: 'VALIDATION_ERROR',
message: validationError.toString(),
details: error.issues,
},
});
}
throw error;
}
Type Inference Pattern
const NodeCreateSchema = z.object({
type: z.enum(['job', 'education']),
meta: z.object({
title: z.string(),
company: z.string().optional(),
}),
});
type NodeCreateInput = z.infer<typeof NodeCreateSchema>;
class NodeService {
async create(input: NodeCreateInput) {
}
}
Testing Zod Schemas
describe('NodeCreateSchema', () => {
it('should validate correct input', () => {
const input = {
type: 'job',
meta: { title: 'Software Engineer' },
};
expect(() => NodeCreateSchema.parse(input)).not.toThrow();
});
it('should reject invalid type', () => {
const input = {
type: 'invalid',
meta: { title: 'Test' },
};
expect(() => NodeCreateSchema.parse(input)).toThrow(ZodError);
});
});
Best Practices
- Parse, Don't Validate: Use
parse() for runtime validation, safeParse() when you need to handle errors
- Single Source of Truth: Define schemas once in
@journey/schema package
- Compose Schemas: Build complex schemas from simple, reusable parts
- Type Inference: Use
z.infer<> instead of manually defining types
- Validate Early: Validate at system boundaries (API endpoints, external services)
- Document Schemas: Add descriptions for better OpenAPI generation
z.string().describe('User email address');
🔐 Authentication Patterns
JWT Implementation
- Access Token: 15min expiry, contains userId and basic claims
- Refresh Token: 7 days, stored in DB, rotated on use
- Token Service:
src/services/jwt.service.ts
- Refresh Service:
src/services/refresh-token.service.ts
Auth Middleware Stack
requireAuth;
optionalAuth;
requireGuest;
requireRole(role);
requirePermission();
Token Refresh Flow
- Client sends refresh token to
/api/auth/refresh
- Validate refresh token exists in DB and not expired
- Rotate: Mark old token as used, create new token pair
- Return new access + refresh tokens
- Clean up expired tokens periodically
🧪 Unit Testing Patterns
Test Structure (TDD Approach)
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { mock, mockDeep } from 'vitest-mock-extended';
describe('ServiceName', () => {
let service: ServiceName;
let mockRepo: MockType<Repository>;
beforeEach(() => {
vi.clearAllMocks();
mockRepo = mock<Repository>();
service = new ServiceName(mockRepo);
});
describe('methodName', () => {
it('should handle success case', async () => {
const input = {
};
const expected = {
};
mockRepo.findById.mockResolvedValue(expected);
const result = await service.method(input);
expect(result).toEqual(expected);
expect(mockRepo.findById).toHaveBeenCalledWith(input.id);
});
it('should handle error case', async () => {
});
});
});
Common Mock Patterns
mockService.method.mockResolvedValue(result);
mockService.method.mockImplementation(async (id) => {
return id === 'valid' ? data : null;
});
const mockQuery = {
select: vi.fn().mockReturnThis(),
from: vi.fn().mockReturnThis(),
where: vi.fn().mockReturnThis(),
limit: vi.fn().mockResolvedValue([result]),
};
mockReset(mockService);
mockClear(mockService);
🗄️ Database & Schema
Schema Management
Drizzle ORM Patterns
class UserRepository {
constructor(private db: NodePgDatabase) {}
async findById(id: number) {
return this.db.query.users.findFirst({
where: eq(users.id, id),
});
}
async search(term: string) {
return this.db
.select()
.from(users)
.where(
or(
ilike(users.firstName, `%${term}%`),
ilike(users.lastName, `%${term}%`)
)
)
.limit(20);
}
}
🔒 Permission Cascade Pattern
Hierarchy
Node Level (most specific)
↓
Organization Level (if node belongs to org member)
↓
User Level (node owner)
↓
Public Level (if explicitly set)
Permission Check Flow
-
Check Node Policies (node_policies table)
- Direct user permissions
- Organization permissions (if user is org member)
- Public permissions
-
Check Ownership
- Node owner has full access
- Parent node owners have view access
-
Apply Most Permissive
- If multiple policies exist, most permissive wins
- DENY effects override ALLOW
Implementation Reference
- Service:
src/services/node-permission.service.ts
- Repository:
src/repositories/node-permission.repository.ts
- SQL CTE:
src/repositories/sql/permission-cte.ts
❌ Error Handling
Error Code Reference
export enum ErrorCode {
AUTHENTICATION_REQUIRED = 'AUTHENTICATION_REQUIRED',
INVALID_TOKEN = 'INVALID_TOKEN',
TOKEN_EXPIRED = 'TOKEN_EXPIRED',
VALIDATION_ERROR = 'VALIDATION_ERROR',
INVALID_REQUEST = 'INVALID_REQUEST',
NOT_FOUND = 'NOT_FOUND',
ALREADY_EXISTS = 'ALREADY_EXISTS',
BUSINESS_RULE_VIOLATION = 'BUSINESS_RULE_VIOLATION',
CIRCULAR_REFERENCE = 'CIRCULAR_REFERENCE',
MAX_DEPTH_EXCEEDED = 'MAX_DEPTH_EXCEEDED',
INTERNAL_ERROR = 'INTERNAL_ERROR',
DATABASE_ERROR = 'DATABASE_ERROR',
EXTERNAL_SERVICE_ERROR = 'EXTERNAL_SERVICE_ERROR',
}
Error Usage Pattern
throw new ValidationError(ErrorCode.VALIDATION_ERROR, 'Detailed error message');
📝 API Documentation
JSDoc Requirements
async createNode(req: Request, res: Response) {
}
OpenAPI Verification
- Schema File:
packages/server/openapi-schema.yaml
- Generation: Automatic from JSDoc comments
- Verification: After API changes, verify schema is updated:
pnpm generate:swagger
📜 One-Time Scripts Pattern
Script Structure
#!/usr/bin/env tsx
import { Container } from '../src/core/container-setup';
import { CONTAINER_TOKENS } from '../src/core/container-tokens';
async function main() {
console.log('🚀 Starting script...');
await Container.configure(console);
const container = Container.getRootContainer();
const userService = container.resolve(CONTAINER_TOKENS.USER_SERVICE);
const hierarchyService = container.resolve(
CONTAINER_TOKENS.HIERARCHY_SERVICE
);
try {
const users = await userService.getAllUsers();
console.log('✅ Script completed successfully');
} catch (error) {
console.error('❌ Script failed:', error);
process.exit(1);
}
}
if (import.meta.url === `file://${process.argv[1]}`) {
main().catch(console.error);
}
Script Locations
- Database Scripts:
packages/server/scripts/
- Migration Scripts:
packages/schema/migrations/
- Package Commands: See
package.json scripts section
🔄 Response Mapping Patterns
Mapper Location Strategy
src / mappers / [entity].mapper.ts;
src / mappers / user.mapper.ts;
src / mappers / experience.mapper.ts;
class EntityMapper {
static toDto(entity: Entity): EntityDto {
return {
id: entity.id,
};
}
static toDtoArray(entities: Entity[]): EntityDto[] {
return entities.map((e) => this.toDto(e));
}
}
Response Wrapper
interface ApiSuccessResponse<T> {
success: true;
data: T;
}
return res.status(200).json({
success: true,
data: UserMapper.toDto(user),
});
🎯 Development Workflow
Before Making Changes
- Check Pattern References (table above)
- Read Existing Implementation of similar feature
- Check Error Codes for appropriate errors
- Write Tests First (TDD approach)
- Update OpenAPI documentation via JSDoc
Common Commands
pnpm test:unit
pnpm test
pnpm dev
pnpm vitest run --no-coverage src/services/__tests__/user.service.test.ts
pnpm test:changed
pnpm test:changed:all
📚 Learning & Skill Updates
How to Update This Skill
- Identify New Pattern: During implementation, notice repeated pattern
- Verify Pattern: Ensure it's used in multiple places
- Document Location: Add to "Pattern References" table
- Add Example: Include minimal code example if complex
- Update Skill: Edit this file at
.claude/skills/backend-engineer/SKILL.md
What to Document
- ✅ New service patterns that differ from existing
- ✅ Complex query patterns (CTEs, joins)
- ✅ New middleware patterns
- ✅ Integration patterns with external services
- ✅ Performance optimization patterns
- ❌ One-off implementations
- ❌ Temporary workarounds
- ❌ Feature-specific business logic
Memory Integration
- Project Patterns: Document in Serena memory via
mcp__serena__write_memory
- Reusable Patterns: Save to Memory MCP via
mcp__memory__create_entities
- Skill Updates: Direct edits to this file
🚀 Quick Reference
DI Container Tokens
CONTAINER_TOKENS.DATABASE;
CONTAINER_TOKENS.LOGGER;
CONTAINER_TOKENS.USER_SERVICE;
CONTAINER_TOKENS.HIERARCHY_SERVICE;
CONTAINER_TOKENS.NODE_PERMISSION_SERVICE;
CONTAINER_TOKENS.USER_CONTROLLER;
CONTAINER_TOKENS.HIERARCHY_CONTROLLER;
Test Coverage Requirements
- Target: 80% coverage minimum
- Critical Paths: 100% coverage for auth, permissions
- Check Coverage:
pnpm test:coverage
- View Report:
pnpm coverage:html
Performance Considerations
- Query Optimization: Use Drizzle's query builder over raw SQL
- Pagination: Always paginate lists (default 20, max 100)
- N+1 Prevention: Use joins or batch queries
- Caching: Consider Redis for frequently accessed data
Remember: Always check existing patterns before implementing new ones. This maintains consistency and reduces technical debt.
