Install
openclaw skills install @jinyu12166/backend-engineerBackend, API, infrastructure, cloud, integration, networking, DevOps, deployment, and Terraform engineering. Use when the user asks to build, design, debug, deploy, integrate, or optimize backend systems, APIs, microservices, cloud infrastructure, CI/CD pipelines, databases, or networks. Covers REST, GraphQL, gRPC, message brokers, container orchestration, IaC (Terraform/CloudFormation), observability, performance, payments, IP/copyright, and developer experience.
openclaw skills install @jinyu12166/backend-engineerComprehensive backend, API, integration, cloud, DevOps, networking, deployment, and performance engineering — from design through production and ongoing operation.
This skill covers the full lifecycle of backend systems: architecture and API design, implementation, integration, testing, deployment, monitoring, troubleshooting, optimization, and compliance. It activates when users work with backend code, infrastructure, cloud services, CI/CD, networking, or cross-system integration.
Primary domains: Backend, API, infrastructure, cloud, integration, DevOps.
Activation triggers: "build API", "microservice", "backend system", "backend engineer", "deploy", "cloud infrastructure", "integrate systems", "Terraform", "Docker", "Kubernetes", "database design", "CI/CD", and any task involving backend development, API design, or infrastructure automation.
Select one mode based on the user's primary task context. Announce the mode at the start of the response. If multiple modes apply, pick the most specific one and note that other modes are available.
Activated when the user is designing a new system from scratch, defining service boundaries, or creating API contracts before implementation begins.
Core principles:
RESTful API design:
GET /v1/orders/{orderId}/items, not GET /v1/getOrderItems./v1/) or header (Accept: application/vnd.api.v1+json).
URL versioning is preferred for simplicity and discoverability.{
"error": {
"code": "INSUFFICIENT_INVENTORY",
"message": "Only 3 units of SKU-789 are available.",
"details": [
{ "field": "items[2].quantity", "reason": "requested 10, available 3" }
],
"requestId": "req_abc123"
}
}
{
"data": [...],
"pagination": {
"cursor": "eyJsYXN0SWQiOiA5OTl9",
"hasMore": true,
"total": 1423
}
}
?status=active&role=admin), sorting (?sort=-createdAt), and field
selection (?fields=id,name,email).Service boundary definition:
Database schema design:
deleted_at timestamp) for critical data; hard deletes for ephemeral data.Caching strategies:
Basic security patterns:
Retry-After header.API contract-first design:
$ref to keep the spec DRY — reusable schemas for common types, parameters, and responses.Architecture diagrams:
Example workflow (diagram and concrete API contract provided together):
Activated when working inside a large existing codebase with established conventions, shared services, and platform teams.
Core principles:
Platform services and shared components:
Testing pyramid:
Observability:
correlationId, userId, serviceName,
timestamp on every line. Log at boundaries (request received, response sent, external
call made) and on every error./metrics endpoint.traceparent header (W3C Trace Context). Instrument
every external call, DB query, and message publish/consume.Boy Scout Rule:
Structured file/directory conventions:
src/
orders/
api/ # HTTP controllers, DTOs
domain/ # entities, value objects, domain services
application/ # use cases, ports (interfaces)
infrastructure/ # adapters (DB repos, message publishers, external API clients)
payments/
...
shared/
kernel/ # base classes, utility types
testing/ # test helpers, fixtures, mocks
config/default.yml, config/production.yml, overridden
by env vars (12-factor app).migrations/20260714_add_order_indexes.sql.Activated when the user is designing or implementing a GraphQL API, especially with federation or complex schema requirements.
Core principles:
@apollo/federation) to compose a unified graph from multiple subgraphs,
each owned by a different team. The gateway handles query planning and execution.Schema design:
interface Node { id: ID! } for global identification.DateTime, JSON, URL, EmailAddress.@deprecated(reason: "...") instead of removing fields; provide migration guidance.DataLoader for N+1 elimination:
WHERE id IN (...)) instead of N individual queries.Subscriptions:
graphql-ws protocol. Fall back to polling for environments that cannot support
persistent connections.Query complexity analysis:
Field-level authorization:
@auth(requires: ADMIN) on fields that require elevated permissions.Pagination:
orders(first: 20, after: "cursor") -> { edges { node { ... } cursor }, pageInfo { hasNextPage } }.skip/limit) only for stable, small datasets where cursor
semantics add unnecessary complexity (e.g., admin list views).Apollo Server stack:
@apollo/server (v4+) with Express or Fastify integration.@apollo/gateway for federation; @apollo/subgraph for subgraph servers.@apollo/rover CLI for schema composition validation in CI.Activated when connecting disparate systems, building ETL pipelines, or implementing enterprise integration patterns with platforms like MuleSoft, Boomi, or Apache Camel.
Core principles:
System connectivity:
ETL and data transformation:
Enterprise platforms:
Identity federation:
Resilience patterns:
min(initialBackoff * 2^attempt, maxBackoff).
Add random jitter to avoid thundering herd.Compliance:
Activated when designing or reviewing cloud infrastructure on AWS, Azure, or GCP.
Core principles:
AWS/Azure/GCP infrastructure design:
AWS Azure GCP Use Case
EC2 VM Compute Engine VM-based workloads
Lambda Functions Cloud Functions Event-driven serverless
ECS/EKS AKS GKE Container orchestration
RDS SQL Database Cloud SQL Managed relational DB
DynamoDB Cosmos DB Firestore NoSQL document/key-value
S3 Blob Storage Cloud Storage Object storage
SQS/SNS Service Bus Pub/Sub Messaging
CloudFront CDN / Front Door CDN
Route 53 DNS Cloud DNS DNS
IAM Entra ID (AAD) IAM Identity & access
Terraform IaC:
terraform plan -out=tfplan and review the plan before applying. Store the plan
artifact in CI for auditability.Environment, Service, Owner, CostCenter. Tags are the gateway
to cost allocation, automation, and incident response.required_providers { aws = { source = "hashicorp/aws", version = "~> 5.0" } }.FinOps cost optimization:
Auto-scaling and load balancing:
Serverless:
VPC, IAM, encryption:
ReadOnlyAccess and grant specific actions
as needed. Use permission boundaries to limit the maximum scope.Multi-AZ/region for failure:
Cost breakdowns: For every architecture recommendation, provide a rough monthly cost estimate with the three largest line items identified, plus at least one cost-saving alternative considered and its trade-off.
Activated when creating, improving, or reviewing API documentation, SDKs, or interactive developer resources.
Core principles:
OpenAPI 3.0 / Swagger:
example: "usr_29a8dh3k" not example: "string".
Multiple examples using the examples keyword when behavior differs significantly
based on input.Generate SDKs and client libraries:
openapi-typescript to generate client SDKs and server stubs
in CI. The generated code is never committed manually.Interactive docs:
Content guidelines:
Versioning:
deprecated: true flag in OpenAPI.
Include a Sunset HTTP header. Provide a migration guide link in the description.Activated when debugging connectivity issues, designing network topologies, configuring DNS, or optimizing network performance.
Core principles:
DNS configuration and debugging:
dig +trace example.com to follow the full resolution path.dig example.com A — check the answer section.dig example.com NS — verify authoritative nameservers.dig @ns1.example.com example.com SOA — query directly against authoritative server.<link rel="dns-prefetch"> in HTML head.Load balancers:
upstream blocks
with least_conn or ip_hash for session persistence. Enable HTTP/2.mode tcp for
protocols where HTTP inspection adds no value.SSL/TLS:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload.Network performance and latency:
iperf3 for throughput testing, mtr for continuous traceroute with packet loss stats.CDN and cache strategies:
Cache-Control: public, max-age=31536000, immutable for versioned assets with hashed filenames.Cache-Control: public, s-maxage=60, stale-while-revalidate=300./*). Avoid single-object invalidation at scale.Firewall rules and security groups:
sg-xxxx as source) instead of CIDR blocks —
avoids hardcoding IPs when services scale.Packet-level debugging:
tcpdump -i eth0 -w capture.pcap port 443 — capture traffic for later analysis.tcp.analysis.retransmission),
check TLS handshake timing, look for RST packets indicating connection refusal.ip link show — interface up?ping <gateway> — local routing works?nc -zv <host> <port> — TCP handshake succeeds?openssl s_client -connect <host>:443 — certificate valid?curl -v https://<host>/health — application responds?Activated when building CI/CD pipelines, containerizing applications, or planning production deployments.
Core principles:
CI/CD pipelines:
GitHub Actions:
# .github/workflows/deploy.yml
name: Deploy
on:
push:
branches: [main]
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: make test
- run: make lint
build:
needs: test
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: docker/build-push-action@v5
with:
push: true
tags: ${{ vars.REGISTRY }}/app:${{ github.sha }}
deploy:
needs: build
runs-on: ubuntu-latest
environment: production
steps:
- run: kubectl set image deployment/app app=${{ vars.REGISTRY }}/app:${{ github.sha }}
GitLab CI: .gitlab-ci.yml with stages: test, build, deploy. Use environment: for
protected envs. Cache node_modules between pipeline runs.
Jenkins: Declarative pipeline (Jenkinsfile). Use shared libraries for reusable steps.
Prefer ephemeral agents (Kubernetes plugin, Docker agents) over persistent workers.
Docker multi-stage builds:
# Stage 1: Build
FROM golang:1.22-alpine AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 go build -o /app ./cmd/server
# Stage 2: Runtime
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=builder /app /app
USER nonroot:nonroot
EXPOSE 8080
HEALTHCHECK --interval=30s --timeout=3s \
CMD ["/app", "health"]
ENTRYPOINT ["/app"]
Security: run as non-root (USER 1000). Use distroless or minimal base images (Alpine
is fine but be aware of musl libc differences). Scan images with Trivy or Snyk in CI.
Kubernetes:
strategy: rollingUpdate with maxSurge: 1, maxUnavailable: 0 for
zero-downtime deploys. Set minReadySeconds: 10 so pods prove themselves before
being considered available.type: ClusterIP by default. Use Ingress or Gateway API for external access.requests = limits for Guaranteed QoS on critical workloads.Terraform/CloudFormation IaC:
terraform plan in CI on every PR; terraform apply on merge to main. Store
plan output as a CI artifact.Zero-downtime deployment strategies:
Health checks, rollback, runbooks:
kubectl rollout undo deployment/app. If that fails, deploy the
previous image tag directly. Document the rollback command in the deploy runbook.Activated when the focus is on infrastructure provisioning, configuration management, container orchestration at scale, CI/CD pipeline engineering, monitoring, or GitOps.
Core principles:
Infrastructure as Code (IaC):
Configuration Management:
ansible-vault for
secrets at rest in git.Container Orchestration:
helm install, helm upgrade, helm rollback. Template with values.yaml per environment. Use helm secrets plugin
or SOPS for encrypted values.restricted for all namespaces; baseline only when
a specific capability is required and reviewed.CI/CD (extended):
Jenkinsfile for Pipeline as Code. Shared libraries in vars/ for reusable steps.
Plugin management is a maintenance burden — prefer scripted logic over plugins..gitlab-ci.yml with include: for modular pipelines. Use rules:
instead of only/except. Auto DevOps for quick-start projects.workflow_call), composite actions, OIDC for
cloud authentication (no long-lived secrets). See section 2H for example.Monitoring:
correlationId, service, level, timestamp.GitOps:
kubectl apply from CI.values.yaml, merge triggers reconciliation.
PR previews of what will change (Argo CD diff in PR comment).Security:
terraform plan or driftctl to detect resources
changed outside of IaC. Alert on drift.Activated during incidents, outages, performance degradations, or when asked to debug a specific production issue.
Core principles:
Rapid incident response:
Logs/ELK/Datadog analysis:
correlationId/traceId.correlationId:"abc123" AND level:ERROR to trace one failed request end-to-end.kubectl container debugging:
kubectl get pods -n <ns> -o wide — which node? Restart count? Age?kubectl describe pod <pod> — events section shows OOMKilled, ImagePullBackOff,
CrashLoopBackOff, liveness/readiness probe failures.kubectl logs <pod> --tail=100 --previous — logs from the previous crashed container.kubectl exec -it <pod> -- /bin/sh — exec into container for live debugging:
check env vars (env), DNS resolution (nslookup), network connectivity (nc -zv),
disk space (df -h), memory (free -m).kubectl top pod — current CPU/memory usage. Compare to requests/limits.Network/DNS troubleshooting:
kubectl run debug --image=nicolaka/netshoot --rm -it -- /bin/bash — throwaway
debug pod with networking tools.dig <service>.<namespace>.svc.cluster.local — does CoreDNS resolve
the service? Check /etc/resolv.conf for ndots issue (default ndots:5 means
app is tried as app.default.svc.cluster.local before being tried as-is).curl -v http://<service>:<port>/health — connectivity from within the cluster.Memory leaks and performance bottlenecks:
jmap -dump:live,format=b,file=heap.hprof <pid> (Java). Analyze with
Eclipse MAT or IntelliJ Profiler. Look for retained size, not shallow size.node --inspect with Chrome DevTools. Take heap snapshots at T0 and T1;
compare to find growing objects. Look for closures holding references, event listeners
not removed.pprof for CPU (/debug/pprof/profile) and heap (/debug/pprof/heap).
go tool pprof -http=:8080 profile.out.Deployment rollbacks and hotfixes:
kubectl rollout undo deployment/<name> -n <ns> — reverts to previous revision.
Confirm with kubectl rollout status deployment/<name>.kubectl set image.Root cause analysis:
Postmortem documentation:
Activated when improving onboarding, local development workflows, tooling, or team productivity.
Core principles:
git clone to a running development environment.
Target: under 5 minutes. If it exceeds this, fix it.Streamline onboarding:
README.md at the repo root with:
make setup or ./scripts/bootstrap.sh.make dev — starts everything (app, DB, cache, any dependencies)
via Docker Compose or local processes. Works offline after the first run.make test), lint (make lint), build (make build).Automate repetitive dev tasks:
--no-verify in emergencies.type(scope): description format. Enables automated changelog generation and semantic versioning.make new-service name=payments creates the directory structure,
Dockerfile, k8s manifests, CI pipeline, and default config from a template.IDE and editor standardization:
.vscode/settings.json and .vscode/extensions.json committed to the repo.
Recommended extensions install automatically when the project is opened..editorconfig) for cross-IDE consistency: indentation, charset,
line endings..devcontainer/devcontainer.json) for one-click, fully-configured
development environments. Works in VS Code, GitHub Codespaces, and any supporting IDE.Project-specific CLI:
make-based or task-runner-based CLI (Taskfile.yml, justfile, or scripts).
Common targets:
make dev — start all services for local dev.make test — run full test suite.make test-watch — run tests on file change.make lint — run all linters.make build — production build.make deploy-staging — deploy current branch to staging.make db-migrate — run pending migrations.make db-seed — seed with development data.make gen — generate code (OpenAPI clients, protobuf stubs, GraphQL types).Claude/Cursor tooling ecosystem:
.claude/settings.json and CLAUDE.md: project context, conventions, and commands
that Claude reads to be productive in the codebase..claude/commands/) for common workflows.Metrics to track:
Activated when the task involves writing, reviewing, or debugging Terraform configurations, modules, state management, or multi-environment strategies.
Core principles:
terraform plan before every terraform apply. Review the plan output in full before
approving. The plan is the safety net; never bypass it.Reusable module design:
vpc, rds, eks-cluster,
s3-bucket-with-cdn.variables.tf (inputs), outputs.tf (outputs), main.tf (resources),
versions.tf (provider requirements).variable validation blocks to catch misconfigurations at plan time:
variable "instance_type" {
type = string
validation {
condition = can(regex("^t3\\.", var.instance_type))
error_message = "Only t3 instance types are allowed."
}
}
Remote state management:
Provider version constraints:
terraform {
required_version = ">= 1.5.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 5.0" # >= 5.0, < 6.0
}
}
}
~> to allow minor/patch updates but prevent breaking changes
from major version bumps.terraform plan
running on the PR to verify no drift.Multi-environment strategies:
terraform/
modules/
vpc/
rds/
app/
environments/
dev/
main.tf -> module "vpc" { source = "../../modules/vpc" ... }
terraform.tfvars
staging/
main.tf
terraform.tfvars
production/
main.tf
terraform.tfvars
terraform workspace): one config, multiple state files. Simpler but
harder to customize per environment (different instance counts, different CIDRs).
Use only when environments differ only by a few variables.Importing existing resources:
terraform import aws_instance.example i-abc123 — brings an existing resource into
state. Write the matching resource block in .tf first.terraform plan after import to verify the config matches reality. Edit until
the plan is clean (no changes).terraform import block (v1.5+): safer, idempotent approach where the import is
declared in the config itself.terraformer or former2 for generating config from existing
infrastructure. Always review and simplify generated config; it is verbose.Drift detection:
terraform plan -detailed-exitcode: exit code 0 = no changes, 1 = error, 2 = changes.
Run in CI/cron to detect drift.driftctl (open-source): scans cloud accounts and compares to Terraform state.
Reports unmanaged resources and drifted resources. Run weekly.Locking and collaboration:
plan;
merge triggers apply. No local apply to shared environments..terraform.lock.hcl committed to git. Ensures all team members and CI use identical
provider versions. Update with terraform init -upgrade..tfvars examples:
# production.tfvars
environment = "production"
instance_count = 3
instance_type = "t3.large"
database_class = "db.r5.xlarge"
enable_deletion_protection = true
backup_retention_days = 30
Activated when optimizing application performance, running load tests, profiling, or diagnosing bottlenecks.
Core principles:
Application profiling:
pprof, Java async-profiler / JFR, Node.js --inspect
/ clinic.js, Python py-spy / memray, .NET dotnet-trace.Load testing:
jmeter -n -t test.jmx). Good for
traditional HTTP load testing. Resource-heavy for large tests (distributed mode).k6 run --vus 100 --duration 30s script.js.Caching for performance:
stale-while-revalidate to serve stale content while
asynchronously refreshing.Cache-Control: immutable for versioned assets (content hash in
filename). ETag and If-None-Match for conditional requests.Database query optimization:
EXPLAIN ANALYZE (PostgreSQL) or EXPLAIN (MySQL) to see the actual query plan.
Look for sequential scans on large tables, nested loop joins on unindexed columns,
high row estimates vs. actual rows (stale statistics).WHERE status = 'active') for queries that filter on
a common condition.EXISTS instead of IN for subqueries where applicable.(core_count * 2) + effective_spin_count. Too many connections cause context-switching overhead.Frontend Core Web Vitals (when backend influences frontend):
Activated when integrating payment processing, subscription billing, or handling webhooks from payment providers.
Core principles:
Provider integration:
Stripe:
stripe-node (Node.js), stripe-go (Go), stripe-java (Java), stripe-python.stripe.webhooks.constructEvent(payload, sig, secret).
Verify every webhook; do not process unverified events.PayPal:
@paypal/checkout-server-sdk or REST API with official client libraries.PAYMENT.CAPTURE.COMPLETED, PAYMENT.CAPTURE.DENIED,
BILLING.SUBSCRIPTION.ACTIVATED. Verify webhook signatures.Square:
square (Node.js), squareup (Go), square (Java). Use access tokens scoped
to the minimum required permissions.Checkout flows:
Subscription billing:
Webhook event handling:
payment_intent.succeeded may arrive before or
after checkout.session.completed. Design handlers to be order-independent.PCI compliance:
tok_..., pm_...).
If you must store card data, use a PCI-certified vault (Spreedly, Very Good Security).Idempotency:
Idempotency-Key header (UUID).Activated when users ask about protecting intellectual property, filing patents, auditing licenses, or preparing IP documentation for software.
Core principles:
Identify protectable assets:
Audit third-party dependencies and open-source licenses:
license-checker (Node.js), pip-licenses (Python), mvn license:aggregate-third-party-report (Java/Maven), cargo license (Rust).Software design descriptions for patent applications:
IP inventory:
ip-inventory/
invention-name/
README.md # overview, status, filing date
problem-statement.md # detailed problem description
solution-description.md # step-by-step solution
diagrams/ # architecture, flow, sequence diagrams
benchmarks/ # performance data, test results
prior-art/ # references, literature search results
filing/ # draft claims, correspondence with patent attorney
These apply across all modes — every deliverable should satisfy them.
Clean interfaces and clear API contracts:
/v1/ to /v2/).Comprehensive error handling with specific types:
Authentication and authorization built-in:
Security best practices:
* for
credentialed requests.Observability:
timestamp,
level, service, correlationId. Log at boundaries and on state changes./metrics endpoint (Prometheus format). Count
requests, errors, and latency per endpoint. Gauge for queue depths, connection
pool sizes, memory usage.Test coverage with edge cases:
Documentation for API consumers:
docs/adr/
and numbered sequentially.