antigravity-claudekit/skills/ck-backend-development/SKILL.md

---
name: ck-backend-development
description: Build production-ready backends with Node.js, Python, Go. Use for REST/GraphQL/gRPC APIs, authentication (OAuth, JWT), database design, microservices, OWASP security, Docker and Kubernetes deployment.
---

# ck-backend-development

Production-ready backend development with modern technologies, best practices, and proven patterns.

## When to Use

- Designing RESTful, GraphQL, or gRPC APIs
- Building authentication and authorization systems
- Optimizing database queries and schemas
- Implementing caching and performance optimization
- OWASP Top 10 security mitigation
- Designing scalable microservices
- Testing strategies (unit, integration, E2E)
- CI/CD pipelines and deployment
- Monitoring and debugging production systems

## Don't Use When

- Frontend UI work — use `ck-frontend-development` or `ck-frontend-design`
- Infrastructure-only work (K8s manifests, Dockerfiles) — use `ck-devops`
- Database schema design only — use `ck-databases`

## Technology Selection

**Languages:**
- Node.js/TypeScript — full-stack teams, fast iteration
- Python — data/ML integration, scientific computing
- Go — high concurrency, performance-critical services
- Rust — maximum performance, memory safety

**Frameworks:** NestJS, FastAPI, Django, Express, Gin

**Databases:** PostgreSQL (ACID), MongoDB (flexible schema), Redis (caching)

**APIs:** REST (simple/public), GraphQL (flexible queries), gRPC (internal services, performance)

## Quick Decision Matrix

| Need | Choose |
|------|--------|
| Fast development | Node.js + NestJS |
| Data/ML integration | Python + FastAPI |
| High concurrency | Go + Gin |
| ACID transactions | PostgreSQL |
| Flexible schema | MongoDB |
| Caching | Redis |
| Internal services | gRPC |
| Public APIs | GraphQL/REST |
| Real-time events | Kafka |

## Key Best Practices (2025)

**Security:**
- Argon2id for password hashing
- Parameterized queries (eliminates SQL injection)
- OAuth 2.1 + PKCE for authentication
- Rate limiting on all public endpoints
- Security headers (HSTS, CSP, X-Frame-Options)

**Performance:**
- Redis caching (reduces DB load significantly)
- Database indexing on frequently queried columns
- CDN for static assets
- Connection pooling (pgBouncer for PostgreSQL)

**Testing:** 70% unit / 20% integration / 10% E2E pyramid

**DevOps:** Blue-green or canary deployments, feature flags, Prometheus/Grafana monitoring

## Implementation Checklists

**API:**
Choose style → Design schema → Validate input → Add auth → Rate limiting → Documentation → Error handling

**Database:**
Choose DB → Design schema → Create indexes → Connection pooling → Migration strategy → Backup/restore → Test performance

**Security:**
OWASP Top 10 → Parameterized queries → OAuth 2.1 + JWT → Security headers → Rate limiting → Input validation → Argon2id

**Testing:**
Unit 70% → Integration 20% → E2E 10% → Load tests → Migration tests

**Deployment:**
Docker → CI/CD → Blue-green/canary → Feature flags → Monitoring → Logging → Health checks

## Domain References

- **API Design**: REST/GraphQL/gRPC patterns and best practices
- **Security**: OWASP Top 10 2025, input validation, auth patterns
- **Authentication**: OAuth 2.1, JWT, RBAC, MFA, session management
- **Performance**: Caching, query optimization, load balancing, scaling
- **Architecture**: Microservices, event-driven, CQRS, saga patterns
- **Testing**: Testing strategies, frameworks, CI/CD testing
- **DevOps**: Docker, Kubernetes, deployment strategies, monitoring

## Resources

- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OAuth 2.1: https://oauth.net/2.1/
- OpenTelemetry: https://opentelemetry.io/