backend-dev-guidelines
by aiskillstore
Security-audited skills for Claude, Codex & Claude Code. One-click install, quality verified.
Run in ManusSKILL.md
name: backend-dev-guidelines description: Comprehensive backend development guide for Supabase Edge Functions + PostgreSQL. Use when working with Supabase (database, auth, storage, realtime), Edge Functions, PostgreSQL, Row-Level Security (RLS), Resend email, Stripe payments, or TypeScript backend patterns. Covers database design, auth flows, Edge Function patterns, RLS policies, email integration, payment processing, and deployment to Supabase.
📋 OPINIONATED SCAFFOLD: Modern Supabase + Edge Functions stack
Default Stack:
- Backend: Supabase Edge Functions (Deno runtime)
- Database: Supabase PostgreSQL + Row-Level Security
- Auth: Supabase Auth (JWT-based)
- Storage: Supabase Storage
- Email: Resend (transactional emails)
- Payments: Stripe (subscriptions + one-time)
- Language: TypeScript
- Deployment: Git push to Supabase
To customize: Run
/customize-scaffold backendor use the scaffold-customizer agent to adapt for Express, NestJS, Fastify, Django, Rails, Go, or other frameworks.
Backend Development Guidelines
Purpose
Establish consistency and best practices for Supabase-powered backends using Edge Functions, PostgreSQL with Row-Level Security, and TypeScript. This skill covers database design, authentication flows, API patterns, email integration, and payment processing.
When to Use This Skill
Automatically activates when working on:
- Creating or modifying Supabase Edge Functions
- Designing PostgreSQL database schemas
- Implementing Row-Level Security (RLS) policies
- Building authentication flows with Supabase Auth
- Integrating Supabase Storage for file uploads
- Sending transactional emails with Resend
- Processing payments with Stripe
- Input validation with Zod
- Testing with Supabase CLI
- Backend deployment and configuration
Quick Start
New Edge Function Checklist
- Function: Create in
supabase/functions/[name]/index.ts - Validation: Zod schema for input
- Auth: JWT verification with Supabase client
- Database: Use Supabase client with RLS
- Error handling: Try/catch with proper responses
- CORS: Configure allowed origins
- Tests: Local testing with Supabase CLI
- Deploy:
supabase functions deploy [name]
New Feature Checklist
- Database: Create migration with schema changes
- RLS: Add appropriate security policies
- Edge Function: Implement API endpoint
- Frontend Integration: Update Supabase client calls
- Testing: Test locally before deploy
- Monitoring: Check logs after deployment
Architecture Overview
Supabase Stack Architecture
HTTP Request
↓
Edge Function (Deno runtime)
↓
Supabase Client (Auth + validation)
↓
PostgreSQL Database (with RLS)
↓
Response with JSON
Key Principle: Edge Functions are stateless, RLS enforces data security.
Integrations:
- Supabase Auth → JWT-based authentication
- Supabase Storage → File uploads and CDN
- Supabase Realtime → WebSocket subscriptions
- Resend → Transactional emails
- Stripe → Payment processing
See architecture-overview.md for complete details.
Directory Structure
project/
├── supabase/
│ ├── functions/ # Edge Functions
│ │ ├── create-user/
│ │ │ └── index.ts
│ │ ├── send-email/
│ │ │ └── index.ts
│ │ └── process-payment/
│ │ └── index.ts
│ ├── migrations/ # Database migrations
│ │ ├── 001_initial_schema.sql
│ │ ├── 002_add_rls.sql
│ │ └── 003_add_indexes.sql
│ ├── seed.sql # Test data
│ └── config.toml # Supabase config
├── lib/
│ └── supabase/
│ ├── client.ts # Supabase client setup
│ ├── auth.ts # Auth utilities
│ └── types.ts # Database types
└── types/
└── database.types.ts # Generated from schema
Naming Conventions:
- Edge Functions:
kebab-case-create-user,send-email - Database tables:
snake_case-user_profiles,subscription_plans - RLS policies:
snake_case-users_select_own,posts_insert_authenticated - TypeScript types:
PascalCase-UserProfile,SubscriptionPlan
Core Principles (7 Key Rules)
1. Edge Functions are Simple and Focused
// ❌ NEVER: 500-line Edge Function
Deno.serve(async (req) => {
// Massive logic...
});
// ✅ ALWAYS: Focused, single-purpose functions
Deno.serve(async (req) => {
const user = await getUserFromRequest(req);
const result = await createPost(user.id, req);
return new Response(JSON.stringify(result), { status: 201 });
});
2. Always Verify JWT Tokens
import { createClient } from '@supabase/supabase-js';
const supabase = createClient(
Deno.env.get('SUPABASE_URL')!,
Deno.env.get('SUPABASE_ANON_KEY')!,
{
global: {
headers: { Authorization: req.headers.get('Authorization')! }
}
}
);
const { data: { user }, error } = await supabase.auth.getUser();
if (error || !user) {
return new Response('Unauthorized', { status: 401 });
}
3. Use RLS for Data Security
-- Enable RLS on all tables
ALTER TABLE posts ENABLE ROW LEVEL SECURITY;
-- Users can only read their own data
CREATE POLICY "users_select_own" ON posts
FOR SELECT
USING (auth.uid() = user_id);
-- Users can only insert their own data
CREATE POLICY "posts_insert_own" ON posts
FOR INSERT
WITH CHECK (auth.uid() = user_id);
4. Validate All Input with Zod
import { z } from 'zod';
const CreatePostSchema = z.object({
title: z.string().min(1).max(200),
content: z.string().min(1),
tags: z.array(z.string()).optional()
});
const body = await req.json();
const validated = CreatePostSchema.parse(body); // Throws if invalid
5. Use Environment Variables via Deno.env
// ❌ NEVER: Hardcode secrets
const apiKey = 'sk_live_abc123';
// ✅ ALWAYS: Use environment variables
const apiKey = Deno.env.get('STRIPE_API_KEY')!;
const resendKey = Deno.env.get('RESEND_API_KEY')!;
6. Handle Errors Gracefully
try {
const result = await performOperation();
return new Response(JSON.stringify({ success: true, data: result }), {
status: 200,
headers: { 'Content-Type': 'application/json' }
});
} catch (error) {
console.error('Operation failed:', error);
return new Response(JSON.stringify({
success: false,
error: error.message
}), {
status: 500,
headers: { 'Content-Type': 'application/json' }
});
}
7. Test Locally Before Deploying
# Start Supabase locally
supabase start
# Test Edge Function locally
supabase functions serve create-user --env-file .env.local
# Run tests
curl -i http://localhost:54321/functions/v1/create-user \
-H "Authorization: Bearer YOUR_TOKEN" \
-d '{"email":"test@example.com"}'
Common Imports
// Supabase
import { createClient } from '@supabase/supabase-js';
import type { Database } from '../types/database.types.ts';
// Validation
import { z } from 'zod';
// Email (Resend)
import { Resend } from 'resend';
// Payments (Stripe)
import Stripe from 'stripe';
// CORS helper
import { corsHeaders } from '../_shared/cors.ts';
Quick Reference
HTTP Status Codes
| Code | Use Case |
|---|---|
| 200 | Success |
| 201 | Created |
| 204 | No Content (DELETE success) |
| 400 | Bad Request (validation error) |
| 401 | Unauthorized (no/invalid token) |
| 403 | Forbidden (valid token, no permission) |
| 404 | Not Found |
| 500 | Server Error |
Common Edge Function Patterns
Auth Check → Verify JWT, get user CRUD Operations → Create, Read, Update, Delete with RLS Email Sending → Resend integration Payment Processing → Stripe webhooks and charges File Upload → Supabase Storage integration
Anti-Patterns to Avoid
❌ Skipping JWT verification ❌ Querying database without RLS ❌ No input validation ❌ Exposing secrets in code ❌ Missing error handling ❌ Deploying without local testing ❌ Direct database access (bypassing RLS) ❌ console.log for production errors (use proper logging)
Example Resource Files
📝 Note: This is a scaffold skill with example resources. The provided resources demonstrate the pattern - you should generate additional resources as needed for your specific project.
✅ Provided Examples
architecture-overview.md - Complete Supabase stack architecture edge-functions-guide.md - Edge Function patterns and deployment database-and-rls.md - Database design and RLS policies
📋 Generate On-Demand
When you need guidance on a specific topic, ask Claude to generate a resource file following the same pattern as the examples above. Common topics:
- Validation patterns - Zod schemas and error handling
- Auth patterns - JWT verification, session management
- Storage patterns - File uploads, CDN, signed URLs
- Email integration - Resend templates and sending
- Stripe integration - Payments, subscriptions, webhooks
- Testing guide - Local testing, integration tests
- Complete examples - Full working Edge Function examples
How to request: "Generate a resource file for [topic] following the pattern in architecture-overview.md"
Customization Instructions
For Your Tech Stack
Not using Supabase? Use the scaffold-customizer agent or manual replacement:
# Option 1: Automated
# Claude will detect your stack and offer to customize
# Option 2: Manual find-and-replace
Supabase → Your database (Prisma, TypeORM, etc.)
Edge Functions → Your backend (Express, NestJS, etc.)
PostgreSQL → Your database (MySQL, MongoDB, etc.)
RLS → Your auth strategy
For Your Domain
Replace the generic examples with your domain:
- Update "posts" table → your entities
- Update "users" → your user model
- Update business logic examples
For Your Patterns
Adapt the principles to your architecture:
- Keep security-first approach
- Keep validation patterns
- Keep error handling patterns
- Adjust structure to your needs
Related Skills
- frontend-dev-guidelines - Next.js + React patterns for Supabase integration
- memory-management - Track architectural decisions
- skill-developer - Meta-skill for creating and managing skills
Skill Status: SCAFFOLD ✅ Line Count: < 500 ✅ Progressive Disclosure: Example resources + generation instructions ✅
Score
Total Score
Based on repository quality metrics
SKILL.mdファイルが含まれている
ライセンスが設定されている
100文字以上の説明がある
GitHub Stars 100以上
1ヶ月以内に更新
10回以上フォークされている
オープンIssueが50未満
プログラミング言語が設定されている
1つ以上のタグが設定されている
Reviews
Reviews coming soon
