software-backend
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseSoftware Backend Engineering
软件后端工程
Use this skill to design, implement, and review production-grade backend services: API boundaries, data layer, auth, caching, observability, error handling, testing, and deployment.
Defaults to bias toward: type-safe boundaries (validation at the edge), OpenTelemetry for observability, zero-trust assumptions, idempotency for retries, RFC 9457 errors, Postgres + pooling, structured logs, timeouts, and rate limiting.
使用此技能设计、实现和评审生产级后端服务:包括API边界、数据层、身份认证、缓存、可观测性、错误处理、测试和部署。
默认遵循以下原则:类型安全边界(边缘层校验)、基于OpenTelemetry的可观测性、零信任假设、重试幂等性、RFC 9457错误规范、PostgreSQL + 连接池、结构化日志、超时配置和限流。
Quick Reference
快速参考
| Task | Default Picks | Notes |
|---|---|---|
| REST API | Fastify / Express / NestJS | Prefer typed boundaries + explicit timeouts |
| Edge API | Hono / platform-native handlers | Keep work stateless, CPU-light |
| Type-Safe API | tRPC | Prefer for TS monorepos and internal APIs |
| GraphQL API | Apollo Server / Pothos | Prefer for complex client-driven queries |
| Database | PostgreSQL | Use pooling + migrations + query budgets |
| ORM / Query Layer | Prisma / Drizzle / SQLAlchemy / GORM / SeaORM | Prefer explicit transactions |
| Authentication | OIDC/OAuth + sessions/JWT | Prefer httpOnly cookies for browsers |
| Validation | Zod / Pydantic / validator libs | Validate at the boundary, not deep inside |
| Caching | Redis (or managed) | Use TTLs + invalidation strategy |
| Background Jobs | BullMQ / platform queues | Make jobs idempotent + retry-safe |
| Testing | Unit + integration + contract/E2E | Keep most tests below the UI layer |
| Observability | Structured logs + OpenTelemetry | Correlation IDs end-to-end |
| 任务 | 默认选型 | 说明 |
|---|---|---|
| REST API | Fastify / Express / NestJS | 优先选择类型安全边界 + 显式超时配置 |
| 边缘API | Hono / 平台原生处理器 | 保持无状态、低CPU消耗 |
| 类型安全API | tRPC | 适用于TypeScript单体仓库和内部API |
| GraphQL API | Apollo Server / Pothos | 适用于复杂的客户端驱动查询场景 |
| 数据库 | PostgreSQL | 使用连接池 + 迁移 + 查询预算 |
| ORM / 查询层 | Prisma / Drizzle / SQLAlchemy / GORM / SeaORM | 优先选择显式事务 |
| 身份认证 | OIDC/OAuth + 会话/JWT | 浏览器场景优先使用httpOnly Cookie |
| 校验 | Zod / Pydantic / 校验类库 | 在API边界处校验,而非业务逻辑内部 |
| 缓存 | Redis(或托管服务) | 使用TTL + 失效策略 |
| 后台任务 | BullMQ / 平台队列 | 确保任务幂等 + 可安全重试 |
| 测试 | 单元测试 + 集成测试 + 契约/端到端测试 | 大部分测试聚焦在UI层以下 |
| 可观测性 | 结构化日志 + OpenTelemetry | 全链路关联ID追踪 |
Scope
适用范围
Use this skill to:
- Design and implement REST/GraphQL/tRPC APIs
- Model data schemas and run safe migrations
- Implement authentication/authorization (OIDC/OAuth, sessions/JWT)
- Add validation, error handling, rate limiting, caching, and background jobs
- Ship production readiness (timeouts, observability, deploy/runbooks)
使用此技能可完成以下工作:
- 设计和实现REST/GraphQL/tRPC API
- 建模数据Schema并执行安全迁移
- 实现身份认证/授权(OIDC/OAuth、会话/JWT)
- 添加校验、错误处理、限流、缓存和后台任务
- 实现生产就绪配置(超时、可观测性、部署/运行手册)
When NOT to Use This Skill
不适用场景
Use a different skill when:
- Frontend-only concerns -> See software-frontend
- Infrastructure provisioning (Terraform, K8s manifests) -> See ops-devops-platform
- API design patterns only (no implementation) -> See dev-api-design
- SQL query optimization and indexing -> See data-sql-optimization
- Security audits and threat modeling -> See software-security-appsec
- System architecture (beyond single service) -> See software-architecture-design
以下场景请使用其他技能:
- 纯前端相关问题 -> 参考software-frontend
- 基础设施编排(Terraform、K8s清单) -> 参考ops-devops-platform
- 仅API设计模式(无需实现) -> 参考dev-api-design
- SQL查询优化和索引 -> 参考data-sql-optimization
- 安全审计和威胁建模 -> 参考software-security-appsec
- 系统架构(单服务之外的设计) -> 参考software-architecture-design
Decision Tree: Backend Technology Selection
后端技术选型决策树
text
Backend project needs: [API Type]
- REST API?
- Simple CRUD -> Express/Fastify + Prisma/Drizzle
- Enterprise features -> NestJS (DI, modules)
- High performance -> Fastify (tight request lifecycle)
- Edge/Serverless -> Hono (Cloudflare Workers, Vercel Edge)
- Type-Safe API?
- Full-stack TypeScript monorepo -> tRPC (no schema, no codegen)
- Public API with docs -> REST + OpenAPI
- Flexible data fetching -> GraphQL + Pothos/Apollo
- GraphQL API?
- Code-first -> Pothos GraphQL (TypeScript)
- Schema-first -> Apollo Server + GraphQL Codegen
- Runtime Selection?
- Enterprise stable -> Node.js (current LTS)
- Performance-critical -> Bun (verify runtime constraints)
- Security-focused -> Deno (verify platform support)
- Authentication Strategy?
- Browser sessions -> httpOnly cookies + server-side session store
- OAuth/Social -> OIDC/OAuth library (or platform auth)
- Service-to-service -> short-lived JWT + mTLS where possible
- Database Layer?
- Type-safe ORM -> Prisma (migrations, Studio)
- SQL-first/perf -> Drizzle (SQL-like API)
- Raw SQL -> driver + query builder (Kysely/sqlc/SQLx)
- Edge-compatible -> driver/ORM + Neon/Turso/D1
- Caching Strategy?
- Distributed cache -> Redis (multi-server)
- Serverless cache -> managed Redis (e.g., Upstash)
- In-memory cache -> process memory (single instance only)
- Edge Deployment?
- Global low-latency -> Cloudflare Workers
- Next.js integration -> Vercel Edge Functions
- AWS ecosystem -> Lambda@Edge
- Background Jobs?
- Complex workflows -> BullMQ (Redis-backed, retries)
- Serverless workflows -> AWS Step Functions
- Simple scheduling -> cron + durable storageRuntime & Language Alternatives:
- Node.js (current LTS) (Express/Fastify/NestJS + Prisma/Drizzle): default for broad ecosystem + mature tooling
- Bun (Hono/Elysia + Drizzle): consider for perf-sensitive workloads (verify runtime constraints)
- Python (FastAPI + SQLAlchemy): strong for data-heavy services and ML integration
- Go (Fiber/Gin + GORM/sqlc): strong for concurrency and simple deploys
- Rust (Axum + SeaORM/SQLx): strong for safety/performance-critical services
See assets/ for language-specific starter templates and references/edge-deployment-guide.md for edge computing patterns.
text
后端项目需求: [API类型]
- REST API?
- 简单CRUD -> Express/Fastify + Prisma/Drizzle
- 企业级特性 -> NestJS(依赖注入、模块化)
- 高性能场景 -> Fastify(紧凑的请求生命周期)
- 边缘/无服务器 -> Hono(Cloudflare Workers、Vercel Edge)
- 类型安全API?
- 全栈TypeScript单体仓库 -> tRPC(无需Schema、无需代码生成)
- 带文档的公开API -> REST + OpenAPI
- 灵活的数据获取 -> GraphQL + Pothos/Apollo
- GraphQL API?
- 代码优先 -> Pothos GraphQL(TypeScript)
- Schema优先 -> Apollo Server + GraphQL Codegen
- 运行时选择?
- 企业级稳定 -> Node.js(当前LTS版本)
- 性能敏感场景 -> Bun(需验证运行时约束)
- 安全优先 -> Deno(需验证平台支持)
- 身份认证策略?
- 浏览器会话 -> httpOnly Cookie + 服务端会话存储
- OAuth/社交登录 -> OIDC/OAuth类库(或平台认证服务)
- 服务间通信 -> 短期JWT + 尽可能使用mTLS
- 数据库层?
- 类型安全ORM -> Prisma(迁移、Studio工具)
- SQL优先/高性能 -> Drizzle(类SQL API)
- 原生SQL -> 驱动 + 查询构建器(Kysely/sqlc/SQLx)
- 边缘兼容 -> 驱动/ORM + Neon/Turso/D1
- 缓存策略?
- 分布式缓存 -> Redis(多服务器)
- 无服务器缓存 -> 托管Redis(如Upstash)
- 内存缓存 -> 进程内存(仅单实例场景)
- 边缘部署?
- 全球低延迟 -> Cloudflare Workers
- Next.js集成 -> Vercel Edge Functions
- AWS生态 -> Lambda@Edge
- 后台任务?
- 复杂工作流 -> BullMQ(基于Redis,支持重试)
- 无服务器工作流 -> AWS Step Functions
- 简单调度 -> cron + 持久化存储运行时与语言替代方案:
- Node.js(当前LTS版本)(Express/Fastify/NestJS + Prisma/Drizzle):生态完善、工具成熟的默认选择
- Bun(Hono/Elysia + Drizzle):适用于性能敏感型工作负载(需验证运行时约束)
- Python(FastAPI + SQLAlchemy):在数据密集型服务和ML集成场景表现出色
- Go(Fiber/Gin + GORM/sqlc):并发能力强、部署简单
- Rust(Axum + SeaORM/SQLx):适用于安全/性能关键型服务
查看assets/获取语言特定的启动模板,查看references/edge-deployment-guide.md获取边缘计算模式。
API Design Patterns (Dec 2025)
API设计模式(2025年12月)
Idempotency Patterns
幂等性模式
All mutating operations MUST support idempotency for retry safety.
Implementation:
typescript
// Idempotency key header
const idempotencyKey = request.headers['idempotency-key'];
const cached = await redis.get(`idem:${idempotencyKey}`);
if (cached) return JSON.parse(cached);
const result = await processOperation();
await redis.set(`idem:${idempotencyKey}`, JSON.stringify(result), 'EX', 86400);
return result;| Do | Avoid |
|---|---|
| Store idempotency keys with TTL (24h typical) | Processing duplicate requests |
| Return cached response for duplicate keys | Different responses for same key |
| Use client-generated UUIDs | Server-generated keys |
所有写操作必须支持幂等性,以确保重试安全。
实现示例:
typescript
// 幂等性Key请求头
const idempotencyKey = request.headers['idempotency-key'];
const cached = await redis.get(`idem:${idempotencyKey}`);
if (cached) return JSON.parse(cached);
const result = await processOperation();
await redis.set(`idem:${idempotencyKey}`, JSON.stringify(result), 'EX', 86400);
return result;| 正确做法 | 避免做法 |
|---|---|
| 为幂等性Key设置TTL(通常24小时) | 处理重复请求 |
| 重复Key返回缓存响应 | 同一Key返回不同响应 |
| 使用客户端生成的UUID | 服务端生成Key |
Pagination Patterns
分页模式
| Pattern | Use When | Example |
|---|---|---|
| Cursor-based | Large datasets, real-time data | |
| Offset-based | Small datasets, random access | |
| Keyset | Sorted data, high performance | |
Prefer cursor-based pagination for APIs with frequent inserts.
| 模式 | 适用场景 | 示例 |
|---|---|---|
| 游标分页 | 大数据集、实时数据 | |
| 偏移分页 | 小数据集、随机访问 | |
| 键集分页 | 排序数据、高性能 | |
优先选择游标分页用于频繁插入数据的API。
Error Response Standard (Problem Details)
错误响应标准(问题详情)
Use a consistent machine-readable error format (RFC 9457 Problem Details): https://www.rfc-editor.org/rfc/rfc9457
json
{
"type": "https://example.com/problems/invalid-request",
"title": "Invalid request",
"status": 400,
"detail": "email is required",
"instance": "/v1/users"
}使用统一的机器可读错误格式(RFC 9457 问题详情):https://www.rfc-editor.org/rfc/rfc9457
json
{
"type": "https://example.com/problems/invalid-request",
"title": "Invalid request",
"status": 400,
"detail": "email is required",
"instance": "/v1/users"
}Health Check Patterns
健康检查模式
typescript
// Liveness: Is the process running?
app.get('/health/live', (req, res) => {
res.status(200).json({ status: 'ok' });
});
// Readiness: Can the service handle traffic?
app.get('/health/ready', async (req, res) => {
const dbOk = await checkDatabase();
const cacheOk = await checkRedis();
if (dbOk && cacheOk) {
res.status(200).json({ status: 'ready', db: 'ok', cache: 'ok' });
} else {
res.status(503).json({ status: 'not ready', db: dbOk, cache: cacheOk });
}
});typescript
// 存活检查:进程是否在运行?
app.get('/health/live', (req, res) => {
res.status(200).json({ status: 'ok' });
});
// 就绪检查:服务能否处理流量?
app.get('/health/ready', async (req, res) => {
const dbOk = await checkDatabase();
const cacheOk = await checkRedis();
if (dbOk && cacheOk) {
res.status(200).json({ status: 'ready', db: 'ok', cache: 'ok' });
} else {
res.status(503).json({ status: 'not ready', db: dbOk, cache: cacheOk });
}
});Migration Rollback Strategies
迁移回滚策略
| Strategy | Description | Use When |
|---|---|---|
| Backward-compatible | New code works with old schema | Zero-downtime deployments |
| Expand-contract | Add new, migrate, remove old | Schema changes |
| Shadow tables | Write to both during transition | High-risk migrations |
| 策略 | 描述 | 适用场景 |
|---|---|---|
| 向后兼容 | 新代码兼容旧Schema | 零停机部署 |
| 扩展-收缩 | 添加新字段、迁移数据、移除旧字段 | Schema变更 |
| 影子表 | 过渡期间同时写入新旧表 | 高风险迁移 |
Common Backend Mistakes to Avoid
需避免的常见后端错误
| FAIL Avoid | PASS Instead | Why |
|---|---|---|
| Storing sessions in memory | Use Redis/Upstash | Memory lost on restart, no horizontal scaling |
| Synchronous file I/O | Use | Blocks event loop, kills throughput |
| Unbounded queries | Always use | Memory exhaustion, slow responses |
| Trusting client input | Validate with Zod at API boundaries | Injection attacks, type coercion bugs |
| Hardcoded secrets | Use env vars + secret manager (Vault, AWS SM) | Security breach on repo exposure |
| N+1 database queries | Use | 10-100x performance degradation |
| Use structured logging (Pino/Winston) | No correlation IDs, unqueryable logs |
| Catching errors silently | Log + rethrow or handle explicitly | Hidden failures, debugging nightmares |
| Missing connection pooling | Use Prisma connection pool or PgBouncer | Connection exhaustion under load |
| No request timeouts | Set timeouts on HTTP clients and DB queries | Resource leaks, cascading failures |
Security anti-patterns:
- FAIL Don't use MD5/SHA1 for passwords -> Use Argon2id
- FAIL Don't store JWTs in localStorage -> Use httpOnly cookies
- FAIL Don't trust without validation -> Configure trusted proxies
X-Forwarded-For - FAIL Don't skip rate limiting -> Use sliding window (Redis) or token bucket
- FAIL Don't log sensitive data -> Redact PII, tokens, passwords
| 错误做法 | 正确做法 | 原因 |
|---|---|---|
| 内存中存储会话 | 使用Redis/Upstash | 重启会丢失内存数据,无法水平扩展 |
| 同步文件I/O | 使用 | 阻塞事件循环,降低吞吐量 |
| 无限制查询 | 始终使用 | 内存耗尽、响应缓慢 |
| 信任客户端输入 | 在API边界使用Zod校验 | 注入攻击、类型转换Bug |
| 硬编码密钥 | 使用环境变量 + 密钥管理器(Vault、AWS SM) | 代码库泄露会导致安全漏洞 |
| N+1数据库查询 | 使用 | 性能下降10-100倍 |
生产环境使用 | 使用结构化日志(Pino/Winston) | 无关联ID、日志无法查询 |
| 静默捕获错误 | 记录日志 + 重新抛出或显式处理 | 隐藏故障、调试困难 |
| 未使用连接池 | 使用Prisma连接池或PgBouncer | 高负载下连接耗尽 |
| 未设置请求超时 | 为HTTP客户端和数据库查询设置超时 | 资源泄漏、级联故障 |
安全反模式:
- 错误:不要使用MD5/SHA1存储密码 -> 正确:使用Argon2id
- 错误:不要在localStorage中存储JWT -> 正确:使用httpOnly Cookie
- 错误:未验证就信任-> 正确:配置可信代理
X-Forwarded-For - 错误:未设置限流 -> 正确:使用滑动窗口(Redis)或令牌桶算法
- 错误:记录敏感数据 -> 正确:脱敏PII、令牌、密码
Optional: AI/Automation Extensions
可选:AI/自动化扩展
Note: AI-assisted backend patterns. Skip if not using AI tooling.
注意:AI辅助后端开发模式。若不使用AI工具可跳过。
AI-Assisted Code Generation
AI辅助代码生成
| Tool | Use Case |
|---|---|
| GitHub Copilot | Inline suggestions, boilerplate |
| Cursor | AI-first IDE, context-aware |
| Claude Code | CLI-based development |
Review requirements for AI-generated code:
- All imports verified against package.json
- Type checker passes (strict mode)
- Security scan passes
- Tests cover generated code
| 工具 | 适用场景 |
|---|---|
| GitHub Copilot | 行内建议、样板代码生成 |
| Cursor | AI优先IDE、上下文感知 |
| Claude Code | 基于CLI的开发 |
AI生成代码的评审要求:
- 所有导入需与package.json验证一致
- 类型检查通过(严格模式)
- 安全扫描通过
- 测试覆盖生成代码
Infrastructure Economics and Business Impact
基础设施经济性与业务影响
Why this matters: Backend decisions directly impact revenue. A 100ms latency increase can reduce conversions by 7%. A poorly chosen architecture can cost 10x more in cloud spend. Performance SLAs are revenue commitments.
重要性:后端决策直接影响收入。延迟增加100ms可能导致转化率下降7%。架构选型不当会使云成本增加10倍。性能SLA是收入承诺。
Cost Modeling Quick Reference
成本建模快速参考
| Decision | Cost Impact | Revenue Impact |
|---|---|---|
| Edge vs. Origin | 60-80% latency reduction | +2-5% conversion rate |
| Serverless vs. Containers | Variable cost, scales to zero | Better unit economics at low scale |
| Reserved vs. On-Demand | 30-60% cost savings | Predictable COGS |
| Connection pooling | 50-70% fewer DB connections | Lower database costs |
| Caching layer | 80-95% fewer origin requests | Reduced compute costs |
| 决策 | 成本影响 | 收入影响 |
|---|---|---|
| 边缘 vs 源站 | 延迟降低60-80% | 转化率提升2-5% |
| 无服务器 vs 容器 | 可变成本、可缩容至零 | 低流量场景单位经济效益更好 |
| 预留实例 vs 按需实例 | 成本节省30-60% | 可预测的销货成本 |
| 连接池 | 数据库连接数减少50-70% | 降低数据库成本 |
| 缓存层 | 源站请求减少80-95% | 降低计算成本 |
Performance SLA -> Revenue Mapping
性能SLA -> 收入映射
text
SLA Target -> Business Metric
P50 latency < 100ms -> Baseline user experience
P95 latency < 500ms -> 95% users satisfied
P99 latency < 1000ms -> Enterprise SLA compliance
Uptime 99.9% (43.8m downtime/month) -> Standard SLA tier
Uptime 99.99% (4.4m downtime/month) -> Enterprise tier ($$$)text
SLA目标 -> 业务指标
P50延迟 < 100ms -> 基准用户体验
P95延迟 < 500ms -> 95%用户满意度
P99延迟 < 1000ms -> 企业级SLA合规
可用性99.9%(每月停机43.8分钟) -> 标准SLA层级
可用性99.99%(每月停机4.4分钟) -> 企业级层级(高价值)Unit Economics Checklist
单位经济效益检查清单
Before deploying any backend service, calculate:
- Cost per request: Total infra cost / monthly requests
- Cost per user: Total infra cost / MAU
- Gross margin impact: How does infra cost affect product margin?
- Scale economics: At 10x traffic, does cost scale linearly or worse?
- Break-even point: At what traffic level does this architecture pay for itself?
部署任何后端服务前,计算以下指标:
- 每请求成本:总基础设施成本 / 月请求量
- 每用户成本:总基础设施成本 / 月活跃用户数
- 毛利率影响:基础设施成本如何影响产品毛利率?
- 规模经济效益:流量增长10倍时,成本是否线性增长或更差?
- 收支平衡点:流量达到多少时,该架构能收回成本?
Architecture Decision -> Business Impact
架构决策 -> 业务影响
| Architecture Choice | Technical Benefit | Business Impact |
|---|---|---|
| CDN + Edge caching | Lower latency | Higher conversion, better SEO |
| Read replicas | Scale reads | Handle traffic spikes without degradation |
| Queue-based processing | Decouple services | Smoother UX during high load |
| Multi-region deployment | Fault tolerance | Enterprise SLA compliance |
| Auto-scaling | Right-sized infra | Lower COGS, better margins |
| 架构选择 | 技术收益 | 业务影响 |
|---|---|---|
| CDN + 边缘缓存 | 更低延迟 | 更高转化率、更好的SEO |
| 只读副本 | 扩展读能力 | 处理流量峰值而不降级 |
| 队列处理 | 解耦服务 | 高负载下更流畅的用户体验 |
| 多区域部署 | 容错能力 | 企业级SLA合规 |
| 自动扩缩容 | 资源按需分配 | 更低的销货成本、更好的毛利率 |
FinOps Practices for Backend Teams
后端团队的FinOps实践
- Tag all resources - Every resource tagged with ,
team,serviceenvironment - Set billing alerts - Alert at 50%, 80%, 100% of budget
- Review weekly - 15-minute weekly cost review meeting
- Right-size monthly - Check CPU/memory utilization, downsize overprovisioned
- Spot/Preemptible for non-prod - 60-90% savings on dev/staging
See references/infrastructure-economics.md for detailed cost modeling, cloud provider comparisons, and ROI calculators.
- 标记所有资源 - 每个资源标记、
team、serviceenvironment - 设置账单告警 - 预算达到50%、80%、100%时触发告警
- 每周评审 - 15分钟的每周成本评审会议
- 每月优化资源规格 - 检查CPU/内存利用率,缩小过度配置的资源
- 非生产环境使用竞价/抢占式实例 - 开发/ staging环境节省60-90%成本
查看references/infrastructure-economics.md获取详细成本建模、云服务商对比和ROI计算器。
Navigation
导航
Resources
- references/backend-best-practices.md - Template authoring guide, quality checklist, and shared utilities pointers
- references/edge-deployment-guide.md - Edge computing patterns, Cloudflare Workers vs Vercel Edge, tRPC, Hono, Bun
- references/infrastructure-economics.md - Cost modeling, performance SLAs -> revenue, FinOps practices, cloud optimization
- references/go-best-practices.md - Go idioms, concurrency, error handling, GORM usage, testing, profiling
- references/rust-best-practices.md - Ownership, async, Axum, SeaORM, error handling, testing
- references/python-best-practices.md - FastAPI, SQLAlchemy, async patterns, validation, testing, performance
- data/sources.json - External references per language/runtime
- Shared checklists: ../software-clean-code-standard/assets/checklists/backend-api-review-checklist.md, ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md
Shared Utilities (Centralized patterns - extract, don't duplicate)
- ../software-clean-code-standard/utilities/auth-utilities.md - Argon2id, jose JWT, OAuth 2.1/PKCE
- ../software-clean-code-standard/utilities/error-handling.md - Effect Result types, correlation IDs
- ../software-clean-code-standard/utilities/config-validation.md - Zod 3.24+, Valibot, secrets management
- ../software-clean-code-standard/utilities/resilience-utilities.md - p-retry v6, opossum v8, OTel spans
- ../software-clean-code-standard/utilities/logging-utilities.md - pino v9 + OpenTelemetry integration
- ../software-clean-code-standard/utilities/testing-utilities.md - Vitest, MSW v2, factories, fixtures
- ../software-clean-code-standard/utilities/observability-utilities.md - OpenTelemetry SDK, tracing, metrics
- ../software-clean-code-standard/references/clean-code-standard.md - Canonical clean code rules () for citation
CC-*
Templates
- assets/nodejs/template-nodejs-prisma-postgres.md - Node.js + Prisma + PostgreSQL
- assets/go/template-go-fiber-gorm.md - Go + Fiber + GORM + PostgreSQL
- assets/rust/template-rust-axum-seaorm.md - Rust + Axum + SeaORM + PostgreSQL
- assets/python/template-python-fastapi-sqlalchemy.md - Python + FastAPI + SQLAlchemy + PostgreSQL
Related Skills
- ../software-architecture-design/SKILL.md - System decomposition, SLAs, and data flows
- ../software-security-appsec/SKILL.md - Authentication/authorization and secure API design
- ../ops-devops-platform/SKILL.md - CI/CD, infrastructure, and deployment safety
- ../qa-resilience/SKILL.md - Resilience, retries, and failure playbooks
- ../software-code-review/SKILL.md - Review checklists and standards for backend changes
- ../qa-testing-strategy/SKILL.md - Testing strategies, test pyramids, and coverage goals
- ../dev-api-design/SKILL.md - RESTful design, GraphQL, and API versioning patterns
- ../data-sql-optimization/SKILL.md - SQL optimization, indexing, and query tuning patterns
资源
- references/backend-best-practices.md - 模板编写指南、质量检查清单和共享工具指针
- references/edge-deployment-guide.md - 边缘计算模式、Cloudflare Workers vs Vercel Edge、tRPC、Hono、Bun
- references/infrastructure-economics.md - 成本建模、性能SLA->收入、FinOps实践、云优化
- references/go-best-practices.md - Go语言 idioms、并发、错误处理、GORM使用、测试、性能分析
- references/rust-best-practices.md - 所有权、异步、Axum、SeaORM、错误处理、测试
- references/python-best-practices.md - FastAPI、SQLAlchemy、异步模式、校验、测试、性能
- data/sources.json - 各语言/运行时的外部参考资料
- 共享检查清单:../software-clean-code-standard/assets/checklists/backend-api-review-checklist.md, ../software-clean-code-standard/assets/checklists/secure-code-review-checklist.md
共享工具(集中式模式 - 复用而非重复实现)
- ../software-clean-code-standard/utilities/auth-utilities.md - Argon2id、jose JWT、OAuth 2.1/PKCE
- ../software-clean-code-standard/utilities/error-handling.md - Effect Result类型、关联ID
- ../software-clean-code-standard/utilities/config-validation.md - Zod 3.24+、Valibot、密钥管理
- ../software-clean-code-standard/utilities/resilience-utilities.md - p-retry v6、opossum v8、OTel链路
- ../software-clean-code-standard/utilities/logging-utilities.md - pino v9 + OpenTelemetry集成
- ../software-clean-code-standard/utilities/testing-utilities.md - Vitest、MSW v2、工厂、测试数据
- ../software-clean-code-standard/utilities/observability-utilities.md - OpenTelemetry SDK、追踪、指标
- ../software-clean-code-standard/references/clean-code-standard.md - 规范的整洁代码规则()用于引用
CC-*
模板
- assets/nodejs/template-nodejs-prisma-postgres.md - Node.js + Prisma + PostgreSQL
- assets/go/template-go-fiber-gorm.md - Go + Fiber + GORM + PostgreSQL
- assets/rust/template-rust-axum-seaorm.md - Rust + Axum + SeaORM + PostgreSQL
- assets/python/template-python-fastapi-sqlalchemy.md - Python + FastAPI + SQLAlchemy + PostgreSQL
相关技能
- ../software-architecture-design/SKILL.md - 系统拆分、SLA、数据流
- ../software-security-appsec/SKILL.md - 身份认证/授权、安全API设计
- ../ops-devops-platform/SKILL.md - CI/CD、基础设施、部署安全
- ../qa-resilience/SKILL.md - 韧性、重试、故障手册
- ../software-code-review/SKILL.md - 后端变更的评审检查清单和标准
- ../qa-testing-strategy/SKILL.md - 测试策略、测试金字塔、覆盖率目标
- ../dev-api-design/SKILL.md - RESTful设计、GraphQL、API版本化模式
- ../data-sql-optimization/SKILL.md - SQL优化、索引、查询调优模式
Freshness Protocol
新鲜度协议
When users ask version-sensitive recommendation questions, do a quick freshness check before asserting "best" choices or quoting versions.
当用户询问版本敏感的推荐问题时,在断言“最佳”选择或引用版本前,先进行快速新鲜度检查。
Trigger Conditions
触发条件
- "What's the best backend framework for [use case]?"
- "What should I use for [API design/auth/database]?"
- "What's the latest in Node.js/Go/Rust?"
- "Current best practices for [REST/GraphQL/tRPC]?"
- "Is [framework/runtime] still relevant in 2026?"
- "[Express] vs [Fastify] vs [Hono]?"
- "Best ORM for [database/use case]?"
- “[场景]的最佳后端框架是什么?”
- “[API设计/认证/数据库]应该用什么?”
- “Node.js/Go/Rust的最新动态是什么?”
- “[REST/GraphQL/tRPC]的当前最佳实践是什么?”
- “[框架/运行时]在2026年还适用吗?”
- “[Express] vs [Fastify] vs [Hono]?”
- “[数据库/场景]的最佳ORM是什么?”
How to Freshness-Check
新鲜度检查方法
- Start from (official docs, release notes, support policies).
data/sources.json - Run a targeted web search for the specific component and open release notes/support policy pages.
- Prefer official sources over blogs for versions and support windows.
- 从开始(官方文档、发布说明、支持政策)。
data/sources.json - 针对特定组件进行定向网络搜索,查看发布说明/支持政策页面。
- 版本和支持窗口优先参考官方来源而非博客。
What to Report
需报告的内容
- Current landscape: what is stable and widely used now
- Emerging trends: what is gaining traction (and why)
- Deprecated/declining: what is falling out of favor (and why)
- Recommendation: default choice + 1-2 alternatives, with trade-offs
- 当前格局:目前稳定且广泛使用的技术
- 新兴趋势:正在获得关注的技术(及原因)
- 已弃用/衰退:逐渐被淘汰的技术(及原因)
- 推荐:默认选择 + 1-2个替代方案,包含权衡点
Example Topics (verify with fresh search)
示例主题(需通过新鲜搜索验证)
- Node.js LTS support window and major changes
- Bun vs Deno vs Node.js
- Hono, Elysia, and edge-first frameworks
- Drizzle vs Prisma for TypeScript
- tRPC and end-to-end type safety
- Edge computing and serverless patterns
- Node.js LTS支持窗口和重大变更
- Bun vs Deno vs Node.js
- Hono、Elysia和边缘优先框架
- TypeScript的Drizzle vs Prisma
- tRPC和端到端类型安全
- 边缘计算和无服务器模式
Operational Playbooks
运营手册
- references/operational-playbook.md - Full backend architecture patterns, checklists, TypeScript notes, and decision tables
- references/operational-playbook.md - 完整的后端架构模式、检查清单、TypeScript说明和决策表