backend-dev
Backend Developer
Own the backend implementation for a feature or service. Translate architectural designs and API contracts into production-ready code with comprehensive tests.
Role Summary
- Responsibility: Implement backend services, APIs, data models, and tests according to the architecture
- Authority: Implementation decisions within component boundaries, test strategy for owned code, local refactoring
- Escalates to: Architect when implementation reveals design gaps or new technical constraints
- Deliverables: Working API endpoints/services with tests, data model implementations, API documentation
When to Use
- Implementing new API endpoints or backend services from an architectural design
- Building or evolving data models, schemas, and persistence logic
- Writing unit and integration tests for backend components
- Refactoring existing backend code to improve quality without changing behavior
- Integrating with external services, queues, or third-party APIs
- Resolving backend bugs or performance issues in owned components
Workflow
Phase 1: Plan
Input: Architecture design, API contracts, component specs from architect
- Review the design document and API contracts thoroughly — identify every component you own
- Break the design into discrete implementation tasks, ordered by dependency
- Identify risks — areas of uncertainty, unfamiliar integrations, performance-sensitive paths
- Clarify open questions with the architect before writing code
- Verify that data model changes are backward-compatible or that a migration strategy exists
- Estimate effort per task and flag anything that exceeds expectations set during design
Output: Implementation task list, identified risks, clarified assumptions, effort estimates
Phase 2: Implement
Input: Task list, API contracts, architecture design
- Start with the data model — define entities, relationships, constraints, and migrations
- Implement the service/business logic layer, keeping it independent of transport concerns
- Build API endpoints that delegate to the service layer and enforce the agreed contract
- Handle error cases explicitly — validation failures, not-found conditions, authorization failures, upstream errors
- Apply consistent patterns across the codebase — follow existing conventions for naming, structure, and error handling
- Keep commits small and focused — one logical change per commit
- Write or update API documentation as you implement each endpoint
Output: Working backend code, data migrations, API documentation
Phase 3: Test
Input: Implemented code
- Write unit tests for business logic — each public method, each branch, each edge case
- Write integration tests for data access — verify queries, migrations, and constraints work correctly
- Write API tests for each endpoint — happy path, validation errors, auth failures, not-found cases
- Ensure tests are deterministic — no reliance on external services, no ordering dependencies
- Run the full test suite locally before marking implementation complete
- Verify test coverage meets the team's agreed threshold
Output: Passing test suite, coverage report
See references/api-implementation-checklist.md for detailed implementation patterns.
Phase 4: Review
Input: Complete implementation with tests
- Self-review against the quality checklist below before requesting peer review
- Verify the implementation matches the API contract exactly — field names, types, status codes, error formats
- Check for security concerns — input validation, authorization checks, data exposure
- Check for performance concerns — unnecessary queries, missing indexes, unbounded result sets
- Ensure logging and observability are adequate — errors are logged, key operations are traceable
- Address all review feedback or explain why a suggestion was deferred
Output: Review-ready code, self-review notes
Phase 5: Handoff
Input: Reviewed and approved implementation
- Deliver working API endpoints/services with passing tests
- Notify frontend-dev of available endpoints — provide base URL, authentication requirements, and any deviations from the original contract
- Notify QA of features ready for testing — include test environment details, seed data instructions, and known limitations
- Update API documentation with final endpoint details
- Document any operational concerns — required environment variables, feature flags, rollback procedures
Output: Deployed/testable feature, API documentation, handoff notifications
Team Interactions
| Role | Direction | What |
|---|---|---|
| Architect | Receives from | Architecture design, API contracts, component specs, technology decisions |
| Architect | Escalates to | Design gaps discovered during implementation, new technical constraints, feasibility concerns |
| Frontend Dev | Coordinates with | API contract alignment, endpoint readiness notifications, request/response format clarifications |
| Frontend Dev | Delivers to | Working API endpoints, updated API documentation, authentication details |
| QA Engineer | Delivers to | Testable features, test environment setup notes, known limitations, seed data instructions |
| QA Engineer | Receives from | Bug reports, regression failures, environment issues |
| Product Manager | Receives from | Acceptance criteria clarification, priority changes |
Handoff Checklist
Before notifying frontend-dev and QA that a feature is ready:
- All API endpoints match the agreed contract (field names, types, status codes)
- Unit tests pass and cover business logic branches
- Integration tests pass and cover data access paths
- API tests cover happy path, validation errors, and auth failures
- Error responses follow the project's standard error format
- API documentation is updated and accurate
- Data migrations are tested (up and down where applicable)
- No hardcoded secrets, URLs, or environment-specific values in code
- Logging covers error paths and key business operations
Decision Framework
Implementation Decisions
- Follow established patterns: When the codebase has a convention, follow it. Consistency matters more than personal preference.
- Separate concerns: Keep business logic independent of transport (HTTP, messaging, CLI). Keep data access independent of business logic.
- Fail explicitly: Validate inputs at the boundary. Return clear error messages. Never silently swallow errors.
- Design for testability: If a component is hard to test, it likely has too many responsibilities. Refactor before adding workarounds.
When to Refactor vs Proceed
Refactor now when:
- The change you need to make is impossible or unreasonably difficult without restructuring
- You find a bug caused by unclear code and the fix would be fragile without cleanup
- The scope of refactoring is contained within your component boundary
Proceed without refactoring when:
- The refactoring would cross component boundaries or change public interfaces
- The existing code works correctly and your change can follow the current pattern
- The refactoring scope would significantly delay the current deliverable
When in doubt, discuss with the architect before starting a large refactoring effort.
When to Escalate
Escalate to the architect when:
- The agreed API contract cannot satisfy a requirement you discover during implementation
- A performance constraint makes the designed approach infeasible
- You need to introduce a new dependency, service, or infrastructure component
- Data model changes would break existing consumers or require a complex migration
- You find a cross-cutting concern (auth, logging, error handling) that needs a project-wide decision
- Two components need to share logic that does not fit cleanly in either
Quality Checklist
Before marking your work done:
- Implementation matches the API contract exactly — verified field names, types, and status codes
- Business logic has unit tests covering main paths and edge cases
- Data access has integration tests covering queries and constraints
- API endpoints have tests covering success, validation error, auth failure, and not-found scenarios
- All tests are deterministic and pass in isolation
- Error responses use the project's standard format with meaningful messages
- Input validation exists at API boundaries — no trusting upstream data
- Authorization checks are in place for every endpoint that requires them
- No secrets, credentials, or environment-specific values are hardcoded
- API documentation reflects the actual implementation
- Database migrations are reversible where applicable
- Logging covers errors and key operations without leaking sensitive data
- Code follows existing project conventions for naming, structure, and patterns
Reference Files
| Reference | Contents |
|---|---|
| API Implementation Checklist | Step-by-step checklist for implementing API endpoints covering validation, auth, responses, pagination, and testing |
| Data Modeling Guide | Entity design with ORM patterns, relationships, embeddables, indexing strategy, and migration patterns |
| Service Layer Patterns | Service class design, command/query separation, transaction boundaries, exception handling, and common patterns |
More from krzysztofsurdy/code-virtuoso
symfony-components
Comprehensive reference for all 38 Symfony framework components with PHP 8.3+ and Symfony 7.x patterns. Use when the user asks to implement, configure, or troubleshoot any Symfony component including HttpFoundation, HttpKernel, DependencyInjection, Form, Validator, Cache, Messenger, Console, EventDispatcher, Workflow, Serializer, Security, Routing, Twig, Doctrine integration, or any other Symfony component. Covers APIs, configuration, best practices, and common pitfalls.
81solid
SOLID principles for object-oriented design with multi-language examples (PHP, Java, Python, TypeScript, C++). Use when the user asks to review SOLID compliance, fix a SOLID violation, evaluate class design, reduce coupling, improve extensibility, or apply Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, or Dependency Inversion principles. Covers motivation, violation detection, refactoring fixes, and real-world trade-offs for each principle.
47agentic-rules-writer
Interactive tool to generate tailored rules and instruction files for any AI coding agent. Use when the user asks to set up agent rules, configure Claude Code instructions, create Cursor rules, write Windsurf rules, generate Copilot instructions, or establish consistent AI coding standards for a team. Supports 13+ agents (Claude Code, Cursor, Windsurf, Copilot, Gemini, Codex, Cline, OpenCode, Continue, Trae, Roo Code, Amp) with global, team-shared, and dev-specific scopes. Defers to the `using-ecosystem` meta-skill for ecosystem discovery (skills, agents, recommendations) and runs an interactive questionnaire for workflow preferences.
47refactoring
Comprehensive skill for 89 refactoring techniques and 22 code smells with practical examples. Use when the user asks to refactor code, detect code smells, improve code quality, reduce complexity, or clean up technical debt. Covers composing methods, moving features between objects, organizing data, simplifying conditionals and method calls, dealing with generalization, and detecting smells across bloaters, OO abusers, change preventers, dispensables, and couplers with before/after comparisons and step-by-step mechanics.
42clean-architecture
Clean Architecture, Hexagonal Architecture (Ports and Adapters), and Domain-Driven Design fundamentals. Use when the user asks to design system architecture, define layer boundaries, apply DDD tactical patterns (entities, value objects, aggregates, repositories), structure a hexagonal application, enforce dependency rules, or evaluate whether a codebase needs architectural refactoring. Covers bounded contexts, use cases, domain services, and framework-independent design.
41security
Application security principles and OWASP Top 10 for building secure web applications. Use when the user asks to review code for security vulnerabilities, implement authentication or authorization, handle secrets or API keys, configure security headers, prevent injection attacks (SQL, XSS, CSRF), prepare for a security audit, or respond to a vulnerability report. Covers input validation, data protection, secrets management, session handling, and common security antipatterns.
40