Cleanly

Production-grade backend skills for AI agents

AI agents write code that works on the happy path. Production needs code that handles the unhappy path — malformed input, timeouts, race conditions, missing auth, N+1 queries. Cleanly teaches agents to write backend code that survives contact with real users.

14 Skills
7 Reference Docs
0 Happy-path-only code
Get Started View Skills
Works with
Cursor Claude Code Gemini CLI Codex CLI VS Code Copilot
Without Cleanly 
// "It works on my machine"
app.post('/users', async (req, res) => {
  const user = await db.create(req.body);
  res.json(user);
});
No input validation No error handling No auth check No status code
With Cleanly 
app.post('/users',
  authenticate,
  validate(createUserSchema),
  rateLimit({ max: 10, window: '1m' }),
  async (req, res) => {
    const user = await userService
      .create(req.validatedBody);
    res.status(201).json({
      data: serialize(user),
      requestId: req.id
    });
});
01

The Problem

AI-generated backend code has predictable failure modes. Cleanly detects and prevents all of them.

Happy-Path-Only

No error handling on external calls. No timeouts. No retry logic. No validation. No thought about what happens when things fail.

🛡

Security Negligence

Secrets in code. String concatenation for SQL. No auth checks. No rate limiting. Rolling custom crypto instead of using libraries.

Over-Abstraction

AbstractServiceManagerProviderFactory. Generic CRUD wrappers. Repository pattern wrapping an ORM that already IS a repository.

📈

Data Access Sins

N+1 queries inside loops. SELECT * everywhere. No pagination. Missing indexes. ORM .save() in a loop instead of bulk operations.

👁

Observability Theater

console.log as the logging strategy. No structured logging. No correlation IDs. No metrics. Logging passwords and PII.

🚧

Structural Smells

God endpoints doing 15 things. Business logic in route handlers. Validation, logic, persistence, and HTTP mixed in one function.

02

The Skills

14 skills organized by concern. Each one tackles a specific dimension of backend quality.

Write

/backend-design

Write production-grade code with error handling, security, performance, and observability baked in.

Harden

/secure-backend

OWASP Top 10, dependency audit, secrets scanning, auth hardening, injection prevention.

/harden-backend

Input validation, auth checks, rate limiting, error boundaries, defensive patterns.

Optimize

/optimize-backend

Detect N+1 queries, improve caching, tune connection pools, reduce latency.

/scale-backend

Identify scalability bottlenecks and assess horizontal scaling readiness.

Observe

/observe-backend

Structured logging, metrics, distributed tracing, health checks, alerting rules.

/audit-backend

Read-only audit across security, performance, reliability, and observability.

Quality

/test-backend

Identify test gaps, design strategies, generate scaffolding for unit and integration tests.

/polish-backend

Consistent naming, remove dead code, align patterns, improve readability.

/extract-backend

Extract shared services, middleware, utilities from duplicated code.

Operate

/migrate-backend

Review migrations for zero-downtime safety, reversibility, data preservation.

Understand

/explain-backend

Mermaid diagrams, annotated code, plain-language walkthroughs of architecture and flows.

/document-backend

Generate API docs, OpenAPI specs, README files, inline documentation.

/teach-backend

One-time setup to gather your stack, conventions, and infrastructure context.

03

Core Principles

01

Fail Explicitly, Recover Gracefully

Errors are data, not exceptions to hide. Return meaningful responses. Use circuit breakers. Serve stale cache when upstream fails.

02

Validate at the Boundary, Trust Internally

Validate ALL external input at the entry point. Internal function calls between trusted modules should not re-validate.

03

Design for Observability from Day One

Structured logging. Correlation IDs. Business metrics. Distributed tracing. If you can't observe it, you can't debug it.

04

Concurrency Is Not Optional

Race conditions happen in production. Use optimistic locking. Implement idempotency keys. Use atomic operations.

05

Keep It Boring

Prefer battle-tested patterns over clever abstractions. A straightforward if/else beats a monad chain. Optimize for the reader.

06

Optimize for the Read Path

Most systems are read-heavy. Cache aggressively. Denormalize strategically. But always measure before optimizing.

04

Install

One command. Every provider.

install
All tools
$ npx skills add S4M3R/cleanly
Auto-detects your AI harness and installs to the right location
Claude Code
$ /install-skills S4M3R/cleanly
Install directly from Claude Code
Works with
Cursor Cursor
Claude Code Claude Code
Gemini CLI Gemini CLI
Codex CLI Codex CLI
VS Code Copilot Copilot
05

FAQ

What languages/frameworks does this work with?

Cleanly is language and framework agnostic. The skills teach patterns and principles that apply to Node.js, Python, Go, Rust, Java, and any backend stack. The agent adapts the guidance to whatever you're building with.

Will this slow down my AI agent?

No. Skills use progressive disclosure — only ~100 tokens load at startup for metadata. The full skill content loads only when the agent decides it's relevant to your task. Reference docs load on demand.

Do I need all 14 skills?

Install the full set. Skills are activated automatically based on what you're doing — if you're writing an endpoint, backend-design activates. If you're reviewing security, secure-backend kicks in. You don't manage them manually.

How is this different from just prompting "write production code"?

Prompts are vague and inconsistent. Skills provide structured, comprehensive checklists that the agent follows every time. It's the difference between "be careful" and a 50-point safety inspection.