Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

popup-studio-ai/phase-4-api

Name: phase-4-api
Author: popup-studio-ai

skills/phase-4-api/SKILL.md

npx skillsauth add popup-studio-ai/bkit-claude-code phase-4-api

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Phase 4: API Design/Implementation + Zero Script QA

Backend API implementation and script-free QA

Purpose

Implement backend APIs that can store and retrieve data. Validate with structured logs instead of test scripts.

What to Do in This Phase

API Design: Define endpoints, requests/responses
API Implementation: Write actual backend code
Zero Script QA: Log-based validation

Deliverables

docs/02-design/
└── api-spec.md             # API specification

src/api/                    # API implementation
├── routes/
├── controllers/
└── services/

docs/03-analysis/
└── api-qa.md               # QA results

PDCA Application

Plan: Define required API list
Design: Design endpoints, requests/responses
Do: Implement APIs
Check: Validate with Zero Script QA
Act: Fix bugs and proceed to Phase 5

Level-wise Application

| Level | Application Method | |-------|-------------------| | Starter | Skip this Phase (no API) | | Dynamic | Use bkend.ai BaaS (see below) | | Enterprise | Implement APIs directly |

Dynamic Level: bkend.ai BaaS API Implementation

Step 1: MCP Setup

claude mcp add bkend --transport http https://api.bkend.ai/mcp

Step 2: Table Design (via MCP tools)

Natural language request: "Create a users table with name(required), email(required, unique), age fields" -> MCP backend_table_create auto-invoked

Step 3: Service API Integration

| Method | Endpoint | Description | |--------|----------|-------------| | GET | /v1/data/{table} | List (filter, sort, page) | | POST | /v1/data/{table} | Create data | | GET | /v1/data/{table}/{id} | Get single | | PATCH | /v1/data/{table}/{id} | Partial update | | DELETE | /v1/data/{table}/{id} | Delete |

Required Headers: x-project-id, x-environment, Authorization

Step 4: Auth Implementation

Reference MCP tools 3_howto_implement_auth and 6_code_examples_auth

Step 5: Zero Script QA

Check bkend REST API call logs in browser DevTools Network tab
Verify API behavior via response code/body

What is Zero Script QA?

Instead of writing test scripts, validate with structured debug logs

[API] POST /api/users
[INPUT] { "email": "[email protected]", "name": "Test" }
[PROCESS] Email duplicate check → Passed
[PROCESS] Password hash → Complete
[PROCESS] DB save → Success
[OUTPUT] { "id": 1, "email": "[email protected]" }
[RESULT] ✅ Success

Advantages:
- Save test code writing time
- See actual behavior with your eyes
- Easy debugging

RESTful API Principles

What is REST?

REpresentational State Transfer - an architecture style for designing web services.

6 Core Principles

| Principle | Description | Example | |-----------|-------------|---------| | 1. Client-Server | Separation of concerns between client and server | UI ↔ Data storage separated | | 2. Stateless | Each request is independent, server doesn't store client state | Auth token included with each request | | 3. Cacheable | Responses must indicate if cacheable | Cache-Control header | | 4. Uniform Interface | Interact through consistent interface | Detailed below | | 5. Layered System | Allow layered system architecture | Load balancer, proxy | | 6. Code on Demand | (Optional) Server can send code to client | JavaScript delivery |

Uniform Interface Details

The core of RESTful APIs is a uniform interface.

1. Resource-Based URLs

✅ Good (nouns, plural)
GET    /users          # User list
GET    /users/123      # Specific user
POST   /users          # Create user
PUT    /users/123      # Update user
DELETE /users/123      # Delete user

❌ Bad (using verbs)
GET    /getUsers
POST   /createUser
POST   /deleteUser/123

2. HTTP Method Meanings

| Method | Purpose | Idempotent | Safe | |--------|---------|:----------:|:----:| | GET | Read | ✅ | ✅ | | POST | Create | ❌ | ❌ | | PUT | Full update | ✅ | ❌ | | PATCH | Partial update | ❌ | ❌ | | DELETE | Delete | ✅ | ❌ |

Idempotent: Same result even if requested multiple times Safe: Doesn't change server state

3. HTTP Status Codes

2xx Success
├── 200 OK              # Success (read, update)
├── 201 Created         # Creation success
└── 204 No Content      # Success but no response body (delete)

4xx Client Error
├── 400 Bad Request     # Invalid request (validation failure)
├── 401 Unauthorized    # Authentication required
├── 403 Forbidden       # No permission
├── 404 Not Found       # Resource not found
└── 409 Conflict        # Conflict (duplicate, etc.)

5xx Server Error
├── 500 Internal Error  # Internal server error
└── 503 Service Unavailable  # Service unavailable

4. Consistent Response Format

// Success response
{
  "data": {
    "id": 123,
    "email": "[email protected]",
    "name": "John Doe"
  },
  "meta": {
    "timestamp": "2026-01-08T10:00:00Z"
  }
}

// Error response
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Email format is invalid.",
    "details": [
      { "field": "email", "message": "Please enter a valid email" }
    ]
  }
}

// List response (pagination)
{
  "data": [...],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 100,
    "totalPages": 5
  }
}

URL Design Rules

1. Use lowercase
   ✅ /users/123/orders
   ❌ /Users/123/Orders

2. Use hyphens (-), avoid underscores (_)
   ✅ /user-profiles
   ❌ /user_profiles

3. Express hierarchical relationships
   ✅ /users/123/orders/456

4. Filtering via query parameters
   ✅ /users?status=active&sort=created_at
   ❌ /users/active/sort/created_at

5. Version management
   ✅ /api/v1/users
   ✅ Header: Accept: application/vnd.api+json;version=1

API Documentation Tools

| Tool | Features | |------|----------| | OpenAPI (Swagger) | Industry standard, auto documentation | | Postman | Testing + documentation | | Insomnia | Lightweight API client |

API Design Checklist

[ ] RESTful Principles Compliance
- [ ] Resource-based URLs (nouns, plural)
- [ ] Appropriate HTTP methods
- [ ] Correct status codes
[ ] Unified error response format
[ ] Authentication/authorization method defined
[ ] Pagination method defined
[ ] Versioning method (optional)

Templates

templates/pipeline/phase-4-api.template.md
templates/pipeline/zero-script-qa.template.md

Next Phase

Phase 5: Design System → APIs are ready, now build UI components

popup-studio-ai/phase-4-api

skills/phase-4-api/SKILL.md

Design and implement backend APIs with Zero Script QA validation. Triggers: API design, REST API, backend, endpoint, 백엔드 API, API 설계.

535 stars

development

Updated May 9, 2026

$ install --global

skillsauth

npx skillsauth add popup-studio-ai/bkit-claude-code phase-4-api

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 9, 2026, 7:24 AM123.4s1 file scanned

SKILL.md

name:: phase-4-api
context:: fork
classification:: capability
classification-reason:: Pattern guidance may overlap with model's built-in knowledge as it improves
deprecation-risk:: medium
effort:: high
user-invocable:: false
description:: |
Triggers:: API design, REST API, backend, endpoint, 백엔드 API, API 설계.
agent:: bkit:qa-monitor
next-skill:: phase-5-design-system
pdca-phase:: do
task-template:: [Phase-4] {feature}

Phase 4: API Design/Implementation + Zero Script QA

Backend API implementation and script-free QA

Purpose

Implement backend APIs that can store and retrieve data. Validate with structured logs instead of test scripts.

What to Do in This Phase

API Design: Define endpoints, requests/responses
API Implementation: Write actual backend code
Zero Script QA: Log-based validation

Deliverables

docs/02-design/
└── api-spec.md             # API specification

src/api/                    # API implementation
├── routes/
├── controllers/
└── services/

docs/03-analysis/
└── api-qa.md               # QA results

PDCA Application

Plan: Define required API list
Design: Design endpoints, requests/responses
Do: Implement APIs
Check: Validate with Zero Script QA
Act: Fix bugs and proceed to Phase 5

Level-wise Application

| Level | Application Method | |-------|-------------------| | Starter | Skip this Phase (no API) | | Dynamic | Use bkend.ai BaaS (see below) | | Enterprise | Implement APIs directly |

Dynamic Level: bkend.ai BaaS API Implementation

Step 1: MCP Setup

claude mcp add bkend --transport http https://api.bkend.ai/mcp

Step 2: Table Design (via MCP tools)

Natural language request: "Create a users table with name(required), email(required, unique), age fields" -> MCP backend_table_create auto-invoked

Step 3: Service API Integration

Required Headers: x-project-id, x-environment, Authorization

Step 4: Auth Implementation

Reference MCP tools 3_howto_implement_auth and 6_code_examples_auth

Step 5: Zero Script QA

Check bkend REST API call logs in browser DevTools Network tab
Verify API behavior via response code/body

What is Zero Script QA?

Instead of writing test scripts, validate with structured debug logs

[API] POST /api/users
[INPUT] { "email": "[email protected]", "name": "Test" }
[PROCESS] Email duplicate check → Passed
[PROCESS] Password hash → Complete
[PROCESS] DB save → Success
[OUTPUT] { "id": 1, "email": "[email protected]" }
[RESULT] ✅ Success

Advantages:
- Save test code writing time
- See actual behavior with your eyes
- Easy debugging

RESTful API Principles

What is REST?

REpresentational State Transfer - an architecture style for designing web services.

6 Core Principles

Uniform Interface Details

The core of RESTful APIs is a uniform interface.

1. Resource-Based URLs

✅ Good (nouns, plural)
GET    /users          # User list
GET    /users/123      # Specific user
POST   /users          # Create user
PUT    /users/123      # Update user
DELETE /users/123      # Delete user

❌ Bad (using verbs)
GET    /getUsers
POST   /createUser
POST   /deleteUser/123

2. HTTP Method Meanings

Idempotent: Same result even if requested multiple times Safe: Doesn't change server state

3. HTTP Status Codes

2xx Success
├── 200 OK              # Success (read, update)
├── 201 Created         # Creation success
└── 204 No Content      # Success but no response body (delete)

4xx Client Error
├── 400 Bad Request     # Invalid request (validation failure)
├── 401 Unauthorized    # Authentication required
├── 403 Forbidden       # No permission
├── 404 Not Found       # Resource not found
└── 409 Conflict        # Conflict (duplicate, etc.)

5xx Server Error
├── 500 Internal Error  # Internal server error
└── 503 Service Unavailable  # Service unavailable

4. Consistent Response Format

// Success response
{
  "data": {
    "id": 123,
    "email": "[email protected]",
    "name": "John Doe"
  },
  "meta": {
    "timestamp": "2026-01-08T10:00:00Z"
  }
}

// Error response
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Email format is invalid.",
    "details": [
      { "field": "email", "message": "Please enter a valid email" }
    ]
  }
}

// List response (pagination)
{
  "data": [...],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 100,
    "totalPages": 5
  }
}

URL Design Rules

1. Use lowercase
   ✅ /users/123/orders
   ❌ /Users/123/Orders

2. Use hyphens (-), avoid underscores (_)
   ✅ /user-profiles
   ❌ /user_profiles

3. Express hierarchical relationships
   ✅ /users/123/orders/456

4. Filtering via query parameters
   ✅ /users?status=active&sort=created_at
   ❌ /users/active/sort/created_at

5. Version management
   ✅ /api/v1/users
   ✅ Header: Accept: application/vnd.api+json;version=1

API Documentation Tools

| Tool | Features | |------|----------| | OpenAPI (Swagger) | Industry standard, auto documentation | | Postman | Testing + documentation | | Insomnia | Lightweight API client |

API Design Checklist

[ ] RESTful Principles Compliance
- [ ] Resource-based URLs (nouns, plural)
- [ ] Appropriate HTTP methods
- [ ] Correct status codes
[ ] Unified error response format
[ ] Authentication/authorization method defined
[ ] Pagination method defined
[ ] Versioning method (optional)

Templates

templates/pipeline/phase-4-api.template.md
templates/pipeline/zero-script-qa.template.md

Next Phase

Phase 5: Design System → APIs are ready, now build UI components

Related Skills

popup-studio-ai/sprint

testing

VerifiedTrustedCommunity

Sprint Management — generic sprint capability for ANY bkit user. 16 sub-actions: init, start, status, watch, phase, iterate, qa, report, archive, list, feature, pause, resume, fork, help, master-plan. Triggers: sprint, sprint start, sprint init, sprint status, sprint list, 스프린트, 스프린트 시작, 스프린트 상태, スプリント, スプリント開始, スプリント状態, 冲刺, 冲刺开始, 冲刺状态, sprint, iniciar sprint, estado sprint, sprint, demarrer sprint, statut sprint, Sprint, Sprint starten, Sprint Status, sprint, avviare sprint, stato sprint, master plan, multi-sprint plan, sprint master plan, 마스터 플랜, 멀티 스프린트 계획, 스프린트 마스터 플랜, マスタープラン, マルチスプリント計画, スプリントマスタープラン, 主计划, 多冲刺计划, 冲刺主计划, plan maestro, plan multi-sprint, plan maestro sprint, plan maître, plan multi-sprint, plan maître sprint, Masterplan, Multi-Sprint-Plan, Sprint-Masterplan, piano principale, piano multi-sprint, piano principale sprint.

548SKILL.mdUpdated May 13, 2026

popup-studio-ai/sprint

popup-studio-ai/cc-version-analysis

tools

VerifiedTrustedCommunity

CC CLI version upgrade impact analysis — research changes, analyze bkit impact, generate report. Triggers: cc-version-analysis, CC upgrade, version analysis, CC 버전 분석, 버전 영향.

545SKILL.mdUpdated Apr 18, 2026

popup-studio-ai/cc-version-analysis

popup-studio-ai/rollback

testing

VerifiedTrustedCommunity

Manage PDCA checkpoints and rollback — create, list, restore for safe recovery. Rollback events are recorded via lib/audit/audit-logger ACTION_TYPES.rollback_executed. For sprint-level recovery, individual feature rollbacks may be triggered from within sprint phases (sprint itself is forward-only — terminal state is `archived`, not rolled back; v2.1.13). Triggers: rollback, checkpoint, restore, undo, 롤백, 체크포인트, 복원.

539SKILL.mdUpdated Apr 18, 2026

popup-studio-ai/rollback

popup-studio-ai/qa-phase

testing

VerifiedTrustedCommunity

QA Phase execution — L1-L5 test planning, generation, execution, and reporting for a single feature. For sprint-level QA (7-Layer dataFlowIntegrity / S1 gate across multiple features) use /sprint qa <sprintId> which delegates to sprint-qa-flow agent (v2.1.13). Triggers: qa phase, QA test, qa run, QA 실행, QAフェーズ, QA阶段, fase QA, phase QA, QA-Phase, fase QA.

539SKILL.mdUpdated Apr 18, 2026

popup-studio-ai/qa-phase

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/popup-studio-ai/bkit-claude-code.git

# Copy into Claude Code skills folder (global)
cp -r bkit-claude-code/skills/phase-4-api ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

popup-studio-ai/bkit-claude-code

535 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT