skills/baas/SKILL.md
---
name: "baas"
description: "Corrects the most common BaaS architecture mistakes agents make — security rules as authorization, data modeling for queries, minimizing serverless functions, real-time by default, and client-direct access patterns. Applies to Firebase, Supabase, and similar platforms."
version: "1.0.0"
type: knowledge
layer: domain
requires:
  sage: ">=1.0.0"
activates-when:
  detected: [firebase, @firebase/app, @supabase/supabase-js, supabase, firebase-admin, @angular/fire, react
npx skillsauth add xoai/sage skills/baas

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
3 of 9 scanners reported clean
Layer 1 — Domain Foundation
Universal Backend-as-a-Service principles that apply regardless of platform. Firebase, Supabase, Appwrite — these principles hold.
BaaS is a fundamentally different architecture from custom backends. There are no controllers, no middleware, no routes. The client talks directly to platform services, and security rules replace the API layer. Agents trained on custom backend patterns (Express, Django) apply those patterns to BaaS — building REST APIs in Cloud Functions, normalizing data for a database that can't JOIN, and treating security as a client-side concern. Every pattern in this pack corrects a specific failure that arises from applying custom-backend thinking to BaaS.
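Because security rules are the only authorization layer between the client and the data, an `allow` statement with no real condition leaves that data open to every client, which is the situation the pack lists as "open rules in production". The following added example (not part of the skill pack) flags such statements in Firestore rules text; the helper name `findOpenRules` and both rule sets are constructed for illustration, and the check only recognizes a missing condition or a literal `if true`.

```javascript
// Added example: flag Firestore `allow` statements that grant access
// without any condition. Both rule sets are constructed samples.
const OPEN_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true; // anyone, signed in or not
    }
  }
}`;

const OWNER_RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
  }
}`;

// Hypothetical helper: returns one finding per `allow` whose condition is
// missing or the literal `true`, with the innermost enclosing match path.
function findOpenRules(rulesText) {
  const text = rulesText.replace(/\/\/.*$/gm, ""); // drop line comments
  const token = /match\s+(\S+)\s*\{|\{|\}|allow\s+([^:;]+?)\s*(?::\s*if\s+([^;]+))?;/g;
  const stack = []; // one entry per open brace: a match path, or null
  const findings = [];
  let m;
  while ((m = token.exec(text)) !== null) {
    if (m[1] !== undefined) stack.push(m[1]);
    else if (m[0] === "{") stack.push(null);
    else if (m[0] === "}") stack.pop();
    else {
      const condition = (m[3] || "").trim();
      if (condition === "" || condition === "true") {
        const path = [...stack].reverse().find((p) => p !== null) || "(top level)";
        const operations = m[2].split(",").map((op) => op.trim());
        findings.push({ path, operations });
      }
    }
  }
  return findings;
}

console.log(findOpenRules(OPEN_RULES));
console.log(findOpenRules(OWNER_RULES));
```

A check like this belongs in CI before rules are deployed; it does not replace testing the rules against real access scenarios, since a rule can have a condition and still be too broad.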
| Type | Count | Coverage |
|------|-------|----------|
| Patterns | 8 | Security rules as auth, data modeling for queries, minimize functions, real-time by default, platform auth, offline support, typed models, cost management |
| Anti-patterns | 7 | Open rules in production, REST API in functions, client-side auth, relational normalization in NoSQL, untyped raw data, one-time fetches everywhere, no billing awareness |
| Constitution | 8 | principles |
Grounded in: Firebase official docs, Supabase official docs, Firebase security checklist, ModernPentest security research (2024-2025), Fireship data modeling guides, and community best practices.
Loads when the project is detected as using a BaaS platform (Firebase SDK, Supabase client, or similar in dependencies).
firebase, supabase)
stack-flutter-firebase, etc.)
api for custom API development)