xoai/tools/sage-claude-plugin/skills/baas
tools/sage-claude-plugin/skills/baas/SKILL.md
--- name: "baas" description: "Corrects the most common BaaS architecture mistakes agents make — security rules as authorization, data modeling for queries, minimizing serverless functions, real-time by default, and client-direct access patterns. Applies to Firebase, Supabase, and similar platforms." version: "1.0.0" type: knowledge layer: domain requires: sage: ">=1.0.0" activates-when: detected: [firebase, @firebase/app, @supabase/supabase-js, supabase, firebase-admin, @angular/fire, react
$ install --global
skillsauthnpx skillsauth add xoai/sage tools/sage-claude-plugin/skills/baasInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 2:13 PM163.8s1 file scanned
SKILL.md
- name:
- baas
- description:
- Corrects the most common BaaS architecture mistakes agents make — security rules as authorization, data modeling for queries, minimizing serverless functions, real-time by default, and client-direct access patterns. Applies to Firebase, Supabase, and similar platforms.
- version:
- 1.0.0
- type:
- knowledge
- layer:
- domain
- sage:
- >=1.0.0
- detected:
- [firebase, @firebase/app, @supabase/supabase-js, supabase, firebase-admin, @angular/fire, reactfire, flutterfire]
- tags:
- [firebase,@firebase/app,@supabase/supabase-js,supabase,firebase-admin]
baas
Layer 1 — Domain Foundation
Universal Backend-as-a-Service principles that apply regardless of platform. Firebase, Supabase, Appwrite — these principles hold.
Philosophy
BaaS is a fundamentally different architecture from custom backends. There are no controllers, no middleware, no routes. The client talks directly to platform services, and security rules replace the API layer. Agents trained on custom backend patterns (Express, Django) apply those patterns to BaaS — building REST APIs in Cloud Functions, normalizing data for a database that can't JOIN, and treating security as a client-side concern. Every pattern in this pack corrects a specific failure that arises from applying custom-backend thinking to BaaS.
What's Included
| Type | Count | Coverage | |------|-------|----------| | Patterns | 8 | Security rules as auth, data modeling for queries, minimize functions, real-time by default, platform auth, offline support, typed models, cost management | | Anti-patterns | 7 | Open rules in production, REST API in functions, client-side auth, relational normalization in NoSQL, untyped raw data, one-time fetches everywhere, no billing awareness | | Constitution | 8 | principles |
Grounded in: Firebase official docs, Supabase official docs, Firebase security checklist, ModernPentest security research (2024-2025), Fireship data modeling guides, and community best practices.
Activation
Loads when the project is detected as using a BaaS platform (Firebase SDK, Supabase client, or similar in dependencies).
What This Pack Does NOT Cover
- Platform-specific API details (see future
firebase,supabase) - Framework integration patterns (see
stack-flutter-firebase, etc.) - Custom backend patterns (see
apifor custom API development)
Related Skills
xoai/sage-self-learning
tools
VerifiedTrustedCommunity
Captures agent mistakes, corrections, and discovered gotchas so they are not repeated. Use when: (1) a command or operation fails unexpectedly, (2) the user corrects the agent, (3) the agent discovers non-obvious behavior through debugging, (4) an API or tool behaves differently than expected, (5) a better approach is found for a recurring task. Also searches past learnings before starting tasks to avoid known pitfalls. Activate alongside the sage-memory skill — they share the same MCP backend but serve different purposes (sage-memory = codebase knowledge, sage-self-learning = agent mistakes and gotchas).
17SKILL.mdUpdated May 20, 2026
xoai/sage-ontology
development
VerifiedTrustedCommunity
Typed knowledge graph stored in sage-memory. Use when creating or querying structured entities (Person, Project, Task, Event, Document), linking related objects, checking dependencies, planning multi-step actions as graph transformations, or when skills need to share structured state. Trigger on "remember that X is Y", "what do I know about", "link X to Y", "show dependencies", "what blocks X", entity CRUD, cross-skill data access, or any request involving structured relationships between things.
17SKILL.mdUpdated May 20, 2026
xoai/sage-memory
tools
VerifiedTrustedCommunity
Integrates sage-memory into Sage workflows. Teaches the agent when to remember (store findings during work), when to recall (search memory at session start and task start), and how to learn (structured knowledge capture via sage learn). Use when the user mentions memory, remember, recall, learn, capture knowledge, onboard to codebase, or when starting any session where sage-memory MCP tools are available.
17SKILL.mdUpdated May 20, 2026
xoai/sage-self-learning
tools
VerifiedTrustedCommunity
Captures agent mistakes, corrections, and discovered gotchas so they are not repeated. Use when: (1) a command or operation fails unexpectedly, (2) the user corrects the agent, (3) the agent discovers non-obvious behavior through debugging, (4) an API or tool behaves differently than expected, (5) a better approach is found for a recurring task. Also searches past learnings before starting tasks to avoid known pitfalls. Activate alongside the sage-memory skill — they share the same MCP backend but serve different purposes (sage-memory = codebase knowledge, sage-self-learning = agent mistakes and gotchas).
17SKILL.mdUpdated May 20, 2026