
A field guide to the /spine-review skill

AI Backend and API Code Review

Production-readiness review for backend code: REST conventions, auth coverage, validation, error handling, pagination, rate limiting, test coverage on critical paths.

Spine · Backend · 7 min read · February 8, 2026

Backend code reviews tend to fall into the trap of reviewing what is in front of the reviewer rather than what should be in front of them. The reviewer reads the diff and approves it because it looks right. The diff was right; the surrounding code that should have changed alongside it was not in the diff. The auth middleware was not added to the new route. Validation was not extended to the new field. Pagination is missing on the new list endpoint. Rate limiting is configured for the existing routes but not the new one. Each gap is invisible from the diff alone.

The /spine-review skill applies the production-readiness checklist to the body of work being reviewed. REST conventions matched to the rest of the API. Auth and authz coverage on every protected route. Input validation on every user-supplied field. Error handling for the failure modes that can actually occur. Pagination on every list endpoint. Rate limiting calibrated to the route's risk profile. Test coverage on the critical paths. The output is the production-readiness review the team would otherwise do by hand if they had the time.

What the review covers

Seven categories. Convention adherence (HTTP method, status codes, error envelope, casing). Auth coverage (every protected route has the middleware applied). Validation (every input field validated against a schema). Error handling (every documented failure has a clear response shape). Pagination (every list endpoint paginates with a documented strategy). Rate limiting (calibrated to route risk: stricter on auth, looser on read). Test coverage (critical paths covered with integration tests).

How /spine-review works

The skill reads the body of work being reviewed and the surrounding API surface. It compares the new routes and changes against the conventions in place, the auth pattern, the validation library, the pagination convention, the rate limit configuration, and the test strategy. Findings are produced with severity, file references, and proposed fixes.
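The checklist idea above, as an added example that is not Tonone's code or the skill's implementation: a small audit over a route manifest that reports gaps with severity, file reference, and proposed fix. The `Route` fields, the `require_auth` and `paginate` middleware names, the `/auth/` prefix, and the rate-limit ceiling are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical route-manifest entry; every field name here is an assumption.
@dataclass
class Route:
    method: str
    path: str
    file: str
    middleware: list = field(default_factory=list)
    public: bool = False                # deliberately unauthenticated (e.g. login)
    schema: Optional[str] = None        # name of the request validation schema
    returns_list: bool = False
    rate_limit_per_min: Optional[int] = None

AUTH_PREFIX = "/auth/"      # assumed path convention for credential routes
AUTH_MAX_PER_MIN = 10       # assumed ceiling: stricter on auth, looser on reads

def audit(routes):
    """Return (severity, file, route, proposed fix) for each checklist gap."""
    findings = []
    for r in routes:
        def add(severity, fix, r=r):
            findings.append((severity, r.file, f"{r.method} {r.path}", fix))
        if not r.public and "require_auth" not in r.middleware:
            add("critical", "apply require_auth, or mark the route public")
        if r.method in {"POST", "PUT", "PATCH"} and r.schema is None:
            add("high", "validate the request body against a schema")
        if r.returns_list and "paginate" not in r.middleware:
            add("medium", "paginate the list response")
        if r.rate_limit_per_min is None:
            add("medium", "configure a rate limit for this route")
        elif r.path.startswith(AUTH_PREFIX) and r.rate_limit_per_min > AUTH_MAX_PER_MIN:
            add("high", f"lower the limit to <= {AUTH_MAX_PER_MIN}/min")
    return findings

# Constructed sample: the third route is "new" and would look fine in a diff.
ROUTES = [
    Route("GET", "/orders", "routes/orders.py", ["require_auth", "paginate"],
          returns_list=True, rate_limit_per_min=120),
    Route("POST", "/orders", "routes/orders.py", ["require_auth"],
          schema="OrderCreate", rate_limit_per_min=60),
    Route("GET", "/orders/export", "routes/export.py", returns_list=True),
    Route("POST", "/auth/login", "routes/auth.py", public=True,
          schema="Login", rate_limit_per_min=300),
]

if __name__ == "__main__":
    for finding in audit(ROUTES):
        print(" | ".join(finding))
```

The export route draws three findings (missing auth, pagination, and rate limit) even though its handler code could be correct line by line, which is the gap a diff-only review misses.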

Tonone's /spine-review skill reviews backend code against production readiness criteria: REST conventions, auth, validation, error handling, pagination, rate limiting, and test coverage.

Install

/spine-review ships with the Spine agent in Tonone for Claude Code. Install Tonone, invoke the skill against the body of work, and it produces the review.

1. Add to marketplace

$ claude plugin marketplace add tonone-ai/tonone

2. Install Spine

$ claude plugin install spine@tonone-ai

Frequently asked questions

What does /spine-review do?
It reviews backend code against a production-readiness checklist covering REST conventions, auth, validation, error handling, pagination, rate limiting, and test coverage.
How do I install /spine-review?
Install Tonone for Claude Code via tonone.ai/get-started. /spine-review ships with the Spine agent.
