> nestjs-security-isolation
Enforce multi-tenant isolation and PostgreSQL Row Level Security in NestJS. Use when enforcing tenant isolation or PostgreSQL RLS in NestJS multi-tenant apps. (triggers: src/modules/**, SECURITY.md, src/migrations/**, RLS, Row Level Security, childId, isolation, access policy)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/nestjs-security-isolation?format=md"

Priority: P0 (CRITICAL)
Strict multi-tenant isolation. All child-centric data must be secured via PostgreSQL RLS and service-level validation.
RLS Enforcement Workflow
- Migration: Create tables with `ENABLE ROW LEVEL SECURITY`. Define policies using `current_setting('app.current_user_id')`.
- Entity Logic: Add `@SecurityJSDoc` to the entity class.
- Security Doc: Update `SECURITY.md` with the new table and its access logic.
- Service Validation: Call `childrenService.validateChildAccess(childId, userId)` before any persistence operation.
Core Guidelines
- Mandatory RLS: Every new table linking to a `child` or `family` MUST have RLS enabled in its creation migration.
- Centralized Validation: Never reimplement access logic. Use `ChildrenService` for child/family membership checks.
- Traceable Security: `SECURITY.md` is the source of truth. Any change to RLS policies must be reflected there immediately.
- Nested Route Constraint: Data isolation is enforced at the controller level via nested routes: `/children/:childId/...`.
- No Direct Entity Exposure: Use Response DTOs to prevent leaking internal database IDs or metadata that could bypass security filters.
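The three pieces the workflow and guidelines above wire together, as an added TypeScript example that is not the project's own code: the SQL a creation migration runs, the centralized `ChildrenService.validateChildAccess` check, and the per-request step that hands the caller's id to the RLS policies. The schema is assumed (the skill does not specify it): a `family_members(user_id uuid, child_id uuid)` join table and a `child_id uuid` column on every child-linked table. `ForbiddenException`, the `pg`-style `QueryClient`, `FakeMembers` and `RecordingClient` are dependency-free stand-ins so the block runs offline; a real NestJS service would import `ForbiddenException` from `@nestjs/common` and be decorated with `@Injectable()`. The policy reads `current_setting('app.current_user_id', true)` (the `missing_ok` form) rather than the one-argument form quoted above, so a connection where the variable was never set returns no rows instead of raising an error.

```typescript
// Added example for the nestjs-security-isolation skill, not project code.
// Assumed schema: family_members(user_id uuid, child_id uuid) and a child_id
// uuid column on each child-linked table.

/** SQL the creation migration of a child-linked table should run (workflow step 1). */
function rlsMigrationSql(table: string): string[] {
  const t = `"${table.replace(/"/g, '""')}"`; // quoted identifier; table names are fixed, not user input
  return [
    `ALTER TABLE ${t} ENABLE ROW LEVEL SECURITY`,
    // Without FORCE the table owner bypasses RLS and would see every family's rows.
    // Superusers and roles with BYPASSRLS bypass it regardless; the app role must be neither.
    `ALTER TABLE ${t} FORCE ROW LEVEL SECURITY`,
    // A row is visible only to members of the child's family. missing_ok = true makes
    // current_setting return NULL on a connection where the variable was never set,
    // so an unscoped query yields zero rows instead of an error.
    `CREATE POLICY "${table}_family_isolation" ON ${t}
       USING (child_id IN (
         SELECT child_id FROM family_members
         WHERE user_id = current_setting('app.current_user_id', true)::uuid))`,
  ];
}

/** Stand-in for @nestjs/common's ForbiddenException so the example runs without NestJS. */
class ForbiddenException {
  readonly message: string;
  constructor(message: string) { this.message = message; }
}

interface MembershipRepo {
  isMember(userId: string, childId: string): Promise<boolean>;
}

/** The single place child/family access is decided (Centralized Validation). */
class ChildrenService {
  private readonly members: MembershipRepo;
  constructor(members: MembershipRepo) { this.members = members; }

  async validateChildAccess(childId: string, userId: string): Promise<void> {
    if (!(await this.members.isMember(userId, childId))) {
      // One response whether the child is missing or belongs to another family,
      // so the status code does not confirm that a guessed childId exists.
      throw new ForbiddenException(`user ${userId} may not access child ${childId}`);
    }
  }
}

/** The part of pg's PoolClient.query(text, values) this helper relies on. */
interface QueryClient {
  query(text: string, values?: unknown[]): Promise<unknown>;
}

/**
 * Runs fn in a transaction that carries the caller's id to the RLS policies.
 * set_config(..., true) is transaction-local, so the value cannot leak to the
 * next request that borrows the same pooled connection.
 */
async function withUserContext<T>(
  client: QueryClient,
  userId: string,
  fn: (c: QueryClient) => Promise<T>,
): Promise<T> {
  await client.query('BEGIN');
  try {
    await client.query(`SELECT set_config('app.current_user_id', $1, true)`, [userId]);
    const result = await fn(client);
    await client.query('COMMIT');
    return result;
  } catch (err) {
    await client.query('ROLLBACK');
    throw err;
  }
}

/** In-memory fakes over constructed data so the example runs offline. */
class FakeMembers implements MembershipRepo {
  private readonly rows: Array<[string, string]>;
  constructor(rows: Array<[string, string]>) { this.rows = rows; }
  async isMember(userId: string, childId: string): Promise<boolean> {
    return this.rows.some(([u, c]) => u === userId && c === childId);
  }
}

class RecordingClient implements QueryClient {
  readonly log: string[] = [];
  async query(text: string, values: unknown[] = []): Promise<unknown> {
    this.log.push(values.length ? `${text} -- ${JSON.stringify(values)}` : text);
    return { rows: [] };
  }
}

/** Walks through allow, deny and the transaction-scoped context; returns what happened. */
async function demo(): Promise<{ denied: boolean; sql: string[] }> {
  const svc = new ChildrenService(new FakeMembers([['user-a', 'child-1']]));
  await svc.validateChildAccess('child-1', 'user-a'); // member: passes silently
  let denied = false;
  try {
    await svc.validateChildAccess('child-1', 'user-b'); // not a member: must throw
  } catch (err) {
    denied = err instanceof ForbiddenException;
  }
  const client = new RecordingClient();
  await withUserContext(client, 'user-a', (c) =>
    c.query('SELECT * FROM notes WHERE child_id = $1', ['child-1']),
  );
  return { denied, sql: client.log };
}
```

The service check runs first and the policy is the backstop: if a future query forgets the `childId` filter, RLS still returns only the caller's family's rows. `FORCE ROW LEVEL SECURITY` matters because the role that owns the tables (often the migration role) otherwise skips the policy entirely, and the transaction-scoped `set_config` is what keeps one request's `app.current_user_id` from surviving on a pooled connection into the next request.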
Anti-Patterns
- No Public Tables: Don't create child-linked tables without RLS.
- No Manual Policy Checks: Don't write raw SQL access checks in services. Use the centralized validator.
- No Stale Docs: Don't merge RLS changes without updating `SECURITY.md` and entity JSDoc.
- No Root IDs: Don't use `/domain/:id` for child data. Always scope by `:childId`.
References
> related_skills --same-repo
> common-store-changelog
Generate user-facing release notes for the Apple App Store and Google Play Store by collecting git history, triaging user-impacting changes, and drafting store-compliant changelogs. Enforces character limits (App Store ≤4000, Google Play ≤500), tone, and bullet format. Use when generating release notes, app store changelog, play store release, what's new, or version release notes for any mobile app. (triggers: generate changelog, app store notes, play store release, what's new, release notes, ve
> golang-tooling
Go developer toolchain — gopls LSP diagnostics, linting, formatting, and vet. Use when setting up Go tooling, running linters, or integrating gopls with Claude Code. (triggers: gopls, golangci-lint, golangci.yml, go vet, goimports, staticcheck, go tooling, go lint)
> common-ui-design
Design distinctive, production-grade frontend UI with bold aesthetic choices. Use when building web components, pages, interfaces, dashboards, or applications in any framework (React, Next.js, Angular, Vue, HTML/CSS). (triggers: build a page, create a component, design a dashboard, landing page, UI for, build a layout, make it look good, improve the design, build UI, create interface, design screen)
> common-owasp
OWASP Top 10 audit checklist for Web Applications (2021) and APIs (2023). Load during any security review, PR review, or codebase audit touching web, mobile backend, or API code. (triggers: security review, OWASP, broken access control, IDOR, BOLA, injection, broken auth, API review, authorization, access control)