> nextjs-data-access-layer
Build secure, reusable data access patterns with DTOs, taint checks, and colocated authorization in Next.js. Use when centralizing database queries, transforming raw data to DTOs, adding server-only guards, or preventing sensitive data from reaching Client Components. (triggers: **/lib/data.ts, **/services/*.ts, **/dal/**, DAL, Data Access Layer, server-only, DTO)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/nextjs-data-access-layer?format=md"

Data Access Layer (DAL)
Priority: P1 (HIGH)
Centralize all data access (Database & External APIs) to ensure consistent security, authorization, and caching.
Workflow
- Create DAL module in `services/` or `lib/data.ts` with `import 'server-only'`.
- Verify auth inside every DAL function using `await auth()`.
- Transform raw DB/API data into DTOs before returning to components.
- Wrap with `cache()` from React to deduplicate requests within a render cycle.
- Taint-check sensitive objects to prevent accidental client exposure.
Implementation Guidelines
- DTOs: Always transform raw data into plain objects. Never return ORM model instances.
- Security: Use `taintObjectReference` or `taintUniqueValue` from the experimental taint API to guard sensitive data.
- Authorization: Colocate auth checks inside every DAL function. Never rely on the UI layer.
- Caching: Wrap DAL functions in `cache()` to deduplicate within a single render.
- Error Handling: Throw standardized errors (`NotFoundError`, `UnauthorizedError`) caught by `error.tsx` or `notFound()`.
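The workflow and guidelines above, combined in one DAL function. This is an added example, not code from the skill or its repository. The `auth()` stand-in, `setSessionForDemo`, the `USERS` rows and the email-visibility policy are assumptions made so the file runs without Next.js.

```typescript
// In a real Next.js app this module starts with `import 'server-only'` and
// getUserProfile is wrapped in React's cache(); both are omitted here so the
// file runs on its own. auth() and USERS are constructed stand-ins.
type AppSession = { userId: string; role: 'user' | 'admin' } | null;
type UserRow = { id: string; name: string; email: string; passwordHash: string };
type UserDTO = { id: string; name: string; email: string | null };

class UnauthorizedError extends Error { name = 'UnauthorizedError'; }
class NotFoundError extends Error { name = 'NotFoundError'; }

// Constructed sample rows standing in for raw ORM/database records.
const USERS: UserRow[] = [
  { id: 'u1', name: 'Ada', email: 'ada@example.test', passwordHash: 'constructed-hash-1' },
  { id: 'u2', name: 'Bob', email: 'bob@example.test', passwordHash: 'constructed-hash-2' },
];

// Hypothetical session source standing in for the app's auth().
let currentSession: AppSession = null;
function setSessionForDemo(session: AppSession): void {
  currentSession = session;
}
async function auth(): Promise<AppSession> {
  return currentSession;
}

// Allow-list mapping: only the named fields are copied into a plain object,
// so passwordHash (or any column added later) is never returned by default.
// Assumed policy: email is visible to the user themselves and to admins.
function toUserDTO(row: UserRow, viewer: NonNullable<AppSession>): UserDTO {
  const canSeeEmail = viewer.role === 'admin' || viewer.userId === row.id;
  return { id: row.id, name: row.name, email: canSeeEmail ? row.email : null };
}

// DAL function: the auth check, the lookup and the DTO transform live together,
// so no caller can reach the raw row or skip the check.
async function getUserProfile(id: string): Promise<UserDTO> {
  const session = await auth();
  if (!session) throw new UnauthorizedError('sign-in required');
  const row = USERS.find((u) => u.id === id);
  if (!row) throw new NotFoundError('user not found');
  return toUserDTO(row, session);
}
```

In the app itself, the raw row is also the object to pass to `taintObjectReference`, so that an accidental attempt to hand it to a Client Component fails instead of serializing `passwordHash`.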
Limitations
- Client Components cannot import DAL files. Use Server Actions or Route Handlers as bridges.
Anti-Patterns
- No auth checks outside DAL: Auth verification must live inside DAL functions.
- No raw ORM instances returned: Transform to plain DTO objects before returning.
- No `fetch('localhost/api')` in Server Components: Call DAL functions directly.
- No DAL imports in Client Components: Use Server Actions or Route Handlers as bridges.