AHMADJAN-New/nazim-multi-tenancy
.cursor/skills/nazim-multi-tenancy/SKILL.md
Enforces organization and school isolation for the Nazim multi-tenant SaaS. Use when adding tables, hooks, API calls, controllers, or storage paths. Covers organization_id, school_id, query keys, getCurrentSchoolId(), and RLS.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add AHMADJAN-New/nazim-web nazim-multi-tenancyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 10:49 PM4.4s2 files scanned
SKILL.md
- name:
- nazim-multi-tenancy
- description:
- Enforces organization and school isolation for the Nazim multi-tenant SaaS. Use when adding tables, hooks, API calls, controllers, or storage paths. Covers organization_id, school_id, query keys, getCurrentSchoolId(), and RLS.
Nazim Multi-Tenancy
The Nazim app is a multi-tenant SaaS. Every tenant table, hook, API call, and controller must enforce organization and school isolation.
Core Rules
- Every tenant table:
organization_id+school_id(for school-scoped) - Frontend hooks:
queryKeyincludesprofile?.organization_idANDprofile?.default_school_id - API calls: pass both
organization_idandschool_id - Backend: use
getCurrentSchoolId($request)— never trust clientschool_id - Storage paths: include
organization_id(andschool_idwhen applicable)
Frontend Patterns
Query Key (REQUIRED)
queryKey: ['resource', profile?.organization_id, profile?.default_school_id ?? null, ...otherKeys]
API Call (REQUIRED)
await apiClient.resource.list({
organization_id: profile.organization_id,
school_id: profile.default_school_id,
});
Hook enabled
enabled: !!user && !!profile && !!profile.organization_id && !!profile.default_school_id
Mutations
- Create: use
profile.organization_idandprofile.default_school_id(ignore client values) - Update: validate
organization_idmatches; rejectorganization_idchanges - Delete: backend validates; frontend invalidates + refetches
Backend Patterns
Controller
$profile = DB::table('profiles')->where('id', $user->id)->first();
if (!$profile || !$profile->organization_id) {
return response()->json(['error' => 'User must be assigned to an organization'], 403);
}
$currentSchoolId = $this->getCurrentSchoolId($request); // From middleware, NOT client
$query = YourModel::whereNull('deleted_at')
->where('organization_id', $profile->organization_id)
->where('school_id', $currentSchoolId);
getCurrentSchoolId()
- Provided by base Controller
- Reads
current_school_idfrom request (injected byschool.contextmiddleware) - Never use client-provided
school_idfor filtering
Database
- Tenant tables:
organization_id UUID NOT NULL,school_id UUID(school-scoped) - Index on
organization_idandschool_id - RLS enabled; policies enforce
organization_id = (SELECT organization_id FROM profiles WHERE id = auth.uid())
Checklist
- [ ] Table has
organization_id(andschool_idif school-scoped) - [ ] Query key includes
default_school_id - [ ] API passes
school_id - [ ] Controller uses
getCurrentSchoolId()not clientschool_id - [ ] Mutations validate organization scope
Additional Resources
- Full RLS policy pattern and security checklist: reference.md
Related Skills
AHMADJAN-New/nazim-toast
tools
VerifiedTrustedCommunity
Toast notifications for Nazim. Use when showing success/error/info messages. ALWAYS use showToast from @/lib/toast with translation keys; never toast from sonner directly. RTL positioning is automatic.
SKILL.mdUpdated Apr 16, 2026
AHMADJAN-New/nazim-status-badges
tools
VerifiedTrustedCommunity
Enforces status badge patterns for Nazim UI. Use when displaying status in tables, cards, or dialogs. Covers Badge variants, semantic colors, statusBadgeVariant, statusOptions with color.
SKILL.mdUpdated Apr 16, 2026
AHMADJAN-New/nazim-responsive
development
VerifiedTrustedCommunity
Enforces mobile-first responsive patterns for Nazim UI. Use when building pages, tables, forms, charts, or buttons. Covers page container, FilterPanel, tabs, grids, tables, charts, cards, buttons.
SKILL.mdUpdated Apr 16, 2026
AHMADJAN-New/nazim-reports
development
VerifiedTrustedCommunity
PDF and Excel report generation for Nazim. Use when adding or changing reports. Backend uses ReportService and ReportConfig; frontend uses useServerReport. Covers branding, DateConversionService, RTL, acceptance criteria.
SKILL.mdUpdated Apr 16, 2026