adteco/glapi-rls-guide
.claude/skills/glapi-rls-guide/SKILL.md
Row Level Security (RLS) implementation guide for GLAPI multi-tenant database isolation. Covers PostgreSQL RLS policies, session variables, contextual database connections, tRPC middleware, and common troubleshooting. Use when working with RLS, multi-tenancy, organization isolation, database security, or debugging RLS policy violations.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add adteco/glapi glapi-rls-guideInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 9:30 PM4.6s1 file scanned
SKILL.md
- name:
- glapi-rls-guide
- description:
- Row Level Security (RLS) implementation guide for GLAPI multi-tenant database isolation. Covers PostgreSQL RLS policies, session variables, contextual database connections, tRPC middleware, and common troubleshooting. Use when working with RLS, multi-tenancy, organization isolation, database security, or debugging RLS policy violations.
GLAPI Row Level Security (RLS) Guide
Purpose
This skill documents how Row Level Security is implemented in GLAPI to ensure multi-tenant data isolation. All database tables containing organization-specific data use RLS policies to prevent cross-tenant data access.
Architecture Overview
Flow Summary
Request → tRPC Middleware → Set Session Variable → RLS Policy Check → Query Execution
- Clerk Auth provides organization ID (resolved to database UUID)
- tRPC middleware creates contextual DB connection with session variable set
- PostgreSQL RLS policies check
current_setting('app.current_organization_id')against row'sorganization_id - Queries filtered automatically - users only see their organization's data
Key Components
1. Session Variable
The foundation of RLS is the PostgreSQL session variable:
-- Set on each connection before queries
SELECT set_config('app.current_organization_id', '<uuid>', false);
- Must be a valid UUID (database organization ID, NOT Clerk org ID)
- Set per-connection, persists for connection lifetime
- Retrieved via
current_setting('app.current_organization_id', true)
2. RLS Policy Pattern
IMPORTANT: Policies must use current_setting() directly, NOT the get_current_organization_id() function for INSERT operations:
-- CORRECT: Use current_setting directly
CREATE POLICY "org_isolation_insert_tablename" ON tablename
FOR INSERT WITH CHECK (
organization_id::text = current_setting('app.current_organization_id', true)
);
-- For SELECT/UPDATE/DELETE, either works but direct is safer
CREATE POLICY "org_isolation_select_tablename" ON tablename
FOR SELECT USING (
organization_id::text = current_setting('app.current_organization_id', true)
);
Why cast to text? The organization_id column may be UUID type, but current_setting() returns text. Casting both to text ensures consistent comparison.
3. Context Module (packages/database/src/context.ts)
Primary functions for RLS context:
// Create a contextual DB with RLS set (used by tRPC)
const { db, release, client } = await createContextualDb({
organizationId: 'uuid-here',
userId: 'user-uuid',
});
// For one-off operations with automatic cleanup
await withOrganizationContext(
{ organizationId: 'uuid' },
async (db) => {
return db.select().from(table);
}
);
// For transactions
await withOrganizationContextTransaction(
{ organizationId: 'uuid' },
async (db) => {
await db.insert(table).values({...});
}
);
4. tRPC Middleware (packages/trpc/src/trpc.ts)
The authenticatedProcedure middleware:
- Validates user has organizationId
- Validates organizationId is UUID format
- Creates contextual DB connection
- Verifies RLS context was set correctly
- Passes
ctx.db(RLS-protected) to procedures - Releases connection in finally block
Common Issues & Solutions
Issue: "new row violates row-level security policy"
Cause: The session variable value doesn't match the organization_id being inserted.
Debug Steps:
- Check what's being inserted vs what's in session:
// Add debug in repository
const check = await this.db.execute(
sql`SELECT current_setting('app.current_organization_id', true) as rls_org`
);
console.log('RLS org:', check.rows[0]?.rls_org);
console.log('Inserting org:', organizationId);
- Verify the repository is using
ctx.dbnot globaldb:
// In service constructor - MUST pass options.db
this.repository = new SomeRepository(options.db);
// In router - MUST pass ctx.db
const service = new SomeService(ctx.serviceContext, { db: ctx.db });
Issue: RLS policies blocking all operations
Cause: Session variable not set (returns NULL).
Solution: Ensure repository receives contextual db:
// BaseRepository falls back to globalDb if no db passed
constructor(db?: ContextualDatabase) {
this.db = db ?? globalDb; // globalDb has NO RLS context!
}
Issue: Function type mismatch
Cause: get_current_organization_id() returns UUID, but comparison fails.
Solution: Use current_setting() directly in policies:
-- Instead of: get_current_organization_id()::text
-- Use: current_setting('app.current_organization_id', true)
Creating RLS for New Tables
Step 1: Enable RLS on table
ALTER TABLE new_table ENABLE ROW LEVEL SECURITY;
ALTER TABLE new_table FORCE ROW LEVEL SECURITY;
Step 2: Create policies
-- SELECT
CREATE POLICY "org_isolation_select_new_table" ON new_table
FOR SELECT USING (
organization_id::text = current_setting('app.current_organization_id', true)
);
-- INSERT
CREATE POLICY "org_isolation_insert_new_table" ON new_table
FOR INSERT WITH CHECK (
organization_id::text = current_setting('app.current_organization_id', true)
);
-- UPDATE
CREATE POLICY "org_isolation_update_new_table" ON new_table
FOR UPDATE
USING (organization_id::text = current_setting('app.current_organization_id', true))
WITH CHECK (organization_id::text = current_setting('app.current_organization_id', true));
-- DELETE
CREATE POLICY "org_isolation_delete_new_table" ON new_table
FOR DELETE USING (
organization_id::text = current_setting('app.current_organization_id', true)
);
Step 3: Create migration file
Add to packages/database/drizzle/NNNN_tablename_rls.sql
Repository Pattern Requirements
Every repository that accesses RLS-protected tables MUST:
- Accept optional
dbin constructor - Use
this.dbfor all queries (not imported global db) - Be instantiated with
ctx.dbfrom tRPC context
// Repository
export class MyRepository extends BaseRepository {
constructor(db?: ContextualDatabase) {
super(db); // BaseRepository sets this.db
}
async findAll() {
return this.db.select().from(myTable); // Uses contextual db
}
}
// Service
export class MyService extends BaseService {
private repo: MyRepository;
constructor(context: ServiceContext, options: { db?: ContextualDatabase } = {}) {
super(context);
this.repo = new MyRepository(options.db); // Pass db through!
}
}
// Router
const service = new MyService(ctx.serviceContext, { db: ctx.db });
Quick Reference
| Component | Location | Purpose |
|-----------|----------|---------|
| Context functions | packages/database/src/context.ts | Set session variables |
| tRPC middleware | packages/trpc/src/trpc.ts | Create RLS db per request |
| Base repository | packages/database/src/repositories/base-repository.ts | Fallback logic |
| Migration files | packages/database/drizzle/*.sql | RLS policy definitions |
Session Variable Reference
| Variable | Purpose |
|----------|---------|
| app.current_organization_id | Organization UUID for RLS |
| app.current_user_id | User UUID for audit trails |
Related Skills
adteco/skill-developer
tools
VerifiedTrustedCommunity
Create and manage Claude Code skills following Anthropic best practices. Use when creating new skills, modifying skill-rules.json, understanding trigger patterns, working with hooks, debugging skill activation, or implementing progressive disclosure. Covers skill structure, YAML frontmatter, trigger types (keywords, intent patterns, file paths, content patterns), enforcement levels (block, suggest, warn), hook mechanisms (UserPromptSubmit, PreToolUse), session tracking, and the 500-line rule.
SKILL.mdUpdated Apr 16, 2026
adteco/.claude/skills/pre-deploy-checklist
development
VerifiedTrustedCommunity
# Pre-Deployment Checklist Skill ## Purpose Run comprehensive quality checks before committing code and creating pull requests. This skill ensures code quality, documentation, API specs, and tests are all in order before deployment. ## When to Use This Skill - Before committing significant changes - Before creating a pull request - When user invokes `/ship`, `/pre-deploy`, or `/checklist` - When preparing code for production deployment ## Checklist Items ### 1. TypeScript Compilation **Com
SKILL.mdUpdated Apr 16, 2026
adteco/adteco-frontend-guidelines
development
VerifiedTrustedCommunity
Frontend development guidelines for Adteco's React 18/19 + ShadCN/Radix UI + Tailwind stack. Patterns for building accessible, performant components with type safety, TanStack Query data fetching, and modern styling.
SKILL.mdUpdated Apr 16, 2026
adteco/glapi-backend-guidelines
development
VerifiedTrustedCommunity
GLAPI backend development guide for Next.js + TRPC + Drizzle ORM + PostgreSQL + Clerk. TRPC for internal type-safety, REST API exposure via OpenAPI. Covers layered architecture (routers → services → Drizzle), dual TRPC/REST endpoints, Clerk authentication, and testing strategies.
SKILL.mdUpdated Apr 16, 2026