hoangnguyen0403/nestjs-security-isolation
skills/nestjs/nestjs-security-isolation/SKILL.md
Enforce multi-tenant isolation and PostgreSQL Row Level Security in NestJS. Use when enforcing tenant isolation or PostgreSQL RLS in NestJS multi-tenant apps.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard nestjs-security-isolationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 19, 2026, 3:37 AM153.1s5 files scanned
SKILL.md
- name:
- nestjs-security-isolation
- description:
- Enforce multi-tenant isolation and PostgreSQL Row Level Security in NestJS. Use when enforcing tenant isolation or PostgreSQL RLS in NestJS multi-tenant apps.
Priority: P0 (CRITICAL)
Strict multi-tenant isolation. All child-centric data must secured via PostgreSQL RLS and service-level validation.
RLS Enforcement Workflow
- Migration: Create tables with
ENABLE ROW LEVEL SECURITY. Define policies usingcurrent_setting('app.current_user_id'). - Entity Logic: Add
@SecurityJSDoc to entity class. - Security Doc: Update
SECURITY.mdwith new table and its access logic. - Service Validation: Call
childrenService.validateChildAccess(childId, userId)before any persistence operation.
Core Guidelines
- Mandatory RLS: Every new table linking to
childorfamilyMUST RLS enabled in its creation migration. - Centralized Validation: Never reimplement access logic. Use
ChildrenServicefor child/family membership checks. - Traceable Security:
SECURITY.mdsource of truth. Any change to RLS policies must reflected there immediately. - Nested Route Constraint: Data isolation enforced at controller level via nested routes:
/children/:childId/.... - No Direct Entity exposure: Use Response DTOs to prevent leaking internal database IDs or metadata that could bypass security filters.
Anti-Patterns
- No Public Tables: Don't create child-linked tables without RLS.
- No Manual Policy Checks: Don't write raw SQL access checks in services. Use centralized validator.
- No Stale Docs: Don't merge RLS changes without updating
SECURITY.mdand entity JSDoc. - No Root IDs: Don't use
/domain/:idfor child data. Always scope by:childId.
References
- Implementation Patterns
- RLS Migration Patterns
- Centralized Auth Logic
Related Skills
hoangnguyen0403/common-software-requirements
development
VerifiedTrustedCommunity
Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-business-requirements
development
VerifiedTrustedCommunity
Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-tdd
development
VerifiedTrustedCommunity
Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage.
503SKILL.mdUpdated May 10, 2026
hoangnguyen0403/common-product-requirements
testing
VerifiedTrustedCommunity
Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.
503SKILL.mdUpdated May 10, 2026