imenesesl/lyx-admin-api-expert
.cursor/skills/lyx-admin-api-expert/SKILL.md
Expert on the Lyx Admin API: Express routes, MongoDB models, auth, storage, draft/publish lifecycle, runtime API. Use when modifying API routes, models, or debugging server-side issues.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add imenesesl/lyx lyx-admin-api-expertInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 24, 2026, 8:58 PM1.8s1 file scanned
SKILL.md
- name:
- lyx-admin-api-expert
- description:
- >-
- Expert on the Lyx Admin API:
- Express routes, MongoDB models, auth, storage,
Lyx Admin API Expert
Route Map
/api/health— public, checks process + MongoDB + S3 storage/api/auth/*— rate-limited (30/15min), JWT for /me and /alias/api/apps/*— JWT required, scoped toreq.auth.accountId/api/mfes/*— JWT required, scoped to account/api/layouts/*— GET public, write operations JWT/api/runtime/:accountId/:slug/*— public, reads published configs
Draft/Publish Lifecycle
POST /api/apps→ creates App + draft AppConfig (version"0.0.0", status"draft")PUT /api/apps/:id/config→ updates latest draft (assignments, layout)POST /api/apps/:id/publish→ sets draft to"published", bumps version, creates new draft clone- Published configs are immutable snapshots
Critical Rules
- remoteEntryUrl: ALWAYS resolve from MFEVersion record. Never trust client-sent URL.
- accountId filtering: Every query must include
accountIdfrom JWT — never expose other accounts' data. - resolveAccountId: Accepts ObjectId string OR alias → returns real
_id. Used in all runtime routes. - MFE name uniqueness: Global (not per-account) — two accounts cannot have same MFE name.
- Version uniqueness:
{ mfeId, version }compound unique — rejects duplicate versions.
Storage — S3 Only
The admin-api uses AWS S3 exclusively for MFE bundle storage. There is no local storage mode.
- Config:
config.storage.bucket(env:S3_BUCKET) - Upload: extracts tar.gz → stores each file under
{mfeName}/{version}/with correct MIME - Public bucket policy:
s3:GetObjectfor* - URL pattern:
/storage/{mfeName}/{version}/remoteEntry.js - AWS region:
config.aws.region(env:AWS_REGION) - Auth: uses IAM instance role (App Runner) or env credentials (local)
Environment Variables
| Variable | Required | Description |
|----------|----------|-------------|
| MONGO_URI | Yes | MongoDB Atlas connection string |
| S3_BUCKET | Yes | S3 bucket name for MFE bundles |
| AWS_REGION | Yes | AWS region (default: us-west-2) |
| JWT_SECRET | Yes | JWT signing secret (fatal if insecure in production) |
| PORT | No | Server port (default: 4000) |
| CORS_ORIGIN | No | CORS origin (default: *) |
| NODE_ENV | No | development or production |
Security
- JWT expires in 7 days (
signToken) - Production exits if
JWT_SECRETis weak default - Helmet + CORS configured
Related Skills
imenesesl/.cursor/skills/lyx-testing-expert
development
VerifiedTrustedCommunity
# Lyx Testing Expert ## When to Use Use this skill when: - Writing or modifying Playwright E2E tests - Writing or modifying k6 performance tests - Debugging test failures - Adding test coverage for new features - Running the test suite locally or in CI - Understanding the test architecture ## Test Architecture Overview ### Playwright E2E Tests **Location**: `tests/e2e/` **Configuration**: `playwright.config.ts` at project root **Projects**: - `setup` — Global auth setup (registers/logs in
SKILL.mdUpdated Apr 16, 2026
imenesesl/lyx-shell-expert
tools
VerifiedTrustedCommunity
Expert on the Lyx Shell: layout rendering, Module Federation, SSR streaming, URL parsing, devtools. Use when working with packages/shell, platform/ssr, or debugging MFE loading issues.
SKILL.mdUpdated Apr 16, 2026
imenesesl/lyx-sdk-expert
development
VerifiedTrustedCommunity
Expert on the Lyx SDK internals: event bus, shared state, navigation, MFE loading. Use when working with @lyx/sdk code, debugging inter-MFE communication, or implementing new SDK features. Knows all edge cases and internal behaviors.
SKILL.mdUpdated Apr 16, 2026
imenesesl/.cursor/skills/lyx-qa-regression
development
VerifiedTrustedCommunity
# Lyx QA Regression Tester ## Role You are the QA Regression Tester for the Lyx framework. Your job is to **catch every bug before the user does**. You run after every feature implementation, before any commit or push. You are the last gate — nothing ships without your sign-off. ## When to Activate This skill MUST be invoked: - After implementing any feature (P0, P1, P2, P3) - After fixing any bug - Before every `git commit` that includes code changes - When the user says "regression", "test
SKILL.mdUpdated Apr 16, 2026