malhajri07/audit-org-isolation
.claude/skills/audit-org-isolation/SKILL.md
Find Express route handlers that touch multi-tenant Prisma models without going through injectOrgFilter / injectWriteFilter. Use after adding new routes, before committing, and during security review.
development
Updated Apr 16, 2026
$ install --global
skillsauthnpx skillsauth add malhajri07/real-estate-CRM-project audit-org-isolationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 12:55 AM4.6s1 file scanned
SKILL.md
- name:
- audit-org-isolation
- description:
- Find Express route handlers that touch multi-tenant Prisma models without going through injectOrgFilter / injectWriteFilter. Use after adding new routes, before committing, and during security review.
audit-org-isolation
Multi-tenant data isolation is the project's #1 security invariant. This skill greps for any handler that bypasses it.
Background
The middleware injectOrgFilter (reads) and injectWriteFilter (writes) live at apps/api/middleware/org-isolation.ts. They append organizationId = req.user.organizationId to Prisma queries automatically. Any handler that talks to a multi-tenant model without these middlewares is a leak risk.
Steps
- List multi-tenant models by grepping
data/schema/prisma/schema.prismafororganizationId. - For each model, grep
apps/api/routes/for direct usage:prisma.<modelName>.find prisma.<modelName>.update prisma.<modelName>.delete prisma.<modelName>.create - For each match, check the surrounding handler:
- Is the route mounted with
authenticateToken+ the org-isolation middleware? - OR does the handler explicitly include
organizationId: req.user.organizationIdinwhere?
- Is the route mounted with
- Flag violations — handlers that touch a multi-tenant model with neither protection.
- Report as a table:
File:line Model Operation Risk - Do not fix automatically — show the user the violations first. They may have intentional admin-only routes.
Verification
- [ ] All multi-tenant models scanned
- [ ] Report grouped by file
- [ ] Each violation includes file:line for easy navigation
Notes
WEBSITE_ADMINroutes are allowed to bypass — flag them but mark as[admin]- The
usersandorganizationstables themselves have special rules — check existing patterns before flagging - See [[Architecture/Org Isolation]] in the vault for full context
Related Skills
malhajri07/obsidian-markdown
testing
VerifiedTrustedCommunity
Create and edit Obsidian Flavored Markdown with wikilinks, embeds, callouts, properties, and other Obsidian-specific syntax. Use when working with .md files in Obsidian, or when the user mentions wikilinks, callouts, frontmatter, tags, embeds, or Obsidian notes.
SKILL.mdUpdated Apr 16, 2026
malhajri07/obsidian-cli
tools
VerifiedTrustedCommunity
Interact with Obsidian vaults using the Obsidian CLI to read, create, search, and manage notes, tasks, properties, and more. Also supports plugin and theme development with commands to reload plugins, run JavaScript, capture errors, take screenshots, and inspect the DOM. Use when the user asks to interact with their Obsidian vault, manage notes, search vault content, perform vault operations from the command line, or develop and debug Obsidian plugins and themes.
SKILL.mdUpdated Apr 16, 2026
malhajri07/obsidian-bases
data-ai
VerifiedTrustedCommunity
Create and edit Obsidian Bases (.base files) with views, filters, formulas, and summaries. Use when working with .base files, creating database-like views of notes, or when the user mentions Bases, table views, card views, filters, or formulas in Obsidian.
SKILL.mdUpdated Apr 16, 2026
malhajri07/json-canvas
tools
VerifiedTrustedCommunity
Create and edit JSON Canvas files (.canvas) with nodes, edges, groups, and connections. Use when working with .canvas files, creating visual canvases, mind maps, flowcharts, or when the user mentions Canvas files in Obsidian.
SKILL.mdUpdated Apr 16, 2026