rzyfront/vendix-monorepo-workspaces
skills/vendix-monorepo-workspaces/SKILL.md
Monorepo workspaces, dependency placement, Docker, and CI/CD patterns for Vendix. Trigger: When installing dependencies, modifying package.json, adding/removing workspaces, creating Dockerfiles, or configuring CI/CD.
$ install --global
skillsauthnpx skillsauth add rzyfront/vendix vendix-monorepo-workspacesInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 5:12 AM269.3s1 file scanned
SKILL.md
- name:
- vendix-monorepo-workspaces
- description:
- >
- Trigger:
- When installing dependencies, modifying package.json, adding/removing workspaces, creating Dockerfiles, or configuring CI/CD.
- license:
- MIT
- author:
- rzyfront
- version:
- 1.0
- scope:
- [root]
Vendix Monorepo Workspaces
Purpose
Use this skill for npm workspaces, dependency placement, app package boundaries, Docker build contexts, and CI/CD commands. Architecture ownership belongs to vendix-core.
Current Workspace Map
| Workspace | Path | Notes |
| --- | --- | --- |
| Backend | apps/backend | NestJS API with its own dependencies and Dockerfiles |
| Frontend web | apps/frontend | Angular app with its own dependencies and Dockerfiles |
| Mobile | apps/mobile | Expo/React Native app with its own dependencies |
| Shared types | libs/shared-types | Local package consumed by apps, e.g. @vendix/shared-types |
Root package.json orchestrates scripts and workspaces. Production/runtime dependencies should normally live in the workspace that imports them. Root dependencies should be treated as exceptions and reviewed before adding more; the current repo already has at least one root runtime exception, so do not assume dependencies is empty.
Dependency Rules
- If code in one workspace imports a package, that workspace must declare the dependency.
- If frontend and backend both import the same package, install it in both workspaces.
- If mobile imports a package, install it in
apps/mobile. - Shared libraries should declare their own package metadata and avoid hidden app dependencies.
- Root should mainly contain orchestration scripts and shared dev tooling, unless an explicit repo-level exception is required and documented.
- Do not rely on hoisting as the reason a workspace can build.
Commands
# Install all workspaces from root
npm install
# Install in a specific workspace
npm install <package> -w apps/frontend
npm install <package> -w apps/backend
npm install <package> -w apps/mobile
# Run workspace scripts
npm run start -w apps/frontend
npm run start:dev -w apps/backend
npm run start -w apps/mobile
# Root orchestration scripts
npm run dev
npm run mobile:start
npm run mobile:ios
npm run mobile:android
Do not run production build commands unless the human explicitly requests production verification; use buildcheck-dev for normal development verification.
Docker Rules
- Docker build contexts for app containers should point at the workspace, not the repo root.
- Current dev containers use
apps/backend/Dockerfile.devandapps/frontend/Dockerfile.dev. - Backend and frontend containers mount their workspace and isolate
/app/node_modules. - Mobile currently does not have a Dockerfile in this repo; treat mobile Dockerization as a knowledge gap unless added intentionally.
Current compose services include db, redis, backend, frontend, nginx, and docker-cleanup.
Docker Commands
# Start development services
docker compose up -d
# Rebuild services after Dockerfile/package changes
docker compose up --build -d
# Stop services
docker compose down
Prefer the root docker scripts already present in package.json when useful: docker:up, docker:rebuild, docker:down, docker:down-v.
Use buildcheck-dev for log-based verification after development changes.
CI/CD Rules
- Install dependencies from root with workspace-aware npm commands.
- Build or lint the specific workspace being validated.
- Keep Docker image builds scoped to the app workspace unless the Dockerfile explicitly requires repo context.
- Do not add root-level production dependencies to make CI pass; fix the workspace package instead.
Adding Or Removing Workspaces
When adding a workspace:
- Place it under
apps/orlibs/so root workspaces detect it. - Give it its own
package.jsonwith accurate dependencies. - Add root scripts only when cross-team orchestration is useful.
- Add or update app-specific skills if the workspace introduces new patterns.
When removing a workspace:
- Remove root scripts that reference it.
- Remove dependent workspace references and local file dependencies.
- Run
npm installfrom root to update the lockfile.
Verification
- Check the importing workspace declares each package it uses.
- Check root
package.jsondid not gain unnecessary production dependencies. - Check Docker contexts still match
docker-compose.yml. - Run
./skills/skill-sync/assets/sync.shand./skills/setup.sh --syncafter skill metadata changes.
Related Skills
vendix-core- Architecture map and app boundariesbuildcheck-dev- Development verificationvendix-zoneless-signals- Frontend web build-sensitive patterns
Related Skills
rzyfront/mobile-dev
development
VerifiedTrustedCommunity
Mobile app development rules for Vendix Expo/React Native project. Trigger: When editing, creating, or modifying any file under apps/mobile, or when developing mobile-specific features.
5SKILL.mdUpdated May 29, 2026
rzyfront/vendix-subscription-gate
development
VerifiedTrustedCommunity
Feature gating by store subscription state: global store write guard, AI feature gate, Redis feature resolution, quota consumption, frontend paywall interceptor, banner, and subscription UI states. Trigger: When adding feature gates, paywalls, subscription-based access control, protecting store write operations, AI feature gates, or rollout flags.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-saas-billing
testing
VerifiedTrustedCommunity
SaaS subscription billing for Vendix stores: plan pricing, invoices, Wompi platform payments, manual payments, partner commissions, payouts, proration, and dunning. Trigger: When creating SaaS invoices, working with partner rev-share, margin/surcharge pricing, invoice sequence allocation, partner payout batches, subscription payments, manual payments, or dunning flows.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-redis-quota
development
VerifiedTrustedCommunity
Periodic quota counters with Redis, UTC period keys, Lua-based idempotent AI quota consumption, request-id deduplication, and post-success consumption. Trigger: When building quota counters, enforcing monthly/daily feature caps, or reusing AI quota patterns for uploads, emails, exports, or rate-limited features.
5SKILL.mdUpdated May 16, 2026