rzyfront/vendix-multi-tenant-context
skills/vendix-multi-tenant-context/SKILL.md
Backend tenant context bridge from ecommerce domain resolution and JWT user context into AsyncLocalStorage. Trigger: Handling store context, implementing multi-tenant logic, or fixing Forbidden/403 errors in scoped services.
$ install --global
skillsauthnpx skillsauth add rzyfront/vendix vendix-multi-tenant-contextInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 5:10 AM158.6s1 file scanned
SKILL.md
- name:
- vendix-multi-tenant-context
- description:
- >
- Trigger:
- Handling store context, implementing multi-tenant logic, or fixing Forbidden/403 errors in scoped services.
- license:
- Apache-2.0
- author:
- rzyfront
- version:
- 1.0
- scope:
- [root]
Vendix Multi-Tenant Context
Purpose
Use this skill for backend request context: how store/organization/user data reaches RequestContextService and scoped Prisma services.
Real Context Flow
DomainResolverMiddlewareis registered globally, but it only resolves domain context for URLs containing/ecommerce/.- For ecommerce routes, it first accepts
x-store-idheader orstore_idquery param. - If no explicit store is provided, it resolves hostname through cache and
PublicDomainsService.resolveDomain(). - It writes
{ store_id, organization_id? }toreq['domain_context']and continues even if resolution fails. RequestContextInterceptormerges JWTreq.useranddomain_contextinto AsyncLocalStorage.
Key files:
apps/backend/src/common/middleware/domain-resolver.middleware.tsapps/backend/src/common/interceptors/request-context.interceptor.tsapps/backend/src/common/context/request-context.service.ts
Precedence Rules
- JWT user context fills
user_id,organization_id,store_id, roles, permissions, and flags first. - Ecommerce
domain_context.store_idoverwritescontext.store_id. - Ecommerce
domain_context.organization_idfillsorganization_idonly when JWT did not provide one. - Non-ecommerce routes usually rely on JWT/user context, not hostname resolution.
Scoped Prisma Services
| Service | Scope |
| --- | --- |
| GlobalPrismaService | No tenant scope; use for superadmin/system operations only |
| OrganizationPrismaService | Organization-scoped models |
| StorePrismaService | Store/organization-scoped models |
| EcommercePrismaService | Ecommerce store/customer scoped access |
Model lists change over time. Treat the arrays inside the Prisma scoped service files as canonical instead of copying exhaustive lists into skills.
Guardrails
- Do not use
GlobalPrismaServicefor tenant data unless the use case is explicitly system-level or the code manually scopes the query. - Do not rely on frontend-selected store IDs for authorization.
- Raw SQL and Prisma
$queryRawbypass scoped-service extensions; add explicit tenant filters. - The current
RequestContextServicehas a staticcurrentContextfallback; treat it as existing behavior, not a pattern to expand.
Debugging 403 / Missing Context
Check:
- Is the route ecommerce? If not, domain middleware will not resolve hostname context.
- Does JWT include the expected
organization_idandstore_id? - For ecommerce, is
x-store-id,store_idquery, or host domain resolving correctly? - Is the model registered in the correct scoped Prisma service?
- Is raw SQL missing explicit tenant filters?
Related Skills
vendix-prisma-scopes- Scoped Prisma model registrationvendix-backend-auth- JWT, public routes, guardsvendix-app-architecture- App/domain conceptsvendix-mcp-server- MCP auth/context injection
Related Skills
rzyfront/mobile-dev
development
VerifiedTrustedCommunity
Mobile app development rules for Vendix Expo/React Native project. Trigger: When editing, creating, or modifying any file under apps/mobile, or when developing mobile-specific features.
5SKILL.mdUpdated May 29, 2026
rzyfront/vendix-subscription-gate
development
VerifiedTrustedCommunity
Feature gating by store subscription state: global store write guard, AI feature gate, Redis feature resolution, quota consumption, frontend paywall interceptor, banner, and subscription UI states. Trigger: When adding feature gates, paywalls, subscription-based access control, protecting store write operations, AI feature gates, or rollout flags.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-saas-billing
testing
VerifiedTrustedCommunity
SaaS subscription billing for Vendix stores: plan pricing, invoices, Wompi platform payments, manual payments, partner commissions, payouts, proration, and dunning. Trigger: When creating SaaS invoices, working with partner rev-share, margin/surcharge pricing, invoice sequence allocation, partner payout batches, subscription payments, manual payments, or dunning flows.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-redis-quota
development
VerifiedTrustedCommunity
Periodic quota counters with Redis, UTC period keys, Lua-based idempotent AI quota consumption, request-id deduplication, and post-success consumption. Trigger: When building quota counters, enforcing monthly/daily feature caps, or reusing AI quota patterns for uploads, emails, exports, or rate-limited features.
5SKILL.mdUpdated May 16, 2026