rzyfront/vendix-s3-storage
skills/vendix-s3-storage/SKILL.md
S3 storage patterns for Vendix uploads: store S3 keys, never signed URLs, validate safe keys, centralize upload paths, use image presets, and sign URLs only for reads. Trigger: When uploading files, handling S3 URLs, or saving image/logo/favicon URLs to database.
$ install --global
skillsauthnpx skillsauth add rzyfront/vendix vendix-s3-storageInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 16, 2026, 5:14 AM190.7s1 file scanned
SKILL.md
- name:
- vendix-s3-storage
- description:
- >
- S3 storage patterns for Vendix uploads:
- store S3 keys, never signed URLs, validate safe
- license:
- MIT
- author:
- rzyfront
- version:
- 2.0
- scope:
- [root]
- auto_invoke:
- Uploading files, handling S3 URLs, or saving image URLs to database
Vendix S3 Storage
Source of Truth
apps/backend/src/common/services/s3.service.tsapps/backend/src/common/helpers/s3-url.helper.tsapps/backend/src/common/helpers/s3-path.helper.tsapps/backend/src/common/config/image-presets.tsapps/backend/src/common/decorators/is-safe-s3-key.decorator.ts
Core Rule
Persist S3 keys, not presigned URLs. Signed URLs expire and will break stored images.
Correct flow:
upload -> key stored in DB -> read response signs key -> frontend receives fresh URL
Use S3Service.sanitizeForStorage(urlOrKey) before saving image/logo/favicon fields. It delegates to extractS3KeyFromUrl().
Safety Rules
- Validate read/delete keys with
isSafeS3Key()/validateS3Key(). - Use
@IsSafeS3Keyfor DTO fields that should contain S3 keys. - Centralize upload paths with
S3PathHelper; do not hand-build ad-hoc key prefixes in services. - Use image contexts/presets from
image-presets.tsfor resizing/optimization behavior. - Allow external absolute URLs only when the owning flow explicitly supports external assets.
Save Pattern
const image_url = this.s3Service.sanitizeForStorage(dto.image_url);
await this.prisma.products.update({ data: { image_url } });
Read Pattern
return {
...record,
image_url: await this.s3Service.signUrl(record.image_url),
};
Common Fields
- Product/category image fields.
- Brand/store/organization logos.
- Settings
logo_url/favicon_url. - Ecommerce slider/gallery image keys.
Related Skills
vendix-validationvendix-backendvendix-settings-system
Related Skills
rzyfront/mobile-dev
development
VerifiedTrustedCommunity
Mobile app development rules for Vendix Expo/React Native project. Trigger: When editing, creating, or modifying any file under apps/mobile, or when developing mobile-specific features.
5SKILL.mdUpdated May 29, 2026
rzyfront/vendix-subscription-gate
development
VerifiedTrustedCommunity
Feature gating by store subscription state: global store write guard, AI feature gate, Redis feature resolution, quota consumption, frontend paywall interceptor, banner, and subscription UI states. Trigger: When adding feature gates, paywalls, subscription-based access control, protecting store write operations, AI feature gates, or rollout flags.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-saas-billing
testing
VerifiedTrustedCommunity
SaaS subscription billing for Vendix stores: plan pricing, invoices, Wompi platform payments, manual payments, partner commissions, payouts, proration, and dunning. Trigger: When creating SaaS invoices, working with partner rev-share, margin/surcharge pricing, invoice sequence allocation, partner payout batches, subscription payments, manual payments, or dunning flows.
5SKILL.mdUpdated May 16, 2026
rzyfront/vendix-redis-quota
development
VerifiedTrustedCommunity
Periodic quota counters with Redis, UTC period keys, Lua-based idempotent AI quota consumption, request-id deduplication, and post-success consumption. Trigger: When building quota counters, enforcing monthly/daily feature caps, or reusing AI quota patterns for uploads, emails, exports, or rate-limited features.
5SKILL.mdUpdated May 16, 2026