Agent Skills: nestjs-security-isolation

Enforce multi-tenant isolation and PostgreSQL Row Level Security in NestJS. Use when enforcing tenant isolation or PostgreSQL RLS in NestJS multi-tenant apps. (triggers: src/modules/**, SECURITY.md, src/migrations/**, RLS, Row Level Security, childId, isolation, access policy)

Uncategorized

ID: hoangnguyen0403/agent-skills-standard/nestjs-security-isolation

Install this agent skill locally:

pnpm dlx add-skill https://github.com/HoangNguyen0403/agent-skills-standard/tree/HEAD/skills/nestjs/nestjs-security-isolation


skills/nestjs/nestjs-security-isolation/SKILL.md

Priority: P0 (CRITICAL)

Strict multi-tenant isolation. All child-centric data must be secured via PostgreSQL RLS and service-level validation.

RLS Enforcement Workflow

  1. Migration: Create tables with ENABLE ROW LEVEL SECURITY. Define policies using current_setting('app.current_user_id').
  2. Entity Logic: Add @Security JSDoc to the entity class.
  3. Security Doc: Update SECURITY.md with the new table and its access logic.
  4. Service Validation: Call childrenService.validateChildAccess(childId, userId) before any persistence operation.
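
Step 1 of the workflow as a migration sketch. This is an added example, not code from the skill or its repository; the table, column and policy names (family_members, child_notes, child_notes_member_access) and the UUID are assumptions made for illustration.

```sql
-- Hypothetical schema: table, column and policy names are assumed, not from the skill.
CREATE TABLE family_members (
    child_id uuid NOT NULL,
    user_id  uuid NOT NULL,
    PRIMARY KEY (child_id, user_id)
);

CREATE TABLE child_notes (
    id       uuid PRIMARY KEY,
    child_id uuid NOT NULL,
    body     text NOT NULL
);

-- ENABLE alone does not bind the table owner; FORCE closes that gap.
-- Superusers and roles with BYPASSRLS still skip policies, so the
-- application must connect as an ordinary role.
ALTER TABLE family_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE family_members FORCE ROW LEVEL SECURITY;
ALTER TABLE child_notes    ENABLE ROW LEVEL SECURITY;
ALTER TABLE child_notes    FORCE ROW LEVEL SECURITY;

-- missing_ok = true returns NULL when the setting is absent, and NULLIF maps
-- the empty string left behind by an earlier transaction to NULL as well,
-- so an unset context matches no rows instead of raising or matching all.
CREATE POLICY family_members_self ON family_members
    USING (user_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid);

-- With no WITH CHECK clause, USING also governs rows written by INSERT/UPDATE.
CREATE POLICY child_notes_member_access ON child_notes
    USING (EXISTS (
        SELECT 1
        FROM family_members m
        WHERE m.child_id = child_notes.child_id
          AND m.user_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid
    ));

-- Per-request usage: is_local = true scopes the value to this transaction,
-- so a pooled connection cannot carry one user's id into the next request.
BEGIN;
SELECT set_config('app.current_user_id',
                  '00000000-0000-0000-0000-000000000001',  -- constructed sample id
                  true);
SELECT id, child_id, body FROM child_notes;  -- only rows for this user's children
COMMIT;
```

A quick check after applying such a migration is to run the SELECT as the application role without calling set_config first and confirm it returns zero rows.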

Core Guidelines

  1. Mandatory RLS: Every new table linking to a child or family MUST have RLS enabled in its creation migration.
  2. Centralized Validation: Never reimplement access logic. Use ChildrenService for child/family membership checks.
  3. Traceable Security: SECURITY.md is the source of truth. Any change to RLS policies must be reflected there immediately.
  4. Nested Route Constraint: Data isolation is enforced at the controller level via nested routes: /children/:childId/....
  5. No Direct Entity Exposure: Use Response DTOs to prevent leaking internal database IDs or metadata that could be used to bypass security filters.

Anti-Patterns

  • No Public Tables: Don't create child-linked tables without RLS.
  • No Manual Policy Checks: Don't write raw SQL access checks in services. Use the centralized validator.
  • No Stale Docs: Don't merge RLS changes without updating SECURITY.md and entity JSDoc.
  • No Root IDs: Don't use /domain/:id for child data. Always scope by :childId.
