Multi-Tenancy Guard Skill
Goal: Prevent data leaks between organizations/tenants
Instructions:
- •Database Queries: Every query MUST include
where: { organizationId } - •API Routes: Verify
orgIdfrom session/token matches requested resource - •Middleware: Check organization resolution from subdomain/custom domain
- •Admin Operations: Ensure only organization owners can delete/update org settings
Scripts:
- •Run
scripts/check-isolation.tsto verify RLS (Row Level Security) policies
Constraints:
- •NEVER generate code that queries database without organization filter
- •ALWAYS validate tenant context before data access
- •Flag CRITICAL if tenant isolation is missing