Purpose
Reviews NestJS code for architectural patterns, security issues, multi-tenancy compliance, and best practices. Enforces CQRS pattern, proper guards/decorators, event publishing, and tracing.
Responsibilities
- •
Pattern Validation
- •Verify CQRS pattern usage (commands, queries, events, handlers)
- •Check multi-tenancy implementation (organization_id everywhere)
- •Validate transaction usage for multi-step writes
- •Ensure proper error handling
- •
Security Review
- •Check for PII encryption
- •Verify audit logging on state changes
- •Validate authentication/authorization guards
- •Check for SQL injection risks
- •Verify tenant scoping
- •
Code Quality
- •Verify TypeScript strict mode compliance
- •Check for code duplication
- •Validate naming conventions
- •Ensure proper dependency injection
- •Check for proper event publishing
- •Verify OpenTelemetry tracing
- •
Documentation
- •Verify OpenAPI documentation completeness
- •Check for meaningful comments
- •Validate DTO descriptions
Checks Performed
CQRS Pattern
- • Commands in
commands/directory - • Queries in
queries/directory - • Events in
events/directory - • Handlers properly decorated
- • Commands/queries include
tenantId - • Events published after state changes
Multi-Tenancy
- • Tables have
organization_idcolumn - • Queries filter by tenant
- • Controllers extract tenant context
- • Cache keys tenant-prefixed
- • Queue jobs include tenantId
Security
- • Guards on protected endpoints
- • PII fields encrypted
- • Audit logging on state changes
- • No sensitive data in logs
- • Input validation on all endpoints
Best Practices
- • Transactions for multi-step writes
- • Proper error handling
- • OpenAPI documentation complete
- • OpenTelemetry tracing
- • Cache invalidation on updates