Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

Começar

$pwd:

audit-rbac

Name: Audit Rbac
Author: trycompai

// Audit & fix RBAC and audit log compliance in API endpoints and frontend components

Executar no Manus

$ git log --oneline --stat

stars:1.596

forks:317

updated:27 de abril de 2026 às 13:56

SKILL.md

readonly

name	audit-rbac
description	Audit & fix RBAC and audit log compliance in API endpoints and frontend components

Audit the specified files or directories for RBAC and audit log compliance. Fix every issue found immediately.

Rules

API Endpoints (NestJS — `apps/api/src/`)

Every mutation endpoint (POST, PATCH, PUT, DELETE) MUST have @RequirePermission('resource', 'action'). If missing, add it.
Read endpoints (GET) should have @RequirePermission('resource', 'read'). If missing, add it.
Self-endpoints (e.g., /me/preferences) may skip @RequirePermission — authentication via HybridAuthGuard is sufficient.
Controller format: Must use @Controller({ path: 'name', version: '1' }), NOT @Controller('v1/name'). If wrong, fix it.
Guards: Use @UseGuards(HybridAuthGuard, PermissionGuard) at controller or endpoint level. Never skip PermissionGuard.
Webhooks: External webhook endpoints use @Public() — no auth required.

Frontend Components (`apps/app/src/`)

Every mutation element (button, form submit, toggle, switch, file upload) MUST be gated with usePermissions from @/hooks/use-permissions. If not:
- Create/Add buttons: Wrap with {hasPermission('resource', 'create') && <Button>...
- Edit/Delete in dropdown menus: Wrap the menu item
- Inline form fields on detail pages: Add disabled={!canUpdate}
- Status/property selectors: Add disabled={!canUpdate}
Actions columns in tables: hide entire column when user lacks write permission.
No manual role string parsing (role.includes('admin')) — use hasPermission().
Nav items: gate with canAccessRoute(permissions, 'routeSegment').
Page-level: call requireRoutePermission('segment', orgId) server-side.

Permission Resources

organization, member, control, evidence, policy, risk, vendor, task, framework, audit, finding, questionnaire, integration, apiKey, trust, pentest, app, compliance

Multi-Product RBAC

Products (compliance, pen testing) are org-level feature flags — NOT RBAC
app:read gates compliance dashboard; pentest:read gates security product
Custom roles can grant access to any combination of resources
Portal-only resources (policy, compliance) do NOT grant app access

Process

Read files specified in $ARGUMENTS (or scan the directory)
Check each rule above
Fix every violation immediately — don't just report
Run typecheck to verify: bunx turbo run typecheck --filter=@trycompai/api --filter=@trycompai/app

related-skills.json

mesmo repositório

api-endpoint-contract.md

from "trycompai/comp"

The contract every new or modified API endpoint must follow so it is correct for the public OpenAPI spec, the MCP server (npm @trycompai/mcp-server), the ValidationPipe, and the docs. Triggers on "new endpoint", "add API", "new DTO", "@Body", "@RequirePermission", "MCP tool", "edit controller in apps/api", "OpenAPI", or whenever editing controllers under apps/api/src/.

2026-05-281.6k

cleanup.md

from "trycompai/comp"

MUST run after writing or modifying code — reviews changed files for verbose patterns, inconsistencies, and readability issues before considering work done

2026-05-131.6k

billing.md

from "trycompai/comp"

Use when changing Comp AI billing, Stripe products/prices, subscription checkout, org payment methods, entitlements, usage ledgers, invoices, or billing webhooks.

2026-05-011.6k

audit-design-system.md

from "trycompai/comp"

Audit & fix design system usage — migrate @trycompai/ui and lucide-react to @trycompai/design-system

2026-04-271.6k

audit-hooks.md

from "trycompai/comp"

Audit & fix hooks and API usage patterns — eliminate server actions, raw fetch, and stale patterns

2026-04-271.6k

audit-tests.md

from "trycompai/comp"

Audit & fix unit tests for permission-gated components

2026-04-271.6k

package.json

"author": "trycompai"

"repository": "trycompai/comp"

Abrir repositório GitHub Ver repositórios do creator

$ install --global

$ download --local

Executar no Manus

$ useful --forSOC

Analistas de segurança da informaçãoInformática e Matemática15-1212L4

name	audit-rbac
description	Audit & fix RBAC and audit log compliance in API endpoints and frontend components

Audit the specified files or directories for RBAC and audit log compliance. Fix every issue found immediately.

Rules

API Endpoints (NestJS — `apps/api/src/`)

Every mutation endpoint (POST, PATCH, PUT, DELETE) MUST have @RequirePermission('resource', 'action'). If missing, add it.
Read endpoints (GET) should have @RequirePermission('resource', 'read'). If missing, add it.
Self-endpoints (e.g., /me/preferences) may skip @RequirePermission — authentication via HybridAuthGuard is sufficient.
Controller format: Must use @Controller({ path: 'name', version: '1' }), NOT @Controller('v1/name'). If wrong, fix it.
Guards: Use @UseGuards(HybridAuthGuard, PermissionGuard) at controller or endpoint level. Never skip PermissionGuard.
Webhooks: External webhook endpoints use @Public() — no auth required.

Frontend Components (`apps/app/src/`)

Every mutation element (button, form submit, toggle, switch, file upload) MUST be gated with usePermissions from @/hooks/use-permissions. If not:
- Create/Add buttons: Wrap with {hasPermission('resource', 'create') && <Button>...
- Edit/Delete in dropdown menus: Wrap the menu item
- Inline form fields on detail pages: Add disabled={!canUpdate}
- Status/property selectors: Add disabled={!canUpdate}
Actions columns in tables: hide entire column when user lacks write permission.
No manual role string parsing (role.includes('admin')) — use hasPermission().
Nav items: gate with canAccessRoute(permissions, 'routeSegment').
Page-level: call requireRoutePermission('segment', orgId) server-side.

Permission Resources

organization, member, control, evidence, policy, risk, vendor, task, framework, audit, finding, questionnaire, integration, apiKey, trust, pentest, app, compliance

Multi-Product RBAC

Products (compliance, pen testing) are org-level feature flags — NOT RBAC
app:read gates compliance dashboard; pentest:read gates security product
Custom roles can grant access to any combination of resources
Portal-only resources (policy, compliance) do NOT grant app access

Process

Read files specified in $ARGUMENTS (or scan the directory)
Check each rule above
Fix every violation immediately — don't just report
Run typecheck to verify: bunx turbo run typecheck --filter=@trycompai/api --filter=@trycompai/app

audit-rbac

Rules

API Endpoints (NestJS — apps/api/src/)

Frontend Components (apps/app/src/)

Permission Resources

Multi-Product RBAC

Process

Mais deste repositório

Mais deste repositório

Rules

API Endpoints (NestJS — apps/api/src/)

Frontend Components (apps/app/src/)

Permission Resources

Multi-Product RBAC

Process

API Endpoints (NestJS — `apps/api/src/`)

Frontend Components (`apps/app/src/`)

API Endpoints (NestJS — `apps/api/src/`)

Frontend Components (`apps/app/src/`)