Run any Skill in Manus with one click

Get Started

$pwd:

audit-rbac

Name: Audit Rbac
Author: trycompai

// Audit & fix RBAC and audit log compliance in API endpoints and frontend components

Run Skill in Manus

$ git log --oneline --stat

stars:1,596

forks:317

updated:April 27, 2026 at 13:56

SKILL.md

readonly

name	audit-rbac
description	Audit & fix RBAC and audit log compliance in API endpoints and frontend components

Audit the specified files or directories for RBAC and audit log compliance. Fix every issue found immediately.

Rules

API Endpoints (NestJS — `apps/api/src/`)

Every mutation endpoint (POST, PATCH, PUT, DELETE) MUST have @RequirePermission('resource', 'action'). If missing, add it.
Read endpoints (GET) should have @RequirePermission('resource', 'read'). If missing, add it.
Self-endpoints (e.g., /me/preferences) may skip @RequirePermission — authentication via HybridAuthGuard is sufficient.
Controller format: Must use @Controller({ path: 'name', version: '1' }), NOT @Controller('v1/name'). If wrong, fix it.
Guards: Use @UseGuards(HybridAuthGuard, PermissionGuard) at controller or endpoint level. Never skip PermissionGuard.
Webhooks: External webhook endpoints use @Public() — no auth required.

Frontend Components (`apps/app/src/`)

Every mutation element (button, form submit, toggle, switch, file upload) MUST be gated with usePermissions from @/hooks/use-permissions. If not:
- Create/Add buttons: Wrap with {hasPermission('resource', 'create') && <Button>...
- Edit/Delete in dropdown menus: Wrap the menu item
- Inline form fields on detail pages: Add disabled={!canUpdate}
- Status/property selectors: Add disabled={!canUpdate}
Actions columns in tables: hide entire column when user lacks write permission.
No manual role string parsing (role.includes('admin')) — use hasPermission().
Nav items: gate with canAccessRoute(permissions, 'routeSegment').
Page-level: call requireRoutePermission('segment', orgId) server-side.

Permission Resources

organization, member, control, evidence, policy, risk, vendor, task, framework, audit, finding, questionnaire, integration, apiKey, trust, pentest, app, compliance

Multi-Product RBAC

Products (compliance, pen testing) are org-level feature flags — NOT RBAC
app:read gates compliance dashboard; pentest:read gates security product
Custom roles can grant access to any combination of resources
Portal-only resources (policy, compliance) do NOT grant app access

Process

Read files specified in $ARGUMENTS (or scan the directory)
Check each rule above
Fix every violation immediately — don't just report
Run typecheck to verify: bunx turbo run typecheck --filter=@trycompai/api --filter=@trycompai/app

related-skills.json

same repository

api-endpoint-contract.md

from "trycompai/comp"

The contract every new or modified API endpoint must follow so it is correct for the public OpenAPI spec, the MCP server (npm @trycompai/mcp-server), the ValidationPipe, and the docs. Triggers on "new endpoint", "add API", "new DTO", "@Body", "@RequirePermission", "MCP tool", "edit controller in apps/api", "OpenAPI", or whenever editing controllers under apps/api/src/.

2026-05-281.6k

cleanup.md

from "trycompai/comp"

MUST run after writing or modifying code — reviews changed files for verbose patterns, inconsistencies, and readability issues before considering work done

2026-05-131.6k

billing.md

from "trycompai/comp"

Use when changing Comp AI billing, Stripe products/prices, subscription checkout, org payment methods, entitlements, usage ledgers, invoices, or billing webhooks.

2026-05-011.6k

audit-design-system.md

from "trycompai/comp"

Audit & fix design system usage — migrate @trycompai/ui and lucide-react to @trycompai/design-system

2026-04-271.6k

audit-hooks.md

from "trycompai/comp"

Audit & fix hooks and API usage patterns — eliminate server actions, raw fetch, and stale patterns

2026-04-271.6k

audit-tests.md

from "trycompai/comp"

Audit & fix unit tests for permission-gated components

2026-04-271.6k

package.json

"author": "trycompai"

"repository": "trycompai/comp"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Information Security AnalystsComputer and Mathematical Occupations15-1212L4

name	audit-rbac
description	Audit & fix RBAC and audit log compliance in API endpoints and frontend components

Audit the specified files or directories for RBAC and audit log compliance. Fix every issue found immediately.

Rules

API Endpoints (NestJS — `apps/api/src/`)

Every mutation endpoint (POST, PATCH, PUT, DELETE) MUST have @RequirePermission('resource', 'action'). If missing, add it.
Read endpoints (GET) should have @RequirePermission('resource', 'read'). If missing, add it.
Self-endpoints (e.g., /me/preferences) may skip @RequirePermission — authentication via HybridAuthGuard is sufficient.
Controller format: Must use @Controller({ path: 'name', version: '1' }), NOT @Controller('v1/name'). If wrong, fix it.
Guards: Use @UseGuards(HybridAuthGuard, PermissionGuard) at controller or endpoint level. Never skip PermissionGuard.
Webhooks: External webhook endpoints use @Public() — no auth required.

Frontend Components (`apps/app/src/`)

Every mutation element (button, form submit, toggle, switch, file upload) MUST be gated with usePermissions from @/hooks/use-permissions. If not:
- Create/Add buttons: Wrap with {hasPermission('resource', 'create') && <Button>...
- Edit/Delete in dropdown menus: Wrap the menu item
- Inline form fields on detail pages: Add disabled={!canUpdate}
- Status/property selectors: Add disabled={!canUpdate}
Actions columns in tables: hide entire column when user lacks write permission.
No manual role string parsing (role.includes('admin')) — use hasPermission().
Nav items: gate with canAccessRoute(permissions, 'routeSegment').
Page-level: call requireRoutePermission('segment', orgId) server-side.

Permission Resources

organization, member, control, evidence, policy, risk, vendor, task, framework, audit, finding, questionnaire, integration, apiKey, trust, pentest, app, compliance

Multi-Product RBAC

Products (compliance, pen testing) are org-level feature flags — NOT RBAC
app:read gates compliance dashboard; pentest:read gates security product
Custom roles can grant access to any combination of resources
Portal-only resources (policy, compliance) do NOT grant app access

Process

Read files specified in $ARGUMENTS (or scan the directory)
Check each rule above
Fix every violation immediately — don't just report
Run typecheck to verify: bunx turbo run typecheck --filter=@trycompai/api --filter=@trycompai/app

audit-rbac

Rules

API Endpoints (NestJS — apps/api/src/)

Frontend Components (apps/app/src/)

Permission Resources

Multi-Product RBAC

Process

More from this repository

Rules

API Endpoints (NestJS — apps/api/src/)

Frontend Components (apps/app/src/)

Permission Resources

Multi-Product RBAC

Process

More from this repository

API Endpoints (NestJS — `apps/api/src/`)

Frontend Components (`apps/app/src/`)

API Endpoints (NestJS — `apps/api/src/`)

Frontend Components (`apps/app/src/`)