zenstack_skill
- Shell
0
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill beshkenadze/claude-skills-marketplace --skill zenstack- SKILL.md13.8 KB
Overview
This skill provides ZenStack integration patterns, access policy examples, and Prisma/tRPC setup recipes to add type-safe, schema-level authorization to your app. It focuses on ZModel policy syntax (@@allow/@@deny and field-level directives), enhanced Prisma clients, and v3 Kysely-based features. Use it to implement RBAC/ABAC/multi-tenant rules and to generate tRPC routers and validations from schema.
How this skill works
The skill inspects ZModel schema snippets and shows how to declare model- and field-level allow/deny policies, validation attributes, and common patterns (soft delete, time-based, hierarchical access). It explains how to enhance a Prisma client with user context using enhance(), generate tRPC routers, and run ZenStack CLI commands. It also contrasts v2 (Prisma) and v3 (Kysely) runtimes and demonstrates migration steps.
When to use it
- You need schema-level access control (RBAC/ABAC/ReBAC/PBAC) in Prisma-based apps
- Generating type-safe tRPC routers from your ZModel schemas
- Implementing multi-tenant data isolation or organization-scoped access
- Hiding sensitive fields and adding field-level validations
- Migrating from Prisma or from ZenStack v2 to v3 (Kysely-based)
Best practices
- Start with deny-by-default and whitelist specific allows
- Always guard auth() checks for null (auth() != null)
- Prefer schema-level validation attributes over ad-hoc app checks
- Keep policy expressions simple; move complex logic to helpers
- Use check() to test permissions without hitting the DB
- Use v3 for new projects when you need Kysely dual-API and smaller footprint
Example use cases
- Add RBAC to an existing Post model with @@allow and @@deny rules
- Auto-generate tRPC routers and wire them into a Next.js API context
- Implement soft delete where deleted records are hidden and updates set deleted flag
- Isolate tenant data by referencing org.members in @@allow rules
- Protect sensitive fields (email/password/ssn) with field-level @allow/@deny
FAQ
@@deny takes precedence over @@allow; always assume a deny will override any allow matching the same operation.
Can I test permissions without running a query?
Yes—use check() from @zenstackhq/runtime to evaluate create/read/update/delete permission checks and get allowed/reason results.