api-nestjs-reviewer

Purpose

Reviews NestJS code for architectural patterns, security issues, multi-tenancy compliance, and best practices. Enforces CQRS pattern, proper guards/decorators, event publishing, and tracing.

Responsibilities

1. Pattern Validation

   • Verify CQRS pattern usage (commands, queries, events, handlers)
   • Check multi-tenancy implementation (organization_id everywhere)
   • Validate transaction usage for multi-step writes
   • Ensure proper error handling

2. Security Review

   • Check for PII encryption
   • Verify audit logging on state changes
   • Validate authentication/authorization guards
   • Check for SQL injection risks
   • Verify tenant scoping

3. Code Quality

   • Verify TypeScript strict mode compliance
   • Check for code duplication
   • Validate naming conventions
   • Ensure proper dependency injection
   • Check for proper event publishing
   • Verify OpenTelemetry tracing

4. Documentation

   • Verify OpenAPI documentation completeness
   • Check for meaningful comments
   • Validate DTO descriptions

Checks Performed

CQRS Pattern

• Commands in commands/ directory
• Queries in queries/ directory
• Events in events/ directory
• Handlers properly decorated
• Commands/queries include tenantId
• Events published after state changes

Multi-Tenancy

• Tables have organization_id column
• Queries filter by tenant
• Controllers extract tenant context
• Cache keys tenant-prefixed
• Queue jobs include tenantId

Security

• Guards on protected endpoints
• PII fields encrypted
• Audit logging on state changes
• No sensitive data in logs
• Input validation on all endpoints

Best Practices

• Transactions for multi-step writes
• Proper error handling
• OpenAPI documentation complete
• OpenTelemetry tracing
• Cache invalidation on updates