npm - @nextsparkjs/ai-workflow - Versions diffs - 0.1.0-beta.100 - Mend

@nextsparkjs/ai-workflow 0.1.0-beta.100

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

package/LICENSE +21 -0
package/README.md +115 -0
package/claude/_docs/workflows-optimizations.md +359 -0
package/claude/agents/api-tester.md +634 -0
package/claude/agents/architecture-supervisor.md +1351 -0
package/claude/agents/backend-developer.md +997 -0
package/claude/agents/backend-validator.md +417 -0
package/claude/agents/bdd-docs-writer.md +737 -0
package/claude/agents/block-developer.md +677 -0
package/claude/agents/code-reviewer.md +1432 -0
package/claude/agents/db-developer.md +721 -0
package/claude/agents/db-validator.md +407 -0
package/claude/agents/demo-video-generator.md +493 -0
package/claude/agents/documentation-writer.md +1268 -0
package/claude/agents/frontend-developer.md +1234 -0
package/claude/agents/frontend-validator.md +777 -0
package/claude/agents/functional-validator.md +630 -0
package/claude/agents/mock-analyst.md +387 -0
package/claude/agents/product-manager.md +963 -0
package/claude/agents/qa-automation.md +1762 -0
package/claude/agents/release-manager.md +634 -0
package/claude/agents/selectors-translator.md +262 -0
package/claude/agents/unit-test-writer.md +785 -0
package/claude/agents/visual-comparator.md +329 -0
package/claude/agents/workflow-maintainer.md +352 -0
package/claude/commands/do/README.md +88 -0
package/claude/commands/do/create-api.md +64 -0
package/claude/commands/do/create-entity.md +66 -0
package/claude/commands/do/create-migration.md +64 -0
package/claude/commands/do/create-plugin.md +56 -0
package/claude/commands/do/create-theme.md +70 -0
package/claude/commands/do/mock-data.md +67 -0
package/claude/commands/do/reset-db.md +71 -0
package/claude/commands/do/setup-scheduled-action.md +75 -0
package/claude/commands/do/sync-code-review.md +117 -0
package/claude/commands/do/update-selectors.md +112 -0
package/claude/commands/do/use-skills.md +90 -0
package/claude/commands/do/validate-blocks.md +69 -0
package/claude/commands/how-to/README.md +261 -0
package/claude/commands/how-to/add-metadata.md +692 -0
package/claude/commands/how-to/add-taxonomies.md +806 -0
package/claude/commands/how-to/add-translations.md +571 -0
package/claude/commands/how-to/create-api.md +577 -0
package/claude/commands/how-to/create-block.md +575 -0
package/claude/commands/how-to/create-child-entities.md +771 -0
package/claude/commands/how-to/create-entity.md +597 -0
package/claude/commands/how-to/create-migrations.md +605 -0
package/claude/commands/how-to/create-plugin.md +654 -0
package/claude/commands/how-to/customize-app.md +481 -0
package/claude/commands/how-to/customize-dashboard.md +553 -0
package/claude/commands/how-to/customize-theme.md +438 -0
package/claude/commands/how-to/define-features-flows.md +632 -0
package/claude/commands/how-to/deploy.md +507 -0
package/claude/commands/how-to/handle-file-uploads.md +746 -0
package/claude/commands/how-to/implement-search.md +1001 -0
package/claude/commands/how-to/install-plugins.md +352 -0
package/claude/commands/how-to/manage-test-coverage.md +984 -0
package/claude/commands/how-to/run-tests.md +400 -0
package/claude/commands/how-to/set-app-languages.md +601 -0
package/claude/commands/how-to/set-plans-and-permissions.md +575 -0
package/claude/commands/how-to/set-scheduled-actions.md +527 -0
package/claude/commands/how-to/set-user-roles-and-permissions.md +550 -0
package/claude/commands/how-to/setup-authentication.md +388 -0
package/claude/commands/how-to/setup-claude-code.md +440 -0
package/claude/commands/how-to/setup-database.md +274 -0
package/claude/commands/how-to/setup-email-providers.md +598 -0
package/claude/commands/how-to/setup-mobile-dev.md +627 -0
package/claude/commands/how-to/start.md +500 -0
package/claude/commands/how-to/use-devtools.md +639 -0
package/claude/commands/how-to/use-superadmin.md +622 -0
package/claude/commands/session/README.md +193 -0
package/claude/commands/session/block-create.md +190 -0
package/claude/commands/session/block-list.md +203 -0
package/claude/commands/session/block-update.md +192 -0
package/claude/commands/session/block-validate.md +218 -0
package/claude/commands/session/changelog.md +115 -0
package/claude/commands/session/close.md +225 -0
package/claude/commands/session/commit.md +174 -0
package/claude/commands/session/db-entity.md +206 -0
package/claude/commands/session/db-fix.md +212 -0
package/claude/commands/session/db-sample.md +206 -0
package/claude/commands/session/demo.md +178 -0
package/claude/commands/session/doc-bdd.md +207 -0
package/claude/commands/session/doc-feature.md +218 -0
package/claude/commands/session/doc-read.md +225 -0
package/claude/commands/session/execute.md +204 -0
package/claude/commands/session/explain.md +202 -0
package/claude/commands/session/fix-bug.md +210 -0
package/claude/commands/session/fix-build.md +182 -0
package/claude/commands/session/fix-test.md +189 -0
package/claude/commands/session/pending.md +232 -0
package/claude/commands/session/refine.md +188 -0
package/claude/commands/session/resume.md +192 -0
package/claude/commands/session/review.md +192 -0
package/claude/commands/session/scope-change.md +181 -0
package/claude/commands/session/start-blocks.md +347 -0
package/claude/commands/session/start.md +604 -0
package/claude/commands/session/status.md +169 -0
package/claude/commands/session/test-fix.md +221 -0
package/claude/commands/session/test-run.md +203 -0
package/claude/commands/session/test-write.md +242 -0
package/claude/commands/session/validate.md +162 -0
package/claude/config/context.json +40 -0
package/claude/config/github.json +69 -0
package/claude/config/github.schema.json +106 -0
package/claude/config/team.json +46 -0
package/claude/config/team.schema.json +106 -0
package/claude/config/workspace.json +43 -0
package/claude/config/workspace.schema.json +75 -0
package/claude/skills/README.md +228 -0
package/claude/skills/accessibility/SKILL.md +573 -0
package/claude/skills/api-bypass-layers/SKILL.md +550 -0
package/claude/skills/asana-integration/SKILL.md +499 -0
package/claude/skills/better-auth/SKILL.md +666 -0
package/claude/skills/billing-subscriptions/SKILL.md +660 -0
package/claude/skills/block-decision-matrix/SKILL.md +359 -0
package/claude/skills/clickup-integration/SKILL.md +434 -0
package/claude/skills/core-theme-responsibilities/SKILL.md +485 -0
package/claude/skills/create-plugin/SKILL.md +425 -0
package/claude/skills/create-theme/SKILL.md +331 -0
package/claude/skills/cypress-api/SKILL.md +511 -0
package/claude/skills/cypress-api/scripts/generate-api-controller.py +329 -0
package/claude/skills/cypress-api/scripts/generate-api-test.py +930 -0
package/claude/skills/cypress-e2e/SKILL.md +526 -0
package/claude/skills/cypress-e2e/scripts/extract-selectors.py +383 -0
package/claude/skills/cypress-e2e/scripts/generate-uat-test.py +788 -0
package/claude/skills/cypress-selectors/SKILL.md +309 -0
package/claude/skills/cypress-selectors/scripts/extract-missing.py +243 -0
package/claude/skills/cypress-selectors/scripts/generate-block-selectors.py +283 -0
package/claude/skills/cypress-selectors/scripts/validate-selectors.py +145 -0
package/claude/skills/database-migrations/SKILL.md +335 -0
package/claude/skills/database-migrations/scripts/generate-sample-data.py +284 -0
package/claude/skills/database-migrations/scripts/validate-migration.py +323 -0
package/claude/skills/design-system/SKILL.md +682 -0
package/claude/skills/documentation/SKILL.md +540 -0
package/claude/skills/entity-api/SKILL.md +482 -0
package/claude/skills/entity-system/SKILL.md +635 -0
package/claude/skills/entity-system/scripts/generate-child-migration.py +298 -0
package/claude/skills/entity-system/scripts/generate-metas-migration.py +233 -0
package/claude/skills/entity-system/scripts/generate-migration.py +382 -0
package/claude/skills/entity-system/scripts/generate-sample-data.py +418 -0
package/claude/skills/entity-system/scripts/scaffold-entity.py +661 -0
package/claude/skills/github/SKILL.md +467 -0
package/claude/skills/i18n-nextintl/SKILL.md +302 -0
package/claude/skills/i18n-nextintl/scripts/add-translation.py +243 -0
package/claude/skills/i18n-nextintl/scripts/extract-hardcoded.py +246 -0
package/claude/skills/i18n-nextintl/scripts/validate-translations.py +260 -0
package/claude/skills/impact-analysis/SKILL.md +203 -0
package/claude/skills/jest-unit/SKILL.md +306 -0
package/claude/skills/jest-unit/references/component-testing.md +371 -0
package/claude/skills/jest-unit/references/mocking-patterns.md +380 -0
package/claude/skills/jest-unit/references/service-hook-testing.md +454 -0
package/claude/skills/jira-integration/SKILL.md +539 -0
package/claude/skills/media-library/SKILL.md +743 -0
package/claude/skills/mock-analysis/SKILL.md +276 -0
package/claude/skills/monorepo-architecture/SKILL.md +162 -0
package/claude/skills/nextjs-api-development/SKILL.md +364 -0
package/claude/skills/nextjs-api-development/scripts/generate-crud-tests.py +456 -0
package/claude/skills/nextjs-api-development/scripts/scaffold-endpoint.py +481 -0
package/claude/skills/nextjs-api-development/scripts/validate-api.py +283 -0
package/claude/skills/notion-integration/SKILL.md +641 -0
package/claude/skills/npm-development-workflow/SKILL.md +480 -0
package/claude/skills/page-builder-blocks/SKILL.md +530 -0
package/claude/skills/page-builder-blocks/scripts/scaffold-block.py +444 -0
package/claude/skills/permissions-system/SKILL.md +619 -0
package/claude/skills/plugins/SKILL.md +340 -0
package/claude/skills/plugins/references/plugin-templates.md +414 -0
package/claude/skills/plugins/references/plugin-testing.md +353 -0
package/claude/skills/plugins/references/plugin-types.md +198 -0
package/claude/skills/plugins/scripts/scaffold-plugin.py +443 -0
package/claude/skills/pom-patterns/SKILL.md +452 -0
package/claude/skills/pom-patterns/scripts/generate-pom.py +392 -0
package/claude/skills/rate-limiting/SKILL.md +342 -0
package/claude/skills/react-best-practices/AGENTS.md +2410 -0
package/claude/skills/react-best-practices/README.md +123 -0
package/claude/skills/react-best-practices/SKILL.md +125 -0
package/claude/skills/react-best-practices/metadata.json +15 -0
package/claude/skills/react-best-practices/rules/_sections.md +46 -0
package/claude/skills/react-best-practices/rules/_template.md +28 -0
package/claude/skills/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
package/claude/skills/react-best-practices/rules/advanced-use-latest.md +49 -0
package/claude/skills/react-best-practices/rules/async-api-routes.md +38 -0
package/claude/skills/react-best-practices/rules/async-defer-await.md +80 -0
package/claude/skills/react-best-practices/rules/async-dependencies.md +36 -0
package/claude/skills/react-best-practices/rules/async-parallel.md +28 -0
package/claude/skills/react-best-practices/rules/async-suspense-boundaries.md +99 -0
package/claude/skills/react-best-practices/rules/bundle-barrel-imports.md +59 -0
package/claude/skills/react-best-practices/rules/bundle-conditional.md +31 -0
package/claude/skills/react-best-practices/rules/bundle-defer-third-party.md +49 -0
package/claude/skills/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
package/claude/skills/react-best-practices/rules/bundle-preload.md +50 -0
package/claude/skills/react-best-practices/rules/client-event-listeners.md +74 -0
package/claude/skills/react-best-practices/rules/client-localstorage-schema.md +71 -0
package/claude/skills/react-best-practices/rules/client-passive-event-listeners.md +48 -0
package/claude/skills/react-best-practices/rules/client-swr-dedup.md +56 -0
package/claude/skills/react-best-practices/rules/js-batch-dom-css.md +82 -0
package/claude/skills/react-best-practices/rules/js-cache-function-results.md +80 -0
package/claude/skills/react-best-practices/rules/js-cache-property-access.md +28 -0
package/claude/skills/react-best-practices/rules/js-cache-storage.md +70 -0
package/claude/skills/react-best-practices/rules/js-combine-iterations.md +32 -0
package/claude/skills/react-best-practices/rules/js-early-exit.md +50 -0
package/claude/skills/react-best-practices/rules/js-hoist-regexp.md +45 -0
package/claude/skills/react-best-practices/rules/js-index-maps.md +37 -0
package/claude/skills/react-best-practices/rules/js-length-check-first.md +49 -0
package/claude/skills/react-best-practices/rules/js-min-max-loop.md +82 -0
package/claude/skills/react-best-practices/rules/js-set-map-lookups.md +24 -0
package/claude/skills/react-best-practices/rules/js-tosorted-immutable.md +57 -0
package/claude/skills/react-best-practices/rules/rendering-activity.md +26 -0
package/claude/skills/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
package/claude/skills/react-best-practices/rules/rendering-conditional-render.md +40 -0
package/claude/skills/react-best-practices/rules/rendering-content-visibility.md +38 -0
package/claude/skills/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
package/claude/skills/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
package/claude/skills/react-best-practices/rules/rendering-svg-precision.md +28 -0
package/claude/skills/react-best-practices/rules/rerender-defer-reads.md +39 -0
package/claude/skills/react-best-practices/rules/rerender-dependencies.md +45 -0
package/claude/skills/react-best-practices/rules/rerender-derived-state.md +29 -0
package/claude/skills/react-best-practices/rules/rerender-functional-setstate.md +74 -0
package/claude/skills/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
package/claude/skills/react-best-practices/rules/rerender-memo.md +44 -0
package/claude/skills/react-best-practices/rules/rerender-transitions.md +40 -0
package/claude/skills/react-best-practices/rules/server-after-nonblocking.md +73 -0
package/claude/skills/react-best-practices/rules/server-cache-lru.md +41 -0
package/claude/skills/react-best-practices/rules/server-cache-react.md +76 -0
package/claude/skills/react-best-practices/rules/server-parallel-fetching.md +83 -0
package/claude/skills/react-best-practices/rules/server-serialization.md +38 -0
package/claude/skills/react-patterns/SKILL.md +688 -0
package/claude/skills/registry-system/SKILL.md +331 -0
package/claude/skills/scheduled-actions/SKILL.md +671 -0
package/claude/skills/scope-enforcement/SKILL.md +542 -0
package/claude/skills/scope-enforcement/scripts/validate-scope.py +357 -0
package/claude/skills/server-actions/SKILL.md +493 -0
package/claude/skills/service-layer/SKILL.md +587 -0
package/claude/skills/session-management/SKILL.md +266 -0
package/claude/skills/session-management/scripts/create-session.py +166 -0
package/claude/skills/session-management/scripts/iteration-close.sh +105 -0
package/claude/skills/session-management/scripts/iteration-init.sh +180 -0
package/claude/skills/session-management/scripts/session-archive.sh +87 -0
package/claude/skills/session-management/scripts/session-close.sh +133 -0
package/claude/skills/session-management/scripts/session-init.sh +225 -0
package/claude/skills/session-management/scripts/session-list.sh +163 -0
package/claude/skills/session-management/scripts/split-plan.sh +116 -0
package/claude/skills/shadcn-components/SKILL.md +586 -0
package/claude/skills/shadcn-theming/SKILL.md +446 -0
package/claude/skills/suspense-loading/SKILL.md +280 -0
package/claude/skills/tailwind-theming/SKILL.md +507 -0
package/claude/skills/tanstack-query/SKILL.md +608 -0
package/claude/skills/test-coverage/SKILL.md +239 -0
package/claude/skills/web-design-guidelines/SKILL.md +39 -0
package/claude/skills/zod-validation/SKILL.md +537 -0
package/claude/templates/blocks/progress.md +86 -0
package/claude/templates/iteration/changes.md +61 -0
package/claude/templates/iteration/progress.md +55 -0
package/claude/templates/log.md +31 -0
package/claude/templates/story/context.md +77 -0
package/claude/templates/story/pendings.md +37 -0
package/claude/templates/story/plan.md +299 -0
package/claude/templates/story/requirements.md +109 -0
package/claude/templates/story/scope.json +10 -0
package/claude/templates/story/tests.md +91 -0
package/claude/templates/task/progress.md +58 -0
package/claude/templates/task/requirements.md +54 -0
package/claude/workflows/README.md +154 -0
package/claude/workflows/blocks.md +614 -0
package/claude/workflows/story.md +1207 -0
package/claude/workflows/task.md +927 -0
package/claude/workflows/tweak.md +527 -0
package/cursor/.gitkeep +0 -0
package/package.json +35 -0
package/scripts/postinstall.mjs +198 -0
package/scripts/setup.mjs +282 -0
package/scripts/sync.mjs +209 -0

package/claude/skills/api-bypass-layers/SKILL.md ADDED Viewed

@@ -0,0 +1,550 @@
+---
+name: api-bypass-layers
+description: |
+  Multi-layer security architecture for API bypass (superadmin/developer).
+  Covers authentication layers, authorization, team context, RLS policies, and three-layer bypass validation.
+  Use this skill when implementing admin bypass features or validating security architecture.
+allowed-tools: Read, Glob, Grep
+version: 1.1.0
+---
+# API Bypass Layers Skill
+Security architecture for superadmin and developer bypass access in the API layer.
+## File References
+| File | Purpose |
+|------|---------|
+| `packages/core/src/lib/api/auth/dual-auth.ts` | App-level bypass (canBypassTeamContext) |
+| `packages/core/src/lib/api/entity/generic-handler.ts` | CRUD handler (validateTeamContextWithBypass) |
+| `packages/core/migrations/001_better_auth_and_functions.sql` | get_auth_user_id() function |
+| `packages/core/migrations/010_teams_functions_triggers.sql` | can_bypass_rls(), get_user_team_ids(), RLS policies |
+| `packages/core/migrations/090_sample_data.sql` | System Admin Team (team-nextspark-001) |
+## Architecture Overview
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    LAYER 1: AUTHENTICATION                       │
+├─────────────────────────────────────────────────────────────────┤
+│  API Key Auth              │  Session Auth                      │
+│  ├─ x-api-key header       │  ├─ Browser cookies                │
+│  ├─ Constant-time delay    │  ├─ Better Auth framework          │
+│  ├─ Key expiration check   │  └─ Full access (scopes: ['all'])  │
+│  ├─ Failed attempt lockout │                                    │
+│  └─ Scoped permissions     │                                    │
+└─────────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────────┐
+│                    LAYER 2: AUTHORIZATION                        │
+├─────────────────────────────────────────────────────────────────┤
+│  Admin Bypass Check (Three-Layer Validation)                    │
+│  ├─ LAYER 1: Role check (superadmin OR developer)               │
+│  ├─ LAYER 2: Header confirmation (x-admin-bypass)               │
+│  └─ LAYER 3: System Admin Team membership (team-nextspark-001)  │
+│                                                                  │
+│  Permission Check                                                │
+│  ├─ Entity-level permissions (entity.action format)             │
+│  ├─ Team role hierarchy (owner > admin > member > viewer)       │
+│  └─ Scope validation for API keys                               │
+└─────────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────────┐
+│                    LAYER 3: TEAM CONTEXT                         │
+├─────────────────────────────────────────────────────────────────┤
+│  Normal Mode (isBypass = false)                                 │
+│  ├─ x-team-id header REQUIRED                                   │
+│  ├─ Validate user is team member                                │
+│  ├─ Filter by teamId AND userId                                 │
+│  └─ Reject if not member (403 TEAM_ACCESS_DENIED)               │
+│                                                                  │
+│  Bypass Mode (isBypass = true)                                  │
+│  ├─ x-team-id header OPTIONAL                                   │
+│  ├─ Skip membership validation                                  │
+│  ├─ Skip userId filter                                          │
+│  └─ Cross-team or specific team access                          │
+└─────────────────────────────────────────────────────────────────┘
+                              ↓
+┌─────────────────────────────────────────────────────────────────┐
+│                    LAYER 4: DATABASE RLS                         │
+├─────────────────────────────────────────────────────────────────┤
+│  PostgreSQL Row Level Security (Final Defense)                  │
+│  ├─ can_bypass_rls() - superadmin ALWAYS, developer IF member   │
+│  ├─ get_auth_user_id() - reads from app.user_id GUC             │
+│  ├─ get_user_team_ids() - array of user's teams                 │
+│  └─ Policies: SELECT/INSERT/UPDATE/DELETE per table             │
+│                                                                  │
+│  Example Policy:                                                 │
+│  can_bypass_rls() OR teamId = ANY(get_user_team_ids())          │
+└─────────────────────────────────────────────────────────────────┘
+```
+## When to Use This Skill
+- Understanding the multi-layer security model
+- Implementing admin bypass for new features
+- Debugging authorization issues
+- Validating RLS policies work correctly
+- Adding new bypass-protected endpoints
+- Testing cross-team access scenarios
+## Constants
+**File:** `packages/core/src/lib/api/auth/dual-auth.ts:13-31`
+```typescript
+// System Admin Team - Members can bypass team context validation
+export const SYSTEM_ADMIN_TEAM_ID = 'team-nextspark-001'
+// Header required to confirm cross-team access intention
+export const ADMIN_BYPASS_HEADER = 'x-admin-bypass'
+export const ADMIN_BYPASS_VALUE = 'confirm-cross-team-access'
+// Roles that can potentially bypass team context
+const ELEVATED_ROLES = ['superadmin', 'developer'] as const
+```
+## App-Level Bypass: canBypassTeamContext()
+**File:** `packages/core/src/lib/api/auth/dual-auth.ts:205-226`
+Three-layer validation for admin bypass at the application level:
+```typescript
+export async function canBypassTeamContext(
+  authResult: DualAuthResult,
+  request: NextRequest
+): Promise<boolean> {
+  // LAYER 1: Must have elevated role
+  if (!authResult.success || !authResult.user) return false
+  const hasElevatedRole = ELEVATED_ROLES.includes(
+    authResult.user.role as typeof ELEVATED_ROLES[number]
+  )
+  if (!hasElevatedRole) return false
+  // LAYER 2: Must include confirmation header
+  const bypassHeader = request.headers.get(ADMIN_BYPASS_HEADER)
+  if (bypassHeader !== ADMIN_BYPASS_VALUE) return false
+  // LAYER 3: Must be member of System Admin Team
+  const isMember = await checkSystemAdminMembership(authResult.user.id)
+  if (!isMember) {
+    console.log('[dual-auth] User has elevated role but is not member of System Admin Team')
+  }
+  return isMember
+}
+```
+### Three-Layer Validation Table
+| Layer | Check | Requirement |
+|-------|-------|-------------|
+| 1 | Role | `user.role` is `superadmin` OR `developer` |
+| 2 | Header | `x-admin-bypass: confirm-cross-team-access` |
+| 3 | Membership | User belongs to `team-nextspark-001` |
+## Team Context Validation: validateTeamContextWithBypass()
+**File:** `packages/core/src/lib/api/entity/generic-handler.ts:267-309`
+```typescript
+async function validateTeamContextWithBypass(
+  request: NextRequest,
+  authResult: DualAuthResult,
+  userId: string
+): Promise<{ valid: true; teamId: string | null; isBypass: boolean } | { valid: false; error: NextResponse }> {
+  const teamId = getTeamIdFromRequest(request)
+  // Check if user can bypass team validation
+  const canBypass = await canBypassTeamContext(authResult, request)
+  if (canBypass) {
+    // Admin bypass: teamId is optional
+    // - If provided: filter by that team (no membership check)
+    // - If not provided: cross-team access (all teams)
+    // isBypass = true means skip userId filter too (see all records)
+    console.log('[GenericHandler] Admin bypass active:', { userId, teamId: teamId || 'cross-team' })
+    return { valid: true, teamId, isBypass: true }
+  }
+  // Normal flow: require teamId and membership
+  if (!teamId) {
+    const response = createApiError(
+      'Team context required. Include x-team-id header.',
+      400,
+      undefined,
+      'TEAM_CONTEXT_REQUIRED'
+    )
+    return { valid: false, error: await addCorsHeaders(response) }
+  }
+  const isMember = await validateTeamMembership(userId, teamId)
+  if (!isMember) {
+    const response = createApiError(
+      'Access denied: You are not a member of this team',
+      403,
+      undefined,
+      'TEAM_ACCESS_DENIED'
+    )
+    return { valid: false, error: await addCorsHeaders(response) }
+  }
+  return { valid: true, teamId, isBypass: false }
+}
+```
+## isBypass Flag Usage
+**File:** `packages/core/src/lib/api/entity/generic-handler.ts`
+The `isBypass` flag controls userId filtering in queries:
+```typescript
+// Line ~509, 538, 563, 1138
+if (userId && !entityConfig.access?.shared && !skipUserFilter && !isBypass) {
+  // Apply userId filter - only see own records
+}
+// When isBypass = true, this filter is skipped, allowing cross-user access
+```
+## Database-Level Bypass: can_bypass_rls()
+**File:** `packages/core/migrations/010_teams_functions_triggers.sql:115-147`
+**CRITICAL DIFFERENCE from App-Level:**
+- **Superadmin:** ALWAYS bypasses RLS (no team membership check)
+- **Developer:** Only bypasses IF member of System Admin Team
+```sql
+CREATE OR REPLACE FUNCTION public.can_bypass_rls()
+RETURNS BOOLEAN AS $$
+DECLARE
+  current_user_id TEXT;
+  user_role TEXT;
+  is_system_admin_member BOOLEAN;
+BEGIN
+  current_user_id := public.get_auth_user_id();
+  -- Get user role
+  SELECT role INTO user_role
+  FROM public."users"
+  WHERE id = current_user_id;
+  -- Superadmin ALWAYS bypasses (no team membership check)
+  IF user_role = 'superadmin' THEN
+    RETURN TRUE;
+  END IF;
+  -- Developer can bypass ONLY if member of System Admin Team
+  IF user_role = 'developer' THEN
+    SELECT EXISTS(
+      SELECT 1 FROM public."team_members"
+      WHERE "userId" = current_user_id
+        AND "teamId" = 'team-nextspark-001'
+    ) INTO is_system_admin_member;
+    RETURN is_system_admin_member;
+  END IF;
+  RETURN FALSE;
+END;
+$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
+```
+## App vs DB Bypass Logic Comparison
+| Role | App-Level (canBypassTeamContext) | DB-Level (can_bypass_rls) |
+|------|----------------------------------|---------------------------|
+| superadmin | Needs header + team membership | ALWAYS bypasses |
+| developer | Needs header + team membership | Only with team membership |
+| member | Cannot bypass | Cannot bypass |
+**Why the difference?**
+- App-level: Requires explicit intent (header) to prevent accidents
+- DB-level: Final defense, superadmin always trusted at data layer
+## RLS Helper Functions
+### get_auth_user_id()
+**File:** `packages/core/migrations/001_better_auth_and_functions.sql:10-24`
+```sql
+CREATE OR REPLACE FUNCTION public.get_auth_user_id()
+RETURNS TEXT
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE v TEXT;
+BEGIN
+  v := current_setting('app.user_id', true);
+  IF v IS NULL OR v = '' THEN
+    RETURN NULL;
+  END IF;
+  RETURN v;
+END;
+$$;
+```
+### get_user_team_ids()
+**File:** `packages/core/migrations/010_teams_functions_triggers.sql:98-109`
+```sql
+CREATE OR REPLACE FUNCTION public.get_user_team_ids()
+RETURNS TEXT[] AS $$
+DECLARE
+  user_teams TEXT[];
+BEGIN
+  SELECT ARRAY_AGG(tm."teamId") INTO user_teams
+  FROM public."team_members" tm
+  WHERE tm."userId" = public.get_auth_user_id();
+  RETURN COALESCE(user_teams, ARRAY[]::TEXT[]);
+END;
+$$ LANGUAGE plpgsql STABLE SECURITY DEFINER;
+```
+## RLS Policy Pattern
+**File:** `packages/core/migrations/010_teams_functions_triggers.sql:164-208`
+```sql
+-- SELECT policy
+CREATE POLICY "teams_select_policy" ON public."teams"
+  FOR SELECT TO authenticated
+  USING (
+    public.is_superadmin()  -- Alias for can_bypass_rls()
+    OR
+    id IN (
+      SELECT "teamId" FROM public."team_members"
+      WHERE "userId" = public.get_auth_user_id()
+    )
+  );
+-- UPDATE policy
+CREATE POLICY "teams_update_policy" ON public."teams"
+  FOR UPDATE TO authenticated
+  USING (
+    public.is_superadmin()
+    OR
+    "ownerId" = public.get_auth_user_id()
+  )
+  WITH CHECK (
+    public.is_superadmin()
+    OR
+    "ownerId" = public.get_auth_user_id()
+  );
+-- DELETE policy
+CREATE POLICY "teams_delete_policy" ON public."teams"
+  FOR DELETE TO authenticated
+  USING (
+    public.is_superadmin()
+    OR
+    "ownerId" = public.get_auth_user_id()
+  );
+```
+## Error Codes
+| Code | HTTP Status | Trigger |
+|------|-------------|---------|
+| `TEAM_CONTEXT_REQUIRED` | 400 | Missing `x-team-id` header (non-bypass mode) |
+| `TEAM_ACCESS_DENIED` | 403 | User not member of specified team |
+| `AUTHENTICATION_FAILED` | 401 | Invalid credentials |
+## Normal Mode vs Bypass Mode
+### Normal Mode (Default)
+```typescript
+// Headers required
+const headers = {
+  'x-team-id': 'team-xxx'  // REQUIRED
+}
+// Behavior
+// - teamId is REQUIRED
+// - Validate user is team member
+// - Filter results by teamId AND userId
+// - Return 403 TEAM_ACCESS_DENIED if not member
+```
+### Bypass Mode (Admin)
+```typescript
+// Headers required
+const headers = {
+  'x-admin-bypass': 'confirm-cross-team-access',  // REQUIRED
+  'x-team-id': 'team-xxx'  // OPTIONAL (for filtering)
+}
+// Behavior
+// - teamId is OPTIONAL
+// - Skip membership validation
+// - Skip userId filter (isBypass = true)
+// - Access all teams or specific team
+```
+## Request Flow Diagram
+```
+┌──────────────────────────────────────────────────────────────────────────┐
+│                              API REQUEST                                  │
+├──────────────────────────────────────────────────────────────────────────┤
+│  Headers:                                                                 │
+│  ├─ Authorization: Bearer <api-key>  OR  Cookie: session=...             │
+│  ├─ x-team-id: team-xxx              (required in normal mode)           │
+│  └─ x-admin-bypass: confirm-...      (enables bypass mode)               │
+└──────────────────────────────────────────────────────────────────────────┘
+                                    │
+                                    ▼
+┌──────────────────────────────────────────────────────────────────────────┐
+│                        BACKEND SECURITY LAYERS                            │
+├──────────────────────────────────────────────────────────────────────────┤
+│                                                                           │
+│  LAYER 1: Authentication (dual-auth.ts:71-89)                            │
+│  └─ authenticateRequest() → DualAuthResult                               │
+│                                                                           │
+│  LAYER 2: Authorization (dual-auth.ts:205-226)                           │
+│  └─ canBypassTeamContext() → role + header + team check                  │
+│                                                                           │
+│  LAYER 3: Team Context (generic-handler.ts:267-309)                      │
+│  └─ validateTeamContextWithBypass() → { teamId, isBypass }               │
+│                                                                           │
+│  LAYER 4: Query Building (generic-handler.ts:509+)                       │
+│  └─ Add teamId/userId filters based on isBypass flag                     │
+│                                                                           │
+│  LAYER 5: Database RLS (010_teams_functions_triggers.sql:115-147)        │
+│  └─ can_bypass_rls() OR teamId = ANY(get_user_team_ids())                │
+│                                                                           │
+└──────────────────────────────────────────────────────────────────────────┘
+                                    │
+                                    ▼
+┌──────────────────────────────────────────────────────────────────────────┐
+│                           FILTERED RESPONSE                               │
+├──────────────────────────────────────────────────────────────────────────┤
+│  { success: true, data: [...filtered results...], info: { total: N } }   │
+└──────────────────────────────────────────────────────────────────────────┘
+```
+## Testing Bypass Mode
+### Cypress API Test
+```typescript
+describe('Admin Bypass', () => {
+  const SUPERADMIN_KEY = Cypress.env('SUPERADMIN_API_KEY')
+  it('should allow cross-team access with bypass', () => {
+    cy.request({
+      method: 'GET',
+      url: '/api/v1/products',
+      headers: {
+        'Authorization': `Bearer ${SUPERADMIN_KEY}`,
+        'x-admin-bypass': 'confirm-cross-team-access'
+        // No x-team-id = cross-team mode
+      }
+    }).then((response) => {
+      expect(response.status).to.eq(200)
+      // Returns data from ALL teams
+    })
+  })
+  it('should filter to specific team with bypass', () => {
+    cy.request({
+      method: 'GET',
+      url: '/api/v1/products',
+      headers: {
+        'Authorization': `Bearer ${SUPERADMIN_KEY}`,
+        'x-admin-bypass': 'confirm-cross-team-access',
+        'x-team-id': 'team-tmt-002'  // Filter to specific team
+      }
+    }).then((response) => {
+      expect(response.status).to.eq(200)
+      // Returns data only from team-tmt-002
+    })
+  })
+  it('should reject bypass without header', () => {
+    cy.request({
+      method: 'GET',
+      url: '/api/v1/products',
+      headers: {
+        'Authorization': `Bearer ${SUPERADMIN_KEY}`
+        // Missing x-admin-bypass and x-team-id
+      },
+      failOnStatusCode: false
+    }).then((response) => {
+      expect(response.status).to.eq(400)
+      expect(response.body.code).to.eq('TEAM_CONTEXT_REQUIRED')
+    })
+  })
+})
+```
+## Security Strengths
+| Feature | Implementation | Benefit |
+|---------|----------------|---------|
+| **Dual Authentication** | API Key + Session | Flexibility for different use cases |
+| **Three-Layer App Bypass** | Role + Header + Team | Defense in depth, prevents accidents |
+| **RLS Final Defense** | PostgreSQL policies | Data isolation even if app bypassed |
+| **Team Isolation** | App + DB checks | Multi-tenant security |
+| **System Admin Team** | Hardcoded ID | Prevents privilege escalation |
+| **isBypass Flag** | Skip userId filter | Cross-user visibility for admins |
+## Anti-Patterns
+```typescript
+// NEVER: Allow bypass based on role alone at app level
+if (user.role === 'superadmin') {
+  return true  // WRONG! Missing header and team checks at app level
+}
+// CORRECT: Use the three-layer function
+const isBypass = await canBypassTeamContext(authResult, request)
+// NEVER: Trust client-provided bypass status
+const isBypass = request.body.isBypass  // User can fake this!
+// CORRECT: Validate bypass on server
+const isBypass = await canBypassTeamContext(authResult, request)
+// NEVER: Skip userId filter without checking bypass
+if (user.role === 'superadmin') {
+  skipUserFilter = true  // WRONG! Should use isBypass from validation
+}
+// CORRECT: Use the isBypass flag from validateTeamContextWithBypass
+const { teamId, isBypass } = await validateTeamContextWithBypass(request, authResult, userId)
+if (!isBypass) {
+  // Apply userId filter
+}
+```
+## Checklist
+Before finalizing bypass implementation:
+- [ ] App-level uses three-layer validation (role + header + team)
+- [ ] `x-admin-bypass` header value is exactly `confirm-cross-team-access`
+- [ ] System Admin Team ID is `team-nextspark-001` (hardcoded)
+- [ ] RLS policies use `can_bypass_rls()` function
+- [ ] Superadmin always bypasses RLS (no team check at DB level)
+- [ ] Developer requires System Admin Team membership for RLS bypass
+- [ ] `isBypass` flag controls userId filter in queries
+- [ ] Normal mode requires `x-team-id` header
+- [ ] Bypass mode makes `x-team-id` optional
+- [ ] Error codes: `TEAM_CONTEXT_REQUIRED` (400), `TEAM_ACCESS_DENIED` (403)
+## Related Skills
+- `better-auth` - Authentication patterns and session management
+- `permissions-system` - RBAC + Features + Quotas permission model
+- `database-migrations` - PostgreSQL RLS policies
+- `nextjs-api-development` - API route patterns with dual auth
+- `cypress-api` - API testing with bypass scenarios