Validators
| Validator | Command | What it checks |
|---|---|---|
| Access control | validate:access-control | Forbidden code patterns in src/server/ |
| Router structure | validate:router | router.ts contains only imports and sub-router registrations |
| Scopes | validate:scopes | scopes.json cross-referenced against Prisma schema |
| Workflows | validate:workflows | Workflow definitions in src/server/workflows/ — see the Workflows Framework for full validation details |
Blocked code patterns
| Pattern | Reason | Correct alternative |
|---|---|---|
| import { getUserScopes } | Bypasses declarative enforcement | scopedProcedure(['scope']) |
| import { _unscopedPrisma } | Bypasses RLS | ctx.db |
| ctx.userScopes | Enables conditional security | Separate procedures per access level |
| $executeRaw | Bypasses RLS policies | Prisma query methods via ctx.db |
| $queryRaw | Bypasses RLS policies | Prisma query methods via ctx.db |
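
The blocked patterns above can be checked with a plain text scan. The following is an added example, not the project's validator: the rule ids, regexes, function names and the sample file are assumptions built from the table.

```typescript
// Added example: scans source text for the blocked patterns in the table above.
// Rule ids, regexes and function names are assumptions, not the project's validator.
interface Rule { id: string; re: RegExp; reason: string; fix: string }
interface Finding { line: number; rule: string; reason: string; fix: string }

// Named import of `name`, including multi-line and `import type` forms.
const importOf = (name: string): RegExp =>
  new RegExp("\\bimport\\s*(?:type\\s+)?(?:[\\w$]+\\s*,\\s*)?\\{[^}]*\\b" + name + "\\b[^}]*\\}");

const RULES: Rule[] = [
  { id: "getUserScopes", re: importOf("getUserScopes"),
    reason: "Bypasses declarative enforcement", fix: "scopedProcedure(['scope'])" },
  { id: "_unscopedPrisma", re: importOf("_unscopedPrisma"),
    reason: "Bypasses RLS", fix: "ctx.db" },
  { id: "ctx.userScopes", re: /\bctx\s*\??\.\s*userScopes\b/,
    reason: "Enables conditional security", fix: "Separate procedures per access level" },
  // Prefix match, so $executeRawUnsafe / $queryRawUnsafe are reported too.
  { id: "$executeRaw", re: /\$executeRaw/,
    reason: "Bypasses RLS policies", fix: "Prisma query methods via ctx.db" },
  { id: "$queryRaw", re: /\$queryRaw/,
    reason: "Bypasses RLS policies", fix: "Prisma query methods via ctx.db" },
];

// Comments and strings are deliberately not stripped: a hit inside a comment is a
// false positive, which is the safer failure mode for a build-time security gate.
function scanSource(src: string): Finding[] {
  const findings: Finding[] = [];
  for (const rule of RULES) {
    const re = new RegExp(rule.re.source, "g");
    let m: RegExpExecArray | null;
    while ((m = re.exec(src)) !== null) {
      const line = src.slice(0, m.index).split("\n").length; // 1-based line of match start
      findings.push({ line, rule: rule.id, reason: rule.reason, fix: rule.fix });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample of a src/server/ file (import path and procedure names are made up).
const SAMPLE = [
  "import {",
  "  router,",
  "  getUserScopes,",
  "} from '../trpc';",
  "export const list = scopedProcedure(['invoice:read'])",
  "  .query(({ ctx }) => ctx.db.invoice.findMany());",
  "export const purge = scopedProcedure(['invoice:admin'])",
  "  .mutation(({ ctx }) => ctx.db.$executeRawUnsafe('DELETE FROM invoice'));",
  "export const canPurge = ({ ctx }) => ctx.userScopes.includes('invoice:admin');",
].join("\n");

for (const f of scanSource(SAMPLE)) console.log(`${f.line}: ${f.rule} (${f.reason}); use ${f.fix}`);
```

A regex scan does not follow aliases or re-exports (for example `const { userScopes } = ctx`), so it complements RLS and the ESLint rules rather than replacing them.
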
Scopes validation checks
| Check | Description |
|---|---|
| Scope references | Every scope in roles, table policies, and service configs must be defined in the scopes array |
| Table existence | Every table in tables must exist in prisma/schema.prisma |
| Column existence | Every ownerColumn, orgColumn, groupAccess column must exist on the referenced table |
| Role uniqueness | No duplicate role names |
| Default role | Exactly one role can be marked as default |
| Service clients | Every service in services must have its @synthetiq/services-* package installed |
| Group access columns | Group access membership tables must have a userId column |
ESLint rules
| Rule | Scope | Effect |
|---|---|---|
| Service client imports | src/web/ | Error — service clients can only be used in src/server/ |
| no-unsafe-type-assertion | All files | Error — prevents unsafe type assertions |
Generated artifacts
| Artifact | Generator | Used by |
|---|---|---|
| procedures.json | generate:manifests | AI agent, HTTP API, MCP server, docs pages |
| db-schema.json | generate:manifests | AI agent, docs pages |
| pages.json | generate:manifests | AI agent, docs pages |
| RLS policies | generate:rls | PostgreSQL production database |
| Service mappings | generate:service-mappings | Service client integrations |
Build commands
| Command | Description |
|---|---|
| synthetiq-app build | Full pipeline (all phases) |
| synthetiq-app validate | Run all validators |
| synthetiq-app validate:access-control | Check for security violations |
| synthetiq-app validate:router | Check router structure |
| synthetiq-app validate:scopes | Check scope configuration |
| synthetiq-app validate:workflows | Check workflow definitions |
| synthetiq-app generate:manifests | Generate API and schema manifests |
| synthetiq-app generate:rls | Generate RLS policies |
| synthetiq-app generate:service-mappings | Generate service mappings |
| synthetiq-app sync:scopes | Sync scopes to database |
| synthetiq-app register:schedules | Register scheduled jobs |
| synthetiq-app seed:publisher | Seed default roles |

