AuthzKit

Appearance

CLI Commands

AuthzKit ships two CLIs that help you wire policies into your application workflows.

authzkit-tenant-guard

Validate Prisma schemas, enforce tenant isolation, and generate deployment guidance.

Install

bash
pnpm add @authzkit/prisma-tenant-guard
pnpm add -D @authzkit/prisma-tenant-guard-generator
bash
npm install @authzkit/prisma-tenant-guard
npm install --save-dev @authzkit/prisma-tenant-guard-generator
bash
yarn add @authzkit/prisma-tenant-guard
yarn add --dev @authzkit/prisma-tenant-guard-generator
bash
bun add @authzkit/prisma-tenant-guard
bun add -d @authzkit/prisma-tenant-guard-generator

Commands

CommandDescription
authzkit-tenant-guard checkValidates metadata, tenant fields, and relation targets. Fails CI when cross-tenant writes are possible.
authzkit-tenant-guard planPrints a readable summary of tenant fields, composite selectors, and nested targets.
authzkit-tenant-guard rlsOutputs Postgres row-level security (RLS) guidance for the configured rls.varName.
authzkit-tenant-guard smokeExecutes a synthetic write to confirm cross-tenant mutations are rejected.

Configuration

Save a tenant-guard.config.json file at the root of your project:

json
{
  "tenantId": "tenant-a",
  "mode": "strict",
  "metaFile": ".prisma/tenant-guard/meta.json",
  "rls": { "enabled": true, "varName": "app.tenant_id" }
}

Use --config, --mode, or --tenant flags to override values per environment. The CLI exits non-zero on validation errors, making it safe to run in CI pipelines.

authzkit-tenant-guard-gen

Generate up-to-date metadata directly from your Prisma schema. Run it after each schema change or as part of your migration scripts.

bash
pnpm exec authzkit-tenant-guard-gen \
  --schema prisma/schema.prisma \
  --out .prisma/tenant-guard/meta.ts \
  --emitJson
bash
npm exec authzkit-tenant-guard-gen \
  --schema prisma/schema.prisma \
  --out .prisma/tenant-guard/meta.ts \
  --emitJson
bash
yarn authzkit-tenant-guard-gen \
  --schema prisma/schema.prisma \
  --out .prisma/tenant-guard/meta.ts \
  --emitJson
bash
bunx authzkit-tenant-guard-gen \
  --schema prisma/schema.prisma \
  --out .prisma/tenant-guard/meta.ts \
  --emitJson

Options:

  • --tenantField="tenantId,accountId" – provide a comma-separated list of tenant field candidates.
  • --include Post,Comment or --exclude AuditLog – scope the generator to specific models.
  • --jsonOutputPath – customize where the generated .json metadata lives.

The runtime and CLI both consume the generated metadata, so keep the outputs checked into your repo.