Docyrus Api Dev

Name: Docyrus Api Dev
Author: docyrus

docyrus/agent-skills

Wire Docyrus tenant ACL, role UID rules, and record-share routes from a frontend app using RestApiClient or useDocyrusClient().

Overview

Docyrus API Dev is an agent skill for the Build phase that documents Docyrus ACL HTTP routes and identifier rules for frontend integration.

Install

npx skills add https://github.com/docyrus/agent-skills --skill docyrus-api-dev

What is this skill?

Documents ACL base path `/api/v1/users/acl` and authenticated session requirements
Clarifies role UID vs id: prefer `tenant_role.uid` for assignments and role-query `roleIds`
`tenant_role_query.query` must be raw JSON objects, not stringified JSON
Covers record ACL GET/share endpoints and enum values for role ownership and query restriction levels
Notes `@ApiExcludeEndpoint()`—call routes directly instead of relying on generated OpenAPI
5 role ownership enum values (APP, CUSTOM, PRODUCT, SYSTEM, USER)
3 role query restriction levels (hidden, read-only, not-deletable)

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 553 installs on skills.sh; 13 GitHub stars; 2/3 security scanners passed (skills.sh audits).

What problem does it solve?

You are building Docyrus UI against ACL endpoints that Swagger omits, so role UIDs, JSON query shapes, and share routes are easy to get wrong.

Who is it for?

Solo builders adding sharing, roles, or tenant ACL screens on Docyrus when generated API docs are incomplete.

Skip if: Teams not on Docyrus or backends where ACL is fully exposed in OpenAPI and already wired in your app.

When should I use this skill?

Building Docyrus frontend features that touch user ACL, record shares, or tenant roles.

What do I get? / Deliverables

You integrate record ACL and role APIs with correct UIDs, raw JSON queries, and documented paths via your Docyrus client.

Correct ACL and share API calls from frontend code
Role and query payloads using UID and raw JSON query objects

Recommended Skills

Entra App Registrationmicrosoft/azure-skills

Walkthrough for Microsoft Entra ID app registration, OAuth configuration, and MSAL-based authentication setup.374k installs·1.2k stars

Azure Aigatewaymicrosoft/azure-skills

Quick reference for building and operating Azure API Management as an AI gateway using ARM .NET SDK and policy best prac…373k installs·1.2k stars

Lark Openapi Explorerlarksuite/cli

Escalation path for uncovered Lark/Feishu APIs: browse official OpenAPI docs and execute via lark-cli.208k installs·13.7k stars

Supabasesupabase/agent-skills

Authoritative Supabase agent skill for database, auth, edge functions, and client SSR with emphasis on up-to-date docs, …111k installs·2.2k stars

Firebase Auth Basicsfirebase/agent-skills

firebase-auth-basics is a guided agent skill for solo builders implementing Firebase Authentication in web or mobile-bac…75.7k installs·345 stars

Firebase Data Connectfirebase/agent-skills

Firebase Data Connect is an agent skill that equips solo builders to design relational data layers on Firebase using Gra…73.2k installs·345 stars

Journey fit

Primary fit

BuildIntegrations & version control

ACL integration is done while building the product against the live API, not during idea or launch phases. This skill is the integration source of truth for excluded Swagger routes under `/api/v1/users/acl`.

Also useful

BuildUI/UX & frontend

Also useful

ShipSecurity

How it compares

Use as a focused ACL integration guide instead of generic REST or OpenAPI-first API skills.

Common Questions / FAQ

Who is docyrus-api-dev for?

Frontend-focused solo and indie builders shipping Docyrus apps who need ACL routes and tenant role UID rules without relying on excluded Swagger endpoints.

When should I use docyrus-api-dev?

During Build integrations when you implement record shares, role assignment, or role-query filters against `/api/v1/users/acl`.

Is docyrus-api-dev safe to install?

It is documentation-style guidance with no bundled executables; review the Security Audits panel on this Prism page before trusting any third-party skill package.

SKILL.md

READMESKILL.md - Docyrus Api Dev

# ACL Endpoints for Frontend Developers

Base path: `/api/v1/users/acl`

All ACL endpoints require the normal authenticated API session.

These endpoints may be hidden from generated Swagger/OpenAPI output because the backend currently marks them with `@ApiExcludeEndpoint()`. Treat this document as the frontend integration source of truth and call these routes directly with `RestApiClient` or `useDocyrusClient()`.

## Important identifier rules

- Role assignments and ACL role relations are stored using `tenant_role.uid`.
- Returned nested role objects expose both `id` and `uid`, and both values map to the role UID.
- For role operations, backend can resolve incoming `roleId` values against both `tenant_role.uid` and `tenant_role.id`, but frontend apps should prefer role `uid` values from API responses.
- For user-role writes and role-query `roleIds`, send role UUIDs and prefer UID values.
- `tenant_role_query.query` is a JSON object matching the app's filter-query structure. Send raw JSON, not stringified JSON.

## Enum values

### Role ownership

- `APP`
- `CUSTOM`
- `PRODUCT`
- `SYSTEM`
- `USER`

### Role query restriction level

- `hidden`
- `read-only`
- `not-deletable`

## Endpoint groups

### 1) Record ACL endpoints

These manage record-level shares, not role CRUD.

| Method | Path | Purpose |
| :----- | :--- | :------ |
| `GET` | `/v1/users/acl?dataSourceId={uuid}&recordId={uuid}` | Fetch direct and effective ACL rows for a record |
| `POST` | `/v1/users/acl/share` | Upsert record share rows |
| `DELETE` | `/v1/users/acl/share` | Revoke matching share rows |
| `PUT` | `/v1/users/acl/owner` | Transfer record ownership |

#### Share payload notes

- `principalType` must be one of: `user`, `team`, `role`, `tenant`, `public`.
- `permissions` is the backend ACL bitmask value.
- `expiresAt` is optional and must be a valid ISO date if provided.

#### Record ACL response shapes

`GET /v1/users/acl` returns:

```json
{
  "direct": [
    {
      "id": "uuid",
      "principal_type": "user",
      "principal_id": "uuid",
      "permissions": 7,
      "expires_at": null,
      "created_by": "uuid-or-null",
      "created_on": "2026-03-29T20:10:00.000Z"
    }
  ],
  "effective": [
    {
      "id": "uuid",
      "user_id": "uuid",
      "permissions": 7,
      "source_principal_type": "role",
      "source_principal_id": "uuid"
    }
  ]
}
```

### 2) Role endpoints

| Method | Path | Purpose |
| :----- | :--- | :------ |
| `GET` | `/v1/users/acl/roles` | List tenant roles |
| `GET` | `/v1/users/acl/roles/:roleId` | Get one role |
| `POST` | `/v1/users/acl/roles` | Create role |
| `PATCH` | `/v1/users/acl/roles/:roleId` | Partial update role |
| `DELETE` | `/v1/users/acl/roles/:roleId` | Hard delete role |

#### Role create/update rules

- `slug` is required on create and must be unique within the tenant.
- Create defaults:
  - `ownership = "CUSTOM"`
  - `privileges = ""`
  - `status = 1`
- Role responses include both `id` and `uid`, both pointing to the role UID.

#### Role delete side effects

Deleting a role also cleans up dependent ACL state:

- removes `tenant_user_role` assignments for that role
- sets `tenant_user.primary_role` to `null` where applicable
- removes linked `tenant_acl_rule` rows
- removes linked `tenant_acl_field_rule` rows
- removes the role from `tenant_role_query` role arrays
- hard deletes role-query rows that become empty after role removal

Frontend implication: after role deletion, refresh role lists, user-role lists, role-query lists, and any UI showing primary-role labels.

### 3) User-role endpoints

| Method | Path | Purpose |
| :----- | :--- | :------ |
| `GET` | `/v1/users/acl/user-roles` | List assignments across the tenant |
| `GET` | `/v1/users/acl/users/:userId/roles` | List assignments for one user |
| `POST` | `/v1/users/acl/users/:userId/roles` | Add roles to a user |
| `PUT` | `/v1/users/acl/users/:userId/roles` | Replace the full role set for a user |
| `DELETE` | `/v1/users/acl/users/:us

What is this skill?

Documents ACL base path `/api/v1/users/acl` and authenticated session requirements

Clarifies role UID vs id: prefer `tenant_role.uid` for assignments and role-query `roleIds`

`tenant_role_query.query` must be raw JSON objects, not stringified JSON

Covers record ACL GET/share endpoints and enum values for role ownership and query restriction levels

Notes `@ApiExcludeEndpoint()`—call routes directly instead of relying on generated OpenAPI

5 role ownership enum values (APP, CUSTOM, PRODUCT, SYSTEM, USER)

3 role query restriction levels (hidden, read-only, not-deletable)

Compatible agents: Claude Code, Cursor, Codex, any compatible agent

Adoption & trust: 553 installs on skills.sh; 13 GitHub stars; 2/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

BuildIntegrations & version control

Also useful

BuildUI/UX & frontend

Also useful

ShipSecurity

SKILL.md

READMESKILL.md - Docyrus Api Dev

# ACL Endpoints for Frontend Developers

Base path: `/api/v1/users/acl`

All ACL endpoints require the normal authenticated API session.

These endpoints may be hidden from generated Swagger/OpenAPI output because the backend currently marks them with `@ApiExcludeEndpoint()`. Treat this document as the frontend integration source of truth and call these routes directly with `RestApiClient` or `useDocyrusClient()`.

## Important identifier rules

- Role assignments and ACL role relations are stored using `tenant_role.uid`.
- Returned nested role objects expose both `id` and `uid`, and both values map to the role UID.
- For role operations, backend can resolve incoming `roleId` values against both `tenant_role.uid` and `tenant_role.id`, but frontend apps should prefer role `uid` values from API responses.
- For user-role writes and role-query `roleIds`, send role UUIDs and prefer UID values.
- `tenant_role_query.query` is a JSON object matching the app's filter-query structure. Send raw JSON, not stringified JSON.

## Enum values

### Role ownership

- `APP`
- `CUSTOM`
- `PRODUCT`
- `SYSTEM`
- `USER`

### Role query restriction level

- `hidden`
- `read-only`
- `not-deletable`

## Endpoint groups

### 1) Record ACL endpoints

These manage record-level shares, not role CRUD.

| Method | Path | Purpose |
| :----- | :--- | :------ |
| `GET` | `/v1/users/acl?dataSourceId={uuid}&recordId={uuid}` | Fetch direct and effective ACL rows for a record |
| `POST` | `/v1/users/acl/share` | Upsert record share rows |
| `DELETE` | `/v1/users/acl/share` | Revoke matching share rows |
| `PUT` | `/v1/users/acl/owner` | Transfer record ownership |

#### Share payload notes

- `principalType` must be one of: `user`, `team`, `role`, `tenant`, `public`.
- `permissions` is the backend ACL bitmask value.
- `expiresAt` is optional and must be a valid ISO date if provided.

#### Record ACL response shapes

`GET /v1/users/acl` returns:

```json
{
  "direct": [
    {
      "id": "uuid",
      "principal_type": "user",
      "principal_id": "uuid",
      "permissions": 7,
      "expires_at": null,
      "created_by": "uuid-or-null",
      "created_on": "2026-03-29T20:10:00.000Z"
    }
  ],
  "effective": [
    {
      "id": "uuid",
      "user_id": "uuid",
      "permissions": 7,
      "source_principal_type": "role",
      "source_principal_id": "uuid"
    }
  ]
}
```

### 2) Role endpoints

| Method | Path | Purpose |
| :----- | :--- | :------ |
| `GET` | `/v1/users/acl/roles` | List tenant roles |
| `GET` | `/v1/users/acl/roles/:roleId` | Get one role |
| `POST` | `/v1/users/acl/roles` | Create role |
| `PATCH` | `/v1/users/acl/roles/:roleId` | Partial update role |
| `DELETE` | `/v1/users/acl/roles/:roleId` | Hard delete role |

#### Role create/update rules

- `slug` is required on create and must be unique within the tenant.
- Create defaults:
  - `ownership = "CUSTOM"`
  - `privileges = ""`
  - `status = 1`
- Role responses include both `id` and `uid`, both pointing to the role UID.

#### Role delete side effects

Deleting a role also cleans up dependent ACL state:

- removes `tenant_user_role` assignments for that role
- sets `tenant_user.primary_role` to `null` where applicable
- removes linked `tenant_acl_rule` rows
- removes linked `tenant_acl_field_rule` rows
- removes the role from `tenant_role_query` role arrays
- hard deletes role-query rows that become empty after role removal

Frontend implication: after role deletion, refresh role lists, user-role lists, role-query lists, and any UI showing primary-role labels.

### 3) User-role endpoints

| Method | Path | Purpose |
| :----- | :--- | :------ |
| `GET` | `/v1/users/acl/user-roles` | List assignments across the tenant |
| `GET` | `/v1/users/acl/users/:userId/roles` | List assignments for one user |
| `POST` | `/v1/users/acl/users/:userId/roles` | Add roles to a user |
| `PUT` | `/v1/users/acl/users/:userId/roles` | Replace the full role set for a user |
| `DELETE` | `/v1/users/acl/users/:us

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is docyrus-api-dev for?

When should I use docyrus-api-dev?

Is docyrus-api-dev safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is docyrus-api-dev for?

When should I use docyrus-api-dev?

Is docyrus-api-dev safe to install?

SKILL.md