Tenant-aware authorization for NestJS + TypeORM, built on top of @casl/ability.
nest-warden closes four gaps in @casl/ability that bite multi-tenant SaaS:
- No first-class tenant primitive — forgetting tenantId in a rule's conditions silently leaks data across tenants.
- No graph-relationship traversal — rules like "Alice is an agent of Merchant M of Tenant X → Alice can approve M's payments" can't be expressed without denormalization or pre-flight queries.
- No TypeORM adapter for reverse lookups — CASL ships only Mongoose and Prisma adapters; TypeORM users get nothing. CASL also can't answer "which Ys can Alice access?" without loading them all and filtering — O(n) DB I/O.
- Underspecified conditional authorization — hand-rolled condition translators silently drop conditions when wrong.
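
The first gap above, shown as an added example (not nest-warden's or CASL's own code): a rule written without tenantId raises no error, it simply matches rows in every tenant. The rules use the { action, subject, conditions } shape of CASL raw rules; the equality-only matches(), the rulesMissingTenant() guard, and the sample data are assumptions made for illustration.

```typescript
// Simplified stand-in for CASL's condition matcher: equality checks only.
type Conditions = Record<string, string | number | boolean>;
interface RawRule { action: string; subject: string; conditions?: Conditions; }
type Resource = Record<string, string | number | boolean>;

function matches(conditions: Conditions | undefined, resource: Resource): boolean {
  if (!conditions) return true; // an unconditional rule matches every row
  return Object.entries(conditions).every(([key, value]) => resource[key] === value);
}

function can(rules: RawRule[], action: string, subject: string, resource: Resource): boolean {
  return rules.some(
    (r) => r.action === action && r.subject === subject && matches(r.conditions, resource),
  );
}

// Hypothetical guard (not nest-warden's API): return every rule that is not
// pinned to the caller's tenant, so it can be rejected before it is used.
function rulesMissingTenant(rules: RawRule[], tenantId: string): RawRule[] {
  return rules.filter((r) => r.conditions?.tenantId !== tenantId);
}

// Constructed sample data: the caller belongs to tenant-a.
const invoiceOwnTenant: Resource = { id: 3, tenantId: "tenant-a", status: "open" };
const invoiceOtherTenant: Resource = { id: 7, tenantId: "tenant-b", status: "open" };

// The rule author forgot tenantId: nothing fails, the rule matches all tenants.
const leakyRules: RawRule[] = [
  { action: "read", subject: "Invoice", conditions: { status: "open" } },
];
// The same rule pinned to the caller's tenant.
const scopedRules: RawRule[] = [
  { action: "read", subject: "Invoice", conditions: { status: "open", tenantId: "tenant-a" } },
];

function demo() {
  return {
    leakyCrossTenant: can(leakyRules, "read", "Invoice", invoiceOtherTenant),
    scopedCrossTenant: can(scopedRules, "read", "Invoice", invoiceOtherTenant),
    scopedOwnTenant: can(scopedRules, "read", "Invoice", invoiceOwnTenant),
    flaggedLeaky: rulesMissingTenant(leakyRules, "tenant-a").length,
    flaggedScoped: rulesMissingTenant(scopedRules, "tenant-a").length,
  };
}
```
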
Where to start
- Introduction — what nest-warden is and isn't.
- Why nest-warden? — the four gaps in detail.
- Installation — get the package into your project.
- Tenant Context — the central abstraction.
- $relatedTo operator — the headline graph feature.
- NestJS integration — wiring up the module.