
chore: Add protect-endpoints skill (no-changelog) #29385

Open
burivuhster wants to merge 2 commits into master from burivuhster/protect-endpoints


@burivuhster burivuhster commented Apr 28, 2026

Summary

Adds a new Claude Code skill that guides agents on applying n8n's RBAC scope decorators (`@ProjectScope` / `@GlobalScope`) to REST endpoints.

Related Linear tickets, Github issues, and Community forum posts

N/A — internal tooling.

Review / Merge checklist

  • I have seen this code, I have run this code, and I take responsibility for this code.
  • PR title and summary are descriptive.
  • Docs updated (this PR is the doc).
  • Tests included. — N/A, skill markdown only.
  • PR Labeled with `Backport to Beta`, `Backport to Stable`, or `Backport to v1` — not needed, tooling only.

Documents how to apply @ProjectScope/@GlobalScope decorators to REST
endpoints, including scope creation, frontend wiring, and
route-metadata regression tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@burivuhster burivuhster changed the title from "docs: add protect-endpoints skill (no-changelog)" to "chore: Add protect-endpoints skill (no-changelog)" Apr 28, 2026
@burivuhster burivuhster marked this pull request as ready for review April 28, 2026 10:42

codecov Bot commented Apr 28, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 1 file

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".claude/plugins/n8n/skills/protect-endpoints/SKILL.md">

<violation number="1" location=".claude/plugins/n8n/skills/protect-endpoints/SKILL.md:2">
P1: Remove the `name` field from this SKILL frontmatter; plugin skills must rely on the directory name for identification.

(Based on your team's feedback about omitting `name` in plugin SKILL frontmatter to avoid Claude Code namespacing bugs.) [FEEDBACK_USED]</violation>
</file>
Architecture diagram

```mermaid
sequenceDiagram
    participant Client
    participant Controller as @RestController
    participant Middleware as ScopedMiddleware (controller.registry.ts)
    participant AuthEngine as checkAccess (check-access.ts)
    participant DB as User/Role Store

    Note over Client,DB: Request flow for RBAC-protected endpoints

    Client->>Controller: Request (e.g., POST /projects/:projectId/widgets)

    Note over Controller,Middleware: Metadata check for @ProjectScope or @GlobalScope

    Controller->>Middleware: Intercept Request

    alt NEW: Handler has @ProjectScope(':resource::op')
        Middleware->>Middleware: Extract :projectId from URL params
        Middleware->>AuthEngine: userHasScopes(user, scope, projectId)
    else NEW: Handler has @GlobalScope(':resource::op')
        Middleware->>AuthEngine: userHasScopes(user, scope)
    end

    AuthEngine->>DB: Fetch user roles (Global + Project-specific)
    DB-->>AuthEngine: Roles & Permissions list

    AuthEngine->>AuthEngine: Validate scope intersection

    alt Authorized
        AuthEngine-->>Middleware: Access Granted
        Middleware->>Controller: Execute Handler Method
        Controller->>DB: CHANGED: Data access filtered by projectId
        DB-->>Controller: Resource Data
        Controller-->>Client: 200 OK / 201 Created
    else Unauthorized
        AuthEngine-->>Middleware: Access Denied
        Middleware-->>Client: 403 Forbidden / 401 Unauthorized
    end

    Note over Client,DB: Background: System Initialization (AuthRolesService.init)
    DB->>DB: Sync hardcoded scopes from constants.ee.ts to DB records
```

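The request flow in the diagram above, together with the route-metadata regression tests mentioned in the PR summary, as an added TypeScript example (not code from this PR or from n8n). `route`, `authorize`, `unprotectedRoutes`, the scope strings and the sample user are hypothetical, and the plain `route()` registry stands in for the metadata the decorators would attach.

```typescript
// Added illustration: every name here is a hypothetical stand-in, not n8n's code.
type ScopeMeta = { scope: string; kind: 'project' | 'global' };
type User = { globalScopes: string[]; projectScopes: Record<string, string[]> };
type Req = { user?: User; params: Record<string, string> };

// Metadata the scope decorators would attach, keyed by "METHOD path" (null = none).
const routeScopes: Record<string, ScopeMeta | null> = {};
function route(key: string, meta: ScopeMeta | null = null): void {
  routeScopes[key] = meta;
}

// Global roles apply everywhere; project roles only inside their own project.
function userHasScopes(user: User, scope: string, projectId?: string): boolean {
  if (user.globalScopes.some((s) => s === scope)) return true;
  if (projectId === undefined) return false;
  return (user.projectScopes[projectId] || []).some((s) => s === scope);
}

// Middleware decision: the status to send, or 200 when the handler may run.
function authorize(key: string, req: Req): number {
  if (!req.user) return 401;
  const meta = routeScopes[key];
  if (!meta) return 403; // this sketch fails closed when metadata is missing
  if (meta.kind === 'global') return userHasScopes(req.user, meta.scope) ? 200 : 403;
  const projectId = req.params.projectId;
  if (!projectId) return 403; // a project scope needs :projectId to be evaluated
  return userHasScopes(req.user, meta.scope, projectId) ? 200 : 403;
}

// Regression check: routes with no scope, or a project scope on a path without :projectId.
function unprotectedRoutes(): string[] {
  return Object.keys(routeScopes).filter((key) => {
    const meta = routeScopes[key];
    return !meta || (meta.kind === 'project' && !/:projectId\b/.test(key));
  });
}

// Constructed sample routes, scopes and user.
route('POST /projects/:projectId/widgets', { scope: 'widget:create', kind: 'project' });
route('GET /widgets/stats', { scope: 'widget:list', kind: 'global' });
route('DELETE /widgets/:id'); // scope decorator forgotten
const editor: User = { globalScopes: [], projectScopes: { p1: ['widget:create'] } };
```

Running `unprotectedRoutes()` in CI and failing on a non-empty result catches a handler that ships without a scope before it reaches review.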

Comment thread .claude/plugins/n8n/skills/protect-endpoints/SKILL.md Outdated
Plugin skills must rely on the directory name for identification to
avoid Claude Code namespacing bugs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

Performance Comparison

Comparing current, latest master, and 14-day baseline

Memory consumption baseline with starter plan resources

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| memory-heap-used-baseline | 118.98 MB | 118.98 MB | 115.72 MB (σ 2.02) | +0.0% | +2.8% | ⚠️ |
| memory-rss-baseline | 293.85 MB | 293.85 MB | 291.38 MB (σ 29.40) | +0.0% | +0.8% | |

Idle baseline with Instance AI module loaded

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| instance-ai-rss-baseline | 354.18 MB | 354.18 MB | 364.79 MB (σ 21.08) | +0.0% | -2.9% | |
| instance-ai-heap-used-baseline | 191.65 MB | 191.65 MB | 187.79 MB (σ 2.07) | +0.0% | +2.1% | ⚠️ |

docker-stats

| Metric | Current | Latest Master | Baseline (avg) | vs Master | vs Baseline | Status |
|---|---|---|---|---|---|---|
| docker-image-size-n8n | 1300.48 MB | 1300.48 MB | 1303.55 MB (σ 51.48) | +0.0% | -0.2% | |
| docker-image-size-runners | 388.00 MB | 388.00 MB | 391.15 MB (σ 9.26) | +0.0% | -0.8% | |

How to read this table
  • Current: This PR's value (or latest master if PR perf tests haven't run)
  • Latest Master: Most recent nightly master measurement
  • Baseline: Rolling 14-day average from master
  • vs Master: PR impact (current vs latest master)
  • vs Baseline: Drift from baseline (current vs rolling avg)
  • Status: ✅ within 1σ | ⚠️ 1-2σ | 🔴 >2σ regression

@n8n-assistant n8n-assistant Bot added the n8n team Authored by the n8n team label Apr 28, 2026
@burivuhster burivuhster requested a review from cstuncsik April 28, 2026 16:08