NestJS最佳实践指南：26条生产级规则，涵盖安全、性能、架构与数据库

nestjs-best-practices by xirothedev/agent-skills

117 周安装量

13 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/xirothedev/agent-skills --skill nestjs-best-practices

Node.js JavaScript 框架性能优化

🇨🇳中文介绍

NestJS 最佳实践

构建生产就绪型 NestJS 应用程序的全面指南。包含 13 个类别下的 26 条规则，涵盖安全性、架构、性能、验证、数据库操作、身份验证和高级模式。

何时应用

在以下情况下参考这些指南：

编写新的 NestJS 模块、控制器或服务时
实现身份验证和授权时
设置 Prisma 数据库操作时
创建 DTO 和验证管道时
添加中间件或守卫时
实现错误处理和日志记录时
审查 NestJS 代码是否符合最佳实践时
重构现有 NestJS 应用程序时

按优先级排序的规则类别

优先级	类别	影响	前缀
1	安全性	关键	`security-`
2	性能	高	`performance-`
3	架构

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

1. 安全性（关键）

security-cors-whitelist - 仅启用白名单来源的 CORS
security-dependency-audit - 使用 bun 定期进行依赖项安全审计
security-helmet-headers - 使用 Helmet 中间件设置安全头

performance-redis-caching - 使用 Redis 缓存频繁使用的数据

architecture-short-functions - 保持函数简短且单一职责
architecture-feature-modules - 按功能模块组织代码
architecture-no-dead-code - 移除未使用的代码和依赖项
architecture-thin-controllers - 单一职责 - 分离控制器和服务
architecture-naming-conventions - 使用一致的命名约定
architecture-event-driven - 使用事件驱动架构实现松耦合

4. 错误处理（高）

error-handling-exception-filter - 启用全局异常过滤器
error-handling-structured-logging - 实施适当的日志记录策略

5. 验证（关键）

validation-custom-pipes - 为查询参数转换创建自定义管道
validation-dto-validation - 使用 DTO 和 ValidationPipe 验证所有输入

6. 数据库（关键）

database-parameterized-queries - 使用参数化查询防止 SQL 注入（Prisma v7）

7. 身份验证（关键）

auth-password-hashing - 使用 Bun 内置的 Crypto 进行安全的密码哈希（argon2/bcrypt）
auth-route-guards - 使用守卫保护路由

api-cursor-pagination - 对大型数据集使用基于游标的分页
api-swagger-docs - 生成 Swagger/OpenAPI 文档

9. 配置（关键）

config-no-secrets - 切勿硬编码密钥 - 使用环境变量

testing-unit-tests - 编写全面的单元测试

deployment-health-checks - 实现健康检查端点

12. 中间件（中）

middleware-compression - 为响应启用压缩中间件
middleware-rate-limiting - 为所有路由实现速率限制

advanced-lazy-loading - 延迟加载非关键模块
advanced-scheduled-tasks - 使用 @nestjs/schedule 处理 cron 作业和计划任务

阅读各个规则文件以获取详细说明和代码示例：

rules/security-cors-whitelist.md
rules/auth-route-guards.md
rules/validation-dto-validation.md
rules/_sections.md

每个规则文件包含：

"For AI Agents" 部分，提供分步实施说明
用于代码审查的快速参考清单
❌ 错误模式与 ✅ 正确模式的对比，并附有文件位置
使用 bun add 的安装命令
NestJS + Prisma 的全面代码示例
安全性和性能注意事项

面向智能体的格式

所有规则都针对 AI 智能体进行了优化，包含：

明确的文件位置（例如 src/users/users.service.ts）
分步的 "For AI Agents" 部分
✅ 正确模式与 ❌ 错误模式的对比
快速参考清单
清晰的安装说明

框架 : NestJS 配合 Express/Fastify 适配器
运行时 : Bun（原生加密、调度）
数据库 : Prisma v7（sql 模板标签、交互式事务）
验证 : class-validator + class-transformer
安全性 : Helmet、CORS 白名单、速率限制
调度 : @nestjs/schedule 配合 cron/interval 装饰器
事件 : EventEmitter2 用于松耦合

获取包含所有规则详细说明的完整指南：AGENTS.md

cd packages/nestjs-best-practices-build
bun install
bun run build      # 生成 AGENTS.md
bun run validate   # 验证规则文件
bun run dev        # 构建并验证

13 个部分，涵盖 NestJS 开发的各个方面
26 条规则，按影响程度（关键、高、中）排序
兼容 Prisma v7 的数据库模式
Bun 运行时 原生功能（Crypto.hashPassword、@nestjs/schedule）
针对智能体优化，便于自动化代码生成和审查

🇺🇸English

NestJS Best Practices

Comprehensive guide for building production-ready NestJS applications. Contains 26 rules across 13 categories, covering security, architecture, performance, validation, database operations, authentication, and advanced patterns.

When to Apply

Reference these guidelines when:

Writing new NestJS modules, controllers, or services
Implementing authentication and authorization
Setting up Prisma database operations
Creating DTOs and validation pipes
Adding middleware or guards
Implementing error handling and logging
Reviewing NestJS code for best practices
Refactoring existing NestJS applications

Rule Categories by Priority

Priority	Category	Impact	Prefix
1	Security	CRITICAL	`security-`
2	Performance	HIGH	`performance-`
3	Architecture	HIGH	`architecture-`
4	Error Handling	HIGH	`error-handling-`
5	Validation	CRITICAL	`validation-`
6	Database	CRITICAL	`database-`
7	Authentication	CRITICAL	`auth-`
8	API	MEDIUM	`api-`
9	Configuration	CRITICAL	`config-`
10	Testing	MEDIUM	`testing-`
11	Deployment	MEDIUM	`deployment-`
12	Middleware	MEDIUM	`middleware-`
13	Advanced	HIGH	`advanced-`

Quick Reference

1. Security (CRITICAL)

security-cors-whitelist - Enable CORS with whitelist origins only
security-dependency-audit - Regular dependency security audits with bun
security-helmet-headers - Use Helmet middleware for security headers

2. Performance (HIGH)

performance-redis-caching - Cache frequently used data with Redis

3. Architecture (HIGH)

architecture-short-functions - Keep functions short and single purpose
architecture-feature-modules - Organize code by feature modules
architecture-no-dead-code - Remove unused code and dependencies
architecture-thin-controllers - Single responsibility - separate controller and service
architecture-naming-conventions - Use consistent naming conventions
architecture-event-driven - Use event-driven architecture for loose coupling

4. Error Handling (HIGH)

error-handling-exception-filter - Enable global exception filter
error-handling-structured-logging - Implement proper logging strategy

5. Validation (CRITICAL)

validation-custom-pipes - Create custom pipes for query parameter transformation
validation-dto-validation - Validate all inputs with DTOs and ValidationPipe

6. Database (CRITICAL)

database-parameterized-queries - Use parameterized queries to prevent SQL injection (Prisma v7)

7. Authentication (CRITICAL)

auth-password-hashing - Use Bun's built-in Crypto for secure password hashing (argon2/bcrypt)
auth-route-guards - Use guards for route protection

8. API (MEDIUM)

api-cursor-pagination - Use cursor-based pagination for large datasets
api-swagger-docs - Generate Swagger/OpenAPI documentation

9. Configuration (CRITICAL)

config-no-secrets - Never hardcode secrets - use environment variables

10. Testing (MEDIUM)

testing-unit-tests - Write comprehensive unit tests

11. Deployment (MEDIUM)

deployment-health-checks - Implement health check endpoints

12. Middleware (MEDIUM)

middleware-compression - Enable compression middleware for responses
middleware-rate-limiting - Implement rate limiting for all routes

13. Advanced (HIGH)

advanced-lazy-loading - Lazy load non-critical modules
advanced-scheduled-tasks - Use @nestjs/schedule for cron jobs and scheduled tasks

How to Use

Read individual rule files for detailed explanations and code examples:

rules/security-cors-whitelist.md
rules/auth-route-guards.md
rules/validation-dto-validation.md
rules/_sections.md

Each rule file contains:

"For AI Agents" section with step-by-step implementation instructions
Quick Reference Checklist for code review
❌ WRONG vs ✅ CORRECT patterns with file locations
Installation commands using bun add
Comprehensive code examples for NestJS + Prisma
Security and performance considerations

Key Patterns

Agent-Friendly Format

All rules are optimized for AI agents with:

Explicit file locations (e.g., src/users/users.service.ts)
Step-by-step "For AI Agents" sections
✅ CORRECT vs ❌ WRONG pattern comparisons
Quick Reference Checklists
Clear installation instructions

Technology Stack

Framework : NestJS with Express/Fastify adapter
Runtime : Bun (native crypto, scheduling)
Database : Prisma v7 (sql template tag, interactive transactions)
Validation : class-validator + class-transformer
Security : Helmet, CORS whitelisting, rate limiting
Scheduling : @nestjs/schedule with cron/interval decorators
Events : EventEmitter2 for loose coupling

Full Compiled Document

For the complete guide with all rules expanded: AGENTS.md

Build Commands

cd packages/nestjs-best-practices-build
bun install
bun run build      # Generate AGENTS.md
bun run validate   # Validate rule files
bun run dev        # Build and validate

Statistics

13 sections covering all aspects of NestJS development
26 rules prioritized by impact (CRITICAL, HIGH, MEDIUM)
Prisma v7 compatible database patterns
Bun runtime native features (Crypto.hashPassword, @nestjs/schedule)
Agent-optimized for automated code generation and review

Weekly Installs

104

Repository

xirothedev/agent-skills

GitHub Stars

First Seen

Jan 20, 2026

Security Audits

Gen Agent Trust HubPass SocketPass SnykPass

Installed on

gemini-cli92

opencode91

codex89

cursor88

github-copilot84

amp75

Node.js 环境配置指南：多环境管理、类型安全与最佳实践

10,500 周安装