@flusys/nestjs-shared 1.0.0-beta → 1.0.0-rc

package/cjs/utils/error-handler.util.js

@@ -8,28 +8,104 @@ Object.defineProperty(exports, "ErrorHandler", {
         return ErrorHandler;
     }
 });
+const _common = require("@nestjs/common");
+/** Check if running in production environment */ const IS_PRODUCTION = process.env.NODE_ENV === 'production';
+/** Sensitive keys that should be redacted from logs */ const SENSITIVE_KEYS = [
+    'password',
+    'secret',
+    'token',
+    'apiKey',
+    'credential',
+    'authorization'
+];
+/** Patterns that indicate sensitive data in error messages */ const SENSITIVE_PATTERNS = [
+    /password/i,
+    /secret/i,
+    /token/i,
+    /key/i,
+    /credential/i,
+    /authorization/i,
+    /bearer/i
+];
 let ErrorHandler = class ErrorHandler {
     /**
-   * Safely extract error message from unknown error
-   */ static getErrorMessage(error) {
+   * Safely extract error message from unknown error.
+   * @param error - The error to extract message from
+   * @param sanitizeForClient - If true, redacts potentially sensitive info in production
+   */ static getErrorMessage(error, sanitizeForClient = false) {
+        let message = 'Unknown error occurred';
         if (error instanceof Error) {
-            return error.message;
+            message = error.message;
+        } else if (typeof error === 'string') {
+            message = error;
         }
-        if (typeof error === 'string') {
-            return error;
+        // Sanitize for client responses in production
+        if (sanitizeForClient && IS_PRODUCTION) {
+            if (this.containsSensitiveData(message)) {
+                return 'An unexpected error occurred. Please try again later.';
+            }
         }
-        return 'Unknown error occurred';
+        return message;
+    }
+    /**
+   * Check if a string contains potentially sensitive data.
+   */ static containsSensitiveData(text) {
+        return SENSITIVE_PATTERNS.some((pattern)=>pattern.test(text));
     }
     /**
-   * Safely extract error stack from unknown error
-   */ static getErrorStack(error) {
+   * Safely extract error stack from unknown error.
+   * Returns undefined in production for client responses.
+   * @param error - The error to extract stack from
+   * @param forClient - If true, never returns stack in production
+   */ static getErrorStack(error, forClient = false) {
+        // Never expose stack traces to clients in production
+        if (forClient && IS_PRODUCTION) {
+            return undefined;
+        }
         if (error instanceof Error) {
             return error.stack;
         }
         return undefined;
     }
     /**
-   * Create error context object for logging
+   * Create a sanitized error response for clients.
+   * In production, sensitive data is redacted and stack traces removed.
+   */ static createClientError(error, statusCode = _common.HttpStatus.INTERNAL_SERVER_ERROR, code) {
+        const sanitizedError = {
+            message: this.getErrorMessage(error, true),
+            statusCode
+        };
+        if (code) {
+            sanitizedError.code = code;
+        }
+        // Include stack only in development
+        if (!IS_PRODUCTION) {
+            sanitizedError.stack = this.getErrorStack(error);
+        }
+        return sanitizedError;
+    }
+    /**
+   * Sanitize context data to redact sensitive fields from logs.
+   */ static sanitizeContextForLogging(context) {
+        const sanitized = {};
+        for (const [key, value] of Object.entries(context)){
+            // Check if key contains sensitive words
+            const isSensitive = SENSITIVE_KEYS.some((sk)=>key.toLowerCase().includes(sk.toLowerCase()));
+            if (isSensitive) {
+                sanitized[key] = '[REDACTED]';
+            } else if (Array.isArray(value)) {
+                sanitized[key] = value.map((item)=>typeof item === 'object' && item !== null ? this.sanitizeContextForLogging(item) : item);
+            } else if (typeof value === 'object' && value !== null) {
+                sanitized[key] = this.sanitizeContextForLogging(value);
+            } else {
+                sanitized[key] = value;
+            }
+        }
+        return sanitized;
+    }
+    /**
+   * Create error context object for internal logging.
+   * Context data is sanitized to redact sensitive fields.
    */ static createErrorContext(error, context) {
         const errorContext = {
             error: {
@@ -41,20 +117,22 @@ let ErrorHandler = class ErrorHandler {
             errorContext.error.name = error.name;
         }
         if (context && Object.keys(context).length > 0) {
-            errorContext.context = context;
+            // Sanitize context to redact sensitive fields
+            errorContext.context = this.sanitizeContextForLogging(context);
         }
         return errorContext;
     }
     /**
-   * Log error with consistent format
+   * Log error with consistent format.
+   * Sensitive data in context is automatically redacted.
    */ static logError(logger, error, operation, context) {
         const errorContext = this.createErrorContext(error, {
             operation,
             ...context
         });
         const errorMessage = `Failed to ${operation}: ${errorContext.error.message}`;
-        const loggerContext = logger.context || 'ErrorHandler';
-        logger.error(errorMessage, errorContext.error.stack, loggerContext, errorContext);
+        // Log full details internally (stack traces are fine for internal logs)
+        logger.error(errorMessage, errorContext.error.stack, errorContext);
     }
     /**
    * Re-throw error with proper type checking

package/cjs/utils/html-sanitizer.util.js

@@ -0,0 +1,74 @@
+/**
+ * HTML Sanitizer Utilities
+ *
+ * Provides functions for escaping HTML content to prevent XSS attacks.
+ * Use these utilities when interpolating user-provided variables into HTML content.
+ */ /**
+ * HTML entity mapping for escaping special characters
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get containsHtmlContent () {
+        return containsHtmlContent;
+    },
+    get escapeHtml () {
+        return escapeHtml;
+    },
+    get escapeHtmlVariables () {
+        return escapeHtmlVariables;
+    }
+});
+const HTML_ESCAPE_MAP = {
+    '&': '&',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#x27;',
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;'
+};
+/**
+ * Regex pattern matching characters that need HTML escaping
+ */ const HTML_ESCAPE_REGEX = /[&<>"'`=/]/g;
+function escapeHtml(str) {
+    if (!str || typeof str !== 'string') {
+        return str ?? '';
+    }
+    return str.replace(HTML_ESCAPE_REGEX, (char)=>HTML_ESCAPE_MAP[char] || char);
+}
+function escapeHtmlVariables(variables) {
+    if (!variables || typeof variables !== 'object') {
+        return {};
+    }
+    const escaped = {};
+    for (const [key, value] of Object.entries(variables)){
+        if (value === null || value === undefined) {
+            escaped[key] = '';
+        } else if (typeof value === 'string') {
+            escaped[key] = escapeHtml(value);
+        } else if (typeof value === 'object') {
+            // For objects/arrays, stringify and escape
+            escaped[key] = escapeHtml(JSON.stringify(value));
+        } else {
+            // For numbers, booleans, etc., convert to string (no escaping needed)
+            escaped[key] = String(value);
+        }
+    }
+    return escaped;
+}
+function containsHtmlContent(str) {
+    if (!str || typeof str !== 'string') {
+        return false;
+    }
+    // Check for common HTML patterns
+    return /<[a-z][\s\S]*>/i.test(str) || /javascript:/i.test(str) || /on\w+=/i.test(str);
+}

package/cjs/utils/index.js

@@ -3,6 +3,8 @@ Object.defineProperty(exports, "__esModule", {
     value: true
 });
 _export_star(require("./error-handler.util"), exports);
+_export_star(require("./html-sanitizer.util"), exports);
+_export_star(require("./query-helpers.util"), exports);
 function _export_star(from, to) {
     Object.keys(from).forEach(function(k) {
         if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {

package/cjs/utils/query-helpers.util.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get applyCompanyFilter () {
+        return applyCompanyFilter;
+    },
+    get buildCompanyWhereCondition () {
+        return buildCompanyWhereCondition;
+    },
+    get hasCompanyId () {
+        return hasCompanyId;
+    },
+    get validateCompanyOwnership () {
+        return validateCompanyOwnership;
+    }
+});
+const _common = require("@nestjs/common");
+function applyCompanyFilter(query, config, user) {
+    const columnName = config.columnName ?? 'companyId';
+    if (config.isCompanyFeatureEnabled && user?.companyId) {
+        query.andWhere(`${config.entityAlias}.${columnName} = :companyId`, {
+            companyId: user.companyId
+        });
+    }
+    return query;
+}
+function buildCompanyWhereCondition(baseWhere, isCompanyFeatureEnabled, user) {
+    if (isCompanyFeatureEnabled && user?.companyId) {
+        return {
+            ...baseWhere,
+            companyId: user.companyId
+        };
+    }
+    return baseWhere;
+}
+function hasCompanyId(entity) {
+    return entity !== null && typeof entity === 'object' && 'companyId' in entity;
+}
+function validateCompanyOwnership(entity, user, isCompanyFeatureEnabled, entityName) {
+    if (isCompanyFeatureEnabled && user?.companyId && hasCompanyId(entity)) {
+        if (entity.companyId && entity.companyId !== user.companyId) {
+            throw new _common.BadRequestException(`${entityName} belongs to another company`);
+        }
+    }
+}

package/classes/api-controller.class.d.ts

@@ -1,6 +1,6 @@
-import { BulkResponseDto, DeleteDto, FilterAndPaginationDto, GetByIdBodyDto, ListResponseDto, MessageResponseDto, SingleResponseDto } from '@flusys/nestjs-shared/dtos';
-import { Identity } from '@flusys/nestjs-shared/entities';
-import { ILoggedUserInfo, IService, PermissionCondition, PermissionOperator } from '@flusys/nestjs-shared/interfaces';
+import { BulkResponseDto, DeleteDto, FilterAndPaginationDto, GetByIdBodyDto, ListResponseDto, MessageResponseDto, SingleResponseDto } from '../dtos';
+import { Identity } from '../entities';
+import { ILoggedUserInfo, IService, PermissionCondition, PermissionOperator } from '../interfaces';
 import { Type } from '@nestjs/common';
 export type ApiEndpoint = 'insert' | 'insertMany' | 'getById' | 'getAll' | 'update' | 'updateMany' | 'delete';
 export type SecurityLevel = 'public' | 'jwt' | 'permission';
@@ -16,9 +16,9 @@ export type ApiSecurityConfig = {
 export interface ApiControllerOptions {
     security?: ApiSecurityConfig | EndpointSecurity | SecurityLevel;
 }
-export declare function createApiController<CreateDtoT extends Record<string, unknown>, UpdateDtoT extends {
+export declare function createApiController<CreateDtoT extends object, UpdateDtoT extends {
     id: string;
-}, ResponseDtoT extends Record<string, unknown>, InterfaceT extends Identity, ServiceT extends IService<CreateDtoT, UpdateDtoT, InterfaceT>>(createDtoClass: Type<CreateDtoT>, updateDtoClass: Type<UpdateDtoT>, responseDtoClass: Type<ResponseDtoT>, options?: ApiControllerOptions): abstract new (service: ServiceT) => {
+}, ResponseDtoT extends object, InterfaceT extends Identity, ServiceT extends IService<CreateDtoT, UpdateDtoT, InterfaceT>>(createDtoClass: Type<CreateDtoT>, updateDtoClass: Type<UpdateDtoT>, responseDtoClass: Type<ResponseDtoT>, options?: ApiControllerOptions): abstract new (service: ServiceT) => {
     service: ServiceT;
     insert(addDto: CreateDtoT, user: ILoggedUserInfo | null): Promise<SingleResponseDto<ResponseDtoT>>;
     insertMany(addDto: CreateDtoT[], user: ILoggedUserInfo | null): Promise<BulkResponseDto<ResponseDtoT>>;

package/classes/api-service.class.d.ts

@@ -1,11 +1,11 @@
-import { DeleteDto, FilterAndPaginationDto } from '@flusys/nestjs-shared/dtos';
-import { Identity } from '@flusys/nestjs-shared/entities';
-import { ILoggedUserInfo, IService } from '@flusys/nestjs-shared/interfaces';
-import { UtilsService } from '@flusys/nestjs-shared/modules';
+import { DeleteDto, FilterAndPaginationDto } from '../dtos';
+import { Identity } from '../entities';
+import { ILoggedUserInfo, IService } from '../interfaces';
+import { UtilsService } from '../modules/utils/utils.service';
 import { Logger } from '@nestjs/common';
 import { QueryRunner, Repository, SelectQueryBuilder } from 'typeorm';
 import { HybridCache } from './hybrid-cache.class';
-export declare abstract class ApiService<CreateDtoT extends Record<string, unknown>, UpdateDtoT extends {
+export declare abstract class ApiService<CreateDtoT extends object, UpdateDtoT extends {
     id: string;
 }, InterfaceT extends Identity, EntityT extends Identity, RepositoryT extends Repository<EntityT>> implements IService<CreateDtoT, UpdateDtoT, InterfaceT> {
     protected entityName: string;

package/classes/index.d.ts

@@ -4,3 +4,4 @@ export * from './request-scoped-api.service';
 export * from './hybrid-cache.class';
 export * from './winston-logger-adapter.class';
 export * from './winston.logger.class';
+export * from '../constants/permissions';

package/classes/request-scoped-api.service.d.ts

@@ -1,12 +1,13 @@
 import { DataSource, EntityTarget, Repository } from 'typeorm';
 import { Identity } from '../entities';
+import { IDataSourceProvider } from '../interfaces';
 import { ApiService } from './api-service.class';
-export declare abstract class RequestScopedApiService<CreateDtoT extends Record<string, unknown>, UpdateDtoT extends {
+export declare abstract class RequestScopedApiService<CreateDtoT extends object, UpdateDtoT extends {
     id: string;
 }, InterfaceT extends Identity, EntityT extends Identity, RepositoryT extends Repository<EntityT>> extends ApiService<CreateDtoT, UpdateDtoT, InterfaceT, EntityT, RepositoryT> {
     private repositoryInitialized;
     protected abstract resolveEntity(): EntityTarget<EntityT>;
-    protected abstract getDataSourceProvider(): any;
+    protected abstract getDataSourceProvider(): IDataSourceProvider;
     protected ensureRepositoryInitialized(): Promise<void>;
     protected initializeAdditionalRepositories(entities: EntityTarget<any>[]): Promise<Repository<any>[]>;
     protected getDataSourceForService(): Promise<DataSource>;

package/constants/index.d.ts

@@ -8,3 +8,4 @@ export declare const REQUEST_ID_HEADER = "x-request-id";
 export declare const CLIENT_TYPE_HEADER = "x-client-type";
 export declare const PERMISSIONS_CACHE_PREFIX = "permissions";
 export declare const IDEMPOTENCY_CACHE_PREFIX = "idempotency";
+export * from './permissions';

package/constants/permissions.d.ts

@@ -0,0 +1,167 @@
+export declare const USER_PERMISSIONS: {
+    readonly CREATE: "user.create";
+    readonly READ: "user.read";
+    readonly UPDATE: "user.update";
+    readonly DELETE: "user.delete";
+};
+export declare const COMPANY_PERMISSIONS: {
+    readonly CREATE: "company.create";
+    readonly READ: "company.read";
+    readonly UPDATE: "company.update";
+    readonly DELETE: "company.delete";
+};
+export declare const BRANCH_PERMISSIONS: {
+    readonly CREATE: "branch.create";
+    readonly READ: "branch.read";
+    readonly UPDATE: "branch.update";
+    readonly DELETE: "branch.delete";
+};
+export declare const ACTION_PERMISSIONS: {
+    readonly CREATE: "action.create";
+    readonly READ: "action.read";
+    readonly UPDATE: "action.update";
+    readonly DELETE: "action.delete";
+};
+export declare const ROLE_PERMISSIONS: {
+    readonly CREATE: "role.create";
+    readonly READ: "role.read";
+    readonly UPDATE: "role.update";
+    readonly DELETE: "role.delete";
+};
+export declare const ROLE_ACTION_PERMISSIONS: {
+    readonly READ: "role-action.read";
+    readonly ASSIGN: "role-action.assign";
+};
+export declare const USER_ROLE_PERMISSIONS: {
+    readonly READ: "user-role.read";
+    readonly ASSIGN: "user-role.assign";
+};
+export declare const USER_ACTION_PERMISSIONS: {
+    readonly READ: "user-action.read";
+    readonly ASSIGN: "user-action.assign";
+};
+export declare const COMPANY_ACTION_PERMISSIONS: {
+    readonly READ: "company-action.read";
+    readonly ASSIGN: "company-action.assign";
+};
+export declare const FILE_PERMISSIONS: {
+    readonly CREATE: "file.create";
+    readonly READ: "file.read";
+    readonly UPDATE: "file.update";
+    readonly DELETE: "file.delete";
+};
+export declare const FOLDER_PERMISSIONS: {
+    readonly CREATE: "folder.create";
+    readonly READ: "folder.read";
+    readonly UPDATE: "folder.update";
+    readonly DELETE: "folder.delete";
+};
+export declare const STORAGE_CONFIG_PERMISSIONS: {
+    readonly CREATE: "storage-config.create";
+    readonly READ: "storage-config.read";
+    readonly UPDATE: "storage-config.update";
+    readonly DELETE: "storage-config.delete";
+};
+export declare const EMAIL_CONFIG_PERMISSIONS: {
+    readonly CREATE: "email-config.create";
+    readonly READ: "email-config.read";
+    readonly UPDATE: "email-config.update";
+    readonly DELETE: "email-config.delete";
+};
+export declare const EMAIL_TEMPLATE_PERMISSIONS: {
+    readonly CREATE: "email-template.create";
+    readonly READ: "email-template.read";
+    readonly UPDATE: "email-template.update";
+    readonly DELETE: "email-template.delete";
+};
+export declare const FORM_PERMISSIONS: {
+    readonly CREATE: "form.create";
+    readonly READ: "form.read";
+    readonly UPDATE: "form.update";
+    readonly DELETE: "form.delete";
+};
+export declare const PERMISSIONS: {
+    readonly USER: {
+        readonly CREATE: "user.create";
+        readonly READ: "user.read";
+        readonly UPDATE: "user.update";
+        readonly DELETE: "user.delete";
+    };
+    readonly COMPANY: {
+        readonly CREATE: "company.create";
+        readonly READ: "company.read";
+        readonly UPDATE: "company.update";
+        readonly DELETE: "company.delete";
+    };
+    readonly BRANCH: {
+        readonly CREATE: "branch.create";
+        readonly READ: "branch.read";
+        readonly UPDATE: "branch.update";
+        readonly DELETE: "branch.delete";
+    };
+    readonly ACTION: {
+        readonly CREATE: "action.create";
+        readonly READ: "action.read";
+        readonly UPDATE: "action.update";
+        readonly DELETE: "action.delete";
+    };
+    readonly ROLE: {
+        readonly CREATE: "role.create";
+        readonly READ: "role.read";
+        readonly UPDATE: "role.update";
+        readonly DELETE: "role.delete";
+    };
+    readonly ROLE_ACTION: {
+        readonly READ: "role-action.read";
+        readonly ASSIGN: "role-action.assign";
+    };
+    readonly USER_ROLE: {
+        readonly READ: "user-role.read";
+        readonly ASSIGN: "user-role.assign";
+    };
+    readonly USER_ACTION: {
+        readonly READ: "user-action.read";
+        readonly ASSIGN: "user-action.assign";
+    };
+    readonly COMPANY_ACTION: {
+        readonly READ: "company-action.read";
+        readonly ASSIGN: "company-action.assign";
+    };
+    readonly FILE: {
+        readonly CREATE: "file.create";
+        readonly READ: "file.read";
+        readonly UPDATE: "file.update";
+        readonly DELETE: "file.delete";
+    };
+    readonly FOLDER: {
+        readonly CREATE: "folder.create";
+        readonly READ: "folder.read";
+        readonly UPDATE: "folder.update";
+        readonly DELETE: "folder.delete";
+    };
+    readonly STORAGE_CONFIG: {
+        readonly CREATE: "storage-config.create";
+        readonly READ: "storage-config.read";
+        readonly UPDATE: "storage-config.update";
+        readonly DELETE: "storage-config.delete";
+    };
+    readonly EMAIL_CONFIG: {
+        readonly CREATE: "email-config.create";
+        readonly READ: "email-config.read";
+        readonly UPDATE: "email-config.update";
+        readonly DELETE: "email-config.delete";
+    };
+    readonly EMAIL_TEMPLATE: {
+        readonly CREATE: "email-template.create";
+        readonly READ: "email-template.read";
+        readonly UPDATE: "email-template.update";
+        readonly DELETE: "email-template.delete";
+    };
+    readonly FORM: {
+        readonly CREATE: "form.create";
+        readonly READ: "form.read";
+        readonly UPDATE: "form.update";
+        readonly DELETE: "form.delete";
+    };
+};
+export type PermissionCode = (typeof PERMISSIONS)[keyof typeof PERMISSIONS][keyof (typeof PERMISSIONS)[keyof typeof PERMISSIONS]];

package/decorators/index.d.ts

@@ -2,3 +2,4 @@ export * from './api-response.decorator';
 export * from './current-user.decorator';
 export * from './public.decorator';
 export * from './require-permission.decorator';
+export * from './sanitize-html.decorator';

package/decorators/sanitize-html.decorator.d.ts

@@ -0,0 +1,2 @@
+export declare function SanitizeHtml(): PropertyDecorator;
+export declare function SanitizeAndTrim(): PropertyDecorator;

package/dtos/filter-and-pagination.dto.d.ts

@@ -5,9 +5,7 @@ export declare class FilterAndPaginationDto {
     sort?: Record<string, 'ASC' | 'DESC'>;
     select?: string[];
     withDeleted?: boolean;
-    extraKey?: string[];
 }
 export declare class GetByIdBodyDto {
     select?: string[];
-    extraKey?: string[];
 }

package/dtos/response-payload.dto.d.ts

@@ -53,11 +53,4 @@ export declare class ErrorResponseDto {
     errors?: ValidationErrorDto[];
     _meta?: RequestMetaDto;
 }
-export declare class ResponsePayloadDto<T> {
-    success: boolean;
-    message: string;
-    data?: T;
-    meta?: PaginationMetaDto | BulkMetaDto;
-    _meta?: RequestMetaDto;
-}
 export type ApiResponse<T> = SingleResponseDto<T> | ListResponseDto<T> | BulkResponseDto<T> | MessageResponseDto | ErrorResponseDto;

package/fesm/classes/api-controller.class.js

@@ -25,10 +25,10 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { CurrentUser, Public, RequirePermission, RequireAnyPermission, RequirePermissionCondition } from '@flusys/nestjs-shared/decorators';
-import { DeleteDto, FilterAndPaginationDto, GetByIdBodyDto } from '@flusys/nestjs-shared/dtos';
-import { JwtAuthGuard, PermissionGuard } from '@flusys/nestjs-shared/guards';
-import { IdempotencyInterceptor, SetCreatedByOnBody, SetDeletedByOnBody, SetUpdateByOnBody, Slug } from '@flusys/nestjs-shared/interceptors';
+import { CurrentUser, Public, RequirePermission, RequireAnyPermission, RequirePermissionCondition } from '../decorators';
+import { DeleteDto, FilterAndPaginationDto, GetByIdBodyDto } from '../dtos';
+import { JwtAuthGuard, PermissionGuard } from '../guards';
+import { IdempotencyInterceptor, SetCreatedByOnBody, SetDeletedByOnBody, SetUpdateByOnBody, Slug } from '../interceptors';
 import { applyDecorators, Body, HttpCode, HttpStatus, Param, Post, Query, UseGuards, UseInterceptors, Version, VERSION_NEUTRAL } from '@nestjs/common';
 import { ApiBearerAuth, ApiBody, ApiHeader, ApiOperation, ApiParam, ApiQuery, ApiResponse } from '@nestjs/swagger';
 import { plainToInstance } from 'class-transformer';
@@ -94,8 +94,10 @@ import { ApiResponseDto } from '../decorators/api-response.decorator';
     // 2. It's an object with 'level' property but no endpoint keys
     const isGlobalSecurity = typeof securityConfig === 'string' || securityConfig && typeof securityConfig === 'object' && 'level' in securityConfig && !endpointKeys.some((key)=>key in securityConfig);
     // Normalize security config for each endpoint
+    // IMPORTANT: When per-endpoint security is specified, default to 'jwt' for unconfigured endpoints
+    // to prevent accidentally exposing endpoints without authentication
     const defaultSecurity = isGlobalSecurity ? normalizeSecurity(securityConfig) : {
-        level: 'public'
+        level: 'jwt'
     };
     const security = {
         insert: isGlobalSecurity ? defaultSecurity : normalizeSecurity(securityConfig?.insert),
@@ -337,16 +339,7 @@ import { ApiResponseDto } from '../decorators/api-response.decorator';
         HttpCode(HttpStatus.OK),
         ApiOperation({
             summary: 'Get all items with filters and pagination',
-            description: `
-Retrieves items with support for:
-- **filter**: Apply field-based filters (e.g., \`{ "isActive": true }\`)
-- **pagination**: Control page and page size
-- **sort**: Order by any field (e.g., \`{ "createdAt": "DESC" }\`)
-- **select**: Choose specific fields to return
-- **withDeleted**: Include soft-deleted items
-- **extraKey**: Include additional relations
-- **q** (query param): Global text search
-      `
+            description: 'Supports filter, pagination, sort, select, withDeleted, and q (search) params'
         }),
         ApiQuery({
             name: 'q',
@@ -375,15 +368,7 @@ Retrieves items with support for:
         HttpCode(HttpStatus.OK),
         ApiOperation({
             summary: 'Delete, restore, or permanently remove items',
-            description: `
-Performs one of three actions:
-
-- **"delete"** (soft delete): Marks items as deleted but keeps in database
-- **"restore"**: Reverts soft-deleted items to active
-- **"permanent"**: Completely removes items from database
-
-Supports single ID or array of IDs for batch operations.
-      `
+            description: 'Types: delete (soft), restore, permanent. Supports batch IDs.'
         }),
         ApiResponse({
             status: 200,

package/fesm/classes/index.js

@@ -4,3 +4,5 @@ export * from './request-scoped-api.service';
 export * from './hybrid-cache.class';
 export * from './winston-logger-adapter.class';
 export * from './winston.logger.class';
+// Re-export permission constants for convenience
+export * from '../constants/permissions';

package/fesm/constants/index.js

@@ -12,3 +12,5 @@ export const CLIENT_TYPE_HEADER = 'x-client-type';
 // Cache key prefixes
 export const PERMISSIONS_CACHE_PREFIX = 'permissions';
 export const IDEMPOTENCY_CACHE_PREFIX = 'idempotency';
+// Permission codes
+export * from './permissions';