@flusys/nestjs-shared 1.0.0-beta → 1.0.0-rc

package/fesm/constants/permissions.js

@@ -0,0 +1,121 @@
+/**
+ * Centralized Permission Codes
+ *
+ * Single source of truth for all permission codes used across the application.
+ * Use these constants instead of hardcoded strings to prevent typos and enable easy refactoring.
+ *
+ * Naming Convention: <entity>.<action>
+ * - entity: The resource being accessed (e.g., user, role, company)
+ * - action: The operation being performed (create, read, update, delete, assign)
+ */ // ==================== AUTH MODULE ====================
+export const USER_PERMISSIONS = {
+    CREATE: 'user.create',
+    READ: 'user.read',
+    UPDATE: 'user.update',
+    DELETE: 'user.delete'
+};
+export const COMPANY_PERMISSIONS = {
+    CREATE: 'company.create',
+    READ: 'company.read',
+    UPDATE: 'company.update',
+    DELETE: 'company.delete'
+};
+export const BRANCH_PERMISSIONS = {
+    CREATE: 'branch.create',
+    READ: 'branch.read',
+    UPDATE: 'branch.update',
+    DELETE: 'branch.delete'
+};
+// ==================== IAM MODULE ====================
+export const ACTION_PERMISSIONS = {
+    CREATE: 'action.create',
+    READ: 'action.read',
+    UPDATE: 'action.update',
+    DELETE: 'action.delete'
+};
+export const ROLE_PERMISSIONS = {
+    CREATE: 'role.create',
+    READ: 'role.read',
+    UPDATE: 'role.update',
+    DELETE: 'role.delete'
+};
+export const ROLE_ACTION_PERMISSIONS = {
+    READ: 'role-action.read',
+    ASSIGN: 'role-action.assign'
+};
+export const USER_ROLE_PERMISSIONS = {
+    READ: 'user-role.read',
+    ASSIGN: 'user-role.assign'
+};
+export const USER_ACTION_PERMISSIONS = {
+    READ: 'user-action.read',
+    ASSIGN: 'user-action.assign'
+};
+export const COMPANY_ACTION_PERMISSIONS = {
+    READ: 'company-action.read',
+    ASSIGN: 'company-action.assign'
+};
+// ==================== STORAGE MODULE ====================
+export const FILE_PERMISSIONS = {
+    CREATE: 'file.create',
+    READ: 'file.read',
+    UPDATE: 'file.update',
+    DELETE: 'file.delete'
+};
+export const FOLDER_PERMISSIONS = {
+    CREATE: 'folder.create',
+    READ: 'folder.read',
+    UPDATE: 'folder.update',
+    DELETE: 'folder.delete'
+};
+export const STORAGE_CONFIG_PERMISSIONS = {
+    CREATE: 'storage-config.create',
+    READ: 'storage-config.read',
+    UPDATE: 'storage-config.update',
+    DELETE: 'storage-config.delete'
+};
+// ==================== EMAIL MODULE ====================
+export const EMAIL_CONFIG_PERMISSIONS = {
+    CREATE: 'email-config.create',
+    READ: 'email-config.read',
+    UPDATE: 'email-config.update',
+    DELETE: 'email-config.delete'
+};
+export const EMAIL_TEMPLATE_PERMISSIONS = {
+    CREATE: 'email-template.create',
+    READ: 'email-template.read',
+    UPDATE: 'email-template.update',
+    DELETE: 'email-template.delete'
+};
+// ==================== FORM BUILDER MODULE ====================
+export const FORM_PERMISSIONS = {
+    CREATE: 'form.create',
+    READ: 'form.read',
+    UPDATE: 'form.update',
+    DELETE: 'form.delete'
+};
+// ==================== AGGREGATED EXPORTS ====================
+/**
+ * All permission codes grouped by module
+ */ export const PERMISSIONS = {
+    // Auth
+    USER: USER_PERMISSIONS,
+    COMPANY: COMPANY_PERMISSIONS,
+    BRANCH: BRANCH_PERMISSIONS,
+    // IAM
+    ACTION: ACTION_PERMISSIONS,
+    ROLE: ROLE_PERMISSIONS,
+    ROLE_ACTION: ROLE_ACTION_PERMISSIONS,
+    USER_ROLE: USER_ROLE_PERMISSIONS,
+    USER_ACTION: USER_ACTION_PERMISSIONS,
+    COMPANY_ACTION: COMPANY_ACTION_PERMISSIONS,
+    // Storage
+    FILE: FILE_PERMISSIONS,
+    FOLDER: FOLDER_PERMISSIONS,
+    STORAGE_CONFIG: STORAGE_CONFIG_PERMISSIONS,
+    // Email
+    EMAIL_CONFIG: EMAIL_CONFIG_PERMISSIONS,
+    EMAIL_TEMPLATE: EMAIL_TEMPLATE_PERMISSIONS,
+    // Form Builder
+    FORM: FORM_PERMISSIONS
+};

package/fesm/decorators/api-response.decorator.js

@@ -1,4 +1,4 @@
-import { BulkMetaDto, BulkResponseDto, ListResponseDto, PaginationMetaDto, SingleResponseDto } from '@flusys/nestjs-shared/dtos';
+import { BulkMetaDto, BulkResponseDto, ListResponseDto, PaginationMetaDto, SingleResponseDto } from '../dtos';
 import { applyDecorators } from '@nestjs/common';
 import { ApiExtraModels, ApiOkResponse, getSchemaPath } from '@nestjs/swagger';
 /**

package/fesm/decorators/index.js

@@ -2,3 +2,4 @@ export * from './api-response.decorator';
 export * from './current-user.decorator';
 export * from './public.decorator';
 export * from './require-permission.decorator';
+export * from './sanitize-html.decorator';

package/fesm/decorators/sanitize-html.decorator.js

@@ -0,0 +1,45 @@
+import { Transform } from 'class-transformer';
+import { escapeHtml } from '../utils/html-sanitizer.util';
+/**
+ * Decorator that sanitizes HTML content in string fields to prevent XSS attacks.
+ * Applies HTML escaping during transformation (when class-transformer processes the DTO).
+ *
+ * @example
+ * ```typescript
+ * class CreateCommentDto {
+ *   @SanitizeHtml()
+ *   @IsString()
+ *   content: string;
+ * }
+ * ```
+ *
+ * Input: '<script>alert("xss")</script>'
+ * Output: '&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;'
+ */ export function SanitizeHtml() {
+    return Transform(({ value })=>{
+        if (typeof value === 'string') {
+            return escapeHtml(value);
+        }
+        return value;
+    });
+}
+/**
+ * Decorator that sanitizes HTML and trims whitespace from string fields.
+ * Combines sanitization with trimming for cleaner input handling.
+ *
+ * @example
+ * ```typescript
+ * class CreatePostDto {
+ *   @SanitizeAndTrim()
+ *   @IsString()
+ *   title: string;
+ * }
+ * ```
+ */ export function SanitizeAndTrim() {
+    return Transform(({ value })=>{
+        if (typeof value === 'string') {
+            return escapeHtml(value.trim());
+        }
+        return value;
+    });
+}

package/fesm/dtos/filter-and-pagination.dto.js

@@ -22,27 +22,15 @@ function _ts_metadata(k, v) {
 }
 import { ApiPropertyOptional } from '@nestjs/swagger';
 import { Type } from 'class-transformer';
-import { IsArray, IsBoolean, IsObject, IsOptional, ValidateNested } from 'class-validator';
+import { IsArray, IsBoolean, IsObject, IsOptional, IsString, Matches, MaxLength, ValidateNested } from 'class-validator';
 import { PaginationDto } from './pagination.dto';
-/**
- * DTO for filtering and pagination in get-all requests
- *
- * @example
- * {
- *   "filter": { "isActive": true, "category": "electronics" },
- *   "pagination": { "currentPage": 0, "pageSize": 10 },
- *   "sort": { "createdAt": "DESC" },
- *   "select": ["id", "name", "price"],
- *   "withDeleted": false
- * }
- */ export class FilterAndPaginationDto {
+export class FilterAndPaginationDto {
     constructor(){
         _define_property(this, "filter", void 0);
         _define_property(this, "pagination", void 0);
         _define_property(this, "sort", void 0);
         _define_property(this, "select", void 0);
         _define_property(this, "withDeleted", void 0);
-        _define_property(this, "extraKey", void 0);
     }
 }
 _ts_decorate([
@@ -90,7 +78,7 @@ _ts_decorate([
         type: [
             String
         ],
-        description: 'Fields to return. If empty, returns all fields.',
+        description: 'Fields to return. Must be valid field names (alphanumeric, underscores only). If empty, returns all fields.',
         example: [
             'id',
             'name',
@@ -100,6 +88,17 @@ _ts_decorate([
     }),
     IsOptional(),
     IsArray(),
+    IsString({
+        each: true
+    }),
+    Matches(/^[a-zA-Z_][a-zA-Z0-9_]*$/, {
+        each: true,
+        message: 'Select fields must be valid identifiers (alphanumeric and underscores only)'
+    }),
+    MaxLength(64, {
+        each: true,
+        message: 'Field names must be 64 characters or less'
+    }),
     _ts_metadata("design:type", Array)
 ], FilterAndPaginationDto.prototype, "select", void 0);
 _ts_decorate([
@@ -112,27 +111,11 @@ _ts_decorate([
     IsBoolean(),
     _ts_metadata("design:type", Boolean)
 ], FilterAndPaginationDto.prototype, "withDeleted", void 0);
-_ts_decorate([
-    ApiPropertyOptional({
-        type: [
-            String
-        ],
-        description: 'Additional relation keys to include',
-        example: [
-            'category',
-            'createdBy'
-        ]
-    }),
-    IsOptional(),
-    IsArray(),
-    _ts_metadata("design:type", Array)
-], FilterAndPaginationDto.prototype, "extraKey", void 0);
 /**
  * DTO for get-by-id request body
  */ export class GetByIdBodyDto {
     constructor(){
         _define_property(this, "select", void 0);
-        _define_property(this, "extraKey", void 0);
     }
 }
 _ts_decorate([
@@ -140,7 +123,7 @@ _ts_decorate([
         type: [
             String
         ],
-        description: 'Fields to return. If empty, returns all fields.',
+        description: 'Fields to return. Must be valid field names (alphanumeric, underscores only). If empty, returns all fields.',
         example: [
             'id',
             'name',
@@ -150,20 +133,16 @@ _ts_decorate([
     }),
     IsOptional(),
     IsArray(),
-    _ts_metadata("design:type", Array)
-], GetByIdBodyDto.prototype, "select", void 0);
-_ts_decorate([
-    ApiPropertyOptional({
-        type: [
-            String
-        ],
-        description: 'Additional relation keys to include',
-        example: [
-            'category',
-            'createdBy'
-        ]
+    IsString({
+        each: true
+    }),
+    Matches(/^[a-zA-Z_][a-zA-Z0-9_]*$/, {
+        each: true,
+        message: 'Select fields must be valid identifiers (alphanumeric and underscores only)'
+    }),
+    MaxLength(64, {
+        each: true,
+        message: 'Field names must be 64 characters or less'
     }),
-    IsOptional(),
-    IsArray(),
     _ts_metadata("design:type", Array)
-], GetByIdBodyDto.prototype, "extraKey", void 0);
+], GetByIdBodyDto.prototype, "select", void 0);

package/fesm/dtos/pagination.dto.js

@@ -25,17 +25,13 @@ import { Transform } from 'class-transformer';
 import { IsNumber, IsOptional } from 'class-validator';
 export class PaginationDto {
     constructor(){
-        /**
-   * Number of items per page. Defaults to 10 when not provided or invalid.
-   */ _define_property(this, "pageSize", 10);
-        /**
-   * Zero-based page index. Defaults to 0 when not provided or invalid.
-   */ _define_property(this, "currentPage", 0);
+        _define_property(this, "pageSize", 10);
+        _define_property(this, "currentPage", 0);
     }
 }
 _ts_decorate([
     ApiPropertyOptional({
-        description: 'Number of items per page. Defaults to 10 when not provided or invalid.',
+        description: 'Number of items per page (default: 10)',
         example: 10
     }),
     IsOptional(),
@@ -48,7 +44,7 @@ _ts_decorate([
 ], PaginationDto.prototype, "pageSize", void 0);
 _ts_decorate([
     ApiPropertyOptional({
-        description: 'Zero-based page index. Defaults to 0 when not provided or invalid.',
+        description: 'Zero-based page index (default: 0)',
         example: 0
     }),
     IsOptional(),

package/fesm/dtos/response-payload.dto.js

@@ -331,41 +331,3 @@ _ts_decorate([
 ErrorResponseDto = _ts_decorate([
     ApiExtraModels()
 ], ErrorResponseDto);
-export class ResponsePayloadDto {
-    constructor(){
-        _define_property(this, "success", void 0);
-        _define_property(this, "message", void 0);
-        _define_property(this, "data", void 0);
-        _define_property(this, "meta", void 0);
-        _define_property(this, "_meta", void 0);
-    }
-}
-_ts_decorate([
-    ApiProperty({
-        example: true
-    }),
-    _ts_metadata("design:type", Boolean)
-], ResponsePayloadDto.prototype, "success", void 0);
-_ts_decorate([
-    ApiProperty({
-        example: 'Operation successful'
-    }),
-    _ts_metadata("design:type", String)
-], ResponsePayloadDto.prototype, "message", void 0);
-_ts_decorate([
-    ApiPropertyOptional(),
-    _ts_metadata("design:type", typeof T === "undefined" ? Object : T)
-], ResponsePayloadDto.prototype, "data", void 0);
-_ts_decorate([
-    ApiPropertyOptional(),
-    _ts_metadata("design:type", Object)
-], ResponsePayloadDto.prototype, "meta", void 0);
-_ts_decorate([
-    ApiPropertyOptional({
-        type: RequestMetaDto
-    }),
-    _ts_metadata("design:type", typeof RequestMetaDto === "undefined" ? Object : RequestMetaDto)
-], ResponsePayloadDto.prototype, "_meta", void 0);
-ResponsePayloadDto = _ts_decorate([
-    ApiExtraModels()
-], ResponsePayloadDto);

package/fesm/entities/identity.js

@@ -26,10 +26,10 @@ export class Identity {
         _define_property(this, "id", void 0);
         _define_property(this, "createdAt", void 0);
         _define_property(this, "updatedAt", void 0);
-        _define_property(this, "deletedAt", void 0);
-        _define_property(this, "createdById", void 0);
-        _define_property(this, "updatedById", void 0);
-        _define_property(this, "deletedById", void 0);
+        _define_property(this, "deletedAt", null);
+        _define_property(this, "createdById", null);
+        _define_property(this, "updatedById", null);
+        _define_property(this, "deletedById", null);
     }
 }
 _ts_decorate([

package/fesm/entities/user-root.js

@@ -24,23 +24,22 @@ import { Column, CreateDateColumn, DeleteDateColumn, PrimaryGeneratedColumn, Upd
 export class UserRoot {
     constructor(){
         _define_property(this, "id", void 0);
-        _define_property(this, "name", void 0);
-        _define_property(this, "password", void 0);
+        _define_property(this, "name", null);
+        _define_property(this, "password", null);
         _define_property(this, "email", void 0);
-        _define_property(this, "phone", void 0);
-        _define_property(this, "isActive", void 0);
-        _define_property(this, "emailVerified", void 0);
-        _define_property(this, "phoneVerified", void 0);
-        _define_property(this, "profilePictureId", void 0);
-        _define_property(this, "lastLoginAt", void 0);
-        _define_property(this, "additionalFields", void 0);
+        _define_property(this, "phone", null);
+        _define_property(this, "isActive", true);
+        _define_property(this, "emailVerified", false);
+        _define_property(this, "phoneVerified", false);
+        _define_property(this, "profilePictureId", null);
+        _define_property(this, "lastLoginAt", null);
+        _define_property(this, "additionalFields", null);
         _define_property(this, "createdAt", void 0);
         _define_property(this, "updatedAt", void 0);
-        _define_property(this, "deletedAt", void 0);
-        // Audit columns (for ApiService compatibility)
-        _define_property(this, "createdById", void 0);
-        _define_property(this, "updatedById", void 0);
-        _define_property(this, "deletedById", void 0);
+        _define_property(this, "deletedAt", null);
+        _define_property(this, "createdById", null);
+        _define_property(this, "updatedById", null);
+        _define_property(this, "deletedById", null);
     }
 }
 _ts_decorate([

package/fesm/guards/permission.guard.js

@@ -35,106 +35,79 @@ import { ILogger } from '../interfaces/logger.interface';
 import { PermissionGuardConfig } from '../interfaces/permission.interface';
 export class PermissionGuard {
     async canActivate(context) {
-        // Check if route is marked as public
         const isPublic = this.reflector.getAllAndOverride(IS_PUBLIC_KEY, [
             context.getHandler(),
             context.getClass()
         ]);
         if (isPublic) return true;
-        // Get required permissions from decorator
         const permissionConfig = this.reflector.getAllAndOverride(PERMISSIONS_KEY, [
             context.getHandler(),
             context.getClass()
         ]);
-        // If no permissions required, allow access
-        if (!permissionConfig) {
-            return true;
-        }
-        // Normalize permission config (support old format: string[])
+        if (!permissionConfig) return true;
         const { permissions: requiredPermissions, operator } = this.normalizePermissionConfig(permissionConfig);
-        // If no permissions required, allow access
-        if (!requiredPermissions || requiredPermissions.length === 0) {
-            return true;
-        }
+        if (!requiredPermissions || requiredPermissions.length === 0) return true;
         const request = context.switchToHttp().getRequest();
         const user = request.user;
-        // User must be authenticated
-        if (!user) {
-            throw new UnauthorizedException('Authentication required');
-        }
-        // Cache is required for permission checks - fail securely if unavailable
+        if (!user) throw new UnauthorizedException('Authentication required');
         if (!this.cache) {
-            // Log error (in production, this should be monitored)
-            this.logger.error(`Cache not available - permission system unavailable (userId: ${user.id})`, undefined, 'PermissionGuard');
-            // Fail securely - deny access rather than allowing without permission check
+            this.logger.error(`Cache not available (userId: ${user.id})`, undefined, 'PermissionGuard');
             throw new PermissionSystemUnavailableException();
         }
-        // Get user's permissions from cache
         const userPermissions = await this.getUserPermissions(user);
-        // If no permissions found in cache, deny access
         if (!userPermissions || userPermissions.length === 0) {
-            this.logger.warn(`No permissions found for user (userId: ${user.id})`, 'PermissionGuard');
+            this.logger.warn(`No permissions found (userId: ${user.id})`, 'PermissionGuard');
             throw new NoPermissionsFoundException();
         }
-        // Check if this is a nested condition or simple permission list
         if (this.isNestedCondition(permissionConfig)) {
-            // Complex nested permission check
             const result = this.evaluateCondition(permissionConfig, userPermissions);
             if (!result.passed) {
-                this.logger.warn(`Permission check failed (userId: ${user.id}, missing: ${result.missingPermissions.join(', ')})`, 'PermissionGuard');
+                this.logger.warn(`Permission denied (userId: ${user.id})`, 'PermissionGuard');
                 throw new InsufficientPermissionsException(result.missingPermissions, result.operator);
             }
         } else {
-            // Simple permission check (backward compatible)
-            let hasRequiredPermissions;
+            let hasRequired;
             if (operator === 'or') {
-                // OR: User must have at least ONE permission
-                hasRequiredPermissions = requiredPermissions.some((permission)=>this.hasPermission(userPermissions, permission));
-                if (!hasRequiredPermissions) {
-                    throw new InsufficientPermissionsException(requiredPermissions, 'or');
-                }
+                hasRequired = requiredPermissions.some((p)=>this.hasPermission(userPermissions, p));
+                if (!hasRequired) throw new InsufficientPermissionsException(requiredPermissions, 'or');
             } else {
-                // AND (default): User must have ALL permissions
-                hasRequiredPermissions = requiredPermissions.every((permission)=>this.hasPermission(userPermissions, permission));
-                if (!hasRequiredPermissions) {
-                    const missing = requiredPermissions.filter((permission)=>!this.hasPermission(userPermissions, permission));
+                hasRequired = requiredPermissions.every((p)=>this.hasPermission(userPermissions, p));
+                if (!hasRequired) {
+                    const missing = requiredPermissions.filter((p)=>!this.hasPermission(userPermissions, p));
                     throw new InsufficientPermissionsException(missing, 'and');
                 }
             }
         }
         return true;
     }
-    /**
-   * Normalize permission config to handle both old and new formats
-   */ normalizePermissionConfig(config) {
-        // Old format: string[]
-        if (Array.isArray(config)) {
-            return {
-                permissions: config,
-                operator: 'and'
-            };
-        }
-        // New format: PermissionConfig
+    normalizePermissionConfig(config) {
+        if (Array.isArray(config)) return {
+            permissions: config,
+            operator: 'and'
+        };
         return {
             permissions: config.permissions || [],
             operator: config.operator || 'and'
         };
     }
-    /**
-   * Check if config is a nested condition (has children)
-   */ isNestedCondition(config) {
+    isNestedCondition(config) {
         if (Array.isArray(config)) return false;
         return 'children' in config && Array.isArray(config.children) && config.children.length > 0;
     }
-    /**
-   * Evaluate a nested permission condition recursively
-   */ evaluateCondition(condition, userPermissions) {
+    evaluateCondition(condition, userPermissions) {
         const { permissions = [], operator, children = [] } = condition;
-        // Results for this level
+        // SECURITY: Fail-closed - deny access when no permissions configured (empty condition)
+        if (permissions.length === 0 && children.length === 0) {
+            return {
+                passed: false,
+                message: 'No permissions configured - access denied by default',
+                missingPermissions: [],
+                operator
+            };
+        }
         const results = [];
         const failureDetails = [];
         const missingPermissions = [];
-        // Check permissions at this level
         if (permissions.length > 0) {
             if (operator === 'or') {
                 const hasAny = permissions.some((p)=>this.hasPermission(userPermissions, p));
@@ -153,7 +126,6 @@ export class PermissionGuard {
                 }
             }
         }
-        // Evaluate children recursively
         for (const child of children){
             const childResult = this.evaluateCondition(child, userPermissions);
             results.push(childResult.passed);
@@ -162,14 +134,9 @@ export class PermissionGuard {
                 missingPermissions.push(...childResult.missingPermissions);
             }
         }
-        // Combine results based on operator
-        let passed;
-        if (operator === 'or') {
-            passed = results.length === 0 || results.some((r)=>r);
-        } else {
-            passed = results.length === 0 || results.every((r)=>r);
-        }
-        const message = passed ? 'Permission granted' : `Permission denied: ${failureDetails.join(` ${operator.toUpperCase()} `)}`;
+        // Evaluate based on operator - empty results already handled above
+        const passed = operator === 'or' ? results.some((r)=>r) : results.every((r)=>r);
+        const message = passed ? 'OK' : `Denied: ${failureDetails.join(` ${operator.toUpperCase()} `)}`;
         return {
             passed,
             message,
@@ -177,48 +144,28 @@ export class PermissionGuard {
             operator
         };
     }
-    /**
-   * Get user's permissions from cache
-   */ async getUserPermissions(user) {
-        if (!this.cache) {
-            throw new PermissionSystemUnavailableException();
-        }
+    async getUserPermissions(user) {
+        if (!this.cache) throw new PermissionSystemUnavailableException();
         let cacheKey;
         if (this.config.enableCompanyFeature && user.companyId) {
-            // Company-based permissions (includes branchId for branch-scoped DIRECT permissions)
             const format = this.config.companyPermissionKeyFormat || `${PERMISSIONS_CACHE_PREFIX}:company:{companyId}:branch:{branchId}:user:{userId}`;
             cacheKey = format.replace('{userId}', user.id).replace('{companyId}', user.companyId).replace('{branchId}', user.branchId || 'null');
         } else {
-            // User-based permissions
             const format = this.config.userPermissionKeyFormat || `${PERMISSIONS_CACHE_PREFIX}:user:{userId}`;
             cacheKey = format.replace('{userId}', user.id);
         }
-        const permissions = await this.cache.get(cacheKey);
-        return permissions || [];
+        return await this.cache.get(cacheKey) || [];
     }
-    /**
-   * Check if user has a specific permission
-   * Supports wildcard matching (e.g., 'admin.*' matches 'admin.users.read')
-   */ hasPermission(userPermissions, requiredPermission) {
-        // Direct match
-        if (userPermissions.includes(requiredPermission)) {
-            return true;
-        }
-        // Wildcard match (e.g., '*' or 'admin.*')
+    hasPermission(userPermissions, requiredPermission) {
+        if (userPermissions.includes(requiredPermission)) return true;
         for (const permission of userPermissions){
-            if (permission === '*') {
-                return true; // Super admin
-            }
-            if (permission.endsWith('.*')) {
-                const prefix = permission.slice(0, -1); // Remove '*'
-                if (requiredPermission.startsWith(prefix)) {
-                    return true;
-                }
+            if (permission === '*') return true;
+            if (permission.endsWith('.*') && requiredPermission.startsWith(permission.slice(0, -1))) {
+                return true;
             }
         }
         return false;
     }
-    // NOTE: @Inject(Reflector) required for bundled code - external classes need explicit injection
     constructor(reflector, cache, config, logger){
         _define_property(this, "reflector", void 0);
         _define_property(this, "cache", void 0);
@@ -228,12 +175,10 @@ export class PermissionGuard {
         this.cache = cache;
         this.config = {
             enableCompanyFeature: false,
-            cacheKeyPrefix: PERMISSIONS_CACHE_PREFIX,
             userPermissionKeyFormat: `${PERMISSIONS_CACHE_PREFIX}:user:{userId}`,
             companyPermissionKeyFormat: `${PERMISSIONS_CACHE_PREFIX}:company:{companyId}:branch:{branchId}:user:{userId}`,
             ...config
         };
-        // Use provided logger or fallback to NestJS Logger wrapped in adapter
         this.logger = logger || new NestLoggerAdapter(new Logger(PermissionGuard.name));
     }
 }