@ftisindia/create-app 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (151) hide show
  1. package/LICENSE +144 -0
  2. package/bin/index.mjs +2 -0
  3. package/package.json +36 -0
  4. package/src/copy.mjs +45 -0
  5. package/src/log.mjs +23 -0
  6. package/src/main.mjs +221 -0
  7. package/src/run.mjs +52 -0
  8. package/src/substitute.mjs +40 -0
  9. package/template/.env.example +36 -0
  10. package/template/.github/workflows/ci.yml +36 -0
  11. package/template/.husky/pre-commit +1 -0
  12. package/template/README.md +146 -0
  13. package/template/_editorconfig +8 -0
  14. package/template/_gitignore +7 -0
  15. package/template/_nvmrc +1 -0
  16. package/template/_package.json +107 -0
  17. package/template/_prettierignore +5 -0
  18. package/template/_prettierrc +6 -0
  19. package/template/docs/API_REFERENCE.md +123 -0
  20. package/template/docs/GETTING_STARTED.md +65 -0
  21. package/template/docs/MODULE_COMPLETION_CHECKLIST.md +40 -0
  22. package/template/docs/OAUTH.md +46 -0
  23. package/template/docs/SAMPLE_MODULE.md +23 -0
  24. package/template/docs/api.http +269 -0
  25. package/template/eslint.config.mjs +51 -0
  26. package/template/nest-cli.json +8 -0
  27. package/template/prisma/migrations/20260530000000_init/migration.sql +248 -0
  28. package/template/prisma/schema.prisma +299 -0
  29. package/template/prisma/seed.ts +44 -0
  30. package/template/scripts/db-create.mjs +126 -0
  31. package/template/scripts/gen-module.mjs +217 -0
  32. package/template/scripts/seed-test-user-org.ts +264 -0
  33. package/template/scripts/setup-local.mjs +224 -0
  34. package/template/scripts/test-db.mjs +69 -0
  35. package/template/src/app.module.ts +58 -0
  36. package/template/src/common/decorators/.gitkeep +1 -0
  37. package/template/src/common/dto/error-response.dto.ts +17 -0
  38. package/template/src/common/dto/membership-response.dto.ts +51 -0
  39. package/template/src/common/dto/mutation-response.dto.ts +11 -0
  40. package/template/src/common/dto/role-summary.dto.ts +18 -0
  41. package/template/src/common/dto/user-summary.dto.ts +23 -0
  42. package/template/src/common/enums/.gitkeep +1 -0
  43. package/template/src/common/filters/.gitkeep +1 -0
  44. package/template/src/common/filters/http-exception.filter.ts +78 -0
  45. package/template/src/common/guards/.gitkeep +1 -0
  46. package/template/src/common/interceptors/.gitkeep +1 -0
  47. package/template/src/common/pipes/.gitkeep +1 -0
  48. package/template/src/common/swagger/api-error-responses.ts +54 -0
  49. package/template/src/common/types/.gitkeep +1 -0
  50. package/template/src/config/app.config.ts +7 -0
  51. package/template/src/config/auth.config.ts +33 -0
  52. package/template/src/config/database.config.ts +6 -0
  53. package/template/src/config/env.validation.ts +131 -0
  54. package/template/src/config/index.ts +5 -0
  55. package/template/src/config/rbac.config.ts +6 -0
  56. package/template/src/database/prisma/prisma-transaction.ts +22 -0
  57. package/template/src/database/prisma/prisma.module.ts +9 -0
  58. package/template/src/database/prisma/prisma.service.ts +16 -0
  59. package/template/src/main.ts +42 -0
  60. package/template/src/modules/access-control/access-control.module.ts +24 -0
  61. package/template/src/modules/access-control/application/route-registry.validator.ts +289 -0
  62. package/template/src/modules/access-control/application/services/ability.factory.ts +28 -0
  63. package/template/src/modules/access-control/application/services/access-control.service.ts +478 -0
  64. package/template/src/modules/access-control/application/services/permission.guard.ts +77 -0
  65. package/template/src/modules/access-control/application/services/rbac-cache.service.ts +148 -0
  66. package/template/src/modules/access-control/dto/access-control-response.dto.ts +79 -0
  67. package/template/src/modules/access-control/dto/create-role.dto.ts +18 -0
  68. package/template/src/modules/access-control/dto/update-role-permissions.dto.ts +23 -0
  69. package/template/src/modules/access-control/dto/update-role.dto.ts +19 -0
  70. package/template/src/modules/access-control/presentation/access-control.controller.ts +157 -0
  71. package/template/src/modules/access-control/presentation/permissions.decorator.ts +8 -0
  72. package/template/src/modules/access-control/presentation/public.decorator.ts +7 -0
  73. package/template/src/modules/access-control/types/permission-key.ts +37 -0
  74. package/template/src/modules/access-control/types/rbac-context.ts +11 -0
  75. package/template/src/modules/access-control/types/route-permission-registry.ts +129 -0
  76. package/template/src/modules/audit/application/services/audit.service.ts +97 -0
  77. package/template/src/modules/audit/audit.module.ts +13 -0
  78. package/template/src/modules/audit/dto/audit-response.dto.ts +75 -0
  79. package/template/src/modules/audit/dto/list-audit-logs-query.dto.ts +75 -0
  80. package/template/src/modules/audit/presentation/audit.controller.ts +37 -0
  81. package/template/src/modules/auth/application/services/auth.service.ts +509 -0
  82. package/template/src/modules/auth/application/services/password.service.ts +15 -0
  83. package/template/src/modules/auth/application/services/token.service.ts +95 -0
  84. package/template/src/modules/auth/auth.module.ts +73 -0
  85. package/template/src/modules/auth/dto/auth-response.dto.ts +29 -0
  86. package/template/src/modules/auth/dto/login.dto.ts +15 -0
  87. package/template/src/modules/auth/dto/logout.dto.ts +3 -0
  88. package/template/src/modules/auth/dto/oauth-exchange.dto.ts +15 -0
  89. package/template/src/modules/auth/dto/refresh-token.dto.ts +14 -0
  90. package/template/src/modules/auth/dto/signup.dto.ts +27 -0
  91. package/template/src/modules/auth/infrastructure/passport/google-auth.guard.ts +27 -0
  92. package/template/src/modules/auth/infrastructure/passport/google.strategy.ts +56 -0
  93. package/template/src/modules/auth/infrastructure/passport/jwt-auth.guard.ts +5 -0
  94. package/template/src/modules/auth/infrastructure/passport/jwt.strategy.ts +43 -0
  95. package/template/src/modules/auth/presentation/auth.controller.ts +148 -0
  96. package/template/src/modules/auth/presentation/current-user.decorator.ts +11 -0
  97. package/template/src/modules/auth/presentation/google-oauth-exception.filter.ts +33 -0
  98. package/template/src/modules/auth/types/authenticated-user.ts +7 -0
  99. package/template/src/modules/auth/types/google-auth-profile.ts +6 -0
  100. package/template/src/modules/auth/types/jwt-payload.ts +5 -0
  101. package/template/src/modules/health/dto/health-response.dto.ts +9 -0
  102. package/template/src/modules/health/health.module.ts +7 -0
  103. package/template/src/modules/health/presentation/health.controller.ts +33 -0
  104. package/template/src/modules/invitations/application/services/invitations.service.ts +967 -0
  105. package/template/src/modules/invitations/dto/accept-invitation.dto.ts +24 -0
  106. package/template/src/modules/invitations/dto/create-invitation.dto.ts +100 -0
  107. package/template/src/modules/invitations/dto/invitation-response.dto.ts +108 -0
  108. package/template/src/modules/invitations/dto/invitation-token.dto.ts +15 -0
  109. package/template/src/modules/invitations/invitations.module.ts +12 -0
  110. package/template/src/modules/invitations/presentation/invitations.controller.ts +149 -0
  111. package/template/src/modules/memberships/application/services/memberships.service.ts +455 -0
  112. package/template/src/modules/memberships/dto/transfer-owner.dto.ts +11 -0
  113. package/template/src/modules/memberships/dto/update-billing-contact.dto.ts +8 -0
  114. package/template/src/modules/memberships/dto/update-membership-owner.dto.ts +8 -0
  115. package/template/src/modules/memberships/dto/update-membership-role.dto.ts +11 -0
  116. package/template/src/modules/memberships/dto/update-membership-status.dto.ts +9 -0
  117. package/template/src/modules/memberships/memberships.module.ts +12 -0
  118. package/template/src/modules/memberships/presentation/memberships.controller.ts +193 -0
  119. package/template/src/modules/organisations/application/services/organisations.service.ts +147 -0
  120. package/template/src/modules/organisations/dto/create-organisation.dto.ts +32 -0
  121. package/template/src/modules/organisations/dto/organisation-response.dto.ts +62 -0
  122. package/template/src/modules/organisations/infrastructure/repositories/organisations.repository.ts +24 -0
  123. package/template/src/modules/organisations/organisations.module.ts +12 -0
  124. package/template/src/modules/organisations/presentation/organisations.controller.ts +37 -0
  125. package/template/src/modules/organisations/types/default-organisation-data.ts +18 -0
  126. package/template/src/modules/platform-admin/.gitkeep +1 -0
  127. package/template/src/modules/request-context/application/services/request-context.service.ts +79 -0
  128. package/template/src/modules/request-context/presentation/org-scope.guard.ts +26 -0
  129. package/template/src/modules/request-context/presentation/request-context.interceptor.ts +26 -0
  130. package/template/src/modules/request-context/presentation/request-context.middleware.ts +31 -0
  131. package/template/src/modules/request-context/request-context.module.ts +25 -0
  132. package/template/src/modules/request-context/types/request-context.ts +29 -0
  133. package/template/src/modules/sample/application/services/sample.service.ts +67 -0
  134. package/template/src/modules/sample/dto/sample-echo.dto.ts +10 -0
  135. package/template/src/modules/sample/dto/sample-response.dto.ts +41 -0
  136. package/template/src/modules/sample/presentation/sample.controller.ts +63 -0
  137. package/template/src/modules/sample/sample.module.ts +11 -0
  138. package/template/src/modules/settings/application/services/settings.service.ts +139 -0
  139. package/template/src/modules/settings/dto/setting-response.dto.ts +27 -0
  140. package/template/src/modules/settings/dto/update-setting.dto.ts +16 -0
  141. package/template/src/modules/settings/presentation/settings.controller.ts +66 -0
  142. package/template/src/modules/settings/settings.module.ts +12 -0
  143. package/template/src/modules/settings/types/setting-definitions.ts +104 -0
  144. package/template/src/modules/users/.gitkeep +1 -0
  145. package/template/test/.gitkeep +1 -0
  146. package/template/test/jest-e2e.json +9 -0
  147. package/template/test/permission.guard.spec.ts +22 -0
  148. package/template/test/route-registry.validator.spec.ts +90 -0
  149. package/template/test/security.e2e-spec.ts +102 -0
  150. package/template/tsconfig.build.json +4 -0
  151. package/template/tsconfig.json +18 -0
@@ -0,0 +1,79 @@
1
+ import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
2
+
3
+ export class PermissionResponseDto {
4
+ @ApiProperty({
5
+ example: "47bf2e11-6849-49cf-9138-f57c4e7ec0ac",
6
+ format: "uuid",
7
+ })
8
+ id!: string;
9
+
10
+ @ApiProperty({ example: "memberships.read" })
11
+ key!: string;
12
+
13
+ @ApiProperty({ example: "memberships" })
14
+ module!: string;
15
+
16
+ @ApiProperty({ example: "read" })
17
+ action!: string;
18
+
19
+ @ApiProperty({ example: "Membership" })
20
+ subject!: string;
21
+
22
+ @ApiPropertyOptional({
23
+ example: "Read organisation memberships.",
24
+ nullable: true,
25
+ })
26
+ description?: string | null;
27
+
28
+ @ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
29
+ createdAt!: string;
30
+ }
31
+
32
+ export class RoutePermissionResponseDto {
33
+ @ApiProperty({ example: "GET" })
34
+ method!: string;
35
+
36
+ @ApiProperty({ example: "/organisations/:orgId/memberships" })
37
+ path!: string;
38
+
39
+ @ApiProperty({ example: ["memberships.read"], type: [String] })
40
+ permissions!: string[];
41
+ }
42
+
43
+ export class RoleResponseDto {
44
+ @ApiProperty({
45
+ example: "f602c057-04f4-4ef8-8c84-1b7c62fbf8c5",
46
+ format: "uuid",
47
+ })
48
+ id!: string;
49
+
50
+ @ApiProperty({
51
+ example: "2c67399d-670c-4025-a5fd-1ea9a211891e",
52
+ format: "uuid",
53
+ })
54
+ orgId!: string;
55
+
56
+ @ApiProperty({ example: "Support" })
57
+ name!: string;
58
+
59
+ @ApiPropertyOptional({
60
+ example: "Can review support-facing records.",
61
+ nullable: true,
62
+ })
63
+ description?: string | null;
64
+
65
+ @ApiProperty({ example: false })
66
+ isSystemSeeded!: boolean;
67
+
68
+ @ApiProperty({ example: 3 })
69
+ membershipCount!: number;
70
+
71
+ @ApiProperty({ type: [PermissionResponseDto] })
72
+ permissions!: PermissionResponseDto[];
73
+
74
+ @ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
75
+ createdAt!: string;
76
+
77
+ @ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
78
+ updatedAt!: string;
79
+ }
@@ -0,0 +1,18 @@
1
+ import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
2
+ import { Transform } from "class-transformer";
3
+ import { IsOptional, IsString, MaxLength, MinLength } from "class-validator";
4
+
5
+ export class CreateRoleDto {
6
+ @ApiProperty({ example: "Support" })
7
+ @Transform(({ value }) => (typeof value === "string" ? value.trim() : value))
8
+ @IsString()
9
+ @MinLength(2)
10
+ @MaxLength(80)
11
+ name!: string;
12
+
13
+ @ApiPropertyOptional({ example: "Can review support-facing records." })
14
+ @IsOptional()
15
+ @IsString()
16
+ @MaxLength(240)
17
+ description?: string;
18
+ }
@@ -0,0 +1,23 @@
1
+ import { ApiProperty } from "@nestjs/swagger";
2
+ import {
3
+ ArrayMaxSize,
4
+ ArrayUnique,
5
+ IsArray,
6
+ IsString,
7
+ Matches,
8
+ MaxLength,
9
+ } from "class-validator";
10
+
11
+ export class UpdateRolePermissionsDto {
12
+ @ApiProperty({
13
+ example: ["memberships.read", "settings.read"],
14
+ isArray: true,
15
+ })
16
+ @IsArray()
17
+ @ArrayUnique()
18
+ @ArrayMaxSize(100)
19
+ @IsString({ each: true })
20
+ @MaxLength(120, { each: true })
21
+ @Matches(/^[a-z][a-z0-9_-]*\.[a-z][a-z0-9_-]*$/, { each: true })
22
+ permissionKeys!: string[];
23
+ }
@@ -0,0 +1,19 @@
1
+ import { ApiPropertyOptional } from "@nestjs/swagger";
2
+ import { Transform } from "class-transformer";
3
+ import { IsOptional, IsString, MaxLength, MinLength } from "class-validator";
4
+
5
+ export class UpdateRoleDto {
6
+ @ApiPropertyOptional({ example: "Support Lead" })
7
+ @IsOptional()
8
+ @Transform(({ value }) => (typeof value === "string" ? value.trim() : value))
9
+ @IsString()
10
+ @MinLength(2)
11
+ @MaxLength(80)
12
+ name?: string;
13
+
14
+ @ApiPropertyOptional({ example: "Can manage support-facing records." })
15
+ @IsOptional()
16
+ @IsString()
17
+ @MaxLength(240)
18
+ description?: string;
19
+ }
@@ -0,0 +1,157 @@
1
+ import {
2
+ Body,
3
+ Controller,
4
+ Delete,
5
+ Get,
6
+ Param,
7
+ Patch,
8
+ Post,
9
+ Put,
10
+ UseGuards,
11
+ } from "@nestjs/common";
12
+ import {
13
+ ApiBearerAuth,
14
+ ApiCreatedResponse,
15
+ ApiOkResponse,
16
+ ApiOperation,
17
+ ApiParam,
18
+ ApiTags,
19
+ } from "@nestjs/swagger";
20
+ import { DeletedResponseDto } from "../../../common/dto/mutation-response.dto";
21
+ import { ApiProtectedErrorResponses } from "../../../common/swagger/api-error-responses";
22
+ import { JwtAuthGuard } from "../../auth/infrastructure/passport/jwt-auth.guard";
23
+ import { CurrentUser } from "../../auth/presentation/current-user.decorator";
24
+ import { AuthenticatedUser } from "../../auth/types/authenticated-user";
25
+ import { OrgScopeGuard } from "../../request-context/presentation/org-scope.guard";
26
+ import { AccessControlService } from "../application/services/access-control.service";
27
+ import { PermissionGuard } from "../application/services/permission.guard";
28
+ import {
29
+ PermissionResponseDto,
30
+ RoleResponseDto,
31
+ RoutePermissionResponseDto,
32
+ } from "../dto/access-control-response.dto";
33
+ import { CreateRoleDto } from "../dto/create-role.dto";
34
+ import { UpdateRolePermissionsDto } from "../dto/update-role-permissions.dto";
35
+ import { UpdateRoleDto } from "../dto/update-role.dto";
36
+ import { RequirePermissions } from "./permissions.decorator";
37
+
38
+ @ApiTags("Access control")
39
+ @ApiBearerAuth()
40
+ @ApiParam({ name: "orgId", description: "Organisation ID.", format: "uuid" })
41
+ @ApiProtectedErrorResponses(404, 409)
42
+ @Controller("organisations/:orgId/access-control")
43
+ @UseGuards(JwtAuthGuard, OrgScopeGuard, PermissionGuard)
44
+ export class AccessControlController {
45
+ constructor(private readonly accessControlService: AccessControlService) {}
46
+
47
+ @Get("permissions")
48
+ @RequirePermissions("roles.read")
49
+ @ApiOperation({ summary: "List the seeded permission catalogue." })
50
+ @ApiOkResponse({
51
+ description: "Available permissions.",
52
+ type: [PermissionResponseDto],
53
+ })
54
+ listPermissions() {
55
+ return this.accessControlService.listPermissions();
56
+ }
57
+
58
+ @Get("route-permissions")
59
+ @RequirePermissions("roles.read")
60
+ @ApiOperation({
61
+ summary: "List permission requirements for protected routes.",
62
+ })
63
+ @ApiOkResponse({
64
+ description: "Protected route permission registry.",
65
+ type: [RoutePermissionResponseDto],
66
+ })
67
+ listRoutePermissions() {
68
+ return this.accessControlService.listRoutePermissions();
69
+ }
70
+
71
+ @Get("roles")
72
+ @RequirePermissions("roles.read")
73
+ @ApiOperation({ summary: "List organisation roles." })
74
+ @ApiOkResponse({
75
+ description: "Organisation roles.",
76
+ type: [RoleResponseDto],
77
+ })
78
+ listRoles(@Param("orgId") orgId: string) {
79
+ return this.accessControlService.listRoles(orgId);
80
+ }
81
+
82
+ @Post("roles")
83
+ @RequirePermissions("roles.manage")
84
+ @ApiOperation({ summary: "Create an organisation role." })
85
+ @ApiCreatedResponse({ description: "Role created.", type: RoleResponseDto })
86
+ createRole(
87
+ @CurrentUser() user: AuthenticatedUser,
88
+ @Param("orgId") orgId: string,
89
+ @Body() dto: CreateRoleDto,
90
+ ) {
91
+ return this.accessControlService.createRole(user, orgId, dto);
92
+ }
93
+
94
+ @Patch("roles/:roleId")
95
+ @RequirePermissions("roles.manage")
96
+ @ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
97
+ @ApiOperation({ summary: "Update role name or description." })
98
+ @ApiOkResponse({ description: "Role updated.", type: RoleResponseDto })
99
+ updateRole(
100
+ @CurrentUser() user: AuthenticatedUser,
101
+ @Param("orgId") orgId: string,
102
+ @Param("roleId") roleId: string,
103
+ @Body() dto: UpdateRoleDto,
104
+ ) {
105
+ return this.accessControlService.updateRole(user, orgId, roleId, dto);
106
+ }
107
+
108
+ @Delete("roles/:roleId")
109
+ @RequirePermissions("roles.manage")
110
+ @ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
111
+ @ApiOperation({ summary: "Delete an unused non-system role." })
112
+ @ApiOkResponse({ description: "Role deleted.", type: DeletedResponseDto })
113
+ deleteRole(
114
+ @CurrentUser() user: AuthenticatedUser,
115
+ @Param("orgId") orgId: string,
116
+ @Param("roleId") roleId: string,
117
+ ) {
118
+ return this.accessControlService.deleteRole(user, orgId, roleId);
119
+ }
120
+
121
+ @Get("roles/:roleId/permissions")
122
+ @RequirePermissions("roles.read")
123
+ @ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
124
+ @ApiOperation({ summary: "Return role permissions." })
125
+ @ApiOkResponse({
126
+ description: "Role with assigned permissions.",
127
+ type: RoleResponseDto,
128
+ })
129
+ listRolePermissions(
130
+ @Param("orgId") orgId: string,
131
+ @Param("roleId") roleId: string,
132
+ ) {
133
+ return this.accessControlService.listRolePermissions(orgId, roleId);
134
+ }
135
+
136
+ @Put("roles/:roleId/permissions")
137
+ @RequirePermissions("permissions.assign")
138
+ @ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
139
+ @ApiOperation({ summary: "Replace all permissions assigned to a role." })
140
+ @ApiOkResponse({
141
+ description: "Role with replacement permissions.",
142
+ type: RoleResponseDto,
143
+ })
144
+ replaceRolePermissions(
145
+ @CurrentUser() user: AuthenticatedUser,
146
+ @Param("orgId") orgId: string,
147
+ @Param("roleId") roleId: string,
148
+ @Body() dto: UpdateRolePermissionsDto,
149
+ ) {
150
+ return this.accessControlService.replaceRolePermissions(
151
+ user,
152
+ orgId,
153
+ roleId,
154
+ dto,
155
+ );
156
+ }
157
+ }
@@ -0,0 +1,8 @@
1
+ import { SetMetadata } from "@nestjs/common";
2
+ import { PermissionKey } from "../types/permission-key";
3
+
4
+ export const REQUIRED_PERMISSIONS_KEY = "requiredPermissions";
5
+
6
+ export function RequirePermissions(...permissions: PermissionKey[]) {
7
+ return SetMetadata(REQUIRED_PERMISSIONS_KEY, permissions);
8
+ }
@@ -0,0 +1,7 @@
1
+ import { SetMetadata } from "@nestjs/common";
2
+
3
+ export const IS_PUBLIC_KEY = "isPublic";
4
+
5
+ export function Public() {
6
+ return SetMetadata(IS_PUBLIC_KEY, true);
7
+ }
@@ -0,0 +1,37 @@
1
+ export const permissionKeys = [
2
+ "users.read",
3
+ "users.create",
4
+ "users.update",
5
+ "users.suspend",
6
+ "organisations.read",
7
+ "organisations.update",
8
+ "memberships.read",
9
+ "memberships.invite",
10
+ "memberships.revoke",
11
+ "roles.read",
12
+ "roles.manage",
13
+ "permissions.assign",
14
+ "billing.read",
15
+ "billing.manage",
16
+ "settings.read",
17
+ "settings.update",
18
+ "audit.read",
19
+ "platform.admin",
20
+ ] as const;
21
+
22
+ export type PermissionKey = (typeof permissionKeys)[number];
23
+
24
+ export type RoutePermissionEntry = {
25
+ method: string;
26
+ path: string;
27
+ permissions: PermissionKey[];
28
+ };
29
+
30
+ export function permissionKeyToRule(key: string) {
31
+ const [subject, action] = key.split(".", 2);
32
+ if (!subject || !action) {
33
+ throw new Error(`Invalid permission key: ${key}`);
34
+ }
35
+
36
+ return { action, subject };
37
+ }
@@ -0,0 +1,11 @@
1
+ export type RbacContext = {
2
+ cacheKey: string;
3
+ userId: string;
4
+ orgId: string;
5
+ membershipId: string;
6
+ membershipStatus: string;
7
+ roleId: string;
8
+ isOwner: boolean;
9
+ isBillingContact: boolean;
10
+ permissionKeys: string[];
11
+ };
@@ -0,0 +1,129 @@
1
+ import { RoutePermissionEntry } from "./permission-key";
2
+
3
+ export const routePermissionRegistry: RoutePermissionEntry[] = [
4
+ {
5
+ method: "GET",
6
+ path: "/organisations/:orgId/memberships/me",
7
+ permissions: ["memberships.read"],
8
+ },
9
+ {
10
+ method: "GET",
11
+ path: "/organisations/:orgId/memberships",
12
+ permissions: ["memberships.read"],
13
+ },
14
+ {
15
+ method: "PATCH",
16
+ path: "/organisations/:orgId/memberships/:membershipId/status",
17
+ permissions: ["memberships.revoke"],
18
+ },
19
+ {
20
+ method: "PATCH",
21
+ path: "/organisations/:orgId/memberships/:membershipId/role",
22
+ permissions: ["roles.manage"],
23
+ },
24
+ {
25
+ method: "PATCH",
26
+ path: "/organisations/:orgId/memberships/:membershipId/owner",
27
+ permissions: ["roles.manage"],
28
+ },
29
+ {
30
+ method: "PATCH",
31
+ path: "/organisations/:orgId/memberships/:membershipId/billing-contact",
32
+ permissions: ["billing.manage"],
33
+ },
34
+ {
35
+ method: "POST",
36
+ path: "/organisations/:orgId/memberships/transfer-owner",
37
+ permissions: ["roles.manage"],
38
+ },
39
+ {
40
+ method: "POST",
41
+ path: "/organisations/:orgId/invitations",
42
+ permissions: ["memberships.invite"],
43
+ },
44
+ {
45
+ method: "GET",
46
+ path: "/organisations/:orgId/invitations",
47
+ permissions: ["memberships.read"],
48
+ },
49
+ {
50
+ method: "POST",
51
+ path: "/organisations/:orgId/invitations/:invitationId/revoke",
52
+ permissions: ["memberships.revoke"],
53
+ },
54
+ {
55
+ method: "POST",
56
+ path: "/organisations/:orgId/invitations/:invitationId/resend",
57
+ permissions: ["memberships.invite"],
58
+ },
59
+ {
60
+ method: "GET",
61
+ path: "/organisations/:orgId/access-control/permissions",
62
+ permissions: ["roles.read"],
63
+ },
64
+ {
65
+ method: "GET",
66
+ path: "/organisations/:orgId/access-control/roles",
67
+ permissions: ["roles.read"],
68
+ },
69
+ {
70
+ method: "POST",
71
+ path: "/organisations/:orgId/access-control/roles",
72
+ permissions: ["roles.manage"],
73
+ },
74
+ {
75
+ method: "PATCH",
76
+ path: "/organisations/:orgId/access-control/roles/:roleId",
77
+ permissions: ["roles.manage"],
78
+ },
79
+ {
80
+ method: "DELETE",
81
+ path: "/organisations/:orgId/access-control/roles/:roleId",
82
+ permissions: ["roles.manage"],
83
+ },
84
+ {
85
+ method: "GET",
86
+ path: "/organisations/:orgId/access-control/roles/:roleId/permissions",
87
+ permissions: ["roles.read"],
88
+ },
89
+ {
90
+ method: "PUT",
91
+ path: "/organisations/:orgId/access-control/roles/:roleId/permissions",
92
+ permissions: ["permissions.assign"],
93
+ },
94
+ {
95
+ method: "GET",
96
+ path: "/organisations/:orgId/access-control/route-permissions",
97
+ permissions: ["roles.read"],
98
+ },
99
+ {
100
+ method: "GET",
101
+ path: "/organisations/:orgId/audit",
102
+ permissions: ["audit.read"],
103
+ },
104
+ {
105
+ method: "GET",
106
+ path: "/organisations/:orgId/settings",
107
+ permissions: ["settings.read"],
108
+ },
109
+ {
110
+ method: "GET",
111
+ path: "/organisations/:orgId/settings/:key",
112
+ permissions: ["settings.read"],
113
+ },
114
+ {
115
+ method: "PATCH",
116
+ path: "/organisations/:orgId/settings",
117
+ permissions: ["settings.update"],
118
+ },
119
+ {
120
+ method: "GET",
121
+ path: "/organisations/:orgId/sample/status",
122
+ permissions: ["organisations.read"],
123
+ },
124
+ {
125
+ method: "POST",
126
+ path: "/organisations/:orgId/sample/echo",
127
+ permissions: ["organisations.update"],
128
+ },
129
+ ];
@@ -0,0 +1,97 @@
1
+ import { BadRequestException, Injectable } from "@nestjs/common";
2
+ import { Prisma } from "@prisma/client";
3
+ import { PrismaService } from "../../../../database/prisma/prisma.service";
4
+ import { RequestContextService } from "../../../request-context/application/services/request-context.service";
5
+ import { ListAuditLogsQueryDto } from "../../dto/list-audit-logs-query.dto";
6
+
7
+ type PrismaClient = Prisma.TransactionClient | PrismaService;
8
+
9
+ export type AuditWriteInput = {
10
+ orgId?: string | null;
11
+ actorUserId?: string | null;
12
+ action: string;
13
+ targetType: string;
14
+ targetId?: string | null;
15
+ metadata?: Prisma.InputJsonValue;
16
+ };
17
+
18
+ const DEFAULT_LIMIT = 50;
19
+ const MAX_LIMIT = 100;
20
+
21
+ @Injectable()
22
+ export class AuditService {
23
+ constructor(
24
+ private readonly prisma: PrismaService,
25
+ private readonly requestContext: RequestContextService,
26
+ ) {}
27
+
28
+ async write(client: PrismaClient, data: AuditWriteInput) {
29
+ const context = this.requestContext.get();
30
+
31
+ await client.auditLog.create({
32
+ data: {
33
+ orgId: data.orgId ?? null,
34
+ actorUserId: data.actorUserId ?? context?.userId ?? null,
35
+ action: data.action,
36
+ targetType: data.targetType,
37
+ targetId: data.targetId ?? null,
38
+ metadata: data.metadata === undefined ? Prisma.JsonNull : data.metadata,
39
+ ipAddress: context?.ipAddress,
40
+ userAgent: context?.userAgent,
41
+ },
42
+ });
43
+ }
44
+
45
+ async listOrgLogs(orgId: string, query: ListAuditLogsQueryDto) {
46
+ this.requestContext.assertOrgScope(orgId);
47
+
48
+ const limit = Math.min(query.limit ?? DEFAULT_LIMIT, MAX_LIMIT);
49
+ if (query.from && query.to && new Date(query.from) > new Date(query.to)) {
50
+ throw new BadRequestException("from must be before or equal to to.");
51
+ }
52
+
53
+ const createdAt: Prisma.DateTimeFilter =
54
+ query.from || query.to
55
+ ? {
56
+ gte: query.from ? new Date(query.from) : undefined,
57
+ lte: query.to ? new Date(query.to) : undefined,
58
+ }
59
+ : {};
60
+ const where: Prisma.AuditLogWhereInput = {
61
+ orgId,
62
+ action: query.action,
63
+ actorUserId: query.actorUserId,
64
+ targetType: query.targetType,
65
+ targetId: query.targetId,
66
+ ...(query.from || query.to ? { createdAt } : {}),
67
+ };
68
+
69
+ const rows = await this.prisma.auditLog.findMany({
70
+ where,
71
+ include: {
72
+ actorUser: {
73
+ select: {
74
+ id: true,
75
+ displayName: true,
76
+ },
77
+ },
78
+ },
79
+ orderBy: [{ createdAt: "desc" }, { id: "desc" }],
80
+ take: limit + 1,
81
+ ...(query.cursor
82
+ ? {
83
+ cursor: { id: query.cursor },
84
+ skip: 1,
85
+ }
86
+ : {}),
87
+ });
88
+
89
+ const hasMore = rows.length > limit;
90
+ const items = rows.slice(0, limit);
91
+
92
+ return {
93
+ items,
94
+ nextCursor: hasMore ? items[items.length - 1]?.id : null,
95
+ };
96
+ }
97
+ }
@@ -0,0 +1,13 @@
1
+ import { Global, Module } from "@nestjs/common";
2
+ import { AuthModule } from "../auth/auth.module";
3
+ import { AuditService } from "./application/services/audit.service";
4
+ import { AuditController } from "./presentation/audit.controller";
5
+
6
+ @Global()
7
+ @Module({
8
+ imports: [AuthModule],
9
+ controllers: [AuditController],
10
+ providers: [AuditService],
11
+ exports: [AuditService],
12
+ })
13
+ export class AuditModule {}
@@ -0,0 +1,75 @@
1
+ import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
2
+
3
+ class AuditActorResponseDto {
4
+ @ApiProperty({
5
+ example: "4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456",
6
+ format: "uuid",
7
+ })
8
+ id!: string;
9
+
10
+ @ApiPropertyOptional({ example: "Starter Owner", nullable: true })
11
+ displayName?: string | null;
12
+ }
13
+
14
+ export class AuditLogResponseDto {
15
+ @ApiProperty({
16
+ example: "df6537c4-f58b-452e-a67e-18ec528d0f0f",
17
+ format: "uuid",
18
+ })
19
+ id!: string;
20
+
21
+ @ApiPropertyOptional({
22
+ example: "2c67399d-670c-4025-a5fd-1ea9a211891e",
23
+ format: "uuid",
24
+ nullable: true,
25
+ })
26
+ orgId?: string | null;
27
+
28
+ @ApiPropertyOptional({
29
+ example: "4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456",
30
+ format: "uuid",
31
+ nullable: true,
32
+ })
33
+ actorUserId?: string | null;
34
+
35
+ @ApiProperty({ example: "membership.status.update" })
36
+ action!: string;
37
+
38
+ @ApiProperty({ example: "Membership" })
39
+ targetType!: string;
40
+
41
+ @ApiPropertyOptional({
42
+ example: "0a57fb4a-95c6-4f7e-bd5a-f96dbe0599e3",
43
+ nullable: true,
44
+ })
45
+ targetId?: string | null;
46
+
47
+ @ApiPropertyOptional({
48
+ example: { previousStatus: "ACTIVE", nextStatus: "SUSPENDED" },
49
+ nullable: true,
50
+ })
51
+ metadata?: Record<string, unknown> | null;
52
+
53
+ @ApiPropertyOptional({ example: "127.0.0.1", nullable: true })
54
+ ipAddress?: string | null;
55
+
56
+ @ApiPropertyOptional({ example: "Mozilla/5.0", nullable: true })
57
+ userAgent?: string | null;
58
+
59
+ @ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
60
+ createdAt!: string;
61
+
62
+ @ApiPropertyOptional({ type: AuditActorResponseDto, nullable: true })
63
+ actorUser?: AuditActorResponseDto | null;
64
+ }
65
+
66
+ export class AuditLogListResponseDto {
67
+ @ApiProperty({ type: [AuditLogResponseDto] })
68
+ items!: AuditLogResponseDto[];
69
+
70
+ @ApiPropertyOptional({
71
+ example: "df6537c4-f58b-452e-a67e-18ec528d0f0f",
72
+ nullable: true,
73
+ })
74
+ nextCursor?: string | null;
75
+ }