@lenne.tech/nest-server 11.17.0 → 11.19.0

package/src/core/common/services/module.service.ts

@@ -5,10 +5,13 @@ import { ProcessType } from '../enums/process-type.enum';
 import { getStringIds, popAndMap } from '../helpers/db.helper';
 import { check } from '../helpers/input.helper';
 import { prepareInput, prepareOutput } from '../helpers/service.helper';
+import { getTranslatablePropertyKeys, updateLanguage } from '../decorators/translatable.decorator';
 import { ServiceOptions } from '../interfaces/service-options.interface';
 import { CoreModel } from '../models/core-model.model';
 import { FieldSelection } from '../types/field-selection.type';
 import { ConfigService } from './config.service';
+import { ModelRegistry } from './model-registry.service';
+import { RequestContext } from './request-context.service';
 
 /**
  * Module service class to be extended by concrete module services
@@ -40,6 +43,11 @@ export abstract class ModuleService<T extends CoreModel = any> {
     this.configService = options?.configService;
     this.mainDbModel = options?.mainDbModel;
     this.mainModelConstructor = options?.mainModelConstructor;
+
+    // Auto-register model class for ResponseModelInterceptor lookups
+    if (options?.mainModelConstructor && options?.mainDbModel?.modelName) {
+      ModelRegistry.register(options.mainDbModel.modelName, options.mainModelConstructor);
+    }
   }
 
   /**
@@ -191,7 +199,10 @@ export abstract class ModuleService<T extends CoreModel = any> {
     }
 
     // Run service function
-    let result = await serviceFunc(config);
+    // When force is enabled, bypass the Mongoose role guard plugin as well
+    let result = config.force
+      ? await RequestContext.runWithBypassRoleGuard(() => serviceFunc(config))
+      : await serviceFunc(config);
 
     // Pop and map main model
     if (config.processFieldSelection && config.fieldSelection && this.processFieldSelection) {
@@ -242,6 +253,85 @@ export abstract class ModuleService<T extends CoreModel = any> {
     return result;
   }
 
+  /**
+   * Simplified result processing for direct Mongoose queries.
+   * Handles population and output preparation without the full process() pipeline.
+   *
+   * Security (password hashing, role guard, createdBy/updatedBy, type mapping,
+   * field filtering, secret removal, translations) is handled automatically
+   * by the safety net (Mongoose plugins + interceptors).
+   *
+   * Use this when bypassing CrudService methods but still wanting
+   * population and custom prepareOutput() transformations.
+   *
+   * Note: This method does NOT perform authorization checks (checkRights).
+   * The caller is responsible for verifying permissions before calling this method.
+   *
+   * @example
+   * ```typescript
+   * // Direct Mongoose query with result processing
+   * const doc = await this.mainDbModel.findById(id).exec();
+   * return this.processResult(doc, serviceOptions);
+   *
+   * // Aggregate with result processing
+   * const results = await this.mainDbModel.aggregate(pipeline).exec();
+   * return this.processResult(results, serviceOptions);
+   * ```
+   */
+  async processResult(result: any, serviceOptions: ServiceOptions = {}): Promise<any> {
+    if (!result) {
+      return result;
+    }
+
+    // Population (if GraphQL field selection is available)
+    if (serviceOptions.fieldSelection && this.processFieldSelection) {
+      const populateOpts = serviceOptions.processFieldSelection || {};
+      const items = Array.isArray(result) ? result : [result];
+      for (const item of items) {
+        await this.processFieldSelection(item, serviceOptions.fieldSelection, populateOpts);
+      }
+    }
+
+    // Custom prepareOutput (type mapping, ObjectId conversion, custom overrides)
+    if (this.prepareOutput) {
+      result = await this.prepareOutput(result, serviceOptions);
+    }
+
+    return result;
+  }
+
+  /**
+   * Apply translation-aware input processing.
+   * Auto-detects @Translatable fields on the model and routes non-base-language
+   * values into _translations.
+   *
+   * @param input - The input data to transform
+   * @param oldDoc - The existing document from DB (needed for value comparison)
+   * @param language - Language code (defaults to RequestContext.getLanguage())
+   * @returns The transformed input with translations stored in _translations
+   *
+   * @example
+   * ```typescript
+   * // In a custom update method:
+   * const oldDoc = await this.mainDbModel.findById(id).lean();
+   * input = this.applyTranslationInput(input, oldDoc, serviceOptions.language);
+   * return this.mainDbModel.findByIdAndUpdate(id, input, { returnDocument: 'after' }).exec();
+   * ```
+   */
+  protected applyTranslationInput(input: any, oldDoc: any, language?: string): any {
+    language = language || RequestContext.getLanguage();
+    if (!language) {
+      return input;
+    }
+
+    const translatableFields = getTranslatablePropertyKeys(this.mainModelConstructor);
+    if (translatableFields.length === 0) {
+      return input;
+    }
+
+    return updateLanguage(language, input, oldDoc, translatableFields);
+  }
+
   /**
    * Prepare input before save
    */

package/src/core/common/services/request-context.service.ts

@@ -0,0 +1,69 @@
+import { AsyncLocalStorage } from 'async_hooks';
+
+export interface IRequestContext {
+  currentUser?: {
+    id: string;
+    hasRole?: (roles: string[]) => boolean;
+    roles?: string[];
+  };
+  language?: string;
+  /** When true, mongooseRoleGuardPlugin allows role changes regardless of user permissions */
+  bypassRoleGuard?: boolean;
+}
+
+/**
+ * Request-scoped context using AsyncLocalStorage.
+ * Provides access to the current user in Mongoose hooks and other
+ * places where NestJS request scope is not available.
+ */
+export class RequestContext {
+  private static storage = new AsyncLocalStorage<IRequestContext>();
+
+  static run<T>(context: IRequestContext, fn: () => T): T {
+    return this.storage.run(context, fn);
+  }
+
+  static get(): IRequestContext | undefined {
+    return this.storage.getStore();
+  }
+
+  static getCurrentUser(): IRequestContext['currentUser'] | undefined {
+    return this.storage.getStore()?.currentUser;
+  }
+
+  static getLanguage(): string | undefined {
+    return this.storage.getStore()?.language;
+  }
+
+  /**
+   * Check if the role guard bypass is active for the current context.
+   */
+  static isBypassRoleGuard(): boolean {
+    return this.storage.getStore()?.bypassRoleGuard === true;
+  }
+
+  /**
+   * Run a function with the role guard bypass enabled.
+   * The current context (user, language) is preserved; only bypassRoleGuard is added.
+   *
+   * Use this when authorized code needs to set roles on users, e.g.:
+   * - signUp with default roles
+   * - Admin panel where a non-admin role (e.g. HR_MANAGER) creates users with roles
+   * - System setup creating initial admin
+   *
+   * @example
+   * ```typescript
+   * await RequestContext.runWithBypassRoleGuard(async () => {
+   *   await this.mainDbModel.findByIdAndUpdate(userId, { roles: ['EMPLOYEE'] });
+   * });
+   * ```
+   */
+  static runWithBypassRoleGuard<T>(fn: () => T): T {
+    const currentStore = this.storage.getStore();
+    const context: IRequestContext = {
+      ...currentStore,
+      bypassRoleGuard: true,
+    };
+    return this.storage.run(context, fn);
+  }
+}

package/src/core/modules/auth/guards/auth.guard.ts

@@ -40,8 +40,8 @@ const createPassportContext =
         try {
           request.authInfo = info;
           return resolve(callback(err, user, info));
-        } catch (err) {
-          reject(err);
+        } catch (callbackError) {
+          reject(callbackError);
         }
       })(request, response, (err: any) => (err ? reject(err) : resolve(undefined))),
     );

package/src/core/modules/better-auth/core-better-auth.resolver.ts

@@ -342,9 +342,11 @@ export class CoreBetterAuthResolver {
         // 1. accessToken (JWT plugin enriched response)
         // 2. token (top-level, some BetterAuth versions)
         // 3. session.token (session-based fallback)
-        const responseAny = response as any;
+        const tokenResponse = response as any;
         const rawToken =
-          responseAny.accessToken || responseAny.token || (hasSession(response) ? response.session.token : undefined);
+          tokenResponse.accessToken ||
+          tokenResponse.token ||
+          (hasSession(response) ? response.session.token : undefined);
         const token = await this.resolveJwtToken(rawToken);
 
         return {

package/src/core/modules/error-code/INTEGRATION-CHECKLIST.md

@@ -86,7 +86,7 @@ const config = {
 };
 ```
 
-**Done!** Your project errors are now available via `/api/i18n/errors/:locale`.
+**Done!** Your project errors are now available via `/i18n/errors/:locale`.
 
 ---
 
@@ -221,14 +221,14 @@ After integration, verify:
 
 - [ ] `npm run build` succeeds without errors
 - [ ] `npm test` passes
-- [ ] `GET /api/i18n/errors/de` returns your project error codes
-- [ ] `GET /api/i18n/errors/en` returns English translations
+- [ ] `GET /i18n/errors/de` returns your project error codes
+- [ ] `GET /i18n/errors/en` returns English translations
 - [ ] Error codes follow format `PREFIX_XXXX` (e.g., `PROJ_0001`)
 - [ ] Translations include placeholders where needed (`{param}`)
 
 ### For Scenario C only:
 
-- [ ] `GET /api/i18n/errors/codes` returns all error codes (if implemented)
+- [ ] `GET /i18n/errors/codes` returns all error codes (if implemented)
 
 ---
 
@@ -269,10 +269,10 @@ const orderCode = ProjectErrorCode.ORDER_NOT_FOUND; // '#PROJ_0001: Order not fo
 
 ### REST Endpoints
 
-| Endpoint                   | Method | Description                               |
-| -------------------------- | ------ | ----------------------------------------- |
-| `/api/i18n/errors/:locale` | GET    | Get translations for locale (de, en, ...) |
-| `/api/i18n/errors/codes`   | GET    | Get all error codes (Scenario C only)     |
+| Endpoint               | Method | Description                               |
+| ---------------------- | ------ | ----------------------------------------- |
+| `/i18n/errors/:locale` | GET    | Get translations for locale (de, en, ...) |
+| `/i18n/errors/codes`   | GET    | Get all error codes (Scenario C only)     |
 
 ### Response Format (Nuxt i18n compatible)
 

package/src/core/modules/error-code/core-error-code.controller.ts

@@ -12,10 +12,10 @@ import { IErrorTranslationResponse, SupportedLocale } from './interfaces/error-c
  * This controller is publicly accessible (no authentication required).
  *
  * @example
- * GET /api/i18n/errors/de - Get German translations
- * GET /api/i18n/errors/en - Get English translations
+ * GET /i18n/errors/de - Get German translations
+ * GET /i18n/errors/en - Get English translations
  */
-@Controller('api/i18n/errors')
+@Controller('i18n/errors')
 export class CoreErrorCodeController {
   constructor(protected readonly errorCodeService: CoreErrorCodeService) {}
 

package/src/core/modules/error-code/interfaces/error-code.interfaces.ts

@@ -36,7 +36,7 @@ export interface IErrorCodeModuleConfig {
    * @example
    * ```typescript
    * // Standalone controller (RECOMMENDED)
-   * @Controller('api/i18n/errors')
+   * @Controller('i18n/errors')
    * export class ErrorCodeController {
    *   constructor(protected readonly errorCodeService: ErrorCodeService) {}
    *

package/src/core/modules/system-setup/INTEGRATION-CHECKLIST.md

@@ -68,7 +68,7 @@ Only needed if you want to add extra validation, logging, or custom fields.
 import { Controller } from '@nestjs/common';
 import { CoreSystemSetupController, Roles, RoleEnum } from '@lenne.tech/nest-server';
 
-@Controller('api/system-setup')
+@Controller('system-setup')
 @Roles(RoleEnum.ADMIN)
 export class SystemSetupController extends CoreSystemSetupController {
   // Override methods here for custom logic
@@ -83,10 +83,10 @@ export class SystemSetupController extends CoreSystemSetupController {
 
 - [ ] `npm run build` succeeds
 - [ ] `npm test` passes
-- [ ] `GET /api/system-setup/status` returns `{ needsSetup: true }` on empty database
-- [ ] `POST /api/system-setup/init` creates admin user with correct role
-- [ ] `GET /api/system-setup/status` returns `{ needsSetup: false }` after init
-- [ ] `POST /api/system-setup/init` returns 403 when users already exist
+- [ ] `GET /system-setup/status` returns `{ needsSetup: true }` on empty database
+- [ ] `POST /system-setup/init` creates admin user with correct role
+- [ ] `GET /system-setup/status` returns `{ needsSetup: false }` after init
+- [ ] `POST /system-setup/init` returns 403 when users already exist
 
 ---
 

package/src/core/modules/system-setup/README.md

@@ -42,12 +42,12 @@ Once any user exists, the init endpoint is permanently locked (returns 403) and
 
 ## Endpoints
 
-| Method | Endpoint                   | Description                 |
-| ------ | -------------------------- | --------------------------- |
-| GET    | `/api/system-setup/status` | Check if system needs setup |
-| POST   | `/api/system-setup/init`   | Create initial admin user   |
+| Method | Endpoint               | Description                 |
+| ------ | ---------------------- | --------------------------- |
+| GET    | `/system-setup/status` | Check if system needs setup |
+| POST   | `/system-setup/init`   | Create initial admin user   |
 
-### GET /api/system-setup/status
+### GET /system-setup/status
 
 Returns the current setup status.
 
@@ -60,7 +60,7 @@ Returns the current setup status.
 }
 ```
 
-### POST /api/system-setup/init
+### POST /system-setup/init
 
 Creates the initial admin user. Only works when zero users exist.
 
@@ -195,12 +195,12 @@ Typical frontend flow:
 
 ```typescript
 // 1. Check if setup is needed
-const status = await fetch('/api/system-setup/status');
+const status = await fetch('/system-setup/status');
 const { needsSetup } = await status.json();
 
 if (needsSetup) {
   // 2. Show setup form and submit
-  const result = await fetch('/api/system-setup/init', {
+  const result = await fetch('/system-setup/init', {
     method: 'POST',
     headers: { 'Content-Type': 'application/json' },
     body: JSON.stringify({
@@ -225,7 +225,7 @@ if (needsSetup) {
 
 **Solutions:**
 
-1. Check `GET /api/system-setup/status` - `needsSetup` should be `true`
+1. Check `GET /system-setup/status` - `needsSetup` should be `true`
 2. If this is a fresh deployment, verify the database is empty
 
 ### Init returns 403 "System setup requires BetterAuth"

package/src/core/modules/system-setup/core-system-setup.controller.ts

@@ -35,7 +35,7 @@ export class SystemSetupInitDto {
  * that no users exist before allowing creation.
  */
 @ApiTags('System Setup')
-@Controller('api/system-setup')
+@Controller('system-setup')
 @Roles(RoleEnum.ADMIN)
 export class CoreSystemSetupController {
   constructor(protected readonly systemSetupService: CoreSystemSetupService) {}

package/src/core.module.ts

@@ -3,17 +3,23 @@ import { DynamicModule, Global, MiddlewareConsumer, Module, NestModule, Unauthor
 import { APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core';
 import { GraphQLModule } from '@nestjs/graphql';
 import { MongooseModule } from '@nestjs/mongoose';
-import { Context } from 'apollo-server-core';
+import type { Context } from 'graphql-ws';
 import graphqlUploadExpress = require('graphql-upload/graphqlUploadExpress.js');
 import mongoose from 'mongoose';
 
 import { merge } from './core/common/helpers/config.helper';
 import { CheckResponseInterceptor } from './core/common/interceptors/check-response.interceptor';
 import { CheckSecurityInterceptor } from './core/common/interceptors/check-security.interceptor';
+import { ResponseModelInterceptor } from './core/common/interceptors/response-model.interceptor';
+import { TranslateResponseInterceptor } from './core/common/interceptors/translate-response.interceptor';
 import { IServerOptions } from './core/common/interfaces/server-options.interface';
+import { RequestContextMiddleware } from './core/common/middleware/request-context.middleware';
 import { MapAndValidatePipe } from './core/common/pipes/map-and-validate.pipe';
 import { ComplexityPlugin } from './core/common/plugins/complexity.plugin';
 import { mongooseIdPlugin } from './core/common/plugins/mongoose-id.plugin';
+import { mongooseAuditFieldsPlugin } from './core/common/plugins/mongoose-audit-fields.plugin';
+import { mongoosePasswordPlugin } from './core/common/plugins/mongoose-password.plugin';
+import { mongooseRoleGuardPlugin } from './core/common/plugins/mongoose-role-guard.plugin';
 import { ConfigService } from './core/common/services/config.service';
 import { EmailService } from './core/common/services/email.service';
 import { MailjetService } from './core/common/services/mailjet.service';
@@ -49,6 +55,8 @@ export class CoreModule implements NestModule {
    * Integrate middleware, e.g. GraphQL upload handing for express
    */
   configure(consumer: MiddlewareConsumer) {
+    // RequestContext middleware must run for all routes to provide AsyncLocalStorage context
+    consumer.apply(RequestContextMiddleware).forRoutes('*');
     if (CoreModule.graphQlEnabled) {
       consumer.apply(graphqlUploadExpress()).forRoutes('graphql');
     }
@@ -186,6 +194,29 @@ export class CoreModule implements NestModule {
       options,
     );
 
+    // Wrap connectionFactory to add security plugins (password hashing, role guard)
+    const originalConnectionFactory = config.mongoose?.options?.connectionFactory;
+    config.mongoose.options = config.mongoose.options || {};
+    config.mongoose.options.connectionFactory = (connection, name) => {
+      // Run original factory first (includes mongooseIdPlugin from defaults)
+      if (originalConnectionFactory) {
+        connection = originalConnectionFactory(connection, name);
+      }
+      // Add password hashing plugin (enabled by default, opt-out via config)
+      if (config.security?.mongoosePasswordPlugin !== false) {
+        connection.plugin(mongoosePasswordPlugin);
+      }
+      // Add role guard plugin (enabled by default, opt-out via config)
+      if (config.security?.mongooseRoleGuardPlugin !== false) {
+        connection.plugin(mongooseRoleGuardPlugin);
+      }
+      // Add audit fields plugin (enabled by default, opt-out via config)
+      if (config.security?.mongooseAuditFieldsPlugin !== false) {
+        connection.plugin(mongooseAuditFieldsPlugin);
+      }
+      return connection;
+    };
+
     // Check secrets
     const jwtConfig = config.jwt;
     if (jwtConfig?.secret && jwtConfig.secret && jwtConfig.refresh && jwtConfig.refresh.secret === jwtConfig.secret) {
@@ -235,6 +266,26 @@ export class CoreModule implements NestModule {
       });
     }
 
+    // TranslateResponseInterceptor: Applies _translations based on Accept-Language header
+    // Registered after security interceptors → runs before them on response
+    // Translation happens before security checks strip restricted fields
+    if (config.security?.translateResponseInterceptor !== false) {
+      providers.push({
+        provide: APP_INTERCEPTOR,
+        useClass: TranslateResponseInterceptor,
+      });
+    }
+
+    // ResponseModelInterceptor: Auto-converts plain objects to model instances
+    // Registered last → runs first on response (NestJS reverse order for interceptors)
+    // This ensures plain objects get securityCheck() and @Restricted metadata before other interceptors check them
+    if (config.security?.responseModelInterceptor !== false) {
+      providers.push({
+        provide: APP_INTERCEPTOR,
+        useClass: ResponseModelInterceptor,
+      });
+    }
+
     if (config.mongoose?.modelDocumentation) {
       providers.push(ModelDocService);
     }
@@ -375,7 +426,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   const enableAuth = graphQlOpts?.enableSubscriptionAuth ?? true;
 
@@ -470,7 +521,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   const enableAuth = graphQlOpts?.enableSubscriptionAuth ?? true;
 
@@ -582,7 +633,7 @@ export class CoreModule implements NestModule {
             subscriptions: {
               'graphql-ws': {
                 context: ({ extra }) => extra,
-                onConnect: async (context: Context<any>) => {
+                onConnect: async (context: Context<any, any>) => {
                   const { connectionParams, extra } = context;
                   if (enableSubscriptionAuth) {
                     // get authToken from authorization header

package/src/index.ts

@@ -16,6 +16,7 @@ export * from './core/common/decorators/graphql-service-options.decorator';
 export * from './core/common/decorators/graphql-user.decorator';
 export * from './core/common/decorators/rest-service-options.decorator';
 export * from './core/common/decorators/rest-user.decorator';
+export * from './core/common/decorators/response-model.decorator';
 export * from './core/common/decorators/restricted.decorator';
 export * from './core/common/decorators/roles.decorator';
 export * from './core/common/decorators/translatable.decorator';
@@ -34,6 +35,7 @@ export * from './core/common/helpers/decorator.helper';
 export * from './core/common/helpers/file.helper';
 export * from './core/common/helpers/filter.helper';
 export * from './core/common/helpers/graphql.helper';
+export * from './core/common/helpers/interceptor.helper';
 export * from './core/common/helpers/gridfs.helper';
 export * from './core/common/helpers/input.helper';
 export * from './core/common/helpers/logging.helper';
@@ -49,6 +51,8 @@ export * from './core/common/inputs/single-filter.input';
 export * from './core/common/inputs/sort.input';
 export * from './core/common/interceptors/check-response.interceptor';
 export * from './core/common/interceptors/check-security.interceptor';
+export * from './core/common/interceptors/response-model.interceptor';
+export * from './core/common/interceptors/translate-response.interceptor';
 export * from './core/common/interfaces/core-persistence-model.interface';
 export * from './core/common/interfaces/cron-job-config-with-time-zone.interface';
 export * from './core/common/interfaces/cron-job-config-with-utc-offset.interface';
@@ -59,6 +63,7 @@ export * from './core/common/interfaces/prepare-output-options.interface';
 export * from './core/common/interfaces/resolve-selector.interface';
 export * from './core/common/interfaces/server-options.interface';
 export * from './core/common/interfaces/service-options.interface';
+export * from './core/common/middleware/request-context.middleware';
 export * from './core/common/middlewares/to-lower-case.middleware';
 export * from './core/common/models/core-model.model';
 export * from './core/common/models/core-persistence.model';
@@ -67,6 +72,9 @@ export * from './core/common/pipes/check-input.pipe';
 export * from './core/common/pipes/map-and-validate.pipe';
 export * from './core/common/plugins/complexity.plugin';
 export * from './core/common/plugins/mongoose-id.plugin';
+export * from './core/common/plugins/mongoose-audit-fields.plugin';
+export * from './core/common/plugins/mongoose-password.plugin';
+export * from './core/common/plugins/mongoose-role-guard.plugin';
 export * from './core/common/scalars/any.scalar';
 export * from './core/common/scalars/date-timestamp.scalar';
 export * from './core/common/scalars/date.scalar';
@@ -78,7 +86,9 @@ export * from './core/common/services/crud.service';
 export * from './core/common/services/email.service';
 export * from './core/common/services/mailjet.service';
 export * from './core/common/services/model-doc.service';
+export * from './core/common/services/model-registry.service';
 export * from './core/common/services/module.service';
+export * from './core/common/services/request-context.service';
 export * from './core/common/services/template.service';
 export * from './core/common/types/array-element.type';
 export * from './core/common/types/core-model-constructor.type';

package/src/server/modules/error-code/README.md

@@ -33,9 +33,9 @@ Demonstrates **Scenario C: Custom Service + Controller via forRoot()** where a p
 │  │  ErrorCodeService   │    │   ErrorCodeController       │  │
 │  │  extends Core...    │    │   (standalone - see below)  │  │
 │  │                     │    │                             │  │
-│  │  - LTNS_* (core)    │    │   GET /api/i18n/errors/codes│  │
-│  │  - SRV_* (server)   │    │   GET /api/i18n/errors/de   │  │
-│  │                     │    │   GET /api/i18n/errors/en   │  │
+│  │  - LTNS_* (core)    │    │   GET /i18n/errors/codes    │  │
+│  │  - SRV_* (server)   │    │   GET /i18n/errors/de       │  │
+│  │                     │    │   GET /i18n/errors/en       │  │
 │  └─────────────────────┘    └─────────────────────────────┘  │
 └──────────────────────────────────────────────────────────────┘
 ```
@@ -107,7 +107,7 @@ static routes (`/codes`), even if you re-declare the methods.
 
 ```typescript
 // DOES NOT WORK - parent route registered first!
-@Controller('api/i18n/errors')
+@Controller('i18n/errors')
 export class ErrorCodeController extends CoreErrorCodeController {
   @Get('codes') // Registered AFTER parent's :locale
   getAllCodes(): string[] {}
@@ -117,7 +117,7 @@ export class ErrorCodeController extends CoreErrorCodeController {
 }
 
 // WORKS - standalone ensures correct order
-@Controller('api/i18n/errors')
+@Controller('i18n/errors')
 export class ErrorCodeController {
   @Get('codes') // Registered first
   getAllCodes(): string[] {}

package/src/server/modules/error-code/error-code.controller.ts

@@ -16,8 +16,8 @@ import { ErrorCodeService } from './error-code.service';
  * correct route registration order.
  *
  * Endpoints:
- * - GET /api/i18n/errors/codes - Get all available error codes (custom)
- * - GET /api/i18n/errors/:locale - Get translations for a locale
+ * - GET /i18n/errors/codes - Get all available error codes (custom)
+ * - GET /i18n/errors/:locale - Get translations for a locale
  *
  * **WHY standalone instead of extending CoreErrorCodeController?**
  * NestJS registers routes from parent classes first, regardless of method declaration
@@ -33,7 +33,7 @@ import { ErrorCodeService } from './error-code.service';
  * })
  * ```
  */
-@Controller('api/i18n/errors')
+@Controller('i18n/errors')
 export class ErrorCodeController {
   constructor(protected readonly errorCodeService: ErrorCodeService) {}