@lenne.tech/nest-server 11.20.0 → 11.21.0

package/src/core/modules/auth/guards/roles.guard.ts

@@ -16,6 +16,7 @@ import { BetterAuthTokenService } from '../../better-auth/better-auth-token.serv
 import { BetterAuthenticatedUser } from '../../better-auth/better-auth.types';
 import { CoreBetterAuthService } from '../../better-auth/core-better-auth.service';
 import { ErrorCode } from '../../error-code';
+import { isMultiTenancyActive, isSystemRole, mergeRolesMetadata } from '../../tenant/core-tenant.helpers';
 import { AuthGuardStrategy } from '../auth-guard-strategy.enum';
 import { ExpiredTokenException } from '../exceptions/expired-token.exception';
 import { InvalidTokenException } from '../exceptions/invalid-token.exception';
@@ -134,11 +135,7 @@ export class RolesGuard extends AuthGuard(AuthGuardStrategy.JWT) {
       context.getHandler(),
       context.getClass(),
     ]);
-    const roles: string[] = reflectorRoles[0]
-      ? reflectorRoles[1]
-        ? [...reflectorRoles[0], ...reflectorRoles[1]]
-        : reflectorRoles[0]
-      : reflectorRoles[1];
+    const roles = mergeRolesMetadata(reflectorRoles);
 
     // Check if locked - always deny
     if (roles && roles.includes(RoleEnum.S_NO_ONE)) {
@@ -294,11 +291,7 @@ export class RolesGuard extends AuthGuard(AuthGuardStrategy.JWT) {
       context.getHandler(),
       context.getClass(),
     ]);
-    const roles: string[] = reflectorRoles[0]
-      ? reflectorRoles[1]
-        ? [...reflectorRoles[0], ...reflectorRoles[1]]
-        : reflectorRoles[0]
-      : reflectorRoles[1];
+    const roles = mergeRolesMetadata(reflectorRoles);
 
     // Check if locked
     if (roles && roles.includes(RoleEnum.S_NO_ONE)) {
@@ -317,6 +310,13 @@ export class RolesGuard extends AuthGuard(AuthGuardStrategy.JWT) {
         return user;
       }
 
+      // When multiTenancy active: pass through ALL non-system roles to CoreTenantGuard.
+      // CoreTenantGuard handles hierarchy (level) and non-hierarchy (exact) checks
+      // against membership.role (tenant) or user.roles (no tenant).
+      if (user && isMultiTenancyActive() && roles.some((r) => !isSystemRole(r))) {
+        return user;
+      }
+
       // If user is missing throw token exception
       if (!user) {
         if (err) {

package/src/core/modules/better-auth/better-auth-roles.guard.ts

@@ -10,6 +10,7 @@ import { GqlExecutionContext } from '@nestjs/graphql';
 
 import { RoleEnum } from '../../common/enums/role.enum';
 import { ErrorCode } from '../error-code';
+import { isMultiTenancyActive, isSystemRole, mergeRolesMetadata } from '../tenant/core-tenant.helpers';
 import { BetterAuthTokenService } from './better-auth-token.service';
 import { BetterAuthenticatedUser } from './better-auth.types';
 import { CoreBetterAuthModule } from './core-better-auth.module';
@@ -79,12 +80,7 @@ export class BetterAuthRolesGuard implements CanActivate {
     const classRoles = Reflect.getMetadata('roles', context.getClass()) as string[] | undefined;
 
     // Combine handler and class roles (handler takes precedence, like Reflector.getAll)
-    const reflectorRoles: (string[] | undefined)[] = [handlerRoles, classRoles];
-    const roles: string[] = reflectorRoles[0]
-      ? reflectorRoles[1]
-        ? [...reflectorRoles[0], ...reflectorRoles[1]]
-        : reflectorRoles[0]
-      : reflectorRoles[1];
+    const roles = mergeRolesMetadata([handlerRoles, classRoles]);
 
     // Check if locked - always deny
     if (roles && roles.includes(RoleEnum.S_NO_ONE)) {
@@ -120,6 +116,13 @@ export class BetterAuthRolesGuard implements CanActivate {
       return true;
     }
 
+    // When multiTenancy active: pass through ALL non-system roles to CoreTenantGuard.
+    // CoreTenantGuard handles hierarchy (level) and non-hierarchy (exact) checks
+    // against membership.role (tenant) or user.roles (no tenant).
+    if (isMultiTenancyActive() && roles.some((r) => !isSystemRole(r))) {
+      return true;
+    }
+
     // Check S_SELF role - user is accessing their own data
     if (roles.includes(RoleEnum.S_SELF)) {
       // Get the target object's ID from params or args

package/src/core/modules/tenant/INTEGRATION-CHECKLIST.md

@@ -0,0 +1,165 @@
+# Tenant Module Integration Checklist
+
+## Reference Implementation
+
+- Local: `node_modules/@lenne.tech/nest-server/src/server/modules/tenant/` (when available)
+- GitHub: https://github.com/lenneTech/nest-server/tree/develop/src/core/modules/tenant
+
+## Quick Start (Auto-Registration)
+
+For projects that don't need custom tenant logic:
+
+```typescript
+// config.env.ts
+multiTenancy: {},
+```
+
+That's it. CoreModule auto-registers the tenant module, guard, and service.
+
+> **Note:** Auto-registration uses default model/guard/service. For custom implementations, use manual registration with `CoreTenantModule.forRoot({ service: CustomTenantService })` in your ServerModule.
+
+## Custom Integration (Manual Registration)
+
+### 1. Create TenantMember Model
+
+**Create:** `src/server/modules/tenant/tenant-member.model.ts`
+
+```typescript
+import { Schema } from '@nestjs/mongoose';
+import { CoreTenantMemberModel } from '@lenne.tech/nest-server';
+
+@Schema({ timestamps: true })
+export class TenantMember extends CoreTenantMemberModel {
+  // Add custom fields here if needed
+}
+```
+
+### 2. Create Custom Service (Optional)
+
+**Create:** `src/server/modules/tenant/tenant.service.ts`
+
+Extend `CoreTenantService` to add custom logic (notifications, tenant creation, etc.).
+
+### 3. Register in ServerModule
+
+**Modify:** `src/server/server.module.ts`
+
+```typescript
+import { CoreTenantModule } from '@lenne.tech/nest-server';
+import { TenantMember } from './modules/tenant/tenant-member.model';
+import { TenantService } from './modules/tenant/tenant.service';
+
+@Module({
+  imports: [
+    CoreTenantModule.forRoot({
+      memberModel: TenantMember,
+      service: TenantService,
+    }),
+    // ...
+  ],
+})
+export class ServerModule {}
+```
+
+### 4. Define Hierarchy Roles (Recommended)
+
+**Create:** `src/server/modules/tenant/roles.ts`
+
+```typescript
+import { createHierarchyRoles } from '@lenne.tech/nest-server';
+
+// Must match roleHierarchy in config.env.ts (or use DefaultHR for defaults)
+export const HR = createHierarchyRoles({ member: 1, manager: 2, owner: 3 });
+// HR.MEMBER = 'member', HR.MANAGER = 'manager', HR.OWNER = 'owner'
+```
+
+Or use the built-in `DefaultHR` for the default hierarchy:
+
+```typescript
+import { DefaultHR } from '@lenne.tech/nest-server';
+// DefaultHR.MEMBER, DefaultHR.MANAGER, DefaultHR.OWNER
+```
+
+### 5. Add Tenant Header to API Calls
+
+All tenant-scoped requests must include:
+
+```
+X-Tenant-Id: <tenant-id>
+```
+
+### 6. Add tenantId to Scoped Models
+
+Models that should be tenant-scoped need a `tenantId` field:
+
+```typescript
+@Prop({ type: String })
+tenantId: string;
+```
+
+The tenant plugin automatically filters and populates this field.
+
+### 7. Use Hierarchy Roles on Protected Endpoints
+
+```typescript
+import { Roles, CurrentTenant, DefaultHR } from '@lenne.tech/nest-server';
+
+@Roles(DefaultHR.MEMBER)   // any active member
+async listItems(@CurrentTenant() tenantId: string) { ... }
+
+@Roles(DefaultHR.MANAGER)  // at least manager level
+async updateItem(...) { ... }
+
+@Roles(DefaultHR.OWNER)    // highest level only
+async deleteItem(...) { ... }
+```
+
+Normal (non-hierarchy) roles also work:
+
+```typescript
+@Roles('auditor')  // exact match against membership.role
+async viewAuditLog(...) { ... }
+```
+
+### 8. Skip Tenant Check for Non-Tenant Endpoints
+
+Use `@SkipTenantCheck()` for endpoints that intentionally work without tenant context:
+
+```typescript
+import { SkipTenantCheck, Roles, RoleEnum } from '@lenne.tech/nest-server';
+
+@SkipTenantCheck()
+@Roles(RoleEnum.S_USER)
+async listMyTenants() { ... }
+```
+
+## Verification Checklist
+
+- [ ] `pnpm run build` succeeds
+- [ ] `pnpm test` passes
+- [ ] Request with `X-Tenant-Id` header only returns tenant data
+- [ ] Request without header + hierarchy role checks user.roles and filters tenantIds
+- [ ] Admin user can access any tenant (if adminBypass: true)
+- [ ] Non-member gets 403 "Not a member of this tenant"
+- [ ] Unauthenticated + header → 403 "Authentication required for tenant access"
+- [ ] Public endpoint accessing tenantId-schema without context throws 403 (Safety Net)
+
+## Security
+
+> **Defense-in-Depth:** The guard validates membership and sets `req.tenantId`. The Mongoose plugin only uses this validated value (via RequestContext) — never the raw header. Additionally, the plugin's Safety Net throws `ForbiddenException` when a tenantId-scoped schema is accessed without valid tenant context.
+
+> **Tenant overrides user.roles:** When a tenant header is present, only `membership.role` is checked. `user.roles` is ignored (except ADMIN bypass). This prevents users from claiming higher privileges via `user.roles` when operating within a specific tenant.
+
+> **Cross-tenant writes:** Never pass user-supplied `tenantId` directly to `create()` or `new Model()`. The plugin only auto-sets `tenantId` on new documents when no explicit value is provided. Accepting user-supplied values bypasses the auto-set and could allow cross-tenant writes.
+
+## Common Mistakes
+
+| Mistake                                          | Symptom                            | Fix                                                                        |
+| ------------------------------------------------ | ---------------------------------- | -------------------------------------------------------------------------- |
+| Missing `tenantId` field on model                | Data not filtered by tenant        | Add `@Prop({ type: String }) tenantId: string`                             |
+| Forgetting `X-Tenant-Id` header                  | 403 or Safety Net exception        | Add header to all tenant-scoped API calls                                  |
+| Using only `@Roles(S_USER)` for tenant endpoints | No tenant membership check         | Use `@Roles(DefaultHR.MEMBER)` for tenant-level access                     |
+| Querying membership without bypass               | Empty results due to tenant filter | Use `RequestContext.runWithBypassTenantGuard()`                            |
+| Public endpoint accessing tenantId-schema        | 403 Safety Net exception           | Use `@SkipTenantCheck()` + `RequestContext.runWithBypassTenantGuard()`     |
+| Passing user-supplied tenantId to create()       | Cross-tenant write possible        | Let plugin auto-set tenantId from context                                  |
+| Custom hierarchy doesn't match config            | Roles fail unexpectedly            | Ensure `createHierarchyRoles()` input matches `multiTenancy.roleHierarchy` |

package/src/core/modules/tenant/README.md

@@ -0,0 +1,232 @@
+# CoreTenantModule
+
+Header-based multi-tenancy for @lenne.tech/nest-server.
+
+## Overview
+
+Enables tenant-based data isolation where:
+
+- Users can be members of multiple tenants
+- The active tenant is selected per-request via `X-Tenant-Id` header
+- Data is automatically filtered by tenant (via the existing Mongoose tenant plugin)
+- Tenant membership and roles are validated per-request
+
+## Architecture
+
+```
+Request + X-Tenant-Id Header
+  -> RequestContextMiddleware (lazy getters for tenant context)
+  -> Auth Middleware (sets req.user)
+  -> CoreTenantGuard (validates membership, sets req.tenantId)
+  -> Mongoose Tenant Plugin (filters queries by context.tenantId)
+```
+
+**Defense-in-depth:** Two layers of protection:
+
+1. **Guard level:** CoreTenantGuard validates membership and sets `tenantId` (only after successful check)
+2. **Plugin level:** Safety Net — throws `ForbiddenException` when a tenantId-scoped schema is accessed without valid tenant context
+
+## Configuration
+
+```typescript
+// config.env.ts
+
+// Disabled (default) - zero overhead
+// multiTenancy: undefined
+
+// Enabled with defaults
+multiTenancy: {},
+
+// Enabled with custom settings
+multiTenancy: {
+  headerName: 'x-tenant-id',        // Header name (default: 'x-tenant-id')
+  membershipModel: 'TenantMember',  // Mongoose model name (default)
+  adminBypass: true,                 // System admins bypass membership (default: true)
+  excludeSchemas: ['User', 'Session'], // Schemas without tenant filtering
+  roleHierarchy: {                   // Custom role hierarchy (default below)
+    member: 1,
+    manager: 2,
+    owner: 3,
+  },
+},
+
+// Pre-configured but disabled
+multiTenancy: { enabled: false },
+```
+
+## Components
+
+| Component                | Purpose                                                |
+| ------------------------ | ------------------------------------------------------ |
+| `CoreTenantMemberModel`  | User-tenant membership (join table with role + status) |
+| `CoreTenantGuard`        | APP_GUARD validating tenant header + membership        |
+| `CoreTenantService`      | Membership CRUD (add, remove, update role, find)       |
+| `@SkipTenantCheck()`     | Method/class decorator to skip tenant validation       |
+| `@CurrentTenant()`       | Parameter decorator extracting validated tenant ID     |
+| `TenantMemberStatus`     | Enum: ACTIVE, INVITED, SUSPENDED                       |
+| `DefaultHR`              | Type-safe constants for default hierarchy roles        |
+| `createHierarchyRoles()` | Generate type-safe constants from custom hierarchy     |
+
+## Usage
+
+### Protecting Endpoints with Hierarchy Roles
+
+Use `@Roles()` with hierarchy role strings. Higher levels include lower levels (level comparison).
+
+```typescript
+import { Roles, CurrentTenant, DefaultHR } from '@lenne.tech/nest-server';
+
+@Controller('projects')
+export class ProjectController {
+  @Get()
+  @Roles(DefaultHR.MEMBER) // any active member (level >= 1)
+  async list(@CurrentTenant() tenantId: string) {
+    return this.projectService.find({ tenantId });
+  }
+
+  @Put(':id')
+  @Roles(DefaultHR.MANAGER) // at least manager level (level >= 2)
+  async update(@Param('id') id: string, @Body() body: UpdateDto) {
+    return this.projectService.update(id, body);
+  }
+
+  @Delete(':id')
+  @Roles(DefaultHR.OWNER) // highest level only (level >= 3)
+  async delete(@Param('id') id: string) {
+    return this.projectService.delete(id);
+  }
+}
+```
+
+### Hierarchy Roles
+
+The role hierarchy defines levels where higher includes lower:
+
+| Role Key  | Level | Can Access                 |
+| --------- | ----- | -------------------------- |
+| `owner`   | 3     | Everything                 |
+| `manager` | 2     | MANAGER + MEMBER endpoints |
+| `member`  | 1     | MEMBER endpoints only      |
+
+Multiple roles can share the same level (e.g., `editor: 2, manager: 2` → equivalent access).
+
+### Custom Hierarchy
+
+```typescript
+// config.env.ts
+multiTenancy: {
+  roleHierarchy: { viewer: 1, editor: 2, manager: 2, admin: 3, owner: 4 },
+}
+
+// roles.ts — type-safe constants
+import { createHierarchyRoles } from '@lenne.tech/nest-server';
+export const HR = createHierarchyRoles({ viewer: 1, editor: 2, manager: 2, admin: 3, owner: 4 });
+// HR.VIEWER = 'viewer', HR.EDITOR = 'editor', HR.MANAGER = 'manager', HR.ADMIN = 'admin', HR.OWNER = 'owner'
+
+// resolver.ts
+@Roles(HR.EDITOR)  // requires level >= 2 (editor, manager, admin, owner all pass)
+```
+
+### Normal (Non-Hierarchy) Roles
+
+Roles not in `roleHierarchy` use exact match — no higher role can compensate:
+
+```typescript
+// membership.role = 'auditor' → @Roles('auditor') passes, @Roles('manager') fails
+@Roles('auditor')
+async auditLog(@CurrentTenant() tenantId: string) { ... }
+```
+
+### Tenant Context Rule
+
+**When a tenant header is present:** Only `membership.role` is checked. `user.roles` is ignored (except ADMIN bypass).
+
+**When no tenant header:** `user.roles` is checked instead. Hierarchy roles use level comparison, normal roles use exact match.
+
+```typescript
+// Example: user.roles=['manager'], tenant membership.role='member'
+// @Roles(DefaultHR.MANAGER) with X-Tenant-Id header → 403 (member < manager)
+// @Roles(DefaultHR.MANAGER) without header → 200 (user.roles manager(2) >= manager(2))
+```
+
+### Skipping Tenant Checks
+
+Use `@SkipTenantCheck()` for endpoints that intentionally work without tenant context:
+
+```typescript
+@SkipTenantCheck()
+@Roles(RoleEnum.S_USER)
+async listMyTenants() { ... }
+```
+
+Note: `@SkipTenantCheck()` with hierarchy roles still checks `user.roles` (no tenant context).
+
+### Admin Bypass
+
+System admins (`RoleEnum.ADMIN`) bypass the membership check by default.
+Disable with `multiTenancy: { adminBypass: false }`.
+
+### Filtering Without Header
+
+| User State                     | Filter Applied                                                      |
+| ------------------------------ | ------------------------------------------------------------------- |
+| Not authenticated, no context  | Safety Net: `ForbiddenException` on tenantId-schemas                |
+| Authenticated, no memberships  | Safety Net: `ForbiddenException` on tenantId-schemas                |
+| Authenticated, has memberships | `{ tenantId: { $in: [user's tenant IDs] } }`                        |
+| Authenticated + hierarchy role | `{ tenantId: { $in: [qualified tenant IDs] } }` (filtered by level) |
+| Admin without header           | No filter (sees all data via `isAdminBypass`)                       |
+
+## Extending via Module Inheritance
+
+```typescript
+@Injectable()
+export class TenantService extends CoreTenantService {
+  override async addMember(tenantId: string, userId: string, role?: string) {
+    const member = await super.addMember(tenantId, userId, role);
+    await this.notificationService.sendInvite(userId, tenantId);
+    return member;
+  }
+}
+
+// module
+CoreTenantModule.forRoot({ service: TenantService });
+```
+
+## Performance Considerations
+
+The `CoreTenantGuard` resolves tenant memberships (`resolveUserTenantIds()`) on every authenticated request that does not include an `X-Tenant-Id` header. This is necessary so the Mongoose plugin can filter by `{ tenantId: { $in: tenantIds } }`.
+
+For high-frequency endpoints that don't access tenant-scoped data, use `@SkipTenantCheck()` to avoid the membership lookup.
+
+## Security Notes
+
+> **Defense-in-Depth:** The Mongoose tenant plugin uses `tenantId` from `RequestContext`, which is only set by `CoreTenantGuard` after successful membership validation. The raw `X-Tenant-Id` header is **never** used directly for filtering. Even if the guard is bypassed (e.g., via `@SkipTenantCheck()`), the plugin's Safety Net throws `ForbiddenException` when a tenantId-scoped schema is accessed without valid tenant context.
+
+> **Explicit tenantId on writes:** The plugin only auto-sets `tenantId` on new documents when no explicit value is provided. Service-layer code that accepts user-supplied `tenantId` as a creation parameter could allow cross-tenant writes. Never pass user-supplied `tenantId` directly to `create()` or `new Model()`.
+
+### Secured Membership Controller Example
+
+When building a tenant management UI, protect membership endpoints:
+
+```typescript
+@Controller('tenants/:tenantId/members')
+export class TenantMemberController {
+  @Get()
+  @Roles(DefaultHR.MANAGER)
+  async listMembers(@CurrentTenant() tenantId: string) {
+    return this.tenantService.findMemberships(tenantId);
+  }
+
+  @Post()
+  @Roles(DefaultHR.OWNER)
+  async addMember(@CurrentTenant() tenantId: string, @Body() body: AddMemberDto) {
+    return this.tenantService.addMember(tenantId, body.userId, body.role);
+  }
+}
+```
+
+## Related
+
+- [Integration Checklist](./INTEGRATION-CHECKLIST.md)
+- [Configurable Features](../../../.claude/rules/configurable-features.md)
+- [Request Lifecycle](../../../docs/REQUEST-LIFECYCLE.md)

package/src/core/modules/tenant/core-tenant-member.model.ts

@@ -0,0 +1,121 @@
+import { UnauthorizedException } from '@nestjs/common';
+import { ObjectType } from '@nestjs/graphql';
+import { Schema } from '@nestjs/mongoose';
+
+import { Restricted } from '../../common/decorators/restricted.decorator';
+import { UnifiedField } from '../../common/decorators/unified-field.decorator';
+import { RoleEnum } from '../../common/enums/role.enum';
+import { CorePersistenceModel } from '../../common/models/core-persistence.model';
+import { RequestContext } from '../../common/services/request-context.service';
+import { DefaultHR, TenantMemberStatus } from './core-tenant.enums';
+import { checkRoleAccess } from './core-tenant.helpers';
+
+/**
+ * Core tenant member model (join table: User <-> Tenant).
+ *
+ * Represents a user's membership in a tenant with a specific role and status.
+ * This model is automatically excluded from tenant filtering (it is tenant-spanning).
+ *
+ * Projects can extend this model to add custom fields.
+ */
+@ObjectType({ description: 'Tenant membership', isAbstract: true })
+@Restricted(RoleEnum.S_USER)
+@Schema({ timestamps: true })
+export class CoreTenantMemberModel extends CorePersistenceModel {
+  /**
+   * ID of the user who invited this member
+   */
+  @UnifiedField({
+    description: 'ID of the inviting user',
+    isOptional: true,
+    mongoose: { type: String },
+    roles: RoleEnum.S_USER,
+  })
+  invitedBy: string = undefined;
+
+  /**
+   * Date when the user joined the tenant
+   */
+  @UnifiedField({
+    description: 'Date when the user joined',
+    isOptional: true,
+    mongoose: { type: Date },
+    roles: RoleEnum.S_USER,
+    type: Date,
+  })
+  joinedAt: Date = undefined;
+
+  /**
+   * Role within the tenant (string matching a key in the configured role hierarchy)
+   */
+  @UnifiedField({
+    description: 'Tenant role',
+    mongoose: { default: 'member', type: String },
+    roles: RoleEnum.S_USER,
+    type: () => String,
+  })
+  role: string = undefined;
+
+  /**
+   * Membership status
+   */
+  @UnifiedField({
+    description: 'Membership status',
+    mongoose: { default: TenantMemberStatus.ACTIVE, enum: Object.values(TenantMemberStatus), type: String },
+    roles: RoleEnum.S_USER,
+    type: () => String,
+  })
+  status: TenantMemberStatus = undefined;
+
+  /**
+   * Tenant ID (= tenantId for data isolation)
+   */
+  @UnifiedField({
+    description: 'Tenant ID',
+    mongoose: { index: true, type: String },
+    roles: RoleEnum.S_USER,
+  })
+  tenant: string = undefined;
+
+  /**
+   * User ID (reference to User collection)
+   */
+  @UnifiedField({
+    description: 'User ID',
+    mongoose: { index: true, type: String },
+    roles: RoleEnum.S_USER,
+  })
+  user: string = undefined;
+
+  /**
+   * Verification of the user's rights to access the properties of this object.
+   *
+   * Allows access when:
+   * - force mode is enabled
+   * - the requesting user owns this membership (user.id === this.user)
+   * - the requesting user is a system admin
+   * - the requesting user is at least a manager-level member of the same tenant
+   */
+  override securityCheck(user: any, force?: boolean): this {
+    if (force) return this;
+    if (!user) throw new UnauthorizedException('Access to tenant membership denied');
+
+    // Own membership or system admin
+    if (user.id === this.user || user.hasRole?.(RoleEnum.ADMIN)) return this;
+
+    // Tenant manager/owner of the same tenant can view members.
+    // context.tenantId is the guard-validated tenant ID (not the raw header),
+    // see RequestContextMiddleware which reads req.tenantId.
+    const context = RequestContext.get();
+    const tenantRole = context?.tenantRole;
+    if (
+      tenantRole &&
+      checkRoleAccess([DefaultHR.MANAGER], undefined, tenantRole) &&
+      context?.tenantId === this.tenant
+    ) {
+      return this;
+    }
+
+    throw new UnauthorizedException('Access to tenant membership denied');
+  }
+}

package/src/core/modules/tenant/core-tenant.decorators.ts

@@ -0,0 +1,46 @@
+import { createParamDecorator, SetMetadata } from '@nestjs/common';
+
+import { RequestContext } from '../../common/services/request-context.service';
+
+/**
+ * Metadata key for @SkipTenantCheck() decorator.
+ */
+export const SKIP_TENANT_CHECK_KEY = 'skipTenantCheck';
+
+/**
+ * Method/class decorator that opts out of tenant checks for a specific endpoint.
+ * When present, CoreTenantGuard skips all tenant validation and does not set
+ * tenantId or isAdminBypass on the request.
+ *
+ * Use this for endpoints that intentionally work without tenant context,
+ * e.g., listing available tenants, user profile endpoints, etc.
+ *
+ * @example
+ * ```typescript
+ * @SkipTenantCheck()
+ * @Roles(RoleEnum.S_USER)
+ * async listMyTenants() { ... }
+ * ```
+ */
+export const SkipTenantCheck = () => SetMetadata(SKIP_TENANT_CHECK_KEY, true);
+
+/**
+ * Parameter decorator that extracts the validated tenant ID from the current request.
+ * Returns `undefined` if no tenant header is set or the endpoint has @SkipTenantCheck().
+ *
+ * Reads from RequestContext (set by CoreTenantGuard → req.tenantId →
+ * RequestContextMiddleware lazy getter → context.tenantId), so it works
+ * consistently across HTTP and GraphQL without context-type switching.
+ *
+ * @example
+ * ```typescript
+ * @Get('projects')
+ * @Roles(DefaultHR.MEMBER)
+ * async listProjects(@CurrentTenant() tenantId: string | undefined) {
+ *   // tenantId comes from X-Tenant-Id header, validated by CoreTenantGuard
+ * }
+ * ```
+ */
+export const CurrentTenant = createParamDecorator((): string | undefined => {
+  return RequestContext.get()?.tenantId;
+});