@quanticjs/core 1.1.1

package/dist/events/OutboxPublisherService.js

@@ -0,0 +1,104 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var OutboxPublisherService_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OutboxPublisherService = void 0;
+const common_1 = require("@nestjs/common");
+const typeorm_1 = require("typeorm");
+const OutboxEvent_entity_1 = require("./OutboxEvent.entity");
+const RedisStreamPublisher_1 = require("./RedisStreamPublisher");
+const POLL_INTERVAL_MS = 100;
+const BATCH_SIZE = 50;
+const MAX_PUBLISH_ATTEMPTS = 5;
+const DLQ_STREAM = 'arex:events:dlq';
+let OutboxPublisherService = OutboxPublisherService_1 = class OutboxPublisherService {
+    dataSource;
+    redisPublisher;
+    logger = new common_1.Logger(OutboxPublisherService_1.name);
+    timer = null;
+    processing = false;
+    constructor(dataSource, redisPublisher) {
+        this.dataSource = dataSource;
+        this.redisPublisher = redisPublisher;
+    }
+    onModuleInit() {
+        this.timer = setInterval(() => this.pollAndPublish(), POLL_INTERVAL_MS);
+        this.logger.log(`Outbox publisher started (${POLL_INTERVAL_MS}ms poll interval)`);
+    }
+    onModuleDestroy() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = null;
+        }
+        this.logger.log('Outbox publisher stopped');
+    }
+    async pollAndPublish() {
+        if (this.processing)
+            return;
+        this.processing = true;
+        try {
+            const repo = this.dataSource.getRepository(OutboxEvent_entity_1.OutboxEvent);
+            const events = await repo.find({
+                where: { status: OutboxEvent_entity_1.OutboxEventStatus.Pending },
+                order: { createdAt: 'ASC' },
+                take: BATCH_SIZE,
+            });
+            for (const event of events) {
+                try {
+                    await this.redisPublisher.publishToStream(event.streamKey, {
+                        eventId: event.id,
+                        eventType: event.eventType,
+                        aggregateId: event.aggregateId,
+                        organizationId: event.organizationId || '',
+                        payload: JSON.stringify(event.payload),
+                        occurredAt: event.createdAt.toISOString(),
+                    });
+                    event.status = OutboxEvent_entity_1.OutboxEventStatus.Published;
+                    event.publishedAt = new Date();
+                    await repo.save(event);
+                }
+                catch (error) {
+                    event.publishAttempts += 1;
+                    event.lastError = error.message;
+                    if (event.publishAttempts >= MAX_PUBLISH_ATTEMPTS) {
+                        event.status = OutboxEvent_entity_1.OutboxEventStatus.Failed;
+                        this.logger.error(`Event ${event.id} exceeded max attempts, routing to DLQ`);
+                        try {
+                            await this.redisPublisher.publishToStream(DLQ_STREAM, {
+                                eventId: event.id,
+                                eventType: event.eventType,
+                                aggregateId: event.aggregateId,
+                                error: event.lastError || 'unknown',
+                                payload: JSON.stringify(event.payload),
+                            });
+                        }
+                        catch {
+                            this.logger.error(`Failed to route event ${event.id} to DLQ`);
+                        }
+                    }
+                    await repo.save(event);
+                }
+            }
+        }
+        catch (error) {
+            this.logger.error('Outbox poll cycle failed', error.stack);
+        }
+        finally {
+            this.processing = false;
+        }
+    }
+};
+exports.OutboxPublisherService = OutboxPublisherService;
+exports.OutboxPublisherService = OutboxPublisherService = OutboxPublisherService_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [typeorm_1.DataSource,
+        RedisStreamPublisher_1.RedisStreamPublisher])
+], OutboxPublisherService);

package/dist/events/RedisStreamConsumer.d.ts

@@ -0,0 +1,43 @@
+import { Logger, OnModuleInit, OnModuleDestroy } from '@nestjs/common';
+import type { Redis } from 'ioredis';
+/**
+ * Abstract base class for Redis Stream consumer groups.
+ *
+ * Subclasses declare `streamKey`, `consumerGroup`, `consumerName`
+ * and implement `handleMessage(fields)`.
+ *
+ * Lifecycle:
+ *  - OnModuleInit: creates consumer group (idempotent), starts read loop
+ *  - OnModuleDestroy: stops the read loop gracefully, disconnects dedicated client
+ *
+ * Connection strategy:
+ *  - Shared REDIS_CLIENT: used for non-blocking ops (XGROUP CREATE, XACK)
+ *  - Dedicated cloned connection: used ONLY for blocking XREADGROUP BLOCK calls
+ *  - This prevents blocking consumers from starving non-blocking callers
+ *    (cache, distributed locks, publishers) that share the main REDIS_CLIENT.
+ *
+ * Features:
+ *  - Auto-creates consumer group via XGROUP CREATE ... MKSTREAM
+ *  - Recovers pending (unacked) messages on startup before reading new ones
+ *  - XREADGROUP BLOCK for efficient new-message polling (on dedicated connection)
+ *  - XACK after successful processing (on shared connection)
+ *  - Graceful shutdown (finishes in-flight message, disconnects dedicated client)
+ */
+export declare abstract class RedisStreamConsumer implements OnModuleInit, OnModuleDestroy {
+    protected readonly redis?: Redis | undefined;
+    protected readonly logger: Logger;
+    abstract readonly streamKey: string;
+    abstract readonly consumerGroup: string;
+    abstract readonly consumerName: string;
+    /** Override to filter by eventType. Return true to process. Default: all messages. */
+    protected shouldHandle(_fields: Record<string, string>): boolean;
+    abstract handleMessage(fields: Record<string, string>): Promise<void>;
+    private running;
+    /** Dedicated connection for blocking XREADGROUP — cloned from shared client on init */
+    private blockingClient?;
+    constructor(redis?: Redis | undefined);
+    onModuleInit(): Promise<void>;
+    onModuleDestroy(): Promise<void>;
+    private consumeLoop;
+    private readMessages;
+}

package/dist/events/RedisStreamConsumer.js

@@ -0,0 +1,158 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisStreamConsumer = void 0;
+const common_1 = require("@nestjs/common");
+const constants_1 = require("../cqrs/constants");
+/**
+ * Abstract base class for Redis Stream consumer groups.
+ *
+ * Subclasses declare `streamKey`, `consumerGroup`, `consumerName`
+ * and implement `handleMessage(fields)`.
+ *
+ * Lifecycle:
+ *  - OnModuleInit: creates consumer group (idempotent), starts read loop
+ *  - OnModuleDestroy: stops the read loop gracefully, disconnects dedicated client
+ *
+ * Connection strategy:
+ *  - Shared REDIS_CLIENT: used for non-blocking ops (XGROUP CREATE, XACK)
+ *  - Dedicated cloned connection: used ONLY for blocking XREADGROUP BLOCK calls
+ *  - This prevents blocking consumers from starving non-blocking callers
+ *    (cache, distributed locks, publishers) that share the main REDIS_CLIENT.
+ *
+ * Features:
+ *  - Auto-creates consumer group via XGROUP CREATE ... MKSTREAM
+ *  - Recovers pending (unacked) messages on startup before reading new ones
+ *  - XREADGROUP BLOCK for efficient new-message polling (on dedicated connection)
+ *  - XACK after successful processing (on shared connection)
+ *  - Graceful shutdown (finishes in-flight message, disconnects dedicated client)
+ */
+let RedisStreamConsumer = class RedisStreamConsumer {
+    redis;
+    logger = new common_1.Logger(this.constructor.name);
+    /** Override to filter by eventType. Return true to process. Default: all messages. */
+    shouldHandle(_fields) {
+        return true;
+    }
+    running = false;
+    /** Dedicated connection for blocking XREADGROUP — cloned from shared client on init */
+    blockingClient;
+    constructor(redis) {
+        this.redis = redis;
+    }
+    async onModuleInit() {
+        if (!this.redis) {
+            this.logger.warn('Redis client not available — consumer disabled');
+            return;
+        }
+        // Clone a dedicated connection for blocking reads.
+        // This prevents XREADGROUP BLOCK from starving cache/lock/publish ops on the shared client.
+        this.blockingClient = this.redis.duplicate();
+        this.blockingClient.on('error', (err) => this.logger.error(`Blocking client error on ${this.streamKey}: ${err.message}`));
+        // Create consumer group (idempotent) — uses shared client (non-blocking)
+        try {
+            await this.redis.xgroup('CREATE', this.streamKey, this.consumerGroup, '0', 'MKSTREAM');
+            this.logger.log(`Created consumer group "${this.consumerGroup}" on "${this.streamKey}"`);
+        }
+        catch (err) {
+            if (!err.message?.includes('BUSYGROUP')) {
+                throw err;
+            }
+            // Group already exists — fine
+        }
+        this.running = true;
+        // Process pending messages first, then new ones
+        // Run in background so NestJS startup isn't blocked
+        void this.consumeLoop();
+    }
+    async onModuleDestroy() {
+        this.running = false;
+        // Disconnect the dedicated blocking client
+        if (this.blockingClient) {
+            this.blockingClient.disconnect();
+            this.blockingClient = undefined;
+        }
+    }
+    async consumeLoop() {
+        // Phase 1: recover pending (unacked) messages
+        await this.readMessages('0');
+        // Phase 2: read new messages
+        while (this.running) {
+            await this.readMessages('>');
+        }
+    }
+    async readMessages(id) {
+        if (!this.redis || !this.blockingClient || !this.running)
+            return;
+        try {
+            const blockMs = id === '>' ? 5000 : undefined;
+            const args = [
+                'GROUP',
+                this.consumerGroup,
+                this.consumerName,
+                'COUNT',
+                '10',
+            ];
+            if (blockMs !== undefined) {
+                args.push('BLOCK', blockMs);
+            }
+            args.push('STREAMS', this.streamKey, id);
+            // Use dedicated blocking client for XREADGROUP — never the shared REDIS_CLIENT
+            const results = await this.blockingClient.xreadgroup(...args);
+            if (!results || results.length === 0) {
+                if (id === '0')
+                    return; // No pending — switch to new messages
+                return;
+            }
+            const [, entries] = results[0];
+            if (entries.length === 0 && id === '0') {
+                return; // All pending recovered
+            }
+            for (const [messageId, fieldArray] of entries) {
+                // Parse flat field array into Record
+                const fields = {};
+                for (let i = 0; i < fieldArray.length; i += 2) {
+                    fields[fieldArray[i]] = fieldArray[i + 1];
+                }
+                if (!this.shouldHandle(fields)) {
+                    // Ack and skip — uses shared client (non-blocking)
+                    await this.redis.xack(this.streamKey, this.consumerGroup, messageId);
+                    continue;
+                }
+                try {
+                    await this.handleMessage(fields);
+                    // XACK on shared client — non-blocking
+                    await this.redis.xack(this.streamKey, this.consumerGroup, messageId);
+                }
+                catch (err) {
+                    this.logger.error(`Failed to process message ${messageId} on ${this.streamKey}: ${err.message}`, err.stack);
+                    // Don't ack — message stays pending for retry on next startup
+                }
+            }
+        }
+        catch (err) {
+            if (!this.running)
+                return; // Shutdown in progress
+            this.logger.error(`Consumer read error on ${this.streamKey}: ${err.message}`, err.stack);
+            // Back off before retrying
+            await new Promise((r) => setTimeout(r, 2000));
+        }
+    }
+};
+exports.RedisStreamConsumer = RedisStreamConsumer;
+exports.RedisStreamConsumer = RedisStreamConsumer = __decorate([
+    __param(0, (0, common_1.Optional)()),
+    __param(0, (0, common_1.Inject)(constants_1.REDIS_CLIENT)),
+    __metadata("design:paramtypes", [Function])
+], RedisStreamConsumer);

package/dist/events/RedisStreamPublisher.d.ts

@@ -0,0 +1,9 @@
+import type { Redis } from 'ioredis';
+import { DomainEvent } from './DomainEvent';
+export declare class RedisStreamPublisher {
+    private readonly redis?;
+    private readonly logger;
+    constructor(redis?: Redis | undefined);
+    publish(event: DomainEvent): Promise<void>;
+    publishToStream(streamKey: string, fields: Record<string, string>): Promise<string | null>;
+}

package/dist/events/RedisStreamPublisher.js

@@ -0,0 +1,60 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var RedisStreamPublisher_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RedisStreamPublisher = void 0;
+const common_1 = require("@nestjs/common");
+const constants_1 = require("../cqrs/constants");
+const MAX_STREAM_LENGTH = 10000;
+let RedisStreamPublisher = RedisStreamPublisher_1 = class RedisStreamPublisher {
+    redis;
+    logger = new common_1.Logger(RedisStreamPublisher_1.name);
+    constructor(redis) {
+        this.redis = redis;
+    }
+    async publish(event) {
+        if (!this.redis) {
+            this.logger.warn('Redis client not available, skipping event publish');
+            return;
+        }
+        await this.publishToStream(event.streamKey, {
+            eventId: event.eventId,
+            eventType: event.eventType,
+            aggregateId: event.aggregateId,
+            organizationId: event.organizationId || '',
+            payload: JSON.stringify(event.payload),
+            occurredAt: event.occurredAt.toISOString(),
+        });
+    }
+    async publishToStream(streamKey, fields) {
+        if (!this.redis)
+            return null;
+        try {
+            const messageId = await this.redis.xadd(streamKey, 'MAXLEN', '~', String(MAX_STREAM_LENGTH), '*', ...Object.entries(fields).flat());
+            this.logger.debug(`Published to ${streamKey}: ${messageId}`);
+            return messageId;
+        }
+        catch (error) {
+            this.logger.error(`Failed to publish to ${streamKey}`, error.stack);
+            throw error;
+        }
+    }
+};
+exports.RedisStreamPublisher = RedisStreamPublisher;
+exports.RedisStreamPublisher = RedisStreamPublisher = RedisStreamPublisher_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Optional)()),
+    __param(0, (0, common_1.Inject)(constants_1.REDIS_CLIENT)),
+    __metadata("design:paramtypes", [Function])
+], RedisStreamPublisher);

package/dist/filters/GlobalExceptionFilter.d.ts

@@ -0,0 +1,11 @@
+import { ExceptionFilter, ArgumentsHost } from '@nestjs/common';
+/**
+ * Global exception filter for framework-level exceptions (guards, pipes, throttler).
+ * Result<T> errors are handled by ResultInterceptor — they never reach this filter.
+ */
+export declare class GlobalExceptionFilter implements ExceptionFilter {
+    private readonly logger;
+    private readonly isProduction;
+    catch(exception: unknown, host: ArgumentsHost): void;
+    private toProblemDetails;
+}

package/dist/filters/GlobalExceptionFilter.js

@@ -0,0 +1,102 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var GlobalExceptionFilter_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GlobalExceptionFilter = void 0;
+const common_1 = require("@nestjs/common");
+const throttler_1 = require("@nestjs/throttler");
+const CorrelationStore_1 = require("../middleware/CorrelationStore");
+/**
+ * Global exception filter for framework-level exceptions (guards, pipes, throttler).
+ * Result<T> errors are handled by ResultInterceptor — they never reach this filter.
+ */
+let GlobalExceptionFilter = GlobalExceptionFilter_1 = class GlobalExceptionFilter {
+    logger = new common_1.Logger(GlobalExceptionFilter_1.name);
+    isProduction = process.env.NODE_ENV === 'production';
+    catch(exception, host) {
+        const ctx = host.switchToHttp();
+        const request = ctx.getRequest();
+        const response = ctx.getResponse();
+        const correlationId = CorrelationStore_1.correlationStore.getStore()?.correlationId;
+        if (response.headersSent)
+            return;
+        if (correlationId) {
+            response.setHeader('X-Correlation-ID', correlationId);
+        }
+        const problem = this.toProblemDetails(exception, correlationId, request.originalUrl);
+        if (problem.retryAfter) {
+            response.setHeader('Retry-After', String(problem.retryAfter));
+        }
+        this.logger.error({
+            msg: `${problem.status} ${problem.title}`,
+            correlationId,
+            status: problem.status,
+            detail: problem.detail,
+        });
+        response
+            .status(problem.status)
+            .setHeader('Content-Type', 'application/problem+json')
+            .json(problem);
+    }
+    toProblemDetails(exception, correlationId, instance) {
+        // ThrottlerException → 429
+        if (exception instanceof throttler_1.ThrottlerException) {
+            return {
+                type: 'https://arex.dev/errors/RATE_LIMITED',
+                title: 'Too Many Requests',
+                status: 429,
+                detail: 'Rate limit exceeded. Please retry later.',
+                instance,
+                correlationId,
+                retryAfter: 60,
+            };
+        }
+        // NestJS HttpException (guards, pipes, etc.)
+        if (exception instanceof common_1.HttpException) {
+            const status = exception.getStatus();
+            const exceptionResponse = exception.getResponse();
+            const detail = typeof exceptionResponse === 'string'
+                ? exceptionResponse
+                : exceptionResponse.message;
+            if (status === 400 && Array.isArray(detail)) {
+                return {
+                    type: 'https://arex.dev/errors/VALIDATION_ERROR',
+                    title: 'Validation Error',
+                    status: 400,
+                    detail: 'One or more validation errors occurred.',
+                    instance,
+                    correlationId,
+                    errors: detail.map((msg) => ({ message: msg })),
+                };
+            }
+            return {
+                type: `https://arex.dev/errors/HTTP_${status}`,
+                title: exception.name,
+                status,
+                detail: typeof detail === 'string' ? detail : JSON.stringify(detail),
+                instance,
+                correlationId,
+            };
+        }
+        // Unhandled errors (middleware crashes, etc.)
+        const error = exception instanceof Error ? exception : new Error(String(exception));
+        return {
+            type: 'https://arex.dev/errors/INTERNAL_ERROR',
+            title: 'Internal Server Error',
+            status: 500,
+            detail: this.isProduction ? 'An unexpected error occurred.' : error.message,
+            instance,
+            correlationId,
+            ...(this.isProduction ? {} : { stack: error.stack }),
+        };
+    }
+};
+exports.GlobalExceptionFilter = GlobalExceptionFilter;
+exports.GlobalExceptionFilter = GlobalExceptionFilter = GlobalExceptionFilter_1 = __decorate([
+    (0, common_1.Catch)()
+], GlobalExceptionFilter);

package/dist/guards/JwtAuthGuard.d.ts

@@ -0,0 +1,10 @@
+import { ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+export declare const Public: () => (target: object, _key?: string | symbol, descriptor?: PropertyDescriptor) => void;
+declare const JwtAuthGuard_base: import("@nestjs/passport").Type<import("@nestjs/passport").IAuthGuard>;
+export declare class JwtAuthGuard extends JwtAuthGuard_base {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean | Promise<boolean> | import("rxjs").Observable<boolean>;
+}
+export {};

package/dist/guards/JwtAuthGuard.js

@@ -0,0 +1,46 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtAuthGuard = exports.Public = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const passport_1 = require("@nestjs/passport");
+const IS_PUBLIC_KEY = 'isPublic';
+const Public = () => (target, _key, descriptor) => {
+    if (descriptor) {
+        Reflect.defineMetadata(IS_PUBLIC_KEY, true, descriptor.value);
+    }
+    else {
+        Reflect.defineMetadata(IS_PUBLIC_KEY, true, target);
+    }
+};
+exports.Public = Public;
+let JwtAuthGuard = class JwtAuthGuard extends (0, passport_1.AuthGuard)('jwt') {
+    reflector;
+    constructor(reflector) {
+        super();
+        this.reflector = reflector;
+    }
+    canActivate(context) {
+        const isPublic = this.reflector.getAllAndOverride(IS_PUBLIC_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (isPublic)
+            return true;
+        return super.canActivate(context);
+    }
+};
+exports.JwtAuthGuard = JwtAuthGuard;
+exports.JwtAuthGuard = JwtAuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [core_1.Reflector])
+], JwtAuthGuard);

package/dist/guards/JwtStrategy.d.ts

@@ -0,0 +1,22 @@
+import { Strategy } from 'passport-jwt';
+export interface JwtPayload {
+    sub: string;
+    email: string;
+    realm_access?: {
+        roles: string[];
+    };
+    preferred_username?: string;
+}
+declare const JwtStrategy_base: new (...args: [opt: import("passport-jwt").StrategyOptionsWithRequest] | [opt: import("passport-jwt").StrategyOptionsWithoutRequest]) => Strategy & {
+    validate(...args: any[]): unknown;
+};
+export declare class JwtStrategy extends JwtStrategy_base {
+    constructor();
+    validate(payload: JwtPayload): {
+        keycloakId: string;
+        email: string;
+        roles: string[];
+        username: string | undefined;
+    };
+}
+export {};

package/dist/guards/JwtStrategy.js

@@ -0,0 +1,47 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JwtStrategy = void 0;
+const common_1 = require("@nestjs/common");
+const passport_1 = require("@nestjs/passport");
+const passport_jwt_1 = require("passport-jwt");
+const jwks_rsa_1 = require("jwks-rsa");
+let JwtStrategy = class JwtStrategy extends (0, passport_1.PassportStrategy)(passport_jwt_1.Strategy) {
+    constructor() {
+        const internalUrl = process.env.KEYCLOAK_INTERNAL_URL || process.env.KEYCLOAK_URL || 'http://localhost:8080';
+        const publicUrl = process.env.KEYCLOAK_URL || 'http://localhost:8080';
+        const realm = process.env.KEYCLOAK_REALM || 'arex';
+        super({
+            jwtFromRequest: passport_jwt_1.ExtractJwt.fromAuthHeaderAsBearerToken(),
+            secretOrKeyProvider: (0, jwks_rsa_1.passportJwtSecret)({
+                jwksUri: `${internalUrl}/realms/${realm}/protocol/openid-connect/certs`,
+                cache: true,
+                cacheMaxAge: 600_000,
+                rateLimit: true,
+            }),
+            issuer: `${publicUrl}/realms/${realm}`,
+            algorithms: ['RS256'],
+        });
+    }
+    validate(payload) {
+        return {
+            keycloakId: payload.sub,
+            email: payload.email,
+            roles: payload.realm_access?.roles || [],
+            username: payload.preferred_username,
+        };
+    }
+};
+exports.JwtStrategy = JwtStrategy;
+exports.JwtStrategy = JwtStrategy = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [])
+], JwtStrategy);

package/dist/guards/RolesGuard.d.ts

@@ -0,0 +1,8 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+export declare const Roles: (...roles: string[]) => ClassDecorator & MethodDecorator;
+export declare class RolesGuard implements CanActivate {
+    private readonly reflector;
+    constructor(reflector: Reflector);
+    canActivate(context: ExecutionContext): boolean;
+}