API - NestJS REST API
Main backend. Exposes all business logic via REST. Producer only (never consumes from RabbitMQ).
What Agents Get Wrong
- Controllers are thin: business logic goes in use cases, not controllers
- Auth has multiple methods: JWT, CLI keys (
Bearer kodus_*), OAuth, SAML SSO. Public endpoints use@Public()decorator - Authorization uses
@CheckPolicies()+PolicyGuard, not custom guards. Repo-level checks usecheckRepoPermissions()withrepo.keyfrom query/body - Request context comes from
@Inject(REQUEST)— userequest.user.organization.uuidfor tenant isolation - Database migrations live in
libs/core/src/infrastructure/migrations, not inside the API app - Dry-run endpoints use SSE (Server-Sent Events) for streaming, not WebSockets
- Swagger docs are optional and protected by basic auth (
API_DOCS_ENABLEDenv var)