Release April 03, 2026 — FAC-107–112: Moodle Sync Fixes, Dean Promotion, Versioned Questionnaires & Role Derivation (#267)

* fix: docker url binding (#245) (#246)

* FAC-107 fix: populate campus, program, and department on users during sync and login#251 (#252)

Closes #247

The user table's campus_id, program_id, and department_id columns were
never populated. This adds scope field derivation in two code paths:

- Enrollment sync: new backfillUserScopes() phase runs after enrollment
  upserts, deriving fields from the course → program → department chain
  for all synced users.

- Login hydration: new deriveUserScopes() sets scope fields before
  persisting the user, ensuring immediate consistency on login.

Campus uses a two-tier strategy: username prefix lookup (covers most
Moodle users) with a fallback to the category hierarchy for
non-standard usernames.

Also exposes program and department in the GET /auth/me response and
adds them to the UserLoader populate list.

* FAC-108 fix: bullmq queue prefix isolation (#254) (#255)

* FAC-109 feat: streamline dean promotion flow (#256) (#257)

* feat: add dean-eligible categories endpoint for streamlined dean promotion

Add GET /admin/institutional-roles/dean-eligible-categories?userId=<uuid>
that resolves a user's CHAIRPERSON roles up the Moodle category tree to
eligible depth-3 department categories, enabling the admin console to
replace a raw number input with a proper dropdown for DEAN assignment.

Closes #249

* docs: add tech-spec for dean promotion flow

* FAC-110 feat: add admin endpoint for detailed info about a single user (#258) (#259)

Add GET /admin/users/:id endpoint (SUPER_ADMIN only) returning full user
profile with active enrollments and institutional role assignments.

- New AdminUserDetailResponseDto with enrollment and institutional role sub-DTOs
- Enrollments filtered by isActive and course.isActive to exclude stale data
- Institutional roles include moodleCategory context (name, depth, source)
- ParseUUIDPipe validates path param; parallel queries via Promise.all
- 32 tests passing (6 new), lint clean

* FAC-111 feat: add questionnaire version templating (#261) (#262)

* FAC-111 feat: add questionnaire version templating

Add POST /questionnaires/:id/versions/from-template endpoint that
deep-copies schemaSnapshot from an existing version into a new DRAFT
version. Wrapped in UnitOfWork transaction with validation for archived
questionnaires, same-questionnaire ownership, draft-source rejection,
and single-draft enforcement.

* chore: add tech-spec for questionnaire version templating

* FAC-112 feat: derive user roles during Moodle sync (#265) (#266)

* FAC-112 feat: derive user roles during Moodle sync

Add Phase 5 to enrollment sync pipeline that derives user roles
from existing enrollment and institutional role data, eliminating
the requirement for users to log in before roles appear.

- Add protected-roles guard to updateRolesFromEnrollments() to
  preserve SUPER_ADMIN and ADMIN roles through derivation
- Add deriveUserRoles() to EnrollmentSyncService with batch-load,
  group-by-user, and always-flush pattern
- Wire Phase 5 after backfillUserScopes() with non-fatal error handling
- Add 10 unit tests for role derivation logic
- Fix pre-existing lint error in questionnaire-types.spec.ts

Closes #264

* chore: add tech-spec for derive-roles-during-sync

Author: y4nder

_bmad-output/implementation-artifacts/tech-spec-admin-user-detail.md

@@ -7,6 +7,8 @@ services:
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in shell env}
       POSTGRES_DB: postgres
     command: postgres -c shared_buffers=512MB -c work_mem=8MB
+    ports:
+      - '127.0.0.1:5432:5432'
     volumes:
       - pg_data:/var/lib/postgresql/data
       - ./deploy/postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro

_bmad-output/implementation-artifacts/tech-spec-derive-roles-during-sync.md

@@ -0,0 +1,113 @@
+import { User } from './user.entity';
+import { UserRole } from '../modules/auth/roles.enum';
+import { Enrollment } from './enrollment.entity';
+import { UserInstitutionalRole } from './user-institutional-role.entity';
+
+function stubEnrollment(role: string, isActive = true): Enrollment {
+  return { role, isActive } as unknown as Enrollment;
+}
+
+function stubInstRole(role: string): UserInstitutionalRole {
+  return { role } as unknown as UserInstitutionalRole;
+}
+
+describe('User.updateRolesFromEnrollments', () => {
+  let user: User;
+
+  beforeEach(() => {
+    user = new User();
+    user.roles = [];
+  });
+
+  it('should preserve SUPER_ADMIN alongside enrollment-derived roles', () => {
+    user.roles = [UserRole.SUPER_ADMIN];
+
+    user.updateRolesFromEnrollments([stubEnrollment('student')]);
+
+    expect(user.roles).toEqual(
+      expect.arrayContaining([UserRole.SUPER_ADMIN, UserRole.STUDENT]),
+    );
+    expect(user.roles).toHaveLength(2);
+  });
+
+  it('should preserve ADMIN alongside enrollment-derived roles', () => {
+    user.roles = [UserRole.ADMIN];
+
+    user.updateRolesFromEnrollments([stubEnrollment('editingteacher')]);
+
+    expect(user.roles).toEqual(
+      expect.arrayContaining([UserRole.ADMIN, UserRole.FACULTY]),
+    );
+    expect(user.roles).toHaveLength(2);
+  });
+
+  it('should derive roles from enrollments without protected roles', () => {
+    user.updateRolesFromEnrollments([
+      stubEnrollment('student'),
+      stubEnrollment('editingteacher'),
+    ]);
+
+    expect(user.roles).toEqual(
+      expect.arrayContaining([UserRole.STUDENT, UserRole.FACULTY]),
+    );
+    expect(user.roles).toHaveLength(2);
+  });
+
+  it('should keep SUPER_ADMIN when no enrollments and no institutional roles', () => {
+    user.roles = [UserRole.SUPER_ADMIN];
+
+    user.updateRolesFromEnrollments([]);
+
+    expect(user.roles).toEqual([UserRole.SUPER_ADMIN]);
+  });
+
+  it('should include both enrollment and institutional roles', () => {
+    user.updateRolesFromEnrollments(
+      [stubEnrollment('teacher')],
+      [stubInstRole(UserRole.DEAN)],
+    );
+
+    expect(user.roles).toEqual(
+      expect.arrayContaining([UserRole.FACULTY, UserRole.DEAN]),
+    );
+    expect(user.roles).toHaveLength(2);
+  });
+
+  it('should map manager enrollment role to DEAN via MoodleRoleMapping', () => {
+    user.updateRolesFromEnrollments([stubEnrollment('manager')]);
+
+    expect(user.roles).toEqual(expect.arrayContaining([UserRole.DEAN]));
+    expect(user.roles).toHaveLength(1);
+  });
+
+  it('should return empty roles when no protected roles, no enrollments, no institutional roles', () => {
+    user.updateRolesFromEnrollments([]);
+
+    expect(user.roles).toEqual([]);
+  });
+
+  it('should ignore inactive enrollments', () => {
+    user.updateRolesFromEnrollments([
+      stubEnrollment('student', false),
+      stubEnrollment('editingteacher', false),
+    ]);
+
+    expect(user.roles).toEqual([]);
+  });
+
+  it('should deduplicate roles from multiple enrollments with the same role', () => {
+    user.updateRolesFromEnrollments([
+      stubEnrollment('student'),
+      stubEnrollment('student'),
+      stubEnrollment('student'),
+    ]);
+
+    expect(user.roles).toEqual([UserRole.STUDENT]);
+  });
+
+  it('should fall back to uppercased role string for unknown Moodle roles', () => {
+    user.updateRolesFromEnrollments([stubEnrollment('coursecreator')]);
+
+    expect(user.roles).toEqual(['COURSECREATOR']);
+  });
+});

_bmad-output/implementation-artifacts/tech-spec-questionnaire-version-templating.md

@@ -94,6 +94,10 @@ export class User extends CustomBaseEntity {
     enrollments: Enrollment[],
     institutionalRoles: UserInstitutionalRole[] = [],
   ) {
+    const protectedRoles = this.roles.filter(
+      (r) => r === UserRole.SUPER_ADMIN || r === UserRole.ADMIN,
+    );
+
     const enrollmentRoles = enrollments
       .filter((e) => e.isActive)
       .map(
@@ -108,8 +112,8 @@ export class User extends CustomBaseEntity {
         (ir.role.toUpperCase() as unknown as UserRole),
     );
 
-    this.roles = [...new Set([...enrollmentRoles, ...instRoles])].filter(
-      Boolean,
-    );
+    this.roles = [
+      ...new Set([...protectedRoles, ...enrollmentRoles, ...instRoles]),
+    ].filter(Boolean);
   }
 }

_bmad-output/implementation-artifacts/tech-spec-streamline-dean-promotion.md

@@ -21,6 +21,7 @@ describe('AdminController', () => {
           currentPage: 1,
         },
       }),
+      GetUserDetail: jest.fn().mockResolvedValue({}),
     };
 
     const module: TestingModule = await Test.createTestingModule({
@@ -41,6 +42,12 @@ describe('AdminController', () => {
     controller = module.get(AdminController);
   });
 
+  it('should delegate user detail to the admin service', async () => {
+    await controller.GetUserDetail('user-1');
+
+    expect(adminService.GetUserDetail).toHaveBeenCalledWith('user-1');
+  });
+
   it('should delegate user listing to the admin service', async () => {
     const query: ListUsersQueryDto = {
       search: 'john',

docker-compose.deploy.yml

@@ -1,7 +1,17 @@
-import { Body, Controller, Delete, Get, Post, Query } from '@nestjs/common';
+import {
+  Body,
+  Controller,
+  Delete,
+  Get,
+  Param,
+  ParseUUIDPipe,
+  Post,
+  Query,
+} from '@nestjs/common';
 import {
   ApiBearerAuth,
   ApiOperation,
+  ApiParam,
   ApiQuery,
   ApiResponse,
   ApiTags,
@@ -12,7 +22,10 @@ import { AdminService } from './services/admin.service';
 import { AssignInstitutionalRoleDto } from './dto/requests/assign-institutional-role.request.dto';
 import { RemoveInstitutionalRoleDto } from './dto/requests/remove-institutional-role.request.dto';
 import { ListUsersQueryDto } from './dto/requests/list-users-query.dto';
+import { DeanEligibleCategoriesQueryDto } from './dto/requests/dean-eligible-categories-query.dto';
+import { AdminUserDetailResponseDto } from './dto/responses/admin-user-detail.response.dto';
 import { AdminUserListResponseDto } from './dto/responses/admin-user-list.response.dto';
+import { DeanEligibleCategoryResponseDto } from './dto/responses/dean-eligible-category.response.dto';
 
 @ApiTags('Admin')
 @Controller('admin')
@@ -86,6 +99,36 @@ export class AdminController {
     return this.adminService.ListUsers(query);
   }
 
+  @Get('users/:id')
+  @ApiOperation({ summary: 'Get detailed information about a single user' })
+  @ApiParam({ name: 'id', type: String, description: 'User UUID' })
+  @ApiResponse({ status: 200, type: AdminUserDetailResponseDto })
+  @ApiResponse({ status: 400, description: 'Invalid UUID format' })
+  @ApiResponse({ status: 404, description: 'User not found' })
+  async GetUserDetail(
+    @Param('id', ParseUUIDPipe) id: string,
+  ): Promise<AdminUserDetailResponseDto> {
+    return this.adminService.GetUserDetail(id);
+  }
+
+  @Get('institutional-roles/dean-eligible-categories')
+  @ApiOperation({
+    summary: 'List eligible department categories for DEAN promotion',
+  })
+  @ApiQuery({
+    name: 'userId',
+    required: true,
+    type: String,
+    description: 'UUID of the user to check eligibility for',
+  })
+  @ApiResponse({ status: 200, type: [DeanEligibleCategoryResponseDto] })
+  @ApiResponse({ status: 404, description: 'User not found' })
+  async GetDeanEligibleCategories(
+    @Query() query: DeanEligibleCategoriesQueryDto,
+  ): Promise<DeanEligibleCategoryResponseDto[]> {
+    return this.adminService.GetDeanEligibleCategories(query.userId);
+  }
+
   @Post('institutional-roles')
   @ApiOperation({
     summary: 'Assign an institutional role (DEAN/CHAIRPERSON) to a user',

src/entities/user.entity.spec.ts

@@ -1,7 +1,9 @@
 import { Module } from '@nestjs/common';
 import { MikroOrmModule } from '@mikro-orm/nestjs';
 import { Campus } from 'src/entities/campus.entity';
+import { Course } from 'src/entities/course.entity';
 import { Department } from 'src/entities/department.entity';
+import { Enrollment } from 'src/entities/enrollment.entity';
 import { MoodleCategory } from 'src/entities/moodle-category.entity';
 import { Program } from 'src/entities/program.entity';
 import { Semester } from 'src/entities/semester.entity';
@@ -16,7 +18,9 @@ import { AdminFiltersService } from './services/admin-filters.service';
   imports: [
     MikroOrmModule.forFeature([
       Campus,
+      Course,
       Department,
+      Enrollment,
       MoodleCategory,
       Program,
       Semester,