feat: ecosystem member invitation and management API's

[sujitaw]

What

• added API's for member invitation and management

Summary by CodeRabbit

• New Features
  • Added role-based access control for ecosystem resources with support for Ecosystem Lead and Ecosystem Member roles.
  • Enabled inviting members to join ecosystems with invitation status management.
  • Added ability to update organization status within ecosystems.
  • Added functionality to view all organizations and member invitations associated with an ecosystem.
  • Introduced ecosystem-scoped authorization guards for secure resource access.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

📝 Walkthrough

Walkthrough

This PR introduces comprehensive ecosystem membership and invitation management, including new authorization guards for role-based access control, JWT strategy enhancements to propagate ecosystem roles, API endpoints and services for inviting members and managing org status, repository methods for ecosystem operations, database schema refactoring to centralize ecosystem relationships, and email templates for member communications.

Changes

Cohort / File(s)	Summary
Authorization & Security apps/api-gateway/src/authz/authz.module.ts, apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts, apps/api-gateway/src/authz/jwt.strategy.ts	Adds EcosystemRolesGuard implementing CanActivate to enforce role-based ecosystem access with orgId extraction and validation. Enhances JWT strategy to fetch ecosystem roles via EcosystemRepository and propagate them in user details.
API Gateway DTOs apps/api-gateway/src/ecosystem/dtos/delete-ecosystem-users.ts, apps/api-gateway/src/ecosystem/dtos/ecosystem.ts, apps/api-gateway/src/ecosystem/dtos/send-ecosystem-invitation.ts	Introduces DTOs for ecosystem operations: DeleteEcosystemOrgDto, UpdateEcosystemOrgStatusDto, GetEcosystemInvitationsQueryDto, InviteMemberToEcosystemDto, UpdateEcosystemInvitationDto with validation decorators and transformations.
API Gateway Controller & Service apps/api-gateway/src/ecosystem/ecosystem.controller.ts, apps/api-gateway/src/ecosystem/ecosystem.service.ts, apps/api-gateway/src/ecosystem/ecosystem.module.ts	Adds six new endpoints for ecosystem management: invite-member, update-invitation-status, delete-ecosystem-users, update-org-status, get-ecosystem-orgs, get-member-invitations. Replaces OrgRolesGuard with EcosystemRolesGuard on select endpoints. Imports EcosystemServiceModule and adds delegating service methods.
Ecosystem Microservice apps/ecosystem/src/ecosystem.service.ts, apps/ecosystem/src/ecosystem.controller.ts, apps/ecosystem/src/ecosystem.module.ts	Adds six new MessagePattern handlers for ecosystem operations. Injects OrganizationRepository and UserRepository. Implements invitation creation with email delivery, status updates with org relationship creation, bulk org deletion/status management. Exports EcosystemService and EcosystemRepository.
Repository & Interfaces apps/ecosystem/repositories/ecosystem.repository.ts, apps/ecosystem/interfaces/ecosystem.interfaces.ts	Expands EcosystemRepository with 16 new public methods for user/org/invitation queries and mutations. Introduces 12 new interfaces (IEcosystemUser, IEcosystemOrg, IEcosystemInvitation, IGetAllOrgs, etc.) and types (EcosystemInvitationRoles, PrismaExecutor) for ecosystem operations.
Email Template apps/ecosystem/templates/invite-member-template.ts	Adds InviteMemberToEcosystem class with sendInviteEmailTemplate method generating sanitized HTML email with logo, personalized greeting, and environment-driven branding.
Database Schema libs/prisma-service/prisma/schema.prisma, libs/prisma-service/prisma/migrations/20260114071535_create_ecosystem/migration.sql, libs/prisma-service/prisma/migrations/20260108141409_added_deleted_at_parameter_in_ecosystem_invitation/migration.sql	Refactors ecosystem relationships by removing ecosystem_users table and centralizing via ecosystem_orgs. Adds userId to ecosystem_orgs, type/invitedOrg/deletedAt to ecosystem_invitations. Updates foreign keys and adds composite unique index on ecosystem_invitations(email, ecosystemId).
Enums & Constants libs/enum/src/enum.ts, libs/org-roles/enums/index.ts, libs/common/src/common.constant.ts	Adds InviteType (ECOSYSTEM, MEMBER) and MemberStatus (ACTIVE, INACTIVE) enums. Expands OrgRoles with ECOSYSTEM_LEAD and ECOSYSTEM_MEMBER. Introduces EcosystemRoles enum mirroring OrgRoles ecosystem members. Adds ECOSYSTEM_ROLES constant array.
Response Messages & Module Exports libs/common/src/response-messages/index.ts, apps/organization/src/organization.module.ts, apps/user/src/user.module.ts	Expands ecosystem.success with 20+ new message keys and ecosystem.error with 60+ new error keys for invitation/org operations. Exports OrganizationRepository and UserRepository from their respective modules for cross-module DI.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant APIGateway as API Gateway
    participant Guard as EcosystemRolesGuard
    participant JWTStrategy
    participant EcosystemRepo
    participant EcosystemSvc as Ecosystem Service

    Client->>APIGateway: POST /invite-member (with JWT token)
    APIGateway->>JWTStrategy: Validate token & propagate ecosystemRoles
    JWTStrategy->>EcosystemRepo: getUserByKeycloakId(keycloakId)
    JWTStrategy->>EcosystemRepo: getEcosystemOrgDetailsByUserId(userId)
    JWTStrategy-->>APIGateway: User with ecosystemRoles enriched
    
    APIGateway->>Guard: canActivate(context)
    Guard->>Guard: Extract orgId from params/query
    Guard->>Guard: Validate user has ECOSYSTEM_LEAD role
    Guard-->>APIGateway: Access granted
    
    APIGateway->>EcosystemSvc: inviteMemberToEcosystem(orgId, reqUser, ecosystemId)
    EcosystemSvc->>EcosystemRepo: createEcosystemInvitation(payload)
    EcosystemRepo-->>EcosystemSvc: Invitation created
    EcosystemSvc->>EcosystemSvc: sendInviteEmailTemplate()
    EcosystemSvc-->>APIGateway: { success: true }
    APIGateway-->>Client: 200 OK

Loading

sequenceDiagram
    participant User
    participant APIGateway as API Gateway
    participant EcosystemSvc as Ecosystem Service
    participant EcosystemRepo
    participant Org as Organization Service

    User->>APIGateway: POST /update-invitation-status (accept)
    APIGateway->>EcosystemSvc: updateEcosystemInvitationStatus(status, reqUser, ecosystemId)
    
    EcosystemSvc->>EcosystemRepo: updateEcosystemInvitationStatusByEmail(email, ecosystemId, ACCEPTED)
    EcosystemRepo-->>EcosystemSvc: Invitation updated
    
    alt Invitation Accepted
        EcosystemSvc->>EcosystemRepo: getEcosystemOrgDetailsByUserId(userId, ecosystemId)
        EcosystemSvc->>EcosystemRepo: createEcosystemOrg(IEcosystemOrg)
        EcosystemRepo-->>EcosystemSvc: Org relationship created
        EcosystemSvc->>Org: Associate user with org
    end
    
    EcosystemSvc-->>APIGateway: { success: true }
    APIGateway-->>User: 200 OK

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• feat: ecosystem service and create ecosystem invitation API route #1540 — Implements the same ecosystem membership, invitation, and org management feature surface with parallel changes to controllers, services, repositories, DTOs, enums, and database schema.

Suggested labels

feature

Suggested reviewers

• GHkrishna
• shitrerohit
• RinkalBhojani

Poem

🐰 A rabbit hops through ecosystems new,
Guards check roles with a bounce and view,
Invitations flutter, memberships bloom,
Orgs find their place in the ecosystem room,
In this burrow of trust, we all belong! 🌱

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: ecosystem member invitation and management API's' clearly and accurately describes the main objective of the PR—adding ecosystem member invitation and management APIs. It is specific, concise, and directly reflects the primary changes across the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sujitaw]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

Actionable comments posted: 16

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

🤖 Fix all issues with AI agents

In `@apps/api-gateway/src/authz/authz.module.ts`:
- Line 11: AuthzModule currently imports the backend EcosystemModule directly;
remove that direct import and instead inject the API-gateway EcosystemService
(the local provider that communicates via NATS) into JwtStrategy
(jwt.strategy.ts) and other auth code so JWT validation uses NATS-based
EcosystemService rather than direct EcosystemRepository access; update
JwtStrategy's validation flow to call EcosystemService methods asynchronously
(or use a short-lived cache layer in the API gateway) and remove any references
to EcosystemRepository from the gateway modules to avoid redundant backend
coupling.

In `@apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts`:
- Around line 19-23: The guard mistakenly creates requiredRolesNames via
Object.values(requiredRoles) and then checks requiredRolesNames for undefined;
instead use the array returned by getAllAndOverride directly: remove the
Object.values(...) step, treat requiredRoles as the roles array, and change the
null/undefined check to if (!requiredRoles) return true; locate the logic in the
EcosystemRolesGuard where getAllAndOverride is called (the requiredRoles
variable) and update the usage to reference requiredRoles (and cast to string[]
if needed) rather than requiredRolesNames.
- Around line 90-95: The current map on user.userOrgRoles returns a value only
when orgRoleItem.orgId matches orgId, leaving undefined entries in
user.selectedOrg.orgRoles; change the logic to produce an array of only matching
role names (e.g., filter user.userOrgRoles by matching orgId then map to
orgRoleItem.orgRole.name, or use reduce to push names when orgId matches) and
assign that result to user.selectedOrg.orgRoles (references:
user.selectedOrg.orgRoles, user.userOrgRoles, orgRoleItem, orgId); also remove
the unnecessary eslint-disable-next-line comment once fixed.

In `@apps/api-gateway/src/authz/jwt.strategy.ts`:
- Around line 77-82: The code calls
this.ecosystemRepository.getUserByKeycloakId, getEcosystemDetailsByUserId and
getEcosystemOrgDetailsByUserId without guarding for undefined/null userInfo,
user or ecosystem and without error handling; update jwt.strategy.ts to first
validate userInfo (and payload.email) before calling getUserByKeycloakId, check
that user is non-null before calling getEcosystemDetailsByUserId, and only call
getEcosystemOrgDetailsByUserId if both user and ecosystem exist; wrap these
repository calls in a try/catch and on failures return/throw an appropriate auth
error (e.g., Unauthorized) instead of letting exceptions propagate.

In `@apps/api-gateway/src/ecosystem/ecosystem.controller.ts`:
- Around line 136-138: Replace the generic Error throws checking for reqUser.id
with NestJS BadRequestException to return a 400 response: import
BadRequestException from `@nestjs/common` (if not already) and change the throw in
ecosystem.controller.ts (the blocks validating reqUser.id, including the checks
inside the methods where the current code throws new Error('Missing request user
id') — lines around the request-user validation at the top, and the similar
checks referenced at the other locations) to throw new
BadRequestException('Missing request user id'); apply the same replacement for
the other occurrences noted (the checks at the other validation sites).
- Around line 432-437: Replace the generic Error throws in the validation block
with NestJS BadRequestException so the controller returns 400s instead of 500s:
import BadRequestException from `@nestjs/common`, change the two throw new
Error(...) statements to throw new BadRequestException(...) (fix the typo
"lease" → "least" in the message), and keep the same checks referencing query
and OrgRoles.ECOSYSTEM_LEAD to preserve behavior.
- Around line 396-401: The response is sending HTTP 200 while the JSON body
contains HttpStatus.BAD_REQUEST; update the controller to make the HTTP status
and body consistent by returning res.status(HttpStatus.BAD_REQUEST).json({...})
instead of res.status(HttpStatus.OK).json({...}); locate the code that calls
res.status(HttpStatus.OK).json and adjust it (the block that currently sets
statusCode: HttpStatus.BAD_REQUEST and message:
ResponseMessages.ecosystem.error.ecosystemOrgsFetchFailed) so the outer HTTP
status matches the statusCode in the body.

In `@apps/ecosystem/repositories/ecosystem.repository.ts`:
- Around line 461-472: The getEcosystemOrg method logs errors but swallows them;
update getEcosystemOrg to rethrow the caught error (or throw a new Error with
context) after logging so callers can handle failures; locate the try/catch in
getEcosystemOrg around this.prisma.ecosystem_orgs.findFirst and either throw
error (e.g., throw error) or throw a wrapped Error with a descriptive message
after calling this.logger.error.
- Around line 367-377: The catch block in getUserByKeycloakId incorrectly logs
the wrong function name and swallows errors; update the catch to log a message
referencing getUserByKeycloakId (use this.logger.error with error.message) and
rethrow the error (or throw a new Error/error) after logging so callers don’t
receive undefined; locate the async getUserByKeycloakId(keycloakId: string)
method that calls this.prisma.user.findFirst and modify its catch to both
correct the log text and propagate the caught error.
- Around line 355-365: The catch in getEcosystemDetailsByUserId currently logs
the error via this.logger.error but swallows it, causing the method to resolve
to undefined; update the catch to rethrow the caught error (or throw a new Error
with context) after logging so callers receive a rejected promise, e.g., keep
the this.logger.error(...) call and then throw error; locate the method
getEcosystemDetailsByUserId and the prisma call this.prisma.ecosystem.findFirst
to implement the rethrow.
- Around line 438-446: The catch in createEcosystemOrg logs the error but
swallows it, causing the method to return undefined on failure; update the catch
in createEcosystemOrg (the method that calls this.prisma.ecosystem_orgs.create)
to rethrow the original error (or throw a new descriptive Error) after logging
via this.logger.error so callers receive the failure instead of undefined; keep
the existing log message (include error.message) and then throw the error to
propagate it.

In `@apps/ecosystem/src/ecosystem.service.ts`:
- Around line 273-280: The inviteMemberToEcosystem method currently returns true
when this.emailService.sendEmail(emailData) is truthy but falls through to
undefined when sendEmail returns false, violating the Promise<boolean>
signature; update the logic in inviteMemberToEcosystem around the
this.emailService.sendEmail(emailData) call to explicitly handle the falsy
response (e.g., after if (response) return true; add return false;) or instead
throw a descriptive Error (e.g., throw new Error('Failed to send invite email'))
so the method always resolves/rejects as a boolean per its signature.
- Around line 226-280: In inviteMemberToEcosystem, guard against
platformConfigData being null before accessing platformConfigData.emailFrom:
check platformConfigData after the findFirst call and either (a) provide a safe
fallback (e.g. use a configured default or process.env default) when setting
emailData.emailFrom, or (b) throw a clear
RpcException/HttpStatus.INTERNAL_SERVER_ERROR if platform config is required;
ensure the check occurs before creating EmailDto/emailData and reference
platformConfigData and emailData.emailFrom in the fix so you don't dereference
null.

In `@apps/ecosystem/templates/invite-member-template.ts`:
- Around line 4-6: The template function sendInviteEmailTemplate currently
escapes only email (safeEmail) but interpolates orgName and ecosystemName
directly into the HTML; create escaped variants (e.g., safeOrgName =
escapeHtml(orgName) and safeEcosystemName = escapeHtml(ecosystemName)) and use
those escaped variables wherever orgName and ecosystemName are inserted in the
template so all user-controlled inputs are HTML-escaped before rendering.

In `@libs/prisma-service/prisma/schema.prisma`:
- Line 792: The composite unique on email + ecosystemId is broken because
ecosystemId is nullable (ecosystemId String?) so multiple rows with the same
email and NULL ecosystemId are allowed; fix by either (A) making ecosystemId
required by removing the "?" on the ecosystemId field in the Invitation model so
the existing @@unique([...]) enforces uniqueness, (B) adding a raw SQL migration
that creates a partial unique index (e.g. CREATE UNIQUE INDEX ... ON
"Invitation"(email) WHERE ecosystemId IS NULL OR CREATE UNIQUE INDEX ... ON
"Invitation"(email, COALESCE(ecosystemId,
'00000000-0000-0000-0000-000000000000')) to treat NULLs as a canonical value) or
(C) enforce uniqueness at the application layer by validating in create/update
paths (the service or repository methods that insert Invitations) to prevent
more than one NULL ecosystemId per email; pick one approach and apply it to the
Invitation model/@@unique constraint and migrations accordingly.
- Line 793: The invitedOrg field currently stores a UUID but has no Prisma
relation; update the model that declares invitedOrg (the Invitation-like model
containing invitedOrg String? `@db.Uuid`) to add a `@relation` linking invitedOrg to
organisation.id (include fields and references for the relation and set an
appropriate onDelete behavior such as Cascade or SetNull), and add the inverse
relation field on the organisation model named ecosystem_invitations as an array
of the invitation model to complete the two-way relation and enforce referential
integrity.

🟡 Minor comments (9)

apps/api-gateway/src/ecosystem/dtos/delete-ecosystem-users.ts-14-15 (1)

14-15: Validation messages use singular "orgId" but the property is "orgIds".

For consistency and clarity, update the validation messages to match the property name:

📝 Suggested fix

-  `@IsArray`({ message: 'orgId must be an array' })
-  `@ArrayNotEmpty`({ message: 'orgId cannot be empty' })
+  `@IsArray`({ message: 'orgIds must be an array' })
+  `@ArrayNotEmpty`({ message: 'orgIds cannot be empty' })

apps/api-gateway/src/ecosystem/dtos/ecosystem.ts-14-15 (1)

14-15: Validation messages use singular "orgId" but the property is "orgIds".

Same issue as in DeleteEcosystemOrgDto. Update messages for consistency:

📝 Suggested fix

-  `@IsArray`({ message: 'orgId must be an array' })
-  `@ArrayNotEmpty`({ message: 'orgId cannot be empty' })
+  `@IsArray`({ message: 'orgIds must be an array' })
+  `@ArrayNotEmpty`({ message: 'orgIds cannot be empty' })

apps/ecosystem/repositories/ecosystem.repository.ts-348-352 (1)

348-352: Incorrect error message - copy-paste error.

The error message says getEcosystemDetailsByOrgId but this method is getEcosystemOrgDetailsByUserId.

📝 Suggested fix

     } catch (error) {
-      this.logger.error(`Error in getEcosystemDetailsByOrgId: ${error.message}`);
+      this.logger.error(`Error in getEcosystemOrgDetailsByUserId: ${error.message}`);
       throw error;
     }

apps/api-gateway/src/ecosystem/dtos/ecosystem.ts-41-43 (1)

41-43: Type annotation doesn't match the validation enum.

The role property is typed as EcosystemInvitationRoles but validated against InvitationViewRole. While they resolve to the same underlying values, this creates confusion. Additionally, the @ApiProperty decorator is missing for this required field.

📝 Suggested fix

 export class GetEcosystemInvitationsQueryDto {
+  `@ApiProperty`({ enum: InvitationViewRole, example: InvitationViewRole.ECOSYSTEM_MEMBER })
   `@IsEnum`(InvitationViewRole)
-  role: EcosystemInvitationRoles;
+  role: InvitationViewRole;

libs/common/src/response-messages/index.ts-216-216 (1)

216-216: Fix typo in error message.

signTransactionNotApplicable contains a typo: "aapllicable" should be "applicable".

Proposed fix

-      signTransactionNotApplicable: 'Signing transaction for w3c schema is not aapllicable',
+      signTransactionNotApplicable: 'Signing transaction for w3c schema is not applicable',

libs/common/src/response-messages/index.ts-225-225 (1)

225-225: Fix semantically incorrect error message.

The credentialDefinitionNotFound error message states "Credential definition found" but should indicate it was not found (this is in the error block).

Proposed fix

-      credentialDefinitionNotFound: 'Credential definition found',
+      credentialDefinitionNotFound: 'Credential definition not found',

libs/common/src/response-messages/index.ts-188-192 (1)

188-192: Fix typos in user-facing response messages.

Several ecosystem success messages contain typographical errors that will appear in API responses:

• Line 188: memberInviteSucess → memberInviteSuccess
• Line 190: deletionSuccessfull → deletionSuccessful
• Line 192: ecosytem → ecosystem

Proposed fix

-      memberInviteSucess: 'Invitation sent successfully for the member',
+      memberInviteSuccess: 'Invitation sent successfully for the member',
       updateInvitation: 'Status for ecosystem invitation updated successfully',
-      deletionSuccessfull: 'Record deleted successfully',
+      deletionSuccessful: 'Record deleted successfully',
       userStatusUpdated: 'User status updated successfully',
-      updatedEcosytemOrg: 'Updated ecosytem org successfully',
+      updatedEcosystemOrg: 'Updated ecosystem org successfully',

apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts-44-55 (1)

44-55: Variable shadowing: isPlatformAdmin declared twice.

The inner isPlatformAdmin (Line 46) shadows the outer variable (Line 38), which is confusing and error-prone. The outer check already confirms the condition, so the inner variable should be renamed.

Proposed fix

     if (isPlatformAdmin && requiredRolesNames.includes(OrgRoles.PLATFORM_ADMIN)) {
       // eslint-disable-next-line array-callback-return
-      const isPlatformAdmin = user.userOrgRoles.find((orgDetails) => {
+      const hasPlatformAdminRole = user.userOrgRoles.find((orgDetails) => {
         if (orgDetails.orgRole.name === OrgRoles.PLATFORM_ADMIN) {
           return true;
         }
       });
 
-      if (isPlatformAdmin) {
+      if (hasPlatformAdminRole) {
         return true;
       }
     }

apps/api-gateway/src/ecosystem/ecosystem.controller.ts-185-191 (1)

185-191: Inconsistent HTTP status codes.

The response body specifies HttpStatus.OK but the actual HTTP response uses HttpStatus.CREATED. This inconsistency can confuse API consumers.

Proposed fix

     if (result) {
       const finalResponse: IResponse = {
         statusCode: HttpStatus.OK,
         message: `${ResponseMessages.ecosystem.success.updateInvitation} as ${updateInvitation.status}`
       };
-      return res.status(HttpStatus.CREATED).json(finalResponse);
+      return res.status(HttpStatus.OK).json(finalResponse);
     }

Apply similar fixes at Line 317 (use HttpStatus.OK for DELETE) and Line 354 (use HttpStatus.OK for PUT).

🧹 Nitpick comments (19)

libs/prisma-service/prisma/schema.prisma (1)

791-791: Consider using an enum for the type field.

The type field is a required string without constraints on allowed values. Using an enum improves type safety, enables IDE autocompletion, and prevents invalid data.

Proposed refactor: Define an enum for invitation types

+enum EcosystemInvitationType {
+  MEMBER
+  ORGANIZATION
+  // Add other valid types
+}

 model ecosystem_invitations {
   ...
-  type                String
+  type                EcosystemInvitationType
   ...
 }

libs/enum/src/enum.ts (1)

113-121: Consider aligning casing between EcosystemOrgStatus and MemberStatus.

EcosystemOrgStatus uses uppercase values ('ACTIVE', 'INACTIVE') while MemberStatus uses lowercase ('active', 'inactive'). Both represent similar active/inactive state concepts. This inconsistency could lead to confusion or bugs when handling status comparisons across ecosystem-related logic.

🔧 Suggested alignment

Either make both uppercase:

 export enum MemberStatus {
-  ACTIVE = 'active',
-  INACTIVE = 'inactive'
+  ACTIVE = 'ACTIVE',
+  INACTIVE = 'INACTIVE'
 }

Or make both lowercase (depending on your database/API conventions).

libs/org-roles/enums/index.ts (2)

1-12: Casing inconsistency in OrgRoles values.

The existing roles use lowercase/snake_case ('owner', 'super_admin', 'platform_admin'), but the new ecosystem roles use Title Case with spaces ('Ecosystem Lead', 'Ecosystem Member'). This inconsistency could cause issues with role comparisons, database queries, or API contracts.

🔧 Suggested fix for consistency

 export enum OrgRoles {
   OWNER = 'owner',
   SUPER_ADMIN = 'super_admin',
   ADMIN = 'admin',
   ISSUER = 'issuer',
   VERIFIER = 'verifier',
   HOLDER = 'holder',
   MEMBER = 'member',
   PLATFORM_ADMIN = 'platform_admin',
-  ECOSYSTEM_LEAD = 'Ecosystem Lead',
-  ECOSYSTEM_MEMBER = 'Ecosystem Member'
+  ECOSYSTEM_LEAD = 'ecosystem_lead',
+  ECOSYSTEM_MEMBER = 'ecosystem_member'
 }

Note: If the Title Case values are required by existing database records or external systems, ensure all consumers are updated accordingly.

---

14-17: Remove the unused EcosystemRoles enum from libs/org-roles/enums/index.ts.

The EcosystemRoles enum defined at lines 14-17 is not imported or used anywhere in the codebase. The canonical EcosystemRoles enum is defined in libs/enum/src/enum.ts (lines 99-103) and is actively used in ecosystem service and repository files. Additionally, the two versions differ: the enum in libs/enum includes an ECOSYSTEM_OWNER member that the libs/org-roles version lacks.

Remove the unused enum from libs/org-roles/enums/index.ts to eliminate maintenance confusion and dead code. Keep OrgRoles in that file since it is widely imported and used throughout the codebase.

libs/common/src/common.constant.ts (1)

450-450: Consider deriving ECOSYSTEM_ROLES from the EcosystemRoles enum.

Hardcoding the values creates a maintenance risk—if the enum values change, this array won't automatically update, leading to potential inconsistencies.

🔧 Suggested approach

+import { EcosystemRoles } from '@credebl/enum/enum';
+
-export const ECOSYSTEM_ROLES = ['Ecosystem Lead', 'Ecosystem Member'];
+export const ECOSYSTEM_ROLES = Object.values(EcosystemRoles);

This ensures the constant stays in sync with the enum definition.

apps/ecosystem/interfaces/ecosystem.interfaces.ts (1)

99-121: LGTM with minor suggestion.

The interfaces are well-structured. Consider using the EcosystemInvitationRoles type (defined at line 197) in IEcosystemMemberInvitations.role to avoid duplicating the union type.

🔧 Optional refactor for consistency

Reorder the type alias to appear before its usage, then reference it:

+export type EcosystemInvitationRoles = OrgRoles.ECOSYSTEM_LEAD | OrgRoles.ECOSYSTEM_MEMBER;
+
 export interface IEcosystemMemberInvitations {
-  role: OrgRoles.ECOSYSTEM_LEAD | OrgRoles.ECOSYSTEM_MEMBER;
+  role: EcosystemInvitationRoles;
   ecosystemId?: string;
   email?: string;
   userId?: string;
 }
 
-export type EcosystemInvitationRoles = OrgRoles.ECOSYSTEM_LEAD | OrgRoles.ECOSYSTEM_MEMBER;

apps/api-gateway/src/ecosystem/dtos/send-ecosystem-invitation.ts (2)

32-35: Consider adding Swagger documentation for API consistency.

OrgIdParam lacks @ApiProperty() decorator, unlike other DTOs in this file. For consistent API documentation:

📝 Suggested improvement

 export class OrgIdParam {
+  `@ApiProperty`({ example: '6e672a9c-64f0-4d98-b312-f578f633800b' })
   `@IsUUID`() // or `@IsString`()
   orgId: string;
 }

---

37-53: Remove or document commented-out code.

Commented-out code for batch invitation DTO should either be removed or converted to a TODO with a tracking issue. Leaving dead code can cause confusion for future maintainers.

apps/ecosystem/repositories/ecosystem.repository.ts (1)

685-688: Consider using BadRequestException for consistency.

Other validation errors in this repository use NestJS exceptions. Using plain Error here breaks the pattern:

♻️ Suggested change

     if (OrgRoles.ECOSYSTEM_LEAD === role) {
       if (!ecosystemId) {
-        throw new Error('ecosystemId is required for LEAD');
+        throw new BadRequestException('ecosystemId is required for LEAD');
       }

apps/ecosystem/src/ecosystem.module.ts (1)

39-40: Consider exporting only the service layer.

Exporting EcosystemRepository directly allows other modules to bypass the service layer and access the database directly. This can lead to business logic being scattered across modules. If other modules need specific data access patterns, consider adding methods to EcosystemService instead.

If there's a specific reason for exposing the repository (e.g., shared transaction contexts), this is acceptable, but document the intended usage pattern.

apps/ecosystem/src/ecosystem.service.ts (3)

199-203: Remove or document commented-out code.

This block checking if a user already created an ecosystem is commented out without explanation. If this validation is intentionally removed, delete the dead code. If it's temporarily disabled, add a comment explaining why.

---

191-193: Use appropriate exception type instead of generic Error.

Throwing a plain Error bypasses NestJS exception handling. Consider using NotFoundException or RpcException for consistency with other error handling in this service.

Proposed fix

       if (!user) {
-        throw new Error('Error fetching user');
+        throw new NotFoundException(ResponseMessages.user.error.notFound);
       }

---

322-324: Use appropriate exception type instead of generic Error.

Similar to the earlier issue, this throws a plain Error. Use RpcException or a NestJS exception for consistency.

Proposed fix

         if (!role) {
-          throw new Error('Error fetching ecosystem role');
+          throw new RpcException({ 
+            statusCode: HttpStatus.INTERNAL_SERVER_ERROR, 
+            message: ResponseMessages.ecosystem.error.ecosystemRoleNotMatch 
+          });
         }

apps/ecosystem/templates/invite-member-template.ts (1)

19-41: Add fallbacks for environment variables.

If any of BRAND_LOGO, PLATFORM_NAME, PUBLIC_PLATFORM_SUPPORT_EMAIL, or POWERED_BY are undefined, the email will display "undefined" literally. Consider adding fallback values similar to how it's done in ecosystem.service.ts Line 107.

Example approach

const platformName = process.env.PLATFORM_NAME ?? 'the platform';
const brandLogo = process.env.BRAND_LOGO ?? '';
const supportEmail = process.env.PUBLIC_PLATFORM_SUPPORT_EMAIL ?? '';
const poweredBy = process.env.POWERED_BY ?? '';

apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts (1)

38-38: Fragile platform admin check based on email comparison.

Checking admin status by comparing email to an environment variable is potentially fragile (case sensitivity, email spoofing if not validated elsewhere). The subsequent check on userOrgRoles (Lines 46-50) provides defense-in-depth, but consider relying solely on role-based checks from the JWT claims or database.

apps/ecosystem/src/ecosystem.controller.ts (1)

140-147: Minor formatting: comment block attached to previous method.

The JSDoc comment for getEcosystemMemberInvitations is incorrectly attached to the closing brace of getAllEcosystemOrgsByEcosystemId. Add a newline for clarity.

Proposed fix

   async getAllEcosystemOrgsByEcosystemId(payload: { ecosystemId: string }): Promise<IGetAllOrgs[]> {
     return this.ecosystemService.getAllEcosystemOrgsByEcosystemId(payload.ecosystemId);
-  } /**
+  }
+
+  /**
    * Get Ecosystem member Invitations
    *
    * `@param` payload Contains IEcosystemMemberInvitations

libs/prisma-service/prisma/migrations/20260114071535_create_ecosystem/migration.sql (3)

44-45: Confirm user deletion/anonymization strategy for ecosystem_orgs.userId.

userId is required and the FK is ON DELETE RESTRICT. If user records are ever hard-deleted/anonymized, this will block deletion and retain references. If that’s not intended, consider nullable + ON DELETE SET NULL, or document soft-delete-only policy.

♻️ Optional adjustment (if hard-deletes are allowed)

-    "userId" UUID NOT NULL,
+    "userId" UUID,
...
-ALTER TABLE "ecosystem_orgs" ADD CONSTRAINT "ecosystem_orgs_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+ALTER TABLE "ecosystem_orgs" ADD CONSTRAINT "ecosystem_orgs_userId_fkey" FOREIGN KEY ("userId") REFERENCES "user"("id") ON DELETE SET NULL ON UPDATE CASCADE;

Also applies to: 86-86

---

55-57: Consider DB-level constraints for invitation type and invitedOrg.

type is free-form TEXT and invitedOrg has no FK. If type has a fixed set of values or invitedOrg maps to organisation(id), adding a DB enum/CHECK and/or FK would prevent invalid rows.

♻️ Optional FK (if `invitedOrg` references organisation)

+ALTER TABLE "ecosystem_invitations"
+  ADD CONSTRAINT "ecosystem_invitations_invitedOrg_fkey"
+  FOREIGN KEY ("invitedOrg") REFERENCES "organisation"("id")
+  ON DELETE SET NULL ON UPDATE CASCADE;

---

62-62: Soft-delete + unique index may block re-invites.

With deletedAt present, the unique index on (email, ecosystemId) still applies to soft-deleted rows. If re-inviting after soft delete is expected, use a partial unique index that only covers active rows.

♻️ Suggested partial unique index

-CREATE UNIQUE INDEX "ecosystem_invitations_email_ecosystemId_key" ON "ecosystem_invitations"("email", "ecosystemId");
+CREATE UNIQUE INDEX "ecosystem_invitations_email_ecosystemId_key"
+  ON "ecosystem_invitations"("email", "ecosystemId")
+  WHERE "deletedAt" IS NULL;

Also applies to: 74-74

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 788869f and c48c63c.

📒 Files selected for processing (24)

• apps/api-gateway/src/authz/authz.module.ts
• apps/api-gateway/src/authz/guards/ecosystem-roles.guard.ts
• apps/api-gateway/src/authz/jwt.strategy.ts
• apps/api-gateway/src/ecosystem/dtos/delete-ecosystem-users.ts
• apps/api-gateway/src/ecosystem/dtos/ecosystem.ts
• apps/api-gateway/src/ecosystem/dtos/send-ecosystem-invitation.ts
• apps/api-gateway/src/ecosystem/ecosystem.controller.ts
• apps/api-gateway/src/ecosystem/ecosystem.module.ts
• apps/api-gateway/src/ecosystem/ecosystem.service.ts
• apps/ecosystem/interfaces/ecosystem.interfaces.ts
• apps/ecosystem/repositories/ecosystem.repository.ts
• apps/ecosystem/src/ecosystem.controller.ts
• apps/ecosystem/src/ecosystem.module.ts
• apps/ecosystem/src/ecosystem.service.ts
• apps/ecosystem/templates/invite-member-template.ts
• apps/organization/src/organization.module.ts
• apps/user/src/user.module.ts
• libs/common/src/common.constant.ts
• libs/common/src/response-messages/index.ts
• libs/enum/src/enum.ts
• libs/org-roles/enums/index.ts
• libs/prisma-service/prisma/migrations/20260108141409_added_deleted_at_parameter_in_ecosystem_invitation/migration.sql
• libs/prisma-service/prisma/migrations/20260114071535_create_ecosystem/migration.sql
• libs/prisma-service/prisma/schema.prisma

💤 Files with no reviewable changes (1)

• libs/prisma-service/prisma/migrations/20260108141409_added_deleted_at_parameter_in_ecosystem_invitation/migration.sql

🧰 Additional context used

🧬 Code graph analysis (9)

apps/ecosystem/templates/invite-member-template.ts (1)

libs/common/src/common.utils.ts (1)

• escapeHtml (149-156)

apps/api-gateway/src/ecosystem/ecosystem.module.ts (1)

apps/ecosystem/src/ecosystem.module.ts (1)

• Module (20-42)

apps/api-gateway/src/ecosystem/dtos/send-ecosystem-invitation.ts (1)

libs/common/src/interfaces/cloud-wallet.interface.ts (1)

• Invitation (268-275)

apps/api-gateway/src/ecosystem/ecosystem.service.ts (2)

libs/common/src/interfaces/cloud-wallet.interface.ts (1)

• Invitation (268-275)

apps/ecosystem/interfaces/ecosystem.interfaces.ts (2)

• IEcosystemMemberInvitations (116-121)
• IEcosystemInvitation (140-151)

apps/ecosystem/src/ecosystem.controller.ts (2)

libs/common/src/interfaces/cloud-wallet.interface.ts (1)

• Invitation (268-275)

apps/ecosystem/interfaces/ecosystem.interfaces.ts (3)

• IGetAllOrgs (153-164)
• IEcosystemMemberInvitations (116-121)
• IEcosystemInvitation (140-151)

apps/api-gateway/src/ecosystem/dtos/ecosystem.ts (1)

apps/ecosystem/interfaces/ecosystem.interfaces.ts (1)

• EcosystemInvitationRoles (197-197)

apps/ecosystem/interfaces/ecosystem.interfaces.ts (1)

apps/api-gateway/src/issuance/utils/helper.ts (1)

• JsonValue (5-5)

apps/ecosystem/repositories/ecosystem.repository.ts (1)

apps/ecosystem/interfaces/ecosystem.interfaces.ts (6)

• ICreateEcosystem (7-19)
• PrismaExecutor (199-199)
• IEcosystem (21-29)
• IEcosystemOrg (106-114)
• IGetAllOrgs (153-164)
• IEcosystemInvitation (140-151)

apps/ecosystem/src/ecosystem.service.ts (5)

libs/common/src/response-messages/index.ts (1)

• ResponseMessages (1-754)

libs/common/src/interfaces/cloud-wallet.interface.ts (1)

• Invitation (268-275)

libs/common/src/dtos/email.dto.ts (1)

• EmailDto (1-8)

apps/ecosystem/templates/invite-member-template.ts (1)

• InviteMemberToEcosystem (3-50)

apps/ecosystem/interfaces/ecosystem.interfaces.ts (2)

• IEcosystemMemberInvitations (116-121)
• IEcosystemInvitation (140-151)

🔇 Additional comments (30)

apps/user/src/user.module.ts (4)

5-27: LGTM!

The new imports are well-organized and all appear to be utilized within the module definition. The PlatformConfig alias for ConfigModule improves clarity.

---

38-46: LGTM!

The addition of LoggerModule, PlatformConfig, and ContextInterceptorModule properly integrates infrastructure concerns for logging, configuration, and context propagation.

---

63-65: LGTM!

The addition of UserDevicesRepository and NATSClient as providers is appropriate. Note that NATSClient (the class provider) and the 'NATS_CLIENT' injection token from ClientsModule.register serve different purposes—the former likely provides a higher-level abstraction while the latter is the raw ClientProxy.

---

66-66: LGTM!

Exporting UserRepository from UserModule enables other modules to inject it upon importing the module. This is confirmed by EcosystemModule, which imports UserModule and injects UserRepository directly in EcosystemService. The export is correctly paired with UserRepository in the providers array (line 51) and follows NestJS module composition patterns.

libs/prisma-service/prisma/schema.prisma (2)

40-40: LGTM!

The ecosystemOrgs relation is correctly defined as the inverse side of the new user-to-ecosystem_orgs relationship.

---

777-781: The userId field and its foreign key relation are correctly defined. The field already exists in the ecosystem_orgs table from prior migrations (migration 20231123100506 added it as required with UUID type), so there are no migration concerns. Recent ecosystem table operations (migration 20260114071535) handle the table creation and recreation appropriately.

Likely an incorrect or invalid review comment.

apps/organization/src/organization.module.ts (1)

51-52: LGTM!

Exporting OrganizationRepository enables ecosystem-related modules to access organization data through dependency injection, which aligns with the PR's goal of adding ecosystem member management functionality.

libs/enum/src/enum.ts (1)

73-76: LGTM!

The InviteType enum is well-defined with clear values for ecosystem and member invitation types.

apps/ecosystem/interfaces/ecosystem.interfaces.ts (3)

1-6: LGTM!

The imports are well-organized and appropriate for the interfaces defined in this file.

---

123-195: LGTM!

The summary and detail interfaces (IEcosystemSummary, IUserSummary, IEcosystemInvitation, IGetAllOrgs, etc.) are well-defined with appropriate nullable types and clear field names that align with the ecosystem invitation workflow.

---

197-199: LGTM!

The EcosystemInvitationRoles type alias provides clear typing for ecosystem role constraints, and PrismaExecutor enables flexible transaction handling by accepting either a transaction client or the main Prisma client.

apps/api-gateway/src/ecosystem/dtos/send-ecosystem-invitation.ts (2)

16-30: LGTM with a minor note on decorator ordering.

The DTO is well-structured with proper UUID and string validations. Note that @IsString() after @IsUUID() is technically redundant since UUIDs are inherently strings, but it doesn't cause issues.

---

55-68: LGTM - Well-structured DTO with proper enum validation.

The UpdateEcosystemInvitationDto properly handles case-insensitive status input via the Transform decorator before enum validation.

apps/api-gateway/src/ecosystem/dtos/delete-ecosystem-users.ts (1)

6-28: LGTM - DTO structure is appropriate for batch deletion.

The DTO correctly validates an array of UUIDs with trimming transformation and proper ecosystem context.

apps/api-gateway/src/ecosystem/dtos/ecosystem.ts (1)

9-34: LGTM - DTO properly validates org status updates.

The DTO correctly handles batch status updates with proper enum validation for EcosystemOrgStatus.

apps/ecosystem/repositories/ecosystem.repository.ts (4)

279-290: LGTM - Simple user lookup method.

---

292-329: LGTM - Compound unique key operations are properly structured.

The methods correctly use the email_ecosystemId compound unique key for lookups and updates.

---

671-738: LGTM - Query method with flexible filtering.

The getEcosystemInvitations method properly handles different query scenarios for LEAD vs MEMBER roles with appropriate filtering.

---

94-145: Transaction handling already implemented at service layer — no changes required.

The method correctly accepts a PrismaExecutor parameter, and the service layer (ecosystem.service.ts line 206) already wraps the call in prisma.$transaction(tx), passing the transaction client as the second argument. Both the ecosystem and ecosystem_orgs creation operations execute atomically within the same transaction context.

apps/ecosystem/src/ecosystem.module.ts (1)

20-40: LGTM - Module configuration is appropriate.

The module correctly imports OrganizationModule and UserModule for cross-module dependencies and exports the ecosystem service layer for use by other modules.

libs/common/src/response-messages/index.ts (1)

163-274: LGTM on overall message structure.

The new ecosystem success and error message keys comprehensively cover the invitation workflow, member management, and status update operations introduced in this PR. The structure follows the existing pattern in the file.

apps/ecosystem/src/ecosystem.service.ts (2)

349-355: LGTM on transactional delete.

Good use of $transaction to ensure atomicity when deleting orgs and their associated invitations from the ecosystem.

---

305-347: LGTM on invitation status update with idempotency check.

The method properly checks for existing ecosystem org before creating a new one (Line 336-340), preventing duplicate records when an invitation is accepted multiple times.

apps/api-gateway/src/ecosystem/ecosystem.module.ts (1)

6-6: Same architectural concern: direct backend module import.

Similar to authz.module.ts, this imports the backend EcosystemModule directly. The alias (EcosystemServiceModule) is good for clarity, but the same coupling concerns apply.

If this pattern is intentional for the ecosystem invitation workflow (e.g., to access EcosystemRepository directly for JWT strategy role resolution), consider documenting this design decision.

Also applies to: 13-13

apps/api-gateway/src/authz/jwt.strategy.ts (1)

116-119: LGTM!

The ecosystem roles propagation logic correctly extracts unique role names using Set and assigns them to userDetails.ecosystemRoles.

apps/api-gateway/src/ecosystem/ecosystem.service.ts (1)

70-110: LGTM!

The new service methods correctly delegate to NATS with appropriate message patterns and return types. The implementation follows the established pattern in the file.

apps/ecosystem/src/ecosystem.controller.ts (2)

78-103: LGTM!

The new message pattern handlers correctly extract payload fields and delegate to the service methods with appropriate parameters and return types.

---

111-114: No action needed. The ecosystem service correctly implements the deleteOrgsFromEcosystem method that the controller calls, so there is no method name mismatch or runtime error risk.

libs/prisma-service/prisma/migrations/20260114071535_create_ecosystem/migration.sql (2)

77-83: FKs for ecosystem/org/role look consistent.

The RESTRICT delete + CASCADE update behavior is sensible for core ownership relations.

---

89-89: ecosystemId FK matches the nullable design.

ON DELETE SET NULL aligns with ecosystemId being optional for some invitations.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

[sonarqubecloud]

Quality Gate passed

Issues
8 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud