feat: Complete NestJS backend scaffold — 22 modules, 39 entities, WebSocket gateway

Full backend rewrite from Rust/Axum to NestJS/TypeScript.
- 22 feature modules (auth, servers, wipes, maps, plugins, players, console,
  chat, team, notifications, settings, schedules, analytics, alerts, status,
  store, webstore, admin, setup, migration, users, licenses)
- 39 TypeORM entities matching PostgreSQL schema (12 migrations)
- Common infrastructure: JWT/RBAC guards, decorators, exception filter
- NATS service with pub/sub/request-reply
- Socket.IO WebSocket gateway with NATS bridge
- Docker: NestJS Dockerfile + updated docker-compose.yml
- Zero compile errors (npx tsc --noEmit clean)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-nest/src/common/decorators/current-tenant.decorator.ts

@@ -0,0 +1,8 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+
+export const CurrentTenant = createParamDecorator(
+  (_data: unknown, ctx: ExecutionContext): string => {
+    const request = ctx.switchToHttp().getRequest();
+    return request.user?.license_id;
+  },
+);

backend-nest/src/common/decorators/current-user.decorator.ts

@@ -0,0 +1,9 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+
+export const CurrentUser = createParamDecorator(
+  (data: string | undefined, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest();
+    const user = request.user;
+    return data ? user?.[data] : user;
+  },
+);

backend-nest/src/common/decorators/public.decorator.ts

@@ -0,0 +1,4 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const IS_PUBLIC_KEY = 'isPublic';
+export const Public = () => SetMetadata(IS_PUBLIC_KEY, true);

backend-nest/src/common/decorators/require-permission.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const PERMISSION_KEY = 'required_permission';
+export const RequirePermission = (permission: string) =>
+  SetMetadata(PERMISSION_KEY, permission);

backend-nest/src/common/dto/pagination.dto.ts

@@ -0,0 +1,17 @@
+import { IsOptional, IsInt, Min, Max } from 'class-validator';
+import { ApiPropertyOptional } from '@nestjs/swagger';
+
+export class PaginationDto {
+  @ApiPropertyOptional({ default: 1 })
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  page?: number = 1;
+
+  @ApiPropertyOptional({ default: 25 })
+  @IsOptional()
+  @IsInt()
+  @Min(1)
+  @Max(100)
+  limit?: number = 25;
+}

backend-nest/src/common/filters/http-exception.filter.ts

@@ -0,0 +1,35 @@
+import {
+  ExceptionFilter,
+  Catch,
+  ArgumentsHost,
+  HttpException,
+  HttpStatus,
+} from '@nestjs/common';
+import { Response } from 'express';
+
+@Catch()
+export class HttpExceptionFilter implements ExceptionFilter {
+  catch(exception: unknown, host: ArgumentsHost) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse<Response>();
+
+    let status = HttpStatus.INTERNAL_SERVER_ERROR;
+    let message = 'Internal server error';
+
+    if (exception instanceof HttpException) {
+      status = exception.getStatus();
+      const exResponse = exception.getResponse();
+      if (typeof exResponse === 'string') {
+        message = exResponse;
+      } else if (typeof exResponse === 'object' && exResponse !== null) {
+        const obj = exResponse as Record<string, unknown>;
+        message = (obj.message as string) || message;
+        if (Array.isArray(obj.message)) {
+          message = obj.message[0] as string;
+        }
+      }
+    }
+
+    response.status(status).json({ message });
+  }
+}

backend-nest/src/common/guards/jwt-auth.guard.ts

@@ -0,0 +1,20 @@
+import { Injectable, ExecutionContext } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { Reflector } from '@nestjs/core';
+import { IS_PUBLIC_KEY } from '../decorators/public.decorator';
+
+@Injectable()
+export class JwtAuthGuard extends AuthGuard('jwt') {
+  constructor(private reflector: Reflector) {
+    super();
+  }
+
+  canActivate(context: ExecutionContext) {
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    if (isPublic) return true;
+    return super.canActivate(context);
+  }
+}

backend-nest/src/common/guards/license.guard.ts

@@ -0,0 +1,12 @@
+import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+
+@Injectable()
+export class LicenseGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const { user } = context.switchToHttp().getRequest();
+    if (!user?.license_id) {
+      throw new ForbiddenException('No active license');
+    }
+    return true;
+  }
+}

backend-nest/src/common/guards/permissions.guard.ts

@@ -0,0 +1,32 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { PERMISSION_KEY } from '../decorators/require-permission.decorator';
+
+@Injectable()
+export class PermissionsGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredPermission = this.reflector.getAllAndOverride<string>(
+      PERMISSION_KEY,
+      [context.getHandler(), context.getClass()],
+    );
+    if (!requiredPermission) return true;
+
+    const { user } = context.switchToHttp().getRequest();
+    if (!user) return false;
+
+    // Super admins bypass all permission checks
+    if (user.is_super_admin) return true;
+
+    // Check permissions JSONB from role
+    const permissions = user.permissions as Record<string, boolean> | undefined;
+    if (!permissions) return false;
+
+    // Support wildcard: "server.*" matches "server.view", "server.console", etc.
+    const parts = requiredPermission.split('.');
+    const wildcard = parts[0] + '.*';
+
+    return permissions[requiredPermission] === true || permissions[wildcard] === true;
+  }
+}

backend-nest/src/common/guards/super-admin.guard.ts

@@ -0,0 +1,12 @@
+import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+
+@Injectable()
+export class SuperAdminGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const { user } = context.switchToHttp().getRequest();
+    if (!user?.is_super_admin) {
+      throw new ForbiddenException('Platform admin access required');
+    }
+    return true;
+  }
+}

backend-nest/src/common/interceptors/transform.interceptor.ts

@@ -0,0 +1,17 @@
+import {
+  Injectable,
+  NestInterceptor,
+  ExecutionContext,
+  CallHandler,
+} from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
+
+@Injectable()
+export class TransformInterceptor<T> implements NestInterceptor<T, T> {
+  intercept(_context: ExecutionContext, next: CallHandler): Observable<T> {
+    // Pass through — response shape is controlled by each controller
+    // This interceptor exists for future response wrapping if needed
+    return next.handle().pipe(map((data) => data));
+  }
+}