feat(trust-access): implement trust access request management system (#1739)

* feat(trust-access): implement trust access request management system

* feat(trust-access): implement trust access request management system

* feat: clean up logs

* feat(trust-access): validate user ID from member ID in trust access service

* feat(trust-access): enhance member ID handling and user verification

* feat: added trust page navigation

* feat(api): update dependencies and add new packages for nanoid and pdf-lib

* feat(trust-access): implement NDA signing email resend functionality

* feat(trust-access): add endpoint to preview NDA with watermark

* feat(trust-access): add reclaim access endpoint and email notification

* feat(trust-access): add document access and download endpoints with email updates

* feat(trust-access): integrate @tanstack/react-form for access request dialogs

* feat(trust-access): enforce scope selection and validate NDA status

* feat(trust-access): update approve button to include request details

* fix: import fix for monorepo

* fix: build fix

* feat(trust-access): add requested duration days to access request

* refactor(trust-access): remove scopes from access request and related services

* feat(trust-access): implement policies access and download endpoints

* chore: format

* refactor(trust-access): rename TrustAccessRequestsClient and remove unused components

* style(trust-access): update dialog components for consistent layout

* chore(workflows): add daniel/* to auto PR trigger paths

* chore(db): refactor migration

---------

Signed-off-by: Mariano Fuentes <marfuen98@gmail.com>
Co-authored-by: Mariano Fuentes <marfuen98@gmail.com>

Author: Itsnotaka

.env.example

@@ -26,4 +26,6 @@ TRIGGER_SECRET_KEY="" # Secret key from Trigger.dev
 OPENAI_API_KEY="" # AI Chat + Auto Generated Policies, Risks + Vendors
 FIRECRAWL_API_KEY="" # For research, self-host or use cloud-version @ https://firecrawl.dev
 
+TRUST_APP_URL="http://localhost:3008" # Trust portal public site for NDA signing and access requests
+
 AUTH_TRUSTED_ORIGINS=http://localhost:3000,https://*.trycomp.ai,http://localhost:3002

.github/workflows/auto-pr-to-main.yml

@@ -13,6 +13,7 @@ on:
       - claudio/*
       - mariano/*
       - lewis/*
+      - daniel/*
       - COMP-*
       - cursor/*
       - codex/*

apps/api/buildspec.yml

@@ -26,6 +26,7 @@ phases:
       - '[ -n "$DATABASE_URL" ] || { echo "❌ DATABASE_URL is not set"; exit 1; }'
       - '[ -n "$BASE_URL" ] || { echo "❌ BASE_URL is not set"; exit 1; }'
       - '[ -n "$BETTER_AUTH_URL" ] || { echo "❌ BETTER_AUTH_URL is not set"; exit 1; }'
+      - '[ -n "$TRUST_APP_URL" ] || { echo "❌ TRUST_APP_URL is not set"; exit 1; }'
 
       # Install only API workspace dependencies
       - echo "Installing API dependencies only..."

apps/api/package.json

@@ -20,8 +20,12 @@
     "class-validator": "^0.14.2",
     "dotenv": "^17.2.3",
     "jose": "^6.0.12",
+    "jspdf": "^3.0.3",
+    "nanoid": "^5.1.6",
+    "pdf-lib": "^1.17.1",
     "prisma": "^6.13.0",
     "reflect-metadata": "^0.2.2",
+    "resend": "^6.4.2",
     "rxjs": "^7.8.1",
     "swagger-ui-express": "^5.0.1",
     "zod": "^4.0.14"

apps/api/src/attachments/attachments.service.ts

@@ -267,9 +267,60 @@ export class AttachmentsService {
     });
   }
 
-  /**
-   * Sanitize filename for S3 storage
-   */
+  async uploadToS3(
+    fileBuffer: Buffer,
+    fileName: string,
+    contentType: string,
+    organizationId: string,
+    entityType: string,
+    entityId: string,
+  ): Promise<string> {
+    const fileId = randomBytes(16).toString('hex');
+    const sanitizedFileName = this.sanitizeFileName(fileName);
+    const timestamp = Date.now();
+    const s3Key = `${organizationId}/attachments/${entityType}/${entityId}/${timestamp}-${fileId}-${sanitizedFileName}`;
+
+    const putCommand = new PutObjectCommand({
+      Bucket: this.bucketName,
+      Key: s3Key,
+      Body: fileBuffer,
+      ContentType: contentType,
+      Metadata: {
+        originalFileName: this.sanitizeHeaderValue(fileName),
+        organizationId,
+        entityId,
+        entityType,
+      },
+    });
+
+    await this.s3Client.send(putCommand);
+    return s3Key;
+  }
+
+  async getPresignedDownloadUrl(s3Key: string): Promise<string> {
+    return this.generateSignedUrl(s3Key);
+  }
+
+  async getObjectBuffer(s3Key: string): Promise<Buffer> {
+    const getCommand = new GetObjectCommand({
+      Bucket: this.bucketName,
+      Key: s3Key,
+    });
+
+    const response = await this.s3Client.send(getCommand);
+    const chunks: Uint8Array[] = [];
+
+    if (!response.Body) {
+      throw new InternalServerErrorException('No file data received from S3');
+    }
+
+    for await (const chunk of response.Body as any) {
+      chunks.push(chunk);
+    }
+
+    return Buffer.concat(chunks);
+  }
+
   private sanitizeFileName(fileName: string): string {
     return fileName.replace(/[^a-zA-Z0-9.-]/g, '_');
   }
@@ -281,6 +332,7 @@ export class AttachmentsService {
    * - Trim whitespace
    */
   private sanitizeHeaderValue(value: string): string {
+    // eslint-disable-next-line no-control-regex
     const withoutControls = value.replace(/[\x00-\x1F\x7F]/g, '');
     const asciiOnly = withoutControls.replace(/[^\x20-\x7E]/g, '_');
     return asciiOnly.trim();

apps/api/src/comments/dto/update-comment.dto.ts

@@ -11,4 +11,4 @@ export class UpdateCommentDto {
   @IsNotEmpty()
   @MaxLength(2000)
   content: string;
-}
+}

apps/api/src/context/context.controller.ts

@@ -1,12 +1,12 @@
-import { 
-  Controller, 
-  Get, 
+import {
+  Controller,
+  Get,
   Post,
   Patch,
   Delete,
   Body,
   Param,
-  UseGuards 
+  UseGuards,
 } from '@nestjs/common';
 import {
   ApiBody,
@@ -17,10 +17,7 @@ import {
   ApiSecurity,
   ApiTags,
 } from '@nestjs/swagger';
-import {
-  AuthContext,
-  OrganizationId,
-} from '../auth/auth-context.decorator';
+import { AuthContext, OrganizationId } from '../auth/auth-context.decorator';
 import { HybridAuthGuard } from '../auth/hybrid-auth.guard';
 import type { AuthContext as AuthContextType } from '../auth/types';
 import { CreateContextDto } from './dto/create-context.dto';
@@ -58,18 +55,20 @@ export class ContextController {
     @OrganizationId() organizationId: string,
     @AuthContext() authContext: AuthContextType,
   ) {
-    const contextEntries = await this.contextService.findAllByOrganization(organizationId);
+    const contextEntries =
+      await this.contextService.findAllByOrganization(organizationId);
 
     return {
       data: contextEntries,
       count: contextEntries.length,
       authType: authContext.authType,
-      ...(authContext.userId && authContext.userEmail && {
-        authenticatedUser: {
-          id: authContext.userId,
-          email: authContext.userEmail,
-        },
-      }),
+      ...(authContext.userId &&
+        authContext.userEmail && {
+          authenticatedUser: {
+            id: authContext.userId,
+            email: authContext.userEmail,
+          },
+        }),
     };
   }
 
@@ -85,17 +84,21 @@ export class ContextController {
     @OrganizationId() organizationId: string,
     @AuthContext() authContext: AuthContextType,
   ) {
-    const contextEntry = await this.contextService.findById(contextId, organizationId);
+    const contextEntry = await this.contextService.findById(
+      contextId,
+      organizationId,
+    );
 
     return {
       ...contextEntry,
       authType: authContext.authType,
-      ...(authContext.userId && authContext.userEmail && {
-        authenticatedUser: {
-          id: authContext.userId,
-          email: authContext.userEmail,
-        },
-      }),
+      ...(authContext.userId &&
+        authContext.userEmail && {
+          authenticatedUser: {
+            id: authContext.userId,
+            email: authContext.userEmail,
+          },
+        }),
     };
   }
 
@@ -112,17 +115,21 @@ export class ContextController {
     @OrganizationId() organizationId: string,
     @AuthContext() authContext: AuthContextType,
   ) {
-    const contextEntry = await this.contextService.create(organizationId, createContextDto);
+    const contextEntry = await this.contextService.create(
+      organizationId,
+      createContextDto,
+    );
 
     return {
       ...contextEntry,
       authType: authContext.authType,
-      ...(authContext.userId && authContext.userEmail && {
-        authenticatedUser: {
-          id: authContext.userId,
-          email: authContext.userEmail,
-        },
-      }),
+      ...(authContext.userId &&
+        authContext.userEmail && {
+          authenticatedUser: {
+            id: authContext.userId,
+            email: authContext.userEmail,
+          },
+        }),
     };
   }
 
@@ -150,12 +157,13 @@ export class ContextController {
     return {
       ...updatedContextEntry,
       authType: authContext.authType,
-      ...(authContext.userId && authContext.userEmail && {
-        authenticatedUser: {
-          id: authContext.userId,
-          email: authContext.userEmail,
-        },
-      }),
+      ...(authContext.userId &&
+        authContext.userEmail && {
+          authenticatedUser: {
+            id: authContext.userId,
+            email: authContext.userEmail,
+          },
+        }),
     };
   }
 
@@ -171,17 +179,21 @@ export class ContextController {
     @OrganizationId() organizationId: string,
     @AuthContext() authContext: AuthContextType,
   ) {
-    const result = await this.contextService.deleteById(contextId, organizationId);
+    const result = await this.contextService.deleteById(
+      contextId,
+      organizationId,
+    );
 
     return {
       ...result,
       authType: authContext.authType,
-      ...(authContext.userId && authContext.userEmail && {
-        authenticatedUser: {
-          id: authContext.userId,
-          email: authContext.userEmail,
-        },
-      }),
+      ...(authContext.userId &&
+        authContext.userEmail && {
+          authenticatedUser: {
+            id: authContext.userId,
+            email: authContext.userEmail,
+          },
+        }),
     };
   }
 }

apps/api/src/context/context.service.ts

@@ -14,28 +14,37 @@ export class ContextService {
         orderBy: { createdAt: 'desc' },
       });
 
-      this.logger.log(`Retrieved ${contextEntries.length} context entries for organization ${organizationId}`);
+      this.logger.log(
+        `Retrieved ${contextEntries.length} context entries for organization ${organizationId}`,
+      );
       return contextEntries;
     } catch (error) {
-      this.logger.error(`Failed to retrieve context entries for organization ${organizationId}:`, error);
+      this.logger.error(
+        `Failed to retrieve context entries for organization ${organizationId}:`,
+        error,
+      );
       throw error;
     }
   }
 
   async findById(id: string, organizationId: string) {
     try {
       const contextEntry = await db.context.findFirst({
-        where: { 
+        where: {
           id,
-          organizationId 
+          organizationId,
         },
       });
 
       if (!contextEntry) {
-        throw new NotFoundException(`Context entry with ID ${id} not found in organization ${organizationId}`);
+        throw new NotFoundException(
+          `Context entry with ID ${id} not found in organization ${organizationId}`,
+        );
       }
 
-      this.logger.log(`Retrieved context entry: ${contextEntry.question.substring(0, 50)}... (${id})`);
+      this.logger.log(
+        `Retrieved context entry: ${contextEntry.question.substring(0, 50)}... (${id})`,
+      );
       return contextEntry;
     } catch (error) {
       if (error instanceof NotFoundException) {
@@ -55,15 +64,24 @@ export class ContextService {
         },
       });
 
-      this.logger.log(`Created new context entry: ${contextEntry.question.substring(0, 50)}... (${contextEntry.id}) for organization ${organizationId}`);
+      this.logger.log(
+        `Created new context entry: ${contextEntry.question.substring(0, 50)}... (${contextEntry.id}) for organization ${organizationId}`,
+      );
       return contextEntry;
     } catch (error) {
-      this.logger.error(`Failed to create context entry for organization ${organizationId}:`, error);
+      this.logger.error(
+        `Failed to create context entry for organization ${organizationId}:`,
+        error,
+      );
       throw error;
     }
   }
 
-  async updateById(id: string, organizationId: string, updateContextDto: UpdateContextDto) {
+  async updateById(
+    id: string,
+    organizationId: string,
+    updateContextDto: UpdateContextDto,
+  ) {
     try {
       // First check if the context entry exists in the organization
       await this.findById(id, organizationId);
@@ -73,7 +91,9 @@ export class ContextService {
         data: updateContextDto,
       });
 
-      this.logger.log(`Updated context entry: ${updatedContextEntry.question.substring(0, 50)}... (${id})`);
+      this.logger.log(
+        `Updated context entry: ${updatedContextEntry.question.substring(0, 50)}... (${id})`,
+      );
       return updatedContextEntry;
     } catch (error) {
       if (error instanceof NotFoundException) {
@@ -93,13 +113,15 @@ export class ContextService {
         where: { id },
       });
 
-      this.logger.log(`Deleted context entry: ${existingContextEntry.question.substring(0, 50)}... (${id})`);
-      return { 
+      this.logger.log(
+        `Deleted context entry: ${existingContextEntry.question.substring(0, 50)}... (${id})`,
+      );
+      return {
         message: 'Context entry deleted successfully',
         deletedContext: {
           id: existingContextEntry.id,
           question: existingContextEntry.question,
-        }
+        },
       };
     } catch (error) {
       if (error instanceof NotFoundException) {

apps/api/src/context/dto/context-response.dto.ts

@@ -21,7 +21,8 @@ export class ContextResponseDto {
 
   @ApiProperty({
     description: 'The answer or detailed explanation for the question',
-    example: 'We use a hybrid authentication system supporting both API keys and session-based authentication.',
+    example:
+      'We use a hybrid authentication system supporting both API keys and session-based authentication.',
   })
   answer: string;