WIP - audit logs

2026-05-16 14:14:06 +08:00 · 2026-01-10 12:57:27 +00:00
55 changed files with 561 additions and 2543 deletions
@@ -44,6 +44,7 @@
    "@nestjs-labs/nestjs-ioredis": "^11.0.4",
    "@nestjs/bullmq": "^11.0.4",
    "@nestjs/common": "^11.1.9",
    "nestjs-cls": "^4.5.0",
    "@nestjs/config": "^4.0.2",
    "@nestjs/core": "^11.1.9",
    "@nestjs/event-emitter": "^3.0.1",
@@ -1,6 +1,8 @@
 import { Module } from '@nestjs/common';
 import { APP_INTERCEPTOR } from '@nestjs/core';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
 import { AuditActorInterceptor } from './common/interceptors/audit-actor.interceptor';
 import { CoreModule } from './core/core.module';
 import { EnvironmentModule } from './integrations/environment/environment.module';
 import { CollaborationModule } from './collaboration/collaboration.module';
@@ -18,6 +20,7 @@ import { SecurityModule } from './integrations/security/security.module';
 import { TelemetryModule } from './integrations/telemetry/telemetry.module';
 import { RedisModule } from '@nestjs-labs/nestjs-ioredis';
 import { RedisConfigService } from './integrations/redis/redis-config.service';
 import { ClsModule } from 'nestjs-cls';
 const enterpriseModules = [];
 try {
@@ -35,6 +38,10 @@ try {
@Module({
  imports: [
    ClsModule.forRoot({
      global: true,
      middleware: { mount: true },
    }),
    CoreModule,
    DatabaseModule,
    EnvironmentModule,
@@ -60,6 +67,12 @@ try {
    ...enterpriseModules,
  ],
  controllers: [AppController],
-  providers: [AppService],
+  providers: [
    AppService,
    {
      provide: APP_INTERCEPTOR,
      useClass: AuditActorInterceptor,
    },
  ],
 })
 export class AppModule {}
@@ -0,0 +1,101 @@
 export const AuditEvent = {
  // Workspace Invitations
  WORKSPACE_CREATED: 'workspace.created',
  WORKSPACE_INVITE_CREATED: 'workspace.invite_created',
  WORKSPACE_INVITE_REVOKED: 'workspace.invite_revoked',
  WORKSPACE_INVITE_ACCEPTED: 'workspace.invite_accepted',
  WORKSPACE_USER_CREATED: 'workspace.user_created',
  WORKSPACE_USER_DEACTIVATED: 'workspace.user_deactivated',
  WORKSPACE_ALLOWED_DOMAIN_UPDATED: 'workspace.allowed_domain_updated',
  WORKSPACE_ICON_CHANGED: 'workspace.icon_changed',
  WORKSPACE_NAME_CHANGED: 'workspace.name_changed',
  WORKSPACE_AI_TOGGLED: 'workspace.ai_toggled',
  USER_CREATED: 'user.created',
  USER_DELETED: 'user.deleted',
  USER_LOGIN: 'user.login',
  USER_LOGOUT: 'user.logout',
  USER_ROLE_CHANGED: 'user.user_role_changed',
  USER_PASSWORD_CHANGED: 'user.password_changed',
  USER_PASSWORD_RESET: 'user.reset_password',
  USER_PHOTO_CHANGED: 'user.reset_password',
  USER_NAME_CHANGED: 'user.name_changed',
  USER_EMAIL_CHANGED: 'user.email_changed',
  USER_MFA_SETUP: 'user.mfa_setup',
  USER_MFA_BACKUP_CODE_GENERATED: 'user.mfa_backup_code_generated',
  // API Keys
  API_KEY_CREATED: 'api_key.created',
  API_KEY_UPDATED: 'api_key.updated',
  API_KEY_DELETED: 'api_key.deleted',
  // Space
  SPACE_CREATED: 'space.created',
  SPACE_UPDATED: 'space.updated',
  SPACE_DELETED: 'space.deleted',
  SPACE_MEMBER_ADDED: 'space.member_added',
  SPACE_MEMBER_REMOVED: 'space.member_removed',
  SPACE_MEMBER_ROLE_CHANGED: 'space.member_role_changed',
  // OR SPACE_USER_ADDED: 'space.user_added',
  // SPACE_GROUP_ADDED: 'space.group_added',
  // GROUP
  GROUP_CREATED: 'group.created',
  GROUP_UPDATED: 'group.updated',
  GROUP_DELETED: 'group.deleted',
  GROUP_MEMBER_ADDED: 'group.member_added',
  GROUP_MEMBER_REMOVED: 'group.member_removed',
  // Comments
  COMMENT_CREATED: 'comment.created',
  COMMENT_UPDATED: 'comment.updated',
  COMMENT_DELETED: 'comment.deleted',
  COMMENT_RESOLVED: 'comment.resolved',
  COMMENT_REOPENED: 'comment.reopened',
  // PAGE
  PAGE_CREATED: 'page.created',
  PAGE_UPDATED: 'page.updated',
  PAGE_TRASHED: 'page.trash',
  PAGE_DELETED: 'page.deleted',
  PAGE_SHARED: 'page.shared',
  ATTACHMENT_UPLOADED: 'attachment.uploaded',
  PAGE_IMPORTED: 'page.imported',
  PAGE_RESTORED: 'page.restored',
  PAGE_EXPORTED: 'page.exported',
  SPACE_EXPORTED: 'space.imported',
  // SSO EVENTS
 } as const;
 export type AuditEventType = (typeof AuditEvent)[keyof typeof AuditEvent];
 export type ActorType = 'user' | 'system' | 'api_key';
 export interface AuditLogPayload {
  event: AuditEventType;
  resourceType: string;
  resourceId?: string;
  changes?: {
    before?: Record<string, any>;
    after?: Record<string, any>;
  };
  metadata?: Record<string, any>;
 }
 export interface AuditLogData extends AuditLogPayload {
  workspaceId: string;
  actorId?: string;
  actorType: ActorType;
  ipAddress?: string;
  userAgent?: string;
 }
@@ -1,6 +1,5 @@
 export enum EventName {
  COLLAB_PAGE_UPDATED = 'collab.page.updated',
  PAGE_CREATED = 'page.created',
  PAGE_UPDATED = 'page.updated',
  PAGE_CONTENT_UPDATED = 'page-content-updated',
@@ -5,4 +5,4 @@ export const nanoIdGen = customAlphabet(alphabet, 10);
 const slugIdAlphabet =
  '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
-export const generateSlugId = customAlphabet(slugIdAlphabet, 10);
+export const generateSlugId = customAlphabet(slugIdAlphabet, 10);
@@ -10,12 +10,6 @@ export enum SpaceRole {
  READER = 'reader', // can only read pages in space
 }
 export enum PageRole {
  WRITER = 'writer', // can read and write pages in space
  READER = 'reader', // can only read pages in space
  RESTRICTED = 'restricted', // cannot access page
 }
 export enum SpaceVisibility {
  OPEN = 'open', // any workspace member can see that it exists and join.
  PRIVATE = 'private', // only added space users can see
@@ -0,0 +1,29 @@
 import {
  CallHandler,
  ExecutionContext,
  Injectable,
  NestInterceptor,
 } from '@nestjs/common';
 import { Observable } from 'rxjs';
 import { ClsService } from 'nestjs-cls';
 import { AuditContext, AUDIT_CONTEXT_KEY } from '../middlewares/audit-context.middleware';
@Injectable()
 export class AuditActorInterceptor implements NestInterceptor {
  constructor(private readonly cls: ClsService) {}
  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
    const request = context.switchToHttp().getRequest();
    const user = request.user?.user;
    if (user?.id) {
      const auditContext = this.cls.get<AuditContext>(AUDIT_CONTEXT_KEY);
      if (auditContext) {
        auditContext.actorId = user.id;
        this.cls.set(AUDIT_CONTEXT_KEY, auditContext);
      }
    }
    return next.handle();
  }
 }
@@ -14,18 +14,11 @@ export class InternalLogFilter extends ConsoleLogger {
    super();
    const isProduction = process.env.NODE_ENV === 'production';
    const isDebugMode = process.env.DEBUG_MODE === 'true';
-
+    
    if (isProduction && !isDebugMode) {
      this.allowedLogLevels = ['log', 'error', 'fatal'];
    } else {
-      this.allowedLogLevels = [
+      this.allowedLogLevels = ['log', 'debug', 'verbose', 'warn', 'error', 'fatal'];
        'log',
        'debug',
        'verbose',
        'warn',
        'error',
        'fatal',
      ];
    }
  }
@@ -0,0 +1,50 @@
 import { Injectable, NestMiddleware } from '@nestjs/common';
 import { FastifyRequest, FastifyReply } from 'fastify';
 import { ClsService } from 'nestjs-cls';
 export interface AuditContext {
  workspaceId: string | null;
  actorId: string | null;
  actorType: 'user' | 'system' | 'api_key';
  ipAddress: string | null;
 }
 export const AUDIT_CONTEXT_KEY = 'auditContext';
@Injectable()
 export class AuditContextMiddleware implements NestMiddleware {
  constructor(private readonly cls: ClsService) {}
  use(req: FastifyRequest['raw'], res: FastifyReply['raw'], next: () => void) {
    const workspaceId = (req as any).workspaceId ?? null;
    const ipAddress = this.extractIpAddress(req);
    const auditContext: AuditContext = {
      workspaceId,
      actorId: null,
      actorType: 'user',
      ipAddress,
    };
    this.cls.set(AUDIT_CONTEXT_KEY, auditContext);
    next();
  }
  private extractIpAddress(req: FastifyRequest['raw']): string | null {
    const xForwardedFor = req.headers['x-forwarded-for'];
    if (xForwardedFor) {
      const ips = Array.isArray(xForwardedFor)
        ? xForwardedFor[0]
        : xForwardedFor.split(',')[0];
      return ips?.trim() ?? null;
    }
    const xRealIp = req.headers['x-real-ip'];
    if (xRealIp) {
      return Array.isArray(xRealIp) ? xRealIp[0] : xRealIp;
    }
    return (req as any).socket?.remoteAddress ?? null;
  }
 }
@@ -1,168 +0,0 @@
 import { Injectable, Logger, NotFoundException } from '@nestjs/common';
 import {
  AbilityBuilder,
  createMongoAbility,
  MongoAbility,
 } from '@casl/ability';
 import { PageRole, SpaceRole } from '../../../common/helpers/types/permission';
 import { User } from '@docmost/db/types/entity.types';
 import {
  PagePermissionRepo,
  PageMemberRole,
 } from '@docmost/db/repos/page/page-permission-repo.service';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import {
  PageCaslAction,
  IPageAbility,
  PageCaslSubject,
 } from '../interfaces/page-ability.type';
 import { findHighestUserSpaceRole } from '@docmost/db/repos/Space/utils';
 import { UserSpaceRole } from '@docmost/db/repos/space/types';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
@Injectable()
 export default class PageAbilityFactory {
  private readonly logger = new Logger(PageAbilityFactory.name);
  constructor(
    private readonly pagePermissionRepo: PagePermissionRepo,
    private readonly pageRepo: PageRepo,
    private readonly spaceMemberRepo: SpaceMemberRepo,
  ) {}
  async createForUser(user: User, pageId: string) {
    //user.id = '0197750c-a70c-73a6-83ad-65a193433f5c';
    // This opens the possibility to share pages with individual users from other Spaces
    /*     
    //TODO: we might account for space permission here too.
    // we could just do it all here. no need to call two abilities.
    const userSpaceRoles = await this.spaceMemberRepo.getUserSpaceRoles(
      user.id,
      spaceId,
    );
    */
    // const userPageRole = findHighestUserPageRole(userPageRoles);
    // if no role abort
    // Check page-level permissions first if pageId provided
    const permission = await this.pagePermissionRepo.getUserPagePermission({
      pageId: pageId,
      userId: user.id,
    });
    // does it pick one? what if the user has permissions via groups? what roles takes precedence?
    if (!permission) {
      //TODO: it means we should use the space level permission
      // need deeper understanding here though
      // call the space factory?
    }
    this.logger.log('permissions', permission);
    if (permission) {
      // make sure the permission is for this page
      // or cascaded/inherited from a parent page
      /*this.logger.debug('role', permission.role, 'cascade', permission.cascade);
      if (permission.pageId !== pageId && !permission.cascade) {
        this.logger.debug('no permission');
        // No explicit access and not inheriting - deny
        return new AbilityBuilder<MongoAbility<IPageAbility>>(
          createMongoAbility,
        ).build();
      }*/
    }
    // if no permission should we use space permission here?
    // if non, skip for default to take precedence
    switch (permission.role) {
      case PageRole.WRITER:
        return buildPageWriterAbility();
      case PageRole.READER:
        return buildPageReaderAbility();
      case PageRole.RESTRICTED:
        return buildPageRestrictedAbility();
      default:
        throw new NotFoundException('Page permissions not found');
    }
  }
  private buildAbilityForRole(role: string) {
    switch (role) {
      case PageRole.WRITER:
        return buildPageWriterAbility();
      case PageRole.READER:
        return buildPageReaderAbility();
      case PageRole.RESTRICTED:
        return buildPageRestrictedAbility();
      default:
        return new AbilityBuilder<MongoAbility<IPageAbility>>(
          createMongoAbility,
        ).build();
    }
  }
 }
 function buildPageWriterAbility() {
  const { can, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
    createMongoAbility,
  );
  can(PageCaslAction.Read, PageCaslSubject.Settings);
  can(PageCaslAction.Read, PageCaslSubject.Member);
  can(PageCaslAction.Manage, PageCaslSubject.Page);
  can(PageCaslAction.Manage, PageCaslSubject.Share);
  return build();
 }
 function buildPageReaderAbility() {
  const { can, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
    createMongoAbility,
  );
  can(PageCaslAction.Read, PageCaslSubject.Settings);
  can(PageCaslAction.Read, PageCaslSubject.Member);
  can(PageCaslAction.Read, PageCaslSubject.Page);
  can(PageCaslAction.Read, PageCaslSubject.Share);
  return build();
 }
 function buildPageRestrictedAbility() {
  const { cannot, build } = new AbilityBuilder<MongoAbility<IPageAbility>>(
    createMongoAbility,
  );
  cannot(PageCaslAction.Read, PageCaslSubject.Settings);
  cannot(PageCaslAction.Read, PageCaslSubject.Member);
  cannot(PageCaslAction.Read, PageCaslSubject.Page);
  cannot(PageCaslAction.Read, PageCaslSubject.Share);
  return build();
 }
 export interface UserPageRole {
  userId: string;
  role: string;
 }
 export function findHighestUserPageRole(userPageRoles: UserPageRole[]) {
  //TODO: perhaps, we want the lowest here?
  if (!userPageRoles) {
    return undefined;
  }
  const roleOrder: { [key in PageRole]: number } = {
    [PageRole.WRITER]: 3,
    [PageRole.READER]: 2,
    [PageRole.RESTRICTED]: 1,
  };
  let highestRole: string;
  for (const userPageRole of userPageRoles) {
    const currentRole = userPageRole.role;
    if (!highestRole || roleOrder[currentRole] > roleOrder[highestRole]) {
      highestRole = currentRole;
    }
  }
  return highestRole;
 }
@@ -1,11 +1,10 @@
 import { Global, Module } from '@nestjs/common';
 import SpaceAbilityFactory from './abilities/space-ability.factory';
 import WorkspaceAbilityFactory from './abilities/workspace-ability.factory';
 import PageAbilityFactory from './abilities/page-ability.factory';
@Global()
@Module({
-  providers: [WorkspaceAbilityFactory, SpaceAbilityFactory, PageAbilityFactory],
+  providers: [WorkspaceAbilityFactory, SpaceAbilityFactory],
-  exports: [WorkspaceAbilityFactory, SpaceAbilityFactory, PageAbilityFactory],
+  exports: [WorkspaceAbilityFactory, SpaceAbilityFactory],
 })
 export class CaslModule {}
@@ -1,19 +0,0 @@
 export enum PageCaslAction {
  Manage = 'manage',
  Create = 'create',
  Read = 'read',
  Edit = 'edit',
  Delete = 'delete',
 }
 export enum PageCaslSubject {
  Settings = 'settings',
  Member = 'member',
  Page = 'page',
  Share = 'share',
 }
 export type IPageAbility =
  | [PageCaslAction, PageCaslSubject.Settings]
  | [PageCaslAction, PageCaslSubject.Member]
  | [PageCaslAction, PageCaslSubject.Page]
  | [PageCaslAction, PageCaslSubject.Share];
@@ -15,7 +15,13 @@ import { SpaceModule } from './space/space.module';
 import { GroupModule } from './group/group.module';
 import { CaslModule } from './casl/casl.module';
 import { DomainMiddleware } from '../common/middlewares/domain.middleware';
 import { AuditContextMiddleware } from '../common/middlewares/audit-context.middleware';
 import { ShareModule } from './share/share.module';
 import {
  AUDIT_SERVICE,
  NoopAuditService,
 } from '../integrations/audit/audit.service';
 import { ClsMiddleware } from 'nestjs-cls';
@Module({
  imports: [
@@ -31,17 +37,31 @@ import { ShareModule } from './share/share.module';
    CaslModule,
    ShareModule,
  ],
  providers: [
    {
      provide: AUDIT_SERVICE,
      useClass: NoopAuditService,
    },
  ],
  exports: [AUDIT_SERVICE],
 })
 export class CoreModule implements NestModule {
  configure(consumer: MiddlewareConsumer) {
    const excludedRoutes = [
      { path: 'auth/setup', method: RequestMethod.POST },
      { path: 'health', method: RequestMethod.GET },
      { path: 'health/live', method: RequestMethod.GET },
      { path: 'billing/stripe/webhook', method: RequestMethod.POST },
    ];
    consumer
      .apply(DomainMiddleware)
-      .exclude(
+      .exclude(...excludedRoutes)
-        { path: 'auth/setup', method: RequestMethod.POST },
+      .forRoutes('*');
-        { path: 'health', method: RequestMethod.GET },
+
-        { path: 'health/live', method: RequestMethod.GET },
+    consumer
-        { path: 'billing/stripe/webhook', method: RequestMethod.POST },
+      .apply(AuditContextMiddleware)
-      )
+      .exclude(...excludedRoutes)
      .forRoutes('*');
  }
 }
@@ -7,7 +7,7 @@ import {
  MaxLength,
  MinLength,
 } from 'class-validator';
-import { Transform, TransformFnParams } from 'class-transformer';
+import {Transform, TransformFnParams} from "class-transformer";
 export class CreateGroupDto {
  @MinLength(2)
@@ -1,34 +0,0 @@
 import {
  ArrayMaxSize,
  IsArray,
  IsBoolean,
  IsEnum,
  IsOptional,
  IsUUID,
 } from 'class-validator';
 import { PageIdDto } from './page.dto';
 import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
 export class AddPageMembersDto extends PageIdDto {
  @IsEnum(PageMemberRole)
  role: string;
  // optional
  @IsArray()
  @ArrayMaxSize(25, {
    message: 'userIds must be an array with no more than 25 elements',
  })
  @IsUUID('all', { each: true })
  userIds: string[];
  @IsOptional()
  @IsArray()
  @ArrayMaxSize(25, {
    message: 'groupIds must be an array with no more than 25 elements',
  })
  @IsUUID('all', { each: true })
  groupIds: string[];
  @IsBoolean()
  @IsOptional()
  cascade?: boolean; // Apply to all child pages
 }
@@ -4,4 +4,4 @@ export class DeletedPageDto {
  @IsNotEmpty()
  @IsString()
  spaceId: string;
-}
+}
@@ -17,8 +17,8 @@ export type CopyPageMapEntry = {
 };
 export type ICopyPageAttachment = {
-  newPageId: string;
+  newPageId: string,
-  oldPageId: string;
+  oldPageId: string,
-  oldAttachmentId: string;
+  oldAttachmentId: string,
-  newAttachmentId: string;
+  newAttachmentId: string,
 };
@@ -1,22 +0,0 @@
 import { IsOptional, IsNumber, IsString, Min, Max } from 'class-validator';
 import { PageIdDto } from './page.dto';
 import { Type } from 'class-transformer';
 export class GetPageMembersDto extends PageIdDto {
  @IsOptional()
  @Type(() => Number)
  @IsNumber()
  @Min(1)
  page?: number = 1;
  @IsOptional()
  @Type(() => Number)
  @IsNumber()
  @Min(1)
  @Max(100)
  limit?: number = 20;
  @IsOptional()
  @IsString()
  query?: string;
 }
@@ -1,7 +0,0 @@
 import { IsUUID } from 'class-validator';
 import { PageIdDto } from './page.dto';
 export class RemovePageMemberDto extends PageIdDto {
  @IsUUID()
  memberId: string;
 }
@@ -1,11 +0,0 @@
 import { IsEnum, IsUUID } from 'class-validator';
 import { PageIdDto } from './page.dto';
 import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
 export class UpdatePageMemberRoleDto extends PageIdDto {
  @IsUUID()
  memberId: string;
  @IsEnum(PageMemberRole)
  role: string;
 }
@@ -1,21 +0,0 @@
 import { IsBoolean, IsEnum, IsOptional, IsUUID } from 'class-validator';
 import { PageMemberRole } from '@docmost/db/repos/page/page-permission-repo.service';
 export class UpdatePagePermissionDto {
  @IsUUID()
  pageId: string;
  @IsUUID()
  @IsOptional()
  userId?: string;
  @IsUUID()
  @IsOptional()
  groupId?: string;
  @IsEnum(PageMemberRole)
  role: string;
  @IsBoolean()
  cascade: boolean; // Apply to all child pages
 }
@@ -32,24 +32,9 @@ import {
 } from '../casl/interfaces/space-ability.type';
 import SpaceAbilityFactory from '../casl/abilities/space-ability.factory';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
 import { RecentPageDto } from './dto/recent-page.dto';
 import { DuplicatePageDto } from './dto/duplicate-page.dto';
 import { DeletedPageDto } from './dto/deleted-page.dto';
 import { AddPageMembersDto } from './dto/add-page-members.dto';
 import { RemovePageMemberDto } from './dto/remove-page-member.dto';
 import { UpdatePageMemberRoleDto } from './dto/update-page-member-role.dto';
 import { UpdatePagePermissionDto } from './dto/update-page-permission.dto';
 import { GetPageMembersDto } from './dto/get-page-members.dto';
 import {
  PagePermissionService,
  PagePermissionsResponse,
 } from './services/page-member.service';
 import PageAbilityFactory from '../casl/abilities/page-ability.factory';
 import {
  PageCaslAction,
  PageCaslSubject,
 } from '../casl/interfaces/page-ability.type';
@UseGuards(JwtAuthGuard)
@Controller('pages')
@@ -59,9 +44,6 @@ export class PageController {
    private readonly pageRepo: PageRepo,
    private readonly pageHistoryService: PageHistoryService,
    private readonly spaceAbility: SpaceAbilityFactory,
    private readonly pageAbility: PageAbilityFactory,
    private readonly pagePermissionService: PagePermissionService,
    private readonly sharedPagesRepo: SharedPagesRepo,
  ) {}
  @HttpCode(HttpStatus.OK)
@@ -79,20 +61,10 @@ export class PageController {
      throw new NotFoundException('Page not found');
    }
-    const pageAbility = await this.pageAbility.createForUser(user, page.id);
+    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (pageAbility.cannot(PageCaslAction.Read, PageCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    /*const ability = await this.spaceAbility.createForUser(
      user,
      page.spaceId,
    );
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
-    }*/
+    }
    return page;
  }
@@ -417,162 +389,4 @@ export class PageController {
    }
    return this.pageService.getPageBreadCrumbs(page.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/restrict')
  async restrictPage(@Body() dto: PageIdDto, @AuthUser() user: User) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    // TODO: make sure they have access to the page, and can restrict
    // And the page is not already restricted
    // They can add and remove page restriction
    // When a page restriction is removed, we remove the entries in page permissions table.
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.restrictPage(user, page.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/add')
  async addPageMembers(
    @Body() dto: AddPageMembersDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.addMembersToPageBatch(
      dto,
      user,
      workspace.id,
    );
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/remove')
  async removePageMember(
    @Body() dto: RemovePageMemberDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.removePageMember(dto, workspace.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/update-role')
  async updatePageMemberRole(
    @Body() dto: UpdatePageMemberRoleDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.updatePageMemberRole(dto, workspace.id);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/update')
  async updatePagePermissions(
    @Body() dto: UpdatePagePermissionDto,
    @AuthUser() user: User,
  ): Promise<PagePermissionsResponse> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Manage, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.updatePagePermission(dto);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/info')
  async getPagePermissions(
    @Body() dto: PageIdDto,
    @AuthUser() user: User,
  ): Promise<PagePermissionsResponse> {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    return this.pagePermissionService.getPagePermissions(dto.pageId);
  }
  @HttpCode(HttpStatus.OK)
  @Post('permissions/list')
  async getPageMembers(
    @Body() dto: GetPageMembersDto,
    @AuthUser() user: User,
    @AuthWorkspace() workspace: Workspace,
  ) {
    const page = await this.pageRepo.findById(dto.pageId);
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const ability = await this.spaceAbility.createForUser(user, page.spaceId);
    if (ability.cannot(SpaceCaslAction.Read, SpaceCaslSubject.Page)) {
      throw new ForbiddenException();
    }
    const pagination: PaginationOptions = {
      page: dto.page || 1,
      limit: dto.limit || 20,
      query: dto.query,
    };
    return this.pagePermissionService.getPageMembers(
      dto.pageId,
      workspace.id,
      pagination,
    );
  }
  @HttpCode(HttpStatus.OK)
  @Post('shared')
  async getUserSharedPages(@AuthUser() user: User) {
    return this.sharedPagesRepo.getUserSharedPages(user.id);
  }
 }
@@ -3,20 +3,12 @@ import { PageService } from './services/page.service';
 import { PageController } from './page.controller';
 import { PageHistoryService } from './services/page-history.service';
 import { TrashCleanupService } from './services/trash-cleanup.service';
 import { PagePermissionService } from './services/page-member.service';
 import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
 import { StorageModule } from '../../integrations/storage/storage.module';
@Module({
  controllers: [PageController],
-  providers: [
+  providers: [PageService, PageHistoryService, TrashCleanupService],
-    PageService,
+  exports: [PageService, PageHistoryService],
    PageHistoryService,
    TrashCleanupService,
    PagePermissionService,
    SharedPagesRepo,
  ],
  exports: [PageService, PageHistoryService, PagePermissionService],
  imports: [StorageModule],
 })
 export class PageModule {}
@@ -1,648 +0,0 @@
 import {
  BadRequestException,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
 import { PaginationOptions } from '@docmost/db/pagination/pagination-options';
 import { KyselyDB, KyselyTransaction } from '@docmost/db/types/kysely.types';
 import {
  PagePermissionRepo,
  PageMemberRole,
 } from '@docmost/db/repos/page/page-permission-repo.service';
 import { SharedPagesRepo } from '@docmost/db/repos/page/shared-pages.repo';
 import { AddPageMembersDto } from '../dto/add-page-members.dto';
 import { InjectKysely } from 'nestjs-kysely';
 import { Page, PagePermission, User } from '@docmost/db/types/entity.types';
 import { PageRepo } from '@docmost/db/repos/page/page.repo';
 import { RemovePageMemberDto } from '../dto/remove-page-member.dto';
 import { UpdatePageMemberRoleDto } from '../dto/update-page-member-role.dto';
 import { UpdatePagePermissionDto } from '../dto/update-page-permission.dto';
 import { UserRepo } from '@docmost/db/repos/user/user.repo';
 import { GroupRepo } from '@docmost/db/repos/group/group.repo';
 import { SpaceMemberRepo } from '@docmost/db/repos/space/space-member.repo';
 import { executeTx } from '@docmost/db/utils';
 export interface IPagePermission {
  id: string;
  cascade: boolean;
  member: {
    id: string;
    type: 'user' | 'group' | 'public';
    email?: string;
    displayName?: string;
    avatarUrl?: string;
    workspaceRole?: string;
    name?: string;
    memberCount?: number;
  };
  membershipRole: {
    id: string;
    level: string;
    source: 'direct' | 'inherited';
  };
  grantedBy: {
    id: string;
    type: 'page' | 'space';
    title?: string;
    name?: string;
    parentId?: string;
  };
 }
 export interface PagePermissionsResponse {
  page: {
    id: string;
    title: string;
    hasCustomPermissions: boolean;
    inheritPermissions: boolean;
    permissions: IPagePermission[];
  };
 }
@Injectable()
 export class PagePermissionService {
  constructor(
    private pageMemberRepo: PagePermissionRepo,
    private pageRepo: PageRepo,
    private sharedPagesRepo: SharedPagesRepo,
    private userRepo: UserRepo,
    private groupRepo: GroupRepo,
    private spaceMemberRepo: SpaceMemberRepo,
    @InjectKysely() private readonly db: KyselyDB,
  ) {}
  async addUserToPage(
    userId: string,
    pageId: string,
    role: string,
    workspaceId: string,
    trx?: KyselyTransaction,
  ): Promise<void> {
    await this.pageMemberRepo.insertPageMember(
      {
        userId: userId,
        pageId: pageId,
        role: role,
      },
      trx,
    );
  }
  async addGroupToPage(
    groupId: string,
    pageId: string,
    role: string,
    workspaceId: string,
    trx?: KyselyTransaction,
  ): Promise<void> {
    await this.pageMemberRepo.insertPageMember(
      {
        groupId: groupId,
        pageId: pageId,
        role: role,
      },
      trx,
    );
  }
  async getPageMembers(
    pageId: string,
    workspaceId: string,
    pagination: PaginationOptions,
  ) {
    const page = await this.pageRepo.findById(pageId);
    // const page = await this.pageRepo.findById(pageId, { workspaceId });
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const members = await this.pageMemberRepo.getPageMembersPaginated(
      pageId,
      pagination,
    );
    return members;
  }
  async restrictPage(authUser: User, pageId: string) {
    // to add custom permissions to a page,
    // we have to restrict the page first.
    // the user is here because they can restrict this page
    // TODO: make sure page is not in trash
    // Not sure if normal users can see restricted pages in trash.
    await this.db
      .updateTable('pages')
      .set({
        isRestricted: true,
        restrictedById: authUser.id,
      })
      .where('id', '=', pageId)
      .execute();
  }
  async addMembersToPageBatch(
    dto: AddPageMembersDto,
    authUser: User,
    workspaceId: string,
  ): Promise<void> {
    try {
      const page = await this.pageRepo.findById(dto.pageId);
      //const page = await this.pageRepo.findById(dto.pageId, { workspaceId });
      if (!page) {
        throw new NotFoundException('Page not found');
      }
      // Validate role
      if (!Object.values(PageMemberRole).includes(dto.role as PageMemberRole)) {
        throw new BadRequestException(`Invalid role: ${dto.role}`);
      }
      // Enable custom permissions if adding first member
      /*if (!page.hasCustomPermissions) {
        await this.pageRepo.update(dto.pageId, {
          hasCustomPermissions: true,
          inheritPermissions: false,
        });
      }*/
      // Make sure we have valid workspace users
      const validUsersQuery = this.db
        .selectFrom('users')
        .select(['id', 'name'])
        .where('users.id', 'in', dto.userIds)
        .where('users.workspaceId', '=', workspaceId)
        .where(({ not, exists, selectFrom }) =>
          not(
            exists(
              selectFrom('pagePermissions')
                .select('id')
                .whereRef('pagePermissions.userId', '=', 'users.id')
                .where('pagePermissions.pageId', '=', dto.pageId),
            ),
          ),
        );
      const validGroupsQuery = this.db
        .selectFrom('groups')
        .select(['id', 'name'])
        .where('groups.id', 'in', dto.groupIds)
        .where('groups.workspaceId', '=', workspaceId)
        .where(({ not, exists, selectFrom }) =>
          not(
            exists(
              selectFrom('pagePermissions')
                .select('id')
                .whereRef('pagePermissions.groupId', '=', 'groups.id')
                .where('pagePermissions.pageId', '=', dto.pageId),
            ),
          ),
        );
      let validUsers = [],
        validGroups = [];
      if (dto.userIds && dto.userIds.length > 0) {
        validUsers = await validUsersQuery.execute();
      }
      if (dto.groupIds && dto.groupIds.length > 0) {
        validGroups = await validGroupsQuery.execute();
      }
      const usersToAdd = [];
      for (const user of validUsers) {
        usersToAdd.push({
          pageId: dto.pageId,
          userId: user.id,
          role: dto.role,
          addedById: authUser.id,
        });
        // Track orphaned page access if user doesn't have parent access
        if (page.parentPageId && dto.role !== PageMemberRole.NONE) {
          const hasParentAccess = await this.checkParentAccess(
            user.id,
            page.parentPageId,
          );
          if (!hasParentAccess) {
            await this.sharedPagesRepo.addSharedPage(user.id, dto.pageId);
          }
        }
      }
      const groupsToAdd = [];
      for (const group of validGroups) {
        groupsToAdd.push({
          pageId: dto.pageId,
          groupId: group.id,
          role: dto.role,
          addedById: authUser.id,
        });
      }
      const membersToAdd = [...usersToAdd, ...groupsToAdd];
      if (membersToAdd.length > 0) {
        await this.db
          .insertInto('pagePermissions')
          .values(membersToAdd)
          .execute();
      }
      // Apply to child pages if requested
      if (dto.cascade) {
        await this.cascadeToChildren(dto.pageId, membersToAdd);
      }
    } catch (error) {
      if (
        error instanceof NotFoundException ||
        error instanceof BadRequestException
      ) {
        throw error;
      }
      throw new BadRequestException(
        'Failed to add members to page. Please try again.',
      );
    }
  }
  async removePageMember(
    dto: RemovePageMemberDto,
    workspaceId: string,
  ): Promise<void> {
    const member = await this.db
      .selectFrom('pagePermissions')
      .innerJoin('pages', 'pages.id', 'pagePermissions.pageId')
      .select(['pagePermissions.id', 'pagePermissions.userId'])
      .where('pagePermissions.id', '=', dto.memberId)
      .where('pagePermissions.pageId', '=', dto.pageId)
      .where('pages.workspaceId', '=', workspaceId)
      .executeTakeFirst();
    if (!member) {
      throw new NotFoundException('Page member not found');
    }
    // Check if this is the last admin
    const adminCount = await this.pageMemberRepo.roleCountByPageId(
      PageMemberRole.ADMIN,
      dto.pageId,
    );
    if (adminCount === 1) {
      const memberToRemove = await this.pageMemberRepo.getPageMemberByTypeId(
        dto.pageId,
        { userId: member.userId },
      );
      if (memberToRemove?.role === PageMemberRole.ADMIN) {
        throw new BadRequestException('Cannot remove the last admin from page');
      }
    }
    await this.pageMemberRepo.removePageMemberById(dto.memberId, dto.pageId);
    // Remove from shared pages if it was tracked
    if (member.userId) {
      await this.sharedPagesRepo.removeSharedPage(member.userId, dto.pageId);
    }
  }
  async updatePageMemberRole(
    dto: UpdatePageMemberRoleDto,
    workspaceId: string,
  ): Promise<void> {
    const member = await this.db
      .selectFrom('pagePermissions')
      .innerJoin('pages', 'pages.id', 'pagePermissions.pageId')
      .select(['pagePermissions.id', 'pagePermissions.role'])
      .where('pagePermissions.id', '=', dto.memberId)
      .where('pagePermissions.pageId', '=', dto.pageId)
      .where('pages.workspaceId', '=', workspaceId)
      .executeTakeFirst();
    if (!member) {
      throw new NotFoundException('Page member not found');
    }
    if (
      member.role === PageMemberRole.ADMIN &&
      dto.role !== PageMemberRole.ADMIN
    ) {
      const adminCount = await this.pageMemberRepo.roleCountByPageId(
        PageMemberRole.ADMIN,
        dto.pageId,
      );
      if (adminCount === 1) {
        throw new BadRequestException('Cannot change role of the last admin');
      }
    }
    await this.pageMemberRepo.updatePageMember(
      { role: dto.role },
      dto.memberId,
      dto.pageId,
    );
  }
  async updatePagePermission(
    dto: UpdatePagePermissionDto,
  ): Promise<PagePermissionsResponse> {
    const { pageId, userId, groupId, role, cascade } = dto;
    try {
      // Validate inputs
      if (!userId && !groupId) {
        throw new BadRequestException(
          'Either userId or groupId must be provided',
        );
      }
      if (userId && groupId) {
        throw new BadRequestException('Cannot provide both userId and groupId');
      }
      if (!Object.values(PageMemberRole).includes(role as PageMemberRole)) {
        throw new BadRequestException(`Invalid role: ${role}`);
      }
      await executeTx(this.db, async (trx) => {
        // Update the role
        if (userId) {
          await this.pageMemberRepo.upsertPageMember(
            {
              pageId,
              userId,
              role,
            },
            trx,
          );
        } else if (groupId) {
          await this.pageMemberRepo.upsertPageMember(
            {
              pageId,
              groupId,
              role,
            },
            trx,
          );
        }
        // Mark page as having custom permissions
        /* await this.pageRepo.update(
          pageId,
          {
            hasCustomPermissions: true,
            inheritPermissions: false,
          },
          trx,
        );*/
        // Cascade to children if requested
        if (cascade) {
          const descendants = await this.pageRepo.getAllDescendants(
            pageId,
            trx,
          );
          for (const childId of descendants) {
            if (userId) {
              await this.pageMemberRepo.upsertPageMember(
                {
                  pageId: childId,
                  userId,
                  role,
                },
                trx,
              );
            } else if (groupId) {
              await this.pageMemberRepo.upsertPageMember(
                {
                  pageId: childId,
                  groupId,
                  role,
                },
                trx,
              );
            }
          }
        }
      });
      // Return comprehensive permission data
      return this.getPagePermissions(pageId);
    } catch (error) {
      if (error instanceof BadRequestException) {
        throw error;
      }
      throw new BadRequestException(
        'Failed to update page permissions. Please try again.',
      );
    }
  }
  async getPagePermissions(pageId: string): Promise<PagePermissionsResponse> {
    const page = await this.pageRepo.findById(pageId, { includeSpace: true });
    if (!page) {
      throw new NotFoundException('Page not found');
    }
    const permissions: IPagePermission[] = [];
    // 1. Get direct page members
    const directMembers = await this.pageMemberRepo.getPageMembers(pageId);
    // Batch fetch all users and groups
    const userIds = directMembers.filter((m) => m.userId).map((m) => m.userId);
    const groupIds = directMembers
      .filter((m) => m.groupId)
      .map((m) => m.groupId);
    const [users, groups] = await Promise.all([
      userIds.length > 0
        ? this.db
            .selectFrom('users')
            .selectAll()
            .where('id', 'in', userIds)
            .execute()
        : Promise.resolve([]),
      groupIds.length > 0
        ? this.db
            .selectFrom('groups')
            .selectAll()
            .where('id', 'in', groupIds)
            .execute()
        : Promise.resolve([]),
    ]);
    const userMap = new Map(users.map((u) => [u.id, u] as const));
    const groupMap = new Map(groups.map((g) => [g.id, g] as const));
    // Build permissions with batch-fetched data
    for (const member of directMembers) {
      let memberData: any = null;
      if (member.userId) {
        const user = userMap.get(member.userId);
        if (user) {
          memberData = {
            id: user.id,
            type: 'user' as const,
            email: user.email,
            displayName: user.name,
            avatarUrl: user.avatarUrl,
            workspaceRole: user.role,
          };
        }
      } else if (member.groupId) {
        const group = groupMap.get(member.groupId);
        if (group) {
          memberData = {
            id: group.id,
            type: 'group' as const,
            name: group.name,
            memberCount: await this.db
              .selectFrom('groupUsers')
              .select((eb) => eb.fn.count('userId').as('count'))
              .where('groupId', '=', group.id)
              .executeTakeFirst()
              .then((result) => Number(result?.count || 0)),
          };
        }
      }
      if (memberData) {
        permissions.push({
          id: member.id,
          cascade: true, // Page permissions cascade by default
          member: memberData,
          membershipRole: {
            id: member.id,
            level: member.role,
            source: 'direct',
          },
          grantedBy: {
            id: pageId,
            type: 'page',
            title: page.title,
          },
        });
      }
    }
    // 2. Get inherited space members (if page inherits)
    if (page) {
      //if (page.inheritPermissions || !page.hasCustomPermissions) {
      const spaceMembers = await this.spaceMemberRepo.getSpaceMembersPaginated(
        page.spaceId,
        { page: 1, limit: 100 },
      );
      for (const spaceMember of spaceMembers.items as any[]) {
        // Skip if user has direct page permission
        const hasDirect = directMembers.some(
          (dm) =>
            (dm.userId === spaceMember.id && spaceMember.type === 'user') ||
            (dm.groupId === spaceMember.id && spaceMember.type === 'group'),
        );
        if (!hasDirect) {
          permissions.push({
            id: `space-${spaceMember.id}`,
            cascade: false, // Space permissions don't cascade to page children
            member: {
              id: spaceMember.id,
              type: spaceMember.type as 'user' | 'group',
              email: spaceMember.email,
              displayName: spaceMember.name,
              avatarUrl: spaceMember.avatarUrl,
              name: spaceMember.name,
              memberCount: Number(spaceMember.memberCount || 0),
            },
            membershipRole: {
              id: `space-role-${spaceMember.id}`,
              level: spaceMember.role,
              source: 'inherited',
            },
            grantedBy: {
              id: page.spaceId,
              type: 'space',
              name: (page as any).space?.name,
            },
          });
        }
      }
    }
    return {
      page: {
        id: page.id,
        title: page.title,
        hasCustomPermissions: true,
        inheritPermissions: false,
        permissions,
      },
    };
  }
  private async checkParentAccess(
    userId: string,
    parentPageId: string | null,
  ): Promise<boolean> {
    if (!parentPageId) return true; // Root pages always accessible
    const parentAccess = await this.pageMemberRepo.resolveUserPageAccess(
      userId,
      parentPageId,
    );
    return parentAccess !== null && parentAccess !== PageMemberRole.NONE;
  }
  private async cascadeToChildren(
    pageId: string,
    membersToAdd: any[],
  ): Promise<void> {
    const descendants = await this.pageRepo.getAllDescendants(pageId);
    if (descendants.length === 0) return;
    // Separate user and group members for proper conflict handling
    const userMembers = membersToAdd.filter((m) => m.userId);
    const groupMembers = membersToAdd.filter((m) => m.groupId);
    for (const childId of descendants) {
      // Handle user members with proper conflict resolution
      if (userMembers.length > 0) {
        const childUserMembers = userMembers.map((m) => ({
          ...m,
          pageId: childId,
        }));
        await this.db
          .insertInto('pagePermissions')
          .values(childUserMembers)
          .onConflict((oc) =>
            oc.columns(['pageId', 'userId']).doUpdateSet({
              role: (eb) => eb.ref('excluded.role'),
              updatedAt: new Date(),
            }),
          )
          .execute();
      }
      // Handle group members separately
      if (groupMembers.length > 0) {
        const childGroupMembers = groupMembers.map((m) => ({
          ...m,
          pageId: childId,
        }));
        await this.db
          .insertInto('pagePermissions')
          .values(childGroupMembers)
          .onConflict((oc) =>
            oc.columns(['pageId', 'groupId']).doUpdateSet({
              role: (eb) => eb.ref('excluded.role'),
              updatedAt: new Date(),
            }),
          )
          .execute();
      }
    }
  }
 }
@@ -5,7 +5,7 @@ import {
  MaxLength,
  MinLength,
 } from 'class-validator';
-import { Transform, TransformFnParams } from 'class-transformer';
+import {Transform, TransformFnParams} from "class-transformer";
 export class CreateSpaceDto {
  @MinLength(2)
@@ -1,5 +1,6 @@
 import {
  BadRequestException,
  Inject,
  Injectable,
  NotFoundException,
 } from '@nestjs/common';
@@ -14,6 +15,11 @@ import { RemoveSpaceMemberDto } from '../dto/remove-space-member.dto';
 import { UpdateSpaceMemberRoleDto } from '../dto/update-space-member-role.dto';
 import { SpaceRole } from '../../../common/helpers/types/permission';
 import { PaginationResult } from '@docmost/db/pagination/pagination';
 import { AuditEvent } from '../../../common/events/audit-events';
 import {
  AUDIT_SERVICE,
  IAuditService,
 } from '../../../integrations/audit/audit.service';
@Injectable()
 export class SpaceMemberService {
@@ -21,6 +27,7 @@ export class SpaceMemberService {
    private spaceMemberRepo: SpaceMemberRepo,
    private spaceRepo: SpaceRepo,
    @InjectKysely() private readonly db: KyselyDB,
    @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
  ) {}
  async addUserToSpace(
@@ -161,8 +168,43 @@ export class SpaceMemberService {
    if (membersToAdd.length > 0) {
      await this.spaceMemberRepo.insertSpaceMember(membersToAdd);
-    } else {
+
-      // either they are already members or do not exist on the workspace
+      // Audit log for each member added
      for (const user of validUsers) {
        this.auditService.log({
          event: AuditEvent.SPACE_MEMBER_ADDED,
          resourceType: 'space_members',
          resourceId: dto.spaceId,
          changes: {
            after: { role: dto.role },
          },
          metadata: {
            spaceId: dto.spaceId,
            spaceName: space.name,
            userId: user.id,
            userName: user.name,
            memberType: 'user',
          },
        });
      }
      for (const group of validGroups) {
        this.auditService.log({
          event: AuditEvent.SPACE_MEMBER_ADDED,
          resourceType: 'space_members',
          resourceId: dto.spaceId,
          changes: {
            after: { role: dto.role },
          },
          metadata: {
            spaceId: dto.spaceId,
            spaceName: space.name,
            groupId: group.id,
            groupName: group.name,
            memberType: 'group',
          },
        });
      }
    }
  }
@@ -209,6 +251,22 @@ export class SpaceMemberService {
      spaceMember.id,
      dto.spaceId,
    );
    this.auditService.log({
      event: AuditEvent.SPACE_MEMBER_REMOVED,
      resourceType: 'space_member',
      resourceId: dto.spaceId,
      changes: {
        before: { role: spaceMember.role },
      },
      metadata: {
        spaceId: dto.spaceId,
        spaceName: space.name,
        userId: spaceMember.userId,
        groupId: spaceMember.groupId,
        memberType: spaceMember.userId ? 'user' : 'group',
      },
    });
  }
  async updateSpaceMemberRole(
@@ -259,6 +317,23 @@ export class SpaceMemberService {
      spaceMember.id,
      dto.spaceId,
    );
    this.auditService.log({
      event: AuditEvent.SPACE_MEMBER_ROLE_CHANGED,
      resourceType: 'space_members',
      resourceId: dto.spaceId,
      changes: {
        before: { role: spaceMember.role },
        after: { role: dto.role },
      },
      metadata: {
        spaceId: dto.spaceId,
        spaceName: space.name,
        userId: spaceMember.userId,
        groupId: spaceMember.groupId,
        memberType: spaceMember.userId ? 'user' : 'group',
      },
    });
  }
  async validateLastAdmin(spaceId: string): Promise<void> {
@@ -70,9 +70,7 @@ export class UserService {
      );
      if (!isPasswordMatch) {
-        throw new BadRequestException(
+        throw new BadRequestException('You must provide the correct password to change your email');
          'You must provide the correct password to change your email',
        );
      }
      if (await this.userRepo.findByEmail(updateUserDto.email, workspace.id)) {
@@ -1,5 +1,6 @@
 import {
  BadRequestException,
  Inject,
  Injectable,
  Logger,
  NotFoundException,
@@ -33,6 +34,11 @@ import {
  validateAllowedEmail,
  validateSsoEnforcement,
 } from '../../auth/auth.util';
 import { AuditEvent } from '../../../common/events/audit-events';
 import {
  AUDIT_SERVICE,
  IAuditService,
 } from '../../../integrations/audit/audit.service';
@Injectable()
 export class WorkspaceInvitationService {
@@ -46,6 +52,7 @@ export class WorkspaceInvitationService {
    @InjectKysely() private readonly db: KyselyDB,
    @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
    private readonly environmentService: EnvironmentService,
    @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
  ) {}
  async getInvitations(workspaceId: string, pagination: PaginationOptions) {
@@ -179,6 +186,24 @@ export class WorkspaceInvitationService {
          workspace.hostname,
        );
      });
      // Audit log for each invitation created
      for (const invitation of invites) {
        this.auditService.log({
          event: AuditEvent.WORKSPACE_INVITE_CREATED,
          resourceType: 'workspace_invitation',
          resourceId: invitation.id,
          changes: {
            after: {
              email: invitation.email,
              role: invitation.role,
            },
          },
          metadata: {
            groupIds: invitation.groupIds,
          },
        });
      }
    }
  }
@@ -344,11 +369,32 @@ export class WorkspaceInvitationService {
    invitationId: string,
    workspaceId: string,
  ): Promise<void> {
    const invitation = await this.db
      .selectFrom('workspaceInvitations')
      .select(['id', 'email', 'role'])
      .where('id', '=', invitationId)
      .where('workspaceId', '=', workspaceId)
      .executeTakeFirst();
    await this.db
      .deleteFrom('workspaceInvitations')
      .where('id', '=', invitationId)
      .where('workspaceId', '=', workspaceId)
      .execute();
    if (invitation) {
      this.auditService.log({
        event: AuditEvent.WORKSPACE_INVITE_REVOKED,
        resourceType: 'workspace_invitation',
        resourceId: invitation.id,
        changes: {
          before: {
            email: invitation.email,
            role: invitation.role,
          },
        },
      });
    }
  }
  async getInvitationLinkById(
@@ -1,6 +1,7 @@
 import {
  BadRequestException,
  ForbiddenException,
  Inject,
  Injectable,
  Logger,
  NotFoundException,
@@ -34,6 +35,11 @@ import { QueueJob, QueueName } from '../../../integrations/queue/constants';
 import { Queue } from 'bullmq';
 import { generateRandomSuffixNumbers } from '../../../common/helpers';
 import { isPageEmbeddingsTableExists } from '@docmost/db/helpers/helpers';
 import { AuditEvent } from '../../../common/events/audit-events';
 import {
  AUDIT_SERVICE,
  IAuditService,
 } from '../../../integrations/audit/audit.service';
@Injectable()
 export class WorkspaceService {
@@ -52,6 +58,7 @@ export class WorkspaceService {
    @InjectQueue(QueueName.ATTACHMENT_QUEUE) private attachmentQueue: Queue,
    @InjectQueue(QueueName.BILLING_QUEUE) private billingQueue: Queue,
    @InjectQueue(QueueName.AI_QUEUE) private aiQueue: Queue,
    @Inject(AUDIT_SERVICE) private readonly auditService: IAuditService,
  ) {}
  async findById(workspaceId: string) {
@@ -428,6 +435,20 @@ export class WorkspaceService {
      user.id,
      workspaceId,
    );
    this.auditService.log({
      event: AuditEvent.USER_ROLE_CHANGED,
      resourceType: 'users',
      resourceId: user.id,
      changes: {
        before: { role: user.role },
        after: { role: newRole },
      },
      metadata: {
        userName: user.name,
        userEmail: user.email,
      },
    });
  }
  async generateHostname(
@@ -531,6 +552,19 @@ export class WorkspaceService {
        .execute();
    });
    this.auditService.log({
      event: AuditEvent.USER_DELETED,
      resourceType: 'users',
      resourceId: user.id,
      changes: {
        before: {
          name: user.name,
          email: user.email,
          role: user.role,
        },
      },
    });
    try {
      await this.attachmentQueue.add(QueueJob.DELETE_USER_AVATARS, user);
    } catch (err) {
@@ -26,7 +26,6 @@ import { UserTokenRepo } from './repos/user-token/user-token.repo';
 import { BacklinkRepo } from '@docmost/db/repos/backlink/backlink.repo';
 import { ShareRepo } from '@docmost/db/repos/share/share.repo';
 import { PageListener } from '@docmost/db/listeners/page.listener';
 import { PagePermissionRepo } from '@docmost/db/repos/page/page-permission-repo.service';
 // https://github.com/brianc/node-postgres/issues/811
 types.setTypeParser(types.builtins.INT8, (val) => Number(val));
@@ -79,7 +78,6 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
    BacklinkRepo,
    ShareRepo,
    PageListener,
    PagePermissionRepo,
  ],
  exports: [
    WorkspaceRepo,
@@ -95,7 +93,6 @@ types.setTypeParser(types.builtins.INT8, (val) => Number(val));
    UserTokenRepo,
    BacklinkRepo,
    ShareRepo,
    PagePermissionRepo,
  ],
 })
 export class DatabaseModule
@@ -3,7 +3,7 @@ import { type Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .alterTable('pages')
-    .addColumn('contributor_ids', sql`uuid[]`, (col) => col.defaultTo('{}'))
+    .addColumn('contributor_ids', sql`uuid[]`, (col) => col.defaultTo("{}"))
    .execute();
 }
@@ -1,102 +0,0 @@
 import { Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .createTable('page_permissions')
    .addColumn('id', 'uuid', (col) =>
      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
    )
    .addColumn('user_id', 'uuid', (col) =>
      col.references('users.id').onDelete('cascade'),
    )
    .addColumn('group_id', 'uuid', (col) =>
      col.references('groups.id').onDelete('cascade'),
    )
    .addColumn('page_id', 'uuid', (col) =>
      col.notNull().references('pages.id').onDelete('cascade'),
    )
    .addColumn('role', 'varchar', (col) => col.notNull())
    .addColumn('cascade', 'boolean', (col) => col.defaultTo(true).notNull()) // children can inherit
    .addColumn('added_by_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .addColumn('created_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addColumn('updated_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addColumn('deleted_at', 'timestamptz')
    .addUniqueConstraint('unique_page_user', ['page_id', 'user_id'])
    .addUniqueConstraint('unique_page_group', ['page_id', 'group_id'])
    .addCheckConstraint(
      'allow_either_user_id_or_group_id_check',
      sql`(user_id IS NOT NULL AND group_id IS NULL) OR (user_id IS NULL AND group_id IS NOT NULL)`,
    )
    .execute();
  await db.schema
    .alterTable('pages')
    .addColumn('is_restricted', 'boolean', (col) =>
      col.defaultTo(false).notNull(),
    )
    .addColumn('restricted_by_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .execute();
  // Add indexes for performance
  await db.schema
    .createIndex('idx_page_permissions_page_id')
    .on('page_permissions')
    .column('page_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_user_id')
    .on('page_permissions')
    .column('user_id')
    .execute();
  await db.schema
    .createIndex('idx_page_permissions_group_id')
    .on('page_permissions')
    .column('group_id')
    .execute();
  // Create user_shared_pages table for tracking orphaned page access
  await db.schema
    .createTable('user_shared_pages')
    .addColumn('user_id', 'uuid', (col) =>
      col.notNull().references('users.id').onDelete('cascade'),
    )
    .addColumn('page_id', 'uuid', (col) =>
      col.notNull().references('pages.id').onDelete('cascade'),
    )
    .addColumn('shared_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .addPrimaryKeyConstraint('user_shared_pages_pkey', ['user_id', 'page_id'])
    .execute();
  await db.schema
    .createIndex('idx_user_shared_pages_user_id')
    .on('user_shared_pages')
    .column('user_id')
    .execute();
  await db.schema
    .createIndex('idx_user_shared_pages_shared_at')
    .on('user_shared_pages')
    .column('shared_at')
    .execute();
 }
 export async function down(db: Kysely<any>): Promise<void> {
  await db.schema.alterTable('pages').dropColumn('is_restricted').execute();
  await db.schema.alterTable('pages').dropColumn('restricted_by_id').execute();
  await db.schema.dropTable('user_shared_pages').execute();
  await db.schema.dropTable('page_permissions').execute();
 }
@@ -0,0 +1,32 @@
 import { Kysely, sql } from 'kysely';
 export async function up(db: Kysely<any>): Promise<void> {
  await db.schema
    .createTable('audit_logs')
    .addColumn('id', 'uuid', (col) =>
      col.primaryKey().defaultTo(sql`gen_uuid_v7()`),
    )
    .addColumn('workspace_id', 'uuid', (col) =>
      col.notNull().references('workspaces.id').onDelete('cascade'),
    )
    .addColumn('actor_id', 'uuid', (col) =>
      col.references('users.id').onDelete('set null'),
    )
    .addColumn('actor_type', 'varchar', (col) =>
      col.notNull().defaultTo('user'),
    )
    .addColumn('event', 'varchar', (col) => col.notNull())
    .addColumn('resource_type', 'varchar', (col) => col.notNull())
    .addColumn('resource_id', 'uuid')
    .addColumn('changes', 'jsonb')
    .addColumn('metadata', 'jsonb')
    .addColumn('ip_address', sql `inet`)
    .addColumn('created_at', 'timestamptz', (col) =>
      col.notNull().defaultTo(sql`now()`),
    )
    .execute();
 }
 export async function down(db: Kysely<any>): Promise<void> {
  await db.schema.dropTable('audit_logs').execute();
 }
@@ -23,9 +23,9 @@ export class PaginationOptions {
  @IsOptional()
  @IsString()
-  query?: string;
+  query: string;
  @IsOptional()
  @IsBoolean()
-  adminView?: boolean;
+  adminView: boolean;
 }
@@ -105,10 +105,7 @@ export class CommentRepo {
    return Number(result?.count) > 0;
  }
-  async hasChildrenFromOtherUsers(
+  async hasChildrenFromOtherUsers(commentId: string, userId: string): Promise<boolean> {
    commentId: string,
    userId: string,
  ): Promise<boolean> {
    const result = await this.db
      .selectFrom('comments')
      .select((eb) => eb.fn.count('id').as('count'))
@@ -57,11 +57,7 @@ export class GroupUserRepo {
    if (pagination.query) {
      query = query.where((eb) =>
-        eb(
+        eb(sql`f_unaccent(users.name)`, 'ilike', sql`f_unaccent(${'%' + pagination.query + '%'})`),
          sql`f_unaccent(users.name)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
        ),
      );
    }
@@ -114,11 +114,7 @@ export class GroupRepo {
    if (pagination.query) {
      query = query.where((eb) =>
-        eb(
+        eb(sql`f_unaccent(name)`, 'ilike', sql`f_unaccent(${'%' + pagination.query + '%'})`).or(
          sql`f_unaccent(name)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
        ).or(
          sql`f_unaccent(description)`,
          'ilike',
          sql`f_unaccent(${'%' + pagination.query + '%'})`,
@@ -454,46 +454,4 @@ export class PageRepo {
      .selectAll()
      .execute();
  }
  async update(
    pageId: string,
    updatablePage: UpdatablePage,
    trx?: KyselyTransaction,
  ): Promise<void> {
    const db = dbOrTx(this.db, trx);
    await db
      .updateTable('pages')
      .set({ ...updatablePage, updatedAt: new Date() })
      .where('id', '=', pageId)
      .execute();
  }
  async getAllDescendants(
    pageId: string,
    trx?: KyselyTransaction,
  ): Promise<string[]> {
    const db = dbOrTx(this.db, trx);
    // Recursive CTE to get all descendants
    const descendants = await db
      .withRecursive('page_tree', (qb) =>
        qb
          .selectFrom('pages')
          .select(['id', 'parentPageId'])
          .where('parentPageId', '=', pageId)
          .where('deletedAt', 'is', null)
          .unionAll((eb) =>
            eb
              .selectFrom('pages as p')
              .innerJoin('page_tree as pt', 'p.parentPageId', 'pt.id')
              .select(['p.id', 'p.parentPageId'])
              .where('p.deletedAt', 'is', null),
          ),
      )
      .selectFrom('page_tree')
      .select('id')
      .execute();
    return descendants.map((d) => d.id);
  }
 }
@@ -1,58 +0,0 @@
 import { Injectable } from '@nestjs/common';
 import { InjectKysely } from 'nestjs-kysely';
 import { KyselyDB } from '../../types/kysely.types';
 import { Page } from '../../types/entity.types';
 import { PageMemberRole } from './page-permission-repo.service';
@Injectable()
 export class SharedPagesRepo {
  constructor(@InjectKysely() private readonly db: KyselyDB) {}
  async addSharedPage(userId: string, pageId: string): Promise<void> {
    await this.db
      .insertInto('userSharedPages')
      .values({
        userId,
        pageId,
        sharedAt: new Date(),
      })
      .onConflict((oc) => oc.columns(['userId', 'pageId']).doNothing())
      .execute();
  }
  async removeSharedPage(userId: string, pageId: string): Promise<void> {
    await this.db
      .deleteFrom('userSharedPages')
      .where('userId', '=', userId)
      .where('pageId', '=', pageId)
      .execute();
  }
  async getUserSharedPages(userId: string): Promise<Page[]> {
    return await this.db
      .selectFrom('userSharedPages as usp')
      .innerJoin('pages as p', 'p.id', 'usp.pageId')
      .innerJoin('pagePermissions as pm', (join) =>
        join
          .onRef('pm.pageId', '=', 'p.id')
          .on('pm.userId', '=', userId)
          .on('pm.role', '!=', PageMemberRole.NONE),
      )
      .selectAll('p')
      .where('usp.userId', '=', userId)
      .where('p.deletedAt', 'is', null)
      .orderBy('usp.sharedAt', 'desc')
      .execute();
  }
  async isPageSharedWithUser(userId: string, pageId: string): Promise<boolean> {
    const result = await this.db
      .selectFrom('userSharedPages')
      .select('userId')
      .where('userId', '=', userId)
      .where('pageId', '=', pageId)
      .executeTakeFirst();
    return !!result;
  }
 }
@@ -3,18 +3,13 @@
 * Please do not edit it manually.
 */
-import type { ColumnType } from 'kysely';
+import type { ColumnType } from "kysely";
-export type Generated<T> =
+export type Generated<T> = T extends ColumnType<infer S, infer I, infer U>
-  T extends ColumnType<infer S, infer I, infer U>
+  ? ColumnType<S, I | undefined, U>
-    ? ColumnType<S, I | undefined, U>
+  : ColumnType<T, T | undefined, T>;
    : ColumnType<T, T | undefined, T>;
-export type Int8 = ColumnType<
+export type Int8 = ColumnType<string, bigint | number | string, bigint | number | string>;
  string,
  bigint | number | string,
  bigint | number | string
 >;
 export type Json = JsonValue;
@@ -32,13 +27,13 @@ export type Timestamp = ColumnType<Date, Date | string, Date | string>;
 export interface ApiKeys {
  createdAt: Generated<Timestamp>;
  creatorId: string;
  deletedAt: Timestamp | null;
  expiresAt: Timestamp | null;
  id: Generated<string>;
  lastUsedAt: Timestamp | null;
  name: string | null;
  updatedAt: Generated<Timestamp>;
  creatorId: string;
  workspaceId: string;
 }
@@ -61,6 +56,20 @@ export interface Attachments {
  workspaceId: string;
 }
 export interface AuditLogs {
  actorId: string | null;
  actorType: Generated<string>;
  changes: Json | null;
  createdAt: Generated<Timestamp>;
  event: string;
  id: Generated<string>;
  ipAddress: string | null;
  metadata: Json | null;
  resourceId: string | null;
  resourceType: string;
  workspaceId: string;
 }
 export interface AuthAccounts {
  authProviderId: string | null;
  createdAt: Generated<Timestamp>;
@@ -77,25 +86,25 @@ export interface AuthProviders {
  createdAt: Generated<Timestamp>;
  creatorId: string | null;
  deletedAt: Timestamp | null;
  groupSync: Generated<boolean>;
  id: Generated<string>;
  isEnabled: Generated<boolean>;
  groupSync: Generated<boolean>;
  ldapBaseDn: string | null;
  ldapBindDn: string | null;
  ldapBindPassword: string | null;
  ldapConfig: Json | null;
  ldapTlsCaCert: string | null;
  ldapTlsEnabled: Generated<boolean | null>;
  ldapUrl: string | null;
  ldapUserAttributes: Json | null;
  ldapUserSearchFilter: string | null;
  ldapConfig: Json | null;
  settings: Json | null;
  name: string;
  oidcClientId: string | null;
  oidcClientSecret: string | null;
  oidcIssuer: string | null;
  samlCertificate: string | null;
  samlUrl: string | null;
  settings: Json | null;
  type: string;
  updatedAt: Generated<Timestamp>;
  workspaceId: string;
@@ -214,19 +223,6 @@ export interface PageHistory {
  workspaceId: string;
 }
 export interface PagePermissions {
  addedById: string | null;
  cascade: Generated<boolean>;
  createdAt: Generated<Timestamp>;
  deletedAt: Timestamp | null;
  groupId: string | null;
  id: Generated<string>;
  pageId: string;
  role: string;
  updatedAt: Generated<Timestamp>;
  userId: string | null;
 }
 export interface Pages {
  content: Json | null;
  contributorIds: Generated<string[] | null>;
@@ -313,12 +309,12 @@ export interface Users {
  deletedAt: Timestamp | null;
  email: string;
  emailVerifiedAt: Timestamp | null;
  hasGeneratedPassword: Generated<boolean | null>;
  id: Generated<string>;
  invitedById: string | null;
  lastActiveAt: Timestamp | null;
  lastLoginAt: Timestamp | null;
  locale: string | null;
  hasGeneratedPassword: Generated<boolean | null>;
  name: string | null;
  password: string | null;
  role: string | null;
@@ -328,12 +324,6 @@ export interface Users {
  workspaceId: string | null;
 }
 export interface UserSharedPages {
  pageId: string;
  sharedAt: Generated<Timestamp>;
  userId: string;
 }
 export interface UserTokens {
  createdAt: Generated<Timestamp>;
  expiresAt: Timestamp | null;
@@ -384,6 +374,7 @@ export interface Workspaces {
 export interface DB {
  apiKeys: ApiKeys;
  attachments: Attachments;
  auditLogs: AuditLogs;
  authAccounts: AuthAccounts;
  authProviders: AuthProviders;
  backlinks: Backlinks;
@@ -393,14 +384,13 @@ export interface DB {
  groups: Groups;
  groupUsers: GroupUsers;
  pageHistory: PageHistory;
-  pagePermissions: PagePermissions;
+  AuditLog: PagePermissions;
  pages: Pages;
  shares: Shares;
  spaceMembers: SpaceMembers;
  spaces: Spaces;
  userMfa: UserMfa;
  users: Users;
  userSharedPages: UserSharedPages;
  userTokens: UserTokens;
  workspaceInvitations: WorkspaceInvitations;
  workspaces: Workspaces;
@@ -1,51 +1,6 @@
-import {
+import { DB } from '@docmost/db/types/db';
  ApiKeys,
  Attachments,
  AuthAccounts,
  AuthProviders,
  Backlinks,
  Billing,
  Comments,
  FileTasks,
  Groups,
  GroupUsers,
  PageHistory,
  PagePermissions,
  Pages,
  Shares,
  SpaceMembers,
  Spaces,
  UserMfa,
  Users,
  UserSharedPages,
  UserTokens,
  WorkspaceInvitations,
  Workspaces,
 } from '@docmost/db/types/db';
 import { PageEmbeddings } from '@docmost/db/types/embeddings.types';
-export interface DbInterface {
+export interface DbInterface extends DB {
  attachments: Attachments;
  authAccounts: AuthAccounts;
  authProviders: AuthProviders;
  backlinks: Backlinks;
  billing: Billing;
  comments: Comments;
  fileTasks: FileTasks;
  groups: Groups;
  groupUsers: GroupUsers;
  pageEmbeddings: PageEmbeddings;
  pagePermissions: PagePermissions;
  pageHistory: PageHistory;
  pages: Pages;
  shares: Shares;
  spaceMembers: SpaceMembers;
  spaces: Spaces;
  userMfa: UserMfa;
  users: Users;
  userSharedPages: UserSharedPages;
  userTokens: UserTokens;
  workspaceInvitations: WorkspaceInvitations;
  workspaces: Workspaces;
  apiKeys: ApiKeys;
 }
@@ -4,10 +4,8 @@ import {
  Comments,
  Groups,
  Pages,
  PagePermissions,
  Spaces,
  Users,
  UserSharedPages,
  Workspaces,
  PageHistory as History,
  GroupUsers,
@@ -22,6 +20,7 @@ import {
  FileTasks,
  UserMfa as _UserMFA,
  ApiKeys,
  AuditLogs,
 } from './db';
 import { PageEmbeddings } from '@docmost/db/types/embeddings.types';
@@ -52,15 +51,6 @@ export type SpaceMember = Selectable<SpaceMembers>;
 export type InsertableSpaceMember = Insertable<SpaceMembers>;
 export type UpdatableSpaceMember = Updateable<Omit<SpaceMembers, 'id'>>;
 // PageMember
 export type PagePermission = Selectable<PagePermissions>;
 export type InsertablePagePermission = Insertable<PagePermissions>;
 export type UpdatablePagePermission = Updateable<Omit<PagePermissions, 'id'>>;
 // UserSharedPage
 export type UserSharedPage = Selectable<UserSharedPages>;
 export type InsertableUserSharedPage = Insertable<UserSharedPages>;
 // Group
 export type ExtendedGroup = Groups & { memberCount: number };
@@ -142,3 +132,8 @@ export type UpdatableApiKey = Updateable<Omit<ApiKeys, 'id'>>;
 export type PageEmbedding = Selectable<PageEmbeddings>;
 export type InsertablePageEmbedding = Insertable<PageEmbeddings>;
 export type UpdatablePageEmbedding = Updateable<Omit<PageEmbeddings, 'id'>>;
 // Audit Log
 export type AuditLog = Selectable<AuditLogs>;
 export type InsertableAuditLog = Insertable<AuditLogs>;
 export type UpdatableAuditLog = Updateable<Omit<AuditLogs, 'id'>>;
@@ -0,0 +1,48 @@
 import { Injectable } from '@nestjs/common';
 import { AuditLogPayload, ActorType } from '../../common/events/audit-events';
 export type IAuditService = {
  log(payload: AuditLogPayload): void | Promise<void>;
  logWithContext(
    payload: AuditLogPayload,
    context: {
      workspaceId: string;
      actorId?: string;
      actorType?: ActorType;
      ipAddress?: string;
      userAgent?: string;
    },
  ): void | Promise<void>;
  setActorId(actorId: string): void;
  setActorType(actorType: ActorType): void;
 };
 export const AUDIT_SERVICE = Symbol('AUDIT_SERVICE');
@Injectable()
 export class NoopAuditService implements IAuditService {
  log(_payload: AuditLogPayload): void {
    // No-op: swallow the log when EE module is not available
  }
  logWithContext(
    _payload: AuditLogPayload,
    _context: {
      workspaceId: string;
      actorId?: string;
      actorType?: ActorType;
      ipAddress?: string;
      userAgent?: string;
    },
  ): void {
    // No-op: swallow the log when EE module is not available
  }
  setActorId(_actorId: string): void {
    // No-op
  }
  setActorType(_actorType: ActorType): void {
    // No-op
  }
 }
@@ -41,4 +41,4 @@ export class ExportSpaceDto {
  @IsOptional()
  @IsBoolean()
  includeAttachments?: boolean;
-}
+}
@@ -107,7 +107,7 @@ export class ExportService {
      const page = await this.pageRepo.findById(pageId, {
        includeContent: true,
      });
-      if (page) {
+      if (page){
        pages = [page];
      }
    }
@@ -69,21 +69,17 @@ function taskList(turndownService: TurndownService) {
        'input[type="checkbox"]',
      ) as HTMLInputElement;
      const isChecked = checkbox.checked;
-
+      
      // Process content like regular list items
      content = content
        .replace(/^\n+/, '') // remove leading newlines
        .replace(/\n+$/, '\n') // replace trailing newlines with just a single one
        .replace(/\n/gm, '\n  '); // indent nested content with 2 spaces
-
+      
      // Create the checkbox prefix
      const prefix = `- ${isChecked ? '[x]' : '[ ]'} `;
-
+      
-      return (
+      return prefix + content + (node.nextSibling && !/\n$/.test(content) ? '\n' : '');
        prefix +
        content +
        (node.nextSibling && !/\n$/.test(content) ? '\n' : '')
      );
    },
  });
 }
@@ -15,4 +15,4 @@ export type ImportPageNode = {
  parentPageId: string | null;
  fileExtension: string;
  filePath: string;
-};
+};
@@ -6,6 +6,7 @@ export enum QueueName {
  FILE_TASK_QUEUE = '{file-task-queue}',
  SEARCH_QUEUE = '{search-queue}',
  AI_QUEUE = '{ai-queue}',
  AUDIT_QUEUE = '{audit-queue}',
 }
 export enum QueueJob {
@@ -58,4 +59,7 @@ export enum QueueJob {
  GENERATE_PAGE_EMBEDDINGS = 'generate-page-embeddings',
  DELETE_PAGE_EMBEDDINGS = 'delete-page-embeddings',
  AUDIT_LOG = 'audit-log',
  AUDIT_CLEANUP = 'audit-cleanup',
 }
@@ -1,4 +1,5 @@
-import { MentionNode } from '../../../common/helpers/prosemirror/utils';
+import { MentionNode } from "../../../common/helpers/prosemirror/utils";
 export interface IPageBacklinkJob {
  pageId: string;
@@ -8,4 +9,4 @@ export interface IPageBacklinkJob {
 export interface IStripeSeatsSyncJob {
  workspaceId: string;
-}
+}
@@ -73,6 +73,14 @@ import { BacklinksProcessor } from './processors/backlinks.processor';
        attempts: 1,
      },
    }),
    BullModule.registerQueue({
      name: QueueName.AUDIT_QUEUE,
      defaultJobOptions: {
        removeOnComplete: true,
        removeOnFail: true,
        attempts: 3,
      },
    }),
  ],
  exports: [BullModule],
  providers: [BacklinksProcessor],
@@ -42,7 +42,7 @@ export class LocalDriver implements StorageDriver {
    try {
      const fromFullPath = this._fullPath(fromFilePath);
      const toFullPath = this._fullPath(toFilePath);
-
+      
      if (await this.exists(fromFilePath)) {
        await fs.copy(fromFullPath, toFullPath);
      }
@@ -40,8 +40,8 @@ export const storageDriverConfigProvider = {
          },
        };
-      case StorageOption.S3: {
+      case StorageOption.S3:
-        const s3Config = {
+        { const s3Config = {
          driver,
          config: {
            region: environmentService.getAwsS3Region(),
@@ -68,8 +68,7 @@ export const storageDriverConfigProvider = {
          };
        }
-        return s3Config;
+        return s3Config; }
      }
      default:
        throw new Error(`Unknown storage driver: ${driver}`);
@@ -578,6 +578,9 @@ importers:
      nanoid:
        specifier: 3.3.11
        version: 3.3.11
      nestjs-cls:
        specifier: ^4.5.0
        version: 4.5.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(reflect-metadata@0.2.2)(rxjs@7.8.2)
      nestjs-kysely:
        specifier: ^1.2.0
        version: 1.2.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(kysely@0.28.2)(reflect-metadata@0.2.2)
@@ -7982,6 +7985,15 @@ packages:
  neo-async@2.6.2:
    resolution: {integrity: sha512-Yd3UES5mWCSqR+qNT93S3UoYUkqAZ9lLg8a7g9rimsWmYGK8cVToA4/sF3RrshdyV3sAGMXVUmpMYOw+dLpOuw==}
  nestjs-cls@4.5.0:
    resolution: {integrity: sha512-oi3GNCc5pnsnVI5WJKMDwmg4NP+JyEw+edlwgepyUba5+RGGtJzpbVaaxXGW1iPbDuQde3/fA8Jdjq9j88BVcQ==}
    engines: {node: '>=16'}
    peerDependencies:
      '@nestjs/common': '> 7.0.0 < 11'
      '@nestjs/core': '> 7.0.0 < 11'
      reflect-metadata: '*'
      rxjs: '>= 7'
  nestjs-kysely@1.2.0:
    resolution: {integrity: sha512-KseCGb0SXCzIYC+Hx3Z3d+kPAfSZCSK6j9UoqUV/gcBCPad9utC7itmoUw0/w5sV+Jf9pc1DKpgClP1IkflA4w==}
    peerDependencies:
@@ -19131,6 +19143,13 @@ snapshots:
  neo-async@2.6.2: {}
  nestjs-cls@4.5.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(reflect-metadata@0.2.2)(rxjs@7.8.2):
    dependencies:
      '@nestjs/common': 11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2)
      '@nestjs/core': 11.1.9(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/websockets@11.1.9)(reflect-metadata@0.2.2)(rxjs@7.8.2)
      reflect-metadata: 0.2.2
      rxjs: 7.8.2
  nestjs-kysely@1.2.0(@nestjs/common@11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.9)(kysely@0.28.2)(reflect-metadata@0.2.2):
    dependencies:
      '@nestjs/common': 11.1.9(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2)