[PROD RELEASE] - Jan 26

.env.example

@@ -17,17 +17,32 @@ VALID_ISSUERS='["https://api.topcoder-dev.com"]'
 # ========================================
 # EXTERNAL SERVICES
 # ========================================
-TC_PROJECT_SERVICE_URL=http://localhost:8001/v5
-STANDARDIZED_SKILLS_API_URL=http://localhost:3000
-MEMBER_API_V6_URL=http://localhost:3001/v6
+TOPCODER_API_URL_BASE=https://api.topcoder-dev.com
+# Derived endpoints:
+# - TC_PROJECT_SERVICE_URL: ${TOPCODER_API_URL_BASE}/v5/projects
+# - STANDARDIZED_SKILLS_API_URL: ${TOPCODER_API_URL_BASE}/v5/standardized-skills
+# - MEMBER_API_V6_URL: ${TOPCODER_API_URL_BASE}/v6/members
 # PLATFORM UI BASE URL (used to generate anonymous feedback links)
 PLATFORM_UI_BASE_URL=http://localhost:3001
 # In production use https://platform.topcoder.com or https://platform.topcoder-dev.com
 
+# ========================================
+# EVENT BUS
+# ========================================
+BUS_API_URL=https://api.topcoder-dev.com/eventBus
+KAFKA_ERROR_TOPIC=common.error.reporting
+
+# ========================================
+# EMAIL
+# ========================================
+SENDGRID_ASSIGNMENT_OFFER_TEMPLATE_ID=
+SENDGRID_ASSIGNMENT_OFFER_ACCEPTED_TEMPLATE_ID=
+SENDGRID_ASSIGNMENT_OFFER_REJECTED_TEMPLATE_ID=
+
 # ========================================
 # M2M AUTHENTICATION
 # ========================================
-M2M_AUTH_URL=https://topcoder-dev.auth0.com/oauth/token
+AUTH0_URL=https://topcoder-dev.auth0.com/oauth/token
 M2M_CLIENT_ID=your_client_id
 M2M_CLIENT_SECRET=your_client_secret
-M2M_AUDIENCE=https://api.topcoder-dev.com
+AUTH0_AUDIENCE=https://api.topcoder-dev.com

.github/workflows/code_reviewer.yml

@@ -0,0 +1,21 @@
+name: AI PR Reviewer
+
+on:
+    pull_request:
+        types:
+            - opened
+            - synchronize
+permissions:
+    pull-requests: write
+jobs:
+    tc-ai-pr-review:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout Repo
+              uses: actions/checkout@v3
+
+            - name: TC AI PR Reviewer
+              uses: topcoder-platform/tc-ai-pr-reviewer@master
+              with:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # The GITHUB_TOKEN is there by default so you just need to keep it like it is and not necessarily need to add it as secret as it will throw an error. [More Details](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret)
+                  LAB45_API_KEY: ${{ secrets.LAB45_API_KEY }}

.github/workflows/trivy.yaml

@@ -0,0 +1,34 @@
+name: Trivy Scanner
+
+permissions:
+  contents: read
+  security-events: write
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+jobs:
+  trivy-scan:
+    name: Use Trivy
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy scanner in repo mode
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH,UNKNOWN"
+          scanners: vuln,secret,misconfig,license
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"

Dockerfile

@@ -10,6 +10,9 @@ RUN npm install -g pnpm
 COPY package.json pnpm-lock.yaml ./
 # Install dependencies
 RUN pnpm install --frozen-lockfile
+COPY prisma ./prisma
+COPY prisma.config.ts ./
+RUN DATABASE_URL="postgresql://user:pass@localhost:5432/db?schema=public" pnpm prisma:generate
 
 # ---- Build Stage ----
 FROM base AS build
@@ -20,23 +23,19 @@ COPY . .
 RUN pnpm build
 
 # ---- Production Dependencies Stage ----
-FROM base AS prod-deps
-RUN npm install -g pnpm
-COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --frozen-lockfile --prod
+FROM deps AS prod-deps
+RUN pnpm prune --prod
 
 # ---- Production Stage ----
 FROM base AS production
-ENV NODE_ENV production
+ENV NODE_ENV=production
 # Copy built application from the build stage
 COPY --from=build /usr/src/app/dist ./dist
-COPY --from=build /usr/src/app/sql ./sql
-COPY --from=build /usr/src/app/data ./data
 # Copy production dependencies from the deps stage
 COPY --from=prod-deps /usr/src/app/node_modules ./node_modules
 
 # Expose the application port
 EXPOSE 3000
 
 # The command to run the application
-CMD ["node", "dist/main.js"]
+CMD ["node", "dist/src/main.js"]

README.md

@@ -37,28 +37,48 @@ pnpm prisma:migrate
 pnpm start:dev
 ```
 
+## Configuration
+
+Set the following environment variables (see `.env.example` for defaults):
+
+| Variable | Description |
+| --- | --- |
+| `PORT` | Port the API listens on. |
+| `DATABASE_URL` | PostgreSQL connection string used by Prisma. |
+| `AUTH_SECRET` | Shared secret for JWT verification in local/dev scenarios. |
+| `VALID_ISSUERS` | JSON array of allowed JWT issuers. |
+| `TOPCODER_API_URL_BASE` | Base URL for Topcoder API services. |
+| `PLATFORM_UI_BASE_URL` | Platform UI base URL used to generate anonymous feedback links. |
+| `AUTH0_URL` | Auth0 token endpoint for M2M client credentials. |
+| `M2M_CLIENT_ID` | Auth0 M2M client ID. |
+| `M2M_CLIENT_SECRET` | Auth0 M2M client secret. |
+| `AUTH0_AUDIENCE` | Auth0 audience for M2M tokens. |
+| `SENDGRID_ASSIGNMENT_OFFER_TEMPLATE_ID` | SendGrid template ID for assignment offer emails. |
+| `SENDGRID_ASSIGNMENT_OFFER_ACCEPTED_TEMPLATE_ID` | SendGrid template ID for assignment offer accepted emails. |
+| `SENDGRID_ASSIGNMENT_OFFER_REJECTED_TEMPLATE_ID` | SendGrid template ID for assignment offer rejected emails. |
+
 ## Authentication
 
 This API uses JWT authentication for user requests and supports M2M tokens for service-to-service access. Provide a Bearer token with the required scopes for protected endpoints.
 
 ## Security & Authorization
 
-The API supports both user JWTs and machine-to-machine (M2M) tokens. User tokens are evaluated for roles and scopes, while M2M tokens rely on scopes. Administrators and Topcoder Project Managers have elevated privileges for management operations.
+The API supports both user JWTs and machine-to-machine (M2M) tokens. User tokens are evaluated for roles and scopes, while M2M tokens rely on scopes. Administrators, Topcoder Project Managers, Topcoder Task Managers, and Topcoder Talent Managers have elevated privileges for management operations.
 
 | Scope | Description | Endpoints |
 | --- | --- | --- |
 | `read:engagements` | View engagement listings and details | `GET /engagements`, `GET /engagements/:id`, `GET /engagements/active` |
 | `write:engagements` | Create and update engagements | `POST /engagements`, `PUT /engagements/:id` |
 | `manage:engagements` | Full engagement management including deletion | `DELETE /engagements/:id` |
 | `read:applications` | View applications | `GET /applications`, `GET /applications/:id`, `GET /engagements/:id/applications` |
-| `write:applications` | Submit and update applications | `POST /engagements/:id/applications`, `PATCH /applications/:id/status` |
+| `write:applications` | Submit and update applications | `POST /engagements/:id/applications`, `PATCH /applications/:id/status`, `PATCH /applications/:id/approve` |
 
 ## M2M Token Configuration
 
 M2M access uses Auth0 client credentials. Ensure the client is configured with the required scopes for the endpoints it calls. Tokens are validated by `tc-core-library-js` before being processed by the service.
 
 ## Role-Based Access
 
-- Administrators and Topcoder Project Managers can bypass scope checks for most management operations.
+- Administrators, Topcoder Project Managers, Topcoder Task Managers, and Topcoder Talent Managers can bypass scope checks for most management operations.
 - Regular members can view engagements and manage their own applications.
-- Project Managers can view and update application statuses for engagements they own.
+- Project Managers can view and update application statuses for engagements they created, while Task Managers and Talent Managers can do so across engagements.

docs/ASSIGNMENT_STATUS_FLOW.md

@@ -0,0 +1,28 @@
+# Assignment Status Flow
+
+This diagram describes how an engagement assignment moves between statuses and the conditions for each transition.
+
+```mermaid
+stateDiagram-v2
+  direction LR
+
+  [*] --> SELECTED
+  SELECTED : Initial state
+
+  SELECTED --> OFFER_REJECTED : Candidate rejects offer or rate
+  SELECTED --> ASSIGNED : Offer accepted\nagreementRate agreed\nTalent Manager activates
+
+  ASSIGNED : Engagement active
+  ASSIGNED : Payments allowed
+
+  ASSIGNED --> COMPLETED : Work finished and duration ends
+  ASSIGNED --> TERMINATED : Ended early by member or manager
+
+  OFFER_REJECTED : Terminal (negative)
+  COMPLETED : Terminal (positive)
+  TERMINATED : Early termination
+
+  OFFER_REJECTED --> [*]
+  COMPLETED --> [*]
+  TERMINATED --> [*]
+```

docs/AUTHENTICATION.md

@@ -22,7 +22,7 @@ M2M tokens are issued via the Auth0 client credentials flow. These tokens do not
 | `write:engagements` | Create and update engagements | `POST /engagements`, `PUT /engagements/:id` |
 | `manage:engagements` | Full engagement management including deletion | `DELETE /engagements/:id` |
 | `read:applications` | View applications | `GET /applications`, `GET /applications/:id`, `GET /engagements/:id/applications` |
-| `write:applications` | Submit and update applications | `POST /engagements/:id/applications`, `PATCH /applications/:id/status` |
+| `write:applications` | Submit and update applications | `POST /engagements/:id/applications`, `PATCH /applications/:id/status`, `PATCH /applications/:id/approve` |
 
 ## Role-Based Access
 

package.json

@@ -16,15 +16,20 @@
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand"
   },
   "dependencies": {
-    "@nestjs/cli": "^11.0.12",
     "@nestjs/axios": "^3.0.0",
+    "@nestjs/cli": "^11.0.12",
     "@nestjs/common": "^11.1.9",
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.1.9",
     "@nestjs/platform-express": "^11.1.9",
+    "@nestjs/schematics": "^11.0.9",
     "@nestjs/swagger": "^11.2.3",
+    "@nestjs/testing": "^11.1.9",
+    "@prisma/adapter-pg": "^7.0.1",
     "@prisma/client": "^7.0.1",
     "@types/express": "^5.0.5",
+    "@types/jest": "^29.5.8",
+    "axios": "^1.13.2",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.3",
     "date-fns": "^4.1.0",
@@ -34,10 +39,8 @@
     "pg": "^8.16.3",
     "reflect-metadata": "^0.1.13",
     "rxjs": "^7.8.2",
-    "tc-core-library-js": "github:topcoder-platform/tc-core-library-js#master",
-    "@nestjs/schematics": "^11.0.9",
-    "@types/jest": "^29.5.8",
-    "@nestjs/testing": "^11.1.9"
+    "tc-bus-api-wrapper": "github:topcoder-platform/tc-bus-api-wrapper",
+    "tc-core-library-js": "github:topcoder-platform/tc-core-library-js#master"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.2.0",

packages/engagements-prisma-client/client.d.ts

@@ -0,0 +1 @@
+export * from "./index"

packages/engagements-prisma-client/client.js

@@ -0,0 +1,5 @@
+
+/* !!! This is code generated by Prisma. Do not edit directly. !!!
+/* eslint-disable */
+// biome-ignore-all lint: generated file
+module.exports = { ...require('.') }

packages/engagements-prisma-client/default.d.ts

@@ -0,0 +1 @@
+export * from "./index"

packages/engagements-prisma-client/default.js

@@ -0,0 +1,5 @@
+
+/* !!! This is code generated by Prisma. Do not edit directly. !!!
+/* eslint-disable */
+// biome-ignore-all lint: generated file
+module.exports = { ...require('#main-entry-point') }

packages/engagements-prisma-client/edge.d.ts

@@ -0,0 +1 @@
+export * from "./default"