feat: Stage 9 pre-launch essentials — auth, security, compliance, and UX improvements

P0 (launch blockers):
- Add Helmet security headers with CSP configuration
- Add health check endpoint (GET /health) via @nestjs/terminus
- Add 404/500 error pages and global error boundaries
- Add email service (Nodemailer + Handlebars templates)
- Add email verification on registration
- Add forgot password / password reset flow
- Add privacy policy and terms of service pages with registration consent

P1 (user retention):
- Add OAuth login (Google/GitHub) via Passport strategies
- Add JWT refresh token rotation (15min access + rotating refresh)
- Add new user onboarding modal (4-step guided flow)
- Add email notifications for mentions, comments, invitations, shares
- Add account deletion with password confirmation
- Add mobile responsive layout with collapsible sidebar

P2 (polish):
- Add space ownership transfer endpoint
- Add reusable Breadcrumb component
- Add cookie consent banner with localStorage persistence
- Add CI/CD pipeline (.github/workflows/ci.yml)
- Add structured logging via nestjs-pino
- Remove AI copilot ghost text / Tab autocomplete from editor

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Jason-chen-coder

.github/workflows/ci.yml

@@ -0,0 +1,44 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Generate Prisma Client
+        run: pnpm exec prisma generate
+        working-directory: apps/api
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Type check
+        run: pnpm typecheck
+
+      - name: Build
+        run: pnpm build
+
+      - name: Test
+        run: pnpm --filter @docStudio/api test --passWithNoTests

apps/api/.env.example

@@ -17,3 +17,19 @@ COLLAB_PORT=1234
 # Redis (optional for multi-instance collaboration via @hocuspocus/extension-redis)
 REDIS_HOST=localhost
 REDIS_PORT=6379
+
+# Email (SMTP)
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_SECURE=false
+SMTP_USER=
+SMTP_PASS=
+SMTP_FROM="DocStudio" <noreply@docstudio.app>
+
+# OAuth (optional — leave empty to disable)
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+API_URL=http://localhost:3001
+FRONTEND_URL=http://localhost:3000

apps/api/nest-cli.json

@@ -3,6 +3,12 @@
   "collection": "@nestjs/schematics",
   "sourceRoot": "src",
   "compilerOptions": {
-    "deleteOutDir": true
+    "deleteOutDir": true,
+    "assets": [
+      {
+        "include": "email/templates/**/*.hbs",
+        "watchAssets": true
+      }
+    ]
   }
 }

apps/api/package.json

@@ -24,13 +24,15 @@
   "dependencies": {
     "@fastify/compress": "^8.3.1",
     "@fastify/cors": "^11.2.0",
+    "@fastify/helmet": "^13.0.2",
     "@fastify/multipart": "^9.4.0",
     "@fastify/static": "^8.3.0",
     "@fastify/swagger": "^9.6.1",
     "@fastify/swagger-ui": "^5.2.5",
     "@hocuspocus/extension-database": "^3.4.4",
     "@hocuspocus/extension-redis": "^3.4.4",
     "@hocuspocus/server": "^3.4.4",
+    "@nestjs-modules/mailer": "^2.3.4",
     "@nestjs/common": "^11.0.1",
     "@nestjs/core": "^11.0.1",
     "@nestjs/jwt": "^11.0.2",
@@ -39,6 +41,7 @@
     "@nestjs/platform-fastify": "^11.0.1",
     "@nestjs/serve-static": "^5.0.4",
     "@nestjs/swagger": "^11.2.5",
+    "@nestjs/terminus": "^11.1.1",
     "@nestjs/throttler": "^6.5.0",
     "@prisma/client": "5.22.0",
     "@types/minio": "^7.1.1",
@@ -47,11 +50,17 @@
     "class-validator": "^0.14.3",
     "fastify": "^5.7.4",
     "fastify-multer": "^2.0.3",
+    "handlebars": "^4.7.8",
     "minio": "^8.0.6",
+    "nestjs-pino": "^4.6.1",
+    "nodemailer": "^8.0.4",
     "openai": "^6.32.0",
     "passport": "^0.7.0",
+    "passport-github2": "^0.1.12",
+    "passport-google-oauth20": "^2.0.0",
     "passport-jwt": "^4.0.1",
     "passport-local": "^1.0.0",
+    "pino-http": "^11.0.0",
     "prisma": "5.22.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",
@@ -68,6 +77,9 @@
     "@types/express": "^5.0.0",
     "@types/jest": "^30.0.0",
     "@types/node": "^22.10.7",
+    "@types/nodemailer": "^7.0.11",
+    "@types/passport-github2": "^1.2.9",
+    "@types/passport-google-oauth20": "^2.0.17",
     "@types/passport-jwt": "^4.0.1",
     "@types/passport-local": "^1.0.38",
     "@types/sharp": "^0.32.0",
@@ -78,6 +90,7 @@
     "eslint-plugin-prettier": "^5.2.2",
     "globals": "^16.0.0",
     "jest": "^30.0.0",
+    "pino-pretty": "^13.1.3",
     "prettier": "^3.4.2",
     "source-map-support": "^0.5.21",
     "supertest": "^7.0.0",

apps/api/prisma/migrations/20260326172339_stage9_auth_enhancements/migration.sql

@@ -0,0 +1,21 @@
+-- AlterTable
+ALTER TABLE "users" ADD COLUMN     "emailVerified" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN     "emailVerifyToken" TEXT,
+ADD COLUMN     "githubId" TEXT,
+ADD COLUMN     "googleId" TEXT,
+ADD COLUMN     "onboardingCompleted" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN     "refreshToken" TEXT,
+ADD COLUMN     "resetToken" TEXT,
+ADD COLUMN     "resetTokenExpiry" TIMESTAMP(3);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_emailVerifyToken_key" ON "users"("emailVerifyToken");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_resetToken_key" ON "users"("resetToken");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_googleId_key" ON "users"("googleId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "users_githubId_key" ON "users"("githubId");

apps/api/prisma/schema.prisma

@@ -15,10 +15,29 @@ model User {
   id           String   @id @default(cuid())
   email        String   @unique
   name         String
-  password     String? // 可选：如果使用 GitHub OAuth 则为空
+  password     String? // 可选：如果使用 OAuth 则为空
   avatarUrl    String? // 用户头像 URL
   isSuperAdmin Boolean  @default(false) // 平台级超级管理员
   isDisabled   Boolean  @default(false) // 账号禁用状态
+
+  // 邮箱验证
+  emailVerified    Boolean   @default(false)
+  emailVerifyToken String?   @unique
+
+  // 密码重置
+  resetToken       String?   @unique
+  resetTokenExpiry DateTime?
+
+  // OAuth
+  googleId     String?  @unique
+  githubId     String?  @unique
+
+  // 新用户引导
+  onboardingCompleted Boolean @default(false)
+
+  // JWT Refresh Token
+  refreshToken String?
+
   createdAt    DateTime @default(now())
   updatedAt    DateTime @updatedAt
 

apps/api/src/app.module.ts

@@ -22,6 +22,9 @@ import { ActivityModule } from './activity/activity.module';
 import { TemplatesModule } from './templates/templates.module';
 import { NotificationsModule } from './notifications/notifications.module';
 import { AiModule } from './ai/ai.module';
+import { HealthModule } from './health/health.module';
+import { EmailModule } from './email/email.module';
+import { LoggerModule } from 'nestjs-pino';
 
 @Module({
   imports: [
@@ -49,6 +52,18 @@ import { AiModule } from './ai/ai.module';
     TemplatesModule,
     NotificationsModule,
     AiModule,
+    HealthModule,
+    EmailModule,
+    LoggerModule.forRoot({
+      pinoHttp: {
+        transport:
+          process.env.NODE_ENV !== 'production'
+            ? { target: 'pino-pretty', options: { colorize: true, singleLine: true } }
+            : undefined,
+        level: process.env.NODE_ENV !== 'production' ? 'debug' : 'info',
+        autoLogging: false, // 避免记录每个 HTTP 请求（太嘈杂）
+      },
+    }),
   ],
   controllers: [AppController],
   providers: [

apps/api/src/auth/auth.controller.ts

@@ -3,6 +3,9 @@ import {
   Post,
   Body,
   Get,
+  Query,
+  Req,
+  Res,
   UseGuards,
   HttpCode,
   HttpStatus,
@@ -12,13 +15,20 @@ import {
   ApiOperation,
   ApiResponse,
   ApiBearerAuth,
+  ApiExcludeEndpoint,
 } from '@nestjs/swagger';
+// Fastify types imported as values (not 'import type') for decorator metadata
 import { AuthService } from './auth.service';
 import { RegisterDto } from './dto/register.dto';
 import { LoginDto } from './dto/login.dto';
 import { AuthResponseDto, UserResponseDto } from './dto/auth-response.dto';
 import { ChangePasswordDto } from './dto/change-password.dto';
+import { ForgotPasswordDto } from './dto/forgot-password.dto';
+import { ResetPasswordDto } from './dto/reset-password.dto';
+import { DeleteAccountDto } from './dto/delete-account.dto';
 import { JwtAuthGuard } from './guards/jwt-auth.guard';
+import { GoogleAuthGuard } from './guards/google-auth.guard';
+import { GithubAuthGuard } from './guards/github-auth.guard';
 import { CurrentUser } from '../common/decorators/current-user.decorator';
 
 @ApiTags('auth')
@@ -79,4 +89,120 @@ export class AuthController {
   ) {
     return this.authService.changePassword(user.id, changePasswordDto);
   }
+
+  // ==================== 邮箱验证 ====================
+
+  @Get('verify-email')
+  @ApiOperation({ summary: '验证邮箱', description: '通过邮件链接验证邮箱地址' })
+  @ApiResponse({ status: 200, description: '验证成功' })
+  @ApiResponse({ status: 400, description: '无效的验证令牌' })
+  async verifyEmail(@Query('token') token: string) {
+    return this.authService.verifyEmail(token);
+  }
+
+  @Post('resend-verification')
+  @UseGuards(JwtAuthGuard)
+  @ApiBearerAuth('JWT-auth')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: '重新发送验证邮件' })
+  @ApiResponse({ status: 200, description: '验证邮件已发送' })
+  async resendVerification(@CurrentUser() user: UserResponseDto) {
+    return this.authService.resendVerification(user.id);
+  }
+
+  // ==================== 密码重置 ====================
+
+  @Post('forgot-password')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: '忘记密码', description: '发送密码重置邮件' })
+  @ApiResponse({ status: 200, description: '如果邮箱存在将发送重置邮件' })
+  async forgotPassword(@Body() dto: ForgotPasswordDto) {
+    return this.authService.forgotPassword(dto.email);
+  }
+
+  @Post('reset-password')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: '重置密码', description: '使用重置令牌设置新密码' })
+  @ApiResponse({ status: 200, description: '密码重置成功' })
+  @ApiResponse({ status: 400, description: '无效或已过期的重置令牌' })
+  async resetPassword(@Body() dto: ResetPasswordDto) {
+    return this.authService.resetPassword(dto.token, dto.newPassword);
+  }
+
+  // ==================== 账号删除 ====================
+
+  @Post('delete-account')
+  @UseGuards(JwtAuthGuard)
+  @ApiBearerAuth('JWT-auth')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: '删除账号', description: '永久删除当前用户账号及所有数据' })
+  @ApiResponse({ status: 200, description: '账号已删除' })
+  @ApiResponse({ status: 401, description: '密码错误' })
+  async deleteAccount(
+    @CurrentUser() user: UserResponseDto,
+    @Body() dto: DeleteAccountDto,
+  ) {
+    return this.authService.deleteAccount(user.id, dto.password);
+  }
+
+  // ==================== Refresh Token ====================
+
+  @Post('refresh')
+  @HttpCode(HttpStatus.OK)
+  @ApiOperation({ summary: '刷新令牌', description: '使用 refresh_token 获取新的 access_token' })
+  @ApiResponse({ status: 200, description: '刷新成功' })
+  @ApiResponse({ status: 401, description: '无效的刷新令牌' })
+  async refreshToken(@Body('refresh_token') refreshToken: string) {
+    return this.authService.refreshTokens(refreshToken);
+  }
+
+  // ==================== OAuth 登录 ====================
+
+  @Get('google')
+  @UseGuards(GoogleAuthGuard)
+  @ApiExcludeEndpoint()
+  googleLogin() {
+    // Guard 会自动重定向到 Google
+  }
+
+  @Get('google/callback')
+  @UseGuards(GoogleAuthGuard)
+  @ApiExcludeEndpoint()
+  async googleCallback(@Req() req: any, @Res() res: any) {
+    const profile = req.user;
+    const result = await this.authService.oauthLogin({
+      googleId: profile.googleId,
+      email: profile.email,
+      name: profile.name,
+      avatarUrl: profile.avatarUrl,
+    });
+    const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:3000';
+    return res.redirect(
+      `${frontendUrl}/auth/oauth-callback?token=${result.access_token}`,
+    );
+  }
+
+  @Get('github')
+  @UseGuards(GithubAuthGuard)
+  @ApiExcludeEndpoint()
+  githubLogin() {
+    // Guard 会自动重定向到 GitHub
+  }
+
+  @Get('github/callback')
+  @UseGuards(GithubAuthGuard)
+  @ApiExcludeEndpoint()
+  async githubCallback(@Req() req: any, @Res() res: any) {
+    const profile = req.user;
+    const result = await this.authService.oauthLogin({
+      githubId: profile.githubId,
+      email: profile.email,
+      name: profile.name,
+      avatarUrl: profile.avatarUrl,
+    });
+    const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:3000';
+    return res.redirect(
+      `${frontendUrl}/auth/oauth-callback?token=${result.access_token}`,
+    );
+  }
 }