40227-vm/backend/docs/subjects.md

# Subjects Backend

## Purpose

`subjects` is the per-organization catalog of teaching subjects (name, code, description). It is
a generic-CRUD slice assembled from the shared factories; the backend is the source of truth for
subject records.

## Slice Files (by layer)

- Route: `src/routes/subjects.ts` — `createCrudRouter(controller, { permission: 'subjects' })`.
- Controller: `src/api/controllers/subjects.controller.ts` — `createCrudController(service, { csvFields })`.
- Service (BLL): `src/services/subjects.ts` — `createCrudService(DbApi, { notFoundCode: 'subjectsNotFound' })`.
- Repository (DAL): `src/db/api/subjects.ts` (`SubjectsDBApi`) — entity-specific
  `create`/`bulkImport`/`update`/`findBy`/`findAll`; `remove`/`deleteByIds`/`findAllAutocomplete`
  delegate to `db/api/shared/repository.ts`.
- Model: `src/db/models/subjects.ts`.
- Shared used: CRUD factories (`services/shared/crud-service.ts`,
  `api/controllers/shared/crud-controller.ts`, `api/http/crud-router.ts`), repository helpers
  (`db/api/shared/repository.ts`), `shared/constants/pagination.ts` (`resolvePagination`),
  `shared/constants/database.ts` (`BULK_IMPORT_TIMESTAMP_STEP_MS`), `db/utils.ts` (`Utils`).

## API

The standard generic-CRUD surface (all under `/api/subjects`, JWT + `${METHOD}_SUBJECTS`
permission, all `200`) — see `backend-architecture.md` for the shared contract:

- `POST /` — body `{ data }`, returns `true`.
- `POST /bulk-import` — multipart CSV file, returns `true`.
- `PUT /:id` — body `{ data, id }` (the service reads the id from the **body**), returns `true`.
- `DELETE /:id` — returns `true`.
- `POST /deleteByIds` — body `{ data: string[] }`, returns `true`.
- `GET /` — query filters, returns `{ rows, count }`; `?filetype=csv` streams a CSV of `csvFields`.
- `GET /count` — returns `{ rows: [], count }`.
- `GET /autocomplete` — `?query&limit&offset`, returns `[{ id, label }]` where `label` is `name`.
- `GET /:id` — returns the record with eager associations (see Data Contract).

`csvFields`: `id`, `name`, `code`, `description`.

## Access Rules

- JWT required; the whole router is guarded by `checkCrudPermissions('subjects')`, deriving
  `READ_SUBJECTS` / `CREATE_SUBJECTS` / `UPDATE_SUBJECTS` / `DELETE_SUBJECTS` per HTTP method.
- Access is granted by role permission or per-user `custom_permissions` (see `permissions.md`).

## Tenant Scope

- `findAll` scopes `where.organizationId` to `currentUser.organizationId`; a `globalAccess`
  role clears the org filter (sees all tenants).
- `create` assigns the organization from `currentUser.organizationId`; `update` only reassigns
  organization for `globalAccess` users (otherwise it stays the caller's org).

## Data Contract

Model columns (`paranoid`, soft-delete via `deletedAt`):

- `id` (UUID PK).
- `name`, `code`, `description` — TEXT, nullable.
- `importHash` (unique), `organizationId`, `createdById`, `updatedById`, timestamps.

Associations: `belongsTo` organization, createdBy/updatedBy (users); `hasMany`
`class_subjects_subject`. `findBy`/`GET /:id` eager-load class_subjects_subject and organization
in a single `Promise.all`.

List filters (`SubjectsFilter`): `id`, `name` (ilike), `code` (ilike), `description` (ilike),
`organization`, `createdAtRange`, plus `field`/`sort` ordering and `limit`/`page` pagination.

## Behavior / Notes

- `create`/`update` wire the organization relation via the `setOrganization` association mixin.
- `bulkImport` offsets `createdAt` per row by `BULK_IMPORT_TIMESTAMP_STEP_MS` to preserve order.
- List pagination uses the shared `resolvePagination` defaults (page size 10, capped at 100).
- Note: `SubjectsFilter` accepts an `active` flag the model has no column for; it is currently
  inert (kept for source accuracy).

## Tests

None yet.

## Related

- Generic-CRUD contract: `backend-architecture.md`; related slices: `class_subjects`, `classes`,
  `permissions.md`.