Hotfix - permission updates for PM / TM roles

.dockerignore

@@ -0,0 +1,9 @@
+.git
+.github
+node_modules
+dist
+coverage
+.env
+.env.*
+npm-debug.log*
+pnpm-debug.log*

Dockerfile

@@ -3,7 +3,6 @@
 FROM node:22.13.1-alpine
 
 RUN apk add --no-cache bash git
-RUN apk update
 
 ARG RESET_DB_ARG=false
 ENV RESET_DB=$RESET_DB_ARG
@@ -12,9 +11,15 @@ ENV SEED_DATA=$SEED_DATA_ARG
 ENV PRISMA_CLI_BINARY_TARGETS=linux-musl-openssl-3.0.x
 
 WORKDIR /app
-COPY . .
+COPY --chown=node:node . .
 RUN npm install pnpm -g
-RUN pnpm install
+RUN pnpm install --frozen-lockfile
 RUN pnpm run build
 RUN chmod +x appStartUp.sh
-CMD ./appStartUp.sh
+
+USER node
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
+  CMD wget -q -O /dev/null "http://127.0.0.1:${PORT:-3000}/v6/projects/health" || exit 1
+
+CMD ["./appStartUp.sh"]

README.md

@@ -96,7 +96,11 @@ For the full v5 -> v6 mapping table, see `docs/api-usage-analysis.md`.
 | `DELETE` | `/v6/projects/:projectId` | Admin only | Soft-delete project |
 | `GET` | `/v6/projects/:projectId/billingAccount` | JWT / M2M | Default billing account (Salesforce) |
 | `GET` | `/v6/projects/:projectId/billingAccounts` | JWT / M2M | All billing accounts for project |
-| `GET` | `/v6/projects/:projectId/permissions` | JWT / M2M | JWT: caller work-management policy map. M2M: per-member permission matrix with project permissions and template policies |
+| `GET` | `/v6/projects/:projectId/permissions` | JWT / M2M | Regular human JWT: caller work-management policy map. M2M, admins, project managers, and project copilots on the project: per-member permission matrix with project permissions and template policies |
+
+Talent Manager note:
+- `Talent Manager` and `Topcoder Talent Manager` callers create projects as primary `manager` members.
+- Updating `billingAccountId` is restricted to human administrators and project members whose role on that project is `manager` (`Full Access`).
 
 ### Members
 
@@ -114,7 +118,7 @@ For the full v5 -> v6 mapping table, see `docs/api-usage-analysis.md`.
 | --- | --- | --- | --- |
 | `GET` | `/v6/projects/:projectId/invites` | JWT / M2M | List invites |
 | `GET` | `/v6/projects/:projectId/invites/:inviteId` | JWT / M2M | Get invite |
-| `POST` | `/v6/projects/:projectId/invites` | JWT / M2M | Create invite(s) - partial-success response `{ success[], failed[] }` |
+| `POST` | `/v6/projects/:projectId/invites` | JWT / M2M | Create invite(s) - returns `201` when any invite is created and includes `{ success[], failed[] }` for rejected targets |
 | `PATCH` | `/v6/projects/:projectId/invites/:inviteId` | JWT / M2M | Accept / decline invite |
 | `DELETE` | `/v6/projects/:projectId/invites/:inviteId` | JWT / M2M | Delete invite |
 
@@ -463,7 +467,7 @@ Open `TODO (quality)` findings from prior phases:
 - Elasticsearch removed; all reads use PostgreSQL via Prisma.
 - Timeline/milestone CRUD intentionally not migrated (see `docs/timeline-milestone-migration.md`).
 - Deprecated endpoints not ported (scope change requests, reports, customer payments, phase members/approvals, estimation items).
-- Invite creation uses partial-success semantics: `{ success: Invite[], failed: ErrorInfo[] }`.
+- Invite creation returns `201` when any invite is created and still uses `{ success: Invite[], failed: ErrorInfo[] }` for rejected targets.
 - Event originator changed from `tc-project-service` to `project-service-v6`.
 
 Full details: `docs/DIFFERENCES_FROM_V5.md` and `docs/MIGRATION_FROM_TC_PROJECT_SERVICE.md`.

appStartUp.sh

@@ -4,4 +4,4 @@ set -eo pipefail
 export DATABASE_URL=$(echo -e ${DATABASE_URL})
 
 # Start the app
-pnpm start:prod
+exec node dist/src/main

docs/DIFFERENCES_FROM_V5.md

@@ -20,7 +20,7 @@ This document summarizes intentional differences and improvements in `project-se
 - Work management permission routes use query-parameter lookup patterns for consistency:
   - `/v6/projects/metadata/workManagementPermission?projectTemplateId=:id`
   - `/v6/projects/metadata/workManagementPermission?id=:id`
-- Invite creation uses partial-success response semantics:
+- Invite creation returns `201` when at least one invite is created and keeps partial-success response semantics:
   - `{ success: Invite[], failed: ErrorInfo[] }`
 
 ## Authorization Improvements

docs/MIGRATION_FROM_TC_PROJECT_SERVICE.md

@@ -102,6 +102,7 @@ This document maps legacy authorization logic from Express middleware to NestJS
 ## Consumer Migration Notes
 
 - Continue using `fields` query parameter for optional member/invite enrichment.
-- Handle `403` responses from invite create as partial-failure responses with body:
+- Invite create now returns `201` when at least one invite is created and still includes:
   - `{ success: Invite[], failed: ErrorInfo[] }`
+- Compatibility `403` responses remain possible when no invite is created and the response only contains failures.
 - If your integration relied on ES stale fields, switch to Member/Identity APIs for user metadata.

docs/PERMISSIONS.md

@@ -28,6 +28,17 @@ Swagger auth notes:
   - `src/shared/enums/projectMemberRole.enum.ts`
   - `src/shared/enums/scopes.enum.ts`
 
+## Talent Manager Behavior
+
+- `Talent Manager` and `Topcoder Talent Manager` satisfy `CREATE_PROJECT_AS_MANAGER`, so project creation persists them as the primary `manager` project member.
+- That primary `manager` membership then unlocks the standard manager-level project-owner paths, such as edit and delete checks that rely on project-member context.
+
+## Billing Account Editing
+
+- `MANAGE_PROJECT_BILLING_ACCOUNT_ID` is intentionally narrower than general project edit access.
+- A caller may set or update `billingAccountId` only when they are a human admin (`Connect Admin`, `administrator`, or `tgadmin`) or they are an active `manager` member on that specific project.
+- Global manager, project-manager, task-manager, talent-manager, or M2M-only access is not enough on its own to edit a project's billing account.
+
 ## Permission Rule Shape
 
 Supported shapes:

docs/api-usage-analysis.md

@@ -112,7 +112,7 @@
 | GET | `/v5/projects/:projectId/attachments` | **unused** | none | none | Attachment array (read-access filtered) |
 | GET | `/v5/projects/:projectId/phases/:phaseId/products` | **unused** | none | none | Phase product array |
 | GET | `/v5/projects/:projectId/phases/:phaseId/products/:productId` | **unused** | none | none | Single phase product |
-| GET | `/v5/projects/:projectId/permissions` | **unused** | none | none | JWT: policy map `{ [policyName]: true }` for allowed work-management actions. M2M in `/v6`: per-member permission matrix with memberships, project permissions, and template policies |
+| GET | `/v5/projects/:projectId/permissions` | **unused** | none | none | JWT: policy map `{ [policyName]: true }` for allowed work-management actions. In `/v6`, M2M/admin/project-manager/project-copilot callers receive a per-member permission matrix with memberships, project permissions, and template policies |
 | DELETE | `/v5/projects/:projectId` | **unused** | none | none | `204` |
 | GET | `/v5/projects/:projectId/phases/:phaseId` | **unused** | none | none | Phase object (includes members/approvals where present) |
 | POST | `/v5/projects/:projectId/phases` | **unused** | none | `{name,status,description?,requirements?,startDate?,endDate?,duration?,budget?,spentBudget?,progress?,details?,order?,productTemplateId?,members?}` | Created phase |

package.json

@@ -12,7 +12,7 @@
     "start:dev": "nest start --watch",
     "start:debug": "nest start --debug --watch",
     "start:prod": "node dist/src/main",
-    "lint": "eslint \"{src,apps,libs,test,prisma}/**/*.ts\" --fix",
+    "lint": "eslint \"{src,apps,libs,test,prisma}/**/*.ts\" --fix --no-error-on-unmatched-pattern",
     "test": "jest --config ./jest.config.js",
     "test:watch": "jest --config ./jest.config.js --watch",
     "test:cov": "jest --config ./jest.config.js --coverage",
@@ -104,14 +104,17 @@
   "packageManager": "[email protected]+sha512.41872f037ad22f7348e3b1debbaf7e867cfd448f2726d9cf74c08f19507c31d2c8e7a11525b983febc2df640b5438dee6023ebb1f84ed43cc2d654d2bc326264",
   "pnpm": {
     "overrides": {
+      "@hono/node-server": "1.19.10",
       "ajv": "8.18.0",
       "axios": "1.13.5",
-      "fast-xml-parser": "5.3.6",
-      "hono": "4.11.10",
+      "fast-xml-parser": "5.3.8",
+      "hono": "4.12.4",
       "jws": ">=3.2.3 <4.0.0 || >=4.0.1",
       "lodash": "4.17.23",
-      "minimatch": "10.2.1",
-      "qs": "6.14.2"
+      "minimatch": "10.2.3",
+      "multer": "2.1.1",
+      "qs": "6.14.2",
+      "serialize-javascript": "7.0.3"
     },
     "patchedDependencies": {
       "@eslint/[email protected]": "patches/@[email protected]",