feat: complete tOS project with HR, LEAN, Dashboard and Integrations modules

Full enterprise web operating system including: - Next.js 14 frontend with App Router, i18n (DE/EN), shadcn/ui - NestJS 10 backend with Prisma, JWT auth, Swagger docs - Keycloak 24 SSO with role-based access control - HR module (employees, time tracking, absences, org chart) - LEAN module (3S planning, morning meeting SQCDM, skill matrix) - Integrations module (PlentyONE, Zulip, Todoist, FreeScout, Nextcloud, ecoDMS, GembaDocs) - Dashboard with customizable drag & drop widget grid - Docker Compose infrastructure (PostgreSQL 16, Redis 7, Keycloak 24) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 19:37:55 +01:00
parent a2b6612e9e
commit fe305f6fc8
509 changed files with 81111 additions and 1 deletions
--- a/docker/keycloak/realm-export.json
+++ b/docker/keycloak/realm-export.json
@@ -0,0 +1,208 @@
+{
+  "id": "tos",
+  "realm": "tOS",
+  "displayName": "tOS - Enterprise Web Operating System",
+  "displayNameHtml": "<strong>tOS</strong> Enterprise",
+  "enabled": true,
+  "sslRequired": "external",
+  "registrationAllowed": false,
+  "rememberMe": true,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": true,
+  "bruteForceProtected": true,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "failureFactor": 5,
+  "defaultSignatureAlgorithm": "RS256",
+  "accessTokenLifespan": 300,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "roles": {
+    "realm": [
+      {
+        "name": "admin",
+        "description": "Full administrative access to all tOS features",
+        "composite": true,
+        "composites": {
+          "realm": ["hr-manager", "manager", "department_head", "team-lead", "employee"]
+        }
+      },
+      {
+        "name": "hr-manager",
+        "description": "HR management with access to employee data, absences, and time tracking",
+        "composite": true,
+        "composites": {
+          "realm": ["employee"]
+        }
+      },
+      {
+        "name": "manager",
+        "description": "Management access with cross-department visibility",
+        "composite": true,
+        "composites": {
+          "realm": ["department_head", "employee"]
+        }
+      },
+      {
+        "name": "department_head",
+        "description": "Department lead with team management capabilities",
+        "composite": true,
+        "composites": {
+          "realm": ["team-lead", "employee"]
+        }
+      },
+      {
+        "name": "team-lead",
+        "description": "Team lead with direct reports management",
+        "composite": true,
+        "composites": {
+          "realm": ["employee"]
+        }
+      },
+      {
+        "name": "employee",
+        "description": "Standard employee access to basic features",
+        "composite": false
+      }
+    ]
+  },
+  "groups": [
+    {
+      "name": "Administrators",
+      "path": "/Administrators",
+      "realmRoles": ["admin"]
+    },
+    {
+      "name": "Management",
+      "path": "/Management",
+      "realmRoles": ["manager"]
+    },
+    {
+      "name": "Departments",
+      "path": "/Departments",
+      "subGroups": [
+        { "name": "Sales", "path": "/Departments/Sales", "realmRoles": ["employee"] },
+        { "name": "Accounting", "path": "/Departments/Accounting", "realmRoles": ["employee"] },
+        { "name": "Warehouse", "path": "/Departments/Warehouse", "realmRoles": ["employee"] },
+        { "name": "Logistics", "path": "/Departments/Logistics", "realmRoles": ["employee"] },
+        { "name": "Engineering", "path": "/Departments/Engineering", "realmRoles": ["employee"] },
+        { "name": "IT", "path": "/Departments/IT", "realmRoles": ["employee"] },
+        { "name": "Executive", "path": "/Departments/Executive", "realmRoles": ["manager"] },
+        { "name": "Executive-Assistant", "path": "/Departments/Executive-Assistant", "realmRoles": ["employee"] },
+        { "name": "HR", "path": "/Departments/HR", "realmRoles": ["employee"] },
+        { "name": "Procurement", "path": "/Departments/Procurement", "realmRoles": ["employee"] }
+      ]
+    }
+  ],
+  "clients": [
+    {
+      "clientId": "tos-frontend",
+      "name": "tOS Frontend Application",
+      "enabled": true,
+      "publicClient": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "protocol": "openid-connect",
+      "secret": "${KEYCLOAK_FRONTEND_CLIENT_SECRET:-tos-frontend-secret-CHANGE-IN-PRODUCTION}",
+      "rootUrl": "http://localhost:3000",
+      "baseUrl": "http://localhost:3000",
+      "redirectUris": ["http://localhost:3000/*", "http://127.0.0.1:3000/*"],
+      "webOrigins": ["http://localhost:3000", "http://127.0.0.1:3000"],
+      "attributes": {
+        "pkce.code.challenge.method": "S256",
+        "post.logout.redirect.uris": "http://localhost:3000/*"
+      },
+      "defaultClientScopes": ["web-origins", "acr", "profile", "roles", "email"]
+    },
+    {
+      "clientId": "tos-backend",
+      "name": "tOS Backend API",
+      "enabled": true,
+      "publicClient": false,
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true,
+      "protocol": "openid-connect",
+      "secret": "${KEYCLOAK_BACKEND_CLIENT_SECRET:-tos-backend-secret-CHANGE-IN-PRODUCTION}",
+      "rootUrl": "http://localhost:3001",
+      "baseUrl": "http://localhost:3001",
+      "redirectUris": ["http://localhost:3001/*"],
+      "webOrigins": ["http://localhost:3001"],
+      "defaultClientScopes": ["web-origins", "acr", "profile", "roles", "email"]
+    }
+  ],
+  "users": [
+    {
+      "username": "admin",
+      "email": "admin@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "System",
+      "lastName": "Administrator",
+      "credentials": [{ "type": "password", "value": "admin123", "temporary": true }],
+      "realmRoles": ["admin"],
+      "groups": ["/Administrators"]
+    },
+    {
+      "username": "manager",
+      "email": "manager@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Max",
+      "lastName": "Manager",
+      "credentials": [{ "type": "password", "value": "manager123", "temporary": true }],
+      "realmRoles": ["manager"],
+      "groups": ["/Management"]
+    },
+    {
+      "username": "depthead",
+      "email": "depthead@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Diana",
+      "lastName": "DepartmentHead",
+      "credentials": [{ "type": "password", "value": "depthead123", "temporary": true }],
+      "realmRoles": ["department_head"],
+      "groups": ["/Departments/IT"]
+    },
+    {
+      "username": "employee",
+      "email": "employee@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Eva",
+      "lastName": "Employee",
+      "credentials": [{ "type": "password", "value": "employee123", "temporary": true }],
+      "realmRoles": ["employee"],
+      "groups": ["/Departments/IT"]
+    },
+    {
+      "username": "hrmanager",
+      "email": "hrmanager@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Hannah",
+      "lastName": "HRManager",
+      "credentials": [{ "type": "password", "value": "hrmanager123", "temporary": true }],
+      "realmRoles": ["hr-manager"],
+      "groups": ["/Departments/HR"]
+    },
+    {
+      "username": "teamlead",
+      "email": "teamlead@tos.local",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Tim",
+      "lastName": "TeamLead",
+      "credentials": [{ "type": "password", "value": "teamlead123", "temporary": true }],
+      "realmRoles": ["team-lead"],
+      "groups": ["/Departments/Engineering"]
+    }
+  ],
+  "internationalizationEnabled": true,
+  "supportedLocales": ["de", "en"],
+  "defaultLocale": "de"
+}