
Commit 8909858

beyondnetPeru and claude committed
feat(sdk/nestjs): implement NestJS SDK package (@ums/sdk-nestjs)

Phase B — Step 4: NestJS distribution under src/libs/sdk/nestjs/ — final runtime of the multi-runtime SDK. Single package on top of @ums/sdk-authorization, integrating with NestJS via DynamicModule, Guard, Decorators, ExceptionFilter and Middleware.

@ums/sdk-nestjs (1.0.0)

Module
  UmsSdkModule.forRoot({ mode, accessor, validator, logger, ... })
  UmsSdkModule.forRootAsync({ inject, useFactory, imports })
  - @Global module so providers are visible app-wide.
  - DI tokens: UMS_SDK_OPTIONS, UMS_AUTH_GRAPH_ACCESSOR, UMS_AUTHORIZATION_VALIDATOR, UMS_AUTHORIZATION_LOGGER.
  - Defaults: AsyncLocalAuthGraphAccessor + AuthorizationValidator + 'enforce' mode + no logger.

Guard
  UmsAuthGuard implements CanActivate.
  - Reads UmsAuthRequirement[] metadata via Nest Reflector.
  - Evaluates each requirement against AuthorizationGraph from the accessor; short-circuits on first non-Granted decision.
  - Throws AuthorizationDeniedError or honors auditOnly / 'ignore' per requirement.
  - Decorator-free handlers pass through untouched.

Decorators
  @RequiresScope, @RequiresMenuOption, @RequiresDomainAccess, @RequiresFeatureFlag. Stackable (use Reflect metadata append). Each accepts { onDenied, auditOnly } options.

Filter
  AuthorizationDeniedFilter @Catch(AuthorizationDeniedError) maps to HTTP 403 with structured body { code, message, primitive, target, graphRequestId }. Auto-registered when imported via UmsSdkModule.

Middleware
  AuthGraphMiddleware binds an incoming AuthorizationGraph (placed on req.umsAuthGraph by an upstream auth step) to the accessor for the request lifetime. Handles both AsyncLocalAuthGraphAccessor (run scope) and MemoryAuthGraphAccessor (set/clear).

Workspace + tests
  - Separate npm workspace at src/libs/sdk/nestjs/, file: references to sibling TypeScript packages (sdk-contracts, sdk-authorization, sdk-testing) under src/libs/sdk/typescript/. Both workspaces co-exist in the monorepo without conflict.
  - Vitest + unplugin-swc to compile decorator metadata (Vitest's default esbuild transformer does not support emitDecoratorMetadata).
  - End-to-end tests via @nestjs/testing + supertest: 7/7 PASS. Coverage:
    * 403 + AUTH_101 when scope is missing.
    * 201 when scope is granted.
    * 403 + AUTH_108 when stacked decorators short-circuit on flag.
    * 201 when both scope and flag are granted.
    * Decorator-free handler always 200.
    * Global vs per-controller guard registration.
    * AUTH_202 when graph is absent entirely.

UMS multi-runtime SDK Phase B is now complete:
  .NET — 30/30 PASS
  TypeScript — 33/33 PASS
  NestJS — 7/7 PASS
  Total 70 tests across three runtimes, all consuming the same src/libs/sdk/contracts/fixtures/ — contract parity verified.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent b33ed78 commit 8909858

16 files changed

Lines changed: 4564 additions & 0 deletions

src/libs/sdk/nestjs/.gitignore

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
node_modules/
2+
dist/
3+
coverage/
4+
*.tsbuildinfo
5+
.npmrc
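
Review bot: the `.npmrc` entry on the last line of this new .gitignore has no comment saying why it is ignored. If the reason is that a local .npmrc may hold a registry auth token, say so in a `#` comment above the entry so a later cleanup does not drop the rule. An ignore rule also does not untrack a file that is already committed, so confirm that no .npmrc is currently tracked under src/libs/sdk/nestjs/. If the workspace ever needs shared registry or scope settings, prefer a committed token-free file that reads the token from an environment variable over keeping credentials in an ignored one.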
