chore: initialize repository with project rules, docs, and phase-1 ADRs

Set up the foundation for the adastra-portal project:

- CLAUDE.md captures durable project rules (quality bar, security/perf/a11y
  as first-class, language, commit conventions, ADR proactivity).
- docs/ and decisions/ scaffolding with maintained indexes (docs/README.md
  and decisions/README.md), MADR 4.0.0 template, and tag vocabulary.
- Phase-1 ADRs (0001-0006) lock structural choices: ADR usage, Nx monorepo
  with the apps preset, naming convention (adastra-portal / portal-shell /
  portal-bff), Angular CSR/zoneless/Signals/Vitest, NestJS over Express,
  PostgreSQL with Prisma.
- docs/setup/ guides translated to English.
- .gitignore covers Node/Nx artifacts and the personal notes/ scratchpad.

The Nx workspace itself is not yet bootstrapped; that step is gated on a
revised setup guide aligned with the ADRs.
This commit is contained in:
Julien Gautier
2026-04-29 20:43:00 +02:00
commit 79eee77594
15 changed files with 1170 additions and 0 deletions
+91
View File
@@ -0,0 +1,91 @@
---
status: accepted
date: 2026-04-29
decision-makers: R&D Lead
tags: [backend]
---
# Backend stack — NestJS over Express, Fastify, Hono
## Context and Problem Statement
The backend (`portal-bff`) is the BFF: it owns authentication, sessions, and downstream API orchestration; it persists business data; it must be observable and auditable. The frontend never holds tokens or talks directly to upstream APIs. The choice of HTTP framework has architectural ripple effects (DI shape, validation pipeline, security defaults, ecosystem of integrations).
Which Node TypeScript framework gives us the right combination of structure, ecosystem, performance, and longevity for a security-sensitive BFF in an enterprise context?
## Decision Drivers
* Security is a first-class concern — the framework must impose structure rather than leave it to be hand-built.
* Architectural alignment with the Angular frontend (DI, decorators, modules, RxJS).
* First-class ecosystem for the things we will need: Passport / MSAL, Pino logging, OpenTelemetry, Prisma, Redis, validation, health checks.
* Long-term enterprise viability (no pre-1.0, no single-maintainer projects).
* Performance acceptable for a BFF (request mediation, not raw throughput benchmarks).
## Considered Options
* **NestJS** (latest stable major). (Chosen.)
* **Express 5** — minimal, ubiquitous.
* **Fastify 5** — performance-oriented, plugin-based.
* **Hono** — modern, multi-runtime.
* **tRPC** — typed RPC over HTTP.
## Decision Outcome
Chosen option: **NestJS at the latest stable major**, mounted on the **Express adapter** by default. Migration to the Fastify adapter remains an option later if profiling justifies it; this is a configuration change, not an application rewrite, because both adapters are first-class in NestJS.
### Consequences
* Good, because NestJS imposes a clear, opinionated architecture (modules, providers, controllers, pipes, guards, interceptors) — minimal room for bricolage.
* Good, because the team lives in the same paradigm as Angular (DI, decorators, RxJS).
* Good, because every supporting concern has a first-class NestJS integration: `@nestjs/passport` + `@azure/msal-node` for auth, `nestjs-pino` for logs, `nestjs-cls` for AsyncLocalStorage, `@nestjs/terminus` for health checks, `nestjs-prisma` for persistence.
* Good, because NestJS is at v11+ with a healthy enterprise track record (Adidas, Roche, Capgemini publicly), an active core team, and commercial support options.
* Good, because the adapter pattern lets us swap to Fastify later without touching application code.
* Bad, because NestJS has a non-trivial conceptual surface (DI hierarchy, lifecycle hooks, request-scoped providers) — one-time learning cost.
* Bad, because the framework is heavier than Express or Fastify alone — acceptable for our profile.
### Confirmation
* `apps/portal-bff/package.json` depends on `@nestjs/core`, `@nestjs/common`, `@nestjs/platform-express`.
* `apps/portal-bff/src/main.ts` bootstraps via `NestFactory.create`.
* All HTTP entry points are `@Controller`-based; no raw Express routes outside framework escape hatches.
* A global `ValidationPipe` is applied with `whitelist: true, forbidNonWhitelisted: true, transform: true`.
## Pros and Cons of the Options
### NestJS (chosen)
* Good, because opinionated structure sets a clear bar across the team.
* Good, because alignment with Angular reduces cognitive distance.
* Good, because the ecosystem covers every BFF concern we have.
* Bad, because verbose for tiny services — acceptable here, this is a real BFF.
### Express 5
* Good, because the lowest common denominator — every Node engineer knows it.
* Bad, because minimalist by design — every cross-cutting concern (DI, validation, structured errors, lifecycle) is built by hand. For a security-sensitive BFF in an "anti-bricolage" project, this is a poor fit.
* Bad, because Express-as-foundation in 2026 is the legacy default; the modern center of gravity has moved.
### Fastify 5
* Good, because excellent raw performance and a clean plugin model.
* Good, because schema-driven validation is built in.
* Bad, because architecture is left to the application — we'd reinvent NestJS poorly.
* Note: NestJS can run on a Fastify adapter — we can have both if a perf profile demands it.
### Hono
* Good, because modern, minimal, multi-runtime (Node, Bun, Workers).
* Bad, because too young (~2023) for our longevity bar — limited enterprise track record.
* Status: keep in watch list; reconsider in 1224 months.
### tRPC
* Good, because end-to-end type safety from server to client without code generation.
* Bad, because it tightly couples frontend and backend builds — incompatible with a BFF that may also need to serve non-Angular consumers later (downstream API gateways, mobile, partner integrations).
* Bad, because not a general HTTP framework — orthogonal to the choice we're making.
## More Information
* NestJS documentation: https://docs.nestjs.com
* NestJS Fastify adapter: https://docs.nestjs.com/techniques/performance
* Related ADRs: [ADR-0002](0002-adopt-nx-monorepo-apps-preset.md), [ADR-0006](0006-persistence-postgresql-prisma.md), ADR-0008 (auth flow, future), ADR-0009 (sessions, future), ADR-0012 (observability, future).