feat(people): add employment events tracking and offboarding checklist

apps/api/src/app.module.ts

@@ -55,6 +55,7 @@ import { AdminFeatureFlagsModule } from './admin-feature-flags/admin-feature-fla
 import { TimelinesModule } from './timelines/timelines.module';
 import { BackgroundChecksModule } from './background-checks/background-checks.module';
 import { BillingModule } from './billing/billing.module';
+import { OffboardingChecklistModule } from './offboarding-checklist/offboarding-checklist.module';
 
 @Module({
   imports: [
@@ -122,6 +123,7 @@ import { BillingModule } from './billing/billing.module';
     AdminOrganizationsModule,
     AdminFeatureFlagsModule,
     TimelinesModule,
+    OffboardingChecklistModule,
   ],
   controllers: [AppController],
   providers: [

apps/api/src/integration-platform/services/generic-employee-sync.service.ts

@@ -294,7 +294,11 @@ export class GenericEmployeeSyncService {
         try {
           await db.member.update({
             where: { id: member.id },
-            data: { deactivated: true, isActive: false },
+            data: {
+              deactivated: true,
+              isActive: false,
+              offboardDate: member.offboardDate ?? new Date(),
+            },
           });
           results.deactivated++;
           results.details.push({

apps/api/src/offboarding-checklist/access-revocation.service.ts

@@ -0,0 +1,207 @@
+import {
+  BadRequestException,
+  Injectable,
+  NotFoundException,
+} from '@nestjs/common';
+import { db } from '@db';
+
+@Injectable()
+export class AccessRevocationService {
+  async getAccessRevocations(organizationId: string, memberId: string) {
+    const vendors = await db.vendor.findMany({
+      where: { organizationId },
+      select: { id: true, name: true },
+      orderBy: { name: 'asc' },
+    });
+
+    const revocations = await db.offboardingAccessRevocation.findMany({
+      where: { organizationId, memberId },
+      include: {
+        revokedBy: { select: { id: true, name: true, email: true } },
+      },
+    });
+
+    const revocationMap = new Map(
+      revocations.map((r) => [r.vendorId, r]),
+    );
+
+    const vendorList = vendors.map((vendor) => {
+      const revocation = revocationMap.get(vendor.id);
+      return {
+        vendorId: vendor.id,
+        vendorName: vendor.name,
+        revoked: !!revocation,
+        revokedAt: revocation?.revokedAt ?? null,
+        revokedBy: revocation?.revokedBy ?? null,
+        notes: revocation?.notes ?? null,
+      };
+    });
+
+    return {
+      vendors: vendorList,
+      totalVendors: vendors.length,
+      revokedCount: revocations.length,
+    };
+  }
+
+  async revokeVendorAccess({
+    organizationId,
+    memberId,
+    vendorId,
+    revokedById,
+    notes,
+  }: {
+    organizationId: string;
+    memberId: string;
+    vendorId: string;
+    revokedById: string;
+    notes?: string;
+  }) {
+    const vendor = await db.vendor.findFirst({
+      where: { id: vendorId, organizationId },
+    });
+
+    if (!vendor) {
+      throw new NotFoundException('Vendor not found in this organization');
+    }
+
+    const existing = await db.offboardingAccessRevocation.findUnique({
+      where: { memberId_vendorId: { memberId, vendorId } },
+    });
+
+    if (existing) {
+      throw new BadRequestException(
+        'Vendor access has already been revoked for this member',
+      );
+    }
+
+    const revocation = await db.offboardingAccessRevocation.create({
+      data: {
+        organizationId,
+        memberId,
+        vendorId,
+        revokedById,
+        notes,
+      },
+      include: {
+        revokedBy: { select: { id: true, name: true, email: true } },
+      },
+    });
+
+    await this.syncAccessRevocationCompletion(
+      organizationId,
+      memberId,
+      revokedById,
+    );
+
+    return revocation;
+  }
+
+  async undoVendorRevocation({
+    organizationId,
+    memberId,
+    vendorId,
+  }: {
+    organizationId: string;
+    memberId: string;
+    vendorId: string;
+  }) {
+    const revocation = await db.offboardingAccessRevocation.findUnique({
+      where: { memberId_vendorId: { memberId, vendorId } },
+    });
+
+    if (!revocation) {
+      throw new NotFoundException('Revocation record not found');
+    }
+
+    await db.offboardingAccessRevocation.delete({
+      where: { id: revocation.id },
+    });
+
+    await this.syncAccessRevocationCompletion(organizationId, memberId);
+
+    return { success: true };
+  }
+
+  async revokeAllVendorAccess({
+    organizationId,
+    memberId,
+    revokedById,
+  }: {
+    organizationId: string;
+    memberId: string;
+    revokedById: string;
+  }) {
+    const vendors = await db.vendor.findMany({
+      where: { organizationId },
+      select: { id: true },
+    });
+
+    const existing = await db.offboardingAccessRevocation.findMany({
+      where: { organizationId, memberId },
+      select: { vendorId: true },
+    });
+
+    const existingSet = new Set(existing.map((r) => r.vendorId));
+    const toCreate = vendors.filter((v) => !existingSet.has(v.id));
+
+    if (toCreate.length > 0) {
+      await db.offboardingAccessRevocation.createMany({
+        data: toCreate.map((v) => ({
+          organizationId,
+          memberId,
+          vendorId: v.id,
+          revokedById,
+        })),
+        skipDuplicates: true,
+      });
+    }
+
+    await this.syncAccessRevocationCompletion(organizationId, memberId, revokedById);
+
+    return { confirmed: toCreate.length };
+  }
+
+  private async syncAccessRevocationCompletion(
+    organizationId: string,
+    memberId: string,
+    completedById?: string,
+  ) {
+    const templateItem = await db.offboardingChecklistTemplate.findFirst({
+      where: { organizationId, isAccessRevocation: true, isEnabled: true },
+    });
+
+    if (!templateItem) {
+      return;
+    }
+
+    const { totalVendors, revokedCount } = await this.getAccessRevocations(
+      organizationId,
+      memberId,
+    );
+
+    const allRevoked = totalVendors > 0 && revokedCount === totalVendors;
+
+    const existingCompletion =
+      await db.offboardingChecklistCompletion.findFirst({
+        where: { organizationId, memberId, templateItemId: templateItem.id },
+      });
+
+    if (allRevoked && !existingCompletion && completedById) {
+      await db.offboardingChecklistCompletion.create({
+        data: {
+          organizationId,
+          memberId,
+          templateItemId: templateItem.id,
+          completedById,
+        },
+      });
+    }
+
+    if (!allRevoked && existingCompletion) {
+      await db.offboardingChecklistCompletion.delete({
+        where: { id: existingCompletion.id },
+      });
+    }
+  }
+}

apps/api/src/offboarding-checklist/default-checklist-items.ts

@@ -0,0 +1,66 @@
+export const DEFAULT_OFFBOARDING_CHECKLIST_ITEMS = [
+  {
+    title: 'Revoke system access',
+    description:
+      "Disable or remove the employee's access to all company systems, applications, and cloud services.",
+    evidenceRequired: true,
+    isAccessRevocation: true,
+    sortOrder: 1,
+  },
+  {
+    title: 'Remove from identity provider',
+    description:
+      'Remove the employee from your identity provider (e.g., Okta, Azure AD, Google Workspace).',
+    evidenceRequired: true,
+    isAccessRevocation: false,
+    sortOrder: 2,
+  },
+  {
+    title: 'Retrieve company devices',
+    description:
+      'Collect all company-owned hardware including laptops, phones, access badges, and security keys.',
+    evidenceRequired: true,
+    isAccessRevocation: false,
+    sortOrder: 3,
+  },
+  {
+    title: 'Deactivate email and accounts',
+    description:
+      "Deactivate or redirect the employee's email account and remove from shared mailboxes and distribution lists.",
+    evidenceRequired: true,
+    isAccessRevocation: false,
+    sortOrder: 4,
+  },
+  {
+    title: 'Revoke privileged access',
+    description:
+      'Remove any elevated permissions, admin rights, SSH keys, API tokens, or shared credentials the employee had access to.',
+    evidenceRequired: true,
+    isAccessRevocation: false,
+    sortOrder: 5,
+  },
+  {
+    title: 'Notify relevant teams',
+    description:
+      "Inform the employee's team, IT, HR, and any relevant stakeholders of the departure.",
+    evidenceRequired: false,
+    isAccessRevocation: false,
+    sortOrder: 6,
+  },
+  {
+    title: 'Exit interview completed',
+    description:
+      'Conduct an exit interview covering security reminders and NDA obligations.',
+    evidenceRequired: false,
+    isAccessRevocation: false,
+    sortOrder: 7,
+  },
+  {
+    title: 'Update org chart and documentation',
+    description:
+      'Remove the employee from the org chart, on-call rotations, and internal documentation.',
+    evidenceRequired: false,
+    isAccessRevocation: false,
+    sortOrder: 8,
+  },
+] as const;

apps/api/src/offboarding-checklist/dto/complete-checklist-item.dto.ts

@@ -0,0 +1,30 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsOptional, IsString, MaxLength, IsBase64 } from 'class-validator';
+import { IsMimeTypeField } from '../../utils/mime-type.validator';
+
+export class CompleteChecklistItemDto {
+  @ApiProperty({ description: 'Optional notes', required: false })
+  @IsOptional()
+  @IsString()
+  notes?: string;
+
+  @ApiProperty({ description: 'Evidence file name', required: false })
+  @IsOptional()
+  @IsString()
+  fileName?: string;
+
+  @ApiProperty({ description: 'Evidence file MIME type', required: false })
+  @IsOptional()
+  @IsMimeTypeField()
+  fileType?: string;
+
+  @ApiProperty({
+    description: 'Base64 encoded evidence file',
+    required: false,
+  })
+  @IsOptional()
+  @IsString()
+  @MaxLength(134_217_728)
+  @IsBase64()
+  fileData?: string;
+}

apps/api/src/offboarding-checklist/dto/create-template-item.dto.ts

@@ -0,0 +1,25 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, IsNotEmpty, IsOptional, IsBoolean } from 'class-validator';
+
+export class CreateTemplateItemDto {
+  @ApiProperty({
+    description: 'Checklist item title',
+    example: 'Collect access badges',
+  })
+  @IsString()
+  @IsNotEmpty()
+  title: string;
+
+  @ApiProperty({ description: 'Guidance text for the admin', required: false })
+  @IsOptional()
+  @IsString()
+  description?: string;
+
+  @ApiProperty({
+    description: 'Whether evidence upload is required',
+    required: false,
+  })
+  @IsOptional()
+  @IsBoolean()
+  evidenceRequired?: boolean;
+}

apps/api/src/offboarding-checklist/dto/update-template-item.dto.ts

@@ -0,0 +1,29 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, IsOptional, IsBoolean, IsNumber } from 'class-validator';
+
+export class UpdateTemplateItemDto {
+  @ApiProperty({ required: false })
+  @IsOptional()
+  @IsString()
+  title?: string;
+
+  @ApiProperty({ required: false })
+  @IsOptional()
+  @IsString()
+  description?: string;
+
+  @ApiProperty({ required: false })
+  @IsOptional()
+  @IsBoolean()
+  evidenceRequired?: boolean;
+
+  @ApiProperty({ required: false })
+  @IsOptional()
+  @IsNumber()
+  sortOrder?: number;
+
+  @ApiProperty({ required: false })
+  @IsOptional()
+  @IsBoolean()
+  isEnabled?: boolean;
+}