chore: initial project scaffold with admin web, backend, desktop client, and deployment setup

Add monorepo structure for NexaVPN WireGuard control plane including:
- .gitignore for node_modules, build artifacts, and environment files
- README with project overview, monorepo layout, and quick start guide
- Admin web UI with React, Vite, TypeScript, and nginx reverse proxy
- API client with type definitions for users, devices, policies, gateways, and audit logs
- Admin pages for dashboard, users, devices, policies, g

backend/internal/policy/handler.go

@@ -0,0 +1,62 @@
+package policy
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/nexavpn/nexavpn/backend/internal/apiutil"
+	"github.com/nexavpn/nexavpn/backend/internal/audit"
+	"github.com/nexavpn/nexavpn/backend/internal/httpserver"
+)
+
+type Handler struct {
+	service *Service
+	audit   *audit.Service
+}
+
+func NewHandler(service *Service, auditService *audit.Service) *Handler {
+	return &Handler{service: service, audit: auditService}
+}
+
+func (h *Handler) List(w http.ResponseWriter, r *http.Request) {
+	items, err := h.service.List(r.Context())
+	if err != nil {
+		apiutil.Error(w, http.StatusInternalServerError, "policies_list_failed", "unable to list policies")
+		return
+	}
+
+	apiutil.JSON(w, http.StatusOK, items)
+}
+
+func (h *Handler) Create(w http.ResponseWriter, r *http.Request) {
+	var input CreateRequest
+	if err := json.NewDecoder(r.Body).Decode(&input); err != nil {
+		apiutil.Error(w, http.StatusBadRequest, "invalid_json", "invalid request body")
+		return
+	}
+
+	claims, ok := httpserver.ClaimsFromContext(r.Context())
+	if !ok {
+		apiutil.Error(w, http.StatusUnauthorized, "unauthorized", "missing auth claims")
+		return
+	}
+
+	item, err := h.service.Create(r.Context(), claims.UserID, input)
+	if err != nil {
+		apiutil.Error(w, http.StatusInternalServerError, "policy_create_failed", "unable to create policy")
+		return
+	}
+
+	_ = h.audit.Record(r.Context(), audit.Entry{
+		ActorUserID: &claims.UserID,
+		EntityType:  "policy",
+		EntityID:    &item.ID,
+		EventType:   "admin.policy.created",
+		Status:      "success",
+		Message:     "admin created policy",
+		Metadata: map[string]any{
+			"name": item.Name,
+		},
+	})
+	apiutil.JSON(w, http.StatusCreated, item)
+}

backend/internal/policy/repository.go

@@ -0,0 +1,143 @@
+package policy
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgxpool"
+)
+
+type Repository interface {
+	List(ctx context.Context) ([]Policy, error)
+	Create(ctx context.Context, input CreateRequest, createdBy uuid.UUID) (Policy, error)
+	ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error)
+}
+
+type PGRepository struct {
+	db *pgxpool.Pool
+}
+
+func NewPGRepository(db *pgxpool.Pool) *PGRepository {
+	return &PGRepository{db: db}
+}
+
+func (r *PGRepository) List(ctx context.Context) ([]Policy, error) {
+	rows, err := r.db.Query(ctx, `
+		select
+			p.id,
+			p.name,
+			p.description,
+			p.priority,
+			p.effect,
+			p.full_tunnel,
+			p.is_active,
+			coalesce(array_agg(pd.destination::text) filter (where pd.destination is not null), '{}')
+		from policies p
+		left join policy_destinations pd on pd.policy_id = p.id
+		where p.deleted_at is null
+		group by p.id, p.name, p.description, p.priority, p.effect, p.full_tunnel, p.is_active, p.created_at
+		order by p.priority asc, p.created_at desc
+	`)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var items []Policy
+	for rows.Next() {
+		var item Policy
+		if err := rows.Scan(&item.ID, &item.Name, &item.Description, &item.Priority, &item.Effect, &item.FullTunnel, &item.IsActive, &item.Destinations); err != nil {
+			return nil, err
+		}
+		items = append(items, item)
+	}
+	return items, rows.Err()
+}
+
+func (r *PGRepository) Create(ctx context.Context, input CreateRequest, createdBy uuid.UUID) (Policy, error) {
+	tx, err := r.db.Begin(ctx)
+	if err != nil {
+		return Policy{}, err
+	}
+	defer tx.Rollback(ctx)
+
+	policyID := uuid.New()
+	_, err = tx.Exec(ctx, `
+		insert into policies (id, name, description, priority, effect, full_tunnel, created_by)
+		values ($1, $2, $3, $4, $5, $6, $7)
+	`, policyID, input.Name, input.Description, input.Priority, input.Effect, input.FullTunnel, createdBy)
+	if err != nil {
+		return Policy{}, err
+	}
+
+	for _, destination := range input.Destinations {
+		if _, err := tx.Exec(ctx, `
+			insert into policy_destinations (id, policy_id, destination)
+			values ($1, $2, $3::cidr)
+		`, uuid.New(), policyID, destination); err != nil {
+			return Policy{}, err
+		}
+	}
+
+	for _, target := range input.Targets {
+		if _, err := tx.Exec(ctx, `
+			insert into policy_targets (id, policy_id, target_type, target_id)
+			values ($1, $2, $3, $4)
+		`, uuid.New(), policyID, target.Type, target.ID); err != nil {
+			return Policy{}, err
+		}
+	}
+
+	if err := tx.Commit(ctx); err != nil {
+		return Policy{}, err
+	}
+
+	inputPolicy := Policy{
+		ID:           policyID,
+		Name:         input.Name,
+		Description:  input.Description,
+		Priority:     input.Priority,
+		Effect:       input.Effect,
+		FullTunnel:   input.FullTunnel,
+		IsActive:     true,
+		Destinations: input.Destinations,
+		Targets:      input.Targets,
+	}
+	return inputPolicy, nil
+}
+
+func (r *PGRepository) ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error) {
+	query := `
+		select distinct pd.destination::text
+		from policies p
+		join policy_destinations pd on pd.policy_id = p.id
+		join policy_targets pt on pt.policy_id = p.id
+		where p.deleted_at is null
+		  and p.is_active = true
+		  and p.effect = 'allow'
+		  and (
+			(pt.target_type = 'user' and pt.target_id = $1)
+	`
+	args := []any{userID}
+	if deviceID != nil {
+		query += ` or (pt.target_type = 'device' and pt.target_id = $2)`
+		args = append(args, *deviceID)
+	}
+	query += `)`
+
+	rows, err := r.db.Query(ctx, query, args...)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var destinations []string
+	for rows.Next() {
+		var value string
+		if err := rows.Scan(&value); err != nil {
+			return nil, err
+		}
+		destinations = append(destinations, value)
+	}
+	return destinations, rows.Err()
+}

backend/internal/policy/service.go

@@ -0,0 +1,33 @@
+package policy
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+type Service struct {
+	repo Repository
+}
+
+func NewService(repo Repository) *Service {
+	return &Service{repo: repo}
+}
+
+func (s *Service) List(ctx context.Context) ([]Policy, error) {
+	return s.repo.List(ctx)
+}
+
+func (s *Service) Create(ctx context.Context, actorID uuid.UUID, input CreateRequest) (Policy, error) {
+	if input.Priority == 0 {
+		input.Priority = 100
+	}
+	if input.Effect == "" {
+		input.Effect = "allow"
+	}
+	return s.repo.Create(ctx, input, actorID)
+}
+
+func (s *Service) ResolveDestinations(ctx context.Context, userID uuid.UUID, deviceID *uuid.UUID) ([]string, error) {
+	return s.repo.ResolveDestinations(ctx, userID, deviceID)
+}

backend/internal/policy/types.go

@@ -0,0 +1,30 @@
+package policy
+
+import "github.com/google/uuid"
+
+type Target struct {
+	Type string    `json:"type"`
+	ID   uuid.UUID `json:"id"`
+}
+
+type Policy struct {
+	ID           uuid.UUID `json:"id"`
+	Name         string    `json:"name"`
+	Description  string    `json:"description"`
+	Priority     int       `json:"priority"`
+	Effect       string    `json:"effect"`
+	FullTunnel   bool      `json:"full_tunnel"`
+	IsActive     bool      `json:"is_active"`
+	Destinations []string  `json:"destinations"`
+	Targets      []Target  `json:"targets"`
+}
+
+type CreateRequest struct {
+	Name         string   `json:"name"`
+	Description  string   `json:"description"`
+	Priority     int      `json:"priority"`
+	Effect       string   `json:"effect"`
+	FullTunnel   bool     `json:"full_tunnel"`
+	Destinations []string `json:"destinations"`
+	Targets      []Target `json:"targets"`
+}