# crm-core

Enterprise-ready CRM backend for B2B SaaS platforms. `crm-core` handles CRM data only—no billing, deploys, or ERP workloads.

## Scope & Limits

- ✅ Accounts, contacts, deals, pipelines/stages, activities, notes, tags
- ✅ Multi-tenant by design (`tenant_id` on every table and query)
- ✅ JWT validation via JWKS (trusted identity-gateway)
- ❌ No billing data or payment secrets
- ❌ No deployment or ERP features

## Authentication

`crm-core` trusts JWTs issued by `identity-gateway`.

Required claims:
- `sub` (user ID)
- `tenantId`
- `roles` (must include `crm.read`, `crm.write`, or `crm.admin`)

## Domain Model

See [docs/domain-model.md](docs/domain-model.md).

## Multi-tenant Enforcement

Every request reads `tenantId` from the JWT and filters all reads/writes with `tenant_id`. This prevents data leakage across tenants.

## Running Locally

```bash
cp .env.example .env
make run
```

Docker (API + Postgres):

```bash
docker-compose up --build
```

## Migrations & sqlc

```bash
make migrate-up
make sqlc
```

## Example cURL

```bash
curl -X POST http://localhost:8080/api/v1/accounts \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name":"Acme Corp"}'
```

```bash
curl -X POST http://localhost:8080/api/v1/deals \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"title":"Upgrade","pipeline_id":"<pipeline>","stage_id":"<stage>","value_cents":500000}'
```