I need a backend-only Node.js + Express application in TypeScript (no UI, API only) for a Patient Management System using Sequelize + MySQL. The app should be production-ready, modern, secure, modular, and well-documented.

Tech stack & tooling (required)
- Node.js (latest LTS 22; specify engine in package.json)
- Express (with router separation)
- Sequelize ORM (MySQL) with migration & seed support
- Authentication: bcrypt for password hashing, passport-jwt for JWT auth (access + refresh tokens)
- Validation: Zod for request body & query validations
- RBAC middleware for role-based access control
- Logging: Winston or pino with request logging middleware
- Linting/formatting: ESLint + Prettier
- API docs: Postman collection (auto-generated Swagger optional)
- Dev ops: Sequelize migrations, Sequelize config file, Docker support for MySQL
- Seed scripts for:
  - Initial roles (SUPER_ADMIN, HOSPITAL_ADMIN, DEPARTMENT_STAFF)
  - A sample Super Admin user (email: jyotishankar@evincedev.com)

High-level modules & responsibilities

1. Auth / User Management (separate module)
Super Admin capabilities:
- Create hospitals and hospital admins
- Provide login credentials (password generated or set by flow, and send credentials via email)
- View all hospital admins
- Reassign roles (e.g., hospital admin → staff)
- Revoke roles / deactivate users
- Expose webhook endpoint to create patients for the related department & hospital (based on incoming hospitalId + departmentId from payload)
Role list (minimum):
- SUPER_ADMIN
- HOSPITAL_ADMIN
- DEPARTMENT_STAFF
Endpoints examples:
- POST /auth/login → returns accessToken + refreshToken
- POST /auth/refresh → issue new access token
- POST /users → create hospital admin (SUPER_ADMIN only)
- PATCH /users/:id/role → reassign role (SUPER_ADMIN only)
- PATCH /users/:id/deactivate → deactivate user

2. Hospital & Department Management (Hospital Admin scope)
Relationships:
- Hospital → has many Departments
- Department → has many Users (DEPARTMENT_STAFF)
Permissions:
- SUPER_ADMIN → full CRUD on hospitals and hospital admins
- HOSPITAL_ADMIN → manage departments inside their hospital
- HOSPITAL_ADMIN → CRUD department staff users, view patients for their departments
- DEPARTMENT_STAFF → can only view patients for their department
Endpoints examples:
- POST /hospitals → create hospital (SUPER_ADMIN)
- GET /hospitals → list hospitals
- POST /hospitals/:id/departments → create department (HOSPITAL_ADMIN of that hospital)
- GET /hospitals/:id/departments → list departments with staff

3. Patient Management
Relationships:
- Patient belongs to one Hospital
- Patient belongs to one Department
Flows:
- Patients can be created either via API or webhook (incoming hospitalId & departmentId)
- Assignment: SUPER_ADMIN or HOSPITAL_ADMIN can assign patients to hospital/department
- HOSPITAL_ADMIN & DEPARTMENT_STAFF can view patients assigned to their scope
Endpoints examples:
- POST /patients → create patient (SUPER_ADMIN or hospital admin)
- GET /patients → list patients (filtered by hospital, department, or assigned staff)
- GET /patients/:id → view patient (marks as "viewed" in activity log)
- POST /patients/:id/mark-viewed → mark as viewed by logged-in user
- POST /patients/:id/assign → assign to user / department / hospital

RBAC & Authorization
Implement a centralized RBAC middleware with:
- Role checks (e.g., requireRole(['SUPER_ADMIN', 'HOSPITAL_ADMIN']))
- Ownership checks (hospital admins only see their hospital's resources, staff only their department's)
- JWT token validation + role extraction via passport-jwt
- Refresh token table in DB to allow secure revocation

Database schema (Sequelize models, high-level)
- User → id, name, email, passwordHash, role, isActive, hospitalId?, departmentId?, createdAt
- Hospital → id, name, address, createdAt
- Department → id, name, hospitalId, createdAt
- Patient → id, firstName, lastName, dob, hospitalId, departmentId, createdAt
- ActivityLog → id, userId, patientId, action (VIEWED, ASSIGNED, etc.), timestamp
- RefreshToken → id, userId, token, expiresAt, revokedAt

Validation & Security
- Zod schemas for DTO validation
- bcrypt salt rounds configurable via .env
- JWT expiry: short-lived access token (15m–30m), long-lived refresh token (7d–30d)
- Rate limiting for login endpoints
- Secure password reset & email integration

Logging & Error Handling
- Centralized error handler returning format:
  { "data": null, "error": { "code": "ROLE_FORBIDDEN", "message": "You do not have access" } }
- Winston/pino for API + error logs
- Audit logging for role changes, patient assignment, etc.

Dev & Delivery Requirements
- Provide README with setup & env vars
- Provide Postman collection with all endpoints
- Dockerfile + docker-compose (MySQL + app)
- Sequelize migrations & seed files
- Unit + integration tests (Jest + Supertest) for auth, hospital, patient flows
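As an added example, not code from the original request, here is one way to implement the centralized RBAC middleware described under RBAC & Authorization, with rejections returned in the error envelope from Logging & Error Handling. It is typed against a minimal structural subset of Express so it runs stand-alone; the field names on req.user (id, role, isActive, hospitalId, departmentId) and every error code other than ROLE_FORBIDDEN are assumptions.

```typescript
// Added example (not from the original spec): centralized RBAC middleware
// implementing requireRole() plus a hospital ownership check, returning
// errors in the spec's { data: null, error: { code, message } } envelope.
// Typed against a structural subset of Express so it runs without express installed.

type Role = 'SUPER_ADMIN' | 'HOSPITAL_ADMIN' | 'DEPARTMENT_STAFF';

// Shape of req.user as populated by the passport-jwt strategy (assumed field names).
export interface AuthUser {
  id: number;
  role: Role;
  isActive: boolean;
  hospitalId?: number;
  departmentId?: number;
}

export interface Req { user?: AuthUser; params: Record<string, string> }
export interface Res { status(code: number): Res; json(body: unknown): Res }
export type Next = () => void;
export type Middleware = (req: Req, res: Res, next: Next) => void;

function fail(res: Res, status: number, code: string, message: string): void {
  res.status(status).json({ data: null, error: { code, message } });
}

// requireRole(['SUPER_ADMIN', 'HOSPITAL_ADMIN']): rejects unauthenticated,
// deactivated, and wrong-role callers before the route handler runs.
export function requireRole(allowed: Role[]): Middleware {
  return (req, res, next) => {
    const u = req.user;
    if (!u) return fail(res, 401, 'UNAUTHENTICATED', 'Login required');
    if (!u.isActive) return fail(res, 403, 'USER_DEACTIVATED', 'Account is deactivated');
    if (!allowed.includes(u.role)) return fail(res, 403, 'ROLE_FORBIDDEN', 'You do not have access');
    next();
  };
}

// Ownership check on a route param naming the target hospital (e.g. /hospitals/:id/departments):
// SUPER_ADMIN passes, HOSPITAL_ADMIN only for their own hospital; department-level
// routes (and loaded patient records) would compare departmentId the same way.
export function requireHospitalScope(param: string): Middleware {
  return (req, res, next) => {
    const u = req.user;
    if (!u) return fail(res, 401, 'UNAUTHENTICATED', 'Login required');
    if (u.role === 'SUPER_ADMIN') return next();
    const target = Number(req.params[param]);
    if (u.role === 'HOSPITAL_ADMIN' && Number.isInteger(target) && u.hospitalId === target) return next();
    return fail(res, 403, 'SCOPE_FORBIDDEN', 'Resource is outside your hospital');
  };
}
```

Mounted as `router.post('/hospitals/:id/departments', requireRole(['SUPER_ADMIN', 'HOSPITAL_ADMIN']), requireHospitalScope('id'), handler)`, the role check and the ownership check run in order, so a hospital admin can never reach another hospital's departments even with a valid token.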