From 46ae8b24f97bc927a68fff438b3f424ebcc871fe Mon Sep 17 00:00:00 2001 From: Francisco Daniel Castro Borrome Date: Sat, 16 May 2026 23:52:51 -0400 Subject: [PATCH 1/3] refactor(repo): move docs to .docs/ and scripts to executions/ Docs moved to .docs/: - DATA-PERSISTENCE-GUARANTEE.md - PRODUCTION-TROUBLESHOOTING.md - SERVICE-AVAILABILITY-GUARANTEE.md - STARTUP.md Executables moved to executions/: - deploy-production.sh - migrate.sh References updated in README.md and .github/workflows/cd-deploy.yml. Added Rust target/ and Playwright artifact dirs to .gitignore. Co-Authored-By: Claude Sonnet 4.6 --- .../DATA-PERSISTENCE-GUARANTEE.md | 0 .../PRODUCTION-TROUBLESHOOTING.md | 0 .../SERVICE-AVAILABILITY-GUARANTEE.md | 0 STARTUP.md => .docs/STARTUP.md | 0 .github/workflows/cd-deploy.yml | 2 +- .gitignore | 9 + README.md | 245 +++++++++++++----- .../deploy-production.sh | 0 migrate.sh => executions/migrate.sh | 0 9 files changed, 196 insertions(+), 60 deletions(-) rename DATA-PERSISTENCE-GUARANTEE.md => .docs/DATA-PERSISTENCE-GUARANTEE.md (100%) rename PRODUCTION-TROUBLESHOOTING.md => .docs/PRODUCTION-TROUBLESHOOTING.md (100%) rename SERVICE-AVAILABILITY-GUARANTEE.md => .docs/SERVICE-AVAILABILITY-GUARANTEE.md (100%) rename STARTUP.md => .docs/STARTUP.md (100%) rename deploy-production.sh => executions/deploy-production.sh (100%) rename migrate.sh => executions/migrate.sh (100%) diff --git a/DATA-PERSISTENCE-GUARANTEE.md b/.docs/DATA-PERSISTENCE-GUARANTEE.md similarity index 100% rename from DATA-PERSISTENCE-GUARANTEE.md rename to .docs/DATA-PERSISTENCE-GUARANTEE.md diff --git a/PRODUCTION-TROUBLESHOOTING.md b/.docs/PRODUCTION-TROUBLESHOOTING.md similarity index 100% rename from PRODUCTION-TROUBLESHOOTING.md rename to .docs/PRODUCTION-TROUBLESHOOTING.md diff --git a/SERVICE-AVAILABILITY-GUARANTEE.md b/.docs/SERVICE-AVAILABILITY-GUARANTEE.md similarity index 100% rename from SERVICE-AVAILABILITY-GUARANTEE.md rename to .docs/SERVICE-AVAILABILITY-GUARANTEE.md 
diff --git a/STARTUP.md b/.docs/STARTUP.md similarity index 100% rename from STARTUP.md rename to .docs/STARTUP.md diff --git a/.github/workflows/cd-deploy.yml b/.github/workflows/cd-deploy.yml index b87553a..d33d735 100644 --- a/.github/workflows/cd-deploy.yml +++ b/.github/workflows/cd-deploy.yml @@ -27,7 +27,7 @@ jobs: cd /app/tucolmadord git fetch origin git reset --hard origin/main - bash deploy-production.sh + bash executions/deploy-production.sh ' release: diff --git a/.gitignore b/.gitignore index e7634c0..5e7b239 100644 --- a/.gitignore +++ b/.gitignore @@ -13,6 +13,15 @@ **/obj/ **/artifacts/ +# Rust build artifacts +**/target/ + +# Playwright test artifacts +**/e2e/results/ +**/e2e/reports/ +**/test-results/ +**/playwright-report/ + # Logs and local env files *.log *.tmp diff --git a/README.md b/README.md index 848d7fd..167dd6d 100644 --- a/README.md +++ b/README.md @@ -1,59 +1,186 @@ -
- TuColmadoRD Logo - -

TuColmadoRD

-

El ERP y Punto de Venta SaaS Definitivo para Colmados en RepΓΊblica Dominicana

- -

- Sitio Web β€’ - Demo β€’ - Contacto -

-
- ---- - -## πŸͺ Transformando la Cultura del Colmado - -**TuColmadoRD** es una plataforma integral diseΓ±ada especΓ­ficamente para las necesidades del comercio minorista y los colmados en la RepΓΊblica Dominicana. Combinamos la rapidez de un Punto de Venta (POS) optimizado para pantallas tΓ‘ctiles con la potencia de un sistema en la nube (SaaS), permitiendo a los propietarios administrar su negocio desde cualquier lugar. - -Dile adiΓ³s a las libretas de "fiado", al descuadre de caja y a las complicaciones fiscales. TuColmadoRD automatiza, asegura y simplifica toda la operaciΓ³n de tu negocio. - -### 🌟 Beneficios Clave - -- **Ventas SΓΊper RΓ‘pidas:** Interfaz de Punto de Venta (POS) intuitiva, compatible con lectores de cΓ³digos de barra e impresiΓ³n de recibos al instante. -- **FacturaciΓ³n ElectrΓ³nica (e-CF):** IntegraciΓ³n nativa con la DGII para emisiΓ³n de Comprobantes Fiscales ElectrΓ³nicos. Β‘Cumple con la ley sin esfuerzo! -- **Control de "Fiados":** MΓ³dulo dedicado para gestionar crΓ©ditos de clientes, lΓ­mites de deuda y abonos con historial transparente. -- **GestiΓ³n de Inventario Inteligente:** Alertas de bajo stock, control de productos con mΓΊltiples unidades de medida y reportes de rentabilidad. -- **Control de Delivery Seguro:** VerificaciΓ³n por cΓ³digo y proximidad GPS para asegurar que las entregas lleguen a su destino correctamente. -- **Manejo de Empleados y Turnos:** Control de acceso por roles (Cajero, Delivery, Administrador) y cuadre de caja (apertura y cierre de turnos). -- **Acceso 100% en la Nube:** Monitorea las ventas de tus sucursales en tiempo real desde tu celular o computadora a travΓ©s del panel de administraciΓ³n web. -- **Soporte Offline (Escritorio):** AplicaciΓ³n de escritorio instalable `.exe` para garantizar que la operaciΓ³n en caja nunca se detenga, con sincronizaciΓ³n automΓ‘tica a la nube. 
- ---- - -## πŸ›  Arquitectura TecnolΓ³gica de Vanguardia - -DiseΓ±ado para escalar y ofrecer alta disponibilidad, TuColmadoRD utiliza una arquitectura robusta: - -- **Frontend & POS:** Angular 19, TailwindCSS, DaisyUI (Progresive Web App & Escritorio). -- **Backend (Core API):** .NET 10 (C#), Arquitectura Limpia, CQRS, MediatR. -- **Microservicio Auth:** Node.js (Express), MongoDB para manejo Γ‘gil de perfiles de usuario. -- **Microservicio Fiscal (e-CF):** Python (Flask) para generaciΓ³n y firmado de XMLs normativos de la DGII. -- **Bases de Datos:** PostgreSQL (Datos relacionales robustos) y MongoDB (Logs y Auth). -- **Infraestructura & CI/CD:** Docker Compose, Traefik (Proxy Inverso), y despliegues automatizados con GitHub Actions. - ---- - -## πŸ’Ό ΒΏEres DueΓ±o de un Colmado? - -No dejes que la administraciΓ³n manual limite el crecimiento de tu negocio. Moderniza tu colmado hoy con **TuColmadoRD**. - -πŸ‘‰ **[Visita tucolmadord.com para agendar una demostraciΓ³n](https://tucolmadord.com)** πŸ‘ˆ - ---- - -
- Desarrollado con ❀️ en República Dominicana por Synset Solutions S.R.L.
- Β© 2026 Todos los derechos reservados. -
\ No newline at end of file +# TuColmadoRD β€” Monorepo + +Multi-tenant SaaS POS/ERP for the Dominican Republic retail market. This repository contains all services, frontends, infrastructure, and tooling as a single monorepo. + +--- + +## Architecture overview + +``` +Browser / PWA / Desktop (.exe) + β”‚ + β–Ό + Traefik (TLS termination, routing) + β”‚ + β–Ό + API Gateway (.NET 10, JWT validation, reverse proxy) + β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” + β–Ό β–Ό β–Ό β–Ό β–Ό +Core API Auth Service Catalog Service Reports Service ECF Generator +(.NET 10) (Node/Express) (Rust/Axum) (Rust/Axum) (Python/Flask) + β”‚ β”‚ β”‚ β”‚ + β–Ό β–Ό β–Ό β–Ό +PostgreSQL MongoDB PostgreSQL PostgreSQL + + Redis + Redis + (lazy cache) +``` + +**Supporting services:** Redis (queue + cache), BullMQ (Notification Service / Node.js), MailHog (dev SMTP), Prometheus + Grafana (observability). 
+ +--- + +## Services + +| Directory | Language / Runtime | Role | +|---|---|---| +| `backend/src/Presentations/TuColmadoRD.ApiGateway` | .NET 10 | JWT auth middleware, reverse proxy to downstream services | +| `backend/src/Presentations/TuColmadoRD.Presentation.API` | .NET 10 | Core business API β€” Clean Architecture (Domain β†’ Application β†’ Infrastructure) | +| `auth/` | Node.js 22, Express 5, Mongoose 9 | User identity, bcrypt password hashing, JWT issuance | +| `services/catalog-service/` | Rust, Axum 0.7, SQLx 0.8 | Product/inventory reads with lazy Redis cache and circuit breaker | +| `services/reports-service/` | Rust, Axum 0.7, SQLx 0.8 | Sales reports with lazy Redis cache (TTL=600s) | +| `notification-service/` | Node.js, BullMQ 5, Nodemailer | Async email delivery via Redis-backed queue | +| `generadordexmle-cf/` | Python, Flask | DGII e-CF (electronic fiscal receipt) XML generation and signing | +| `frontend/web-admin/` | Angular 21, TailwindCSS, DaisyUI | Admin panel PWA | +| `frontend/landing-page/` | Static / SSR | Public marketing site | +| `backend/src/Presentations/TuColmadoRD.Desktop/` | .NET 10 | Offline-capable desktop shell (.exe) | + +### Backend layer structure (Clean Architecture) + +``` +backend/src/ + core/ + TuColmadoRD.Core.Domain # Entities, value objects, domain events + TuColmadoRD.Core.Application # CQRS commands/queries (MediatR), interfaces + infrastructure/ + TuColmadoRD.Infrastructure.Persistence # EF Core, PostgreSQL, migrations + TuColmadoRD.Infrastructure.CrossCutting # Logging, auth helpers + TuColmadoRD.Infrastructure.IOC # DI registration + TuColmadoRD.Infrastructure.Hosts # Worker/host configuration + Presentations/ + TuColmadoRD.Presentation.API # REST API, controllers, Swagger + TuColmadoRD.ApiGateway # Gateway proxy + JWT middleware + TuColmadoRD.Desktop # Desktop host +``` + +--- + +## Running locally + +### Prerequisites + +- Docker + Docker Compose v2 +- A `.env` file at the repo root (copy `.env.example` and 
fill in values) + +### Start everything + +```bash +docker compose up --build -d +``` + +Services and their local ports: + +| Service | Port | +|---|---| +| API Gateway | 8080 | +| Core API | 5000 | +| Auth Service | 3000 | +| Catalog Service | 8081 | +| Reports Service | 8082 | +| Notification Service | 4000 | +| ECF Generator | 5001 | +| Web Admin | 4200 (dev) | +| Traefik dashboard | 8090 | +| PostgreSQL | 5432 | +| MongoDB | 27017 | +| Redis | 6379 | +| MailHog UI | 8025 | +| Prometheus | 9090 | +| Grafana | 3001 | + +### Database migrations + +```bash +# Run EF Core migrations against a running Postgres container +./executions/migrate.sh +``` + +--- + +## CI/CD + +Four GitHub Actions workflows: + +| Workflow | Trigger | What it does | +|---|---|---| +| `ci-dev-to-qa.yml` | Push to `dev` | Lint, test, build all services | +| `ci-qa-to-main.yml` | Push to `qa` | E2E (Playwright), build Docker images | +| `ci-services.yml` | Push touching `services/**` or `workflow_dispatch` | Build + push Rust service images to `ghcr.io/odimsom/{catalog,reports}-service:main` | +| `cd-deploy.yml` | Push to `main` | SSH to VPS, run `executions/deploy-production.sh` | + +Branch flow: `feature/* β†’ dev β†’ qa β†’ main β†’ production` + +GHCR images are scoped to the `odimsom` org β€” the `GITHUB_TOKEN` does not have write access to any other namespace. + +--- + +## Infrastructure + +``` +infrastructure/ + monitoring/ + prometheus/ # prometheus.yml scrape config + grafana/ # dashboard provisioning + alertmanager/ + loki/ # log aggregation + promtail/ + terraform/ + modules/ # reusable Terraform modules + hostinger/ # VPS (SSH provider) + aws/ + azure/ + swarm/ # Docker Swarm stack (reference, not currently deployed) + ansible/ +``` + +Production runs a single VPS (Hostinger) with Docker Compose. Traefik handles TLS via Let's Encrypt ACME (`tlschallenge`). The `letsencrypt/acme.json` file on the host persists certificates across deploys. 
+ +Prometheus scrapes: `catalog-service:8080/metrics`, `reports-service:8081/metrics`, `traefik:8080/metrics`. Grafana is served at `devops.tucolmadord.com/grafana`. + +--- + +## Load testing + +``` +perf-lab/ + scenarios/ + smoke.js # 1 VU Γ— 10 iterations β€” sanity check + lazy-loading.js # cold vs warm cache latency comparison + concurrency.js # ramp 0β†’50β†’100 VUs, measures p95/p99 and RPS + utils/helpers.js + docker-compose.yml # k6 + InfluxDB + Grafana stack +``` + +Run against any environment: + +```bash +cd perf-lab +BASE_URL=https://api.tucolmadord.com \ +AUTH_TOKEN= \ +TENANT_ID= \ +SCENARIO=concurrency.js \ +docker compose up --abort-on-container-exit +``` + +Grafana dashboard (k6 template) available at `http://localhost:3001` after the stack starts. + +--- + +## Multi-tenancy + +Every request must include `tenant_id` (query param or header). The gateway enforces this before forwarding to downstream services. Tenant data is row-level isolated in PostgreSQL using the `tenant_id` column; no cross-tenant queries are possible through the public API. + +--- + +## License + +See [LICENSE](LICENSE). diff --git a/deploy-production.sh b/executions/deploy-production.sh similarity index 100% rename from deploy-production.sh rename to executions/deploy-production.sh diff --git a/migrate.sh b/executions/migrate.sh similarity index 100% rename from migrate.sh rename to executions/migrate.sh From 5b95205f6327c48d64d55695c2c8a256fd611624 Mon Sep 17 00:00:00 2001 
From: Francisco Daniel Castro Borrome Date: Sun, 17 May 2026 00:00:17 -0400 Subject: [PATCH 2/3] chore(community): add GitHub community health files - CODE_OF_CONDUCT.md (Contributor Covenant v2.1) - CONTRIBUTING.md (branch flow, commit style, PR checklist) - SECURITY.md (vulnerability reporting, scope, design notes) - ISSUE_TEMPLATE/bug_report.yml (service dropdown, logs field) - ISSUE_TEMPLATE/feature_request.yml (area dropdown, pre-submission checklist) - PULL_REQUEST_TEMPLATE.md (type, affected services, testing checklist) Co-Authored-By: Claude Sonnet 4.6 --- .github/CODE_OF_CONDUCT.md | 24 +++++++ .github/CONTRIBUTING.md | 74 ++++++++++++++++++++++ .github/ISSUE_TEMPLATE/bug_report.yml | 67 ++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.yml | 62 ++++++++++++++++++ .github/PULL_REQUEST_TEMPLATE.md | 44 +++++++++++++ .github/SECURITY.md | 46 ++++++++++++++ 6 files changed, 317 insertions(+) create mode 100644 .github/CODE_OF_CONDUCT.md create mode 100644 .github/CONTRIBUTING.md create mode 100644 .github/ISSUE_TEMPLATE/bug_report.yml create mode 100644 .github/ISSUE_TEMPLATE/feature_request.yml create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/SECURITY.md diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..8d8a196 --- /dev/null +++ b/.github/CODE_OF_CONDUCT.md 
@@ -0,0 +1,24 @@ +# Code of Conduct + +## Our standards + +This project follows the [Contributor Covenant](https://www.contributor-covenant.org/) v2.1. + +We are committed to providing a welcoming and inclusive environment. Expected behavior: + +- Use respectful and inclusive language +- Accept constructive criticism gracefully +- Focus on what is best for the project +- Show empathy toward other contributors + +Unacceptable behavior includes harassment, discriminatory language, and personal attacks of any kind. + +## Enforcement + +Violations may be reported to **borrome941@gmail.com**. All reports will be reviewed promptly and confidentially. + +Project maintainers who do not uphold this Code of Conduct may be removed from the project. + +## Attribution + +Adapted from the [Contributor Covenant](https://www.contributor-covenant.org/version/2/1/code_of_conduct/), version 2.1. diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md new file mode 100644 index 0000000..cf7a0d4 --- /dev/null +++ b/.github/CONTRIBUTING.md 
@@ -0,0 +1,74 @@ +# Contributing to TuColmadoRD + +## Branch flow + +``` +feature/your-feature + β”‚ + β–Ό + dev ──► qa ──► main ──► production +``` + +All PRs target `dev`. Never push directly to `qa` or `main` β€” promotion is automatic via CI. + +## Before you start + +1. Check open issues and discussions to avoid duplicate work. +2. For significant changes, open an issue or discussion first to align on approach. +3. Fork the repo and create a branch from `dev`: + ```bash + git checkout dev + git pull origin dev + git checkout -b feature/your-feature-name + ``` + +## Local setup + +See [[Local Development]] in the wiki or `.docs/STARTUP.md` for full instructions. + +```bash +cp .env.example .env # fill in values +docker compose up --build -d +./executions/migrate.sh +``` + +## Commit style + +We use [Conventional Commits](https://www.conventionalcommits.org/): + +``` +feat(catalog): add product variant support +fix(gateway): return 404 instead of 500 on unknown tenant +refactor(auth): extract token refresh into service layer +docs: update local development guide +test(reports): add integration test for daily summary +chore(ci): pin docker buildx version +``` + +**Scopes:** `auth`, `gateway`, `api`, `catalog`, `reports`, `notification`, `ecf`, `web`, `landing`, `ci`, `deploy`, `infra`. 
+ +## Pull request checklist + +- [ ] Branch is up to date with `dev` +- [ ] All existing tests pass (`docker compose` integration tests) +- [ ] New behavior has test coverage +- [ ] No secrets or credentials in the diff +- [ ] `GHCR_TOKEN` is not committed (it stays in `.env`) +- [ ] PR description explains *why*, not just *what* + +## Code style + +- **.NET**: follow existing Clean Architecture layer boundaries β€” no business logic in controllers +- **Rust**: `cargo fmt` and `cargo clippy` must pass +- **TypeScript**: ESLint passes, no `any` casts without a comment explaining why +- **All services**: every public endpoint must include a tenant_id check + +## Testing + +- Unit tests: run inside each service directory +- Integration tests: run via `docker compose` (full stack must be up) +- Load tests: `perf-lab/` β€” run the `smoke.js` scenario first to validate reachability + +## Questions + +Use [GitHub Discussions](https://github.com/odimsom/TuColmadoRD-Monorepo/discussions) β€” Q&A category for how-to questions, Ideas category for proposals. diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..4abe9a7 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
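Review bot: `[[Local Development]]` in the Local setup section is wiki-link syntax that GitHub does not render inside a repository markdown file, so contributors will see literal brackets; replace it with the wiki page URL. In the Code style section, "every public endpoint must include a tenant_id check" should say where the value is expected to come from (the gateway-validated claim or a request parameter), since reviewers cannot verify the rule consistently otherwise and the README and SECURITY.md in this series currently describe different sources.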
@@ -0,0 +1,67 @@ +name: Bug report +description: Something isn't working as expected +labels: [bug] +body: + - type: markdown + attributes: + value: | + **Before filing:** check [open issues](https://github.com/odimsom/TuColmadoRD-Monorepo/issues) and the [Q&A discussion](https://github.com/odimsom/TuColmadoRD-Monorepo/discussions/categories/q-a) first. + + - type: dropdown + id: service + attributes: + label: Affected service + options: + - API Gateway + - Core API (.NET) + - Auth service + - Catalog service (Rust) + - Reports service (Rust) + - Notification service + - ECF Generator + - Web Admin (Angular) + - Landing page + - CI/CD / Deploy + - Infrastructure / Traefik + - Other + validations: + required: true + + - type: textarea + id: description + attributes: + label: What happened? + description: Clear description of the bug. Include error messages verbatim. + validations: + required: true + + - type: textarea + id: reproduction + attributes: + label: Steps to reproduce + placeholder: | + 1. Call endpoint `GET /api/v1/catalog?tenant_id=...` + 2. With header `Authorization: Bearer ...` + 3. Observe response... + validations: + required: true + + - type: textarea + id: expected + attributes: + label: Expected behavior + validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant logs + description: "`docker compose logs | tail -50`" + render: shell + + - type: input + id: environment + attributes: + label: Environment + placeholder: "local / staging / production β€” Docker Compose v2.x, OS" diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..f7719a6 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
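Review bot: the Relevant logs field asks for `docker compose logs | tail -50` and the reproduction placeholder shows an `Authorization: Bearer ...` header, but nothing tells reporters to redact; add a sentence to the field description asking them to strip tokens, connection strings and customer data before pasting, since issues are public. Also, the placeholder `GET /api/v1/catalog?tenant_id=...` models the tenant as a query parameter, which conflicts with SECURITY.md in this same patch ("`tenant_id` is extracted from the JWT"); align the example with whichever is the real request shape.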
@@ -0,0 +1,62 @@ +name: Feature request +description: Propose a new feature or improvement +labels: [enhancement] +body: + - type: markdown + attributes: + value: | + For open-ended discussion or early-stage ideas, use [Discussions β†’ Ideas](https://github.com/odimsom/TuColmadoRD-Monorepo/discussions/categories/ideas) instead. + Open an issue when the feature is concrete enough to be actionable. + + - type: dropdown + id: area + attributes: + label: Area + options: + - POS / Sales flow + - Inventory management + - Reporting + - Delivery & GPS verification + - Employee & shift management + - Credit (fiado) management + - e-CF / DGII fiscal compliance + - Authentication & authorization + - API / Gateway + - Frontend (web admin) + - Desktop app + - Infrastructure / DevOps + - Developer experience + validations: + required: true + + - type: textarea + id: problem + attributes: + label: Problem this solves + description: What is currently painful or impossible? Be specific. + validations: + required: true + + - type: textarea + id: solution + attributes: + label: Proposed solution + description: How should it work? Include UI mockups, API shapes, or data models if helpful. + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives considered + description: Other approaches you thought about and why you ruled them out. + + - type: checkboxes + id: checklist + attributes: + label: Pre-submission checklist + options: + - label: I searched existing issues and discussions + required: true + - label: This feature fits the scope of a POS/ERP for Dominican colmados + required: true diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..dfc2a6d --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -0,0 +1,44 @@ +## What does this PR do? + + + +## Type of change + +- [ ] Bug fix +- [ ] New feature +- [ ] Refactor (no behavior change) +- [ ] CI / infrastructure +- [ ] Documentation + +## Affected services + + +- [ ] API Gateway +- [ ] Core API (.NET) +- [ ] Auth service +- [ ] Catalog service (Rust) +- [ ] Reports service (Rust) +- [ ] Notification service +- [ ] ECF Generator +- [ ] Web Admin (Angular) +- [ ] Landing page +- [ ] CI/CD / Deploy scripts +- [ ] Infrastructure + +## Testing + + + +- [ ] Local Docker Compose stack +- [ ] Unit tests pass +- [ ] Integration tests pass +- [ ] Manually tested the affected flow end-to-end +- [ ] perf-lab smoke test passes (if gateway/service change) + +## Checklist + +- [ ] Branch is up to date with `dev` +- [ ] No secrets or credentials in the diff +- [ ] Commit messages follow Conventional Commits +- [ ] DB migrations are backward-compatible (if applicable) +- [ ] `.env.example` updated if new env vars were added diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..33f041c --- /dev/null +++ b/.github/SECURITY.md 
@@ -0,0 +1,46 @@ +# Security Policy + +## Supported versions + +| Version | Supported | +|---|---| +| `main` (latest) | βœ… | +| Older tags | ❌ | + +Only the latest commit on `main` receives security fixes. + +## Reporting a vulnerability + +**Do not open a public issue for security vulnerabilities.** + +Report vulnerabilities privately to **borrome941@gmail.com** with: + +- A description of the vulnerability +- Steps to reproduce +- Potential impact +- (Optional) suggested fix + +You will receive an acknowledgment within 48 hours. We aim to release a fix within 7 days for critical issues. + +## Scope + +In scope: +- API Gateway β€” authentication bypass, JWT forgery, tenant isolation bypass +- Auth service β€” credential exposure, token leakage +- Any endpoint that allows cross-tenant data access +- SQL injection or command injection in any service +- Exposed secrets or credentials in build artifacts / Docker images + +Out of scope: +- Issues requiring physical access to the server +- Social engineering +- Denial of service (the load-testing perf-lab is intentional) +- Bugs in third-party dependencies (report those upstream) + +## Security design notes + +- All API requests require a valid JWT issued by the auth service +- `tenant_id` is extracted from the JWT β€” clients cannot supply their own +- All PostgreSQL queries are parameterized (SQLx compile-time checked in Rust, EF Core in .NET) +- No service credential is stored in the repository β€” secrets live in `.env` on the VPS only +- Internal services are not exposed through Traefik; only the gateway and frontends have public routes From 316bf763e2d48821c2d5bb88bb057fe87cd18378 Mon Sep 17 00:00:00 2001 
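Review bot: "`tenant_id` is extracted from the JWT; clients cannot supply their own" contradicts the README in PATCH 1/3 (query param or header, enforced by the gateway) and the bug-report template's `?tenant_id=...` example; settle on the actual gateway behaviour and make all three documents agree, because "tenant isolation bypass" is listed as in scope and a mismatch between documentation and the gateway code is the most likely way to get one. Two precision fixes in the design notes: "SQLx compile-time checked" only holds for the `query!`/`query_as!` macros, not for `sqlx::query()` built from runtime strings, so phrase it as a project rule unless it has been verified across both Rust services; and the Supported versions table says only `main` receives fixes while CONTRIBUTING.md says never push to `main` directly, so state whether security fixes follow the `dev → qa → main` promotion or are hot-fixed to `main`.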
From: Francisco Daniel Castro Borrome Date: Sun, 17 May 2026 00:02:24 -0400 Subject: [PATCH 3/3] chore(deps): configure Dependabot for all package ecosystems Ecosystems covered: - github-actions / weekly monday - docker / weekly monday - nuget /backend weekly tuesday (grouped: ef-core, aspnet, testing) - cargo /services/catalog-service weekly tuesday - cargo /services/reports-service weekly tuesday - npm /auth weekly wednesday - npm /notification-service weekly wednesday - pip /generadordexmle-cf weekly wednesday - npm /frontend/web-admin weekly thursday (grouped: angular, tailwind, testing) - npm /frontend/landing-page weekly thursday - npm /frontend weekly thursday - npm /scripts weekly thursday Updates are grouped per service/framework to reduce PR noise. Rust and NuGet patch/minor only to avoid breaking changes. Co-Authored-By: Claude Sonnet 4.6 --- .github/dependabot.yml | 156 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 156 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..09c8ec5 --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,156 @@ +version: 2 +updates: + + # ── GitHub Actions ───────────────────────────────────────────────────────── + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly + day: monday + groups: + actions: + patterns: ["*"] + + # ── Docker base images ───────────────────────────────────────────────────── + - package-ecosystem: docker + directory: / + schedule: + interval: weekly + day: monday + groups: + docker-images: + patterns: ["*"] + + # ── NuGet (.NET backend) ─────────────────────────────────────────────────── + - package-ecosystem: nuget + directory: /backend + schedule: + interval: weekly + day: tuesday + groups: + ef-core: + patterns: + - "Microsoft.EntityFrameworkCore*" + - "Npgsql.EntityFrameworkCore*" + aspnet: + patterns: + - "Microsoft.AspNetCore*" + - "Microsoft.Extensions*" + - "Microsoft.IdentityModel*" + testing: + patterns: + - "xunit*" + - "Moq*" + - "FluentAssertions*" + - "Microsoft.NET.Test*" + other-nuget: + patterns: ["*"] + update-types: ["minor", "patch"] + + # ── Rust microservices ───────────────────────────────────────────────────── + - package-ecosystem: cargo + directory: /services/catalog-service + schedule: + interval: weekly + day: tuesday + groups: + catalog-deps: + patterns: ["*"] + update-types: ["minor", "patch"] + + - package-ecosystem: cargo + directory: /services/reports-service + schedule: + interval: weekly + day: tuesday + groups: + reports-deps: + patterns: ["*"] + update-types: ["minor", "patch"] + + # ── Node.js services ─────────────────────────────────────────────────────── + - package-ecosystem: npm + directory: /auth + schedule: + interval: weekly + day: wednesday + groups: + auth-prod: + dependency-type: production + patterns: ["*"] + auth-dev: + dependency-type: development + patterns: ["*"] + + - package-ecosystem: npm + directory: /notification-service + schedule: + interval: weekly + day: wednesday + groups: + notification-deps: + patterns: ["*"] + + # ── Angular frontend 
─────────────────────────────────────────────────────── + - package-ecosystem: npm + directory: /frontend/web-admin + schedule: + interval: weekly + day: thursday + groups: + angular: + patterns: + - "@angular/*" + - "@angular-devkit/*" + tailwind: + patterns: + - "tailwindcss" + - "daisyui" + - "postcss*" + - "autoprefixer" + testing: + patterns: + - "@playwright/*" + - "playwright" + - "karma*" + - "jasmine*" + other-frontend: + patterns: ["*"] + update-types: ["minor", "patch"] + + - package-ecosystem: npm + directory: /frontend/landing-page + schedule: + interval: weekly + day: thursday + groups: + landing-deps: + patterns: ["*"] + + - package-ecosystem: npm + directory: /frontend + schedule: + interval: weekly + day: thursday + groups: + frontend-root: + patterns: ["*"] + + - package-ecosystem: npm + directory: /scripts + schedule: + interval: weekly + day: thursday + groups: + scripts-deps: + patterns: ["*"] + + # ── Python (ECF Generator) ───────────────────────────────────────────────── + - package-ecosystem: pip + directory: /generadordexmle-cf + schedule: + interval: weekly + day: wednesday + groups: + ecf-deps: + patterns: ["*"]
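Review bot: `update-types: ["minor", "patch"]` placed under a `groups` entry (the `other-nuget`, `catalog-deps`, `reports-deps` and `other-frontend` groups) only decides which updates are batched into that group; Dependabot still opens individual PRs for major versions, so the commit message's "Rust and NuGet patch/minor only to avoid breaking changes" is not what this file does. To actually hold back majors, add a top-level `ignore:` block to those entries with `- dependency-name: "*"` and `update-types: ["version-update:semver-major"]`. Separately, the docker entry uses `directory: /`; if each service builds from its own Dockerfile under `auth/`, `services/*` or `generadordexmle-cf/`, confirm those are discovered or list them explicitly with `directories:`, otherwise base-image updates for the services will never be proposed.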