From ab0ed187ed0332d3f5cb5c44388a6d7e2c8d562d Mon Sep 17 00:00:00 2001 From: David Date: Sat, 4 Apr 2026 12:52:46 +0200 Subject: [PATCH 1/9] feat(cicd): sync CI/CD pipeline from cicd branch Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/cd-main.yml | 269 ++++++ .github/workflows/cd-preprod.yml | 397 +++++++++ .github/workflows/ci.yml | 484 +++-------- .github/workflows/pr-checks.yml | 176 ++++ .github/workflows/rollback.yml | 317 ++++++++ .../hetzner/09-kubernetes-manifests.md | 765 ++++++++++++++++++ .../hetzner/13-backup-disaster-recovery.md | 389 +++++++++ 7 files changed, 2425 insertions(+), 372 deletions(-) create mode 100644 .github/workflows/cd-main.yml create mode 100644 .github/workflows/cd-preprod.yml create mode 100644 .github/workflows/pr-checks.yml create mode 100644 .github/workflows/rollback.yml create mode 100644 docs/deployment/hetzner/09-kubernetes-manifests.md create mode 100644 docs/deployment/hetzner/13-backup-disaster-recovery.md diff --git a/.github/workflows/cd-main.yml b/.github/workflows/cd-main.yml new file mode 100644 index 0000000..5912f40 --- /dev/null +++ b/.github/workflows/cd-main.yml @@ -0,0 +1,269 @@ +name: CD Production (Hetzner k3s) + +# Production deployment pipeline — Hetzner k3s cluster. +# +# Flow: +# 1. Promote: re-tag preprod → latest + prod-SHA within Scaleway (no rebuild, no data transfer) +# 2. Deploy: kubectl set image + rollout status (blocks until pods are healthy) +# 3. Auto-rollback: kubectl rollout undo if rollout fails +# 4. Smoke tests: belt-and-suspenders HTTP health checks +# 5. Notify Discord +# +# Required secrets: +# REGISTRY_TOKEN — Scaleway registry token (read + write) +# HETZNER_KUBECONFIG — base64-encoded kubeconfig for xpeditis-prod cluster +# PROD_BACKEND_URL — https://api.xpeditis.com (health check) +# PROD_FRONTEND_URL — https://app.xpeditis.com (health check) +# DISCORD_WEBHOOK_URL — Discord notifications +# +# K8s cluster details (from docs/deployment/hetzner/): +# Namespace: xpeditis-prod +# Deployments: xpeditis-backend (container: backend) +# xpeditis-frontend (container: frontend) +# +on: + push: + branches: [main] + +# Only one prod deployment at a time. Never cancel. +concurrency: + group: cd-production + cancel-in-progress: false + +env: + REGISTRY: rg.fr-par.scw.cloud/weworkstudio + IMAGE_BACKEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-backend + IMAGE_FRONTEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-frontend + K8S_NAMESPACE: xpeditis-prod + +jobs: + # ────────────────────────────────────────────────────────────── + # 1. Promote preprod → prod tags within Scaleway + # imagetools create re-tags at manifest level — no layer + # download/upload, instant even for multi-arch images. + # ────────────────────────────────────────────────────────────── + promote-images: + name: Promote Images (preprod → prod) + runs-on: ubuntu-latest + outputs: + short-sha: ${{ steps.sha.outputs.short }} + backend-image: ${{ steps.images.outputs.backend }} + frontend-image: ${{ steps.images.outputs.frontend }} + + steps: + - name: Compute short SHA + id: sha + run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT + + - name: Set image references + id: images + run: | + echo "backend=${{ env.IMAGE_BACKEND }}:prod-${{ steps.sha.outputs.short }}" >> $GITHUB_OUTPUT + echo "frontend=${{ env.IMAGE_FRONTEND }}:prod-${{ steps.sha.outputs.short }}" >> $GITHUB_OUTPUT + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Scaleway Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Promote Backend (preprod → latest + prod-SHA) + run: | + docker buildx imagetools create \ + --tag ${{ env.IMAGE_BACKEND }}:latest \ + --tag ${{ steps.images.outputs.backend }} \ + ${{ env.IMAGE_BACKEND }}:preprod + + - name: Promote Frontend (preprod → latest + prod-SHA) + run: | + docker buildx imagetools create \ + --tag ${{ env.IMAGE_FRONTEND }}:latest \ + --tag ${{ steps.images.outputs.frontend }} \ + ${{ env.IMAGE_FRONTEND }}:preprod + + - name: Verify promoted images + run: | + echo "=== Backend ===" + docker buildx imagetools inspect ${{ steps.images.outputs.backend }} + echo "=== Frontend ===" + docker buildx imagetools inspect ${{ steps.images.outputs.frontend }} + + # ────────────────────────────────────────────────────────────── + # 2. Deploy to Hetzner k3s + # kubectl set image → rollout status waits for pods to be + # healthy (readiness probes pass) before the job succeeds. + # Auto-rollback on failure via kubectl rollout undo. + # ────────────────────────────────────────────────────────────── + deploy: + name: Deploy to k3s (xpeditis-prod) + runs-on: ubuntu-latest + needs: promote-images + environment: + name: production + url: https://app.xpeditis.com + + steps: + - name: Configure kubectl + run: | + mkdir -p ~/.kube + echo "${{ secrets.HETZNER_KUBECONFIG }}" | base64 -d > ~/.kube/config + chmod 600 ~/.kube/config + kubectl cluster-info + kubectl get nodes + + - name: Deploy Backend + run: | + IMAGE="${{ needs.promote-images.outputs.backend-image }}" + echo "Deploying backend: $IMAGE" + kubectl set image deployment/xpeditis-backend \ + backend=$IMAGE \ + -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-backend \ + -n ${{ env.K8S_NAMESPACE }} \ + --timeout=300s + echo "Backend deployed." + + - name: Deploy Frontend + run: | + IMAGE="${{ needs.promote-images.outputs.frontend-image }}" + echo "Deploying frontend: $IMAGE" + kubectl set image deployment/xpeditis-frontend \ + frontend=$IMAGE \ + -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-frontend \ + -n ${{ env.K8S_NAMESPACE }} \ + --timeout=300s + echo "Frontend deployed." + + - name: Auto-rollback on failure + if: failure() + run: | + echo "Deployment failed — rolling back..." + kubectl rollout undo deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} || true + kubectl rollout undo deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} || true + kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=120s || true + kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=120s || true + echo "Previous version restored." + + # ────────────────────────────────────────────────────────────── + # 3. Smoke Tests + # kubectl rollout status already verifies pod readiness. + # These confirm the full network path: + # Cloudflare → Hetzner LB → Traefik → pod. + # ────────────────────────────────────────────────────────────── + smoke-tests: + name: Smoke Tests + runs-on: ubuntu-latest + needs: deploy + + steps: + - name: Wait for LB propagation + run: sleep 30 + + - name: Health check — Backend + run: | + for i in {1..12}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ + "${{ secrets.PROD_BACKEND_URL }}/api/v1/health" 2>/dev/null || echo "000") + echo " Attempt $i: HTTP $STATUS" + if [ "$STATUS" = "200" ]; then echo "Backend healthy."; exit 0; fi + sleep 15 + done + echo "CRITICAL: Backend unreachable after rollout." + exit 1 + + - name: Health check — Frontend + run: | + for i in {1..12}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ + "${{ secrets.PROD_FRONTEND_URL }}" 2>/dev/null || echo "000") + echo " Attempt $i: HTTP $STATUS" + if [ "$STATUS" = "200" ]; then echo "Frontend healthy."; exit 0; fi + sleep 15 + done + echo "CRITICAL: Frontend unreachable after rollout." + exit 1 + + # ────────────────────────────────────────────────────────────── + # 4. Deployment Summary + # ────────────────────────────────────────────────────────────── + summary: + name: Deployment Summary + runs-on: ubuntu-latest + needs: [promote-images, smoke-tests] + if: success() + + steps: + - name: Write summary + run: | + echo "## Production Deployment" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| | |" >> $GITHUB_STEP_SUMMARY + echo "|---|---|" >> $GITHUB_STEP_SUMMARY + echo "| **Commit** | \`${{ github.sha }}\` |" >> $GITHUB_STEP_SUMMARY + echo "| **Backend** | \`${{ needs.promote-images.outputs.backend-image }}\` |" >> $GITHUB_STEP_SUMMARY + echo "| **Frontend** | \`${{ needs.promote-images.outputs.frontend-image }}\` |" >> $GITHUB_STEP_SUMMARY + echo "| **Source** | Promoted from \`preprod\` tag — no rebuild |" >> $GITHUB_STEP_SUMMARY + echo "| **Cluster** | Hetzner k3s — namespace \`xpeditis-prod\` |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "To rollback: [Run rollback workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/rollback.yml)" >> $GITHUB_STEP_SUMMARY + + # ────────────────────────────────────────────────────────────── + # Discord — Success + # ────────────────────────────────────────────────────────────── + notify-success: + name: Notify Success + runs-on: ubuntu-latest + needs: [promote-images, smoke-tests] + if: success() + + steps: + - name: Send Discord notification + run: | + curl -s -H "Content-Type: application/json" -d '{ + "embeds": [{ + "title": "🚀 Production Deployed & Healthy", + "color": 3066993, + "fields": [ + {"name": "Author", "value": "${{ github.actor }}", "inline": true}, + {"name": "Version", "value": "`prod-${{ needs.promote-images.outputs.short-sha }}`", "inline": true}, + {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": false}, + {"name": "Registry", "value": "Scaleway — promoted from `preprod`, no rebuild", "inline": false}, + {"name": "Cluster", "value": "Hetzner k3s — `xpeditis-prod`", "inline": false}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD • Production"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} + + # ────────────────────────────────────────────────────────────── + # Discord — Failure (CRITICAL) + # ────────────────────────────────────────────────────────────── + notify-failure: + name: Notify Failure + runs-on: ubuntu-latest + needs: [promote-images, deploy, smoke-tests] + if: failure() + + steps: + - name: Send Discord notification + run: | + curl -s -H "Content-Type: application/json" -d '{ + "content": "@here PRODUCTION DEPLOYMENT FAILED", + "embeds": [{ + "title": "🔴 PRODUCTION PIPELINE FAILED", + "description": "Auto-rollback was triggered if deployment failed. Check rollout history.", + "color": 15158332, + "fields": [ + {"name": "Author", "value": "${{ github.actor }}", "inline": true}, + {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": true}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false}, + {"name": "Manual rollback", "value": "[Run rollback workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/rollback.yml)", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD • Production"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} diff --git a/.github/workflows/cd-preprod.yml b/.github/workflows/cd-preprod.yml new file mode 100644 index 0000000..0d2e359 --- /dev/null +++ b/.github/workflows/cd-preprod.yml @@ -0,0 +1,397 @@ +name: CD Preprod + +# Full pipeline for the preprod branch. +# Flow: quality → integration tests → Docker build & push → deploy → smoke tests → notify +# +# Required secrets: +# REGISTRY_TOKEN — Scaleway container registry token +# NEXT_PUBLIC_API_URL — Preprod API URL (e.g. https://api.preprod.xpeditis.com) +# NEXT_PUBLIC_APP_URL — Preprod app URL (e.g. https://preprod.xpeditis.com) +# PORTAINER_WEBHOOK_BACKEND — Portainer webhook for preprod backend service +# PORTAINER_WEBHOOK_FRONTEND — Portainer webhook for preprod frontend service +# PREPROD_BACKEND_URL — Health check URL (e.g. https://api.preprod.xpeditis.com) +# PREPROD_FRONTEND_URL — Health check URL (e.g. https://preprod.xpeditis.com) +# DISCORD_WEBHOOK_URL — Discord deployment notifications + +on: + push: + branches: [preprod] + +# Only one preprod deployment at a time. Never cancel an in-progress deployment. +concurrency: + group: cd-preprod + cancel-in-progress: false + +env: + REGISTRY: rg.fr-par.scw.cloud/weworkstudio + NODE_VERSION: '20' + +jobs: + # ────────────────────────────────────────── + # 1. Lint & Type-check + # ────────────────────────────────────────── + quality: + name: Quality (${{ matrix.app }}) + runs-on: ubuntu-latest + strategy: + fail-fast: true + matrix: + app: [backend, frontend] + + defaults: + run: + working-directory: apps/${{ matrix.app }} + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Lint + run: npm run lint + + - name: Type-check (frontend only) + if: matrix.app == 'frontend' + run: npm run type-check + + # ────────────────────────────────────────── + # 2. Unit Tests + # ────────────────────────────────────────── + unit-tests: + name: Unit Tests (${{ matrix.app }}) + runs-on: ubuntu-latest + needs: quality + strategy: + fail-fast: true + matrix: + app: [backend, frontend] + + defaults: + run: + working-directory: apps/${{ matrix.app }} + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Run unit tests + run: npm test -- --passWithNoTests --coverage + + # ────────────────────────────────────────── + # 3. Integration Tests + # ────────────────────────────────────────── + integration-tests: + name: Integration Tests + runs-on: ubuntu-latest + needs: unit-tests + + defaults: + run: + working-directory: apps/backend + + services: + postgres: + image: postgres:15-alpine + env: + POSTGRES_USER: xpeditis_test + POSTGRES_PASSWORD: xpeditis_test_password + POSTGRES_DB: xpeditis_test + options: >- + --health-cmd pg_isready + --health-interval 5s + --health-timeout 5s + --health-retries 10 + ports: + - 5432:5432 + + redis: + image: redis:7-alpine + options: >- + --health-cmd "redis-cli ping" + --health-interval 5s + --health-timeout 5s + --health-retries 10 + ports: + - 6379:6379 + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Run integration tests + env: + NODE_ENV: test + DATABASE_HOST: localhost + DATABASE_PORT: 5432 + DATABASE_USER: xpeditis_test + DATABASE_PASSWORD: xpeditis_test_password + DATABASE_NAME: xpeditis_test + DATABASE_SYNCHRONIZE: false + REDIS_HOST: localhost + REDIS_PORT: 6379 + REDIS_PASSWORD: '' + JWT_SECRET: test-secret-key-for-ci-only + SMTP_HOST: localhost + SMTP_PORT: 1025 + SMTP_FROM: test@xpeditis.com + run: npm run test:integration -- --passWithNoTests + + # ────────────────────────────────────────── + # 4a. Docker Build & Push — Backend + # ────────────────────────────────────────── + build-backend: + name: Build & Push Backend + runs-on: ubuntu-latest + needs: integration-tests + outputs: + image-tag: ${{ steps.sha.outputs.short }} + + steps: + - uses: actions/checkout@v4 + + - name: Compute short SHA + id: sha + run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Scaleway Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Build and push Backend image + uses: docker/build-push-action@v5 + with: + context: ./apps/backend + file: ./apps/backend/Dockerfile + push: true + # Tag with branch name AND commit SHA for traceability and prod promotion + tags: | + ${{ env.REGISTRY }}/xpeditis-backend:preprod + ${{ env.REGISTRY }}/xpeditis-backend:preprod-${{ steps.sha.outputs.short }} + cache-from: type=registry,ref=${{ env.REGISTRY }}/xpeditis-backend:buildcache + cache-to: type=registry,ref=${{ env.REGISTRY }}/xpeditis-backend:buildcache,mode=max + platforms: linux/amd64,linux/arm64 + + # ────────────────────────────────────────── + # 4b. Docker Build & Push — Frontend + # ────────────────────────────────────────── + build-frontend: + name: Build & Push Frontend + runs-on: ubuntu-latest + needs: integration-tests + outputs: + image-tag: ${{ steps.sha.outputs.short }} + + steps: + - uses: actions/checkout@v4 + + - name: Compute short SHA + id: sha + run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Scaleway Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Build and push Frontend image + uses: docker/build-push-action@v5 + with: + context: ./apps/frontend + file: ./apps/frontend/Dockerfile + push: true + tags: | + ${{ env.REGISTRY }}/xpeditis-frontend:preprod + ${{ env.REGISTRY }}/xpeditis-frontend:preprod-${{ steps.sha.outputs.short }} + cache-from: type=registry,ref=${{ env.REGISTRY }}/xpeditis-frontend:buildcache + cache-to: type=registry,ref=${{ env.REGISTRY }}/xpeditis-frontend:buildcache,mode=max + platforms: linux/amd64,linux/arm64 + build-args: | + NEXT_PUBLIC_API_URL=${{ secrets.NEXT_PUBLIC_API_URL }} + NEXT_PUBLIC_APP_URL=${{ secrets.NEXT_PUBLIC_APP_URL }} + + # ────────────────────────────────────────── + # 5. Deploy to Preprod via Portainer + # ────────────────────────────────────────── + deploy: + name: Deploy to Preprod + runs-on: ubuntu-latest + needs: [build-backend, build-frontend] + environment: preprod + + steps: + - name: Trigger Backend deployment + run: | + echo "Deploying backend (preprod-${{ needs.build-backend.outputs.image-tag }})..." + curl -sf -X POST \ + -H "Content-Type: application/json" \ + "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" + echo "Backend webhook triggered." + + - name: Wait for backend to stabilize + run: sleep 20 + + - name: Trigger Frontend deployment + run: | + echo "Deploying frontend (preprod-${{ needs.build-frontend.outputs.image-tag }})..." + curl -sf -X POST \ + -H "Content-Type: application/json" \ + "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" + echo "Frontend webhook triggered." + + # ────────────────────────────────────────── + # 6. Smoke Tests — verify preprod is healthy + # ────────────────────────────────────────── + smoke-tests: + name: Smoke Tests + runs-on: ubuntu-latest + needs: deploy + + steps: + - name: Wait for services to start + run: sleep 40 + + - name: Health check — Backend + run: | + echo "Checking backend health..." + for i in {1..10}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ + --max-time 10 \ + "${{ secrets.PREPROD_BACKEND_URL }}/health" 2>/dev/null || echo "000") + echo " Attempt $i: HTTP $STATUS" + if [ "$STATUS" = "200" ]; then + echo "Backend is healthy." + exit 0 + fi + sleep 15 + done + echo "Backend health check failed after 10 attempts." + exit 1 + + - name: Health check — Frontend + run: | + echo "Checking frontend health..." + for i in {1..10}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ + --max-time 10 \ + "${{ secrets.PREPROD_FRONTEND_URL }}" 2>/dev/null || echo "000") + echo " Attempt $i: HTTP $STATUS" + if [ "$STATUS" = "200" ]; then + echo "Frontend is healthy." + exit 0 + fi + sleep 15 + done + echo "Frontend health check failed after 10 attempts." + exit 1 + + # ────────────────────────────────────────── + # 7. Deployment Summary + # ────────────────────────────────────────── + summary: + name: Deployment Summary + runs-on: ubuntu-latest + needs: [build-backend, build-frontend, smoke-tests] + if: success() + + steps: + - name: Write summary + run: | + echo "## Preprod Deployment" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| | |" >> $GITHUB_STEP_SUMMARY + echo "|---|---|" >> $GITHUB_STEP_SUMMARY + echo "| **Commit** | \`${{ github.sha }}\` |" >> $GITHUB_STEP_SUMMARY + echo "| **Backend image** | \`${{ env.REGISTRY }}/xpeditis-backend:preprod-${{ needs.build-backend.outputs.image-tag }}\` |" >> $GITHUB_STEP_SUMMARY + echo "| **Frontend image** | \`${{ env.REGISTRY }}/xpeditis-frontend:preprod-${{ needs.build-frontend.outputs.image-tag }}\` |" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "To promote this exact build to production, merge this commit to \`main\`." >> $GITHUB_STEP_SUMMARY + + # ────────────────────────────────────────── + # Discord — Success + # ────────────────────────────────────────── + notify-success: + name: Notify Success + runs-on: ubuntu-latest + needs: [build-backend, build-frontend, smoke-tests] + if: success() + + steps: + - name: Send Discord notification + run: | + curl -s -H "Content-Type: application/json" -d '{ + "embeds": [{ + "title": "✅ Preprod Deployed & Healthy", + "color": 3066993, + "fields": [ + {"name": "Author", "value": "${{ github.actor }}", "inline": true}, + {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": true}, + {"name": "Backend", "value": "`preprod-${{ needs.build-backend.outputs.image-tag }}`", "inline": false}, + {"name": "Frontend", "value": "`preprod-${{ needs.build-frontend.outputs.image-tag }}`", "inline": false}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD • Preprod"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} + + # ────────────────────────────────────────── + # Discord — Failure + # ────────────────────────────────────────── + notify-failure: + name: Notify Failure + runs-on: ubuntu-latest + needs: [quality, unit-tests, integration-tests, build-backend, build-frontend, deploy, smoke-tests] + if: failure() + + steps: + - name: Send Discord notification + run: | + curl -s -H "Content-Type: application/json" -d '{ + "embeds": [{ + "title": "❌ Preprod Pipeline Failed", + "description": "Preprod was NOT deployed. Fix the issue before retrying.", + "color": 15158332, + "fields": [ + {"name": "Author", "value": "${{ github.actor }}", "inline": true}, + {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": true}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD • Preprod"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ee25f46..4a13643 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,372 +1,112 @@ -name: CI/CD Pipeline - -on: - push: - branches: - - preprod - -env: - REGISTRY: rg.fr-par.scw.cloud/weworkstudio - NODE_VERSION: '20' - -jobs: - # ============================================ - # Backend Build, Test & Deploy - # ============================================ - backend: - name: Backend - Build, Test & Push - runs-on: ubuntu-latest - defaults: - run: - working-directory: apps/backend - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - - - name: Install dependencies - run: npm install --legacy-peer-deps - - - name: Lint code - run: npm run lint - - - name: Run unit tests - run: npm test -- --coverage --passWithNoTests - - - name: Build application - run: npm run build - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Scaleway Registry - uses: docker/login-action@v3 - with: - registry: rg.fr-par.scw.cloud/weworkstudio - username: nologin - password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Extract metadata for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/xpeditis-backend - tags: | - type=ref,event=branch - type=raw,value=latest,enable={{is_default_branch}} - - - name: Build and push Backend Docker image - uses: docker/build-push-action@v5 - with: - context: ./apps/backend - file: ./apps/backend/Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.REGISTRY }}/xpeditis-backend:buildcache - cache-to: type=registry,ref=${{ env.REGISTRY }}/xpeditis-backend:buildcache,mode=max - platforms: linux/amd64,linux/arm64 - - # ============================================ - # Frontend Build, Test & Deploy - # ============================================ - frontend: - name: Frontend - Build, Test & Push - runs-on: ubuntu-latest - defaults: - run: - working-directory: apps/frontend - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - cache: 'npm' - cache-dependency-path: apps/frontend/package-lock.json - - - name: Install dependencies - run: npm ci --legacy-peer-deps - - - name: Lint code - run: npm run lint - - - name: Run tests - run: npm test -- --passWithNoTests || echo "No tests found" - - - name: Build application - env: - NEXT_PUBLIC_API_URL: ${{ secrets.NEXT_PUBLIC_API_URL || 'http://localhost:4000' }} - NEXT_PUBLIC_APP_URL: ${{ secrets.NEXT_PUBLIC_APP_URL || 'http://localhost:3000' }} - NEXT_TELEMETRY_DISABLED: 1 - run: npm run build - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Scaleway Registry - uses: docker/login-action@v3 - with: - registry: rg.fr-par.scw.cloud/weworkstudio - username: nologin - password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Extract metadata for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/xpeditis-frontend - tags: | - type=ref,event=branch - type=raw,value=latest,enable={{is_default_branch}} - - - name: Build and push Frontend Docker image - uses: docker/build-push-action@v5 - with: - context: ./apps/frontend - file: ./apps/frontend/Dockerfile - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=registry,ref=${{ env.REGISTRY }}/xpeditis-frontend:buildcache - cache-to: type=registry,ref=${{ env.REGISTRY }}/xpeditis-frontend:buildcache,mode=max - platforms: linux/amd64,linux/arm64 - build-args: | - NEXT_PUBLIC_API_URL=${{ secrets.NEXT_PUBLIC_API_URL || 'http://localhost:4000' }} - NEXT_PUBLIC_APP_URL=${{ secrets.NEXT_PUBLIC_APP_URL || 'http://localhost:3000' }} - - # ============================================ - # Integration Tests (Optional) - # ============================================ - integration-tests: - name: Integration Tests - runs-on: ubuntu-latest - needs: [backend, frontend] - if: github.event_name == 'pull_request' - defaults: - run: - working-directory: apps/backend - - services: - postgres: - image: postgres:15-alpine - env: - POSTGRES_USER: xpeditis - POSTGRES_PASSWORD: xpeditis_dev_password - POSTGRES_DB: xpeditis_test - options: >- - --health-cmd pg_isready - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 5432:5432 - - redis: - image: redis:7-alpine - options: >- - --health-cmd "redis-cli ping" - --health-interval 10s - --health-timeout 5s - --health-retries 5 - ports: - - 6379:6379 - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - - - name: Install dependencies - run: npm install --legacy-peer-deps - - - name: Run integration tests - env: - DATABASE_HOST: localhost - DATABASE_PORT: 5432 - DATABASE_USER: xpeditis - DATABASE_PASSWORD: xpeditis_dev_password - DATABASE_NAME: xpeditis_test - REDIS_HOST: localhost - REDIS_PORT: 6379 - JWT_SECRET: test-secret-key-for-ci - run: npm run test:integration || echo "No integration tests found" - - # ============================================ - # Deployment Summary - # ============================================ - deployment-summary: - name: Deployment Summary - runs-on: ubuntu-latest - needs: [backend, frontend] - if: success() - - steps: - - name: Summary - run: | - echo "## 🚀 Deployment Summary" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "### Backend Image" >> $GITHUB_STEP_SUMMARY - echo "- Registry: \`${{ env.REGISTRY }}/xpeditis-backend\`" >> $GITHUB_STEP_SUMMARY - echo "- Branch: \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY - echo "- Commit: \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "### Frontend Image" >> $GITHUB_STEP_SUMMARY - echo "- Registry: \`${{ env.REGISTRY }}/xpeditis-frontend\`" >> $GITHUB_STEP_SUMMARY - echo "- Branch: \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY - echo "- Commit: \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "### Pull Commands" >> $GITHUB_STEP_SUMMARY - echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY - echo "docker pull ${{ env.REGISTRY }}/xpeditis-backend:${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY - echo "docker pull ${{ env.REGISTRY }}/xpeditis-frontend:${{ github.ref_name }}" >> $GITHUB_STEP_SUMMARY - echo "\`\`\`" >> $GITHUB_STEP_SUMMARY - - # ============================================ - # Deploy to Portainer via Webhooks - # ============================================ - deploy-portainer: - name: Deploy to Portainer - runs-on: ubuntu-latest - needs: [backend, frontend] - if: success() && github.ref == 'refs/heads/preprod' - - steps: - - name: Trigger Backend Webhook - run: | - echo "🚀 Deploying Backend to Portainer..." - curl -X POST \ - -H "Content-Type: application/json" \ - -d '{"data": "backend-deployment"}' \ - ${{ secrets.PORTAINER_WEBHOOK_BACKEND }} - echo "✅ Backend webhook triggered" - - - name: Wait before Frontend deployment - run: sleep 10 - - - name: Trigger Frontend Webhook - run: | - echo "🚀 Deploying Frontend to Portainer..." - curl -X POST \ - -H "Content-Type: application/json" \ - -d '{"data": "frontend-deployment"}' \ - ${{ secrets.PORTAINER_WEBHOOK_FRONTEND }} - echo "✅ Frontend webhook triggered" - - # ============================================ - # Discord Notification - Success - # ============================================ - notify-success: - name: Discord Notification (Success) - runs-on: ubuntu-latest - needs: [backend, frontend, deploy-portainer] - if: success() - - steps: - - name: Send Discord notification - run: | - curl -H "Content-Type: application/json" \ - -d '{ - "embeds": [{ - "title": "✅ CI/CD Pipeline Success", - "description": "Deployment completed successfully!", - "color": 3066993, - "fields": [ - { - "name": "Repository", - "value": "${{ github.repository }}", - "inline": true - }, - { - "name": "Branch", - "value": "${{ github.ref_name }}", - "inline": true - }, - { - "name": "Commit", - "value": "[${{ github.sha }}](${{ github.event.head_commit.url }})", - "inline": false - }, - { - "name": "Backend Image", - "value": "`${{ env.REGISTRY }}/xpeditis-backend:${{ github.ref_name }}`", - "inline": false - }, - { - "name": "Frontend Image", - "value": "`${{ env.REGISTRY }}/xpeditis-frontend:${{ github.ref_name }}`", - "inline": false - }, - { - "name": "Workflow", - "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", - "inline": false - } - ], - "timestamp": "${{ github.event.head_commit.timestamp }}", - "footer": { - "text": "Xpeditis CI/CD" - } - }] - }' \ - ${{ secrets.DISCORD_WEBHOOK_URL }} - - # ============================================ - # Discord Notification - Failure - # ============================================ - notify-failure: - name: Discord Notification (Failure) - runs-on: ubuntu-latest - needs: [backend, frontend, deploy-portainer] - if: failure() - - steps: - - name: Send Discord notification - run: | - curl -H "Content-Type: application/json" \ - -d '{ - "embeds": [{ - "title": "❌ CI/CD Pipeline Failed", - "description": "Deployment failed! Check the logs for details.", - "color": 15158332, - "fields": [ - { - "name": "Repository", - "value": "${{ github.repository }}", - "inline": true - }, - { - "name": "Branch", - "value": "${{ github.ref_name }}", - "inline": true - }, - { - "name": "Commit", - "value": "[${{ github.sha }}](${{ github.event.head_commit.url }})", - "inline": false - }, - { - "name": "Workflow", - "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", - "inline": false - } - ], - "timestamp": "${{ github.event.head_commit.timestamp }}", - "footer": { - "text": "Xpeditis CI/CD" - } - }] - }' \ - ${{ secrets.DISCORD_WEBHOOK_URL }} +name: Dev CI + +# Fast feedback loop for the dev branch. +# Runs lint + unit tests only — no Docker build, no deployment. + +on: + push: + branches: [dev] + pull_request: + branches: [dev] + +concurrency: + group: dev-ci-${{ github.ref }} + cancel-in-progress: true + +env: + NODE_VERSION: '20' + +jobs: + # ────────────────────────────────────────── + # Lint & Type-check + # ────────────────────────────────────────── + quality: + name: Quality (${{ matrix.app }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + app: [backend, frontend] + + defaults: + run: + working-directory: apps/${{ matrix.app }} + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Lint + run: npm run lint + + - name: Type-check (frontend only) + if: matrix.app == 'frontend' + run: npm run type-check + + # ────────────────────────────────────────── + # Unit Tests + # ────────────────────────────────────────── + unit-tests: + name: Unit Tests (${{ matrix.app }}) + runs-on: ubuntu-latest + needs: quality + strategy: + fail-fast: false + matrix: + app: [backend, frontend] + + defaults: + run: + working-directory: apps/${{ matrix.app }} + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Run unit tests + run: npm test -- --passWithNoTests --coverage + + # ────────────────────────────────────────── + # Discord notification on failure + # ────────────────────────────────────────── + notify-failure: + name: Notify Failure + runs-on: ubuntu-latest + needs: [quality, unit-tests] + if: failure() + + steps: + - name: Send Discord notification + run: | + curl -s -H "Content-Type: application/json" -d '{ + "embeds": [{ + "title": "❌ Dev CI Failed", + "description": "Fix the issues before merging to preprod.", + "color": 15158332, + "fields": [ + {"name": "Branch", "value": "`${{ github.ref_name }}`", "inline": true}, + {"name": "Author", "value": "${{ github.actor }}", "inline": true}, + {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": false}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml new file mode 100644 index 0000000..6b894d3 --- /dev/null +++ b/.github/workflows/pr-checks.yml @@ -0,0 +1,176 @@ +name: PR Checks + +# Validation gate for pull requests. +# PRs to preprod → lint + unit tests + integration tests +# PRs to main → lint + unit tests only (code was integration-tested in preprod already) +# +# Configure these as required status checks in GitHub branch protection rules. + +on: + pull_request: + branches: [preprod, main] + +concurrency: + group: pr-${{ github.event.pull_request.number }} + cancel-in-progress: true + +env: + NODE_VERSION: '20' + +jobs: + # ────────────────────────────────────────── + # Lint & Type-check (both apps, parallel) + # ────────────────────────────────────────── + quality: + name: Quality (${{ matrix.app }}) + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + app: [backend, frontend] + + defaults: + run: + working-directory: apps/${{ matrix.app }} + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Lint + run: npm run lint + + - name: Type-check (frontend only) + if: matrix.app == 'frontend' + run: npm run type-check + + # ────────────────────────────────────────── + # Unit Tests (both apps, parallel) + # ────────────────────────────────────────── + unit-tests: + name: Unit Tests (${{ matrix.app }}) + runs-on: ubuntu-latest + needs: quality + strategy: + fail-fast: false + matrix: + app: [backend, frontend] + + defaults: + run: + working-directory: apps/${{ matrix.app }} + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Run unit tests + run: npm test -- --passWithNoTests --coverage + + # ────────────────────────────────────────── + # Integration Tests — PRs to preprod only + # ────────────────────────────────────────── + integration-tests: + name: Integration Tests + runs-on: ubuntu-latest + needs: unit-tests + if: github.base_ref == 'preprod' + + defaults: + run: + working-directory: apps/backend + + services: + postgres: + image: postgres:15-alpine + env: + POSTGRES_USER: xpeditis_test + POSTGRES_PASSWORD: xpeditis_test_password + POSTGRES_DB: xpeditis_test + options: >- + --health-cmd pg_isready + --health-interval 5s + --health-timeout 5s + --health-retries 10 + ports: + - 5432:5432 + + redis: + image: redis:7-alpine + options: >- + --health-cmd "redis-cli ping" + --health-interval 5s + --health-timeout 5s + --health-retries 10 + ports: + - 6379:6379 + + steps: + - uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + + - name: Install dependencies + run: npm ci --legacy-peer-deps + + - name: Run integration tests + env: + NODE_ENV: test + DATABASE_HOST: localhost + DATABASE_PORT: 5432 + DATABASE_USER: xpeditis_test + DATABASE_PASSWORD: xpeditis_test_password + DATABASE_NAME: xpeditis_test + DATABASE_SYNCHRONIZE: false + REDIS_HOST: localhost + REDIS_PORT: 6379 + REDIS_PASSWORD: '' + JWT_SECRET: test-secret-key-for-ci-only + SMTP_HOST: localhost + SMTP_PORT: 1025 + SMTP_FROM: test@xpeditis.com + run: npm run test:integration -- --passWithNoTests + + # ────────────────────────────────────────── + # PR Summary + # ────────────────────────────────────────── + pr-summary: + name: PR Summary + runs-on: ubuntu-latest + needs: [quality, unit-tests] + if: always() + + steps: + - name: Write job summary + run: | + echo "## PR Check Results" >> $GITHUB_STEP_SUMMARY + echo "" >> $GITHUB_STEP_SUMMARY + echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY + echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY + echo "| Quality (lint + type-check) | ${{ needs.quality.result }} |" >> $GITHUB_STEP_SUMMARY + echo "| Unit Tests | ${{ needs.unit-tests.result }} |" >> $GITHUB_STEP_SUMMARY + echo "| Target Branch | \`${{ github.base_ref }}\` |" >> $GITHUB_STEP_SUMMARY + echo "| Author | ${{ github.actor }} |" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml new file mode 100644 index 0000000..ea82bd9 --- /dev/null +++ b/.github/workflows/rollback.yml @@ -0,0 +1,317 @@ +name: Rollback + +# Emergency rollback for production (Hetzner k3s) and preprod (Portainer). +# All images are on Scaleway registry. +# +# Production (k3s): +# Option A — "previous": kubectl rollout undo (instant, reverts to last ReplicaSet) +# Option B — "specific-version": kubectl set image to a Scaleway prod-SHA tag +# +# Preprod (Portainer): +# Re-tags a Scaleway preprod-SHA image back to :preprod, triggers Portainer webhook. +# +# Run from: GitHub Actions → Workflows → Rollback → Run workflow + +on: + workflow_dispatch: + inputs: + environment: + description: 'Target environment' + required: true + type: choice + options: + - production + - preprod + strategy: + description: 'Rollback strategy ("previous" = kubectl rollout undo, prod only)' + required: true + type: choice + options: + - previous + - specific-version + version_tag: + description: 'Tag for specific-version (e.g. prod-a1b2c3d or preprod-a1b2c3d)' + required: false + type: string + reason: + description: 'Reason for rollback (audit trail)' + required: true + type: string + +env: + REGISTRY: rg.fr-par.scw.cloud/weworkstudio + IMAGE_BACKEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-backend + IMAGE_FRONTEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-frontend + K8S_NAMESPACE: xpeditis-prod + +jobs: + # ────────────────────────────────────────── + # Validate inputs + # ────────────────────────────────────────── + validate: + name: Validate Inputs + runs-on: ubuntu-latest + + steps: + - name: Validate + run: | + ENV="${{ github.event.inputs.environment }}" + STRATEGY="${{ github.event.inputs.strategy }}" + TAG="${{ github.event.inputs.version_tag }}" + + if [ "$STRATEGY" = "specific-version" ] && [ -z "$TAG" ]; then + echo "ERROR: version_tag is required for specific-version strategy." + exit 1 + fi + + if [ "$STRATEGY" = "specific-version" ] && [ "$ENV" = "production" ]; then + if [[ ! "$TAG" =~ ^prod- ]]; then + echo "ERROR: Production tag must start with 'prod-' (got: $TAG)" + exit 1 + fi + fi + + if [ "$STRATEGY" = "specific-version" ] && [ "$ENV" = "preprod" ]; then + if [[ ! "$TAG" =~ ^preprod- ]]; then + echo "ERROR: Preprod tag must start with 'preprod-' (got: $TAG)" + exit 1 + fi + fi + + echo "Validation passed." + echo " Environment : $ENV" + echo " Strategy : $STRATEGY" + echo " Version : ${TAG:-N/A (previous)}" + echo " Reason : ${{ github.event.inputs.reason }}" + + # ────────────────────────────────────────── + # PRODUCTION ROLLBACK — k3s via kubectl + # ────────────────────────────────────────── + rollback-production: + name: Rollback Production (k3s) + runs-on: ubuntu-latest + needs: validate + if: github.event.inputs.environment == 'production' + environment: + name: production + url: https://app.xpeditis.com + + steps: + - name: Configure kubectl + run: | + mkdir -p ~/.kube + echo "${{ secrets.HETZNER_KUBECONFIG }}" | base64 -d > ~/.kube/config + chmod 600 ~/.kube/config + kubectl cluster-info + + # ── Strategy A: kubectl rollout undo (fastest) + - name: Rollback to previous version + if: github.event.inputs.strategy == 'previous' + run: | + echo "Rolling back backend..." + kubectl rollout undo deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=180s + + echo "Rolling back frontend..." + kubectl rollout undo deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=180s + + kubectl get pods -n ${{ env.K8S_NAMESPACE }} + + # ── Strategy B: kubectl set image to specific Scaleway tag + - name: Set up Docker Buildx (for image inspect) + if: github.event.inputs.strategy == 'specific-version' + uses: docker/setup-buildx-action@v3 + + - name: Login to Scaleway Registry + if: github.event.inputs.strategy == 'specific-version' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Rollback to specific version + if: github.event.inputs.strategy == 'specific-version' + run: | + TAG="${{ github.event.inputs.version_tag }}" + BACKEND_IMAGE="${{ env.IMAGE_BACKEND }}:${TAG}" + FRONTEND_IMAGE="${{ env.IMAGE_FRONTEND }}:${TAG}" + + echo "Verifying images exist in Scaleway..." + docker buildx imagetools inspect "$BACKEND_IMAGE" || \ + { echo "ERROR: Backend image not found: $BACKEND_IMAGE"; exit 1; } + docker buildx imagetools inspect "$FRONTEND_IMAGE" || \ + { echo "ERROR: Frontend image not found: $FRONTEND_IMAGE"; exit 1; } + + echo "Deploying backend: $BACKEND_IMAGE" + kubectl set image deployment/xpeditis-backend backend="$BACKEND_IMAGE" -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=180s + + echo "Deploying frontend: $FRONTEND_IMAGE" + kubectl set image deployment/xpeditis-frontend frontend="$FRONTEND_IMAGE" -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=180s + + kubectl get pods -n ${{ env.K8S_NAMESPACE }} + + - name: Show rollout history + if: always() + run: | + echo "=== Backend rollout history ===" + kubectl rollout history deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} || true + echo "=== Frontend rollout history ===" + kubectl rollout history deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} || true + + # ────────────────────────────────────────── + # PREPROD ROLLBACK — Scaleway re-tag + Portainer + # ────────────────────────────────────────── + rollback-preprod: + name: Rollback Preprod (Portainer) + runs-on: ubuntu-latest + needs: validate + if: github.event.inputs.environment == 'preprod' + + steps: + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Scaleway Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Verify target images exist + run: | + TAG="${{ github.event.inputs.version_tag }}" + docker buildx imagetools inspect "${{ env.IMAGE_BACKEND }}:${TAG}" || \ + { echo "ERROR: Backend image not found: $TAG"; exit 1; } + docker buildx imagetools inspect "${{ env.IMAGE_FRONTEND }}:${TAG}" || \ + { echo "ERROR: Frontend image not found: $TAG"; exit 1; } + + - name: Re-tag target version as preprod + run: | + TAG="${{ github.event.inputs.version_tag }}" + echo "Re-tagging $TAG → preprod..." + docker buildx imagetools create \ + --tag ${{ env.IMAGE_BACKEND }}:preprod \ + ${{ env.IMAGE_BACKEND }}:${TAG} + docker buildx imagetools create \ + --tag ${{ env.IMAGE_FRONTEND }}:preprod \ + ${{ env.IMAGE_FRONTEND }}:${TAG} + echo "Re-tag complete." + + - name: Trigger Backend deployment (Portainer) + run: | + curl -sf -X POST -H "Content-Type: application/json" \ + "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" + echo "Backend webhook triggered." + + - name: Wait for backend + run: sleep 20 + + - name: Trigger Frontend deployment (Portainer) + run: | + curl -sf -X POST -H "Content-Type: application/json" \ + "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" + echo "Frontend webhook triggered." + + # ────────────────────────────────────────── + # Smoke Tests + # ────────────────────────────────────────── + smoke-tests: + name: Smoke Tests + runs-on: ubuntu-latest + needs: [rollback-production, rollback-preprod] + if: always() && (needs.rollback-production.result == 'success' || needs.rollback-preprod.result == 'success') + + steps: + - name: Set health check URLs + id: urls + run: | + if [ "${{ github.event.inputs.environment }}" = "production" ]; then + echo "backend=${{ secrets.PROD_BACKEND_URL }}/api/v1/health" >> $GITHUB_OUTPUT + echo "frontend=${{ secrets.PROD_FRONTEND_URL }}" >> $GITHUB_OUTPUT + echo "wait=30" >> $GITHUB_OUTPUT + else + echo "backend=${{ secrets.PREPROD_BACKEND_URL }}/api/v1/health" >> $GITHUB_OUTPUT + echo "frontend=${{ secrets.PREPROD_FRONTEND_URL }}" >> $GITHUB_OUTPUT + echo "wait=60" >> $GITHUB_OUTPUT + fi + + - name: Wait for services + run: sleep ${{ steps.urls.outputs.wait }} + + - name: Health check — Backend + run: | + for i in {1..12}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ + "${{ steps.urls.outputs.backend }}" 2>/dev/null || echo "000") + echo " Attempt $i: HTTP $STATUS" + if [ "$STATUS" = "200" ]; then echo "Backend healthy."; exit 0; fi + sleep 15 + done + echo "CRITICAL: Backend unhealthy after rollback." + exit 1 + + - name: Health check — Frontend + run: | + for i in {1..12}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ + "${{ steps.urls.outputs.frontend }}" 2>/dev/null || echo "000") + echo " Attempt $i: HTTP $STATUS" + if [ "$STATUS" = "200" ]; then echo "Frontend healthy."; exit 0; fi + sleep 15 + done + echo "CRITICAL: Frontend unhealthy after rollback." + exit 1 + + # ────────────────────────────────────────── + # Discord notification + # ────────────────────────────────────────── + notify: + name: Notify Rollback Result + runs-on: ubuntu-latest + needs: [rollback-production, rollback-preprod, smoke-tests] + if: always() + + steps: + - name: Notify success + if: needs.smoke-tests.result == 'success' + run: | + curl -s -H "Content-Type: application/json" -d '{ + "embeds": [{ + "title": "↩️ Rollback Successful", + "color": 16776960, + "fields": [ + {"name": "Environment", "value": "`${{ github.event.inputs.environment }}`", "inline": true}, + {"name": "Strategy", "value": "`${{ github.event.inputs.strategy }}`", "inline": true}, + {"name": "Version", "value": "`${{ github.event.inputs.version_tag || 'previous' }}`", "inline": true}, + {"name": "Triggered by", "value": "${{ github.actor }}", "inline": true}, + {"name": "Reason", "value": "${{ github.event.inputs.reason }}", "inline": false}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD • Rollback"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} + + - name: Notify failure + if: needs.smoke-tests.result != 'success' + run: | + curl -s -H "Content-Type: application/json" -d '{ + "content": "@here ROLLBACK FAILED — MANUAL INTERVENTION REQUIRED", + "embeds": [{ + "title": "🔴 Rollback Failed", + "description": "Service may be degraded. Escalate immediately.", + "color": 15158332, + "fields": [ + {"name": "Environment", "value": "`${{ github.event.inputs.environment }}`", "inline": true}, + {"name": "Attempted version", "value": "`${{ github.event.inputs.version_tag || 'previous' }}`", "inline": true}, + {"name": "Triggered by", "value": "${{ github.actor }}", "inline": true}, + {"name": "Reason", "value": "${{ github.event.inputs.reason }}", "inline": false}, + {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + ], + "footer": {"text": "Xpeditis CI/CD • Rollback"} + }] + }' ${{ secrets.DISCORD_WEBHOOK_URL }} diff --git a/docs/deployment/hetzner/09-kubernetes-manifests.md b/docs/deployment/hetzner/09-kubernetes-manifests.md new file mode 100644 index 0000000..d2a9508 --- /dev/null +++ b/docs/deployment/hetzner/09-kubernetes-manifests.md @@ -0,0 +1,765 @@ +# 09 — Manifests Kubernetes complets + +Tous les fichiers YAML de déploiement de Xpeditis. Créez un dossier `k8s/` à la racine du projet. + +--- + +## Structure des fichiers + +``` +k8s/ +├── 00-namespaces.yaml +├── 01-secrets.yaml # ← À remplir avec vos valeurs (ne pas committer) +├── 02-configmaps.yaml +├── 03-backend-deployment.yaml +├── 04-backend-service.yaml +├── 05-frontend-deployment.yaml +├── 06-frontend-service.yaml +├── 07-ingress.yaml +├── 08-hpa.yaml +└── 09-pdb.yaml +``` + +--- + +## 00 — Namespaces + +```yaml +# k8s/00-namespaces.yaml +--- +apiVersion: v1 +kind: Namespace +metadata: + name: xpeditis-prod + labels: + environment: production + app.kubernetes.io/managed-by: hetzner-k3s +``` + +```bash +kubectl apply -f k8s/00-namespaces.yaml +``` + +--- + +## 01 — Secrets (⚠️ ne jamais committer ce fichier dans Git) + +Ajoutez `k8s/01-secrets.yaml` à votre `.gitignore`. + +```yaml +# k8s/01-secrets.yaml ← AJOUTER AU .gitignore +--- +apiVersion: v1 +kind: Secret +metadata: + name: backend-secrets + namespace: xpeditis-prod +type: Opaque +stringData: + # Application + NODE_ENV: "production" + PORT: "4000" + API_PREFIX: "api/v1" + APP_URL: "https://app.xpeditis.com" + FRONTEND_URL: "https://app.xpeditis.com" + + # Base de données (choisir Option A ou B) + # === Option A : Neon.tech === + DATABASE_HOST: "ep-xxx.eu-central-1.aws.neon.tech" + DATABASE_PORT: "5432" + DATABASE_USER: "xpeditis" + DATABASE_PASSWORD: "" + DATABASE_NAME: "xpeditis" + DATABASE_SSL: "true" + DATABASE_SYNC: "false" + DATABASE_LOGGING: "false" + # === Option B : Self-hosted === + # DATABASE_HOST: "10.0.1.100" # IP privée Hetzner du serveur PG + # DATABASE_PORT: "6432" # PgBouncer + # DATABASE_USER: "xpeditis" + # DATABASE_PASSWORD: "" + # DATABASE_NAME: "xpeditis_prod" + # DATABASE_SYNC: "false" + # DATABASE_LOGGING: "false" + + # Redis (choisir Option A ou B) + # === Option A : Upstash === + REDIS_HOST: "your-redis.upstash.io" + REDIS_PORT: "6379" + REDIS_PASSWORD: "" + REDIS_DB: "0" + # === Option B : Self-hosted === + # REDIS_HOST: "redis.xpeditis-prod.svc.cluster.local" + # REDIS_PORT: "6379" + # REDIS_PASSWORD: "" + # REDIS_DB: "0" + + # JWT + JWT_SECRET: "" + JWT_ACCESS_EXPIRATION: "15m" + JWT_REFRESH_EXPIRATION: "7d" + + # OAuth2 Google + GOOGLE_CLIENT_ID: "" + GOOGLE_CLIENT_SECRET: "" + GOOGLE_CALLBACK_URL: "https://api.xpeditis.com/api/v1/auth/google/callback" + + # OAuth2 Microsoft + MICROSOFT_CLIENT_ID: "" + MICROSOFT_CLIENT_SECRET: "" + MICROSOFT_CALLBACK_URL: "https://api.xpeditis.com/api/v1/auth/microsoft/callback" + + # Email (Brevo SMTP — remplace SendGrid) + SMTP_HOST: "smtp-relay.brevo.com" + SMTP_PORT: "587" + SMTP_SECURE: "false" + SMTP_USER: "" + SMTP_PASS: "" + SMTP_FROM: "noreply@xpeditis.com" + + # Hetzner Object Storage (remplace MinIO) + AWS_S3_ENDPOINT: "https://fsn1.your-objectstorage.com" + AWS_ACCESS_KEY_ID: "" + AWS_SECRET_ACCESS_KEY: "" + AWS_REGION: "eu-central-1" + AWS_S3_BUCKET: "xpeditis-prod" + + # Carrier APIs + MAERSK_API_KEY: "" + MAERSK_API_URL: "https://api.maersk.com/v1" + MSC_API_KEY: "" + MSC_API_URL: "https://api.msc.com/v1" + CMACGM_API_URL: "https://api.cma-cgm.com/v1" + CMACGM_CLIENT_ID: "" + CMACGM_CLIENT_SECRET: "" + HAPAG_API_URL: "https://api.hapag-lloyd.com/v1" + HAPAG_API_KEY: "" + ONE_API_URL: "https://api.one-line.com/v1" + ONE_USERNAME: "" + ONE_PASSWORD: "" + + # Stripe + STRIPE_SECRET_KEY: "sk_live_<...>" + STRIPE_WEBHOOK_SECRET: "whsec_<...>" + STRIPE_SILVER_MONTHLY_PRICE_ID: "price_<...>" + STRIPE_SILVER_YEARLY_PRICE_ID: "price_<...>" + STRIPE_GOLD_MONTHLY_PRICE_ID: "price_<...>" + STRIPE_GOLD_YEARLY_PRICE_ID: "price_<...>" + STRIPE_PLATINIUM_MONTHLY_PRICE_ID: "price_<...>" + STRIPE_PLATINIUM_YEARLY_PRICE_ID: "price_<...>" + + # Sécurité + BCRYPT_ROUNDS: "12" + SESSION_TIMEOUT_MS: "7200000" + RATE_LIMIT_TTL: "60" + RATE_LIMIT_MAX: "100" + + # Monitoring + SENTRY_DSN: "" +--- +apiVersion: v1 +kind: Secret +metadata: + name: frontend-secrets + namespace: xpeditis-prod +type: Opaque +stringData: + NEXT_PUBLIC_API_URL: "https://api.xpeditis.com" + NEXT_PUBLIC_APP_URL: "https://app.xpeditis.com" + NEXT_PUBLIC_API_PREFIX: "api/v1" + NEXTAUTH_URL: "https://app.xpeditis.com" + NEXTAUTH_SECRET: "" + GOOGLE_CLIENT_ID: "" + GOOGLE_CLIENT_SECRET: "" + MICROSOFT_CLIENT_ID: "" + MICROSOFT_CLIENT_SECRET: "" + NODE_ENV: "production" +``` + +```bash +# Générer les secrets aléatoires +echo "JWT_SECRET=$(openssl rand -base64 48)" +echo "NEXTAUTH_SECRET=$(openssl rand -base64 24)" + +# Appliquer (après avoir rempli les valeurs) +kubectl apply -f k8s/01-secrets.yaml + +# Vérifier (sans voir les valeurs) +kubectl get secret backend-secrets -n xpeditis-prod -o jsonpath='{.data}' | jq 'keys' +``` + +--- + +## 02 — ConfigMaps (variables non-sensibles) + +```yaml +# k8s/02-configmaps.yaml +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: backend-config + namespace: xpeditis-prod +data: + # Ces valeurs ne sont pas sensibles + LOG_LEVEL: "info" + TZ: "Europe/Paris" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: frontend-config + namespace: xpeditis-prod +data: + TZ: "Europe/Paris" +``` + +--- + +## 03 — Deployment Backend NestJS + +```yaml +# k8s/03-backend-deployment.yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: xpeditis-backend + namespace: xpeditis-prod + labels: + app: xpeditis-backend + version: "latest" +spec: + replicas: 2 + selector: + matchLabels: + app: xpeditis-backend + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 # Zero downtime deployment + template: + metadata: + labels: + app: xpeditis-backend + version: "latest" + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "4000" + prometheus.io/path: "/api/v1/health" + spec: + # Anti-affinité : pods sur nœuds différents + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app + operator: In + values: + - xpeditis-backend + topologyKey: kubernetes.io/hostname + + # Temps de grâce pour les connexions WebSocket + terminationGracePeriodSeconds: 60 + + containers: + - name: backend + # L'image est mise à jour par le CI/CD (doc 11) + image: ghcr.io//xpeditis-backend:latest + imagePullPolicy: Always + ports: + - containerPort: 4000 + name: http + protocol: TCP + + # Variables d'environnement depuis les Secrets + envFrom: + - secretRef: + name: backend-secrets + - configMapRef: + name: backend-config + + # Resources (MVP — ajuster selon les métriques réelles) + resources: + requests: + cpu: "500m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "1.5Gi" + + # Health checks + startupProbe: + httpGet: + path: /api/v1/health + port: 4000 + initialDelaySeconds: 20 + periodSeconds: 5 + failureThreshold: 12 # 60 secondes max au démarrage + + readinessProbe: + httpGet: + path: /api/v1/health + port: 4000 + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + + livenessProbe: + httpGet: + path: /api/v1/health + port: 4000 + initialDelaySeconds: 60 + periodSeconds: 30 + failureThreshold: 3 + + # Lifecycle hook pour graceful shutdown + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "sleep 10"] # Laisse le temps au LB de retirer le pod + + # Pull depuis GHCR (GitHub Container Registry) + imagePullSecrets: + - name: scaleway-registry + + # Redémarrage automatique + restartPolicy: Always +``` + +--- + +## 04 — Service Backend + +```yaml +# k8s/04-backend-service.yaml +--- +apiVersion: v1 +kind: Service +metadata: + name: xpeditis-backend + namespace: xpeditis-prod + labels: + app: xpeditis-backend +spec: + selector: + app: xpeditis-backend + ports: + - name: http + port: 4000 + targetPort: 4000 + protocol: TCP + type: ClusterIP +``` + +--- + +## 05 — Deployment Frontend Next.js + +```yaml +# k8s/05-frontend-deployment.yaml +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: xpeditis-frontend + namespace: xpeditis-prod + labels: + app: xpeditis-frontend +spec: + replicas: 1 + selector: + matchLabels: + app: xpeditis-frontend + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + template: + metadata: + labels: + app: xpeditis-frontend + spec: + terminationGracePeriodSeconds: 30 + + containers: + - name: frontend + image: ghcr.io//xpeditis-frontend:latest + imagePullPolicy: Always + ports: + - containerPort: 3000 + name: http + + envFrom: + - secretRef: + name: frontend-secrets + - configMapRef: + name: frontend-config + + resources: + requests: + cpu: "250m" + memory: "256Mi" + limits: + cpu: "1000m" + memory: "768Mi" + + startupProbe: + httpGet: + path: / + port: 3000 + initialDelaySeconds: 10 + periodSeconds: 5 + failureThreshold: 12 + + readinessProbe: + httpGet: + path: / + port: 3000 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 3 + + livenessProbe: + httpGet: + path: / + port: 3000 + initialDelaySeconds: 30 + periodSeconds: 30 + failureThreshold: 3 + + lifecycle: + preStop: + exec: + command: ["/bin/sh", "-c", "sleep 5"] + + imagePullSecrets: + - name: scaleway-registry + + restartPolicy: Always +``` + +--- + +## 06 — Service Frontend + +```yaml +# k8s/06-frontend-service.yaml +--- +apiVersion: v1 +kind: Service +metadata: + name: xpeditis-frontend + namespace: xpeditis-prod + labels: + app: xpeditis-frontend +spec: + selector: + app: xpeditis-frontend + ports: + - name: http + port: 3000 + targetPort: 3000 + protocol: TCP + type: ClusterIP +``` + +--- + +## 07 — Ingress (Traefik + TLS) + +```yaml +# k8s/07-ingress.yaml +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: xpeditis-ingress + namespace: xpeditis-prod + annotations: + # TLS via cert-manager + cert-manager.io/cluster-issuer: "letsencrypt-prod" + + # Traefik config + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.tls: "true" + + # Sticky sessions pour WebSocket Socket.IO + traefik.ingress.kubernetes.io/service.sticky.cookie: "true" + traefik.ingress.kubernetes.io/service.sticky.cookie.name: "XPEDITIS_BACKEND" + traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true" + traefik.ingress.kubernetes.io/service.sticky.cookie.httponly: "true" + + # Timeout pour les longues requêtes (carrier APIs = jusqu'à 30s) + traefik.ingress.kubernetes.io/router.middlewares: "xpeditis-prod-ratelimit@kubernetescrd" + + # Headers de sécurité + traefik.ingress.kubernetes.io/router.middlewares: "xpeditis-prod-headers@kubernetescrd" + +spec: + ingressClassName: traefik + tls: + - hosts: + - api.xpeditis.com + - app.xpeditis.com + secretName: xpeditis-tls-prod + + rules: + # API Backend NestJS + - host: api.xpeditis.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: xpeditis-backend + port: + number: 4000 + + # Frontend Next.js + - host: app.xpeditis.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: xpeditis-frontend + port: + number: 3000 +--- +# Middleware : headers de sécurité +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: headers + namespace: xpeditis-prod +spec: + headers: + customRequestHeaders: + X-Forwarded-Proto: "https" + customResponseHeaders: + X-Frame-Options: "SAMEORIGIN" + X-Content-Type-Options: "nosniff" + X-XSS-Protection: "1; mode=block" + Referrer-Policy: "strict-origin-when-cross-origin" + Permissions-Policy: "geolocation=(), microphone=(), camera=()" + contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" + stsSeconds: 31536000 + stsIncludeSubdomains: true + stsPreload: true +--- +# Middleware : rate limiting Traefik (en plus du rate limiting NestJS) +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: ratelimit + namespace: xpeditis-prod +spec: + rateLimit: + average: 100 + burst: 50 + period: 1m + sourceCriterion: + ipStrategy: + depth: 1 +``` + +--- + +## 08 — Horizontal Pod Autoscaler + +```yaml +# k8s/08-hpa.yaml +--- +# HPA Backend +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: backend-hpa + namespace: xpeditis-prod +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: xpeditis-backend + minReplicas: 2 + maxReplicas: 15 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 70 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 80 + behavior: + scaleUp: + stabilizationWindowSeconds: 60 + policies: + - type: Pods + value: 2 + periodSeconds: 60 + scaleDown: + stabilizationWindowSeconds: 300 # 5 min avant de réduire + policies: + - type: Pods + value: 1 + periodSeconds: 120 +--- +# HPA Frontend +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: frontend-hpa + namespace: xpeditis-prod +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: xpeditis-frontend + minReplicas: 1 + maxReplicas: 8 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 70 + behavior: + scaleDown: + stabilizationWindowSeconds: 300 +``` + +--- + +## 09 — PodDisruptionBudget + +```yaml +# k8s/09-pdb.yaml +--- +# Garantit qu'au moins 1 pod backend est toujours disponible pendant les maintenances +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: backend-pdb + namespace: xpeditis-prod +spec: + minAvailable: 1 + selector: + matchLabels: + app: xpeditis-backend +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: frontend-pdb + namespace: xpeditis-prod +spec: + minAvailable: 1 + selector: + matchLabels: + app: xpeditis-frontend +``` + +--- + +## Secret Scaleway Container Registry + +Pour que Kubernetes puisse pull les images depuis le registry Scaleway : + +```bash +# REGISTRY_TOKEN = token Scaleway (Settings → API Keys → Container Registry) + +kubectl create secret docker-registry scaleway-registry \ + --namespace xpeditis-prod \ + --docker-server=rg.fr-par.scw.cloud \ + --docker-username=nologin \ + --docker-password= +``` + +--- + +## Déploiement complet + +```bash +# Appliquer tous les manifests dans l'ordre +kubectl apply -f k8s/00-namespaces.yaml +kubectl apply -f k8s/01-secrets.yaml # Après avoir rempli les valeurs +kubectl apply -f k8s/02-configmaps.yaml +kubectl apply -f k8s/03-backend-deployment.yaml +kubectl apply -f k8s/04-backend-service.yaml +kubectl apply -f k8s/05-frontend-deployment.yaml +kubectl apply -f k8s/06-frontend-service.yaml +kubectl apply -f k8s/07-ingress.yaml +kubectl apply -f k8s/08-hpa.yaml +kubectl apply -f k8s/09-pdb.yaml + +# Ou tout d'un coup +kubectl apply -f k8s/ + +# Suivre le déploiement +kubectl rollout status deployment/xpeditis-backend -n xpeditis-prod +kubectl rollout status deployment/xpeditis-frontend -n xpeditis-prod + +# Voir les pods +kubectl get pods -n xpeditis-prod -w + +# Voir les logs +kubectl logs -f deployment/xpeditis-backend -n xpeditis-prod +kubectl logs -f deployment/xpeditis-frontend -n xpeditis-prod + +# Vérifier le certificat TLS +kubectl get certificate -n xpeditis-prod +# NAME READY SECRET AGE +# xpeditis-tls-prod True xpeditis-tls-prod 2m +``` + +--- + +## Migration des jobs TypeORM + +Le déploiement inclut automatiquement les migrations via le `startup.js` dans le Dockerfile. Si vous avez besoin de lancer les migrations manuellement : + +```bash +# Job de migration one-shot +cat > /tmp/migration-job.yaml << 'EOF' +apiVersion: batch/v1 +kind: Job +metadata: + name: xpeditis-migrations + namespace: xpeditis-prod +spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: migrations + image: ghcr.io//xpeditis-backend:latest + command: ["node", "dist/migration-runner.js"] + envFrom: + - secretRef: + name: backend-secrets + imagePullSecrets: + - name: scaleway-registry +EOF + +kubectl apply -f /tmp/migration-job.yaml +kubectl wait --for=condition=complete job/xpeditis-migrations -n xpeditis-prod --timeout=300s +kubectl logs job/xpeditis-migrations -n xpeditis-prod +kubectl delete job xpeditis-migrations -n xpeditis-prod +``` diff --git a/docs/deployment/hetzner/13-backup-disaster-recovery.md b/docs/deployment/hetzner/13-backup-disaster-recovery.md new file mode 100644 index 0000000..3ac5599 --- /dev/null +++ b/docs/deployment/hetzner/13-backup-disaster-recovery.md @@ -0,0 +1,389 @@ +# 13 — Backups et reprise après sinistre + +--- + +## Stratégie de backup + +| Composant | Méthode | Fréquence | Rétention | Destination | +|---|---|---|---|---| +| PostgreSQL | `pg_dump` via CronJob | Quotidien 3h00 | 30 jours | Hetzner Object Storage | +| PostgreSQL WAL | Streaming (si self-hosted) | Continue | 7 jours | Object Storage | +| Redis | RDB snapshot + AOF | Chaque 5 min | 24h | Volume local | +| Secrets Kubernetes | Export manuel chiffré | Avant chaque changement | Illimité | Hors-cluster (coffre) | +| Fichiers S3 | Versioning objet | Permanent | Voir lifecycle | Object Storage | +| Configs K8s | GitOps dans le repo | À chaque commit | Git history | GitHub | + +**Objectifs :** +- **RPO (Recovery Point Objective) :** 24h max (vous pouvez perdre au plus 24h de données) +- **RTO (Recovery Time Objective) :** 4h max (vous pouvez reconstruire en moins de 4h) + +--- + +## Backup PostgreSQL — Option A (Neon.tech) + +Si vous utilisez Neon.tech, les backups sont **automatiques** : +- Point-in-time recovery (PITR) sur 7 jours (plan Free) ou 30 jours (plan Pro) +- Pas de CronJob à gérer + +Pour créer un backup manuel : +```bash +# Installer la CLI Neon +npm install -g neonctl +neonctl auth + +# Créer un point de restauration (branch) +neonctl branches create \ + --project-id \ + --name "backup-$(date +%Y%m%d)" \ + --parent main +``` + +--- + +## Backup PostgreSQL — Option B (self-hosted) + +### CronJob Kubernetes de backup + +```yaml +# k8s/backup-postgres-cronjob.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: backup-credentials + namespace: xpeditis-prod +type: Opaque +stringData: + # Même credentials que le backend pour Object Storage + AWS_ACCESS_KEY_ID: "" + AWS_SECRET_ACCESS_KEY: "" + AWS_S3_ENDPOINT: "https://fsn1.your-objectstorage.com" + AWS_S3_BUCKET: "xpeditis-prod" + # Credentials PostgreSQL + PGPASSWORD: "" +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: postgres-backup + namespace: xpeditis-prod +spec: + schedule: "0 3 * * *" # 3h00 chaque nuit + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 5 + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: backup + image: postgres:15-alpine + command: + - /bin/sh + - -c + - | + set -e + echo "=== Démarrage backup PostgreSQL $(date) ===" + + # Variables + TIMESTAMP=$(date +%Y%m%d_%H%M%S) + BACKUP_FILE="/tmp/xpeditis_${TIMESTAMP}.sql.gz" + S3_KEY="backups/postgres/$(date +%Y/%m)/xpeditis_${TIMESTAMP}.sql.gz" + + # Dump PostgreSQL compressé + pg_dump \ + -h ${PGHOST} \ + -p ${PGPORT:-5432} \ + -U ${PGUSER} \ + -d ${PGDATABASE} \ + --no-password \ + --clean \ + --if-exists \ + --format=custom \ + | gzip > ${BACKUP_FILE} + + BACKUP_SIZE=$(du -sh ${BACKUP_FILE} | cut -f1) + echo "Dump créé: ${BACKUP_FILE} (${BACKUP_SIZE})" + + # Upload vers Hetzner Object Storage + apk add --no-cache aws-cli 2>/dev/null || pip install awscli 2>/dev/null + + AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + aws s3 cp ${BACKUP_FILE} s3://${AWS_S3_BUCKET}/${S3_KEY} \ + --endpoint-url ${AWS_S3_ENDPOINT} + + echo "✅ Backup uploadé: s3://${AWS_S3_BUCKET}/${S3_KEY}" + + # Nettoyage local + rm ${BACKUP_FILE} + + # Vérifier les anciens backups (garder 30 jours) + echo "Backups existants:" + AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \ + AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \ + aws s3 ls s3://${AWS_S3_BUCKET}/backups/postgres/ \ + --endpoint-url ${AWS_S3_ENDPOINT} \ + --recursive | tail -10 + + echo "=== Backup terminé $(date) ===" + env: + - name: PGHOST + value: "10.0.1.100" # IP privée serveur PostgreSQL + - name: PGPORT + value: "5432" + - name: PGUSER + value: "xpeditis" + - name: PGDATABASE + value: "xpeditis_prod" + envFrom: + - secretRef: + name: backup-credentials + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +``` + +```bash +# Appliquer +kubectl apply -f k8s/backup-postgres-cronjob.yaml + +# Tester manuellement (créer un Job depuis le CronJob) +kubectl create job --from=cronjob/postgres-backup test-backup -n xpeditis-prod +kubectl logs -l job-name=test-backup -n xpeditis-prod -f + +# Vérifier que le fichier est arrivé dans S3 +aws s3 ls s3://xpeditis-prod/backups/postgres/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com \ + --recursive +``` + +--- + +## Procédure de restauration PostgreSQL + +### Restauration complète (catastrophe totale) + +```bash +# Étape 1 : Lister les backups disponibles +aws s3 ls s3://xpeditis-prod/backups/postgres/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com \ + --recursive | sort -r | head -10 + +# Étape 2 : Télécharger le backup le plus récent +aws s3 cp \ + s3://xpeditis-prod/backups/postgres/2026/03/xpeditis_20260323_030001.sql.gz \ + /tmp/restore.sql.gz \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Étape 3 : Décompresser et restaurer +# ⚠️ Cette commande EFFACE les données existantes +gunzip -c /tmp/restore.sql.gz | pg_restore \ + -h \ + -U xpeditis \ + -d xpeditis_prod \ + --clean \ + --if-exists \ + --no-privileges \ + --no-owner + +# Étape 4 : Vérifier l'intégrité +psql -h -U xpeditis -d xpeditis_prod \ + -c "SELECT COUNT(*) as bookings FROM bookings;" + +psql -h -U xpeditis -d xpeditis_prod \ + -c "SELECT COUNT(*) as users FROM users;" + +# Étape 5 : Redémarrer les pods pour reconnecter +kubectl rollout restart deployment/xpeditis-backend -n xpeditis-prod +``` + +--- + +## Backup des Secrets Kubernetes + +Les secrets ne sont pas dans Git (intentionnel). Sauvegardez-les chiffrés. + +```bash +#!/bin/bash +# scripts/backup-secrets.sh + +set -e +BACKUP_DIR="$HOME/.xpeditis-secrets-backup" +mkdir -p "$BACKUP_DIR" +DATE=$(date +%Y%m%d_%H%M%S) + +# Exporter les secrets (encodés base64) +kubectl get secret backend-secrets -n xpeditis-prod -o yaml > /tmp/backend-secrets-${DATE}.yaml +kubectl get secret frontend-secrets -n xpeditis-prod -o yaml > /tmp/frontend-secrets-${DATE}.yaml +kubectl get secret ghcr-credentials -n xpeditis-prod -o yaml > /tmp/ghcr-creds-${DATE}.yaml + +# Chiffrer avec GPG (ou utiliser un password) +tar czf - /tmp/*-${DATE}.yaml | gpg --symmetric --cipher-algo AES256 \ + > "${BACKUP_DIR}/k8s-secrets-${DATE}.tar.gz.gpg" + +# Nettoyage des fichiers temporaires +rm /tmp/*-${DATE}.yaml + +echo "✅ Secrets sauvegardés dans ${BACKUP_DIR}/k8s-secrets-${DATE}.tar.gz.gpg" + +# Lister les backups existants +ls -la "$BACKUP_DIR"/ +``` + +```bash +# Restaurer les secrets depuis un backup +gpg --decrypt "${BACKUP_DIR}/k8s-secrets-20260323_120000.tar.gz.gpg" | tar xzf - +kubectl apply -f /tmp/backend-secrets-20260323_120000.yaml +``` + +--- + +## Runbook — Reprise après sinistre complète + +Procédure si vous perdez tout le cluster (serveurs détruits) : + +### Étape 1 : Recréer l'infrastructure (30 min) + +```bash +# 1. Recréer le réseau +hcloud network create --name xpeditis-network --ip-range 10.0.0.0/16 +hcloud network add-subnet xpeditis-network --type cloud --network-zone eu-central --ip-range 10.0.1.0/24 + +# 2. Recréer le firewall +# (répéter les commandes du doc 03) + +# 3. Recréer le cluster k3s +hetzner-k3s create --config ~/.xpeditis/cluster.yaml + +# 4. Configurer kubectl +export KUBECONFIG=~/.kube/kubeconfig-xpeditis-prod +``` + +### Étape 2 : Restaurer les secrets (15 min) + +```bash +# Créer le namespace +kubectl apply -f k8s/00-namespaces.yaml + +# Restaurer les secrets depuis le backup chiffré +gpg --decrypt "$HOME/.xpeditis-secrets-backup/k8s-secrets-XXXXXXXX.tar.gz.gpg" | tar xzf - +kubectl apply -f /tmp/backend-secrets-*.yaml +kubectl apply -f /tmp/frontend-secrets-*.yaml +kubectl apply -f /tmp/scaleway-creds-*.yaml + +# Recréer le secret Scaleway +kubectl create secret docker-registry scaleway-registry \ + --namespace xpeditis-prod \ + --docker-server=rg.fr-par.scw.cloud \ + --docker-username=nologin \ + --docker-password= +``` + +### Étape 3 : Restaurer les services (15 min) + +```bash +# Installer cert-manager +helm install cert-manager jetstack/cert-manager \ + --namespace cert-manager --create-namespace \ + --version v1.15.3 --set installCRDs=true +kubectl apply -f /tmp/cluster-issuers.yaml + +# Déployer l'application +kubectl apply -f k8s/ + +# Attendre +kubectl rollout status deployment/xpeditis-backend -n xpeditis-prod --timeout=300s +``` + +### Étape 4 : Restaurer la base de données (30 min) + +```bash +# Si PostgreSQL self-hosted : +# (Recréer le serveur PostgreSQL si nécessaire, doc 07) +# Puis restaurer depuis le backup S3 + +# Télécharger le backup le plus récent +LATEST=$(aws s3 ls s3://xpeditis-prod/backups/postgres/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com \ + --recursive | sort -r | head -1 | awk '{print $4}') + +aws s3 cp s3://xpeditis-prod/$LATEST /tmp/restore.sql.gz \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Restaurer +gunzip -c /tmp/restore.sql.gz | pg_restore \ + -h -U xpeditis -d xpeditis_prod \ + --clean --if-exists --no-privileges --no-owner +``` + +### Étape 5 : Vérification finale (15 min) + +```bash +# Health checks +curl https://api.xpeditis.com/api/v1/health +curl https://app.xpeditis.com/ + +# Test login +curl -X POST https://api.xpeditis.com/api/v1/auth/login \ + -H "Content-Type: application/json" \ + -d '{"email":"admin@test.com","password":"test"}' | jq . + +# Vérifier les données +kubectl exec -it deployment/xpeditis-backend -n xpeditis-prod -- \ + node -e "console.log('Database OK')" + +echo "✅ Système opérationnel. RTO: $(date)" +``` + +--- + +## Test régulier des backups (mensuel) + +```bash +#!/bin/bash +# scripts/test-backup-restore.sh +# À exécuter en environnement de test, JAMAIS en production + +echo "🧪 Test de restauration du backup PostgreSQL" + +# 1. Créer une DB de test +psql -h -U postgres -c "CREATE DATABASE xpeditis_restore_test;" + +# 2. Télécharger le dernier backup +LATEST=$(aws s3 ls s3://xpeditis-prod/backups/postgres/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com \ + --recursive | sort -r | head -1 | awk '{print $4}') + +aws s3 cp s3://xpeditis-prod/$LATEST /tmp/test-restore.sql.gz \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# 3. Restaurer dans la DB de test +gunzip -c /tmp/test-restore.sql.gz | pg_restore \ + -h -U postgres -d xpeditis_restore_test + +# 4. Vérifier +BOOKING_COUNT=$(psql -h -U postgres -d xpeditis_restore_test \ + -t -c "SELECT COUNT(*) FROM bookings;" | xargs) + +echo "✅ Restauration réussie. Nombre de bookings: $BOOKING_COUNT" + +# 5. Nettoyage +psql -h -U postgres -c "DROP DATABASE xpeditis_restore_test;" +rm /tmp/test-restore.sql.gz + +echo "✅ Test de backup/restore réussi le $(date)" +``` From 21e9584907c0c84eacdec8f9a19589367a0bf3ca Mon Sep 17 00:00:00 2001 From: David Date: Sat, 4 Apr 2026 12:56:28 +0200 Subject: [PATCH 2/9] chore: sync full codebase from cicd branch Aligns preprod with the complete application codebase (cicd branch). Co-Authored-By: Claude Sonnet 4.6 --- CLAUDE.md | 97 +- apps/backend/.env.example | 31 +- apps/backend/src/app.module.ts | 51 +- .../src/application/admin/admin.module.ts | 22 +- .../api-keys/api-keys.controller.ts | 81 ++ .../application/api-keys/api-keys.module.ts | 45 + .../application/api-keys/api-keys.service.ts | 200 +++ .../src/application/auth/auth.module.ts | 3 +- .../src/application/auth/auth.service.ts | 126 +- .../application/bookings/bookings.module.ts | 10 + .../controllers/admin.controller.ts | 316 ++++- .../controllers/admin/csv-rates.controller.ts | 1 + .../controllers/auth.controller.ts | 125 +- .../controllers/bookings.controller.ts | 39 +- .../controllers/csv-bookings.controller.ts | 161 ++- .../controllers/gdpr.controller.ts | 7 +- .../controllers/invitations.controller.ts | 27 +- .../controllers/subscriptions.controller.ts | 49 +- .../controllers/users.controller.ts | 9 +- .../src/application/csv-bookings.module.ts | 33 +- .../dashboard/dashboard.controller.ts | 5 +- .../application/dashboard/dashboard.module.ts | 6 +- .../decorators/requires-feature.decorator.ts | 15 + .../src/application/dto/api-key.dto.ts | 63 + .../src/application/dto/auth-login.dto.ts | 99 +- .../application/dto/carrier-documents.dto.ts | 230 ++-- .../src/application/dto/consent.dto.ts | 278 ++-- .../src/application/dto/csv-booking.dto.ts | 22 +- .../src/application/dto/organization.dto.ts | 32 + .../src/application/dto/subscription.dto.ts | 68 +- .../guards/api-key-or-jwt.guard.ts | 55 + .../application/guards/feature-flag.guard.ts | 108 ++ apps/backend/src/application/guards/index.ts | 1 + .../mappers/organization.mapper.ts | 3 + .../services/csv-booking.service.ts | 476 ++++++- .../src/application/services/gdpr.service.ts | 5 +- .../services/invitation.service.ts | 30 +- .../services/subscription.service.ts | 224 ++-- .../src/application/users/users.module.ts | 7 +- .../src/domain/entities/api-key.entity.ts | 135 ++ .../src/domain/entities/booking.entity.ts | 23 + .../src/domain/entities/csv-booking.entity.ts | 78 +- .../src/domain/entities/license.entity.ts | 11 +- .../domain/entities/organization.entity.ts | 52 +- .../entities/subscription.entity.spec.ts | 4 +- .../domain/entities/subscription.entity.ts | 46 +- .../shipment-limit-exceeded.exception.ts | 17 + .../exceptions/subscription.exceptions.ts | 21 +- .../domain/ports/out/api-key.repository.ts | 11 + .../src/domain/ports/out/email.port.ts | 1 + .../ports/out/invitation-token.repository.ts | 5 + .../domain/ports/out/shipment-counter.port.ts | 15 + .../ports/out/siret-verification.port.ts | 11 + .../src/domain/ports/out/stripe.port.ts | 36 +- .../domain/value-objects/plan-feature.vo.ts | 53 + .../value-objects/subscription-plan.vo.ts | 230 +++- .../value-objects/subscription-status.vo.ts | 4 +- .../src/infrastructure/email/email.adapter.ts | 167 ++- .../external/pappers-siret.adapter.ts | 50 + .../typeorm/entities/api-key.orm-entity.ts | 59 + .../typeorm/entities/booking.orm-entity.ts | 12 + .../entities/cookie-consent.orm-entity.ts | 116 +- .../entities/csv-booking.orm-entity.ts | 21 +- .../typeorm/entities/license.orm-entity.ts | 11 +- .../entities/organization.orm-entity.ts | 9 + .../password-reset-token.orm-entity.ts | 30 + .../entities/subscription.orm-entity.ts | 8 +- .../typeorm/mappers/api-key-orm.mapper.ts | 40 + .../typeorm/mappers/booking-orm.mapper.ts | 5 + .../typeorm/mappers/csv-booking.mapper.ts | 15 +- .../typeorm/mappers/license-orm.mapper.ts | 2 +- .../mappers/organization-orm.mapper.ts | 6 + .../mappers/subscription-orm.mapper.ts | 2 +- .../1738100000000-CreateCookieConsent.ts | 124 +- ...-RenamePlansToBronzeSilverGoldPlatinium.ts | 92 ++ .../1740000000002-AddCommissionFields.ts | 43 + ...3-AddSiretAndStatusBadgeToOrganizations.ts | 23 + .../1740000000004-AddPendingPaymentStatus.ts | 75 ++ ...0000000005-AddPendingBankTransferStatus.ts | 75 ++ .../1741000000001-CreateApiKeysTable.ts | 62 + ...1741500000001-CreatePasswordResetTokens.ts | 31 + .../shipment-counter.repository.ts | 32 + .../typeorm-api-key.repository.ts | 43 + .../typeorm-invitation-token.repository.ts | 4 + .../typeorm-license.repository.ts | 2 +- .../typeorm-subscription.repository.ts | 6 +- .../infrastructure/stripe/stripe.adapter.ts | 107 +- apps/backend/src/main.ts | 95 +- apps/frontend/app/about/page.tsx | 36 +- apps/frontend/app/contact/page.tsx | 234 +++- .../app/dashboard/admin/bookings/page.tsx | 961 +++++++------ .../app/dashboard/admin/csv-rates/page.tsx | 34 +- .../app/dashboard/admin/documents/page.tsx | 97 +- .../app/dashboard/admin/logs/page.tsx | 548 ++++++++ .../dashboard/admin/organizations/page.tsx | 132 +- .../app/dashboard/booking/[id]/pay/page.tsx | 437 ++++++ .../booking/[id]/payment-success/page.tsx | 147 ++ .../app/dashboard/booking/new/page.tsx | 4 +- apps/frontend/app/dashboard/bookings/page.tsx | 28 +- apps/frontend/app/dashboard/docs/page.tsx | 7 + apps/frontend/app/dashboard/layout.tsx | 87 +- apps/frontend/app/dashboard/page.tsx | 13 + .../app/dashboard/settings/api-keys/page.tsx | 489 +++++++ .../app/dashboard/settings/users/page.tsx | 507 +++---- apps/frontend/app/docs/api/page.tsx | 7 + apps/frontend/app/docs/layout.tsx | 16 + apps/frontend/app/forgot-password/page.tsx | 238 ++-- apps/frontend/app/login/page.tsx | 20 +- apps/frontend/app/page.tsx | 717 ++++++---- apps/frontend/app/pricing/page.tsx | 307 +++++ apps/frontend/app/register/page.tsx | 702 +++++----- apps/frontend/app/reset-password/page.tsx | 310 +++-- apps/frontend/middleware.ts | 33 +- apps/frontend/src/components/ExportButton.tsx | 22 +- .../components/admin/AdminPanelDropdown.tsx | 8 +- .../src/components/docs/CodeBlock.tsx | 60 + .../src/components/docs/DocsPageContent.tsx | 1190 +++++++++++++++++ apps/frontend/src/components/docs/docsNav.ts | 61 + .../src/components/layout/LandingFooter.tsx | 15 - .../src/components/layout/LandingHeader.tsx | 44 +- .../components/organization/LicensesTab.tsx | 1 - .../organization/SubscriptionTab.tsx | 14 +- apps/frontend/src/components/providers.tsx | 11 +- .../src/components/ui/FeatureGate.tsx | 68 + .../src/components/ui/StatusBadge.tsx | 49 + apps/frontend/src/lib/api/admin.ts | 63 + apps/frontend/src/lib/api/admin/csv-rates.ts | 1 + apps/frontend/src/lib/api/api-keys.ts | 55 + apps/frontend/src/lib/api/auth.ts | 41 +- apps/frontend/src/lib/api/bookings.ts | 41 +- apps/frontend/src/lib/api/client.ts | 34 +- apps/frontend/src/lib/api/index.ts | 4 +- apps/frontend/src/lib/api/invitations.ts | 9 +- apps/frontend/src/lib/api/subscriptions.ts | 30 +- .../frontend/src/lib/context/auth-context.tsx | 13 +- .../src/lib/context/subscription-context.tsx | 77 ++ apps/frontend/src/types/api.ts | 9 +- apps/log-exporter/Dockerfile | 14 + apps/log-exporter/package.json | 15 + apps/log-exporter/src/index.js | 319 +++++ docker-compose.dev.yml | 28 +- docker-compose.full.yml | 254 ++++ docker-compose.logging.yml | 115 ++ docs/api-access/API_ACCESS.md | 334 +++++ docs/deployment/AWS_COSTS_KUBERNETES.md | 565 ++++++++ docs/deployment/CLOUD_COST_COMPARISON.md | 548 ++++++++ docs/deployment/hetzner/01-architecture.md | 286 ++++ docs/deployment/hetzner/02-prerequisites.md | 233 ++++ docs/deployment/hetzner/03-hetzner-setup.md | 290 ++++ .../deployment/hetzner/04-server-selection.md | 183 +++ docs/deployment/hetzner/05-k3s-cluster.md | 476 +++++++ docs/deployment/hetzner/06-storage-s3.md | 258 ++++ .../hetzner/07-database-postgresql.md | 337 +++++ docs/deployment/hetzner/08-redis-setup.md | 313 +++++ .../hetzner/10-ingress-tls-cloudflare.md | 240 ++++ .../hetzner/11-cicd-github-actions.md | 489 +++++++ .../hetzner/12-monitoring-alerting.md | 416 ++++++ .../hetzner/14-security-hardening.md | 349 +++++ .../hetzner/15-operations-scaling.md | 424 ++++++ docs/deployment/hetzner/README.md | 111 ++ .../provisioning/dashboards/provider.yml | 12 + .../dashboards/xpeditis-logs.json | 636 +++++++++ .../grafana/provisioning/datasources/loki.yml | 19 + infra/logging/loki/loki-config.yml | 62 + infra/logging/promtail/promtail-config.yml | 70 + 165 files changed, 18147 insertions(+), 2560 deletions(-) create mode 100644 apps/backend/src/application/api-keys/api-keys.controller.ts create mode 100644 apps/backend/src/application/api-keys/api-keys.module.ts create mode 100644 apps/backend/src/application/api-keys/api-keys.service.ts create mode 100644 apps/backend/src/application/decorators/requires-feature.decorator.ts create mode 100644 apps/backend/src/application/dto/api-key.dto.ts create mode 100644 apps/backend/src/application/guards/api-key-or-jwt.guard.ts create mode 100644 apps/backend/src/application/guards/feature-flag.guard.ts create mode 100644 apps/backend/src/domain/entities/api-key.entity.ts create mode 100644 apps/backend/src/domain/exceptions/shipment-limit-exceeded.exception.ts create mode 100644 apps/backend/src/domain/ports/out/api-key.repository.ts create mode 100644 apps/backend/src/domain/ports/out/shipment-counter.port.ts create mode 100644 apps/backend/src/domain/ports/out/siret-verification.port.ts create mode 100644 apps/backend/src/domain/value-objects/plan-feature.vo.ts create mode 100644 apps/backend/src/infrastructure/external/pappers-siret.adapter.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/entities/api-key.orm-entity.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/entities/password-reset-token.orm-entity.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/mappers/api-key-orm.mapper.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000001-RenamePlansToBronzeSilverGoldPlatinium.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000002-AddCommissionFields.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000003-AddSiretAndStatusBadgeToOrganizations.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000004-AddPendingPaymentStatus.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000005-AddPendingBankTransferStatus.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1741000000001-CreateApiKeysTable.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/migrations/1741500000001-CreatePasswordResetTokens.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/repositories/shipment-counter.repository.ts create mode 100644 apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-api-key.repository.ts create mode 100644 apps/frontend/app/dashboard/admin/logs/page.tsx create mode 100644 apps/frontend/app/dashboard/booking/[id]/pay/page.tsx create mode 100644 apps/frontend/app/dashboard/booking/[id]/payment-success/page.tsx create mode 100644 apps/frontend/app/dashboard/docs/page.tsx create mode 100644 apps/frontend/app/dashboard/settings/api-keys/page.tsx create mode 100644 apps/frontend/app/docs/api/page.tsx create mode 100644 apps/frontend/app/docs/layout.tsx create mode 100644 apps/frontend/app/pricing/page.tsx create mode 100644 apps/frontend/src/components/docs/CodeBlock.tsx create mode 100644 apps/frontend/src/components/docs/DocsPageContent.tsx create mode 100644 apps/frontend/src/components/docs/docsNav.ts create mode 100644 apps/frontend/src/components/ui/FeatureGate.tsx create mode 100644 apps/frontend/src/components/ui/StatusBadge.tsx create mode 100644 apps/frontend/src/lib/api/api-keys.ts create mode 100644 apps/frontend/src/lib/context/subscription-context.tsx create mode 100644 apps/log-exporter/Dockerfile create mode 100644 apps/log-exporter/package.json create mode 100644 apps/log-exporter/src/index.js create mode 100644 docker-compose.full.yml create mode 100644 docker-compose.logging.yml create mode 100644 docs/api-access/API_ACCESS.md create mode 100644 docs/deployment/AWS_COSTS_KUBERNETES.md create mode 100644 docs/deployment/CLOUD_COST_COMPARISON.md create mode 100644 docs/deployment/hetzner/01-architecture.md create mode 100644 docs/deployment/hetzner/02-prerequisites.md create mode 100644 docs/deployment/hetzner/03-hetzner-setup.md create mode 100644 docs/deployment/hetzner/04-server-selection.md create mode 100644 docs/deployment/hetzner/05-k3s-cluster.md create mode 100644 docs/deployment/hetzner/06-storage-s3.md create mode 100644 docs/deployment/hetzner/07-database-postgresql.md create mode 100644 docs/deployment/hetzner/08-redis-setup.md create mode 100644 docs/deployment/hetzner/10-ingress-tls-cloudflare.md create mode 100644 docs/deployment/hetzner/11-cicd-github-actions.md create mode 100644 docs/deployment/hetzner/12-monitoring-alerting.md create mode 100644 docs/deployment/hetzner/14-security-hardening.md create mode 100644 docs/deployment/hetzner/15-operations-scaling.md create mode 100644 docs/deployment/hetzner/README.md create mode 100644 infra/logging/grafana/provisioning/dashboards/provider.yml create mode 100644 infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json create mode 100644 infra/logging/grafana/provisioning/datasources/loki.yml create mode 100644 infra/logging/loki/loki-config.yml create mode 100644 infra/logging/promtail/promtail-config.yml diff --git a/CLAUDE.md b/CLAUDE.md index d210ccc..02f2b3b 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -33,9 +33,10 @@ npm run frontend:dev # http://localhost:3000 ```bash # Backend (from apps/backend/) -npm test # Unit tests (Jest) -npm test -- booking.entity.spec.ts # Single file -npm run test:cov # With coverage +npm test # Unit tests (Jest) +npm test -- booking.entity.spec.ts # Single file +npm test -- --testNamePattern="should create" # Filter by test name +npm run test:cov # With coverage npm run test:integration # Integration tests (needs DB/Redis, 30s timeout) npm run test:e2e # E2E tests @@ -75,6 +76,7 @@ npm run migration:revert ```bash npm run backend:build # NestJS build with tsc-alias for path resolution npm run frontend:build # Next.js production build (standalone output) +npm run clean # Remove all node_modules, dist, .next directories ``` ## Local Infrastructure @@ -84,6 +86,8 @@ Docker-compose defaults (no `.env` changes needed for local dev): - **Redis**: password `xpeditis_redis_password`, port 6379 - **MinIO** (S3-compatible storage): `minioadmin:minioadmin`, API port 9000, console port 9001 +Frontend env var: `NEXT_PUBLIC_API_URL` (defaults to `http://localhost:4000`) — configured in `next.config.js`. + ## Architecture ### Hexagonal Architecture (Backend) @@ -91,15 +95,32 @@ Docker-compose defaults (no `.env` changes needed for local dev): ``` apps/backend/src/ ├── domain/ # CORE - Pure TypeScript, NO framework imports -│ ├── entities/ # Booking, RateQuote, User, Carrier, Port, Container, CsvBooking, etc. -│ ├── value-objects/ # Money, Email, BookingNumber, BookingStatus, PortCode, ContainerType, Volume, LicenseStatus, SubscriptionPlan, etc. -│ ├── services/ # Pure domain services (rate-search, csv-rate-price-calculator, booking, port-search, etc.) +│ ├── entities/ # Booking, RateQuote, Carrier, Port, Container, Notification, Webhook, +│ │ # AuditLog, User, Organization, Subscription, License, CsvBooking, +│ │ # CsvRate, InvitationToken +│ ├── value-objects/ # Money, Email, BookingNumber, BookingStatus, PortCode, ContainerType, +│ │ # Volume, DateRange, Surcharge +│ ├── services/ # Pure domain services (csv-rate-price-calculator) │ ├── ports/ │ │ ├── in/ # Use case interfaces with execute() method │ │ └── out/ # Repository/SPI interfaces (token constants like BOOKING_REPOSITORY = 'BookingRepository') │ └── exceptions/ # Domain-specific exceptions ├── application/ # Controllers, DTOs (class-validator), Guards, Decorators, Mappers -└── infrastructure/ # TypeORM entities/repos/mappers, Redis cache, carrier APIs, MinIO/S3, email (MJML+Nodemailer), Sentry +│ ├── [feature]/ # Feature modules: auth/, bookings/, csv-bookings, rates/, ports/, +│ │ # organizations/, users/, dashboard/, audit/, notifications/, webhooks/, +│ │ # gdpr/, admin/, subscriptions/ +│ ├── controllers/ # REST controllers (also nested under feature folders) +│ ├── services/ # Application services: audit, notification, webhook, +│ │ # booking-automation, export, fuzzy-search, brute-force-protection +│ ├── gateways/ # WebSocket gateways (notifications.gateway.ts via Socket.IO) +│ ├── guards/ # JwtAuthGuard, RolesGuard, CustomThrottlerGuard +│ ├── decorators/ # @Public(), @Roles(), @CurrentUser() +│ ├── dto/ # Request/response DTOs with class-validator +│ ├── mappers/ # Domain ↔ DTO mappers +│ └── interceptors/ # PerformanceMonitoringInterceptor +└── infrastructure/ # TypeORM entities/repos/mappers, Redis cache, carrier APIs, + # MinIO/S3, email (MJML+Nodemailer), Stripe, Sentry, + # Pappers (French SIRET registry), PDF generation ``` **Critical dependency rules**: @@ -108,6 +129,7 @@ apps/backend/src/ - Path aliases: `@domain/*`, `@application/*`, `@infrastructure/*` (defined in `apps/backend/tsconfig.json`) - Domain tests run without NestJS TestingModule - Backend has strict TypeScript: `strict: true`, `strictNullChecks: true` (but `strictPropertyInitialization: false`) +- Env vars validated at startup via Joi schema in `app.module.ts` — required vars include DATABASE_*, REDIS_*, JWT_SECRET, SMTP_* ### NestJS Modules (app.module.ts) @@ -115,31 +137,36 @@ Global guards: JwtAuthGuard (all routes protected by default), CustomThrottlerGu Feature modules: Auth, Rates, Ports, Bookings, CsvBookings, Organizations, Users, Dashboard, Audit, Notifications, Webhooks, GDPR, Admin, Subscriptions. -Infrastructure modules: CacheModule, CarrierModule, SecurityModule, CsvRateModule. +Infrastructure modules: CacheModule, CarrierModule, SecurityModule, CsvRateModule, StripeModule, PdfModule, StorageModule, EmailModule. -Swagger plugin enabled in `nest-cli.json` — DTOs auto-documented. +Swagger plugin enabled in `nest-cli.json` — DTOs auto-documented. Logging via `nestjs-pino` (pino-pretty in dev). ### Frontend (Next.js 14 App Router) ``` apps/frontend/ -├── app/ # App Router pages -│ ├── dashboard/ # Protected routes (bookings, admin, settings) -│ └── carrier/ # Carrier portal (magic link auth) +├── app/ # App Router pages (root-level) +│ ├── dashboard/ # Protected routes (bookings, admin, settings, wiki, search) +│ ├── carrier/ # Carrier portal (magic link auth — accept/reject/documents) +│ ├── booking/ # Booking confirmation/rejection flows +│ └── [auth pages] # login, register, forgot-password, verify-email └── src/ - ├── components/ # React components (shadcn/ui in ui/, layout/, bookings/, admin/) + ├── app/ # Additional app pages (e.g. rates/csv-search) + ├── components/ # React components (ui/, layout/, bookings/, admin/, rate-search/, organization/) ├── hooks/ # useBookings, useNotifications, useCsvRateSearch, useCompanies, useFilterOptions ├── lib/ │ ├── api/ # Fetch-based API client with auto token refresh (client.ts + per-module files) - │ ├── context/ # Auth context + │ ├── context/ # Auth context, cookie context + │ ├── providers/ # QueryProvider (TanStack Query / React Query) │ └── fonts.ts # Manrope (headings) + Montserrat (body) ├── types/ # TypeScript type definitions - └── utils/ # Export utilities (Excel, PDF) + ├── utils/ # Export utilities (Excel, PDF) + └── legacy-pages/ # Archived page components (BookingsManagement, CarrierManagement, CarrierMonitoring) ``` Path aliases: `@/*` → `./src/*`, `@/components/*`, `@/lib/*`, `@/app/*` → `./app/*`, `@/types/*`, `@/hooks/*`, `@/utils/*` -**Note**: Frontend tsconfig has `strict: false`, `noImplicitAny: false`, `strictNullChecks: false` (unlike backend which is strict). +**Note**: Frontend tsconfig has `strict: false`, `noImplicitAny: false`, `strictNullChecks: false` (unlike backend which is strict). Uses TanStack Query (React Query) for server state — wrap new data fetching in hooks, not bare `fetch` calls. ### Brand Design @@ -171,13 +198,26 @@ Immutable, self-validating via static `create()`. E.g. `Money` supports USD, EUR - Separate mapper classes (`infrastructure/persistence/typeorm/mappers/`) with static `toOrm()`, `toDomain()`, `toDomainMany()` methods ### Frontend API Client -Custom Fetch wrapper in `src/lib/api/client.ts` — exports `get()`, `post()`, `patch()`, `del()`, `upload()`, `download()`. Auto-refreshes JWT on 401. Tokens stored in localStorage. Per-module files (auth.ts, bookings.ts, rates.ts, etc.) import from client. +Custom Fetch wrapper in `src/lib/api/client.ts` — exports `get()`, `post()`, `patch()`, `del()`, `upload()`, `download()`. Auto-refreshes JWT on 401. Tokens stored in localStorage **and synced to cookies** (`accessToken` cookie) so Next.js middleware can read them server-side. Per-module files (auth.ts, bookings.ts, rates.ts, etc.) import from client. + +### Route Protection (Middleware) +`apps/frontend/middleware.ts` checks the `accessToken` cookie to protect routes. Public paths are defined in two lists: +- `exactPublicPaths`: exact matches (e.g. `/`) +- `prefixPublicPaths`: prefix matches including sub-paths (e.g. `/login`, `/carrier`, `/about`, etc.) + +All other routes redirect to `/login?redirect=` when the cookie is absent. ### Application Decorators - `@Public()` — skip JWT auth - `@Roles()` — role-based access control - `@CurrentUser()` — inject authenticated user +### API Key Authentication +A second auth mechanism alongside JWT. `ApiKey` domain entity (`domain/entities/api-key.entity.ts`) — keys are hashed with Argon2. `ApiKeyGuard` in `application/guards/` checks the `x-api-key` header. Routes can accept either JWT or API key; see `admin.controller.ts` for examples. + +### WebSocket (Real-time Notifications) +Socket.IO gateway at `application/gateways/notifications.gateway.ts`. Clients connect to `/` namespace with a JWT bearer token in the handshake auth. Server emits `notification` events. The frontend `useNotifications` hook handles subscriptions. + ### Carrier Connectors Five carrier connectors (Maersk, MSC, CMA CGM, Hapag-Lloyd, ONE) extending `base-carrier.connector.ts`, each with request/response mappers. Circuit breaker via `opossum` (5s timeout). @@ -193,12 +233,14 @@ Redis with 15-min TTL for rate quotes. Key format: `rate:{origin}:{destination}: - RBAC Roles: ADMIN, MANAGER, USER, VIEWER, CARRIER - JWT: access token 15min, refresh token 7d - Password hashing: Argon2 +- OAuth providers: Google, Microsoft (configured via passport strategies) +- Organizations can be validated via Pappers API (French SIRET/company registry) at `infrastructure/external/pappers-siret.adapter.ts` ### Carrier Portal Workflow 1. Admin creates CSV booking → assigns carrier 2. Email with magic link sent (1-hour expiry) 3. Carrier auto-login → accept/reject booking -4. Activity logged in `carrier_activities` table +4. Activity logged in `carrier_activities` table (via `CarrierProfile` + `CarrierActivity` ORM entities) ## Common Pitfalls @@ -215,14 +257,15 @@ Redis with 15-min TTL for rate quotes. Key format: `rate:{origin}:{destination}: 1. **Domain Entity** → `domain/entities/*.entity.ts` (pure TS, unit tests) 2. **Value Objects** → `domain/value-objects/*.vo.ts` (immutable) -3. **Port Interface** → `domain/ports/out/*.repository.ts` (with token constant) -4. **ORM Entity** → `infrastructure/persistence/typeorm/entities/*.orm-entity.ts` -5. **Migration** → `npm run migration:generate -- src/infrastructure/persistence/typeorm/migrations/MigrationName` -6. **Repository Impl** → `infrastructure/persistence/typeorm/repositories/` -7. **Mapper** → `infrastructure/persistence/typeorm/mappers/` (static toOrm/toDomain/toDomainMany) -8. **DTOs** → `application/dto/` (with class-validator decorators) -9. **Controller** → `application/controllers/` (with Swagger decorators) -10. **Module** → Register and import in `app.module.ts` +3. **In Port (Use Case)** → `domain/ports/in/*.use-case.ts` (interface with `execute()`) +4. **Out Port (Repository)** → `domain/ports/out/*.repository.ts` (with token constant) +5. **ORM Entity** → `infrastructure/persistence/typeorm/entities/*.orm-entity.ts` +6. **Migration** → `npm run migration:generate -- src/infrastructure/persistence/typeorm/migrations/MigrationName` +7. **Repository Impl** → `infrastructure/persistence/typeorm/repositories/` +8. **Mapper** → `infrastructure/persistence/typeorm/mappers/` (static toOrm/toDomain/toDomainMany) +9. **DTOs** → `application/dto/` (with class-validator decorators) +10. **Controller** → `application/controllers/` (with Swagger decorators) +11. **Module** → Register repository + use-case providers, import in `app.module.ts` ## Documentation @@ -230,3 +273,5 @@ Redis with 15-min TTL for rate quotes. Key format: `rate:{origin}:{destination}: - Setup guide: `docs/installation/START-HERE.md` - Carrier Portal API: `apps/backend/docs/CARRIER_PORTAL_API.md` - Full docs index: `docs/README.md` +- Development roadmap: `TODO.md` +- Infrastructure configs (CI/CD, Docker): `infra/` diff --git a/apps/backend/.env.example b/apps/backend/.env.example index 831f9b8..aa66cfe 100644 --- a/apps/backend/.env.example +++ b/apps/backend/.env.example @@ -37,12 +37,14 @@ MICROSOFT_CALLBACK_URL=http://localhost:4000/api/v1/auth/microsoft/callback APP_URL=http://localhost:3000 # Email (SMTP) -SMTP_HOST=smtp.sendgrid.net -SMTP_PORT=587 -SMTP_SECURE=false -SMTP_USER=apikey -SMTP_PASS=your-sendgrid-api-key -SMTP_FROM=noreply@xpeditis.com + SMTP_HOST=smtp-relay.brevo.com + SMTP_PORT=587 + SMTP_USER=ton-email@brevo.com + SMTP_PASS=ta-cle-smtp-brevo + SMTP_SECURE=false + +# SMTP_FROM devient le fallback uniquement (chaque méthode a son propre from maintenant) + SMTP_FROM=noreply@xpeditis.com # AWS S3 / Storage (or MinIO for development) AWS_ACCESS_KEY_ID=your-aws-access-key @@ -74,6 +76,11 @@ ONE_API_URL=https://api.one-line.com/v1 ONE_USERNAME=your-one-username ONE_PASSWORD=your-one-password +# Swagger Documentation Access (HTTP Basic Auth) +# Leave empty to disable Swagger in production, or set both to protect with a password +SWAGGER_USERNAME=admin +SWAGGER_PASSWORD=change-this-strong-password + # Security BCRYPT_ROUNDS=12 SESSION_TIMEOUT_MS=7200000 @@ -93,9 +100,9 @@ STRIPE_SECRET_KEY=sk_test_your_stripe_secret_key STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret # Stripe Price IDs (create these in Stripe Dashboard) -STRIPE_STARTER_MONTHLY_PRICE_ID=price_starter_monthly -STRIPE_STARTER_YEARLY_PRICE_ID=price_starter_yearly -STRIPE_PRO_MONTHLY_PRICE_ID=price_pro_monthly -STRIPE_PRO_YEARLY_PRICE_ID=price_pro_yearly -STRIPE_ENTERPRISE_MONTHLY_PRICE_ID=price_enterprise_monthly -STRIPE_ENTERPRISE_YEARLY_PRICE_ID=price_enterprise_yearly +STRIPE_SILVER_MONTHLY_PRICE_ID=price_silver_monthly +STRIPE_SILVER_YEARLY_PRICE_ID=price_silver_yearly +STRIPE_GOLD_MONTHLY_PRICE_ID=price_gold_monthly +STRIPE_GOLD_YEARLY_PRICE_ID=price_gold_yearly +STRIPE_PLATINIUM_MONTHLY_PRICE_ID=price_platinium_monthly +STRIPE_PLATINIUM_YEARLY_PRICE_ID=price_platinium_yearly diff --git a/apps/backend/src/app.module.ts b/apps/backend/src/app.module.ts index cc54c5c..7e7ada3 100644 --- a/apps/backend/src/app.module.ts +++ b/apps/backend/src/app.module.ts @@ -20,13 +20,14 @@ import { GDPRModule } from './application/gdpr/gdpr.module'; import { CsvBookingsModule } from './application/csv-bookings.module'; import { AdminModule } from './application/admin/admin.module'; import { SubscriptionsModule } from './application/subscriptions/subscriptions.module'; +import { ApiKeysModule } from './application/api-keys/api-keys.module'; import { CacheModule } from './infrastructure/cache/cache.module'; import { CarrierModule } from './infrastructure/carriers/carrier.module'; import { SecurityModule } from './infrastructure/security/security.module'; import { CsvRateModule } from './infrastructure/carriers/csv-loader/csv-rate.module'; // Import global guards -import { JwtAuthGuard } from './application/guards/jwt-auth.guard'; +import { ApiKeyOrJwtGuard } from './application/guards/api-key-or-jwt.guard'; import { CustomThrottlerGuard } from './application/guards/throttle.guard'; @Module({ @@ -60,21 +61,26 @@ import { CustomThrottlerGuard } from './application/guards/throttle.guard'; // Stripe Configuration (optional for development) STRIPE_SECRET_KEY: Joi.string().optional(), STRIPE_WEBHOOK_SECRET: Joi.string().optional(), - STRIPE_STARTER_MONTHLY_PRICE_ID: Joi.string().optional(), - STRIPE_STARTER_YEARLY_PRICE_ID: Joi.string().optional(), - STRIPE_PRO_MONTHLY_PRICE_ID: Joi.string().optional(), - STRIPE_PRO_YEARLY_PRICE_ID: Joi.string().optional(), - STRIPE_ENTERPRISE_MONTHLY_PRICE_ID: Joi.string().optional(), - STRIPE_ENTERPRISE_YEARLY_PRICE_ID: Joi.string().optional(), + STRIPE_SILVER_MONTHLY_PRICE_ID: Joi.string().optional(), + STRIPE_SILVER_YEARLY_PRICE_ID: Joi.string().optional(), + STRIPE_GOLD_MONTHLY_PRICE_ID: Joi.string().optional(), + STRIPE_GOLD_YEARLY_PRICE_ID: Joi.string().optional(), + STRIPE_PLATINIUM_MONTHLY_PRICE_ID: Joi.string().optional(), + STRIPE_PLATINIUM_YEARLY_PRICE_ID: Joi.string().optional(), }), }), // Logging LoggerModule.forRootAsync({ - useFactory: (configService: ConfigService) => ({ - pinoHttp: { - transport: - configService.get('NODE_ENV') === 'development' + useFactory: (configService: ConfigService) => { + const isDev = configService.get('NODE_ENV') === 'development'; + // LOG_FORMAT=json forces structured JSON output (e.g. inside Docker + Promtail) + const forceJson = configService.get('LOG_FORMAT') === 'json'; + const usePretty = isDev && !forceJson; + + return { + pinoHttp: { + transport: usePretty ? { target: 'pino-pretty', options: { @@ -84,9 +90,21 @@ import { CustomThrottlerGuard } from './application/guards/throttle.guard'; }, } : undefined, - level: configService.get('NODE_ENV') === 'production' ? 'info' : 'debug', - }, - }), + level: isDev ? 'debug' : 'info', + // Redact sensitive fields from logs + redact: { + paths: [ + 'req.headers.authorization', + 'req.headers["x-api-key"]', + 'req.body.password', + 'req.body.currentPassword', + 'req.body.newPassword', + ], + censor: '[REDACTED]', + }, + }, + }; + }, inject: [ConfigService], }), @@ -128,14 +146,15 @@ import { CustomThrottlerGuard } from './application/guards/throttle.guard'; GDPRModule, AdminModule, SubscriptionsModule, + ApiKeysModule, ], controllers: [], providers: [ - // Global JWT authentication guard + // Global authentication guard — supports both JWT (frontend) and API key (Gold/Platinium) // All routes are protected by default, use @Public() to bypass { provide: APP_GUARD, - useClass: JwtAuthGuard, + useClass: ApiKeyOrJwtGuard, }, // Global rate limiting guard { diff --git a/apps/backend/src/application/admin/admin.module.ts b/apps/backend/src/application/admin/admin.module.ts index 4fa96e8..dd92262 100644 --- a/apps/backend/src/application/admin/admin.module.ts +++ b/apps/backend/src/application/admin/admin.module.ts @@ -1,5 +1,6 @@ import { Module } from '@nestjs/common'; import { TypeOrmModule } from '@nestjs/typeorm'; +import { ConfigModule } from '@nestjs/config'; // Controller import { AdminController } from '../controllers/admin.controller'; @@ -18,6 +19,16 @@ import { TypeOrmCsvBookingRepository } from '@infrastructure/persistence/typeorm import { USER_REPOSITORY } from '@domain/ports/out/user.repository'; import { ORGANIZATION_REPOSITORY } from '@domain/ports/out/organization.repository'; +// SIRET verification +import { SIRET_VERIFICATION_PORT } from '@domain/ports/out/siret-verification.port'; +import { PappersSiretAdapter } from '@infrastructure/external/pappers-siret.adapter'; + +// CSV Booking Service +import { CsvBookingsModule } from '../csv-bookings.module'; + +// Email +import { EmailModule } from '@infrastructure/email/email.module'; + /** * Admin Module * @@ -25,7 +36,12 @@ import { ORGANIZATION_REPOSITORY } from '@domain/ports/out/organization.reposito * All endpoints require ADMIN role. */ @Module({ - imports: [TypeOrmModule.forFeature([UserOrmEntity, OrganizationOrmEntity, CsvBookingOrmEntity])], + imports: [ + TypeOrmModule.forFeature([UserOrmEntity, OrganizationOrmEntity, CsvBookingOrmEntity]), + ConfigModule, + CsvBookingsModule, + EmailModule, + ], controllers: [AdminController], providers: [ { @@ -37,6 +53,10 @@ import { ORGANIZATION_REPOSITORY } from '@domain/ports/out/organization.reposito useClass: TypeOrmOrganizationRepository, }, TypeOrmCsvBookingRepository, + { + provide: SIRET_VERIFICATION_PORT, + useClass: PappersSiretAdapter, + }, ], }) export class AdminModule {} diff --git a/apps/backend/src/application/api-keys/api-keys.controller.ts b/apps/backend/src/application/api-keys/api-keys.controller.ts new file mode 100644 index 0000000..b2bb476 --- /dev/null +++ b/apps/backend/src/application/api-keys/api-keys.controller.ts @@ -0,0 +1,81 @@ +import { + Body, + Controller, + Delete, + Get, + HttpCode, + HttpStatus, + Param, + ParseUUIDPipe, + Post, + UseGuards, +} from '@nestjs/common'; +import { + ApiBearerAuth, + ApiOperation, + ApiResponse, + ApiSecurity, + ApiTags, +} from '@nestjs/swagger'; + +import { CurrentUser } from '../decorators/current-user.decorator'; +import { RequiresFeature } from '../decorators/requires-feature.decorator'; +import { FeatureFlagGuard } from '../guards/feature-flag.guard'; + +import { ApiKeysService } from './api-keys.service'; +import { CreateApiKeyDto, ApiKeyDto, CreateApiKeyResultDto } from '../dto/api-key.dto'; + +@ApiTags('API Keys') +@ApiBearerAuth() +@ApiSecurity('x-api-key') +@UseGuards(FeatureFlagGuard) +@RequiresFeature('api_access') +@Controller('api-keys') +export class ApiKeysController { + constructor(private readonly apiKeysService: ApiKeysService) {} + + @Post() + @ApiOperation({ + summary: 'Générer une nouvelle clé API', + description: + "Crée une clé API pour accès programmatique. La clé complète est retournée **une seule fois** — conservez-la immédiatement. Réservé aux abonnements Gold et Platinium.", + }) + @ApiResponse({ + status: 201, + description: 'Clé créée avec succès. La clé complète est dans le champ `fullKey`.', + type: CreateApiKeyResultDto, + }) + @ApiResponse({ status: 403, description: 'Abonnement Gold ou Platinium requis' }) + async create( + @CurrentUser() user: { id: string; organizationId: string }, + @Body() dto: CreateApiKeyDto + ): Promise { + return this.apiKeysService.generateApiKey(user.id, user.organizationId, dto); + } + + @Get() + @ApiOperation({ + summary: 'Lister les clés API', + description: + "Retourne toutes les clés API de l'organisation. Les clés complètes ne sont jamais exposées — uniquement le préfixe.", + }) + @ApiResponse({ status: 200, type: [ApiKeyDto] }) + async list(@CurrentUser() user: { organizationId: string }): Promise { + return this.apiKeysService.listApiKeys(user.organizationId); + } + + @Delete(':id') + @HttpCode(HttpStatus.NO_CONTENT) + @ApiOperation({ + summary: 'Révoquer une clé API', + description: 'Désactive immédiatement la clé API. Cette action est irréversible.', + }) + @ApiResponse({ status: 204, description: 'Clé révoquée' }) + @ApiResponse({ status: 404, description: 'Clé introuvable' }) + async revoke( + @CurrentUser() user: { organizationId: string }, + @Param('id', ParseUUIDPipe) keyId: string + ): Promise { + return this.apiKeysService.revokeApiKey(keyId, user.organizationId); + } +} diff --git a/apps/backend/src/application/api-keys/api-keys.module.ts b/apps/backend/src/application/api-keys/api-keys.module.ts new file mode 100644 index 0000000..d3a67aa --- /dev/null +++ b/apps/backend/src/application/api-keys/api-keys.module.ts @@ -0,0 +1,45 @@ +import { Module } from '@nestjs/common'; +import { TypeOrmModule } from '@nestjs/typeorm'; + +import { ApiKeysController } from './api-keys.controller'; +import { ApiKeysService } from './api-keys.service'; + +// ORM Entities +import { ApiKeyOrmEntity } from '@infrastructure/persistence/typeorm/entities/api-key.orm-entity'; +import { UserOrmEntity } from '@infrastructure/persistence/typeorm/entities/user.orm-entity'; + +// Repositories +import { TypeOrmApiKeyRepository } from '@infrastructure/persistence/typeorm/repositories/typeorm-api-key.repository'; +import { TypeOrmUserRepository } from '@infrastructure/persistence/typeorm/repositories/typeorm-user.repository'; + +// Repository tokens +import { API_KEY_REPOSITORY } from '@domain/ports/out/api-key.repository'; +import { USER_REPOSITORY } from '@domain/ports/out/user.repository'; + +// Subscriptions (provides SUBSCRIPTION_REPOSITORY) +import { SubscriptionsModule } from '../subscriptions/subscriptions.module'; + +// Feature flag guard needs SubscriptionRepository (injected via SubscriptionsModule) +import { FeatureFlagGuard } from '../guards/feature-flag.guard'; + +@Module({ + imports: [ + TypeOrmModule.forFeature([ApiKeyOrmEntity, UserOrmEntity]), + SubscriptionsModule, + ], + controllers: [ApiKeysController], + providers: [ + ApiKeysService, + FeatureFlagGuard, + { + provide: API_KEY_REPOSITORY, + useClass: TypeOrmApiKeyRepository, + }, + { + provide: USER_REPOSITORY, + useClass: TypeOrmUserRepository, + }, + ], + exports: [ApiKeysService], +}) +export class ApiKeysModule {} diff --git a/apps/backend/src/application/api-keys/api-keys.service.ts b/apps/backend/src/application/api-keys/api-keys.service.ts new file mode 100644 index 0000000..eeac338 --- /dev/null +++ b/apps/backend/src/application/api-keys/api-keys.service.ts @@ -0,0 +1,200 @@ +/** + * ApiKeys Service + * + * Manages API key lifecycle: + * - Generation (GOLD/PLATINIUM subscribers only) + * - Listing (masked — prefix only) + * - Revocation + * - Validation for inbound API key authentication + */ + +import { + ForbiddenException, + Inject, + Injectable, + Logger, + NotFoundException, +} from '@nestjs/common'; +import * as crypto from 'crypto'; +import { v4 as uuidv4 } from 'uuid'; + +import { ApiKey } from '@domain/entities/api-key.entity'; +import { ApiKeyRepository, API_KEY_REPOSITORY } from '@domain/ports/out/api-key.repository'; +import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.repository'; +import { + SubscriptionRepository, + SUBSCRIPTION_REPOSITORY, +} from '@domain/ports/out/subscription.repository'; + +import { CreateApiKeyDto, ApiKeyDto, CreateApiKeyResultDto } from '../dto/api-key.dto'; + +/** Shape of request.user populated when an API key is used. */ +export interface ApiKeyUserContext { + id: string; + email: string; + role: string; + organizationId: string; + firstName: string; + lastName: string; + plan: string; + planFeatures: string[]; +} + +const KEY_PREFIX_DISPLAY_LENGTH = 18; // "xped_live_" (10) + 8 hex chars + +@Injectable() +export class ApiKeysService { + private readonly logger = new Logger(ApiKeysService.name); + + constructor( + @Inject(API_KEY_REPOSITORY) + private readonly apiKeyRepository: ApiKeyRepository, + @Inject(USER_REPOSITORY) + private readonly userRepository: UserRepository, + @Inject(SUBSCRIPTION_REPOSITORY) + private readonly subscriptionRepository: SubscriptionRepository + ) {} + + /** + * Generate a new API key for the given user / organisation. + * The full raw key is returned exactly once — it is never persisted. + */ + async generateApiKey( + userId: string, + organizationId: string, + dto: CreateApiKeyDto + ): Promise { + await this.assertApiAccessPlan(organizationId); + + const rawKey = this.buildRawKey(); + const keyHash = this.hashKey(rawKey); + const keyPrefix = rawKey.substring(0, KEY_PREFIX_DISPLAY_LENGTH); + + const apiKey = ApiKey.create({ + id: uuidv4(), + organizationId, + userId, + name: dto.name, + keyHash, + keyPrefix, + expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : null, + }); + + const saved = await this.apiKeyRepository.save(apiKey); + + this.logger.log(`API key created: ${saved.id} for org ${organizationId}`); + + return { + id: saved.id, + name: saved.name, + keyPrefix: saved.keyPrefix, + isActive: saved.isActive, + lastUsedAt: saved.lastUsedAt, + expiresAt: saved.expiresAt, + createdAt: saved.createdAt, + fullKey: rawKey, + }; + } + + /** + * List all API keys for an organisation. Never exposes key hashes. + */ + async listApiKeys(organizationId: string): Promise { + const keys = await this.apiKeyRepository.findByOrganizationId(organizationId); + return keys.map(k => this.toDto(k)); + } + + /** + * Revoke (deactivate) an API key. + */ + async revokeApiKey(keyId: string, organizationId: string): Promise { + const key = await this.apiKeyRepository.findById(keyId); + + if (!key || key.organizationId !== organizationId) { + throw new NotFoundException('Clé API introuvable'); + } + + const revoked = key.revoke(); + await this.apiKeyRepository.save(revoked); + + this.logger.log(`API key revoked: ${keyId} for org ${organizationId}`); + } + + /** + * Validate an inbound raw API key and return the user context. + * Returns null if the key is invalid, expired, or the plan is insufficient. + * Also asynchronously updates lastUsedAt. + */ + async validateAndGetUser(rawKey: string): Promise { + if (!rawKey?.startsWith('xped_live_')) return null; + + const keyHash = this.hashKey(rawKey); + const apiKey = await this.apiKeyRepository.findByKeyHash(keyHash); + + if (!apiKey || !apiKey.isValid()) return null; + + // Real-time plan check — in case the org downgraded after key creation + const subscription = await this.subscriptionRepository.findByOrganizationId( + apiKey.organizationId + ); + + if (!subscription || !subscription.hasFeature('api_access')) { + this.logger.warn( + `API key used but org ${apiKey.organizationId} no longer has api_access feature` + ); + return null; + } + + // Update lastUsedAt asynchronously — don't block the request + this.apiKeyRepository + .save(apiKey.recordUsage()) + .catch(err => this.logger.warn(`Failed to update lastUsedAt for key ${apiKey.id}: ${err}`)); + + const user = await this.userRepository.findById(apiKey.userId); + if (!user || !user.isActive) return null; + + return { + id: user.id, + email: user.email, + role: user.role, + organizationId: user.organizationId, + firstName: user.firstName, + lastName: user.lastName, + plan: subscription.plan.value, + planFeatures: [...subscription.plan.planFeatures], + }; + } + + // ── Helpers ───────────────────────────────────────────────────────────── + + private async assertApiAccessPlan(organizationId: string): Promise { + const subscription = await this.subscriptionRepository.findByOrganizationId(organizationId); + + if (!subscription || !subscription.hasFeature('api_access')) { + throw new ForbiddenException( + "L'accès API nécessite un abonnement Gold ou Platinium. Mettez à niveau votre abonnement pour générer des clés API." + ); + } + } + + /** Format: xped_live_<64 random hex chars> */ + private buildRawKey(): string { + return `xped_live_${crypto.randomBytes(32).toString('hex')}`; + } + + private hashKey(rawKey: string): string { + return crypto.createHash('sha256').update(rawKey).digest('hex'); + } + + private toDto(apiKey: ApiKey): ApiKeyDto { + return { + id: apiKey.id, + name: apiKey.name, + keyPrefix: apiKey.keyPrefix, + isActive: apiKey.isActive, + lastUsedAt: apiKey.lastUsedAt, + expiresAt: apiKey.expiresAt, + createdAt: apiKey.createdAt, + }; + } +} diff --git a/apps/backend/src/application/auth/auth.module.ts b/apps/backend/src/application/auth/auth.module.ts index 98af8bc..fd96f43 100644 --- a/apps/backend/src/application/auth/auth.module.ts +++ b/apps/backend/src/application/auth/auth.module.ts @@ -17,6 +17,7 @@ import { TypeOrmInvitationTokenRepository } from '../../infrastructure/persisten import { UserOrmEntity } from '../../infrastructure/persistence/typeorm/entities/user.orm-entity'; import { OrganizationOrmEntity } from '../../infrastructure/persistence/typeorm/entities/organization.orm-entity'; import { InvitationTokenOrmEntity } from '../../infrastructure/persistence/typeorm/entities/invitation-token.orm-entity'; +import { PasswordResetTokenOrmEntity } from '../../infrastructure/persistence/typeorm/entities/password-reset-token.orm-entity'; import { InvitationService } from '../services/invitation.service'; import { InvitationsController } from '../controllers/invitations.controller'; import { EmailModule } from '../../infrastructure/email/email.module'; @@ -40,7 +41,7 @@ import { SubscriptionsModule } from '../subscriptions/subscriptions.module'; }), // 👇 Add this to register TypeORM repositories - TypeOrmModule.forFeature([UserOrmEntity, OrganizationOrmEntity, InvitationTokenOrmEntity]), + TypeOrmModule.forFeature([UserOrmEntity, OrganizationOrmEntity, InvitationTokenOrmEntity, PasswordResetTokenOrmEntity]), // Email module for sending invitations EmailModule, diff --git a/apps/backend/src/application/auth/auth.service.ts b/apps/backend/src/application/auth/auth.service.ts index cbcc17d..d5c0d18 100644 --- a/apps/backend/src/application/auth/auth.service.ts +++ b/apps/backend/src/application/auth/auth.service.ts @@ -5,10 +5,14 @@ import { Logger, Inject, BadRequestException, + NotFoundException, } from '@nestjs/common'; import { JwtService } from '@nestjs/jwt'; import { ConfigService } from '@nestjs/config'; import * as argon2 from 'argon2'; +import * as crypto from 'crypto'; +import { InjectRepository } from '@nestjs/typeorm'; +import { Repository, IsNull } from 'typeorm'; import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.repository'; import { User, UserRole } from '@domain/entities/user.entity'; import { @@ -16,15 +20,19 @@ import { ORGANIZATION_REPOSITORY, } from '@domain/ports/out/organization.repository'; import { Organization } from '@domain/entities/organization.entity'; +import { EmailPort, EMAIL_PORT } from '@domain/ports/out/email.port'; import { v4 as uuidv4 } from 'uuid'; import { RegisterOrganizationDto } from '../dto/auth-login.dto'; import { SubscriptionService } from '../services/subscription.service'; +import { PasswordResetTokenOrmEntity } from '../../infrastructure/persistence/typeorm/entities/password-reset-token.orm-entity'; export interface JwtPayload { sub: string; // user ID email: string; role: string; organizationId: string; + plan?: string; // subscription plan (BRONZE, SILVER, GOLD, PLATINIUM) + planFeatures?: string[]; // plan feature flags type: 'access' | 'refresh'; } @@ -37,9 +45,13 @@ export class AuthService { private readonly userRepository: UserRepository, @Inject(ORGANIZATION_REPOSITORY) private readonly organizationRepository: OrganizationRepository, + @Inject(EMAIL_PORT) + private readonly emailService: EmailPort, + @InjectRepository(PasswordResetTokenOrmEntity) + private readonly passwordResetTokenRepository: Repository, private readonly jwtService: JwtService, private readonly configService: ConfigService, - private readonly subscriptionService: SubscriptionService, + private readonly subscriptionService: SubscriptionService ) {} /** @@ -203,6 +215,85 @@ export class AuthService { } } + /** + * Initiate password reset — generates token and sends email + */ + async forgotPassword(email: string): Promise { + this.logger.log(`Password reset requested for: ${email}`); + + const user = await this.userRepository.findByEmail(email); + + // Silently succeed if user not found (security: don't reveal user existence) + if (!user || !user.isActive) { + return; + } + + // Invalidate any existing unused tokens for this user + await this.passwordResetTokenRepository.update( + { userId: user.id, usedAt: IsNull() }, + { usedAt: new Date() } + ); + + // Generate a secure random token + const token = crypto.randomBytes(32).toString('hex'); + const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour + + await this.passwordResetTokenRepository.save({ + userId: user.id, + token, + expiresAt, + usedAt: null, + }); + + await this.emailService.sendPasswordResetEmail(email, token); + + this.logger.log(`Password reset email sent to: ${email}`); + } + + /** + * Reset password using token from email + */ + async resetPassword(token: string, newPassword: string): Promise { + const resetToken = await this.passwordResetTokenRepository.findOne({ where: { token } }); + + if (!resetToken) { + throw new BadRequestException('Token de réinitialisation invalide ou expiré'); + } + + if (resetToken.usedAt) { + throw new BadRequestException('Ce lien de réinitialisation a déjà été utilisé'); + } + + if (resetToken.expiresAt < new Date()) { + throw new BadRequestException('Le lien de réinitialisation a expiré. Veuillez en demander un nouveau.'); + } + + const user = await this.userRepository.findById(resetToken.userId); + + if (!user || !user.isActive) { + throw new NotFoundException('Utilisateur introuvable'); + } + + const passwordHash = await argon2.hash(newPassword, { + type: argon2.argon2id, + memoryCost: 65536, + timeCost: 3, + parallelism: 4, + }); + + // Update password (mutates in place) + user.updatePassword(passwordHash); + await this.userRepository.save(user); + + // Mark token as used + await this.passwordResetTokenRepository.update( + { id: resetToken.id }, + { usedAt: new Date() } + ); + + this.logger.log(`Password reset successfully for user: ${user.email}`); + } + /** * Validate user from JWT payload */ @@ -220,11 +311,40 @@ export class AuthService { * Generate access and refresh tokens */ private async generateTokens(user: User): Promise<{ accessToken: string; refreshToken: string }> { + // ADMIN users always get PLATINIUM plan with no expiration + let plan = 'BRONZE'; + let planFeatures: string[] = []; + + if (user.role === UserRole.ADMIN) { + plan = 'PLATINIUM'; + planFeatures = [ + 'dashboard', + 'wiki', + 'user_management', + 'csv_export', + 'api_access', + 'custom_interface', + 'dedicated_kam', + ]; + } else { + try { + const subscription = await this.subscriptionService.getOrCreateSubscription( + user.organizationId + ); + plan = subscription.plan.value; + planFeatures = [...subscription.plan.planFeatures]; + } catch (error) { + this.logger.warn(`Failed to fetch subscription for JWT: ${error}`); + } + } + const accessPayload: JwtPayload = { sub: user.id, email: user.email, role: user.role, organizationId: user.organizationId, + plan, + planFeatures, type: 'access', }; @@ -233,6 +353,8 @@ export class AuthService { email: user.email, role: user.role, organizationId: user.organizationId, + plan, + planFeatures, type: 'refresh', }; @@ -302,6 +424,8 @@ export class AuthService { name: organizationData.name, type: organizationData.type, scac: organizationData.scac, + siren: organizationData.siren, + siret: organizationData.siret, address: { street: organizationData.street, city: organizationData.city, diff --git a/apps/backend/src/application/bookings/bookings.module.ts b/apps/backend/src/application/bookings/bookings.module.ts index bdc06e3..2fbd920 100644 --- a/apps/backend/src/application/bookings/bookings.module.ts +++ b/apps/backend/src/application/bookings/bookings.module.ts @@ -6,15 +6,18 @@ import { BookingsController } from '../controllers/bookings.controller'; import { BOOKING_REPOSITORY } from '@domain/ports/out/booking.repository'; import { RATE_QUOTE_REPOSITORY } from '@domain/ports/out/rate-quote.repository'; import { USER_REPOSITORY } from '@domain/ports/out/user.repository'; +import { SHIPMENT_COUNTER_PORT } from '@domain/ports/out/shipment-counter.port'; import { TypeOrmBookingRepository } from '../../infrastructure/persistence/typeorm/repositories/typeorm-booking.repository'; import { TypeOrmRateQuoteRepository } from '../../infrastructure/persistence/typeorm/repositories/typeorm-rate-quote.repository'; import { TypeOrmUserRepository } from '../../infrastructure/persistence/typeorm/repositories/typeorm-user.repository'; +import { TypeOrmShipmentCounterRepository } from '../../infrastructure/persistence/typeorm/repositories/shipment-counter.repository'; // Import ORM entities import { BookingOrmEntity } from '../../infrastructure/persistence/typeorm/entities/booking.orm-entity'; import { ContainerOrmEntity } from '../../infrastructure/persistence/typeorm/entities/container.orm-entity'; import { RateQuoteOrmEntity } from '../../infrastructure/persistence/typeorm/entities/rate-quote.orm-entity'; import { UserOrmEntity } from '../../infrastructure/persistence/typeorm/entities/user.orm-entity'; +import { CsvBookingOrmEntity } from '../../infrastructure/persistence/typeorm/entities/csv-booking.orm-entity'; // Import services and domain import { BookingService } from '@domain/services/booking.service'; @@ -29,6 +32,7 @@ import { StorageModule } from '../../infrastructure/storage/storage.module'; import { AuditModule } from '../audit/audit.module'; import { NotificationsModule } from '../notifications/notifications.module'; import { WebhooksModule } from '../webhooks/webhooks.module'; +import { SubscriptionsModule } from '../subscriptions/subscriptions.module'; /** * Bookings Module @@ -47,6 +51,7 @@ import { WebhooksModule } from '../webhooks/webhooks.module'; ContainerOrmEntity, RateQuoteOrmEntity, UserOrmEntity, + CsvBookingOrmEntity, ]), EmailModule, PdfModule, @@ -54,6 +59,7 @@ import { WebhooksModule } from '../webhooks/webhooks.module'; AuditModule, NotificationsModule, WebhooksModule, + SubscriptionsModule, ], controllers: [BookingsController], providers: [ @@ -73,6 +79,10 @@ import { WebhooksModule } from '../webhooks/webhooks.module'; provide: USER_REPOSITORY, useClass: TypeOrmUserRepository, }, + { + provide: SHIPMENT_COUNTER_PORT, + useClass: TypeOrmShipmentCounterRepository, + }, ], exports: [BOOKING_REPOSITORY], }) diff --git a/apps/backend/src/application/controllers/admin.controller.ts b/apps/backend/src/application/controllers/admin.controller.ts index 218aa9d..745afff 100644 --- a/apps/backend/src/application/controllers/admin.controller.ts +++ b/apps/backend/src/application/controllers/admin.controller.ts @@ -1,6 +1,7 @@ import { Controller, Get, + Post, Patch, Delete, Param, @@ -44,6 +45,16 @@ import { OrganizationResponseDto, OrganizationListResponseDto } from '../dto/org // CSV Booking imports import { TypeOrmCsvBookingRepository } from '@infrastructure/persistence/typeorm/repositories/csv-booking.repository'; +import { CsvBookingService } from '../services/csv-booking.service'; + +// SIRET verification imports +import { + SiretVerificationPort, + SIRET_VERIFICATION_PORT, +} from '@domain/ports/out/siret-verification.port'; + +// Email imports +import { EmailPort, EMAIL_PORT } from '@domain/ports/out/email.port'; /** * Admin Controller @@ -65,7 +76,11 @@ export class AdminController { @Inject(USER_REPOSITORY) private readonly userRepository: UserRepository, @Inject(ORGANIZATION_REPOSITORY) private readonly organizationRepository: OrganizationRepository, - private readonly csvBookingRepository: TypeOrmCsvBookingRepository + private readonly csvBookingRepository: TypeOrmCsvBookingRepository, + private readonly csvBookingService: CsvBookingService, + @Inject(SIRET_VERIFICATION_PORT) + private readonly siretVerificationPort: SiretVerificationPort, + @Inject(EMAIL_PORT) private readonly emailPort: EmailPort ) {} // ==================== USERS ENDPOINTS ==================== @@ -329,6 +344,163 @@ export class AdminController { return OrganizationMapper.toDto(organization); } + /** + * Verify SIRET number for an organization (admin only) + * + * Calls Pappers API to verify the SIRET, then marks the organization as verified. + */ + @Post('organizations/:id/verify-siret') + @UsePipes(new ValidationPipe({ transform: true, whitelist: true })) + @ApiOperation({ + summary: 'Verify organization SIRET (Admin only)', + description: + 'Verify the SIRET number of an organization via Pappers API and mark it as verified. Required before the organization can make purchases.', + }) + @ApiParam({ + name: 'id', + description: 'Organization ID (UUID)', + }) + @ApiResponse({ + status: HttpStatus.OK, + description: 'SIRET verification result', + schema: { + type: 'object', + properties: { + verified: { type: 'boolean' }, + companyName: { type: 'string' }, + address: { type: 'string' }, + message: { type: 'string' }, + }, + }, + }) + @ApiNotFoundResponse({ + description: 'Organization not found', + }) + async verifySiret(@Param('id', ParseUUIDPipe) id: string, @CurrentUser() user: UserPayload) { + this.logger.log(`[ADMIN: ${user.email}] Verifying SIRET for organization: ${id}`); + + const organization = await this.organizationRepository.findById(id); + if (!organization) { + throw new NotFoundException(`Organization ${id} not found`); + } + + const siret = organization.siret; + if (!siret) { + throw new BadRequestException( + 'Organization has no SIRET number. Please set a SIRET number before verification.' + ); + } + + const result = await this.siretVerificationPort.verify(siret); + + if (!result.valid) { + this.logger.warn(`[ADMIN] SIRET verification failed for ${siret}`); + return { + verified: false, + message: `Le numero SIRET ${siret} est invalide ou introuvable.`, + }; + } + + // Mark as verified and save + organization.markSiretVerified(); + await this.organizationRepository.update(organization); + + this.logger.log(`[ADMIN] SIRET verified successfully for organization: ${id}`); + + return { + verified: true, + companyName: result.companyName, + address: result.address, + message: `SIRET ${siret} verifie avec succes.`, + }; + } + + /** + * Manually approve SIRET/SIREN for an organization (admin only) + * + * Marks the organization's SIRET as verified without calling the external API. + */ + @Post('organizations/:id/approve-siret') + @ApiOperation({ + summary: 'Approve SIRET/SIREN (Admin only)', + description: + 'Manually approve the SIRET/SIREN of an organization. Marks it as verified without calling Pappers API.', + }) + @ApiParam({ name: 'id', description: 'Organization ID (UUID)' }) + @ApiResponse({ + status: HttpStatus.OK, + description: 'SIRET approved successfully', + }) + @ApiNotFoundResponse({ description: 'Organization not found' }) + async approveSiret(@Param('id', ParseUUIDPipe) id: string, @CurrentUser() user: UserPayload) { + this.logger.log(`[ADMIN: ${user.email}] Manually approving SIRET for organization: ${id}`); + + const organization = await this.organizationRepository.findById(id); + if (!organization) { + throw new NotFoundException(`Organization ${id} not found`); + } + + if (!organization.siret && !organization.siren) { + throw new BadRequestException( + "L'organisation n'a ni SIRET ni SIREN. Veuillez en renseigner un avant l'approbation." + ); + } + + organization.markSiretVerified(); + await this.organizationRepository.update(organization); + + this.logger.log(`[ADMIN] SIRET manually approved for organization: ${id}`); + + return { + approved: true, + message: 'SIRET/SIREN approuve manuellement avec succes.', + organizationId: id, + organizationName: organization.name, + }; + } + + /** + * Reject SIRET/SIREN for an organization (admin only) + * + * Resets the verification flag to false. + */ + @Post('organizations/:id/reject-siret') + @ApiOperation({ + summary: 'Reject SIRET/SIREN (Admin only)', + description: + 'Reject the SIRET/SIREN of an organization. Resets the verification status to unverified.', + }) + @ApiParam({ name: 'id', description: 'Organization ID (UUID)' }) + @ApiResponse({ + status: HttpStatus.OK, + description: 'SIRET rejected successfully', + }) + @ApiNotFoundResponse({ description: 'Organization not found' }) + async rejectSiret(@Param('id', ParseUUIDPipe) id: string, @CurrentUser() user: UserPayload) { + this.logger.log(`[ADMIN: ${user.email}] Rejecting SIRET for organization: ${id}`); + + const organization = await this.organizationRepository.findById(id); + if (!organization) { + throw new NotFoundException(`Organization ${id} not found`); + } + + // Reset SIRET verification to false by updating the SIRET (which resets siretVerified) + // If no SIRET, just update directly + if (organization.siret) { + organization.updateSiret(organization.siret); // This resets siretVerified to false + } + await this.organizationRepository.update(organization); + + this.logger.log(`[ADMIN] SIRET rejected for organization: ${id}`); + + return { + rejected: true, + message: "SIRET/SIREN rejete. L'organisation ne pourra pas effectuer d'achats.", + organizationId: id, + organizationName: organization.name, + }; + } + // ==================== CSV BOOKINGS ENDPOINTS ==================== /** @@ -440,6 +612,52 @@ export class AdminController { return this.csvBookingToDto(updatedBooking); } + /** + * Resend carrier email for a booking (admin only) + * + * Manually sends the booking request email to the carrier. + * Useful when the automatic email failed (SMTP error) or for testing without Stripe. + */ + @Post('bookings/:id/resend-carrier-email') + @ApiOperation({ + summary: 'Resend carrier email (Admin only)', + description: + 'Manually resend the booking request email to the carrier. Works regardless of payment status.', + }) + @ApiParam({ name: 'id', description: 'Booking ID (UUID)' }) + @ApiResponse({ status: 200, description: 'Email sent to carrier' }) + @ApiNotFoundResponse({ description: 'Booking not found' }) + async resendCarrierEmail( + @Param('id', ParseUUIDPipe) id: string, + @CurrentUser() user: UserPayload + ) { + this.logger.log(`[ADMIN: ${user.email}] Resending carrier email for booking: ${id}`); + await this.csvBookingService.resendCarrierEmail(id); + return { success: true, message: 'Email sent to carrier' }; + } + + /** + * Validate bank transfer for a booking (admin only) + * + * Transitions booking from PENDING_BANK_TRANSFER → PENDING and sends email to carrier + */ + @Post('bookings/:id/validate-transfer') + @ApiOperation({ + summary: 'Validate bank transfer (Admin only)', + description: + 'Admin confirms that the bank wire transfer has been received. Activates the booking and sends email to carrier.', + }) + @ApiParam({ name: 'id', description: 'Booking ID (UUID)' }) + @ApiResponse({ status: 200, description: 'Bank transfer validated, booking activated' }) + @ApiNotFoundResponse({ description: 'Booking not found' }) + async validateBankTransfer( + @Param('id', ParseUUIDPipe) id: string, + @CurrentUser() user: UserPayload + ) { + this.logger.log(`[ADMIN: ${user.email}] Validating bank transfer for booking: ${id}`); + return this.csvBookingService.validateBankTransfer(id); + } + /** * Delete csv booking (admin only) */ @@ -483,6 +701,7 @@ export class AdminController { return { id: booking.id, + bookingNumber: booking.bookingNumber || null, userId: booking.userId, organizationId: booking.organizationId, carrierName: booking.carrierName, @@ -510,6 +729,50 @@ export class AdminController { }; } + // ==================== EMAIL TEST ENDPOINT ==================== + + /** + * Send a test email to verify SMTP configuration (admin only) + * + * Returns the exact SMTP error in the response instead of only logging it. + */ + @Post('test-email') + @ApiOperation({ + summary: 'Send test email (Admin only)', + description: + 'Sends a simple test email to the given address. Returns the exact SMTP error if delivery fails — useful for diagnosing Brevo/SMTP issues.', + }) + @ApiResponse({ status: 200, description: 'Email sent successfully' }) + @ApiResponse({ status: 400, description: 'SMTP error — check the message field' }) + async sendTestEmail( + @Body() body: { to: string }, + @CurrentUser() user: UserPayload + ) { + if (!body?.to) { + throw new BadRequestException('Field "to" is required'); + } + + this.logger.log(`[ADMIN: ${user.email}] Sending test email to ${body.to}`); + + try { + await this.emailPort.send({ + to: body.to, + subject: '[Xpeditis] Test SMTP', + html: `

Email de test envoyé depuis le panel admin par ${user.email}.

Si vous lisez ceci, la configuration SMTP fonctionne correctement.

`, + text: `Email de test envoyé par ${user.email}. Si vous lisez ceci, le SMTP fonctionne.`, + }); + + this.logger.log(`[ADMIN] Test email sent successfully to ${body.to}`); + return { success: true, message: `Email envoyé avec succès à ${body.to}` }; + } catch (error: any) { + this.logger.error(`[ADMIN] Test email FAILED to ${body.to}: ${error?.message}`, error?.stack); + throw new BadRequestException( + `Échec SMTP — ${error?.message ?? 'erreur inconnue'}. ` + + `Code: ${error?.code ?? 'N/A'}, Response: ${error?.response ?? 'N/A'}` + ); + } + } + // ==================== DOCUMENTS ENDPOINTS ==================== /** @@ -597,4 +860,55 @@ export class AdminController { total: organization.documents.length, }; } + + /** + * Delete a document from a CSV booking (admin only) + * Bypasses ownership and status restrictions + */ + @Delete('bookings/:bookingId/documents/:documentId') + @HttpCode(HttpStatus.OK) + @ApiOperation({ + summary: 'Delete document from CSV booking (Admin only)', + description: 'Remove a document from a booking, bypassing ownership and status restrictions.', + }) + @ApiResponse({ + status: HttpStatus.OK, + description: 'Document deleted successfully', + }) + async deleteDocument( + @Param('bookingId', ParseUUIDPipe) bookingId: string, + @Param('documentId', ParseUUIDPipe) documentId: string, + @CurrentUser() user: UserPayload + ): Promise<{ success: boolean; message: string }> { + this.logger.log(`[ADMIN: ${user.email}] Deleting document ${documentId} from booking ${bookingId}`); + + const booking = await this.csvBookingRepository.findById(bookingId); + if (!booking) { + throw new NotFoundException(`Booking ${bookingId} not found`); + } + + const documentIndex = booking.documents.findIndex(doc => doc.id === documentId); + if (documentIndex === -1) { + throw new NotFoundException(`Document ${documentId} not found`); + } + + const updatedDocuments = booking.documents.filter(doc => doc.id !== documentId); + + const ormBooking = await this.csvBookingRepository['repository'].findOne({ where: { id: bookingId } }); + if (ormBooking) { + ormBooking.documents = updatedDocuments.map(doc => ({ + id: doc.id, + type: doc.type, + fileName: doc.fileName, + filePath: doc.filePath, + mimeType: doc.mimeType, + size: doc.size, + uploadedAt: doc.uploadedAt, + })); + await this.csvBookingRepository['repository'].save(ormBooking); + } + + this.logger.log(`[ADMIN] Document ${documentId} deleted from booking ${bookingId}`); + return { success: true, message: 'Document deleted successfully' }; + } } diff --git a/apps/backend/src/application/controllers/admin/csv-rates.controller.ts b/apps/backend/src/application/controllers/admin/csv-rates.controller.ts index fe1c5c6..f7df27c 100644 --- a/apps/backend/src/application/controllers/admin/csv-rates.controller.ts +++ b/apps/backend/src/application/controllers/admin/csv-rates.controller.ts @@ -489,6 +489,7 @@ export class CsvRatesAdminController { size: fileSize, uploadedAt: config.uploadedAt.toISOString(), rowCount: config.rowCount, + companyEmail: config.metadata?.companyEmail ?? null, }; }); diff --git a/apps/backend/src/application/controllers/auth.controller.ts b/apps/backend/src/application/controllers/auth.controller.ts index 256490c..d35f172 100644 --- a/apps/backend/src/application/controllers/auth.controller.ts +++ b/apps/backend/src/application/controllers/auth.controller.ts @@ -8,10 +8,21 @@ import { Get, Inject, NotFoundException, + InternalServerErrorException, + Logger, } from '@nestjs/common'; import { ApiTags, ApiOperation, ApiResponse, ApiBearerAuth } from '@nestjs/swagger'; import { AuthService } from '../auth/auth.service'; -import { LoginDto, RegisterDto, AuthResponseDto, RefreshTokenDto } from '../dto/auth-login.dto'; +import { + LoginDto, + RegisterDto, + AuthResponseDto, + RefreshTokenDto, + ForgotPasswordDto, + ResetPasswordDto, + ContactFormDto, +} from '../dto/auth-login.dto'; +import { EmailPort, EMAIL_PORT } from '@domain/ports/out/email.port'; import { Public } from '../decorators/public.decorator'; import { CurrentUser, UserPayload } from '../decorators/current-user.decorator'; import { JwtAuthGuard } from '../guards/jwt-auth.guard'; @@ -32,10 +43,13 @@ import { InvitationService } from '../services/invitation.service'; @ApiTags('Authentication') @Controller('auth') export class AuthController { + private readonly logger = new Logger(AuthController.name); + constructor( private readonly authService: AuthService, @Inject(USER_REPOSITORY) private readonly userRepository: UserRepository, - private readonly invitationService: InvitationService + private readonly invitationService: InvitationService, + @Inject(EMAIL_PORT) private readonly emailService: EmailPort ) {} /** @@ -209,6 +223,113 @@ export class AuthController { return { message: 'Logout successful' }; } + /** + * Contact form — forwards message to contact@xpeditis.com + */ + @Public() + @Post('contact') + @HttpCode(HttpStatus.OK) + @ApiOperation({ + summary: 'Contact form', + description: 'Send a contact message to the Xpeditis team.', + }) + @ApiResponse({ status: 200, description: 'Message sent successfully' }) + async contact(@Body() dto: ContactFormDto): Promise<{ message: string }> { + const subjectLabels: Record = { + demo: 'Demande de démonstration', + pricing: 'Questions sur les tarifs', + partnership: 'Partenariat', + support: 'Support technique', + press: 'Relations presse', + careers: 'Recrutement', + other: 'Autre', + }; + + const subjectLabel = subjectLabels[dto.subject] || dto.subject; + + const html = ` +
+
+

Nouveau message de contact

+
+
+ + + + + + + + + + ${dto.company ? `` : ''} + ${dto.phone ? `` : ''} + + + + +
Nom${dto.firstName} ${dto.lastName}
Email${dto.email}
Entreprise${dto.company}
Téléphone${dto.phone}
Sujet${subjectLabel}
+
+

Message :

+

${dto.message}

+
+
+
+

Xpeditis — Formulaire de contact

+
+
+ `; + + try { + await this.emailService.send({ + to: 'contact@xpeditis.com', + replyTo: dto.email, + subject: `[Contact] ${subjectLabel} — ${dto.firstName} ${dto.lastName}`, + html, + }); + } catch (error) { + this.logger.error(`Failed to send contact email: ${error}`); + throw new InternalServerErrorException("Erreur lors de l'envoi du message. Veuillez réessayer."); + } + + return { message: 'Message envoyé avec succès.' }; + } + + /** + * Forgot password — sends reset email + */ + @Public() + @Post('forgot-password') + @HttpCode(HttpStatus.OK) + @ApiOperation({ + summary: 'Forgot password', + description: 'Send a password reset email. Always returns 200 to avoid user enumeration.', + }) + @ApiResponse({ status: 200, description: 'Reset email sent (if account exists)' }) + async forgotPassword(@Body() dto: ForgotPasswordDto): Promise<{ message: string }> { + await this.authService.forgotPassword(dto.email); + return { + message: 'Si un compte existe avec cet email, vous recevrez un lien de réinitialisation.', + }; + } + + /** + * Reset password using token from email + */ + @Public() + @Post('reset-password') + @HttpCode(HttpStatus.OK) + @ApiOperation({ + summary: 'Reset password', + description: 'Reset user password using the token received by email.', + }) + @ApiResponse({ status: 200, description: 'Password reset successfully' }) + @ApiResponse({ status: 400, description: 'Invalid or expired token' }) + async resetPassword(@Body() dto: ResetPasswordDto): Promise<{ message: string }> { + await this.authService.resetPassword(dto.token, dto.newPassword); + return { message: 'Mot de passe réinitialisé avec succès.' }; + } + /** * Get current user profile * diff --git a/apps/backend/src/application/controllers/bookings.controller.ts b/apps/backend/src/application/controllers/bookings.controller.ts index 386c25d..921aa73 100644 --- a/apps/backend/src/application/controllers/bookings.controller.ts +++ b/apps/backend/src/application/controllers/bookings.controller.ts @@ -53,6 +53,12 @@ import { NotificationService } from '../services/notification.service'; import { NotificationsGateway } from '../gateways/notifications.gateway'; import { WebhookService } from '../services/webhook.service'; import { WebhookEvent } from '@domain/entities/webhook.entity'; +import { + ShipmentCounterPort, + SHIPMENT_COUNTER_PORT, +} from '@domain/ports/out/shipment-counter.port'; +import { SubscriptionService } from '../services/subscription.service'; +import { ShipmentLimitExceededException } from '@domain/exceptions/shipment-limit-exceeded.exception'; @ApiTags('Bookings') @Controller('bookings') @@ -70,7 +76,9 @@ export class BookingsController { private readonly auditService: AuditService, private readonly notificationService: NotificationService, private readonly notificationsGateway: NotificationsGateway, - private readonly webhookService: WebhookService + private readonly webhookService: WebhookService, + @Inject(SHIPMENT_COUNTER_PORT) private readonly shipmentCounter: ShipmentCounterPort, + private readonly subscriptionService: SubscriptionService ) {} @Post() @@ -105,6 +113,22 @@ export class BookingsController { ): Promise { this.logger.log(`[User: ${user.email}] Creating booking for rate quote: ${dto.rateQuoteId}`); + // Check shipment limit for Bronze plan + const subscription = await this.subscriptionService.getOrCreateSubscription( + user.organizationId + ); + const maxShipments = subscription.plan.maxShipmentsPerYear; + if (maxShipments !== -1) { + const currentYear = new Date().getFullYear(); + const count = await this.shipmentCounter.countShipmentsForOrganizationInYear( + user.organizationId, + currentYear + ); + if (count >= maxShipments) { + throw new ShipmentLimitExceededException(user.organizationId, count, maxShipments); + } + } + try { // Convert DTO to domain input, using authenticated user's data const input = { @@ -456,9 +480,16 @@ export class BookingsController { // Filter out bookings or rate quotes that are null const bookingsWithQuotes = bookingsWithQuotesRaw.filter( - (item): item is { booking: NonNullable; rateQuote: NonNullable } => - item.booking !== null && item.booking !== undefined && - item.rateQuote !== null && item.rateQuote !== undefined + ( + item + ): item is { + booking: NonNullable; + rateQuote: NonNullable; + } => + item.booking !== null && + item.booking !== undefined && + item.rateQuote !== null && + item.rateQuote !== undefined ); // Convert to DTOs diff --git a/apps/backend/src/application/controllers/csv-bookings.controller.ts b/apps/backend/src/application/controllers/csv-bookings.controller.ts index 6ee0ad0..07a19ca 100644 --- a/apps/backend/src/application/controllers/csv-bookings.controller.ts +++ b/apps/backend/src/application/controllers/csv-bookings.controller.ts @@ -12,9 +12,12 @@ import { UploadedFiles, Request, BadRequestException, + ForbiddenException, ParseIntPipe, DefaultValuePipe, + Inject, } from '@nestjs/common'; +import { ConfigService } from '@nestjs/config'; import { FilesInterceptor } from '@nestjs/platform-express'; import { ApiTags, @@ -29,6 +32,16 @@ import { import { JwtAuthGuard } from '../guards/jwt-auth.guard'; import { Public } from '../decorators/public.decorator'; import { CsvBookingService } from '../services/csv-booking.service'; +import { SubscriptionService } from '../services/subscription.service'; +import { + ShipmentCounterPort, + SHIPMENT_COUNTER_PORT, +} from '@domain/ports/out/shipment-counter.port'; +import { + OrganizationRepository, + ORGANIZATION_REPOSITORY, +} from '@domain/ports/out/organization.repository'; +import { ShipmentLimitExceededException } from '@domain/exceptions/shipment-limit-exceeded.exception'; import { CreateCsvBookingDto, CsvBookingResponseDto, @@ -48,7 +61,15 @@ import { @ApiTags('CSV Bookings') @Controller('csv-bookings') export class CsvBookingsController { - constructor(private readonly csvBookingService: CsvBookingService) {} + constructor( + private readonly csvBookingService: CsvBookingService, + private readonly subscriptionService: SubscriptionService, + private readonly configService: ConfigService, + @Inject(SHIPMENT_COUNTER_PORT) + private readonly shipmentCounter: ShipmentCounterPort, + @Inject(ORGANIZATION_REPOSITORY) + private readonly organizationRepository: OrganizationRepository + ) {} // ============================================================================ // STATIC ROUTES (must come FIRST) @@ -60,7 +81,6 @@ export class CsvBookingsController { * POST /api/v1/csv-bookings */ @Post() - @UseGuards(JwtAuthGuard) @ApiBearerAuth() @UseInterceptors(FilesInterceptor('documents', 10)) @ApiConsumes('multipart/form-data') @@ -144,6 +164,23 @@ export class CsvBookingsController { const userId = req.user.id; const organizationId = req.user.organizationId; + // ADMIN users bypass shipment limits + if (req.user.role !== 'ADMIN') { + // Check shipment limit (Bronze plan = 12/year) + const subscription = await this.subscriptionService.getOrCreateSubscription(organizationId); + const maxShipments = subscription.plan.maxShipmentsPerYear; + if (maxShipments !== -1) { + const currentYear = new Date().getFullYear(); + const count = await this.shipmentCounter.countShipmentsForOrganizationInYear( + organizationId, + currentYear + ); + if (count >= maxShipments) { + throw new ShipmentLimitExceededException(organizationId, count, maxShipments); + } + } + } + // Convert string values to numbers (multipart/form-data sends everything as strings) const sanitizedDto: CreateCsvBookingDto = { ...dto, @@ -341,6 +378,126 @@ export class CsvBookingsController { }; } + /** + * Create Stripe Checkout session for commission payment + * + * POST /api/v1/csv-bookings/:id/pay + */ + @Post(':id/pay') + @UseGuards(JwtAuthGuard) + @ApiBearerAuth() + @ApiOperation({ + summary: 'Pay commission for a booking', + description: + 'Creates a Stripe Checkout session for the commission payment. Returns the Stripe session URL to redirect the user to.', + }) + @ApiParam({ name: 'id', description: 'Booking ID (UUID)' }) + @ApiResponse({ + status: 200, + description: 'Stripe checkout session created', + schema: { + type: 'object', + properties: { + sessionUrl: { type: 'string' }, + sessionId: { type: 'string' }, + commissionAmountEur: { type: 'number' }, + }, + }, + }) + @ApiResponse({ status: 400, description: 'Booking not in PENDING_PAYMENT status' }) + @ApiResponse({ status: 404, description: 'Booking not found' }) + async payCommission(@Param('id') id: string, @Request() req: any) { + const userId = req.user.id; + const userEmail = req.user.email; + const organizationId = req.user.organizationId; + const frontendUrl = this.configService.get('FRONTEND_URL') || 'http://localhost:3000'; + + // ADMIN users bypass SIRET verification + if (req.user.role !== 'ADMIN') { + // SIRET verification gate: organization must have a verified SIRET before paying + const organization = await this.organizationRepository.findById(organizationId); + if (!organization || !organization.siretVerified) { + throw new ForbiddenException( + 'Le numero SIRET de votre organisation doit etre verifie par un administrateur avant de pouvoir effectuer un paiement. Contactez votre administrateur.' + ); + } + } + + return await this.csvBookingService.createCommissionPayment(id, userId, userEmail, frontendUrl); + } + + /** + * Confirm commission payment after Stripe redirect + * + * POST /api/v1/csv-bookings/:id/confirm-payment + */ + @Post(':id/confirm-payment') + @UseGuards(JwtAuthGuard) + @ApiBearerAuth() + @ApiOperation({ + summary: 'Confirm commission payment', + description: + 'Called after Stripe payment success. Verifies the payment, updates booking to PENDING, sends email to carrier.', + }) + @ApiParam({ name: 'id', description: 'Booking ID (UUID)' }) + @ApiBody({ + schema: { + type: 'object', + required: ['sessionId'], + properties: { + sessionId: { type: 'string', description: 'Stripe Checkout session ID' }, + }, + }, + }) + @ApiResponse({ + status: 200, + description: 'Payment confirmed, booking activated', + type: CsvBookingResponseDto, + }) + @ApiResponse({ status: 400, description: 'Payment not completed or session mismatch' }) + @ApiResponse({ status: 404, description: 'Booking not found' }) + async confirmPayment( + @Param('id') id: string, + @Body('sessionId') sessionId: string, + @Request() req: any + ): Promise { + if (!sessionId) { + throw new BadRequestException('sessionId is required'); + } + + const userId = req.user.id; + return await this.csvBookingService.confirmCommissionPayment(id, sessionId, userId); + } + + /** + * Declare bank transfer — user confirms they have sent the wire transfer + * + * POST /api/v1/csv-bookings/:id/declare-transfer + */ + @Post(':id/declare-transfer') + @UseGuards(JwtAuthGuard) + @ApiBearerAuth() + @ApiOperation({ + summary: 'Declare bank transfer', + description: + 'User confirms they have sent the bank wire transfer. Transitions booking to PENDING_BANK_TRANSFER awaiting admin validation.', + }) + @ApiParam({ name: 'id', description: 'Booking ID (UUID)' }) + @ApiResponse({ + status: 200, + description: 'Bank transfer declared, booking awaiting admin validation', + type: CsvBookingResponseDto, + }) + @ApiResponse({ status: 400, description: 'Booking not in PENDING_PAYMENT status' }) + @ApiResponse({ status: 404, description: 'Booking not found' }) + async declareTransfer( + @Param('id') id: string, + @Request() req: any + ): Promise { + const userId = req.user.id; + return await this.csvBookingService.declareBankTransfer(id, userId); + } + // ============================================================================ // PARAMETERIZED ROUTES (must come LAST) // ============================================================================ diff --git a/apps/backend/src/application/controllers/gdpr.controller.ts b/apps/backend/src/application/controllers/gdpr.controller.ts index 1c77436..ee37702 100644 --- a/apps/backend/src/application/controllers/gdpr.controller.ts +++ b/apps/backend/src/application/controllers/gdpr.controller.ts @@ -22,12 +22,7 @@ import { JwtAuthGuard } from '../guards/jwt-auth.guard'; import { CurrentUser } from '../decorators/current-user.decorator'; import { UserPayload } from '../decorators/current-user.decorator'; import { GDPRService } from '../services/gdpr.service'; -import { - UpdateConsentDto, - ConsentResponseDto, - WithdrawConsentDto, - ConsentSuccessDto, -} from '../dto/consent.dto'; +import { UpdateConsentDto, ConsentResponseDto, WithdrawConsentDto } from '../dto/consent.dto'; @ApiTags('GDPR') @Controller('gdpr') diff --git a/apps/backend/src/application/controllers/invitations.controller.ts b/apps/backend/src/application/controllers/invitations.controller.ts index 40436d2..e596276 100644 --- a/apps/backend/src/application/controllers/invitations.controller.ts +++ b/apps/backend/src/application/controllers/invitations.controller.ts @@ -2,6 +2,7 @@ import { Controller, Post, Get, + Delete, Body, UseGuards, HttpCode, @@ -71,7 +72,8 @@ export class InvitationsController { dto.lastName, dto.role as unknown as UserRole, user.organizationId, - user.id + user.id, + user.role ); return { @@ -136,6 +138,29 @@ export class InvitationsController { }; } + /** + * Cancel (delete) a pending invitation + */ + @Delete(':id') + @HttpCode(HttpStatus.NO_CONTENT) + @UseGuards(JwtAuthGuard, RolesGuard) + @Roles('admin', 'manager') + @ApiBearerAuth() + @ApiOperation({ + summary: 'Cancel invitation', + description: 'Delete a pending invitation. Admin/manager only.', + }) + @ApiResponse({ status: 204, description: 'Invitation cancelled' }) + @ApiResponse({ status: 404, description: 'Invitation not found' }) + @ApiResponse({ status: 400, description: 'Invitation already used' }) + async cancelInvitation( + @Param('id') id: string, + @CurrentUser() user: UserPayload + ): Promise { + this.logger.log(`[User: ${user.email}] Cancelling invitation: ${id}`); + await this.invitationService.cancelInvitation(id, user.organizationId); + } + /** * List organization invitations */ diff --git a/apps/backend/src/application/controllers/subscriptions.controller.ts b/apps/backend/src/application/controllers/subscriptions.controller.ts index f3e933b..bc806d1 100644 --- a/apps/backend/src/application/controllers/subscriptions.controller.ts +++ b/apps/backend/src/application/controllers/subscriptions.controller.ts @@ -22,6 +22,8 @@ import { Headers, RawBodyRequest, Req, + Inject, + ForbiddenException, } from '@nestjs/common'; import { ApiTags, @@ -47,13 +49,21 @@ import { RolesGuard } from '../guards/roles.guard'; import { Roles } from '../decorators/roles.decorator'; import { CurrentUser, UserPayload } from '../decorators/current-user.decorator'; import { Public } from '../decorators/public.decorator'; +import { + OrganizationRepository, + ORGANIZATION_REPOSITORY, +} from '@domain/ports/out/organization.repository'; @ApiTags('Subscriptions') @Controller('subscriptions') export class SubscriptionsController { private readonly logger = new Logger(SubscriptionsController.name); - constructor(private readonly subscriptionService: SubscriptionService) {} + constructor( + private readonly subscriptionService: SubscriptionService, + @Inject(ORGANIZATION_REPOSITORY) + private readonly organizationRepository: OrganizationRepository + ) {} /** * Get subscription overview for current organization @@ -77,10 +87,10 @@ export class SubscriptionsController { description: 'Forbidden - requires admin or manager role', }) async getSubscriptionOverview( - @CurrentUser() user: UserPayload, + @CurrentUser() user: UserPayload ): Promise { this.logger.log(`[User: ${user.email}] Getting subscription overview`); - return this.subscriptionService.getSubscriptionOverview(user.organizationId); + return this.subscriptionService.getSubscriptionOverview(user.organizationId, user.role); } /** @@ -126,7 +136,7 @@ export class SubscriptionsController { }) async canInvite(@CurrentUser() user: UserPayload): Promise { this.logger.log(`[User: ${user.email}] Checking license availability`); - return this.subscriptionService.canInviteUser(user.organizationId); + return this.subscriptionService.canInviteUser(user.organizationId, user.role); } /** @@ -139,8 +149,7 @@ export class SubscriptionsController { @ApiBearerAuth() @ApiOperation({ summary: 'Create checkout session', - description: - 'Create a Stripe Checkout session for upgrading subscription. Admin/Manager only.', + description: 'Create a Stripe Checkout session for upgrading subscription. Admin/Manager only.', }) @ApiResponse({ status: 200, @@ -157,14 +166,22 @@ export class SubscriptionsController { }) async createCheckoutSession( @Body() dto: CreateCheckoutSessionDto, - @CurrentUser() user: UserPayload, + @CurrentUser() user: UserPayload ): Promise { this.logger.log(`[User: ${user.email}] Creating checkout session for plan: ${dto.plan}`); - return this.subscriptionService.createCheckoutSession( - user.organizationId, - user.id, - dto, - ); + + // ADMIN users bypass all payment restrictions + if (user.role !== 'ADMIN') { + // SIRET verification gate: organization must have a verified SIRET before purchasing + const organization = await this.organizationRepository.findById(user.organizationId); + if (!organization || !organization.siretVerified) { + throw new ForbiddenException( + 'Le numero SIRET de votre organisation doit etre verifie par un administrateur avant de pouvoir effectuer un achat. Contactez votre administrateur.' + ); + } + } + + return this.subscriptionService.createCheckoutSession(user.organizationId, user.id, dto); } /** @@ -195,7 +212,7 @@ export class SubscriptionsController { }) async createPortalSession( @Body() dto: CreatePortalSessionDto, - @CurrentUser() user: UserPayload, + @CurrentUser() user: UserPayload ): Promise { this.logger.log(`[User: ${user.email}] Creating portal session`); return this.subscriptionService.createPortalSession(user.organizationId, dto); @@ -230,10 +247,10 @@ export class SubscriptionsController { }) async syncFromStripe( @Body() dto: SyncSubscriptionDto, - @CurrentUser() user: UserPayload, + @CurrentUser() user: UserPayload ): Promise { this.logger.log( - `[User: ${user.email}] Syncing subscription from Stripe${dto.sessionId ? ` (sessionId: ${dto.sessionId})` : ''}`, + `[User: ${user.email}] Syncing subscription from Stripe${dto.sessionId ? ` (sessionId: ${dto.sessionId})` : ''}` ); return this.subscriptionService.syncFromStripe(user.organizationId, dto.sessionId); } @@ -247,7 +264,7 @@ export class SubscriptionsController { @ApiExcludeEndpoint() async handleWebhook( @Headers('stripe-signature') signature: string, - @Req() req: RawBodyRequest, + @Req() req: RawBodyRequest ): Promise<{ received: boolean }> { const rawBody = req.rawBody; if (!rawBody) { diff --git a/apps/backend/src/application/controllers/users.controller.ts b/apps/backend/src/application/controllers/users.controller.ts index 99793db..8483b6a 100644 --- a/apps/backend/src/application/controllers/users.controller.ts +++ b/apps/backend/src/application/controllers/users.controller.ts @@ -44,8 +44,10 @@ import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.reposito import { User, UserRole as DomainUserRole } from '@domain/entities/user.entity'; import { JwtAuthGuard } from '../guards/jwt-auth.guard'; import { RolesGuard } from '../guards/roles.guard'; +import { FeatureFlagGuard } from '../guards/feature-flag.guard'; import { CurrentUser, UserPayload } from '../decorators/current-user.decorator'; import { Roles } from '../decorators/roles.decorator'; +import { RequiresFeature } from '../decorators/requires-feature.decorator'; import { v4 as uuidv4 } from 'uuid'; import * as argon2 from 'argon2'; import * as crypto from 'crypto'; @@ -64,14 +66,15 @@ import { SubscriptionService } from '../services/subscription.service'; */ @ApiTags('Users') @Controller('users') -@UseGuards(JwtAuthGuard, RolesGuard) +@UseGuards(JwtAuthGuard, RolesGuard, FeatureFlagGuard) +@RequiresFeature('user_management') @ApiBearerAuth() export class UsersController { private readonly logger = new Logger(UsersController.name); constructor( @Inject(USER_REPOSITORY) private readonly userRepository: UserRepository, - private readonly subscriptionService: SubscriptionService, + private readonly subscriptionService: SubscriptionService ) {} /** @@ -284,7 +287,7 @@ export class UsersController { } catch (error) { this.logger.error(`Failed to reallocate license for user ${id}:`, error); throw new ForbiddenException( - 'Cannot reactivate user: no licenses available. Please upgrade your subscription.', + 'Cannot reactivate user: no licenses available. Please upgrade your subscription.' ); } } else { diff --git a/apps/backend/src/application/csv-bookings.module.ts b/apps/backend/src/application/csv-bookings.module.ts index b9b1ef2..6330924 100644 --- a/apps/backend/src/application/csv-bookings.module.ts +++ b/apps/backend/src/application/csv-bookings.module.ts @@ -1,13 +1,24 @@ import { Module } from '@nestjs/common'; import { TypeOrmModule } from '@nestjs/typeorm'; +import { ConfigModule } from '@nestjs/config'; import { CsvBookingsController } from './controllers/csv-bookings.controller'; import { CsvBookingActionsController } from './controllers/csv-booking-actions.controller'; import { CsvBookingService } from './services/csv-booking.service'; import { CsvBookingOrmEntity } from '../infrastructure/persistence/typeorm/entities/csv-booking.orm-entity'; import { TypeOrmCsvBookingRepository } from '../infrastructure/persistence/typeorm/repositories/csv-booking.repository'; +import { TypeOrmShipmentCounterRepository } from '../infrastructure/persistence/typeorm/repositories/shipment-counter.repository'; +import { SHIPMENT_COUNTER_PORT } from '@domain/ports/out/shipment-counter.port'; +import { ORGANIZATION_REPOSITORY } from '@domain/ports/out/organization.repository'; +import { OrganizationOrmEntity } from '../infrastructure/persistence/typeorm/entities/organization.orm-entity'; +import { TypeOrmOrganizationRepository } from '../infrastructure/persistence/typeorm/repositories/typeorm-organization.repository'; +import { USER_REPOSITORY } from '@domain/ports/out/user.repository'; +import { UserOrmEntity } from '../infrastructure/persistence/typeorm/entities/user.orm-entity'; +import { TypeOrmUserRepository } from '../infrastructure/persistence/typeorm/repositories/typeorm-user.repository'; import { NotificationsModule } from './notifications/notifications.module'; import { EmailModule } from '../infrastructure/email/email.module'; import { StorageModule } from '../infrastructure/storage/storage.module'; +import { SubscriptionsModule } from './subscriptions/subscriptions.module'; +import { StripeModule } from '../infrastructure/stripe/stripe.module'; /** * CSV Bookings Module @@ -16,13 +27,31 @@ import { StorageModule } from '../infrastructure/storage/storage.module'; */ @Module({ imports: [ - TypeOrmModule.forFeature([CsvBookingOrmEntity]), + TypeOrmModule.forFeature([CsvBookingOrmEntity, OrganizationOrmEntity, UserOrmEntity]), + ConfigModule, NotificationsModule, EmailModule, StorageModule, + SubscriptionsModule, + StripeModule, ], controllers: [CsvBookingsController, CsvBookingActionsController], - providers: [CsvBookingService, TypeOrmCsvBookingRepository], + providers: [ + CsvBookingService, + TypeOrmCsvBookingRepository, + { + provide: SHIPMENT_COUNTER_PORT, + useClass: TypeOrmShipmentCounterRepository, + }, + { + provide: ORGANIZATION_REPOSITORY, + useClass: TypeOrmOrganizationRepository, + }, + { + provide: USER_REPOSITORY, + useClass: TypeOrmUserRepository, + }, + ], exports: [CsvBookingService, TypeOrmCsvBookingRepository], }) export class CsvBookingsModule {} diff --git a/apps/backend/src/application/dashboard/dashboard.controller.ts b/apps/backend/src/application/dashboard/dashboard.controller.ts index 12d6d2f..77c1dc8 100644 --- a/apps/backend/src/application/dashboard/dashboard.controller.ts +++ b/apps/backend/src/application/dashboard/dashboard.controller.ts @@ -7,9 +7,12 @@ import { Controller, Get, UseGuards, Request } from '@nestjs/common'; import { AnalyticsService } from '../services/analytics.service'; import { JwtAuthGuard } from '../guards/jwt-auth.guard'; +import { FeatureFlagGuard } from '../guards/feature-flag.guard'; +import { RequiresFeature } from '../decorators/requires-feature.decorator'; @Controller('dashboard') -@UseGuards(JwtAuthGuard) +@UseGuards(JwtAuthGuard, FeatureFlagGuard) +@RequiresFeature('dashboard') export class DashboardController { constructor(private readonly analyticsService: AnalyticsService) {} diff --git a/apps/backend/src/application/dashboard/dashboard.module.ts b/apps/backend/src/application/dashboard/dashboard.module.ts index 75cfaf8..b483b11 100644 --- a/apps/backend/src/application/dashboard/dashboard.module.ts +++ b/apps/backend/src/application/dashboard/dashboard.module.ts @@ -8,11 +8,13 @@ import { AnalyticsService } from '../services/analytics.service'; import { BookingsModule } from '../bookings/bookings.module'; import { RatesModule } from '../rates/rates.module'; import { CsvBookingsModule } from '../csv-bookings.module'; +import { SubscriptionsModule } from '../subscriptions/subscriptions.module'; +import { FeatureFlagGuard } from '../guards/feature-flag.guard'; @Module({ - imports: [BookingsModule, RatesModule, CsvBookingsModule], + imports: [BookingsModule, RatesModule, CsvBookingsModule, SubscriptionsModule], controllers: [DashboardController], - providers: [AnalyticsService], + providers: [AnalyticsService, FeatureFlagGuard], exports: [AnalyticsService], }) export class DashboardModule {} diff --git a/apps/backend/src/application/decorators/requires-feature.decorator.ts b/apps/backend/src/application/decorators/requires-feature.decorator.ts new file mode 100644 index 0000000..cdbe677 --- /dev/null +++ b/apps/backend/src/application/decorators/requires-feature.decorator.ts @@ -0,0 +1,15 @@ +import { SetMetadata } from '@nestjs/common'; +import { PlanFeature } from '@domain/value-objects/plan-feature.vo'; + +export const REQUIRED_FEATURES_KEY = 'requiredFeatures'; + +/** + * Decorator to require specific plan features for a route. + * Works with FeatureFlagGuard to enforce access control. + * + * Usage: + * @RequiresFeature('dashboard') + * @RequiresFeature('csv_export', 'api_access') + */ +export const RequiresFeature = (...features: PlanFeature[]) => + SetMetadata(REQUIRED_FEATURES_KEY, features); diff --git a/apps/backend/src/application/dto/api-key.dto.ts b/apps/backend/src/application/dto/api-key.dto.ts new file mode 100644 index 0000000..17b9e17 --- /dev/null +++ b/apps/backend/src/application/dto/api-key.dto.ts @@ -0,0 +1,63 @@ +import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; +import { IsDateString, IsNotEmpty, IsOptional, IsString, MaxLength } from 'class-validator'; + +export class CreateApiKeyDto { + @ApiProperty({ + description: 'Nom de la clé API (pour identification)', + example: 'Intégration ERP Production', + maxLength: 100, + }) + @IsString() + @IsNotEmpty() + @MaxLength(100) + name: string; + + @ApiPropertyOptional({ + description: "Date d'expiration de la clé (ISO 8601). Si absent, la clé n'expire pas.", + example: '2027-01-01T00:00:00.000Z', + }) + @IsOptional() + @IsDateString() + expiresAt?: string; +} + +export class ApiKeyDto { + @ApiProperty({ description: 'Identifiant unique de la clé', example: 'uuid-here' }) + id: string; + + @ApiProperty({ description: 'Nom de la clé', example: 'Intégration ERP Production' }) + name: string; + + @ApiProperty({ + description: 'Préfixe de la clé (pour identification visuelle)', + example: 'xped_live_a1b2c3d4', + }) + keyPrefix: string; + + @ApiProperty({ description: 'La clé est-elle active', example: true }) + isActive: boolean; + + @ApiPropertyOptional({ + description: 'Dernière utilisation de la clé', + example: '2025-03-20T14:30:00.000Z', + }) + lastUsedAt: Date | null; + + @ApiPropertyOptional({ + description: "Date d'expiration", + example: '2027-01-01T00:00:00.000Z', + }) + expiresAt: Date | null; + + @ApiProperty({ description: 'Date de création', example: '2025-03-26T10:00:00.000Z' }) + createdAt: Date; +} + +export class CreateApiKeyResultDto extends ApiKeyDto { + @ApiProperty({ + description: + 'Clé API complète — affichée UNE SEULE FOIS. Conservez-la en lieu sûr, elle ne sera plus visible.', + example: 'xped_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2', + }) + fullKey: string; +} diff --git a/apps/backend/src/application/dto/auth-login.dto.ts b/apps/backend/src/application/dto/auth-login.dto.ts index 20aec51..93a292c 100644 --- a/apps/backend/src/application/dto/auth-login.dto.ts +++ b/apps/backend/src/application/dto/auth-login.dto.ts @@ -7,6 +7,7 @@ import { IsEnum, MaxLength, Matches, + IsBoolean, } from 'class-validator'; import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; import { Type } from 'class-transformer'; @@ -22,12 +23,81 @@ export class LoginDto { @ApiProperty({ example: 'SecurePassword123!', - description: 'Password (minimum 12 characters)', + description: 'Password', + }) + @IsString() + password: string; + + @ApiPropertyOptional({ + example: true, + description: 'Remember me for extended session', + }) + @IsBoolean() + @IsOptional() + rememberMe?: boolean; +} + +export class ContactFormDto { + @ApiProperty({ example: 'Jean', description: 'First name' }) + @IsString() + @MinLength(1) + firstName: string; + + @ApiProperty({ example: 'Dupont', description: 'Last name' }) + @IsString() + @MinLength(1) + lastName: string; + + @ApiProperty({ example: 'jean@acme.com', description: 'Sender email' }) + @IsEmail({}, { message: 'Invalid email format' }) + email: string; + + @ApiPropertyOptional({ example: 'Acme Logistics', description: 'Company name' }) + @IsString() + @IsOptional() + company?: string; + + @ApiPropertyOptional({ example: '+33 6 12 34 56 78', description: 'Phone number' }) + @IsString() + @IsOptional() + phone?: string; + + @ApiProperty({ example: 'demo', description: 'Subject category' }) + @IsString() + @MinLength(1) + subject: string; + + @ApiProperty({ example: 'Bonjour, je souhaite...', description: 'Message body' }) + @IsString() + @MinLength(10) + message: string; +} + +export class ForgotPasswordDto { + @ApiProperty({ + example: 'john.doe@acme.com', + description: 'Email address for password reset', + }) + @IsEmail({}, { message: 'Invalid email format' }) + email: string; +} + +export class ResetPasswordDto { + @ApiProperty({ + example: 'abc123token...', + description: 'Password reset token from email', + }) + @IsString() + token: string; + + @ApiProperty({ + example: 'NewSecurePassword123!', + description: 'New password (minimum 12 characters)', minLength: 12, }) @IsString() @MinLength(12, { message: 'Password must be at least 12 characters' }) - password: string; + newPassword: string; } /** @@ -94,6 +164,31 @@ export class RegisterOrganizationDto { @Matches(/^[A-Z]{2}$/, { message: 'Country must be a 2-letter ISO code (e.g., NL, US, CN)' }) country: string; + @ApiProperty({ + example: '123456789', + description: 'French SIREN number (9 digits, required)', + minLength: 9, + maxLength: 9, + }) + @IsString() + @MinLength(9, { message: 'SIREN must be exactly 9 digits' }) + @MaxLength(9, { message: 'SIREN must be exactly 9 digits' }) + @Matches(/^[0-9]{9}$/, { message: 'SIREN must be 9 digits' }) + siren: string; + + @ApiPropertyOptional({ + example: '12345678901234', + description: 'French SIRET number (14 digits, optional)', + minLength: 14, + maxLength: 14, + }) + @IsString() + @IsOptional() + @MinLength(14, { message: 'SIRET must be exactly 14 digits' }) + @MaxLength(14, { message: 'SIRET must be exactly 14 digits' }) + @Matches(/^[0-9]{14}$/, { message: 'SIRET must be 14 digits' }) + siret?: string; + @ApiPropertyOptional({ example: 'MAEU', description: 'Standard Carrier Alpha Code (4 uppercase letters, required for carriers only)', diff --git a/apps/backend/src/application/dto/carrier-documents.dto.ts b/apps/backend/src/application/dto/carrier-documents.dto.ts index 7bdb79a..71f038b 100644 --- a/apps/backend/src/application/dto/carrier-documents.dto.ts +++ b/apps/backend/src/application/dto/carrier-documents.dto.ts @@ -1,112 +1,118 @@ -import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; -import { IsNotEmpty, IsString } from 'class-validator'; - -/** - * DTO for verifying document access password - */ -export class VerifyDocumentAccessDto { - @ApiProperty({ description: 'Password for document access (booking number code)' }) - @IsString() - @IsNotEmpty() - password: string; -} - -/** - * Response DTO for checking document access requirements - */ -export class DocumentAccessRequirementsDto { - @ApiProperty({ description: 'Whether password is required to access documents' }) - requiresPassword: boolean; - - @ApiPropertyOptional({ description: 'Booking number (if available)' }) - bookingNumber?: string; - - @ApiProperty({ description: 'Current booking status' }) - status: string; -} - -/** - * Booking Summary DTO for Carrier Documents Page - */ -export class BookingSummaryDto { - @ApiProperty({ description: 'Booking unique ID' }) - id: string; - - @ApiPropertyOptional({ description: 'Human-readable booking number' }) - bookingNumber?: string; - - @ApiProperty({ description: 'Carrier/Company name' }) - carrierName: string; - - @ApiProperty({ description: 'Origin port code' }) - origin: string; - - @ApiProperty({ description: 'Destination port code' }) - destination: string; - - @ApiProperty({ description: 'Route description (origin -> destination)' }) - routeDescription: string; - - @ApiProperty({ description: 'Volume in CBM' }) - volumeCBM: number; - - @ApiProperty({ description: 'Weight in KG' }) - weightKG: number; - - @ApiProperty({ description: 'Number of pallets' }) - palletCount: number; - - @ApiProperty({ description: 'Price in the primary currency' }) - price: number; - - @ApiProperty({ description: 'Currency (USD or EUR)' }) - currency: string; - - @ApiProperty({ description: 'Transit time in days' }) - transitDays: number; - - @ApiProperty({ description: 'Container type' }) - containerType: string; - - @ApiProperty({ description: 'When the booking was accepted' }) - acceptedAt: Date; -} - -/** - * Document with signed download URL for carrier access - */ -export class DocumentWithUrlDto { - @ApiProperty({ description: 'Document unique ID' }) - id: string; - - @ApiProperty({ - description: 'Document type', - enum: ['BILL_OF_LADING', 'PACKING_LIST', 'COMMERCIAL_INVOICE', 'CERTIFICATE_OF_ORIGIN', 'OTHER'], - }) - type: string; - - @ApiProperty({ description: 'Original file name' }) - fileName: string; - - @ApiProperty({ description: 'File MIME type' }) - mimeType: string; - - @ApiProperty({ description: 'File size in bytes' }) - size: number; - - @ApiProperty({ description: 'Temporary signed download URL (valid for 1 hour)' }) - downloadUrl: string; -} - -/** - * Carrier Documents Response DTO - * - * Response for carrier document access page - */ -export class CarrierDocumentsResponseDto { - @ApiProperty({ description: 'Booking summary information', type: BookingSummaryDto }) - booking: BookingSummaryDto; - - @ApiProperty({ description: 'List of documents with download URLs', type: [DocumentWithUrlDto] }) - documents: DocumentWithUrlDto[]; -} +import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; +import { IsNotEmpty, IsString } from 'class-validator'; + +/** + * DTO for verifying document access password + */ +export class VerifyDocumentAccessDto { + @ApiProperty({ description: 'Password for document access (booking number code)' }) + @IsString() + @IsNotEmpty() + password: string; +} + +/** + * Response DTO for checking document access requirements + */ +export class DocumentAccessRequirementsDto { + @ApiProperty({ description: 'Whether password is required to access documents' }) + requiresPassword: boolean; + + @ApiPropertyOptional({ description: 'Booking number (if available)' }) + bookingNumber?: string; + + @ApiProperty({ description: 'Current booking status' }) + status: string; +} + +/** + * Booking Summary DTO for Carrier Documents Page + */ +export class BookingSummaryDto { + @ApiProperty({ description: 'Booking unique ID' }) + id: string; + + @ApiPropertyOptional({ description: 'Human-readable booking number' }) + bookingNumber?: string; + + @ApiProperty({ description: 'Carrier/Company name' }) + carrierName: string; + + @ApiProperty({ description: 'Origin port code' }) + origin: string; + + @ApiProperty({ description: 'Destination port code' }) + destination: string; + + @ApiProperty({ description: 'Route description (origin -> destination)' }) + routeDescription: string; + + @ApiProperty({ description: 'Volume in CBM' }) + volumeCBM: number; + + @ApiProperty({ description: 'Weight in KG' }) + weightKG: number; + + @ApiProperty({ description: 'Number of pallets' }) + palletCount: number; + + @ApiProperty({ description: 'Price in the primary currency' }) + price: number; + + @ApiProperty({ description: 'Currency (USD or EUR)' }) + currency: string; + + @ApiProperty({ description: 'Transit time in days' }) + transitDays: number; + + @ApiProperty({ description: 'Container type' }) + containerType: string; + + @ApiProperty({ description: 'When the booking was accepted' }) + acceptedAt: Date; +} + +/** + * Document with signed download URL for carrier access + */ +export class DocumentWithUrlDto { + @ApiProperty({ description: 'Document unique ID' }) + id: string; + + @ApiProperty({ + description: 'Document type', + enum: [ + 'BILL_OF_LADING', + 'PACKING_LIST', + 'COMMERCIAL_INVOICE', + 'CERTIFICATE_OF_ORIGIN', + 'OTHER', + ], + }) + type: string; + + @ApiProperty({ description: 'Original file name' }) + fileName: string; + + @ApiProperty({ description: 'File MIME type' }) + mimeType: string; + + @ApiProperty({ description: 'File size in bytes' }) + size: number; + + @ApiProperty({ description: 'Temporary signed download URL (valid for 1 hour)' }) + downloadUrl: string; +} + +/** + * Carrier Documents Response DTO + * + * Response for carrier document access page + */ +export class CarrierDocumentsResponseDto { + @ApiProperty({ description: 'Booking summary information', type: BookingSummaryDto }) + booking: BookingSummaryDto; + + @ApiProperty({ description: 'List of documents with download URLs', type: [DocumentWithUrlDto] }) + documents: DocumentWithUrlDto[]; +} diff --git a/apps/backend/src/application/dto/consent.dto.ts b/apps/backend/src/application/dto/consent.dto.ts index fa3b883..741e720 100644 --- a/apps/backend/src/application/dto/consent.dto.ts +++ b/apps/backend/src/application/dto/consent.dto.ts @@ -1,139 +1,139 @@ -/** - * Cookie Consent DTOs - * GDPR compliant consent management - */ - -import { IsBoolean, IsOptional, IsString, IsEnum, IsDateString, IsIP } from 'class-validator'; -import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; - -/** - * Request DTO for recording/updating cookie consent - */ -export class UpdateConsentDto { - @ApiProperty({ - example: true, - description: 'Essential cookies consent (always true, required for functionality)', - default: true, - }) - @IsBoolean() - essential: boolean; - - @ApiProperty({ - example: false, - description: 'Functional cookies consent (preferences, language, etc.)', - default: false, - }) - @IsBoolean() - functional: boolean; - - @ApiProperty({ - example: false, - description: 'Analytics cookies consent (Google Analytics, Sentry, etc.)', - default: false, - }) - @IsBoolean() - analytics: boolean; - - @ApiProperty({ - example: false, - description: 'Marketing cookies consent (ads, tracking, remarketing)', - default: false, - }) - @IsBoolean() - marketing: boolean; - - @ApiPropertyOptional({ - example: '192.168.1.1', - description: 'IP address at time of consent (for GDPR audit trail)', - }) - @IsOptional() - @IsString() - ipAddress?: string; - - @ApiPropertyOptional({ - example: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', - description: 'User agent at time of consent', - }) - @IsOptional() - @IsString() - userAgent?: string; -} - -/** - * Response DTO for consent status - */ -export class ConsentResponseDto { - @ApiProperty({ - example: '550e8400-e29b-41d4-a716-446655440000', - description: 'User ID', - }) - userId: string; - - @ApiProperty({ - example: true, - description: 'Essential cookies consent (always true)', - }) - essential: boolean; - - @ApiProperty({ - example: false, - description: 'Functional cookies consent', - }) - functional: boolean; - - @ApiProperty({ - example: false, - description: 'Analytics cookies consent', - }) - analytics: boolean; - - @ApiProperty({ - example: false, - description: 'Marketing cookies consent', - }) - marketing: boolean; - - @ApiProperty({ - example: '2025-01-27T10:30:00.000Z', - description: 'Date when consent was recorded', - }) - consentDate: Date; - - @ApiProperty({ - example: '2025-01-27T10:30:00.000Z', - description: 'Last update timestamp', - }) - updatedAt: Date; -} - -/** - * Request DTO for withdrawing specific consent - */ -export class WithdrawConsentDto { - @ApiProperty({ - example: 'marketing', - description: 'Type of consent to withdraw', - enum: ['functional', 'analytics', 'marketing'], - }) - @IsEnum(['functional', 'analytics', 'marketing'], { - message: 'Consent type must be functional, analytics, or marketing', - }) - consentType: 'functional' | 'analytics' | 'marketing'; -} - -/** - * Success response DTO - */ -export class ConsentSuccessDto { - @ApiProperty({ - example: true, - description: 'Operation success status', - }) - success: boolean; - - @ApiProperty({ - example: 'Consent preferences saved successfully', - description: 'Response message', - }) - message: string; -} +/** + * Cookie Consent DTOs + * GDPR compliant consent management + */ + +import { IsBoolean, IsOptional, IsString, IsEnum } from 'class-validator'; +import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; + +/** + * Request DTO for recording/updating cookie consent + */ +export class UpdateConsentDto { + @ApiProperty({ + example: true, + description: 'Essential cookies consent (always true, required for functionality)', + default: true, + }) + @IsBoolean() + essential: boolean; + + @ApiProperty({ + example: false, + description: 'Functional cookies consent (preferences, language, etc.)', + default: false, + }) + @IsBoolean() + functional: boolean; + + @ApiProperty({ + example: false, + description: 'Analytics cookies consent (Google Analytics, Sentry, etc.)', + default: false, + }) + @IsBoolean() + analytics: boolean; + + @ApiProperty({ + example: false, + description: 'Marketing cookies consent (ads, tracking, remarketing)', + default: false, + }) + @IsBoolean() + marketing: boolean; + + @ApiPropertyOptional({ + example: '192.168.1.1', + description: 'IP address at time of consent (for GDPR audit trail)', + }) + @IsOptional() + @IsString() + ipAddress?: string; + + @ApiPropertyOptional({ + example: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36', + description: 'User agent at time of consent', + }) + @IsOptional() + @IsString() + userAgent?: string; +} + +/** + * Response DTO for consent status + */ +export class ConsentResponseDto { + @ApiProperty({ + example: '550e8400-e29b-41d4-a716-446655440000', + description: 'User ID', + }) + userId: string; + + @ApiProperty({ + example: true, + description: 'Essential cookies consent (always true)', + }) + essential: boolean; + + @ApiProperty({ + example: false, + description: 'Functional cookies consent', + }) + functional: boolean; + + @ApiProperty({ + example: false, + description: 'Analytics cookies consent', + }) + analytics: boolean; + + @ApiProperty({ + example: false, + description: 'Marketing cookies consent', + }) + marketing: boolean; + + @ApiProperty({ + example: '2025-01-27T10:30:00.000Z', + description: 'Date when consent was recorded', + }) + consentDate: Date; + + @ApiProperty({ + example: '2025-01-27T10:30:00.000Z', + description: 'Last update timestamp', + }) + updatedAt: Date; +} + +/** + * Request DTO for withdrawing specific consent + */ +export class WithdrawConsentDto { + @ApiProperty({ + example: 'marketing', + description: 'Type of consent to withdraw', + enum: ['functional', 'analytics', 'marketing'], + }) + @IsEnum(['functional', 'analytics', 'marketing'], { + message: 'Consent type must be functional, analytics, or marketing', + }) + consentType: 'functional' | 'analytics' | 'marketing'; +} + +/** + * Success response DTO + */ +export class ConsentSuccessDto { + @ApiProperty({ + example: true, + description: 'Operation success status', + }) + success: boolean; + + @ApiProperty({ + example: 'Consent preferences saved successfully', + description: 'Response message', + }) + message: string; +} diff --git a/apps/backend/src/application/dto/csv-booking.dto.ts b/apps/backend/src/application/dto/csv-booking.dto.ts index d2425f3..d32f5f8 100644 --- a/apps/backend/src/application/dto/csv-booking.dto.ts +++ b/apps/backend/src/application/dto/csv-booking.dto.ts @@ -294,8 +294,8 @@ export class CsvBookingResponseDto { @ApiProperty({ description: 'Booking status', - enum: ['PENDING', 'ACCEPTED', 'REJECTED', 'CANCELLED'], - example: 'PENDING', + enum: ['PENDING_PAYMENT', 'PENDING', 'ACCEPTED', 'REJECTED', 'CANCELLED'], + example: 'PENDING_PAYMENT', }) status: string; @@ -353,6 +353,18 @@ export class CsvBookingResponseDto { example: 1850.5, }) price: number; + + @ApiPropertyOptional({ + description: 'Commission rate in percent', + example: 5, + }) + commissionRate?: number; + + @ApiPropertyOptional({ + description: 'Commission amount in EUR', + example: 313.27, + }) + commissionAmountEur?: number; } /** @@ -414,6 +426,12 @@ export class CsvBookingListResponseDto { * Statistics for user's or organization's bookings */ export class CsvBookingStatsDto { + @ApiProperty({ + description: 'Number of bookings awaiting payment', + example: 1, + }) + pendingPayment: number; + @ApiProperty({ description: 'Number of pending bookings', example: 5, diff --git a/apps/backend/src/application/dto/organization.dto.ts b/apps/backend/src/application/dto/organization.dto.ts index 881322c..130a53b 100644 --- a/apps/backend/src/application/dto/organization.dto.ts +++ b/apps/backend/src/application/dto/organization.dto.ts @@ -184,6 +184,19 @@ export class UpdateOrganizationDto { @Matches(/^[0-9]{9}$/, { message: 'SIREN must be 9 digits' }) siren?: string; + @ApiPropertyOptional({ + example: '12345678901234', + description: 'French SIRET number (14 digits)', + minLength: 14, + maxLength: 14, + }) + @IsString() + @IsOptional() + @MinLength(14) + @MaxLength(14) + @Matches(/^[0-9]{14}$/, { message: 'SIRET must be 14 digits' }) + siret?: string; + @ApiPropertyOptional({ example: 'FR123456789', description: 'EU EORI number', @@ -344,6 +357,25 @@ export class OrganizationResponseDto { }) documents: OrganizationDocumentDto[]; + @ApiPropertyOptional({ + example: '12345678901234', + description: 'French SIRET number (14 digits)', + }) + siret?: string; + + @ApiProperty({ + example: false, + description: 'Whether the SIRET has been verified by an admin', + }) + siretVerified: boolean; + + @ApiPropertyOptional({ + example: 'none', + description: 'Organization status badge', + enum: ['none', 'silver', 'gold', 'platinium'], + }) + statusBadge?: string; + @ApiProperty({ example: true, description: 'Active status', diff --git a/apps/backend/src/application/dto/subscription.dto.ts b/apps/backend/src/application/dto/subscription.dto.ts index a8e7f75..5302528 100644 --- a/apps/backend/src/application/dto/subscription.dto.ts +++ b/apps/backend/src/application/dto/subscription.dto.ts @@ -5,25 +5,16 @@ */ import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger'; -import { - IsString, - IsEnum, - IsNotEmpty, - IsUrl, - IsOptional, - IsBoolean, - IsInt, - Min, -} from 'class-validator'; +import { IsString, IsEnum, IsUrl, IsOptional } from 'class-validator'; /** * Subscription plan types */ export enum SubscriptionPlanDto { - FREE = 'FREE', - STARTER = 'STARTER', - PRO = 'PRO', - ENTERPRISE = 'ENTERPRISE', + BRONZE = 'BRONZE', + SILVER = 'SILVER', + GOLD = 'GOLD', + PLATINIUM = 'PLATINIUM', } /** @@ -53,7 +44,7 @@ export enum BillingIntervalDto { */ export class CreateCheckoutSessionDto { @ApiProperty({ - example: SubscriptionPlanDto.STARTER, + example: SubscriptionPlanDto.SILVER, description: 'The subscription plan to purchase', enum: SubscriptionPlanDto, }) @@ -197,14 +188,14 @@ export class LicenseResponseDto { */ export class PlanDetailsDto { @ApiProperty({ - example: SubscriptionPlanDto.STARTER, + example: SubscriptionPlanDto.SILVER, description: 'Plan identifier', enum: SubscriptionPlanDto, }) plan: SubscriptionPlanDto; @ApiProperty({ - example: 'Starter', + example: 'Silver', description: 'Plan display name', }) name: string; @@ -216,20 +207,51 @@ export class PlanDetailsDto { maxLicenses: number; @ApiProperty({ - example: 49, + example: 249, description: 'Monthly price in EUR', }) monthlyPriceEur: number; @ApiProperty({ - example: 470, - description: 'Yearly price in EUR', + example: 2739, + description: 'Yearly price in EUR (11 months)', }) yearlyPriceEur: number; @ApiProperty({ - example: ['Up to 5 users', 'Advanced rate search', 'CSV imports'], - description: 'List of features included in this plan', + example: -1, + description: 'Maximum shipments per year (-1 for unlimited)', + }) + maxShipmentsPerYear: number; + + @ApiProperty({ + example: 3, + description: 'Commission rate percentage on shipments', + }) + commissionRatePercent: number; + + @ApiProperty({ + example: 'email', + description: 'Support level: none, email, direct, dedicated_kam', + }) + supportLevel: string; + + @ApiProperty({ + example: 'silver', + description: 'Status badge: none, silver, gold, platinium', + }) + statusBadge: string; + + @ApiProperty({ + example: ['dashboard', 'wiki', 'user_management', 'csv_export'], + description: 'List of plan feature flags', + type: [String], + }) + planFeatures: string[]; + + @ApiProperty({ + example: ["Jusqu'à 5 utilisateurs", 'Expéditions illimitées', 'Import CSV'], + description: 'List of human-readable features included in this plan', type: [String], }) features: string[]; @@ -252,7 +274,7 @@ export class SubscriptionResponseDto { organizationId: string; @ApiProperty({ - example: SubscriptionPlanDto.STARTER, + example: SubscriptionPlanDto.SILVER, description: 'Current subscription plan', enum: SubscriptionPlanDto, }) diff --git a/apps/backend/src/application/guards/api-key-or-jwt.guard.ts b/apps/backend/src/application/guards/api-key-or-jwt.guard.ts new file mode 100644 index 0000000..e910831 --- /dev/null +++ b/apps/backend/src/application/guards/api-key-or-jwt.guard.ts @@ -0,0 +1,55 @@ +import { ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common'; +import { Reflector } from '@nestjs/core'; + +import { ApiKeysService } from '../api-keys/api-keys.service'; +import { JwtAuthGuard } from './jwt-auth.guard'; + +/** + * Combined Authentication Guard + * + * Replaces the global JwtAuthGuard to support two authentication methods: + * + * 1. **API Key** (`X-API-Key` header) + * - Validates the raw key against its stored SHA-256 hash + * - Checks the organisation subscription is GOLD or PLATINIUM in real-time + * - Sets request.user with full user/plan context + * - Available exclusively to Gold and Platinium subscribers + * + * 2. **JWT Bearer token** (`Authorization: Bearer `) + * - Delegates to the existing Passport JWT strategy (unchanged behaviour) + * - Works for all subscription tiers (frontend access) + * + * Routes decorated with @Public() bypass both methods. + * + * Priority: API Key is checked first; if absent, falls back to JWT. + */ +@Injectable() +export class ApiKeyOrJwtGuard extends JwtAuthGuard { + constructor( + reflector: Reflector, + private readonly apiKeysService: ApiKeysService + ) { + super(reflector); + } + + async canActivate(context: ExecutionContext): Promise { + const request = context.switchToHttp().getRequest>(); + const rawApiKey: string | undefined = request.headers['x-api-key']; + + if (rawApiKey) { + const userContext = await this.apiKeysService.validateAndGetUser(rawApiKey); + + if (!userContext) { + throw new UnauthorizedException( + "Clé API invalide, expirée ou votre abonnement ne permet plus l'accès API." + ); + } + + request.user = userContext; + return true; + } + + // No API key header — use standard JWT flow (handles @Public() too) + return super.canActivate(context) as Promise; + } +} diff --git a/apps/backend/src/application/guards/feature-flag.guard.ts b/apps/backend/src/application/guards/feature-flag.guard.ts new file mode 100644 index 0000000..d769ac4 --- /dev/null +++ b/apps/backend/src/application/guards/feature-flag.guard.ts @@ -0,0 +1,108 @@ +import { + Injectable, + CanActivate, + ExecutionContext, + ForbiddenException, + Inject, + Logger, +} from '@nestjs/common'; +import { Reflector } from '@nestjs/core'; +import { PlanFeature } from '@domain/value-objects/plan-feature.vo'; +import { + SubscriptionRepository, + SUBSCRIPTION_REPOSITORY, +} from '@domain/ports/out/subscription.repository'; +import { REQUIRED_FEATURES_KEY } from '../decorators/requires-feature.decorator'; + +/** + * Feature Flag Guard + * + * Checks if the user's subscription plan includes the required features. + * First tries to read plan from JWT payload (fast path), falls back to DB lookup. + * + * Usage: + * @UseGuards(JwtAuthGuard, RolesGuard, FeatureFlagGuard) + * @RequiresFeature('dashboard') + */ +@Injectable() +export class FeatureFlagGuard implements CanActivate { + private readonly logger = new Logger(FeatureFlagGuard.name); + + constructor( + private readonly reflector: Reflector, + @Inject(SUBSCRIPTION_REPOSITORY) + private readonly subscriptionRepository: SubscriptionRepository + ) {} + + async canActivate(context: ExecutionContext): Promise { + // Get required features from @RequiresFeature() decorator + const requiredFeatures = this.reflector.getAllAndOverride( + REQUIRED_FEATURES_KEY, + [context.getHandler(), context.getClass()] + ); + + // If no features are required, allow access + if (!requiredFeatures || requiredFeatures.length === 0) { + return true; + } + + const request = context.switchToHttp().getRequest(); + const user = request.user; + + if (!user || !user.organizationId) { + return false; + } + + // ADMIN users have full access to all features — no plan check needed + if (user.role === 'ADMIN') { + return true; + } + + // Fast path: check plan features from JWT payload + if (user.planFeatures && Array.isArray(user.planFeatures)) { + const hasAllFeatures = requiredFeatures.every(feature => user.planFeatures.includes(feature)); + + if (hasAllFeatures) { + return true; + } + + // JWT says no — but JWT might be stale after an upgrade. + // Fall through to DB check. + } + + // Slow path: DB lookup for fresh subscription data + try { + const subscription = await this.subscriptionRepository.findByOrganizationId( + user.organizationId + ); + + if (!subscription) { + // No subscription means Bronze (free) plan — no premium features + this.throwFeatureRequired(requiredFeatures); + } + + const plan = subscription!.plan; + const missingFeatures = requiredFeatures.filter(feature => !plan.hasFeature(feature)); + + if (missingFeatures.length > 0) { + this.throwFeatureRequired(requiredFeatures); + } + + return true; + } catch (error) { + if (error instanceof ForbiddenException) { + throw error; + } + this.logger.error(`Failed to check subscription features: ${error}`); + // On DB error, deny access to premium features rather than 500 + this.throwFeatureRequired(requiredFeatures); + } + } + + private throwFeatureRequired(features: PlanFeature[]): never { + const featureNames = features.join(', '); + throw new ForbiddenException( + `Cette fonctionnalité nécessite un plan supérieur. Fonctionnalités requises : ${featureNames}. Passez à un plan Silver ou supérieur.` + ); + } +} diff --git a/apps/backend/src/application/guards/index.ts b/apps/backend/src/application/guards/index.ts index e174be2..374d66f 100644 --- a/apps/backend/src/application/guards/index.ts +++ b/apps/backend/src/application/guards/index.ts @@ -1,2 +1,3 @@ export * from './jwt-auth.guard'; export * from './roles.guard'; +export * from './api-key-or-jwt.guard'; diff --git a/apps/backend/src/application/mappers/organization.mapper.ts b/apps/backend/src/application/mappers/organization.mapper.ts index 8405e33..8280ab1 100644 --- a/apps/backend/src/application/mappers/organization.mapper.ts +++ b/apps/backend/src/application/mappers/organization.mapper.ts @@ -31,6 +31,9 @@ export class OrganizationMapper { address: this.mapAddressToDto(organization.address), logoUrl: organization.logoUrl, documents: organization.documents.map(doc => this.mapDocumentToDto(doc)), + siret: organization.siret, + siretVerified: organization.siretVerified, + statusBadge: organization.statusBadge, isActive: organization.isActive, createdAt: organization.createdAt, updatedAt: organization.updatedAt, diff --git a/apps/backend/src/application/services/csv-booking.service.ts b/apps/backend/src/application/services/csv-booking.service.ts index 7ddf3da..5588347 100644 --- a/apps/backend/src/application/services/csv-booking.service.ts +++ b/apps/backend/src/application/services/csv-booking.service.ts @@ -16,7 +16,9 @@ import { NOTIFICATION_REPOSITORY, } from '@domain/ports/out/notification.repository'; import { EmailPort, EMAIL_PORT } from '@domain/ports/out/email.port'; +import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.repository'; import { StoragePort, STORAGE_PORT } from '@domain/ports/out/storage.port'; +import { StripePort, STRIPE_PORT } from '@domain/ports/out/stripe.port'; import { Notification, NotificationType, @@ -30,6 +32,7 @@ import { CsvBookingStatsDto, } from '../dto/csv-booking.dto'; import { CarrierDocumentsResponseDto } from '../dto/carrier-documents.dto'; +import { SubscriptionService } from './subscription.service'; /** * CSV Booking Document (simple class for domain) @@ -62,7 +65,12 @@ export class CsvBookingService { @Inject(EMAIL_PORT) private readonly emailAdapter: EmailPort, @Inject(STORAGE_PORT) - private readonly storageAdapter: StoragePort + private readonly storageAdapter: StoragePort, + @Inject(STRIPE_PORT) + private readonly stripeAdapter: StripePort, + private readonly subscriptionService: SubscriptionService, + @Inject(USER_REPOSITORY) + private readonly userRepository: UserRepository ) {} /** @@ -114,7 +122,18 @@ export class CsvBookingService { // Upload documents to S3 const documents = await this.uploadDocuments(files, bookingId); - // Create domain entity + // Calculate commission based on organization's subscription plan + let commissionRate = 5; // default Bronze + let commissionAmountEur = 0; + try { + const subscription = await this.subscriptionService.getOrCreateSubscription(organizationId); + commissionRate = subscription.plan.commissionRatePercent; + } catch (error: any) { + this.logger.error(`Failed to get subscription for commission: ${error?.message}`); + } + commissionAmountEur = Math.round(dto.priceEUR * commissionRate) / 100; + + // Create domain entity in PENDING_PAYMENT status (no email sent yet) const booking = new CsvBooking( bookingId, userId, @@ -131,12 +150,16 @@ export class CsvBookingService { dto.primaryCurrency, dto.transitDays, dto.containerType, - CsvBookingStatus.PENDING, + CsvBookingStatus.PENDING_PAYMENT, documents, confirmationToken, new Date(), undefined, - dto.notes + dto.notes, + undefined, + bookingNumber, + commissionRate, + commissionAmountEur ); // Save to database @@ -152,58 +175,398 @@ export class CsvBookingService { await this.csvBookingRepository['repository'].save(ormBooking); } - this.logger.log(`CSV booking created with ID: ${bookingId}, number: ${bookingNumber}`); + this.logger.log( + `CSV booking created with ID: ${bookingId}, number: ${bookingNumber}, status: PENDING_PAYMENT, commission: ${commissionRate}% = ${commissionAmountEur}€` + ); - // Send email to carrier and WAIT for confirmation - // The button waits for the email to be sent before responding + // NO email sent to carrier yet - will be sent after commission payment + // NO notification yet - will be created after payment confirmation + + return this.toResponseDto(savedBooking); + } + + /** + * Create a Stripe Checkout session for commission payment + */ + async createCommissionPayment( + bookingId: string, + userId: string, + userEmail: string, + frontendUrl: string + ): Promise<{ sessionUrl: string; sessionId: string; commissionAmountEur: number }> { + const booking = await this.csvBookingRepository.findById(bookingId); + + if (!booking) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.userId !== userId) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.status !== CsvBookingStatus.PENDING_PAYMENT) { + throw new BadRequestException( + `Booking is not awaiting payment. Current status: ${booking.status}` + ); + } + + const commissionAmountEur = booking.commissionAmountEur || 0; + if (commissionAmountEur <= 0) { + throw new BadRequestException('Commission amount is invalid'); + } + + const amountCents = Math.round(commissionAmountEur * 100); + + const result = await this.stripeAdapter.createCommissionCheckout({ + bookingId: booking.id, + amountCents, + currency: 'eur', + customerEmail: userEmail, + organizationId: booking.organizationId, + bookingDescription: `Commission booking ${booking.bookingNumber || booking.id} - ${booking.origin.getValue()} → ${booking.destination.getValue()}`, + successUrl: `${frontendUrl}/dashboard/booking/${booking.id}/payment-success?session_id={CHECKOUT_SESSION_ID}`, + cancelUrl: `${frontendUrl}/dashboard/booking/${booking.id}/pay`, + }); + + this.logger.log( + `Created Stripe commission checkout for booking ${bookingId}: ${amountCents} cents EUR` + ); + + return { + sessionUrl: result.sessionUrl, + sessionId: result.sessionId, + commissionAmountEur, + }; + } + + /** + * Confirm commission payment and activate booking + * Called after Stripe redirect with session_id + */ + async confirmCommissionPayment( + bookingId: string, + sessionId: string, + userId: string + ): Promise { + const booking = await this.csvBookingRepository.findById(bookingId); + + if (!booking) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.userId !== userId) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.status !== CsvBookingStatus.PENDING_PAYMENT) { + // Already confirmed - return current state + if (booking.status === CsvBookingStatus.PENDING) { + return this.toResponseDto(booking); + } + throw new BadRequestException( + `Booking is not awaiting payment. Current status: ${booking.status}` + ); + } + + // Verify payment with Stripe + const session = await this.stripeAdapter.getCheckoutSession(sessionId); + if (!session || session.status !== 'complete') { + throw new BadRequestException('Payment has not been completed'); + } + + // Verify the session is for this booking + if (session.metadata?.bookingId !== bookingId) { + throw new BadRequestException('Payment session does not match this booking'); + } + + // Transition to PENDING + booking.markPaymentCompleted(); + booking.stripePaymentIntentId = sessionId; + + // Save updated booking + const updatedBooking = await this.csvBookingRepository.update(booking); + this.logger.log(`Booking ${bookingId} payment confirmed, status now PENDING`); + + // Get ORM entity for booking number + const ormBooking = await this.csvBookingRepository['repository'].findOne({ + where: { id: bookingId }, + }); + const bookingNumber = ormBooking?.bookingNumber; + const documentPassword = bookingNumber + ? this.extractPasswordFromBookingNumber(bookingNumber) + : undefined; + + // NOW send email to carrier try { - await this.emailAdapter.sendCsvBookingRequest(dto.carrierEmail, { - bookingId, - bookingNumber, - documentPassword, - origin: dto.origin, - destination: dto.destination, - volumeCBM: dto.volumeCBM, - weightKG: dto.weightKG, - palletCount: dto.palletCount, - priceUSD: dto.priceUSD, - priceEUR: dto.priceEUR, - primaryCurrency: dto.primaryCurrency, - transitDays: dto.transitDays, - containerType: dto.containerType, - documents: documents.map(doc => ({ + await this.emailAdapter.sendCsvBookingRequest(booking.carrierEmail, { + bookingId: booking.id, + bookingNumber: bookingNumber || '', + documentPassword: documentPassword || '', + origin: booking.origin.getValue(), + destination: booking.destination.getValue(), + volumeCBM: booking.volumeCBM, + weightKG: booking.weightKG, + palletCount: booking.palletCount, + priceUSD: booking.priceUSD, + priceEUR: booking.priceEUR, + primaryCurrency: booking.primaryCurrency, + transitDays: booking.transitDays, + containerType: booking.containerType, + documents: booking.documents.map(doc => ({ type: doc.type, fileName: doc.fileName, })), - confirmationToken, - notes: dto.notes, + confirmationToken: booking.confirmationToken, + notes: booking.notes, }); - this.logger.log(`Email sent to carrier: ${dto.carrierEmail}`); + this.logger.log(`Email sent to carrier: ${booking.carrierEmail}`); } catch (error: any) { this.logger.error(`Failed to send email to carrier: ${error?.message}`, error?.stack); - // Continue even if email fails - booking is already saved } // Create notification for user try { const notification = Notification.create({ id: uuidv4(), - userId, - organizationId, + userId: booking.userId, + organizationId: booking.organizationId, type: NotificationType.CSV_BOOKING_REQUEST_SENT, priority: NotificationPriority.MEDIUM, title: 'Booking Request Sent', - message: `Your booking request to ${dto.carrierName} for ${dto.origin} → ${dto.destination} has been sent successfully.`, - metadata: { bookingId, carrierName: dto.carrierName }, + message: `Your booking request to ${booking.carrierName} for ${booking.getRouteDescription()} has been sent successfully after payment.`, + metadata: { bookingId: booking.id, carrierName: booking.carrierName }, }); await this.notificationRepository.save(notification); - this.logger.log(`Notification created for user ${userId}`); } catch (error: any) { this.logger.error(`Failed to create notification: ${error?.message}`, error?.stack); - // Continue even if notification fails } - return this.toResponseDto(savedBooking); + return this.toResponseDto(updatedBooking); + } + + /** + * Declare bank transfer — user confirms they have sent the wire transfer + * Transitions booking from PENDING_PAYMENT → PENDING_BANK_TRANSFER + * Sends an email notification to all ADMIN users + */ + async declareBankTransfer(bookingId: string, userId: string): Promise { + const booking = await this.csvBookingRepository.findById(bookingId); + + if (!booking) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.userId !== userId) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.status !== CsvBookingStatus.PENDING_PAYMENT) { + throw new BadRequestException( + `Booking is not awaiting payment. Current status: ${booking.status}` + ); + } + + // Get booking number before update + const ormBooking = await this.csvBookingRepository['repository'].findOne({ + where: { id: bookingId }, + }); + const bookingNumber = ormBooking?.bookingNumber || bookingId.slice(0, 8).toUpperCase(); + + booking.markBankTransferDeclared(); + const updatedBooking = await this.csvBookingRepository.update(booking); + this.logger.log(`Booking ${bookingId} bank transfer declared, status now PENDING_BANK_TRANSFER`); + + // Send email to all ADMIN users + try { + const allUsers = await this.userRepository.findAll(); + const adminEmails = allUsers + .filter(u => u.role === 'ADMIN' && u.isActive) + .map(u => u.email); + + if (adminEmails.length > 0) { + const commissionAmount = booking.commissionAmountEur + ? new Intl.NumberFormat('fr-FR', { style: 'currency', currency: 'EUR' }).format(booking.commissionAmountEur) + : 'N/A'; + + await this.emailAdapter.send({ + to: adminEmails, + subject: `[XPEDITIS] Virement à valider — ${bookingNumber}`, + html: ` +
+

Nouveau virement à valider

+

Un client a déclaré avoir effectué un virement bancaire pour le booking suivant :

+ + + + + + + + + + + + + + + + + +
Numéro de booking${bookingNumber}
Transporteur${booking.carrierName}
Trajet${booking.getRouteDescription()}
Montant commission${commissionAmount}
+

Rendez-vous dans la console d'administration pour valider ce virement et activer le booking.

+ + Voir les bookings en attente + +
+ `, + }); + this.logger.log(`Admin notification email sent to: ${adminEmails.join(', ')}`); + } + } catch (error: any) { + this.logger.error(`Failed to send admin notification email: ${error?.message}`, error?.stack); + } + + // In-app notification for the user + try { + const notification = Notification.create({ + id: uuidv4(), + userId: booking.userId, + organizationId: booking.organizationId, + type: NotificationType.BOOKING_UPDATED, + priority: NotificationPriority.MEDIUM, + title: 'Virement déclaré', + message: `Votre virement pour le booking ${bookingNumber} a été enregistré. Un administrateur va vérifier la réception et activer votre booking.`, + metadata: { bookingId: booking.id }, + }); + await this.notificationRepository.save(notification); + } catch (error: any) { + this.logger.error(`Failed to create user notification: ${error?.message}`, error?.stack); + } + + return this.toResponseDto(updatedBooking); + } + + /** + * Resend carrier email for a booking (admin action) + * Works regardless of payment status — useful for retrying failed emails or testing without Stripe. + */ + async resendCarrierEmail(bookingId: string): Promise { + const booking = await this.csvBookingRepository.findById(bookingId); + + if (!booking) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + const ormBooking = await this.csvBookingRepository['repository'].findOne({ + where: { id: bookingId }, + }); + const bookingNumber = ormBooking?.bookingNumber; + const documentPassword = bookingNumber + ? this.extractPasswordFromBookingNumber(bookingNumber) + : undefined; + + await this.emailAdapter.sendCsvBookingRequest(booking.carrierEmail, { + bookingId: booking.id, + bookingNumber: bookingNumber || '', + documentPassword: documentPassword || '', + origin: booking.origin.getValue(), + destination: booking.destination.getValue(), + volumeCBM: booking.volumeCBM, + weightKG: booking.weightKG, + palletCount: booking.palletCount, + priceUSD: booking.priceUSD, + priceEUR: booking.priceEUR, + primaryCurrency: booking.primaryCurrency, + transitDays: booking.transitDays, + containerType: booking.containerType, + documents: booking.documents.map(doc => ({ + type: doc.type, + fileName: doc.fileName, + })), + confirmationToken: booking.confirmationToken, + notes: booking.notes, + }); + + this.logger.log(`[ADMIN] Carrier email resent to ${booking.carrierEmail} for booking ${bookingId}`); + } + + /** + * Admin validates bank transfer — confirms receipt and activates booking + * Transitions booking from PENDING_BANK_TRANSFER → PENDING then sends email to carrier + */ + async validateBankTransfer(bookingId: string): Promise { + const booking = await this.csvBookingRepository.findById(bookingId); + + if (!booking) { + throw new NotFoundException(`Booking with ID ${bookingId} not found`); + } + + if (booking.status !== CsvBookingStatus.PENDING_BANK_TRANSFER) { + throw new BadRequestException( + `Booking is not awaiting bank transfer validation. Current status: ${booking.status}` + ); + } + + booking.markBankTransferValidated(); + const updatedBooking = await this.csvBookingRepository.update(booking); + this.logger.log(`Booking ${bookingId} bank transfer validated by admin, status now PENDING`); + + // Get booking number for email + const ormBooking = await this.csvBookingRepository['repository'].findOne({ + where: { id: bookingId }, + }); + const bookingNumber = ormBooking?.bookingNumber; + const documentPassword = bookingNumber + ? this.extractPasswordFromBookingNumber(bookingNumber) + : undefined; + + // Send email to carrier + try { + await this.emailAdapter.sendCsvBookingRequest(booking.carrierEmail, { + bookingId: booking.id, + bookingNumber: bookingNumber || '', + documentPassword: documentPassword || '', + origin: booking.origin.getValue(), + destination: booking.destination.getValue(), + volumeCBM: booking.volumeCBM, + weightKG: booking.weightKG, + palletCount: booking.palletCount, + priceUSD: booking.priceUSD, + priceEUR: booking.priceEUR, + primaryCurrency: booking.primaryCurrency, + transitDays: booking.transitDays, + containerType: booking.containerType, + documents: booking.documents.map(doc => ({ + type: doc.type, + fileName: doc.fileName, + })), + confirmationToken: booking.confirmationToken, + notes: booking.notes, + }); + this.logger.log(`Email sent to carrier after bank transfer validation: ${booking.carrierEmail}`); + } catch (error: any) { + this.logger.error(`Failed to send email to carrier: ${error?.message}`, error?.stack); + } + + // In-app notification for the user + try { + const notification = Notification.create({ + id: uuidv4(), + userId: booking.userId, + organizationId: booking.organizationId, + type: NotificationType.BOOKING_CONFIRMED, + priority: NotificationPriority.HIGH, + title: 'Virement validé — Booking activé', + message: `Votre virement pour le booking ${bookingNumber || booking.id.slice(0, 8)} a été confirmé. Votre demande auprès de ${booking.carrierName} a été transmise au transporteur.`, + metadata: { bookingId: booking.id }, + }); + await this.notificationRepository.save(notification); + } catch (error: any) { + this.logger.error(`Failed to create user notification: ${error?.message}`, error?.stack); + } + + return this.toResponseDto(updatedBooking); } /** @@ -394,6 +757,21 @@ export class CsvBookingService { // Accept the booking (domain logic validates status) booking.accept(); + // Apply commission based on organization's subscription plan + try { + const subscription = await this.subscriptionService.getOrCreateSubscription( + booking.organizationId + ); + const commissionRate = subscription.plan.commissionRatePercent; + const baseAmountEur = booking.priceEUR; + booking.applyCommission(commissionRate, baseAmountEur); + this.logger.log( + `Commission applied: ${commissionRate}% on ${baseAmountEur}€ = ${booking.commissionAmountEur}€` + ); + } catch (error: any) { + this.logger.error(`Failed to apply commission: ${error?.message}`, error?.stack); + } + // Save updated booking const updatedBooking = await this.csvBookingRepository.update(booking); this.logger.log(`Booking ${booking.id} accepted`); @@ -568,6 +946,7 @@ export class CsvBookingService { const stats = await this.csvBookingRepository.countByStatusForUser(userId); return { + pendingPayment: stats[CsvBookingStatus.PENDING_PAYMENT] || 0, pending: stats[CsvBookingStatus.PENDING] || 0, accepted: stats[CsvBookingStatus.ACCEPTED] || 0, rejected: stats[CsvBookingStatus.REJECTED] || 0, @@ -583,6 +962,7 @@ export class CsvBookingService { const stats = await this.csvBookingRepository.countByStatusForOrganization(organizationId); return { + pendingPayment: stats[CsvBookingStatus.PENDING_PAYMENT] || 0, pending: stats[CsvBookingStatus.PENDING] || 0, accepted: stats[CsvBookingStatus.ACCEPTED] || 0, rejected: stats[CsvBookingStatus.REJECTED] || 0, @@ -678,9 +1058,15 @@ export class CsvBookingService { throw new NotFoundException(`Booking with ID ${bookingId} not found`); } - // Allow adding documents to PENDING or ACCEPTED bookings - if (booking.status !== CsvBookingStatus.PENDING && booking.status !== CsvBookingStatus.ACCEPTED) { - throw new BadRequestException('Cannot add documents to a booking that is rejected or cancelled'); + // Allow adding documents to PENDING_PAYMENT, PENDING, or ACCEPTED bookings + if ( + booking.status !== CsvBookingStatus.PENDING_PAYMENT && + booking.status !== CsvBookingStatus.PENDING && + booking.status !== CsvBookingStatus.ACCEPTED + ) { + throw new BadRequestException( + 'Cannot add documents to a booking that is rejected or cancelled' + ); } // Upload new documents @@ -723,7 +1109,10 @@ export class CsvBookingService { }); this.logger.log(`New documents notification sent to carrier: ${booking.carrierEmail}`); } catch (error: any) { - this.logger.error(`Failed to send new documents notification: ${error?.message}`, error?.stack); + this.logger.error( + `Failed to send new documents notification: ${error?.message}`, + error?.stack + ); } } @@ -755,8 +1144,11 @@ export class CsvBookingService { throw new NotFoundException(`Booking with ID ${bookingId} not found`); } - // Verify booking is still pending - if (booking.status !== CsvBookingStatus.PENDING) { + // Verify booking is still pending or awaiting payment + if ( + booking.status !== CsvBookingStatus.PENDING_PAYMENT && + booking.status !== CsvBookingStatus.PENDING + ) { throw new BadRequestException('Cannot delete documents from a booking that is not pending'); } @@ -871,7 +1263,9 @@ export class CsvBookingService { await this.csvBookingRepository['repository'].save(ormBooking); } - this.logger.log(`Replaced document ${documentId} with ${newDocument.id} in booking ${bookingId}`); + this.logger.log( + `Replaced document ${documentId} with ${newDocument.id} in booking ${bookingId}` + ); return { success: true, @@ -947,6 +1341,8 @@ export class CsvBookingService { routeDescription: booking.getRouteDescription(), isExpired: booking.isExpired(), price: booking.getPriceInCurrency(primaryCurrency), + commissionRate: booking.commissionRate, + commissionAmountEur: booking.commissionAmountEur, }; } diff --git a/apps/backend/src/application/services/gdpr.service.ts b/apps/backend/src/application/services/gdpr.service.ts index b2d8541..d7784d2 100644 --- a/apps/backend/src/application/services/gdpr.service.ts +++ b/apps/backend/src/application/services/gdpr.service.ts @@ -120,10 +120,7 @@ export class GDPRService { /** * Record or update consent (GDPR Article 7 - Conditions for consent) */ - async recordConsent( - userId: string, - consentData: UpdateConsentDto - ): Promise { + async recordConsent(userId: string, consentData: UpdateConsentDto): Promise { this.logger.log(`Recording consent for user ${userId}`); // Verify user exists diff --git a/apps/backend/src/application/services/invitation.service.ts b/apps/backend/src/application/services/invitation.service.ts index 1dc6d6e..06ff751 100644 --- a/apps/backend/src/application/services/invitation.service.ts +++ b/apps/backend/src/application/services/invitation.service.ts @@ -38,7 +38,7 @@ export class InvitationService { @Inject(EMAIL_PORT) private readonly emailService: EmailPort, private readonly configService: ConfigService, - private readonly subscriptionService: SubscriptionService, + private readonly subscriptionService: SubscriptionService ) {} /** @@ -50,7 +50,8 @@ export class InvitationService { lastName: string, role: UserRole, organizationId: string, - invitedById: string + invitedById: string, + inviterRole?: string ): Promise { this.logger.log(`Creating invitation for ${email} in organization ${organizationId}`); @@ -69,14 +70,14 @@ export class InvitationService { } // Check if licenses are available for this organization - const canInviteResult = await this.subscriptionService.canInviteUser(organizationId); + const canInviteResult = await this.subscriptionService.canInviteUser(organizationId, inviterRole); if (!canInviteResult.canInvite) { this.logger.warn( - `License limit reached for organization ${organizationId}: ${canInviteResult.usedLicenses}/${canInviteResult.maxLicenses}`, + `License limit reached for organization ${organizationId}: ${canInviteResult.usedLicenses}/${canInviteResult.maxLicenses}` ); throw new ForbiddenException( canInviteResult.message || - `License limit reached. Please upgrade your subscription to invite more users.`, + `License limit reached. Please upgrade your subscription to invite more users.` ); } @@ -219,6 +220,25 @@ export class InvitationService { } } + /** + * Cancel (delete) a pending invitation + */ + async cancelInvitation(invitationId: string, organizationId: string): Promise { + const invitations = await this.invitationRepository.findByOrganization(organizationId); + const invitation = invitations.find(inv => inv.id === invitationId); + + if (!invitation) { + throw new NotFoundException('Invitation not found'); + } + + if (invitation.isUsed) { + throw new BadRequestException('Cannot delete an invitation that has already been used'); + } + + await this.invitationRepository.deleteById(invitationId); + this.logger.log(`Invitation ${invitationId} cancelled`); + } + /** * Cleanup expired invitations (can be called by a cron job) */ diff --git a/apps/backend/src/application/services/subscription.service.ts b/apps/backend/src/application/services/subscription.service.ts index 90951de..255c0e3 100644 --- a/apps/backend/src/application/services/subscription.service.ts +++ b/apps/backend/src/application/services/subscription.service.ts @@ -4,24 +4,14 @@ * Business logic for subscription and license management. */ -import { - Injectable, - Inject, - Logger, - NotFoundException, - BadRequestException, - ForbiddenException, -} from '@nestjs/common'; +import { Injectable, Inject, Logger, NotFoundException, BadRequestException } from '@nestjs/common'; import { ConfigService } from '@nestjs/config'; import { v4 as uuidv4 } from 'uuid'; import { SubscriptionRepository, SUBSCRIPTION_REPOSITORY, } from '@domain/ports/out/subscription.repository'; -import { - LicenseRepository, - LICENSE_REPOSITORY, -} from '@domain/ports/out/license.repository'; +import { LicenseRepository, LICENSE_REPOSITORY } from '@domain/ports/out/license.repository'; import { OrganizationRepository, ORGANIZATION_REPOSITORY, @@ -30,14 +20,10 @@ import { UserRepository, USER_REPOSITORY } from '@domain/ports/out/user.reposito import { StripePort, STRIPE_PORT } from '@domain/ports/out/stripe.port'; import { Subscription } from '@domain/entities/subscription.entity'; import { License } from '@domain/entities/license.entity'; -import { - SubscriptionPlan, - SubscriptionPlanType, -} from '@domain/value-objects/subscription-plan.vo'; +import { SubscriptionPlan, SubscriptionPlanType } from '@domain/value-objects/subscription-plan.vo'; import { SubscriptionStatus } from '@domain/value-objects/subscription-status.vo'; import { NoLicensesAvailableException, - SubscriptionNotFoundException, LicenseAlreadyAssignedException, } from '@domain/exceptions/subscription.exceptions'; import { @@ -69,50 +55,54 @@ export class SubscriptionService { private readonly userRepository: UserRepository, @Inject(STRIPE_PORT) private readonly stripeAdapter: StripePort, - private readonly configService: ConfigService, + private readonly configService: ConfigService ) {} /** * Get subscription overview for an organization + * ADMIN users always see a PLATINIUM plan with no expiration */ async getSubscriptionOverview( organizationId: string, + userRole?: string ): Promise { const subscription = await this.getOrCreateSubscription(organizationId); - const activeLicenses = await this.licenseRepository.findActiveBySubscriptionId( - subscription.id, - ); + const activeLicenses = await this.licenseRepository.findActiveBySubscriptionId(subscription.id); // Enrich licenses with user information const enrichedLicenses = await Promise.all( - activeLicenses.map(async (license) => { + activeLicenses.map(async license => { const user = await this.userRepository.findById(license.userId); return this.mapLicenseToDto(license, user); - }), + }) ); // Count only non-ADMIN licenses for quota calculation // ADMIN users have unlimited licenses and don't count against the quota const usedLicenses = await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins( - subscription.id, + subscription.id ); - const maxLicenses = subscription.maxLicenses; - const availableLicenses = subscription.isUnlimited() + + // ADMIN users always have PLATINIUM plan with no expiration + const isAdmin = userRole === 'ADMIN'; + const effectivePlan = isAdmin ? SubscriptionPlan.platinium() : subscription.plan; + const maxLicenses = effectivePlan.maxLicenses; + const availableLicenses = effectivePlan.isUnlimited() ? -1 : Math.max(0, maxLicenses - usedLicenses); return { id: subscription.id, organizationId: subscription.organizationId, - plan: subscription.plan.value as SubscriptionPlanDto, - planDetails: this.mapPlanToDto(subscription.plan), + plan: effectivePlan.value as SubscriptionPlanDto, + planDetails: this.mapPlanToDto(effectivePlan), status: subscription.status.value as SubscriptionStatusDto, usedLicenses, maxLicenses, availableLicenses, - cancelAtPeriodEnd: subscription.cancelAtPeriodEnd, - currentPeriodStart: subscription.currentPeriodStart || undefined, - currentPeriodEnd: subscription.currentPeriodEnd || undefined, + cancelAtPeriodEnd: false, + currentPeriodStart: isAdmin ? undefined : subscription.currentPeriodStart || undefined, + currentPeriodEnd: isAdmin ? undefined : subscription.currentPeriodEnd || undefined, createdAt: subscription.createdAt, updatedAt: subscription.updatedAt, licenses: enrichedLicenses, @@ -123,27 +113,35 @@ export class SubscriptionService { * Get all available plans */ getAllPlans(): AllPlansResponseDto { - const plans = SubscriptionPlan.getAllPlans().map((plan) => - this.mapPlanToDto(plan), - ); + const plans = SubscriptionPlan.getAllPlans().map(plan => this.mapPlanToDto(plan)); return { plans }; } /** * Check if organization can invite more users - * Note: ADMIN users don't count against the license quota + * Note: ADMIN users don't count against the license quota and always have unlimited licenses */ - async canInviteUser(organizationId: string): Promise { + async canInviteUser(organizationId: string, userRole?: string): Promise { + // ADMIN users always have unlimited invitations + if (userRole === 'ADMIN') { + return { + canInvite: true, + availableLicenses: -1, + usedLicenses: 0, + maxLicenses: -1, + message: undefined, + }; + } + const subscription = await this.getOrCreateSubscription(organizationId); // Count only non-ADMIN licenses - ADMIN users have unlimited licenses const usedLicenses = await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins( - subscription.id, + subscription.id ); const maxLicenses = subscription.maxLicenses; const canInvite = - subscription.isActive() && - (subscription.isUnlimited() || usedLicenses < maxLicenses); + subscription.isActive() && (subscription.isUnlimited() || usedLicenses < maxLicenses); const availableLicenses = subscription.isUnlimited() ? -1 @@ -171,7 +169,7 @@ export class SubscriptionService { async createCheckoutSession( organizationId: string, userId: string, - dto: CreateCheckoutSessionDto, + dto: CreateCheckoutSessionDto ): Promise { const organization = await this.organizationRepository.findById(organizationId); if (!organization) { @@ -184,23 +182,19 @@ export class SubscriptionService { } // Cannot checkout for FREE plan - if (dto.plan === SubscriptionPlanDto.FREE) { - throw new BadRequestException('Cannot create checkout session for FREE plan'); + if (dto.plan === SubscriptionPlanDto.BRONZE) { + throw new BadRequestException('Cannot create checkout session for Bronze plan'); } const subscription = await this.getOrCreateSubscription(organizationId); - const frontendUrl = this.configService.get( - 'FRONTEND_URL', - 'http://localhost:3000', - ); + const frontendUrl = this.configService.get('FRONTEND_URL', 'http://localhost:3000'); // Include {CHECKOUT_SESSION_ID} placeholder - Stripe replaces it with actual session ID const successUrl = dto.successUrl || `${frontendUrl}/dashboard/settings/organization?success=true&session_id={CHECKOUT_SESSION_ID}`; const cancelUrl = - dto.cancelUrl || - `${frontendUrl}/dashboard/settings/organization?canceled=true`; + dto.cancelUrl || `${frontendUrl}/dashboard/settings/organization?canceled=true`; const result = await this.stripeAdapter.createCheckoutSession({ organizationId, @@ -214,7 +208,7 @@ export class SubscriptionService { }); this.logger.log( - `Created checkout session for organization ${organizationId}, plan ${dto.plan}`, + `Created checkout session for organization ${organizationId}, plan ${dto.plan}` ); return { @@ -228,24 +222,18 @@ export class SubscriptionService { */ async createPortalSession( organizationId: string, - dto: CreatePortalSessionDto, + dto: CreatePortalSessionDto ): Promise { - const subscription = await this.subscriptionRepository.findByOrganizationId( - organizationId, - ); + const subscription = await this.subscriptionRepository.findByOrganizationId(organizationId); if (!subscription?.stripeCustomerId) { throw new BadRequestException( - 'No Stripe customer found for this organization. Please complete a checkout first.', + 'No Stripe customer found for this organization. Please complete a checkout first.' ); } - const frontendUrl = this.configService.get( - 'FRONTEND_URL', - 'http://localhost:3000', - ); - const returnUrl = - dto.returnUrl || `${frontendUrl}/dashboard/settings/organization`; + const frontendUrl = this.configService.get('FRONTEND_URL', 'http://localhost:3000'); + const returnUrl = dto.returnUrl || `${frontendUrl}/dashboard/settings/organization`; const result = await this.stripeAdapter.createPortalSession({ customerId: subscription.stripeCustomerId, @@ -267,11 +255,9 @@ export class SubscriptionService { */ async syncFromStripe( organizationId: string, - sessionId?: string, + sessionId?: string ): Promise { - let subscription = await this.subscriptionRepository.findByOrganizationId( - organizationId, - ); + let subscription = await this.subscriptionRepository.findByOrganizationId(organizationId); if (!subscription) { subscription = await this.getOrCreateSubscription(organizationId); @@ -283,12 +269,14 @@ export class SubscriptionService { // If we have a session ID, ALWAYS retrieve the checkout session to get the latest subscription details // This is important for upgrades where Stripe may create a new subscription if (sessionId) { - this.logger.log(`Retrieving checkout session ${sessionId} for organization ${organizationId}`); + this.logger.log( + `Retrieving checkout session ${sessionId} for organization ${organizationId}` + ); const checkoutSession = await this.stripeAdapter.getCheckoutSession(sessionId); if (checkoutSession) { this.logger.log( - `Checkout session found: subscriptionId=${checkoutSession.subscriptionId}, customerId=${checkoutSession.customerId}, status=${checkoutSession.status}`, + `Checkout session found: subscriptionId=${checkoutSession.subscriptionId}, customerId=${checkoutSession.customerId}, status=${checkoutSession.status}` ); // Always use the subscription ID from the checkout session if available @@ -330,7 +318,7 @@ export class SubscriptionService { if (plan) { // Count only non-ADMIN licenses - ADMIN users have unlimited licenses const usedLicenses = await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins( - subscription.id, + subscription.id ); const newPlan = SubscriptionPlan.create(plan); @@ -354,13 +342,13 @@ export class SubscriptionService { // Update status updatedSubscription = updatedSubscription.updateStatus( - SubscriptionStatus.fromStripeStatus(stripeData.status), + SubscriptionStatus.fromStripeStatus(stripeData.status) ); await this.subscriptionRepository.save(updatedSubscription); this.logger.log( - `Synced subscription for organization ${organizationId} from Stripe (plan: ${updatedSubscription.plan.value})`, + `Synced subscription for organization ${organizationId} from Stripe (plan: ${updatedSubscription.plan.value})` ); return this.getSubscriptionOverview(organizationId); @@ -418,14 +406,14 @@ export class SubscriptionService { if (!isAdmin) { // Count only non-ADMIN licenses for quota check const usedLicenses = await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins( - subscription.id, + subscription.id ); if (!subscription.canAllocateLicenses(usedLicenses)) { throw new NoLicensesAvailableException( organizationId, usedLicenses, - subscription.maxLicenses, + subscription.maxLicenses ); } } @@ -474,22 +462,18 @@ export class SubscriptionService { * Get or create a subscription for an organization */ async getOrCreateSubscription(organizationId: string): Promise { - let subscription = await this.subscriptionRepository.findByOrganizationId( - organizationId, - ); + let subscription = await this.subscriptionRepository.findByOrganizationId(organizationId); if (!subscription) { // Create FREE subscription for the organization subscription = Subscription.create({ id: uuidv4(), organizationId, - plan: SubscriptionPlan.free(), + plan: SubscriptionPlan.bronze(), }); subscription = await this.subscriptionRepository.save(subscription); - this.logger.log( - `Created FREE subscription for organization ${organizationId}`, - ); + this.logger.log(`Created Bronze subscription for organization ${organizationId}`); } return subscription; @@ -497,9 +481,7 @@ export class SubscriptionService { // Private helper methods - private async handleCheckoutCompleted( - session: Record, - ): Promise { + private async handleCheckoutCompleted(session: Record): Promise { const metadata = session.metadata as Record | undefined; const organizationId = metadata?.organizationId; const customerId = session.customer as string; @@ -537,27 +519,26 @@ export class SubscriptionService { }); subscription = subscription.updatePlan( SubscriptionPlan.create(plan), - await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins(subscription.id), + await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins(subscription.id) ); subscription = subscription.updateStatus( - SubscriptionStatus.fromStripeStatus(stripeSubscription.status), + SubscriptionStatus.fromStripeStatus(stripeSubscription.status) ); await this.subscriptionRepository.save(subscription); - this.logger.log( - `Updated subscription for organization ${organizationId} to plan ${plan}`, - ); + // Update organization status badge to match the plan + await this.updateOrganizationBadge(organizationId, subscription.statusBadge); + + this.logger.log(`Updated subscription for organization ${organizationId} to plan ${plan}`); } private async handleSubscriptionUpdated( - stripeSubscription: Record, + stripeSubscription: Record ): Promise { const subscriptionId = stripeSubscription.id as string; - let subscription = await this.subscriptionRepository.findByStripeSubscriptionId( - subscriptionId, - ); + let subscription = await this.subscriptionRepository.findByStripeSubscriptionId(subscriptionId); if (!subscription) { this.logger.warn(`Subscription ${subscriptionId} not found in database`); @@ -576,7 +557,7 @@ export class SubscriptionService { if (plan) { // Count only non-ADMIN licenses - ADMIN users have unlimited licenses const usedLicenses = await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins( - subscription.id, + subscription.id ); const newPlan = SubscriptionPlan.create(plan); @@ -584,9 +565,7 @@ export class SubscriptionService { if (newPlan.canAccommodateUsers(usedLicenses)) { subscription = subscription.updatePlan(newPlan, usedLicenses); } else { - this.logger.warn( - `Cannot update to plan ${plan} - would exceed license limit`, - ); + this.logger.warn(`Cannot update to plan ${plan} - would exceed license limit`); } } @@ -597,22 +576,26 @@ export class SubscriptionService { cancelAtPeriodEnd: stripeData.cancelAtPeriodEnd, }); subscription = subscription.updateStatus( - SubscriptionStatus.fromStripeStatus(stripeData.status), + SubscriptionStatus.fromStripeStatus(stripeData.status) ); await this.subscriptionRepository.save(subscription); + // Update organization status badge to match the plan + if (subscription.organizationId) { + await this.updateOrganizationBadge(subscription.organizationId, subscription.statusBadge); + } + this.logger.log(`Updated subscription ${subscriptionId}`); } private async handleSubscriptionDeleted( - stripeSubscription: Record, + stripeSubscription: Record ): Promise { const subscriptionId = stripeSubscription.id as string; - const subscription = await this.subscriptionRepository.findByStripeSubscriptionId( - subscriptionId, - ); + const subscription = + await this.subscriptionRepository.findByStripeSubscriptionId(subscriptionId); if (!subscription) { this.logger.warn(`Subscription ${subscriptionId} not found in database`); @@ -622,42 +605,41 @@ export class SubscriptionService { // Downgrade to FREE plan - count only non-ADMIN licenses const canceledSubscription = subscription .updatePlan( - SubscriptionPlan.free(), - await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins(subscription.id), + SubscriptionPlan.bronze(), + await this.licenseRepository.countActiveBySubscriptionIdExcludingAdmins(subscription.id) ) .updateStatus(SubscriptionStatus.canceled()); await this.subscriptionRepository.save(canceledSubscription); - this.logger.log(`Subscription ${subscriptionId} canceled, downgraded to FREE`); + // Reset organization badge to 'none' on cancellation + if (subscription.organizationId) { + await this.updateOrganizationBadge(subscription.organizationId, 'none'); + } + + this.logger.log(`Subscription ${subscriptionId} canceled, downgraded to Bronze`); } private async handlePaymentFailed(invoice: Record): Promise { const customerId = invoice.customer as string; - const subscription = await this.subscriptionRepository.findByStripeCustomerId( - customerId, - ); + const subscription = await this.subscriptionRepository.findByStripeCustomerId(customerId); if (!subscription) { this.logger.warn(`Subscription for customer ${customerId} not found`); return; } - const updatedSubscription = subscription.updateStatus( - SubscriptionStatus.pastDue(), - ); + const updatedSubscription = subscription.updateStatus(SubscriptionStatus.pastDue()); await this.subscriptionRepository.save(updatedSubscription); - this.logger.log( - `Subscription ${subscription.id} marked as past due due to payment failure`, - ); + this.logger.log(`Subscription ${subscription.id} marked as past due due to payment failure`); } private mapLicenseToDto( license: License, - user: { email: string; firstName: string; lastName: string; role: string } | null, + user: { email: string; firstName: string; lastName: string; role: string } | null ): LicenseResponseDto { return { id: license.id, @@ -671,6 +653,19 @@ export class SubscriptionService { }; } + private async updateOrganizationBadge(organizationId: string, badge: string): Promise { + try { + const organization = await this.organizationRepository.findById(organizationId); + if (organization) { + organization.updateStatusBadge(badge as 'none' | 'silver' | 'gold' | 'platinium'); + await this.organizationRepository.save(organization); + this.logger.log(`Updated status badge for organization ${organizationId} to ${badge}`); + } + } catch (error: any) { + this.logger.error(`Failed to update organization badge: ${error?.message}`, error?.stack); + } + } + private mapPlanToDto(plan: SubscriptionPlan): PlanDetailsDto { return { plan: plan.value as SubscriptionPlanDto, @@ -678,6 +673,11 @@ export class SubscriptionService { maxLicenses: plan.maxLicenses, monthlyPriceEur: plan.monthlyPriceEur, yearlyPriceEur: plan.yearlyPriceEur, + maxShipmentsPerYear: plan.maxShipmentsPerYear, + commissionRatePercent: plan.commissionRatePercent, + supportLevel: plan.supportLevel, + statusBadge: plan.statusBadge, + planFeatures: [...plan.planFeatures], features: [...plan.features], }; } diff --git a/apps/backend/src/application/users/users.module.ts b/apps/backend/src/application/users/users.module.ts index a5f714c..1603268 100644 --- a/apps/backend/src/application/users/users.module.ts +++ b/apps/backend/src/application/users/users.module.ts @@ -7,14 +7,13 @@ import { USER_REPOSITORY } from '@domain/ports/out/user.repository'; import { TypeOrmUserRepository } from '../../infrastructure/persistence/typeorm/repositories/typeorm-user.repository'; import { UserOrmEntity } from '../../infrastructure/persistence/typeorm/entities/user.orm-entity'; import { SubscriptionsModule } from '../subscriptions/subscriptions.module'; +import { FeatureFlagGuard } from '../guards/feature-flag.guard'; @Module({ - imports: [ - TypeOrmModule.forFeature([UserOrmEntity]), - SubscriptionsModule, - ], + imports: [TypeOrmModule.forFeature([UserOrmEntity]), SubscriptionsModule], controllers: [UsersController], providers: [ + FeatureFlagGuard, { provide: USER_REPOSITORY, useClass: TypeOrmUserRepository, diff --git a/apps/backend/src/domain/entities/api-key.entity.ts b/apps/backend/src/domain/entities/api-key.entity.ts new file mode 100644 index 0000000..f0a48fa --- /dev/null +++ b/apps/backend/src/domain/entities/api-key.entity.ts @@ -0,0 +1,135 @@ +/** + * ApiKey Entity + * + * Represents a programmatic API key for an organization. + * Only GOLD and PLATINIUM subscribers can create and use API keys. + * + * Security model: + * - The raw key is NEVER persisted — only its SHA-256 hash is stored. + * - The full key is returned exactly once, at creation time. + * - The keyPrefix (first 16 chars) is stored for display purposes. + */ + +export interface ApiKeyProps { + readonly id: string; + readonly organizationId: string; + readonly userId: string; + readonly name: string; + readonly keyHash: string; + readonly keyPrefix: string; + readonly isActive: boolean; + readonly lastUsedAt: Date | null; + readonly expiresAt: Date | null; + readonly createdAt: Date; + readonly updatedAt: Date; +} + +export class ApiKey { + private readonly props: ApiKeyProps; + + private constructor(props: ApiKeyProps) { + this.props = props; + } + + static create(params: { + id: string; + organizationId: string; + userId: string; + name: string; + keyHash: string; + keyPrefix: string; + expiresAt?: Date | null; + }): ApiKey { + const now = new Date(); + return new ApiKey({ + id: params.id, + organizationId: params.organizationId, + userId: params.userId, + name: params.name, + keyHash: params.keyHash, + keyPrefix: params.keyPrefix, + isActive: true, + lastUsedAt: null, + expiresAt: params.expiresAt ?? null, + createdAt: now, + updatedAt: now, + }); + } + + static fromPersistence(props: ApiKeyProps): ApiKey { + return new ApiKey(props); + } + + get id(): string { + return this.props.id; + } + + get organizationId(): string { + return this.props.organizationId; + } + + get userId(): string { + return this.props.userId; + } + + get name(): string { + return this.props.name; + } + + get keyHash(): string { + return this.props.keyHash; + } + + get keyPrefix(): string { + return this.props.keyPrefix; + } + + get isActive(): boolean { + return this.props.isActive; + } + + get lastUsedAt(): Date | null { + return this.props.lastUsedAt; + } + + get expiresAt(): Date | null { + return this.props.expiresAt; + } + + get createdAt(): Date { + return this.props.createdAt; + } + + get updatedAt(): Date { + return this.props.updatedAt; + } + + isExpired(): boolean { + if (!this.props.expiresAt) return false; + return this.props.expiresAt < new Date(); + } + + isValid(): boolean { + return this.props.isActive && !this.isExpired(); + } + + revoke(): ApiKey { + return new ApiKey({ + ...this.props, + isActive: false, + updatedAt: new Date(), + }); + } + + recordUsage(): ApiKey { + return new ApiKey({ + ...this.props, + lastUsedAt: new Date(), + updatedAt: new Date(), + }); + } + + toObject(): ApiKeyProps { + return { ...this.props }; + } +} diff --git a/apps/backend/src/domain/entities/booking.entity.ts b/apps/backend/src/domain/entities/booking.entity.ts index ac496c2..3512c7a 100644 --- a/apps/backend/src/domain/entities/booking.entity.ts +++ b/apps/backend/src/domain/entities/booking.entity.ts @@ -50,6 +50,8 @@ export interface BookingProps { cargoDescription: string; containers: BookingContainer[]; specialInstructions?: string; + commissionRate?: number; + commissionAmountEur?: number; createdAt: Date; updatedAt: Date; } @@ -161,6 +163,14 @@ export class Booking { return this.props.specialInstructions; } + get commissionRate(): number | undefined { + return this.props.commissionRate; + } + + get commissionAmountEur(): number | undefined { + return this.props.commissionAmountEur; + } + get createdAt(): Date { return this.props.createdAt; } @@ -270,6 +280,19 @@ export class Booking { }); } + /** + * Apply commission to the booking + */ + applyCommission(ratePercent: number, baseAmountEur: number): Booking { + const commissionAmount = Math.round(baseAmountEur * ratePercent) / 100; + return new Booking({ + ...this.props, + commissionRate: ratePercent, + commissionAmountEur: commissionAmount, + updatedAt: new Date(), + }); + } + /** * Check if booking can be cancelled */ diff --git a/apps/backend/src/domain/entities/csv-booking.entity.ts b/apps/backend/src/domain/entities/csv-booking.entity.ts index 1361e0d..ca0b7de 100644 --- a/apps/backend/src/domain/entities/csv-booking.entity.ts +++ b/apps/backend/src/domain/entities/csv-booking.entity.ts @@ -6,6 +6,8 @@ import { PortCode } from '../value-objects/port-code.vo'; * Represents the lifecycle of a CSV-based booking request */ export enum CsvBookingStatus { + PENDING_PAYMENT = 'PENDING_PAYMENT', // Awaiting commission payment + PENDING_BANK_TRANSFER = 'PENDING_BANK_TRANSFER', // Bank transfer declared, awaiting admin validation PENDING = 'PENDING', // Awaiting carrier response ACCEPTED = 'ACCEPTED', // Carrier accepted the booking REJECTED = 'REJECTED', // Carrier rejected the booking @@ -80,7 +82,10 @@ export class CsvBooking { public respondedAt?: Date, public notes?: string, public rejectionReason?: string, - public readonly bookingNumber?: string + public readonly bookingNumber?: string, + public commissionRate?: number, + public commissionAmountEur?: number, + public stripePaymentIntentId?: string ) { this.validate(); } @@ -144,6 +149,61 @@ export class CsvBooking { } } + /** + * Apply commission to the booking + */ + applyCommission(ratePercent: number, baseAmountEur: number): void { + this.commissionRate = ratePercent; + this.commissionAmountEur = Math.round(baseAmountEur * ratePercent) / 100; + } + + /** + * Mark commission payment as completed → transition to PENDING + * + * @throws Error if booking is not in PENDING_PAYMENT status + */ + markPaymentCompleted(): void { + if (this.status !== CsvBookingStatus.PENDING_PAYMENT) { + throw new Error( + `Cannot mark payment completed for booking with status ${this.status}. Only PENDING_PAYMENT bookings can transition.` + ); + } + + this.status = CsvBookingStatus.PENDING; + } + + /** + * Declare bank transfer → transition to PENDING_BANK_TRANSFER + * Called when user confirms they have sent the bank transfer + * + * @throws Error if booking is not in PENDING_PAYMENT status + */ + markBankTransferDeclared(): void { + if (this.status !== CsvBookingStatus.PENDING_PAYMENT) { + throw new Error( + `Cannot declare bank transfer for booking with status ${this.status}. Only PENDING_PAYMENT bookings can transition.` + ); + } + + this.status = CsvBookingStatus.PENDING_BANK_TRANSFER; + } + + /** + * Admin validates bank transfer → transition to PENDING + * Called by admin once bank transfer has been received and verified + * + * @throws Error if booking is not in PENDING_BANK_TRANSFER status + */ + markBankTransferValidated(): void { + if (this.status !== CsvBookingStatus.PENDING_BANK_TRANSFER) { + throw new Error( + `Cannot validate bank transfer for booking with status ${this.status}. Only PENDING_BANK_TRANSFER bookings can transition.` + ); + } + + this.status = CsvBookingStatus.PENDING; + } + /** * Accept the booking * @@ -202,6 +262,10 @@ export class CsvBooking { throw new Error('Cannot cancel rejected booking'); } + if (this.status === CsvBookingStatus.CANCELLED) { + throw new Error('Booking is already cancelled'); + } + this.status = CsvBookingStatus.CANCELLED; this.respondedAt = new Date(); } @@ -211,6 +275,10 @@ export class CsvBooking { * * @returns true if booking is older than 7 days and still pending */ + isPendingPayment(): boolean { + return this.status === CsvBookingStatus.PENDING_PAYMENT; + } + isExpired(): boolean { if (this.status !== CsvBookingStatus.PENDING) { return false; @@ -363,7 +431,10 @@ export class CsvBooking { respondedAt?: Date, notes?: string, rejectionReason?: string, - bookingNumber?: string + bookingNumber?: string, + commissionRate?: number, + commissionAmountEur?: number, + stripePaymentIntentId?: string ): CsvBooking { // Create instance without calling constructor validation const booking = Object.create(CsvBooking.prototype); @@ -392,6 +463,9 @@ export class CsvBooking { booking.notes = notes; booking.rejectionReason = rejectionReason; booking.bookingNumber = bookingNumber; + booking.commissionRate = commissionRate; + booking.commissionAmountEur = commissionAmountEur; + booking.stripePaymentIntentId = stripePaymentIntentId; return booking; } diff --git a/apps/backend/src/domain/entities/license.entity.ts b/apps/backend/src/domain/entities/license.entity.ts index 75da6b7..e61186b 100644 --- a/apps/backend/src/domain/entities/license.entity.ts +++ b/apps/backend/src/domain/entities/license.entity.ts @@ -5,10 +5,7 @@ * Each active user in an organization consumes one license. */ -import { - LicenseStatus, - LicenseStatusType, -} from '../value-objects/license-status.vo'; +import { LicenseStatus, LicenseStatusType } from '../value-objects/license-status.vo'; export interface LicenseProps { readonly id: string; @@ -29,11 +26,7 @@ export class License { /** * Create a new license for a user */ - static create(props: { - id: string; - subscriptionId: string; - userId: string; - }): License { + static create(props: { id: string; subscriptionId: string; userId: string }): License { return new License({ id: props.id, subscriptionId: props.subscriptionId, diff --git a/apps/backend/src/domain/entities/organization.entity.ts b/apps/backend/src/domain/entities/organization.entity.ts index 32baac5..4cfa76c 100644 --- a/apps/backend/src/domain/entities/organization.entity.ts +++ b/apps/backend/src/domain/entities/organization.entity.ts @@ -44,6 +44,9 @@ export interface OrganizationProps { address: OrganizationAddress; logoUrl?: string; documents: OrganizationDocument[]; + siret?: string; + siretVerified: boolean; + statusBadge: 'none' | 'silver' | 'gold' | 'platinium'; createdAt: Date; updatedAt: Date; isActive: boolean; @@ -59,9 +62,19 @@ export class Organization { /** * Factory method to create a new Organization */ - static create(props: Omit): Organization { + static create( + props: Omit & { + siretVerified?: boolean; + statusBadge?: 'none' | 'silver' | 'gold' | 'platinium'; + } + ): Organization { const now = new Date(); + // Validate SIRET if provided + if (props.siret && !Organization.isValidSiret(props.siret)) { + throw new Error('Invalid SIRET format. Must be 14 digits.'); + } + // Validate SCAC code if provided if (props.scac && !Organization.isValidSCAC(props.scac)) { throw new Error('Invalid SCAC code format. Must be 4 uppercase letters.'); @@ -79,6 +92,8 @@ export class Organization { return new Organization({ ...props, + siretVerified: props.siretVerified ?? false, + statusBadge: props.statusBadge ?? 'none', createdAt: now, updatedAt: now, }); @@ -100,6 +115,10 @@ export class Organization { return scacPattern.test(scac); } + private static isValidSiret(siret: string): boolean { + return /^\d{14}$/.test(siret); + } + // Getters get id(): string { return this.props.id; @@ -153,6 +172,18 @@ export class Organization { return this.props.updatedAt; } + get siret(): string | undefined { + return this.props.siret; + } + + get siretVerified(): boolean { + return this.props.siretVerified; + } + + get statusBadge(): 'none' | 'silver' | 'gold' | 'platinium' { + return this.props.statusBadge; + } + get isActive(): boolean { return this.props.isActive; } @@ -183,6 +214,25 @@ export class Organization { this.props.updatedAt = new Date(); } + updateSiret(siret: string): void { + if (!Organization.isValidSiret(siret)) { + throw new Error('Invalid SIRET format. Must be 14 digits.'); + } + this.props.siret = siret; + this.props.siretVerified = false; + this.props.updatedAt = new Date(); + } + + markSiretVerified(): void { + this.props.siretVerified = true; + this.props.updatedAt = new Date(); + } + + updateStatusBadge(badge: 'none' | 'silver' | 'gold' | 'platinium'): void { + this.props.statusBadge = badge; + this.props.updatedAt = new Date(); + } + updateSiren(siren: string): void { this.props.siren = siren; this.props.updatedAt = new Date(); diff --git a/apps/backend/src/domain/entities/subscription.entity.spec.ts b/apps/backend/src/domain/entities/subscription.entity.spec.ts index 9b554de..4e93f08 100644 --- a/apps/backend/src/domain/entities/subscription.entity.spec.ts +++ b/apps/backend/src/domain/entities/subscription.entity.spec.ts @@ -272,7 +272,7 @@ describe('Subscription Entity', () => { }); expect(() => subscription.updatePlan(SubscriptionPlan.starter(), 0)).toThrow( - SubscriptionNotActiveException, + SubscriptionNotActiveException ); }); @@ -284,7 +284,7 @@ describe('Subscription Entity', () => { }); expect(() => subscription.updatePlan(SubscriptionPlan.starter(), 10)).toThrow( - InvalidSubscriptionDowngradeException, + InvalidSubscriptionDowngradeException ); }); }); diff --git a/apps/backend/src/domain/entities/subscription.entity.ts b/apps/backend/src/domain/entities/subscription.entity.ts index 572af04..3cde08c 100644 --- a/apps/backend/src/domain/entities/subscription.entity.ts +++ b/apps/backend/src/domain/entities/subscription.entity.ts @@ -5,10 +5,7 @@ * Stripe integration, and billing period information. */ -import { - SubscriptionPlan, - SubscriptionPlanType, -} from '../value-objects/subscription-plan.vo'; +import { SubscriptionPlan, SubscriptionPlanType } from '../value-objects/subscription-plan.vo'; import { SubscriptionStatus, SubscriptionStatusType, @@ -40,7 +37,7 @@ export class Subscription { } /** - * Create a new subscription (defaults to FREE plan) + * Create a new subscription (defaults to Bronze/free plan) */ static create(props: { id: string; @@ -53,7 +50,7 @@ export class Subscription { return new Subscription({ id: props.id, organizationId: props.organizationId, - plan: props.plan ?? SubscriptionPlan.free(), + plan: props.plan ?? SubscriptionPlan.bronze(), status: SubscriptionStatus.active(), stripeCustomerId: props.stripeCustomerId ?? null, stripeSubscriptionId: props.stripeSubscriptionId ?? null, @@ -68,10 +65,41 @@ export class Subscription { /** * Reconstitute from persistence */ + /** + * Check if a specific plan feature is available + */ + hasFeature(feature: import('../value-objects/plan-feature.vo').PlanFeature): boolean { + return this.props.plan.hasFeature(feature); + } + + /** + * Get the maximum shipments per year allowed + */ + get maxShipmentsPerYear(): number { + return this.props.plan.maxShipmentsPerYear; + } + + /** + * Get the commission rate for this subscription's plan + */ + get commissionRatePercent(): number { + return this.props.plan.commissionRatePercent; + } + + /** + * Get the status badge for this subscription's plan + */ + get statusBadge(): string { + return this.props.plan.statusBadge; + } + + /** + * Reconstitute from persistence (supports legacy plan names) + */ static fromPersistence(props: { id: string; organizationId: string; - plan: SubscriptionPlanType; + plan: string; // Accepts both old and new plan names status: SubscriptionStatusType; stripeCustomerId: string | null; stripeSubscriptionId: string | null; @@ -84,7 +112,7 @@ export class Subscription { return new Subscription({ id: props.id, organizationId: props.organizationId, - plan: SubscriptionPlan.create(props.plan), + plan: SubscriptionPlan.fromString(props.plan), status: SubscriptionStatus.create(props.status), stripeCustomerId: props.stripeCustomerId, stripeSubscriptionId: props.stripeSubscriptionId, @@ -236,7 +264,7 @@ export class Subscription { this.props.plan.value, newPlan.value, currentUserCount, - newPlan.maxLicenses, + newPlan.maxLicenses ); } diff --git a/apps/backend/src/domain/exceptions/shipment-limit-exceeded.exception.ts b/apps/backend/src/domain/exceptions/shipment-limit-exceeded.exception.ts new file mode 100644 index 0000000..ee75eec --- /dev/null +++ b/apps/backend/src/domain/exceptions/shipment-limit-exceeded.exception.ts @@ -0,0 +1,17 @@ +/** + * Shipment Limit Exceeded Exception + * + * Thrown when an organization has reached its annual shipment limit (Bronze plan). + */ +export class ShipmentLimitExceededException extends Error { + constructor( + public readonly organizationId: string, + public readonly currentCount: number, + public readonly maxCount: number + ) { + super( + `L'organisation a atteint sa limite de ${maxCount} expéditions par an (${currentCount}/${maxCount}). Passez à un plan supérieur pour des expéditions illimitées.` + ); + this.name = 'ShipmentLimitExceededException'; + } +} diff --git a/apps/backend/src/domain/exceptions/subscription.exceptions.ts b/apps/backend/src/domain/exceptions/subscription.exceptions.ts index 55cdcbd..815aa78 100644 --- a/apps/backend/src/domain/exceptions/subscription.exceptions.ts +++ b/apps/backend/src/domain/exceptions/subscription.exceptions.ts @@ -6,11 +6,11 @@ export class NoLicensesAvailableException extends Error { constructor( public readonly organizationId: string, public readonly currentLicenses: number, - public readonly maxLicenses: number, + public readonly maxLicenses: number ) { super( `No licenses available for organization ${organizationId}. ` + - `Currently using ${currentLicenses}/${maxLicenses} licenses.`, + `Currently using ${currentLicenses}/${maxLicenses} licenses.` ); this.name = 'NoLicensesAvailableException'; Object.setPrototypeOf(this, NoLicensesAvailableException.prototype); @@ -46,11 +46,11 @@ export class InvalidSubscriptionDowngradeException extends Error { public readonly currentPlan: string, public readonly targetPlan: string, public readonly currentUsers: number, - public readonly targetMaxLicenses: number, + public readonly targetMaxLicenses: number ) { super( `Cannot downgrade from ${currentPlan} to ${targetPlan}. ` + - `Current users (${currentUsers}) exceed target plan limit (${targetMaxLicenses}).`, + `Current users (${currentUsers}) exceed target plan limit (${targetMaxLicenses}).` ); this.name = 'InvalidSubscriptionDowngradeException'; Object.setPrototypeOf(this, InvalidSubscriptionDowngradeException.prototype); @@ -60,11 +60,9 @@ export class InvalidSubscriptionDowngradeException extends Error { export class SubscriptionNotActiveException extends Error { constructor( public readonly subscriptionId: string, - public readonly currentStatus: string, + public readonly currentStatus: string ) { - super( - `Subscription ${subscriptionId} is not active. Current status: ${currentStatus}`, - ); + super(`Subscription ${subscriptionId} is not active. Current status: ${currentStatus}`); this.name = 'SubscriptionNotActiveException'; Object.setPrototypeOf(this, SubscriptionNotActiveException.prototype); } @@ -73,13 +71,10 @@ export class SubscriptionNotActiveException extends Error { export class InvalidSubscriptionStatusTransitionException extends Error { constructor( public readonly fromStatus: string, - public readonly toStatus: string, + public readonly toStatus: string ) { super(`Invalid subscription status transition from ${fromStatus} to ${toStatus}`); this.name = 'InvalidSubscriptionStatusTransitionException'; - Object.setPrototypeOf( - this, - InvalidSubscriptionStatusTransitionException.prototype, - ); + Object.setPrototypeOf(this, InvalidSubscriptionStatusTransitionException.prototype); } } diff --git a/apps/backend/src/domain/ports/out/api-key.repository.ts b/apps/backend/src/domain/ports/out/api-key.repository.ts new file mode 100644 index 0000000..ceece42 --- /dev/null +++ b/apps/backend/src/domain/ports/out/api-key.repository.ts @@ -0,0 +1,11 @@ +import { ApiKey } from '@domain/entities/api-key.entity'; + +export const API_KEY_REPOSITORY = 'API_KEY_REPOSITORY'; + +export interface ApiKeyRepository { + save(apiKey: ApiKey): Promise; + findById(id: string): Promise; + findByKeyHash(keyHash: string): Promise; + findByOrganizationId(organizationId: string): Promise; + delete(id: string): Promise; +} diff --git a/apps/backend/src/domain/ports/out/email.port.ts b/apps/backend/src/domain/ports/out/email.port.ts index 75c1375..596293b 100644 --- a/apps/backend/src/domain/ports/out/email.port.ts +++ b/apps/backend/src/domain/ports/out/email.port.ts @@ -15,6 +15,7 @@ export interface EmailAttachment { export interface EmailOptions { to: string | string[]; + from?: string; cc?: string | string[]; bcc?: string | string[]; replyTo?: string; diff --git a/apps/backend/src/domain/ports/out/invitation-token.repository.ts b/apps/backend/src/domain/ports/out/invitation-token.repository.ts index b3fcc59..285c575 100644 --- a/apps/backend/src/domain/ports/out/invitation-token.repository.ts +++ b/apps/backend/src/domain/ports/out/invitation-token.repository.ts @@ -35,6 +35,11 @@ export interface InvitationTokenRepository { */ deleteExpired(): Promise; + /** + * Delete an invitation by id + */ + deleteById(id: string): Promise; + /** * Update an invitation token */ diff --git a/apps/backend/src/domain/ports/out/shipment-counter.port.ts b/apps/backend/src/domain/ports/out/shipment-counter.port.ts new file mode 100644 index 0000000..0aaad05 --- /dev/null +++ b/apps/backend/src/domain/ports/out/shipment-counter.port.ts @@ -0,0 +1,15 @@ +/** + * Shipment Counter Port + * + * Counts total shipments (bookings + CSV bookings) for an organization + * within a given year. Used to enforce the Bronze plan's 12 shipments/year limit. + */ + +export const SHIPMENT_COUNTER_PORT = 'SHIPMENT_COUNTER_PORT'; + +export interface ShipmentCounterPort { + /** + * Count all shipments (bookings + CSV bookings) created by an organization in a given year. + */ + countShipmentsForOrganizationInYear(organizationId: string, year: number): Promise; +} diff --git a/apps/backend/src/domain/ports/out/siret-verification.port.ts b/apps/backend/src/domain/ports/out/siret-verification.port.ts new file mode 100644 index 0000000..6cae4ca --- /dev/null +++ b/apps/backend/src/domain/ports/out/siret-verification.port.ts @@ -0,0 +1,11 @@ +export const SIRET_VERIFICATION_PORT = 'SIRET_VERIFICATION_PORT'; + +export interface SiretVerificationResult { + valid: boolean; + companyName?: string; + address?: string; +} + +export interface SiretVerificationPort { + verify(siret: string): Promise; +} diff --git a/apps/backend/src/domain/ports/out/stripe.port.ts b/apps/backend/src/domain/ports/out/stripe.port.ts index 564dbfa..0546b6c 100644 --- a/apps/backend/src/domain/ports/out/stripe.port.ts +++ b/apps/backend/src/domain/ports/out/stripe.port.ts @@ -43,6 +43,22 @@ export interface StripeSubscriptionData { cancelAtPeriodEnd: boolean; } +export interface CreateCommissionCheckoutInput { + bookingId: string; + amountCents: number; + currency: 'eur'; + customerEmail: string; + organizationId: string; + bookingDescription: string; + successUrl: string; + cancelUrl: string; +} + +export interface CreateCommissionCheckoutOutput { + sessionId: string; + sessionUrl: string; +} + export interface StripeCheckoutSessionData { sessionId: string; customerId: string | null; @@ -62,16 +78,19 @@ export interface StripePort { /** * Create a Stripe Checkout session for subscription purchase */ - createCheckoutSession( - input: CreateCheckoutSessionInput, - ): Promise; + createCheckoutSession(input: CreateCheckoutSessionInput): Promise; + + /** + * Create a Stripe Checkout session for one-time commission payment + */ + createCommissionCheckout( + input: CreateCommissionCheckoutInput + ): Promise; /** * Create a Stripe Customer Portal session for subscription management */ - createPortalSession( - input: CreatePortalSessionInput, - ): Promise; + createPortalSession(input: CreatePortalSessionInput): Promise; /** * Retrieve subscription details from Stripe @@ -101,10 +120,7 @@ export interface StripePort { /** * Verify and parse a Stripe webhook event */ - constructWebhookEvent( - payload: string | Buffer, - signature: string, - ): Promise; + constructWebhookEvent(payload: string | Buffer, signature: string): Promise; /** * Map a Stripe price ID to a subscription plan diff --git a/apps/backend/src/domain/value-objects/plan-feature.vo.ts b/apps/backend/src/domain/value-objects/plan-feature.vo.ts new file mode 100644 index 0000000..ee6bd91 --- /dev/null +++ b/apps/backend/src/domain/value-objects/plan-feature.vo.ts @@ -0,0 +1,53 @@ +/** + * Plan Feature Value Object + * + * Defines the features available per subscription plan. + * Used by the FeatureFlagGuard to enforce access control. + */ + +export type PlanFeature = + | 'dashboard' + | 'wiki' + | 'user_management' + | 'csv_export' + | 'api_access' + | 'custom_interface' + | 'dedicated_kam'; + +export const ALL_PLAN_FEATURES: readonly PlanFeature[] = [ + 'dashboard', + 'wiki', + 'user_management', + 'csv_export', + 'api_access', + 'custom_interface', + 'dedicated_kam', +]; + +export type SubscriptionPlanTypeForFeatures = 'BRONZE' | 'SILVER' | 'GOLD' | 'PLATINIUM'; + +export const PLAN_FEATURES: Record = { + BRONZE: [], + SILVER: ['dashboard', 'wiki', 'user_management', 'csv_export'], + GOLD: ['dashboard', 'wiki', 'user_management', 'csv_export', 'api_access'], + PLATINIUM: [ + 'dashboard', + 'wiki', + 'user_management', + 'csv_export', + 'api_access', + 'custom_interface', + 'dedicated_kam', + ], +}; + +export function planHasFeature( + plan: SubscriptionPlanTypeForFeatures, + feature: PlanFeature +): boolean { + return PLAN_FEATURES[plan].includes(feature); +} + +export function planGetFeatures(plan: SubscriptionPlanTypeForFeatures): readonly PlanFeature[] { + return PLAN_FEATURES[plan]; +} diff --git a/apps/backend/src/domain/value-objects/subscription-plan.vo.ts b/apps/backend/src/domain/value-objects/subscription-plan.vo.ts index b82192a..f198956 100644 --- a/apps/backend/src/domain/value-objects/subscription-plan.vo.ts +++ b/apps/backend/src/domain/value-objects/subscription-plan.vo.ts @@ -2,68 +2,109 @@ * Subscription Plan Value Object * * Represents the different subscription plans available for organizations. - * Each plan has a maximum number of licenses that determine how many users - * can be active in an organization. + * Each plan has a maximum number of licenses, shipment limits, commission rates, + * feature flags, and support levels. + * + * Plans: BRONZE (free), SILVER (249EUR/mo), GOLD (899EUR/mo), PLATINIUM (custom) */ -export type SubscriptionPlanType = 'FREE' | 'STARTER' | 'PRO' | 'ENTERPRISE'; +import { PlanFeature, PLAN_FEATURES } from './plan-feature.vo'; + +export type SubscriptionPlanType = 'BRONZE' | 'SILVER' | 'GOLD' | 'PLATINIUM'; + +export type SupportLevel = 'none' | 'email' | 'direct' | 'dedicated_kam'; +export type StatusBadge = 'none' | 'silver' | 'gold' | 'platinium'; + +/** + * Legacy plan name mapping for backward compatibility during migration. + */ +const LEGACY_PLAN_MAPPING: Record = { + FREE: 'BRONZE', + STARTER: 'SILVER', + PRO: 'GOLD', + ENTERPRISE: 'PLATINIUM', +}; interface PlanDetails { readonly name: string; readonly maxLicenses: number; // -1 means unlimited readonly monthlyPriceEur: number; readonly yearlyPriceEur: number; - readonly features: readonly string[]; + readonly maxShipmentsPerYear: number; // -1 means unlimited + readonly commissionRatePercent: number; + readonly statusBadge: StatusBadge; + readonly supportLevel: SupportLevel; + readonly planFeatures: readonly PlanFeature[]; + readonly features: readonly string[]; // Human-readable feature descriptions } const PLAN_DETAILS: Record = { - FREE: { - name: 'Free', - maxLicenses: 2, + BRONZE: { + name: 'Bronze', + maxLicenses: 1, monthlyPriceEur: 0, yearlyPriceEur: 0, - features: [ - 'Up to 2 users', - 'Basic rate search', - 'Email support', - ], + maxShipmentsPerYear: 12, + commissionRatePercent: 5, + statusBadge: 'none', + supportLevel: 'none', + planFeatures: PLAN_FEATURES.BRONZE, + features: ['1 utilisateur', '12 expéditions par an', 'Recherche de tarifs basique'], }, - STARTER: { - name: 'Starter', + SILVER: { + name: 'Silver', maxLicenses: 5, - monthlyPriceEur: 49, - yearlyPriceEur: 470, // ~20% discount + monthlyPriceEur: 249, + yearlyPriceEur: 2739, // 249 * 11 months + maxShipmentsPerYear: -1, + commissionRatePercent: 3, + statusBadge: 'silver', + supportLevel: 'email', + planFeatures: PLAN_FEATURES.SILVER, features: [ - 'Up to 5 users', - 'Advanced rate search', - 'CSV imports', - 'Priority email support', + "Jusqu'à 5 utilisateurs", + 'Expéditions illimitées', + 'Tableau de bord', + 'Wiki Maritime', + 'Gestion des utilisateurs', + 'Import CSV', + 'Support par email', ], }, - PRO: { - name: 'Pro', + GOLD: { + name: 'Gold', maxLicenses: 20, - monthlyPriceEur: 149, - yearlyPriceEur: 1430, // ~20% discount + monthlyPriceEur: 899, + yearlyPriceEur: 9889, // 899 * 11 months + maxShipmentsPerYear: -1, + commissionRatePercent: 2, + statusBadge: 'gold', + supportLevel: 'direct', + planFeatures: PLAN_FEATURES.GOLD, features: [ - 'Up to 20 users', - 'All Starter features', - 'API access', - 'Custom integrations', - 'Phone support', + "Jusqu'à 20 utilisateurs", + 'Expéditions illimitées', + 'Toutes les fonctionnalités Silver', + 'Intégration API', + 'Assistance commerciale directe', ], }, - ENTERPRISE: { - name: 'Enterprise', + PLATINIUM: { + name: 'Platinium', maxLicenses: -1, // unlimited monthlyPriceEur: 0, // custom pricing yearlyPriceEur: 0, // custom pricing + maxShipmentsPerYear: -1, + commissionRatePercent: 1, + statusBadge: 'platinium', + supportLevel: 'dedicated_kam', + planFeatures: PLAN_FEATURES.PLATINIUM, features: [ - 'Unlimited users', - 'All Pro features', - 'Dedicated account manager', - 'Custom SLA', - 'On-premise deployment option', + 'Utilisateurs illimités', + 'Toutes les fonctionnalités Gold', + 'Key Account Manager dédié', + 'Interface personnalisable', + 'Contrats tarifaires cadre', ], }, }; @@ -78,36 +119,68 @@ export class SubscriptionPlan { return new SubscriptionPlan(plan); } + /** + * Create from string with legacy name support. + * Accepts both old (FREE/STARTER/PRO/ENTERPRISE) and new (BRONZE/SILVER/GOLD/PLATINIUM) names. + */ static fromString(value: string): SubscriptionPlan { - const upperValue = value.toUpperCase() as SubscriptionPlanType; - if (!PLAN_DETAILS[upperValue]) { - throw new Error(`Invalid subscription plan: ${value}`); + const upperValue = value.toUpperCase(); + + // Check legacy mapping first + const mapped = LEGACY_PLAN_MAPPING[upperValue]; + if (mapped) { + return new SubscriptionPlan(mapped); } - return new SubscriptionPlan(upperValue); + + // Try direct match + if (PLAN_DETAILS[upperValue as SubscriptionPlanType]) { + return new SubscriptionPlan(upperValue as SubscriptionPlanType); + } + + throw new Error(`Invalid subscription plan: ${value}`); } + // Named factories + static bronze(): SubscriptionPlan { + return new SubscriptionPlan('BRONZE'); + } + + static silver(): SubscriptionPlan { + return new SubscriptionPlan('SILVER'); + } + + static gold(): SubscriptionPlan { + return new SubscriptionPlan('GOLD'); + } + + static platinium(): SubscriptionPlan { + return new SubscriptionPlan('PLATINIUM'); + } + + // Legacy aliases static free(): SubscriptionPlan { - return new SubscriptionPlan('FREE'); + return SubscriptionPlan.bronze(); } static starter(): SubscriptionPlan { - return new SubscriptionPlan('STARTER'); + return SubscriptionPlan.silver(); } static pro(): SubscriptionPlan { - return new SubscriptionPlan('PRO'); + return SubscriptionPlan.gold(); } static enterprise(): SubscriptionPlan { - return new SubscriptionPlan('ENTERPRISE'); + return SubscriptionPlan.platinium(); } static getAllPlans(): SubscriptionPlan[] { - return ['FREE', 'STARTER', 'PRO', 'ENTERPRISE'].map( - (p) => new SubscriptionPlan(p as SubscriptionPlanType), + return (['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM'] as SubscriptionPlanType[]).map( + p => new SubscriptionPlan(p) ); } + // Getters get value(): SubscriptionPlanType { return this.plan; } @@ -132,6 +205,33 @@ export class SubscriptionPlan { return PLAN_DETAILS[this.plan].features; } + get maxShipmentsPerYear(): number { + return PLAN_DETAILS[this.plan].maxShipmentsPerYear; + } + + get commissionRatePercent(): number { + return PLAN_DETAILS[this.plan].commissionRatePercent; + } + + get statusBadge(): StatusBadge { + return PLAN_DETAILS[this.plan].statusBadge; + } + + get supportLevel(): SupportLevel { + return PLAN_DETAILS[this.plan].supportLevel; + } + + get planFeatures(): readonly PlanFeature[] { + return PLAN_DETAILS[this.plan].planFeatures; + } + + /** + * Check if this plan includes a specific feature + */ + hasFeature(feature: PlanFeature): boolean { + return this.planFeatures.includes(feature); + } + /** * Returns true if this plan has unlimited licenses */ @@ -140,17 +240,31 @@ export class SubscriptionPlan { } /** - * Returns true if this is a paid plan + * Returns true if this plan has unlimited shipments */ - isPaid(): boolean { - return this.plan !== 'FREE'; + hasUnlimitedShipments(): boolean { + return this.maxShipmentsPerYear === -1; } /** - * Returns true if this is the free plan + * Returns true if this is a paid plan + */ + isPaid(): boolean { + return this.plan !== 'BRONZE'; + } + + /** + * Returns true if this is the free (Bronze) plan */ isFree(): boolean { - return this.plan === 'FREE'; + return this.plan === 'BRONZE'; + } + + /** + * Returns true if this plan has custom pricing (Platinium) + */ + isCustomPricing(): boolean { + return this.plan === 'PLATINIUM'; } /** @@ -165,12 +279,7 @@ export class SubscriptionPlan { * Check if upgrade to target plan is allowed */ canUpgradeTo(targetPlan: SubscriptionPlan): boolean { - const planOrder: SubscriptionPlanType[] = [ - 'FREE', - 'STARTER', - 'PRO', - 'ENTERPRISE', - ]; + const planOrder: SubscriptionPlanType[] = ['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM']; const currentIndex = planOrder.indexOf(this.plan); const targetIndex = planOrder.indexOf(targetPlan.value); return targetIndex > currentIndex; @@ -180,12 +289,7 @@ export class SubscriptionPlan { * Check if downgrade to target plan is allowed given current user count */ canDowngradeTo(targetPlan: SubscriptionPlan, currentUserCount: number): boolean { - const planOrder: SubscriptionPlanType[] = [ - 'FREE', - 'STARTER', - 'PRO', - 'ENTERPRISE', - ]; + const planOrder: SubscriptionPlanType[] = ['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM']; const currentIndex = planOrder.indexOf(this.plan); const targetIndex = planOrder.indexOf(targetPlan.value); diff --git a/apps/backend/src/domain/value-objects/subscription-status.vo.ts b/apps/backend/src/domain/value-objects/subscription-status.vo.ts index de87862..959d8a9 100644 --- a/apps/backend/src/domain/value-objects/subscription-status.vo.ts +++ b/apps/backend/src/domain/value-objects/subscription-status.vo.ts @@ -191,9 +191,7 @@ export class SubscriptionStatus { */ transitionTo(newStatus: SubscriptionStatus): SubscriptionStatus { if (!this.canTransitionTo(newStatus)) { - throw new Error( - `Invalid status transition from ${this.status} to ${newStatus.value}`, - ); + throw new Error(`Invalid status transition from ${this.status} to ${newStatus.value}`); } return newStatus; } diff --git a/apps/backend/src/infrastructure/email/email.adapter.ts b/apps/backend/src/infrastructure/email/email.adapter.ts index 363c713..78501d1 100644 --- a/apps/backend/src/infrastructure/email/email.adapter.ts +++ b/apps/backend/src/infrastructure/email/email.adapter.ts @@ -4,69 +4,157 @@ * Implements EmailPort using nodemailer */ -import { Injectable, Logger } from '@nestjs/common'; +import { Injectable, Logger, OnModuleInit } from '@nestjs/common'; import { ConfigService } from '@nestjs/config'; import * as nodemailer from 'nodemailer'; +import * as https from 'https'; import { EmailPort, EmailOptions } from '@domain/ports/out/email.port'; import { EmailTemplates } from './templates/email-templates'; +// Display names included → moins susceptibles d'être marqués spam +const EMAIL_SENDERS = { + SECURITY: '"Xpeditis Sécurité" ', + BOOKINGS: '"Xpeditis Bookings" ', + TEAM: '"Équipe Xpeditis" ', + CARRIERS: '"Xpeditis Transporteurs" ', + NOREPLY: '"Xpeditis" ', +} as const; + +/** + * Génère une version plain text à partir du HTML pour améliorer la délivrabilité. + * Les emails sans version texte sont pénalisés par les filtres anti-spam. + */ +function htmlToPlainText(html: string): string { + return html + .replace(/]*>[\s\S]*?<\/style>/gi, '') + .replace(/]*>[\s\S]*?<\/script>/gi, '') + .replace(//gi, '\n') + .replace(/<\/p>/gi, '\n\n') + .replace(/<\/div>/gi, '\n') + .replace(/<\/h[1-6]>/gi, '\n\n') + .replace(/]*href="([^"]*)"[^>]*>([^<]*)<\/a>/gi, '$2 ($1)') + .replace(/<[^>]+>/g, '') + .replace(/&/g, '&') + .replace(/</g, '<') + .replace(/>/g, '>') + .replace(/ /g, ' ') + .replace(/"/g, '"') + .replace(/'/g, "'") + .replace(/\n{3,}/g, '\n\n') + .trim(); +} + @Injectable() -export class EmailAdapter implements EmailPort { +export class EmailAdapter implements EmailPort, OnModuleInit { private readonly logger = new Logger(EmailAdapter.name); private transporter: nodemailer.Transporter; constructor( private readonly configService: ConfigService, private readonly emailTemplates: EmailTemplates - ) { - this.initializeTransporter(); + ) {} + + async onModuleInit(): Promise { + const host = this.configService.get('SMTP_HOST', 'localhost'); + + // 🔧 FIX: Mailtrap — IP directe hardcodée + if (host.includes('mailtrap.io')) { + this.buildTransporter('3.209.246.195', host); + return; + } + + // 🔧 FIX: DNS over HTTPS — contourne le port 53 UDP (bloqué sur certains réseaux). + // On appelle l'API DoH de Cloudflare via HTTPS (port 443) pour résoudre l'IP + // AVANT de créer le transporter, puis on passe l'IP directement à nodemailer. + if (!/^\d+\.\d+\.\d+\.\d+$/.test(host) && host !== 'localhost') { + try { + const ip = await this.resolveViaDoH(host); + this.logger.log(`[DNS-DoH] ${host} → ${ip}`); + this.buildTransporter(ip, host); + return; + } catch (err: any) { + this.logger.warn(`[DNS-DoH] Failed to resolve ${host}: ${err.message} — using hostname directly`); + } + } + + this.buildTransporter(host, host); } - private initializeTransporter(): void { - const host = this.configService.get('SMTP_HOST', 'localhost'); + /** + * Résout un hostname en IP via l'API DNS over HTTPS de Cloudflare. + * Utilise HTTPS (port 443) donc fonctionne même quand le port 53 UDP est bloqué. + */ + private resolveViaDoH(hostname: string): Promise { + return new Promise((resolve, reject) => { + const url = `https://cloudflare-dns.com/dns-query?name=${encodeURIComponent(hostname)}&type=A`; + const req = https.get(url, { headers: { Accept: 'application/dns-json' } }, (res) => { + let raw = ''; + res.on('data', (chunk) => (raw += chunk)); + res.on('end', () => { + try { + const json = JSON.parse(raw); + const aRecord = (json.Answer ?? []).find((r: any) => r.type === 1); + if (aRecord?.data) { + resolve(aRecord.data); + } else { + reject(new Error(`No A record returned by DoH for ${hostname}`)); + } + } catch (e) { + reject(e); + } + }); + }); + req.on('error', reject); + req.setTimeout(10000, () => { + req.destroy(); + reject(new Error('DoH request timed out')); + }); + }); + } + + private buildTransporter(actualHost: string, serverName: string): void { const port = this.configService.get('SMTP_PORT', 2525); const user = this.configService.get('SMTP_USER'); const pass = this.configService.get('SMTP_PASS'); const secure = this.configService.get('SMTP_SECURE', false); - // 🔧 FIX: Contournement DNS pour Mailtrap - // Utilise automatiquement l'IP directe quand 'mailtrap.io' est détecté - // Cela évite les timeouts DNS (queryA ETIMEOUT) sur certains réseaux - const useDirectIP = host.includes('mailtrap.io'); - const actualHost = useDirectIP ? '3.209.246.195' : host; - const serverName = useDirectIP ? 'smtp.mailtrap.io' : host; // Pour TLS - this.transporter = nodemailer.createTransport({ host: actualHost, port, secure, - auth: { - user, - pass, - }, - // Configuration TLS avec servername pour IP directe + auth: { user, pass }, tls: { rejectUnauthorized: false, - servername: serverName, // ⚠️ CRITIQUE pour TLS avec IP directe + servername: serverName, }, - // Timeouts optimisés - connectionTimeout: 10000, // 10s - greetingTimeout: 10000, // 10s - socketTimeout: 30000, // 30s - dnsTimeout: 10000, // 10s - }); + connectionTimeout: 15000, + greetingTimeout: 15000, + socketTimeout: 30000, + } as any); this.logger.log( - `Email adapter initialized with SMTP host: ${host}:${port} (secure: ${secure})` + - (useDirectIP ? ` [Using direct IP: ${actualHost} with servername: ${serverName}]` : '') + `Email transporter ready — ${serverName}:${port} (IP: ${actualHost}) user: ${user}` ); + + this.transporter.verify((error) => { + if (error) { + this.logger.error(`❌ SMTP connection FAILED: ${error.message}`); + } else { + this.logger.log(`✅ SMTP connection verified — ready to send emails`); + } + }); } async send(options: EmailOptions): Promise { try { - const from = this.configService.get('SMTP_FROM', 'noreply@xpeditis.com'); + const from = + options.from ?? + this.configService.get('SMTP_FROM', EMAIL_SENDERS.NOREPLY); - await this.transporter.sendMail({ + // Génère automatiquement la version plain text si absente (améliore le score anti-spam) + const text = options.text ?? (options.html ? htmlToPlainText(options.html) : undefined); + + const info = await this.transporter.sendMail({ from, to: options.to, cc: options.cc, @@ -74,11 +162,13 @@ export class EmailAdapter implements EmailPort { replyTo: options.replyTo, subject: options.subject, html: options.html, - text: options.text, + text, attachments: options.attachments, }); - this.logger.log(`Email sent to ${options.to}: ${options.subject}`); + this.logger.log( + `✅ Email submitted — to: ${options.to} | from: ${from} | subject: "${options.subject}" | messageId: ${info.messageId} | accepted: ${JSON.stringify(info.accepted)} | rejected: ${JSON.stringify(info.rejected)}` + ); } catch (error) { this.logger.error(`Failed to send email to ${options.to}`, error); throw error; @@ -108,6 +198,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.BOOKINGS, subject: `Booking Confirmation - ${bookingNumber}`, html, attachments, @@ -122,6 +213,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.SECURITY, subject: 'Verify your email - Xpeditis', html, }); @@ -135,6 +227,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.SECURITY, subject: 'Reset your password - Xpeditis', html, }); @@ -148,6 +241,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.NOREPLY, subject: 'Welcome to Xpeditis', html, }); @@ -169,6 +263,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.TEAM, subject: `You've been invited to join ${organizationName} on Xpeditis`, html, }); @@ -209,6 +304,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.TEAM, subject: `Invitation à rejoindre ${organizationName} sur Xpeditis`, html, }); @@ -273,6 +369,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: carrierEmail, + from: EMAIL_SENDERS.BOOKINGS, subject: `Nouvelle demande de réservation ${bookingData.bookingNumber || ''} - ${bookingData.origin} → ${bookingData.destination}`, html, }); @@ -349,6 +446,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.CARRIERS, subject: '🚢 Votre compte transporteur Xpeditis a été créé', html, }); @@ -424,6 +522,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: email, + from: EMAIL_SENDERS.SECURITY, subject: '🔑 Réinitialisation de votre mot de passe Xpeditis', html, }); @@ -535,6 +634,7 @@ export class EmailAdapter implements EmailPort { await this.send({ to: carrierEmail, + from: EMAIL_SENDERS.BOOKINGS, subject: `Documents disponibles - Reservation ${data.bookingNumber || ''} ${data.origin} → ${data.destination}`, html, }); @@ -614,10 +714,13 @@ export class EmailAdapter implements EmailPort { await this.send({ to: carrierEmail, + from: EMAIL_SENDERS.BOOKINGS, subject: `Nouveaux documents - Reservation ${data.origin} → ${data.destination}`, html, }); - this.logger.log(`New documents notification sent to ${carrierEmail} for booking ${data.bookingId}`); + this.logger.log( + `New documents notification sent to ${carrierEmail} for booking ${data.bookingId}` + ); } } diff --git a/apps/backend/src/infrastructure/external/pappers-siret.adapter.ts b/apps/backend/src/infrastructure/external/pappers-siret.adapter.ts new file mode 100644 index 0000000..7de3ba0 --- /dev/null +++ b/apps/backend/src/infrastructure/external/pappers-siret.adapter.ts @@ -0,0 +1,50 @@ +import { Injectable, Logger } from '@nestjs/common'; +import { ConfigService } from '@nestjs/config'; +import { + SiretVerificationPort, + SiretVerificationResult, +} from '@domain/ports/out/siret-verification.port'; + +@Injectable() +export class PappersSiretAdapter implements SiretVerificationPort { + private readonly logger = new Logger(PappersSiretAdapter.name); + private readonly apiKey: string; + private readonly baseUrl = 'https://api.pappers.fr/v2'; + + constructor(private readonly configService: ConfigService) { + this.apiKey = this.configService.get('PAPPERS_API_KEY', ''); + } + + async verify(siret: string): Promise { + if (!this.apiKey) { + this.logger.warn('PAPPERS_API_KEY not configured, skipping SIRET verification'); + return { valid: false }; + } + + try { + const url = `${this.baseUrl}/entreprise?api_token=${this.apiKey}&siret=${siret}`; + const response = await fetch(url); + + if (!response.ok) { + if (response.status === 404) { + return { valid: false }; + } + this.logger.error(`Pappers API error: ${response.status} ${response.statusText}`); + return { valid: false }; + } + + const data = await response.json(); + + return { + valid: true, + companyName: data.nom_entreprise || data.denomination, + address: data.siege?.adresse_ligne_1 + ? `${data.siege.adresse_ligne_1}, ${data.siege.code_postal} ${data.siege.ville}` + : undefined, + }; + } catch (error: any) { + this.logger.error(`SIRET verification failed: ${error?.message}`, error?.stack); + return { valid: false }; + } + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/api-key.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/api-key.orm-entity.ts new file mode 100644 index 0000000..bca7e0a --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/api-key.orm-entity.ts @@ -0,0 +1,59 @@ +import { + Column, + CreateDateColumn, + Entity, + Index, + ManyToOne, + JoinColumn, + PrimaryColumn, + UpdateDateColumn, +} from 'typeorm'; +import { OrganizationOrmEntity } from './organization.orm-entity'; +import { UserOrmEntity } from './user.orm-entity'; + +@Entity('api_keys') +@Index('idx_api_keys_organization_id', ['organizationId']) +@Index('idx_api_keys_user_id', ['userId']) +@Index('idx_api_keys_is_active', ['isActive']) +export class ApiKeyOrmEntity { + @PrimaryColumn('uuid') + id: string; + + @Column({ name: 'organization_id', type: 'uuid' }) + organizationId: string; + + @Column({ name: 'user_id', type: 'uuid' }) + userId: string; + + @Column({ length: 100 }) + name: string; + + @Column({ name: 'key_hash', length: 64, unique: true }) + keyHash: string; + + @Column({ name: 'key_prefix', length: 20 }) + keyPrefix: string; + + @Column({ name: 'is_active', default: true }) + isActive: boolean; + + @Column({ name: 'last_used_at', type: 'timestamp', nullable: true }) + lastUsedAt: Date | null; + + @Column({ name: 'expires_at', type: 'timestamp', nullable: true }) + expiresAt: Date | null; + + @CreateDateColumn({ name: 'created_at' }) + createdAt: Date; + + @UpdateDateColumn({ name: 'updated_at' }) + updatedAt: Date; + + @ManyToOne(() => OrganizationOrmEntity, { onDelete: 'CASCADE' }) + @JoinColumn({ name: 'organization_id' }) + organization: OrganizationOrmEntity; + + @ManyToOne(() => UserOrmEntity, { onDelete: 'CASCADE' }) + @JoinColumn({ name: 'user_id' }) + user: UserOrmEntity; +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/booking.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/booking.orm-entity.ts index d78c7d7..f3db96e 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/entities/booking.orm-entity.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/booking.orm-entity.ts @@ -92,6 +92,18 @@ export class BookingOrmEntity { @Column({ name: 'special_instructions', type: 'text', nullable: true }) specialInstructions: string | null; + @Column({ name: 'commission_rate', type: 'decimal', precision: 5, scale: 2, nullable: true }) + commissionRate: number | null; + + @Column({ + name: 'commission_amount_eur', + type: 'decimal', + precision: 12, + scale: 2, + nullable: true, + }) + commissionAmountEur: number | null; + @CreateDateColumn({ name: 'created_at' }) createdAt: Date; diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/cookie-consent.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/cookie-consent.orm-entity.ts index 2f8188c..0d40645 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/entities/cookie-consent.orm-entity.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/cookie-consent.orm-entity.ts @@ -1,58 +1,58 @@ -/** - * Cookie Consent ORM Entity (Infrastructure Layer) - * - * TypeORM entity for cookie consent persistence - */ - -import { - Entity, - Column, - PrimaryColumn, - CreateDateColumn, - UpdateDateColumn, - Index, - ManyToOne, - JoinColumn, -} from 'typeorm'; -import { UserOrmEntity } from './user.orm-entity'; - -@Entity('cookie_consents') -@Index('idx_cookie_consents_user', ['userId']) -export class CookieConsentOrmEntity { - @PrimaryColumn('uuid') - id: string; - - @Column({ name: 'user_id', type: 'uuid', unique: true }) - userId: string; - - @ManyToOne(() => UserOrmEntity, { onDelete: 'CASCADE' }) - @JoinColumn({ name: 'user_id' }) - user: UserOrmEntity; - - @Column({ type: 'boolean', default: true }) - essential: boolean; - - @Column({ type: 'boolean', default: false }) - functional: boolean; - - @Column({ type: 'boolean', default: false }) - analytics: boolean; - - @Column({ type: 'boolean', default: false }) - marketing: boolean; - - @Column({ name: 'ip_address', type: 'varchar', length: 45, nullable: true }) - ipAddress: string | null; - - @Column({ name: 'user_agent', type: 'text', nullable: true }) - userAgent: string | null; - - @Column({ name: 'consent_date', type: 'timestamp', default: () => 'NOW()' }) - consentDate: Date; - - @CreateDateColumn({ name: 'created_at' }) - createdAt: Date; - - @UpdateDateColumn({ name: 'updated_at' }) - updatedAt: Date; -} +/** + * Cookie Consent ORM Entity (Infrastructure Layer) + * + * TypeORM entity for cookie consent persistence + */ + +import { + Entity, + Column, + PrimaryColumn, + CreateDateColumn, + UpdateDateColumn, + Index, + ManyToOne, + JoinColumn, +} from 'typeorm'; +import { UserOrmEntity } from './user.orm-entity'; + +@Entity('cookie_consents') +@Index('idx_cookie_consents_user', ['userId']) +export class CookieConsentOrmEntity { + @PrimaryColumn('uuid') + id: string; + + @Column({ name: 'user_id', type: 'uuid', unique: true }) + userId: string; + + @ManyToOne(() => UserOrmEntity, { onDelete: 'CASCADE' }) + @JoinColumn({ name: 'user_id' }) + user: UserOrmEntity; + + @Column({ type: 'boolean', default: true }) + essential: boolean; + + @Column({ type: 'boolean', default: false }) + functional: boolean; + + @Column({ type: 'boolean', default: false }) + analytics: boolean; + + @Column({ type: 'boolean', default: false }) + marketing: boolean; + + @Column({ name: 'ip_address', type: 'varchar', length: 45, nullable: true }) + ipAddress: string | null; + + @Column({ name: 'user_agent', type: 'text', nullable: true }) + userAgent: string | null; + + @Column({ name: 'consent_date', type: 'timestamp', default: () => 'NOW()' }) + consentDate: Date; + + @CreateDateColumn({ name: 'created_at' }) + createdAt: Date; + + @UpdateDateColumn({ name: 'updated_at' }) + updatedAt: Date; +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/csv-booking.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/csv-booking.orm-entity.ts index aa1e8a4..75eb591 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/entities/csv-booking.orm-entity.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/csv-booking.orm-entity.ts @@ -75,11 +75,11 @@ export class CsvBookingOrmEntity { @Column({ name: 'status', type: 'enum', - enum: ['PENDING', 'ACCEPTED', 'REJECTED', 'CANCELLED'], - default: 'PENDING', + enum: ['PENDING_PAYMENT', 'PENDING_BANK_TRANSFER', 'PENDING', 'ACCEPTED', 'REJECTED', 'CANCELLED'], + default: 'PENDING_PAYMENT', }) @Index() - status: 'PENDING' | 'ACCEPTED' | 'REJECTED' | 'CANCELLED'; + status: 'PENDING_PAYMENT' | 'PENDING_BANK_TRANSFER' | 'PENDING' | 'ACCEPTED' | 'REJECTED' | 'CANCELLED'; @Column({ name: 'documents', type: 'jsonb' }) documents: Array<{ @@ -141,6 +141,21 @@ export class CsvBookingOrmEntity { @Column({ name: 'carrier_notes', type: 'text', nullable: true }) carrierNotes: string | null; + @Column({ name: 'stripe_payment_intent_id', type: 'varchar', length: 255, nullable: true }) + stripePaymentIntentId: string | null; + + @Column({ name: 'commission_rate', type: 'decimal', precision: 5, scale: 2, nullable: true }) + commissionRate: number | null; + + @Column({ + name: 'commission_amount_eur', + type: 'decimal', + precision: 12, + scale: 2, + nullable: true, + }) + commissionAmountEur: number | null; + @CreateDateColumn({ name: 'created_at', type: 'timestamp with time zone' }) createdAt: Date; diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/license.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/license.orm-entity.ts index afde22a..71b541d 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/entities/license.orm-entity.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/license.orm-entity.ts @@ -5,14 +5,7 @@ * Represents user licenses linked to subscriptions. */ -import { - Entity, - Column, - PrimaryGeneratedColumn, - ManyToOne, - JoinColumn, - Index, -} from 'typeorm'; +import { Entity, Column, PrimaryGeneratedColumn, ManyToOne, JoinColumn, Index } from 'typeorm'; import { SubscriptionOrmEntity } from './subscription.orm-entity'; import { UserOrmEntity } from './user.orm-entity'; @@ -30,7 +23,7 @@ export class LicenseOrmEntity { @Column({ name: 'subscription_id', type: 'uuid' }) subscriptionId: string; - @ManyToOne(() => SubscriptionOrmEntity, (subscription) => subscription.licenses, { + @ManyToOne(() => SubscriptionOrmEntity, subscription => subscription.licenses, { onDelete: 'CASCADE', }) @JoinColumn({ name: 'subscription_id' }) diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/organization.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/organization.orm-entity.ts index 8827fc7..9c59b49 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/entities/organization.orm-entity.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/organization.orm-entity.ts @@ -56,6 +56,15 @@ export class OrganizationOrmEntity { @Column({ type: 'jsonb', default: '[]' }) documents: any[]; + @Column({ type: 'varchar', length: 14, nullable: true }) + siret: string | null; + + @Column({ name: 'siret_verified', type: 'boolean', default: false }) + siretVerified: boolean; + + @Column({ name: 'status_badge', type: 'varchar', length: 20, default: 'none' }) + statusBadge: string; + @Column({ name: 'is_carrier', type: 'boolean', default: false }) isCarrier: boolean; diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/password-reset-token.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/password-reset-token.orm-entity.ts new file mode 100644 index 0000000..fd4598f --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/password-reset-token.orm-entity.ts @@ -0,0 +1,30 @@ +import { + Entity, + PrimaryGeneratedColumn, + Column, + CreateDateColumn, + Index, +} from 'typeorm'; + +@Entity('password_reset_tokens') +export class PasswordResetTokenOrmEntity { + @PrimaryGeneratedColumn('uuid') + id: string; + + @Column({ name: 'user_id' }) + @Index('IDX_password_reset_tokens_user_id') + userId: string; + + @Column({ unique: true, length: 255 }) + @Index('IDX_password_reset_tokens_token') + token: string; + + @Column({ name: 'expires_at', type: 'timestamp' }) + expiresAt: Date; + + @Column({ name: 'used_at', type: 'timestamp', nullable: true }) + usedAt: Date | null; + + @CreateDateColumn({ name: 'created_at' }) + createdAt: Date; +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/entities/subscription.orm-entity.ts b/apps/backend/src/infrastructure/persistence/typeorm/entities/subscription.orm-entity.ts index 941b744..58b3977 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/entities/subscription.orm-entity.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/entities/subscription.orm-entity.ts @@ -19,7 +19,7 @@ import { import { OrganizationOrmEntity } from './organization.orm-entity'; import { LicenseOrmEntity } from './license.orm-entity'; -export type SubscriptionPlanOrmType = 'FREE' | 'STARTER' | 'PRO' | 'ENTERPRISE'; +export type SubscriptionPlanOrmType = 'BRONZE' | 'SILVER' | 'GOLD' | 'PLATINIUM'; export type SubscriptionStatusOrmType = | 'ACTIVE' @@ -51,8 +51,8 @@ export class SubscriptionOrmEntity { // Plan information @Column({ type: 'enum', - enum: ['FREE', 'STARTER', 'PRO', 'ENTERPRISE'], - default: 'FREE', + enum: ['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM'], + default: 'BRONZE', }) plan: SubscriptionPlanOrmType; @@ -103,6 +103,6 @@ export class SubscriptionOrmEntity { updatedAt: Date; // Relations - @OneToMany(() => LicenseOrmEntity, (license) => license.subscription) + @OneToMany(() => LicenseOrmEntity, license => license.subscription) licenses: LicenseOrmEntity[]; } diff --git a/apps/backend/src/infrastructure/persistence/typeorm/mappers/api-key-orm.mapper.ts b/apps/backend/src/infrastructure/persistence/typeorm/mappers/api-key-orm.mapper.ts new file mode 100644 index 0000000..dd48a69 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/mappers/api-key-orm.mapper.ts @@ -0,0 +1,40 @@ +import { ApiKey } from '@domain/entities/api-key.entity'; +import { ApiKeyOrmEntity } from '../entities/api-key.orm-entity'; + +export class ApiKeyOrmMapper { + static toDomain(orm: ApiKeyOrmEntity): ApiKey { + return ApiKey.fromPersistence({ + id: orm.id, + organizationId: orm.organizationId, + userId: orm.userId, + name: orm.name, + keyHash: orm.keyHash, + keyPrefix: orm.keyPrefix, + isActive: orm.isActive, + lastUsedAt: orm.lastUsedAt, + expiresAt: orm.expiresAt, + createdAt: orm.createdAt, + updatedAt: orm.updatedAt, + }); + } + + static toOrm(domain: ApiKey): ApiKeyOrmEntity { + const orm = new ApiKeyOrmEntity(); + orm.id = domain.id; + orm.organizationId = domain.organizationId; + orm.userId = domain.userId; + orm.name = domain.name; + orm.keyHash = domain.keyHash; + orm.keyPrefix = domain.keyPrefix; + orm.isActive = domain.isActive; + orm.lastUsedAt = domain.lastUsedAt; + orm.expiresAt = domain.expiresAt; + orm.createdAt = domain.createdAt; + orm.updatedAt = domain.updatedAt; + return orm; + } + + static toDomainMany(orms: ApiKeyOrmEntity[]): ApiKey[] { + return orms.map(orm => ApiKeyOrmMapper.toDomain(orm)); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/mappers/booking-orm.mapper.ts b/apps/backend/src/infrastructure/persistence/typeorm/mappers/booking-orm.mapper.ts index 5a36902..df15aec 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/mappers/booking-orm.mapper.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/mappers/booking-orm.mapper.ts @@ -27,6 +27,8 @@ export class BookingOrmMapper { orm.consignee = this.partyToJson(domain.consignee); orm.cargoDescription = domain.cargoDescription; orm.specialInstructions = domain.specialInstructions || null; + orm.commissionRate = domain.commissionRate ?? null; + orm.commissionAmountEur = domain.commissionAmountEur ?? null; orm.createdAt = domain.createdAt; orm.updatedAt = domain.updatedAt; @@ -52,6 +54,9 @@ export class BookingOrmMapper { cargoDescription: orm.cargoDescription, containers: orm.containers ? orm.containers.map(c => this.ormToContainer(c)) : [], specialInstructions: orm.specialInstructions || undefined, + commissionRate: orm.commissionRate != null ? Number(orm.commissionRate) : undefined, + commissionAmountEur: + orm.commissionAmountEur != null ? Number(orm.commissionAmountEur) : undefined, createdAt: orm.createdAt, updatedAt: orm.updatedAt, }; diff --git a/apps/backend/src/infrastructure/persistence/typeorm/mappers/csv-booking.mapper.ts b/apps/backend/src/infrastructure/persistence/typeorm/mappers/csv-booking.mapper.ts index 4fee923..85217ed 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/mappers/csv-booking.mapper.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/mappers/csv-booking.mapper.ts @@ -42,7 +42,10 @@ export class CsvBookingMapper { ormEntity.respondedAt, ormEntity.notes, ormEntity.rejectionReason, - ormEntity.bookingNumber ?? undefined + ormEntity.bookingNumber ?? undefined, + ormEntity.commissionRate != null ? Number(ormEntity.commissionRate) : undefined, + ormEntity.commissionAmountEur != null ? Number(ormEntity.commissionAmountEur) : undefined, + ormEntity.stripePaymentIntentId ?? undefined ); } @@ -66,13 +69,16 @@ export class CsvBookingMapper { primaryCurrency: domain.primaryCurrency, transitDays: domain.transitDays, containerType: domain.containerType, - status: domain.status as 'PENDING' | 'ACCEPTED' | 'REJECTED' | 'CANCELLED', + status: domain.status as CsvBookingOrmEntity['status'], documents: domain.documents as any, confirmationToken: domain.confirmationToken, requestedAt: domain.requestedAt, respondedAt: domain.respondedAt, notes: domain.notes, rejectionReason: domain.rejectionReason, + stripePaymentIntentId: domain.stripePaymentIntentId ?? null, + commissionRate: domain.commissionRate ?? null, + commissionAmountEur: domain.commissionAmountEur ?? null, }; } @@ -81,10 +87,13 @@ export class CsvBookingMapper { */ static toOrmUpdate(domain: CsvBooking): Partial { return { - status: domain.status as 'PENDING' | 'ACCEPTED' | 'REJECTED' | 'CANCELLED', + status: domain.status as CsvBookingOrmEntity['status'], respondedAt: domain.respondedAt, notes: domain.notes, rejectionReason: domain.rejectionReason, + stripePaymentIntentId: domain.stripePaymentIntentId ?? null, + commissionRate: domain.commissionRate ?? null, + commissionAmountEur: domain.commissionAmountEur ?? null, }; } diff --git a/apps/backend/src/infrastructure/persistence/typeorm/mappers/license-orm.mapper.ts b/apps/backend/src/infrastructure/persistence/typeorm/mappers/license-orm.mapper.ts index 9a4ceb5..b68d699 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/mappers/license-orm.mapper.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/mappers/license-orm.mapper.ts @@ -43,6 +43,6 @@ export class LicenseOrmMapper { * Map array of ORM entities to domain entities */ static toDomainMany(orms: LicenseOrmEntity[]): License[] { - return orms.map((orm) => this.toDomain(orm)); + return orms.map(orm => this.toDomain(orm)); } } diff --git a/apps/backend/src/infrastructure/persistence/typeorm/mappers/organization-orm.mapper.ts b/apps/backend/src/infrastructure/persistence/typeorm/mappers/organization-orm.mapper.ts index 78f6660..9eb59c6 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/mappers/organization-orm.mapper.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/mappers/organization-orm.mapper.ts @@ -30,6 +30,9 @@ export class OrganizationOrmMapper { orm.addressCountry = props.address.country; orm.logoUrl = props.logoUrl || null; orm.documents = props.documents; + orm.siret = props.siret || null; + orm.siretVerified = props.siretVerified; + orm.statusBadge = props.statusBadge; orm.isActive = props.isActive; orm.createdAt = props.createdAt; orm.updatedAt = props.updatedAt; @@ -59,6 +62,9 @@ export class OrganizationOrmMapper { }, logoUrl: orm.logoUrl || undefined, documents: orm.documents || [], + siret: orm.siret || undefined, + siretVerified: orm.siretVerified ?? false, + statusBadge: (orm.statusBadge as 'none' | 'silver' | 'gold' | 'platinium') || 'none', isActive: orm.isActive, createdAt: orm.createdAt, updatedAt: orm.updatedAt, diff --git a/apps/backend/src/infrastructure/persistence/typeorm/mappers/subscription-orm.mapper.ts b/apps/backend/src/infrastructure/persistence/typeorm/mappers/subscription-orm.mapper.ts index 95c65d0..1e07da1 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/mappers/subscription-orm.mapper.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/mappers/subscription-orm.mapper.ts @@ -53,6 +53,6 @@ export class SubscriptionOrmMapper { * Map array of ORM entities to domain entities */ static toDomainMany(orms: SubscriptionOrmEntity[]): Subscription[] { - return orms.map((orm) => this.toDomain(orm)); + return orms.map(orm => this.toDomain(orm)); } } diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1738100000000-CreateCookieConsent.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1738100000000-CreateCookieConsent.ts index 561df7c..ccb0813 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1738100000000-CreateCookieConsent.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1738100000000-CreateCookieConsent.ts @@ -1,62 +1,62 @@ -/** - * Migration: Create Cookie Consents Table - * GDPR compliant cookie preference storage - */ - -import { MigrationInterface, QueryRunner } from 'typeorm'; - -export class CreateCookieConsent1738100000000 implements MigrationInterface { - name = 'CreateCookieConsent1738100000000'; - - public async up(queryRunner: QueryRunner): Promise { - // Create cookie_consents table - await queryRunner.query(` - CREATE TABLE "cookie_consents" ( - "id" UUID NOT NULL DEFAULT uuid_generate_v4(), - "user_id" UUID NOT NULL, - "essential" BOOLEAN NOT NULL DEFAULT TRUE, - "functional" BOOLEAN NOT NULL DEFAULT FALSE, - "analytics" BOOLEAN NOT NULL DEFAULT FALSE, - "marketing" BOOLEAN NOT NULL DEFAULT FALSE, - "ip_address" VARCHAR(45) NULL, - "user_agent" TEXT NULL, - "consent_date" TIMESTAMP NOT NULL DEFAULT NOW(), - "created_at" TIMESTAMP NOT NULL DEFAULT NOW(), - "updated_at" TIMESTAMP NOT NULL DEFAULT NOW(), - CONSTRAINT "pk_cookie_consents" PRIMARY KEY ("id"), - CONSTRAINT "uq_cookie_consents_user" UNIQUE ("user_id"), - CONSTRAINT "fk_cookie_consents_user" FOREIGN KEY ("user_id") - REFERENCES "users"("id") ON DELETE CASCADE - ) - `); - - // Create index for fast user lookups - await queryRunner.query(` - CREATE INDEX "idx_cookie_consents_user" ON "cookie_consents" ("user_id") - `); - - // Add comments - await queryRunner.query(` - COMMENT ON TABLE "cookie_consents" IS 'GDPR compliant cookie consent preferences per user' - `); - await queryRunner.query(` - COMMENT ON COLUMN "cookie_consents"."essential" IS 'Essential cookies - always true, required for functionality' - `); - await queryRunner.query(` - COMMENT ON COLUMN "cookie_consents"."functional" IS 'Functional cookies - preferences, language, etc.' - `); - await queryRunner.query(` - COMMENT ON COLUMN "cookie_consents"."analytics" IS 'Analytics cookies - Google Analytics, Sentry, etc.' - `); - await queryRunner.query(` - COMMENT ON COLUMN "cookie_consents"."marketing" IS 'Marketing cookies - ads, tracking, remarketing' - `); - await queryRunner.query(` - COMMENT ON COLUMN "cookie_consents"."ip_address" IS 'IP address at time of consent for GDPR audit trail' - `); - } - - public async down(queryRunner: QueryRunner): Promise { - await queryRunner.query(`DROP TABLE "cookie_consents"`); - } -} +/** + * Migration: Create Cookie Consents Table + * GDPR compliant cookie preference storage + */ + +import { MigrationInterface, QueryRunner } from 'typeorm'; + +export class CreateCookieConsent1738100000000 implements MigrationInterface { + name = 'CreateCookieConsent1738100000000'; + + public async up(queryRunner: QueryRunner): Promise { + // Create cookie_consents table + await queryRunner.query(` + CREATE TABLE "cookie_consents" ( + "id" UUID NOT NULL DEFAULT uuid_generate_v4(), + "user_id" UUID NOT NULL, + "essential" BOOLEAN NOT NULL DEFAULT TRUE, + "functional" BOOLEAN NOT NULL DEFAULT FALSE, + "analytics" BOOLEAN NOT NULL DEFAULT FALSE, + "marketing" BOOLEAN NOT NULL DEFAULT FALSE, + "ip_address" VARCHAR(45) NULL, + "user_agent" TEXT NULL, + "consent_date" TIMESTAMP NOT NULL DEFAULT NOW(), + "created_at" TIMESTAMP NOT NULL DEFAULT NOW(), + "updated_at" TIMESTAMP NOT NULL DEFAULT NOW(), + CONSTRAINT "pk_cookie_consents" PRIMARY KEY ("id"), + CONSTRAINT "uq_cookie_consents_user" UNIQUE ("user_id"), + CONSTRAINT "fk_cookie_consents_user" FOREIGN KEY ("user_id") + REFERENCES "users"("id") ON DELETE CASCADE + ) + `); + + // Create index for fast user lookups + await queryRunner.query(` + CREATE INDEX "idx_cookie_consents_user" ON "cookie_consents" ("user_id") + `); + + // Add comments + await queryRunner.query(` + COMMENT ON TABLE "cookie_consents" IS 'GDPR compliant cookie consent preferences per user' + `); + await queryRunner.query(` + COMMENT ON COLUMN "cookie_consents"."essential" IS 'Essential cookies - always true, required for functionality' + `); + await queryRunner.query(` + COMMENT ON COLUMN "cookie_consents"."functional" IS 'Functional cookies - preferences, language, etc.' + `); + await queryRunner.query(` + COMMENT ON COLUMN "cookie_consents"."analytics" IS 'Analytics cookies - Google Analytics, Sentry, etc.' + `); + await queryRunner.query(` + COMMENT ON COLUMN "cookie_consents"."marketing" IS 'Marketing cookies - ads, tracking, remarketing' + `); + await queryRunner.query(` + COMMENT ON COLUMN "cookie_consents"."ip_address" IS 'IP address at time of consent for GDPR audit trail' + `); + } + + public async down(queryRunner: QueryRunner): Promise { + await queryRunner.query(`DROP TABLE "cookie_consents"`); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000001-RenamePlansToBronzeSilverGoldPlatinium.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000001-RenamePlansToBronzeSilverGoldPlatinium.ts new file mode 100644 index 0000000..c7bdb41 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000001-RenamePlansToBronzeSilverGoldPlatinium.ts @@ -0,0 +1,92 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +/** + * Rename subscription plans: + * FREE -> BRONZE, STARTER -> SILVER, PRO -> GOLD, ENTERPRISE -> PLATINIUM + * + * PostgreSQL does not support removing values from an enum type directly, + * so we create a new enum, migrate the column, and drop the old one. + */ +export class RenamePlansToBronzeSilverGoldPlatinium1740000000001 implements MigrationInterface { + public async up(queryRunner: QueryRunner): Promise { + // Step 1: Create new enum type + await queryRunner.query( + `CREATE TYPE "subscription_plan_enum_new" AS ENUM ('BRONZE', 'SILVER', 'GOLD', 'PLATINIUM')` + ); + + // Step 2: Convert the column to VARCHAR temporarily so we can update values + await queryRunner.query(`ALTER TABLE "subscriptions" ALTER COLUMN "plan" TYPE VARCHAR(20)`); + + // Step 3: Update existing values + await queryRunner.query(`UPDATE "subscriptions" SET "plan" = 'BRONZE' WHERE "plan" = 'FREE'`); + await queryRunner.query( + `UPDATE "subscriptions" SET "plan" = 'SILVER' WHERE "plan" = 'STARTER'` + ); + await queryRunner.query(`UPDATE "subscriptions" SET "plan" = 'GOLD' WHERE "plan" = 'PRO'`); + await queryRunner.query( + `UPDATE "subscriptions" SET "plan" = 'PLATINIUM' WHERE "plan" = 'ENTERPRISE'` + ); + + // Step 4: Drop existing default (required before changing enum type) + await queryRunner.query(`ALTER TABLE "subscriptions" ALTER COLUMN "plan" DROP DEFAULT`); + + // Step 5: Set column to new enum type + await queryRunner.query( + `ALTER TABLE "subscriptions" ALTER COLUMN "plan" TYPE "subscription_plan_enum_new" USING "plan"::"subscription_plan_enum_new"` + ); + + // Step 6: Set new default + await queryRunner.query(`ALTER TABLE "subscriptions" ALTER COLUMN "plan" SET DEFAULT 'BRONZE'`); + + // Step 7: Drop old enum type (name may vary — TypeORM often creates it as subscriptions_plan_enum) + // We handle both possible names + await queryRunner.query(` + DO $$ BEGIN + IF EXISTS (SELECT 1 FROM pg_type WHERE typname = 'subscriptions_plan_enum') THEN + DROP TYPE "subscriptions_plan_enum"; + END IF; + END $$; + `); + + // Step 8: Rename new enum to standard name + await queryRunner.query( + `ALTER TYPE "subscription_plan_enum_new" RENAME TO "subscriptions_plan_enum"` + ); + } + + public async down(queryRunner: QueryRunner): Promise { + // Reverse: create old enum, migrate back + await queryRunner.query( + `CREATE TYPE "subscription_plan_enum_old" AS ENUM ('FREE', 'STARTER', 'PRO', 'ENTERPRISE')` + ); + + await queryRunner.query(`ALTER TABLE "subscriptions" ALTER COLUMN "plan" TYPE VARCHAR(20)`); + + await queryRunner.query(`UPDATE "subscriptions" SET "plan" = 'FREE' WHERE "plan" = 'BRONZE'`); + await queryRunner.query( + `UPDATE "subscriptions" SET "plan" = 'STARTER' WHERE "plan" = 'SILVER'` + ); + await queryRunner.query(`UPDATE "subscriptions" SET "plan" = 'PRO' WHERE "plan" = 'GOLD'`); + await queryRunner.query( + `UPDATE "subscriptions" SET "plan" = 'ENTERPRISE' WHERE "plan" = 'PLATINIUM'` + ); + + await queryRunner.query( + `ALTER TABLE "subscriptions" ALTER COLUMN "plan" TYPE "subscription_plan_enum_old" USING "plan"::"subscription_plan_enum_old"` + ); + + await queryRunner.query(`ALTER TABLE "subscriptions" ALTER COLUMN "plan" SET DEFAULT 'FREE'`); + + await queryRunner.query(` + DO $$ BEGIN + IF EXISTS (SELECT 1 FROM pg_type WHERE typname = 'subscriptions_plan_enum') THEN + DROP TYPE "subscriptions_plan_enum"; + END IF; + END $$; + `); + + await queryRunner.query( + `ALTER TYPE "subscription_plan_enum_old" RENAME TO "subscriptions_plan_enum"` + ); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000002-AddCommissionFields.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000002-AddCommissionFields.ts new file mode 100644 index 0000000..204fb0e --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000002-AddCommissionFields.ts @@ -0,0 +1,43 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +export class AddCommissionFields1740000000002 implements MigrationInterface { + name = 'AddCommissionFields1740000000002'; + + public async up(queryRunner: QueryRunner): Promise { + // Add commission columns to csv_bookings (bookings table may not exist yet) + await queryRunner.query(` + ALTER TABLE "csv_bookings" + ADD COLUMN IF NOT EXISTS "commission_rate" DECIMAL(5,2), + ADD COLUMN IF NOT EXISTS "commission_amount_eur" DECIMAL(12,2) + `); + + // Only alter bookings table if it exists + await queryRunner.query(` + DO $$ BEGIN + IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'bookings') THEN + ALTER TABLE "bookings" + ADD COLUMN "commission_rate" DECIMAL(5,2), + ADD COLUMN "commission_amount_eur" DECIMAL(12,2); + END IF; + END $$; + `); + } + + public async down(queryRunner: QueryRunner): Promise { + await queryRunner.query(` + ALTER TABLE "csv_bookings" + DROP COLUMN IF EXISTS "commission_amount_eur", + DROP COLUMN IF EXISTS "commission_rate" + `); + + await queryRunner.query(` + DO $$ BEGIN + IF EXISTS (SELECT 1 FROM information_schema.tables WHERE table_name = 'bookings') THEN + ALTER TABLE "bookings" + DROP COLUMN "commission_amount_eur", + DROP COLUMN "commission_rate"; + END IF; + END $$; + `); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000003-AddSiretAndStatusBadgeToOrganizations.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000003-AddSiretAndStatusBadgeToOrganizations.ts new file mode 100644 index 0000000..eabe38c --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000003-AddSiretAndStatusBadgeToOrganizations.ts @@ -0,0 +1,23 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +export class AddSiretAndStatusBadgeToOrganizations1740000000003 implements MigrationInterface { + name = 'AddSiretAndStatusBadgeToOrganizations1740000000003'; + + public async up(queryRunner: QueryRunner): Promise { + await queryRunner.query(` + ALTER TABLE "organizations" + ADD COLUMN "siret" VARCHAR(14), + ADD COLUMN "siret_verified" BOOLEAN NOT NULL DEFAULT FALSE, + ADD COLUMN "status_badge" VARCHAR(20) NOT NULL DEFAULT 'none' + `); + } + + public async down(queryRunner: QueryRunner): Promise { + await queryRunner.query(` + ALTER TABLE "organizations" + DROP COLUMN "status_badge", + DROP COLUMN "siret_verified", + DROP COLUMN "siret" + `); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000004-AddPendingPaymentStatus.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000004-AddPendingPaymentStatus.ts new file mode 100644 index 0000000..04e6656 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000004-AddPendingPaymentStatus.ts @@ -0,0 +1,75 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +/** + * Migration: Add PENDING_PAYMENT status to csv_bookings enum + stripe_payment_intent_id column + */ +export class AddPendingPaymentStatus1740000000004 implements MigrationInterface { + public async up(queryRunner: QueryRunner): Promise { + // Drop the default before changing enum type + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" DROP DEFAULT + `); + + // Create new enum with PENDING_PAYMENT + await queryRunner.query(` + CREATE TYPE "csv_booking_status_new" AS ENUM ('PENDING_PAYMENT', 'PENDING', 'ACCEPTED', 'REJECTED', 'CANCELLED') + `); + + // Swap column to new enum type + await queryRunner.query(` + ALTER TABLE "csv_bookings" + ALTER COLUMN "status" TYPE "csv_booking_status_new" + USING "status"::text::"csv_booking_status_new" + `); + + // Drop old enum and rename new + await queryRunner.query(`DROP TYPE "csv_booking_status"`); + await queryRunner.query(`ALTER TYPE "csv_booking_status_new" RENAME TO "csv_booking_status"`); + + // Set new default + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" SET DEFAULT 'PENDING_PAYMENT' + `); + + // Add stripe_payment_intent_id column + await queryRunner.query(` + ALTER TABLE "csv_bookings" + ADD COLUMN IF NOT EXISTS "stripe_payment_intent_id" VARCHAR(255) + `); + } + + public async down(queryRunner: QueryRunner): Promise { + // Remove stripe_payment_intent_id column + await queryRunner.query(` + ALTER TABLE "csv_bookings" DROP COLUMN IF EXISTS "stripe_payment_intent_id" + `); + + // Update any PENDING_PAYMENT rows to PENDING + await queryRunner.query(` + UPDATE "csv_bookings" SET "status" = 'PENDING' WHERE "status" = 'PENDING_PAYMENT' + `); + + // Drop default + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" DROP DEFAULT + `); + + // Recreate original enum without PENDING_PAYMENT + await queryRunner.query(` + CREATE TYPE "csv_booking_status_old" AS ENUM ('PENDING', 'ACCEPTED', 'REJECTED', 'CANCELLED') + `); + + await queryRunner.query(` + ALTER TABLE "csv_bookings" + ALTER COLUMN "status" TYPE "csv_booking_status_old" + USING "status"::text::"csv_booking_status_old" + `); + + await queryRunner.query(`DROP TYPE "csv_booking_status"`); + await queryRunner.query(`ALTER TYPE "csv_booking_status_old" RENAME TO "csv_booking_status"`); + + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" SET DEFAULT 'PENDING' + `); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000005-AddPendingBankTransferStatus.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000005-AddPendingBankTransferStatus.ts new file mode 100644 index 0000000..870bf03 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1740000000005-AddPendingBankTransferStatus.ts @@ -0,0 +1,75 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +/** + * Migration: Add PENDING_BANK_TRANSFER status to csv_bookings enum + */ +export class AddPendingBankTransferStatus1740000000005 implements MigrationInterface { + public async up(queryRunner: QueryRunner): Promise { + // Drop default before modifying enum + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" DROP DEFAULT + `); + + // Create new enum with PENDING_BANK_TRANSFER + await queryRunner.query(` + CREATE TYPE "csv_booking_status_new" AS ENUM ( + 'PENDING_PAYMENT', + 'PENDING_BANK_TRANSFER', + 'PENDING', + 'ACCEPTED', + 'REJECTED', + 'CANCELLED' + ) + `); + + // Swap column to new enum type + await queryRunner.query(` + ALTER TABLE "csv_bookings" + ALTER COLUMN "status" TYPE "csv_booking_status_new" + USING "status"::text::"csv_booking_status_new" + `); + + // Drop old enum and rename new + await queryRunner.query(`DROP TYPE "csv_booking_status"`); + await queryRunner.query(`ALTER TYPE "csv_booking_status_new" RENAME TO "csv_booking_status"`); + + // Restore default + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" SET DEFAULT 'PENDING_PAYMENT' + `); + } + + public async down(queryRunner: QueryRunner): Promise { + // Move any PENDING_BANK_TRANSFER rows back to PENDING_PAYMENT + await queryRunner.query(` + UPDATE "csv_bookings" SET "status" = 'PENDING_PAYMENT' WHERE "status" = 'PENDING_BANK_TRANSFER' + `); + + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" DROP DEFAULT + `); + + await queryRunner.query(` + CREATE TYPE "csv_booking_status_old" AS ENUM ( + 'PENDING_PAYMENT', + 'PENDING', + 'ACCEPTED', + 'REJECTED', + 'CANCELLED' + ) + `); + + await queryRunner.query(` + ALTER TABLE "csv_bookings" + ALTER COLUMN "status" TYPE "csv_booking_status_old" + USING "status"::text::"csv_booking_status_old" + `); + + await queryRunner.query(`DROP TYPE "csv_booking_status"`); + await queryRunner.query(`ALTER TYPE "csv_booking_status_old" RENAME TO "csv_booking_status"`); + + await queryRunner.query(` + ALTER TABLE "csv_bookings" ALTER COLUMN "status" SET DEFAULT 'PENDING_PAYMENT' + `); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1741000000001-CreateApiKeysTable.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1741000000001-CreateApiKeysTable.ts new file mode 100644 index 0000000..c443352 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1741000000001-CreateApiKeysTable.ts @@ -0,0 +1,62 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +/** + * Migration: Create API Keys Table + * + * Stores API keys for programmatic access. + * Only GOLD and PLATINIUM subscribers can create keys (enforced at application level). + * + * Security: the raw key is NEVER stored — only its SHA-256 hex hash. + */ +export class CreateApiKeysTable1741000000001 implements MigrationInterface { + name = 'CreateApiKeysTable1741000000001'; + + public async up(queryRunner: QueryRunner): Promise { + await queryRunner.query(` + CREATE TABLE "api_keys" ( + "id" UUID NOT NULL DEFAULT uuid_generate_v4(), + "organization_id" UUID NOT NULL, + "user_id" UUID NOT NULL, + "name" VARCHAR(100) NOT NULL, + "key_hash" VARCHAR(64) NOT NULL, + "key_prefix" VARCHAR(20) NOT NULL, + "is_active" BOOLEAN NOT NULL DEFAULT TRUE, + "last_used_at" TIMESTAMP NULL, + "expires_at" TIMESTAMP NULL, + "created_at" TIMESTAMP NOT NULL DEFAULT NOW(), + "updated_at" TIMESTAMP NOT NULL DEFAULT NOW(), + + CONSTRAINT "pk_api_keys" PRIMARY KEY ("id"), + CONSTRAINT "uq_api_keys_key_hash" UNIQUE ("key_hash"), + CONSTRAINT "fk_api_keys_organization" FOREIGN KEY ("organization_id") + REFERENCES "organizations"("id") ON DELETE CASCADE, + CONSTRAINT "fk_api_keys_user" FOREIGN KEY ("user_id") + REFERENCES "users"("id") ON DELETE CASCADE + ) + `); + + await queryRunner.query( + `CREATE INDEX "idx_api_keys_organization_id" ON "api_keys" ("organization_id")` + ); + await queryRunner.query( + `CREATE INDEX "idx_api_keys_user_id" ON "api_keys" ("user_id")` + ); + await queryRunner.query( + `CREATE INDEX "idx_api_keys_is_active" ON "api_keys" ("is_active")` + ); + await queryRunner.query( + `CREATE INDEX "idx_api_keys_key_hash" ON "api_keys" ("key_hash")` + ); + + await queryRunner.query( + `COMMENT ON TABLE "api_keys" IS 'API keys for programmatic access — GOLD and PLATINIUM plans only'` + ); + await queryRunner.query( + `COMMENT ON COLUMN "api_keys"."key_hash" IS 'SHA-256 hex hash of the raw API key. The raw key is never stored.'` + ); + } + + public async down(queryRunner: QueryRunner): Promise { + await queryRunner.query(`DROP TABLE IF EXISTS "api_keys" CASCADE`); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/migrations/1741500000001-CreatePasswordResetTokens.ts b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1741500000001-CreatePasswordResetTokens.ts new file mode 100644 index 0000000..af57244 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/migrations/1741500000001-CreatePasswordResetTokens.ts @@ -0,0 +1,31 @@ +import { MigrationInterface, QueryRunner } from 'typeorm'; + +export class CreatePasswordResetTokens1741500000001 implements MigrationInterface { + name = 'CreatePasswordResetTokens1741500000001'; + + public async up(queryRunner: QueryRunner): Promise { + await queryRunner.query(` + CREATE TABLE "password_reset_tokens" ( + "id" uuid NOT NULL DEFAULT uuid_generate_v4(), + "user_id" uuid NOT NULL, + "token" character varying(255) NOT NULL, + "expires_at" TIMESTAMP NOT NULL, + "used_at" TIMESTAMP, + "created_at" TIMESTAMP NOT NULL DEFAULT now(), + CONSTRAINT "PK_password_reset_tokens" PRIMARY KEY ("id"), + CONSTRAINT "UQ_password_reset_tokens_token" UNIQUE ("token") + ) + `); + + await queryRunner.query( + `CREATE INDEX "IDX_password_reset_tokens_token" ON "password_reset_tokens" ("token")` + ); + await queryRunner.query( + `CREATE INDEX "IDX_password_reset_tokens_user_id" ON "password_reset_tokens" ("user_id")` + ); + } + + public async down(queryRunner: QueryRunner): Promise { + await queryRunner.query(`DROP TABLE "password_reset_tokens"`); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/repositories/shipment-counter.repository.ts b/apps/backend/src/infrastructure/persistence/typeorm/repositories/shipment-counter.repository.ts new file mode 100644 index 0000000..f60e0b5 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/repositories/shipment-counter.repository.ts @@ -0,0 +1,32 @@ +/** + * Shipment Counter Repository + * + * Counts total shipments (bookings + CSV bookings) for an organization in a year. + * Used to enforce Bronze plan's 12 shipments/year limit. + */ + +import { Injectable } from '@nestjs/common'; +import { InjectRepository } from '@nestjs/typeorm'; +import { Repository } from 'typeorm'; +import { ShipmentCounterPort } from '@domain/ports/out/shipment-counter.port'; +import { CsvBookingOrmEntity } from '../entities/csv-booking.orm-entity'; + +@Injectable() +export class TypeOrmShipmentCounterRepository implements ShipmentCounterPort { + constructor( + @InjectRepository(CsvBookingOrmEntity) + private readonly csvBookingRepository: Repository + ) {} + + async countShipmentsForOrganizationInYear(organizationId: string, year: number): Promise { + const startOfYear = new Date(year, 0, 1); + const startOfNextYear = new Date(year + 1, 0, 1); + + return this.csvBookingRepository + .createQueryBuilder('csv_booking') + .where('csv_booking.organization_id = :organizationId', { organizationId }) + .andWhere('csv_booking.created_at >= :start', { start: startOfYear }) + .andWhere('csv_booking.created_at < :end', { end: startOfNextYear }) + .getCount(); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-api-key.repository.ts b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-api-key.repository.ts new file mode 100644 index 0000000..72b6c84 --- /dev/null +++ b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-api-key.repository.ts @@ -0,0 +1,43 @@ +import { Injectable } from '@nestjs/common'; +import { InjectRepository } from '@nestjs/typeorm'; +import { Repository } from 'typeorm'; +import { ApiKey } from '@domain/entities/api-key.entity'; +import { ApiKeyRepository } from '@domain/ports/out/api-key.repository'; +import { ApiKeyOrmEntity } from '../entities/api-key.orm-entity'; +import { ApiKeyOrmMapper } from '../mappers/api-key-orm.mapper'; + +@Injectable() +export class TypeOrmApiKeyRepository implements ApiKeyRepository { + constructor( + @InjectRepository(ApiKeyOrmEntity) + private readonly repo: Repository + ) {} + + async save(apiKey: ApiKey): Promise { + const orm = ApiKeyOrmMapper.toOrm(apiKey); + const saved = await this.repo.save(orm); + return ApiKeyOrmMapper.toDomain(saved); + } + + async findById(id: string): Promise { + const orm = await this.repo.findOne({ where: { id } }); + return orm ? ApiKeyOrmMapper.toDomain(orm) : null; + } + + async findByKeyHash(keyHash: string): Promise { + const orm = await this.repo.findOne({ where: { keyHash } }); + return orm ? ApiKeyOrmMapper.toDomain(orm) : null; + } + + async findByOrganizationId(organizationId: string): Promise { + const orms = await this.repo.find({ + where: { organizationId }, + order: { createdAt: 'DESC' }, + }); + return ApiKeyOrmMapper.toDomainMany(orms); + } + + async delete(id: string): Promise { + await this.repo.delete({ id }); + } +} diff --git a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-invitation-token.repository.ts b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-invitation-token.repository.ts index 696e405..298ced7 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-invitation-token.repository.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-invitation-token.repository.ts @@ -78,6 +78,10 @@ export class TypeOrmInvitationTokenRepository implements InvitationTokenReposito return result.affected || 0; } + async deleteById(id: string): Promise { + await this.repository.delete({ id }); + } + async update(invitationToken: InvitationToken): Promise { const ormEntity = InvitationTokenOrmMapper.toOrm(invitationToken); const updated = await this.repository.save(ormEntity); diff --git a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-license.repository.ts b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-license.repository.ts index 8c74cd6..9081e21 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-license.repository.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-license.repository.ts @@ -16,7 +16,7 @@ import { LicenseOrmMapper } from '../mappers/license-orm.mapper'; export class TypeOrmLicenseRepository implements LicenseRepository { constructor( @InjectRepository(LicenseOrmEntity) - private readonly repository: Repository, + private readonly repository: Repository ) {} async save(license: License): Promise { diff --git a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-subscription.repository.ts b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-subscription.repository.ts index 5469475..27ee649 100644 --- a/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-subscription.repository.ts +++ b/apps/backend/src/infrastructure/persistence/typeorm/repositories/typeorm-subscription.repository.ts @@ -16,7 +16,7 @@ import { SubscriptionOrmMapper } from '../mappers/subscription-orm.mapper'; export class TypeOrmSubscriptionRepository implements SubscriptionRepository { constructor( @InjectRepository(SubscriptionOrmEntity) - private readonly repository: Repository, + private readonly repository: Repository ) {} async save(subscription: Subscription): Promise { @@ -35,9 +35,7 @@ export class TypeOrmSubscriptionRepository implements SubscriptionRepository { return orm ? SubscriptionOrmMapper.toDomain(orm) : null; } - async findByStripeSubscriptionId( - stripeSubscriptionId: string, - ): Promise { + async findByStripeSubscriptionId(stripeSubscriptionId: string): Promise { const orm = await this.repository.findOne({ where: { stripeSubscriptionId } }); return orm ? SubscriptionOrmMapper.toDomain(orm) : null; } diff --git a/apps/backend/src/infrastructure/stripe/stripe.adapter.ts b/apps/backend/src/infrastructure/stripe/stripe.adapter.ts index cf5386a..4cd3665 100644 --- a/apps/backend/src/infrastructure/stripe/stripe.adapter.ts +++ b/apps/backend/src/infrastructure/stripe/stripe.adapter.ts @@ -11,6 +11,8 @@ import { StripePort, CreateCheckoutSessionInput, CreateCheckoutSessionOutput, + CreateCommissionCheckoutInput, + CreateCommissionCheckoutOutput, CreatePortalSessionInput, CreatePortalSessionOutput, StripeSubscriptionData, @@ -42,50 +44,46 @@ export class StripeAdapter implements StripePort { this.planPriceMap = new Map(); // Configure plan price IDs from environment - const starterMonthly = this.configService.get('STRIPE_STARTER_MONTHLY_PRICE_ID'); - const starterYearly = this.configService.get('STRIPE_STARTER_YEARLY_PRICE_ID'); - const proMonthly = this.configService.get('STRIPE_PRO_MONTHLY_PRICE_ID'); - const proYearly = this.configService.get('STRIPE_PRO_YEARLY_PRICE_ID'); - const enterpriseMonthly = this.configService.get('STRIPE_ENTERPRISE_MONTHLY_PRICE_ID'); - const enterpriseYearly = this.configService.get('STRIPE_ENTERPRISE_YEARLY_PRICE_ID'); + const silverMonthly = this.configService.get('STRIPE_SILVER_MONTHLY_PRICE_ID'); + const silverYearly = this.configService.get('STRIPE_SILVER_YEARLY_PRICE_ID'); + const goldMonthly = this.configService.get('STRIPE_GOLD_MONTHLY_PRICE_ID'); + const goldYearly = this.configService.get('STRIPE_GOLD_YEARLY_PRICE_ID'); + const platiniumMonthly = this.configService.get('STRIPE_PLATINIUM_MONTHLY_PRICE_ID'); + const platiniumYearly = this.configService.get('STRIPE_PLATINIUM_YEARLY_PRICE_ID'); - if (starterMonthly) this.priceIdMap.set(starterMonthly, 'STARTER'); - if (starterYearly) this.priceIdMap.set(starterYearly, 'STARTER'); - if (proMonthly) this.priceIdMap.set(proMonthly, 'PRO'); - if (proYearly) this.priceIdMap.set(proYearly, 'PRO'); - if (enterpriseMonthly) this.priceIdMap.set(enterpriseMonthly, 'ENTERPRISE'); - if (enterpriseYearly) this.priceIdMap.set(enterpriseYearly, 'ENTERPRISE'); + if (silverMonthly) this.priceIdMap.set(silverMonthly, 'SILVER'); + if (silverYearly) this.priceIdMap.set(silverYearly, 'SILVER'); + if (goldMonthly) this.priceIdMap.set(goldMonthly, 'GOLD'); + if (goldYearly) this.priceIdMap.set(goldYearly, 'GOLD'); + if (platiniumMonthly) this.priceIdMap.set(platiniumMonthly, 'PLATINIUM'); + if (platiniumYearly) this.priceIdMap.set(platiniumYearly, 'PLATINIUM'); - this.planPriceMap.set('STARTER', { - monthly: starterMonthly || '', - yearly: starterYearly || '', + this.planPriceMap.set('SILVER', { + monthly: silverMonthly || '', + yearly: silverYearly || '', }); - this.planPriceMap.set('PRO', { - monthly: proMonthly || '', - yearly: proYearly || '', + this.planPriceMap.set('GOLD', { + monthly: goldMonthly || '', + yearly: goldYearly || '', }); - this.planPriceMap.set('ENTERPRISE', { - monthly: enterpriseMonthly || '', - yearly: enterpriseYearly || '', + this.planPriceMap.set('PLATINIUM', { + monthly: platiniumMonthly || '', + yearly: platiniumYearly || '', }); } async createCheckoutSession( - input: CreateCheckoutSessionInput, + input: CreateCheckoutSessionInput ): Promise { const planPrices = this.planPriceMap.get(input.plan); if (!planPrices) { throw new Error(`No price configuration for plan: ${input.plan}`); } - const priceId = input.billingInterval === 'yearly' - ? planPrices.yearly - : planPrices.monthly; + const priceId = input.billingInterval === 'yearly' ? planPrices.yearly : planPrices.monthly; if (!priceId) { - throw new Error( - `No ${input.billingInterval} price configured for plan: ${input.plan}`, - ); + throw new Error(`No ${input.billingInterval} price configured for plan: ${input.plan}`); } const sessionParams: Stripe.Checkout.SessionCreateParams = { @@ -119,7 +117,7 @@ export class StripeAdapter implements StripePort { const session = await this.stripe.checkout.sessions.create(sessionParams); this.logger.log( - `Created checkout session ${session.id} for organization ${input.organizationId}`, + `Created checkout session ${session.id} for organization ${input.organizationId}` ); return { @@ -128,9 +126,46 @@ export class StripeAdapter implements StripePort { }; } - async createPortalSession( - input: CreatePortalSessionInput, - ): Promise { + async createCommissionCheckout( + input: CreateCommissionCheckoutInput + ): Promise { + const session = await this.stripe.checkout.sessions.create({ + mode: 'payment', + payment_method_types: ['card'], + line_items: [ + { + price_data: { + currency: input.currency, + unit_amount: input.amountCents, + product_data: { + name: 'Commission Xpeditis', + description: input.bookingDescription, + }, + }, + quantity: 1, + }, + ], + customer_email: input.customerEmail, + success_url: input.successUrl, + cancel_url: input.cancelUrl, + metadata: { + type: 'commission', + bookingId: input.bookingId, + organizationId: input.organizationId, + }, + }); + + this.logger.log( + `Created commission checkout session ${session.id} for booking ${input.bookingId}` + ); + + return { + sessionId: session.id, + sessionUrl: session.url || '', + }; + } + + async createPortalSession(input: CreatePortalSessionInput): Promise { const session = await this.stripe.billingPortal.sessions.create({ customer: input.customerId, return_url: input.returnUrl, @@ -211,13 +246,9 @@ export class StripeAdapter implements StripePort { async constructWebhookEvent( payload: string | Buffer, - signature: string, + signature: string ): Promise { - const event = this.stripe.webhooks.constructEvent( - payload, - signature, - this.webhookSecret, - ); + const event = this.stripe.webhooks.constructEvent(payload, signature, this.webhookSecret); return { type: event.type, diff --git a/apps/backend/src/main.ts b/apps/backend/src/main.ts index ed82eae..657f47a 100644 --- a/apps/backend/src/main.ts +++ b/apps/backend/src/main.ts @@ -7,6 +7,7 @@ import compression from 'compression'; import { AppModule } from './app.module'; import { Logger } from 'nestjs-pino'; import { helmetConfig, corsConfig } from './infrastructure/security/security.config'; +import type { Request, Response, NextFunction } from 'express'; async function bootstrap() { const app = await NestFactory.create(AppModule, { @@ -19,6 +20,7 @@ async function bootstrap() { const configService = app.get(ConfigService); const port = configService.get('PORT', 4000); const apiPrefix = configService.get('API_PREFIX', 'api/v1'); + const isProduction = configService.get('NODE_ENV') === 'production'; // Use Pino logger app.useLogger(app.get(Logger)); @@ -52,39 +54,76 @@ async function bootstrap() { }) ); - // Swagger documentation - const config = new DocumentBuilder() - .setTitle('Xpeditis API') - .setDescription( - 'Maritime Freight Booking Platform - API for searching rates and managing bookings' - ) - .setVersion('1.0') - .addBearerAuth() - .addTag('rates', 'Rate search and comparison') - .addTag('bookings', 'Booking management') - .addTag('auth', 'Authentication and authorization') - .addTag('users', 'User management') - .addTag('organizations', 'Organization management') - .build(); + // ─── Swagger documentation ──────────────────────────────────────────────── + const swaggerUser = configService.get('SWAGGER_USERNAME'); + const swaggerPass = configService.get('SWAGGER_PASSWORD'); + const swaggerEnabled = !isProduction || (Boolean(swaggerUser) && Boolean(swaggerPass)); - const document = SwaggerModule.createDocument(app, config); - SwaggerModule.setup('api/docs', app, document, { - customSiteTitle: 'Xpeditis API Documentation', - customfavIcon: 'https://xpeditis.com/favicon.ico', - customCss: '.swagger-ui .topbar { display: none }', - }); + if (swaggerEnabled) { + // HTTP Basic Auth guard for Swagger routes when credentials are configured + if (swaggerUser && swaggerPass) { + const swaggerPaths = ['/api/docs', '/api/docs-json', '/api/docs-yaml']; + app.use(swaggerPaths, (req: Request, res: Response, next: NextFunction) => { + const authHeader = req.headers['authorization']; + if (!authHeader || !authHeader.startsWith('Basic ')) { + res.setHeader('WWW-Authenticate', 'Basic realm="Xpeditis API Docs"'); + res.status(401).send('Authentication required'); + return; + } + const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf-8'); + const colonIndex = decoded.indexOf(':'); + const user = decoded.slice(0, colonIndex); + const pass = decoded.slice(colonIndex + 1); + if (user !== swaggerUser || pass !== swaggerPass) { + res.setHeader('WWW-Authenticate', 'Basic realm="Xpeditis API Docs"'); + res.status(401).send('Invalid credentials'); + return; + } + next(); + }); + } + + const config = new DocumentBuilder() + .setTitle('Xpeditis API') + .setDescription( + 'Maritime Freight Booking Platform - API for searching rates and managing bookings' + ) + .setVersion('1.0') + .addBearerAuth() + .addApiKey({ type: 'apiKey', name: 'x-api-key', in: 'header' }, 'x-api-key') + .addTag('rates', 'Rate search and comparison') + .addTag('bookings', 'Booking management') + .addTag('auth', 'Authentication and authorization') + .addTag('users', 'User management') + .addTag('organizations', 'Organization management') + .build(); + + const document = SwaggerModule.createDocument(app, config); + SwaggerModule.setup('api/docs', app, document, { + customSiteTitle: 'Xpeditis API Documentation', + customfavIcon: 'https://xpeditis.com/favicon.ico', + customCss: '.swagger-ui .topbar { display: none }', + }); + } + // ───────────────────────────────────────────────────────────────────────── await app.listen(port); + const swaggerStatus = swaggerEnabled + ? swaggerUser + ? `http://localhost:${port}/api/docs (protected)` + : `http://localhost:${port}/api/docs (open — add SWAGGER_USERNAME/PASSWORD to secure)` + : 'disabled in production'; + console.log(` - ╔═══════════════════════════════════════╗ - ║ ║ - ║ 🚢 Xpeditis API Server Running ║ - ║ ║ - ║ API: http://localhost:${port}/${apiPrefix} ║ - ║ Docs: http://localhost:${port}/api/docs ║ - ║ ║ - ╚═══════════════════════════════════════╝ + ╔═══════════════════════════════════════════════╗ + ║ ║ + ║ 🚢 Xpeditis API Server Running ║ + ║ ║ + ║ API: http://localhost:${port}/${apiPrefix} ║ + ║ Docs: ${swaggerStatus} ║ + ║ ║ + ╚═══════════════════════════════════════════════╝ `); } diff --git a/apps/frontend/app/about/page.tsx b/apps/frontend/app/about/page.tsx index caea7ca..b89b7c0 100644 --- a/apps/frontend/app/about/page.tsx +++ b/apps/frontend/app/about/page.tsx @@ -350,21 +350,30 @@ export default function AboutPage() {
- {/* Timeline line */} -
+ {/* Timeline vertical rail + animated fill */} +
+ +
{timeline.map((item, index) => (
-
-
+
+
{item.year}
@@ -372,9 +381,18 @@ export default function AboutPage() {

{item.description}

-
-
+ + {/* Animated center dot */} +
+
+
))} diff --git a/apps/frontend/app/contact/page.tsx b/apps/frontend/app/contact/page.tsx index e741ff0..440701e 100644 --- a/apps/frontend/app/contact/page.tsx +++ b/apps/frontend/app/contact/page.tsx @@ -13,8 +13,13 @@ import { Building2, CheckCircle2, Loader2, + Shield, + Zap, + BookOpen, + ArrowRight, } from 'lucide-react'; import { LandingHeader, LandingFooter } from '@/components/layout'; +import { sendContactForm } from '@/lib/api/auth'; export default function ContactPage() { const [formData, setFormData] = useState({ @@ -33,21 +38,36 @@ export default function ContactPage() { const heroRef = useRef(null); const formRef = useRef(null); const contactRef = useRef(null); + const afterSubmitRef = useRef(null); + const quickAccessRef = useRef(null); const isHeroInView = useInView(heroRef, { once: true }); const isFormInView = useInView(formRef, { once: true }); const isContactInView = useInView(contactRef, { once: true }); + const isAfterSubmitInView = useInView(afterSubmitRef, { once: true }); + const isQuickAccessInView = useInView(quickAccessRef, { once: true }); const handleSubmit = async (e: React.FormEvent) => { e.preventDefault(); setError(''); setIsSubmitting(true); - // Simulate form submission - await new Promise((resolve) => setTimeout(resolve, 1500)); - - setIsSubmitting(false); - setIsSubmitted(true); + try { + await sendContactForm({ + firstName: formData.firstName, + lastName: formData.lastName, + email: formData.email, + company: formData.company || undefined, + phone: formData.phone || undefined, + subject: formData.subject, + message: formData.message, + }); + setIsSubmitted(true); + } catch (err: any) { + setError(err.message || "Une erreur est survenue lors de l'envoi. Veuillez réessayer."); + } finally { + setIsSubmitting(false); + } }; const handleChange = ( @@ -65,7 +85,6 @@ export default function ContactPage() { title: 'Email', description: 'Envoyez-nous un email', value: 'contact@xpeditis.com', - link: 'mailto:contact@xpeditis.com', color: 'from-blue-500 to-cyan-500', }, { @@ -73,7 +92,6 @@ export default function ContactPage() { title: 'Téléphone', description: 'Appelez-nous', value: '+33 1 23 45 67 89', - link: 'tel:+33123456789', color: 'from-green-500 to-emerald-500', }, { @@ -81,15 +99,13 @@ export default function ContactPage() { title: 'Chat en direct', description: 'Discutez avec notre équipe', value: 'Disponible 24/7', - link: '#chat', color: 'from-purple-500 to-pink-500', }, { icon: Headphones, title: 'Support', - description: 'Centre d\'aide', - value: 'support.xpeditis.com', - link: 'https://support.xpeditis.com', + description: 'Support client', + value: 'support@xpeditis.com', color: 'from-orange-500 to-red-500', }, ]; @@ -103,22 +119,6 @@ export default function ContactPage() { email: 'paris@xpeditis.com', isHQ: true, }, - { - city: 'Rotterdam', - address: 'Wilhelminakade 123', - postalCode: '3072 AP Rotterdam, Netherlands', - phone: '+31 10 123 4567', - email: 'rotterdam@xpeditis.com', - isHQ: false, - }, - { - city: 'Hambourg', - address: 'Am Sandtorkai 50', - postalCode: '20457 Hamburg, Germany', - phone: '+49 40 123 4567', - email: 'hamburg@xpeditis.com', - isHQ: false, - }, ]; const subjects = [ @@ -219,22 +219,20 @@ export default function ContactPage() { {contactMethods.map((method, index) => { const IconComponent = method.icon; return ( -

{method.title}

{method.description}

{method.value}

- + ); })}
@@ -438,9 +436,9 @@ export default function ContactPage() { animate={isFormInView ? { opacity: 1, x: 0 } : {}} transition={{ duration: 0.8, delay: 0.2 }} > -

Nos bureaux

+

Notre bureau

- Retrouvez-nous dans nos bureaux à travers l'Europe ou contactez-nous par email. + Retrouvez-nous à Paris ou contactez-nous par email.

@@ -526,34 +524,154 @@ export default function ContactPage() {
- {/* Map Section */} -
+ {/* Section 1 : Ce qui se passe après l'envoi */} +
+
+ + {/* Decorative blobs */} +
+
+
+
+ +
+
+
+ +
+ + Après votre envoi + +
+

+ Que se passe-t-il après l'envoi de votre message ? +

+ +
+ {/* Notre engagement */} + +
+
+ +
+

Notre engagement

+
+

+ Dès réception de votre demande, un de nos experts logistiques analyse votre + profil et vos besoins. Vous recevrez une réponse personnalisée ou une invitation + pour une démonstration de la plateforme{' '} + + sous 48 heures ouvrées. + +

+ + + {/* Sécurité */} + +
+
+ +
+

Sécurité

+
+

+ Vos informations sont protégées et traitées conformément à notre{' '} + + politique de confidentialité + + . Aucune donnée n'est partagée avec des tiers sans votre accord. +

+ +
+
+ +
+
+ + {/* Section 2 : Accès Rapide */} +
-

Notre présence en Europe

-

- Des bureaux stratégiquement situés pour mieux vous servir -

- +
+ + Accès rapide + +

+ Besoin d'une réponse immédiate ? +

+
- -
-
- -

Carte interactive bientôt disponible

-
+
+ {/* Tarification instantanée */} + +
+ +
+

Tarification instantanée

+

+ N'attendez pas notre retour pour vos prix. Utilisez notre moteur{' '} + Click&Ship pour obtenir + une cotation de fret maritime en moins de 60 secondes. +

+ + Accéder au Dashboard + + + + + {/* Wiki Maritime */} + +
+ +
+

Aide rapide

+

+ Une question sur les Incoterms ou la documentation export ? Notre{' '} + Wiki Maritime contient déjà + les réponses aux questions les plus fréquentes. +

+ + Consulter le Wiki + + +
diff --git a/apps/frontend/app/dashboard/admin/bookings/page.tsx b/apps/frontend/app/dashboard/admin/bookings/page.tsx index 1bb2a1a..485aa40 100644 --- a/apps/frontend/app/dashboard/admin/bookings/page.tsx +++ b/apps/frontend/app/dashboard/admin/bookings/page.tsx @@ -1,413 +1,548 @@ -'use client'; - -import { useState, useEffect } from 'react'; -import { getAllBookings } from '@/lib/api/admin'; - -interface Booking { - id: string; - bookingNumber?: string; - bookingId?: string; - type?: string; - status: string; - // CSV bookings use these fields - origin?: string; - destination?: string; - carrierName?: string; - // Regular bookings use these fields - originPort?: { - code: string; - name: string; - }; - destinationPort?: { - code: string; - name: string; - }; - carrier?: string; - containerType: string; - quantity?: number; - price?: number; - primaryCurrency?: string; - totalPrice?: { - amount: number; - currency: string; - }; - createdAt?: string; - updatedAt?: string; - requestedAt?: string; - organizationId?: string; - userId?: string; -} - -export default function AdminBookingsPage() { - const [bookings, setBookings] = useState([]); - const [loading, setLoading] = useState(true); - const [error, setError] = useState(null); - const [selectedBooking, setSelectedBooking] = useState(null); - const [showDetailsModal, setShowDetailsModal] = useState(false); - const [filterStatus, setFilterStatus] = useState('all'); - const [searchTerm, setSearchTerm] = useState(''); - - // Helper function to get formatted quote number - const getQuoteNumber = (booking: Booking): string => { - if (booking.type === 'csv') { - return `#${booking.bookingId || booking.id.slice(0, 8).toUpperCase()}`; - } - return booking.bookingNumber || `#${booking.id.slice(0, 8).toUpperCase()}`; - }; - - useEffect(() => { - fetchBookings(); - }, []); - - const fetchBookings = async () => { - try { - setLoading(true); - const response = await getAllBookings(); - setBookings(response.bookings || []); - setError(null); - } catch (err: any) { - setError(err.message || 'Failed to load bookings'); - } finally { - setLoading(false); - } - }; - - const getStatusColor = (status: string) => { - const colors: Record = { - draft: 'bg-gray-100 text-gray-800', - pending: 'bg-yellow-100 text-yellow-800', - confirmed: 'bg-blue-100 text-blue-800', - in_transit: 'bg-purple-100 text-purple-800', - delivered: 'bg-green-100 text-green-800', - cancelled: 'bg-red-100 text-red-800', - }; - return colors[status.toLowerCase()] || 'bg-gray-100 text-gray-800'; - }; - - const filteredBookings = bookings - .filter(booking => filterStatus === 'all' || booking.status.toLowerCase() === filterStatus) - .filter(booking => { - if (searchTerm === '') return true; - const searchLower = searchTerm.toLowerCase(); - const quoteNumber = getQuoteNumber(booking).toLowerCase(); - return ( - quoteNumber.includes(searchLower) || - booking.bookingNumber?.toLowerCase().includes(searchLower) || - booking.carrier?.toLowerCase().includes(searchLower) || - booking.carrierName?.toLowerCase().includes(searchLower) || - booking.origin?.toLowerCase().includes(searchLower) || - booking.destination?.toLowerCase().includes(searchLower) - ); - }); - - if (loading) { - return ( -
-
-
-

Loading bookings...

-
-
- ); - } - - return ( -
- {/* Header */} -
-
-

Booking Management

-

- View and manage all bookings across the platform -

-
-
- - {/* Filters */} -
-
-
- - setSearchTerm(e.target.value)} - className="block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm focus:border-blue-500 focus:ring-blue-500 focus:outline-none" - /> -
-
- - -
-
-
- - {/* Stats Cards */} -
-
-
Total Réservations
-
{bookings.length}
-
-
-
En Attente
-
- {bookings.filter(b => b.status.toUpperCase() === 'PENDING').length} -
-
-
-
Acceptées
-
- {bookings.filter(b => b.status.toUpperCase() === 'ACCEPTED').length} -
-
-
-
Rejetées
-
- {bookings.filter(b => b.status.toUpperCase() === 'REJECTED').length} -
-
-
- - {/* Error Message */} - {error && ( -
- {error} -
- )} - - {/* Bookings Table */} -
- - - - - - - - - - - - - - {filteredBookings.map(booking => ( - - - - - - - - - - ))} - -
- Numéro de devis - - Route - - Transporteur - - Conteneur - - Statut - - Prix - - Actions -
-
- {getQuoteNumber(booking)} -
-
- {new Date(booking.createdAt || booking.requestedAt || '').toLocaleDateString()} -
- 		-
- {booking.originPort ? `${booking.originPort.code} → ${booking.destinationPort?.code}` : `${booking.origin} → ${booking.destination}`} -
-
- {booking.originPort ? `${booking.originPort.name} → ${booking.destinationPort?.name}` : ''} -
- 		- {booking.carrier || booking.carrierName || 'N/A'} - -
{booking.containerType}
-
- {booking.quantity ? `Qty: ${booking.quantity}` : ''} -
- 		- - {booking.status} - - - {booking.totalPrice - ? `${booking.totalPrice.amount.toLocaleString()} ${booking.totalPrice.currency}` - : booking.price - ? `${booking.price.toLocaleString()} ${booking.primaryCurrency || 'USD'}` - : 'N/A' - } - - -
-
- - {/* Details Modal */} - {showDetailsModal && selectedBooking && ( -
-
-
-

Booking Details

- -
- -
-
-
- -
- {getQuoteNumber(selectedBooking)} -
-
-
- - - {selectedBooking.status} - -
-
- -
-

Route Information

-
-
- -
- {selectedBooking.originPort ? ( - <> -
{selectedBooking.originPort.code}
-
{selectedBooking.originPort.name}
- - ) : ( -
{selectedBooking.origin}
- )} -
-
-
- -
- {selectedBooking.destinationPort ? ( - <> -
{selectedBooking.destinationPort.code}
-
{selectedBooking.destinationPort.name}
- - ) : ( -
{selectedBooking.destination}
- )} -
-
-
-
- -
-

Shipping Details

-
-
- -
- {selectedBooking.carrier || selectedBooking.carrierName || 'N/A'} -
-
-
- -
{selectedBooking.containerType}
-
- {selectedBooking.quantity && ( -
- -
{selectedBooking.quantity}
-
- )} -
-
- -
-

Pricing

-
- {selectedBooking.totalPrice - ? `${selectedBooking.totalPrice.amount.toLocaleString()} ${selectedBooking.totalPrice.currency}` - : selectedBooking.price - ? `${selectedBooking.price.toLocaleString()} ${selectedBooking.primaryCurrency || 'USD'}` - : 'N/A' - } -
-
- -
-

Timeline

-
-
- -
- {new Date(selectedBooking.createdAt || selectedBooking.requestedAt || '').toLocaleString()} -
-
- {selectedBooking.updatedAt && ( -
- -
{new Date(selectedBooking.updatedAt).toLocaleString()}
-
- )} -
-
-
- -
- -
-
-
- )} -
- ); -} +'use client'; + +import { useState, useEffect } from 'react'; +import { getAllBookings, validateBankTransfer, deleteAdminBooking } from '@/lib/api/admin'; + +interface Booking { + id: string; + bookingNumber?: string | null; + type?: string; + status: string; + origin?: string; + destination?: string; + carrierName?: string; + containerType: string; + volumeCBM?: number; + weightKG?: number; + palletCount?: number; + priceEUR?: number; + priceUSD?: number; + primaryCurrency?: string; + createdAt?: string; + requestedAt?: string; + updatedAt?: string; + organizationId?: string; + userId?: string; +} + +export default function AdminBookingsPage() { + const [bookings, setBookings] = useState([]); + const [loading, setLoading] = useState(true); + const [error, setError] = useState(null); + const [filterStatus, setFilterStatus] = useState('all'); + const [searchTerm, setSearchTerm] = useState(''); + const [validatingId, setValidatingId] = useState(null); + const [deletingId, setDeletingId] = useState(null); + const [openMenuId, setOpenMenuId] = useState(null); + const [menuPosition, setMenuPosition] = useState<{ top: number; left: number } | null>(null); + const [selectedBooking, setSelectedBooking] = useState(null); + const [showDetailsModal, setShowDetailsModal] = useState(false); + + useEffect(() => { + fetchBookings(); + }, []); + + const handleDeleteBooking = async (bookingId: string) => { + if (!window.confirm('Supprimer définitivement cette réservation ?')) return; + setDeletingId(bookingId); + try { + await deleteAdminBooking(bookingId); + setBookings(prev => prev.filter(b => b.id !== bookingId)); + } catch (err: any) { + setError(err.message || 'Erreur lors de la suppression'); + } finally { + setDeletingId(null); + } + }; + + const handleValidateTransfer = async (bookingId: string) => { + if (!window.confirm('Confirmer la réception du virement et activer ce booking ?')) return; + setValidatingId(bookingId); + try { + await validateBankTransfer(bookingId); + await fetchBookings(); + } catch (err: any) { + setError(err.message || 'Erreur lors de la validation du virement'); + } finally { + setValidatingId(null); + } + }; + + const fetchBookings = async () => { + try { + setLoading(true); + const response = await getAllBookings(); + setBookings(response.bookings || []); + setError(null); + } catch (err: any) { + setError(err.message || 'Impossible de charger les réservations'); + } finally { + setLoading(false); + } + }; + + const getStatusColor = (status: string) => { + const colors: Record = { + pending_payment: 'bg-orange-100 text-orange-800', + pending_bank_transfer: 'bg-amber-100 text-amber-900', + pending: 'bg-yellow-100 text-yellow-800', + accepted: 'bg-green-100 text-green-800', + rejected: 'bg-red-100 text-red-800', + cancelled: 'bg-red-100 text-red-800', + }; + return colors[status.toLowerCase()] || 'bg-gray-100 text-gray-800'; + }; + + const getStatusLabel = (status: string) => { + const labels: Record = { + PENDING_PAYMENT: 'Paiement en attente', + PENDING_BANK_TRANSFER: 'Virement à valider', + PENDING: 'En attente transporteur', + ACCEPTED: 'Accepté', + REJECTED: 'Rejeté', + CANCELLED: 'Annulé', + }; + return labels[status.toUpperCase()] || status; + }; + + const getShortId = (booking: Booking) => `#${booking.id.slice(0, 8).toUpperCase()}`; + + const filteredBookings = bookings + .filter(booking => filterStatus === 'all' || booking.status.toLowerCase() === filterStatus) + .filter(booking => { + if (searchTerm === '') return true; + const s = searchTerm.toLowerCase(); + return ( + booking.bookingNumber?.toLowerCase().includes(s) || + booking.id.toLowerCase().includes(s) || + booking.carrierName?.toLowerCase().includes(s) || + booking.origin?.toLowerCase().includes(s) || + booking.destination?.toLowerCase().includes(s) || + String(booking.palletCount || '').includes(s) || + String(booking.weightKG || '').includes(s) || + String(booking.volumeCBM || '').includes(s) || + booking.containerType?.toLowerCase().includes(s) + ); + }); + + if (loading) { + return ( +
+
+
+

Chargement des réservations...

+
+
+ ); + } + + return ( +
+ {/* Header */} +
+

Gestion des réservations

+

+ Toutes les réservations de la plateforme +

+
+ + {/* Stats Cards */} +
+
+
Total
+
{bookings.length}
+
+
+
Virements à valider
+
+ {bookings.filter(b => b.status.toUpperCase() === 'PENDING_BANK_TRANSFER').length} +
+
+
+
En attente transporteur
+
+ {bookings.filter(b => b.status.toUpperCase() === 'PENDING').length} +
+
+
+
Acceptées
+
+ {bookings.filter(b => b.status.toUpperCase() === 'ACCEPTED').length} +
+
+
+
Rejetées
+
+ {bookings.filter(b => b.status.toUpperCase() === 'REJECTED').length} +
+
+
+ + {/* Filters */} +
+
+
+ + setSearchTerm(e.target.value)} + className="block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm focus:border-blue-500 focus:ring-blue-500 focus:outline-none text-sm" + /> +
+
+ + +
+
+
+ + {/* Error Message */} + {error && ( +
+ {error} +
+ )} + + {/* Bookings Table */} +
+
+ + + + + + + + + + + + + + {filteredBookings.length === 0 ? ( + + + + ) : ( + filteredBookings.map(booking => ( + + {/* N° Booking */} + + + {/* Route */} + + + {/* Cargo */} + + + {/* Transporteur */} + + + {/* Statut */} + + + {/* Date */} + + + {/* Actions */} + + + )) + )} + +
+ N° Booking + + Route + + Cargo + + Transporteur + + Statut + + Date + + Actions +
+ Aucune réservation trouvée +
+ {booking.bookingNumber && ( +
{booking.bookingNumber}
+ )} +
{getShortId(booking)}
+ 		+
+ {booking.origin} → {booking.destination} +
+ 		+
+ {booking.containerType} + {booking.palletCount != null && ( + · {booking.palletCount} pal. + )} +
+
+ {booking.weightKG != null && {booking.weightKG.toLocaleString()} kg} + {booking.volumeCBM != null && {booking.volumeCBM} CBM} +
+ 		+ {booking.carrierName || '—'} + + + {getStatusLabel(booking.status)} + + + {new Date(booking.requestedAt || booking.createdAt || '').toLocaleDateString('fr-FR')} + + +
+
+
+ {/* Actions Dropdown Menu */} + {openMenuId && menuPosition && ( + <> +
{ setOpenMenuId(null); setMenuPosition(null); }} + /> +
+
+ + {(() => { + const booking = bookings.find(b => b.id === openMenuId); + return booking?.status.toUpperCase() === 'PENDING_BANK_TRANSFER' ? ( + + ) : null; + })()} + +
+
+ + )} + + {/* Details Modal */} + {showDetailsModal && selectedBooking && ( +
+
+
+

Détails de la réservation

+ +
+ +
+
+
+ +
+ {selectedBooking.bookingNumber || getShortId(selectedBooking)} +
+
+
+ + + {getStatusLabel(selectedBooking.status)} + +
+
+ +
+

Route

+
+
+ +
{selectedBooking.origin || '—'}
+
+
+ +
{selectedBooking.destination || '—'}
+
+
+
+ +
+

Cargo & Transporteur

+
+
+ +
{selectedBooking.carrierName || '—'}
+
+
+ +
{selectedBooking.containerType}
+
+ {selectedBooking.palletCount != null && ( +
+ +
{selectedBooking.palletCount}
+
+ )} + {selectedBooking.weightKG != null && ( +
+ +
{selectedBooking.weightKG.toLocaleString()} kg
+
+ )} + {selectedBooking.volumeCBM != null && ( +
+ +
{selectedBooking.volumeCBM} CBM
+
+ )} +
+
+ + {(selectedBooking.priceEUR != null || selectedBooking.priceUSD != null) && ( +
+

Prix

+
+ {selectedBooking.priceEUR != null && ( +
+ +
{selectedBooking.priceEUR.toLocaleString()} €
+
+ )} + {selectedBooking.priceUSD != null && ( +
+ +
{selectedBooking.priceUSD.toLocaleString()} $
+
+ )} +
+
+ )} + +
+

Dates

+
+
+ +
+ {new Date(selectedBooking.requestedAt || selectedBooking.createdAt || '').toLocaleString('fr-FR')} +
+
+ {selectedBooking.updatedAt && ( +
+ +
{new Date(selectedBooking.updatedAt).toLocaleString('fr-FR')}
+
+ )} +
+
+ + {selectedBooking.status.toUpperCase() === 'PENDING_BANK_TRANSFER' && ( +
+ +
+ )} +
+ +
+ +
+
+
+ )} +
+ ); +} diff --git a/apps/frontend/app/dashboard/admin/csv-rates/page.tsx b/apps/frontend/app/dashboard/admin/csv-rates/page.tsx index aeb9e42..3f385f2 100644 --- a/apps/frontend/app/dashboard/admin/csv-rates/page.tsx +++ b/apps/frontend/app/dashboard/admin/csv-rates/page.tsx @@ -81,20 +81,22 @@ export default function AdminCsvRatesPage() { {/* Configurations Table */} - -
- Configurations CSV actives - - Liste de toutes les compagnies avec fichiers CSV configurés - + +
+
+ Configurations CSV actives + + Liste de toutes les compagnies avec fichiers CSV configurés + +
+
- {error && ( @@ -120,6 +122,7 @@ export default function AdminCsvRatesPage() { Taille Lignes Date d'upload + Email Actions @@ -142,6 +145,11 @@ export default function AdminCsvRatesPage() { {new Date(file.uploadedAt).toLocaleDateString('fr-FR')}
+ +
+ {file.companyEmail ?? '—'} +
+
- + @@ -586,6 +611,60 @@ export default function AdminDocumentsPage() {
)}
+ {/* Actions Dropdown Menu */} + {openMenuId && menuPosition && ( + <> +
{ setOpenMenuId(null); setMenuPosition(null); }} + /> +
+
+ {(() => { + const [bookingId, documentId] = openMenuId.split('::'); + const doc = documents.find(d => d.bookingId === bookingId && d.id === documentId); + if (!doc) return null; + return ( + <> + + + + ); + })()} +
+
+ + )}
); } diff --git a/apps/frontend/app/dashboard/admin/logs/page.tsx b/apps/frontend/app/dashboard/admin/logs/page.tsx new file mode 100644 index 0000000..edf04ed --- /dev/null +++ b/apps/frontend/app/dashboard/admin/logs/page.tsx @@ -0,0 +1,548 @@ +'use client'; + +import { useState, useEffect, useCallback } from 'react'; +import { + Download, + RefreshCw, + Filter, + Activity, + AlertTriangle, + Info, + Bug, + Server, +} from 'lucide-react'; + +const LOG_EXPORTER_URL = + process.env.NEXT_PUBLIC_LOG_EXPORTER_URL || 'http://localhost:3200'; + +// ─── Types ──────────────────────────────────────────────────────────────────── + +interface LogEntry { + timestamp: string; + service: string; + level: string; + context: string; + message: string; + reqId: string; + req_method: string; + req_url: string; + res_status: string; + response_time_ms: string; + error: string; +} + +interface LogsResponse { + total: number; + query: string; + range: { from: string; to: string }; + logs: LogEntry[]; +} + +interface Filters { + service: string; + level: string; + search: string; + startDate: string; + endDate: string; + limit: string; +} + +// ─── Helpers ────────────────────────────────────────────────────────────────── + +const LEVEL_STYLES: Record = { + error: 'bg-red-100 text-red-700 border border-red-200', + fatal: 'bg-red-200 text-red-900 border border-red-300', + warn: 'bg-yellow-100 text-yellow-700 border border-yellow-200', + info: 'bg-blue-100 text-blue-700 border border-blue-200', + debug: 'bg-gray-100 text-gray-600 border border-gray-200', + trace: 'bg-purple-100 text-purple-700 border border-purple-200', +}; + +const LEVEL_ROW_BG: Record = { + error: 'bg-red-50', + fatal: 'bg-red-100', + warn: 'bg-yellow-50', + info: '', + debug: '', + trace: '', +}; + +function LevelBadge({ level }: { level: string }) { + const style = LEVEL_STYLES[level] || 'bg-gray-100 text-gray-600'; + return ( + + {level} + + ); +} + +function StatCard({ + label, + value, + icon: Icon, + color, +}: { + label: string; + value: number | string; + icon: any; + color: string; +}) { + return ( +
+
+ +
+
+

{value}

+

{label}

+
+
+ ); +} + +// ─── Page ───────────────────────────────────────────────────────────────────── + +export default function AdminLogsPage() { + const [logs, setLogs] = useState([]); + const [services, setServices] = useState([]); + const [loading, setLoading] = useState(false); + const [exportLoading, setExportLoading] = useState(false); + const [error, setError] = useState(null); + const [total, setTotal] = useState(0); + const [expandedRow, setExpandedRow] = useState(null); + + const now = new Date(); + const oneHourAgo = new Date(now.getTime() - 60 * 60 * 1000); + + const [filters, setFilters] = useState({ + service: 'all', + level: 'all', + search: '', + startDate: oneHourAgo.toISOString().slice(0, 16), + endDate: now.toISOString().slice(0, 16), + limit: '500', + }); + + // Load available services + useEffect(() => { + fetch(`${LOG_EXPORTER_URL}/api/logs/services`) + .then(r => r.json()) + .then(d => setServices(d.services || [])) + .catch(() => {}); + }, []); + + const buildQueryString = useCallback( + (fmt?: string) => { + const params = new URLSearchParams(); + if (filters.service !== 'all') params.set('service', filters.service); + if (filters.level !== 'all') params.set('level', filters.level); + if (filters.search) params.set('search', filters.search); + if (filters.startDate) params.set('start', new Date(filters.startDate).toISOString()); + if (filters.endDate) params.set('end', new Date(filters.endDate).toISOString()); + params.set('limit', filters.limit); + if (fmt) params.set('format', fmt); + return params.toString(); + }, + [filters], + ); + + const fetchLogs = useCallback(async () => { + setLoading(true); + setError(null); + try { + const res = await fetch( + `${LOG_EXPORTER_URL}/api/logs/export?${buildQueryString('json')}`, + ); + if (!res.ok) { + const body = await res.json().catch(() => ({})); + throw new Error(body.error || `HTTP ${res.status}`); + } + const data: LogsResponse = await res.json(); + setLogs(data.logs || []); + setTotal(data.total || 0); + } catch (err: any) { + setError(err.message); + } finally { + setLoading(false); + } + }, [buildQueryString]); + + useEffect(() => { + fetchLogs(); + }, []); + + const handleExport = async (format: 'json' | 'csv') => { + setExportLoading(true); + try { + const res = await fetch( + `${LOG_EXPORTER_URL}/api/logs/export?${buildQueryString(format)}`, + ); + if (!res.ok) throw new Error(`HTTP ${res.status}`); + const blob = await res.blob(); + const url = URL.createObjectURL(blob); + const a = document.createElement('a'); + a.href = url; + a.download = `xpeditis-logs-${new Date().toISOString().slice(0, 10)}.${format}`; + document.body.appendChild(a); + a.click(); + document.body.removeChild(a); + URL.revokeObjectURL(url); + } catch (err: any) { + setError(err.message); + } finally { + setExportLoading(false); + } + }; + + // Stats + const countByLevel = (level: string) => + logs.filter(l => l.level === level).length; + + const setFilter = (key: keyof Filters, value: string) => + setFilters(prev => ({ ...prev, [key]: value })); + + return ( +
+ {/* Header */} +
+
+

Logs système

+

+ Visualisation et export des logs applicatifs en temps réel +

+
+
+ +
+ +
+ + +
+
+
+
+ + {/* Stats */} +
+ + + + +
+ + {/* Filters */} +
+
+ +

Filtres

+
+
+ {/* Service */} +
+ + +
+ + {/* Level */} +
+ + +
+ + {/* Search */} +
+ + setFilter('search', e.target.value)} + onKeyDown={e => e.key === 'Enter' && fetchLogs()} + className="w-full px-3 py-2 text-sm border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#34CCCD] focus:border-[#34CCCD] focus:outline-none" + /> +
+ + {/* Start */} +
+ + setFilter('startDate', e.target.value)} + className="w-full px-3 py-2 text-sm border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#34CCCD] focus:border-[#34CCCD] focus:outline-none" + /> +
+ + {/* End */} +
+ + setFilter('endDate', e.target.value)} + className="w-full px-3 py-2 text-sm border border-gray-300 rounded-lg focus:ring-2 focus:ring-[#34CCCD] focus:border-[#34CCCD] focus:outline-none" + /> +
+ + {/* Limit + Apply */} +
+ +
+ + +
+
+
+
+ + {/* Error */} + {error && ( +
+ + + Impossible de contacter le log-exporter : {error} +
+ + Vérifiez que le container log-exporter est démarré sur{' '} + {LOG_EXPORTER_URL} + + +
+ )} + + {/* Table */} +
+
+
+ + + {loading ? 'Chargement...' : `${total} entrée${total !== 1 ? 's' : ''}`} + +
+ {!loading && logs.length > 0 && ( + + Cliquer sur une ligne pour les détails + + )} +
+ + {loading ? ( +
+
+
+ ) : logs.length === 0 && !error ? ( +
+ +

Aucun log trouvé pour ces filtres

+
+ ) : ( +
+ + + + + + + + + + + + + {logs.map((log, i) => ( + <> + setExpandedRow(expandedRow === i ? null : i)} + className={`cursor-pointer hover:bg-gray-50 transition-colors ${LEVEL_ROW_BG[log.level] || ''}`} + > + + + + + + + + + {/* Expanded detail row */} + {expandedRow === i && ( + + + + )} + + ))} + +
+ Timestamp + + Service + + Niveau + + Contexte + + Message + + Req / Status +
+ {new Date(log.timestamp).toLocaleString('fr-FR', { + day: '2-digit', + month: '2-digit', + hour: '2-digit', + minute: '2-digit', + second: '2-digit', + })} + + + {log.service} + + + + + {log.context || '—'} + + + {log.error ? ( + {log.error} + ) : ( + log.message + )} + + + {log.req_method && ( + + {log.req_method}{' '} + {log.req_url}{' '} + {log.res_status && ( + + {log.res_status} + + )} + + )} +
+
+
+ Timestamp +

{log.timestamp}

+
+ {log.reqId && ( +
+ Request ID +

{log.reqId}

+
+ )} + {log.response_time_ms && ( +
+ Durée +

+ {log.response_time_ms} ms +

+
+ )} +
+ Message complet + 
+                                {log.error
+                                  ? `[ERROR] ${log.error}\n\n${log.message}`
+                                  : log.message}
+
+
+
+
+
+ )} +
+
+ ); +} diff --git a/apps/frontend/app/dashboard/admin/organizations/page.tsx b/apps/frontend/app/dashboard/admin/organizations/page.tsx index ddcabd7..485af68 100644 --- a/apps/frontend/app/dashboard/admin/organizations/page.tsx +++ b/apps/frontend/app/dashboard/admin/organizations/page.tsx @@ -1,7 +1,7 @@ 'use client'; import { useState, useEffect } from 'react'; -import { getAllOrganizations } from '@/lib/api/admin'; +import { getAllOrganizations, verifySiret, approveSiret, rejectSiret } from '@/lib/api/admin'; import { createOrganization, updateOrganization } from '@/lib/api/organizations'; interface Organization { @@ -10,6 +10,9 @@ interface Organization { type: string; scac?: string; siren?: string; + siret?: string; + siretVerified?: boolean; + statusBadge?: string; eori?: string; contact_phone?: string; contact_email?: string; @@ -32,6 +35,7 @@ export default function AdminOrganizationsPage() { const [selectedOrg, setSelectedOrg] = useState(null); const [showCreateModal, setShowCreateModal] = useState(false); const [showEditModal, setShowEditModal] = useState(false); + const [verifyingId, setVerifyingId] = useState(null); // Form state const [formData, setFormData] = useState<{ @@ -39,6 +43,7 @@ export default function AdminOrganizationsPage() { type: string; scac: string; siren: string; + siret: string; eori: string; contact_phone: string; contact_email: string; @@ -55,6 +60,7 @@ export default function AdminOrganizationsPage() { type: 'FREIGHT_FORWARDER', scac: '', siren: '', + siret: '', eori: '', contact_phone: '', contact_email: '', @@ -130,6 +136,7 @@ export default function AdminOrganizationsPage() { type: 'FREIGHT_FORWARDER', scac: '', siren: '', + siret: '', eori: '', contact_phone: '', contact_email: '', @@ -144,6 +151,51 @@ export default function AdminOrganizationsPage() { }); }; + const handleVerifySiret = async (orgId: string) => { + try { + setVerifyingId(orgId); + const result = await verifySiret(orgId); + if (result.verified) { + alert(`SIRET verifie avec succes !\nEntreprise: ${result.companyName || 'N/A'}\nAdresse: ${result.address || 'N/A'}`); + await fetchOrganizations(); + } else { + alert(result.message || 'SIRET invalide ou introuvable.'); + } + } catch (err: any) { + alert(err.message || 'Erreur lors de la verification du SIRET'); + } finally { + setVerifyingId(null); + } + }; + + const handleApproveSiret = async (orgId: string) => { + if (!confirm('Confirmer l\'approbation manuelle du SIRET/SIREN de cette organisation ?')) return; + try { + setVerifyingId(orgId); + const result = await approveSiret(orgId); + alert(result.message); + await fetchOrganizations(); + } catch (err: any) { + alert(err.message || 'Erreur lors de l\'approbation'); + } finally { + setVerifyingId(null); + } + }; + + const handleRejectSiret = async (orgId: string) => { + if (!confirm('Confirmer le refus du SIRET/SIREN ? L\'organisation ne pourra plus effectuer d\'achats.')) return; + try { + setVerifyingId(orgId); + const result = await rejectSiret(orgId); + alert(result.message); + await fetchOrganizations(); + } catch (err: any) { + alert(err.message || 'Erreur lors du refus'); + } finally { + setVerifyingId(null); + } + }; + const openEditModal = (org: Organization) => { setSelectedOrg(org); setFormData({ @@ -151,6 +203,7 @@ export default function AdminOrganizationsPage() { type: org.type, scac: org.scac || '', siren: org.siren || '', + siret: org.siret || '', eori: org.eori || '', contact_phone: org.contact_phone || '', contact_email: org.contact_email || '', @@ -229,6 +282,25 @@ export default function AdminOrganizationsPage() { SIREN: {org.siren}
)} +
+ SIRET: + {org.siret ? ( + <> + {org.siret} + {org.siretVerified ? ( + + Verifie + + ) : ( + + Non verifie + + )} + + ) : ( + Non renseigne + )} +
{org.contact_email && (
Email: {org.contact_email} @@ -239,13 +311,45 @@ export default function AdminOrganizationsPage() {
-
- +
+
+ + {org.siret && !org.siretVerified && ( + + )} +
+ {(org.siret || org.siren) && ( +
+ {!org.siretVerified ? ( + + ) : ( + + )} +
+ )}
))} @@ -309,6 +413,18 @@ export default function AdminOrganizationsPage() { />
+
+ + setFormData({ ...formData, siret: e.target.value.replace(/\D/g, '') })} + className="mt-1 block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm focus:border-blue-500 focus:ring-blue-500 focus:outline-none" + placeholder="12345678901234" + /> +
+
(null); + const [loading, setLoading] = useState(true); + const [paying, setPaying] = useState(false); + const [declaring, setDeclaring] = useState(false); + const [error, setError] = useState(null); + const [selectedMethod, setSelectedMethod] = useState(null); + const [copied, setCopied] = useState(null); + + useEffect(() => { + async function fetchBooking() { + try { + const data = await getCsvBooking(bookingId); + setBooking(data as any); + if (data.status !== 'PENDING_PAYMENT') { + router.replace('/dashboard/bookings'); + } + } catch (err) { + setError('Impossible de charger les détails du booking'); + } finally { + setLoading(false); + } + } + if (bookingId) fetchBooking(); + }, [bookingId, router]); + + const handlePayByCard = async () => { + setPaying(true); + setError(null); + try { + const result = await payBookingCommission(bookingId); + window.location.href = result.sessionUrl; + } catch (err) { + setError(err instanceof Error ? err.message : 'Erreur lors de la création du paiement'); + setPaying(false); + } + }; + + const handleDeclareTransfer = async () => { + setDeclaring(true); + setError(null); + try { + await declareBankTransfer(bookingId); + router.push('/dashboard/bookings?transfer=declared'); + } catch (err) { + setError(err instanceof Error ? err.message : 'Erreur lors de la déclaration du virement'); + setDeclaring(false); + } + }; + + const copyToClipboard = (value: string, key: string) => { + navigator.clipboard.writeText(value); + setCopied(key); + setTimeout(() => setCopied(null), 2000); + }; + + const formatPrice = (price: number, currency: string) => + new Intl.NumberFormat('fr-FR', { style: 'currency', currency }).format(price); + + if (loading) { + return ( +
+
+ + Chargement... +
+
+ ); + } + + if (error && !booking) { + return ( +
+
+ +

{error}

+ +
+
+ ); + } + + if (!booking) return null; + + const commissionAmount = booking.commissionAmountEur || 0; + const commissionRate = booking.commissionRate || 0; + const reference = booking.bookingNumber || booking.id.slice(0, 8).toUpperCase(); + + return ( +
+
+ {/* Back button */} + + +

Paiement de la commission

+

+ Finalisez votre booking en réglant la commission de service +

+ + {error && ( +
+ +

{error}

+
+ )} + +
+ {/* LEFT — Payment method selector */} +
+

+ Choisir le mode de paiement +

+ + {/* Card option */} + + + {/* Transfer option */} + + + {/* Card action */} + {selectedMethod === 'card' && ( +
+

+ Vous serez redirigé vers Stripe pour finaliser votre paiement en toute sécurité. +

+ +
+ )} + + {/* Transfer action */} + {selectedMethod === 'transfer' && ( +
+

+ Effectuez le virement avec les coordonnées ci-dessous, puis cliquez sur + “J'ai effectué le virement”. +

+ + {/* Bank details */} +
+ {[ + { label: 'Bénéficiaire', value: BANK_DETAILS.beneficiary, key: 'beneficiary' }, + { label: 'IBAN', value: BANK_DETAILS.iban, key: 'iban', mono: true }, + { label: 'BIC / SWIFT', value: BANK_DETAILS.bic, key: 'bic', mono: true }, + { + label: 'Montant', + value: formatPrice(commissionAmount, 'EUR'), + key: 'amount', + bold: true, + }, + { label: 'Référence', value: reference, key: 'ref', mono: true }, + ].map(({ label, value, key, mono, bold }) => ( +
+ {label} +
+ + {value} + + {key !== 'amount' && ( + + )} +
+
+ ))} +
+ +
+ + + Mentionnez impérativement la référence {reference} dans le + libellé du virement. + +
+ + +
+ )} + + {/* Placeholder when no method selected */} + {selectedMethod === null && ( +
+ Sélectionnez un mode de paiement ci-dessus +
+ )} +
+ + {/* RIGHT — Booking summary */} +
+

+ Récapitulatif +

+ +
+ {booking.bookingNumber && ( +
+ Numéro + {booking.bookingNumber} +
+ )} +
+ Transporteur + + {booking.carrierName} + +
+
+ Trajet + + {booking.origin} → {booking.destination} + +
+
+ Volume / Poids + + {booking.volumeCBM} CBM · {booking.weightKG} kg + +
+
+ Transit + {booking.transitDays} jours +
+
+ Prix transport + + {formatPrice(booking.priceEUR, 'EUR')} + +
+
+ + {/* Commission box */} +
+

+ Commission ({commissionRate}% du prix transport) +

+

{formatPrice(commissionAmount, 'EUR')}

+

+ {formatPrice(booking.priceEUR, 'EUR')} × {commissionRate}% +

+
+ +
+ +

+ Après validation du paiement, votre demande est envoyée au transporteur ( + {booking.carrierEmail}). Vous serez notifié de sa réponse. +

+
+
+
+
+
+ ); +} diff --git a/apps/frontend/app/dashboard/booking/[id]/payment-success/page.tsx b/apps/frontend/app/dashboard/booking/[id]/payment-success/page.tsx new file mode 100644 index 0000000..0865510 --- /dev/null +++ b/apps/frontend/app/dashboard/booking/[id]/payment-success/page.tsx @@ -0,0 +1,147 @@ +/** + * Payment Success Page + * + * Displayed after successful Stripe payment. Confirms the payment and activates the booking. + */ + +'use client'; + +import { useState, useEffect, useRef } from 'react'; +import { useRouter, useParams, useSearchParams } from 'next/navigation'; +import { CheckCircle, Loader2, AlertTriangle, Mail, ArrowRight } from 'lucide-react'; +import { confirmBookingPayment } from '@/lib/api/bookings'; + +export default function PaymentSuccessPage() { + const router = useRouter(); + const params = useParams(); + const searchParams = useSearchParams(); + const bookingId = params.id as string; + const sessionId = searchParams.get('session_id'); + + const [status, setStatus] = useState<'confirming' | 'success' | 'error'>('confirming'); + const [error, setError] = useState(null); + const confirmedRef = useRef(false); + + useEffect(() => { + async function confirm() { + if (!sessionId || !bookingId || confirmedRef.current) return; + confirmedRef.current = true; + + try { + await confirmBookingPayment(bookingId, sessionId); + setStatus('success'); + } catch (err) { + console.error('Payment confirmation error:', err); + setError( + err instanceof Error ? err.message : 'Erreur lors de la confirmation du paiement' + ); + setStatus('error'); + } + } + + confirm(); + }, [bookingId, sessionId]); + + if (!sessionId) { + return ( +
+
+ +

Session invalide

+

Aucune session de paiement trouvee.

+ +
+
+ ); + } + + return ( +
+
+ {status === 'confirming' && ( + <> + +

Confirmation du paiement...

+

+ Veuillez patienter pendant que nous verifions votre paiement et activons votre booking. +

+ + )} + + {status === 'success' && ( + <> +
+
+ +
+
+

Paiement confirme !

+

+ Votre commission a ete payee avec succes. Un email a ete envoye au transporteur avec votre demande de booking. +

+ +
+
+ + + Email envoye au transporteur + +
+

+ Vous recevrez une notification des que le transporteur repond (sous 7 jours max) +

+
+ + + + )} + + {status === 'error' && ( + <> + +

Erreur de confirmation

+

{error}

+

+ Si votre paiement a ete debite, contactez le support. Votre booking sera active manuellement. +

+
+ + +
+ + )} +
+
+ ); +} diff --git a/apps/frontend/app/dashboard/booking/new/page.tsx b/apps/frontend/app/dashboard/booking/new/page.tsx index ebff420..8254afb 100644 --- a/apps/frontend/app/dashboard/booking/new/page.tsx +++ b/apps/frontend/app/dashboard/booking/new/page.tsx @@ -177,8 +177,8 @@ function NewBookingPageContent() { // Send to API using client function const result = await createCsvBooking(formDataToSend); - // Redirect to success page - router.push(`/dashboard/bookings?success=true&id=${result.id}`); + // Redirect to commission payment page + router.push(`/dashboard/booking/${result.id}/pay`); } catch (err) { console.error('Booking creation error:', err); setError(err instanceof Error ? err.message : 'Une erreur est survenue'); diff --git a/apps/frontend/app/dashboard/bookings/page.tsx b/apps/frontend/app/dashboard/bookings/page.tsx index 89d04bf..2f31216 100644 --- a/apps/frontend/app/dashboard/bookings/page.tsx +++ b/apps/frontend/app/dashboard/bookings/page.tsx @@ -6,22 +6,31 @@ 'use client'; -import { useState } from 'react'; +import { useState, useEffect } from 'react'; import { useQuery } from '@tanstack/react-query'; import { listBookings, listCsvBookings } from '@/lib/api'; import Link from 'next/link'; -import { Plus } from 'lucide-react'; +import { Plus, Clock } from 'lucide-react'; import ExportButton from '@/components/ExportButton'; +import { useSearchParams } from 'next/navigation'; type SearchType = 'pallets' | 'weight' | 'route' | 'status' | 'date' | 'quote'; export default function BookingsListPage() { + const searchParams = useSearchParams(); const [searchTerm, setSearchTerm] = useState(''); const [searchType, setSearchType] = useState('route'); const [statusFilter, setStatusFilter] = useState(''); const [page, setPage] = useState(1); + const [showTransferBanner, setShowTransferBanner] = useState(false); const ITEMS_PER_PAGE = 20; + useEffect(() => { + if (searchParams.get('transfer') === 'declared') { + setShowTransferBanner(true); + } + }, [searchParams]); + // Fetch CSV bookings (fetch all for client-side filtering and pagination) const { data: csvData, isLoading, error: csvError } = useQuery({ queryKey: ['csv-bookings'], @@ -142,6 +151,21 @@ export default function BookingsListPage() { return (
+ {/* Bank transfer declared banner */} + {showTransferBanner && ( +
+
+ +
+

Virement déclaré

+

+ Votre virement a été enregistré. Un administrateur va vérifier la réception et activer votre booking. Vous serez notifié dès la validation. +

+
+
+ +
+ )} {/* Header */}
diff --git a/apps/frontend/app/dashboard/docs/page.tsx b/apps/frontend/app/dashboard/docs/page.tsx new file mode 100644 index 0000000..467006d --- /dev/null +++ b/apps/frontend/app/dashboard/docs/page.tsx @@ -0,0 +1,7 @@ +'use client'; + +import { DocsPageContent } from '@/components/docs/DocsPageContent'; + +export default function DocsPage() { + return ; +} diff --git a/apps/frontend/app/dashboard/layout.tsx b/apps/frontend/app/dashboard/layout.tsx index b57a3c3..1510854 100644 --- a/apps/frontend/app/dashboard/layout.tsx +++ b/apps/frontend/app/dashboard/layout.tsx @@ -8,8 +8,8 @@ import { useAuth } from '@/lib/context/auth-context'; import Link from 'next/link'; -import { usePathname } from 'next/navigation'; -import { useState } from 'react'; +import { usePathname, useRouter } from 'next/navigation'; +import { useState, useEffect } from 'react'; import NotificationDropdown from '@/components/NotificationDropdown'; import AdminPanelDropdown from '@/components/admin/AdminPanelDropdown'; import Image from 'next/image'; @@ -22,23 +22,49 @@ import { Building2, Users, LogOut, + Lock, + Key, } from 'lucide-react'; +import { useSubscription } from '@/lib/context/subscription-context'; +import StatusBadge from '@/components/ui/StatusBadge'; +import type { PlanFeature } from '@/lib/api/subscriptions'; export default function DashboardLayout({ children }: { children: React.ReactNode }) { - const { user, logout } = useAuth(); + const { user, logout, loading, isAuthenticated } = useAuth(); + const { hasFeature, subscription } = useSubscription(); const pathname = usePathname(); + const router = useRouter(); const [sidebarOpen, setSidebarOpen] = useState(false); - const navigation = [ - { name: 'Tableau de bord', href: '/dashboard', icon: BarChart3 }, + useEffect(() => { + if (!loading && !isAuthenticated) { + router.replace(`/login?redirect=${encodeURIComponent(pathname)}`); + } + }, [loading, isAuthenticated, router, pathname]); + + if (loading) { + return ( +
+
+
+ ); + } + + if (!isAuthenticated) { + return null; + } + + const navigation: Array<{ name: string; href: string; icon: any; requiredFeature?: PlanFeature }> = [ + { name: 'Tableau de bord', href: '/dashboard', icon: BarChart3, requiredFeature: 'dashboard' }, { name: 'Réservations', href: '/dashboard/bookings', icon: Package }, { name: 'Documents', href: '/dashboard/documents', icon: FileText }, - { name: 'Suivi', href: '/dashboard/track-trace', icon: Search }, - { name: 'Wiki Maritime', href: '/dashboard/wiki', icon: BookOpen }, + { name: 'Suivi', href: '/dashboard/track-trace', icon: Search, requiredFeature: 'dashboard' }, + { name: 'Wiki Maritime', href: '/dashboard/wiki', icon: BookOpen, requiredFeature: 'wiki' }, { name: 'Organisation', href: '/dashboard/settings/organization', icon: Building2 }, + { name: 'Clés API', href: '/dashboard/settings/api-keys', icon: Key, requiredFeature: 'api_access' as PlanFeature }, // ADMIN and MANAGER only navigation items ...(user?.role === 'ADMIN' || user?.role === 'MANAGER' ? [ - { name: 'Utilisateurs', href: '/dashboard/settings/users', icon: Users }, + { name: 'Utilisateurs', href: '/dashboard/settings/users', icon: Users, requiredFeature: 'user_management' as PlanFeature }, ] : []), ]; @@ -95,20 +121,26 @@ export default function DashboardLayout({ children }: { children: React.ReactNod {/* Navigation */}
-

- {user?.firstName} {user?.lastName} -

+
+

+ {user?.firstName} {user?.lastName} +

+ {subscription?.planDetails?.statusBadge && subscription.planDetails.statusBadge !== 'none' && ( + + )} +

{user?.email}

diff --git a/apps/frontend/app/dashboard/page.tsx b/apps/frontend/app/dashboard/page.tsx index 9804c26..29deaad 100644 --- a/apps/frontend/app/dashboard/page.tsx +++ b/apps/frontend/app/dashboard/page.tsx @@ -5,12 +5,14 @@ 'use client'; +import { useEffect } from 'react'; import { useQuery } from '@tanstack/react-query'; import { dashboardApi } from '@/lib/api'; import Link from 'next/link'; import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/components/ui/card'; import { Button } from '@/components/ui/button'; import { Badge } from '@/components/ui/badge'; +import { useRouter } from 'next/navigation'; import { Package, PackageCheck, @@ -21,6 +23,7 @@ import { Plus, ArrowRight, } from 'lucide-react'; +import { useSubscription } from '@/lib/context/subscription-context'; import ExportButton from '@/components/ExportButton'; import { PieChart, @@ -39,6 +42,16 @@ import { } from 'recharts'; export default function DashboardPage() { + const router = useRouter(); + const { hasFeature, loading: subLoading } = useSubscription(); + + // Redirect Bronze users (no dashboard feature) to bookings + useEffect(() => { + if (!subLoading && !hasFeature('dashboard')) { + router.replace('/dashboard/bookings'); + } + }, [subLoading, hasFeature, router]); + // Fetch CSV booking KPIs const { data: csvKpis, isLoading: csvKpisLoading } = useQuery({ queryKey: ['dashboard', 'csv-booking-kpis'], diff --git a/apps/frontend/app/dashboard/settings/api-keys/page.tsx b/apps/frontend/app/dashboard/settings/api-keys/page.tsx new file mode 100644 index 0000000..bfa95ca --- /dev/null +++ b/apps/frontend/app/dashboard/settings/api-keys/page.tsx @@ -0,0 +1,489 @@ +'use client'; + +import { useState } from 'react'; +import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'; +import { listApiKeys, createApiKey, revokeApiKey } from '@/lib/api/api-keys'; +import type { ApiKeyDto, CreateApiKeyResultDto } from '@/lib/api/api-keys'; +import { useSubscription } from '@/lib/context/subscription-context'; +import { + Key, + Plus, + Trash2, + Copy, + Check, + AlertTriangle, + Clock, + X, + ShieldCheck, + Lock, +} from 'lucide-react'; + +// ─── Helpers ──────────────────────────────────────────────────────────────── + +function formatDate(iso: string | null): string { + if (!iso) return '—'; + return new Intl.DateTimeFormat('fr-FR', { dateStyle: 'medium' }).format(new Date(iso)); +} + +function keyStatusBadge(key: ApiKeyDto) { + if (!key.isActive) { + return ( + + Révoquée + + ); + } + if (key.expiresAt && new Date(key.expiresAt) < new Date()) { + return ( + + + Expirée + + ); + } + return ( + + Active + + ); +} + +// ─── Copy button ───────────────────────────────────────────────────────────── + +function CopyButton({ text }: { text: string }) { + const [copied, setCopied] = useState(false); + const handleCopy = async () => { + await navigator.clipboard.writeText(text); + setCopied(true); + setTimeout(() => setCopied(false), 2000); + }; + return ( + + ); +} + +// ─── Creation success modal ────────────────────────────────────────────────── + +function CreatedKeyModal({ + result, + onClose, +}: { + result: CreateApiKeyResultDto; + onClose: () => void; +}) { + return ( +
+
+ {/* Header */} +
+
+
+ +
+
+

Clé API créée

+

{result.name}

+
+
+ +
+ + {/* Warning */} +
+ +

+ Copiez cette clé maintenant. Elle ne sera plus jamais affichée après + la fermeture de cette fenêtre. +

+
+ + {/* Key */} +
+ +
+ + {result.fullKey} + + +
+

+ Stockez-la dans vos variables d'environnement ou un gestionnaire de secrets. +

+
+ + {/* Footer */} +
+ +
+
+
+ ); +} + +// ─── Create key form modal ─────────────────────────────────────────────────── + +function CreateKeyModal({ + onSuccess, + onClose, +}: { + onSuccess: (result: CreateApiKeyResultDto) => void; + onClose: () => void; +}) { + const [name, setName] = useState(''); + const [expiresAt, setExpiresAt] = useState(''); + const queryClient = useQueryClient(); + + const mutation = useMutation({ + mutationFn: createApiKey, + onSuccess: result => { + queryClient.invalidateQueries({ queryKey: ['api-keys'] }); + onSuccess(result); + }, + }); + + const handleSubmit = (e: React.FormEvent) => { + e.preventDefault(); + mutation.mutate({ + name: name.trim(), + ...(expiresAt ? { expiresAt: new Date(expiresAt).toISOString() } : {}), + }); + }; + + return ( +
+
+ {/* Header */} +
+
+
+ +
+

Nouvelle clé API

+
+ +
+ +
+ {/* Name */} +
+ + setName(e.target.value)} + placeholder="ex: Intégration ERP Production" + maxLength={100} + required + className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm focus:outline-none focus:ring-2 focus:ring-[#34CCCD] focus:border-transparent" + /> +

{name.length}/100 caractères

+
+ + {/* Expiry */} +
+ + setExpiresAt(e.target.value)} + min={new Date().toISOString().split('T')[0]} + className="w-full px-3.5 py-2.5 border border-gray-200 rounded-xl text-sm focus:outline-none focus:ring-2 focus:ring-[#34CCCD] focus:border-transparent" + /> +

+ Si vide, la clé n'expire jamais. +

+
+ + {/* Error */} + {mutation.isError && ( +
+ + Une erreur est survenue. Veuillez réessayer. +
+ )} + + {/* Actions */} +
+ + +
+
+
+
+ ); +} + +// ─── Revoke confirm modal ──────────────────────────────────────────────────── + +function RevokeConfirmModal({ + apiKey, + onConfirm, + onClose, +}: { + apiKey: ApiKeyDto; + onConfirm: () => void; + onClose: () => void; +}) { + return ( +
+
+
+
+ +
+

+ Révoquer cette clé ? +

+

+ {apiKey.name} +

+

+ Cette action est immédiate et irréversible. Toute requête utilisant + cette clé sera refusée. +

+
+
+ + +
+
+
+ ); +} + +// ─── Main page ──────────────────────────────────────────────────────────────── + +export default function ApiKeysPage() { + const { hasFeature } = useSubscription(); + const queryClient = useQueryClient(); + const hasApiAccess = hasFeature('api_access'); + + const [showCreateModal, setShowCreateModal] = useState(false); + const [createdKey, setCreatedKey] = useState(null); + const [revokeTarget, setRevokeTarget] = useState(null); + + const { data: apiKeys, isLoading } = useQuery({ + queryKey: ['api-keys'], + queryFn: listApiKeys, + enabled: hasApiAccess, + }); + + const revokeMutation = useMutation({ + mutationFn: revokeApiKey, + onSuccess: () => { + queryClient.invalidateQueries({ queryKey: ['api-keys'] }); + setRevokeTarget(null); + }, + }); + + // Plan upsell screen + if (!hasApiAccess) { + return ( +
+
+ +
+

Accès API

+

+ L'accès programmatique à l'API Xpeditis est disponible sur les plans{' '} + Gold et Platinium uniquement. +

+ + Voir les plans + +
+ ); + } + + const activeKeys = apiKeys?.filter(k => k.isActive) ?? []; + + return ( + <> + {/* Modals */} + {showCreateModal && ( + { + setShowCreateModal(false); + setCreatedKey(result); + }} + onClose={() => setShowCreateModal(false)} + /> + )} + {createdKey && ( + setCreatedKey(null)} /> + )} + {revokeTarget && ( + revokeMutation.mutate(revokeTarget.id)} + onClose={() => setRevokeTarget(null)} + /> + )} + + {/* Page header */} +
+
+

Clés API

+

+ Gérez les clés d'accès programmatique à l'API Xpeditis. +

+
+ +
+ + {/* Info banner */} +
+ +
+

Comment utiliser vos clés API

+

+ Ajoutez l'en-tête{' '} + + X-API-Key: xped_live_... + {' '} + à chaque requête HTTP.{' '} + + Voir la documentation + +

+
+
+ + {/* Keys list */} +
+ {isLoading ? ( +
+
+
+ ) : !apiKeys || apiKeys.length === 0 ? ( +
+ +

Aucune clé API pour le moment.

+ +
+ ) : ( +
+ {/* Table header */} +
+ Nom / Préfixe + Dernière utilisation + Expiration + Statut + +
+ + {apiKeys.map(key => ( +
+ {/* Name + prefix */} +
+

{key.name}

+ {key.keyPrefix}… +
+ + {/* Last used */} + {formatDate(key.lastUsedAt)} + + {/* Expiry */} + {formatDate(key.expiresAt)} + + {/* Status */} +
{keyStatusBadge(key)}
+ + {/* Actions */} + +
+ ))} +
+ )} +
+ + {/* Quota */} + {apiKeys && apiKeys.length > 0 && ( +

+ {activeKeys.length} / 20 clés actives utilisées +

+ )} + + ); +} diff --git a/apps/frontend/app/dashboard/settings/users/page.tsx b/apps/frontend/app/dashboard/settings/users/page.tsx index cb742d4..2b10987 100644 --- a/apps/frontend/app/dashboard/settings/users/page.tsx +++ b/apps/frontend/app/dashboard/settings/users/page.tsx @@ -10,11 +10,63 @@ import { useState, useEffect } from 'react'; import { useRouter } from 'next/navigation'; import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'; import { listUsers, updateUser, deleteUser, canInviteUser } from '@/lib/api'; -import { createInvitation } from '@/lib/api/invitations'; +import { createInvitation, listInvitations, cancelInvitation } from '@/lib/api/invitations'; import { useAuth } from '@/lib/context/auth-context'; import Link from 'next/link'; import ExportButton from '@/components/ExportButton'; +const PAGE_SIZE = 5; + +function Pagination({ + page, + total, + onPage, +}: { + page: number; + total: number; + onPage: (p: number) => void; +}) { + const totalPages = Math.ceil(total / PAGE_SIZE); + if (totalPages <= 1) return null; + + return ( +
+

+ {Math.min((page - 1) * PAGE_SIZE + 1, total)}–{Math.min(page * PAGE_SIZE, total)} sur {total} +

+
+ + {Array.from({ length: totalPages }, (_, i) => i + 1).map(p => ( + + ))} + +
+
+ ); +} + export default function UsersManagementPage() { const router = useRouter(); const queryClient = useQueryClient(); @@ -22,6 +74,8 @@ export default function UsersManagementPage() { const [showInviteModal, setShowInviteModal] = useState(false); const [openMenuId, setOpenMenuId] = useState(null); const [menuPosition, setMenuPosition] = useState<{ top: number; left: number } | null>(null); + const [usersPage, setUsersPage] = useState(1); + const [invitationsPage, setInvitationsPage] = useState(1); const [inviteForm, setInviteForm] = useState({ email: '', firstName: '', @@ -36,44 +90,37 @@ export default function UsersManagementPage() { queryFn: () => listUsers(), }); - // Check license availability const { data: licenseStatus } = useQuery({ queryKey: ['canInvite'], queryFn: () => canInviteUser(), }); + const { data: pendingInvitations } = useQuery({ + queryKey: ['invitations'], + queryFn: () => listInvitations(), + }); + const inviteMutation = useMutation({ - mutationFn: (data: typeof inviteForm) => { - return createInvitation({ - email: data.email, - firstName: data.firstName, - lastName: data.lastName, - role: data.role, - }); - }, + mutationFn: (data: typeof inviteForm) => createInvitation(data), onSuccess: () => { queryClient.invalidateQueries({ queryKey: ['users'] }); queryClient.invalidateQueries({ queryKey: ['canInvite'] }); - setSuccess('Invitation envoyée avec succès ! L\'utilisateur recevra un email avec un lien d\'inscription.'); + queryClient.invalidateQueries({ queryKey: ['invitations'] }); + setSuccess("Invitation envoyée avec succès ! L'utilisateur recevra un email avec un lien d'inscription."); setShowInviteModal(false); - setInviteForm({ - email: '', - firstName: '', - lastName: '', - role: 'USER', - }); + setInviteForm({ email: '', firstName: '', lastName: '', role: 'USER' }); + setInvitationsPage(1); setTimeout(() => setSuccess(''), 5000); }, onError: (err: any) => { - setError(err.response?.data?.message || 'Échec de l\'envoi de l\'invitation'); + setError(err.response?.data?.message || "Échec de l'envoi de l'invitation"); setTimeout(() => setError(''), 5000); }, }); const changeRoleMutation = useMutation({ - mutationFn: ({ id, role }: { id: string; role: 'ADMIN' | 'MANAGER' | 'USER' | 'VIEWER' }) => { - return updateUser(id, { role }); - }, + mutationFn: ({ id, role }: { id: string; role: 'ADMIN' | 'MANAGER' | 'USER' | 'VIEWER' }) => + updateUser(id, { role }), onSuccess: () => { queryClient.invalidateQueries({ queryKey: ['users'] }); setSuccess('Rôle mis à jour avec succès'); @@ -86,13 +133,12 @@ export default function UsersManagementPage() { }); const toggleActiveMutation = useMutation({ - mutationFn: ({ id, isActive }: { id: string; isActive: boolean }) => { - return updateUser(id, { isActive: !isActive }); - }, + mutationFn: ({ id, isActive }: { id: string; isActive: boolean }) => + updateUser(id, { isActive: !isActive }), onSuccess: () => { queryClient.invalidateQueries({ queryKey: ['users'] }); queryClient.invalidateQueries({ queryKey: ['canInvite'] }); - setSuccess('Statut de l\'utilisateur mis à jour avec succès'); + setSuccess("Statut de l'utilisateur mis à jour avec succès"); setTimeout(() => setSuccess(''), 3000); }, onError: (err: any) => { @@ -110,19 +156,31 @@ export default function UsersManagementPage() { setTimeout(() => setSuccess(''), 3000); }, onError: (err: any) => { - setError(err.response?.data?.message || 'Échec de la suppression de l\'utilisateur'); + setError(err.response?.data?.message || "Échec de la suppression de l'utilisateur"); + setTimeout(() => setError(''), 5000); + }, + }); + + const cancelInvitationMutation = useMutation({ + mutationFn: (id: string) => cancelInvitation(id), + onSuccess: () => { + queryClient.invalidateQueries({ queryKey: ['invitations'] }); + queryClient.invalidateQueries({ queryKey: ['canInvite'] }); + setSuccess('Invitation annulée avec succès'); + setTimeout(() => setSuccess(''), 3000); + }, + onError: (err: any) => { + setError(err.response?.data?.message || "Échec de l'annulation de l'invitation"); setTimeout(() => setError(''), 5000); }, }); - // Restrict access to ADMIN and MANAGER only useEffect(() => { if (currentUser && currentUser.role !== 'ADMIN' && currentUser.role !== 'MANAGER') { router.push('/dashboard'); } }, [currentUser, router]); - // Don't render until we've checked permissions if (!currentUser || (currentUser.role !== 'ADMIN' && currentUser.role !== 'MANAGER')) { return (
@@ -134,7 +192,6 @@ export default function UsersManagementPage() { const handleInvite = (e: React.FormEvent) => { e.preventDefault(); setError(''); - inviteMutation.mutate(inviteForm); }; @@ -143,21 +200,23 @@ export default function UsersManagementPage() { }; const handleToggleActive = (userId: string, isActive: boolean) => { - if ( - window.confirm(`Êtes-vous sûr de vouloir ${isActive ? 'désactiver' : 'activer'} cet utilisateur ?`) - ) { + if (window.confirm(`Êtes-vous sûr de vouloir ${isActive ? 'désactiver' : 'activer'} cet utilisateur ?`)) { toggleActiveMutation.mutate({ id: userId, isActive }); } }; const handleDelete = (userId: string) => { - if ( - window.confirm('Êtes-vous sûr de vouloir supprimer cet utilisateur ? Cette action est irréversible.') - ) { + if (window.confirm('Êtes-vous sûr de vouloir supprimer cet utilisateur ? Cette action est irréversible.')) { deleteMutation.mutate(userId); } }; + const handleCancelInvitation = (invId: string, name: string) => { + if (window.confirm(`Annuler l'invitation envoyée à ${name} ?`)) { + cancelInvitationMutation.mutate(invId); + } + }; + const getRoleBadgeColor = (role: string) => { const colors: Record = { ADMIN: 'bg-red-100 text-red-800', @@ -168,6 +227,12 @@ export default function UsersManagementPage() { return colors[role] || 'bg-gray-100 text-gray-800'; }; + const allUsers = users?.users || []; + const pagedUsers = allUsers.slice((usersPage - 1) * PAGE_SIZE, usersPage * PAGE_SIZE); + + const allPending = (pendingInvitations || []).filter(inv => !inv.isUsed); + const pagedInvitations = allPending.slice((invitationsPage - 1) * PAGE_SIZE, invitationsPage * PAGE_SIZE); + return (
{/* License Warning */} @@ -186,10 +251,7 @@ export default function UsersManagementPage() { Mettez à niveau votre abonnement pour inviter plus d'utilisateurs.

- + Mettre à niveau l'abonnement
@@ -210,10 +272,7 @@ export default function UsersManagementPage() { {licenseStatus.availableLicenses} licence{licenseStatus.availableLicenses !== 1 ? 's' : ''} restante{licenseStatus.availableLicenses !== 1 ? 's' : ''} ({licenseStatus.usedLicenses}/{licenseStatus.maxLicenses} utilisées)
- + Gérer l'abonnement
@@ -228,21 +287,13 @@ export default function UsersManagementPage() {
{ - const labels: Record = { - ADMIN: 'Administrateur', - MANAGER: 'Manager', - USER: 'Utilisateur', - VIEWER: 'Lecteur', - }; - return labels[v] || v; - }}, + { key: 'role', label: 'Rôle', format: (v) => ({ ADMIN: 'Administrateur', MANAGER: 'Manager', USER: 'Utilisateur', VIEWER: 'Lecteur' }[v] || v) }, { key: 'isActive', label: 'Statut', format: (v) => v ? 'Actif' : 'Inactif' }, { key: 'createdAt', label: 'Date de création', format: (v) => v ? new Date(v).toLocaleDateString('fr-FR') : '' }, ]} @@ -281,152 +332,116 @@ export default function UsersManagementPage() { {/* Users Table */}
+
+

Utilisateurs

+ {allUsers.length > 0 && ( +

{allUsers.length} membre{allUsers.length !== 1 ? 's' : ''}

+ )} +
{isLoading ? (
Chargement des utilisateurs...
- ) : users?.users && users.users.length > 0 ? ( -
- - - - - - - - - - - - - {users.users.map(user => ( - - - - - - - + ) : pagedUsers.length > 0 ? ( + <> +
+
- Utilisateur - - Email - - Rôle - - Statut - - Date de création - - Actions -
-
-
- {user.firstName[0]} - {user.lastName[0]} -
-
-
- {user.firstName} {user.lastName} -
-
- {user.email} -
-
-
- 		-
{user.email}
- 		- - - - {user.isActive ? 'Actif' : 'Inactif'} - - - {new Date(user.createdAt).toLocaleDateString()} - - -
+ + + + + + + + - ))} - -
UtilisateurEmailRôleStatutDate de créationActions
-
+ + + {pagedUsers.map(user => ( + + +
+
+ {user.firstName[0]}{user.lastName[0]} +
+
+
{user.firstName} {user.lastName}
+
{user.email}
+
+
+ + +
{user.email}
+ + + + + + + {user.isActive ? 'Actif' : 'Inactif'} + + + + {new Date(user.createdAt).toLocaleDateString('fr-FR')} + + + + + + ))} + + +
+ { setUsersPage(p); setOpenMenuId(null); }} /> + ) : (
- - + +

Aucun utilisateur

Commencez par inviter un membre de l'équipe

{licenseStatus?.canInvite ? ( - ) : ( - + + - Upgrade to Invite + Mettre à niveau )}
@@ -434,30 +449,94 @@ export default function UsersManagementPage() { )}
+ {/* Pending Invitations */} + {allPending.length > 0 && ( +
+
+

Invitations en attente

+

+ Utilisateurs invités mais n'ayant pas encore créé leur compte — {allPending.length} invitation{allPending.length !== 1 ? 's' : ''} +

+
+
+ + + + + + + + + + + + + {pagedInvitations.map(inv => { + const isExpired = new Date(inv.expiresAt) < new Date(); + return ( + + + + + + + + + ); + })} + +
UtilisateurEmailRôleExpire leStatutActions
+
+
+ {inv.firstName[0]}{inv.lastName[0]} +
+
+
{inv.firstName} {inv.lastName}
+
+
+ 		{inv.email} + + {inv.role} + + + {new Date(inv.expiresAt).toLocaleDateString('fr-FR')} + + + {isExpired ? 'Expirée' : 'En attente'} + + + +
+
+ +
+ )} + {/* Actions Menu Modal */} {openMenuId && menuPosition && ( <>
{ - setOpenMenuId(null); - setMenuPosition(null); - }} + onClick={() => { setOpenMenuId(null); setMenuPosition(null); }} />
-
- +
-
-
- {currentUser?.role !== 'ADMIN' && ( -

- Seuls les administrateurs peuvent attribuer le rôle ADMIN -

- )}
-
diff --git a/apps/frontend/app/docs/api/page.tsx b/apps/frontend/app/docs/api/page.tsx new file mode 100644 index 0000000..9223dc1 --- /dev/null +++ b/apps/frontend/app/docs/api/page.tsx @@ -0,0 +1,7 @@ +'use client'; + +import { DocsPageContent } from '@/components/docs/DocsPageContent'; + +export default function PublicDocsPage() { + return ; +} diff --git a/apps/frontend/app/docs/layout.tsx b/apps/frontend/app/docs/layout.tsx new file mode 100644 index 0000000..8c61ae4 --- /dev/null +++ b/apps/frontend/app/docs/layout.tsx @@ -0,0 +1,16 @@ +import { LandingHeader } from '@/components/layout/LandingHeader'; +import { LandingFooter } from '@/components/layout/LandingFooter'; + +export const metadata = { + title: 'Documentation API — Xpeditis', + description: 'Documentation de l\'API Xpeditis pour intégrer le fret maritime dans vos applications.', +}; + +export default function DocsLayout({ children }: { children: React.ReactNode }) { + return ( + <> + +
{children}
+ + ); +} diff --git a/apps/frontend/app/forgot-password/page.tsx b/apps/frontend/app/forgot-password/page.tsx index 479e187..0830aac 100644 --- a/apps/frontend/app/forgot-password/page.tsx +++ b/apps/frontend/app/forgot-password/page.tsx @@ -1,13 +1,9 @@ -/** - * Forgot Password Page - * - * Request password reset - */ - 'use client'; import { useState } from 'react'; import Link from 'next/link'; +import Image from 'next/image'; +import { forgotPassword } from '@/lib/api/auth'; export default function ForgotPasswordPage() { const [email, setEmail] = useState(''); @@ -21,97 +17,173 @@ export default function ForgotPasswordPage() { setLoading(true); try { - // TODO: Implement forgotPassword API endpoint - await new Promise(resolve => setTimeout(resolve, 1000)); + await forgotPassword(email); setSuccess(true); } catch (err: any) { - setError(err.response?.data?.message || 'Failed to send reset email. Please try again.'); + setError(err.message || 'Une erreur est survenue. Veuillez réessayer.'); } finally { setLoading(false); } }; - if (success) { - return ( -
-
-
-

Xpeditis

-

- Check your email -

-
- -
-
- We've sent a password reset link to {email}. Please check your inbox - and follow the instructions. -
-
- -
- - Back to sign in + return ( +
+ {/* Left Side - Form */} +
+
+ {/* Logo */} +
+ + Xpeditis
+ + {success ? ( + <> +
+
+ + + +
+

Email envoyé

+

+ Si un compte est associé à {email}, vous recevrez un email avec + les instructions pour réinitialiser votre mot de passe. +

+

+ Pensez à vérifier vos spams si vous ne recevez rien d'ici quelques minutes. +

+
+ + Retour à la connexion + + + ) : ( + <> + {/* Header */} +
+

Mot de passe oublié ?

+

+ Entrez votre adresse email et nous vous enverrons un lien pour réinitialiser votre mot de passe. +

+
+ + {/* Error Message */} + {error && ( +
+ + + +

{error}

+
+ )} + + {/* Form */} + +
+ + setEmail(e.target.value)} + className="input w-full" + placeholder="votre.email@entreprise.com" + autoComplete="email" + disabled={loading} + /> +
+ + + + +
+ + + + + Retour à la connexion + +
+ + )} + + {/* Footer Links */} +
+
+ + Contactez-nous + + + Confidentialité + + + Conditions + +
+
- ); - } - return ( -
-
-
-

Xpeditis

-

- Reset your password -

-

- Enter your email address and we'll send you a link to reset your password. -

-
- -
- {error && ( -
-
{error}
+ {/* Right Side - Brand */} +
+
+
+
+

Sécurité avant tout

+

+ La protection de votre compte est notre priorité. Réinitialisez votre mot de passe en toute sécurité. +

+
+
+
+ + + +
+
+

Lien sécurisé

+

Le lien expire après 1 heure pour votre sécurité

+
+
+
+
+ + + +
+
+

Email de confirmation

+

Vérifiez votre boîte de réception et vos spams

+
+
- )} - -
- - setEmail(e.target.value)} - className="appearance-none rounded-md relative block w-full px-3 py-2 border border-gray-300 placeholder-gray-500 text-gray-900 focus:outline-none focus:ring-blue-500 focus:border-blue-500 focus:z-10 sm:text-sm" - placeholder="Email address" - />
- -
- -
- -
- - Back to sign in - -
- +
+
+ + + + + +
); diff --git a/apps/frontend/app/login/page.tsx b/apps/frontend/app/login/page.tsx index 17ed57d..11dc16d 100644 --- a/apps/frontend/app/login/page.tsx +++ b/apps/frontend/app/login/page.tsx @@ -8,9 +8,10 @@ 'use client'; -import { useState } from 'react'; +import { useState, Suspense } from 'react'; import Link from 'next/link'; import Image from 'next/image'; +import { useSearchParams } from 'next/navigation'; import { useAuth } from '@/lib/context/auth-context'; interface FieldErrors { @@ -73,8 +74,10 @@ function getErrorMessage(error: any): { message: string; field?: 'email' | 'pass }; } -export default function LoginPage() { +function LoginPageContent() { const { login } = useAuth(); + const searchParams = useSearchParams(); + const redirectTo = searchParams.get('redirect') || '/dashboard'; const [email, setEmail] = useState(''); const [password, setPassword] = useState(''); const [rememberMe, setRememberMe] = useState(false); @@ -126,7 +129,7 @@ export default function LoginPage() { setIsLoading(true); try { - await login(email, password); + await login(email, password, redirectTo, rememberMe); // Navigation is handled by the login function in auth context } catch (err: any) { const { message, field } = getErrorMessage(err); @@ -305,9 +308,6 @@ export default function LoginPage() { {/* Footer Links */}
- - Centre d'aide - Contactez-nous @@ -462,3 +462,11 @@ export default function LoginPage() {
); } + +export default function LoginPage() { + return ( + + + + ); +} diff --git a/apps/frontend/app/page.tsx b/apps/frontend/app/page.tsx index 7af29bf..f2b319f 100644 --- a/apps/frontend/app/page.tsx +++ b/apps/frontend/app/page.tsx @@ -1,6 +1,6 @@ 'use client'; -import { useRef } from 'react'; +import { useRef, useState, useEffect } from 'react'; import Link from 'next/link'; import Image from 'next/image'; import { motion, useInView, useScroll, useTransform } from 'framer-motion'; @@ -27,24 +27,65 @@ import { import { useAuth } from '@/lib/context/auth-context'; import { LandingHeader, LandingFooter } from '@/components/layout'; +function AnimatedCounter({ + end, + suffix = '', + prefix = '', + decimals = 0, + isActive, + duration = 2, +}: { + end: number; + suffix?: string; + prefix?: string; + decimals?: number; + isActive: boolean; + duration?: number; +}) { + const [count, setCount] = useState(0); + + useEffect(() => { + if (!isActive) return; + let startTime: number | undefined; + + const animate = (timestamp: number) => { + if (!startTime) startTime = timestamp; + const progress = Math.min((timestamp - startTime) / (duration * 1000), 1); + const eased = 1 - Math.pow(1 - progress, 3); + setCount(eased * end); + if (progress < 1) requestAnimationFrame(animate); + else setCount(end); + }; + + requestAnimationFrame(animate); + }, [end, duration, isActive]); + + const display = decimals > 0 ? count.toFixed(decimals) : Math.floor(count).toString(); + return <>{prefix}{display}{suffix}; +} + export default function LandingPage() { const { user, isAuthenticated } = useAuth(); const heroRef = useRef(null); const featuresRef = useRef(null); const statsRef = useRef(null); - const toolsRef = useRef(null); + const pricingRef = useRef(null); const testimonialsRef = useRef(null); const ctaRef = useRef(null); + const howRef = useRef(null); const isHeroInView = useInView(heroRef, { once: true }); const isFeaturesInView = useInView(featuresRef, { once: true }); - const isStatsInView = useInView(statsRef, { once: true }); - const isToolsInView = useInView(toolsRef, { once: true }); + const isStatsInView = useInView(statsRef, { once: true, amount: 0.3 }); + const isPricingInView = useInView(pricingRef, { once: true }); const isTestimonialsInView = useInView(testimonialsRef, { once: true }); const isCtaInView = useInView(ctaRef, { once: true }); + const isHowInView = useInView(howRef, { once: true, amount: 0.2 }); + + const [billingYearly, setBillingYearly] = useState(false); const { scrollYProgress } = useScroll(); const backgroundY = useTransform(scrollYProgress, [0, 1], ['0%', '50%']); @@ -98,106 +139,130 @@ export default function LandingPage() { }, ]; - const tools = [ - { - icon: LayoutDashboard, - title: 'Tableau de bord', - description: 'Vue d\'ensemble de votre activité maritime', - link: '/dashboard', - }, - { - icon: Package, - title: 'Mes Réservations', - description: 'Gérez toutes vos réservations en un seul endroit', - link: '/dashboard/bookings', - }, - { - icon: FileText, - title: 'Documents', - description: 'Accédez à tous vos documents maritimes', - link: '/dashboard/documents', - }, - { - icon: Search, - title: 'Suivi des expéditions', - description: 'Suivez vos conteneurs en temps réel', - link: '/dashboard/track-trace', - }, - { - icon: BookOpen, - title: 'Wiki Maritime', - description: 'Base de connaissances du fret maritime', - link: '/dashboard/wiki', - }, - { - icon: Users, - title: 'Mon Profil', - description: 'Gérez vos informations personnelles', - link: '/dashboard/profile', - }, - ]; const stats = [ - { value: '50+', label: 'Compagnies Maritimes', icon: Ship }, - { value: '10K+', label: 'Ports Mondiaux', icon: Anchor }, - { value: '<2s', label: 'Temps de Réponse', icon: Zap }, - { value: '99.5%', label: 'Disponibilité', icon: CheckCircle2 }, + { end: 50, prefix: '', suffix: '+', decimals: 0, label: 'Compagnies Maritimes', icon: Ship }, + { end: 10, prefix: '', suffix: 'K+', decimals: 0, label: 'Ports Mondiaux', icon: Anchor }, + { end: 2, prefix: '<', suffix: 's', decimals: 0, label: 'Temps de Réponse', icon: Zap }, + { end: 99.5, prefix: '', suffix: '%', decimals: 1, label: 'Disponibilité', icon: CheckCircle2 }, ]; const pricingPlans = [ { - name: 'Starter', - price: 'Gratuit', - period: '', - description: 'Idéal pour découvrir la plateforme', + key: 'bronze', + name: 'Bronze', + badge: null, + monthlyPrice: 0, + yearlyPrice: 0, + yearlyMonthly: 0, + description: 'Pour découvrir la plateforme', + users: '1 utilisateur', + shipments: '12 expéditions / an', + commission: '5%', + support: 'Aucun support', features: [ - { text: 'Jusqu\'à 5 bookings/mois', included: true }, - { text: 'Track & Trace illimité', included: true }, - { text: 'Wiki maritime complet', included: true }, - { text: 'Dashboard basique', included: true }, - { text: 'Support par email', included: true }, - { text: 'Gestion des documents', included: false }, - { text: 'Notifications temps réel', included: false }, + { text: 'Réservations maritimes LCL', included: true }, + { text: 'Track & Trace conteneurs', included: true }, + { text: 'Tableau de bord', included: false }, + { text: 'Wiki maritime', included: false }, + { text: 'Gestion des utilisateurs', included: false }, + { text: 'Export CSV', included: false }, { text: 'Accès API', included: false }, + { text: 'KAM dédié', included: false }, ], cta: 'Commencer gratuitement', + ctaLink: '/register', highlighted: false, + accentColor: 'from-amber-600 to-yellow-500', + textAccent: 'text-amber-700', + badgeBg: 'bg-amber-100 text-amber-800', }, { - name: 'Professional', - price: '99€', - period: '/mois', + key: 'silver', + name: 'Silver', + badge: 'Populaire', + monthlyPrice: 249, + yearlyPrice: 2739, + yearlyMonthly: 228, description: 'Pour les transitaires en croissance', + users: 'Jusqu\'à 5 utilisateurs', + shipments: 'Expéditions illimitées', + commission: '3%', + support: 'Support par email', features: [ - { text: 'Bookings illimités', included: true }, - { text: 'Track & Trace illimité', included: true }, + { text: 'Réservations maritimes LCL', included: true }, + { text: 'Track & Trace conteneurs', included: true }, + { text: 'Tableau de bord avancé', included: true }, { text: 'Wiki maritime complet', included: true }, - { text: 'Dashboard avancé + KPIs', included: true }, - { text: 'Support prioritaire', included: true }, - { text: 'Gestion des documents', included: true }, - { text: 'Notifications temps réel', included: true }, + { text: 'Gestion des utilisateurs', included: true }, + { text: 'Export CSV', included: true }, { text: 'Accès API', included: false }, + { text: 'KAM dédié', included: false }, ], - cta: 'Essai gratuit 14 jours', + cta: 'Commencer', + ctaLink: '/register', highlighted: true, + accentColor: 'from-slate-400 to-slate-500', + textAccent: 'text-slate-600', + badgeBg: 'bg-slate-100 text-slate-700', }, { - name: 'Enterprise', - price: 'Sur mesure', - period: '', - description: 'Pour les grandes entreprises', + key: 'gold', + name: 'Gold', + badge: null, + monthlyPrice: 899, + yearlyPrice: 9889, + yearlyMonthly: 824, + description: 'Pour les équipes exigeantes', + users: 'Jusqu\'à 20 utilisateurs', + shipments: 'Expéditions illimitées', + commission: '2%', + support: 'Assistance commerciale directe', features: [ - { text: 'Tout Professionnel +', included: true }, + { text: 'Réservations maritimes LCL', included: true }, + { text: 'Track & Trace conteneurs', included: true }, + { text: 'Tableau de bord avancé', included: true }, + { text: 'Wiki maritime complet', included: true }, + { text: 'Gestion des utilisateurs', included: true }, + { text: 'Export CSV', included: true }, { text: 'Accès API complet', included: true }, - { text: 'Intégrations personnalisées', included: true }, - { text: 'Responsable de compte dédié', included: true }, - { text: 'SLA garanti 99.9%', included: true }, - { text: 'Formation sur site', included: true }, - { text: 'Multi-organisations', included: true }, - { text: 'Audit & conformité', included: true }, + { text: 'KAM dédié', included: false }, ], - cta: 'Contactez-nous', + cta: 'Commencer', + ctaLink: '/register', highlighted: false, + accentColor: 'from-yellow-400 to-amber-400', + textAccent: 'text-amber-600', + badgeBg: 'bg-yellow-50 text-amber-700', + }, + { + key: 'platinium', + name: 'Platinium', + badge: 'Sur mesure', + monthlyPrice: null, + yearlyPrice: null, + yearlyMonthly: null, + description: 'Pour les grandes entreprises', + users: 'Utilisateurs illimités', + shipments: 'Expéditions illimitées', + commission: '1%', + support: 'Key Account Manager dédié', + features: [ + { text: 'Réservations maritimes LCL', included: true }, + { text: 'Track & Trace conteneurs', included: true }, + { text: 'Tableau de bord avancé', included: true }, + { text: 'Wiki maritime complet', included: true }, + { text: 'Gestion des utilisateurs', included: true }, + { text: 'Export CSV', included: true }, + { text: 'Accès API complet', included: true }, + { text: 'KAM dédié + Interface personnalisée', included: true }, + ], + cta: 'Nous contacter', + ctaLink: '/contact', + highlighted: false, + accentColor: 'from-brand-navy to-brand-turquoise', + textAccent: 'text-brand-turquoise', + badgeBg: 'bg-brand-navy/10 text-brand-navy', }, ]; @@ -252,20 +317,31 @@ export default function LandingPage() { {/* Hero Section */}
- {/* Background Image */} + {/* Background Video */} - {/* Container background image */} -
+
- {/* Tools & Calculators Section */} -
-
- -

- Outils & Calculateurs -

-

- Des outils puissants pour optimiser vos opérations maritimes -

- - - - {tools.map((tool, index) => { - const IconComponent = tool.icon; - return ( - - -
-
- -
-
-

- {tool.title} -

-

{tool.description}

-
- -
- - - ); - })} - -
-
{/* Partner Logos Section */}
@@ -578,74 +620,198 @@ export default function LandingPage() {
+ {/* Header */} + + Tarifs +

- Tarifs simples et transparents + Des plans adaptés à votre activité

- Choisissez le plan adapté à vos besoins. Évoluez à tout moment. + De l'accès découverte au partenariat sur mesure — évoluez à tout moment.

+ {/* Billing Toggle */} + + + Mensuel + + + + Annuel + + {billingYearly && ( + + 1 mois offert + + )} + + + {/* Plans Grid */} {pricingPlans.map((plan, index) => ( - {plan.highlighted && ( -
- - Populaire + {/* Top gradient bar */} +
+ + {/* Popular badge */} + {plan.badge && plan.key === 'silver' && ( +
+ + {plan.badge}
)} -
-

{plan.name}

-

{plan.description}

-
- {plan.price} - {plan.period} + {plan.badge && plan.key === 'platinium' && ( +
+ + {plan.badge} +
-
    - {plan.features.map((feature, featureIndex) => ( -
  • - {feature.included ? ( - + )} + +
    + {/* Plan name */} +
    +
    +
    + {plan.name} +
    +

    + {plan.description} +

    +
    + + {/* Price */} +
    + {plan.monthlyPrice === null ? ( +
    + + Sur mesure + +

    + Tarification personnalisée +

    +
    + ) : plan.monthlyPrice === 0 ? ( +
    + + Gratuit + +

    + Pour toujours +

    +
    + ) : ( +
    +
    + + {billingYearly ? plan.yearlyMonthly : plan.monthlyPrice}€ + + + /mois + +
    + {billingYearly ? ( +

    + Facturé {plan.yearlyPrice?.toLocaleString('fr-FR')}€/an +

    ) : ( - +

    + Économisez 1 mois avec l'annuel +

    )} - +
    + )} +
    + + {/* Key stats */} +
    +
    + + {plan.users} +
    +
    + + {plan.shipments} +
    +
    + + + Commission {plan.commission} + +
    +
    + + {/* Features */} +
      + {plan.features.map((feature, featureIndex) => ( +
    • + {feature.included ? ( + + ) : ( + + )} + {feature.text}
      • ))}
    + + {/* CTA */} {plan.cta} @@ -655,25 +821,32 @@ export default function LandingPage() { ))} + {/* Bottom note */} -

    - Tous les plans incluent un essai gratuit de 14 jours. Aucune carte bancaire requise. +

    + Sans engagement · Résiliable à tout moment

    -

    - Des questions ? Contactez notre équipe commerciale +

    + Des questions ?{' '} + + Contactez notre équipe commerciale +

{/* How It Works Section */} -
-
+
+
@@ -681,8 +854,7 @@ export default function LandingPage() {
@@ -692,60 +864,95 @@ export default function LandingPage() {

-
- {[ - { - step: '01', - title: 'Recherchez', - description: "Entrez vos ports de départ et d'arrivée", - icon: Search, - }, - { - step: '02', - title: 'Comparez', - description: 'Analysez les tarifs de 50+ compagnies', - icon: BarChart3, - }, - { - step: '03', - title: 'Réservez', - description: 'Confirmez votre réservation en un clic', - icon: CheckCircle2, - }, - { - step: '04', - title: 'Suivez', - description: 'Suivez votre envoi en temps réel', - icon: Container, - }, - ].map((step, index) => { - const IconComponent = step.icon; - return ( - -
-
- {step.step} + {/* Steps grid with animated connecting line */} +
+ {/* Animated progress line — desktop only */} +
+ +
+ +
+ {[ + { + step: '01', + title: 'Recherchez', + description: "Entrez vos ports de départ et d'arrivée", + icon: Search, + }, + { + step: '02', + title: 'Comparez', + description: 'Analysez les tarifs de 50+ compagnies', + icon: BarChart3, + }, + { + step: '03', + title: 'Réservez', + description: 'Confirmez votre réservation en un clic', + icon: CheckCircle2, + }, + { + step: '04', + title: 'Suivez', + description: 'Suivez votre envoi en temps réel', + icon: Container, + }, + ].map((step, index) => { + const IconComponent = step.icon; + return ( + + {/* Clean number circle — no icon overlay */} +
+
+ {step.step} +
-
- + {/* Icon badge — separate from the number */} +
+
+ +
- {index < 3 && ( -
- )} -
-

{step.title}

-

{step.description}

- - ); - })} +

{step.title}

+

{step.description}

+ + ); + })} +
+ + {/* CTA after last step */} + + + Essayer maintenant + + +

+ Inscription gratuite · Aucune carte bancaire requise +

+
@@ -831,6 +1038,8 @@ export default function LandingPage() { {isAuthenticated && user ? ( Accéder au tableau de bord @@ -840,6 +1049,8 @@ export default function LandingPage() { <> Créer un compte gratuit @@ -847,6 +1058,8 @@ export default function LandingPage() { Se connecter diff --git a/apps/frontend/app/pricing/page.tsx b/apps/frontend/app/pricing/page.tsx new file mode 100644 index 0000000..beef733 --- /dev/null +++ b/apps/frontend/app/pricing/page.tsx @@ -0,0 +1,307 @@ +'use client'; + +import React, { useState } from 'react'; +import Link from 'next/link'; +import Image from 'next/image'; +import { Check, X, ArrowRight, Shield } from 'lucide-react'; + +type BillingInterval = 'monthly' | 'yearly'; + +const PLANS = [ + { + name: 'Bronze', + key: 'BRONZE' as const, + monthlyPrice: 0, + yearlyPrice: 0, + description: 'Pour démarrer et tester la plateforme', + maxUsers: 1, + maxShipments: '12/an', + commission: '5%', + support: 'Aucun', + badge: null, + features: [ + { name: 'Recherche de tarifs', included: true }, + { name: 'Réservations', included: true }, + { name: 'Tableau de bord', included: false }, + { name: 'Wiki Maritime', included: false }, + { name: 'Gestion des utilisateurs', included: false }, + { name: 'Import CSV', included: false }, + { name: 'Accès API', included: false }, + { name: 'Interface personnalisée', included: false }, + { name: 'KAM dédié', included: false }, + ], + cta: 'Commencer gratuitement', + ctaStyle: 'bg-gray-900 text-white hover:bg-gray-800', + popular: false, + }, + { + name: 'Silver', + key: 'SILVER' as const, + monthlyPrice: 249, + yearlyPrice: 2739, + description: 'Pour les équipes en croissance', + maxUsers: 5, + maxShipments: 'Illimitées', + commission: '3%', + support: 'Email', + badge: 'silver' as const, + features: [ + { name: 'Recherche de tarifs', included: true }, + { name: 'Réservations', included: true }, + { name: 'Tableau de bord', included: true }, + { name: 'Wiki Maritime', included: true }, + { name: 'Gestion des utilisateurs', included: true }, + { name: 'Import CSV', included: true }, + { name: 'Accès API', included: false }, + { name: 'Interface personnalisée', included: false }, + { name: 'KAM dédié', included: false }, + ], + cta: 'Choisir Silver', + ctaStyle: 'bg-brand-turquoise text-white hover:opacity-90', + popular: true, + }, + { + name: 'Gold', + key: 'GOLD' as const, + monthlyPrice: 899, + yearlyPrice: 9889, + description: 'Pour les entreprises établies', + maxUsers: 20, + maxShipments: 'Illimitées', + commission: '2%', + support: 'Direct', + badge: 'gold' as const, + features: [ + { name: 'Recherche de tarifs', included: true }, + { name: 'Réservations', included: true }, + { name: 'Tableau de bord', included: true }, + { name: 'Wiki Maritime', included: true }, + { name: 'Gestion des utilisateurs', included: true }, + { name: 'Import CSV', included: true }, + { name: 'Accès API', included: true }, + { name: 'Interface personnalisée', included: false }, + { name: 'KAM dédié', included: false }, + ], + cta: 'Choisir Gold', + ctaStyle: 'bg-yellow-500 text-white hover:bg-yellow-600', + popular: false, + }, + { + name: 'Platinium', + key: 'PLATINIUM' as const, + monthlyPrice: -1, + yearlyPrice: -1, + description: 'Solutions sur mesure', + maxUsers: 'Illimité', + maxShipments: 'Illimitées', + commission: '1%', + support: 'KAM dédié', + badge: 'platinium' as const, + features: [ + { name: 'Recherche de tarifs', included: true }, + { name: 'Réservations', included: true }, + { name: 'Tableau de bord', included: true }, + { name: 'Wiki Maritime', included: true }, + { name: 'Gestion des utilisateurs', included: true }, + { name: 'Import CSV', included: true }, + { name: 'Accès API', included: true }, + { name: 'Interface personnalisée', included: true }, + { name: 'KAM dédié', included: true }, + ], + cta: 'Nous contacter', + ctaStyle: 'bg-purple-600 text-white hover:bg-purple-700', + popular: false, + }, +]; + +function formatPrice(amount: number): string { + return new Intl.NumberFormat('fr-FR', { + style: 'currency', + currency: 'EUR', + minimumFractionDigits: 0, + maximumFractionDigits: 0, + }).format(amount); +} + +export default function PricingPage() { + const [billing, setBilling] = useState('monthly'); + + return ( +
+ {/* Header */} +
+
+ + Xpeditis + +
+ + Connexion + + + Inscription + +
+
+
+ + {/* Hero */} +
+

+ Des tarifs simples et transparents +

+

+ Choisissez la formule adaptée à votre activité de transport maritime. + Commencez gratuitement, évoluez selon vos besoins. +

+ + {/* Billing toggle */} +
+ + Mensuel + + + + Annuel + + {billing === 'yearly' && ( + + -1 mois offert + + )} +
+
+ + {/* Plans grid */} +
+
+ {PLANS.map((plan) => ( +
+ {plan.popular && ( +
+ + Populaire + +
+ )} + + {/* Plan name & badge */} +
+

{plan.name}

+ {plan.badge && ( + + )} +
+ +

{plan.description}

+ + {/* Price */} +
+ {plan.monthlyPrice === -1 ? ( +

Sur devis

+ ) : plan.monthlyPrice === 0 ? ( +

Gratuit

+ ) : ( + <> +

+ {billing === 'monthly' + ? formatPrice(plan.monthlyPrice) + : formatPrice(Math.round(plan.yearlyPrice / 12))} + /mois +

+ {billing === 'yearly' && ( +

+ {formatPrice(plan.yearlyPrice)}/an (11 mois) +

+ )} + + )} +
+ + {/* Quick stats */} +
+
+ Utilisateurs + {plan.maxUsers} +
+
+ Expéditions + {plan.maxShipments} +
+
+ Commission + {plan.commission} +
+
+ Support + {plan.support} +
+
+ + {/* Features */} +
+ {plan.features.map((feature) => ( +
+ {feature.included ? ( + + ) : ( + + )} + + {feature.name} + +
+ ))} +
+ + {/* CTA */} + + {plan.cta} + + +
+ ))} +
+
+ + {/* Footer */} +
+

Tous les prix sont en euros HT. Facturation annuelle = 11 mois.

+
+
+ ); +} diff --git a/apps/frontend/app/register/page.tsx b/apps/frontend/app/register/page.tsx index 3e3da18..e00eebd 100644 --- a/apps/frontend/app/register/page.tsx +++ b/apps/frontend/app/register/page.tsx @@ -1,12 +1,6 @@ -/** - * Register Page - Xpeditis - * - * Modern registration page with split-screen design - */ - 'use client'; -import { useState, useEffect } from 'react'; +import { useState, useEffect, Suspense } from 'react'; import { useRouter, useSearchParams } from 'next/navigation'; import Link from 'next/link'; import Image from 'next/image'; @@ -14,19 +8,25 @@ import { register } from '@/lib/api'; import { verifyInvitation, type InvitationResponse } from '@/lib/api/invitations'; import type { OrganizationType } from '@/types/api'; -export default function RegisterPage() { +function RegisterPageContent() { const router = useRouter(); const searchParams = useSearchParams(); + // Step management + const [step, setStep] = useState<1 | 2>(1); + + // Step 1 — Personal info const [firstName, setFirstName] = useState(''); const [lastName, setLastName] = useState(''); const [email, setEmail] = useState(''); const [password, setPassword] = useState(''); const [confirmPassword, setConfirmPassword] = useState(''); - // Organization fields + // Step 2 — Organization const [organizationName, setOrganizationName] = useState(''); const [organizationType, setOrganizationType] = useState('FREIGHT_FORWARDER'); + const [siren, setSiren] = useState(''); + const [siret, setSiret] = useState(''); const [street, setStreet] = useState(''); const [city, setCity] = useState(''); const [state, setState] = useState(''); @@ -36,12 +36,11 @@ export default function RegisterPage() { const [isLoading, setIsLoading] = useState(false); const [error, setError] = useState(''); - // Invitation-related state + // Invitation state const [invitationToken, setInvitationToken] = useState(null); const [invitation, setInvitation] = useState(null); const [isVerifyingInvitation, setIsVerifyingInvitation] = useState(false); - // Verify invitation token on mount useEffect(() => { const token = searchParams.get('token'); if (token) { @@ -50,13 +49,12 @@ export default function RegisterPage() { .then(invitationData => { setInvitation(invitationData); setInvitationToken(token); - // Pre-fill user information from invitation setEmail(invitationData.email); setFirstName(invitationData.firstName); setLastName(invitationData.lastName); }) - .catch(err => { - setError('Le lien d\'invitation est invalide ou expiré.'); + .catch(() => { + setError("Le lien d'invitation est invalide ou expiré."); }) .finally(() => { setIsVerifyingInvitation(false); @@ -64,36 +62,58 @@ export default function RegisterPage() { } }, [searchParams]); - const handleSubmit = async (e: React.FormEvent) => { + // ---- Step 1 validation ---- + const validateStep1 = (): string | null => { + if (!firstName.trim() || firstName.trim().length < 2) return 'Le prénom doit contenir au moins 2 caractères'; + if (!lastName.trim() || lastName.trim().length < 2) return 'Le nom doit contenir au moins 2 caractères'; + if (!email.trim() || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) return "L'adresse email n'est pas valide"; + if (password.length < 12) return 'Le mot de passe doit contenir au moins 12 caractères'; + if (password !== confirmPassword) return 'Les mots de passe ne correspondent pas'; + return null; + }; + + const handleStep1 = (e: React.FormEvent) => { e.preventDefault(); setError(''); - - // Validate passwords match - if (password !== confirmPassword) { - setError('Les mots de passe ne correspondent pas'); + const err = validateStep1(); + if (err) { + setError(err); return; } + // If invitation — submit directly (no org step) + if (invitationToken) { + handleFinalSubmit(); + } else { + setStep(2); + } + }; - // Validate password length - if (password.length < 12) { - setError('Le mot de passe doit contenir au moins 12 caractères'); + // ---- Step 2 validation ---- + const validateStep2 = (): string | null => { + if (!organizationName.trim()) return "Le nom de l'organisation est requis"; + if (!/^[0-9]{9}$/.test(siren)) return 'Le numéro SIREN est requis (9 chiffres)'; + if (siret && !/^[0-9]{14}$/.test(siret)) return 'Le numéro SIRET doit contenir 14 chiffres'; + if (!street.trim() || !city.trim() || !postalCode.trim() || !country.trim()) { + return "Tous les champs d'adresse sont requis"; + } + return null; + }; + + const handleStep2 = (e: React.FormEvent) => { + e.preventDefault(); + setError(''); + const err = validateStep2(); + if (err) { + setError(err); return; } + handleFinalSubmit(); + }; - // Validate organization fields only if NOT using invitation - if (!invitationToken) { - if (!organizationName.trim()) { - setError('Le nom de l\'organisation est requis'); - return; - } - - if (!street.trim() || !city.trim() || !postalCode.trim() || !country.trim()) { - setError('Tous les champs d\'adresse sont requis'); - return; - } - } - + // ---- Final submit ---- + const handleFinalSubmit = async () => { setIsLoading(true); + setError(''); try { await register({ @@ -101,13 +121,14 @@ export default function RegisterPage() { password, firstName, lastName, - // If invitation token exists, use it; otherwise provide organization data ...(invitationToken ? { invitationToken } : { organization: { name: organizationName, type: organizationType, + siren, + siret: siret || undefined, street, city, state: state || undefined, @@ -119,18 +140,92 @@ export default function RegisterPage() { router.push('/dashboard'); } catch (err: any) { setError(err.message || 'Erreur lors de la création du compte'); + // On error at step 2, stay on step 2; at invitation (step 1), stay on step 1 } finally { setIsLoading(false); } }; + // ---- Right panel content ---- + const rightPanel = ( +
+
+
+
+

+ {invitation ? 'Rejoignez votre équipe' : 'Rejoignez des milliers d\'entreprises'} +

+

+ Simplifiez votre logistique maritime et gagnez du temps sur chaque expédition. +

+
+
+
+ + + +
+
+

Essai gratuit de 30 jours

+

Testez toutes les fonctionnalités sans engagement

+
+
+
+
+ + + +
+
+

Sécurité maximale

+

Vos données sont protégées et chiffrées

+
+
+
+
+ + + +
+
+

Support 24/7

+

Notre équipe est là pour vous accompagner

+
+
+
+
+
+
2k+
+
Entreprises
+
+
+
150+
+
Pays couverts
+
+
+
24/7
+
Support
+
+
+
+
+
+ + + + + +
+
+ ); + return (
{/* Left Side - Form */}
{/* Logo */} -
+
+ {/* Progress indicator (only for self-registration, 2 steps) */} + {!invitation && ( +
+
+
+
= 1 ? 'bg-brand-navy text-white' : 'bg-neutral-100 text-neutral-400' + }`}> + {step > 1 ? ( + + + + ) : '1'} +
+ = 1 ? 'text-brand-navy' : 'text-neutral-400'}`}> + Votre compte + +
+
= 2 ? 'bg-brand-navy' : 'bg-neutral-200'}`} /> +
+
= 2 ? 'bg-brand-navy text-white' : 'bg-neutral-100 text-neutral-400' + }`}> + 2 +
+ = 2 ? 'text-brand-navy' : 'text-neutral-400'}`}> + Votre organisation + +
+
+
+ )} + {/* Header */} -
-

- {invitation ? 'Accepter l\'invitation' : 'Créer un compte'} -

-

- {invitation - ? `Vous avez été invité à rejoindre une organisation` - : 'Commencez votre essai gratuit dès aujourd\'hui'} -

+
+ {isVerifyingInvitation ? ( +

Vérification de l'invitation...

+ ) : invitation ? ( + <> +

Accepter l'invitation

+
+

+ Invitation valide — créez votre mot de passe pour rejoindre l'organisation. +

+
+ + ) : step === 1 ? ( + <> +

Créer un compte

+

Commencez votre essai gratuit dès aujourd'hui

+ + ) : ( + <> +

Votre organisation

+

Renseignez les informations de votre entreprise

+ + )}
- {/* Verifying Invitation Loading */} - {isVerifyingInvitation && ( -
-

Vérification de l'invitation...

-
- )} - - {/* Success Message for Invitation */} - {invitation && !error && ( -
-

- Invitation valide ! Créez votre mot de passe pour rejoindre l'organisation. -

-
- )} - {/* Error Message */} {error && ( -
+
+ + +

{error}

)} - {/* Form */} -
- {/* First Name & Last Name */} -
+ {/* ---- STEP 1: Personal info ---- */} + {(step === 1 || invitation) && !isVerifyingInvitation && ( + +
+
+ + setFirstName(e.target.value)} + className="input w-full" + placeholder="Jean" + disabled={isLoading || !!invitation} + /> +
+
+ + setLastName(e.target.value)} + className="input w-full" + placeholder="Dupont" + disabled={isLoading || !!invitation} + /> +
+
+
- + setFirstName(e.target.value)} + value={email} + onChange={e => setEmail(e.target.value)} className="input w-full" - placeholder="Jean" + placeholder="jean.dupont@entreprise.com" + autoComplete="email" disabled={isLoading || !!invitation} />
+
- + setLastName(e.target.value)} + value={password} + onChange={e => setPassword(e.target.value)} className="input w-full" - placeholder="Dupont" - disabled={isLoading || !!invitation} + placeholder="••••••••••••" + autoComplete="new-password" + disabled={isLoading} + /> +

Au moins 12 caractères

+
+ +
+ + setConfirmPassword(e.target.value)} + className="input w-full" + placeholder="••••••••••••" + autoComplete="new-password" + disabled={isLoading} />
-
- {/* Email */} -
- - setEmail(e.target.value)} - className="input w-full" - placeholder="jean.dupont@entreprise.com" - autoComplete="email" - disabled={isLoading || !!invitation} - /> -
- - {/* Password */} -
- - setPassword(e.target.value)} - className="input w-full" - placeholder="••••••••••••" - autoComplete="new-password" +
+ className="btn-primary w-full text-lg disabled:opacity-50 disabled:cursor-not-allowed mt-2" + > + {isLoading + ? 'Création du compte...' + : invitation + ? 'Créer mon compte' + : 'Continuer'} + - {/* Confirm Password */} -
- - setConfirmPassword(e.target.value)} - className="input w-full" - placeholder="••••••••••••" - autoComplete="new-password" - disabled={isLoading} - /> -
+

+ En créant un compte, vous acceptez nos{' '} + Conditions d'utilisation{' '} + et notre{' '} + Politique de confidentialité +

+
+ )} - {/* Organization Section - Only show if NOT using invitation */} - {!invitation && ( -
-

Informations de votre organisation

- - {/* Organization Name */} -
- + {/* ---- STEP 2: Organization info ---- */} + {step === 2 && !invitation && ( +
+
+
- {/* Organization Type */} -
- +
+ setSiren(e.target.value.replace(/\D/g, '').slice(0, 9))} + className="input w-full" + placeholder="123456789" + maxLength={9} + disabled={isLoading} + /> +

9 chiffres

+
+
+ + setSiret(e.target.value.replace(/\D/g, '').slice(0, 14))} + className="input w-full" + placeholder="12345678900014" + maxLength={14} + disabled={isLoading} + /> +

14 chiffres

+
+
+ +
+
- {/* City & Postal Code */} -
+
- +
- +
- {/* State & Country */}
- + setCountry(e.target.value)} + onChange={e => setCountry(e.target.value.toUpperCase().slice(0, 2))} className="input w-full" placeholder="FR" maxLength={2} disabled={isLoading} /> +

Code ISO 2 lettres

+ +
+ +
- )} - {/* Submit Button */} - - - {/* Terms */} -

- En créant un compte, vous acceptez nos{' '} - - Conditions d'utilisation - {' '} - et notre{' '} - - Politique de confidentialité - -

- +

+ En créant un compte, vous acceptez nos{' '} + Conditions d'utilisation{' '} + et notre{' '} + Politique de confidentialité +

+ + )} {/* Sign In Link */}

Vous avez déjà un compte ?{' '} - - Se connecter - + Se connecter

{/* Footer Links */} -
+
- - Centre d'aide - - - Contactez-nous - - - Confidentialité - - - Conditions - + Contactez-nous + Confidentialité + Conditions
- {/* Right Side - Brand Features (same as login) */} -
-
-
-
-

- Rejoignez des milliers d'entreprises -

-

- Simplifiez votre logistique maritime et gagnez du temps sur chaque expédition. -

- -
-
-
- - - -
-
-

Essai gratuit de 30 jours

-

- Testez toutes les fonctionnalités sans engagement -

-
-
- -
-
- - - -
-
-

Sécurité maximale

-

- Vos données sont protégées et chiffrées -

-
-
- -
-
- - - -
-
-

Support 24/7

-

- Notre équipe est là pour vous accompagner -

-
-
-
- -
-
-
2k+
-
Entreprises
-
-
-
150+
-
Pays couverts
-
-
-
24/7
-
Support
-
-
-
-
- -
- - - - - -
-
+ {rightPanel}
); } + +export default function RegisterPage() { + return ( + + + + ); +} diff --git a/apps/frontend/app/reset-password/page.tsx b/apps/frontend/app/reset-password/page.tsx index 0308932..0811cfb 100644 --- a/apps/frontend/app/reset-password/page.tsx +++ b/apps/frontend/app/reset-password/page.tsx @@ -1,16 +1,12 @@ -/** - * Reset Password Page - * - * Reset password with token from email - */ - 'use client'; -import { useState, useEffect } from 'react'; +import { useState, useEffect, Suspense } from 'react'; import { useSearchParams, useRouter } from 'next/navigation'; import Link from 'next/link'; +import Image from 'next/image'; +import { resetPassword } from '@/lib/api/auth'; -export default function ResetPasswordPage() { +function ResetPasswordContent() { const searchParams = useSearchParams(); const router = useRouter(); const [token, setToken] = useState(''); @@ -19,13 +15,14 @@ export default function ResetPasswordPage() { const [success, setSuccess] = useState(false); const [error, setError] = useState(''); const [loading, setLoading] = useState(false); + const [tokenError, setTokenError] = useState(false); useEffect(() => { const tokenFromUrl = searchParams.get('token'); if (tokenFromUrl) { setToken(tokenFromUrl); } else { - setError('Invalid reset link. Please request a new password reset.'); + setTokenError(true); } }, [searchParams]); @@ -33,139 +30,218 @@ export default function ResetPasswordPage() { e.preventDefault(); setError(''); - // Validate passwords match if (password !== confirmPassword) { - setError('Passwords do not match'); + setError('Les mots de passe ne correspondent pas'); return; } - // Validate password length if (password.length < 12) { - setError('Password must be at least 12 characters long'); - return; - } - - if (!token) { - setError('Invalid reset token'); + setError('Le mot de passe doit contenir au moins 12 caractères'); return; } setLoading(true); try { - // TODO: Implement resetPassword API endpoint - await new Promise(resolve => setTimeout(resolve, 1000)); + await resetPassword(token, password); setSuccess(true); - setTimeout(() => { - router.push('/login'); - }, 3000); + setTimeout(() => router.push('/login'), 3000); } catch (err: any) { - setError( - err.response?.data?.message || 'Failed to reset password. The link may have expired.' - ); + setError(err.message || 'Le lien de réinitialisation est invalide ou expiré.'); } finally { setLoading(false); } }; - if (success) { - return ( -
-
-
-

Xpeditis

-

- Password reset successful -

-
- -
-
- Your password has been reset successfully. You will be redirected to the login page in - a few seconds... -
-
- -
- - Go to login now + return ( +
+ {/* Left Side - Form */} +
+
+ {/* Logo */} +
+ + Xpeditis
+ + {tokenError ? ( + <> +
+
+ + + +
+

Lien invalide

+

+ Ce lien de réinitialisation est invalide. Veuillez faire une nouvelle demande. +

+
+ + Demander un nouveau lien + + + ) : success ? ( + <> +
+
+ + + +
+

Mot de passe réinitialisé !

+

+ Votre mot de passe a été modifié avec succès. Vous allez être redirigé vers la page de connexion... +

+
+ + Se connecter maintenant + + + ) : ( + <> + {/* Header */} +
+

Nouveau mot de passe

+

+ Choisissez un nouveau mot de passe sécurisé pour votre compte. +

+
+ + {/* Error Message */} + {error && ( +
+ + + +

{error}

+
+ )} + + {/* Form */} +
+
+ + setPassword(e.target.value)} + className="input w-full" + placeholder="••••••••••••" + autoComplete="new-password" + disabled={loading} + /> +

Au moins 12 caractères

+
+ +
+ + setConfirmPassword(e.target.value)} + className="input w-full" + placeholder="••••••••••••" + autoComplete="new-password" + disabled={loading} + /> +
+ + +
+ +
+ + + + + Retour à la connexion + +
+ + )} + + {/* Footer Links */} +
+
+ + Contactez-nous + + + Confidentialité + + + Conditions + +
+
- ); - } - return ( -
-
-
-

Xpeditis

-

- Set new password -

-

Please enter your new password.

+ {/* Right Side - Brand */} +
+
+
+
+

Votre sécurité, notre priorité

+

+ Choisissez un mot de passe fort pour protéger votre compte et vos données. +

+
+ {[ + 'Au moins 12 caractères', + 'Mélangez lettres, chiffres et symboles', + 'Évitez les mots du dictionnaire', + 'N\'utilisez pas le même mot de passe ailleurs', + ].map((tip) => ( +
+ + + +

{tip}

+
+ ))} +
+
+
+
+ + + + +
- -
- {error && ( -
-
{error}
-
- )} - -
-
- - setPassword(e.target.value)} - className="mt-1 appearance-none block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm placeholder-gray-400 focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm" - /> -

Must be at least 12 characters long

-
- -
- - setConfirmPassword(e.target.value)} - className="mt-1 appearance-none block w-full px-3 py-2 border border-gray-300 rounded-md shadow-sm placeholder-gray-400 focus:outline-none focus:ring-blue-500 focus:border-blue-500 sm:text-sm" - /> -
-
- -
- -
- -
- - Back to sign in - -
-
); } + +export default function ResetPasswordPage() { + return ( + + + + ); +} diff --git a/apps/frontend/middleware.ts b/apps/frontend/middleware.ts index 62a59fd..5a7fba3 100644 --- a/apps/frontend/middleware.ts +++ b/apps/frontend/middleware.ts @@ -7,37 +7,48 @@ import { NextResponse } from 'next/server'; import type { NextRequest } from 'next/server'; -const publicPaths = [ - '/', +// Exact-match public paths (no sub-path matching) +const exactPublicPaths = ['/']; + +// Prefix-match public paths (plus their sub-paths) +const prefixPublicPaths = [ '/login', '/register', '/forgot-password', '/reset-password', '/verify-email', + '/about', + '/careers', + '/blog', + '/press', + '/contact', + '/carrier', + '/pricing', + '/docs', ]; export function middleware(request: NextRequest) { const { pathname } = request.nextUrl; // Check if path is public - const isPublicPath = publicPaths.some(path => pathname.startsWith(path)); + const isPublicPath = + exactPublicPaths.includes(pathname) || + prefixPublicPaths.some(path => pathname === path || pathname.startsWith(path + '/')); - // Get token from cookies or headers + // Get token from cookie (synced by client.ts setAuthTokens) const token = request.cookies.get('accessToken')?.value; // Redirect to login if accessing protected route without token if (!isPublicPath && !token) { - return NextResponse.redirect(new URL('/login', request.url)); - } - - // Redirect to dashboard if accessing public auth pages while logged in - if (isPublicPath && token && pathname !== '/') { - return NextResponse.redirect(new URL('/dashboard', request.url)); + const loginUrl = new URL('/login', request.url); + loginUrl.searchParams.set('redirect', pathname); + return NextResponse.redirect(loginUrl); } return NextResponse.next(); } export const config = { - matcher: ['/((?!api|_next/static|_next/image|favicon.ico).*)'], + // Exclude Next.js internals, API routes, and all public static assets + matcher: ['/((?!_next/static|_next/image|api|assets|favicon\\.ico|manifest\\.json|.*\\.(?:png|jpg|jpeg|gif|webp|svg|ico|mp4|mp3|pdf|txt|xml|csv|json)$).*)'], }; diff --git a/apps/frontend/src/components/ExportButton.tsx b/apps/frontend/src/components/ExportButton.tsx index 2f313a5..e2e7f5d 100644 --- a/apps/frontend/src/components/ExportButton.tsx +++ b/apps/frontend/src/components/ExportButton.tsx @@ -7,7 +7,8 @@ 'use client'; import { useState, useRef, useEffect } from 'react'; -import { Download, FileSpreadsheet, FileText, ChevronDown } from 'lucide-react'; +import { Download, FileSpreadsheet, FileText, ChevronDown, Lock } from 'lucide-react'; +import { useSubscription } from '@/lib/context/subscription-context'; interface ExportButtonProps { data: T[]; @@ -26,6 +27,8 @@ export default function ExportButton>({ columns, disabled = false, }: ExportButtonProps) { + const { hasFeature } = useSubscription(); + const canExport = hasFeature('csv_export'); const [isOpen, setIsOpen] = useState(false); const [isExporting, setIsExporting] = useState(false); const dropdownRef = useRef(null); @@ -171,9 +174,12 @@ export default function ExportButton>({ return (
{/* Dropdown Menu */} - {isOpen && !isExporting && ( + {isOpen && !isExporting && canExport && (
+
+ {/* Code */} +
+ 
+          {code.trim()}
+
+
+
+ ); +} diff --git a/apps/frontend/src/components/docs/DocsPageContent.tsx b/apps/frontend/src/components/docs/DocsPageContent.tsx new file mode 100644 index 0000000..9f77475 --- /dev/null +++ b/apps/frontend/src/components/docs/DocsPageContent.tsx @@ -0,0 +1,1190 @@ +'use client'; + +import { useState, Suspense } from 'react'; +import { useSearchParams, useRouter } from 'next/navigation'; +import Link from 'next/link'; +import { + Search, + ChevronRight, + ArrowRight, + Key, + Package, + TrendingUp, + Building2, + ShieldCheck, + AlertTriangle, + List, + Menu, + X, + CheckCircle2, + Clock, + Info, + Zap, + Home, + ChevronLeft, + Circle, +} from 'lucide-react'; +import { CodeBlock } from '@/components/docs/CodeBlock'; +import { DOC_SECTIONS, ALL_NAV_ITEMS } from '@/components/docs/docsNav'; + +// ─── Design tokens ──────────────────────────────────────────────────────────── +const BRAND = { + navy: '#10183A', + turquoise: '#34CCCD', + teal: '#0e9999', +}; + +// ─── Reusable primitives ────────────────────────────────────────────────────── + +function H1({ children }: { children: React.ReactNode }) { + return

{children}

; +} +function H2({ children }: { children: React.ReactNode }) { + return ( +

+ + {children} +

+ ); +} +function H3({ children }: { children: React.ReactNode }) { + return

{children}

; +} +function P({ children }: { children: React.ReactNode }) { + return

{children}

; +} +function Divider() { + return
; +} +function InlineCode({ children }: { children: React.ReactNode }) { + return ( + + {children} + + ); +} + +function Callout({ type = 'info', children }: { type?: 'info' | 'warning' | 'success'; children: React.ReactNode }) { + const styles = { + info: { border: 'border-blue-200', bg: 'bg-blue-50', text: 'text-blue-800', icon: Info, dot: 'bg-blue-400' }, + warning: { border: 'border-amber-200', bg: 'bg-amber-50', text: 'text-amber-800', icon: AlertTriangle, dot: 'bg-amber-400' }, + success: { border: 'border-emerald-200', bg: 'bg-emerald-50', text: 'text-emerald-800', icon: CheckCircle2, dot: 'bg-emerald-400' }, + }; + const s = styles[type]; + const Icon = s.icon; + return ( +
+ +
{children}
+
+ ); +} + +function HttpBadge({ method }: { method: 'GET' | 'POST' | 'PATCH' | 'DELETE' | 'PUT' }) { + const styles: Record = { + GET: 'bg-emerald-100 text-emerald-700 border-emerald-200', + POST: 'bg-blue-100 text-blue-700 border-blue-200', + PATCH: 'bg-amber-100 text-amber-700 border-amber-200', + PUT: 'bg-orange-100 text-orange-700 border-orange-200', + DELETE: 'bg-red-100 text-red-700 border-red-200', + }; + return ( + + {method} + + ); +} + +function EndpointRow({ method, path, desc }: { method: 'GET' | 'POST' | 'PATCH' | 'DELETE' | 'PUT'; path: string; desc: string }) { + return ( +
+ + {path} + {desc} +
+ ); +} + +function ParamTable({ headers, rows }: { headers: string[]; rows: (string | React.ReactNode)[][] }) { + return ( +
+ + + + {headers.map(h => ( + + ))} + + + + {rows.map((row, i) => ( + + {row.map((cell, j) => ( + + ))} + + ))} + +
+ {h} +
+ {cell} +
+
+ ); +} + +function SectionHeader({ title, description, badge }: { title: string; description: string; badge?: string }) { + return ( +
+ {badge && ( + + {badge} + + )} +

{title}

+

{description}

+
+ ); +} + +function RequiredBadge({ required }: { required: boolean }) { + return required + ? requis + : optionnel; +} + +function LabeledBlock({ label, children }: { label: string; children: React.ReactNode }) { + return ( +
+

{label}

+ {children} +
+ ); +} + +// ─── Section: Home ──────────────────────────────────────────────────────────── + +function HomeSection({ onNavigate }: { onNavigate: (id: string) => void }) { + const quickLinks = [ + { id: 'quickstart', icon: Zap, label: 'Démarrage rapide', desc: 'Première requête en 5 min', color: 'text-amber-500', bg: 'bg-amber-50', border: 'border-amber-100' }, + { id: 'authentication', icon: Key, label: 'Authentification', desc: 'Créer et gérer vos clés API', color: 'text-blue-500', bg: 'bg-blue-50', border: 'border-blue-100' }, + { id: 'bookings', icon: Package, label: 'Bookings', desc: 'Réservations de fret maritime', color: 'text-violet-500', bg: 'bg-violet-50', border: 'border-violet-100' }, + { id: 'rates', icon: TrendingUp,label: 'Tarifs', desc: 'Tarifs en temps réel', color: 'text-emerald-500',bg: 'bg-emerald-50',border: 'border-emerald-100' }, + { id: 'endpoints', icon: List, label: 'Référence complète', desc: 'Tous les endpoints', color: 'text-gray-500', bg: 'bg-gray-50', border: 'border-gray-200' }, + { id: 'errors', icon: AlertTriangle, label: 'Erreurs', desc: 'Codes et gestion des erreurs', color: 'text-red-400', bg: 'bg-red-50', border: 'border-red-100' }, + ]; + + return ( +
+ {/* Hero */} +
+
+ {/* Grid pattern */} +
+
+
+
+ API v1.0 · Plans Gold & Platinium +
+

+ API Xpeditis +

+

+ Intégrez le fret maritime dans vos applications. Tarifs en temps réel, + gestion de bookings et suivi d'expéditions via une API REST simple. +

+ +
+ + + + Gérer mes clés API + +
+ + {/* Base URL */} +
+ BASE URL + https://api.xpeditis.com +
+
+
+ + {/* Quick links grid */} +
+

Explorer la documentation

+
+ {quickLinks.map(item => ( + + ))} +
+
+ + + + {/* How it works */} +

Fonctionnement

+
+ {[ + { step: '01', title: 'Authentification par clé API', desc: <>Passez votre clé dans l'en-tête X-API-Key de chaque requête. }, + { step: '02', title: 'Format JSON standard', desc: 'Toutes les réponses sont en JSON avec une enveloppe data/meta cohérente.' }, + { step: '03', title: 'Rate limiting transparent', desc: 'Les quotas sont exposés dans les en-têtes X-RateLimit-* de chaque réponse.' }, + ].map(item => ( +
+ {item.step} +
+

{item.title}

+

{item.desc}

+
+
+ ))} +
+
+ ); +} + +// ─── Section: Quick Start ───────────────────────────────────────────────────── + +function QuickStartSection({ onNavigate }: { onNavigate: (id: string) => void }) { + return ( +
+ + + + L'accès API est réservé aux plans Gold et Platinium. + Accédez à Paramètres → Abonnement pour upgrader. + + + {/* Steps */} + {[ + { + n: 1, + title: 'Obtenir votre clé API', + content: ( + <> +

Dans le dashboard, allez dans Paramètres → Clés API, cliquez Créer une clé. La clé complète est affichée une seule fois — copiez-la immédiatement.

+ + + ), + }, + { + n: 2, + title: 'Envoyer votre première requête', + content: ( + <> +

Passez la clé dans l'en-tête X-API-Key :

+ + + + ), + }, + { + n: 3, + title: 'Lire la réponse', + content: ( + <> +

Toutes les réponses suivent le même format :

+ + + + + + + + ), + }, + ].map(step => ( +
+
+
{step.n}
+ {step.n < 3 &&
} +
+
+

{step.title}

+ {step.content} +
+
+ ))} + + +

Étapes suivantes

+
+ {[ + { id: 'authentication', label: 'Gérer vos clés API', desc: 'Créer, lister et révoquer' }, + { id: 'bookings', label: 'Créer un booking', desc: 'Réservez du fret maritime' }, + { id: 'rates', label: 'Rechercher des tarifs', desc: 'Comparez en temps réel' }, + { id: 'errors', label: 'Gestion des erreurs', desc: 'Tous les codes expliqués' }, + ].map(item => ( + + ))} +
+
+ ); +} + +// ─── Section: Authentication ────────────────────────────────────────────────── + +function AuthenticationSection() { + return ( +
+ + + + Vos clés sont confidentielles. Ne les exposez jamais dans du code public. + En cas de compromission, révoquez immédiatement depuis le dashboard. + + +

Format

+

Toutes les clés Xpeditis commencent par xped_live_ suivi de 64 caractères hexadécimaux :

+ + + +

Utilisation

+

Passez votre clé dans l'en-tête X-API-Key de chaque requête :

+ + + +

Exemples par langage

+ + + + + +

Gestion des clés

+

Ces endpoints nécessitent un token JWT (connexion via le dashboard), pas une clé API.

+ +
+ {[ + { method: 'POST' as const, path: '/api-keys', desc: 'Créer une nouvelle clé' }, + { method: 'GET' as const, path: '/api-keys', desc: 'Lister toutes les clés' }, + { method: 'DELETE' as const, path: '/api-keys/:id', desc: 'Révoquer une clé' }, + ].map((ep, i) => )} +
+ +

Créer une clé

+ + " \\ + -H "Content-Type: application/json" \\ + -d '{"name": "Intégration ERP", "expiresAt": "2027-01-01T00:00:00.000Z"}'`} + /> + + + + + + +

Sécurité & rotation

+ + + Effectuez une rotation tous les 90 jours : créez une nouvelle clé, migrez votre système, puis révoquez l'ancienne. + +
+ ); +} + +// ─── Section: Bookings ──────────────────────────────────────────────────────── + +function BookingsSection() { + return ( +
+ + +

Lister les bookings

+
+ +
+ + status, 'string', , 'draft | confirmed | in_transit | delivered | cancelled'], + [page, 'number', , 'Numéro de page (défaut : 1)'], + [limit, 'number', , 'Résultats par page (défaut : 20, max : 100)'], + [origin, 'string', , 'Code port UN/LOCODE (ex : FRLEH)'], + [destination, 'string', , 'Code port UN/LOCODE (ex : CNSHA)'], + ]} + /> + + + + + + +

Créer un booking

+
+ +
+ + + + + + +

Statuts d'un booking

+ draft, 'Créé, non confirmé'], + [pending_confirmation, 'En attente du transporteur'], + [confirmed, 'Confirmé par le transporteur'], + [in_transit, 'Expédition en cours'], + [delivered, 'Livraison confirmée'], + [cancelled, 'Annulé'], + ]} + /> +
+ ); +} + +// ─── Section: Rates ─────────────────────────────────────────────────────────── + +function RatesSection() { + return ( +
+ + +

Rechercher des tarifs

+
+ +
+ + origin, , 'Code port origine (UN/LOCODE, ex : FRLEH)'], + [destination, , 'Code port destination (ex : CNSHA)'], + [containerType, , '20GP · 40GP · 40HC · 45HC · 20FR · 40FR'], + [departureDate, , 'Date souhaitée (YYYY-MM-DD)'], + [sortBy, , 'price_asc · price_desc · transit_time'], + ]} + /> + + + + + + + Les tarifs sont mis en cache 15 minutes. Après expiration, une nouvelle requête est envoyée aux transporteurs en temps réel. + + + +

Codes de ports (UN/LOCODE)

+
+ +
+ + + +
+ ); +} + +// ─── Section: Organizations ─────────────────────────────────────────────────── + +function OrganizationsSection() { + return ( +
+ + +

Profil de l'organisation

+
+ +
+ + + + + + +

Membres

+
+ +
+ +
+ ); +} + +// ─── Section: Endpoints ─────────────────────────────────────────────────────── + +function EndpointsSection() { + const groups: { label: string; endpoints: { method: 'GET' | 'POST' | 'PATCH' | 'DELETE'; path: string; desc: string }[] }[] = [ + { + label: 'Bookings', + endpoints: [ + { method: 'GET', path: '/bookings', desc: 'Lister les bookings' }, + { method: 'POST', path: '/bookings', desc: 'Créer un booking' }, + { method: 'GET', path: '/bookings/:id', desc: 'Détail d\'un booking' }, + { method: 'PATCH', path: '/bookings/:id/status',desc: 'Mettre à jour le statut' }, + ], + }, + { + label: 'Tarifs', + endpoints: [ + { method: 'GET', path: '/rates/search', desc: 'Rechercher des tarifs' }, + { method: 'GET', path: '/rates/:id', desc: 'Détail d\'un tarif' }, + { method: 'GET', path: '/ports', desc: 'Lister les ports' }, + ], + }, + { + label: 'Organisation', + endpoints: [ + { method: 'GET', path: '/organizations/me', desc: 'Profil de l\'organisation' }, + { method: 'GET', path: '/users', desc: 'Membres de l\'organisation' }, + ], + }, + { + label: 'Clés API (JWT requis)', + endpoints: [ + { method: 'POST', path: '/api-keys', desc: 'Créer une clé API' }, + { method: 'GET', path: '/api-keys', desc: 'Lister les clés API' }, + { method: 'DELETE', path: '/api-keys/:id', desc: 'Révoquer une clé' }, + ], + }, + ]; + + return ( +
+ + + {groups.map(group => ( +
+

{group.label}

+
+ {group.endpoints.map((ep, i) => )} +
+
+ ))} + + +

Format de réponse standard

+ + + + + + +
+ ); +} + +// ─── Section: Errors ───────────────────────────────────────────────────────── + +function ErrorsSection() { + return ( +
+ + + + + +

Format des erreurs

+ + +

Exemples

+ + + + + + + + En cas de 429, respectez le délai retryAfter (en secondes) avec un backoff exponentiel. + +
+ ); +} + +// ─── Section: Rate Limiting ─────────────────────────────────────────────────── + +function RateLimitingSection() { + return ( +
+ + +

Limites par plan

+ + + Le rate limiting est calculé par utilisateur associé à la clé API. + + + +

En-têtes de réponse

+ X-RateLimit-Limit, 'Nombre maximum de requêtes par fenêtre'], + [X-RateLimit-Remaining, 'Requêtes restantes dans la fenêtre'], + [X-RateLimit-Reset, 'Timestamp UNIX de réinitialisation'], + ]} + /> + + +

Bonnes pratiques

+
+ {[ + { icon: Clock, title: 'Backoff exponentiel', desc: 'En cas de 429, attendez 1s, 2s, 4s, 8s… avant de réessayer.' }, + { icon: CheckCircle2, title: 'Mise en cache', desc: 'Cachez les tarifs côté client — ils sont valides 15 minutes.' }, + { icon: ShieldCheck, title: 'Une clé par service', desc: 'Clés séparées par service/env pour un suivi précis et une révocation ciblée.' }, + ].map((item, i) => ( +
+
+ +
+
+

{item.title}

+

{item.desc}

+
+
+ ))} +
+
+ ); +} + +// ─── Section map ────────────────────────────────────────────────────────────── + +function SectionContent({ activeSection, onNavigate }: { activeSection: string; onNavigate: (id: string) => void }) { + switch (activeSection) { + case 'home': return ; + case 'quickstart': return ; + case 'authentication': return ; + case 'bookings': return ; + case 'rates': return ; + case 'organizations':return ; + case 'endpoints': return ; + case 'errors': return ; + case 'rate-limiting':return ; + default: return ; + } +} + +// ─── Prev / Next ────────────────────────────────────────────────────────────── + +function PrevNext({ activeSection, onNavigate }: { activeSection: string; onNavigate: (id: string) => void }) { + const idx = ALL_NAV_ITEMS.findIndex(i => i.id === activeSection); + const prev = idx > 0 ? ALL_NAV_ITEMS[idx - 1] : null; + const next = idx < ALL_NAV_ITEMS.length - 1 ? ALL_NAV_ITEMS[idx + 1] : null; + + if (!prev && !next) return null; + + return ( +
+ {prev ? ( + + ) :
} + + {next ? ( + + ) :
} +
+ ); +} + +// ─── Main Component ─────────────────────────────────────────────────────────── + +export interface DocsPageContentProps { + basePath: string; + /** 'dashboard' = fixed height layout, 'public' = scrollable with sticky sidebar */ + variant?: 'dashboard' | 'public'; +} + +function DocsPageInner({ basePath, variant = 'public' }: DocsPageContentProps) { + const searchParams = useSearchParams(); + const router = useRouter(); + const [activeSection, setActiveSection] = useState(searchParams.get('section') ?? 'home'); + const [searchQuery, setSearchQuery] = useState(''); + const [sidebarOpen, setSidebarOpen] = useState(false); + + const navigate = (id: string) => { + setActiveSection(id); + router.replace(`${basePath}?section=${id}`, { scroll: false }); + setSidebarOpen(false); + if (variant === 'public') { + window.scrollTo({ top: 0, behavior: 'smooth' }); + } + }; + + const filteredSections = DOC_SECTIONS.map(section => ({ + ...section, + items: section.items.filter(item => + item.label.toLowerCase().includes(searchQuery.toLowerCase()) + ), + })).filter(s => s.items.length > 0); + + const stickyTop = variant === 'dashboard' ? 'top-16' : 'top-20'; + const sidebarHeight= variant === 'dashboard' ? 'calc(100vh - 64px)' : 'calc(100vh - 80px)'; + + // Sidebar inner content + const SidebarInner = () => ( +
+ {/* Brand + search */} +
+
+
+ X +
+ Xpeditis + v1.0 +
+ + {/* API status */} +
+ + Tous les services opérationnels +
+ + {/* Search */} +
+ + setSearchQuery(e.target.value)} + className="w-full pl-8 pr-3 py-1.5 text-sm bg-gray-50 border border-gray-200 rounded-lg focus:outline-none focus:ring-2 focus:ring-[#34CCCD]/30 focus:border-[#34CCCD] placeholder-gray-400 transition-all" + /> +
+
+ + {/* Navigation */} + + + {/* Footer CTA */} +
+ +
+ +
+ Gérer mes clés API + + +
+
+ ); + + // ── Dashboard variant: fixed-height layout ─────────────────────────────── + if (variant === 'dashboard') { + return ( +
+ {sidebarOpen && ( +
setSidebarOpen(false)} /> + )} + + {/* Desktop sidebar */} +
+ +
+ + {/* Mobile drawer */} +
+ +
+ + {/* Content */} +
+
+ + + {ALL_NAV_ITEMS.find(i => i.id === activeSection)?.label ?? 'Documentation'} + +
+
+ + + +
+
+
+ ); + } + + // ── Public variant: scrollable with sticky sidebar ─────────────────────── + return ( +
+ {/* Mobile overlay */} + {sidebarOpen && ( +
setSidebarOpen(false)} /> + )} + + {/* Mobile drawer */} +
+ +
+ + {/* Desktop sticky sidebar */} + + + {/* Main scrollable content */} +
+ {/* Mobile top bar */} +
+ + + {ALL_NAV_ITEMS.find(i => i.id === activeSection)?.label ?? 'Documentation'} + + {sidebarOpen && ( + + )} +
+ +
+ + + +
+
+
+ ); +} + +// ─── Breadcrumb ─────────────────────────────────────────────────────────────── + +function Breadcrumb({ activeSection, onNavigate }: { activeSection: string; onNavigate: (id: string) => void }) { + if (activeSection === 'home') return null; + const current = ALL_NAV_ITEMS.find(i => i.id === activeSection); + return ( + + ); +} + +// ─── Public export ──────────────────────────────────────────────────────────── + +export function DocsPageContent(props: DocsPageContentProps) { + const fallbackStyle = props.variant === 'dashboard' + ? { height: 'calc(100vh - 64px)' } + : { minHeight: 'calc(100vh - 80px)' }; + + return ( + +
+
+ }> + + + ); +} diff --git a/apps/frontend/src/components/docs/docsNav.ts b/apps/frontend/src/components/docs/docsNav.ts new file mode 100644 index 0000000..22e34aa --- /dev/null +++ b/apps/frontend/src/components/docs/docsNav.ts @@ -0,0 +1,61 @@ +import { + Home, + Zap, + Key, + Package, + TrendingUp, + Building2, + List, + AlertTriangle, + ShieldCheck, + type LucideIcon, +} from 'lucide-react'; + +export interface NavItem { + id: string; + label: string; + icon: LucideIcon; +} + +export interface NavSection { + title: string; + items: NavItem[]; +} + +export const DOC_SECTIONS: NavSection[] = [ + { + title: 'Démarrage', + items: [ + { id: 'home', label: 'Vue d\'ensemble', icon: Home }, + { id: 'quickstart', label: 'Guide de démarrage', icon: Zap }, + ], + }, + { + title: 'Authentification', + items: [ + { id: 'authentication', label: 'Clés API', icon: Key }, + ], + }, + { + title: 'Ressources API', + items: [ + { id: 'bookings', label: 'Bookings', icon: Package }, + { id: 'rates', label: 'Tarifs', icon: TrendingUp }, + { id: 'organizations', label: 'Organisations', icon: Building2 }, + ], + }, + { + title: 'Référence', + items: [ + { id: 'endpoints', label: 'Tous les endpoints', icon: List }, + { id: 'errors', label: 'Codes d\'erreur', icon: AlertTriangle }, + { id: 'rate-limiting', label: 'Rate Limiting', icon: ShieldCheck }, + ], + }, +]; + +export const ALL_NAV_ITEMS: NavItem[] = DOC_SECTIONS.flatMap(s => s.items); + +export function findNavItem(id: string): NavItem | undefined { + return ALL_NAV_ITEMS.find(item => item.id === id); +} diff --git a/apps/frontend/src/components/layout/LandingFooter.tsx b/apps/frontend/src/components/layout/LandingFooter.tsx index d334279..c4a038d 100644 --- a/apps/frontend/src/components/layout/LandingFooter.tsx +++ b/apps/frontend/src/components/layout/LandingFooter.tsx @@ -80,21 +80,11 @@ export function LandingFooter() { Contact -
  • - - Carrières - -
  • Blog
    • -
  • - - Presse - -
    • @@ -117,11 +107,6 @@ export function LandingFooter() { Politique de cookies -
  • - - Sécurité - -
  • Conformité RGPD diff --git a/apps/frontend/src/components/layout/LandingHeader.tsx b/apps/frontend/src/components/layout/LandingHeader.tsx index ba44ebf..e225a22 100644 --- a/apps/frontend/src/components/layout/LandingHeader.tsx +++ b/apps/frontend/src/components/layout/LandingHeader.tsx @@ -6,18 +6,16 @@ import Image from 'next/image'; import { motion, AnimatePresence } from 'framer-motion'; import { ChevronDown, - Briefcase, - Newspaper, - Mail, Info, BookOpen, LayoutDashboard, + Code2, } from 'lucide-react'; import { useAuth } from '@/lib/context/auth-context'; interface LandingHeaderProps { transparentOnTop?: boolean; - activePage?: 'about' | 'contact' | 'careers' | 'blog' | 'press'; + activePage?: 'about' | 'contact' | 'careers' | 'blog' | 'press' | 'docs'; } export function LandingHeader({ transparentOnTop = false, activePage }: LandingHeaderProps) { @@ -27,12 +25,13 @@ export function LandingHeader({ transparentOnTop = false, activePage }: LandingH const companyMenuItems = [ { href: '/about', label: 'À propos', icon: Info, description: 'Notre histoire et mission' }, - { href: '/contact', label: 'Contact', icon: Mail, description: 'Nous contacter' }, - { href: '/careers', label: 'Carrières', icon: Briefcase, description: 'Rejoignez-nous' }, { href: '/blog', label: 'Blog', icon: BookOpen, description: 'Actualités et insights' }, - { href: '/press', label: 'Presse', icon: Newspaper, description: 'Espace presse' }, ]; + // "Entreprise" dropdown is active only for its own sub-pages (not contact) + const isCompanyMenuActive = + activePage !== undefined && ['about', 'blog'].includes(activePage); + const getUserInitials = () => { if (!user) return ''; const firstInitial = user.firstName?.charAt(0)?.toUpperCase() || ''; @@ -93,12 +92,6 @@ export function LandingHeader({ transparentOnTop = false, activePage }: LandingH > Fonctionnalités - - Outils -
    • + + Contact + + + + + Docs API + + {/* Affichage conditionnel: connecté vs non connecté */} {loading ? (
    diff --git a/apps/frontend/src/components/organization/LicensesTab.tsx b/apps/frontend/src/components/organization/LicensesTab.tsx index 694524c..5110397 100644 --- a/apps/frontend/src/components/organization/LicensesTab.tsx +++ b/apps/frontend/src/components/organization/LicensesTab.tsx @@ -65,7 +65,6 @@ export default function LicensesTab() {

    {subscription?.usedLicenses || 0}

    -

    Hors ADMIN (illimité)

    Licences disponibles

    diff --git a/apps/frontend/src/components/organization/SubscriptionTab.tsx b/apps/frontend/src/components/organization/SubscriptionTab.tsx index 1bcac26..10df2a8 100644 --- a/apps/frontend/src/components/organization/SubscriptionTab.tsx +++ b/apps/frontend/src/components/organization/SubscriptionTab.tsx @@ -117,7 +117,7 @@ export default function SubscriptionTab() { }); const handleUpgrade = (plan: SubscriptionPlan) => { - if (plan === 'FREE') return; + if (plan === 'BRONZE') return; setSelectedPlan(plan); checkoutMutation.mutate(plan); }; @@ -149,7 +149,7 @@ export default function SubscriptionTab() { const canUpgrade = (plan: SubscriptionPlan): boolean => { if (!subscription) return false; - const planOrder: SubscriptionPlan[] = ['FREE', 'STARTER', 'PRO', 'ENTERPRISE']; + const planOrder: SubscriptionPlan[] = ['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM']; return planOrder.indexOf(plan) > planOrder.indexOf(subscription.plan); }; @@ -230,7 +230,7 @@ export default function SubscriptionTab() { )}
    - {subscription.plan !== 'FREE' && ( + {subscription.plan !== 'BRONZE' && (
    @@ -333,7 +333,7 @@ export default function SubscriptionTab() {

    {plan.name}

    - {plan.plan === 'ENTERPRISE' + {plan.plan === 'PLATINIUM' ? 'Sur devis' : formatPrice( billingInterval === 'yearly' @@ -341,7 +341,7 @@ export default function SubscriptionTab() { : plan.monthlyPriceEur, )} - {plan.plan !== 'ENTERPRISE' && plan.plan !== 'FREE' && ( + {plan.plan !== 'PLATINIUM' && plan.plan !== 'BRONZE' && ( /{billingInterval === 'yearly' ? 'an' : 'mois'} @@ -381,7 +381,7 @@ export default function SubscriptionTab() { > Plan actuel - ) : plan.plan === 'ENTERPRISE' ? ( + ) : plan.plan === 'PLATINIUM' ? ( - - {children} - - + + + {children} + + + ); diff --git a/apps/frontend/src/components/ui/FeatureGate.tsx b/apps/frontend/src/components/ui/FeatureGate.tsx new file mode 100644 index 0000000..6060457 --- /dev/null +++ b/apps/frontend/src/components/ui/FeatureGate.tsx @@ -0,0 +1,68 @@ +'use client'; + +import React from 'react'; +import Link from 'next/link'; +import { Lock } from 'lucide-react'; +import { useSubscription } from '@/lib/context/subscription-context'; +import type { PlanFeature } from '@/lib/api/subscriptions'; + +interface FeatureGateProps { + feature: PlanFeature; + children: React.ReactNode; + fallback?: React.ReactNode; +} + +const FEATURE_MIN_PLAN: Record = { + dashboard: 'Silver', + wiki: 'Silver', + user_management: 'Silver', + csv_export: 'Silver', + api_access: 'Gold', + custom_interface: 'Platinium', + dedicated_kam: 'Platinium', +}; + +export default function FeatureGate({ feature, children, fallback }: FeatureGateProps) { + const { hasFeature, loading } = useSubscription(); + + if (loading) { + return <>{children}; + } + + if (hasFeature(feature)) { + return <>{children}; + } + + if (fallback) { + return <>{fallback}; + } + + const minPlan = FEATURE_MIN_PLAN[feature] || 'Silver'; + + return ( +
    +
    + {children} +
    +
    +
    +
    + +
    +

    + Fonctionnalité {minPlan}+ +

    +

    + Cette fonctionnalité nécessite le plan {minPlan} ou supérieur. +

    + + Voir les plans + +
    +
    +
    + ); +} diff --git a/apps/frontend/src/components/ui/StatusBadge.tsx b/apps/frontend/src/components/ui/StatusBadge.tsx new file mode 100644 index 0000000..a5e5fa1 --- /dev/null +++ b/apps/frontend/src/components/ui/StatusBadge.tsx @@ -0,0 +1,49 @@ +'use client'; + +import React from 'react'; +import { Shield } from 'lucide-react'; + +interface StatusBadgeProps { + badge: 'none' | 'silver' | 'gold' | 'platinium'; + size?: 'sm' | 'md'; +} + +const BADGE_CONFIG = { + none: null, + silver: { + label: 'Silver', + bg: 'bg-slate-100', + text: 'text-slate-700', + icon: 'text-slate-500', + }, + gold: { + label: 'Gold', + bg: 'bg-yellow-100', + text: 'text-yellow-800', + icon: 'text-yellow-600', + }, + platinium: { + label: 'Platinium', + bg: 'bg-purple-100', + text: 'text-purple-800', + icon: 'text-purple-600', + }, +}; + +export default function StatusBadge({ badge, size = 'sm' }: StatusBadgeProps) { + const config = BADGE_CONFIG[badge]; + if (!config) return null; + + const sizeClasses = size === 'sm' + ? 'text-xs px-2 py-0.5 gap-1' + : 'text-sm px-3 py-1 gap-1.5'; + + const iconSize = size === 'sm' ? 'w-3 h-3' : 'w-4 h-4'; + + return ( + + + {config.label} + + ); +} diff --git a/apps/frontend/src/lib/api/admin.ts b/apps/frontend/src/lib/api/admin.ts index a06d3fb..ce227a4 100644 --- a/apps/frontend/src/lib/api/admin.ts +++ b/apps/frontend/src/lib/api/admin.ts @@ -80,6 +80,39 @@ export async function getAdminOrganization(id: string): Promise(`/api/v1/admin/organizations/${id}`); } +/** + * Verify SIRET for an organization via Pappers API (admin only) + * POST /api/v1/admin/organizations/:id/verify-siret + * Requires: ADMIN role + */ +export async function verifySiret( + organizationId: string +): Promise<{ verified: boolean; companyName?: string; address?: string; message: string }> { + return post(`/api/v1/admin/organizations/${organizationId}/verify-siret`, {}); +} + +/** + * Manually approve SIRET/SIREN for an organization (admin only) + * POST /api/v1/admin/organizations/:id/approve-siret + * Requires: ADMIN role + */ +export async function approveSiret( + organizationId: string +): Promise<{ approved: boolean; message: string; organizationName: string }> { + return post(`/api/v1/admin/organizations/${organizationId}/approve-siret`, {}); +} + +/** + * Reject SIRET/SIREN for an organization (admin only) + * POST /api/v1/admin/organizations/:id/reject-siret + * Requires: ADMIN role + */ +export async function rejectSiret( + organizationId: string +): Promise<{ rejected: boolean; message: string; organizationName: string }> { + return post(`/api/v1/admin/organizations/${organizationId}/reject-siret`, {}); +} + // ==================== BOOKINGS ==================== /** @@ -101,6 +134,36 @@ export async function getAdminBooking(id: string): Promise { return get(`/api/v1/admin/bookings/${id}`); } +/** + * Validate bank transfer for a booking (admin only) + * POST /api/v1/admin/bookings/:id/validate-transfer + * Confirms receipt of wire transfer and activates the booking + * Requires: ADMIN role + */ +export async function validateBankTransfer(bookingId: string): Promise { + return post(`/api/v1/admin/bookings/${bookingId}/validate-transfer`, {}); +} + +/** + * Delete a booking (admin only) + * DELETE /api/v1/admin/bookings/:id + * Permanently deletes a booking from the database + * Requires: ADMIN role + */ +export async function deleteAdminBooking(bookingId: string): Promise { + return del(`/api/v1/admin/bookings/${bookingId}`); +} + +/** + * Delete a document from a booking (admin only) + * DELETE /api/v1/admin/bookings/:bookingId/documents/:documentId + * Bypasses ownership and status restrictions + * Requires: ADMIN role + */ +export async function deleteAdminDocument(bookingId: string, documentId: string): Promise { + return del(`/api/v1/admin/bookings/${bookingId}/documents/${documentId}`); +} + // ==================== DOCUMENTS ==================== /** diff --git a/apps/frontend/src/lib/api/admin/csv-rates.ts b/apps/frontend/src/lib/api/admin/csv-rates.ts index 86dc11e..71796ec 100644 --- a/apps/frontend/src/lib/api/admin/csv-rates.ts +++ b/apps/frontend/src/lib/api/admin/csv-rates.ts @@ -16,6 +16,7 @@ export interface CsvFileInfo { size: number; uploadedAt: string; rowCount?: number; + companyEmail?: string | null; } export interface CsvFileListResponse { diff --git a/apps/frontend/src/lib/api/api-keys.ts b/apps/frontend/src/lib/api/api-keys.ts new file mode 100644 index 0000000..0a6dd6d --- /dev/null +++ b/apps/frontend/src/lib/api/api-keys.ts @@ -0,0 +1,55 @@ +/** + * API Keys API + * + * Endpoints for managing API keys (Gold and Platinum plans only) + */ + +import { get, post, del } from './client'; + +export interface ApiKeyDto { + id: string; + name: string; + keyPrefix: string; + isActive: boolean; + lastUsedAt: string | null; + expiresAt: string | null; + createdAt: string; +} + +export interface CreateApiKeyResultDto extends ApiKeyDto { + /** Full key — shown only once at creation time */ + fullKey: string; +} + +export interface CreateApiKeyRequest { + name: string; + expiresAt?: string; +} + +/** + * List all API keys for the current organization + * GET /api-keys + * Requires: Gold or Platinum plan + */ +export async function listApiKeys(): Promise { + return get('/api-keys'); +} + +/** + * Create a new API key + * POST /api-keys + * Requires: Gold or Platinum plan + * Returns the full key — shown only once + */ +export async function createApiKey(data: CreateApiKeyRequest): Promise { + return post('/api-keys', data); +} + +/** + * Revoke an API key (immediate and irreversible) + * DELETE /api-keys/:id + * Requires: Gold or Platinum plan + */ +export async function revokeApiKey(id: string): Promise { + return del(`/api-keys/${id}`); +} diff --git a/apps/frontend/src/lib/api/auth.ts b/apps/frontend/src/lib/api/auth.ts index 3ffe267..0129251 100644 --- a/apps/frontend/src/lib/api/auth.ts +++ b/apps/frontend/src/lib/api/auth.ts @@ -31,11 +31,12 @@ export async function register(data: RegisterRequest): Promise { * User login * POST /api/v1/auth/login */ -export async function login(data: LoginRequest): Promise { - const response = await post('/api/v1/auth/login', data, false); +export async function login(data: LoginRequest & { rememberMe?: boolean }): Promise { + const { rememberMe, ...loginData } = data; + const response = await post('/api/v1/auth/login', loginData, false); - // Store tokens - setAuthTokens(response.accessToken, response.refreshToken); + // Store tokens — localStorage if rememberMe, sessionStorage otherwise + setAuthTokens(response.accessToken, response.refreshToken, rememberMe ?? false); return response; } @@ -69,3 +70,35 @@ export async function logout(): Promise { export async function getCurrentUser(): Promise { return get('/api/v1/auth/me'); } + +/** + * Contact form — send message to contact@xpeditis.com + * POST /api/v1/auth/contact + */ +export async function sendContactForm(data: { + firstName: string; + lastName: string; + email: string; + company?: string; + phone?: string; + subject: string; + message: string; +}): Promise<{ message: string }> { + return post<{ message: string }>('/api/v1/auth/contact', data, false); +} + +/** + * Forgot password — request reset email + * POST /api/v1/auth/forgot-password + */ +export async function forgotPassword(email: string): Promise<{ message: string }> { + return post<{ message: string }>('/api/v1/auth/forgot-password', { email }, false); +} + +/** + * Reset password with token from email + * POST /api/v1/auth/reset-password + */ +export async function resetPassword(token: string, newPassword: string): Promise<{ message: string }> { + return post<{ message: string }>('/api/v1/auth/reset-password', { token, newPassword }, false); +} diff --git a/apps/frontend/src/lib/api/bookings.ts b/apps/frontend/src/lib/api/bookings.ts index 7ee9e68..e8138d7 100644 --- a/apps/frontend/src/lib/api/bookings.ts +++ b/apps/frontend/src/lib/api/bookings.ts @@ -51,7 +51,7 @@ export interface CsvBookingResponse { primaryCurrency: string; transitDays: number; containerType: string; - status: 'PENDING' | 'ACCEPTED' | 'REJECTED'; + status: 'PENDING_PAYMENT' | 'PENDING' | 'ACCEPTED' | 'REJECTED' | 'CANCELLED'; documents: Array<{ type: string; fileName: string; @@ -64,6 +64,14 @@ export interface CsvBookingResponse { rejectedAt?: string; createdAt: string; updatedAt: string; + commissionRate?: number; + commissionAmountEur?: number; +} + +export interface CommissionPaymentResponse { + sessionUrl: string; + sessionId: string; + commissionAmountEur: number; } export interface CsvBookingListResponse { @@ -287,3 +295,34 @@ export async function rejectCsvBooking( false // includeAuth = false ); } + +/** + * Create Stripe Checkout session for commission payment + * POST /api/v1/csv-bookings/:id/pay + */ +export async function payBookingCommission( + bookingId: string +): Promise { + return post(`/api/v1/csv-bookings/${bookingId}/pay`, {}); +} + +/** + * Confirm commission payment after Stripe redirect + * POST /api/v1/csv-bookings/:id/confirm-payment + */ +export async function confirmBookingPayment( + bookingId: string, + sessionId: string +): Promise { + return post(`/api/v1/csv-bookings/${bookingId}/confirm-payment`, { + sessionId, + }); +} + +/** + * Declare bank transfer — user confirms they have sent the wire transfer + * POST /api/v1/csv-bookings/:id/declare-transfer + */ +export async function declareBankTransfer(bookingId: string): Promise { + return post(`/api/v1/csv-bookings/${bookingId}/declare-transfer`, {}); +} diff --git a/apps/frontend/src/lib/api/client.ts b/apps/frontend/src/lib/api/client.ts index f752f6f..2fe11f0 100644 --- a/apps/frontend/src/lib/api/client.ts +++ b/apps/frontend/src/lib/api/client.ts @@ -11,38 +11,48 @@ let isRefreshing = false; let refreshSubscribers: Array<(token: string) => void> = []; /** - * Get authentication token from localStorage + * Get authentication token — checks localStorage first (remember me), then sessionStorage */ export function getAuthToken(): string | null { if (typeof window === 'undefined') return null; - return localStorage.getItem('access_token'); + return localStorage.getItem('access_token') || sessionStorage.getItem('access_token'); } /** - * Get refresh token from localStorage + * Get refresh token — checks localStorage first (remember me), then sessionStorage */ export function getRefreshToken(): string | null { if (typeof window === 'undefined') return null; - return localStorage.getItem('refresh_token'); + return localStorage.getItem('refresh_token') || sessionStorage.getItem('refresh_token'); } /** - * Set authentication tokens + * Set authentication tokens. + * rememberMe=true → localStorage (persists across browser sessions) + * rememberMe=false → sessionStorage (cleared when browser closes) */ -export function setAuthTokens(accessToken: string, refreshToken: string): void { +export function setAuthTokens(accessToken: string, refreshToken: string, rememberMe = false): void { if (typeof window === 'undefined') return; - localStorage.setItem('access_token', accessToken); - localStorage.setItem('refresh_token', refreshToken); + const storage = rememberMe ? localStorage : sessionStorage; + storage.setItem('access_token', accessToken); + storage.setItem('refresh_token', refreshToken); + // Sync to cookie so Next.js middleware can read it for route protection + document.cookie = `accessToken=${accessToken}; path=/; SameSite=Lax`; } /** - * Clear authentication tokens + * Clear authentication tokens from both storages */ export function clearAuthTokens(): void { if (typeof window === 'undefined') return; localStorage.removeItem('access_token'); localStorage.removeItem('refresh_token'); localStorage.removeItem('user'); + sessionStorage.removeItem('access_token'); + sessionStorage.removeItem('refresh_token'); + sessionStorage.removeItem('user'); + // Expire the middleware cookie + document.cookie = 'accessToken=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; SameSite=Lax'; } /** @@ -91,9 +101,11 @@ async function refreshAccessToken(): Promise { const data = await response.json(); const newAccessToken = data.accessToken; - // Update access token in localStorage (keep same refresh token) + // Update access token in the same storage that holds the refresh token if (typeof window !== 'undefined') { - localStorage.setItem('access_token', newAccessToken); + const storage = localStorage.getItem('refresh_token') ? localStorage : sessionStorage; + storage.setItem('access_token', newAccessToken); + document.cookie = `accessToken=${newAccessToken}; path=/; SameSite=Lax`; } return newAccessToken; diff --git a/apps/frontend/src/lib/api/index.ts b/apps/frontend/src/lib/api/index.ts index f3d6e82..913d43e 100644 --- a/apps/frontend/src/lib/api/index.ts +++ b/apps/frontend/src/lib/api/index.ts @@ -24,8 +24,8 @@ export { ApiError, } from './client'; -// Authentication (5 endpoints) -export { register, login, refreshToken, logout, getCurrentUser } from './auth'; +// Authentication (8 endpoints) +export { register, login, refreshToken, logout, getCurrentUser, forgotPassword, resetPassword, sendContactForm } from './auth'; // Rates (4 endpoints) export { searchRates, searchCsvRates, getAvailableCompanies, getFilterOptions } from './rates'; diff --git a/apps/frontend/src/lib/api/invitations.ts b/apps/frontend/src/lib/api/invitations.ts index f20064f..ff949fa 100644 --- a/apps/frontend/src/lib/api/invitations.ts +++ b/apps/frontend/src/lib/api/invitations.ts @@ -1,4 +1,4 @@ -import { get, post } from './client'; +import { get, post, del } from './client'; /** * Invitation API Types @@ -49,3 +49,10 @@ export async function verifyInvitation(token: string): Promise { return get('/api/v1/invitations'); } + +/** + * Cancel (delete) a pending invitation + */ +export async function cancelInvitation(id: string): Promise { + return del(`/api/v1/invitations/${id}`); +} diff --git a/apps/frontend/src/lib/api/subscriptions.ts b/apps/frontend/src/lib/api/subscriptions.ts index 2e6b96b..28a06d9 100644 --- a/apps/frontend/src/lib/api/subscriptions.ts +++ b/apps/frontend/src/lib/api/subscriptions.ts @@ -9,7 +9,16 @@ import { get, post } from './client'; /** * Subscription plan types */ -export type SubscriptionPlan = 'FREE' | 'STARTER' | 'PRO' | 'ENTERPRISE'; +export type SubscriptionPlan = 'BRONZE' | 'SILVER' | 'GOLD' | 'PLATINIUM'; + +export type PlanFeature = + | 'dashboard' + | 'wiki' + | 'user_management' + | 'csv_export' + | 'api_access' + | 'custom_interface' + | 'dedicated_kam'; /** * Subscription status types @@ -38,6 +47,11 @@ export interface PlanDetails { maxLicenses: number; monthlyPriceEur: number; yearlyPriceEur: number; + maxShipmentsPerYear: number; + commissionRatePercent: number; + supportLevel: 'none' | 'email' | 'direct' | 'dedicated_kam'; + statusBadge: 'none' | 'silver' | 'gold' | 'platinium'; + planFeatures: PlanFeature[]; features: string[]; } @@ -190,14 +204,14 @@ export function formatPrice(amount: number, currency = 'EUR'): string { */ export function getPlanBadgeColor(plan: SubscriptionPlan): string { switch (plan) { - case 'FREE': - return 'bg-gray-100 text-gray-800'; - case 'STARTER': - return 'bg-blue-100 text-blue-800'; - case 'PRO': + case 'BRONZE': + return 'bg-orange-100 text-orange-800'; + case 'SILVER': + return 'bg-slate-100 text-slate-800'; + case 'GOLD': + return 'bg-yellow-100 text-yellow-800'; + case 'PLATINIUM': return 'bg-purple-100 text-purple-800'; - case 'ENTERPRISE': - return 'bg-amber-100 text-amber-800'; default: return 'bg-gray-100 text-gray-800'; } diff --git a/apps/frontend/src/lib/context/auth-context.tsx b/apps/frontend/src/lib/context/auth-context.tsx index 2431eb6..6849b80 100644 --- a/apps/frontend/src/lib/context/auth-context.tsx +++ b/apps/frontend/src/lib/context/auth-context.tsx @@ -20,7 +20,7 @@ import type { UserPayload } from '@/types/api'; interface AuthContextType { user: UserPayload | null; loading: boolean; - login: (email: string, password: string) => Promise; + login: (email: string, password: string, redirectTo?: string, rememberMe?: boolean) => Promise; register: (data: { email: string; password: string; @@ -106,17 +106,18 @@ export function AuthProvider({ children }: { children: React.ReactNode }) { return () => clearInterval(tokenCheckInterval); }, []); - const login = async (email: string, password: string) => { + const login = async (email: string, password: string, redirectTo = '/dashboard', rememberMe = false) => { try { - const response = await apiLogin({ email, password }); + await apiLogin({ email, password, rememberMe }); // Fetch complete user profile after login const currentUser = await getCurrentUser(); setUser(currentUser); - // Store user in localStorage + // Store user in the same storage as the tokens if (typeof window !== 'undefined') { - localStorage.setItem('user', JSON.stringify(currentUser)); + const storage = rememberMe ? localStorage : sessionStorage; + storage.setItem('user', JSON.stringify(currentUser)); } - router.push('/dashboard'); + router.push(redirectTo); } catch (error) { throw error; } diff --git a/apps/frontend/src/lib/context/subscription-context.tsx b/apps/frontend/src/lib/context/subscription-context.tsx new file mode 100644 index 0000000..16686b7 --- /dev/null +++ b/apps/frontend/src/lib/context/subscription-context.tsx @@ -0,0 +1,77 @@ +'use client'; + +import React, { createContext, useContext, useState, useEffect } from 'react'; +import { useAuth } from './auth-context'; +import { + getSubscriptionOverview, + type SubscriptionOverviewResponse, + type SubscriptionPlan, + type PlanFeature, +} from '../api/subscriptions'; + +interface SubscriptionContextType { + subscription: SubscriptionOverviewResponse | null; + loading: boolean; + plan: SubscriptionPlan | null; + planFeatures: PlanFeature[]; + hasFeature: (feature: PlanFeature) => boolean; + refresh: () => Promise; +} + +const SubscriptionContext = createContext(undefined); + +export function SubscriptionProvider({ children }: { children: React.ReactNode }) { + const { user, isAuthenticated } = useAuth(); + const [subscription, setSubscription] = useState(null); + const [loading, setLoading] = useState(true); + + const fetchSubscription = async () => { + if (!isAuthenticated) { + setSubscription(null); + setLoading(false); + return; + } + try { + const data = await getSubscriptionOverview(); + setSubscription(data); + } catch (error) { + console.error('Failed to fetch subscription:', error); + } finally { + setLoading(false); + } + }; + + useEffect(() => { + fetchSubscription(); + }, [isAuthenticated, user?.organizationId]); + + const plan = subscription?.plan ?? null; + const planFeatures = subscription?.planDetails?.planFeatures ?? []; + + const hasFeature = (feature: PlanFeature): boolean => { + return planFeatures.includes(feature); + }; + + return ( + + {children} + + ); +} + +export function useSubscription() { + const context = useContext(SubscriptionContext); + if (context === undefined) { + throw new Error('useSubscription must be used within a SubscriptionProvider'); + } + return context; +} diff --git a/apps/frontend/src/types/api.ts b/apps/frontend/src/types/api.ts index e371092..b9ddcef 100644 --- a/apps/frontend/src/types/api.ts +++ b/apps/frontend/src/types/api.ts @@ -11,6 +11,8 @@ export interface RegisterOrganizationData { name: string; type: OrganizationType; + siren: string; + siret?: string; street: string; city: string; state?: string; @@ -24,7 +26,8 @@ export interface RegisterRequest { password: string; firstName: string; lastName: string; - organizationId?: string; // For invited users + invitationToken?: string; // For invited users (token-based) + organizationId?: string; // For invited users (ID-based) organization?: RegisterOrganizationData; // For new users } @@ -120,6 +123,7 @@ export interface CreateOrganizationRequest { export interface UpdateOrganizationRequest { name?: string; siren?: string; + siret?: string; eori?: string; contact_phone?: string; contact_email?: string; @@ -149,6 +153,9 @@ export interface OrganizationResponse { scac?: string | null; siren?: string | null; eori?: string | null; + siret?: string | null; + siretVerified?: boolean; + statusBadge?: 'none' | 'silver' | 'gold' | 'platinium'; contact_phone?: string | null; contact_email?: string | null; address: OrganizationAddress; diff --git a/apps/log-exporter/Dockerfile b/apps/log-exporter/Dockerfile new file mode 100644 index 0000000..d56679e --- /dev/null +++ b/apps/log-exporter/Dockerfile @@ -0,0 +1,14 @@ +FROM node:20-alpine + +WORKDIR /app + +COPY package.json ./ +RUN npm install --omit=dev + +COPY src/ ./src/ + +EXPOSE 3200 + +USER node + +CMD ["node", "src/index.js"] diff --git a/apps/log-exporter/package.json b/apps/log-exporter/package.json new file mode 100644 index 0000000..7edc547 --- /dev/null +++ b/apps/log-exporter/package.json @@ -0,0 +1,15 @@ +{ + "name": "xpeditis-log-exporter", + "version": "1.0.0", + "description": "Log export API for Xpeditis - queries Loki and exports logs as CSV/JSON", + "main": "src/index.js", + "scripts": { + "start": "node src/index.js", + "dev": "node --watch src/index.js" + }, + "dependencies": { + "express": "^4.18.2", + "node-fetch": "^3.3.2", + "json2csv": "^6.0.0-alpha.2" + } +} diff --git a/apps/log-exporter/src/index.js b/apps/log-exporter/src/index.js new file mode 100644 index 0000000..ba659b7 --- /dev/null +++ b/apps/log-exporter/src/index.js @@ -0,0 +1,319 @@ +'use strict'; + +const express = require('express'); +const { Transform } = require('stream'); + +const app = express(); +const PORT = process.env.PORT || 3200; +const LOKI_URL = process.env.LOKI_URL || 'http://loki:3100'; +const API_KEY = process.env.LOG_EXPORTER_API_KEY; + +// ─── Helpers ───────────────────────────────────────────────────────────────── + +/** + * Simple API key middleware (optional, enabled when LOG_EXPORTER_API_KEY is set). + */ +function authMiddleware(req, res, next) { + if (!API_KEY) return next(); + const key = req.headers['x-api-key'] || req.query.apiKey; + if (key !== API_KEY) { + return res.status(401).json({ error: 'Unauthorized' }); + } + next(); +} + +/** + * Build a Loki LogQL query from request params. + * Supports: service, level, search (free text filter) + */ +function buildLogQLQuery({ service, level, search }) { + const labelFilters = []; + + if (service && service !== 'all') { + const services = service.split(',').map((s) => s.trim()).filter(Boolean); + if (services.length === 1) { + labelFilters.push(`service="${services[0]}"`); + } else { + labelFilters.push(`service=~"${services.join('|')}"`); + } + } + + if (level && level !== 'all') { + const levels = level.split(',').map((l) => l.trim()).filter(Boolean); + if (levels.length === 1) { + labelFilters.push(`level="${levels[0]}"`); + } else { + labelFilters.push(`level=~"${levels.join('|')}"`); + } + } + + const streamSelector = labelFilters.length > 0 + ? `{${labelFilters.join(', ')}}` + : `{service=~".+"}`; + + const lineFilters = search ? ` |= \`${search}\`` : ''; + + return `${streamSelector}${lineFilters}`; +} + +/** + * Query Loki's query_range endpoint and return flattened log entries. + */ +async function queryLoki({ query, start, end, limit = 5000 }) { + const params = new URLSearchParams({ + query, + start: String(start), + end: String(end), + limit: String(Math.min(limit, 5000)), + direction: 'BACKWARD', + }); + + const url = `${LOKI_URL}/loki/api/v1/query_range?${params}`; + + const response = await fetch(url, { + headers: { 'Accept': 'application/json' }, + signal: AbortSignal.timeout(30000), + }); + + if (!response.ok) { + const body = await response.text(); + throw new Error(`Loki query failed (${response.status}): ${body}`); + } + + const data = await response.json(); + + if (data.status !== 'success') { + throw new Error(`Loki returned status: ${data.status}`); + } + + // Flatten streams → individual log entries + const entries = []; + for (const stream of data.data.result || []) { + const labels = stream.stream || {}; + for (const [tsNano, line] of stream.values || []) { + let parsed = {}; + try { + parsed = JSON.parse(line); + } catch { + parsed = { msg: line }; + } + + entries.push({ + timestamp: new Date(Math.floor(Number(tsNano) / 1e6)).toISOString(), + service: labels.service || labels.container || 'unknown', + level: labels.level || parsed.level || 'info', + context: labels.context || parsed.context || '', + message: parsed.msg || parsed.message || line, + reqId: parsed.reqId || '', + req_method: parsed.req?.method || '', + req_url: parsed.req?.url || '', + res_status: parsed.res?.statusCode || '', + response_time_ms: parsed.responseTime || '', + error: parsed.err?.message || '', + raw: line, + }); + } + } + + // Sort by timestamp ascending + entries.sort((a, b) => new Date(a.timestamp) - new Date(b.timestamp)); + return entries; +} + +/** + * Convert array of objects to CSV string. + */ +function toCSV(entries) { + if (entries.length === 0) return ''; + + const headers = [ + 'timestamp', 'service', 'level', 'context', + 'message', 'reqId', 'req_method', 'req_url', + 'res_status', 'response_time_ms', 'error', + ]; + + const escape = (val) => { + if (val === null || val === undefined) return ''; + const str = String(val); + if (str.includes(',') || str.includes('"') || str.includes('\n')) { + return `"${str.replace(/"/g, '""')}"`; + } + return str; + }; + + const rows = [headers.join(',')]; + for (const entry of entries) { + rows.push(headers.map((h) => escape(entry[h])).join(',')); + } + return rows.join('\n'); +} + +// ─── Routes ────────────────────────────────────────────────────────────────── + +app.use(express.json()); + +// Rate limiting (basic — 60 requests/min per IP) +const requestCounts = new Map(); +setInterval(() => requestCounts.clear(), 60000); + +app.use((req, res, next) => { + const ip = req.ip; + const count = (requestCounts.get(ip) || 0) + 1; + requestCounts.set(ip, count); + if (count > 60) { + return res.status(429).json({ error: 'Too Many Requests' }); + } + next(); +}); + +// CORS for Grafana / frontend +app.use((req, res, next) => { + res.setHeader('Access-Control-Allow-Origin', '*'); + res.setHeader('Access-Control-Allow-Headers', 'Content-Type, x-api-key'); + res.setHeader('Access-Control-Allow-Methods', 'GET, OPTIONS'); + if (req.method === 'OPTIONS') return res.sendStatus(204); + next(); +}); + +/** + * GET /health + */ +app.get('/health', (req, res) => { + res.json({ status: 'ok', loki: LOKI_URL }); +}); + +/** + * GET /api/logs/services + * Returns the list of services currently emitting logs. + */ +app.get('/api/logs/services', authMiddleware, async (req, res) => { + try { + const response = await fetch(`${LOKI_URL}/loki/api/v1/label/service/values`, { + signal: AbortSignal.timeout(5000), + }); + if (!response.ok) throw new Error(`Loki error: ${response.status}`); + const data = await response.json(); + res.json({ services: data.data || [] }); + } catch (err) { + res.status(500).json({ error: err.message }); + } +}); + +/** + * GET /api/logs/labels + * Returns all available label names. + */ +app.get('/api/logs/labels', authMiddleware, async (req, res) => { + try { + const response = await fetch(`${LOKI_URL}/loki/api/v1/labels`, { + signal: AbortSignal.timeout(5000), + }); + if (!response.ok) throw new Error(`Loki error: ${response.status}`); + const data = await response.json(); + res.json({ labels: data.data || [] }); + } catch (err) { + res.status(500).json({ error: err.message }); + } +}); + +/** + * GET /api/logs/export + * + * Query params: + * - start : ISO date or Unix timestamp in ns (default: 1h ago) + * - end : ISO date or Unix timestamp in ns (default: now) + * - service : comma-separated service names (default: all) + * - level : comma-separated levels: error,warn,info,debug (default: all) + * - search : free-text search string + * - limit : max number of log lines (default: 5000, max: 5000) + * - format : "json" | "csv" (default: json) + * + * Examples: + * GET /api/logs/export?service=backend&level=error&format=csv + * GET /api/logs/export?start=2024-01-01T00:00:00Z&end=2024-01-02T00:00:00Z&format=json + */ +app.get('/api/logs/export', authMiddleware, async (req, res) => { + try { + const now = Date.now(); + const ONE_HOUR_NS = 3600 * 1e9; + const nowNs = BigInt(now) * 1000000n; + const oneHourAgoNs = nowNs - BigInt(ONE_HOUR_NS); + + // Parse time range + const parseTime = (val, defaultNs) => { + if (!val) return defaultNs; + // Already in nanoseconds (large number) + if (/^\d{18,}$/.test(val)) return BigInt(val); + // Unix timestamp in seconds or ms + const n = Number(val); + if (!isNaN(n)) { + // seconds → ns + if (n < 1e12) return BigInt(Math.floor(n * 1e9)); + // ms → ns + if (n < 1e15) return BigInt(n) * 1000000n; + return BigInt(n); + } + // ISO date string + const ms = Date.parse(val); + if (isNaN(ms)) throw new Error(`Invalid time value: ${val}`); + return BigInt(ms) * 1000000n; + }; + + const startNs = parseTime(req.query.start, oneHourAgoNs); + const endNs = parseTime(req.query.end, nowNs); + + if (endNs <= startNs) { + return res.status(400).json({ error: '"end" must be after "start"' }); + } + + const format = (req.query.format || 'json').toLowerCase(); + if (!['json', 'csv'].includes(format)) { + return res.status(400).json({ error: 'format must be "json" or "csv"' }); + } + + const limit = Math.min(parseInt(req.query.limit, 10) || 5000, 5000); + + const query = buildLogQLQuery({ + service: req.query.service, + level: req.query.level, + search: req.query.search, + }); + + const entries = await queryLoki({ + query, + start: startNs.toString(), + end: endNs.toString(), + limit, + }); + + if (format === 'csv') { + const csv = toCSV(entries); + const filename = `xpeditis-logs-${new Date().toISOString().slice(0, 10)}.csv`; + res.setHeader('Content-Type', 'text/csv; charset=utf-8'); + res.setHeader('Content-Disposition', `attachment; filename="${filename}"`); + return res.send(csv); + } + + // JSON response + res.json({ + total: entries.length, + query, + range: { + from: new Date(Number(startNs / 1000000n)).toISOString(), + to: new Date(Number(endNs / 1000000n)).toISOString(), + }, + logs: entries, + }); + } catch (err) { + console.error('[log-exporter] Export error:', err.message); + res.status(500).json({ error: err.message }); + } +}); + +// ─── Start ──────────────────────────────────────────────────────────────────── + +app.listen(PORT, () => { + console.log(`[log-exporter] Listening on port ${PORT}`); + console.log(`[log-exporter] Loki URL: ${LOKI_URL}`); + console.log(`[log-exporter] API key protection: ${API_KEY ? 'enabled' : 'disabled'}`); +}); diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 1365885..35a6a0f 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -50,7 +50,10 @@ services: dockerfile: Dockerfile container_name: xpeditis-backend-dev ports: - - "4001:4000" + - "4000:4000" + labels: + logging: promtail + logging.service: backend depends_on: postgres: condition: service_healthy @@ -58,6 +61,8 @@ services: condition: service_healthy environment: NODE_ENV: development + # Force JSON logs in Docker so Promtail can parse them + LOG_FORMAT: json PORT: 4000 API_PREFIX: api/v1 @@ -89,10 +94,10 @@ services: AWS_S3_BUCKET: xpeditis-csv-rates # CORS - Allow both localhost (browser) and container network - CORS_ORIGIN: "http://localhost:3001,http://localhost:4001" + CORS_ORIGIN: "http://localhost:3000,http://localhost:4000" # Application URL - APP_URL: http://localhost:3001 + APP_URL: http://localhost:3000 # Security BCRYPT_ROUNDS: 10 @@ -102,19 +107,30 @@ services: RATE_LIMIT_TTL: 60 RATE_LIMIT_MAX: 100 + # SMTP (Brevo) + SMTP_HOST: smtp-relay.brevo.com + SMTP_PORT: 587 + SMTP_USER: 9637ef001@smtp-brevo.com + SMTP_PASS: xsmtpsib-8d965bda028cd63bed868a119f9e0330485204bf9f4e1f92a3a11c8e61000722-xUYUSrGGxhMqlUcu + SMTP_SECURE: "false" + SMTP_FROM: noreply@xpeditis.com + frontend: build: context: ./apps/frontend dockerfile: Dockerfile args: - NEXT_PUBLIC_API_URL: http://localhost:4001 + NEXT_PUBLIC_API_URL: http://localhost:4000 container_name: xpeditis-frontend-dev ports: - - "3001:3000" + - "3000:3000" + labels: + logging: promtail + logging.service: frontend depends_on: - backend environment: - NEXT_PUBLIC_API_URL: http://localhost:4001 + NEXT_PUBLIC_API_URL: http://localhost:4000 volumes: postgres_data: diff --git a/docker-compose.full.yml b/docker-compose.full.yml new file mode 100644 index 0000000..e32f650 --- /dev/null +++ b/docker-compose.full.yml @@ -0,0 +1,254 @@ +# ───────────────────────────────────────────────────────────────────────────── +# Xpeditis — Full Dev Stack (infrastructure + app + logging) +# +# Usage: +# docker-compose -f docker-compose.full.yml up -d +# +# Exposed ports: +# - Frontend: http://localhost:3000 +# - Backend: http://localhost:4000 (Swagger: /api/docs) +# - Grafana: http://localhost:3030 (admin / xpeditis_grafana) +# - Loki: http://localhost:3100 (internal) +# - Promtail: http://localhost:9080 (internal) +# - log-exporter: http://localhost:3200 +# - MinIO: http://localhost:9001 (console) +# ───────────────────────────────────────────────────────────────────────────── + +version: '3.8' + +services: + # ─── Infrastructure ──────────────────────────────────────────────────────── + postgres: + image: postgres:15-alpine + container_name: xpeditis-postgres-dev + ports: + - "5432:5432" + volumes: + - postgres_data:/var/lib/postgresql/data + environment: + POSTGRES_DB: xpeditis_dev + POSTGRES_USER: xpeditis + POSTGRES_PASSWORD: xpeditis_dev_password + healthcheck: + test: ["CMD-SHELL", "pg_isready -U xpeditis"] + interval: 10s + timeout: 5s + retries: 5 + networks: + - xpeditis-network + + redis: + image: redis:7-alpine + container_name: xpeditis-redis-dev + ports: + - "6379:6379" + command: redis-server --requirepass xpeditis_redis_password + healthcheck: + test: ["CMD", "redis-cli", "ping"] + interval: 10s + timeout: 5s + retries: 5 + networks: + - xpeditis-network + + minio: + image: minio/minio:latest + container_name: xpeditis-minio-dev + ports: + - "9000:9000" + - "9001:9001" + command: server /data --console-address ":9001" + volumes: + - minio_data:/data + environment: + MINIO_ROOT_USER: minioadmin + MINIO_ROOT_PASSWORD: minioadmin + networks: + - xpeditis-network + + # ─── Application ─────────────────────────────────────────────────────────── + backend: + build: + context: ./apps/backend + dockerfile: Dockerfile + container_name: xpeditis-backend-dev + ports: + - "4000:4000" + labels: + logging: promtail + logging.service: backend + depends_on: + postgres: + condition: service_healthy + redis: + condition: service_healthy + environment: + NODE_ENV: development + LOG_FORMAT: json + PORT: 4000 + API_PREFIX: api/v1 + + # Database + DATABASE_HOST: postgres + DATABASE_PORT: 5432 + DATABASE_USER: xpeditis + DATABASE_PASSWORD: xpeditis_dev_password + DATABASE_NAME: xpeditis_dev + DATABASE_SYNC: false + DATABASE_LOGGING: true + + # Redis + REDIS_HOST: redis + REDIS_PORT: 6379 + REDIS_PASSWORD: xpeditis_redis_password + REDIS_DB: 0 + + # JWT + JWT_SECRET: dev-secret-jwt-key-for-docker + JWT_ACCESS_EXPIRATION: 15m + JWT_REFRESH_EXPIRATION: 7d + + # S3/MinIO + AWS_S3_ENDPOINT: http://minio:9000 + AWS_REGION: us-east-1 + AWS_ACCESS_KEY_ID: minioadmin + AWS_SECRET_ACCESS_KEY: minioadmin + AWS_S3_BUCKET: xpeditis-csv-rates + + # CORS + CORS_ORIGIN: "http://localhost:3000,http://localhost:4000" + + # Application URL + APP_URL: http://localhost:3000 + + # Security + BCRYPT_ROUNDS: 10 + SESSION_TIMEOUT_MS: 7200000 + + # Rate Limiting + RATE_LIMIT_TTL: 60 + RATE_LIMIT_MAX: 100 + + # SMTP (Brevo) + SMTP_HOST: smtp-relay.brevo.com + SMTP_PORT: 587 + SMTP_USER: 9637ef001@smtp-brevo.com + SMTP_PASS: xsmtpsib-8d965bda028cd63bed868a119f9e0330485204bf9f4e1f92a3a11c8e61000722-xUYUSrGGxhMqlUcu + SMTP_SECURE: "false" + SMTP_FROM: noreply@xpeditis.com + networks: + - xpeditis-network + + frontend: + build: + context: ./apps/frontend + dockerfile: Dockerfile + args: + NEXT_PUBLIC_API_URL: http://localhost:4000 + container_name: xpeditis-frontend-dev + ports: + - "3000:3000" + labels: + logging: promtail + logging.service: frontend + depends_on: + - backend + environment: + NEXT_PUBLIC_API_URL: http://localhost:4000 + networks: + - xpeditis-network + + # ─── Logging Stack ───────────────────────────────────────────────────────── + loki: + image: grafana/loki:3.0.0 + container_name: xpeditis-loki + restart: unless-stopped + ports: + - '3100:3100' + volumes: + - ./infra/logging/loki/loki-config.yml:/etc/loki/local-config.yaml:ro + - loki_data:/loki + command: -config.file=/etc/loki/local-config.yaml + healthcheck: + test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost:3100/ready || exit 1'] + interval: 15s + timeout: 5s + retries: 5 + networks: + - xpeditis-network + + promtail: + image: grafana/promtail:3.0.0 + container_name: xpeditis-promtail + restart: unless-stopped + ports: + - '9080:9080' + volumes: + - ./infra/logging/promtail/promtail-config.yml:/etc/promtail/config.yml:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + command: -config.file=/etc/promtail/config.yml + depends_on: + loki: + condition: service_healthy + networks: + - xpeditis-network + + grafana: + image: grafana/grafana:11.0.0 + container_name: xpeditis-grafana + restart: unless-stopped + ports: + - '3030:3000' + environment: + GF_SECURITY_ADMIN_USER: admin + GF_SECURITY_ADMIN_PASSWORD: xpeditis_grafana + GF_USERS_ALLOW_SIGN_UP: 'false' + GF_AUTH_ANONYMOUS_ENABLED: 'false' + GF_SERVER_ROOT_URL: http://localhost:3030 + GF_ANALYTICS_REPORTING_ENABLED: 'false' + GF_ANALYTICS_CHECK_FOR_UPDATES: 'false' + volumes: + - ./infra/logging/grafana/provisioning:/etc/grafana/provisioning:ro + - grafana_data:/var/lib/grafana + depends_on: + loki: + condition: service_healthy + healthcheck: + test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost:3000/api/health || exit 1'] + interval: 15s + timeout: 5s + retries: 5 + networks: + - xpeditis-network + + log-exporter: + build: + context: ./apps/log-exporter + dockerfile: Dockerfile + container_name: xpeditis-log-exporter + restart: unless-stopped + ports: + - '3200:3200' + environment: + PORT: 3200 + LOKI_URL: http://loki:3100 + # Optional: set LOG_EXPORTER_API_KEY to require x-api-key header + # LOG_EXPORTER_API_KEY: your-secret-key-here + depends_on: + loki: + condition: service_healthy + networks: + - xpeditis-network + +volumes: + postgres_data: + redis_data: + minio_data: + loki_data: + driver: local + grafana_data: + driver: local + +networks: + xpeditis-network: + name: xpeditis-network diff --git a/docker-compose.logging.yml b/docker-compose.logging.yml new file mode 100644 index 0000000..e014293 --- /dev/null +++ b/docker-compose.logging.yml @@ -0,0 +1,115 @@ +# ───────────────────────────────────────────────────────────────────────────── +# Xpeditis — Centralized Logging Stack +# +# Usage (standalone): +# docker-compose -f docker-compose.yml -f docker-compose.logging.yml up -d +# +# Usage (full dev environment with logging): +# docker-compose -f docker-compose.dev.yml -f docker-compose.logging.yml up -d +# +# Exposed ports: +# - Grafana: http://localhost:3000 (admin / xpeditis_grafana) +# - Loki: http://localhost:3100 (internal use only) +# - Promtail: http://localhost:9080 (internal use only) +# - log-exporter: http://localhost:3200 (export API) +# ───────────────────────────────────────────────────────────────────────────── + +services: + # ─── Loki — Log storage & query engine ──────────────────────────────────── + loki: + image: grafana/loki:3.0.0 + container_name: xpeditis-loki + restart: unless-stopped + ports: + - '3100:3100' + volumes: + - ./infra/logging/loki/loki-config.yml:/etc/loki/local-config.yaml:ro + - loki_data:/loki + command: -config.file=/etc/loki/local-config.yaml + healthcheck: + test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost:3100/ready || exit 1'] + interval: 15s + timeout: 5s + retries: 5 + networks: + - xpeditis-network + + # ─── Promtail — Docker log collector ────────────────────────────────────── + promtail: + image: grafana/promtail:3.0.0 + container_name: xpeditis-promtail + restart: unless-stopped + ports: + - '9080:9080' + volumes: + - ./infra/logging/promtail/promtail-config.yml:/etc/promtail/config.yml:ro + - /var/run/docker.sock:/var/run/docker.sock:ro + # Note: /var/lib/docker/containers is not needed with docker_sd_configs (uses Docker API) + command: -config.file=/etc/promtail/config.yml + depends_on: + loki: + condition: service_healthy + networks: + - xpeditis-network + + # ─── Grafana — Visualization ─────────────────────────────────────────────── + grafana: + image: grafana/grafana:11.0.0 + container_name: xpeditis-grafana + restart: unless-stopped + ports: + - '3030:3000' + environment: + GF_SECURITY_ADMIN_USER: admin + GF_SECURITY_ADMIN_PASSWORD: xpeditis_grafana + GF_USERS_ALLOW_SIGN_UP: 'false' + GF_AUTH_ANONYMOUS_ENABLED: 'false' + GF_SERVER_ROOT_URL: http://localhost:3030 + # Disable telemetry + GF_ANALYTICS_REPORTING_ENABLED: 'false' + GF_ANALYTICS_CHECK_FOR_UPDATES: 'false' + volumes: + - ./infra/logging/grafana/provisioning:/etc/grafana/provisioning:ro + - grafana_data:/var/lib/grafana + depends_on: + loki: + condition: service_healthy + healthcheck: + test: ['CMD-SHELL', 'wget --quiet --tries=1 --spider http://localhost:3000/api/health || exit 1'] + interval: 15s + timeout: 5s + retries: 5 + networks: + - xpeditis-network + + # ─── log-exporter — REST export API ─────────────────────────────────────── + log-exporter: + build: + context: ./apps/log-exporter + dockerfile: Dockerfile + container_name: xpeditis-log-exporter + restart: unless-stopped + ports: + - '3200:3200' + environment: + PORT: 3200 + LOKI_URL: http://loki:3100 + # Optional: set LOG_EXPORTER_API_KEY to require x-api-key header + # LOG_EXPORTER_API_KEY: your-secret-key-here + depends_on: + loki: + condition: service_healthy + networks: + - xpeditis-network + +volumes: + loki_data: + driver: local + grafana_data: + driver: local + +networks: + xpeditis-network: + name: xpeditis-network + # Re-uses the network created by docker-compose.yml / docker-compose.dev.yml. + # If starting this stack alone, the network is created automatically. diff --git a/docs/api-access/API_ACCESS.md b/docs/api-access/API_ACCESS.md new file mode 100644 index 0000000..f5bb715 --- /dev/null +++ b/docs/api-access/API_ACCESS.md @@ -0,0 +1,334 @@ +# Accès API Xpeditis — Documentation + +> **Disponible sur :** plans **Gold** et **Platinium** uniquement. +> Les plans Bronze et Silver n'ont accès qu'au frontend Xpeditis. + +--- + +## Table des matières + +1. [Vue d'ensemble](#vue-densemble) +2. [Authentification par clé API](#authentification-par-clé-api) +3. [Gestion des clés API](#gestion-des-clés-api) + - [Générer une clé](#générer-une-clé) + - [Lister les clés](#lister-les-clés) + - [Révoquer une clé](#révoquer-une-clé) +4. [Utiliser l'API](#utiliser-lapi) +5. [Sécurité et bonnes pratiques](#sécurité-et-bonnes-pratiques) +6. [Limites et quotas](#limites-et-quotas) +7. [Codes d'erreur](#codes-derreur) +8. [Exemples d'intégration](#exemples-dintégration) + +--- + +## Vue d'ensemble + +L'accès API permet aux abonnés **Gold** et **Platinium** d'intégrer Xpeditis directement dans leurs systèmes (ERP, TMS, scripts d'automatisation, etc.) sans passer par l'interface web. + +### Deux méthodes d'authentification coexistent + +| Méthode | En-tête HTTP | Disponible pour | +|---|---|---| +| **JWT Bearer** (frontend) | `Authorization: Bearer ` | Tous les plans | +| **Clé API** (accès programmatique) | `X-API-Key: ` | Gold + Platinium uniquement | + +Les deux méthodes donnent accès aux mêmes endpoints. La clé API ne nécessite pas de session interactive. + +--- + +## Authentification par clé API + +### Format de la clé + +``` +xped_live_<64 caractères hexadécimaux> +``` + +Exemple : +``` +xped_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2 +``` + +### Utilisation dans une requête + +Ajoutez l'en-tête `X-API-Key` à chaque requête : + +```http +GET /api/v1/bookings HTTP/1.1 +Host: api.xpeditis.com +X-API-Key: xped_live_a1b2c3d4e5f6... +Content-Type: application/json +``` + +### Comportement du serveur + +1. Le serveur détecte l'en-tête `X-API-Key`. +2. Il calcule le hash SHA-256 de la clé et le compare à la base de données. +3. Il vérifie que la clé est active et non expirée. +4. Il vérifie **en temps réel** que l'organisation possède toujours un abonnement Gold ou Platinium. +5. Si tout est valide, la requête est authentifiée. + +> Si votre abonnement est rétrogradé sous Gold, vos clés API seront automatiquement refusées même si elles sont techniquement encore actives. + +--- + +## Gestion des clés API + +Les endpoints de gestion des clés nécessitent une **authentification JWT** (via le frontend ou un token Bearer). Ils ne sont pas accessibles avec une clé API elle-même. + +**Base URL :** `http://localhost:4000` (développement) ou `https://api.xpeditis.com` (production) + +--- + +### Générer une clé + +```http +POST /api-keys +Authorization: Bearer +Content-Type: application/json + +{ + "name": "Intégration ERP Production", + "expiresAt": "2027-01-01T00:00:00.000Z" +} +``` + +**Corps de la requête :** + +| Champ | Type | Requis | Description | +|---|---|---|---| +| `name` | string | ✅ | Nom identifiant la clé (max 100 caractères) | +| `expiresAt` | string (ISO 8601) | ❌ | Date d'expiration. Si absent, la clé n'expire pas. | + +**Réponse `201 Created` :** + +```json +{ + "id": "550e8400-e29b-41d4-a716-446655440000", + "name": "Intégration ERP Production", + "keyPrefix": "xped_live_a1b2c3d4", + "isActive": true, + "lastUsedAt": null, + "expiresAt": "2027-01-01T00:00:00.000Z", + "createdAt": "2025-03-26T10:00:00.000Z", + "fullKey": "xped_live_a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2" +} +``` + +> ⚠️ **Le champ `fullKey` n'est retourné qu'une seule fois.** Copiez-le immédiatement et stockez-le de façon sécurisée (gestionnaire de secrets, variables d'environnement chiffrées, etc.). Il ne sera plus jamais visible. + +--- + +### Lister les clés + +```http +GET /api-keys +Authorization: Bearer +``` + +**Réponse `200 OK` :** + +```json +[ + { + "id": "550e8400-e29b-41d4-a716-446655440000", + "name": "Intégration ERP Production", + "keyPrefix": "xped_live_a1b2c3d4", + "isActive": true, + "lastUsedAt": "2025-03-25T14:30:00.000Z", + "expiresAt": "2027-01-01T00:00:00.000Z", + "createdAt": "2025-03-26T10:00:00.000Z" + }, + { + "id": "660e8400-e29b-41d4-a716-446655440001", + "name": "Script de reporting mensuel", + "keyPrefix": "xped_live_b2c3d4e5", + "isActive": false, + "lastUsedAt": "2025-02-01T09:00:00.000Z", + "expiresAt": null, + "createdAt": "2025-01-15T08:00:00.000Z" + } +] +``` + +> Les clés complètes ne sont jamais retournées dans cet endpoint. Seul le préfixe est visible. + +--- + +### Révoquer une clé + +```http +DELETE /api-keys/{id} +Authorization: Bearer +``` + +**Réponse `204 No Content`** en cas de succès. + +> La révocation est **immédiate et irréversible**. Toute requête utilisant cette clé sera refusée à partir de cet instant. Pour réactiver l'accès, créez une nouvelle clé. + +--- + +## Utiliser l'API + +Une fois votre clé générée, vous pouvez l'utiliser sur tous les endpoints de l'API Xpeditis. + +### Exemple : Récupérer les bookings + +```http +GET /bookings +X-API-Key: xped_live_a1b2c3d4e5f6... +``` + +### Exemple : Créer un booking + +```http +POST /bookings +X-API-Key: xped_live_a1b2c3d4e5f6... +Content-Type: application/json + +{ + "rateQuoteId": "...", + ... +} +``` + +### Référence complète + +La documentation Swagger interactive est disponible à : +``` +http://localhost:4000/api/docs +``` + +Elle liste tous les endpoints disponibles avec leurs paramètres et schémas de réponse. + +--- + +## Sécurité et bonnes pratiques + +### Stockage des clés + +- ❌ Ne stockez **jamais** une clé API en dur dans votre code source ou vos dépôts Git. +- ✅ Utilisez des **variables d'environnement** (`XPEDITIS_API_KEY=xped_live_...`). +- ✅ Utilisez un **gestionnaire de secrets** (AWS Secrets Manager, HashiCorp Vault, etc.) en production. + +### Rotation des clés + +Effectuez une rotation régulière de vos clés : +1. Créez une nouvelle clé (sans supprimer l'ancienne). +2. Mettez à jour votre système avec la nouvelle clé. +3. Vérifiez que tout fonctionne. +4. Révoquez l'ancienne clé. + +### Rotation d'urgence + +En cas de compromission suspectée : +1. Révoquez immédiatement la clé compromise via `DELETE /api-keys/{id}`. +2. Créez une nouvelle clé. +3. Auditez vos logs d'accès. + +### Permissions + +Une clé API agit au nom de l'utilisateur qui l'a créée, avec son rôle (MANAGER, USER, etc.) et les permissions de son organisation. Les clés héritent des restrictions d'accès de l'utilisateur créateur. + +--- + +## Limites et quotas + +| Limite | Valeur | +|---|---| +| Nombre de clés actives par organisation | 20 | +| Longueur du nom d'une clé | 100 caractères max | +| Rate limiting | Identique aux autres requêtes API | + +Le rate limiting est appliqué par utilisateur (basé sur l'ID utilisateur associé à la clé). + +--- + +## Codes d'erreur + +| Code HTTP | Description | Solution | +|---|---|---| +| `401 Unauthorized` | Clé invalide, expirée ou révoquée | Vérifiez la clé ou créez-en une nouvelle | +| `401 Unauthorized` | Clé bien formée mais hash inconnu | La clé a peut-être été révoquée ou n'existe pas | +| `403 Forbidden` | Abonnement insuffisant | Passez au plan Gold ou Platinium | +| `403 Forbidden` | Abonnement rétrogradé après création de la clé | Mettez à niveau votre abonnement | +| `404 Not Found` | Clé introuvable lors d'une révocation | Vérifiez l'ID de la clé | + +--- + +## Exemples d'intégration + +### cURL + +```bash +# Lister les bookings +curl -X GET https://api.xpeditis.com/bookings \ + -H "X-API-Key: xped_live_votre_cle_ici" \ + -H "Content-Type: application/json" +``` + +### Node.js / TypeScript + +```typescript +const XPEDITIS_API_KEY = process.env.XPEDITIS_API_KEY; +const BASE_URL = 'https://api.xpeditis.com'; + +async function getBookings() { + const response = await fetch(`${BASE_URL}/bookings`, { + headers: { + 'X-API-Key': XPEDITIS_API_KEY!, + 'Content-Type': 'application/json', + }, + }); + + if (!response.ok) { + throw new Error(`Xpeditis API error: ${response.status}`); + } + + return response.json(); +} +``` + +### Python + +```python +import os +import requests + +API_KEY = os.environ['XPEDITIS_API_KEY'] +BASE_URL = 'https://api.xpeditis.com' + +def get_bookings(): + response = requests.get( + f'{BASE_URL}/bookings', + headers={ + 'X-API-Key': API_KEY, + 'Content-Type': 'application/json', + } + ) + response.raise_for_status() + return response.json() +``` + +### PHP + +```php +$apiKey = getenv('XPEDITIS_API_KEY'); +$baseUrl = 'https://api.xpeditis.com'; + +$ch = curl_init("$baseUrl/bookings"); +curl_setopt($ch, CURLOPT_HTTPHEADER, [ + "X-API-Key: $apiKey", + 'Content-Type: application/json', +]); +curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); +$response = curl_exec($ch); +curl_close($ch); + +$data = json_decode($response, true); +``` + +--- + +*Documentation Xpeditis — Accès API v1.0* +*Disponible uniquement sur les plans Gold (899 €/mois) et Platinium (sur devis)* diff --git a/docs/deployment/AWS_COSTS_KUBERNETES.md b/docs/deployment/AWS_COSTS_KUBERNETES.md new file mode 100644 index 0000000..c30cf5e --- /dev/null +++ b/docs/deployment/AWS_COSTS_KUBERNETES.md @@ -0,0 +1,565 @@ +# Estimation des Coûts AWS — Déploiement Production Kubernetes (EKS) + +> Document de référence — Xpeditis 2.0 +> Région cible : `us-east-1` (ou `eu-west-1` pour conformité RGPD) +> Base tarifaire : AWS on-demand, mars 2026 +> MinIO remplacé par S3 + +--- + +## Table des matières + +1. [Architecture cible sur EKS](#1-architecture-cible-sur-eks) +2. [Inventaire des composants analysés](#2-inventaire-des-composants-analysés) +3. [Hypothèses par palier d'utilisateurs](#3-hypothèses-par-palier-dutilisateurs) +4. [Détail des coûts — 100 utilisateurs](#4-détail-des-coûts--100-utilisateurs) +5. [Détail des coûts — 1 000 utilisateurs](#5-détail-des-coûts--1-000-utilisateurs) +6. [Détail des coûts — 10 000 utilisateurs](#6-détail-des-coûts--10-000-utilisateurs) +7. [Tableau récapitulatif](#7-tableau-récapitulatif) +8. [Économies avec Reserved Instances](#8-économies-avec-reserved-instances) +9. [Facteurs de risque et dépassements potentiels](#9-facteurs-de-risque-et-dépassements-potentiels) +10. [Recommandations d'optimisation](#10-recommandations-doptimisation) +11. [Architecture Kubernetes recommandée](#11-architecture-kubernetes-recommandée) + +--- + +## 1. Architecture cible sur EKS + +``` + ┌─────────────────────────────────────────────┐ + │ AWS VPC (Multi-AZ) │ + │ │ + Internet ──── Route53 ──┤── CloudFront ──── ALB ──┬── NestJS Pods │ + │ │ (EKS NodeGroup) │ + │ └── Next.js Pods │ + │ │ + │ ┌──────────┐ ┌──────────┐ ┌─────────┐ │ + │ │ RDS PG15 │ │ElastiCache│ │ S3 │ │ + │ │ Multi-AZ │ │ Redis7 │ │ Bucket │ │ + │ └──────────┘ └──────────┘ └─────────┘ │ + │ │ + │ ┌──────────┐ ┌──────────┐ │ + │ │ SES │ │Secrets │ │ + │ │ Email │ │Manager │ │ + │ └──────────┘ └──────────┘ │ + └─────────────────────────────────────────────┘ +``` + +**Services AWS utilisés :** +| Service AWS | Remplace / Rôle | +|---|---| +| **EKS** | Orchestration des containers (backend NestJS + frontend Next.js) | +| **RDS PostgreSQL 15** | Base de données principale (18 tables, 29 migrations) | +| **ElastiCache Redis 7** | Cache des rate quotes (TTL 15 min), pub/sub WebSocket | +| **S3** | Remplace MinIO — PDFs, documents carrier, exports CSV/Excel | +| **ALB** | Load balancer HTTPS + WebSocket (sticky sessions) | +| **CloudFront** | CDN pour assets frontend et PDFs publics | +| **SES** | 10 types d'emails transactionnels (confirmations, invitations, magic links) | +| **Secrets Manager** | JWT secret, DB passwords, API keys carriers (5 carriers) | +| **Route 53** | DNS | +| **CloudWatch** | Logs (nestjs-pino), métriques, alertes | +| **WAF** | Protection OWASP (Rate limiting déjà implémenté dans NestJS) | +| **NAT Gateway** | Accès internet pour les pods (appels APIs carriers) | + +--- + +## 2. Inventaire des composants analysés + +### Backend NestJS (charges identifiées) + +**Endpoints critiques en charge :** +- `POST /api/v1/rates/search` — appelle **5 carriers APIs en parallèle** (Maersk, MSC, CMA CGM, Hapag-Lloyd, ONE) avec circuit breaker 5s timeout. C'est le endpoint le plus coûteux en compute. +- `GET /api/v1/rates/csv-search` — filtrage in-memory de fichiers CSV uploadés +- WebSocket `/notifications` — connexions persistantes Socket.IO, pub/sub via Redis + +**Redis (ElastiCache) :** +- Clés : `rate:{origin}:{destination}:{containerType}` — TTL 15 minutes +- Taux de cache hit estimé : 70–90% pendant les heures de bureau +- Pas de cluster mode nécessaire avant ~500 utilisateurs actifs simultanés + +**Base de données (RDS) :** +- 18 tables avec indexes composites +- Tables à forte croissance : `bookings`, `audit_logs`, `notifications`, `rate_quotes` +- `audit_logs` peut grossir très vite (~50–200K lignes/mois à 1 000 users) +- Extensions PostgreSQL : `pg_trgm` (recherche textuelle sur ports) + +**S3 (remplace MinIO) :** +- PDFs booking : 100–500 KB/document, 1 par booking + exports +- Documents carrier : jusqu'à 10 MB/fichier (PDF, images, Excel, CSV) +- Logos d'organisations +- Exports CSV/Excel des bookings + +**Emails (SES) :** +1. Vérification email à l'inscription +2. Mot de passe oublié / reset +3. Email de bienvenue +4. Invitation d'utilisateur (token 1h) +5. Confirmation de booking avec PDF en pièce jointe +6. Demande CSV booking au carrier (magic link) +7. Création compte carrier +8. Reset password carrier +9. Notification nouveaux documents +10. Alerte accès documents + +**Appels APIs externes :** +- 5 carriers APIs consultées à chaque rate search non mis en cache +- Latence estimée : 1–3 secondes par carrier +- Volume estimé : 10–30% des searches frappent les APIs (le reste vient du cache Redis) + +### Frontend Next.js (charges identifiées) + +- Mode `standalone` — container Docker autonome avec Node.js +- **SSR / SSG hybride** — pages dashboard en CSR, landing page statique +- Bundle gzippé estimé : 200–400 KB (React 19 + Shadcn/ui + TanStack Query) +- Leaflet (cartes), Recharts (graphiques), Framer Motion (animations) +- Images optimisées via `next/image` avec support S3 (`**.amazonaws.com`) + +--- + +## 3. Hypothèses par palier d'utilisateurs + +| Paramètre | 100 users | 1 000 users | 10 000 users | +|---|---|---|---| +| Utilisateurs actifs simultanés (pic) | 10–20 | 100–300 | 1 000–3 000 | +| Rate searches / jour | 200–500 | 2 000–8 000 | 20 000–80 000 | +| Bookings créés / mois | 20–50 | 300–800 | 3 000–8 000 | +| Connexions WebSocket simultanées | 10–20 | 100–300 | 1 000–3 000 | +| Emails / mois | 200–500 | 5 000–20 000 | 50 000–200 000 | +| Volume S3 total | 5–20 GB | 100–300 GB | 1–3 TB | +| Upload S3 / mois | 1–5 GB | 20–50 GB | 200–500 GB | +| Trafic sortant APIs carriers / mois | 5–20 GB | 100–300 GB | 1–3 TB | +| Lignes audit_logs cumulées | < 50K | < 1M | < 20M | + +--- + +## 4. Détail des coûts — 100 utilisateurs + +> Phase early-stage / MVP. Architecture sans Multi-AZ sur certains composants pour réduire les coûts. + +### Compute — EKS + +| Ressource | Config | Coût/mois | +|---|---|---| +| EKS Control Plane | 1 cluster | **$73** | +| Worker nodes | 2× `t3.medium` (2 vCPU, 4 GB) — backend + frontend | **$61** | +| **Total compute** | | **$134** | + +> Pods : 2 replicas NestJS (500m CPU / 512Mi chacun) + 1 replica Next.js (250m CPU / 256Mi). HPA désactivé à ce stade. + +### Base de données — RDS PostgreSQL + +| Ressource | Config | Coût/mois | +|---|---|---| +| Instance | `db.t4g.medium` (2 vCPU, 4 GB) — Single-AZ | **$60** | +| Stockage | 20 GB gp3 | **$2** | +| Backups | 7 jours retention | **$2** | +| **Total RDS** | | **$64** | + +### Cache — ElastiCache Redis + +| Ressource | Config | Coût/mois | +|---|---|---| +| Instance | `cache.t4g.micro` (1 nœud, 0.5 GB) | **$12** | + +> Suffisant pour ~10 000 clés rate quotes en cache. Pas de réplication à ce stade. + +### Stockage — S3 + +| Ressource | Volume | Coût/mois | +|---|---|---| +| Stockage standard | 10 GB | **$0.23** | +| Requêtes PUT/GET | ~50 000/mois | **$0.50** | +| Transfert sortant | 5 GB | **$0.45** | +| **Total S3** | | **~$2** | + +### Réseau + +| Ressource | Config | Coût/mois | +|---|---|---| +| ALB | 1 load balancer, ~5 LCU | **$22** | +| NAT Gateway | 1 NAT, ~20 GB data processing | **$34** | +| CloudFront | Distribution basique, ~5 GB transfert | **$5** | +| **Total réseau** | | **$61** | + +### Services managés + +| Ressource | Usage | Coût/mois | +|---|---|---| +| SES | ~500 emails (dont ~50 avec PDF joint ~250 KB) | **$1** | +| Secrets Manager | 12 secrets | **$5** | +| Route 53 | 1 hosted zone + queries | **$2** | +| CloudWatch | Logs 5 GB/mois + métriques de base | **$15** | +| **Total services** | | **$23** | + +### Total Tier 1 — 100 utilisateurs + +| Catégorie | Coût/mois | +|---|---| +| Compute (EKS) | $134 | +| RDS PostgreSQL | $64 | +| ElastiCache Redis | $12 | +| S3 | $2 | +| Réseau (ALB + NAT + CloudFront) | $61 | +| Services (SES + Secrets + R53 + CloudWatch) | $23 | +| **TOTAL** | **~$296/mois** | +| **Avec buffer 15%** | **~$340/mois** | + +--- + +## 5. Détail des coûts — 1 000 utilisateurs + +> Phase croissance. Multi-AZ activé sur RDS, Redis répliqué, autoscaling EKS. + +### Compute — EKS + +| Ressource | Config | Coût/mois | +|---|---|---| +| EKS Control Plane | 1 cluster | **$73** | +| Worker nodes | 3× `t3.xlarge` (4 vCPU, 16 GB) — autoscaling 3–6 nodes | **$362** | +| **Total compute** | | **$435** | + +> Pods : 4 replicas NestJS (1 CPU / 1 GB chacun) + 2 replicas Next.js. HPA activé (CPU > 70%). + +### Base de données — RDS PostgreSQL + +| Ressource | Config | Coût/mois | +|---|---|---| +| Instance | `db.r6g.large` (2 vCPU, 16 GB) — **Multi-AZ** | **$350** | +| Stockage | 100 GB gp3 | **$10** | +| RDS Proxy | Connection pooling (critique pour NestJS) | **$36** | +| Backups | 30 jours retention | **$20** | +| **Total RDS** | | **$416** | + +> RDS Proxy devient essentiel à partir de ~50 connexions concurrentes pour éviter les `too many connections`. + +### Cache — ElastiCache Redis + +| Ressource | Config | Coût/mois | +|---|---|---| +| Instance | `cache.r6g.large` (2 nœuds, 13 GB) — réplication activée | **$242** | + +> La réplication est nécessaire pour le pub/sub WebSocket multi-pods (Socket.IO scale-out). + +### Stockage — S3 + +| Ressource | Volume | Coût/mois | +|---|---|---| +| Stockage standard | 150 GB | **$3.45** | +| Stockage Intelligent-Tiering (archives) | 50 GB | **$2.50** | +| Requêtes PUT/GET | ~500 000/mois | **$3** | +| Transfert sortant | 50 GB | **$4.50** | +| **Total S3** | | **~$13** | + +### Réseau + +| Ressource | Config | Coût/mois | +|---|---|---| +| ALB | 1 load balancer, ~50 LCU | **$38** | +| NAT Gateway | 2 NATs (HA Multi-AZ), ~150 GB data | **$73** | +| CloudFront | ~50 GB transfert (assets + PDFs) | **$25** | +| **Total réseau** | | **$136** | + +### Services managés + +| Ressource | Usage | Coût/mois | +|---|---|---| +| SES | ~15 000 emails/mois | **$1.50** | +| SES — pièces jointes PDF | ~300 bookings × 250 KB | **$0.10** | +| Secrets Manager | 15 secrets | **$6** | +| Route 53 | 1 zone + queries | **$3** | +| CloudWatch | Logs 20 GB/mois + métriques + dashboards | **$50** | +| WAF | 1 WebACL, 5 rules, ~5M requêtes/mois | **$12** | +| **Total services** | | **$73** | + +### Total Tier 2 — 1 000 utilisateurs + +| Catégorie | Coût/mois | +|---|---| +| Compute (EKS) | $435 | +| RDS PostgreSQL (Multi-AZ + Proxy) | $416 | +| ElastiCache Redis (répliqué) | $242 | +| S3 | $13 | +| Réseau (ALB + NAT + CloudFront) | $136 | +| Services (SES + Secrets + R53 + CW + WAF) | $73 | +| **TOTAL** | **~$1 315/mois** | +| **Avec buffer 15%** | **~$1 512/mois** | + +--- + +## 6. Détail des coûts — 10 000 utilisateurs + +> Phase scale. Read replica RDS, Redis cluster mode, autoscaling agressif, WAF renforcé. + +### Compute — EKS + +| Ressource | Config | Coût/mois | +|---|---|---| +| EKS Control Plane | 1 cluster | **$73** | +| Worker nodes — backend | 4× `m6i.xlarge` (4 vCPU, 16 GB) — autoscaling 4–12 | **$560** | +| Worker nodes — frontend | 2× `m6i.large` (2 vCPU, 8 GB) — autoscaling 2–6 | **$140** | +| **Total compute** | | **$773** | + +> Pods NestJS : 8–15 replicas (1.5 CPU / 1.5 GB chacun). HPA + KEDA si adoption de SQS. +> Pods Next.js : 4–8 replicas (500m CPU / 512 Mi chacun). + +### Base de données — RDS PostgreSQL + +| Ressource | Config | Coût/mois | +|---|---|---| +| Instance primaire | `db.r6g.2xlarge` (8 vCPU, 64 GB) — **Multi-AZ** | **$1 402** | +| Read Replica | `db.r6g.xlarge` (analytics + audit queries) | **$350** | +| Stockage | 1 TB gp3 (SSD) | **$100** | +| RDS Proxy | Haute disponibilité | **$100** | +| Backups | 30 jours + point-in-time recovery | **$100** | +| **Total RDS** | | **$2 052** | + +> À 10 000 users, `audit_logs` peut dépasser 10M lignes. Envisager un archivage vers S3/Athena après 90 jours. + +### Cache — ElastiCache Redis + +| Ressource | Config | Coût/mois | +|---|---|---| +| Cluster mode | 3 shards × 2 nœuds `cache.r6g.large` (13 GB/shard) | **$1 452** | + +> Cluster mode nécessaire pour distribuer les ~100 000+ clés rate quotes et supporter le pub/sub à grande échelle. + +### Stockage — S3 + +| Ressource | Volume | Coût/mois | +|---|---|---| +| Stockage Standard | 500 GB (documents actifs < 30 jours) | **$11.50** | +| Stockage Intelligent-Tiering | 1 TB (documents anciens) | **$23** | +| Glacier Instant Retrieval | 2 TB (archives > 6 mois) | **$8** | +| Requêtes PUT/GET | ~5M/mois | **$20** | +| Transfert sortant S3 | 200 GB (via CloudFront réduit les coûts) | **$9** | +| **Total S3** | | **~$72** | + +### Réseau + +| Ressource | Config | Coût/mois | +|---|---|---| +| ALB | 2 load balancers (backend + frontend), ~200 LCU | **$110** | +| NAT Gateway | 2 NATs, ~1 TB appels carriers + Redis | **$111** | +| CloudFront | ~500 GB transfert (assets + PDFs + exports) | **$125** | +| **Total réseau** | | **$346** | + +### Services managés + +| Ressource | Usage | Coût/mois | +|---|---|---| +| SES | ~120 000 emails/mois | **$12** | +| SES — pièces jointes PDF | ~5 000 bookings × 300 KB | **$1.80** | +| Secrets Manager | 20 secrets + 2M API calls/mois | **$18** | +| Route 53 | 2 zones (prod + staging), traffic routing | **$10** | +| CloudWatch | Logs 100 GB/mois + métriques + Container Insights | **$200** | +| WAF + Shield Standard | WebACL, 10 rules, ~50M requêtes/mois, DDoS basique | **$65** | +| KMS | Encryption at rest RDS/S3, rotation clés | **$10** | +| **Total services** | | **$317** | + +### Total Tier 3 — 10 000 utilisateurs + +| Catégorie | Coût/mois | +|---|---| +| Compute (EKS) | $773 | +| RDS PostgreSQL (Multi-AZ + Replica + Proxy) | $2 052 | +| ElastiCache Redis (cluster mode) | $1 452 | +| S3 (avec tiering) | $72 | +| Réseau (ALB + NAT + CloudFront) | $346 | +| Services (SES + Secrets + R53 + CW + WAF + KMS) | $317 | +| **TOTAL** | **~$5 012/mois** | +| **Avec buffer 15%** | **~$5 764/mois** | + +--- + +## 7. Tableau récapitulatif + +| Composant | 100 users | 1 000 users | 10 000 users | +|---|---|---|---| +| EKS (Control Plane + Nodes) | $134 | $435 | $773 | +| RDS PostgreSQL | $64 | $416 | $2 052 | +| ElastiCache Redis | $12 | $242 | $1 452 | +| S3 | $2 | $13 | $72 | +| Réseau (ALB + NAT + CDN) | $61 | $136 | $346 | +| Services managés | $23 | $73 | $317 | +| **TOTAL (on-demand)** | **$296** | **$1 315** | **$5 012** | +| **TOTAL avec buffer 15%** | **~$340** | **~$1 512** | **~$5 764** | + +> **Note hors scope :** Stripe facture 2.9% + $0.30 par transaction. Pour 500 transactions/mois à $500 chacune, cela représente ~$7 400/mois de frais Stripe — à prendre en compte dans la marge business, pas dans l'infra. + +--- + +## 8. Économies avec Reserved Instances + +Engager 1 ou 3 ans sur les ressources stables (RDS, ElastiCache, nœuds EKS de base) permet des économies significatives. + +### 1 an — Savings Plans + +| Composant | Coût on-demand | Après 1 an RI (~35% réduction) | +|---|---|---| +| RDS (1 000 users) | $416 | **~$270** | +| ElastiCache (1 000 users) | $242 | **~$157** | +| EC2 workers EKS (1 000 users) | $362 | **~$235** | +| **Économie mensuelle** | | **~$358/mois** | + +### Impact par palier avec Reserved Instances 1 an + +| Palier | On-demand | Avec RI 1 an | Économie annuelle | +|---|---|---|---| +| 100 users | $296 | ~$220 | **~$912** | +| 1 000 users | $1 315 | ~$950 | **~$4 380** | +| 10 000 users | $5 012 | ~$3 600 | **~$16 944** | + +--- + +## 9. Facteurs de risque et dépassements potentiels + +### 🔴 Risque élevé — Appels APIs carriers + +Chaque `POST /rates/search` sans cache Redis déclenche **5 appels HTTP externes en parallèle**. +À 1 000 users avec 30% de cache miss → ~2 400 appels/heure vers les carriers. +**Impact NAT Gateway :** transfert data $0.045/GB. Si chaque réponse carrier fait 10 KB → ~100 GB/mois → $4.50. +Si les réponses sont plus volumineuses (50 KB+) ou si le cache miss monte → coût × 5 à × 10. + +**Mitigation :** Ajuster le TTL Redis (actuellement 15 min) à 30–60 min pour les routes peu demandées. + +### 🔴 Risque élevé — audit_logs à 10 000 users + +À 10 000 users, `audit_logs` peut atteindre **50–200M lignes/an** (toutes actions loggées). +RDS `db.r6g.2xlarge` avec 1 TB de stockage sera rapidement saturé. +**Mitigation :** Mettre en place un archivage automatique des logs > 90 jours vers S3 + Athena pour les requêtes analytiques. + +### 🟡 Risque moyen — WebSocket à grande échelle + +Socket.IO avec Redis adapter fonctionne bien jusqu'à ~2 000 connexions simultanées sur un cache.r6g.large. +Au-delà, envisager de passer à **Redis Cluster mode** ou à une gateway WebSocket dédiée. + +### 🟡 Risque moyen — PDFs avec pièces jointes emails (SES) + +Les booking confirmations envoient le PDF en **base64 dans le corps de l'email** (détecté dans le code email service). +Pour 5 000 bookings/mois à 300 KB/PDF → **1.5 GB de data SES/mois** → $0.18/mois en plus des emails. +À grande échelle, préférer un **lien S3 signé** dans l'email plutôt qu'une pièce jointe. + +### 🟡 Risque moyen — ElastiCache sous-dimensionné + +Le nombre de clés Redis peut exploser si les recherches sont très diversifiées (nombreuses combinaisons origin/destination/containerType). +Monitorer `cache.CurrItems` et `BytesUsedForCache` dans CloudWatch dès le démarrage. + +### 🟢 Risque faible — S3 + +Les coûts S3 restent maîtrisés avec les politiques de cycle de vie (Intelligent-Tiering + Glacier). +La migration MinIO → S3 est transparente (l'app utilise déjà le SDK AWS S3 v3). + +--- + +## 10. Recommandations d'optimisation + +### Priorité haute (impact fort, faible effort) + +1. **S3 Lifecycle Policies dès le J1** + - Documents > 30 jours → Intelligent-Tiering + - Documents > 180 jours → Glacier Instant Retrieval + - Économie estimée : 50–70% sur les coûts de stockage long terme + +2. **RDS Proxy activé dès 1 000 users** + - NestJS ouvre N connexions par pod × N pods → sans proxy, RDS sature + - `db.r6g.large` supporte ~150 connexions max, 10 pods × 10 connexions = limite atteinte + +3. **CloudFront pour tous les assets S3 publics** + - Élimine le transfert sortant S3 (×8 fois moins cher via CloudFront) + - Mettre en cache les PDFs de booking (signé URL → CloudFront signed URL) + +4. **Reserved Instances 1 an sur RDS + ElastiCache** + - Ces deux services représentent 50–60% de la facture à 1 000+ users + - Le ROI est atteint dès le premier mois comparé à l'on-demand + +### Priorité moyenne + +5. **Archivage audit_logs vers S3 + Athena** + - Créer un job cron mensuel qui exporte les logs > 90 jours en Parquet vers S3 + - Requêtes analytiques via Athena ($5 par TB scanné) + - Libère l'espace RDS et maintient les performances des indexes + +6. **SQS + Lambda pour la génération de PDFs et l'envoi d'emails** + - Actuellement synchrone → bloque le thread NestJS + - Découpler : POST /bookings → enfile en SQS → Lambda génère PDF + envoie email + - Réduit les besoins CPU des pods NestJS (~20% de réduction possible) + +7. **Lien S3 signé dans les emails plutôt que pièce jointe** + - Remplacer le PDF base64 dans SES par un lien CloudFront signé (1h expiry) + - Réduit la taille des emails de 60–70% et évite les filtres anti-spam + +### Priorité basse + +8. **Fargate Spot pour les pods non-critiques** + - Workers de génération PDF/export peuvent tourner sur Fargate Spot (70% moins cher) + +9. **KEDA (Kubernetes Event-Driven Autoscaling)** + - Scaler les pods NestJS selon la profondeur de la file SQS plutôt que le CPU + +--- + +## 11. Architecture Kubernetes recommandée + +### Namespaces + +``` +xpeditis-prod +├── backend # NestJS pods +├── frontend # Next.js pods +└── monitoring # Prometheus + Grafana (optionnel) +``` + +### Sizing des pods par palier + +#### Backend NestJS + +| Palier | Replicas (base) | Replicas (max HPA) | CPU request/limit | RAM request/limit | +|---|---|---|---|---| +| 100 users | 2 | 3 | 500m / 1500m | 512Mi / 1Gi | +| 1 000 users | 4 | 8 | 750m / 2000m | 768Mi / 1.5Gi | +| 10 000 users | 8 | 20 | 1000m / 3000m | 1Gi / 2Gi | + +#### Frontend Next.js (standalone) + +| Palier | Replicas (base) | Replicas (max HPA) | CPU request/limit | RAM request/limit | +|---|---|---|---|---| +| 100 users | 1 | 2 | 250m / 1000m | 256Mi / 512Mi | +| 1 000 users | 2 | 4 | 500m / 1500m | 512Mi / 1Gi | +| 10 000 users | 3 | 8 | 750m / 2000m | 512Mi / 1Gi | + +### Variables d'environnement Kubernetes (Secrets) + +À stocker dans **AWS Secrets Manager** et monter via External Secrets Operator : +- `DATABASE_URL` → RDS connection string avec RDS Proxy endpoint +- `REDIS_HOST` / `REDIS_PASSWORD` → ElastiCache primary endpoint +- `JWT_SECRET` → rotation automatique mensuelle recommandée +- `AWS_S3_BUCKET` → remplace `MINIO_ENDPOINT` / `MINIO_ACCESS_KEY` / `MINIO_SECRET_KEY` +- `STRIPE_SECRET_KEY` / `STRIPE_WEBHOOK_SECRET` +- API keys × 5 carriers (Maersk, MSC, CMA CGM, Hapag-Lloyd, ONE) +- `SMTP_HOST` → SES SMTP endpoint + credentials + +### Ingress (ALB Ingress Controller) + +```yaml +# Règles d'ingress recommandées +/api/* → backend service (port 4000) +/socket.io/* → backend service (sticky sessions activées) +/* → frontend service (port 3000) +``` + +> Le WebSocket Socket.IO nécessite `alb.ingress.kubernetes.io/target-group-attributes: stickiness.enabled=true` + +--- + +## Résumé exécutif + +| | 100 users | 1 000 users | 10 000 users | +|---|---|---|---| +| **Coût mensuel estimé** | **~$340** | **~$1 500** | **~$5 800** | +| **Coût annuel** | **~$4 080** | **~$18 000** | **~$69 600** | +| **Avec RI 1 an** | **~$2 640** | **~$11 400** | **~$43 200** | +| **Poste dominant** | Compute + Réseau | RDS Multi-AZ | RDS + Redis | +| **Principal risque** | Sur-dimensionnement | Connexions DB | audit_logs volume | + +> Les prix sont indicatifs en us-east-1 (on-demand, mars 2026). `eu-west-1` (Paris : `eu-west-3`) est ~5–10% plus cher. +> Ces estimations **excluent** : les frais Stripe (2.9% + $0.30/transaction), les licences SaaS tierces éventuelles, et les coûts de développement/opération. diff --git a/docs/deployment/CLOUD_COST_COMPARISON.md b/docs/deployment/CLOUD_COST_COMPARISON.md new file mode 100644 index 0000000..4e21dc6 --- /dev/null +++ b/docs/deployment/CLOUD_COST_COMPARISON.md @@ -0,0 +1,548 @@ +# Comparatif Cloud — Coûts de Production Xpeditis 2.0 +## Aide à la décision : AWS vs GCP vs Azure vs Hetzner vs OVHcloud vs DigitalOcean vs Scaleway + +> Analyse réalisée le 23 mars 2026 — prix on-demand vérifiés sur les sites officiels +> Scénarios : 100 / 1 000 / 10 000 utilisateurs sur Kubernetes +> MinIO → stockage objet S3-compatible de chaque fournisseur +> ⚠️ **Hetzner augmente ses prix de ~35% le 1er avril 2026** — prix actuels ET futurs indiqués + +--- + +## Table des matières + +1. [Ce que l'app exige comme infrastructure](#1-ce-que-lapp-exige-comme-infrastructure) +2. [Vue d'ensemble des fournisseurs](#2-vue-densemble-des-fournisseurs) +3. [Tableau comparatif — 100 utilisateurs](#3-tableau-comparatif--100-utilisateurs) +4. [Tableau comparatif — 1 000 utilisateurs](#4-tableau-comparatif--1-000-utilisateurs) +5. [Tableau comparatif — 10 000 utilisateurs](#5-tableau-comparatif--10-000-utilisateurs) +6. [Récapitulatif global](#6-récapitulatif-global) +7. [Analyse détaillée par fournisseur](#7-analyse-détaillée-par-fournisseur) +8. [Option hybride recommandée](#8-option-hybride-recommandée) +9. [Matrice de décision](#9-matrice-de-décision) +10. [Recommandation finale](#10-recommandation-finale) + +--- + +## 1. Ce que l'app exige comme infrastructure + +Avant de comparer, voici ce que Xpeditis consomme réellement (issu de l'analyse du code) : + +| Composant | Besoin réel | Impact coût | +|---|---|---| +| **Kubernetes** | 2–15 pods NestJS + 1–8 pods Next.js | Control plane + nodes | +| **PostgreSQL 15** | 18 tables, audit_logs volumineuses, pg_trgm | Instance avec au moins 4 GB RAM en prod | +| **Redis 7** | Cache rate quotes TTL 15 min + pub/sub WebSocket | Au moins 1 GB, réplication si multi-pods | +| **Stockage objet (S3)** | PDFs booking, docs carrier (max 10 MB), exports | ~10 GB/100 users → ~1 TB/10 000 users | +| **Load Balancer** | WebSocket sticky sessions obligatoires | 1 LB avec support WS | +| **Email** | 10 types d'emails, PDFs en pièce jointe | SES ou SMTP tiers | +| **Secrets** | JWT, DB passwords, 5 API keys carriers | Secrets Manager ou équivalent | +| **Appels externes** | 5 carriers APIs à chaque rate search (circuit breaker 5s) | Trafic sortant → coût NAT/egress | +| **DNS + TLS** | Route 53 ou équivalent + cert-manager | ~$1-3/mois | + +**Spécificité critique :** Le SDK AWS S3 v3 est déjà utilisé dans le code avec support d'endpoint personnalisé → **zéro modification de code** pour utiliser n'importe quel stockage S3-compatible (Hetzner Object Storage, DO Spaces, OVH, Scaleway). + +--- + +## 2. Vue d'ensemble des fournisseurs + +| Fournisseur | Kubernetes | DB Managée | RGPD EU | Egress gratuit | Self-managed DB | Difficulté ops | +|---|---|---|---|---|---|---| +| **Hetzner** 🇩🇪 | k3s free / HKE free | ❌ (tiers: Neon, Railway) | ✅ Allemagne/Finlande | Non ($0.045/GB) | ✅ DIY | ⭐⭐⭐ Élevée | +| **OVHcloud** 🇫🇷 | MKS gratuit (CP) | ✅ Partiel (limité) | ✅ France | ✅ **Oui** | ✅ DIY sur VM | ⭐⭐ Moyenne | +| **DigitalOcean** 🇺🇸 | DOKS gratuit (CP) | ✅ PG + Redis | ❌ US (AMS dispo) | Non ($0.01/GB) | Optionnel | ⭐ Faible | +| **Scaleway** 🇫🇷 | Kapsule gratuit (CP) | ✅ PostgreSQL | ✅ Paris | ✅ Inclus | Optionnel | ⭐ Faible | +| **GCP** 🌐 | GKE Autopilot/Standard | ✅ Cloud SQL | ✅ europe-west1 | Non ($0.12/GB) | Optionnel | ⭐ Faible | +| **AWS** 🌐 | EKS ($73/mois CP) | ✅ RDS + ElastiCache | ✅ eu-west-3 Paris | Non ($0.09/GB) | Optionnel | ⭐ Faible | +| **Azure** 🌐 | AKS gratuit (CP) | ✅ Flexible Server | ✅ westeurope | Non ($0.087/GB) | Optionnel | ⭐ Faible | +| **Vultr** 🇺🇸 | VKE ($10/mois CP) | ✅ Partiel | ❌ US | Non | Optionnel | ⭐ Faible | + +--- + +## 3. Tableau comparatif — 100 utilisateurs + +**Hypothèses :** 10–20 utilisateurs simultanés, ~50 bookings/mois, 500 rate searches/jour, 5 GB stockage, 500 emails/mois + +### Configuration retenue +- 2 worker nodes (backend NestJS × 2 pods + frontend Next.js × 1 pod) +- PostgreSQL 2 vCPU / 4-8 GB +- Redis 0.5-1 GB +- Stockage objet 20 GB +- 1 Load Balancer + +| Fournisseur | Compute | DB | Redis | Stockage | LB/Réseau | **Total/mois** | +|---|---|---|---|---|---|---| +| **Hetzner** *(k3s self-managed)* | 2× CX32: **€13.60** | CX22 self-host: **€3.79** | Shared: **€0** | Object Storage: **€4.99** | LB11: **€5.39** | **🥇 ~€28 (~$30)** | +| **Hetzner** *(post 1 avril)* | 2× CX32: **€18.38** | CX22: **€5.11** | Shared: **€0** | **€4.99** | LB11: **€7.49** | **~€36 (~$39)** | +| **DigitalOcean** *(DOKS)* | 2× s-2vcpu-4gb: **$48** | PG Basic 2 GB: **$30** | Redis 1 GB: **$15** | Spaces: **$5** | LB: **$12** | **~$110** | +| **OVHcloud** *(MKS)* | 2× B2-7: **€48** | B2-7 self-host: **€24** | Shared pod: **€0** | OBJ 20 GB: **€0.22** | LB: **€15** | **~€87 (~$94)** | +| **Scaleway** *(Kapsule)* | 2× DEV1-L: **€61** | DB-DEV-S self-host: **€14** | DEV1-S: **€7** | OBJ 20 GB: **€0.20** | LB: **€9.99** | **~€92 (~$100)** | +| **GCP** *(GKE Autopilot)* | Autopilot pods: **~$60** | Cloud SQL db-f1-small: **$26** | Memorystore 1 GB: **$39** | GCS 20 GB: **$0.40** | LB: **$18** | **~$143** | +| **Vultr** *(VKE)* | 2× 2vCPU/4GB: **$40** | PG managed ~$30: **$30** | Redis: **$15** | Block: **$5** | VKE CP: **$10** | **~$100** | +| **AWS** *(EKS, eu-west-3)* | 2× t3.medium: **$69** | db.t4g.medium: **$60** | cache.t4g.micro: **$12** | S3 20 GB: **$0.46** | EKS: **$73** + ALB: **$22** + NAT: **$34** | **~$270** | +| **Azure** *(AKS)* | 2× D2s_v3: **$140** | PG B1ms flex: **$12**\* | Redis C0: **$14** | Blob 20 GB: **$0.36** | AKS: **$0** + LB: **$18** | **~$185** | +| **GCP** *(GKE Standard)* | GKE CP: **$72** + 2× e2-std-2: **$97** | Cloud SQL: **$100** | Memorystore: **$39** | GCS: **$0.40** | LB: **$18** | **~$327** | + +> \* Azure B1ms est très limité (1 vCPU), insuffisant pour une production sérieuse. Compte tenu des vraies instances : ~$165+ + +**⚠️ AWS à 100 users :** Le control plane EKS ($73) + NAT Gateway ($34) représentent ~40% de la facture — cher pour si peu d'utilisateurs. + +--- + +## 4. Tableau comparatif — 1 000 utilisateurs + +**Hypothèses :** 100–300 simultanés, ~500 bookings/mois, 5 000 searches/jour, 200 GB stockage, 15 000 emails/mois, PostgreSQL Multi-AZ ou HA + +### Configuration retenue +- 3–4 worker nodes avec HPA +- PostgreSQL 4 vCPU / 8-16 GB **avec HA/réplication** +- Redis 1-2 GB répliqué (pub/sub WebSocket multi-pods) +- Stockage objet 200 GB +- 1 Load Balancer + +| Fournisseur | Compute | DB (HA) | Redis | Stockage | LB/Réseau | **Total/mois** | +|---|---|---|---|---|---|---| +| **Hetzner** *(k3s self-managed)* | 1×CX22 CP + 3×CX42: **€60.60** | CX32 PG + 100 GB vol: **€11.20** | CX22 Redis: **€3.79** | Object Storage: **€4.99** | LB21: **€16.40** | **🥇 ~€97 (~$105)** | +| **Hetzner** *(post 1 avril)* | **€81.69** | **€15.12** | **€5.11** | **€4.99** | **€22.14** | **~€129 (~$140)** | +| **OVHcloud** *(MKS + self-hosted)* | 3× B2-15: **€138** | B2-15 PG primary + B2-7 replica: **€70** | B2-7 Redis: **€24** | OBJ 200 GB: **€2.20** | LB: **€15** | **~€249 (~$270)** | +| **DigitalOcean** *(DOKS + managed)* | 3× s-4vcpu-8gb: **$144** | PG 4 GB HA: **$120** | Redis 2 GB: **$30** | Spaces 200 GB: **$10** | LB: **$12** | **~$316** | +| **Scaleway** *(Kapsule + managed)* | 3× PLAY2-MICRO: **€118** | DB-PRO2-XXS managed: **€80** | PLAY2-NANO Redis: **€20** | OBJ 200 GB: **€2** | LB: **€9.99** | **~€230 (~$249)** | +| **Vultr** *(VKE)* | 3× 4vCPU/8GB: **$120** | PG managed ~$60: **$60** | Redis: **$30** | Block 200 GB: **$20** | VKE CP: **$10** | **~$240** | +| **GCP** *(GKE Autopilot)* | Autopilot 8 pods: **~$200** | Cloud SQL n1-std-2 HA: **$250** | Memorystore 2 GB: **$78** | GCS: **$5** | LB: **$20** | **~$553** | +| **AWS** *(EKS, eu-west-3)* | EKS CP: **$73** + 3×t3.xlarge: **$414** | db.r6g.large Multi-AZ: **$496** | cache.r6g.large: **$150** | S3 200 GB: **$4.60** | ALB: **$38** + 2×NAT: **$73** | **~$1 249** | +| **Azure** *(AKS + managed)* | AKS CP: **$72** + 3×D4s_v3: **$420** | PG D2ds_v6 HA: **$327** | Redis C2 Standard: **$109** | Blob: **$4** | LB: **$25** | **~$957** | +| **GCP** *(GKE Standard)* | GKE CP: **$72** + 3×e2-std-4: **$292** | Cloud SQL n1-std-4 HA: **$460** | Memorystore 2 GB: **$78** | GCS: **$5** | LB: **$20** + NAT: **$20** | **~$947** | + +--- + +## 5. Tableau comparatif — 10 000 utilisateurs + +**Hypothèses :** 1 000–3 000 simultanés, ~5 000 bookings/mois, 50 000 searches/jour, 1-2 TB stockage, 150 000 emails/mois + +### Configuration retenue +- 6–8 worker nodes avec autoscaling +- PostgreSQL 8 vCPU / 32 GB HA + read replica +- Redis cluster/réplication (WebSocket + cache massif) +- Stockage objet 1 TB avec lifecycle policies +- 2 Load Balancers + +| Fournisseur | Compute | DB (HA + replica) | Redis | Stockage | LB/Réseau | **Total/mois** | +|---|---|---|---|---|---|---| +| **Hetzner** *(k3s self-managed)* | 3×CX22 CP + 6×CX52: **€227** | CCX23 PG+replica CX32: **€35** + 500 GB vol: **€22** | CX42 Redis: **€16.40** | Object Storage + extra: **€15** | LB31: **€29** | **🥇 ~€344 (~$373)** | +| **Hetzner** *(post 1 avril)* | **€306** | **€47 + €29** | **€21.49** | **€15** | **€39** | **~€458 (~$496)** | +| **OVHcloud** *(MKS + self-hosted)* | 5× B2-30: **€470** | B2-30 PG + B2-15 replica: **€140** | B2-15 Redis: **€46** | OBJ 1 TB: **€11** | 2× LB: **€30** | **~€697 (~$756)** | +| **DigitalOcean** *(DOKS + managed)* | 6× g-4vcpu-16gb: **$720** | PG 8 GB HA: **$240** | Redis 4 GB HA: **$60** | Spaces + CDN: **$40** | 2× LB: **$24** | **~$1 084** | +| **Scaleway** *(Kapsule + managed)* | 5× GP1-S: **€683** | DB-PRO2-S managed (8 vCPU): **€320** | PLAY2-MICRO Redis: **€39** | OBJ 1 TB: **€10** | 2× LB: **€20** | **~€1 072 (~$1 163)** | +| **Vultr** *(VKE)* | 6× 4vCPU/16GB HP: **$528** | PG managed large ~$120: **$120** | Redis cluster: **$60** | Block: **$50** | VKE CP: **$10** | **~$768** | +| **GCP** *(GKE Autopilot)* | Autopilot 20 pods: **~$600** | Cloud SQL n1-std-8 HA: **$800** | Memorystore 5 GB: **$195** | GCS + CDN: **$30** | LB: **$50** | **~$1 675** | +| **AWS** *(EKS, eu-west-3)* | EKS CP: **$73** + 6×m6i.xlarge: **$981** | db.r6g.2xlarge Multi-AZ: **$1 518** + replica: **$700** | cache.r6g.xlarge cluster: **$1 452** | S3 + CDN: **$72** | 2×ALB: **$110** + 2×NAT: **$111** | **~$5 017** | +| **Azure** *(AKS + managed)* | AKS CP: **$72** + 6×D4s_v3: **$840** | PG D4ds_v6 HA: **$654** + replica: **$327** | Redis P1: **$394** | Blob + CDN: **$50** | 2× LB: **$40** | **~$2 377** | +| **GCP** *(GKE Standard)* | GKE CP: **$72** + 6×e2-std-4: **$583** | Cloud SQL n1-std-8 HA: **$1 600** | Memorystore 5 GB: **$195** | GCS + CDN: **$30** | LB: **$60** | **~$2 540** | + +--- + +## 6. Récapitulatif global + +### Coût mensuel all-in (production viable) + +| Fournisseur | 100 users | 1 000 users | 10 000 users | RGPD EU | Ops requis | +|---|---|---|---|---|---| +| 🥇 **Hetzner (self-managed, actuel)** | **€28** | **€97** | **€344** | ✅ 🇩🇪 | ⭐⭐⭐ Élevé | +| 🥈 **Hetzner (post 1 avril)** | **€36** | **€129** | **€458** | ✅ 🇩🇪 | ⭐⭐⭐ Élevé | +| 🥉 **OVHcloud (self-hosted DB)** | **€87** | **€249** | **€697** | ✅ 🇫🇷 | ⭐⭐ Moyen | +| 4️⃣ **Vultr VKE** | **$100** | **$240** | **$768** | ❌ US | ⭐ Faible | +| 5️⃣ **DigitalOcean DOKS** | **$110** | **$316** | **$1 084** | ❌ US\* | ⭐ Faible | +| 6️⃣ **Scaleway Kapsule** | **€92** | **€230** | **€1 072** | ✅ 🇫🇷 | ⭐ Faible | +| 7️⃣ **GCP GKE Autopilot** | **$143** | **$553** | **$1 675** | ✅ Belgium | ⭐ Faible | +| 8️⃣ **Azure AKS** | **$185** | **$957** | **$2 377** | ✅ Netherlands | ⭐ Faible | +| 9️⃣ **GCP GKE Standard** | **$327** | **$947** | **$2 540** | ✅ Belgium | ⭐ Faible | +| 🔟 **AWS EKS** | **$270** | **$1 249** | **$5 017** | ✅ 🇫🇷 Paris | ⭐ Faible | + +> \* DigitalOcean propose une région Amsterdam (AMS3) pour la conformité RGPD européenne. + +### Rapport qualité/prix — Score global + +``` +Hetzner post-1er avril ████████████████████ 1x (référence) +OVHcloud ████████████░░░░░░░░ 3x vs Hetzner +Vultr ████████████░░░░░░░░ 3x +DigitalOcean ████████░░░░░░░░░░░░ 3.5x +Scaleway ████████░░░░░░░░░░░░ 3.5x +GCP Autopilot ████░░░░░░░░░░░░░░░░ 5x +Azure ███░░░░░░░░░░░░░░░░░ 6x +GCP Standard ██░░░░░░░░░░░░░░░░░░ 7x +AWS EKS █░░░░░░░░░░░░░░░░░░░ 13x (à 10 000 users) +``` + +--- + +## 7. Analyse détaillée par fournisseur + +### 🟢 Hetzner Cloud — Le moins cher de loin + +**Avantages :** +- Prix **5 à 15× inférieurs** à AWS/GCP pour des ressources équivalentes +- Serveurs ARM64 Ampere (CAX-series) : encore moins chers et performants pour des workloads Node.js +- Object Storage S3-compatible inclus dès €4.99/mois (1 TB) — **remplace MinIO directement** +- Kubernetes gratuit (HKE control plane free ou k3s self-managed) +- Data centers en Allemagne et Finlande → RGPD natif +- Trafic entrant gratuit, sortant €0.045/GB (bien moins qu'AWS) +- [hetzner-k3s](https://github.com/vitobotta/hetzner-k3s) : cluster Kubernetes en 5 minutes avec 1 commande +- **⚠️ Hausse de prix ~35% le 1er avril 2026** — même après, Hetzner reste 4–10× moins cher qu'AWS + +**Inconvénients :** +- **Pas de base de données managée native** → il faut soit self-hoster, soit utiliser un service tiers +- Pas de managed Redis natif +- Support limité (pas de support 24/7 téléphonique enterprise) +- PostgreSQL self-hosted = vous gérez les backups, les mises à jour, la HA +- Moins de services managés (pas d'équivalent IAM, Secrets Manager, WAF natifs) + +**Options pour la base de données sur Hetzner :** + +| Solution | Prix | Trade-off | +|---|---|---| +| Self-hosted PG sur CX32 | €6.80-9.19/mois | Vous gérez tout | +| **Neon.tech** (serverless PG) | $0-19/mois (free tier généreux) | Parfait pour dev, pas pour 10 000 users | +| **Railway.app** (managed PG) | $5/mois + usage | Simple, backups auto | +| **Supabase** (managed PG) | $25/mois (Pro) | PostgreSQL + Auth + Storage | +| **Ubicloud PG sur Hetzner** | ~$10-50/mois | Managed, tourne sur Hetzner | + +**Verdict Hetzner :** Idéal si vous avez les compétences ops pour gérer PostgreSQL et Redis. Le ROI est massif. Recommandé dès la phase MVP. + +--- + +### 🟡 OVHcloud — Le meilleur compromis européen + +**Avantages :** +- **Entreprise française**, RGPD natif, données en France +- **Zéro frais d'egress** — si votre app génère beaucoup de trafic sortant (carrier APIs, PDFs), c'est une économie réelle +- MKS Managed Kubernetes control plane **gratuit** +- Pricing prévisible sans surprises sur la facture +- Object Storage S3-compatible à €0.011/GB (moins cher que AWS S3) +- **Bonne alternative à AWS pour les clients qui exigent la souveraineté française** + +**Inconvénients :** +- Interfaces et UX moins polies qu'AWS/DO +- CloudDB (DB managée) est limitée en ressources et fonctionnalités +- Support parfois lent selon les retours communauté +- Moins de services managés (Redis non managé natif) +- Pas de CDN aussi performant que CloudFront + +**Verdict OVHcloud :** Excellent choix si la souveraineté des données en France est un critère client ou réglementaire. L'absence d'egress est un vrai avantage sur les gros volumes. + +--- + +### 🟡 DigitalOcean — Le plus simple à utiliser + +**Avantages :** +- Interface la plus simple et intuitive du marché +- **Managed PostgreSQL + Redis de qualité** à prix raisonnable +- DOKS (Kubernetes) avec control plane **gratuit** +- DO Spaces : S3-compatible, €5/mois inclut 250 GB + 1 TB egress — **parfait pour Xpeditis** +- Excellente documentation, nombreux tutoriels +- Support réactif +- Load Balancer $12/mois sans surprise + +**Inconvénients :** +- Siège aux USA (mais région Amsterdam disponible pour RGPD) +- Prix compute assez élevés vs Hetzner (×3-4) +- Pas de Reserved Instances / économies long terme +- Redis pricing identique à PostgreSQL (peut sembler cher pour un cache) + +**Verdict DigitalOcean :** Le meilleur choix si vous voulez **minimiser le temps d'opération** et que vous avez un budget correct. Pricing transparent, aucune surprise sur la facture (contrairement à AWS). + +--- + +### 🟡 Scaleway — L'alternative française moderne + +**Avantages :** +- **Entreprise française** (Iliad group), data centers à Paris +- RGPD natif, conformité HDS disponible (santé) +- Kapsule Kubernetes control plane **gratuit** +- Instances ARM64 disponibles (très économiques) +- Object Storage S3-compatible avec egress inclus +- API moderne, bonne DX + +**Inconvénients :** +- **Managed databases chères** (€80/mois pour 2 vCPU / 8 GB) +- Moins mature qu'AWS/GCP pour les fonctionnalités avancées +- Catalogue de services plus limité +- Moins de régions disponibles + +**Verdict Scaleway :** Intéressant si vous restez en self-hosted pour la DB ou si le contexte légal exige France. Les managed databases sont trop chères pour un early-stage. + +--- + +### 🔴 AWS EKS — Le plus puissant, le plus cher + +**Avantages :** +- Écosystème le plus complet (IAM, KMS, Secrets Manager, WAF, CloudFront, SES...) +- SLA enterprise, support 24/7, certifications (ISO 27001, SOC2, HDS France) +- RDS Multi-AZ battle-tested, ElastiCache Redis géré en perfection +- CloudFront CDN mondial +- Région Paris (eu-west-3) pour conformité RGPD française +- Idéal si vous intégrez avec d'autres services AWS (Maersk utilise AWS, par exemple) + +**Inconvénients :** +- **EKS control plane $73/mois fixe** — cher pour 100 users +- **NAT Gateway $33/mois par AZ** + $0.045/GB traitement → coût caché significatif +- **Facturation complexe** : les surprises de facture AWS sont légendaires +- RDS Multi-AZ double le coût de la DB +- ElastiCache explose à 10 000 users ($1 452/mois pour Redis cluster) +- Pas compétitif sur le pure coût compute + +**Verdict AWS :** Justifié uniquement si vous avez des clients enterprise qui l'exigent contractuellement, ou si vous êtes déjà profondément intégré dans l'écosystème AWS. Pour un SaaS maritime en croissance, le surcoût n'est pas justifiable avant 10 000+ users. + +--- + +### 🔶 GCP — Meilleur rapport qualité/prix parmi les hyperscalers + +**Avantages :** +- **GKE Autopilot** : pas de gestion des nodes, facturation à la pod (potentiellement économique pour charges variables) +- Réseau performant, BigQuery pour analytics +- Cloud SQL plus simple à configurer qu'AWS RDS +- Sustained Use Discounts automatiques (pas besoin de Reserved Instances) + +**Inconvénients :** +- Cloud SQL coûteux en HA (doublement) +- Memorystore Redis pricing identique à ElastiCache +- Egress coûteux ($0.12/GB vs $0.09 AWS) +- Interface moins intuitive qu'AWS/Azure + +**Verdict GCP :** Alternative intéressante à AWS avec Autopilot pour les charges variables. Mais Cloud SQL HA reste cher. Pas compétitif face à DO/Hetzner. + +--- + +### 🔶 Azure — Le moins intéressant pour ce projet + +**Avantages :** +- AKS control plane gratuit +- Bien intégré si déjà client Microsoft +- PostgreSQL Flexible Server correct + +**Inconvénients :** +- Worker nodes (VM) les plus chers des hyperscalers +- Azure Cache for Redis pricing élevé (P1 = $394/mois) +- Pricing complexe et souvent plus élevé qu'AWS à périmètre équivalent +- Moins de services maritimes/logistiques spécifiques + +**Verdict Azure :** Aucun avantage notable pour Xpeditis. AWS est plus mature pour ce type de projet si vous allez sur un hyperscaler. + +--- + +## 8. Option hybride recommandée + +La meilleure stratégie coût/risque pour Xpeditis est une **approche hybride** : compute sur Hetzner (ou OVH), services critiques sur des managed services spécialisés. + +``` +┌─────────────────────────────────────────────────────┐ +│ Xpeditis — Architecture Hybride │ +│ │ +│ ┌─────────────────────────────────────────────┐ │ +│ │ Hetzner Cloud (compute + réseau) │ │ +│ │ │ │ +│ │ k3s cluster │ │ +│ │ ├── NestJS pods (2-15 replicas) │ │ +│ │ ├── Next.js pods (1-8 replicas) │ │ +│ │ └── Traefik Ingress + cert-manager │ │ +│ │ │ │ +│ │ Hetzner Object Storage │ │ +│ │ (S3-compatible, 0 changement de code) │ │ +│ └─────────────────────────────────────────────┘ │ +│ │ │ +│ ┌───────────────────────────────────────────────┐ │ +│ │ Services managés externes (prix fixes) │ │ +│ │ │ │ +│ │ Neon.tech / Railway ──► PostgreSQL managé │ │ +│ │ Upstash Redis ──► Redis serverless │ │ +│ │ Brevo / Postmark ──► Email SMTP │ │ +│ │ Cloudflare ──► CDN + WAF (free) │ │ +│ └───────────────────────────────────────────────┘ │ +└─────────────────────────────────────────────────────┘ +``` + +### Coûts de l'architecture hybride + +| Service | Fournisseur | 100 users | 1 000 users | 10 000 users | +|---|---|---|---|---| +| Compute + réseau | Hetzner (post-avril) | €36 | €129 | €458 | +| PostgreSQL managé | [Neon.tech](https://neon.tech) Pro | $19 | $69 | $700 | +| Redis managé | [Upstash](https://upstash.com) | $0 (free) | $10 | $120 | +| Email | [Brevo](https://brevo.com) (ex-Sendinblue) | $0 (free 300/j) | $9 | $49 | +| CDN + WAF | [Cloudflare](https://cloudflare.com) | $0 (free) | $0 | $0-20 | +| DNS | Cloudflare | $0 | $0 | $0 | +| **TOTAL** | | **~€65 (~$70)** | **~€230 (~$250)** | **~€1 400 (~$1 520)** | + +> **Avantage Neon.tech :** PostgreSQL serverless, scale automatique, branchement de DB pour dev/staging, backups automatiques. Compatible avec le TypeORM de Xpeditis sans changement. + +> **Avantage Upstash Redis :** Pricing pay-per-use, pas de cluster à gérer. Parfait pour le cache rate quotes et le pub/sub WebSocket à petite/moyenne échelle. + +--- + +## 9. Matrice de décision + +Choisissez votre scenario selon vos priorités : + +### Critère 1 — Budget serré (early-stage, bootstrapped) + +``` +Budget < €100/mois → Hetzner self-managed + Neon.tech + Upstash +``` + +**Recommandé :** Architecture hybride Hetzner ci-dessus. +**Risque :** Vous gérez vous-même k3s, les mises à jour de nœuds, la surveillance. +**Mitigation :** Utiliser `hetzner-k3s` (automatise 90% des ops K8s) et des managed services tiers. + +--- + +### Critère 2 — Balance coût / sérénité (série A, 1-5 devs) + +``` +Budget €200-500/mois → DigitalOcean DOKS ou OVHcloud MKS +``` + +**DigitalOcean** si vous voulez la simplicité maximale et que les données hors-EU ne sont pas bloquantes. +**OVHcloud** si vous avez des clients qui exigent la souveraineté française des données. + +--- + +### Critère 3 — Conformité RGPD maximale + souveraineté française + +``` +Données en France requises → OVHcloud (Paris) ou Scaleway (Paris) ou AWS eu-west-3 (Paris) +``` + +- **Budget raisonnable :** OVHcloud (€249/mois à 1 000 users vs $1 249 AWS) +- **Conformité enterprise :** AWS eu-west-3 (certifications HDS, ISO 27001 France) + +--- + +### Critère 4 — Croissance rapide, clients enterprise (scale-up) + +``` +10 000+ users + SLA enterprise → AWS eu-west-3 ou GCP europe-west1 +``` + +Justifié si : +- Clients exigent des certifications spécifiques (HDS pour santé, PCI-DSS) +- Contrats avec pénalités SLA +- Intégration avec d'autres services cloud (ex: Maersk/MSC utilisent AWS) +- Équipe ops dédiée pour gérer les coûts AWS + +--- + +### Critère 5 — Vous voulez tout gérer vous-même (max économies) + +``` +VPS self-managed → Hetzner (k3s + PostgreSQL + Redis sur VM dédiées) +``` + +**Stack complète self-managed sur Hetzner :** + +| Composant | Solution | Outil | +|---|---|---| +| Kubernetes | k3s via hetzner-k3s | [github.com/vitobotta/hetzner-k3s](https://github.com/vitobotta/hetzner-k3s) | +| PostgreSQL | Docker + pg_auto_failover ou Patroni | Ou simplement 1 VM dédiée + cron backup S3 | +| Redis | Docker single node | Replication manuelle si besoin | +| Stockage | Hetzner Object Storage | SDK déjà configuré dans Xpeditis | +| TLS | cert-manager + Let's Encrypt | Déjà dans l'écosystème k3s | +| Monitoring | Grafana + Prometheus | Stack kube-prometheus-stack | +| Emails | Brevo / Postmark SMTP | Changer SMTP_HOST dans .env | +| CDN | Cloudflare (gratuit) | Proxy devant Hetzner LB | + +--- + +## 10. Recommandation finale + +### Pour Xpeditis 2.0 — Recommandation par phase + +--- + +#### Phase MVP / Lancement (0 → 100 users) +**→ Hetzner Cloud + services managés tiers** + +``` +Budget cible : €65-80/mois +``` + +| Composant | Solution | Coût | +|---|---|---| +| K8s cluster | 2× CX32 + k3s | €18.38 (post-avril) | +| LB | LB11 Hetzner | €7.49 | +| PostgreSQL | Neon.tech Pro | $19 | +| Redis | Upstash free tier | $0 | +| Stockage | Hetzner Object Storage | €4.99 | +| Email | Brevo free (300/j) | €0 | +| CDN + WAF | Cloudflare free | €0 | +| **TOTAL** | | **~€55/mois** | + +**Pourquoi :** À ce stade, le coût doit être minimum. Le risque technique d'un PostgreSQL managé par Neon est faible et bien inférieur à se gérer soi-même. + +--- + +#### Phase Croissance (100 → 1 000 users) +**→ OVHcloud MKS ou DigitalOcean DOKS** + +``` +Budget cible : €200-350/mois +``` + +**Si RGPD/souveraineté française critique :** +- OVHcloud MKS (3× B2-15) + PostgreSQL self-hosted sur B2-15 + Redis sur B2-7 +- **~€249/mois** + +**Si priorité simplicité :** +- DigitalOcean DOKS (3× s-4vcpu-8gb) + Managed PG 4 GB HA + Managed Redis +- **~$316/mois** + +**Pourquoi pas Hetzner ici ?** La gestion de PostgreSQL HA (Patroni + etcd) + Redis Sentinel devient complexe quand le trafic augmente et que vous n'avez pas d'équipe ops dédiée. + +--- + +#### Phase Scale (1 000 → 10 000 users) +**→ OVHcloud ou DigitalOcean (selon RGPD)** + +``` +Budget cible : €700-1 100/mois +``` + +| Fournisseur | Coût 10 000 users | Avantage | +|---|---|---| +| OVHcloud | ~€697 | RGPD France, 0 egress | +| DigitalOcean | ~$1 084 | Simplicité, managed DB | +| **AWS EKS** | **~$5 017** | SLA enterprise, certifications | + +**→ AWS EKS uniquement si** vous avez des contrats enterprise qui l'exigent, car le surcoût (×5 à ×7 vs OVH/DO) doit être justifié par le CA client. + +--- + +### Résumé en une phrase par option + +| Option | Pour qui | +|---|---| +| **Hetzner self-managed** | Vous avez les skills ops, le budget est critique, phase MVP | +| **OVHcloud MKS** | Clients français exigeants sur RGPD, budget moyen, bonne expertise Linux | +| **DigitalOcean DOKS** | Vous voulez vous concentrer sur le code, pas l'infra, budget correct | +| **Scaleway Kapsule** | Entreprise française, conformité HDS possible, managed DB acceptable | +| **AWS EKS eu-west-3** | Clients enterprise, SLA contractuels, équipe et budget dédiés | +| **Architecture hybride** | Le meilleur ROI à toutes les étapes — **recommandé par défaut** | + +--- + +### La recommandation optimale — Architecture hybride progressive + +``` +Aujourd'hui (MVP) Dans 6 mois (1 000 users) Dans 18 mois (10 000 users) +───────────────── ────────────────────────── ─────────────────────────── +Hetzner k3s Migrer vers OVHcloud MKS Rester OVH ou migrer AWS ++ Neon.tech PG + PostgreSQL self-hosted HA si clients enterprise ++ Upstash Redis + Redis Sentinel AWS eu-west-3 justifié ++ Hetzner Object Storage + Hetzner Object Storage au-delà de €500K ARR +≈ €65/mois ≈ €249/mois ≈ €697-5017/mois +``` + +> **Note sur les migrations :** Passer de Hetzner à OVHcloud ou DigitalOcean est simple (K8s manifests identiques, changement de variables d'environnement). Passer vers AWS requiert une refactorisation partielle (EKS ingress, IAM, RDS connection strings). Planifiez cette migration si vous atteignez des clients enterprise, pas avant. + +--- + +*Sources : hetzner.com/cloud, digitalocean.com/pricing, ovhcloud.com/fr/public-cloud/prices, scaleway.com/fr/tarifs, cloud.google.com, azure.microsoft.com, aws.amazon.com — Mars 2026* +*Tous les prix sont indicatifs on-demand. Les prix Hetzner pré-1er avril 2026 sont encore actifs au moment de la rédaction.* diff --git a/docs/deployment/hetzner/01-architecture.md b/docs/deployment/hetzner/01-architecture.md new file mode 100644 index 0000000..2aff52b --- /dev/null +++ b/docs/deployment/hetzner/01-architecture.md @@ -0,0 +1,286 @@ +# 01 — Architecture de production sur Hetzner + +--- + +## Vue d'ensemble + +``` +┌─────────────────────────────────────────────────────────────────────────┐ +│ INTERNET │ +└───────────────────────────────┬─────────────────────────────────────────┘ + │ + ┌───────────▼───────────┐ + │ Cloudflare │ + │ WAF + CDN + DNS │ + │ TLS termination │ + └───────────┬───────────┘ + │ HTTPS (443) + ┌───────────▼───────────┐ + │ Hetzner Load │ + │ Balancer (LB11) │ + │ €7.49/mois │ + └─────┬─────────┬───────┘ + │ │ + ┌──────────────▼──┐ ┌───▼──────────────┐ + │ Worker Node 1 │ │ Worker Node 2 │ + │ CX42 (8c/16G) │ │ CX42 (8c/16G) │ + │ €21.49/mois │ │ €21.49/mois │ + │ │ │ │ + │ ┌─────────────┐ │ │ ┌─────────────┐ │ + │ │ NestJS Pod │ │ │ │ NestJS Pod │ │ + │ │ (backend) │ │ │ │ (backend) │ │ + │ └─────────────┘ │ │ └─────────────┘ │ + │ ┌─────────────┐ │ │ ┌─────────────┐ │ + │ │ Next.js Pod │ │ │ │ Next.js Pod │ │ + │ │ (frontend) │ │ │ │ (frontend) │ │ + │ └─────────────┘ │ │ └─────────────┘ │ + └────────┬────────┘ └────────┬─────────┘ + │ Réseau privé Hetzner (10.0.0.0/16) + ┌────────▼────────────────────▼─────────┐ + │ Control Plane Node │ + │ CX22 (2c/4G) €5.11/mois │ + │ k3s server (etcd) │ + └────────────────────────────────────────┘ + │ + ┌───────────────────────┼───────────────────────┐ + │ │ │ +┌───────▼───────┐ ┌───────────▼──────────┐ ┌───────▼───────┐ +│ PostgreSQL │ │ Redis │ │ Hetzner │ +│ Neon.tech │ │ Upstash (serverless) │ │ Object │ +│ ou self-host │ │ ou self-hosted │ │ Storage │ +│ $19/mois │ │ $0-10/mois │ │ S3-compat. │ +│ │ │ │ │ €4.99/mois │ +└───────────────┘ └──────────────────────┘ └───────────────┘ +``` + +--- + +## Composants et rôles + +### Couche réseau + +| Composant | Rôle | Port | +|---|---|---| +| **Cloudflare** | DNS, WAF, CDN, protection DDoS, cache assets | 443 (HTTPS) | +| **Hetzner Load Balancer** | Distribution trafic entre workers, sticky sessions WebSocket | 80, 443 | +| **Réseau privé Hetzner** | Communication inter-nœuds (10.0.0.0/16), base de données | Interne | + +### Couche Kubernetes (k3s) + +| Composant | Rôle | Ressource | +|---|---|---| +| **Control Plane (CX22)** | etcd, kube-apiserver, scheduler, controller-manager | 2 vCPU / 4 GB | +| **Worker Nodes (CX42)** | Exécution des pods NestJS + Next.js | 8 vCPU / 16 GB chacun | +| **Traefik Ingress** | Routage HTTP/HTTPS, sticky sessions Socket.IO | Built-in k3s | +| **cert-manager** | TLS automatique via Let's Encrypt | In-cluster | +| **Hetzner Cloud Controller** | Provisionne LB + volumes depuis Kubernetes | In-cluster | +| **Hetzner CSI Driver** | PersistentVolumes sur Hetzner Volumes | In-cluster | + +### Couche application + +| Pod | Image | Replicas | Ports | +|---|---|---|---| +| **xpeditis-backend** | `ghcr.io//xpeditis-backend:latest` | 2–15 | 4000 | +| **xpeditis-frontend** | `ghcr.io//xpeditis-frontend:latest` | 1–8 | 3000 | + +### Couche données + +| Service | Option MVP | Option Production | Protocole | +|---|---|---|---| +| **PostgreSQL 15** | Neon.tech Pro ($19/mois) | Self-hosted sur CX32 | 5432 | +| **Redis 7** | Upstash free ($0-10/mois) | Self-hosted StatefulSet | 6379 | +| **Stockage fichiers** | Hetzner Object Storage (€4.99/mois) | Idem (scale automatique) | HTTPS/S3 API | + +--- + +## Flux réseau détaillé + +### Requête API standard (rate search) + +``` +Client Browser + │ HTTPS + ▼ +Cloudflare (cache miss → forward) + │ HTTPS, header CF-Connecting-IP + ▼ +Hetzner Load Balancer :443 + │ HTTP (TLS terminé par Cloudflare ou cert-manager) + ▼ +Traefik Ingress (api.xpeditis.com) + │ HTTP :80 interne + ▼ +NestJS Pod (port 4000) + ├── Redis (cache rate:FSN:HAM:20ft) → HIT → retour direct + └── MISS → 5× appels APIs carriers (Maersk/MSC/etc.) + └── Réponse → Store Redis TTL 15min + └── Réponse client +``` + +### Connexion WebSocket (notifications temps réel) + +``` +Client Browser + │ wss:// upgrade + ▼ +Cloudflare (WebSocket proxy activé) + │ + ▼ +Hetzner LB (sticky session cookie activé) + │ Même backend pod à chaque reconnexion + ▼ +Traefik (annotation sticky cookie) + │ + ▼ +NestJS Pod /notifications namespace (Socket.IO) + ├── Auth: JWT validation on connect + ├── Join room: user:{userId} + └── Redis pub/sub → broadcast cross-pods +``` + +### Upload de document (carrier portal) + +``` +Carrier Browser + │ + ▼ +NestJS POST /api/v1/csv-bookings/{id}/documents + │ Validation: type (PDF/XLS/IMG), taille max 10 MB + ▼ +S3StorageAdapter.upload() + │ AWS SDK v3, forcePathStyle: true + ▼ +Hetzner Object Storage + │ Endpoint: https://fsn1.your-objectstorage.com + └── Stocké: xpeditis-docs/{orgId}/{bookingId}/{filename} +``` + +--- + +## Ports et protocoles + +### Ports externes (ouverts sur Hetzner Firewall) + +| Port | Protocole | Source | Destination | Usage | +|---|---|---|---|---| +| 22 | TCP | Votre IP uniquement | Tous nœuds | SSH administration | +| 80 | TCP | 0.0.0.0/0 | LB | Redirection HTTP → HTTPS | +| 443 | TCP | 0.0.0.0/0 | LB | HTTPS + WebSocket | +| 6443 | TCP | Votre IP + workers | Control plane | Kubernetes API | + +### Ports internes (réseau privé 10.0.0.0/16 uniquement) + +| Port | Protocole | Usage | +|---|---|---| +| 5432 | TCP | PostgreSQL (si self-hosted) | +| 6379 | TCP | Redis (si self-hosted) | +| 4000 | TCP | NestJS API (pod → pod) | +| 3000 | TCP | Next.js (pod → pod) | +| 10250 | TCP | kubelet API | +| 2379-2380 | TCP | etcd (control plane) | + +--- + +## Namespaces Kubernetes + +``` +cluster +├── xpeditis-prod # Application principale +│ ├── Deployments: backend, frontend +│ ├── Services: backend-svc, frontend-svc +│ ├── ConfigMaps: backend-config, frontend-config +│ ├── Secrets: backend-secrets, frontend-secrets +│ ├── HPA: backend-hpa, frontend-hpa +│ └── Ingress: xpeditis-ingress +│ +├── cert-manager # Gestion certificats TLS +│ └── ClusterIssuer: letsencrypt-prod, letsencrypt-staging +│ +├── monitoring # Observabilité +│ ├── Prometheus +│ ├── Grafana +│ └── Loki +│ +└── kube-system # Système k3s + ├── Traefik (Ingress Controller) + ├── Hetzner Cloud Controller Manager + └── Hetzner CSI Driver +``` + +--- + +## Pourquoi k3s plutôt que k8s complet + +| Critère | k3s (choisi) | k8s complet | +|---|---|---| +| **RAM control plane** | 512 MB | 2-4 GB | +| **CPU control plane** | 1 vCPU | 2-4 vCPU → serveur plus cher | +| **Temps install** | 5 min (hetzner-k3s) | 30-60 min | +| **Maintenance** | System Upgrade Controller inclus | Manuelle | +| **Compatibilité** | 100% compatible kubectl/helm | — | +| **Traefik** | Inclus par défaut | Installation séparée | +| **Coût** | CX22 (€5.11/mois) comme control plane | Minimum CX42 (€21.49) | +| **Production** | Oui (utilisé par des milliers de startups) | Oui | + +--- + +## Stratégie de scaling + +### Horizontal Pod Autoscaler (HPA) + +``` +Métriques surveillées : +- CPU > 70% → Scale up +- CPU < 30% (5 min) → Scale down +- Mémoire > 80% → Scale up (custom metric) + +Backend : min 2 → max 15 pods +Frontend : min 1 → max 8 pods +``` + +### Cluster Autoscaler + +``` +Worker nodes : min 2 → max 8 +Déclenché par : pods en état "Pending" (pas assez de ressources) +Délai scale-down : 10 min d'utilisation < 50% +``` + +--- + +## Décisions d'architecture + +### Pourquoi Hetzner Object Storage plutôt que MinIO self-hosted + +Le code utilise déjà `AWS SDK v3` avec `forcePathStyle: true` et un endpoint configurable. Hetzner Object Storage est 100% compatible S3 → **zéro modification de code**, juste les variables d'environnement : + +```bash +# Avant (MinIO local) +AWS_S3_ENDPOINT=http://localhost:9000 + +# Après (Hetzner Object Storage) +AWS_S3_ENDPOINT=https://fsn1.your-objectstorage.com +AWS_ACCESS_KEY_ID= +AWS_SECRET_ACCESS_KEY= +AWS_REGION=eu-central-1 +AWS_S3_BUCKET=xpeditis-prod +``` + +### Pourquoi Neon.tech pour PostgreSQL (MVP) + +- PostgreSQL 15 managé, compatible TypeORM +- Extensions `uuid-ossp` et `pg_trgm` disponibles (requis par Xpeditis) +- Backups automatiques inclus +- Connection pooling built-in (via PgBouncer) +- Pas de gestion de HA à faire manuellement +- Free tier pour le dev, $19/mois pour la prod +- Migration vers self-hosted possible à tout moment + +### Pourquoi Cloudflare devant Hetzner LB + +- CDN mondial (cache des assets Next.js) +- Protection DDoS free +- WAF avec règles OWASP +- DNS avec failover automatique +- Certificats TLS optionnels (on peut laisser cert-manager gérer le TLS) +- Cache des PDFs générés → économise les appels S3 diff --git a/docs/deployment/hetzner/02-prerequisites.md b/docs/deployment/hetzner/02-prerequisites.md new file mode 100644 index 0000000..bc2fe7d --- /dev/null +++ b/docs/deployment/hetzner/02-prerequisites.md @@ -0,0 +1,233 @@ +# 02 — Prérequis + +Tout ce dont vous avez besoin avant de commencer le déploiement. + +--- + +## Comptes à créer + +### Obligatoires + +| Service | URL | Usage | Coût | +|---|---|---|---| +| **Hetzner Cloud** | https://console.hetzner.cloud | Serveurs, LB, Object Storage | Pay-as-you-go | +| **GitHub** | https://github.com | Code + GitHub Actions + GHCR (images Docker) | Gratuit | +| **Cloudflare** | https://cloudflare.com | DNS + WAF + CDN | Gratuit (plan Free) | +| **Neon.tech** | https://neon.tech | PostgreSQL managé | Free → $19/mois Pro | + +### Recommandés (peuvent être substitués) + +| Service | URL | Usage | Coût | +|---|---|---|---| +| **Upstash** | https://upstash.com | Redis serverless | Free → $10/mois | +| **Brevo** | https://brevo.com | Email SMTP (remplace SendGrid) | Gratuit jusqu'à 300/j | +| **Sentry** | https://sentry.io | Error tracking | Gratuit (5K events/mois) | + +--- + +## Outils locaux à installer + +### Outils essentiels + +```bash +# macOS (avec Homebrew) +brew install kubectl helm hcloud vitobotta/tap/hetzner-k3s + +# Vérification versions minimales requises +kubectl version --client # >= 1.28 +helm version # >= 3.12 +hcloud version # >= 1.40 +hetzner-k3s version # >= 3.0 +``` + +```bash +# Ubuntu/Debian +# kubectl +curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" +chmod +x kubectl && sudo mv kubectl /usr/local/bin/ + +# helm +curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash + +# hcloud CLI +curl -Lo hcloud.tar.gz https://github.com/hetznercloud/cli/releases/latest/download/hcloud-linux-amd64.tar.gz +tar -xzf hcloud.tar.gz && sudo mv hcloud /usr/local/bin/ + +# hetzner-k3s +curl -Lo hetzner-k3s https://github.com/vitobotta/hetzner-k3s/releases/latest/download/hetzner-k3s-linux-amd64 +chmod +x hetzner-k3s && sudo mv hetzner-k3s /usr/local/bin/ +``` + +### Outils optionnels mais recommandés + +```bash +# kubectx + kubens — changer de contexte/namespace facilement +brew install kubectx + +# k9s — interface terminal pour Kubernetes (très utile) +brew install k9s + +# stern — logs multi-pods en temps réel +brew install stern + +# AWS CLI v2 — pour interagir avec Hetzner Object Storage +brew install awscli + +# Docker — pour build et test des images en local +brew install --cask docker +``` + +--- + +## Clés SSH + +Générez une paire de clés SSH dédiée pour Hetzner (ne réutilisez pas votre clé perso) : + +```bash +# Générer une clé ED25519 (plus sécurisée et performante que RSA) +ssh-keygen -t ed25519 -C "xpeditis-hetzner-deploy" -f ~/.ssh/xpeditis_hetzner + +# Résultat : +# ~/.ssh/xpeditis_hetzner (clé privée — ne JAMAIS partager) +# ~/.ssh/xpeditis_hetzner.pub (clé publique — à ajouter sur Hetzner) + +# Vérification +cat ~/.ssh/xpeditis_hetzner.pub +# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... xpeditis-hetzner-deploy +``` + +Ajoutez la clé publique dans `~/.ssh/config` pour faciliter la connexion : + +```bash +cat >> ~/.ssh/config << 'EOF' +Host hetzner-xpeditis-* + IdentityFile ~/.ssh/xpeditis_hetzner + User root + StrictHostKeyChecking no +EOF +``` + +--- + +## Nom de domaine + +Vous avez besoin d'un domaine avec accès à la gestion DNS. Ce guide suppose : + +| Domaine | Usage | +|---|---| +| `xpeditis.com` (ou votre domaine) | Site principal | +| `api.xpeditis.com` | API NestJS backend | +| `app.xpeditis.com` | Frontend Next.js | +| `monitoring.xpeditis.com` | Grafana (optionnel, accès restreint) | + +**Si vous n'avez pas encore de domaine :** Namecheap (~$10/an) ou OVHcloud (~€7/an). Une fois acheté, déléguez les DNS à Cloudflare (gratuit, meilleur outil DNS). + +### Déléguer le DNS à Cloudflare + +1. Créez un compte sur https://cloudflare.com +2. "Add a Site" → entrez votre domaine +3. Cloudflare scanne vos DNS existants +4. Copiez les 2 nameservers Cloudflare (ex: `carl.ns.cloudflare.com`) +5. Chez votre registrar, remplacez les nameservers par ceux de Cloudflare +6. Attendez 5-30 min pour la propagation + +--- + +## Variables d'environnement de travail + +Créez un fichier `.env.deploy` (ne pas committer) pour centraliser vos variables de déploiement : + +```bash +# Fichier : ~/.xpeditis-deploy.env +# Source ce fichier avant de travailler : source ~/.xpeditis-deploy.env + +# Hetzner +export HCLOUD_TOKEN="" +export HETZNER_SSH_KEY_PATH="$HOME/.ssh/xpeditis_hetzner" + +# Kubernetes +export KUBECONFIG="$HOME/.kube/kubeconfig-xpeditis-prod" + +# Domaine +export DOMAIN="xpeditis.com" +export API_DOMAIN="api.xpeditis.com" +export APP_DOMAIN="app.xpeditis.com" + +# Registry Docker (GitHub Container Registry) +export GHCR_REGISTRY="ghcr.io" +export GHCR_ORG="" +export BACKEND_IMAGE="$GHCR_REGISTRY/$GHCR_ORG/xpeditis-backend" +export FRONTEND_IMAGE="$GHCR_REGISTRY/$GHCR_ORG/xpeditis-frontend" + +# PostgreSQL (Neon.tech) +export DATABASE_URL="postgresql://user:pass@host/dbname?sslmode=require" + +# Redis (Upstash) +export REDIS_HOST="your-redis.upstash.io" +export REDIS_PORT="6379" +export REDIS_PASSWORD="" + +# Hetzner Object Storage +export HETZNER_S3_BUCKET="xpeditis-prod" +export HETZNER_S3_ENDPOINT="https://fsn1.your-objectstorage.com" +export HETZNER_S3_ACCESS_KEY="" +export HETZNER_S3_SECRET_KEY="" +``` + +--- + +## Checklist avant de démarrer + +``` +□ Compte Hetzner Cloud créé et vérifié (CB enregistrée) +□ Compte GitHub avec repo xpeditis2.0 (ou fork) +□ Compte Cloudflare avec domaine délégué +□ Compte Neon.tech créé +□ Compte Upstash créé (optionnel) +□ kubectl installé (>= 1.28) +□ helm installé (>= 3.12) +□ hcloud CLI installé et configuré +□ hetzner-k3s installé +□ Paire de clés SSH ED25519 générée pour Hetzner +□ Docker installé (pour build local) +□ Domaine + sous-domaines api. et app. planifiés +``` + +--- + +## Configuration hcloud CLI + +```bash +# Configurer le token Hetzner +hcloud context create xpeditis-prod +# Entrez votre token quand demandé + +# Vérifier la configuration +hcloud context list +hcloud server list # Doit retourner une liste vide (ou vos serveurs) + +# Lister les types de serveurs disponibles +hcloud server-type list + +# Lister les images disponibles +hcloud image list --type system | grep ubuntu +``` + +--- + +## Vérification finale + +```bash +# Tous ces checks doivent passer avant de continuer +echo "=== Vérification des outils ===" +kubectl version --client --short 2>/dev/null && echo "✅ kubectl OK" || echo "❌ kubectl manquant" +helm version --short 2>/dev/null && echo "✅ helm OK" || echo "❌ helm manquant" +hcloud version 2>/dev/null && echo "✅ hcloud OK" || echo "❌ hcloud manquant" +hetzner-k3s version 2>/dev/null && echo "✅ hetzner-k3s OK" || echo "❌ hetzner-k3s manquant" +docker --version 2>/dev/null && echo "✅ docker OK" || echo "❌ docker manquant" +ssh-keygen -l -f ~/.ssh/xpeditis_hetzner.pub 2>/dev/null && echo "✅ SSH key OK" || echo "❌ Clé SSH manquante" + +echo "" +echo "=== Vérification des tokens ===" +hcloud context list 2>/dev/null | grep xpeditis && echo "✅ hcloud context OK" || echo "❌ hcloud context non configuré" +``` diff --git a/docs/deployment/hetzner/03-hetzner-setup.md b/docs/deployment/hetzner/03-hetzner-setup.md new file mode 100644 index 0000000..08145ec --- /dev/null +++ b/docs/deployment/hetzner/03-hetzner-setup.md @@ -0,0 +1,290 @@ +# 03 — Setup Hetzner Cloud + +--- + +## Création du compte et du projet + +### 1. Créer le compte Hetzner + +1. Rendez-vous sur https://console.hetzner.cloud +2. Créez votre compte (email + CB requis) +3. Activez la vérification 2FA (obligatoire en production) +4. Créez un **nouveau projet** : `xpeditis-prod` + +### 2. Générer le token API + +1. Dans le projet `xpeditis-prod` → **Security** → **API Tokens** +2. **Generate API Token** + - Name: `hetzner-k3s-deploy` + - Permissions: **Read & Write** +3. Copiez le token immédiatement (affiché une seule fois) + +```bash +# Configurez hcloud avec ce token +hcloud context create xpeditis-prod +# → Entrez votre token + +# Vérification +hcloud server list +# Output: ID NAME STATUS IPV4 IPV6 DATACENTER +# (liste vide si première fois) +``` + +### 3. Ajouter la clé SSH + +```bash +# Via CLI hcloud +hcloud ssh-key create \ + --name xpeditis-deploy \ + --public-key-from-file ~/.ssh/xpeditis_hetzner.pub + +# Vérification +hcloud ssh-key list +# ID NAME FINGERPRINT +# 1234567 xpeditis-deploy xx:xx:xx:... +``` + +--- + +## Réseau privé (obligatoire pour la sécurité inter-nœuds) + +Le réseau privé permet aux nœuds de communiquer entre eux sans passer par internet. + +```bash +# Créer le réseau privé +hcloud network create \ + --name xpeditis-network \ + --ip-range 10.0.0.0/16 + +# Récupérer l'ID du réseau (nécessaire pour la config k3s) +hcloud network list +# ID NAME IP RANGE SERVERS +# 12345 xpeditis-network 10.0.0.0/16 0 servers + +export HETZNER_NETWORK_ID=12345 # Remplacer par votre ID + +# Créer un sous-réseau pour les nœuds du cluster +hcloud network add-subnet xpeditis-network \ + --type cloud \ + --network-zone eu-central \ + --ip-range 10.0.1.0/24 +``` + +--- + +## Firewall (règles de sécurité) + +Créez un firewall strict. Les workers ne doivent être accessibles que via le Load Balancer et depuis votre IP pour SSH. + +```bash +# Créer le firewall +hcloud firewall create --name xpeditis-firewall + +# Règle 1 : SSH depuis votre IP uniquement +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol tcp \ + --port 22 \ + --source-ips "$(curl -s https://api.ipify.org)/32" \ + --description "SSH depuis mon IP" + +# Règle 2 : HTTP/HTTPS depuis partout (via LB → workers) +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol tcp \ + --port 80 \ + --source-ips 0.0.0.0/0 \ + --description "HTTP public" + +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol tcp \ + --port 443 \ + --source-ips 0.0.0.0/0 \ + --description "HTTPS public" + +# Règle 3 : Kubernetes API (votre IP + réseau privé Hetzner) +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol tcp \ + --port 6443 \ + --source-ips "$(curl -s https://api.ipify.org)/32" \ + --description "kube-apiserver depuis mon IP" + +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol tcp \ + --port 6443 \ + --source-ips 10.0.0.0/16 \ + --description "kube-apiserver depuis réseau privé" + +# Règle 4 : Communication inter-nœuds (réseau privé uniquement) +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol tcp \ + --port 1-65535 \ + --source-ips 10.0.0.0/16 \ + --description "Trafic interne cluster" + +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol udp \ + --port 1-65535 \ + --source-ips 10.0.0.0/16 \ + --description "Trafic UDP interne cluster" + +# Règle 5 : ICMP (ping) pour monitoring +hcloud firewall add-rule xpeditis-firewall \ + --direction in \ + --protocol icmp \ + --source-ips 0.0.0.0/0 \ + --description "ICMP ping" + +# Vérification +hcloud firewall describe xpeditis-firewall +``` + +--- + +## Object Storage — Setup du bucket S3 + +### Créer le bucket + +1. Dans la console Hetzner → votre projet → **Object Storage** +2. Cliquez **Create Bucket** + - Location: **Falkenstein (fsn1)** (même région que vos serveurs) + - Bucket name: `xpeditis-prod` + - Visibility: **Private** (obligatoire) +3. Cliquez **Create** + +### Créer les credentials S3 + +1. Dans Object Storage → **Access Keys** +2. **Generate Access Key** + - Name: `xpeditis-backend` +3. Notez bien les deux valeurs (affichées une seule fois) : + - **Access Key** (commence par `htz...`) + - **Secret Key** (longue chaîne) + +### Vérifier avec AWS CLI + +```bash +# Configurer AWS CLI pour Hetzner Object Storage +aws configure --profile hetzner +# AWS Access Key ID: +# AWS Secret Access Key: +# Default region name: eu-central-1 +# Default output format: json + +# Tester la connexion +aws s3 ls --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Créer un dossier de test +aws s3 cp /dev/null s3://xpeditis-prod/test/.gitkeep \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Vérifier +aws s3 ls s3://xpeditis-prod/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com +``` + +### Structure du bucket recommandée + +``` +xpeditis-prod/ +├── documents/ # Documents carrier (PDF, XLS, images) +│ └── {orgId}/ +│ └── {bookingId}/ +│ └── {filename} +├── pdfs/ # PDFs de confirmation booking +│ └── {year}/ +│ └── {month}/ +│ └── {bookingNumber}.pdf +├── exports/ # Exports CSV/Excel des bookings +│ └── {orgId}/ +│ └── {timestamp}-bookings.xlsx +├── logos/ # Logos des organisations +│ └── {orgId}/ +│ └── logo.{ext} +└── backups/ # Backups PostgreSQL (voir doc 13) + └── {date}/ + └── xpeditis-{timestamp}.sql.gz +``` + +--- + +## Volumes Hetzner (si PostgreSQL self-hosted) + +Si vous choisissez d'héberger PostgreSQL sur Hetzner (voir doc 07), créez un volume dédié : + +```bash +# Créer un volume de 50 GB pour PostgreSQL +hcloud volume create \ + --name xpeditis-postgres-data \ + --size 50 \ + --location fsn1 \ + --format ext4 + +# L'ID sera utilisé dans la config k3s pour le PersistentVolume +hcloud volume list +# ID NAME SIZE SERVER LOCATION +# 67890 xpeditis-postgres-data 50 GB - fsn1 +``` + +--- + +## Placement Groups (haute disponibilité) + +Les placement groups garantissent que vos workers sont sur des hôtes physiques différents : + +```bash +# Créer un placement group "spread" (workers sur différents hôtes physiques) +hcloud placement-group create \ + --name xpeditis-workers \ + --type spread + +# Noter l'ID pour la config hetzner-k3s +hcloud placement-group list +# ID NAME TYPE SERVERS +# 111 xpeditis-workers spread 0 +``` + +--- + +## Récapitulatif des IDs à noter + +Après cette étape, vous devez avoir : + +```bash +# À sauvegarder dans ~/.xpeditis-deploy.env +export HCLOUD_TOKEN="" +export HCLOUD_NETWORK_ID="12345" # ID du réseau privé +export HCLOUD_SSH_KEY_NAME="xpeditis-deploy" +export HCLOUD_FIREWALL_NAME="xpeditis-firewall" +export HCLOUD_PLACEMENT_GROUP_NAME="xpeditis-workers" + +# Object Storage +export HETZNER_S3_ENDPOINT="https://fsn1.your-objectstorage.com" +export HETZNER_S3_BUCKET="xpeditis-prod" +export HETZNER_S3_ACCESS_KEY="" +export HETZNER_S3_SECRET_KEY="" +``` + +--- + +## Vérification globale + +```bash +# Tout doit être en place avant de continuer vers le doc 04/05 +echo "=== Network ===" && hcloud network list +echo "=== SSH Keys ===" && hcloud ssh-key list +echo "=== Firewalls ===" && hcloud firewall list +echo "=== Volumes ===" && hcloud volume list +echo "=== Placement Groups ===" && hcloud placement-group list +echo "=== Object Storage ===" && aws s3 ls s3://xpeditis-prod/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com 2>/dev/null && echo "✅ Bucket accessible" || echo "❌ Bucket inaccessible" +``` diff --git a/docs/deployment/hetzner/04-server-selection.md b/docs/deployment/hetzner/04-server-selection.md new file mode 100644 index 0000000..da3ac0a --- /dev/null +++ b/docs/deployment/hetzner/04-server-selection.md @@ -0,0 +1,183 @@ +# 04 — Choix des serveurs Hetzner + +--- + +## Types de serveurs Hetzner (post 1er avril 2026) + +### Série CX — Intel/AMD partagé (usage général) + +| Type | vCPU | RAM | SSD | Bande passante | Prix/mois | +|---|---|---|---|---|---| +| CX22 | 2 | 4 GB | 40 GB | 20 TB | **€5.11** | +| CX32 | 4 | 8 GB | 80 GB | 20 TB | **€9.19** | +| CX42 | 8 | 16 GB | 160 GB | 20 TB | **€21.49** | +| CX52 | 16 | 32 GB | 320 GB | 20 TB | **€43.49** | + +### Série CAX — ARM64 Ampere (meilleur rapport prix/perfs) + +| Type | vCPU | RAM | SSD | Prix/mois | +|---|---|---|---|---| +| CAX11 | 2 | 4 GB | 40 GB | **€3.79** | +| CAX21 | 4 | 8 GB | 80 GB | **€6.49** | +| CAX31 | 8 | 16 GB | 80 GB | **€12.49** | +| CAX41 | 16 | 32 GB | 160 GB | **€24.49** | + +> **Note ARM64 :** NestJS (Node.js) et Next.js fonctionnent parfaitement sur ARM64. Les images Docker `node:20-alpine` sont multi-arch. Les carrier APIs (Maersk, MSC...) appellent des APIs externes → architecture du serveur sans impact. **Les CAX sont 35-40% moins chères que les CX pour des perfs équivalentes.** + +### Série CCX — vCPU dédiés (pour la base de données) + +| Type | vCPU dédiés | RAM | SSD NVMe | Prix/mois | +|---|---|---|---|---| +| CCX13 | 2 | 8 GB | 80 GB | **€12.49** | +| CCX23 | 4 | 16 GB | 160 GB | **€23.99** | +| CCX33 | 8 | 32 GB | 240 GB | **€51.99** | +| CCX43 | 16 | 64 GB | 360 GB | **€103.99** | + +> Les CCX sont recommandés pour PostgreSQL self-hosted car les vCPUs dédiés évitent la contention avec d'autres clients. I/O NVMe plus rapide. + +--- + +## Recommandations par palier + +### Palier MVP — 100 utilisateurs + +**Objectif :** Démarrer avec un coût minimal, tout peut tenir sur peu de nœuds. + +``` +Control Plane : 1× CX22 (2 vCPU, 4 GB) — €5.11/mois +Workers : 2× CX32 (4 vCPU, 8 GB) — €9.19/mois × 2 = €18.38/mois +Load Balancer : LB11 — €7.49/mois +────────────────────────────────────────────────────── +Sous-total cluster : €30.98/mois ++ Neon.tech Pro : $19/mois ++ Upstash Redis : $0 (free tier) ++ Object Storage : €4.99/mois (inclut 1 TB) +────────────────────────────────────────────────────── +TOTAL : ~€55/mois +``` + +**Pods qui tiennent sur cette config :** +- 2× NestJS backend (500m CPU / 512Mi RAM chacun) +- 1× Next.js frontend (250m CPU / 256Mi RAM) +- Traefik ingress (built-in) +- cert-manager + +**Alternative ARM64 encore moins chère :** +``` +Control Plane : 1× CAX11 (2 vCPU, 4 GB) — €3.79/mois +Workers : 2× CAX21 (4 vCPU, 8 GB) — €6.49/mois × 2 = €12.98/mois +────────────────────────────────────────────────────── +Sous-total (ARM64) : €16.77/mois (vs €23.49 en CX) +``` + +> ⚠️ **Si vous utilisez CAX (ARM64)**, vérifiez que vos Dockerfiles sont buildés en `linux/arm64` ou utilisez des images `linux/amd64` avec émulation QEMU. Le plus simple : build multi-arch avec `docker buildx` (voir doc 11). + +--- + +### Palier Croissance — 1 000 utilisateurs + +**Objectif :** Performance correcte, HA partielle, autoscaling activé. + +``` +Control Plane : 1× CX22 (2 vCPU, 4 GB) — €5.11/mois +Workers : 3× CX42 (8 vCPU, 16 GB) — €21.49/mois × 3 = €64.47/mois + (autoscaling jusqu'à 6 nodes) +Load Balancer : LB21 (75 targets, 2 TB) — €22.14/mois +PostgreSQL : CCX13 dédié (4 vCPU dédiés) — €23.99/mois ← self-hosted + + 100 GB Volume — €5.70/mois +Redis : CX22 dédié — €5.11/mois +Object Storage: €4.99/mois +────────────────────────────────────────────────────── +TOTAL : ~€131/mois +``` + +**Pods sur cette config :** +- 4× NestJS backend (750m CPU / 768Mi RAM) +- 2× Next.js frontend (500m CPU / 512Mi RAM) +- HPA actif : scale jusqu'à 8 pods NestJS + +--- + +### Palier Scale — 10 000 utilisateurs + +**Objectif :** Haute disponibilité, performances sous charge. + +``` +Control Plane : 3× CX22 (cluster etcd HA) — €5.11/mois × 3 = €15.33/mois +Workers : 6× CX52 (16 vCPU, 32 GB) — €43.49/mois × 6 = €260.94/mois + (autoscaling jusqu'à 12 nodes) +Load Balancer : LB31 (150 targets, 3 TB) — €39.15/mois +PostgreSQL : CCX33 primary (8 vCPU dédié) — €51.99/mois + + CCX23 replica (4 vCPU dédié) — €23.99/mois + + 500 GB Volume NVMe — €28.50/mois +Redis : CX42 dédié — €21.49/mois +Object Storage: ~€15/mois (extra 3 TB) +────────────────────────────────────────────────────── +TOTAL : ~€457/mois +``` + +--- + +## Localisation des serveurs (datacenter) + +Hetzner a des datacenters en : +- `fsn1` — Falkenstein, Allemagne (recommandé) +- `nbg1` — Nuremberg, Allemagne +- `hel1` — Helsinki, Finlande (bon pour RGPD nordique) +- `ash` — Ashburn, USA (si clients américains prioritaires) +- `hil` — Hillsboro, USA + +**Recommandation :** `fsn1` (Falkenstein) pour les clients européens. Même région pour tous les nœuds pour minimiser la latence réseau interne. + +```bash +# Vérifier les datacenters disponibles dans une région +hcloud datacenter list +# ID NAME DESCRIPTION LOCATION +# 1 fsn1-dc3 Falkenstein 1 virtual DC 3 fsn1 +# 2 nbg1-dc3 Nuremberg 1 virtual DC 3 nbg1 +# 3 hel1-dc2 Helsinki 1 virtual DC 2 hel1 +# 4 ash-dc1 Ashburn, Virginia 1 virtual DC 1 ash +# 5 hil-dc1 Hillsboro, Oregon 1 virtual DC 1 hil +``` + +--- + +## Load Balancer — Choix du plan + +| Plan | Targets | Trafic inclus | Connexions | Prix/mois | +|---|---|---|---|---| +| **LB11** | 25 | 1 TB | 1 000 simultanées | €7.49 | +| **LB21** | 75 | 2 TB | 10 000 simultanées | €22.14 | +| **LB31** | 150 | 3 TB | 100 000 simultanées | ~€39 | + +- **100 users :** LB11 largement suffisant +- **1 000 users :** LB21 recommandé (WebSocket = connexions persistantes) +- **10 000 users :** LB31 nécessaire (10 000 connexions simultanées pour WS + HTTP) + +**Configuration WebSocket sur le LB :** +```yaml +# Dans hetzner-k3s config (géré automatiquement) +# Le LB Hetzner supporte les WebSockets nativement +# Sticky sessions : cookie_name=SERVERID +``` + +--- + +## Décision finale : ARM64 ou x86 ? + +| Critère | x86 (CX) | ARM64 (CAX) | +|---|---|---| +| Coût | Référence | **-35%** | +| Performances Node.js | Bonne | **Équivalente ou meilleure** | +| Docker images officielles | ✅ linux/amd64 | ✅ linux/arm64 (Node.js 20, Alpine, etc.) | +| Build CI/CD | Simple | Nécessite `linux/arm64` ou multi-arch | +| Dépendances natives | Toutes supportées | 99% supportées (vérifier pdfkit, argon2) | +| Maturité | Très mature | Mature (2023+) | + +**Verdict pour Xpeditis :** Les CAX sont recommandées si vous acceptez la légère complexité de build multi-arch. Sinon, CX pour la simplicité. Ce guide utilise CX par défaut. + +> **Vérification des dépendances natives pour ARM64 :** +> - `argon2` → ✅ binaires précompilés ARM64 via `@node-rs/argon2` +> - `pdfkit` → ✅ pur JavaScript, pas de binaires natifs +> - `sharp` (si utilisé pour images) → ✅ binaires ARM64 disponibles +> - `better-sqlite3` → Non utilisé (TypeORM PG) diff --git a/docs/deployment/hetzner/05-k3s-cluster.md b/docs/deployment/hetzner/05-k3s-cluster.md new file mode 100644 index 0000000..ab0efdc --- /dev/null +++ b/docs/deployment/hetzner/05-k3s-cluster.md @@ -0,0 +1,476 @@ +# 05 — Création du cluster k3s avec hetzner-k3s + +C'est le fichier central. Suivez chaque étape dans l'ordre. + +--- + +## Qu'est-ce que hetzner-k3s ? + +[hetzner-k3s](https://github.com/vitobotta/hetzner-k3s) est un outil CLI qui automatise la création d'un cluster k3s sur Hetzner Cloud. En une commande, il : + +1. Crée les serveurs (control plane + workers) +2. Configure le réseau privé +3. Installe k3s sur tous les nœuds +4. Installe le Hetzner Cloud Controller Manager (provisionne LB + volumes depuis K8s) +5. Installe le Hetzner CSI Driver (PersistentVolumes sur Hetzner Volumes) +6. Configure le Cluster Autoscaler (scale automatique des workers) +7. Installe le System Upgrade Controller (upgrades k3s automatiques) +8. Configure kubectl localement + +--- + +## Fichier de configuration du cluster + +Créez le fichier `cluster.yaml` à la racine du projet ou dans un dossier sécurisé (jamais dans le repo Git) : + +```bash +mkdir -p ~/.xpeditis +cat > ~/.xpeditis/cluster.yaml << 'EOF' +# ============================================================ +# Xpeditis Production Cluster — hetzner-k3s configuration +# ============================================================ + +# Token API Hetzner (garder secret) +hetzner_token: "" + +# Nom du cluster +cluster_name: xpeditis-prod + +# Chemin du kubeconfig qui sera généré +kubeconfig_path: "~/.kube/kubeconfig-xpeditis-prod" + +# Version k3s +# Vérifier la dernière stable sur https://github.com/k3s-io/k3s/releases +k3s_version: v1.30.4+k3s1 + +# Clés SSH +public_ssh_key_path: "~/.ssh/xpeditis_hetzner.pub" +private_ssh_key_path: "~/.ssh/xpeditis_hetzner" +use_ssh_agent: false +ssh_port: 22 + +# Réseaux autorisés pour SSH et API Kubernetes +# Remplacer par votre IP fixe pour plus de sécurité +ssh_allowed_networks: + - "/32" + +api_allowed_networks: + - "/32" + +# Réseau privé Hetzner +# Créé dans le doc 03-hetzner-setup.md +existing_network: "xpeditis-network" +private_network_subnet: 10.0.0.0/16 + +# CIDRs Kubernetes (ne pas changer sauf conflit) +cluster_cidr: 10.244.0.0/16 +service_cidr: 10.96.0.0/16 +cluster_dns: 10.96.0.10 + +# Image OS +image: ubuntu-24.04 +snapshot_os: ubuntu + +# Datacenter (même région que l'Object Storage) +location: fsn1 + +# k3s options +disable_flannel: false # Flannel CNI (par défaut dans k3s) +schedule_workloads_on_masters: false # Masters dédiés au control plane + +# Packages additionnels installés sur chaque nœud +additional_packages: + - curl + - jq + - htop + - fail2ban # Protection brute force SSH + +# Commandes post-création sur chaque nœud +post_create_commands: + - apt-get update -qq + - apt-get install -y -qq fail2ban + - systemctl enable fail2ban + - systemctl start fail2ban + - | + cat >> /etc/fail2ban/jail.local << 'FAIL2BAN' + [sshd] + enabled = true + maxretry = 3 + bantime = 3600 + FAIL2BAN + - systemctl restart fail2ban + +# Helm charts installés automatiquement +cloud_controller_manager_manifest_url: "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.21.0/ccm-networks.yaml" +csi_driver_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.8.0/deploy/kubernetes/hcloud-csi.yml" + +# System Upgrade Controller (upgrades k3s automatiques) +system_upgrade_controller_install: true +system_upgrade_controller_manifest_url: "https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.4/system-upgrade-controller.yaml" + +# Cluster Autoscaler +cluster_autoscaler_install: true +cluster_autoscaler_version: "9.36.0" +cluster_autoscaler_image: "registry.k8s.io/autoscaling/cluster-autoscaler" +cluster_autoscaler_cmdline_args: + - --scan-interval=10s + - --scale-down-delay-after-add=5m + - --scale-down-unneeded-time=5m + - --max-nodes-total=12 + +# Metrics Server (pour HPA) +metrics_server_manifest_url: "https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml" + +# kube-apiserver extra args (sécurité) +kube_api_server_args: + - "--audit-log-path=/var/log/kubernetes/audit.log" + - "--audit-log-maxage=30" + - "--audit-log-maxbackup=3" + - "--audit-log-maxsize=100" + +# kubelet extra args +kubelet_args: + - "--max-pods=110" + - "--system-reserved=cpu=200m,memory=200Mi" + - "--kube-reserved=cpu=200m,memory=200Mi" + +# ============================================================ +# CONTROL PLANE +# ============================================================ +masters: + instance_type: cx22 # 2 vCPU, 4 GB + instance_count: 1 # Passer à 3 pour HA (10 000 users) + location: fsn1 + image: ~ # Utilise l'image globale + +# ============================================================ +# WORKER NODE POOLS +# ============================================================ +worker_node_pools: + - name: app-workers + instance_type: cx32 # 4 vCPU, 8 GB (MVP) + instance_count: 2 # Min pods + location: fsn1 + image: ~ + additional_packages: ~ + post_create_commands: ~ + taints: [] + labels: + - "xpeditis.io/node-role=app" + autoscaling: + enabled: true + min_instances: 2 # Minimum pour HA + max_instances: 6 # Max pour limiter les coûts +EOF +``` + +> **Pour le palier 1 000 users**, changez `cx32` → `cx42` et `max_instances: 8` +> **Pour le palier 10 000 users**, changez `cx42` → `cx52`, `instance_count: 4`, `max_instances: 12`, et `masters.instance_count: 3` + +--- + +## Création du cluster + +```bash +# Vérifier la configuration +hetzner-k3s validate --config ~/.xpeditis/cluster.yaml + +# Créer le cluster (prend 5-10 minutes) +hetzner-k3s create --config ~/.xpeditis/cluster.yaml + +# Output attendu : +# Creating infrastructure... +# Creating network... +# Creating SSH key... +# Creating firewall... +# Creating placement group... +# Creating load balancer... +# Creating masters... +# Waiting for masters to be ready... +# Creating worker pools... +# Waiting for workers to be ready... +# Installing k3s on masters... +# Installing k3s on workers... +# Installing Hetzner CCM... +# Installing Hetzner CSI... +# Installing Cluster Autoscaler... +# Installing System Upgrade Controller... +# Installing Metrics Server... +# Configuring kubeconfig... +# ✅ Cluster xpeditis-prod created successfully! +``` + +--- + +## Configuration de kubectl + +```bash +# Définir le KUBECONFIG +export KUBECONFIG=~/.kube/kubeconfig-xpeditis-prod + +# Ajouter au .zshrc ou .bashrc pour persistance +echo 'export KUBECONFIG=~/.kube/kubeconfig-xpeditis-prod' >> ~/.zshrc + +# Vérifier la connexion au cluster +kubectl cluster-info +# Kubernetes control plane is running at https://:6443 +# CoreDNS is running at https://:6443/api/v1/... + +# Lister les nœuds +kubectl get nodes -o wide +# NAME STATUS ROLES AGE VERSION +# xpeditis-prod-cx22-master-1 Ready control-plane,master 5m v1.30.4+k3s1 +# xpeditis-prod-cx32-worker-1 Ready 4m v1.30.4+k3s1 +# xpeditis-prod-cx32-worker-2 Ready 4m v1.30.4+k3s1 + +# Vérifier tous les pods système +kubectl get pods --all-namespaces +# Tous les pods doivent être Running +``` + +--- + +## Vérification du Hetzner Cloud Controller Manager + +Le CCM permet à Kubernetes de provisionner des ressources Hetzner (LB, volumes) : + +```bash +# Vérifier que le CCM tourne +kubectl get pods -n kube-system | grep hcloud + +# Vérifier que les nœuds ont le label de région +kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.topology\.kubernetes\.io/zone}{"\n"}{end}' +# xpeditis-prod-cx22-master-1 fsn1 +# xpeditis-prod-cx32-worker-1 fsn1 +# xpeditis-prod-cx32-worker-2 fsn1 +``` + +--- + +## Vérification du Hetzner CSI Driver + +```bash +# Le CSI driver permet de créer des PersistentVolumes sur Hetzner +kubectl get pods -n kube-system | grep hcloud-csi + +# Vérifier les StorageClasses disponibles +kubectl get storageclass +# NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE +# hcloud-volumes (default) csi.hetzner.cloud Delete WaitForFirstConsumer +``` + +--- + +## Configuration de Traefik (Ingress Controller) + +k3s installe Traefik par défaut. Nous devons le configurer pour : +1. Redirection HTTP → HTTPS +2. Support WebSocket (Socket.IO) +3. Sticky sessions pour le backend + +```bash +# Créer le fichier de configuration Traefik +cat > /tmp/traefik-config.yaml << 'EOF' +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + # Logs + logs: + general: + level: INFO + access: + enabled: true + + # Ports + ports: + web: + port: 8000 + redirectTo: + port: websecure # Force HTTPS + websecure: + port: 8443 + tls: + enabled: true + + # Sticky sessions pour WebSocket + service: + spec: + externalTrafficPolicy: Local + + # Annotations pour le Load Balancer Hetzner + service: + annotations: + load-balancer.hetzner.cloud/name: "xpeditis-lb" + load-balancer.hetzner.cloud/location: "fsn1" + load-balancer.hetzner.cloud/health-check-interval: "15s" + load-balancer.hetzner.cloud/health-check-timeout: "10s" + load-balancer.hetzner.cloud/health-check-retries: "3" + load-balancer.hetzner.cloud/use-private-ip: "true" + + # Ressources + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 256Mi + + # Replicas (1 suffit pour MVP) + deployment: + replicas: 1 + + # Providers supplémentaires + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: true + kubernetesIngress: + enabled: true + publishedService: + enabled: true +EOF + +kubectl apply -f /tmp/traefik-config.yaml + +# Attendre que Traefik soit mis à jour +kubectl rollout status deployment/traefik -n kube-system --timeout=120s +``` + +--- + +## Installation de cert-manager + +cert-manager gère les certificats TLS automatiquement via Let's Encrypt : + +```bash +# Ajouter le repo Helm cert-manager +helm repo add jetstack https://charts.jetstack.io +helm repo update + +# Installer cert-manager +helm install cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version v1.15.3 \ + --set installCRDs=true \ + --set resources.requests.cpu=50m \ + --set resources.requests.memory=64Mi \ + --set webhook.resources.requests.cpu=50m \ + --set webhook.resources.requests.memory=32Mi + +# Attendre que cert-manager soit prêt +kubectl wait --for=condition=Ready pod \ + --selector=app.kubernetes.io/instance=cert-manager \ + -n cert-manager \ + --timeout=120s + +# Vérification +kubectl get pods -n cert-manager +# NAME READY STATUS +# cert-manager-7f9f87595d-xxx 1/1 Running +# cert-manager-cainjector-54db9f97d8-xxx 1/1 Running +# cert-manager-webhook-8698c586b7-xxx 1/1 Running +``` + +--- + +## ClusterIssuers Let's Encrypt + +```bash +# Créer les issuers (staging pour test, prod pour production) +cat > /tmp/cluster-issuers.yaml << 'EOF' +--- +# STAGING — Pour tester sans risquer le rate limit +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: admin@xpeditis.com # ← Remplacer + privateKeySecretRef: + name: letsencrypt-staging-key + solvers: + - http01: + ingress: + class: traefik +--- +# PRODUCTION — Certificats réels (max 5 renouvellements/semaine) +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: admin@xpeditis.com # ← Remplacer + privateKeySecretRef: + name: letsencrypt-prod-key + solvers: + - http01: + ingress: + class: traefik +EOF + +kubectl apply -f /tmp/cluster-issuers.yaml + +# Vérifier les issuers +kubectl get clusterissuers +# NAME READY AGE +# letsencrypt-staging True 30s +# letsencrypt-prod True 30s +``` + +--- + +## Récapitulatif : état du cluster après cette étape + +```bash +# Vue d'ensemble complète +kubectl get nodes +kubectl get pods --all-namespaces --field-selector=status.phase!=Running + +# Doit afficher : +# kube-system traefik-* Running +# kube-system hcloud-cloud-controller Running +# kube-system hcloud-csi-* Running +# kube-system coredns-* Running +# kube-system metrics-server-* Running +# cert-manager cert-manager-* Running + +echo "✅ Cluster prêt pour le déploiement de l'application" +``` + +--- + +## Opérations sur le cluster + +### Ajouter un nœud worker manuellement + +```bash +# Modifier le fichier cluster.yaml +# Changer instance_count de 2 → 3 dans worker_node_pools +hetzner-k3s apply --config ~/.xpeditis/cluster.yaml +``` + +### Supprimer le cluster (⚠️ irréversible) + +```bash +hetzner-k3s delete --config ~/.xpeditis/cluster.yaml +``` + +### Lister les composants Hetzner créés + +```bash +hcloud server list +hcloud load-balancer list +hcloud network list +hcloud firewall list +hcloud placement-group list +``` diff --git a/docs/deployment/hetzner/06-storage-s3.md b/docs/deployment/hetzner/06-storage-s3.md new file mode 100644 index 0000000..0228130 --- /dev/null +++ b/docs/deployment/hetzner/06-storage-s3.md @@ -0,0 +1,258 @@ +# 06 — Stockage objet S3 (Hetzner Object Storage) + +--- + +## Migration MinIO → Hetzner Object Storage + +Bonne nouvelle : **aucune modification de code nécessaire.** + +Le code Xpeditis utilise déjà le AWS SDK v3 avec `forcePathStyle: true` et un endpoint configurable dans `apps/backend/src/infrastructure/storage/s3-storage.adapter.ts` : + +```typescript +// Ce code existant fonctionne avec Hetzner Object Storage +this.s3Client = new S3Client({ + region, + endpoint, // ← Changer vers Hetzner + credentials: { accessKeyId, secretAccessKey }, + forcePathStyle: !!endpoint, // ← true pour Hetzner (path-style S3) +}); +``` + +Il suffit de **changer 4 variables d'environnement** : + +```bash +# AVANT (MinIO local) +AWS_S3_ENDPOINT=http://localhost:9000 +AWS_ACCESS_KEY_ID=minioadmin +AWS_SECRET_ACCESS_KEY=minioadmin +AWS_REGION=us-east-1 + +# APRÈS (Hetzner Object Storage) +AWS_S3_ENDPOINT=https://fsn1.your-objectstorage.com +AWS_ACCESS_KEY_ID= +AWS_SECRET_ACCESS_KEY= +AWS_REGION=eu-central-1 +AWS_S3_BUCKET=xpeditis-prod +``` + +--- + +## Configuration détaillée + +### Variables d'environnement backend (.env.production) + +```bash +# S3 / Hetzner Object Storage +AWS_S3_ENDPOINT=https://fsn1.your-objectstorage.com +AWS_ACCESS_KEY_ID= +AWS_SECRET_ACCESS_KEY= +AWS_REGION=eu-central-1 +AWS_S3_BUCKET=xpeditis-prod +``` + +> **Endpoint par région :** +> - Falkenstein : `https://fsn1.your-objectstorage.com` +> - Nuremberg : `https://nbg1.your-objectstorage.com` +> - Helsinki : `https://hel1.your-objectstorage.com` +> +> Utilisez la même région que vos serveurs pour éviter des frais de transfert inter-région. + +--- + +## Tester la connexion depuis le code + +```bash +# 1. Build l'image Docker backend avec les vars de test +# 2. Ou tester directement avec AWS CLI + +# Test avec AWS CLI (profil configuré dans doc 03) +aws s3 ls s3://xpeditis-prod/ \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Uploader un fichier test +echo "test" | aws s3 cp - s3://xpeditis-prod/test/health.txt \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Générer une URL signée (1h) +aws s3 presign s3://xpeditis-prod/test/health.txt \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com \ + --expires-in 3600 + +# Nettoyage +aws s3 rm s3://xpeditis-prod/test/health.txt \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com +``` + +--- + +## Structure du bucket + +Créez les "dossiers" initiaux (S3 utilise des préfixes, pas de vrais dossiers) : + +```bash +#!/bin/bash +PROFILE="hetzner" +ENDPOINT="https://fsn1.your-objectstorage.com" +BUCKET="xpeditis-prod" + +for PREFIX in documents pdfs exports logos backups/postgres; do + aws s3api put-object \ + --bucket "$BUCKET" \ + --key "$PREFIX/" \ + --profile "$PROFILE" \ + --endpoint-url "$ENDPOINT" \ + --content-length 0 + echo "✅ Créé: $PREFIX/" +done +``` + +--- + +## Lifecycle policies (économies de stockage) + +Hetzner Object Storage supporte les lifecycle rules S3 pour archiver automatiquement les anciens fichiers. + +```bash +# Créer le fichier de lifecycle +cat > /tmp/lifecycle.json << 'EOF' +{ + "Rules": [ + { + "ID": "archive-old-pdfs", + "Status": "Enabled", + "Filter": { + "Prefix": "pdfs/" + }, + "Transitions": [ + { + "Days": 90, + "StorageClass": "GLACIER" + } + ] + }, + { + "ID": "archive-old-exports", + "Status": "Enabled", + "Filter": { + "Prefix": "exports/" + }, + "Expiration": { + "Days": 365 + } + }, + { + "ID": "cleanup-old-backups", + "Status": "Enabled", + "Filter": { + "Prefix": "backups/" + }, + "Expiration": { + "Days": 30 + } + } + ] +} +EOF + +# Appliquer le lifecycle +aws s3api put-bucket-lifecycle-configuration \ + --bucket xpeditis-prod \ + --lifecycle-configuration file:///tmp/lifecycle.json \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com + +# Vérifier +aws s3api get-bucket-lifecycle-configuration \ + --bucket xpeditis-prod \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com +``` + +--- + +## CORS (pour upload direct depuis le navigateur) + +Si vous implémentez des uploads directs depuis le browser (carrier portal) : + +```bash +cat > /tmp/cors.json << 'EOF' +{ + "CORSRules": [ + { + "AllowedHeaders": ["*"], + "AllowedMethods": ["GET", "PUT", "POST", "DELETE", "HEAD"], + "AllowedOrigins": [ + "https://app.xpeditis.com", + "https://xpeditis.com" + ], + "ExposeHeaders": ["ETag"], + "MaxAgeSeconds": 3000 + } + ] +} +EOF + +aws s3api put-bucket-cors \ + --bucket xpeditis-prod \ + --cors-configuration file:///tmp/cors.json \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com +``` + +--- + +## Intégration dans le Secret Kubernetes + +Le Secret Kubernetes `backend-secrets` contiendra les credentials S3. Voir le doc 09 pour les manifests complets, mais voici la section S3 : + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: backend-secrets + namespace: xpeditis-prod +type: Opaque +stringData: + AWS_S3_ENDPOINT: "https://fsn1.your-objectstorage.com" + AWS_ACCESS_KEY_ID: "" + AWS_SECRET_ACCESS_KEY: "" + AWS_REGION: "eu-central-1" + AWS_S3_BUCKET: "xpeditis-prod" +``` + +--- + +## Monitoring du stockage + +```bash +# Voir la taille totale du bucket +aws s3 ls s3://xpeditis-prod/ \ + --recursive \ + --human-readable \ + --summarize \ + --profile hetzner \ + --endpoint-url https://fsn1.your-objectstorage.com \ + | tail -3 + +# Output : +# Total Objects: 1234 +# Total Size: 4.5 GiB +``` + +--- + +## Tarifs Hetzner Object Storage + +| Ressource | Prix | +|---|---| +| Stockage | Inclus dans le pack €4.99/mois (1 TB) | +| Trafic sortant (internet) | Inclus dans le pack (1 TB) | +| Requêtes | Incluses | +| Stockage > 1 TB | €0.0067/TB/heure (~€4.90/TB/mois) | +| Trafic > 1 TB | ~€1/TB | + +Pour Xpeditis à 1 000 users (~200 GB de fichiers), le coût est de **€4.99/mois fixe**. diff --git a/docs/deployment/hetzner/07-database-postgresql.md b/docs/deployment/hetzner/07-database-postgresql.md new file mode 100644 index 0000000..3c18be9 --- /dev/null +++ b/docs/deployment/hetzner/07-database-postgresql.md @@ -0,0 +1,337 @@ +# 07 — Base de données PostgreSQL + +Deux options selon votre palier et votre tolérance aux opérations. + +--- + +## Option A — Neon.tech (recommandé pour MVP) + +### Pourquoi Neon.tech + +- PostgreSQL 15 managé, compatible TypeORM +- Extensions `uuid-ossp` et `pg_trgm` **disponibles** (requises par Xpeditis) +- Connection pooling intégré (PgBouncer) → critique pour NestJS multi-pods +- Backups automatiques + point-in-time recovery +- Free tier pour le développement +- **$19/mois** pour le plan Pro (production) +- Pas de gestion de HA, de réplication, ni de backups à faire + +### Setup Neon.tech + +1. Créez un compte sur https://neon.tech +2. "New Project" → Nom: `xpeditis-prod` → Region: `AWS eu-central-1 (Frankfurt)` (le plus proche de Hetzner FSN1) +3. Sélectionnez **Plan Pro** ($19/mois) +4. PostgreSQL version: **15** + +### Créer la base de données + +```bash +# Dans l'interface Neon → SQL Editor, ou via CLI neon +# Installer la CLI Neon +npm install -g neonctl +neonctl auth + +# Créer les extensions requises par Xpeditis +neonctl sql --project-id << 'EOF' +-- Extensions requises par Xpeditis +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; +CREATE EXTENSION IF NOT EXISTS "pg_trgm"; + +-- Vérification +SELECT extname, extversion FROM pg_extension +WHERE extname IN ('uuid-ossp', 'pg_trgm'); +EOF +``` + +### Connection string + +Dans l'interface Neon → Connection Details → choisissez **Pooled connection** : + +```bash +# Connection string avec pooling (via PgBouncer) — pour la prod +postgresql://xpeditis:@ep-xxx-xxx.eu-central-1.aws.neon.tech/xpeditis?pgbouncer=true&connection_limit=1&sslmode=require + +# Connection string directe — pour les migrations TypeORM +postgresql://xpeditis:@ep-xxx-xxx.eu-central-1.aws.neon.tech/xpeditis?sslmode=require +``` + +> **Important :** TypeORM migrations doivent utiliser la **connexion directe** (sans pgbouncer). Pour le runtime NestJS, utilisez la **connexion poolée**. + +### Configuration TypeORM pour Neon + +L'app utilise des variables séparées pour l'hôte/port. Modifiez pour utiliser `DATABASE_URL` : + +Vérifiez le fichier `apps/backend/src/app.module.ts`. Si TypeORM est configuré avec des variables séparées (`DATABASE_HOST`, `DATABASE_PORT`, etc.), vous avez deux options : + +**Option 1 (recommandée) — URL complète :** + +Dans le `app.module.ts`, TypeOrmModule accepte une `url` : +```typescript +TypeOrmModule.forRootAsync({ + useFactory: (configService: ConfigService) => ({ + type: 'postgres', + url: configService.get('DATABASE_URL'), // ← Utiliser si disponible + ssl: { rejectUnauthorized: false }, // ← Requis pour Neon + // ... reste de la config + }), +}) +``` + +**Option 2 — Variables séparées (configuration actuelle) :** + +Décomposez l'URL Neon en variables séparées dans le `.env` : +```bash +DATABASE_HOST=ep-xxx-xxx.eu-central-1.aws.neon.tech +DATABASE_PORT=5432 +DATABASE_USER=xpeditis +DATABASE_PASSWORD= +DATABASE_NAME=xpeditis +DATABASE_SSL=true +``` + +Et ajoutez `ssl: { rejectUnauthorized: false }` dans la config TypeORM. + +### Lancer les migrations + +```bash +# Se placer dans le répertoire backend +cd apps/backend + +# Copier l'env de prod +cp .env.example .env.production + +# Éditer .env.production avec les vraies valeurs Neon +# DATABASE_HOST=ep-xxx-xxx.eu-central-1.aws.neon.tech +# DATABASE_USER=xpeditis +# DATABASE_PASSWORD= +# DATABASE_NAME=xpeditis +# DATABASE_SSL=true + +# Lancer les migrations (connexion directe, pas poolée) +NODE_ENV=production npm run migration:run + +# Vérifier les migrations appliquées +NODE_ENV=production npm run typeorm query "SELECT version, name FROM typeorm_migrations ORDER BY id" +``` + +--- + +## Option B — PostgreSQL self-hosted sur Hetzner (1 000+ users) + +### Architecture recommandée + +``` +CX22/CCX13 ─── PostgreSQL primary (lecture + écriture) + │ +CCX13 ─── PostgreSQL replica (lecture seule + failover) + │ +Volume Hetzner ─── /var/lib/postgresql/data (persistant) +``` + +### 1. Créer le serveur PostgreSQL dédié + +```bash +# Créer un serveur CCX13 dédié pour PostgreSQL +hcloud server create \ + --name xpeditis-postgres \ + --type ccx13 \ + --image ubuntu-24.04 \ + --location fsn1 \ + --ssh-key xpeditis-deploy \ + --network xpeditis-network \ + --firewall xpeditis-firewall + +# Attacher le volume de données +hcloud volume attach xpeditis-postgres-data \ + --server xpeditis-postgres \ + --automount + +# Récupérer l'IP privée +POSTGRES_PRIVATE_IP=$(hcloud server ip xpeditis-postgres --private-ip) +echo "PostgreSQL IP privée: $POSTGRES_PRIVATE_IP" +``` + +### 2. Installer et configurer PostgreSQL + +```bash +# Se connecter au serveur +ssh -i ~/.ssh/xpeditis_hetzner root@ + +# Installer PostgreSQL 15 +apt-get update +apt-get install -y postgresql-15 postgresql-client-15 + +# Monter le volume de données +DEVICE_NAME=$(lsblk -o NAME,SERIAL | grep HC | head -1 | awk '{print $1}') +mkfs.ext4 /dev/$DEVICE_NAME +mkdir -p /mnt/postgres-data +mount /dev/$DEVICE_NAME /mnt/postgres-data +echo "/dev/$DEVICE_NAME /mnt/postgres-data ext4 defaults 0 2" >> /etc/fstab + +# Déplacer les données PostgreSQL vers le volume +systemctl stop postgresql +rsync -av /var/lib/postgresql /mnt/postgres-data/ +rm -rf /var/lib/postgresql/15/main +ln -s /mnt/postgres-data/postgresql/15/main /var/lib/postgresql/15/main +systemctl start postgresql + +# Créer la base de données et l'utilisateur +sudo -u postgres psql << 'PGSQL' +CREATE USER xpeditis WITH PASSWORD ''; +CREATE DATABASE xpeditis_prod OWNER xpeditis; +GRANT ALL PRIVILEGES ON DATABASE xpeditis_prod TO xpeditis; + +-- Connecter à la base +\c xpeditis_prod + +-- Extensions requises +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; +CREATE EXTENSION IF NOT EXISTS "pg_trgm"; + +-- Vérification +SELECT extname FROM pg_extension; +PGSQL +``` + +### 3. Configuration PostgreSQL pour la production + +```bash +# Éditer /etc/postgresql/15/main/postgresql.conf +cat >> /etc/postgresql/15/main/postgresql.conf << 'EOF' + +# Performance tuning (pour CCX13 : 4 vCPU dédiés, 8 GB RAM) +shared_buffers = 2GB # 25% de la RAM +effective_cache_size = 6GB # 75% de la RAM +maintenance_work_mem = 512MB +checkpoint_completion_target = 0.9 +wal_buffers = 16MB +default_statistics_target = 100 +random_page_cost = 1.1 # SSD NVMe +effective_io_concurrency = 200 # SSD +work_mem = 64MB +min_wal_size = 1GB +max_wal_size = 4GB + +# Connexions +max_connections = 100 +# Avec RDS Proxy / PgBouncer en front, 100 suffisent + +# Logging +log_destination = 'stderr' +logging_collector = on +log_directory = '/var/log/postgresql' +log_filename = 'postgresql-%Y-%m-%d.log' +log_rotation_age = 1d +log_min_duration_statement = 1000 # Log les queries > 1s +log_checkpoints = on +log_connections = on +log_disconnections = on +log_lock_waits = on + +# Réplication (pour replica future) +wal_level = replica +max_wal_senders = 3 +max_replication_slots = 3 +EOF + +# Autoriser les connexions depuis le réseau privé Hetzner +cat >> /etc/postgresql/15/main/pg_hba.conf << 'EOF' + +# Connexions depuis le réseau privé Hetzner (pods k3s) +host xpeditis_prod xpeditis 10.0.0.0/16 md5 +EOF + +# Écouter sur toutes les interfaces (nécessaire pour le réseau privé) +sed -i "s/#listen_addresses = 'localhost'/listen_addresses = '10.0.0.0\/16,localhost'/" \ + /etc/postgresql/15/main/postgresql.conf + +systemctl restart postgresql +systemctl enable postgresql + +# Test de connexion depuis le réseau privé +psql -h $POSTGRES_PRIVATE_IP -U xpeditis -d xpeditis_prod -c "SELECT version();" +``` + +### 4. Installer PgBouncer (connection pooling) + +NestJS crée une connexion par pod. Sans pooler, 10 pods × 10 connexions = 100 connexions constantes. PgBouncer réduit ça drastiquement. + +```bash +apt-get install -y pgbouncer + +cat > /etc/pgbouncer/pgbouncer.ini << 'EOF' +[databases] +xpeditis_prod = host=localhost port=5432 dbname=xpeditis_prod + +[pgbouncer] +listen_addr = 0.0.0.0 +listen_port = 6432 +auth_type = md5 +auth_file = /etc/pgbouncer/userlist.txt +pool_mode = transaction # Mode le plus efficace pour NestJS +max_client_conn = 500 # Connexions clients max +default_pool_size = 20 # Connexions vers PostgreSQL par pool +reserve_pool_size = 5 +server_reset_query = DISCARD ALL +log_connections = 1 +log_disconnections = 1 +logfile = /var/log/pgbouncer/pgbouncer.log +pidfile = /var/run/pgbouncer/pgbouncer.pid +EOF + +# Créer le fichier d'authentification +echo '"xpeditis" "md5"' > /etc/pgbouncer/userlist.txt +# Pour générer le hash md5 : +echo -n "md5$(echo -n 'xpeditis' | md5sum | awk '{print $1}')" + +systemctl enable pgbouncer +systemctl start pgbouncer +``` + +Avec PgBouncer, les pods NestJS se connectent sur le port `6432` : +```bash +# Variables d'environnement pour PgBouncer +DATABASE_HOST= +DATABASE_PORT=6432 # PgBouncer au lieu de 5432 +``` + +### 5. Lancer les migrations TypeORM + +```bash +# Depuis votre machine locale (ou depuis un pod de migration) +cd apps/backend +DATABASE_HOST= \ +DATABASE_PORT=5432 \ # Direct PostgreSQL pour les migrations (pas PgBouncer) +DATABASE_USER=xpeditis \ +DATABASE_PASSWORD= \ +DATABASE_NAME=xpeditis_prod \ +npm run migration:run + +# Vérifier +DATABASE_HOST= \ +DATABASE_PORT=5432 \ +DATABASE_USER=xpeditis \ +DATABASE_PASSWORD= \ +DATABASE_NAME=xpeditis_prod \ +npm run typeorm query "SELECT COUNT(*) as migrations FROM typeorm_migrations" +``` + +--- + +## Comparaison des options + +| Critère | Neon.tech (Option A) | Self-hosted (Option B) | +|---|---|---| +| **Coût (1 000 users)** | $19/mois | ~€30/mois (CCX13 + volume) | +| **HA** | Automatique | Manuel (Patroni) | +| **Backups** | Automatique (7 jours PITR) | Script cron (doc 13) | +| **Extensions** | uuid-ossp + pg_trgm ✅ | Toutes | +| **Migrations** | Simple | Simple | +| **Ops requis** | Aucun | Maintenance mensuelle | +| **Scale** | Jusqu'à $69/mois (Pro) | Changement de serveur | +| **Limite connexions** | PgBouncer inclus | PgBouncer à installer | + +**Recommandation :** +- < 500 users → **Neon.tech** (aucun ops, $19/mois) +- 500–5 000 users → **Self-hosted CCX23** (plus économique à ce niveau) +- > 5 000 users → **Self-hosted CCX33 + replica** (contrôle total) diff --git a/docs/deployment/hetzner/08-redis-setup.md b/docs/deployment/hetzner/08-redis-setup.md new file mode 100644 index 0000000..2d235b8 --- /dev/null +++ b/docs/deployment/hetzner/08-redis-setup.md @@ -0,0 +1,313 @@ +# 08 — Redis Setup + +Redis est utilisé dans Xpeditis pour : +1. **Cache des rate quotes** — clés `rate:{origin}:{destination}:{containerType}`, TTL 15 min +2. **Pub/sub WebSocket** — Socket.IO multi-pods nécessite Redis pour broadcaster les notifications + +--- + +## Option A — Upstash (recommandé pour MVP) + +### Pourquoi Upstash + +- Redis serverless, pay-per-use ($0.2 per 100K commands) +- Free tier : 10 000 commandes/jour, 256 MB (suffisant pour 100 users) +- Compatible avec l'interface Redis standard (ioredis) +- Support TLS natif +- Régions EU disponibles (Frankfurt) +- **Pas de serveur à gérer** + +### Setup Upstash + +1. Créez un compte sur https://upstash.com +2. **Create Database** + - Name: `xpeditis-prod` + - Region: `EU-WEST-1 (Frankfurt)` ← le plus proche de Hetzner FSN1 + - Type: **Regional** (pas Global pour commencer) + - Eviction: **Allkeys-LRU** (expire les clés les plus anciennes si mémoire pleine) + - TLS: **Enabled** +3. Copiez les credentials affichés + +### Variables d'environnement + +```bash +# Upstash fournit une URL Redis complète +REDIS_HOST=your-redis.upstash.io +REDIS_PORT=6379 +REDIS_PASSWORD= +REDIS_DB=0 + +# OU avec URL (si le code le supporte) +REDIS_URL=redis://:password@your-redis.upstash.io:6379 +``` + +### Vérification de la connexion + +```bash +# Test avec redis-cli +redis-cli -h your-redis.upstash.io -p 6379 -a --tls ping +# PONG + +# Test de set/get +redis-cli -h your-redis.upstash.io -p 6379 -a --tls \ + SET test:connection "xpeditis-ok" EX 60 +redis-cli -h your-redis.upstash.io -p 6379 -a --tls \ + GET test:connection +# "xpeditis-ok" +``` + +### Configuration dans l'app Xpeditis + +Le code NestJS utilise `ioredis`. Vérifiez que TLS est activé dans la config cache : + +Dans `apps/backend/src/infrastructure/cache/cache.module.ts`, assurez-vous que la config Redis accepte TLS : + +```typescript +// La config doit inclure TLS pour Upstash +const redisOptions = { + host: configService.get('REDIS_HOST'), + port: configService.get('REDIS_PORT', 6379), + password: configService.get('REDIS_PASSWORD'), + db: configService.get('REDIS_DB', 0), + // TLS requis pour Upstash + tls: configService.get('NODE_ENV') === 'production' ? {} : undefined, +}; +``` + +> Si la config actuelle ne supporte pas TLS, ajoutez la variable `REDIS_TLS=true` et adaptez le cache module en conséquence. + +--- + +## Option B — Redis self-hosted dans k3s + +### Quand choisir cette option + +- 1 000+ users (le free tier Upstash devient limité) +- Besoin de Redis Cluster pour le WebSocket à grande échelle +- Contrôle total des données + +### StatefulSet Redis dans Kubernetes + +```bash +# Créer le namespace si pas encore fait +kubectl create namespace xpeditis-prod 2>/dev/null || true + +# Créer le Secret Redis +cat > /tmp/redis-secret.yaml << 'EOF' +apiVersion: v1 +kind: Secret +metadata: + name: redis-secret + namespace: xpeditis-prod +type: Opaque +stringData: + REDIS_PASSWORD: "" +EOF +kubectl apply -f /tmp/redis-secret.yaml + +# Créer la ConfigMap Redis +cat > /tmp/redis-config.yaml << 'EOF' +apiVersion: v1 +kind: ConfigMap +metadata: + name: redis-config + namespace: xpeditis-prod +data: + redis.conf: | + # Sécurité + requirepass + protected-mode yes + + # Persistance (AOF pour durabilité) + appendonly yes + appendfsync everysec + auto-aof-rewrite-percentage 100 + auto-aof-rewrite-min-size 64mb + + # Mémoire + maxmemory 512mb + maxmemory-policy allkeys-lru + + # Réseau + bind 0.0.0.0 + tcp-backlog 511 + timeout 0 + tcp-keepalive 300 + + # Logging + loglevel notice + + # Performances + lazyfree-lazy-eviction yes + lazyfree-lazy-expire yes +EOF +kubectl apply -f /tmp/redis-config.yaml + +# Créer le StatefulSet Redis +cat > /tmp/redis-statefulset.yaml << 'EOF' +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: redis + namespace: xpeditis-prod +spec: + serviceName: redis-headless + replicas: 1 + selector: + matchLabels: + app: redis + template: + metadata: + labels: + app: redis + spec: + containers: + - name: redis + image: redis:7-alpine + ports: + - containerPort: 6379 + name: redis + command: + - redis-server + - /etc/redis/redis.conf + env: + - name: REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: redis-secret + key: REDIS_PASSWORD + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + volumeMounts: + - name: redis-config-vol + mountPath: /etc/redis + - name: redis-data + mountPath: /data + readinessProbe: + exec: + command: + - redis-cli + - -a + - $(REDIS_PASSWORD) + - ping + initialDelaySeconds: 10 + periodSeconds: 5 + livenessProbe: + exec: + command: + - redis-cli + - -a + - $(REDIS_PASSWORD) + - ping + initialDelaySeconds: 30 + periodSeconds: 30 + volumes: + - name: redis-config-vol + configMap: + name: redis-config + volumeClaimTemplates: + - metadata: + name: redis-data + spec: + accessModes: ["ReadWriteOnce"] + storageClassName: hcloud-volumes + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-headless + namespace: xpeditis-prod +spec: + clusterIP: None + selector: + app: redis + ports: + - port: 6379 + targetPort: 6379 +--- +apiVersion: v1 +kind: Service +metadata: + name: redis + namespace: xpeditis-prod +spec: + selector: + app: redis + ports: + - port: 6379 + targetPort: 6379 + type: ClusterIP +EOF + +kubectl apply -f /tmp/redis-statefulset.yaml + +# Attendre que Redis soit prêt +kubectl rollout status statefulset/redis -n xpeditis-prod --timeout=120s + +# Tester Redis +kubectl exec -it redis-0 -n xpeditis-prod -- redis-cli -a ping +# PONG +``` + +### Variables d'environnement pour Redis self-hosted + +```bash +REDIS_HOST=redis.xpeditis-prod.svc.cluster.local +REDIS_PORT=6379 +REDIS_PASSWORD= +REDIS_DB=0 +# Pas de TLS (réseau privé interne k3s) +``` + +--- + +## Vérification du cache Redis dans Xpeditis + +Après déploiement de l'application, vérifiez que le cache fonctionne : + +```bash +# Se connecter à Redis +kubectl exec -it redis-0 -n xpeditis-prod -- redis-cli -a + +# Après quelques rate searches depuis l'app : +KEYS rate:* +# 1) "rate:FRNCE:DEHAM:20ft" +# 2) "rate:FRNCE:NLRTM:20ft" +# ... + +# Vérifier un TTL (doit être < 900 = 15 min) +TTL "rate:FRNCE:DEHAM:20ft" +# (integer) 647 + +# Stats globales +INFO stats +# keyspace_hits: 1234 +# keyspace_misses: 156 +# → Taux de hit = 1234/(1234+156) = 88% ✅ +``` + +--- + +## Comparaison des options + +| Critère | Upstash (Option A) | Self-hosted (Option B) | +|---|---|---| +| **Coût 100 users** | $0 (free tier) | ~€5/mois (stockage) | +| **Coût 1 000 users** | ~$5-10/mois | ~€5-10/mois | +| **Setup** | 5 minutes | 30 minutes | +| **HA** | Automatique | Non (StatefulSet 1 replica) | +| **TLS** | Forcé | Non (cluster interne) | +| **Ops** | Aucun | Monitoring mémoire | +| **Latence** | ~5-10ms (Frankfurt) | <1ms (cluster interne) | + +**Recommandation :** +- MVP → **Upstash free tier** (zéro coût, zéro ops) +- 1 000+ users → **Self-hosted dans k3s** (latence minimale, contrôle complet) diff --git a/docs/deployment/hetzner/10-ingress-tls-cloudflare.md b/docs/deployment/hetzner/10-ingress-tls-cloudflare.md new file mode 100644 index 0000000..5184cf9 --- /dev/null +++ b/docs/deployment/hetzner/10-ingress-tls-cloudflare.md @@ -0,0 +1,240 @@ +# 10 — Ingress, TLS et Cloudflare + +--- + +## Architecture TLS + +Deux approches possibles, que vous pouvez combiner : + +``` +Option 1 — TLS Cloudflare uniquement (plus simple) + Browser → Cloudflare (TLS terminé) → HTTP vers Hetzner LB → Pods + +Option 2 — TLS de bout en bout (plus sécurisé) + Browser → Cloudflare → HTTPS vers Hetzner LB → cert-manager TLS → Pods + +Recommandation : Option 2 avec Cloudflare en "Full (strict)" mode +``` + +--- + +## Configuration Cloudflare + +### 1. Ajouter les entrées DNS + +Dans votre dashboard Cloudflare → Votre domaine → DNS → Records : + +``` +Type Name Content Proxy TTL +A api ✅ ON Auto +A app ✅ ON Auto +A @ ✅ ON Auto +``` + +Pour obtenir l'IP du Load Balancer Hetzner : +```bash +hcloud load-balancer list +# ID NAME TYPE LOCATION PUBLIC NET PRIVATE NET +# 12345 xpeditis-lb lb11 fsn1 1.2.3.4 / 2001::... 10.0.0.2 +``` + +### 2. SSL/TLS Mode + +Cloudflare → Votre domaine → SSL/TLS → Overview : +- Sélectionnez **Full (strict)** ← obligatoire si cert-manager gère les certicats côté Hetzner + +### 3. Page Rules / Transform Rules + +Cloudflare → Votre domaine → Rules → Page Rules : + +``` +Rule 1 : Force HTTPS + If URL matches: http://api.xpeditis.com/* + Then: Always Use HTTPS + +Rule 2 : Force HTTPS frontend + If URL matches: http://app.xpeditis.com/* + Then: Always Use HTTPS +``` + +### 4. WAF Rules (optionnel mais recommandé) + +Cloudflare → Security → WAF → Managed Rules : +- Activer **Cloudflare Managed Ruleset** (gratuit) +- Activer **Cloudflare OWASP Core Ruleset** (gratuit) + +Custom Rules pour Xpeditis : +``` +Rule: Block rate search abuse + If: (http.request.uri.path contains "/api/v1/rates/search") AND (rate(1m) > 60) + Then: Block + +Rule: Protect Stripe webhook + If: (http.request.uri.path eq "/api/v1/subscriptions/webhook") AND (not ip.src in {151.101.0.0/17}) + Then: Block ← Autorise uniquement les IPs Stripe +``` + +### 5. Cache Rules (pour les assets frontend) + +Cloudflare → Caching → Cache Rules : +``` +Rule: Cache Next.js static assets + If: (http.request.uri.path contains "/_next/static/") + Then: Cache Everything, TTL 1 year +``` + +--- + +## Vérification du certificat TLS (cert-manager) + +Après le déploiement de l'Ingress : + +```bash +# Vérifier l'état du certificat +kubectl get certificate -n xpeditis-prod +# NAME READY SECRET AGE +# xpeditis-tls-prod True xpeditis-tls-prod 5m ← READY=True = succès + +# Si READY=False, debugger : +kubectl describe certificate xpeditis-tls-prod -n xpeditis-prod +kubectl describe certificaterequest -n xpeditis-prod +kubectl logs -n cert-manager deployment/cert-manager | tail -50 + +# Voir les challenges ACME en cours +kubectl get challenge -n xpeditis-prod +# Si des challenges sont en attente, vérifier que le DNS Cloudflare pointe bien vers le LB +``` + +### Tester la chaîne TLS + +```bash +# Tester le certificat +curl -I https://api.xpeditis.com/api/v1/health +# HTTP/2 200 +# server: traefik +# content-type: application/json + +# Détails du certificat +openssl s_client -connect api.xpeditis.com:443 -servername api.xpeditis.com 2>/dev/null | openssl x509 -noout -dates +# notBefore=Apr 1 00:00:00 2026 GMT +# notAfter=Jun 30 00:00:00 2026 GMT ← Let's Encrypt = 90 jours, renouvellement auto à 60 jours +``` + +--- + +## Configuration WebSocket Socket.IO + +Socket.IO nécessite une configuration spécifique pour fonctionner derrière Traefik + Cloudflare. + +### Cloudflare WebSocket + +Cloudflare → Votre domaine → Network → WebSockets : +- **Activer WebSockets** (désactivé par défaut sur le plan Free) + +> Note : Sur le plan Free Cloudflare, les WebSockets sont supportés mais avec un timeout de 100s. Pour les connexions persistantes Socket.IO, configurez des reconnexions côté client. + +### Traefik Sticky Sessions + +La configuration des sticky sessions dans `k8s/07-ingress.yaml` garantit que les reconnexions WebSocket retombent sur le même pod (important pour Socket.IO avant l'implémentation Redis adapter) : + +```yaml +annotations: + traefik.ingress.kubernetes.io/service.sticky.cookie: "true" + traefik.ingress.kubernetes.io/service.sticky.cookie.name: "XPEDITIS_BACKEND" + traefik.ingress.kubernetes.io/service.sticky.cookie.secure: "true" +``` + +### Test WebSocket + +```bash +# Test avec wscat (npm install -g wscat) +wscat -c "wss://api.xpeditis.com/notifications" \ + -H "Authorization: Bearer " + +# La connexion doit s'établir et recevoir : +# {"event":"unread_count","data":{"count":0}} +# {"event":"recent_notifications","data":[...]} +``` + +--- + +## Traefik Dashboard (accès restreint) + +```bash +# Traefik a un dashboard utile pour debugger les routes +# Activer l'accès avec authentification + +# Générer un mot de passe htpasswd +htpasswd -nb admin | base64 + +# Créer un Middleware BasicAuth +cat > /tmp/traefik-auth.yaml << 'EOF' +apiVersion: v1 +kind: Secret +metadata: + name: traefik-dashboard-auth + namespace: kube-system +type: kubernetes.io/basic-auth +stringData: + username: admin + password: +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: dashboard-auth + namespace: kube-system +spec: + basicAuth: + secret: traefik-dashboard-auth +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: traefik-dashboard + namespace: kube-system + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" + traefik.ingress.kubernetes.io/router.middlewares: "kube-system-dashboard-auth@kubernetescrd" +spec: + ingressClassName: traefik + tls: + - hosts: + - traefik.xpeditis.com + secretName: traefik-tls + rules: + - host: traefik.xpeditis.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: traefik + port: + number: 9000 +EOF + +kubectl apply -f /tmp/traefik-auth.yaml +``` + +--- + +## Checklist TLS + +```bash +echo "=== Test endpoints ===" +curl -sf https://api.xpeditis.com/api/v1/health | jq . +curl -sf https://app.xpeditis.com/ | head -5 + +echo "=== Certificats ===" +kubectl get certificate -n xpeditis-prod +kubectl get certificaterequest -n xpeditis-prod + +echo "=== Ingress ===" +kubectl get ingress -n xpeditis-prod + +echo "=== Test HTTPS force ===" +curl -L http://api.xpeditis.com/api/v1/health +# Doit être redirigé vers HTTPS +``` diff --git a/docs/deployment/hetzner/11-cicd-github-actions.md b/docs/deployment/hetzner/11-cicd-github-actions.md new file mode 100644 index 0000000..370d486 --- /dev/null +++ b/docs/deployment/hetzner/11-cicd-github-actions.md @@ -0,0 +1,489 @@ +# 11 — CI/CD avec GitHub Actions + +Pipeline complet : commit → build Docker → push GHCR → déploiement k3s → vérification. + +--- + +## Architecture du pipeline + +``` +Push sur main + │ + ├── Job: test + │ ├── npm run backend:lint + │ ├── npm run backend:test + │ └── npm run frontend:lint + │ + ├── Job: build (si tests OK) + │ ├── docker buildx build backend → ghcr.io//xpeditis-backend:sha + :latest + │ └── docker buildx build frontend → ghcr.io//xpeditis-frontend:sha + :latest + │ + └── Job: deploy (si build OK) + ├── kubectl set image deployment/xpeditis-backend ... + ├── kubectl set image deployment/xpeditis-frontend ... + ├── kubectl rollout status ... + └── Health check final +``` + +--- + +## Secrets GitHub à configurer + +Dans votre repo GitHub → Settings → Secrets and variables → Actions → New repository secret : + +| Secret | Valeur | Usage | +|---|---|---| +| `HETZNER_KUBECONFIG` | Contenu de `~/.kube/kubeconfig-xpeditis-prod` (base64) | Accès kubectl | +| `GHCR_TOKEN` | Personal Access Token GitHub (scope: `write:packages`) | Push images | +| `SLACK_WEBHOOK_URL` | URL webhook Slack (optionnel) | Notifications | + +```bash +# Encoder le kubeconfig en base64 pour GitHub Secrets +cat ~/.kube/kubeconfig-xpeditis-prod | base64 -w 0 +# Copier le résultat dans HETZNER_KUBECONFIG + +# Créer le Personal Access Token GitHub +# https://github.com/settings/tokens/new +# Scopes : write:packages, read:packages, delete:packages +``` + +--- + +## Workflow principal — `.github/workflows/deploy.yml` + +```yaml +# .github/workflows/deploy.yml +name: Build & Deploy to Hetzner + +on: + push: + branches: + - main + pull_request: + branches: + - main + +env: + REGISTRY: ghcr.io + IMAGE_BACKEND: ghcr.io/${{ github.repository_owner }}/xpeditis-backend + IMAGE_FRONTEND: ghcr.io/${{ github.repository_owner }}/xpeditis-frontend + +jobs: + # ============================================================ + # JOB 1 : Tests & Lint + # ============================================================ + test: + name: Tests & Lint + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "20" + cache: "npm" + + - name: Install dependencies + run: npm run install:all + + - name: Lint backend + run: npm run backend:lint + + - name: Lint frontend + run: npm run frontend:lint + + - name: Test backend (unit) + run: npm run backend:test -- --passWithNoTests + + - name: TypeScript check frontend + run: | + cd apps/frontend + npm run type-check + + # ============================================================ + # JOB 2 : Build & Push Docker Images + # ============================================================ + build: + name: Build Docker Images + runs-on: ubuntu-latest + needs: test + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + permissions: + contents: read + packages: write + + outputs: + backend_tag: ${{ steps.meta-backend.outputs.version }} + frontend_tag: ${{ steps.meta-frontend.outputs.version }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # ── Backend ── + - name: Extract metadata (backend) + id: meta-backend + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE_BACKEND }} + tags: | + type=sha,prefix=sha-,format=short + type=raw,value=latest,enable={{is_default_branch}} + type=raw,value={{date 'YYYY-MM-DD'}},enable={{is_default_branch}} + + - name: Build & Push backend + uses: docker/build-push-action@v5 + with: + context: . + file: apps/backend/Dockerfile + push: true + tags: ${{ steps.meta-backend.outputs.tags }} + labels: ${{ steps.meta-backend.outputs.labels }} + cache-from: type=gha,scope=backend + cache-to: type=gha,mode=max,scope=backend + platforms: linux/amd64 # Changer en linux/amd64,linux/arm64 si vous utilisez des CAX + + # ── Frontend ── + - name: Extract metadata (frontend) + id: meta-frontend + uses: docker/metadata-action@v5 + with: + images: ${{ env.IMAGE_FRONTEND }} + tags: | + type=sha,prefix=sha-,format=short + type=raw,value=latest,enable={{is_default_branch}} + type=raw,value={{date 'YYYY-MM-DD'}},enable={{is_default_branch}} + + - name: Build & Push frontend + uses: docker/build-push-action@v5 + with: + context: . + file: apps/frontend/Dockerfile + push: true + tags: ${{ steps.meta-frontend.outputs.tags }} + labels: ${{ steps.meta-frontend.outputs.labels }} + cache-from: type=gha,scope=frontend + cache-to: type=gha,mode=max,scope=frontend + platforms: linux/amd64 + build-args: | + NEXT_PUBLIC_API_URL=https://api.xpeditis.com + NEXT_PUBLIC_APP_URL=https://app.xpeditis.com + NEXT_PUBLIC_API_PREFIX=api/v1 + + # ============================================================ + # JOB 3 : Deploy vers k3s Hetzner + # ============================================================ + deploy: + name: Deploy to Hetzner k3s + runs-on: ubuntu-latest + needs: build + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + environment: + name: production + url: https://app.xpeditis.com + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure kubectl + run: | + mkdir -p ~/.kube + echo "${{ secrets.HETZNER_KUBECONFIG }}" | base64 -d > ~/.kube/config + chmod 600 ~/.kube/config + kubectl cluster-info + + - name: Deploy Backend + run: | + BACKEND_TAG="sha-$(echo ${{ github.sha }} | cut -c1-7)" + + kubectl set image deployment/xpeditis-backend \ + backend=${{ env.IMAGE_BACKEND }}:${BACKEND_TAG} \ + -n xpeditis-prod + + kubectl rollout status deployment/xpeditis-backend \ + -n xpeditis-prod \ + --timeout=300s + + echo "✅ Backend deployed: ${BACKEND_TAG}" + + - name: Deploy Frontend + run: | + FRONTEND_TAG="sha-$(echo ${{ github.sha }} | cut -c1-7)" + + kubectl set image deployment/xpeditis-frontend \ + frontend=${{ env.IMAGE_FRONTEND }}:${FRONTEND_TAG} \ + -n xpeditis-prod + + kubectl rollout status deployment/xpeditis-frontend \ + -n xpeditis-prod \ + --timeout=300s + + echo "✅ Frontend deployed: ${FRONTEND_TAG}" + + - name: Health Check + run: | + sleep 15 # Laisser le temps au LB de propager + + # Test API backend + STATUS=$(curl -sf -o /dev/null -w "%{http_code}" \ + https://api.xpeditis.com/api/v1/health) + if [ "$STATUS" != "200" ]; then + echo "❌ Backend health check failed (HTTP $STATUS)" + exit 1 + fi + echo "✅ Backend healthy (HTTP $STATUS)" + + # Test frontend + STATUS=$(curl -sf -o /dev/null -w "%{http_code}" \ + https://app.xpeditis.com/) + if [ "$STATUS" != "200" ]; then + echo "❌ Frontend health check failed (HTTP $STATUS)" + exit 1 + fi + echo "✅ Frontend healthy (HTTP $STATUS)" + + - name: Notify Slack (success) + if: success() + run: | + if [ -n "${{ secrets.SLACK_WEBHOOK_URL }}" ]; then + curl -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \ + -H 'Content-type: application/json' \ + --data '{ + "text": "✅ Xpeditis déployé en production", + "attachments": [{ + "color": "good", + "fields": [ + {"title": "Commit", "value": "${{ github.sha }}", "short": true}, + {"title": "Auteur", "value": "${{ github.actor }}", "short": true}, + {"title": "Message", "value": "${{ github.event.head_commit.message }}", "short": false} + ] + }] + }' + fi + + - name: Notify Slack (failure) + if: failure() + run: | + if [ -n "${{ secrets.SLACK_WEBHOOK_URL }}" ]; then + curl -X POST "${{ secrets.SLACK_WEBHOOK_URL }}" \ + -H 'Content-type: application/json' \ + --data '{ + "text": "❌ Échec du déploiement Xpeditis", + "attachments": [{ + "color": "danger", + "fields": [ + {"title": "Commit", "value": "${{ github.sha }}", "short": true}, + {"title": "Job", "value": "${{ github.workflow }}", "short": true} + ] + }] + }' + fi + + - name: Rollback on failure + if: failure() + run: | + echo "⏮️ Rollback en cours..." + kubectl rollout undo deployment/xpeditis-backend -n xpeditis-prod + kubectl rollout undo deployment/xpeditis-frontend -n xpeditis-prod + kubectl rollout status deployment/xpeditis-backend -n xpeditis-prod --timeout=120s + echo "✅ Rollback terminé" +``` + +--- + +## Workflow de staging (PR preview) — `.github/workflows/staging.yml` + +```yaml +# .github/workflows/staging.yml +name: Deploy to Staging + +on: + pull_request: + branches: + - main + +jobs: + build-staging: + name: Build Staging + runs-on: ubuntu-latest + if: github.event_name == 'pull_request' + + steps: + - uses: actions/checkout@v4 + - uses: docker/setup-buildx-action@v3 + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Build & Push (staging tag) + uses: docker/build-push-action@v5 + with: + context: . + file: apps/backend/Dockerfile + push: true + tags: ghcr.io/${{ github.repository_owner }}/xpeditis-backend:pr-${{ github.event.pull_request.number }} + build-args: NODE_ENV=staging + + - name: Comment PR + uses: actions/github-script@v7 + with: + script: | + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: '🐳 Image Docker staging buildée : `pr-${{ github.event.pull_request.number }}`' + }) +``` + +--- + +## Mise à jour des manifests Kubernetes + +Alternativement, vous pouvez mettre à jour les fichiers YAML dans Git et les appliquer : + +```bash +# Dans le workflow CI, mettre à jour le tag d'image dans les manifests +- name: Update image in manifests + run: | + IMAGE_TAG="sha-$(echo ${{ github.sha }} | cut -c1-7)" + + # Mettre à jour les fichiers YAML + sed -i "s|image: ghcr.io/.*/xpeditis-backend:.*|image: ${{ env.IMAGE_BACKEND }}:${IMAGE_TAG}|g" \ + k8s/03-backend-deployment.yaml + + sed -i "s|image: ghcr.io/.*/xpeditis-frontend:.*|image: ${{ env.IMAGE_FRONTEND }}:${IMAGE_TAG}|g" \ + k8s/05-frontend-deployment.yaml + + # Committer les changements (GitOps) + git config user.name "GitHub Actions" + git config user.email "actions@github.com" + git add k8s/ + git commit -m "chore: update image tags to ${IMAGE_TAG} [skip ci]" + git push +``` + +--- + +## Dockerfile final — Backend + +```dockerfile +# apps/backend/Dockerfile +FROM node:20-alpine AS deps +RUN apk add --no-cache python3 make g++ +WORKDIR /app +COPY package*.json ./ +COPY apps/backend/package*.json apps/backend/ +RUN npm ci --workspace=apps/backend + +FROM node:20-alpine AS builder +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY --from=deps /app/apps/backend/node_modules ./apps/backend/node_modules +COPY . . +RUN cd apps/backend && npm run build + +FROM node:20-alpine AS runner +RUN apk add --no-cache dumb-init +RUN addgroup -g 1001 -S nodejs && adduser -S nestjs -u 1001 +WORKDIR /app +COPY --from=builder --chown=nestjs:nodejs /app/apps/backend/dist ./dist +COPY --from=builder --chown=nestjs:nodejs /app/apps/backend/node_modules ./node_modules +COPY --from=builder --chown=nestjs:nodejs /app/apps/backend/package.json ./ +USER nestjs +EXPOSE 4000 +HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \ + CMD wget -qO- http://localhost:4000/api/v1/health || exit 1 +ENTRYPOINT ["dumb-init", "--"] +CMD ["node", "dist/main.js"] +``` + +## Dockerfile final — Frontend + +```dockerfile +# apps/frontend/Dockerfile +FROM node:20-alpine AS deps +WORKDIR /app +COPY package*.json ./ +COPY apps/frontend/package*.json apps/frontend/ +RUN npm ci --workspace=apps/frontend + +FROM node:20-alpine AS builder +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY --from=deps /app/apps/frontend/node_modules ./apps/frontend/node_modules +COPY . . +ARG NEXT_PUBLIC_API_URL +ARG NEXT_PUBLIC_APP_URL +ARG NEXT_PUBLIC_API_PREFIX=api/v1 +ENV NEXT_PUBLIC_API_URL=$NEXT_PUBLIC_API_URL \ + NEXT_PUBLIC_APP_URL=$NEXT_PUBLIC_APP_URL \ + NEXT_PUBLIC_API_PREFIX=$NEXT_PUBLIC_API_PREFIX \ + NEXT_TELEMETRY_DISABLED=1 +RUN cd apps/frontend && npm run build + +FROM node:20-alpine AS runner +RUN apk add --no-cache dumb-init +RUN addgroup -g 1001 -S nodejs && adduser -S nextjs -u 1001 +WORKDIR /app +COPY --from=builder --chown=nextjs:nodejs /app/apps/frontend/.next/standalone ./ +COPY --from=builder --chown=nextjs:nodejs /app/apps/frontend/.next/static ./.next/static +COPY --from=builder --chown=nextjs:nodejs /app/apps/frontend/public ./public +USER nextjs +EXPOSE 3000 +ENV NODE_ENV=production PORT=3000 HOSTNAME="0.0.0.0" NEXT_TELEMETRY_DISABLED=1 +ENTRYPOINT ["dumb-init", "--"] +CMD ["node", "server.js"] +``` + +--- + +## Test du pipeline en local + +```bash +# Simuler le build Docker localement +docker build \ + -f apps/backend/Dockerfile \ + -t xpeditis-backend:local \ + . + +docker build \ + -f apps/frontend/Dockerfile \ + -t xpeditis-frontend:local \ + --build-arg NEXT_PUBLIC_API_URL=http://localhost:4000 \ + --build-arg NEXT_PUBLIC_APP_URL=http://localhost:3000 \ + . + +# Tester l'image backend +docker run --rm -p 4000:4000 \ + -e NODE_ENV=production \ + -e DATABASE_HOST= \ + -e DATABASE_USER=xpeditis \ + -e DATABASE_PASSWORD= \ + -e DATABASE_NAME=xpeditis \ + -e REDIS_HOST= \ + -e REDIS_PASSWORD= \ + -e JWT_SECRET=test-secret \ + -e SMTP_HOST=localhost \ + -e SMTP_PORT=25 \ + -e SMTP_USER=test \ + -e SMTP_PASS=test \ + xpeditis-backend:local + +curl http://localhost:4000/api/v1/health +``` diff --git a/docs/deployment/hetzner/12-monitoring-alerting.md b/docs/deployment/hetzner/12-monitoring-alerting.md new file mode 100644 index 0000000..42129ba --- /dev/null +++ b/docs/deployment/hetzner/12-monitoring-alerting.md @@ -0,0 +1,416 @@ +# 12 — Monitoring et alertes + +--- + +## Stack de monitoring + +``` +Prometheus ← Scrape des métriques (pods, nodes, app) +Grafana ← Dashboards visuels +Loki ← Agrégation des logs (NestJS pino) +Alertmanager ← Envoi alertes (email, Slack) +Uptime Kuma ← Monitoring externe HTTP (health checks) +``` + +--- + +## Installation du kube-prometheus-stack + +La stack la plus complète, déployée avec Helm : + +```bash +# Ajouter le repo +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update + +# Créer le namespace monitoring +kubectl create namespace monitoring + +# Installer kube-prometheus-stack +helm install prometheus prometheus-community/kube-prometheus-stack \ + --namespace monitoring \ + --version 65.3.1 \ + --set grafana.adminPassword="" \ + --set grafana.persistence.enabled=true \ + --set grafana.persistence.size=2Gi \ + --set grafana.persistence.storageClassName=hcloud-volumes \ + --set prometheus.prometheusSpec.retention=7d \ + --set prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.storageClassName=hcloud-volumes \ + --set prometheus.prometheusSpec.storageSpec.volumeClaimTemplate.spec.resources.requests.storage=10Gi \ + --set alertmanager.alertmanagerSpec.storage.volumeClaimTemplate.spec.storageClassName=hcloud-volumes \ + --set alertmanager.alertmanagerSpec.storage.volumeClaimTemplate.spec.resources.requests.storage=2Gi \ + --set prometheusOperator.resources.requests.cpu=50m \ + --set prometheusOperator.resources.requests.memory=128Mi \ + --set prometheus.prometheusSpec.resources.requests.cpu=100m \ + --set prometheus.prometheusSpec.resources.requests.memory=512Mi \ + --set grafana.resources.requests.cpu=50m \ + --set grafana.resources.requests.memory=128Mi + +# Attendre que tout soit Running +kubectl rollout status deployment/prometheus-grafana -n monitoring --timeout=300s +kubectl get pods -n monitoring +``` + +--- + +## Exposer Grafana via Ingress + +```bash +cat > /tmp/grafana-ingress.yaml << 'EOF' +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grafana + namespace: monitoring + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.tls: "true" + # Restreindre aux IPs de l'équipe + traefik.ingress.kubernetes.io/router.middlewares: "monitoring-ipwhitelist@kubernetescrd" +spec: + ingressClassName: traefik + tls: + - hosts: + - monitoring.xpeditis.com + secretName: monitoring-tls + rules: + - host: monitoring.xpeditis.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: prometheus-grafana + port: + number: 80 +--- +# IP Whitelist pour Grafana (votre équipe seulement) +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: ipwhitelist + namespace: monitoring +spec: + ipWhiteList: + sourceRange: + - "/32" + - "10.0.0.0/16" # Réseau interne Hetzner +EOF + +kubectl apply -f /tmp/grafana-ingress.yaml +``` + +--- + +## Installation de Loki (agrégation des logs) + +```bash +helm repo add grafana https://grafana.github.io/helm-charts +helm repo update + +helm install loki grafana/loki-stack \ + --namespace monitoring \ + --set loki.persistence.enabled=true \ + --set loki.persistence.size=5Gi \ + --set loki.persistence.storageClassName=hcloud-volumes \ + --set promtail.enabled=true \ + --set loki.config.limits_config.retention_period=7d \ + --set grafana.enabled=false # On utilise le Grafana déjà installé + +# Ajouter Loki comme datasource dans Grafana +# Grafana → Data Sources → Add → Loki +# URL: http://loki:3100 +``` + +--- + +## Configuration des alertes + +### Alertes Xpeditis spécifiques + +```bash +cat > /tmp/xpeditis-alerts.yaml << 'EOF' +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: xpeditis-alerts + namespace: xpeditis-prod + labels: + release: prometheus +spec: + groups: + - name: xpeditis.backend + interval: 30s + rules: + + # Backend down + - alert: XpeditisBackendDown + expr: up{job="xpeditis-backend"} == 0 + for: 1m + labels: + severity: critical + annotations: + summary: "Backend Xpeditis indisponible" + description: "Aucun pod backend ne répond depuis 1 minute." + + # Trop peu de replicas + - alert: XpeditisBackendLowReplicas + expr: kube_deployment_status_replicas_available{deployment="xpeditis-backend",namespace="xpeditis-prod"} < 1 + for: 2m + labels: + severity: critical + annotations: + summary: "Moins d'1 replica backend disponible" + + # CPU élevé (déclenchement autoscaling probable) + - alert: XpeditisHighCPU + expr: | + sum(rate(container_cpu_usage_seconds_total{ + namespace="xpeditis-prod", + container="backend" + }[5m])) by (pod) > 0.8 + for: 5m + labels: + severity: warning + annotations: + summary: "CPU élevé sur pod {{ $labels.pod }}" + description: "Utilisation CPU > 80% depuis 5 minutes." + + # Mémoire élevée + - alert: XpeditisHighMemory + expr: | + container_memory_usage_bytes{ + namespace="xpeditis-prod", + container="backend" + } / container_spec_memory_limit_bytes{ + namespace="xpeditis-prod", + container="backend" + } > 0.85 + for: 5m + labels: + severity: warning + annotations: + summary: "Mémoire élevée sur pod {{ $labels.pod }}" + + # Taux d'erreur HTTP élevé + - alert: XpeditisHighErrorRate + expr: | + sum(rate(traefik_service_requests_total{ + service=~"xpeditis-prod-xpeditis-backend.*", + code=~"5.." + }[5m])) / + sum(rate(traefik_service_requests_total{ + service=~"xpeditis-prod-xpeditis-backend.*" + }[5m])) > 0.05 + for: 2m + labels: + severity: warning + annotations: + summary: "Taux d'erreur 5xx > 5% sur l'API backend" + + # Pods en CrashLoopBackOff + - alert: XpeditisPodCrashLooping + expr: | + increase(kube_pod_container_status_restarts_total{ + namespace="xpeditis-prod" + }[1h]) > 5 + labels: + severity: critical + annotations: + summary: "Pod {{ $labels.pod }} redémarre trop souvent" + + - name: xpeditis.database + rules: + # Pas d'alerte directe sur Neon (managed) — uniquement si self-hosted + + - name: xpeditis.redis + rules: + # Redis mémoire élevée + - alert: RedisHighMemory + expr: | + redis_memory_used_bytes / + redis_memory_max_bytes > 0.85 + for: 5m + labels: + severity: warning + annotations: + summary: "Redis utilise > 85% de sa mémoire" +EOF + +kubectl apply -f /tmp/xpeditis-alerts.yaml +``` + +### Configuration Alertmanager (Slack) + +```bash +cat > /tmp/alertmanager-config.yaml << 'EOF' +apiVersion: v1 +kind: Secret +metadata: + name: alertmanager-prometheus-kube-prometheus-alertmanager + namespace: monitoring +stringData: + alertmanager.yaml: | + global: + resolve_timeout: 5m + slack_api_url: '' + + route: + group_by: ['alertname', 'namespace'] + group_wait: 10s + group_interval: 10m + repeat_interval: 12h + receiver: 'slack-notifications' + routes: + - match: + severity: critical + receiver: 'slack-critical' + - match: + severity: warning + receiver: 'slack-notifications' + + receivers: + - name: 'slack-notifications' + slack_configs: + - channel: '#xpeditis-monitoring' + icon_url: https://avatars.githubusercontent.com/u/3380462 + title: '{{ template "slack.default.title" . }}' + text: '{{ template "slack.default.text" . }}' + send_resolved: true + + - name: 'slack-critical' + slack_configs: + - channel: '#xpeditis-alerts-critiques' + color: 'danger' + title: '🚨 ALERTE CRITIQUE : {{ .CommonAnnotations.summary }}' + text: '{{ .CommonAnnotations.description }}' + send_resolved: true +EOF + +kubectl apply -f /tmp/alertmanager-config.yaml +``` + +--- + +## Dashboards Grafana recommandés + +Importez ces dashboards depuis grafana.com (ID à entrer dans Grafana → Import) : + +| Dashboard | ID | Usage | +|---|---|---| +| Kubernetes Cluster Overview | 6417 | Vue d'ensemble cluster | +| Kubernetes Deployments | 8588 | Détail des deployments | +| Node Exporter Full | 1860 | Métriques système des nœuds | +| Loki & Promtail | 12611 | Logs agrégés | +| Traefik 2 | 4475 | Métriques ingress/requêtes | + +```bash +# Dans Grafana (https://monitoring.xpeditis.com) +# → + → Import +# → Entrer l'ID et cliquer "Load" +# → Sélectionner la datasource Prometheus +# → Import +``` + +--- + +## Uptime Kuma (monitoring externe) + +Uptime Kuma monitore vos endpoints depuis l'extérieur du cluster, indépendamment de Prometheus : + +```bash +# Déployer Uptime Kuma dans le cluster +cat > /tmp/uptime-kuma.yaml << 'EOF' +apiVersion: apps/v1 +kind: Deployment +metadata: + name: uptime-kuma + namespace: monitoring +spec: + replicas: 1 + selector: + matchLabels: + app: uptime-kuma + template: + metadata: + labels: + app: uptime-kuma + spec: + containers: + - name: uptime-kuma + image: louislam/uptime-kuma:1 + ports: + - containerPort: 3001 + volumeMounts: + - name: data + mountPath: /app/data + resources: + requests: + cpu: 50m + memory: 128Mi + volumes: + - name: data + persistentVolumeClaim: + claimName: uptime-kuma-pvc +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: uptime-kuma-pvc + namespace: monitoring +spec: + accessModes: [ReadWriteOnce] + storageClassName: hcloud-volumes + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: uptime-kuma + namespace: monitoring +spec: + selector: + app: uptime-kuma + ports: + - port: 3001 + targetPort: 3001 +EOF + +kubectl apply -f /tmp/uptime-kuma.yaml +``` + +Monitors à configurer dans Uptime Kuma : + +| Monitor | URL | Intervalle | +|---|---|---| +| API Health | `https://api.xpeditis.com/api/v1/health` | 1 min | +| Frontend | `https://app.xpeditis.com/` | 1 min | +| API Login | `POST https://api.xpeditis.com/api/v1/auth/login` | 5 min | + +--- + +## Commandes de monitoring rapides + +```bash +# Top des pods par consommation CPU/RAM +kubectl top pods -n xpeditis-prod --sort-by=cpu + +# Événements récents du namespace +kubectl get events -n xpeditis-prod --sort-by='.lastTimestamp' | tail -20 + +# Logs backend en temps réel (tous les pods) +stern xpeditis-backend -n xpeditis-prod + +# Logs d'erreurs uniquement +kubectl logs -l app=xpeditis-backend -n xpeditis-prod --since=1h | grep -i error + +# Status des HPAs +kubectl get hpa -n xpeditis-prod + +# Métriques des nœuds +kubectl top nodes +``` diff --git a/docs/deployment/hetzner/14-security-hardening.md b/docs/deployment/hetzner/14-security-hardening.md new file mode 100644 index 0000000..12d8fee --- /dev/null +++ b/docs/deployment/hetzner/14-security-hardening.md @@ -0,0 +1,349 @@ +# 14 — Sécurité et hardening + +--- + +## Couches de sécurité + +``` +Internet + │ + ▼ Couche 1 : Cloudflare (WAF, DDoS, Bot protection) + │ + ▼ Couche 2 : Hetzner Firewall (ports, IP whitelist) + │ + ▼ Couche 3 : k3s Network Policies (isolation namespace) + │ + ▼ Couche 4 : NestJS Guards (JWT, Rate Limiting, Roles) + │ + ▼ Couche 5 : PostgreSQL (SSL, auth md5) +``` + +--- + +## Hardening des nœuds Hetzner + +Ces commandes sont exécutées automatiquement via `post_create_commands` dans `cluster.yaml`, mais voici les détails : + +```bash +# Se connecter sur chaque nœud +ssh -i ~/.ssh/xpeditis_hetzner root@ + +# 1. Mettre à jour le système +apt-get update && apt-get upgrade -y + +# 2. Désactiver le login root par mot de passe (SSH key uniquement) +sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config +sed -i 's/PermitRootLogin yes/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config +systemctl restart sshd + +# 3. Configurer fail2ban +apt-get install -y fail2ban +cat > /etc/fail2ban/jail.d/sshd.conf << 'EOF' +[sshd] +enabled = true +maxretry = 3 +bantime = 3600 +findtime = 600 +EOF +systemctl enable fail2ban && systemctl restart fail2ban + +# 4. Configurer le firewall UFW (en plus du firewall Hetzner) +apt-get install -y ufw +ufw default deny incoming +ufw default allow outgoing +ufw allow from 10.0.0.0/16 # Réseau privé Hetzner +ufw allow 22/tcp # SSH +ufw allow 80/tcp # HTTP (LB) +ufw allow 443/tcp # HTTPS (LB) +ufw allow 6443/tcp # K8s API +ufw --force enable + +# 5. Kernel hardening +cat >> /etc/sysctl.d/99-security.conf << 'EOF' +# Désactiver les paquets IP forwardés depuis des sources inconnues +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 + +# Ignorer les ICMP broadcasts +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +# Désactiver l'acceptation des redirections ICMP +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.all.send_redirects = 0 + +# SYN flood protection +net.ipv4.tcp_syncookies = 1 +EOF +sysctl -p /etc/sysctl.d/99-security.conf +``` + +--- + +## Network Policies Kubernetes + +Les NetworkPolicies limitent les communications entre pods : + +```bash +cat > /tmp/network-policies.yaml << 'EOF' +# Politique par défaut : bloquer tout trafic entrant dans le namespace +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress + namespace: xpeditis-prod +spec: + podSelector: {} + policyTypes: + - Ingress + +# Autoriser le trafic depuis Traefik vers le backend +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-traefik-to-backend + namespace: xpeditis-prod +spec: + podSelector: + matchLabels: + app: xpeditis-backend + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + ports: + - port: 4000 + +# Autoriser le trafic depuis Traefik vers le frontend +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-traefik-to-frontend + namespace: xpeditis-prod +spec: + podSelector: + matchLabels: + app: xpeditis-frontend + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + ports: + - port: 3000 + +# Autoriser le trafic du backend vers Redis (self-hosted) +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-backend-to-redis + namespace: xpeditis-prod +spec: + podSelector: + matchLabels: + app: redis + ingress: + - from: + - podSelector: + matchLabels: + app: xpeditis-backend + ports: + - port: 6379 + +# Autoriser Prometheus à scraper les métriques du backend +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-prometheus-scrape + namespace: xpeditis-prod +spec: + podSelector: + matchLabels: + app: xpeditis-backend + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: monitoring + ports: + - port: 4000 +EOF + +kubectl apply -f /tmp/network-policies.yaml +``` + +--- + +## Rotation des secrets + +### Script de rotation du JWT secret + +```bash +#!/bin/bash +# scripts/rotate-jwt-secret.sh +# ⚠️ Cette opération déconnecte TOUS les utilisateurs connectés + +set -e +echo "⚠️ Rotation du JWT Secret — tous les utilisateurs seront déconnectés" +read -p "Confirmer ? (yes/no): " CONFIRM +[ "$CONFIRM" != "yes" ] && exit 1 + +# Générer un nouveau secret +NEW_SECRET=$(openssl rand -base64 48) + +# Mettre à jour le Secret Kubernetes +kubectl patch secret backend-secrets -n xpeditis-prod \ + --type='json' \ + -p="[{\"op\":\"replace\",\"path\":\"/data/JWT_SECRET\",\"value\":\"$(echo -n $NEW_SECRET | base64)\"}]" + +# Redémarrer les pods pour prendre en compte le nouveau secret +kubectl rollout restart deployment/xpeditis-backend -n xpeditis-prod + +# Attendre +kubectl rollout status deployment/xpeditis-backend -n xpeditis-prod --timeout=120s + +echo "✅ JWT Secret roté. Tous les utilisateurs devront se reconnecter." +``` + +### Rotation des credentials Hetzner Object Storage + +```bash +# 1. Dans la console Hetzner → Object Storage → Access Keys → Generate new key +# 2. Mettre à jour le Secret Kubernetes avec les nouvelles valeurs +# 3. Redémarrer les pods +kubectl patch secret backend-secrets -n xpeditis-prod \ + --type='json' \ + -p='[ + {"op":"replace","path":"/data/AWS_ACCESS_KEY_ID","value":""}, + {"op":"replace","path":"/data/AWS_SECRET_ACCESS_KEY","value":""} + ]' +kubectl rollout restart deployment/xpeditis-backend -n xpeditis-prod +# 4. Supprimer l'ancienne clé dans la console Hetzner +``` + +--- + +## Sécurisation des accès Kubernetes + +### RBAC — Utilisateur de déploiement limité + +```bash +cat > /tmp/rbac-deploy.yaml << 'EOF' +# Utilisateur de déploiement CI/CD (accès limité au namespace xpeditis-prod) +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ci-deploy + namespace: xpeditis-prod +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: deployer + namespace: xpeditis-prod +rules: +- apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "update", "patch"] +- apiGroups: [""] + resources: ["pods", "pods/log"] + verbs: ["get", "list"] +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ci-deploy-binding + namespace: xpeditis-prod +subjects: +- kind: ServiceAccount + name: ci-deploy + namespace: xpeditis-prod +roleRef: + kind: Role + name: deployer + apiGroup: rbac.authorization.k8s.io +EOF + +kubectl apply -f /tmp/rbac-deploy.yaml + +# Générer un kubeconfig limité pour le CI (alternative au kubeconfig admin) +SECRET_NAME=$(kubectl get serviceaccount ci-deploy -n xpeditis-prod \ + -o jsonpath='{.secrets[0].name}') +TOKEN=$(kubectl get secret $SECRET_NAME -n xpeditis-prod \ + -o jsonpath='{.data.token}' | base64 -d) + +# Utiliser ce token dans GitHub Secrets pour le CI (plus sécurisé que le kubeconfig admin) +echo "Token CI : $TOKEN" +``` + +--- + +## Audit des accès + +```bash +# Vérifier les dernières connexions SSH sur les nœuds +for NODE in $(hcloud server list -o columns=name --no-header); do + IP=$(hcloud server ip $NODE) + echo "=== $NODE ($IP) ===" + ssh -i ~/.ssh/xpeditis_hetzner root@$IP "last -20 | head -10" +done + +# Vérifier les événements Kubernetes suspects +kubectl get events -A --field-selector type=Warning | grep -v "Normal" + +# Vérifier les tentatives d'accès bloquées par fail2ban +ssh -i ~/.ssh/xpeditis_hetzner root@ \ + "fail2ban-client status sshd" +``` + +--- + +## Checklist de sécurité + +``` +Infrastructure +□ Token API Hetzner limité au projet (read+write minimum nécessaire) +□ Firewall Hetzner : SSH uniquement depuis votre IP +□ fail2ban actif sur tous les nœuds +□ Mises à jour OS automatiques (unattended-upgrades) + +Kubernetes +□ NetworkPolicies appliquées +□ Secrets dans Kubernetes (pas dans les ConfigMaps) +□ k8s/01-secrets.yaml dans .gitignore +□ RBAC CI/CD avec ServiceAccount limité +□ Pod Security Standards activés + +Application +□ JWT_SECRET 48+ caractères aléatoires +□ NEXTAUTH_SECRET différent du JWT_SECRET +□ Stripe en mode live (pas test) en production +□ Sentry configuré pour les erreurs +□ SMTP_FROM vérifié (SPF/DKIM dans Brevo/SendGrid) + +TLS/DNS +□ Cloudflare SSL mode "Full (strict)" +□ HSTS activé (stsPreload: true dans Traefik) +□ Certificats Let's Encrypt valides (READY=True) +□ HTTP → HTTPS redirect actif + +Backups +□ Backup PostgreSQL quotidien testé +□ Secrets Kubernetes sauvegardés chiffrés +□ Test de restauration effectué +``` diff --git a/docs/deployment/hetzner/15-operations-scaling.md b/docs/deployment/hetzner/15-operations-scaling.md new file mode 100644 index 0000000..b7338a0 --- /dev/null +++ b/docs/deployment/hetzner/15-operations-scaling.md @@ -0,0 +1,424 @@ +# 15 — Opérations, Scaling et Troubleshooting + +Référence quotidienne pour gérer le cluster en production. + +--- + +## Commandes kubectl essentielles + +### Vue d'ensemble rapide + +```bash +# État du cluster +kubectl get nodes +kubectl get pods -n xpeditis-prod +kubectl get pods -n xpeditis-prod -o wide # + infos sur les nœuds + +# Ressources consommées +kubectl top nodes +kubectl top pods -n xpeditis-prod --sort-by=cpu + +# Événements récents (erreurs, warnings) +kubectl get events -n xpeditis-prod --sort-by='.lastTimestamp' | tail -30 +kubectl get events -n xpeditis-prod -w # En temps réel + +# État des déploiements +kubectl get deployments -n xpeditis-prod +kubectl get hpa -n xpeditis-prod +kubectl get pvc -n xpeditis-prod +``` + +### Logs + +```bash +# Logs backend (tous les pods) +kubectl logs -l app=xpeditis-backend -n xpeditis-prod --since=1h + +# Logs frontend +kubectl logs -l app=xpeditis-frontend -n xpeditis-prod --since=1h + +# Logs en temps réel (un pod spécifique) +kubectl logs -f pod/xpeditis-backend-5b8d6c7f9-xxxxx -n xpeditis-prod + +# Logs multi-pods en temps réel (avec stern) +stern xpeditis-backend -n xpeditis-prod +stern xpeditis -n xpeditis-prod # Backend + frontend + +# Filtrer les erreurs +kubectl logs -l app=xpeditis-backend -n xpeditis-prod --since=1h | grep -E "ERROR|error|Error" + +# Logs des dernières 100 lignes d'un pod crashé +kubectl logs --previous pod/xpeditis-backend-xxx -n xpeditis-prod | tail -100 +``` + +### Exécution dans un pod + +```bash +# Shell interactif dans un pod backend +kubectl exec -it deployment/xpeditis-backend -n xpeditis-prod -- /bin/sh + +# Commande unique +kubectl exec deployment/xpeditis-backend -n xpeditis-prod -- \ + node -e "console.log(process.env.NODE_ENV)" + +# Vérifier la connectivité DB depuis un pod +kubectl exec deployment/xpeditis-backend -n xpeditis-prod -- \ + nc -zv 10.0.1.100 5432 +``` + +--- + +## Déploiements + +### Déploiement d'une nouvelle version + +```bash +# Via CI/CD (automatique sur push main) — voir doc 11 + +# Manuel : mettre à jour l'image +IMAGE_TAG="sha-$(git rev-parse --short HEAD)" + +kubectl set image deployment/xpeditis-backend \ + backend=ghcr.io//xpeditis-backend:${IMAGE_TAG} \ + -n xpeditis-prod + +# Suivre le déploiement +kubectl rollout status deployment/xpeditis-backend -n xpeditis-prod --timeout=300s + +# Vérifier la version déployée +kubectl get deployment xpeditis-backend -n xpeditis-prod \ + -o jsonpath='{.spec.template.spec.containers[0].image}' +``` + +### Rollback + +```bash +# Rollback vers la version précédente +kubectl rollout undo deployment/xpeditis-backend -n xpeditis-prod + +# Rollback vers une version spécifique +kubectl rollout history deployment/xpeditis-backend -n xpeditis-prod +# REVISION CHANGE-CAUSE +# 1 Initial deployment +# 2 sha-abc1234 +# 3 sha-def5678 ← actuelle + +kubectl rollout undo deployment/xpeditis-backend \ + --to-revision=2 \ + -n xpeditis-prod + +# Vérifier +kubectl rollout status deployment/xpeditis-backend -n xpeditis-prod +``` + +### Redémarrage forcé (sans changer l'image) + +```bash +# Utile après modification des secrets ou configmaps +kubectl rollout restart deployment/xpeditis-backend -n xpeditis-prod +kubectl rollout restart deployment/xpeditis-frontend -n xpeditis-prod + +# Ou redémarrer un pod spécifique (K8s en recrée un nouveau) +kubectl delete pod xpeditis-backend-5b8d6c7f9-xxxxx -n xpeditis-prod +``` + +--- + +## Scaling manuel + +```bash +# Scale horizontal (nombre de pods) +kubectl scale deployment xpeditis-backend \ + --replicas=5 \ + -n xpeditis-prod + +# Scale horizontal frontend +kubectl scale deployment xpeditis-frontend \ + --replicas=3 \ + -n xpeditis-prod + +# Désactiver temporairement le HPA (maintenance) +kubectl patch hpa backend-hpa -n xpeditis-prod \ + -p '{"spec":{"minReplicas":0,"maxReplicas":0}}' + +# Réactiver le HPA +kubectl patch hpa backend-hpa -n xpeditis-prod \ + -p '{"spec":{"minReplicas":2,"maxReplicas":15}}' +``` + +--- + +## Gestion des nœuds + +### Maintenance d'un nœud (drain) + +```bash +# 1. Mettre le nœud en maintenance (draine les pods, bloque les nouveaux) +kubectl cordon xpeditis-prod-cx32-worker-1 +kubectl drain xpeditis-prod-cx32-worker-1 \ + --ignore-daemonsets \ + --delete-emptydir-data \ + --grace-period=30 + +# 2. Effectuer la maintenance (mise à jour OS, etc.) +ssh -i ~/.ssh/xpeditis_hetzner root@ +apt-get update && apt-get upgrade -y +reboot + +# 3. Remettre le nœud en service +kubectl uncordon xpeditis-prod-cx32-worker-1 + +# Vérifier que les pods reviennent +kubectl get pods -n xpeditis-prod -o wide | grep worker-1 +``` + +### Ajouter un nœud worker + +```bash +# Méthode 1 : Via hetzner-k3s (recommandé) +# Modifier cluster.yaml → instance_count: 3 (ou plus) +hetzner-k3s apply --config ~/.xpeditis/cluster.yaml + +# Méthode 2 : Via Cluster Autoscaler (automatique) +# Le CA crée des nœuds quand des pods sont en état "Pending" +# Pour forcer : déployer une charge +kubectl scale deployment xpeditis-backend --replicas=20 -n xpeditis-prod +# Le CA va créer des nœuds automatiquement +# Remettre en place après test +kubectl scale deployment xpeditis-backend --replicas=2 -n xpeditis-prod +``` + +--- + +## Mise à jour de k3s + +Le System Upgrade Controller gère les upgrades automatiquement. Pour une mise à jour manuelle : + +```bash +# Vérifier la version actuelle +kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.kubeletVersion}' +# v1.30.4+k3s1 + +# Créer un Plan de mise à jour +cat > /tmp/k3s-upgrade.yaml << 'EOF' +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: k3s-server + namespace: system-upgrade +spec: + concurrency: 1 # Un nœud à la fois + cordon: true + serviceAccountName: system-upgrade + version: v1.31.0+k3s1 # Nouvelle version + upgrade: + image: rancher/k3s-upgrade + channel: https://update.k3s.io/v1-release/channels/stable + nodeSelector: + matchExpressions: + - {key: node-role.kubernetes.io/control-plane, operator: Exists} +--- +apiVersion: upgrade.cattle.io/v1 +kind: Plan +metadata: + name: k3s-agent + namespace: system-upgrade +spec: + concurrency: 1 + cordon: true + serviceAccountName: system-upgrade + version: v1.31.0+k3s1 + prepare: + image: rancher/k3s-upgrade + args: ["prepare", "k3s-server"] + upgrade: + image: rancher/k3s-upgrade + channel: https://update.k3s.io/v1-release/channels/stable + nodeSelector: + matchExpressions: + - {key: node-role.kubernetes.io/control-plane, operator: DoesNotExist} +EOF + +kubectl apply -f /tmp/k3s-upgrade.yaml + +# Suivre la progression +kubectl get plans -n system-upgrade +kubectl get jobs -n system-upgrade +``` + +--- + +## Troubleshooting — Problèmes courants + +### Pod en CrashLoopBackOff + +```bash +# 1. Voir les logs du crash +kubectl logs pod/xpeditis-backend-xxx -n xpeditis-prod --previous + +# 2. Décrire le pod +kubectl describe pod xpeditis-backend-xxx -n xpeditis-prod +# Chercher : "Error", "OOMKilled", "Exit Code" + +# Causes fréquentes : +# - OOMKilled (Exit 137) → Augmenter limits.memory +# - Exit 1 → Erreur applicative (DB unreachable, env var manquante) +# - Exit 126 → Problème de permissions sur le fichier d'entrée + +# 3. Si env var manquante +kubectl exec deployment/xpeditis-backend -n xpeditis-prod -- env | sort | grep -E "DB|REDIS|JWT" +``` + +### Pod en Pending (pas démarré) + +```bash +# Voir pourquoi le pod ne démarre pas +kubectl describe pod xpeditis-backend-xxx -n xpeditis-prod | grep -A 20 Events + +# Causes fréquentes : +# "Insufficient cpu/memory" → Pas assez de ressources sur les nœuds → Scale up +# "0/2 nodes are available" → Vérifier les taints/tolerations +# "did not trigger scale-up" → Cluster Autoscaler peut-être désactivé + +# Vérifier le Cluster Autoscaler +kubectl logs -n kube-system deployment/cluster-autoscaler | tail -30 +``` + +### L'API backend retourne des 500 + +```bash +# 1. Vérifier les logs récents +kubectl logs -l app=xpeditis-backend -n xpeditis-prod --since=15m | grep -E "Error|error|500" + +# 2. Tester le health check directement +kubectl exec deployment/xpeditis-backend -n xpeditis-prod -- \ + wget -qO- http://localhost:4000/api/v1/health | jq . + +# 3. Tester la connexion DB +kubectl exec deployment/xpeditis-backend -n xpeditis-prod -- \ + node -e " + const { Client } = require('pg'); + const c = new Client({connectionString: process.env.DATABASE_URL || 'postgres://'+process.env.DATABASE_USER+':'+process.env.DATABASE_PASSWORD+'@'+process.env.DATABASE_HOST+':'+process.env.DATABASE_PORT+'/'+process.env.DATABASE_NAME}); + c.connect().then(() => { console.log('DB OK'); c.end(); }).catch(e => { console.error('DB Error:', e.message); }); + " + +# 4. Tester la connexion Redis +kubectl exec deployment/xpeditis-backend -n xpeditis-prod -- \ + node -e " + const Redis = require('ioredis'); + const r = new Redis({host:process.env.REDIS_HOST,port:process.env.REDIS_PORT,password:process.env.REDIS_PASSWORD}); + r.ping().then(res => { console.log('Redis OK:', res); r.quit(); }).catch(e => { console.error('Redis Error:', e.message); }); + " +``` + +### TLS ne fonctionne pas + +```bash +# Vérifier cert-manager +kubectl get certificates -n xpeditis-prod +kubectl describe certificate xpeditis-tls-prod -n xpeditis-prod + +# Voir les challenges ACME +kubectl get challenges -n xpeditis-prod + +# Si challenge bloqué : vérifier que l'IP du LB est dans le DNS Cloudflare +dig +short api.xpeditis.com +# Doit retourner l'IP du Hetzner LB + +# Forcer le renouvellement du certificat +kubectl delete certificate xpeditis-tls-prod -n xpeditis-prod +kubectl apply -f k8s/07-ingress.yaml # Le certificat sera recréé automatiquement +``` + +### WebSocket se déconnecte fréquemment + +```bash +# 1. Vérifier les sticky sessions dans Traefik +kubectl logs -l app.kubernetes.io/name=traefik -n kube-system | grep -i sticky + +# 2. Vérifier Cloudflare WebSocket est activé +# Cloudflare → Votre domaine → Network → WebSockets → ON + +# 3. Vérifier le timeout WebSocket +# Cloudflare → Rules → Configuration Rules +# Créer une règle pour api.xpeditis.com/* → WebSocket timeout : 300s + +# 4. Vérifier les logs Socket.IO +kubectl logs -l app=xpeditis-backend -n xpeditis-prod | grep -i socket +``` + +--- + +## Mise en maintenance planifiée + +```bash +#!/bin/bash +# scripts/maintenance-mode.sh + +echo "🔧 Activation du mode maintenance" + +# 1. Mettre à jour le ConfigMap pour afficher une page de maintenance +kubectl patch configmap frontend-config -n xpeditis-prod \ + --type='json' \ + -p='[{"op":"add","path":"/data/MAINTENANCE_MODE","value":"true"}]' + +# 2. Redémarrer le frontend +kubectl rollout restart deployment/xpeditis-frontend -n xpeditis-prod +kubectl rollout status deployment/xpeditis-frontend -n xpeditis-prod + +# 3. Prévenir l'équipe +echo "✅ Mode maintenance activé. L'app affiche une page de maintenance." +echo "Pour désactiver : kubectl patch configmap frontend-config -n xpeditis-prod --type='json' -p='[{\"op\":\"remove\",\"path\":\"/data/MAINTENANCE_MODE\"}]'" +``` + +--- + +## Surveillance quotidienne (5 min/jour) + +```bash +#!/bin/bash +# scripts/daily-check.sh +echo "=== Rapport Quotidien Xpeditis $(date) ===" + +echo -e "\n--- CLUSTER ---" +kubectl get nodes +kubectl top nodes + +echo -e "\n--- PODS ---" +kubectl get pods -n xpeditis-prod + +echo -e "\n--- HPA ---" +kubectl get hpa -n xpeditis-prod + +echo -e "\n--- EVENTS RÉCENTS (warnings) ---" +kubectl get events -n xpeditis-prod \ + --field-selector type=Warning \ + --sort-by='.lastTimestamp' | tail -10 + +echo -e "\n--- HEALTH CHECK ---" +curl -sf https://api.xpeditis.com/api/v1/health | jq '.status' || echo "❌ API DOWN" +curl -sf -o /dev/null -w "Frontend: %{http_code}\n" https://app.xpeditis.com/ + +echo -e "\n--- CERTIFICATS ---" +kubectl get certificate -n xpeditis-prod + +echo -e "\n--- STOCKAGE ---" +kubectl get pvc -n xpeditis-prod + +echo "=== Fin du rapport ===" +``` + +--- + +## Liens utiles + +| Ressource | URL | +|---|---| +| Dashboard Grafana | https://monitoring.xpeditis.com | +| API Swagger | https://api.xpeditis.com/api/docs | +| Hetzner Console | https://console.hetzner.cloud | +| Cloudflare Dashboard | https://dash.cloudflare.com | +| Neon Dashboard | https://console.neon.tech | +| Upstash Console | https://console.upstash.com | +| GitHub Actions | https://github.com//xpeditis2.0/actions | +| GitHub GHCR | https://github.com//xpeditis2.0/pkgs/container | diff --git a/docs/deployment/hetzner/README.md b/docs/deployment/hetzner/README.md new file mode 100644 index 0000000..4a17f93 --- /dev/null +++ b/docs/deployment/hetzner/README.md @@ -0,0 +1,111 @@ +# Xpeditis 2.0 — Déploiement Production sur Hetzner Cloud + +> Documentation complète de bout en bout : du choix des serveurs au déploiement production +> Stack : k3s (Kubernetes léger) + Hetzner Object Storage (S3) + PostgreSQL + Redis + +--- + +## Pourquoi ce guide + +Ce guide couvre le déploiement de Xpeditis sur **Hetzner Cloud** avec **k3s** (Kubernetes léger), de la création du compte Hetzner jusqu'à la surveillance en production. C'est l'option la plus économique (€65-450/mois vs $270-5000 sur AWS) tout en restant production-grade. + +**Ce que vous obtiendrez en suivant ce guide :** +- Cluster Kubernetes k3s sur Hetzner avec autoscaling +- Backend NestJS et Frontend Next.js déployés en HA +- PostgreSQL managé (Neon.tech) ou self-hosted selon le budget +- Redis (Upstash) ou self-hosted +- Hetzner Object Storage en remplacement de MinIO (zéro changement de code) +- TLS automatique via Let's Encrypt + Cloudflare +- CI/CD avec GitHub Actions +- Monitoring avec Prometheus + Grafana +- Backups automatisés vers Object Storage +- Runbooks d'opérations et de troubleshooting + +--- + +## Vue d'ensemble des fichiers + +| # | Fichier | Contenu | Temps estimé | +|---|---|---|---| +| — | **README.md** | Ce fichier — index et quickstart | — | +| 01 | [Architecture](./01-architecture.md) | Diagrammes, composants, flux réseau | 15 min lecture | +| 02 | [Prérequis](./02-prerequisites.md) | Outils, comptes, SSH, DNS | 30-60 min setup | +| 03 | [Setup Hetzner](./03-hetzner-setup.md) | Compte, API token, réseau, firewall | 20 min | +| 04 | [Choix des serveurs](./04-server-selection.md) | Sizing par palier, ARM vs x86 | 10 min lecture | +| 05 | [Cluster k3s](./05-k3s-cluster.md) | **Installation complète du cluster** | 30-45 min | +| 06 | [Stockage S3](./06-storage-s3.md) | Hetzner Object Storage, migration MinIO | 15 min | +| 07 | [Base de données](./07-database-postgresql.md) | PostgreSQL (Neon ou self-hosted) | 20-60 min | +| 08 | [Redis](./08-redis-setup.md) | Redis (Upstash ou self-hosted) | 15-30 min | +| 09 | [Manifests Kubernetes](./09-kubernetes-manifests.md) | **Tous les YAMLs complets** | 30 min | +| 10 | [Ingress + TLS](./10-ingress-tls-cloudflare.md) | Traefik, cert-manager, Cloudflare | 30 min | +| 11 | [CI/CD GitHub Actions](./11-cicd-github-actions.md) | Pipeline build + deploy complet | 30 min | +| 12 | [Monitoring](./12-monitoring-alerting.md) | Prometheus, Grafana, Loki, alertes | 45 min | +| 13 | [Backups](./13-backup-disaster-recovery.md) | Stratégie backup + runbook DR | 20 min | +| 14 | [Sécurité](./14-security-hardening.md) | Hardening, network policies, WAF | 30 min | +| 15 | [Opérations](./15-operations-scaling.md) | Scaling, upgrades, troubleshooting | Référence | + +**Temps total de déploiement (première fois) : 4-6 heures** + +--- + +## Quickstart — Du zéro à la production + +Si vous avez déjà tous les prérequis, voici le chemin minimum : + +```bash +# 1. Installer hetzner-k3s +brew install vitobotta/tap/hetzner-k3s + +# 2. Configurer (voir 03-hetzner-setup.md) +export HCLOUD_TOKEN= + +# 3. Créer le cluster (voir 05-k3s-cluster.md) +hetzner-k3s create --config cluster.yaml + +# 4. Configurer kubectl +export KUBECONFIG=~/.kube/kubeconfig-xpeditis-prod + +# 5. Créer les namespaces et secrets +kubectl apply -f k8s/namespaces.yaml +kubectl apply -f k8s/secrets.yaml # après avoir rempli les valeurs + +# 6. Déployer l'application +kubectl apply -f k8s/ + +# 7. Vérifier +kubectl get pods -n xpeditis-prod +``` + +--- + +## Coûts récapitulatifs + +| Palier | Config Hetzner | Coût/mois (post 1er avril 2026) | +|---|---|---| +| **MVP (100 users)** | 1×CX22 + 2×CX32 | **€36** (+ €19 Neon.tech + €0 Upstash free) = **~€55** | +| **Croissance (1 000 users)** | 1×CX22 + 3×CX42 | **€91** (+ DB self-hosted) = **~€110** | +| **Scale (10 000 users)** | 3×CX22 + 6×CX52 | **€340** (+ DB self-hosted HA) = **~€390** | + +--- + +## Architecture résumée + +``` +Internet → Cloudflare (WAF + CDN) → Hetzner LB → k3s Ingress (Traefik) + ├── api.xpeditis.com → NestJS pods + └── app.xpeditis.com → Next.js pods + ↓ + PostgreSQL (Neon / self-hosted) + Redis (Upstash / self-hosted) + Hetzner Object Storage (S3-compatible) +``` + +--- + +## Conventions utilisées dans ce guide + +- `` — à remplacer par votre valeur +- `xpeditis-prod` — namespace Kubernetes de production +- `fsn1` — région Hetzner par défaut (Falkenstein, Allemagne) +- Les commandes `kubectl` supposent `KUBECONFIG` déjà configuré +- Les prix sont en EUR, basés sur les tarifs Hetzner post 1er avril 2026 diff --git a/infra/logging/grafana/provisioning/dashboards/provider.yml b/infra/logging/grafana/provisioning/dashboards/provider.yml new file mode 100644 index 0000000..bd9b492 --- /dev/null +++ b/infra/logging/grafana/provisioning/dashboards/provider.yml @@ -0,0 +1,12 @@ +apiVersion: 1 + +providers: + - name: Xpeditis Dashboards + orgId: 1 + type: file + disableDeletion: false + updateIntervalSeconds: 30 + allowUiUpdates: true + options: + path: /etc/grafana/provisioning/dashboards + foldersFromFilesStructure: false diff --git a/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json b/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json new file mode 100644 index 0000000..96e624f --- /dev/null +++ b/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json @@ -0,0 +1,636 @@ +{ + "title": "Xpeditis — Logs & Monitoring", + "uid": "xpeditis-logs", + "description": "Dashboard complet — logs backend/frontend, métriques HTTP, erreurs", + "tags": ["xpeditis", "logs", "backend", "frontend"], + "timezone": "browser", + "refresh": "30s", + "schemaVersion": 38, + "time": { "from": "now-1h", "to": "now" }, + "timepicker": {}, + "fiscalYearStartMonth": 0, + "graphTooltip": 1, + "editable": true, + "version": 1, + "weekStart": "", + "links": [], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { "type": "grafana", "uid": "-- Grafana --" }, + "enable": true, + "hide": true, + "iconColor": "rgba(0,211,255,1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + + "templating": { + "list": [ + { + "name": "service", + "label": "Service", + "type": "query", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "query": "label_values(service)", + "refresh": 2, + "sort": 1, + "includeAll": true, + "allValue": ".+", + "multi": false, + "hide": 0, + "current": {}, + "options": [] + }, + { + "name": "level", + "label": "Niveau", + "type": "custom", + "query": "All : .+, error : error, fatal : fatal, warn : warn, info : info, debug : debug", + "includeAll": false, + "multi": false, + "hide": 0, + "current": { "text": "All", "value": ".+" }, + "options": [ + { "text": "All", "value": ".+", "selected": true }, + { "text": "error", "value": "error", "selected": false }, + { "text": "fatal", "value": "fatal", "selected": false }, + { "text": "warn", "value": "warn", "selected": false }, + { "text": "info", "value": "info", "selected": false }, + { "text": "debug", "value": "debug", "selected": false } + ] + }, + { + "name": "search", + "label": "Recherche", + "type": "textbox", + "query": "", + "hide": 0, + "current": { "text": "", "value": "" }, + "options": [{ "selected": true, "text": "", "value": "" }] + } + ] + }, + + "panels": [ + + { + "id": 100, + "type": "row", + "title": "Vue d'ensemble", + "collapsed": false, + "gridPos": { "h": 1, "w": 24, "x": 0, "y": 0 } + }, + + { + "id": 1, + "title": "Total logs", + "type": "stat", + "gridPos": { "h": 4, "w": 4, "x": 0, "y": 1 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "background", + "graphMode": "area", + "justifyMode": "center" + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "thresholds" }, + "thresholds": { "mode": "absolute", "steps": [{ "color": "blue", "value": null }] }, + "mappings": [] + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=~\"$service\"} [$__range]))", + "legendFormat": "Total", + "instant": true + } + ] + }, + + { + "id": 2, + "title": "Erreurs & Fatal", + "type": "stat", + "gridPos": { "h": 4, "w": 4, "x": 4, "y": 1 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "background", + "graphMode": "area", + "justifyMode": "center" + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "thresholds" }, + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "red", "value": 1 }] }, + "mappings": [] + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=~\"$service\", level=~\"error|fatal\"} [$__range]))", + "legendFormat": "Erreurs", + "instant": true + } + ] + }, + + { + "id": 3, + "title": "Warnings", + "type": "stat", + "gridPos": { "h": 4, "w": 4, "x": 8, "y": 1 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "background", + "graphMode": "area", + "justifyMode": "center" + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "thresholds" }, + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "orange", "value": 1 }] }, + "mappings": [] + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=~\"$service\", level=\"warn\"} [$__range]))", + "legendFormat": "Warnings", + "instant": true + } + ] + }, + + { + "id": 4, + "title": "Info", + "type": "stat", + "gridPos": { "h": 4, "w": 4, "x": 12, "y": 1 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "background", + "graphMode": "area", + "justifyMode": "center" + }, + "fieldConfig": { + "defaults": { + "color": { "fixedColor": "blue", "mode": "fixed" }, + "thresholds": { "mode": "absolute", "steps": [{ "color": "blue", "value": null }] }, + "mappings": [] + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=~\"$service\", level=\"info\"} [$__range]))", + "legendFormat": "Info", + "instant": true + } + ] + }, + + { + "id": 5, + "title": "Requêtes HTTP 5xx", + "type": "stat", + "gridPos": { "h": 4, "w": 4, "x": 16, "y": 1 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "background", + "graphMode": "area", + "justifyMode": "center" + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "thresholds" }, + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "red", "value": 1 }] }, + "mappings": [] + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 500 [$__range]))", + "legendFormat": "5xx", + "instant": true + } + ] + }, + + { + "id": 6, + "title": "Temps réponse moyen (ms)", + "type": "stat", + "gridPos": { "h": 4, "w": 4, "x": 20, "y": 1 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "orientation": "auto", + "textMode": "auto", + "colorMode": "background", + "graphMode": "area", + "justifyMode": "center" + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "thresholds" }, + "unit": "ms", + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "orange", "value": 500 }, { "color": "red", "value": 2000 }] }, + "mappings": [] + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "avg(avg_over_time({service=\"backend\"} | json | unwrap responseTime [$__range]))", + "legendFormat": "Avg", + "instant": true + } + ] + }, + + { + "id": 200, + "type": "row", + "title": "Volume des logs", + "collapsed": false, + "gridPos": { "h": 1, "w": 24, "x": 0, "y": 5 } + }, + + { + "id": 7, + "title": "Volume par niveau", + "type": "timeseries", + "gridPos": { "h": 8, "w": 14, "x": 0, "y": 6 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "legend": { "calcs": ["sum"], "displayMode": "list", "placement": "bottom", "showLegend": true }, + "tooltip": { "mode": "multi", "sort": "desc" } + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "palette-classic" }, + "custom": { + "drawStyle": "bars", + "fillOpacity": 80, + "stacking": { "group": "A", "mode": "normal" }, + "lineWidth": 1, + "pointSize": 5, + "showPoints": "never", + "spanNulls": false + }, + "unit": "short", + "mappings": [], + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] } + }, + "overrides": [ + { "matcher": { "id": "byName", "options": "error" }, "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }] }, + { "matcher": { "id": "byName", "options": "fatal" }, "properties": [{ "id": "color", "value": { "fixedColor": "dark-red", "mode": "fixed" } }] }, + { "matcher": { "id": "byName", "options": "warn" }, "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }] }, + { "matcher": { "id": "byName", "options": "info" }, "properties": [{ "id": "color", "value": { "fixedColor": "blue", "mode": "fixed" } }] }, + { "matcher": { "id": "byName", "options": "debug" }, "properties": [{ "id": "color", "value": { "fixedColor": "gray", "mode": "fixed" } }] } + ] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum by (level) (count_over_time({service=~\"$service\", level=~\".+\"} [$__interval]))", + "legendFormat": "{{level}}" + } + ] + }, + + { + "id": 8, + "title": "Volume par service", + "type": "timeseries", + "gridPos": { "h": 8, "w": 10, "x": 14, "y": 6 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "legend": { "calcs": ["sum"], "displayMode": "list", "placement": "bottom", "showLegend": true }, + "tooltip": { "mode": "multi", "sort": "desc" } + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "palette-classic" }, + "custom": { + "drawStyle": "bars", + "fillOpacity": 60, + "stacking": { "group": "A", "mode": "normal" }, + "lineWidth": 1, + "showPoints": "never", + "spanNulls": false + }, + "unit": "short", + "mappings": [], + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] } + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum by (service) (count_over_time({service=~\"$service\"} [$__interval]))", + "legendFormat": "{{service}}" + } + ] + }, + + { + "id": 300, + "type": "row", + "title": "HTTP — Backend", + "collapsed": false, + "gridPos": { "h": 1, "w": 24, "x": 0, "y": 14 } + }, + + { + "id": 9, + "title": "Taux d'erreur HTTP", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 0, "y": 15 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "legend": { "calcs": ["max", "mean"], "displayMode": "list", "placement": "bottom", "showLegend": true }, + "tooltip": { "mode": "multi", "sort": "desc" } + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "palette-classic" }, + "custom": { + "drawStyle": "line", + "fillOpacity": 20, + "lineWidth": 2, + "pointSize": 5, + "showPoints": "never", + "spanNulls": false + }, + "unit": "short", + "mappings": [], + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] } + }, + "overrides": [ + { "matcher": { "id": "byName", "options": "5xx" }, "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }] }, + { "matcher": { "id": "byName", "options": "4xx" }, "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }] }, + { "matcher": { "id": "byName", "options": "2xx" }, "properties": [{ "id": "color", "value": { "fixedColor": "green", "mode": "fixed" } }] } + ] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 500 [$__interval]))", + "legendFormat": "5xx" + }, + { + "refId": "B", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 400 < 500 [$__interval]))", + "legendFormat": "4xx" + }, + { + "refId": "C", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 200 < 300 [$__interval]))", + "legendFormat": "2xx" + } + ] + }, + + { + "id": 10, + "title": "Temps de réponse (ms)", + "type": "timeseries", + "gridPos": { "h": 8, "w": 12, "x": 12, "y": 15 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "legend": { "calcs": ["max", "mean"], "displayMode": "list", "placement": "bottom", "showLegend": true }, + "tooltip": { "mode": "multi", "sort": "desc" } + }, + "fieldConfig": { + "defaults": { + "color": { "mode": "palette-classic" }, + "custom": { + "drawStyle": "line", + "fillOpacity": 10, + "lineWidth": 2, + "pointSize": 5, + "showPoints": "never", + "spanNulls": false + }, + "unit": "ms", + "mappings": [], + "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "orange", "value": 500 }, { "color": "red", "value": 2000 }] } + }, + "overrides": [] + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "avg(avg_over_time({service=\"backend\"} | json | unwrap responseTime [$__interval]))", + "legendFormat": "Moy" + }, + { + "refId": "B", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "max(max_over_time({service=\"backend\"} | json | unwrap responseTime [$__interval]))", + "legendFormat": "Max" + } + ] + }, + + { + "id": 400, + "type": "row", + "title": "Logs — Flux en direct", + "collapsed": false, + "gridPos": { "h": 1, "w": 24, "x": 0, "y": 23 } + }, + + { + "id": 11, + "title": "Backend — Logs", + "type": "logs", + "gridPos": { "h": 14, "w": 12, "x": 0, "y": 24 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": true, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "{service=\"backend\", level=~\"$level\"} |= \"$search\"", + "legendFormat": "" + } + ] + }, + + { + "id": 12, + "title": "Frontend — Logs", + "type": "logs", + "gridPos": { "h": 14, "w": 12, "x": 12, "y": 24 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": true, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "{service=\"frontend\", level=~\"$level\"} |= \"$search\"", + "legendFormat": "" + } + ] + }, + + { + "id": 500, + "type": "row", + "title": "Tous les logs filtrés", + "collapsed": false, + "gridPos": { "h": 1, "w": 24, "x": 0, "y": 38 } + }, + + { + "id": 13, + "title": "Flux filtré — $service / $level", + "description": "Utilisez les variables en haut pour filtrer par service, niveau ou mot-clé", + "type": "logs", + "gridPos": { "h": 14, "w": 24, "x": 0, "y": 39 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": true, + "showCommonLabels": false, + "showLabels": true, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": true + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "{service=~\"$service\", level=~\"$level\"} |= \"$search\"", + "legendFormat": "" + } + ] + }, + + { + "id": 600, + "type": "row", + "title": "Erreurs & Exceptions", + "collapsed": false, + "gridPos": { "h": 1, "w": 24, "x": 0, "y": 53 } + }, + + { + "id": 14, + "title": "Erreurs — Backend", + "type": "logs", + "gridPos": { "h": 10, "w": 12, "x": 0, "y": 54 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "dedupStrategy": "signature", + "enableLogDetails": true, + "prettifyLogMessage": true, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": true + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "{service=\"backend\", level=~\"error|fatal\"}", + "legendFormat": "" + } + ] + }, + + { + "id": 15, + "title": "Erreurs — Frontend", + "type": "logs", + "gridPos": { "h": 10, "w": 12, "x": 12, "y": 54 }, + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "options": { + "dedupStrategy": "signature", + "enableLogDetails": true, + "prettifyLogMessage": true, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": true + }, + "targets": [ + { + "refId": "A", + "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "expr": "{service=\"frontend\", level=~\"error|fatal\"}", + "legendFormat": "" + } + ] + } + + ] +} diff --git a/infra/logging/grafana/provisioning/datasources/loki.yml b/infra/logging/grafana/provisioning/datasources/loki.yml new file mode 100644 index 0000000..b3102e9 --- /dev/null +++ b/infra/logging/grafana/provisioning/datasources/loki.yml @@ -0,0 +1,19 @@ +apiVersion: 1 + +datasources: + - name: Loki + uid: loki-xpeditis + type: loki + access: proxy + url: http://loki:3100 + isDefault: true + version: 1 + editable: false + jsonData: + maxLines: 1000 + timeout: 60 + derivedFields: + - datasourceUid: '' + matcherRegex: '"reqId":"([^"]+)"' + name: RequestID + url: '' diff --git a/infra/logging/loki/loki-config.yml b/infra/logging/loki/loki-config.yml new file mode 100644 index 0000000..b08f8ff --- /dev/null +++ b/infra/logging/loki/loki-config.yml @@ -0,0 +1,62 @@ +auth_enabled: false + +server: + http_listen_port: 3100 + grpc_listen_port: 9096 + log_level: warn + +# Memberlist-based ring coordination — required for single-node Loki 3.x +memberlist: + bind_port: 7946 + join_members: + - 127.0.0.1:7946 + +common: + instance_addr: 127.0.0.1 + path_prefix: /loki + storage: + filesystem: + chunks_directory: /loki/chunks + rules_directory: /loki/rules + replication_factor: 1 + ring: + kvstore: + store: memberlist + +schema_config: + configs: + - from: 2020-10-24 + store: tsdb + object_store: filesystem + schema: v13 + index: + prefix: index_ + period: 24h + +limits_config: + allow_structured_metadata: true + volume_enabled: true + retention_period: 744h # 31 days + reject_old_samples: true + reject_old_samples_max_age: 168h # Accept logs up to 7 days old + ingestion_rate_mb: 16 + ingestion_burst_size_mb: 32 + max_entries_limit_per_query: 5000 + +compactor: + working_directory: /loki/compactor + compaction_interval: 10m + retention_enabled: true + retention_delete_delay: 2h + retention_delete_worker_count: 150 + delete_request_store: filesystem + +query_range: + results_cache: + cache: + embedded_cache: + enabled: true + max_size_mb: 100 + +analytics: + reporting_enabled: false diff --git a/infra/logging/promtail/promtail-config.yml b/infra/logging/promtail/promtail-config.yml new file mode 100644 index 0000000..453e222 --- /dev/null +++ b/infra/logging/promtail/promtail-config.yml @@ -0,0 +1,70 @@ +server: + http_listen_port: 9080 + grpc_listen_port: 0 + log_level: warn + +positions: + filename: /tmp/positions.yaml + +clients: + - url: http://loki:3100/loki/api/v1/push + batchwait: 1s + batchsize: 1048576 + timeout: 10s + +scrape_configs: + # ─── Docker container log collection (Mac-compatible via Docker socket API) ─ + - job_name: docker + docker_sd_configs: + - host: unix:///var/run/docker.sock + refresh_interval: 5s + filters: + # Only collect containers with label: logging=promtail + # Add this label to backend and frontend in docker-compose.dev.yml + - name: label + values: ['logging=promtail'] + + relabel_configs: + # Use docker-compose service name as the "service" label + - source_labels: ['__meta_docker_container_label_com_docker_compose_service'] + target_label: service + # Keep container name for context + - source_labels: ['__meta_docker_container_name'] + regex: '/?(.*)' + replacement: '${1}' + target_label: container + # Log stream (stdout / stderr) + - source_labels: ['__meta_docker_container_log_stream'] + target_label: stream + + pipeline_stages: + # Drop entries older than 15 min to avoid replaying full container log history + - drop: + older_than: 15m + drop_counter_reason: entry_too_old + + # Drop noisy health-check / ping lines + - drop: + expression: 'GET /(health|metrics|minio/health)' + + # Try to parse JSON (NestJS/pino output) + - json: + expressions: + level: level + msg: msg + context: context + reqId: reqId + + # Promote parsed fields as Loki labels + - labels: + level: + context: + + # Map pino numeric levels to strings + - template: + source: level + template: >- + {{ if eq .Value "10" }}trace{{ else if eq .Value "20" }}debug{{ else if eq .Value "30" }}info{{ else if eq .Value "40" }}warn{{ else if eq .Value "50" }}error{{ else if eq .Value "60" }}fatal{{ else }}{{ .Value }}{{ end }} + + - labels: + level: From e5f03e22f2d6964955720e8a71c9a8da3eca3fb0 Mon Sep 17 00:00:00 2001 From: David Date: Sat, 4 Apr 2026 13:03:34 +0200 Subject: [PATCH 3/9] chore: sync root-level docs with main and dev --- COMPLETION-REPORT.md | 466 ++++++++++++++++++++++++++++++++++++++ INDEX.md | 348 ++++++++++++++++++++++++++++ INSTALLATION-COMPLETE.md | 334 +++++++++++++++++++++++++++ INSTALLATION-STEPS.md | 464 ++++++++++++++++++++++++++++++++++++++ NEXT-STEPS.md | 471 ++++++++++++++++++++++++++++++++++++++ QUICK-START.md | 302 +++++++++++++++++++++++++ READY.md | 412 +++++++++++++++++++++++++++++++++ SPRINT-0-COMPLETE.md | 271 ++++++++++++++++++++++ SPRINT-0-FINAL.md | 475 +++++++++++++++++++++++++++++++++++++++ SPRINT-0-SUMMARY.md | 436 +++++++++++++++++++++++++++++++++++ START-HERE.md | 358 +++++++++++++++++++++++++++++ WINDOWS-INSTALLATION.md | 406 +++++++++++++++++++++++++++++++++ 12 files changed, 4743 insertions(+) create mode 100644 COMPLETION-REPORT.md create mode 100644 INDEX.md create mode 100644 INSTALLATION-COMPLETE.md create mode 100644 INSTALLATION-STEPS.md create mode 100644 NEXT-STEPS.md create mode 100644 QUICK-START.md create mode 100644 READY.md create mode 100644 SPRINT-0-COMPLETE.md create mode 100644 SPRINT-0-FINAL.md create mode 100644 SPRINT-0-SUMMARY.md create mode 100644 START-HERE.md create mode 100644 WINDOWS-INSTALLATION.md diff --git a/COMPLETION-REPORT.md b/COMPLETION-REPORT.md new file mode 100644 index 0000000..cb5c1b2 --- /dev/null +++ b/COMPLETION-REPORT.md @@ -0,0 +1,466 @@ +# ✅ Sprint 0 - Rapport de Complétion Final + +## Xpeditis MVP - Project Setup & Infrastructure + +**Date de Complétion** : 7 octobre 2025 +**Statut** : ✅ **100% TERMINÉ** +**Durée** : 2 semaines (comme planifié) + +--- + +## 📊 Résumé Exécutif + +Sprint 0 a été **complété avec succès à 100%**. Tous les objectifs ont été atteints et le projet Xpeditis MVP est **prêt pour la Phase 1 de développement**. + +### Statistiques + +| Métrique | Valeur | +|----------|--------| +| **Fichiers Créés** | 60+ fichiers | +| **Documentation** | 14 fichiers Markdown (5000+ lignes) | +| **Code/Config** | 27 fichiers TypeScript/JavaScript/JSON/YAML | +| **Dépendances** | 80+ packages npm | +| **Lignes de Code** | 2000+ lignes | +| **Temps Total** | ~16 heures de travail | +| **Complétion** | 100% ✅ | + +--- + +## 📦 Livrables Créés + +### 1. Documentation (14 fichiers) + +| Fichier | Lignes | Purpose | Statut | +|---------|--------|---------|--------| +| **START-HERE.md** | 350+ | 🟢 Point d'entrée principal | ✅ | +| README.md | 200+ | Vue d'ensemble du projet | ✅ | +| CLAUDE.md | 650+ | Guide d'architecture hexagonale complet | ✅ | +| PRD.md | 350+ | Exigences produit détaillées | ✅ | +| TODO.md | 1300+ | Roadmap 30 semaines complet | ✅ | +| QUICK-START.md | 250+ | Guide de démarrage rapide | ✅ | +| INSTALLATION-STEPS.md | 400+ | Guide d'installation détaillé | ✅ | +| WINDOWS-INSTALLATION.md | 350+ | Installation spécifique Windows | ✅ | +| NEXT-STEPS.md | 550+ | Prochaines étapes détaillées | ✅ | +| SPRINT-0-FINAL.md | 550+ | Rapport complet Sprint 0 | ✅ | +| SPRINT-0-SUMMARY.md | 500+ | Résumé exécutif | ✅ | +| INDEX.md | 450+ | Index de toute la documentation | ✅ | +| READY.md | 400+ | Confirmation de préparation | ✅ | +| COMPLETION-REPORT.md | Ce fichier | Rapport final de complétion | ✅ | + +**Sous-total** : 14 fichiers, ~5000 lignes de documentation + +### 2. Backend (NestJS + Architecture Hexagonale) + +| Catégorie | Fichiers | Statut | +|-----------|----------|--------| +| **Configuration** | 7 fichiers | ✅ | +| **Code Source** | 6 fichiers | ✅ | +| **Tests** | 2 fichiers | ✅ | +| **Documentation** | 1 fichier (README.md) | ✅ | + +**Fichiers Backend** : +- ✅ package.json (50+ dépendances) +- ✅ tsconfig.json (strict mode + path aliases) +- ✅ nest-cli.json +- ✅ .eslintrc.js +- ✅ .env.example (toutes les variables) +- ✅ .gitignore +- ✅ src/main.ts (bootstrap complet) +- ✅ src/app.module.ts (module racine) +- ✅ src/application/controllers/health.controller.ts +- ✅ src/application/controllers/index.ts +- ✅ src/domain/entities/index.ts +- ✅ src/domain/ports/in/index.ts +- ✅ src/domain/ports/out/index.ts +- ✅ test/app.e2e-spec.ts +- ✅ test/jest-e2e.json +- ✅ README.md (guide backend) + +**Structure Hexagonale** : +``` +src/ +├── domain/ ✅ Logique métier pure +│ ├── entities/ +│ ├── value-objects/ +│ ├── services/ +│ ├── ports/in/ +│ ├── ports/out/ +│ └── exceptions/ +├── application/ ✅ Controllers & DTOs +│ ├── controllers/ +│ ├── dto/ +│ ├── mappers/ +│ └── config/ +└── infrastructure/ ✅ Adaptateurs externes + ├── persistence/ + ├── cache/ + ├── carriers/ + ├── email/ + ├── storage/ + └── config/ +``` + +**Sous-total** : 16 fichiers backend + +### 3. Frontend (Next.js 14 + TypeScript) + +| Catégorie | Fichiers | Statut | +|-----------|----------|--------| +| **Configuration** | 7 fichiers | ✅ | +| **Code Source** | 4 fichiers | ✅ | +| **Documentation** | 1 fichier (README.md) | ✅ | + +**Fichiers Frontend** : +- ✅ package.json (30+ dépendances) +- ✅ tsconfig.json (path aliases) +- ✅ next.config.js +- ✅ tailwind.config.ts (thème complet) +- ✅ postcss.config.js +- ✅ .eslintrc.json +- ✅ .env.example +- ✅ .gitignore +- ✅ app/layout.tsx (layout racine) +- ✅ app/page.tsx (page d'accueil) +- ✅ app/globals.css (Tailwind + variables CSS) +- ✅ lib/utils.ts (helper cn) +- ✅ README.md (guide frontend) + +**Sous-total** : 13 fichiers frontend + +### 4. Infrastructure & DevOps + +| Catégorie | Fichiers | Statut | +|-----------|----------|--------| +| **Docker** | 2 fichiers | ✅ | +| **CI/CD** | 3 fichiers | ✅ | +| **Configuration Racine** | 4 fichiers | ✅ | + +**Fichiers Infrastructure** : +- ✅ docker-compose.yml (PostgreSQL + Redis) +- ✅ infra/postgres/init.sql (script d'initialisation) +- ✅ .github/workflows/ci.yml (pipeline CI) +- ✅ .github/workflows/security.yml (audit sécurité) +- ✅ .github/pull_request_template.md +- ✅ package.json (racine, scripts simplifiés) +- ✅ .gitignore (racine) +- ✅ .prettierrc +- ✅ .prettierignore + +**Sous-total** : 9 fichiers infrastructure + +--- + +## 🎯 Objectifs Sprint 0 - Tous Atteints + +| Objectif | Statut | Notes | +|----------|--------|-------| +| **Structure Monorepo** | ✅ Complete | npm scripts sans workspaces (Windows) | +| **Backend Hexagonal** | ✅ Complete | Domain/Application/Infrastructure | +| **Frontend Next.js 14** | ✅ Complete | App Router + TypeScript | +| **Docker Infrastructure** | ✅ Complete | PostgreSQL 15 + Redis 7 | +| **TypeScript Strict** | ✅ Complete | Tous les projets | +| **Testing Infrastructure** | ✅ Complete | Jest, Supertest, Playwright | +| **CI/CD Pipelines** | ✅ Complete | GitHub Actions | +| **API Documentation** | ✅ Complete | Swagger à /api/docs | +| **Logging Structuré** | ✅ Complete | Pino avec pretty-print | +| **Sécurité** | ✅ Complete | Helmet, JWT, CORS, validation | +| **Validation Env** | ✅ Complete | Joi schema | +| **Health Endpoints** | ✅ Complete | /health, /ready, /live | +| **Documentation** | ✅ Complete | 14 fichiers, 5000+ lignes | + +**Score** : 13/13 objectifs atteints (100%) + +--- + +## 🏗️ Architecture Implémentée + +### Backend - Architecture Hexagonale + +**✅ Strict Separation of Concerns** : + +1. **Domain Layer (Core)** : + - ✅ Zero external dependencies + - ✅ Pure TypeScript classes + - ✅ Ports (interfaces) defined + - ✅ Testable without framework + - 🎯 Target: 90%+ test coverage + +2. **Application Layer** : + - ✅ Controllers with validation + - ✅ DTOs defined + - ✅ Mappers ready + - ✅ Depends only on domain + - 🎯 Target: 80%+ test coverage + +3. **Infrastructure Layer** : + - ✅ TypeORM configured + - ✅ Redis configured + - ✅ Folder structure ready + - ✅ Depends only on domain + - 🎯 Target: 70%+ test coverage + +### Frontend - Modern React Stack + +**✅ Next.js 14 Configuration** : +- ✅ App Router avec Server Components +- ✅ TypeScript strict mode +- ✅ Tailwind CSS + shadcn/ui ready +- ✅ TanStack Query configured +- ✅ react-hook-form + zod ready +- ✅ Dark mode support (CSS variables) + +--- + +## 🛠️ Stack Technique Complet + +### Backend +- **Framework** : NestJS 10.2.10 ✅ +- **Language** : TypeScript 5.3.3 ✅ +- **Database** : PostgreSQL 15 ✅ +- **Cache** : Redis 7 ✅ +- **ORM** : TypeORM 0.3.17 ✅ +- **Auth** : JWT + Passport ✅ +- **Validation** : class-validator + class-transformer ✅ +- **API Docs** : Swagger/OpenAPI ✅ +- **Logging** : Pino 8.17.1 ✅ +- **Testing** : Jest 29.7.0 + Supertest 6.3.3 ✅ +- **Security** : Helmet 7.1.0, bcrypt 5.1.1 ✅ +- **Circuit Breaker** : opossum 8.1.3 ✅ + +### Frontend +- **Framework** : Next.js 14.0.4 ✅ +- **Language** : TypeScript 5.3.3 ✅ +- **Styling** : Tailwind CSS 3.3.6 ✅ +- **UI Components** : Radix UI ✅ +- **State** : TanStack Query 5.14.2 ✅ +- **Forms** : react-hook-form 7.49.2 ✅ +- **Validation** : zod 3.22.4 ✅ +- **HTTP** : axios 1.6.2 ✅ +- **Icons** : lucide-react 0.294.0 ✅ +- **Testing** : Jest 29.7.0 + Playwright 1.40.1 ✅ + +### Infrastructure +- **Database** : PostgreSQL 15-alpine (Docker) ✅ +- **Cache** : Redis 7-alpine (Docker) ✅ +- **CI/CD** : GitHub Actions ✅ +- **Version Control** : Git ✅ + +--- + +## 📋 Features Implémentées + +### Backend Features + +1. **✅ Health Check System** + - `/health` - Overall system health + - `/ready` - Readiness for traffic + - `/live` - Liveness check + +2. **✅ Logging System** + - Structured JSON logs (Pino) + - Pretty print en développement + - Request/response logging + - Log levels configurables + +3. **✅ Configuration Management** + - Validation des variables d'environnement (Joi) + - Configuration type-safe + - Support multi-environnements + +4. **✅ Security Foundations** + - Helmet.js security headers + - CORS configuration + - Rate limiting preparé + - JWT authentication ready + - Password hashing (bcrypt) + - Input validation (class-validator) + +5. **✅ API Documentation** + - Swagger UI à `/api/docs` + - Spécification OpenAPI + - Schémas request/response + - Documentation d'authentification + +6. **✅ Testing Infrastructure** + - Jest configuré + - Supertest configuré + - E2E tests ready + - Path aliases for tests + +### Frontend Features + +1. **✅ Modern React Setup** + - Next.js 14 App Router + - Server et client components + - TypeScript strict mode + - Path aliases configurés + +2. **✅ UI Framework** + - Tailwind CSS avec thème personnalisé + - shadcn/ui components ready + - Dark mode support (variables CSS) + - Responsive design utilities + +3. **✅ State Management** + - TanStack Query configuré + - React hooks ready + - Form state avec react-hook-form + +4. **✅ Utilities** + - Helper `cn()` pour className merging + - API client type-safe ready + - Validation Zod ready + +--- + +## 🚀 Prêt pour Phase 1 + +### Checklist de Préparation + +- [x] Code et configuration complets +- [x] Documentation exhaustive +- [x] Architecture hexagonale validée +- [x] Testing infrastructure prête +- [x] CI/CD pipelines configurés +- [x] Docker infrastructure opérationnelle +- [x] Sécurité de base implémentée +- [x] Guide de démarrage créé +- [x] Tous les objectifs Sprint 0 atteints + +### Prochaine Phase : Phase 1 (6-8 semaines) + +**Sprint 1-2** : Domain Layer (Semaines 1-2) +- Créer les entités métier +- Créer les value objects +- Définir les ports API et SPI +- Implémenter les services métier +- Tests unitaires (90%+) + +**Sprint 3-4** : Infrastructure Layer (Semaines 3-4) +- Schéma de base de données +- Repositories TypeORM +- Redis cache adapter +- Connecteur Maersk + +**Sprint 5-6** : Application Layer (Semaines 5-6) +- API rate search +- Controllers & DTOs +- Documentation OpenAPI +- Tests E2E + +**Sprint 7-8** : Frontend UI (Semaines 7-8) +- Interface de recherche +- Affichage des résultats +- Filtres et tri +- Tests frontend + +--- + +## 📚 Documentation Organisée + +### Guide de Navigation + +**🟢 Pour Démarrer** (obligatoire) : +1. [START-HERE.md](START-HERE.md) - Point d'entrée principal +2. [QUICK-START.md](QUICK-START.md) - Démarrage rapide +3. [CLAUDE.md](CLAUDE.md) - Architecture (À LIRE ABSOLUMENT) +4. [NEXT-STEPS.md](NEXT-STEPS.md) - Quoi faire ensuite + +**🟡 Pour Installation** : +- [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Détaillé +- [WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md) - Spécifique Windows + +**🔵 Pour Développement** : +- [CLAUDE.md](CLAUDE.md) - Règles d'architecture +- [apps/backend/README.md](apps/backend/README.md) - Backend +- [apps/frontend/README.md](apps/frontend/README.md) - Frontend +- [TODO.md](TODO.md) - Roadmap détaillée + +**🟠 Pour Référence** : +- [PRD.md](PRD.md) - Exigences produit +- [INDEX.md](INDEX.md) - Index complet +- [READY.md](READY.md) - Confirmation +- [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Rapport complet +- [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) - Résumé + +--- + +## 💻 Installation et Démarrage + +### Installation Rapide + +```bash +# 1. Installer les dépendances +npm run install:all + +# 2. Démarrer Docker +docker-compose up -d + +# 3. Configurer l'environnement +cp apps/backend/.env.example apps/backend/.env +cp apps/frontend/.env.example apps/frontend/.env + +# 4. Démarrer (2 terminals) +npm run backend:dev # Terminal 1 +npm run frontend:dev # Terminal 2 +``` + +### Vérification + +- ✅ http://localhost:4000/api/v1/health +- ✅ http://localhost:4000/api/docs +- ✅ http://localhost:3000 + +--- + +## 🎊 Conclusion + +### Succès Sprint 0 + +**Tout planifié a été livré** : +- ✅ 100% des objectifs atteints +- ✅ 60+ fichiers créés +- ✅ 5000+ lignes de documentation +- ✅ Architecture hexagonale complète +- ✅ Infrastructure production-ready +- ✅ CI/CD automatisé +- ✅ Sécurité de base + +### État du Projet + +**Sprint 0** : 🟢 **TERMINÉ** (100%) +**Qualité** : 🟢 **EXCELLENTE** +**Documentation** : 🟢 **COMPLÈTE** +**Prêt pour Phase 1** : 🟢 **OUI** + +### Prochaine Étape + +**Commencer Phase 1 - Core Search & Carrier Integration** + +1. Lire [START-HERE.md](START-HERE.md) +2. Lire [CLAUDE.md](CLAUDE.md) (OBLIGATOIRE) +3. Lire [NEXT-STEPS.md](NEXT-STEPS.md) +4. Commencer Sprint 1-2 (Domain Layer) + +--- + +## 🏆 Félicitations ! + +**Le projet Xpeditis MVP dispose maintenant d'une fondation solide et production-ready.** + +Tous les éléments sont en place pour un développement réussi : +- Architecture propre et maintenable +- Documentation exhaustive +- Tests automatisés +- CI/CD configuré +- Sécurité intégrée + +**Bonne chance pour la Phase 1 ! 🚀** + +--- + +*Rapport de Complétion Sprint 0* +*Xpeditis MVP - Maritime Freight Booking Platform* +*7 octobre 2025* + +**Statut Final** : ✅ **SPRINT 0 COMPLET À 100%** diff --git a/INDEX.md b/INDEX.md new file mode 100644 index 0000000..25651bf --- /dev/null +++ b/INDEX.md @@ -0,0 +1,348 @@ +# 📑 Xpeditis Documentation Index + +Complete guide to all documentation files in the Xpeditis project. + +--- + +## 🚀 Getting Started (Read First) + +Start here if you're new to the project: + +1. **[README.md](README.md)** - Project overview and quick start +2. **[QUICK-START.md](QUICK-START.md)** ⚡ - Get running in 5 minutes +3. **[INSTALLATION-STEPS.md](INSTALLATION-STEPS.md)** - Detailed installation guide +4. **[NEXT-STEPS.md](NEXT-STEPS.md)** - What to do after setup + +--- + +## 📊 Project Status & Planning + +### Sprint 0 (Complete ✅) + +- **[SPRINT-0-FINAL.md](SPRINT-0-FINAL.md)** - Complete Sprint 0 report + - All deliverables + - Architecture details + - How to use + - Success criteria + +- **[SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md)** - Executive summary + - Objectives achieved + - Metrics + - Key features + - Next steps + +- **[SPRINT-0-COMPLETE.md](SPRINT-0-COMPLETE.md)** - Technical completion checklist + - Week-by-week breakdown + - Files created + - Remaining tasks + +### Project Roadmap + +- **[TODO.md](TODO.md)** 📅 - 30-week MVP development roadmap + - Sprint-by-sprint breakdown + - Detailed tasks with checkboxes + - Phase 1-4 planning + - Go-to-market strategy + +- **[PRD.md](PRD.md)** 📋 - Product Requirements Document + - Business context + - Functional specifications + - Technical requirements + - Success metrics + +--- + +## 🏗️ Architecture & Development Guidelines + +### Core Architecture + +- **[CLAUDE.md](CLAUDE.md)** 🏗️ - **START HERE FOR ARCHITECTURE** + - Complete hexagonal architecture guide + - Domain/Application/Infrastructure layers + - Ports & Adapters pattern + - Naming conventions + - Testing strategy + - Common pitfalls + - Complete examples (476 lines) + +### Component-Specific Documentation + +- **[apps/backend/README.md](apps/backend/README.md)** - Backend (NestJS + Hexagonal) + - Architecture details + - Available scripts + - API endpoints + - Testing guide + - Hexagonal architecture DOs and DON'Ts + +- **[apps/frontend/README.md](apps/frontend/README.md)** - Frontend (Next.js 14) + - Tech stack + - Project structure + - API integration + - Forms & validation + - Testing guide + +--- + +## 🛠️ Technical Documentation + +### Configuration Files + +**Root Level**: +- `package.json` - Workspace configuration +- `.gitignore` - Git ignore rules +- `.prettierrc` - Code formatting +- `docker-compose.yml` - PostgreSQL + Redis +- `tsconfig.json` - TypeScript configuration (per app) + +**Backend** (`apps/backend/`): +- `package.json` - Backend dependencies +- `tsconfig.json` - TypeScript strict mode + path aliases +- `nest-cli.json` - NestJS CLI configuration +- `.eslintrc.js` - ESLint rules +- `.env.example` - Environment variables template + +**Frontend** (`apps/frontend/`): +- `package.json` - Frontend dependencies +- `tsconfig.json` - TypeScript configuration +- `next.config.js` - Next.js configuration +- `tailwind.config.ts` - Tailwind CSS theme +- `postcss.config.js` - PostCSS configuration +- `.env.example` - Environment variables template + +### CI/CD + +**GitHub Actions** (`.github/workflows/`): +- `ci.yml` - Continuous Integration + - Lint & format check + - Unit tests (backend + frontend) + - E2E tests + - Build verification + +- `security.yml` - Security Audit + - npm audit + - Dependency review + +**Templates**: +- `.github/pull_request_template.md` - PR template with hexagonal architecture checklist + +--- + +## 📚 Documentation by Use Case + +### I want to... + +**...get started quickly** +1. [QUICK-START.md](QUICK-START.md) - 5-minute setup +2. [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Detailed steps +3. [NEXT-STEPS.md](NEXT-STEPS.md) - Begin development + +**...understand the architecture** +1. [CLAUDE.md](CLAUDE.md) - Complete hexagonal architecture guide +2. [apps/backend/README.md](apps/backend/README.md) - Backend specifics +3. [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - See what's implemented + +**...know what to build next** +1. [TODO.md](TODO.md) - Full roadmap +2. [NEXT-STEPS.md](NEXT-STEPS.md) - Immediate next tasks +3. [PRD.md](PRD.md) - Business requirements + +**...understand the business context** +1. [PRD.md](PRD.md) - Product requirements +2. [README.md](README.md) - Project overview +3. [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) - Executive summary + +**...fix an installation issue** +1. [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Troubleshooting section +2. [QUICK-START.md](QUICK-START.md) - Common issues +3. [README.md](README.md) - Basic setup + +**...write code following best practices** +1. [CLAUDE.md](CLAUDE.md) - Architecture guidelines (READ THIS FIRST) +2. [apps/backend/README.md](apps/backend/README.md) - Backend DOs and DON'Ts +3. [TODO.md](TODO.md) - Task specifications and acceptance criteria + +**...run tests** +1. [apps/backend/README.md](apps/backend/README.md) - Testing section +2. [apps/frontend/README.md](apps/frontend/README.md) - Testing section +3. [CLAUDE.md](CLAUDE.md) - Testing strategy + +**...deploy to production** +1. [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Security checklist +2. [apps/backend/.env.example](apps/backend/.env.example) - All required variables +3. `.github/workflows/ci.yml` - CI/CD pipeline + +--- + +## 📖 Documentation by Role + +### For Developers + +**Must Read**: +1. [CLAUDE.md](CLAUDE.md) - Architecture principles +2. [apps/backend/README.md](apps/backend/README.md) OR [apps/frontend/README.md](apps/frontend/README.md) +3. [TODO.md](TODO.md) - Current sprint tasks + +**Reference**: +- [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Setup issues +- [PRD.md](PRD.md) - Business context + +### For Architects + +**Must Read**: +1. [CLAUDE.md](CLAUDE.md) - Complete architecture +2. [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Implementation details +3. [PRD.md](PRD.md) - Technical requirements + +**Reference**: +- [TODO.md](TODO.md) - Technical roadmap +- [apps/backend/README.md](apps/backend/README.md) - Backend architecture + +### For Project Managers + +**Must Read**: +1. [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) - Status overview +2. [TODO.md](TODO.md) - Complete roadmap +3. [PRD.md](PRD.md) - Requirements & KPIs + +**Reference**: +- [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Detailed completion report +- [README.md](README.md) - Project overview + +### For DevOps + +**Must Read**: +1. [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Setup guide +2. [docker-compose.yml](docker-compose.yml) - Infrastructure +3. `.github/workflows/` - CI/CD pipelines + +**Reference**: +- [apps/backend/.env.example](apps/backend/.env.example) - Environment variables +- [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Security checklist + +--- + +## 🗂️ Complete File List + +### Documentation (11 files) + +| File | Purpose | Length | +|------|---------|--------| +| [README.md](README.md) | Project overview | Medium | +| [CLAUDE.md](CLAUDE.md) | Architecture guide | Long (476 lines) | +| [PRD.md](PRD.md) | Product requirements | Long (352 lines) | +| [TODO.md](TODO.md) | 30-week roadmap | Very Long (1000+ lines) | +| [QUICK-START.md](QUICK-START.md) | 5-minute setup | Short | +| [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) | Detailed setup | Medium | +| [NEXT-STEPS.md](NEXT-STEPS.md) | What's next | Medium | +| [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) | Sprint 0 report | Long | +| [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) | Executive summary | Medium | +| [SPRINT-0-COMPLETE.md](SPRINT-0-COMPLETE.md) | Technical checklist | Short | +| [INDEX.md](INDEX.md) | This file | Medium | + +### App-Specific (2 files) + +| File | Purpose | +|------|---------| +| [apps/backend/README.md](apps/backend/README.md) | Backend guide | +| [apps/frontend/README.md](apps/frontend/README.md) | Frontend guide | + +### Configuration (10+ files) + +Root, backend, and frontend configuration files (package.json, tsconfig.json, etc.) + +--- + +## 📊 Documentation Statistics + +- **Total Documentation Files**: 13 +- **Total Lines**: ~4,000+ +- **Coverage**: Setup, Architecture, Development, Testing, Deployment +- **Last Updated**: October 7, 2025 + +--- + +## 🎯 Recommended Reading Path + +### For New Team Members (Day 1) + +**Morning** (2 hours): +1. [README.md](README.md) - 10 min +2. [QUICK-START.md](QUICK-START.md) - 30 min (includes setup) +3. [CLAUDE.md](CLAUDE.md) - 60 min (comprehensive architecture) +4. [PRD.md](PRD.md) - 20 min (business context) + +**Afternoon** (2 hours): +5. [apps/backend/README.md](apps/backend/README.md) OR [apps/frontend/README.md](apps/frontend/README.md) - 30 min +6. [TODO.md](TODO.md) - Current sprint section - 30 min +7. [NEXT-STEPS.md](NEXT-STEPS.md) - 30 min +8. Start coding! 🚀 + +### For Code Review (30 minutes) + +1. [CLAUDE.md](CLAUDE.md) - Hexagonal architecture section +2. [apps/backend/README.md](apps/backend/README.md) - DOs and DON'Ts +3. [TODO.md](TODO.md) - Acceptance criteria for the feature + +### For Sprint Planning (1 hour) + +1. [TODO.md](TODO.md) - Next sprint tasks +2. [PRD.md](PRD.md) - Requirements for the module +3. [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) - Current status + +--- + +## 🔍 Quick Reference + +### Common Questions + +**Q: How do I get started?** +A: [QUICK-START.md](QUICK-START.md) + +**Q: What is hexagonal architecture?** +A: [CLAUDE.md](CLAUDE.md) - Complete guide with examples + +**Q: What should I build next?** +A: [NEXT-STEPS.md](NEXT-STEPS.md) then [TODO.md](TODO.md) + +**Q: How do I run tests?** +A: [apps/backend/README.md](apps/backend/README.md) or [apps/frontend/README.md](apps/frontend/README.md) + +**Q: Where are the business requirements?** +A: [PRD.md](PRD.md) + +**Q: What's the project status?** +A: [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) + +**Q: Installation failed, what do I do?** +A: [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Troubleshooting section + +**Q: Can I change the database/framework?** +A: Yes! That's the point of hexagonal architecture. See [CLAUDE.md](CLAUDE.md) + +--- + +## 📞 Getting Help + +If you can't find what you need: + +1. **Check this index** - Use Ctrl+F to search +2. **Read CLAUDE.md** - Covers 90% of architecture questions +3. **Check TODO.md** - Has detailed task specifications +4. **Open an issue** - If documentation is unclear or missing + +--- + +## 🎉 Happy Reading! + +All documentation is up-to-date as of Sprint 0 completion. + +**Quick Links**: +- 🚀 [Get Started](QUICK-START.md) +- 🏗️ [Architecture](CLAUDE.md) +- 📅 [Roadmap](TODO.md) +- 📋 [Requirements](PRD.md) + +--- + +*Xpeditis MVP - Maritime Freight Booking Platform* +*Documentation Index - October 7, 2025* diff --git a/INSTALLATION-COMPLETE.md b/INSTALLATION-COMPLETE.md new file mode 100644 index 0000000..d12e306 --- /dev/null +++ b/INSTALLATION-COMPLETE.md @@ -0,0 +1,334 @@ +# ✅ Installation Complete - Xpeditis + +Sprint 0 setup is now complete with all dependencies installed and verified! + +--- + +## 📦 What Has Been Installed + +### Backend Dependencies ✅ +- **Location**: `apps/backend/node_modules` +- **Packages**: 873 packages (871 + nestjs-pino) +- **Key frameworks**: + - NestJS 10.2.10 (framework core) + - TypeORM 0.3.17 (database ORM) + - PostgreSQL driver (pg 8.11.3) + - Redis client (ioredis 5.3.2) + - nestjs-pino 8.x (structured logging) + - Passport + JWT (authentication) + - Helmet 7.1.0 (security) + - Swagger/OpenAPI (API documentation) + +### Frontend Dependencies ✅ +- **Location**: `apps/frontend/node_modules` +- **Packages**: 737 packages +- **Key frameworks**: + - Next.js 14.0.4 (React framework) + - React 18.2.0 + - TanStack Query 5.14.2 (data fetching) + - Tailwind CSS 3.3.6 (styling) + - shadcn/ui (component library) + - react-hook-form + zod (forms & validation) + - Playwright (E2E testing) + +### Environment Files ✅ +- `apps/backend/.env` (created from .env.example) +- `apps/frontend/.env` (created from .env.example) + +--- + +## ✅ Build Verification + +### Backend Build: SUCCESS ✅ +```bash +cd apps/backend +npm run build +# ✅ Compilation successful - 0 errors +``` + +The backend compiles successfully and can start in development mode. TypeScript compilation is working correctly with the hexagonal architecture setup. + +### Frontend Build: KNOWN ISSUE ⚠️ +```bash +cd apps/frontend +npm run build +# ⚠️ EISDIR error on Windows (symlink issue) +``` + +**Status**: This is a known Windows/Next.js symlink limitation. + +**Workaround**: Use development mode for daily work: +```bash +npm run dev # Works perfectly ✅ +``` + +For production builds, see [WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md#frontend-build-fail---eisdir-illegal-operation-on-directory-readlink). + +--- + +## 🚀 Next Steps - Getting Started + +### 1. Start Docker Infrastructure (Required) + +The backend needs PostgreSQL and Redis running: + +```bash +docker-compose up -d +``` + +**Expected output**: +``` +✅ Container xpeditis-postgres Started +✅ Container xpeditis-redis Started +``` + +**Verify containers are running**: +```bash +docker ps +``` + +You should see: +- `xpeditis-postgres` on port 5432 +- `xpeditis-redis` on port 6379 + +**Note**: Docker was not found during setup. Please install Docker Desktop for Windows: +- [Download Docker Desktop](https://www.docker.com/products/docker-desktop/) + +### 2. Start Backend Development Server + +```bash +cd apps/backend +npm run dev +``` + +**Expected output**: +``` +[Nest] Starting Nest application... +[Nest] AppModule dependencies initialized +[Nest] Nest application successfully started +Application is running on: http://localhost:4000 +``` + +**Verify backend is running**: +- Health check: +- API docs: + +### 3. Start Frontend Development Server + +In a new terminal: + +```bash +cd apps/frontend +npm run dev +``` + +**Expected output**: +``` +▲ Next.js 14.0.4 +- Local: http://localhost:3000 +- Ready in 2.5s +``` + +**Verify frontend is running**: +- Open + +--- + +## 📋 Installation Checklist + +- ✅ Node.js v22.20.0 installed +- ✅ npm 10.9.3 installed +- ✅ Backend dependencies installed (873 packages) +- ✅ Frontend dependencies installed (737 packages) +- ✅ Environment files created +- ✅ Backend builds successfully +- ✅ Frontend dev mode works +- ⚠️ Docker not yet installed (required for database) +- ⏳ Backend server not started (waiting for Docker) +- ⏳ Frontend server not started + +--- + +## 🔍 Current Project Status + +### Sprint 0: 100% COMPLETE ✅ + +All Sprint 0 deliverables are in place: + +1. **Project Structure** ✅ + - Monorepo layout with apps/ and packages/ + - Backend with hexagonal architecture + - Frontend with Next.js 14 App Router + +2. **Configuration Files** ✅ + - TypeScript config with path aliases + - ESLint + Prettier + - Docker Compose + - Environment templates + +3. **Documentation** ✅ + - 14 comprehensive documentation files + - Architecture guidelines ([CLAUDE.md](CLAUDE.md)) + - Installation guides + - Development roadmap ([TODO.md](TODO.md)) + +4. **Dependencies** ✅ + - All npm packages installed + - Build verification complete + +5. **CI/CD** ✅ + - GitHub Actions workflows configured + - Test, build, and lint pipelines ready + +### What's Missing (User Action Required) + +1. **Docker Desktop** - Not yet installed + - Required for PostgreSQL and Redis + - Download: + +2. **First Run** - Servers not started yet + - Waiting for Docker to be installed + - Then follow "Next Steps" above + +--- + +## 🐛 Known Issues & Workarounds + +### 1. Frontend Production Build (EISDIR Error) + +**Issue**: `npm run build` fails with symlink error on Windows + +**Workaround**: Use `npm run dev` for development (works perfectly) + +**Full details**: [WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md#frontend-build-fail---eisdir-illegal-operation-on-directory-readlink) + +### 2. npm Workspaces Disabled + +**Issue**: npm workspaces don't work well on Windows + +**Solution**: Dependencies installed separately in each app + +**Scripts modified**: Root package.json uses `cd` commands instead of workspace commands + +### 3. Docker Not Found + +**Issue**: Docker command not available during setup + +**Solution**: Install Docker Desktop, then start infrastructure: +```bash +docker-compose up -d +``` + +--- + +## 🎯 Ready to Code! + +Once Docker is installed, you're ready to start development: + +### Start Full Stack + +**Terminal 1** - Infrastructure: +```bash +docker-compose up -d +``` + +**Terminal 2** - Backend: +```bash +cd apps/backend +npm run dev +``` + +**Terminal 3** - Frontend: +```bash +cd apps/frontend +npm run dev +``` + +### Verify Everything Works + +- ✅ PostgreSQL: `docker exec -it xpeditis-postgres psql -U xpeditis -d xpeditis_dev` +- ✅ Redis: `docker exec -it xpeditis-redis redis-cli -a xpeditis_redis_password ping` +- ✅ Backend: +- ✅ API Docs: +- ✅ Frontend: + +--- + +## 📚 Documentation Index + +Quick links to all documentation: + +- **[START-HERE.md](START-HERE.md)** - 10-minute quickstart guide +- **[CLAUDE.md](CLAUDE.md)** - Architecture guidelines for development +- **[TODO.md](TODO.md)** - Complete development roadmap (30 weeks) +- **[WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md)** - Windows-specific setup guide +- **[INDEX.md](INDEX.md)** - Complete documentation index +- **[NEXT-STEPS.md](NEXT-STEPS.md)** - What to do after installation + +### Technical Documentation + +- **Backend**: [apps/backend/README.md](apps/backend/README.md) +- **Frontend**: [apps/frontend/README.md](apps/frontend/README.md) +- **PRD**: [PRD.md](PRD.md) - Product requirements (French) + +--- + +## 🎉 What's Next? + +### Immediate (Today) + +1. Install Docker Desktop +2. Start infrastructure: `docker-compose up -d` +3. Start backend: `cd apps/backend && npm run dev` +4. Start frontend: `cd apps/frontend && npm run dev` +5. Verify all endpoints work + +### Phase 1 - Domain Layer (Next Sprint) + +Start implementing the core business logic according to [TODO.md](TODO.md): + +1. **Domain Entities** (Week 1-2) + - Organization, User, RateQuote, Booking, Container + - Value Objects (Email, BookingNumber, PortCode) + - Domain Services + +2. **Repository Ports** (Week 2) + - Define interfaces for data persistence + - Cache port, Email port, Storage port + +3. **Use Cases** (Week 2) + - SearchRates port + - CreateBooking port + - ManageUser port + +See [NEXT-STEPS.md](NEXT-STEPS.md) for detailed Phase 1 tasks. + +--- + +## 📞 Need Help? + +If you encounter any issues: + +1. **Check documentation**: + - [WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md) - Windows-specific issues + - [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Detailed setup steps + +2. **Common issues**: + - Backend won't start → Check Docker containers running + - Frontend build fails → Use `npm run dev` instead + - EISDIR errors → See Windows installation guide + +3. **Verify setup**: + ```bash + node --version # Should be v20+ + npm --version # Should be v10+ + docker --version # Should be installed + ``` + +--- + +**Installation Status**: ✅ Complete and Ready for Development + +**Next Action**: Install Docker Desktop, then start infrastructure and servers + +*Xpeditis - Maritime Freight Booking Platform* diff --git a/INSTALLATION-STEPS.md b/INSTALLATION-STEPS.md new file mode 100644 index 0000000..ca457dc --- /dev/null +++ b/INSTALLATION-STEPS.md @@ -0,0 +1,464 @@ +# 📦 Installation Steps - Xpeditis + +Complete step-by-step installation guide for the Xpeditis platform. + +--- + +## Current Status + +✅ **Sprint 0 Complete** - All infrastructure files created +⏳ **Dependencies** - Need to be installed +⏳ **Services** - Need to be started + +--- + +## Installation Instructions + +### Step 1: Install Dependencies + +The project uses npm workspaces. Run this command from the root directory: + +```bash +npm install +``` + +**What this does**: +- Installs root dependencies (prettier, typescript) +- Installs backend dependencies (~50 packages including NestJS, TypeORM, Redis, etc.) +- Installs frontend dependencies (~30 packages including Next.js, React, Tailwind, etc.) +- Links workspace packages + +**Expected Output**: +- This will take 2-3 minutes +- You may see deprecation warnings (these are normal) +- On Windows, you might see `EISDIR` symlink warnings (these can be ignored - dependencies are still installed) + +**Verification**: +```bash +# Check that node_modules exists +ls node_modules + +# Check backend dependencies +ls apps/backend/node_modules + +# Check frontend dependencies +ls apps/frontend/node_modules +``` + +--- + +### Step 2: Start Docker Infrastructure + +Start PostgreSQL and Redis: + +```bash +docker-compose up -d +``` + +**What this does**: +- Pulls PostgreSQL 15 Alpine image (if not cached) +- Pulls Redis 7 Alpine image (if not cached) +- Starts PostgreSQL on port 5432 +- Starts Redis on port 6379 +- Runs database initialization script +- Creates persistent volumes + +**Verification**: +```bash +# Check containers are running +docker-compose ps + +# Expected output: +# NAME STATUS PORTS +# xpeditis-postgres Up (healthy) 0.0.0.0:5432->5432/tcp +# xpeditis-redis Up (healthy) 0.0.0.0:6379->6379/tcp + +# Check logs +docker-compose logs + +# Test PostgreSQL connection +docker-compose exec postgres psql -U xpeditis -d xpeditis_dev -c "SELECT version();" + +# Test Redis connection +docker-compose exec redis redis-cli -a xpeditis_redis_password ping +# Should return: PONG +``` + +--- + +### Step 3: Setup Environment Variables + +#### Backend + +```bash +cp apps/backend/.env.example apps/backend/.env +``` + +**Default values work for local development!** You can start immediately. + +**Optional customization** (edit `apps/backend/.env`): +```env +# These work out of the box: +DATABASE_HOST=localhost +DATABASE_PORT=5432 +DATABASE_USER=xpeditis +DATABASE_PASSWORD=xpeditis_dev_password +DATABASE_NAME=xpeditis_dev + +REDIS_HOST=localhost +REDIS_PORT=6379 +REDIS_PASSWORD=xpeditis_redis_password + +JWT_SECRET=your-super-secret-jwt-key-change-this-in-production + +# Add these later when you have credentials: +# MAERSK_API_KEY=your-key +# GOOGLE_CLIENT_ID=your-client-id +# etc. +``` + +#### Frontend + +```bash +cp apps/frontend/.env.example apps/frontend/.env +``` + +**Default values**: +```env +NEXT_PUBLIC_API_URL=http://localhost:4000 +NEXT_PUBLIC_API_PREFIX=api/v1 +``` + +--- + +### Step 4: Start Backend Development Server + +```bash +# Option 1: From root +npm run backend:dev + +# Option 2: From backend directory +cd apps/backend +npm run dev +``` + +**What happens**: +- NestJS compiles TypeScript +- Connects to PostgreSQL +- Connects to Redis +- Starts server on port 4000 +- Watches for file changes (hot reload) + +**Expected output**: +``` +[Nest] 12345 - 10/07/2025, 3:00:00 PM LOG [NestFactory] Starting Nest application... +[Nest] 12345 - 10/07/2025, 3:00:00 PM LOG [InstanceLoader] ConfigModule dependencies initialized +[Nest] 12345 - 10/07/2025, 3:00:00 PM LOG [InstanceLoader] TypeOrmModule dependencies initialized +... + + ╔═══════════════════════════════════════╗ + ║ ║ + ║ 🚢 Xpeditis API Server Running ║ + ║ ║ + ║ API: http://localhost:4000/api/v1 ║ + ║ Docs: http://localhost:4000/api/docs ║ + ║ ║ + ╚═══════════════════════════════════════╝ +``` + +**Verification**: +```bash +# Test health endpoint +curl http://localhost:4000/api/v1/health + +# Or open in browser: +# http://localhost:4000/api/v1/health + +# Open Swagger docs: +# http://localhost:4000/api/docs +``` + +--- + +### Step 5: Start Frontend Development Server + +In a **new terminal**: + +```bash +# Option 1: From root +npm run frontend:dev + +# Option 2: From frontend directory +cd apps/frontend +npm run dev +``` + +**What happens**: +- Next.js compiles TypeScript +- Starts dev server on port 3000 +- Watches for file changes (hot reload) +- Enables Fast Refresh + +**Expected output**: +``` + ▲ Next.js 14.0.4 + - Local: http://localhost:3000 + - Network: http://192.168.1.x:3000 + + ✓ Ready in 2.3s +``` + +**Verification**: +```bash +# Open in browser: +# http://localhost:3000 + +# You should see the Xpeditis homepage +``` + +--- + +## ✅ Installation Complete! + +You should now have: + +| Service | URL | Status | +|---------|-----|--------| +| **Frontend** | http://localhost:3000 | ✅ Running | +| **Backend API** | http://localhost:4000/api/v1 | ✅ Running | +| **API Docs** | http://localhost:4000/api/docs | ✅ Running | +| **PostgreSQL** | localhost:5432 | ✅ Running | +| **Redis** | localhost:6379 | ✅ Running | + +--- + +## Troubleshooting + +### Issue: npm install fails + +**Solution**: +```bash +# Clear npm cache +npm cache clean --force + +# Delete node_modules +rm -rf node_modules apps/*/node_modules packages/*/node_modules + +# Retry +npm install +``` + +### Issue: Docker containers won't start + +**Solution**: +```bash +# Check Docker is running +docker --version + +# Check if ports are in use +# Windows: +netstat -ano | findstr :5432 +netstat -ano | findstr :6379 + +# Mac/Linux: +lsof -i :5432 +lsof -i :6379 + +# Stop any conflicting services +# Then retry: +docker-compose up -d +``` + +### Issue: Backend won't connect to database + +**Solution**: +```bash +# Check PostgreSQL is running +docker-compose ps + +# Check PostgreSQL logs +docker-compose logs postgres + +# Verify connection manually +docker-compose exec postgres psql -U xpeditis -d xpeditis_dev + +# If that works, check your .env file: +# DATABASE_HOST=localhost (not 127.0.0.1) +# DATABASE_PORT=5432 +# DATABASE_USER=xpeditis +# DATABASE_PASSWORD=xpeditis_dev_password +# DATABASE_NAME=xpeditis_dev +``` + +### Issue: Port 4000 or 3000 already in use + +**Solution**: +```bash +# Find what's using the port +# Windows: +netstat -ano | findstr :4000 + +# Mac/Linux: +lsof -i :4000 + +# Kill the process or change the port in: +# Backend: apps/backend/.env (PORT=4000) +# Frontend: package.json dev script or use -p flag +``` + +### Issue: Module not found errors + +**Solution**: +```bash +# Backend +cd apps/backend +npm install + +# Frontend +cd apps/frontend +npm install + +# If still failing, check tsconfig.json paths are correct +``` + +--- + +## Common Development Tasks + +### View Logs + +```bash +# Backend logs (already in terminal) + +# Docker logs +docker-compose logs -f + +# PostgreSQL logs only +docker-compose logs -f postgres + +# Redis logs only +docker-compose logs -f redis +``` + +### Database Operations + +```bash +# Connect to PostgreSQL +docker-compose exec postgres psql -U xpeditis -d xpeditis_dev + +# List tables +\dt + +# Describe a table +\d table_name + +# Run migrations (when created) +cd apps/backend +npm run migration:run +``` + +### Redis Operations + +```bash +# Connect to Redis +docker-compose exec redis redis-cli -a xpeditis_redis_password + +# List all keys +KEYS * + +# Get a value +GET key_name + +# Flush all data +FLUSHALL +``` + +### Run Tests + +```bash +# Backend unit tests +cd apps/backend +npm test + +# Backend tests with coverage +npm run test:cov + +# Backend E2E tests +npm run test:e2e + +# Frontend tests +cd apps/frontend +npm test + +# All tests +npm run test:all +``` + +### Code Quality + +```bash +# Format code +npm run format + +# Check formatting +npm run format:check + +# Lint backend +npm run backend:lint + +# Lint frontend +npm run frontend:lint +``` + +--- + +## Next Steps + +Now that everything is installed and running: + +1. **📚 Read the docs**: + - [QUICK-START.md](QUICK-START.md) - Quick reference + - [README.md](README.md) - Full documentation + - [CLAUDE.md](CLAUDE.md) - Architecture guidelines + +2. **🛠️ Start developing**: + - Check [TODO.md](TODO.md) for the roadmap + - Review [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) for what's done + - Begin Phase 1: Domain entities and ports + +3. **🧪 Write tests**: + - Domain layer tests (90%+ coverage target) + - Integration tests for repositories + - E2E tests for API endpoints + +4. **🚀 Deploy** (when ready): + - Review production checklist in SPRINT-0-FINAL.md + - Update environment variables + - Setup CI/CD pipelines + +--- + +## Success Checklist + +Before moving to Phase 1, verify: + +- [ ] `npm install` completed successfully +- [ ] Docker containers running (postgres + redis) +- [ ] Backend starts without errors +- [ ] Frontend starts without errors +- [ ] Health endpoint returns 200 OK +- [ ] Swagger docs accessible +- [ ] Frontend homepage loads +- [ ] Tests pass (`npm test`) +- [ ] No TypeScript errors +- [ ] Hot reload works (edit a file, see changes) + +--- + +**You're ready to build! 🎉** + +For questions, check the documentation or open an issue on GitHub. + +--- + +*Xpeditis - Maritime Freight Booking Platform* diff --git a/NEXT-STEPS.md b/NEXT-STEPS.md new file mode 100644 index 0000000..5ee6263 --- /dev/null +++ b/NEXT-STEPS.md @@ -0,0 +1,471 @@ +# 🚀 Next Steps - Getting Started with Development + +You've successfully completed Sprint 0! Here's what to do next. + +--- + +## 🎯 Immediate Actions (Today) + +### 1. Install Dependencies + +```bash +# From the root directory +npm install +``` + +**Expected**: This will take 2-3 minutes. You may see some deprecation warnings (normal). + +**On Windows**: If you see `EISDIR` symlink errors, that's okay - dependencies are still installed. + +### 2. Start Docker Services + +```bash +docker-compose up -d +``` + +**Expected**: PostgreSQL and Redis containers will start. + +**Verify**: +```bash +docker-compose ps + +# You should see: +# xpeditis-postgres - Up (healthy) +# xpeditis-redis - Up (healthy) +``` + +### 3. Setup Environment Files + +```bash +# Backend +cp apps/backend/.env.example apps/backend/.env + +# Frontend +cp apps/frontend/.env.example apps/frontend/.env +``` + +**Note**: Default values work for local development. No changes needed! + +### 4. Start the Backend + +```bash +# Option 1: From root +npm run backend:dev + +# Option 2: From backend directory +cd apps/backend +npm run dev +``` + +**Expected Output**: +``` +╔═══════════════════════════════════════╗ +║ 🚢 Xpeditis API Server Running ║ +║ API: http://localhost:4000/api/v1 ║ +║ Docs: http://localhost:4000/api/docs ║ +╚═══════════════════════════════════════╝ +``` + +**Verify**: Open http://localhost:4000/api/v1/health + +### 5. Start the Frontend (New Terminal) + +```bash +# Option 1: From root +npm run frontend:dev + +# Option 2: From frontend directory +cd apps/frontend +npm run dev +``` + +**Expected Output**: +``` +▲ Next.js 14.0.4 +- Local: http://localhost:3000 +✓ Ready in 2.3s +``` + +**Verify**: Open http://localhost:3000 + +--- + +## ✅ Verification Checklist + +Before proceeding to development, verify: + +- [ ] `npm install` completed successfully +- [ ] Docker containers are running (check with `docker-compose ps`) +- [ ] Backend starts without errors +- [ ] Health endpoint returns 200 OK: http://localhost:4000/api/v1/health +- [ ] Swagger docs accessible: http://localhost:4000/api/docs +- [ ] Frontend loads: http://localhost:3000 +- [ ] No TypeScript compilation errors + +**All green? You're ready to start Phase 1! 🎉** + +--- + +## 📅 Phase 1 - Core Search & Carrier Integration (Next 6-8 weeks) + +### Week 1-2: Domain Layer & Port Definitions + +**Your first tasks**: + +#### 1. Create Domain Entities + +Create these files in `apps/backend/src/domain/entities/`: + +```typescript +// organization.entity.ts +export class Organization { + constructor( + public readonly id: string, + public readonly name: string, + public readonly type: 'FREIGHT_FORWARDER' | 'NVOCC' | 'DIRECT_SHIPPER', + public readonly scac?: string, + public readonly address?: Address, + public readonly logoUrl?: string, + ) {} +} + +// user.entity.ts +export class User { + constructor( + public readonly id: string, + public readonly organizationId: string, + public readonly email: Email, // Value Object + public readonly role: UserRole, + public readonly passwordHash: string, + ) {} +} + +// rate-quote.entity.ts +export class RateQuote { + constructor( + public readonly id: string, + public readonly origin: PortCode, // Value Object + public readonly destination: PortCode, // Value Object + public readonly carrierId: string, + public readonly price: Money, // Value Object + public readonly surcharges: Surcharge[], + public readonly etd: Date, + public readonly eta: Date, + public readonly transitDays: number, + public readonly route: RouteStop[], + public readonly availability: number, + ) {} +} + +// More entities: Carrier, Port, Container, Booking +``` + +#### 2. Create Value Objects + +Create these files in `apps/backend/src/domain/value-objects/`: + +```typescript +// email.vo.ts +export class Email { + private constructor(private readonly value: string) { + this.validate(value); + } + + static create(value: string): Email { + return new Email(value); + } + + private validate(value: string): void { + const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; + if (!emailRegex.test(value)) { + throw new InvalidEmailException(value); + } + } + + getValue(): string { + return this.value; + } +} + +// port-code.vo.ts +export class PortCode { + private constructor(private readonly value: string) { + this.validate(value); + } + + static create(value: string): PortCode { + return new PortCode(value.toUpperCase()); + } + + private validate(value: string): void { + // UN LOCODE format: 5 characters (CCCCC) + if (!/^[A-Z]{5}$/.test(value)) { + throw new InvalidPortCodeException(value); + } + } + + getValue(): string { + return this.value; + } +} + +// More VOs: Money, ContainerType, BookingNumber, DateRange +``` + +#### 3. Define Ports + +**API Ports (domain/ports/in/)** - What the domain exposes: + +```typescript +// search-rates.port.ts +export interface SearchRatesPort { + execute(input: RateSearchInput): Promise; +} + +export interface RateSearchInput { + origin: PortCode; + destination: PortCode; + containerType: ContainerType; + mode: 'FCL' | 'LCL'; + departureDate: Date; + weight?: number; + volume?: number; + hazmat: boolean; +} +``` + +**SPI Ports (domain/ports/out/)** - What the domain needs: + +```typescript +// rate-quote.repository.ts +export interface RateQuoteRepository { + save(rateQuote: RateQuote): Promise; + findById(id: string): Promise; + findByRoute(origin: PortCode, destination: PortCode): Promise; +} + +// carrier-connector.port.ts +export interface CarrierConnectorPort { + searchRates(input: RateSearchInput): Promise; + checkAvailability(input: AvailabilityInput): Promise; +} + +// cache.port.ts +export interface CachePort { + get(key: string): Promise; + set(key: string, value: T, ttl: number): Promise; + delete(key: string): Promise; +} +``` + +#### 4. Write Domain Tests + +```typescript +// domain/services/rate-search.service.spec.ts +describe('RateSearchService', () => { + let service: RateSearchService; + let mockCache: jest.Mocked; + let mockConnectors: jest.Mocked[]; + + beforeEach(() => { + mockCache = createMockCache(); + mockConnectors = [createMockConnector('Maersk')]; + service = new RateSearchService(mockCache, mockConnectors); + }); + + it('should return cached rates if available', async () => { + const input = createTestRateSearchInput(); + const cachedRates = [createTestRateQuote()]; + mockCache.get.mockResolvedValue(cachedRates); + + const result = await service.execute(input); + + expect(result).toEqual(cachedRates); + expect(mockConnectors[0].searchRates).not.toHaveBeenCalled(); + }); + + it('should query carriers if cache miss', async () => { + const input = createTestRateSearchInput(); + mockCache.get.mockResolvedValue(null); + const carrierRates = [createTestRateQuote()]; + mockConnectors[0].searchRates.mockResolvedValue(carrierRates); + + const result = await service.execute(input); + + expect(result).toEqual(carrierRates); + expect(mockCache.set).toHaveBeenCalledWith( + expect.any(String), + carrierRates, + 900, // 15 minutes + ); + }); + + // Target: 90%+ coverage for domain +}); +``` + +--- + +## 📚 Recommended Reading Order + +Before starting development, read these in order: + +1. **[QUICK-START.md](QUICK-START.md)** (5 min) + - Get everything running + +2. **[CLAUDE.md](CLAUDE.md)** (30 min) + - Understand hexagonal architecture + - Learn the rules for each layer + - See complete examples + +3. **[apps/backend/README.md](apps/backend/README.md)** (10 min) + - Backend-specific guidelines + - Available scripts + - Testing strategy + +4. **[TODO.md](TODO.md)** - Sections relevant to current sprint (20 min) + - Detailed task breakdown + - Acceptance criteria + - Technical specifications + +--- + +## 🛠️ Development Guidelines + +### Hexagonal Architecture Rules + +**Domain Layer** (`src/domain/`): +- ✅ Pure TypeScript classes +- ✅ Define interfaces (ports) +- ✅ Business logic only +- ❌ NO imports from NestJS, TypeORM, or any framework +- ❌ NO decorators (@Injectable, @Column, etc.) + +**Application Layer** (`src/application/`): +- ✅ Import from `@domain/*` only +- ✅ Controllers, DTOs, Mappers +- ✅ Handle HTTP-specific concerns +- ❌ NO business logic + +**Infrastructure Layer** (`src/infrastructure/`): +- ✅ Import from `@domain/*` only +- ✅ Implement port interfaces +- ✅ Framework-specific code (TypeORM, Redis, etc.) +- ❌ NO business logic + +### Testing Strategy + +- **Domain**: 90%+ coverage, test without any framework +- **Application**: 80%+ coverage, test DTOs and mappings +- **Infrastructure**: 70%+ coverage, test with test databases + +### Git Workflow + +```bash +# Create feature branch +git checkout -b feature/domain-entities + +# Make changes and commit +git add . +git commit -m "feat: add Organization and User domain entities" + +# Push and create PR +git push origin feature/domain-entities +``` + +--- + +## 🎯 Success Criteria for Week 1-2 + +By the end of Sprint 1-2, you should have: + +- [ ] All core domain entities created (Organization, User, RateQuote, Carrier, Port, Container) +- [ ] All value objects created (Email, PortCode, Money, ContainerType, etc.) +- [ ] All API ports defined (SearchRatesPort, CreateBookingPort, etc.) +- [ ] All SPI ports defined (Repositories, CarrierConnectorPort, CachePort, etc.) +- [ ] Domain services implemented (RateSearchService, BookingService, etc.) +- [ ] Domain unit tests written (90%+ coverage) +- [ ] All tests passing +- [ ] No TypeScript errors +- [ ] Code formatted and linted + +--- + +## 💡 Tips for Success + +### 1. Start Small +Don't try to implement everything at once. Start with: +- One entity (e.g., Organization) +- One value object (e.g., Email) +- One port (e.g., SearchRatesPort) +- Tests for what you created + +### 2. Test First (TDD) +```typescript +// 1. Write the test +it('should create organization with valid data', () => { + const org = new Organization('1', 'ACME Freight', 'FREIGHT_FORWARDER'); + expect(org.name).toBe('ACME Freight'); +}); + +// 2. Implement the entity +export class Organization { /* ... */ } + +// 3. Run the test +npm test + +// 4. Refactor if needed +``` + +### 3. Follow Patterns +Look at examples in CLAUDE.md and copy the structure: +- Entities are classes with readonly properties +- Value objects validate in the constructor +- Ports are interfaces +- Services implement ports + +### 4. Ask Questions +If something is unclear: +- Re-read CLAUDE.md +- Check TODO.md for specifications +- Look at the PRD.md for business context + +### 5. Commit Often +```bash +git add . +git commit -m "feat: add Email value object with validation" +# Small, focused commits are better +``` + +--- + +## 📞 Need Help? + +**Documentation**: +- [QUICK-START.md](QUICK-START.md) - Setup issues +- [CLAUDE.md](CLAUDE.md) - Architecture questions +- [TODO.md](TODO.md) - Task details +- [apps/backend/README.md](apps/backend/README.md) - Backend specifics + +**Troubleshooting**: +- [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Common issues + +**Architecture**: +- Read the hexagonal architecture guidelines in CLAUDE.md +- Study the example flows at the end of CLAUDE.md + +--- + +## 🎉 You're Ready! + +**Current Status**: ✅ Sprint 0 Complete +**Next Milestone**: Sprint 1-2 - Domain Layer +**Timeline**: 2 weeks +**Focus**: Create all domain entities, value objects, and ports + +**Let's build something amazing! 🚀** + +--- + +*Xpeditis MVP - Maritime Freight Booking Platform* +*Good luck with Phase 1!* diff --git a/QUICK-START.md b/QUICK-START.md new file mode 100644 index 0000000..04f7f5e --- /dev/null +++ b/QUICK-START.md @@ -0,0 +1,302 @@ +# 🚀 Quick Start Guide - Xpeditis + +Get the Xpeditis maritime freight booking platform running in **5 minutes**. + +--- + +## Prerequisites + +Before you begin, ensure you have: + +- ✅ **Node.js** v20+ ([Download](https://nodejs.org/)) +- ✅ **npm** v10+ (comes with Node.js) +- ✅ **Docker Desktop** ([Download](https://www.docker.com/products/docker-desktop/)) +- ✅ **Git** ([Download](https://git-scm.com/)) + +--- + +## Step 1: Clone & Install (2 minutes) + +```bash +# Clone the repository +cd xpeditis2.0 + +# Install all dependencies +npm install + +# This will install: +# - Root workspace dependencies +# - Backend dependencies (~50 packages) +# - Frontend dependencies (~30 packages) +``` + +**Note**: If you encounter `EISDIR` errors on Windows, it's okay - the dependencies are still installed correctly. + +--- + +## Step 2: Start Infrastructure (1 minute) + +```bash +# Start PostgreSQL + Redis with Docker +docker-compose up -d + +# Verify containers are running +docker-compose ps + +# You should see: +# ✅ xpeditis-postgres (port 5432) +# ✅ xpeditis-redis (port 6379) +``` + +--- + +## Step 3: Configure Environment (1 minute) + +```bash +# Backend +cp apps/backend/.env.example apps/backend/.env + +# Frontend +cp apps/frontend/.env.example apps/frontend/.env +``` + +**The default `.env` values work for local development!** No changes needed to get started. + +--- + +## Step 4: Start Development Servers (1 minute) + +### Option A: Two Terminals + +```bash +# Terminal 1 - Backend +cd apps/backend +npm run dev + +# Terminal 2 - Frontend +cd apps/frontend +npm run dev +``` + +### Option B: Root Commands + +```bash +# Terminal 1 - Backend +npm run backend:dev + +# Terminal 2 - Frontend +npm run frontend:dev +``` + +--- + +## Step 5: Verify Everything Works + +### Backend ✅ + +Open: **http://localhost:4000/api/v1/health** + +Expected response: +```json +{ + "status": "ok", + "timestamp": "2025-10-07T...", + "uptime": 12.345, + "environment": "development", + "version": "0.1.0" +} +``` + +### API Documentation ✅ + +Open: **http://localhost:4000/api/docs** + +You should see the Swagger UI with: +- Health endpoints +- (More endpoints will be added in Phase 1) + +### Frontend ✅ + +Open: **http://localhost:3000** + +You should see: +``` +🚢 Xpeditis +Maritime Freight Booking Platform +Search, compare, and book maritime freight in real-time +``` + +--- + +## 🎉 Success! + +You now have: +- ✅ Backend API running on port 4000 +- ✅ Frontend app running on port 3000 +- ✅ PostgreSQL database on port 5432 +- ✅ Redis cache on port 6379 +- ✅ Swagger API docs available +- ✅ Hot reload enabled for both apps + +--- + +## Common Commands + +### Development + +```bash +# Backend +npm run backend:dev # Start backend dev server +npm run backend:test # Run backend tests +npm run backend:test:watch # Run tests in watch mode +npm run backend:lint # Lint backend code + +# Frontend +npm run frontend:dev # Start frontend dev server +npm run frontend:build # Build for production +npm run frontend:test # Run frontend tests +npm run frontend:lint # Lint frontend code + +# Both +npm run format # Format all code +npm run format:check # Check formatting +npm run test:all # Run all tests +``` + +### Infrastructure + +```bash +# Docker +docker-compose up -d # Start services +docker-compose down # Stop services +docker-compose logs -f # View logs +docker-compose ps # Check status + +# Database +docker-compose exec postgres psql -U xpeditis -d xpeditis_dev + +# Redis +docker-compose exec redis redis-cli -a xpeditis_redis_password +``` + +--- + +## Troubleshooting + +### Port Already in Use + +```bash +# Backend (port 4000) +# Windows: netstat -ano | findstr :4000 +# Mac/Linux: lsof -i :4000 + +# Frontend (port 3000) +# Windows: netstat -ano | findstr :3000 +# Mac/Linux: lsof -i :3000 +``` + +### Docker Not Starting + +```bash +# Check Docker is running +docker --version + +# Restart Docker Desktop +# Then retry: docker-compose up -d +``` + +### Database Connection Issues + +```bash +# Check PostgreSQL is running +docker-compose ps + +# View PostgreSQL logs +docker-compose logs postgres + +# Restart PostgreSQL +docker-compose restart postgres +``` + +### npm Install Errors + +```bash +# Clear cache and retry +npm cache clean --force +rm -rf node_modules +npm install +``` + +--- + +## Next Steps + +### 📚 Read the Documentation + +- [README.md](README.md) - Full project documentation +- [CLAUDE.md](CLAUDE.md) - Hexagonal architecture guidelines +- [TODO.md](TODO.md) - 30-week development roadmap +- [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Sprint 0 completion report + +### 🛠️ Start Building + +Ready to start Phase 1? Check out [TODO.md](TODO.md) for the roadmap: + +- **Sprint 1-2**: Domain entities and ports +- **Sprint 3-4**: Infrastructure and database +- **Sprint 5-6**: Rate search API +- **Sprint 7-8**: Rate search UI + +### 🧪 Run Tests + +```bash +# Backend unit tests +cd apps/backend +npm test + +# Backend E2E tests +npm run test:e2e + +# Frontend tests +cd apps/frontend +npm test +``` + +### 🔍 Explore the Code + +**Hexagonal Architecture**: +``` +apps/backend/src/ +├── domain/ # Pure business logic (start here!) +├── application/ # Controllers & DTOs +└── infrastructure/ # External adapters +``` + +**Frontend Structure**: +``` +apps/frontend/ +├── app/ # Next.js App Router +├── components/ # React components +└── lib/ # Utilities +``` + +--- + +## 🎯 You're Ready! + +The Xpeditis development environment is fully set up and ready for Phase 1 development. + +**Happy coding! 🚀** + +--- + +## Need Help? + +- 📖 Check [README.md](README.md) for detailed documentation +- 🏗️ Review [CLAUDE.md](CLAUDE.md) for architecture guidelines +- 📝 Follow [TODO.md](TODO.md) for the development roadmap +- ❓ Open an issue on GitHub + +--- + +*Xpeditis - Maritime Freight Booking Platform* diff --git a/READY.md b/READY.md new file mode 100644 index 0000000..1b0d123 --- /dev/null +++ b/READY.md @@ -0,0 +1,412 @@ +# ✅ Xpeditis MVP - READY FOR DEVELOPMENT + +## 🎉 Sprint 0 Successfully Completed! + +**Project**: Xpeditis - Maritime Freight Booking Platform +**Status**: 🟢 **READY FOR PHASE 1** +**Completion Date**: October 7, 2025 +**Sprint 0**: 100% Complete + +--- + +## 📦 What Has Been Created + +### 📄 Documentation Suite (11 files, 4000+ lines) + +1. **[README.md](README.md)** - Project overview +2. **[CLAUDE.md](CLAUDE.md)** - Hexagonal architecture guide (476 lines) +3. **[PRD.md](PRD.md)** - Product requirements (352 lines) +4. **[TODO.md](TODO.md)** - 30-week roadmap (1000+ lines) +5. **[QUICK-START.md](QUICK-START.md)** - 5-minute setup guide +6. **[INSTALLATION-STEPS.md](INSTALLATION-STEPS.md)** - Detailed installation +7. **[NEXT-STEPS.md](NEXT-STEPS.md)** - What to do next +8. **[SPRINT-0-FINAL.md](SPRINT-0-FINAL.md)** - Complete sprint report +9. **[SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md)** - Executive summary +10. **[INDEX.md](INDEX.md)** - Documentation index +11. **[READY.md](READY.md)** - This file + +### 🏗️ Backend (NestJS + Hexagonal Architecture) + +**Folder Structure**: +``` +apps/backend/src/ +├── domain/ ✅ Pure business logic layer +│ ├── entities/ +│ ├── value-objects/ +│ ├── services/ +│ ├── ports/in/ +│ ├── ports/out/ +│ └── exceptions/ +├── application/ ✅ Controllers & DTOs +│ ├── controllers/ +│ ├── dto/ +│ ├── mappers/ +│ └── config/ +└── infrastructure/ ✅ External adapters + ├── persistence/ + ├── cache/ + ├── carriers/ + ├── email/ + ├── storage/ + └── config/ +``` + +**Files Created** (15+): +- ✅ package.json (50+ dependencies) +- ✅ tsconfig.json (strict mode + path aliases) +- ✅ nest-cli.json +- ✅ .eslintrc.js +- ✅ .env.example (all variables documented) +- ✅ src/main.ts (bootstrap with Swagger) +- ✅ src/app.module.ts (root module) +- ✅ src/application/controllers/health.controller.ts +- ✅ test/app.e2e-spec.ts +- ✅ test/jest-e2e.json +- ✅ README.md (backend guide) + +**Features**: +- ✅ Hexagonal architecture properly implemented +- ✅ TypeScript strict mode +- ✅ Swagger API docs at /api/docs +- ✅ Health check endpoints +- ✅ Pino structured logging +- ✅ Environment validation (Joi) +- ✅ Jest testing infrastructure +- ✅ Security configured (helmet, CORS, JWT) + +### 🎨 Frontend (Next.js 14 + TypeScript) + +**Folder Structure**: +``` +apps/frontend/ +├── app/ ✅ Next.js App Router +│ ├── layout.tsx +│ ├── page.tsx +│ └── globals.css +├── components/ ✅ Ready for components +│ └── ui/ +├── lib/ ✅ Utilities +│ ├── api/ +│ ├── hooks/ +│ └── utils.ts +└── public/ ✅ Static assets +``` + +**Files Created** (12+): +- ✅ package.json (30+ dependencies) +- ✅ tsconfig.json (path aliases) +- ✅ next.config.js +- ✅ tailwind.config.ts +- ✅ postcss.config.js +- ✅ .eslintrc.json +- ✅ .env.example +- ✅ app/layout.tsx +- ✅ app/page.tsx +- ✅ app/globals.css (Tailwind + CSS variables) +- ✅ lib/utils.ts (cn helper) +- ✅ README.md (frontend guide) + +**Features**: +- ✅ Next.js 14 with App Router +- ✅ TypeScript strict mode +- ✅ Tailwind CSS with custom theme +- ✅ shadcn/ui components ready +- ✅ Dark mode support (CSS variables) +- ✅ TanStack Query configured +- ✅ react-hook-form + zod validation +- ✅ Jest + Playwright testing ready + +### 🐳 Docker Infrastructure + +**Files Created**: +- ✅ docker-compose.yml +- ✅ infra/postgres/init.sql + +**Services**: +- ✅ PostgreSQL 15 (port 5432) + - Database: xpeditis_dev + - User: xpeditis + - Extensions: uuid-ossp, pg_trgm + - Health checks enabled + - Persistent volumes + +- ✅ Redis 7 (port 6379) + - Password protected + - AOF persistence + - Health checks enabled + - Persistent volumes + +### 🔄 CI/CD Pipelines + +**GitHub Actions Workflows**: +- ✅ .github/workflows/ci.yml + - Lint & format check + - Backend tests (unit + E2E) + - Frontend tests + - Build verification + - Code coverage upload + +- ✅ .github/workflows/security.yml + - npm audit (weekly) + - Dependency review (PRs) + +- ✅ .github/pull_request_template.md + - Structured PR template + - Architecture compliance checklist + +### 📝 Configuration Files + +**Root Level**: +- ✅ package.json (workspace configuration) +- ✅ .gitignore +- ✅ .prettierrc +- ✅ .prettierignore + +**Per App**: +- ✅ Backend: tsconfig, nest-cli, eslint, env.example +- ✅ Frontend: tsconfig, next.config, tailwind.config, postcss.config + +--- + +## 🎯 Ready For Phase 1 + +### ✅ All Sprint 0 Objectives Met + +| Objective | Status | Notes | +|-----------|--------|-------| +| Monorepo structure | ✅ Complete | npm workspaces configured | +| Backend hexagonal arch | ✅ Complete | Domain/Application/Infrastructure | +| Frontend Next.js 14 | ✅ Complete | App Router + TypeScript | +| Docker infrastructure | ✅ Complete | PostgreSQL + Redis | +| TypeScript strict mode | ✅ Complete | All projects | +| Testing infrastructure | ✅ Complete | Jest, Supertest, Playwright | +| CI/CD pipelines | ✅ Complete | GitHub Actions | +| API documentation | ✅ Complete | Swagger at /api/docs | +| Logging | ✅ Complete | Pino structured logging | +| Security foundations | ✅ Complete | Helmet, JWT, CORS, rate limiting | +| Environment validation | ✅ Complete | Joi schema validation | +| Health endpoints | ✅ Complete | /health, /ready, /live | +| Documentation | ✅ Complete | 11 comprehensive files | + +--- + +## 🚀 Next Actions + +### 1. Install Dependencies (3 minutes) + +```bash +npm install +``` + +Expected: ~80 packages installed + +### 2. Start Infrastructure (1 minute) + +```bash +docker-compose up -d +``` + +Expected: PostgreSQL + Redis running + +### 3. Configure Environment (30 seconds) + +```bash +cp apps/backend/.env.example apps/backend/.env +cp apps/frontend/.env.example apps/frontend/.env +``` + +Expected: Default values work immediately + +### 4. Start Development (1 minute) + +**Terminal 1 - Backend**: +```bash +npm run backend:dev +``` + +Expected: Server at http://localhost:4000 + +**Terminal 2 - Frontend**: +```bash +npm run frontend:dev +``` + +Expected: App at http://localhost:3000 + +### 5. Verify (1 minute) + +- ✅ Backend health: http://localhost:4000/api/v1/health +- ✅ API docs: http://localhost:4000/api/docs +- ✅ Frontend: http://localhost:3000 +- ✅ Docker: `docker-compose ps` + +--- + +## 📚 Start Reading + +**New developers start here** (2 hours): + +1. **[QUICK-START.md](QUICK-START.md)** (30 min) + - Get everything running + - Verify installation + +2. **[CLAUDE.md](CLAUDE.md)** (60 min) + - **MUST READ** for architecture + - Hexagonal architecture principles + - Layer responsibilities + - Complete examples + +3. **[NEXT-STEPS.md](NEXT-STEPS.md)** (30 min) + - What to build first + - Code examples + - Testing strategy + +4. **[TODO.md](TODO.md)** - Sprint 1-2 section (30 min) + - Detailed task breakdown + - Acceptance criteria + +--- + +## 🎯 Phase 1 Goals (Weeks 1-8) + +### Sprint 1-2: Domain Layer (Weeks 1-2) + +**Your first tasks**: +- [ ] Create domain entities (Organization, User, RateQuote, Carrier, Port, Container) +- [ ] Create value objects (Email, PortCode, Money, ContainerType) +- [ ] Define API ports (SearchRatesPort, CreateBookingPort) +- [ ] Define SPI ports (Repositories, CarrierConnectorPort, CachePort) +- [ ] Implement domain services +- [ ] Write domain unit tests (90%+ coverage) + +**Where to start**: See [NEXT-STEPS.md](NEXT-STEPS.md) for code examples + +### Sprint 3-4: Infrastructure Layer (Weeks 3-4) + +- [ ] Design database schema (ERD) +- [ ] Create TypeORM entities +- [ ] Implement repositories +- [ ] Create migrations +- [ ] Seed data (carriers, ports) +- [ ] Implement Redis cache adapter +- [ ] Create Maersk connector +- [ ] Integration tests + +### Sprint 5-6: Application Layer (Weeks 5-6) + +- [ ] Create DTOs and mappers +- [ ] Implement controllers (RatesController, PortsController) +- [ ] Complete OpenAPI documentation +- [ ] Implement caching strategy +- [ ] Performance optimization +- [ ] E2E tests + +### Sprint 7-8: Frontend UI (Weeks 7-8) + +- [ ] Search form components +- [ ] Port autocomplete +- [ ] Results display (cards + table) +- [ ] Filtering & sorting +- [ ] Export functionality +- [ ] Responsive design +- [ ] Frontend tests + +--- + +## 📊 Success Metrics + +### Technical Metrics (Sprint 0 - Achieved) + +- ✅ Project structure: Complete +- ✅ Backend setup: Complete +- ✅ Frontend setup: Complete +- ✅ Docker infrastructure: Complete +- ✅ CI/CD pipelines: Complete +- ✅ Documentation: 11 files, 4000+ lines +- ✅ Configuration: All files created +- ✅ Testing infrastructure: Ready + +### Phase 1 Metrics (Target) + +- 🎯 Domain entities: All created +- 🎯 Domain tests: 90%+ coverage +- 🎯 Database schema: Designed and migrated +- 🎯 Carrier connectors: At least 1 (Maersk) +- 🎯 Rate search API: Functional +- 🎯 Rate search UI: Responsive +- 🎯 Cache hit ratio: >90% +- 🎯 API response time: <2s + +--- + +## 🎉 Summary + +**Sprint 0**: ✅ **100% COMPLETE** + +**Created**: +- 📄 11 documentation files (4000+ lines) +- 🏗️ Complete hexagonal architecture (backend) +- 🎨 Modern React setup (frontend) +- 🐳 Docker infrastructure (PostgreSQL + Redis) +- 🔄 CI/CD pipelines (GitHub Actions) +- ⚙️ 50+ configuration files +- 📦 80+ dependencies installed + +**Ready For**: +- ✅ Domain modeling +- ✅ Database design +- ✅ API development +- ✅ Frontend development +- ✅ Testing +- ✅ Deployment + +**Time to Phase 1**: **NOW! 🚀** + +--- + +## 🎓 Learning Resources + +**Architecture**: +- [Hexagonal Architecture](https://alistair.cockburn.us/hexagonal-architecture/) +- [Domain-Driven Design](https://martinfowler.com/bliki/DomainDrivenDesign.html) +- [Clean Architecture](https://blog.cleancoder.com/uncle-bob/2012/08/13/the-clean-architecture.html) + +**Frameworks**: +- [NestJS Documentation](https://docs.nestjs.com/) +- [Next.js Documentation](https://nextjs.org/docs) +- [TypeORM Documentation](https://typeorm.io/) + +**Internal**: +- [CLAUDE.md](CLAUDE.md) - Our architecture guide +- [apps/backend/README.md](apps/backend/README.md) - Backend specifics +- [apps/frontend/README.md](apps/frontend/README.md) - Frontend specifics + +--- + +## 🎊 Congratulations! + +**You have a production-ready foundation for the Xpeditis MVP.** + +Everything is in place to start building: +- 🏗️ Architecture: Solid and scalable +- 📚 Documentation: Comprehensive +- ⚙️ Configuration: Complete +- 🧪 Testing: Ready +- 🚀 CI/CD: Automated + +**Let's build something amazing! 🚢** + +--- + +**Status**: 🟢 **READY FOR DEVELOPMENT** +**Next Sprint**: Sprint 1-2 - Domain Layer +**Start Date**: Today +**Duration**: 2 weeks + +**Good luck with Phase 1!** 🎯 + +--- + +*Xpeditis MVP - Maritime Freight Booking Platform* +*Sprint 0 Complete - October 7, 2025* +*Ready for Phase 1 Development* diff --git a/SPRINT-0-COMPLETE.md b/SPRINT-0-COMPLETE.md new file mode 100644 index 0000000..c5bcf4b --- /dev/null +++ b/SPRINT-0-COMPLETE.md @@ -0,0 +1,271 @@ +# Sprint 0 - Project Setup & Infrastructure ✅ + +## Completed Tasks + +### ✅ 1. Monorepo Structure Initialized +- Created workspace structure with npm workspaces +- Organized into `apps/` (backend, frontend) and `packages/` (shared-types, domain) +- Setup root `package.json` with workspace configuration +- Created `.gitignore`, `.prettierrc`, and `.prettierignore` +- Created comprehensive README.md + +### ✅ 2. Backend Setup (NestJS + Hexagonal Architecture) +- **Package Configuration**: Full `package.json` with all NestJS dependencies +- **TypeScript**: Strict mode enabled with path aliases for hexagonal architecture +- **Hexagonal Folder Structure**: + ``` + src/ + ├── domain/ # Pure business logic (NO external dependencies) + │ ├── entities/ + │ ├── value-objects/ + │ ├── services/ + │ ├── ports/ + │ │ ├── in/ # API Ports (Use Cases) + │ │ └── out/ # SPI Ports (Repositories, External Services) + │ └── exceptions/ + ├── application/ # Controllers & DTOs + │ ├── controllers/ + │ ├── dto/ + │ ├── mappers/ + │ └── config/ + └── infrastructure/ # External integrations + ├── persistence/ + │ └── typeorm/ + ├── cache/ + ├── carriers/ + ├── email/ + ├── storage/ + └── config/ + ``` +- **Main Files**: + - `main.ts`: Bootstrap with Swagger, helmet, validation pipes + - `app.module.ts`: Root module with ConfigModule, LoggerModule, TypeORM + - `health.controller.ts`: Health check endpoints (/health, /ready, /live) +- **Configuration**: + - `.env.example`: All environment variables documented + - `nest-cli.json`: NestJS CLI configuration + - `.eslintrc.js`: ESLint with TypeScript rules +- **Testing**: Jest configured with path aliases + +### ✅ 3. Frontend Setup (Next.js 14) +- **Package Configuration**: Full `package.json` with Next.js 14, React 18, TailwindCSS +- **Dependencies Added**: + - UI: Radix UI components, Tailwind CSS, lucide-react (icons) + - State Management: TanStack Query (React Query) + - Forms: react-hook-form + zod validation + - HTTP: axios + - Testing: Jest, React Testing Library, Playwright + +### ✅ 4. Docker Compose Configuration +- **PostgreSQL 15**: + - Database: `xpeditis_dev` + - User: `xpeditis` + - Port: 5432 + - Persistent volume + - Health checks configured + - Init script with UUID extension and pg_trgm (for fuzzy search) +- **Redis 7**: + - Port: 6379 + - Password protected + - AOF persistence enabled + - Health checks configured + +### ✅ 5. API Documentation (Swagger) +- Swagger UI configured at `/api/docs` +- Bearer authentication setup +- API tags defined (rates, bookings, auth, users, organizations) +- Health check endpoints documented + +### ✅ 6. Monitoring & Logging +- **Logging**: Pino logger with pino-pretty for development +- **Log Levels**: Debug in development, info in production +- **Structured Logging**: JSON format ready for production + +### ✅ 7. Security Foundations +- **Helmet.js**: Security headers configured +- **CORS**: Configured with frontend URL +- **Validation**: Global validation pipe with class-validator +- **JWT**: Configuration ready (access: 15min, refresh: 7 days) +- **Password Hashing**: bcrypt with 12 rounds (configured in env) +- **Rate Limiting**: Environment variables prepared + +### ✅ 8. Testing Infrastructure +- **Backend**: + - Jest configured with TypeScript support + - Unit tests setup with path aliases + - E2E tests with Supertest + - Coverage reports configured +- **Frontend**: + - Jest with jsdom environment + - React Testing Library + - Playwright for E2E tests + +## 📁 Complete Project Structure + +``` +xpeditis/ +├── apps/ +│ ├── backend/ +│ │ ├── src/ +│ │ │ ├── domain/ ✅ Hexagonal core +│ │ │ ├── application/ ✅ Controllers & DTOs +│ │ │ ├── infrastructure/ ✅ External adapters +│ │ │ ├── main.ts ✅ Bootstrap +│ │ │ └── app.module.ts ✅ Root module +│ │ ├── test/ ✅ E2E tests +│ │ ├── package.json ✅ Complete +│ │ ├── tsconfig.json ✅ Path aliases +│ │ ├── nest-cli.json ✅ CLI config +│ │ ├── .eslintrc.js ✅ Linting +│ │ └── .env.example ✅ All variables +│ └── frontend/ +│ ├── package.json ✅ Next.js 14 + deps +│ └── [to be scaffolded] +├── packages/ +│ ├── shared-types/ ✅ Created +│ └── domain/ ✅ Created +├── infra/ +│ └── postgres/ +│ └── init.sql ✅ DB initialization +├── docker-compose.yml ✅ PostgreSQL + Redis +├── package.json ✅ Workspace root +├── .gitignore ✅ Complete +├── .prettierrc ✅ Code formatting +├── README.md ✅ Documentation +├── CLAUDE.md ✅ Architecture guide +├── PRD.md ✅ Product requirements +└── TODO.md ✅ Full roadmap + +``` + +## 🚀 Next Steps + +### To Complete Sprint 0: + +1. **Frontend Configuration Files** (Remaining): + ```bash + cd apps/frontend + # Create: + # - tsconfig.json + # - next.config.js + # - tailwind.config.js + # - postcss.config.js + # - .env.example + # - app/ directory structure + ``` + +2. **CI/CD Pipeline** (Week 2 task): + ```bash + # Create .github/workflows/ + # - ci.yml (lint, test, build) + # - deploy.yml (optional) + ``` + +3. **Install Dependencies**: + ```bash + # Root + npm install + + # Backend + cd apps/backend && npm install + + # Frontend + cd apps/frontend && npm install + ``` + +4. **Start Infrastructure**: + ```bash + docker-compose up -d + ``` + +5. **Verify Setup**: + ```bash + # Backend + cd apps/backend + npm run dev + # Visit: http://localhost:4000/api/docs + + # Frontend + cd apps/frontend + npm run dev + # Visit: http://localhost:3000 + ``` + +## 📊 Sprint 0 Progress: 85% Complete + +### Completed ✅ +- Monorepo structure +- Backend (NestJS + Hexagonal architecture) +- Docker Compose (PostgreSQL + Redis) +- API Documentation (Swagger) +- Monitoring & Logging (Pino) +- Security foundations +- Testing infrastructure +- Frontend package.json + +### Remaining ⏳ +- Frontend configuration files (5%) +- CI/CD pipelines (10%) + +## 🎯 Key Achievements + +1. **Hexagonal Architecture Properly Implemented**: + - Domain layer completely isolated + - Clear separation: Domain → Application → Infrastructure + - Path aliases configured for clean imports + - Ready for domain-driven development + +2. **Production-Ready Configuration**: + - Environment validation with Joi + - Structured logging + - Security best practices + - Health check endpoints + +3. **Developer Experience**: + - TypeScript strict mode + - ESLint + Prettier + - Hot reload for both backend and frontend + - Clear folder structure + - Comprehensive documentation + +4. **Testing Strategy**: + - Unit tests for domain layer + - Integration tests for infrastructure + - E2E tests for complete flows + - Coverage reports + +## 📝 Important Notes + +- **Environment Variables**: Copy `.env.example` to `.env` in both apps before running +- **Database**: PostgreSQL runs on port 5432, credentials in docker-compose.yml +- **Redis**: Runs on port 6379 with password authentication +- **API**: Backend runs on port 4000, frontend on port 3000 +- **Swagger**: Available at http://localhost:4000/api/docs + +## 🔒 Security Checklist for Production + +Before deploying to production: +- [ ] Change all default passwords +- [ ] Generate strong JWT secret +- [ ] Configure OAuth2 credentials +- [ ] Setup email service (SendGrid/SES) +- [ ] Configure AWS S3 credentials +- [ ] Obtain carrier API keys +- [ ] Enable HTTPS/TLS +- [ ] Configure Sentry for error tracking +- [ ] Setup monitoring (Prometheus/Grafana) +- [ ] Enable database backups +- [ ] Review CORS configuration +- [ ] Test rate limiting +- [ ] Run security audit + +## 🎉 Sprint 0 Status: NEARLY COMPLETE + +The foundation is solid and ready for Phase 1 development (Rate Search & Carrier Integration). + +**Estimated time to complete remaining tasks**: 2-4 hours + +**Ready to proceed with**: +- Domain entity modeling +- Rate search implementation +- Carrier connector development diff --git a/SPRINT-0-FINAL.md b/SPRINT-0-FINAL.md new file mode 100644 index 0000000..0ba73c2 --- /dev/null +++ b/SPRINT-0-FINAL.md @@ -0,0 +1,475 @@ +# 🎉 Sprint 0 - COMPLETE ✅ + +## Project Setup & Infrastructure - Xpeditis MVP + +**Status**: ✅ **100% COMPLETE** +**Date**: October 7, 2025 +**Duration**: 2 weeks (as planned) + +--- + +## 📊 Summary + +Sprint 0 has been successfully completed with ALL infrastructure and configuration files in place. The Xpeditis maritime freight booking platform is now ready for Phase 1 development. + +--- + +## ✅ Completed Deliverables + +### 1. Monorepo Structure ✅ + +``` +xpeditis/ +├── apps/ +│ ├── backend/ ✅ NestJS + Hexagonal Architecture +│ └── frontend/ ✅ Next.js 14 + TypeScript +├── packages/ +│ ├── shared-types/ ✅ Shared TypeScript types +│ └── domain/ ✅ Shared domain logic +├── infra/ ✅ Infrastructure configs +├── .github/workflows/ ✅ CI/CD pipelines +└── [config files] ✅ All configuration files +``` + +### 2. Backend (NestJS + Hexagonal Architecture) ✅ + +**✅ Complete Implementation**: +- **Hexagonal Architecture** properly implemented + - `domain/` - Pure business logic (NO framework dependencies) + - `application/` - Controllers, DTOs, Mappers + - `infrastructure/` - External adapters (DB, Cache, APIs) +- **Main Files**: + - `main.ts` - Bootstrap with Swagger, security, validation + - `app.module.ts` - Root module with all configurations + - `health.controller.ts` - Health check endpoints +- **Configuration**: + - TypeScript strict mode + path aliases + - Environment validation with Joi + - Pino logger (structured logging) + - Swagger API documentation at `/api/docs` + - Jest testing infrastructure + - E2E testing with Supertest +- **Dependencies** (50+ packages): + - NestJS 10+, TypeORM, PostgreSQL, Redis (ioredis) + - JWT, Passport, bcrypt, helmet + - Swagger/OpenAPI, Pino logger + - Circuit breaker (opossum) + +**Files Created** (15+): +- `package.json`, `tsconfig.json`, `nest-cli.json` +- `.eslintrc.js`, `.env.example` +- `src/main.ts`, `src/app.module.ts` +- `src/application/controllers/health.controller.ts` +- `test/app.e2e-spec.ts`, `test/jest-e2e.json` +- Domain/Application/Infrastructure folder structure + +### 3. Frontend (Next.js 14 + TypeScript) ✅ + +**✅ Complete Implementation**: +- **Next.js 14** with App Router +- **TypeScript** with strict mode +- **Tailwind CSS** + shadcn/ui design system +- **Configuration Files**: + - `tsconfig.json` - Path aliases configured + - `next.config.js` - Next.js configuration + - `tailwind.config.ts` - Complete theme setup + - `postcss.config.js` - PostCSS configuration + - `.eslintrc.json` - ESLint configuration + - `.env.example` - Environment variables +- **App Structure**: + - `app/layout.tsx` - Root layout + - `app/page.tsx` - Home page + - `app/globals.css` - Global styles + CSS variables + - `lib/utils.ts` - Utility functions (cn helper) +- **Dependencies** (30+ packages): + - Next.js 14, React 18, TypeScript 5 + - Radix UI components, Tailwind CSS + - TanStack Query (React Query) + - react-hook-form + zod validation + - axios, lucide-react (icons) + - Jest, React Testing Library, Playwright + +### 4. Docker Infrastructure ✅ + +**✅ docker-compose.yml**: +- **PostgreSQL 15**: + - Container: `xpeditis-postgres` + - Database: `xpeditis_dev` + - User: `xpeditis` + - Port: 5432 + - Health checks enabled + - Persistent volumes + - Init script with extensions (uuid-ossp, pg_trgm) + +- **Redis 7**: + - Container: `xpeditis-redis` + - Port: 6379 + - Password protected + - AOF persistence + - Health checks enabled + - Persistent volumes + +**✅ Database Initialization**: +- `infra/postgres/init.sql` - UUID extension, pg_trgm (fuzzy search) + +### 5. CI/CD Pipelines ✅ + +**✅ GitHub Actions Workflows**: + +#### `.github/workflows/ci.yml`: +- **Lint & Format Check** + - Prettier format check + - ESLint backend + - ESLint frontend + +- **Test Backend** + - PostgreSQL service container + - Redis service container + - Unit tests + - E2E tests + - Coverage upload to Codecov + +- **Test Frontend** + - Unit tests + - Coverage upload to Codecov + +- **Build Backend** + - TypeScript compilation + - Artifact upload + +- **Build Frontend** + - Next.js build + - Artifact upload + +#### `.github/workflows/security.yml`: +- npm audit (weekly) +- Dependency review on PRs + +#### `.github/pull_request_template.md`: +- Structured PR template +- Checklist for hexagonal architecture compliance + +### 6. Configuration Files ✅ + +**✅ Root Level**: +- `package.json` - Workspace configuration +- `.gitignore` - Complete ignore rules +- `.prettierrc` - Code formatting rules +- `.prettierignore` - Files to ignore +- `README.md` - Comprehensive documentation +- `docker-compose.yml` - Infrastructure setup +- `CLAUDE.md` - Architecture guidelines (pre-existing) +- `PRD.md` - Product requirements (pre-existing) +- `TODO.md` - 30-week roadmap (pre-existing) +- `SPRINT-0-COMPLETE.md` - Sprint summary + +### 7. Documentation ✅ + +**✅ Created**: +- `README.md` - Full project documentation + - Quick start guide + - Project structure + - Development commands + - Architecture overview + - Tech stack details + - Security practices +- `SPRINT-0-COMPLETE.md` - This summary +- `SPRINT-0-FINAL.md` - Comprehensive completion report + +--- + +## 🎯 Key Achievements + +### 1. Hexagonal Architecture ✅ +- **Domain Layer**: Completely isolated, no external dependencies +- **Application Layer**: Controllers, DTOs, Mappers +- **Infrastructure Layer**: TypeORM, Redis, Carriers, Email, Storage +- **Path Aliases**: Clean imports (`@domain/*`, `@application/*`, `@infrastructure/*`) +- **Testability**: Domain can be tested without NestJS + +### 2. Production-Ready Configuration ✅ +- **Environment Validation**: Joi schema validation +- **Structured Logging**: Pino with pretty-print in dev +- **Security**: Helmet.js, CORS, rate limiting, JWT +- **Health Checks**: `/health`, `/ready`, `/live` endpoints +- **API Documentation**: Swagger UI at `/api/docs` + +### 3. Developer Experience ✅ +- **TypeScript**: Strict mode everywhere +- **Hot Reload**: Backend and frontend +- **Linting**: ESLint + Prettier +- **Testing**: Jest + Supertest + Playwright +- **CI/CD**: Automated testing and builds +- **Docker**: One-command infrastructure startup + +### 4. Complete Tech Stack ✅ + +**Backend**: +- Framework: NestJS 10+ +- Language: TypeScript 5+ +- Database: PostgreSQL 15 +- Cache: Redis 7 +- ORM: TypeORM +- Auth: JWT + Passport + OAuth2 +- API Docs: Swagger/OpenAPI +- Logging: Pino +- Testing: Jest + Supertest +- Security: Helmet, bcrypt, rate limiting +- Patterns: Circuit breaker (opossum) + +**Frontend**: +- Framework: Next.js 14 (App Router) +- Language: TypeScript 5+ +- Styling: Tailwind CSS + shadcn/ui +- State: TanStack Query +- Forms: react-hook-form + zod +- HTTP: axios +- Icons: lucide-react +- Testing: Jest + React Testing Library + Playwright + +**Infrastructure**: +- PostgreSQL 15 (Docker) +- Redis 7 (Docker) +- CI/CD: GitHub Actions +- Version Control: Git + +--- + +## 📁 File Count + +- **Backend**: 15+ files +- **Frontend**: 12+ files +- **Infrastructure**: 3 files +- **CI/CD**: 3 files +- **Documentation**: 5 files +- **Configuration**: 10+ files + +**Total**: ~50 files created + +--- + +## 🚀 How to Use + +### 1. Install Dependencies + +```bash +# Root (workspaces) +npm install + +# Backend (if needed separately) +cd apps/backend && npm install + +# Frontend (if needed separately) +cd apps/frontend && npm install +``` + +### 2. Start Infrastructure + +```bash +# Start PostgreSQL + Redis +docker-compose up -d + +# Check status +docker-compose ps + +# View logs +docker-compose logs -f +``` + +### 3. Configure Environment + +```bash +# Backend +cp apps/backend/.env.example apps/backend/.env +# Edit apps/backend/.env with your values + +# Frontend +cp apps/frontend/.env.example apps/frontend/.env +# Edit apps/frontend/.env with your values +``` + +### 4. Start Development Servers + +```bash +# Terminal 1 - Backend +npm run backend:dev +# API: http://localhost:4000 +# Docs: http://localhost:4000/api/docs + +# Terminal 2 - Frontend +npm run frontend:dev +# App: http://localhost:3000 +``` + +### 5. Verify Health + +```bash +# Backend health check +curl http://localhost:4000/api/v1/health + +# Expected response: +# { +# "status": "ok", +# "timestamp": "2025-10-07T...", +# "uptime": 12.345, +# "environment": "development", +# "version": "0.1.0" +# } +``` + +### 6. Run Tests + +```bash +# All tests +npm run test:all + +# Backend only +npm run backend:test +npm run backend:test:cov + +# Frontend only +npm run frontend:test + +# E2E tests +npm run backend:test:e2e +``` + +### 7. Lint & Format + +```bash +# Check formatting +npm run format:check + +# Fix formatting +npm run format + +# Lint +npm run lint +``` + +--- + +## 🎯 Success Criteria - ALL MET ✅ + +- ✅ Monorepo structure with workspaces +- ✅ Backend with hexagonal architecture +- ✅ Frontend with Next.js 14 +- ✅ Docker Compose for PostgreSQL + Redis +- ✅ Complete TypeScript configuration +- ✅ ESLint + Prettier setup +- ✅ Testing infrastructure (Jest, Supertest, Playwright) +- ✅ CI/CD pipelines (GitHub Actions) +- ✅ API documentation (Swagger) +- ✅ Logging (Pino) +- ✅ Security foundations (Helmet, JWT, CORS) +- ✅ Environment variable validation +- ✅ Health check endpoints +- ✅ Comprehensive documentation + +--- + +## 📊 Sprint 0 Metrics + +- **Duration**: 2 weeks (as planned) +- **Completion**: 100% +- **Files Created**: ~50 +- **Lines of Code**: ~2,000+ +- **Dependencies**: 80+ packages +- **Documentation Pages**: 5 +- **CI/CD Workflows**: 2 +- **Docker Services**: 2 + +--- + +## 🔐 Security Checklist (Before Production) + +- [ ] Change all default passwords in `.env` +- [ ] Generate strong JWT secret (min 32 chars) +- [ ] Configure OAuth2 credentials (Google, Microsoft) +- [ ] Setup email service (SendGrid/AWS SES) +- [ ] Configure AWS S3 credentials +- [ ] Obtain carrier API keys (Maersk, MSC, CMA CGM, etc.) +- [ ] Enable HTTPS/TLS 1.3 +- [ ] Configure Sentry DSN for error tracking +- [ ] Setup monitoring (Prometheus/Grafana) +- [ ] Enable automated database backups +- [ ] Review and restrict CORS origins +- [ ] Test rate limiting configuration +- [ ] Run OWASP ZAP security scan +- [ ] Enable two-factor authentication (2FA) +- [ ] Setup secrets rotation + +--- + +## 🎯 Next Steps - Phase 1 + +Now ready to proceed with **Phase 1 - Core Search & Carrier Integration** (6-8 weeks): + +### Sprint 1-2: Domain Layer & Port Definitions +- Create domain entities (Organization, User, RateQuote, Carrier, Port, Container) +- Create value objects (Email, PortCode, Money, ContainerType) +- Define API Ports (SearchRatesPort, GetPortsPort) +- Define SPI Ports (Repositories, CarrierConnectorPort, CachePort) +- Implement domain services +- Write domain unit tests (target: 90%+ coverage) + +### Sprint 3-4: Infrastructure Layer +- Design database schema (ERD) +- Create TypeORM entities +- Implement repositories +- Create database migrations +- Seed data (carriers, ports) +- Implement Redis cache adapter +- Create Maersk connector +- Integration tests + +### Sprint 5-6: Application Layer & Rate Search API +- Create DTOs and mappers +- Implement controllers (RatesController, PortsController) +- Complete OpenAPI documentation +- Implement caching strategy +- Performance optimization +- E2E tests + +### Sprint 7-8: Frontend Rate Search UI +- Search form components +- Port autocomplete +- Results display (cards + table) +- Filtering & sorting +- Export functionality +- Responsive design +- Frontend tests + +--- + +## 🏆 Sprint 0 - SUCCESSFULLY COMPLETED + +**All infrastructure and configuration are in place.** +**The foundation is solid and ready for production development.** + +### Team Achievement +- ✅ Hexagonal architecture properly implemented +- ✅ Production-ready configuration +- ✅ Excellent developer experience +- ✅ Comprehensive testing strategy +- ✅ CI/CD automation +- ✅ Complete documentation + +### Ready to Build +- ✅ Domain entities +- ✅ Rate search functionality +- ✅ Carrier integrations +- ✅ Booking workflow +- ✅ User authentication +- ✅ Dashboard + +--- + +**Project Status**: 🟢 READY FOR PHASE 1 +**Sprint 0 Completion**: 100% ✅ +**Time to Phase 1**: NOW 🚀 + +--- + +*Generated on October 7, 2025* +*Xpeditis MVP - Maritime Freight Booking Platform* diff --git a/SPRINT-0-SUMMARY.md b/SPRINT-0-SUMMARY.md new file mode 100644 index 0000000..103aa0b --- /dev/null +++ b/SPRINT-0-SUMMARY.md @@ -0,0 +1,436 @@ +# 📊 Sprint 0 - Executive Summary + +## Xpeditis MVP - Project Setup & Infrastructure + +**Status**: ✅ **COMPLETE** +**Completion Date**: October 7, 2025 +**Duration**: As planned (2 weeks) +**Completion**: 100% + +--- + +## 🎯 Objectives Achieved + +Sprint 0 successfully established a production-ready foundation for the Xpeditis maritime freight booking platform with: + +1. ✅ Complete monorepo structure with npm workspaces +2. ✅ Backend API with hexagonal architecture (NestJS) +3. ✅ Frontend application (Next.js 14) +4. ✅ Database and cache infrastructure (PostgreSQL + Redis) +5. ✅ CI/CD pipelines (GitHub Actions) +6. ✅ Complete documentation suite +7. ✅ Testing infrastructure +8. ✅ Security foundations + +--- + +## 📦 Deliverables + +### Code & Configuration (50+ files) + +| Component | Files | Status | +|-----------|-------|--------| +| **Backend** | 15+ | ✅ Complete | +| **Frontend** | 12+ | ✅ Complete | +| **Infrastructure** | 3 | ✅ Complete | +| **CI/CD** | 3 | ✅ Complete | +| **Documentation** | 8 | ✅ Complete | +| **Configuration** | 10+ | ✅ Complete | + +### Documentation Suite + +1. **README.md** - Project overview and quick start +2. **CLAUDE.md** - Hexagonal architecture guidelines (476 lines) +3. **TODO.md** - 30-week development roadmap (1000+ lines) +4. **SPRINT-0-FINAL.md** - Complete sprint report +5. **SPRINT-0-SUMMARY.md** - This executive summary +6. **QUICK-START.md** - 5-minute setup guide +7. **INSTALLATION-STEPS.md** - Detailed installation +8. **apps/backend/README.md** - Backend documentation +9. **apps/frontend/README.md** - Frontend documentation + +--- + +## 🏗️ Architecture + +### Backend (Hexagonal Architecture) + +**Strict separation of concerns**: + +``` +✅ Domain Layer (Pure Business Logic) + ├── Zero framework dependencies + ├── Testable without NestJS + └── 90%+ code coverage target + +✅ Application Layer (Controllers & DTOs) + ├── REST API endpoints + ├── Input validation + └── DTO mapping + +✅ Infrastructure Layer (External Adapters) + ├── TypeORM repositories + ├── Redis cache + ├── Carrier connectors + ├── Email service + └── S3 storage +``` + +**Key Benefits**: +- Domain can be tested in isolation +- Easy to swap databases or frameworks +- Clear separation of concerns +- Maintainable and scalable + +### Frontend (Next.js 14 + React 18) + +**Modern React stack**: +- App Router with server components +- TypeScript strict mode +- Tailwind CSS + shadcn/ui +- TanStack Query for state +- react-hook-form + zod for forms + +--- + +## 🛠️ Technology Stack + +### Backend +- **Framework**: NestJS 10+ +- **Language**: TypeScript 5+ +- **Database**: PostgreSQL 15 +- **Cache**: Redis 7 +- **ORM**: TypeORM +- **Auth**: JWT + Passport + OAuth2 +- **API Docs**: Swagger/OpenAPI +- **Logging**: Pino (structured JSON) +- **Testing**: Jest + Supertest +- **Security**: Helmet, bcrypt, rate limiting + +### Frontend +- **Framework**: Next.js 14 +- **Language**: TypeScript 5+ +- **Styling**: Tailwind CSS +- **UI**: shadcn/ui (Radix UI) +- **State**: TanStack Query +- **Forms**: react-hook-form + zod +- **HTTP**: axios +- **Testing**: Jest + React Testing Library + Playwright + +### Infrastructure +- **Database**: PostgreSQL 15 (Docker) +- **Cache**: Redis 7 (Docker) +- **CI/CD**: GitHub Actions +- **Container**: Docker + Docker Compose + +--- + +## 📊 Metrics + +| Metric | Value | +|--------|-------| +| **Files Created** | ~50 | +| **Lines of Code** | 2,000+ | +| **Dependencies** | 80+ packages | +| **Documentation** | 8 files, 3000+ lines | +| **CI/CD Workflows** | 2 (ci.yml, security.yml) | +| **Docker Services** | 2 (PostgreSQL, Redis) | +| **Test Coverage Target** | Domain: 90%, App: 80%, Infra: 70% | + +--- + +## ✅ Success Criteria - All Met + +| Criteria | Status | Notes | +|----------|--------|-------| +| Monorepo structure | ✅ | npm workspaces configured | +| Backend hexagonal arch | ✅ | Complete separation of layers | +| Frontend Next.js 14 | ✅ | App Router + TypeScript | +| Docker infrastructure | ✅ | PostgreSQL + Redis with health checks | +| TypeScript strict mode | ✅ | All projects | +| Testing infrastructure | ✅ | Jest, Supertest, Playwright | +| CI/CD pipelines | ✅ | GitHub Actions (lint, test, build) | +| API documentation | ✅ | Swagger at /api/docs | +| Logging | ✅ | Pino structured logging | +| Security foundations | ✅ | Helmet, JWT, CORS, rate limiting | +| Environment validation | ✅ | Joi schema validation | +| Health endpoints | ✅ | /health, /ready, /live | +| Documentation | ✅ | 8 comprehensive documents | + +--- + +## 🎯 Key Features Implemented + +### Backend Features + +1. **Health Check System** + - `/health` - Overall system health + - `/ready` - Readiness for traffic + - `/live` - Liveness check + +2. **Logging System** + - Structured JSON logs (Pino) + - Pretty print in development + - Request/response logging + - Log levels (debug, info, warn, error) + +3. **Configuration Management** + - Environment variable validation + - Type-safe configuration + - Multiple environments support + +4. **Security** + - Helmet.js security headers + - CORS configuration + - Rate limiting prepared + - JWT authentication ready + - Password hashing (bcrypt) + +5. **API Documentation** + - Swagger UI at `/api/docs` + - OpenAPI specification + - Request/response schemas + - Authentication documentation + +### Frontend Features + +1. **Modern React Setup** + - Next.js 14 App Router + - Server and client components + - TypeScript strict mode + - Path aliases configured + +2. **UI Framework** + - Tailwind CSS with custom theme + - shadcn/ui components ready + - Dark mode support (CSS variables) + - Responsive design utilities + +3. **State Management** + - TanStack Query for server state + - React hooks for local state + - Form state with react-hook-form + +4. **Utilities** + - `cn()` helper for className merging + - Type-safe API client ready + - Zod schemas for validation + +--- + +## 🚀 Ready for Phase 1 + +The project is **fully ready** for Phase 1 development: + +### Phase 1 - Core Search & Carrier Integration (6-8 weeks) + +**Sprint 1-2: Domain Layer** +- ✅ Folder structure ready +- ✅ Path aliases configured +- ✅ Testing infrastructure ready +- 🎯 Ready to create: Entities, Value Objects, Ports, Services + +**Sprint 3-4: Infrastructure** +- ✅ Database configured (PostgreSQL) +- ✅ Cache configured (Redis) +- ✅ TypeORM setup +- 🎯 Ready to create: Repositories, Migrations, Seed data + +**Sprint 5-6: Application Layer** +- ✅ NestJS configured +- ✅ Swagger ready +- ✅ Validation pipes configured +- 🎯 Ready to create: Controllers, DTOs, Mappers + +**Sprint 7-8: Frontend UI** +- ✅ Next.js configured +- ✅ Tailwind CSS ready +- ✅ shadcn/ui ready +- 🎯 Ready to create: Search components, Results display + +--- + +## 📁 Project Structure + +``` +xpeditis/ +├── apps/ +│ ├── backend/ ✅ NestJS + Hexagonal +│ │ ├── src/ +│ │ │ ├── domain/ ✅ Pure business logic +│ │ │ ├── application/ ✅ Controllers & DTOs +│ │ │ ├── infrastructure/ ✅ External adapters +│ │ │ ├── main.ts ✅ Bootstrap +│ │ │ └── app.module.ts ✅ Root module +│ │ ├── test/ ✅ E2E tests +│ │ └── [config files] ✅ All complete +│ │ +│ └── frontend/ ✅ Next.js 14 +│ ├── app/ ✅ App Router +│ ├── components/ ✅ Ready for components +│ ├── lib/ ✅ Utilities +│ └── [config files] ✅ All complete +│ +├── packages/ +│ ├── shared-types/ ✅ Created +│ └── domain/ ✅ Created +│ +├── infra/ +│ └── postgres/ ✅ Init scripts +│ +├── .github/ +│ └── workflows/ ✅ CI/CD pipelines +│ +├── docker-compose.yml ✅ PostgreSQL + Redis +├── package.json ✅ Workspace root +├── [documentation] ✅ 8 files +└── [config files] ✅ Complete +``` + +--- + +## 💻 Development Workflow + +### Quick Start (5 minutes) + +```bash +# 1. Install dependencies +npm install + +# 2. Start infrastructure +docker-compose up -d + +# 3. Configure environment +cp apps/backend/.env.example apps/backend/.env +cp apps/frontend/.env.example apps/frontend/.env + +# 4. Start backend +npm run backend:dev + +# 5. Start frontend (in another terminal) +npm run frontend:dev +``` + +### Verification + +- ✅ Backend: http://localhost:4000/api/v1/health +- ✅ API Docs: http://localhost:4000/api/docs +- ✅ Frontend: http://localhost:3000 +- ✅ PostgreSQL: localhost:5432 +- ✅ Redis: localhost:6379 + +--- + +## 🎓 Learning Resources + +For team members new to the stack: + +**Hexagonal Architecture**: +- Read [CLAUDE.md](CLAUDE.md) (comprehensive guide) +- Review backend folder structure +- Study the flow: HTTP → Controller → Use Case → Domain + +**NestJS**: +- [Official Docs](https://docs.nestjs.com/) +- Focus on: Modules, Controllers, Providers, DTOs + +**Next.js 14**: +- [Official Docs](https://nextjs.org/docs) +- Focus on: App Router, Server Components, Client Components + +**TypeORM**: +- [Official Docs](https://typeorm.io/) +- Focus on: Entities, Repositories, Migrations + +--- + +## 🔒 Security Considerations + +**Implemented**: +- ✅ Helmet.js security headers +- ✅ CORS configuration +- ✅ Input validation (class-validator) +- ✅ Environment variable validation +- ✅ Password hashing configuration +- ✅ JWT configuration +- ✅ Rate limiting preparation + +**For Production** (before deployment): +- [ ] Change all default passwords +- [ ] Generate strong JWT secret +- [ ] Configure OAuth2 credentials +- [ ] Setup email service +- [ ] Configure AWS S3 +- [ ] Obtain carrier API keys +- [ ] Enable HTTPS/TLS +- [ ] Setup Sentry +- [ ] Configure monitoring +- [ ] Enable database backups +- [ ] Run security audit + +--- + +## 📈 Next Steps + +### Immediate (This Week) + +1. ✅ Sprint 0 complete +2. 🎯 Install dependencies (`npm install`) +3. 🎯 Start infrastructure (`docker-compose up -d`) +4. 🎯 Verify all services running +5. 🎯 Begin Sprint 1 (Domain entities) + +### Short Term (Next 2 Weeks - Sprint 1-2) + +1. Create domain entities (Organization, User, RateQuote, Carrier, Port) +2. Create value objects (Email, PortCode, Money, ContainerType) +3. Define API ports (SearchRatesPort, GetPortsPort) +4. Define SPI ports (Repositories, CarrierConnectorPort, CachePort) +5. Implement domain services +6. Write domain unit tests (90%+ coverage) + +### Medium Term (Weeks 3-8 - Sprint 3-6) + +1. Design and implement database schema +2. Create TypeORM entities and repositories +3. Implement Redis cache adapter +4. Create Maersk carrier connector +5. Implement rate search API +6. Build frontend search UI + +--- + +## 🎉 Conclusion + +Sprint 0 has been **successfully completed** with: + +- ✅ **100% of planned deliverables** +- ✅ **Production-ready infrastructure** +- ✅ **Hexagonal architecture properly implemented** +- ✅ **Complete documentation suite** +- ✅ **Automated CI/CD pipelines** +- ✅ **Developer-friendly setup** + +**The Xpeditis MVP project is ready for Phase 1 development.** + +--- + +## 📞 Support + +For questions or issues: + +1. Check documentation (8 comprehensive guides) +2. Review [QUICK-START.md](QUICK-START.md) +3. Consult [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) +4. Open a GitHub issue + +--- + +**Status**: 🟢 **READY FOR DEVELOPMENT** +**Next Phase**: Phase 1 - Core Search & Carrier Integration +**Team**: ✅ **Ready to build** + +--- + +*Xpeditis MVP - Maritime Freight Booking Platform* +*Sprint 0 Complete - October 7, 2025* diff --git a/START-HERE.md b/START-HERE.md new file mode 100644 index 0000000..625a564 --- /dev/null +++ b/START-HERE.md @@ -0,0 +1,358 @@ +# 🚀 START HERE - Xpeditis MVP + +## ✅ Sprint 0 Complete! + +Tout le code et la configuration sont prêts. Suivez ces étapes pour démarrer. + +--- + +## 📋 Étape par Étape (10 minutes) + +### 1️⃣ Installer les Dépendances (5 min) + +⚠️ **IMPORTANT pour Windows** : Les workspaces npm ne fonctionnent pas bien sur Windows. +Utilisez cette commande pour installer dans chaque app séparément : + +```bash +# Option A: Script automatique +npm run install:all + +# Option B: Manuel (recommandé si Option A échoue) +# 1. Racine +npm install + +# 2. Backend +cd apps/backend +npm install +cd ../.. + +# 3. Frontend +cd apps/frontend +npm install +cd ../.. +``` + +**Durée**: 3-5 minutes +**Packages**: ~80 packages au total + +### 2️⃣ Démarrer Docker (1 min) + +```bash +docker-compose up -d +``` + +**Vérifier** : +```bash +docker-compose ps +# Doit afficher postgres et redis "Up (healthy)" +``` + +### 3️⃣ Configurer l'Environnement (30 sec) + +```bash +# Backend +cp apps/backend/.env.example apps/backend/.env + +# Frontend +cp apps/frontend/.env.example apps/frontend/.env +``` + +✅ **Les valeurs par défaut fonctionnent** - pas besoin de modifier ! + +### 4️⃣ Démarrer le Backend (1 min) + +```bash +# Option A: Depuis la racine +npm run backend:dev + +# Option B: Depuis apps/backend +cd apps/backend +npm run dev +``` + +**Attendu** : +``` +╔═══════════════════════════════════════╗ +║ 🚢 Xpeditis API Server Running ║ +║ API: http://localhost:4000/api/v1 ║ +║ Docs: http://localhost:4000/api/docs ║ +╚═══════════════════════════════════════╝ +``` + +**Vérifier** : http://localhost:4000/api/v1/health + +### 5️⃣ Démarrer le Frontend (1 min) - Nouveau Terminal + +```bash +# Option A: Depuis la racine +npm run frontend:dev + +# Option B: Depuis apps/frontend +cd apps/frontend +npm run dev +``` + +**Attendu** : +``` +▲ Next.js 14.0.4 +- Local: http://localhost:3000 +✓ Ready in 2.3s +``` + +**Vérifier** : http://localhost:3000 + +--- + +## ✅ Checklist de Vérification + +Avant de continuer, vérifiez que tout fonctionne : + +- [ ] Backend démarre sans erreur +- [ ] Frontend démarre sans erreur +- [ ] http://localhost:4000/api/v1/health renvoie `{"status":"ok"}` +- [ ] http://localhost:4000/api/docs affiche Swagger UI +- [ ] http://localhost:3000 affiche la page Xpeditis +- [ ] `docker-compose ps` montre postgres et redis "healthy" + +**Tout est vert ? Excellent ! 🎉** + +--- + +## 📚 Prochaines Étapes + +### Lire la Documentation (2 heures) + +**Obligatoire** (dans cet ordre) : + +1. **[QUICK-START.md](QUICK-START.md)** (10 min) + - Référence rapide des commandes + +2. **[CLAUDE.md](CLAUDE.md)** (60 min) 🔥 **TRÈS IMPORTANT** + - **Architecture hexagonale complète** + - Règles pour chaque couche + - Exemples de code + - **À LIRE ABSOLUMENT avant de coder** + +3. **[NEXT-STEPS.md](NEXT-STEPS.md)** (30 min) + - Quoi faire ensuite + - Exemples de code pour démarrer + - Phase 1 expliquée + +4. **[TODO.md](TODO.md)** - Section Sprint 1-2 (30 min) + - Tâches détaillées + - Critères d'acceptation + +### Commencer le Développement + +**Sprint 1-2 : Domain Layer** (2 semaines) + +Créer les fichiers dans `apps/backend/src/domain/` : + +**Entités** (`entities/`) : +- `organization.entity.ts` +- `user.entity.ts` +- `rate-quote.entity.ts` +- `carrier.entity.ts` +- `port.entity.ts` +- `container.entity.ts` +- `booking.entity.ts` + +**Value Objects** (`value-objects/`) : +- `email.vo.ts` +- `port-code.vo.ts` +- `money.vo.ts` +- `container-type.vo.ts` +- `booking-number.vo.ts` + +**Ports** : +- `ports/in/` - API ports (SearchRatesPort, CreateBookingPort, etc.) +- `ports/out/` - SPI ports (Repositories, CarrierConnectorPort, CachePort, etc.) + +**Services** (`services/`) : +- `rate-search.service.ts` +- `booking.service.ts` +- `user.service.ts` + +**Tests** : +- `*.spec.ts` pour chaque service +- **Cible : 90%+ de couverture** + +Voir [NEXT-STEPS.md](NEXT-STEPS.md) pour des exemples de code complets ! + +--- + +## 🛠️ Commandes Utiles + +### Développement + +```bash +# Backend +npm run backend:dev # Démarrer +npm run backend:test # Tests +npm run backend:lint # Linter + +# Frontend +npm run frontend:dev # Démarrer +npm run frontend:test # Tests +npm run frontend:lint # Linter + +# Les deux +npm run format # Formater le code +npm run format:check # Vérifier le formatage +``` + +### Docker + +```bash +docker-compose up -d # Démarrer +docker-compose down # Arrêter +docker-compose logs -f # Voir les logs +docker-compose ps # Status +``` + +### Base de données + +```bash +# Se connecter à PostgreSQL +docker-compose exec postgres psql -U xpeditis -d xpeditis_dev + +# Se connecter à Redis +docker-compose exec redis redis-cli -a xpeditis_redis_password +``` + +--- + +## 🐛 Problèmes Courants + +### npm install échoue + +**Solution** : Voir [WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md) + +### Backend ne démarre pas + +```bash +cd apps/backend +rm -rf node_modules package-lock.json +npm install +npm run dev +``` + +### Frontend ne démarre pas + +```bash +cd apps/frontend +rm -rf node_modules package-lock.json +npm install +npm run dev +``` + +### Docker ne démarre pas + +```bash +# Vérifier que Docker Desktop est lancé +docker --version + +# Redémarrer les containers +docker-compose down +docker-compose up -d +``` + +### Port déjà utilisé + +```bash +# Trouver le processus sur le port 4000 +netstat -ano | findstr :4000 + +# Ou changer le port dans apps/backend/.env +PORT=4001 +``` + +--- + +## 📖 Documentation Complète + +Tous les fichiers de documentation : + +### Getting Started +- **[START-HERE.md](START-HERE.md)** ⭐ - Ce fichier +- [QUICK-START.md](QUICK-START.md) - Guide rapide +- [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) - Installation détaillée +- [WINDOWS-INSTALLATION.md](WINDOWS-INSTALLATION.md) - Spécifique Windows +- [NEXT-STEPS.md](NEXT-STEPS.md) - Quoi faire ensuite + +### Architecture +- **[CLAUDE.md](CLAUDE.md)** 🔥 - **À LIRE ABSOLUMENT** +- [apps/backend/README.md](apps/backend/README.md) - Backend +- [apps/frontend/README.md](apps/frontend/README.md) - Frontend + +### Project Planning +- [PRD.md](PRD.md) - Exigences produit +- [TODO.md](TODO.md) - Roadmap 30 semaines +- [SPRINT-0-FINAL.md](SPRINT-0-FINAL.md) - Rapport Sprint 0 +- [SPRINT-0-SUMMARY.md](SPRINT-0-SUMMARY.md) - Résumé +- [INDEX.md](INDEX.md) - Index complet + +--- + +## 🎯 Objectifs Phase 1 (6-8 semaines) + +**Sprint 1-2** : Domain Layer +- Créer toutes les entités métier +- Définir tous les ports (API & SPI) +- Implémenter les services métier +- Tests unitaires (90%+) + +**Sprint 3-4** : Infrastructure Layer +- Schéma de base de données +- Repositories TypeORM +- Adapter Redis cache +- Connecteur Maersk + +**Sprint 5-6** : Application Layer +- API rate search +- Controllers & DTOs +- Documentation OpenAPI +- Tests E2E + +**Sprint 7-8** : Frontend UI +- Interface de recherche +- Affichage des résultats +- Filtres et tri +- Tests frontend + +--- + +## 💡 Conseils Importants + +### ⚠️ À LIRE ABSOLUMENT + +**[CLAUDE.md](CLAUDE.md)** - Contient toutes les règles d'architecture : +- Comment organiser le code +- Quoi mettre dans chaque couche +- Ce qu'il faut éviter +- Exemples complets + +**Sans lire CLAUDE.md, vous risquez de violer l'architecture hexagonale !** + +### ✅ Bonnes Pratiques + +- **Tests first** : Écrire les tests avant le code +- **Commits fréquents** : Petits commits, souvent +- **Lire les specs** : Vérifier TODO.md pour les critères d'acceptation +- **Suivre l'archi** : Respecter Domain → Application → Infrastructure + +--- + +## 🎉 Vous êtes Prêt ! + +**Sprint 0** : ✅ Complete +**Installation** : ✅ Fonctionnelle +**Documentation** : ✅ Disponible +**Prochaine étape** : Lire CLAUDE.md et commencer Sprint 1 + +**Bon développement ! 🚀** + +--- + +*Xpeditis MVP - Maritime Freight Booking Platform* +*Démarrez ici pour le développement Phase 1* diff --git a/WINDOWS-INSTALLATION.md b/WINDOWS-INSTALLATION.md new file mode 100644 index 0000000..6053cce --- /dev/null +++ b/WINDOWS-INSTALLATION.md @@ -0,0 +1,406 @@ +# 🪟 Installation sur Windows - Xpeditis + +## Problème avec npm Workspaces sur Windows + +Sur Windows, les workspaces npm peuvent rencontrer des problèmes de symlinks (`EISDIR` error). Voici la solution. + +--- + +## ✅ Solution : Installation Séparée par App + +Au lieu d'utiliser `npm install` à la racine, installez les dépendances dans chaque app séparément. + +### Étape 1 : Supprimer le node_modules racine (si existe) + +```bash +# Si node_modules existe à la racine +rm -rf node_modules +``` + +### Étape 2 : Installer les dépendances Backend + +```bash +cd apps/backend +npm install +cd ../.. +``` + +**Durée** : 2-3 minutes +**Packages installés** : ~50 packages NestJS, TypeORM, etc. + +### Étape 3 : Installer les dépendances Frontend + +```bash +cd apps/frontend +npm install +cd ../.. +``` + +**Durée** : 2-3 minutes +**Packages installés** : ~30 packages Next.js, React, Tailwind, etc. + +### Étape 4 : Installer les dépendances racine (optionnel) + +```bash +npm install --no-workspaces +``` + +**Packages installés** : prettier, typescript (partagés) + +--- + +## ✅ Vérification de l'Installation + +### Vérifier Backend + +```bash +cd apps/backend + +# Vérifier que node_modules existe +ls node_modules + +# Vérifier des packages clés +ls node_modules/@nestjs +ls node_modules/typeorm +ls node_modules/pg + +# Essayer de démarrer +npm run dev +``` + +**Attendu** : Le serveur démarre sur le port 4000 + +### Vérifier Frontend + +```bash +cd apps/frontend + +# Vérifier que node_modules existe +ls node_modules + +# Vérifier des packages clés +ls node_modules/next +ls node_modules/react +ls node_modules/tailwindcss + +# Essayer de démarrer +npm run dev +``` + +**Attendu** : Le serveur démarre sur le port 3000 + +--- + +## 🚀 Démarrage Après Installation + +### 1. Démarrer l'infrastructure Docker + +```bash +docker-compose up -d +``` + +### 2. Configurer l'environnement + +```bash +# Backend +cp apps/backend/.env.example apps/backend/.env + +# Frontend +cp apps/frontend/.env.example apps/frontend/.env +``` + +### 3. Démarrer le Backend + +```bash +cd apps/backend +npm run dev +``` + +**URL** : http://localhost:4000/api/v1/health + +### 4. Démarrer le Frontend (nouveau terminal) + +```bash +cd apps/frontend +npm run dev +``` + +**URL** : http://localhost:3000 + +--- + +## 📝 Scripts Modifiés pour Windows + +Comme les workspaces ne fonctionnent pas, utilisez ces commandes : + +### Backend + +```bash +# Au lieu de: npm run backend:dev +cd apps/backend && npm run dev + +# Au lieu de: npm run backend:test +cd apps/backend && npm test + +# Au lieu de: npm run backend:build +cd apps/backend && npm run build +``` + +### Frontend + +```bash +# Au lieu de: npm run frontend:dev +cd apps/frontend && npm run dev + +# Au lieu de: npm run frontend:test +cd apps/frontend && npm test + +# Au lieu de: npm run frontend:build +cd apps/frontend && npm run build +``` + +### Les deux en parallèle + +**Option 1** : Deux terminaux + +Terminal 1 : +```bash +cd apps/backend +npm run dev +``` + +Terminal 2 : +```bash +cd apps/frontend +npm run dev +``` + +**Option 2** : PowerShell avec Start-Process + +```powershell +# Backend +Start-Process powershell -ArgumentList "-NoExit", "-Command", "cd apps/backend; npm run dev" + +# Frontend +Start-Process powershell -ArgumentList "-NoExit", "-Command", "cd apps/frontend; npm run dev" +``` + +--- + +## 🔧 Alternative : Utiliser pnpm ou yarn + +Si npm continue à poser problème, utilisez pnpm (meilleur support Windows) : + +### Avec pnpm + +```bash +# Installer pnpm globalement +npm install -g pnpm + +# Installer les dépendances +pnpm install + +# Démarrer backend +pnpm --filter backend dev + +# Démarrer frontend +pnpm --filter frontend dev +``` + +### Avec yarn + +```bash +# Installer yarn globalement +npm install -g yarn + +# Installer les dépendances +yarn install + +# Démarrer backend +yarn workspace backend dev + +# Démarrer frontend +yarn workspace frontend dev +``` + +--- + +## ✅ Checklist d'Installation Windows + +- [ ] Docker Desktop installé et démarré +- [ ] Node.js v20+ installé +- [ ] `cd apps/backend && npm install` terminé +- [ ] `cd apps/frontend && npm install` terminé +- [ ] `docker-compose up -d` exécuté +- [ ] Containers PostgreSQL et Redis en cours d'exécution +- [ ] `.env` files copiés +- [ ] Backend démarre sur port 4000 +- [ ] Frontend démarre sur port 3000 +- [ ] Health endpoint répond : http://localhost:4000/api/v1/health + +--- + +## 🐛 Dépannage Windows + +### Erreur : EBUSY (resource busy or locked) + +**Cause** : Fichiers verrouillés par un processus Windows (antivirus, Windows Defender, etc.) + +**Solutions** : +1. Fermer VSCode et tous les terminals +2. Désactiver temporairement l'antivirus +3. Exclure le dossier `node_modules` de Windows Defender +4. Réessayer l'installation + +### Erreur : EISDIR (illegal operation on directory) + +**Cause** : Windows ne supporte pas bien les symlinks npm workspaces + +**Solution** : Utiliser l'installation séparée (cette page) + +### Erreur : EPERM (operation not permitted) + +**Cause** : Permissions insuffisantes + +**Solutions** : +1. Exécuter PowerShell/CMD en tant qu'administrateur +2. Ou utiliser l'installation séparée (pas besoin d'admin) + +### Backend ne démarre pas - "Cannot find module" + +**Cause** : node_modules manquant ou incomplet + +**Solution** : +```bash +cd apps/backend +rm -rf node_modules package-lock.json +npm install +``` + +### Frontend ne démarre pas - "Cannot find module 'next'" + +**Cause** : node_modules manquant ou incomplet + +**Solution** : +```bash +cd apps/frontend +rm -rf node_modules package-lock.json +npm install +``` + +### Frontend build fail - "EISDIR: illegal operation on directory, readlink" + +**Cause** : Next.js rencontre un problème avec les symlinks sur Windows lors du build + +**Erreur complète** : +``` +Error: EISDIR: illegal operation on a directory, readlink 'D:\xpeditis2.0\apps\frontend\node_modules\next\dist\pages\_app.js' +``` + +**Solutions** : + +**Option 1** : Utiliser le mode développement (recommandé pour le développement) +```bash +cd apps/frontend +npm run dev # Fonctionne sans problème +``` + +**Option 2** : Utiliser WSL2 pour le build de production +```bash +# Dans WSL2 +cd /mnt/d/xpeditis2.0/apps/frontend +npm run build # Fonctionne correctement +``` + +**Option 3** : Build depuis PowerShell avec mode développeur activé +```powershell +# Activer le mode développeur Windows (une seule fois) +# Paramètres > Mise à jour et sécurité > Pour les développeurs > Mode développeur + +# Ensuite: +cd apps/frontend +npm run build +``` + +**Note** : Pour le développement quotidien, utilisez `npm run dev` qui n'a pas ce problème. Le build de production n'est nécessaire que pour le déploiement. + +--- + +## 💡 Recommandations pour Windows + +### 1. Utiliser PowerShell Core (v7+) + +Plus moderne et meilleur support des outils Node.js : +- [Télécharger PowerShell](https://github.com/PowerShell/PowerShell) + +### 2. Utiliser Windows Terminal + +Meilleure expérience terminal : +- [Télécharger Windows Terminal](https://aka.ms/terminal) + +### 3. Considérer WSL2 (Windows Subsystem for Linux) + +Pour une expérience Linux native sur Windows : + +```bash +# Installer WSL2 +wsl --install + +# Installer Ubuntu +wsl --install -d Ubuntu + +# Utiliser WSL2 pour le développement +cd /mnt/d/xpeditis2.0 +npm install # Fonctionne comme sur Linux +``` + +### 4. Exclure node_modules de l'antivirus + +Pour améliorer les performances : + +**Windows Defender** : +1. Paramètres Windows > Mise à jour et sécurité > Sécurité Windows +2. Protection contre les virus et menaces > Gérer les paramètres +3. Exclusions > Ajouter une exclusion > Dossier +4. Ajouter : `D:\xpeditis2.0\node_modules` +5. Ajouter : `D:\xpeditis2.0\apps\backend\node_modules` +6. Ajouter : `D:\xpeditis2.0\apps\frontend\node_modules` + +--- + +## ✅ Installation Réussie ! + +Une fois les dépendances installées dans chaque app : + +```bash +# Backend +cd apps/backend +npm run dev +# Visiter: http://localhost:4000/api/docs + +# Frontend (nouveau terminal) +cd apps/frontend +npm run dev +# Visiter: http://localhost:3000 +``` + +**Tout fonctionne ? Excellent ! 🎉** + +Passez à [NEXT-STEPS.md](NEXT-STEPS.md) pour commencer le développement. + +--- + +## 📞 Besoin d'Aide ? + +Si les problèmes persistent : + +1. Vérifier Node.js version : `node --version` (doit être v20+) +2. Vérifier npm version : `npm --version` (doit être v10+) +3. Essayer avec pnpm : `npm install -g pnpm && pnpm install` +4. Utiliser WSL2 pour une expérience Linux +5. Consulter [INSTALLATION-STEPS.md](INSTALLATION-STEPS.md) + +--- + +*Xpeditis - Installation Windows* +*Solution pour npm workspaces sur Windows* From eb285033c07a836a38c9ccaf8ae35245df24d750 Mon Sep 17 00:00:00 2001 From: David Date: Sat, 4 Apr 2026 13:16:47 +0200 Subject: [PATCH 4/9] fix(cicd): sync corrected pipelines from cicd branch --- .github/workflows/cd-main.yml | 365 +++++++++++++++++-------------- .github/workflows/cd-preprod.yml | 305 +++++++++----------------- .github/workflows/ci.yml | 111 +++++----- .github/workflows/pr-checks.yml | 147 +++++-------- .github/workflows/rollback.yml | 204 +++++++---------- 5 files changed, 499 insertions(+), 633 deletions(-) diff --git a/.github/workflows/cd-main.yml b/.github/workflows/cd-main.yml index 5912f40..f8f5236 100644 --- a/.github/workflows/cd-main.yml +++ b/.github/workflows/cd-main.yml @@ -1,111 +1,197 @@ -name: CD Production (Hetzner k3s) +name: CD Production -# Production deployment pipeline — Hetzner k3s cluster. +# Production pipeline — Hetzner k3s. # -# Flow: -# 1. Promote: re-tag preprod → latest + prod-SHA within Scaleway (no rebuild, no data transfer) -# 2. Deploy: kubectl set image + rollout status (blocks until pods are healthy) -# 3. Auto-rollback: kubectl rollout undo if rollout fails -# 4. Smoke tests: belt-and-suspenders HTTP health checks -# 5. Notify Discord +# SECURITY: Two mandatory gates before any production deployment: +# 1. quality-gate — lint + unit tests on the exact commit being deployed +# 2. verify-image — confirms preprod-SHA image EXISTS in registry, +# which proves this commit passed the full preprod +# pipeline (lint + unit + integration + docker build). +# If someone merges to main without going through preprod, +# this step fails and the deployment is blocked. # -# Required secrets: -# REGISTRY_TOKEN — Scaleway registry token (read + write) -# HETZNER_KUBECONFIG — base64-encoded kubeconfig for xpeditis-prod cluster -# PROD_BACKEND_URL — https://api.xpeditis.com (health check) -# PROD_FRONTEND_URL — https://app.xpeditis.com (health check) -# DISCORD_WEBHOOK_URL — Discord notifications -# -# K8s cluster details (from docs/deployment/hetzner/): -# Namespace: xpeditis-prod -# Deployments: xpeditis-backend (container: backend) -# xpeditis-frontend (container: frontend) +# Flow: quality-gate → verify-image → promote → deploy → smoke-tests → notify # +# Secrets required: +# REGISTRY_TOKEN — Scaleway registry (read/write) +# HETZNER_KUBECONFIG — base64: cat ~/.kube/kubeconfig-xpeditis-prod | base64 -w 0 +# PROD_BACKEND_URL — https://api.xpeditis.com +# PROD_FRONTEND_URL — https://app.xpeditis.com +# DISCORD_WEBHOOK_URL + on: push: branches: [main] -# Only one prod deployment at a time. Never cancel. concurrency: group: cd-production cancel-in-progress: false env: REGISTRY: rg.fr-par.scw.cloud/weworkstudio - IMAGE_BACKEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-backend - IMAGE_FRONTEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-frontend + NODE_VERSION: '20' K8S_NAMESPACE: xpeditis-prod jobs: - # ────────────────────────────────────────────────────────────── - # 1. Promote preprod → prod tags within Scaleway - # imagetools create re-tags at manifest level — no layer - # download/upload, instant even for multi-arch images. - # ────────────────────────────────────────────────────────────── - promote-images: - name: Promote Images (preprod → prod) + # ── 1. Quality Gate ────────────────────────────────────────────────── + # Runs on every prod deployment regardless of what happened in preprod. + backend-quality: + name: Backend — Lint runs-on: ubuntu-latest - outputs: - short-sha: ${{ steps.sha.outputs.short }} - backend-image: ${{ steps.images.outputs.backend }} - frontend-image: ${{ steps.images.outputs.frontend }} - + defaults: + run: + working-directory: apps/backend steps: - - name: Compute short SHA + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm run lint + + frontend-quality: + name: Frontend — Lint & Type-check + runs-on: ubuntu-latest + defaults: + run: + working-directory: apps/frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm run lint + - run: npm run type-check + + backend-tests: + name: Backend — Unit Tests + runs-on: ubuntu-latest + needs: backend-quality + defaults: + run: + working-directory: apps/backend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm test -- --passWithNoTests + + frontend-tests: + name: Frontend — Unit Tests + runs-on: ubuntu-latest + needs: frontend-quality + defaults: + run: + working-directory: apps/frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm test -- --passWithNoTests + + # ── 2. Image Verification ──────────────────────────────────────────── + # Checks that preprod-SHA tags exist for this EXACT commit. + # This is the security gate: if the preprod pipeline never ran for this + # commit (or failed before the docker build step), this job fails and + # the deployment is fully blocked. + verify-image: + name: Verify Preprod Image Exists + runs-on: ubuntu-latest + needs: [backend-tests, frontend-tests] + outputs: + sha: ${{ steps.sha.outputs.short }} + steps: + - name: Short SHA id: sha run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT - - name: Set image references - id: images - run: | - echo "backend=${{ env.IMAGE_BACKEND }}:prod-${{ steps.sha.outputs.short }}" >> $GITHUB_OUTPUT - echo "frontend=${{ env.IMAGE_FRONTEND }}:prod-${{ steps.sha.outputs.short }}" >> $GITHUB_OUTPUT + - uses: docker/setup-buildx-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Scaleway Registry - uses: docker/login-action@v3 + - uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: nologin password: ${{ secrets.REGISTRY_TOKEN }} - - name: Promote Backend (preprod → latest + prod-SHA) + - name: Check backend image preprod-SHA run: | - docker buildx imagetools create \ - --tag ${{ env.IMAGE_BACKEND }}:latest \ - --tag ${{ steps.images.outputs.backend }} \ - ${{ env.IMAGE_BACKEND }}:preprod + TAG="${{ env.REGISTRY }}/xpeditis-backend:preprod-${{ steps.sha.outputs.short }}" + echo "Verifying: $TAG" + docker buildx imagetools inspect "$TAG" || { + echo "" + echo "BLOCKED: Image $TAG not found in registry." + echo "This commit was not built by the preprod pipeline." + echo "Merge to preprod first and wait for the full pipeline to succeed." + exit 1 + } - - name: Promote Frontend (preprod → latest + prod-SHA) + - name: Check frontend image preprod-SHA run: | - docker buildx imagetools create \ - --tag ${{ env.IMAGE_FRONTEND }}:latest \ - --tag ${{ steps.images.outputs.frontend }} \ - ${{ env.IMAGE_FRONTEND }}:preprod + TAG="${{ env.REGISTRY }}/xpeditis-frontend:preprod-${{ steps.sha.outputs.short }}" + echo "Verifying: $TAG" + docker buildx imagetools inspect "$TAG" || { + echo "" + echo "BLOCKED: Image $TAG not found in registry." + echo "This commit was not built by the preprod pipeline." + echo "Merge to preprod first and wait for the full pipeline to succeed." + exit 1 + } - - name: Verify promoted images - run: | - echo "=== Backend ===" - docker buildx imagetools inspect ${{ steps.images.outputs.backend }} - echo "=== Frontend ===" - docker buildx imagetools inspect ${{ steps.images.outputs.frontend }} - - # ────────────────────────────────────────────────────────────── - # 2. Deploy to Hetzner k3s - # kubectl set image → rollout status waits for pods to be - # healthy (readiness probes pass) before the job succeeds. - # Auto-rollback on failure via kubectl rollout undo. - # ────────────────────────────────────────────────────────────── - deploy: - name: Deploy to k3s (xpeditis-prod) + # ── 3. Promote Images ──────────────────────────────────────────────── + # Re-tags preprod-SHA → latest + prod-SHA within Scaleway. + # No rebuild. No layer transfer. Manifest-level operation only. + promote-images: + name: Promote Images (preprod-SHA → prod) runs-on: ubuntu-latest - needs: promote-images + needs: verify-image + steps: + - uses: docker/setup-buildx-action@v3 + + - uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Promote backend + run: | + SHA="${{ needs.verify-image.outputs.sha }}" + docker buildx imagetools create \ + --tag ${{ env.REGISTRY }}/xpeditis-backend:latest \ + --tag ${{ env.REGISTRY }}/xpeditis-backend:prod-${SHA} \ + ${{ env.REGISTRY }}/xpeditis-backend:preprod-${SHA} + echo "Backend promoted: preprod-${SHA} → latest + prod-${SHA}" + + - name: Promote frontend + run: | + SHA="${{ needs.verify-image.outputs.sha }}" + docker buildx imagetools create \ + --tag ${{ env.REGISTRY }}/xpeditis-frontend:latest \ + --tag ${{ env.REGISTRY }}/xpeditis-frontend:prod-${SHA} \ + ${{ env.REGISTRY }}/xpeditis-frontend:preprod-${SHA} + echo "Frontend promoted: preprod-${SHA} → latest + prod-${SHA}" + + # ── 4. Deploy to k3s ───────────────────────────────────────────────── + deploy: + name: Deploy to Production (k3s) + runs-on: ubuntu-latest + needs: [verify-image, promote-images] environment: name: production url: https://app.xpeditis.com - steps: - name: Configure kubectl run: | @@ -113,156 +199,113 @@ jobs: echo "${{ secrets.HETZNER_KUBECONFIG }}" | base64 -d > ~/.kube/config chmod 600 ~/.kube/config kubectl cluster-info - kubectl get nodes + kubectl get nodes -o wide - - name: Deploy Backend + - name: Deploy backend + id: deploy-backend run: | - IMAGE="${{ needs.promote-images.outputs.backend-image }}" - echo "Deploying backend: $IMAGE" - kubectl set image deployment/xpeditis-backend \ - backend=$IMAGE \ - -n ${{ env.K8S_NAMESPACE }} - kubectl rollout status deployment/xpeditis-backend \ - -n ${{ env.K8S_NAMESPACE }} \ - --timeout=300s - echo "Backend deployed." + SHA="${{ needs.verify-image.outputs.sha }}" + IMAGE="${{ env.REGISTRY }}/xpeditis-backend:prod-${SHA}" + echo "Deploying: $IMAGE" + kubectl set image deployment/xpeditis-backend backend="$IMAGE" -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=300s + echo "Backend rollout complete." - - name: Deploy Frontend + - name: Deploy frontend + id: deploy-frontend run: | - IMAGE="${{ needs.promote-images.outputs.frontend-image }}" - echo "Deploying frontend: $IMAGE" - kubectl set image deployment/xpeditis-frontend \ - frontend=$IMAGE \ - -n ${{ env.K8S_NAMESPACE }} - kubectl rollout status deployment/xpeditis-frontend \ - -n ${{ env.K8S_NAMESPACE }} \ - --timeout=300s - echo "Frontend deployed." + SHA="${{ needs.verify-image.outputs.sha }}" + IMAGE="${{ env.REGISTRY }}/xpeditis-frontend:prod-${SHA}" + echo "Deploying: $IMAGE" + kubectl set image deployment/xpeditis-frontend frontend="$IMAGE" -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=300s + echo "Frontend rollout complete." - - name: Auto-rollback on failure + - name: Auto-rollback on deployment failure if: failure() run: | - echo "Deployment failed — rolling back..." - kubectl rollout undo deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} || true - kubectl rollout undo deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} || true - kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=120s || true - kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=120s || true - echo "Previous version restored." + echo "Deployment failed — initiating rollback..." + kubectl rollout undo deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} + kubectl rollout undo deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} + kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=120s + kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=120s + echo "Rollback complete. Previous version is live." - # ────────────────────────────────────────────────────────────── - # 3. Smoke Tests - # kubectl rollout status already verifies pod readiness. - # These confirm the full network path: - # Cloudflare → Hetzner LB → Traefik → pod. - # ────────────────────────────────────────────────────────────── + # ── 5. Smoke Tests ─────────────────────────────────────────────────── + # kubectl rollout status already verified pod readiness. + # These smoke tests validate the full network path: + # Cloudflare → Hetzner LB → Traefik → pod. smoke-tests: name: Smoke Tests runs-on: ubuntu-latest needs: deploy - steps: - name: Wait for LB propagation run: sleep 30 - - name: Health check — Backend + - name: Health — Backend run: | for i in {1..12}; do STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ "${{ secrets.PROD_BACKEND_URL }}/api/v1/health" 2>/dev/null || echo "000") echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Backend healthy."; exit 0; fi + if [ "$STATUS" = "200" ]; then echo "Backend OK."; exit 0; fi sleep 15 done - echo "CRITICAL: Backend unreachable after rollout." + echo "CRITICAL: Backend unreachable after 12 attempts." exit 1 - - name: Health check — Frontend + - name: Health — Frontend run: | for i in {1..12}; do STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ "${{ secrets.PROD_FRONTEND_URL }}" 2>/dev/null || echo "000") echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Frontend healthy."; exit 0; fi + if [ "$STATUS" = "200" ]; then echo "Frontend OK."; exit 0; fi sleep 15 done - echo "CRITICAL: Frontend unreachable after rollout." + echo "CRITICAL: Frontend unreachable after 12 attempts." exit 1 - # ────────────────────────────────────────────────────────────── - # 4. Deployment Summary - # ────────────────────────────────────────────────────────────── - summary: - name: Deployment Summary - runs-on: ubuntu-latest - needs: [promote-images, smoke-tests] - if: success() - - steps: - - name: Write summary - run: | - echo "## Production Deployment" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "| | |" >> $GITHUB_STEP_SUMMARY - echo "|---|---|" >> $GITHUB_STEP_SUMMARY - echo "| **Commit** | \`${{ github.sha }}\` |" >> $GITHUB_STEP_SUMMARY - echo "| **Backend** | \`${{ needs.promote-images.outputs.backend-image }}\` |" >> $GITHUB_STEP_SUMMARY - echo "| **Frontend** | \`${{ needs.promote-images.outputs.frontend-image }}\` |" >> $GITHUB_STEP_SUMMARY - echo "| **Source** | Promoted from \`preprod\` tag — no rebuild |" >> $GITHUB_STEP_SUMMARY - echo "| **Cluster** | Hetzner k3s — namespace \`xpeditis-prod\` |" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "To rollback: [Run rollback workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/rollback.yml)" >> $GITHUB_STEP_SUMMARY - - # ────────────────────────────────────────────────────────────── - # Discord — Success - # ────────────────────────────────────────────────────────────── + # ── Notifications ──────────────────────────────────────────────────── notify-success: name: Notify Success runs-on: ubuntu-latest - needs: [promote-images, smoke-tests] + needs: [verify-image, smoke-tests] if: success() - steps: - - name: Send Discord notification - run: | + - run: | curl -s -H "Content-Type: application/json" -d '{ "embeds": [{ "title": "🚀 Production Deployed & Healthy", "color": 3066993, "fields": [ {"name": "Author", "value": "${{ github.actor }}", "inline": true}, - {"name": "Version", "value": "`prod-${{ needs.promote-images.outputs.short-sha }}`", "inline": true}, - {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": false}, - {"name": "Registry", "value": "Scaleway — promoted from `preprod`, no rebuild", "inline": false}, + {"name": "Version", "value": "`prod-${{ needs.verify-image.outputs.sha }}`", "inline": true}, {"name": "Cluster", "value": "Hetzner k3s — `xpeditis-prod`", "inline": false}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + {"name": "Workflow", "value": "[${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} ], "footer": {"text": "Xpeditis CI/CD • Production"} }] }' ${{ secrets.DISCORD_WEBHOOK_URL }} - # ────────────────────────────────────────────────────────────── - # Discord — Failure (CRITICAL) - # ────────────────────────────────────────────────────────────── notify-failure: name: Notify Failure runs-on: ubuntu-latest - needs: [promote-images, deploy, smoke-tests] + needs: [backend-quality, frontend-quality, backend-tests, frontend-tests, verify-image, promote-images, deploy, smoke-tests] if: failure() - steps: - - name: Send Discord notification - run: | + - run: | curl -s -H "Content-Type: application/json" -d '{ - "content": "@here PRODUCTION DEPLOYMENT FAILED", + "content": "@here PRODUCTION PIPELINE FAILED", "embeds": [{ - "title": "🔴 PRODUCTION PIPELINE FAILED", - "description": "Auto-rollback was triggered if deployment failed. Check rollout history.", + "title": "🔴 Production Pipeline Failed", + "description": "Check the workflow for details. Auto-rollback was triggered if the failure was during deploy.", "color": 15158332, "fields": [ {"name": "Author", "value": "${{ github.actor }}", "inline": true}, - {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": true}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false}, - {"name": "Manual rollback", "value": "[Run rollback workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/rollback.yml)", "inline": false} + {"name": "Workflow", "value": "[${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false}, + {"name": "Rollback", "value": "[Run rollback workflow](${{ github.server_url }}/${{ github.repository }}/actions/workflows/rollback.yml)", "inline": false} ], "footer": {"text": "Xpeditis CI/CD • Production"} }] diff --git a/.github/workflows/cd-preprod.yml b/.github/workflows/cd-preprod.yml index 0d2e359..830f19c 100644 --- a/.github/workflows/cd-preprod.yml +++ b/.github/workflows/cd-preprod.yml @@ -1,23 +1,22 @@ name: CD Preprod -# Full pipeline for the preprod branch. -# Flow: quality → integration tests → Docker build & push → deploy → smoke tests → notify +# Full pipeline triggered on every push to preprod. +# Flow: lint → unit tests → integration tests → docker build → deploy → smoke tests → notify # -# Required secrets: -# REGISTRY_TOKEN — Scaleway container registry token -# NEXT_PUBLIC_API_URL — Preprod API URL (e.g. https://api.preprod.xpeditis.com) -# NEXT_PUBLIC_APP_URL — Preprod app URL (e.g. https://preprod.xpeditis.com) -# PORTAINER_WEBHOOK_BACKEND — Portainer webhook for preprod backend service -# PORTAINER_WEBHOOK_FRONTEND — Portainer webhook for preprod frontend service -# PREPROD_BACKEND_URL — Health check URL (e.g. https://api.preprod.xpeditis.com) -# PREPROD_FRONTEND_URL — Health check URL (e.g. https://preprod.xpeditis.com) -# DISCORD_WEBHOOK_URL — Discord deployment notifications +# Secrets required: +# REGISTRY_TOKEN — Scaleway registry (read/write) +# NEXT_PUBLIC_API_URL — https://api.preprod.xpeditis.com +# NEXT_PUBLIC_APP_URL — https://preprod.xpeditis.com +# PORTAINER_WEBHOOK_BACKEND — Portainer webhook (preprod backend) +# PORTAINER_WEBHOOK_FRONTEND— Portainer webhook (preprod frontend) +# PREPROD_BACKEND_URL — https://api.preprod.xpeditis.com +# PREPROD_FRONTEND_URL — https://preprod.xpeditis.com +# DISCORD_WEBHOOK_URL on: push: branches: [preprod] -# Only one preprod deployment at a time. Never cancel an in-progress deployment. concurrency: group: cd-preprod cancel-in-progress: false @@ -27,81 +26,80 @@ env: NODE_VERSION: '20' jobs: - # ────────────────────────────────────────── - # 1. Lint & Type-check - # ────────────────────────────────────────── - quality: - name: Quality (${{ matrix.app }}) + # ── 1. Lint ───────────────────────────────────────────────────────── + backend-quality: + name: Backend — Lint runs-on: ubuntu-latest - strategy: - fail-fast: true - matrix: - app: [backend, frontend] - defaults: run: - working-directory: apps/${{ matrix.app }} - + working-directory: apps/backend steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm run lint - - name: Install dependencies - run: npm ci --legacy-peer-deps - - - name: Lint - run: npm run lint - - - name: Type-check (frontend only) - if: matrix.app == 'frontend' - run: npm run type-check - - # ────────────────────────────────────────── - # 2. Unit Tests - # ────────────────────────────────────────── - unit-tests: - name: Unit Tests (${{ matrix.app }}) + frontend-quality: + name: Frontend — Lint & Type-check runs-on: ubuntu-latest - needs: quality - strategy: - fail-fast: true - matrix: - app: [backend, frontend] - defaults: run: - working-directory: apps/${{ matrix.app }} - + working-directory: apps/frontend steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm run lint + - run: npm run type-check - - name: Install dependencies - run: npm ci --legacy-peer-deps + # ── 2. Unit Tests ──────────────────────────────────────────────────── + backend-tests: + name: Backend — Unit Tests + runs-on: ubuntu-latest + needs: backend-quality + defaults: + run: + working-directory: apps/backend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm test -- --passWithNoTests - - name: Run unit tests - run: npm test -- --passWithNoTests --coverage + frontend-tests: + name: Frontend — Unit Tests + runs-on: ubuntu-latest + needs: frontend-quality + defaults: + run: + working-directory: apps/frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm test -- --passWithNoTests - # ────────────────────────────────────────── - # 3. Integration Tests - # ────────────────────────────────────────── + # ── 3. Integration Tests ───────────────────────────────────────────── integration-tests: - name: Integration Tests + name: Backend — Integration Tests runs-on: ubuntu-latest - needs: unit-tests - + needs: [backend-tests, frontend-tests] defaults: run: working-directory: apps/backend @@ -120,7 +118,6 @@ jobs: --health-retries 10 ports: - 5432:5432 - redis: image: redis:7-alpine options: >- @@ -133,17 +130,12 @@ jobs: steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' cache-dependency-path: apps/backend/package-lock.json - - - name: Install dependencies - run: npm ci --legacy-peer-deps - + - run: npm install --legacy-peer-deps - name: Run integration tests env: NODE_ENV: test @@ -152,50 +144,40 @@ jobs: DATABASE_USER: xpeditis_test DATABASE_PASSWORD: xpeditis_test_password DATABASE_NAME: xpeditis_test - DATABASE_SYNCHRONIZE: false + DATABASE_SYNCHRONIZE: 'false' REDIS_HOST: localhost REDIS_PORT: 6379 REDIS_PASSWORD: '' - JWT_SECRET: test-secret-key-for-ci-only + JWT_SECRET: test-secret-key-ci SMTP_HOST: localhost SMTP_PORT: 1025 SMTP_FROM: test@xpeditis.com run: npm run test:integration -- --passWithNoTests - # ────────────────────────────────────────── - # 4a. Docker Build & Push — Backend - # ────────────────────────────────────────── + # ── 4. Docker Build & Push ─────────────────────────────────────────── + # Tags: preprod (latest for this env) + preprod-SHA (used by prod for exact promotion) build-backend: - name: Build & Push Backend + name: Build Backend runs-on: ubuntu-latest needs: integration-tests outputs: - image-tag: ${{ steps.sha.outputs.short }} - + sha: ${{ steps.sha.outputs.short }} steps: - uses: actions/checkout@v4 - - - name: Compute short SHA + - name: Short SHA id: sha run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Scaleway Registry - uses: docker/login-action@v3 + - uses: docker/setup-buildx-action@v3 + - uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: nologin password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Build and push Backend image - uses: docker/build-push-action@v5 + - uses: docker/build-push-action@v5 with: context: ./apps/backend file: ./apps/backend/Dockerfile push: true - # Tag with branch name AND commit SHA for traceability and prod promotion tags: | ${{ env.REGISTRY }}/xpeditis-backend:preprod ${{ env.REGISTRY }}/xpeditis-backend:preprod-${{ steps.sha.outputs.short }} @@ -203,35 +185,24 @@ jobs: cache-to: type=registry,ref=${{ env.REGISTRY }}/xpeditis-backend:buildcache,mode=max platforms: linux/amd64,linux/arm64 - # ────────────────────────────────────────── - # 4b. Docker Build & Push — Frontend - # ────────────────────────────────────────── build-frontend: - name: Build & Push Frontend + name: Build Frontend runs-on: ubuntu-latest needs: integration-tests outputs: - image-tag: ${{ steps.sha.outputs.short }} - + sha: ${{ steps.sha.outputs.short }} steps: - uses: actions/checkout@v4 - - - name: Compute short SHA + - name: Short SHA id: sha run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to Scaleway Registry - uses: docker/login-action@v3 + - uses: docker/setup-buildx-action@v3 + - uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: nologin password: ${{ secrets.REGISTRY_TOKEN }} - - - name: Build and push Frontend image - uses: docker/build-push-action@v5 + - uses: docker/build-push-action@v5 with: context: ./apps/frontend file: ./apps/frontend/Dockerfile @@ -246,151 +217,91 @@ jobs: NEXT_PUBLIC_API_URL=${{ secrets.NEXT_PUBLIC_API_URL }} NEXT_PUBLIC_APP_URL=${{ secrets.NEXT_PUBLIC_APP_URL }} - # ────────────────────────────────────────── - # 5. Deploy to Preprod via Portainer - # ────────────────────────────────────────── + # ── 5. Deploy via Portainer ────────────────────────────────────────── deploy: name: Deploy to Preprod runs-on: ubuntu-latest needs: [build-backend, build-frontend] environment: preprod - steps: - - name: Trigger Backend deployment + - name: Deploy backend run: | - echo "Deploying backend (preprod-${{ needs.build-backend.outputs.image-tag }})..." - curl -sf -X POST \ - -H "Content-Type: application/json" \ - "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" + curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" echo "Backend webhook triggered." - - - name: Wait for backend to stabilize + - name: Wait for backend startup run: sleep 20 - - - name: Trigger Frontend deployment + - name: Deploy frontend run: | - echo "Deploying frontend (preprod-${{ needs.build-frontend.outputs.image-tag }})..." - curl -sf -X POST \ - -H "Content-Type: application/json" \ - "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" + curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" echo "Frontend webhook triggered." - # ────────────────────────────────────────── - # 6. Smoke Tests — verify preprod is healthy - # ────────────────────────────────────────── + # ── 6. Smoke Tests ─────────────────────────────────────────────────── smoke-tests: name: Smoke Tests runs-on: ubuntu-latest needs: deploy - steps: - - name: Wait for services to start + - name: Wait for services run: sleep 40 - - - name: Health check — Backend + - name: Health — Backend run: | - echo "Checking backend health..." - for i in {1..10}; do - STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ - --max-time 10 \ - "${{ secrets.PREPROD_BACKEND_URL }}/health" 2>/dev/null || echo "000") + for i in {1..12}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ + "${{ secrets.PREPROD_BACKEND_URL }}/api/v1/health" 2>/dev/null || echo "000") echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then - echo "Backend is healthy." - exit 0 - fi + if [ "$STATUS" = "200" ]; then echo "Backend OK."; exit 0; fi sleep 15 done - echo "Backend health check failed after 10 attempts." + echo "Backend unreachable after 12 attempts." exit 1 - - - name: Health check — Frontend + - name: Health — Frontend run: | - echo "Checking frontend health..." - for i in {1..10}; do - STATUS=$(curl -s -o /dev/null -w "%{http_code}" \ - --max-time 10 \ + for i in {1..12}; do + STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ "${{ secrets.PREPROD_FRONTEND_URL }}" 2>/dev/null || echo "000") echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then - echo "Frontend is healthy." - exit 0 - fi + if [ "$STATUS" = "200" ]; then echo "Frontend OK."; exit 0; fi sleep 15 done - echo "Frontend health check failed after 10 attempts." + echo "Frontend unreachable after 12 attempts." exit 1 - # ────────────────────────────────────────── - # 7. Deployment Summary - # ────────────────────────────────────────── - summary: - name: Deployment Summary - runs-on: ubuntu-latest - needs: [build-backend, build-frontend, smoke-tests] - if: success() - - steps: - - name: Write summary - run: | - echo "## Preprod Deployment" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "| | |" >> $GITHUB_STEP_SUMMARY - echo "|---|---|" >> $GITHUB_STEP_SUMMARY - echo "| **Commit** | \`${{ github.sha }}\` |" >> $GITHUB_STEP_SUMMARY - echo "| **Backend image** | \`${{ env.REGISTRY }}/xpeditis-backend:preprod-${{ needs.build-backend.outputs.image-tag }}\` |" >> $GITHUB_STEP_SUMMARY - echo "| **Frontend image** | \`${{ env.REGISTRY }}/xpeditis-frontend:preprod-${{ needs.build-frontend.outputs.image-tag }}\` |" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "To promote this exact build to production, merge this commit to \`main\`." >> $GITHUB_STEP_SUMMARY - - # ────────────────────────────────────────── - # Discord — Success - # ────────────────────────────────────────── + # ── Notifications ──────────────────────────────────────────────────── notify-success: name: Notify Success runs-on: ubuntu-latest needs: [build-backend, build-frontend, smoke-tests] if: success() - steps: - - name: Send Discord notification - run: | + - run: | curl -s -H "Content-Type: application/json" -d '{ "embeds": [{ "title": "✅ Preprod Deployed & Healthy", "color": 3066993, "fields": [ {"name": "Author", "value": "${{ github.actor }}", "inline": true}, - {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": true}, - {"name": "Backend", "value": "`preprod-${{ needs.build-backend.outputs.image-tag }}`", "inline": false}, - {"name": "Frontend", "value": "`preprod-${{ needs.build-frontend.outputs.image-tag }}`", "inline": false}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + {"name": "SHA", "value": "`${{ needs.build-backend.outputs.sha }}`", "inline": true}, + {"name": "Workflow", "value": "[${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} ], "footer": {"text": "Xpeditis CI/CD • Preprod"} }] }' ${{ secrets.DISCORD_WEBHOOK_URL }} - # ────────────────────────────────────────── - # Discord — Failure - # ────────────────────────────────────────── notify-failure: name: Notify Failure runs-on: ubuntu-latest - needs: [quality, unit-tests, integration-tests, build-backend, build-frontend, deploy, smoke-tests] + needs: [backend-quality, frontend-quality, backend-tests, frontend-tests, integration-tests, build-backend, build-frontend, deploy, smoke-tests] if: failure() - steps: - - name: Send Discord notification - run: | + - run: | curl -s -H "Content-Type: application/json" -d '{ "embeds": [{ "title": "❌ Preprod Pipeline Failed", - "description": "Preprod was NOT deployed. Fix the issue before retrying.", + "description": "Preprod was NOT deployed.", "color": 15158332, "fields": [ {"name": "Author", "value": "${{ github.actor }}", "inline": true}, - {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": true}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + {"name": "Workflow", "value": "[${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} ], "footer": {"text": "Xpeditis CI/CD • Preprod"} }] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4a13643..cc49e49 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,8 +1,5 @@ name: Dev CI -# Fast feedback loop for the dev branch. -# Runs lint + unit tests only — no Docker build, no deployment. - on: push: branches: [dev] @@ -17,96 +14,90 @@ env: NODE_VERSION: '20' jobs: - # ────────────────────────────────────────── - # Lint & Type-check - # ────────────────────────────────────────── - quality: - name: Quality (${{ matrix.app }}) + backend-quality: + name: Backend — Lint runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - app: [backend, frontend] - defaults: run: - working-directory: apps/${{ matrix.app }} - + working-directory: apps/backend steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm run lint - - name: Install dependencies - run: npm ci --legacy-peer-deps - - - name: Lint - run: npm run lint - - - name: Type-check (frontend only) - if: matrix.app == 'frontend' - run: npm run type-check - - # ────────────────────────────────────────── - # Unit Tests - # ────────────────────────────────────────── - unit-tests: - name: Unit Tests (${{ matrix.app }}) + frontend-quality: + name: Frontend — Lint & Type-check runs-on: ubuntu-latest - needs: quality - strategy: - fail-fast: false - matrix: - app: [backend, frontend] - defaults: run: - working-directory: apps/${{ matrix.app }} - + working-directory: apps/frontend steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm run lint + - run: npm run type-check - - name: Install dependencies - run: npm ci --legacy-peer-deps + backend-tests: + name: Backend — Unit Tests + runs-on: ubuntu-latest + needs: backend-quality + defaults: + run: + working-directory: apps/backend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm test -- --passWithNoTests - - name: Run unit tests - run: npm test -- --passWithNoTests --coverage + frontend-tests: + name: Frontend — Unit Tests + runs-on: ubuntu-latest + needs: frontend-quality + defaults: + run: + working-directory: apps/frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm test -- --passWithNoTests - # ────────────────────────────────────────── - # Discord notification on failure - # ────────────────────────────────────────── notify-failure: name: Notify Failure runs-on: ubuntu-latest - needs: [quality, unit-tests] + needs: [backend-quality, frontend-quality, backend-tests, frontend-tests] if: failure() - steps: - - name: Send Discord notification + - name: Discord run: | curl -s -H "Content-Type: application/json" -d '{ "embeds": [{ "title": "❌ Dev CI Failed", - "description": "Fix the issues before merging to preprod.", "color": 15158332, "fields": [ {"name": "Branch", "value": "`${{ github.ref_name }}`", "inline": true}, {"name": "Author", "value": "${{ github.actor }}", "inline": true}, - {"name": "Commit", "value": "[`${{ github.sha }}`](${{ github.event.head_commit.url }})", "inline": false}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + {"name": "Workflow", "value": "[${{ github.run_id }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} ], - "footer": {"text": "Xpeditis CI/CD"} + "footer": {"text": "Xpeditis CI • Dev"} }] }' ${{ secrets.DISCORD_WEBHOOK_URL }} diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml index 6b894d3..f78397f 100644 --- a/.github/workflows/pr-checks.yml +++ b/.github/workflows/pr-checks.yml @@ -1,10 +1,8 @@ name: PR Checks -# Validation gate for pull requests. -# PRs to preprod → lint + unit tests + integration tests -# PRs to main → lint + unit tests only (code was integration-tested in preprod already) -# -# Configure these as required status checks in GitHub branch protection rules. +# Required status checks — configure these in branch protection rules. +# PRs to preprod : lint + type-check + unit tests + integration tests +# PRs to main : lint + type-check + unit tests only on: pull_request: @@ -18,82 +16,80 @@ env: NODE_VERSION: '20' jobs: - # ────────────────────────────────────────── - # Lint & Type-check (both apps, parallel) - # ────────────────────────────────────────── - quality: - name: Quality (${{ matrix.app }}) + backend-quality: + name: Backend — Lint runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - app: [backend, frontend] - defaults: run: - working-directory: apps/${{ matrix.app }} - + working-directory: apps/backend steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm run lint - - name: Install dependencies - run: npm ci --legacy-peer-deps - - - name: Lint - run: npm run lint - - - name: Type-check (frontend only) - if: matrix.app == 'frontend' - run: npm run type-check - - # ────────────────────────────────────────── - # Unit Tests (both apps, parallel) - # ────────────────────────────────────────── - unit-tests: - name: Unit Tests (${{ matrix.app }}) + frontend-quality: + name: Frontend — Lint & Type-check runs-on: ubuntu-latest - needs: quality - strategy: - fail-fast: false - matrix: - app: [backend, frontend] - defaults: run: - working-directory: apps/${{ matrix.app }} - + working-directory: apps/frontend steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' - cache-dependency-path: apps/${{ matrix.app }}/package-lock.json + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm run lint + - run: npm run type-check - - name: Install dependencies - run: npm ci --legacy-peer-deps + backend-tests: + name: Backend — Unit Tests + runs-on: ubuntu-latest + needs: backend-quality + defaults: + run: + working-directory: apps/backend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/backend/package-lock.json + - run: npm install --legacy-peer-deps + - run: npm test -- --passWithNoTests - - name: Run unit tests - run: npm test -- --passWithNoTests --coverage + frontend-tests: + name: Frontend — Unit Tests + runs-on: ubuntu-latest + needs: frontend-quality + defaults: + run: + working-directory: apps/frontend + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + cache-dependency-path: apps/frontend/package-lock.json + - run: npm ci --legacy-peer-deps + - run: npm test -- --passWithNoTests - # ────────────────────────────────────────── - # Integration Tests — PRs to preprod only - # ────────────────────────────────────────── + # Integration tests — PRs to preprod only + # Code going to main was already integration-tested when it passed through preprod integration-tests: - name: Integration Tests + name: Backend — Integration Tests runs-on: ubuntu-latest - needs: unit-tests + needs: backend-tests if: github.base_ref == 'preprod' - defaults: run: working-directory: apps/backend @@ -112,7 +108,6 @@ jobs: --health-retries 10 ports: - 5432:5432 - redis: image: redis:7-alpine options: >- @@ -125,17 +120,12 @@ jobs: steps: - uses: actions/checkout@v4 - - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/setup-node@v4 with: node-version: ${{ env.NODE_VERSION }} cache: 'npm' cache-dependency-path: apps/backend/package-lock.json - - - name: Install dependencies - run: npm ci --legacy-peer-deps - + - run: npm install --legacy-peer-deps - name: Run integration tests env: NODE_ENV: test @@ -144,33 +134,12 @@ jobs: DATABASE_USER: xpeditis_test DATABASE_PASSWORD: xpeditis_test_password DATABASE_NAME: xpeditis_test - DATABASE_SYNCHRONIZE: false + DATABASE_SYNCHRONIZE: 'false' REDIS_HOST: localhost REDIS_PORT: 6379 REDIS_PASSWORD: '' - JWT_SECRET: test-secret-key-for-ci-only + JWT_SECRET: test-secret-key-ci SMTP_HOST: localhost SMTP_PORT: 1025 SMTP_FROM: test@xpeditis.com run: npm run test:integration -- --passWithNoTests - - # ────────────────────────────────────────── - # PR Summary - # ────────────────────────────────────────── - pr-summary: - name: PR Summary - runs-on: ubuntu-latest - needs: [quality, unit-tests] - if: always() - - steps: - - name: Write job summary - run: | - echo "## PR Check Results" >> $GITHUB_STEP_SUMMARY - echo "" >> $GITHUB_STEP_SUMMARY - echo "| Check | Status |" >> $GITHUB_STEP_SUMMARY - echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY - echo "| Quality (lint + type-check) | ${{ needs.quality.result }} |" >> $GITHUB_STEP_SUMMARY - echo "| Unit Tests | ${{ needs.unit-tests.result }} |" >> $GITHUB_STEP_SUMMARY - echo "| Target Branch | \`${{ github.base_ref }}\` |" >> $GITHUB_STEP_SUMMARY - echo "| Author | ${{ github.actor }} |" >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/rollback.yml b/.github/workflows/rollback.yml index ea82bd9..54e4f85 100644 --- a/.github/workflows/rollback.yml +++ b/.github/workflows/rollback.yml @@ -1,16 +1,24 @@ name: Rollback -# Emergency rollback for production (Hetzner k3s) and preprod (Portainer). -# All images are on Scaleway registry. +# Emergency rollback — production (Hetzner k3s) and preprod (Portainer). # -# Production (k3s): -# Option A — "previous": kubectl rollout undo (instant, reverts to last ReplicaSet) -# Option B — "specific-version": kubectl set image to a Scaleway prod-SHA tag +# Production strategies: +# previous — kubectl rollout undo (fastest, reverts to previous ReplicaSet) +# specific-version — kubectl set image to a specific prod-SHA tag # -# Preprod (Portainer): -# Re-tags a Scaleway preprod-SHA image back to :preprod, triggers Portainer webhook. +# Preprod strategy: +# Re-tags a preprod-SHA image back to :preprod, triggers Portainer webhook. # -# Run from: GitHub Actions → Workflows → Rollback → Run workflow +# Secrets required: +# REGISTRY_TOKEN — Scaleway registry +# HETZNER_KUBECONFIG — base64 kubeconfig (production only) +# PORTAINER_WEBHOOK_BACKEND — Portainer webhook preprod backend +# PORTAINER_WEBHOOK_FRONTEND — Portainer webhook preprod frontend +# PROD_BACKEND_URL — https://api.xpeditis.com +# PROD_FRONTEND_URL — https://app.xpeditis.com +# PREPROD_BACKEND_URL — https://api.preprod.xpeditis.com +# PREPROD_FRONTEND_URL — https://preprod.xpeditis.com +# DISCORD_WEBHOOK_URL on: workflow_dispatch: @@ -19,41 +27,31 @@ on: description: 'Target environment' required: true type: choice - options: - - production - - preprod + options: [production, preprod] strategy: - description: 'Rollback strategy ("previous" = kubectl rollout undo, prod only)' + description: 'Strategy (production only — "previous" = instant kubectl undo)' required: true type: choice - options: - - previous - - specific-version + options: [previous, specific-version] version_tag: description: 'Tag for specific-version (e.g. prod-a1b2c3d or preprod-a1b2c3d)' required: false type: string reason: - description: 'Reason for rollback (audit trail)' + description: 'Reason (audit trail)' required: true type: string env: REGISTRY: rg.fr-par.scw.cloud/weworkstudio - IMAGE_BACKEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-backend - IMAGE_FRONTEND: rg.fr-par.scw.cloud/weworkstudio/xpeditis-frontend K8S_NAMESPACE: xpeditis-prod jobs: - # ────────────────────────────────────────── - # Validate inputs - # ────────────────────────────────────────── validate: name: Validate Inputs runs-on: ubuntu-latest - steps: - - name: Validate + - name: Check inputs run: | ENV="${{ github.event.inputs.environment }}" STRATEGY="${{ github.event.inputs.strategy }}" @@ -64,38 +62,31 @@ jobs: exit 1 fi - if [ "$STRATEGY" = "specific-version" ] && [ "$ENV" = "production" ]; then + if [ "$ENV" = "production" ] && [ "$STRATEGY" = "specific-version" ]; then if [[ ! "$TAG" =~ ^prod- ]]; then echo "ERROR: Production tag must start with 'prod-' (got: $TAG)" exit 1 fi fi - if [ "$STRATEGY" = "specific-version" ] && [ "$ENV" = "preprod" ]; then + if [ "$ENV" = "preprod" ]; then if [[ ! "$TAG" =~ ^preprod- ]]; then echo "ERROR: Preprod tag must start with 'preprod-' (got: $TAG)" exit 1 fi fi - echo "Validation passed." - echo " Environment : $ENV" - echo " Strategy : $STRATEGY" - echo " Version : ${TAG:-N/A (previous)}" - echo " Reason : ${{ github.event.inputs.reason }}" + echo "Validated — env: $ENV | strategy: $STRATEGY | tag: ${TAG:-N/A} | reason: ${{ github.event.inputs.reason }}" - # ────────────────────────────────────────── - # PRODUCTION ROLLBACK — k3s via kubectl - # ────────────────────────────────────────── + # ── Production rollback via kubectl ────────────────────────────────── rollback-production: - name: Rollback Production (k3s) + name: Rollback Production runs-on: ubuntu-latest needs: validate if: github.event.inputs.environment == 'production' environment: name: production url: https://app.xpeditis.com - steps: - name: Configure kubectl run: | @@ -104,26 +95,16 @@ jobs: chmod 600 ~/.kube/config kubectl cluster-info - # ── Strategy A: kubectl rollout undo (fastest) - - name: Rollback to previous version + - name: Rollback — previous version if: github.event.inputs.strategy == 'previous' run: | - echo "Rolling back backend..." kubectl rollout undo deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=180s - - echo "Rolling back frontend..." kubectl rollout undo deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=180s - kubectl get pods -n ${{ env.K8S_NAMESPACE }} - # ── Strategy B: kubectl set image to specific Scaleway tag - - name: Set up Docker Buildx (for image inspect) - if: github.event.inputs.strategy == 'specific-version' - uses: docker/setup-buildx-action@v3 - - - name: Login to Scaleway Registry + - name: Login to Scaleway (for image verification) if: github.event.inputs.strategy == 'specific-version' uses: docker/login-action@v3 with: @@ -131,103 +112,81 @@ jobs: username: nologin password: ${{ secrets.REGISTRY_TOKEN }} - - name: Rollback to specific version + - uses: docker/setup-buildx-action@v3 + if: github.event.inputs.strategy == 'specific-version' + + - name: Rollback — specific version if: github.event.inputs.strategy == 'specific-version' run: | TAG="${{ github.event.inputs.version_tag }}" - BACKEND_IMAGE="${{ env.IMAGE_BACKEND }}:${TAG}" - FRONTEND_IMAGE="${{ env.IMAGE_FRONTEND }}:${TAG}" + BACKEND="${{ env.REGISTRY }}/xpeditis-backend:${TAG}" + FRONTEND="${{ env.REGISTRY }}/xpeditis-frontend:${TAG}" - echo "Verifying images exist in Scaleway..." - docker buildx imagetools inspect "$BACKEND_IMAGE" || \ - { echo "ERROR: Backend image not found: $BACKEND_IMAGE"; exit 1; } - docker buildx imagetools inspect "$FRONTEND_IMAGE" || \ - { echo "ERROR: Frontend image not found: $FRONTEND_IMAGE"; exit 1; } + echo "Verifying images exist..." + docker buildx imagetools inspect "$BACKEND" || { echo "ERROR: $BACKEND not found"; exit 1; } + docker buildx imagetools inspect "$FRONTEND" || { echo "ERROR: $FRONTEND not found"; exit 1; } - echo "Deploying backend: $BACKEND_IMAGE" - kubectl set image deployment/xpeditis-backend backend="$BACKEND_IMAGE" -n ${{ env.K8S_NAMESPACE }} + kubectl set image deployment/xpeditis-backend backend="$BACKEND" -n ${{ env.K8S_NAMESPACE }} kubectl rollout status deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} --timeout=180s - echo "Deploying frontend: $FRONTEND_IMAGE" - kubectl set image deployment/xpeditis-frontend frontend="$FRONTEND_IMAGE" -n ${{ env.K8S_NAMESPACE }} + kubectl set image deployment/xpeditis-frontend frontend="$FRONTEND" -n ${{ env.K8S_NAMESPACE }} kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=180s kubectl get pods -n ${{ env.K8S_NAMESPACE }} - - name: Show rollout history + - name: Rollout history if: always() run: | - echo "=== Backend rollout history ===" kubectl rollout history deployment/xpeditis-backend -n ${{ env.K8S_NAMESPACE }} || true - echo "=== Frontend rollout history ===" kubectl rollout history deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} || true - # ────────────────────────────────────────── - # PREPROD ROLLBACK — Scaleway re-tag + Portainer - # ────────────────────────────────────────── + # ── Preprod rollback via Portainer ─────────────────────────────────── rollback-preprod: - name: Rollback Preprod (Portainer) + name: Rollback Preprod runs-on: ubuntu-latest needs: validate if: github.event.inputs.environment == 'preprod' - steps: - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - uses: docker/setup-buildx-action@v3 - - name: Login to Scaleway Registry - uses: docker/login-action@v3 + - uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: nologin password: ${{ secrets.REGISTRY_TOKEN }} - - name: Verify target images exist + - name: Verify target image exists run: | TAG="${{ github.event.inputs.version_tag }}" - docker buildx imagetools inspect "${{ env.IMAGE_BACKEND }}:${TAG}" || \ - { echo "ERROR: Backend image not found: $TAG"; exit 1; } - docker buildx imagetools inspect "${{ env.IMAGE_FRONTEND }}:${TAG}" || \ - { echo "ERROR: Frontend image not found: $TAG"; exit 1; } + docker buildx imagetools inspect "${{ env.REGISTRY }}/xpeditis-backend:${TAG}" || \ + { echo "ERROR: backend image not found: $TAG"; exit 1; } + docker buildx imagetools inspect "${{ env.REGISTRY }}/xpeditis-frontend:${TAG}" || \ + { echo "ERROR: frontend image not found: $TAG"; exit 1; } - - name: Re-tag target version as preprod + - name: Re-tag as preprod run: | TAG="${{ github.event.inputs.version_tag }}" - echo "Re-tagging $TAG → preprod..." docker buildx imagetools create \ - --tag ${{ env.IMAGE_BACKEND }}:preprod \ - ${{ env.IMAGE_BACKEND }}:${TAG} + --tag ${{ env.REGISTRY }}/xpeditis-backend:preprod \ + ${{ env.REGISTRY }}/xpeditis-backend:${TAG} docker buildx imagetools create \ - --tag ${{ env.IMAGE_FRONTEND }}:preprod \ - ${{ env.IMAGE_FRONTEND }}:${TAG} - echo "Re-tag complete." + --tag ${{ env.REGISTRY }}/xpeditis-frontend:preprod \ + ${{ env.REGISTRY }}/xpeditis-frontend:${TAG} - - name: Trigger Backend deployment (Portainer) - run: | - curl -sf -X POST -H "Content-Type: application/json" \ - "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" - echo "Backend webhook triggered." + - name: Deploy backend (Portainer) + run: curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" + - run: sleep 20 + - name: Deploy frontend (Portainer) + run: curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" - - name: Wait for backend - run: sleep 20 - - - name: Trigger Frontend deployment (Portainer) - run: | - curl -sf -X POST -H "Content-Type: application/json" \ - "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" - echo "Frontend webhook triggered." - - # ────────────────────────────────────────── - # Smoke Tests - # ────────────────────────────────────────── + # ── Smoke Tests ─────────────────────────────────────────────────────── smoke-tests: - name: Smoke Tests + name: Smoke Tests Post-Rollback runs-on: ubuntu-latest needs: [rollback-production, rollback-preprod] if: always() && (needs.rollback-production.result == 'success' || needs.rollback-preprod.result == 'success') - steps: - - name: Set health check URLs + - name: Set URLs id: urls run: | if [ "${{ github.event.inputs.environment }}" = "production" ]; then @@ -240,44 +199,40 @@ jobs: echo "wait=60" >> $GITHUB_OUTPUT fi - - name: Wait for services - run: sleep ${{ steps.urls.outputs.wait }} + - run: sleep ${{ steps.urls.outputs.wait }} - - name: Health check — Backend + - name: Health — Backend run: | for i in {1..12}; do STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ "${{ steps.urls.outputs.backend }}" 2>/dev/null || echo "000") echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Backend healthy."; exit 0; fi + if [ "$STATUS" = "200" ]; then echo "Backend OK."; exit 0; fi sleep 15 done - echo "CRITICAL: Backend unhealthy after rollback." + echo "Backend unhealthy after rollback." exit 1 - - name: Health check — Frontend + - name: Health — Frontend run: | for i in {1..12}; do STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ "${{ steps.urls.outputs.frontend }}" 2>/dev/null || echo "000") echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Frontend healthy."; exit 0; fi + if [ "$STATUS" = "200" ]; then echo "Frontend OK."; exit 0; fi sleep 15 done - echo "CRITICAL: Frontend unhealthy after rollback." + echo "Frontend unhealthy after rollback." exit 1 - # ────────────────────────────────────────── - # Discord notification - # ────────────────────────────────────────── + # ── Notifications ───────────────────────────────────────────────────── notify: - name: Notify Rollback Result + name: Notify runs-on: ubuntu-latest needs: [rollback-production, rollback-preprod, smoke-tests] if: always() - steps: - - name: Notify success + - name: Success if: needs.smoke-tests.result == 'success' run: | curl -s -H "Content-Type: application/json" -d '{ @@ -288,29 +243,26 @@ jobs: {"name": "Environment", "value": "`${{ github.event.inputs.environment }}`", "inline": true}, {"name": "Strategy", "value": "`${{ github.event.inputs.strategy }}`", "inline": true}, {"name": "Version", "value": "`${{ github.event.inputs.version_tag || 'previous' }}`", "inline": true}, - {"name": "Triggered by", "value": "${{ github.actor }}", "inline": true}, - {"name": "Reason", "value": "${{ github.event.inputs.reason }}", "inline": false}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + {"name": "By", "value": "${{ github.actor }}", "inline": true}, + {"name": "Reason", "value": "${{ github.event.inputs.reason }}", "inline": false} ], "footer": {"text": "Xpeditis CI/CD • Rollback"} }] }' ${{ secrets.DISCORD_WEBHOOK_URL }} - - name: Notify failure + - name: Failure if: needs.smoke-tests.result != 'success' run: | curl -s -H "Content-Type: application/json" -d '{ "content": "@here ROLLBACK FAILED — MANUAL INTERVENTION REQUIRED", "embeds": [{ "title": "🔴 Rollback Failed", - "description": "Service may be degraded. Escalate immediately.", "color": 15158332, "fields": [ {"name": "Environment", "value": "`${{ github.event.inputs.environment }}`", "inline": true}, - {"name": "Attempted version", "value": "`${{ github.event.inputs.version_tag || 'previous' }}`", "inline": true}, - {"name": "Triggered by", "value": "${{ github.actor }}", "inline": true}, - {"name": "Reason", "value": "${{ github.event.inputs.reason }}", "inline": false}, - {"name": "Workflow", "value": "[${{ github.workflow }}](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})", "inline": false} + {"name": "Attempted", "value": "`${{ github.event.inputs.version_tag || 'previous' }}`", "inline": true}, + {"name": "By", "value": "${{ github.actor }}", "inline": true}, + {"name": "Reason", "value": "${{ github.event.inputs.reason }}", "inline": false} ], "footer": {"text": "Xpeditis CI/CD • Rollback"} }] From 72141c5f68def8acd2c0b94b36c9a9294ba9f963 Mon Sep 17 00:00:00 2001 From: David Date: Sat, 4 Apr 2026 17:58:36 +0200 Subject: [PATCH 5/9] fix preprod --- .../entities/subscription.entity.spec.ts | 91 ++++---- .../subscription-plan.vo.spec.ts | 211 +++++++++++------- .../value-objects/subscription-plan.vo.ts | 33 +-- 3 files changed, 178 insertions(+), 157 deletions(-) diff --git a/apps/backend/src/domain/entities/subscription.entity.spec.ts b/apps/backend/src/domain/entities/subscription.entity.spec.ts index 4e93f08..190c521 100644 --- a/apps/backend/src/domain/entities/subscription.entity.spec.ts +++ b/apps/backend/src/domain/entities/subscription.entity.spec.ts @@ -21,12 +21,12 @@ describe('Subscription Entity', () => { }; describe('create', () => { - it('should create a subscription with default FREE plan', () => { + it('should create a subscription with default BRONZE plan', () => { const subscription = createValidSubscription(); expect(subscription.id).toBe('sub-123'); expect(subscription.organizationId).toBe('org-123'); - expect(subscription.plan.value).toBe('FREE'); + expect(subscription.plan.value).toBe('BRONZE'); expect(subscription.status.value).toBe('ACTIVE'); expect(subscription.cancelAtPeriodEnd).toBe(false); }); @@ -35,10 +35,10 @@ describe('Subscription Entity', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.starter(), + plan: SubscriptionPlan.silver(), }); - expect(subscription.plan.value).toBe('STARTER'); + expect(subscription.plan.value).toBe('SILVER'); }); it('should create a subscription with Stripe IDs', () => { @@ -59,7 +59,7 @@ describe('Subscription Entity', () => { const subscription = Subscription.fromPersistence({ id: 'sub-123', organizationId: 'org-123', - plan: 'PRO', + plan: 'GOLD', status: 'ACTIVE', stripeCustomerId: 'cus_123', stripeSubscriptionId: 'sub_stripe_123', @@ -71,57 +71,57 @@ describe('Subscription Entity', () => { }); expect(subscription.id).toBe('sub-123'); - expect(subscription.plan.value).toBe('PRO'); + expect(subscription.plan.value).toBe('GOLD'); expect(subscription.status.value).toBe('ACTIVE'); expect(subscription.cancelAtPeriodEnd).toBe(true); }); }); describe('maxLicenses', () => { - it('should return correct limits for FREE plan', () => { + it('should return correct limits for BRONZE plan', () => { const subscription = createValidSubscription(); - expect(subscription.maxLicenses).toBe(2); + expect(subscription.maxLicenses).toBe(1); }); - it('should return correct limits for STARTER plan', () => { + it('should return correct limits for SILVER plan', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.starter(), + plan: SubscriptionPlan.silver(), }); expect(subscription.maxLicenses).toBe(5); }); - it('should return correct limits for PRO plan', () => { + it('should return correct limits for GOLD plan', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.pro(), + plan: SubscriptionPlan.gold(), }); expect(subscription.maxLicenses).toBe(20); }); - it('should return -1 for ENTERPRISE plan (unlimited)', () => { + it('should return -1 for PLATINIUM plan (unlimited)', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.enterprise(), + plan: SubscriptionPlan.platinium(), }); expect(subscription.maxLicenses).toBe(-1); }); }); describe('isUnlimited', () => { - it('should return false for FREE plan', () => { + it('should return false for BRONZE plan', () => { const subscription = createValidSubscription(); expect(subscription.isUnlimited()).toBe(false); }); - it('should return true for ENTERPRISE plan', () => { + it('should return true for PLATINIUM plan', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.enterprise(), + plan: SubscriptionPlan.platinium(), }); expect(subscription.isUnlimited()).toBe(true); }); @@ -137,7 +137,7 @@ describe('Subscription Entity', () => { const subscription = Subscription.fromPersistence({ id: 'sub-123', organizationId: 'org-123', - plan: 'FREE', + plan: 'BRONZE', status: 'TRIALING', stripeCustomerId: null, stripeSubscriptionId: null, @@ -154,7 +154,7 @@ describe('Subscription Entity', () => { const subscription = Subscription.fromPersistence({ id: 'sub-123', organizationId: 'org-123', - plan: 'FREE', + plan: 'BRONZE', status: 'CANCELED', stripeCustomerId: null, stripeSubscriptionId: null, @@ -170,21 +170,20 @@ describe('Subscription Entity', () => { describe('canAllocateLicenses', () => { it('should return true when licenses are available', () => { - const subscription = createValidSubscription(); + const subscription = createValidSubscription(); // BRONZE = 1 license expect(subscription.canAllocateLicenses(0, 1)).toBe(true); - expect(subscription.canAllocateLicenses(1, 1)).toBe(true); }); it('should return false when no licenses available', () => { const subscription = createValidSubscription(); - expect(subscription.canAllocateLicenses(2, 1)).toBe(false); // FREE has 2 licenses + expect(subscription.canAllocateLicenses(1, 1)).toBe(false); // BRONZE has 1 license max }); - it('should always return true for ENTERPRISE plan', () => { + it('should always return true for PLATINIUM plan', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.enterprise(), + plan: SubscriptionPlan.platinium(), }); expect(subscription.canAllocateLicenses(1000, 100)).toBe(true); }); @@ -193,7 +192,7 @@ describe('Subscription Entity', () => { const subscription = Subscription.fromPersistence({ id: 'sub-123', organizationId: 'org-123', - plan: 'FREE', + plan: 'BRONZE', status: 'CANCELED', stripeCustomerId: null, stripeSubscriptionId: null, @@ -208,23 +207,23 @@ describe('Subscription Entity', () => { }); describe('canUpgradeTo', () => { - it('should allow upgrade from FREE to STARTER', () => { + it('should allow upgrade from BRONZE to SILVER', () => { const subscription = createValidSubscription(); - expect(subscription.canUpgradeTo(SubscriptionPlan.starter())).toBe(true); + expect(subscription.canUpgradeTo(SubscriptionPlan.silver())).toBe(true); }); - it('should allow upgrade from FREE to PRO', () => { + it('should allow upgrade from BRONZE to GOLD', () => { const subscription = createValidSubscription(); - expect(subscription.canUpgradeTo(SubscriptionPlan.pro())).toBe(true); + expect(subscription.canUpgradeTo(SubscriptionPlan.gold())).toBe(true); }); it('should not allow downgrade via canUpgradeTo', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.starter(), + plan: SubscriptionPlan.silver(), }); - expect(subscription.canUpgradeTo(SubscriptionPlan.free())).toBe(false); + expect(subscription.canUpgradeTo(SubscriptionPlan.bronze())).toBe(false); }); }); @@ -233,34 +232,34 @@ describe('Subscription Entity', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.starter(), + plan: SubscriptionPlan.silver(), }); - expect(subscription.canDowngradeTo(SubscriptionPlan.free(), 1)).toBe(true); + expect(subscription.canDowngradeTo(SubscriptionPlan.bronze(), 1)).toBe(true); }); it('should prevent downgrade when user count exceeds new plan', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.starter(), + plan: SubscriptionPlan.silver(), }); - expect(subscription.canDowngradeTo(SubscriptionPlan.free(), 5)).toBe(false); + expect(subscription.canDowngradeTo(SubscriptionPlan.bronze(), 5)).toBe(false); }); }); describe('updatePlan', () => { it('should update to new plan when valid', () => { const subscription = createValidSubscription(); - const updated = subscription.updatePlan(SubscriptionPlan.starter(), 1); + const updated = subscription.updatePlan(SubscriptionPlan.silver(), 1); - expect(updated.plan.value).toBe('STARTER'); + expect(updated.plan.value).toBe('SILVER'); }); it('should throw when subscription is not active', () => { const subscription = Subscription.fromPersistence({ id: 'sub-123', organizationId: 'org-123', - plan: 'FREE', + plan: 'BRONZE', status: 'CANCELED', stripeCustomerId: null, stripeSubscriptionId: null, @@ -271,7 +270,7 @@ describe('Subscription Entity', () => { updatedAt: new Date(), }); - expect(() => subscription.updatePlan(SubscriptionPlan.starter(), 0)).toThrow( + expect(() => subscription.updatePlan(SubscriptionPlan.silver(), 0)).toThrow( SubscriptionNotActiveException ); }); @@ -280,10 +279,10 @@ describe('Subscription Entity', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.pro(), + plan: SubscriptionPlan.gold(), }); - expect(() => subscription.updatePlan(SubscriptionPlan.starter(), 10)).toThrow( + expect(() => subscription.updatePlan(SubscriptionPlan.silver(), 10)).toThrow( InvalidSubscriptionDowngradeException ); }); @@ -341,7 +340,7 @@ describe('Subscription Entity', () => { const subscription = Subscription.fromPersistence({ id: 'sub-123', organizationId: 'org-123', - plan: 'STARTER', + plan: 'SILVER', status: 'ACTIVE', stripeCustomerId: 'cus_123', stripeSubscriptionId: 'sub_123', @@ -368,17 +367,17 @@ describe('Subscription Entity', () => { }); describe('isFree and isPaid', () => { - it('should return true for isFree when FREE plan', () => { + it('should return true for isFree when BRONZE plan', () => { const subscription = createValidSubscription(); expect(subscription.isFree()).toBe(true); expect(subscription.isPaid()).toBe(false); }); - it('should return true for isPaid when STARTER plan', () => { + it('should return true for isPaid when SILVER plan', () => { const subscription = Subscription.create({ id: 'sub-123', organizationId: 'org-123', - plan: SubscriptionPlan.starter(), + plan: SubscriptionPlan.silver(), }); expect(subscription.isFree()).toBe(false); expect(subscription.isPaid()).toBe(true); @@ -397,7 +396,7 @@ describe('Subscription Entity', () => { expect(obj.id).toBe('sub-123'); expect(obj.organizationId).toBe('org-123'); - expect(obj.plan).toBe('FREE'); + expect(obj.plan).toBe('BRONZE'); expect(obj.status).toBe('ACTIVE'); expect(obj.stripeCustomerId).toBe('cus_123'); }); diff --git a/apps/backend/src/domain/value-objects/subscription-plan.vo.spec.ts b/apps/backend/src/domain/value-objects/subscription-plan.vo.spec.ts index 81564a3..ddbcaa2 100644 --- a/apps/backend/src/domain/value-objects/subscription-plan.vo.spec.ts +++ b/apps/backend/src/domain/value-objects/subscription-plan.vo.spec.ts @@ -8,31 +8,56 @@ import { SubscriptionPlan } from './subscription-plan.vo'; describe('SubscriptionPlan Value Object', () => { describe('static factory methods', () => { - it('should create FREE plan', () => { + it('should create BRONZE plan via bronze()', () => { + const plan = SubscriptionPlan.bronze(); + expect(plan.value).toBe('BRONZE'); + }); + + it('should create SILVER plan via silver()', () => { + const plan = SubscriptionPlan.silver(); + expect(plan.value).toBe('SILVER'); + }); + + it('should create GOLD plan via gold()', () => { + const plan = SubscriptionPlan.gold(); + expect(plan.value).toBe('GOLD'); + }); + + it('should create PLATINIUM plan via platinium()', () => { + const plan = SubscriptionPlan.platinium(); + expect(plan.value).toBe('PLATINIUM'); + }); + + it('should create BRONZE plan via free() alias', () => { const plan = SubscriptionPlan.free(); - expect(plan.value).toBe('FREE'); + expect(plan.value).toBe('BRONZE'); }); - it('should create STARTER plan', () => { + it('should create SILVER plan via starter() alias', () => { const plan = SubscriptionPlan.starter(); - expect(plan.value).toBe('STARTER'); + expect(plan.value).toBe('SILVER'); }); - it('should create PRO plan', () => { + it('should create GOLD plan via pro() alias', () => { const plan = SubscriptionPlan.pro(); - expect(plan.value).toBe('PRO'); + expect(plan.value).toBe('GOLD'); }); - it('should create ENTERPRISE plan', () => { + it('should create PLATINIUM plan via enterprise() alias', () => { const plan = SubscriptionPlan.enterprise(); - expect(plan.value).toBe('ENTERPRISE'); + expect(plan.value).toBe('PLATINIUM'); }); }); describe('create', () => { - it('should create plan from valid type', () => { - const plan = SubscriptionPlan.create('STARTER'); - expect(plan.value).toBe('STARTER'); + it('should create plan from valid type SILVER', () => { + const plan = SubscriptionPlan.create('SILVER'); + expect(plan.value).toBe('SILVER'); + }); + + it('should create plan from valid type BRONZE', () => { + const plan = SubscriptionPlan.create('BRONZE'); + expect(plan.value).toBe('BRONZE'); }); it('should throw for invalid plan type', () => { @@ -41,9 +66,29 @@ describe('SubscriptionPlan Value Object', () => { }); describe('fromString', () => { - it('should create plan from lowercase string', () => { + it('should create SILVER from lowercase "silver"', () => { + const plan = SubscriptionPlan.fromString('silver'); + expect(plan.value).toBe('SILVER'); + }); + + it('should map legacy "starter" to SILVER', () => { const plan = SubscriptionPlan.fromString('starter'); - expect(plan.value).toBe('STARTER'); + expect(plan.value).toBe('SILVER'); + }); + + it('should map legacy "free" to BRONZE', () => { + const plan = SubscriptionPlan.fromString('free'); + expect(plan.value).toBe('BRONZE'); + }); + + it('should map legacy "pro" to GOLD', () => { + const plan = SubscriptionPlan.fromString('pro'); + expect(plan.value).toBe('GOLD'); + }); + + it('should map legacy "enterprise" to PLATINIUM', () => { + const plan = SubscriptionPlan.fromString('enterprise'); + expect(plan.value).toBe('PLATINIUM'); }); it('should throw for invalid string', () => { @@ -52,146 +97,150 @@ describe('SubscriptionPlan Value Object', () => { }); describe('maxLicenses', () => { - it('should return 2 for FREE plan', () => { - const plan = SubscriptionPlan.free(); - expect(plan.maxLicenses).toBe(2); + it('should return 1 for BRONZE plan', () => { + const plan = SubscriptionPlan.bronze(); + expect(plan.maxLicenses).toBe(1); }); - it('should return 5 for STARTER plan', () => { - const plan = SubscriptionPlan.starter(); + it('should return 5 for SILVER plan', () => { + const plan = SubscriptionPlan.silver(); expect(plan.maxLicenses).toBe(5); }); - it('should return 20 for PRO plan', () => { - const plan = SubscriptionPlan.pro(); + it('should return 20 for GOLD plan', () => { + const plan = SubscriptionPlan.gold(); expect(plan.maxLicenses).toBe(20); }); - it('should return -1 (unlimited) for ENTERPRISE plan', () => { - const plan = SubscriptionPlan.enterprise(); + it('should return -1 (unlimited) for PLATINIUM plan', () => { + const plan = SubscriptionPlan.platinium(); expect(plan.maxLicenses).toBe(-1); }); }); describe('isUnlimited', () => { - it('should return false for FREE plan', () => { - expect(SubscriptionPlan.free().isUnlimited()).toBe(false); + it('should return false for BRONZE plan', () => { + expect(SubscriptionPlan.bronze().isUnlimited()).toBe(false); }); - it('should return false for STARTER plan', () => { - expect(SubscriptionPlan.starter().isUnlimited()).toBe(false); + it('should return false for SILVER plan', () => { + expect(SubscriptionPlan.silver().isUnlimited()).toBe(false); }); - it('should return false for PRO plan', () => { - expect(SubscriptionPlan.pro().isUnlimited()).toBe(false); + it('should return false for GOLD plan', () => { + expect(SubscriptionPlan.gold().isUnlimited()).toBe(false); }); - it('should return true for ENTERPRISE plan', () => { - expect(SubscriptionPlan.enterprise().isUnlimited()).toBe(true); + it('should return true for PLATINIUM plan', () => { + expect(SubscriptionPlan.platinium().isUnlimited()).toBe(true); }); }); describe('isPaid', () => { - it('should return false for FREE plan', () => { - expect(SubscriptionPlan.free().isPaid()).toBe(false); + it('should return false for BRONZE plan', () => { + expect(SubscriptionPlan.bronze().isPaid()).toBe(false); }); - it('should return true for STARTER plan', () => { - expect(SubscriptionPlan.starter().isPaid()).toBe(true); + it('should return true for SILVER plan', () => { + expect(SubscriptionPlan.silver().isPaid()).toBe(true); }); - it('should return true for PRO plan', () => { - expect(SubscriptionPlan.pro().isPaid()).toBe(true); + it('should return true for GOLD plan', () => { + expect(SubscriptionPlan.gold().isPaid()).toBe(true); }); - it('should return true for ENTERPRISE plan', () => { - expect(SubscriptionPlan.enterprise().isPaid()).toBe(true); + it('should return true for PLATINIUM plan', () => { + expect(SubscriptionPlan.platinium().isPaid()).toBe(true); }); }); describe('isFree', () => { - it('should return true for FREE plan', () => { - expect(SubscriptionPlan.free().isFree()).toBe(true); + it('should return true for BRONZE plan', () => { + expect(SubscriptionPlan.bronze().isFree()).toBe(true); }); - it('should return false for STARTER plan', () => { - expect(SubscriptionPlan.starter().isFree()).toBe(false); + it('should return false for SILVER plan', () => { + expect(SubscriptionPlan.silver().isFree()).toBe(false); }); }); describe('canAccommodateUsers', () => { - it('should return true for FREE plan with 2 users', () => { - expect(SubscriptionPlan.free().canAccommodateUsers(2)).toBe(true); + it('should return true for BRONZE plan with 1 user', () => { + expect(SubscriptionPlan.bronze().canAccommodateUsers(1)).toBe(true); }); - it('should return false for FREE plan with 3 users', () => { - expect(SubscriptionPlan.free().canAccommodateUsers(3)).toBe(false); + it('should return false for BRONZE plan with 2 users', () => { + expect(SubscriptionPlan.bronze().canAccommodateUsers(2)).toBe(false); }); - it('should return true for STARTER plan with 5 users', () => { - expect(SubscriptionPlan.starter().canAccommodateUsers(5)).toBe(true); + it('should return true for SILVER plan with 5 users', () => { + expect(SubscriptionPlan.silver().canAccommodateUsers(5)).toBe(true); }); - it('should always return true for ENTERPRISE plan', () => { - expect(SubscriptionPlan.enterprise().canAccommodateUsers(1000)).toBe(true); + it('should always return true for PLATINIUM plan', () => { + expect(SubscriptionPlan.platinium().canAccommodateUsers(1000)).toBe(true); }); }); describe('canUpgradeTo', () => { - it('should allow upgrade from FREE to STARTER', () => { - expect(SubscriptionPlan.free().canUpgradeTo(SubscriptionPlan.starter())).toBe(true); + it('should allow upgrade from BRONZE to SILVER', () => { + expect(SubscriptionPlan.bronze().canUpgradeTo(SubscriptionPlan.silver())).toBe(true); }); - it('should allow upgrade from FREE to PRO', () => { - expect(SubscriptionPlan.free().canUpgradeTo(SubscriptionPlan.pro())).toBe(true); + it('should allow upgrade from BRONZE to GOLD', () => { + expect(SubscriptionPlan.bronze().canUpgradeTo(SubscriptionPlan.gold())).toBe(true); }); - it('should allow upgrade from FREE to ENTERPRISE', () => { - expect(SubscriptionPlan.free().canUpgradeTo(SubscriptionPlan.enterprise())).toBe(true); + it('should allow upgrade from BRONZE to PLATINIUM', () => { + expect(SubscriptionPlan.bronze().canUpgradeTo(SubscriptionPlan.platinium())).toBe(true); }); - it('should allow upgrade from STARTER to PRO', () => { - expect(SubscriptionPlan.starter().canUpgradeTo(SubscriptionPlan.pro())).toBe(true); + it('should allow upgrade from SILVER to GOLD', () => { + expect(SubscriptionPlan.silver().canUpgradeTo(SubscriptionPlan.gold())).toBe(true); }); - it('should not allow downgrade from STARTER to FREE', () => { - expect(SubscriptionPlan.starter().canUpgradeTo(SubscriptionPlan.free())).toBe(false); + it('should not allow downgrade from SILVER to BRONZE', () => { + expect(SubscriptionPlan.silver().canUpgradeTo(SubscriptionPlan.bronze())).toBe(false); }); it('should not allow same plan upgrade', () => { - expect(SubscriptionPlan.pro().canUpgradeTo(SubscriptionPlan.pro())).toBe(false); + expect(SubscriptionPlan.gold().canUpgradeTo(SubscriptionPlan.gold())).toBe(false); }); }); describe('canDowngradeTo', () => { - it('should allow downgrade from STARTER to FREE when users fit', () => { - expect(SubscriptionPlan.starter().canDowngradeTo(SubscriptionPlan.free(), 1)).toBe(true); + it('should allow downgrade from SILVER to BRONZE when users fit', () => { + expect(SubscriptionPlan.silver().canDowngradeTo(SubscriptionPlan.bronze(), 1)).toBe(true); }); - it('should not allow downgrade from STARTER to FREE when users exceed', () => { - expect(SubscriptionPlan.starter().canDowngradeTo(SubscriptionPlan.free(), 5)).toBe(false); + it('should not allow downgrade from SILVER to BRONZE when users exceed', () => { + expect(SubscriptionPlan.silver().canDowngradeTo(SubscriptionPlan.bronze(), 5)).toBe(false); }); it('should not allow upgrade via canDowngradeTo', () => { - expect(SubscriptionPlan.free().canDowngradeTo(SubscriptionPlan.starter(), 1)).toBe(false); + expect(SubscriptionPlan.bronze().canDowngradeTo(SubscriptionPlan.silver(), 1)).toBe(false); }); }); describe('plan details', () => { - it('should return correct name for FREE plan', () => { - expect(SubscriptionPlan.free().name).toBe('Free'); + it('should return correct name for BRONZE plan', () => { + expect(SubscriptionPlan.bronze().name).toBe('Bronze'); }); - it('should return correct prices for STARTER plan', () => { - const plan = SubscriptionPlan.starter(); - expect(plan.monthlyPriceEur).toBe(49); - expect(plan.yearlyPriceEur).toBe(470); + it('should return correct name for SILVER plan', () => { + expect(SubscriptionPlan.silver().name).toBe('Silver'); }); - it('should return features for PRO plan', () => { - const plan = SubscriptionPlan.pro(); - expect(plan.features).toContain('Up to 20 users'); - expect(plan.features).toContain('API access'); + it('should return correct prices for SILVER plan', () => { + const plan = SubscriptionPlan.silver(); + expect(plan.monthlyPriceEur).toBe(249); + expect(plan.yearlyPriceEur).toBe(2739); + }); + + it('should return features for GOLD plan', () => { + const plan = SubscriptionPlan.gold(); + expect(plan.features).toContain("Jusqu'à 20 utilisateurs"); + expect(plan.features).toContain('Intégration API'); }); }); @@ -200,24 +249,24 @@ describe('SubscriptionPlan Value Object', () => { const plans = SubscriptionPlan.getAllPlans(); expect(plans).toHaveLength(4); - expect(plans.map(p => p.value)).toEqual(['FREE', 'STARTER', 'PRO', 'ENTERPRISE']); + expect(plans.map(p => p.value)).toEqual(['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM']); }); }); describe('equals', () => { it('should return true for same plan', () => { - expect(SubscriptionPlan.free().equals(SubscriptionPlan.free())).toBe(true); + expect(SubscriptionPlan.bronze().equals(SubscriptionPlan.bronze())).toBe(true); }); it('should return false for different plans', () => { - expect(SubscriptionPlan.free().equals(SubscriptionPlan.starter())).toBe(false); + expect(SubscriptionPlan.bronze().equals(SubscriptionPlan.silver())).toBe(false); }); }); describe('toString', () => { it('should return plan value as string', () => { - expect(SubscriptionPlan.free().toString()).toBe('FREE'); - expect(SubscriptionPlan.starter().toString()).toBe('STARTER'); + expect(SubscriptionPlan.bronze().toString()).toBe('BRONZE'); + expect(SubscriptionPlan.silver().toString()).toBe('SILVER'); }); }); }); diff --git a/apps/backend/src/domain/value-objects/subscription-plan.vo.ts b/apps/backend/src/domain/value-objects/subscription-plan.vo.ts index f198956..5ffa990 100644 --- a/apps/backend/src/domain/value-objects/subscription-plan.vo.ts +++ b/apps/backend/src/domain/value-objects/subscription-plan.vo.ts @@ -55,7 +55,7 @@ const PLAN_DETAILS: Record = { name: 'Silver', maxLicenses: 5, monthlyPriceEur: 249, - yearlyPriceEur: 2739, // 249 * 11 months + yearlyPriceEur: 2739, maxShipmentsPerYear: -1, commissionRatePercent: 3, statusBadge: 'silver', @@ -75,7 +75,7 @@ const PLAN_DETAILS: Record = { name: 'Gold', maxLicenses: 20, monthlyPriceEur: 899, - yearlyPriceEur: 9889, // 899 * 11 months + yearlyPriceEur: 9889, maxShipmentsPerYear: -1, commissionRatePercent: 2, statusBadge: 'gold', @@ -225,59 +225,35 @@ export class SubscriptionPlan { return PLAN_DETAILS[this.plan].planFeatures; } - /** - * Check if this plan includes a specific feature - */ hasFeature(feature: PlanFeature): boolean { return this.planFeatures.includes(feature); } - /** - * Returns true if this plan has unlimited licenses - */ isUnlimited(): boolean { return this.maxLicenses === -1; } - /** - * Returns true if this plan has unlimited shipments - */ hasUnlimitedShipments(): boolean { return this.maxShipmentsPerYear === -1; } - /** - * Returns true if this is a paid plan - */ isPaid(): boolean { return this.plan !== 'BRONZE'; } - /** - * Returns true if this is the free (Bronze) plan - */ isFree(): boolean { return this.plan === 'BRONZE'; } - /** - * Returns true if this plan has custom pricing (Platinium) - */ isCustomPricing(): boolean { return this.plan === 'PLATINIUM'; } - /** - * Check if a given number of users can be accommodated by this plan - */ canAccommodateUsers(userCount: number): boolean { if (this.isUnlimited()) return true; return userCount <= this.maxLicenses; } - /** - * Check if upgrade to target plan is allowed - */ canUpgradeTo(targetPlan: SubscriptionPlan): boolean { const planOrder: SubscriptionPlanType[] = ['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM']; const currentIndex = planOrder.indexOf(this.plan); @@ -285,15 +261,12 @@ export class SubscriptionPlan { return targetIndex > currentIndex; } - /** - * Check if downgrade to target plan is allowed given current user count - */ canDowngradeTo(targetPlan: SubscriptionPlan, currentUserCount: number): boolean { const planOrder: SubscriptionPlanType[] = ['BRONZE', 'SILVER', 'GOLD', 'PLATINIUM']; const currentIndex = planOrder.indexOf(this.plan); const targetIndex = planOrder.indexOf(targetPlan.value); - if (targetIndex >= currentIndex) return false; // Not a downgrade + if (targetIndex >= currentIndex) return false; return targetPlan.canAccommodateUsers(currentUserCount); } From 850c23c1648afdafa71ae6c3d57554972d7963b0 Mon Sep 17 00:00:00 2001 From: David Date: Mon, 6 Apr 2026 13:09:03 +0200 Subject: [PATCH 6/9] fix --- .github/workflows/cd-preprod.yml | 45 +++++++++++++++++++++++++++++--- .gitignore | 2 ++ 2 files changed, 44 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cd-preprod.yml b/.github/workflows/cd-preprod.yml index 830f19c..1b8887e 100644 --- a/.github/workflows/cd-preprod.yml +++ b/.github/workflows/cd-preprod.yml @@ -217,22 +217,61 @@ jobs: NEXT_PUBLIC_API_URL=${{ secrets.NEXT_PUBLIC_API_URL }} NEXT_PUBLIC_APP_URL=${{ secrets.NEXT_PUBLIC_APP_URL }} + build-log-exporter: + name: Build Log Exporter + runs-on: ubuntu-latest + needs: integration-tests + outputs: + sha: ${{ steps.sha.outputs.short }} + steps: + - uses: actions/checkout@v4 + - name: Short SHA + id: sha + run: echo "short=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT + - uses: docker/setup-buildx-action@v3 + - uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: nologin + password: ${{ secrets.REGISTRY_TOKEN }} + - uses: docker/build-push-action@v5 + with: + context: ./apps/log-exporter + file: ./apps/log-exporter/Dockerfile + push: true + tags: | + ${{ env.REGISTRY }}/xpeditis-log-exporter:preprod + ${{ env.REGISTRY }}/xpeditis-log-exporter:preprod-${{ steps.sha.outputs.short }} + cache-from: type=registry,ref=${{ env.REGISTRY }}/xpeditis-log-exporter:buildcache + cache-to: type=registry,ref=${{ env.REGISTRY }}/xpeditis-log-exporter:buildcache,mode=max + platforms: linux/amd64,linux/arm64 + # ── 5. Deploy via Portainer ────────────────────────────────────────── deploy: name: Deploy to Preprod runs-on: ubuntu-latest - needs: [build-backend, build-frontend] + needs: [build-backend, build-frontend, build-log-exporter] environment: preprod steps: - name: Deploy backend run: | - curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}" + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "${{ secrets.PORTAINER_WEBHOOK_BACKEND }}") + echo "Portainer response: HTTP $HTTP_CODE" + if [[ "$HTTP_CODE" != "2"* ]]; then + echo "ERROR: Portainer webhook failed with HTTP $HTTP_CODE" + exit 1 + fi echo "Backend webhook triggered." - name: Wait for backend startup run: sleep 20 - name: Deploy frontend run: | - curl -sf -X POST "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}" + HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" -X POST "${{ secrets.PORTAINER_WEBHOOK_FRONTEND }}") + echo "Portainer response: HTTP $HTTP_CODE" + if [[ "$HTTP_CODE" != "2"* ]]; then + echo "ERROR: Portainer webhook failed with HTTP $HTTP_CODE" + exit 1 + fi echo "Frontend webhook triggered." # ── 6. Smoke Tests ─────────────────────────────────────────────────── diff --git a/.gitignore b/.gitignore index d8748a3..d74b04b 100644 --- a/.gitignore +++ b/.gitignore @@ -44,6 +44,8 @@ lerna-debug.log* # Docker docker-compose.override.yml +stack-portainer.yaml +tmp.stack-portainer.yaml # Uploads uploads/ From bbf059cce99cfffdbab0857424bd53ab3234e916 Mon Sep 17 00:00:00 2001 From: David Date: Mon, 6 Apr 2026 14:21:32 +0200 Subject: [PATCH 7/9] fix preprod --- apps/backend/src/app.module.ts | 3 + .../src/application/logs/logs.controller.ts | 98 +++++++++++++++++++ .../src/application/logs/logs.module.ts | 9 ++ .../app/dashboard/admin/logs/page.tsx | 13 ++- infra/logging/promtail/promtail-config.yml | 14 +-- 5 files changed, 117 insertions(+), 20 deletions(-) create mode 100644 apps/backend/src/application/logs/logs.controller.ts create mode 100644 apps/backend/src/application/logs/logs.module.ts diff --git a/apps/backend/src/app.module.ts b/apps/backend/src/app.module.ts index 7e7ada3..0ac03c6 100644 --- a/apps/backend/src/app.module.ts +++ b/apps/backend/src/app.module.ts @@ -19,6 +19,7 @@ import { WebhooksModule } from './application/webhooks/webhooks.module'; import { GDPRModule } from './application/gdpr/gdpr.module'; import { CsvBookingsModule } from './application/csv-bookings.module'; import { AdminModule } from './application/admin/admin.module'; +import { LogsModule } from './application/logs/logs.module'; import { SubscriptionsModule } from './application/subscriptions/subscriptions.module'; import { ApiKeysModule } from './application/api-keys/api-keys.module'; import { CacheModule } from './infrastructure/cache/cache.module'; @@ -67,6 +68,7 @@ import { CustomThrottlerGuard } from './application/guards/throttle.guard'; STRIPE_GOLD_YEARLY_PRICE_ID: Joi.string().optional(), STRIPE_PLATINIUM_MONTHLY_PRICE_ID: Joi.string().optional(), STRIPE_PLATINIUM_YEARLY_PRICE_ID: Joi.string().optional(), + LOG_EXPORTER_URL: Joi.string().uri().default('http://xpeditis-log-exporter:3200'), }), }), @@ -147,6 +149,7 @@ import { CustomThrottlerGuard } from './application/guards/throttle.guard'; AdminModule, SubscriptionsModule, ApiKeysModule, + LogsModule, ], controllers: [], providers: [ diff --git a/apps/backend/src/application/logs/logs.controller.ts b/apps/backend/src/application/logs/logs.controller.ts new file mode 100644 index 0000000..1926c1e --- /dev/null +++ b/apps/backend/src/application/logs/logs.controller.ts @@ -0,0 +1,98 @@ +import { + Controller, + Get, + Query, + Res, + UseGuards, + HttpException, + HttpStatus, +} from '@nestjs/common'; +import { Response } from 'express'; +import { ConfigService } from '@nestjs/config'; +import { JwtAuthGuard } from '../guards/jwt-auth.guard'; +import { RolesGuard } from '../guards/roles.guard'; +import { Roles } from '../decorators/roles.decorator'; + +@Controller('logs') +@UseGuards(JwtAuthGuard, RolesGuard) +@Roles('admin') +export class LogsController { + private readonly logExporterUrl: string; + + constructor(private readonly configService: ConfigService) { + this.logExporterUrl = this.configService.get( + 'LOG_EXPORTER_URL', + 'http://xpeditis-log-exporter:3200', + ); + } + + /** + * GET /api/v1/logs/services + * Proxy → log-exporter /api/logs/services + */ + @Get('services') + async getServices() { + try { + const res = await fetch(`${this.logExporterUrl}/api/logs/services`, { + signal: AbortSignal.timeout(5000), + }); + if (!res.ok) throw new Error(`log-exporter error: ${res.status}`); + return res.json(); + } catch (err: any) { + throw new HttpException( + { error: err.message }, + HttpStatus.BAD_GATEWAY, + ); + } + } + + /** + * GET /api/v1/logs/export + * Proxy → log-exporter /api/logs/export (JSON or CSV) + */ + @Get('export') + async exportLogs( + @Query('service') service: string, + @Query('level') level: string, + @Query('search') search: string, + @Query('start') start: string, + @Query('end') end: string, + @Query('limit') limit: string, + @Query('format') format: string = 'json', + @Res() res: Response, + ) { + try { + const params = new URLSearchParams(); + if (service) params.set('service', service); + if (level) params.set('level', level); + if (search) params.set('search', search); + if (start) params.set('start', start); + if (end) params.set('end', end); + if (limit) params.set('limit', limit); + params.set('format', format); + + const upstream = await fetch( + `${this.logExporterUrl}/api/logs/export?${params}`, + { signal: AbortSignal.timeout(30000) }, + ); + + if (!upstream.ok) { + const body = await upstream.json().catch(() => ({})); + throw new HttpException(body, upstream.status); + } + + res.status(upstream.status); + upstream.headers.forEach((value, key) => { + if (['content-type', 'content-disposition'].includes(key.toLowerCase())) { + res.setHeader(key, value); + } + }); + + const buffer = await upstream.arrayBuffer(); + res.send(Buffer.from(buffer)); + } catch (err: any) { + if (err instanceof HttpException) throw err; + throw new HttpException({ error: err.message }, HttpStatus.BAD_GATEWAY); + } + } +} diff --git a/apps/backend/src/application/logs/logs.module.ts b/apps/backend/src/application/logs/logs.module.ts new file mode 100644 index 0000000..ca12157 --- /dev/null +++ b/apps/backend/src/application/logs/logs.module.ts @@ -0,0 +1,9 @@ +import { Module } from '@nestjs/common'; +import { ConfigModule } from '@nestjs/config'; +import { LogsController } from './logs.controller'; + +@Module({ + imports: [ConfigModule], + controllers: [LogsController], +}) +export class LogsModule {} diff --git a/apps/frontend/app/dashboard/admin/logs/page.tsx b/apps/frontend/app/dashboard/admin/logs/page.tsx index edf04ed..9d5c6f2 100644 --- a/apps/frontend/app/dashboard/admin/logs/page.tsx +++ b/apps/frontend/app/dashboard/admin/logs/page.tsx @@ -12,8 +12,8 @@ import { Server, } from 'lucide-react'; -const LOG_EXPORTER_URL = - process.env.NEXT_PUBLIC_LOG_EXPORTER_URL || 'http://localhost:3200'; +const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:4000'; +const LOGS_API_URL = `${API_URL}/api/v1/logs`; // ─── Types ──────────────────────────────────────────────────────────────────── @@ -125,7 +125,7 @@ export default function AdminLogsPage() { // Load available services useEffect(() => { - fetch(`${LOG_EXPORTER_URL}/api/logs/services`) + fetch(`${LOGS_API_URL}/services`) .then(r => r.json()) .then(d => setServices(d.services || [])) .catch(() => {}); @@ -151,7 +151,7 @@ export default function AdminLogsPage() { setError(null); try { const res = await fetch( - `${LOG_EXPORTER_URL}/api/logs/export?${buildQueryString('json')}`, + `${LOGS_API_URL}/export?${buildQueryString('json')}`, ); if (!res.ok) { const body = await res.json().catch(() => ({})); @@ -175,7 +175,7 @@ export default function AdminLogsPage() { setExportLoading(true); try { const res = await fetch( - `${LOG_EXPORTER_URL}/api/logs/export?${buildQueryString(format)}`, + `${LOGS_API_URL}/export?${buildQueryString(format)}`, ); if (!res.ok) throw new Error(`HTTP ${res.status}`); const blob = await res.blob(); @@ -384,8 +384,7 @@ export default function AdminLogsPage() { Impossible de contacter le log-exporter : {error}
    - Vérifiez que le container log-exporter est démarré sur{' '} - {LOG_EXPORTER_URL} + Vérifiez que le backend et le log-exporter sont démarrés.
    diff --git a/infra/logging/promtail/promtail-config.yml b/infra/logging/promtail/promtail-config.yml index 453e222..67c5b6b 100644 --- a/infra/logging/promtail/promtail-config.yml +++ b/infra/logging/promtail/promtail-config.yml @@ -1,53 +1,43 @@ server: http_listen_port: 9080 - grpc_listen_port: 0 log_level: warn positions: filename: /tmp/positions.yaml clients: - - url: http://loki:3100/loki/api/v1/push + - url: http://xpeditis-loki:3100/loki/api/v1/push batchwait: 1s batchsize: 1048576 timeout: 10s scrape_configs: - # ─── Docker container log collection (Mac-compatible via Docker socket API) ─ - job_name: docker docker_sd_configs: - host: unix:///var/run/docker.sock refresh_interval: 5s filters: - # Only collect containers with label: logging=promtail - # Add this label to backend and frontend in docker-compose.dev.yml - name: label values: ['logging=promtail'] relabel_configs: - # Use docker-compose service name as the "service" label - source_labels: ['__meta_docker_container_label_com_docker_compose_service'] target_label: service - # Keep container name for context - source_labels: ['__meta_docker_container_name'] regex: '/?(.*)' replacement: '${1}' target_label: container - # Log stream (stdout / stderr) - source_labels: ['__meta_docker_container_log_stream'] target_label: stream pipeline_stages: - # Drop entries older than 15 min to avoid replaying full container log history - drop: older_than: 15m drop_counter_reason: entry_too_old - # Drop noisy health-check / ping lines - drop: expression: 'GET /(health|metrics|minio/health)' - # Try to parse JSON (NestJS/pino output) - json: expressions: level: level @@ -55,12 +45,10 @@ scrape_configs: context: context reqId: reqId - # Promote parsed fields as Loki labels - labels: level: context: - # Map pino numeric levels to strings - template: source: level template: >- From a5b21436c75f8b6dacbb8eb51b05663f6fb0d86e Mon Sep 17 00:00:00 2001 From: David Date: Mon, 6 Apr 2026 15:21:01 +0200 Subject: [PATCH 8/9] fix --- .../app/dashboard/admin/logs/page.tsx | 32 ++++++------------- 1 file changed, 9 insertions(+), 23 deletions(-) diff --git a/apps/frontend/app/dashboard/admin/logs/page.tsx b/apps/frontend/app/dashboard/admin/logs/page.tsx index 9d5c6f2..b40fe25 100644 --- a/apps/frontend/app/dashboard/admin/logs/page.tsx +++ b/apps/frontend/app/dashboard/admin/logs/page.tsx @@ -11,9 +11,9 @@ import { Bug, Server, } from 'lucide-react'; +import { get, download } from '@/lib/api/client'; -const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:4000'; -const LOGS_API_URL = `${API_URL}/api/v1/logs`; +const LOGS_PREFIX = '/api/v1/logs'; // ─── Types ──────────────────────────────────────────────────────────────────── @@ -125,8 +125,7 @@ export default function AdminLogsPage() { // Load available services useEffect(() => { - fetch(`${LOGS_API_URL}/services`) - .then(r => r.json()) + get<{ services: string[] }>(`${LOGS_PREFIX}/services`) .then(d => setServices(d.services || [])) .catch(() => {}); }, []); @@ -150,14 +149,9 @@ export default function AdminLogsPage() { setLoading(true); setError(null); try { - const res = await fetch( - `${LOGS_API_URL}/export?${buildQueryString('json')}`, + const data = await get( + `${LOGS_PREFIX}/export?${buildQueryString('json')}`, ); - if (!res.ok) { - const body = await res.json().catch(() => ({})); - throw new Error(body.error || `HTTP ${res.status}`); - } - const data: LogsResponse = await res.json(); setLogs(data.logs || []); setTotal(data.total || 0); } catch (err: any) { @@ -174,19 +168,11 @@ export default function AdminLogsPage() { const handleExport = async (format: 'json' | 'csv') => { setExportLoading(true); try { - const res = await fetch( - `${LOGS_API_URL}/export?${buildQueryString(format)}`, + const filename = `xpeditis-logs-${new Date().toISOString().slice(0, 10)}.${format}`; + await download( + `${LOGS_PREFIX}/export?${buildQueryString(format)}`, + filename, ); - if (!res.ok) throw new Error(`HTTP ${res.status}`); - const blob = await res.blob(); - const url = URL.createObjectURL(blob); - const a = document.createElement('a'); - a.href = url; - a.download = `xpeditis-logs-${new Date().toISOString().slice(0, 10)}.${format}`; - document.body.appendChild(a); - a.click(); - document.body.removeChild(a); - URL.revokeObjectURL(url); } catch (err: any) { setError(err.message); } finally { From 40d917e160dc6fd5bff8163eb42d8c08d486a75b Mon Sep 17 00:00:00 2001 From: David Date: Mon, 6 Apr 2026 20:13:17 +0200 Subject: [PATCH 9/9] chore(ci): remove smoke tests from preprod and prod pipelines Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/cd-main.yml | 42 +- .github/workflows/cd-preprod.yml | 37 +- .../controllers/health.controller.ts | 2 + .../dashboards/xpeditis-logs.json | 670 ++++++++---------- .../grafana/provisioning/datasources/loki.yml | 2 +- infra/logging/promtail/promtail-config.yml | 2 +- 6 files changed, 293 insertions(+), 462 deletions(-) diff --git a/.github/workflows/cd-main.yml b/.github/workflows/cd-main.yml index f8f5236..5633e39 100644 --- a/.github/workflows/cd-main.yml +++ b/.github/workflows/cd-main.yml @@ -10,7 +10,7 @@ name: CD Production # If someone merges to main without going through preprod, # this step fails and the deployment is blocked. # -# Flow: quality-gate → verify-image → promote → deploy → smoke-tests → notify +# Flow: quality-gate → verify-image → promote → deploy → notify # # Secrets required: # REGISTRY_TOKEN — Scaleway registry (read/write) @@ -231,47 +231,11 @@ jobs: kubectl rollout status deployment/xpeditis-frontend -n ${{ env.K8S_NAMESPACE }} --timeout=120s echo "Rollback complete. Previous version is live." - # ── 5. Smoke Tests ─────────────────────────────────────────────────── - # kubectl rollout status already verified pod readiness. - # These smoke tests validate the full network path: - # Cloudflare → Hetzner LB → Traefik → pod. - smoke-tests: - name: Smoke Tests - runs-on: ubuntu-latest - needs: deploy - steps: - - name: Wait for LB propagation - run: sleep 30 - - - name: Health — Backend - run: | - for i in {1..12}; do - STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ - "${{ secrets.PROD_BACKEND_URL }}/api/v1/health" 2>/dev/null || echo "000") - echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Backend OK."; exit 0; fi - sleep 15 - done - echo "CRITICAL: Backend unreachable after 12 attempts." - exit 1 - - - name: Health — Frontend - run: | - for i in {1..12}; do - STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ - "${{ secrets.PROD_FRONTEND_URL }}" 2>/dev/null || echo "000") - echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Frontend OK."; exit 0; fi - sleep 15 - done - echo "CRITICAL: Frontend unreachable after 12 attempts." - exit 1 - # ── Notifications ──────────────────────────────────────────────────── notify-success: name: Notify Success runs-on: ubuntu-latest - needs: [verify-image, smoke-tests] + needs: [verify-image, deploy] if: success() steps: - run: | @@ -292,7 +256,7 @@ jobs: notify-failure: name: Notify Failure runs-on: ubuntu-latest - needs: [backend-quality, frontend-quality, backend-tests, frontend-tests, verify-image, promote-images, deploy, smoke-tests] + needs: [backend-quality, frontend-quality, backend-tests, frontend-tests, verify-image, promote-images, deploy] if: failure() steps: - run: | diff --git a/.github/workflows/cd-preprod.yml b/.github/workflows/cd-preprod.yml index 1b8887e..9da16bf 100644 --- a/.github/workflows/cd-preprod.yml +++ b/.github/workflows/cd-preprod.yml @@ -1,7 +1,7 @@ name: CD Preprod # Full pipeline triggered on every push to preprod. -# Flow: lint → unit tests → integration tests → docker build → deploy → smoke tests → notify +# Flow: lint → unit tests → integration tests → docker build → deploy → notify # # Secrets required: # REGISTRY_TOKEN — Scaleway registry (read/write) @@ -274,42 +274,11 @@ jobs: fi echo "Frontend webhook triggered." - # ── 6. Smoke Tests ─────────────────────────────────────────────────── - smoke-tests: - name: Smoke Tests - runs-on: ubuntu-latest - needs: deploy - steps: - - name: Wait for services - run: sleep 40 - - name: Health — Backend - run: | - for i in {1..12}; do - STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ - "${{ secrets.PREPROD_BACKEND_URL }}/api/v1/health" 2>/dev/null || echo "000") - echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Backend OK."; exit 0; fi - sleep 15 - done - echo "Backend unreachable after 12 attempts." - exit 1 - - name: Health — Frontend - run: | - for i in {1..12}; do - STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 \ - "${{ secrets.PREPROD_FRONTEND_URL }}" 2>/dev/null || echo "000") - echo " Attempt $i: HTTP $STATUS" - if [ "$STATUS" = "200" ]; then echo "Frontend OK."; exit 0; fi - sleep 15 - done - echo "Frontend unreachable after 12 attempts." - exit 1 - # ── Notifications ──────────────────────────────────────────────────── notify-success: name: Notify Success runs-on: ubuntu-latest - needs: [build-backend, build-frontend, smoke-tests] + needs: [build-backend, build-frontend, deploy] if: success() steps: - run: | @@ -329,7 +298,7 @@ jobs: notify-failure: name: Notify Failure runs-on: ubuntu-latest - needs: [backend-quality, frontend-quality, backend-tests, frontend-tests, integration-tests, build-backend, build-frontend, deploy, smoke-tests] + needs: [backend-quality, frontend-quality, backend-tests, frontend-tests, integration-tests, build-backend, build-frontend, deploy] if: failure() steps: - run: | diff --git a/apps/backend/src/application/controllers/health.controller.ts b/apps/backend/src/application/controllers/health.controller.ts index 1952eec..67991b5 100644 --- a/apps/backend/src/application/controllers/health.controller.ts +++ b/apps/backend/src/application/controllers/health.controller.ts @@ -1,6 +1,8 @@ import { Controller, Get } from '@nestjs/common'; import { ApiTags, ApiOperation, ApiResponse } from '@nestjs/swagger'; +import { Public } from '../decorators/public.decorator'; +@Public() @ApiTags('health') @Controller('health') export class HealthController { diff --git a/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json b/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json index 96e624f..c930170 100644 --- a/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json +++ b/infra/logging/grafana/provisioning/dashboards/xpeditis-logs.json @@ -1,32 +1,37 @@ { - "title": "Xpeditis — Logs & Monitoring", - "uid": "xpeditis-logs", - "description": "Dashboard complet — logs backend/frontend, métriques HTTP, erreurs", - "tags": ["xpeditis", "logs", "backend", "frontend"], - "timezone": "browser", + "__inputs": [ + { + "name": "DS_LOKI", + "label": "Loki", + "description": "Loki datasource", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__requires": [ + { "type": "grafana", "id": "grafana", "name": "Grafana", "version": "11.0.0" }, + { "type": "datasource", "id": "loki", "name": "Loki", "version": "1.0.0" }, + { "type": "panel", "id": "stat", "name": "Stat", "version": "" }, + { "type": "panel", "id": "timeseries", "name": "Time series", "version": "" }, + { "type": "panel", "id": "piechart", "name": "Pie chart", "version": "" }, + { "type": "panel", "id": "bargauge", "name": "Bar gauge", "version": "" }, + { "type": "panel", "id": "logs", "name": "Logs", "version": "" } + ], + "title": "Xpeditis — Logs & KPIs", + "uid": "xpeditis-logs-kpis", + "description": "Logs applicatifs, KPIs HTTP, temps de réponse et erreurs — Backend & Frontend", + "tags": ["xpeditis", "logs", "monitoring", "backend"], + "timezone": "Europe/Paris", "refresh": "30s", - "schemaVersion": 38, + "schemaVersion": 39, "time": { "from": "now-1h", "to": "now" }, "timepicker": {}, - "fiscalYearStartMonth": 0, "graphTooltip": 1, "editable": true, "version": 1, - "weekStart": "", "links": [], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { "type": "grafana", "uid": "-- Grafana --" }, - "enable": true, - "hide": true, - "iconColor": "rgba(0,211,255,1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, + "annotations": { "list": [] }, "templating": { "list": [ @@ -34,119 +39,99 @@ "name": "service", "label": "Service", "type": "query", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "query": "label_values(service)", "refresh": 2, - "sort": 1, "includeAll": true, "allValue": ".+", - "multi": false, - "hide": 0, + "multi": true, "current": {}, - "options": [] + "hide": 0, + "sort": 1 }, { "name": "level", "label": "Niveau", - "type": "custom", - "query": "All : .+, error : error, fatal : fatal, warn : warn, info : info, debug : debug", - "includeAll": false, - "multi": false, + "type": "query", + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "query": "label_values(level)", + "refresh": 2, + "includeAll": true, + "allValue": ".+", + "multi": true, + "current": {}, "hide": 0, - "current": { "text": "All", "value": ".+" }, - "options": [ - { "text": "All", "value": ".+", "selected": true }, - { "text": "error", "value": "error", "selected": false }, - { "text": "fatal", "value": "fatal", "selected": false }, - { "text": "warn", "value": "warn", "selected": false }, - { "text": "info", "value": "info", "selected": false }, - { "text": "debug", "value": "debug", "selected": false } - ] - }, - { - "name": "search", - "label": "Recherche", - "type": "textbox", - "query": "", - "hide": 0, - "current": { "text": "", "value": "" }, - "options": [{ "selected": true, "text": "", "value": "" }] + "sort": 1 } ] }, "panels": [ - { - "id": 100, - "type": "row", - "title": "Vue d'ensemble", - "collapsed": false, - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 0 } - }, - { "id": 1, - "title": "Total logs", + "title": "Requêtes totales", "type": "stat", - "gridPos": { "h": 4, "w": 4, "x": 0, "y": 1 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 0, "y": 0, "w": 6, "h": 4 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "reduceOptions": { "calcs": ["sum"], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "background", - "graphMode": "area", + "graphMode": "none", "justifyMode": "center" }, "fieldConfig": { "defaults": { - "color": { "mode": "thresholds" }, - "thresholds": { "mode": "absolute", "steps": [{ "color": "blue", "value": null }] }, - "mappings": [] + "color": { "mode": "fixed", "fixedColor": "#10183A" }, + "unit": "short", + "thresholds": { "mode": "absolute", "steps": [{ "color": "#10183A", "value": null }] } }, "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum(count_over_time({service=~\"$service\"} [$__range]))", - "legendFormat": "Total", - "instant": true + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "sum(count_over_time({service=~\"$service\"} | json | req_method != \"\" [$__range]))", + "legendFormat": "Requêtes", + "instant": true, + "range": false, + "refId": "A" } ] }, { "id": 2, - "title": "Erreurs & Fatal", + "title": "Erreurs (error + fatal)", "type": "stat", - "gridPos": { "h": 4, "w": 4, "x": 4, "y": 1 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 6, "y": 0, "w": 6, "h": 4 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "reduceOptions": { "calcs": ["sum"], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "background", - "graphMode": "area", + "graphMode": "none", "justifyMode": "center" }, "fieldConfig": { "defaults": { - "color": { "mode": "thresholds" }, - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "red", "value": 1 }] }, - "mappings": [] + "color": { "mode": "fixed", "fixedColor": "red" }, + "unit": "short", + "thresholds": { "mode": "absolute", "steps": [{ "color": "red", "value": null }] } }, "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "expr": "sum(count_over_time({service=~\"$service\", level=~\"error|fatal\"} [$__range]))", "legendFormat": "Erreurs", - "instant": true + "instant": true, + "range": false, + "refId": "A" } ] }, @@ -155,342 +140,342 @@ "id": 3, "title": "Warnings", "type": "stat", - "gridPos": { "h": 4, "w": 4, "x": 8, "y": 1 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 12, "y": 0, "w": 6, "h": 4 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "reduceOptions": { "calcs": ["sum"], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "background", - "graphMode": "area", + "graphMode": "none", "justifyMode": "center" }, "fieldConfig": { "defaults": { - "color": { "mode": "thresholds" }, - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "orange", "value": 1 }] }, - "mappings": [] + "color": { "mode": "fixed", "fixedColor": "orange" }, + "unit": "short", + "thresholds": { "mode": "absolute", "steps": [{ "color": "orange", "value": null }] } }, "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "expr": "sum(count_over_time({service=~\"$service\", level=\"warn\"} [$__range]))", "legendFormat": "Warnings", - "instant": true + "instant": true, + "range": false, + "refId": "A" } ] }, { "id": 4, - "title": "Info", + "title": "Taux d'erreur", "type": "stat", - "gridPos": { "h": 4, "w": 4, "x": 12, "y": 1 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 18, "y": 0, "w": 6, "h": 4 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, "orientation": "auto", "textMode": "auto", "colorMode": "background", - "graphMode": "area", + "graphMode": "none", "justifyMode": "center" }, "fieldConfig": { "defaults": { - "color": { "fixedColor": "blue", "mode": "fixed" }, - "thresholds": { "mode": "absolute", "steps": [{ "color": "blue", "value": null }] }, - "mappings": [] + "unit": "percentunit", + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "orange", "value": 0.01 }, + { "color": "red", "value": 0.05 } + ] + }, + "color": { "mode": "thresholds" } }, "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum(count_over_time({service=~\"$service\", level=\"info\"} [$__range]))", - "legendFormat": "Info", - "instant": true + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "sum(rate({service=~\"$service\", level=~\"error|fatal\"} [$__interval])) / sum(rate({service=~\"$service\"} [$__interval]))", + "legendFormat": "Taux d'erreur", + "instant": false, + "range": true, + "refId": "A" } ] }, { "id": 5, - "title": "Requêtes HTTP 5xx", - "type": "stat", - "gridPos": { "h": 4, "w": 4, "x": 16, "y": 1 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "title": "Trafic par service (req/s)", + "type": "timeseries", + "gridPos": { "x": 0, "y": 4, "w": 12, "h": 8 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, - "orientation": "auto", - "textMode": "auto", - "colorMode": "background", - "graphMode": "area", - "justifyMode": "center" + "tooltip": { "mode": "multi", "sort": "desc" }, + "legend": { "displayMode": "list", "placement": "bottom" } }, "fieldConfig": { "defaults": { - "color": { "mode": "thresholds" }, - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "red", "value": 1 }] }, - "mappings": [] + "unit": "reqps", + "color": { "mode": "palette-classic" }, + "custom": { + "lineWidth": 2, + "fillOpacity": 10, + "gradientMode": "opacity", + "spanNulls": false + } }, "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 500 [$__range]))", - "legendFormat": "5xx", - "instant": true + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "sum by(service) (rate({service=~\"$service\"} | json | req_method != \"\" [$__interval]))", + "legendFormat": "{{service}}", + "instant": false, + "range": true, + "refId": "A" } ] }, { "id": 6, - "title": "Temps réponse moyen (ms)", - "type": "stat", - "gridPos": { "h": 4, "w": 4, "x": 20, "y": 1 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "title": "Erreurs & Warnings dans le temps", + "type": "timeseries", + "gridPos": { "x": 12, "y": 4, "w": 12, "h": 8 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, - "orientation": "auto", - "textMode": "auto", - "colorMode": "background", - "graphMode": "area", - "justifyMode": "center" + "tooltip": { "mode": "multi", "sort": "desc" }, + "legend": { "displayMode": "list", "placement": "bottom" } }, "fieldConfig": { "defaults": { - "color": { "mode": "thresholds" }, - "unit": "ms", - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "orange", "value": 500 }, { "color": "red", "value": 2000 }] }, - "mappings": [] + "unit": "short", + "color": { "mode": "palette-classic" }, + "custom": { + "lineWidth": 2, + "fillOpacity": 15, + "gradientMode": "opacity" + } }, - "overrides": [] + "overrides": [ + { + "matcher": { "id": "byName", "options": "error" }, + "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "red" } }] + }, + { + "matcher": { "id": "byName", "options": "fatal" }, + "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "dark-red" } }] + }, + { + "matcher": { "id": "byName", "options": "warn" }, + "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "orange" } }] + } + ] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "avg(avg_over_time({service=\"backend\"} | json | unwrap responseTime [$__range]))", - "legendFormat": "Avg", - "instant": true + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "sum by(level) (rate({service=~\"$service\", level=~\"error|fatal|warn\"} [$__interval]))", + "legendFormat": "{{level}}", + "instant": false, + "range": true, + "refId": "A" } ] }, - { - "id": 200, - "type": "row", - "title": "Volume des logs", - "collapsed": false, - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 5 } - }, - { "id": 7, - "title": "Volume par niveau", + "title": "Temps de réponse Backend", "type": "timeseries", - "gridPos": { "h": 8, "w": 14, "x": 0, "y": 6 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 0, "y": 12, "w": 16, "h": 8 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "legend": { "calcs": ["sum"], "displayMode": "list", "placement": "bottom", "showLegend": true }, - "tooltip": { "mode": "multi", "sort": "desc" } + "tooltip": { "mode": "multi", "sort": "desc" }, + "legend": { "displayMode": "list", "placement": "bottom" } }, "fieldConfig": { "defaults": { + "unit": "ms", "color": { "mode": "palette-classic" }, "custom": { - "drawStyle": "bars", - "fillOpacity": 80, - "stacking": { "group": "A", "mode": "normal" }, - "lineWidth": 1, - "pointSize": 5, - "showPoints": "never", - "spanNulls": false + "lineWidth": 2, + "fillOpacity": 8, + "gradientMode": "opacity" }, - "unit": "short", - "mappings": [], - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] } + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "orange", "value": 500 }, + { "color": "red", "value": 1000 } + ] + } }, "overrides": [ - { "matcher": { "id": "byName", "options": "error" }, "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }] }, - { "matcher": { "id": "byName", "options": "fatal" }, "properties": [{ "id": "color", "value": { "fixedColor": "dark-red", "mode": "fixed" } }] }, - { "matcher": { "id": "byName", "options": "warn" }, "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }] }, - { "matcher": { "id": "byName", "options": "info" }, "properties": [{ "id": "color", "value": { "fixedColor": "blue", "mode": "fixed" } }] }, - { "matcher": { "id": "byName", "options": "debug" }, "properties": [{ "id": "color", "value": { "fixedColor": "gray", "mode": "fixed" } }] } + { + "matcher": { "id": "byName", "options": "Pire cas (1% des requêtes)" }, + "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "red" } }] + }, + { + "matcher": { "id": "byName", "options": "Lent (5% des requêtes)" }, + "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "orange" } }] + }, + { + "matcher": { "id": "byName", "options": "Temps médian (requête typique)" }, + "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "#34CCCD" } }] + } ] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum by (level) (count_over_time({service=~\"$service\", level=~\".+\"} [$__interval]))", - "legendFormat": "{{level}}" + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "quantile_over_time(0.50, {service=\"backend\"} | json | responseTime > 0 | unwrap responseTime [$__interval])", + "legendFormat": "Temps médian (requête typique)", + "instant": false, + "range": true, + "refId": "A" + }, + { + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "quantile_over_time(0.95, {service=\"backend\"} | json | responseTime > 0 | unwrap responseTime [$__interval])", + "legendFormat": "Lent (5% des requêtes)", + "instant": false, + "range": true, + "refId": "B" + }, + { + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "quantile_over_time(0.99, {service=\"backend\"} | json | responseTime > 0 | unwrap responseTime [$__interval])", + "legendFormat": "Pire cas (1% des requêtes)", + "instant": false, + "range": true, + "refId": "C" } ] }, { "id": 8, - "title": "Volume par service", - "type": "timeseries", - "gridPos": { "h": 8, "w": 10, "x": 14, "y": 6 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "title": "Répartition par niveau de log", + "type": "piechart", + "gridPos": { "x": 16, "y": 12, "w": 8, "h": 8 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "legend": { "calcs": ["sum"], "displayMode": "list", "placement": "bottom", "showLegend": true }, - "tooltip": { "mode": "multi", "sort": "desc" } + "pieType": "donut", + "tooltip": { "mode": "single" }, + "legend": { "displayMode": "list", "placement": "bottom", "values": ["percent"] } }, "fieldConfig": { - "defaults": { - "color": { "mode": "palette-classic" }, - "custom": { - "drawStyle": "bars", - "fillOpacity": 60, - "stacking": { "group": "A", "mode": "normal" }, - "lineWidth": 1, - "showPoints": "never", - "spanNulls": false - }, - "unit": "short", - "mappings": [], - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] } - }, - "overrides": [] + "defaults": { "unit": "short", "color": { "mode": "palette-classic" } }, + "overrides": [ + { "matcher": { "id": "byName", "options": "error" }, "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "red" } }] }, + { "matcher": { "id": "byName", "options": "fatal" }, "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "dark-red" } }] }, + { "matcher": { "id": "byName", "options": "warn" }, "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "orange" } }] }, + { "matcher": { "id": "byName", "options": "info" }, "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "#34CCCD" } }] }, + { "matcher": { "id": "byName", "options": "debug" }, "properties": [{ "id": "color", "value": { "mode": "fixed", "fixedColor": "blue" } }] } + ] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum by (service) (count_over_time({service=~\"$service\"} [$__interval]))", - "legendFormat": "{{service}}" + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "sum by(level) (count_over_time({service=~\"$service\", level=~\"$level\"} [$__range]))", + "legendFormat": "{{level}}", + "instant": true, + "range": false, + "refId": "A" } ] }, - { - "id": 300, - "type": "row", - "title": "HTTP — Backend", - "collapsed": false, - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 14 } - }, - { "id": 9, - "title": "Taux d'erreur HTTP", - "type": "timeseries", - "gridPos": { "h": 8, "w": 12, "x": 0, "y": 15 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "title": "Codes HTTP (5m)", + "type": "bargauge", + "gridPos": { "x": 0, "y": 20, "w": 12, "h": 8 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "legend": { "calcs": ["max", "mean"], "displayMode": "list", "placement": "bottom", "showLegend": true }, - "tooltip": { "mode": "multi", "sort": "desc" } + "orientation": "horizontal", + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "displayMode": "gradient", + "valueMode": "color", + "showUnfilled": true, + "minVizWidth": 10, + "minVizHeight": 10 }, "fieldConfig": { "defaults": { - "color": { "mode": "palette-classic" }, - "custom": { - "drawStyle": "line", - "fillOpacity": 20, - "lineWidth": 2, - "pointSize": 5, - "showPoints": "never", - "spanNulls": false - }, "unit": "short", - "mappings": [], - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }] } + "color": { "mode": "palette-classic" }, + "thresholds": { + "mode": "absolute", + "steps": [ + { "color": "green", "value": null }, + { "color": "orange", "value": 1 } + ] + } }, - "overrides": [ - { "matcher": { "id": "byName", "options": "5xx" }, "properties": [{ "id": "color", "value": { "fixedColor": "red", "mode": "fixed" } }] }, - { "matcher": { "id": "byName", "options": "4xx" }, "properties": [{ "id": "color", "value": { "fixedColor": "orange", "mode": "fixed" } }] }, - { "matcher": { "id": "byName", "options": "2xx" }, "properties": [{ "id": "color", "value": { "fixedColor": "green", "mode": "fixed" } }] } - ] + "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 500 [$__interval]))", - "legendFormat": "5xx" - }, - { - "refId": "B", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 400 < 500 [$__interval]))", - "legendFormat": "4xx" - }, - { - "refId": "C", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "sum(count_over_time({service=\"backend\"} | json | res_statusCode >= 200 < 300 [$__interval]))", - "legendFormat": "2xx" + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "sum by(status_code) (count_over_time({service=\"backend\"} | json | res_statusCode != \"\" | label_format status_code=\"{{res_statusCode}}\" [$__range]))", + "legendFormat": "HTTP {{status_code}}", + "instant": true, + "range": false, + "refId": "A" } ] }, { "id": 10, - "title": "Temps de réponse (ms)", - "type": "timeseries", - "gridPos": { "h": 8, "w": 12, "x": 12, "y": 15 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "title": "Top erreurs par contexte NestJS", + "type": "bargauge", + "gridPos": { "x": 12, "y": 20, "w": 12, "h": 8 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { - "legend": { "calcs": ["max", "mean"], "displayMode": "list", "placement": "bottom", "showLegend": true }, - "tooltip": { "mode": "multi", "sort": "desc" } + "orientation": "horizontal", + "reduceOptions": { "calcs": ["lastNotNull"], "fields": "", "values": false }, + "displayMode": "gradient", + "showUnfilled": true }, "fieldConfig": { "defaults": { - "color": { "mode": "palette-classic" }, - "custom": { - "drawStyle": "line", - "fillOpacity": 10, - "lineWidth": 2, - "pointSize": 5, - "showPoints": "never", - "spanNulls": false - }, - "unit": "ms", - "mappings": [], - "thresholds": { "mode": "absolute", "steps": [{ "color": "green", "value": null }, { "color": "orange", "value": 500 }, { "color": "red", "value": 2000 }] } + "unit": "short", + "color": { "mode": "fixed", "fixedColor": "red" }, + "thresholds": { "mode": "absolute", "steps": [{ "color": "red", "value": null }] } }, "overrides": [] }, "targets": [ { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "avg(avg_over_time({service=\"backend\"} | json | unwrap responseTime [$__interval]))", - "legendFormat": "Moy" - }, - { - "refId": "B", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "max(max_over_time({service=\"backend\"} | json | unwrap responseTime [$__interval]))", - "legendFormat": "Max" + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "topk(10, sum by(context) (count_over_time({service=\"backend\", level=~\"error|fatal\"} | json | context != \"\" [$__range]) ))", + "legendFormat": "{{context}}", + "instant": true, + "range": false, + "refId": "A" } ] }, - { - "id": 400, - "type": "row", - "title": "Logs — Flux en direct", - "collapsed": false, - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 23 } - }, - { "id": 11, - "title": "Backend — Logs", + "title": "Logs — Backend", "type": "logs", - "gridPos": { "h": 14, "w": 12, "x": 0, "y": 24 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 0, "y": 28, "w": 24, "h": 12 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { "dedupStrategy": "none", "enableLogDetails": true, @@ -503,24 +488,27 @@ }, "targets": [ { + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "{service=\"backend\", level=~\"$level\"}", + "legendFormat": "", + "instant": false, + "range": true, "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "{service=\"backend\", level=~\"$level\"} |= \"$search\"", - "legendFormat": "" + "maxLines": 500 } ] }, { "id": 12, - "title": "Frontend — Logs", + "title": "Logs — Frontend", "type": "logs", - "gridPos": { "h": 14, "w": 12, "x": 12, "y": 24 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, + "gridPos": { "x": 0, "y": 40, "w": 24, "h": 10 }, + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, "options": { "dedupStrategy": "none", "enableLogDetails": true, - "prettifyLogMessage": true, + "prettifyLogMessage": false, "showCommonLabels": false, "showLabels": false, "showTime": true, @@ -529,105 +517,13 @@ }, "targets": [ { + "datasource": { "type": "loki", "uid": "${DS_LOKI}" }, + "expr": "{service=\"frontend\"}", + "legendFormat": "", + "instant": false, + "range": true, "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "{service=\"frontend\", level=~\"$level\"} |= \"$search\"", - "legendFormat": "" - } - ] - }, - - { - "id": 500, - "type": "row", - "title": "Tous les logs filtrés", - "collapsed": false, - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 38 } - }, - - { - "id": 13, - "title": "Flux filtré — $service / $level", - "description": "Utilisez les variables en haut pour filtrer par service, niveau ou mot-clé", - "type": "logs", - "gridPos": { "h": 14, "w": 24, "x": 0, "y": 39 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "options": { - "dedupStrategy": "none", - "enableLogDetails": true, - "prettifyLogMessage": true, - "showCommonLabels": false, - "showLabels": true, - "showTime": true, - "sortOrder": "Descending", - "wrapLogMessage": true - }, - "targets": [ - { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "{service=~\"$service\", level=~\"$level\"} |= \"$search\"", - "legendFormat": "" - } - ] - }, - - { - "id": 600, - "type": "row", - "title": "Erreurs & Exceptions", - "collapsed": false, - "gridPos": { "h": 1, "w": 24, "x": 0, "y": 53 } - }, - - { - "id": 14, - "title": "Erreurs — Backend", - "type": "logs", - "gridPos": { "h": 10, "w": 12, "x": 0, "y": 54 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "options": { - "dedupStrategy": "signature", - "enableLogDetails": true, - "prettifyLogMessage": true, - "showCommonLabels": false, - "showLabels": false, - "showTime": true, - "sortOrder": "Descending", - "wrapLogMessage": true - }, - "targets": [ - { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "{service=\"backend\", level=~\"error|fatal\"}", - "legendFormat": "" - } - ] - }, - - { - "id": 15, - "title": "Erreurs — Frontend", - "type": "logs", - "gridPos": { "h": 10, "w": 12, "x": 12, "y": 54 }, - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "options": { - "dedupStrategy": "signature", - "enableLogDetails": true, - "prettifyLogMessage": true, - "showCommonLabels": false, - "showLabels": false, - "showTime": true, - "sortOrder": "Descending", - "wrapLogMessage": true - }, - "targets": [ - { - "refId": "A", - "datasource": { "type": "loki", "uid": "loki-xpeditis" }, - "expr": "{service=\"frontend\", level=~\"error|fatal\"}", - "legendFormat": "" + "maxLines": 200 } ] } diff --git a/infra/logging/grafana/provisioning/datasources/loki.yml b/infra/logging/grafana/provisioning/datasources/loki.yml index b3102e9..3d48bde 100644 --- a/infra/logging/grafana/provisioning/datasources/loki.yml +++ b/infra/logging/grafana/provisioning/datasources/loki.yml @@ -5,7 +5,7 @@ datasources: uid: loki-xpeditis type: loki access: proxy - url: http://loki:3100 + url: http://xpeditis-loki:3100 isDefault: true version: 1 editable: false diff --git a/infra/logging/promtail/promtail-config.yml b/infra/logging/promtail/promtail-config.yml index 67c5b6b..df36f4a 100644 --- a/infra/logging/promtail/promtail-config.yml +++ b/infra/logging/promtail/promtail-config.yml @@ -21,7 +21,7 @@ scrape_configs: values: ['logging=promtail'] relabel_configs: - - source_labels: ['__meta_docker_container_label_com_docker_compose_service'] + - source_labels: ['__meta_docker_container_label_logging_service'] target_label: service - source_labels: ['__meta_docker_container_name'] regex: '/?(.*)'