feat: Production hardening + 20 future-proofing features (60 microservices, full-stack)

.dockerignore

@@ -0,0 +1,22 @@
+node_modules
+.pnpm-store
+dist
+.git
+.github
+coverage
+*.log
+.env*
+.DS_Store
+Thumbs.db
+tb-sidecar/tb-sidecar
+tb-sidecar/vendor
+offline-queue
+analytics-service/__pycache__
+analytics-service/.venv
+resilience-agent/vendor
+k6
+tests/integration
+docs
+archives
+*.tar.gz
+*.zip

.env.production.example

@@ -0,0 +1,103 @@
+# ─────────────────────────────────────────────────────────────────────────────
+# 54Link Agency Banking Platform — Production Environment Variables
+# Copy to .env.production and fill in all values before deploying
+# NEVER commit .env.production to version control
+# ─────────────────────────────────────────────────────────────────────────────
+
+# ── Domain ────────────────────────────────────────────────────────────────────
+DOMAIN=54link.ng
+KEYCLOAK_HOSTNAME=keycloak.54link.ng
+GRAFANA_DOMAIN=grafana.54link.ng
+ALERTMANAGER_DOMAIN=alerts.54link.ng
+
+# ── PostgreSQL ────────────────────────────────────────────────────────────────
+POSTGRES_DB=54link
+POSTGRES_USER=54link
+POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD_32CHARS
+POSTGRES_PORT=5432
+DATABASE_URL=postgresql://54link:CHANGE_ME_STRONG_PASSWORD_32CHARS@postgres:5432/54link
+
+# ── Redis ─────────────────────────────────────────────────────────────────────
+REDIS_PASSWORD=CHANGE_ME_REDIS_PASSWORD_24CHARS
+REDIS_PORT=6379
+REDIS_URL=redis://:CHANGE_ME_REDIS_PASSWORD_24CHARS@redis:6379
+
+# ── Kafka ─────────────────────────────────────────────────────────────────────
+KAFKA_PORT=9092
+KAFKA_UI_USER=admin
+KAFKA_UI_PASSWORD=CHANGE_ME_KAFKA_UI_PASSWORD
+
+# ── TigerBeetle ───────────────────────────────────────────────────────────────
+TIGERBEETLE_PORT=3001
+
+# ── Temporal ──────────────────────────────────────────────────────────────────
+TEMPORAL_PORT=7233
+
+# ── Keycloak ──────────────────────────────────────────────────────────────────
+KEYCLOAK_PORT=8080
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_KEYCLOAK_ADMIN_PASSWORD
+KEYCLOAK_REALM=54link
+KEYCLOAK_CLIENT_ID=pos-shell
+KEYCLOAK_CLIENT_SECRET=CHANGE_ME_KEYCLOAK_CLIENT_SECRET
+
+# ── Permify ───────────────────────────────────────────────────────────────────
+PERMIFY_PORT=3476
+
+# ── APISIX ────────────────────────────────────────────────────────────────────
+APISIX_ADMIN_KEY=CHANGE_ME_APISIX_ADMIN_KEY_32CHARS
+APISIX_VIEWER_KEY=CHANGE_ME_APISIX_VIEWER_KEY_32CHARS
+
+# ── HashiCorp Vault ───────────────────────────────────────────────────────────
+VAULT_PORT=8200
+VAULT_ROOT_TOKEN=CHANGE_ME_VAULT_ROOT_TOKEN
+VAULT_APP_TOKEN=CHANGE_ME_VAULT_APP_TOKEN
+
+# ── Application ───────────────────────────────────────────────────────────────
+NODE_ENV=production
+JWT_SECRET=CHANGE_ME_JWT_SECRET_64CHARS_MINIMUM_FOR_HS512
+LOG_LEVEL=info
+
+# ── Manus OAuth (dev/staging only) ────────────────────────────────────────────
+VITE_APP_ID=your-manus-app-id
+OAUTH_SERVER_URL=https://api.manus.im
+VITE_OAUTH_PORTAL_URL=https://manus.im
+VITE_FRONTEND_FORGE_API_KEY=your-forge-api-key
+VITE_FRONTEND_FORGE_API_URL=https://api.manus.im
+BUILT_IN_FORGE_API_KEY=your-built-in-forge-api-key
+BUILT_IN_FORGE_API_URL=https://api.manus.im
+
+# ── AWS (S3 for firmware OTA) ─────────────────────────────────────────────────
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+AWS_REGION=us-east-1
+S3_BUCKET=54link-firmware
+
+# ── FIDO2 ─────────────────────────────────────────────────────────────────────
+FIDO2_RP_ID=54link.ng
+FIDO2_RP_NAME=54Link POS
+FIDO2_ORIGIN=https://54link.ng
+
+# ── SMTP ──────────────────────────────────────────────────────────────────────
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_USER=alerts@54link.ng
+SMTP_PASS=CHANGE_ME_SMTP_PASSWORD
+SMTP_FROM=noreply@54link.ng
+
+# ── Grafana ───────────────────────────────────────────────────────────────────
+GRAFANA_USER=admin
+GRAFANA_PASSWORD=CHANGE_ME_GRAFANA_PASSWORD
+
+# ── WhatsApp Business API ─────────────────────────────────────────────────────
+WHATSAPP_TOKEN=CHANGE_ME_WHATSAPP_TOKEN
+WHATSAPP_PHONE_ID=CHANGE_ME_WHATSAPP_PHONE_ID
+
+# ── Slack (Alertmanager notifications) ───────────────────────────────────────
+SLACK_WEBHOOK_URL=https://hooks.slack.com/services/CHANGE_ME
+
+# ── PagerDuty (escalation) ────────────────────────────────────────────────────
+PAGERDUTY_INTEGRATION_KEY=CHANGE_ME_PAGERDUTY_KEY
+
+# ── Workflow Orchestrator ─────────────────────────────────────────────────────
+KEYCLOAK_CLIENT_SECRET_WORKFLOW=CHANGE_ME_WORKFLOW_CLIENT_SECRET

.github/CODEOWNERS

@@ -0,0 +1,36 @@
+# 54Link POS Shell — Code Owners
+# These owners are automatically requested for review on PRs.
+
+# Global owners (required for all PRs)
+*                           @54link/platform-team
+
+# Security-sensitive files require security team review
+server/_core/               @54link/security-team @54link/platform-team
+.github/workflows/          @54link/security-team @54link/platform-team
+.gitleaks.toml              @54link/security-team
+scripts/rotate-secrets.sh   @54link/security-team
+scripts/bootstrap-production.sh @54link/security-team
+
+# Financial logic requires fintech team review
+server/routers/transactions.ts  @54link/fintech-team @54link/platform-team
+server/routers/settlement.ts    @54link/fintech-team @54link/platform-team
+server/routers/agentManagement.ts @54link/fintech-team
+
+# CBN compliance requires compliance team review
+services/python/cbn-reporting-engine/ @54link/compliance-team @54link/platform-team
+server/routers/cbnReporting.ts        @54link/compliance-team
+
+# MDM requires device team review
+server/routers/mdm.ts              @54link/device-team @54link/platform-team
+services/go/mdm-compliance-engine/ @54link/device-team
+android-native/                    @54link/device-team
+
+# Database schema changes require DBA review
+drizzle/schema.ts   @54link/dba-team @54link/platform-team
+drizzle/            @54link/dba-team
+
+# Infrastructure changes require DevOps review
+docker-compose*.yml     @54link/devops-team
+infra/                  @54link/devops-team
+monitoring/             @54link/devops-team
+nginx.conf              @54link/devops-team

.github/branch-protection.json

@@ -0,0 +1,104 @@
+{
+  "_comment": "GitHub Branch Protection Rules for 54Link POS Shell",
+  "_description": "Apply via: scripts/setup-branch-protection.sh",
+  "_docs": "https://docs.github.com/en/rest/branches/branch-protection",
+
+  "main": {
+    "required_status_checks": {
+      "strict": true,
+      "contexts": [
+        "Secret Scanning (Gitleaks)",
+        "Snyk CVE Scan",
+        "Type check",
+        "Lint",
+        "Unit tests (Vitest)",
+        "Production build",
+        "Go services build & test",
+        "Python services test",
+        "Playwright Tests (1/3)",
+        "Playwright Tests (2/3)",
+        "Playwright Tests (3/3)",
+        "OWASP ZAP DAST Scan",
+        "Prometheus alert lint"
+      ]
+    },
+    "enforce_admins": true,
+    "required_pull_request_reviews": {
+      "dismiss_stale_reviews": true,
+      "require_code_owner_reviews": true,
+      "required_approving_review_count": 2,
+      "require_last_push_approval": true
+    },
+    "restrictions": null,
+    "allow_force_pushes": false,
+    "allow_deletions": false,
+    "block_creations": false,
+    "required_conversation_resolution": true,
+    "lock_branch": false,
+    "allow_fork_syncing": false,
+    "required_linear_history": true,
+    "required_signatures": false
+  },
+
+  "develop": {
+    "required_status_checks": {
+      "strict": true,
+      "contexts": [
+        "Secret Scanning (Gitleaks)",
+        "Type check",
+        "Lint",
+        "Unit tests (Vitest)",
+        "Production build"
+      ]
+    },
+    "enforce_admins": false,
+    "required_pull_request_reviews": {
+      "dismiss_stale_reviews": true,
+      "require_code_owner_reviews": false,
+      "required_approving_review_count": 1,
+      "require_last_push_approval": false
+    },
+    "restrictions": null,
+    "allow_force_pushes": false,
+    "allow_deletions": false,
+    "block_creations": false,
+    "required_conversation_resolution": true,
+    "lock_branch": false,
+    "allow_fork_syncing": true,
+    "required_linear_history": false,
+    "required_signatures": false
+  },
+
+  "release/*": {
+    "required_status_checks": {
+      "strict": true,
+      "contexts": [
+        "Secret Scanning (Gitleaks)",
+        "Snyk CVE Scan",
+        "Type check",
+        "Lint",
+        "Unit tests (Vitest)",
+        "Production build",
+        "Playwright Tests (1/3)",
+        "Playwright Tests (2/3)",
+        "Playwright Tests (3/3)"
+      ]
+    },
+    "enforce_admins": true,
+    "required_pull_request_reviews": {
+      "dismiss_stale_reviews": true,
+      "require_code_owner_reviews": true,
+      "required_approving_review_count": 2,
+      "require_last_push_approval": true
+    },
+    "restrictions": null,
+    "allow_force_pushes": false,
+    "allow_deletions": false,
+    "block_creations": false,
+    "required_conversation_resolution": true,
+    "lock_branch": false,
+    "allow_fork_syncing": false,
+    "required_linear_history": true,
+    "required_signatures": false
+  }
+}