feat(payments): live payment-availability kill switch + per-account override
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 21s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 2m0s
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 21s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 2m0s
Let an operator disable purchases live from the admin — a whole rail/channel or one account — and show the user a localized reason on their next attempt, so a provider outage or a misconfig is explained instead of a silent dead button. - rail kill switch (payments.rail_status, per rail direct:web / direct:android / vk / telegram): enabled + a per-language message, edited on the catalog page. Fail-open — a rail with no row stays enabled, so payments are never accidentally killed. The intake gate (CanPurchase in handleWalletOrder, before the order) returns payment_unavailable + the localized message, orthogonal to the security gates. - per-account override (payments.account_payment_override, a row only for non-default): allow / deny / default, edited on the user card. "allow" bypasses ONLY the ops rail switch, never the security gates (trusted platform, the email anchor, the VK-iOS freeze, the min client version). - wire: an additive ExecuteResponse.message envelope field (frozen-contract-safe); the gateway forwards a backend domain-error message; the client shows it on a payment_unavailable buy attempt. - admin: rail toggles on the catalog page, the override control on the user card. - tests: the pure gate (unit, TDD), the store + gate + override end-to-end (integration, migration 00016), the client (svelte-check / vitest). - docs: PAYMENTS (+ru), the decisions log (D45/D46). Fiscalization stays cabinet-side (owner decision) — no itemized-receipt code. Contour-safe: additive migration (two new tables, no wipe), the wire add is additive, and fail-open so nothing is disabled until an operator acts.
This commit is contained in:
@@ -94,10 +94,14 @@ func (x *ExecuteRequest) GetRequestId() string {
|
||||
// ExecuteResponse is the unary reply. result_code is "ok" on success or a stable
|
||||
// error code; payload is the FlatBuffers-encoded response body (empty on error).
|
||||
type ExecuteResponse struct {
|
||||
state protoimpl.MessageState `protogen:"open.v1"`
|
||||
RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
|
||||
ResultCode string `protobuf:"bytes,2,opt,name=result_code,json=resultCode,proto3" json:"result_code,omitempty"`
|
||||
Payload []byte `protobuf:"bytes,3,opt,name=payload,proto3" json:"payload,omitempty"`
|
||||
state protoimpl.MessageState `protogen:"open.v1"`
|
||||
RequestId string `protobuf:"bytes,1,opt,name=request_id,json=requestId,proto3" json:"request_id,omitempty"`
|
||||
ResultCode string `protobuf:"bytes,2,opt,name=result_code,json=resultCode,proto3" json:"result_code,omitempty"`
|
||||
Payload []byte `protobuf:"bytes,3,opt,name=payload,proto3" json:"payload,omitempty"`
|
||||
// message is an optional, already-localized human-readable reason a domain outcome may carry for
|
||||
// the user (e.g. a payment-unavailable explanation set by an operator). Additive and
|
||||
// frozen-contract-safe; empty for the common case where result_code alone suffices.
|
||||
Message string `protobuf:"bytes,4,opt,name=message,proto3" json:"message,omitempty"`
|
||||
unknownFields protoimpl.UnknownFields
|
||||
sizeCache protoimpl.SizeCache
|
||||
}
|
||||
@@ -153,6 +157,13 @@ func (x *ExecuteResponse) GetPayload() []byte {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (x *ExecuteResponse) GetMessage() string {
|
||||
if x != nil {
|
||||
return x.Message
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// SubscribeRequest opens the live stream. It is empty: the session is taken from
|
||||
// the Authorization header.
|
||||
type SubscribeRequest struct {
|
||||
@@ -262,13 +273,14 @@ const file_edge_v1_edge_proto_rawDesc = "" +
|
||||
"\fmessage_type\x18\x01 \x01(\tR\vmessageType\x12\x18\n" +
|
||||
"\apayload\x18\x02 \x01(\fR\apayload\x12\x1d\n" +
|
||||
"\n" +
|
||||
"request_id\x18\x03 \x01(\tR\trequestId\"k\n" +
|
||||
"request_id\x18\x03 \x01(\tR\trequestId\"\x85\x01\n" +
|
||||
"\x0fExecuteResponse\x12\x1d\n" +
|
||||
"\n" +
|
||||
"request_id\x18\x01 \x01(\tR\trequestId\x12\x1f\n" +
|
||||
"\vresult_code\x18\x02 \x01(\tR\n" +
|
||||
"resultCode\x12\x18\n" +
|
||||
"\apayload\x18\x03 \x01(\fR\apayload\"\x12\n" +
|
||||
"\apayload\x18\x03 \x01(\fR\apayload\x12\x18\n" +
|
||||
"\amessage\x18\x04 \x01(\tR\amessage\"\x12\n" +
|
||||
"\x10SubscribeRequest\"P\n" +
|
||||
"\x05Event\x12\x12\n" +
|
||||
"\x04kind\x18\x01 \x01(\tR\x04kind\x12\x18\n" +
|
||||
|
||||
@@ -35,6 +35,10 @@ message ExecuteResponse {
|
||||
string request_id = 1;
|
||||
string result_code = 2;
|
||||
bytes payload = 3;
|
||||
// message is an optional, already-localized human-readable reason a domain outcome may carry for
|
||||
// the user (e.g. a payment-unavailable explanation set by an operator). Additive and
|
||||
// frozen-contract-safe; empty for the common case where result_code alone suffices.
|
||||
string message = 4;
|
||||
}
|
||||
|
||||
// SubscribeRequest opens the live stream. It is empty: the session is taken from
|
||||
|
||||
Reference in New Issue
Block a user