1507ceb793
CI / changes (pull_request) Successful in 3s
CI / unit (pull_request) Successful in 11s
CI / integration (pull_request) Successful in 21s
CI / ui (pull_request) Successful in 1m15s
CI / conformance (pull_request) Successful in 10s
CI / gate (pull_request) Successful in 0s
CI / deploy (pull_request) Successful in 2m0s
Let an operator disable purchases live from the admin — a whole rail/channel or one account — and show the user a localized reason on their next attempt, so a provider outage or a misconfig is explained instead of a silent dead button. - rail kill switch (payments.rail_status, per rail direct:web / direct:android / vk / telegram): enabled + a per-language message, edited on the catalog page. Fail-open — a rail with no row stays enabled, so payments are never accidentally killed. The intake gate (CanPurchase in handleWalletOrder, before the order) returns payment_unavailable + the localized message, orthogonal to the security gates. - per-account override (payments.account_payment_override, a row only for non-default): allow / deny / default, edited on the user card. "allow" bypasses ONLY the ops rail switch, never the security gates (trusted platform, the email anchor, the VK-iOS freeze, the min client version). - wire: an additive ExecuteResponse.message envelope field (frozen-contract-safe); the gateway forwards a backend domain-error message; the client shows it on a payment_unavailable buy attempt. - admin: rail toggles on the catalog page, the override control on the user card. - tests: the pure gate (unit, TDD), the store + gate + override end-to-end (integration, migration 00016), the client (svelte-check / vitest). - docs: PAYMENTS (+ru), the decisions log (D45/D46). Fiscalization stays cabinet-side (owner decision) — no itemized-receipt code. Contour-safe: additive migration (two new tables, no wipe), the wire add is additive, and fail-open so nothing is disabled until an operator acts.
55 lines
2.2 KiB
Protocol Buffer
55 lines
2.2 KiB
Protocol Buffer
syntax = "proto3";
|
|
|
|
// Package scrabble.edge.v1 is the client <-> gateway Connect-RPC contract. It is
|
|
// deliberately minimal (ARCHITECTURE.md §2): a single unary Execute that routes
|
|
// by message_type, and a server-streaming Subscribe for the in-app live channel.
|
|
// The actual request/response and event bodies travel as FlatBuffers bytes in the
|
|
// payload fields (pkg/fbs). The session token rides in the Authorization header,
|
|
// not the envelope (no per-request signing — ARCHITECTURE.md §3).
|
|
package scrabble.edge.v1;
|
|
|
|
option go_package = "scrabble/gateway/proto/edge/v1;edgev1";
|
|
|
|
// Gateway is the public edge service.
|
|
service Gateway {
|
|
// Execute runs one unary operation identified by message_type. Auth operations
|
|
// (auth.*) are unauthenticated and return a minted session; all others require
|
|
// a valid session token in the Authorization header.
|
|
rpc Execute(ExecuteRequest) returns (ExecuteResponse);
|
|
// Subscribe opens the in-app live-event stream for the authenticated session.
|
|
rpc Subscribe(SubscribeRequest) returns (stream Event);
|
|
}
|
|
|
|
// ExecuteRequest is the unary envelope. message_type selects the operation;
|
|
// payload is its FlatBuffers-encoded request body; request_id is an optional
|
|
// client correlation id echoed back.
|
|
message ExecuteRequest {
|
|
string message_type = 1;
|
|
bytes payload = 2;
|
|
string request_id = 3;
|
|
}
|
|
|
|
// ExecuteResponse is the unary reply. result_code is "ok" on success or a stable
|
|
// error code; payload is the FlatBuffers-encoded response body (empty on error).
|
|
message ExecuteResponse {
|
|
string request_id = 1;
|
|
string result_code = 2;
|
|
bytes payload = 3;
|
|
// message is an optional, already-localized human-readable reason a domain outcome may carry for
|
|
// the user (e.g. a payment-unavailable explanation set by an operator). Additive and
|
|
// frozen-contract-safe; empty for the common case where result_code alone suffices.
|
|
string message = 4;
|
|
}
|
|
|
|
// SubscribeRequest opens the live stream. It is empty: the session is taken from
|
|
// the Authorization header.
|
|
message SubscribeRequest {}
|
|
|
|
// Event is one live event. kind is the notification catalog kind; payload is its
|
|
// FlatBuffers-encoded body; event_id is a correlation id.
|
|
message Event {
|
|
string kind = 1;
|
|
bytes payload = 2;
|
|
string event_id = 3;
|
|
}
|