gitadmin/ArchiTools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9e7abfafc87d97ff67b512a87ff352d9e456d9da
ArchiTools/docs/ARCHITECTURE-QUICK.md
T
AI Assistant 0c4b91707f audit: production safety fixes, cleanup, and documentation overhaul 
CRITICAL fixes:
- Fix SQL injection in geoportal search (template literal in $queryRaw)
- Preserve enrichment data during GIS re-sync (upsert update explicit fields only)
- Fix ePay version race condition (advisory lock in transaction)
- Add requireAuth() to compress-pdf and unlock routes (were unauthenticated)
- Remove hardcoded Stirling PDF API key (env vars now required)

IMPORTANT fixes:
- Add admin role check on registratura debug-sequences endpoint
- Fix reserved slot race condition with advisory lock in transaction
- Use SSO identity in close-guard-dialog instead of hardcoded "Utilizator"
- Storage DELETE catches only P2025 (not found), re-throws real errors
- Add onDelete: SetNull for GisFeature → GisSyncRun relation
- Move portal-only users to PORTAL_ONLY_USERS env var
- Add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Add periodic cleanup for eTerra/ePay session caches and progress store
- Log warning when ePay dataDocument is missing (expiry fallback)

Cleanup:
- Delete orphaned rgi-test page (1086 lines, unregistered, inaccessible)
- Delete legacy/ folder (5 files, unreferenced from src/)
- Remove unused ensureBucketExists() from minio-client.ts

Documentation:
- Optimize CLAUDE.md: 464 → 197 lines (moved per-module details to docs/)
- Create docs/ARCHITECTURE-QUICK.md (80 lines: data flow, deps, env vars)
- Create docs/MODULE-MAP.md (140 lines: entry points, API routes, cross-deps)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 06:40:34 +02:00

4.4 KiB
Raw Blame History

ArchiTools — Architecture Quick Reference

Data Flow

Browser → Traefik (tools.beletage.ro) → Next.js :3000
                                          ├── App Router (pages)
                                          ├── API Routes (/api/*)
                                          │     ├── Prisma → PostgreSQL + PostGIS
                                          │     ├── MinIO (file storage)
                                          │     ├── eTerra ANCPI (external GIS API)
                                          │     └── Brevo SMTP (email notifications)
                                          └── Auth: NextAuth → Authentik OIDC

Module Dependencies

registratura ←→ address-book    (bidirectional: contacts + reverse lookup)
parcel-sync  →  geoportal       (map components reuse)
geoportal    →  PostGIS          (spatial queries, vector tiles)
parcel-sync  →  eTerra API       (external: ANCPI cadastral data)
parcel-sync  →  ePay API         (external: ANCPI CF extract ordering)
parcel-sync  →  MinIO            (CF extract PDF storage)
notifications → registratura     (deadline digest data)
all modules  → core/storage      (KeyValueStore via Prisma)
all modules  → core/auth         (Authentik SSO session)

Critical API Routes (Write Operations)

Route Method What it does Auth
/api/storage PUT/DELETE KeyValueStore CRUD Middleware
/api/registratura POST/PUT/DELETE Registry entries + audit Middleware + Bearer
/api/registratura/reserved POST Reserve future registry slots Middleware
/api/registratura/debug-sequences POST/PATCH Reset sequence counters Admin only
/api/vault PUT/DELETE Encrypted vault entries Middleware
/api/address-book PUT/DELETE Contact CRUD Middleware + Bearer
/api/eterra/sync-background POST Start GIS sync job Middleware
/api/eterra/uats POST/PATCH UAT management + county refresh Middleware
/api/ancpi/order POST ePay CF extract order Middleware
/api/notifications/digest POST Trigger email digest Bearer
/api/notifications/preferences PUT User notification prefs Middleware
/api/compress-pdf/* POST PDF compression/unlock requireAuth

Storage Architecture

KeyValueStore (Prisma)          GisFeature (PostGIS)           MinIO
├── namespace: module-id        ├── layerId + objectId         ├── bucket: tools
├── key: entity UUID            ├── geometry (GeoJSON)         ├── bucket: ancpi-cf
└── value: JSON blob            ├── enrichment (JSONB)         └── PDF files
                                └── geom (native PostGIS)

Auth Flow

User → /auth/signin → Authentik OIDC → callback → NextAuth session
  ├── Middleware: checks JWT token, redirects if unauthenticated
  ├── Portal-only users: env PORTAL_ONLY_USERS → redirected to /portal
  └── API routes excluded from middleware: use requireAuth() or Bearer token

Environment Variables (Critical)

Var Required Used by
DATABASE_URL Yes Prisma
NEXTAUTH_SECRET Yes NextAuth JWT
NEXTAUTH_URL Yes Auth redirects
ENCRYPTION_SECRET Yes Password Vault AES-256
STIRLING_PDF_URL Yes PDF compression/unlock
STIRLING_PDF_API_KEY Yes Stirling PDF auth
NOTIFICATION_CRON_SECRET Yes Digest endpoint Bearer
MINIO_* Yes MinIO connection
ANCPI_* For ePay ePay CF ordering
ILOVEPDF_PUBLIC_KEY Optional Cloud PDF compression
PORTAL_ONLY_USERS Optional Comma-separated usernames
Reference in New Issue View Git Blame Copy Permalink