feat: production-ready platform v2 — security hardening, middleware integration, mobile parity, scoring#19
Open
devin-ai-integration[bot] wants to merge 14 commits intodevin/1777656760-ndsep-phase44-mergefrom
Conversation
…h, mobile parity Security hardening: - DDoS protection middleware (per-IP rate limiting, auto-blocking, circuit breaker) - Ransomware protection (file integrity monitoring, hash-chained audit, canary files) - CSP/HSTS/security headers (comprehensive HTTP security) - Session hardening (CSRF, idle timeout, concurrent session limits) - Security dashboard API endpoint (/api/security/status) Offline resilience for African deployments: - Service worker with cache-first/network-first strategies - IndexedDB offline mutation queue with background sync - Adaptive bandwidth detection and management - Resilient WebSocket with exponential backoff and HTTP fallback - Events polling fallback endpoint (/api/events/poll) Middleware health integration: - Unified health dashboard for all 12 middleware services - Health check API endpoint (/api/middleware/health) - PWA middleware health page Mobile parity: - Flutter: breach incidents, consent management, DPIA, DPO registry, middleware health - React Native: breach incidents, consent management, DPIA, DPO registry, middleware health Workers: - Go: OpenAppSec WAF integration worker - Python: Offline sync worker with conflict resolution - Rust: Offline resilience worker with dedup and priority queue Production config: - Complete .env.production.example with all middleware service vars - Enhanced seed data with 10 additional Nigerian organizations - Comprehensive smoke test script - Rust workspace updated with all crate members Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Business rules (NDPA compliance): - Penalty calculation engine (NDPA Article 47, up to 2% annual turnover) - Compliance score calculator (100-point scale, 10 categories) - Risk assessment scorer (sector-aware, data volume, cross-border) - SLA breach detection with urgency levels - DPCO licence renewal eligibility checks - Cross-border transfer adequacy determination Workflow lifecycle: - Organization onboarding (draft→submitted→under_review→approved/rejected) - Violation enforcement (investigating→escalated→penalty_imposed→appealed) - Breach notification (24h SLA, escalation for 10K+ records) - DPIA workflow (submission→review→approval) - DSAR lifecycle (48h validation, 30-day completion) - Side effects: auto-creates financial penalties, audit logs Middleware integration: - Dapr sidecar (service invocation, state store, pub/sub) - TigerBeetle ledger (penalty issuance, payment tracking) - OpenSearch full-text search (organizations, violations, assets) tRPC router: - workflows.getAvailableActions - workflows.executeTransition - workflows.calculatePenalty - workflows.calculateComplianceScore - workflows.calculateRiskScore - workflows.checkSla - workflows.checkRenewalEligibility - workflows.checkCrossBorderAdequacy Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Author
Author
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
…from DB Previously requireSession used req.cookies which requires cookie-parser middleware. Now extracts token from raw Cookie header directly (using 'cookie' package) and looks up the full user object from the database (including role) for proper admin authorization checks. Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Author
E2E Test Results — PR #19 Production-Ready PlatformAll 8 tests passed. Ran frontend locally against PostgreSQL, tested new endpoints and business rules end-to-end via curl + browser. Session: https://app.devin.ai/sessions/638573251e5f4e859a5f3b205afec3cd Shell Tests (1-7) — All Passed
Browser Tests (8) — All Passed
Finding: Orphaned UI Pages
|
…ard & Middleware Health routes - Moved catch-all NotFound route from middle of Switch to the end, unblocking 13+ routes (data-pipeline, data-lineage, knowledge-graph, penalty-dashboard, etc.) - Added SecurityDashboard and MiddlewareHealth imports and routes - Removed duplicate /dpco route (DpcoLanding vs DpcoPortal) - Added /security-dashboard and /middleware-health sidebar entries - All 22 compliance module routes now render correctly (0 remaining 404s) Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
devin-ai-integration Bot
added a commit
that referenced
this pull request
May 3, 2026
… pagination, keyboard shortcuts Dashboard Enhancements: - Animated counters on all metric cards (#9) - Sparkline mini-charts showing 7-day trends (#8) - Donut chart for transfer status distribution (#10) Data Table Improvements: - Column sorting on Transfers table (#19) - Pagination with page navigation (#21) - Export CSV on Transfers table - Loading skeletons instead of spinner Navigation: - Keyboard shortcuts overlay dialog (press ?) (#17) Co-Authored-By: Patrick Munis <pmunis@gmail.com>
devin-ai-integration Bot
added a commit
that referenced
this pull request
May 3, 2026
- Kafka (#1-7): MirrorMaker2, Schema Registry, Tiered Storage, DLQ, Consumer Lag, Compaction, EOS - Redis (#8-12): Sentinel HA, Streams, Bloom Filter, Connection Pool, Cache Warming - PostgreSQL (#13-18): PgBouncer, Patroni HA, Logical Replication, Partitioning, pg_cron, TDE - TigerBeetle (#19-22): 6-node cluster, S3 backup, balance reconciliation, account hierarchy - Temporal (#23-27): Multi-cluster, versioning, saga visibility, KEDA auto-scale, cron workflows - APISIX (#28-33): GraphQL, gRPC transcoding, service discovery, IP geofencing, ISO 20022, API keys - Keycloak (#34-38): BVN/NIN SPI, adaptive auth, bank federation, token exchange, brute force - Dapr (#39-43): Service invocation, distributed lock, config store, external bindings, message TTL - OpenSearch (#44-48): ILM, cross-cluster search, anomaly detection, security plugin, index templates - Observability (#49-53): Tail sampling, Thanos long-term storage, unified alerting, auto-instrumentation, SLO - Mojaloop (#54-56): Full hub deployment, PISP, Oracle party resolution - Fluvio (#57-59): SmartModules, Kafka mirror connector, stateful stream processing - Permify (#60-62): Payment schema, bulk permission check, audit log - OpenAppSec (#63-65): Enforce mode, threat intelligence, bot detection Infrastructure: Updated docker-compose.middleware.yml with all 65 enhancements Backend: tRPC middleware router with 15 monitoring procedures Frontend: Full middleware monitoring dashboard at /middleware Configs: OTEL collector tail sampling, Thanos objstore, KEDA scalers Co-Authored-By: Patrick Munis <pmunis@gmail.com>
…stency - Reorganize sidebar from flat menuItems array to 10 functional category groups: Core Platform, Enforcement & Finance, Compliance Management, DPCO Portal, Organizations & IAM, AI & Intelligence, Operations & Infrastructure, Banking & Sectors, Governance & Reporting, Advanced Features, Admin & Settings - Add collapsible section headers with color-coded badges and item counts - Fix DPCO page SelectItem empty value error (use 'all' instead of '') - Replace hardcoded dark theme classes with theme-aware Tailwind utilities - Use Card/CardContent/CardHeader/CardTitle components for consistent UI - Replace raw HTML select with Select/SelectContent/SelectItem components - Replace raw div progress bars with Progress component Co-Authored-By: Patrick Munis <pmunis@gmail.com>
… names, and date interval syntax Co-Authored-By: Patrick Munis <pmunis@gmail.com>
… + fix Date rendering - Convert 64 pages from dark theme (bg-slate-900, bg-gray-800) to light theme using CSS variables (bg-background, bg-card, text-foreground, border-border) - Fix SelectItem empty value crash in 17 files (Radix requires non-empty value) - Fix Date object rendering crash in DpoReports.tsx and ComplianceAuditReturns.tsx - Hide Orchestration and BGP Route notifications from dashboard for demo - All 137 sidebar routes verified with zero 404 errors Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Author
E2E Test Results — PR #19 Visual Consistency, Bug Fixes & Route ValidationAll 7 tests passed. Tested locally against dev server (localhost:3000) with PostgreSQL backend. Session: https://app.devin.ai/sessions/638573251e5f4e859a5f3b205afec3cd Test Results (7/7 passed)
ScreenshotsDashboard — Clean (no notification clutter) Audit Returns — Fixed (was 404, now renders) Compliance Calendar — Dropdown works Vendor Risk — Light theme applied Fix applied during testing
Commit: |
… data display - enforcement_fines: org_id → organization_id, remove case_id join - vendor_risk: contract_status → status in stats query - compliance_gap: assessed_at → created_at - regulatory_intelligence: published_at → created_at - whistleblower: submitted_at → created_at - incident_response: incident_type → category, activated_at → created_at - data_pipeline: fix dbt_models schema→schema_name, remove is_paused, dag_name→dag_id - ai_ethics: overall_ethics_score → overall_score, review_status → status - cross_agency: status 'active' → 'approved' in stats - staff_training (db.ts): training_status → training_type, scheduled_date → created_at - enforcement_timeline (newFeatures.ts): cv.violation_type → cv.title Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Co-Authored-By: Patrick Munis <pmunis@gmail.com>
Author
Test Results — Production Readiness V26 of 7 tests passed. 1 failed. Tested locally at Results Summary
Test 2 Failure: Banking DashboardRoot cause: Banking database tables do not exist in PostgreSQL. The banking router defines 43 tRPC endpoints across 9 sub-routers, but no corresponding tables were created.
To fix: Create banking tables (banking_institutions, kyc_cases, aml_cases, etc.) and seed with data. Passing Tests EvidenceTest 3 — DPCO Portal: 5 Licensed DPCOs, Quick Actions visible Test 4 — Theme Consistency: 0 dark theme classes in vendor-risk, incident-response, compliance-gap
Test 5 — Route Validation: All 6 deep routes return HTTP 200 Test 7 — TypeScript: |
Author
Test Results — UI Audit FixesSession: https://app.devin.ai/sessions/638573251e5f4e859a5f3b205afec3cd Ran the app locally against seeded PostgreSQL database, navigated to 5 key pages testing theme consistency, data loading, and layout alignment. 5/5 tests passed. 3 User-Reported Problem Pages (all fixed)Cross-Sector Data Sharing — PASSED
Admin Platform Settings — PASSED
Email Digest Settings — PASSED
Sampling: Banking & DPCO (design token fixes)Banking Dashboard — PASSED
DPCO Scorecard — PASSED
EscalationBanking sub-sections partially empty: KYC Management, AML Cases, Payments (NIP/RTGS), Correspondent Banks, and Watchlist sub-sections show "—" dashes. The main banking tables are seeded but these sub-section tRPC endpoints may need fixes. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Comprehensive production-readiness PR covering encryption at rest, security hardening, UI consistency, and data seeding across the NDSEP platform.
Encryption at Rest (Latest Commit)
server/encryption.ts— core encrypt/decrypt module with versioned format (enc:v1:<iv>:<tag>:<ciphertext>)server/encryptionMiddleware.ts— transparent encrypt-on-write middleware for tRPC mutationsserver/dbSslConfig.ts— centralized PostgreSQL SSL config with CA certificate verificationrejectUnauthorized: falsein 20+ database connection pools (was vulnerable to MitM attacks)drizzle/0019_field_encryption.sql— migration to enable pgcrypto, widen PII columns, add tracking tablescripts/rotate-encryption-key.ts— encryption key rotation script with dry-run supportSECURITY.mdupdated with full encryption-at-rest documentationPrevious Changes (UI, Layout, Security)
<DashboardLayout>wrappersrejectUnauthorized: falseReview & Testing Checklist for Human
FIELD_ENCRYPTION_KEY(64-char hex) in production.envbefore deploying. Without it, encryption gracefully degrades (passthrough) but PII is unprotected.drizzle/0019_field_encryption.sqlmigration before running on production DB — it widens PII varchar columns to TEXT and enables pgcrypto extensionbash infra/postgres/generate-ssl-certs.sh(or use your CA's certs)FIELD_ENCRYPTION_KEY, create a user, check DB — email/name should showenc:v1:...formatOLD_KEY=<old> NEW_KEY=<new> DATABASE_URL=<url> npx tsx scripts/rotate-encryption-key.ts --dry-runNotes
FIELD_ENCRYPTION_KEYenv var. If not set, all data passes through unencrypted (backward compatible). This means existing deployments continue working without changes.enc:v1:) is self-describing — the system auto-detects whether a value is encrypted or plaintext, so mixed states during migration are safe.mysql-compat.ts,slaNotificationScheduler.ts) use mysql2-specific SSL config rather than the shared PG config.Link to Devin session: https://app.devin.ai/sessions/638573251e5f4e859a5f3b205afec3cd