Merge upstream/main into fix/issues-187

Made-with: Cursor

Author: wheval

.env.example

@@ -5,6 +5,7 @@ FRONTEND_URL=http://localhost:5173
 
 # Docker Postgres defaults
 DATABASE_URL=postgresql://postgres:postgres@localhost:5432/accesslayer
+APP_SECRET=your_32_character_long_secret_string_here
 
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
@@ -23,6 +24,7 @@ PAYSTACK_PUBLIC_KEY=
 # API Configuration
 API_VERSION=1.0.0
 ENABLE_API_VERSION_HEADER=true
+ENABLE_SCHEMA_VERSION_HEADER=true
 ENABLE_RESPONSE_TIMING=true
 ENABLE_REQUEST_LOGGING=true
 BACKGROUND_JOB_LOCK_TTL_MS=300000

CONTRIBUTING.md

@@ -5,6 +5,7 @@ Thanks for contributing to the backend for Access Layer, a Stellar-native creato
 ## Before you start
 
 - Read the [README](./README.md) for context.
+- Review the [Backend Domain Model and Endpoint Boundaries](./docs/architecture/domain-boundaries.md).
 - Review the scoped backlog in [docs/open-source/issue-backlog.md](./docs/open-source/issue-backlog.md).
 - Keep pull requests limited to one backend issue or one documentation improvement.
 - Open a discussion before changing core API shape or background processing architecture.

README.md

@@ -15,6 +15,8 @@ The server is responsible for:
 - notifications, analytics, and moderation workflows
 - access checks for gated off-chain content
 
+See [Backend Domain Model and Endpoint Boundaries](./docs/architecture/domain-boundaries.md) for a technical overview and [API Versioning](./docs/api-versioning.md) for details on schema versioning.
+
 ## Tech
 
 - Node.js
@@ -167,7 +169,8 @@ readinessProbe:
 
 ## Open source workflow
 
-- Read [CONTRIBUTING.md](./CONTRIBUTING.md) before starting work.
-- Browse the maintainer issue inventory in [docs/open-source/issue-backlog.md](./docs/open-source/issue-backlog.md).
+- Read the [README](./README.md) for context.
+- Review the [Backend Domain Model and Endpoint Boundaries](./docs/architecture/domain-boundaries.md).
+- Review the scoped backlog in [docs/open-source/issue-backlog.md](./docs/open-source/issue-backlog.md).
 - Review [SECURITY.md](./SECURITY.md) before reporting vulnerabilities.
 - Use the issue templates in [`.github/ISSUE_TEMPLATE`](./.github/ISSUE_TEMPLATE) for new scoped work.

docs/api-versioning.md

@@ -0,0 +1,27 @@
+# API and Schema Versioning
+
+The Access Layer Server uses versioning headers to inform clients about the current API version and the expected structure of request bodies.
+
+## Response Headers
+
+### `X-API-Version`
+
+Indicates the current overall version of the API. This is typically used for tracking feature sets and major API releases.
+
+### `X-Schema-Version`
+
+Indicates the active version of the request body schema. This version should be checked by consumers to ensure they are sending request bodies in the format expected by the server.
+
+## Versioning Strategy
+
+Both headers follow [Semantic Versioning (SemVer)](https://semver.org/):
+
+- **MAJOR** version: Breaking changes to the API or schema.
+- **MINOR** version: Backwards-compatible new features or additions.
+- **PATCH** version: Backwards-compatible bug fixes.
+
+## Expected Consumer Behavior
+
+1. **Check Headers**: Consumers should inspect the `X-Schema-Version` header in API responses.
+2. **Schema Alignment**: If the `X-Schema-Version` major version changes, consumers must update their request body structures to match the new schema requirements.
+3. **Warning Handling**: Consumers may choose to log warnings if they detect a version mismatch that they haven't yet updated to support.

docs/architecture/domain-boundaries.md

@@ -0,0 +1,84 @@
+# Backend Domain Model and Endpoint Boundaries
+
+This document outlines the core backend entities, their relationships, and the boundaries between different modules in the Access Layer Server.
+
+## Domain Model
+
+The following diagram illustrates the core entities and their relationships within the system:
+
+```mermaid
+erDiagram
+    User ||--o| CreatorProfile : "owns"
+    User ||--o| StellarWallet : "links"
+    User {
+        string id PK
+        string email
+        string passwordHash
+        string firstName
+        string lastName
+        boolean emailVerified
+    }
+    CreatorProfile {
+        string id PK
+        string userId FK
+        string handle
+        string displayName
+        string bio
+        json perks
+    }
+    StellarWallet {
+        string id PK
+        string userId FK
+        string address
+    }
+    IndexerDLQ {
+        string id PK
+        string jobType
+        json payload
+        string failureReason
+    }
+    AuditEvent {
+        string id PK
+        string actor
+        string action
+        string target
+        string targetId
+        json metadata
+    }
+```
+
+### Core Entities
+
+1. **User**: Represents a registered user. Holds authentication and basic profile data.
+2. **CreatorProfile**: Represents the creator persona of a user. Tied to a specific handle and contains metadata like bio and perks.
+3. **StellarWallet**: Links a user to their Stellar public address. Used for identity verification and ownership checks.
+4. **IndexerDLQ**: Stores failed indexing jobs from the Stellar blockchain for manual review or reprocessing.
+5. **AuditEvent**: A generic log for significant actions occurring in the system.
+
+## Module Boundaries
+
+The server is organized into feature-based modules under `src/modules/`. Each module is responsible for its own business logic, routes, and (where applicable) data validation.
+
+### Major Route Groups
+
+| Module     | Responsibility                                                                | Primary Entities |
+| :--------- | :---------------------------------------------------------------------------- | :--------------- |
+| `auth`     | User registration, login, session management, and password resets.            | `User`           |
+| `creators` | Public and private creator profile management, including stats and discovery. | `CreatorProfile` |
+| `wallet`   | Linking and verifying Stellar wallets.                                        | `StellarWallet`  |
+| `admin`    | Internal management tools and system monitoring.                              | All              |
+| `health`   | System health checks and status monitoring.                                   | N/A              |
+
+### Cross-Module Rules
+
+To ensure a maintainable and decoupled architecture, the following rules apply:
+
+1. **No Direct Database Access**: Modules should not directly query Prisma models belonging to other modules if a service/utility exists.
+2. **Shared Utilities**: Common logic (e.g., mail sending, logging, pagination) belongs in `src/utils/` and can be used by any module.
+3. **Constants**: Shared configuration and string constants belong in `src/constants/`.
+4. **Types**: Cross-cutting TypeScript types belong in `src/types/`.
+
+### Interaction Patterns
+
+- **Initialization**: `src/app.ts` assembles the modules and registers global middlewares.
+- **Data Sharing**: If a module needs data from another (e.g., `creators` needing user info), it should use the Prisma client (which is shared) but respect the logical boundaries defined in the schema files.

docs/indexer/EVENT_PROCESSING.md

@@ -0,0 +1,33 @@
+# Chain Event Processing
+
+The indexer processes events from the blockchain to update the read models and activity feeds. To ensure data consistency and prevent duplicate processing, the following strategies are employed.
+
+## 1. Deduplication
+
+Before processing a batch of events, they should be deduped based on their unique identifier on the chain: `transactionHash` and `eventIndex`.
+
+The `dedupeChainEvents` helper in `src/utils/indexer-dedupe.utils.ts` provides this functionality.
+
+### Example Usage:
+
+```typescript
+import { dedupeChainEvents } from '../utils/indexer-dedupe.utils';
+
+const rawEvents = fetchEventsFromChain();
+const uniqueEvents = dedupeChainEvents(rawEvents);
+// Proceed with processing uniqueEvents
+```
+
+## 2. Idempotency
+
+Event handlers must be idempotent. This means that processing the same event multiple times should have the same effect as processing it once.
+
+### Strategies for Idempotency:
+
+- **Database Upserts**: Use Prisma's `upsert` or `update` with unique constraints where possible.
+- **State Check**: Before applying a change (like incrementing a balance), verify if the event has already been accounted for (e.g. by checking a `lastProcessedLedger` or a specific event log).
+- **Atomic Transactions**: Ensure that all changes related to an event are committed in a single database transaction.
+
+## 3. Error Handling
+
+If an event fails to process after multiple retries, it is moved to the [Dead-Letter Queue (DLQ)](./DLQ_WORKFLOW.md) for manual investigation.

docs/read-model-rebuild.md

@@ -46,38 +46,60 @@ Source of truth (events / primary tables)
 1. **Pause or fence the live indexer** that writes to the read model, or ensure it is idempotent enough to run concurrently with the rebuild.
 
 2. **Truncate or soft-delete** the stale read-model rows:
+
    ```sql
    TRUNCATE TABLE creator_ownership_reads;
    -- or, for an incremental rebuild without full downtime:
    UPDATE creator_ownership_reads SET rebuild_pending = true;
    ```
 
 3. **Run the rebuild script** (location: `scripts/rebuild-read-model.sh` once implemented):
+
    ```bash
    pnpm ts-node src/scripts/rebuild-read-model.ts --model=creator_ownership_reads
    ```
+
    The script must process records in batches (recommended batch size: 500) and log progress at each checkpoint.
 
 4. **Verify output:**
+
    ```sql
    SELECT COUNT(*) FROM creator_ownership_reads;
    -- Compare to expected count derived from source tables
    ```
+
    Spot-check a sample of records against the source of truth.
 
 5. **Resume the live indexer.** If fenced, lift the fence. If the indexer was paused, restart it and confirm it picks up from the correct cursor position.
 
 ## Expected duration
 
-| Table size | Estimated rebuild time |
-|---|---|
-| < 10k rows | < 1 minute |
-| 10k – 100k rows | 2–10 minutes |
-| 100k – 1M rows | 15–60 minutes |
-| > 1M rows | Plan for multi-hour window; use batched pagination |
+| Table size      | Estimated rebuild time                             |
+| --------------- | -------------------------------------------------- |
+| < 10k rows      | < 1 minute                                         |
+| 10k – 100k rows | 2–10 minutes                                       |
+| 100k – 1M rows  | 15–60 minutes                                      |
+| > 1M rows       | Plan for multi-hour window; use batched pagination |
 
 Duration depends on DB instance size, network, and whether indexes are rebuilt inline or deferred.
 
+## Indexer replay dry-run
+
+Use the admin replay endpoint in dry-run mode to validate replay inputs without producing audit-write side effects.
+
+```bash
+curl -X POST "$API_BASE_URL/admin/indexer/replay" \
+  -H "Content-Type: application/json" \
+  -H "x-admin-id: <admin-id>" \
+  -d '{"startLedger": 123456, "dryRun": true}'
+```
+
+Notes:
+
+- `dryRun` defaults to `false`; omit it to run a normal replay initiation.
+- In dry-run mode, the response includes `dryRun: true` and no audit event is written.
+- `startLedger` must be a positive integer in both dry-run and normal mode.
+
 ## Rollback guidance
 
 If the rebuild produces incorrect data:

prisma/schema/activity.prisma

@@ -0,0 +1,31 @@
+// prisma/schema/activity.prisma
+
+enum ActivityType {
+  CREATOR_REGISTERED
+  KEY_BOUGHT
+  KEY_SOLD
+  PROFILE_UPDATED
+}
+
+model Activity {
+  id          String       @id @default(cuid())
+  type        ActivityType
+  
+  // Actor who performed the action (wallet address or user ID)
+  actor       String
+  
+  // Optional creator associated with this activity
+  creatorId   String?
+  
+  // Optional target of the activity (e.g., target wallet address)
+  target      String?
+  
+  // Payload for event-specific data (e.g., price, amount, previous values)
+  payload     Json
+  
+  createdAt   DateTime     @default(now())
+
+  @@index([creatorId])
+  @@index([actor])
+  @@index([type])
+}

prisma/schema/creator.prisma

@@ -9,6 +9,7 @@ model CreatorProfile {
   avatarUrl   String?
   perkSummary String?
   isVerified  Boolean  @default(false)
+  perks       Json?
   createdAt   DateTime @default(now())
   updatedAt   DateTime @updatedAt
 

prisma/schema/ownership.prisma

@@ -0,0 +1,21 @@
+// prisma/schema/ownership.prisma
+
+model KeyOwnership {
+  id            String   @id @default(cuid())
+  
+  // The wallet address of the owner
+  ownerAddress  String
+  
+  // The ID or handle of the creator whose keys are owned
+  creatorId     String
+  
+  // The amount of keys owned
+  balance       Decimal  @default(0)
+  
+  createdAt     DateTime @default(now())
+  updatedAt     DateTime @updatedAt
+
+  @@unique([ownerAddress, creatorId])
+  @@index([ownerAddress])
+  @@index([creatorId])
+}