feat: EOD reports, security audit (rate limiting + 44 validators), and 30 critical path tests
EOD Reports & Daily Close (order-service + Blazor UI):
- GetEodReportQuery: Dapper query for revenue, orders, payment breakdown, top items, hourly chart
- CloseDayCommand: check pending orders, generate final report
- EodReport.razor: 6 KPI cards, donut/bar charts, top 10 table, close-day dialog
- FluentValidation for both query and command
- BFF proxy endpoints for reports
Security Audit — Rate Limiting:
- Tighten auth-ratelimit from 100 to 10 req/min (brute force protection)
- Add payment-ratelimit (30/min), api-ratelimit (100/min), hub-ratelimit (500/min)
- Apply rate limits to ALL Traefik routers (previously many had none)
Security Audit — Input Sanitization (44 missing validators created):
- iam-service: 14 validators (auth, user, role commands)
- merchant-service: 11 validators (admin, attendance commands)
- wallet-service: 7 validators (wallet, points commands)
- fnb-engine: 7 validators (session, table, ticket, reservation)
- catalog-service: 6 validators (product, category CRUD)
- storage-service: 6 validators (upload, share, quota)
- order-service: 2 validators (complete order/payment)
Critical Path Unit Tests (30 new tests):
- inventory-service: 12 tests (deduction, partial stock, idempotency)
- wallet-service: 14 tests (create payment, process callback, domain events)
- fnb-engine: 8 tests (kitchen-served event handler, inventory client integration)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
a7a753bf38