25f68781ad
SEC-C-01: Replace Neon PostgreSQL credentials (npg_Ssfy6HKO0cXI) with local dev connection strings in all 19 appsettings.json files. Production credentials must be injected via ConnectionStrings__DefaultConnection env var. Add appsettings.Production.json and appsettings.Staging.json to .gitignore. SEC-C-02: Add services/goodgo-mcp-server/.env to root .gitignore. Create .env.example with safe placeholder values documenting required variables. SEC-C-03: Wrap AddDeveloperSigningCredential() in env check — development only. Non-development environments must provide X.509 certificate via IdentityServer:SigningCertificatePath and IdentityServer:SigningCertificatePassword. SEC-C-04: Remove 4 unauthenticated debug endpoints from StaffController: GET debug/all, POST debug/seed, POST debug/update-userid, POST debug/update-merchant. These endpoints allowed privilege escalation and data exfiltration without auth. SEC-C-05: Removed endpoints containing SQL injection via string interpolation (lines 307, 367 in StaffController). Also removed [AllowAnonymous] from GET lookup endpoint — inherits class-level [Authorize]. BREAKING: debug/* endpoints are permanently removed. BFF lookup endpoint now requires authentication. Co-Authored-By: Paperclip <noreply@paperclip.ing>
GoodGo Platform
Monorepo platform with microservices architecture for the merchant/customer ecosystem — POS, F&B, retail, spa, karaoke, and more.
Domain: goodgo.vn | Staging: api.staging.goodgo.vn
Tech Stack
| Layer | Technologies |
|---|---|
| Backend | .NET 10.0 (C# 14), MediatR/CQRS, EF Core 10, FluentValidation, Serilog, Dapper, Polly |
| Web | Blazor WASM + MudBlazor 8.15 (Material Design) |
| Mobile | .NET MAUI (cross-platform), SwiftUI (iOS) |
| Database | PostgreSQL 16 (local) / Neon PostgreSQL (cloud), Redis 7 |
| Messaging | RabbitMQ 3 (AMQP) |
| Storage | MinIO (S3-compatible) |
| Gateway | Traefik v3 |
| Infra | Docker Compose (local), Kubernetes RKE2 (staging/prod) |
| CI/CD | GitHub Actions, Docker Hub |
| Observability | Prometheus + Grafana + Loki + Promtail |
| Auth | Duende IdentityServer, JWT Bearer, OAuth2 |
| Monorepo | pnpm 8 workspaces, Turborepo |
Project Structure
services/ # 26 .NET microservices (Clean Architecture + CQRS)
apps/ # Frontend applications
packages/ # Shared Node.js packages (@goodgo/*)
deployments/ # Environment configs (local, staging, production)
infra/ # Infrastructure (Traefik, databases, observability)
scripts/ # Automation scripts (dev, db, deploy, build)
Services
Core Platform
iam-service-net— Identity & Access Management (JWT, RBAC, MFA, Sessions)merchant-service-net— Merchant & Shop managementcatalog-service-net— Product catalogorder-service-net— Order processinginventory-service-net— Inventory managementwallet-service-net— Wallet & paymentsfnb-engine-net— F&B enginebooking-service-net— Booking & reservations
Engagement
promotion-service-net— Promotions & discountsmembership-service-net— Membership & loyaltychat-service-net— Chat & messaging (SignalR + Redis)social-service-net— Social featuresmission-service-net— Gamification missions
Advertising
ads-manager-service-net— Campaign managementads-serving-service-net— Ad deliveryads-billing-service-net— Ad billingads-tracking-service-net— Event trackingads-analytics-service-net— Analytics
Marketing Integrations
mkt-facebook-service-net— Facebookmkt-whatsapp-service-net— WhatsAppmkt-x-service-net— X (Twitter)mkt-zalo-service-net— Zalo
Utilities
storage-service-net— File storage (MinIO)mining-service-net— Data mining
Frontend Apps
| App | Stack | Description |
|---|---|---|
web-client-tpos-net |
Blazor WASM + MudBlazor | POS system (multi-vertical: karaoke, restaurant, cafe, spa, retail) |
web-client-base-net |
Blazor WASM + MudBlazor | Enterprise portal |
app-client-base-net |
.NET MAUI | Cross-platform mobile app |
app-client-base-swift |
SwiftUI | iOS app |
web-docs |
VitePress | Documentation site |
Quick Start
Prerequisites
- Docker & Docker Compose
- .NET 10.0 SDK
- Node.js 25+
- pnpm 8+
Run Locally
# Start infrastructure (PostgreSQL, Redis, RabbitMQ, MinIO, Traefik) + all services
cd deployments/local
docker compose up -d
# Run database migrations (per service)
./scripts/db/migrate.sh
# Start a specific service for development
./scripts/dev/start-service.sh iam-service-net
Architecture
Each .NET service follows Clean Architecture + CQRS:
ServiceName/
src/
ServiceName.API/ # Controllers + MediatR Commands/Queries
ServiceName.Domain/ # Entities, aggregates, domain events (no dependencies)
ServiceName.Infrastructure/ # EF Core, repositories, migrations
tests/
ServiceName.UnitTests/ # xUnit + FluentAssertions
ServiceName.FunctionalTests/ # WebApplicationFactory integration tests
Documentation
- ROADMAP.md — Development roadmap and phase tracking
- CLAUDE.md — Full architecture reference and agent configuration
Maintainer
Built by VelikHo (@hongochai10)
- Email: hongochai10@icloud.com
- GitHub: https://github.com/hongochai10