Merge pull request #634 from lbedner/payments-service

Payments Service

Author: lbedner

.github/workflows/security.yml

@@ -58,5 +58,6 @@ jobs:
         uv run pip-audit \
           --ignore-vuln GHSA-4xh5-x5gv-qwph \
           --ignore-vuln GHSA-6vgw-5pg2-w6jp \
+          --ignore-vuln GHSA-58qw-9mgm-455v \
           --ignore-vuln ECHO-ffe1-1d3c-d9bc \
           --ignore-vuln ECHO-7db2-03aa-5591

.github/workflows/stack-matrix.yml

@@ -0,0 +1,51 @@
+name: Stack Matrix
+
+# Runs the full 13-stack generate → install → lint → typecheck → pytest
+# pipeline. This is the slow tier — gated off the default ``ci.yml`` run so
+# day-to-day PRs stay fast, but it fires on any PR touching template or
+# core-engine code (where drift lands) and nightly to catch anything that
+# merged without touching a gated path.
+
+on:
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'aegis/templates/**'
+      - 'aegis/core/**'
+      - 'aegis/cli/**'
+      - 'tests/cli/**'
+      - 'pyproject.toml'
+      - 'uv.lock'
+      - '.github/workflows/stack-matrix.yml'
+  schedule:
+    # 07:00 UTC daily — catches drift merged via PRs that didn't match the
+    # path filter above (e.g. docs-only PRs that inadvertently move a
+    # template Jinja file).
+    - cron: '0 7 * * *'
+  workflow_dispatch: {}
+
+concurrency:
+  group: stack-matrix-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  stack-matrix:
+    runs-on: ubuntu-latest
+    timeout-minutes: 45
+    steps:
+      - uses: actions/checkout@v5
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Set up Python
+        run: uv python install 3.11
+
+      - name: Install dependencies
+        run: uv sync --all-extras
+
+      - name: Run full stack matrix
+        run: make test-stacks-full

Makefile

@@ -265,6 +265,13 @@ test-stacks-build: ## Test all stacks build and pass checks (slow)
 	@uv run pytest tests/cli/test_stack_validation.py -v -m "slow" --tb=short
 	@echo "✅ All stacks build and pass quality checks!"
 
+test-stacks-quick: ## Run Phase 2 against base, everything, insights only (fast feedback)
+	@echo "⚡ Running stack validation against representative subset..."
+	@uv run pytest tests/cli/test_stack_validation.py::test_stack_full_validation \
+		-v -m "slow" --tb=short \
+		-k "base or everything or insights"
+	@echo "✅ Quick stack validation completed!"
+
 test-stacks-runtime: ## Test all stacks runtime integration with Docker (future)
 	@echo "🐳 Runtime integration testing not yet implemented"
 	@echo "ℹ️  Will test Docker Compose startup and health checks for all combinations"
@@ -277,11 +284,16 @@ test-stacks-full: ## Full stack matrix testing pipeline (comprehensive but slow)
 	@echo "📋 Phase 2: Stack Build and Validation Testing"
 	@make test-stacks-build
 	@echo ""
-	@echo "📋 Phase 3: Stack Runtime Testing (skipped - not implemented)"
-	@echo "ℹ️  Runtime testing will be added in future iterations"
+	@echo "📋 Phase 3: Kitchen Sink (everything stack: all services + components)"
+	@make test-everything
 	@echo ""
 	@echo "🎉 Complete stack matrix testing completed successfully!"
-	@echo "   All component combinations can generate, build, and pass quality checks"
+	@echo "   All component/service combinations can generate, build, and pass quality checks"
+
+test-everything: ## Generate and run ALL tests inside the kitchen-sink stack
+	@echo "🧪 Running full kitchen-sink stack test (all services + core components)..."
+	@uv run pytest tests/cli/test_stack_validation.py -v -m "slow" -k "everything" --tb=short
+	@echo "✅ Kitchen sink passes full validation."
 
 # Enhanced template testing with specific component combinations
 test-template-database: ## Test template with database component
@@ -413,52 +425,13 @@ endif
 	@echo "✅ $(COMPONENT) component generated successfully in ../test-$(COMPONENT)-quick/"
 	@echo "   Run 'cd ../test-$(COMPONENT)-quick && make check' to validate"
 
-# ============================================================================
-# PARITY TESTING - Cookiecutter vs Copier Template Comparison
-# ============================================================================
-
-test-parity: ## Run all Cookiecutter vs Copier parity tests
-	@echo "🔍 Running template parity tests (Cookiecutter vs Copier)..."
-	@uv run pytest tests/test_template_parity.py -v
-
-test-parity-quick: ## Quick parity test (base project only)
-	@echo "⚡ Quick parity test - base project only..."
-	@uv run pytest tests/test_template_parity.py::TestTemplateParity::test_parity_base_project -v
-
-test-parity-components: ## Test parity for all component combinations
-	@echo "🧩 Testing parity for all component combinations..."
-	@uv run pytest tests/test_template_parity.py -k "scheduler or worker or database" -v
-
-test-parity-services: ## Test parity for all service combinations
-	@echo "🔧 Testing parity for all service combinations..."
-	@uv run pytest tests/test_template_parity.py -k "auth or ai" -v
-
-test-parity-full: ## Comprehensive parity test (all combinations)
-	@echo "🚀 Comprehensive parity testing..."
-	@uv run pytest tests/test_template_parity.py::TestTemplateParity::test_parity_kitchen_sink -v
-
-# ============================================================================
-# DUAL-ENGINE TESTING - Cookiecutter and Copier Template Matrix
-# ============================================================================
-
-test-engines: ## Run all tests with both template engines
-	@echo "🔧 Running tests with both Cookiecutter and Copier engines..."
-	@uv run pytest -v -m "not slow"
-
-test-engines-quick: ## Quick test with both engines (fast tests only)
-	@echo "⚡ Quick dual-engine test (fast tests only)..."
-	@uv run pytest -v -m "not slow" --engine=cookiecutter
-	@uv run pytest -v -m "not slow" --engine=copier
-
-test-engines-cookiecutter: ## Run tests with Cookiecutter engine only
-	@echo "🍪 Testing with Cookiecutter engine..."
-	@uv run pytest -v --engine=cookiecutter
-
-test-engines-copier: ## Run tests with Copier engine only
-	@echo "📋 Testing with Copier engine..."
-	@uv run pytest -v --engine=copier
+# ``test-parity*`` and ``test-engines*`` targets were removed in PR #401
+# when Cookiecutter was retired — Copier is now the sole template engine,
+# so parity/dual-engine harnesses became dead weight. The backing
+# ``tests/test_template_parity.py`` + ``--engine=`` plugin no longer exist;
+# ``make test-stacks-full`` is the canonical full-coverage entry point.
 
-.PHONY: test lint fix format typecheck check install clean docs-serve docs-build cli-test gif gif-quick gif-demo redis-start redis-stop redis-cli redis-logs redis-stats redis-reset redis-queues redis-workers redis-failed redis-monitor redis-info test-template-quick test-template test-template-with-components test-template-database test-template-worker test-template-auth test-template-ai test-template-full test-component-quick test-stacks test-stacks-build test-stacks-runtime test-stacks-full clean-test-projects test-parity test-parity-quick test-parity-components test-parity-services test-parity-full test-engines test-engines-quick test-engines-cookiecutter test-engines-copier help
+.PHONY: test lint fix format typecheck check install clean docs-serve docs-build cli-test gif gif-quick gif-demo redis-start redis-stop redis-cli redis-logs redis-stats redis-reset redis-queues redis-workers redis-failed redis-monitor redis-info test-template-quick test-template test-template-with-components test-template-database test-template-worker test-template-auth test-template-ai test-template-full test-component-quick test-stacks test-stacks-build test-stacks-runtime test-stacks-full test-everything clean-test-projects help
 
 # Default target
 .DEFAULT_GOAL := help

README.md

@@ -129,10 +129,11 @@ Most starters lock you in at `init`. Aegis Stack doesn't. See **[Evolving Your S
 
 **Services** (business logic)
 
-- **Auth** → JWT authentication
 - **AI** → PydanticAI / LangChain
+- **Auth** → JWT authentication
 - **Comms** → Resend + Twilio
 - **Insights** → Adoption metrics (GitHub, PyPI, Plausible) *(experimental)*
+- **Payment** → Stripe checkout, subscriptions, refunds, disputes *(experimental)*
 
 [Components Docs →](https://lbedner.github.io/aegis-stack/components/) | [Services Docs →](https://lbedner.github.io/aegis-stack/services/)
 

aegis/cli/utils.py

@@ -36,6 +36,12 @@ def detect_scheduler_backend(components: list[str]) -> str:
                 # Check if database is also present (legacy detection)
                 clean_names = clean_component_names(components)
                 if ComponentNames.DATABASE in clean_names:
+                    # Use the database engine if specified, otherwise sqlite
+                    for comp in components:
+                        if extract_base_component_name(comp) == ComponentNames.DATABASE:
+                            db_engine = extract_engine_info(comp)
+                            if db_engine:
+                                return db_engine
                     return StorageBackends.SQLITE  # Default database backend
     return StorageBackends.MEMORY  # Default to memory-only
 

aegis/commands/deploy.py

@@ -300,16 +300,22 @@ def _run_health_check(
 ) -> bool:
     """Run health check against the deployed application.
 
-    Waits for containers to stabilize, then checks the /health/ endpoint.
-    Returns True if healthy.
+    Hits the public Traefik entrypoint on the droplet (port 80) rather
+    than the webserver container's internal port 8000 — that port isn't
+    published to the host in prod compose, so the old `localhost:8000`
+    check always produced a false negative. Going through Traefik also
+    validates the full routing path the real users hit (container health
+    + docker labels + Traefik registration).
     """
     typer.echo(t("deploy.health_waiting"))
     time.sleep(10)
 
     for attempt in range(1, retries + 1):
         typer.echo(t("deploy.health_attempt", n=attempt, total=retries))
         result = _run_remote_capture(
-            host, user, "curl -sf http://localhost:8000/health/ 2>/dev/null"
+            host,
+            user,
+            "curl -sf --max-time 10 http://localhost/health/ -o /dev/null",
         )
         if result.returncode == 0:
             typer.secho(t("deploy.health_passed"), fg="green")

aegis/constants.py

@@ -83,6 +83,16 @@ class AIProviders:
     ]
 
 
+class PaymentProviders:
+    """Payment provider options for the payment service."""
+
+    STRIPE = "stripe"
+
+    ALL = [STRIPE]
+
+    DEFAULT = STRIPE
+
+
 class OllamaMode:
     """Ollama deployment mode options."""
 
@@ -126,19 +136,24 @@ class AnswerKeys:
     AI = "include_ai"
     COMMS = "include_comms"
     INSIGHTS = "include_insights"
+    PAYMENT = "include_payment"
 
     # Service names (used for selection/lookup)
     SERVICE_AUTH = "auth"
     SERVICE_AI = "ai"
     SERVICE_COMMS = "comms"
     SERVICE_INSIGHTS = "insights"
+    SERVICE_PAYMENT = "payment"
 
     # Insights source flags
     INSIGHTS_GITHUB = "insights_github"
     INSIGHTS_PYPI = "insights_pypi"
     INSIGHTS_PLAUSIBLE = "insights_plausible"
     INSIGHTS_REDDIT = "insights_reddit"
 
+    # Payment configuration
+    PAYMENT_PROVIDER = "payment_provider"
+
     # Configuration values
     SCHEDULER_BACKEND = "scheduler_backend"
     SCHEDULER_WITH_PERSISTENCE = "scheduler_with_persistence"

aegis/core/copier_manager.py

@@ -22,7 +22,7 @@
     GITHUB_TEMPLATE_URL,
     version_to_git_tag,
 )
-from ..constants import AnswerKeys, StorageBackends
+from ..constants import AnswerKeys, PaymentProviders, StorageBackends
 from .migration_generator import (
     generate_migrations_for_services,
     get_services_needing_migrations,
@@ -153,6 +153,10 @@ def generate_with_copier(
             AnswerKeys.INSIGHTS_REDDIT, "no"
         )
         == "yes",
+        AnswerKeys.PAYMENT: template_context.get(AnswerKeys.PAYMENT, "no") == "yes",
+        AnswerKeys.PAYMENT_PROVIDER: template_context.get(
+            AnswerKeys.PAYMENT_PROVIDER, PaymentProviders.DEFAULT
+        ),
     }
 
     # Detect dev vs production mode for template sourcing
@@ -264,6 +268,8 @@ def generate_with_copier(
     # Only run migrations automatically for SQLite (file-based, no server needed)
     # PostgreSQL requires a running server, so skip auto-migration
     is_sqlite = database_engine == StorageBackends.SQLITE
+    is_payment_included: bool = copier_data.get(AnswerKeys.PAYMENT, False) is True
+    needs_migration_files = needs_migration_files or is_payment_included
     run_migrations = needs_migration_files and is_sqlite
 
     # Generate migrations for services that need them (always, regardless of engine)
@@ -277,6 +283,8 @@ def generate_with_copier(
             "include_ai": is_ai_included,
             "ai_backend": ai_backend_str,
             "ai_voice": ai_voice_enabled,
+            "include_insights": is_insights_included,
+            "include_payment": is_payment_included,
         }
         services = get_services_needing_migrations(context)
         if services: