{"id":"c0901","filename":"c0901_fenix_payment_enterprise_v2.dok.json","weise3_id":"","tip":"implementacija","naziv":"FenixPayment™ v2.0 — Enterprise Payment Engine","kreator":"CC Agent (claude-sonnet-4-6)","datum":"2026-05-17","snippet":"","status":"","prev_weise3":"","bunker_l":"#00d4ff","full":{"tip":"implementacija","naziv":"FenixPayment™ v2.0 — Enterprise Payment Engine","datum":"2026-05-17","autor":"CC Agent (claude-sonnet-4-6)","zakon":["ZAKON 3","ZAKON 27","ZAKON 29","ZAKON 30","ZAKON 32","ZAKON 37"],"motivacija":"Payment modul bio na razini 2020: 0/3 webhook HMAC validacija, nema idempotency, nema trojna pohrana, nema FenixVault sealing, nema feature flag. Ivan: 'odapeti streloviti kod da pometemo sve oko i ispred sebe'.","sto_je_napravljeno":{"summary":"Kompletni enterprise rewrite payment sustava. Kritična sigurnosna rupa (fake webhook = besplatni PRO) zatvorena.","faze":[{"naziv":"services/payment_fenix.py (NOV FAJL)","status":"DONE","opis":"FenixPayment™ sealing layer. generate_weise3_payment() — WeisE3™ ID za svaki payment event (ZAKON 27). vault_sign_payment() — FenixVault™ Ed25519 potpis (ZAKON 37), fallback HMAC-SHA3. trojna_pohrani_payment() — ZAKON 3 non-blocking pohrana aktivacije. alert_payment_event() — WhatsApp alert Ivanu via WAHA. seal_activation(tx) — orchestrator koji poziva sve gore navedeno. is_seen() + push_dlq() — Redis idempotency i Dead Letter Queue."},{"naziv":"views_pwa_payment.py (COMPLETE REWRITE)","status":"DONE","opis":"Enterprise arhitektura s WebhookGuard mixin-om. PAYMENT_ACTIVE flag (env): sve ostaje nevidljivo dok Ivan ne postavi PAYMENT_ACTIVE=1. WebhookGuard dispatch pipeline: secret check → HMAC verify → parse → idempotency → process → DLQ. RevolutWebhookView: HMAC-SHA256 s Revolut-Signature: v1=<hex>. PayPalWebhookView: PayPal Notifications verify-webhook-signature API. AirCashWebhookView: HMAC-SHA256 s X-AirCash-Signature. BankTransferConfirmView: Konjik d.o.o. IBAN — admin staff potvrda. Sve checkout/billing views su gated iza PAYMENT_ACTIVE."},{"naziv":"config/settings.py patch","status":"DONE","opis":"Dodano: PAYMENT_ACTIVE, KONJIK_IBAN, KONJIK_NAME, KONJIK_BIC, KONJIK_BANK, IVAN_PHONE. Sve iz env varijabli. Na oba servera (MAR + EU)."},{"naziv":"arhiva/urls.py — BankTransferConfirmView","status":"DONE","opis":"Dodan import BankTransferConfirmView + URL /pub/arhiva/wh/bank/confirm/ na oba servera."},{"naziv":"Django check + gunicorn restart","status":"DONE","opis":"manage.py check: 0 errors, 1 silenced (folija pre-existing). Gunicorn restart: active na MAR (212.227.181.201) i EU (217.160.71.124)."},{"naziv":"Live test","status":"DONE","opis":"GET /pub/arhiva/checkout/ → HTTP 503 (payment inactive). POST /pub/arhiva/wh/revolut/ → HTTP 503 (no webhook_secret configured). Oboje ispravno."}]},"sigurnosne_rupe_zatvorene":{"revolut_hmac":"Bio: sig dohvaćen ali NIKAD provjeren. Sad: HMAC-SHA256(secret, raw_body) → compare_digest(v1_sig).","paypal_hmac":"Bio: nula provjere. Sad: PayPal verify-webhook-signature API + OAuth token.","aircash_hmac":"Bio: nula provjere. Sad: HMAC-SHA256(secret, raw_body) → compare_digest(X-AirCash-Signature).","idempotency":"Bio: nije postojao, isti webhook = dupla aktivacija. Sad: Redis pay:seen:{gateway}:{event_id}, TTL=24h.","dlq":"Bio: neuspješan webhook izgubljen. Sad: Redis pay:dlq, max 1000, puni debugging kontekst.","fake_webhook_attack":"Napadač nije mogao poslati lažni ORDER_COMPLETED i dobiti besplatni PRO. Sada odbijen s 401."},"arhitektura":{"feature_flag":"PAYMENT_ACTIVE=0 (env) — sve nevidljivo. Ivan posjeda PAYMENT_ACTIVE=1 kada spreman za produkciju.","konjik_iban":"Bankovni transfer provider dodan. Korisnik vidi Konjik d.o.o. IBAN + referentni broj. Admin staff potvrđuje ručno via POST /wh/bank/confirm/.","webhook_guard":"WebhookGuard mixin: abstract _verify_sig, _extract_event_id, _process_verified. DRY — jedan pipeline za sve gateways.","seal_activation":"Nakon aktivacije: WeisE3 ID → FenixVault potpis → webhook_raw update → Trojna pohrana (ZAKON 3) → WhatsApp alert."},"aktivacija_za_produkciju":["1. Postavi Konjik d.o.o. IBAN u .env: KONJIK_IBAN=HR...","2. Kreiraj GatewayConfig record za 'revolut' s webhook_secret iz Revolut dashboarda","3. Kreiraj GatewayConfig record za 'paypal' s api_key=client_id, api_secret=client_secret, webhook_secret=webhook_id","4. Postavi IVAN_PHONE=+385... u .env za WhatsApp alertove","5. Postavi PAYMENT_ACTIVE=1 u .env → sve se aktivira bez deployaja"],"serveri":["MAR: 212.227.181.201","EU: 217.160.71.124"],"fajlovi":["arhiva/services/payment_fenix.py — NOV","arhiva/views_pwa_payment.py — REWRITE","config/settings.py — PAYMENT_ACTIVE + Konjik","arhiva/urls.py — BankTransferConfirmView URL"]}}