Maqsafy Technical Documentation
This internal documentation covers the technical structure of the Maqsafy platform, including system architecture, environments, database, APIs, deployment, backup and restore, security, release management, incident response, and troubleshooting.
Documentation Status
| Item | Status |
|---|---|
| Current baseline | Internal preliminary technical documentation |
| Official final approval | Not approved yet |
| External sharing | Not allowed until sanitized and approved |
| Primary source material | GitHub source code, extracted route metadata, schema metadata, and technical team confirmations |
| Sensitive data policy | Production secrets, real tokens, private keys, and customer data must not be included |
Documentation Scope
- Backend
- Frontend
- Mobile App
- Database
- API and route inventory
- RBAC and tenant isolation
- Infrastructure
- Deployment and release management
- Backup and restore
- Security controls
- Observability and monitoring
- Incident response
- Troubleshooting
Priority Review Areas
The following areas must be reviewed before this documentation can be considered final.
| Priority | Area | Required Action |
|---|---|---|
| High | RBAC and credential permissions | Confirm backend behavior and keep the matrix aligned with the technical team decision |
| High | Tenant isolation | Attach evidence for school, supplier, and operator negative access tests |
| High | Payment idempotency | Confirm duplicate callbacks, retries, and jobs cannot create duplicate financial impact |
| High | Backup and restore | Attach restore test date, environment, result, RPO, and RTO evidence |
| Medium | OpenAPI / Swagger | Confirm whether an OpenAPI specification exists or should remain planned |
| Medium | Integrations | Confirm provider names or mark them intentionally undisclosed |
| Medium | Release process | Confirm production deployment, rollback, hotfix, and approval ownership |
Security Notice
This documentation is internal only. It must not include real passwords, production .env files, access tokens, API keys, private keys, merchant secrets, payment credentials, private URLs, or sensitive production data.