Add claude-generated openapi spec

Add claude-generated README
Rename config vars. Add widget holder template and endpoint to serve it. Add dockerfile
2026-04-03 10:07:49 +03:00 · 2026-04-02 19:31:09 +03:00 · 2026-03-31 22:18:41 +03:00 · 2026-03-26 06:50:06 +03:00 · 2026-03-26 06:39:37 +03:00 · 2026-03-25 23:48:48 +03:00
34 changed files with 1704 additions and 27 deletions
--- a/.claude/settings.local.json
+++ b/.claude/settings.local.json
@@ -0,0 +1,7 @@
 {
  "permissions": {
    "allow": [
      "Bash(helm template:*)"
    ]
  }
 }
--- a/24
+++ b/24
@@ -0,0 +1,24 @@
 FROM        golang:1.26-alpine3.23 AS build
 WORKDIR     /payoutsbuild
 RUN         apk add --update --no-cache ca-certificates git
 ENV         GOBIN=/payoutsbuild/bin
 ADD         . /payoutsbuild
 RUN         cd /payoutsbuild && \
            go mod download && \
            go build ./cmd/...
 FROM        alpine:3.23
 WORKDIR     /app
 COPY        --from=build /payoutsbuild/payouts /app/
 COPY        --from=build /payoutsbuild/config/payouts.properties /app/
 EXPOSE      8080
 ENTRYPOINT [ "/app/payouts" ]
--- a/README.md
+++ b/README.md
@@ -0,0 +1,398 @@
 # Payouts Service
 A Go service for processing payouts via YooKassa, supporting SBP, YooMoney, bank card, and widget-based payout flows.
 ---
 ## API Reference
 ### `GET /health`
 Health check endpoint. Verifies database connectivity.
 **Request parameters:** None
 **Response:**
 | Status | Body |
 |--------|------|
 | `200 OK` | `{"OK": true}` |
 | `503 Service Unavailable` | `{"OK": false, "Error": "error details"}` |
 **Example:**
 ```bash
 curl -s http://localhost:8080/health
 ```
 ---
 ### `GET /version`
 Returns the application version.
 **Request parameters:** None
 **Response:** Plain text version string (e.g. `v1.0.0`). If version is `unknown`, the git commit hash from build info is appended.
 **Example:**
 ```bash
 curl -s http://localhost:8080/version
 ```
 ---
 ### `POST /api/v1/user/register`
 Register a new user.
 **Request body (JSON):**
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `tin` | string | yes | Tax identification number |
 | `phone` | string | yes | Phone number (must be unique) |
 | `password` | string | yes | Password |
 | `password_cfm` | string | yes | Password confirmation (must match `password`) |
 **Response:**
 | Status | Description |
 |--------|-------------|
 | `201 Created` | User registered successfully (no body) |
 | `400 Bad Request` | Validation error or phone already registered |
 | `500 Internal Server Error` | Password hashing failure |
 **Example:**
 ```bash
 curl -s -X POST http://localhost:8080/api/v1/user/register \
  -H "Content-Type: application/json" \
  -d '{"tin":"123456789","phone":"+79001234567","password":"secret","password_cfm":"secret"}'
 ```
 ---
 ### `POST /api/v1/user/login`
 Authenticate a user and obtain a session token.
 **Request body (JSON):**
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `phone` | string | yes | Registered phone number |
 | `password` | string | yes | Password |
 **Response (200 OK):**
 ```json
 {
  "token": "550e8400-e29b-41d4-a716-446655440000",
  "token_ttl": 1712000000
 }
 ```
 | Field | Type | Description |
 |-------|------|-------------|
 | `token` | string | UUID session token to use in subsequent requests |
 | `token_ttl` | integer | Unix timestamp when the token expires |
 **Error response:**
 ```json
 {
  "status": 401,
  "message": "Unauthorized"
 }
 ```
 **Example:**
 ```bash
 curl -s -X POST http://localhost:8080/api/v1/user/login \
  -H "Content-Type: application/json" \
  -d '{"phone":"+79001234567","password":"secret"}'
 ```
 ---
 ### `GET /api/v1/payout/sbp/banks`
 Retrieve the list of banks available for SBP payouts.
 **Request parameters:** None
 **Authentication:** Not required
 **Response (200 OK):**
 ```json
 {
  "type": "sbp_banks",
  "items": [
    {
      "bank_id": "100000000111",
      "name": "Тинькофф Банк",
      "bic": "044525974"
    }
  ]
 }
 ```
 **Example:**
 ```bash
 curl -s http://localhost:8080/api/v1/payout/sbp/banks
 ```
 ---
 ### `POST /api/v1/payout/create`
 Create a payout. The `payout_type` determines which additional fields are required.
 **Request headers:**
 | Header | Required | Description |
 |--------|----------|-------------|
 | `Authorization` | yes | `Bearer {token}` — session token from login |
 | `Content-Type` | yes | `application/json` |
 **Request body (JSON):**
 | Field | Type | Required | Description |
 |-------|------|----------|-------------|
 | `payout_type` | string | yes | One of: `spb`, `yoo_money`, `bank_card`, `widget` |
 | `amount` | float | yes | Payout amount in rubles |
 | `payout_token` | string | for `widget` | Token received from the YooKassa widget `success_callback` |
 | `account_number` | string | for `yoo_money` | YooMoney wallet number or phone |
 | `bank_id` | string | for `spb` | Bank identifier from `/api/v1/payout/sbp/banks` |
 | `card_number` | string | for `bank_card` | Card number |
 > **Note:** For `spb`, the phone number is taken from the authenticated user's profile.
 **Response (200 OK):**
 ```json
 {
  "payout_id": "po-285e5ee7-0022-5000-8000-01516a44b37d",
  "payout_status": "succeeded"
 }
 ```
 | Field | Type | Description |
 |-------|------|-------------|
 | `payout_id` | string | YooKassa payout identifier |
 | `payout_status` | string | One of: `created`, `pending`, `succeeded`, `canceled`, `failed` |
 **Error response:**
 ```json
 {
  "status": 401,
  "message": "Unauthorized"
 }
 ```
 **Example (SBP payout):**
 ```bash
 curl -s -X POST http://localhost:8080/api/v1/payout/create \
  -H "Authorization: Bearer 550e8400-e29b-41d4-a716-446655440000" \
  -H "Content-Type: application/json" \
  -d '{"payout_type":"spb","amount":500.00,"bank_id":"100000000111"}'
 ```
 **Example (widget payout):**
 ```bash
 curl -s -X POST http://localhost:8080/api/v1/payout/create \
  -H "Authorization: Bearer 550e8400-e29b-41d4-a716-446655440000" \
  -H "Content-Type: application/json" \
  -d '{"payout_type":"widget","amount":500.00,"payout_token":"pt-285e5ee7-0022-5000-8000-01516a44b37d"}'
 ```
 ---
 ### `POST /api/v1/payout/callback`
 Webhook endpoint for YooKassa payout status notifications. Called by YooKassa when a payout status changes.
 > **Note:** When `YooKassa.CheckAllowedCallbackAddress = true`, requests are validated against a CIDR whitelist of YooKassa IP ranges.
 **Request body (JSON, sent by YooKassa):**
 ```json
 {
  "id": "po-285e5ee7-0022-5000-8000-01516a44b37d",
  "status": "succeeded",
  "amount": {
    "value": "500.00",
    "currency": "RUB"
  },
  "payout_destination": {
    "type": "bank_card",
    "card": {
      "number": "220000******0001",
      "first6": "220000",
      "last4": "0001",
      "card_type": "MIR",
      "issuer_country": "RU",
      "issuer_name": "Sberbank"
    }
  },
  "description": "Payout description",
  "created_at": "2024-01-01T12:00:00.000Z",
  "succeeded_at": "2024-01-01T12:00:05.000Z",
  "test": false
 }
 ```
 **Response:** `200 OK` (processing is asynchronous)
 **Example:**
 ```bash
 curl -s -X POST http://localhost:8080/api/v1/payout/callback \
  -H "Content-Type: application/json" \
  -d '{"id":"po-285e5ee7-0022-5000-8000-01516a44b37d","status":"succeeded","amount":{"value":"500.00","currency":"RUB"}}'
 ```
 ---
 ## Payout Widget: `/payout/widget`
 `GET /payout/widget` serves an HTML page that embeds the [YooKassa Payout Widget](https://yookassa.ru/developers/payouts/making-payouts/bank-card/using-payout-widget/implementing-widget). The widget collects card details from the user and returns a one-time `payout_token` that must be passed to `/api/v1/payout/create`.
 ### Mobile App Integration
 The widget page is designed to be loaded inside a **WebView** on Android or iOS. The widget communicates back to the native app via JavaScript bridge callbacks.
 #### Widget Callbacks
 The widget fires two callbacks:
 **`success_callback(data)`** — called when the user successfully submits card details. The `data` object contains the `payout_token` and card metadata. See [YooKassa widget output parameters](https://yookassa.ru/developers/payouts/making-payouts/bank-card/using-payout-widget/implementing-widget#reference-output-parameters).
 **`error_callback(error)`** — called when an error occurs in the widget. See [error output parameters](https://yookassa.ru/developers/payouts/making-payouts/bank-card/using-payout-widget/implementing-widget#reference-output-parameters-error).
 #### Android
 Expose a JavaScript interface named `AndroidCallback` on the WebView:
 ```kotlin
 class AndroidBridge {
    @JavascriptInterface
    fun onWidgetData(dataJson: String) {
        val data = JSONObject(dataJson)
        val payoutToken = data.getString("payout_token")
        // Call /api/v1/payout/create with payout_type "widget"
        createPayout(payoutToken = payoutToken, amount = 500.0)
    }
    @JavascriptInterface
    fun onWidgetError(errorJson: String) {
        // Handle widget error
    }
 }
 webView.addJavascriptInterface(AndroidBridge(), "AndroidCallback")
 ```
 #### iOS (WKWebView)
 Add a `WKScriptMessageHandler` named `iosCallback`:
 ```swift
 class WidgetMessageHandler: NSObject, WKScriptMessageHandler {
    func userContentController(
        _ userContentController: WKUserContentController,
        didReceive message: WKScriptMessage
    ) {
        guard let body = message.body as? String,
              let data = body.data(using: .utf8),
              let json = try? JSONSerialization.jsonObject(with: data) as? [String: Any]
        else { return }
        if message.name == "onWidgetData" {
            let payoutToken = json["payout_token"] as? String ?? ""
            // Call /api/v1/payout/create with payout_type "widget"
            createPayout(payoutToken: payoutToken, amount: 500.0)
        } else if message.name == "onWidgetError" {
            // Handle widget error
        }
    }
 }
 let contentController = WKUserContentController()
 let handler = WidgetMessageHandler()
 contentController.add(handler, name: "onWidgetData")
 contentController.add(handler, name: "onWidgetError")
 ```
 #### Payout Flow After Widget Callback
 When `onWidgetData` fires, call `/api/v1/payout/create` with `payout_type = "widget"` and the received `payout_token`:
 ```bash
 curl -s -X POST https://your-service/api/v1/payout/create \
  -H "Authorization: Bearer {session_token}" \
  -H "Content-Type: application/json" \
  -d '{
    "payout_type": "widget",
    "amount": 500.00,
    "payout_token": "{payout_token_from_widget}"
  }'
 ```
 ---
 ## Configuration
 Configuration is loaded from a `.properties` file (default: `config/payouts.properties`).
 ### YooKassa
 | Property | Default | Description |
 |----------|---------|-------------|
 | `YooKassa.BaseUrl` | `https://api.yookassa.ru/v3` | YooKassa API base URL |
 | `YooKassa.Timeout` | `2s` | HTTP request timeout |
 | `YooKassa.Test` | `false` | Enable test mode |
 | `YooKassa.ApiBaseKey` | — | Base API key (used for SBP bank list) |
 | `YooKassa.ApiBaseSecret` | — | Base API secret |
 | `YooKassa.ApiPayoutKey` | — | Payouts API key (gateway account ID; also used as `account_id` in the widget) |
 | `YooKassa.ApiPayoutSecret` | — | Payouts API secret |
 | `YooKassa.Retry.Enabled` | `false` | Enable automatic request retries |
 | `YooKassa.Retry.Count` | `3` | Total attempt count (including the initial request) |
 | `YooKassa.Retry.WaitTime` | `200ms` | Initial delay between retries |
 | `YooKassa.Retry.MaxWaitTime` | `5s` | Maximum delay (exponential backoff cap) |
 | `YooKassa.CheckAllowedCallbackAddress` | `true` | Validate callback source IP against whitelist |
 | `YooKassa.AllowedCallbackSubnets` | YooKassa IP ranges | Comma-separated CIDR subnets allowed to send callbacks |
 | `YooKassa.CallbackProcessTimeout` | `1s` | Timeout for async callback processing |
 | `YooKassa.WidgetVersion` | `3.1.0` | YooKassa widget JS version loaded on `/payout/widget` |
 ### Database
 | Property | Default | Description |
 |----------|---------|-------------|
 | `Database.Type` | — | Database driver: `sqlite` or `postgres` |
 | `Database.Connection` | — | Connection string. SQLite: `payouts.db`. PostgreSQL: `host=127.0.0.1 user=gorm password=gorm dbname=gorm port=5432 sslmode=disable` |
 | `Database.LogLevel` | `Info` | GORM log level: `Debug`, `Info`, `Warn`, `Error` |
 | `Database.TraceRequests` | `false` | Log all SQL queries |
 ### Session Cache
 | Property | Default | Description |
 |----------|---------|-------------|
 | `Cache.TTL` | `24h` | Session token time-to-live (Go duration string) |
 ### Server
 | Property | Default | Description |
 |----------|---------|-------------|
 | `Server.Port` | `:8080` | Listening address and port |
 | `Server.WriteTimeout` | `35s` | Response write timeout |
 | `Server.ReadTimeout` | `35s` | Request read timeout |
 | `Server.EnablePProfEndpoints` | `false` | Expose `/debug/pprof` endpoints |
 | `Server.Tls.Enabled` | `false` | Enable TLS |
 | `Server.Tls.CertFile` | — | Path to TLS certificate file |
 | `Server.Tls.KeyFile` | — | Path to TLS private key file |
 ### Logging
 | Property | Default | Description |
 |----------|---------|-------------|
 | `Log.Level` | `DEBUG` | Log level: `DEBUG`, `INFO`, `WARN`, `ERROR` |
 | `Log.FilePath` | `./logs/payouts.log` | Log file path |
 | `Log.TextOutput` | `false` | Use plain text output instead of JSON |
 | `Log.StdoutEnabled` | `true` | Write logs to stdout |
 | `Log.FileEnabled` | `false` | Write logs to file |
--- a/config/payouts.properties
+++ b/config/payouts.properties
@@ -3,10 +3,9 @@ Server.WriteTimeout = 35s
 Server.ReadTimeout = 35s
 Server.EnablePProfEndpoints = false
-Socket.MaxHttpBufferSize = 2097152
+Server.Tls.Enabled = false
-Socket.PingInterval = 25s
+Server.Tls.CertFile =
-Socket.PingTimeout = 20s
+Server.Tls.KeyFile =
 Socket.Debug = false
 # Prometheus settings
 Metrics.Endpoint = /metrics
@@ -56,8 +55,10 @@ YooKassa.AllowedCallbackSubnets = 185.71.76.0/27,185.71.77.0/27,77.75.153.0/25,7
 # Base API key/secret
 YooKassa.ApiBaseKey =
 YooKassa.ApiBaseSecret =
-# Payments API key/secret
+# Payouts API key/secret
-YooKassa.ApiPaymentKey =
+YooKassa.ApiPayoutKey =
-YooKassa.ApiPaymentSecret =
+YooKassa.ApiPayoutSecret =
 # Timeout to process yookassa callback
 YooKassa.CallbackProcessTimeout = 1s
 # Widget version
 YooKassa.WidgetVersion = 3.1.0
--- a/helm/payouts/Chart.yaml
+++ b/helm/payouts/Chart.yaml
@@ -0,0 +1,6 @@
 apiVersion: v2
 name: payouts
 description: Payouts service Helm chart
 type: application
 version: 0.1.0
 appVersion: "1.0.0"
--- a/helm/payouts/README.md
+++ b/helm/payouts/README.md
@@ -0,0 +1,203 @@
 # payouts Helm Chart
 Helm chart for deploying the **payouts** service to Kubernetes.
 ## Prerequisites
 - Kubernetes 1.21+
 - Helm 3.2+
 ## Installing the Chart
 ```bash
 helm install payouts ./helm
 ```
 To install into a specific namespace:
 ```bash
 helm install payouts ./helm --namespace payouts --create-namespace
 ```
 ## Uninstalling the Chart
 ```bash
 helm uninstall payouts
 ```
 ## Configuration
 All parameters are set via `values.yaml` or `--set` flags.
 ### Image
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `image.repository` | Container image repository | `payouts` |
 | `image.tag` | Container image tag | `latest` |
 | `image.pullPolicy` | Image pull policy | `IfNotPresent` |
 ### Service
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `service.type` | Kubernetes service type | `ClusterIP` |
 | `service.port` | Service port | `8080` |
 ### Ingress
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `ingress.enabled` | Enable ingress | `false` |
 | `ingress.className` | IngressClass name | `""` |
 | `ingress.annotations` | Ingress annotations | `{}` |
 | `ingress.host` | Ingress hostname | `payouts.example.com` |
 | `ingress.path` | Ingress path | `/` |
 | `ingress.pathType` | Ingress path type | `Prefix` |
 | `ingress.tls` | TLS configuration | `[]` |
 ### TLS (application-level)
 When `config.Server.Tls.Enabled` is `true` the chart mounts a TLS secret as
 files into the pod at the paths defined by `config.Server.Tls.CertFile` and
 `config.Server.Tls.KeyFile`.
 Two modes are supported:
 **Option A — use an existing secret** (type `kubernetes.io/tls`):
 ```yaml
 config:
  Server:
    Tls:
      Enabled: true
 tls:
  existingSecret: "my-tls-secret"
 ```
 **Option B — let the chart create the secret** (supply PEM values, do not commit to VCS):
 ```yaml
 config:
  Server:
    Tls:
      Enabled: true
 tls:
  cert: |
    -----BEGIN CERTIFICATE-----
    ...
  key: |
    -----BEGIN PRIVATE KEY-----
    ...
 ```
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `config.Server.Tls.Enabled` | Enable TLS on the HTTP server | `false` |
 | `config.Server.Tls.CertFile` | Path to the certificate file inside the pod | `/etc/payouts/tls/tls.crt` |
 | `config.Server.Tls.KeyFile` | Path to the private key file inside the pod | `/etc/payouts/tls/tls.key` |
 | `tls.existingSecret` | Name of an existing `kubernetes.io/tls` secret to use | `""` |
 | `tls.cert` | PEM-encoded certificate (used when `existingSecret` is empty) | `""` |
 | `tls.key` | PEM-encoded private key (used when `existingSecret` is empty) | `""` |
 > When TLS is enabled, either `tls.existingSecret` or both `tls.cert` and `tls.key` must be provided — the chart will fail with a descriptive error otherwise.
 ### Application Config
 Non-secret application parameters are stored in a ConfigMap and mounted as
 `/etc/payouts/config.yaml` inside the pod. The path is passed to the application
 via the `CONFIG_PATH` environment variable.
 All keys preserve the exact casing from `config/payouts.properties`.
 | Parameter | Description | Default |
 |-----------|-------------|---------|
 | `config.Server.Port` | HTTP listen address | `:8080` |
 | `config.Server.WriteTimeout` | HTTP write timeout | `35s` |
 | `config.Server.ReadTimeout` | HTTP read timeout | `35s` |
 | `config.Server.EnablePProfEndpoints` | Expose pprof endpoints | `false` |
 | `config.Socket.MaxHttpBufferSize` | Max HTTP buffer size for socket | `2097152` |
 | `config.Socket.PingInterval` | Socket ping interval | `25s` |
 | `config.Socket.PingTimeout` | Socket ping timeout | `20s` |
 | `config.Socket.Debug` | Enable socket debug logging | `false` |
 | `config.Metrics.Endpoint` | Prometheus metrics endpoint | `/metrics` |
 | `config.Metrics.HistogramBuckets` | Global histogram buckets | `0.001,...,10` |
 | `config.Metrics.Http.HistogramEnabled` | Enable HTTP latency histogram | `true` |
 | `config.Metrics.Http.Buckets` | HTTP histogram buckets | `0.001,...,10` |
 | `config.Log.Level` | Log level | `DEBUG` |
 | `config.Log.FilePath` | Log file path | `./logs/payouts.log` |
 | `config.Log.TextOutput` | Use plain-text log format | `false` |
 | `config.Log.StdoutEnabled` | Log to stdout | `true` |
 | `config.Log.FileEnabled` | Log to file | `false` |
 | `config.Database.Type` | Database type (`sqlite` or `postgres`) | `""` |
 | `config.Database.LogLevel` | Database query log level | `Info` |
 | `config.Database.TraceRequests` | Trace all DB requests | `false` |
 | `config.Cache.TTL` | Session cache TTL | `24h` |
 | `config.YooKassa.BaseUrl` | YooKassa API base URL | `https://api.yookassa.ru/v3` |
 | `config.YooKassa.Timeout` | YooKassa request timeout | `2s` |
 | `config.YooKassa.Retry.Enabled` | Enable request retries | `false` |
 | `config.YooKassa.Retry.Count` | Retry count (incl. initial) | `3` |
 | `config.YooKassa.Retry.WaitTime` | Wait time between retries | `200ms` |
 | `config.YooKassa.Retry.MaxWaitTime` | Max wait time (exponential backoff) | `5s` |
 | `config.YooKassa.Test` | Enable YooKassa test mode | `false` |
 | `config.YooKassa.CheckAllowedCallbackAddress` | Validate callback source IP | `true` |
 | `config.YooKassa.AllowedCallbackSubnets` | Allowed callback CIDR list | YooKassa subnets |
 | `config.YooKassa.CallbackProcessTimeout` | Timeout to process callback | `1s` |
 ### Secrets
 Secret values are stored in a Kubernetes Secret and injected as environment
 variables. Variable names are the uppercased property key with `.` replaced by `_`.
 > **These values are empty by default and must be supplied before deploying to production.**
 | Env variable | Original property |
 |---|---|
 | `DATABASE_CONNECTION` | `Database.Connection` |
 | `YOOKASSA_APIBASEKEY` | `YooKassa.ApiBaseKey` |
 | `YOOKASSA_APIBASESECRET` | `YooKassa.ApiBaseSecret` |
 | `YOOKASSA_APIPAYOUTKEY` | `YooKassa.ApiPayoutKey` |
 | `YOOKASSA_APIPAYOUTSECRET` | `YooKassa.ApiPayoutSecret` |
 Provide secrets at install/upgrade time:
 ```bash
 helm install payouts ./helm \
  --set secrets.DATABASE_CONNECTION="host=127.0.0.1 user=app password=s3cr3t dbname=payouts port=5432 sslmode=disable" \
  --set secrets.YOOKASSA_APIBASEKEY="<key>" \
  --set secrets.YOOKASSA_APIBASESECRET="<secret>" \
  --set secrets.YOOKASSA_APIPAYOUTKEY="<key>" \
  --set secrets.YOOKASSA_APIPAYOUTSECRET="<secret>"
 ```
 Or keep them in a separate values file that is **not committed to version control**:
 ```bash
 helm install payouts ./helm -f secrets.values.yaml
 ```
 Example `secrets.values.yaml`:
 ```yaml
 secrets:
  DATABASE_CONNECTION: "host=127.0.0.1 user=payouts password=password dbname=payouts port=5432 sslmode=disable"
  YOOKASSA_APIBASEKEY: "<key>"
  YOOKASSA_APIBASESECRET: "<secret>"
  YOOKASSA_APIPAYOUTKEY: "<key>"
  YOOKASSA_APIPAYOUTSECRET: "<secret>"
 ```
 ### Ingress example
 ```yaml
 ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  host: payouts.example.com
  tls:
    - secretName: payouts-tls
      hosts:
        - payouts.example.com
 ```
--- a/helm/payouts/templates/NOTES.txt
+++ b/helm/payouts/templates/NOTES.txt
@@ -0,0 +1,45 @@
 1. Get the application URL:
 {{- if .Values.ingress.enabled }}
  http{{ if .Values.ingress.tls }}s{{ end }}://{{ .Values.ingress.host }}{{ .Values.ingress.path }}
 {{- else if eq .Values.service.type "NodePort" }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "payouts.fullname" . }})
  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo "http://$NODE_IP:$NODE_PORT"
 {{- else if eq .Values.service.type "LoadBalancer" }}
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "payouts.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo "http://$SERVICE_IP:{{ .Values.service.port }}"
 {{- else }}
  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "payouts.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }}
  echo "http://127.0.0.1:{{ .Values.service.port }}"
 {{- end }}
 2. Configuration is mounted at $CONFIG_PATH inside the pod:
   /etc/payouts/config.yaml  (from ConfigMap {{ include "payouts.fullname" . }})
 {{- if .Values.config.Server.Tls.Enabled }}
 3. TLS is ENABLED. Certificate and key are mounted from Secret {{ include "payouts.tlsSecretName" . }}:
   {{ .Values.config.Server.Tls.CertFile }}
   {{ .Values.config.Server.Tls.KeyFile }}
 {{- if not .Values.tls.existingSecret }}
   The chart created the TLS secret. To rotate the certificate, update tls.cert / tls.key and run helm upgrade.
 {{- else }}
   Using existing secret: {{ .Values.tls.existingSecret }}
 {{- end }}
 4. Secret environment variables are injected from Secret {{ include "payouts.fullname" . }}:
 {{- else }}
 3. Secret environment variables are injected from Secret {{ include "payouts.fullname" . }}:
 {{- end }}
   DATABASE_CONNECTION, YOOKASSA_APIBASEKEY, YOOKASSA_APIBASESECRET,
   YOOKASSA_APIPAYOUTKEY, YOOKASSA_APIPAYOUTSECRET
   Before deploying to production, populate these values:
   helm upgrade {{ .Release.Name }} ./helm \
     --set secrets.DATABASE_CONNECTION="host=... dbname=..." \
     --set secrets.YOOKASSA_APIBASEKEY="<key>" \
     --set secrets.YOOKASSA_APIBASESECRET="<secret>" \
     --set secrets.YOOKASSA_APIPAYOUTKEY="<key>" \
     --set secrets.YOOKASSA_APIPAYOUTSECRET="<secret>"
   Or use a separate values file that is not committed to version control:
   helm upgrade {{ .Release.Name }} ./helm -f secrets.values.yaml
--- a/helm/payouts/templates/_helpers.tpl
+++ b/helm/payouts/templates/_helpers.tpl
@@ -0,0 +1,62 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "payouts.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 */}}
 {{- define "payouts.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "payouts.labels" -}}
 helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{ include "payouts.selectorLabels" . }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "payouts.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "payouts.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Name of the TLS secret to mount.
 Returns tls.existingSecret when set, otherwise the chart-managed secret name.
 */}}
 {{- define "payouts.tlsSecretName" -}}
 {{- if .Values.tls.existingSecret }}
 {{- .Values.tls.existingSecret }}
 {{- else }}
 {{- printf "%s-tls" (include "payouts.fullname" .) }}
 {{- end }}
 {{- end }}
 {{/*
 Validate TLS configuration.
 */}}
 {{- define "payouts.validateTls" -}}
 {{- if .Values.config.Server.Tls.Enabled }}
 {{- if and (not .Values.tls.existingSecret) (or (not .Values.tls.cert) (not .Values.tls.key)) }}
 {{- fail "TLS is enabled: either set tls.existingSecret or provide both tls.cert and tls.key" }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/helm/payouts/templates/configmap.yaml
+++ b/helm/payouts/templates/configmap.yaml
@@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "payouts.fullname" . }}
  labels:
    {{- include "payouts.labels" . | nindent 4 }}
 data:
  config.yaml: |
    {{- .Values.config | toYaml | nindent 4 }}
--- a/helm/payouts/templates/deployment.yaml
+++ b/helm/payouts/templates/deployment.yaml
@@ -0,0 +1,85 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "payouts.fullname" . }}
  labels:
    {{- include "payouts.labels" . | nindent 4 }}
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "payouts.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "payouts.selectorLabels" . | nindent 8 }}
      annotations:
        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
        {{- if .Values.config.Server.Tls.Enabled }}
        checksum/tls: {{ include (print $.Template.BasePath "/tls-secret.yaml") . | sha256sum }}
        {{- end }}
    spec:
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          env:
            - name: CONFIG_PATH
              value: /etc/payouts/config.yaml
            {{- range $key, $value := .Values.secrets }}
            - name: {{ $key }}
              valueFrom:
                secretKeyRef:
                  name: {{ include "payouts.fullname" $ }}
                  key: {{ $key }}
            {{- end }}
          ports:
            - name: http
              containerPort: {{ trimPrefix ":" .Values.config.Server.Port | int }}
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: http
          readinessProbe:
            httpGet:
              path: /health
              port: http
          volumeMounts:
            - name: config
              mountPath: /etc/payouts
              readOnly: true
            {{- if .Values.config.Server.Tls.Enabled }}
            - name: tls
              mountPath: /etc/payouts/tls
              readOnly: true
            {{- end }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
      volumes:
        - name: config
          configMap:
            name: {{ include "payouts.fullname" . }}
        {{- if .Values.config.Server.Tls.Enabled }}
        - name: tls
          secret:
            secretName: {{ include "payouts.tlsSecretName" . }}
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--- a/helm/payouts/templates/ingress.yaml
+++ b/helm/payouts/templates/ingress.yaml
@@ -0,0 +1,31 @@
 {{- if .Values.ingress.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ include "payouts.fullname" . }}
  labels:
    {{- include "payouts.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{- if .Values.ingress.className }}
  ingressClassName: {{ .Values.ingress.className }}
  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
    {{- toYaml .Values.ingress.tls | nindent 4 }}
  {{- end }}
  rules:
    - host: {{ .Values.ingress.host }}
      http:
        paths:
          - path: {{ .Values.ingress.path }}
            pathType: {{ .Values.ingress.pathType }}
            backend:
              service:
                name: {{ include "payouts.fullname" . }}
                port:
                  name: http
 {{- end }}
--- a/helm/payouts/templates/secret.yaml
+++ b/helm/payouts/templates/secret.yaml
@@ -0,0 +1,11 @@
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "payouts.fullname" . }}
  labels:
    {{- include "payouts.labels" . | nindent 4 }}
 type: Opaque
 data:
  {{- range $key, $value := .Values.secrets }}
  {{ $key }}: {{ $value | toString | b64enc | quote }}
  {{- end }}
--- a/helm/payouts/templates/service.yaml
+++ b/helm/payouts/templates/service.yaml
@@ -0,0 +1,15 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "payouts.fullname" . }}
  labels:
    {{- include "payouts.labels" . | nindent 4 }}
 spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "payouts.selectorLabels" . | nindent 4 }}
--- a/helm/payouts/templates/tls-secret.yaml
+++ b/helm/payouts/templates/tls-secret.yaml
@@ -0,0 +1,13 @@
 {{- if and .Values.config.Server.Tls.Enabled (not .Values.tls.existingSecret) }}
 {{- include "payouts.validateTls" . }}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ printf "%s-tls" (include "payouts.fullname" .) }}
  labels:
    {{- include "payouts.labels" . | nindent 4 }}
 type: kubernetes.io/tls
 data:
  tls.crt: {{ .Values.tls.cert | toString | b64enc }}
  tls.key: {{ .Values.tls.key | toString | b64enc }}
 {{- end }}
--- a/helm/payouts/values.yaml
+++ b/helm/payouts/values.yaml
@@ -0,0 +1,105 @@
 replicaCount: 1
 image:
  repository: payouts
  tag: latest
  pullPolicy: IfNotPresent
 service:
  type: ClusterIP
  port: 8080
 ingress:
  enabled: false
  className: ""
  annotations: {}
  host: payouts.example.com
  path: /
  pathType: Prefix
  tls: []
 resources: {}
 nodeSelector: {}
 tolerations: []
 affinity: {}
 # Non-secret application config — rendered as /etc/payouts/config.yaml inside the pod
 config:
  Server:
    Port: ":8080"
    WriteTimeout: 35s
    ReadTimeout: 35s
    EnablePProfEndpoints: false
    Tls:
      Enabled: false
      CertFile: /etc/payouts/tls/tls.crt
      KeyFile: /etc/payouts/tls/tls.key
  Socket:
    MaxHttpBufferSize: 2097152
    PingInterval: 25s
    PingTimeout: 20s
    Debug: false
  Metrics:
    Endpoint: /metrics
    HistogramBuckets: "0.001,0.002,0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
    Http:
      HistogramEnabled: true
      Buckets: "0.001,0.002,0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
  Log:
    Level: DEBUG
    FilePath: ./logs/payouts.log
    TextOutput: false
    StdoutEnabled: true
    FileEnabled: false
  Database:
    Type: ""
    LogLevel: Info
    TraceRequests: false
  Cache:
    TTL: 24h
  YooKassa:
    BaseUrl: https://api.yookassa.ru/v3
    Timeout: 2s
    Retry:
      Enabled: false
      Count: 3
      WaitTime: 200ms
      MaxWaitTime: 5s
    Test: false
    CheckAllowedCallbackAddress: true
    AllowedCallbackSubnets: "185.71.76.0/27,185.71.77.0/27,77.75.153.0/25,77.75.156.11/32,77.75.156.35/32,77.75.154.128/25,2a02:5180::/32"
    CallbackProcessTimeout: 1s
 # TLS for the application server
 # When config.Server.Tls.Enabled is true, a volume with the cert and key is mounted
 # into the pod at the paths defined by config.Server.Tls.CertFile / KeyFile.
 #
 # Option A — bring your own secret (must be type kubernetes.io/tls):
 #   tls.existingSecret: "my-tls-secret"
 #
 # Option B — supply PEM values and let the chart create the secret:
 #   tls.cert: |
 #     -----BEGIN CERTIFICATE-----
 #     ...
 #   tls.key: |
 #     -----BEGIN PRIVATE KEY-----
 #     ...
 tls:
  existingSecret: ""
  cert: ""
  key: ""
 # Secret values — injected as env vars (uppercase, dots → underscores)
 secrets:
  DATABASE_CONNECTION: ""
  YOOKASSA_APIBASEKEY: ""
  YOOKASSA_APIBASESECRET: ""
  YOOKASSA_APIPAYOUTKEY: ""
  YOOKASSA_APIPAYOUTSECRET: ""
--- a/internal/api/health/health_handler.go
+++ b/internal/api/health/health_handler.go
@@ -0,0 +1,46 @@
 package health
 import (
 	"encoding/json"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"payouts/internal/service/database"
 )
 // Route health route
 const Route = "/health"
 // New constructs a new health Handler.
 func New(dbService database.Service) (Handler, error) {
 	return &handler{
 		dbService: dbService,
 	}, nil
 }
 type handler struct {
 	dbService database.Service
 }
 // HealthHandler handles the health check requests
 func (h *handler) Health(w http.ResponseWriter, r *http.Request) {
 	defer r.Body.Close()
 	w.Header().Set("Content-Type", "application/json")
 	status := map[string]any{}
 	// Check database connection
 	err := h.dbService.HealthCheck()
 	if err != nil {
 		w.WriteHeader(http.StatusServiceUnavailable)
 		status["Error"] = fmt.Sprintf("%v", err)
 		slog.Error("Health check failed", slog.String("error", status["Error"].(string)))
 	} else {
 		w.WriteHeader(http.StatusOK)
 	}
 	status["OK"] = (err == nil)
 	encoder := json.NewEncoder(w)
 	encoder.Encode(status)
 }
--- a/internal/api/health/module.go
+++ b/internal/api/health/module.go
@@ -0,0 +1,16 @@
 package health
 import (
 	"net/http"
 	"go.uber.org/fx"
 )
 var Module = fx.Options(
 	fx.Provide(New),
 )
 // Handler health handler interface
 type Handler interface {
 	Health(http.ResponseWriter, *http.Request)
 }
--- a/internal/api/module.go
+++ b/internal/api/module.go
@@ -11,9 +11,11 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"go.uber.org/fx"
 	"payouts/internal/api/health"
 	"payouts/internal/api/payout"
 	"payouts/internal/api/user"
 	"payouts/internal/api/version"
 	"payouts/internal/api/widget"
 	appConfig "payouts/internal/config"
 	"payouts/internal/service/monitoring"
 )
@@ -21,8 +23,10 @@ import (
 // Module is a fx module
 var Module = fx.Options(
 	user.Module,
 	health.Module,
 	payout.Module,
 	version.Module,
 	widget.Module,
 	monitoring.Module,
 	fx.Invoke(RegisterRoutes),
@@ -39,7 +43,9 @@ type Params struct {
 	PayoutHandler payout.Handler
 	UserHandler   user.Handler
 	HealthHandler health.Handler
 	Version       version.Handler
 	Widget        widget.Handler
 	Metrics monitoring.Metrics
 }
@@ -50,7 +56,10 @@ func RegisterRoutes(p Params, lc fx.Lifecycle) {
 	router := mux.NewRouter()
 	router.StrictSlash(true)
 	// Version endpoint
 	router.HandleFunc(version.Route, p.Version.VersionHandler).Methods(http.MethodGet)
 	// Health check endpoint
 	router.HandleFunc(health.Route, p.HealthHandler.Health).Methods(http.MethodGet)
 	if p.AppConfig.Server.EnablePProfEndpoints {
 		router.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
@@ -67,9 +76,13 @@ func RegisterRoutes(p Params, lc fx.Lifecycle) {
 	userRouter.HandleFunc(user.LoginRoute, p.UserHandler.UserLogin).Methods(http.MethodPost)
 	payoutRouter := apiRouter.PathPrefix(payout.BaseRoute).Subrouter()
 	payoutRouter.HandleFunc(payout.BanksRoute, p.PayoutHandler.GetSbpBanks).Methods(http.MethodGet)
 	payoutRouter.HandleFunc(payout.CreateRoute, p.PayoutHandler.PayoutCreate).Methods(http.MethodPost)
 	payoutRouter.HandleFunc(payout.CallbackRoute, p.PayoutHandler.PayoutCallback).Methods(http.MethodPost)
 	// Widget endpoint
 	router.HandleFunc(widget.WidgetPage, p.Widget.WidgetHandler).Methods(http.MethodGet)
 	// collect api metrics
 	apiRouter.Use(p.Metrics.GetMiddleware())
--- a/internal/api/payout/payout_handler.go
+++ b/internal/api/payout/payout_handler.go
@@ -122,7 +122,7 @@ func (p *payoutHandler) GetSbpBanks(w http.ResponseWriter, r *http.Request) {
 	}
 }
-// PaymentCreate implements [Handler].
+// PayoutCreate implements [Handler].
 func (p *payoutHandler) PayoutCreate(w http.ResponseWriter, r *http.Request) {
 	defer r.Body.Close()
@@ -203,7 +203,7 @@ func (p *payoutHandler) delayedPayoutUpdate(ctx context.Context, payoutData *yoo
 	}
 }
-// PaymentCallback implements [Handler].
+// PayoutCallback implements [Handler].
 func (p *payoutHandler) PayoutCallback(w http.ResponseWriter, r *http.Request) {
 	// todo: check also the X-real-ip and/or X-Forwarded-For
 	if p.yookassaConf.CheckAllowedCallbackAddress && !p.checkAllowedIpCallback(r.RemoteAddr) {
--- a/internal/api/version/version_handler.go
+++ b/internal/api/version/version_handler.go
@@ -3,6 +3,7 @@ package version
 import (
 	"io"
 	"net/http"
 	"runtime/debug"
 	"go.uber.org/fx"
@@ -39,7 +40,20 @@ type handler struct {
 func (h *handler) VersionHandler(w http.ResponseWriter, r *http.Request) {
 	defer r.Body.Close()
 	ver := h.version
 	if ver == "unknown" {
 		buildInfo, ok := debug.ReadBuildInfo()
 		if ok {
 			for _, setting := range buildInfo.Settings {
 				if setting.Key == "vcs.revision" {
 					ver = ver + "-" + setting.Value
 					break
 				}
 			}
 		}
 	}
 	w.Header().Set("Content-Type", "text/plain")
 	w.WriteHeader(http.StatusOK)
-	io.WriteString(w, h.version)
+	io.WriteString(w, ver+"\n")
 }
--- a/internal/api/widget/module.go
+++ b/internal/api/widget/module.go
@@ -0,0 +1,9 @@
 package widget
 import (
 	"go.uber.org/fx"
 )
 var Module = fx.Options(
 	fx.Provide(NewWidgetHandler),
 )
--- a/internal/api/widget/widget_handler.go
+++ b/internal/api/widget/widget_handler.go
@@ -0,0 +1,55 @@
 package widget
 import (
 	"html/template"
 	"net/http"
 	"go.uber.org/fx"
 	"payouts/internal/service/yookassa"
 	yookassaConf "payouts/internal/service/yookassa/config"
 	"payouts/internal/templates"
 )
 const WidgetPage = "/payout/widget"
 type Handler interface {
 	WidgetHandler(http.ResponseWriter, *http.Request)
 }
 type widgetHandler struct {
 	template *template.Template
 	config   yookassaConf.YooKassa
 }
 // Params represents the module input params
 type Params struct {
 	fx.In
 	YookassaService yookassa.Service
 }
 func NewWidgetHandler(p Params) (Handler, error) {
 	return &widgetHandler{
 		template: templates.Templates,
 		config:   p.YookassaService.GetConfig(),
 	}, nil
 }
 // WidgetHandler renders the payouts widget page
 func (h *widgetHandler) WidgetHandler(w http.ResponseWriter, r *http.Request) {
 	data := struct {
 		ApiPayoutKey string
 		WidgetVersion string
 	}{
 		ApiPayoutKey: h.config.ApiPayoutKey,
 		WidgetVersion: h.config.WidgetVersion,
 	}
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	err := h.template.ExecuteTemplate(w, "payouts-widget.html", data)
 	if err != nil {
 		http.Error(w, "internal error", http.StatusInternalServerError)
 		return
 	}
 }
--- a/internal/config/module.go
+++ b/internal/config/module.go
@@ -66,6 +66,9 @@ func NewAppConfig() (*App, error) {
 		tempConf.SetConfigName(confName)
 		tempConf.SetConfigType(confType)
 		tempConf.AutomaticEnv()
 		tempConf.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 		err := tempConf.ReadInConfig()
 		if err != nil {
 			// complain on missed non-default config
--- a/internal/models/payout.go
+++ b/internal/models/payout.go
@@ -10,6 +10,8 @@ type PayoutType int64
 const (
 	TypeSBP PayoutType = iota
 	TypeYooMoney
 	TypeCard
 	TypeCardWidget
 )
 func (r PayoutType) String() string {
@@ -18,6 +20,10 @@ func (r PayoutType) String() string {
 		return "spb"
 	case TypeYooMoney:
 		return "yoo_money"
 	case TypeCard:
 		return "bank_card"
 	case TypeCardWidget:
 		return "widget"
 	}
 	return "unknown"
 }
@@ -33,8 +39,12 @@ func (r *PayoutType) UnmarshalText(text []byte) (err error) {
 		*r = TypeSBP
 	case "yoo_money":
 		*r = TypeYooMoney
 	case "bank_card":
 		*r = TypeCard
 	case "widget":
 		*r = TypeCardWidget
 	default:
-		err = fmt.Errorf("invalid payment type: %s", s)
+		err = fmt.Errorf("invalid payout type: %s", s)
 	}
 	return err
 }
@@ -83,7 +93,7 @@ func (r *PayoutStatus) UnmarshalText(text []byte) (err error) {
 	case "failed":
 		*r = StatusFailed
 	default:
-		err = fmt.Errorf("invalid payment type: %s", s)
+		err = fmt.Errorf("invalid payout type: %s", s)
 	}
 	return err
 }
@@ -96,8 +106,10 @@ type SBPBank struct {
 type PayoutReq struct {
 	PayoutType    PayoutType `json:"payout_type"`
 	PayoutToken   string     `json:"payout_token"`
 	AccountNumber string     `json:"account_number"`
 	BankID        string     `json:"bank_id"`
 	CardNumber    string     `json:"card_number"`
 	Amount        float32    `json:"amount"`
 }
--- a/internal/service/database/db_service.go
+++ b/internal/service/database/db_service.go
@@ -109,3 +109,17 @@ func (d *dbService) UpdatePayoutByPayoutID(payoutId string, updateModel orm.Payo
 	p := d.getParams(opts...)
 	return gorm.G[orm.Payout](d.db).Where("payout_id = ?", payoutId).Updates(p.ctx, updateModel)
 }
 // HealthCheck implements [Service].
 func (d *dbService) HealthCheck() error {
 	if d.db == nil {
 		return errors.New("database connection is nil")
 	}
 	db, err := d.db.DB()
 	if err != nil {
 		return err
 	}
 	return db.Ping()
 }
--- a/internal/service/database/module.go
+++ b/internal/service/database/module.go
@@ -31,6 +31,7 @@ type Service interface {
 	CreatePayout(payoutModel *orm.Payout, opts ...Optional) error
 	UpdatePayoutById(id uint, updateModel orm.Payout, opts ...Optional) (int, error)
 	UpdatePayoutByPayoutID(payoutId string, updateModel orm.Payout, opts ...Optional) (int, error)
 	HealthCheck() error
 }
 // Params represents the module input params
--- a/internal/service/monitoring/config/metrics.go
+++ b/internal/service/monitoring/config/metrics.go
@@ -1,10 +1,3 @@
 /*
 * Copyright (c) New Cloud Technologies, Ltd., 2013-2026
 *
 * You can not use the contents of the file in any way without New Cloud Technologies Ltd. written permission.
 * To obtain such a permit, you should contact New Cloud Technologies, Ltd. at https://myoffice.ru/contacts/
 */
 package config
 import (
--- a/internal/service/yookassa/config/yookassa.go
+++ b/internal/service/yookassa/config/yookassa.go
@@ -13,8 +13,9 @@ type YooKassa struct {
 	ApiBaseKey       string
 	ApiBaseSecret    string
-	ApiPaymentKey    string
+	ApiPayoutKey    string
-	ApiPaymentSecret string
+	ApiPayoutSecret string
 	WidgetVersion    string
 	CallbackProcessTimeout time.Duration
 }
--- a/internal/service/yookassa/yookassa_api.go
+++ b/internal/service/yookassa/yookassa_api.go
@@ -39,7 +39,8 @@ type Metadata map[string]any
 type PayoutRequest struct {
 	Amount                Amount            `json:"amount"`
-	PayoutDestinationData PayoutDestination `json:"payout_destination_data"`
+	PayoutToken           string            `json:"payout_token,omitempty"`
 	PayoutDestinationData PayoutDestination `json:"payout_destination_data,omitzero"`
 	Description           string            `json:"description"`
 	Metadata              Metadata          `json:"metadata"`
 	Test                  bool              `json:"test"`
--- a/internal/service/yookassa/yookassa_service.go
+++ b/internal/service/yookassa/yookassa_service.go
@@ -26,7 +26,7 @@ type yookassaService struct {
 func NewYookassaService(conf config.YooKassa) (Service, error) {
 	client := resty.New()
 	client.SetBaseURL(conf.BaseUrl)
-	client.SetBasicAuth(conf.ApiPaymentKey, conf.ApiPaymentSecret)
+	client.SetBasicAuth(conf.ApiPayoutKey, conf.ApiPayoutSecret)
 	client.SetTimeout(conf.Timeout)
 	if conf.Retry.Enabled {
@@ -110,10 +110,23 @@ func (y *yookassaService) CreatePayout(req models.PayoutReq, userSession *orm.Us
 	switch req.PayoutType {
 	case models.TypeSBP:
-		yReq.PayoutDestinationData.Phone = userSession.Phone
+		yReq.PayoutDestinationData = PayoutDestination{
-		yReq.PayoutDestinationData.BankID = req.BankID
+			Phone:  userSession.Phone,
 			BankID: req.BankID,
 		}
 	case models.TypeYooMoney:
 		yReq.PayoutDestinationData.AccountNumber = req.AccountNumber
 	case models.TypeCard:
 		yReq.PayoutDestinationData.Card = Card{
 			Number: req.CardNumber,
 		}
 	case models.TypeCardWidget:
 		yReq.PayoutToken = req.PayoutToken
 		yReq.PayoutDestinationData = PayoutDestination{}
 	default:
 		return nil, errors.New("unsupported payout type")
 	}
--- a/internal/templates/payouts-widget.html
+++ b/internal/templates/payouts-widget.html
@@ -0,0 +1,45 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Payouts Page</title>
    <script src="https://yookassa.ru/payouts-data/{{ .WidgetVersion }}/widget.js"></script>
    <style>
    </style>
 </head>
 <body>
    <div id="payout-form"></div>
    <script>
        // Инициализация виджета. Все параметры обязательные.
        const payoutsData = new window.PayoutsData({
            type: 'payout',
            account_id: '{{ .ApiPayoutKey }}', // Идентификатор шлюза (agentId в личном кабинете)
            success_callback: function(data) {
                // https://yookassa.ru/developers/payouts/making-payouts/bank-card/using-payout-widget/implementing-widget#reference-output-parameters
                if (window.AndroidCallback) {
                    window.AndroidCallback.onWidgetData(JSON.stringify(data));
                } else if (window.webkit && window.webkit.messageHandlers.iosCallback) {
                    window.webkit.messageHandlers.iosCallback.onWidgetData(JSON.stringify(data));
                }
            },
            error_callback: function(error) {
                // https://yookassa.ru/developers/payouts/making-payouts/bank-card/using-payout-widget/implementing-widget#reference-output-parameters-error
                if (window.AndroidCallback) {
                    window.AndroidCallback.onWidgetError(JSON.stringify(error));
                } else if (window.webkit && window.webkit.messageHandlers.iosCallback) {
                    window.webkit.messageHandlers.iosCallback.onWidgetError(JSON.stringify(error));
                }
            }
        });
        //Отображение формы в контейнере
        payoutsData.render('payout-form')
        //Метод возвращает Promise, исполнение которого говорит о полной загрузке формы сбора данных (можно не использовать).
        .then(() => {
            //Код, который нужно выполнить после отображения формы.
        });
    </script>
 </body>
 </html>
--- a/internal/templates/templates.go
+++ b/internal/templates/templates.go
@@ -0,0 +1,11 @@
 package templates
 import (
 	"embed"
 	"html/template"
 )
 //go:embed *.html
 var FS embed.FS
 var Templates = template.Must(template.ParseFS(FS, "*.html"))
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -0,0 +1,415 @@
 openapi: 3.1.0
 info:
  title: Payouts Service API
  description: API for managing user registrations, authentication, and payouts via YooKassa.
  version: 1.0.0
 servers:
  - url: /
 tags:
  - name: user
    description: User registration and authentication
  - name: payout
    description: Payout operations
  - name: system
    description: Health and version endpoints
 paths:
  /api/v1/user/register:
    post:
      tags: [user]
      summary: Register a new user
      operationId: userRegister
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserRegisterRequest'
      responses:
        '201':
          description: User created successfully
        '400':
          description: Invalid input (empty fields or password mismatch)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /api/v1/user/login:
    post:
      tags: [user]
      summary: Authenticate a user and obtain a session token
      operationId: userLogin
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/UserLoginRequest'
      responses:
        '200':
          description: Login successful
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/UserLoginResponse'
        '400':
          description: Invalid input (empty phone or password)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Invalid credentials
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /api/v1/payout/sbp/banks:
    get:
      tags: [payout]
      summary: Get list of SBP (Fast Payment System) banks
      operationId: getSbpBanks
      responses:
        '200':
          description: List of SBP banks
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SBPBankListResponse'
        '400':
          description: Bad request (YooKassa API error)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /api/v1/payout/create:
    post:
      tags: [payout]
      summary: Create a new payout
      operationId: createPayout
      security:
        - bearerAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PayoutRequest'
      responses:
        '200':
          description: Payout created successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PayoutResponse'
        '400':
          description: Invalid payout data
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: Unauthorized (missing or invalid token)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '500':
          description: Internal server error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /api/v1/payout/callback:
    post:
      tags: [payout]
      summary: Receive payout status callback from YooKassa
      description: |
        Called by YooKassa to notify of payout status changes.
        If IP validation is enabled, the request must originate from an allowed subnet.
        Status updates are processed asynchronously.
      operationId: payoutCallback
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PayoutResponse'
      responses:
        '200':
          description: Callback received and queued for processing
        '400':
          description: Invalid JSON payload
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '403':
          description: Forbidden (IP address not in allowed subnets)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
  /payout/widget:
    get:
      tags: [payout]
      summary: Serve the payout widget HTML page
      operationId: getPayoutWidget
      responses:
        '200':
          description: Widget HTML page
          content:
            text/html:
              schema:
                type: string
        '500':
          description: Template rendering error
  /health:
    get:
      tags: [system]
      summary: Health check
      description: Verifies database connectivity.
      operationId: healthCheck
      responses:
        '200':
          description: Service is healthy
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HealthResponse'
        '503':
          description: Service unavailable (database connection failed)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HealthResponse'
  /version:
    get:
      tags: [system]
      summary: Get service version
      operationId: getVersion
      responses:
        '200':
          description: Version string (optionally including git commit hash)
          content:
            text/plain:
              schema:
                type: string
                example: v1.2.3
 components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: UUID session token obtained from the login endpoint
  schemas:
    UserRegisterRequest:
      type: object
      required: [tin, phone, password, password_cfm]
      properties:
        tin:
          type: string
          description: Taxpayer Identification Number
          example: "1234567890"
        phone:
          type: string
          description: User phone number
          example: "+79001234567"
        password:
          type: string
          format: password
          description: User password
        password_cfm:
          type: string
          format: password
          description: Password confirmation (must match password)
    UserLoginRequest:
      type: object
      required: [phone, password]
      properties:
        phone:
          type: string
          description: Registered phone number
          example: "+79001234567"
        password:
          type: string
          format: password
    UserLoginResponse:
      type: object
      properties:
        token:
          type: string
          format: uuid
          description: Session token (UUID)
          example: "550e8400-e29b-41d4-a716-446655440000"
        token_ttl:
          type: integer
          format: int64
          description: Token expiration as Unix timestamp
          example: 1711958400
    SBPBankListResponse:
      type: object
      properties:
        type:
          type: string
          example: "list"
        items:
          type: array
          items:
            $ref: '#/components/schemas/SBPBank'
    SBPBank:
      type: object
      properties:
        bank_id:
          type: string
          description: Bank identifier
          example: "100000000111"
        name:
          type: string
          description: Human-readable bank name
          example: "Sberbank"
        bic:
          type: string
          description: Bank Identification Code
          example: "044525225"
    PayoutType:
      type: string
      enum: [spb, yoo_money, bank_card, widget]
      description: |
        Payout method:
        - `spb` — Fast Payment System (SBP)
        - `yoo_money` — YooMoney wallet
        - `bank_card` — bank card
        - `widget` — card via widget
    PayoutRequest:
      type: object
      required: [payout_type, amount]
      properties:
        payout_type:
          $ref: '#/components/schemas/PayoutType'
        payout_token:
          type: string
          description: Payment token (used for widget/card payouts)
          example: "pt_xxxxxxxxxxxxxxxxxxxx"
        account_number:
          type: string
          description: Account/phone number for SBP or YooMoney payouts
          example: "+79001234567"
        bank_id:
          type: string
          description: Bank identifier (required for SBP payouts)
          example: "100000000111"
        card_number:
          type: string
          description: Card number (for bank_card payout type)
          example: "4111111111111111"
        amount:
          type: number
          format: float
          description: Payout amount in RUB
          example: 1000.00
    PayoutStatus:
      type: string
      enum: [created, pending, succeeded, canceled, failed]
    Amount:
      type: object
      properties:
        value:
          type: string
          description: Amount as a decimal string
          example: "1000.00"
        currency:
          type: string
          description: ISO 4217 currency code
          example: "RUB"
    PayoutDestination:
      type: object
      description: Payout destination details (structure depends on payout type)
      additionalProperties: true
    PayoutResponse:
      type: object
      properties:
        id:
          type: string
          description: YooKassa payout ID
          example: "po_1da5c87d-0984-50e8-a7f3-8de646dd9ec9"
        status:
          $ref: '#/components/schemas/PayoutStatus'
        amount:
          $ref: '#/components/schemas/Amount'
        payout_destination:
          $ref: '#/components/schemas/PayoutDestination'
        description:
          type: string
          example: "Payout for order #42"
        created_at:
          type: string
          format: date-time
          example: "2024-04-02T12:00:00Z"
        succeeded_at:
          type: string
          format: date-time
          example: "2024-04-02T12:01:00Z"
        metadata:
          type: object
          additionalProperties: true
          description: Arbitrary key-value metadata
        test:
          type: boolean
          description: Whether this is a test payout
          example: false
    HealthResponse:
      type: object
      properties:
        OK:
          type: boolean
          description: Whether the service is healthy
        Error:
          type: string
          description: Error message (only present when OK is false)
    ErrorResponse:
      type: object
      properties:
        status:
          type: integer
          description: HTTP status code
          example: 400
        message:
          type: string
          description: Human-readable error message
          example: "Bad Request"
Author	SHA1	Message	Date
alxeg	ad57a5679f	Add claude-generated openapi spec	2026-04-03 10:07:49 +03:00
alxeg	2402d0e01f	Add claude-generated README	2026-04-02 19:31:09 +03:00
alxeg	6d67e969e0	Rename config vars. Add widget holder template and endpoint to serve it. Add dockerfile	2026-03-31 22:18:41 +03:00
alxeg	33da1338bb	Revert probes back	2026-03-26 06:50:06 +03:00
alxeg	8c5ae99a6b	Claude generated helm chart improvements	2026-03-26 06:39:37 +03:00
alxeg	fc0c84f7f7	Implement health check for deploy. Make version endpoint to return revision if not set	2026-03-25 23:48:48 +03:00
alxeg	ee6b510e41	Fix generated helm chart	2026-03-25 23:08:37 +03:00
alxeg	0658854f47	Fix autogenerated README.md	2026-03-23 14:02:22 +03:00
alxeg	da823e7898	Test local llm to generate some content	2026-03-22 19:29:27 +03:00
alxeg	4659b0089e	Add sbp banks route	2026-03-19 00:17:25 +03:00