https://github.com/polymathuniversata/cryptochap
https://github.com/polymathuniversata/cryptochap
Last synced: 5 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/polymathuniversata/cryptochap
- Owner: polymathuniversata
- Created: 2025-08-21T19:25:16.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2025-08-24T01:08:29.000Z (10 months ago)
- Last Synced: 2025-09-05T04:19:03.189Z (10 months ago)
- Language: TypeScript
- Size: 128 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# π CryptoChap
### WhatsApp-native USDC on Base
*Send, receive, and buy USDC on Base network through WhatsApp chat*
[](https://base.org)
[](https://centre.io)
[](https://whatsapp.com)
[](https://cryptochap.dev/security)
[](https://www.typescriptlang.org/)
## π Project Structure
```
cryptochap/
βββ frontend/ # Next.js React application
β βββ app/ # Next.js App Router
β βββ components/ # Reusable UI components
β βββ lib/ # Utility libraries
β βββ types/ # TypeScript type definitions
βββ backend/ # Express.js API server with TypeScript
β βββ src/
β β βββ config/ # Configuration management
β β βββ controllers/ # Route handlers (7 controllers)
β β β βββ api.ts # Legacy API routes
β β β βββ index.ts # Route index
β β β βββ system.ts # Health, metrics, docs
β β β βββ users.ts # User management
β β β βββ wallets.ts # Wallet operations
β β β βββ transactions.ts # Transaction handling
β β β βββ whatsapp.ts # WhatsApp webhooks
β β βββ middleware/ # Security & validation (4 middlewares)
β β β βββ validation.ts # Input validation (Joi)
β β β βββ security.ts # Security headers (CSP, HSTS)
β β β βββ rateLimiter.ts # Rate limiting
β β β βββ errorHandler.ts # Error handling
β β βββ services/ # Business logic (9 services)
β β β βββ blockchain.service.ts # Base network operations
β β β βββ wallet-derivation.service.ts # HD wallet derivation
β β β βββ whatsapp-engine.service.ts # Message processing
β β β βββ monitoring.service.ts # Performance tracking
β β β βββ database-backup.service.ts # Backup automation
β β β βββ logging.service.ts # Structured logging
β β β βββ wallet.service.ts # Wallet management
β β β βββ token-management.service.ts # Token operations
β β β βββ whatsapp.service.ts # WhatsApp integration
β β βββ utils/ # Utility functions
β β βββ docs/ # API documentation
βββ contracts/ # Smart contracts (Solidity)
β βββ contracts/
β β βββ CryptoChapWallet.sol # Main wallet contract
β β βββ MockERC20.sol # Test token
β βββ test/ # Contract tests
βββ tests/ # Integration tests
βββ deployments/ # Deployment configurations
βββ docs/ # Documentation
βββ scripts/ # Build and deployment scripts
```
## π§ Technology Stack
### Frontend
- **Framework**: Next.js 15 with App Router
- **Language**: TypeScript
- **Styling**: Tailwind CSS
- **UI Components**: Radix UI
- **State Management**: React Context + Custom Hooks
- **Testing**: Jest + React Testing Library
### Backend
- **Framework**: Express.js with TypeScript
- **Database**: PostgreSQL with connection pooling
- **Caching**: Redis for sessions and rate limiting
- **Blockchain**: ethers.js v6 for Base network
- **Validation**: Joi for input validation
- **Logging**: Winston for structured logging
- **Testing**: Jest with comprehensive coverage
### Blockchain
- **Network**: Base (Ethereum Layer 2)
- **Tokens**: USDC, ETH
- **Smart Contracts**: Solidity with OpenZeppelin
- **Wallet**: HD wallet derivation (BIP-44)
- **RPC**: Configurable provider endpoints
### DevOps & Deployment
- **Containerization**: Docker + Docker Compose
- **Build Tools**: TypeScript, ESLint, Prettier
- **Testing**: Jest, Playwright
- **Monitoring**: Custom metrics and alerting
## π‘ API Endpoints
### System Endpoints
- `GET /api/system/health` - Health check with database status
- `GET /api/system/metrics` - Performance and system metrics
- `GET /api/docs` - API documentation overview
- `GET /api/docs/openapi.json` - OpenAPI 3.0 specification
- `GET /api/docs/errors` - Comprehensive error code reference
### User Management
- `GET /api/users/{id}` - Get user by ID
- `PUT /api/users/{id}` - Update user information
- `POST /api/users` - Create new user (WhatsApp integration)
- `DELETE /api/users/{id}` - Soft delete user
### Wallet Management
- `GET /api/wallets/{id}` - Get wallet information
- `POST /api/wallets` - Create new wallet
- `PUT /api/wallets/{id}/balance` - Update wallet balance
- `DELETE /api/wallets/{id}` - Deactivate wallet (soft delete)
- `GET /api/users/{userId}/wallets` - Get user wallets
### Transaction Management
- `GET /api/transactions/{id}` - Get transaction details
- `POST /api/transactions` - Create new transaction
- `PUT /api/transactions/{id}/status` - Update transaction status
- `GET /api/users/{userId}/transactions` - Get user transaction history
- `GET /api/wallets/{walletId}/transactions` - Get wallet transaction history
### WhatsApp Integration
- `GET /whatsapp/webhook` - WhatsApp webhook verification
- `POST /whatsapp/webhook` - WhatsApp message processing
- `POST /whatsapp/webhook/status` - WhatsApp status updates
- `POST /api/whatsapp/send` - Send WhatsApp message (testing)
- `POST /api/whatsapp/templates` - Send WhatsApp templates
- `GET /api/whatsapp/status` - WhatsApp configuration status
- `GET /api/whatsapp/health` - WhatsApp health check
## π€ WhatsApp Commands
Users can interact with CryptoChap using these commands:
### Core Commands
- `balance` - Check wallet balance (ETH & USDC)
- `send AMOUNT ADDRESS` - Transfer USDC to address
- `receive` - Get receiving address
- `help` - Show available commands
### Advanced Commands
- `status` - Check network status and gas prices
- `wallet` - Get detailed wallet information
- `network` - View Base network information
- `gas` - Check current gas prices
### Interactive Features
- Button replies for quick actions
- Template messages for formatted responses
- Real-time transaction updates
- Error handling with helpful messages
## π‘οΈ Security Features
CryptoChap implements enterprise-grade security measures:
### Input Validation & Sanitization
- **Joi-based validation** with comprehensive schemas for all endpoints
- **Security-focused input sanitization** to prevent injection attacks
- **Suspicious pattern detection** for malicious input
- **Rate limiting** (100 req/15min global, 10 req/min for sensitive endpoints)
### Content Security Policy (CSP)
- **Production-ready CSP headers** to prevent XSS attacks
- **API-specific security headers** for enhanced protection
- **Request ID middleware** for comprehensive request tracing
- **Strict Transport Security (HSTS)** for HTTPS enforcement
### Comprehensive Monitoring
- **Performance metrics tracking** with automatic alerting
- **Memory usage monitoring** with configurable thresholds
- **Health check endpoints** for system status
- **Error tracking and categorization**
- **Database backup automation** with retention policies
### Blockchain Security
- **HD wallet derivation** with secure key management
- **Transaction validation** before execution
- **Gas estimation** with safety buffers
- **Address format validation** using ethers.js
- **Smart contract security** with OpenZeppelin standards
### Database Security
- **Automated backup system** with configurable retention
- **Parameterized queries** to prevent SQL injection
- **Connection pooling** for optimal performance
- **SSL/TLS encryption** for database connections
- **Data validation** at application and database levels
## π Authentication & Authorization
### Security Headers
All API responses include comprehensive security headers:
- **Content-Security-Policy** - Prevents XSS attacks
- **Strict-Transport-Security** - Enforces HTTPS
- **X-Frame-Options** - Prevents clickjacking
- **X-Content-Type-Options** - Prevents MIME sniffing
- **X-XSS-Protection** - Enables XSS filtering
### Rate Limiting
- **Global rate limiting:** 100 requests per 15 minutes
- **Strict rate limiting:** 10 requests per minute for sensitive endpoints
- **IP-based tracking** with automatic blocking
### Input Validation
- **Comprehensive validation schemas** for all endpoints
- **Security-focused sanitization** of all user input
- **Suspicious pattern detection** for malicious payloadsts
## π Quick Start
### Prerequisites
- Node.js 18+
- PostgreSQL 13+
- Redis 6+
- Docker & Docker Compose
### Installation
1. **Clone the repository**
```bash
git clone https://github.com/polymathuniversata/cryptochap.git
cd cryptochap
```
2. **Setup environment variables**
```bash
cp frontend/.env.local.example frontend/.env.local
cp backend/.env.example backend/.env
```
3. **Start development environment**
```bash
# Start dependencies (PostgreSQL, Redis)
docker-compose up -d
# Install frontend dependencies
cd frontend && npm install
# Install backend dependencies
cd ../backend && npm install
# Start development servers
cd ../backend && npm run dev &
cd ../frontend && npm run dev
```
4. **Access the application**
- Frontend: http://localhost:3000
- Backend API: http://localhost:3001
- API Documentation: http://localhost:3001/api/docs
- Health Check: http://localhost:3001/api/system/health
- Metrics: http://localhost:3001/api/system/metrics
## π οΈ Development
### Available Scripts
#### Frontend (`cd frontend`)
```bash
npm run dev # Start development server
npm run build # Build for production
npm run start # Start production server
npm run lint # Run ESLint
npm run test # Run tests
```
#### Backend (`cd backend`)
```bash
npm run dev # Start development server with hot reload
npm run build # Build TypeScript
npm run start # Start production server
npm run test # Run tests
npm run lint # Run ESLint
```
### Testing
```bash
# Run all tests
npm test
# Run with coverage
npm run test:coverage
# Run specific test suite
npm test -- tests/unit/wallet.test.ts
```
## π Documentation
- [π System Architecture](docs/architecture.md)
- [π₯ User Flows](docs/user-flows.md)
- [π Sprint Planning](docs/sprint-planning.md)
- [π§ System Design](docs/system-design.md)
- [π§ͺ Testing Strategy](docs/testing-strategy.md)
- [π Deployment Guide](deployments/deployment-guide.md)
- [π± WhatsApp Setup](docs/WHATSAPP_SETUP_GUIDE.md)
- [π§ WhatsApp Architecture](docs/WHATSAPP_ARCHITECTURE.md)
## β¨ What you get
π **WhatsApp-first experience** β Native chat interface for crypto operations
π° **Auto wallet generation** β Unique wallet per user (custodial or non-custodial)
β‘ **Base network integration** β Fast, low-cost USDC transfers
οΏ½ **Seamless onramp** β Buy crypto with fiat, mobile money, or cards
π± **Mobile money support** β M-Pesa, Airtel Money, Tigo Pesa integration
οΏ½ **Enterprise security** β Webhook architecture with proper validation
## π Environment Variables
Create a `.env` file with the following configuration:
```env
# Database Configuration
POSTGRES_PASSWORD=your_secure_postgres_password_here
# WhatsApp provider: twilio | meta
WHATSAPP_PROVIDER=twilio
# Twilio (if using Twilio WhatsApp API)
TWILIO_ACCOUNT_SID=ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_AUTH_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TWILIO_WHATSAPP_NUMBER=whatsapp:+1xxxxxxxxxx
# Meta WhatsApp Cloud API (if using Meta)
META_WHATSAPP_TOKEN=EAAG...
META_VERIFY_TOKEN=your_webhook_verify_token
META_PHONE_NUMBER_ID=1xxxxxxxxxxxxxxx
META_APP_ID=xxxxxxxxxxxxxxx
META_APP_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Chain config
BASE_RPC_URL=https://base-mainnet.g.alchemy.com/v2/your-key
BASE_CHAIN_ID=8453
USDC_CONTRACT=0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913
# Signing
OPERATOR_MNEMONIC="seed phrase words ..."
# or
OPERATOR_PRIVATE_KEY=0x...
# Onramp (choose one or more)
ONRAMP_PROVIDER=coinbase
COINBASE_ONRAMP_APP_ID=your_app_id
MOONPAY_API_KEY=pk_test_...
TRANSAK_API_KEY=pk_test_...
STRIPE_SECRET_KEY=sk_test_...
# FX and pricing (for mobile money)
BASE_USD_ORACLE=coingecko
SPREAD_BPS=100 # 1% spread
MOBILE_MONEY_FEE_FLAT=0.30
MOBILE_MONEY_FEE_BPS=150 # 1.5%
# M-Pesa (Daraja)
MPESA_ENV=sandbox # sandbox | production
MPESA_CONSUMER_KEY=...
MPESA_CONSUMER_SECRET=...
MPESA_SHORTCODE=...
MPESA_PASSKEY=...
MPESA_CALLBACK_BASE_URL=https://your.app/webhooks/mpesa
# Airtel Money
AIRTEL_ENV=sandbox
AIRTEL_CLIENT_ID=...
AIRTEL_CLIENT_SECRET=...
AIRTEL_COUNTRY=KE # or TZ, UG, etc.
AIRTEL_CURRENCY=KES
AIRTEL_CALLBACK_BASE_URL=https://your.app/webhooks/airtel
# Tigo Pesa
TIGOPESA_ENV=sandbox
TIGOPESA_CLIENT_ID=...
TIGOPESA_CLIENT_SECRET=...
TIGOPESA_CALLBACK_BASE_URL=https://your.app/webhooks/tigo
```
## π³ Onramp Integration
Reply to "buy" or "deposit" with a provider link prefilled with:
- **Asset:** USDC
- **Network:** Base
- **Destination:** User's wallet address
- **Amount:** Optional fiat amount (e.g., USD $50)
### Provider Examples
**Coinbase Onramp (hosted flow)**
- Prefill address and Base network using provider-supported parameters
- Docs: https://docs.cloud.coinbase.com
**MoonPay**
```
https://buy.moonpay.com?apiKey=YOUR_KEY¤cyCode=usdc&walletAddress=0xUSER&baseCurrencyCode=usd&baseCurrencyAmount=50&chain=base
```
**Transak**
```
https://global.transak.com/?apiKey=YOUR_KEY&cryptoCurrency=USDC&network=base&walletAddress=0xUSER&disableWalletAddressForm=true
```
**Stripe Crypto Onramp**
- Create server-side onramp session, get session URL/client secret
- Docs: https://stripe.com/docs/crypto/onramp
π‘ **Tip:** If a provider requires server-side token/signature, expose an endpoint (e.g., `/onramp/session?address=0xUSER&amount=50`) and return the redirect URL.
## π± Mobile Money Integration
Mobile money rails power both onramp (fiat β USDC) and offramp (USDC β fiat) flows.
### Supported Providers
**M-Pesa (Daraja API)**
- STK Push (C2B): prompt user approval on phone
- B2C/B2B payouts: send funds to mobile wallet
- Docs: https://developer.safaricom.co.ke/
**Airtel Money Open API**
- Collections (C2B) and Disbursements (B2C)
- Docs: https://developers.airtel.africa/
**Tigo Pesa**
- Collections and Payouts APIs via Tigo Business
- Docs via operator portal/regional aggregator
### Flow Patterns
**Onramp (mobile money β USDC):**
1. User: `buy 20 usdc via mpesa`
2. Bot: Initiates C2B/Checkout (STK Push) for equivalent fiat + fees
3. Provider: Sends payment callback β server verifies payment
4. Bot: Credits USDC by transferring from treasury to user's address
5. Bot: Replies with transaction hash and receipt
**Offramp (USDC β mobile money):**
1. User: `cashout 15 usdc to mpesa +2547xxxxxxx`
2. Bot: Confirms quote (FX + fee), asks for YES confirmation
3. Bot: Swaps USDCβfiat liquidity, calls B2C payout API
4. Provider: Callback confirms payout success/failure
### Example Commands
- `buy 20 usdc via mpesa`
- `buy 50 usdc via airtel`
- `cashout 15 usdc to mpesa +254712345678`
### API Endpoints
- `POST /payments/quote` β FX quotes with fees
- `POST /payments/mpesa/collect` β STK Push trigger
- `POST /payouts/mpesa` β Mobile money disbursement
- `POST /webhooks/mpesa` β Payment/payout callbacks
## π¬ Message Commands
| Command | Function |
|---------|----------|
| `help` | Returns available commands |
| `address` | Returns user's deposit address on Base |
| `deposit` / `buy [amount]` | Returns onramp link + instructions |
| `balance` | Shows USDC and ETH (gas) balance |
| `send 5 USDC to 0xabc123β¦` | Transfers tokens on-chain |
| `send 2 USDC to +15551234567` | Resolves phone β wallet, then transfers |
| `history` | Last N transfers (from USDC Transfer events) |
### Send Confirmation Flow
1. **User:** `send 10 USDC to 0xabcβ¦`
2. **Bot:** `Confirm sending 10 USDC (fee ~0.000x ETH)? Reply YES within 2 minutes.`
3. **User:** `YES`
4. **Bot:** `Submitted tx 0x⦠(link to basescan.org)`
## π οΈ Server Implementation
```typescript
import express from 'express'
import { ethers } from 'ethers'
const app = express()
app.use(express.json())
const provider = new ethers.JsonRpcProvider(process.env.BASE_RPC_URL)
const wallet = new ethers.Wallet(process.env.OPERATOR_PRIVATE_KEY!, provider)
const USDC = new ethers.Contract(
process.env.USDC_CONTRACT!,
[
'function balanceOf(address) view returns (uint256)',
'function decimals() view returns (uint8)',
'function transfer(address to, uint256 amount) returns (bool)'
],
wallet
)
function getUserAddressFromPhone(phone: string): string {
// TODO: implement deterministic derivation or DB lookup
return '0x...'
}
app.post('/webhook', async (req, res) => {
const { from, body } = parseIncomingMessage(req)
if (/^address$/i.test(body)) {
const addr = getUserAddressFromPhone(from)
return res.json(replyText(`Your Base USDC address:\n${addr}`))
}
if (/^balance$/i.test(body)) {
const addr = getUserAddressFromPhone(from)
const [usdc, dec] = await Promise.all([
USDC.balanceOf(addr),
USDC.decimals()
])
const eth = await provider.getBalance(addr)
return res.json(
replyText(
`USDC: ${ethers.formatUnits(usdc, dec)}\nBase ETH: ${ethers.formatEther(eth)}`
)
)
}
// Additional command handlers...
return res.json(replyText('Try: address | balance | deposit | send 5 USDC to 0x...'))
})
app.listen(3000, () => console.log('Bot listening on :3000'))
```
## π Deployment & Security
### Webhook Setup
- **HTTPS Required:** Use trusted certificate (ngrok for local dev)
- **Idempotency:** Dedupe messages, handle provider retries
- **Logging:** Transaction hashes and message IDs for auditing
### Security Best Practices
- **Key Management:** Use HSM/KMS (AWS KMS, Azure Key Vault)
- **Compliance:** KYC/AML via onramp providers
- **Rate Limiting:** Per-user velocity limits, geo/IP screening
- **Privacy:** Encrypt phone numbers (PII) at rest
### Operational Notes
- Treasury wallet needs USDC and fiat float for settlement
- Daily reconciliation of provider statements vs on-chain activity
- Implement idempotency keys for collect/payout requests
- Apply per-user/daily limits and KYC thresholds
- Store quotes with expiry (2-5 minutes) for FX volatility
## π§ Troubleshooting
| Issue | Solution |
|-------|----------|
| **Gas Errors** | Fund signing wallet with Base ETH |
| **USDC Transfer Failed** | Verify contract address, decimals, user balance |
| **Webhook Not Firing** | Check provider console logs, HTTPS URL |
| **Onramp Link Issues** | Verify provider parameters, allowlists, app IDs |
| **Mobile Money Fails** | Check phone format, wallet balance, shortcode |
| **Payout Rejected** | Verify KYC limits, daily caps, country/currency |
## π Documentation
CryptoChap includes comprehensive documentation covering all aspects of the platform:
### π Core Documentation
- **[Architecture Guide](docs/architecture.md)** - System architecture and design patterns
- **[Implementation Guide](docs/implementation-guide.md)** - Complete feature overview and setup instructions
- **[Service Breakdown](docs/service-breakdown.md)** - Detailed analysis of all 9 backend services
- **[API Documentation](docs/api-documentation.md)** - Complete REST API reference with examples
### π οΈ Technical Documentation
- **[System Design](docs/system-design.md)** - Technical specifications and design decisions
- **[Testing Strategy](docs/testing-strategy.md)** - Testing approach and coverage requirements
- **[User Flows](docs/user-flows.md)** - User interaction patterns and workflows
### π± WhatsApp Integration
- **[WhatsApp Setup Guide](docs/WHATSAPP_SETUP_GUIDE.md)** - Complete WhatsApp Business API setup
- **[WhatsApp Instructions](docs/WHATSAPP_INSTRUCTIONS.md)** - Integration and configuration steps
- **[WhatsApp Architecture](docs/WHATSAPP_ARCHITECTURE.md)** - WhatsApp system design
- **[WhatsApp Checklist](docs/WHATSAPP_CHECKLIST.md)** - Setup verification checklist
### π Deployment & Operations
- **[Deployment Guide](DEPLOYMENT.md)** - Production deployment instructions
- **[Sprint Planning](docs/sprint-planning.md)** - Development roadmap and milestones
- **[Sprint 1 Report](docs/sprint1-completion-report.md)** - Completed features and achievements
---
**Built for the future of accessible crypto** π
*Made with β€οΈ for global financial inclusion*