callbacks service draft

ci/dev/README.md

@@ -12,7 +12,7 @@ Docker Compose + Makefile build system for local development.
 **Services:**
 - Discovery, Ledger, Billing Fees, Billing Documents, FX Oracle, Payments Orchestrator
 - Chain Gateway, MNTX Gateway, TGSettle Gateway
-- FX Ingestor, Notification, BFF (Server), Frontend
+- FX Ingestor, Notification, BFF (Server), Callbacks, Frontend
 
 ## Quick Start
 
@@ -60,10 +60,14 @@ make status                 # Check service status
 Examples:
 - Blockchain private keys (Chain Gateway)
 - External API keys (MNTX, TGSettle)
+- Webhook signing secrets (Callbacks)
 - Production-like secrets
 
 Infrastructure (MongoDB, NATS) uses plain `.env.dev` credentials.
 
+Callbacks, Chain, and TRON run Vault Agent sidecars with AppRole.
+Set the corresponding `*_VAULT_ROLE_ID` and `*_VAULT_SECRET_ID` values in `.env.dev`.
+
 ## Network
 
 All services on `sendico-dev` network. Vault also on `cicd` network to connect to infra Vault if needed.

ci/dev/callbacks.dockerfile

@@ -0,0 +1,39 @@
+# Development Dockerfile for Callbacks Service with Air hot reload
+
+FROM golang:alpine AS builder
+
+RUN apk add --no-cache bash git build-base protoc protobuf-dev && \
+    go install google.golang.org/protobuf/cmd/protoc-gen-go@latest && \
+    go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest && \
+    go install github.com/air-verse/air@latest
+
+WORKDIR /src
+
+COPY api/proto ./api/proto
+COPY api/pkg ./api/pkg
+COPY ci/scripts/proto/generate.sh ./ci/scripts/proto/
+RUN bash ci/scripts/proto/generate.sh
+
+# Runtime stage for development with Air
+FROM golang:alpine
+
+RUN apk add --no-cache bash git build-base && \
+    go install github.com/air-verse/air@latest
+
+WORKDIR /src
+
+# Copy generated proto and pkg from builder
+COPY --from=builder /src/api/proto ./api/proto
+COPY --from=builder /src/api/pkg ./api/pkg
+
+# Copy vault-aware entrypoint wrapper
+COPY api/edge/callbacks/entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
+
+# Source code will be mounted at runtime
+WORKDIR /src/api/edge/callbacks
+
+EXPOSE 9420
+
+ENTRYPOINT ["/app/entrypoint.sh"]
+CMD ["air", "-c", ".air.toml", "--", "-config.file", "/app/config.yml", "-debug"]

ci/dev/vault-agent/callbacks.hcl

@@ -0,0 +1,20 @@
+vault {
+  address = "http://dev-vault:8200"
+}
+
+auto_auth {
+  method "approle" {
+    mount_path = "auth/approle"
+    config = {
+      role_id_file_path    = "/run/vault/role_id"
+      secret_id_file_path  = "/run/vault/secret_id"
+    }
+  }
+
+  sink "file" {
+    config = {
+      path = "/run/vault/token"
+      mode = 0600
+    }
+  }
+}