The latest articles on DEV Community by Paulo Fox (@paulofox0105). https://dev.to/paulofox0105 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3906909%2F44bd2d90-c5de-4cb0-b4f3-57ac0df10d0c.png https://dev.to/paulofox0105 en Paulo Fox Fri, 01 May 2026 03:07:54 +0000 https://dev.to/paulofox0105/how-i-used-dspy-to-cut-claude-api-costs-by-73-with-real-benchmarks-d2a https://dev.to/paulofox0105/how-i-used-dspy-to-cut-claude-api-costs-by-73-with-real-benchmarks-d2a <p>I was spending ~$200/month on Claude API calls for an internal automation pipeline. After integrating DSPy and running 50 optimization cycles, the same pipeline costs $54/month — <strong>73% less</strong> — with identical output quality. Here's exactly what I did.</p> <h2> The Problem With Manual Prompting </h2> <p>Manual prompt engineering has a fundamental flaw: <strong>you optimize for the examples you can think of</strong>, not for the distribution of real inputs. You write a prompt, test it on 5 cases, it looks good, you ship it, and then it fails on case #47 in production.</p> <p>DSPy (from Stanford NLP) flips this. Instead of writing prompts manually, you define what you want (a "signature") and DSPy optimizes the prompt automatically using your actual data.</p> <p>I built <strong>FoxMind</strong> around DSPy to make this accessible as an API.</p> <h2> How DSPy Works (In 5 Minutes) </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">dspy</span> <span class="c1"># 1. Define what you want (signature) </span><span class="k">class</span> <span class="nc">Summarizer</span><span class="p">(</span><span class="n">dspy</span><span class="p">.</span><span class="n">Signature</span><span class="p">):</span> <span class="sh">"""</span><span class="s">Summarize a customer support ticket into one sentence.</span><span class="sh">"""</span> <span class="n">ticket</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">dspy</span><span class="p">.</span><span class="nc">InputField</span><span class="p">()</span> <span class="n">summary</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="n">dspy</span><span class="p">.</span><span class="nc">OutputField</span><span class="p">()</span> <span class="c1"># 2. Create a module </span><span class="n">summarize</span> <span class="o">=</span> <span class="n">dspy</span><span class="p">.</span><span class="nc">Predict</span><span class="p">(</span><span class="n">Summarizer</span><span class="p">)</span> <span class="c1"># 3. Define a metric (what "good" means) </span><span class="k">def</span> <span class="nf">quality_metric</span><span class="p">(</span><span class="n">example</span><span class="p">,</span> <span class="n">prediction</span><span class="p">,</span> <span class="n">trace</span><span class="o">=</span><span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="c1"># Score 0-1: is the summary under 20 words and accurate? </span> <span class="n">words</span> <span class="o">=</span> <span class="nf">len</span><span class="p">(</span><span class="n">prediction</span><span class="p">.</span><span class="n">summary</span><span class="p">.</span><span class="nf">split</span><span class="p">())</span> <span class="k">return</span> <span class="mf">1.0</span> <span class="k">if</span> <span class="n">words</span> <span class="o">&lt;=</span> <span class="mi">20</span> <span class="k">else</span> <span class="nf">max</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span> <span class="o">-</span> <span class="p">(</span><span class="n">words</span> <span class="o">-</span> <span class="mi">20</span><span class="p">)</span> <span class="o">/</span> <span class="mi">50</span><span class="p">)</span> <span class="c1"># 4. Optimize — DSPy finds the best prompt automatically </span><span class="kn">from</span> <span class="n">dspy.teleprompt</span> <span class="kn">import</span> <span class="n">BootstrapFewShot</span> <span class="n">optimizer</span> <span class="o">=</span> <span class="nc">BootstrapFewShot</span><span class="p">(</span><span class="n">metric</span><span class="o">=</span><span class="n">quality_metric</span><span class="p">,</span> <span class="n">max_bootstrapped_demos</span><span class="o">=</span><span class="mi">4</span><span class="p">)</span> <span class="n">optimized_summarize</span> <span class="o">=</span> <span class="n">optimizer</span><span class="p">.</span><span class="nf">compile</span><span class="p">(</span><span class="n">summarize</span><span class="p">,</span> <span class="n">trainset</span><span class="o">=</span><span class="n">your_examples</span><span class="p">)</span> <span class="c1"># The optimized module has a better prompt + few-shot examples baked in </span><span class="n">result</span> <span class="o">=</span> <span class="nf">optimized_summarize</span><span class="p">(</span><span class="n">ticket</span><span class="o">=</span><span class="sh">"</span><span class="s">Customer can</span><span class="sh">'</span><span class="s">t login after password reset...</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">summary</span><span class="p">)</span> <span class="c1"># "Customer locked out post-password reset, needs account unlock." </span></code></pre> </div> <p>DSPy doesn't just write a better prompt — it <strong>selects the best few-shot examples</strong> from your training data and arranges them to minimize token usage while maximizing quality.</p> <h2> The 33 Techniques </h2> <p>FoxMind's optimizer applies 33 evidence-based prompting techniques from academic literature, selecting the ones most relevant to your task type. The top performers in our benchmarks:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Technique</th> <th>Avg. Quality Gain</th> <th>Token Impact</th> </tr> </thead> <tbody> <tr> <td>Chain-of-Thought (CoT)</td> <td>+18%</td> <td>+40% tokens</td> </tr> <tr> <td><strong>Compressed CoT</strong></td> <td>+15%</td> <td>+8% tokens</td> </tr> <tr> <td>Role assignment</td> <td>+12%</td> <td>+2% tokens</td> </tr> <tr> <td>Contrastive examples</td> <td>+11%</td> <td>+15% tokens</td> </tr> <tr> <td>Output constraints</td> <td>+9%</td> <td>-5% tokens</td> </tr> <tr> <td>Self-consistency (sampled)</td> <td>+22%</td> <td>+200% tokens</td> </tr> </tbody> </table></div> <p><strong>Compressed CoT</strong> is the key insight. Standard CoT ("think step by step") adds 40% more tokens for 18% quality gain. Compressed CoT gives 15% quality with only 8% more tokens — much better ROI. We use it as the default.</p> <h2> Why 73% Token Reduction Is Possible </h2> <p>Most manually-written prompts are verbose. Developers write prompts like they write documentation — with repetition, disclaimers, and edge-case handling for things that never actually happen.</p> <p>A typical unoptimized prompt we audited:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>You are an expert customer service agent working for an e-commerce company. Your job is to help customers with their questions and concerns. Please be polite and professional at all times. When answering questions, make sure to: - Read the question carefully - Think about what the customer really needs - Provide a helpful and accurate response - Be concise but complete - If you don't know something, say so Customer question: {question} Please provide a helpful response to the customer's question above. </code></pre> </div> <p>DSPy-optimized version of the same task:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>You are a customer service agent. Answer concisely. Example: Q: "Can I return a opened item?" A: "Yes, within 30 days with receipt." Q: "Where's my order #4521?" A: "Check tracking at orders.example.com/4521" Q: {question} A: </code></pre> </div> <p><strong>Same quality. 73% fewer tokens.</strong> The key moves:</p> <ol> <li>Eliminated redundant instructions ("be polite", "read carefully") — the model already does this</li> <li>Replaced abstract guidelines with 2 concrete examples</li> <li>Removed the trailing restatement of the question</li> <li>Used few-shot format instead of zero-shot instructions</li> </ol> <h2> The FoxMind API </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">requests</span> <span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://foxmind-api.centralfox.online/v1/build</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">X-API-Key</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">your-key</span><span class="sh">"</span><span class="p">},</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">task</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Classify customer support tickets as: billing, shipping, returns, technical, other</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">examples</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">I was charged twice</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">billing</span><span class="sh">"</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">input</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">My package hasn</span><span class="sh">'</span><span class="s">t arrived</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">output</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">shipping</span><span class="sh">"</span><span class="p">},</span> <span class="p">],</span> <span class="sh">"</span><span class="s">model</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">claude-sonnet-4-6</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ecosystem</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">my-project</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">response</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">super_prompt</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># The optimized prompt </span><span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">quality_score</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># 0.82–0.98 </span><span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">token_reduction</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># e.g. "67%" </span><span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">[</span><span class="sh">"</span><span class="s">techniques_used</span><span class="sh">"</span><span class="p">])</span> <span class="c1"># ["compressed_cot", "contrastive_examples", ...] </span></code></pre> </div> <p>The API returns a ready-to-use optimized prompt. Drop it into your application, replace the manual one, done.</p> <h2> Benchmark Results </h2> <p>Tested on 4 real production tasks across 200 examples each:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Task</th> <th>Manual Score</th> <th>DSPy Score</th> <th>Token Delta</th> </tr> </thead> <tbody> <tr> <td>Support ticket classification</td> <td>0.74</td> <td>0.91</td> <td>-71%</td> </tr> <tr> <td>Product description generation</td> <td>0.68</td> <td>0.87</td> <td>-69%</td> </tr> <tr> <td>SQL query generation</td> <td>0.71</td> <td>0.89</td> <td>-74%</td> </tr> <tr> <td>Code review summarization</td> <td>0.76</td> <td>0.93</td> <td>-78%</td> </tr> </tbody> </table></div> <p>Score is a composite of accuracy, format compliance, and output quality rated by a judge model.</p> <h2> Lesson: DSPy Needs Real Examples, Not Synthetic Ones </h2> <p>The biggest mistake when setting up DSPy: using synthetic training examples you generated yourself. Your synthetic examples reflect your mental model of the task — which is the same mental model that produced the bad manual prompt.</p> <p><strong>Use real production data.</strong> Even 20 real input/output pairs from your logs will outperform 200 synthetic ones. The optimizer finds patterns you wouldn't have written into a prompt manually.</p> <h2> Phase 2: MIPRO Auto-Optimization (50+ Executions) </h2> <p>After 50 API calls, FoxMind switches from <code>BootstrapFewShot</code> to <code>MIPRO</code> (Multi-prompt Instruction Proposal Optimizer). MIPRO:</p> <ol> <li>Proposes candidate instructions using the LLM itself</li> <li>Evaluates each instruction across your data</li> <li>Combines the best instructions with the best few-shot examples</li> </ol> <p>MIPRO adds ~15% quality improvement over BootstrapFewShot but needs more data. This is why it only activates after sufficient usage — the optimizer needs signal.</p> <h2> What's Next </h2> <p>FoxMind is live at <a href="https://foxmind.centralfox.online" rel="noopener noreferrer">foxmind.centralfox.online</a>.</p> <p>Roadmap:</p> <ul> <li>Multi-turn conversation optimization (not just single-prompt)</li> <li>DSPy Assertions — hard constraints the optimizer must satisfy</li> <li>Cost dashboard: real-time token savings vs. your baseline</li> <li>Export to LangChain/LlamaIndex format</li> </ul> <p>If you're using DSPy in production, or have questions about prompt optimization, BootstrapFewShot configuration, or reducing LLM costs — drop a comment.</p> <p><strong>Built with:</strong> Python 3.12 · DSPy 3.1.3 · FastAPI · PostgreSQL · Claude API · Claude Code (Anthropic)</p> <p>🔗 <a href="https://foxmind.centralfox.online" rel="noopener noreferrer">foxmind.centralfox.online</a> | Reddit <a href="https://reddit.com/u/foxdigitaldev" rel="noopener noreferrer">u/foxdigitaldev</a></p> ai python dspy llm Paulo Fox Fri, 01 May 2026 03:07:40 +0000 https://dev.to/paulofox0105/building-a-website-as-a-service-from-lead-to-live-https-site-in-under-24-hours-44f5 https://dev.to/paulofox0105/building-a-website-as-a-service-from-lead-to-live-https-site-in-under-24-hours-44f5 <p>A dentist in Fortaleza asked me to build her a website. I quoted R$1.500 and six weeks. She hired someone on Fiverr for R$300 and got it in two days. She was right.</p> <p>Traditional web agencies are pricing themselves out of the small business market in Brazil. I decided to automate the entire pipeline — from lead discovery to live website — and see how low I could push the cost. The result is <strong>Fox WaaS</strong>: a Website-as-a-Service that deploys a professional site in under 24 hours for R$299 setup + R$79/month.</p> <h2> The Stack </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Google Maps Scraper │ ▼ Lead Scorer (has website? quality score) │ ▼ WhatsApp Outreach (via Evolution API) │ ▼ Template Engine (AI-personalized content) │ ▼ deploy_site.sh (Nginx + SSL + Cloudflare DNS) │ ▼ Live HTTPS site in &lt;24h </code></pre> </div> <p>Everything is automated except the client approval step (they review before go-live).</p> <h2> Lesson 1: Google Maps Is the Best Lead Source for Brazilian SMBs </h2> <p>We scrape Google Maps for businesses in a city + category (<code>dentistas Fortaleza</code>, <code>restaurantes Maceió</code>) using the Places API. The scoring model identifies the best leads:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">score_lead</span><span class="p">(</span><span class="n">business</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="n">score</span> <span class="o">=</span> <span class="mi">0</span> <span class="c1"># High-value signals </span> <span class="k">if</span> <span class="n">business</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">rating</span><span class="sh">"</span><span class="p">)</span> <span class="ow">and</span> <span class="n">business</span><span class="p">[</span><span class="sh">"</span><span class="s">rating</span><span class="sh">"</span><span class="p">]</span> <span class="o">&gt;=</span> <span class="mf">4.0</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mi">25</span> <span class="c1"># Reviews exist = real business </span> <span class="k">if</span> <span class="n">business</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">user_ratings_total</span><span class="sh">"</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">&gt;=</span> <span class="mi">10</span><span class="p">:</span> <span class="n">score</span> <span class="o">+=</span> <span class="mi">20</span> <span class="c1"># Established business </span> <span class="c1"># No website = our target customer </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">business</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">website</span><span class="sh">"</span><span class="p">):</span> <span class="n">score</span> <span class="o">+=</span> <span class="mi">30</span> <span class="c1"># Primary signal: no digital presence </span> <span class="k">elif</span> <span class="sh">"</span><span class="s">facebook.com</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">business</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">website</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">):</span> <span class="n">score</span> <span class="o">+=</span> <span class="mi">20</span> <span class="c1"># Facebook page only = weak web presence </span> <span class="c1"># Category multiplier (high-ticket services) </span> <span class="n">high_value</span> <span class="o">=</span> <span class="p">[</span><span class="sh">"</span><span class="s">dentista</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">clínica</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">advocacia</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">restaurante</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="nf">any</span><span class="p">(</span><span class="n">cat</span> <span class="ow">in</span> <span class="n">business</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">types</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="k">for</span> <span class="n">cat</span> <span class="ow">in</span> <span class="n">high_value</span><span class="p">):</span> <span class="n">score</span> <span class="o">+=</span> <span class="mi">15</span> <span class="k">return</span> <span class="n">score</span> <span class="c1"># 0–100, target: ≥ 60 </span></code></pre> </div> <p>Leads scoring ≥60 get contacted. Leads scoring ≥80 get priority outreach.</p> <h2> Lesson 2: Template Engine With AI Personalization </h2> <p>We have 8 base templates (restaurant, clinic, law firm, beauty salon, gym, retail, services, generic). Each template is personalized with the client's actual business data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">generate_site_content</span><span class="p">(</span><span class="n">business</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">template</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Generate personalized copy for each HTML section.</span><span class="sh">"""</span> <span class="n">sections</span> <span class="o">=</span> <span class="p">{}</span> <span class="c1"># Hero section </span> <span class="n">sections</span><span class="p">[</span><span class="sh">"</span><span class="s">hero_title</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">llm_complete</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Write a compelling 6-word tagline for this business: </span><span class="si">{</span><span class="n">business</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Category: </span><span class="si">{</span><span class="n">business</span><span class="p">[</span><span class="sh">'</span><span class="s">category</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">. City: </span><span class="si">{</span><span class="n">business</span><span class="p">[</span><span class="sh">'</span><span class="s">city</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Output ONLY the tagline, no quotes.</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># About section </span> <span class="n">sections</span><span class="p">[</span><span class="sh">"</span><span class="s">about_text</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">llm_complete</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Write 2 sentences about </span><span class="si">{</span><span class="n">business</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> in Brazilian Portuguese. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Mention: city, years in business (if known), specialty. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Tone: professional, warm. Do not use </span><span class="sh">'</span><span class="s">somos</span><span class="sh">'</span><span class="s"> or </span><span class="sh">'</span><span class="s">nossa empresa</span><span class="sh">'</span><span class="s">.</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Services </span> <span class="n">sections</span><span class="p">[</span><span class="sh">"</span><span class="s">services</span><span class="sh">"</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">llm_complete</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">List 6 services for a </span><span class="si">{</span><span class="n">business</span><span class="p">[</span><span class="sh">'</span><span class="s">category</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> business in Brazil. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Format: JSON array of {{name, description(1 sentence), icon(emoji)}}. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">JSON only, no markdown.</span><span class="sh">"</span> <span class="p">)</span> <span class="k">return</span> <span class="n">sections</span> </code></pre> </div> <p>The personalized content is injected into the template via Jinja2. Result: 2,400 template × content combinations, each genuinely different.</p> <h2> Lesson 3: One-Command Deploy (Nginx + SSL + DNS) </h2> <p>The <code>deploy_site.sh</code> script does the full deployment in one command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="c"># Usage: ./deploy_site.sh &lt;slug&gt; &lt;domain&gt; &lt;site_dir&gt;</span> <span class="nv">SLUG</span><span class="o">=</span><span class="nv">$1</span> <span class="c"># e.g. "clinica-maria-jose"</span> <span class="nv">DOMAIN</span><span class="o">=</span><span class="nv">$2</span> <span class="c"># e.g. "clinicamariajose.com.br"</span> <span class="nv">SITE_DIR</span><span class="o">=</span><span class="nv">$3</span> <span class="c"># 1. Copy files to nginx root</span> <span class="nb">sudo mkdir</span> <span class="nt">-p</span> /var/www/waas/<span class="nv">$SLUG</span> <span class="nb">sudo cp</span> <span class="nt">-r</span> <span class="nv">$SITE_DIR</span>/<span class="k">*</span> /var/www/waas/<span class="nv">$SLUG</span>/ <span class="c"># 2. Generate nginx config from template</span> envsubst <span class="s1">'$SLUG $DOMAIN'</span> &lt; /etc/nginx/templates/waas.conf.tmpl <span class="se">\</span> | <span class="nb">sudo tee</span> /etc/nginx/sites-available/<span class="nv">$SLUG</span> <span class="o">&gt;</span> /dev/null <span class="nb">sudo ln</span> <span class="nt">-sf</span> /etc/nginx/sites-available/<span class="nv">$SLUG</span> /etc/nginx/sites-enabled/ <span class="c"># 3. Test config before reload</span> <span class="nb">sudo </span>nginx <span class="nt">-t</span> <span class="o">&amp;&amp;</span> <span class="nb">sudo </span>nginx <span class="nt">-s</span> reload <span class="c"># 4. Issue SSL certificate (Certbot + Cloudflare DNS challenge)</span> <span class="nb">sudo </span>certbot certonly <span class="se">\</span> <span class="nt">--dns-cloudflare</span> <span class="se">\</span> <span class="nt">--dns-cloudflare-credentials</span> /etc/letsencrypt/cloudflare.ini <span class="se">\</span> <span class="nt">-d</span> <span class="nv">$DOMAIN</span> <span class="nt">-d</span> www.<span class="nv">$DOMAIN</span> <span class="se">\</span> <span class="nt">--non-interactive</span> <span class="nt">--agree-tos</span> <span class="nt">--email</span> admin@centralfox.online <span class="c"># 5. Set up Cloudflare DNS (A record pointing to VPS)</span> curl <span class="nt">-s</span> <span class="nt">-X</span> POST <span class="s2">"https://api.cloudflare.com/client/v4/zones/</span><span class="nv">$CF_ZONE_ID</span><span class="s2">/dns_records"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Auth-Email: </span><span class="nv">$CF_EMAIL</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"X-Auth-Key: </span><span class="nv">$CF_API_KEY</span><span class="s2">"</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s2">"{</span><span class="se">\"</span><span class="s2">type</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="s2">A</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">name</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$DOMAIN</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">content</span><span class="se">\"</span><span class="s2">:</span><span class="se">\"</span><span class="nv">$VPS_IP</span><span class="se">\"</span><span class="s2">,</span><span class="se">\"</span><span class="s2">proxied</span><span class="se">\"</span><span class="s2">:true}"</span> <span class="nb">echo</span> <span class="s2">"✅ </span><span class="nv">$DOMAIN</span><span class="s2"> deployed at https://</span><span class="nv">$DOMAIN</span><span class="s2">"</span> </code></pre> </div> <p>Total time from command to live HTTPS site: <strong>47 seconds</strong>.</p> <h2> Lesson 4: WhatsApp Outreach With Evolution API </h2> <p>Cold email in Brazil has near-zero open rates. WhatsApp has 95% open rates and most business owners respond within 2 hours.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">send_outreach</span><span class="p">(</span><span class="n">phone</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">business_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">preview_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Send personalized WhatsApp message with site preview.</span><span class="sh">"""</span> <span class="n">message</span> <span class="o">=</span> <span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Olá! Vi que a *</span><span class="si">{</span><span class="n">business_name</span><span class="si">}</span><span class="s">* ainda não tem site profissional. </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Montei uma prévia gratuita para vocês: </span><span class="si">{</span><span class="n">preview_url</span><span class="si">}</span><span class="se">\n\n</span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">Site pronto em 24h por R$299. Posso mostrar mais detalhes?</span><span class="sh">"</span> <span class="p">)</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">httpx</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">EVOLUTION_API_URL</span><span class="si">}</span><span class="s">/message/sendText/</span><span class="si">{</span><span class="n">INSTANCE_NAME</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">apikey</span><span class="sh">"</span><span class="p">:</span> <span class="n">EVOLUTION_API_KEY</span><span class="p">},</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">number</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">55</span><span class="si">{</span><span class="n">phone</span><span class="si">}</span><span class="s">@s.whatsapp.net</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">:</span> <span class="n">message</span><span class="p">}</span> <span class="p">)</span> <span class="k">return</span> <span class="n">resp</span><span class="p">.</span><span class="n">status_code</span> <span class="o">==</span> <span class="mi">201</span> </code></pre> </div> <p><strong>The preview URL is the key.</strong> We deploy a "preview" version of the personalized site before contacting the lead. They click a link and see <em>their own business</em> already built. Conversion rate: 18% (vs 3% for text-only outreach).</p> <h2> Lesson 5: The Economics </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Cost</th> <th>Amount</th> </tr> </thead> <tbody> <tr> <td>VPS (Contabo 24GB)</td> <td>R$82/month</td> </tr> <tr> <td>Cloudflare (free tier)</td> <td>R$0</td> </tr> <tr> <td>Certbot SSL</td> <td>R$0</td> </tr> <tr> <td>Claude API (content gen)</td> <td>~R$0.12/site</td> </tr> <tr> <td>WhatsApp (Evolution API)</td> <td>R$0 (self-hosted)</td> </tr> <tr> <td><strong>Total per site</strong></td> <td><strong>~R$0.50</strong></td> </tr> </tbody> </table></div> <p>At R$299 setup + R$79/month, the margin on a 100-site portfolio:</p> <ul> <li>Monthly recurring: 100 × R$79 = R$7.900</li> <li>Infrastructure: R$82 + ~R$200 (misc) = R$282</li> <li><strong>Net margin: ~96%</strong></li> </ul> <p>The bottleneck is not infrastructure — it's sales. Each site takes ~45 minutes of human time (content review, client approval, small edits).</p> <h2> Results After 2 Months </h2> <ul> <li> <strong>87 sites deployed</strong> (73 client-paid, 14 preview/demo)</li> <li> <strong>Average deploy time: 19 hours</strong> from payment to go-live</li> <li> <strong>Lighthouse scores: 91–97</strong> across all sites</li> <li>Client churn: 3/73 (4%) — all price-objections in month 2</li> </ul> <h2> What's Next </h2> <p>Fox WaaS is live at <a href="https://sites.centralfox.online" rel="noopener noreferrer">sites.centralfox.online</a>.</p> <p>Roadmap:</p> <ul> <li>E-commerce integration (MercadoPago + simple product catalog)</li> <li>WhatsApp ordering system (customers order directly via WA button)</li> <li>Dashboard for clients (update photos, hours, contact info without contacting us)</li> <li>Multi-city expansion beyond Fortaleza</li> </ul> <p>If you're building automated deployment pipelines, WaaS businesses, or have questions about nginx automation, Cloudflare API, or the Brazilian SMB market — drop a comment.</p> <p><strong>Built with:</strong> Python 3.12 · FastAPI · Nginx · Certbot · Cloudflare API · Evolution API · Claude Code (Anthropic)</p> <p>🔗 <a href="https://sites.centralfox.online" rel="noopener noreferrer">sites.centralfox.online</a> | Reddit <a href="https://reddit.com/u/foxdigitaldev" rel="noopener noreferrer">u/foxdigitaldev</a></p> python webdev automation saas Paulo Fox Fri, 01 May 2026 03:02:25 +0000 https://dev.to/paulofox0105/building-an-open-source-snyk-alternative-secret-detection-sast-and-sbom-in-one-tool-5829 https://dev.to/paulofox0105/building-an-open-source-snyk-alternative-secret-detection-sast-and-sbom-in-one-tool-5829 <p>Snyk is $98/month per developer for private repos. Semgrep OSS is free but has no secret detection. GitGuardian has a free tier but no SBOM. I wanted one tool that does all three — so I built <strong>FoxShield</strong>, an open-source security auditor for GitHub repositories.</p> <h2> What FoxShield Does </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>git push └─► GitHub Action: foxshield@v2 ├─ Secret scan (50+ patterns: API keys, tokens, certificates) ├─ SAST (OWASP Top 10 per language) ├─ Dependency audit (CVE lookup via OSV.dev) └─ SBOM (CycloneDX JSON) </code></pre> </div> <p>Available as:</p> <ul> <li> <strong>GitHub Action</strong> — <code>uses: PauloFox0105/foxshield@v2</code> </li> <li> <strong>CLI</strong> — <code>npx foxshield audit .</code> </li> <li> <strong>API</strong> — REST endpoint for CI/CD integration</li> </ul> <h2> Lesson 1: Secret Detection Must Be Pattern + Context </h2> <p>Naive regex finds too many false positives. <code>API_KEY=test123</code> is not a secret. <code>sk-ant-api03-...</code> is always a secret, regardless of context.</p> <p>We use a two-tier system:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># Tier 1: High-confidence patterns (zero false positives, no context needed) </span><span class="n">HIGH_CONFIDENCE</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">sk-ant-api\d{2}-[A-Za-z0-9_-]{93}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Anthropic API Key</span><span class="sh">'</span><span class="p">),</span> <span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">ghp_[A-Za-z0-9]{36}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">GitHub Personal Access Token</span><span class="sh">'</span><span class="p">),</span> <span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">sk-or-v1-[A-Za-z0-9]{64}</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">OpenRouter API Key</span><span class="sh">'</span><span class="p">),</span> <span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">-----BEGIN (RSA |EC )?PRIVATE KEY-----</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Private Key</span><span class="sh">'</span><span class="p">),</span> <span class="c1"># ... 35 more </span><span class="p">]</span> <span class="c1"># Tier 2: Context-sensitive patterns (require entropy check) </span><span class="n">CONTEXT_SENSITIVE</span> <span class="o">=</span> <span class="p">[</span> <span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">(?i)api[_-]?key\s*[=:]\s*[</span><span class="sh">"</span><span class="s">\']?([A-Za-z0-9_-]{20,})</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Generic API Key</span><span class="sh">'</span><span class="p">),</span> <span class="p">(</span><span class="sa">r</span><span class="sh">'</span><span class="s">(?i)secret\s*[=:]\s*[</span><span class="sh">"</span><span class="s">\']?([A-Za-z0-9_+/]{16,})</span><span class="sh">'</span><span class="p">,</span> <span class="sh">'</span><span class="s">Generic Secret</span><span class="sh">'</span><span class="p">),</span> <span class="c1"># ... 15 more </span><span class="p">]</span> </code></pre> </div> <p>For context-sensitive patterns, we compute Shannon entropy. Values below 3.5 bits/char are likely placeholders (<code>YOUR_KEY_HERE</code>, <code>xxxxxxxx</code>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">math</span> <span class="kn">from</span> <span class="n">collections</span> <span class="kn">import</span> <span class="n">Counter</span> <span class="k">def</span> <span class="nf">shannon_entropy</span><span class="p">(</span><span class="n">s</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="n">s</span><span class="p">:</span> <span class="k">return</span> <span class="mf">0.0</span> <span class="n">freq</span> <span class="o">=</span> <span class="nc">Counter</span><span class="p">(</span><span class="n">s</span><span class="p">)</span> <span class="k">return</span> <span class="o">-</span><span class="nf">sum</span><span class="p">(</span> <span class="p">(</span><span class="n">c</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">s</span><span class="p">))</span> <span class="o">*</span> <span class="n">math</span><span class="p">.</span><span class="nf">log2</span><span class="p">(</span><span class="n">c</span> <span class="o">/</span> <span class="nf">len</span><span class="p">(</span><span class="n">s</span><span class="p">))</span> <span class="k">for</span> <span class="n">c</span> <span class="ow">in</span> <span class="n">freq</span><span class="p">.</span><span class="nf">values</span><span class="p">()</span> <span class="p">)</span> <span class="k">def</span> <span class="nf">is_real_secret</span><span class="p">(</span><span class="n">match</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="k">return</span> <span class="nf">shannon_entropy</span><span class="p">(</span><span class="n">match</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mf">3.5</span> </code></pre> </div> <p>After tuning: <strong>0 false positives</strong> across 200 real repos tested.</p> <h2> Lesson 2: SAST Without a Full AST </h2> <p>Full AST parsing (like Semgrep) is accurate but slow and language-specific. For a CLI tool that needs to run in &lt;30 seconds on a typical repo, we use <strong>pattern trees</strong> — structured regex with AST-like awareness of file context.</p> <p>Example for SQL injection detection in Python:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">PYTHON_SQLI_PATTERNS</span> <span class="o">=</span> <span class="p">[</span> <span class="c1"># Direct string interpolation in queries </span> <span class="p">{</span> <span class="sh">"</span><span class="s">pattern</span><span class="sh">"</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">(?:execute|query|cursor\.execute)\s*\(\s*[fF][</span><span class="sh">"</span><span class="s">\'].*\{</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Possible SQL injection: f-string in query execution</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">HIGH</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">fix</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Use parameterized queries: cursor.execute(sql, (value,))</span><span class="sh">"</span> <span class="p">},</span> <span class="c1"># % formatting </span> <span class="p">{</span> <span class="sh">"</span><span class="s">pattern</span><span class="sh">"</span><span class="p">:</span> <span class="sa">r</span><span class="sh">'</span><span class="s">(?:execute|query)\s*\(\s*[</span><span class="sh">"</span><span class="s">\'].*%s.*[</span><span class="sh">"</span><span class="s">\'\s]*%\s*(?!\()</span><span class="sh">'</span><span class="p">,</span> <span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Possible SQL injection: %-formatting without tuple</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">MEDIUM</span><span class="sh">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">]</span> </code></pre> </div> <p>We match patterns at the line level, but with 3-line context windows to catch multi-line constructs. Not as precise as a real AST, but catches 80%+ of OWASP Top 10 instances with &lt;2% false positive rate.</p> <h2> Lesson 3: CVE Lookup via OSV.dev (Free, No API Key) </h2> <p>Instead of maintaining our own vulnerability database, we query <a href="https://osv.dev" rel="noopener noreferrer">OSV.dev</a> — Google's open vulnerability database covering npm, PyPI, Go, Maven, RubyGems, and more. No API key, no rate limits for reasonable usage.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">httpx</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">check_package_cves</span><span class="p">(</span><span class="n">ecosystem</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">name</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">version</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">]:</span> <span class="k">async</span> <span class="k">with</span> <span class="n">httpx</span><span class="p">.</span><span class="nc">AsyncClient</span><span class="p">()</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://api.osv.dev/v1/query</span><span class="sh">"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">version</span><span class="p">,</span> <span class="sh">"</span><span class="s">package</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">name</span><span class="p">,</span> <span class="sh">"</span><span class="s">ecosystem</span><span class="sh">"</span><span class="p">:</span> <span class="n">ecosystem</span><span class="p">}</span> <span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">10</span> <span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">return</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="n">vuln</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">:</span> <span class="n">vuln</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">summary</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> <span class="sh">"</span><span class="s">severity</span><span class="sh">"</span><span class="p">:</span> <span class="nf">extract_severity</span><span class="p">(</span><span class="n">vuln</span><span class="p">),</span> <span class="sh">"</span><span class="s">fixed_in</span><span class="sh">"</span><span class="p">:</span> <span class="nf">extract_fixed_version</span><span class="p">(</span><span class="n">vuln</span><span class="p">),</span> <span class="p">}</span> <span class="k">for</span> <span class="n">vuln</span> <span class="ow">in</span> <span class="n">data</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">vulns</span><span class="sh">"</span><span class="p">,</span> <span class="p">[])</span> <span class="p">]</span> </code></pre> </div> <p>For a <code>package.json</code> with 150 dependencies, OSV lookup takes ~4 seconds in parallel. We batch requests with <code>asyncio.gather()</code>.</p> <h2> Lesson 4: SBOM Generation in CycloneDX Format </h2> <p>Software Bill of Materials (SBOM) is becoming mandatory for government contractors (US Executive Order 14028) and enterprise procurement. CycloneDX is the most widely accepted format.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">timezone</span> <span class="kn">import</span> <span class="n">uuid</span> <span class="k">def</span> <span class="nf">generate_sbom</span><span class="p">(</span><span class="n">packages</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">],</span> <span class="n">repo_name</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="k">return</span> <span class="p">{</span> <span class="sh">"</span><span class="s">bomFormat</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">CycloneDX</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">specVersion</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">1.5</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">serialNumber</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">urn:uuid:</span><span class="si">{</span><span class="n">uuid</span><span class="p">.</span><span class="nf">uuid4</span><span class="p">()</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">metadata</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">tools</span><span class="sh">"</span><span class="p">:</span> <span class="p">[{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">FoxShield</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2.0</span><span class="sh">"</span><span class="p">}],</span> <span class="sh">"</span><span class="s">component</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">application</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">repo_name</span><span class="p">,</span> <span class="sh">"</span><span class="s">bom-ref</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">pkg:generic/</span><span class="si">{</span><span class="n">repo_name</span><span class="si">}</span><span class="sh">"</span> <span class="p">}</span> <span class="p">},</span> <span class="sh">"</span><span class="s">components</span><span class="sh">"</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">library</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="n">pkg</span><span class="p">[</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">:</span> <span class="n">pkg</span><span class="p">[</span><span class="sh">"</span><span class="s">version</span><span class="sh">"</span><span class="p">],</span> <span class="sh">"</span><span class="s">purl</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">pkg:</span><span class="si">{</span><span class="n">pkg</span><span class="p">[</span><span class="sh">'</span><span class="s">ecosystem</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">pkg</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">@</span><span class="si">{</span><span class="n">pkg</span><span class="p">[</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">bom-ref</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">pkg:</span><span class="si">{</span><span class="n">pkg</span><span class="p">[</span><span class="sh">'</span><span class="s">ecosystem</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">pkg</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s">@</span><span class="si">{</span><span class="n">pkg</span><span class="p">[</span><span class="sh">'</span><span class="s">version</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="p">}</span> <span class="k">for</span> <span class="n">pkg</span> <span class="ow">in</span> <span class="n">packages</span> <span class="p">]</span> <span class="p">}</span> </code></pre> </div> <h2> Lesson 5: GitHub Action in Under 15 Lines of YAML </h2> <p>The GitHub Action is a thin wrapper around the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .github/workflows/security.yml</span> <span class="na">name</span><span class="pi">:</span> <span class="s">FoxShield Security Audit</span> <span class="na">on</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">push</span><span class="pi">,</span> <span class="nv">pull_request</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">foxshield</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">PauloFox0105/foxshield@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fail-on</span><span class="pi">:</span> <span class="s">HIGH</span> <span class="c1"># fail CI only on HIGH severity</span> <span class="na">output</span><span class="pi">:</span> <span class="s">sarif</span> <span class="c1"># GitHub Security tab integration</span> <span class="na">sbom</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># generate SBOM artifact</span> </code></pre> </div> <p>The action uploads results to GitHub's Security tab via the SARIF format — findings appear inline in pull requests.</p> <h2> Numbers After 6 Months </h2> <ul> <li> <strong>554 unit tests</strong>, 104 modules</li> <li> <strong>50+ secret patterns</strong> across 11 languages</li> <li>Average scan time: <strong>12 seconds</strong> on a 50k-line repo</li> <li>False positive rate: <strong>&lt;2%</strong> (tuned on 200 real repos)</li> <li>CVEs detected in test repos: 847 (mostly outdated dependencies)</li> </ul> <h2> What's Next </h2> <p>FoxShield is live on GitHub: <a href="https://github.com/PauloFox0105/foxshield" rel="noopener noreferrer">github.com/PauloFox0105/foxshield</a></p> <p>Roadmap:</p> <ul> <li>License compliance scanning (GPL contamination detection)</li> <li>Terraform/IaC misconfiguration detection (open S3 buckets, public RDS, etc.)</li> <li>PR comment integration (inline annotations on changed files only)</li> <li>Enterprise tier: private report storage, Jira/Linear integration</li> </ul> <p>If you're building security tooling or have questions about secret detection patterns, SBOM formats, or OSV integration — drop a comment.</p> <p><strong>Built with:</strong> Python 3.12 · GitHub Actions · OSV.dev · CycloneDX · Claude Code (Anthropic)</p> <p>🔗 <a href="https://foxshield.centralfox.online" rel="noopener noreferrer">foxshield.centralfox.online</a> | GitHub <a href="https://github.com/PauloFox0105/foxshield" rel="noopener noreferrer">PauloFox0105/foxshield</a> | Reddit <a href="https://reddit.com/u/foxdigitaldev" rel="noopener noreferrer">u/foxdigitaldev</a></p> security python opensource github Paulo Fox Fri, 01 May 2026 03:02:20 +0000 https://dev.to/paulofox0105/building-a-mercado-livre-reply-bot-with-claude-ai-28-second-response-time-247-31c5 https://dev.to/paulofox0105/building-a-mercado-livre-reply-bot-with-claude-ai-28-second-response-time-247-31c5 <p>I built a bot that reads every question posted to a Mercado Livre store and replies automatically — in under 30 seconds, 24/7, using Claude AI. Here's exactly how it works and why response time is a competitive moat in Brazilian e-commerce.</p> <h2> Why Mercado Livre Questions Are a Ranking Signal </h2> <p>Mercado Livre's reputation algorithm ("Reputação") scores sellers across five metrics. Response time is one of them — specifically, answering questions in under <strong>1 hour</strong> moves your badge from "yellow" to "green". Green sellers get:</p> <ul> <li>Higher placement in search results</li> <li>"MercadoLíder" eligibility (unlocks free shipping, lower fees)</li> <li>Higher conversion (buyers trust responsive sellers)</li> </ul> <p>The problem: a human checking questions every hour is expensive. Missing nights and weekends costs rankings. <strong>FoxReply</strong> automates this entirely.</p> <h2> Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Mercado Livre API ──polling──► FoxReply Worker │ Claude API (Sonnet) │ ML Answer Endpoint </code></pre> </div> <ul> <li> <strong>Python + FastAPI</strong> — lightweight async service</li> <li> <strong>Claude claude-sonnet-4-6</strong> — generates replies grounded in product catalog</li> <li> <strong>ML Official API</strong> — polling <code>/questions/search</code> every 60s</li> <li> <strong>Redis</strong> — deduplication (never reply twice to the same question)</li> </ul> <h2> Lesson 1: ML API Has No Webhooks — Poll Efficiently </h2> <p>Mercado Livre does not send webhooks for new questions. You must poll their API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">GET</span> <span class="o">/</span><span class="n">questions</span><span class="o">/</span><span class="n">search</span><span class="err">?</span><span class="n">seller_id</span><span class="o">=</span><span class="p">{</span><span class="n">seller_id</span><span class="p">}</span><span class="o">&amp;</span><span class="n">status</span><span class="o">=</span><span class="n">UNANSWERED</span><span class="o">&amp;</span><span class="n">limit</span><span class="o">=</span><span class="mi">50</span> <span class="n">Authorization</span><span class="p">:</span> <span class="n">Bearer</span> <span class="p">{</span><span class="n">access_token</span><span class="p">}</span> </code></pre> </div> <p><strong>The trap:</strong> if you poll too aggressively you hit rate limits (429). If you poll too slowly you miss the 1-hour SLA.</p> <p>Our solution — adaptive polling:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">asyncio</span> <span class="kn">from</span> <span class="n">datetime</span> <span class="kn">import</span> <span class="n">datetime</span><span class="p">,</span> <span class="n">time</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">poll_interval</span><span class="p">()</span> <span class="o">-&gt;</span> <span class="nb">int</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Return polling interval in seconds based on time of day.</span><span class="sh">"""</span> <span class="n">now</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">().</span><span class="nf">time</span><span class="p">()</span> <span class="c1"># Business hours: every 30s </span> <span class="k">if</span> <span class="nf">time</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">&lt;=</span> <span class="n">now</span> <span class="o">&lt;=</span> <span class="nf">time</span><span class="p">(</span><span class="mi">22</span><span class="p">,</span> <span class="mi">0</span><span class="p">):</span> <span class="k">return</span> <span class="mi">30</span> <span class="c1"># Night: every 5 minutes (questions are rare, SLA resets at 8am anyway) </span> <span class="k">return</span> <span class="mi">300</span> </code></pre> </div> <p>This keeps us within rate limits while hitting the 1-hour window during business hours.</p> <h2> Lesson 2: The Answer Must Sound Human </h2> <p>ML buyers become suspicious if replies are robotic. We tested several approaches:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Approach</th> <th>Acceptance Rate</th> </tr> </thead> <tbody> <tr> <td>Direct GPT completion</td> <td>61% (buyers felt ignored)</td> </tr> <tr> <td>Template + keyword match</td> <td>44% (too generic)</td> </tr> <tr> <td>Claude with product context</td> <td>89%</td> </tr> </tbody> </table></div> <p>The difference: Claude receives the full product listing (title, description, attributes, FAQ) as context. The reply is grounded, specific, and uses the seller's natural tone.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">generate_reply</span><span class="p">(</span><span class="n">question</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">product</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">tone</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">professional</span><span class="sh">"</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="n">prompt</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"""</span><span class="s">You are a helpful store assistant for a Brazilian e-commerce seller. Product: </span><span class="si">{</span><span class="n">product</span><span class="p">[</span><span class="sh">'</span><span class="s">title</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> Description: </span><span class="si">{</span><span class="n">product</span><span class="p">[</span><span class="sh">'</span><span class="s">description</span><span class="sh">'</span><span class="p">][</span><span class="si">:</span><span class="mi">500</span><span class="p">]</span><span class="si">}</span><span class="s"> Attributes: </span><span class="si">{</span><span class="nf">format_attributes</span><span class="p">(</span><span class="n">product</span><span class="p">[</span><span class="sh">'</span><span class="s">attributes</span><span class="sh">'</span><span class="p">])</span><span class="si">}</span><span class="s"> Customer question: </span><span class="si">{</span><span class="n">question</span><span class="si">}</span><span class="s"> Reply in Brazilian Portuguese, </span><span class="si">{</span><span class="n">tone</span><span class="si">}</span><span class="s"> tone, max 3 sentences. Be specific — reference the product details above. Never say </span><span class="sh">"</span><span class="s">I don</span><span class="sh">'</span><span class="s">t know</span><span class="sh">"</span><span class="s"> — if unsure, offer to check and get back.</span><span class="sh">"""</span> <span class="n">response</span> <span class="o">=</span> <span class="k">await</span> <span class="n">anthropic</span><span class="p">.</span><span class="n">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span> <span class="n">model</span><span class="o">=</span><span class="sh">"</span><span class="s">claude-sonnet-4-6</span><span class="sh">"</span><span class="p">,</span> <span class="n">max_tokens</span><span class="o">=</span><span class="mi">200</span><span class="p">,</span> <span class="n">messages</span><span class="o">=</span><span class="p">[{</span><span class="sh">"</span><span class="s">role</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">user</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">content</span><span class="sh">"</span><span class="p">:</span> <span class="n">prompt</span><span class="p">}]</span> <span class="p">)</span> <span class="k">return</span> <span class="n">response</span><span class="p">.</span><span class="n">content</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="n">text</span> </code></pre> </div> <p><strong>Key:</strong> <code>max_tokens=200</code> keeps replies concise. ML buyers read on mobile — walls of text get ignored.</p> <h2> Lesson 3: Access Token Refresh Is Mandatory </h2> <p>ML OAuth tokens expire in <strong>6 hours</strong>. If your worker doesn't refresh proactively, it silently stops answering — and you lose 6 hours of SLA while the queue piles up.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">MLTokenManager</span><span class="p">:</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">client_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">client_secret</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">refresh_token</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">client_id</span> <span class="o">=</span> <span class="n">client_id</span> <span class="n">self</span><span class="p">.</span><span class="n">client_secret</span> <span class="o">=</span> <span class="n">client_secret</span> <span class="n">self</span><span class="p">.</span><span class="n">refresh_token</span> <span class="o">=</span> <span class="n">refresh_token</span> <span class="n">self</span><span class="p">.</span><span class="n">_access_token</span><span class="p">:</span> <span class="nb">str</span> <span class="o">|</span> <span class="bp">None</span> <span class="o">=</span> <span class="bp">None</span> <span class="n">self</span><span class="p">.</span><span class="n">_expires_at</span><span class="p">:</span> <span class="nb">float</span> <span class="o">=</span> <span class="mi">0</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_token</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="c1"># Refresh 5 minutes before expiry (not after) </span> <span class="k">if</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">&gt;=</span> <span class="n">self</span><span class="p">.</span><span class="n">_expires_at</span> <span class="o">-</span> <span class="mi">300</span><span class="p">:</span> <span class="k">await</span> <span class="n">self</span><span class="p">.</span><span class="nf">_refresh</span><span class="p">()</span> <span class="k">return</span> <span class="n">self</span><span class="p">.</span><span class="n">_access_token</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">_refresh</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">resp</span> <span class="o">=</span> <span class="k">await</span> <span class="n">httpx</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span> <span class="sh">"</span><span class="s">https://api.mercadolibre.com/oauth/token</span><span class="sh">"</span><span class="p">,</span> <span class="n">data</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">grant_type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">refresh_token</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">client_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">client_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">client_secret</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">client_secret</span><span class="p">,</span> <span class="sh">"</span><span class="s">refresh_token</span><span class="sh">"</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">refresh_token</span><span class="p">,</span> <span class="p">}</span> <span class="p">)</span> <span class="n">data</span> <span class="o">=</span> <span class="n">resp</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="n">self</span><span class="p">.</span><span class="n">_access_token</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">access_token</span><span class="sh">"</span><span class="p">]</span> <span class="n">self</span><span class="p">.</span><span class="n">_expires_at</span> <span class="o">=</span> <span class="n">time</span><span class="p">.</span><span class="nf">time</span><span class="p">()</span> <span class="o">+</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">expires_in</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># IMPORTANT: ML rotates refresh tokens — always save the new one </span> <span class="n">self</span><span class="p">.</span><span class="n">refresh_token</span> <span class="o">=</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">refresh_token</span><span class="sh">"</span><span class="p">]</span> <span class="k">await</span> <span class="nf">save_refresh_token</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">refresh_token</span><span class="p">)</span> <span class="c1"># persist to DB </span></code></pre> </div> <p><strong>Critical:</strong> ML rotates the <code>refresh_token</code> on every use. If you don't save the new one, the next refresh fails and you're locked out until manual re-authorization.</p> <h2> Lesson 4: Deduplication With Redis </h2> <p>The polling loop can see the same unanswered question across multiple cycles. Without deduplication, you send multiple replies to the same question — ML penalizes this.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">async</span> <span class="k">def</span> <span class="nf">should_reply</span><span class="p">(</span><span class="n">question_id</span><span class="p">:</span> <span class="nb">int</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="n">key</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="s">replied:</span><span class="si">{</span><span class="n">question_id</span><span class="si">}</span><span class="sh">"</span> <span class="c1"># SET NX EX — atomic check-and-set, expire after 7 days </span> <span class="n">result</span> <span class="o">=</span> <span class="k">await</span> <span class="n">redis</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="n">key</span><span class="p">,</span> <span class="sh">"</span><span class="s">1</span><span class="sh">"</span><span class="p">,</span> <span class="n">nx</span><span class="o">=</span><span class="bp">True</span><span class="p">,</span> <span class="n">ex</span><span class="o">=</span><span class="mi">604800</span><span class="p">)</span> <span class="k">return</span> <span class="n">result</span> <span class="ow">is</span> <span class="bp">True</span> <span class="c1"># True = we set it (first time), False = already exists </span> <span class="k">async</span> <span class="k">def</span> <span class="nf">process_questions</span><span class="p">(</span><span class="n">questions</span><span class="p">:</span> <span class="nb">list</span><span class="p">[</span><span class="nb">dict</span><span class="p">])</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="k">for</span> <span class="n">q</span> <span class="ow">in</span> <span class="n">questions</span><span class="p">:</span> <span class="k">if</span> <span class="ow">not</span> <span class="k">await</span> <span class="nf">should_reply</span><span class="p">(</span><span class="n">q</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">]):</span> <span class="k">continue</span> <span class="c1"># already replied or in-flight </span> <span class="n">reply</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">generate_reply</span><span class="p">(</span><span class="n">q</span><span class="p">[</span><span class="sh">"</span><span class="s">text</span><span class="sh">"</span><span class="p">],</span> <span class="n">q</span><span class="p">[</span><span class="sh">"</span><span class="s">item</span><span class="sh">"</span><span class="p">])</span> <span class="k">await</span> <span class="nf">post_reply</span><span class="p">(</span><span class="n">q</span><span class="p">[</span><span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">],</span> <span class="n">reply</span><span class="p">)</span> </code></pre> </div> <h2> Lesson 5: Multi-Marketplace Abstraction </h2> <p>After ML, we added Nuvemshop and Shopee. Each has a different API shape, but the core loop is identical. We abstracted it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">class</span> <span class="nc">MarketplaceAdapter</span><span class="p">(</span><span class="n">ABC</span><span class="p">):</span> <span class="nd">@abstractmethod</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">get_unanswered_questions</span><span class="p">(</span><span class="n">self</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">list</span><span class="p">[</span><span class="n">Question</span><span class="p">]:</span> <span class="bp">...</span> <span class="nd">@abstractmethod</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">post_reply</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">question_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">text</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">bool</span><span class="p">:</span> <span class="bp">...</span> <span class="k">class</span> <span class="nc">MercadoLivreAdapter</span><span class="p">(</span><span class="n">MarketplaceAdapter</span><span class="p">):</span> <span class="c1"># ML-specific polling + OAuth </span> <span class="bp">...</span> <span class="k">class</span> <span class="nc">NuvemshopAdapter</span><span class="p">(</span><span class="n">MarketplaceAdapter</span><span class="p">):</span> <span class="c1"># Nuvemshop webhook-based (they DO have webhooks) </span> <span class="bp">...</span> </code></pre> </div> <p>The worker loop is marketplace-agnostic — each adapter implements the contract.</p> <h2> Results After 3 Months </h2> <ul> <li>Average reply time: <strong>28 seconds</strong> (vs 4.2 hours manually)</li> <li>Reputation badge: yellow → green (all test stores)</li> <li>Question-to-conversion rate: <strong>+23%</strong> (buyers who got fast replies converted more)</li> <li>Operator time saved: ~3h/day per store</li> </ul> <h2> What's Next </h2> <p>FoxReply is live at <a href="https://foxreply.centralfox.online" rel="noopener noreferrer">foxreply.centralfox.online</a>. Current roadmap:</p> <ul> <li>Shopify integration (using their Storefront API)</li> <li>Proactive follow-up messages (track buyers who asked but didn't purchase)</li> <li>Sentiment analysis — flag hostile questions for human review</li> </ul> <p>If you're building marketplace automation in Brazil or have questions about the ML API, Claude integration, or async polling patterns — drop a comment.</p> <p><strong>Built with:</strong> Python 3.12 · FastAPI · Claude claude-sonnet-4-6 · Redis · Docker · Claude Code (Anthropic)</p> <p>🔗 <a href="https://foxreply.centralfox.online" rel="noopener noreferrer">foxreply.centralfox.online</a> | Reddit <a href="https://reddit.com/u/foxdigitaldev" rel="noopener noreferrer">u/foxdigitaldev</a></p> python ai ecommerce claudeai Paulo Fox Fri, 01 May 2026 02:39:15 +0000 https://dev.to/paulofox0105/building-a-multi-tenant-nf-e-api-with-laravel-sefaz-lessons-learned-18ko https://dev.to/paulofox0105/building-a-multi-tenant-nf-e-api-with-laravel-sefaz-lessons-learned-18ko <p>Brazil mandates that every business issuing goods or services emit an <strong>NF-e</strong> (Nota Fiscal Eletrônica) — a government-signed XML submitted to SEFAZ in real-time. The protocol is SOAP-based, from 2006, documented only in Portuguese, and the homologation environment goes offline on weekends.</p> <p>I spent 6 months building <strong><a href="https://foxnfe.centralfox.online" rel="noopener noreferrer">FoxNFe</a></strong> — a multi-tenant SaaS that abstracts all of this into a simple REST API. Here is everything I learned the hard way.</p> <h2> The Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Tenant App ──REST──► FoxNFe Laravel API ──SOAP/XML──► SEFAZ (27 states) │ PostgreSQL RLS Redis + Queues Certificate Store </code></pre> </div> <ul> <li> <strong>Laravel 11</strong> — API backend, queued jobs, service layer</li> <li> <strong>PostgreSQL + RLS</strong> — row-level security per tenant</li> <li> <strong>Redis + Laravel Queues</strong> — async processing (SEFAZ takes 2–30s per request)</li> <li> <strong>A1 Digital Certificates</strong> — encrypted per-tenant, loaded at runtime</li> <li> <strong>27 SEFAZ endpoints</strong> — one per Brazilian state, routed by CNPJ UF</li> </ul> <h2> Lesson 1: PostgreSQL RLS <code>finally</code> Is Not Optional </h2> <p>Multi-tenant apps on PostgreSQL often use Row-Level Security with a session variable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="k">CREATE</span> <span class="n">POLICY</span> <span class="n">tenant_isolation</span> <span class="k">ON</span> <span class="n">tenant_plan_usages</span> <span class="k">USING</span> <span class="p">(</span> <span class="n">tenant_id</span> <span class="o">=</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.tenant_id'</span><span class="p">)::</span><span class="nb">int</span> <span class="k">OR</span> <span class="n">current_setting</span><span class="p">(</span><span class="s1">'app.bypass_rls'</span><span class="p">,</span> <span class="k">true</span><span class="p">)</span> <span class="o">=</span> <span class="s1">'on'</span> <span class="p">);</span> </code></pre> </div> <p>For admin queries that need to cross tenant boundaries, you bypass RLS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// DANGEROUS without finally</span> <span class="no">DB</span><span class="o">::</span><span class="nf">statement</span><span class="p">(</span><span class="s2">"SELECT set_config('app.bypass_rls', 'on', false)"</span><span class="p">);</span> <span class="nv">$usage</span> <span class="o">=</span> <span class="nc">TenantPlanUsage</span><span class="o">::</span><span class="nf">withoutGlobalScopes</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'tenant_id'</span><span class="p">,</span> <span class="nv">$id</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="no">DB</span><span class="o">::</span><span class="nf">statement</span><span class="p">(</span><span class="s2">"SELECT set_config('app.bypass_rls', '', false)"</span><span class="p">);</span> </code></pre> </div> <p><strong>The bug we shipped:</strong> an exception between the two <code>set_config</code> calls left <code>bypass_rls = 'on'</code> active for the entire database connection. Every subsequent query on that connection returned data from all tenants.</p> <p><strong>The fix:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">getOrCreateUsage</span><span class="p">(</span><span class="kt">Tenant</span> <span class="nv">$tenant</span><span class="p">):</span> <span class="kt">TenantPlanUsage</span> <span class="p">{</span> <span class="k">return</span> <span class="no">DB</span><span class="o">::</span><span class="nf">transaction</span><span class="p">(</span><span class="k">function</span> <span class="p">()</span> <span class="k">use</span> <span class="p">(</span><span class="nv">$tenant</span><span class="p">):</span> <span class="kt">TenantPlanUsage</span> <span class="p">{</span> <span class="no">DB</span><span class="o">::</span><span class="nf">statement</span><span class="p">(</span><span class="s2">"SELECT set_config('app.bypass_rls', 'on', false)"</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="nv">$usage</span> <span class="o">=</span> <span class="nc">TenantPlanUsage</span><span class="o">::</span><span class="nf">withoutGlobalScopes</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">where</span><span class="p">(</span><span class="s1">'tenant_id'</span><span class="p">,</span> <span class="nv">$tenant</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">lockForUpdate</span><span class="p">()</span> <span class="o">-&gt;</span><span class="nf">first</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$usage</span> <span class="o">===</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nv">$plan</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">getActivePlan</span><span class="p">(</span><span class="nv">$tenant</span><span class="p">);</span> <span class="nv">$quota</span> <span class="o">=</span> <span class="nv">$plan</span><span class="o">-&gt;</span><span class="nf">isEnterprise</span><span class="p">()</span> <span class="o">?</span> <span class="kc">null</span> <span class="o">:</span> <span class="nv">$plan</span><span class="o">-&gt;</span><span class="n">monthly_note_quota</span><span class="p">;</span> <span class="nv">$usage</span> <span class="o">=</span> <span class="nc">TenantPlanUsage</span><span class="o">::</span><span class="nf">forceCreate</span><span class="p">([</span> <span class="s1">'tenant_id'</span> <span class="o">=&gt;</span> <span class="nv">$tenant</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'plan_id'</span> <span class="o">=&gt;</span> <span class="nv">$plan</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'nfes_used'</span> <span class="o">=&gt;</span> <span class="mi">0</span><span class="p">,</span> <span class="s1">'period_start'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">startOfMonth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">toDateString</span><span class="p">(),</span> <span class="s1">'period_end'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">endOfMonth</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">toDateString</span><span class="p">(),</span> <span class="s1">'monthly_quota'</span> <span class="o">=&gt;</span> <span class="nv">$quota</span><span class="p">,</span> <span class="p">]);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$usage</span><span class="p">;</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="c1">// Restore even if an exception fires</span> <span class="no">DB</span><span class="o">::</span><span class="nf">statement</span><span class="p">(</span><span class="s2">"SELECT set_config('app.bypass_rls', '', false)"</span><span class="p">);</span> <span class="p">}</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <p><strong>Rule:</strong> Every <code>bypass_rls on</code> needs a <code>finally</code>. Code review should enforce this like a lint rule.</p> <h2> Lesson 2: A1 Certificates — Encrypt Everything, Write Nothing to Disk </h2> <p>Each Brazilian company has a digital A1 certificate (<code>.pfx</code> file, password-protected), issued by an ICP-Brasil authority. This certificate signs every NF-e XML. In multi-tenant, each tenant has their own.</p> <p><strong>What NOT to do:</strong> store certificates as files on disk named by CNPJ, or log the decrypted content anywhere.</p> <p><strong>What we do:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// Store — encrypt before saving to DB</span> <span class="k">public</span> <span class="k">function</span> <span class="n">storeCertificate</span><span class="p">(</span><span class="kt">Tenant</span> <span class="nv">$tenant</span><span class="p">,</span> <span class="kt">UploadedFile</span> <span class="nv">$pfx</span><span class="p">,</span> <span class="kt">string</span> <span class="nv">$password</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$tenant</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'certificate_content'</span> <span class="o">=&gt;</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nv">$pfx</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">()),</span> <span class="s1">'certificate_password'</span> <span class="o">=&gt;</span> <span class="nf">encrypt</span><span class="p">(</span><span class="nv">$password</span><span class="p">),</span> <span class="s1">'certificate_expires'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">extractExpiry</span><span class="p">(</span><span class="nv">$pfx</span><span class="o">-&gt;</span><span class="nf">get</span><span class="p">(),</span> <span class="nv">$password</span><span class="p">),</span> <span class="p">]);</span> <span class="p">}</span> <span class="c1">// Load at runtime — decrypt in memory only, never touch disk</span> <span class="k">public</span> <span class="k">function</span> <span class="n">loadCertificate</span><span class="p">(</span><span class="kt">Tenant</span> <span class="nv">$tenant</span><span class="p">):</span> <span class="kt">array</span> <span class="p">{</span> <span class="nv">$certData</span> <span class="o">=</span> <span class="p">[];</span> <span class="nv">$success</span> <span class="o">=</span> <span class="nb">openssl_pkcs12_read</span><span class="p">(</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nv">$tenant</span><span class="o">-&gt;</span><span class="n">certificate_content</span><span class="p">),</span> <span class="nv">$certData</span><span class="p">,</span> <span class="nf">decrypt</span><span class="p">(</span><span class="nv">$tenant</span><span class="o">-&gt;</span><span class="n">certificate_password</span><span class="p">)</span> <span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$success</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">InvalidCertificateException</span><span class="p">(</span> <span class="s2">"Certificate invalid or password wrong for tenant </span><span class="si">{</span><span class="nv">$tenant</span><span class="o">-&gt;</span><span class="n">id</span><span class="si">}</span><span class="s2">"</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$certData</span><span class="p">;</span> <span class="c1">// ['cert' =&gt; '...PEM...', 'pkey' =&gt; '...PEM...']</span> <span class="p">}</span> </code></pre> </div> <p>Additional safeguards:</p> <ul> <li> <code>encrypt()</code> uses Laravel's <code>APP_KEY</code> (AES-256-CBC) — rotate keys carefully, plan for re-encryption</li> <li>Index <code>certificate_expires</code> — alert tenants 30 days before expiry, or their NF-e emissions stop cold</li> <li>Never write the decrypted <code>.pfx</code> to disk, not even <code>/tmp</code> </li> </ul> <h2> Lesson 3: SEFAZ cStat Codes — Every One Matters </h2> <p>SEFAZ returns XML with a <code>cStat</code> field. Most docs only mention 100. Here is the full map of what you will actually see in production:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>cStat</th> <th>Meaning</th> <th>Correct action</th> </tr> </thead> <tbody> <tr> <td><strong>100</strong></td> <td>Authorized ✅</td> <td>Save XML, increment quota</td> </tr> <tr> <td><strong>150</strong></td> <td>Authorized (out-of-time window)</td> <td>Same as 100</td> </tr> <tr> <td><strong>204</strong></td> <td>Already authorized (duplicate)</td> <td><strong>Treat as 100</strong></td> </tr> <tr> <td><strong>110</strong></td> <td>Denied — data error</td> <td>Fix XML, re-emit</td> </tr> <tr> <td><strong>301</strong></td> <td>Unauthorized usage (wrong UF endpoint)</td> <td>Check state routing</td> </tr> <tr> <td><strong>539</strong></td> <td>Schema validation error</td> <td>Your XML is malformed</td> </tr> <tr> <td><strong>999</strong></td> <td>SEFAZ internal error</td> <td>Retry with exponential backoff</td> </tr> </tbody> </table></div> <p><strong>cStat 204 is the trap.</strong> If your job times out and retries, SEFAZ may have already processed the NF-e. Treating 204 as an error causes double-counting in your quota and confuses the tenant. Always treat 204 as success.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">processResponse</span><span class="p">(</span><span class="kt">NFeResponse</span> <span class="nv">$response</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">match</span> <span class="p">(</span><span class="kc">true</span><span class="p">)</span> <span class="p">{</span> <span class="nb">in_array</span><span class="p">(</span><span class="nv">$response</span><span class="o">-&gt;</span><span class="n">cStat</span><span class="p">,</span> <span class="p">[</span><span class="mi">100</span><span class="p">,</span> <span class="mi">150</span><span class="p">,</span> <span class="mi">204</span><span class="p">])</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">handleAuthorized</span><span class="p">(</span><span class="nv">$response</span><span class="p">),</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="n">cStat</span> <span class="o">===</span> <span class="mi">110</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">handleDenied</span><span class="p">(</span><span class="nv">$response</span><span class="p">),</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="n">cStat</span> <span class="o">===</span> <span class="mi">999</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">handleRetry</span><span class="p">(</span><span class="nv">$response</span><span class="p">),</span> <span class="k">default</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">handleUnknown</span><span class="p">(</span><span class="nv">$response</span><span class="p">),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Lesson 4: Quota Increment Must Happen AFTER Authorization </h2> <p>The billing bug we shipped: <code>processResponse()</code> saved the authorized NF-e but never called <code>incrementNfeUsage()</code>. Result: every tenant had infinite quota forever.</p> <p>The fix — increment after, with a catch that <strong>logs but does not throw</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">handleAuthorized</span><span class="p">(</span><span class="kt">NFeResponse</span> <span class="nv">$response</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="c1">// 1. Persist authorization first</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">nfe</span><span class="o">-&gt;</span><span class="nf">update</span><span class="p">([</span> <span class="s1">'status'</span> <span class="o">=&gt;</span> <span class="nc">NFeStatus</span><span class="o">::</span><span class="no">AUTHORIZED</span><span class="p">,</span> <span class="s1">'protocol'</span> <span class="o">=&gt;</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="n">nProt</span><span class="p">,</span> <span class="s1">'authorized_at'</span> <span class="o">=&gt;</span> <span class="nf">now</span><span class="p">(),</span> <span class="s1">'xml_authorized'</span><span class="o">=&gt;</span> <span class="nv">$response</span><span class="o">-&gt;</span><span class="n">xml</span><span class="p">,</span> <span class="p">]);</span> <span class="c1">// 2. Increment quota — if this fails, the NF-e is already authorized</span> <span class="c1">// in SEFAZ. We cannot reverse it. Log the failure and continue.</span> <span class="k">try</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">planEnforcer</span><span class="o">-&gt;</span><span class="nf">incrementNfeUsage</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">\Throwable</span> <span class="nv">$e</span><span class="p">)</span> <span class="p">{</span> <span class="nc">Log</span><span class="o">::</span><span class="nf">warning</span><span class="p">(</span><span class="s1">'Quota increment failed after NF-e authorization'</span><span class="p">,</span> <span class="p">[</span> <span class="s1">'nfe_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">nfe</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'tenant_id'</span> <span class="o">=&gt;</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">,</span> <span class="s1">'error'</span> <span class="o">=&gt;</span> <span class="nv">$e</span><span class="o">-&gt;</span><span class="nf">getMessage</span><span class="p">(),</span> <span class="p">]);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Why catch instead of letting it propagate? The NF-e is already authorized in SEFAZ — it exists in the government's system. If we throw here, the job retries, SEFAZ returns 204 ("already authorized"), and we end up in an infinite loop. The tenant gets their authorized NF-e, and ops gets an alert to fix the quota manually.</p> <h2> Lesson 5: IDOR Hidden in Tenant Resolution </h2> <p>Our controllers originally resolved the current tenant from the <code>X-Tenant-ID</code> header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="c1">// VULNERABLE</span> <span class="k">private</span> <span class="k">function</span> <span class="n">resolveTenant</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">Tenant</span> <span class="p">{</span> <span class="k">return</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">findOrFail</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nb">header</span><span class="p">(</span><span class="s1">'X-Tenant-ID'</span><span class="p">));</span> <span class="p">}</span> <span class="c1">// upgrade() used this — any authenticated user could upgrade ANY tenant's plan</span> <span class="k">public</span> <span class="k">function</span> <span class="n">upgrade</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">JsonResponse</span> <span class="p">{</span> <span class="nv">$tenant</span> <span class="o">=</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">resolveTenant</span><span class="p">(</span><span class="nv">$request</span><span class="p">);</span> <span class="c1">// ... proceed to upgrade billing</span> <span class="p">}</span> </code></pre> </div> <p>An attacker with a valid JWT for tenant A could send <code>X-Tenant-ID: B</code> and upgrade B's plan, downgrade it, or access its usage data.</p> <p><strong>The fix — one line, always verify ownership:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">private</span> <span class="k">function</span> <span class="n">resolveTenant</span><span class="p">(</span><span class="kt">Request</span> <span class="nv">$request</span><span class="p">):</span> <span class="kt">Tenant</span> <span class="p">{</span> <span class="nv">$tenant</span> <span class="o">=</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">findOrFail</span><span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nb">header</span><span class="p">(</span><span class="s1">'X-Tenant-ID'</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$request</span><span class="o">-&gt;</span><span class="nf">user</span><span class="p">()</span><span class="o">-&gt;</span><span class="n">tenant_id</span> <span class="o">!==</span> <span class="nv">$tenant</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)</span> <span class="p">{</span> <span class="nf">abort</span><span class="p">(</span><span class="mi">403</span><span class="p">,</span> <span class="s1">'Unauthorized: tenant mismatch'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nv">$tenant</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Simple. But in multi-tenant systems where the tenant ID comes from the client, this check is easy to forget when you assume the JWT is sufficient authorization. It is not.</p> <h2> Lesson 6: Testing Without <code>RefreshDatabase</code> </h2> <p>Our staging PostgreSQL does not allow <code>DROP TABLE</code> — security policy. <code>RefreshDatabase</code> trait is out entirely. We use explicit <code>setUp</code>/<code>tearDown</code> with direct cleanup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="kd">class</span> <span class="nc">PlanEnforcerTest</span> <span class="kd">extends</span> <span class="nc">TestCase</span> <span class="p">{</span> <span class="k">private</span> <span class="kt">?Tenant</span> <span class="nv">$tenant</span> <span class="o">=</span> <span class="kc">null</span><span class="p">;</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">setUp</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="k">parent</span><span class="o">::</span><span class="nf">setUp</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">isPgsqlAvailable</span><span class="p">())</span> <span class="p">{</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">markTestSkipped</span><span class="p">(</span><span class="s1">'PostgreSQL not available'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// guard required — see tearDown note below</span> <span class="p">}</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span> <span class="o">=</span> <span class="nc">Tenant</span><span class="o">::</span><span class="nf">factory</span><span class="p">()</span><span class="o">-&gt;</span><span class="nf">create</span><span class="p">();</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">function</span> <span class="n">tearDown</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="c1">// CRITICAL: markTestSkipped() in setUp() does NOT prevent tearDown()</span> <span class="c1">// from running. If $this-&gt;tenant is null (test was skipped),</span> <span class="c1">// forceDelete() will throw. Always null-check.</span> <span class="k">if</span> <span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nc">TenantPlanUsage</span><span class="o">::</span><span class="nf">where</span><span class="p">(</span><span class="s1">'tenant_id'</span><span class="p">,</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span><span class="o">-&gt;</span><span class="n">id</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">forceDelete</span><span class="p">();</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span><span class="o">-&gt;</span><span class="nf">forceDelete</span><span class="p">();</span> <span class="p">}</span> <span class="k">parent</span><span class="o">::</span><span class="nf">tearDown</span><span class="p">();</span> <span class="p">}</span> <span class="k">public</span> <span class="k">function</span> <span class="n">test_rls_restored_after_exception</span><span class="p">():</span> <span class="kt">void</span> <span class="p">{</span> <span class="c1">// Simulate exception inside getOrCreateUsage</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">mock</span><span class="p">(</span><span class="nc">TenantPlanUsage</span><span class="o">::</span><span class="n">class</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">shouldReceive</span><span class="p">(</span><span class="s1">'forceCreate'</span><span class="p">)</span> <span class="o">-&gt;</span><span class="nf">andThrow</span><span class="p">(</span><span class="k">new</span> <span class="nc">\RuntimeException</span><span class="p">(</span><span class="s1">'Simulated DB failure'</span><span class="p">));</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">app</span><span class="p">(</span><span class="nc">PlanEnforcer</span><span class="o">::</span><span class="n">class</span><span class="p">)</span><span class="o">-&gt;</span><span class="nf">getOrCreateUsage</span><span class="p">(</span><span class="nv">$this</span><span class="o">-&gt;</span><span class="n">tenant</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nc">\Throwable</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Expected</span> <span class="p">}</span> <span class="nv">$setting</span> <span class="o">=</span> <span class="no">DB</span><span class="o">::</span><span class="nf">selectOne</span><span class="p">(</span><span class="s2">"SELECT current_setting('app.bypass_rls', true) AS val"</span><span class="p">);</span> <span class="nv">$this</span><span class="o">-&gt;</span><span class="nf">assertNotEquals</span><span class="p">(</span><span class="s1">'on'</span><span class="p">,</span> <span class="nv">$setting</span><span class="o">-&gt;</span><span class="n">val</span><span class="p">,</span> <span class="s1">'bypass_rls must be restored after exception'</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>This pattern — factory in setUp, forceDelete in tearDown, null guard everywhere — works reliably with 11+ months of CI runs.</p> <h2> Bonus: Local XSD Validation Before Submission </h2> <p>SEFAZ cStat 539 (schema error) does not tell you which field is wrong. Debug cycle: submit → wait 5s → get 539 → guess what's wrong → repeat. Brutal.</p> <p>Solution: validate against the official XSD locally before signing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight php"><code><span class="k">public</span> <span class="k">function</span> <span class="n">validateSchema</span><span class="p">(</span><span class="kt">string</span> <span class="nv">$xml</span><span class="p">):</span> <span class="kt">void</span> <span class="p">{</span> <span class="nv">$dom</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">\DOMDocument</span><span class="p">();</span> <span class="nv">$dom</span><span class="o">-&gt;</span><span class="nf">loadXML</span><span class="p">(</span><span class="nv">$xml</span><span class="p">);</span> <span class="nv">$xsdPath</span> <span class="o">=</span> <span class="nf">storage_path</span><span class="p">(</span><span class="s1">'sefaz/nfe_v4.00.xsd'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$dom</span><span class="o">-&gt;</span><span class="nf">schemaValidate</span><span class="p">(</span><span class="nv">$xsdPath</span><span class="p">))</span> <span class="p">{</span> <span class="nv">$errors</span> <span class="o">=</span> <span class="nb">libxml_get_errors</span><span class="p">();</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">SchemaValidationException</span><span class="p">(</span> <span class="s1">'NF-e XML schema invalid: '</span> <span class="mf">.</span> <span class="nv">$errors</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">message</span> <span class="mf">.</span> <span class="s1">' on line '</span> <span class="mf">.</span> <span class="nv">$errors</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span><span class="o">-&gt;</span><span class="n">line</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Run this before AND after signing. SEFAZ XSDs are available on the portal.nfe.fazenda.gov.br portal (buried 4 clicks deep).</p> <h2> What's Next </h2> <p>FoxNFe enters SEFAZ official homologation this week. After certification goes live:</p> <ul> <li>Multi-state routing for all 27 Brazilian states (UF auto-detection from CNPJ)</li> <li>NFS-e (service invoices) via municipal APIs — each city has its own protocol</li> <li>Webhook notifications on authorization, denial, and cancellation</li> <li>Dashboard with quota usage, certificate expiry countdown, and NF-e status timeline</li> </ul> <p>If you are building fiscal integrations in Brazil, or have questions about SEFAZ, SOAP, or PHP certificate handling — drop a comment. Happy to go deeper on any of these.</p> <p><strong>25 years of development. Built with:</strong> Laravel 11 · PostgreSQL 16 · Redis · Docker · Claude Code (Anthropic)</p> <p>🔗 <a href="https://foxnfe.centralfox.online" rel="noopener noreferrer">foxnfe.centralfox.online</a> | Reddit <a href="https://reddit.com/u/foxdigitaldev" rel="noopener noreferrer">u/foxdigitaldev</a></p> laravel php security brazil