Documentation

System architecture.

A reference for engineers, partners and auditors. ZERAKET runs as an edge-first application with a hardened Postgres core and a strict separation between client, server functions and admin paths.

Runtime

  • TanStack Start (React 19, Vite 7) served from Cloudflare Workers (edge)
  • Server functions for app logic, server routes under /api/public/* for webhooks and cron
  • Static assets, images and video distributed through Cloudflare's global CDN

Data layer

  • PostgreSQL (Supabase) with Row Level Security enabled on every public table
  • Security-definer helper functions (has_role, has_organizer_role) avoid RLS recursion
  • Realtime channels are policy-gated by ticket status and organizer membership
  • Storage in private buckets by default; public buckets serve only marketing media

Ticketing pipeline

  • Encrypted ticket payloads with rotating QR (15s window) and offline fallback
  • Optional NFC binding for high-value tiers; identity-bound tickets for VIP
  • Idempotent payment-to-ledger flow via Postgres triggers, no double-credit
  • Scanner sessions with deployment-scoped tokens and stale-session revocation

Payments and money movement

  • Pesapal, MTN Mobile Money, Airtel Money, card and bank rails
  • Double-entry ledger (finance_txns, payout_ledger_entries) reconciled daily
  • Platform fees, taxes and provider fees resolved per organizer / per event
  • Payout disbursement attempts logged with provider response codes

Identity and access

  • Email/password and Google auth via the managed auth service
  • Roles stored in a dedicated user_roles table (never on profiles)
  • Organizer membership uses a separate organizer_members table with capability checks
  • Admin actions logged in admin_action_log and access_audit_log
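
The security-definer pattern named under Data layer, applied to the user_roles table described above, as an added example that is not ZERAKET's own code. The app_role enum, the column names, the has_role signature and the policy names are assumptions; auth.uid(), auth.users and the anon/authenticated roles are Supabase's.

```sql
-- Added example. Assumptions: app_role enum, column names, function
-- signature and policy names. auth.uid(), auth.users, anon and
-- authenticated are provided by Supabase.
create type public.app_role as enum ('admin', 'organizer', 'user');

create table public.user_roles (
  id      uuid primary key default gen_random_uuid(),
  user_id uuid not null references auth.users (id) on delete cascade,
  role    public.app_role not null,
  unique (user_id, role)
);
alter table public.user_roles enable row level security;

-- Weak form (left as a comment): the policy reads the table it protects,
-- so evaluating it re-enters the same policy and Postgres rejects the
-- query with "infinite recursion detected in policy for relation".
--   create policy "admins read roles" on public.user_roles for select
--     using (exists (select 1 from public.user_roles r
--                    where r.user_id = auth.uid() and r.role = 'admin'));

-- Corrected form: the lookup runs as the function owner. A table owner is
-- not subject to RLS unless FORCE ROW LEVEL SECURITY is set, so the
-- policy below no longer recurses.
create or replace function public.has_role(_user_id uuid, _role public.app_role)
returns boolean
language sql stable security definer
set search_path = ''   -- pinned so a caller cannot shadow objects
as $$
  select exists (
    select 1 from public.user_roles
    where user_id = _user_id and role = _role
  );
$$;

-- Functions are executable by PUBLIC by default; narrow that explicitly.
revoke execute on function public.has_role(uuid, public.app_role) from public, anon;
grant  execute on function public.has_role(uuid, public.app_role) to authenticated;

create policy "users read own roles" on public.user_roles
  for select to authenticated
  using (user_id = auth.uid());

create policy "admins manage roles" on public.user_roles
  for all to authenticated
  using (public.has_role(auth.uid(), 'admin'))
  with check (public.has_role(auth.uid(), 'admin'));
```

With this grant any signed-in caller can invoke has_role for an arbitrary user id, so a helper that must not reveal other users' roles should drop the _user_id parameter and read auth.uid() internally.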

Observability

  • Structured server-function logs, Cloudflare access logs, Postgres slow-query log
  • Heartbeat workers monitor critical user journeys end-to-end
  • Real-time gate alerts on sales spikes, scan anomalies and session revokes

This document is maintained by ZERAKET engineering. Implementation details may change; the public contract is described in the API documentation.