SaaS

WB-SMP — Wildberries Seller Management Platform

WB-SMP — Wildberries Seller Management Platform

Challenge

Wildberries sellers face 34.5–38% commission rates with limited visibility into true unit economics. They need:

  • Real-time margin per SKU after all fees
  • Automated advertising bid optimization
  • Inventory forecasting to prevent stockouts
  • Competitive intelligence

Build a unified command center integrating 262 API endpoints across 14 Wildberries hosts.

Solution Architecture

Platform Overview

Modular monolith with 9 bounded contexts serving growing sellers (10–50 SKUs, 100K–1M RUB/month revenue).

Wildberries E-commerce Unit Economics Advertising Russia B2B SaaS

Developer Tools Portal — tools.gantman.biz

Developer Tools Portal — tools.gantman.biz

Challenge

DevSecOps practitioners juggle six to ten web tools daily: JSON formatters, JWT decoders, hash generators, API clients, network calculators. These tools live at different URLs, require separate bookmarks, and offer inconsistent UX. No single public interface provides all common developer utilities in one place with immediate access — no signup walls, no cookie consent popups blocking tool use.

Build a unified developer tool suite that:

Developer Tools SaaS Freemium Self-Hosted CyberChef API Testing DevSecOps

AWS PCI-DSS Platform — Multi-Tenant Compliance SaaS

AWS PCI-DSS Platform — Multi-Tenant Compliance SaaS

Challenge

Enterprise security teams need a unified platform to manage compliance assessments, track vulnerabilities, handle incidents, and maintain asset inventories — all with proper multi-tenant isolation for managed service providers. Off-the-shelf GRC tools are expensive, inflexible, and don’t integrate well with cloud-native infrastructure.

Build a production-ready compliance platform with:

  • Multi-tenant architecture with Row-Level Security
  • Real-time alerts via WebSocket
  • Comprehensive REST API for automation
  • Multiple compliance framework support

Solution Architecture

Overview

┌─────────────────────────────────────────────────────────────────┐
│                      Frontend (React)                            │
│           Dashboard · Assessments · Incidents · Assets          │
└────────────────────────┬────────────────────────────────────────┘
                         │ HTTPS / WSS
                         ▼
┌─────────────────────────────────────────────────────────────────┐
│                    FastAPI Backend                               │
│     34+ Endpoints · JWT Auth · RBAC · Multi-tenant Middleware   │
└────────────────────────┬────────────────────────────────────────┘
                         │
         ┌───────────────┼───────────────┐
         ▼               ▼               ▼
┌────────────────┐ ┌──────────┐ ┌─────────────────┐
│  PostgreSQL    │ │ WebSocket│ │  Audit Logging  │
│  + RLS Policies│ │  Manager │ │  (Immutable)    │
└────────────────┘ └──────────┘ └─────────────────┘

API Endpoints (34+)

DomainCountKey Operations
Authentication6Login, register, refresh, password change, MFA
Compliance7Framework list, assessments, reports, gap analysis
Threats4Catalog, risk matrix, statistics, trends
Vulnerabilities6List, scan, remediate, severity trends
Assets5Inventory, topology, tagging, relationships
Incidents5Lifecycle, actions, timeline, metrics
WebSocket1Real-time security alerts

Compliance Frameworks

FrameworkControlsUse Case
PCI-DSS 4.0270+Payment card processing
NIST CSF 2.06 functionsGeneral cybersecurity
ISO 27001:202293 controlsInformation security
SOC 2 Type II5 trust criteriaService organization

Key Features

1. Multi-Tenant Architecture

# Row-Level Security enforced at database level
class TenantMiddleware:
    async def __call__(self, request, call_next):
        tenant_id = extract_tenant(request)
        # All queries automatically filtered by tenant
        set_tenant_context(tenant_id)
        return await call_next(request)
  • Automatic tenant isolation on every query
  • No cross-tenant data leakage possible
  • Efficient index usage with RLS policies

2. Real-Time Alerts

// WebSocket connection for live security events
const ws = new WebSocket('wss://api.example.com/ws/alerts');
ws.onmessage = (event) => {
    const alert = JSON.parse(event.data);
    // Severity: critical, high, medium, low
    if (alert.severity === 'critical') {
        showNotification(alert);
    }
};

3. Compliance Assessment Workflow

Assessment Lifecycle:
├── Draft → Configure scope, select controls
├── In Progress → Evidence collection, control testing
├── Review → Findings validation, risk rating
├── Complete → Report generation, remediation tracking
└── Archived → Historical reference

4. Vulnerability Management

# Comprehensive vulnerability tracking
class Vulnerability(Base):
    cve_id: str              # CVE-2024-XXXXX
    severity: SeverityEnum   # CRITICAL, HIGH, MEDIUM, LOW
    cvss_score: float        # 0.0 - 10.0
    affected_assets: List[Asset]
    remediation_status: RemediationStatus
    due_date: datetime
    sla_breach: bool         # Computed from severity + age

Tech Stack

ComponentTechnologyPurpose
API FrameworkFastAPI 0.109Async REST API
ORMSQLAlchemy (async)Database abstraction
ValidationPydanticRequest/response schemas
AuthJWT + RBACAuthentication & authorization
DatabasePostgreSQLPrimary data store + RLS
Real-timeWebSocketLive alert streaming
Testingpytest + coverageQuality assurance

Security Features

OWASP Top 10 Protections

ThreatMitigation
InjectionParameterized queries via SQLAlchemy
Broken AuthJWT with short TTL, refresh tokens
Sensitive DataAES-256 encryption at rest
XXEJSON-only APIs, no XML parsing
Broken AccessRLS + RBAC enforcement
Security MisconfigSecurity headers middleware
XSSOutput encoding, CSP headers
Insecure DeserializationPydantic schema validation
Vulnerable ComponentsDependabot, SBOM tracking
Insufficient LoggingComprehensive audit trail

Audit Logging

# Every state-changing operation logged
@audit_log
async def create_finding(finding: FindingCreate):
    # Automatically captures:
    # - User ID, tenant ID
    # - Timestamp, IP address
    # - Before/after state
    # - Operation type
    return await finding_service.create(finding)

Project Structure

src/api/
├── main.py                # FastAPI app factory
├── config.py              # Environment config
├── middleware/            # Auth, tenant, security
├── routers/               # 34+ endpoint handlers
│   ├── auth.py
│   ├── compliance.py
│   ├── threats.py
│   ├── vulnerabilities.py
│   ├── assets.py
│   └── incidents.py
├── models/                # 15+ SQLAlchemy models
├── services/              # Business logic layer
├── schemas/               # Pydantic validation
└── websocket/             # Real-time alerts

Results & Benefits

Technical Achievements

  • Zero SQL injection risk: ORM-only queries with parameterization
  • Complete tenant isolation: RLS policies at database level
  • Sub-100ms API latency: Async throughout, optimized queries
  • 100% type coverage: Pydantic schemas + Python type hints

Business Value

  1. MSP-Ready: Multi-tenant architecture for managed services
  2. Automation-First: Every operation accessible via API
  3. Compliance-Mapped: Built-in framework alignment
  4. Audit-Ready: Immutable logging for regulators

PCI-DSS NIST CSF Compliance Multi-tenant GRC Vulnerability Management