KsefPay
A Rust product for Polish e-invoicing: official XML generation/validation, workspaces, company tax-ID accounts, encrypted certificates, and KSeF sandbox flows.
Official invoices with typed custody boundaries
KSeF integration needs schema accuracy, session handling, certificate custody, tenant isolation, permissions, audit trails, and operational hygiene.
`ksef-core` owns domain/integration logic; `ksef-server` wraps it with Axum routes, workspace tenancy, account scopes, encrypted certificate storage, CSRF, rate limits, audit logs, and sandbox flows.
- Boundary note
- The project should be presented as a side project and product/compliance chapter, not as a replacement for the blockchain systems narrative.Certificate encryption depends on preserving the configured storage key; losing that key means stored certificate material cannot be decrypted.
- Evidence path
- Official invoice XSD validation / Generated invoice model / KSeF session integrationPublic product evidence: typed invoices, KSeF sessions, tenant/account scope, certificate custody, and guardrails.
- What it proves
- Shows serious Rust product engineering outside blockchain with typed boundaries and security posture
- Adds breadth: compliance integration, tenancy, and operational security
How the data moves through the system
First read the data path. Then use the code hooks as pointers to the mechanisms that make the claim inspectable.
Generated structures and XSD validation make official invoice XML reviewable and testable.
Workspaces and tax-ID accounts scope access, permissions, invoice history, exports, and membership.
Authentication, certificate storage, invites, capabilities, and controls stay explicit.
Generated types and validation tests keep the official schema as source of truth.
Tests cover challenge, certificate auth, session open, invoice send, and session close.
Operations bind to selected workspace and tax-ID account, not ambient user identity.
Company certificates are stored through an encrypted path keyed by application config.
CSRF, rate limits, audit events, invites, SMTP mode, and production checks are explicit.
How the system progresses
A short staged view of the system from start to final output.
Create workspace and company account
The user works inside a workspace and selected company tax-ID account.
Prepare identity and access
The app prepares certificates, permissions, invites, and account scope before KSeF operations.
Generate, validate, and send invoices
Invoice data becomes official XML, validates against XSD, sends through KSeF, then enters history/export paths.
Public product evidence: typed invoices, KSeF sessions, tenant/account scope, certificate custody, and guardrails.
- Inspect `ksef-core` for domain split, generated invoice bindings, KSeF session code, and account-scope modeling.
- Inspect `ksef-server` for Axum routes, workspace/account flows, invites, CSRF/rate-limit/audit integration, and production checks.
This chapter stands on architecture and public evidence.