Lead Architect / Tech Reviewer (Python/FastAPI) — Architecture and Audit of Affiliate CRM (Crypto/Forex)

I am creating a complex infrastructure SaaS platform (Affiliate CRM / TDS) for highly competitive verticals (Crypto, Forex, iGaming). I have a Senior developer (Python + JS) who is currently writing code. But I need a Technical Partner (Gatekeeper) and Architect.

As the Owner, I think in terms of risks. I do not want to depend on the programmer's mood or deal with their "crutches". I need a specialist who will build the system in such a way that it cannot be broken. You are my technical shield and auditor. The developer gets paid for a stage only after your written "Approved". This is not Full-time coding from scratch; it is architecture management and strict Code Review.

📦 Project scope (What we have now):

* Backend: Python 3.12 (FastAPI, Asyncio), PostgreSQL, Redis (lead queues). About 15-20 key endpoints.

* Frontend/Loader: Vanilla JS (~1000 lines of obfuscated injection logic + Interaction Hijacking).

* Infrastructure: Docker containers.

🎯 Specific project tasks (Deliverables):

1. Proper architecture on GitHub (CI/CD & Security)

* Complete refactoring of the repository structure. Strict separation into client (loaders, Wasm), server (FastAPI, matching), and infra (Docker, Nginx configs).

* Setting up Branch Protection: no line of code from the developer enters main without your Pull Request Review.

2. Creation of a "Technical Passport" (Bus-Factor = 0)

* You must describe the entire architecture so that in case of the sudden disappearance of the current developer, a new team can deploy and understand the project within 2 hours.

* Writing documentation: API contracts, database schemas, Frontend-Backend-Broker interaction logic, and Disaster Recovery strategy.

3. Designing Multi-Tenancy (Role Isolation)

Design and oversee the implementation of RLS (Row Level Security) in the database for 3 levels of access:

* SuperAdmin: license management, overall statistics, master billing of traffic.

* Admin: creating buyers, toggling SMS gateway management, topping up balances.

* Buyer: adding forms, creating FB apps, obtaining JS loader code, personal statistics.

* No request should allow data crossing between buyers at the memory (Redis) or database level.

4. Zero-Trust Code Review (Stealth and Load)

* Frontend: Audit of direct lead injection logic (Fetch/Wasm) from the donor browser to the broker. Checking traffic retention logic (intercepting visibilitychange, popstate, resolving Safari User Gesture Token issues).

* Backend: Detecting I/O blocks in FastAPI and eliminating Race Conditions in Redis when issuing leads to multiple donors simultaneously.

⚠️ REQUIREMENTS (Must-have):

* Niche experience (Crypto/Forex/Gambling): Mandatory practical experience in developing or deep architectural auditing of CRM systems, TDS, or Affiliate trackers specifically for these verticals. You must understand the specifics of this traffic from the inside.

* AdTech expertise: You know perfectly what cloaking is, Postback chains, JA3 fingerprints, CORS bypass, and why residential proxies are vital.

* Uncompromisingness: You can firmly argue against (Reject) a developer if the architecture is crooked or dangerous.

* Security hygiene: Zero hardcoded secrets. The server never reveals its real IP.

⛔ FILTER QUESTION (Mandatory for response)

Attention: template responses or responses without specific technical answers to these 3 questions will be deleted immediately without reading.

* Safari API Timeout: We are making an asynchronous Fetch request to the CRM broker from the donor browser. The broker responds in 3.5 seconds. How will you technically retain the right to execute window.location.replace in Safari (iOS) to avoid getting blocked by "Pop-up blocked" due to an expired native User Gesture Token?

* FastAPI High-Load: Our FastAPI endpoint started to slow down sharply under traffic load, although the database (PostgreSQL) is functioning normally and resting. What tool will you use to find I/O blocks in the asynchronous event loop?

* Wasm Security: How will you hide the very fact and URL of the outgoing request to the broker's API from the browser's Network tab using WebAssembly?

If you are ready to take responsibility for the technical core of a strict AdTech system and become my "technical shield" — I look forward to your response.