Architecture Overview
SeptemCore Platform-Kernel is a universal, industry-agnostic modular platform designed for a 10-year lifespan with thousands of third-party modules. It provides seven primitives (Auth, Data, Events, Notify, Files, Money, Audit) and the infrastructure to compose any business application from them.
This page presents the C4 Level 1 System Context view: who uses the platform and how.
Depth: For container-level detail (individual services and data stores) see Service Map. For runtime data flows see Data Flow.
C4 Level 1 — System Context
Note: C4Context diagrams use the PlantUML C4 notation. Docusaurus renders Mermaid — the diagram above uses the C4Context type introduced in Mermaid 10.x.
Key Actors
| Actor | Role | Primary Interface |
|---|---|---|
| Tenant Admin | Installs modules, manages users and RBAC, configures billing | UI Shell + REST API |
| End User | Uses the business application assembled from modules | MFE Modules in browser |
| Module Developer | Builds third-party modules with the @platform/sdk | SDK + CLI + gRPC |
| Platform Owner | Operates infrastructure, manages all tenants | kernel-cli + SSH + Admin UI |
The Seven Primitives
Everything in Platform-Kernel is composed from seven core primitives. Modules never implement these themselves — they call the primitives through the SDK.
| Primitive | Service | What it provides |
|---|---|---|
| Auth | IAM | Identity, RBAC, MFA, JWT, SSO, AuthProvider plugins |
| Data | Data Layer | Tenant-scoped CRUD, relations, schema migrations, CDC |
| Events | Event Bus | Pub/sub over Kafka, typed schemas, DLQ, replay |
| Notify | Notify Service | Email, WebSocket push, SMS, Browser Push channels |
| Files | Files Service | S3-backed storage, image processing, thumbnails |
| Money | Money Service | Wallets, hold/confirm, ledger, double-entry accounting |
| Audit | Audit Service | SOX-grade immutable audit trail, dual-write |
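The Money row above names wallets, hold/confirm and double-entry accounting. The Go program below is an added example written for this page, not the Money Service's own code; it shows the invariants those terms imply: every posting balances to zero, a wallet cannot be overdrawn, and a hold reserves funds so they cannot be promised twice and settles exactly once. The account names, the `External` funding account and the exact hold/confirm semantics are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// External is the funding counter-account (assumed name); it is the only account allowed to go negative.
const External = "external:bank"

// Entry is one leg of a posting, in integer minor units (cents): a positive
// amount credits the account, a negative amount debits it.
type Entry struct {
	Account string
	Amount  int64
}

// hold reserves funds on an account until it is confirmed.
type hold struct {
	from, to string
	amount   int64
	open     bool
}

// Ledger keeps an append-only journal plus balances and reservations derived
// from it. Invariant: every posting sums to zero, so the whole ledger sums to zero.
type Ledger struct {
	journal  [][]Entry
	balances map[string]int64
	reserved map[string]int64 // locked by open holds, per account
	holds    map[int]*hold
}

func NewLedger() *Ledger {
	return &Ledger{balances: map[string]int64{}, reserved: map[string]int64{}, holds: map[int]*hold{}}
}

// Available is the booked balance minus funds reserved by open holds.
func (l *Ledger) Available(acct string) int64 { return l.balances[acct] - l.reserved[acct] }

// Total sums every balance and must always be zero.
func (l *Ledger) Total() int64 {
	var t int64
	for _, b := range l.balances {
		t += b
	}
	return t
}

// Post appends a balanced set of entries atomically: unbalanced postings and
// debits that would overdraw a wallet are rejected before anything is mutated.
func (l *Ledger) Post(entries ...Entry) error {
	var sum int64
	debits := map[string]int64{}
	for _, e := range entries {
		sum += e.Amount
		if e.Amount < 0 {
			debits[e.Account] -= e.Amount
		}
	}
	if sum != 0 {
		return errors.New("unbalanced posting")
	}
	for acct, amt := range debits {
		if acct != External && l.Available(acct) < amt {
			return fmt.Errorf("insufficient available balance in %s", acct)
		}
	}
	for _, e := range entries {
		l.balances[e.Account] += e.Amount
	}
	l.journal = append(l.journal, entries)
	return nil
}

// Hold reserves amount on from for a later transfer to to. Reserved funds stop
// counting as available, so the same balance cannot be promised twice.
func (l *Ledger) Hold(from, to string, amount int64) (int, error) {
	if amount <= 0 {
		return 0, errors.New("hold amount must be positive")
	}
	if from != External && l.Available(from) < amount {
		return 0, fmt.Errorf("insufficient available balance in %s", from)
	}
	id := len(l.holds) + 1
	l.holds[id] = &hold{from: from, to: to, amount: amount, open: true}
	l.reserved[from] += amount
	return id, nil
}

// Confirm settles an open hold as a double-entry posting, exactly once: the
// reservation is dropped and the hold closed, so it cannot be confirmed twice.
func (l *Ledger) Confirm(id int) error {
	h, ok := l.holds[id]
	if !ok || !h.open {
		return errors.New("unknown or already confirmed hold")
	}
	h.open = false
	l.reserved[h.from] -= h.amount
	return l.Post(Entry{h.from, -h.amount}, Entry{h.to, h.amount})
}
```

A deposit is itself a balanced posting (debit `External`, credit the wallet), which is why the funding account is the one exception to the overdraft check; every other account can only ever spend what it has been credited.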
Three-Layer Polyglot Stack
Platform-Kernel uses three languages, each chosen for its strengths in the specific role it plays.
| Layer | Language | Components | Rationale |
|---|---|---|---|
| DX & Orchestration | TypeScript 5.5+ | UI Shell, SDK, CLI | Developer velocity, shared types front↔back |
| Core Services | Go 1.24+ | 12 services + Gateway + kernel-cli | Goroutines, gRPC performance, memory safety |
| Module Sandbox | Rust → Wasm | Third-party module isolation | Hardware-level isolation, deterministic <5ms budget |
Architecture Principles
| Principle | Implementation |
|---|---|
| Everything is a Primitive | All module capabilities come from the 7 primitives via SDK — no direct DB/infra access |
| Single Entry Point | API Gateway (Envoy + Go Gateway Service) is the only point of external ingress |
| Single Exit Point | Integration Hub is the only path for outbound external API calls — circuit breaker mandatory |
| Protocol Translation | REST↔gRPC at the Gateway: clients see REST, core services speak gRPC |
| Tenant Isolation | Every request carries tenantId from JWT; PostgreSQL RLS enforces data boundaries |
| Event-Driven | All state mutations publish Kafka events (outbox pattern) for integration and audit |
| Zero Trust | mTLS between all services, JWT ES256 with 15-minute TTL, RBAC on every request |
| Dev = Prod | Docker Compose locally = Kubernetes in production — identical stack, different orchestrators |
| Schema-First | Protobuf → buf generate → typed Go + TypeScript clients. OpenAPI → request validation |
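The Zero Trust and Tenant Isolation rows above describe the check every request must pass: an ES256-signed JWT with a lifetime of at most 15 minutes, from which the gateway takes the tenantId that downstream tenant scoping relies on. The Go program below is an added example written for this page, not code from the platform's Gateway or IAM service; it performs that check with only the standard library. The `tenantId` claim name, `NewSigningKey` and the `SignES256` helper (present only so the example can mint tokens offline) are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

const MaxTokenTTL = 15 * time.Minute // JWT lifetime fixed by the Zero Trust principle

// Claims are the JWT claims the check reads; the tenantId claim name is an assumption here.
type Claims struct {
	TenantID string `json:"tenantId"`
	IssuedAt int64  `json:"iat"`
	Expires  int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeSegment base64url-decodes one token segment and parses its JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// NewSigningKey generates the P-256 key pair ES256 requires.
func NewSigningKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// SignES256 builds a compact JWS (header.payload.signature); it stands in for the IAM issuer.
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"ES256","typ":"JWT"}`)) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JOSE encodes an ECDSA signature as r||s, two fixed 32-byte integers, not DER.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// VerifyES256 is the per-request check: algorithm pinned to ES256, signature valid
// under pub, not expired, lifetime within MaxTokenTTL, tenantId present for RLS scoping.
func VerifyES256(pub *ecdsa.PublicKey, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, err
	}
	// The verifier, not the token, picks the algorithm (rejects alg=none and key confusion).
	if header.Alg != "ES256" {
		return nil, errors.New("unexpected alg " + header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims // parsed only after the signature has been verified
	if err := decodeSegment(parts[1], &c); err != nil {
		return nil, err
	}
	exp, iat := time.Unix(c.Expires, 0), time.Unix(c.IssuedAt, 0)
	switch {
	case !now.Before(exp):
		return nil, errors.New("token expired")
	case exp.Sub(iat) > MaxTokenTTL:
		return nil, errors.New("token lifetime exceeds 15 minutes")
	case c.TenantID == "":
		return nil, errors.New("missing tenantId claim")
	}
	return &c, nil
}
```

The order of checks matters: the header is read only to confirm the algorithm the verifier already expects, and the payload is not parsed until the signature has been verified, so unsigned or wrongly signed claims never reach the tenant-scoping logic. The TTL check rejects any token whose `exp - iat` exceeds 15 minutes, not just tokens that have already expired.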
Boundaries of the Kernel
The kernel is industry-agnostic. It does not contain business logic.
| ✅ Kernel provides | ❌ Kernel does NOT provide |
|---|---|
| 7 primitives (Auth, Data, Events, Notify, Files, Money, Audit) | Business logic for any module |
| UI Shell (thin host for MFE modules) | Domain-specific engines (Commission, TDS, SmartLink) |
| Module Registry + Module Federation 2.0 | Integrations with specific external services |
| API Gateway + rate limiting + auth | UI builders (landing pages, PWA builders) |
| @platform/sdk-* package suite | iGaming / e-commerce domain knowledge |
| Encryption, security, immutable audit | Anything outside this specification |
Note: iGaming is the first target market, but the kernel is not restricted to it. Any vertical can build on the same primitives.
Related Pages
- Service Map — C4 Level 2: all 15 services, protocols, data stores
- Data Flow — Request and event lifecycle sequence diagrams
- CDC Pipeline — PostgreSQL → Debezium → Kafka → ClickHouse
- Security Deep Dive — Encryption key hierarchy and JWT lifecycle
- Tenant Isolation — 6-layer isolation model