Service Map
The Service Map is the C4 Level 2 Container view of Platform-Kernel. It shows all services, their communication protocols, and data store dependencies.
Depth: For system context (actors and external systems) see Architecture Overview. For runtime sequence diagrams see Data Flow.
ASCII Service Map
┌──────────────────────────────────────────────────────────────────────┐
│                               CLIENTS                                │
│      Browser (UI Shell + MFE Modules) · SDK Clients · Webhooks       │
└───────────────────────┬──────────────────────────────────────────────┘
                        │ HTTPS / WSS
┌───────────────────────▼──────────────────────────────────────────────┐
│                            GATEWAY LAYER                             │
│  ┌────────────────────────────────────────┐                          │
│  │  Envoy Gateway                         │ :443 (TLS termination)   │
│  │  TLS · Rate Limit (Valkey hybrid)      │ LDS/RDS/CDS/EDS xDS      │
│  │  OIDC · CORS · mTLS upstream           │ Zero-downtime reload     │
│  └──────────────────┬─────────────────────┘                          │
│                     │ HTTP/1.1                                       │
│  ┌──────────────────▼─────────────────────┐                          │
│  │  Go Gateway Service :8080              │                          │
│  │  JWT Validation · RBAC hasPermission() │                          │
│  │  OpenAPI 3.x Request Validation        │                          │
│  │  Protocol Translation REST ↔ gRPC      │                          │
│  │  Circuit Breaker (sony/gobreaker) ×2   │                          │
│  │  Domain Resolver xDS snapshots         │                          │
│  └──────────────────┬─────────────────────┘                          │
└─────────────────────│────────────────────────────────────────────────┘
                      │ gRPC (mTLS, DEADLINE=5s)
┌─────────────────────▼────────────────────────────────────────────────┐
│                       CORE SERVICES (Go 1.24+)                       │
│                                                                      │
│  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐           │
│  │  IAM :8081    │   │  Data :8082   │   │  EventBus     │           │
│  │  Auth/RBAC    │   │  CRUD + RLS   │   │  :8083        │           │
│  │  JWT ES256    │   │  Migrations   │   │  Kafka pub/sub│           │
│  │  TOTP/OIDC    │   │  CDC outbox   │   │  DLQ + replay │           │
│  └───────────────┘   └───────────────┘   └───────────────┘           │
│                                                                      │
│  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐           │
│  │  Notify :8084 │   │  Files :8085  │   │  Money :8086  │           │
│  │  Email/WS/SMS │   │  S3 storage   │   │  Wallets      │           │
│  │  RabbitMQ Q   │   │  Thumbnails   │   │  Hold/Confirm │           │
│  │  WebSocket hub│   │  Multipart    │   │  Ledger (2E)  │           │
│  └───────────────┘   └───────────────┘   └───────────────┘           │
│                                                                      │
│  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐           │
│  │  Audit :8087  │   │  ModReg :8088 │   │  Billing:8089 │           │
│  │  Dual-write   │   │  Manifests    │   │  Subscriptions│           │
│  │  Immutable    │   │  Valkey cache │   │  Plans/Limits │           │
│  │  SOX-grade    │   │  xDS routing  │   │  Invoices     │           │
│  └───────────────┘   └───────────────┘   └───────────────┘           │
│                                                                      │
│  ┌───────────────┐   ┌───────────────┐   ┌───────────────┐           │
│  │  IntHub :8090 │   │  FeatFlag     │   │  Vault Sidecar│           │
│  │  Circuit Brkr │   │  :8091        │   │  Secrets mgmt │           │
│  │  DLQ/Retry    │   │  LaunchDarkly │   │  KEK/DEK      │           │
│  │  AES-256 cred │   │  Valkey cache │   │  90-day rotate│           │
│  └───────────────┘   └───────────────┘   └───────────────┘           │
└──────────────────────────────────────────────────────────────────────┘
                      │
┌─────────────────────▼────────────────────────────────────────────────┐
│                             DATA STORES                              │
│                                                                      │
│  PostgreSQL 17 · Valkey 8 · Apache Kafka · RabbitMQ 4                │
│  ClickHouse · S3 / MinIO                                             │
└──────────────────────────────────────────────────────────────────────┘
Service Directory
| Service | Port | Language | Primary responsibility |
|---|---|---|---|
| Envoy Gateway | 443 | Envoy (C++) | TLS termination, rate limiting, xDS dynamic config |
| Go Gateway Service | 8080 | Go 1.24 | JWT validation, RBAC, REST↔gRPC translation, OpenAPI validation |
| IAM | 8081 | Go 1.24 | Auth, RBAC, JWT issuance, TOTP, OIDC provider, AuthProvider plugins |
| Data Layer | 8082 | Go 1.24 | Tenant-scoped CRUD, schema migrations (goose), CDC outbox |
| Event Bus | 8083 | Go 1.24 | Kafka pub/sub, RabbitMQ transactional, DLQ, replay |
| Notify | 8084 | Go 1.24 | Email, WebSocket push, browser push; RabbitMQ dispatch queue |
| Files | 8085 | Go 1.24 | S3-backed storage, image resize, thumbnail generation |
| Money | 8086 | Go 1.24 | Wallets, hold/confirm, double-entry ledger, currency |
| Audit | 8087 | Go 1.24 | SOX-grade dual-write, immutable append-only audit trail |
| Module Registry | 8088 | Go 1.24 | Module lifecycle (FSM), manifest storage, Valkey cache, xDS route push |
| Billing | 8089 | Go 1.24 | Subscription plans, usage limits, invoices, metering |
| Integration Hub | 8090 | Go 1.24 | Outbound API proxy, circuit breaker, credential vault, DLQ |
| Feature Flags | 8091 | Go 1.24 | LaunchDarkly-compatible flags, Valkey cache, per-tenant overrides |
| Domain Resolver | — | Go 1.24 | xDS snapshot server for Envoy (LDS/RDS/CDS/EDS) |
| Vault Sidecar | — | HashiCorp Vault | Secrets injection, KEK/DEK lifecycle, 90-day rotation |
Communication Protocols
Data Store Dependencies
| Service | Data Store Dependencies |
|---|---|
| Gateway (Go) | Valkey 8 (rate limit, sessions) |
| IAM | PostgreSQL (users, roles, sessions), Valkey 8 (refresh tokens, RBAC cache), Kafka (auth events) |
| Data Layer | PostgreSQL (tenant data via RLS), Valkey 8 (query cache), Kafka (CDC outbox), ClickHouse (analytics) |
| Event Bus | Kafka (primary transport), RabbitMQ (transactional queue) |
| Notify | PostgreSQL (message history), RabbitMQ (dispatch queue) |
| Files | PostgreSQL (metadata), Kafka (events), S3/MinIO (blobs) |
| Money | PostgreSQL (wallets, ledger), Kafka (events) |
| Audit | PostgreSQL (WAL dual-write), Kafka (stream) |
| Module Registry | PostgreSQL (manifests), Valkey 8 (active modules cache), Kafka (events), S3/MinIO (JS bundles) |
| Billing | PostgreSQL (plans, invoices), Kafka (events) |
| Integration Hub | PostgreSQL (provider configs), Valkey 8 (Circuit Breaker state), RabbitMQ (DLQ) |
| Feature Flags | PostgreSQL (flag definitions), Valkey 8 (evaluation cache) |
Async Messaging Architecture
Two message brokers serve different roles:
KAFKA (Apache Kafka — KRaft mode)
Role : Domain event streaming
Topics : platform.{auth|money|module|data|files|audit|billing}.events
Retention : 7 days (audit: 30 days)
Partition : By entity_id (wallet_id, user_id, module_id — ordering per entity)
Consumers : Audit, Notify, Billing, Gateway (cache invalidation)
DLQ : platform.{domain}.dlq (3 retries: 100ms → 200ms → 400ms)
RABBITMQ 4 (AMQP 0-9-1)
Role : Transactional message delivery
Exchange : notify.direct
Routing : notify.send (key per channel adapter)
Consumers : Notify Service channel dispatchers (email, SMS, push)
Max queue : 10 000 messages (NOTIFY_RABBITMQ_MAX_QUEUE_LENGTH)
Retries : 5× with base delay 30s (NOTIFY_MAX_RETRIES=5)
UI Shell + Module Federation
UI Shell (Vite 8 + React 19 + Module Federation 2.0)
├── Core (always loaded)
│   ├── Dashboard (metrics widgets)
│   ├── Module Manager
│   ├── User Management
│   └── Settings (Branding, Auth, Notifications)
│
└── Installed Modules (lazy-loaded on route activation)
    ├── Module A: @scope/crm
    │   └── remoteEntry.js (CDN: MODULE_CDN_BASE_URL/{tenantId}/{moduleId}/{version}/)
    ├── Module B: @scope/ecommerce
    └── ... up to 50 modules (REGISTRY_MAX_MODULES_PER_TENANT)
MFE Isolation:
- Each module runs in its own Error Boundary (crash ≠ shell crash)
- LRU eviction at >10 loaded MFEs (memory management for 8h+ sessions)
- Module unmount on navigation → kernel.lifecycle().onDeactivate() cleanup
- Shared singletons: React 19, Zustand — enforced by requiredVersion
Gateway: Circuit Breaker Configuration
The Go Gateway Service implements a two-tier circuit breaker using sony/gobreaker:
Tier 1 — Per-Tenant Soft Breaker
Trigger : >50% error rate over 60s for a single tenant
Effect : Circuit opens for that tenant only
Purpose : One tenant's bad client does not affect others
Tier 2 — Per-Service Global Breaker
Trigger : 5 consecutive failures in 30s
Open time : 30s (StatusCode 503 returned immediately)
Reset : Half-open → single probe → close if successful
Purpose : Cascade failure protection if a service is down
gRPC Deadline : 5s (GRPC_CALL_TIMEOUT_MS=5000)
Retry policy : 1× with 100ms backoff on idempotent GET only
No retry on POST/PATCH/DELETE (idempotency keys instead)
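The Tier 2 rules above, written out as a small state machine with the clock passed in so the timings can be checked. This is an added example, not Platform-Kernel code and not the sony/gobreaker API; `ServiceBreaker`, `Allow` and `Report` are hypothetical names. It assumes a failed probe re-opens the circuit for another 30s and that results arriving after the circuit opened are ignored, neither of which the summary above specifies.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

var ErrOpen = errors.New("circuit open") // the gateway answers 503 right away

// ServiceBreaker (hypothetical name) is not goroutine-safe; guard it with a mutex.
type ServiceBreaker struct {
	recent        []time.Time // current run of consecutive failures, last 5 kept
	openedAt      time.Time
	open, probing bool
}

// Allow reports whether a call may be sent upstream at time now.
func (b *ServiceBreaker) Allow(now time.Time) error {
	if b.open && (b.probing || now.Sub(b.openedAt) < 30*time.Second) {
		return ErrOpen
	}
	b.probing = b.open // open for 30s: half-open, exactly one probe goes through
	return nil
}

// Report records the outcome of a call that Allow let through.
func (b *ServiceBreaker) Report(now time.Time, ok bool) {
	switch {
	case b.open && !b.probing: // late result from before opening: ignored (assumption)
	case ok: // success ends the run; a successful probe closes the circuit
		b.recent, b.open, b.probing = nil, false, false
	case b.probing: // failed probe: open for another 30s (assumption)
		b.probing, b.openedAt = false, now
	default:
		if b.recent = append(b.recent, now); len(b.recent) > 5 {
			b.recent = b.recent[1:]
		}
		if len(b.recent) == 5 && now.Sub(b.recent[0]) <= 30*time.Second {
			b.recent, b.open, b.openedAt = nil, true, now
		}
	}
}
func main() {
	b, now := &ServiceBreaker{}, time.Now()
	for i := 0; i < 5; i++ {
		b.Report(now, false)
	}
	fmt.Println(b.Allow(now), b.Allow(now.Add(30*time.Second)))
}
```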
Related Pages
- Architecture Overview — C4 Level 1 System Context
- Data Flow — Request lifecycle and event flow sequence diagrams
- CDC Pipeline — ClickHouse analytics pipeline detail
- Tenant Isolation — 6-layer isolation model