docs: Align documentation with true microservices architecture
Transform all documentation from modular monolith to true microservices
architecture where core services are independently deployable.
Key Changes:
- Core Kernel: Infrastructure only (no business logic)
- Core Services: Auth, Identity, Authz, Audit as separate microservices
- Each service has own entry point (cmd/{service}/)
- Each service has own gRPC server and database schema
- Services register with Consul for service discovery
- API Gateway: Moved from Epic 8 to Epic 1 as core infrastructure
- Single entry point for all external traffic
- Handles routing, JWT validation, rate limiting, CORS
- Service Discovery: Consul as primary mechanism (ADR-0033)
- Database Pattern: Per-service connections with schema isolation
Documentation Updates:
- Updated all 9 architecture documents
- Updated 4 ADRs and created 2 new ADRs (API Gateway, Service Discovery)
- Rewrote Epic 1: Core Kernel & Infrastructure (infrastructure only)
- Rewrote Epic 2: Core Services (Auth, Identity, Authz, Audit as services)
- Updated Epic 3-8 stories for service architecture
- Updated plan.md, playbook.md, requirements.md, index.md
- Updated all epic READMEs and story files
New ADRs:
- ADR-0032: API Gateway Strategy
- ADR-0033: Service Discovery Implementation (Consul)
New Stories:
- Epic 1.7: Service Client Interfaces
- Epic 1.8: API Gateway Implementation
@@ -25,16 +25,22 @@ Complete flow of user logging in and receiving authentication tokens.
sequenceDiagram
participant User
participant Client
participant Gateway[API Gateway]
participant AuthService
participant IdentityService
participant DB
participant TokenProvider
participant AuditService
participant Registry[Consul]

User->>Client: Enter credentials
Client->>AuthService: POST /api/v1/auth/login
Client->>Gateway: POST /api/v1/auth/login
Gateway->>Gateway: Rate limiting check
Gateway->>AuthService: Login request (gRPC)
AuthService->>AuthService: Validate request format
AuthService->>IdentityService: Verify credentials
AuthService->>Registry: Discover Identity Service
Registry-->>AuthService: Identity Service endpoint
AuthService->>IdentityService: Verify credentials (gRPC)
IdentityService->>DB: Query user by email
DB-->>IdentityService: User data
IdentityService->>IdentityService: Verify password hash
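Review bot: the new path `Client->>Gateway`, `Gateway->>Gateway: Rate limiting check`, `Gateway->>AuthService: Login request (gRPC)` has no failure branch: neither a rate-limit rejection at the gateway nor a credential mismatch after `IdentityService->>IdentityService: Verify password hash` is drawn, so the document shows only the success path of a login. Wrap the credential check in an `alt`/`else` (and add the 429 return from the gateway) so the failed-login path is documented next to the successful one. Also, Mermaid sequence diagrams alias participants with `as` (`participant Gateway as API Gateway`); the bracket form in `participant Gateway[API Gateway]` and `participant Registry[Consul]` is flowchart node syntax and is likely not to render.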
@@ -49,11 +55,14 @@ sequenceDiagram
DB-->>TokenProvider: Token stored
TokenProvider-->>AuthService: Refresh token

AuthService->>AuditService: Log login
AuthService->>Registry: Discover Audit Service
Registry-->>AuthService: Audit Service endpoint
AuthService->>AuditService: Log login (gRPC)
AuditService->>DB: Store audit log
AuditService-->>AuthService: Logged

AuthService-->>Client: Access + Refresh tokens
AuthService-->>Gateway: Access + Refresh tokens
Gateway-->>Client: Access + Refresh tokens
Client-->>User: Authentication successful
```

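Review bot: the audit write sits synchronously in the critical path (`AuthService->>Registry: Discover Audit Service` through `AuditService-->>AuthService: Logged`) before `AuthService-->>Gateway: Access + Refresh tokens`, but the hunk does not say what happens when the Audit Service lookup or the write fails: whether login fails closed (no tokens without an audit record) or proceeds without one. State that decision in the text beside the diagram, since it is the choice between guaranteed audit coverage and availability. Because `Log login` is only reached after the refresh token is issued, failed attempts are never audited in this flow either. Separately, `DB-->>TokenProvider: Token stored` and `AuditService->>DB: Store audit log` here (and `IdentityService->>DB` in the hunk above) all use the single `DB` participant, which contradicts the commit message's "Per-service connections with schema isolation"; give each service its own datastore lifeline or annotate the shared one with the schema each service owns.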
@@ -63,23 +72,25 @@ How the system checks if a user has permission to perform an action.

```mermaid
sequenceDiagram
participant Gateway[API Gateway]
participant Handler
participant AuthzMiddleware
participant AuthzService
participant PermissionResolver
participant Cache
participant DB
participant IdentityService
participant Registry[Consul]

Handler->>AuthzMiddleware: Check permission
AuthzMiddleware->>AuthzMiddleware: Extract user from context
AuthzMiddleware->>AuthzService: Authorize(user, permission)
Gateway->>Handler: Request with user context
Handler->>AuthzService: Authorize(user, permission) (gRPC)
AuthzService->>Registry: Discover Identity Service
Registry-->>AuthzService: Identity Service endpoint

AuthzService->>Cache: Check permission cache
Cache-->>AuthzService: Cache miss

AuthzService->>PermissionResolver: Resolve permissions
PermissionResolver->>IdentityService: Get user roles
PermissionResolver->>IdentityService: Get user roles (gRPC)
IdentityService->>DB: Query user roles
DB-->>IdentityService: User roles
IdentityService-->>PermissionResolver: Roles list
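Review bot: `Gateway->>Handler: Request with user context` followed by `Handler->>AuthzService: Authorize(user, permission) (gRPC)` shows the service acting on a user identity asserted by the gateway, but nothing in the hunk says how that context is carried or verified on the service side now that `AuthzMiddleware->>AuthzMiddleware: Extract user from context` is gone. Document the mechanism (the service re-validating the JWT the gateway forwards, or a signed gateway header) and the network boundary that makes the gateway the only accepted source of that context; without it a reader has to assume the trust is implicit. Also, `AuthzService->>Registry: Discover Identity Service` now runs before `AuthzService->>Cache: Check permission cache`, so a discovery round trip is paid even on a cache hit; move it into the cache-miss branch. If `participant AuthzMiddleware` stays while all of its messages are removed, it renders as an empty lifeline.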
@@ -91,12 +102,12 @@ sequenceDiagram

AuthzService->>AuthzService: Check permission in list
AuthzService->>Cache: Store in cache
AuthzService-->>AuthzMiddleware: Authorized/Unauthorized
AuthzService-->>Handler: Authorized/Unauthorized

alt Authorized
AuthzMiddleware-->>Handler: Continue
Handler-->>Gateway: Continue request
else Unauthorized
AuthzMiddleware-->>Handler: 403 Forbidden
Handler-->>Gateway: 403 Forbidden
end
```

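Review bot: `AuthzService->>Cache: Store in cache` documents the write but not the lifetime or invalidation of the cached decision; a role removed through `IdentityService` stays effective until the entry expires, so the text beside this diagram should state the TTL and how role changes invalidate entries. In the `alt`, `Handler-->>Gateway: Continue request` carries over the middleware wording of the removed `AuthzMiddleware-->>Handler: Continue`; since the handler is now the endpoint, show it executing the operation and returning its response. Finally, `403 Forbidden` is correct for an authenticated user lacking the permission; a missing or invalid user context should produce `401`, and the diagram or text should say where that distinction is made (gateway or handler).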