# Epic 2: Core Services (Authentication & Authorization)

## Overview

Implement Auth, Identity, Authz, and Audit as **separate, independent microservices**. Each service has its own entry point (`cmd/{service}/`), gRPC server, database connection/schema, and registers with the Consul service registry. Services communicate via service clients (gRPC) and use service discovery.

**Key Principle:** Each service is independently deployable from day one.

## Stories

### 2.1 Auth Service - JWT Authentication

- [Story: 2.1 - Auth Service](./2.1-jwt-authentication.md)
- **Goal:** Implement Auth Service as an independent microservice with JWT token generation/validation.
- **Deliverables:**
  - Service entry point: `cmd/auth-service/main.go`
  - gRPC server implementation
  - Database connection and schema (auth schema)
  - Service registration with Consul
  - JWT token generation/validation logic

### 2.2 Identity Service - User Management

- [Story: 2.2 - Identity Service](./2.2-identity-management.md)
- **Goal:** Implement Identity Service as an independent microservice for user CRUD and password management.
- **Deliverables:**
  - Service entry point: `cmd/identity-service/main.go`
  - gRPC server implementation
  - Database connection and schema (identity schema with User entity)
  - Service registration with Consul
  - User CRUD, password management, email verification

### 2.3 Authz Service - Authorization & RBAC

- [Story: 2.3 - Authz Service](./2.3-rbac-system.md)
- **Goal:** Implement Authz Service as an independent microservice for permission resolution and authorization.
- **Deliverables:**
  - Service entry point: `cmd/authz-service/main.go`
  - gRPC server implementation
  - Database connection and schema (authz schema with Role, Permission entities)
  - Service registration with Consul
  - Permission resolution, RBAC/ABAC authorization

### 2.4 Role Management (Part of Authz Service)

- [Story: 2.4 - Role Management](./2.4-role-management.md)
- **Goal:** Extend Authz Service with a role management API.
- **Deliverables:**
  - Role management gRPC endpoints
  - Role assignment to users (via Identity Service client)
  - Permission assignment to roles

### 2.5 Audit Service - Audit Logging

- [Story: 2.5 - Audit Service](./2.5-audit-logging.md)
- **Goal:** Implement Audit Service as an independent microservice for audit logging.
- **Deliverables:**
  - Service entry point: `cmd/audit-service/main.go`
  - gRPC server implementation
  - Database connection and schema (audit schema with AuditLog entity)
  - Service registration with Consul
  - Audit log recording and querying

### 2.6 Database Seeding

- [Story: 2.6 - Database Seeding](./2.6-database-seeding.md)
- **Goal:** Provide seeding for all services (initial admin user, default roles, permissions).
- **Deliverables:**
  - Seed scripts for each service
  - Seed commands
  - Integration with service startup

## Deliverables Checklist

- [ ] Auth Service: Independent service with gRPC server, database schema, Consul registration
- [ ] Identity Service: Independent service with gRPC server, User entity, Consul registration
- [ ] Authz Service: Independent service with gRPC server, Role/Permission entities, Consul registration
- [ ] Audit Service: Independent service with gRPC server, AuditLog entity, Consul registration
- [ ] All services use service clients for inter-service communication
- [ ] All services have their own database connection pools and schemas
- [ ] Seed scripts for all services

## Acceptance Criteria

- Each service is independently deployable
- Each service has its own entry point (`cmd/{service}/main.go`)
- Each service registers with the Consul service registry
- Services communicate via gRPC through service clients
- Each service has its own database schema
- API Gateway can route to all services via service discovery
- Integration test: Services can discover and communicate with each other
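The "JWT token generation/validation logic" deliverable of Story 2.1 is the piece of this epic with the most security weight, so here is an added example of what that logic has to get right. It is not code from this project or from any of the linked stories: it is a standard-library-only HS256 issuer and validator written for illustration, with the `Claims` field set, the `Issue`/`Validate` names, and the demo secret all assumed. The validator rejects any token whose header does not say `HS256` before it looks at the signature (so `alg: none` or an algorithm swap cannot bypass verification), compares the MAC in constant time, and checks `exp` against the caller-supplied clock.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is an assumed payload for tokens the Auth Service would issue.
type Claims struct {
	Subject   string `json:"sub"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
}

type header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

var (
	ErrInvalidToken = errors.New("invalid token")
	ErrExpired      = errors.New("token expired")
	b64             = base64.RawURLEncoding // JWT uses unpadded base64url
)

// sign computes HMAC-SHA256 over the "header.payload" signing input.
func sign(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Issue builds an HS256 JWT for subject, valid from now for ttl.
func Issue(secret []byte, subject string, now time.Time, ttl time.Duration) (string, error) {
	h, err := json.Marshal(header{Alg: "HS256", Typ: "JWT"})
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(Claims{Subject: subject, IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	return signingInput + "." + b64.EncodeToString(sign(secret, signingInput)), nil
}

// Validate checks structure, algorithm, signature and expiry, in that order,
// and returns the claims only when every check passes.
func Validate(secret []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrInvalidToken
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, ErrInvalidToken
	}
	var h header
	// Pin the algorithm: the header is attacker-controlled until the signature is verified.
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "HS256" {
		return nil, ErrInvalidToken
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, ErrInvalidToken
	}
	// hmac.Equal is constant-time, so a wrong signature leaks nothing about the right one.
	if !hmac.Equal(sig, sign(secret, parts[0]+"."+parts[1])) {
		return nil, ErrInvalidToken
	}
	cb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, ErrInvalidToken
	}
	var c Claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, ErrInvalidToken
	}
	if c.ExpiresAt == 0 || now.Unix() >= c.ExpiresAt {
		return nil, ErrExpired
	}
	return &c, nil
}

func main() {
	// Constructed demo secret; a real Auth Service loads it from its configuration or secret store.
	secret := []byte("constructed-demo-secret-not-for-production")
	now := time.Now()
	tok, err := Issue(secret, "user-42", now, time.Hour)
	if err != nil {
		panic(err)
	}
	claims, err := Validate(secret, tok, now)
	fmt.Printf("claims=%+v err=%v\n", claims, err)
}
```

A gateway or another service would call `Validate` with the Auth Service's shared secret (or, if the design moves to asymmetric keys, with the public key and a matching algorithm pin); the order of checks matters, because parsing claims from an unverified payload is how algorithm-confusion and forged-token bugs usually start.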