Runtime Services

The platform is a modular Go backend plus SvelteKit frontends. Runtime state is externalized to PostgreSQL and object storage.

Backend Binaries

Binary        Compose service      Command                    Purpose
api           api                  /app/api                   Main HTTP API, admin API, public verification, embedded ingest in dev.
ingest        optional standalone  /app/ingest                Agent-only /ingest/v1 gateway with a dedicated least-privilege DB role.
worker-proof  proof-worker         /app/worker-proof          Consumes proofs.validated; validates .der, decrypts, signs, creates certificates.
worker        anchor-worker        /app/worker anchor         Consumes certificates.to_anchor; submits/updates anchors and regenerates PDFs after anchoring.
worker        notification-worker  /app/worker notifications  Consumes notifications.to_send; sends SMTP/webhook deliveries and records retries/DLQ.
worker        report-worker        /app/worker reports        Schedules and creates monthly billing reports and billing export artifacts.
worker        retry-worker         /app/worker retry          Enqueues due proof retries and re-tests recoverable proof states.
worker        maintenance-worker   /app/worker maintenance    Applies retention/anonymization and verifies audit/receipt chains.
migrator      db-migrate profile   /app/migrator              Runs embedded SQL migrations.
verifier      CLI image target     /app/verifier              Offline verification CLI foundation.

The generic worker binary selects its kind from its first argument, falling back to the WORKER_KIND environment variable; the proof worker is a separate binary. WORKER_ONCE=true runs a single claim pass and then exits, which is useful for controlled maintenance runs or release validation.
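As an added example (not the project's own code), the kind selection and WORKER_ONCE behaviour described above, written against an in-memory stand-in for the table-backed queue. The kind names come from the table above; the function names, the Claimer interface, the polling loop and the demo queue are assumptions made for the example.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"strconv"
	"time"
)

// Kinds served by the generic worker binary, taken from the table above.
// The proof worker is a separate binary (/app/worker-proof), so "proof" is
// deliberately absent: asking this binary for it must fail.
var workerKinds = map[string]bool{
	"anchor":        true,
	"notifications": true,
	"reports":       true,
	"retry":         true,
	"maintenance":   true,
}

// ResolveKind takes the kind from the first CLI argument, falls back to
// WORKER_KIND, and rejects anything outside the allowlist so that a typo in a
// deployment manifest fails at startup instead of producing an idle process.
func ResolveKind(args []string, getenv func(string) string) (string, error) {
	kind := ""
	if len(args) > 0 {
		kind = args[0]
	}
	if kind == "" {
		kind = getenv("WORKER_KIND")
	}
	if kind == "" {
		return "", errors.New("worker kind missing: pass it as the first argument or set WORKER_KIND")
	}
	if !workerKinds[kind] {
		return "", fmt.Errorf("unknown worker kind %q", kind)
	}
	return kind, nil
}

// RunOnce reports whether WORKER_ONCE asks for a single claim pass. Only a
// value strconv.ParseBool accepts as true enables it; unset, empty or
// malformed values mean the normal polling loop.
func RunOnce(getenv func(string) string) bool {
	once, err := strconv.ParseBool(getenv("WORKER_ONCE"))
	return err == nil && once
}

// Claimer is the slice of the table-backed queue the loop needs: one
// claim-and-process pass that reports whether it found a job.
type Claimer interface {
	ClaimAndProcess(ctx context.Context, kind string) (claimed bool, err error)
}

// Loop runs claim passes until ctx is cancelled or the first error, or exactly
// one pass when once is true. It drains while jobs are available and only
// sleeps for poll when a pass found nothing. It returns the number of passes.
func Loop(ctx context.Context, c Claimer, kind string, once bool, poll time.Duration) (int, error) {
	passes := 0
	for {
		claimed, err := c.ClaimAndProcess(ctx, kind)
		passes++
		if err != nil || once {
			return passes, err
		}
		if claimed {
			continue
		}
		select {
		case <-ctx.Done():
			return passes, nil
		case <-time.After(poll):
		}
	}
}

// demoClaimer is a constructed stand-in for the real queue: it hands out a
// fixed number of jobs and then reports an empty queue.
type demoClaimer struct{ jobs int }

func (d *demoClaimer) ClaimAndProcess(ctx context.Context, kind string) (bool, error) {
	if d.jobs == 0 {
		return false, nil
	}
	d.jobs--
	fmt.Printf("%s worker processed a job, %d left\n", kind, d.jobs)
	return true, nil
}

func main() {
	kind, err := ResolveKind(os.Args[1:], os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
	defer cancel()
	passes, err := Loop(ctx, &demoClaimer{jobs: 3}, kind, RunOnce(os.Getenv), 50*time.Millisecond)
	fmt.Printf("exited after %d pass(es), err=%v\n", passes, err)
}
```

Run it as `WORKER_ONCE=true go run . retry` to see a single pass, or without the variable to watch it drain the three demo jobs and then poll until the context deadline. Passing the kind allowlist rather than accepting any string is the check worth keeping: an unknown kind is a deployment error, and a worker that starts anyway consumes nothing while looking healthy.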

External Dependencies

Dependency      Current local implementation                       Production expectation
PostgreSQL      pg17-pgmq image with migrations and dev seed data  Managed PostgreSQL 17-compatible cluster with backups, monitoring and least-privilege roles.
Queue           Table-backed jobs and jobs_dlq tables              Same table-backed queue unless the product changes.
Object storage  MinIO buckets                                      S3-compatible storage with bucket policy; optional filesystem backend for air-gapped installs.
Keycloak        Imported realms and seeded users                   Per-instance realms, web clients, service account, JWKS, optional federation.
Signer          In-process test signer                             Dedicated remote signer behind mTLS: key IDs, HMAC, decrypt, PAdES/TSA, receipt signing, transaction signing.
Blockchain      noop chain                                         Hedera adapter and deployed contracts once final inputs are available.
Notifications   Mailpit SMTP in local compose                      SMTP relay plus webhook delivery subject to an SSRF policy.
Observability   OTel Collector, Prometheus, Loki, Tempo, Grafana   Same signal path or a compatible managed backend.

Frontend Services

App         Compose service   Purpose
frontend    wipe-frontend     New SvelteKit BFF. OIDC tokens are kept in an HttpOnly session cookie, encrypted server-side, so browser JavaScript never sees them.
dashboard   wipe-dashboard    Existing dashboard/test console using proxy routes and the generated HeyAPI client.
admin-docs  wipe-admin-docs   Static Hugo/LotusDocs administrator handbook served by unprivileged Nginx.

The frontend and the dashboard both consume the TypeScript client generated from the backend OpenAPI document. After any backend API change, regenerate the client from backend/docs/swagger/swagger.json and run the frontend type checks so that a changed response shape is caught at build time rather than at runtime.

Data Flow

  1. A user or automation submits a .der proof through /api/v1/proofs, /api/v1/proofs/bulk, or, for enrolled agents, /ingest/v1/proofs.
  2. The API stores the proof object before any processing and publishes a table-backed job in the same database transaction, so a stored proof always has its job and a job never refers to a proof that failed to persist.
  3. The proof worker validates the payload, uses the signer for decrypt/HMAC/PAdES operations, consumes a license allocation, creates a certificate, and emits report, notification and anchor work as needed.
  4. The anchor worker updates on-chain metadata when a real chain is configured. With the local noop chain, certificates are finalized as CERTIFIED_NO_ANCHOR.
  5. The public /verify endpoint validates public identifiers and answers without exposing tenant, organization, proof, or certificate internal IDs in the response.
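As an added example (not the project's own code) of the last step: a /verify handler that validates the public identifier before any lookup and serializes a separate public struct, so tenant, organization, proof and certificate internal IDs cannot leak even when the internal record grows a column. The route shape /verify/{public_id}, the identifier pattern, the Store interface, the field names and the sample record are assumptions; CERTIFIED_NO_ANCHOR is the status from step 4.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"regexp"
	"strings"
	"time"
)

// certificate is the internal record as the workers see it. Everything except
// PublicID, Status and CertifiedAt is an internal identifier and must never be
// serialized by the public endpoint.
type certificate struct {
	ID             int64
	TenantID       int64
	OrganizationID int64
	ProofID        int64
	PublicID       string
	Status         string // e.g. CERTIFIED_NO_ANCHOR with the local noop chain
	CertifiedAt    time.Time
}

// VerifyResponse is the only shape /verify serializes. Using a distinct struct
// instead of tagging certificate fields with json:"-" means a new internal
// column cannot leak because someone forgot a tag.
type VerifyResponse struct {
	PublicID    string `json:"public_id"`
	Status      string `json:"status"`
	CertifiedAt string `json:"certified_at"`
}

// publicIDPattern is an assumed format for public identifiers: 16 to 64
// URL-safe characters. Anything else is rejected before any lookup runs.
var publicIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{16,64}$`)

// Store resolves a public identifier to its certificate.
type Store interface {
	ByPublicID(id string) (certificate, bool)
}

// memStore is a constructed in-memory stand-in for the database.
type memStore map[string]certificate

func (m memStore) ByPublicID(id string) (certificate, bool) { c, ok := m[id]; return c, ok }

// ToPublic projects the internal record onto the public response.
func ToPublic(c certificate) VerifyResponse {
	return VerifyResponse{
		PublicID:    c.PublicID,
		Status:      c.Status,
		CertifiedAt: c.CertifiedAt.UTC().Format(time.RFC3339),
	}
}

// VerifyHandler serves GET /verify/{public_id}: format check, lookup, then
// the public projection only. Responses are marked no-store so a shared cache
// never serves one requester's answer to another.
func VerifyHandler(s Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			w.Header().Set("Allow", http.MethodGet)
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		id := strings.TrimPrefix(r.URL.Path, "/verify/")
		if !publicIDPattern.MatchString(id) {
			http.Error(w, "invalid public identifier", http.StatusBadRequest)
			return
		}
		c, ok := s.ByPublicID(id)
		if !ok {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.Header().Set("Cache-Control", "no-store")
		_ = json.NewEncoder(w).Encode(ToPublic(c))
	})
}

// SampleStore holds one constructed record; its internal IDs exist only to
// show that they stay internal.
func SampleStore() memStore {
	return memStore{"pub_0123456789abcdef": {
		ID: 7, TenantID: 3, OrganizationID: 5, ProofID: 11,
		PublicID: "pub_0123456789abcdef", Status: "CERTIFIED_NO_ANCHOR",
		CertifiedAt: time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC),
	}}
}

func main() {
	log.Println("try: curl -i http://127.0.0.1:8080/verify/pub_0123456789abcdef")
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", VerifyHandler(SampleStore())))
}
```

The order of checks matters: a malformed identifier is rejected by a regular expression before the store is touched, so the database never sees attacker-shaped input, and the response struct is the only thing the encoder ever receives.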