System Architecture · v3.7.0
⌚ Seiko Watch Store
Platform
AI-Native · Event-Driven · Tri-Cloud · Production-Grade
🖥 Client Layer
React 18 + TypeScript
React SPA
Full frontend with shopping cart, dark mode, drag & drop, admin panel, chat widget
:3000
DOMPurify (XSS)
XSS Prevention
All dynamic content sanitized with DOMPurify before render
HttpOnly Cookies
Secure Token Storage
JWT stored in HttpOnly + SameSite=Strict cookies — no localStorage
CSP Headers
Content Security Policy
Inline scripts and unauthorized sources blocked at browser level
44 RTL Tests
React Testing Library
44 component/service tests across 5 test files
23 E2E Playwright
End-to-End Tests
23 Playwright tests with webServer auto-start, chromium, CI artifact
HTTPS · Nginx Reverse Proxy
⚙️ Backend — Express API
Node.js 20 + TypeScript
Express API
Fully typed backend, strict tsconfig, zero type errors
:5001
Keycloak OIDC
Authentication
JWKS-based JWT verification, RBAC roles: Admin / User / Agent
:8080
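What "JWKS-based JWT verification" plus the Admin / User / Agent roles amounts to in code, as an added example that is not the store's own middleware: the token's `kid` selects a key from the realm's JWKS, the algorithm is pinned server-side (never taken from the token), the signature is checked before any claim is trusted, then `iss`, `aud` and `exp` are enforced and the Keycloak `realm_access.roles` claim gates the route. The key pair, `kid`, issuer URL and audience are constructed for the demo; a real deployment fetches the JWKS from the realm's certs endpoint and caches it.

```typescript
// Added example (not the Seiko Watch Store's own code): JWKS lookup + ES256 JWT
// verification + Keycloak-style role check, all with Node's built-in crypto.
import * as crypto from "node:crypto";

type Jwk = crypto.JsonWebKey & { kid: string };
export type Claims = {
  iss: string;
  aud: string;
  exp: number;
  sub: string;
  realm_access?: { roles: string[] }; // where Keycloak places realm roles
};
export type Role = "Admin" | "User" | "Agent";

const b64u = (buf: Buffer): string => buf.toString("base64url");
const fromB64u = (s: string): Buffer => Buffer.from(s, "base64url");

// Constructed key pair standing in for the realm key Keycloak holds. Only the
// public half goes into the JWKS, which is all the API ever sees.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
export const KID = "demo-key-1";                                    // assumed kid
export const ISSUER = "https://keycloak.example/realms/watchstore"; // assumed realm URL
export const AUDIENCE = "watchstore-api";                           // assumed client id
export const JWKS: { keys: Jwk[] } = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: KID }] };

// Mints an ES256 token; exists only so the demo has something to verify offline.
export function signJwt(claims: Claims, kid: string): string {
  const header = b64u(Buffer.from(JSON.stringify({ alg: "ES256", typ: "JWT", kid }), "utf8"));
  const payload = b64u(Buffer.from(JSON.stringify(claims), "utf8"));
  const sig = crypto.sign("sha256", Buffer.from(`${header}.${payload}`, "utf8"),
    { key: privateKey, dsaEncoding: "ieee-p1363" }); // JOSE uses raw r||s, not DER
  return `${header}.${payload}.${b64u(sig)}`;
}

export function verifyJwt(token: string, jwks: { keys: Jwk[] }, now = Math.floor(Date.now() / 1000)): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts as [string, string, string];
  const header = JSON.parse(fromB64u(h).toString("utf8")) as { alg?: string; kid?: string };
  if (header.alg !== "ES256") throw new Error("unexpected alg");   // pin the algorithm server-side
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");                        // production: refresh JWKS once, then reject
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`, "utf8"),
    { key, dsaEncoding: "ieee-p1363" }, fromB64u(s));
  if (!ok) throw new Error("bad signature");
  const claims = JSON.parse(fromB64u(p).toString("utf8")) as Claims; // parse claims only after the signature holds
  if (claims.iss !== ISSUER) throw new Error("wrong issuer");
  if (claims.aud !== AUDIENCE) throw new Error("wrong audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}

// RBAC gate a route handler calls after verifyJwt: Admin / User / Agent.
export function hasRole(claims: Claims, role: Role): boolean {
  return claims.realm_access?.roles.includes(role) ?? false;
}
```

The order matters: a token whose payload has been edited to add `Admin` fails at the signature step and never reaches the role check, and a token signed under an unknown `kid` is rejected rather than tried against every key.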
Zod Validation
Input Validation
Schema validation on every endpoint. No unvalidated input reaches the DB
Helmet.js
Security Headers
X-Frame-Options, HSTS, CSP, X-Content-Type-Options set automatically
Rate Limiting
express-rate-limit
Per-user and per-IP request limits. AI chat: 10 req/min
Stripe Webhooks
Payment Processing
Payment Intents + webhook signature verification. Hardened in v3.1
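The webhook signature verification mentioned above, shown as an added example rather than the store's own route: Stripe sends a `Stripe-Signature` header of the form `t=<unix seconds>,v1=<hex>`, where `v1` is HMAC-SHA256 with the endpoint secret over the string `<t>.<raw request body>`. The verifier parses that header, rejects timestamps outside a replay window, and compares in constant time. The signing function, secret and event body are constructed for the demo; in production `stripe.webhooks.constructEvent` does this for you, and the logic below is what it has to get right.

```typescript
// Added example (not the store's own code): Stripe-Signature header verification
// with Node's built-in crypto. Secret and payloads are constructed for the demo.
import * as crypto from "node:crypto";

export const STRIPE_TOLERANCE_SEC = 300; // Stripe's default replay window

// Produces a header the way Stripe would; stands in for Stripe so the demo runs offline.
export function signStripePayload(rawBody: string, secret: string, timestampSec: number): string {
  const v1 = crypto.createHmac("sha256", secret).update(`${timestampSec}.${rawBody}`).digest("hex");
  return `t=${timestampSec},v1=${v1}`;
}

// True only if some v1 entry equals HMAC-SHA256(secret, "<t>.<rawBody>") and t is
// within the replay window. rawBody must be the exact bytes received.
export function verifyStripeSignature(rawBody: string, header: string, secret: string, nowSec: number): boolean {
  const fields = new Map<string, string[]>();
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) return false;
    const k = part.slice(0, eq).trim();
    const v = part.slice(eq + 1);
    fields.set(k, [...(fields.get(k) ?? []), v]);
  }
  const t = Number(fields.get("t")?.[0]);
  const candidates = fields.get("v1") ?? [];            // v0 entries are legacy and ignored
  if (!Number.isInteger(t) || candidates.length === 0) return false;
  if (Math.abs(nowSec - t) > STRIPE_TOLERANCE_SEC) return false;
  const expected = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  return candidates.some((hex) => {
    const given = Buffer.from(hex, "hex");
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  });
}
```

On Express the webhook route must be mounted with `express.raw({ type: "application/json" })` ahead of any JSON body parser: the HMAC covers the exact bytes Stripe sent, and a parsed-then-reserialized body will not match even when the JSON is semantically identical.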
Kafka Producer
server/kafka/producer.ts
Publishes order.placed events to Redpanda on every successful order
100 Tests · 97% Cov
Jest + Supertest
100 backend tests, 97% route coverage. Runs in CI on every push
🗄 Database
PostgreSQL 15
Primary Database
Parameterized queries throughout; no SQL is assembled from user input by string concatenation, which closes the classic injection vector (still verify on review: any raw query helper or dynamic identifier is where it would creep back in)
:5433
pgvector
Vector Embeddings
Ready for RAG semantic search — Phase 9 activation
node-pg-migrate
DB Migrations
Version-controlled schema migrations, reproducible across environments
integration_logs
Audit Table
Every integration event (success/failure/DLQ/AI analysis) persisted here
🤖 Claude AI Agent
Claude claude-opus-4-6
LLM Backbone
Server-side only — API key never exposed to client (backend proxy pattern)
Trigger.dev Jobs
Async Background Queue
chat-async · daily-report · low-stock-alert · order-confirmation · log-analyzer
AI Log Analyzer
Autonomous Ops (v3.7)
Hourly: queries integration_logs → Claude root-cause analysis → Jira ticket auto-created
RAG / pgvector
Semantic Search (Phase 9)
Natural language product search: "waterproof under €200" → vector similarity
📊 Observability Stack
Prometheus
Metrics Collection
RED metrics + business metrics: orders_created_total, watches_low_stock, ollama_chat_duration_ms
:9090
Grafana
Dashboards
API Health · Stock Intelligence · AI Operations · Integration Platform · Infrastructure
:3001
Alertmanager
Alert Routing
4 rules: IntegrationServiceDown · HighFailureRate · DLQMessages · CircuitBreakerOpen
:9093
Pino + Correlation ID
Structured Logging
JSON logs with x-correlation-id on every request. pino-pretty for local dev
Loki · ELK · Splunk
Log Aggregation
Loki+Promtail for K8s-native logs. ELK for full-text analytics. Splunk for enterprise SIEM
order.placed event
🔀 Event-Driven Integration Platform
Redpanda (Kafka)
Message Broker
Kafka-compatible. Topics: order.placed · orders.created.dlq
:9092
Go Consumer
integration-service/consumer
Reads order.placed events, routes to adapters. Goroutine-based concurrency
:8083
ServiceNow Adapter
adapters/servicenow.go
Adapter pattern — maps OrderEvent to ITSM incident/change ticket
Circuit Breaker
gobreaker (v3.4)
Opens after 5 consecutive adapter failures. Prevents cascade failure
Retry + Backoff
Resilience (v3.4)
1s → 2s → 4s exponential backoff, 3 attempts before DLQ
Dead Letter Queue
orders.created.dlq
Exhausted retries routed here. Grafana alert fires when DLQ fills
Chaos Engineering
SERVICENOW_CHAOS_FAILURE_RATE
Env var injects N% random failures. 10 consumer_test.go tests verify all resilience paths
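The four cards above (circuit breaker, retry with backoff, dead letter queue, chaos injection) describe one delivery path. The following is an added example that models that path, not the integration service's own Go code (which uses gobreaker and a Go retry loop). It reads "3 attempts before DLQ" as three retries after the first delivery, one per backoff step (1s, 2s, 4s), which is an assumption about the page's wording. The breaker opens after 5 consecutive adapter failures and fails fast while open; exhausted events land on the DLQ list that stands in for the `orders.created.dlq` topic. Sleep and clock are injected so the backoff schedule and breaker cooldown can be observed without waiting, and `chaosAdapter` plays the role that `SERVICENOW_CHAOS_FAILURE_RATE` plays in the real service.

```typescript
// Added example (not the integration-service's own code): retry + backoff,
// circuit breaker and DLQ routing for an order.placed consumer, in TypeScript.
export type OrderEvent = { orderId: string; total: number };
export type Outcome = { delivered: boolean; attempts: number; dlq: boolean; breakerOpen: boolean };

export class CircuitBreaker {
  private consecutiveFailures = 0;
  private openedAt: number | null = null;
  constructor(private readonly threshold = 5, private readonly cooldownMs = 30_000) {}

  // Open means "refuse calls". After the cooldown the breaker resets and lets
  // one probe call through (the half-open step); that call's result decides.
  isOpen(nowMs: number): boolean {
    if (this.openedAt === null) return false;
    if (nowMs - this.openedAt >= this.cooldownMs) {
      this.openedAt = null;
      this.consecutiveFailures = 0;
      return false;
    }
    return true;
  }
  onSuccess(): void { this.consecutiveFailures = 0; this.openedAt = null; }
  onFailure(nowMs: number): void {
    this.consecutiveFailures += 1;
    if (this.consecutiveFailures >= this.threshold) this.openedAt = nowMs;
  }
}

export class Consumer {
  readonly dlq: OrderEvent[] = [];   // stands in for the orders.created.dlq topic
  constructor(
    private readonly adapter: (e: OrderEvent) => void,          // throws on failure (e.g. ServiceNow 5xx)
    private readonly breaker = new CircuitBreaker(),
    private readonly sleep: (ms: number) => void = () => {},     // injected so tests need not wait
    private readonly clock: () => number = Date.now,
  ) {}

  handle(event: OrderEvent): Outcome {
    const maxRetries = 3;
    for (let attempt = 1; attempt <= 1 + maxRetries; attempt++) {
      const now = this.clock();
      if (this.breaker.isOpen(now)) return this.toDlq(event, attempt - 1, true); // fail fast, don't hammer a dead adapter
      try {
        this.adapter(event);
        this.breaker.onSuccess();
        return { delivered: true, attempts: attempt, dlq: false, breakerOpen: false };
      } catch {
        this.breaker.onFailure(now);
        if (attempt <= maxRetries) this.sleep(1000 * 2 ** (attempt - 1)); // 1s, 2s, 4s
      }
    }
    return this.toDlq(event, 1 + maxRetries, this.breaker.isOpen(this.clock()));
  }

  private toDlq(event: OrderEvent, attempts: number, breakerOpen: boolean): Outcome {
    this.dlq.push(event);
    return { delivered: false, attempts, dlq: true, breakerOpen };
  }
}

// Chaos adapter: fails a fixed fraction of calls, like SERVICENOW_CHAOS_FAILURE_RATE.
export function chaosAdapter(failureRate: number, rng: () => number = Math.random): (e: OrderEvent) => void {
  return () => { if (rng() < failureRate) throw new Error("servicenow: injected failure"); };
}
```

Two behaviours worth checking in any implementation of this pattern: once the breaker is open, an event goes to the DLQ with zero adapter calls rather than burning all retries, and a success after the cooldown resets the failure count so a single recovered request closes the breaker.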
Redpanda Console
Kafka Management UI
Topic browser, consumer group lag, message inspector
:8084
☁️ AWS · Live
ECS Fargate
Container Runtime
Backend 512 CPU units / 1 GB RAM · Frontend 256 CPU units / 512 MB RAM. Serverless containers
RDS PostgreSQL
Managed Database
PostgreSQL 15, KMS encryption, automated backups, parameter group
ALB
Application Load Balancer
Path routing: /api/* → backend · /* → frontend · eu-central-1
Secrets Manager
Secret Storage
DB password, Stripe keys, JWT secret. IAM least-privilege access
CloudWatch
Monitoring
Log groups, CPU/mem/ALB/RDS dashboard, 4 alarms
ECR
Container Registry
Backend + frontend image repos. OIDC push from GitHub Actions
☁️ Azure · Live
Container Apps
Container Runtime
Serverless containers, westeurope region, auto-scaling
PostgreSQL Flexible
Managed Database
Azure Database for PostgreSQL, private networking
Key Vault
Secret Management
Managed Identity — no credentials in code or env vars
Front Door
CDN + Ingress
HTTPS, custom domain, global CDN layer
ACR
Artifact Registry
Azure Container Registry. OIDC GitHub Actions push
Bicep / Terraform
IaC
Bicep for Azure-native, Terraform azurerm for multi-cloud parity
☁️ GCP · Ready
Cloud Run
Container Runtime
Terraform module: service, IAM bindings, traffic splitting
Cloud SQL
Managed Database
PostgreSQL, private IP, automated backups. terraform apply pending
Artifact Registry
Container Registry
Lifecycle policies, image scanning. Workload Identity Federation for OIDC
Secret Manager
Secret Storage
DB password, Stripe keys, JWT. Workload Identity — no long-lived keys
Terraform Modules
infra/gcp/modules/
cloud_run · cloud_sql · artifact_registry — all written, deploy pending
🚀 CI/CD Pipeline — GitHub Actions
tsc + ESLint
Type Check + Lint
TypeScript strict compile + ESLint on every push. Fails build on error
Jest (100 tests)
Backend Tests
100 tests, 97% coverage. Coverage HTML artifact uploaded
Playwright E2E
E2E Tests in CI
23 tests, chromium. webServer auto-start. Report uploaded as artifact
Go Build
Integration Service
Go build + test for integration-service on every push
ECR Push
Image Build & Push
Docker/Podman build → GHCR + ECR. Tagged :latest and :
OIDC (no secrets)
Secretless Deploy
GitHub OIDC federation → AWS + Azure. No long-lived credentials stored
Husky + commitlint
Pre-commit Gates
type-check + lint-staged on commit. Conventional commits enforced
Order Event Flow
Customer (React SPA) → POST /api/v1/orders → Express API (Zod · RBAC · Stripe) → order.placed → Redpanda (Kafka topic) → consume → Go Service (Retry · CB · DLQ) → adapt → ServiceNow (ITSM Ticket)
if failure → Claude AI (Log Analysis → Jira)
AWS ECS · eu-central-1 · Live
Azure Container Apps · westeurope · Live
GCP Cloud Run · Terraform Ready
Kubernetes · Phase 8
v3.7.0 · 167 tests · 97% coverage