System Architecture
System Components
| Component | Responsibility |
|---|---|
identity-service | Authentication, JWT issuance, distributor provisioning, customer identity, and role/account claims |
customer-service | Distributor invites, customer assignment, and entitlement checks |
game-service | Authoritative two-player WHOT gameplay |
chat-service | Moderated encrypted messaging, receipts, retention, legal hold, and audit trails |
whot-ios | Native SwiftUI client for onboarding, gameplay, and entitled chat |
staff-console | Internal moderation interface |
gateway | NGINX routing layer for local service access |
Architecture Principles
- Each service owns one domain and its own persistence boundary.
- REST handles commands and queries; WebSockets handle live gameplay and live chat events.
- Authorization is explicit through JWT claims and trusted service-to-service credentials.
- Production hardening must preserve the documented service boundaries rather than collapsing them into shared state.
Principal Flows
Registration and onboarding
- A distributor is provisioned through the identity service.
- The customer service issues a single-use invite.
- Invite redemption creates a customer identity and relationship link.
- Downstream services use the relationship state and JWT claims to authorize access.
Gameplay
- A player creates a game invite.
- The recipient accepts or declines.
- The game service becomes the single source of truth for turn resolution and scorekeeping.
- WebSocket sessions stream live game events and reconnect support.
Chat
- Chat conversations are created only for entitled distributor-customer pairs.
- Messages are encrypted and stored with delivery/read state.
- Participant-facing copies disappear after both parties read them.
- Retained archives remain available for approved moderation workflows until expiry or legal-hold release.
Boundaries
identity-servicedoes not own gameplay or chat content.customer-servicedoes not authenticate users.game-servicedoes not manage relationships or chat.chat-servicedoes not decide who may be related; it consumes entitlement decisions.