Backend Implementation Plan
Detailed Backend Tasks (Auth / Core / Modules)
Section titled “Detailed Backend Tasks (Auth / Core / Modules)”Backend Documentation Structure
Section titled “Backend Documentation Structure”This phase is split into multiple documents:
-
Auth Backend (fully implemented API) → See: 2.1.-Backend-Auth.
-
Platform Core Backend (to implement) → See: 2.2.-Backend-Core.
-
Module Backends (Finance / Market / Touring / Venue / AI) → Defined in this document
0. Overview
Section titled “0. Overview”This document defines all backend work required to implement the Kisum platform architecture.
It is intentionally:
- long
- explicit
- implementation-focused
- non-abstract
This is not theory — this is what engineers should build.
1. AUTH BACKEND — FULL TASK BREAKDOWN
Section titled “1. AUTH BACKEND — FULL TASK BREAKDOWN”The Auth service is already implemented and should not be modified structurally.
It is responsible for:
- authentication (login / refresh / logout)
- JWT issuance and validation
- user management
- company memberships
- roles and permissions (grants)
- access aggregation (
/auth/me/access)
For full API details, refer to:
👉 2.1.-Backend-Auth.md
Auth depends on Platform Core for company entitlements.
See Core implementation in section:
👉 2.2.-Backend-Core.md
Important integration note
Section titled “Important integration note”Auth integrates with Platform Core to resolve company entitlements.
Flow:
- Frontend calls
/auth/me/access - Auth loads:
- user grants (Auth DB)
- Auth calls Platform Core:
GET /internal/companies/{companyId}/entitlements
- Auth merges:
effectiveAccess = entitlements ∩ userGrants- Auth returns final access model
1.1 Service bootstrap
Section titled “1.1 Service bootstrap”- Initialize backend service
- Setup:
- config loader (env-based)
- logger (structured JSON logs)
- HTTP router
- middleware stack
- graceful shutdown
Must include
Section titled “Must include”- request ID middleware
- panic recovery middleware
- timeout middleware
- CORS config (for frontend)
1.2 Database setup (PostgreSQL)
Section titled “1.2 Database setup (PostgreSQL)”Tables
Section titled “Tables”- users
- sessions
- company_memberships
- membership_module_grants
- permissions
- membership_permissions
- membership_delegation_policies
- create migrations
- setup connection pooling
- add retry logic
- validate schema at startup
1.3 Redis setup
Section titled “1.3 Redis setup”Purpose
Section titled “Purpose”- access cache
- session cache
- revocation
- rate limits
- connect Redis client
- namespace keys
- implement TTL strategy
- add fallback if Redis down
1.4 JWT system
Section titled “1.4 JWT system”- generate RSA keypair
- expose JWKS endpoint
- implement token signing
- implement token verification
Validate
Section titled “Validate”- exp
- iss
- aud
- tokenVersion
- sessionId
1.5 Session system
Section titled “1.5 Session system”- create session on login
- store hashed refresh token
- revoke session
- revoke all sessions
- check session validity on request
1.6 Auth endpoints
Section titled “1.6 Auth endpoints”Implement:
Section titled “Implement:”POST /auth/login
POST /auth/refresh
POST /auth/logout
POST /auth/logout-all
GET /auth/me
GET /auth/me/access
- validate inputs
- standardize responses
- implement error codes
- rate limit login
1.7 Membership + access system
Section titled “1.7 Membership + access system”- load membership by user + company
- load module grants
- load permissions
- load delegation
1.8 Access aggregation
Section titled “1.8 Access aggregation”Module resolution rules
Section titled “Module resolution rules”Modules must be computed as:
enabledModules = (Basic package modules IF active) + (all active addon modules)
Example:
- Basic inactive
- Addons: finance, market
→ enabledModules = [“finance”, “market”]
- Basic active
- Addons: finance
→ enabledModules = [“basic”, “finance”]
- load membership
- call Core
- merge
- compute effective modules
- compute permissions
- compute delegation
- cache result
1.9 Access cache
Section titled “1.9 Access cache”Key format
Section titled “Key format”access:{company}:{membership}:{version}
- store cache
- invalidate on change
- fallback to DB if miss
1.10 Tenant management APIs
Section titled “1.10 Tenant management APIs”- list users
- create membership
- update membership
- grant modules
- revoke modules
- grant permissions
- revoke permissions
- update delegation
2. PLATFORM CORE BACKEND
Section titled “2. PLATFORM CORE BACKEND”2.1 Service bootstrap
Section titled “2.1 Service bootstrap”- same structure as Auth
- internal API only
2.2 Database
Section titled “2.2 Database”Tables
Section titled “Tables”- modules
- packages
- addons
- package_modules
- addon_modules
- company_subscriptions
- company_addons
2.3 Catalog management
Section titled “2.3 Catalog management”- CRUD modules
- CRUD packages
- CRUD addons
- mapping tables
2.4 Company entitlements
Section titled “2.4 Company entitlements”- activate Basic
- deactivate Basic
- activate addon
- deactivate addon
- update dates
- update status
- bump version
2.5 Core APIs
Section titled “2.5 Core APIs”Company entitlements (used by Auth)
Section titled “Company entitlements (used by Auth)”GET /internal/companies/{companyId}/entitlements
Returns:
- active Basic subscription
- active addons
- enabled modules
- entitlementVersion
Catalog APIs (used by Platform Admin)
Section titled “Catalog APIs (used by Platform Admin)”GET /internal/catalog/modules
GET /internal/catalog/packages
GET /internal/catalog/addons
POST /internal/catalog/modules
POST /internal/catalog/packages
POST /internal/catalog/addons
Company subscription management
Section titled “Company subscription management”POST /internal/companies/{companyId}/basic
POST /internal/companies/{companyId}/addons
- These endpoints are internal only
- Must require service-to-service authentication
- Must NOT be exposed publicly
2.6 Entitlement invalidation
Section titled “2.6 Entitlement invalidation”- bump version
- notify Auth
- clear cache
3. BUSINESS BACKENDS
Section titled “3. BUSINESS BACKENDS”3.1 Shared middleware
Section titled “3.1 Shared middleware”Every backend MUST:
- validate JWT
- resolve x-org
- load access from Auth:
GET /auth/me/access- check module
- check permission
- proceed or 403
3.2 Basic Backend
Section titled “3.2 Basic Backend”- requires Basic subscription
- requires basic module
3.3 Finance Backend
Section titled “3.3 Finance Backend”- MUST check module:
module = "finance"- MUST check permission:
finance.*- MUST reject if:
module disabled → 403 permission missing → 4033.4 Market Backend
Section titled “3.4 Market Backend”- requires market module
3.5 Touring Backend
Section titled “3.5 Touring Backend”- requires touring module
3.6 Venue Backend
Section titled “3.6 Venue Backend”- requires venue module
3.7 AI Backend
Section titled “3.7 AI Backend”- requires ai module
4. CROSS-SERVICE TASKS
Section titled “4. CROSS-SERVICE TASKS”4.1 x-org
Section titled “4.1 x-org”- must be required header
- must resolve company
4.2 Caching
Section titled “4.2 Caching”- implement Redis keys
- implement invalidation
4.3 Observability
Section titled “4.3 Observability”Track:
Section titled “Track:”- login errors
- auth failures
- permission denials
- cache hits/misses
4.4 Internal service authentication
Section titled “4.4 Internal service authentication”All internal calls must be secured.
Required for:
- Auth → Core
- Backends → Auth (optional)
Options:
- internal JWT
- shared secret
- mTLS (preferred for production)
Never expose internal endpoints publicly.
5. PLATFORM ADMIN BACKEND
Section titled “5. PLATFORM ADMIN BACKEND”This backend interacts with Platform Core.
- manage packages (Core)
- manage modules (Core)
- manage permissions (Auth)
- approve companies
- manage subscriptions (Core)
6. FINAL RULES
Section titled “6. FINAL RULES”- Auth = access truth
- Core = commercial truth
- Backend = execution
- Frontend = UI only