Cloud Backend

The Cloud Backend is the central API server for the Monozu Cloud platform. It serves the Cloud SPA, handles Edge device communication, runs background jobs, and exposes internal M2M endpoints for the Management service.

| Component | Technology |
|---|---|
| Language | Go 1.26 |
| HTTP framework | Fiber v3 (fasthttp) |
| Database client | sqlx (manual SQL, no ORM) |
| Database | Azure SQL Server (MSSQL) |
| Auth | JWT (HS256), bcrypt, TOTP, OIDC |
| Logging | zerolog (structured JSON) |
| Observability | OpenTelemetry → Azure Application Insights |
| Migrations | Flyway (V1–V28) |

```text
Backend/
├── cmd/
│   └── server/
│       └── main.go       # Binary entry point
├── internal/
│   ├── app/              # Wiring: DI, route registration
│   ├── domain/           # ~35 bounded context packages
│   ├── db/               # sqlx setup, models, RLS helpers
│   ├── middleware/       # Auth, RBAC, logging, recovery
│   ├── services/         # Shared cross-domain services
│   ├── jobs/             # Background job runners
│   ├── websocket/        # WebSocket hub and handlers
│   └── rbac/             # Permission catalog
├── db/
│   └── migration/        # Flyway SQL files (V1–V28)
└── go.mod
```

All API routes are registered in internal/app/register_*.go files. Each file corresponds to a domain or feature group. Routes share the /api/v1 prefix.

| File pattern | Routes registered |
|---|---|
| register_auth.go | /api/v1/auth/* |
| register_assets.go | /api/v1/assets/* |
| register_incidents.go | /api/v1/incidents/* |
| register_security.go | /api/v1/security/* (optional) |
| register_internal.go | /internal/license/refresh |

Every domain follows: handler → service → repository (sqlx)

```text
domain/<name>/
├── handler.go      # HTTP handler, input parsing, response marshalling
├── service.go      # Business logic, cross-domain calls
└── repository.go   # sqlx queries against Azure SQL
```

Handlers are thin: they parse and validate input, call the service, and write the response. Business logic lives in the service layer.
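The following is an added example of the route-registration and handler → service → repository layering described above; it is not code from the Monozu Backend. To run stand-alone it swaps Fiber v3 for the standard library `net/http` mux and the sqlx/Azure SQL repository for an in-memory map. The `Asset` type, the `X-Tenant-ID` header (standing in for the tenant taken from verified JWT claims by the auth middleware) and all function names are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"sync"
)

// Asset is a constructed minimal model; the real schema is not on the page.
type Asset struct {
	ID       string `json:"id"`
	TenantID string `json:"tenant_id"`
	Hostname string `json:"hostname"`
}

var ErrNotFound = errors.New("asset not found")

// AssetRepository is the contract the service depends on (repository.go).
// The real one runs sqlx queries; this example uses an in-memory map.
type AssetRepository interface {
	GetByID(tenantID, id string) (Asset, error)
	Insert(a Asset) error
}

type memoryRepo struct {
	mu     sync.Mutex
	assets map[string]Asset
}

func NewMemoryRepo() *memoryRepo { return &memoryRepo{assets: map[string]Asset{}} }

// GetByID filters by tenant inside the lookup itself, mirroring the intent
// of passing tenant_id into every query rather than filtering afterwards.
func (r *memoryRepo) GetByID(tenantID, id string) (Asset, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	a, ok := r.assets[id]
	if !ok || a.TenantID != tenantID {
		return Asset{}, ErrNotFound // same answer for "missing" and "other tenant"
	}
	return a, nil
}

func (r *memoryRepo) Insert(a Asset) error {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.assets[a.ID] = a
	return nil
}

// AssetService holds the business rules (service.go); handlers never do.
type AssetService struct{ repo AssetRepository }

func NewAssetService(repo AssetRepository) *AssetService { return &AssetService{repo: repo} }

func (s *AssetService) Get(tenantID, id string) (Asset, error) {
	if tenantID == "" || id == "" {
		return Asset{}, errors.New("tenant and asset id are required")
	}
	return s.repo.GetByID(tenantID, id)
}

// AssetHandler is thin (handler.go): parse input, call service, write response.
type AssetHandler struct{ svc *AssetService }

func (h *AssetHandler) Get(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodGet {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
	tenantID := r.Header.Get("X-Tenant-ID") // assumption: stands in for auth-middleware claims
	id := strings.TrimPrefix(r.URL.Path, "/api/v1/assets/")
	a, err := h.svc.Get(tenantID, id)
	switch {
	case errors.Is(err, ErrNotFound):
		http.Error(w, "not found", http.StatusNotFound)
	case err != nil:
		http.Error(w, "bad request", http.StatusBadRequest)
	default:
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(a)
	}
}

// RegisterAssets plays the role of internal/app/register_assets.go:
// one function per feature group, every route under the /api/v1 prefix.
func RegisterAssets(mux *http.ServeMux, svc *AssetService) {
	h := &AssetHandler{svc: svc}
	mux.HandleFunc("/api/v1/assets/", h.Get)
}

// NewServer wires repository -> service -> handler, as internal/app does.
func NewServer(repo AssetRepository) http.Handler {
	mux := http.NewServeMux()
	RegisterAssets(mux, NewAssetService(repo))
	return mux
}

func main() {
	repo := NewMemoryRepo()
	_ = repo.Insert(Asset{ID: "a1", TenantID: "t1", Hostname: "edge-01"}) // constructed sample row
	_ = http.ListenAndServe(":8080", NewServer(repo))
}
```

The point worth carrying over to the real sqlx repository is that tenant scoping is a query parameter, not a post-filter, and that a cross-tenant lookup returns the same 404 as a missing row, so the handler cannot leak whether an asset id exists in another tenant.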

Long-running and scheduled operations run in internal/jobs/:

| Job | Trigger | Purpose |
|---|---|---|
| CVE feed sync | Scheduled | Pull new CVEs from NVD/CISA, store in catalog |
| Vulnerability matching | On demand / scheduled | Match CVE CPE to tenant assets |
| Audit log retention | Scheduled | Delete audit_logs older than tenant retention period |
| Security tool execution | On demand (via WebSocket) | Run investigation tools through VPN gateway |
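As an added example of how a scheduled job in internal/jobs/ can be structured, the block below sketches the audit log retention job from the table: per-tenant retention periods, tenant-scoped and batched deletes, and a ticker loop that stops on context cancellation. It is not the project's own code; the `RetentionStore` interface, the `AuditEntry` shape and the sample policies are assumptions, and an in-memory store replaces the sqlx repository so it runs offline.

```go
package main

import (
	"context"
	"log"
	"time"
)

// AuditEntry is a constructed stand-in for one row of audit_logs.
type AuditEntry struct {
	ID        int
	TenantID  string
	CreatedAt time.Time
}

// RetentionStore is what the job needs from the repository layer (assumed
// interface). The real implementation would issue sqlx DELETE statements.
type RetentionStore interface {
	RetentionDays() map[string]int // tenant id -> retention period in days
	DeleteOlderThan(tenantID string, cutoff time.Time, limit int) (int, error)
}

// RunRetentionOnce applies each tenant's own retention period. Deletes are
// scoped by tenant and batched so a large backlog cannot hold locks for long.
// It returns the number of rows deleted per tenant.
func RunRetentionOnce(ctx context.Context, store RetentionStore, now time.Time, batch int) (map[string]int, error) {
	deleted := map[string]int{}
	for tenant, days := range store.RetentionDays() {
		if days <= 0 { // no explicit policy: never delete implicitly
			continue
		}
		cutoff := now.Add(-time.Duration(days) * 24 * time.Hour)
		for {
			if err := ctx.Err(); err != nil {
				return deleted, err // stop cleanly on shutdown
			}
			n, err := store.DeleteOlderThan(tenant, cutoff, batch)
			if err != nil {
				return deleted, err
			}
			deleted[tenant] += n
			if n < batch { // last partial batch means nothing older remains
				break
			}
		}
	}
	return deleted, nil
}

// RunRetentionScheduled runs the job on a fixed interval until ctx ends.
func RunRetentionScheduled(ctx context.Context, store RetentionStore, every time.Duration) {
	t := time.NewTicker(every)
	defer t.Stop()
	for {
		select {
		case <-ctx.Done():
			return
		case <-t.C:
			if _, err := RunRetentionOnce(ctx, store, time.Now(), 1000); err != nil {
				log.Printf("audit retention: %v", err)
			}
		}
	}
}

// MemoryStore is an in-memory stand-in for the sqlx repository.
type MemoryStore struct {
	Policy  map[string]int
	Entries []AuditEntry
}

func (m *MemoryStore) RetentionDays() map[string]int { return m.Policy }

// DeleteOlderThan removes at most limit matching rows for one tenant only.
func (m *MemoryStore) DeleteOlderThan(tenantID string, cutoff time.Time, limit int) (int, error) {
	kept := m.Entries[:0]
	n := 0
	for _, e := range m.Entries {
		if n < limit && e.TenantID == tenantID && e.CreatedAt.Before(cutoff) {
			n++
			continue
		}
		kept = append(kept, e)
	}
	m.Entries = kept
	return n, nil
}

// SampleStore builds constructed data: two tenants with different policies
// and one tenant with no policy row at all.
func SampleStore(now time.Time) *MemoryStore {
	day := 24 * time.Hour
	return &MemoryStore{
		Policy: map[string]int{"t1": 30, "t2": 90},
		Entries: []AuditEntry{
			{1, "t1", now.Add(-10 * day)},
			{2, "t1", now.Add(-45 * day)},  // past t1's 30 days
			{3, "t2", now.Add(-45 * day)},  // within t2's 90 days
			{4, "t2", now.Add(-120 * day)}, // past t2's 90 days
			{5, "t3", now.Add(-400 * day)}, // no policy: untouched
		},
	}
}

func main() {
	store := SampleStore(time.Now())
	ctx, cancel := context.WithTimeout(context.Background(), 50*time.Millisecond)
	defer cancel()
	RunRetentionScheduled(ctx, store, 10*time.Millisecond)
	log.Printf("%d audit entries remain", len(store.Entries))
}
```

Two choices are deliberate: a tenant without a policy row is skipped rather than given a default, so a missing configuration can never widen deletion, and the delete is keyed on tenant id inside the store call, so the job cannot apply one tenant's period to another tenant's rows.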