The Cloud Backend is organized using Domain-Driven Design. All business logic lives in Backend/internal/domain/, split into ~35 bounded context packages.
```mermaid
flowchart TD
    subgraph Core
        auth[auth] --> tenant[tenant]
        tenant --> rbac[rbac]
        rbac --> audit[audit]
        audit --> settings[settings]
    end
    subgraph CMDB
        assets[assets] --> sites[sites]
        sites --> zones[zones]
        zones --> vendors[vendors]
        vendors --> edge_pkg[edge]
    end
    subgraph ITSM
        incidents[incidents] --> problems[problems]
        problems --> changes[changes]
        changes --> releases[releases]
        releases --> pir[pir]
        pir --> servicerequest[servicerequest]
        servicerequest --> maintenance[maintenance]
    end
    subgraph Security [Security - optional]
        sec[security] --> vulnerabilities[vulnerabilities]
        vulnerabilities --> cvefeed[cvefeed]
        cvefeed --> compliance[compliance]
        compliance --> playbooks[playbooks]
        playbooks --> attacktechniques[attacktechniques]
    end
    subgraph Operations [Operations - optional]
        backup[backup] --> vpn[vpn]
        vpn --> devices[devices]
    end
    subgraph Knowledge
        knowledge[knowledge] --> diagrams_pkg[diagrams]
    end
    subgraph Platform
        billing[billing] --> notifications[notifications]
        notifications --> integrations[integrations]
        integrations --> admin[admin]
        admin --> mgmt_pkg[management]
    end
    Core --> CMDB
    Core --> ITSM
    Core --> Platform
```
| Package | Responsibility |
| --- | --- |
| auth | Login, registration, TOTP MFA, OIDC callbacks, password reset, invitations |
| tenant | Tenant CRUD, onboarding flow, tenant status (pending/active) |
| rbac | Groups, permission assignment, catalog |
| audit | Immutable audit_logs for all mutating operations, retention policy, export |
| settings | License info, OIDC config, SSH/API keys, SLA policies, priority matrix |

| Package | Responsibility |
| --- | --- |
| assets | Asset CRUD, metadata, lifecycle, supervision, cross-links to ITSM |
| sites | Physical site registry |
| zones | Network zones and VLANs |
| vendors | Vendor registry, security assessments, vendor portal |
| edge | Edge appliance provisioning keys and registration |

| Package | Responsibility |
| --- | --- |
| incidents | Full incident lifecycle, SLA tracking, priority matrix, major incidents |
| problems | Problem records, root cause, workaround, links to incidents |
| changes | ITIL change requests, multi-stage approvals, state machine |
| releases | Release management, links to changes |
| pir | Post-incident reviews |
| servicerequest | Service catalog and request lifecycle |
| maintenance | Maintenance windows, calendar, email notifications |

| Package | Responsibility |
| --- | --- |
| security | Alert inbox, investigation terminal, SOC workflows |
| vulnerabilities | CVE records, remediation tracking, asset matching |
| cvefeed | NVD CVE API sync, CISA KEV sync, scheduled jobs |
| compliance | Frameworks, controls, evidence, posture scoring |
| playbooks | Automated alert response rules |
| attacktechniques | MITRE ATT&CK technique catalog and heatmap data |

| Package | Responsibility |
| --- | --- |
| backup | Backup repositories, folders, files (SHA-256 checksums), schedules, jobs |
| vpn | VPN gateways, access policies, session management |
| devices | Edge device command dispatch, OTA snap updates |

| Package | Responsibility |
| --- | --- |
| knowledge | Markdown articles, tags, publication status, ITSM cross-links |
| diagrams | Network diagrams (ReactFlow JSON), CRUD, versioning |

| Package | Responsibility |
| --- | --- |
| billing | License enforcement (blocks login for pending tenants) |
| notifications | In-app notification badge, email via Resend |
| integrations | Webhook ingest (POST /integrations/ingest/:token) |
| admin | Cross-tenant admin CRUD (requires ADMIN_PANEL_ENABLED=true) |
| management | M2M client for Management Backend communication |
```
Backend/internal/domain/<package>/
├── handler.go      # HTTP handlers
├── service.go      # Business logic
└── repository.go   # sqlx queries
```
The route for each domain is registered in Backend/internal/app/register_<package>.go.