Aggregate Roots¶

Target Architecture — Final-State Design

The 9 aggregate roots below form the domain model of the Runtime & Cloud Platform. Each is a consistency boundary owned by exactly one microservice, persisted via NHibernate, and the source of the domain events it emits. Naming follows the conventions: singular PascalCase nouns.

RuntimeEnvironment¶

Purpose — represents an isolated, Pulumi-provisioned runtime environment (a stage/region slice) that hosts generated SaaS workloads.

Fields — environmentId, tenantId, projectId, name, stage (dev/test/staging/prod), region, status, pulumiStackRef, isolationModel, createdAt, decommissionedAt.
Entities — ComputeTarget (per AKS/ACA/Functions/App Service surface, with its provisioned resource ids), NetworkBoundary.
Value Objects — EnvironmentStage, Region, IsolationModel (silo/pool/shared), ProvisioningStatus.
Invariants — an environment cannot accept deployments unless status = Provisioned; region and stage are immutable after provisioning; a prod environment requires a RuntimeTenantBinding before first deployment.
Domain Events — RuntimeEnvironmentProvisioned, RuntimeEnvironmentDecommissioned.
Repository — RuntimeEnvironmentRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate; one row per environment with child rows for compute targets.

RuntimeService¶

Purpose — the live inventory record of a single generated component running in an environment (gateway, microservice, worker, portal, mobile backend).

Fields — serviceId, tenantId, environmentId, moduleId, componentType, image, version, computeTarget, replicas, endpointUrl, status, lastObservedAt.
Entities — ServiceInstance (per replica/revision), EndpointBinding.
Value Objects — ComponentType (gateway/microservice/worker/admin-portal/customer-portal/mobile-backend), ImageReference, RuntimeStatus.
Invariants — version must match a known RuntimeDeployment for the environment; a service cannot be Running without at least one healthy instance; tenantId is immutable.
Domain Events — RuntimeInventoryUpdated, RuntimeServiceRetired.
Repository — RuntimeServiceRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate; reconciled by the RuntimeInventoryWorker.

RuntimeDeployment¶

Purpose — a single rollout of one or more generated components into an environment, with a health-gated, reversible state machine.

Fields — deploymentId, tenantId, environmentId, releaseRef, strategy, status, configurationId, startedAt, completedAt, previousDeploymentId.
Entities — DeploymentStep (per component rollout), HealthGate, RollbackPoint.
Value Objects — DeploymentStrategy (RollingHealthGated/BlueGreen/Canary), DeploymentStatus, ReleaseReference.
Invariants — a deployment cannot reach Completed unless all HealthGates pass; rollback targets must reference a prior Completed deployment; only one in-flight deployment per environment+component at a time.
Domain Events — RuntimeDeploymentRequested, RuntimeDeploymentCompleted, RuntimeDeploymentRolledBack.
Repository — RuntimeDeploymentRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate; step logs to Blob.

RuntimeConfiguration¶

Purpose — a versioned set of runtime configuration applied to workloads in an environment.

Fields — configurationId, tenantId, environmentId, version, status, appliedAt, checksum.
Entities — ConfigurationEntry (key/value/scope), ConfigurationScope.
Value Objects — ConfigVersion, ConfigScope (environment/service/tenant), Checksum.
Invariants — version is monotonic per environment; configuration entries never contain secret values (only SecretBinding references); a published version is immutable.
Domain Events — ConfigurationPublished, ConfigurationSynced.
Repository — RuntimeConfigurationRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate.

SecretBinding¶

Purpose — binds a workload to one or more Azure Key Vault secrets via managed identity, without materializing secret values.

Fields — secretBindingId, tenantId, environmentId, serviceId, keyVaultRef, secretName, currentVersion, rotationSchedule, status.
Entities — SecretReference (Key Vault URI + version), RotationRecord.
Value Objects — KeyVaultReference, RotationSchedule, ManagedIdentityRef.
Invariants — a binding references Key Vault only (no plaintext); rotation produces a new version without changing the binding identity; bindings are tenant- and environment-scoped.
Domain Events — SecretBound, SecretRotated.
Repository — SecretBindingRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate for metadata; secret material remains in Azure Key Vault.

ScalingPolicy¶

Purpose — declares how a running service scales against live telemetry and SLOs.

Fields — scalingPolicyId, tenantId, environmentId, serviceId, target, metric, minReplicas, maxReplicas, targetUtilizationPercent, scaleToZero, cooldownSeconds, status.
Entities — ScalingRule (metric → threshold → action), ScalingEvent (applied action history).
Value Objects — ScalingMetric (cpu/memory/queue-length/request-rate), ReplicaBounds, Cooldown.
Invariants — minReplicas ≤ maxReplicas; scaleToZero only permitted on event-driven targets (Container Apps/Functions); a policy applies to exactly one service.
Domain Events — ScalingPolicyApplied, ScalingPolicyViolated.
Repository — ScalingPolicyRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate.

HealthCheckResult¶

Purpose — an immutable record of a single health evaluation of a running service.

Fields — healthCheckResultId, tenantId, environmentId, serviceId, status, evaluatedAt, evaluationWindow.
Entities — CheckEntry (probe name/status/duration/data).
Value Objects — HealthStatus (Healthy/Degraded/Unhealthy), ProbeKind (self/liveness/readiness/dependency), LatencyMs.
Invariants — results are append-only and immutable; aggregate status is the worst of its CheckEntry statuses; each result belongs to exactly one service + window.
Domain Events — HealthCheckCompleted, HealthDegraded.
Repository — HealthCheckResultRepository.
Persistence — Azure SQL / PostgreSQL for recent results; telemetry detail to Application Insights.

RuntimeDriftFinding¶

Purpose — a detected divergence between actual runtime state and Git/Pulumi desired state.

Fields — findingId, tenantId, environmentId, serviceId, kind, desired, actual, severity, status, detectedAt, remediatedAt, remediationDeploymentId.
Entities — RemediationAttempt (action/result/timestamp).
Value Objects — DriftKind (ImageVersionMismatch/ReplicaMismatch/ConfigDrift/MissingResource/UnmanagedResource), Severity, DriftStatus.
Invariants — a finding cannot be Resolved without a recorded remediation or an accepted exception; duplicate findings with the same hash are merged; desired is always sourced from authoritative Git/Pulumi state.
Domain Events — RuntimeDriftDetected, RuntimeDriftRemediated.
Repository — RuntimeDriftFindingRepository.
Persistence — Azure SQL / PostgreSQL for findings; full state snapshots to Cosmos DB.

RuntimeTenantBinding¶

Purpose — binds a tenant to a runtime environment with an enforced isolation model, the cross-cutting multi-tenant boundary.

Fields — tenantBindingId, tenantId, environmentId, isolationModel, quota, networkPartition, dataPartition, status, boundAt.
Entities — QuotaAllocation (compute/storage/throughput limits), PartitionAssignment.
Value Objects — IsolationModel (silo/pool/shared), ResourceQuota, PartitionKey.
Invariants — a silo binding maps to a dedicated environment; quota allocations cannot exceed environment capacity; tenantId + environmentId is unique.
Domain Events — RuntimeTenantBound, RuntimeTenantQuotaAdjusted.
Repository — RuntimeTenantBindingRepository.
Persistence — Azure SQL / PostgreSQL via NHibernate.

Aggregate Relationships¶

flowchart TB
    Env["RuntimeEnvironment"] --> Svc["RuntimeService"]
    Env --> Dep["RuntimeDeployment"]
    Env --> TB["RuntimeTenantBinding"]
    Dep --> Cfg["RuntimeConfiguration"]
    Dep --> SB["SecretBinding"]
    Svc --> SP["ScalingPolicy"]
    Svc --> HC["HealthCheckResult"]
    Env --> DF["RuntimeDriftFinding"]
    DF --> Dep

Hold "Alt" / "Option" to enable pan & zoom