@bluealba/platform-cli 1.0.1 → 1.0.2

package/docs/architecture/gateway-architecture.mdx

@@ -0,0 +1,845 @@
+---
+title: Gateway Service Architecture
+description: Deep dive into the PAE NestJS Gateway Service - routing, proxying, HTTP/2, WebSocket, catalog integration, and platform context
+---
+
+import { Card, CardGrid, Aside, Tabs, TabItem } from '@astrojs/starlight/components';
+
+The **PAE NestJS Gateway Service** is the central entry point for all platform traffic. Built with NestJS and Fastify, it handles authentication, authorization, routing, and request proxying to backend services and micro-frontends.
+
+## Role and Responsibilities
+
+The gateway acts as a **reverse proxy** and **API gateway** with the following responsibilities:
+
+<CardGrid stagger>
+  <Card title="Traffic Entry Point" icon="star">
+    Single entry point for all HTTP and WebSocket traffic, handling SSL termination and HTTP/2
+  </Card>
+
+  <Card title="Authentication" icon="approve-check">
+    Validates JWT tokens, API keys, and service credentials for every request
+  </Card>
+
+  <Card title="Authorization" icon="shield">
+    Enforces RBAC policies and operation-based access control before proxying requests
+  </Card>
+
+  <Card title="Request Routing" icon="random">
+    Resolves target services dynamically using the catalog and forwards requests
+  </Card>
+
+  <Card title="Context Management" icon="seti:json">
+    Manages tenant, user, and application context throughout request lifecycle
+  </Card>
+
+  <Card title="Header Enrichment" icon="seti:config">
+    Adds platform context headers to forwarded requests for downstream services
+  </Card>
+</CardGrid>
+
+---
+
+## Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                    PAE NestJS Gateway                            │
+│                                                                  │
+│  ┌────────────────────────────────────────────────────────────┐ │
+│  │                    HTTP/2 Server (Fastify)                 │ │
+│  │              SSL/TLS Termination                           │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+│                       │                                          │
+│  ┌────────────────────▼───────────────────────────────────────┐ │
+│  │               Authentication Middleware                    │ │
+│  │  • JWT Validation (Cookie-based)                          │ │
+│  │  • API Key Validation                                     │ │
+│  │  • Service-to-Service Auth                                │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+│                       │                                          │
+│  ┌────────────────────▼───────────────────────────────────────┐ │
+│  │              Tenant Resolution Middleware                  │ │
+│  │  • Subdomain Pattern Matching                             │ │
+│  │  • URL Pattern Matching                                   │ │
+│  │  • Cookie/Header-based Resolution                         │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+│                       │                                          │
+│  ┌────────────────────▼───────────────────────────────────────┐ │
+│  │            Platform Context Setup                          │ │
+│  │  • Store tenant, user, app in request context             │ │
+│  │  • Validate tenant access for user                        │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+│                       │                                          │
+│  ┌────────────────────▼───────────────────────────────────────┐ │
+│  │              Catalog Route Resolution                      │ │
+│  │  • Query catalog for target module                        │ │
+│  │  • Match request path to module routes                    │ │
+│  │  • Handle tenant-based module restrictions                │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+│                       │                                          │
+│  ┌────────────────────▼───────────────────────────────────────┐ │
+│  │              Authorization Guard                           │ │
+│  │  • Check user has required operations                     │ │
+│  │  • Evaluate authorization rules                           │ │
+│  │  • Enforce tenant-scoped access                           │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+│                       │                                          │
+│  ┌────────────────────▼───────────────────────────────────────┐ │
+│  │              Proxy Middleware                              │ │
+│  │  • Add forwarding headers                                 │ │
+│  │  • Sign requests for cloud functions                      │ │
+│  │  • Forward to target service                              │ │
+│  └────────────────────┬───────────────────────────────────────┘ │
+└────────────────────────┼───────────────────────────────────────┘
+                         │
+        ┌────────────────┼────────────────┐
+        ▼                ▼                ▼
+   ┌─────────┐    ┌──────────┐    ┌──────────────┐
+   │ Service │    │   UI     │    │   Lambda     │
+   │   A     │    │  Shell   │    │  Function    │
+   └─────────┘    └──────────┘    └──────────────┘
+```
+
+---
+
+## Core Modules
+
+### 1. Authentication Module
+
+Handles all authentication mechanisms.
+
+**Location**: `apps/pae-nestjs-gateway-service/src/authentication/`
+
+**Key Components**:
+- `authentication.service.ts` - Core authentication logic
+- `guards/auth.guard.ts` - Authentication guard for routes
+- `guards/auth.middleware.ts` - Authentication middleware
+- `api-keys/` - API key authentication
+- `oauth-providers/` - Multi-IDP OAuth support
+- `impersonation/` - User impersonation feature
+
+**Supported Authentication Methods**:
+
+<Tabs>
+  <TabItem label="JWT Cookie">
+    ```typescript
+    // Extract JWT from HTTP-only cookie
+    const token = request.cookies[AUTH_COOKIE_NAME];
+    const user = await jwtService.verify(token, { secret });
+
+    // Decoded JWT contains:
+    {
+      id: 'user-123',
+      username: 'john@acme.com',
+      displayName: 'John Doe',
+      tenantId: 'acme',
+      groups: ['admins', 'users'],
+      applications: ['app-1', 'app-2']
+    }
+    ```
+  </TabItem>
+
+  <TabItem label="API Key">
+    ```typescript
+    // Extract API key from Authorization header
+    const apiKey = extractBearerToken(request);
+
+    // Validate against database
+    const user = await apiKeysService.getUserForApiKey(apiKey);
+
+    // Returns user context if valid
+    ```
+  </TabItem>
+
+  <TabItem label="Service-to-Service">
+    ```typescript
+    // Special case: SERVICE_ACCESS_SECRET
+    if (apiKey === process.env.SERVICE_ACCESS_SECRET) {
+      return {
+        id: 'service',
+        username: 'service',
+        displayName: 'Service Account',
+        authProviderName: 'service-access',
+        groups: [],
+        applications: []
+      };
+    }
+    ```
+  </TabItem>
+</Tabs>
+
+<Aside type="note">
+  The authentication guard runs on **every request** except public routes. Public routes are marked with `@Public()` decorator or match configured passthrough patterns.
+</Aside>
+
+---
+
+### 2. Authorization Module
+
+Enforces access control policies.
+
+**Location**: `apps/pae-nestjs-gateway-service/src/authorization/`
+
+**Key Components**:
+- `authorization.service.ts` - Authorization logic
+- `authorization.guard.ts` - Authorization guard
+
+**Authorization Flow**:
+
+```typescript
+async authorizeRequest(context: ExecutionContext, username: string, tenantId?: number) {
+  // 1. Get user's allowed resources (applications + operations), filtered by tenant
+  const allowedResources = await authzService.getAuthorizedResourcesForUser(username, tenantId);
+
+  // 2. Get catalog and resolve target module
+  const catalog = await catalogService.getCatalog();
+  const targetModule = catalogService.resolveTargetModule(catalog, requestPath);
+
+  // 3. Check if user is authorized for this module/path/method
+  const isAuthorized = paeInstance.isAuthorized(
+    targetModule,
+    catalog,
+    allowedResources,
+    requestPath,
+    requestMethod
+  );
+
+  // 4. Add authorization headers for downstream services
+  this.addAuthzHeaders(context, allowedResources);
+
+  return isAuthorized;
+}
+```
+
+**Authorization Headers Added**:
+
+```http
+x-forwarded-user-operations: users::read,users::write,orders::read
+```
+
+---
+
+### 3. Tenant Module
+
+Manages multi-tenancy.
+
+**Location**: `apps/pae-nestjs-gateway-service/src/tenants/`
+
+**Key Components**:
+- `tenants.service.ts` - Tenant CRUD operations
+- `tenant-resolver.service.ts` - Tenant resolution from requests
+- `pattern-matchers/` - URL pattern matching strategies
+- `tenant.guard.ts` - Tenant validation guard
+
+**Tenant Resolution Strategies**:
+
+<Tabs>
+  <TabItem label="Subdomain">
+    ```typescript
+    // Extract tenant from subdomain
+    // acme.platform.com → tenant: 'acme'
+
+    const host = req.headers.host; // 'acme.platform.com'
+    const subdomain = host.split('.')[0]; // 'acme'
+    const tenant = await tenantsService.findByCode(subdomain);
+    ```
+  </TabItem>
+
+  <TabItem label="Path">
+    ```typescript
+    // Extract tenant from URL path
+    // platform.com/tenants/acme/app → tenant: 'acme'
+
+    const pathPattern = '/tenants/:tenantCode/*';
+    const match = matchPath(req.url, pathPattern);
+    const tenant = await tenantsService.findByCode(match.tenantCode);
+    ```
+  </TabItem>
+
+  <TabItem label="Header">
+    ```typescript
+    // Extract tenant from custom header
+    // x-tenant-id: acme → tenant: 'acme'
+
+    const tenantCode = req.headers['x-tenant-id'];
+    const tenant = await tenantsService.findByCode(tenantCode);
+    ```
+  </TabItem>
+
+  <TabItem label="Cookie">
+    ```typescript
+    // Extract tenant from cookie
+    // tenant=acme → tenant: 'acme'
+
+    const tenantCode = req.cookies['tenant'];
+    const tenant = await tenantsService.findByCode(tenantCode);
+    ```
+  </TabItem>
+
+  <TabItem label="Query Param">
+    ```typescript
+    // Extract tenant from query parameter
+    // ?tenant=acme → tenant: 'acme'
+
+    const tenantCode = req.query.tenant;
+    const tenant = await tenantsService.findByCode(tenantCode);
+    ```
+  </TabItem>
+</Tabs>
+
+**Tenant URL Patterns**:
+
+Tenants can be configured with multiple URL patterns:
+
+```typescript
+interface TenantUrlPattern {
+  id: string;
+  tenantId: string;
+  type: 'SUBDOMAIN' | 'PATH' | 'CUSTOM_DOMAIN' | 'QUERY_PARAM' | 'HEADER';
+  pattern: string;
+  priority: number; // Higher priority patterns checked first
+}
+
+// Examples:
+{
+  type: 'SUBDOMAIN',
+  pattern: 'acme.platform.com'
+}
+
+{
+  type: 'CUSTOM_DOMAIN',
+  pattern: 'acme-corp.com'
+}
+
+{
+  type: 'PATH',
+  pattern: '/t/acme/*'
+}
+```
+
+---
+
+### 4. Catalog Module
+
+Dynamic service registry and route resolution.
+
+**Location**: `apps/pae-nestjs-gateway-service/src/catalog/`
+
+**Key Components**:
+- `catalog.service.ts` - Catalog management
+- `catalog.repository.ts` - Data persistence
+- `catalog-gateway.service.ts` - Gateway-specific catalog logic
+
+**Catalog Structure**:
+
+```typescript
+interface CatalogItem {
+  id: string;
+  name: string;
+  code: string;
+  type: 'service' | 'app' | 'tool' | 'cloud-function' | 'utility' | 'documentation';
+  baseUrl: string;
+
+  protocol?: 'http' | 'https';
+  port: number;
+
+  ui?: {
+    route: string;
+    bundleFile: string;
+    mountAtSelector: string;
+    customProps: {};
+  };
+
+
+  // Authorization
+  authorization: {
+    operations?: string[];
+    isPublic?: boolean;
+    routes?: {}  
+  }
+
+  // Metadata
+  createdAt: Date;
+  createdBy: string;
+  updatedAt: Date;
+  updatedBy: string;
+}
+```
+
+**Route Resolution**:
+
+```typescript
+// Example: Resolve target for /api/habits/123
+const catalog = await catalogService.getCatalog();
+const targetModule = catalogService.resolveTargetModule(catalog, '/api/habits/123');
+
+// Returns:
+{
+  name: 'habits-service',
+  type: 'service',
+  baseUrl: '/api/habits',
+  protocol: 'http',
+  port: 80
+}
+```
+
+**Tenant-Scoped Catalog**:
+
+The catalog can be filtered by tenant to restrict available modules:
+
+```typescript
+// Get catalog filtered by tenant
+const catalog = await catalogService.getCatalog(tenantId);
+
+// Only returns modules assigned to this tenant
+// via tenant_application_restrictions table
+```
+
+---
+
+### 5. Proxy Module
+
+Forwards requests to target services.
+
+**Location**: `apps/pae-nestjs-gateway-service/src/proxy/`
+
+**Key Components**:
+- `proxy.service.ts` - Request forwarding logic
+- `proxy.middleware.ts` - Proxy middleware
+- `build-forward-url.ts` - URL construction
+
+**Proxy Flow**:
+
+```typescript
+async forwardRequest(targetModule: CatalogItem, req: FastifyRequest, reply: FastifyReply) {
+  // 1. Build target URL
+  const targetUrl = buildForwardURL(targetModule, req, tenantConfig, impersonationMode);
+
+  // 2. Add forward headers
+  const forwardHeaders = {
+    'x-forwarded-host': req.headers.host,
+    'x-forwarded-server': localIpAddress,
+    'x-forwarded-uri': req.url,
+    'x-forwarded-proto': req.protocol,
+    'x-forwarded-for': req.ip,
+    'x-forwarded-user-id': user.id,
+    'x-forwarded-user': user.username,
+    'x-forwarded-user-name': user.displayName,
+    'x-forwarded-user-operations': Array.from(allowedOperations).join(','),
+    'x-forwarded-tenant-config': base64(tenant),
+    'x-forwarded-tenant': base64(tenant),           // only in multi-tenant mode
+    'x-forwarded-allowed-tenants': base64(tenant),  // only in multi-tenant mode
+  };
+
+  // 3. Sign request if cloud function requires it
+  if (targetModule.cloudFunction?.requiresSignature) {
+    const signature = await signCloudFunctionRequest(req, targetModule, targetUrl);
+    Object.assign(forwardHeaders, signature);
+  }
+
+  // 4. Forward request using Fastify reply-from
+  reply.from(targetUrl, {
+    rewriteRequestHeaders: (_, headers) => ({
+      ...headers,
+      ...forwardHeaders
+    })
+  });
+}
+```
+
+**Forward Headers**:
+
+The gateway adds these headers to every proxied request:
+
+```http
+x-forwarded-host: platform.com
+x-forwarded-server: 192.168.1.10
+x-forwarded-uri: /api/habits/123
+x-forwarded-protocol: https
+x-forwarded-for: 203.0.113.45
+x-forwarded-user-id: john@acme.com
+x-forwarded-user: john@acme.com
+x-forwarded-user-name: John Doe
+x-forwarded-auth-provider-name: okta
+x-forwarded-tenant: eyJ0ZW5hbnRJZCI6ImFjbWUifQ==
+x-forwarded-tenant-config: eyJtb2RlIjoibXVsdGktdGVuYW50In0=
+x-forwarded-allowed-tenants: W3siaWQiOiJhY21lIn1d
+x-forwarded-user-operations: habits.read,habits.write,habits.delete
+```
+
+<Aside type="tip" title="Service Implementation">
+  Backend services should extract these headers to get platform context. The `pae-service-nestjs-sdk` provides decorators to automatically extract context:
+
+  ```typescript
+  @Get()
+  async findAll(@PlatformContext() ctx: PlatformContext) {
+    // ctx contains tenant, user, and other context
+  }
+  ```
+</Aside>
+
+---
+
+### 6. Platform Context Module
+
+Manages request-scoped context.
+
+**Location**: `apps/pae-nestjs-gateway-service/src/platform-context/`
+
+**Key Component**:
+- `context/context.service.ts` - Context management using nestjs-cls
+
+**Context Storage**:
+
+The gateway uses `nestjs-cls` (Continuation-Local Storage) to store request-scoped data:
+
+```typescript
+@Injectable()
+export class PlatformContextService {
+  constructor(private readonly cls: ClsService) {}
+
+  // Store session
+  setSession(session: Session) {
+    this.cls.set('pae::session', session);
+  }
+
+  // Store user
+  setAuthUser(user: AuthUserWithApplications) {
+    this.cls.set('pae::authUser', user);
+  }
+
+  // Store tenant
+  setTenant(tenant: Tenant | null) {
+    this.cls.set('tenant', tenant);
+  }
+
+  // Store target module
+  setTargetModule(targetModule: CatalogItem) {
+    this.cls.set('targetModule', targetModule);
+  }
+
+  // Retrieve from context
+  getAuthUser(): AuthUserWithApplications {
+    return this.cls.get('pae::authUser');
+  }
+}
+```
+
+**Context Flow**:
+
+```
+1. Request arrives
+2. Authentication middleware → setSession(), setAuthUser()
+3. Tenant middleware → setTenant()
+4. Catalog middleware → setTargetModule()
+5. Any service/guard can access context via PlatformContextService
+6. Request completes → context automatically cleaned up
+```
+
+---
+
+## HTTP/2 and WebSocket Support
+
+### HTTP/2 Configuration
+
+The gateway uses Fastify with HTTP/2 support:
+
+```typescript
+// apps/pae-nestjs-gateway-service/src/main.ts
+const httpsOptions = {
+  http2: true,
+  https: {
+    key: fs.readFileSync(process.env.SSL_KEY_PATH),
+    cert: fs.readFileSync(process.env.SSL_CERT_PATH)
+  }
+};
+
+const app = await NestFactory.create<FastifyAdapter>(
+  AppModule,
+  new FastifyAdapter(httpsOptions)
+);
+
+await app.listen(443, '0.0.0.0');
+```
+
+**HTTP/2 Benefits**:
+- Multiplexing: Multiple requests over single connection
+- Header compression: Reduces bandwidth
+- Server push: Proactive resource delivery
+- Binary protocol: Faster parsing
+
+### WebSocket Support
+
+The gateway supports WebSocket connections:
+
+```typescript
+// WebSocket proxying
+const targetWsUrl = targetModule.serviceUrl.replace('http', 'ws');
+
+// Forward WebSocket upgrade
+reply.hijack();
+const ws = new WebSocket(targetWsUrl, {
+  headers: forwardHeaders
+});
+
+// Pipe messages bidirectionally
+clientWs.on('message', data => ws.send(data));
+ws.on('message', data => clientWs.send(data));
+```
+
+---
+
+## Lambda Function Integration
+
+The gateway can route to AWS Lambda functions (or other cloud functions).
+
+**Lambda Configuration**:
+
+```typescript
+// Register Lambda function in catalog
+{
+  code: 'pdf-generator',
+  name: 'PDF Generator Function',
+  type: 'CLOUD_FUNCTION',
+  baseUrl: '/api/pdf',
+  cloudFunction: {
+    provider: 'AWS_LAMBDA',
+    functionName: 'pae-pdf-generator',
+    region: 'us-east-1',
+    requiresSignature: true
+  }
+}
+```
+
+**Request Signing**:
+
+For functions that require AWS Signature V4:
+
+```typescript
+// apps/pae-nestjs-gateway-service/src/proxy/create-cloud-function-signer.ts
+export const createCloudFunctionSigner = (module: CatalogItem, targetUrl: string) => {
+  return async (req: FastifyRequest) => {
+    const signature = aws4.sign({
+      service: 'lambda',
+      region: module.cloudFunction.region,
+      method: req.method,
+      path: new URL(targetUrl).pathname,
+      headers: {
+        'content-type': req.headers['content-type'],
+        'host': new URL(targetUrl).host
+      },
+      body: req.body
+    }, {
+      accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
+    });
+
+    return signature.headers;
+  };
+};
+```
+
+---
+
+## Configuration
+
+### Environment Variables
+
+The gateway requires these environment variables:
+
+<Tabs>
+  <TabItem label="Core">
+    ```bash
+    # Service Access
+    SERVICE_ACCESS_SECRET=secret-for-service-to-service-auth
+    JWT_SECRET=secret-for-jwt-validation
+
+    # Authentication Service
+    AUTHN_SERVICE_URL=http://pae-authn-service:4000
+
+    # Ports
+    HTTP_PORT=80
+    HTTPS_PORT=443
+    ```
+  </TabItem>
+
+  <TabItem label="HTTPS">
+    ```bash
+    # HTTPS Configuration
+    HTTPS=true
+    HTTP2=true
+    SSL_CERT_PATH=/etc/ssl/cert.pem
+    SSL_KEY_PATH=/etc/ssl/key.pem
+    ```
+  </TabItem>
+
+  <TabItem label="Database">
+    ```bash
+    # Database
+    DB_CLIENT=pg
+    DB_URL=postgresql://user:pass@host:5432/db
+    ```
+  </TabItem>
+
+  <TabItem label="Optional">
+    ```bash
+    # Logging
+    LOG_LEVEL=debug
+    LOG_JSON=true
+
+    # Observability
+    TRACE_URL=http://jaeger:14268/api/traces
+
+    # Auth Passthrough (regex)
+    AUTH_PASSTHROUGH_PATTERN=^/_/.*
+
+    # AWS (for Lambda)
+    AWS_REGION=us-east-1
+    AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+    AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+    ```
+  </TabItem>
+</Tabs>
+
+---
+
+## Performance Considerations
+
+### Connection Pooling
+
+The gateway maintains connection pools to backend services:
+
+```typescript
+// Fastify reply-from configuration
+app.register(fastifyReplyFrom, {
+  base: targetUrl,
+  // Connection pool settings
+  http: {
+    connections: 100, // Max connections per host
+    pipelining: 10    // Max pipelined requests
+  }
+});
+```
+
+### Caching
+
+The catalog is cached to avoid database queries on every request:
+
+```typescript
+// Cache catalog in memory with TTL
+private catalogCache: {
+  data: CatalogItem[];
+  timestamp: number;
+  ttl: number; // 5 minutes
+};
+
+async getCatalog() {
+  if (this.isCacheValid()) {
+    return this.catalogCache.data;
+  }
+
+  const catalog = await this.catalogRepository.findAll();
+  this.catalogCache = {
+    data: catalog,
+    timestamp: Date.now(),
+    ttl: 5 * 60 * 1000
+  };
+
+  return catalog;
+}
+```
+
+### Request Timeouts
+
+Configure timeouts to prevent hanging requests:
+
+```typescript
+// Fastify timeout configuration
+const app = await NestFactory.create(AppModule, new FastifyAdapter({
+  connectionTimeout: 30000,  // 30 seconds
+  keepAliveTimeout: 5000     // 5 seconds
+}));
+```
+
+---
+
+## Error Handling
+
+The gateway implements comprehensive error handling:
+
+```typescript
+// Global exception filter
+@Catch()
+export class GlobalExceptionFilter implements ExceptionFilter {
+  catch(exception: unknown, host: ArgumentsHost) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse();
+    const request = ctx.getRequest();
+
+    // Log error with context
+    logger.error({
+      error: exception,
+      path: request.url,
+      method: request.method,
+      user: request.user?.username,
+      tenant: request.tenant?.code
+    });
+
+    // Send appropriate response
+    if (exception instanceof HttpException) {
+      response.status(exception.getStatus()).send({
+        statusCode: exception.getStatus(),
+        message: exception.message,
+        timestamp: new Date().toISOString(),
+        path: request.url
+      });
+    } else {
+      response.status(500).send({
+        statusCode: 500,
+        message: 'Internal server error',
+        timestamp: new Date().toISOString(),
+        path: request.url
+      });
+    }
+  }
+}
+```
+
+---
+
+## Health Checks
+
+The gateway exposes health check endpoints:
+
+```http
+GET /_/health
+```
+
+Response:
+```json
+{
+  healthy: 'ok'
+}
+```
+
+---
+
+## Security Considerations
+
+<Aside type="caution" title="Security Best Practices">
+  1. **Always use HTTPS** in production environments
+  2. **Rotate secrets regularly** (JWT_SECRET, SERVICE_ACCESS_SECRET)
+  3. **Keep SSL certificates up to date** - automate renewal with Let's Encrypt
+  4. **Rate limit endpoints** to prevent abuse
+  5. **Validate all inputs** before proxying to services
+  6. **Log security events** (failed auth, authorization denials)
+  7. **Implement CSRF protection** for browser-based requests
+</Aside>
+
+---
+
+## Next Steps
+
+- **[Authentication System](/_/docs/architecture/authentication-system/)** - Deep dive into authentication flows
+- **[Authorization System](/_/docs/architecture/authorization-system/)** - Understanding RBAC and permissions
+- **[Multi-Tenancy](/_/docs/architecture/multi-tenancy/)** - Tenant isolation and context