
Service boundaries

Technical ownership across API Gateway, Identity Service, Entitlement Service and Payment Service.

Goal

Define service ownership to avoid overlapping responsibilities, queries against the wrong database, and bypassing of the Gateway context.

Current status

Closed:

  • API Gateway owns routing, JWT validation, request/correlation id, trusted headers injection and coarse route guard.
  • Identity Service owns account, credential, session, branch/workspace membership for auth, token issuing and JWKS.

Not yet closed:

  • Entitlement Service E2E through the Gateway.
  • Payment Service integration in the billing-context flow.

Main flow

Client request
→ API Gateway
→ validate route/token
→ inject trusted headers
→ downstream service owns business behavior

Key rules

Service ownership:

  • API Gateway owns routing, JWT validation, request/correlation id, trusted headers injection, coarse route guard.
  • Identity Service owns account, credential, session, branch/workspace membership for auth, token issuing, JWKS.
  • Entitlement Service owns setup status, package/catalog, capability, entitlement, navigation/current-context.
  • Payment Service owns quote, order, subscription, payment, trial billing lifecycle.

Not allowed:

  • Gateway does not login, issue JWT, or query business DB.
  • Identity Service does not route, proxy, or own setup or billing.
  • Entitlement Service does not issue login token.
  • Payment Service does not own feature capability graph.

Workspace/member isolation must come from trusted Gateway context, not from client-provided body fields.
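
The rule above, sketched as an added example that is not code from this project: the Gateway overwrites any client-sent context headers with values from the validated JWT, and the downstream service scopes the request from those headers only. The `x-ctx-*` header names, the claim names and both function names are assumptions, since the page does not define them.

```python
# Added example. Header names, claim names and function names are
# assumptions for illustration; the page does not define them.
TRUSTED_PREFIX = "x-ctx-"


class ContextError(Exception):
    """Raised when trusted Gateway context is missing or contradicted."""


def inject_trusted_headers(client_headers, claims):
    """Gateway side: drop client-sent x-ctx-* headers, then set them from
    the claims of an already validated JWT."""
    forwarded = {
        k.lower(): v
        for k, v in client_headers.items()
        if not k.lower().startswith(TRUSTED_PREFIX)
    }
    forwarded["x-ctx-workspace-id"] = claims["workspace_id"]
    forwarded["x-ctx-member-id"] = claims["member_id"]
    return forwarded


def resolve_scope(headers, body):
    """Downstream side: take workspace/member from Gateway headers only.
    Assumes the service is reachable only through the Gateway."""
    try:
        scope = {
            "workspace_id": headers["x-ctx-workspace-id"],
            "member_id": headers["x-ctx-member-id"],
        }
    except KeyError as exc:
        raise ContextError(f"missing trusted header: {exc.args[0]}") from None
    # A body field naming another workspace is rejected, never honoured.
    for field, trusted in scope.items():
        if field in body and body[field] != trusted:
            raise ContextError(f"body {field} conflicts with Gateway context")
    return scope


# Constructed sample request: the client sends its own context header.
SPOOFED_HEADERS = {"X-Ctx-Workspace-Id": "ws-other", "Accept": "application/json"}
VALID_CLAIMS = {"workspace_id": "ws-1", "member_id": "m-7"}
```

Header trust only holds if downstream services accept traffic from the Gateway alone; a service that is also reachable directly would receive these headers straight from the client.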

Related

TODO

  • Not yet closed: Entitlement Service contract through the Gateway for setup/current-context.
  • Not yet closed: Payment Service billing lifecycle contract in the docs.
