Architecture overview

Services

• API (Go, :8080 + :8443) — cabinet HTTP, mTLS ingest
• TSDB (:8428) — Prometheus-compatible TSDB
• Postgres (:5432) — relational state
• Cabinet (Next.js, :3000) — the browser UI

The API is a single binary with three TLS-distinguished surfaces:

• Cabinet: cookie session, allowlist CORS, users in the browser
• Embed: bearer JWT, *-CORS, partners in an iframe
• mTLS: peer-cert auth, a separate listener, agents

Plus two CORS-permissive surfaces:

• Public dashboards (/public/dashboards/:token)
• SCIM (/scim/v2/Users, /scim/v2/Groups)