flowchart TB
    %% Architecture overview: eight layers from human actors down to storage
    %% and governance artefacts. Node ids, labels and edges are as authored.
    %% Lines marked NOTE(review) are open questions about trust boundaries
    %% that the diagram does not answer; they do not describe the
    %% implementation.

    %% === 1. Users & stakeholders: the human actors ===
    subgraph Users ["1. Users & Stakeholders"]
        SysAdmin(["Platform Superadmin"])
        WsAdmin(["Workspace Admin"])
        TenOp(["Tenant Operator"])
        CustRev(["Customer Reviewer"])
        Auditor(["Auditor / Compliance"])
        ExtSupport(["External Support / PSA"])
    end

    %% === 2. Access & identity: two login paths, one authorization path ===
    subgraph Identity_Access ["2. Access & Identity"]
        EntraOIDC["Entra OIDC / Tenant Users"]
        LocalUsers["Local Platform Users / Break-glass"]
        SysPanel["Platform / System Panel"]
        AdminPanel["Admin / Tenant Panel"]
        RBAC["Capability-based RBAC"]
        ScopeRes["Workspace / Tenant Scope Resolution"]
    end

    %% === 3. Application UI: the screens rendered once scope is resolved ===
    subgraph Application_UI ["3. Application UI (Filament)"]
        TenDash["Tenant Dashboard"]
        OpsHub["Operations Hub"]
        InvVersions["Inventory & Policy Versions"]
        FindInbox["Findings / Governance Inbox"]
        RevWorkspace["Reviews / Customer Workspace"]
        EvidReports["Evidence & Reports"]
        SuppHandoffUI["Support Handoff"]
    end

    %% === 4. Domain services: business logic behind the UI ===
    subgraph Domain_Services ["4. Domain Services"]
        WsSvc["Workspace Service"]
        TenSvc["Tenant Service"]
        OpRunSvc["OperationRun Service"]
        BackRestSvc["Backup / Restore Services"]
        DriftSvc["Drift Detection Service"]
        BaseCompSvc["Baseline / Compliance Service"]
        EvidSnapSvc["Evidence Snapshot Service"]
        RevPackSvc["Review Pack Service"]
        NotifSvc["Notification Service"]
        SuppSvc["Support Handoff Service"]
    end

    %% === 5. Execution & operations: asynchronous work and its audit trail ===
    subgraph Execution_Operations ["5. Execution & Operations"]
        Scheduler["Scheduler"]
        QueuesJobs["Queues / Jobs"]
        OpRunLife["OperationRun Lifecycle"]
        ProgStat["Progress / Status / Failure Reason"]
        AuditEvt["Audit Events"]
    end

    %% === 6. Provider boundary: everything that leaves the platform ===
    subgraph Provider_Boundary ["6. Provider Boundary"]
        ProvGateway["Provider Gateway"]
        GraphAdapt["Microsoft Graph Adapter"]
        IntuneProv["Intune Provider"]
        FutProv["Optional future providers"]
        ExtPSA["External PSA / ITSM"]
        MailTeams["Email / Teams Notifications"]
    end

    %% === 7. Data store: PostgreSQL, grouped by concern ===
    subgraph Data_Store ["7. Data Store (PostgreSQL)"]
        dbOrg[("Workspaces & Tenants")]
        dbIAM[("Users, Memberships & Capabilities")]
        dbOps[("OperationRuns & AuditLogs")]
        dbDomain[("Policies, Versions & Findings")]
        dbGov[("EvidenceSnapshots & StoredReports")]
        dbSupport[("SupportRequests & Notifications")]
    end

    %% === 8. Governance & evidence: compliance artefacts ===
    subgraph Governance_Evidence ["8. Governance & Evidence"]
        BaseProf["Baseline Profiles"]
        CtrlCat["Control Catalog"]
        RiskAcc["Risk Acceptance / Exceptions"]
        EvidMap["Evidence Mapping"]
        TenRev["Tenant Reviews"]
        AudPack["Auditor Packs"]
        StoreRep["Stored Reports"]
    end

    %% === Relationships ===

    %% Actors -> identity.
    %% NOTE(review): External Support is drawn on the same local / break-glass
    %% login path as the Platform Superadmin and reaches the System Panel.
    %% That path does not pass through Entra OIDC, so controls enforced at the
    %% identity provider would not cover it. Confirm that local accounts carry
    %% equivalent sign-in controls, that external support gets a narrower
    %% capability set than superadmin, and that break-glass logins are alerted on.
    SysAdmin & ExtSupport -->|authenticates| LocalUsers
    WsAdmin & TenOp & CustRev & Auditor -->|authenticates| EntraOIDC
    LocalUsers -->|accesses| SysPanel
    EntraOIDC -->|accesses| AdminPanel
    SysPanel & AdminPanel -->|authorizes| RBAC
    RBAC -->|selects scope| ScopeRes

    %% Identity -> UI: every screen is rendered from a resolved scope.
    ScopeRes -->|renders context| TenDash & OpsHub & InvVersions & FindInbox & RevWorkspace & EvidReports & SuppHandoffUI

    %% UI -> domain services.
    TenDash -->|reads state| WsSvc & TenSvc
    OpsHub -->|creates run| OpRunSvc
    InvVersions -->|fetches state| BackRestSvc
    FindInbox -->|reviews| DriftSvc
    RevWorkspace -->|publishes review| RevPackSvc
    EvidReports -->|views| EvidSnapSvc
    SuppHandoffUI -->|escalates| SuppSvc

    %% Domain services -> governance artefacts.
    BaseCompSvc -->|manages| BaseProf & CtrlCat
    DriftSvc -->|evaluates against| RiskAcc
    EvidSnapSvc -->|maps to| EvidMap
    RevPackSvc -->|exports report| TenRev & AudPack & StoreRep

    %% Domain services -> execution.
    %% NOTE(review): RBAC and scope resolution appear only on the UI path.
    %% Scheduler-triggered and queued jobs reach the Provider Gateway with no
    %% edge back through RBAC or ScopeRes. Confirm that each job persists its
    %% workspace / tenant scope and that the scope is re-validated before any
    %% provider call, and state which identity scheduled jobs run under.
    OpRunSvc -->|dispatches job| QueuesJobs
    BackRestSvc & DriftSvc & BaseCompSvc & EvidSnapSvc & RevPackSvc -->|dispatches job| QueuesJobs
    Scheduler -->|triggers| QueuesJobs
    QueuesJobs -->|updates| OpRunLife
    OpRunLife -->|tracks| ProgStat
    OpRunLife -->|emits audit event| AuditEvt

    %% Execution and domain services -> external providers.
    %% NOTE(review): the Graph adapter's credentials are not modelled in any
    %% data-store node. Document where they are held and who can read them.
    %% NOTE(review): audit events and support tickets leave the platform here
    %% (Email / Teams, External PSA). Confirm which fields are sent and that
    %% tenant data is minimised or redacted before it crosses the boundary.
    QueuesJobs -->|reads / mutates| ProvGateway
    ProvGateway -->|routes to| GraphAdapt & FutProv
    GraphAdapt -->|calls| IntuneProv
    NotifSvc & AuditEvt -->|sends notification| MailTeams
    SuppSvc -->|creates ticket| ExtPSA

    %% Persistence: services and execution -> PostgreSQL.
    %% NOTE(review): audit logs share a store with operation runs, and the
    %% diagram shows only writers. If the logs are to count as "execution
    %% truth", confirm they are append-only for the application role and that
    %% the readers (for example Auditor views) are documented.
    WsSvc & TenSvc -->|writes| dbOrg
    RBAC -->|reads / writes| dbIAM
    OpRunLife & AuditEvt -->|records execution truth| dbOps
    BackRestSvc & DriftSvc -->|writes| dbDomain
    EvidSnapSvc & RevPackSvc -->|writes evidence| dbGov
    NotifSvc & SuppSvc -->|writes| dbSupport