Architecture
The server manages versioned project state, coordinates blob streaming, and delegates authentication to an external OIDC provider. The web client is a WASM application served directly from a CDN.
Component Overview
```mermaid
graph TD
    User(["User"])
    Clients["Clients<br/>(Desktop, Web, CLI)"]
    CDN["CDN / Static Hosting<br/>(WASM Frontend)"]
    OIDC["OIDC Identity Provider"]
    Proxy["Reverse Proxy / Load Balancer<br/>(TLS Termination)"]
    Server["FDK Server<br/>(Axum, Rust)"]
    DB["PostgreSQL<br/>(Project State, Versioned History)"]
    S3["S3-Compatible Object Storage<br/>(Blobs, Large Data)"]
    User --> Clients
    Clients -- "Web only" --> CDN
    Clients --> OIDC
    Clients --> Proxy
    Proxy --> Server
    Server --> DB
    Server --> S3
    Server -.-> |"token validation"| OIDC
```
Infrastructure Requirements
| Component | Purpose | Requirement | Examples |
|---|---|---|---|
| Database | Versioned project state | PostgreSQL 15+ | Any managed or self-hosted PostgreSQL |
| Object Storage | Large data blobs | S3-compatible API | MinIO, AWS S3, Azure Blob Storage, GCS |
| Identity Provider | User authentication | OpenID Connect (OIDC) | Keycloak, Auth0, Entra ID, Okta |
| TLS Certificates | Transport encryption | Valid TLS cert for server domain | Let’s Encrypt, ACM, cert-manager |
| Reverse Proxy | TLS termination, routing | HTTP reverse proxy (recommended) | nginx, Traefik, ALB, Cloud Load Balancer |
| Static Hosting | WASM frontend assets | CDN or static file server | S3 + CloudFront, nginx, any CDN |
Server Characteristics
- Single statically compiled Rust binary
- Can run database migrations at startup (optional)
- Stateless — horizontally scalable behind a load balancer
- Configurable via environment variables