Domain Ownership
Status
Active
Date
2026-04-28
Owners
- Platform Backend
Last Verified Commit
56362a7a
Ownership Rules
This repo currently uses a shared database, but service ownership is logical and must still be respected.
Core rules:
- each domain has one primary runtime owner
wallet_serviceis the only money writer- edge services do not become hidden domain owners
- orchestration is allowed, but direct cross-domain mutation is not
Domain Map
| Domain | Primary Owner | Edge Surface | Notes |
|---|---|---|---|
| player auth/profile/common data | player_service | gateway | includes registration helpers, profile, messages, captcha/common data |
| player balances, deposits, withdrawals | wallet_service | gateway and admin_service | money writes stay here even when initiated elsewhere |
| rolling lifecycle | rolling_service | wallet_service, admin_service, gateway | consumes wallet events and emits rolling events |
| coupons, rebate, cashback, lossback | promotion_service | gateway and admin_service | settlement and coupon saga logic lives here |
| provider callbacks and game integration | game_service | direct provider traffic and gateway proxying | provider-specific auth and callback semantics stay here |
| agent portal flows | agent_service | direct agent frontend traffic | includes legacy agent compatibility aliases |
| back-office operational APIs | admin_service | direct bo/admin traffic | also owns top-info websocket aggregation |
| SMS automation and reconciliation | recon_service | admin_service compatibility adapters | extracted from middle_server; no direct money mutation |
| player HTTP routing and legacy response translation | gateway | player-facing external traffic | edge only; owns no business data |
Non-Negotiable Ownership Constraints
recon_servicemay persist review or match state, but final approval must still flow throughwallet_service.admin_servicemay orchestrate approvals and queries, but it must not become a second money writer.gatewaymay normalize or proxy payloads, but it must not persist domain state.- worker loops must run under the owner service or owner worker runtime.
Multi-Brand Ownership
Per ADR-009, two new domain ownerships are added and one existing aggregate
becomes brand-global:
| Domain | Primary Owner | Edge Surface | Notes |
|---|---|---|---|
| brand catalog and per-brand configuration | admin_service | direct bo/admin traffic | owns brand and brand_config; brand defaults override documented globals |
| agent-to-brand allow list | admin_service writes; agent_service reads | admin_service exposes agent_brand CRUD; agent_service enforces it on every agent-facing route | controls which brands an agent can serve |
| agent aggregate | agent_service | direct agent frontend traffic | stays brand-global; per-brand variation lives in agent_setting(agent_id, brand_id) and agent_domain(agent_id, brand_id) |
Brand isolation rules:
- every other domain owner above scopes its writes by
brand_id wallet_servicerejects any command whose target row brand differs from request brand; ADR-005 still bindswallet_serviceas the only money writergatewayresolves brand from the request domain and forwardsX-Brand-Idgame_serviceresolves brand from the outbound account namespace on callback- back-office staff ownership is removed by this change and is not replaced
Migration Gap
The unresolved ownership area is the residual middle_server back-office scope
outside recon:
- role and menu management
- config and i18n editing
- web rules, FAQ, and content
- BI push tooling
- coin passthrough behavior
- generic catch-all forwarding
Those capabilities need an explicit owner before full legacy retirement.