Platform Admin Service — Domain Model
Status: populated | Owner: TBD | Last updated: 2026-04-18 | Companion: Service Template · 02 DDD
1. Aggregates
| Aggregate | Root entity | Primary ID | Invariants |
|---|---|---|---|
| PlatformConfig | PlatformConfig | (key, scope, tenantId) composite | key must be in code-defined allow-list; value must match type schema for key; isArchived is terminal-soft |
| FeatureFlag | FeatureFlag | FlagKey (string) | key globally unique; archived flag always evaluates to false; enabledTenantIds and disabledTenantIds take precedence over defaultEnabled |
| HealthSource | HealthSource | HealthSourceId (hsr_) | serviceId unique; heartbeat timestamp updated on registration; stale > TTL = unhealthy |
2. State machines
2.1 PlatformConfig
2.2 FeatureFlag
2.3 HealthSource
3. Entities (non-root)
| Entity | Parent | Purpose |
|---|---|---|
| PlatformConfigHistory | PlatformConfig | Append-only log of value changes with before/after and actor |
| TenantFlagOverride | FeatureFlag | Per-tenant explicit enable/disable; overrides defaultEnabled |
| HealthCheckResult | HealthSource | Last N probe results; used for aggregate status |
4. Value objects
| Value object | Shape | Notes |
|---|---|---|
| ConfigKey | allow-listed string {namespace}.{key} | e.g., global.session_max_absolute_minutes |
| ConfigScope | enum PLATFORM \| TENANT \| NODE | |
| ConfigValue | typed scalar (int, bool, string) | Type validated against key schema |
| FlagKey | [a-z0-9._-]+ globally unique | Immutable once created |
| FlagDecision | { enabled: boolean, reason: string } | Returned by evaluate() |
| AggregateHealthStatus | enum healthy \| degraded \| unhealthy | Derived from per-service statuses |
5. Domain events
| Event | Subject | Fired by |
|---|---|---|
| ConfigUpdated | platform_admin.config.updated.v1 | UpsertConfigUseCase |
| FlagCreated | platform_admin.flag.created.v1 | CreateFlagUseCase |
| FlagUpdated | platform_admin.flag.updated.v1 | UpdateFlagUseCase |
| FlagArchived | platform_admin.flag.archived.v1 | ArchiveFlagUseCase |
| HealthSourceRegistered | platform_admin.health_source.registered.v1 | RegisterHealthSourceUseCase |
6. Ubiquitous language
| Term | Meaning |
|---|---|
| Platform config | A governed KV pair that controls platform behavior (session timeouts, MFA defaults, SMTP settings) |
| Allow-list | Code-defined set of valid config keys; unknown keys are rejected at API boundary |
| Feature flag | A named boolean gate that controls feature exposure across the platform |
| Tenant override | An explicit per-tenant enable/disable that takes precedence over the platform default |
| Health source | A registered service endpoint that platform-admin polls for health status |
| Aggregate health | The derived overall platform status combining all health source results |
| Evaluation | Resolving a feature flag for a given tenant context → { enabled: boolean } |
7. Invariants
| # | Invariant |
|---|---|
| INV-01 | Config key must be in code allow-list; unknown keys rejected with 400 |
| INV-02 | Config value must match the type schema defined for the key |
| INV-03 | Archived configs are soft-deleted; history preserved |
| INV-04 | FeatureFlag key is immutable once created |
| INV-05 | Archived flag always evaluates to enabled=false; no override can change this |
| INV-06 | enabledTenantIds and disabledTenantIds are mutually exclusive per tenant |
| INV-07 | Config mutations emit a PlatformConfigHistory row with old/new values |
| INV-08 | Feature-flag and licensing decisions are independent (BR-ADM-002) |
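
The evaluation order implied by INV-04 to INV-06 and the FeatureFlag aggregate, as an added example that is not the service's own code. The names createFlag and setOverride, the reason strings, the in-memory key set, and failing closed when a tenant appears in both override sets are assumptions.

```typescript
// Added example. createFlag, setOverride, the reason strings and the
// fail-closed conflict branch are assumptions, not taken from the service.
type FlagDecision = { enabled: boolean; reason: string };

interface FeatureFlag {
  readonly key: string; // FlagKey, immutable once created (INV-04)
  defaultEnabled: boolean;
  enabledTenantIds: Set<string>;
  disabledTenantIds: Set<string>;
  archived: boolean;
}

const FLAG_KEY = /^[a-z0-9._-]+$/; // FlagKey shape from the value-object table

// Reject malformed or duplicate keys before the aggregate exists.
function createFlag(key: string, defaultEnabled: boolean, existing: Set<string>): FeatureFlag {
  if (!FLAG_KEY.test(key)) throw new Error("invalid flag key: " + key);
  if (existing.has(key)) throw new Error("duplicate flag key: " + key);
  existing.add(key);
  return { key, defaultEnabled, archived: false,
           enabledTenantIds: new Set<string>(), disabledTenantIds: new Set<string>() };
}

// Record a tenant override while keeping the two sets disjoint (INV-06).
function setOverride(flag: FeatureFlag, tenantId: string, enabled: boolean): void {
  if (enabled) {
    flag.disabledTenantIds.delete(tenantId);
    flag.enabledTenantIds.add(tenantId);
  } else {
    flag.enabledTenantIds.delete(tenantId);
    flag.disabledTenantIds.add(tenantId);
  }
}

function evaluate(flag: FeatureFlag, tenantId: string): FlagDecision {
  // INV-05: archived is checked first, so no override can re-enable the flag.
  if (flag.archived) return { enabled: false, reason: "archived" };
  const on = flag.enabledTenantIds.has(tenantId);
  const off = flag.disabledTenantIds.has(tenantId);
  // Stored data that violates INV-06 is treated as disabled (assumption).
  if (on && off) return { enabled: false, reason: "conflicting_override" };
  if (off) return { enabled: false, reason: "tenant_disabled" };
  if (on) return { enabled: true, reason: "tenant_enabled" };
  return { enabled: flag.defaultEnabled, reason: "default" };
}
```

The reason field makes each decision auditable: a tenant that sees a feature unexpectedly can be traced to an explicit override rather than the platform default.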