Ghasi-SMS-Gateway — Service Index
26 services. Each has the standard 17-doc layout under services/<service>/ per SERVICE_TEMPLATE. 14 are the original platform core; 12 are new bounded contexts ratified in ADR-0004 for the national-backbone uplift.
Identity. auth-service is the canonical identity surface and owns a pluggable IdP provider abstraction. Keycloak is the base/default provider and also acts as an OIDC/SAML broker so tenants can federate their own corporate IdP (Azure AD, Okta, Google Workspace, ADFS, generic OIDC/SAML). Firebase is retained as an optional legacy provider only.
Compliance. compliance-engine implements the Compliance Layer — a first-class architectural tier between orchestration and routing. Every outbound SMS is evaluated (asynchronously, in the NATS consumer) before any carrier dispatch.
Edge & Access
| Service | Responsibility |
|---|---|
| api-gateway | Public API edge, auth enforcement, rate limiting, request routing |
| auth-service | IdP provider abstraction (Keycloak default + tenant external OIDC/SAML); JWKS; API keys; RBAC; tenant scoping |
Messaging Core
Trust & Safety
| Service | Responsibility |
|---|---|
| compliance-engine | Rule-based + AI-assisted evaluation of every outbound SMS (gRPC); hold queue; tenant scoring & risk tiering; immutable audit log; compliance reporting |
Commerce & Operations
Frontends (Product Surfaces)
| Service | Responsibility |
|---|---|
| customer-portal | Tenant-facing self-service portal backend |
| admin-dashboard | Platform operator dashboard backend (incl. compliance rule authoring, hold queue review, tenant score dashboards) |
National-Backbone Bounded Contexts (new — ADR-0004)
These 12 services implement the national-asset capabilities documented in ADR-0004 and tracked in 07-epics-and-user-stories.md §6.
Trust & Safety
| Service | Responsibility |
|---|---|
| sms-firewall-service | Inbound MO firewall, transit MT firewall, AIT detection, SIM-box detection, grey-route exclusion, DND enforcement |
| fraud-intel-service | ML scoring for AIT, SIM-box, OTP harvesting, grey-route arbitrage; fraud feed import/export (MISP-compatible) |
| consent-ledger-service | National DND sync, per-tenant consent records, STOP-keyword handling, consent audit (>= 7 y), CheckConsent API |
| sender-id-registry-service | National sender-ID registry: KYC, verification (DNS-TXT/OTP/notarised/document), suspension, regulator export, reputation scoring |
Messaging Core
| Service | Responsibility |
|---|---|
| number-intelligence-service | HLR/HSS lookup with cache (MSISDN → MNO/line-type/country), MNP registry, EIR/CEIR cross-check, public Lookup API |
| channel-router-service | Multi-channel fallback (SMS → WhatsApp BSP → Voice OTP → email) per recipient profile + tenant policy; OTT adapters; 2-way MO routing; conversational session manager |
| cbc-bridge-service | 3GPP TS 23.041 cell-broadcast bridge to MNO RAN for civil emergency alerts; government-PKI signature verification; multi-language broadcast |
Commerce / Regulator
| Service | Responsibility |
|---|---|
| cdr-mediation-service | Canonical CDR generation distinct from billing events; hash-chained append-only object-storage CDRs; daily TAP 3.12/RAP roll-up; signed file drops to ATRA |
| numbering-service | MSISDN/short-code/alpha-ID inventory and lifecycle (lease, recall, expiry); reservation/hold/release; per-tenant pool management |
| regulator-portal-service | ATRA-facing portal: LI requests, complaint ingest, scheduled and ad-hoc reports, SIEM forwarding (Splunk/ELK/QRadar), compliance attestations |
Product
| Service | Responsibility |
|---|---|
| developer-portal-service | Public dev portal (docs, sandbox, API key self-serve, consumption analytics); SDKs (Node, Python, Java, .NET, Go, PHP, Android, iOS, Flutter); Verify API |
| campaign-service | Campaign builder (segments, schedule, throttle, A/B, kill-switch); template catalog (merge fields, conditional content, multi-language); approved-template workflow paired with EP-CE-13; reporting |
Total: 26 services. Each follows the SERVICE_TEMPLATE with 17 canonical docs. See NAMING for conventions.
Platform dependency (not a service). Keycloak runs as an infrastructure component in the ghasi-identity namespace. It is not listed as a Ghasi microservice but is the base IdP consumed by auth-service. See 01-enterprise-architecture §3.1 and auth-service SERVICE_OVERVIEW §5.