Architecture Overview

Browser / API Client
        │
        ▼
   ┌─────────┐
   │  Nginx  │  :80 / :443
   └────┬────┘
        │
        ├── /               ──► UI (React frontend, :3000)
        ├── /authsec/*      ──► AuthSec backend (:7468)
        ├── /.well-known/*  ──► AuthSec backend (:7468)
        ├── /oauth2/*       ──► Hydra public API (:4444)
        └── /userinfo       ──► Hydra public API (:4444)

┌──────────────────────────────────────────────────┐
│ AuthSec Backend (:7468)                          │
│ (Go monolith - all modules merged into one       │
│  binary, one port, one Docker image)             │
│                                                  │
│ /authsec/uflow/*     - auth, OIDC, JWT, TOTP,    │
│                        WebAuthn, SCIM            │
│ /authsec/authmgr/*   - RBAC, token validation    │
│ /authsec/clientms/*  - OAuth client management   │
│ /authsec/hmgr/*      - Hydra proxy/login/consent │
│ /authsec/oocmgr/*    - OIDC provider config      │
│ /authsec/sdkmgr/*    - AI agent SDK management   │
│ /authsec/exsvc/*     - external integrations     │
│ /authsec/webauthn/*  - passkey flows             │
│ /authsec/spire/*     - SPIFFE workload identity  │
│ /authsec/migration/* - DB migration management   │
└──────────────────────────────────────────────────┘

Infrastructure:
  postgres - master DB + dynamic per-tenant DBs
  hydra    - Ory Hydra OAuth2/OIDC server
  redis    - session cache, rate limiting

The UI is the entry point for user-facing flows and calls backend APIs through /authsec/*.
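The routing table in the diagram, written out as an Nginx server block. This is an added example, not the project's own configuration: the upstream hostnames (ui, authsec, hydra) and the certificate paths are assumptions; the ports are the ones listed above.

```nginx
# Added example, not AuthSec's shipped config. Upstream hostnames are assumed
# Docker service names; only the ports come from the architecture overview.
upstream ui      { server ui:3000; }
upstream authsec { server authsec:7468; }
upstream hydra   { server hydra:4444; }   # Hydra public API only; the admin API stays internal

server {
    listen 80;
    listen 443 ssl;
    server_name _;
    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # assumed path

    # Forwarded headers let the backends rebuild the public URL (OIDC issuer,
    # redirect URIs) and see the real client address for logging and rate limiting.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Nginx picks the longest matching prefix, so these specific locations win
    # over the catch-all "/" that serves the React UI. "/userinfo" is an exact match.
    location /authsec/     { proxy_pass http://authsec; }
    location /.well-known/ { proxy_pass http://authsec; }
    location /oauth2/      { proxy_pass http://hydra; }
    location = /userinfo   { proxy_pass http://hydra; }
    location /             { proxy_pass http://ui; }
}
```

Because every path not listed falls through to the UI upstream, any backend route that should be reachable from outside must be added here explicitly, and nothing else on the internal ports is exposed.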

OOC_MANAGER_URL and AUTH_MANAGER_URL both point to the AuthSec service because the OIDC provider config (oocmgr) and RBAC/token validation (authmgr) modules are merged into the monolith rather than running as separate services.