Architecture Diagram

flowchart TB
  userA["Tenant A Users"] --> r53["Route53"]
  userB["Tenant B Users"] --> r53

  r53 --> edge["Edge Router / ALB"]

  subgraph account["AWS Account (single)"]
    cp["Global Control Plane\n(tenant registry, licensing, routing snapshots)"]

    subgraph tenantA["Tenant A Data Plane"]
      ia["integrations-service-a"]
      da["discovery-service-a"]
      wa["discovery-worker-a"]
      aa["audit-service-a"]
      ma["iam-service-a"]
      dba["RDS scope A"]
      s3a["S3 evidence scope A"]
      sa["Secrets scope A"]
    end

    subgraph tenantB["Tenant B Data Plane"]
      ib["integrations-service-b"]
      db["discovery-service-b"]
      wb["discovery-worker-b"]
      ab["audit-service-b"]
      mb["iam-service-b"]
      dbb["RDS scope B"]
      s3b["S3 evidence scope B"]
      sb["Secrets scope B"]
    end

    logs["CloudWatch Logs / Metrics"]
  end

  cp -->|publish routing metadata| edge

  edge --> ia
  edge --> da
  edge --> aa
  edge --> ma

  edge --> ib
  edge --> db
  edge --> ab
  edge --> mb

  da --> wa
  db --> wb

  ia --> dba
  da --> dba
  aa --> dba
  ma --> dba
  da --> s3a
  ia --> sa
  da --> sa

  ib --> dbb
  db --> dbb
  ab --> dbb
  mb --> dbb
  db --> s3b
  ib --> sb
  db --> sb

  ia --> logs
  da --> logs
  wa --> logs
  aa --> logs
  ma --> logs
  ib --> logs
  db --> logs
  wb --> logs
  ab --> logs
  mb --> logs