Merge pull request #237 from rararulab/issue-228-docs-alignment

crrow · web-flow · commit f5f702d72b17 · 2026-03-31T12:55:28.000+09:00
docs: align documentation with single-process architecture (#228)
diff --git a/docs/design/architecture.md b/docs/design/architecture.md
@@ -10,9 +10,9 @@
 
 ## Design Principles
 
-1. **Stateless first** — all backend services are stateless. State belongs in dedicated stores (database, cache, object store). Any service instance can be killed and replaced without impact.
+1. **Stateless first** — all backend services are stateless. State belongs in dedicated stores (database, object store). Any service instance can be killed and replaced without impact.
 2. **Pluggable** — cross-cutting concerns (auth, rate limiting) are middleware slots with defined interfaces. Swap implementations without touching business logic.
-3. **Cloud-native** — designed for Kubernetes from day one. Service discovery via DNS, horizontal scaling per component, infrastructure and application layers are cleanly separated.
+3. **Single-process standalone** — all services run in a single process via the `app` binary. The architecture is designed so that individual services *could* be split into separate deployments in the future, but the current deployment model is a single process.
 
 ## System Overview
 
@@ -23,17 +23,16 @@
 
 | Component | Stateful | Description |
 |-----------|----------|-------------|
-| **Gateway** | No | Control-plane entry point. Reverse proxy, rate limiting, auth middleware. See [Gateway](./gateway.md). |
-| **MetaService** | No | System brain. Metadata CRUD, share link lifecycle, connection token signing, service topology awareness (K8s Endpoints API). See [MetaService](./meta-service.md). |
+| **Gateway** | No | Control-plane entry point. Reverse proxy for MetaService and Ingestor, rate limiting, auth middleware. Streamer is accessed directly, not through Gateway — streaming data should not pass through a reverse proxy. See [Gateway](./gateway.md). |
+| **MetaService** | No | System brain. Metadata CRUD, share link lifecycle, connection token signing. See [MetaService](./meta-service.md). |
 | **Ingestor** | No | Receives uploads from clients, processes into HLS. Storage is an internal detail. Stateless — no affinity needed. |
-| **Streamer** | No | Serves video playback. Per-video affinity via consistent hashing for local cache optimization. Client reconnects to a different instance only on failure. |
-| **Client (WASM)** | No | Core logic in Rust → WASM. Client-side load balancing, connection reuse, failover. |
+| **Streamer** | No | Serves video playback. Accessed directly by clients, not proxied through Gateway. |
+| **Client (WASM)** | No | Core logic in Rust → WASM. |
 | **MinIO (S3)** | Yes | Object storage. Internal to Ingestor/Streamer — never exposed to clients. |
 | **Database** | Yes | Metadata persistence. |
-| **MemoryCache** | Yes | Rate limiting state for Gateway and MetaService. Redis, Memcached, or in-process. |
-| **Queue** | Yes | Async job delivery between services (e.g. upload verification). Redis Streams, RabbitMQ, or SQS. |
+| **Queue (in-memory)** | No | In-process async job delivery (e.g. upload-complete notification). Uses an in-memory channel within the single process — not a distributed message broker. |
 
-All backend services are stateless. State belongs in dedicated stores.
+All services run in a single process. Backend services are stateless; persistent state belongs in dedicated stores (database, object storage).
 
 ## User Identity
 
@@ -43,27 +42,21 @@ Ownership checks (e.g. "can this user delete this video?") are enforced by MetaS
 
 ## Data Plane — Connection Token Flow
 
-Control-plane requests go through Gateway. Data-plane traffic (upload/playback) bypasses Gateway entirely — clients connect directly to Ingestor/Streamer instances.
+Control-plane requests go through Gateway. Data-plane traffic (upload/playback) is served by Ingestor/Streamer directly (all within the same process).
 
-This follows the **Kafka / Redis Cluster pattern**: client fetches a service map, computes routing locally, and connects directly to the target instance.
+In the current single-process deployment, all services share the same address. The connection token flow still applies — it authorizes data-plane access regardless of deployment topology.
 
 ```
 1. Client → Gateway → MetaService: "I want to upload/watch video X"
-2. MetaService returns a service map (list of Ingestor/Streamer external addresses)
-   sourced from K8s Endpoints API, mapped to externally reachable addresses (NodePort)
-3. Client computes target locally:
-   - Upload:   round-robin across Ingestors
-   - Playback: consistent hash ring on video_id → pick Streamer (cache affinity)
-4. Client connects directly to the chosen instance with a signed connection token
-5. Upload: client sends file data to Ingestor (storage is an internal detail of Ingestor)
-   Playback: client requests HLS manifest/segments from Streamer (caching is an internal detail)
+2. MetaService returns a connection token authorizing the action
+3. Client connects to Ingestor (upload) or Streamer (playback) with the signed token
+4. Upload: client sends file data to Ingestor
+   Playback: client requests HLS manifest/segments from Streamer
 ```
 
-**On failure**: client refreshes the service map from MetaService, recomputes target, reconnects. Only the failed node's connections are affected — consistent hashing minimizes cache disruption on Streamer topology changes.
+## Scaling (future)
 
-## Scaling
-
-Horizontal scaling is handled by K8s HPA. Each service exposes a `/metrics` endpoint (Prometheus format):
+The current deployment is single-process. The architecture is designed so that services *could* be separated and scaled independently in the future. Potential scale-out dimensions:
 
 | Service | Scale Metric |
 |---------|-------------|
diff --git a/docs/design/gateway.md b/docs/design/gateway.md
@@ -26,7 +26,8 @@ Gateway performs **prefix-strip-and-forward**. It never parses downstream routes
 |--------|----------|---------|
 | `/api/meta/*` | MetaService | Video metadata, share links |
 | `/api/ingest/*` | Ingestor | Upload negotiation |
-| `/api/stream/*` | Streamer | Playback negotiation |
+
+Streamer is **not** proxied through Gateway. Video streaming data should not pass through a reverse proxy — clients access Streamer directly. This is by design: Gateway handles control-plane traffic only.
 
 Adding endpoints to any downstream service requires **zero Gateway changes**.
 
@@ -39,19 +40,16 @@ Request → AuthMiddleware → RateLimitMiddleware → ProxyForward → Response
 - **AuthMiddleware** — extracts user identity and injects `X-User-Id` header for downstream services. Currently hardcoded to `bot` (single-user mode). Interface is defined so a real implementation (e.g. JWT verification) can be swapped in without changing Gateway internals or any downstream service.
 - **RateLimitMiddleware** — per-user throttling using a backing cache (Redis / in-process). Only applies to control-plane requests since data-plane traffic never hits Gateway.
 
-## Service Discovery on K8s
+## Service Discovery
 
-No external service registry needed. Gateway resolves upstreams via **K8s Service DNS**:
+In the current single-process deployment, Gateway forwards requests to MetaService and Ingestor in-process. Upstream addresses are configured via environment variables:
 
 ```yaml
 upstreams:
-  meta:   "http://meta-service:8080"
-  ingest: "http://ingest-service:8080"
-  stream: "http://stream-service:8080"
+  meta:   "http://localhost:8080"
+  ingest: "http://localhost:8080"
 ```
 
-K8s handles DNS resolution and load balancing across pods.
-
 ## Why a Custom Gateway (Not Nginx)
 
 K8s Ingress (Nginx/Envoy) handles infrastructure concerns: TLS termination, external routing, health checks. Gateway handles **business concerns**: auth validation and rate limiting are application logic that belongs in application code, not Nginx config.
diff --git a/docs/design/ingestor.md b/docs/design/ingestor.md
@@ -14,7 +14,7 @@ Three responsibilities:
 
 ![Ingestor Upload Phase](./ingestor-upload-flow.svg)
 
-## Processing Pipeline (async, queue-driven)
+## Processing Pipeline (async, in-memory queue)
 
 ![Ingestor Processing Pipeline](./ingestor-processing-flow.svg)
 
@@ -38,7 +38,7 @@ bucket/
 Processing tasks are persisted in the database with their current state. This ensures:
 
 - **Crash recovery** — on restart, Ingestor picks up incomplete tasks rather than re-processing from scratch
-- **No duplicate work** — each task has a unique ID; the queue delivers at-least-once, Ingestor deduplicates via DB state
+- **No duplicate work** — each task has a unique ID; Ingestor deduplicates via DB state
 
 ### Failure Strategy
 
@@ -54,8 +54,8 @@ After all retries exhausted, the task is marked `failed` and MetaService is noti
 
 ```
 Owner calls DELETE /videos/:id
-  → MetaService publishes cancellation event to queue
-  → Ingestor consumes event
+  → MetaService publishes cancellation event to in-memory queue
+  → Ingestor consumes event (same process)
   → If transmux is in progress: kill ffmpeg, clean up partial HLS output
   → If task is queued but not started: discard from queue
   → Notify MetaService: status → cancelled
diff --git a/docs/design/layout.md b/docs/design/layout.md
@@ -6,7 +6,7 @@
 crates/
 ├── app/        # The ONLY binary crate. CLI entry point, starts services based on args.
 ├── core/       # Shared library. Domain types, DB repos, storage helpers, HTTP client.
-├── server/     # HTTP server foundation. Metrics (/metrics for k8s HPA), health, graceful shutdown, tracing.
+├── server/     # HTTP server foundation. Health checks, graceful shutdown, tracing.
 ├── meta/       # Library crate. Video metadata CRUD, share links. Exposes Router + State.
 ├── ingestor/   # Library crate. Upload + transmux pipeline. Exposes Router + State.
 ├── streamer/   # Library crate. HLS playback + segment caching. Exposes Router + State.
@@ -19,7 +19,7 @@ crates/
 1. **Single binary** — `app` is the only crate with `main.rs`. It parses CLI args to decide which service(s) to start. No other crate produces a binary.
 2. **Library-first** — Every service crate is a lib crate that exposes its `Router` and `State`. The `app` crate composes them.
 3. **`core` is shared code** — Domain types, database repositories, storage helpers, config. No HTTP server logic.
-4. **`server` is the HTTP foundation** — Wraps axum with cross-cutting concerns: metrics endpoint for k8s HPA, health checks, graceful shutdown, tracing setup. Service crates depend on `server`, not on raw axum server setup.
+4. **`server` is the HTTP foundation** — Wraps axum with cross-cutting concerns: health checks, graceful shutdown, tracing setup. Service crates depend on `server`, not on raw axum server setup.
 5. **Each crate owns its tests** — Every lib crate has its own unit/integration tests. `cargo test -p <crate>` must pass independently.
 
 ## Service Crate Contract
@@ -57,7 +57,6 @@ server.mount("/api/meta", meta_router)
 | HTTP client (`reqwest` singletons) | `core` |
 | Config (`AppConfig`, `paths`) | `core` |
 | HTTP server (`bind`, `run`, graceful shutdown) | `server` |
-| Metrics endpoint (`/metrics`) | `server` |
 | Health check (`/healthz`, `/readyz`) | `server` |
 | Tracing/logging setup | `server` |
 
diff --git a/docs/design/meta-service.md b/docs/design/meta-service.md
@@ -8,8 +8,8 @@ Four responsibilities:
 
 1. **Metadata management** — video CRUD, share link lifecycle, ownership enforcement
 2. **Connection token** — issues HMAC-signed tokens that authorize clients to access data-plane services
-3. **Topology awareness** — watches K8s Endpoints API to maintain a live service map
-4. **Task lifecycle** — publishes cancellation/deletion events to the queue for Ingestor to consume
+3. **Service address** — provides the service address for clients to connect to data-plane services
+4. **Task lifecycle** — publishes cancellation/deletion events to the in-memory queue for Ingestor to consume (same process)
 
 All mutating operations check ownership via `X-User-Id` (currently hardcoded to `bot` by Gateway). Each video record stores an `owner` field set at creation time.
 
@@ -19,20 +19,11 @@ All mutating operations check ownership via `X-User-Id` (currently hardcoded to
 
 ![MetaService Playback Interaction](./meta-playback-flow.svg)
 
-Follows the **Kafka / Redis Cluster pattern**: routing decisions live on the client side, MetaService only provides the data.
-
 When a client requests an upload or playback, MetaService returns:
 
-- **Service map** — list of healthy Ingestor/Streamer external addresses (NodePort)
+- **Service address** — the address of the single-process server hosting Ingestor/Streamer
 - **Connection token** — authorizes the client to connect
 
-The client computes the target locally:
-
-| Action | Strategy | Reason |
-|--------|----------|--------|
-| Upload | Round-robin | Stateless, no affinity needed |
-| Playback | Consistent hash ring on `video_id` | Cache affinity — same video hits same Streamer. On node changes, only `1/N` keys re-map |
-
 ## Connection Token
 
 Data-plane services (Ingestor/Streamer) sit outside Gateway's auth middleware. The connection token is the **only** mechanism that authorizes data-plane access. Without a valid token, services reject the connection.
@@ -45,7 +36,7 @@ signature = HMAC-SHA256(payload, server_secret)
 token     = base64url(payload + signature)
 ```
 
-`server_secret` is shared between MetaService and data-plane services via K8s Secret. Data-plane services verify tokens locally — no callback to MetaService needed.
+`server_secret` is shared between MetaService and data-plane services via configuration. In the single-process deployment, all services share the same config. Data-plane services verify tokens locally — no callback to MetaService needed.
 
 ### Fields
 
@@ -67,23 +58,6 @@ The token does not encode a target instance. It only authorizes the action — t
 | Short-lived | TTL-based expiry limits replay attacks |
 | Scoped | `action` field prevents cross-purpose reuse |
 
-## Topology Awareness
-
-![MetaService Topology Awareness](./meta-topology-flow.svg)
-
-MetaService watches K8s Endpoints API for Ingestor and Streamer services, giving it a live view of ready pods without polling.
-
-Pods are exposed via NodePort. MetaService maps internal pod IPs to externally reachable `node_ip:node_port` pairs in the service map.
-
-On topology changes (scale up/down, pod failure):
-
-- Service map updates immediately
-- Existing client connections are unaffected
-- New requests or service map refreshes reflect the new topology
-- Consistent hashing minimizes cache disruption on Streamer changes
-
-Only videos previously assigned to failed nodes need to re-map.
-
 ## Share Link
 
 ![MetaService Share Link Flow](./meta-share-flow.svg)
@@ -108,7 +82,7 @@ Share link controls **who can enter**. Connection token controls **how long they
 
 ### Rate Limiting
 
-Rate limit state is stored in MemoryCache (Redis), shared by Gateway and MetaService:
+Rate limit state is stored in-memory, shared by Gateway and MetaService within the single process:
 
 | Layer | Location | Protects against |
 |-------|----------|-----------------|
diff --git a/docs/design/performance.md b/docs/design/performance.md
@@ -46,16 +46,18 @@ Each viewer consumes ~2.5 Mbps. With Streamer cache hits, most traffic is served
 
 ---
 
-## Instance Sizing
+## Capacity per Service (single-process)
 
-| Service | Sizing factor | Light (100 viewers) | Peak (1,000 viewers) |
-|---------|---------------|:-------------------:|:--------------------:|
-| Gateway | ~10K req/s per instance | 1 | 2 |
-| MetaService | ~5K req/s per instance | 1 | 2 |
-| Ingestor | 1 per ~20 concurrent uploads | 1 | 3 |
-| Streamer | 1 per ~200 concurrent streams (NIC bound) | 1 | 5 |
+All services share a single process. The following estimates show per-service capacity within that process:
 
-Gateway and MetaService handle lightweight control-plane requests. Streamer is the primary scale-out target.
+| Service | Capacity factor |
+|---------|----------------|
+| Gateway | ~10K req/s (lightweight control-plane proxy) |
+| MetaService | ~5K req/s (metadata reads/writes) |
+| Ingestor | ~20 concurrent upload negotiations; transmux is CPU-bound |
+| Streamer | ~200 concurrent streams per 1 Gbps NIC capacity |
+
+Gateway and MetaService handle lightweight control-plane requests. Streamer is the primary resource consumer.
 
 ---
 
@@ -76,7 +78,7 @@ Two separate concerns with very different limits:
 - **Upload negotiation** (token validation + presigned URL signing): ~20 concurrent per instance
 - **Transmux processing** (CPU bound): ~5 concurrent per instance
 
-With 3 instances × 5 transmux slots = ~15 videos/min throughput. HPA scales on queue depth; the queue provides natural backpressure (client sees `processing` status until complete).
+In the single-process deployment, transmux concurrency is limited by available CPU cores. The in-memory queue provides natural backpressure (client sees `processing` status until complete).
 
 ### Streamer — Network I/O
 
@@ -88,13 +90,11 @@ With 3 instances × 5 transmux slots = ~15 videos/min throughput. HPA scales on
 
 ### Consistent hash rebalance on scale-up
 
-Adding a Streamer instance remaps `1/N` of cached videos, causing cold-start penalties. Mitigate by scaling during low-traffic periods and using virtual nodes to reduce per-event disruption.
-
 ### Infrastructure
 
-- **MinIO** — disk I/O on write path; use erasure coding across nodes + SSD for hot tier
-- **Database** — ~10K writes/s (Postgres), sufficient for this scale; shard by `video_id` if needed
-- **Queue** — ~100K msg/s (Redis Streams), far exceeds needs
+- **MinIO** — disk I/O on write path; use SSD for hot tier
+- **Database** — ~10K writes/s (Postgres), sufficient for this scale
+- **Queue** — in-memory channel, negligible overhead
 
 ---
 
@@ -114,7 +114,7 @@ Client                    Gateway    MetaService    Ingestor
   │◄── 200 OK ────────────────────────────────────────┤
   │                                                    │
   ├── POST /uploaded ──────►├───────────►│             │
-  │         ~50ms           │            │── queue ───►│
+  │         ~50ms           │            │── notify ──►│
   │◄── 202 Accepted ──────┤            │             │
   │                                                    │
   │                             (async transmux)       │
@@ -224,12 +224,14 @@ The 1,000-viewer target is well within single-machine capacity. Upgrading to a 2
 
 ---
 
-## Scaling Decision Guide
+## Scaling Decision Guide (future)
+
+The current deployment is single-process. If the architecture were split into separate services, these would be the scaling signals:
 
 | Signal | Action |
 |--------|--------|
-| Playback latency rising, cache miss rate high | Add Streamer instances |
-| Transmux queue depth growing | Add Ingestor instances (HPA on queue depth) |
-| Control-plane P99 > 100 ms | Add MetaService instance or DB read replica |
-| Gateway CPU > 70% | Add Gateway instance or offload TLS to Ingress |
-| MinIO write latency spiking | Add storage nodes or move to SSD |
+| Playback latency rising, cache miss rate high | Scale Streamer |
+| Transmux queue depth growing | Scale Ingestor |
+| Control-plane P99 > 100 ms | Scale MetaService or add DB read replica |
+| Gateway CPU > 70% | Scale Gateway or offload TLS to Ingress |
+| MinIO write latency spiking | Add storage capacity or move to SSD |
