• Okhtay Sattari
• >Projects
• >TuranBilgi Business Platform: API-First Distributed Microservices Architecture

TuranBilgi Business Platform:
API-First Distributed Microservices Architecture

(July 2025 - Present)

TuranBilgi is a modern, API-first, multi-client business platform designed to support complex domain workflows alongside high-performance real-time communication. The platform follows a distributed microservices architecture with event-driven coordination, enabling independent scaling, fault isolation, and long-term extensibility across backend services and client applications.

• Platform Overview & Architectural Focus
• Platform Microservices
• Security & Authentication
• Testing Strategy & Quality Assurance
• Containerization, Deployment, Backup & Observability
• Future Extensions: Serverless & Micro-Frontends
• Client Applications

Platform Overview & Architectural Focus

TuranBilgi is designed as a unified backend system serving multiple client applications through a shared API layer. All business logic, authentication, authorization, and real-time capabilities are centralized within the platform and exposed through a shared API layer. This ensures consistent behavior across all consuming clients while allowing internal services to evolve independently. It is designed around long-term platform sustainability rather than short-term feature delivery. Its architecture emphasizes:

• API-First Design (REST & GraphQL)

  All platform capabilities are exposed through well-defined REST and GraphQL APIs. This guarantees that web, mobile, desktop, and third-party integrations operate on a shared and stable contract, while preserving internal service autonomy.

• Event-Driven Communication Model

  TuranBilgi adopts an event-driven architecture for internal coordination, background processing, and state propagation between services. Asynchronous messaging (Kafka & RabbitMQ) enables loose coupling between services, improves resilience, and supports scalable background processing.

  • Kafka is used for internal domain events, workflow continuation, and background processing. It enables replayable event streams, horizontally scalable consumers, and loose coupling between microservices using the outbox pattern.
  • RabbitMQ is intentionally limited to external integrations such as email, SMS, and third-party providers, acting as a resilient boundary for side-effects, retries, and failure isolation.
  • Synchronous REST APIs are used primarily for queries, validation, and administrative interactions, not for long-running or state-changing workflows.

  This clear separation of communication patterns ensures resilience, observability, and long-term maintainability.

• Service Boundaries & Fault Isolation

  The platform is composed of multiple domain-focused microservices, each owning its data model and execution context. This prevents cascading failures and ensures that issues in one domain (such as discussion, chat, or real-time notification) do not compromise core business functionality.

• Horizontal Scalability

  All services are designed to be stateless and container-friendly, enabling independent horizontal scaling of Core, Interaction, Payment, Real-Time, and AI components or microservices based on workload characteristics.

• Polyglot Persistence

  Each service uses the storage technology best suited to its domain:

  • PostgreSQL for transactional and relational data
  • MongoDB for document-oriented and interaction-heavy workloads
  • Redis for caching, coordination, and real-time state management

  This approach optimizes performance while preserving clear data ownership and service autonomy and maintainability.

• Real-Time Reliability

  WebSocket-based presence, notifications, and messaging are designed to remain consistent and responsive under concurrent load, supporting real-time collaboration and communication use cases at scale.

• Clean Separation of Concerns

  Authentication, business logic, communication, payments, and intelligence are treated as independently bounded domains. This enables long-term evolution of the platform without cross-service entanglement or architectural rewrites.

• Platform Evolution Philosophy

  TuranBilgi is intentionally structured for incremental evolution. New services, additional client applications (web, mobile, desktop), and external integrations can be introduced without architectural rewrites or disrupting existing functionality, with preserving platform stability while enabling continuous growth.

Platform Microservices

TuranBilgi platform consists of several domain microservices, each focused on a specific area of platform functionality while communicating and coordinating through events or synchronous API calls.

1. Core Business Microservice
2. Interaction & Discussion Microservice
3. Payment, Billing & Financial Processing Microservice
4. Real-Time Communication, Notification & Audit Processing Microservice
5. AI Microservice

1. Core Business Microservice

The Core Business microservice is implemented using Node.js (Express.js with TypeScript) and exposes both REST and GraphQL APIs. It serves as the primary orchestration and transactional domain service of the platform, coordinating long-running business workflows, enforcing business rules, and managing the lifecycle of core business entities.

This microservice does not replace domain ownership of other services, but instead acts as the central workflow coordinator and external-integration boundary, ensuring that domain services remain decoupled from infrastructure and third-party concerns.

Core Responsibilities:

Business Workflow Orchestration

The Core Business microservice supports a collaborative and moderated workflow where users and administrators interact to create, refine, and finalize ideas, projects, contracts, invoices, and support tickets. It manages multi-step, stateful workflows that span multiple domains and user roles:

1. Idea Management & Discussion:

   • Users or prospective clients submit ideas into the system.
   • Moderator administrators review submissions and may propose refinements or initiate new idea threads.
   • All discussions and refinements are handled via the Interaction microservice, allowing commenting and refining ideas and collaborative iteration until an idea reaches maturity.

2. Project Creation & Collaboration:

   • Once an idea and its discussion thread are finalized, administrators can create a project and associated applications based on the root idea and the agreed upon discussion thread.
   • Project details and applications are further discussed and refined through the Interaction microservice until consensus is reached.

3. Contract Management:

   • After project agreement, contracts are created and managed within the Core Business microservice.
   • Contract terms are discussed between administrators and the associated users via the Interaction microservice.
   • Once agreed, contracts transition to an immutable state, locking associated project definitions and obligations.

4. Invoice Generation & Payment Coordination:

   • Administrators generate invoices over time based on agreed contracts.
   • Users pay invoices, while invoice details and payment-related discussions continue through the Interaction microservice.
   • Payment execution and provider-specific integrations are owned exclusively by the Payment microservice, which operates independently and is intentionally isolated for security and compliance reasons.

5. Support Ticket Management:

   • Users create support tickets within the Core Business microservice.
   • Support administrators review, respond, and resolve tickets.
   • Ticket discussions occur through the Interaction microservice until resolution, after which tickets are closed, the resolutions are recorded, and the tickets are archived.

Authentication & Account Management

In addition to business workflows, the Core Business microservice is responsible for:

• User and administrator authentication and authorization
• Account registration, login, and profile management
• Enforcement of access control and role-based permissions
• Other domain-specific transactional operations

Event-Driven Integration & External Side Effects

The Core Business microservice acts as the central gateway for external asynchronous integrations, while preserving a fully event-driven internal architecture.

• All domain microservices emit internal domain events through Kafka using their own outbox patterns.

• The Core Business microservice is the sole consumer responsible for translating selected domain events into external side effects, such as:

  • Email notifications
  • SMS messages
  • Other third-party, non-domain integrations

External integrations are intentionally not handled directly by domain services. Instead:

• Domain services publish intent-based events (e.g., user registered, comment replied, invoice paid).
• The Core Business microservice consumes these events, applies integration-specific logic, and enqueues external jobs via RabbitMQ.
• Dedicated background workers process these queues, handling retries, failures, and delivery guarantees without blocking domain workflows.

This design prevents infrastructure concerns from leaking into domain services and ensures consistent handling of external systems.

Infrastructure Components:

• PostgreSQL

  Primary relational database for business-critical, transactional data (users, admins, ideas, projects, applications, contracts, invoices, support tickets).

• MongoDB

  Document-oriented, write-optimized, and schema-flexible storage used for outbox persistence, event projection support, and supplementary non-relational data.

• Redis

  Caching, distributed coordination, rate-limiting, and performance optimization.

• Kafka

  Internal event streaming backbone for inter-service communication, domain events, and audit propagation.

• RabbitMQ

  Asynchronous job processing and external integration queuing, used exclusively for side-effect-driven workflows such as email and SMS delivery.

Architectural Rationale:

This approach ensures:

• Clear separation between domain logic and external side effects
• Strong decoupling between microservices
• Consistent, observable, and retryable external integrations
• Simplified operational control over third-party dependencies
• Preservation of domain ownership while enabling coordinated workflows

2. Interaction & Discussion Microservice (Shared Collaboration Layer)

To support structured communication, decision-making, and accountability across all business domains, TuranBilgi includes a dedicated Interaction & Discussion microservice. This service implements a unified, reusable interaction model that enables threaded discussions, contextual replies, moderation workflows, and historical traceability for all major business entities.

Rather than embedding isolated comment systems within individual services, TuranBilgi centralizes all collaborative interactions into a shared domain layer, ensuring consistency, scalability, and governance.

The microservice is implemented using NestJS with TypeScript and exposes both REST and GraphQL interfaces. It operates in close coordination with the Core Business microservice through an event-driven Saga-based architecture.

Shared Interaction Model:

All major platform entities require structured communication and collaborative workflows:

These entities share common interaction requirements:

• Threaded conversations
• Nested replies
• Moderation and reporting
• Edit and deletion history
• Actor accountability
• Contextual linking to business entities

This unified design is referred to internally as the Shared Interaction Model.

Core Responsibilities:

The Interaction & Discussion microservice is implemented using NestJS and provides both REST and GraphQL APIs. It operates independently from the Core Business API and focuses exclusively on collaborative workflows. Key responsibilities include:

1. Thread & Comment Management

   • Creation and management of discussion threads
   • Hierarchical reply structures
   • Entity-agnostic attachment of discussions
   • Rich metadata support (status, visibility, ownership)
   • Soft deletion and version history

2. Moderation & Governance

   • User and administrator moderation tools
   • Reporting and review workflows
   • Content visibility control
   • Policy enforcement
   • Abuse detection and escalation pipelines

3. Accountability & Auditability

   • Immutable activity logs
   • Per-action attribution
   • Historical change tracking
   • Legal and compliance support

4. API & Developer Interfaces

   The service exposes:

   • REST APIs with OpenAPI (Swagger) documentation
   • GraphQL APIs with Apollo Sandbox support
   • JWT-secured endpoints for client and service access
   • Legal and compliance support

   This dual-interface strategy enables frontend teams to select the most appropriate interaction model for each client application.

Data Management:

The interaction subsystem is optimized for high-volume, write-heavy collaboration workloads.

• MongoDB is used for:

  • Thread roots
  • Comments and replies
  • Moderation reports
  • Revision histories
  • Event streaming outboxes

• PostgreSQL (via Core Business Microservice)

  remains the source of truth for business entities.

All discussions are linked to business entities through a generic entity reference model, enabling flexible cross-domain associations without schema coupling.

Event Integration:

The service integrates with the platform’s event-driven infrastructure.

• Produces Events For:

  • New comments
  • Moderation actions
  • Resolution updates
  • Thread lifecycle changes

• Consumes Events For:

  • Entity deletion
  • Access revocation
  • User suspension
  • Workflow transitions

This ensures synchronization between business workflows and interaction state.

Architectural Benefits:

The Interaction & Discussion microservice provides:

• Centralized collaboration logic
• Consistent user experience across domains
• Independent scalability
• Reduced duplication
• Strong governance capabilities
• Simplified compliance auditing
• Clean domain boundaries

It functions as the platform’s unified collaboration and discourse layer.

3. Payment, Billing & Financial Processing Microservice

To support secure, scalable, and regulation-compliant financial operations, TuranBilgi includes a dedicated Payment, Billing & Financial Processing microservice. This microservice handles payment intents, billing workflows, PSP integrations, settlement reconciliation, and fraud prevention, isolating financial execution from core business logic and maintaining strong transactional boundaries.

Rather than embedding payment logic directly within the Core Business API, TuranBilgi isolates all monetary processing into a specialized domain service. This separation ensures strong security boundaries, regulatory compliance, independent scalability, and fault isolation for all financial operations.

The microservice is implemented using NestJS with TypeScript and exposes REST APIs for transactional workflows and webhook integrations. It operates in close coordination with the Core Business microservice through an event-driven Saga-based architecture.

Architectural Role:

The Payment microservice functions as the platform’s financial execution and settlement layer. It is responsible for:

• Orchestrating payment lifecycles
• Integrating with external payment service providers (PSPs)
• Ensuring transactional integrity
• Emitting authoritative payment events
• Supporting reconciliation and audit workflows

All financial state transitions are managed locally and synchronized with other services via Kafka events, avoiding cross-service database coupling.

Core Responsibilities:

1. Payment Orchestration & Processing

The microservice manages the full lifecycle of invoice payments, including:

• Creation of payment intents linked to invoices
• Integration with third-party PSPs (e.g., iyzico)
• Secure card and wallet payment handling
• Multi-currency transaction support (TRY, EUR, USD)
• 3D Secure and fraud-prevention workflows
• Idempotent payment execution
• Retry and failure recovery mechanisms

All payment operations are executed within database transactions and coordinated through the outbox pattern to guarantee consistency.

2. External Provider Integration Layer

A dedicated adapter layer abstracts third-party payment providers and normalizes their APIs into a unified internal interface. This layer supports:

• Provider-specific request/response mapping
• Signature and webhook verification
• Error normalization
• Rate-limit and timeout handling
• Provider failover strategies
• Future extensibility for additional PSPs

This design enables seamless migration or multi-provider support without impacting upstream business logic.

3. Webhook & Settlement Processing

The microservice exposes secure webhook endpoints to receive asynchronous confirmations and settlement notifications from PSPs. Key responsibilities include:

• Cryptographic signature validation
• Idempotent webhook handling
• Payment status reconciliation
• Settlement confirmation processing
• Dispute and chargeback handling
• Refund and reversal workflows

Webhook processing pipelines are isolated from public APIs to prevent external interference with transactional state.

4. Financial Event Production & Saga Coordination

The Payment microservice participates in distributed business workflows using event-driven Saga choreography. It emits domain events such as:

• PaymentInitiated
• PaymentPending
• PaymentConfirmed
• PaymentFailed
• PaymentRefunded
• SettlementCompleted

These events are published via the MongoDB Outbox and Kafka pipeline and consumed by the Core Business and Real-Time services to update invoice states, trigger notifications, and generate audit records. No direct database access between services is permitted, preserving domain isolation.

5. Reconciliation & Reporting Subsystem

To ensure long-term financial accuracy and regulatory compliance, the microservice includes automated reconciliation pipelines. These processes support:

• Daily PSP settlement comparison
• Invoice-to-payment matching
• Currency conversion validation
• Discrepancy detection
• Manual adjustment workflows
• Financial report generation

This subsystem provides resilience against message loss, provider outages, and partial failures.

6. Fraud Prevention & Compliance Support

The payment service incorporates security and compliance controls, including:

• Velocity and anomaly detection
• Duplicate transaction suppression
• Risk-based payment scoring
• Audit trail generation
• MASAK and AML alignment support
• GDPR and KVKK–compliant data handling

Sensitive card data is never stored within platform databases and is handled exclusively by certified PSPs.

API & Integration Interfaces:

The Payment microservice exposes specialized APIs optimized for transactional reliability.

Supported Interfaces

• REST APIs for payment creation and management
• Secure webhook endpoints for provider callbacks
• Internal service APIs for invoice validation
• JWT and mutual-authenticated service endpoints

GraphQL is intentionally excluded from payment execution paths to reduce complexity and ensure deterministic transactional behavior.

Data Management:

The microservice maintains its own isolated relational database optimized for financial workloads.

• PostgreSQL is used for:

  • Payment records
  • Provider references
  • Settlement records
  • Reconciliation logs
  • Adjustment entries

• MongoDB is used for:

  • Event outboxes
  • Integration logs
  • Webhook payload archives

All monetary records are immutable and append-only, ensuring auditability and traceability.

Event Integration:

The microservice is tightly integrated with TuranBilgi’s event-driven infrastructure.

• Produces Events For:

  • Payment lifecycle transitions
  • Settlement confirmations
  • Refunds and reversals
  • Dispute resolutions

• Consumes Events For:

  • Invoice creation
  • Invoice cancellation
  • User account status changes
  • Contract lifecycle updates

This bidirectional integration enables consistent financial synchronization across distributed domains.

Distributed Reliability & Consistency:

To guarantee financial correctness in a distributed environment, the Payment microservice employs:

• Transactional outbox pattern
• Exactly-once event publishing
• Idempotent command handling
• Optimistic locking
• Compensating actions for failed workflows
• Automated reconciliation jobs

These mechanisms ensure consistency without requiring distributed transactions.

Architectural Benefits:

The Payment, Billing & Financial Processing microservice provides:

• Strong financial domain isolation
• Enhanced security boundaries
• Regulatory compliance readiness
• Independent scalability
• Provider-agnostic payment abstraction
• Fault-tolerant transaction processing
• Long-term auditability
• Reduced operational risk

It functions as the platform’s dedicated financial execution and settlement authority while remaining loosely coupled to core business workflows.

4. Real-Time Communication, Notification & Audit Processing Microservice

A dedicated NestJS and Socket.IO–based microservice is responsible for managing all real-time communication, notification delivery, and centralized audit projections across the distributed platform, ensuring responsive client experiences and operational traceability. The service maintains persistent WebSocket connections and exposes REST and GraphQL APIs to support scalable, low-latency client interactions.

Rather than acting as a centralized event authority, this microservice operates as a specialized consumer and processor within a federated, domain-driven event architecture. Each domain service owns its own event production and outbox mechanisms, while this service focuses on real-time delivery, notification orchestration, and audit aggregation.

Core Responsibilities:

1. Real-Time Chat & Collaboration System

The microservice provides a full-featured, managed chat and collaboration subsystem supporting both private and room-based communication.

Administrative & Management APIs

Through REST and GraphQL interfaces, administrators can:

• Create and manage chat rooms
• Assign and manage room administrators
• Add, remove, and manage room members
• Moderate and manage room messages
• Control access and visibility based on business rules

These management capabilities enable controlled, enterprise-grade collaboration environments.

Messaging Features

The chat subsystem supports:

• Private one-to-one messaging
• Room-based group messaging
• Real-time typing indicators
• Message delivery and read/seen acknowledgments
• Private message deletion
• Global (moderator-level) message deletion
• Message lifecycle management

All messaging operations are synchronized across distributed gateways using Kafka and Redis to ensure consistency and fault tolerance.

2. Notification Management System

The platform implements a flexible, event-driven notification system supporting both manual and automated workflows. This microservice acts as the primary notification orchestration and delivery engine, consuming domain events emitted by distributed services and transforming them into user-facing notifications.

Notification Types

• Channel Notifications
  Broadcast notifications delivered to system channels, teams, or workspaces
• Private Notifications
  Direct, user-targeted notifications

Notification Creation Modes

A. Manual (Admin-Driven)
Administrators can:

• Create draft notifications
• Schedule publication
• Publish immediately
• Target specific channels or users

B. System-Generated (Event-Driven)
Distributed domain services emit notification-related events via their own MongoDB Outbox and Kafka publishing mechanisms for business events such as:

• Invoice generation
• Payment events
• Support ticket updates
• Workflow state transitions
• System alerts

These events are published to Kafka by the originating services and consumed by the notification processors for delivery.

Notification Interaction Tracking

The notification subsystem supports:

• Read and acknowledgment events for private notifications
• Channel-level read tracking
• Delivery status monitoring
• Per-user notification state synchronization

This enables accurate notification lifecycle management and user engagement tracking.

3. Centralized Audit Log Aggregation via Event Streaming

This microservice serves as the centralized audit projection and compliance authority for the Turan Bilgi platform.

All domain microservices emit standardized audit events as part of their own transactional workflows using the MongoDB Outbox pattern. These events are reliably published to Kafka through service-local outbox processors, ensuring atomicity, durability, and failure isolation without cross-service coupling.

The Realtime microservice acts as the sole consumer and persistence owner of audit events. It consumes audit-related Kafka topics, validates and enriches incoming events, and persists them into an immutable, append-only audit log store.

Core responsibilities include:

• Collection of internal audit events via MongoDB Outbox
• Reliable publishing of internal audit events through Kafka outbox workers
• Consumption of audit events from Kafka topics published by all domain microservices
• Schema validation, normalization, and enrichment of audit records
• Idempotent, ordered, and append-only persistence in MongoDB
• Long-term retention, archiving, and replay support
• Centralized audit visibility for regulatory, compliance, and forensic use cases

This design enforces clear ownership boundaries: domain services are responsible only for emitting audit intent, while audit persistence, retention, and compliance guarantees are centralized. The approach preserves domain autonomy, avoids distributed transactions, and enables scalable, fault-tolerant audit processing through event-driven architecture.

Distributed Scalability & Coordination:

To support multi-instance deployments and horizontal scaling:

• Apache Kafka serves as the shared event streaming backbone for inter-service communication, enabling reliable, ordered, and replayable message delivery such as chat, notification, and audit workloads. Kafka enables multiple gateway instances to publish and consume chat and notification events reliably across the cluster.
• Redis provides distributed coordination for:
  • WebSocket gateway synchronization
  • Room membership management
  • Duplicate event suppression
  • Shared session and state management
  • Caching of low-change system and actor data

This infrastructure enables independent scaling of producers and consumers while maintaining platform-wide consistency, or ensuring consistent behavior across clusters.

Architectural Benefits:

This microservice is designed to scale independently from core business and interaction microservices and provides:

• Low-latency and governed real-time communication environments
• Event-driven notification orchestration
• Reliable private and multi-channel notification pipelines
• Centralized, compliant audit projections
• Loose coupling between domains
• High system observability, traceability and compliance support
• Independent deployment and horizontally scalable real-time infrastructure
• Fault-tolerant event consumption pipelines

It functions as the platform’s real-time delivery and compliance projection layer, rather than as a centralized event authority.

5. AI Microservice (Intelligent Extension Layer)

To support advanced intelligence, automation, and knowledge-driven features, TuranBilgi includes an optional AI Microservice that extends the platform’s capabilities into natural language understanding, semantic search, content summarization, and assisted workflows.

The AI microservice is developed using Python and built on the FastAPI framework, enabling high-performance asynchronous processing and scalable API-driven intelligence services. This service operates as an independent extension layer within the microservice architecture, allowing AI capabilities to evolve separately from the core business services.

Purpose

The AI microservice is designed as a loosely coupled, language-agnostic intelligence layer that consumes business events (such as idea creation, discussion updates, and support ticket changes) and produces knowledge artifacts that enhance user experience and platform insight. It does not replace existing services but augments them with machine-assisted intelligence.

By isolating AI workloads into a dedicated Python-based service, TuranBilgi ensures:

• Clear separation between business logic and computational intelligence
• Independent scaling of AI-intensive operations
• Flexibility to integrate machine learning models, vector databases, and NLP pipelines
• Clean API-based communication with other microservices

This architecture enables TuranBilgi to progressively introduce intelligent features without compromising the stability or modularity of the core platform.

Key Responsibilities

The AI microservice provides:

1. Semantic Embedding Generation — Creating vector representations of text content from discussions, tickets, and ideas for similarity search and retrieval.
2. Content Summarization — Producing concise summaries of long discussion threads or support histories to improve readability and decision-making.
3. Semantic Search & Matching — Enabling users and services to find related content using meaning-based search queries (not just keyword matching).
4. RAG-style Assistant Responses — Combining retrieved content with language models to answer questions in context (e.g., “What are the main issues in idea X?”).
5. Optional Moderation Support — Assisting with detection of content quality issues or policy violations. (Future expansion)

Architecture Integration

The AI microservice operates independently from the other microservices but integrates through the platform’s event infrastructure:

• Consumes Domain Events (e.g., new idea created, discussion updated) for embedding and indexing.
• Publishes AI-derived Events (e.g., summary available, related content recommendations).
• Stores Embeddings & Metadata in a search-optimized store (such as PostgreSQL with vector indexing) separate from other services’ databases.
• Exposes REST + gRPC Endpoints for other services or clients to request intelligent capabilities.

This separation maintains microservice boundaries, avoids direct coupling to the database store of other microservices, and enables independent scaling of AI workloads.

Benefits

Adding the AI microservice to the platform enables:

• Faster insights over large amounts of text content
• Smarter search and discovery of related ideas and discussion context
• Enhanced user productivity through summarization and assisted content navigation
• Foundation for future AI-driven workflows such as predictive recommendations and automated scoring

Future-Ready Approach

While the core platform handles transactional and collaboration workloads, the AI microservice is designed for extensibility into:

• Hybrid retrieval-augmented generation (RAG)
• Local model hosting and fine-tuning
• Intelligent workflow orchestration
• Graph-based reasoning over business entities

This aligns with TuranBilgi’s long-term extensibility goals while preserving clear service boundaries.

Security & Authentication

TuranBilgi adopts a shared JWT-based authentication model across all microservices to ensure consistent and secure identity propagation throughout the system.

The Core Business service acts as the primary identity authority, issuing signed JWT access tokens after successful authentication. Client applications include these tokens in subsequent requests to other microservices, which independently validate the token signature and claims without requiring centralized session storage.

This approach provides:

• Stateless authentication across services
• Clear separation between authentication (identity verification) and authorization (role- and claim-based access control)
• Secure service-to-service communication using trusted token validation
• Simplified identity propagation across distributed workflows

JWT expiration policies and claim validation mechanisms enforce time-bound access while preserving scalability and performance.

This model balances strong security guarantees with operational simplicity, avoiding the need for centralized session management or complex gateway-level token orchestration.

Testing Strategy & Quality Assurance

TuranBilgi follows a structured, multi-layered testing strategy designed to ensure reliability, security, and long-term scalability across its distributed microservice architecture.

Testing is implemented using modern, ecosystem-appropriate frameworks (such as Jest, Vitest, SuperTest, MSW, and language-native testing tools) depending on service requirements. This layered testing strategy supports safe refactoring, reduces regression risk, and ensures consistent behavior in a distributed environment.

Testing Layers

All services follow clearly defined validation layers to ensure correctness, resilience, and predictable system behavior. The testing strategy includes:

• Unit Testing — validates isolated business logic, domain rules, and service-level functionality.
• Integration Testing — verifies interactions between APIs, databases, caches, and message brokers.
• End-to-End (E2E) Testing — validates complete user and system flows across REST, GraphQL, and real-time WebSocket interfaces.
• API Contract Testing — ensures backward compatibility and stable inter-service communication.
• External Dependency Mocking — isolates third-party integrations for deterministic testing.
• Code Coverage Enforcement in CI — prevents untested code from entering production branches.

Backend Microservices (Node.js)

• NestJS microservices are tested using Jest and SuperTest for unit and integration testing.
• Express.js or Fastify microservices are tested using Vitest, enabling fast and modern TypeScript-based testing.
• External services are mocked using MSW where required.

AI Microservice (FastAPI – Python)

The AI microservice is tested using:

• Pytest
• httpx for async endpoint testing
• pytest-asyncio
• coverage.py for coverage enforcement

Test Environment Architecture

Testing environments are fully isolated from production and are provisioned using containerized infrastructure. They include:

• Environment-specific configuration files (e.g., .env.test)
• Dockerized test databases (e.g., PostgreSQL, MongoDB, Redis)
• Dockerized message brokers (RabbitMQ, Kafka)
• Mocked or sandboxed external services
• Containerized test execution within CI pipelines

Integration tests run against real, isolated service dependencies to accurately simulate production interactions without impacting live systems. Unit tests mock messaging clients, while integration tests validate real message flows against isolated broker instances. This ensures realistic validation of event-driven communication without impacting production systems. This approach ensures deterministic, reproducible results across local development and continuous integration (CI) environments.

CI Pipeline Strategy

Each microservice runs automated tests in the CI pipeline on:

• Pull requests
• Merge to main branches
• Release candidates

Pipelines enforce:

• Test execution
• Coverage thresholds
• Linting and static analysis
• Build validation

No service can be deployed unless it passes all automated quality gates.

Security Validation

Security is integrated into the testing lifecycle through:

• Dependency vulnerability scanning
• Input validation and schema testing
• Authentication and authorization flow testing
• Rate-limiting and abuse-case testing
• Secure configuration validation

This ensures resilience against common attack vectors and misconfigurations.

Why This Testing Strategy

This testing strategy was chosen to:

• Maintain strict service isolation in a microservice architecture
• Allow independent evolution of services
• Support long-term scalability
• Ensure production-grade reliability
• Minimize regression risks during feature expansion

By aligning testing tools with each technology stack (NestJS, Express/Fastify, FastAPI), TuranBilgi achieves both architectural clarity and operational stability. This approach balances developer velocity with strict quality controls, enabling rapid innovation without compromising system stability.

Containerization, Deployment, Backup & Observability

The entire ecosystem is containerized under the TuranDocker project. This includes the Core Business, Interaction, Payment, and Real-Time microservices, PostgreSQL, MongoDB, Redis, Apache Kafka, RabbitMQ, reverse proxies (Nginx), and all the observability & monitoring tools. This setup enables fast, repeatable deployments on any Linux VPS while providing a strong foundation for future orchestration with Kubernetes or other container platforms, while remaining fully operational with Docker Compose or Docker Swarm.

Backup Strategy

To ensure data durability and disaster recovery, TuranBilgi implements automated backup pipelines for critical data stores:

• Automated database backups are performed for PostgreSQL and MongoDB via scheduled backup containers, producing timestamped, compressed dumps.
• Backups are pushed off the primary VPS to remote object storage (e.g., Backblaze B2 using rclone or similar tooling), ensuring safety in the event of server failure, data corruption, or infrastructure incidents. Backups are encrypted in transit and can be encrypted at rest to ensure confidentiality of sensitive data.
• Retention policies and cleanup procedures manage local storage, while periodic restore testing procedures (e.g., test restores to temporary containers) validate the correctness and integrity of backup artifacts.

These mechanisms guarantee that production data remains protected, restorable, and resilient against operational faults or disasters.

Observability & Monitoring

TuranBilgi adopts a comprehensive observability and monitoring strategy to provide deep visibility into system behavior, performance, and reliability across its distributed landscape. Observability goes beyond basic monitoring by correlating metrics, logs, and error events to enable rapid diagnosis and root cause analysis in complex deployments.
The observability platform includes:

• Metrics Collection & Alerting:

  A containerized Prometheus stack collects metrics from services, databases, brokers, and runtime resources (CPU, memory, request latencies, consumer lag, queue depths, etc.). Alerts are configured for critical thresholds (e.g., error rates, slowdowns, resource saturation) to notify stakeholders automatically.

• Dashboarding & Visualization:

  Grafana is used to visualize time-series metrics and create operational dashboards that display key indicators such as API performance, Kafka consumer health, RabbitMQ queue statistics, and WebSocket connection trends, turning raw telemetry into actionable insight.

• Error Tracking:

  Sentry captures exceptions, stack traces, and contextual request metadata from all services, enabling quick identification of issues in production and correlating failures with release versions and service flows.

• Distributed Tracing (Optional / Extensible):

  OpenTelemetry-based tracing can be integrated to visualize cross-service request flows and event-driven interactions, providing deeper insight into distributed transactions.

• Log Aggregation (Optional / Extensible):

  For centralized log analysis and search, a logging stack (e.g., Loki with Promtail or a full ELK stack) ingests and indexes logs from all containers. Correlating logs with metrics and traces helps answer not only what is happening, but why it is happening — critical for distributed systems and complex workflows.

Together, these components provide a unified observability surface that enhances operational confidence, reduces time to resolution, and supports continuous performance optimization as the platform evolves.

Orchestration Strategy & Migration Path

TuranBilgi is intentionally designed with orchestration portability in mind. While the platform currently operates efficiently using Docker Compose or Docker Swarm, its container boundaries, stateless service design, externalized configuration, and volume management patterns ensure a smooth migration path to Kubernetes when scaling requirements justify it.

Phase 1 — Docker Compose (Current / Early Stage)

Ideal for:

• Single-node or small multi-node deployments
• Low-to-medium traffic environments
• Cost-sensitive VPS infrastructure
• Rapid development and controlled environments

Benefits:

• Minimal operational overhead
• Simpler networking model
• Lower infrastructure complexity
• Easier debugging and deployment workflows

At this stage, Kubernetes would add unnecessary operational weight.

Phase 2 — Docker Swarm (Optional Intermediate Stage)

Suitable when:

• Running multiple nodes
• Needing simple clustering
• Basic rolling updates and service replication are required
• Traffic begins to grow but remains predictable

Swarm provides:

• Native service replication
• Overlay networking
• Basic load balancing
• Rolling deployments

However, Swarm remains simpler than Kubernetes and is often sufficient for medium-scale production workloads.

Phase 3 — Kubernetes (When It Becomes Necessary)

Migration to Kubernetes becomes justified when TuranBilgi experiences one or more of the following:

• Multi-node horizontal scaling across regions
• Auto-scaling requirements (HPA based on CPU, memory, or custom metrics)
• Complex rolling deployments or canary releases
• Blue/green deployments at scale
• Infrastructure spanning multiple data centers or cloud providers
• Need for advanced workload scheduling policies
• Team growth requiring stronger DevOps separation of concerns
• Platform-level SLA commitments

Kubernetes introduces production-grade orchestration capabilities such as:

• Horizontal Pod Autoscaling (HPA)
• Self-healing workloads
• Advanced rollout strategies
• StatefulSets for databases and brokers
• Native secret management
• Network policies
• Infrastructure abstraction

The migration can be executed incrementally:

1. Ensure all services:

   • Are fully stateless (except databases/brokers)
   • Use environment-based configuration
   • Store state only in volumes or external systems

2. Convert Docker Compose services into:

   • Kubernetes Deployments
   • Services (ClusterIP)
   • Ingress resources
   • ConfigMaps & Secrets

3. Migrate infrastructure components:

   • PostgreSQL → StatefulSet
   • MongoDB → StatefulSet
   • Kafka/RabbitMQ → Operator-based deployment (recommended)

4. Introduce:

   • Horizontal Pod Autoscalers
   • Liveness and readiness probes
   • Resource limits and requests

5. Gradually transition traffic from VPS deployment to Kubernetes cluster.

Because TuranBilgi already enforces clean container boundaries, this migration would be structural rather than architectural. Infrastructure evolution does not require service redesign, preserving long-term architectural stability.

API Gateway Considerations

API Gateways (e.g., Kong, KrakenD, Nginx Plus, Ambassador) provide centralized request routing, authentication, rate limiting, caching, and observability at the edge.

For TuranBilgi, an API Gateway is not necessary in early stages because:

• Clients can directly call microservices with JWT tokens
• Each microservice independently handles CORS and authorization
• Reverse proxy + TLS termination + strong JWT validation is sufficient
• Observability is already provided via Prometheus, Grafana, and Sentry

When an API Gateway Becomes Justified:

• Multi-team ownership requires unified policy enforcement
• Rate limiting, request throttling, or advanced authentication across services is needed
• Centralized analytics, logging, or metrics aggregation at the API edge is desired
• Multiple external clients (mobile, web, third-party) require simplified routing
• Service discovery, path-based routing, or versioned APIs need standardization

Migration Path:

1. Deploy the gateway in front of existing microservices without changing service internals.
2. Move TLS termination, authentication enforcement, and request routing to the gateway incrementally.
3. Integrate gateway-specific features (rate limiting, caching, analytics) as traffic grows.
4. Continue leveraging observability stack for detailed service-level metrics while the gateway provides edge-level insights.

Adding a gateway is incremental and should occur only when operational complexity or external exposure grows beyond what direct service calls can safely and efficiently manage.

Service Mesh Considerations (Consul Connect / Istio)

Service meshes provide:

• Mutual TLS (mTLS) between services
• Fine-grained traffic routing
• Circuit breaking
• Distributed tracing injection
• Service-to-service policy enforcement
• Observability at network layer

However, they introduce:

• Significant operational complexity
• Additional resource consumption
• Steeper debugging difficulty
• Learning curve and maintenance overhead

When a Service Mesh Is NOT Necessary

For TuranBilgi, a service mesh is not required when:

• Running in Docker Compose or Swarm
• Deploying on a single-node or small cluster
• Service-to-service communication remains simple
• mTLS can be handled at the gateway or via internal TLS
• Observability is already handled via Prometheus + Grafana + Sentry
• Traffic policies are not highly complex

In early and mid-stage deployments, adding Istio or Consul Connect would be architectural overengineering.

When a Service Mesh Becomes Justified

For TuranBilgi, a service mesh may become beneficial if:

• TuranBilgi scales to large multi-node Kubernetes clusters
• Zero-trust internal networking becomes mandatory
• Strong internal mTLS enforcement is required
• Advanced traffic shaping (A/B testing, canary per-route) is required
• Platform SLAs demand granular failure isolation
• Multi-team ownership requires traffic-level governance

At that stage:

• Istio offers powerful traffic control and ecosystem maturity.
• Consul Connect provides lighter-weight service mesh capabilities with simpler operational footprint.

Strategic Deployment Path for TuranBilgi

Current Stage:

• Docker Compose or Swarm is fully sufficient.
• No service mesh required.
• Reverse proxy + TLS termination + strong JWT validation is enough.

Scaling Stage (Future):

• Migrate to Kubernetes when horizontal scaling or advanced rollout strategies become necessary.
• Introduce service mesh only if internal zero-trust networking or complex traffic management becomes mandatory.

TuranBilgi’s architecture is intentionally modular and container-native, ensuring that orchestration upgrades can occur without redesigning core services.

Architectural Philosophy

TuranBilgi prioritizes:

• Operational clarity over complexity
• Incremental scalability over premature optimization
• Container portability over vendor lock-in
• Observability-first design
• Measured adoption of advanced infrastructure patterns

This approach ensures that infrastructure evolves in response to real operational needs rather than theoretical scalability assumptions.

Future Extensions: Serverless & Micro-Frontends

While TuranBilgi currently uses a microservice architecture, future extensions may incorporate Serverless and Micro-Frontend patterns:

• Serverless

  Serverless can be used for event handlers, AI inference, webhook integrations, and other bursty workloads without requiring always-on infrastructure.

• Micro-Frontends

  Micro-Frontends enable independent UI modules (e.g., Chat, Notifications, AI Assist), allowing teams to develop, release, and scale UI components autonomously.

These patterns are not required at MVP, but become meaningful and beneficial as the platform grows, teams scale, and feature sets become more independent.

Client Applications

TuranBilgi is a multi-client platform, designed to serve different user experiences through a shared backend infrastructure. Client applications include:

• Admin Panel, to be built with Vite + React, for internal system management and operational workflows
• End-user Web Application, to be built with Vite + React, providing interactive user experiences
• End-user Mobile Application, to be built with React Native, enabling cross-platform mobile access
• Public Website, to be built with Next.js (React), providing interactive and SEO-friendly user experiences to be focused on marketing and informational content

All client applications consume the same TuranBilgi APIs (REST, GraphQL, and WebSockets), ensuring:

• Shared authentication and authorization
• Consistent business logic
• Unified real-time behavior across web, mobile, and desktop platforms