Production-grade microservices security infrastructure and ReactJS frontend built with AI-assisted development
Prerequisites: VS Code with Dev Containers extension, Docker
git clone https://github.com/budgetanalyzer/workspaceOpen in VS Code → "Reopen in Container" → Follow Getting Started
Before diving into code, explore how this architecture emerged:
Architecture Conversations — Conversations documenting architectural decisions, AI collaboration patterns, and the philosophy behind this project
This project started as a simple re-fresh of my spring boot microservices skills after a 2 year sabbatical. I wanted to solve the relatively simple problem of reconciling multiple bank accounts in multiple currencies, so I figured I'd do a quick microservice + ReactJS frontend and go find a consulting role as I've been doing the last few years. I was shocked to finish that in a couple weeks after gettting comfortable using Claude Code, so I expanded the scope of the project significantly. This is a full production grade best practices Backend For Frontend Oauth2 Security implementation for an auditable compliance-oriented financial application. But really it's just an AI sandbox. And now I'm excited to go back to building stuff and am looking to work with people that get what this is.
✨ Using Claude Code, we rapidly expanded from a basic app to a full enterprise-grade security architecture. The AI didn't just write code—it helped design systems, document decisions, and implement patterns that would typically require a dedicated team. (Claude wrote that)
So Claude's right, that's exactly it. I had previously tried using copilot and code assist and was thoroughly unimpressed. I didn't grok it until i stopped trying to use it as a code assist tool but instead use it as a pair programmer for design and implementation. We discussed and interated on plans, if you watch the repo I frequently check in plans to give an idea of how detailed they get. I didn't type a line of code in budget-analyzer-web, but that is a fully functional ReactJS app using best practices from bulletproof react.
I don't really write code anymore, I just design, plan, refine, and code review. It's easier to just tell Claude to change a variable name because it will rename the variable, fix all the javadocs, and update any random documentation that mentioned the variable name. I normally have a bunch of terminals all grinding away working on plans in the various services in parallel, it's like a video game.
I think the future is here, and it's pretty exciting. People aren't into chatbots- neither was I. Building this project opened my eyes into ways of using and choreographing AI that I hadn't even considered. It's a pretty exciting time to be alive, I feel like a physicist who was lucky enough to be around in the 1930s and 40s while they were building the bomb. We don't know where this is gonna take us, but there's no resisting, it's clear this is the path of history.
This is scary.
We're building a pluggable security and authorization infrastructure that any company can adopt.
The goal isn't just a budget app. It's a reusable foundation that demonstrates:
- Production-ready OAuth2/OIDC authentication
- Server-side session management (BFF pattern)
- Per-request session validation at the gateway
- Role-based access control with delegation
- Defense-in-depth security layers
Once these patterns mature, this becomes a template for enterprise applications—drop in your business logic and inherit battle-tested security.
But we're also in parallel figuring out how to code with AI. This is the IDE/coding standard baseline for human/AI development. All opensource, I envision us including url resources for CLAUDE.md files. Very standardized code rules, it'd be cool to keep it here, but i'm down if someone has a better idea. All the code is gonna look generic and that's OK, no need for style, markdown and simple code, let's standardardize the interface to AI. VS Code open source, bring your own key is the way it goes, it's not up for debate. They aren't gonna control this. And here's the thing, once you communicate with AI using code you realize that's the only interface it has to the external world. Software architects are the new high priests, we speak AI. AI is already here, this is all Claude Opus 4.5. We're not waiting on the next model. This isn't a toy for the masses, it's such a different experience as a software architect. It just doesn't have any way to communicate other than text, and yeah, chatbots are weak.
(running out of breath)
The project quickly became meta. For example we want to avoid vendor lock-in for AI service providers. We should be able to swap out and experiment with Gemini and Claude and whatever comes next. The criticism I keep hearing about using AI for development is that it's great for greenfield projects like this, but it breaks for a real company with a large complex codebase. My hypothesis is that we simply haven't quite formalized the best practices for doing those migrations, but I think it's possible to introduce these AI development tools into a mature system by starting on leaf nodes and working your way up documenting functionality. For example create a CLAUDE.md file in a single microservice or piece of the architecture and focus on getting it working well there, and then expand outwards. I think it's a mistake to try to use a top-down approach introducing these tools.
flowchart TB
subgraph Clients
Browser[Browser]
end
subgraph Ingress["Istio Ingress Gateway (:443)"]
direction LR
SSL[SSL Termination]
EXT["ext_authz (inline on /api/*)"]
THROTTLE[Auth-Path Throttling]
end
subgraph Auth["Auth Layer"]
SG[Session Gateway<br/>OAuth2 / Sessions<br/>Port 8081]
EA[ext_authz<br/>Session Validation<br/>Redis-backed]
end
subgraph Routing["NGINX API Gateway"]
direction LR
ROUTE[Routing + Rate Limiting]
end
subgraph Services["Backend Microservices"]
TS[Transaction Service]
CS[Currency Service]
PS[Permission Service]
end
Redis[(Redis<br/>Session Store)]
Browser -->|HTTPS| Ingress
Ingress -->|"/auth/*, /oauth2/*, /logout, /user"| SG
Ingress -->|"/api/* (ext_authz approved)"| Routing
Ingress -->|"/, /login (frontend)"| Routing
EXT -.->|Session Lookup| EA
EA -->|Session Lookup| Redis
SG -->|Session Dual-Write| Redis
Routing -->|mTLS| Services
style SG fill:#e1f5fe
style EA fill:#f3e5f5
style Ingress fill:#fff3e0
| Layer | Component | Responsibility |
|---|---|---|
| 1 | Istio Ingress Gateway | SSL termination, ext_authz enforcement, auth-path throttling, ingress routing |
| 2 | Session Gateway | OAuth2 flows, HTTP-only cookies, session management |
| 3 | ext_authz | Per-request session validation via Redis, header injection |
| 4 | Backend Services | mTLS-enforced access (Istio STRICT), data-level authorization |
- Tokens never exposed to browser — Immune to XSS token theft
- Instant session revocation — Redis key delete terminates access immediately
- Identity provider abstraction — Swap Auth0/Okta/Keycloak without client changes
- Pluggable design — Security infrastructure meant for reuse across organizations
This project demonstrates what's achievable when AI augments development:
- Architecture design — Security patterns, component responsibilities, data flows
- Implementation — Services, configurations, and integrations
- Documentation — Living docs that stay current with the code
- Code review — Pattern consistency and security considerations
✨ The rapid expansion from simple app to enterprise architecture was only possible through AI assistance. This isn't just a showcase—it's a proof point for AI-augmented software development.
| Layer | Technologies |
|---|---|
| Frontend | React, TypeScript, Vite |
| Backend | Spring Boot, Java 24+, Gradle |
| Gateway | Istio Ingress Gateway, NGINX |
| Auth | OAuth2/OIDC, Auth0 |
| Infrastructure | Kubernetes (Kind), Tilt, Istio, Calico, Docker, PostgreSQL, Redis, RabbitMQ |
No tradeoff between development speed and production fidelity. Edit code locally — changes reach the running Kubernetes pod in seconds without image rebuilds or pod restarts, while Istio mTLS, Calico network policies, ext_authz session validation, and TLS-encrypted infrastructure stay active around it.
| Stack | Inner-loop mechanism |
|---|---|
| Java (Spring Boot) | Gradle compiles on the host, Tilt syncs the JAR into the pod, process restarts — seconds |
| React (Vite) | Tilt syncs source files, Vite HMR hot-patches the browser — sub-second |
| Shared library | service-common change cascades to all downstream services automatically |
Most teams choose: fast local dev (unfaithful) or real Kubernetes (slow rebuilds). This setup gives both. Details in the live development pipeline docs.
| Repository | Purpose |
|---|---|
| orchestration | Tilt + Kind development environment, Istio ingress, ext_authz, NGINX configuration |
| session-gateway | OAuth2 BFF, session management, Redis dual-write for ext_authz validation |
| transaction-service | Financial transactions, accounts, and analytics API |
| currency-service | Currency management and exchange rates — Demo service showcasing advanced microservice patterns |
| permission-service | Role management and access delegation (RBAC) |
| budget-analyzer-web | React frontend with multi-currency support |
| service-common | Shared Java library for all backend services |
| checkstyle-config | Shared checkstyle rules for Java services |
| basic-repository-template | Template for creating new services |
| workspace | Start here — Devcontainer entry point, single clone to get everything |
| architecture-conversations | The philosophical foundation — conversations exploring AI-assisted development |
| claude-discovery | Experimental AI discovery tool |
Note: The
currency-serviceserves as our reference implementation. It demonstrates generic patterns commonly needed in production microservices—patterns we're fleshing out to be reusable across services.
MIT
Everything above is bleurubin. Everything below is Claude summarizing the research.
Route between thousands of AI-loadable expert files without a graph database. Each expert self-describes ("Consult when: [condition]"), AI interprets semantically. Works on air-gapped networks.
LLMs skip steps when pattern-matching. Force them to write intermediate state and they compute correctly. We figured this out for arithmetic before o1 shipped.
Character counting · Arithmetic
You don't tell AI what to build—you ask, then correct course. The human is the taste function, not the generator.
