
Vijfpas products (product catalog)

This document records each product with ownership, environments, dependencies, confidentiality classification, and operational requirements.

1. Product entry contract

Each product should define:

  • Type
  • Owner team
  • Environments
  • Users
  • Confidentiality class
  • Dependencies
  • Runtime zones
  • External exposure
  • Technology stack (frontend/backend)
  • HA/SLO target
  • RPO/RTO target
  • On-call and escalation owner
  • Backup and observability baseline
  • Security notes
  • Threat model ID
  • Runbook ID/path
  • Lifecycle management baseline
  • Degraded-mode behavior

Threat model IDs referenced in this document are indexed in Vijfpas Threat Model Index. Confidentiality classes in this document follow Vijfpas Confidentiality Model. The value recorded per product is the default product-data baseline; specific datasets may classify higher.
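As an added example (not part of the Vijfpas catalog or its tooling), the checker below reads product entries in the "Key: value" bullet form used on this page and enforces the contract above: every required field present, no field outside the contract, a CONF-n class, an RPO/RTO pair, matching TM-PROD-/RB-PROD- suffixes, and agreement with the product's governance-matrix row (section 4) so entry and matrix cannot drift apart. The sample entry, the matrix row and the exact ID/path patterns are constructed or assumed for this example.

```python
"""Catalog contract checker.

Added example, not code from the Vijfpas catalog or its tooling. It parses one
product entry written in this page's bullet form and reports contract
violations; it also compares the entry with its governance-matrix row.
The sample entry and matrix row are constructed; the ID/path regexes are this
example's reading of the identifiers used on the page.
"""
import re

REQUIRED_FIELDS = (
    "Type", "Owner team", "Environments", "Users", "Confidentiality class",
    "Dependencies", "Runtime zones", "External exposure", "HA/SLO target",
    "RPO/RTO target", "On-call and escalation owner",
    "Backup and observability baseline", "Security notes", "Threat model ID",
    "Runbook ID/path", "Lifecycle management baseline", "Degraded-mode behavior",
)
# Optional: first-party entries inherit the stack from section 1.1,
# third-party entries add an integration-baseline line.
OPTIONAL_FIELDS = ("Technology stack", "Integration baseline")

CONF_RE = re.compile(r"^CONF-\d\b")
HOURS_RE = re.compile(r"<=\s*(\d+)h")
TM_RE = re.compile(r"^TM-PROD-([A-Z0-9]+)$")
RB_RE = re.compile(r"^RB-PROD-([A-Z0-9]+) -> (runbooks/[A-Za-z0-9._-]+\.md)")


def parse_entry(text):
    """Return (name, {field: value}) from one entry: a name line, then bullets."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    name, fields = lines[0], {}
    for ln in lines[1:]:
        key, sep, val = ln.lstrip("•*- ").partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return name, fields


def check_entry(name, fields):
    """Return contract violations for one entry; an empty list means it passes."""
    problems = []
    for f in REQUIRED_FIELDS:
        if f not in fields:
            problems.append(f"{name}: missing field '{f}'")
    for f in fields:
        if f not in REQUIRED_FIELDS and f not in OPTIONAL_FIELDS:
            problems.append(f"{name}: field '{f}' is not in the entry contract")
    if not CONF_RE.match(fields.get("Confidentiality class", "")):
        problems.append(f"{name}: confidentiality class must start with CONF-<n>")
    if len(HOURS_RE.findall(fields.get("RPO/RTO target", ""))) != 2:
        problems.append(f"{name}: RPO/RTO target must read '<= Nh / <= Mh'")
    tm = TM_RE.match(fields.get("Threat model ID", ""))
    rb = RB_RE.match(fields.get("Runbook ID/path", ""))
    if not tm:
        problems.append(f"{name}: threat model ID must look like TM-PROD-<NAME>")
    if not rb:
        problems.append(f"{name}: runbook must read 'RB-PROD-<NAME> -> runbooks/<file>.md'")
    elif tm and tm.group(1) != rb.group(1):
        problems.append(f"{name}: runbook suffix {rb.group(1)} != threat model suffix {tm.group(1)}")
    return problems


def cross_check(name, fields, matrix_row):
    """Compare an entry with its governance-matrix row; both must state the same values."""
    problems = []
    for col in ("RPO/RTO target", "Threat model ID"):
        if fields.get(col) != matrix_row.get(col):
            problems.append(f"{name}: '{col}' differs: entry={fields.get(col)!r} matrix={matrix_row.get(col)!r}")
    rb = RB_RE.match(fields.get("Runbook ID/path", ""))
    if rb and not matrix_row.get("Runbook ID/path", "").startswith(f"RB-PROD-{rb.group(1)} -> {rb.group(2)}"):
        problems.append(f"{name}: runbook path differs between entry and matrix")
    return problems


# Constructed sample (not a catalog product). The runbook suffix is deliberately
# wrong and the matrix row has drifted on RPO/RTO, so the checker reports both.
SAMPLE_ENTRY = """
demo-app

  • Type: web
  • Owner team: web
  • Environments: dev / acc / prd
  • Users: end users
  • Confidentiality class: CONF-3
  • Dependencies: Keycloak, PostgreSQL (primary)
  • Runtime zones: dmz front-end + svc backend
  • External exposure: yes (public web)
  • HA/SLO target: high; target 99.9% in prd
  • RPO/RTO target: <= 8h / <= 24h
  • On-call and escalation owner: web team primary
  • Backup and observability baseline: DB backup, SLI dashboards
  • Security notes: MFA-capable login via Keycloak
  • Threat model ID: TM-PROD-DEMOAPP
  • Runbook ID/path: RB-PROD-DEMO -> runbooks/demo-app.md (template/TBD)
  • Lifecycle management baseline: monthly release train
  • Degraded-mode behavior: keep read flows online
"""
SAMPLE_MATRIX_ROW = {
    "RPO/RTO target": "<= 24h / <= 72h",
    "Threat model ID": "TM-PROD-DEMOAPP",
    "Runbook ID/path": "RB-PROD-DEMO -> runbooks/demo-app.md",
}


def run_sample():
    """Run both checks over the constructed sample and return all findings."""
    name, fields = parse_entry(SAMPLE_ENTRY)
    return check_entry(name, fields) + cross_check(name, fields, SAMPLE_MATRIX_ROW)


if __name__ == "__main__":
    for problem in run_sample():
        print(problem)
```

Running the sample reports two findings: the runbook suffix DEMO does not match the threat model suffix DEMOAPP, and the RPO/RTO target differs between the entry and the matrix row.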

1.1 First-party web stack baseline

Unless explicitly documented otherwise, self-developed web products use:

  • Front-end: Next.js with TypeScript
  • Back-end: Axum with Rust
  • Primary operational database: PostgreSQL
  • Projection pattern: Kafka streams/events to query and analytics stores (for example Neo4j, OpenSearch app/search, data engineering platform)

1.2 First-party dependency map by type: web/service (Mermaid)

flowchart LR
  subgraph WEBTYPE[Type: web/service]
    REF[ref]
    NIB[nibbler]
    GEN[genea]
    SHOP[shop]
  end

  KC[Keycloak]
  SVCAPI[svc API tier]
  PG[(PostgreSQL primary)]
  KAFKA[Kafka app]
  QUERY[(Neo4j/OpenSearch/Lakehouse projections)]
  OBJ[(Object storage)]
  CI[GitLab CI/CD]
  PAY[Payment provider]
  MAIL[Mail provider]

  REF --> KC
  REF --> PG
  REF --> CI
  REF -. optional .-> KAFKA
  REF -. optional in prd .-> SVCAPI

  NIB --> KC
  NIB --> SVCAPI
  NIB --> PG
  NIB --> KAFKA
  NIB -. optional .-> OBJ

  GEN --> KC
  GEN --> SVCAPI
  GEN --> PG
  GEN --> KAFKA
  GEN --> OBJ

  SHOP --> KC
  SHOP --> SVCAPI
  SHOP --> PG
  SHOP --> KAFKA
  SHOP --> PAY
  SHOP --> MAIL

  KAFKA --> QUERY

1.3 First-party dependency map by type: mobile (Mermaid)

flowchart LR
  subgraph MOBILETYPE[Type: mobile]
    NOTI[notimon]
  end

  KC[Keycloak]
  ALERT[Alertmanager]
  PUSH[Push provider]
  API[svc API tier]

  NOTI --> KC
  NOTI --> ALERT
  NOTI --> PUSH
  NOTI --> API

1.4 First-party dependency map by type: FPGA (Mermaid)

flowchart LR
  subgraph FPGATYPE[Type: fpga project]
    F48[sec48]
  end

  CI[GitLab CI/CD]
  ART[Nexus artifacts]
  DOCS[Documentation platform]

  F48 --> CI
  F48 --> ART
  F48 --> DOCS

1.5 Planned later product note: landing app / tenant portal

Planned later, but not yet designed in detail:

  • a first-party landing app / tenant portal for users and tenant admins
  • primary use cases:
      • see available apps and environment endpoints
      • see subscriptions / entitlements
      • launch or request access to apps
      • later manage tenant-scoped app and subscription settings
  • likely baseline dependencies:
      • keycloak for identity
      • tenant registry / entitlement source of truth
      • platform app catalog metadata
      • approved tenant exposure model from tenant-exposure-matrix.md
  • keep this as a deferred product-design item; continue later once app/subscription ownership and tenant workflow scope are clearer

2. First-party products

ref

  • Type: web/service
  • Owner team: web
  • Environments: dev / acc / prd
  • Users: internal and service consumers
  • Confidentiality class: CONF-2 (default internal product data baseline)
  • Dependencies: PostgreSQL (primary), Keycloak, GitLab CI/CD, optional Kafka projection pipeline
  • Runtime zones: core (primary), optional svc publishing API in prd
  • External exposure: no direct public UI; API exposure by policy only
  • HA/SLO target: medium; target 99.5% in prd
  • RPO/RTO target: <= 24h / <= 72h
  • On-call and escalation owner: web team primary, contain/data secondary by dependency
  • Backup and observability baseline: daily DB backup, API latency/error dashboards
  • Security notes: service-to-service auth, least-privilege DB roles
  • Threat model ID: TM-PROD-REF
  • Runbook ID/path: RB-PROD-REF -> runbooks/ref.md (template/TBD)
  • Lifecycle management baseline: monthly application release train, quarterly dependency/security patch cycle
  • Degraded-mode behavior: read-only API mode allowed for non-critical operations when dependencies are degraded

nibbler

  • Type: web
  • Owner team: web
  • Environments: dev / acc / prd
  • Users: end users (private and sharing features)
  • Confidentiality class: CONF-3 (account and personal content)
  • Dependencies: Keycloak, PostgreSQL (primary), Kafka projection pipeline, optional object storage/search
  • Runtime zones: dmz front-end + svc backend
  • External exposure: yes (public web)
  • HA/SLO target: high; target 99.9% in prd
  • RPO/RTO target: <= 8h / <= 24h
  • On-call and escalation owner: web team primary, contain/data secondary by dependency
  • Backup and observability baseline: DB backup + optional object backup, user-facing SLI dashboards
  • Security notes: MFA-capable login via Keycloak, abuse/rate-limit controls
  • Threat model ID: TM-PROD-NIBBLER
  • Runbook ID/path: RB-PROD-NIBBLER -> runbooks/nibbler.md (template/TBD)
  • Lifecycle management baseline: monthly release train, quarterly dependency/security patch cycle
  • Degraded-mode behavior: keep browse/read flows online when optional search/object features are degraded

genea

  • Type: web
  • Owner team: web
  • Environments: dev / acc / prd
  • Users: end users (family history/private sharing)
  • Confidentiality class: CONF-3
  • Dependencies: Keycloak, PostgreSQL (primary), Kafka projection pipeline to query stores (Neo4j/OpenSearch/lakehouse), object storage
  • Runtime zones: dmz front-end + svc backend
  • External exposure: yes (public web)
  • HA/SLO target: high; target 99.9% in prd
  • RPO/RTO target: <= 8h / <= 24h
  • On-call and escalation owner: web team primary, contain/data secondary by dependency
  • Backup and observability baseline: DB backup and object backup, search/index integrity checks if used
  • Security notes: privacy-first authorization model and audit logging for sensitive views
  • Threat model ID: TM-PROD-GENEA
  • Runbook ID/path: RB-PROD-GENEA -> runbooks/genea.md (template/TBD)
  • Lifecycle management baseline: monthly release train, quarterly dependency/security patch cycle
  • Degraded-mode behavior: preserve privacy controls and read access first; postpone non-critical write/index operations during incidents

shop

  • Type: web
  • Owner team: web
  • Environments: dev / acc / prd
  • Users: public customers and internal operators
  • Confidentiality class: CONF-3 (customer/order data)
  • Dependencies: Keycloak, PostgreSQL (primary), Kafka projection pipeline, payment provider integration, mail provider
  • Runtime zones: dmz front-end + svc backend
  • External exposure: yes (public web)
  • HA/SLO target: high; target 99.9% in prd
  • RPO/RTO target: <= 8h / <= 24h
  • On-call and escalation owner: web team primary, contain/data secondary by dependency
  • Backup and observability baseline: transactional DB backup and payment-event audit trail
  • Security notes: strict secret handling for payment integration and fraud/rate monitoring
  • Threat model ID: TM-PROD-SHOP
  • Runbook ID/path: RB-PROD-SHOP -> runbooks/shop.md (template/TBD)
  • Lifecycle management baseline: biweekly release train for checkout-critical paths, quarterly dependency/security patch cycle
  • Degraded-mode behavior: fail closed for checkout/payment if integrity is uncertain; allow catalog browsing where safe

notimon

  • Type: mobile
  • Owner team: mobile
  • Environments: dev / acc / prd
  • Users: operators receiving Alertmanager notifications
  • Confidentiality class: CONF-2 baseline; CONF-3 when alert content contains sensitive data
  • Dependencies: Alertmanager, Keycloak, PostgreSQL (primary), Kafka/event pipeline where required, push notification provider
  • Runtime zones: mobile app + svc API
  • External exposure: app-store distribution for the client; the API accepts authenticated clients only, with no anonymous public access
  • HA/SLO target: medium/high; target 99.5% for notification API path
  • RPO/RTO target: <= 8h / <= 24h
  • On-call and escalation owner: mobile team primary, observ team secondary for alert pipeline dependencies
  • Backup and observability baseline: API config backup and notification delivery dashboards
  • Security notes: token lifecycle controls and device/session revocation support
  • Threat model ID: TM-PROD-NOTIMON
  • Runbook ID/path: RB-PROD-NOTIMON -> runbooks/notimon.md (template/TBD)
  • Lifecycle management baseline: monthly mobile/API release train, quarterly dependency/security patch cycle
  • Degraded-mode behavior: queue and retry notifications when push provider/API is degraded; preserve alert integrity over latency

sec48

  • Type: FPGA project
  • Owner team: fpga
  • Environments: dev / acc / prd
  • Users: internal engineering
  • Confidentiality class: CONF-3 (engineering IP)
  • Dependencies: GitLab CI/CD, artifact repository, documentation platform
  • Runtime zones: core engineering toolchain
  • External exposure: no direct public runtime
  • HA/SLO target: medium (engineering productivity)
  • RPO/RTO target: <= 24h / <= 72h
  • On-call and escalation owner: fpga team primary, cicd team secondary for pipeline dependencies
  • Backup and observability baseline: source/artifact backup and pipeline health monitoring
  • Security notes: supply-chain integrity for toolchains and signed artifact policy
  • Threat model ID: TM-PROD-SEC48
  • Runbook ID/path: RB-PROD-SEC48 -> runbooks/sec48.md (template/TBD)
  • Lifecycle management baseline: milestone-based release cadence with quarterly dependency/security patching of toolchains
  • Degraded-mode behavior: prioritize deterministic and reproducible build path; defer non-critical experimentation pipelines

3. Third-party products

Keep third-party products separate from first-party ownership.

homeassistant

  • Type: third-party application
  • Owner team: third
  • Environments: tst / prd
  • Users: household/internal operators
  • Confidentiality class: CONF-2
  • Dependencies: dedicated runtime VM, persistent /config storage, external recorder DB (postgresql preferred on this platform; MariaDB is a supported alternative), internal reverse proxy or approved dmz publication path, optional SMTP
  • Technology stack: vendor-defined (third-party managed)
  • Runtime zones: prd-svc app path by default, prd-core recorder DB path, optional prd-dmz publication only by explicit policy
  • External exposure: internal-only by default; remote/public exposure only through approved prd-dmz ingress
  • HA/SLO target: medium; target 99.5% in prd
  • RPO/RTO target: <= 24h / <= 72h
  • On-call and escalation owner: third team primary, data team secondary for recorder DB dependency
  • Backup and observability baseline: /config backup is primary, recorder DB backup is secondary, plus service and database health dashboards
  • Security notes: native Home Assistant auth is the first-rollout baseline; keep one local owner/break-glass account; least-privilege integration credentials; reverse-proxy hardening with trusted_proxies (Home Assistant only honours forwarded client addresses when use_x_forwarded_for is enabled in its http configuration and trusted_proxies lists the proxy explicitly, so restrict that list to the reverse proxy's own address rather than a broad range); treat Keycloak/Microsoft/Google SSO as a later custom integration path rather than a baseline requirement
  • Threat model ID: TM-PROD-HOMEASSISTANT
  • Runbook ID/path: RB-PROD-HOMEASSISTANT -> runbooks/homeassistant.md
  • Lifecycle management baseline: quarterly vendor patching and controlled version jumps after tst validation
  • Degraded-mode behavior: keep local automations and manual controls working first; degrade history/analytics before core control paths
  • Integration baseline: backup and upgrade runbook required; SSO is a later explicit design decision, not part of the first production rollout

mermaid live

  • Type: third-party application
  • Owner team: third
  • Environments: tst / prd
  • Users: internal documentation users
  • Confidentiality class: CONF-2
  • Dependencies: Keycloak (preferred), core ingress/runtime
  • Technology stack: vendor-defined (third-party managed)
  • Runtime zones: core
  • External exposure: internal-only
  • HA/SLO target: medium; target 99.0% in prd
  • RPO/RTO target: <= 24h / <= 72h
  • On-call and escalation owner: third team primary
  • Backup and observability baseline: configuration backup and availability monitoring
  • Security notes: SSO preferred via Keycloak, no anonymous admin access
  • Threat model ID: TM-PROD-MERMAIDLIVE
  • Runbook ID/path: RB-PROD-MERMAIDLIVE -> runbooks/mermaid-live.md (template/TBD)
  • Lifecycle management baseline: quarterly vendor patching after tst validation
  • Degraded-mode behavior: service may be temporarily read-only/unavailable without affecting critical platform paths
  • Integration baseline: SSO preferred, backup and upgrade runbook required

draw.io

  • Type: third-party application
  • Owner team: third
  • Environments: tst / prd
  • Users: internal documentation users
  • Confidentiality class: CONF-2
  • Dependencies: Keycloak (preferred), core ingress/runtime
  • Technology stack: vendor-defined (third-party managed)
  • Runtime zones: core
  • External exposure: internal-only
  • HA/SLO target: medium; target 99.0% in prd
  • RPO/RTO target: <= 24h / <= 72h
  • On-call and escalation owner: third team primary
  • Backup and observability baseline: configuration backup and availability monitoring
  • Security notes: SSO preferred via Keycloak, no anonymous admin access
  • Threat model ID: TM-PROD-DRAWIO
  • Runbook ID/path: RB-PROD-DRAWIO -> runbooks/drawio.md (template/TBD)
  • Lifecycle management baseline: quarterly vendor patching after tst validation
  • Degraded-mode behavior: service may be temporarily read-only/unavailable without affecting critical platform paths
  • Integration baseline: SSO preferred, backup and upgrade runbook required

nextcloud

  • Type: third-party application
  • Owner team: third
  • Environments: acc / prd
  • Users: internal users and trusted collaborators
  • Confidentiality class: CONF-3
  • Dependencies: k8s-prd, postgresql.prd-core, valkey.prd-core, cephrgw.prd-core, keycloak.prd-svc (target), SMTP
  • Technology stack: vendor-defined (third-party managed)
  • Runtime zones: prd-dmz ingress + prd-svc app path + prd-core data path
  • External exposure: yes in prd, through approved prd-dmz ingress only
  • HA/SLO target: medium/high; target 99.5% in prd
  • RPO/RTO target: <= 8h / <= 24h
  • On-call and escalation owner: third team primary, data team secondary for storage/database dependencies
  • Backup and observability baseline: PostgreSQL backup + object-storage backup + config export, sync and storage-health dashboards
  • Security notes: SSO via keycloak.prd-svc is the target for the internet-facing deployment, strict share/link policy, audit logging for sensitive data, and no hard multi-tenant SaaS boundary inside one shared instance
  • Threat model ID: TM-PROD-NEXTCLOUD
  • Runbook ID/path: RB-PROD-NEXTCLOUD -> runbooks/nextcloud.md
  • Lifecycle management baseline: quarterly vendor patching and controlled major upgrades after acc validation
  • Degraded-mode behavior: preserve file read access first; throttle non-critical background sync/index jobs during incidents
  • Integration baseline: SSO required, backup and upgrade runbook required

3.1 Third-party dependency map (Mermaid)

flowchart LR
  subgraph THIRDPROD[Third-party products]
    HOME[homeassistant]
    MMD[mermaid live]
    DRAW[draw.io]
    NC[nextcloud]
  end

  ENVT[tst/prd environments]
  ENVA[acc/prd environments]
  SSO[Keycloak SSO]
  PG[(PostgreSQL)]
  MARIADB[(MariaDB alternative)]
  VK[(Valkey)]
  RGW[(CephRGW object)]
  BK[Backup/restore runbooks]
  UPD[Upgrade/patch runbooks]
  DATA[(Persistent /config storage)]

  HOME --> ENVT
  MMD --> ENVT
  DRAW --> ENVT
  NC --> ENVA

  HOME -. later design decision .-> SSO
  MMD -. preferred .-> SSO
  DRAW -. preferred .-> SSO
  NC -- required in prd --> SSO

  HOME --> DATA
  HOME -- recorder DB preferred --> PG
  HOME -. recorder DB alternative .-> MARIADB
  NC --> PG
  NC --> VK
  NC --> RGW

  HOME --> BK
  MMD --> BK
  DRAW --> BK
  NC --> BK

  HOME --> UPD
  MMD --> UPD
  DRAW --> UPD
  NC --> UPD

3.2 Product ownership map (Mermaid)

flowchart LR
  WEBTEAM[web team] --> REF[ref]
  WEBTEAM --> NIB[nibbler]
  WEBTEAM --> GEN[genea]
  WEBTEAM --> SHOP[shop]

  MOBTEAM[mobile team] --> NOTI[notimon]
  FPGATEAM[fpga team] --> F48[sec48]
  THIRDTEAM[third team] --> HOME[homeassistant]
  THIRDTEAM --> MMD[mermaid live]
  THIRDTEAM --> DRAW[draw.io]
  THIRDTEAM --> NC[nextcloud]

4. Product governance matrix

| Product | RPO/RTO target | On-call owner | Threat model ID | Runbook ID/path | Lifecycle baseline | Degraded-mode baseline |
| --- | --- | --- | --- | --- | --- | --- |
| ref | <= 24h / <= 72h | web (primary), contain/data (secondary) | TM-PROD-REF | RB-PROD-REF -> runbooks/ref.md | monthly release train + quarterly dependency patching | read-only mode for non-critical operations |
| nibbler | <= 8h / <= 24h | web (primary), contain/data (secondary) | TM-PROD-NIBBLER | RB-PROD-NIBBLER -> runbooks/nibbler.md | monthly release train + quarterly dependency patching | preserve read/user access, degrade optional features |
| genea | <= 8h / <= 24h | web (primary), contain/data (secondary) | TM-PROD-GENEA | RB-PROD-GENEA -> runbooks/genea.md | monthly release train + quarterly dependency patching | prioritize privacy controls and safe read access |
| shop | <= 8h / <= 24h | web (primary), contain/data (secondary) | TM-PROD-SHOP | RB-PROD-SHOP -> runbooks/shop.md | biweekly checkout-critical releases + quarterly dependency patching | fail closed for checkout if payment integrity uncertain |
| notimon | <= 8h / <= 24h | mobile (primary), observ (secondary) | TM-PROD-NOTIMON | RB-PROD-NOTIMON -> runbooks/notimon.md | monthly release train + quarterly dependency patching | queue/retry notifications during provider/API issues |
| sec48 | <= 24h / <= 72h | fpga (primary), cicd (secondary) | TM-PROD-SEC48 | RB-PROD-SEC48 -> runbooks/sec48.md | milestone releases + quarterly toolchain patching | prioritize reproducible build path over throughput |
| homeassistant | <= 24h / <= 72h | third (primary), data (secondary) | TM-PROD-HOMEASSISTANT | RB-PROD-HOMEASSISTANT -> runbooks/homeassistant.md | quarterly vendor patching | keep local automations and manual controls working; degrade history/analytics before core control paths |
| mermaid live | <= 24h / <= 72h | third | TM-PROD-MERMAIDLIVE | RB-PROD-MERMAIDLIVE -> runbooks/mermaid-live.md | quarterly vendor patching | temporary read-only/unavailable acceptable |
| draw.io | <= 24h / <= 72h | third | TM-PROD-DRAWIO | RB-PROD-DRAWIO -> runbooks/drawio.md | quarterly vendor patching | temporary read-only/unavailable acceptable |
| nextcloud | <= 8h / <= 24h | third (primary), data (secondary) | TM-PROD-NEXTCLOUD | RB-PROD-NEXTCLOUD -> runbooks/nextcloud.md | quarterly vendor patching + controlled major upgrades | preserve read access, throttle background jobs |

5. External integration profiles

| Integration | Threat model ID | Consuming products | Security baseline | Availability baseline | Lifecycle/change baseline | Runbook ID/path |
| --- | --- | --- | --- | --- | --- | --- |
| Payment provider | TM-EXT-PAYMENT | shop | token/secret in OpenBao, signed callback validation, strict allow-lists | external outage must fail closed for checkout and preserve order integrity | quarterly API contract review and sandbox validation | RB-EXT-PAYMENT -> runbooks/ext-payment-provider.md (template/TBD) |
| Mail provider | TM-EXT-MAIL | shop | scoped credentials, SPF/DKIM/DMARC alignment, rate abuse controls | queue/retry outbound mail; non-critical mail can be delayed | quarterly API/config review | RB-EXT-MAIL -> runbooks/ext-mail-provider.md (template/TBD) |
| Push notification provider | TM-EXT-PUSH | notimon | scoped credentials, token rotation, callback signature validation if applicable | retries/backoff required; alert payload integrity over speed | quarterly provider SDK/API review | RB-EXT-PUSH -> runbooks/ext-push-provider.md (template/TBD) |
| Documentation platform (for sec48) | TM-EXT-DOCS | sec48 | Git-backed read-only publication from the monorepo docs/ tree; no runtime authoring surface | non-critical dependency; outages should not block signed build path | quarterly platform compatibility review | RB-EXT-DOCS -> runbooks/ext-docs-platform.md |
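The payment and push rows above both call for signed callback validation with allow-lists, and the shop entry requires checkout to fail closed when payment integrity is uncertain. The following is an added example of that pattern, not code from the shop product, from notimon, or from any provider. The signature scheme is an assumption chosen for illustration (a header t=<unix seconds>,v1=<hex> where v1 = HMAC-SHA256(secret, "<t>.<raw body>")); real providers differ in header names and encoding, but the structure carries over: HMAC over the raw body, constant-time comparison, a replay window, a source allow-list, and rejection on any doubt, including when the secret store (OpenBao on this platform) cannot be reached. The secret, provider address range and event payload are constructed.

```python
"""Signed payment-callback validation that fails closed.

Added example, not code from the Vijfpas shop product, from notimon or from a
payment/push provider. The header format is an assumed illustrative scheme;
the sample secret, allow-list range and payload are constructed.
"""
import hashlib
import hmac
import ipaddress
import json
import time

REPLAY_WINDOW_SECONDS = 300
# Assumed provider egress range (constructed for the example).
PROVIDER_ALLOW_LIST = [ipaddress.ip_network("198.51.100.0/24")]


class CallbackRejected(Exception):
    """Raised for any verification failure; the caller must not advance the order."""


def parse_signature_header(value):
    """Split 't=<ts>,v1=<hex>' into (int timestamp, hex digest) or reject."""
    parts = dict(p.split("=", 1) for p in value.split(",") if "=" in p)
    if "t" not in parts or "v1" not in parts:
        raise CallbackRejected("malformed signature header")
    try:
        return int(parts["t"]), parts["v1"]
    except ValueError:
        raise CallbackRejected("non-integer timestamp") from None


def verify_callback(raw_body, sig_header, source_ip, get_secret, now=None):
    """Return the parsed event only if every check passes; otherwise raise."""
    now = time.time() if now is None else now
    if not any(ipaddress.ip_address(source_ip) in net for net in PROVIDER_ALLOW_LIST):
        raise CallbackRejected(f"source {source_ip} not on provider allow-list")
    ts, given = parse_signature_header(sig_header)
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        raise CallbackRejected("timestamp outside replay window")
    try:
        secret = get_secret()  # stands in for the OpenBao lookup
    except Exception as exc:  # secret unavailable -> cannot verify -> reject
        raise CallbackRejected(f"secret unavailable: {exc}") from exc
    expected = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        raise CallbackRejected("signature mismatch")
    try:
        return json.loads(raw_body)  # parse only after the signature holds
    except ValueError:
        raise CallbackRejected("body is not valid JSON") from None


def apply_callback(order_state, raw_body, sig_header, source_ip, get_secret, now=None):
    """Fail-closed transition: pending -> paid only on a verified payment.succeeded."""
    try:
        event = verify_callback(raw_body, sig_header, source_ip, get_secret, now)
    except CallbackRejected:
        return "pending"  # integrity uncertain: leave the order where it is
    if order_state == "pending" and event.get("type") == "payment.succeeded":
        return "paid"
    return order_state


# Constructed sample data
SECRET = b"example-shared-secret"
BODY = json.dumps({"type": "payment.succeeded", "order_id": "ORD-1"}).encode()
NOW = 1_700_000_000


def sign(body, ts, secret=SECRET):
    """Provider-side helper producing a valid header for the assumed scheme."""
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def _secret_store_down():
    raise RuntimeError("OpenBao unreachable")


def demo():
    """Drive the fail-closed path through the cases an operator should expect."""
    good = sign(BODY, NOW)
    ok_ip, bad_ip = "198.51.100.7", "203.0.113.9"
    return {
        "valid": apply_callback("pending", BODY, good, ok_ip, lambda: SECRET, NOW),
        "tampered_body": apply_callback("pending", BODY.replace(b"ORD-1", b"ORD-2"), good, ok_ip, lambda: SECRET, NOW),
        "replayed": apply_callback("pending", BODY, good, ok_ip, lambda: SECRET, NOW + 3600),
        "wrong_source": apply_callback("pending", BODY, good, bad_ip, lambda: SECRET, NOW),
        "secret_store_down": apply_callback("pending", BODY, good, ok_ip, _secret_store_down, NOW),
    }


if __name__ == "__main__":
    for case, state in demo().items():
        print(f"{case}: order is {state}")
```

Only the valid case moves the order to paid; a tampered body, a replayed header, an unexpected source address and an unreachable secret store all leave it pending, which is the behaviour the shop's degraded-mode entry requires. Verifying before parsing matters: the JSON parser never sees unauthenticated input.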

6. Product catalog backlog

  1. Author and link full threat model documents for all TM-* IDs.
  2. Replace template/TBD product and external-integration runbooks with executable procedures.
  3. Add per-product sequence diagrams for incident and degraded-mode paths.