← Back to Main Documentation

Architecture Documentation

Updated: Wed 06 May 2026 17:14:18 CEST — Phase 1 naming migration: reframed Overview to lead with current identification layer; moved Solana commerce to “Future Vision” section; updated repository naming (Plings-Web / Plings-API / Plings-Gateway)

This directory contains comprehensive documentation of the Plings system architecture, covering everything from high-level system design to detailed technical implementation decisions.

Contents

System Design

• System Overview - High-level platform goals, principles, and subsystem architecture
• Technology Stack Decisions - Detailed rationale for all technology choices
• Database Architecture - Complete database design document with PostgreSQL + Neo4j dual system

Future Vision: Solana Commerce (not currently built)

• Solana Payment Architecture - Long-term blockchain integration for direct object payments
  • Payment-to-object system design (future vision)
  • HD wallet → Solana address mapping (architecture preserved; commerce features deferred)
  • Service marketplace infrastructure
  • Global payment scale analysis

Technical Implementation

• Component Architecture - Microservice breakdown and interface contracts (stub)
• Data Flow Diagrams - UML and sequence diagrams for core user interactions (stub)
• Integration Patterns - Standard patterns for external systems and services (stub)

Security & Guidelines

• API Security Guidelines - GraphQL authentication, authorization, and security best practices

Migration Documentation

• Unified ID Migration TODO - Complete migration plan from dual-UUID to unified ID system

Overview

The Plings architecture combines a deterministic identification scheme (BIP32 HD wallet paths), a dual-database backend, a transport-agnostic scan layer, and a single GraphQL contract serving all clients (web, native — planned). The HD wallet identification layer is current and production-relevant; long-term commerce features (Solana payments, NFT ownership, on-chain marketplace) are future vision preserved in the architecture but not actively built.

Core Architectural Principles

Verifiable Identity for Every Object

• Each object has a deterministic identifier derived from a BIP32 HD wallet path
• Manufacturer signatures provide cryptographic proof of origin (offline-verifiable)
• Path delegation enables identifier-range grants to subcontractors and plants

HD Wallet Infrastructure Foundation

• Critical Choice: HD wallets over PKI — chosen for hierarchical delegation, deterministic derivation, and the ability to map paths to Solana Program Derived Addresses when commerce features are eventually built
• Hierarchical paths follow m/44'/501'/manufacturer/category/instance and map deterministically to Solana addresses
• The HD wallet identification architecture is active and production-relevant today; do not casually refactor

One Backend, Many UIs — One GraphQL Interface

• The single canonical interface is the GraphQL API at api.plings.io
• Web, native (planned), and any future client all consume the same schema
• The Gateway (s.plings.io) handles the browser path; native apps call the GraphQL API directly for instant native scan UX
• Centralised concerns (validation, auth, scan logging) live behind the GraphQL layer and apply to every caller

Multi-Layer System Architecture

Three-Tier Platform Structure

The Plings ecosystem operates as three coordinated layers:

1. Client Layer — User Interfaces
   • Plings-Web (current): React + TypeScript PWA at https://plings.io, disk path Plings-Web/
   • Plings-iOS (planned): Native iOS app — calls GraphQL API directly
   • Plings-Android (planned): Native Android app — calls GraphQL API directly
2. Gateway Layer — Browser-side Scan Routing
   • Repository concept: Plings-Gateway · disk path Plings-Gateway/
   • URL: https://s.plings.io
   • Purpose: Universal scan entry point for browser-based scans (QR / NFC / RFID); routes based on object status, user context, and business rules
3. Backend Layer — Plings-API
   • Repository concept: Plings-API · disk path Plings-API/
   • URL: https://api.plings.io
   • Purpose: GraphQL contract, business logic, dual-database coordination, HD wallet operations
   • API: Single GraphQL endpoint serving every client

Dual Database System

• PostgreSQL/Supabase: User authentication, object metadata, RLS security, business logic, HD wallet path registry
• Neo4j (Aura): Complex relationship traversal, variable-depth queries, graph analytics
• Separation of Concerns: Business data vs. relationship data

GraphQL API Integration

• Single Endpoint: https://api.plings.io/graphql
• Technology: Ariadne GraphQL over FastAPI
• Features: Object operations, relationship management, HD wallet operations
• Security: JWT-based authentication with Supabase RLS

Future Vision: Solana Commerce (not currently built)

The bullets below describe long-term commerce capabilities that the HD wallet architecture preserves but are not actively being built. Treat as design context, not as features under current development.

• Solana: Ultra-low fees ($0.00025), 400ms confirmation, 600K TPS with Firedancer
• Program Derived Addresses: Would prevent payment interception while preserving HD wallet benefits
• NFT Ownership: Dynamic ownership transfer through blockchain-native certificates
• Service Marketplace: Every object as a hub for rental, repair, insurance services
• Universal Commerce Scale: Solana fees enable transactions at any price point

Key Innovations (of the current identification layer)

1. Hierarchical Delegation: HD paths enable secure manufacturer → plant → batch → instance delegation
2. Offline + Online Verification: HD wallets enable cryptographic verification without network access
3. Graph + Relational Hybrid: Leverages strengths of both database paradigms
4. Future-Compatible Identifiers: Same paths deterministically map to Solana PDAs if commerce launches

Security Model: Verification Authority

Fundamental Security Design: Controlled Verification

Critical Architectural Decision: The Plings system uses hardened HD wallet derivation at all levels, which creates an intentional verification authority model where only specific parties can cryptographically verify identifiers.

Who Can Verify What

Verification Authority Hierarchy:

Plings (Master Authority)
├── Authority: Master key at m/44'/501'/1'
├── Can Verify: Everything in ecosystem  
├── Role: Neutral verification service
└── Trust: Ecosystem coordinator

Manufacturers (Brand Authorities)
├── Authority: Brand-level keys (e.g., m/44'/501'/1'/3' for Coca-Cola)
├── Can Verify: Only their own products
├── Role: Brand authenticity experts  
└── Trust: Self-verification for their products

External Clients (No Authority)
├── Authority: None (by design)
├── Can Verify: Nothing independently
├── Role: Verification consumers
└── Trust: Must rely on authorized authorities

Why External Clients Cannot Verify Independently

Hardened Key Requirement:

Example Path: 1.3.1255.C2.5847.90000
HD Derivation: m/44'/501'/1'/3'/1255'/2'/5847'/90000'
               └──────────────────────────────────────┘
                ALL HARDENED - requires private keys

Missing Keys: External clients lack:

• Plings master private key
• Manufacturer private keys
• Plant-level private keys
• Batch-level private keys

Result: Cannot perform cryptographic verification independently.

Trust Network Architecture

Verification Flow Design

Security Benefits of Authority Model

Controlled Brand Verification:

• Prevents Unauthorized Claims: External parties cannot forge verification results
• Manufacturer Control: Brands maintain authority over product authentication
• Trusted Network: Creates reliable ecosystem of verification authorities
• Anti-Counterfeiting: Cryptographically impossible to fake verification without keys

System Integrity:

• Authority Accountability: Verification sources are known and accountable
• Network Trust: Users trust established authorities rather than unknown validators
• Audit Trail: All verifications logged and traceable
• Reputation Stakes: Authorities stake reputation on verification accuracy

Implementation Implications

For Backend Architecture:

• Verification APIs: Provide verification-as-a-service to clients
• Key Security: Implement multi-tier key management (Vercel → SoftHSM → Hardware HSM)
• Authority Management: Track and manage verification authority relationships
• Cross-Verification: Enable multiple authority confirmation for high-value items

For Frontend Architecture:

• API Integration: Always use verification APIs, never attempt independent verification
• Trust Indicators: Show verification sources clearly to users
• Offline Handling: Graceful degradation when verification unavailable
• Error States: Handle verification failures and network issues appropriately

For Client Applications:

// Correct approach - use verification authorities
async function verifyProduct(path, instanceKey) {
    const verification = await fetch('/api/verify', {
        method: 'POST',
        body: JSON.stringify({ path, instanceKey })
    });
    return verification.json();
}

// ❌ INCORRECT - clients cannot verify independently
function attemptLocalVerification(path, instanceKey) {
    // This cannot work - requires private keys
    return cryptoVerify(path, instanceKey); 
}

Security vs Decentralization Trade-off

Why Centralized Verification Is Intentional

Alternative Considered: Fully decentralized verification where anyone could verify Problem: Would undermine manufacturer brand control and enable verification chaos Solution: Controlled authority model that balances security with manufacturer needs

Benefits of Authority Model:

• Brand Protection: Manufacturers control their authentication narrative
• Quality Assurance: Verification results come from accountable sources
• Business Model: Enables verification services as value proposition
• Trust Building: Users know who they’re trusting

Threat Model and Mitigations

Potential Attack Vectors

Authority Compromise:

• Risk: Plings or manufacturer keys compromised
• Mitigation: Multi-tier key storage, HSM protection, incident response procedures

False Verification:

• Risk: Malicious verification responses
• Mitigation: Cross-verification, audit trails, reputation systems

Network Attacks:

• Risk: Man-in-the-middle attacks on verification APIs
• Mitigation: TLS encryption, certificate pinning, API authentication

Social Engineering:

• Risk: Users trust fake verification sources
• Mitigation: Clear authority indicators, education, official app channels

Defense in Depth

Layer 1: Cryptographic verification by authorities Layer 2: Cross-verification between multiple authorities Layer 3: Audit trails and anomaly detection Layer 4: User education and trust indicators Layer 5: Incident response and key rotation procedures

Development Strategy for New Developers

Understanding Our Backend Architecture

Key Insight: Plings uses a sophisticated multi-layer architecture with clear separation of concerns:

API Strategy

• Single GraphQL Endpoint: All frontend data needs served through api.plings.io/graphql
• No REST APIs: GraphQL provides type-safe, efficient data fetching
• Interactive Documentation: GraphiQL explorer available at the endpoint
• JWT Authentication: Secure user sessions with Supabase integration

Repository Structure

• Plings-Web (disk: Plings-Web/) — React + TypeScript + Vite
• Plings-API (disk: Plings-API/) — FastAPI + Ariadne GraphQL + Python
• Plings-Gateway (disk: Plings-Gateway/) — TypeScript on Vercel Edge
• Plings-iOS / Plings-Android (planned) — native mobile clients
• Cross-Repository Development: Claude Code coordinates full-stack features

Development Flow

1. Plings-Web Development: Query GraphQL API for all data operations
2. Plings-API Development: Implement business logic in FastAPI GraphQL resolvers
3. Database Operations: Use PostgreSQL for security/metadata, Neo4j for relationships
4. Gateway Routing: Update routing rules in Plings-Gateway/lib/router.ts for browser-side scan flows
5. (Future) Blockchain Integration: Solana operations would be abstracted through GraphQL mutations when commerce features are built

For Frontend Developers

The architecture enables revolutionary commerce features:

1. Scan-to-Pay: Instant object purchase through QR code scanning
2. Service Discovery: Find rental, repair, insurance for any object
3. Real-time Ownership: Live blockchain-based ownership updates
4. Offline Verification: Authenticate objects without network connectivity
5. Payment Integration: Seamless Solana wallet integration
6. GraphQL Integration: Type-safe data fetching with automatic caching

Key Integration Points:

• API Endpoint: https://api.plings.io/graphql
• Authentication: JWT tokens from Supabase auth
• Real-time Updates: GraphQL subscriptions for live data
• Error Handling: Standardized GraphQL error responses

For Backend Developers

Architecture requires careful implementation of:

1. HD Wallet Security: Multi-tier key management (Vercel → SoftHSM → Hardware HSM)
2. Dual Database Sync: Maintain consistency between PostgreSQL and Neo4j
3. Blockchain Integration: Solana program development and PDA management
4. Payment Routing: Secure transaction flow through smart contracts
5. Service Orchestration: Marketplace provider coordination
6. GraphQL Schema: Type-safe API design with Ariadne

Key Implementation Areas:

• FastAPI Setup: Serverless deployment on Vercel
• Database Coordination: Ensure PostgreSQL and Neo4j consistency
• Cryptographic Operations: HD wallet path generation and verification
• Blockchain Abstraction: Hide Solana complexity behind GraphQL mutations

Integration Points

Architecture integrates with:

• Blockchain Layer: Solana validators and smart contracts
• Payment Systems: Multi-wallet support and transaction processing
• GraphQL Schema: Unified API for complex architecture
• HD Wallet System: Cryptographic verification and key management
• Service Providers: External rental, repair, insurance services

Revolutionary Impact

Global Commerce Transformation

Vision: Replace Visa/Mastercard by making every physical object a payment terminal Path: Build through niche use cases → expand to universal commerce infrastructure Timeline: 5-10 years to global payment infrastructure significance

Market Disruption Potential

• Total Addressable Market: $100B+ POS terminals + $200B+ payment processing
• Competitive Advantage: First system enabling direct object payments
• Network Effects: Every object strengthens the ecosystem
• Infrastructure Lock-in: Replaces traditional payment systems

Status Legend

• ✅ Complete - Fully documented and implemented
• 🏗️ In Progress - Documentation exists, implementation ongoing
• 📋 Stub - Outlined structure, content to follow
• 🔄 Migration - Legacy system being updated

Detailed Technical Architecture

Core Components Layer Architecture

Architectural Rationale: Why a Dual-Database System?

The Plings architecture intentionally uses a polyglot persistence model, leveraging two different types of databases to handle specific tasks for which they are best suited. This design is a deliberate choice to maximize security, performance, and scalability.

1. Neo4j Aura (The Graph Engine):

• Purpose: To manage the complex, interconnected web of relationships between objects.
• Strengths: Its graph-native structure is ideal for deep, variable-depth queries, such as traversing component hierarchies (PART_OF), class structures (SUBCLASS_OF), and intricate spatial relationships (IN, ON). It answers the question: “How are things connected?”

2. Supabase - PostgreSQL (The Ownership & Security Engine):

• Purpose: To manage object metadata, user ownership, and enforce security.
• Strengths: Its primary role is to leverage Supabase’s powerful Row-Level Security (RLS) engine, which is tightly integrated with user authentication (auth.uid()). This provides a robust, declarative security model that is difficult and inefficient to replicate in a graph database. It answers the question: “Who owns this and who is allowed to see it?”
• UI Performance Cache: The data in Postgres also serves as a highly performant cache for the UI. When displaying a simple list of a user’s objects, querying the relational object_instances table is significantly faster and more efficient than performing a broad graph traversal.

In summary, the system is designed so that Neo4j manages the graph’s complexity, while Supabase manages the users’ security. The unified ID system provides the critical link between these two specialized systems.

Object Model

ObjectClass and ObjectInstance

The UOGS distinguishes between an object’s blueprint (ObjectClass) and its physical manifestation (ObjectInstance). In Neo4j, these are represented as nodes with labels and properties.

ObjectClass (The Template Node): A node with the label :ObjectClass.

{
  "name": "Mountain Bike",
  "description": "A bicycle designed for off-road cycling.",
  "version": 1,
  "owner": "Plings",
  "capabilities": ["off-road", "sport"]
}

ObjectInstance (The Physical Item Node): A node with the label :ObjectInstance.

{
  "owner": "user:123"
}

PlingsIdentifier (The Pointer Node): A node with the label :PlingsIdentifier.

{
    "value": "plg:44-10012-22-7890-Qmx3D",
    "identifier_type": "QR",
    "status": "active"
}

Key Graph Relations

Relationships in Neo4j are first-class citizens, connecting nodes directly with a specific type.

• Spatial (e.g., IN): A direct relationship between two ObjectInstance nodes.
  • (:ObjectInstance {name: 'MyBike'})-[:IN]->(:ObjectInstance {name: 'HomeGarage'})
• Expected Spatial (e.g., SHOULD_BE_IN): The object’s assigned or “home” location.
  • (:ObjectInstance {name: 'MyBike'})-[:SHOULD_BE_IN]->(:ObjectInstance {name: 'WorkshopShelf3'})
• Identifies: A PlingsIdentifier node IDENTIFIES an ObjectInstance node.
  • (:PlingsIdentifier {value: '...'})-[:IDENTIFIES]->(:ObjectInstance {name: 'MyBike'})
• Instance Of: An ObjectInstance node is an INSTANCE_OF an ObjectClass node.
  • (:ObjectInstance {name: 'MyBike'})-[:INSTANCE_OF]->(:ObjectClass {name: 'Mountain Bike'})
• Scan Event: A ScanEvent node records the interaction, linked to an identifier.
  • (:ScanEvent)-[:SCANNED]->(:PlingsIdentifier)
• Part Of: An ObjectInstance can be PART_OF another ObjectInstance.
  • (:ObjectInstance {name: 'MySaddle'})-[:PART_OF]->(:ObjectInstance {name: 'MyBike'})
• Subclass Of: An ObjectClass can be a SUBCLASS_OF another ObjectClass.
  • (:ObjectClass {name: 'Mountain Bike'})-[:SUBCLASS_OF]->(:ObjectClass {name: 'Bicycle'})
• Capabilities: An object’s potential uses are stored as properties on the ObjectClass node.
  • (:ObjectClass {name: 'Lamp'}) has property capabilities: ["BikeLamp", "HelmetLamp"]

For detailed schema information, see ../database/neo4j-core-schema.md.