This view zooms one level into the TalkIDE platform: which deployable units run, where they run, and how they talk to each other. “Container” is the C4 term — a runnable thing with its own lifecycle (process, pod, managed service). It is not specific to Docker.
For the physical DigitalOcean topology (clusters, ports, pools, volumes) see the dedicated infrastructure.md page.
```mermaid
flowchart TB
Browser["End user's browser"]
subgraph cp["K8s namespace: talkide (control-plane)"]
FE["TalkIDE FE<br/>Vue 3 · Vite · nginx"]
BE["TalkIDE BE<br/>Kotlin · Spring Boot · JVM 21<br/>incl. gateway-proxy"]
end
subgraph tenant["K8s namespace: {tenant}-{env} (per tenant-environment)"]
WORKER["talkide-worker<br/>Node/TS · Anthropic Agent SDK<br/>(LIVE since 2026-05-21)"]
UAPP["User-app pod<br/>Spring Boot + Vue static<br/>same-origin single pod"]
JOBS["Ephemeral Jobs<br/>Kaniko image build · gradle build/test"]
end
subgraph do["DigitalOcean managed services"]
PGA["Managed PG — cluster A<br/>talkide-prod-pg (control-plane)"]
PGB["Managed PG — cluster B<br/>talkide-dataplane-pg (data-plane)"]
SPACES["DO Spaces<br/>talkide-prod-space"]
REG["Container Registry"]
end
NFS["NFS server pod<br/>per-project working tree + .git/"]
Browser -->|"HTTPS"| FE
Browser -->|"REST + SSE"| BE
Browser -->|"{slug}/{uuid}.talkide.app"| UAPP
FE -->|"/api"| BE
BE -->|"control-plane DB (PgBouncer)"| PGA
BE -->|"K8s API · provision"| WORKER
BE -->|"K8s API · provision"| UAPP
WORKER -->|"agent calls via gateway-proxy"| BE
WORKER -->|"dispatch"| JOBS
WORKER -->|"working tree"| NFS
BE -->|"working tree"| NFS
JOBS -->|"push image"| REG
UAPP -->|"per-app schema (PgBouncer SCRAM)"| PGB
UAPP -->|"uploads / generated"| SPACES
```
Containers in the TalkIDE platform namespace (talkide)
| Container | Tech | Where | Talks to | Spec |
|---|---|---|---|---|
| TalkIDE BE | Kotlin · Spring Boot 3.x · JVM 21 | K8s pod :8080 (prod); locally 9090 via application-local.yaml, ~1.3–1.6 GB | TalkIDE FE (REST+SSE), talkide-worker, control-plane Postgres, NFS, K8s API (fabric8 client), DO Spaces, DO Registry, Stripe, Mailgun | tech-stack.md, architecture.md |
| TalkIDE FE | Vue 3 · TypeScript · Vite · Tailwind 4 | K8s pod (nginx + static build), ~30–50 MB; locally npm run dev on 5200 | TalkIDE BE (api.talkide.app) | editor-stack.md, design-system.md |
| gateway-proxy | Part of TalkIDE BE | Inside the BE pod | Anthropic API — holds the raw ANTHROPIC_API_KEY; proxies agent calls so the worker never sees the key | worker-runtime.md § 6, ADR-024 |
| Claude Code CLI (local-dev only) | claude CLI binary | Host machine (local) | Anthropic API via Max plan | worker-runtime.md § 9 |
| NFS Server pod | nfs-server-provisioner, RWX | K8s pod, mounts DO Block Volume talkide-prod-nfs-vol | TalkIDE BE pod, worker pods, build/test Jobs | infrastructure.md, ADR-013 |
| Ingress controller | ingress-nginx | K8s ingress-nginx ns; backs talkide-prod-lb (DO LB) | All HTTP traffic in/out | ADR-021 |
Containers per tenant-environment namespace (<tenant>-<env>)
| Container | Tech | Status | Notes |
|---|---|---|---|
| talkide-worker | Node/TS · @anthropic-ai/claude-agent-sdk in-process · ~lightweight, no JVM | LIVE (2026-05-21) | One worker pod per tenant-environment namespace. Stateful (session, transcript on NFS, 3-week resume); survives BE redeploys. Calls the gateway-proxy — never holds the Anthropic key. |
| gradle build/test Job | Ephemeral K8s Job | planned (be#213/218) | Stateless, bounded runtime; dispatched by the worker. Cluster scheduler is the concurrency manager; an OOM in one Job does not kill others. |
| Kaniko build Job | Rootless image build, one Job per build | LIVE | Reads source from NFS, pushes the user-app image to the registry. |
| User-app BE+FE pod | Spring Boot + Vue/Vite static build, same-origin single pod, ~800 MB | LIVE | One multi-stage image: FE dist is copied into the BE static/ resources; one JVM on :8080 serves both API and FE. The FE calls relative /api — no baseURL. Connects to its own schema in data-plane cluster B. |
| (no Mara runtime) | — | — | User apps are products of Mara, not consumers of her. |
DEV and PROD are two parallel deployments per project: preview (<uuid>) re-deploys with every build; published (<slug>) only on explicit Publish by the user. See cross-cutting-flows.md § Deploy lifecycle and ADR-022. Under ADR-026 these become explicit first-class Environments.
Managed services (DigitalOcean)
| Service | Purpose | Notes |
|---|---|---|
| talkide-prod-pg — Managed PG 18, cluster A (control-plane) | Platform DB + durable session state | Direct port 25060, pooled 25061. PgBouncer pools: talkide-tx (transaction, size 18) and talkide (session, size 3 — Liquibase advisory locks). See ADR-023. |
| talkide-dataplane-pg — Managed PG 18, cluster B (data-plane) | One schema per user app (tk_t<tenantId>_p<slug>_<env>) | Fronted by a self-hosted PgBouncer (SCRAM-SHA-256, edoburu/pgbouncer). Schema-per-app isolation, per-app role + search_path. ADR-023 supersedes the single-cluster ADR-016 model. |
| talkide-prod-space — Spaces | User-app uploads (apps/user_{id}/app_{slug}/uploads/), generated files, platform backups/exports/logs/artifacts | Single bucket; per-app prefix isolation; versioning enabled; signed URLs. |
| talkide-prod-lb — Load Balancer | Public ingress for talkide.app, api.talkide.app, *.talkide.app | Auto-provisioned by ingress-nginx. |
| talkide-prod-vpc | Private network for cluster + Postgres + Spaces | All east-west traffic stays inside the VPC. |
| DO Container Registry | Image storage | Professional plan — unlimited repos. Platform BE/FE, talkide-worker, shared userapp build cache, and per-user-app images. |
| DO DNS (talkide.app) | Apex, www, api, *.talkide.app | Reserved subdomain list enforced at slug validation (Create Project). |
Cross-cutting concerns by container
| Concern | Owning container |
|---|---|
| Auth (JWT) | TalkIDE BE — Spring Security filter validates JWT on every request; refresh via FE Axios interceptor (ADR-004) |
| Tenant isolation (row-level) | TalkIDE BE — every query filters by tenantId from JWT (ADR-001) |
| Tenant isolation (resource-level) | K8s namespaces per tenant-environment, schema-per-app + per-app PG role, NFS subdir per project |
| Conversation orchestration | TalkIDE BE → talkide-worker per tenant-env (LIVE since 2026-05-21; in-process sidecar replaced) |
| Anthropic key custody | TalkIDE BE gateway-proxy — single place that holds the raw key |
| Activity feed (SSE) | TalkIDE BE — per-project (UC-05) and per-tenant Studio (UC-06) streams (ADR-008) |
| Per-user spend metering & quota (FUP) | TalkIDE BE → Redis (planned, UC-08002) |
| Billing & payments | TalkIDE BE → Stripe (UC-10); transactional email → Mailgun (ADR-025) |
| Build & deploy of user apps | TalkIDE BE → Kaniko Job → Registry → ingress reconcile (Stopa B) |
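The schema-per-app isolation on cluster B (one schema per user app, a per-app PG role, pinned search_path, SCRAM through PgBouncer) described in the managed-services table and in the resource-level tenant isolation row above, as an added SQL example; this is not TalkIDE's own provisioning code. The tenantId 42, slug "shop", env "dev", the database name dataplane and the choice to give the role the same name as its schema are assumptions.

```sql
-- Added example, not TalkIDE's provisioning code. Assumed values:
-- tenantId 42, slug "shop", env "dev" -> schema tk_t42_pshop_dev.
-- The data-plane database is assumed to be named "dataplane" and the
-- per-app role is assumed to share the schema's name.

-- Store the password as SCRAM so the self-hosted PgBouncer
-- (auth_type scram-sha-256) can complete the handshake; an md5-stored
-- password cannot be used for a SCRAM authentication.
SET password_encryption = 'scram-sha-256';

-- One login role per app with no privileges beyond its own schema.
CREATE ROLE tk_t42_pshop_dev LOGIN
  PASSWORD '<per-app-secret-placeholder>'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
  CONNECTION LIMIT 10;

-- Schema owned by the app role: it may create tables there, and no
-- other app role gets USAGE on it.
CREATE SCHEMA tk_t42_pshop_dev AUTHORIZATION tk_t42_pshop_dev;

-- Close the Postgres defaults that would otherwise leak across apps:
-- every role may CREATE in public and CONNECT to any database.
REVOKE ALL ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE dataplane FROM PUBLIC;
GRANT CONNECT ON DATABASE dataplane TO tk_t42_pshop_dev;

-- Pin search_path at the role level so unqualified table names in the
-- user app resolve only inside its own schema, never into public or
-- a sibling app's schema.
ALTER ROLE tk_t42_pshop_dev SET search_path = tk_t42_pshop_dev;

-- Verification from the app role's point of view (run by the
-- provisioning superuser): current_schema() must be the app's own
-- schema, USAGE on it must be granted, and USAGE on a sibling app's
-- schema must be denied (assumes tk_t42_pshop_prod was provisioned
-- the same way; the call errors if that schema does not exist).
SET ROLE tk_t42_pshop_dev;
SELECT current_schema();
SELECT has_schema_privilege('tk_t42_pshop_dev', 'USAGE');
SELECT has_schema_privilege('tk_t42_pshop_prod', 'USAGE');
RESET ROLE;
```

Tearing an environment down is the reverse order: DROP SCHEMA ... CASCADE, then DROP ROLE, so no orphaned login remains that PgBouncer could still authenticate.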