Platform · V1.0

Secure. Stable. Scalable.
And built for AI.

One foundation for every application we deliver. Engineered so you focus on business value — while we take care of the boring stuff.

Why the platform exists

One platform. Many apps. Zero drift.

Standardised once, reused everywhere. Every application we build inherits the same foundation — so complexity lives in the platform, not scattered across apps.

Secure
Zero-trust by default. Secrets in Secrets Manager, scoped IAM, private subnets, non-root containers, TLS everywhere. Enforced by the pipeline — not by memory.
Stable
Managed services over self-hosted. Multi-AZ Postgres, same image across environments, boring pipelines. Reliability over novelty, every time.
Scalable
Stateless services. Isolated databases per app. Scale out by raising desired count. No monolith, no shared-DB coupling, no ceiling.
AI-First
Stack chosen for Claude Code leverage. Ground truth in an Obsidian vault, encoded in reusable skills — correct by default, not by accident.
Executive summary

Four foundations. One stack.

Foundation
AWS · Fargate
Single cloud. Serverless containers. No EC2 to manage, no clusters to babysit.
Stack
Java · React · Postgres
Strong talent pool. Mature tooling. Strongest Claude Code generation quality.
Delivery
GitLab · Terraform · GSD
Everything as code. Discovery first, then phased build — each gate enforced.
Ground Truth
Obsidian · Skills
Best practices encoded, referenced by Claude on every build. Correct by default.
Architecture · layered view

Eight layers. Standard services. Nothing rolled by hand.

Each app inherits the same foundation. Own ECS service, own RDS, own secrets, own repo. Integration through APIs and events — never shared databases.

01
Frontend
React · TypeScript · CloudFront + S3
02
API Layer
Spring Boot · REST · OpenAPI · ALB ingress
03
Compute
ECS on Fargate · Docker · private subnets
04
Integration
REST APIs · SQS / EventBridge (optional async)
05
Data
RDS PostgreSQL · multi-AZ · Flyway migrations
06
Security & Config
Secrets Manager · Cognito OIDC · IAM least-privilege
07
Observability
CloudWatch logs & metrics · on-demand Claude agents
08
Infrastructure as Code
Terraform · versioned in Git · no portal clicks
Isolation principle. Each application gets its own service, its own database, its own secrets, its own repository. Integration happens through APIs or events — never through shared databases.
Architectural landscape

The physical picture.

Users enter through managed ingress, reach stateless Fargate services in private subnets, and hit isolated RDS databases per app. Everything in Terraform, secrets in Secrets Manager, logs to CloudWatch.

Actors
End users
Operators
Waste-mgmt, municipalities
Developers
Local · Claude Code
CI/CD
GitLab CI
Build · Test · Deploy
IaC
Terraform
All AWS in code
Edge & identity
CDN
CloudFront
TLS · WAF
Ingress
Application LB
Public subnet
Identity
Cognito
OIDC · roles
Registry
ECR
Container images
AWS · eu-west-1 · VPC · private subnets · multi-AZ
Satellite app A
Compute
ECS · Fargate
Spring Boot · React
Data
RDS PostgreSQL
Multi-AZ · PITR
Satellite app B
Compute
ECS · Fargate
Spring Boot · React
Data
RDS PostgreSQL
Multi-AZ · PITR
Integration · REST APIs (OpenAPI) · SQS / EventBridge · no shared DBs
Secrets
Secrets Mgr
Logs
CloudWatch
Audit
CloudTrail
Access
IAM · least privilege
Ops AI
Claude Agents
On-demand log analysis · diagnostics · audit
DR · eu-central-1
Replicas
Cross-region
Read replicas
Archive
S3
Annual snapshots
Failover
RTO ½ day
RPO 0 · multi-AZ
Rebuild
Terraform
ECS from code
Legend: user traffic flow · control & deploy flow · DR replication
Design principles

Nine rules we won't bend.

Every choice traces back to one of these. When a future decision feels ambiguous, we return to the principles — not to a person's preference.

P·01
Standardise the platform, isolate the apps
One foundation, reused everywhere. Each app: own repo, service, database. No shared-DB coupling.
P·02
Everything as code, everything in Git
App code, Terraform, pipeline, docs, tests, skills — all versioned. No portal clicks.
P·03
AI-first by design
Stack chosen for Claude Code leverage. Ground truth in vault + skills.
P·04
Cost-efficient by default
Fargate over EKS. Right-sized RDS. Managed services over self-hosted.
P·05
Secure out of the box
Zero-trust: Secrets Manager, scoped IAM, private subnets, non-root containers.
P·06
Horizontally scalable from day one
Stateless services. Same image across envs, config at runtime. Scale by desired count.
P·07
Same image across environments
The exact artifact tested in Acceptance is what goes to Production. Config differs, code identical.
P·08
Pipeline boring by design
Lint, test, security, build, deploy, verify. Every stage predictable.
P·09
Keep the team focused on software, not infra
Managed services absorb ops load. SOLID · KISS · DRY · YAGNI — code & infra.
End-to-end delivery workflow

From developer intent to running software.

Every arrow is automated or policy-enforced — nothing depends on someone remembering.

① Developer workstation
Mac · Claude Code · local loop
Developer
Defines intent
Editor
VS Code
Extensions
AI
Claude Code
Reads CLAUDE.md · writes code
Skills
Reusable automations
DB · Query · Infra · Log
Ground truth
Obsidian vault
Architecture · conventions · API
Local dev
Docker Compose
Postgres · backend · frontend
Git push
feat/* → MR → main
② CI / CD pipeline
GitLab · 9 gates
1
Lint
checkstyle · eslint · tf fmt
2
Test
unit · integration · testcontainers
3
Security
SAST · dependency scan
4
Build
Docker · push to ECR
5
Terraform
plan / apply · OIDC · IaC
6
Deploy
ECS service update → Acceptance
7
E2E
Playwright vs live acceptance
8
Manual gate
Lead dev approval
9
Promote
Same image SHA → Production
③ AWS runtime & feedback
Acceptance · Production · observability
Acceptance · eu-west-1
Fargate · stateless tasks
RDS Postgres · per app · multi-AZ
Production · eu-west-1
Fargate · desired_count ≥ 2
RDS Postgres · multi-AZ · PITR
Observability
CloudWatch
Logs · metrics
Ops AI
Claude log analyzer
On-demand diagnostics
Feedback loop
Insights update skills & vault
Continuous learning
End users
HTTPS · CloudFront · ALB
Same image across environments. The exact artifact tested in Acceptance is what goes to Production. Code identical; config differs. Findings from production update the skills and vault — so the next build starts smarter.
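Gate 9 ("Same image SHA → Production") and principle P·07 only hold if the promotion step refuses anything that is not the exact artifact acceptance tested. The guard below is an added example, not the platform's own pipeline code: it assumes image references of the form `registry/repo@sha256:<digest>` and treats tag-only references (which can be re-pointed after E2E) as a failed gate.

```shell
#!/bin/sh
# Added example: promotion guard for "same image SHA -> Production".
# Assumes digest-pinned references (registry/repo@sha256:<64 hex>);
# a tag such as :latest can be re-pointed after acceptance and is rejected.

# Return 0 if the reference is pinned by a sha256 digest, 1 otherwise.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Print the digest part ("sha256:...") of a pinned reference.
digest_of() {
  printf '%s\n' "$1" | sed -n 's/^.*@\(sha256:[0-9a-f]\{64\}\)$/\1/p'
}

# Promotion check: the reference E2E ran against in Acceptance and the
# candidate Production reference must both be digest-pinned and equal.
# Exit codes: 0 ok, 2 unpinned reference, 3 digest mismatch.
check_promotion() {
  acc="$1"
  prod="$2"
  is_digest_pinned "$acc"  || { echo "acceptance ref not digest-pinned: $acc" >&2; return 2; }
  is_digest_pinned "$prod" || { echo "production ref not digest-pinned: $prod" >&2; return 2; }
  if [ "$(digest_of "$acc")" != "$(digest_of "$prod")" ]; then
    echo "digest mismatch: acceptance $(digest_of "$acc") vs production $(digest_of "$prod")" >&2
    return 3
  fi
  echo "ok: promoting $(digest_of "$prod")"
}
```

In a GitLab job the acceptance reference would come from the deploy stage's output (for example a job artifact), so the promote stage cannot choose a different image than the one verified.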
Non-functional guarantees

Secure by default. Recoverable always.

Security
Zero-trust, layered
  • Parameterised queries, input validation, output encoding
  • OIDC via AWS Cognito, RBAC enforced server-side
  • Encryption at rest (RDS) + TLS 1.2+ in transit
  • VPC: public ALB, private ECS & RDS
  • IAM least privilege per service
  • Secrets in Secrets Manager — never in code
  • CloudTrail audit logging
Disaster Recovery
Zero data loss · ½ day RTO
  • RDS multi-AZ — synchronous replica, minute-scale failover
  • Cross-region read replica for regional failure
  • Point-in-time recovery enabled
  • 35-day automated backup retention
  • Annual snapshot export to S3 for archival
  • ECS multi-AZ task placement
  • Terraform enables clean rebuild
Observability
CloudWatch + Claude agents
  • Structured JSON application logs
  • CloudWatch metrics & alarms on error / latency / CPU
  • Distributed tracing (X-Ray) where valuable
  • Claude agents for log analysis & diagnostics
  • Manual trigger first, automated after trust
  • IAM-scoped access, cost-bounded invocation
  • Datadog optional if depth is needed later
AI-first engineering

Claude Code isn't a tool. It's the delivery model.

AI-first delivery only works when the AI has context it can trust. The platform bakes that context into the workflow — ground truth in a vault, reusable skills that enforce it, and agents that apply it in operations.

Ground Truth
Obsidian vault
Architecture decisions, DB conventions, API patterns, testing standards, security checklists — all versioned in Git. Referenced by Claude on every build.
Reusable Skills
Opinionated automations
Database Design · Query Optimisation · Infra Patterns · Project Setup. Every skill encodes a standard so Claude-generated code is correct by default, not by accident.
Operational Agents
Claude on the ops side
Log analyser. Performance diagnostics. Security audit. Triggered on-demand from CloudWatch alerts. IAM-scoped, cost-bounded, human-approved first.
Next Step

Start delivering better, faster, cheaper.

Tell us your ambitions and plans. We'll scope it, build it, and run it — on the same secure, stable, scalable foundation every other Pareto project runs on.
