- Backend: ShallowEtagHeaderFilter for /api/v1/*, API-VERSIONING.md, README (tenant, CORS, Flyway, ETag)
- k8s: backend-deployment.yaml (Deployment, Service, Secret/ConfigMap)
- Web: scaffold with directory pull, 304 handling, touch-friendly UI
- Android 16: ANDROID-16-TARGET.md; BuildConfig STUN/signaling, SMOAApplication configures InfrastructureManager
- Domain: CertificateManager revocation stub, ReportService signReports, ZeroTrust/ThreatDetection minimal docs
- TODO.md and IMPLEMENTATION_STATUS.md updated; communications README for endpoint config

Co-authored-by: Cursor <cursoragent@cursor.com>
SMOA System Architecture
Version: 1.0
Last Updated: 2024-12-20
Status: Draft - In Progress
System Overview
The Secure Mobile Operations Application (SMOA) is a hardened Android-based application designed for deployment on approved foldable mobile devices. SMOA enables identity presentation, secure internal routing, and mission communications in connected, disconnected, and degraded environments.
System Purpose
SMOA provides secure mobile operations capabilities for government and military personnel, including:
- Digital credential presentation
- Secure communications
- Orders management
- Evidence chain of custody
- Regulatory reporting
- Domain-specific operations (law enforcement, military, judicial, intelligence)
System Context
SMOA operates in a secure mobile and multi-platform environment with:
- Primary client: Android (enterprise-hardened builds); the primary device class is foldable smartphones with biometric hardware support.
- Additional clients: iOS (last three generations: iOS 15, 16, 17) and Web Dapp (desktop/laptop browsers, including touch devices), using the same backend API contract.
- Deployment Model: Government-furnished or government-approved devices under MDM/UEM control where applicable; Web Dapp served over HTTPS with CORS.
- Connectivity: Online, offline, and degraded modes; backend supports all clients via REST and configurable CORS.
Architecture Principles
Security First
- Multi-factor authentication required
- Hardware-backed encryption
- Zero-trust architecture principles
- Defense in depth
Resilience
- Offline operation capability
- Degraded mode support
- Data synchronization
- Automatic recovery
Compliance
- Standards-based implementation
- Compliance by design
- Audit trail throughout
- Certification ready
Modularity
- Modular architecture
- Clear module boundaries
- Well-defined interfaces
- Reusable components
High-Level Architecture
System Components
┌─────────────────────────────────────────────────────────────┐
│                      SMOA Application                       │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────┐   │
│  │     Core     │    │     Core     │    │     Core     │   │
│  │   Modules    │    │   Modules    │    │   Modules    │   │
│  │     (8)      │    │     (8)      │    │     (8)      │   │
│  └──────────────┘    └──────────────┘    └──────────────┘   │
│                                                             │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────┐   │
│  │   Feature    │    │   Feature    │    │   Feature    │   │
│  │   Modules    │    │   Modules    │    │   Modules    │   │
│  │     (13)     │    │     (13)     │    │     (13)     │   │
│  └──────────────┘    └──────────────┘    └──────────────┘   │
│                                                             │
│  ┌────────────────────────────────────────────────────────┐ │
│  │                  Common Infrastructure                 │ │
│  │  - Authentication   - Security   - Database            │ │
│  │  - Networking       - Storage    - Logging             │ │
│  └────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Core Modules (8)
- core:auth - Authentication framework
- core:security - Security infrastructure
- core:common - Common utilities
- core:barcode - PDF417 barcode generation
- core:as4 - AS4 gateway messaging
- core:eidas - eIDAS compliance
- core:signing - Digital signatures & seals
- core:certificates - Certificate management
Feature Modules (13)
- modules:credentials - Issued credentials
- modules:directory - Internal directory
- modules:communications - Unit communications
- modules:meetings - Secure meetings
- modules:browser - Controlled browser
- modules:orders - Orders management
- modules:evidence - Evidence chain of custody
- modules:reports - Report generation
- modules:atf - ATF form support
- modules:ncic - NCIC/III integration
- modules:military - Military operations
- modules:judicial - Judicial operations
- modules:intelligence - Intelligence operations
Component Architecture
Authentication Component
- Multi-factor authentication (PIN + Fingerprint + Facial Recognition)
- Session management
- Re-authentication triggers
- Hardware-backed key storage
Security Component
- Encryption (at rest and in transit)
- Key management
- Certificate management
- Audit logging
- Policy enforcement
Data Storage Component
- Room database (local SQLite)
- Encrypted storage
- Offline data caching
- Data synchronization
Network Component
- Secure communication (TLS)
- VPN support
- Offline mode detection
- Degraded mode handling
Module Architecture
Module Structure
Each module follows a consistent structure:
- Domain Layer: Business logic and data models
- Data Layer: Database and repositories
- Presentation Layer: UI components (Jetpack Compose)
- Service Layer: Business services
Module Dependencies
- Core modules have no dependencies on feature modules
- Feature modules depend on core modules
- Clear dependency hierarchy
- Minimal inter-module dependencies
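The dependency rule above (core never depends on feature) is only as strong as whatever enforces it. The following root build script fragment is an added example, not the SMOA project's own build script: it fails the Gradle build at configuration time if any `:core:*` project declares a project dependency on a `:modules:*` project. It assumes a Gradle Kotlin DSL multi-project build whose project paths mirror the module names listed in this document.

```kotlin
// Root build.gradle.kts (added example, not the project's own build script).
// Enforces the documented rule: core modules (:core:*) must never depend on
// feature modules (:modules:*). Feature-to-core and core-to-core edges stay allowed.
// Assumes Gradle project paths mirror the module names used in this document.

val corePrefix = ":core:"
val featurePrefix = ":modules:"

subprojects {
    // Only core projects are constrained; feature projects may depend on anything.
    if (!path.startsWith(corePrefix)) return@subprojects

    configurations.configureEach {
        val configName = name   // Configuration name, e.g. "implementation"
        dependencies.configureEach {
            val dep = this as? ProjectDependency ?: return@configureEach
            // dependencyProject is the pre-8.11 accessor; newer Gradle also offers dep.path
            val target = dep.dependencyProject.path
            if (target.startsWith(featurePrefix)) {
                // Fail at configuration time, before any compilation, so the
                // violation surfaces in CI instead of as silent runtime coupling.
                throw GradleException(
                    "Architecture violation: core module '${project.path}' depends on " +
                        "feature module '$target' via configuration '$configName'. " +
                        "Core modules must not depend on feature modules."
                )
            }
        }
    }
}
```

Because the check runs inside `configureEach`, it also catches dependencies added later by plugins or convention scripts, not only those written by hand in a module's `build.gradle.kts`.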
Data Architecture
Data Model
- Room Database: Primary local storage
- Encrypted Storage: Sensitive data encryption
- Offline Cache: Time-bounded offline data
- Synchronization: Data sync on connectivity
Data Flow
- User input → Domain layer
- Domain layer → Data layer (persistence)
- Data layer → Domain layer (retrieval)
- Domain layer → Presentation layer (display)
Data Protection
- Encryption at rest (hardware-backed)
- Encryption in transit (TLS)
- Access control (RBAC)
- Audit logging
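The Authentication Component above lists re-authentication triggers and hardware-backed key storage, and Data Protection lists hardware-backed encryption at rest. The following Kotlin object is an added example, not SMOA project code, showing how those two requirements meet in the Android Keystore: an AES-256-GCM key that prefers the StrongBox secure element, falls back to the TEE, demands a fresh class-3 biometric for every use, is invalidated on biometric re-enrollment, and can be checked after creation to confirm it really is hardware-backed. The object name and key alias are assumptions; the API-level guards follow the minimum SDK 24 stated in this document.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.security.ProviderException
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.SecretKeyFactory

/**
 * Added example (not SMOA project code). Object name and alias are assumptions.
 * Provides a hardware-backed AES-256-GCM data-encryption key that requires a
 * strong biometric for every use.
 */
object SmoaKeyProvider {
    private const val ANDROID_KEYSTORE = "AndroidKeyStore"
    private const val ALIAS = "smoa_local_data_key"   // hypothetical alias

    fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }

        // Prefer the secure element (API 28+); fall back to the TEE if the device has none.
        val tryStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P
        return try {
            generate(strongBox = tryStrongBox)
        } catch (e: ProviderException) {
            // StrongBoxUnavailableException extends ProviderException; catching the
            // parent keeps this method loadable on devices below API 28.
            if (!tryStrongBox) throw e
            generate(strongBox = false)
        }
    }

    private fun generate(strongBox: Boolean): SecretKey {
        val builder = KeyGenParameterSpec.Builder(
            ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            // Re-authentication trigger: the key is unusable until the user authenticates.
            .setUserAuthenticationRequired(true)
            // Enrolling a new fingerprint or face permanently invalidates the key.
            .setInvalidatedByBiometricEnrollment(true)
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // Timeout 0 = authenticate for every use; only class-3 (strong) biometrics qualify.
            builder.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        } else {
            @Suppress("DEPRECATION")
            builder.setUserAuthenticationValidityDurationSeconds(-1) // -1 = per-use auth
        }
        if (strongBox && Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            builder.setIsStrongBoxBacked(true)
        }

        val generator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
        generator.init(builder.build())
        return generator.generateKey()
    }

    /**
     * Confirms the key material lives in the TEE or StrongBox rather than in software.
     * The builder flags alone do not guarantee this on every device, so verify it.
     */
    fun isHardwareBacked(key: SecretKey): Boolean {
        val factory = SecretKeyFactory.getInstance(key.algorithm, ANDROID_KEYSTORE)
        val info = factory.getKeySpec(key, KeyInfo::class.java) as KeyInfo
        return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            info.securityLevel == KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT ||
                info.securityLevel == KeyProperties.SECURITY_LEVEL_STRONGBOX
        } else {
            @Suppress("DEPRECATION")
            info.isInsideSecureHardware
        }
    }
}
```

Because the key requires per-use authentication, a `Cipher` initialised with it must be wrapped in a `BiometricPrompt.CryptoObject` and unlocked by the prompt before `doFinal` succeeds; that is where the "re-authentication trigger" from the Authentication Component becomes enforced by the keystore rather than by application logic. If `isHardwareBacked` returns false, the device does not meet the hardware-backed encryption requirement and should be rejected by policy rather than silently used.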
Integration Architecture
External System Integrations
- AS4 Gateway: Inter-agency messaging
- NCIC/III: Law enforcement databases
- ATF eTrace: Firearms tracing
- QTSP: Qualified Trust Service Providers
- Timestamping Authority: Qualified timestamps
Integration Patterns
- RESTful APIs
- AS4 messaging
- Secure file transfer
- Certificate-based authentication
Deployment Architecture
Deployment Model
- Device: Government-furnished foldable Android devices
- MDM/UEM: Mobile device management
- Backend Services: Enterprise backend (if applicable)
- Network: Secure government networks
Infrastructure Requirements
- Android 7.0+ (API 24+)
- Biometric hardware support
- Hardware-backed key storage
- Network connectivity (with offline support)
Technology Stack
Platform
- Language: Kotlin
- Platform: Android
- Minimum SDK: 24 (Android 7.0)
- Target SDK: 34 (Android 14)
Core Libraries
- UI: Jetpack Compose
- Database: Room
- Networking: Retrofit, OkHttp
- Dependency Injection: Hilt
- Security: Android Keystore, BouncyCastle
- Barcode: ZXing
- PDF: PDFBox or iText
Development Tools
- IDE: Android Studio
- Build System: Gradle
- Version Control: Git
- CI/CD: (To be determined)
Security Architecture
See the Security Architecture Document for the detailed security design.
Key Security Features
- Multi-factor authentication
- Hardware-backed encryption
- Secure key storage
- Encrypted communication
- Audit logging
- Policy enforcement
Performance Considerations
Optimization Strategies
- Lazy loading
- Caching
- Background processing
- Efficient database queries
- Image optimization
Performance Targets
- Application startup: < 3 seconds
- Screen transitions: < 300ms
- API response: < 2 seconds
- Database queries: < 100ms
Scalability
Current Scope
- Single device deployment
- Local data storage
- Offline-first architecture
Future Considerations
- Multi-device synchronization
- Cloud backend integration
- Enterprise deployment
Diagrams
System Architecture Diagram
[To be added: PlantUML or image]
Component Architecture Diagram
[To be added: PlantUML or image]
Module Dependency Diagram
[To be added: PlantUML or image]
Data Flow Diagram
[To be added: PlantUML or image]
References
Document Owner: Technical Lead
Last Updated: 2024-12-20
Status: Draft - In Progress
Next Review: 2024-12-27