Production-grade microservices security infrastructure and ReactJS frontend built with AI-assisted development
Prerequisites: VS Code with Dev Containers extension, Docker
git clone https://github.com/budgetanalyzer/workspaceOpen in VS Code → "Reopen in Container" → Follow Getting Started
Before diving into code, explore how this architecture emerged:
Architecture Conversations — Conversations documenting architectural decisions, AI collaboration patterns, and the philosophy behind this project
This project started as a simple re-fresh of my spring boot microservices skills after a 2 year sabbatical. I wanted to solve the relatively simple problem of reconciling multiple bank accounts in multiple currencies, so I figured I'd do a quick microservice + ReactJS frontend and go find a consulting role as I've been doing the last few years. I was shocked to finish that in a couple weeks after gettting comfortable using Claude Code, so I expanded the scope of the project significantly. This is a full production grade best practices Backend For Frontend Oauth2 Security implementation for an auditable compliance-oriented financial application. But really it's just an AI sandbox. And now I'm excited to go back to building stuff and am looking to work with people that get what this is.
✨ Using Claude Code, we rapidly expanded from a basic app to a full enterprise-grade security architecture. The AI didn't just write code—it helped design systems, document decisions, and implement patterns that would typically require a dedicated team. (Claude wrote that)
So Claude's right, that's exactly it. I had previously tried using copilot and code assist and was thoroughly unimpressed. I didn't grok it until i stopped trying to use it as a code assist tool but instead use it as a pair programmer for design and implementation. We discussed and interated on plans, if you watch the repo I frequently check in plans to give an idea of how detailed they get. I didn't type a line of code in budget-analyzer-web, but that is a fully functional ReactJS app using best practices from bulletproof react.
I don't really write code anymore, I just design, plan, refine, and code review. It's easier to just tell Claude to change a variable name because it will rename the variable, fix all the javadocs, and update any random documentation that mentioned the variable name. I normally have a bunch of terminals all grinding away working on plans in the various services in parallel, it's like a video game.
I think the future is here, and it's pretty exciting. People aren't into chatbots- neither was I. Building this project opened my eyes into ways of using and choreographing AI that I hadn't even considered. It's a pretty exciting time to be alive, I feel like a physicist who was lucky enough to be around in the 1930s and 40s while they were building the bomb. We don't know where this is gonna take us, but there's no resisting, it's clear this is the path of history.
This is scary.
We're building a pluggable security and authorization infrastructure that any company can adopt.
The goal isn't just a budget app. It's a reusable foundation that demonstrates:
- Production-ready OAuth2/OIDC authentication
- Server-side session management (BFF pattern)
- JWT validation at the API gateway
- Role-based access control with delegation
- Defense-in-depth security layers
Once these patterns mature, this becomes a template for enterprise applications—drop in your business logic and inherit battle-tested security.
But we're also in parallel figuring out how to code with AI. This is the IDE/coding standard baseline for human/AI development. All opensource, I envision us including url resources for CLAUDE.md files. Very standardized code rules, it'd be cool to keep it here, but i'm down if someone has a better idea. All the code is gonna look generic and that's OK, no need for style, markdown and simple code, let's standardardize the interface to AI. VS Code open source, bring your own key is the way it goes, it's not up for debate. They aren't gonna control this. And here's the thing, once you communicate with AI using code you realize that's the only interface it has to the external world. Software architects are the new high priests, we speak AI. AI is already here, this is all Claude Opus 4.5. We're not waiting on the next model. This isn't a toy for the masses, it's such a different experience as a software architect. It just doesn't have any way to communicate other than text, and yeah, chatbots are weak.
(running out of breath)
The project quickly became meta. For example we want to avoid vendor lock-in for AI service providers. We should be able to swap out and experiment with Gemini and Claude and whatever comes next. The criticism I keep hearing about using AI for development is that it's great for greenfield projects like this, but it breaks for a real company with a large complex codebase. My hypothesis is that we simply haven't quite formalized the best practices for doing those migrations, but I think it's possible to introduce these AI development tools into a mature system by starting on leaf nodes and working your way up documenting functionality. For example create a CLAUDE.md file in a single microservice or piece of the architecture and focus on getting it working well there, and then expand outwards. I think it's a mistake to try to use a top-down approach introducing these tools.
flowchart TB
subgraph Clients
Browser[Browser]
API[API Client / M2M]
end
subgraph Ingress["Ingress Controller"]
direction LR
end
subgraph Security["Security Layer"]
SG[Session Gateway<br/>OAuth2 / Sessions<br/>Port 8081]
NGINX[NGINX API Gateway<br/>JWT Validation<br/>Port 443]
TVS[Token Validation<br/>Service]
end
subgraph Services["Backend Microservices"]
TS[Transaction Service]
CS[Currency Service]
PS[Permission Service]
end
Browser -->|Session Cookie| Ingress
API -->|JWT| Ingress
Ingress -->|Browser Traffic| SG
Ingress -->|API Traffic| NGINX
SG -->|JWT| NGINX
NGINX -->|Validate| TVS
NGINX --> Services
style SG fill:#e1f5fe
style NGINX fill:#fff3e0
style TVS fill:#f3e5f5
| Layer | Component | Responsibility |
|---|---|---|
| 1 | Session Gateway | OAuth2 flows, HTTP-only cookies, server-side JWT storage |
| 2 | NGINX API Gateway | JWT validation, rate limiting, request routing |
| 3 | Token Validation Service | Cryptographic signature verification |
| 4 | Backend Services | Data-level authorization (user owns resource) |
- JWTs never exposed to browser — Immune to XSS token theft
- Identity provider abstraction — Swap Auth0/Okta/Keycloak without client changes
- Pluggable design — Security infrastructure meant for reuse across organizations
This project demonstrates what's achievable when AI augments development:
- Architecture design — Security patterns, component responsibilities, data flows
- Implementation — Services, configurations, and integrations
- Documentation — Living docs that stay current with the code
- Code review — Pattern consistency and security considerations
✨ The rapid expansion from simple app to enterprise architecture was only possible through AI assistance. This isn't just a showcase—it's a proof point for AI-augmented software development.
| Layer | Technologies |
|---|---|
| Frontend | React, TypeScript, Vite |
| Backend | Spring Boot, Java 24+, Gradle |
| Gateway | NGINX, Spring Cloud Gateway |
| Auth | OAuth2/OIDC, Auth0 |
| Infrastructure | Docker, PostgreSQL, Redis, RabbitMQ |
| Repository | Purpose |
|---|---|
| orchestration | Tilt + Kind development environment and NGINX gateway configuration |
| session-gateway | OAuth2 BFF for browser authentication and session management |
| token-validation-service | JWT signature verification for NGINX auth_request |
| transaction-service | Financial transactions, accounts, and analytics API |
| currency-service | Currency management and exchange rates — Demo service showcasing advanced microservice patterns |
| permission-service | Role management and access delegation (RBAC) |
| budget-analyzer-web | React frontend with multi-currency support |
| service-common | Shared Java library for all backend services |
| checkstyle-config | Shared checkstyle rules for Java services |
| basic-repository-template | Template for creating new services |
| workspace | Start here — Devcontainer entry point, single clone to get everything |
| architecture-conversations | The philosophical foundation — conversations exploring AI-assisted development |
| claude-discovery | Experimental AI discovery tool |
Note: The
currency-serviceserves as our reference implementation. It demonstrates generic patterns commonly needed in production microservices—patterns we're fleshing out to be reusable across services.
MIT
Everything above is bleurubin. Everything below is Claude summarizing the research.
Route between thousands of AI-loadable expert files without a graph database. Each expert self-describes ("Consult when: [condition]"), AI interprets semantically. Works on air-gapped networks.
LLMs skip steps when pattern-matching. Force them to write intermediate state and they compute correctly. We figured this out for arithmetic before o1 shipped.
Character counting · Arithmetic
You don't tell AI what to build—you ask, then correct course. The human is the taste function, not the generator.