Block toolkit
The A-POST-OL platform isn't an empty framework. It's 26 ready-made PostgreSQL modules and 8+ C++ server modules. From these blocks, an information system of any kind can be assembled.
Below is a map of the blocks, organized by group. Each block links to its detailed page in the db-platform wiki, the source of truth.
7 architectural decisions flagged by the audit
In April 2026, an external auditor singled out these platform decisions as worth carrying into any new stack. His words and our explanations follow.
Workflow engine — as data
States, transitions, and events of business processes are stored in DB tables, not in code. Change the workflow without redeploying the service.
«States/transitions/events configurable without deploy. Truly useful.»
Registry — hierarchical K/V for config
Platform and project configuration are stored in a registry modeled after Windows Registry. Changeable at runtime — no service restart.
«Hierarchical K/V for config, changeable at runtime.»
Entity file convention
Each business entity is assembled from 8 SQL files: table, view, routine, api, rest, event, init, security. Open the project — instantly know where everything lives.
«Entity file convention — consistent navigation.»
Audit log taxonomy
Event-code registry 1xxx–9xxx with predictable grouping by subsystem. Debugging and error tracing become a one-line affair.
«Code registry 1xxx-9xxx really simplifies debugging.»
Three-layer access control (ACU/AMU/AOU)
Access is controlled at three levels: class (ACU), method (AMU), object (AOU). Not just role-based — a fine-grained model for multi-tenant and enterprise.
«Proper access model, not just role-based.»
Observer via PG NOTIFY
Pub/sub real-time subscriptions to object events: PostgreSQL LISTEN/NOTIFY → WebSocket → frontend. No Kafka, no Redis, no operational overhead.
«Simple and effective real-time subscriptions without Kafka overhead.»
Role-based DB users
Real security boundaries not at the application layer, but at the PostgreSQL layer: kernel / admin / daemon / apibot — four DB users with different SECURITY DEFINER rights.
«Real security boundaries at the DB layer.»
— from the independent audit of Apostol CSMS, April 2026.
Auth & Sessions
Built-in authorization, authentication, and session management blocks.
OAuth 2.0
6 grant types · PKCE · JWT (HS/RS/ES/PS)
Registration
Signup flow with email/phone confirmation
Sign In / Sign Out
Cookie-based and token-based scenarios
Password Recovery
Multi-step reset with verification code
Verification Codes
SMS / Email one-time codes
Sessions & Context
User · scope · area · locale · interface
Entities & Objects
Class-oriented data model with inheritance, types, and states.
Object hierarchy
Object → Reference / Document → your classes
Object endpoints
Generic CRUD: get / list / count / set / delete
Class endpoints
Per-class REST patterns with workflow methods
Object Groups / Links
Arbitrary grouping and linking of objects
Object Data
Arbitrary object payload: text / JSON / XML / Base64
Object Address / Geolocation
Postal addresses and GPS coordinates with temporal validity
Workflow & Events
State machine, audit log, real-time subscriptions. Business process — as data.
States & Transitions
AddState / AddTransition in init.sql — configured in DB
Methods & Events
AddMethod / AddEvent with PL/pgSQL handlers
Workflow customization
Extending states and methods in project configuration
Audit log
Codified event registry 1xxx–9xxx
Notification
Object change journal + notification dispatch
Observer (Pub/Sub)
LISTEN/NOTIFY → WebSocket subscriptions with filter routing
Files, Config & Data
File storage, multilingual content, hierarchical settings registry.
File service
Virtual FS · UNIX masks · S3 buckets
Resource tree
Localized hierarchical content (HTML/MD/MIME)
Registry
K/V config like Windows Registry, runtime-changeable
Localization
ISO 639-1 + localized error messages (6 languages)
KLADR
Russian address classifier, ready integration
Replication
Multi-instance data synchronization
Access & Security
Three-layer ACL, isolated DB users, area-based document visibility.
ACU — class access
5 bits: a/c/s/u/d (access/create/select/update/delete)
AMU — method access
3 bits: x/v/e (execute/visible/enable) for workflow methods
AOU — object access
Per-object permissions: select/update/delete
Area — document scope
Hierarchical area (branch/region/department) for multi-tenant
Role-based DB users
kernel / admin / daemon / apibot — real isolation
JWT — issuer / audience
Multi-app scenarios: web, mobile, service-to-service
Communication & Integrations
Notifications, inbound webhooks, outbound HTTP, reports.
Notice
In-app notifications for users
Comment
Hierarchical comments on objects
MessageServer
Email / SMS / Push dispatcher (separate process)
PGFetch — outbound HTTP
Async fetch to external APIs via LISTEN/NOTIFY
REST + Swagger UI
418 endpoints out of the box · OpenAPI 3.0 auto-generation
Reports
Report builder: tree / form / routine / ready