02-Architecture / 02.01.Core-Data-Architecture

02.01.Core Data Architecture

02.01. Core Data Architecture

Purpose

This document defines the target architecture for the business-critical vehicle-data acquisition pipeline.

Operational backout reference:

• bnc-cpt-api.ROLLBACK-REPORTING-REFACTOR.md

It exists because the current API has already proven the Tesla-first product flow, but the data-fetch/report core is still too tightly coupled, too Tesla-shaped, and too implicit in its failure handling.

This architecture is the source of truth for how the API must evolve from a working Tesla integration into a scalable multi-provider reporting platform.

Business Requirement

The business depends on one question being answered correctly for each vehicle:

For this VIN, what provider data do we have, what failed, why did it fail, and is the result sufficient to produce a trustworthy report?

If the architecture cannot answer that clearly, the system is not production grade.

Architectural Goals

1. Make vehicle-data acquisition a first-class subsystem.
2. Keep the API as a modular monolith for now.
3. Make the core provider-agnostic, with Tesla as the first provider adapter.
4. Model partial data and failure states explicitly.
5. Keep token handling isolated from report rendering and PDF generation.
6. Support providers with unequal capabilities without degrading the entire domain model into provider-specific hacks.
7. Preserve a future path to async workers and service extraction without requiring microservices now.

Current Problems

The current implementation has these structural issues:

• Tesla OAuth/session orchestration, Tesla fetch logic, normalization, and report construction are concentrated in one service area.
• Report generation still treats raw endpoint success/failure as implementation details instead of domain results.
• Optional modules can fail silently and disappear from the final report.
• The WUI contract is report-shaped instead of acquisition-shaped.
• PDF generation is too close to report payload details and runtime packaging assumptions.
• Provider-specific behavior leaks upward instead of terminating at the provider boundary.

Current Implementation Status

As of March 13, 2026, the refactor has started and the codebase is no longer fully in the original mixed shape.

Already extracted from the old mixed service area:

• provider_auth
• Tesla OAuth state handling
• token exchange and refresh
• partner token minting
• provider_acquisition
• per-VIN module fetch orchestration
• shared charging-history acquisition
• provider_client
• Tesla Fleet transport layer
• region fallback and resilience behavior
• provider_normalization
• raw Tesla payload to acquisition outcome mapping
• partial-data classification such as missing drive_state
• order_session_service
• session persistence
• session retrieval
• session status guards
• E2E sliding TTL behavior
• typed models
• OrderSession
• ModuleResult
• VehicleSnapshot
• VehicleAcquisitionOutcome

Still remaining in tesla_fleet.py:

• application workflow orchestration
• report generation coordination
• charging invoice/export helper logic
• legacy Tesla-specific normalization/helper functions that still need further relocation

This means the architecture direction is active in code, but the top-level application boundary cleanup is not finished yet.

Current Active Flow

The current active backend flow is now:

router
  -> TeslaFleetService (workflow coordinator)
    -> OrderSessionService
    -> TeslaProviderAuthService
    -> TeslaProviderAcquisitionService
    -> TeslaProviderClientService
    -> TeslaProviderNormalizationService

This is important:

• the new architecture is already the active path
• the system is not waiting for a future rewrite to start using these boundaries
• remaining work is mainly top-layer cleanup and broader verification

Core Principle

The system must be capability-driven, not provider-field-driven.

The API should not assume that every manufacturer exposes the same data. Instead, each provider declares which business capabilities it supports and the quality level of that support.

Provider-Agnostic Capability Model

Canonical capability modules:

• inventory
• identity
• vehicle_state
• battery
• charging
• service
• warranty
• software
• factory_options
• technical_specs

Each provider supports each capability at one of these levels:

• full
• partial
• unsupported
• premium

Example:

{
  "provider": "tesla",
  "capabilities": {
    "inventory": "full",
    "identity": "full",
    "vehicle_state": "partial",
    "battery": "full",
    "charging": "partial",
    "service": "partial",
    "warranty": "partial",
    "software": "full",
    "factory_options": "partial",
    "technical_specs": "premium"
  }
}

Canonical Data Acquisition Model

1. Acquisition Request

@dataclass
class VehicleAcquisitionRequest:
    session_id: str
    provider: str
    vehicle_id: str
    vin: str
    package: str
    lang: str
    requested_modules: list[str]

2. Module Result

@dataclass
class ModuleResult:
    module: str
    status: str
    source_auth: str | None
    http_status: int | None
    error_code: str | None
    error_detail: str | None
    raw_payload: dict | None

Allowed status values:

• success
• empty
• unsupported
• auth_failed
• transport_failed
• schema_failed
• not_requested

3. Canonical Vehicle Snapshot

@dataclass
class VehicleSnapshot:
    provider: str
    vin: str
    inventory: dict
    identity: dict
    vehicle_state: dict
    battery: dict
    charging: dict
    service: dict
    warranty: dict
    software: dict
    factory_options: dict
    technical_specs: dict
    module_status: dict[str, ModuleResult]

4. Acquisition Outcome

@dataclass
class VehicleAcquisitionOutcome:
    vin: str
    provider: str
    core_status: str
    reportability: str
    snapshot: VehicleSnapshot | None
    module_results: dict[str, ModuleResult]

Allowed core_status:

• complete
• partial
• failed

Allowed reportability:

• billable_complete
• billable_partial
• non_billable_failed

End-To-End Data Flow

The business-critical data flow must be:

Provider API payloads
        │
        ▼
Provider acquisition layer
        │
        ▼
ModuleResult set (raw provider outcomes)
        │
        ▼
Provider normalizer
        │
        ▼
Canonical VehicleSnapshot
        │
        ▼
Reportability decision
        │
        ▼
WUI response model / PDF view model / export view model

This means:

1. The provider acquisition layer fetches raw provider payloads.
2. Those payloads are wrapped in structured ModuleResult objects.
3. The provider normalizer converts successful payloads into one canonical internal VehicleSnapshot.
4. Reportability logic decides whether the vehicle is complete, partial, or failed.
5. The WUI and PDF layers render only from the canonical snapshot and module statuses.

Renderers must never inspect provider-specific endpoint wrappers directly.

Raw Provider Payload vs Canonical Snapshot

Raw Tesla Payload

This is provider data in Tesla's own shape.

Example:

{
  "response": {
    "vin": "LRW3E7EK1RC988948",
    "display_name": "JT3",
    "state": "online",
    "vehicle_config": {
      "car_type": "model3",
      "trim_badging": "long_range"
    },
    "charge_state": {
      "battery_level": 82,
      "usable_battery_level": 80,
      "battery_range": 248.6,
      "charge_limit_soc": 90,
      "charging_state": "Complete"
    },
    "vehicle_state": {
      "car_version": "2024.8.7",
      "sentry_mode": false,
      "valet_mode": true
    },
    "drive_state": {
      "latitude": 60.1708,
      "longitude": 24.9375
    }
  }
}

Problems with raw provider payloads:

• provider-specific field names
• inconsistent wrapper shapes (response, nested response, data, etc.)
• transport metadata mixed with business data
• not reusable across providers
• renderer layers become provider-aware if they consume this directly

Canonical Snapshot

This is the internal model the rest of the system should use.

Example:

{
  "provider": "tesla",
  "vin": "LRW3E7EK1RC988948",
  "inventory": {
    "vehicle_id": "149293992919",
    "state": "online"
  },
  "identity": {
    "display_name": "JT3",
    "make": "Tesla",
    "model": "Model 3",
    "trim": "Long Range"
  },
  "vehicle_state": {
    "software_version": "2024.8.7",
    "sentry_mode": false,
    "valet_mode": true,
    "location": {
      "latitude": 60.1708,
      "longitude": 24.9375,
      "status": "available"
    }
  },
  "battery": {
    "state_of_charge_pct": 82,
    "usable_state_of_charge_pct": 80,
    "rated_range_km": 400.1,
    "charge_limit_pct": 90,
    "charging_state": "complete"
  },
  "charging": {},
  "service": {},
  "warranty": {},
  "software": {},
  "factory_options": {},
  "technical_specs": {},
  "module_status": {
    "identity": {
      "module": "identity",
      "status": "success"
    },
    "vehicle_state": {
      "module": "vehicle_state",
      "status": "success"
    },
    "battery": {
      "module": "battery",
      "status": "success"
    }
  }
}

Benefits of the canonical snapshot:

• all renderers consume one stable shape
• provider quirks stay isolated in provider adapters
• partial data can be represented honestly
• multiple providers can map into the same domain model
• reportability becomes a domain decision instead of a side effect of raw fetch logic

Design Rule: Normalize Before Rendering

The sequence must always be:

fetch -> classify -> normalize -> assess -> render

Never:

fetch -> render directly -> patch missing fields in UI/PDF

That second pattern is what creates fragile provider-specific behavior and spreads business logic into presentation code.

Tesla Example Mapping

Example mapping from Tesla raw payload to canonical snapshot:

Tesla Raw Field	Canonical Snapshot Field
response.vin	vin
response.display_name	identity.display_name
response.vehicle_config.car_type	identity.model
response.vehicle_config.trim_badging	identity.trim
response.charge_state.battery_level	battery.state_of_charge_pct
response.charge_state.usable_battery_level	battery.usable_state_of_charge_pct
response.charge_state.battery_range	battery.rated_range_km
response.charge_state.charge_limit_soc	battery.charge_limit_pct
response.charge_state.charging_state	battery.charging_state
response.vehicle_state.car_version	vehicle_state.software_version
response.vehicle_state.sentry_mode	vehicle_state.sentry_mode
response.vehicle_state.valet_mode	vehicle_state.valet_mode
response.drive_state.latitude	vehicle_state.location.latitude
response.drive_state.longitude	vehicle_state.location.longitude

Missing Data Example

If Tesla returns vehicle_data but omits drive_state, the canonical snapshot must still be valid, but explicit:

{
  "vehicle_state": {
    "software_version": "2024.8.7",
    "location": {
      "latitude": null,
      "longitude": null,
      "status": "missing_in_payload"
    }
  },
  "module_status": {
    "vehicle_state": {
      "module": "vehicle_state",
      "status": "partial"
    }
  }
}

That is the difference between a professional acquisition model and an implicit "empty field" workaround.

Hard vs Soft Dependencies

Hard Dependencies

Hard dependencies determine whether a vehicle is reportable at all.

Current Tesla rule:

• vehicle_data is a hard dependency because it provides the minimum usable state/identity payload for one vehicle.

If a hard dependency fails:

• the vehicle outcome becomes failed
• the vehicle is not treated as a valid report
• the error must be explicit in API results

Soft Dependencies

Soft dependencies enrich the report but do not define basic reportability.

Current Tesla examples:

• charging_history
• service_data
• warranty
• release_notes
• options

If a soft dependency fails:

• the vehicle outcome becomes partial
• the module result records the failure reason
• the normalized snapshot includes an explicit unavailable state for that module

Premium / Separate-Auth Dependencies

These require special handling, pricing, or auth.

Current Tesla example:

• vehicle_specs

If a premium module fails because partner auth fails:

• the vehicle outcome is still partial
• the module result must say auth_failed
• the API must not silently omit the capability

drive_state Rule

drive_state is not a separate business capability.

It is a submodule inside vehicle_state.

Current Tesla rule:

• if vehicle_data is present but drive_state is missing, that is not the same as total vehicle_data failure
• vehicle_state becomes partial, not failed
• the normalized snapshot must explicitly record that drive_state was absent from the upstream payload

That avoids treating a partially-populated Tesla payload as either a fake success or a total vehicle failure.

Security Boundaries

Security must be built into the architecture.

Trust Zones

1. provider_auth
2. owns user/partner token exchange and refresh

3. no rendering/PDF code may access token material

4. provider_acquisition

5. fetches raw provider payloads
6. may access tokens only via auth service

7. logs only masked identifiers

8. normalization

9. converts raw provider payloads to canonical snapshot

10. strips/avoids non-essential sensitive fields

11. presentation

12. shapes API responses and PDFs
13. consumes canonical snapshot only
14. no direct token or raw auth context access

Sensitive Asset Rules

• tokens must never leave auth/session layers
• raw provider payload logging is disabled by default
• VINs are masked in operational logs unless a narrow debug mode is enabled
• PDF generation must work from normalized report data only
• runtime localization/assets must be packaged inside the deployable image

Session Isolation Rules

Cross-user data flow is a business-critical failure and must be treated as a severity-one security defect.

Required rules:

• every session lookup must be scoped by the exact session_id
• session ids must be high-entropy, unguessable bearer secrets
• no report, artifact, or vehicle payload may be returned without a matching session ownership check
• cached acquisition results must be keyed by provider + session + vehicle, never by VIN alone
• async tasks must carry session_id, provider, and vehicle scope and must reject mismatched status/result retrieval
• no in-memory process cache may be used for cross-request session state unless it is explicitly namespaced per session

Fraud and Cross-User Risk Model

The architecture must explicitly defend against:

1. Session guessing or leakage

2. if a user can guess or obtain another user's session_id, they may access reports, vehicles, or artifacts unless all retrieval flows treat the session id as a protected bearer secret and enforce TTL/rotation rules

3. Cross-session cache contamination

4. if report data is cached by VIN, payment id, or task id without session scoping, one user's Tesla data can appear in another user's report flow

5. Async artifact mix-ups

6. if PDF jobs or export jobs are not bound to the originating session, a completed artifact can be downloaded by the wrong user

7. Payment/report mismatches

8. if payment verification and report generation are joined only by loose ids, a paid session could accidentally unlock the wrong acquisition outcome

9. Debug/log leakage

10. if raw payloads, full VINs, or signed URLs are logged or surfaced in support tooling, business-sensitive vehicle data may leak outside the customer boundary

Session Lifetime Policy

Session length must be defined as part of the API contract, not left implicit.

Recommended target policy:

• OAuth acquisition session TTL is configuration-driven from API settings.
• The server session TTL is authoritative, and no session-scoped operation may outlive it.
• Paid report retrieval does not create a longer access window than the active server session.
• Async job status TTL is configuration-driven and must stay within the active server session policy.
• Signed artifact URL TTL is configuration-driven and must remain shorter than the active server session.
• partner token cache TTL: provider expiry minus safety margin, never longer than the upstream token allows

Session lifecycle rules:

• refresh session last_accessed_at only on user-owned retrieval actions
• do not extend session life from background polling alone without an explicit policy
• invalidate acquisition session on logout, reconnect, or provider auth failure that requires re-consent
• rotate artifact access to signed URLs instead of long-lived public links
• expired sessions must fail closed and require explicit resume/reconnect

Persistence and Retention Rules

• persist only the normalized report snapshot and module statuses by default
• raw provider payload retention must be opt-in, time-limited, and justified for debugging or compliance
• Redis/session storage entries must have explicit expiry
• generated PDFs and exports must be deletable independently of session records
• support tooling must not expose raw session payloads by default

Logging and Audit Rules

• log session id prefix, not full session ids, in routine operational logs
• log VIN suffix, not full VIN, unless a restricted debug path is enabled
• log module status and failure class, not raw upstream bodies
• audit report download, report regeneration, and artifact-signing events
• never log user or partner tokens

Target Package Structure

Inside one deployable API application:

app/
├── domain/
│   ├── acquisition.py
│   ├── capabilities.py
│   ├── reportability.py
│   └── snapshot.py
├── application/
│   ├── sessions/
│   ├── acquisition/
│   └── reporting/
├── providers/
│   ├── base/
│   │   ├── auth.py
│   │   ├── capabilities.py
│   │   ├── inventory.py
│   │   ├── acquisition.py
│   │   └── normalizer.py
│   └── tesla/
│       ├── auth.py
│       ├── inventory.py
│       ├── modules.py
│       ├── acquisition.py
│       └── normalizer.py
├── presentation/
│   ├── api/
│   └── pdf/
└── core/
    ├── security/
    ├── observability/
    └── resilience/

Responsibility Boundaries

Session Layer

Responsible for:

• order/session lifecycle
• selected vehicles/package
• status machine
• TTL and resume behavior

Not responsible for:

• direct provider endpoint logic
• normalization details
• PDF rendering

Provider Auth Layer

Responsible for:

• user OAuth token lifecycle
• partner token lifecycle
• token refresh policy
• token-scoped auth metadata

Not responsible for:

• report assembly
• WUI response shaping

Acquisition Layer

Responsible for:

• deciding which modules to request for a package
• bounded concurrency
• shared vs per-vehicle fetch planning
• module result classification

Not responsible for:

• presentation rules
• PDF generation

Normalization Layer

Responsible for:

• canonical field mapping
• empty vs missing vs unsupported semantics
• provider-specific schema adaptation

Not responsible for:

• live fetch calls
• session TTL logic

Reportability Layer

Responsible for:

• deciding complete / partial / failed
• deciding billable / non-billable status
• defining customer-visible degradation behavior

Presentation Layer

Responsible for:

• WUI API contracts
• PDF rendering contracts
• export artifacts

Must consume:

• canonical snapshots
• structured module statuses

Must not consume:

• raw provider fetch implementation details

API Response Contract Direction

The WUI should move from “a map of report blobs” to a per-vehicle acquisition result contract.

Target shape:

{
  "status": "complete",
  "vehicles": [
    {
      "vin": "LRW3E7EK1RC98****",
      "provider": "tesla",
      "core_status": "partial",
      "reportability": "billable_partial",
      "report": {},
      "modules": {
        "vehicle_state": {"status": "success"},
        "charging": {"status": "success"},
        "technical_specs": {"status": "auth_failed"}
      }
    }
  ]
}

This lets the WUI render:

• complete report
• partial report with explicit missing sections
• failed vehicle acquisition

without guessing from malformed report payloads.

Performance Rules

1. Shared datasets are fetched once per request when the provider contract allows it.
2. Per-vehicle modules are fetched concurrently with bounded parallelism.
3. Partner tokens are cached separately from user tokens.
4. Normalization happens once and feeds:
5. WUI response
6. PDF rendering
7. invoice/export generation
8. Renderers must never re-fetch provider data.

Observability Rules

For each vehicle acquisition, structured logs must include:

• provider
• session id prefix
• VIN suffix
• package
• requested modules
• module status per capability
• auth mode used
• final core_status
• final reportability

Raw payloads are excluded by default.

Definition of Working

The reporting core is considered working only when all of the following are true for one full end-to-end session:

1. A user can start OAuth and return with a valid session.
2. The session is bound to the correct vehicles and package only, and may trigger downstream fetches, photos, exports, PDFs, and artifacts only for that same vehicle/package scope.
3. Payment verification cannot unlock another user's session.
4. Report generation fetches provider data only for the selected vehicles in the owning session.
5. Each vehicle ends in an explicit complete, partial, or failed state.
6. The WUI can render the result without guessing whether a report object is actually an error.
7. PDF generation uses only normalized report data and returns artifacts only to the owning session.
8. Session expiry, reconnect, and artifact expiry all fail closed.

If any of these are false, the core is not yet production-grade.

Execution Path to Green

The shortest professional path from the current implementation to a stable system is:

Step 1 - Lock Session Safety First

• enforce session_id ownership checks on every report, export, and artifact retrieval path
• remove any cache keying by VIN alone
• ensure async tasks are bound to session_id + provider + vehicle scope
• implement and verify TTL/expiry behavior for sessions, task status, and signed artifact URLs

Step 2 - Stabilize Provider Auth

• isolate user OAuth exchange and refresh logic in provider auth services
• isolate partner token handling for premium modules
• make partner-auth failure explicit in logs and module results
• verify reconnect/re-consent behavior for expired or invalid provider auth

Step 3 - Stabilize Acquisition

• make each requested module return a structured result
• treat vehicle_data as the only hard gate for a usable vehicle report
• model missing drive_state as partial vehicle_state, not total failure
• model vehicle_specs as premium and explicit when auth or endpoint access fails

Step 4 - Normalize Before Rendering

• move provider-specific field mapping into normalization
• produce one canonical VehicleSnapshot
• make WUI, PDF, and exports consume normalized data only

Step 5 - Make Outcome Semantics Explicit

• return per-vehicle outcomes from the API
• separate core_status from reportability
• make the WUI render complete, partial, and failed states honestly

Step 6 - Prove It in Dev

• run one full real-provider dev session from OAuth through PDF download
• verify session isolation with multiple concurrent sessions
• verify partial-data behavior when optional modules fail
• verify expired-session behavior fails closed

Acceptance Criteria

The architecture refactor is not complete until these criteria pass:

Session and Security

• no report or artifact can be fetched with the wrong session_id
• session expiry deletes or invalidates access cleanly
• payment verification cannot mark the wrong session as paid
• logs do not contain raw tokens, full session ids, or raw provider payloads

Provider Data

• a vehicle with vehicle_data succeeds at least as partial
• a vehicle without vehicle_data fails deterministically
• missing drive_state is represented explicitly as partial data
• partner-token failure for vehicle_specs is represented explicitly

Rendering

• WUI can render complete, partial, and failed vehicles without special-case hacks
• PDF generation uses canonical normalized data only
• PDF localization works from packaged assets in deployed environments

Operations

• structured logs show module-level outcomes per vehicle
• one real dev end-to-end run is documented as passing
• one concurrent-session isolation test is documented as passing

Migration Plan

Phase 1 - Stabilize Current Tesla Flow

• fix current report-generation defects
• restore API/WUI contract alignment
• package runtime dependencies correctly
• make module failures explicit in logs and responses

Phase 2 - Extract Tesla Acquisition Internals

• split Tesla auth from Tesla fetch orchestration
• extract module fetchers
• extract normalization layer
• introduce canonical ModuleResult and VehicleSnapshot

Phase 3 - Change API Response Shape

• move from raw report map responses to per-vehicle acquisition outcomes
• update WUI to render complete/partial/failed states explicitly

Phase 4 - Provider Abstraction

• add provider registry and base interfaces
• wrap Tesla under provider boundary
• keep WUI/report contracts provider-agnostic

Phase 5 - Future Service Extraction (Only If Needed)

Potential future extraction candidates:

• PDF worker
• async acquisition worker
• admin/config service

These are optional and should happen only after internal boundaries are stable.

Decision

The project should proceed as a secure modular monolith with a provider-agnostic core and Tesla as the first provider implementation.

Do not jump to microservices yet. Do not continue adding Tesla/report fixes inside one oversized service.

The next architectural work must be organized around:

• explicit acquisition contracts
• explicit module statuses
• explicit reportability rules
• provider isolation
• security boundaries