# Runtime and Components

The diagram below focuses on the deployed `galaxy/gateway` process and its
runtime dependencies.

```mermaid
flowchart LR
    subgraph Clients
        Public["Public REST clients"]
        Authd["Authenticated gRPC clients"]
    end

    subgraph Gateway["Edge Gateway process"]
        PublicHTTP["Public HTTP listener\n/healthz /readyz /api/v1/public/auth/*"]
        AuthGRPC["Authenticated gRPC listener\nExecuteCommand / SubscribeEvents"]
        AdminHTTP["Optional admin HTTP listener\n/metrics"]
        SessionSnap["In-memory session snapshot cache"]
        Replay["Replay reservation client"]
        PushHub["PushHub"]
        SessSub["Session event subscriber"]
        ClientSub["Client event subscriber"]
        Telemetry["Logs, traces, metrics"]
    end

    Public --> PublicHTTP
    Authd --> AuthGRPC
    AuthGRPC --> SessionSnap
    AuthGRPC --> Replay
    AuthGRPC --> PushHub
    SessSub --> SessionSnap
    SessSub --> PushHub
    ClientSub --> PushHub
    PublicHTTP --> Telemetry
    AuthGRPC --> Telemetry
    AdminHTTP --> Telemetry

    Redis["Redis\nsession records + replay keys + streams"]
    AuthSvc["Auth / Session Service"]
    Downstream["Downstream business services"]
    Metrics["Prometheus / OTLP collectors"]

    PublicHTTP -. public auth adapter .-> AuthSvc
    SessionSnap --> Redis
    Replay --> Redis
    SessSub --> Redis
    ClientSub --> Redis
    AuthGRPC --> Downstream
    Telemetry --> Metrics
```

Notes:

- `cmd/gateway` refuses startup when Redis connectivity or the response signer
  is misconfigured.
- The admin listener is optional and serves only Prometheus text metrics.
- Public auth routing stays available without an upstream adapter, but returns
  `503 service_unavailable`.
- The default runtime reserves direct `user.*` authenticated self-service
  routes. When `GATEWAY_USER_SERVICE_BASE_URL` is unset those routes stay
  mounted but fail closed as dependency-unavailable instead of returning a
  route miss.