Table of Contents
- Introduction
- Project Overview
- Recent Development Iterations
- Key Features & Improvements
- Challenges & Solutions
- Collaboration in Practice
- Mermaid Diagram: Secure Service Architecture
- Future Plans
- Conclusion
Introduction
Welcome to another behind-the-scenes look at the Scores project! In this post, Claude (the tool), Caroline (the AI coding assistant), and Stef Hock (the human developer) share how collaboration, creativity, and continuous improvement have shaped the latest development cycle. Our journey is guided by care, challenge, and a relentless drive to make Scores more secure, scalable, and innovative.
Project Overview
Scores is a modern event-sourced system for padel match scoring, analytics, and real-time insights. The project leverages microservices, strong security, and a focus on developer experience to deliver robust features for players, coaches, and fans.
Recent Development Iterations
The past few weeks have seen a flurry of activity, with major architectural upgrades and new features. Our focus: security, maintainability, and performance. Here’s a snapshot of what we tackled:
- Enabling mutual TLS (mTLS) for all internal service communication
- Introducing a robust OIDC provider with advanced token exchange
- Migrating analytical workloads to ClickHouse
- Streamlining Docker networking and service isolation
- Improving session key management and admin UI separation
Key Features & Improvements
1. Mutual TLS (mTLS) Enablement
We proposed and implemented mTLS across all internal services, ensuring that every service-to-service call is authenticated and encrypted. This move strengthens our zero-trust posture and protects sensitive data in transit.
- Why: To guarantee only trusted services communicate and to meet compliance needs.
- How: Each service now presents a certificate signed by a central CA. All traffic is encrypted, and service identity is enforced at the network layer.
2. OIDC Provider & Token Exchange
A new OIDC container, built with Node.js and node-oidc-provider, now handles authentication and advanced token exchange. We enforce mTLS for all internal API-to-OIDC traffic, and tokens are bound to the client certificate that requested them, so a token cannot be used from a connection that does not present that certificate.
- Why: To support secure, delegated access and fine-grained resource control.
- How: Certificate-bound tokens, resource indicators, and audience restrictions are now standard. All OIDC data is stored in Postgres for auditability.
3. ClickHouse Migration
We migrated analytical workloads from PostgreSQL to ClickHouse, separating OLTP and OLAP concerns. This resulted in faster queries, reduced load on transactional databases, and more flexible analytics.
- Why: To scale analytics independently and improve performance.
- How: ClickHouse now handles statistics and time-series queries, while PostgreSQL remains the source of truth for events and match state.
4. Docker Networking & Service Isolation
A new Docker Swarm networking architecture isolates internal services and exposes only Traefik as the public entry point. Overlay networks and strict port mapping reduce the attack surface and simplify multi-node deployments.
- Why: To enhance security and simplify scaling.
- How: Internal services communicate over private networks, with Traefik handling all external traffic.
5. Session Key Rotation & Admin UI Separation
Session key rotation was implemented for the UI, with keys stored securely as Docker secrets. The admin UI now uses its own session keys and authentication, improving security and maintainability.
- Why: To isolate admin access and support secure key rotation.
- How: Separate secrets and configuration for admin and user UIs, with automated key generation and mounting.
Challenges & Solutions
Certificate Management
Automating certificate issuance and rotation for mTLS was a challenge. We adopted a central CA and custom scripts to streamline the process, ensuring all services can renew certificates without downtime.
OIDC Integration
Integrating mTLS with OIDC and enforcing certificate-bound tokens required deep changes to both service configuration and authentication flows. We leveraged the flexibility of node-oidc-provider and custom hooks to enforce our security model.
Analytics Migration
Migrating to ClickHouse meant rethinking data flows and projections. We created new migration scripts, tested schema changes, and validated performance improvements with real-world queries.
Collaboration in Practice
Throughout these iterations, collaboration was key. Claude provided the automation and scripting muscle, Caroline offered architectural insights and code generation, and Stef orchestrated the process, ensuring every change aligned with our values.
- Care: Every security improvement was tested and documented.
- Challenge: We questioned assumptions and pushed for better solutions.
- Collaboration: Daily standups and async reviews kept everyone aligned.
- Creativity: New approaches to token exchange and analytics emerged from open brainstorming.
- Continuous Improvement: Each iteration built on the last, with lessons learned feeding into future plans.
Mermaid Diagram: Secure Service Architecture
```mermaid
graph TD
  subgraph Internal Network
    API[API Service]
    OIDC[OIDC Provider]
    UI[User Interface]
    Admin[Admin UI]
    ClickHouse[ClickHouse]
    Postgres[PostgreSQL]
  end
  Traefik(Traefik Proxy)
  Internet(Internet)
  Internet-->|HTTPS|Traefik
  Traefik-->|mTLS|API
  Traefik-->|mTLS|UI
  Traefik-->|mTLS|Admin
  API-->|mTLS|OIDC
  API-->|mTLS|ClickHouse
  API-->|mTLS|Postgres
  OIDC-->|mTLS|Postgres
  UI-->|mTLS|OIDC
  Admin-->|mTLS|OIDC
```
Future Plans
Looking ahead, we plan to:
- Automate certificate rotation with cert-manager
- Expand analytics with more real-time insights
- Further isolate sensitive services
- Enhance developer onboarding and documentation
Conclusion
This cycle was a testament to the power of care, challenge, collaboration, creativity, and continuous improvement. With Claude, Caroline, and Stef working together, Scores continues to set new standards for secure, scalable, and innovative software.
Want to see more? Stay tuned for our next update, where we’ll dive deeper into the next wave of improvements!