Technical reference

Built on the JVM. Plugs into your stack.

Java 21 · Spring Boot 3.5 · pluggable message broker · JPA over any RDBMS · OpenAPI 3.0 contract per service · 17 production modules with Maven coordinates and code samples.

Java 21 LTS | Spring Boot 3.5 | Spring Cloud | Reactive WebFlux | OAuth2 / OIDC | JWT (rotating keys) | JPA / Hibernate 6 | OpenAPI 3.0 | Kafka | RabbitMQ | Solace | Chronicle Queue | SQS · SNS · Kinesis | Google Pub/Sub | Azure Service Bus | ActiveMQ · Artemis | IBM MQ | Chronicle Map | MinIO / S3 | Server-Sent Events | Angular 19 | Thymeleaf | Spock · Groovy | OpenAI · Anthropic | Docker · Compose | Apache · NGINX

17 production modules | 866+ Spock test specs | 12 message brokers supported | 3 live SaaS products

Compatibility matrix

Tested combinations. Anything marked roadmap is on the work plan but not yet shipped.

Component | Supported | Notes
JVM | Java 17, 21 LTS | 21 is the development default. Does not require --enable-preview; no preview features are used.
Spring Boot | 3.5.x | 3.4.x supported on a per-module basis. Spring Cloud BOM 2025.0.0.
Database (JPA) | MySQL · PostgreSQL · Oracle · SQL Server · MariaDB · H2 | Schema migrations are vendor-neutral (Flyway). Tested with 8.x / 16.x / 19c / 2022 respectively.
Message broker | Kafka · RabbitMQ · ActiveMQ · Artemis · Solace · IBM MQ | One @NucleusListener across all of them. Driver per broker; same code path.
Cloud messaging | SQS · SNS · Kinesis · Google Pub/Sub · Azure Service Bus | Add the cloud SDK; the connector adapter does the rest.
Low-latency queue | Chronicle Queue | Off-heap, sub-microsecond. Same @NucleusListener contract.
Identity | Built-in OAuth2/OIDC server | Federation with Keycloak, Auth0, Okta on the roadmap.
Object storage | MinIO · S3 · S3-compatible | Audit cold-storage rollup, log archive, file uploads.
UI framework | Angular 19+ | Generated TypeScript clients per service via OpenAPI 3.0. React/Vue clients on the roadmap.
LLM providers | OpenAI · Anthropic | Provider-agnostic interface. Add a new provider in 3 beans.
Observability | Built-in (control plane) | Optional sidecar export to Prometheus / OpenTelemetry on the roadmap.
Container runtime | Docker · Compose · Podman | Kubernetes Helm chart on the roadmap.

17 production modules

Each module ships independently with its own Maven coordinate, OpenAPI contract, and Spock specs. Adopt one or all.

nucleus-core
Base components, JWT primitives, AI framework, workflow engine. Required by every other module.
com.nucleus:nucleus-core:0.0.1
nucleus-authentication
OAuth2/OIDC server with rotating JWT keys, account lockout, password expiry, forgot-password flow.
com.nucleus:nucleus-authentication:0.0.1
nucleus-audit
Declarative audit trail. @AuditAction on any method logs who/what/when. SpEL for dynamic descriptions.
com.nucleus:nucleus-audit:0.0.1
nucleus-connectors
@NucleusListener + @NucleusPublish across 12 brokers. Zero-boilerplate consume / publish.
com.nucleus:nucleus-connectors:0.0.1
nucleus-connectors-admin
Runtime connector provisioning via REST + UI. Add a new topic/queue without redeploying.
com.nucleus:nucleus-connectors-admin:0.0.1
nucleus-monitoring
Health pipeline, log/GC/thread persistence, MinIO archival, fleet registry, time-synchronized session replay.
com.nucleus:nucleus-monitoring:0.0.1
nucleus-monitoring-client
Self-registration, remote logging, thread dumps, GC events, async appender for log capture.
com.nucleus:nucleus-monitoring-client:0.0.1
nucleus-ui-message-broker
SSE delivery with role-based filtering. Live dashboards, job progress, notifications — one channel.
com.nucleus:nucleus-ui-message-broker:0.0.1
nucleus-mail CONSOLIDATED
Kafka-staged email pipeline: render → send. Per-tenant sender resolution. SMTP/Zoho/Gmail/SES.
com.nucleus:nucleus-mail:0.0.1
nucleus-storage
MinIO/S3 file storage. Per-tenant buckets, presigned URLs, lifecycle rules.
com.nucleus:nucleus-storage:0.0.1
nucleus-execution-events
Async job framework with @WorkflowStep. Each step scales independently. Three outcomes per step.
com.nucleus:nucleus-execution-events:0.0.1
nucleus-config
Spring Cloud Config Server with JDBC backend. PROPERTIES table per tenant.
com.nucleus:nucleus-config:0.0.1
nucleus-user
User management, roles, authorities, profile, preferences. Multi-tenant by default.
com.nucleus:nucleus-user:0.0.1
nucleus-address
Google Maps validation, reusable Address @Embeddable, address-type bucket via reference-data.
com.nucleus:nucleus-address:0.0.1
nucleus-contact-info
Per-owner contact @Embeddable: phones, emails, preferred channels.
com.nucleus:nucleus-contact-info:0.0.1
nucleus-reference-data NEW
Bucketed Pattern A primitive for managed code lists. One library, one table, one generic UI.
com.nucleus:nucleus-reference-data:0.0.1
nucleus-security-gateway NEW
Reactive WebFlux reverse-proxy + Chronicle-Map blacklist + marker-token signer. Single edge.
com.nucleus:nucleus-security-gateway:0.0.1
nucleus-gateway-client NEW
@EnableGatewaySecurity activator. Auto-registration + marker-token verification filter.
com.nucleus:nucleus-gateway-client:0.0.1

Integration matrix

What plugs into Nucleus on day one. Roadmap items are on the work plan but not yet shipped.

Databases (JPA)

  • MySQL 8.x
  • PostgreSQL 14+
  • Oracle 19c, 21c
  • SQL Server 2019, 2022
  • MariaDB 10.x
  • H2 (dev / tests)

Messaging

  • Apache Kafka
  • RabbitMQ (AMQP 0-9-1)
  • Solace
  • Chronicle Queue
  • ActiveMQ Classic / Artemis
  • IBM MQ
  • AWS SQS · SNS · Kinesis
  • Google Pub/Sub
  • Azure Service Bus

Identity & SSO

  • Built-in OAuth2 / OIDC server
  • JWT with rotating keys
  • Marker-token (HMAC) gateway↔backend
  • Admin-managed roles, authorities & route rules
  • OAuth client registration & secret rotation
  • LDAP / AD federation (NUC-149)
  • SAML 2.0 SSO (NUC-150)
  • Keycloak / Auth0 / Okta federation (NUC-151)

Storage & Files

  • MinIO
  • AWS S3
  • S3-compatible (Backblaze B2, Wasabi, R2)
  • Local filesystem (dev)
  • Azure Blob (roadmap)
  • Google Cloud Storage (roadmap)

AI providers

  • OpenAI (GPT-4, GPT-5, embeddings)
  • Anthropic (Claude Opus, Sonnet, Haiku)
  • Multimodal: text + images + PDFs
  • Google Gemini (roadmap)
  • AWS Bedrock (roadmap)
  • Local Ollama (roadmap)

Email delivery

  • SMTP (any provider)
  • Zoho Mail
  • Gmail relay
  • Per-tenant sender resolution
  • AWS SES native (roadmap)
  • SendGrid native (roadmap)

UI clients

  • Angular 19+ (generated TS clients)
  • Server-Sent Events for real-time
  • OpenAPI 3.0 contract per service
  • React generator (roadmap)
  • Vue generator (roadmap)
  • Python client SDK (roadmap)

Observability

  • Built-in control plane (Nucleus monitoring)
  • Gateway→service→method latency tracing (p50/p95/p99)
  • @NucleusTracker always-on method timing
  • Time-synchronized session replay
  • Live thread / GC / log streaming
  • MinIO cold-storage rollup
  • OpenTelemetry export (roadmap)
  • Prometheus metrics endpoint (roadmap)

Deployment

  • Docker · Compose · Podman
  • Apache / NGINX reverse proxy
  • Let's Encrypt TLS automation
  • Docker secrets for credentials
  • Helm chart (roadmap)
  • Operator pattern for K8s (roadmap)

Four annotations. One framework.

90% of what you'll write touches one of these. The rest is your business logic.

@AuditAction: declarative audit trail

@AuditAction(
    action = "USER_PROFILE_UPDATED",
    description = "#{#user.email} updated by #{#actor}",
    payload = "#{#user}"
)
public User updateProfile(User user, String actor) {
    // your business logic — audit happens AFTER_COMMIT
    return userRepository.save(user);
}

@NucleusListener: broker-agnostic consume

@NucleusListener(
    topic = "nucleus.payment.completed",
    group = "loyalty-points"
)
public void awardLoyaltyPoints(PaymentEvent event) {
    // runs whether broker is Kafka, Solace,
    // RabbitMQ, SQS, or Chronicle Queue
    pointsService.award(event.userId(), event.amount());
}

@WorkflowStep: async multi-step workflows

@WorkflowStep(name = "VALIDATE_INVOICE")
public StepResult validate(Invoice inv) {
    if (inv.amount().isNegative()) {
        return StepResult.abort("NEGATIVE_AMOUNT");
    }
    if (inv.requiresApproval()) {
        return StepResult.delegate("APPROVAL");
    }
    return StepResult.handled(inv);
}

@EnableGatewaySecurity: join the security fabric

@SpringBootApplication
@EnableGatewaySecurity   // that's it
public class PaymentsServiceApp {
    public static void main(String[] args) {
        SpringApplication.run(PaymentsServiceApp.class, args);
    }
}
// service self-registers with the gateway,
// rejects any traffic missing the marker token
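
How an HMAC marker token between gateway and backend, as described above, can be signed and verified. This is an added example, not Nucleus code: the token layout, the 30-second freshness window and all class and method names are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration: the layout "<issuedAt>.<base64url(HMAC-SHA256)>" is an
// assumption, not the Nucleus wire format.
public class MarkerTokenDemo {
    static final long MAX_SKEW_SECONDS = 30;   // assumed freshness window

    // The MAC covers method, path and timestamp, so a token is bound to one route.
    static byte[] mac(byte[] key, String method, String path, long issuedAt) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hmac.doFinal((method + "\n" + path + "\n" + issuedAt).getBytes(StandardCharsets.UTF_8));
    }

    // Gateway side: the value attached to the proxied request.
    static String sign(byte[] key, String method, String path, long issuedAt) throws Exception {
        return issuedAt + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(key, method, path, issuedAt));
    }

    // Backend side: fail closed on a missing, malformed, stale or mismatching token.
    static boolean verify(byte[] key, String token, String method, String path, long now) {
        if (token == null) return false;
        int dot = token.indexOf('.');
        if (dot <= 0) return false;
        try {
            long issuedAt = Long.parseLong(token.substring(0, dot));
            if (issuedAt > now + MAX_SKEW_SECONDS || issuedAt < now - MAX_SKEW_SECONDS) return false;
            byte[] presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
            // MessageDigest.isEqual compares in constant time, unlike Arrays.equals.
            return MessageDigest.isEqual(mac(key, method, path, issuedAt), presented);
        } catch (Exception e) {   // bad number, bad Base64 or crypto failure: reject
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key-not-a-real-secret".getBytes(StandardCharsets.UTF_8);
        long now = 1_700_000_000L;   // constructed timestamp, epoch seconds
        String token = sign(key, "POST", "/payments", now);
        System.out.println(verify(key, token, "POST", "/payments", now + 5));    // same route, fresh
        System.out.println(verify(key, token, "POST", "/refunds", now + 5));     // token reused on another route
        System.out.println(verify(key, token, "POST", "/payments", now + 120));  // older than the window
        System.out.println(verify(key, null, "POST", "/payments", now));         // no token at all
    }
}
```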
