
Bucketed Pattern: a primitive for managed code lists — address types, classification labels, status enums. One library + one table + one generic UI admin replaces a per-entity service per code list. Add a bucket name, you're done.
Two modules became one. nucleus-address-common merged into nucleus-address. AddressType moved to a reference-data bucket; admins manage 27 values via the generic UI without code changes.
Three services collapsed into one. nucleus-mail-renderer + nucleus-mail-sender are gone — folded into nucleus-mail. Internal Kafka stages remain for retry isolation; one deployable, one ops surface.
OAuth2/OIDC server with JWT rotating keys, role-based access control, and login audit trail. Drop-in security for any service.
One annotation on any method logs who did what, when. SpEL expressions for dynamic descriptions. Kafka-published for real-time dashboards.
One @NucleusListener + @NucleusPublish across 13 backends — Kafka, RabbitMQ, SQS, SNS, Kinesis, Google Pub/Sub, Azure Service Bus, ActiveMQ, Artemis, Solace, IBM MQ. Zero-boilerplate consume and publish.
Provider-agnostic LLM client. OpenAI and Anthropic out of the box, multimodal support, retry and error classification built in. Add a new provider in three beans.
Model async multi-step flows with @WorkflowStep on Kafka. Each step scales independently. Three clear outcomes per step: handled, delegate, abort.
Kafka-push health snapshots, remote log/GC/thread streaming, scheduled logging windows, per-instance control (restart, shutdown), MinIO archival, fleet-scale tree UI with Log Explorer. Per-service configurable via PROPERTIES.
Time-based logging windows with timezone-aware scheduling. One-time, daily, weekday, or weekend recurrence. Level filtering, persistent mode, overnight windows, and auto-deactivation — all server-side, no admin online required.
Server-Sent Events with role-based delivery. Live dashboards, job progress, notifications — all through one SSE channel with high-priority control lane and message expiration.
AES/GCM per-client encryption for sensitive fields. Users lock/unlock data from the UI. Encrypted at rest, decrypted only in-memory. Hash-based batch matching, obfuscation rule audit trail, cross-service key management.
Automatic sanitization of sensitive data in logs. Four masking strategies (partial, full, hash, none), YAML-configured per service, field-level @Pii annotations, zero-config @CustomLog integration.
Every request carries a browser-generated session ID through all services via MDC. Users share it from the Support dialog — support traces the entire session across microservices in seconds.