Architecture · technical detail

How it's actually built.

The operating model describes the principles. This page is the technical detail — where code runs, how state is stored, what isolates one workflow from another.

Topology · where code runs

Deployment options

Same system, three deployment shapes. Pick the one that matches your data residency, latency, and trust model.

Mac Mini / NUC

On-prem node

A physical execution node on your network. Best for workflows touching local files, internal-only systems, or strict residency rules.

  • No cloud egress
  • Boots on power-on
  • Local secrets vault

Your VPC

Private cloud worker

A long-running worker inside your AWS / GCP / Azure account. Same code as on-prem, scaled horizontally, behind your firewall.

  • Your IAM
  • VPC peering
  • Auto-scale on queue depth

Workers / Lambda

Edge function

Stateless edge entrypoints for webhooks, schedulers, and public APIs. Hands off to a worker for anything stateful.

  • Sub-100ms cold start
  • Signed webhook ingress
  • No persistent state

Runtime · system components

Inside a running system

Six components, each replaceable, each observable, each owned by you.

Control plane

Orchestrator

Routes tasks between agents, holds task state, emits telemetry. Stateless per task; persistent state lives in the store.

Postgres + outbox

State store

Task state, agent decisions, approvals, audit. Outbox pattern guarantees every emitted event is durably recorded before it ships.

Per-integration

Secrets vault

Credentials scoped to one integration and one workflow. Rotated on schedule, never logged, never crossed between tenants.

Observability

Telemetry bus

Structured events for every step. Streams to your dashboards (Grafana / Datadog / native) and to the operator console.

Permissions

Policy engine

Versioned policy that decides what each agent can do without asking, and what always requires a human approval.

Recovery

Replay engine

Every task is replayable from its audit log. Failed runs resume from the last durable step, not from zero.

Lifecycle · one task, end to end

A request through the system

trace T-1041 · durable · task.execute

started 14:02:11.043 · region eu-west · attempt 1/3

OK · 312ms · 5 hops

hop             component      latency   result
ingress         webhook          12ms    HMAC verified
policy.eval     guardrails        8ms    2 rules · pass
orchestrator    state.store      21ms    checkpoint #4
agent.dispatch  secrets.lease   184ms    1 tool call
tool.call       audit.log        87ms    200 OK

timeline · 0ms ───────────────────────── 312ms total (hops run in the order listed)

If any step fails, the task resumes from the last replay.checkpoint — never from zero, never with stale state. Secrets are single-use leases; the audit log is append-only.

Security · isolation model

Threat model & boundaries

We assume agents will misbehave — they're probabilistic systems. The architecture contains the blast radius.

Isolation boundaries

Each workflow runs in its own process with its own secrets scope. A compromised agent in workflow A cannot read workflow B's credentials, memory, or state.

Audit-first writes

Every external write is preceded by an audit log entry. If the log fails, the write fails. There is no quiet action.
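The audit-first rule above, combined with the outbox pattern from the state-store component, as an added example that is not the product's own code: sqlite3 stands in for the Postgres + outbox store, and the schema, function names and the "stripe.refund" action are constructed for illustration.

```python
import json
import sqlite3
import time

# Constructed example, not the product's code: sqlite3 stands in for the
# page's "Postgres + outbox" store; table and function names are assumptions.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, task_id TEXT NOT NULL, action TEXT NOT NULL,
    payload TEXT NOT NULL, ts REAL NOT NULL);
CREATE TABLE outbox (
    id INTEGER PRIMARY KEY, audit_id INTEGER NOT NULL REFERENCES audit_log(id),
    shipped INTEGER NOT NULL DEFAULT 0);
"""

class AuditFailed(RuntimeError):
    """Raised when the audit entry could not be committed; no write happens."""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def audited_write(conn, task_id, action, payload, perform):
    """Commit the audit row and its outbox event first, then call `perform`.

    If the commit fails, `perform` never runs: the write fails with the log.
    """
    try:
        with conn:  # one transaction: commit on success, rollback on error
            cur = conn.execute(
                "INSERT INTO audit_log (task_id, action, payload, ts) VALUES (?, ?, ?, ?)",
                (task_id, action, json.dumps(payload), time.time()))
            conn.execute("INSERT INTO outbox (audit_id) VALUES (?)", (cur.lastrowid,))
    except sqlite3.Error as exc:
        raise AuditFailed(str(exc)) from exc
    return cur.lastrowid, perform(action, payload)

def ship_outbox(conn, publish):
    """Relay unshipped outbox events to the bus; returns how many were shipped."""
    rows = conn.execute(
        "SELECT o.id, a.action, a.payload FROM outbox o "
        "JOIN audit_log a ON a.id = o.audit_id WHERE o.shipped = 0 ORDER BY o.id").fetchall()
    for outbox_id, action, payload in rows:
        publish(action, json.loads(payload))  # publish first, then mark durable
        with conn:
            conn.execute("UPDATE outbox SET shipped = 1 WHERE id = ?", (outbox_id,))
    return len(rows)
```

A failing audit insert (here, a NULL task id tripping the NOT NULL constraint) raises AuditFailed before the external call is attempted, so the side effect never happens.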

Approval gates

Destructive actions, financial moves, and customer-facing outputs are routed through human approval queues. The policy decides which class each action falls into.

Zero-trust secrets

Agents never see raw credentials. They request a scoped, short-lived token from the vault, used for one call, then discarded.

Stack · what we build on

Compatibility matrix

Boring, proven, swappable. Nothing exotic in the critical path.

Runtime         Node 20, Deno, Python 3.12
State           Postgres 15+, pgvector, Redis
Agents          Claude, GPT, local Llama via Ollama
Integrations    Slack, GitHub, Stripe, browser, custom HTTP/OAuth
Observability   OpenTelemetry, Grafana, Datadog, native console
Deploy          Docker, Fly.io, Cloudflare Workers, bare metal

Want the deep dive?

We share the full reference architecture, threat model, and infra diagrams under NDA on the first call.

Request the technical brief