Proofpane — Architecture Map

A multi-tenant AI governance + multi-agent orchestration platform with compliance-by-construction: every AI call passes a policy gate, lands in a hash-chained audit log, and exports as a signed Evidence Pack. Ships in four deployment shapes (cloud-only · cloud+tray · cloud+daemon · local-MCP) — see below.

Deployment shapes

One codebase, four deployment topologies. Each mode is real today — the daemon binary, the tray app, and the cloud are all one repo.

Mode 1

Cloud-only (SaaS)

Web user, no install
Browser → Cloud (FastAPI + SQLite + Qdrant)

All execution server-side. Tool runtime = LocalToolRuntime in the cloud process. Fastest path to demo.

Mode 2

Cloud + Tauri Tray

Web user + native HITL approvals
Browser → Cloud → Tauri Tray (SSE+REST, OS keyring JWT)

Tray pops native HITL approval dialogs when cp.tool.hitl fires; auto-approve gate uses precedent engine. Cross-instance reconcile via cp.hitl.resolve.

Mode 3

Cloud + Paired Daemon

Power user with local files / tools
Browser → Cloud → Daemon `run` (WebSocket reverse RPC)

Cloud → user machine: 7 local tools (read/write/edit/bash/glob/grep/list) routed via RemoteToolRuntime. Pairing code → device token bound to caller's org.

Mode 4

Local-first MCP (no cloud)

Claude Desktop / Cursor / Continue
MCP host → Daemon `mcp` (stdio MCP server)

Same daemon binary, mcp role. Tools exposed as MCP. No governance overlay in this mode — pure tool execution. Set CP_VENDOR=claude_desktop / codex_desktop for vendor tagging.

Request lifecycle

One LLM call traverses all 7 gates. Failure at any gate is itself audited.

  1. Request: User / workflow / MCP client
  2. Auth + Tenant: JWT → org_id binding
  3. Policy gate: runtime_policy + DLP
  4. Budget gate: per-org USD cap
  5. LLM call: 5 providers + composed Capsule
  6. Audit + Cost: hash-chained · token rollup
  7. Evidence Pack: Ed25519-signed export

Manage — governance objects

AI Use Cases

Per-org case intake + RAG
  • AI-governance-shaped intake form (post-cleanup)
  • Filesystem store: data/projects/{org_id}/{case_id}/
  • Qdrant per-case collections · hybrid (BM25 + vector) search
  • Workflow runs link back to a case for traceability

Workflows & Skills

24 skills · 8 categories · visual builder
  • Intake · risk · vendor · policy · monitoring · audit · training · external
  • React Flow canvas · drag-drop palette
  • AI Builder chat: proposes / edits the canvas
  • Node types: skill · trigger · multi-agent · mcp_call
  • Per-run HITL checkpoints with approval drawer
  • is_template=1 = global catalog; everything else per-org

MCP Setup

Plug Claude/Cursor/etc into governance
  • Daemon pair: short code → device token bound to org
  • Org-scoped MCP server registry · stdio + http transports
  • Publish lifecycle: draft → published → deprecated
  • Members only see published; admin curates

MCP Activity

At-a-glance daemon trace
  • Vendor-tagged ingestion (Claude Desktop · Codex Desktop)
  • Cross-boundary block / HITL / allow rates · DLP masking events
  • Per-agent policy scopes — code_agent vs hr_agent isolation
  • Servers callable from workflows + skills

Watch — visibility dashboards

Mission Control (Audit)

Tamper-evident decision log
  • Hash-chained audit_log (SHA-256, org_id in hash)
  • 50+ event types: skill · workflow · MCP · multi-agent · tray · cp.*
  • Mission Control: agents · terminal pool · HITL queue · precedent engine
  • Live SSE event stream + CSV export bracketed by filters
  • Evidence Pack: Ed25519-signed zip + offline verifier

Cost & Budget

Spend gate + anomaly + forecast
  • Per-org monthly USD cap · refusal is itself audited
  • Anomaly flag: call > Nx recent average
  • Month-end forecast (linear / rolling7d / worst_case + 10%)
  • Live LiteLLM pricing fallback for unknown models (D33)
  • Dashboard: KPIs · 30-day sparkline · top spenders

Quality Stack

Hallucination + drift signals
  • L3 closed-set membership against 259-control truth set
  • L4 LLM-as-judge with grounding dimension
  • L5 drift alerts: pass-rate + hallucination rate, suppressed independently
  • Workflow eval suites (DAG node-output / trace-path / step-budget)
  • Quality sampling daemon · hallucination triage queue

Agent Runs (unified)

Tree-view across 4 agent kinds
  • Workflow / Remediation / Multi-agent / Cross-vendor — one tree-view
  • parent_run_id nests sub-agents (doc 16 contract)
  • Live tree via SSE · pop-out window for side-by-side
  • Index: 24h / 7d / 30d filter · kind chip · descendant rollup
  • audit_log IS the state machine — view is pure projection

Cross-vendor Eval

Same case, N providers, judged
  • Pairwise diff on decision fields + schema
  • Severity grades {info, warning, critical}
  • Optional independent judge for semantic equivalence on non-critical pairs
  • Live 4-level tree: suite → case → provider → judge (doc 16)

Lab — self-evolution experiments

Self-Evolution (Dreams)

Gene · Capsule · approval loop
  • Gene library (proposed / approved / deprecated · 400-char cap)
  • Capsules: frozen composed prompts · exactly-one-active per (org, skill)
  • Dream loop: audit signals → Gene proposals (HITL gate, never auto-approve)
  • Sandbox replay (K samples) before approve
  • Auto-deprecate: approved Genes never picked > stale_after_days
  • META loop: code-agent's own system prompt is itself a Capsule

Parallel Universe

Exogenous dreamer · 5 sources
  • 5 sources: anthropic-sdk-python · openai-python · arxiv cs.AI · GitHub Search · Hacker News
  • Sonnet triager scores relevance · proposes Gene or code-agent
  • Per-org budget meter · scheduled loop · stale auto-sweep
  • Promote → HITL-gated downstream (Gene proposal / code-agent session)

Repo Coder — Mode A

Dual role: tool + self-improvement executor
  • Role 1 — general LLM coder: any goal, edits existing repo via git worktree
  • Role 2 — self-improvement executor: Parallel Universe promotes here for code changes
  • Disposable branch · active-cap 10 · 60s command timeout
  • LLM tool loop: read / write / run / done
  • Iter + token budgets (default 20 iter / 200k tokens)
  • HITL gate: promote creates session, operator manually clicks Run loop
  • META loop: own system prompt is itself a Gene-evolved Capsule
  • Internal module + route still named code_agent — only the UI label changed

Greenfield — Mode B

Docker sandbox · new project
  • Docker container · --network=none · isolated artifact build
  • On Approve: tarball download · on Discard: container teardown
  • Same AgentRunView tree-view as Repo Coder
  • Mode A vs Mode B chosen by goal shape (edit existing vs greenfield)

Admin — identity & access

Identity & Tenancy

Who's allowed to do what
  • JWT auth · register / login
  • Magic-link invitations (SMTP-delivered)
  • Roles: owner / admin / member · destructive ops admin+
  • Org switcher in account drawer
  • Every resource scoped by org_id (SQL + filesystem)
  • Cross-org tampering detected via hash chain
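How a SHA-256 chain with org_id inside the hashed body (the audit_log bullet under Mission Control) detects the cross-org tampering named above, as an added example that is not Proofpane's own code. The row layout, the GENESIS value, the canonical JSON encoding and the event names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row of each org's chain

def entry_hash(prev_hash, org_id, seq, event_type, payload):
    # org_id is inside the hashed body, so a row cannot be relabelled to another org
    body = json.dumps({"org_id": org_id, "seq": seq, "event_type": event_type,
                       "payload": payload}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode("utf-8")).hexdigest()

def append(log, org_id, event_type, payload):
    prev = log[-1]["hash"] if log else GENESIS
    row = {"org_id": org_id, "seq": len(log), "event_type": event_type,
           "payload": payload, "prev_hash": prev}
    row["hash"] = entry_hash(prev, org_id, row["seq"], event_type, payload)
    log.append(row)
    return row

def verify(log, expected_org_id):
    """Walk one org's chain; return (ok, index of first bad row, reason)."""
    prev = GENESIS
    for i, row in enumerate(log):
        if row["org_id"] != expected_org_id:
            return (False, i, "org_mismatch")
        if row["seq"] != i:
            return (False, i, "seq_gap")
        if row["prev_hash"] != prev:
            return (False, i, "broken_link")
        if entry_hash(prev, row["org_id"], row["seq"], row["event_type"],
                      row["payload"]) != row["hash"]:
            return (False, i, "hash_mismatch")
        prev = row["hash"]
    return (True, None, "ok")

def demo():
    # Constructed sample events; the event names are placeholders, not the platform's.
    org_a, org_b = [], []
    for ev, data in [("policy.allow", {"skill": "intake"}),
                     ("budget.refuse", {"usd": 12.5}), ("hitl.approve", {"by": "admin"})]:
        append(org_a, "org_a", ev, data)
    for ev, data in [("policy.allow", {"skill": "vendor"}), ("policy.block", {"skill": "vendor"})]:
        append(org_b, "org_b", ev, data)
    spliced = [dict(r) for r in org_a]  # org_b row relabelled and linked into org_a
    spliced[1] = dict(org_b[1], org_id="org_a", prev_hash=org_a[0]["hash"])
    edited = [dict(r) for r in org_a]   # payload changed in place
    edited[1]["payload"] = {"usd": 0.5}
    deleted = [org_a[0], org_a[2]]      # row removed from the middle
    return {"clean": verify(org_a, "org_a"), "spliced": verify(spliced, "org_a"),
            "edited": verify(edited, "org_a"), "deleted": verify(deleted, "org_a")}
```

A chain like this only proves integrity relative to a head hash the editor cannot rewrite, so the latest hash needs to be anchored outside the table, for example in a signed export.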

Foundation — stack & integrations

Compliance Frameworks

59 controls (truth-set: 259 IDs)
  • NIST AI RMF · ISO 42001 · EU AI Act · GDPR · SOC 2 TSC
  • Skill ↔ control mapping out of the box
  • Per-org overrides (add / remove / approve)
  • Closed-set ID truth-set drives hallucination guard (doc 15)

Multi-Agent Primitives

Consensus + adversarial review
  • consensus(N agents, method=vote | entropy)
  • adversarial_review: drafter → critic → reviser rounds
  • REST endpoints AND workflow node types
  • Semantic-entropy escalation for HITL routing
  • Sub-agents emit own audit tree via parent_run_id

Cloud Runtime

FastAPI · SQLite WAL · Qdrant
  • Single-process FastAPI (fly.io target)
  • SQLite with WAL · tenant-scoped tables · Qdrant for RAG / precedents
  • asyncio loops: scout · dream · workflow worker · drift sweep · staleness sweep
  • Realtime: WS /devices/ws · SSE /audit/stream
  • Alembic migrations (D29) · structured JSON logs (D30) · Sentry (D31)

Tauri Tray

Desktop HITL approval app
  • Tauri 2 + React + Rust core · macOS / Windows / Linux
  • Pair via short admin code → 90-day JWT
  • OS keyring JWT (Keychain / Cred Mgr / Secret Service)
  • SSE + REST: REST = source of truth, SSE = wakeup signal
  • Auto-approve via precedent threshold; 'Approve & remember' (boost=3.0)
  • Activity panel · cross-instance reconcile via cp.hitl.resolve

Hybrid Daemon

User-machine binary · two roles
  • Pairing: short code → device token bound to org
  • Role A — `run`: cloud-paired (WebSocket reverse RPC)
  • Role B — `mcp`: stdio MCP server for Claude Desktop / Cursor / Continue
  • 7 local tools: read / write / edit / bash / glob / grep / list
  • Built as a single PyInstaller binary

LLM Providers

5 backends · one adapter
  • Anthropic · OpenAI · DeepSeek · Google Gemini · OpenAI-compatible (vLLM / Together / Fireworks / Ollama)
  • Per-org API keys + platform key fallback
  • Tool-calling adapter normalised across vendors
  • Schema sanitization for Gemini compatibility
  • Vendor /models cache + LiteLLM live pricing fallback (D33)

External Integrations

Salesforce · Gmail · Slack
  • Salesforce: REST + OAuth (password/refresh-token); governed lead intake skill
  • Gmail OAuth + auto email processor
  • Slack drift-alert notifier
  • external.* skill prefix; PII safe — audits field NAMES not values

Documentation

Per-subsystem deep dives
  • CLAUDE.md §4 — subsystem map + recipes + gotchas
  • docs/architecture/01-…16 — one file per subsystem
  • docs/architecture/15-quality-and-hallucination — 4-signal reference
  • docs/architecture/16-agent-tree-view — parent_run_id contract

Stack

Frontend
  • Next.js 14 (app router)
  • Tailwind
  • React Flow (builder)
  • SSE streams
Backend
  • FastAPI
  • SQLite + WAL
  • Qdrant (RAG / precedents)
  • asyncio loops
Desktop
  • Tauri 2 (Rust + WebView)
  • PyInstaller daemon binary
  • tauri-plugin-store
  • OS keyring crate
Storage
  • SQLite app.db (tenant-scoped)
  • Filesystem cases
  • Ed25519 signing key
  • Audit hash chain
External
  • Anthropic / OpenAI / DeepSeek / Gemini / OAI-compat
  • GitHub · arxiv · HN
  • Salesforce · Gmail · Slack
  • MCP servers (stdio / http)