# Architecture overview

## System boundary

- Self-hosted by default, with optional licensing validation.
- Offline-first: every critical verification path is available without network access.

## Core infrastructure

- PostgreSQL: the only canonical database, with schema isolation per module.
- Valkey: cache, queues, and streams (Redis-compatible).
- RustFS: object storage for content-addressed artifacts.
- Optional: NATS JetStream as an alternative queue and stream transport.

## External dependencies

- OCI registry with referrers support, used for SBOM and attestation discovery.
- Fulcio or KMS-backed signing (optional, depending on the crypto profile).
- Rekor (optional) for transparency log anchoring.

## Core services (high level)

- Authority: OIDC and OAuth2 token issuance, with DPoP and mTLS sender constraints.
- Signer: DSSE signing with entitlement checks and scanner integrity verification.
- Attestor: transparency logging and attestation verification.
- Scanner (Web + Worker): SBOM generation, analyzers, inventory and usage views, diffs.
- Concelier: advisory ingest under the Aggregation-Only Contract (AOC).
- Excititor: VEX ingest under AOC, with consensus and evidence preservation.
- Policy Engine: deterministic policy evaluation with explain traces.
- Scheduler: impact selection and analysis-only re-evaluation.
- Notify: rules, channels, and delivery workflows.
- Export Center: deterministic exports and offline bundles.
- UI and CLI: operator and automation surfaces.
- Zastava: runtime observer and optional admission enforcement.
- Advisory AI: evidence-based guidance with guardrails.
- Orchestrator: job DAGs and pack runs.

## Trust boundaries

- Authority issues short-lived OpTok tokens with sender constraints (DPoP or mTLS).
- Signer enforces Proof of Entitlement (PoE) and scanner image integrity before signing.
- Only Signer produces DSSE envelopes; only Attestor writes to Rekor.
- All evidence is content-addressed and immutable once written.
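Added illustration (not the project's own code): the kind of check a resource service such as Signer runs when it receives an Authority-issued, DPoP sender-constrained token, binding the proof's key to the token's `cnf.jkt` claim (RFC 9449 with the RFC 7638 thumbprint) and checking method, URI, freshness, token hash and replay. It assumes the proof's JWS signature has already been verified against the header `jwk` by a JOSE library; the key, claims and URL below are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: canonical JSON of the required members only, SHA-256, base64url."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def access_token_hash(access_token: str) -> str:
    """The DPoP 'ath' value: base64url(SHA-256(access token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())


def check_sender_constraint(token_claims, proof_header, proof_claims, method, url,
                            access_token, now, seen_jti, max_skew=60):
    """Return (ok, reason). Assumption: proof JWS signature already verified
    against proof_header['jwk']; this function only checks the binding."""
    if proof_header.get("typ") != "dpop+jwt" or "jwk" not in proof_header:
        return False, "header is not a DPoP proof"
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None:
        return False, "token has no cnf.jkt; it is not sender-constrained"
    if jkt != jwk_thumbprint(proof_header["jwk"]):
        return False, "proof key does not match the token's key binding"
    if proof_claims.get("htm") != method:
        return False, "htm does not match the request method"
    # htu is compared without query string or fragment, per RFC 9449.
    if proof_claims.get("htu") != url.split("?", 1)[0].split("#", 1)[0]:
        return False, "htu does not match the request URI"
    if abs(now - proof_claims.get("iat", 0)) > max_skew:
        return False, "proof is outside the freshness window"
    if proof_claims.get("ath") != access_token_hash(access_token):
        return False, "ath does not hash the presented access token"
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "missing or replayed jti"
    seen_jti.add(jti)  # remember the proof id for the freshness window
    return True, "ok"
```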