Architecture
Modular monolith architecture with separate workers for async processing.
System Context
Component Architecture
Frontend (Next.js 14+)
| Aspect | Detail |
|---|---|
| Framework | Next.js 14+ with App Router |
| Language | TypeScript 5+ |
| Styling | Tailwind CSS v4 |
| State | React Context + Server Components |
| i18n | Arabic/English with native RTL |
| Auth | NextAuth.js → Keycloak OIDC |
| Components | 69 custom components |
| Pages | 67 pages |
Backend (FastAPI)
| Aspect | Detail |
|---|---|
| Framework | FastAPI (async Python 3.11+) |
| ORM | SQLModel (SQLAlchemy + Pydantic) |
| Routers | 57 API routers |
| Services | 60+ service modules |
| Models | 45 database models |
| Auth | JWT (Keycloak) + API keys |
| Middleware | 5-layer security chain |
Background Worker
Async task processor for:
- KRI scheduled evaluations
- Escalation processing
- Email notifications
- Document retention cleanup
- Data refresh jobs
Infrastructure Topology
| Component | Port | Purpose |
|---|---|---|
| Frontend | 3006 | Next.js web application |
| Backend | 8005 | FastAPI REST API |
| PostgreSQL | 5432 | Data + vector store (pg16 + pgvector) |
| Redis | 6379 | Cache + task queue |
| MinIO | 9000/9001 | Object storage (S3-compatible) |
| Keycloak | 8080 | IAM and SSO |
| Prometheus | 9090 | Metrics aggregation |
| Grafana | 3003 | Monitoring dashboards |
| OTEL Collector | 4317 | Trace collection |
| Ollama | 11434 | Local LLM inference |
Security Architecture
5-Layer Middleware Chain
Every API request passes through:
- CORS — domain-level isolation
- Security Headers — HSTS, CSP, X-Frame-Options
- Rate Limiting — Redis-backed DoS protection
- CSRF — double-submit cookie pattern
- Audit Middleware — immutable audit trail
Data Isolation
- API Layer:
PermissionCheckerdependency - Query Layer:
OrgScopedQueryfilter - Database Layer: PostgreSQL RLS policies (19 policies)
- Session Layer:
app.current_org_idvariable injection
AI Architecture
See AI Features and AI Governance.