Architecture

Planes

Customer site ──outbound TLS──▶ Secure Edge ──mTLS──▶ Ingestion GW
                                                            │
                                                            ▼
                                              Auth + Tenant Routing
                                                            │
                                              Stream Bus  (cdc.events, partition by tenant_id)
                                              ├─▶ Bronze Store        (raw JSONB)
                                              ├─▶ Tenant Materializer ─▶ analytics.* + typed_extras.*
                                              └─▶ Global Aggregator   ─▶ global_analytics.*  (1m, 1h)
                                              ▲
                                              │   DLQ + Replay (per tenant)
                                              └── Checkpoint + Dedupe Store

Database schemas

-- control plane
control.dim_tenant (tenant_id, name, plan, industry, region, created_at, ...)
control.global_rollup_key_allowlist (key, added_by, added_at)
control.pii_masking_policy (tenant_id, field_path, action)  -- hash | redact | drop
control.members (tenant_id, user_id, role)                  -- owner|admin|operator|viewer

-- bronze (raw, RLS by tenant_id)
bronze.cdc_events (
  event_id uuid pk, tenant_id uuid, source_id uuid,
  op text, table_name text, lsn text, event_time timestamptz,
  payload jsonb, ingest_time timestamptz default now()
)

-- tenant read models (RLS by tenant_id)
analytics.devices, analytics.sites, analytics.sessions, analytics.metrics_min
analytics.extras_text (tenant_id, entity_id, key, value)
analytics.extras_num  (tenant_id, entity_id, key, value)
analytics.extras_bool (tenant_id, entity_id, key, value)
analytics.extras_time (tenant_id, entity_id, key, value)

-- global rollups (internal-only, RLS DENY for tenant role)
global_analytics.rollup_min (bucket, key, plan, industry, region, value_sum, value_count)
global_analytics.rollup_hr  (bucket, key, plan, industry, region, value_sum, value_count)

Route map

Public
  /                    Home
  /platform            Platform
  /solutions           Solutions
  /pricing             Pricing
  /security            Security
  /contact             Book demo
  /docs/prd            PRD
  /docs/architecture   Architecture

Auth
  /auth                Sign in / Sign up / SSO

App  (tenant-scoped, RLS-enforced)
  /app/overview        Operational dashboard
  /app/data-sources    Source list + status
  /app/connectors      Wizard
  /app/tenants         Tenant registry (internal ops sees all)
  /app/alerts          Rules + state
  /app/reports         Scheduled + ad-hoc exports
  /app/global          Internal-only cross-tenant rollups
  /app/settings        Workspace, members, retention, masking
  /app/audit           Immutable audit log

Role model

owner    — billing + everything
admin    — sources, alerts, members, retention, masking
operator — dashboards + ack/silence alerts
viewer   — read-only dashboards
internal_ops — cross-tenant analytics (allowlisted only)
service_role — backend writes; bypasses RLS for materializer + aggregator

Cross-tenant rollup invariants

  • A metric key reaches global_analytics.* only if it appears in control.global_rollup_key_allowlist.
  • Tenant-specific keys remain queryable via analytics.* under tenant RLS.
  • Breakdowns are limited to attributes that live on control.dim_tenant (plan, industry, region).
  • global_analytics.* tables deny SELECT to tenant roles — exposed only via the internal Global Analytics console.
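
One way to enforce the invariants above in PostgreSQL, shown as an added example that is not the project's own code. The role names tenant_role and internal_ops_role, the app.tenant_id session setting, and the analytics.metrics_min columns (tenant_id, bucket, key, value) are assumptions.

```sql
-- Added example. Assumed names: tenant_role, internal_ops_role, the
-- app.tenant_id session setting, metrics_min columns (tenant_id, bucket, key, value).

-- 1. Tenant RLS on a read model. With app.tenant_id unset, current_setting
--    returns NULL, the comparison is NULL, and no rows are visible.
ALTER TABLE analytics.metrics_min ENABLE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON analytics.metrics_min
  FOR SELECT TO tenant_role
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- 2. Global rollups: tenant_role gets no grant and no policy, so both the
--    privilege check and RLS refuse SELECT. Repeat for rollup_hr.
REVOKE ALL ON SCHEMA global_analytics FROM PUBLIC, tenant_role;
REVOKE ALL ON ALL TABLES IN SCHEMA global_analytics FROM PUBLIC, tenant_role;
GRANT USAGE ON SCHEMA global_analytics TO internal_ops_role;
GRANT SELECT ON ALL TABLES IN SCHEMA global_analytics TO internal_ops_role;
ALTER TABLE global_analytics.rollup_min ENABLE ROW LEVEL SECURITY;
CREATE POLICY internal_only ON global_analytics.rollup_min
  FOR SELECT TO internal_ops_role
  USING (true);

-- 3. Aggregator write (runs as service_role). The inner join on the allowlist
--    drops every non-allowlisted key, and the only breakdown columns come
--    from control.dim_tenant, so no tenant_id or tenant-specific attribute
--    reaches the rollup.
INSERT INTO global_analytics.rollup_min
  (bucket, key, plan, industry, region, value_sum, value_count)
SELECT date_trunc('minute', m.bucket), m.key,
       t.plan, t.industry, t.region,
       sum(m.value), count(*)
FROM analytics.metrics_min AS m
JOIN control.dim_tenant AS t ON t.tenant_id = m.tenant_id
JOIN control.global_rollup_key_allowlist AS a ON a.key = m.key
GROUP BY 1, 2, 3, 4, 5;

-- 4. Audit check for the first invariant: any row returned is a key that
--    reached the rollup without being on the allowlist (for example after
--    a key was removed from the allowlist). Expect zero rows.
SELECT DISTINCT r.key
FROM global_analytics.rollup_min AS r
LEFT JOIN control.global_rollup_key_allowlist AS a ON a.key = r.key
WHERE a.key IS NULL;
```

Because service_role bypasses RLS, the allowlist join in step 3 is the only control on what enters global_analytics.*; the policies in steps 1 and 2 only constrain readers.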

Incremental implementation plan

  1. Frontend scaffold + design system (this commit).
  2. Enable Lovable Cloud → auth + tenants/members + RLS.
  3. Connector pairing endpoints + outbound agent contract (stubbed).
  4. Bronze ingest server-fn + dedupe store; wire to a fake source.
  5. Tenant materializer + typed extras tables.
  6. Alert rule evaluator + channels.
  7. Global aggregator + allowlist enforcement + internal console.
  8. Reports/exports + audit log + masking policies.