Technical Architecture

Architecture Built for Production AI

A complete infrastructure stack — from visual builder to agent runtime to data layer. Every component purpose-built, vertically integrated, and production-hardened.

Read the DocsView on GitHub
System Architecture

Four Layers. One Stack.

OrchStack is a vertically-integrated platform — every layer is purpose-built to work together, from the UI down to the database.

Application Layer

StudioControl PanelREST APIsEmbed WidgetsCLI

Agent Runtime

LLM RouterMemory ManagerTool ExecutorGuard SystemContext Builder

Orchestration Engine

Workflow EngineState MachineEvent BusSchedulerHuman Gates

Infrastructure

PostgreSQLRedisS3Vector DBMessage Queue
Core Services

Deep-Dive into Every Service

Six battle-tested services power every agent execution. Each is independently scalable, fully observable, and configurable per tenant.

llm-router

LLM Router

Intelligent multi-provider routing with automatic failover, latency-aware selection, and real-time cost optimization across OpenAI, Anthropic, Google, and self-hosted models.

Multi-provider with auto-fallback
Latency & cost-aware routing
Streaming + batch support
memory-mgr

Memory Manager

5-tier memory architecture — session, long-term, entity, shared, and collective — backed by Redis for hot data, PostgreSQL for persistence, and Vector DB for semantic recall.

5-tier memory hierarchy
Redis + PostgreSQL + Vector DB
Automatic memory consolidation
tool-exec

Tool Executor

Sandboxed, permission-scoped tool execution with configurable retry logic, timeout handling, circuit breakers, and full execution tracing for every tool call.

Sandboxed execution environment
Retry logic + circuit breakers
Per-tool timeout & rate limits
knowledge

Knowledge Engine

Production-grade RAG pipeline with hybrid search (BM25 + semantic), multi-stage re-ranking, chunk optimization, and source attribution on every retrieval.

Hybrid BM25 + semantic search
Multi-stage re-ranking
Source attribution & citations
guard-sys

Guard System

Input/output validation layer with PII detection, content policy enforcement, prompt injection defense, token budgets, and per-tenant cost limits — all configurable per agent.

PII detection & redaction
Prompt injection defense
Token budgets & cost limits
event-bus

Event Bus

Real-time event streaming for every agent action — SSE for live UIs, webhook delivery with retry, and append-only audit logging for compliance and debugging.

Real-time SSE streaming
Webhook delivery with retry
Immutable audit log
Request Lifecycle

How a Request Flows Through OrchStack

Every agent request follows a deterministic pipeline with full tracing from ingestion to outcome measurement.

01
User RequestHTTP / WS / SDK
02
API GatewayAuth, Rate Limit
03
Agent RouterSelect + Configure
04
LLM + Tools + MemoryExecute Loop
05
ResponseStream / Batch
06
Outcome TrackingMetrics + Audit
Security

Security by Design

Every layer of OrchStack is built with enterprise security primitives. Not bolted on — baked in.

Multi-Tenant Isolation

Row-level security (RLS) on PostgreSQL ensures tenant data is fully isolated at the database level. No shared state leaks between organizations.

Encryption at Rest + Transit

AES-256 encryption for data at rest, TLS 1.3 for data in transit. Secrets are stored in vault-backed key management with automatic rotation.

SOC 2 Compliance Ready

Architecture designed for SOC 2 Type II compliance with access controls, change management, and continuous monitoring built into every layer.

Immutable Audit Trails

Every agent action, tool call, LLM request, and admin change is logged to an append-only audit log with cryptographic integrity verification.

Tech Stack

Built With Modern Infrastructure

Proven, open-source technologies — chosen for reliability, performance, and developer experience.

TypeScriptLanguage
Node.jsRuntime
Next.jsFramework
PostgreSQLDatabase
RedisCache
Qdrant / pgvectorVector DB
Docker / K8sContainers
Vercel / AWSDeploy

Architecture FAQ

Explore the Full Architecture

Read the documentation or request a personalized architecture review with our engineering team.

Read the DocumentationRequest Architecture Review

Open architecture -- self-host or managed cloud