Architecture overview
A map of everything in the eigenoid org: repositories, technologies, environments, and how they connect.
Organization overview
Eigenoid is a private GitHub organization building an AI agent framework. The org contains the core framework, supporting applications, backend services, infrastructure-as-code, platform tooling, and documentation. All repositories are private.
The repository naming convention uses category prefixes (app-, svc-, iac-, docs-, platform-) so you can identify a repo's purpose from its name alone.
Repository map
Repository details
Core Framework
| Repository | Stack | Purpose |
|---|---|---|
| eigenoid | Python, Cython | AI agent framework with SPIFFE/SPIRE identity and delegation chains. Distributed as compiled wheels via Artifact Registry. |
| eigenoid-sample | Python | Reference implementation of the automated distribution pipeline. Used to validate the packaging, tagging, and release flow. |
Applications
| Repository | Stack | Purpose |
|---|---|---|
| app-access-admin | React, Vite, TypeScript | Internal admin portal for access management. Behind Cloudflare Access (GitHub org auth). |
| app-access-public | React, Vite, TypeScript | Public-facing portal for access management. Magic link + MFA (TOTP, Passkeys, Email OTP backup) authentication. Runs on Cloudflare Workers. |
| app-block-page | HTML/CSS, Cloudflare Pages | Custom block page shown when Cloudflare Access denies a request. See ADR-0005. |
| app-studio-frontend | React, Vite, TypeScript | Visual agent builder UI for designing and testing multi-agent systems. |
Backend Services
| Repository | Stack | Purpose |
|---|---|---|
| svc-access | Go, Chi, GORM, PostgreSQL | Backend API for the access management product. Runs on Cloud Run with separate admin and public modes. |
| svc-studio | Go | Go backend for the Studio product (workflow/automation engine). Runs on Cloud Run. |
Infrastructure
All infrastructure repos use Terraform targeting Google Cloud Platform, following the producer/consumer model.
| Repository | Purpose |
|---|---|
| iac-foundation | Workload Identity Federation, service accounts, GCP API enablement |
| iac-platform | Cloud Run deployments, Artifact Registry |
| iac-access | Access product infrastructure: Cloud Run, tunnels, DNS, Access apps |
| iac-api-gateway | Terraform for Apigee API Gateway resources |
| iac-studio | Terraform for Studio domain (svc-studio + frontend) |
| iac-distribution | Artifact Registry repositories for Python packages (one per project) |
| iac-template | Pre-configured template for bootstrapping new IaC stacks |
Platform Tooling
| Repository | Stack | Purpose |
|---|---|---|
| platform-actions | GitHub Actions, YAML | Reusable workflows, Terraflow orchestrator, centralized environment config |
| platform-api-gateway | Cloudflare Workers, TypeScript | API routing layer with domain separation (.eigenoid.services internal, .eigenoid.com public). See API Gateway docs. |
| platform-design-tokens | Tailwind CSS | Shared design token preset consumed by all frontend applications |
| platform-settings | YAML, GitHub Actions | safe-settings configuration for GitHub org governance. See ADR-0006. |
Documentation
| Repository | Stack | Purpose |
|---|---|---|
| docs-internal | Docusaurus 3, TypeScript | This site. Private internal documentation at docs.eigenoid.services. |
| docs-external | Docusaurus 3, TypeScript | Public-facing documentation. |
Technology landscape
| Category | Technologies |
|---|---|
| Languages | TypeScript, Go, Python, Cython, HCL |
| Frontend | React, Vite, React Flow, Tailwind CSS, Cloudflare Workers (Workers Builds) |
| Backend | Go (Chi router, GORM ORM), PostgreSQL (Cloud SQL) |
| AI / Identity | SPIFFE/SPIRE, delegation chains |
| Infrastructure | Terraform, Google Cloud Platform (Cloud Run, Cloud SQL, Artifact Registry, WIF) |
| Edge / CDN | Cloudflare (Pages, Workers, Access, Tunnels, DNS) |
| CI/CD | GitHub Actions, Terraflow (custom orchestrator), Cloudflare Pages (docs) |
| Governance | safe-settings (GitHub App), Conventional Commits, squash merge |
| Documentation | Docusaurus 3, Mermaid diagrams, ADRs |
Environment topology
The org operates three isolated GCP projects, one per environment, as defined in ADR-0009. Cloudflare handles the edge layer. GitHub is the source of truth for code and CI.
| Layer | Service | Role |
|---|---|---|
| Source + CI | GitHub | Code hosting, pull request workflows, GitHub Actions for build/test/deploy |
| Edge | Cloudflare Pages | Static hosting for documentation and block page |
| Edge | Cloudflare Workers | API gateway (request routing, header sanitization) and frontend app hosting via Workers Builds (app-access-public, app-studio-frontend) |
| Edge | Cloudflare Access | Zero Trust authentication (GitHub org for internal, magic link for public) |
| Edge | Cloudflare Tunnels | Secure origin connectivity -- backends are never exposed directly |
| Compute | Cloud Run | Containerized backend services (Go) with per-environment isolation |
| Data | Cloud SQL (PostgreSQL) | Managed relational database, one instance per environment |
| Artifacts | Artifact Registry | Python packages and Docker images, one repository per environment |
| Auth | Workload Identity Federation | Keyless CI authentication from GitHub Actions to GCP via OIDC |
All regional GCP resources use europe-west1 (Belgium). Environment configuration is centralized in platform-actions/config/environments.yaml.
Data flow
How a typical request travels from user to database and back.
- The user hits a frontend URL (e.g., access-dev.eigenoid.services).
- Cloudflare Access authenticates the request. Internal apps use GitHub OAuth (org membership required). Public apps use magic link + MFA (TOTP, Passkeys, Email OTP).
- Cloudflare Workers serves the frontend apps.
- The frontend makes API calls to the gateway domain (e.g., api-dev.eigenoid.services).
- The Cloudflare Worker validates and sanitizes headers, then forwards the request through a Cloudflare Tunnel using a service token.
- The tunnel routes to the appropriate Cloud Run instance (svc-access in admin or public mode).
- The Go backend processes the request, queries Cloud SQL (PostgreSQL), and returns the response back through the same chain.
System jobs (Cloud Scheduler, Pub/Sub) bypass the gateway and call Cloud Run directly.
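The gateway step above ("validates and sanitizes headers, then forwards the request through a Cloudflare Tunnel using a service token") is where a caller-supplied header could otherwise be mistaken for something the edge asserted. The following is an added illustration, not code from platform-api-gateway: it isolates that step as plain functions so the header logic can be run and tested outside the Workers runtime. The CF-Access-Client-Id and CF-Access-Client-Secret header names are Cloudflare's real service-token headers; the allowlist contents, the binding names env.ACCESS_CLIENT_ID, env.ACCESS_CLIENT_SECRET and env.ORIGIN_HOST, and the function names are assumptions made for the example.

```javascript
// Added example (not the platform-api-gateway code): the "validate and sanitize
// headers, then forward through the tunnel with a service token" step of a gateway
// Worker. Assumed, not stated on the page: the tunnel origin is protected by a
// Cloudflare Access service token presented via CF-Access-Client-Id /
// CF-Access-Client-Secret, and the backend trusts headers that only the edge sets.

// Client-supplied headers that may reach the origin (allowlist). Anything else,
// including Cf-*, X-Forwarded-* and any identity or token headers, is dropped.
const FORWARDED_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-type",
  "content-length",
  "if-none-match",
]);

// Header prefixes a caller must never supply: they carry edge-asserted identity or
// the service token. Their presence on an inbound request is treated as spoofing
// and the request is rejected rather than silently cleaned.
const RESERVED_PREFIXES = ["cf-access-"];

// Returns null if the inbound headers are acceptable, otherwise a rejection reason.
function validateInbound(headers) {
  for (const [name] of headers) {
    const lower = name.toLowerCase();
    if (RESERVED_PREFIXES.some((p) => lower.startsWith(p))) {
      return `reserved header supplied by client: ${lower}`;
    }
  }
  return null;
}

// Builds the header set sent to the origin: allowlisted client headers plus the
// service-token pair read from the Worker's secrets (assumed binding names).
function buildOriginHeaders(headers, env) {
  const out = new Headers();
  for (const [name, value] of headers) {
    if (FORWARDED_HEADERS.has(name.toLowerCase())) out.set(name, value);
  }
  out.set("CF-Access-Client-Id", env.ACCESS_CLIENT_ID);
  out.set("CF-Access-Client-Secret", env.ACCESS_CLIENT_SECRET);
  return out;
}

// Worker-style handler. `originFetch` is injected so the forwarding step can be
// exercised without a real tunnel; in a deployed Worker it would be `fetch`.
async function handleRequest(request, env, originFetch = fetch) {
  const reason = validateInbound(request.headers);
  if (reason !== null) {
    return new Response(reason, { status: 400 });
  }
  const originUrl = new URL(request.url);
  originUrl.hostname = env.ORIGIN_HOST; // tunnel hostname (assumed binding name)
  return originFetch(originUrl.toString(), {
    method: request.method,
    headers: buildOriginHeaders(request.headers, env),
    body: request.body,
  });
}
```

The allowlist is deliberately short: a denylist of known-bad headers has to be updated every time the backend starts trusting a new edge-set header, whereas an allowlist fails closed. Rejecting requests that carry reserved headers, instead of just stripping them, also gives the backend's logs a clear signal when something upstream is trying to impersonate the edge.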
Next steps
- Onboarding guide -- set up your environment and make your first contribution.
- Glossary -- key terms explained in plain language.
- Infrastructure as Code -- how Terraform and Terraflow manage GCP resources.
- Distribution -- automated Python package distribution pipeline.
- API Gateway -- detailed routing architecture and auth flows.