Platform architecture & build pipeline
API-first to the component level · open by default · EU-first, Germany where acceptable · a person greenlights every change.
Bound by the OpenAPI contract bus
Edge & perimeter
Every request enters here — routing, security, edge compute, the API gateway.
Domain services
Independently deployable; each owns its data, speaks only via API.
Intelligence
Reasoning, deep research & agentic build, model-agnostic behind one gateway. Anthropic models run through Google Cloud's Gemini Enterprise Agent Platform (formerly Vertex AI), via the Model Garden — Frankfurt or the EU multi-region endpoint, so inference stays in-EU. Team chat on a Claude subscription; product & dev inference on the Agent Platform.
Compute, data & observability
Heavy workloads, the warehouse, and the client-facing dashboards.
Communications
Transactional mail, notifications, the direct incident channel, intake.
Office & collaboration
Internal team only — Mail, Docs, Drive, Calendar. Client data never lands here.
Where technically & financially acceptable: GCP Frankfurt · OSS repatriable to German infra (e.g. Hetzner) · the client runs the open core on their own infrastructure.
Cloudflare EU data localization · Brevo (FR) · Workspace EU region · EU-resident inference. Nothing leaves the EU without a named reason.
Used only with EU data localization and an OSS exit path. Honest caveat: US parentage carries CLOUD Act exposure — mitigated by in-region storage and the right to repatriate every layer.
Sovereignty zoning answers which jurisdiction; placement answers whose hardware. Because every layer sits behind the OpenAPI contract bus, the substrate is a dial, not a rewrite — the contract is the invariant, and the same delivered system runs in any of three places, chosen per workload by which one's properties fit.
Ubuntu services plane — k3s, PostgreSQL, MinIO (S3), Ory/Zitadel, observability. Mac Studio M3 Ultra inference plane — open-weight models via MLX/Ollama, on-device.
Best for: sovereign & sensitive-data processing, steady-state inference, dev/test. Most sovereign, no egress, cheapest at steady load.
The four managed pillars carrying the public surface, burst load, and email — where the value bought is transferred operational responsibility, not raw compute.
Best for: the public SLA surface, availability promises, email deliverability, spiky demand. You buy the pager, not the box.
Containers → EKS/ECS · Postgres → RDS · OIDC federates to their IdP · objects → S3 · IaC re-targets · Claude → Bedrock. The deliverable redeploys; it does not get rewritten.
Best for: clients with an existing cloud commitment or their own residency mandate. The system lands inside their account, perimeter, and keys.
Frontier reasoning is always a hosted call — Claude is closed-weight, so it is reached by API (Agent Platform, or Bedrock on a client's AWS) wherever the rest runs; the Mac Studio serves the open-weight tier, the contract bus routes between them. And production email wants a relay on every substrate — deliverability is an IP-reputation game a self-hosted mail server loses. Everything else genuinely moves.
Development pipeline
Contract before code · agents propose, a person disposes · reproducible, auditable, reversible.
- 01 · Contract first
Every feature begins as an OpenAPI contract and a scoped brief. The contract is the spec — code follows it, internal components included.
- 02 · Agentic build
Claude Code agents generate small, atomic pull requests against the contract and its tests. Narrow diffs, each independently reviewable.
Claude Code · Agent Platform auth · GitHub · OpenAPI tests
- 03 · /meeting — human greenlight, on real devices
No agent change merges without a person reviewing and testing the atomic PR across the device fleet — desktop, laptop, tablet, phone — seeing the change as a user will.
Mac Studio M3 Ultra · MacBook Air M4 · iPad Air · iPhone 17 Pro
A person decides — by design. The daily drivers double as the first hardware test bench, and the Mac Studio M3 Ultra hosts open-weight models locally — that inference stays on-device. This gate is non-negotiable and never automated away.
- 04 · Continuous integration
Lint · typecheck · OpenAPI conformance · unit & integration · SAST/DAST security scan — the zero-trust, break-it-first ethos in the gate.
GitHub Actions · OpenAPI conformance · SAST · DAST
- 05 · Infrastructure as code
Cloudflare and GCP provisioned declaratively — reproducible, auditable, and repatriable to EU/German infra by changing a target, not a rewrite.
OpenTofu · OCI images
- 06 · Deploy — isolated per tenant
The static site and dynamic edge routes ship through the chain below; heavier services deploy to Cloud Run / GKE in GCP Frankfurt. One isolated build per customer, handed over to run on their own infrastructure.
GitHub · GitHub Actions · Wrangler · Cloudflare Pages / Workers
- 07 · Observe
OpenTelemetry → Prometheus / Grafana; live dashboards shipped to the client; incidents routed to the direct channel.
OpenTelemetry · Grafana · Brevo channel
- 08 · Care loop
Automation handles the deterministic ~80% of maintenance; humans take the judgment calls; usage is metered per tenant for honest pass-through billing — and feeds back into the contract.
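As an added example (not Apuna's code or tooling), this is the kind of OpenAPI conformance check the CI gate in step 04 runs: a captured response is rejected unless its route, status and JSON body are exactly what the contract declares, so an agent-generated PR cannot quietly add an undeclared field or status. The contract fragment, the tenant-usage route and the sample responses are constructed for the example; the schema subset (type, required, properties, additionalProperties, items, enum) is implemented inline so it runs with no third-party packages.

```python
# Added example, not Apuna's code: a minimal OpenAPI conformance check of the kind a
# CI gate runs on captured responses; supports a small JSON Schema subset, no packages.
USAGE_SCHEMA = {  # constructed contract fragment for the example
    "type": "object", "additionalProperties": False,
    "required": ["tenantId", "period", "meteredUnits"],
    "properties": {
        "tenantId": {"type": "string"},
        "period": {"type": "string", "enum": ["day", "month"]},
        "meteredUnits": {"type": "array", "items": {
            "type": "object", "required": ["name", "quantity"],
            "properties": {"name": {"type": "string"}, "quantity": {"type": "number"}}}}}}
CONTRACT = {"paths": {"/tenants/{tenantId}/usage": {"get": {"responses": {
    "200": {"content": {"application/json": {"schema": USAGE_SCHEMA}}},
    "404": {"description": "unknown tenant, no body"}}}}}}
TYPES = {"object": dict, "array": list, "string": str, "number": (int, float), "integer": int, "boolean": bool}

def schema_errors(schema, value, path="$"):
    """Return human-readable violations of `schema` by `value` (empty list = conforms)."""
    t = schema.get("type")
    # bool subclasses int in Python; the contract never treats a bool as a number
    if t and (not isinstance(value, TYPES[t]) or (t != "boolean" and isinstance(value, bool))):
        return [f"{path}: expected {t}, got {type(value).__name__}"]
    errs = []
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: {value!r} not one of {schema['enum']}")
    if t == "object":
        errs += [f"{path}.{k}: required property missing" for k in schema.get("required", []) if k not in value]
        props = schema.get("properties", {})
        for k, v in value.items():
            if k in props:
                errs += schema_errors(props[k], v, f"{path}.{k}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}.{k}: property not declared in contract")
    elif t == "array":
        for i, item in enumerate(value):
            errs += schema_errors(schema.get("items", {}), item, f"{path}[{i}]")
    return errs

def check_response(contract, route, method, status, body=None):
    # Route and status must be declared; a JSON body must match the declared schema.
    op = contract["paths"].get(route, {}).get(method.lower())
    if op is None:
        return [f"{method.upper()} {route}: operation not in contract"]
    resp = op["responses"].get(str(status))
    if resp is None:
        return [f"{method.upper()} {route}: status {status} not declared in contract"]
    schema = resp.get("content", {}).get("application/json", {}).get("schema")
    if schema is None:
        return [] if body is None else [f"{route} {status}: body returned but none declared"]
    return schema_errors(schema, body)
```

A gate wires `check_response` over every response recorded by the integration tests and fails the job on a non-empty list; the `$.path` in each message points the reviewer at the exact drift from the contract.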
Managed only where it earns it — open everywhere else, repatriable always.
Four managed pillars carry what they do best: Cloudflare (edge), GCP (heavy compute & data, Frankfurt), Brevo (EU communications), Google Workspace (internal office). Every other layer is open source, and every managed dependency keeps an OSS, EU-hostable exit — so no single layer is a lock-in, and the client always owns the core under Apache-2.0.
Cloudflare, Google, and the GitHub code host are US-headquartered; that is named, not hidden. EU data localization, a maintained open-source exit on every layer, and a distributed Git history that mirrors out in a single command mean residency is enforced today and repatriation is available tomorrow — the same principle as the product: open by default, reliable by subscription, and reversible by design.
Apuna · platform architecture & pipeline · June 18, 2026