
Deployment Architecture

Source of Truth: TRUTH_MAP.md

Overview

Fulcrum is designed to run as a set of containerized services, orchestrated via Docker Compose (development) or Railway (production). The architecture emphasizes strict separation of concerns between the Control Plane (Management) and the Data Plane (Enforcement).

Topology

graph TD
    Client[Client Applications] --> LB[Load Balancer]

    subgraph "Fulcrum Platform"
        LB --> API[API Gateway / gRPC Server]

        subgraph "Core Services"
            API --> Engine[Policy Engine]
            API --> Budget[Budget Service]
            API --> Audit[Audit Service]
        end

        subgraph "Data Layer"
            Engine --> Cache[(Redis Cache)]
            Audit --> DB[(TimescaleDB)]
            Budget --> DB
        end

        subgraph "Message Bus"
            API --> NATS[NATS JetStream]
            NATS --> Workers[event-processor]
        end
    end

Components

1. API Server (Golang)

  • Role: Entry point for SDKs and Dashboard.
  • Protocols: gRPC (Agents), REST/Connect (Web Dashboard).
  • Scaling: Stateless, horizontally scalable.

2. Policy Engine (OPA/Rego)

  • Role: Evaluates governance policies against input context.
  • Implementation: Embedded OPA library or external OPA server.
  • State: Policies cached in-memory/Redis for low latency (<10ms).

3. Data Stores

  • PostgreSQL (TimescaleDB): Primary source of truth for configuration, users, policies, and metrics. Uses TimescaleDB extension for time-series data.
  • Redis: Hot cache for API keys, rate limits, and active policy definitions.

4. NATS JetStream

  • Role: Asynchronous event bus.
  • Use Cases: Decoupling audit logging from the critical path, processing analytics, distributing config updates.
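Taking audit logging off the critical path is only safe if audit loss is visible rather than silent. The Go program below is an added example written for this page, not Fulcrum's code: it shows the request-path side of that pattern with a bounded, non-blocking queue in front of a small Publisher interface, an in-memory fake standing in for the JetStream client, and a counter that records every event the process could not deliver. The type, field and subject names (AuditEvent, audit.decision) are assumptions made for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// AuditEvent is the record handed to the bus. Field and subject names are
// assumptions made for this example, not Fulcrum's audit schema.
type AuditEvent struct {
	Subject   string    `json:"-"` // NATS subject: routing only, not payload
	Actor     string    `json:"actor"`
	Action    string    `json:"action"`
	Decision  string    `json:"decision"`
	Timestamp time.Time `json:"ts"`
}

// Publisher is the only dependency of the request path. In production it
// would wrap a JetStream connection; memPublisher below is an offline stand-in.
type Publisher interface {
	Publish(ctx context.Context, subject string, payload []byte) error
}

// ErrQueueFull is returned by Record when the in-process buffer is saturated.
var ErrQueueFull = errors.New("audit queue full")

// AsyncAuditor moves publishing off the request path. Loss is never silent:
// every event that cannot be buffered or published increments Dropped().
type AsyncAuditor struct {
	queue   chan AuditEvent
	pub     Publisher
	dropped atomic.Int64
	once    sync.Once
	wg      sync.WaitGroup
}

func NewAsyncAuditor(pub Publisher, depth int) *AsyncAuditor {
	a := &AsyncAuditor{queue: make(chan AuditEvent, depth), pub: pub}
	a.wg.Add(1)
	go a.drain()
	return a
}

// Record never blocks. On a full buffer it fails fast so the caller can choose
// fail-closed (reject the action) or fail-open (proceed, alert on Dropped()).
func (a *AsyncAuditor) Record(ev AuditEvent) error {
	select {
	case a.queue <- ev:
		return nil
	default:
		a.dropped.Add(1)
		return ErrQueueFull
	}
}

func (a *AsyncAuditor) Dropped() int64 { return a.dropped.Load() }

func (a *AsyncAuditor) drain() {
	defer a.wg.Done()
	for ev := range a.queue {
		payload, err := json.Marshal(ev)
		if err == nil {
			ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
			err = a.pub.Publish(ctx, ev.Subject, payload)
			cancel()
		}
		if err != nil {
			a.dropped.Add(1) // a timed-out or failed publish is a lost record
		}
	}
}

// Close stops accepting events and flushes the buffer. Producers must stop
// calling Record before Close; a send after Close would panic.
func (a *AsyncAuditor) Close() {
	a.once.Do(func() { close(a.queue) })
	a.wg.Wait()
}

// memPublisher is a constructed in-memory stand-in for the NATS client.
type memPublisher struct{ n atomic.Int64 }

func (m *memPublisher) Publish(context.Context, string, []byte) error {
	m.n.Add(1)
	return nil
}

func (m *memPublisher) Count() int64 { return m.n.Load() }

func main() {
	pub := &memPublisher{}
	a := NewAsyncAuditor(pub, 1024)
	ev := AuditEvent{Subject: "audit.decision", Actor: "agent-42",
		Action: "tool.call", Decision: "allow", Timestamp: time.Now().UTC()}
	if err := a.Record(ev); err != nil {
		fmt.Println("fail closed:", err) // reject rather than run the action unaudited
	}
	a.Close()
	fmt.Printf("published=%d dropped=%d\n", pub.Count(), a.Dropped())
}
```

The caller of Record owns the failure mode: a governance check that must never let an unaudited action through returns the error, while a path that prefers availability proceeds and alerts on Dropped(). The same boundary holds against JetStream itself: only a publish acknowledgement makes the event a durable record, so a publish that times out is a lost record, not a delayed one.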

Production Environment (Railway)

Fulcrum runs entirely on Railway with 6 active services:

Compute Services

| Service | Image/Build | Purpose |
|---|---|---|
| fulcrum-server | infra/docker/Dockerfile.server | Main API server (gRPC/REST + MCP) |
| event-processor | infra/docker/Dockerfile.eventprocessor | NATS event consumer |
| dashboard | dashboard/Dockerfile | Next.js admin UI |

Data Services

| Service | Image | Purpose |
|---|---|---|
| timescaledb-docker | timescale/timescaledb-ha:pg16 | PostgreSQL 16 + TimescaleDB (metrics hypertables) |
| Redis | Railway Plugin | Cache for policies, sessions |
| nats | nats:latest | JetStream messaging |

Database Configuration

The timescaledb-docker service is configured as a Docker Image deployment:

  • Image: timescale/timescaledb-ha:pg16
  • Host: timescaledb-docker.railway.internal:5432
  • Database: fulcrum_metrics
  • Schemas: fulcrum (app tables), metrics (telemetry)
  • Volume: Persistent storage mounted at /var/lib/postgresql/data

Connection strings configured via Railway environment variables.
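Because the connection string arrives from the environment, the server process is the last place a bad value can be caught before it is used. The Go function below is an added example, not project code: it parses DATABASE_URL, rejects a missing user or password, requires sslmode=require or stronger for any host that is not on the *.railway.internal private network (that exemption is an assumed policy for the example, not something this page states), and returns a redacted form so the password never reaches a log line. The struct and function names are the example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// DatabaseConfig is the validated result. Its field names are this example's own.
type DatabaseConfig struct {
	URL      string // full URL with credentials; keep out of logs and error messages
	Redacted string // password replaced by xxxxx; safe to log
	Database string // database name from the URL path, e.g. fulcrum_metrics
	Private  bool   // host is on Railway's private network (*.railway.internal)
}

// LoadDatabaseURL validates DATABASE_URL from the supplied environment map.
// Policy (an assumption for this example): a *.railway.internal host is treated
// as private-network transport; any other host must carry sslmode=require,
// verify-ca or verify-full so credentials and queries never cross a network in clear.
func LoadDatabaseURL(env map[string]string) (DatabaseConfig, error) {
	raw := env["DATABASE_URL"]
	if raw == "" {
		return DatabaseConfig{}, errors.New("DATABASE_URL is not set")
	}
	u, err := url.Parse(raw)
	if err != nil {
		// Never echo raw into an error: it may contain the password.
		return DatabaseConfig{}, errors.New("DATABASE_URL is not a valid URL")
	}
	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
		return DatabaseConfig{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.User == nil || u.User.Username() == "" {
		return DatabaseConfig{}, errors.New("DATABASE_URL has no user")
	}
	if _, ok := u.User.Password(); !ok {
		return DatabaseConfig{}, errors.New("DATABASE_URL has no password")
	}
	host := u.Hostname()
	private := strings.HasSuffix(host, ".railway.internal")
	switch mode := u.Query().Get("sslmode"); {
	case private:
	case mode == "require", mode == "verify-ca", mode == "verify-full":
	default:
		return DatabaseConfig{}, fmt.Errorf("host %q is not private and sslmode=%q is not acceptable", host, mode)
	}
	return DatabaseConfig{
		URL:      raw,
		Redacted: u.Redacted(),
		Database: strings.TrimPrefix(u.Path, "/"),
		Private:  private,
	}, nil
}

// envFromOS snapshots the process environment into the map LoadDatabaseURL takes.
func envFromOS() map[string]string {
	env := make(map[string]string)
	for _, kv := range os.Environ() {
		if k, v, ok := strings.Cut(kv, "="); ok {
			env[k] = v
		}
	}
	return env
}

func main() {
	cfg, err := LoadDatabaseURL(envFromOS())
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	// Only the redacted form is printed; cfg.URL is handed to the driver and nowhere else.
	fmt.Printf("db=%s private=%v dsn=%s\n", cfg.Database, cfg.Private, cfg.Redacted)
}
```

Taking the environment as a map rather than reading os.Getenv inside the function keeps the check unit-testable and lets the same validation run against a Doppler export before deploy. If your threat model does not treat the Railway private network as trusted transport, drop the private-host exemption and require sslmode on every host.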

Configuration

  • Variables: Environment variables via Doppler + Railway
  • Secrets: Doppler integration for sensitive values
  • Security: HSTS enabled, TLS termination at Railway edge

Local Development

The docker-compose.yml provides a local replica of the production stack:

  • fulcrum-server: Core API
  • postgres: Config DB
  • redis: Cache
  • prometheus/grafana: Observability stack

See Deployment Guide for setup instructions.


Related documents:

| Document | Purpose |
|---|---|
| TRUTH_MAP.md | Infrastructure source of truth |
| DEPLOYMENT_GUIDE.md | Deployment procedures |
| CREDENTIALS.md | Secret management locations |

Last Updated: February 2, 2026
Evidence sources: TRUTH_MAP.md, Railway MCP verification 2026-01-31