Architecture Specifications

The 16 architecture blueprints define what each structural component of a Weblisk deployment is, what it's responsible for, and how it interacts with everything else. These are the building blocks — protocol says how things talk, architecture says what the things are.

Architecture blueprints don't prescribe implementation details — they define responsibilities, interfaces, and constraints. A conforming orchestrator in Go and one in Rust must behave identically from the outside, even though their internals differ completely.

Orchestrator

The orchestrator is the trust anchor of every deployment. It doesn't execute business logic — it manages identity, registration, routing, discovery, and the audit trail. Every agent registers with the orchestrator. Every task routes through it. Every capability grant originates from it.

Responsibilities

Agent registration: Verify Ed25519 signatures, issue WLT tokens, assign agent IDs
Service directory: Maintain the live registry of all agents — names, URLs, capabilities, health status
Task routing: Accept task submissions and forward to the target agent (directly or via domain controller)
Channel brokering: Create time-limited channels for direct agent-to-agent communication
Namespace management: Enforce unique naming across agents, prevent collisions
Audit logging: Record every operation in an append-only log — registrations, tasks, messages, approvals
Strategy management: Store business strategies and observations for the lifecycle loop

Endpoints

Endpoint	Purpose
`POST /v1/register`	Agent registration — issues auth token
`DELETE /v1/register`	Agent deregistration
`POST /v1/task`	Task submission and routing
`POST /v1/channel`	Broker agent-to-agent channel
`GET /v1/services`	Current service directory
`GET /v1/health`	Orchestrator health status
`GET /v1/audit`	Append-only audit log
`GET/POST /v1/strategy`	Business strategy management
`GET/POST /v1/context`	Entity context (company, project)
`GET /v1/observations`	Agent observation history
`GET/POST /v1/approve`	Approval queue management

What It Does NOT Do

Does NOT execute agent logic — it routes, doesn't compute
Does NOT store business data — agents own their data
Does NOT make decisions — it enforces policies declared elsewhere
Does NOT communicate externally — only agents talk to the outside world

Domain Controller

Domain controllers are business logic directors. They don't do the work themselves — they decompose complex requests into multi-agent workflows, coordinate execution order, handle failure cases, and aggregate results.

Responsibilities

Workflow declaration: Define multi-step workflows as directed acyclic graphs (DAGs)
Task decomposition: Break incoming requests into sub-tasks for specialist agents
Coordination: Manage execution order, parallel branches, conditional paths, and join points
Failure handling: Retry transient failures, circuit-break on persistent failures, report partial results
Result aggregation: Combine outputs from multiple agents into a unified response
Event-driven triggering: React to observations, scheduled events, or external triggers

Domain vs. Agent

Aspect	Domain Controller	Work Agent
Role	Director — orchestrates others	Executor — does the actual work
Logic	Workflow coordination, routing	Domain-specific computation
Data access	Reads service directory, forwards context	Reads/writes domain data
Capabilities	`workflow:execute`	Specific: `file:read`, `llm:chat`, etc.
Example	SEO domain controller	SEO analyzer, meta writer, sitemap generator

Workflow Definition

Domain workflow declaration

workflows:
  full-audit:
    trigger: manual
    steps:
      - id: analyze
        agent: seo-analyzer
        inputs: { html_files: "$input.files" }
      - id: check-a11y
        agent: a11y-checker
        inputs: { html_files: "$input.files" }
        parallel: true         # Runs alongside 'analyze'
      - id: generate-fixes
        agent: seo-writer
        depends_on: [analyze, check-a11y]
        inputs:
          seo_report: "$steps.analyze.output"
          a11y_report: "$steps.check-a11y.output"
      - id: approve
        type: approval_gate
        depends_on: [generate-fixes]

Agent Base

The agent base blueprint defines the minimal contract every agent must satisfy — 5 standard endpoints, capability declaration, pub/sub integration, and operational behaviour (retry, circuit breaker, health reporting).

Required Endpoints

Endpoint	Auth	Purpose
`POST /v1/describe`	No	Return AgentManifest — identity, capabilities, I/O schema
`POST /v1/execute`	Yes	Execute a task, return signed TaskResult
`GET /v1/health`	No	Health check with metrics
`POST /v1/message`	Yes	Receive agent-to-agent messages
`POST /v1/services`	Yes	Accept service directory updates

Agent Types

Work agent (type: "agent") — domain-specific executor. Does the actual computation.
Domain controller (type: "domain") — workflow coordinator. Decomposes and routes.
Infrastructure agent (type: "infrastructure") — system service. Always running, hub-scoped.

Operational Behaviour

Registration: On startup, build manifest, sign it, POST to orchestrator, store the returned token
Health reporting: Respond to GET /v1/health within 1 second; include uptime, version, and queue depth
Concurrency: Respect max_concurrent from manifest — reject excess with 429
Graceful shutdown: Complete in-flight tasks, deregister from orchestrator, then exit
Service directory: Accept pushes from orchestrator; use for agent-to-agent messaging lookups

Application Gateway

The application gateway is the end-user edge — it sits between external clients (browsers, mobile apps, third-party services) and the internal agent network. It handles authentication, authorization, rate limiting, and request mediation.

Responsibilities

Session management: Create and validate user sessions (implements auth-session or auth-token patterns)
ABAC enforcement: Attribute-Based Access Control — evaluate policies against user attributes, resource attributes, and context
Rate limiting: Per-user, per-IP, per-endpoint rate limits with configurable windows
Route protection: Map external routes to internal agents; block undeclared routes
Request mediation: Transform external request format → internal TaskRequest; transform TaskResult → external response
CORS management: Enforce origin allowlists per route

Request Flow

Gateway request lifecycle

Client request
  → Rate limiter (429 if exceeded)
  → Authentication (401 if invalid)
  → ABAC policy evaluation (403 if denied)
  → Route resolution (404 if unmapped)
  → Request mediation (transform to TaskRequest)
  → Orchestrator /v1/task submission
  → Agent execution
  → Response mediation (transform from TaskResult)
  → Client response

Admin Gateway

The admin gateway is a completely separate entry point for platform operators. It runs on a different port (or network), uses different authentication, and enforces stricter controls than the application gateway.

Security Model

Separate network: MUST NOT share an ingress path with the application gateway
Ed25519 operator identity: Operators authenticate with their own Ed25519 keypair — not passwords
MFA required: Second factor verification for all state-changing operations
IP allowlist: Only whitelisted IP ranges can reach the admin gateway
4-eyes approval: Destructive operations (agent removal, policy changes, data deletion) require approval from a second operator
Role-based access: Operators have explicit roles — viewer, operator, admin, superadmin

Admin Operations

Category	Operations	Approval
Monitoring	View health, logs, metrics, audit trail	None
Configuration	Update policies, rate limits, CORS rules	None
Agent management	Force-deregister agent, restart, update	4-eyes
Security	Revoke tokens, rotate keys, block IPs	4-eyes
Data	Purge audit logs, delete agent storage	4-eyes + superadmin

Client Architecture

The client blueprint defines how external consumers (browsers, mobile apps, CLI tools, third-party services) interact with the platform — what they can see, what they can do, and what data boundaries apply.

Client Taxonomy

Client Type	Trust Level	Session Model	Data Access
Browser (SPA)	Low	Session cookie or short-lived JWT	User-scoped only
Mobile app	Low	Refresh token rotation	User-scoped only
Server-to-server	Medium	API key with scoped permissions	Scope-defined
Internal agent	High	WLT token from orchestrator	Capability-scoped
Federated hub	Variable	Federation token	Data boundary contract

Data Boundary Rules

Clients NEVER interact directly with agents — all traffic routes through the application gateway
Response payloads are filtered by the gateway based on client trust level and requested scope
Internal fields (agent IDs, trace IDs, raw task results) are stripped before client delivery
File access is proxied — clients receive signed URLs with expiry, never direct storage paths

Hub

The hub blueprint defines how a complete Weblisk deployment operates as a collaborative, discoverable unit — including marketplace participation, tiered access, commerce, and federation with other hubs.

Hub Capabilities

Discovery: Hub advertises its capabilities to the Weblisk marketplace for other hubs to find
Tiered access: Free tier (limited agents, rate-limited), Pro tier (full access, priority routing)
Commerce: Hub operators can charge for access to their agents via marketplace billing
Federation: Hub-to-hub collaboration with trust tiers and data boundary contracts (see Protocol — Federation)
Registry: Central registry of all local agents, domains, and workflows
Self-sovereignty: Hub operator has full control — no external dependency required to operate

Deployment Model

Hub deployment structure

hub/
├── orchestrator         # Central coordination
├── gateway/             # Application edge (port 443)
├── admin/               # Operator access (port 8443, separate network)
├── agents/
│   ├── infrastructure/  # 11 system agents (always running)
│   └── domains/         # Business domain controllers + work agents
├── storage/             # Agent-local SQLite databases
├── config/
│   ├── global.yaml      # Hub-level configuration
│   ├── policies/        # ABAC, rate-limit, safety policies
│   └── federation/      # Peer definitions, data boundaries
└── keys/                # Ed25519 keypairs (orchestrator + agents)

Lifecycle

The lifecycle blueprint defines the continuous optimisation loop — how the system observes, recommends, and acts on improvements over time. This is what makes a Weblisk deployment adaptive rather than static.

The Loop

Strategise: Operators define business strategies with measurable targets (via /v1/strategy)
Observe: Agents emit observations during task execution — measurements, anomalies, opportunities
Recommend: Agents propose changes based on observations and strategy alignment
Approve: Recommendations with approval: required wait for human sign-off
Execute: Approved recommendations are executed as new tasks
Measure: Results feed back into observations — the loop continues

Strategy Structure

Strategy definition

{
  "name": "improve-core-web-vitals",
  "status": "active",
  "targets": [
    { "metric": "lcp", "target": "< 2.5s", "current": "3.1s" },
    { "metric": "cls", "target": "< 0.1", "current": "0.05" }
  ],
  "agents": ["perf-analyzer", "image-optimizer", "css-optimizer"],
  "review_frequency": "weekly"
}

Supporting Components

The remaining 8 architecture blueprints define cross-cutting system concerns — persistence, testing, observability, CLI, and security layers.

Component	Specification
storage	Abstract persistence interface. Each agent owns its own SQLite database — no shared state. Schema migrations are versioned and agent-local. Backup and restore follow a standard protocol.
testing	Conformance test suite specification. Every architecture component and pattern has a verification checklist. Implementations must pass the suite to claim compliance.
observability	Structured JSON logging (levels, correlation IDs, rotation), distributed tracing via `trace_id` propagation, and Prometheus-compatible metrics endpoints. Every agent exposes `/metrics`.
cli	CLI operations specification — interrogation commands (list agents, show health, query audit), management commands (register, deregister, approve), and code generation commands (domain create, generate).
data-security	Transport security (TLS 1.3 minimum for production), scope-aware data boundaries (agent-local → domain → hub → federation), and opt-in data primitives (encryption at rest, field-level access control).
enforcement	Non-bypassable boundary inspection. The enforcement layer sits between the gateway and agents — validating that every request complies with declared policies before reaching any agent. Includes rogue agent detection (anomalous capability requests, traffic patterns).
threat-model	5-boundary attack surface analysis: client→gateway, gateway→orchestrator, orchestrator→agent, agent→agent, hub→hub. Each boundary maps to OWASP categories with specific mitigations. Includes residual risk documentation.
change-management	Versioning rules (semantic versioning for agents and blueprints), migration procedures (database schema, API versions), and deprecation lifecycle (announce → warn → sunset → remove with minimum 90-day windows).

These architecture blueprints define the structural contracts. For the implementation details of the server framework, see Server Framework. For the 38 cross-cutting patterns that these components inherit, see Pattern Specifications. For the runtime agents that implement these architectures, see the Agent Catalog.