
Architecture Overview

OneProtect is a multi-tenant MSSP SaaS control plane over composable open-source engines. Agents and connectors run inside tenant environments and perform discovery from there; there is no OneProtect campus and no OneProtect-owned discovery network that reaches into tenants.

Implemented foundation:

  • FastAPI api-service.
  • worker-service consuming NATS JetStream.
  • Postgres with row-level security (RLS) as the canonical tenant store.
  • NATS JetStream event spine.
  • Auth/session seam with OIDC JWT verification.
  • Local Keycloak profile for OIDC integration testing.
  • Next.js frontend.
  • Tenant-scoped integration destinations, credential references, and delivery policy.
  • DB-driven durable delivery retry scheduling.
  • Asset Discovery v1 contracts, plus Postgres/RLS storage and read APIs for asset identity, fingerprints, collectors, classification, telemetry, and command lifecycle.
  • Minimal asset heartbeat ingestion for tenant-scoped agent/collector identity facts.
  • Mock webhook sink for local delivery development.
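The two storage items above, the RLS tenant store and the DB-driven retry scheduling, are easiest to see together. The following is an added illustration, not OneProtect's own schema or code: table names, column names, the `app.tenant_id` session setting, the `delivery_worker` role and the backoff constants are all assumptions chosen for the example. The pattern itself is standard Postgres row-level security with a per-transaction tenant setting, plus a lease-based retry queue claimed with `FOR UPDATE SKIP LOCKED`.

```sql
-- Added illustration, not OneProtect's schema. Table names, column names, the
-- app.tenant_id session setting and the delivery_worker role are assumptions.

CREATE TABLE integration_destination (
    id             uuid PRIMARY KEY,
    tenant_id      uuid NOT NULL,
    url            text NOT NULL,
    credential_ref text NOT NULL   -- reference into a secret store, never the secret itself
);

CREATE TABLE delivery_attempt (
    id              uuid PRIMARY KEY,
    tenant_id       uuid NOT NULL,
    destination_id  uuid NOT NULL REFERENCES integration_destination (id),
    payload         jsonb NOT NULL,
    attempts        integer NOT NULL DEFAULT 0,
    max_attempts    integer NOT NULL DEFAULT 8,
    state           text NOT NULL DEFAULT 'pending',   -- pending | delivered | dead
    next_attempt_at timestamptz NOT NULL DEFAULT now(),
    locked_until    timestamptz                        -- lease held by a worker
);

-- Tenant isolation. FORCE makes the policy apply to the table owner too, so an
-- application role that owns the schema is not silently exempt. An unset or
-- empty setting becomes NULL, the predicate is NULL, and the query returns no
-- rows instead of another tenant's rows (fails closed).
ALTER TABLE integration_destination ENABLE ROW LEVEL SECURITY;
ALTER TABLE integration_destination FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON integration_destination
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

ALTER TABLE delivery_attempt ENABLE ROW LEVEL SECURITY;
ALTER TABLE delivery_attempt FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON delivery_attempt
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- The worker drains the queue for every tenant, so it gets a dedicated role with
-- its own permissive policy on the two tables it needs. Policies are OR-ed per
-- role, so the tenant policy still governs every other role.
CREATE ROLE delivery_worker NOLOGIN;
GRANT SELECT, UPDATE ON delivery_attempt TO delivery_worker;
GRANT SELECT ON integration_destination TO delivery_worker;
CREATE POLICY worker_drain ON delivery_attempt TO delivery_worker USING (true);
CREATE POLICY worker_read  ON integration_destination TO delivery_worker USING (true);

-- API request path: tenant is set for this transaction only, after the caller's
-- token has been verified. SET LOCAL reverts at COMMIT/ROLLBACK, so a pooled
-- connection cannot carry one request's tenant into the next request. tenant_id
-- is still written explicitly; WITH CHECK rejects a value that does not match.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO integration_destination (id, tenant_id, url, credential_ref)
VALUES ('aaaaaaaa-0000-0000-0000-000000000001',
        '11111111-1111-1111-1111-111111111111',
        'https://sink.example.test/hook', 'secret://tenant-1/webhook-token');
INSERT INTO delivery_attempt (id, tenant_id, destination_id, payload)
VALUES ('bbbbbbbb-0000-0000-0000-000000000001',
        '11111111-1111-1111-1111-111111111111',
        'aaaaaaaa-0000-0000-0000-000000000001',
        '{"event": "asset.heartbeat", "asset_id": "host-42"}');   -- constructed sample event
COMMIT;

-- Worker (as delivery_worker): claim a batch of due attempts. SKIP LOCKED lets
-- several workers run concurrently without handing out the same row twice; the
-- locked_until lease means a crashed worker's rows become claimable again.
WITH due AS (
    SELECT id
    FROM delivery_attempt
    WHERE state = 'pending'
      AND next_attempt_at <= now()
      AND (locked_until IS NULL OR locked_until < now())
    ORDER BY next_attempt_at
    LIMIT 50
    FOR UPDATE SKIP LOCKED
)
UPDATE delivery_attempt AS d
SET attempts     = d.attempts + 1,
    locked_until = now() + interval '2 minutes'
FROM due
WHERE d.id = due.id
RETURNING d.id, d.tenant_id, d.destination_id, d.payload, d.attempts;

-- Failed delivery of attempt $1: exponential backoff from 30 s, doubling per
-- attempt, capped at one hour, plus up to 10 s of jitter so a recovering sink is
-- not hit by every retry at once. Once max_attempts is exhausted the row is
-- parked as 'dead' for an operator, instead of retrying forever.
UPDATE delivery_attempt
SET locked_until    = NULL,
    state           = CASE WHEN attempts >= max_attempts THEN 'dead' ELSE 'pending' END,
    next_attempt_at = now()
                    + LEAST(interval '1 hour', interval '30 seconds' * power(2, attempts - 1))
                    + random() * interval '10 seconds'
WHERE id = $1 AND state = 'pending';

-- Successful delivery of attempt $1.
UPDATE delivery_attempt
SET state = 'delivered', locked_until = NULL
WHERE id = $1 AND state = 'pending';
```

Two checks worth running against a real deployment of this pattern: connect as the application role without setting `app.tenant_id` and confirm every tenant-scoped `SELECT` returns zero rows, and run two workers against the same due batch and confirm no `delivery_attempt` id is returned to both.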

Phase 1 planning now includes:

  • Agent enrollment with a tenant-scoped enrollment token, with a token-for-certificate exchange and mTLS device identity to follow.
  • SCIM 2.0 for user/group lifecycle provisioning.
  • OneProtect internal ticketing as the canonical ticket/work-item module.
  • Active/passive asset discovery authorization contracts.
  • Auditor export controls, watermarking, export hashes, read-action audit, and PII/PHI redaction.
  • SOC 2, HIPAA, and GLBA starter policy catalog with OneProtect-managed and tenant-managed policy ownership.
  • Platform-managed per-tenant envelope encryption keys for exports, evidence objects, SSH recordings, and sensitive identity metadata.
  • AWS primary deployment architecture decisions.
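The enrollment-token item above is a plan, not an implemented contract, so the following is an added illustration of one way the single-use, expiring, tenant-scoped token step can be made atomic in the Postgres/RLS store, and is not OneProtect's own schema. The table name, the decision to store only a SHA-256 hash of the token, the `$1`/`$2` parameters, and the 24-hour lifetime are assumptions; `gen_random_uuid()` assumes Postgres 13 or later.

```sql
-- Added illustration of the planned enrollment-token step, not OneProtect's
-- schema. Table and column names, the hashing choice and the parameters are
-- assumptions for the example.

CREATE TABLE enrollment_token (
    id               uuid PRIMARY KEY,
    tenant_id        uuid NOT NULL,
    token_hash       bytea NOT NULL UNIQUE,  -- sha256 of the token; the raw token is never stored
    expires_at       timestamptz NOT NULL,
    used_at          timestamptz,
    used_by_agent_id uuid
);

-- Minting, under the operator's tenant context (same app.tenant_id setting as
-- the rest of the tenant store). $1 is the sha256 of a token the API generated
-- from a CSPRNG (for example 32 random bytes, base64url-encoded). The raw token
-- is shown to the operator once and never persisted, so a read of this table
-- does not yield anything an attacker can enroll with.
INSERT INTO enrollment_token (id, tenant_id, token_hash, expires_at)
VALUES (gen_random_uuid(),
        NULLIF(current_setting('app.tenant_id', true), '')::uuid,
        $1,
        now() + interval '24 hours')
RETURNING id, expires_at;

-- Redemption by an agent. The agent has no tenant context yet, so the tenant is
-- derived from the token row; the enrollment endpoint therefore needs a role
-- whose policy on this one table is not keyed on app.tenant_id (an assumption,
-- mirroring the worker role above). The single UPDATE is the whole check: an
-- unknown, expired or already-used token updates zero rows, and two agents
-- racing on the same token cannot both win, because the second writer waits on
-- the row lock and then re-evaluates WHERE against the already-used row.
-- $1 = sha256 of the presented token, $2 = the enrolling agent's identity.
UPDATE enrollment_token
SET used_at = now(), used_by_agent_id = $2
WHERE token_hash = $1
  AND used_at IS NULL
  AND expires_at > now()
RETURNING tenant_id, id;
-- zero rows -> reject with one generic error; do not reveal which condition failed
-- one row   -> bind the agent to tenant_id; the later token-for-certificate
--              exchange would issue the mTLS device identity under that tenant
```

The property to verify is that redemption never succeeds twice: fire two redemptions of the same token concurrently and confirm exactly one `RETURNING` row comes back, and confirm a token minted under one tenant's context can never return a different `tenant_id`.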

Planned engines and infrastructure:

  • osquery/Fleet for endpoint facts after contract review.
  • OpenTelemetry Collector for telemetry after contract review.
  • Managed OIDC or separately operated Keycloak for production IdP realm/client lifecycle.
  • OPA for policy.
  • Prometheus/Loki/Grafana for observability.
  • OpenSearch for log/search workloads if accepted by ADR.
  • TimescaleDB/Timestream for time-series workloads if accepted by ADR.
  • S3 with per-tenant KMS keys for evidence/object storage, using ADR-0018 key references once runtime storage is scoped.
  • MSK/Kinesis or NATS JetStream for production event backbone after ADR review.

See source docs: docs/architecture/composable-architecture.md, docs/architecture/service-boundaries.md, docs/architecture/bounded-contexts.md, and docs/client-response/phase1-architectural-response-summary.md.