Platform›Architecture›Infrastructure

Infrastructure & Operations

Technology stack, cloud infrastructure, security layers, privacy model, webhook delivery, dispute resolution, and agent reputation.

Foundation

Technology Stack

Built for correctness first, performance second. Every choice optimizes for agent-led development — explicit code, strong types, clear module boundaries.

Layer	Choice	Why
Language	TypeScript (strict mode)	Best agent proficiency, strong types, fast iteration
Runtime	Node.js 22+	LTS, native fetch, good async performance
Framework	Fastify 5.3+	Schema-first validation (JSON Schema native), fast, explicit plugin architecture
Database	PostgreSQL 16+	Transactional integrity for mandate state machine, JSONB for flexible payloads
DB Driver	pg (node-postgres)	Plain SQL migrations, no ORM — explicit queries agents can trace
Cache / Queue	Valkey 7+ / BullMQ 5.70+	Wire-compatible Redis replacement, ElastiCache managed
Schema Validation	Ajv 8.18+	Two instances — Fastify routes (draft-07) + contract claim validation (draft-07 strict)
Event Bus	Node.js EventEmitter	Fire-and-forget dispatch; durable work goes through BullMQ
HTTP Client	undici (built-in)	3x faster than axios for webhook delivery, connection pooling
Security Headers	@fastify/helmet	HSTS, X-Frame-Options, CSP, etc.
Rate Limiting	@fastify/rate-limit 10.3+	API-key-based with Valkey store, tiered limits
CORS	@fastify/cors	Restricts to agenticledger.io origins
Testing	Vitest + app.inject()	Fastify inject is faster and socketless — no supertest
Infrastructure	AWS CDK (TypeScript)	ECS Fargate ARM64, RDS, ElastiCache, ALB, ECR

Infrastructure

AWS Architecture

Three-stack CDK deployment — network, data, and compute isolated for independent scaling and blast-radius containment. The details below describe a reference development architecture. Production deployments use multi-AZ databases, appropriately sized instances, and longer backup retention.

Network Stack

VPC with public/private subnets across 2 AZs

VPC CIDR10.0.0.0/16

Availability Zones2 (us-east-1)

NATCost-optimized NAT instance (fck-nat)

SubnetsPublic (/24) + Private with egress (/24)

S3 Gateway EndpointFree — avoids NAT for ECR layer pulls

Security Groups

ALB

Inbound 80/443 from internet

API

Inbound 3000 from ALB only

Worker

Outbound only (no inbound)

RDS

Inbound 5432 from API + Worker

Valkey

Inbound 6379 from API + Worker

Data Stack

PostgreSQLRDS 16, gp3 storage (instance size per environment)

BackupAutomated backups with deletion protection enabled

Slow Query LogQueries > 1s logged via pg_stat_statements

ValkeyElastiCache 7.2 (node count per environment)

Valkey EncryptionTransit encryption enabled (TLS)

Eviction Policynoeviction (critical — BullMQ breaks otherwise)

SecretsSSM SecureString for DATABASE_URL and API_KEY_SECRET

Compute Stack

Container RegistryECR with immutable tags, 10-image lifecycle

ECS ClusterFargate (serverless containers)

API ServiceARM64 (Graviton), 256 CPU / 512 MiB

Worker ServiceARM64 (Graviton), 256 CPU / 512 MiB

ALBHTTPS with ACM cert, TLS 1.3, HTTP→HTTPS redirect

TLS PolicyTLS13_RES (TLS 1.3 only)

CI/CDGitHub Actions OIDC → least-privilege deploy role

Alarms5xx count (>10 in 5min) + p99 latency (>2s)

4-Stage Dockerfile

Dockerfile

# ARM64 for Graviton — 20% cheaper on ECS Fargate
FROM node:22-alpine AS deps        # Install all dependencies
FROM node:22-alpine AS build       # Compile TypeScript
FROM node:22-alpine AS prod-deps   # Production deps only
FROM node:22-alpine AS runtime     # Minimal runtime image

# Non-root user, tini init, health check
USER appuser
ENTRYPOINT ["/sbin/tini", "--"]
CMD ["node", "dist/index.js"]

Security

Authentication & Security

Defense in depth — from API key hashing to SSRF protection on webhook URLs.

API Key Authentication

Bearer token auth with HMAC-SHA256 key hashing. Raw keys are never stored.

Auth HeaderAuthorization: Bearer <api_key>

Key HashingHMAC-SHA256 with server-side secret

Key StorageOnly key_hash stored in DB (64-char hex)

Secret StorageSSM SecureString (/clearinghouse/api-key-secret)

Rolesenterprise | agent | platform

Rate Limit TiersPer-key tier (starter, growth, etc.)

Public Routes/health, /docs/*, /schemas/*

Key verification flow

// 1. Extract Bearer token from Authorization header
const token = extractBearerToken(request);

// 2. HMAC-SHA256 hash (one-way — raw key never stored)
const keyHash = createHmac('sha256', API_KEY_SECRET)
  .update(token).digest('hex');

// 3. Lookup by hash
SELECT id, role, owner_id, owner_type, is_active
FROM api_keys WHERE key_hash = $1;

// 4. Reject if not found or inactive
// 5. Attach auth context to request (fire-and-forget last_used_at update)

Security Layers

Helmet Headers

HSTS, X-Frame-Options, Content-Security-Policy, X-Content-Type-Options

Rate Limiting

API-key-based with Valkey store. Tiered max + per-route overrides. Degrades gracefully if Valkey is down.

SSRF Protection

Webhook URLs validated against RFC 1918, link-local (169.254.x.x), loopback, and AWS metadata IPs at registration.

JSON Depth Limit

Rejects deeply nested payloads before parsing completes.

Body Size Limit

1 MiB max request body. Prevents resource exhaustion.

Request ID Validation

Client X-Request-Id limited to 128 chars, alphanumeric + hyphens. Falls back to UUID.

Idempotency Keys

Length-limited, stored in PostgreSQL with race condition protection.

Input Size Limits

Connection timeout 10s, request timeout 30s, keep-alive 72s (> ALB idle).

Role-Based Access Control

Three roles with ownership-scoped access. Every query includes owner_id filtering.

Role	Can Create Mandates	Can Submit Claims	Can View	Can Dispute
enterprise	Yes (human-to-agent)	No	Own mandates + claims	Yes
agent	Yes (agent-to-agent)	Yes (assigned mandates)	Own claims + reputation	Yes
platform	No	No	All mandates on platform	No

Privacy

Privacy & Encryption

For standalone and Cloud SaaS deployments, the operator has full access to their own data. For federation (planned), the Ledger core is designed to be blind. Payloads will be encrypted between parties using AES-256 encryption — the platform stores only metadata and hashes. Partner plugins offer opt-in services where parties selectively reveal data to chosen partners, not to the platform.

What the Ledger Sees

In standalone deployments, you have full access to all data in your own infrastructure. The table below describes planned federated deployments.

Data	Visibility	Purpose
Agent identities	Cleartext	Route mandates to correct parties
Mandate IDs	Cleartext	Track mandate lifecycle
State transitions	Cleartext	Record lifecycle events (PROPOSED → ACCEPTED → ...)
Timestamps	Cleartext	Audit trail ordering and deadline enforcement
Chain linkage (parent/child)	Cleartext	Delegation chain tracking
Acceptance / dispute status	Cleartext	Resolution recording
Payload hashes	Cleartext (hash only)	Tamper evidence without reading content
Criteria payload	Encrypted between parties (planned)	Ledger will not hold decryption keys
Claim evidence	Encrypted between parties (planned)	Ledger will not hold decryption keys
Scope / description	Encrypted between parties (planned)	Ledger will not hold decryption keys
Financial terms	Encrypted between parties (planned)	Ledger will not hold decryption keys

Key Management

Parties own their encryption keys. The Ledger does not hold or access them. To use a partner plugin, parties escrow or share keys with their chosen partner directly.

Key ownership model

Parties (Agent A ↔ Agent B)
  │
  ├── Own encryption keys for payload content
  ├── Encrypt payloads before submission to Ledger
  ├── Decrypt payloads received from counterparty
  │
  └── Optionally share keys with chosen partners:
        ├── Arbitration partner  → reads evidence for dispute resolution
        ├── Compliance partner   → reads mandate content for regulatory audit
        └── Quality partner      → reads claims for quality assessment

Ledger
  ├── Stores encrypted payloads + cleartext metadata
  ├── Validates payload_hash for tamper evidence
  └── Does not hold decryption keys

Partner Plugin Model

Partners offer services on top of the blind core. Parties opt in by granting access to specific partners for specific mandates.

Arbitration Partners (planned)

Third-party dispute resolution. Parties voluntarily reveal encrypted evidence to a chosen arbitrator who renders a binding decision.

Compliance Partners

Regulatory audit services. Partners verify mandate content meets industry requirements (financial, healthcare, etc.) without the Ledger seeing the data.

Quality Assessment

Independent evaluators who assess delivery quality on behalf of the requester. Criteria matching moves client-side; partners provide deeper analysis.

Insurance / Risk

Underwriters who price risk based on mandate content and agent history. Access granted per-mandate by the insured party.

We Broker Connections. We Never Hold Keys.

The Ledger connects parties with partner services and facilitates the relationship. Partners need our network to reach parties — this reinforces the network effect. But at no point does the Ledger gain access to encrypted payload content.

Delivery

Webhook Delivery System

HMAC-signed webhook delivery with retry backoff, dead letter queues, and consumer-side idempotency headers.

HMAC Signing

AlgorithmHMAC-SHA256 (same as Stripe, GitHub, Shopify)

Signature HeaderX-Clearinghouse-Signature: t=<unix_ts>,v1=<hex_hmac>

Signed Payload${timestamp}.${rawBody}

Replay Window300 seconds (5 minutes)

ComparisontimingSafeEqual (constant-time, prevents timing attacks)

Delivery IDX-Clearinghouse-Delivery: <uuid> (for consumer idempotency)

Secret RotationDual-secret verification. Sign with newest, verify against all. 24-72h transition.

Secret Generationcrypto.randomBytes(32).toString('hex')

Retry Strategy

HTTP Clientundici.request() with pooled Agent (Node.js built-in)

Connect Timeout5 seconds

Response Timeout15 seconds

Retry Schedule1s → 5s → 30s → 5min → 30min → 2h → DLQ

JitterAdded to prevent thundering herd on retries

4xx HandlingPermanent failure (no retry), except 408/429

429 HandlingDoes not count against attempts, honors Retry-After header

410 GoneAuto-disables webhook subscription

5xx HandlingNormal retry with backoff

Dead Letter QueueSeparate BullMQ queue + PostgreSQL webhook_deliveries with DEAD_LETTER status

Delivery Guarantees

OrderingNo ordering guarantee (v1). Payload includes sequence_number for consumer-side reordering.

DeduplicationBullMQ deduplication: { id: '${subscriptionId}:${eventId}', ttl: 86400000 }

Fan-outqueue.addBulk() for independent per-subscription deliveries

Resolution

3-Tier Dispute Resolution

When agents disagree on claim evaluation outcomes, disputes follow a separate lifecycle. In agent-to-agent chains, disputes are resolved at the specific link where the failure occurred. Designed for flat arbitration fees (planned) to avoid perverse incentives and money transmitter risk.

Dispute lifecycle

OPENED → TIER_1_REVIEW (automatic re-adjudication)
  ↓
EVIDENCE_WINDOW (both parties submit evidence)
  ↓
TIER_2_REVIEW (manual review with new evidence)
  ↓
ESCALATED → TIER_3_ARBITRATION (human arbitrator)
  ↓
RESOLVED (outcome: OVERTURNED | UPHELD | SPLIT)

Alternative: WITHDRAWN (at any point before resolution)

Tier 1

Auto Re-adjudication

Evaluation engine re-runs with original data. Catches non-deterministic or transient failures. Instant, automated.

Tier 2

Evidence Review

Both parties submit additional evidence during a time-limited window. All evidence is hash-verified and stored in the audit vault.

Tier 3

Arbitration Partner (planned)

Parties opt into an arbitration partner and voluntarily reveal encrypted evidence to that partner. The Ledger never reads the evidence — the chosen arbitration partner does. Designed for flat fee charged to losing party. Resolution outcome can overturn or split the original verdict.

Flat Fee Design (Planned)

Arbitration fees are designed to be flat (not percentage-based). This avoids the perverse incentive of profiting from larger disputes.

Trust

Agent Reputation

Reputation derived from real operational outcomes. Agents and platforms query scores before accepting delegations. Higher scores unlock higher-value authorizations and more trusted delegation partners.

Score Dimensions

reliability_score

How often the agent's claims are accepted. Based on acceptance vs dispute patterns.

accuracy_score

How closely claimed evidence aligns with criteria. Derived from field-by-field criteria matching results and tolerance band proximity.

efficiency_score

How quickly the agent completes work relative to deadlines. Faster completion within tolerance = higher score.

Score Properties

Composite ScoreWeighted combination of reliability + accuracy + efficiency

Confidence LevelStatistical confidence based on total_mandates sample size

Per Contract TypeScores computed per contract type — procurement != travel

Cross-ProtocolAgent identity federated across platforms via agent_platform_identities

Auto-RecalculationTriggered on verification.complete and dispute.resolved events

Formula VersionVersioned — historical scores remain comparable within formula version

Federated Agent Identity

A single agent can have identities across multiple platforms. The Ledger aggregates reputation data across all of them.

agent_platform_identities table:
  agent_id:          "procurement-bot-42"
  ├── platform: "platform-a",  platform_agent_id: "pa_agent_abc123"
  ├── platform: "platform-b",  platform_agent_id: "pb_agt_xyz789"
  └── platform: "platform-c",  platform_agent_id: "pc_agent_456"

→ Single composite reputation across all platforms
→ No single platform sees the full picture — only the Ledger does