Platform Architecture
This guide provides a comprehensive overview of the ASCEND platform architecture, helping you understand how components interact and how to design integrations effectively.
High-Level Architecture
ASCEND follows a layered architecture designed for enterprise-scale deployments:
┌──────────────────────────────────────────────────────────────────────────────┐
│ CLIENT LAYER │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ Python SDK │ │ Node.js SDK │ │ Boto3 Wrapper │ │
│ │ (ascend-ai) │ │ (@ascend-ai/sdk) │ │ (ascend-boto3) │ │
│ └───────┬────────┘ └───────┬────────┘ └───────┬────────┘ │
│ │ │ │ │
│ └───────────────────┴───────────────────┘ │
│ │ │
│ ┌───────────────────────────▼───────────────────────────────────────────┐ │
│ │ REST API (HTTPS) │ │
│ │ https://pilot.owkai.app/api │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ GATEWAY LAYER │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ AWS ALB │ │ Rate Limiter │ │ WAF Rules │ │
│ │ (Load Balancer)│ │ (SlowAPI+Redis)│ │ │ │
│ └───────┬────────┘ └───────┬────────┘ └───────┬────────┘ │
│ └───────────────────┴───────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ APPLICATION LAYER │
│ │
│ ┌─────────────────────────────────────────────────────────────────────────┐ │
│ │ FastAPI Application │ │
│ │ │ │
│ │ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌─────────────┐ │ │
│ │ │ Auth │ │ Action │ │ Policy │ │ Alert │ │ │
│ │ │ Routes │ │ Routes │ │ Routes │ │ Routes │ │ │
│ │ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ └──────┬──────┘ │ │
│ │ │ │ │ │ │ │
│ │ ┌──────▼─────────────────▼─────────────────▼─────────────────▼──────┐ │ │
│ │ │ SERVICE LAYER │ │ │
│ │ │ │ │ │
│ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │
│ │ │ │ Token │ │ Policy │ │ Risk │ │ │ │
│ │ │ │ Service │ │ Engine │ │ Calculator │ │ │ │
│ │ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │
│ │ │ │ │ │
│ │ │ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │ │ │
│ │ │ │ Audit │ │ Approval │ │ Workflow │ │ │ │
│ │ │ │ Service │ │ Service │ │ Engine │ │ │ │
│ │ │ └─────────────┘ └─────────────┘ └─────────────┘ │ │ │
│ │ │ │ │ │
│ │ └────────────────────────────────────────────────────────────────────┘ │ │
│ │ │ │
│ └─────────────────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────────┐
│ DATA LAYER │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ PostgreSQL │ │ Redis │ │ S3 │ │
│ │ (RDS 15+) │ │ (ElastiCache) │ │ (Audit Logs) │ │
│ │ │ │ │ │ │ │
│ │ • Row-Level │ │ • Session │ │ • WORM Storage │ │
│ │ Security │ │ Cache │ │ • Compliance │ │
│ │ • Multi-tenant │ │ • Rate Limits │ │ Exports │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ │
└──────────────────────────────────────────────────────────────────────────────┘
Component Details
Client Layer
The client layer provides multiple integration options for connecting to ASCEND.
SDKs
| SDK | Language | Package | Key Features |
|---|---|---|---|
| Python | Python 3.9+ | ascend-ai-sdk | Async support, circuit breaker, MCP integration |
| Node.js | Node 18+ | @ascend-ai/sdk | TypeScript, Promise-based, streaming |
| Boto3 Wrapper | Python | ascend-boto3-wrapper | Zero-code AWS governance |
Direct API
For languages without SDK support, use the REST API directly:
# Example: Evaluate an action
curl -X POST https://pilot.owkai.app/api/authorization/agent-action \
-H "X-API-Key: your_api_key" \
-H "Content-Type: application/json" \
-d '{
"agent_id": "my-agent",
"action_type": "data_access",
"resource": "customer_db",
"action_details": {"query": "SELECT * FROM users"}
}'
Gateway Layer
The gateway layer terminates client connections and handles load balancing (AWS ALB), rate limiting (SlowAPI backed by Redis), and WAF filtering; the authentication methods below are checked on every request before it reaches the application routes.
Authentication Methods
| Method | Use Case | Header |
|---|---|---|
| API Key | Programmatic access (SDKs, scripts) | X-API-Key: your_key |
| JWT Token | User sessions (console, OAuth) | Authorization: Bearer token |
| Cognito | SSO/SAML integration | Authorization: Bearer token (Cognito-issued JWT) |
Rate Limiting
Rate limits protect the platform and ensure fair usage:
| Tier | Requests/Second | Burst | Headers |
|---|---|---|---|
| Standard | 100 | 200 | X-RateLimit-Limit, X-RateLimit-Remaining |
| Enterprise | 1000 | 2000 | Customizable |
The SDKs retry rate-limited responses automatically with exponential backoff. Callers using the REST API directly must implement the same retry logic themselves, and should read X-RateLimit-Remaining to throttle proactively rather than waiting for rejections.
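The following is an added example of the client-side retry logic a direct REST caller needs; it is not code from the ASCEND SDK. It assumes the rate limiter rejects over-limit requests with HTTP 429 (optionally with a Retry-After header) and that the X-RateLimit-* headers are the ones in the table above. The fake server is constructed so the block runs offline; `http_send` shows the real request shape but is not exercised.

```python
"""Client-side handling of ASCEND rate limits for callers that use the REST API
directly instead of an SDK.

Added example, not code from the ASCEND SDK. Assumptions: the rate limiter
answers an over-limit request with HTTP 429 and may send a Retry-After header;
the X-RateLimit-* headers are as listed in the table above.
"""
import json
import random
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

API_URL = "https://pilot.owkai.app/api/authorization/agent-action"

# (status, headers, body) as returned by one attempt
Response = Tuple[int, Dict[str, str], bytes]

# 429 is the throttle response; 5xx are treated as transient. Caveat: a retried
# request that the server did in fact process can create a duplicate pending
# approval request or audit entry, so drop the 5xx codes if that is unacceptable.
RETRYABLE = {429, 500, 502, 503, 504}


def backoff_delay(attempt: int, headers: Dict[str, str],
                  base: float = 0.5, cap: float = 30.0) -> float:
    """Seconds to wait before retry number `attempt` (1-based).

    A numeric Retry-After wins; otherwise exponential backoff with full jitter,
    capped, so a fleet of agents does not retry in lockstep.
    """
    retry_after = headers.get("Retry-After")
    if retry_after is not None:
        try:
            return max(0.0, float(retry_after))
        except ValueError:
            pass  # HTTP-date form; fall through to computed backoff
    return random.uniform(0.0, min(cap, base * (2 ** (attempt - 1))))


def call_with_backoff(send: Callable[[], Response], max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep) -> Response:
    """Invoke `send` until it returns a non-retryable status or attempts run out."""
    last_status = 0
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status not in RETRYABLE:
            return status, headers, body
        last_status = status
        if attempt < max_attempts:
            sleep(backoff_delay(attempt, headers))
    raise RuntimeError(f"gave up after {max_attempts} attempts, last status {last_status}")


def http_send(payload: dict, api_key: str) -> Callable[[], Response]:
    """Build a `send` callable for the real endpoint (not exercised offline)."""
    def send() -> Response:
        req = urllib.request.Request(
            API_URL, data=json.dumps(payload).encode(), method="POST",
            headers={"X-API-Key": api_key, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, dict(resp.headers), resp.read()
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), err.read()
    return send


def fake_rate_limited_server(limited_responses: int) -> Callable[[], Response]:
    """Constructed stand-in for the API: 429 `limited_responses` times, then 200."""
    calls = {"n": 0}

    def send() -> Response:
        calls["n"] += 1
        if calls["n"] <= limited_responses:
            return (429, {"Retry-After": "1", "X-RateLimit-Remaining": "0"},
                    b'{"detail": "rate limit exceeded"}')
        return (200, {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "99"},
                b'{"action_id": "act_demo", "decision": "allowed"}')
    return send


def demo(limited_responses: int = 2) -> dict:
    """Run the retry loop against the fake server, recording sleeps instead of sleeping."""
    waits: List[float] = []
    status, headers, body = call_with_backoff(
        fake_rate_limited_server(limited_responses), sleep=waits.append)
    return {"status": status, "retries": len(waits), "waits": waits,
            "remaining": int(headers["X-RateLimit-Remaining"]),
            "decision": json.loads(body)["decision"]}


if __name__ == "__main__":
    print(demo())
```

The `sleep` parameter is injected so the loop can be tested without waiting; in production leave it at `time.sleep`. Jitter matters more than the exact base delay: many agents hitting the same limit at once and retrying after identical intervals simply move the burst, which is what the full-jitter formula avoids.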
Application Layer
The application layer contains the core business logic.
API Routes (200+ Endpoints)
| Category | Endpoints | Purpose |
|---|---|---|
| Authentication | 30+ | Login, logout, token management, MFA |
| Agent Actions | 20+ | Action submission, evaluation, status |
| Agent Registry | 12 | Agent registration and management |
| Policies | 15+ | Policy CRUD and evaluation |
| Alerts | 14+ | Alert management and acknowledgment |
| Analytics | 25+ | Dashboards, metrics, reporting |
| Admin | 60+ | Organization, user, billing management |
| Webhooks | 10 | Event notification configuration |
Service Layer
Critical services that power the platform:
Token Service
- RS256 JWT token generation and validation
- Multi-pool Cognito support
- Token refresh and revocation
Policy Engine
- Rule evaluation and matching
- Conflict detection
- Priority-based processing
Risk Calculator
- Multi-factor risk assessment
- ML-based prediction (optional)
- Custom risk model support
Audit Service
- Immutable WORM logging
- Hash-chain integrity
- Compliance export (SOC 2, HIPAA)
Data Layer
The data layer provides persistent storage with enterprise-grade security.
PostgreSQL Database
| Feature | Implementation |
|---|---|
| Multi-tenancy | Row-Level Security (RLS) keyed on org_id. RLS policies do not apply to superusers or to the table owner unless FORCE ROW LEVEL SECURITY is set, so the application must connect as a dedicated non-owner role for the isolation to hold |
| Encryption | AES-256 at rest, TLS 1.3 in transit |
| Backup | Automated daily backups, 30-day retention |
| High Availability | Multi-AZ deployment |
Core Tables (28+)
organizations # Tenant information
users # User accounts
api_keys # Hashed API keys (SHA-256)
agents # Registered agents
agent_actions # Action history
pending_agent_actions # Actions awaiting approval
enterprise_policies # Policy definitions
alerts # Security alerts
log_audit_trails # Immutable audit logs
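As an added illustration of the api_keys row above (hashed keys, SHA-256), the block below shows the issue/verify/revoke lifecycle with only the hash persisted. It is not ASCEND's code: the "ask_" key marker, the displayed prefix used for revocation, and the in-memory dict standing in for the table are assumptions.

```python
"""API-key issuance and validation backed by SHA-256 hashes, as the api_keys
table above stores them.

Added example, not ASCEND's code. The key format (an "ask_" marker followed by
32 random bytes), the displayed prefix and the in-memory store standing in for
the table are assumptions.
"""
import hashlib
import secrets
from typing import Dict, Optional

KEY_MARKER = "ask_"   # assumed; a fixed marker lets secret scanners spot leaked keys
PREFIX_LEN = 10       # assumed; the part shown in a console so operators can pick a key


def key_digest(raw_key: str) -> str:
    return hashlib.sha256(raw_key.encode()).hexdigest()


def issue_key(org_id: str, store: Dict[str, dict]) -> str:
    """Mint a key for `org_id`, persist only its hash, return the plaintext once.

    Plain SHA-256 (no salt, no stretching) is adequate here, unlike for
    passwords, because the key carries 256 bits of CSPRNG entropy: an attacker
    holding the api_keys table cannot enumerate the preimage. Do not reuse this
    for anything a human chose.
    """
    raw_key = KEY_MARKER + secrets.token_urlsafe(32)
    store[key_digest(raw_key)] = {
        "org_id": org_id, "prefix": raw_key[:PREFIX_LEN], "revoked": False}
    return raw_key


def verify_key(presented: str, store: Dict[str, dict]) -> Optional[str]:
    """Return the owning org_id for a live key, None for unknown or revoked keys.

    The lookup is by digest (as in SELECT ... WHERE key_hash = $1), so the
    plaintext never reaches the database and a table dump yields no usable keys.
    """
    row = store.get(key_digest(presented))
    if row is None or row["revoked"]:
        return None
    return row["org_id"]


def revoke_key(prefix: str, store: Dict[str, dict]) -> int:
    """Revoke every key with the given displayed prefix; returns how many.

    Rows are flagged rather than deleted so audit entries that reference the
    key stay resolvable.
    """
    count = 0
    for row in store.values():
        if row["prefix"] == prefix and not row["revoked"]:
            row["revoked"] = True
            count += 1
    return count


def rotate_key(old_key: str, store: Dict[str, dict]) -> Optional[str]:
    """Issue a replacement for a live key and revoke the old one in one step."""
    org_id = verify_key(old_key, store)
    if org_id is None:
        return None
    new_key = issue_key(org_id, store)
    revoke_key(old_key[:PREFIX_LEN], store)
    return new_key
```

Because the digest is the lookup key, the Redis-cached or database row never contains the secret; what a compromised replica leaks is a list of SHA-256 values that cannot be reversed into working keys. Revocation takes effect on the next lookup, but only if the validation result is not itself cached longer than the revocation window.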
Redis Cache
| Use Case | TTL | Purpose |
|---|---|---|
| Session data | 30 min | User session management |
| Rate limits | 1 min | Request throttling |
| Policy cache | 5 min | Reduce database load |
| JWT validation | 15 min | Token verification caching; a revoked token can keep being accepted until its cached result expires unless revocation also evicts the cache entry |
S3 Storage
| Bucket | Purpose | Retention |
|---|---|---|
| Audit Logs | WORM compliance storage | 7 years |
| Compliance Exports | SOC 2, HIPAA reports | 5 years |
| Backups | Disaster recovery | 90 days |
Request Flow
Understanding the request flow helps you design effective integrations.
Action Evaluation Flow
1. SDK Request
┌─────────────────────────────────────────────────────────┐
│ client.evaluate_action( │
│ action_type="database.query", │
│ resource="production_db", │
│ parameters={"sql": "SELECT * FROM users"} │
│ ) │
└─────────────────────────────────────────────────────────┘
│
▼
2. Authentication (Gateway)
┌─────────────────────────────────────────────────────────┐
│ • Validate API key │
│ • Check rate limits │
│ • Verify organization membership │
└─────────────────────────────────────────────────────────┘
│
▼
3. Authorization Route (Application)
┌─────────────────────────────────────────────────────────┐
│ POST /api/authorization/agent-action │
│ • Parse request body │
│ • Validate input schema │
│ • Extract organization context │
└─────────────────────────────────────────────────────────┘
│
▼
4. Policy Evaluation (Service)
┌─────────────────────────────────────────────────────────┐
│ Policy Engine │
│ • Load applicable policies │
│ • Match conditions against action │
│ • Determine highest-priority match │
└─────────────────────────────────────────────────────────┘
│
▼
5. Risk Calculation (Service)
┌─────────────────────────────────────────────────────────┐
│ Risk Calculator │
│ • Base score from action type │
│ • Adjust for resource sensitivity │
│ • Factor in agent trust level │
│ • Apply historical behavior modifiers │
└─────────────────────────────────────────────────────────┘
│
▼
6. Decision (Service)
┌─────────────────────────────────────────────────────────┐
│ • Combine policy result + risk score │
│ • Generate action_id │
│ • If pending: create approval request │
│ • Create audit log entry │
└─────────────────────────────────────────────────────────┘
│
▼
7. Response
┌─────────────────────────────────────────────────────────┐
│ { │
│ "action_id": "act_abc123", │
│ "decision": "allowed", │
│ "risk_score": 35, │
│ "reason": "Policy: Allow read-only queries" │
│ } │
└─────────────────────────────────────────────────────────┘
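The block below is an added example that walks steps 4 to 6 of the flow above in working code: match policies, pick the highest-priority one, score the risk from the four factors listed, and combine both into the response shape shown in step 7. It is not ASCEND's policy engine or risk model. The policy fields, the base scores, the sensitivity and trust weights, the conflict resolution rule and the 70-point approval threshold are all assumptions chosen to make the flow concrete.

```python
"""Simplified version of steps 4 to 6 above: policy matching, risk scoring and
the final decision.

Added example, not ASCEND's policy engine or risk model. The policy fields,
the base scores, sensitivity weights, trust adjustment and the 70-point
approval threshold are assumptions chosen to make the flow concrete; the
decision values and the response shape follow the page.
"""
import fnmatch
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    name: str
    action_pattern: str    # fnmatch pattern, e.g. "database.*"
    resource_pattern: str  # fnmatch pattern, e.g. "production_*"
    effect: str            # "allow" | "deny" | "require_approval"
    priority: int          # higher wins


@dataclass
class Agent:
    agent_id: str
    trust_level: int         # 0 (unknown) .. 100 (fully trusted)
    recent_denials: int = 0  # historical-behaviour modifier


# Assumed scoring tables; "*" must stay last because lookup() is first-match
BASE_SCORE = {"database.query": 30, "database.write": 60, "data_access": 40, "*": 50}
SENSITIVITY_PCT = {"production_*": 150, "customer_*": 150, "*": 100}
APPROVAL_THRESHOLD = 70
RESTRICTIVENESS = {"deny": 0, "require_approval": 1, "allow": 2}


def lookup(table: Dict[str, int], key: str) -> int:
    for pattern, value in table.items():
        if fnmatch.fnmatch(key, pattern):
            return value
    return table["*"]


def matching_policies(policies: List[Policy], action_type: str, resource: str) -> List[Policy]:
    return [p for p in policies
            if fnmatch.fnmatch(action_type, p.action_pattern)
            and fnmatch.fnmatch(resource, p.resource_pattern)]


def select_policy(matches: List[Policy]) -> Tuple[Optional[Policy], List[str]]:
    """Highest priority wins. Equal-priority matches with different effects are
    a conflict: it is reported, and resolved toward the most restrictive effect
    so a misconfiguration fails closed."""
    if not matches:
        return None, []
    top = max(p.priority for p in matches)
    winners = [p for p in matches if p.priority == top]
    conflicts = [p.name for p in winners] if len({p.effect for p in winners}) > 1 else []
    winners.sort(key=lambda p: RESTRICTIVENESS[p.effect])
    return winners[0], conflicts


def risk_score(action_type: str, resource: str, agent: Agent) -> int:
    """Base score, scaled by resource sensitivity and agent trust, plus a
    penalty for recent denials. Integer arithmetic keeps scores reproducible."""
    base = lookup(BASE_SCORE, action_type)
    score = base * lookup(SENSITIVITY_PCT, resource) * (150 - agent.trust_level) // 10000
    score += 10 * min(agent.recent_denials, 3)
    return max(0, min(100, score))


def evaluate(policies: List[Policy], agent: Agent, action_type: str, resource: str) -> dict:
    policy, conflicts = select_policy(matching_policies(policies, action_type, resource))
    score = risk_score(action_type, resource, agent)
    if policy is None:
        decision, reason = "denied", "No matching policy (default deny)"
    elif policy.effect == "deny":
        decision, reason = "denied", f"Policy: {policy.name}"
    elif policy.effect == "require_approval":
        decision, reason = "pending", f"Policy: {policy.name}"
    elif score >= APPROVAL_THRESHOLD:   # allowed by policy, but too risky to auto-approve
        decision, reason = "pending", f"Risk score {score} >= {APPROVAL_THRESHOLD}"
    else:
        decision, reason = "allowed", f"Policy: {policy.name}"
    result = {"action_id": "act_" + secrets.token_hex(6), "decision": decision,
              "risk_score": score, "reason": reason}
    if conflicts:
        result["policy_conflicts"] = conflicts
    return result


# Constructed sample data
SAMPLE_POLICIES = [
    Policy("Allow read-only queries", "database.query", "*", "allow", 10),
    Policy("Deny writes to production", "database.write", "production_*", "deny", 20),
    Policy("Review customer data access", "data_access", "customer_*", "require_approval", 10),
]
TRUSTED_AGENT = Agent("my-agent", trust_level=80)
NEW_AGENT = Agent("new-agent", trust_level=10, recent_denials=3)
```

Two design points worth noting. First, the absence of a matching policy is a denial, not an allow; an engine that defaults open turns every gap in policy coverage into an authorization bypass. Second, the risk score can escalate an action the policy would allow into the pending state, which is why the same `database.query` against `production_db` comes back "allowed" for the trusted agent and "pending" for the new one with a record of denials.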
Approval Flow
When an action requires approval:
1. Pending Decision Returned
┌──────────────────────────────────────┐
│ decision: "pending" │
│ approval_request_id: "apr_xyz789" │
│ required_approvers: ["finance-mgr"] │
└──────────────────────────────────────┘
│
▼
2. Notification Sent
┌──────────────────────────────────────┐
│ • Slack notification │
│ • Email to approvers │
│ • Console alert │
└──────────────────────────────────────┘
│
▼
3. Approver Reviews (Console)
┌──────────────────────────────────────┐
│ • View action details │
│ • See risk assessment │
│ • Review context │
│ • Approve or Deny │
└──────────────────────────────────────┘
│
▼
4. Agent Notified
┌──────────────────────────────────────┐
│ • Webhook callback (if configured) │
│ • Poll status endpoint │
│ • client.wait_for_decision() │
└──────────────────────────────────────┘
│
▼
5. Action Proceeds (if approved)
Security Architecture
ASCEND implements defense-in-depth security:
Security Layers
┌───────────────────────────────────────────────────────────────────┐
│ Layer 1: Network Security │
│ • VPC isolation │
│ • Security groups │
│ • WAF rules │
│ • DDoS protection │
└───────────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────┐
│ Layer 2: Transport Security │
│ • TLS 1.3 encryption │
│ • Certificate pinning (SDKs) │
│ • HSTS headers │
└───────────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────┐
│ Layer 3: Authentication │
│ • API key validation (SHA-256) │
│ • RS256 JWT verification │
│ • MFA support │
└───────────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────┐
│ Layer 4: Authorization │
│ • RBAC (6 levels) │
│ • Row-Level Security │
│ • Organization isolation │
└───────────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────┐
│ Layer 5: Data Security │
│ • AES-256 encryption at rest │
│ • BYOK/CMK support │
│ • Secret management (AWS Secrets Manager) │
└───────────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────┐
│ Layer 6: Audit & Compliance │
│ • Immutable audit logs │
│ • Hash-chain integrity │
│ • WORM storage │
└───────────────────────────────────────────────────────────────────┘
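The hash-chain integrity property named for the Audit Service (Service Layer above) and again for Layer 6 here is illustrated by the following added example. It is not ASCEND's audit implementation: the entry layout, the canonical JSON encoding, the SHA-256 linkage and the sample records are all assumptions constructed for the demonstration. It also shows the failure mode a chain alone does not cover, removal of entries from the end, and the external anchor that catches it.

```python
"""Hash-chained audit log with tamper detection, illustrating the integrity
property the Audit Service and Layer 6 above rely on.

Added example, not ASCEND's audit implementation. The entry layout, canonical
JSON encoding and SHA-256 linkage are assumptions; the sample records are
constructed.
"""
import copy
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64


def canonical(record: dict) -> bytes:
    """Stable encoding: fixed key order and whitespace, so re-serialising a
    record never changes its hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "prev_hash": prev,
                 "record": record, "hash": entry_hash(prev, record)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest entry; this is what gets anchored in WORM storage."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict]) -> Optional[int]:
    """None if every link checks out, otherwise the seq of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if (e["seq"] != i or e["prev_hash"] != prev
                or e["hash"] != entry_hash(prev, e["record"])):
            return i
        prev = e["hash"]
    return None


def head_matches(entries: List[dict], anchored_head: str) -> bool:
    """Chain verification cannot see entries removed from the end, because the
    shortened chain is still self-consistent. Compare the last hash with the
    copy anchored outside the database (the WORM bucket on this page)."""
    head = entries[-1]["hash"] if entries else GENESIS
    return head == anchored_head


SAMPLE_RECORDS = [  # constructed
    {"action_id": "act_001", "agent_id": "my-agent", "decision": "allowed", "risk_score": 31},
    {"action_id": "act_002", "agent_id": "my-agent", "decision": "denied", "risk_score": 63},
    {"action_id": "act_003", "agent_id": "new-agent", "decision": "pending", "risk_score": 93},
]


def demo() -> dict:
    log = AuditLog()
    for rec in SAMPLE_RECORDS:
        log.append(rec)
    anchor = log.head()

    tampered = copy.deepcopy(log.entries)
    tampered[1]["record"]["decision"] = "allowed"      # flip a denial after the fact

    rehashed = copy.deepcopy(tampered)                  # attacker also fixes that entry's hash
    rehashed[1]["hash"] = entry_hash(rehashed[1]["prev_hash"], rehashed[1]["record"])

    truncated = log.entries[:-1]                        # drop the newest entry

    return {
        "intact": verify_chain(log.entries),                    # None
        "tampered_at": verify_chain(tampered),                  # 1
        "rehashed_at": verify_chain(rehashed),                  # 2: successor's prev_hash no longer matches
        "truncated_chain": verify_chain(truncated),             # None: still self-consistent
        "truncated_vs_anchor": head_matches(truncated, anchor), # False
    }


if __name__ == "__main__":
    print(demo())
```

Rewriting one entry and recomputing its own hash just moves the break to the next entry, which is the point of chaining; the only way to hide an edit is to rewrite every later hash as well, and the externally anchored head then no longer matches. That anchor is what the WORM bucket provides, and it should be written on a schedule independent of the database credentials the application uses.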
RBAC Hierarchy
| Role | Level | Permissions |
|---|---|---|
| Viewer | 1 | Read-only access to dashboards |
| Analyst | 2 | View actions, alerts, and reports |
| Operator | 3 | Approve/deny actions, manage alerts |
| Manager | 4 | Configure policies, manage agents |
| Admin | 5 | Full organization management |
| Super Admin | 6 | System-wide administration |
Deployment Architecture
AWS Infrastructure
┌────────────────────────────────────────────────────────────────────┐
│ AWS Cloud (us-east-2) │
│ │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ VPC │ │
│ │ │ │
│ │ ┌─────────────────────┐ ┌─────────────────────┐ │ │
│ │ │ Public Subnet │ │ Private Subnet │ │ │
│ │ │ │ │ │ │ │
│ │ │ ┌───────────────┐ │ │ ┌───────────────┐ │ │ │
│ │ │ │ ALB │──┼────┼─▶│ ECS Fargate │ │ │ │
│ │ │ │ │ │ │ │ (FastAPI) │ │ │ │
│ │ │ └───────────────┘ │ │ └───────┬───────┘ │ │ │
│ │ │ │ │ │ │ │ │
│ │ │ ┌───────────────┐ │ │ ┌───────▼───────┐ │ │ │
│ │ │ │ NAT GW │──┼────┼─▶│ ElastiCache │ │ │ │
│ │ │ │ │ │ │ │ (Redis) │ │ │ │
│ │ │ └───────────────┘ │ │ └───────────────┘ │ │ │
│ │ │ │ │ │ │ │
│ │ └─────────────────────┘ │ ┌───────────────┐ │ │ │
│ │ │ │ RDS Postgres │ │ │ │
│ │ │ │ (Multi-AZ) │ │ │ │
│ │ │ └───────────────┘ │ │ │
│ │ │ │ │ │
│ │ └─────────────────────┘ │ │
│ │ │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
│ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ │
│ │ Cognito │ │ Secrets │ │ S3 │ │ CloudWatch│ │
│ │ │ │ Manager │ │ │ │ │ │
│ └───────────┘ └───────────┘ └───────────┘ └───────────┘ │
│ │
└────────────────────────────────────────────────────────────────────┘
Scalability
| Component | Scaling Strategy | Capacity |
|---|---|---|
| API Servers | ECS auto-scaling | 2-20 instances |
| Database | Vertical + Read Replicas | Up to db.r6g.16xlarge |
| Cache | Redis Cluster | 3-6 nodes |
| Storage | S3 | Unlimited |
Integration Points
Gateway Integrations
| Gateway | Integration | Use Case |
|---|---|---|
| AWS API Gateway | Lambda Authorizer | Serverless APIs |
| Kong | Custom Plugin | API management |
| Envoy/Istio | ext_authz | Service mesh |
| NGINX | Auth subrequest | Traditional proxies |
Notification Channels
| Channel | Events | Configuration |
|---|---|---|
| Slack | All alert types | Webhook URL |
| Microsoft Teams | All alert types | Webhook URL |
| Email | Critical alerts | SMTP or SES |
| Webhooks | Custom events | HTTPS endpoint |
SIEM Integration
| Platform | Protocol | Data Format |
|---|---|---|
| Splunk | HEC (HTTPS) | JSON |
| IBM QRadar | Syslog | CEF |
| Microsoft Sentinel | Log Analytics API | JSON |
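For the syslog/CEF path in the table above, the following added example formats an alert as a CEF line with the escaping the CEF format requires. It is not ASCEND's SIEM connector: the alert field names, the vendor/product/signature mapping, the severity mapping and the sample alert are assumptions. The security point is that agent-controlled strings (resource names, query text, policy reasons) end up in these fields, and an unescaped pipe or newline would let an agent forge a second event or change the severity the SIEM sees.

```python
"""Emit an ASCEND alert as a CEF line for syslog-based SIEM ingestion (the
QRadar row above).

Added example, not ASCEND's SIEM connector. The alert field names and the
vendor/product/signature mapping are assumptions; the escaping rules are the
ones the CEF format defines.
"""
from datetime import datetime, timezone


def escape_header(value: str) -> str:
    # Header fields are pipe-delimited: escape backslash first, then the pipe
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    # Extension values are key=value pairs: escape backslash, '=', and line
    # breaks, so an attacker-controlled value cannot inject a second field
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r\n", "\\n").replace("\n", "\\n").replace("\r", "\\r"))


SEVERITY = {"low": 3, "medium": 5, "high": 8, "critical": 10}  # assumed mapping onto CEF 0-10


def epoch_millis(iso_utc: str) -> int:
    """CEF's rt field takes epoch milliseconds; ISO-8601 with a Z suffix in."""
    dt = datetime.fromisoformat(iso_utc.replace("Z", "+00:00"))
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def to_cef(alert: dict) -> str:
    header = ["CEF:0", "ASCEND", "Platform", alert.get("platform_version", "1.0"),
              alert["alert_type"], alert["title"], str(SEVERITY[alert["severity"]])]
    extension = {
        "rt": epoch_millis(alert["timestamp"]),
        "suser": alert["agent_id"],
        "act": alert["decision"],
        "externalId": alert["action_id"],
        "cs1Label": "policy", "cs1": alert["reason"],
        "cn1Label": "riskScore", "cn1": alert["risk_score"],
    }
    ext = " ".join(f"{k}={escape_extension(str(v))}" for k, v in extension.items())
    return "|".join(escape_header(h) for h in header) + "|" + ext


# Constructed alert; the title and reason carry characters an agent could plant
# to break the record apart if they were not escaped
SAMPLE_ALERT = {
    "action_id": "act_abc123",
    "agent_id": "my-agent",
    "alert_type": "policy_violation",
    "title": "Write to production_db | blocked",
    "severity": "high",
    "decision": "denied",
    "risk_score": 63,
    "reason": "Policy: Deny writes to production (effect=deny)\nseverity=1",
    "timestamp": "2026-01-20T10:00:00Z",
}


if __name__ == "__main__":
    print(to_cef(SAMPLE_ALERT))
```

Label/value pairs such as `cs1Label`/`cs1` are how CEF carries custom fields; the SIEM side maps them to named properties, so keep the labels stable across releases or saved searches break. Syslog transports also truncate long lines, so keep free-text fields like the reason bounded before they reach this function.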
Performance Characteristics
Latency Targets
| Operation | p50 | p99 | Target |
|---|---|---|---|
| Action evaluation | 15ms | 50ms | <100ms |
| Policy lookup | 5ms | 15ms | <25ms |
| Risk calculation | 10ms | 30ms | <50ms |
| Audit write | 2ms | 8ms | <15ms |
Throughput
| Tier | Actions/Second | Concurrent Agents |
|---|---|---|
| Standard | 100 | 50 |
| Professional | 500 | 200 |
| Enterprise | 2000+ | Unlimited |
Next Steps
Now that you understand the architecture:
- Register Your First Agent: Connect your agent to ASCEND
- Create Your First Policy: Define governance rules
- Evaluate Your First Action: See the flow in action
Last Updated: 2026-01-20