Six-Layer Design
Modular, self-contained architecture spanning document processing through perimeter security.
Architecture Diagram
┌─────────────────────────────────────────────────────────────────┐
│                         CLOUDFLARE EDGE                         │
│                   Zero Trust · Rate Limiting                    │
│                   Webhook Validation · Tunnel                   │
└───────────────────────┬─────────────────────────────────────────┘
                        │ Encrypted Tunnel
┌───────────────────────┴─────────────────────────────────────────┐
│                         PERIMETER LAYER                         │
│         tunnelManager · rateLimiter · webhookValidator          │
│               perimeterLedger · cloudflareConfig                │
└───────────────────────┬─────────────────────────────────────────┘
                        │
       ┌────────────────┼────────────────┬────────────────┐
       │                │                │                │
       ▼                ▼                ▼                ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ DOCUMENT     │ │ SIGNING      │ │ SDC          │ │ TELECOM      │
│ ENGINE       │ │ GATEWAY      │ │ VIEWER       │ │ SCA          │
│ :3001        │ │ :3002        │ │ :3003        │ │ :3004        │
│              │ │              │ │              │ │              │
│ Ingest       │ │ Sessions     │ │ Viewer       │ │ Inbound      │
│ Parse        │ │ Multi-sig    │ │ Tokens       │ │ AI Intent    │
│ Canonicalize │ │ OTP Engine   │ │ Export Ctrl  │ │ Compliance   │
│ Transform    │ │ Certificates │ │ Watermark    │ │ Conversation │
│ Export       │ │ Distribute   │ │ Access Log   │ │ Action       │
│ Fingerprint  │ │              │ │              │ │ Outbound     │
└──────┬───────┘ └──────────────┘ └──────────────┘ └──────────────┘
       │
       ▼
┌─────────────────────────────────────────────────────────────────┐
│                        SOVEREIGNTY LAYER                        │
│       IPFS/Kubo · CID Registry · Hash Chain · Signatures        │
│             QR Generator · Audit Trail · SKU Engine             │
└─────────────────────────────────────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│                     OPERATIONS LAYER :3005                      │
│               Monitoring Dashboard · Backup Agent               │
│                 Docker Compose · Health Checks                  │
└─────────────────────────────────────────────────────────────────┘
Document Processing Pipeline
| Stage | Module | Description |
|---|---|---|
| 1 | Ingest | Accept PDF, DOCX, PNG, JPG, HTML, TXT, MD via CLI or API |
| 2 | Parse | Format-specific extraction to canonical JSON |
| 3 | Canonicalize | Deterministic normalization (whitespace, encoding, structure) |
| 4 | Transform | Governance, compliance, and brand transforms applied |
| 5 | Export | Template-based rendering to target format |
| 6 | Fingerprint | SHA-256 hash + metadata fingerprint generation |
| 7 | Sign | Digital signature with ESIGN/UETA certificate |
| 8 | Encrypt | AES-256-GCM encryption for at-rest storage |
| 9 | Store | IPFS push via Kubo with CID registration |
| 10 | Anchor | Hash-chain ledger anchoring with lifecycle tracking |
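
The Canonicalize, Fingerprint and Anchor stages (3, 6 and 10) only give tamper evidence if equivalent inputs always hash to the same value and each ledger entry commits to the one before it. The sketch below is an added example, not the project's own code; the normalization rules (NFC, collapsed whitespace, sorted keys), the ledger entry fields and the all-zero genesis value are assumptions made for illustration.

```python
import hashlib
import json
import unicodedata

GENESIS = "0" * 64  # assumed "previous hash" for the first ledger entry


def canonicalize(doc):
    """Deterministic bytes: NFC text, collapsed whitespace, sorted keys (assumed rules)."""
    def norm(value):
        if isinstance(value, str):
            return " ".join(unicodedata.normalize("NFC", value).split())
        if isinstance(value, dict):
            return {norm(k): norm(v) for k, v in value.items()}
        if isinstance(value, list):
            return [norm(v) for v in value]
        return value
    return json.dumps(norm(doc), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def fingerprint(doc):
    """SHA-256 over the canonical bytes, so equivalent inputs hash identically."""
    return hashlib.sha256(canonicalize(doc)).hexdigest()


def entry_hash(prev, fp, seq):
    """Hash binding an entry's position, its predecessor and the document fingerprint."""
    return hashlib.sha256(f"{seq}|{prev}|{fp}".encode("ascii")).hexdigest()


def anchor(ledger, doc):
    """Append an entry whose hash commits to the previous entry's hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    fp, seq = fingerprint(doc), len(ledger)
    ledger.append({"seq": seq, "prev": prev, "fingerprint": fp,
                   "hash": entry_hash(prev, fp, seq)})
    return ledger[-1]


def verify(ledger):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        ok = e["seq"] == i and e["prev"] == prev
        if not ok or e["hash"] != entry_hash(prev, e["fingerprint"], i):
            return i
        prev = e["hash"]
    return -1
```

Rewriting an old entry and recomputing its own hash still fails verification at the next entry, because that entry's `prev` no longer matches; an auditor only needs the latest hash from a trusted source to detect a rewrite of the whole chain.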
Module Inventory
Document Engine — 14 Modules
Core processing pipeline: format detection, parsing (PDF, DOCX, HTML, image OCR, text), canonical engine, governance/compliance/brand transforms, template export, and fingerprinting.
Sovereignty Layer — 12 Modules
IPFS client, Kubo node management, CID registry, event log, ledger anchor, document fingerprint, signature engine, QR generator, audit trail, SKU engine, lifecycle registry, research/publication OS.
Signing Gateway — 5 Modules
Gateway server (:3002), session manager, OTP engine, signature certificate generator, distribution engine.
Secure Document Control — 7 Modules
SDC server (:3003), viewer protection engine, access token manager, export policy enforcer, forensic watermark, access ledger, SDC configuration.
Sovereign Comms Agent — 6 Modules
SCA server (:3004), inbound router, AI intent engine, action engine, outbound composer, conversation ledger.
Perimeter Security — 5 Modules
Tunnel manager, rate limiter, webhook validator, perimeter ledger, Cloudflare configuration.
Service Ports
| Port | Service | Access |
|---|---|---|
| 3001 | Document Engine Portal | Internal only |
| 3002 | Signing Gateway | Internal only |
| 3003 | SDC Viewer | Internal only |
| 3004 | SCA Webhook | Internal only |
| 3005 | Monitoring Dashboard | Internal only |
| 5001 | IPFS / Kubo API | Internal only |
| 8081 | IPFS Gateway | Internal only |
All ports are internal. External access is exclusively through Cloudflare Zero Trust tunnels.