Architecture

Six architectural choices that take years to build right and are load-bearing across every Pollen8 satellite. Health’s audit story is the same audit story Legal’s is. The DB Engine’s read-only validator is the same validator BI widgets execute through. The AuthContext gating one tool gates them all. The PQC envelope encrypting one credential encrypts every credential.

1 · Post-quantum encryption

Every at-rest credential lands under a NIST-standardized hybrid envelope:

| Layer | Algorithm | Standard |
| --- | --- | --- |
| Outer KEM (classical) | X25519 ECDH | (PQ-transition hybrid) |
| Outer KEM (PQ) | ML-KEM-1024 | FIPS 203 |
| KDF | HKDF-SHA3-512 | SHA-3 family is PQ-safe |
| AEAD | AES-256-GCM | 256-bit symmetric is PQ-safe |
| Audit signatures | ML-DSA-65 | FIPS 204 |

Hybrid is failure-safe: if either KEM is later broken, the other still protects the credential. This puts the envelope ahead of the CNSA 2.0 federal mandate (2030), and the “harvest-now-decrypt-later” threat is already addressed.

See Crypto (PQC envelope) for the operator guide — key generation, migration paths, library trade-offs.

2 · Why Engine on every AI output

No LLM call ships without a Why trace. Every assistant message, every workflow step, every drafted document, every bot reply carries:

  • Retrieval breakdown — which chunks, which sources, which classifications.
  • Model used — including fine-tune overrides where applied.
  • Per-event latency and cost.
  • Fingerprint signatures (ML-DSA-65) for tamper-evident audit.

Every assistant message has a Why? button that opens the trace panel — retrieval breakdown, model, per-event timing, source counts. Pre-discovery defensibility for any audit.

3 · AuthContext capability tokens

Every tool call carries a vault-signed capability JWS that authorizes exactly the operation in scope:

  • Token TTL ≤ 30 seconds.
  • Single-use: the first consumption invalidates replay.
  • The audit log records the consumption, the calling user, and the exact capability minted.
  • No service has standing chart access, standing DB access, or standing key material.

This means a leaked token decays before it’s useful, and a leak is visible in the audit trail by construction.
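The token properties listed above (short TTL, single use, audited consumption) can be seen in a minimal sketch. This is an added example, not Pollen8's code: HMAC-SHA256 stands in for the vault's JWS signature, and the claim names, in-memory stores and `mint` / `consume` functions are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

VAULT_KEY = secrets.token_bytes(32)  # assumption: stand-in for the vault signing key
MAX_TTL = 30                         # seconds; the ceiling stated above
_consumed = set()                    # jti values already redeemed
audit_log = []                       # constructed in-memory audit trail

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(payload):
    # HMAC-SHA256 stands in for the vault's JWS signature in this sketch.
    return _b64(hmac.new(VAULT_KEY, payload.encode(), hashlib.sha256).digest())

def _audit(outcome, claims, requested):
    entry = {"outcome": outcome, "user": claims.get("sub"),
             "minted": claims.get("cap"), "requested": requested}
    audit_log.append(entry)
    return entry

def mint(user, capability, ttl=MAX_TTL, now=None):
    """Mint a token that authorizes exactly one capability for at most 30 s."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be positive and at most 30 seconds")
    issued = time.time() if now is None else now
    claims = {"sub": user, "cap": capability, "exp": issued + ttl,
              "jti": secrets.token_hex(16)}
    payload = _b64(json.dumps(claims).encode())
    return payload + "." + _sign(payload)

def consume(token, capability, now=None):
    """Check signature, scope, expiry and single use; audit every outcome."""
    now = time.time() if now is None else now
    payload, _, sig = token.partition(".")
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return _audit("rejected:bad-signature", {}, capability)
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    if claims["cap"] != capability:
        return _audit("rejected:wrong-capability", claims, capability)
    if now >= claims["exp"]:
        return _audit("rejected:expired", claims, capability)
    if claims["jti"] in _consumed:
        return _audit("rejected:replay", claims, capability)
    # Production needs an atomic check-and-set in shared storage here.
    _consumed.add(claims["jti"])
    return _audit("consumed", claims, capability)
```

Rejections are written to the same audit log as successful consumptions, which is what makes a replayed or mis-scoped token visible after the fact.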

4 · Validator-gated tools

Every external action passes a validator before the driver is touched.

DB Engine. The NL→SQL planner’s output runs through sqlglot: SELECT-only is enforced; DROP / DELETE / TRUNCATE / GRANT are all rejected at parse time; scope predicates are AND-injected; and only a single statement is allowed. Hand-edited SQL passes the same gate. An EXPLAIN (FORMAT JSON) preflight then blocks queries that would scan billions of rows.

Contact Center. The dialogue runtime enforces identity-before-dispatch at the node level — workflow graphs can’t draw around the lock. Controlled-substance refills are blocked at runtime regardless of what the graph says.

Vault retrieval. Hybrid pgvector + tsvector + Reciprocal Rank Fusion is wrapped by matter-team ACL clauses applied at the SQL layer.

5 · SQL-layer ACLs

Application-layer ACLs are easy to get wrong — a missing filter on a list endpoint becomes a tenant leak. Pollen8 pushes isolation to the SQL layer:

  • Matter-team isolation for the Legal Vault uses EXISTS (SELECT 1 FROM legal_matter_team ...) clauses AND-injected into both vector and keyword retrieval queries.
  • DB Engine scope predicates are SQL fragments stamped onto each connection that the validator inlines into every executed query. The planner is told about them; if it omits them, the validator re-applies.
  • Tenant scoping is a column-level tenant_id match on every row-level read.

Even a model with a stale context can’t surface a chunk the asking user isn’t allowed to read.
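The difference between an application-layer filter and an ACL injected at the SQL layer, as an added example that is not Pollen8's code. SQLite and a LIKE search stand in for Postgres with pgvector / tsvector; the `chunks` table, the column names of `legal_matter_team` and the sample rows are constructed assumptions.

```python
import sqlite3

# Constant ACL fragment with bound parameters. The page names legal_matter_team;
# its columns and the chunks table are assumptions made for this sketch.
ACL = ("c.tenant_id = :tenant_id AND EXISTS (SELECT 1 FROM legal_matter_team t "
       "WHERE t.matter_id = c.matter_id AND t.user_id = :user_id)")

def build_db():
    """Constructed sample data: two tenants, three matters, three users."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE chunks (id INTEGER PRIMARY KEY, tenant_id INT, matter_id INT, body TEXT);
        CREATE TABLE legal_matter_team (matter_id INT, user_id INT);
        INSERT INTO chunks VALUES
            (1, 1, 10, 'indemnity clause draft'),
            (2, 1, 11, 'indemnity carve-out memo'),
            (3, 2, 20, 'indemnity schedule');
        INSERT INTO legal_matter_team VALUES (10, 1), (11, 2), (20, 3);
    """)
    return db

def retrieve_unscoped(db, keyword):
    """Application-layer style: correct only if every caller remembers to filter."""
    rows = db.execute("SELECT id FROM chunks WHERE body LIKE :kw ORDER BY id",
                      {"kw": f"%{keyword}%"})
    return [r[0] for r in rows]

def retrieve(db, keyword, user_id, tenant_id):
    """SQL-layer style: the retrieval query is wrapped and the ACL is AND-injected."""
    inner = "SELECT id, tenant_id, matter_id FROM chunks WHERE body LIKE :kw"
    sql = f"SELECT c.id FROM ({inner}) AS c WHERE {ACL} ORDER BY c.id"
    rows = db.execute(sql, {"kw": f"%{keyword}%", "user_id": user_id,
                            "tenant_id": tenant_id})
    return [r[0] for r in rows]
```

With the constructed rows, the unscoped query returns all three chunks for any caller, while the wrapped query returns only chunks whose matter team includes the asking user within the asking tenant.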

6 · Deployable, not SaaS

Pollen8 Core runs in your cloud — AWS, Azure, or on-prem Kubernetes:

  • Helm chart for AWS / EKS.
  • Bicep + CFT for Azure / AKS.
  • Container image for self-managed Kubernetes.
  • AWS Marketplace + Azure Marketplace listings.
  • Private-link supported for both.
  • BAA available on request.

Files stay in your cloud. The only outbound traffic is the AI provider you configure under AI providers — Pollen8 doesn’t proxy through a third-party inference layer.

How the pillars compose

Caller (user / bot / Word add-in / agent)
├─► AuthContext mint (≤30s, single-use)
MCP tool — locked contract (db.run_sql / bi.refresh_widget / ...)
├─► Validator gate (sqlglot / identity-lock / EXPLAIN preflight)
Driver / retrieval pipeline
├─► SQL-layer ACL (EXISTS subqueries, scope predicates)
Storage ◄── PQC envelope (ML-KEM-1024 + AES-256-GCM)
└─► Why trace stamped (retrieval + model + cost, signed ML-DSA-65)

Six pillars. Every request goes through every layer. None of them are optional, none are toggleable, none of them can be bypassed by a misconfiguration of the layer above.

Where to go next

  • Crypto (PQC envelope) — operator guide for the PQC keymat and rotation.
  • Audit — the Why trace store, retention, export.
  • AI providers — how outbound model calls are configured and audited.
  • Coverage — file-stays-in-your-cloud storage model.
  • DB Engine overview — the read-only NL→SQL pipeline with its validator and EXPLAIN preflight.
  • Roles — how seat types map to capability sets.