Architecture
The stack, the audit invariant, tenant isolation, and data residency.
The stack
| Layer | Technology |
|---|---|
| App / frontend | Next.js 15 on Google Cloud Run |
| CMS / config / data | Payload CMS + Postgres (Cloud SQL) |
| AI Wizard | screver-ma-ai — Express + Anthropic Claude (claude-sonnet-4-6), separate Cloud Run service |
| Storage | Google Cloud Storage (media, source files) |
| Docs | This site — Fumadocs on Cloud Run |
The app, the AI service, and the docs each deploy as their own Cloud Run service from their own git repo, with the same CI/CD shape (staging auto-deploy → production manual gate).
The audit invariant
The single most important production guarantee:
The application physically cannot rewrite history.
`DELETE` and `UPDATE` are stripped from the application role on the audit tables.
It is enforced in two layers:
- Application layer — the `audit-events` collection denies `update` and `delete` access.
- Database layer — a migration runs `REVOKE UPDATE, DELETE` on the audit table from the application role, so even a compromised app cannot tamper with the trail.
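Both layers as an added example in TypeScript (the app's language). This is not the project's own code: the role name `screver_app`, the table name `audit_events` and the helper names are assumptions for illustration. It also revokes `TRUNCATE`, which the page does not mention; Postgres grants it separately from `DELETE`, and a role that can truncate can still erase the trail. The `findForbiddenGrants` check is what an integration test runs against `information_schema.role_table_grants` to prove the revoke actually took effect.

```typescript
// Added example, not the project's code: the audit invariant in both layers.
// The role "screver_app", the table "audit_events" and the helper names are
// assumptions for illustration.

// Application layer: Payload collection access in the shape Payload expects.
// update and delete are denied unconditionally; create/read are placeholders.
export const auditEventsAccess = {
  create: () => true,
  read: () => true,
  update: () => false,
  delete: () => false,
};

// Database layer. The page revokes UPDATE and DELETE; TRUNCATE is added here
// because Postgres grants it as a separate privilege, and a role that can
// TRUNCATE can still erase the trail.
export const FORBIDDEN_AUDIT_PRIVILEGES = ["UPDATE", "DELETE", "TRUNCATE"] as const;

// Allow only plain identifiers instead of trying to escape odd ones, so a
// table or role name can never break out of the REVOKE statement.
export function quoteIdent(name: string): string {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
    throw new Error(`unsafe identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// The migration body: one REVOKE per audit table, from the application role.
export function auditRevokeSql(role: string, tables: string[]): string[] {
  const privs = FORBIDDEN_AUDIT_PRIVILEGES.join(", ");
  return tables.map(
    (t) => `REVOKE ${privs} ON TABLE ${quoteIdent(t)} FROM ${quoteIdent(role)};`,
  );
}

// One row of:
//   SELECT grantee, table_name, privilege_type
//   FROM information_schema.role_table_grants WHERE grantee = $1;
export interface GrantRow {
  grantee: string;
  table_name: string;
  privilege_type: string;
}

// The integration-test check: every grant that breaks the invariant for this
// role on these tables. An empty result is the pass condition.
export function findForbiddenGrants(
  grants: GrantRow[],
  role: string,
  auditTables: string[],
): GrantRow[] {
  const tables = new Set(auditTables);
  const forbidden = new Set<string>(FORBIDDEN_AUDIT_PRIVILEGES);
  return grants.filter(
    (g) =>
      g.grantee === role &&
      tables.has(g.table_name) &&
      forbidden.has(g.privilege_type.toUpperCase()),
  );
}

// Constructed sample: what the query might return before the migration has run.
export const SAMPLE_GRANTS: GrantRow[] = [
  { grantee: "screver_app", table_name: "audit_events", privilege_type: "INSERT" },
  { grantee: "screver_app", table_name: "audit_events", privilege_type: "SELECT" },
  { grantee: "screver_app", table_name: "audit_events", privilege_type: "UPDATE" },
  { grantee: "screver_app", table_name: "audit_events", privilege_type: "DELETE" },
  // Not an audit table, so UPDATE is fine here.
  { grantee: "screver_app", table_name: "evidence", privilege_type: "UPDATE" },
  // A different role (the migration owner) is outside the invariant's scope.
  { grantee: "screver_migrate", table_name: "audit_events", privilege_type: "DELETE" },
];

// Example run: print the migration and count violations on the sample grants.
const before = findForbiddenGrants(SAMPLE_GRANTS, "screver_app", ["audit_events"]);
console.log(auditRevokeSql("screver_app", ["audit_events"]).join("\n"));
console.log(`violations before migration: ${before.length}`); // 2
```

The revoke only constrains the role it names. The role that owns the tables and runs migrations keeps every privilege, so the application must never connect as that role, and the grant check above is worth running in CI after every migration rather than once.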
Combined with the supersede mechanic on the evidence base (old row → `superseded`, new row → `active`, both retained forever), the entire decision history is reconstructable and defensible.
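The supersede mechanic and the history walk it enables, as an added TypeScript example that is not the project's own code. The row fields (`id`, `supersedes`, `status`, `value`, `decidedBy`, `decidedAt`) and the function names are assumptions; the point is that replacing a decision is an insert plus a status flip, never a delete, and that a missing predecessor or a cycle in the chain is reported as an error rather than silently truncating the history.

```typescript
// Added example, not the project's code: the supersede mechanic as insert plus
// status flip, and the history walk that makes a decision defensible. Row
// fields (id, supersedes, status, value, decidedBy, decidedAt) are assumptions.
export type RowStatus = "active" | "superseded";

export interface EvidenceRow {
  id: string;
  supersedes: string | null; // id of the row this one replaced; null for the original
  status: RowStatus;
  value: string;
  decidedBy: string;
  decidedAt: string; // ISO-8601
}

// Replace an active row: the old row is marked superseded, the new row is
// appended as active pointing back at it. Nothing is removed.
export function supersede(
  rows: EvidenceRow[],
  oldId: string,
  next: Omit<EvidenceRow, "id" | "supersedes" | "status">,
  newId: string,
): EvidenceRow[] {
  const old = rows.find((r) => r.id === oldId);
  if (!old) throw new Error(`no such row: ${oldId}`);
  if (old.status !== "active") throw new Error(`${oldId} is already superseded`);
  return [
    ...rows.map((r) => (r.id === oldId ? { ...r, status: "superseded" as const } : r)),
    { ...next, id: newId, supersedes: oldId, status: "active" as const },
  ];
}

// Walk from any row back to the origin and return the chain oldest-first.
// A missing predecessor means a row vanished despite the invariant; a cycle
// means the pointers were tampered with. Both are errors, not empty results.
export function historyOf(rows: EvidenceRow[], id: string): EvidenceRow[] {
  const byId = new Map<string, EvidenceRow>();
  for (const r of rows) byId.set(r.id, r);
  const chain: EvidenceRow[] = [];
  const seen = new Set<string>();
  let cur = byId.get(id);
  if (!cur) throw new Error(`no such row: ${id}`);
  while (cur) {
    if (seen.has(cur.id)) throw new Error(`supersede cycle at ${cur.id}`);
    seen.add(cur.id);
    chain.unshift(cur);
    if (cur.supersedes === null) break;
    const prev = byId.get(cur.supersedes);
    if (!prev) throw new Error(`${cur.id} supersedes missing row ${cur.supersedes}`);
    cur = prev;
  }
  return chain;
}

// Consistency check over the whole table: every superseded row has exactly one
// successor, and no active row has been superseded without being marked.
export function checkSupersedeInvariants(rows: EvidenceRow[]): string[] {
  const problems: string[] = [];
  const successors = new Map<string, string[]>();
  const ids = new Set(rows.map((r) => r.id));
  for (const r of rows) {
    if (r.supersedes === null) continue;
    if (!ids.has(r.supersedes)) problems.push(`${r.id} supersedes missing row ${r.supersedes}`);
    successors.set(r.supersedes, [...(successors.get(r.supersedes) ?? []), r.id]);
  }
  for (const r of rows) {
    const succ = successors.get(r.id) ?? [];
    if (r.status === "superseded" && succ.length === 0) problems.push(`${r.id} is superseded but has no successor`);
    if (r.status === "active" && succ.length > 0) problems.push(`${r.id} is active but superseded by ${succ.join(",")}`);
    if (succ.length > 1) problems.push(`${r.id} has forked successors ${succ.join(",")}`);
  }
  return problems;
}

// Constructed sample: one evidence item decided three times.
export const SAMPLE_ROWS: EvidenceRow[] = [
  { id: "e1", supersedes: null, status: "superseded", value: "accepted", decidedBy: "alice", decidedAt: "2025-01-10T09:00:00Z" },
  { id: "e2", supersedes: "e1", status: "superseded", value: "rejected", decidedBy: "bob", decidedAt: "2025-02-03T14:30:00Z" },
  { id: "e3", supersedes: "e2", status: "active", value: "accepted", decidedBy: "alice", decidedAt: "2025-03-01T08:15:00Z" },
];

// Example run: the full history behind the current decision.
console.log(historyOf(SAMPLE_ROWS, "e3").map((r) => `${r.decidedAt} ${r.decidedBy}: ${r.value}`));
```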
Audit data is retained indefinitely — hot and queryable for seven years (the pharma regulatory standard), then archived to cold storage with the append-only invariant preserved.
The AI boundary
The Wizard service holds the only Anthropic key (server-side). The browser never calls it directly: every request goes through the app's `/wizard-api` proxy, which attaches a service secret and the forwarded identity of the authenticated user.
Every Wizard answer must cite its retrieved sources, and the Wizard refuses questions it cannot ground in them.
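The proxy boundary as an added TypeScript example, not the project's own code. The header names (`x-service-secret`, `x-forwarded-user`, `x-forwarded-tenant`), the config shape and the `/wizard-api/` prefix handling are assumptions. Two details matter for security and are easy to get wrong: the proxy must drop any identity or secret header the browser sent before setting its own, so a client cannot forge who it is, and the Wizard side must compare the secret in constant time and read the identity only after that check passes.

```typescript
import { timingSafeEqual } from "node:crypto";

// Added example, not the project's code: the /wizard-api proxy boundary. The
// header names, the config shape and the path prefix handling are assumptions.

export type Headers = Record<string, string>; // stored with lowercase names
export interface Session { userId: string; tenantId: string }
export interface ProxyConfig { serviceSecret: string; wizardBaseUrl: string }
export interface ClientRequest { path: string; headers: Headers; body: string }
export interface UpstreamRequest { url: string; headers: Headers; body: string }

// Headers the proxy owns: whatever the browser sends under these names is
// dropped before the app sets its own values, so identity cannot be forged.
const OWNED = ["x-service-secret", "x-forwarded-user", "x-forwarded-tenant"];
// Browser credentials and connection headers never cross the boundary.
const STRIPPED = ["authorization", "cookie", "host", "content-length", "connection"];

// App side: called only after the app has authenticated the browser session.
export function buildUpstreamRequest(req: ClientRequest, session: Session, cfg: ProxyConfig): UpstreamRequest {
  const prefix = "/wizard-api/";
  if (!req.path.startsWith(prefix) || req.path.includes("..")) {
    throw new Error(`refusing to proxy ${req.path}`);
  }
  const headers: Headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    const key = name.toLowerCase();
    if (OWNED.includes(key) || STRIPPED.includes(key)) continue;
    headers[key] = value;
  }
  headers["x-service-secret"] = cfg.serviceSecret;
  headers["x-forwarded-user"] = session.userId;
  headers["x-forwarded-tenant"] = session.tenantId;
  // "/wizard-api/ask" becomes "<base>/ask".
  return { url: cfg.wizardBaseUrl + req.path.slice(prefix.length - 1), headers, body: req.body };
}

// Wizard side: constant-time check of the shared secret. Length mismatch
// returns early because timingSafeEqual requires equal-length inputs.
// (Express lowercases incoming header names, matching the Headers type here.)
export function verifyServiceSecret(headers: Headers, expected: string): boolean {
  const got = Buffer.from(headers["x-service-secret"] ?? "", "utf8");
  const want = Buffer.from(expected, "utf8");
  return got.length === want.length && timingSafeEqual(got, want);
}

// Identity is only read after the secret checks out; a request without the
// secret, or with a bad one, gets no identity and the Wizard rejects it.
export function identityFrom(headers: Headers, expected: string): Session | null {
  if (!verifyServiceSecret(headers, expected)) return null;
  const userId = headers["x-forwarded-user"];
  const tenantId = headers["x-forwarded-tenant"];
  if (!userId || !tenantId) return null;
  return { userId, tenantId };
}

// Example run with a constructed browser request that tries to forge identity.
const cfg: ProxyConfig = { serviceSecret: "example-service-secret", wizardBaseUrl: "http://wizard.internal" };
const forged: ClientRequest = {
  path: "/wizard-api/ask",
  headers: { "X-Forwarded-User": "admin", cookie: "session=abc", "content-type": "application/json" },
  body: JSON.stringify({ question: "What does the SOP say about retention?" }),
};
const upstream = buildUpstreamRequest(forged, { userId: "u-42", tenantId: "t-7" }, cfg);
console.log(upstream.headers["x-forwarded-user"]); // "u-42", not "admin"
console.log(identityFrom(upstream.headers, cfg.serviceSecret));
```

The shared secret proves the caller is the app, not the user; it is the forwarded identity, set only by the app, that the Wizard should use for per-tenant retrieval, and a Wizard deployment should additionally be reachable only from the app's service account (Cloud Run ingress and IAM) so the secret is a second factor rather than the only one.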
Tenant isolation and residency
- Isolation — enforced at the data-access layer, the schema validator, and by integration tests. Only authenticated users with an active membership can see a tenant's data.
- Residency — data does not leave its region. APAC runs in Sydney (`australia-southeast1`), EU in Frankfurt (`europe-west3`), AMER in `us-central1`. No cross-region transit by default.
- No training on customer data — a contractual guarantee; provider contracts include the clause.
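The data-access-layer half of tenant isolation and the residency rule, as an added TypeScript example that is not the project's own code. The membership fields (`status`, `expiresAt`), the tenant `region` field and the function names are assumptions; the region-to-location table is taken from this page. The example goes slightly beyond the text by treating suspended, revoked and expired memberships as distinct non-active states, since "active membership" has to be decided against all of them. The access function follows the shape Payload collection access functions use: `false` denies, and a Where clause is merged into every query so other tenants' rows are never fetched.

```typescript
// Added example, not the project's code: tenant isolation at the data-access
// layer as a Payload-style read access function, plus a residency guard built
// from the regions the page lists. Field names (memberships, status, expiresAt,
// region) are assumptions.

export type Region = "APAC" | "EU" | "AMER";

// One Cloud Run / Cloud SQL location per residency zone, as given on this page.
export const REGION_LOCATION: Record<Region, string> = {
  APAC: "australia-southeast1",
  EU: "europe-west3",
  AMER: "us-central1",
};

export interface Membership {
  tenantId: string;
  status: "active" | "suspended" | "revoked";
  expiresAt: string | null; // ISO-8601, null = no expiry
}
export interface User { id: string; memberships: Membership[] }
export interface Tenant { id: string; region: Region }

// Tenants the user may read right now. Suspended, revoked and expired
// memberships give no access, even though they stay on the user record.
export function activeTenantIds(user: User, now: Date): string[] {
  return user.memberships
    .filter((m) => m.status === "active" && (m.expiresAt === null || new Date(m.expiresAt) > now))
    .map((m) => m.tenantId);
}

// Payload-style collection read access: false denies outright; a Where clause
// is ANDed into every query the data layer runs, so other tenants' documents
// are never fetched rather than filtered out afterwards.
export type Where = { tenant: { in: string[] } };
export function tenantReadAccess(user: User | null, now: Date = new Date()): false | Where {
  if (!user) return false;
  const ids = activeTenantIds(user, now);
  return ids.length === 0 ? false : { tenant: { in: ids } };
}

// What the query layer does with the access result; the integration test
// asserts on this over a fixture spanning several tenants.
export function visibleDocs<T extends { tenant: string }>(docs: T[], access: false | Where): T[] {
  if (access === false) return [];
  const allowed = new Set(access.tenant.in);
  return docs.filter((d) => allowed.has(d.tenant));
}

// Residency: a request for a tenant is only served by the deployment in that
// tenant's home location; any other location refuses rather than forwarding.
export function assertServedInRegion(tenant: Tenant, servingLocation: string): string {
  const home = REGION_LOCATION[tenant.region];
  if (home !== servingLocation) {
    throw new Error(`tenant ${tenant.id} (${tenant.region}) lives in ${home}; refusing to serve from ${servingLocation}`);
  }
  return home;
}

// Constructed sample: one user with four memberships in different states.
export const SAMPLE_USER: User = {
  id: "u-1",
  memberships: [
    { tenantId: "t-active", status: "active", expiresAt: null },
    { tenantId: "t-expiring", status: "active", expiresAt: "2030-01-01T00:00:00Z" },
    { tenantId: "t-expired", status: "active", expiresAt: "2024-01-01T00:00:00Z" },
    { tenantId: "t-suspended", status: "suspended", expiresAt: null },
  ],
};
export const SAMPLE_DOCS = [
  { id: "d1", tenant: "t-active" },
  { id: "d2", tenant: "t-expiring" },
  { id: "d3", tenant: "t-expired" },
  { id: "d4", tenant: "t-suspended" },
  { id: "d5", tenant: "t-other" },
];

// Example run: only d1 and d2 are visible to the sample user in 2026.
console.log(visibleDocs(SAMPLE_DOCS, tenantReadAccess(SAMPLE_USER, new Date("2026-01-01T00:00:00Z"))).map((d) => d.id));
```

The integration test worth keeping is the negative one: a user with an authenticated session but no active membership must get an empty result for every collection, not a permissions error that leaks whether the tenant exists.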