v 2.1 · 8 zones · 59 design decisions

Eight zones. Zero trust between them.

bRRAIn is a productized, multi-tenant, zero-trust AI memory platform. Every zone enforces its own boundary; the Consolidator is the sole writer to the Vault; the internal Handler routes, summarizes, and detects anomalies but makes no business decisions. This is what's running on every brain pod today.

Read the docs → Security model

brrain pod · system topology

Zone 1

Vault

Zone 2

Workspaces

Zone 3

Control

Zone 4

Conflict

Zone 5

Notifier

Zone 6

MCP

Zone 7

Security

Zone 8

Sandbox

Consolidator

Sole writer to the Vault · event-driven + 60-min heartbeat

Handler

Internal AI engine · runs locally on every brain pod

AES-256

Envelope encryption

2× gates

Per vault write

Sub-second

Retrieval latency

4 tiers

Deployment models

The 8-zone architecture

Each zone is independently deployable, testable, and trust-isolated.

No implicit trust between zones. Cross-zone calls go through audited interfaces, not direct memory access.

Zone 1

The Vault

Encrypted inner core with envelope encryption, immutable project structure, read-only access. Write-through Consolidator with graph-filesystem atomic sync.

Zone 2

Workspaces

User and team sandboxes. Session flow, tiered loading, local sync. Where chats and edits happen before they're consolidated into the Vault.

Zone 3

Control Plane

7-tier role hierarchy (Sovereign → Architect → Librarian → Operator → Contributor → Observer → Guest). Policy engine, GUI, CLI, and the API surface.

Zone 4

Conflict Zone

Per-project conflict records with role-hierarchy auto-resolution and a configurable escalation timer. Conflicts are immutable; closure replaces deletion.

Zone 5

Notifier

Isolated notification service. One-directional push, its own key store / retry / log. Channel allowlist + blocklist.

Zone 6

MCP Gateway

Sandboxed MCP servers. Bidirectional firewall. Tiered inspection (fast-path for trusted, full-path for everything else). LLM allowlist per user/project.

Zone 7

Security Policy Engine

Two inspection gates per Vault write (pre-queue + pre-write). Content classification, PII detection, progressive enforcement (warn → rate-limit → block).

Zone 8

Code Sandbox

CVE scanning, quarantine with feedback, developer pattern detection. Untrusted code never executes against the live Vault.

Write path

The Consolidator is the sole writer. Everything else is read-only.

Event-driven consolidation. Two security inspection gates run before any write lands in the Vault.

Step 1

Workspace write

User edits, AI captures, or SDK pushes land in a workspace sandbox. The Vault stays untouched.

Step 2

Consolidation trigger

Captures fire an event-driven trigger; a periodic heartbeat catches anything missed. No polling loops, no race windows.

Step 3

Security inspection

Zone 7 pre-queue gate: content classification, PII detection, policy allowlist. Tiered for performance.

Step 4

AI summarization

The internal AI engine produces a structured rollup — key takeaways, decisions, learnings, and contradictions.

Step 5

Vault commit

Atomic write to the Vault. Per-user master context updated. Activity index appended. Tier 2 graph index updated asynchronously.

Read path

Three retrieval tiers, in order of cost.

Tier 1 fits in a single message; Tier 2 walks the POPE-based ontology graph; Tier 3 fetches the raw Vault file. Most queries resolve at Tier 1.

Tier 1 · Consolidated Master Context

Pre-assembled per user, team, and guest. Cold zone (institution), warm (project), hot (user). Loaded on session boot — the AI has its full operating context in one document.

Generated by the Consolidator with AI summarization for hot zones
Per-user version reflects only that user's slice
Auto-seeded at brain pod boot with role + identity stamps

Tier 2 · POPE Graph RAG

Relationship-aware retrieval over People / Organizations / Places / Events plus provenance (Decisions, Learnings) and reliability (Risks). Metadata pointers; content fetched on demand.

Built fresh at every brain pod boot from the canonical Vault
Updated continuously as new content lands, with bounded lag per deployment tier
Never blocks a Vault write — graph stays a derivative index, not a dependency

Tier 3 · On-demand Vault read

Direct file read from the Vault, role-tier gated. Symlink-blocked, path-traversal-blocked, audit-logged on every access — granted or denied.

Used when the graph misses or returns a metadata pointer
Same role gate as the canonical Vault tree — no new attack surface
Falls back to direct content search when the graph is offline

The Handler

An internal AI engine that routes — never decides.

An internal, fine-tuned language model runs locally on every brain pod. It summarizes, classifies, detects conflicts, and runs security checks. It does not make business decisions — that's your team's job.

Summarize — daily activity rollups, project digests, executive briefs
Classify — content type, sensitivity, ontology tags
Detect conflicts — concurrent edits, contradicting decisions
Security check — companion to the Zone 7 inspection gates
Extract — structured decisions and learnings from unstructured chats

No external AI provider sees your data. The engine runs entirely inside your brain pod's trust boundary — same physical box as the Vault, behind the same role-tier gates.

🤖 Internal AI engine · in-process · zero external calls

→ summarize · today's activity
  inputs: 14 captures from a project
  task: structured rollup
← structured response · <2s

                            {

                              "summary": "Q3 launch substrate complete…",

                              "key_takeaway": "All milestones green",

                              "decisions": [3 entries],

                              "learnings": [4 entries],

                              "contradiction": null

                            }

Deployment

Your data stays where your compliance requires.

Four deployment tiers. The same Go binary. Different boundaries.

Tier 1

Hosted Standard

Multi-tenant on bRRAIn cloud
Sub-second retrieval
Up in < 90 seconds
Auto-managed updates

Tier 2

Co-located

Dedicated brain pod, our infra
Isolated tenancy
Per-org encryption keys
Operator-controlled upgrades

Tier 3

Data-Resident

Pinned to your jurisdiction
Sovereign-cloud geo gating
Per-region audit logs
Compliance-aligned

Tier 4

Sovereign On-Prem

Air-gappable
Your hardware, your keys
Customer-defined SLOs
Full operator ownership

Constraints

59 accepted design decisions. None will be revisited unless business fundamentals change.

Architecture is the set of decisions you don't have to re-make. Here are the load-bearing ones.

Zero-trust by zone

Every zone implements zero trust; no implicit trust boundaries exist. Cross-zone calls go through audited interfaces, not direct memory access.

Multi-tenant isolation

Tenant data is cryptographically isolated. Cross-tenant leakage is architecturally impossible — not policy-impossible.

Audit-grade logging

Every operation produces immutable, compliance-grade audit trails. Tamper-evident — drop, reorder, or modify any event and the chain breaks detectably.

Event-driven consolidation

Captures fire an explicit trigger; a periodic heartbeat catches anything missed. No polling loops, no hot writers, no race windows.

Sandboxed extensions

MCP servers, code handlers, and LLM calls run in isolated environments. Ports inspected, response classified, propagation throttled.

Universal Identity

Cross-organization user IDs (Sovrynty integration) enable the vendor network. Identity travels; trust doesn't.

Need an architecture review?

Enterprise plans include a dedicated architecture review with our engineering team. We can also share the full 59-decision design decision log under NDA.

Talk to engineering Read the docs