
Current Stack, Solution, and IA Map

Last reviewed: 2026-05-10

This document supersedes older stack snapshots. It is the current routing document for FractalOps stack ownership, solution placement, information architecture, and external technology assumptions.

FractalOps is the organization's meta-control plane. It operates the loop:

onboarding -> work -> proposal -> proof -> reflective improvement

FractalOps strongly owns the execution substrate required to operate that loop. Adjacent tools remain integration endpoints unless they directly provide runtime execution, identity, secret, proof, lineage, or delivery state.

  1. Constitution and canonical architecture
  2. Runtime topology and stack operation catalog
  3. Kubernetes/Argo GitOps manifests
  4. Package manifests and lockfiles
  5. External official vendor documentation
  6. Historical docs

Historical docs must not override this page. If a requirement conflicts with this page, update the older requirement page or link it back here.

Portal
-> Proposal Plane
-> Studio / Harness Runtime
-> AgentSquad or Ouroboros run
-> Daytona workspace / execution slot
-> agent process adapter
-> Armory MCP and skills
-> GitHub App PR / issue evidence
-> Semantics + DataHub + ClickHouse + Chronicle

| Plane | FractalOps Role | Not Allowed |
|---|---|---|
| Semantics | Ontology, identity, lineage meaning | Bulk telemetry store |
| DataHub | Catalog, searchable lineage, entity/aspect metadata | Mutation gate or proof authority |
| Mimir | Runtime metrics and build/cache time series | Proof facts or ontology |
| GlitchTip | Application error/performance tracking (Sentry-compatible) | Metrics TSDB, ontology, or proof authority |
| ClickHouse | Proof facts, event analytics, warehouse projections | Long-form wiki body store or metrics TSDB |
| Chronicle/WORM | Long-term evidence artifacts and provenance | UI state store |
| GitHub App | Issue, PR, review, merge identity | Human PAT fallback for agents |
| OpenBao | Secret and runtime credential authority | Plain env drift |
| OpenTelemetry | Trace/metric/log signal transport | Product ontology replacement |

| Area | Current Baseline |
|---|---|
| Python | >=3.11, managed through uv |
| Backend | FastAPI, Pydantic v2, SQLAlchemy v2, Alembic |
| Agent runtime | LangGraph >=0.6, checkpoint-postgres, LangGraph CLI |
| Durable workflow | Temporal Python SDK |
| RDF/ontology | rdflib |
| Observability | OpenTelemetry API/SDK/OTLP HTTP, Mimir metrics store |
| Error tracking | GlitchTip 6.1.8 (Sentry-compatible), per-project DSN auto-provisioned by project_factory |
| Frontend package manager | pnpm@10.24.0 |
| Portal | Astro >=6.4.0, React 19, Tailwind >=4.3.0, DaisyUI 5 |
| Portal state | Nanostores plus route-local React state where needed |
| Flow UI | @xyflow/react; topology flows must share palette/node patterns |
| Browser automation | Playwright ^1.59.1, routed through PlaywrightGrid for runtime work |

Generated from the live FractalOps stack catalog on 2026-05-10.

| Stack | Primary Operation | Ownership Class |
|---|---|---|
| argocd | bootstrap_argocd_identity_gitops | GitOps substrate |
| clickhouse | bootstrap_clickhouse | warehouse/proof fact plane |
| cloudflared | install_cloudflared_openbao | edge connector |
| daytona | create_project_daytona_workspace | execution workspace substrate |
| datahub | bootstrap_datahub | catalog/lineage plane |
| dokploy | configure_dokploy_git_transport | persistent backing services + static delivery endpoint |
| evidence | bootstrap_evidence_supabase | Chronicle/evidence storage |
| fractalops | bootstrap_fractalops_apps | product runtime |
| gitops | reconcile_connector_ssot | topology reconciliation |
| headlamp | bootstrap_headlamp | Kubernetes operator UI endpoint |
| k3s | reconcile_k3s_oidc | Kubernetes execution substrate |
| kafka | bootstrap_kafka | event/log stream substrate |
| langboard | create_project_daytona_workspace | project lifecycle and issue surface |
| openbao-secret-delivery | reconcile_connector_ssot | secret delivery chain |
| penpot | bootstrap_daytona_penpot_argocd | design endpoint |
| pomerium | bootstrap_pomerium_runtime | zero-trust access edge |
| runtime-storage | storage_surface_metrics | storage pressure and cleanup |
| nexus | reconcile_nexus_fractalops | internal package + docker/build cache registry (folds the former registry-cache LXC) |
| windmill | windmill_runbook_catalog | runbook and lightweight automation endpoint |

| Layer | Current Direction |
|---|---|
| Cluster | k3s remains the near-term runtime cluster. |
| Networking | Cilium CNI is the target network/security substrate. |
| Ingress | Gateway API is the target Kubernetes ingress contract. |
| Policy | Default deny NetworkPolicy first; then explicit service egress/ingress. |
| Pod security | Kyverno enforces Pod Security Standards, Restricted where possible. |
| Secrets | External Secrets pulls from OpenBao/Vault-compatible scopes. |
| Image trust | Sigstore/Cosign for signatures and attestations. |
| Workload identity | SPIFFE/SPIRE for workload identity; no hard-coded local IP identity. |
| mTLS | Cilium mTLS or Istio Ambient only after SPIFFE identity is stable. |
| Build | Platform CI image builds are GitOps-pinned and use the Nexus build cache. There is no per-project or in-sandbox build pipeline; dev previews are bare processes (see Dev Preview Plane). |
| Cache | Single Nexus cache plane (npm/pypi/apt/docker-pull/buildcache) + workspace-level transparent turbo/cache surfaces. |
| Autoscaling | HPA exists for API/Portal/Worker; queue/resource metrics must drive future scale policy. |

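The policy direction above is "default deny first, then explicit service egress/ingress". The following Python check is an added example, not FractalOps tooling, of how a GitOps pre-merge linter could enforce that rule over NetworkPolicy manifests that have already been parsed from YAML into dicts. The manifests, namespace names and policy names are constructed samples; the findings it reports (no default-deny policy for a direction, a rule with no peers, an egress ipBlock that covers every address) are the three ways the rule is usually broken in practice.

```python
"""Check NetworkPolicy manifests against 'default deny first, then explicit egress/ingress'.

Added example, not FractalOps tooling. SAMPLE_POLICIES are constructed
manifests, parsed from YAML into dicts as a GitOps linter would see them.
"""
from collections import defaultdict

ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def is_default_deny(policy: dict, direction: str) -> bool:
    """Default deny for a direction: empty podSelector (every pod in the namespace),
    the direction listed in policyTypes, and no allow rules for it."""
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) != {}:
        return False
    if direction not in spec.get("policyTypes", []):
        return False
    return not spec.get(direction.lower(), [])


def unrestricted_rules(policy: dict) -> list:
    """Rules without 'from'/'to' peers allow every source or destination,
    which is the opposite of explicit service ingress/egress."""
    spec = policy.get("spec", {})
    found = []
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for rule in spec.get(direction, []):
            if not rule.get(peer_key):
                found.append(direction)
    return found


def allows_any_address(policy: dict) -> bool:
    """Egress to 0.0.0.0/0 or ::/0 without an 'except' list is not explicit egress."""
    for rule in policy.get("spec", {}).get("egress", []):
        for peer in rule.get("to", []):
            block = peer.get("ipBlock", {})
            if block.get("cidr") in ANY_CIDRS and not block.get("except"):
                return True
    return False


def check_namespace_policies(policies: list) -> dict:
    """Findings per namespace; an empty list means the namespace follows the rule."""
    by_ns = defaultdict(list)
    for policy in policies:
        by_ns[policy["metadata"].get("namespace", "default")].append(policy)
    findings = {}
    for ns, items in by_ns.items():
        problems = []
        for direction in ("Ingress", "Egress"):
            if not any(is_default_deny(p, direction) for p in items):
                problems.append(f"no default-deny {direction} policy")
        for policy in items:
            name = policy["metadata"]["name"]
            for direction in unrestricted_rules(policy):
                problems.append(f"{name}: {direction} rule with no peers allows all")
            if allows_any_address(policy):
                problems.append(f"{name}: egress ipBlock covers every address")
        findings[ns] = problems
    return findings


def netpol(name, namespace, pod_selector, policy_types, **rules):
    """Constructor for the constructed sample manifests below."""
    spec = {"podSelector": pod_selector, "policyTypes": policy_types}
    spec.update(rules)
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace}, "spec": spec}


SAMPLE_POLICIES = [  # constructed samples; namespaces and names are placeholders
    netpol("default-deny-all", "fractalops-api", {}, ["Ingress", "Egress"]),
    netpol("allow-dns-egress", "fractalops-api", {}, ["Egress"], egress=[{
        "to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
        "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}]),
    netpol("api-to-postgres", "fractalops-api", {"matchLabels": {"app": "fractalops-api"}}, ["Egress"],
           egress=[{"to": [{"podSelector": {"matchLabels": {"app": "postgresql"}}}],
                    "ports": [{"protocol": "TCP", "port": 5432}]}]),
    netpol("open-egress", "scratch", {"matchLabels": {"app": "tool"}}, ["Egress"],
           egress=[{"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]),
]

if __name__ == "__main__":
    for ns, problems in check_namespace_policies(SAMPLE_POLICIES).items():
        print(ns, "OK" if not problems else problems)
```

Run as written, the "fractalops-api" namespace passes (a default deny for both directions, then a DNS egress rule and a service-scoped database rule) while "scratch" gets three findings: no default-deny Ingress, no default-deny Egress, and an egress ipBlock covering every address.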
| Solution | User Surface | Execution Surface | Truth Owner |
|---|---|---|---|
| Portal | yamonco/fractalops-frontend:portal Astro shell | FastAPI routes and generated API facade | Frontend repo + FractalOps GitOps |
| Project delivery | /projects/*, /work/* | AgentSquad on Daytona + LangGraph | GitHub App + Semantics |
| Research | /research/*, /domains/research/* | Research-mode AgentSquad on same runtime | Astro/Starlight repo + DataHub/wiki |
| Ouroboros | /admin/agents/ouroboros, CLI | Studio run for FractalOps self-improvement | FractalOps repo issues |
| Platform image build | CI release pipeline | GitOps-pinned image builds with the Nexus build cache | Build evidence + registry |
| Dev preview plane | Project workspace UI | Bare dev server in the Daytona sandbox + daytona-proxy signed URL; <slug>.monstore.io per project | Dev Preview Plane + project delivery guard |
| Persistent services | Project workspace UI | Dokploy (databases, static-site / vercel-sim hosting, big-facility compose) | Project delivery guard |
| Browser proof | Portal/Daytona/Agent HUD | PlaywrightGrid MCP | Chronicle evidence refs |
| Error tracking | Project apps + GlitchTip MCP triage | GlitchTip (Sentry-compatible) on fractalops-postgresql | Per-project DSN + GlitchTip org |
| Search/wiki | Research and AgentSquad tools | SearXNGgrid + Agent Memory Archive | Wiki body + DataHub catalog |
| Lineage | Portal lineage pages | RDF/OpenLineage/DataHub projection | Semantics/DataHub/ClickHouse |
| Secrets | Portal credential broker | OpenBao, External Secrets, SPIFFE where available | OpenBao |

Reuse the same Studio, Daytona, LangGraph, mailbox, GitHub App, and DataHub lineage rails. Agent role order, handoff graph, MCP/skill loadout, write policy, repository scope, and PR submitter policy are owned by the Studio Team Contract. Template catalogs, Armory, project profile hydration, and generation reconciliation must render from that contract instead of carrying their own role maps.

| Team Type | Purpose | Required Agents |
|---|---|---|
| ouroboros | FractalOps self-improvement | Core-8 plus explicit extension packs |
| agentsquad | Project delivery | planner, curator, backend, frontend, tester, committer, compactor, closer |
| research | Investigation and documentation | inquirer, curator, scout, auditor, actor, scribe, tester, committer, closer |

Research is not a separate runtime. It creates one research request, one monorepo, one Daytona workspace, and one Astro/Starlight documentation surface. Each follow-up request is a ticket and PR in that research repo.

The Portal is not a landing page. It is the operating surface.

| Group | Routes | Purpose |
|---|---|---|
| Home | /, /workspace, /work/* | operator daily work and launch path |
| Projects | /projects, /projects/:slug/* | project assets, team, studio, proof, operations |
| Research | /research, /research/*, /domains/research/* | search, wiki, evidence, lineage, experiments |
| Runtime | /runtimes, /admin/agents/*, /operations, /ops/* | runtime state and operator controls |
| Data | /data, /datasets, /domains, /glossary | catalog and domain graph navigation |
| Review | /review/*, /proposals/*, /proof/* | approvals, evidence gaps, proof closure |
| Packages | /packages/*, /repos/*, /credentials | package, repository, and credential surfaces |
| Admin | /admin/* | access workbench, templates, semantics, evidence renewal |

| Layer | Rule |
|---|---|
| Template | PortalShell and PortalPageShell own persistent shell and copilot docking. |
| Organism | Page-specific business surfaces live under organisms. |
| Molecule | Reusable controls, flow nodes, tables, selectors, disclosure panels. |
| Atom | Badges, icons, brand mark, small chips. |
| Runtime state | Global shell/copilot state stays persistent; page state must not recreate global docks. |

Current direction:

Agent action
-> structured event
-> OpenTelemetry signal
-> ClickHouse fact
-> Semantics RDF identity
-> DataHub entity/aspect/search projection
-> Chronicle evidence ref when proof artifact exists

OpenLineage should be used for portable run/job/dataset lineage events where its event model fits. FractalOps-specific agent, issue, PR, browser, and proof metadata should be custom facets/aspects rather than parallel ad hoc event shapes.
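As an added illustration of the custom-facet approach (example code, not FractalOps or OpenLineage project code), the Python below projects one agent action from the flow above into an OpenLineage RunEvent. The run facet carries the agent, squad generation, tool loadout, PR reference and lineage refs, plus a digest of the handoff graph rather than the graph itself, which is what this page's rule against full graph snapshots in evidence rows asks for. The event layout and the `_producer`/`_schemaURL` requirement on custom facets follow the public OpenLineage spec; the producer URI, facet name, facet schema URL and the sample action are assumptions or constructed values.

```python
"""Project an agent action into an OpenLineage RunEvent with a custom FractalOps facet.

Added example, not FractalOps code. PRODUCER, FACET_SCHEMA, the facet name
"fractalops_agent" and SAMPLE_ACTION are assumptions / constructed values.
"""
import hashlib
import json
import uuid
from datetime import datetime, timezone

# RunEvent schema URL from the public OpenLineage spec
OPENLINEAGE_SCHEMA = "https://openlineage.io/spec/2-0-2/OpenLineage.json#/$defs/RunEvent"
EVENT_TYPES = {"START", "RUNNING", "COMPLETE", "ABORT", "FAIL", "OTHER"}
PRODUCER = "https://example.invalid/fractalops/lineage"            # assumed producer URI
FACET_SCHEMA = "https://example.invalid/fractalops/spec/agent-facet.json"  # assumed


def graph_digest(graph: dict) -> str:
    """sha256 over canonical JSON: key order does not change the digest, and the
    facet carries this short value instead of the full handoff graph."""
    canonical = json.dumps(graph, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def agent_facet(action: dict) -> dict:
    """Custom facet. OpenLineage requires _producer and _schemaURL on every custom facet."""
    return {
        "_producer": PRODUCER,
        "_schemaURL": FACET_SCHEMA,
        "agent": action["agent"],
        "squad_generation": action["squad_generation"],
        "tool_loadout": sorted(action["tools"]),
        "pr": action.get("pr"),
        "graph_digest": graph_digest(action["handoff_graph"]),
        "lineage_refs": sorted(action["lineage_refs"]),
    }


def build_run_event(action: dict, event_type: str, run_id: str = "", event_time: str = "") -> dict:
    """Structured event -> OpenLineage RunEvent; the repository is the input dataset
    and the PR (when present) is the output dataset."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown eventType {event_type}")
    pr = action.get("pr")
    return {
        "eventType": event_type,
        "eventTime": event_time or datetime.now(timezone.utc).isoformat(),
        "run": {"runId": run_id or str(uuid.uuid4()),
                "facets": {"fractalops_agent": agent_facet(action)}},
        "job": {"namespace": action["project"], "name": f"agentsquad.{action['agent']}", "facets": {}},
        "inputs": [{"namespace": "github", "name": action["repository"]}],
        "outputs": ([{"namespace": "github", "name": f"{action['repository']}/pull/{pr}"}] if pr else []),
        "producer": PRODUCER,
        "schemaURL": OPENLINEAGE_SCHEMA,
    }


def validate_run_event(event: dict) -> list:
    """Checks to run before projecting the event to DataHub/ClickHouse."""
    problems = []
    for key in ("eventType", "eventTime", "run", "job", "producer", "schemaURL"):
        if key not in event:
            problems.append(f"missing top-level field {key}")
    if event.get("eventType") not in EVENT_TYPES:
        problems.append(f"unknown eventType {event.get('eventType')!r}")
    for name, facet in event.get("run", {}).get("facets", {}).items():
        for required in ("_producer", "_schemaURL"):
            if required not in facet:
                problems.append(f"facet {name} missing {required}")
        if "handoff_graph" in facet:
            problems.append(f"facet {name} embeds a full graph snapshot; store a digest")
    return problems


SAMPLE_ACTION = {  # constructed sample; project, repo and PR number are placeholders
    "project": "demo-project",
    "agent": "committer",
    "squad_generation": 3,
    "repository": "example-org/demo-repo",
    "pr": 42,
    "tools": ["playwright_grid", "github_app"],
    "handoff_graph": {"planner": ["backend", "frontend"], "backend": ["tester"],
                      "frontend": ["tester"], "tester": ["committer"]},
    "lineage_refs": ["chronicle://evidence/demo-0001"],
}

if __name__ == "__main__":
    event = build_run_event(SAMPLE_ACTION, "COMPLETE")
    print(json.dumps(event, indent=2))
    print("problems:", validate_run_event(event))
```

The same facet shape can be registered as a DataHub aspect on the run-attempt entity, so one structure serves both the OpenLineage projection and the catalog projection instead of two ad hoc event shapes.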

DataHub is already designed around entities and aspects. FractalOps should project:

  • project
  • repository
  • agent squad generation
  • run attempt
  • workspace lease
  • browser lease
  • tool loadout
  • issue and PR delivery
  • evidence artifact
  • wiki/search knowledge asset
  • dataset/feature/API/route lineage

SearXNGgrid must behave like an enriched search gateway:

  1. Query web sources.
  2. Query internal wiki/search index with higher priority.
  3. Return merged results with source, freshness, confidence, and lineage refs.
  4. Mark stale wiki results explicitly.
  5. Let the agent create a wiki update proposal when a stale result is corrected.
  6. Project the update to DataHub and ClickHouse.

The wiki body store and DataHub catalog must not split into two disconnected products. DataHub/Elasticsearch-like discovery should be reused for entity and lineage search; wiki content remains a body/source store.
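The six-step gateway behaviour above, as an added example that is not SearXNGgrid code: the Python below merges web and wiki hits, lets the wiki win on duplicate URLs and on ties, attaches source, freshness, confidence and lineage refs to every result, marks stale wiki results, and builds the update proposal with its DataHub/ClickHouse projection targets. The hits are constructed, and the wiki boost, staleness window, stale penalty and confidence formula are assumptions chosen to make the priority rules visible.

```python
"""Merge web and wiki search hits with wiki priority and explicit stale marking.

Added example, not SearXNGgrid code. WIKI_BOOST, STALE_AFTER, STALE_PENALTY and
the sample hits are assumptions / constructed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WIKI_BOOST = 0.25                  # assumed: internal wiki outranks web at equal relevance
STALE_AFTER = timedelta(days=90)   # assumed staleness window for wiki results
STALE_PENALTY = 0.5                # assumed confidence multiplier for stale wiki results


@dataclass(frozen=True)
class Hit:
    source: str          # "wiki" or "web"
    url: str
    title: str
    fetched_at: datetime
    score: float         # engine relevance, 0..1
    lineage_refs: tuple = ()


@dataclass(frozen=True)
class Result:
    source: str
    url: str
    title: str
    freshness_days: int
    confidence: float
    stale: bool
    lineage_refs: tuple


def canonical_url(url: str) -> str:
    """Dedupe key: lowercase scheme/host, trailing slash stripped."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path.rstrip('/') or '/'}"


def merge_results(web, wiki, now: datetime) -> list:
    """Steps 1-4: wiki hits are visited first so they win duplicates, get a boost,
    and are flagged stale (with reduced confidence) past STALE_AFTER."""
    seen = {}
    for hit in list(wiki) + list(web):
        key = canonical_url(hit.url)
        if key in seen:
            continue
        age = now - hit.fetched_at
        stale = hit.source == "wiki" and age > STALE_AFTER
        confidence = min(1.0, hit.score + (WIKI_BOOST if hit.source == "wiki" else 0.0))
        if stale:
            confidence *= STALE_PENALTY
        seen[key] = Result(hit.source, hit.url, hit.title, age.days,
                           round(confidence, 3), stale, hit.lineage_refs)
    return sorted(seen.values(), key=lambda r: (-r.confidence, r.source != "wiki"))


def wiki_update_proposal(stale: Result, correction: Result) -> dict:
    """Steps 5-6: the proposal the agent files when a stale wiki result is corrected,
    with the projection targets recorded on it."""
    if stale.source != "wiki" or not stale.stale:
        raise ValueError("only stale wiki results get an update proposal")
    return {
        "kind": "wiki_update_proposal",
        "target": stale.url,
        "evidence": correction.url,
        "evidence_freshness_days": correction.freshness_days,
        "lineage_refs": list(stale.lineage_refs) + list(correction.lineage_refs),
        "project_to": ["datahub", "clickhouse"],
    }


# constructed sample hits for a query about upgrading the portal stack
NOW = datetime(2026, 5, 10, tzinfo=timezone.utc)
WIKI_HITS = (
    Hit("wiki", "https://wiki.internal/daytona-lifecycle", "Daytona lifecycle",
        NOW - timedelta(days=10), 0.6, ("datahub:urn:wiki:daytona-lifecycle",)),
    Hit("wiki", "https://wiki.internal/astro-upgrade", "Astro upgrade notes",
        NOW - timedelta(days=120), 0.7, ("datahub:urn:wiki:astro-upgrade",)),
)
WEB_HITS = (
    Hit("web", "https://docs.astro.build/en/upgrade-astro/", "Upgrade Astro", NOW - timedelta(days=2), 0.8),
    Hit("web", "https://wiki.internal/daytona-lifecycle/", "Daytona lifecycle (mirror)", NOW - timedelta(days=1), 0.9),
)

if __name__ == "__main__":
    merged = merge_results(WEB_HITS, WIKI_HITS, NOW)
    for r in merged:
        print(r.source, r.confidence, "STALE" if r.stale else "fresh", r.url)
    print(wiki_update_proposal(merged[2], merged[1]))
```

With the constructed hits, the fresh wiki page ranks first even though a web mirror of the same URL scored higher, the official upgrade page ranks second, and the 120-day-old wiki page ranks last with `stale=True`; the proposal pairs that stale page with the fresher web evidence and names the two projection targets.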

Official docs checked on 2026-05-10:

| Stack | Current External Assumption | Official Source |
|---|---|---|
| Astro | Astro docs track latest and reported latest release as v6.3.0; FractalOps Portal currently pins ^6.1.10. | https://docs.astro.build/en/upgrade-astro/ |
| Daytona | Workspaces, lifecycle, scheduling, and warm workspace reconciliation remain first-class Daytona concepts. | https://daytona.com/docs/ |
| DataHub | Use entities/aspects and metadata graph, not custom one-off catalog tables. | https://docs.datahub.com/docs/metadata-modeling/metadata-model/ |
| OpenLineage | Use JSON-schema/OpenAPI event model and custom facets for extension. | https://openlineage.io/docs/spec/ |
| Pomerium | Identity-aware proxy for BeyondCorp/zero-trust access. | https://www.pomerium.com/docs |
| OpenBao | Secret generation and encryption service; keep it as secret authority. | https://openbao.org/ |
| SPIFFE/SPIRE | Kubernetes PSAT node attestation and workload registration are the target identity model. | https://spiffe.io/docs/latest/deploying/configuring/ |
| Cilium | Gateway API and policy integration are the target network model. | https://docs.cilium.io/en/latest/network/servicemesh/gateway-api/gateway-api.html |
| Kyverno | Pod Security Standards can be enforced as Kyverno policies. | https://kyverno.io/policies/pod-security/ |
| Windmill | Use scripts/flows/apps/workers/MCP for lightweight runbooks, not as durable execution replacement. | https://www.windmill.dev/docs/core_concepts/mcp |
| Sigstore/Cosign | Prefer identity-based/keyless signing and attestation verification. | https://docs.sigstore.dev/cosign/signing/overview/ |
| Cloudflare Tunnel | Outbound cloudflared tunnel is the edge connector; avoid inbound host exposure. | https://developers.cloudflare.com/tunnel/ |
| GitHub App | Agents use GitHub App installation tokens for repo/issue/PR work. | https://docs.github.com/rest/reference/apps |

| Legacy/Drift | Current Rule |
|---|---|
| alternate agent process adapters as product truth | Removed. LangGraph Harness Runtime owns Studio/AgentSquad execution state. |
| local browser fallback | Not canonical. Use PlaywrightGrid. |
| human PAT for agents | Not allowed. Use GitHub App. |
| local Docker daemon in Daytona | Forbidden. docker is hard-walled in the sandbox; dev previews are bare processes (see Dev Preview Plane) and persistent services live on Dokploy. |
| in-sandbox compose/build-and-ship plane | Removed. There is no per-project build pipeline; platform images are CI-built and GitOps-pinned. |
| raw local IP as identity | Not allowed. Use domain/runtime asset/SPIFFE identity. |
| full graph snapshots in high-frequency evidence rows | Not allowed. Store digest summaries and lineage refs. |
| OpenFGA/OPA as duplicated app auth mesh | Keep only where policy contract is explicit and value is proven. |

Every stack or IA change must update this page first, then update narrow per-stack pages.

Required update evidence:

  • fops stacks list --compact
  • gh repo clone yamonco/fractalops-frontend /tmp/fractalops_frontend && find /tmp/fractalops_frontend/portal/src/pages -maxdepth 4 -type f
  • package/lockfile delta
  • platform/k8s/argocd and platform/k8s/apps delta
  • official upstream docs link when behavior depends on a vendor feature