Aegis 365 -- Technology Stack
Core Technology Selections
| Component | Technology | Rationale |
|---|---|---|
| Language | C# 12 / .NET 8+ | Type safety, async/await first, enterprise diagnostics, Azure-native |
| API Gateway | .NET Minimal APIs + FastEndpoints | High-performance HTTP, built-in DI, OpenAI-compatible endpoint |
| Service Layer | Vertical Slice Architecture + MediatR | Per-feature encapsulation, event-driven patterns, testability |
| Hot Cache | Redis 7+ | Sub-ms access, Lua atomic operations, Azure Cache for Redis |
| Warm Store | MSSQL 2022 / PostgreSQL 15+ | Encrypted session state, Secure State Map, audit logs |
| Cold Archive | MSSQL / PostgreSQL + Azure Blob | Long-term immutable audit logs, ZKP proof chains |
| ORM | EF Core 8 + Dapper (hybrid) | EF for relationships, Dapper for bulk/perf-critical ops |
| Encryption | NaCl / Bouncy Castle + HSM | Format-preserving encryption, Shamir's Secret Sharing, PKCS#11 |
| Small LM (L1/L2) | Ollama + Mistral 7B or Phi-3 | Local execution, no external calls, FinServ-tuned |
| Message Queue | Azure Service Bus / RabbitMQ | Async event sourcing, L6 audit dispatch, idempotency |
| Identity Provider | Azure AD / Okta OIDC | Enterprise SSO, MFA, SCIM user lifecycle |
| Observability | Application Insights + ELK | Distributed tracing, real-time alerts, forensics |
| Deployment | Docker + Kubernetes (AKS) | Container-native, blue-green deploys, Helm charts |
| Cryptography | TweetNaCl.NET, BouncyCastle | Ed25519, HMAC-SHA256, AEAD (ChaCha20-Poly1305) |
Service Architecture -- Microservices-Ready Monolith
For an initial deployment (100--1,000 users), Aegis 365 implements a modular monolith with vertical slices. This allows independent scaling and testing while avoiding premature microservices complexity.
| Service / Module | Responsibility | Key Classes | Scaling Path |
|---|---|---|---|
| API Gateway | Routing, OpenAI-compat endpoint, OpenAPI | AegisApiController, PromptNormalizationMiddleware | Load balance across instances |
| L0 -- Behavioral | Action interception, HITL, Mosaic detection | BehavioralGuardrailService, ActionContextEngine | Shared Redis session state |
| L1 -- Intent | SLM inference, injection detection, ACI | IntentShieldService, LocalSLMConnector | Local SLM per node |
| L2 -- Classification | PII detection, sensitivity, Private Map | ClassificationEngine, SensitivityClassifier, PrivateSemanticMap | GPU-accelerated NER in cloud |
| L3 -- Anonymization | FPE, tokenization, Level 1--3 | AnonymizationEngine, SecureStateMapWriter | Shared Redis state map |
| L4 -- Hydration | Re-hydration, clearance gating, hover | HydrationEngine, ClearanceValidator, RoleBasedMasking | Clearance cache per user |
| L5 -- Sovereignty | Geo-routing, compliance, registry | SovereigntyBorderService, ComplianceRegistryCache | Embedded registry, async updates |
| L6 -- Proof & Audit | ZKP generation, Break Glass, logs | ProofNotaryService, AuditLogDispatcher, BreakGlassWorkflow | Event-sourced immutable store |
| L7 -- Cache | Semantic hashing, lookups, TTL | SemanticCacheService, VectorSimilarityCalculator | Distributed Redis, background eviction |
| Admin / Identity | RBAC, policy, user lifecycle | RoleBasedAccessControl, PolicyEngine, IdentitySyncWorker | Direct IdP integration |
| SIEM / SOAR | Event export, bidirectional commands | SIEMEventDispatcher, SOARCommandListener | Separate background worker |