Core architecture
- Three components: API server, vector database, and LLM provider connection.
- Optional web UI on top.
- Standard flow: ingest, chunk, embed, retrieve context, and answer.
Architecture comparison
VaultCrux vs typical RAG
A standard RAG stack is optimized for speed of setup. VaultCrux is optimized for evidence quality, control, and auditability.
The typical RAG-as-a-Service stack
In market research across platforms such as Orq.ai, Nuclia, Stack AI, and open-source frameworks like LlamaIndex, Haystack, and Verba, the common deployment shape is intentionally simple.
Operating footprint
- Single-cloud deployment with API plus managed vector store.
- Usually Postgres for user accounts and a reverse proxy.
- Often two to three servers run comfortably by one team.
What VaultCrux actually runs
VaultCrux is built as an evidence and control plane, not only a retrieval API. The as-built production topology and software layers are materially deeper.
- Four dedicated hosts: app (API + MCP + workers + Frontdoor), data (Postgres + pgvector + Qdrant), ops (Prometheus + Alertmanager + Grafana + OpsLite), and dedicated HashiCorp Vault (Raft + Transit signing), connected through Tailscale.
- Four-layer retrieval pipeline: hybrid BM25+ANN candidate generation, lane-aware late fusion across four embedding lanes (768 -> 1024 -> 1536 -> 3072), meaning control via priors and receipt-normalized anchoring, and reranking.
Receipts and governance
- CROWN receipts (BLAKE3 hashing + ed25519 Transit signing + append-only provenance ledger).
- Shield capability firewall with 9 policy stages.
- WatchCrux independent audit layer and chunk-level evidence mapping.
Runtime economics and identity
- Ledgered credit mint/spend economy.
- MCP tool inventory (25+ tools across 6 service lines).
- Agent principal/sponsor separation with budget-capped tokens and multi-seat RBAC provisioning.