Service Breakdown
Frontend, backend, proxy, and CSRG-IAP service details.
Service Breakdown
1. Frontend Console (React SPA)
The web application that users interact with. Built with React 18, TypeScript, and Tailwind CSS.
Responsibilities:
- User authentication (email/password, Google OAuth, GitHub OAuth)
- Organization management
- MCP server and agent registration
- Policy creation with visual builder
- Dashboard with security metrics and analytics
- API key management
- Intent plan monitoring and visualization
Connects to: Backend API via HTTPS (https://customer-api.armoriq.ai)
2. Backend API (NestJS)
The central business logic layer built with NestJS and Prisma ORM.
Key modules:
| Module | Purpose |
|---|---|
| Auth | JWT authentication, OAuth (Google/GitHub), OTP verification, password reset |
| Organization | Multi-tenant org management, memberships, quotas, invitations |
| MCP | MCP server registry, URL resolution, certificate management |
| Agent Scanner | Agent registration, framework detection (A2A/MCP), security scanning |
| Intent Assurance Plan (IAP) | Intent plan processing, CSRG integration, Merkle tree construction, step verification |
| Policies | Policy CRUD, target-based rules, per-member and per-client access control |
| Domain Mapping | Custom domain → target URL mapping, DNS verification |
| Proxy Enforcement | Proxy token generation, OAuth2 authorization code, token exchange |
| API Keys | Key generation, validation, usage tracking |
| OAuth Client | OAuth 2.0 client registration and secret management |
| Dashboard | Aggregated metrics, analytics, alerts |
| Audit Log | Timestamped, org-scoped audit trail |
| Scan | Vulnerability scanning engine for MCP servers |
Connects to: CSRG-IAP for intent signing, Prisma DB for persistence
3. Proxy Server (NestJS)
A stateless reverse proxy that intercepts all traffic between AI agents/SDKs and MCP servers.
Responsibilities:
- Authenticate incoming requests (JWT, API key, or CSRG proof headers)
- Resolve target URL from token claims or dynamic MCP lookup
- Enforce policies (tool access control, domain validation, audience checks)
- Verify each tool execution via backend Intent Assurance Plan (IAP) step verification
- Verify cryptographic Merkle proofs via CSRG
- Forward validated requests to the target MCP server
- Support SSE streaming and MCP session management
- Create audit logs for every proxied request
Key design: The proxy has no database - all validation is delegated to the backend and CSRG services.
4. CSRG-IAP (Python / FastAPI)
The Canonical Structured Reasoning Graph engine provides cryptographic intent assurance.
Responsibilities:
- Build deterministic reasoning graphs from execution plans
- Compute Merkle trees over plan nodes for tamper detection
- Sign intent tokens with Ed25519 (or ECDSA P-256 for GCP)
- Verify individual tool actions against the signed plan using Merkle proofs
- Track trust deltas (ReAnchor, Delegate, Revoke)
- Maintain append-only Merkle audit logs