Architecture Layers — Full Reference
The xOps sovereign stack is structured in six layers. This page gives the full technical detail for each layer; for the CxO overview, see the xOps page.
L6 · xOps Interface
| Attribute | Value |
|---|---|
| Technology | Open WebUI 0.8+ |
| Version | v0.8.x |
| Monthly Cost (Prod) | $45–85 |
| Terraform Module | terraform-aws-web (M3) — WIP |
| ADLC Mapping | Agents + Skills — pipeline engine = ADLC agent runtime |
Local: ghcr.io/open-webui/open-webui:latest · Claude API via native Anthropic integration
Prod: ECS Fargate arm64 · cpu=2048 mem=4096 · 2 to 6 replicas · 70% CPU target
Enterprise Features:
- Pipeline engine = Commands & Hooks layer
- Native MCP client + mcpo sidecar for OpenAPI bridge
- SCIM 2.0 → IAM Identity Center user sync
- OpenTelemetry → CloudWatch Application Signals
- Built-in RAG: document management + OpenAI/Claude embeddings — zero external vector DB
Why Not:
- Dify: Workflow builder IDE, not ops command centre
- SaaS ChatGPT/Teams: APRA CPS 234 data sovereignty breach
L5 · Runbooks + ADLC API
| Attribute | Value |
|---|---|
| Technology | FastAPI 0.115+ + CrewAI 0.102+ |
| Version | Python 3.13 |
| Monthly Cost (Prod) | $25–50 |
| Terraform Module | terraform-aws-web (M3) — WIP |
| ADLC Mapping | Memory & MCP — Claude API = reasoning engine; FastAPI = orchestration shell |
Local: fastapi-dev + crewai + cloudops-runbooks (pip) · LiteLLM → Claude API
Prod: ECS Fargate arm64 · cpu=1024 mem=2048 · 2 to 8 replicas · 60% CPU target
Enterprise Features:
- CloudOps-Runbooks PyPI v1.3: 119+ analyzers as MCP tools
- CrewAI Flows v2 + Knowledge (built-in ChromaDB): CloudOps + FinOps + DevSecOps crews
- LiteLLM gateway (golden path): Claude API direct all envs — Bedrock VPC = BC2+ config change
- Prompt Caching 5-min TTL: 60–80% net saving on interactive RAG (at >70% hit rate)
- SSE streaming → WebSocket bridge to Open WebUI
- Fargate Spot SIGTERM → EFS checkpoint (2 min drain) — recovers crew state on the replacement task
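The Prompt Caching item above rests on two things: the request must mark a stable prefix (system prompt plus RAG context) as cacheable, and the 5-minute TTL must be refreshed by the next request before it expires. The following is an added example, not code from the xOps project. It assumes the Anthropic Messages API `cache_control` block shape, the published 5-minute-cache price multipliers (cache write 1.25x, cache read 0.1x of the base input price) and a placeholder model name; all three are assumptions, not taken from the page.

```python
CACHE_TTL_SECONDS = 300   # page: 5-minute TTL
# Multipliers relative to the base input-token price, per Anthropic's published
# prompt-caching pricing for the 5-minute cache (assumed current, verify before use).
CACHE_WRITE_MULT = 1.25
CACHE_READ_MULT = 0.10


def build_cached_request(model: str, stable_context: str, user_turn: str) -> dict:
    """Messages API body with the stable RAG context marked as the cached prefix.

    Everything up to the cache_control breakpoint (here: the system block) is the
    cached prefix; the per-turn user message after it is always billed in full.
    Prefixes shorter than the model's minimum cacheable length are not cached.
    """
    return {
        "model": model,
        "max_tokens": 1024,
        "system": [
            {
                "type": "text",
                "text": stable_context,
                "cache_control": {"type": "ephemeral"},
            }
        ],
        "messages": [{"role": "user", "content": user_turn}],
    }


def cache_hit_pattern(request_times: list, ttl: int = CACHE_TTL_SECONDS) -> list:
    """For sorted request timestamps (seconds), return True for each request that
    hits the cache. A write and a read both refresh the TTL, so a session whose
    requests arrive less than `ttl` apart keeps hitting after the first write."""
    hits = []
    last_use = None
    for t in request_times:
        hits.append(last_use is not None and t - last_use <= ttl)
        last_use = t
    return hits


def input_cost_units(cached_tokens: int, dynamic_tokens: int, hits: list) -> dict:
    """Input-token cost in units of the base input price, with and without caching."""
    with_cache = 0.0
    for hit in hits:
        prefix_mult = CACHE_READ_MULT if hit else CACHE_WRITE_MULT
        with_cache += cached_tokens * prefix_mult + dynamic_tokens
    without_cache = float(len(hits) * (cached_tokens + dynamic_tokens))
    return {
        "with_cache": with_cache,
        "without_cache": without_cache,
        "hit_rate": sum(hits) / len(hits) if hits else 0.0,
        "net_saving": 1 - with_cache / without_cache if without_cache else 0.0,
    }


if __name__ == "__main__":
    # Constructed interactive session: five requests, each well inside the TTL.
    hits = cache_hit_pattern([0, 30, 90, 150, 200])
    print(build_cached_request("claude-model-placeholder", "<rag context>", "Why did EC2 spend rise?"))
    print(input_cost_units(cached_tokens=9500, dynamic_tokens=500, hits=hits))
```

The saving depends on both numbers the page names: a large cached prefix relative to the per-turn text, and a hit rate kept high by request gaps under five minutes. A session that idles past the TTL pays the 1.25x write again on its next request, so long-idle operator sessions are where the net figure degrades.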
Why Not:
- Lambda: Cold starts kill streaming; 15 min timeout breaks long-running crews
- Node.js: Python owns Anthropic SDK + CrewAI + boto3 ecosystem
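The Fargate Spot SIGTERM → EFS checkpoint item in the Enterprise Features above describes a drain-and-resume pattern. The following is an added example, not the xOps project's code. It assumes an EFS mount path of `/mnt/efs/crew-checkpoints` (overridable via the `XOPS_CHECKPOINT_DIR` environment variable), a crew modelled as an ordered list of idempotent steps, and constructed step names; none of these come from the page.

```python
import json
import os
import signal
import tempfile
import threading
from pathlib import Path

# Assumed EFS mount path inside the Fargate task (not taken from the page).
DEFAULT_CHECKPOINT_DIR = Path(os.environ.get("XOPS_CHECKPOINT_DIR", "/mnt/efs/crew-checkpoints"))


class CrewRunner:
    """Runs an ordered list of crew steps and checkpoints progress after each one.

    On SIGTERM (Fargate Spot interruption, about 2 minutes before SIGKILL) the loop
    stops at the next step boundary. Completed steps are already on EFS, so a
    replacement task builds a CrewRunner with the same crew_id, calls restore(),
    and continues from the first unfinished step instead of re-running the crew.
    A step cut off by SIGKILL is re-run by the replacement, so steps must be idempotent.
    """

    def __init__(self, crew_id: str, checkpoint_dir=DEFAULT_CHECKPOINT_DIR):
        self.crew_id = crew_id
        self.path = Path(checkpoint_dir) / f"{crew_id}.json"
        self.state = {"completed": [], "outputs": {}, "done": False}
        self.stop = threading.Event()

    def restore(self) -> bool:
        """Load an earlier checkpoint if present; True means this task is resuming."""
        if not self.path.exists():
            return False
        self.state = json.loads(self.path.read_text())
        return True

    def checkpoint(self) -> None:
        """Write state atomically (temp file, then os.replace) so a reader on EFS
        never sees a half-written JSON document."""
        self.path.parent.mkdir(parents=True, exist_ok=True)
        tmp = self.path.with_name(self.path.name + ".tmp")
        tmp.write_text(json.dumps(self.state))
        os.replace(tmp, self.path)

    def install_sigterm_handler(self) -> None:
        """ECS delivers SIGTERM first and SIGKILL after stopTimeout; the handler only
        flags the drain, because every finished step has already been checkpointed."""
        signal.signal(signal.SIGTERM, lambda signum, frame: self.stop.set())

    def run(self, steps, step_fn) -> dict:
        """Execute steps not yet completed; checkpoint after each; stop early when draining."""
        for step in steps:
            if step in self.state["completed"]:
                continue                       # finished by a previous task
            if self.stop.is_set():
                break                          # draining: leave the rest for the replacement
            self.state["outputs"][step] = step_fn(step)
            self.state["completed"].append(step)
            self.checkpoint()
        if len(self.state["completed"]) == len(steps):
            self.state["done"] = True
            self.path.unlink(missing_ok=True)  # no stale checkpoint once the crew finishes
        return self.state


def simulate_spot_interruption(checkpoint_dir=None) -> dict:
    """Constructed scenario: task 1 is told to drain after its first step; task 2 resumes."""
    checkpoint_dir = Path(checkpoint_dir or tempfile.mkdtemp(prefix="crew-ckpt-"))
    steps = ["inventory", "cost-analysis", "report"]   # constructed step names

    task1 = CrewRunner("finops-crew-42", checkpoint_dir)

    def step_then_interrupt(step):
        task1.stop.set()          # stand-in for the SIGTERM handler firing mid-run
        return f"{step}:ok"

    first = dict(task1.run(steps, step_then_interrupt))

    task2 = CrewRunner("finops-crew-42", checkpoint_dir)
    resumed = task2.restore()
    second = task2.run(steps, lambda step: f"{step}:ok")
    return {
        "first": first,
        "resumed_from_checkpoint": resumed,
        "second": second,
        "checkpoint_remains": task2.path.exists(),
    }


if __name__ == "__main__":
    runner = CrewRunner("finops-crew-42")
    runner.install_sigterm_handler()   # real deployment: register before the long loop
    print(simulate_spot_interruption())
```

The drain window only helps if the ECS task definition's `stopTimeout` is long enough for the current step to finish or the checkpoint to flush; with per-step checkpoints the worst case is one repeated step, which is why idempotent steps matter more than a fast handler.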
L4 · Data + Knowledge
| Attribute | Value |
|---|---|
| Technology | SQLite + ChromaDB (via CrewAI Knowledge) + Open WebUI RAG |
| Monthly Cost (Prod) | $6 (EFS) |
| Terraform Module | terraform-aws-efs (M4) — GAP |
| ADLC Mapping | Memory — SQLite = Open WebUI metadata; ChromaDB = vector RAG; tmp/ = FinOps evidence |
Local: SQLite (Open WebUI default) + ChromaDB (CrewAI Knowledge) + file-based FinOps — $0 data layer
Prod: EFS volume ($6/mo) for SQLite + ChromaDB durability on Fargate
Enterprise Features:
- SQLite: zero config, zero external DB — handles fewer than 50 users without issues
- ChromaDB (via CrewAI Knowledge): text/PDF/CSV chunking + vector embeddings — fully local RAG
- Open WebUI built-in RAG: document management + embeddings — consistent local/prod
- EFS volume: $6/mo persistent storage for SQLite + ChromaDB on Fargate
- File-based FinOps: JSON/CSV evidence in tmp/ — no SQL database needed at BC1 scale
Why Not:
- RDS PostgreSQL: $20/mo + ops overhead; SQLite handles fewer than 50 users; upgrade at BC2+
- Aurora Serverless v2: 0.5 ACU min = $43/mo; too much overhead for BC1
- pgvector: ChromaDB + Open WebUI RAG handle BC1 vectors; evaluate BC2+ for cross-system SQL+vector search
- S3 Tables (Iceberg): Excellent for FinOps analytics at scale; BC1 file-based sufficient
- Valkey / ElastiCache: ALB sticky sessions sufficient at BC1; add BC2+ for pub/sub
- OpenSearch Serverless: 2 OCU min = $345/mo
- Qdrant OSS: Strong vector DB; evaluate at BC2+ for dedicated vector workloads
L3 · Delivery Edge
| Attribute | Value |
|---|---|
| Technology | CloudFront + WAFv2 + ALB + ACM + Route53 |
| Monthly Cost (Prod) | $15–60 |
| Terraform Module | terraform-aws-web (M3 — edge submodule) — WIP |
| ADLC Mapping | Settings — WAFv2 rules + ACM certs = ADLC compliance boundaries at edge |
Local: Nginx reverse proxy + mkcert dev TLS
Prod: CloudFront PriceClass_100 + WAFv2 (CommonRuleSet+ATP) + ALB sticky + ACM auto-renew
Enterprise Features:
- CloudFront PriceClass_100: US/EU/AP PoPs, 50% less than all regions
- WAFv2 ATPRuleSet: bot protection for Open WebUI auth endpoints
- ALB sticky sessions: WebSocket connection persistence
- CloudFront Cache-Disabled behavior for /ws/* and /socket.io/* — WebSocket upgrade passthrough
- ACM auto-renew DNS validation: zero certificate ops
- Secrets Manager auto-rotation 90 days for all service credentials
Why Not:
- Nginx/HAProxy on ECS: 450+ CloudFront PoPs vs a single AZ; zero ops
- API Gateway: Not designed for WebSocket streaming; ALB+CF native
L2 · Compute (M2)
| Attribute | Value |
|---|---|
| Technology | ECS Fargate Graviton4 ARM64 |
| Version | Platform 1.4+ |
| Monthly Cost (Prod) | Included in $110 |
| Terraform Module | terraform-aws-ecs (M2) — PUBLISHED |
| ADLC Mapping | Commands & Hooks — ECS task lifecycle hooks = ADLC pre/post-deploy |
Local: docker-compose (bare-metal + devcontainer = same file = same env)
Prod: M2 outputs: cluster_arn + task_exec_iam_role_arn + log_group_arn
Enterprise Features:
- Graviton4 ARM64: ~30% better price-performance vs x86; ~60% lower energy (ASRS 1 disclosure)
- Fargate Spot for CrewAI pipeline workers: 70% async savings · Spot capacity provider weight 3:1
- CloudWatch Application Signals: OTel-native and SLO-aware; FastAPI is instrumented natively
- ECS Service Connect: built-in service mesh, no Istio overhead
- Graviton4 in ap-southeast-2, covered by AWS's 100% renewable energy commitment
Why Not:
- EKS: $73/mo control plane; ECS sufficient for BC1 with 6 services
- EC2 ASG: OS patching overhead; Fargate = zero OS ops
- K3S: Excellent for hybrid-cloud — see Hybrid Deployment
L1 · Identity (M1)
| Attribute | Value |
|---|---|
| Technology | IAM Identity Center + SCIM 2.0 |
| Version | SSOOIDC API |
| Monthly Cost (Prod) | FREE |
| Terraform Module | terraform-aws-iam-identity-center (M1) — PUBLISHED |
| ADLC Mapping | Settings — IAM IdC SCPs + permission sets = ADLC compliance boundaries for identity |
Local: Open WebUI built-in auth · .env OIDC bypass for local dev · IAM Identity Center for SIT/PROD
Prod: M1 outputs: sso_instance_arn + identity_store_id + sso_groups_ids
Enterprise Features:
- SCIM 2.0 → Open WebUI provisions and removes users on HR change
- OIDC for CrewAI Claude API auth — no long-lived keys
- Permission Sets → ECS task IAM roles least-privilege
- ABAC: cost-center tag → FinOps pipeline RBAC access control
- MFA enforcement: TOTP + FIDO2 hardware keys mandatory
Why Not:
- Keycloak 26: Full IdP is too heavy for BC1; revisit BC2+ when SCIM pipeline needed
- Okta/Auth0: Sovereignty + cost — IAM IdC is AWS-native and free
- Cognito: No SCIM 2.0; limited enterprise SSO; not for operator auth