Architecture Reference

Component Inventory

Spectorn is organized around the production API gateway first, with protection, memory, SOC, and dashboard capabilities layered around it.

spectorn-server

Role: OpenAI-compatible API gateway and control plane.

AttributeValue
LanguageRust
Interfaces/v1/chat/completions, /v1/scan, dashboard/admin APIs, Stripe webhook
Key stateAPI keys, tenant policy, providers, model routes, sessions, usage, billing

Key capabilities:

  • Tenant-scoped API keys and role/session handling.
  • Provider routing with BYOK and hosted-provider fallback.
  • Prompt scanning before model forwarding.
  • Recalled-memory scanning before prompt injection.
  • Non-streaming and SSE output scanning.
  • SSRF-resistant upstream base URL validation.
  • Production readiness checks for secrets, CORS, memory, audit, and process-local topology.

Files: spectorn-server/src/

sentinel-core

Role: Detection engine library used by the gateway and SOC paths.

AttributeValue
LanguageRust
InterfacesPyO3 registry path and native/FFI path
Exact engine countTreat as implementation metadata; verify from bindings.rs and all_engine_names()

Key capabilities:

  • Pattern and heuristic analysis for prompt injection, jailbreak, exfiltration, moderation, tool abuse, and related categories.
  • Raw obfuscation analysis plus decode-and-rescan paths, including ROT13 parity on native/FFI.
  • Sentinel Lattice-inspired runtime heuristics. Formal/state-enumeration routines are not claimed as production LTL proof unless a runtime path and tests explicitly say so.
  • ML/semantic/anomaly signals where enabled by build/runtime configuration.

Files: sentinel-core/src/engines/, sentinel-core/src/bindings.rs

gomcp

Role: SOC pipeline, MCP server, memory backend, and experimental runtime guard host.

AttributeValue
LanguageGo
BuildZero-CGO default
Main areasSOC API, MCP tools, memory, cmd/immune

Key capabilities:

  • SOC event ingestion, correlation, and audit trails.
  • Memory/fact storage used by the gateway memory layer.
  • MCP tool surface.
  • Experimental immune/runtime guard implementation under gomcp/cmd/immune.

Files: gomcp/cmd/, gomcp/internal/

shield

Role: DMZ/protocol-validation component.

AttributeValue
LanguageC11
FocusProtocol validation, rate limiting, anti-DoS, CLI/RBAC hardening

Files: shield/

dashboard

Role: User cabinet, admin/operator UI, and SOC visibility surface.

AttributeValue
FrameworkNext.js / React
FocusCustomer onboarding, API keys, providers/models, billing, security visibility, admin operations

Files: dashboard/

Universal Sidecar

Role: Sensor adapter that can send external logs/events into the SOC path.

Files: sentinel-sidecar/ if present in the deployment tree.

Communication Matrix

From > ToProtocolPurpose
Client > spectorn-serverHTTPS JSON/SSEAPI gateway traffic
spectorn-server > sentinel-corein-process Rust/PyO3/nativeInput/output analysis
spectorn-server > upstream providerHTTPS JSON/SSEOpenAI-compatible model calls
spectorn-server > gomcpprocess/API integration where configuredMemory and SOC integration
gomcp > dashboardHTTP/SSE where configuredOperator/user visibility

Technology Choices

DecisionChoiceRationale
API gatewayRustFail-closed security path, async HTTP, strong typing
Detection enginesRustMemory safety and fast text analysis
SOC/memoryGoStatic binaries and concurrency
DMZ componentC11Low-level protocol/security work
DashboardNext.jsProduct UI and admin workflows

Honesty Rules

  • Do not publish engine counts as customer guarantees unless the count is generated from the current build.
  • Do not publish per-layer detection percentages unless they come from a named benchmark corpus and harness.
  • Do not describe immune as production kernel/eBPF enforcement until that path exists, is wired, and has deployment evidence.
Spectorn — AI Gateway for LLM Apps | Security & Memory in One API