System Architecture & Infrastructure

System architecture, database schema, Docker Compose orchestration, and environment variables.

Part of the Comprehensive Technical Documentation. Definitive reference based on a non-invasive scan of the molecule-core repository.

3. System Architecture

System Boundary Diagram

┌─────────────────────────────────────────────────────────────┐
│ Canvas (Next.js 15 · port 3000)                             │
│ React Flow + Zustand + WebSocket                            │
│ Visual drag-to-nest org chart · 10-tab ops panel            │
└──────────────────┬──────────────────────────────────────────┘
                   │ HTTP + WebSocket
┌──────────────────▼──────────────────────────────────────────┐
│ Platform (Go / Gin · port 8080)                             │
│ Control plane: workspace CRUD, registry, discovery,         │
│ A2A proxy, activity, memory APIs, secrets, approvals        │
└─────────┬────────────────────────────────────┬──────────────┘
          │                                    │
    Postgres 16                             Redis 7
    (internal: 5432)                        (internal: 6379)

┌─────────────────────────────────────────────────────────────┐
│ Workspace Runtime (Python 3.11+ Docker image)               │
│ Pluggable adapters: claude-code, langgraph, autogen,        │
│ openclaw, hermes, codex, google-adk, external               │
│ A2A protocol server · heartbeat · skills · HMA memory       │
└─────────────────────────────────────────────────────────────┘
          │
┌─────────────────────────────────────────────────────────────┐
│ Langfuse (self-hosted · ClickHouse + Postgres backend)      │
│ OpenTelemetry traces for every LLM call                     │
└─────────────────────────────────────────────────────────────┘

Network Model

Path	Protocol	Purpose
Canvas ↔ Platform	HTTP REST + WebSocket	UI operations + real-time event fanout
Platform ↔ Postgres	TCP	Source of truth for all durable state
Platform ↔ Redis	TCP	Ephemeral state (liveness TTL), caching, pub/sub
Workspace ↔ Workspace	HTTP (A2A JSON-RPC 2.0)	Direct peer-to-peer, platform not in data path
Workspace → Langfuse	HTTP	Automatic OpenTelemetry tracing
Docker Network	`molecule-monorepo-net`	Internal-only by default, no exposed DB/Redis ports

Core Components

1. Canvas (Next.js 15)

React Flow for visual workspace graph
Zustand for state management
WebSocket for real-time updates
10-tab side panel: Chat, Activity, Details, Skills, Terminal, Config, Files, Memory, Traces, Events
Drag-to-nest team building
Bundle import/export via drag-and-drop
Empty state with template palette + onboarding wizard

2. Platform (Go 1.25+ / Gin)

Gin-based REST API + WebSocket hub
Workspace lifecycle management (CRUD + pause/resume/restart)
Registry and heartbeat system (30s default)
Hierarchy-aware access control (CanCommunicate())
A2A proxy for browser-safe inter-workspace communication
Event broadcasting (Redis pub/sub → WebSocket fanout)
Docker provisioner with T1–T4 tier enforcement
Activity logging with configurable retention (default 7 days)
Secrets management (AES-256-GCM encryption)
File, terminal, bundle, template, traces APIs
Langfuse integration
Prometheus metrics endpoint

3. Workspace Runtime (Python 3.11+)

Unified workspace/ Docker image
Adapter-driven execution (7 runtimes)
A2A server via Uvicorn
Heartbeat loop (30s default)
Skill hot-reload system (~3 second propagation)
Memory tools with HMA scope support
Approval/human-in-the-loop integration
Activity reporting
Awareness namespace integration (optional)
Plugin-mounted shared rules and skills

4. Infrastructure

Postgres 16: Source of truth (workspaces, events, activity, secrets, memories)
Redis 7: Ephemeral state (liveness TTL 60s), URL caching, pub/sub
Langfuse 2.x: LLM tracing and observability (self-hosted, ClickHouse backend)
Docker: Workspace provisioning with T1–T4 tier system
LiteLLM proxy (optional): Unified API for multiple model providers
Ollama (optional): Local LLM models

4. Database Schema

11 migration files in workspace-server/migrations/.

Core Tables

Table	Purpose	Key Columns
`workspaces`	Current state registry	`id`, `name`, `role`, `tier` (1-4), `status`, `parent_id`, `agent_card` (JSONB), `url`, `forwarded_to`, `last_heartbeat_at`, `last_error_rate`, `active_tasks`, `uptime_seconds`, `current_task`, `runtime`
`agents`	Agent assignment history	`workspace_id`, `model`, `status`, `removed_at`, `removal_reason`
`workspace_secrets`	Encrypted credentials	`workspace_id`, `key`, `encrypted_value` (BYTEA, AES-256-GCM)
`agent_memories`	HMA-scoped memory	`workspace_id`, `content`, `scope` (LOCAL/TEAM/GLOBAL)
`structure_events`	Immutable event log (APPEND-ONLY, never UPDATE/DELETE)	`event_type`, `workspace_id`, `agent_id`, `target_id`, `payload` (JSONB)
`activity_logs`	Operational activity with retention	`workspace_id`, `activity_type`, `source_id`, `target_id`, `method`, `request_body`, `response_body`, `duration_ms`, `status`, `error_detail`
`canvas_layouts`	Node visual positions	`workspace_id`, `x`, `y`, `collapsed`
`canvas_viewport`	Canvas pan/zoom state	Single row, upserted

Redis Key Patterns

Key Pattern	Value	TTL	Purpose
`ws:{id}`	`"online"`	60s	Liveness detection (heartbeat refreshes)
`ws:{id}:url`	Host-mapped URL	5min	URL cache for external discovery
`ws:{id}:internal_url`	Docker-internal URL	—	Container-to-container discovery
`events:broadcast`	pub/sub channel	—	Event fanout to WebSocket hub

20. Docker Compose Orchestration

Full Stack (`docker-compose.yml`)

Service	Image	Port	Purpose
`postgres`	postgres:16	5432 (internal)	Primary database (`wal_level=logical`)
`redis`	redis:7	6379 (internal)	Cache + pub/sub (`notify-keyspace-events=KEA`)
`langfuse-clickhouse`	clickhouse/clickhouse-server	internal	Analytics backend
`langfuse-web`	langfuse/langfuse	3100	Observability UI
`platform`	Built from Go	8080	Control plane
`canvas`	Built from Next.js	3000	Frontend

Optional Profiles

Profile	Service	Purpose
`multi-provider`	LiteLLM proxy	Unified API for OpenAI, Anthropic, Google, etc.
`local-models`	Ollama	Local LLM inference

Infrastructure-Only (`docker-compose.infra.yml`)

Postgres + Redis + Langfuse only (for local development without containerized workspace-server/canvas).

21. Environment Variables

Platform (Go)

Variable	Default	Purpose
`DATABASE_URL`	`postgres://dev:dev@localhost:5432/molecule?sslmode=prefer`	Postgres connection
`REDIS_URL`	`redis://localhost:6379`	Redis connection
`PORT`	`8080`	Platform listen port
`PLATFORM_URL`	`http://host.docker.internal:8080`	Injected to workspace containers
`SECRETS_ENCRYPTION_KEY`	Optional	AES-256 key (32 bytes) for secret encryption
`CONFIGS_DIR`	`/configs`	Workspace config template directory
`PLUGINS_DIR`	`/plugins`	Shared plugin directory
`ACTIVITY_RETENTION_DAYS`	`7`	Activity log retention
`ACTIVITY_CLEANUP_INTERVAL_HOURS`	`6`	Cleanup frequency
`CORS_ORIGINS`	`http://localhost:3000,...`	CORS whitelist
`RATE_LIMIT`	`600`	Requests per minute
`WORKSPACE_DIR`	Optional	Shared workspace volume
`AWARENESS_URL`	Optional	Awareness service URL

Canvas (Next.js)

Variable	Default	Purpose
`NEXT_PUBLIC_PLATFORM_URL`	`http://localhost:8080`	Platform backend URL
`NEXT_PUBLIC_WS_URL`	`ws://localhost:8080/ws`	WebSocket URL
`PORT`	`3000`	Canvas listen port

Workspace Runtime (Python)

Variable	Default	Purpose
`WORKSPACE_ID`	`workspace-default`	Unique workspace identifier
`WORKSPACE_CONFIG_PATH`	`/configs`	Config directory mount
`PLATFORM_URL`	`http://host.docker.internal:8080`	Platform connection
`PARENT_ID`	Empty	Parent workspace ID (set if nested)
`AWARENESS_URL`	Optional	Awareness service
`AWARENESS_NAMESPACE`	Optional	Scoped namespace for awareness memory
`LANGFUSE_HOST`	`http://langfuse-web:3000`	Langfuse endpoint
`LANGFUSE_PUBLIC_KEY`	Optional	Langfuse auth
`LANGFUSE_SECRET_KEY`	Optional	Langfuse auth
`DEPLOYMENT_RETRY_ATTEMPTS`	`3`	Delegation retry count
`DELEGATION_TIMEOUT`	`120`	Delegation timeout (seconds)
`APPROVAL_TIMEOUT`	`300`	Approval wait timeout (seconds)
`AUDIT_LOG_PATH`	`/var/log/molecule/audit.jsonl`	Audit log file path

System Architecture & Infrastructure

On this page