A self-hosted, single-tenant, air-gap-first automation platform. A deterministic core you can audit, an opt-in AI layer you can govern, and a durable execution backbone that never loses a run. This page covers the whole system, end to end.
Each principle solves a specific enterprise constraint. Together they let AMOS scale without per-bot fees, run fully offline, and stay auditable while still using AI where it adds value.
A stateful "brain" (orchestrator, durable store, vault, gateway) and stateless worker hosts that pull immutable, versioned workflow artifacts. Delete or recreate a runner without losing a run.
Every run is a Temporal workflow execution with an append-only event history, deterministic replay and idempotency caching. Partial-completion and runner crashes become recoverable events, never repeated side effects.
Orchestration is a declarative, replayable graph (closed-vocabulary JSON DSL). All non-determinism (LLM calls, agentic reasoning) is locked inside typed steps. AI is invited in only where it helps.
An internal event bus (NATS JetStream, CloudEvents) decouples trigger ingestion, observability fan-out and outbound integration from the synchronous execution path.
Workflows, agent definitions, config bundles, triggers and model definitions are versioned Git artifacts and the single source of truth. Every change, including a self-heal fix, is reviewable like a pull request.
No outbound telemetry by default. Bring-your-own LLM only (no bundled weights). Install, upgrade and patch through signed offline bundles and a private registry mirror.
The whole system sits inside the customer's single-tenant perimeter. People act through a single surface, the Operator Console. Only three traffic types are allowed to cross the boundary.
Allowed egress: calling the BYO LLM, federating with the IdP, and acting on target apps. Webhook-OUT to ITSM and SIEM export are egress-gated and off by default in air-gap. The IdP can validate tokens offline through cached JWKS.
From authored source of truth, down through the control plane and durable backbone, out to a stateless runner fleet that touches your target systems outbound-only.
Each component has a clear responsibility, a typed interface, and an open-source technology behind it. Nothing is a black box.
One unified REST API across every pillar, with RBAC + ABAC and folder isolation. Starts workflow executions, dispatches the fleet, runs the self-heal loop.
At dispatch, deep-merges layered config (base → environment → trigger) into one immutable, content-hashed snapshot pinned to the run. Fail-closed on missing bindings.
A deterministic Temporal workflow that reads the DSL as input and dispatches each node as an activity. Change the DSL and it runs at once, no rebuild.
Per-run guardrails: iteration and token budgets, tool allowlists, mandatory human checkpoints, autonomy level. Verifies tool receipts so an agent cannot fake success.
Run every side-effect step and every LLM call as a Temporal activity with its own retry policy and idempotency-keyed result caching.
A closed loop: detect, diagnose, recover, validate, decide, write back. Multi-strategy recovery from cheap to costly, fixes written back as a reviewable DSL diff.
Opt-in agentic step: a Pydantic AI agent running inside an activity, returning a typed result. The rest of the run stays deterministic and replay-safe.
Durable transactional work queue with retry, dead-letter, priority and infinite pause-for-approval at zero idle runner cost.
Enrolls with a one-time token, holds an mTLS identity, heartbeats capabilities, pulls leased jobs. Opens no inbound port into the customer network.
Manages a real logged-in desktop session for legacy GUI automation, with auto-login from the vault and a pinned display resolution.
Browser, API, file and DB work in a clean sandbox per session, autoscaling to zero. AI-generated code runs inside gVisor or a Firecracker microVM.
Matches required capability and identity to an eligible runner pool with load balance and failover. Fails fast and closed when no zone-matched runner exists.
An IDP pipeline (OCR, layout, table, post-process) on dedicated GPU runners, with a pluggable engine and confidence-thresholded human review.
A durable five-stage workflow: comprehend to an intermediate form, clarify, author DSL, self-test with a separate grader, present with a reliability report, then a mandatory human gate.
Runs candidate v2 and incumbent v1 on the same golden dataset on your own LLM, with dual grounding. Verdict passes only if v2 is at least v1 on every gated metric, else it blocks.
One abstraction so authoring, self-heal and agentic steps run against cloud or self-hosted vLLM unchanged. Air-gap loads models fully local with pinned versions.
A per-tenant, versioned library of SOP-to-IR-to-DSL triples, reused as golden datasets for the gate and regression fixtures for self-test. Strictly tenant-scoped.
The single human surface: authoring chat, a deterministic read-only diagram, fleet and run monitoring, and the approval inbox. The only place approvals complete.
One typed node for approval, form and document-validation, all compiling to a Temporal suspend-and-signal pattern with SLA timers and a cross-workflow inbox.
Web Chat is the air-gap default and approval surface. Slack, Telegram and Teams are connected-only and notify-and-deep-link, never approve in-channel.
Envelope encryption with only ciphertext at rest, just-in-time in-memory decryption on the runner, never written to disk or logs. Pluggable BYO-vault facade.
An append-only, SHA-256 hash-chained trail of every human and agent action, including LLM prompts and responses. Exports to SIEM, never transits to the vendor.
One OTel collector redacts sensitive fields before storage, then fans out to OpenSearch, VictoriaMetrics and Langfuse across six telemetry domains.
Two-tier RBAC plus optional ABAC, with folder isolation as the hard multi-tenant boundary. IdP federation via SAML/OIDC and SCIM, offline JWKS validation.
Every tool call passes through a governed gateway: per-workflow scope allowlists, tool-description hashing and rug-pull guard, outbound DLP, cross-server chain detection.
Offline, signed, flat per-edition licensing locked to a cluster fingerprint. Distributes entitlements with no internet. Never bills per bot or per run.
Three flows cover the lifecycle: authoring a workflow, executing it durably, and recovering when a UI changes. Every side effect is a retried activity, and durable state lives only in the event history.
Git is the source of truth for logic and config. The Temporal event history is the source of truth for execution state. Heavy blobs are passed by reference, and secrets never leave the vault as plaintext at rest.
| Store | Holds | Why |
|---|---|---|
| Git | DSL, config bundles, agent and trigger definitions, model definitions, prompts | Source of truth, reviewable like a PR, versioned, diff-able, replayable |
| PostgreSQL | Control-plane catalog and metadata, Temporal persistence, hash-chained audit | Relational, transactional, strong RBAC filtering, HA via replication |
| Temporal | Run state, event history, signals and timers, durable agent state | Durable execution: deterministic replay, idempotency, safe self-heal patching |
| OpenSearch | Traces, logs, full execution trace, cross-workflow task index | Search and incident investigation, lifecycle-managed retention |
| VictoriaMetrics | Metrics: cost per run, success rate, latency, tokens, ROI counters | Compressed time series with configurable retention and downsampling |
| Langfuse | LLM-observability traces, eval datasets, judge scores, prompt plane | LLM-domain observability and evaluation, telemetry disabled for air-gap |
| Object store | Files, screenshots, document-AI input and output, backups, offline bundles | Pass-by-reference keeps the event history small and replay-safe |
| Vault store | Secret ciphertext and wrapped data keys, versioned master key-ring | Envelope encryption, only ciphertext at rest, KMS or HSM auto-unseal |
| NATS JetStream | CloudEvents, run events, approval and alert events, webhook-OUT layer 1 | Durable 1:N fan-out and dead-letter, always-on in-perimeter |
AES-256-GCM envelope encryption, never plaintext at rest, just-in-time decrypt, wiped at teardown.
Append-only, tamper-evident hash-chain, 12 to 24 months plus legal hold, integrity preserved after restore.
Redacted at capture and at the collector before storage, with DSAR export and erasure support.
Redacted and per-tenant scoped, lifecycle-managed with a disk-pressure guardrail so a full disk never crashes the platform.
The same offline-capable bundle and guided installer serve a single node, a high-availability cluster, or a fully air-gapped install. Moving between them never requires repackaging a workflow.
| Aspect | Single-node | HA (multi-node) | Air-gapped |
|---|---|---|---|
| Shape | All control-plane on one node, co-located stores | 3+ nodes across 3+ zones behind a load balancer, replicated DB | Single-node or HA, but zero egress |
| Network | Internet or local | Internet or internal | No internet |
| Availability | No HA commitment | 99.9% control-plane uptime | Per the base tier |
| DR | Backup and restore | Active/passive to active/active | Base tier plus offline restore |
| Best for | POC, pilot, dev and test | Production, regulated, high SLA | Finance, healthcare, government |
Runners enroll, heartbeat and pull leased jobs over mTLS. The control plane never connects into a runner, so runners can live in isolated zones.
Helm plus Zarf image, chart and license tooling, verified with cosign, mirrored into a private OCI registry. No image pulls reach the internet.
Durable execution plus Temporal worker versioning let in-flight runs finish on the old worker while new runs route to the new one. Rollback is a drain.
Least privilege at every layer, a semi-trusted AI wrapped in typed steps with guardrails, sandboxes and validators, and an immutable record of every action that never leaves your infrastructure.
Two-tier RBAC plus ABAC, folder isolation as a hard boundary, SAML/OIDC and SCIM federation, offline JWKS, service accounts via OAuth2 and SPIFFE.
Envelope encryption with only ciphertext at rest, just-in-time in-memory decrypt on the runner, instant per-runner revocation, BYO-vault facade.
AI-generated and semi-trusted code runs in gVisor or a Firecracker microVM, never a bare container, with CPU, memory, wall-clock and egress quotas.
Every MCP tool call passes a gateway with scoped allowlists, version pinning, tool-description hashing, rug-pull guard and outbound DLP.
SHA-256 hash-chained trail of every human and agent action, including LLM prompts and responses. Tampering breaks the chain and is detected on verify.
No phone-home, BYO LLM only, egress-gated webhooks off by default, signed offline import for models, patches and licenses.
The quality attributes that drive enterprise adoption, each tied to the architectural tactic that delivers it.
| Quality attribute | Architectural tactic |
|---|---|
| Reliability / durability | Temporal event history and replay, idempotency caching, post-step validator, lease fencing tokens |
| Security | Envelope encryption with JIT decrypt, KMS/HSM auto-unseal, gVisor sandbox, MCP gateway with DLP, outbound-only runners |
| Air-gap / sovereignty | BYO LLM, offline Helm plus Zarf bundle, private OCI mirror, offline signing, egress-gated webhooks |
| Scalability without per-bot | Control-plane and stateless-runner split, two-class fleet, queue-depth autoscale to zero, capability and zone targeting |
| Auditability | Immutable hash-chained audit of every action, SIEM export, full reproducible run trace, model version pinning, signed gate certificate |
| No lock-in | Portable DSL in Git, BYO-vault facade, BYO model registry, pluggable Doc-AI engine, OSS-only stack, spec-first OpenAPI |
| Observability | One OTel pipeline with redaction, fanning out to OpenSearch, VictoriaMetrics and Langfuse, with independent alerting and on-call |
Every layer is built on permissively licensed open source that runs fully on your infrastructure. No SaaS-only dependency anywhere in the critical path.
| Layer | Pick | License | Role |
|---|---|---|---|
| Durable execution | Temporal | MIT | The durable backbone, single source of truth for run state and replay |
| DSL and validation | XGrammar, Pydantic, Ajv | Apache / MIT | Closed-vocabulary JSON DSL, constrained decoding and schema validation |
| Agentic runtime | Pydantic AI | MIT | Opt-in agentic steps as typed agents inside a Temporal activity |
| LLM serving | vLLM | Apache | Reference BYO serving, OpenAI-compatible, runs air-gapped |
| Web automation | Playwright, Browser-Use | Apache / MIT | Deterministic browser driver plus agentic browser |
| Desktop automation | FlaUI + UIA | MIT | Windows desktop interactive automation |
| Document AI | PaddleOCR, Docling | Apache / MIT | On-prem OCR, layout and table extraction |
| Sandbox | gVisor (Firecracker) | Apache | Sandbox for ephemeral runners and dry-run authoring |
| Vault | Google Tink, OpenBao | Apache / MPL | Envelope encryption and JIT decrypt, BYO-vault facade |
| Control-plane store | PostgreSQL | BSD-like | Relational store, Temporal persistence, audit host |
| Event bus | NATS JetStream, Valkey | Apache / BSD | Internal CloudEvents bus and cache |
| Observability | OpenTelemetry, OpenSearch, VictoriaMetrics, Langfuse | Apache / MIT | One telemetry pipeline fanning out to three stores |
| Identity | Keycloak, SPIFFE/SPIRE | Apache | SAML/OIDC plus SCIM and workload identity |
| API and gateway | oapi-codegen, APISIX | Apache / MIT | Unified OpenAPI 3.1 REST API |
| Installer / air-gap | Helm + Zarf, cosign | Apache | Guided installer, signed offline bundle, private OCI mirror |
The defining decisions, all accepted. Each one trades a tempting shortcut for long-term reliability, auditability or no lock-in.
Interpreter, not codegen. The DSL is data for one deterministic Temporal workflow. An AI fix to the DSL runs at once, with no worker rebuild or redeploy.
Temporal is the only backbone. Adopt it, do not build, and keep no second checkpointer. Durability, replay and state are a single source of truth.
Agents inside activities. Agentic steps are opt-in Pydantic AI agents running inside an activity, composed on Temporal, not a heavy agent framework.
Stateless per run. A run's state is the DSL plus input plus event history. No free-form agent memory leaking across runs.
BYO LLM only. Pluggable cloud or local endpoint, with an eval harness and sizing guide shipped, never bundled weights.
Self-heal suggest-only by risk tier. Low can auto-apply if enabled, high always pauses for human approval. Fixes are reviewable diffs into versioned DSL.
Approval only in the Console. Channels notify and deep-link, never approve in-channel. Identity and channel are audited.
Flat per-edition licensing. Two editions by capability, never per bot or per run. Ed25519 offline, cluster-fingerprinted, no phone-home.
Air-gap-first. Control-plane and runner split, offline bundle and registry, offline signing, guided installer with a hard-block preflight.
Diagram strictly read-only. Render DSL to diagram one way only. No round-trip and no drag-and-drop editor that could drift from the source.
The hardest failure modes in enterprise automation, and the structural decision that contains each one.
An LLM could invent a parameter, fake a success, or mutate a running step.
Contained by: a deterministic recorded core, post-step validators and tool-receipt verification, risk-tiered human approval, suggest-only by default, and model version pinning for replay.
Desktop GUI cannot run in a container or Session 0, and breaks silently when a disconnect changes resolution.
Contained by: a dedicated interactive session manager with auto-login, a pinned display resolution, per-session slots, and a persistent runner class separate from the ephemeral fleet.
A re-dispatched job after a false heartbeat timeout could run a payment or email twice.
Contained by: lease fencing plus idempotency keys, Temporal result caching so completed steps never rerun, and outbound-only lease-pull runners.
Install, upgrade, CVE patch, DR and model update are all harder offline.
Contained by: air-gap as a designed-for scenario, signed offline bundles and a registry mirror, documented offline upgrade and patch paths, and a hard-block preflight.
Tool poisoning, rug-pull, cross-server exfiltration, confused-deputy OAuth.
Contained by: a governed gateway with no open marketplace, namespace verification, version pinning, tool-description hashing, scoped RBAC, outbound DLP, and signed import.
A customer model that is too weak degrades authoring and self-heal.
Contained by: an eval harness and sizing guide to certify a model before production, one code path against any model, and an AI-Quality gate that blocks a regression.
We can take your architecture, security and procurement teams through any layer of this design, end to end, against your own requirements.
Book a demo