6 ComponentsFrom Source CodeApache 2.0 + MIT

Lattice System Architecture

Crash-proof governed runtime for AI agents. This documentation describes the architecture of every component in the Lattice ecosystem, derived from actual source code analysis — package names, line counts, and real API endpoints.

Quick start

brew install latticehq/lattice/lattice && lattice server

Ecosystem Diagram

How all components connect. Click any node to inspect.

User / Developer

Desktop Layer

Runtime Layer (Go Binary)

Infrastructure

Developer

CLI / GUI / IaC

Browser

Dashboard

API Client

Go SDK

Toolbox

Swift macOS

Workbench

316K lines

27 Agents

Minion isolation

170+ MCP

Tools

lattice CLI

120+ cmds

Terraform

IaC

Go SDK

agentsdk

API Gateway

REST/DRPC/WS

Identity

OAuth2/OIDC

Temporal

Durable exec

Policy

Rego→SQL

Budget

Hard/soft

Audit

SHA-256

WireGuard

P2P + DERP

Inference

MLX/llama.cpp

Agent Workflows

Durable signal loop

AI Governance

PII · Model · Tool gate

PubSub

WebSocket events

PostgreSQL

50+ tbl SQLC

Operator

Laravel SSH

Docker

Containers

Traefik

SSL

Prometheus

Metrics

OTel

Tracing

AI Providers

Claude/GPT/Gemini

GitHub

Releases + Hooks

Components

Each component has 4 detailed sub-pages: Architecture, Deployment, Security, and Lifecycle.

Runtime

Apache 2.0

Durable execution, RBAC+ABAC, cryptographic audit, budget enforcement, WireGuard mesh.

Go 1.24+~50K lines273 tests4 sub-pages

Workbench

MIT

Multi-model AI agent workspace. Git worktree isolation, 170+ MCP tools, 27 agent definitions.

TypeScript316K lines4 sub-pages

Inference

Apache 2.0

Local model serving. MLX on Apple Silicon, llama.cpp for CPU/NVIDIA. OpenAI-compatible API.

Go + Python~5K lines4 sub-pages

Operator

Apache 2.0

Multi-server deployment via SSH. Docker, Traefik auto-SSL, database provisioning, backups.

PHP/Laravel 12~30K lines4 sub-pages

Toolbox

MIT

Native macOS app manager. One-click install, auto-update via GitHub Releases.

Swift 5~3K lines4 sub-pages

Enforcement Gates

Every agent action passes through five sequential gates. Policy violations are structurally impossible.

Request

Identity

Authorization

Constraints

Execute

Audit

Identitylatticed/httpmw

OAuth 2.0, OIDC, SAML, mTLS, API keys. Cloud IAM (AWS, Azure, GCP).

Authorizationlatticed/rbac

Rego policies compiled to SQL. RBAC + ABAC. 744KB of policy code, 44K+ test lines.

Constraintslatticed/aigovernance

Per-agent budget caps. PII filtering. Model restriction. Tool whitelisting.

Executelatticed/temporal

Embedded Temporal v1.30.1. Durable workflows. Crash recovery. Continue-As-New.

Auditlatticed/audit

SHA-256 hash chain. Tamper-evident. Diff capture. SOC2/HIPAA/FedRAMP.

Technical Specifications

All values from source code. No aspirational claims.

Runtime Core

LanguageGo 1.24+

Durable ExecutionEmbedded Temporal v1.30.1

DatabasePostgreSQL 13+ (16 recommended)

Schema50+ tables, 424 migrations, SQLC-generated

APIREST (100+ endpoints), DRPC (Protobuf), WebSocket

Tests273+ test files, 44K+ lines in RBAC alone

Authentication

ProtocolsOAuth 2.0, OIDC, SAML, mTLS, API Keys

Cloud IAMAWS IAM, Azure AD, GCP Service Accounts

Key StorageSHA-256 hashed, auto-rotated

Policy Engine

LanguageRego (OPA) — 427 lines in policy.rego

CompilationRego → SQL via regosql package

CachingLRU with SHA-256(actor+action+object) keys

ScopeRBAC + ABAC combined, per-request evaluation

Networking

MeshTailscale/WireGuard, P2P + DERP relay

NAT TraversalUDP hole-punch, WebSocket fallback

TelemetryBatched every 1 min, max 1000 per batch

Observability

MetricsPrometheus

TracingOpenTelemetry

AuditSHA-256 hash chain, immutable, queryable

LoggingStructured JSON

Deployment

BinarySingle Go binary (latticed)

DockerDocker Compose ready

KubernetesHelm chart (lattice/lattice)

PlatformsLinux, macOS, Windows (amd64, arm64)

Air-gappedSupported

How Things Connect

Real integration points from the codebase. No aspirational architecture.

ConnectionMethodProtocol

Workbench→Runtime

CLI spawning (lattice list/start/stop) + SSH proxy (config-ssh)Process + SSH

Workbench→AI Providers

Vercel AI SDK (@ai-sdk/*) for Claude, GPT, Gemini, OllamaHTTP/SSE

Runtime→Inference

Embedded as /inference mount point in latticed binaryIn-process

Operator→Runtime

SSH deployment to remote servers. Install + configure latticed.SSH

Toolbox→GitHub

GitHub Releases API for version detection and asset downloadHTTPS

SDK→Runtime

Go client wrapping REST + WebSocket APIs. agentsdk for sidecars.HTTP/WS

Terraform→Runtime

Provider manages orgs, agents, templates, budgets as HCL resourcesREST API