Control Plane Architecture
Download the full architecture diagram (PDF)
Conceptual — Working Document
This is a conceptual architecture for internal discussion. It describes the target-state permission model, not the current implementation.
Core Principle
One codebase. Four permission tiers. Visibility determined by credentials. Every new world inherits the same structure.
Layer 1 — UCCA Ops (God Mode)
Visibility: Tim + Alex only | Access: Everything | Surface: ops.ucca.online
| Capability | Description |
|---|---|
| Infrastructure State | Full Terraform and platform visibility |
| Health | System-wide health monitoring |
| Access Control | Identity and permission management |
| Engine Diagnostics | Production engine internals |
| Terraform | IaC state and drift detection |
| Authority Catalogue | Registered authorities across all domains |
| Aggregate Financials | Cross-world financial rollup |
| Aggregate Telemetry | All telemetry, all worlds |
Layer 2 — SU Overlay (You See This, They Don't)
Visibility: UCCA only (superuser into any world) | Purpose: The containment box — cost-to-serve and margin visibility
| Capability | Description |
|---|---|
| Billing (UCCA view) | Internal billing and cost tracking |
| Tech Notes | Engineering notes invisible to world admins |
| Engine Logs | Raw engine processing logs |
| Triumvirate Management | Legislative triumvirate lifecycle and configuration |
| Sandbox | Pre-production testing environment |
| SU Override | Superuser intervention into any world |
| Diff Reports | Change tracking across world configurations |
| Resource Telemetry (cost) | Per-resource cost attribution |
| Triumvirate Lifecycle | Triumvirate versioning and state transitions |
Layer 3 — World Control Plane (Domain Admin)
Visibility: Domain admin | Scope: Manages their world only — cannot see other worlds or UCCA internals
Example: AU VET — RTOpacks
| Capability | Description |
|---|---|
| RTO Database | Registered Training Organisation records |
| Compliance Docs | Domain-specific compliance documentation |
| Enrichment Pipeline | Data enrichment configuration and status |
| Search Config | Search tuning and relevance configuration |
| User Management | World-scoped user administration |
| Analytics | World-scoped usage and engagement data |
| Billing Config | Billing plans and subscription management |
| Revenue View | Revenue reporting for this world |
| Support Queue | Support ticket management |
| Resource Telemetry | Resource usage metrics |
| Notifications | World notification configuration |
| Audit Log | Full audit trail for this world |
Layer 4 — Client View (End User Only)
Visibility: Own data only | Experience: Product experience — no admin, no engine, no UCCA | World-branded, zero fingerprinting
| Capability | Description |
|---|---|
| RTO Search | Search the RTO database |
| My Compliance | Personal compliance status and documents |
| My Documents | Document management |
| Payment / Billing | Subscription and payment management |
| Support Tickets | Submit and track support requests |
| Notifications | Personal notifications |
| Account | Account settings and profile |
The client sees a complete product. They don't know the other layers exist. The engine is invisible.
World Replication
The architecture is designed for horizontal replication. Each new regulated domain gets the same four-layer structure:
| World | Domain | Status |
|---|---|---|
| AU VET (RTOpacks) | Australian Vocational Education | Live |
| US Defence | US Department of Defense | Future |
| Healthcare | Medical regulatory compliance | Future |
| Aviation | Aviation safety and certification | Future |
New world = new tenant, same template. The control plane codebase is shared; permission tiers determine what each user sees.
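
The four-tier check described above, as an added sketch (not UCCA's code; the model on this page is conceptual). The `Principal` shape, the world ids, the Layer 3 admin being limited to Layer 3 capabilities, and the uniform 404 for denied requests are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Capability -> layer: a subset taken from the tables on this page.
CAPABILITY_LAYER = {
    "Terraform": 1, "Aggregate Financials": 1,
    "Engine Logs": 2, "SU Override": 2,
    "RTO Database": 3, "Audit Log": 3,
    "My Documents": 4, "Support Tickets": 4,
}

@dataclass(frozen=True)
class Principal:          # hypothetical shape of a verified credential
    user_id: str
    tier: int             # 1 = UCCA Ops ... 4 = Client
    world: Optional[str]  # None for UCCA staff (tiers 1 and 2)

def authorize(p: Principal, capability: str, world: str,
              owner: Optional[str] = None) -> bool:
    """Deny by default; allow only what the tier descriptions state."""
    layer = CAPABILITY_LAYER.get(capability)
    if layer is None or p.tier not in (1, 2, 3, 4):
        return False
    if p.tier == 1:                       # Layer 1: "Access: Everything"
        return True
    if p.tier == 2:                       # superuser into any world, not Layer 1
        return layer >= 2
    if p.world is None or p.world != world:
        return False                      # tiers 3 and 4 never cross worlds
    if p.tier == 3:                       # assumption: admin surface is Layer 3 only
        return layer == 3
    return layer == 4 and owner == p.user_id   # Layer 4: own data only

def status_for(p: Principal, capability: str, world: str,
               owner: Optional[str] = None) -> int:
    """Assumed response policy: unknown and forbidden both answer 404, so a
    caller cannot learn from the response that a higher layer exists."""
    return 200 if authorize(p, capability, world, owner) else 404

def visible_capabilities(p: Principal, world: str) -> list:
    """Menu entries to render; per-record ownership is still checked on access."""
    return sorted(c for c in CAPABILITY_LAYER
                  if authorize(p, c, world, owner=p.user_id))
```

Because every world shares this one check, a new tenant adds world ids and capability rows, not new authorization code paths.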
Related
- Architecture Principles
- Security Posture — includes the Engine Invisibility Rule enforced at Layer 4
Version History
| Version | Date | Change | Author |
|---|---|---|---|
| 1.0 | 2026-03-02 | Initial creation from Control Plane Architecture v2 PDF | Claude Code |