Care Collaborative
Technical · Enterprise Security · Operator-Managed · WebRTC · Temporal

System Architecture

A single-binary Runtime deployed on Operator-managed VMs embeds Temporal orchestration, a real-time WebRTC media server and an AI Governance proxy; Cloudflare provides edge delivery, and Azure Flexible Server PostgreSQL backs the data layer.

Architecture diagram, by layer:

Client Layer: Browser (Cloudflare Pages) · Desktop App (Electron, WIP) · Media Client (WebRTC, SRTP) · Agent CLI (internal only)
Cloudflare Edge: CDN / DDoS (edge protection) · Load Balancer (L7 routing) · Pages (frontend hosting)
Real-Time Media Plane: WebRTC Server (cloud or self-hosted) · Voice Agent (via Temporal) · Media Routing (SRTP, Opus)
Operator-Managed Compute (VMs), Runtime Container (single binary): API Server (REST, DRPC, WS) · Temporal (durable execution) · Media Server (embedded WebRTC) · AI Governance (bridge proxy) · RBAC Engine (OPA, Rego) · Tailnet (WireGuard mesh) · Auth Provider (OAuth2, OIDC) · Audit Engine (immutable trail) · Notifications (real-time push)
Operator-Managed Compute (VMs), Worker Pool: Task Workers (durable activities) · Agent Runtime (SSH, process) · Health Monitor (heartbeat)
Azure Data Layer (Flexible Server): PostgreSQL (main database) · Temporal DB (workflow state) · Visibility DB (search index) · Blob Storage (recordings) · Key Vault (TLS, secrets) · Audit Logs (activity trail)
Identity & SSO: OAuth2 / SSO (SAML, OIDC, OAuth) · Azure AD / Okta (identity providers) · Private DNS (zone resolution)
Monitoring & Observability: Prometheus (metrics collection) · OpenTelemetry (distributed tracing) · Health Checks (endpoint monitor)
AI Services (external cloud): Speech-to-Text (real-time STT) · LLM Providers (provider agnostic) · Text-to-Speech (voice synthesis) · Avatar Stream (lip-sync, video)

Traffic Flow

1. Client → Cloudflare Edge: HTTPS / TLS 1.3 from the browser or desktop app. The static frontend is served from Cloudflare Pages; API and WebSocket requests are routed via the L7 Load Balancer.
2. Cloudflare → Runtime VMs: the Load Balancer routes to Operator-managed VMs running the Runtime container, a single binary embedding Temporal, real-time media, and AI Governance.
3. Runtime orchestration: Temporal provides durable execution with per-org namespace isolation. AI Governance intercepts all LLM calls through a MITM proxy for budget and policy enforcement.
4. Real-time media flow: the WebRTC media server (cloud or self-hosted) manages voice/video rooms. Agents join via Temporal workflows, processing STT → LLM → TTS pipelines in real time.
5. Data persistence: three PostgreSQL databases on Azure Flexible Server hold main data, Temporal workflow state, and search visibility. AES-256 encrypted, private endpoint access only.
6. External integrations: OAuth2/OIDC/SAML SSO via Auth0, Azure AD, Okta. AI providers (STT, LLM, TTS, Avatar) are routed through the AI Governance proxy for budget/policy enforcement.
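The governance decision in steps 3 and 6, as an added Python sketch that is not Care Collaborative's code: the per-org check the proxy runs before forwarding an intercepted AI call (model allowlist and token budget cap), with a hash-chained record standing in for the Audit Engine's immutable trail. The policy schema, org and model names and token values are constructed assumptions, and an inline allowlist replaces the OPA/Rego evaluation the page describes.

```python
import hashlib
import json
from dataclasses import dataclass, field

# Constructed per-org policy: the page names OPA/Rego policies and budget
# caps but gives no schema, so this shape and every value is an assumption.
POLICIES = {
    "org-a": {"allowed_models": {"llm-large", "stt-v1", "tts-v1"},
              "budget_tokens": 10_000},
}


def _digest(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


@dataclass
class Governance:
    policies: dict
    spent: dict = field(default_factory=dict)   # tokens consumed per org
    audit: list = field(default_factory=list)   # hash-chained audit trail

    def evaluate(self, org: str, model: str, est_tokens: int):
        # Decision taken before the proxy forwards an intercepted AI call.
        policy = self.policies.get(org)
        if policy is None:
            return self._record(org, model, est_tokens, False, "no policy for org")
        if model not in policy["allowed_models"]:
            return self._record(org, model, est_tokens, False, "model not in allowlist")
        used = self.spent.get(org, 0)
        if used + est_tokens > policy["budget_tokens"]:
            return self._record(org, model, est_tokens, False, "budget exceeded")
        self.spent[org] = used + est_tokens        # charge the budget only on allow
        return self._record(org, model, est_tokens, True, "ok")

    def _record(self, org, model, tokens, allowed, reason):
        # Each entry commits to the previous hash; tampering breaks the chain.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"org": org, "model": model, "tokens": tokens,
                 "allowed": allowed, "reason": reason, "prev": prev}
        entry["hash"] = _digest(entry)
        self.audit.append(entry)
        return allowed, reason

    def verify_audit(self) -> bool:
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Denied calls are recorded but not charged against the budget, so a burst of rejected requests cannot exhaust an org's allowance.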

Key Specs

Encryption: AES-256 at rest, TLS 1.3 in transit
Databases: 3 PostgreSQL (main, temporal, visibility)
Auth: OAuth 2.0, OIDC, SAML 2.0, SSO
Media: WebRTC + SRTP + Opus
Orchestration: Temporal (per-org namespace isolation)
AI Governance: MITM proxy, OPA policies, budget caps
Security: Defense-in-depth, audit trail