// WRIT // SOVEREIGN AI BACKEND · // NIST 800-53 REV 5 // OSCAL COMPONENT DEFINITIONS · // HYBRID X25519+ML-KEM-768 TLS · // 100% APACHE / MIT / BSD / MPL · // CNSA 2.0 ALIGNED · // ONE OPENAPI CONTRACT · // IL4 / IL5 TARGET · // AIR-GAP READY · // WRIT // SOVEREIGN AI BACKEND · // NIST 800-53 REV 5 // OSCAL COMPONENT DEFINITIONS · // HYBRID X25519+ML-KEM-768 TLS · // 100% APACHE / MIT / BSD / MPL · // CNSA 2.0 ALIGNED · // ONE OPENAPI CONTRACT · // IL4 / IL5 TARGET · // AIR-GAP READY · // WRIT // SOVEREIGN AI BACKEND · // NIST 800-53 REV 5 // OSCAL COMPONENT DEFINITIONS · // HYBRID X25519+ML-KEM-768 TLS · // 100% APACHE / MIT / BSD / MPL · // CNSA 2.0 ALIGNED · // ONE OPENAPI CONTRACT · // IL4 / IL5 TARGET · // AIR-GAP READY · // WRIT // SOVEREIGN AI BACKEND · // NIST 800-53 REV 5 // OSCAL COMPONENT DEFINITIONS · // HYBRID X25519+ML-KEM-768 TLS · // 100% APACHE / MIT / BSD / MPL · // CNSA 2.0 ALIGNED · // ONE OPENAPI CONTRACT · // IL4 / IL5 TARGET · // AIR-GAP READY · // WRIT // SOVEREIGN AI BACKEND · // NIST 800-53 REV 5 // OSCAL COMPONENT DEFINITIONS · // HYBRID X25519+ML-KEM-768 TLS · // 100% APACHE / MIT / BSD / MPL · // CNSA 2.0 ALIGNED · // ONE OPENAPI CONTRACT · // IL4 / IL5 TARGET · // AIR-GAP READY · // WRIT // SOVEREIGN AI BACKEND · // NIST 800-53 REV 5 // OSCAL COMPONENT DEFINITIONS · // HYBRID X25519+ML-KEM-768 TLS · // 100% APACHE / MIT / BSD / MPL · // CNSA 2.0 ALIGNED · // ONE OPENAPI CONTRACT · // IL4 / IL5 TARGET · // AIR-GAP READY ·
§ PLATFORM OVERVIEW

One platform.
Every kind
of AI.

Writ gives your developers one simple way to use eleven different kinds of AI. One login. One set of rules. One set of logs. And every kind of AI uses the same approach, so learning one means learning them all.

For engineers — Read the Architecture Reference
§ CAPABILITIES

Eleven things Writ can do.

Each capability is available through the same simple web address. Your developers call one, call another, or chain them together — and the experience feels identical. The goal is to let your team focus on the mission, not on stitching products together.

01

Chat and writing

Answer questions, draft text, explain documents, summarize.
02

Prediction

Sort records into categories; forecast outcomes from features.
03

Image understanding

Find objects, recognize scenes, describe or tag photos and video.
04

Search with AI

Find the right document, pull the right paragraph, cite the source.
05

Graph-aware search

Follow relationships between people, places, events, and records.
06

Speech

Transcribe audio. Read text aloud. Separate speakers.
07

Mixed inputs

Understand images and words together — document photos, charts, scans.
08

Time-series

Forecast a trend. Flag the reading that doesn't belong.
09

Ranking

Sort a long list so the important items come first.
10

Learning from feedback

Improve an assistant or model with human preference data.
11

Simulation

Run what-if models for training and scenario planning.
12

Agents

Plan a multi-step task, choose the right tool, and execute it.
§ HOW IT WORKS

Five steps. Every time.

Whether a developer is asking a question, running a prediction, searching documents, or coordinating an agent — the steps are the same. That's the point of having one platform.

§ HOW A REQUEST FLOWS
STEP · 01
Request

A developer or an AI tool asks Writ to do something.

STEP · 02
Verified

Writ checks who's asking and what they're allowed to do.

STEP · 03
Routed

The request goes to the right kind of AI — chat, prediction, search, and so on.

STEP · 04
Answered

The AI produces a result.

STEP · 05
Signed & logged

The answer is signed. A complete audit record is filed.

FIGURE — The same five steps run every time. Chat, prediction, search, speech, agents — one system, one audit record per request.
ENCRYPTED END-TO-END
§ PLATFORM MAP

Every service. Every connection.

This is the interactive map of the platform — every service and every relationship between them. Hover a box to see what that piece does. Hover a line to see how two services talk to each other. Click to pin your view in place.

§ PLATFORM MAP hover a box or a line
Writ platform architecture graph CLIENT App / SDK / CLI Writ SDKs (Python · TS · Go · Rust) CLIENT AI Coding Tool Model Context Protocol (MCP) EDGE Edge Gateway Envoy + oqs-provider CONTROL PLANE API Gateway FastAPI · OpenAPI 3.1 at /v1/* CONTROL PLANE MCP Director Custom · MCP spec-compliant IDENTITY Keycloak Keycloak (Apache 2.0) IDENTITY SPIRE SPIRE / SPIFFE (CNCF) IDENTITY OpenBao OpenBao (MPL 2.0 · Linux Foundation) POLICY OPA Open Policy Agent (CNCF) AI RUNTIME vLLM vLLM (Apache 2.0) AI RUNTIME KServe KServe (CNCF) AI RUNTIME Triton NVIDIA Triton (BSD-3) AI RUNTIME LangGraph LangGraph (MIT) DATA PLANE PostgreSQL PostgreSQL + pgvector extension DATA PLANE OpenSearch OpenSearch (Apache 2.0) DATA PLANE MinIO MinIO (AGPLv3 · OSI) DATA PLANE NATS JetStream NATS (CNCF) SUPPLY CHAIN Sigstore Sigstore / cosign v3 (Apache 2.0) OBSERVABILITY Observability Prometheus · Grafana · Loki · Tempo
▸ View as list
CLIENT
App / SDK / CLI

Applications you build. Your mobile app, your web app, your Python or TypeScript service. They import the Writ toolkit and call the platform over the network.

CLIENT
AI Coding Tool

Claude Desktop, Cursor, Windsurf, and other tools that speak the Model Context Protocol. A developer runs one command and their editor can use every Writ capability.

EDGE
Edge Gateway

The front door. Terminates encrypted traffic, enforces rate limits, and passes validated requests to the control plane. Speaks hybrid future-proof encryption (X25519 + ML-KEM-768).

CONTROL PLANE
API Gateway

The single OpenAPI 3.1 surface at /v1/*. Every capability — chat, prediction, search, speech, agents — lives here. One auth model, one error model, one audit schema, one rate-limit policy.

CONTROL PLANE
MCP Director

The tool plane. Exposes every Writ capability as a Model Context Protocol tool. One endpoint; namespaced tools; OAuth 2.1 scopes; everything audited.

IDENTITY
Keycloak

OIDC identity broker. Handles CAC / PIV / enterprise SSO, federation to external IdPs, and token issuance.

IDENTITY
SPIRE

Workload identity. Every service in the cluster gets a SPIFFE identity issued by SPIRE; internal mTLS is verified against it.

IDENTITY
OpenBao

Secrets and key management. HSM-backed. Replaces HashiCorp Vault under a permissive license.

POLICY
OPA

Policy decisions. For every request, OPA evaluates tenant, classification, purpose, and release markings against the rules your admins wrote.

AI RUNTIME
vLLM

Generative model server. Runs large language models with efficient batching, streaming, and multi-tenant isolation.

AI RUNTIME
KServe

Inference server for predictive, classical-ML, and computer-vision models. Scales to zero when idle; spins up when work arrives.

AI RUNTIME
Triton

High-throughput inference for vision and multimodal models, with TensorRT-LLM backends for NVIDIA GPUs.

AI RUNTIME
LangGraph

Agent runtime. Implements plan / act / reflect loops, tool calling, and multi-step workflows with persistent checkpoints.

DATA PLANE
PostgreSQL

The main database. Stores conversations, agent checkpoints, user records, and vector embeddings for AI search (via the pgvector extension).

DATA PLANE
OpenSearch

Full-text and hybrid search. Documents with classification tags; policy-enforced retrieval.

DATA PLANE
MinIO

Object storage. Model weights, training data, evidence bundles. Works offline, synchronizes when a link opens.

DATA PLANE
NATS JetStream

Messaging and event streaming. Feeds audit records, model-request queues, and cross-service events.

SUPPLY CHAIN
Sigstore

Signing and transparency. Every container image, every release, every audit bundle is signed with post-quantum-safe keys and logged to a public record.

OBSERVABILITY
Observability

Metrics, logs, and traces — the operations view of the platform. Dashboards your team already knows how to read. Every service reports; nothing is black-boxed.

Technical deep dive — Architecture Reference paper
§ WORKS WITH YOUR TOOLS

Plays well with modern AI assistants.

Developers who already use assistants like Claude Desktop, Cursor, or other modern coding tools can connect them to Writ with a single command. The same rules and security that protect the platform protect those connections.

Every connection is authenticated against your identity system. Every request is logged. Every answer is auditable.

How developers build with Writ
// Connect your AI tool
writ
mTLS · hybrid-X25519+ML-KEM-768
 $ writ connect claude-desktop
§ WHERE IT RUNS

One install. Three sizes.

Writ is the same software from a developer's laptop all the way to a full government data center. A program typically starts small and grows as the mission matures — with no rewrite along the way.

SIZE · 01
writ.profile.dev

Laptop

A single file you run on a developer's computer. Works offline. No special hardware needed. Good for a first demo.

  • Any laptop, 8 GB of memory
  • Works without an internet connection
  • Seeded with sample data
SIZE · 02
writ.profile.edge

Single server

One hardened server in the field. Runs on standard hardware — most brands of Intel, AMD, and ARM. Supports limited AI chips.

  • 8–16 CPU cores
  • Optional AI accelerator
  • Ready for air-gapped networks
SIZE · 03
writ.profile.cluster

Full data center

A full cluster in a data center. Built for high-sensitivity government workloads. Supports multiple tenants and cross-site operation.

  • Kubernetes cluster, standard or hardened
  • Multiple AI accelerators
  • Security-hardened base images only
§ FOR TECHNICAL READERS

Every piece of the architecture documented.

Read the Architecture Paper