Rigorix.
OSS

High-Level Architecture

┌─────────────────────────────────────────────────────────────┐
│  Browser                                                      │
│  ├── rigorix.eu → nginx → Astro static site                  │
│  └── app.rigorix.eu → Axum (Rust) → Embedded frontend       │
│                                                                │
│  All API calls: /api/v1/* → Axum → PostgreSQL                 │
└─────────────────────────────────────────────────────────────┘

Key Design Decisions

Single Binary Deployment

The entire application — backend server, frontend assets, and CLI — ships as a single Rust binary. This means:

  • One deployment artifact, not a dozen microservices
  • Air-gapped enterprise deployment is straightforward
  • No npm, CDN, or external runtime dependencies in production

Frontend Split

The frontend is split across two subdomains:

SubdomainPurposeTech
rigorix.euLanding, blog, docs, pricingAstro (static HTML)
app.rigorix.euDashboard, login, APIAlpine.js SPA

Authentication

All API requests are authenticated via Keycloak SSO with JWT tokens. The dashboard uses the OAuth2 authorization code flow with PKCE.

Data Storage

  • PostgreSQL — Primary data store for audits, policies, teams, and compliance scores
  • HMAC-SHA256 — Each audit log entry is signed for tamper-proof integrity
  • 7-year retention — Configurable per organization