High-Level Architecture
┌─────────────────────────────────────────────────────────────┐
│ Browser │
│ ├── rigorix.eu → nginx → Astro static site │
│ └── app.rigorix.eu → Axum (Rust) → Embedded frontend │
│ │
│ All API calls: /api/v1/* → Axum → PostgreSQL │
└─────────────────────────────────────────────────────────────┘
Key Design Decisions
Single Binary Deployment
The entire application — backend server, frontend assets, and CLI — ships as a single Rust binary. This means:
- One deployment artifact, not a dozen microservices
- Air-gapped enterprise deployment is straightforward
- No npm, CDN, or external runtime dependencies in production
Frontend Split
The frontend is split across two subdomains:
| Subdomain | Purpose | Tech |
|---|---|---|
| rigorix.eu | Landing, blog, docs, pricing | Astro (static HTML) |
| app.rigorix.eu | Dashboard, login, API | Alpine.js SPA |
Authentication
All API requests are authenticated via Keycloak SSO with JWT tokens. The dashboard uses the OAuth2 authorization code flow with PKCE.
Data Storage
- PostgreSQL — Primary data store for audits, policies, teams, and compliance scores
- HMAC-SHA256 — Each audit log entry is signed for tamper-proof integrity
- 7-year retention — Configurable per organization