Architecture
This section documents the inside of Velocity — what the platform owns in Postgres, how it enforces security at the database layer, and how the schema evolves over time. Most of the day-to-day docs describe the CRD surface and REST API; this section is for the operator who needs to know what Velocity is doing to their database.
What’s here
- Database schema — every table in the
platformschema, what it stores, how it’s partitioned and indexed. - Stored procedures —
audit_insert()andaudit_verify_window(), the only sanctioned writers/verifiers for the audit chain. - RLS and grants — the two-role model (
velocity_api,velocity_operator),SET LOCAL ROLEper transaction, per-tenant grants. - Migrations — index of the six migrations that bring a cluster from empty to current.
How the pieces fit
┌─────────────────────────────┐ Kubernetes API ─────►│ velocity-operator │ (CRDs) │ • mirrors CRDs into │ │ platform.schema_defs │ │ • provisions per-tenant │ │ schemas + tables │ │ • partition manager │ │ • anomaly scanner │ └──────────────┬──────────────┘ │ velocity_operator role │ (NOSUPERUSER, NOBYPASSRLS, │ CREATEROLE for tenants) ▼ ┌─────────────────────────────┐ REST clients ───────►│ velocity-api │ │ • SET LOCAL ROLE <domain> │ │ • parameterised queries │ │ • audit_insert() only │ └──────────────┬──────────────┘ │ velocity_api role │ (NOSUPERUSER, NOBYPASSRLS) ▼ ┌─────────────────────────────┐ │ Postgres │ │ • platform.* (this dir) │ │ • {org}_{app}_{domain}.* │ │ (provisioned per tenant) │ └─────────────────────────────┘Three things are load-bearing across every page in this section:
velocity_apiisNOBYPASSRLS— verified at startup (ADR-007). If it ever hasBYPASSRLS=true, the API server refuses to start. RLS is therefore an actual backstop, not a paper one.- Direct
INSERTintoplatform.audit_logis revoked. The chain is only writable throughaudit_insert(). - Idempotent migrations. Every file under
migrations/is safe to re-apply. Re-running is the recovery primitive when state drift is suspected.