Architecture
How engines, storage, and protocols fit together.
Platform overview
Moat is a single process that hosts every engine core. Two listeners, one shared storage and telemetry plane, one auth model.
               ┌────────────────────────────────┐
               │          ShrouDB Moat          │
HTTP :8200 ──▶ │ ┌──────────────────────────┐ │
               │ │    Auth / Scope gate     │ │
TCP :8201 ──▶  │ └──────────────────────────┘ │
               │ ┌────────┬────────┬────────┐ │
               │ │ Sigil  │ Cipher │ Stash  │ │
               │ ├────────┼────────┼────────┤ │
               │ │ Keep   │ Veil   │ Forge  │ │
               │ ├────────┼────────┼────────┤ │
               │ │ Sentry │Courier │Chronicle│ │
               │ └────────┴────────┴────────┘ │
               │ ┌──────────────────────────┐ │
               │ │  Encrypted WAL + Config  │ │
               │ └──────────────────────────┘ │
               └────────────────────────────────┘
Engine dependencies
- Veil uses Cipher (embedded or remote) for key operations.
- Stash uses Cipher for envelope encryption.
- Courier optionally uses Cipher for payload encryption.
- Chronicle receives audit events from every engine via the tracing layer.
- Sigil, Forge, Sentry, and Keep are independent.
Storage model
Write-ahead log
Every mutation is appended to an encrypted WAL (AES-256-GCM, with a key derived per engine via HKDF). Reads are served from in-memory state, which is hydrated from the WAL at startup.
ConfigStore
Bootstrap config comes from your TOML file at startup. Runtime mutations from CONFIG SET are persisted to the WAL so they survive restarts. Structural keys are immutable; operational keys (TTLs, rotation, rate limits) are runtime-mutable.
Per-tenant isolation
Multi-tenant deployments derive a separate set of engine master keys for each tenant via HKDF. Tenants cannot decrypt each other's data, even with access to the Moat process.
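The per-engine HKDF derivation described under the write-ahead log, and the per-tenant isolation built on it, as an added example that is not Moat's own code. It uses only the Python standard library; the label layout (tenant id, engine name), the fixed salt string and the 32-byte AES-256 key size are assumptions, since the page does not document Moat's actual derivation contexts.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # PRK = HMAC-Hash(salt, IKM); an absent salt is HASH_LEN zero bytes.
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # OKM = T(1) | T(2) | ...  with  T(i) = HMAC-Hash(PRK, T(i-1) | info | i)
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output too long")
    okm, block = b"", b""
    for counter in range(1, -(-length // HASH_LEN) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def _label(*fields: str) -> bytes:
    # Length-prefix every field so ("ab", "c") and ("a", "bc") cannot collide.
    return b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)


def derive_engine_key(root_master: bytes, tenant: str, engine: str) -> bytes:
    """Root master -> per-tenant, per-engine AES-256 key (32 bytes).

    Tenant and engine names go into HKDF `info`, so the same engine under
    two tenants gets unrelated keys, two engines under one tenant never
    share a key, and the result is deterministic, which is what lets the
    WAL be decrypted again after a restart. The salt is an assumed label.
    """
    prk = hkdf_extract(b"shroudb-moat-v1", root_master)
    return hkdf_expand(prk, _label("tenant", tenant, "engine", engine), 32)


def rfc5869_known_answer() -> bool:
    """RFC 5869 test case 1; run this before trusting the derivation."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    okm = hkdf_expand(hkdf_extract(salt, ikm), info, 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c"
                         "5db02d56ecc4c5bf34007208d5b887185865")
```

Keys for (tenant-a, stash) and (tenant-b, stash) share no material beyond the root master, so a compromised tenant key reveals nothing about another tenant's WAL entries; the known-answer check catches a miscounted HKDF block or a wrong salt default before any data is written.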
Protocol layer
TCP wire protocol
A binary protocol built for high throughput. Connections authenticate with AUTH, switch context with ENGINE <name>, then issue engine-specific commands.
HTTP REST
Routes follow /v1/{engine}/{action}/{resource}. Auth is Bearer token with the same scope syntax as TCP.
Telemetry flow
All engines emit via a unified tracing layer. Four fan-outs:
- Console — human-readable logs to stdout.
- Audit file — JSON-line events to disk.
- OpenTelemetry — OTLP export to Jaeger, Tempo, Datadog.
- Chronicle — routes events to the Chronicle engine for query.