Go 1.24+ · Apache 2.0 · 273 Tests

System Architecture

Crash-proof governed runtime for AI agents. Single Go binary with embedded Temporal, cryptographic audit, RBAC+ABAC policy engine, budget enforcement, and WireGuard zero-trust mesh. Architecture derived from source code analysis.

Client Layer
- Workbench: Electron · 316K lines
- lattice CLI: Go · 120+ cmds
- Go SDK: agentsdk pkg
- Terraform: IaC Provider
- Toolbox: Swift macOS
- Operator: Laravel SSH

API Gateway (chi router)
- REST API: 100+ endpoints
- DRPC: Protobuf bidir
- WebSocket: PubSub events
- Middleware: 12 layers

Tailnet Mesh (WireGuard)
- WireGuard: P2P encrypted
- DERP Relay: TCP/WS fallback
- Coordinator: Agent discovery

latticed (Single Binary)

Core Services (coderd.go)
- Temporal v1.30: Embedded gRPC:7233
- Identity Engine: OAuth2/OIDC/SAML
- Policy Engine: Rego → SQL
- Budget Engine: Hard/soft limits
- Agent Lifecycle: CRUD + Signal
- Crypto Keys: Sign/Encrypt/Rotate
- PubSub: DB-backed events
- Provisioner: Terraform jobs

Temporal Workers
- AgentWorkflow: Durable signal loop
- CoordWorkflow: Room management
- Task Queue: lattice-agents

Data Layer
- PostgreSQL: 50+ tables SQLC
- Temporal DB: Workflow state
- Audit Ledger: SHA-256 chain
- 424 Migrations: Schema evolution
- AI Budgets: lattice_ai_budgets
- Agent State: lattice_agents
- Crypto Keys: Signing + Encrypt

Governance Engine
- RBAC: Role-based 744KB
- ABAC: Attribute-based
- Rego/OPA: policy.rego 427L
- Rego→SQL: DB-level enforce
- PII Filter: Prompt scan
- Model Lock: Restrict models
- Tool Gate: Whitelist tools
- Audit Chain: SHA-256 linked

Observability
- Prometheus: Metrics export
- OpenTelemetry: Distributed tracing
- Net Telemetry: Batch 1min/1000

AI Providers (External)
- Anthropic: Claude
- OpenAI: GPT
- Google: Gemini
- Ollama/Local: Inference server

Request Flow

1. Request Arrives: REST/DRPC/WS → 12-layer middleware (CSRF, CORS, rate limit, tracing)
2. Identity Verified: OAuth2/OIDC/SAML/mTLS/API key. Subject constructed.
3. Policy Evaluated: Rego → SQL. RBAC+ABAC. DB queries filtered by policy.
4. Budget Checked: Per-agent, per-org limits. Hard caps halt. Soft caps alert.
5. Temporal Executes: AgentWorkflow durable signal loop. Continue-As-New @1000.
6. Audit Logged: SHA-256(event + prev_hash). Diff captured. Immutable.
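
The hash rule in the Audit Logged step, SHA-256(event + prev_hash), shown as an added example that is not code from the Lattice source: it builds a small chain and verifies it against a head hash held outside the ledger, which also catches a truncated tail. The Entry layout, the all-zero genesis value, the hex encoding, the function names and the sample events are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is a hypothetical ledger row; the page states only the hash rule.
type Entry struct{ Event, PrevHash, Hash string }
var genesis = fmt.Sprintf("%064d", 0) // assumed prev_hash of the first entry

// link computes SHA-256(event + prev_hash); hex encoding is an assumption.
func link(event, prev string) string {
	sum := sha256.Sum256([]byte(event + prev))
	return hex.EncodeToString(sum[:])
}

// Build chains the given events in order, starting from genesis.
func Build(events ...string) (chain []Entry) {
	prev := genesis
	for _, ev := range events {
		chain = append(chain, Entry{ev, prev, link(ev, prev)})
		prev = chain[len(chain)-1].Hash
	}
	return chain
}

// Verify returns -1 if the chain is intact and ends at head, the index of the
// first broken entry, or len(chain) if only the head differs (truncated tail).
func Verify(chain []Entry, head string) int {
	prev := genesis
	for i, e := range chain {
		if e.PrevHash != prev || e.Hash != link(e.Event, prev) {
			return i
		}
		prev = e.Hash
	}
	if prev != head {
		return len(chain)
	}
	return -1
}

func main() { // the sample events below are constructed, not real audit records
	c := Build("agent.create id=a1", "budget.update org=o1", "agent.signal id=a1")
	head := c[len(c)-1].Hash // keep a copy outside the ledger
	c[1].Event = "budget.update org=o2"
	fmt.Println("first broken entry:", Verify(c, head))
}
```

Rewriting an entry and recomputing its own hash only moves the break to the next entry, so a walk of the chain plus the external head comparison covers edits, reordering and truncation.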

Key Specs (from code)

Binary: Single Go (latticed)
Temporal: Embedded v1.30.1 :7233
Namespaces: lattice-org-{orgID}
Policy: Rego → SQL (regosql)
RBAC cache: LRU SHA256 keys
Audit: SHA-256 chain
Mesh: WireGuard + DERP
DB: PostgreSQL 50+ tables SQLC
Middleware: 12 layers
Rate limit: 512/min, 60/min login