---
summary: The two-plane model and the load-bearing invariants.
title: Architecture
path: architecture
status: published
---

# Architecture

The single most important structural idea is that ScaiCrew owns a **control plane** and is a thin
orchestrator over an **execution / substrate plane** of pre-existing services.

## Control plane (this product)

- The crew-member object model and versioning
- The conversational authoring orchestrator
- The trigger scheduler and webhook ingress
- The **compiler** (crew-member definition → ScaiCore program)
- The run dispatcher
- User login and the Bridge read models

## Execution plane (existing services)

| Service | Role |
|---|---|
| ScaiCore | Runs the compiled program (embedded in-process) |
| ScaiBunker | Sandboxes tool execution |
| ScaiSkills / connectors | Capabilities over MCP |
| ScaiGrid / ScaiInfer | Inference |
| ScaiDrive | Memory and files |
| ScaiMatrix | RAG |
| ScaiScribe | Document rendering |
| ScaiQueue | Human-in-the-loop and policy |
| ScaiVault | Secrets |
| ScaiKey | Identity |
| ScaiControl | Cost metering |

## The boundary is firm

- ScaiCrew **computes when** approval is needed; ScaiQueue **enforces** it.
- ScaiCrew **compiles to** ScaiCore directives but never executes them itself.
- ScaiCrew **references secrets** by ScaiVault handle but never holds plaintext.

Anything beyond single-branch handoff orchestration is exported to ScaiFlow, not built here.

## Load-bearing invariants

- **Workspace is the hard tenancy boundary.** Every control-plane row carries `workspace_id`,
  derived from the caller's token — never from a request body. See [Workspaces](/docs/scaicrew/workspaces).
- **Each crew member is its own identity.** Substrate access happens *as* that identity, so every
  action is attributable and independently revocable. See [Identities](/docs/scaicrew/authentication/identities).
- **Definitions are immutable, versioned records.** Every run pins the exact version it executed.
  See [Crew members](/docs/scaicrew/crew-members).
- **Approval is computed from rigidity × effect class.** See [Approvals](/docs/scaicrew/approvals).
- **The compiler is pure and deterministic.** The same draft compiles identically however it was
  produced (chat, form, API, or template install).
- **Secrets only ever live in ScaiVault**, referenced by handle everywhere else.