Architecture
Lelu is designed with a strict separation between the data plane (Engine) and the control plane (Platform). This ensures high availability, low latency, and secure policy evaluation.
The Split Architecture
To ensure that authorization checks never block your AI agents, Lelu splits its responsibilities into two distinct services:
The Engine (Data Plane)
A lightweight, high-performance Go service that evaluates Rego policies in memory. It handles all /authorize requests from your agents. It uses Redis for fast queueing and caching.
The Platform (Control Plane)
A Go API and Next.js UI that manages policies, human-in-the-loop approvals, and the audit trail. It uses PostgreSQL for persistent storage and syncs policies down to the Engine.
Data Flow
1. Policy Sync
The Platform pushes updated Rego policies to the Engine via a secure gRPC/HTTP stream.
2. Authorization Request
An AI agent calls the Engine's /authorize endpoint. The Engine evaluates the policy in <2ms.
3. Human-in-the-loop (If needed)
If confidence is low, the Engine pushes the request to Redis. The Platform reads from Redis and displays it in the UI for human approval.
4. Audit Logging
Every decision is asynchronously batched and sent to the Platform (and optionally S3) for immutable audit logging.
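Steps 2 to 4 of the data flow above, modeled in Go as an added example; this is not Lelu's code or API. The type names, the 0.8 threshold, the buffered channel standing in for the Redis queue, and the slice standing in for the Platform's audit sink are all assumptions.

```go
package main

import "fmt"

// Hypothetical model: none of these names or values come from Lelu itself.
type Request struct{ Agent, Action string; Confidence float64 }
type Decision struct{ Req Request; Outcome string } // allow | deny | pending_review
type Engine struct {
	policy    func(Request) bool // stand-in for in-memory Rego evaluation
	threshold float64            // below this confidence, a human decides
	Review    chan Request       // stand-in for the Redis queue the Platform reads
	audit     chan Decision      // hand-off to the audit worker
	done      chan struct{}      // closed once the worker has flushed
	Batches   [][]Decision       // stand-in for batches sent to the Platform
}

func NewEngine(policy func(Request) bool, threshold float64, batch int) *Engine {
	e := &Engine{policy: policy, threshold: threshold, Review: make(chan Request, 64), audit: make(chan Decision, 64), done: make(chan struct{})}
	go func() { // audit worker: batching happens off the request path
		defer close(e.done)
		var buf []Decision
		for d := range e.audit {
			if buf = append(buf, d); len(buf) == batch {
				e.Batches, buf = append(e.Batches, buf), nil
			}
		}
		if len(buf) > 0 { // flush the partial batch on shutdown
			e.Batches = append(e.Batches, buf)
		}
	}()
	return e
}

func (e *Engine) Authorize(r Request) Decision {
	d := Decision{Req: r, Outcome: "deny"} // default deny
	if r.Confidence < e.threshold {
		d.Outcome = "pending_review" // not allowed until a human approves
		e.Review <- r
	} else if e.policy(r) {
		d.Outcome = "allow"
	}
	e.audit <- d // every decision is audited, including denials
	return d
}
func (e *Engine) Close() { close(e.audit); <-e.done } // drain and flush audit records
func main() {
	e := NewEngine(func(r Request) bool { return r.Action == "read" }, 0.8, 2)
	fmt.Println(e.Authorize(Request{"agent-1", "read", 0.95}).Outcome) // constructed sample
	e.Close()
}
```

In this sketch a full review or audit buffer would block the caller; a real deployment has to choose between back-pressure and dropping records when those queues fill.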