
Under the Hood

This page is for engineers. Here's how we architected a platform that lets AI build production-grade applications without the usual shortcuts, security holes, and technical debt.

Architecture Overview

The Rocket Powered AI platform is composed of four major subsystems, each with a distinct responsibility. They work together to provide a full-stack, multi-tenant, compliance-ready runtime for every product built on the platform.

Subsystem | What it is
Studios | 6 specialized React workspaces (Business, Product, Design, Marketing, Revenue, Support) loaded as iframes in the shell app
Fuselage | Per-product Lambdalith runtime; mounts all 65 RocketCore modules plus a WASM sandbox for custom product code
RocketCore | 65 Rust crates (auth, billing, compliance, collab, AI, CRM, CMS, and 58 more); 500K+ lines of security-hardened code
Fuel | Self-hosted GPU inference on NVIDIA DGX Spark; private AI models, no data leaves your infrastructure
Infrastructure | AWS CDK: Lambda ARM64, API Gateway, DynamoDB, S3, Cognito, CloudFront, Bedrock, SES, SNS, Step Functions

RocketCore

65 Rust Crates. 1,200+ Endpoints. One Coherent System.

RocketCore is the foundation layer — a library of 65 independent Rust crates, each exposing an Axum router via pub fn routes() -> Router<AppState>. Every crate is annotated with #[utoipa::path] for automatic OpenAPI spec generation, and every struct derives utoipa::ToSchema. The generated spec drives TypeScript SDK generation via @hey-api/openapi-ts, so there are zero hand-written API calls on the frontend.

Module Categories

Foundation (6 crates)

rocketcore-common (Cedar evaluator, JWT, Cognito sync), rocketcore-db (DynamoDB single-table with compile-time tenant isolation), rocketcore-platform (errors, validation), rocketcore-http (Axum helpers, CORS, WAF, security headers), rocketcore-telemetry (structured logging, X-Ray, PII redaction), rocketcore-i18n

Identity & Access (8 crates)

rocketcore-auth (SRP-6a login, MFA, social, magic links), rocketcore-password (bcrypt + SRP verifier), rocketcore-users (profiles, devices, PATs), rocketcore-accounts (multi-tenant), rocketcore-sharing (Cedar-authorized), rocketcore-superadmin, rocketcore-scim (directory sync), rocketcore-internal

Commerce & Billing (5 crates)

rocketcore-billing (Stripe Connect, subscriptions, credits), rocketcore-stripe (webhook processing), rocketcore-ecommerce (products, cart, checkout), rocketcore-estimates (invoicing, PDF), rocketcore-loyalty (points, tiers, gift cards)

AI & Intelligence (5 crates)

rocketcore-ai (Bedrock conversations, streaming, tool use), rocketcore-ai-agents (persistent memory, multi-channel), rocketcore-ai-experts (1,008 MoE personas, sub-100ms routing), rocketcore-research (AI-powered reports), rocketcore-mcp (Model Context Protocol)

Content & Collaboration (7 crates)

rocketcore-documents (S3, versioning, virus scan), rocketcore-collab (CRDT via Automerge/Loro, MemoryDB presence), rocketcore-cms (pages, posts, menus), rocketcore-wiki (spaces, backlinks), rocketcore-forms (e-signatures, PDF), rocketcore-media (HLS/DASH, MediaConvert), rocketcore-chat

Communication (4 crates)

rocketcore-notify (in-app, push), rocketcore-realtime (WebSocket transport), rocketcore-sms (Twilio integration, campaigns), rocketcore-email-marketing (SES, lists, automations)

Operations & Industry (12 crates)

rocketcore-dispatch (field service), rocketcore-routing (Haversine, time-windowed), rocketcore-inventory (warehouses, POs), rocketcore-labor (timecards, payroll), rocketcore-health (biometrics, risk scores), rocketcore-iot (telemetry, alerts), rocketcore-providers, rocketcore-bookings, rocketcore-events, rocketcore-groups, rocketcore-members, rocketcore-education

Platform & DevEx (18 crates)

rocketcore-analytics, rocketcore-charts, rocketcore-compliance, rocketcore-projects, rocketcore-workflow (Step Functions), rocketcore-jobs (async queues), rocketcore-webhooks, rocketcore-crm, rocketcore-search-api (inverted-index on DynamoDB), rocketcore-feature-flags, rocketcore-edge-config, rocketcore-design-tokens, rocketcore-templates, rocketcore-import-export, rocketcore-surveys, rocketcore-community, rocketcore-support, rocketcore-issue-tracking

Data Layer: DynamoDB Single-Table Design

All RocketCore modules share one DynamoDB table per deployment. The rocketcore-db crate enforces tenant isolation at compile time: its query builder will not type-check without a TenantId, and that value is derived from the verified JWT, never from user input, so every query carries the tenant's partition key. The single-table design gives us:

  • Partition-level tenant isolation with Cedar authorization on every read/write
  • Optimistic locking via conditional writes (no lost updates)
  • Soft deletes with configurable retention periods for GDPR/CCPA compliance
  • DynamoDB Streams feeding an immutable audit log (SOC 2 evidence)
  • Built-in inverted-index full-text search — no Elasticsearch, zero fixed cost
  • Automatic GSIs for common access patterns (by-type, by-status, by-date)

Auth: SRP-6a Zero-Knowledge Protocol

Passwords never leave the browser. RocketCore authenticates with the Secure Remote Password protocol (SRP-6a), a password-authenticated key exchange, backed by AWS Cognito: the server stores a salted verifier rather than the password, and a login proves knowledge of the password while deriving a fresh session key. The auth flow:

  • SRP-6a: the server never sees the password, only a per-user salted verifier. A leaked verifier cannot be replayed as a credential, though it still has to be treated as sensitive because it permits offline guessing against weak passwords.
  • MFA: TOTP, SMS, email, backup codes, passkeys (WebAuthn/FIDO2)
  • Social: Google, Apple, GitHub, Facebook, LinkedIn via OIDC
  • Enterprise: SAML 2.0 SSO, SCIM 2.0 directory sync
  • Authorization: Cedar policy language for RBAC/ABAC, not if role == "admin" checks
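The exchange above, written out end to end as an added example; this is not RocketCore's or Cognito's code. It uses a 61-bit toy prime and FNV-1a in place of the RFC 5054 2048-bit group and SHA-256 so that it runs with no dependencies, and the identity, password, salt and ephemeral secrets are constructed inputs. It also carries the SRP-6a abort rules (A or B congruent to 0 mod p, u equal to 0) and checks the client proof M1 before the server releases M2, which is the order the real protocol requires.

```rust
// Added example, not RocketCore or Cognito code: a complete SRP-6a exchange in
// std-only Rust. TOY PARAMETERS: a 61-bit prime and FNV-1a stand in for the
// RFC 5054 2048-bit group and SHA-256 so the block runs without external
// crates. Do not use these numbers for anything real.
const P: u64 = 2_305_843_009_213_693_951; // 2^61 - 1 (prime, toy size)
const G: u64 = 7;

fn mul_mod(a: u64, b: u64) -> u64 {
    ((a as u128 * b as u128) % (P as u128)) as u64
}

fn pow_mod(mut base: u64, mut exp: u64) -> u64 {
    let mut acc = 1u64;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mul_mod(acc, base);
        }
        base = mul_mod(base, base);
        exp >>= 1;
    }
    acc
}

/// Toy hash over concatenated parts (FNV-1a, separator byte after each part).
/// Stands in for SHA-256; it is NOT collision resistant.
fn h(parts: &[&[u8]]) -> u64 {
    let mut x: u64 = 0xcbf2_9ce4_8422_2325;
    for part in parts {
        for &byte in part.iter().chain(std::iter::once(&0xffu8)) {
            x ^= byte as u64;
            x = x.wrapping_mul(0x0000_0100_0000_01b3);
        }
    }
    x
}

fn hn(parts: &[u64]) -> u64 {
    let bytes: Vec<[u8; 8]> = parts.iter().map(|v| v.to_be_bytes()).collect();
    let refs: Vec<&[u8]> = bytes.iter().map(|b| b.as_slice()).collect();
    h(&refs)
}

/// x = H(salt | H(identity ":" password)); computed only on the client.
fn private_x(identity: &str, password: &str, salt: u64) -> u64 {
    let inner = h(&[identity.as_bytes(), &b":"[..], password.as_bytes()]);
    hn(&[salt, inner]) % (P - 1)
}

/// SRP-6a multiplier k = H(N, g).
fn k() -> u64 {
    hn(&[P, G]) % P
}

pub struct Verifier {
    pub salt: u64,
    pub v: u64,
}

/// Registration: the client sends (salt, v = g^x) and the server stores that,
/// never the password. A stolen verifier cannot log in, but it does allow an
/// offline guessing attack, which is why salts are per user.
pub fn register(identity: &str, password: &str, salt: u64) -> Verifier {
    Verifier { salt, v: pow_mod(G, private_x(identity, password, salt)) }
}

/// Server step: receives A, replies with (salt, B) and derives its copy of S.
/// Returns None when A == 0 (mod p) or u == 0, as SRP-6a requires.
pub fn server_respond(ver: &Verifier, a_pub: u64, b: u64) -> Option<(u64, u64)> {
    if a_pub % P == 0 {
        return None;
    }
    let b_pub = (mul_mod(k(), ver.v) + pow_mod(G, b)) % P; // B = k*v + g^b
    let u = hn(&[a_pub, b_pub]) % (P - 1);
    if u == 0 {
        return None;
    }
    let s = pow_mod(mul_mod(a_pub, pow_mod(ver.v, u)), b); // S = (A * v^u)^b
    Some((b_pub, s))
}

/// Client step: derives S from its own password; the password itself is never sent.
pub fn client_finish(identity: &str, password: &str, salt: u64, a: u64, a_pub: u64, b_pub: u64) -> Option<u64> {
    if b_pub % P == 0 {
        return None;
    }
    let u = hn(&[a_pub, b_pub]) % (P - 1);
    if u == 0 {
        return None;
    }
    let x = private_x(identity, password, salt);
    let base = (b_pub + P - mul_mod(k(), pow_mod(G, x))) % P; // B - k*g^x
    let exp = ((a as u128 + u as u128 * x as u128) % (P as u128 - 1)) as u64; // a + u*x
    Some(pow_mod(base, exp))
}

/// Full exchange. `a` and `b` are the ephemeral secrets; real code draws them from a CSPRNG.
pub fn run_login(identity: &str, password: &str, ver: &Verifier, a: u64, b: u64) -> bool {
    let a_pub = pow_mod(G, a); // client -> server: I, A
    let (b_pub, s_server) = match server_respond(ver, a_pub, b) {
        Some(reply) => reply, // server -> client: salt, B
        None => return false,
    };
    let s_client = match client_finish(identity, password, ver.salt, a, a_pub, b_pub) {
        Some(s) => s,
        None => return false,
    };
    let m1 = hn(&[a_pub, b_pub, s_client]); // client -> server: M1
    if m1 != hn(&[a_pub, b_pub, s_server]) {
        return false; // wrong password: server aborts before revealing M2
    }
    let m2 = hn(&[a_pub, m1, s_server]); // server -> client: M2
    m2 == hn(&[a_pub, m1, s_client])
}

fn main() {
    let ver = register("founder@example.com", "correct horse battery", 0x5a17);
    let ok = run_login("founder@example.com", "correct horse battery", &ver, 123_456_789, 987_654_321);
    println!("login ok: {ok}");
}
```

The two things to notice are that the password string only ever enters `private_x` on the client, and that the server cannot learn it from `A`, `M1` or its stored verifier; what it can do with a stolen verifier is run guesses through `register` offline, which is the caveat behind the per-user salt and the password policy.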

OpenAPI & SDK Pipeline

Every backend handler is annotated with #[utoipa::path]. The pipeline:

# 1. Generate OpenAPI spec from Rust utoipa annotations
make openapi       # → openapi.json + openapi-rocketcore.json

# 2. Generate TypeScript SDK from the spec
make sdk           # → web-app/sdk/src/generated/{sdk.gen.ts, types.gen.ts}

# 3. Audit: zero fetch/axios in frontend code
make sdk-audit     # scans all .ts/.tsx for prohibited patterns

# 4. Ship: build → audit → deploy → test
make ship          # full pipeline, the ONLY way to deploy

The SDK audit step is non-negotiable: if any fetch(, axios, or XMLHttpRequest appears in frontend code, the build fails. 100% of API calls go through the generated SDK.

Fuselage

Per-Product Lambdalith Runtime

When a founder builds a product on Rocket Powered AI, that product gets its own Fuselage — a dedicated Lambdalith (single-Lambda monolith) that mounts the full RocketCore surface area plus a WASM sandbox for custom product code.

Architecture

  • One Fuselage per product: it maps to a product slug, not a customer or account. One founder can have multiple products, each with its own Fuselage.
  • Three environments: dev (auto-deploy on save), test (manual promote), prod (manual promote with confirmation). Dev and test are always gated via rocket-core-gate (CloudFront Lambda@Edge access control).
  • One AWS sub-account per product: rocketpowered-<slug>, with all three stages inside it. Full blast-radius isolation.
  • DNS convention: dev.<slug>.rocketpowered.app, test.<slug>.rocketpowered.app, and <slug>.rocketpowered.app for prod. Custom domains only on prod (Hatch/Fly tier).

WASM Sandbox

Custom product code runs in a Wasmtime sandbox. Host functions bridge exclusively to RocketCore modules — the sandbox cannot access the network, filesystem, or anything outside the RocketCore API surface. This means:

  • Product code cannot bypass tenant isolation or Cedar authorization
  • Product code cannot make arbitrary network calls or access other tenants' data
  • Product code gets the full 1,200+ endpoint surface area through safe host function bindings
  • Cold starts stay fast because the WASM module is pre-compiled and cached

Route Structure

# RocketCore routes (served by the mounted crates)
/v1/core/*      # All 65 RocketCore modules
/api/auth/*     # Auth, password, users, accounts, sharing

# Product-specific routes (served by the WASM sandbox)
/api/ext/*      # Custom product endpoints defined in WASM

# NOT served by Fuselage: Studio endpoints live in the studio app

Resource Naming Convention

# Pattern: <slug>-<stage>-<resource>
acme-dev-main         # Lambda function
acme-dev-table        # DynamoDB table
acme-prod-fuselage    # Fuselage deployment artifact
acme-prod-cdn         # CloudFront distribution

Fuel

Self-Hosted GPU Inference

Fuel is Rocket Powered AI's self-hosted AI inference layer, running on NVIDIA DGX Spark hardware. It provides private, on-premise AI model execution for workloads where data sovereignty, latency, or cost matter.

Why Self-Hosted?

  • Data sovereignty: when a workload is routed to Fuel, sensitive inference (medical, legal, financial) never leaves your infrastructure. Nothing is sent to OpenAI, Anthropic, or any third-party API.
  • Cost at scale: API token costs grow linearly with usage. Self-hosted inference has a fixed hardware cost, with throughput bounded by the GPUs you own rather than by metered tokens.
  • Latency: local inference avoids the round-trip to a cloud API. Sub-10ms inference for embedding models.
  • Custom models: fine-tuned models, LoRA adapters, and domain-specific models that can't run on commercial APIs.

Integration with RocketCore AI Modules

The rocketcore-ai and rocketcore-ai-agents crates support multiple inference backends. When a Fuselage is configured with a Fuel endpoint, AI requests are routed to the local GPU cluster instead of Bedrock. The routing is transparent — the same API surface, same streaming protocol, same tool-use interface.

Backend | When to Use | Data Location
AWS Bedrock | Default. Managed AI models (Claude, Llama, Mistral) with no hardware to maintain. | AWS region
Fuel (DGX Spark) | Data sovereignty, custom fine-tuned models, high-throughput batch inference, cost optimization at scale. | On-premise
External APIs | OpenAI, Anthropic, Google, for specific model access (GPT-4o, Claude, Gemini). | Provider's cloud

Studios

6 Specialized Workspaces

Studios are the user-facing layer — six independent React + Vite apps loaded as iframes inside the main shell application. Each studio is purpose-built for a specific stage of the product lifecycle.

Business Studio

Corporate formation, trademark, banking, cap table management, and legal document generation. The operational backbone for incubated startups.

Product Studio

AI-guided PRD creation, competitor research, market analysis, feature prioritization, user story generation, and product roadmap management.

Design Studio

Visual UI builder, design token management, component library, brand asset generation (AI image creation), and theme customization.

Marketing Studio

7 AI marketing agents, multi-platform ad campaign management, creative generation (copy, image, video), audience targeting, ROAS optimization, and performance dashboards.

Revenue Studio

Billing configuration, subscription management, pricing experiments, revenue analytics, churn prediction, and financial reporting.

Support Studio

Customer support ticketing, SLA management, canned responses, knowledge base, CSAT tracking, and agent assignment workflows.

Studio Architecture

  • Each studio is a standalone Vite + React 19 + Tailwind v4 app with its own build
  • Studios share the auto-generated TypeScript SDK (@sdk/generated) for API calls
  • Authentication is shared via the shell app — studios inherit the session
  • Studios import UI primitives from @rocketcore/auth and rocket-core's shadcn/Radix component set
  • Each studio deploys to its own S3 bucket with CloudFront distribution
  • AI enhancement is wired into every surface — structured JSON output from domain-specific experts, not chat artifacts

Full Tech Stack

Layer | Technology | Why
Language | Rust | Memory safety without garbage collection: safe Rust rules out null pointer dereferences, data races, and buffer overflows at compile time; unsafe blocks and C dependencies remain review targets. Compiles to native ARM64.
HTTP Framework | Axum (Tokio) | Async Rust web framework with compile-time route extraction, tower middleware stack, and zero-cost abstractions.
Compute | AWS Lambda (ARM64) | Pay-per-invocation, no idle cost, automatic scaling to thousands of concurrent requests. Runs the full Lambdalith binary.
Database | DynamoDB | Single-digit millisecond latency at any scale. Single-table design with GSIs. No connection pooling, no scaling knobs, no maintenance windows.
Auth | AWS Cognito + Cedar | Cognito handles identity and MFA. Cedar handles authorization with a formal policy language, not if/else spaghetti.
Storage | S3 | 11 nines of durability. Pre-signed URLs for direct browser uploads. Virus scanning via Lambda trigger.
CDN | CloudFront | Global edge network. Lambda@Edge for access gating (rocket-core-gate). Signed URLs for private content.
AI | Bedrock + Fuel (DGX Spark) | Managed models via Bedrock (Claude, Llama, Mistral). Self-hosted inference via Fuel for sovereignty and cost.
Real-Time | WebSocket + MemoryDB | WebSocket connections for live collaboration and chat. MemoryDB (Redis-compatible) for presence and cursor state.
Frontend | React 19, Vite 6, Tailwind v4 | Modern React with server components support. Vite for sub-second HMR. Tailwind for utility-first styling.
Mobile | React Native (Expo) | Single codebase for iOS and Android. Expo for OTA updates without App Store review cycles.
Desktop | Tauri | Native desktop apps at ~10MB (vs Electron's ~200MB). Rust backend with web frontend.
SDK Generation | @hey-api/openapi-ts | Auto-generated TypeScript SDK from the utoipa OpenAPI spec. Zero hand-written API calls.
Testing | Hurl + Playwright | Hurl for API integration tests (95 passing). Playwright for E2E browser tests. Both run against real infrastructure, never mocks.
Infrastructure | AWS CDK v2 (TypeScript) | Infrastructure-as-code. One CDK app provisions the full stack. No ClickOps, no manual console changes.

Deployment Pipeline

Every deployment follows the same pipeline. There are no shortcuts.

make ship

# Step 1: Build
#   → cargo lambda build --release --arm64   (Rust backend)
#   → make openapi                            (generate OpenAPI spec from utoipa annotations)
#   → make sdk                                (generate TypeScript SDK)
#   → vite build                              (web-app + 6 studios)

# Step 2: Audit
#   → make sdk-audit                          (zero fetch/axios in frontend code)

# Step 3: Deploy
#   → deploy-lambda.sh                        (update Lambda function code)
#   → deploy web-app + studios to S3
#   → CloudFront invalidation

# Step 4: Test
#   → run-tests.sh                            (Hurl API integration tests with fresh Cognito tokens)
#   → 95/95 tests must pass; any failure fails the ship run

Key Constraints

  • No mocks, no stubs, no TODOs: every test runs against real AWS infrastructure. A 500 is never acceptable.
  • No hand-written SDK functions: if the backend needs a new endpoint, add utoipa annotations, regenerate the SDK, and use the generated function.
  • No workarounds: security defaults (MFA, email verification, CSRF, rate limiting, Cedar authorization) are never disabled. If they block development, the blocker is the real bug.
  • One way to deploy: make ship. No aws CLI commands, no manual console changes, no skipping steps.

Security Architecture

Zero-Knowledge Auth

SRP-6a means the server never sees passwords. Session tokens are issued by Cognito, with HSM-backed token signing and automatic credential rotation.

Cedar Policy Authorization

Every access decision goes through Cedar, a formal, auditable policy language. There is no if role == "admin" scattered through the codebase. Policies are versioned, testable, and auditable for SOC 2.

Compile-Time Tenant Isolation

The rocketcore-db crate's query builder takes a TenantId at the type level, so a query that lacks one does not compile. The TenantId is derived from the verified JWT, never from user input.
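Both the data-layer bullets above (partition-level isolation, optimistic locking via conditional writes) and this section describe the same mechanism, so here is one added example of it; this is illustrative code, not rocketcore-db's. The claim shape, the `TENANT#` key prefix, the builder names and the in-memory table are assumptions; the point being demonstrated is that the partition key can only come from a `TenantId`, which in turn can only come from verified claims, and that a stale-version write is rejected the way DynamoDB rejects a failed condition expression.

```rust
// Added example, not rocketcore-db's code: the typestate pattern the page describes.
// A table request can only be built from a TenantId, and a TenantId can only be
// made from verified JWT claims, so a tenant string from a path, header or body
// never reaches the key. The version guard models a DynamoDB conditional write.
use std::collections::HashMap;
use std::marker::PhantomData;

/// What the JWT layer hands over after signature and expiry checks (assumed shape).
pub struct VerifiedClaims {
    pub sub: String,
    pub tenant: String,
}

/// Private field: the only constructor takes VerifiedClaims.
#[derive(Clone, Debug, PartialEq)]
pub struct TenantId(String);

impl TenantId {
    pub fn from_claims(claims: &VerifiedClaims) -> Self {
        TenantId(claims.tenant.clone())
    }
}

pub struct NoTenant;
pub struct Scoped;

/// Typestate builder: `build` exists only on `Query<Scoped>`, so
/// `Query::item("DOC#42").build()` is a compile error rather than a runtime leak.
pub struct Query<State> {
    pk: Option<String>,
    sk: String,
    expected_version: Option<u64>,
    _state: PhantomData<State>,
}

#[derive(Debug, Clone, PartialEq)]
pub struct PutRequest {
    pub pk: String,
    pub sk: String,
    pub condition_expression: Option<String>, // DynamoDB form: "version = :expected"
    pub expected_version: Option<u64>,
}

impl Query<NoTenant> {
    pub fn item(sk: &str) -> Self {
        Query { pk: None, sk: sk.to_string(), expected_version: None, _state: PhantomData }
    }
    /// The partition key is derived from the TenantId, never from a request string.
    pub fn tenant(self, tenant: &TenantId) -> Query<Scoped> {
        Query { pk: Some(format!("TENANT#{}", tenant.0)), sk: self.sk, expected_version: None, _state: PhantomData }
    }
}

impl Query<Scoped> {
    /// Optimistic locking: the write succeeds only if the stored version is unchanged.
    pub fn if_version(mut self, expected: u64) -> Self {
        self.expected_version = Some(expected);
        self
    }
    pub fn build(self) -> PutRequest {
        PutRequest {
            pk: self.pk.expect("Scoped always carries a tenant pk"),
            sk: self.sk,
            condition_expression: self.expected_version.map(|_| "version = :expected".to_string()),
            expected_version: self.expected_version,
        }
    }
}

#[derive(Debug, PartialEq)]
pub enum PutError {
    ConditionalCheckFailed,
}

/// In-memory stand-in for the table, enough to show a lost update being rejected.
#[derive(Default)]
pub struct Table {
    items: HashMap<(String, String), (u64, String)>, // (pk, sk) -> (version, payload)
}

impl Table {
    pub fn put(&mut self, req: &PutRequest, payload: &str) -> Result<u64, PutError> {
        let key = (req.pk.clone(), req.sk.clone());
        let current = self.items.get(&key).map(|(version, _)| *version);
        if let Some(expected) = req.expected_version {
            if current != Some(expected) {
                return Err(PutError::ConditionalCheckFailed); // what DynamoDB raises
            }
        }
        let next = current.unwrap_or(0) + 1;
        self.items.insert(key, (next, payload.to_string()));
        Ok(next)
    }
    pub fn version_of(&self, pk: &str, sk: &str) -> Option<u64> {
        self.items.get(&(pk.to_string(), sk.to_string())).map(|(v, _)| *v)
    }
}

fn main() {
    let claims = VerifiedClaims { sub: "user-1".into(), tenant: "acme".into() };
    let tenant = TenantId::from_claims(&claims);
    let mut table = Table::default();
    table.put(&Query::item("DOC#42").tenant(&tenant).build(), "v1").unwrap();
    // Two writers both read version 1; only the first conditional write wins.
    let a = Query::item("DOC#42").tenant(&tenant).if_version(1).build();
    let b = Query::item("DOC#42").tenant(&tenant).if_version(1).build();
    println!("A: {:?}  B: {:?}", table.put(&a, "edit from A"), table.put(&b, "edit from B"));
}
```

The guard is the private field on `TenantId`: a handler can deserialize whatever it likes from the request, but nothing it deserializes has the type the builder demands, so the compiler does the review that a grep for string-built keys would otherwise have to.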

WAF + Rate Limiting

AWS WAF rules block known attack patterns. Per-endpoint rate limiting prevents abuse. CORS policies restrict origins. Payload size limits prevent DoS.
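An added example of the per-endpoint limiting mentioned above; this is not rocketcore-http's code, and the capacity, refill rate and key shape are assumptions. It keys the bucket on (tenant, endpoint), with the tenant taken from the verified JWT, so one tenant burning through its allowance returns 429s to that tenant only, and it returns the wait in milliseconds so the handler can emit a Retry-After header. Time is passed in rather than read from a clock so the behaviour is deterministic.

```rust
// Added example, not rocketcore-http's code: a per-(tenant, endpoint) token
// bucket. Keying on the tenant from the verified JWT means a noisy tenant
// exhausts its own budget, not the endpoint's. `now_ms` is injected; production
// code would pass a monotonic clock reading.
use std::collections::HashMap;

struct Bucket {
    tokens: f64,
    last_ms: u64,
}

pub struct RateLimiter {
    capacity: f64,
    refill_per_sec: f64,
    buckets: HashMap<(String, String), Bucket>,
}

impl RateLimiter {
    /// `capacity` is the burst allowance, `refill_per_sec` the sustained rate.
    pub fn new(capacity: u32, refill_per_sec: f64) -> Self {
        RateLimiter { capacity: capacity as f64, refill_per_sec, buckets: HashMap::new() }
    }

    /// Ok(remaining tokens) on admit, Err(milliseconds until one token is
    /// available) on reject; the Err value maps onto a 429 with Retry-After.
    pub fn check(&mut self, tenant: &str, endpoint: &str, now_ms: u64) -> Result<u32, u64> {
        let capacity = self.capacity;
        let refill = self.refill_per_sec;
        let bucket = self
            .buckets
            .entry((tenant.to_string(), endpoint.to_string()))
            .or_insert(Bucket { tokens: capacity, last_ms: now_ms });
        // Lazy refill: credit tokens for the time elapsed since the last check, capped at capacity.
        let elapsed_secs = now_ms.saturating_sub(bucket.last_ms) as f64 / 1000.0;
        bucket.tokens = (bucket.tokens + elapsed_secs * refill).min(capacity);
        bucket.last_ms = now_ms;
        if bucket.tokens >= 1.0 {
            bucket.tokens -= 1.0;
            Ok(bucket.tokens.floor() as u32)
        } else {
            let wait_ms = ((1.0 - bucket.tokens) / refill * 1000.0).ceil() as u64;
            Err(wait_ms)
        }
    }
}

fn main() {
    let mut limiter = RateLimiter::new(3, 1.0); // burst of 3, then 1 request/second
    for t in [0, 0, 0, 0, 1000] {
        println!("t={t}ms acme /v1/core/ai/chat -> {:?}", limiter.check("acme", "/v1/core/ai/chat", t));
    }
}
```

In a Lambdalith the map lives for the life of the execution environment, so this is a per-instance limiter; a cluster-wide budget would keep the same bucket arithmetic but store the (tokens, last_ms) pair in MemoryDB or DynamoDB with a conditional update.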

WASM Sandbox

Custom product code runs in Wasmtime with no filesystem, network, or direct database access. All interactions go through typed host function bindings that enforce authorization.

PII Redaction

The telemetry layer automatically redacts personally identifiable information from logs before they're written. Even if a developer accidentally logs a user's email, it's scrubbed before it hits CloudWatch. Redaction is a safety net for mistakes, not a reason to log PII deliberately.
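An added example of the scrubbing step, not rocketcore-telemetry's code: the key list, placeholders and heuristics are assumptions. It redacts structured key=value fields by key name, which is the reliable path, and falls back to shape-based detection of e-mail addresses and phone numbers in free text. The sample log lines are constructed. Pure digit runs are deliberately left alone because request ids and epoch timestamps look the same and must stay searchable.

```rust
// Added example, not rocketcore-telemetry's code: redaction applied to a log
// line before it is written. Structured key=value fields are redacted by key
// name (the reliable path); free-text values are scanned by shape as a fallback.
const SENSITIVE_KEYS: &[&str] = &["email", "phone", "ssn", "password", "token", "authorization"];

fn looks_like_email(s: &str) -> bool {
    match s.split_once('@') {
        Some((local, domain)) => {
            !local.is_empty()
                && domain.contains('.')
                && !domain.starts_with('.')
                && !domain.ends_with('.')
                && domain.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-')
        }
        None => false,
    }
}

/// Phone heuristic: 10 to 15 digits with at least one +, -, ( or ) separator.
/// Pure digit runs are left alone on purpose; they are just as likely to be
/// request ids or epoch timestamps, and those must stay searchable.
fn looks_like_phone(s: &str) -> bool {
    let digits = s.chars().filter(|c| c.is_ascii_digit()).count();
    let shape_ok = s.chars().all(|c| c.is_ascii_digit() || "+-()".contains(c));
    let has_separator = s.chars().any(|c| "+-()".contains(c));
    shape_ok && has_separator && (10..=15).contains(&digits)
}

fn redact_value(value: &str) -> String {
    // Keep trailing punctuation so "bob@acme.io," becomes "[email]," not "[email]".
    let core = value.trim_end_matches(|c: char| ",;:)]}\"'".contains(c));
    let trailing = &value[core.len()..];
    if looks_like_email(core) {
        format!("[email]{trailing}")
    } else if looks_like_phone(core) {
        format!("[phone]{trailing}")
    } else {
        value.to_string()
    }
}

fn redact_token(token: &str) -> String {
    if let Some((key, value)) = token.split_once('=') {
        // Structured field: the key decides, whatever the value looks like.
        if SENSITIVE_KEYS.contains(&key.to_ascii_lowercase().as_str()) {
            return format!("{key}=[redacted]");
        }
        return format!("{key}={}", redact_value(value));
    }
    redact_value(token)
}

/// Redact one log line. Tokens are split on single spaces so spacing is preserved.
pub fn redact(line: &str) -> String {
    line.split(' ').map(redact_token).collect::<Vec<_>>().join(" ")
}

fn main() {
    // Constructed sample lines, not real telemetry.
    let samples = [
        "login ok email=alice@example.com ip=10.0.0.4 request_id=1700000000123",
        "support note: contact bob@acme.io, call +14155551234 or 415-555-1234",
        "Authorization=Bearer.eyJhbGciOi user=sam",
    ];
    for line in samples {
        println!("{}", redact(line));
    }
}
```

The order matters: the key-name check runs first so that a token or password value is never judged by its shape, and the shape heuristics only ever widen what gets redacted, never narrow it.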

Want to build on this?

Whether you're a technical founder who wants to understand what's under the hood, or an engineer evaluating the platform — we'd love to talk.
