SecureGate Docs

Architecture

Multi-tenant microservices architecture with GPU-accelerated inference and per-tenant encrypted data isolation

System Overview

SecureGate is built as a set of stateless microservices behind a Go API gateway (hanzo/base). All services are multi-tenant by design — tenant isolation is enforced at every layer from ingress routing to database encryption.

                   *.dev.satschel.com / *.custom-client.com
                              |
                   +----------v----------+
                   |   Hanzo Ingress     |  TLS, hostname routing
                   +----------+----------+
                              | SNI -> tenant resolution
                   +----------v----------+
                   |   Hanzo Gateway     |  JWT validation (IAM)
                   |                     |  X-Org-Id + X-Tenant-Id
                   +----------+----------+
                              |
                   +----------v----------+
                   |   Base API (Go)     |  Stateless, multi-tenant
                   |   hanzo/base        |  All data scoped by tenant_id
                   |   SQLite per tenant |  CEK-encrypted embeddings
                   +----------+----------+
                              |
           +------------------+------------------+
           |                  |                  |
    +------v------+   +------v------+   +------v------+
    |  Ingest     |   |  Embed      |   |  Enhance    |
    |  :8002      |   |  :8001      |   |  :8003      |
    |  InsightFace|   |  ArcFace    |   |  CodeFormer |
    |  + Weapons  |   |  Batcher    |   |  RealESRGAN |
    +------+------+   +------+------+   +-------------+
           |                 |
           |          +------v------+
           |          | sqlite-vec  |  Per-tenant 512-d index
           |          | + FAISS     |  (hot cache)
           |          +-------------+
           |
           +--------> S3 / R2 (face crops, per-tenant prefix)

Multi-Tenant Hierarchy

SecureGate uses a three-level hierarchy for data isolation:

Org: SecureGate AI                    <-- branding, features, billing plan
+-- Tenant: Madison Square Garden     <-- data isolation, own DB, own CEK
|   +-- Customer: John Doe            <-- face embeddings encrypted with CEK
|   +-- Customer: Jane Smith
+-- Tenant: Crypto Conference 2026
|   +-- Customer: ...
+-- Tenant: Private Client X
LevelPurposeIsolation Mechanism
OrgCompany deploying the productIAM org config — branding, logo, domain, feature flags
TenantCustomer of that orgSeparate SQLite DB, separate TEK, separate S3 prefix
CustomerEnd-user within a tenantFace embeddings encrypted with tenant CEK (or per-customer CEK)

Header Flow

Every request carries tenant context injected by the gateway:

Ingress -> Gateway -> API
         X-Org-Id: securegate-ai
         X-Tenant-Id: msg
         Authorization: Bearer <IAM JWT>

The API gateway validates these headers and scopes all database queries to the resolved tenant.

Microservices

API Gateway (Go)

  • Port: 8080
  • Framework: hanzo/base
  • Role: Stateless reverse proxy. Routes v1 API calls to Python services. Serves legacy-compatible REST endpoints (events, rooms, cameras, attendees) directly from its own SQLite collections.
  • GPU: No

Ingest Service (Python)

  • Port: 8002
  • Framework: FastAPI
  • Role: Receives images, runs face detection (InsightFace antelopev2 SCRFD), quality filtering (blur, angle, face size), face alignment (112x112), and weapon detection (YOLOv8n Firearm). Forwards valid face crops to the embed service.
  • GPU: Yes (ONNX Runtime CUDA)

Embed Service (Python)

  • Port: 8001
  • Framework: FastAPI
  • Role: Takes aligned 112x112 face crops, extracts 512-d ArcFace embeddings (glintr100), and performs cosine similarity search against the per-tenant sqlite-vec index. Uses MicroBatcher for GPU batch efficiency.
  • GPU: Yes (ONNX Runtime CUDA)

Enhance Service (Python)

  • Port: 8003
  • Framework: FastAPI
  • Role: Async face restoration (CodeFormer, fidelity=0.7) and background upscaling (RealESRGAN x4plus). Jobs queued via Redis, results stored in S3/R2.
  • GPU: Yes (PyTorch CUDA)

Per-Tenant Data Storage

Each tenant gets its own SQLite database files:

/data/tenants/
+-- msg/                        <-- Madison Square Garden
|   +-- securegate.db           <-- hanzo/base collections (events, rooms, etc.)
|   +-- embeddings.db           <-- sqlite-vec (512-d face vectors, CEK-encrypted)
+-- crypto-conf-2026/
|   +-- securegate.db
|   +-- embeddings.db

Why sqlite-vec

Concernsqlite-vecExternal Vector DB
Per-tenant isolationOne file per tenantRequires namespacing
Encryption at restFile-level TEK encryptionComplex per-collection encryption
Tenant deletionDelete file (crypto-shredding)Complex purge operations
Operational overheadIn-process, zero dependenciesSeparate cluster to manage
Query latency~1ms for less than 1M vectors~1-5ms network overhead

FAISS serves as a hot cache for high-throughput matching. It loads from sqlite-vec when a tenant becomes active and is evicted on inactivity.

Encryption Hierarchy

See the Security page for the full encryption hierarchy (OEK, TEK, CEK, DEK) and HSM/MPC integration details.

Capacity

~150 concurrent camera streams at 5 FPS on a single DGX Spark GH200 GPU.

Getting Started

Quick start guide — run SecureGate locally, create an event, register attendees, connect cameras

Face Detection

InsightFace antelopev2 SCRFD detector — real-time face detection, quality filtering, and alignment pipeline

On this page

System OverviewMulti-Tenant HierarchyHeader FlowMicroservicesAPI Gateway (Go)Ingest Service (Python)Embed Service (Python)Enhance Service (Python)Per-Tenant Data StorageWhy sqlite-vecEncryption HierarchyCapacity