Architecture

Browser ──► Portal (Next.js) ──► BFF /api/proxy/dlaas/* ──► dlaas-platform-api ──► lifeform-service runtime
                          │
                          └──► Postgres (Portal identity + tenant secrets)

• Portal owns user, organization, membership and Portal-issued API keys.
• DLaaS control plane (dlaas-platform-api) owns tenants, contracts, ai_id lifecycle, asset intake, training jobs, audit, quota and billing.
• lifeform runtime owns sessions and the kernel state. Portal never reconstructs cognitive state — it speaks HTTP only.

Trust boundary

Server-only secrets live in the Portal pod environment:

• DLAAS_CONTROL_PLANE_SECRET — used during sign-up to create your tenant.
• DLAAS_SERVICE_SECRET — used for admin endpoints (e.g. raw snapshot export).
• PORTAL_TENANT_SECRET_KEY — wraps each org's api_secret at rest.
• AUTH_SECRET — Auth.js JWT signing.

None of these ever appear in client bundles or in any response body.