CONSTITUTION · IMMUTABLE FOUNDATIONS

Why we built it the way it is.

Eight invariants ratified on March 20, 2026. Every architectural decision since traces back to one of them. Updates require a formal amendment.

The medallion path

Every dataset travels Bronze → Silver → Gold. No shortcut.

Reproducibility is not a feature; it is a property. By forcing every transformation to leave a trail through three layers, we guarantee that any insight from yesterday can be reconstructed tomorrow — even if every line of code has changed in between. The cost of an extra commit per pipeline buys us the ability to audit ourselves indefinitely.

REF Article C1 of the engineering text.

Configuration over code

Behavior is driven by contracts, not by proprietary code.

A platform that hides its decisions inside compiled artifacts cannot be trusted by the people who depend on it. Every job, every schema, every routing rule lives in a YAML or in a data contract that anyone — engineer, analyst, compliance officer — can read. Code is generic and reusable; configuration is specific and falsifiable.

REF Article C2 of the engineering text.

III

Test before ship

Nothing reaches production untested.

Quality is not the enemy of velocity; it is what makes velocity sustainable. Lambdas have unit tests. Infrastructure has end-to-end tests. Configurations validate against schemas. Front-ends ship against accessibility audits. We built this discipline because the alternative — patching after the fact — costs ten times more and breaks trust in ways that years of correct behavior cannot repair.

REF Article C4 of the engineering text.

Environment isolation

Every AWS command names its profile. Always.

A wrong-profile apply on production is not a hypothetical — it has happened in our industry, and the recovery cost is measured in days. We made it impossible by convention: no implicit profile, no default, no "I will set it later." This is the kind of friction that prevents incidents instead of explaining them.

REF Article C7 of the engineering text.

GitOps only

No manual change. Everything goes through pull request.

A platform with manual overrides is a platform that drifts. We give up the speed of "just SSH in and fix it" for the certainty that our environment matches our git history. The audit trail is not a feature we add at the end; it is what the platform is made of.

REF Article C8 of the engineering text.

Multi-tenant by design

Tenant isolation is structural, not added later.

Every S3 path, every Iceberg partition, every OpenSearch index carries an organization identifier from the moment a record enters the system. We did not retrofit this; we started with it. The result: when a new client is onboarded, isolation does not require new code, only new configuration.

REF Article C9 of the engineering text.

VII

Observability built-in

Every insight ships with its lineage.

An answer without provenance is a guess. The platform refuses to produce results that cannot be traced back to the records that created them, the model version that processed them, the date they were ingested. This is what makes our outputs admissible in board rooms, audits, and — soon — under EU AI Act Article 50.

REF Article C11 of the engineering text.

VIII

Domain neutrality

The framework stays agnostic of the client and the vertical.

A platform whose code is poisoned by one client’s vocabulary cannot serve the next. We separate framework (generic, multi-tenant, reusable) from semantics (which lives in YAML contracts, data definitions, knowledge packs). When we onboard a new vertical, we change configuration. We do not change the platform.

REF Article C13 of the engineering text.