Proprietary & Confidential — FiTechAroma LLC — For Client Distribution Only
FiTechAroma // Enterprise Platform Briefing // Controlled Distribution

Enterprise-grade National News Intelligence Platform

FiTechAroma's sovereign, AI-augmented news intelligence platform — engineered for national-level information requirements, government data classification constraints, and zero tolerance for single points of failure. This is not a product. This is national information infrastructure.

FedRAMP Moderate / FISMA
On-Premises + GovCloud Burst
99.982% (Tier III+ DC)
Hybrid Sovereign + API
US Sovereign Only
Operational Reality

This Is Not a Product — It Is Infrastructure

At the scale of a national intelligence or defense communications mission, the platform is not a service being procured — it is national information infrastructure being built. Every architectural decision carries legal, operational, and national security weight that commercial SaaS platforms are not designed to bear.

FiTechAroma's enterprise platform is designed around five non-negotiable operational constraints: no single points of failure anywhere; data sovereignty and classification boundaries are law, not preferences; every component requires an approved security posture before it touches the network; recovery objectives are written into contracts with financial penalties; and the AI is a force multiplier for human analysts, not a replacement for human judgment.

Network Segmentation First

The platform operates across three physically isolated network tiers. Tier 1 (DMZ) faces the internet and ingests public content. Tier 2 (Analysis Zone) is air-gap-adjacent — data crosses from Tier 1 via a hardware data diode. Tier 3 (Analyst Zone) is classified-adjacent. No tier can reach back toward a less-restricted tier. Ever.

Dual-Site Active-Active

Primary and DR sites operate in active-active configuration across geographically separated Tier III+ data centers, connected via dedicated MPLS or dark fiber — never the public internet. Proxmox VE cluster (5+ nodes) with Ceph distributed storage at each site eliminates every shared-storage single point of failure.

CDS — One-Way Data Flow

The Cross-Domain Solution (CDS) between Tier 1 and Tier 2 is a hardware data diode — a physical device that permits data to flow in one direction only and is physically incapable of returning data to the internet-facing zone. No software misconfiguration can create a return path. This is a physical constraint, not a logical one.

Human Analysts in the Loop

The AI pipeline is a force multiplier for cleared analysts — it handles the volume, speed, and breadth that human attention cannot match. Finished intelligence products are reviewed and released by humans. The AI surfaces, summarizes, and correlates; analysts judge, contextualize, and decide.

Enterprise Architecture

Three-Tier Security Zone Architecture


Tier 1 — DMZ / public ingestion (unclassified, internet-facing)
- WAF + IDS/IPS: Suricata, perimeter
- Broadcast: SDR + GStreamer
- Social Firehose: full firehose APIs
- OSINT / Web: Scrapy, Playwright
- Wire APIs: AP, Reuters
- Kafka + Schema Registry: validated, typed event streams
- Flink Pre-filter: PII strip, deduplicate

Cross-domain solution (CDS) — hardware data diode — one-way only — no return path

Tier 2 — analysis and AI processing (restricted — cleared personnel only)
- Flink (full pipeline): enrichment, correlation
- Whisper (GPU): broadcast transcription
- NLLB-200 (GPU): 200-language translation
- Claude API: unclassified only
- On-premises LLM cluster — Llama 3.1 70B / Mixtral 8x22B (NVIDIA A100/H100): summarize · entity disambiguation · sentiment · narrative framing · threat scoring — air-gapped, sovereign
- PostgreSQL + pgvector: Patroni HA, 3-node
- TimescaleDB: volume / velocity data
- Elasticsearch: 3-node cluster
- Ceph RGW: object store
- Vault Enterprise + HSM: dynamic secrets, PKI, mTLS
- Kong Enterprise: API gateway, rate limiting, audit
- Keycloak + LDAP/AD: SSO, MFA, clearance RBAC

Tier 3 — analyst and dissemination (classified-adjacent — cleared workstations)
- FastAPI (Python 3.12): REST + WebSockets, OpenAPI
- Analyst Dashboard: React + TypeScript, live feed
- Dissemination Engine: marked reports, partner feeds
- Priority Alert Engine: duty officer escalation · PACE comms plan · NIPR email · classified messaging
- mTLS / Istio between services

Observability, SIEM, and compliance (all zones — read-only log forwarding)
- Splunk SIEM: all audit events
- Prometheus + Grafana: metrics, logs, traces
- OpenSCAP / Nessus: STIG compliance, CVE
- Chaos Mesh: resilience testing

Platform foundation: Proxmox VE 5-node cluster + Ceph — dual-site active/active — MPLS/dark fiber — RKE2 Kubernetes — Ansible AWX
RPO ≤ 15 min · RTO ≤ 4 hr · GitLab CI (self-hosted) · Harbor registry · Cosign image signing
Infrastructure

Proxmox + Ceph — Sovereign by Design

FiTechAroma's enterprise infrastructure is built on a Proxmox VE cluster of five or more nodes backed by Ceph distributed storage — running on-premises in two geographically separated Tier III+ data centers in an active-active configuration. The two sites connect exclusively via a dedicated MPLS circuit or dark fiber link; they never traverse the public internet.

Ceph eliminates every shared-storage single point of failure. Where a traditional deployment would rely on a SAN — one appliance whose failure takes down the entire cluster — Ceph distributes data across all nodes with a configurable replication factor (minimum 3). No individual node failure loses data. Proxmox's live migration moves workloads off a degraded node without downtime.

AWX / Ansible Automation Platform

All infrastructure management runs through Red Hat Ansible Automation Platform (AWX). No engineer runs raw ansible-playbook against production. Every automation action is access-controlled, approval-gated for high-risk changes, and audit-logged. STIG baseline hardening is applied automatically to every provisioned node.

HashiCorp Vault Enterprise + HSM

Dynamic secrets: no service holds a static credential. Credentials are requested from Vault at runtime with a hard TTL — when the service restarts, the old credential has already expired. Hardware Security Modules (Thales Luna) back the Vault unseal keys. No human ever touches root keys. Every secret access is audit-logged to Splunk.

RKE2 Kubernetes — FIPS Validated

Production workloads run on RKE2, a CNCF-conformant, FIPS 140-2 validated Kubernetes distribution. Istio provides a zero-trust service mesh with mutual TLS between every pod. Network policies enforce that no service can communicate with any other service it does not explicitly need to reach.

Supply Chain Integrity

No container images are pulled from Docker Hub in production. All images are built in the self-hosted GitLab CI pipeline, scanned by Trivy for CVEs, signed with Cosign, and stored in Harbor. A Kubernetes admission controller refuses to schedule any unsigned image — unsigned equals undeployable.

AI / LLM Strategy

Sovereign AI Where the Law Requires It

The LLM choice is determined by data classification, not model capability. Routing classified or sensitive content to any external API endpoint — Anthropic, OpenAI, Google, or anyone — is legally prohibited under FISMA, potentially a criminal spillage event under 18 U.S.C. § 1924, and operationally catastrophic. The on-premises LLM cluster is the only permissible option for Tier 2 content.

FedRAMP authorization does not solve this. FedRAMP authorizes the infrastructure controls — it says nothing about what happens inside a model's inference process, whether telemetry is logged on the vendor's side, or whether model weights are accessible to vendor engineers. The vendor still controls the model, and that control path is an unacceptable vector in a classified environment.

IL6 and JWICS requirements make this concrete: JWICS packets have no route to api.anthropic.com. The network physically does not have a path there. Any AI system processing JWICS-level traffic must physically exist on that network.

Llama 3.1 70B — Classified Workloads

Self-hosted on the NVIDIA A100/H100 GPU cluster inside Tier 2. Open weights under Meta's government-permissible license — FiTechAroma owns the weights, can audit them, sign them, fine-tune them on classified corpora, and version-lock them. No call-home behavior. No telemetry. The GPU cluster is the physical price of sovereignty: $290,000 CapEx that is non-negotiable.

Claude API — Unclassified Only

Used exclusively within Tier 1 for public-domain content: open social media, publicly broadcast news transcripts, open-source publications. Claude's long context window, structured JSON output reliability, and narrative analysis quality make it the best tool for this layer. It never touches Tier 2 data. The cross-domain solution at the tier boundary ensures this is enforced at the network layer, not just the application layer.

Whisper — Audio Transcription

Self-hosted OpenAI Whisper on dedicated GPU for broadcast audio-to-text. No audio content leaves the sovereign boundary. Broadcast streams are segmented, transcribed asynchronously, and the text results passed to the Flink pipeline. Confidence scores are attached to all transcribed output.

NLLB-200 — Translation

Meta's No Language Left Behind model, self-hosted, provides coverage for 200 languages. Foreign-language state media (RT, CGTN, KCNA Watch) is monitored via publicly accessible web scraping and translated before NLP analysis. Confidence scores are attached and surfaced to analysts on translated content.

PACE Plan — AI Continuity

| PACE | Capability | Status |
|---|---|---|
| P | On-prem Llama 3.1 70B cluster (GPU): full analytical capability, classified-safe, zero external dependencies | Full capability |
| A | Smaller on-prem model (Mistral 7B): degraded accuracy, still fully sovereign, no external dependencies | Degraded accuracy |
| C | Claude API (unclassified data only): external dependency, requires network access, Tier 1 content only | Unclassified only |
| E | Human analyst triage, raw transcripts only: platform produces pre-filtered, translated summaries without LLM enrichment | Manual operations |

Technology Stack

Complete Enterprise Stack

| Domain | Technology | Rationale |
|---|---|---|
| Virtualization | Proxmox VE (5-node+) + Ceph | HA, no SAN SPOF, dual-site sovereign |
| Automation | Red Hat AAP / AWX | Audited, RBAC, approval workflows, ITSM integration |
| Secrets | Vault Enterprise + HSM | Dynamic secrets, PKI, zero standing privilege, HSM-backed |
| Orchestration | RKE2 (FIPS-validated) | CNCF-compliant, FIPS 140-2, hardened for gov environments |
| Service mesh | Istio + mTLS | Zero-trust internal networking, lateral movement prevention |
| Ingest — broadcast | Python + GStreamer + SDR | Live TV/radio capture, open-source, no vendor lock-in |
| Ingest — web | Scrapy + Playwright | Static + JS-rendered pages, configurable spider framework |
| Ingest — social | X Firehose (enterprise) + Reddit | Full firehose, not sampled; $504K/yr — largest data line item |
| Message bus | Confluent Kafka + Schema Registry | At-scale, schema-enforced, exactly-once delivery options |
| Stream processing | Apache Flink | Stateful, exactly-once, handles late-arriving events |
| LLM — classified | Llama 3.1 70B / Mixtral 8x22B | Air-gapped, sovereign, fine-tunable on classified corpora |
| LLM — unclassified | Claude API (Anthropic) | Best-in-class analysis, long context, structured JSON output |
| Transcription | Whisper (GPU, self-hosted) | Broadcast audio-to-text, no external API dependency |
| Translation | NLLB-200 (self-hosted) | 200-language coverage, confidence scoring, sovereign |
| Primary datastore | PostgreSQL 16 + pgvector (Patroni) | HA 3-node, semantic vector search, structured JSONB analysis |
| Time-series | TimescaleDB | Volume/velocity metrics, hypertable compression |
| Search | Elasticsearch (3-node) | Full-text + vector hybrid search, aggregations |
| Object storage | Ceph RGW (S3-compatible) | On-prem sovereign object store, no AWS dependency |
| API gateway | Kong Enterprise | Rate limiting, auth, full audit log, plugin ecosystem |
| Backend | FastAPI (Python 3.12) | Async, OpenAPI auto-generated, WebSocket, type-safe |
| Frontend | React 18 + Vite + TypeScript | Analyst dashboard, real-time WebSocket feed |
| Identity | Keycloak + LDAP/AD | SSO, MFA mandatory, clearance-aware RBAC, on-prem |
| SIEM | Splunk Enterprise | All logs, all audit events, immutable index, correlation rules |
| Scanning | Tenable Nessus / OpenSCAP | Continuous STIG compliance, CVE vulnerability scanning |
| IDS/IPS | Suricata | Network-level threat detection, ET Pro signatures, inline blocking |
| Observability | Prometheus + Grafana + Loki + Tempo | Full metrics/logs/traces/profiles in one stack |
| Chaos | Chaos Mesh | Weekly fault injection, mandatory resilience validation |
| Backup/DR | Velero + Proxmox Backup Server | RPO ≤ 15 min, RTO ≤ 4 hr, tested quarterly |
| CI/CD | GitLab CI (self-hosted) | Supply chain integrity, no public SaaS dependency |
| Registry | Harbor + Cosign + Trivy | Private images, CVE scanning, cryptographic signing |
| Change management | ServiceNow + GitLab | ITSM + GitOps — every change is a ticket and a merge request |

Governance and Compliance

Non-Negotiable at This Level

Every architecture decision in this platform traces back to one or more regulatory requirements. Compliance is not a layer added at the end — it is the foundation the architecture is built on.

FedRAMP Moderate/High

Every cloud-touching component must hold a FedRAMP authorization or pass through the agency's ATO process. AWS GovCloud and Azure Government both qualify. The Anthropic API, used for unclassified content only, requires a FedRAMP package or a third-party system ATO.

FISMA Continuous Monitoring

Annual security assessments, continuous monitoring via Splunk SIEM, and a System Security Plan documenting every NIST SP 800-53 Rev. 5 control. Ansible enforces STIG baselines automatically. OpenSCAP runs nightly and reports drift. Zero tolerance for undetected configuration drift.

Zero-Trust Networking

No implicit trust anywhere inside the perimeter. Every service-to-service call traverses Istio with mTLS. Every analyst workstation authenticates to Keycloak for every session. Kubernetes network policies prevent lateral movement — the ingestion service cannot reach the analyst dashboard. Period.
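The lateral-movement rule stated above (the ingestion service cannot reach the analyst dashboard), shown as an added example of the Kubernetes NetworkPolicy objects that enforce it. These are not FiTechAroma's manifests; the namespace and label names (analyst-zone, api-gateway, app=analyst-dashboard, app=kong) and the port are assumptions.

```yaml
# Added example, not FiTechAroma's manifests; namespace and label names are
# assumptions. Needs a CNI that enforces NetworkPolicy (RKE2's default Canal does).
#
# 1. Default deny: a policy that selects every pod but lists no ingress rules
#    isolates the whole namespace. An ingestion pod in another namespace has no
#    path to the dashboard unless a later policy names it, and none does.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: analyst-zone
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# 2. Explicit allow: only Kong in the api-gateway namespace may reach the
#    dashboard, and only on its TLS port. namespaceSelector and podSelector in
#    the same 'from' entry are ANDed, so a pod labelled app=kong in any other
#    namespace does not qualify.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: dashboard-allow-gateway-only
  namespace: analyst-zone
spec:
  podSelector:
    matchLabels:
      app: analyst-dashboard
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: api-gateway
          podSelector:
            matchLabels:
              app: kong
      ports:
        - protocol: TCP
          port: 8443
```

Policies are additive: anything no allow rule matches stays denied, so a new legitimate consumer is added as another `from` entry rather than by loosening the default.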

Audit Log Immutability

Every action — analyst query, model inference call, configuration change, Vault secret access — is written to an append-only Splunk index that the SOC controls. Development teams cannot write to audit logs. This is both a compliance requirement and a legal requirement in a government context.

Disaster Recovery — Tested, Not Documented

RPO of ≤15 minutes and RTO of ≤4 hours are validated quarterly by deliberately failing a primary site and measuring actual recovery time. Chaos Mesh runs weekly fault injection against the Kubernetes cluster. Untested recovery is not recovery.

Supply Chain Integrity

All container images are built in the self-hosted GitLab CI pipeline, scanned by Trivy for CVEs, cryptographically signed with Cosign, and stored in Harbor. Unsigned images are blocked at the Kubernetes admission controller. AI model weights are versioned, checksummed, signed, and promoted through a formal security review before any production deployment.
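The admission check described here and in the Infrastructure section's Supply Chain Integrity paragraph (unsigned equals undeployable), shown as an added Kyverno policy example. This is not FiTechAroma's own configuration; the registry hostname harbor.internal.example and the public key are placeholders.

```yaml
# Added example, not FiTechAroma's configuration. Written for Kyverno
# (https://kyverno.io); harbor.internal.example and the key are placeholders.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: harbor-signed-images-only
spec:
  validationFailureAction: Enforce   # reject the Pod, do not merely audit
  background: false                  # evaluate at admission time only
  webhookTimeoutSeconds: 30
  rules:
    # Rule 1: no image may come from anywhere but the private Harbor registry,
    # which closes the Docker Hub path before signature checking even starts.
    - name: only-harbor-registry
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Only images from harbor.internal.example are allowed."
        pattern:
          spec:
            containers:
              - image: "harbor.internal.example/*"
            =(initContainers):        # checked only if the field is present
              - image: "harbor.internal.example/*"
    # Rule 2: every Harbor image must carry a Cosign signature made with the
    # CI pipeline's key; unsigned or wrongly signed images are refused.
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "harbor.internal.example/*"
          required: true        # a missing signature is a hard failure
          mutateDigest: true    # rewrite the tag to the verified digest
          verifyDigest: true
          attestors:
            - entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      PLACEHOLDER_COSIGN_PUBLIC_KEY_FROM_CI_SIGNING_IDENTITY
                      -----END PUBLIC KEY-----
```

The matching signing step in CI is `cosign sign --key cosign.key harbor.internal.example/<image>@<digest>`; at admission Kyverno resolves the tag to a digest and checks the signature against the public key above, so a tag re-pointed at an unsigned image fails closed.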