
Infrastructure

Multi-region, privacy-first infrastructure. Designed to be deleted.

Designed to Be Deleted

CIRISBridge is temporary infrastructure. Every component knows it will be retired when Veilid matures. This isn't a bug—it's the mission. We avoid lock-in, vendor-specific integrations, and features that assume centralization is forever.

DNS → Veilid DHT
Proxy → Veilid private routes
Billing → TBD (may persist longest)

Multi-Region Active/Active

[Architecture diagram]

Clients: Americas / Europe, separate domains per region

  • Vultr US (Chicago, via Cloudflare): CIRISBilling, CIRISProxy, PostgreSQL, Redis, Caddy (TLS), + CIRISLens
  • Hetzner EU (Falkenstein, Germany, direct DNS): CIRISBilling, CIRISProxy, PostgreSQL, Redis, Caddy (TLS)
  • Link between regions: PostgreSQL sync

Legend: US Region (Americas), EU Region (Europe), US-only service

Services

Split DNS

US via Cloudflare proxy, EU direct. Zero single point of failure.

  • US: Cloudflare proxy + DDoS protection
  • EU: Direct DNS to Hetzner
  • If CF fails, EU still accessible

CIRISBilling

Sustainable operation without ads or data monetization.

  • Pre-purchased credits model
  • Idempotent consumption (exactly-once)
  • Google OAuth authentication
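
One way to get the exactly-once credit consumption listed above, as an added example that is not CIRISBilling's own code: each request carries a client-chosen idempotency key, and the charge record and the balance update commit in a single transaction, so a retried request returns the first result instead of deducting again. The schema, the function and exception names, and the in-memory SQLite database standing in for PostgreSQL are assumptions made for illustration.

```python
import sqlite3

# Hypothetical schema for illustration; not CIRISBilling's actual tables.
SCHEMA = """
CREATE TABLE accounts (id TEXT PRIMARY KEY, credits INTEGER NOT NULL CHECK (credits >= 0));
CREATE TABLE charges (
    idempotency_key TEXT PRIMARY KEY,  -- one row per logical request
    account_id TEXT NOT NULL REFERENCES accounts(id),
    amount INTEGER NOT NULL CHECK (amount > 0),
    balance_after INTEGER NOT NULL);
"""

class KeyReuseError(Exception):
    """The same idempotency key was presented with different parameters."""

class InsufficientCredits(Exception):
    """The account does not hold enough pre-purchased credits."""

def open_db():
    """In-memory SQLite stand-in (assumption) for the billing database."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript(SCHEMA)
    return db

def consume(db, key, account_id, amount):
    """Deduct `amount` credits once per `key`; a retry returns the first result."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before reading
    try:
        prior = db.execute("SELECT account_id, amount, balance_after FROM charges "
                           "WHERE idempotency_key = ?", (key,)).fetchone()
        if prior:
            if prior[:2] != (account_id, amount):
                raise KeyReuseError(key)  # key reused for a different charge
            result = {"balance": prior[2], "replayed": True}
        else:
            row = db.execute("SELECT credits FROM accounts WHERE id = ?",
                             (account_id,)).fetchone()
            if row is None or row[0] < amount:
                raise InsufficientCredits(account_id)
            result = {"balance": row[0] - amount, "replayed": False}
            db.execute("UPDATE accounts SET credits = ? WHERE id = ?",
                       (result["balance"], account_id))
            db.execute("INSERT INTO charges VALUES (?, ?, ?, ?)",
                       (key, account_id, amount, result["balance"]))
        db.execute("COMMIT")
        return result
    except Exception:
        db.execute("ROLLBACK")  # no partial deduction survives a failure
        raise
```

The `CHECK (amount > 0)` constraint makes a zero or negative charge fail at insert time, so the whole transaction rolls back and the balance cannot be increased through this path.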

CIRISProxy

LLM routing with Zero Data Retention. Your conversations are never stored.

  • OpenAI-compatible API (LiteLLM)
  • All providers configured for ZDR
  • No prompt/response logging

PostgreSQL

Bi-directional replication. Both regions can accept writes.

  • Synchronous replication
  • Last-write-wins conflict resolution
  • Manual failover (safer for financial data)

Performance

Production Metrics (scout.ciris.ai)

  • Memory Usage: 368 MB
  • CPU Usage: 5%
  • Response Time: 5-10s
  • Core Services: 22

Edge Device Support

CIRISAgent runs on Android ARM32 devices via Chaquopy Python with 15-20 second response times. Total app footprint under 100MB.

  • Full on-device runtime (no cloud required)
  • SQLite with WAL mode for local persistence

Coherence Ratchet

Ethical consistency isn't expensive—deception is. Truth verification is O(1), while lying requires solving NP-hard consistency against cryptographically-signed history.

  • Truth-telling: constant time verification
  • Deception: exponentially growing computational cost
  • Ethics as path of least resistance

Graceful Degradation

  • LLM fallback chain: Primary → Fast → Fallback providers
  • Phased initialization: Critical services block, optional services fail gracefully
  • Resource adaptation: Adjusts to intermittent networks and power constraints

Key Design Decisions

Active/Active, Not Primary/Replica

Both regions serve all requests simultaneously. No single point of failure for compute. Each region has its own domain. If one region fails, clients can switch to the other immediately—no failover delay.

Two Independent Providers

Vultr (US company) and Hetzner (German company) provide jurisdictional diversity. No single provider can take down CIRIS. No vendor lock-in means we can swap providers if pricing or policies change.

Split DNS Strategy

US traffic routes through Cloudflare for DDoS protection and caching. EU traffic uses direct DNS to Hetzner. This split ensures zero single point of failure—if Cloudflare has issues, EU remains directly accessible.

Manual Database Failover

For financial data (credit balances, transactions), we chose manual promotion over automatic failover. This prevents split-brain scenarios and ensures human verification before changing write authority. Good enough beats perfect when money is involved.

Safety Integration

CIRISBridge implements the Safety Policy: "Fix if we can. Pause only if we can't."

Global Pause

Stops proxy, billing, DNS across all regions. PostgreSQL persists. Requires explicit documented reason.

Regional Pause

Pauses one region while the other continues serving. Graceful degradation for localized issues.

Safety runbooks are public in the CIRISBridge repository.

100% AGPL-3.0 Open Source

Why AGPL-3.0?

Every CIRIS component uses the GNU Affero General Public License v3.0. This isn't just "open source"—it's network copyleft. If anyone modifies CIRIS and offers it as a service, they must release their modifications under the same license.

  • Prevents cloud appropriation — No company can take CIRIS, modify it, and offer it as a closed service
  • Ensures transparency — Any deployed version's source must be available to users
  • Protects the commons — Improvements flow back to the community, not into proprietary forks

Every component of CIRIS infrastructure is open source under AGPL-3.0. You can audit our claims, reproduce our setup, or fork it—and if you serve it to others, you share your improvements.

  • CIRISAgent (AGPL-3.0): Core agent framework
  • CIRISManager (AGPL-3.0): Scout, research agents, Discord mods
  • CIRISBridge (AGPL-3.0): Terraform + Ansible orchestration
  • CIRISBilling (AGPL-3.0): Credits and payments
  • CIRISProxy (AGPL-3.0): LLM routing with ZDR
  • CIRISLens (AGPL-3.0): Observability and status
  • ciris-website (AGPL-3.0): This website

"This infrastructure exists to be deleted. That's not a bug—it's the mission."

CIRIS - Ethical AI by Design

© 2025 Eric Moore and CIRIS L3C | AGPL-3.0 License