Pramiti Docs

Two-Plane Model

Read plane (Epistom) and write plane (Aegis) over a shared semantic substrate

Pramiti's architecture separates concerns into two independent planes that share a common platform layer but can be deployed and scaled independently.

Read Plane (Epistom)

The read plane answers: "What does this data mean?"

Components:

  • Knowledge Model (OWL 2 QL in Oxigraph)
  • NLQ Engine (query routing, SQL generation, validation)
  • MCP Server (8 tools for agent connectivity)
  • Verified Queries (curated SQL patterns)
  • Drift Detection (schema change monitoring)
  • Feedback Engine (self-improving accuracy)

Dependencies: PostgreSQL + Oxigraph + LLM

The read plane operates exclusively on read-only database connections. With EPISTOM_SQL_READONLY=true, LLM-generated SQL is executed only over those read-only connections, so it cannot modify source databases. The database credentials handed to the read plane should themselves be read-only as well: a write-capable role behind an application-level flag leaves the guarantee resting on a single setting.
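An added example, not Pramiti's own code, of what a two-layer read-only guarantee looks like for LLM-generated SQL: a static gate on the generated statement, backed by a connection that cannot write, so a statement that slips past the gate still fails at the database. It uses sqlite3 as a stand-in for PostgreSQL so it runs offline; the gate rules, function names and sample table are assumptions, and EPISTOM_SQL_READONLY is read here as a module constant.

```python
"""Added example, not Pramiti's code: two layers of read-only enforcement
for LLM-generated SQL. Layer 1 is a static gate on the statement text;
layer 2 executes only over a connection that cannot write, so anything the
gate misses still fails. sqlite3 stands in for PostgreSQL because it ships
with Python (assumption); the PostgreSQL equivalent is a role holding only
SELECT grants."""
import re
import sqlite3

EPISTOM_SQL_READONLY = True  # the page's setting name, read here as a module constant

# Statement-leading keywords that write data, change schema or alter the session.
_WRITE_RE = re.compile(
    r"^(insert|update|delete|merge|replace|create|alter|drop|truncate|"
    r"grant|revoke|copy|vacuum|attach|detach|pragma|set)\b",
    re.IGNORECASE,
)
_READ_RE = re.compile(r"^(select|with)\b", re.IGNORECASE)


class SqlRejected(ValueError):
    """Raised by the static gate; the statement never reaches the database."""


def gate_generated_sql(sql: str) -> str:
    """Layer 1: accept a single SELECT/WITH statement with no comments.

    This is a heuristic and knowingly incomplete: in PostgreSQL a
    data-modifying CTE such as 'WITH t AS (DELETE FROM x) SELECT 1'
    starts with WITH and passes, which is why layer 2 exists.
    """
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt:
        raise SqlRejected("multiple statements")
    if "--" in stmt or "/*" in stmt:
        raise SqlRejected("comments not allowed")
    if _WRITE_RE.match(stmt):
        raise SqlRejected("write/DDL statement")
    if not _READ_RE.match(stmt):
        raise SqlRejected("only SELECT/WITH queries allowed")
    return stmt


def seed_demo_db() -> sqlite3.Connection:
    """Constructed sample data; the read plane itself never seeds anything.

    After seeding, the connection is switched to query-only (layer 2).
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE orders(id INTEGER PRIMARY KEY, customer TEXT, amount REAL);"
        "INSERT INTO orders VALUES (1,'acme',120.0),(2,'globex',80.5),(3,'acme',40.0);"
    )
    if EPISTOM_SQL_READONLY:
        conn.execute("PRAGMA query_only = 1")  # every write now fails with SQLITE_READONLY
    return conn


def run_generated_sql(conn: sqlite3.Connection, sql: str, use_gate: bool = True):
    """Run LLM-generated SQL. Returns (status, payload) where status is
    'ok', 'rejected' (stopped by layer 1), 'blocked' (stopped by layer 2)
    or 'error' (any other database error)."""
    stmt = sql
    if use_gate:
        try:
            stmt = gate_generated_sql(sql)
        except SqlRejected as exc:
            return ("rejected", str(exc))
    try:
        return ("ok", conn.execute(stmt).fetchall())
    except sqlite3.OperationalError as exc:
        status = "blocked" if "readonly" in str(exc).lower() else "error"
        return (status, str(exc))


if __name__ == "__main__":
    db = seed_demo_db()
    print(run_generated_sql(db, "SELECT customer, SUM(amount) FROM orders GROUP BY customer"))
    print(run_generated_sql(db, "DELETE FROM orders"))                  # rejected by layer 1
    print(run_generated_sql(db, "DELETE FROM orders", use_gate=False))  # blocked by layer 2
```

In PostgreSQL the second layer is the role's grants, not an application flag: connect as a role that holds only SELECT on the source tables. A read-only transaction mode (transaction_read_only) is a useful extra but can be switched off by the session itself, so it must not be the only layer.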

Write Plane (Aegis)

The write plane answers: "Is this action valid?"

Components:

  • Policy Decision Point (constraint evaluation)
  • Constraint Engine (JSON predicates + SHACL)
  • Impact Engine (blast radius computation)
  • Attestation Store (Ed25519 signing, append-only)
  • Connection Manager (downstream MCP servers)
  • SIEM Integration (OCSF delivery)

Dependencies: PostgreSQL only

The write plane is deliberately simple and auditable. It has no LLM dependency, no Oxigraph dependency, and no non-deterministic components. Every evaluation produces the same result given the same inputs.
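An added example, not Pramiti's code, of the two write-plane properties described above: a policy decision point that evaluates JSON predicates with no LLM or other non-deterministic input, and an append-only attestation log in which each record is chained to the previous one and authenticated so that any edit is detectable. The page specifies Ed25519 signatures for the attestation store; this example substitutes HMAC-SHA256 (the same mechanism the shared audit log uses for tamper detection) so it needs only the standard library. The predicate grammar, the constraint set and the shape of the action document are assumptions.

```python
"""Added example, not Pramiti's code: a deterministic policy decision point
in the shape the page describes for the write plane. Constraints are JSON
predicates over a proposed action; each decision is serialised canonically,
chained to the previous record and authenticated with an HMAC so the log is
append-only and tamper-evident. The page names Ed25519 for attestation
signatures; HMAC-SHA256 is substituted here because it is in the standard
library. The predicate grammar and action field names are assumptions."""
import hashlib
import hmac
import json

# Constructed constraint set. A rule fires when its predicate is true for
# the action document; any firing rule denies the action.
CONSTRAINTS = [
    {"id": "no-prod-delete",
     "when": {"all": [{"eq": ["action", "delete"]}, {"eq": ["target.env", "prod"]}]}},
    {"id": "blast-radius-cap",
     "when": {"gt": ["impact.rows_affected", 10000]}},
    {"id": "approved-tools-only",
     "when": {"not": {"in": ["tool", ["postgres-mcp", "salesforce-mcp"]]}}},
]


def _lookup(doc, path):
    """Dotted-path lookup; a missing field yields None rather than raising."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate(pred, doc):
    """Evaluate one predicate node (exactly one operator per node).

    Pure over the supported operators: no clock, randomness or I/O, so the
    same (pred, doc) always yields the same bool. An unknown operator raises
    so a malformed rule is caught at load time rather than silently allowing."""
    (op, arg), = pred.items()
    if op == "all":
        return all(evaluate(p, doc) for p in arg)
    if op == "any":
        return any(evaluate(p, doc) for p in arg)
    if op == "not":
        return not evaluate(arg, doc)
    if op == "eq":
        return _lookup(doc, arg[0]) == arg[1]
    if op == "gt":
        value = _lookup(doc, arg[0])
        return isinstance(value, (int, float)) and value > arg[1]
    if op == "in":
        return _lookup(doc, arg[0]) in arg[1]
    raise ValueError(f"unknown operator {op!r}")


def decide(action, constraints=CONSTRAINTS):
    """Deny if any constraint fires; report which ones, in rule order."""
    violated = [c["id"] for c in constraints if evaluate(c["when"], action)]
    return {"decision": "deny" if violated else "allow", "violated": violated}


def canonical(obj) -> str:
    """Canonical JSON: sorted keys, no whitespace, so equal inputs serialise equal."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


class AttestationLog:
    """Append-only, hash-chained decision records, each HMAC-authenticated.

    Record i commits to the MAC of record i-1, so editing, deleting or
    reordering any record breaks verification from that point on."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, body) -> str:
        return hmac.new(self._key, canonical(body).encode(), hashlib.sha256).hexdigest()

    def append(self, action, decision) -> str:
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        body = {"seq": len(self.records), "prev": prev,
                "action": action, "decision": decision}
        mac = self._mac(body)
        self.records.append({**body, "mac": mac})
        return mac

    def verify(self) -> bool:
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body["seq"] != i or body["prev"] != prev:
                return False
            if not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False
            prev = rec["mac"]
        return True
```

The property worth checking is the one the page claims: two independent evaluations of the same action, against the same constraint set and key, produce byte-identical records. That is what lets an auditor replay the write plane's decisions and compare them with the stored attestations.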

Independent Deployment

The two planes can be deployed independently:

# Epistom only (read plane)
docker compose -f docker-compose.epistom.yml up -d
 
# Aegis only (write plane)
docker compose -f docker-compose.aegis.yml up -d
 
# Both planes (full platform)
docker compose up -d

Each deployment has its own API entry point (epistom_main.py for Epistom, aegis_main.py for Aegis, main.py for the full platform) with the appropriate routers included.

Shared Platform Layer

Both planes share:

  • Authentication — JWT, SAML SSO, Azure AD, API keys
  • Tenancy — Workspace-based data isolation
  • Audit — Append-only audit log with HMAC tamper detection
  • Rate Limiting — Per-key rate limiting with Redis support
  • Billing — Stripe integration for cloud deployments

Why Two Planes?

Separating reads and writes provides:

  1. Independent scaling — The read plane needs LLM capacity; the write plane needs policy evaluation throughput
  2. Different trust models — The read plane involves LLM (non-deterministic); the write plane is fully deterministic
  3. Different buyers — VP Data buys Epistom; CISO buys Aegis
  4. Blast radius isolation — A compromise in the read plane doesn't affect write-plane enforcement
  5. Regulatory clarity — Auditors can verify the write plane independently of the read plane