Product · the whole stack

Governance first.
AI second.
Data third.

Koine is three layers with strict trust boundaries, three entry paths that share one Gateway, and a Prompt Stack that guarantees the AI never writes. This page explains each piece.

Section 01

Three layers, not one monolith.

Connector Layer

One interface, bidirectional, per-dialect drivers. Knows nothing about users, roles, or prompts. Takes a compiled query, returns rows or a write receipt.

  • Postgres + PostGIS · reference implementation
  • MySQL · MariaDB
  • SQLite + Spatialite
  • SQL Server
  • Generic REST / OpenAPI
  • Google Sheets · CSV upload · ArcGIS · Mapbox (preview)

Intelligence Middleware

The product itself. Every request — chat turn, direct API call, or inbound webhook — passes through this layer once.

  • Gateway: auth, path tag, RBAC, rate limit, PII strip, audit
  • Tool Registry: portable + raw, reviewed writes
  • Prompt Stack: four tiers, versioned, eval-gated
  • ContextFacts: domain truths the AI must cite
  • Write Proposals: dry-run → two-party approval → execute
  • Audit: read-12mo + write-7yr, immutable

Experience Shell

Koine Studio for operators. Koine Chat for end users. Or build your own.

  • Studio: prompt editor, tool registry, audit, approvals queue
  • Chat: SSE streaming, spec-cards, inline citations
  • Reports: branded PDF / XLSX / HTML, scheduled
  • Open API: tenants ship their own chat, mobile app, voice surface

Connectors ≠ Middleware ≠ Shell

Each layer depends only on the one directly below. This is the single most important invariant in Koine — breaking it loses the moat.

  • Shell never speaks to a database
  • Middleware never executes dialect-specific SQL
  • Connector never holds governance state

Section 02

Three entry paths. One Gateway.

Every request is tagged at entry and treated equally under the same governance. Writes are refused on the chat path before capability checks even run — enforced in code, not in prompts.

Chat · AI-first, read-only forever

Analysts, ministers, partner officers ask in plain EN / FR / PT. Koine composes a four-tier prompt, picks tools from the catalogue, renders the answer with citations and an expandable SQL trace. The AI can propose writes as spec cards; humans execute them elsewhere.

Direct Tool API · for your own UIs

Your dashboard, your mobile app, your internal form. Call POST /api/v1/tools/<slug>/run/ with JSON. Same Gateway, same audit, same RBAC. Writes allowed with the right capability.

System-to-System · governed ETL

Webhook in → tool runs → destination connector receives. Schedule runs. Map fields between Salesforce and your Postgres. Move data across systems with dry-run previews, two-party approval for anything destructive, and a 7-year audit trail.

One enforcement point

The Gateway checks auth, capability, rate limit, PII, and path-write-gating on every request regardless of entry. There is no bypass. There is no dev-mode override. Platform admin included.

READ REQUEST

Chat / API / S2S
  ↓
Gateway → auth → entry-path tag → effective access → rate limit
  ↓
Prompt Composer (chat only) → System → Tenant → Role → Session + ContextFacts
  ↓
Tool Registry → filtered catalogue
  ↓
Tool Dispatch → Connector compile + execute
  ↓
PII strip (if caller lacks pii_access)
  ↓
Audit → read-stream
  ↓
Response with citations + SQL trace

WRITE REQUEST (api / s2s only — chat refused at Gateway)
  ↓
Mandatory dry-run → signed dry-run token
  ↓
Approval check (single admin for Tier 2, two admins for Tier 3)
  ↓
Execute with tenant constraints
  ↓
Write audit → 7-year stream + compensating-action hint

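
The check ordering described above, sketched as an added example (not Koine's code): a write arriving on the chat path is refused before capabilities are even computed, and capabilities are the union across active roles. All names here (`Request`, `Role`, `gateway_check`, the stage labels) are hypothetical; rate limiting and PII stripping are left out.

```python
from dataclasses import dataclass, field
from typing import Optional

ENTRY_PATHS = {"chat", "api", "s2s"}  # the three entry paths, tagged at entry

class Refused(Exception):
    """Raised by the gateway; `stage` records which check refused (hypothetical labels)."""
    def __init__(self, stage, reason):
        super().__init__(f"{stage}: {reason}")
        self.stage = stage

@dataclass(frozen=True)
class Role:
    name: str
    capabilities: frozenset

@dataclass
class Request:
    caller: Optional[str]   # None means unauthenticated
    entry_path: str
    tool: str
    is_write: bool
    roles: list = field(default_factory=list)

def effective_capabilities(roles):
    """Union of capabilities across all of the caller's active roles."""
    return set().union(*(r.capabilities for r in roles))

def gateway_check(req, audit):
    """Return the effective capabilities or raise Refused; both outcomes are audited."""
    try:
        if req.caller is None:
            raise Refused("auth", "no authenticated caller")
        if req.entry_path not in ENTRY_PATHS:
            raise Refused("path-tag", "unknown entry path")
        # Path gate runs before any capability lookup: chat never writes,
        # whatever roles the caller holds.
        if req.is_write and req.entry_path == "chat":
            raise Refused("path-write-gate", "writes refused on chat path")
        caps = effective_capabilities(req.roles)
        if req.is_write and "write" not in caps:
            raise Refused("capability", "caller lacks write capability")
    except Refused as e:
        audit.append((req.caller, req.entry_path, req.tool, "refused", e.stage))
        raise
    audit.append((req.caller, req.entry_path, req.tool, "allowed", None))
    return caps
```
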
Section 03

The four-tier Prompt Stack.

Prompts are code. They have versions, diffs, reviews, and evaluations against a tenant-authored Golden Set. A prompt change without a passing eval is a change that has not happened.

TIER 01

Koine System

Sealed. Loaded first. Refusal rules, tool-call protocol, citation schema, write-never. Ships with the Middleware. Tenants cannot edit.

TIER 02

Tenant Voice

Domain tone, organisation identity, tenant-specific caveats. Edited in Studio per locale, eval-gated on publish.

TIER 03

Role Persona

Formal for a Minister, concise for a field officer. Composes additively with Tenant Voice; conflicts resolved most-restrictive-on-safety.

TIER 04

Session Override

/terse · /lang fr · /explain. Cosmetic only. Cannot unlock writes, change connectors, or weaken governance. Ever.

Section 04

Bring any system.

Bidirectional connectors hide the dialect, protocol, and auth story from everything above them. The Middleware speaks to one interface; the tenant's database is the one that changes.

SQL connectors

  • Postgres · PostGIS · native dry-run via tx rollback
  • MySQL · MariaDB
  • SQLite · Spatialite for edge deploys
  • SQL Server

Non-SQL connectors

  • Generic REST / OpenAPI
  • Google Sheets
  • CSV upload (read-only)
  • ArcGIS Feature Service · Mapbox Datasets (preview)
  • Salesforce · SAP · HubSpot (preview)

Section 05

Governance is a feature, not a setting.

Tenants don't turn governance off. They configure its scope. The Gateway enforces; no code path bypasses.

RBAC × Capability

Role = scope (event types, states, LGAs, dates, projects) + capabilities (export, write, manage, approve, PII). Union across all active roles.

Audit, two streams

Read-audit 12 months, write-audit 7 years. Append-only. Every prompt compose, tool run, and approval recorded with caller + approvers.

Write policy

Three tiers. Tier 1 = reversible small writes. Tier 2 = one admin approves. Tier 3 = two admins. Dry-run tokens mandatory.
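
One way a mandatory dry-run token and tiered approval could fit together, as an added example (not Koine's code): the token is an HMAC over a digest of the exact write that was previewed, so a changed payload, an expired token, or too few distinct admin approvers all fail. The key, the token format, the 15-minute lifetime, and zero approvals for Tier 1 are assumptions; all function names are hypothetical.

```python
import hashlib, hmac, json, time

SECRET = b"constructed-demo-key"          # assumption: server-side signing key
APPROVALS_REQUIRED = {1: 0, 2: 1, 3: 2}   # Tier 1 = 0 is an assumption; 2 and 3 per the page
TOKEN_TTL = 900                           # assumption: token lifetime in seconds

def _digest(tool, params):
    """Canonical hash of the write so the token binds to what was dry-run."""
    canon = json.dumps({"tool": tool, "params": params},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def _sign(body):
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def issue_dry_run_token(tool, params, tier, now=None):
    """Issued only after the dry-run succeeded; carries digest, tier and expiry."""
    issued = int(time.time() if now is None else now)
    body = json.dumps({"d": _digest(tool, params), "tier": tier,
                       "exp": issued + TOKEN_TTL}, sort_keys=True)
    return body + "." + _sign(body)

def authorize_write(token, tool, params, approvers, admins, now=None):
    """Return (ok, reason). approvers: ids that approved; admins: set of admin ids."""
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return False, "bad signature"
    claims = json.loads(body)
    if (time.time() if now is None else now) > claims["exp"]:
        return False, "token expired"
    if claims["d"] != _digest(tool, params):
        return False, "write differs from dry-run"
    # Duplicate approvals and approvals from non-admins do not count.
    distinct = set(approvers) & set(admins)
    if len(distinct) < APPROVALS_REQUIRED[claims["tier"]]:
        return False, "insufficient approvals"
    return True, "ok"
```
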

Data residency

Tenants bind connectors in their region. Cross-region is opt-in. Dedicated deploys available for sovereign clients.