
Architecture Overview

Alien Giraffe is designed as a just-in-time data access platform. It combines a control plane for authentication, policy evaluation, and orchestration with isolated runtime environments that serve approved access to multiple data sources.

Alien Giraffe is built on a set of clearly defined architectural principles:

  • Deployments run entirely within infrastructure controlled by the organization
  • Trust boundaries are established and enforced before any data access request is provisioned
  • Approved access executes within short-lived, isolated data enclaves
  • Connectivity is exposed through managed, request-scoped tunnels rather than broad runtime access
  • Logs, events, and audit records are generated at every decision point and for all data access operations

Understand how Alien Giraffe is deployed into an organization-controlled Kubernetes environment, how tenancy options are separated, and how infrastructure is provisioned.

Learn how the platform avoids secret sharing across trust boundaries and how the double-door isolation model separates request intake from runtime execution.

See how the execution runtime is provisioned, how approved data is pulled and materialized before access is exposed, and how isolation, egress policy, and least privilege are enforced.

Review how managed tunnels expose request-scoped explorer and API access without turning the platform into a general-purpose network bridge.

Explore how logs, event streams, and audit records are captured across the control plane, tunnel layer, and data enclave lifecycle.

Review how Alien Giraffe benchmark runs are executed, what the latest request and load-test numbers look like, and how the platform performs on cross-source dataset joins.

At a high level, a request moves through the system in this order:

  1. A user or system submits a request through the API, UI, or an integration channel.
  2. The control plane authenticates the request and evaluates it against policy.
  3. If the request is approved, the platform provisions a data enclave inside the organization environment.
  4. The enclave receives only the scoped secret references and execution inputs needed for the approved pull path.
  5. The enclave performs an atomic parallel ingestion phase, materializes the approved data into its in-memory runtime, and clears pull credentials.
  6. If interactive access is needed, the platform can then publish a managed request tunnel with temporary credentials.
  7. The enclave is terminated when the access window closes or the job finishes.
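The ordering constraints in the seven steps above, modelled as a small state machine (an added illustration, not Alien Giraffe code; the policy table, `ref://` secret references, the `pull` stand-in and the state names are all assumptions):

```python
"""Toy model of the request lifecycle: policy before provisioning, scoped
secret references only, credentials cleared after ingestion, tunnel issued
only from a safe state, enclave torn down at the end. Illustration only."""
from dataclasses import dataclass, field
import secrets

# Constructed policy: which principal is approved for which data source.
POLICY = {"alice": {"orders_db"}}


@dataclass
class Enclave:
    request_id: str
    secret_refs: dict                      # scoped references, never raw secrets
    data: dict = field(default_factory=dict)  # in-memory materialized data
    state: str = "provisioned"


def evaluate(principal, source):
    """Step 2: the policy decision happens before anything is provisioned."""
    return source in POLICY.get(principal, set())


def pull(ref):
    """Assumed stand-in for the real ingestion; returns constructed rows."""
    return [{"id": 1, "total": 42}]


def provision(principal, source):
    """Steps 3-5: provision, pull via scoped refs, then clear pull credentials."""
    if not evaluate(principal, source):
        raise PermissionError(f"{principal} is not approved for {source}")
    enc = Enclave(request_id=secrets.token_hex(4),
                  secret_refs={source: f"ref://vault/{source}"})
    enc.data[source] = pull(enc.secret_refs[source])
    enc.secret_refs.clear()                # nothing reusable survives ingestion
    enc.state = "materialized"
    return enc


def open_tunnel(enc):
    """Step 6: a request-scoped tunnel is refused unless data is materialized
    and no pull credentials remain inside the enclave."""
    if enc.state != "materialized" or enc.secret_refs:
        raise RuntimeError("tunnel refused: enclave not in a safe state")
    enc.state = "tunnel_open"
    return {"request_id": enc.request_id, "token": secrets.token_urlsafe(16)}


def terminate(enc):
    """Step 7: tear down; neither data nor references outlive the enclave."""
    enc.data.clear()
    enc.secret_refs.clear()
    enc.state = "terminated"
```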

  1. Start with Deployment Model for the infrastructure shape.
  2. Continue to Secret Isolation and Data Enclaves for the core security model.
  3. Read Tunnel Architecture and Observability & Audit for connectivity and operational visibility.