Skip to Content
Design DecisionsOverview

Design Decisions

This section is the platform’s decision log: the significant, deliberate choices that shaped how Orbit is built, deployed, and operated. Each page follows a light ADR format — Context (the forces at play), Decision (what was decided, precisely), Consequences (what it bought and what it costs), and Evidence (where in the repository the decision is visible).

The log is mined from the platform’s memory records (memory/*.md) and design documents (designs/*.md), which capture decisions as they were made — dates below are as recorded there. Where a record gives only a month, or no date at all, the status line on the decision page says so rather than inventing one.

A recurring theme runs through the log: single writer, many readers. The per-solution agent is the only process that mutates a solution’s repositories (one replica, serial tasks, per-request branches); everything else — the reader webapp, Mission Control, Aurora — observes over HTTP. Several decisions below are downstream of that stance.

The decisions

IdTitleDateAreaDecision in one line
ADR-001Azure Container Apps as the sole deployment target2026-07-02DeploymentAurora and all per-solution stacks run on ACA via managed identity; the Vercel path was retired and deleted.
ADR-002Shared images per release, built from immutable git tags2026-06 (month as recorded)DeploymentContainer images are shared across solutions and built server-side from per-component git tags; per-solution state is only apps, shares, and env.
ADR-003Two external apps per solution; the agent is internal-only2026-06-30 (revised 2026-07-01, 2026-07-03)DeploymentReader and Mission Control are external ACA apps with per-solution subdomains; since 2026-07-03 the agent has internal ingress only, reached in-env at http://agent-<h>, with Mission Control’s browser traffic going through a same-origin /agent proxy.
ADR-004Single-replica writer with keep-alive-guarded scale-to-zero2026-07-03DeploymentThe agent is capped at one replica and scales to zero, kept alive mid-task by a self-directed long-poll rather than a queue + KEDA.
ADR-005Consolidate the aurora repo into the orbit platform repo2026-07-02RepositoriesOne repo holds the whole platform — apps, Aurora, services, infrastructure, and releases.
ADR-006The three-repo split for solutions2026-05 (in progress as of 2026-05-31)RepositoriesA solution spans a global methodology repo, a customer repo, and a MaxQLabs-only internal repo that tracks .orbit/ as first-class history.
ADR-007Agent-served solution data2026-07-02DataThe agent is the sole owner of the solution mounts and serves the tree over HTTP; the reader webapp is mount-free and caches per (instance, version).
ADR-008Portfolio registry as three microservices on Cosmos-shaped Postgres2026-07-02 (live 2026-07-03)DataCustomer/Tenant/Solution are three Hono services over JSONB records with If-Match concurrency and Entra-only Postgres auth, fronted by the aurora-webapp BFF.
ADR-009Release records reference artifacts, never bytesnot dated in the recordReleasesreleases/ stores per-component release.yaml records pinning a git tag and an ACR image reference; components version independently.
ADR-010Strictly serial task processing with per-request git branches2026-05-30AgentsOne process-wide TaskProcessor runs tasks one at a time across all requests and owns the branch-per-request, commit-per-task, merge-on-success lifecycle.
ADR-011Vendored per-stage methodology digest in cached system prompts2026-06-22/23 (PoC)AgentsA generated ~8.2K-token per-stage digest is injected into cached system prompts instead of every agent re-reading ~74K tokens of methodology.
ADR-012Native octokit solution tools, gated by conversational confirmationnot dated in the recordAgentsThe in-product agent chat creates solutions through a native GitHub-API service (no gh/git subprocess), behind a typed-confirm gate plus a canUseTool hard guard.
ADR-013Fork-with-upstream solution provisioning; the LLM is the glue2026-06 (month as recorded)SolutionsNew solutions are true GitHub forks (upstream link kept for template sync); deterministic work lives in scripts, skills only orchestrate.
ADR-014The editorial broadsheet design language2026-06-09/10UIThe webapp is light-first warm paper with a graphite dark companion, one accent color, token-only theming, and banned glass/glow/gradient idioms.
ADR-015TypeScript is canonical for the solution plane2026-07-05DeploymentPer-solution deployment lives once in the @maxq/orbit-deploy engine (steps with plan/apply/verify under scenarios, driven by agent tools, CLI, and the creation hook); bash keeps only the human-run platform singletons, and provision-solution.sh is legacy until the engine is live-proven.

Reading the log

  • Status is Accepted unless noted; one entry (ADR-011) is an accepted proof of concept with rollout still in progress.
  • Areas group thematically: Deployment, Repositories, Data, Releases, Agents, Solutions, UI. The sidebar follows this grouping.
  • Several decisions explicitly supersede earlier ones — e.g. the internal repo tracking .orbit/ (ADR-006) supersedes the gitignore approach noted in ADR-010, the busy keep-alive (ADR-004) supersedes an earlier queue + KEDA plan, and ADR-003’s 2026-07-03 revision (agent internal-only) supersedes its own earlier “the agent is public by design” stance. The pages note this so future work does not re-litigate settled questions or “finish” retired mechanisms.
  • Evidence paths are relative to the platform repo root (maxq-labs-orbit-platform/orbit) unless stated otherwise.