Pathway 3 · Architecture & engineering

How LynCareOS is built — stack, data, security, deployment

Current-state architecture for engineers and technical reviewers: what runs in production today, how tenancy and module gating work, and where the platform is heading. Diagrams plus substance; full specifications open in the library viewer with Mermaid support.

React 19 · FastAPI · PostgreSQL 16 · Docker · Cloudflare Tunnel · 11 module routers live

01 Production topology

One Sydney VPS runs the product API and database. Cloudflare Tunnel terminates TLS for app.lyncareos.com. Marketing is separate on Cloudflare Pages.

[Diagram: Production (current). Browser PWA (React 19) → Cloudflare Tunnel + edge → FastAPI on :8020 with 2 workers → PostgreSQL 16 (system of record). Side integrations: Stripe (billing webhooks) and LM Studio (script OCR, server side).]
App traffic: PWA → Cloudflare Tunnel → FastAPI → PostgreSQL. Redis supports cache and pub/sub, not scan durability.

Authoritative detail: 01-ARCHITECTURE · 20-PRODUCTION-DEPLOYMENT-GUIDE

02 Frontend

React 19, TypeScript, Vite 8, Tailwind with the Calm Care design system. Module routes are enabled from /api/me/modules at login. API calls go through lib/api.ts; OpenAPI contract pipeline (B1) is live but most UI types remain hand-written in api.ts today.

03 Backend & APIs

Python 3.12 in Docker, FastAPI, psycopg v3 async pool. No ORM: all queries are parameterised SQL. The target layering is router → service → repository; hot paths have been migrated, while legacy modules that still run SQL in the router remain in place under CI guardrails. Eleven module routers are mounted, each behind a require_module() gate.

Async prescription scanning uses a PostgreSQL-backed queue (claim, worker, notify) rather than holding API connections during vision inference.

04 Data & multi-tenancy

Every tenant-owned row carries tenant_id. Carers and observers are scoped by patient_access; tenant admins see all patients in the account. PostgreSQL RLS is defence-in-depth, not a substitute for application checks.
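The scoping rule above as a repository-layer query, written here as an added example (not LynCareOS code). The patients and patient_access table layout, the column names and the role names 'admin', 'carer' and 'observer' are assumptions; the sample rows are constructed. The point it demonstrates is that tenant_id comes from the verified session and is bound into every branch, carers and observers only reach rows joined through patient_access, and the join also matches tenant_id so a mis-provisioned access row cannot reach across tenants, whether or not RLS is switched on underneath.

```python
"""Tenant and patient-access scoping enforced in application SQL."""
import sqlite3

# Assumed simplified schema, not the real LynCareOS DDL.
SCHEMA = """
CREATE TABLE patients (
    id            INTEGER PRIMARY KEY,
    tenant_id     TEXT NOT NULL,
    display_name  TEXT NOT NULL
);
CREATE TABLE patient_access (
    tenant_id   TEXT NOT NULL,
    user_id     TEXT NOT NULL,
    patient_id  INTEGER NOT NULL REFERENCES patients(id),
    PRIMARY KEY (tenant_id, user_id, patient_id)
);
"""

# Constructed sample data: two tenants, one carer id that exists in both.
SAMPLE_PATIENTS = [
    (1, "t-alpha", "Ada"),
    (2, "t-alpha", "Bob"),
    (3, "t-beta", "Cy"),
]
SAMPLE_ACCESS = [
    ("t-alpha", "carer-1", 1),
    ("t-beta", "carer-1", 3),
    # Deliberately mis-provisioned row: tenant t-alpha granting a t-beta patient.
    # The tenant-aware join below must ignore it.
    ("t-alpha", "carer-1", 3),
]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    conn.executemany("INSERT INTO patient_access VALUES (?, ?, ?)", SAMPLE_ACCESS)
    return conn


def list_patients(conn: sqlite3.Connection, tenant_id: str, user_id: str, role: str) -> list:
    """Return patient names visible to (tenant_id, user_id, role).

    tenant_id is taken from the verified session, never from the request body,
    and is bound as a parameter in every branch. Admins see the whole tenant;
    carers and observers see only rows reachable through patient_access.
    """
    if role == "admin":
        rows = conn.execute(
            "SELECT display_name FROM patients WHERE tenant_id = ? ORDER BY id",
            (tenant_id,),
        )
    elif role in ("carer", "observer"):
        rows = conn.execute(
            """
            SELECT p.display_name
            FROM patients p
            JOIN patient_access a
              ON a.patient_id = p.id
             AND a.tenant_id  = p.tenant_id     -- blocks cross-tenant access rows
            WHERE p.tenant_id = ? AND a.user_id = ?
            ORDER BY p.id
            """,
            (tenant_id, user_id),
        )
    else:
        # Unknown roles fail closed instead of falling through to a broad query.
        raise PermissionError(f"unknown role {role!r}")
    return [r[0] for r in rows.fetchall()]
```

Running list_patients for carer-1 in t-alpha returns only Ada: the stray access row pointing at Cy is discarded by the tenant match in the join, which is the check an RLS policy would duplicate rather than replace.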


Before any migration

Read 11-DATABASE-SAFETY-AND-MIGRATIONS to confirm which database you are connected to.

05 Module gating

backend/billing/tiers.json defines which module slugs each plan includes. Routers declare require_module(slug); a request whose plan lacks the entitlement is rejected with HTTP 402. The frontend renders UpgradeGate on that same 402 signal.

See the business pathway for tier/module tables, or 23-SUBSCRIPTION-TIER-ENTITLEMENTS-MATRIX.
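A framework-agnostic sketch of the gate described above, added here as an example rather than taken from backend/billing. TIERS_JSON is a constructed stand-in for tiers.json and its plan names and module slugs are assumptions; EntitlementError plays the role the HTTP layer would play in raising a 402. Two details are worth copying: the gate is bound to a slug once at router setup and fails fast if the slug appears in no plan (a typo should break the build, not silently gate a route), and an absent or unknown plan is treated as "not entitled".

```python
"""Plan-to-module entitlement check in the shape of require_module(slug)."""
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

# Constructed stand-in for backend/billing/tiers.json (assumed shape).
TIERS_JSON = json.dumps({
    "plans": {
        "starter":   ["medications", "care_notes"],
        "family":    ["medications", "care_notes", "script_scanning"],
        "care_team": ["medications", "care_notes", "script_scanning", "care_alerts"],
    }
})


class EntitlementError(Exception):
    """Raised by a gate; the HTTP layer would turn it into a response."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass(frozen=True)
class Tiers:
    plans: Dict[str, FrozenSet[str]]

    @classmethod
    def load(cls, raw: str) -> "Tiers":
        data = json.loads(raw)
        return cls({plan: frozenset(mods) for plan, mods in data["plans"].items()})

    @property
    def known_modules(self) -> FrozenSet[str]:
        return frozenset().union(*self.plans.values())

    def includes(self, plan: Optional[str], slug: str) -> bool:
        # Unknown or missing plan -> no entitlements.
        return plan is not None and slug in self.plans.get(plan, frozenset())


def require_module(tiers: Tiers, slug: str) -> Callable[[Optional[str]], str]:
    """Bind a gate to one module slug at router setup time."""
    if slug not in tiers.known_modules:
        # Fail at import rather than shipping a route nobody can reach.
        raise ValueError(f"module slug {slug!r} is not defined in any plan")

    def gate(plan: Optional[str]) -> str:
        if not tiers.includes(plan, slug):
            raise EntitlementError(402, f"plan {plan!r} does not include {slug}")
        return slug

    return gate


TIERS = Tiers.load(TIERS_JSON)
scan_gate = require_module(TIERS, "script_scanning")


def handle_scan(plan: Optional[str]) -> dict:
    """Simulated route body: the gate runs before any work is done."""
    scan_gate(plan)
    return {"ok": True, "module": "script_scanning"}
```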

06 Security & audit

  • JWTs are HS256-signed and carry sub (the user id) and an optional tid (the tenant id).
  • Identity PHI is encrypted at rest; per-tenant DEKs are already provisioned for future column-level encryption.
  • MFA secrets use a separate crypto envelope; MFA_ENCRYPTION_KEY must be pinned before public launch.
  • Care alerts are stored durably in PostgreSQL and surfaced through the in-app bell and PWA badge (Web Push has been retired).
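The token format in the first bullet, minted and verified with the standard library only. This is an added example, not the platform's auth code; the secret, claim values and timestamps are constructed, and the 15-minute lifetime is an assumption. The verifier pins the algorithm to HS256 before touching the signature (so an "alg":"none" header is rejected outright), compares the MAC in constant time, requires sub and exp, and accepts tid only when present and a string.

```python
"""HS256 JWT with sub and optional tid: mint, verify, and reject a forged header."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class TokenError(ValueError):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint(secret: bytes, sub: str, tid: Optional[str] = None,
         ttl: int = 900, now: Optional[int] = None) -> str:
    """Issue a compact JWT. tid is omitted entirely when not given."""
    now = int(time.time()) if now is None else now
    claims = {"sub": sub, "iat": now, "exp": now + ttl}
    if tid is not None:
        claims["tid"] = tid
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify(secret: bytes, token: str, now: Optional[int] = None) -> dict:
    """Return {'sub': ..., 'tid': ...} or raise TokenError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h, c, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except Exception as exc:  # bad base64 or JSON
        raise TokenError("undecodable token") from exc
    # Algorithm is fixed by the server, never chosen by the token.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenError("bad signature")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenError("missing sub")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenError("expired")
    tid = claims.get("tid")
    if tid is not None and not isinstance(tid, str):
        raise TokenError("bad tid")
    return {"sub": sub, "tid": tid}


def forge_alg_none(token: str) -> str:
    """Attacker's move: keep the claims, swap the header to alg=none, drop the MAC."""
    _, c, _ = token.split(".")
    return _segment({"alg": "none", "typ": "JWT"}) + "." + c + "."
```

Because verify() recomputes HS256 over the header and claims it was actually given, a forged "none" header fails the alg check and, even if that check were missing, would fail the MAC comparison; the two checks are independent on purpose.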

07 Deployment

App: deploy.ps1 on the VPS with the Docker Compose production profile. Marketing: deploy-marketing-pages.ps1 to Cloudflare Pages. This documentation portal: deploy-docs-portal.ps1 to docs.lyncareos.com, behind Cloudflare Access with Google sign-in.

08 Architecture evolution

Target state adds Capacitor native clients, 30+ module routers, i18n (11 Wave-1 languages), optional native push, and full OpenAPI contract adoption in the UI. Each layer is independently deliverable on the current foundation.

Full architecture spec

01-ARCHITECTURE — current vs target, Mermaid diagrams
