Technical Architecture:
Why GoDo Platform is Different

Most AI tools generate code. GoDo generates structured metadata that a hardened runtime engine executes. Here's why that matters for regulated industries.

The Core Architectural Difference

AI-assembled metadata vs. AI-generated code

AI Coding Tools

v0, Cursor, Claude Code

These tools use AI to generate raw source code that must be executed directly.

// AI generates this: function processWorkflow(data) { if (data.amount > 10000) { sendToApproval(data); } else { autoApprove(data); } logToDatabase(data); }
  • Black-box logic - hard to audit what the AI decided
  • Code can have bugs, security vulnerabilities, or hallucinated functions
  • Requires developers to review, test, and harden for production
  • No guaranteed compliance - each generated app is unique
  • Difficult to trace decisions for auditors
GoDo Platform

Metadata-Driven Architecture

GoDo's AI generates structured JSON metadata that describes the workflow. A TypeScript runtime engine — built on curated, compliance-aware components — executes it.

// AI generates this metadata: { "workflowId": "approval_flow_001", "nodes": [ { "type": "CONDITIONAL", "condition": "amount > 10000", "truePath": "approval_node", "falsePath": "auto_approve_node" } ] }
  • Visual, traceable logic - compliance officers can read the workflow
  • No code execution vulnerabilities - only validated components run
  • No developers needed - ops teams configure and deploy
  • Compliance-aware components — audit log, encryption, retention defaults baked in
  • Full audit trail — every decision logged + timestamped, written in the same DB transaction as the change

The GoDo AI Pipeline

A sophisticated 3-pass LLM architecture that generates structured, auditable metadata

1. Intent Interpretation
User describes workflow in natural language
2. Three-Pass AI Generation
AI Drafting → AI Critique → AI Architect (structured JSON)
3. Metadata Scaffold Output
AppScaffold / PatternScaffold JSON (entities, workflow nodes, rules)
4. Visual Workflow Builder
React Flow WorkflowPreviewGraph - user reviews and refines
5. Runtime Execution
TypeScript RuntimeRenderer executes the metadata dynamically
6. Audit Trail
Co-transactional Postgres writes with immutability trigger; hash-chain signatures on the roadmap

At no point does the system generate or execute arbitrary code. Every component is known, tested, and validated.

The Component Library

Curated, compliance-aware building blocks — not AI-invented code

15+ Years of Operating Experience

Backed by 15+ years of operating compliance workflows in regulated industries. The GoDo Platform 2026 codebase is new — built from the ground up on Postgres with the lessons of those years in its architecture.

Modern TypeScript Engine

Built on a modern TypeScript runtime with mapped ActivityType enums (IMPORT, EVENT, APPROVAL, etc.) and curated Domain Patterns for common compliance workflows.

Curated Components

Every component in the library is hand-curated with audit log, encryption, and retention defaults baked in. The AI selects and assembles — it never invents new logic or hallucinates functions.

Why this matters: Unlike AI coding tools that can generate infinite variations of untested code, GoDo's AI can only select from a finite, validated library. This constraint is a feature, not a limitation - it's what makes the output auditable and compliance-ready.

Audit Trail

Every action, logged and timestamped — on the same database transaction as the change

Bolt-On Audit Logs

  • Logged after the fact — possible to write a change without an audit entry
  • Application-layer enforcement only
  • Can be disabled or bypassed by privileged roles
  • Limited attribution — often just user ID and timestamp

GoDo's Audit Trail

  • Co-transactional: Audit entry written in the same DB transaction as the workflow change — they ship or fail together.
  • Immutability trigger: Postgres-level trigger prevents UPDATE/DELETE on AuditLogEntry rows.
  • Full attribution: Every entry captures actor, action, before/after state, request context, and timestamp.
  • Configurable retention: 7-year default; tenant-configurable for longer regulatory windows.
  • Tamper-evident roadmap: Hash-chain signatures (SOR Phase 0) on the way — not yet shipped.

GoDo's audit trail today is a real, immutable record of every workflow action — backed by a Postgres trigger that physically prevents modification. Cryptographic hash-chain signatures are roadmap and will not be claimed as shipped until they are.

Per-Tenant Data Scoping

Application-layer enforcement today — database-layer isolation on the roadmap

Naive Multi-Tenant SaaS

// Shared table, ad-hoc filter SELECT * FROM workflows WHERE tenant_id = 'company_123'
  • Filter applied per-query — easy to forget
  • One missed WHERE clause = cross-tenant exposure
  • Audit logs share tenants too

GoDo Platform (today)

// Centralized scoping at the data-access layer prisma.workflow.findMany({ where: { orgId: ctx.orgId, ...filters } })
  • Every query routes through a tenant-scoping data-access layer — no raw SQL in app code.
  • Audit logs scoped per tenant; no cross-tenant audit reads.
  • Tenant context propagated from auth → query in a single call path that's easy to audit.
  • Roadmap: Postgres Row-Level Security (RLS) policies for database-layer enforcement — in progress, not yet shipped.

Today, tenant isolation is enforced at the application layer through a centralized data-access layer. Database-level enforcement via RLS is on the near-term roadmap. We will not claim "complete" isolation until that ships.

Advanced Workflow Orchestration

Parallel execution, branching logic, and cross-process coordination

Parallel Fan-Out

Launch multiple workflow branches simultaneously - perfect for due diligence processes where different teams work on different aspects in parallel.

JoinAt Convergence

Automatically wait for multiple parallel branches to complete before proceeding - essential for approval workflows requiring multiple stakeholders.

? TRUE FALSE

Conditional Branching

Dynamic routing based on data values, user roles, or external conditions - all visually represented and fully traceable.

L1 Process Orchestration Diagram

L1 Process Orchestration

Cross-process coordination at the highest level - manage complex multi-workflow scenarios like startup intake flowing into due diligence and investment closing.

Advanced Capabilities: GoDo's branching and parallel workflow orchestration enables these advanced patterns at the highest level, making it suitable for the most complex compliance workflows in PE, VC, insurance, and healthcare operations.

Speed Without Sacrifice

As fast as vibe coding - before you need developers to harden it

Stage AI Coding Tools GoDo Platform
Initial Generation ~60 seconds
Fast prototype		 ~60 seconds
Scaffold generation
Review & Refinement Hours to days
Code review, testing		 Minutes to hours
Visual workflow editing
Hardening for Production Weeks to months
Security, error handling, audit trail		 Already built-in
Pre-validated components
Compliance Documentation Manual effort
Reverse-engineer audit trail		 Automatic
Built into architecture
Total Time to Production Months
Fast to prototype, slow to production		 Hours to days
Production-ready from start

The vibe coding scaffold generation operates in under 60 seconds. The difference is what happens next: with AI coding, you need developers to harden it. With GoDo, you're already production-ready.

Realistic Deployment Timelines

What to actually expect when building on GoDo

Simple Workflows

Hours: Document collection, approval routing, status tracking - straightforward linear processes can be configured and deployed in a single working session.

Moderate Complexity

1-3 Days: Multi-stakeholder workflows with conditional logic, parallel branches, and integration points may require iterative refinement in the visual builder.

Complex Multi-Process Workflows

Days to Weeks: Highly complex workflows with extensive branching, cross-process orchestration, and custom data bindings may need manual refinement if the AI's first pass isn't perfect.

Why This Architecture Matters for Regulated Industries

The technical decisions that enable compliance at speed

✓ Auditor Can Read It

Visual workflow graphs, not code. Your compliance officer can trace every decision. Your auditor can verify every step. No "trust the black box" required.

✓ No Code Vulnerabilities

Because no arbitrary code is generated or executed, there are no SQL injection risks, no buffer overflows, no dependency vulnerabilities from AI hallucinations.

✓ Built-In Auditability

Every component is hand-curated with audit log, encryption, and retention defaults baked in. Workflows inherit those properties automatically.

✓ Co-Transactional Audit

Audit entries are written in the same Postgres transaction as the workflow change — they ship together or fail together. A Postgres trigger physically prevents UPDATE or DELETE on audit rows.

✓ Per-Tenant Data Scoping

Every query routes through a centralized data-access layer that enforces tenant scope. Audit logs and workflow data are scoped per tenant. RLS-based database enforcement is on the roadmap.

✓ No Developer Dependency

Ops teams configure, deploy, and maintain workflows themselves. No IT queue. No developer bottleneck. No technical debt.

Sovereign Deployment

Run the entire stack on hardware you own — AI inference included

Cloud-Only Deployment

  • AI inference calls leave your infrastructure on every request
  • Client data processed by third-party AI providers
  • Privilege and confidentiality depend on contractual promises, not architecture
  • Per-token cost compounds with volume

GoDo Sovereign Mode

  • Full local stack: Postgres, Temporal workflow engine, and Next.js app all run via Docker Compose on your hardware.
  • Local AI inference: pnpm dev:sovereign routes all LLM calls to a local Ollama instance — zero cloud API calls.
  • Two-model council on Mac Studio Ultra (128 GB): gpt-oss:120b (116B, primary reasoning) + gemma4:31b (31B, adversarial reviewer). Different training lineages deliberately — so each catches the other's blind spots. Native tool calling and structured outputs supported.
  • Zero runtime AI: Once an app is built, workflows run entirely on deterministic code. No model inference, no API calls, no per-query cost at runtime. Rules fire, steps advance, audit trails write.
  • Fail-shut design: Sovereign mode hard-fails if the local model is unavailable — it never silently falls back to a cloud API.
  • Hybrid option: Local-first with optional cloud shadow for heavy reasoning tasks — configurable per profile.
pnpm dev:sovereign # all AI calls → local Ollama; fail-shut if Ollama is down pnpm dev:hybrid # local-first with cloud fallback on council tasks pnpm llm:check # smoke-test all configured backends GET /api/system/llm-status # JSON: active profile + backend health

Who this matters for: Any regulated industry where data residency is a hard requirement — law firms (Rule 1.6), healthcare (HIPAA-adjacent workflows), finance (internal policy data that can't touch external AI). Sovereign mode was designed for the customer who cannot accept "your data stays private because we promise" and needs "your data stays private because the architecture makes it physically impossible to leave."

See the Architecture in Action

Most technical demos show you slides. We'll show you the actual metadata scaffold, the visual workflow builder, and the audit trail in real-time.

Book a Technical Deep-Dive →

Bring your toughest compliance workflow. We'll build it together.