System Topology

High-level view of how users, analysts, and law enforcement interact with the platform.

What's in the platform

  • Analyst Console (Next.js) — secure portal for volunteers and LEOs behind IAP; all traffic proxied through the Core API so PII stays redacted.

  • Core API (core-svc) — 22+ API routers covering intake, hybrid search, report generation, task status, taxonomy, and SSI investigation management (history, wallets, evidence, playbooks, live events); enforces encryption and RBAC. Cases are referred to as reviews in the API (routes under /reviews/); the UI calls them cases.

  • Cloud Run Jobs (14) — background workers for ingestion, classification sweeping, intake processing, report generation, dossier assembly, data-retention purge, analytics aggregation, linkage extraction, watchlist monitoring, infrastructure clustering, takedown detection, scheduled reports, and eCrimeX polling (ssi-ecx-poller). See Job Architecture for the full inventory.

  • SSI Cloud Run Service (ssi-svc) — always-on service for scam-site investigation: browser automation, OSINT, and wallet extraction. Analysts trigger investigations via POST /investigations/ssi on core-svc; core dispatches to ssi-svc at POST /trigger/investigate.

  • PII Protection — victim contact fields are Fernet-encrypted at rest; decryption is audit-logged and restricted to authorized roles. See core/docs/design/pii_vault.md.

  • Data Stores — Cloud SQL (PostgreSQL 15, IAM auth), three GCS buckets (evidence, reports, data-bundles), and Vertex AI Search for hybrid retrieval.

  • AI Services — Vertex AI Gemini 2.0 for classification, entity extraction, and report generation; Vertex AI Search for semantic + keyword hybrid search.

  • GraphService — server-side graph traversal engine (src/i4g/services/graph_service.py) for building entity relationship subgraphs via BFS with optional NetworkX spring layout for large graphs (>500 nodes).

  • Analytics Aggregation Job — Cloud Run job that computes entity_stats, analytics_kpis, and analytics_kpis_monthly materialized views; feeds the Timeline, Taxonomy Explorer, and Geographic Heatmap.

  • Platform Ops — Secret Manager for credentials, Cloud Logging with correlation IDs, Cloud Monitoring with alerting thresholds, and Artifact Registry for the 8 container images.

  • CI/CD — GitHub Actions with Workload Identity Federation (no long-lived keys) pushing images to Artifact Registry.
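The PII Protection item above (Fernet-encrypted contact fields, a redacted analyst view, role-restricted and audit-logged decryption) can be illustrated as follows. This is an added example, not the project's code or the design in pii_vault.md; the PiiVault class, the field names, the role names and the in-memory audit list are assumptions, and it uses Fernet from the Python `cryptography` package.

```python
import time
from cryptography.fernet import Fernet, InvalidToken

PII_FIELDS = ("email", "phone")      # assumed contact field names
DECRYPT_ROLES = {"leo", "admin"}     # assumed role names allowed to decrypt
AUDIT_LOG = []                       # stand-in for an append-only audit sink


class PiiVault:
    def __init__(self, key: bytes):
        self._fernet = Fernet(key)

    def seal(self, record: dict) -> dict:
        """Encrypt PII fields before the record is written to storage."""
        sealed = dict(record)
        for name in PII_FIELDS:
            if sealed.get(name) is not None:
                sealed[name] = self._fernet.encrypt(sealed[name].encode()).decode()
        return sealed

    @staticmethod
    def redacted(sealed: dict) -> dict:
        """View served to analysts: PII fields are masked, the rest passes through."""
        return {k: ("[REDACTED]" if k in PII_FIELDS else v) for k, v in sealed.items()}

    def reveal(self, sealed: dict, field: str, actor: str, role: str) -> str:
        """Decrypt one field; every attempt is audited, including failures."""
        outcome = "error"
        try:
            if field not in PII_FIELDS or role not in DECRYPT_ROLES:
                outcome = "denied"
                raise PermissionError(f"role {role!r} may not decrypt {field!r}")
            value = self._fernet.decrypt(sealed[field].encode()).decode()
            outcome = "ok"
            return value
        except InvalidToken:
            outcome = "invalid_token"  # tampered ciphertext or wrong key
            raise
        finally:
            AUDIT_LOG.append({"ts": time.time(), "actor": actor, "role": role,
                              "review_id": sealed.get("review_id"), "field": field, "outcome": outcome})


def build_sample():
    # Constructed sample record; a deployment would load the key from a secret store.
    vault = PiiVault(Fernet.generate_key())
    sealed = vault.seal({"review_id": "r-1", "email": "victim@example.org",
                         "phone": "+1-555-0100", "summary": "romance scam"})
    return vault, sealed
```

Writing the audit entry in `finally` means denied and failed decryptions leave the same trail as successful ones, which is what makes the log useful for spotting misuse.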

Why it matters

  • Safety by design: PII contact fields are encrypted at rest; analysts work on redacted data.

  • Evidence-ready: Every case flows toward a signed dossier that law enforcement can verify.

  • Resilient & scalable: Serverless services scale 0→10 for campaigns or surges without a large ops team.
