iqCloud + IoTGuardian Architecture
Canonical mirror of H:\websites\audit-output\architecture.md and the iqCloud + IoTGuardian Architecture Notion page. Edit src/content/diagrams.ts to update.
1. Tier-1 — iqCloud platform plane
Public traffic terminates at Front Door + WAF, flows over Private Link to APIM, and fans out to six platform Container Apps. The per-tenant data plane is shown below.
2. Tier-2 — IoTGuardian tenant plane
Existing surface (marketing site + 34-page Vite console) plus the device runtime still to be built (edge agent, DPS, IoT Hub, Device Update, attestation) and the AKS workloads it feeds.
3. Identity flow
Three IdPs, one authorisation plane. JWT lands at APIM with a tenant_id claim; backend pins the connection scope via SET LOCAL before any query.
4. Telemetry signing path
Every event is HMAC-SHA256 signed per-tenant before leaving the source. Stream Analytics verifies; failures dead-letter and alert SOC.
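An added illustration of this signing path, not code from the iqCloud/IoTGuardian codebase: the per-tenant keys, tenant ids and event payload are constructed placeholders, and a small verify/route function stands in for the Stream Analytics verification step and its dead-letter output.

```python
import hashlib
import hmac
import json

# Constructed per-tenant signing keys (placeholders, not real secrets).
# In the real path each tenant's key lives in its own secret store.
TENANT_KEYS = {
    "tenant-a": b"constructed-key-for-tenant-a",
    "tenant-b": b"constructed-key-for-tenant-b",
}


def canonical_bytes(event: dict) -> bytes:
    # Source and verifier must hash byte-identical input, so the
    # event is serialised as canonical JSON (sorted keys, no spaces).
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_event(event: dict, key: bytes) -> dict:
    # Signs at the source, before the event leaves the device/site.
    # tenant_id is part of the signed payload, so it cannot be swapped later.
    sig = hmac.new(key, canonical_bytes(event), hashlib.sha256).hexdigest()
    return {"event": event, "sig": sig}


def verify_event(envelope: dict) -> bool:
    # Verifier side: the key is selected by the tenant_id the event claims,
    # so an event signed with another tenant's key fails verification.
    event = envelope.get("event", {})
    key = TENANT_KEYS.get(event.get("tenant_id"))
    sig = envelope.get("sig")
    if key is None or not isinstance(sig, str):
        return False
    expected = hmac.new(key, canonical_bytes(event), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the expected MAC via timing.
    return hmac.compare_digest(expected, sig)


def route(envelopes: list) -> tuple:
    # Verified events continue downstream; failures go to the dead-letter
    # list, which is what the SOC alert is raised on.
    accepted, dead_letter = [], []
    for env in envelopes:
        (accepted if verify_event(env) else dead_letter).append(env)
    return accepted, dead_letter
```

The test cases worth keeping in a CI suite are a tampered payload, an envelope without a signature, and an event signed with one tenant's key while claiming another tenant_id; all three must land in the dead-letter output.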
5. Billing path
Single Stripe merchant of record. Sibling sites consume @iqcloud/billing-sdk; iqcloud-billing owns webhook handling and writes every event to the audit log.
6. Control plane data flow
iqcloud-controlplane: pulls from Azure ARM/Monitor/Cost, ingests four webhook sources (Monitor/Defender/Sentinel/Stripe), gates writes behind multi-sig, feeds both /ops and IoTGuardian Super-Admin, emits daily Teams + email digest.
7. AI feature controls
Per-tenant on/off matrix backed by INDUSTRY_RECOMMENDATIONS in iqcloud-ai-registry. Multi-sig on expensive or compliance-blocker features; toggles enforced at runtime by the APIM token-limit policy and audited end-to-end.
8. Cross-tenant isolation guards
Six guards stack: code wrapper, AI Search physical separation, Foundry per-tenant projects, FORCE RLS, network private endpoints, Bitwarden naming.