Platform
Sovereign primitives.
One verified plane.
Six managed primitives wrapped in a verified plan loop: deploy, verify, approve, operate, prove. Runs on Outscale SecNumCloud infrastructure today, multi-cloud by design.
Six sovereign primitives
The substrate, fully managed.
Self-hosted Git
Object Storage
Secrets
Container Registry
Runtime
Keycloak SSO
The verified plan loop
From intent to audit evidence — in one loop.
Pick a verified blueprint — or describe intent.
Rectangle curates the blueprint catalog: Peppol AP, LTA, Keycloak, Mistral inference, Tyk gateway, ArgoCD apps. Same artifact whether authored by a human or by AI Mode.
- Curated catalog, not a blank Terraform file
- Blueprints carry residency and policy invariants
- Multi-cloud target — Outscale today, OVH/hybrid on roadmap
Peppol AP
verified · PDP/PA-ready access point with SMP.
Keycloak Realm
verified · Sovereign identity with OIDC + SAML.
LTA Bucket
verified · Probative archive aligned to NF Z42-013.
Mistral Inference
verified · Sovereign-hosted EU model endpoint.
Tyk Gateway
verified · mTLS API gateway with quota guards.
ArgoCD App
verified · GitOps app wired into the verified plan loop.
Every change becomes a signed, reviewable plan.
Plans land in a product console — resource tree, signed diff, residency check, policy invariants. Reviewers see exactly what will change, before it changes.
- Signed plan hash bound to source commit
- Residency and network policy checked at plan time
- Destructive changes called out, not hidden
- namespace: peppol-ap-prod
- services: tyk-gateway, peppol-ap@1.4, keycloak-realm
- policy: mTLS · quota=10k/s
+ namespace: peppol-ap-prod region: fr-par-secnumcloud
+ tyk.gateway: quota=10k/s mTLS=on
+ peppol.ap: version=1.4 pdp_pa=ready
+ argocd.app: peppol-ap sync=manual
~ keycloak.realm: rotated client secrets
! requires approval: compliance.peppol
Humans approve before infrastructure changes.
Approval is scoped to the compliance domain a change touches. Approver identity is attached to the signed plan as evidence.
- Designed so apply requires explicit human approval
- Approval scopes match your regulatory perimeter
- AI Mode follows the same gate as humans
- plan hash: 0x9c41…ab2e
- residency: fr-par · SecNumCloud
- blueprint: peppol-ap@1.4 (verified)
- retention: 10y · NF Z42-013
- Residency check passed
- Verified blueprint resolved
- Plan diff reviewed
- Approver identity attached
GitOps keeps reality equal to signed state.
ArgoCD reconciles your sovereign estate against signed Git state. Drift is surfaced for review — never silently corrected.
- ArgoCD reconciliation on a sovereign control plane
- Drift surfaces as a reviewable event
- One CLI for engineers, one console for reviewers
Plans, approvals, deploys and drift become evidence.
Every step lands in the LTA — archivage à valeur probante aligned with NF Z42-013 and eIDAS timestamps. Exportable on regulator request.
- NF Z42-013 aligned · eIDAS-grade timestamps
- Configurable retention windows (5 / 10 / 30y)
- Audit export designed for regulator workflows
- Prompt received · p:0x71…ce · ops-lead@rectangle · 14:02:11
- Plan signed · 0x9c41…ab2e · ai-mode / verified blueprint · 14:02:18
- Human approval · sig:0x4b…9d · compliance.peppol · 14:05:44
- Deployed · rev:1.4.0 · argocd · fr-par-secnumcloud · 14:09:56
- Archived · lta:0xaa…12 · LTA · NF Z42-013 · 10y · 14:10:02
Multi-cloud by design
Start on Outscale SecNumCloud. Extend later, without rewriting.
Blueprints target a sovereign substrate rather than a vendor SKU. OVH, hybrid and on-prem extensions are on the roadmap — your workloads do not change as the substrate evolves.
Formal verification discipline
A typed infrastructure model — no drift between intent and runtime.
Blueprints carry machine-checkable invariants for residency, identity and network policy. Plans are signed. ArgoCD reconciles runtime against signed state — drift is surfaced, not silently corrected.