
Platform architecture documentation for RATEB workforce program operations — technical briefing, not a product landing page.


Platform architecture

Multi-agency workforce program platform

RATEB is organized in platform layers that connect agency workspaces, partner portals, and regulated corridors—with separate agency databases, event-driven workflows, and policy controls in the stack.

Architecture overview

Orchestration infrastructure, not a single application

Programs, corridors, and agencies share a common workflow core while program data stays in separate agency databases. The platform separates user interfaces, workflow execution, field operations, finance, and storage.

Primary role

Coordinate workforce lifecycle stages, documents, finance events, and field telemetry across sending and host markets.

Tenancy model

Shared orchestration with isolated agency datastores and policy-scoped operator access.

Integration surface

REST APIs, signed webhooks, and server-sent streams for partner and government-aligned systems.

Review posture

Technical documentation for CTO, procurement, and enterprise architecture review — not a product tour.

Platform layers

Seven layers with explicit boundaries

Each layer owns a distinct responsibility set. Upper layers consume contracts from lower layers; cross-layer calls flow through orchestration and policy gates.

L7

Experience Layer

Responsibilities
Agency consoles, operator workspaces, partner-facing surfaces, and localized program UIs.
Operational role
Presents stage graphs, task queues, and corridor context without embedding business rules in the client.
Boundaries
No direct datastore access; all mutations route through orchestration APIs with session and RBAC enforcement.
L6

Orchestration Layer

Responsibilities
Stage graphs, workflow engines, assignment queues, verification pipelines, and cross-module coordination.
Operational role
Single execution authority for lifecycle transitions, retries, and correlation across modules.
Boundaries
Does not own long-term storage of program records; commits outcomes to tenant datastores via the data layer.
L5

Telemetry Layer

Responsibilities
Geospatial signals, offline sync buffers, geofence evaluation, and escalation routing.
Operational role
Operational visibility and anomaly routing for field programs — distinct from passive analytics.
Boundaries
Consumes orchestration context; does not mutate finance or governance state without workflow gates.
L4

Business Modules

Responsibilities
Recruitment, deployment, documents, inspections, violations, and corridor-specific program modules.
Operational role
Domain logic packaged as modules invoked by orchestration — not standalone silos.
Boundaries
Module APIs are tenant-scoped; cross-tenant reads are blocked at connection and policy layers.
L3

Governance Layer

Responsibilities
RBAC, country profiles, policy enforcement, audit history, and labor oversight workflows.
Operational role
Evaluates whether a transition, export, or operator action is permitted before commit.
Boundaries
Policy decisions are logged; governance does not replace orchestration execution.
L2

Commercial Layer

Responsibilities
Ledger, AR/AP, multi-currency postings, registration fees, and payment synchronization.
Operational role
Financial truth linked to lifecycle events via transaction correlation identifiers.
Boundaries
No program stage commits without orchestration; finance events are idempotent where configured.
L1

Data Layer

Responsibilities
Platform configuration, tenant routing, and isolated agency program datastores.
Operational role
Persistence, backups, and connection scoping for multi-agency operations.
Boundaries
Platform stores hold configuration and routing; agency databases hold program records—not cross-tenant workflow config.

Multi-tenant isolation

Shared core, isolated program data

Orchestration and governance are centralized; workforce records and operational state remain tenant-bound.

Shared orchestration core

One workflow engine and policy graph serve all agencies — reducing duplicated stacks per tenant.

Isolated tenant datastores

Agency program databases hold workers, documents, and stage history with connection-level segregation.

Governance boundaries

Country scope, branch RBAC, and API keys constrain what operators and integrations can observe.

Scoped operations

Finance, telemetry, and exports remain attributable to tenant, corridor, and actor context.

Event-driven infrastructure

Event fabric with replay-safe delivery

Lifecycle and integration events flow through a common fabric with ordered replay, signed webhooks, and idempotent consumers.

  1. Emit: Orchestration publishes lifecycle or integration event.
  2. Route: Fabric fans out to webhooks, SSE subscribers, and internal modules.
  3. Verify: HMAC / session scope validated at edge.
  4. Commit: Idempotent handler persists or advances stage.

Event fabric

Normalized event envelopes with correlation IDs, tenant context, and policy version references.

Webhooks

Outbound HMAC-signed delivery for partner systems; verification before side effects.

SSE streams

Server-sent streams for operator consoles requiring near-real-time queue and stage updates.

Orchestrated workflows

Stage graphs consume events to advance, branch, or hold programs pending verification.

Replay-safe operations

Consumers designed for at-least-once delivery without duplicate commits to finance or lifecycle state.

Idempotency

Idempotency keys on write paths for API clients, webhooks, and field sync batches.
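The verify-then-commit path described under Webhooks, Replay-safe operations, and Idempotency can be sketched from the receiving side. This is an added example, not RATEB code: the header names, the timestamp-plus-body signing layout, the 300-second window, and the event field names are all assumptions.

```python
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed replay window, not a value from the page


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Sender side: MAC over timestamp and raw body so neither can be swapped."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


class WebhookReceiver:
    """Verify-then-commit consumer for at-least-once delivery."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._results = {}  # event_id -> result; a durable store in a real system
        self.commits = []   # stands in for the tenant datastore

    def handle(self, headers: dict, body: bytes, now=None) -> str:
        now = time.time() if now is None else now
        ts = headers.get("X-Timestamp", "")   # hypothetical header name
        sig = headers.get("X-Signature", "")  # hypothetical header name
        # Verify: nothing is parsed or written until freshness and the MAC check out.
        if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > MAX_SKEW_SECONDS:
            return "rejected: stale or missing timestamp"
        expected = sign(self._secret, ts, body)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return "rejected: bad signature"
        event = json.loads(body)
        # The idempotency key lives inside the signed body, so a replayed
        # delivery cannot be given a fresh key to force a second commit.
        key = event["event_id"]
        if key in self._results:
            return "duplicate: " + self._results[key]
        # Commit: one write per event_id, attributed to tenant and correlation ID.
        self.commits.append((event["tenant"], event["correlation_id"], event["type"]))
        self._results[key] = "committed " + event["correlation_id"]
        return self._results[key]


# Constructed sample delivery.
SECRET = b"constructed-demo-secret"
BODY = json.dumps({"event_id": "evt-001", "tenant": "agency-a",
                   "correlation_id": "corr-42", "type": "stage.advanced"}).encode()
```

The MAC is computed over the raw bytes as received; re-serializing the JSON before verification would change the bytes and break the comparison.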

Field operations

Location-assisted operations for field programs

Location and device signals support deployment oversight—with offline sync and basic consistency checks.

Geospatial telemetry

Location checkpoints tied to worker and program context for corridor operations.

Offline synchronization

Buffered uploads reconcile when connectivity returns without losing correlation order.

Signal validation

Consistency checks flag implausible location jumps, device mismatches, or stale updates.
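One way the three consistency checks named above could be evaluated per checkpoint, as an added example that is not RATEB code. The speed ceiling, staleness limit, record fields, and flag names are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

MAX_SPEED_KMH = 200.0   # assumed plausibility ceiling, not a value from the page
MAX_AGE_SECONDS = 900   # assumed staleness limit, not a value from the page


@dataclass
class Checkpoint:
    worker_id: str
    device_id: str
    lat: float
    lon: float
    ts: int  # device-reported time, seconds since epoch


def haversine_km(a: Checkpoint, b: Checkpoint) -> float:
    """Great-circle distance between two checkpoints in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def validate(prev, cur: Checkpoint, enrolled_device: str, received_at: int) -> list:
    """Return the flags raised by one checkpoint; an empty list means it passed."""
    flags = []
    if cur.device_id != enrolled_device:
        flags.append("device_mismatch")
    if received_at - cur.ts > MAX_AGE_SECONDS:
        flags.append("stale_update")
    if prev is not None:
        dt = cur.ts - prev.ts
        if dt <= 0:
            # Equal or reversed timestamps make speed undefined; flag rather than divide.
            flags.append("out_of_order")
        elif haversine_km(prev, cur) / (dt / 3600.0) > MAX_SPEED_KMH:
            flags.append("implausible_jump")
    return flags


# Constructed sample checkpoints (coordinates near Riyadh and Jeddah).
A = Checkpoint("w-1", "dev-1", 24.7136, 46.6753, 1_700_000_000)
NEAR = Checkpoint("w-1", "dev-1", 24.7200, 46.6800, 1_700_000_600)
JUMP = Checkpoint("w-1", "dev-1", 21.4858, 39.1925, 1_700_000_600)
```

Batches uploaded after an offline period will exceed any fixed staleness limit, so a deployment would need to decide whether buffered checkpoints are flagged or judged against their batch's sync time.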

Geofence rules

Program-defined zones trigger holds, alerts, or escalation paths through workflows.

Operational escalation

Anomalies route to operator queues with audit attribution — not silent background logging only.

Finance infrastructure

Ledger-linked commercial subsystem

Financial events remain correlated to lifecycle stages and registration flows across currencies.

Ledger subsystem

Double-entry style postings with program and tenant attribution on each line.

AR / AP

Receivables and payables aligned to agency billing models and corridor fee schedules.

Transaction linkage

Payments and adjustments reference orchestration correlation IDs for reconciliation.

Multi-currency support

Posting and display currencies separated where corridor rules require FX context.

Registration / payment sync

Signup and renewal flows synchronize commercial state with provisioning gates.

Operational governance

Policy and accountability across the stack

Governance evaluates requests before orchestration commits — preserving audit-ready history.

RBAC

Roles scoped by country, branch, and module with least-privilege defaults.

Policy enforcement

Country profiles and stage rules applied consistently before transitions.

Audit history

Append-oriented records of actor, policy version, and correlation on sensitive actions.

Country scopes

Sending-market and host-market boundaries enforced on data and operator visibility.

Labor oversight support

Inspections, violations, deploy blocks, and visibility modules for government-aligned review.

Deployment model

Topology from edge to tenant datastore

Public surfaces, agency workspaces, and partner integrations converge on the orchestration core and tenant-bound persistence.

  • Public edge: TLS termination, rate limits, and static marketing or trust surfaces.
  • Agency workspace: Tenant-scoped operator console and program administration.
  • Partner portals: Sending-country agency and host-market partner interfaces.
  • APIs: REST integrations, webhook ingress/egress, scoped API keys.
  • Orchestration core: Workflow engine, governance gates, event fabric, module router.
  • Tenant databases: Isolated agency program datastores and document storage paths.

Architecture review

Request a technical walkthrough of layers, isolation, and deployment topology for procurement or engineering review.

Operational proof

Reference diagrams & workflows

Illustrative models for technical review—complement the sections above.

Screenshots, diagrams, and metrics on this page use sample operational data or illustrative interfaces. They are not live production dashboards, audited statistics, or evidence of universal government integrations.

Government & labor oversight

Inspections, violations, live tracking, and worker mobilization

RATEB includes a government-aligned control surface for labor monitoring demonstrations: inspectors record findings, violations and blacklist rules gate deployments, supervisors open a live tracking map with geofences, and field teams onboard workers to the mobile app via QR credentials—all scoped to the active agency database with role-based access.

  • Government Control consolidates inspections, violations, blacklist, worker alerts, and monitoring tabs behind one console—with optional read-only government view and a link to the live tracking map.
  • Inspection workflows capture worker and agency context, inspector identity, status (pending, passed, failed), and hashed credentials where policies require authenticated field access.
  • Tracking Map filters by tenant, agency, country, and session status; supports geofence creation, route playback, and latest worker locations on OpenStreetMap.
  • Worker Mobile Onboarding issues QR credentials so workers join the mobile program without sharing passwords in chat—device and identity fields stay optional for controlled pilots.

Sample operational data · demonstration interfaces · not a claim of live government integration unless contracted separately.

  • Inspection records: Inspection history with status badges, inspector attribution, and agency-scoped rows.
  • Tracking Map: Live map, geofences, playback, and filters for tenant, agency, and country.
  • Worker Mobile Onboarding: QR-based credentials for worker mobile app mobilization.

Reference diagrams

Illustrative diagrams · not live system output

  • Worker lifecycle workflow: Stage graph from intake through deployment and closure.
  • Agency onboarding: From qualification to production workspace.
  • Deployment lifecycle: Program setup, field coordination, host handover.
  • Tenant separation: Shared platform core; separate agency databases.
  • Event processing: Emit, route, verify, and commit with replay safety.

Workflow walkthroughs

Typical operator paths—your corridor policies may add or remove steps.

Worker onboarding

  1. Create worker record and assign sending-market profile.
  2. Capture documents; dedupe against existing files.
  3. Run verification bundles (medical, police, embassy as configured).
  4. Advance stage when policy checks pass; notify owners.

Outcome: Worker records are ready for deployment queue with full history.

Compliance review

  1. Inspector or reviewer opens worker records and corridor context.
  2. Compare documents and stage state to country policy profile.
  3. Record finding, violation, or deploy hold if required.
  4. Release or block next transition with actor attribution.

Outcome: Decision is logged and visible to agency and oversight roles.

Deployment approval

  1. Deployment program selects host market and placement slot.
  2. Human gate confirms readiness (docs, medical, visa steps).
  3. Emit deployment event; update field-operations context.
  4. Partner portal receives scoped deployment package.

Outcome: Placement is active with correlated events for finance and reporting.

Finance reconciliation

  1. Fees and invoices link to worker or placement correlation IDs.
  2. Payments post to ledger with idempotent handling.
  3. Controllers match AR/AP lines to stage milestones.
  4. Export trial balance or corridor report for review.

Outcome: Financial lines trace back to program events—not orphan spreadsheets.

Partner coordination

  1. Host-market partner receives scoped portal access.
  2. Exchange deployment documents and status updates.
  3. Webhook or API notifies partner systems where configured.
  4. Closure events sync back to agency workspace.

Outcome: Partners work inside defined boundaries without cross-tenant visibility.
