Topic · Security architecture
GUS.ai connects the way you already run.
Cloud-deployed. Outbound authenticated connections only. No inbound holes in the OT firewall. Read-only at the OT layer. Per-customer data isolation. Documented exit ramp with portable data export.
Chapter 06
The Security Posture.
One direction. One boundary. One audit trail.
Architecture
ADX. Plant floor to GUS.ai.
ADX edge gathers. ADX server stores. GUS.ai queries. Single outbound port from the plant network. ISA-95 hierarchy. The same architecture running today at the reference cheese plant.
Plant floor · ADX at the Edge
Ignition Edge + EventGateway
01
PLC / ControlLogix
Existing process controls. EventGateway speaks Allen-Bradley MSG instructions natively.
02
Ignition Edge IIoT
Time-series via Sparkplug B. Active/standby redundancy. Store-and-forward, no data loss.
03
EventGateway
APT-built microservice. Translates PLC data to JSON, publishes to MQTT.
Two production services in the standard deployment. Node-RED is also installed for prototyping but is not in the production data path. PLCTagWriter (the only ADX write-back path) is optional and only installed on explicit customer request.
MQTT + TLS · port 8883 outbound only · Sparkplug B payloads · no inbound firewall holes
APT cloud · ADX at the Server
HiveMQ, Chronicler, Museum
01
HiveMQ
MQTT broker. Receives the encrypted outbound stream. Industry-standard, swappable.
02
Chronicler
APT-built. Parses Sparkplug B, republishes flat MQTT, writes to Museum on ISA-95 path.
03
Museum
ADX data store. Built on TimescaleDB. Enterprise / Site / Area / Line / Workcell hierarchy.
GUS.ai queries Museum read-only via PostgreSQL. Encrypted at rest (AES-256, TigerData default).
Read-only PostgreSQL query into Museum · plant-scoped · citation-tracked
AI agent · queries ADX read-only
GUS.ai
01
Claude tool-use loop
14 read-only tools. 10-call budget per query. Plant-scoped reasoning across telemetry + corpus.
02
Citation-first answers
Every response cites its source: document page, telemetry tag, alarm definition, batch record, or dependency graph node.
03
No write path of any kind
GUS.ai cannot use PLCTagWriter, cannot modify Museum, cannot reach the PLC.
Tamper-evident audit log. SHA-256 hash chain on every record. Verifiable on demand.
The Promises
Read-only. Outbound only. Customer data, customer control.
Nine commitments that define the security baseline. The CYBERSECURITY_SUMMARY.pdf answers the formal questions on request.
No inbound firewall ports. All connections outbound from the facility.
Read-only at the OT layer. Standard ADX has no PLC write path; GUS.ai cannot write under any configuration.
TLS 1.2+ encryption on every hop leaving the facility.
Encryption at rest in our cloud, customer-isolated tenant.
Early access uses Clerk email login (password or magic link) with domain whitelist. Production wires native Entra ID with tenant RBAC.
SOC 2 Type II across the stack: Anthropic, OpenAI, TigerData (database), Clerk (identity), Railway (hosting).
Tamper-evident audit log. SHA-256 hash chain on every record, verifiable on demand.
Your data is never used to train AI models. Period.
Exit ramp on day one. Data export, key revocation, off-boarding documented in the engagement agreement.
GUS.ai observes the process. It never controls it.
The agent reasons, cites, and answers. No actuation, no overrides, no writes to the control system.
Identity · Audit · Exit
Who asked. What it found. How to leave.
Three rails to give an IT lead what they actually need: provable identity, provable history, provable exit.
Pilot, then production
Identity
Early phase
Clerk email login (password or magic link). Domain-whitelisted by invite list. Stand up in hours.
Production
Native Entra ID / Azure AD / ADFS through the existing tenant. No new account store to manage.
Role-based access
Today: every authenticated user has identical read-only access. Operator / engineer / supervisor / admin tiers (with AD group mapping) are on the roadmap for a future release.
Per-query attribution
Every chat is logged against the authenticated Clerk user. Both phases.
SHA-256 hash chain
Audit
Every query, every answer, every citation
Stored in the tamper-evident log. Reviewable in the admin UI.
SHA-256 hash chain
Each record cryptographically links to the previous. Verifiable on demand by walking the chain.
Exportable
CSV download from the admin export today. Security events go to JSONL trail (SIEM-ingestible).
Day-one ramp
Exit
Day-one data export
PostgreSQL dump of the schema, JSON corpus + embeddings, full audit log.
Access revocation
Pull Clerk users to revoke human access. APT rotates the service-account credentials on request.
Tenant teardown
Off-boarding procedure documented in the engagement agreement.
The FAQ · 1 of 2
Network, auth, and ops.
Four common questions from IT teams on initial review.
Q · 01
What firewall rules do I need to open?
One outbound rule, port 8883, to a known URL. No inbound rules. The facility's network security posture is not weakened.
Q · 02
What does 'authenticated' mean specifically?
Username/password on the MQTT broker by default. Mutual TLS with client-side certificates available on request as a second authentication layer.
Q · 03
What happens if cloud connectivity drops?
Ignition Edge IIoT buffers data locally per the Sparkplug B store-and-forward spec, then forwards when the connection is restored. No data loss.
Q · 04
Is SAML SSO available today?
Not in the early phase. Early access uses Clerk email login (password or magic link) with the customer's domain on the invite whitelist. SAML SSO is available at production deployment, either via Clerk's Enhanced Authentication add-on or a native Entra ID integration.
The FAQ · 2 of 2
Tenancy, write-back, and exit.
Three more on multi-tenancy, control-system safety, and how you leave.
Q · 01
Am I in a multi-tenant database?
Per-customer schema in a TigerData-managed PostgreSQL cluster. Standard SaaS isolation pattern. Per-customer dedicated database is available on enterprise contract if required.
Q · 02
Can GUS.ai write to my PLC?
No, never. ADX has an optional component called PLCTagWriter that can write back to a PLC, but it is not in the standard deployment and GUS.ai cannot use it under any configuration. GUS.ai has 14 read-only tools and zero write methods in the adapter layer.
Q · 03
What's the exit ramp if a customer wants out?
PostgreSQL dump of the customer schema, JSON corpus + embeddings export, full audit log, and Clerk user revocation. Off-boarding procedure documented in the engagement agreement.
The FAQ · continued
Five follow-ons after the architecture walk.
Audit, identity, key control, and what happens if APT goes away.
Q · 01
Can we see the audit UI?
Yes. The admin queries page provides a filterable, paginated view of every query, every tool called, every result returned, with timestamps and per-user attribution. Available in production at app.apt-gus.ai.
Q · 02
How do we revoke a user's access?
Pull the user from the Clerk dashboard. Takes seconds, no APT involvement required. APT can also rotate the service-account credentials on request. Both mechanisms documented in the engagement agreement.
Q · 03
How does the SHA-256 hash chain actually work?
Each audit record carries a prev_hash (SHA-256 of the previous record) and a record_hash (SHA-256 of this record's contents). Rewriting any prior record breaks every subsequent hash. A database trigger rejects UPDATEs that would change a finalized hash. The audit-verify endpoint walks the chain on demand and reports the first break.
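The chain walk described in this answer, as an added Python illustration rather than APT's or GUS.ai's code. The field names prev_hash and record_hash come from the answer; the all-zero genesis value, the JSON canonical form, the inclusion of prev_hash in the hashed contents, and the sample records are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first record


def record_hash(body: dict, prev_hash: str) -> str:
    # Assumed canonical form: sorted-key compact JSON over body + prev_hash,
    # so each hash also commits to everything that came before it.
    payload = json.dumps({"body": body, "prev_hash": prev_hash},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain: list, body: dict) -> None:
    # Link the new record to the current head of the chain.
    prev = chain[-1]["record_hash"] if chain else GENESIS
    chain.append({"body": body, "prev_hash": prev,
                  "record_hash": record_hash(body, prev)})


def verify(chain: list):
    """Walk the chain; return None if intact, else (index, reason) of the first break."""
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != expected_prev:
            return (i, "prev_hash does not match previous record_hash")
        if record_hash(rec["body"], rec["prev_hash"]) != rec["record_hash"]:
            return (i, "record_hash does not match record contents")
        expected_prev = rec["record_hash"]
    return None


def build_sample() -> list:
    # Constructed sample records, not real audit data.
    chain = []
    append(chain, {"user": "alice@example.com", "query": "line 2 downtime", "tools": 3})
    append(chain, {"user": "bob@example.com", "query": "alarm A-17 history", "tools": 1})
    append(chain, {"user": "alice@example.com", "query": "batch 0412 record", "tools": 2})
    return chain
```

A chain walk of this kind detects in-place edits and deletions in the middle of the log; detecting removal of the newest records additionally requires comparing the head hash with a copy kept outside the database.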
Q · 04
What happens if APT goes out of business?
Customer data stays portable. Day-one export provides a PostgreSQL dump of the customer schema, JSON corpus + embeddings, and the full audit log, all in portable open formats. Re-hostable on any TimescaleDB cluster; corpus importable to any vector store.
Q · 05
Why is RBAC on the roadmap and not yet available?
GUS.ai is read-only by architecture. Every authenticated user sees the same tool surface today and cannot take action against the control system. The risk profile of an advisory tool with no write path is fundamentally different from a tool that can actuate. Tiered access (operator / engineer / supervisor / admin with AD group mapping) is on the roadmap for a future release.
End of topic · IT & Security