Architecture
Docker per-tenant containers, Traefik routing, S3 persistence, and EC2 infrastructure.
Cloud Architecture
Reeve Cloud runs on AWS with a container-per-tenant architecture. Each tenant gets a dedicated gateway process with isolated data, while shared infrastructure handles routing, auth, and persistence.
Infrastructure Stack
┌─────────────────────────────────────────┐
│ EC2 Instance │
│ │
Internet ──────────▶│ Traefik (reverse proxy, TLS, routing) │
│ │ │
│ ├──▶ Tenant A (Docker container) │
│ │ └── Gateway :8080 │
│ │ │
│ ├──▶ Tenant B (Docker container) │
│ │ └── Gateway :8081 │
│ │ │
│ └──▶ Tenant C (Docker container) │
│ └── Gateway :8082 │
│ │
│ S3 Sync ◀──── Persistent data │
└─────────────────────────────────────────┘Components
| Component | Technology | Purpose |
|---|---|---|
| Compute | EC2 (ARM, Graviton) | Host Docker containers |
| Routing | Traefik | Reverse proxy, TLS termination, host-based routing |
| Containers | Docker | Per-tenant gateway isolation |
| Storage | S3 | Persistent data (configs, memory, goals DB) |
| Auth | Clerk | User authentication, session management |
| Services | Railway (Python FastAPI) | Connectors, billing, analytics APIs |
| Frontend | Vercel (Next.js) | Cockpit dashboard |
Traefik Routing
Traefik routes requests based on hostname:
mindfortress.gw.meetreeve.com → Tenant: mindfortress → Container port 8080
acme.gw.meetreeve.com → Tenant: acme → Container port 8081WebSocket connections for real-time gateway communication:
wss://mindfortress.gw.meetreeve.com/ws/gatewayTraefik handles:
- TLS termination — Let's Encrypt certificates
- WebSocket upgrade — Transparent WS proxying
- Health checks — Container health monitoring
- Load balancing — Round-robin for multi-instance deployments
Container Lifecycle
Each tenant's container runs:
- Gateway process — The full Reeve gateway (Node.js)
- SQLite databases — Goals, memory, sessions (local to container)
- Config files —
reeve.json, workspace files, layer configs
Container startup
docker run -d \
--name tenant-mindfortress \
-e TENANT_ID=mindfortress \
-e REEVE_CLOUD_MODE=true \
-e REEVE_SERVICES_URL=https://services.meetreeve.com \
-v /data/tenants/mindfortress:/data \
reeve-gateway:latestData directory structure
/data/tenants/mindfortress/
├── reeve.json ← Gateway config
├── org/ ← Layer 2 (org) config
│ ├── AGENTS.md
│ ├── SOUL.md
│ └── CONTEXT.md
├── agents/ ← Agent workspaces
│ ├── main/
│ │ └── workspace/
│ └── marketing/
│ └── workspace/
├── goals/ ← Goals SQLite DB
│ └── goals.db
├── memory/ ← Semantic memory
│ └── memory.db
└── sessions/ ← Session dataS3 Sync
Persistent data is synced to S3 for durability:
- Config files —
reeve.json, workspace markdown files - Databases — Goals DB, memory DB (periodic snapshots)
- Agent workspaces — All markdown files in agent workspaces
Sync runs periodically and on container shutdown. On container start, data is pulled from S3 before the gateway starts.
SQLite databases use WAL mode for concurrent read/write access. S3 sync snapshots the database files at regular intervals, not on every write.
Services Architecture
The Python FastAPI services layer runs separately on Railway:
Gateway Container ──── HTTPS ────▶ Services API (Railway)
├── /api/auth/ ← Authentication
├── /api/connectors/ ← OAuth flows
├── /api/credits/ ← Billing
├── /api/dashboard/ ← Analytics
└── /api/brand/ ← Brand IntelService-to-service auth uses X-Reeve-Services-Token header with a shared secret.
Scaling
- Vertical: Larger EC2 instances for more tenants per host
- Horizontal: Additional EC2 instances with Traefik load balancing
- Per-tenant: Each container has configurable CPU/memory limits
Current capacity: ~50 tenants per m7g.xlarge instance, depending on agent activity.