Nautilus

Architecture

The 30-second picture

  • 16 microservices organized by business domain. Each owns its data. None share schemas.
  • Event bus is NATS JetStream with Quanta's agent contract layered on top.
  • Shore cluster runs on RKE2 (public cloud — OCI, AWS, or Azure). Vessel cluster runs on K3s. Same pattern, same charts, two scales.
  • Identity is Zitadel (OIDC / OAuth2). One IDP across all domains.
  • API gateway is Kong Gateway OSS. Same deployment shore and onboard.
  • Networking + policy + observability is Cilium (CNI, WireGuard, Hubble). No separate service mesh in Phase 1–3.
  • Database per service is PostgreSQL via the CloudNativePG operator.
  • Frontends are React PWA (POS / kiosk / iTV / signage) and React Native (mobile) — one codebase, multiple form factors.
  • Comms is ConnectOne (PBX + signaling + media) with CallCraft as the AI-voice surface inside it.
  • AI fabric is Quanta. Content safety + analysis is Heimdall.
  • Privacy is per-tenant region pinning, GDPR-grade by default, crypto-erasure for non-deletable stores.

Three-tier integration model: Tier A open primitives (NATS JetStream + Quanta agent contract, Signal-Protocol library, PSI module — Apache 2.0 / AGPL-with-linking-exception). Tier B closed commercial NT Connect services (Quanta, ConnectOne, CallCraft, Heimdall). Tier C documented interfaces (CC BY 4.0 specs + Apache 2.0 conformance harnesses) with ship-PBX live and Heimdall API, CallCraft contract, iTV / GRMS coming.

Three-tier integration model

Nautilus is organized into three tiers with different licensing and openness postures. The model is designed so any third party can build a Nautilus-compatible integration without running a single line of NT Connect's commercial code.

Tier A — Open primitives

Permissively licensed. Foundational. Everyone uses these.

Primitive License What it is
NATS JetStream + Quanta agent contract Apache 2.0 The bus (NATS) and the JetStream subject + stream contracts (AGENT_MESSAGES / AGENT_RESPONSES, cross-account sourcing for tenant isolation, agent JWT semantics).
Signal-Protocol library AGPL-3.0 with linking exception (libsignal pattern) The end-to-end encryption library underlying secure messaging.
PSI contact-discovery module Apache 2.0 Private set intersection for contact discovery.

Tier B — Closed services

Commercial NT Connect products. Run them yourself via the published interfaces, or use NT Connect's managed services.

  • Quanta — auth, messaging-service, keys-service, websocket-gateway, push, media, group, admin, video.
  • ConnectOne — Cloud PBX, signaling, media platform.
  • CallCraft — AI-voice agent runtime inside ConnectOne.
  • Heimdall — DeBERTa-v3 multi-task analysis service + 12 content-safety plugins.

Tier C — Documented interfaces

Anyone can implement against these specs and integrate without using NT Connect's closed services. Spec text is CC BY 4.0; reference stubs and conformance harnesses are Apache 2.0.

  • ship-PBX integrationlive (Draft v0.1). Legacy PBX (Avaya / Mitel / Cisco / Alcatel / Asterisk / FreeSWITCH) ↔ Nautilus bus for call events, PA/GA, E911, recordings, commands.
  • Heimdall content-safety API — coming next.
  • CallCraft agent contract — extends the Quanta agent contract with voice/video-session semantics.
  • ConnectOne E911 / PA-GA / muster signaling.
  • Quanta keys-service protocol.
  • iTV / cabin GRMS adapter contract.
  • Fleet-wide federation.

Browse Tier-C specs →

The bus

The bus is NATS JetStream v2.10+ (with -js enabled), running cross-account so tenants are isolated by JetStream sourcing rather than by namespace. Quanta's agent contract layers on top:

  • AGENT_MESSAGES — outbound stream of events that AI agents may consume.
  • AGENT_RESPONSES — agent outputs flowing back to the platform.
  • Cross-account JetStream sourcing per tenant.
  • Agent JWT semantics for capability scoping.

Every domain event is observable to AI agents by construction. This is what we mean when we say "AI as fabric, not bolt-on."

Ship-to-shore bus topology: shore RKE2 cluster runs the NATS JetStream cluster with Quanta's agent contract (AGENT_MESSAGES / AGENT_RESPONSES) on top. Each vessel runs a K3s cluster with a NATS leaf node that replicates JetStream streams to shore. Replication is dashed because it absorbs VSAT / Starlink outages with guaranteed delivery and replay on reconnect. Tenants are isolated by cross-account JetStream sourcing.

Ship ↔ shore sync

Onboard NATS leaf node replicates JetStream streams to the shore cluster with guaranteed delivery and replay-on-reconnect. When the VSAT / Starlink uplink is degraded:

  • Onboard domains keep publishing events locally.
  • Shore replication queue grows.
  • On reconnect, the queue drains in order; idempotent consumers reconcile.

No batch jobs. No "end-of-day sync." Operational reality is reflected in the fleet dashboard live, with replay catching up degraded vessels.

Per-tenant region pinning

Privacy is the global default, regardless of tenant jurisdiction. GDPR-grade controls are baseline; tenants in other jurisdictions inherit them rather than getting weaker protections.

  • Each tenant is pinned to a shore region at onboarding.
  • Operational data stays in-region.
  • Heimdall has per-region SafeSpace deployments with metadata-only cross-border flow to a single consolidation region for analytics — not full content.
  • DSR APIs (access / rectify / erase / port / restrict / object) are first-class endpoints in Domain 1.
  • Crypto-erasure for non-deletable stores (audit logs, blockchain-style append-only ledgers).
  • Per-category retention configured per jurisdiction.
  • DPIA per tenant authored at onboarding.
  • No secondary use of operational data without explicit renewed consent.

Diagram: Tenant A pinned to EU region. Tenant B pinned to US region. Heimdall SafeSpace per-region; metadata-only flow to consolidation region. DSR APIs in Domain 1.

Vessel deployment topology

A vessel is a K3s cluster running the same Helm charts as the shore cluster, with a few cruise-specific additions.

Vessel deployment topology: a K3s cluster onboard. Networking and observability layer with Cilium CNI plus WireGuard, eBPF kube-proxy replacement, Hubble flow observability, Kong Gateway in DB-less mode, Prometheus and Loki. Bus and state layer with NATS leaf node (replicating to shore), CloudNativePG operator with Postgres per service, Redis cache, IPTV origin cache. Comms and AI layer with ConnectOne PBX (cabin SIP, PA / GA, E911, offline operation), CallCraft AI-voice agents, onboard Heimdall content-safety, NVIDIA L4 GPU. Domain services row with the 16 bounded domains as React PWA frontends.

Onboard cluster components:

  • K3s control plane.
  • Cilium CNI — kernel ≥ 5.15 required, eBPF kube-proxy replacement, WireGuard transparent encryption, CiliumNetworkPolicy for identity-based authz, Hubble flow observability.
  • CloudNativePG operator with one Postgres cluster per domain service. PgBouncer in front of the primary; postgres_exporter + ServiceMonitor mandatory.
  • NATS leaf node replicating JetStream streams to shore.
  • Kong Gateway OSS in DB-less mode with decK declarative config under GitOps.
  • ConnectOne PBX running locally so onboard calls survive uplink loss.
  • CallCraft agent runtime for onboard AI-voice (offline-capable for safety paths).
  • Heimdall onboard module — quantized SafeSpace tier per OQ-21, sized to onboard hardware.
  • signsync for fleet-wide signage.
  • IPTV origin cache for the iTV stack.
  • NVIDIA L4 GPU (typical sizing) for the onboard Heimdall and CallCraft inference workloads.

CallCraft + AI agents

Diagram: AI agents joining ConnectOne calls / rooms via AGENT_MESSAGES / AGENT_RESPONSES streams, with Quanta orchestrating intent dispatch and the agents posting back into Domains 3 (folio), 4 (POS), 7 (dining), 8 (excursions), 16 (telehealth) as appropriate.

A CallCraft agent is a first-class participant in a ConnectOne call or room. It joins via the Quanta agent contract, consumes audio + signaling, and produces:

  • AI Notes summaries on every call (configurable per tenant).
  • Voice intents routed back into the relevant domain — voice ordering posts a Domain 4 POS event; concierge booking posts a Domain 8 excursion event.
  • Sentiment and content analysis via Heimdall, applied to call audio per tenant policy.
  • AI-guided mustering instructions during emergency, over the ConnectOne PA/GA tier.

There is no separate SIP / WebRTC stack inside any SPMS domain. The transport is ConnectOne; the AI is CallCraft; both communicate over the bus.

Domain interaction map

Diagram: 16 domains as event publishers / subscribers. Sample flows: gangway scan → Domain 5 publishes embark event → Domain 6 muster updates → Domain 14 PA system gets crew acknowledgment via CrewApp → Domain 12 fleet dashboard updates live.

A handful of canonical event flows make the model concrete:

  • Guest scans card at gangway. Domain 5 publishes embark.scanned. Domain 6 muster updates the live headcount. Domain 12 fleet dashboard reflects the new gangway count. Heimdall (via Domain 13) analyzes the access pattern for anomalies.
  • Waiter posts an order. Domain 4 publishes pos.order.created. Domain 3 posts the line to the folio. Domain 11 decrements inventory. Domain 7 emits an order.fired event for the KDS. Domain 13 updates the predictive-spend model for the guest.
  • Guest dials cabin extension and asks for room service. Domain 14 ConnectOne routes the call. CallCraft joins as an agent. CallCraft publishes pos.order.created on the guest's behalf. Domain 3 posts to folio. Domain 7 fires the order on the KDS. Domain 13 captures the intent for voice-pattern analysis.
  • Operator changes a venue menu in the CMS. Domain 7 publishes menu.updated. Domain 15 signage subscribers redraw all menu boards in the affected venue within seconds. Domain 4 POS terminals refresh. Domain 13 updates the recommendation index.

What we're explicitly not doing

  • No service mesh in Phase 1–3. Cilium covers CNI, encryption, policy, and observability. Linkerd / Istio are tracked as future-evaluation only.
  • No MongoDB or Couchbase in Nautilus. Postgres JSONB covers the flexible-schema needs.
  • No Oracle DB. No Oracle MICROS terminals. Commodity hardware throughout.
  • No batch ship-to-shore sync. Event-stream replication only.
  • No proprietary PBX. ConnectOne is the platform; legacy on-vessel PBXes integrate via the Tier-C ship-PBX spec.
  • No closed CSAM-detection black box. Heimdall's CSAM path uses PhotoDNA + Thorn with NCMEC reporting per 18 USC 2258A; it's auditable.
  • No "AI-powered" without naming the model. DeBERTa-v3-large for analysis; named LLM agents per task; quantized variants onboard.

See the tech stack → See the roadmap →