
Overview

Tesslate Studio is an AI-powered web application builder with a multi-tier, container-based architecture. Users describe what they want in natural language, an AI agent writes the code, and the platform handles isolated containerized deployment for each project. This page explains how the system is structured, how data flows between components, how security is enforced, and what technologies power each layer. Whether you are evaluating the platform, planning a deployment, or troubleshooting an issue, this document gives you the full picture.

High-Level Architecture

All services run on a single host machine via Docker Desktop.

Request routing (Traefik reverse proxy):

| Incoming Path | Routed To | Port |
| --- | --- | --- |
| /api/*, /ws/* | Orchestrator | 8000 |
| /* (everything else) | App (React frontend) | 5173 |
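The routing rules above boil down to a first-match prefix lookup. A minimal sketch of that logic (Traefik itself is configured via labels/YAML; the `ROUTES` table and `route` helper here are purely illustrative):

```python
# Illustrative sketch of Traefik's prefix routing for Tesslate Studio.
# The rule list mirrors the table above; order matters, so the catch-all
# route for the frontend comes last.

ROUTES = [
    ("/api/", ("orchestrator", 8000)),
    ("/ws/", ("orchestrator", 8000)),
    ("/", ("app", 5173)),  # everything else: React frontend
]

def route(path: str) -> tuple[str, int]:
    """Return (service, port) for the first matching prefix."""
    for prefix, target in ROUTES:
        if path.startswith(prefix):
            return target
    raise ValueError(f"no route for {path}")

print(route("/api/projects"))  # -> ('orchestrator', 8000)
print(route("/dashboard"))     # -> ('app', 5173)
```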
Running services:

| Service | Port | Role |
| --- | --- | --- |
| Traefik | 80, 443, 8080 | Reverse proxy, *.localhost subdomain routing |
| App | 5173 | React frontend (Vite dev server) |
| Orchestrator | 8000 | FastAPI backend (business logic, AI agents) |
| PostgreSQL | 5432 | Database |
| User Projects | Dynamic | One container per project, created on demand |
Storage: Local filesystem at orchestrator/users/{user_id}/{project_slug}/

Core Components

Orchestrator (FastAPI Backend)

The orchestrator is the central brain of Tesslate Studio. It handles all business logic, coordinates between the frontend and containers, and manages the AI agent system.

Responsibilities:

| Area | Details |
| --- | --- |
| Authentication | JWT tokens (7-day access, 14-day refresh), OAuth 2.0 (GitHub, Google), HTTP-only cookies with CSRF protection |
| Project Management | CRUD operations, file tree navigation, project metadata |
| Container Orchestration | Start/stop containers, health checks, log streaming, namespace lifecycle |
| AI Agent System | Agent instantiation, tool execution, LLM calls via LiteLLM, streaming responses |
| File Operations | Read/write/edit files in project containers (local filesystem in Docker, pod exec in K8s) |
| Git Operations | Clone, commit, push, pull, branch management |
| External Deployment | Build and deploy to Vercel, Netlify, Cloudflare |
| Billing | Stripe subscriptions, usage tracking, creator payouts |
Technology stack:
| Component | Technology | Purpose |
| --- | --- | --- |
| Framework | FastAPI | Modern async Python web framework |
| Language | Python 3.11 | Backend programming language |
| ORM | SQLAlchemy 2.x | Database ORM with async support |
| DB Driver | asyncpg | Async PostgreSQL driver |
| Authentication | fastapi-users | User auth and OAuth integration |
| AI Gateway | LiteLLM | Multi-model AI proxy (OpenAI, Anthropic, custom) |
| K8s Client | kubernetes (Python) | Kubernetes API interaction |
| S3 Client | boto3 | Object storage (AWS S3, MinIO, DO Spaces) |
| Payments | Stripe SDK | Subscription billing |

Frontend (React Application)

The frontend is a single-page application that provides the development workspace: code editor, live preview, chat interface, file browser, and project dashboard.

Technology stack:

| Component | Technology | Purpose |
| --- | --- | --- |
| Framework | React 19 | UI component library |
| Language | TypeScript 5.x | Type-safe JavaScript |
| Build Tool | Vite 5.x | Fast dev server and bundler |
| Styling | Tailwind CSS 3.x | Utility-first CSS framework |
| Code Editor | Monaco Editor | VSCode-based code editing |
| State | React Context | Auth, project, and agent state |
| Routing | React Router 6.x | Client-side navigation |
| HTTP Client | Axios | API communication |
| Streaming | EventSource (SSE) | Real-time agent responses |
Key features:
  • Monaco Editor with IntelliSense, syntax highlighting, and multi-file support
  • Live Preview via embedded iframe showing user project output in real time
  • Chat UI for conversational interaction with AI agents, with streamed responses
  • File Browser for navigating, creating, renaming, and deleting project files
  • Marketplace for browsing and installing agents and templates
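The streamed agent responses listed above arrive over the standard Server-Sent Events wire format (`event:`/`data:` lines, blank-line-delimited). The frontend consumes this via the browser's EventSource API; the sketch below only illustrates how that wire format decomposes into events:

```python
# Minimal parser for the SSE wire format used by agent streaming.
# Illustration only: the real client is the browser's EventSource.
def parse_sse(raw: str) -> list[dict]:
    """Split a raw SSE stream into events of shape {'event': ..., 'data': ...}."""
    events = []
    for block in raw.strip().split("\n\n"):  # blank line ends an event
        event = {"event": "message", "data": ""}  # 'message' is the SSE default
        for line in block.splitlines():
            if line.startswith("event:"):
                event["event"] = line[len("event:"):].strip()
            elif line.startswith("data:"):
                event["data"] += line[len("data:"):].strip()
        events.append(event)
    return events

stream = "event: tool_call\ndata: write_file\n\ndata: done\n\n"
print(parse_sse(stream))
```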

Database (PostgreSQL)

PostgreSQL stores all persistent application data. Schema management is handled by Alembic migrations that run automatically on startup. Key tables:
| Table | Purpose |
| --- | --- |
| users | User accounts, OAuth tokens, subscriptions |
| projects | Project metadata, owner, slug, settings |
| project_snapshots | EBS VolumeSnapshot records for versioning/timeline |
| containers | Individual services per project (frontend, backend, db) |
| container_connections | Dependency graph between containers |
| chats | Chat sessions with AI agents |
| messages | Individual chat messages |
| marketplace_agents | Pre-built AI agents |
| deployments | External deployment records |
| deployment_credentials | OAuth tokens for Vercel/Netlify/Cloudflare |
| shell_sessions | Persistent bash sessions |
| kanban_tasks | Project task management |
Optimization strategies:
  • Async connection pooling via SQLAlchemy
  • Indexed foreign keys (project_id, user_id)
  • Lazy loading for related objects
  • No blocking on database I/O (fully async)

Container Runtime

The container runtime provides isolated development environments for each user project. The orchestrator automatically selects the correct backend based on DEPLOYMENT_MODE.
| Component | Technology | Purpose |
| --- | --- | --- |
| Runtime | Docker Desktop | Run containers on local machine |
| Orchestration | Docker Compose | Multi-container project management |
| Routing | Traefik | Reverse proxy with *.localhost routing |
| Storage | Local filesystem | Direct volume mounts to orchestrator/users/ |
Storage structure:
orchestrator/users/
  {user_id}/
    {project_slug}/
      frontend/
        src/
        package.json
      backend/
        main.py
      tesslate.json
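Because project files live directly on the orchestrator's filesystem under this layout, any path built from a user ID and project slug should be confined to the storage root. A small sketch of that resolution (the `project_dir` helper is hypothetical, not the orchestrator's actual API):

```python
# Hypothetical helper resolving the orchestrator/users/{user_id}/{project_slug}/
# layout shown above, with a guard against path traversal in the slug.
from pathlib import Path

def project_dir(base: str, user_id: str, project_slug: str) -> Path:
    """Resolve a project's storage directory; refuse paths escaping the root."""
    root = Path(base).resolve()
    target = (root / user_id / project_slug).resolve()
    if root not in target.parents:  # e.g. slug contains "../"
        raise ValueError("path escapes storage root")
    return target

print(project_dir("orchestrator/users", "u-123", "my-app"))
```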

AI Agent System

The agent system enables AI-driven code generation within user projects. Agents receive user requests, call LLMs, execute tools (file operations, shell commands), and stream results back to the frontend.
| Component | Technology | Purpose |
| --- | --- | --- |
| LLM Gateway | LiteLLM | Unified interface for multiple AI model providers |
| Streaming | Server-Sent Events | Real-time agent responses to the frontend |
| Tool System | Custom Python tools | File ops, bash, sessions, web fetch, task tracking |
| Agent Loop | Custom streaming agent | Iterative tool-calling loop with LLM |
Supported models (via LiteLLM):
  • OpenAI: GPT-4, GPT-3.5
  • Anthropic: Claude 3.5 Sonnet, Claude 3 Opus
  • Custom: Qwen, DeepSeek, any LiteLLM-compatible endpoint
Agent tools:
| Tool | Purpose |
| --- | --- |
| read_write.py | Read/write files in the project |
| edit.py | Edit specific sections of a file |
| bash.py | Execute shell commands in the project container |
| session.py | Persistent shell sessions |
| fetch.py | HTTP requests for web content |
| todos.py | Task planning and tracking |
| metadata.py | Query project information |
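A common way to wire tools like these to LLM tool calls is a name-to-function registry. The sketch below shows that pattern with stubbed tools; the registry names (`register`, `dispatch`) and the tool bodies are illustrative, not the actual module API:

```python
# Illustrative tool registry: maps LLM tool-call names to Python callables,
# as a custom tool system like the one above might do. Tool bodies are stubs.
from typing import Callable

TOOLS: dict[str, Callable[..., str]] = {}

def register(name: str):
    """Decorator registering a function under an LLM-visible tool name."""
    def wrap(fn):
        TOOLS[name] = fn
        return fn
    return wrap

@register("write_file")
def write_file(path: str, content: str) -> str:
    return f"wrote {len(content)} bytes to {path}"

@register("bash")
def bash(command: str) -> str:
    return f"$ {command}"

def dispatch(call: dict) -> str:
    """Execute one tool call of shape {'name': ..., 'arguments': {...}}."""
    return TOOLS[call["name"]](**call["arguments"])

print(dispatch({"name": "write_file",
                "arguments": {"path": "src/App.tsx", "content": "export {}"}}))
```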

Data Flow

User Request Lifecycle

1. User interacts with the frontend UI
   |
2. Frontend sends HTTP or WebSocket request to the orchestrator
   |
3. Orchestrator validates authentication (JWT / cookie)
   |
4. Orchestrator queries or updates the database
   |
5. Orchestrator performs the requested operation:
   +-- File operation    --> Container filesystem (local or pod exec)
   +-- Container action  --> Docker API or Kubernetes API
   +-- AI chat           --> LiteLLM --> OpenAI / Anthropic
   +-- Deployment        --> Vercel / Netlify / Cloudflare API
   |
6. Orchestrator returns response to the frontend
   |
7. Frontend updates the UI

Agent Chat Flow

1. User sends a message
   The user types a request in the chat UI (for example, “Add a dark mode toggle”).

2. Frontend opens SSE connection
   The frontend sends POST /api/chat/stream with the message and agent ID. The response is a Server-Sent Events stream.

3. Orchestrator creates the agent
   The agent/factory.py module loads the agent configuration (system prompt, tools, model) from the database.

4. Agent loop executes
   The agent/stream_agent.py module runs an iterative loop:
   1. Call the LLM with the system prompt, conversation history, and available tools
   2. If the LLM returns tool calls (e.g., write_file, bash), execute them in the project container
   3. Stream tool execution events to the frontend in real time
   4. Call the LLM again with tool results
   5. Repeat until the LLM produces a final response

5. Frontend renders results
   The chat UI displays streamed events: thinking indicators, tool executions (file writes, command output), and the final response. The live preview updates automatically via Vite HMR.
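The iterative loop in step 4 can be sketched in a few lines. This is a toy version under stated assumptions: the fake LLM below returns one tool call and then a final answer, whereas the real loop streams events over SSE and calls an actual model through LiteLLM:

```python
# Toy version of the iterative tool-calling loop from step 4.
# fake_llm and run_tool are stand-ins for LiteLLM and container execution.
def fake_llm(history):
    if not any(m["role"] == "tool" for m in history):
        return {"tool_call": {"name": "write_file", "args": {"path": "a.py"}}}
    return {"final": "Done: dark mode toggle added."}

def run_tool(call):
    return f"ok: {call['name']}({call['args']})"

def agent_loop(user_msg: str, llm=fake_llm, max_steps: int = 5) -> str:
    history = [{"role": "user", "content": user_msg}]
    for _ in range(max_steps):
        reply = llm(history)
        if "final" in reply:                 # step 5: final response
            return reply["final"]
        result = run_tool(reply["tool_call"])  # step 2: execute in container
        history.append({"role": "tool", "content": result})  # step 4: feed back
    raise RuntimeError("agent exceeded max steps")

print(agent_loop("Add a dark mode toggle"))
```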

Container Start Flow (Kubernetes)

1. User clicks Start
   Frontend sends POST /api/projects/{id}/start.

2. Orchestrator creates namespace
   A new namespace proj-{uuid} is created with labels for the project and user.

3. PVC is provisioned
   A 10Gi PVC is created. If a VolumeSnapshot exists from a previous session, the PVC is created from the snapshot (EBS lazy-loads data on access).

4. File manager pod starts
   A file manager pod starts immediately (under 10 seconds). It handles file operations and git commands.

5. Dev containers start
   Dev container Deployments, Services, and Ingress resources are created. Pod affinity ensures all containers land on the same node to share the RWO PVC.

6. Frontend polls for status
   The frontend polls GET /api/projects/{id}/status. When all containers report healthy, the project is marked as running, and the user can access it at the subdomain URL.
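Step 2's namespace manifest is straightforward to picture. A hedged sketch of what the orchestrator might submit to the Kubernetes API (the label keys and the use of a deterministic UUID here are assumptions, not the actual implementation):

```python
# Sketch of a proj-{uuid} namespace manifest with project/user labels.
# Label keys and UUID derivation are illustrative assumptions.
import uuid

def namespace_manifest(project_id: str, user_id: str) -> dict:
    # uuid5 makes the name deterministic per project for this illustration
    name = f"proj-{uuid.uuid5(uuid.NAMESPACE_URL, project_id)}"
    return {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {
            "name": name,
            "labels": {
                "tesslate/project": project_id,  # hypothetical label key
                "tesslate/user": user_id,        # hypothetical label key
            },
        },
    }

print(namespace_manifest("proj-123", "user-456")["metadata"]["name"])
```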

Security Architecture

Authentication and Authorization

Mechanisms:
  1. JWT Tokens (Bearer authentication)
    • Access tokens: 7-day expiry
    • Refresh tokens: 14-day expiry
    • Sent in Authorization: Bearer {token} header
  2. HTTP-Only Cookies (Session authentication)
    • Secure, HttpOnly, SameSite=Lax
    • Domain-scoped for subdomain access
    • CSRF protection via double-submit cookie pattern
  3. OAuth 2.0 (Third-party login)
    • GitHub and Google providers
    • Authorization Code Grant flow
    • State token validation to prevent CSRF
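The expiry rules above (7-day access, 14-day refresh) come down to an `exp` claim checked at verification time. A minimal stdlib sketch of that check using an HMAC-signed token; real tokens are standard JWTs issued by fastapi-users, so this only illustrates the expiry logic:

```python
# Minimal HMAC-signed token illustrating the access/refresh expiry check.
# Real tokens are standard JWTs; SECRET is a demo value.
import base64, hashlib, hmac, json, time

SECRET = b"demo-secret"
ACCESS_TTL = 7 * 24 * 3600    # 7-day access token
REFRESH_TTL = 14 * 24 * 3600  # 14-day refresh token

def sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload).encode())
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest()
    return f"{body.decode()}.{mac}"

def verify(token: str, now=None) -> dict:
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if (now or time.time()) > payload["exp"]:
        raise ValueError("token expired")
    return payload

tok = sign({"sub": "user-1", "exp": time.time() + ACCESS_TTL})
print(verify(tok)["sub"])  # -> user-1
```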

CORS and Content Security Policy

CORS (Dynamic middleware):
  • Allowed origins: localhost:*, *.localhost, APP_DOMAIN, *.APP_DOMAIN
  • Credentials enabled (cookies, auth headers)
  • Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
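The "dynamic" part of the CORS middleware is matching wildcard origins like `*.localhost` and `*.APP_DOMAIN` at request time. A sketch of that matching under stated assumptions (the `APP_DOMAIN` value and regex patterns are ours; the actual middleware may differ):

```python
# Sketch of a dynamic CORS origin check for the wildcard rules above.
# APP_DOMAIN is a placeholder; patterns are illustrative.
import re

APP_DOMAIN = "studio.example.com"  # placeholder value

PATTERNS = [
    r"^https?://localhost(:\d+)?$",               # localhost:*
    r"^https?://[\w-]+\.localhost(:\d+)?$",        # *.localhost
    rf"^https?://{re.escape(APP_DOMAIN)}$",        # APP_DOMAIN
    rf"^https?://[\w-]+\.{re.escape(APP_DOMAIN)}$" # *.APP_DOMAIN
]

def origin_allowed(origin: str) -> bool:
    return any(re.match(p, origin) for p in PATTERNS)

print(origin_allowed("http://myapp.localhost:5173"))  # True
print(origin_allowed("https://evil.com"))             # False
```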

Credential Encryption

| Data | Encryption Method |
| --- | --- |
| GitHub tokens | Fernet encryption (derived from SECRET_KEY) |
| Deployment OAuth tokens | Fernet encryption (DEPLOYMENT_ENCRYPTION_KEY) |
| User passwords | bcrypt hashing (via fastapi-users) |
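"Derived from SECRET_KEY" plausibly means hashing the secret into Fernet's required format: 32 url-safe base64-encoded bytes. The derivation below is an assumption for illustration, not necessarily what Tesslate Studio does:

```python
# Hedged sketch: deriving a Fernet-format key from SECRET_KEY.
# Fernet keys are 32 bytes, url-safe base64-encoded; SHA-256 fits exactly.
# The actual derivation in the codebase may differ.
import base64, hashlib

def derive_key(secret_key: str) -> bytes:
    digest = hashlib.sha256(secret_key.encode()).digest()  # 32 raw bytes
    return base64.urlsafe_b64encode(digest)                # Fernet key format

key = derive_key("my-secret")
print(len(key))  # 44 (32 bytes base64-encoded, with padding)
```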

Container Isolation (Kubernetes)

Each project gets a dedicated namespace (proj-{uuid}) with:
  • Resource quotas per namespace (CPU, memory, storage)
  • RBAC rules preventing cross-namespace access
  • Automatic cleanup on project deletion (delete namespace cascades to all resources)

SSL/TLS

| Environment | Method |
| --- | --- |
| Docker (local) | HTTP only (*.localhost); no SSL needed |
| Kubernetes (Minikube) | HTTP only; no TLS configured |
| Kubernetes (AWS EKS) | Wildcard certificate (*.yourdomain.com) via cert-manager + Let’s Encrypt, DNS-01 challenge through Cloudflare |

Secrets Management

Kubernetes secrets:
  • tesslate-app-secrets: API keys, OAuth credentials, domain config
  • postgres-secret: Database credentials
  • s3-credentials: S3/MinIO access keys
Best practices:
  • Secrets are never stored in Git
  • Minikube: generated from .env.minikube via generate-secrets.sh
  • AWS EKS: created via kubectl create secret or managed by Terraform

Scalability

Horizontal Scaling

| Component | Scalable? | Notes |
| --- | --- | --- |
| Orchestrator (backend) | Yes | Stateless design; all state is in PostgreSQL. Multiple replicas supported via K8s Deployment. |
| Frontend | Yes | Static build served by NGINX; easily replicated or served via CDN. |
| PostgreSQL | Partially | Single instance by default. Read replicas planned for the future. Connection pooling handles high concurrency. |
| User project pods | Yes | Each project runs in its own namespace; cluster autoscaler adds nodes as needed. |

Non-Blocking Design

All long-running operations are designed to be non-blocking:
  • Project creation: Background task for container setup; the API returns immediately.
  • Deployments: Async build process; webhook on completion.
  • Agent chat: Streaming responses (no wait for full LLM completion).
  • File operations: Async I/O throughout.
  • Snapshots: VolumeSnapshot creation returns immediately; frontend polls for ready status.
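The "API returns immediately" pattern in the bullets above can be sketched with asyncio: the handler schedules the slow work as a background task and responds at once. Names here (`create_project`, `provision_containers`) are illustrative; the real code uses FastAPI background tasks and container-runtime calls:

```python
# Sketch of the fire-and-forget pattern used for project creation:
# schedule the slow work, return a "creating" status immediately.
import asyncio

async def provision_containers(project_id: str) -> None:
    await asyncio.sleep(0.01)  # stands in for real container setup
    print(f"{project_id}: containers ready")

async def create_project(project_id: str) -> dict:
    asyncio.create_task(provision_containers(project_id))  # runs in background
    return {"id": project_id, "status": "creating"}        # API responds now

async def main():
    resp = await create_project("proj-1")
    print(resp["status"])      # 'creating', before provisioning finishes
    await asyncio.sleep(0.05)  # give the background task time to complete

asyncio.run(main())
```

The frontend then polls for status (or listens to a stream) rather than holding the original request open.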

Load Balancing

  • Kubernetes: NGINX Ingress Controller with round-robin distribution. Session affinity is not required because the backend is stateless.
  • Docker: Traefik automatically discovers and routes to containers.

Container Images

| Image | Dockerfile | Base | Purpose | Approximate Size |
| --- | --- | --- | --- | --- |
| tesslate-backend | orchestrator/Dockerfile | python:3.11-slim | FastAPI orchestrator | ~1.5 GB |
| tesslate-frontend | app/Dockerfile.prod | node:20-alpine (build), nginx:alpine (runtime) | React UI served via NGINX | ~200 MB |
| tesslate-devserver | orchestrator/Dockerfile.devserver | node:20-alpine | Universal dev environment for user projects | ~1.2 GB |
Devserver includes:
  • Node.js 20 + npm + Bun
  • Python 3 + pip
  • Go + Air (hot reload)
  • Git, git-lfs, curl, bash, tmux
  • Pre-cached npm packages (Vite, React, TypeScript, ESLint, Tailwind)

External Integrations

Authentication Providers

| Provider | Purpose | Flow |
| --- | --- | --- |
| GitHub | User login, repository import | OAuth Authorization Code Grant |
| Google | User login | OAuth Authorization Code Grant |
| GitLab | Repository import | OAuth Authorization Code Grant |
| Bitbucket | Repository import | OAuth Authorization Code Grant |

Deployment Providers

| Provider | Purpose |
| --- | --- |
| Vercel | Frontend hosting (OAuth + API, git push auto-deploy) |
| Netlify | Frontend hosting (OAuth + API, git push auto-deploy) |
| Cloudflare Pages | Frontend hosting (direct upload API) |
| Cloudflare Workers | Serverless backend (wrangler CLI) |

Payment Provider

| Provider | Features |
| --- | --- |
| Stripe | Recurring subscriptions, one-time credit purchases, creator payouts (Stripe Connect), usage-based billing |

Storage Providers

| Provider | Use Case | Protocol |
| --- | --- | --- |
| AWS S3 | Production project storage | S3 API (boto3) |
| DigitalOcean Spaces | Production project storage | S3 API (boto3) |
| MinIO | Local/development S3-compatible storage | S3 API (boto3) |

Architecture Principles

Every project runs in its own isolated environment (Docker container or Kubernetes namespace). This ensures no conflicts between projects, independent dependency management, resource limits, and clean teardown (deleting a container or namespace removes everything).
User requests never block on long-running tasks. Project creation, deployments, and agent chat all run asynchronously. The frontend polls for status or receives streamed updates.
Tesslate Studio uses LiteLLM as a universal AI gateway, supporting 100+ providers. You can use OpenAI, Anthropic, Google, self-hosted open-source models, or any LiteLLM-compatible endpoint. There is no vendor lock-in.
When self-hosted, all data stays on your infrastructure. The only external calls are to AI model providers (if you choose cloud models) and optional OAuth/deployment providers. You have complete control over your data.
The orchestrator is fully stateless. All persistent state lives in PostgreSQL or the container runtime. This means you can run multiple orchestrator replicas behind a load balancer without any special coordination.
All Kubernetes manifests use Kustomize with base/overlay separation. AWS infrastructure is provisioned with Terraform. Every resource is reproducible and version-controlled.

Health Checks and Monitoring

Endpoints

| Endpoint | Purpose |
| --- | --- |
| GET /health | Backend liveness (returns 200 if alive) |
| GET /api/config | Public configuration (deployment mode, app domain) |

Kubernetes Probes

| Probe | Path | Interval | Purpose |
| --- | --- | --- | --- |
| Startup | /health | 5s (24 failures = 2 min max) | Allow time for boot and migrations |
| Liveness | /health | 10s | Restart pod if it becomes unresponsive |
| Readiness | /health | 5s | Remove from load balancer if unhealthy |

Application Logging

  • Format: %(asctime)s - %(name)s - %(levelname)s - %(message)s
  • Level: Configurable via LOG_LEVEL environment variable
  • Key loggers: app.main, app.services.orchestration.kubernetes_orchestrator, app.agent.stream_agent, app.routers.*
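The format string and LOG_LEVEL variable above map directly onto the stdlib logging module; a minimal sketch of that wiring:

```python
# Wiring the documented log format and LOG_LEVEL env var into stdlib logging.
import logging, os

logging.basicConfig(
    level=os.environ.get("LOG_LEVEL", "INFO"),
    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
)

log = logging.getLogger("app.main")
log.info("orchestrator started")
```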

Future Enhancements

| Enhancement | Description |
| --- | --- |
| Distributed task queue | Move background tasks to Celery + Redis for reliability |
| Prometheus + Grafana | Metrics collection, dashboards, and alerting |
| PostgreSQL read replicas | Improved read performance and high availability |
| CDN integration | Cloudflare CDN for frontend assets; faster global access |
| Multi-region deployment | K8s clusters in multiple regions with geo-routing |
| Cluster autoscaler | HPA for backend pods; node autoscaler for K8s nodes |

Next Steps

Quickstart

Get running locally with Docker Compose in minutes

Configuration Reference

Every environment variable, explained and categorized

Deployment Guide

Deploy to production with Docker Compose, Kubernetes, or AWS EKS

Developer Guide

Explore the system internals and API reference