System Overview

ContentGrid is a model- and API-first Enterprise Content Management (ECM) platform that generates complete, standards-based REST APIs directly from your data model. The platform consists of two primary environments: a Management Platform for application configuration and a Runtime Platform for execution.

What Makes ContentGrid Different

Traditional ECM systems often rely on folder hierarchies, generic database schemas, and monolithic architectures. ContentGrid takes a fundamentally different approach:

Model-First Design: Define your data model with entities, attributes, and relations. ContentGrid automatically generates intuitive REST APIs that mirror your domain model—URLs like /invoices and /invoices/{id} emerge naturally from your schema.

Relational Database Foundation: Unlike ECMs that use generic key-value storage, ContentGrid leverages PostgreSQL’s full capabilities by mapping entities directly to tables and columns. This enables efficient queries, proper indexes, and standard database tooling.

Attribute-Based Access Control: Instead of folder-based permissions, ContentGrid uses ABAC policies that evaluate entity and user attributes. This provides flexible, fine-grained access control independent of data organization.

Small Core, Extensible Ecosystem: The platform core provides only essential ECM functionality. Everything else is implemented as external automations that integrate seamlessly through standard protocols.

Architecture at a Glance

graph TB

    subgraph "Runtime Platform"
        Gateway[Gateway<br/>Routing & Authorization]
        Keycloak[Keycloak<br/>Authentication]
        OPA[OPA<br/>Policy Evaluation]
        Solon[Solon<br/>Policy Collection]
        Navigator[Navigator<br/>Web UI]

        subgraph "Application Instance"
            AppServer[Application Server<br/>Dynamic API]
        end

        subgraph "Persistent Storage"
            DB[(PostgreSQL<br/>Metadata & Structure)]
            S3[(S3-Compatible<br/>Content Storage)]
        end
    end

    Gateway --> OPA
    Gateway --> AppServer
    AppServer --> Solon
    Solon --> OPA
    AppServer --> DB
    AppServer --> S3
    Users[Clients] --> Keycloak
    Users --> Gateway
    Users --> Navigator

    MP[Management Platform]
    MP -->|Configure| Gateway
    MP -->|Configure| AppServer

Management Platform

The Management Platform is where you define, configure, and deploy ContentGrid applications. It consists of three primary components:

• Architect: Source of truth for application models (entities, permissions, configurations)
• Scribe: Transforms models into deployment artifacts (application model, database migrations, policies, OpenAPI specs)
• Captain: Orchestrates infrastructure provisioning and Kubernetes deployment

The platform runs as a SaaS service—you don’t need to host or manage it yourself. For complete details on how these components work together to enable the full application lifecycle, see Management Platform.

Runtime Platform

The Runtime Platform provides the infrastructure and services to run ContentGrid applications securely and efficiently. Key components include:

• Gateway: Entry point for all requests, handles routing, authentication, and policy evaluation
• Keycloak: Identity and access management via OpenID Connect
• OPA: Centralized policy engine for attribute-based access control
• Navigator: Shared React frontend that dynamically adapts to any application model
• Solon: Collects policies from all applications and bundles them for OPA.
• Pathfinder: Automatic Ingress management and TLS certificate provisioning

All components run in Kubernetes and use dynamic service discovery to automatically detect and integrate new applications. For complete details on platform architecture, request flow, and operational characteristics, see Runtime Platform.

Application Server

Each ContentGrid application runs as an instance of the Application Server—a single shared container image configured with application-specific artifacts. The server uses a configuration-driven approach rather than code generation, enabling rapid deployment of model changes. For complete details on architecture, query construction, and performance characteristics, see Application Server.

Data Storage

ContentGrid separates structured metadata from binary content for optimal performance:

PostgreSQL: Each application has its own database with schema generated automatically from the data model. Entities map to tables, attributes to columns, and relations to foreign keys. Flyway manages migrations.

S3-Compatible Storage: Binary content (documents, images, videos) is stored in dedicated S3 buckets per application.

Encryption: Transparent application side encryption at rest. For complete details on encryption architecture, key management, and range request support, see Data Storage.

Deployment Pipeline

The deployment pipeline automates the complete path from application model to running service:

1. Artifact Generation: Scribe generates a versioned ZIP artifact with model, migrations, and policies
2. Infrastructure Provisioning: Captain provisions database, S3 bucket, and Keycloak realm
3. Kubernetes Deployment: Captain creates all necessary Kubernetes resources
4. Application Startup: Application Server fetches artifact, runs migrations, and begins serving

For complete details on the deployment see Deployment Pipeline.

Integration Points

The platform provides several mechanisms for external automations to extend functionality:

• Service accounts: Automations authenticate via OIDC client credentials flow
• Webhook Notifications: Automations subscribe to create/update/delete events

External automations integrate seamlessly, they can use the same HAL/HAL-FORMS patterns as core functionality, making them familiar to API consumers.

Key Architectural Benefits

Developer Experience: Standards-based APIs (HAL, HAL-FORMS, RFC 9110) reduce learning curves and enable existing tooling. Model-first approach means intuitive URLs that match your domain.

Scalability: Each application is independently scalable. Kubernetes-native architecture enables horizontal scaling of application instances. Database and storage scale independently.

Security: ABAC policies evaluated at query time prevent unauthorized data from being loaded. Content encryption ensures data confidentiality. Separate isolation per application.

Flexibility: Small core with automation extension points allows customization without forking. Replace or disable automations independently. Multiple implementations of the same functionality can coexist.

Operational Simplicity: Single shared container image for all applications. Configuration-driven rather than code changes. Standard Kubernetes operations for deployment and scaling.

Next Steps

For deeper understanding of specific subsystems:

• Architecture Principles - Design philosophy and values
• Management Platform - Application model management
• Runtime Platform - Infrastructure components in detail
• Application Server - API generation and query engine
• Access Control - ABAC and policy enforcement
• Data Storage - Encryption and storage architecture
• Deployment Pipeline - Application deployment process