RiskNodes 2.0: Open Source, Sovereign, Agentic

RiskNodes has undergone a major refactoring. The platform has been renamed, relicensed, and rebuilt around a new architecture and a new mission: Agentic Intelligence Risk Management.
Renamed and relicensed
The project, previously named Fluvial Diligence, is now RiskNodes — published under the European Union Public Licence (EUPL) on Codeberg. The EUPL is a copyleft licence recognised by the European Commission, compatible with the GPL family, and designed for cross-border use within the EU legal framework.
Architecture: from services to a single process
The most significant technical change is a wholesale simplification of the deployment stack.
Before: PostgreSQL database, Redis job queue, Dagu orchestration, a separate Go-based GraphQL service, Caddy reverse proxy, Docker Compose, and a JavaScript reverse-proxy layer (Doorman). Multiple services, multiple languages, multiple points of failure.
After: A single Python application on Starlette/ASGI with SQLite for state management. Background tasks run within the ASGI process itself. No containers, no external services, no database server.
The result: uvx run risknodes is the entire deployment.
Key changes in this migration:
- WSGI to ASGI — the application now runs on Starlette, replacing the previous WSGI stack
- MariaDB/PostgreSQL to SQLite — all state in a single file, no database server required
- Redis/RQ to BackgroundTask — job processing runs inside the application process
- GraphQL service removed — the separate Go service has been retired
- Docker Compose removed — no containerisation required for deployment
- Doorman removed — the JavaScript reverse-proxy layer has been retired
Authentication: OIDC
Password-based authentication has been replaced entirely with OpenID Connect (OIDC). RiskNodes no longer stores passwords or manages sessions directly. Authentication is delegated to an external identity provider — Google, Azure AD (Windows), or any OIDC-compliant service.
This includes server-rendered authentication pages (replacing the previous SPA-based flow), UUID-based user identifiers, and the removal of all JWT and Argon2 password-hashing code.
Agentic questionnaire answering
The headline new feature: RiskNodes can now drive a structured, questionnaire-backed review of code changes using a local LLM.
When a change set is submitted, RiskNodes iterates through the project’s questionnaire, presenting each question to an LLM (via Ollama) alongside the relevant source context. The LLM returns a structured answer — verdict, reasoning, evidence — validated against a Pydantic schema and recorded in the database. The workflow then determines whether the change is approved automatically or escalated for human review.
This is the foundation of the AIRM (Agentic Intelligence Risk Management) capability: treating AI agents as third-party vendors, subject to the same structured due diligence that regulated industries apply to human suppliers.
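The validate, record, then approve-or-escalate step described above, as an added example rather than RiskNodes code: it treats each LLM reply as untrusted input and fails closed. Plain standard-library checks stand in for the Pydantic schema, and the verdict values, table layout and function names are assumptions.

```python
import json
import sqlite3

# Assumption: the post does not list verdict values; these three are illustrative.
VERDICTS = {"pass", "fail", "unsure"}
FIELDS = {"verdict", "reasoning", "evidence"}

# Constructed sample replies (not real model output).
GOOD = '{"verdict": "pass", "reasoning": "Query is parameterised.", "evidence": ["db.py:42"]}'
BAD_VERDICT = '{"verdict": "approved", "reasoning": "Looks fine.", "evidence": ["db.py:42"]}'
NOT_JSON = "Sure! The change looks safe to me."


def parse_answer(raw):
    """Strictly validate one LLM reply; raise ValueError on any deviation."""
    data = json.loads(raw)  # JSONDecodeError is a subclass of ValueError
    if not isinstance(data, dict) or set(data) != FIELDS:
        raise ValueError("unexpected or missing fields")
    if not isinstance(data["verdict"], str) or data["verdict"] not in VERDICTS:
        raise ValueError("unknown verdict")
    if not isinstance(data["reasoning"], str) or not data["reasoning"].strip():
        raise ValueError("empty reasoning")
    ev = data["evidence"]
    if not isinstance(ev, list) or not all(isinstance(e, str) and e for e in ev):
        raise ValueError("evidence must be a list of non-empty strings")
    return data


def review(db, replies):
    """Record every reply; approve only if all are valid, evidenced passes."""
    db.execute("CREATE TABLE IF NOT EXISTS answers"
               "(question TEXT, verdict TEXT, reasoning TEXT, evidence TEXT, raw TEXT)")
    decision = "approved" if replies else "escalated"  # nothing answered: escalate
    for question, raw in replies.items():
        try:
            a = parse_answer(raw)
            row = (question, a["verdict"], a["reasoning"], json.dumps(a["evidence"]), raw)
            ok = a["verdict"] == "pass" and bool(a["evidence"])
        except ValueError as exc:
            # Keep the raw reply for the human reviewer, marked invalid.
            row = (question, "invalid", str(exc), "[]", raw)
            ok = False
        db.execute("INSERT INTO answers VALUES (?,?,?,?,?)", row)  # parameterised
        if not ok:
            decision = "escalated"  # fail closed: a human reviews
    db.commit()
    return decision
```

Malformed replies are stored as well as valid ones, so the reviewer who picks up an escalation can see exactly what the model returned.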
Frontend bundled with Python package
The Vue.js frontend is now built and bundled directly into the Python package, simplifying distribution and eliminating the need for a separate frontend deployment step.
BDD test discipline
Behavioural specifications have been reorganised and a pre-commit guard now enforces consistency between step definitions and feature files. This supports the dogfooding process — RiskNodes reviews its own changes against its own specifications.