1 Architecture Overview
CF Cloudflare Edge Layer — Security, CDN, DNS, Intelligence
Tunnel
huly.agilex.co.za
Zero inbound ports
Zero inbound ports
Pages
app.agilex.co.za
Demo + Agent Portal
Demo + Agent Portal
DNS + CDN
SSL/TLS 1.3
DDoS + WAF
DDoS + WAF
D1
Agent state
Task queue, logs
Task queue, logs
KV
Sessions, cache
Rate limits
Rate limits
AG A.G.I.L.E. Agent Workers — Autonomous Recruitment Intelligence
A — Acquire
CV parsing, sourcing
Profile creation
Profile creation
G — Gauge
Screening, scoring
Auto-advance
Auto-advance
I — Integrate
Scheduling
Calendar sync
Calendar sync
L — Leverage
Analytics, reports
Market intel
Market intel
E — Engage
Email, notifications
Candidate nurture
Candidate nurture
AI Cloudflare AI Gateway — Multi-Model Inference, Caching, Analytics
Workers AI
Llama 3.3 8B (fast)
bge-base (embeddings)
bge-base (embeddings)
Anthropic
Claude Opus/Sonnet
Primary reasoning
Primary reasoning
OpenAI
GPT-4o fallback
Alternative scoring
Alternative scoring
Google
Gemini Pro
Report generation
Report generation
Vectorize
Candidate embeddings
Semantic search (RAG)
Semantic search (RAG)
Cloudflare Tunnel — outbound only
HZ Hetzner VPS — Huly ATS (Minimal Metadata Store)
Huly Services
front, account, transactor
workspace, collaborator
workspace, collaborator
CockroachDB
Pipeline metadata
Links to M365 docs
Links to M365 docs
Elasticsearch
Full-text search
Candidate index
Candidate index
MinIO
Thumbnails only
NOT document store
NOT document store
Resend
SMTP bridge
Transactional email
Transactional email
Microsoft Graph API — OAuth 2.0
MS Microsoft 365 — Golden Source of Records & Evidence of Work
OneDrive
CVs, offers, refs
contracts, ID docs
contracts, ID docs
SharePoint
Document libraries
Metadata + search
Metadata + search
Teams
Client channels
Agent activity feed
Agent activity feed
Entra ID
SSO / OAuth
User management
User management
Outlook
Email sync
Calendar integration
Calendar integration
2 Core Design Principle
ATS = Lightweight Metadata Layer
Huly stores the minimum data to manage the pipeline. Every document field is a OneDrive/SharePoint URL, not a binary file.
| ATS Stores (Huly) | M365 Stores (Golden Source) |
|---|---|
| Name, email, phone | Full CV / resume PDF |
| Pipeline stage & status | Signed offer letters |
| Skills tags (extracted) | Reference letters |
| Vacancy & client link | Interview scorecards |
| OneDrive URLs to docs | ID documents & certificates |
| Agent activity log | Client contracts & briefs |
Microsoft 365 = Source of Truth
OneDrive and SharePoint are the authoritative record. The ATS links to documents — never duplicates them.
- Version history — every edit tracked (500+ versions)
- Compliance — POPIA/retention via Microsoft Purview
- Search — Microsoft Search indexes all content
- Access control — M365 permissions, not ATS ACLs
- Teams — documents surface in client channels
- Mobile — OneDrive/Teams apps everywhere
- Co-authoring — real-time collaborative editing
3 Document Flow — CV to Placement
1
Agent Receives CV
Acquire agent parses PDF, extracts name, skills, experience
2
Upload to OneDrive
/Candidates/Active/{Name}/ via Microsoft Graph API
3
Get Sharing Link
Graph API returns view-only or edit URL
4
Store Link in ATS
Huly candidate record holds OneDrive URL
5
Generate Embedding
CV text → vector in Cloudflare Vectorize for semantic search
Viewing documents: Click the link in Huly → opens in Office Online. Browse in SharePoint → filter by stage/client. See in Teams → Files tab in client channel. Mobile → OneDrive or Teams app.
4 AI Gateway — Multi-Model Inference
All AI inference routes through Cloudflare AI Gateway: one endpoint, multiple providers, with caching, analytics, cost tracking, and automatic fallback.
| Task | Primary Model | Fallback | Reasoning |
|---|---|---|---|
| CV parsing & extraction | Workers AI (Llama 8B) | Claude Haiku | Fast, cheap, structured output at edge |
| Candidate scoring | Claude Sonnet | GPT-4o | Nuanced reasoning for fair evaluation |
| Interview questions | Claude Opus | Claude Sonnet | Quality-critical, candidate-facing output |
| Offer letter drafting | Claude Sonnet | GPT-4o | Strong writing with legal context |
| CEO / exec reports | Claude Sonnet | Gemini Pro | Data synthesis + clear narrative |
| Email responses | Workers AI (Llama 8B) | Claude Haiku | High volume, templated, cost-sensitive |
| Semantic search / matching | Workers AI (bge-base) | — | Embedding model, always at edge, zero latency |
How It Gets Smarter Over Time
Growing Vector Index
Every CV processed adds an embedding. At 1000+ candidates, the system finds nuanced patterns human recruiters would miss.
Semantic Caching
Similar queries return cached results in <10ms. After 3 months, expect 30-50% cache hits — faster responses at zero cost.
Feedback Loop
When consultants override agent decisions, the feedback refines scoring prompts. Accuracy improves quarterly.
Analytics-Driven
AI Gateway logs every request. A dashboard shows cost per agent, model performance, and where to optimise.
5 Microsoft 365 Structure
OneDrive — Shared Drive
AgileX Recruitment/
├── Candidates/
│ ├── Active/
│ │ └── {Name} — {Role} ({Client})/
│ │ ├── CV.pdf
│ │ ├── Offer_Letter.pdf
│ │ ├── References/
│ │ ├── Scorecards/
│ │ └── ID_Docs/
│ ├── Placed/
│ └── Archived/
├── Clients/
│ └── {Client Name}/
│ ├── Contract.pdf
│ ├── Rate_Card.xlsx
│ ├── Vacancy_Briefs/
│ └── Reports/
├── Staff/
│ ├── Policies/
│ └── Training/
└── Reports/
├── Weekly/ (auto-generated)
├── Monthly/
└── Quarterly/
SharePoint — Document Libraries
agilex.sharepoint.com/sites/Recruitment
| Library | Metadata Columns |
|---|---|
| Candidates | Name, Vacancy, Stage, Client, Consultant |
| Clients | Client, Industry, Contract Status |
| Staff | Employee, Department, Doc Type |
| Templates | Type, Version, Last Updated |
| Reports | Type, Period, Agent or Human |
Content Types: Candidate CV, Offer Letter, Reference, Scorecard, Contract, Vacancy Brief, Pipeline Report
Teams — Channels & Tabs
Team: AgileX Recruitment
├── General
├── Leadership
├── Pipeline Reviews
├── Clients/
│ ├── Standard Bank
│ ├── Absa Group
│ ├── Shoprite Holdings
│ ├── Woolworths
│ ├── FirstRand
│ ├── Nedbank
│ ├── Capitec
│ ├── Pick n Pay
│ ├── TFG
│ └── Mr Price
├── Agent Activity
│ ├── Tab: Dashboard
│ ├── Tab: Pipeline Board
│ └── Tab: AI Usage Stats
└── Templates & TrainingAgents post to channels automatically via Microsoft Graph API.
6 Monthly Cost Estimate
| Component | Specification | Cost (ZAR) | Tier |
|---|---|---|---|
| Hetzner VPS (CPX31) | 4 vCPU, 8 GB RAM, 160 GB NVMe | ~R280 | Paid |
| Cloudflare (Tunnel, DNS, CDN, WAF) | Free plan — all included | R0 | Free |
| Cloudflare Workers | Free: 100K requests/day | R0 | Free |
| Cloudflare D1 + KV + Vectorize | Free tiers are generous | R0 | Free |
| Cloudflare AI Gateway | Metering, caching, analytics | R0 | Free |
| Workers AI (edge inference) | CV parsing, embeddings (~$5-20) | ~R90 – R360 | Usage |
| Claude API (via AI Gateway) | Scoring, drafting, reports (~$20-50) | ~R360 – R900 | Usage |
| Resend (transactional email) | Free: 100 emails/day | R0 | Free |
| Microsoft 365 Business Basic | Per user (if not existing) | ~R110/user | Per user |
| Total (excl. M365 licenses) | R730 – R1,540 |
7 Security Model
| Layer | Mechanism | Provider |
|---|---|---|
| Edge protection | WAF rules, DDoS mitigation, bot management, rate limiting | Cloudflare |
| Transport | TLS 1.3 — Full (Strict) SSL mode | Cloudflare |
| Authentication | OpenID Connect SSO via Microsoft Entra ID; JWT for agent-to-service | Microsoft + CF |
| Authorization | Huly workspace roles (Owner / Maintainer / User) + M365 permissions | Huly + Microsoft |
| Data at rest | CockroachDB encrypted; M365 BitLocker; CF Workers encrypted | All providers |
| API throttling | AI Gateway rate limits; KV per-user counters; CORS policies | Cloudflare |
| Secrets | Cloudflare Workers secrets (encrypted); never in code or logs | Cloudflare |
| Email auth | DKIM + SPF + DMARC via Resend + Cloudflare DNS | Resend + CF |
| Compliance | POPIA — Hetzner EU + M365 data residency + Microsoft Purview retention | All |
8 Implementation Phases
Completed Done
- Huly ATS running locally (Docker / OrbStack)
- 11 staff accounts created and joined to workspace
- 10 client organisations (5 banking, 5 retail)
- 15 vacancies across AI, DevOps, Banking, Retail, Graduate roles
- 30 candidates across 9 pipeline stages
- Setup guide, training guide, interactive sales demo portal
- Deployment architecture document (this document)
Week 1 — Infrastructure Hetzner + Cloudflare
- Provision Hetzner CPX31 VPS (Ubuntu 24.04, fsn1)
- Deploy Huly Docker stack to VPS with production config
- Create and configure Cloudflare Tunnel → huly.agilex.co.za
- Configure Cloudflare DNS, SSL (Full Strict), WAF rules
- Configure Resend SMTP + DNS records (SPF / DKIM / DMARC)
- Disable public signup, seed production data
Week 2 — Intelligence AI + Agents
- Create Cloudflare AI Gateway (agilex-recruitment)
- Create D1 database + KV namespace + Vectorize index
- Scaffold
agilex-agentsCloudflare Worker project - Implement Acquire agent (CV parsing → OneDrive + ATS)
- Implement Gauge agent (scoring + auto-advance)
- Deploy Workers + agent portal to Pages (app.agilex.co.za)
Week 3 — Documents Microsoft 365
- Register app in Microsoft Entra ID with Graph API permissions
- Create SharePoint site + document libraries + content types
- Create Teams team + client channels + agent activity channel
- Create OneDrive shared folder structure via Graph API
- Implement Graph API integration in agent Workers
- Test end-to-end document flow: agent → OneDrive → link in ATS
Week 4 — Integration Full Testing
- Implement Integrate agent (scheduling + Google/Outlook Calendar)
- Implement Leverage agent (analytics + auto-generated reports)
- Implement Engage agent (communication + Teams posting)
- End-to-end test with real candidate flow
- Client demo readiness review