Self-hostable, security-first, and designed from the ground up for the constraints of enterprise Oracle ERP infrastructure. This page documents the full technology stack across all four platform phases.
n8n is the workflow engine at the center of the platform. Every incident — from the moment it enters via webhook to the moment the audit record is written — is orchestrated by an n8n workflow. The choice of n8n over alternatives like Zapier, Make, or custom Python is deliberate: n8n is the only workflow platform with a self-hosted Docker deployment option, native OracleDB node support, encrypted credential storage, and a visual workflow editor that non-engineers can audit and understand.
n8n's Code nodes (JavaScript or Python) handle the data transformation layer between raw Oracle diagnostic output and LLM-ready structured JSON. The HITL (Human-in-the-Loop) node manages the Safe-Stop sequence for High-Risk actions — serializing workflow state, sending the Decision Tower notification, and waiting for the JWT-signed approval signal before resuming.
Runs entirely behind the corporate firewall or on-premise VPN. No data transits the public internet during workflow execution. PostgreSQL backend for workflow state and audit records.
Docker · Self-hosted
Built-in Oracle Database node connects via JDBC with configurable schema restrictions. The diagnostic connection uses a read-only schema; the execution connection is gated by the approval workflow.
JDBC · Read-only schema
All Oracle DB credentials, MOS credentials, and API keys are stored in n8n's encrypted credential vault. Zero plaintext storage in workflow definitions, scripts, or environment files.
AES-256 · Vault integration
The platform uses LLMs for three distinct tasks: incident triage and domain classification, root cause analysis from structured diagnostic output, and knowledge base article generation. Claude is the preferred model for root cause analysis — its large context window (200K tokens) handles verbose Oracle diagnostic output like SQLHC reports and TKPROF traces without truncation, and its structured reasoning performance on technical content is strong.
Claude 3.5 Sonnet or Claude 3 Opus for root cause identification, resolution synthesis, and knowledge base article drafting. Preferred for large-context Oracle diagnostic analysis. Called via Anthropic API from n8n's HTTP Request node.
200K context · API access · Structured output
GPT-4o used for incident triage and domain classification where speed matters more than context depth. Also serves as a hot-swap alternative to Claude for root cause analysis in deployments where the OpenAI API is already provisioned and approved.
128K context · Function calling · Hot-swap capable
All LLM calls use a structured prompting strategy that constrains the model's output to the evidence presented — retrieved RAG cases, Oracle Support Note content, and diagnostic script output. The model is explicitly instructed not to suggest resolution steps not grounded in the retrieved evidence. This prevents hallucinated Oracle fix paths that could cause production damage. Every LLM call includes the Oracle version, module, and current diagnostic context in the system prompt to ensure version-appropriate analysis.
The Playwright browser agent is a Node.js application running a Chromium instance inside a dedicated Docker container, separate from the n8n deployment. It exposes a simple REST API that n8n calls with an error code and ERP version — and returns structured JSON containing the Symptoms, Cause, and Solution sections from the top-ranked My Oracle Support knowledge article. The agent handles Oracle SSO authentication via session persistence, bot detection evasion via playwright-extra Stealth Plugin, and session expiry detection with automatic admin alerting.
Headless Chromium controlled by Playwright's Node.js API. Runs in a dedicated Docker container separate from n8n to prevent browser failures from cascading into workflow failures.
Node.js 20+ · Chromium · Docker
One-time manual MFA login captured via Playwright's storageState into an encrypted auth.json file. All subsequent runs load this session — no MFA re-challenge. Session expiry triggers an admin alert and graceful workflow pause.
storageState · Encrypted volume
Stealth Plugin masks the navigator.webdriver fingerprint, randomizes User-Agent strings, and adds human-like timing and interaction patterns to prevent MOS bot detection flagging over time.
playwright-extra · Stealth plugin
The vector database stores vectorized Oracle diagnostic outputs, resolution summaries, and Oracle Support Note excerpts — enabling the platform to retrieve semantically similar prior resolutions for every new incident. The metadata filtering capability is critical: raw vector similarity alone cannot distinguish an ORA-01652 resolution for EBS R11i from one for R12.2.10. Every stored chunk carries oracle_error_code, erp_module, erp_version, and environment_id metadata that scopes retrieval precisely.
Open-source vector database designed for billion-scale vector workloads. Self-hosted via Docker Compose or Kubernetes. Supports advanced compound metadata filtering — query by error code AND module AND ERP version simultaneously. Recommended for environments with 50+ active users or multi-environment Oracle deployments.
Self-hosted · Billion-scale · Compound filtering
PostgreSQL extension adding vector search to the existing Postgres instance used for n8n workflow state. Eliminates a separate vector database service for smaller deployments. Recommended when the knowledge base is expected to stay under 10 million vectors and the Oracle environment has fewer than 50 active users.
PostgreSQL extension · Single DB · <10M vectors
The n8n Embeddings node generates vector embeddings from structured diagnostic analysis output before storage and retrieval. OpenAI's text-embedding-3-small is the default — cost-effective at $0.02/million tokens and sufficient for Oracle diagnostic content. For air-gapped environments where data cannot leave the network, a locally-hosted HuggingFace sentence-transformers model (all-MiniLM-L6-v2) provides equivalent performance without external API calls.
Direct Oracle database connectivity via JDBC for all EBS diagnostic queries. The diagnostic connection uses a restricted read-only schema. SQL*Plus handles scripts that require the full SQL*Plus interface. n8n's OracleDB node manages both connection types.
JDBC · SQL*Plus · Read-only schema
Oracle Fusion Cloud does not expose direct database access. The platform uses Oracle Fusion REST APIs — OTBI for reporting, BIP for scheduled reports, ESS for job history, and module-specific REST endpoints for AP, AR, GL, and HCM diagnostics.
OTBI · BIP · ESS API
Application tier diagnostics — concurrent manager logs, spool file analysis, application-level configuration — require SSH access to the EBS application server. n8n's SSH node handles authenticated connections for log retrieval and system-level diagnostic commands.
SSH · App tier · CM logs
The platform's diagnostic capability is built on the same 65 production-grade scripts published at scripts.williamagreen.com. These are not illustrative examples — they are the actual scripts used by Oracle consultants in production EBS and Fusion environments, peer-reviewed, versioned, and tested across 11 Oracle modules. The AI platform wraps these scripts with LLM interpretation — the scripts provide the evidence, the LLM provides the analysis.
n8n, Milvus, and PostgreSQL run behind the corporate firewall or connect via VPN to Oracle EBS. No Oracle data transits the public internet during diagnostic execution or fix approval.
All credentials stored in n8n's encrypted vault or HashiCorp Vault. Oracle DB, MOS, and LLM API credentials are retrieved at runtime — never written to disk, never embedded in workflow definitions.
Every high-risk fix approval carries a JWT token tied to the specific Request ID. n8n validates the token before executing — preventing replay attacks and ensuring the approval was issued for this exact incident.
The diagnostic Oracle connection uses a restricted read-only schema — SELECT privileges only. The execution connection for approved fixes uses a separate schema with precisely scoped write privileges. No single connection has both diagnostic and unrestricted write access.
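The approval check described above (a JWT bound to one Request ID, validated before a high-risk fix executes) can be sketched as follows. This is an added example, not the platform's own code; HS256 signing, the claim names request_id and jti, the signApproval issuer helper, and the in-memory single-use ledger are all assumptions.

```javascript
// Added example (not the platform's code). Assumptions: HS256, claim names
// request_id / jti / exp / sub, and an in-memory single-use ledger.
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Issuer side (hypothetical Decision Tower): sign an approval for one request.
function signApproval(claims, secret) {
  const signingInput = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${hmac(signingInput, secret).toString('base64url')}`;
}

const usedTokenIds = new Set(); // persist this (e.g. in PostgreSQL) in a real deployment

// Verifier side: run before the execution connection is ever opened.
function validateApproval(token, requestId, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims || typeof header !== 'object' || typeof claims !== 'object')
    return { ok: false, reason: 'malformed' };
  // Pin the algorithm so the token cannot select "none" or a weaker scheme.
  if (header.alg !== 'HS256') return { ok: false, reason: 'bad_alg' };
  const expected = hmac(`${head}.${body}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad_signature' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  // Binding check: the approval must name the incident being executed.
  if (claims.request_id !== requestId) return { ok: false, reason: 'wrong_request' };
  // Replay check: each token ID is accepted once.
  if (typeof claims.jti !== 'string' || usedTokenIds.has(claims.jti))
    return { ok: false, reason: 'replayed' };
  usedTokenIds.add(claims.jti);
  return { ok: true, approver: claims.sub };
}
```

The binding check runs before the token ID is consumed, so presenting a valid approval against the wrong incident is rejected without burning the approval for its intended request.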
We're happy to walk through any component of the stack in detail — architecture reviews, security assessments, or proof-of-concept scoping.