Contact

Arhas · Engineering

How we build and host.

A Windows desktop application, a hospital system and a laboratory system do not share a runtime. They share a rule: if we cannot describe the mechanism precisely, we do not describe it at all.


01 — The platform

Everything we run, we run on Cloudflare.

Workers for compute, Pages for the static sites, R2 for objects, KV for the hot path, D1 for the small relational things. No second cloud, no rented Kubernetes, no orchestration layer we would then have to defend.

MedOS and LabOS are Next.js builds compiled to Workers with OpenNext, each deployed with a Mumbai placement hint. BRUTAL is not on that platform at all: it is a native Windows application, and its only server-side surface is a licence Worker at api.brutaloptimizer.com, plus a Pages site that streams installers out of an R2 bucket.

BRUTAL cloud/website/wrangler.toml:17-19 — bucket brutal-downloads, streamed by functions/downloads/[[path]].js

The one piece of infrastructure worth pointing at is the watcher. BRUTAL's sentinel runs on a five-minute cron, writes to D1 and KV, and is a separate deployment unit on purpose — so that a bad deploy of the thing being watched cannot take the watcher down with it. That is the whole trick, and it costs nothing.

BRUTAL cloud/sentinel/wrangler.toml:36 — crons = ["*/5 * * * *"] · :26-31 — the KV namespace and D1 binding it writes to

This website is the smallest instance of the same idea: static Astro, built to dist, pushed to Pages. No analytics, no tag manager, no third-party font request, no cookie. There is nothing here to consent to, which is the cheapest possible way to demonstrate the posture the trust page describes.

What that buys, and what it does not

A placement hint is not a data-residency guarantee.

placement.region: aws:ap-south-1 tells Cloudflare to run the Worker near Mumbai. It is a hint the platform honours, not a contract it signs. So we publish it as a hint. The database region is a separate fact, the object storage region is a third fact, and collapsing all three into "hosted in India" is the sentence this page exists to refuse.

MedOS app/wrangler.jsonc:15-17 · LabOS app/wrangler.jsonc:14-16 — placement.region

02 — What each product actually is

Three stacks, described the way an engineer would have to describe them.

A native Windows application

BRUTAL Optimizer

C# WPF on .NET 8, published as a self-contained single file for win-x64. No kernel driver. No DirectX hooks. No injection. Frame-time and 1% lows come from Windows’ own display statistics — the D3DKMT present count — which is why the overlay can show a dash and say "no game" instead of inventing a render rate. Timer resolution and system tuning go through documented P/Invoke calls, and drive maintenance is gated on what the disk physically reports it is.

  • Frame data: D3DKMT display present count, not ETW, not injection
  • System tuning: P/Invoke NtSetTimerResolution, NtSetSystemInformation
  • Storage gate: WMI MSFT_PhysicalDisk MediaType — TRIM on flash, defrag never
  • Licensing: a Cloudflare Worker at api.brutaloptimizer.com

Services/FrameStatsService.cs · GameFpsCounter.cs · StorageHealthService.cs

Next.js on Cloudflare Workers

MedOS

The application is a Next.js build compiled to a Worker with OpenNext, running with a Mumbai placement hint. The primary database is Turso — libSQL over HTTP — in ap-south-1. Patient fields are encrypted in the application before they reach the database: AES-256-GCM with a random IV per value, subkeys derived with HKDF-SHA256, and a key version in the envelope so keys can be rotated without a migration. Exact-match search on an encrypted column runs against an HMAC-SHA256 blind index rather than plaintext.

  • Compute: Cloudflare Workers via OpenNext, placement aws:ap-south-1
  • Database: Turso (libSQL), ap-south-1
  • Encryption: AES-256-GCM, 96-bit random IV, 128-bit tag, HKDF-SHA256 subkeys
  • Search: HMAC-SHA256 blind index — no plaintext column to search

lib/security/encryption.ts · app/wrangler.jsonc

Next.js on Cloudflare Workers

LabOS

Same runtime shape as MedOS, same Mumbai placement hint, and a security library written for one job: making a retro-active edit detectable. Every patient-data write, every authentication event and every privileged action is appended to a per-lab audit chain, where each row carries a SHA-256 hash of the row before it. Field encryption is v2 throughout — AES-256-GCM with the AAD bound to the key id, the lab, the record and the field — and a value arriving without an enc: prefix is refused in production rather than quietly stored.

  • Audit: SHA-256 hash chain per lab, recomputable with verifyAuditChain()
  • Encryption: AES-256-GCM v2, AAD bound to (kid, labId, recordId, field)
  • Release control: four-eyes checked in the API, 403 before any write
  • Reports: R2 bucket labos-reports, signed URLs, never public

lib/security/audit.ts · lib/security/encryption.ts · api/results/route.ts:265-277

03 — Where the data actually lives

We will not write “all your data is stored in Mumbai”.

It is the line every Indian health-software vendor uses, and for us it would be false in three different ways. Here is the version that is true, row by row, with the config file each row came from.

Data residency: where each part of the system runs, and the config file each row was read from
What Where How precise we can honestly be
Application compute MedOS app/wrangler.jsonc:15-17 · LabOS app/wrangler.jsonc:14-16 — placement.region Cloudflare Workers, placement region aws:ap-south-1 A placement hint, not a contract. Cloudflare tries to run the Worker near Mumbai. It does not undertake to.
MedOS database MedOS app/src/lib/d1.ts:3 · COMPLIANCE_AUDIT.md:16 — Turso host medos-…aws-ap-south-1.turso.io Turso (libSQL), ap-south-1 In India. This is the one row in this table that is unambiguous.
LabOS database LabOS app/src/lib/db.ts:12 — LABOS_DATABASE_URL is a runtime secret: no region in any config Turso (libSQL), region not published We have not verified the region, so we are not printing one. Ask, and we will check before we answer.
Report PDFs, uploads LabOS app/wrangler.jsonc:29-35 — R2_REPORTS, bucket labos-reports Cloudflare R2 (APAC) Not India-guaranteed. LabOS report PDFs are served by signed URL and are never public, which is a different property from residency.
arhas.in itself package.json:14 — astro build && wrangler pages deploy dist Cloudflare Pages, global edge Static pages. No accounts, no forms, no personal data. Residency is not a question here.

Read the table again and notice what it does not say. That is the honest shape of a Cloudflare-native deployment in India in 2026, and a vendor who tells you otherwise is either not reading their own config or is hoping you will not ask.

04 — What we are still finishing

A gap you can read is a gap you can hold us to.

None of this is on a competitor's website, and all of it is true of ours. Publishing it is not humility. It is the only way the rest of the page means anything.

  • 01

    The MedOS AAD row-binding retrofit is about 95% done

    Encrypted fields are bound to their row with additional authenticated data, so a ciphertext cannot be transplanted from one patient record to another. Rows written before v5.6 still decrypt through a legacy path that has no AAD. The encryption is real. Its universality is not, and until the retrofit closes we will not write a sentence that implies otherwise.

    MedOS app/docs/security/known-gaps.md:126-146

  • 02

    We do not run a public status page

    Which is why there is no uptime percentage anywhere on this website. A number nobody can check against a public record is decoration. When the status page exists, the number will point at it.

    No status page, no SLO export, no monitoring history published

  • 03

    No external certification, no third-party security audit

    Our security artifacts are internal: hand-rolled crypto and audit libraries, an internal fixes register, static analysis in CI. Internal review is not an audit and we do not describe it as one. The full list of what we have not certified is on the trust page.

    See /trust — the list is published in plain words

05 — How the work goes

The standard is not a document. It is what happens before a number ships.

  • A figure is counted, not estimated. 661 is the arithmetic sum of a table in the source. 171 is the length of an array. If nobody has counted it, it does not go on a page. BRUTAL Views/OptimizeView.xaml.cs:56-77 — sum of TweakCount across all 22 modules · LabOS lib/instrument-library.ts — exactly 171 entries
  • A guarantee lives in the code path. Not in a settings tooltip, not in a policy PDF. If a determined click can route around it, it was never a guarantee.
  • If a claim is 95% true, we publish the 5%. The AAD retrofit above is the worked example. It would have been easy to write "AAD row-binding on every record" and nobody outside would have known. MedOS app/docs/security/known-gaps.md:126-146 — AAD retrofit at ~95%
  • We do not ship a certification we do not hold. Not as a badge, not in schema, not in an alt attribute.

There is no careers page here, and no team page. Both would require us to publish things we have not verified, on a site whose entire argument is that we do not do that. When there are roles, they will be written down and linked from here.

What we can tell you is the shape of the work: small surface area, boring platform, real regulation enforced where the data is entered, and a public list of the gaps we have not closed yet. If that is how you want to build, the contact page is the whole process.

Write to us