Ghasi SMS Gateway — Executive Brief
Date: April 25, 2026
Audience: Business Stakeholders · MNO CTO
Status: For Presentation
Owner: Platform Architecture Team
References: Architecture Baseline v1.2 · ADR-0001 through ADR-0004
Executive Summary
Ghasi SMS Gateway is a multi-tenant, AI-compliance-gated messaging platform built to operate as Afghanistan's national SMS backbone. It connects all five Afghan MNOs under a single sovereign infrastructure, enforces regulatory compliance through an AI-powered engine, delivers telecom-grade SLAs — and exposes a complete commercial surface: a customer portal, admin dashboard, developer API, campaign manager, and a direct ATRA regulator integration.
Not a single byte of sensitive data leaves the country. The architecture is fully specified, ADR-approved, and ready to scale from an early-stage SaaS to an active-active national data plane serving 38M+ citizens.
| Metric | Value |
|---|---|
| Afghan MNOs connected | 5 (AWCC, Roshan, Etisalat AF, MTN AF, Salaam) |
| Sustained throughput | 10M+ messages / hour across both Afghan regions |
| Availability SLA | 99.99% monthly (≤ 4 min 22 s downtime) |
| OTP delivery (P99) | ≤ 3 seconds end-to-end including compliance |
| Audit log retention | 13 months hot · 7 years cold (ATRA requirement) |
The Problem
No Sovereign Infrastructure
Every SMS sent in Afghanistan today routes through foreign aggregators (Twilio, Infobip, Sinch). Citizen PII and OTP codes leave the country — violating ATRA data-residency obligations and exposing government, banking, and healthcare communication to foreign jurisdictions.
Fragmented, Uncontrolled Traffic
Five MNOs operate in isolation with no unified sender-ID registry, no national DND ledger, no fraud intelligence layer, and no compliant CDR pipeline for ATRA reporting. SIM-box fraud, grey routes, and OTP harvesting operate freely with no detection surface.
No Emergency Broadcast Capability
Afghanistan has no civil-emergency cell-broadcast infrastructure. Disaster alerts, flood warnings, and public-safety notices cannot be pushed to citizens at scale. During crises, this absence costs lives.
Zero Local Compliance Tooling
Banks, ministries, and healthcare providers have no compliant channel for regulated SMS. Content is unscreened, sender IDs are unregistered, and CDRs are unavailable for audit — leaving the regulated sector fully exposed.
Core Platform Capabilities
Multi-MNO Connectivity
Dedicated SMPP 3.4 connector pools per MNO (AWCC, Roshan, Etisalat AF, MTN AF, Salaam), with per-bind TPS governors, sequence management, and automatic failover. No single MNO incident affects traffic on other operators. Each bind direction (TX / RX / TRX) is independently managed per operator.
AI Compliance Engine
A sovereign local LLM runs entirely within the Afghan data plane and classifies message content. A rules pipeline evaluates keyword, regex, geo, rate, volume, DLR-abuse, and composite signals. The verdict — ALLOW, FLAG, HOLD, or BLOCK — gates every outbound SMS. No message ever reaches a carrier without an explicit ALLOW. The pipeline is fail-closed: if the compliance engine is unavailable, messages remain queued and are never forwarded.
Sender-ID Registry
National sender-ID registration with KYC of registrant, verification, suspension, and ATRA export. Once adopted by ATRA, this becomes the authoritative national registry — a strategic asset and durable revenue moat that no foreign operator can replicate without physical presence in-country.
Cell-Broadcast Bridge (Emergency)
3GPP TS 23.041 / ETSI EN 302 117 compatible bridge for civil emergency broadcasts, accessible only via government PKI (mTLS). P0-lane emergency messages pre-empt all other traffic and achieve ≤ 1 second delivery to MNO broadcast infrastructure.
Campaign Manager
Full campaign lifecycle management: audience segments, template library, scheduled dispatch, A/B testing, throttle controls, kill-switch, and two-way conversation sessions. Tenants run promotional, transactional, and government broadcast campaigns without developer involvement after initial integration.
Multi-Channel Fallback
Automatic cascade: SMS → MMS → RCS → WhatsApp Business → Voice OTP → Email. Per-recipient profile and per-tenant policy ensure maximum deliverability regardless of network conditions.
Regulator Integration (ATRA)
CDR pipeline produces TAP 3.12 / RAP exports signed with a regulator-approved key, delivered nightly to ATRA SFTP / API automatically. Lawful Intercept interface, complaint ingest, and a regulator-only mTLS portal are built-in from day one.
Platform Surfaces — Portals & APIs
All surfaces sit behind Kong Gateway (TLS, auth, rate limiting) and are served via Cloudflare CDN.
Admin Dashboard — admin.ghasi.io
Audience: Platform Operator / NOC
- Tenant lifecycle management (onboard, suspend, tier change)
- Compliance hold-queue review and manual release / reject
- Operator SMPP health, bind state, TPS governor controls
- System-wide message throughput and delivery-rate dashboards
- Sender-ID registry management and KYC workflow
- Billing overrides, invoice management, pricing table configuration
- NOC alert feed and escalation triage
Customer Portal — app.ghasi.io
Audience: Tenant / Business User
- API key creation and self-serve key rotation
- Message logs with delivery status and compliance verdict
- Campaign builder: segments, templates, schedule, A/B, kill-switch
- Webhook endpoint configuration and HMAC key management
- Real-time analytics: throughput, delivery rates, cost breakdown
- Compliance score dashboard and hold-queue notifications
- Billing — invoice history, current usage, payment management
Developer Portal — developers.ghasi.io
Audience: Developers / Integrators
- Interactive API documentation (OpenAPI 3.1, Swagger UI)
- Sandbox environment with mock SMPP operator for safe testing
- SDK downloads (Node, Python, PHP, Go — generated from spec)
- Self-serve API key management and consumption analytics
- Webhook simulator and DLR test harness
- Code samples and integration guides per vertical
Regulator Portal — regulator.ghasi.io (mTLS only)
Audience: ATRA — Telecom Regulator
- Monthly CDR submission — TAP 3.12 / RAP signed exports
- Nightly automated ATRA SFTP / API delivery of CDR bundles
- Sender-ID registry export on demand
- Lawful Intercept (LI) request intake and audit trail
- License artifact repository and renewal workflow
- Complaint ingest from ATRA with response tracking
- Immutable audit log access: 13-month hot, 7-year cold
The Regulator Portal operates on a separate mTLS-authenticated endpoint accessible only to ATRA. CDR exports are cryptographically signed. Data is delivered automatically on a nightly schedule — no manual export process.
Outbound Message Flow
Every message traverses the full pipeline. Compliance is not optional — it is architecturally enforced before any carrier hand-off.
Customer App
│ REST / SDK
▼
Kong Gateway        TLS · JWT/API-key auth · Rate limiting · Correlation IDs
│
▼
SMS Orchestrator    Payload validation · E.164 normalization · Idempotency check · Queue
│ 202 Accepted returned to caller immediately
▼
Compliance Engine   AI content classification + Rules pipeline
│ Verdict: ALLOW / FLAG / HOLD / BLOCK
│ ── BLOCK → message dropped, caller alerted, never reaches carrier
│ ── HOLD  → admin review queue (≤ 4h SLA)
│ ── ALLOW → proceeds
▼
Routing Engine      MNO selection · Least-cost routing · QoS · Health-aware
│
▼
SMPP Connector      Per-MNO pool · Per-bind TPS governor · Sequence management
│ SMPP 3.4
▼
MNO                 AWCC · Roshan · Etisalat AF · MTN AF · Salaam
│
▼
Citizen             Delivered · DLR returned → Billing → Webhook → Analytics
Fail-closed guarantee. If the Compliance Engine is unavailable, messages remain in EVALUATING state and are never forwarded to the carrier — by any code path.
Compliance Architecture
Verdict Pipeline
| Verdict | Action | Decision maker |
|---|---|---|
| ALLOW | Routes to carrier immediately | AI + rules engine |
| FLAG | Routes with audit annotation | AI soft signal |
| HOLD | Enters admin review queue (≤ 4h SLA) | Rules threshold |
| BLOCK | Silently dropped, caller alerted | Rules engine — hard block |
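The fail-closed gate and the verdict table above, sketched as an added example (not code from the Ghasi platform). The state names other than EVALUATING, the `gate` function and the engine callables are hypothetical, and FLAG is treated as routable with an audit annotation, as the verdict table states.

```python
import enum
from dataclasses import dataclass, field

class Verdict(enum.Enum):
    ALLOW = "ALLOW"
    FLAG = "FLAG"
    HOLD = "HOLD"
    BLOCK = "BLOCK"

class State(enum.Enum):
    EVALUATING = "EVALUATING"  # state name used in the brief
    ROUTABLE = "ROUTABLE"      # hypothetical names for the remaining states
    HELD = "HELD"
    BLOCKED = "BLOCKED"

@dataclass
class Message:
    msg_id: str
    body: str
    state: State = State.EVALUATING
    audit: list = field(default_factory=list)

def gate(msg, evaluate):
    """Run one compliance evaluation; return True only if msg may be routed."""
    try:
        verdict = Verdict(evaluate(msg))  # ValueError on None or unknown values
    except Exception as exc:
        # Engine down, timeout or malformed reply: the message stays EVALUATING
        # so a later retry can re-evaluate it. Nothing is forwarded.
        msg.audit.append(f"evaluation failed: {type(exc).__name__}")
        return False
    msg.audit.append(f"verdict={verdict.value}")
    if verdict in (Verdict.ALLOW, Verdict.FLAG):
        if verdict is Verdict.FLAG:
            msg.audit.append("routed with audit annotation")
        msg.state = State.ROUTABLE
        return True
    msg.state = State.HELD if verdict is Verdict.HOLD else State.BLOCKED
    return False

def engine_down(msg):
    raise TimeoutError("compliance engine unreachable")

def demo():
    """Constructed cases: the four verdicts plus three failure modes."""
    engines = {v.value: (lambda m, v=v: v.value) for v in Verdict}
    engines.update(timeout=engine_down, unknown=lambda m: "MAYBE", empty=lambda m: None)
    out = {}
    for name, engine in engines.items():
        msg = Message(msg_id=name, body="constructed sample text")
        out[name] = (gate(msg, engine), msg.state.name)
    return out
```

The routing stage would accept only messages for which `gate` returned True; every failure mode leaves the message in EVALUATING with an audit entry.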
Trusted-Tenant Fast Path
Pre-vetted banks, ministries, and healthcare providers register signed message templates. At send-time, content is fingerprint-verified against the approved template — compliance runs in shadow mode only (logged, not blocking). This delivers OTP-class latency (≤ 3s P99) without sacrificing the compliance evidence trail.
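One way the send-time template check could work, as an added example rather than the platform's own code. The brief does not specify the fingerprint scheme, so the HMAC-SHA256 construction, the `{name:type}` slot syntax, the slot types and all sample values are assumptions. It shows why each variable slot needs a closed pattern when full compliance only runs in shadow mode.

```python
import hashlib
import hmac
import re

# Hypothetical slot types; each is a closed character class with a length bound.
SLOT_PATTERNS = {"digits6": r"[0-9]{6}", "minutes": r"[0-9]{1,2}"}
SLOT_RE = re.compile(r"\{(\w+):(\w+)\}")  # assumed placeholder syntax {name:type}

def fingerprint(key, tenant, template):
    """HMAC-SHA256 over tenant and template, so approval is bound to one tenant."""
    data = tenant.encode() + b"\x00" + template.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def compile_template(template):
    """Turn literal text plus typed slots into one regex for exact matching."""
    parts, pos = [], 0
    for m in SLOT_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(f"(?P<{m.group(1)}>{SLOT_PATTERNS[m.group(2)]})")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))

def fast_path_ok(key, tenant, template, approved_fp, content):
    """True only if the template is the approved one and content fits it exactly."""
    if not hmac.compare_digest(fingerprint(key, tenant, template), approved_fp):
        return False  # template altered, or approved for a different tenant
    try:
        pattern = compile_template(template)
    except (KeyError, re.error):
        return False  # unknown slot type or malformed slot name
    return pattern.fullmatch(content) is not None  # fullmatch: no trailing text

def demo():
    """Constructed key, tenant and template; False means use the full pipeline."""
    key = b"constructed-demo-key"
    tenant = "tenant-bank-01"
    tpl = "Your code is {code:digits6}. It expires in {ttl:minutes} minutes."
    fp = fingerprint(key, tenant, tpl)
    good = "Your code is 482913. It expires in 5 minutes."
    check = lambda t, p, c: fast_path_ok(key, t, p, fp, c)
    return {
        "exact": check(tenant, tpl, good),
        "appended_text": check(tenant, tpl, good + " Visit example.test"),
        "persian_digits": check(tenant, tpl, good.replace("482913", "۴۸۲۹۱۳")),
        "trailing_newline": check(tenant, tpl, good + "\n"),
        "other_tenant": check("tenant-shop-02", tpl, good),
        "edited_template": check(tenant, tpl.replace("digits6", "minutes"), good),
    }
```

A slot typed as free text would let arbitrary content ride the fast path, so anything that fails the exact match should fall back to blocking evaluation.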
Data Sovereignty
The compliance AI is a locally-hosted LLM running inside the Afghan data plane. Message content is never sent to a foreign API for classification. An external LLM is a geo-scoped fallback only, governed by strict data-residency policy.
ATRA Reporting & CDR Pipeline
| Step | What happens |
|---|---|
| 1. DLR received | MNO confirms delivery via SMPP |
| 2. CDR generated | dlr-processor emits cdr.generated.v1 event |
| 3. Mediation | cdr-mediation-service normalises to canonical schema |
| 4. Partitioned storage | Written to MinIO object store, partitioned by hour |
| 5. Daily roll-up | TAP 3.12 / RAP file built, signed with regulator-approved key |
| 6. Nightly export | Delivered to ATRA SFTP / API automatically |
| 7. Analytics | Ingested into ClickHouse for drill-down and ad-hoc queries |
CDR records are immutable: corrections are appended as adjustment records and never overwrite existing records.
| Artifact | Hot retention | Cold retention |
|---|---|---|
| CDR records | — | 7 years (WORM object storage) |
| Compliance audit log | 13 months | 7 years |
| Evaluation trace | 90 days | Cold archive |
| Auth / SSO events | 13 months | — |
| Webhook delivery log | 90 days | — |
Campaign Management
The campaign service is a first-class bounded context. Tenants manage the full campaign lifecycle without developer involvement after initial integration.
| Feature | Detail |
|---|---|
| Audience Segments | Tag-based, CSV upload, or API-defined |
| Template Library | Variable binding with compliance pre-approval |
| Scheduled Dispatch | One-shot, recurring, or event-triggered |
| A/B Testing | Split by percentage, auto-promote winner |
| Throttle Controls | Per-campaign TPS cap, quiet-window enforcement |
| Kill-Switch | Instant campaign halt with in-flight drain |
| Conversation Sessions | Two-way SMS threads for interactive campaigns |
Traffic Priority Lanes
Every campaign message is assigned a lane based on content type and tenant tier. Bulk marketing traffic can never crowd out OTP or emergency messages.
| Lane | Use Case | P99 Delivery |
|---|---|---|
| P0 — Emergency | Civil emergency broadcasts | ≤ 1 s |
| P1 — OTP | Authentication codes, 2FA | ≤ 3 s |
| P2 — Transactional | Bank alerts, delivery notifications | ≤ 10 s |
| P3 — Marketing | Promotional, bulk campaigns | ≤ 60 s |
| P4 — Broadcast | Authorised national broadcasts | ≤ 5 min |
Resilience & Architecture Strength
Multi-Region Active-Active
Dual Afghan regions — Kabul (primary) and Mazar-i-Sharif (secondary) — operate simultaneously in read-write mode. Geo-aware routing pins traffic to the closest healthy region. A cold DR copy in Dubai holds sealed audit and CDR archives. Failover for OTP-class traffic achieves RTO ≤ 5 minutes.
Zero-Trust Service Mesh
Istio with SPIFFE/SPIRE workload identities issues short-lived SVIDs to every pod. All east-west traffic is mTLS in STRICT mode — no implicit namespace trust. HSM appliances (FIPS 140-2 Level 3) hold platform JWT signing keys, SAML SP keys, and webhook HMAC roots. No key is ever exported from the HSM.
Non-Functional Requirements
| Metric | Target |
|---|---|
| Sustained throughput | 10M msg/h across both Afghan regions |
| Burst capacity | 250K msg/min for 30 seconds |
| Availability — Edge + Orchestrator | 99.99% monthly |
| Submit → 202 acknowledgement (P99) | ≤ 200 ms |
| OTP delivery end-to-end (P99) | ≤ 3 s |
| RPO — OTP / transactional | ≤ 5 s |
| RTO — full platform | ≤ 15 min |
| Fraud detection mean time to detect | ≤ 15 min |
| Webhook first-attempt success | ≥ 99.9% within 5 s |
Business Opportunity & Revenue Streams
Per-Message API Revenue
Tiered per-message fees across five traffic lanes. At 10% of Afghanistan's national SMS volume (hundreds of millions of messages monthly), API revenue alone is material. Each MNO partnership unlocks additional revenue-share arrangements as the platform becomes the preferred national aggregation layer.
Regulatory Registry Monopoly
Once adopted by ATRA, the Sender-ID Registry becomes a government-mandated utility. Every entity sending SMS in Afghanistan must register — creating a recurring annual fee stream with near-zero churn. No foreign operator can replicate this without physical sovereign presence in-country.
Compliance-as-a-Service
The compliance engine, trusted-tenant fast-path, and tenant-compliance scoring are premium-tier features. Banks, ministries, and healthcare providers pay a premium for a compliance-certified channel they cannot build or procure domestically elsewhere.
Government & Emergency Infrastructure Contracts
The Cell-Broadcast Bridge and P0-lane emergency infrastructure are procurable by government as a managed service. Multi-year contracts with civil defence, NDMA, and public health authorities deliver stable, high-margin, strategic revenue with structural lock-in — no competitor can displace this without rebuilding the physical data plane.
Campaign & Engagement Platform
The campaign service enables a SaaS upsell tier: businesses pay per campaign or per seat for the campaign builder, A/B testing, analytics, and conversation sessions. This mirrors the model of Mailchimp or Braze but natively integrated into the sovereign messaging backbone — no foreign data processing required.
Developer Ecosystem & Marketplace
The developer portal creates a flywheel: more developers → more integrations → more tenants → more MNO traffic volume → stronger MNO negotiating position. SDK distribution and a sandbox environment lower the integration barrier to near-zero, accelerating adoption across fintech, e-commerce, logistics, and healthcare verticals.
Strategic moat. No foreign competitor — Twilio, Infobip, or Sinch — can offer sovereign on-prem AI compliance, a national sender-ID authority, ATRA-integrated CDR, CBC emergency broadcast, and a government-mTLS regulator portal, all from within Afghan borders. This is not a feature gap. It is a structural impossibility for non-resident operators.
Extensibility & Expansion Roadmap
Multi-Country Expansion
The architecture is jurisdiction-parameterised. Adding a new country means provisioning a new Kubernetes region, configuring per-country MNO connector pools, and binding the compliance engine to local regulatory rules. Control-plane services (billing, compliance rules, sender-ID, analytics) are shared. Central Asia, Central Africa, and underserved MENA markets present the same structural gap as Afghanistan.
Channel Expansion
The channel-router-service already specifies cascading fallback across SMS → MMS → RCS → WhatsApp Business → Voice OTP → Email. As RCS adoption grows globally, the platform routes intelligently without any tenant-side changes. WhatsApp Business API integration opens conversational commerce alongside transactional messaging — same compliance pipeline, new channel.
Financial Inclusion & Mobile Money
OTP infrastructure for mobile money and mobile banking is the highest-value use case in underbanked markets. The trusted-tenant fast-path and P1-lane guarantee make Ghasi the natural infrastructure partner for any MNO or fintech launching mobile financial services in the region.
Environmental Disasters & Sensor Networks
The Cell-Broadcast Bridge is the delivery infrastructure for a national alerting layer. Sensor ingest adapters publish to the existing lane.p0.emergency NATS subject — no new data plane is needed. The CBC dispatches to all reachable cell towers within 1 second.
| Sensor / Source | Alert Type | Delivery Lane |
|---|---|---|
| Seismic network (USGS / national) | Earthquake early warning | P0 Cell-Broadcast |
| Hydrological / dam sensors | Flood / dam failure alerts | P0 Cell-Broadcast |
| Air quality / AQI stations | Dust storm / pollution warnings | P1 SMS broadcast |
| Power grid SCADA | Outage / load-shedding notices | P2 SMS |
| Weather / NWP model | Extreme weather advisories | P0–P1 by severity |
| Epidemic surveillance | Disease outbreak alerts | P1 targeted by region |
| Wildfire detection | Evacuation orders by cell zone | P0 Cell-Broadcast |
These use cases require zero new infrastructure. Sensor adapters publish events to existing NATS subjects, routed through the existing priority-lane pipeline to existing MNO binds. The platform is already designed to carry this traffic — it only needs the sensor integration layer.
Architecture Maturity
What Is Already Designed & Documented
| Domain | Artifact |
|---|---|
| Enterprise Architecture | C4 Level 1 + Level 2 diagrams, outbound + DLR sequence diagrams |
| Compliance Layer | Full gRPC spec, 9-type rule taxonomy, verdict FSM, hold-queue lifecycle |
| Identity & Access | Keycloak + multi-IdP abstraction, SAML 2.0 / OIDC broker, RBAC |
| Multi-Region | ADR-0004: active-active KBL + MZR + DXB cold DR, NATS super-cluster |
| SMPP Pool | Per-MNO per-direction connector topology, bind affinity, TPS governors |
| Traffic Lanes | P0–P4 SLA budgets, NATS subjects, TPS shaping, priority enforcement |
| CDR Pipeline | TAP 3.12 / RAP, ClickHouse ingestion, ATRA SFTP export |
| Campaign Service | Segments, templates, A/B testing, kill-switch, conversation sessions |
| Platform Portals | Admin, Customer, Developer, ATRA Regulator — all fully specified |
| Security | HSM key hierarchy (FIPS 140-2 L3), zero-trust mesh, RLS, TDE |
| Observability | Prometheus + Grafana + OpenTelemetry + Loki — dashboards defined |
| Testing | Full test pyramid: unit, integration, contract, E2E — coverage targets set |
| Chaos Engineering | Weekly GameDay programme, NOC escalation tiers, PagerDuty integration |
Architecture Principles
| Principle | Guarantee |
|---|---|
| No shared databases | Each service owns exactly one schema — no cross-service DB calls |
| Async-first | NATS JetStream for all inter-service events; sync (gRPC) only where latency demands |
| Fail-closed compliance | No code path exists that routes a message without an ALLOW verdict |
| Idempotency everywhere | Redis-keyed idempotency; safe to retry any message at any stage |
| Sovereign AI | Local LLM; message content never leaves the Afghan data plane |
| Immutable audit | Append-only, WORM-locked, 13-month hot retention |
| Zero-trust east-west | mTLS STRICT mode + SPIFFE SVIDs issued to every pod |
| HSM-backed cryptography | FIPS 140-2 Level 3; no key is ever exported from the HSM |
Closing Statement
Ghasi SMS Gateway is not a messaging API. It is sovereign national infrastructure — the only platform capable of serving as Afghanistan's telecom backbone with full regulatory integration, AI-powered compliance, a built-in campaign engine, four purpose-built portals, and a roadmap that extends naturally to public safety, IoT alerting, multi-country expansion, and the next generation of multi-channel communication.
The architecture is ready. The specifications are approved. The opportunity is now.