Case study · JEGantic Hospitality, Montreal

Meet Orchid.

One AI operations layer running 8+ hospitality venues — answering from live POS, reservation, and ticketing data in the chat apps the team already uses.

Agentic system design 6 platforms integrated live In daily production use

01 / The problem

Eight venues. Five systems. Zero shared picture.

JEGantic Hospitality operates 8+ distinct venues in Montreal — restaurants, nightclubs, lounges, and a luxury transport service — each running on different operational systems: point-of-sale, reservations and guest CRM, event ticketing, project management, and multiple messaging channels.

Leadership needed sales figures, reservation data, ticket sales, and task status on demand — across venues that must never leak each other's commercially sensitive data — without hiring a data team or building a bespoke dashboard for every request.

The brief: a persistent AI “right hand,” reachable from WhatsApp and Discord, that understands the business, queries live data from every backend system, respects strict per-venue boundaries, and gets safer and smarter over time instead of being rebuilt for every new request.

0+
venues on one operations layer
0
specialized agents, strictly scoped
0
business platforms wired in live
0/7
scheduled autonomy via cron

02 / Architecture

One assistant. Many agents. Hard boundaries.

Orchid lives on a persistent agent runtime that keeps one identity alive across channels and days, routing work to data-isolated sub-agents. Tap any component to explore it.

Channels

Runtime

Main session

Specialized agents

Integration layer

03 / Design principles

The decisions that make it dependable.

Principle 01

Persona and memory as architecture

Tone and boundaries live in a persona file; long-term memory is curated and pruned on a schedule, kept separate from raw daily logs — not prompt dressing.

Principle 02

Hard multi-tenant data boundaries

Each venue's channel binds to an agent forbidden from querying or disclosing any other venue's data. Cross-venue questions route to one portfolio-level agent.

Principle 03

Config-as-code knowledge bases

Every external API has a documented knowledge base with endpoint docs and a pinned venue-to-ID map, so agents look up trusted identifiers instead of guessing.

Principle 04

Deterministic scripts, reasoning on top

Math, pagination, auth signing, and formatting happen in small testable scripts. The model decides what to fetch; code guarantees how — keeping numbers auditable.

Principle 05

Approval gates on the irreversible

Outbound email, calendar invites, and destructive operations require explicit human confirmation — codified in operating rules, not left to model judgment.

Principle 06

Scheduled autonomy, not chat-only

Daily task lists, nightly recaps, weather-driven staffing alerts, and drift audits run unattended on cron — idempotent, so re-runs never double-post.

04 / Integrations

Live, credentialed connections. Not mocks.

Every integration is a real production API connection wired through a purpose-built script and a documented knowledge base.

Payfacto POS Veloce

Point-of-sale · sales, labor, invoices, master data

  • Sales, item mix, payment mix, discounts, taxes, hourly breakdowns, refunds, voids, check-level invoices, labor and time-and-attendance, and full reference data.
  • Migrated live from API v1 to v2 — new base URL, redesigned sales endpoints, new auth envelope — with every report script re-verified against production data.
  • Pinned per-venue location-ID map, so routine questions never need discovery calls. Five POS locations currently live, including a corporate aggregate view.

SevenRooms

Reservations & guest CRM · deliberately read-only

  • Reservations, guests, availability, waitlist, events, charges, and floor operations — scoped down to read-only calls by design.
  • Pinned venue-ID map with per-venue credentials; the same single-venue data boundary enforced as on the POS side.

TIXR

Event ticketing · HMAC-signed reporting pipeline

  • Live sales pace, order and ticket-level exports, event configuration, and fee reconciliation. HMAC-SHA256 request signing handled once in code, reused everywhere.
  • Automated Google Sheets report generator: per-venue, per-event three-tab workbooks written idempotently into each venue's Drive folder, validated against dashboard sold-counts before delivery.
  • A dedicated NYE tracker cross-references ticket sales against reservation covers for every venue's New Year's Eve event, unattended on a daily schedule.

Asana

Project management · two-way synced

  • A bespoke two-way sync engine links a WhatsApp-delivered daily task list to Asana: tasks push to the right project, auto-assign the right teammate, and set custom fields.
  • Native dependency support — a “blocked by” note becomes a real Asana dependency, and completing the blocker auto-unblocks the dependent in both systems.
  • Fully idempotent and safe to re-run on every cron tick. Delivered at 8 AM by WhatsApp and 6 PM by email, both re-synced first so the systems never drift.

Google Workspace

Calendar, Gmail, Sheets, Drive, Analytics, Ads, Search Console

  • Team-wide free/busy, event creation and invites, email send, report generation with idempotent Sheet updates, GA4, Search Console, and Google Ads reporting.
  • A team meeting scheduler turns fuzzy language (“afternoon this week”) into concrete open slots with deterministic multi-person calendar math, and only books after human confirmation.

AgentMail

Outbound email · approval-gated, never auto-sent

  • A dedicated hosted inbox for the assistant identity, wrapped in a draft → review → explicit approval → send workflow.

Internal governance tooling

Self-healing reliability & cost controls

  • A session-model auditor runs on a heartbeat to detect and auto-correct model drift across every channel-facing session — a fix born from a real cost spike, not a hypothetical.
  • A structured cross-agent handoff protocol (intent / target / context / input / progress / status / errors / next-action) routes work between agents without losing context or leaking cross-venue data.

05 / In action

Real flows, end to end.

Pick a scenario to watch how a request actually moves through the system.

Illustrative conversations — figures and task names are placeholders, the flows are real.

Orchid
#agent-yoko-luna · Discord

06 / Security & governance

Guardrails built into the architecture.

Boundaries are enforced by scoping and routing — not just prompt instructions.

  • i

    Least-privilege API scoping

    The reservations platform is restricted to read-only calls; POS and ticketing credentials are venue-scoped and never shared across venues.

  • ii

    Secrets isolation

    All keys and tokens live in environment files excluded from version control. The assistant is instructed never to echo credentials under any circumstance.

  • iii

    Data boundaries at the routing layer

    Cross-venue disclosure is prevented by agent scoping and channel binding, documented as a standing architectural rule — a real multi-tenancy control.

  • iv

    Human-in-the-loop for external actions

    Outbound email, calendar invites, and destructive operations all require explicit confirmation before they execute.

  • v

    PII-safety by default

    Portfolio-wide reports strip guest names and identifying detail; guest-level detail is reserved for the single venue's own channel.

07 / What this build demonstrates

A living system, in daily use.

Not a proof of concept — Orchid runs day-to-day operations for the group, and each capability below was engineered against production systems.

Agentic system design

Persona, memory, multi-agent routing, tool orchestration, and scheduled autonomy composed into one coherent operating layer — not just prompt engineering.

Real API integration engineering

OAuth and token auth, custom HMAC request signing, live API version migrations against production, and rate-limit-aware scripting.

Multi-tenant data governance

Cross-venue leakage — a genuinely hard problem — solved architecturally, matching patterns used in enterprise B2B SaaS.

Two-way sync engineering

Chat surface and system of record kept in lockstep, including dependency-graph propagation — a non-trivial distributed-state problem.

Operational reliability for AI agents

Self-healing cost and config drift, idempotent report generation, and durable scheduled jobs — rather than one-shot demos.

Business fluency

Per-venue brand voice, venue-specific accounting-day rollovers, and recurring city-event calendars encoded directly into the system's operating context.

Client, venue, and staff names are used with permission for portfolio purposes. Credentials and private identifiers are excluded from this write-up.

Start here

Want an operations layer like this?

If your business runs on systems that don't talk to each other, this is exactly the kind of problem we build for. Let us walk you through how we would approach yours.