Service Boundaries

This page describes the current public service boundaries inside ByteOr Cloud.

API service

The API service owns synchronous control-plane actions.

  • authenticates human sessions, bearer tokens, enrollment tokens, and agent runtime keys
  • applies tenancy and RBAC rules at organization, project, and environment scope
  • validates drafts, versions, bundles, deployments, approvals, and artifact uploads
  • persists durable control-plane state and enqueues background workflow jobs

Worker service

The worker owns asynchronous and retryable jobs.

  • spec_ingest for draft parse and validation work
  • deploy_bundle_build for deployment tarball assembly and secret resolution
  • incident_ingest for artifact indexing and follow-up processing
  • replay for replay execution or dry-run orchestration
  • scheduled retention and metering aggregation work

Jobs move through queued, running, completed, failed, retrying, and dead_letter states.

Shared crates and domain logic

Shared crates carry the rules that should not drift between services.

  • tenancy and RBAC resolution
  • approval coverage and governed capability checks
  • config-bundle validation and typed tuning rules
  • artifact metadata, replay policy, and audit persistence
  • object-store and signing-key integration points

Persistence boundaries

  • Postgres stores organizations, projects, environments, drafts, versions, bundles, deployments, approvals, and audit records.
  • Object storage persists deploy-bundle tarballs and artifact blobs.
  • Migrations define schema changes and versioned control-plane persistence rules.

UI boundary

The UI is not the source of truth for pipeline compilation or deployment policy.

  • It edits draft state through the shared planning model.
  • It requests preview and version creation through backend validation and lowering.
  • It displays the effective runtime posture persisted by bundle and deployment workflows.

Secret handling boundary

  • Secret-bearing adapter auth must stay in secretRefs, not inline endpoint fields.
  • Inline secret refs are encrypted at rest and only materialized during deploy-bundle build.
  • Vault-backed refs fail closed when the control-plane Vault configuration is missing.
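
The secret handling rules above, sketched as an added Rust example (not ByteOr Cloud's own code). The type and function names, the credential-name heuristic, and the closures standing in for decryption and Vault lookup are all assumptions.

```rust
use std::collections::BTreeMap;

// Hypothetical types for illustration; not ByteOr Cloud's real API.
#[derive(Debug, PartialEq)]
pub enum SecretRef { Inline(Vec<u8>), Vault(String) } // Inline = ciphertext at rest

#[derive(Debug, PartialEq)]
pub enum SecretError { InlineSecretInEndpoint(String), VaultNotConfigured, VaultLookupFailed(String) }

// Assumed heuristic: endpoint field names that usually carry credentials.
const SECRET_KEYS: [&str; 5] = ["password", "token", "api_key", "secret", "authorization"];

/// Reject endpoint fields that carry credentials instead of pointing at a secret ref.
pub fn check_endpoint(fields: &BTreeMap<String, String>) -> Result<(), SecretError> {
    for (k, v) in fields {
        let key = k.to_ascii_lowercase();
        // Credentials embedded as URL userinfo, e.g. scheme://user:pw@host/path.
        let userinfo = v.split_once("://")
            .map_or(false, |(_, rest)| rest.split('/').next().unwrap_or("").contains('@'));
        if userinfo || SECRET_KEYS.iter().any(|s| key.contains(*s)) {
            return Err(SecretError::InlineSecretInEndpoint(k.clone()));
        }
    }
    Ok(())
}

/// Materialize one ref during bundle build. `vault` is None when the control plane has
/// no Vault configuration; both closures are stand-ins for the real backends.
pub fn materialize(
    r: &SecretRef,
    vault: Option<&dyn Fn(&str) -> Option<Vec<u8>>>,
    decrypt: &dyn Fn(&[u8]) -> Vec<u8>,
) -> Result<Vec<u8>, SecretError> {
    match (r, vault) {
        (SecretRef::Inline(ct), _) => Ok(decrypt(ct.as_slice())),
        // Fail closed: no fallback to an empty value or another source.
        (SecretRef::Vault(_), None) => Err(SecretError::VaultNotConfigured),
        (SecretRef::Vault(path), Some(lookup)) => lookup(path.as_str())
            .ok_or_else(|| SecretError::VaultLookupFailed(path.clone())),
    }
}

fn main() {
    // Constructed sample: a Vault-backed ref with no Vault configuration present.
    let r = SecretRef::Vault("kv/adapters/demo".to_string());
    println!("{:?}", materialize(&r, None, &|ct: &[u8]| ct.to_vec()));
}
```
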