The control plane has three roles. Keeping them separate is what makes Flocks honest.

Gateway

  • Accepts client requests.
  • Issues grants (the only source of dispatch authority).
  • Owns the audit log.
  • Stateless beyond the in-memory request cache; restartable at will.

Coordinator

  • The only durable component.
  • Holds enrollments, leases, audit chain heads, run journals.
  • Backed by SQLite by default; Postgres for multi-replica gateways.

Roost

  • Owns no global state.
  • Spawns agents, applies isolation, journals locally for replay.
  • Reports to the coordinator via the gateway.
If the coordinator goes down, no new dispatches happen — but in-flight runs complete. If a roost goes down, the coordinator’s lease expires and the gateway re-schedules.