A production fleet serving paying tenants. Stronger isolation, signed dispatch end-to-end, scheduler-backed leases, capability-scoped tools.

What changes vs private

  • MicroVM isolation is required for any tenant-shared roost.
  • Signed dispatch — every dispatch is signed by the gateway and verified by the roost before spawn.
  • Scheduler-backed leases — re-scheduling on roost failure is authoritative, not advisory.
  • Per-second metering — every grant emits a usage record for billing pipelines.
  • Postgres coordinator — multi-replica gateways read from a shared coordinator.

Platform mode is the upper bound of the fabric. Use it when you genuinely have hostile workloads to keep apart.
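
The signed-dispatch rule above, sketched as an added example that is not the project's own code: the gateway signs a dispatch and the roost refuses to spawn unless the signature, the addressed roost, and the expiry all check out. Ed25519, JSON encoding, the `Dispatch` fields, and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Dispatch is a hypothetical payload; the fields are assumptions, not the fabric's wire format.
type Dispatch struct {
	Tenant, Roost, Tool string
	Expires             int64 // unix seconds
}

// Signed carries the exact bytes that were signed, so the roost never re-serializes before verifying.
type Signed struct{ Payload, Sig []byte }

// Sign is the gateway side.
func Sign(priv ed25519.PrivateKey, d Dispatch) Signed {
	b, _ := json.Marshal(d) // cannot fail for this plain struct
	return Signed{b, ed25519.Sign(priv, b)}
}

// VerifyBeforeSpawn is the roost side: signature first, then parse, then binding and freshness.
func VerifyBeforeSpawn(pub ed25519.PublicKey, self string, now time.Time, s Signed) (Dispatch, error) {
	var d Dispatch
	if !ed25519.Verify(pub, s.Payload, s.Sig) {
		return Dispatch{}, errors.New("bad signature")
	}
	if err := json.Unmarshal(s.Payload, &d); err != nil {
		return Dispatch{}, err
	}
	if d.Roost != self { // validly signed, but for a different roost
		return Dispatch{}, errors.New("dispatch addressed to another roost")
	}
	if now.Unix() >= d.Expires { // validly signed, but stale
		return Dispatch{}, errors.New("dispatch expired")
	}
	return d, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	now := time.Unix(1700000000, 0) // constructed clock value
	s := Sign(priv, Dispatch{"tenant-a", "roost-1", "fetch", now.Unix() + 30})
	_, err := VerifyBeforeSpawn(pub, "roost-2", now, s)
	fmt.Println("replayed to roost-2:", err)
}
```

A signature check alone would accept a genuine dispatch replayed to another roost or after its window; binding the roost identity and an expiry into the signed bytes is what lets the roost reject both.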