Deployment architecture
Fibric is a managed cloud service. You do not install servers, run databases, or operate queues; you connect systems and configure operators, and the platform runs the governed loop for you. This page describes where Fibric runs, how the request path is put together, the swap-seam architecture that lets the platform scale without rewrites, and the short answer to what customers host: nothing, except the credentials they grant to connectors.
The managed cloud
Fibric runs on AWS in the us-east-1 region. All platform components, the API, the event store, the executor, the secret store, and the receipt ledger, run inside that footprint. Today, us-east-1 is the primary region; multi-region residency is on the roadmap and per-tenant model residency is already expressible as policy (see model routing below).
| Component | What it does | Where it runs |
|---|---|---|
| API | Serves api.fibric.io/v1: ingest, operators, connectors, plans, receipts. | Managed cloud, us-east-1 |
| Event store | Postgres with row-level security; every tenant row carries reseller_id + tenant_id. | Managed cloud, us-east-1 |
| Executor | Deterministic disposal of plans: trust gate, single-flight, idempotency. | Managed cloud, us-east-1 |
| Secret store | Per-tenant connector credentials, encrypted at rest. | Managed cloud, us-east-1 |
| Connector runtime | Executes connector tools with injected per-tenant credentials; makes the outbound calls to your systems. | Managed cloud, us-east-1 |
| Model access | All model calls go through one router; the model itself is a routed dependency, not a fixed component. | Provider-hosted, selected by policy |
The request path
One governed loop, end to end:
your systems Fibric managed cloud (us-east-1)
──────────── ─────────────────────────────────────────────
webhook / poll / gateway ──────> ingest ──> EventBus ──> EventRouter (glob match)
│
operator (ModelRouter)
│ proposes ExecutionPlan
DeterministicExecutor
trust gate · single-flight
· idempotency (DurableExec)
│
your systems <────────────────── connector runtime <────────┘
(per-tenant creds) receipts → ledger
Inbound, connectors declare their event sources as webhook or poll (the events map in a connector definition); hardware sources publish through a gateway that speaks the same envelope. Everything becomes an EventEnvelope at the door. Outbound, only the connector runtime touches your systems, with credentials resolved per tenant at call time, after the trust gate has disposed the action. The reasoning step sits between two deterministic layers and has no network path of its own.
The swap-seam architecture
The kernel defines five infrastructure dependencies as interfaces, seams, in packages/kernel/src/seams.ts. Each seam has a deliberately cheap MVP implementation and a named scale-up target that drops in behind the same interface, with no application rewrite. This is one architecture serving two goals at once: the cheapest deployment that is still correct, and a clean path to scale.
| Seam | Interface | MVP implementation | Scale-up target |
|---|---|---|---|
DurableExec |
once(key, fn), at-most-once per key, surviving retries |
In-process / Postgres outbox | Temporal |
EventBus |
publish(env) / subscribe(sub) |
In-process / EventBridge | MSK / Kafka |
ModelRouter |
invoke(req), the kernel's only model entry point |
Policy router over a default model | Same interface; policy grows richer |
VectorStore |
upsert / query, tenant-scoped |
pgvector | OpenSearch Serverless / S3 Vectors |
BlobStore |
put / getUrl |
S3 | S3, with Iceberg/Athena analytics deferred |
The seam contract is visible in the source. DurableExec, for example, is one method:
// ── Durable execution — MVP: in-process / Postgres outbox · scale-up: Temporal ──
export interface DurableExec {
once<T>(key: string, fn: () => Promise<T>): Promise<T>; // at-most-once per key, survives retries
}
Running Kafka, Temporal, and a dedicated vector database from day one would multiply cost and operational surface before any tenant needed them. The seams let the platform run lean, the target is a full platform bill measured in hundreds of dollars a month, not thousands, while guaranteeing that the day a tenant's volume demands Kafka, the swap is an implementation change behind an interface the rest of the code already programs against.
Model routing
No kernel code calls a model directly; every model call goes through the ModelRouter seam, and which model serves a request is policy, keyed by tenant:
export interface ModelPolicy {
defaultModel: string; // e.g. "deepseek.v3.2"
perTenant?: Record<string, string>; // e.g. { "city-of-x": "us.anthropic.claude-..." }
}
export class PolicyModelRouter implements ModelRouter {
resolveModel(tenant_id: string): string {
return this.policy.perTenant?.[tenant_id] ?? this.policy.defaultModel;
}
}
This is load-bearing for regulated tenants: a requirement like "this tenant's reasoning must run on a US-hosted model" is one entry in perTenant, not a code branch. The routing decision keys off the same verified tenant identity the database uses for row-level security, so a tenant's model policy cannot be selected by anything a caller passes in a request body.
What customers host
Nothing. There is no agent to install, no database to run, no queue to size. What you contribute is access:
| You provide | What it is | Where it lives |
|---|---|---|
| Connector credentials | API keys, OAuth grants, or IAM roles for the systems a connector senses and acts on, scoped as narrowly as the connector's tools require. | Fibric's secret store, encrypted at rest, keyed to your tenant. See Secrets and credentials. |
| Webhook registrations | Pointing your systems' webhooks at your tenant's ingest endpoints, usually done for you by the connector at install. | Your source systems' configuration. |
| A hardware gateway, if applicable | For hardware-category connectors, a gateway on your network (for example a BACnet gateway) publishes readings as envelopes. It holds outbound-only credentials to your tenant's ingest; the platform holds nothing on your network. | Your site, publishing outbound to Fibric. |
This architecture is not hypothetical: BearScope, Fibric's flagship product, runs in production today on this exact deployment, live operators over live commerce and support data, governed by the same executor and the same tenancy wall described here.
Availability posture
Fibric does not yet publish a public uptime SLO; enterprise agreements carry their own. What we document instead are the mechanics that make interruptions safe rather than silent: ingest deduplicates on idempotency keys so retried deliveries never double-count, side effects are idempotent so a retried plan never re-fires, and a paused stream resumes from a cursor with nothing lost. Those semantics, at-least-once ingestion, idempotent execution, single-flight serialization, replay, and backpressure, are specified in Reliability and delivery semantics. Deploys return brief 503 service_unavailable responses with Retry-After; see Errors for handling.
Continue with Reliability and delivery semantics for the failure-mode contract, the security model for what is enforced along this path, and Environments for how sandbox and production coexist on the same deployment.