Architecture
Per-tenant Firecracker microVMs, an inter-agent coordination supervisor, and a cryptographically chained audit trail — composing one substrate.
Each box is independently testable. The integration is where the Phase I research deliverables live.
System diagram
Read top-to-bottom: external services → broker → supervisor → tenant agent fleet → audit chain → operator.
             Customer's connected services
        (Twilio, Stripe, GHL, Calendly, Google,
                   QuickBooks, etc.)
                           ▲
                           │
                           │  short-lived
                           │  capability-scoped tokens
                           │
┌──────────────────────────┴─────────────────────────┐
│ Capability Broker (Problem 1)                      │
│ Mints ≤5-min action-scoped delegations.            │
│ Long-lived customer credentials never leave here.  │
└──────────────────────────┬─────────────────────────┘
                           │
                           ▼
┌────────────────────────────────────────────────────┐
│ Coordination Supervisor (Problem 2)                │
│ Observes every tool call across the swarm.         │
│ Action-conflict classifier, p99 < 100 ms.          │
└──────────────────────────┬─────────────────────────┘
                           │
     ┌───────────┬─────────┴─┬───────────────┐
     ▼           ▼           ▼               ▼
┌─────────┐ ┌─────────┐ ┌─────────┐     ┌─────────┐
│ Agent A │ │ Agent B │ │ Agent C │ ··· │ Agent N │
│  (μVM)  │ │  (μVM)  │ │  (μVM)  │     │  (μVM)  │
│ tenant T│ │ tenant T│ │ tenant T│     │ tenant T│
└────┬────┘ └────┬────┘ └────┬────┘     └────┬────┘
     │           │           │               │
     └───────────┴─────────┬─┴───────────────┘
                           ▼
┌────────────────────────────────────────────────────┐
│ Audit Chain (Problem 3) — cryptographic,           │
│ replayable, deterministic prose rendering          │
└──────────────────────────┬─────────────────────────┘
                           │
                           ▼
                  Operator dashboard
                    (the SMB owner)

The Firecracker-isolated agents at the bottom of the diagram are the runtime substrate (Problem 1). The supervisor sits between every agent and every external action (Problem 2). The audit chain captures every accepted action and renders it for the operator (Problem 3).
Locked decisions
Five architectural commitments that frame the Phase I work.
Single-region us-west-2 for the agent fleet.
Bedrock AgentCore is GA in us-west-2, and the voice-receptionist latency budget holds at <70 ms cross-country RTT. Multi-region active-active is reserved for the post-SOC-2 enterprise tier.
One shared AWS KMS key with IAM scoping per-customer.
Per-customer KMS keys reserved as Enterprise upsell. The shared-key + IAM-scoped pattern is faster to ship and auditable; the threat model is documented and testable.
Strict semver for the agent setup template, with pinned-version customer activations.
Each version lives at a known path with deprecated_at + sunset_at fields. Patch upgrades auto-apply (security only); minor/major require explicit customer opt-in. This is the substrate the reproducibility of Phase I deliverables sits on.
Capability broker as a separate process from the agent runtime.
The broker is the only system that holds long-lived customer credentials. Agent microVMs request action-scoped delegations on demand. This is what makes Problem 1 testable — we can prove no long-lived credential ever entered an agent context.
Audit-chain anchoring is Merkle-root + DynamoDB; external timestamping is optional.
In Phase I we anchor the chain to an immutable DynamoDB record with a CloudWatch trigger. External public-timestamping (Sigstore, certificate transparency) is reserved for Phase II — the science of operator usability is independent of where the anchor sits.
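The hash-chained audit log and its Merkle-root anchor, as an added example in Python (not the project's own code): each entry commits to its predecessor's hash, verify() recomputes every link so an edited or reordered entry is detected, merkle_root() yields the single value that would be written to the immutable anchor record, and render() is a pure function of the entry so the same entry always produces the same prose. The action field names and the prose format are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the first entry

def canonical(obj) -> bytes:
    # Deterministic encoding so the same action always hashes identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

@dataclass(frozen=True)
class Entry:
    seq: int
    prev_hash: str
    action: dict
    hash: str

def entry_hash(seq: int, prev_hash: str, action: dict) -> str:
    return hashlib.sha256(canonical({"seq": seq, "prev": prev_hash, "action": action})).hexdigest()

class AuditChain:
    """Append-only log where each entry commits to its predecessor's hash."""
    def __init__(self):
        self.entries = []  # list of Entry, in sequence order

    def append(self, action: dict) -> Entry:
        prev = self.entries[-1].hash if self.entries else GENESIS
        seq = len(self.entries)
        e = Entry(seq, prev, action, entry_hash(seq, prev, action))
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        # Recompute every link; an edited, dropped or reordered entry breaks the chain.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.hash != entry_hash(i, prev, e.action):
                return False
            prev = e.hash
        return True

    def merkle_root(self) -> str:
        # Anchor value over the entry hashes; an odd level duplicates its last node.
        level = [bytes.fromhex(e.hash) for e in self.entries] or [bytes.fromhex(GENESIS)]
        while len(level) > 1:
            if len(level) % 2:
                level.append(level[-1])
            level = [hashlib.sha256(level[i] + level[i + 1]).digest() for i in range(0, len(level), 2)]
        return level[0].hex()

def render(e: Entry) -> str:
    # Deterministic prose for the operator dashboard (field names are assumed).
    a = e.action
    return f"#{e.seq}: {a['agent']} called {a['tool']} on {a['target']} for tenant {a['tenant']}"
```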