service-vm-tenant — PointSav Documentation

The tenant proxy is the customer-facing layer of the PPN VM resource pool. It accepts spawn, destroy, and status requests from authenticated callers and enforces the tenant contract before forwarding to the fleet controller.

[edit]Authentication and namespace isolation

Authentication uses bearer tokens issued at tenant provisioning time. Each token carries a tenant identifier that the proxy uses to namespace all VM records. A tenant may not query, modify, or destroy VMs belonging to another tenant; the proxy enforces this at every endpoint before any fleet interaction.

[edit]Quota enforcement

Each tenant is assigned a capacity ceiling at provisioning time. The proxy checks current allocated capacity against the ceiling before forwarding a spawn request; requests that would exceed the quota are rejected. Concurrent creates from the same tenant are serialised through a per-tenant gate to prevent two simultaneous requests from both passing the quota check against the same pre-spawn total.

[edit]Audit trail

All write operations are appended to an immutable audit log. Each entry records the tenant identifier, VM identifier, operation type, timestamp, and request source. The log is append-only; no path touches existing entries.

[edit]See also

PPN VM Resource Pool Architecture — full architecture overview including fleet controller, host agent, and tenant proxy
PPN Tenant VM Isolation — the isolation model enforced by the tenant proxy
service-vm-fleet — the fleet controller that receives forwarded spawn requests

Woodfine Capital Projects™, MCorp™, PointSav Digital Systems™, Totebox Orchestration™, Totebox Archive™, and Capability Geometry™ are trademarks of Woodfine Capital Projects Inc., used in Canada, the United States, Latin America, and Europe. All other trademarks are the property of their respective owners.