Internal Resource Kit

Multi-Tenant
Orchestration
Platform

Declarative infrastructure orchestration for multi-tenant systems. Built entirely on the Cloudflare Developer Platform.

Explore Architecture View Sandbox

Packages

CF Services

SDK Functions

<10ms

Auth Latency

Master-Shard Architecture

Two-tier orchestration model where the Master declares desired state and Shard Controllers converge actual state to match.

Master Account

The Brain

Control Plane API

D1: Inventory Database

R2: Bundle Storage

Reconciliation Worker

CRON Self-Healing Engine

Shard Accounts

The Muscle (N accounts)

Shard Controller

Dispatch Namespaces

Per-App D1 Databases

Per-App R2 Buckets

Per-App KV Namespaces

Master declares state

Queue + HTTP sync

Shard converges

Self-healing

Declarative Control Plane

Every application is defined in a single factory.yaml manifest. IrK provisions all infrastructure idempotently — D1 databases, R2 buckets, KV namespaces, secrets, and RBAC roles.

Idempotent provisioning — re-deploying is always safe

Resources named with prefix-first convention for collision prevention

Bindings auto-injected into Dispatch Namespace

factory.yaml

apiVersion: v1
kind: Application
metadata:
  name: crm
  tenantID: 018e936a-7332-...
spec:
  version: 1.2.0
  resources:
    d1: [customers, inventory]
    r2: [attachments]
    kv: [sessions]
  secrets:
    - STRIPE_API_KEY
    - TWILIO_TOKEN
  rbac:
    roles: [admin, sales, support]

The Petabyte SDK

5 core functions that abstract all IrK complexity. Tenant isolation is automatic — there is no "unscoped" mode.

Authentication

getUser(request, env)

Returns user identity with tenant context, roles, and permissions. Better Auth sessions with signed cookies.

Authorization

checkPermission(uid, action, resource)

Zanzibar-Lite ReBAC engine. Graph-traversal authorization with sub-10ms latency on hot path.

Database

db(env, 'customers')

Per-app D1 databases, tenant-scoped automatically. Query, insert, update, delete with type safety.

Storage

storage(env, 'attachments')

Per-app R2 buckets with put, get, delete, list operations. Tenant-scoped with zero configuration.

Secrets

secrets(env).get('API_KEY')

App-scoped, read-only access to Worker Secrets. Scoped to Dispatch Namespace for blast radius containment.

Zero Vulnerability Surface

The SDK enforces isolation at the platform level. A developer using it correctly cannot create a multi-tenancy vulnerability.

Structural Isolation

Multi-tenancy enforced at the infrastructure layer, not in application code. Six layers of isolation guarantee blast radius containment.

Layer	Mechanism	Enforced By
Network	Separate Cloudflare accounts per shard	Account boundaries
Compute	V8 isolates per Dispatch Namespace script	Cloudflare runtime
Data	Per-app D1, R2, KV bindings	Infrastructure provisioning
Auth	Better Auth sessions + Zanzibar-Lite tuples	Better Auth + D1
Secrets	Worker Secrets scoped to app	Cloudflare Secrets API
Naming	Prefix-first resource convention	SPEC-001 validation

Bundle Pipeline

From git push to live deployment. HMAC-SHA256 signed bundles verified at every step.

git push

GitHub Actions CI

Build + Sign

HMAC-SHA256 bundle

Reconcile

Verify + enqueue

Shard Deploy

Provision resources

Live

app.svcN.example.com

Security by Design

Every layer encrypted. Every bundle signed. Every secret rotatable. Cloudflare manages TLS 1.3 in transit and AES-256 at rest.

BETTER_AUTH_SECRET

HMAC-SHA256 — User session signing

MASSIVE_BRIDGE_KEY

HMAC-SHA256 — Admin plane JWT signing

BUNDLE_SIGNING_KEY

HMAC-SHA256 — Bundle integrity verification

SHARD_SECRET_N

Symmetric — Master ↔ Shard authentication

Encryption Coverage

In Transit (TLS 1.3) 100%

At Rest (AES-256) 100%

D1 (Inventory DB + per-app databases)

R2 (Bundles, logs, exports)

KV (Rate limiting + app KV)

Workers Secrets (write-only API)

Cloudflare Queues

Monorepo Packages

Nine packages orchestrating the full platform lifecycle. TypeScript throughout, pnpm workspaces, Vitest testing.

@petabyte/sdk

Developer SDK — getUser, checkPermission, db, storage, secrets

@irk/control-plane-api

Master-side API — state management, orchestration, auth bridge

@irk/shard-controller

Shard-side orchestrator — provision, deploy, reconcile via Queues

@irk/auth

Identity Engine — Better Auth, OAuth, 2FA, device flow

@irk/massive

Admin UI — SvelteKit dashboard for tenant and app management

@irk/reconciliation-worker

Async job processor — bundle intake, R2 events, app reconciliation

@irk/cli

Command-line interface — 17 commands, bridge JWT auth

@irk/bootstrap

System initialization — idempotent setup for master + shards

@irk/shared

Monorepo types & utilities — error codes, schemas, constants

Tech Stack

Cloudflare

Workers, D1, R2, KV, Queues

TypeScript

Strict mode, ESM

Svelte 5

SvelteKit + Tailwind 4

Vitest

Istanbul + Codecov

Wrangler

CF Workers CLI

Better Auth

Sessions, OAuth, 2FA

GitHub Actions

CI/CD pipeline

pnpm

Monorepo workspaces

See the Developer Tools

irk-sandbox brings the full Cloudflare API surface to your local machine. Test Workers, D1, KV, R2, Durable Objects, and more without touching production.

Explore irk-sandbox

Multi-Tenant Orchestration Platform