Dashboard
Server-rendered operator views, launch controls, live-view shell, and emergency release.
SYSTEM ARCHITECTURE
Tabyard keeps identity, policy, and lifecycle authority away from hostile web content. The browser runtime remains replaceable behind a narrow adapter.
STABLE CONNECTION MODEL
COMPONENT RESPONSIBILITIES
The control plane never needs to become the browser runtime, and a compromised worker never receives database, host, or root platform access.
Server-rendered operator views, launch controls, live-view shell, and emergency release.
Authentication, policy, allocation, lifecycle state, grant issuance, and reconciliation.
Authoritative sessions, workers, leases, tokens, policy snapshots, and audit events.
A stable Tabyard contract around replaceable worker-specific response shapes.
Authenticated HTTP and WebSocket transport for scoped CDP and viewer grants.
Independent browser runtimes with explicit health, capacity, quarantine, and egress.
SESSION STATE
A caller passes authentication and policy checks.
A worker lease is reserved before browser startup.
The scoped connection is available until release or timeout.
Connections close and cleanup runs idempotently.
The terminal event and lease outcome are recorded.
Every uncertain path enters reconciliation before a worker becomes eligible again.
ONE-VPS DIRECTION
The next safe scaling step is three independently declared workers, one lease per worker, and no published raw runtime ports.
NEXT BOUNDARY