REFERENCE DOCUMENTATION

INFRASTRUCTURE MANUAL

Reference manuals, build schemas, and credential variables for deploying inside isolated virtual micro-VM runtimes.

1. Getting Started

DEVELOPMENT DEPLOYER orchestrates secure, isolated build-pipeline runtimes for corporate GitOps streams. By utilizing isolated Firecracker micro-VM containers, workloads execute statelessly without cross-contamination. Unlike traditional containers that share the host kernel, every DEVELOPMENT DEPLOYER build executes inside a dedicated micro-VM. These micro-VMs boot in less than 5 milliseconds, mount a read-only root filesystem, and use jailer processes to restrict jail-break attempts. The host kernel is shielded, preventing cross-tenant leakage or persistent compromised footprints.

SECURITY COMPLIANCE REQUIREMENT: The gateway is configured with hard-coded filters that restrict environment boot actions to verified business entities. Public-domain email assertions (e.g., Gmail, Outlook, Hotmail) will result in immediate termination during the handshake phase.

System Architecture Overview

The runner architecture splits execution into two domains: the untrusted runtime and the trusted hypervisor controller. Workloads operate strictly inside the untrusted guest boundaries, communicating with the host via ring buffers over virtual sockets (vsock).

+-------------------------------------------------------------+ | HOST PHYSICAL SERVER | | +-------------------------------------------------------+ | | | DEVELOPMENT DEPLOYER VIRTUALIZATION ENGINE | | | | +---------------------+ +---------------------+ | | | | | MICRO-VM #1 | | MICRO-VM #2 | | | | | | [Isolated Guest] | | [Isolated Guest] | | | | | | - Read-Only RootFS | | - Read-Only RootFS | | | | | | - Encrypted RAMFS | | - Encrypted RAMFS | | | | | +----------+----------+ +----------+----------+ | | | | | | | | | | v (vsock / tap0) v (vsock/tap0)| | | | +------+---------------------------+-------+ | | | | | Host Hypervisor Kernel (Shielded) | | | | | +------------------------------------------+ | | | +-------------------------------------------------------+ | +-------------------------------------------------------------+

Prerequisites & Setup Checks

Before integrating your repositories with the gateway, verify that your environment satisfies the following infrastructure constraints:

  • OIDC Identity Provider (e.g., Okta, Entra ID, Ping Identity) configured for SAML/OIDC federations
  • Corporate domain email namespaces whitelisted in the Gateway administration registry
  • Hardware-backed security keys (YubiKey, Titan Key, or Apple Secure Enclave) for passkey handshakes
  • SSH Deployment Signatures registered in your corporate secrets vault

Installation Guidelines

The DEVELOPMENT DEPLOYER Command Line Interface (CLI) is compiled statically for all major operating systems. Select your platform below to download and install the agent locally:

macOS (Homebrew Package Manager)

# Tap the official corporate repository
$ brew tap development-deployer/cli
# Install the static binary CLI package
$ brew install devdep-cli

Linux (Debian / Ubuntu Systems)

# Add the secure repository signature key
$ curl -sSL https://apt.development-deployer.enterprise.acme/gpg.key | gpg --dearmor -o /usr/share/keyrings/devdep.gpg

# Add the repository definition list
$ echo "deb [signed-by=/usr/share/keyrings/devdep.gpg] https://apt.development-deployer.enterprise.acme/ stable main" | sudo tee /etc/apt/sources.list.d/devdep.list

# Synchronize package sources and install
$ sudo apt-get update && sudo apt-get install devdep-cli

Windows (Microsoft PowerShell Console)

# Pull down the install wrapper and execute the dynamic installer
PS C:\> iex ((New-Object System.Net.WebClient).DownloadString('https://get.development-deployer.enterprise.acme/install.ps1'))

Initial CLI Configuration

To provision staging or production environments, construct a compliance access file referencing your corporate ID, vault secrets, and metadata definitions. Initialize your system:

# Print active protocol and binary configuration version
$ devdep-cli version
DEVELOPMENT DEPLOYER CLI v4.2.0 (protocol v4.2) [commit: 3f7b2a9e]

# Generate a configuration template containing domain metadata
$ devdep-cli init --entity="Acme Corp" --domain="k8s.prod.acme.com" --out=devdep.yaml
[SUCCESS] Integration schema generated successfully: ./devdep.yaml

2. Authentication & Handshakes

Single Sign-On (SSO) gates operate under strict OIDC guidelines. Workspaces authenticate via scoped corporate identity servers. Public identity providers (such as Gmail, Yahoo, or Outlook) are blocked by default at the edge firewall level to enforce organizational perimeter control.

OIDC Trust Verification Flow

When a session handshake is requested by a client CLI agent or Web Portal, the gateway starts a multi-step identity token exchange:

[OIDC Handshake initiated]
  1. Ingress detects client IP footprint: 198.51.100.42
  2. Client asserts identity scope: devops-ops@acme.corp
  3. IdP Gateway query: resolving metadata XML endpoint... done
  4. Cryptographic assertion: signature check PASS (RSA-2048)
  5. Session Token issued: #DEP-2026 active (compliance window: 15:00)

Passkey & PIN Cryptography

SSO sessions utilize hardware-backed passkeys. Authentication assertions are signed locally on user devices and validated using registered public keys. Plaintext passkeys are never transmitted across the network, ensuring zero exposure to eavesdropping. The client device receives a random cryptographic challenge, signs it using its internal secure chip, and returns only the signature.

Dynamic Token Auditing & Compliance Expiry

Upon successful assertion, the security token has a lifetime of exactly 15 minutes. This window is strictly enforced by the server kernel. If a deployment operation fails to check-in within this countdown window:

  • The active secure session ID is marked invalid at the ingress layer
  • Any active micro-VM container sandbox running under the session ID is immediately terminated
  • The local CLI client session cache is cleared, triggering mandatory re-authentication

3. Pipeline Configuration

Pipeline execution parameters are declared in standard config formats (YAML). Runtimes dynamically inject secrets from registered vault scopes directly to ephemeral micro-VM memories during sandbox bootstrap.

Detailed Schema Syntax

The `devdep.yaml` file controls core resource bounds, rootfs configurations, OIDC bindings, and vault endpoints. Review the production configuration schema below:

version: "4.2"
metadata:
  namespace: acme-prod-gateway
  owner: security-ops
  environment: production

pipeline:
  runtimes:
    - name: api-gateway-worker
      vm_vcpus: 2
      vm_memory_mb: 2048
      base_os: minimal-alpine-3.18
      sandbox:
        read_only_rootfs: true
        network_sandbox: isolated
        allow_dns_resolution: false

  secrets:
    provider: hashicorp-vault
    address: https://vault.prod.acme.com:8200
    key_rotation: automatic
    mappings:
      - env: DB_PASSKEY
        source: prod/database/api-user/password

Vault Secrets Isolation

DEVELOPMENT DEPLOYER enforces strict zero-persistence mechanics for secret keys. Credentials mapped from your provider are injected directly into the kernel memory space of the micro-VM guest. The hypervisor creates an anonymous, unlinked memory file descriptor using `memfd_create` and flags it with `MFD_CLOEXEC`.

The filesystem is mounted inside the sandbox as a ramfs partition. Because it resides entirely in RAM, the credentials vanish instantly on container tear-down, leaving zero trace of security parameters in standard system logs or physical disks.

Lifecycle Execution Hooks

Build jobs run within three strictly separated execution segments:

Hook Name Execution Boundary Description
pre_bootstrap Host Controller Sets up system resources, maps network namespaces, and downloads OIDC metadata to build the trust zone.
run_command Isolated Guest VM Compiles source code, runs integration suites, and packages binaries within the read-only micro-VM sandbox.
post_teardown Host Controller Destroys virtual interfaces, unlinks memory blocks, updates cryptographic hashes, and publishes signed telemetry reports.

4. Network Ingress & Egress

DEVELOPMENT DEPLOYER routes traffic globally to edge distribution points with sub-millisecond route propagation. The system's ingress controller utilizes Anycast routing to distribute traffic to the physically nearest healthy container.

Anycast Routing & Convergence

By utilizing Border Gateway Protocol (BGP) Anycast routing, client requests hit the physically closest edge node. If a regional node encounters performance degradation, automated path checkers instantly adjust BGP weights, rerouting packets to adjacent network gateways without session interruptions.

TLS 1.3 Tunnel Protocols

Every request between CLI agents, vault environments, and API endpoints is encrypted with mTLS (Mutual Transport Layer Security).

  • Strict cipher policy: only TLS 1.3 (Curve25519 for ephemeral key exchange)
  • Strict forward secrecy: certificates are rotated automatically every 12 hours
  • Signature confirmation: SHA-384 message digest hashes are appended to metadata headers

Edge Node Handshake Latencies

Ingress nodes continuously measure path latencies. If a route exceeds nominal threshold limits, traffic is instantly redirected:

# Ingress routing diagnostics output
$ devdep-cli network check-routes

Checking anycast nodes for: acme-prod-gateway
[Node: US-East-1] Ingress check... latency 3.4ms → STATUS: NOMINAL
[Node: EU-West-1] Ingress check... latency 8.1ms → STATUS: NOMINAL
[Node: AP-South-1] Ingress check... latency 12.0ms → STATUS: NOMINAL
Edge distribution routes synced. Packet drop rate: 0.00%

5. CLI Command Reference

The devdep-cli executable is the primary command-line utility for managing corporate gateway configurations, triggering tests, and auditing network runtimes.

Command List Reference

Command Syntax Options & Flags Purpose
devdep-cli auth --provider, --token Authenticates the local terminal context with the enterprise OIDC gateway.
devdep-cli init --entity, --domain, --out Creates a fresh, pre-configured devdep.yaml metadata profile.
devdep-cli validate --file Verifies syntax and matches secrets references against the vault database.
devdep-cli deploy --env, --timeout Boots the micro-VM, checks certificates, executes pipelines, and tears down the VM.
devdep-cli status --ticket Audits session lifespan parameters and verifies active IP footprints.
devdep-cli network check-routes, --verbose Runs route latency measurements across geographic ingress endpoints.

Exit Codes Reference

Automated pipeline integrations evaluate CLI execution status codes. Below are the standard return codes:

Exit Code Identifier Description & Action Required
0 SUCCESS Execution completed without errors. No action required.
101 ERR_OIDC_TIMEOUT The trust verification handshake expired. Re-authenticate via SSO.
102 ERR_DOMAIN_RESTRICTED Public domains are blocked. Login with a provisioned corporate domain email.
201 ERR_VAULT_MISMATCH Ingress could not resolve the Vault endpoint. Verify host endpoint or token permissions.
301 ERR_VM_BOOT_FAILED Host hypervisor initialization failure. Contact on-premise system support.
401 ERR_EGRESS_VIOLATION Sandbox program attempted to call unapproved external IPs. Audit egress routes.

6. Advanced CI/CD Integration

DEVELOPMENT DEPLOYER integrates into enterprise workflow orchestration engines. Rather than storing static gateway keys in pipeline variables, we recommend utilizing OpenID Connect (OIDC) federation to verify identity at execution runtime.

GitHub Actions Workflow

Configure a workflow file under .github/workflows/devdep.yml. Ensure that the permissions block includes id-token: write to allow token generation:

name: DEVELOPMENT DEPLOYER Secure VM Deployment
on:
  push:
    branches: [ "main" ]

permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source Code
        uses: actions/checkout@v4

      - name: Authenticate with DEVELOPMENT DEPLOYER OIDC Gateway
        uses: development-deployer/action-auth@v1
        with:
          gateway-url: "https://devdep.prod.acme.com"
          audience: "devdep-github-actions"

      - name: Execute Isolated VM Sandbox Run
        uses: development-deployer/action-run@v1
        with:
          config-path: "./devdep.yaml"
          environment: "production"

GitLab CI Pipeline Configuration

Configure a workflow inside .gitlab-ci.yml using the federated identity token system:

stages:
  - deploy

devdep_deploy_job:
  stage: deploy
  image: enterprise.development-deployer.acme/devdep-cli:v4.2.0
  id_tokens:
    DEVDEP_JWT:
      aud: devdep-gitlab-actions
  script:
    - devdep-cli auth --provider=gitlab-jwt --token=$DEVDEP_JWT
    - devdep-cli validate --file=./devdep.yaml
    - devdep-cli deploy --env=production
  only:
    - main

7. Troubleshooting & FAQ

Solutions to common problems, firewall logs configuration, and authentication issues.

Frequently Encountered Incidents

Q: Why does my authentication request return "CRITICAL ERROR: INVALID_ENTITY_DOMAIN"?

A: The DEVELOPMENT DEPLOYER edge gateway blocks any credentials linked to public domain structures. Verify that you are logging in with your official corporate identity credentials provider account. If your corporate domain is new, contact your network administrator to whitelist your domain in the gateway registry database.

Q: What happens if the compliance ticket countdown timer runs out?

A: When the 15-minute window expires, the issued OIDC SSO session is immediately revoked, and any micro-VM sandbox container running under that session signature is terminated. To resume work, you must execute a fresh SSO handshake via the authentication portal.

Q: Can I run custom Docker images inside the micro-VM runner?

A: Yes. DEVELOPMENT DEPLOYER supports loading custom base OS images. However, the image must be converted to an uncompressed root filesystem block image (.ext4) and signed with your corporate security key before ingestion.

Q: How does the system handle secrets rotation?

A: If key_rotation: automatic is configured, the gateway queries HashiCorp Vault during vm boot. If a secret has changed, the VM is hot-reloaded with the new credentials injected into memory without causing downtime.

Q: The CLI returns error 401 (Egress Violation). How do I resolve this?

A: This indicates that your build process attempted to query a network address not whitelisted in the pipeline's sandboxing rules. Check your devdep.yaml settings and add the necessary IP domains or services to the approved outbound metadata mapping properties.

Self-Hosted Binaries

RUN DEVELOPMENT DEPLOYER ON-PREMISE

Request integration access to fetch self-hosted server packages or inspect deployment credentials via OIDC.