Architecture

Tonbo Artifacts splits into three planes that fail independently. Knowing the model makes the failure behavior easy to reason about.

Tonbo Artifacts splits into three planes. Each fails independently; a problem in one doesn't propagate to the others.

The three planes

PlaneWhere it livesWhat it holds
Data planeYour S3 bucket (BYO) or a Tonbo-managed S3 prefixImmutable file chunks (≤4 MiB blocks)
Metadata planeTonbo-operated metadata storePer-workspace directory tree, file index, per-mount permissions
Control planeTonbo Orchestrator APIAuth, workspace lifecycle, mount-session issuance

On the customer host, a sidecar agent process (the artifacts binary, started by artifacts mount) serves the FUSE mount. It owns the on-disk metadata + chunk cache and talks to the metadata and data planes directly. The control plane is not in the read/write path. It shows up only on login, workspace create/delete, and the initial mount-session handshake.

        Agent VM                      Tonbo                        S3
        --------                      -----                        --

   +-----------------+        +--------------------+
   |   FUSE mount    |        |   Orchestrator     |
   |                 |  <-->  |  (control plane)   |
   |  sidecar agent  |        +--------------------+
   |     process     |
   |                 |        +--------------------+
   |   local cache   |  <-->  |   Metadata store   |
   +-----------------+        +--------------------+
           |
           |  chunks (read / write)
           +-------------------------------------------------> +--------+
                                                               | chunks |
                                                               +--------+

Failure isolation

If this is unavailableExisting mountsNew operations
OrchestratorReads and writes continue; metadata flows directly between the sidecar and the metadata storelogin, workspace create/delete, mount blocked
Metadata storeCached lookups still serve from the sidecar; uncached lookups and metadata writes return errorsMounts that need fresh metadata fail to start
Chunk store (S3)Cached chunks read normally; uncached reads block until S3 returnsWrites buffer to local cache, then back-pressure
Sidecar agent processThat host's mount stops responding; artifacts mount re-establishes it. Other hosts unaffected.Other hosts unaffected
Agent VMNothing on the workspace is lost. Chunks remain in S3, metadata in the metadata store.None

Durability

No customer data ever lives only on the agent VM. The local cache is a performance artifact; losing it is a latency event, not a data event.

Chunks (data plane). Chunks are written to S3 on file close and on explicit fsync. S3 provides eleven nines of durability. In BYO mode, your bucket's existing properties (versioning, replication, lifecycle) apply unchanged.

Metadata (metadata plane). Metadata updates are committed to the metadata store before the originating operation (or fsync) returns. The metadata store rotates a full snapshot to a separate S3 region at least daily. Recovery from process crash is log replay on the metadata store; recovery from host loss is snapshot restore.

Chunks and the index. A chunk's object key is a sequential slice id assigned by the metadata store, not a content hash; the same bytes written twice land in different chunks. The file-to-chunk index lives in the metadata store, so backup, restore, and migration move that metadata snapshot alongside the chunks rather than reconstructing the index from the bucket.

Isolation

Each workspace is a separate namespace inside the metadata store. A mount-session token is scoped to exactly one workspace; it cannot enumerate or read any other workspace's metadata, even within the same organization.

In managed mode, the data plane is scoped the same way. The IAM credentials issued to a mount session can only read or write within that workspace's S3 prefix.

In BYO mode, S3 credentials never leave the customer host. The orchestrator never holds them and the metadata store never holds them. A Tonbo operator with full operational access to either plane cannot read your bytes.

Exit

In BYO mode the customer owns the data path end-to-end. Chunks live under documented prefixes in your bucket as stable, immutable objects readable by any S3-aware tool (aws s3 sync, rclone, s3cmd) without Tonbo running and without Tonbo's permission. Reconstructing files (names, tree, permissions) additionally needs the metadata index, which Tonbo holds; the bytes themselves are never locked to Tonbo.