Monorepo Layout
The repository is partitioned into several top-level directories, each serving a distinct phase of the development and deployment lifecycle.

| Directory | Purpose |
|---|---|
| crates/ | The primary Rust workspace containing the daemon, CLI, and supporting libraries. |
| schemas/ | Language-agnostic definitions, including Protobuf files for gRPC and JSON schemas for UI updates. |
| apps/ | Frontend surfaces including the React-based Web Console and Tauri desktop wrapper. |
| infra/ | Deployment recipes, including Dockerfiles, systemd units, and Compose files. |
| scripts/ | Automation for protocol generation, CI/CD gates, and release packaging. |
Crate Dependency Map
The following diagram illustrates the relationship between the core crates. palyra-daemon serves as the central orchestrator, while palyra-common provides the shared types used across the entire ecosystem.
System Entity Relationship Diagram
Sources: crates/palyra-daemon/Cargo.toml#25-41, crates/palyra-cli/Cargo.toml#25-33, crates/palyra-browserd/Cargo.toml#22-23
Core Crate Descriptions
Gateway and Orchestration
- palyra-daemon: The central gateway. It hosts the agent run loop, manages session state, and exposes gRPC and HTTP APIs. It links almost every other crate to provide a unified runtime crates/palyra-daemon/Cargo.toml#25-41.
- palyra-control-plane: Implements the high-level orchestration logic, including the scheduler for routines and the objective management system crates/palyra-daemon/Cargo.toml#28.
- palyra-cli: The user-facing terminal interface. It provides tools for local agent interaction, daemon management, and diagnostic “doctor” checks crates/palyra-cli/Cargo.toml#11-13.
Security and Identity
- palyra-policy: Integrates the Cedar policy engine for deny-by-default authorization of tool executions and service access crates/palyra-daemon/Cargo.toml#33.
- palyra-safety: Provides content inspection and redaction to prevent prompt injection and secret leakage crates/palyra-daemon/Cargo.toml#36.
- palyra-identity: Manages the Device CA, mTLS certificate rotation, and the secure pairing handshake between nodes crates/palyra-identity/Cargo.toml#1-5.
- palyra-vault: Handles envelope encryption and provides a secure abstraction for storing secrets using OS-native backends crates/palyra-daemon/Cargo.toml#40.
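The deny-by-default behaviour described for palyra-policy above follows Cedar's decision rule: a request is allowed only if at least one permit matches and no forbid matches. The sketch below is an added example that models that rule with the standard library only; it is not palyra-policy code and does not use the Cedar API, and the `Rule` and `Request` types and all principal, tool and service names are hypothetical.

```rust
// Added illustration, not palyra-policy code and not the Cedar API.
// Rule, Request and every principal/tool name below are hypothetical.
#[derive(Clone, Copy)]
enum Effect { Permit, Forbid }

#[derive(Debug, PartialEq)]
enum Decision { Allow, Deny }

struct Rule {
    effect: Effect,
    principal: Option<&'static str>, // None matches any principal
    action: &'static str,
    resource_prefix: &'static str, // matches resources that start with this
}

struct Request<'a> { principal: &'a str, action: &'a str, resource: &'a str }

impl Rule {
    fn matches(&self, req: &Request) -> bool {
        self.principal.map_or(true, |p| p == req.principal)
            && self.action == req.action
            && req.resource.starts_with(self.resource_prefix)
    }
}

// Cedar's decision rule: a matching forbid always wins, otherwise at least
// one matching permit is required, and no match at all means Deny.
fn authorize(rules: &[Rule], req: &Request) -> Decision {
    let mut permitted = false;
    for rule in rules.iter().filter(|r| r.matches(req)) {
        match rule.effect {
            Effect::Forbid => return Decision::Deny,
            Effect::Permit => permitted = true,
        }
    }
    if permitted { Decision::Allow } else { Decision::Deny }
}

// Constructed sample policy set.
fn sample_rules() -> Vec<Rule> {
    vec![
        Rule { effect: Effect::Permit, principal: Some("agent:research"), action: "execute", resource_prefix: "tool:fs." },
        Rule { effect: Effect::Forbid, principal: None, action: "execute", resource_prefix: "tool:fs.delete" },
        Rule { effect: Effect::Permit, principal: None, action: "connect", resource_prefix: "service:browserd" },
    ]
}

fn main() {
    let rules = sample_rules();
    for resource in ["tool:fs.read", "tool:fs.delete", "tool:shell.run"] {
        let req = Request { principal: "agent:research", action: "execute", resource };
        println!("{resource}: {:?}", authorize(&rules, &req));
    }
}
```

A tool with no matching permit is denied without any rule naming it, so adding a new tool to the runtime grants nothing until a policy is written for it.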
Execution Runtimes
- palyra-sandbox: Responsible for executing untrusted code via process isolation (Tier B) or containerization (Tier C) crates/palyra-daemon/Cargo.toml#37.
- palyra-plugins-runtime: A Wasmtime-based runner for Palyra Skills. It enforces strict fuel and memory limits on Wasm plugins crates/palyra-plugins/runtime/src/lib.rs#1-7.
- palyra-browserd: A standalone service for headless browser automation, isolated from the main daemon to mitigate SSRF and memory exhaustion risks crates/palyra-browserd/Cargo.toml#11-13.
Protocol and Schema Architecture
The workspace uses a code-generation pipeline to ensure type safety across Rust, the Web Console, and potential mobile clients.
Protobuf Service Map
The build.rs scripts in the daemon and CLI crates compile .proto files from the schemas/ directory into Rust stubs using tonic crates/palyra-daemon/build.rs#7-14.

| Schema File | Generated Service / Client | Purpose |
|---|---|---|
| gateway.v1 | GatewayServiceClient | Main agent interaction and session management crates/palyra-daemon/build.rs#8. |
| memory.v1 | MemoryServiceClient | Durable fact storage and RAG retrieval crates/palyra-daemon/build.rs#10. |
| browser.v1 | BrowserServiceClient | Communication between daemon and palyra-browserd crates/palyra-daemon/build.rs#14. |
| auth.v1 | AuthServiceClient | Identity verification and pairing flows crates/palyra-daemon/build.rs#11. |
Plugin WIT Interface
For Wasm plugins, Palyra uses the WebAssembly Interface Type (WIT) defined in crates/palyra-plugins/sdk/wit/palyra-sdk.wit. This defines the Tier A host capabilities, such as http-count and storage-handle, which are imported by plugins to interact with the host crates/palyra-plugins/sdk/src/lib.rs#23-43.
Sources: crates/palyra-plugins/runtime/src/lib.rs#1-7, crates/palyra-plugins/sdk/src/lib.rs#11-25
Deployment Profiles
The repository defines canonical deployment profiles in palyra-common to standardize configuration across different environments. These profiles dictate the default security posture and binding behavior of the services.
- local: Optimized for desktop use, mapping to the local_desktop deployment mode crates/palyra-common/src/deployment_profiles.rs#37-47.
- single-vm: Designed for remote VPS deployments crates/palyra-common/src/deployment_profiles.rs#48-50.
- worker-enabled: Extends the VPS profile to include support for networked execution workers crates/palyra-common/src/deployment_profiles.rs#72.