> ## Documentation Index
> Fetch the complete documentation index at: https://docs-code.palyra.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Repository Structure and Crate Map

<details>
  <summary>Relevant source files</summary>

  The following files were used as context for generating this wiki page:

  * Cargo.lock
  * Cargo.toml
  * crates/palyra-a2ui/Cargo.toml
  * crates/palyra-auth/Cargo.toml
  * crates/palyra-browserd/Cargo.toml
  * crates/palyra-browserd/build.rs
  * crates/palyra-cli/Cargo.toml
  * crates/palyra-cli/build.rs
  * crates/palyra-cli/src/cli.rs
  * crates/palyra-cli/tests/version\_cli.rs
  * crates/palyra-common/Cargo.toml
  * crates/palyra-common/build.rs
  * crates/palyra-common/src/build.rs
  * crates/palyra-common/src/config.rs
  * crates/palyra-common/src/deployment\_profiles.rs
  * crates/palyra-common/src/health.rs
  * crates/palyra-common/src/ids.rs
  * crates/palyra-daemon/Cargo.toml
  * crates/palyra-daemon/build.rs
  * crates/palyra-daemon/src/journal/state\_health.rs
  * crates/palyra-identity/Cargo.toml
  * crates/palyra-plugins/runtime/Cargo.toml
  * crates/palyra-plugins/runtime/src/lib.rs
  * crates/palyra-plugins/sdk/Cargo.toml
  * crates/palyra-plugins/sdk/src/lib.rs
  * crates/palyra-plugins/sdk/wit/palyra-sdk.wit
  * crates/palyra-policy/Cargo.toml
  * crates/palyra-skills/Cargo.toml
</details>

The Palyra repository is organized as a Rust monorepo utilizing Cargo workspaces to manage a suite of interconnected crates, alongside supporting schemas and frontend applications. The architecture is designed to decouple the core agent orchestration logic (the daemon) from the various execution environments (sandboxes, browsers, and workers) and the user interfaces (CLI and Web Console).

## Monorepo Layout

The repository is partitioned into several top-level directories, each serving a distinct phase of the development and deployment lifecycle.

| Directory  | Purpose                                                                                           |
| :--------- | :------------------------------------------------------------------------------------------------ |
| `crates/`  | The primary Rust workspace containing the daemon, CLI, and supporting libraries.                  |
| `schemas/` | Language-agnostic definitions, including Protobuf files for gRPC and JSON schemas for UI updates. |
| `apps/`    | Frontend surfaces including the React-based Web Console and Tauri desktop wrapper.                |
| `infra/`   | Deployment recipes, including Dockerfiles, systemd units, and Compose files.                      |
| `scripts/` | Automation for protocol generation, CI/CD gates, and release packaging.                           |

**Sources:** [Cargo.toml#1-24](http://Cargo.toml#1-24), [crates/palyra-common/src/deployment\_profiles.rs#146-153](http://crates/palyra-common/src/deployment_profiles.rs#146-153)

## Crate Dependency Map

The following diagram illustrates the relationship between the core crates. `palyra-daemon` serves as the central orchestrator, while `palyra-common` provides the shared types used across the entire ecosystem.

### System Entity Relationship Diagram

```mermaid theme={null}
graph TD
    subgraph "Entry Points"
        CLI["palyra-cli (bin: palyra)"]
        DAEMON_BIN["palyra-daemon (bin: palyrad)"]
        BROWSERD["palyra-browserd (bin: palyra-browserd)"]
    end

    subgraph "Core Logic"
        DAEMON_BIN --> CONTROL["palyra-control-plane"]
        DAEMON_BIN --> SAFETY["palyra-safety"]
        DAEMON_BIN --> POLICY["palyra-policy"]
    end

    subgraph "Execution & Security"
        DAEMON_BIN --> SANDBOX["palyra-sandbox"]
        DAEMON_BIN --> PLUGINS["palyra-plugins-runtime"]
        DAEMON_BIN --> VAULT["palyra-vault"]
        DAEMON_BIN --> IDENTITY["palyra-identity"]
        DAEMON_BIN --> EGRESS["palyra-egress-proxy"]
    end

    subgraph "Shared Foundation"
        CONTROL --> COMMON["palyra-common"]
        CLI --> COMMON
        SANDBOX --> COMMON
        BROWSERD --> EGRESS
    end

    subgraph "Protocol Layer"
        DAEMON_BIN -- "gRPC/Protobuf" --> CLI
        DAEMON_BIN -- "gRPC/Protobuf" --> BROWSERD
    end
```

**Sources:** [crates/palyra-daemon/Cargo.toml#25-41](http://crates/palyra-daemon/Cargo.toml#25-41), [crates/palyra-cli/Cargo.toml#25-33](http://crates/palyra-cli/Cargo.toml#25-33), [crates/palyra-browserd/Cargo.toml#22-23](http://crates/palyra-browserd/Cargo.toml#22-23)

## Core Crate Descriptions

### Gateway and Orchestration

* **`palyra-daemon`**: The central gateway. It hosts the agent run loop, manages session state, and exposes gRPC and HTTP APIs. It links almost every other crate to provide a unified runtime [crates/palyra-daemon/Cargo.toml#25-41](http://crates/palyra-daemon/Cargo.toml#25-41).
* **`palyra-control-plane`**: Implements the high-level orchestration logic, including the scheduler for routines and the objective management system [crates/palyra-daemon/Cargo.toml#28](http://crates/palyra-daemon/Cargo.toml#28).
* **`palyra-cli`**: The user-facing terminal interface. It provides tools for local agent interaction, daemon management, and diagnostic "doctor" checks [crates/palyra-cli/Cargo.toml#11-13](http://crates/palyra-cli/Cargo.toml#11-13).

### Security and Identity

* **`palyra-policy`**: Integrates the Cedar policy engine for deny-by-default authorization of tool executions and service access [crates/palyra-daemon/Cargo.toml#33](http://crates/palyra-daemon/Cargo.toml#33).
* **`palyra-safety`**: Provides content inspection and redaction to prevent prompt injection and secret leakage [crates/palyra-daemon/Cargo.toml#36](http://crates/palyra-daemon/Cargo.toml#36).
* **`palyra-identity`**: Manages the Device CA, mTLS certificate rotation, and the secure pairing handshake between nodes [crates/palyra-identity/Cargo.toml#1-5](http://crates/palyra-identity/Cargo.toml#1-5).
* **`palyra-vault`**: Handles envelope encryption and provides a secure abstraction for storing secrets using OS-native backends [crates/palyra-daemon/Cargo.toml#40](http://crates/palyra-daemon/Cargo.toml#40).

### Execution Runtimes

* **`palyra-sandbox`**: Responsible for executing untrusted code via process isolation (Tier B) or containerization (Tier C) [crates/palyra-daemon/Cargo.toml#37](http://crates/palyra-daemon/Cargo.toml#37).
* **`palyra-plugins-runtime`**: A Wasmtime-based runner for Palyra Skills. It enforces strict fuel and memory limits on Wasm plugins [crates/palyra-plugins/runtime/src/lib.rs#1-7](http://crates/palyra-plugins/runtime/src/lib.rs#1-7).
* **`palyra-browserd`**: A standalone service for headless browser automation, isolated from the main daemon to mitigate SSRF and memory exhaustion risks [crates/palyra-browserd/Cargo.toml#11-13](http://crates/palyra-browserd/Cargo.toml#11-13).

## Protocol and Schema Architecture

The workspace uses a code-generation pipeline to ensure type safety across Rust, the Web Console, and potential mobile clients.

### Protobuf Service Map

The `build.rs` scripts in the daemon and CLI crates compile `.proto` files from the `schemas/` directory into Rust stubs using `tonic` [crates/palyra-daemon/build.rs#7-14](http://crates/palyra-daemon/build.rs#7-14).

| Schema File  | Generated Service / Client | Purpose                                                                                                                         |
| :----------- | :------------------------- | :------------------------------------------------------------------------------------------------------------------------------ |
| `gateway.v1` | `GatewayServiceClient`     | Main agent interaction and session management [crates/palyra-daemon/build.rs#8](http://crates/palyra-daemon/build.rs#8).        |
| `memory.v1`  | `MemoryServiceClient`      | Durable fact storage and RAG retrieval [crates/palyra-daemon/build.rs#10](http://crates/palyra-daemon/build.rs#10).             |
| `browser.v1` | `BrowserServiceClient`     | Communication between daemon and `palyra-browserd` [crates/palyra-daemon/build.rs#14](http://crates/palyra-daemon/build.rs#14). |
| `auth.v1`    | `AuthServiceClient`        | Identity verification and pairing flows [crates/palyra-daemon/build.rs#11](http://crates/palyra-daemon/build.rs#11).            |

### Plugin WIT Interface

For Wasm plugins, Palyra uses the WebAssembly Interface Type (WIT) defined in `crates/palyra-plugins/sdk/wit/palyra-sdk.wit`. This defines the Tier A host capabilities, such as `http-count` and `storage-handle`, which are imported by plugins to interact with the host [crates/palyra-plugins/sdk/src/lib.rs#23-43](http://crates/palyra-plugins/sdk/src/lib.rs#23-43).

```mermaid theme={null}
graph LR
    subgraph "Host (palyra-daemon)"
        PR["palyra-plugins-runtime"]
        HC["Host Capabilities (Tier A)"]
    end

    subgraph "Plugin (.wasm)"
        SDK["palyra-plugins-sdk"]
        RUN["run() entrypoint"]
    end

    RUN --> SDK
    SDK -- "Import" --> HC
    PR -- "Fuel/Memory Limits" --> RUN
```

**Sources:** [crates/palyra-plugins/runtime/src/lib.rs#1-7](http://crates/palyra-plugins/runtime/src/lib.rs#1-7), [crates/palyra-plugins/sdk/src/lib.rs#11-25](http://crates/palyra-plugins/sdk/src/lib.rs#11-25)

## Deployment Profiles

The repository defines canonical deployment profiles in `palyra-common` to standardize configuration across different environments. These profiles dictate the default security posture and binding behavior of the services.

* **`local`**: Optimized for desktop use, mapping to the `local_desktop` deployment mode [crates/palyra-common/src/deployment\_profiles.rs#37-47](http://crates/palyra-common/src/deployment_profiles.rs#37-47).
* **`single-vm`**: Designed for remote VPS deployments [crates/palyra-common/src/deployment\_profiles.rs#48-50](http://crates/palyra-common/src/deployment_profiles.rs#48-50).
* **`worker-enabled`**: Extends the VPS profile to include support for networked execution workers [crates/palyra-common/src/deployment\_profiles.rs#72](http://crates/palyra-common/src/deployment_profiles.rs#72).

**Sources:** [crates/palyra-common/src/deployment\_profiles.rs#22-50](http://crates/palyra-common/src/deployment_profiles.rs#22-50)
