Skip to content

Atespace: per-tenant scoping for the actor lifecycle#280

Open
Haven Xia (HavenXia) wants to merge 6 commits into
agent-substrate:mainfrom
HavenXia:atespace-inc1
Open

Atespace: per-tenant scoping for the actor lifecycle#280
Haven Xia (HavenXia) wants to merge 6 commits into
agent-substrate:mainfrom
HavenXia:atespace-inc1

Conversation

@HavenXia

@HavenXia Haven Xia (HavenXia) commented Jun 19, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

This is part of solution for #21.

First incremental slice of the atespace design for actors — part of #21. An atespace is a mandatory tenant boundary that every actor belongs to. It's folded into the actor's identity and storage key (actor:<atespace>:<id>), so list/get/delete within a tenant is a cheap key-prefix operation, and actors in different atespaces can reuse the same id without colliding.

This PR adds atespace through the actor lifecycle end-to-end (proto → store → control API → kubectl-ate).

It doesn't touch DNS, snapshots, scheduling, or auth. Landing it on its own so the future changes are additive, and everything that isn't actor-CRUD is explicitly out of scope below.

This PR changes:

  • Proto — every actor RPC request carries an atespace; Actor carries it as part of its identity.
  • Store — actors are keyed actor:<atespace>:<id> - GetActor/DeleteActor/ListActors take an atespace. Listing is a scoped SCAN actor:<atespace>:*, or SCAN actor:* for all atespaces.
  • Control API — create / get / delete / suspend / pause / resume / update are all atespace-scoped. atespace is required and validated as a DNS-1123 label. The syncer's dead-worker recovery is atespace-aware by adding Worker.actor_atespace.
  • changes on kubectl-ate:
    • --atespace / -a on every actor subcommand (create/get/delete/resume/suspend/pause/logs).
    • -A / --all-atespaces to list across all tenants.
    • Add an ATESPACE column in the actor table, the existing namespace column is renamed TEMPLATE NS to disambiguate it from the atespace.

Examples

Scope a listing to one tenant (-a is shorthand for --atespace):

Creation

$ kubectl ate create actor test -t ate-demo-counter/counter --atespace team-a
ATESPACE   TEMPLATE NS        TEMPLATE   ID     STATUS             ATEOM POD   ATEOM IP   VERSION
team-a     ate-demo-counter   counter    test   STATUS_SUSPENDED   <none>                 1

$ kubectl ate create actor test2 -t ate-demo-counter/counter --atespace team-a
ATESPACE   TEMPLATE NS        TEMPLATE   ID      STATUS             ATEOM POD   ATEOM IP   VERSION
team-a     ate-demo-counter   counter    test2   STATUS_SUSPENDED   <none>                 1

$ kubectl ate create actor test -t ate-demo-counter/counter --atespace team-b
ATESPACE   TEMPLATE NS        TEMPLATE   ID     STATUS             ATEOM POD   ATEOM IP   VERSION
team-b     ate-demo-counter   counter    test   STATUS_SUSPENDED   <none>                 1

Get by atespaces

$ kubectl ate get actors -A
ATESPACE   TEMPLATE NS        TEMPLATE   ID      STATUS             ATEOM POD   ATEOM IP   VERSION
team-a     ate-demo-counter   counter    test    STATUS_SUSPENDED   <none>                 1
team-a     ate-demo-counter   counter    test2   STATUS_SUSPENDED   <none>                 1
team-b     ate-demo-counter   counter    test    STATUS_SUSPENDED   <none>                 1

$ kubectl ate get actors -a team-a
ATESPACE   TEMPLATE NS        TEMPLATE   ID      STATUS             ATEOM POD   ATEOM IP   VERSION
team-a     ate-demo-counter   counter    test    STATUS_SUSPENDED   <none>                 1
team-a     ate-demo-counter   counter    test2   STATUS_SUSPENDED   <none>                 1

$ kubectl ate get actors -a team-b
ATESPACE   TEMPLATE NS        TEMPLATE   ID     STATUS             ATEOM POD   ATEOM IP   VERSION
team-b     ate-demo-counter   counter    test   STATUS_SUSPENDED   <none>                 1

Resume & Suspend

$ kubectl ate resume actor test -a team-a
ATESPACE   TEMPLATE NS        TEMPLATE   ID     STATUS           ATEOM POD                                              ATEOM IP     VERSION
team-a     ate-demo-counter   counter    test   STATUS_RUNNING   ate-demo-counter/counter-deployment-5d9b77d6fd-r846n   10.52.3.86   3

$ kubectl ate get actors -a team-a
ATESPACE   TEMPLATE NS        TEMPLATE   ID      STATUS             ATEOM POD                                              ATEOM IP     VERSION
team-a     ate-demo-counter   counter    test    STATUS_RUNNING     ate-demo-counter/counter-deployment-5d9b77d6fd-r846n   10.52.3.86   3
team-a     ate-demo-counter   counter    test2   STATUS_SUSPENDED   <none>                                                              1

$ kubectl ate suspend actor test -a team-a
ATESPACE   TEMPLATE NS        TEMPLATE   ID     STATUS             ATEOM POD   ATEOM IP   VERSION
team-a     ate-demo-counter   counter    test   STATUS_SUSPENDED   <none>                 5

Scope / non-goals

Deferred to later atespace increments (intentionally not in this PR): the Atespace object + CRUD
RPCs, DNS names, snapshot paths, template grants, the worker's own (system) atespace, and quota.

  • Tests pass
  • Appropriate documentation

@HavenXia Haven Xia (HavenXia) changed the title Atespace inc1 The initial shape of atespace Jun 19, 2026
@HavenXia Haven Xia (HavenXia) changed the title The initial shape of atespace Atespace: per-tenant scoping for the actor lifecycle Jun 19, 2026
@HavenXia Haven Xia (HavenXia) marked this pull request as ready for review June 19, 2026 19:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@HavenXia