Cephalon Technology Packs
Technology packs are the runtime companion pattern for future-facing workloads in Cephalon.
They sit between pure metadata and full application blueprints:
- Blueprints define project shape
- Patterns define supporting design behavior
- Technologies define workload posture
- Technology packs provide reusable runtime primitives for those technologies
Maturity, ownership, and long-range alignment
Each shipped technology pack carries explicit maturity (M0 through M4) and an ownership mode (taxonomy-only / application-managed / cephalon-managed / provider-managed). Read those labels before assuming a pack is runtime-ready:
- per-package truth: engine-surface-maturity-audit.md
- consolidated cross-reference covering technology packs and every other shipped family: conformance-matrix.md
- per-pack runtime surfaces (/engine/* routes, snapshot.* keys, catalog interfaces): runtime-contract-index.md
Technology pack selection is also a long-range planning decision; not every workload that sounds plausible today belongs in the engine. Use long-range-direction.md to check that a candidate pack’s substrate, provider boundary, and lifetime expectation match the engine’s multi-horizon stance before introducing a new pack family. Packs that feel right for one transient era should ship as additive companion packs, not as engine-core sprawl.
Authoring guardrails for a new technology pack are unchanged below; the table here is the adopter-facing maturity reminder so consumers do not assume M0 taxonomy-only packs already own runtime execution.
Why this exists
Technology profiles should not stop at documentation or scaffold hints. When a workload becomes important enough to need reusable services, capabilities, or conventions, it should move into a companion package instead of forcing changes into the engine core.
That keeps the engine extensible without making every new trend a built-in subsystem.
Some profiles can also start as engine-owned contract baselines before a dedicated companion pack
exists. The new cell-based-architecture profile now follows that path: the engine ships
CellBoundaryDescriptor, CellRouteDescriptor, CellHealthIsolationDescriptor,
CellTrafficAutomationRuntimeDescriptor, /engine/cells, /engine/cell-routes,
/engine/cell-health-isolations, /engine/cell-traffic-automations, and the
cell-boundaries, cell-routes, cell-health-isolations, plus cell-traffic-automations
technology runtime surfaces today. That engine-owned baseline now also carries additive
providerId plus edgeNodeIds targeting on the shared automation catalog. The shared
materialization seam is now also explicit through CellTrafficAutomationMaterializationResult,
CellTrafficAutomationMaterializationStates, ICellTrafficAutomationProviderMaterializer, and
ICellTrafficAutomationEdgeMaterializer; Cephalon.Edge now ships the first concrete
edge-runtime materializer while the provider-named result/state types stay available as
compatibility helpers over the same contract. Future service-mesh, gateway, or provider companion
packs can reconcile provider-owned or edge-owned traffic posture back onto the same shared
automation catalog instead of publishing a second materialization registry. The first concrete
provider-specific control-plane follow-through is now also shipped through
Cephalon.Edge.KubernetesGateway, which projects Kubernetes Gateway API Gateway plus HTTPRoute
intent back onto the same shared automation catalog and publishes that view through the
kubernetes-gateway-traffic-materializations technology surface. That same pack now also supports
opt-in live observe-only Gateway API polling plus apply-and-reconcile ownership-aware
HTTPRoute writes so projected intent, write posture, and observed control-plane status can stay
on one runtime truth instead of spawning a second provider-local view.
Shipped baseline packs
Current baseline packages:
- Cephalon.Agentics
  - runtime services and capability activation for AgenticWorkloads
  - registers IAgentToolCatalog when the profile is selected
  - registers the Cephalon-managed abstraction-level IAgentToolDispatcher, abstraction-level IAgentToolRunCatalog, and IAgentToolRunReporter when execution is enabled
  - lets ASP.NET Core hosts trigger one bounded managed run through POST /engine/agent-tools/{toolId}/runs without taking a dependency on implementation types
  - can retry failed executor attempts inside the same process when ExecutionMaxAttempts is greater than 1, reporting retry-scheduled run-state posture instead of claiming durable retry ownership
  - can suppress duplicate completed toolId + runId executions inside the same process when EnableExecutionIdempotency is enabled, reporting skipped duplicate-completed posture instead of claiming durable inbox or cross-node exactly-once ownership
  - lets operators filter approval-blocked and terminal-failed runs through /engine/agent-tool-runs/approval-required and /engine/agent-tool-runs/terminal-failures
  - lets modules add IAgentToolExecutor, IAgentToolExecutionPolicy, and IAgentToolExecutionObserver services without making the host own the tool loop
- Cephalon.Eventing
  - runtime services and capability activation for EventDrivenIntegration
  - registers IEventChannelCatalog, IEventSubscriptionCatalog, IEventSubscriptionExecutionBindingCatalog, the abstraction-level IEventSubscriptionExecutionReadinessCatalog, the abstraction-level IEventPublicationRuntimeCatalog, the abstraction-level event-dispatch runtime descriptor/state catalogs, and stable event subscription plus dispatch runtime metadata keys when the profile and options enable those paths
  - lets Cephalon.Engine, host adapters, and operator tooling read subscription execution readiness through /engine/event-subscription-readiness and snapshot.EventSubscriptionExecutionReadiness without taking a direct dependency on the eventing pack
  - registers the abstraction-level IEventPublicationDispatcher when a real publishing path exists, allowing host adapters to expose bounded publication actions such as POST /engine/event-publications without depending on eventing implementation types
  - lets Cephalon.Engine, host adapters, and operator tooling read publication runtime state through /engine/event-publications/runtime* and snapshot.EventPublicationStates, with in-process outcomes separated from outbox accepted handoff truth
  - can opt into a Cephalon-managed direct in-process subscription execution lane through EnableInProcessSubscriptionExecution, registered IEventSubscriptionExecutor services, and IEventPublisher, including bounded process-local retries through InProcessSubscriptionMaxAttempts / InProcessSubscriptionRetryDelayMilliseconds and duplicate-completed execution suppression through EnableInProcessSubscriptionIdempotency / InProcessSubscriptionIdempotencyRetentionMinutes when explicitly configured, without claiming durable broker, durable inbox, cross-node exactly-once, durable retry-queue, or distributed retry ownership
- Cephalon.Eventing.Wolverine
  - optional companion adapter proof for managed dispatch over EventDrivenIntegration
  - projects runtime truth for the current Wolverine-backed outbox, dispatch loop, bounded provider-managed dispatch retry with terminal storage semantics, first-class terminal dispatch-state/summary posture, managed subscription bindings, bounded provider-managed subscription retry, terminal exhausted-attempt failure posture, and subscription readiness without turning Wolverine into an engine-core dependency
- Cephalon.Retrieval
  - runtime services and capability activation for KnowledgeRetrieval
  - registers IKnowledgeCatalog, the abstraction-level IKnowledgeIndexCatalog, IKnowledgeIndexer, and IKnowledgeQueryEngine when the profile and options enable those paths
  - lets modules add IKnowledgeDocumentProvider services so Cephalon can build a managed lexical index, bounded query path, operator reindex path, and opt-in background reindex scheduler without making hosts own the retrieval loop
- Cephalon.MultiTenancy
  - runtime services and capability activation for MultiTenancy
  - registers ITenantResolver and ITenantContextAccessor when the profile is selected
  - projects tenant-resolution for the shipped core and tenant-governance-boundaries for companion-owned or companion-planned governance workflows
- Cephalon.MultiTenancy.Governance
  - tenant-governance companion pack for MultiTenancy
  - registers ITenantMembershipStore with an in-memory default or opt-in file-backed durable store
  - registers ITenantMembershipCatalog and ITenantMembershipEvaluator when membership evaluation is enabled
  - registers ITenantInvitationStore with an in-memory default or opt-in file-backed durable store
  - registers ITenantInvitationCatalog and ITenantInvitationValidator when invitation validation is enabled
  - registers ITenantInvitationDeliveryRunCatalog and ITenantInvitationDeliveryDispatcher when invitation delivery dispatch is enabled; external delivery requires a registered ITenantInvitationDeliverySender
  - registers ITenantInvitationDeliveryRetryStore, ITenantInvitationDeliveryRetryRunner, ITenantInvitationDeliveryRetryExecutionCoordinationCatalog, and ITenantInvitationDeliveryRetryRuntimeCatalog when the opt-in invitation delivery retry queue is enabled, with an in-memory default, opt-in file-backed durable store, process-local execution coordination, and opt-in background scheduling hosted service
  - registers ITenantInvitationDeliveryStatusReconciler when invitation delivery status reconciliation is enabled; provider-specific callback translation, provider-specific signature verification, and provider polling stay outside the core pack and belong in host adapters or provider companions such as the SendGrid, Mailgun, and Amazon SES ASP.NET Core translators
  - registers ITenantInvitationDeliveryStatusObservationStore with an in-memory default or opt-in file-backed durable store for normalized reconciliation observations
  - registers ITenantAdministrationWorkflow when tenant-administration workflow execution is enabled
  - registers ITenantDomainOwnershipStore with an in-memory default or opt-in file-backed durable store
  - registers ITenantDomainOwnershipCatalog and ITenantDomainOwnershipValidator when domain-ownership validation is enabled
  - registers ITenantDomainOwnershipVerificationWorkflow when in-process domain-ownership verification workflows are enabled
  - registers ITenantDomainOwnershipProofChallengeIssuer when domain proof challenge issuance is enabled
  - registers ITenantDomainOwnershipProofPublicationPlanner when domain proof publication planning is enabled
  - registers ITenantDomainOwnershipHttpProofPublisher and ITenantDomainOwnershipHttpProofPublicationCatalog when HTTP proof publication is enabled
  - registers ITenantDomainOwnershipProofEvaluator when domain proof evaluation and the verification workflow are enabled
  - registers ITenantDomainOwnershipHttpProofCollector when HTTP proof collection, publication planning, proof evaluation, and the verification workflow are enabled
  - registers ITenantDomainOwnershipDnsTxtProofCollector when DNS TXT proof collection, publication planning, proof evaluation, and the verification workflow are enabled; collection becomes Cephalon-managed only when a DNS-over-HTTPS resolver endpoint is configured
  - registers ITenantDomainOwnershipProofPollingRunner when the proof verification runner is enabled so hosts can run bounded on-demand polling over pending or rejected HTTP/DNS declarations without owning the loop themselves
  - registers ITenantDomainOwnershipProofVerificationRunner when challenge issuance, publication planning, proof evaluation, and the verification workflow are enabled
  - registers ITenantGovernanceActionCatalog and ITenantGovernanceActionDecider when governance-action decisions are enabled
  - registers ITenantGovernanceActionStore with an in-memory default or opt-in file-backed durable store
  - registers ITenantGovernanceActionWorkflow when in-process governance-action workflows are enabled
  - projects tenant-memberships for the Cephalon-managed membership catalog, store, and evaluation proof
  - projects tenant-invitations for the Cephalon-managed invitation catalog, store, validation, delivery dispatch, sender readiness, delivery-run, opt-in retry queue, process-local retry execution coordination, delivery-status reconciliation, and normalized observation-store proof
  - projects tenant-domain-ownership for the Cephalon-managed declared domain-ownership catalog, store, validation, in-process verification-workflow, proof-challenge issuance, proof-publication planning, HTTP file proof-publication state, reported-proof evaluation, HTTP file proof-collection proof, and configured DNS TXT proof-collection proof
  - projects tenant-governance-actions for the Cephalon-managed approval/remediation action catalog, decision, in-process workflow, and action-store proof
- Cephalon.MultiTenancy.Governance.AspNetCore
  - optional ASP.NET Core adapter for Cephalon.MultiTenancy.Governance
  - maps MapCephalonTenantDomainOwnershipHttpProofs() so published HTTP proof files can be served from ASP.NET Core hosts
  - maps MapCephalonTenantAdministrationCommands() so tenant-administration workflow commands can be exposed through a fail-closed ASP.NET Core endpoint
  - maps MapCephalonTenantInvitationDeliveryDispatches() so tenant-invitation delivery dispatch can be requested through a fail-closed ASP.NET Core endpoint over the host-agnostic dispatcher
  - maps MapCephalonTenantInvitationDeliveryStatusCallbacks() so normalized invitation delivery-status observations can be reconciled through a fail-closed ASP.NET Core endpoint
  - maps MapCephalonTenantInvitationDeliveryStatusObservations() so normalized observation history can be read, filtered by attention, provider message id, or remediation action, and summarized through a bounded fail-closed ASP.NET Core endpoint
  - can verify provider-neutral HMAC-SHA256 callback signatures over the exact normalized JSON body when TenantInvitationDeliveryStatusCallbackSigningSecret is configured
  - can reject duplicate signed normalized callbacks inside a bounded process-local replay window without claiming durable inboxes or cross-node exactly-once delivery
  - keeps endpoint enablement, route pattern, cache-control, authorization, provider-message-match enforcement, callback signature headers/key id/tolerance, signed-callback replay retention/cache limits, observation read default/max limits, and endpoint-description posture configurable through Engine:MultiTenancy:Governance:AspNetCore
- Cephalon.MultiTenancy.Governance.HttpDelivery
  - optional HTTP webhook sender companion for Cephalon.MultiTenancy.Governance
  - registers a provider-managed ITenantInvitationDeliverySender with sender id http-webhook by default
  - reads Engine:MultiTenancy:Governance:HttpInvitationDelivery or code-first options for endpoint, method, headers, accepted status codes, timeout, supported channels, provider-neutral idempotency headers, bounded in-process retry/backoff, and optional HMAC-SHA256 webhook signing
  - emits Cephalon.MultiTenancy.Governance.HttpDelivery diagnostics while leaving Mailgun Messages API handoff to Cephalon.MultiTenancy.Governance.MailgunDelivery, SendGrid Mail Send API handoff to Cephalon.MultiTenancy.Governance.SendGridDelivery, SMTP relay handoff to Cephalon.MultiTenancy.Governance.SmtpDelivery, Amazon SES v2 handoff to Cephalon.MultiTenancy.Governance.AmazonSesDelivery, Microsoft Graph sendMail handoff to Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery, and leaving additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS, chat, CRM, identity-provider, automatic background delivery workers, distributed retry queues, additional provider-specific delivery-status callback translation beyond shipped SendGrid/Mailgun/Amazon SES translators, provider-specific callback signature verification beyond shipped SendGrid/Mailgun/Amazon SNS hardening, provider polling, and provider-reconciliation semantics to future provider packs or applications
- Cephalon.MultiTenancy.Governance.AmazonSesDelivery
  - optional Amazon SES v2 sender companion for Cephalon.MultiTenancy.Governance
  - registers a provider-managed ITenantInvitationDeliverySender with sender id amazon-ses-email by default
  - reads Engine:MultiTenancy:Governance:AmazonSesInvitationDelivery or code-first options for AWS region, configuration set, sender identity, reply-to addresses, recipient metadata key, supported channels, templates, message tags, accepted status codes, timeout, and safe context-tag projection
  - exposes IAmazonSesInvitationDeliveryClient, AmazonSesInvitationDeliveryMessage, and AmazonSesInvitationDeliveryClientResult so hosts can test or replace the AWS SDK handoff without changing the core dispatcher
  - emits Cephalon.MultiTenancy.Governance.AmazonSesDelivery diagnostics while leaving Amazon SES over SNS callback translation, opt-in SNS signature verification, bounded process-local SNS replay protection, observation-store-backed SNS message-id idempotency, opt-in verified SNS subscription confirmation, and opt-in verified SNS unsubscribe-confirmation observation to Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCore; AWS account/IAM/identity verification, DKIM/SPF/DMARC, sandbox exit, SES configuration-set event destination setup, SNS topic/subscription creation, automatic resubscribe/restore, subscription lifecycle governance, provider polling, callback inboxes, SMS, chat, CRM, identity-provider onboarding, distributed retry queues, and provider-specific reconciliation semantics remain future provider-pack or application work
- Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCore
  - optional ASP.NET Core Amazon SES over SNS callback translator, SNS signature-verification, process-local SNS replay-protection, observation-store-backed SNS message-id idempotency, verified SNS subscription-confirmation, and verified SNS unsubscribe-confirmation observation companion for Cephalon.MultiTenancy.Governance
  - maps MapCephalonAmazonSesInvitationDeliveryStatusCallbacks() so SNS Notification envelopes carrying SES event publishing payloads can be translated into ITenantInvitationDeliveryStatusReconciler
  - reads Engine:MultiTenancy:Governance:AmazonSesInvitationDelivery:AspNetCore or code-first options for route, authorization, provider-message matching, body/event limits, event source/actor, engagement-event mapping, raw SES replay/test payload acceptance, SNS signature policy, SNS replay cache posture, SNS message-id idempotency posture, optional SNS subscription-confirmation timeout/posture, and optional SNS unsubscribe-confirmation observation posture
  - translates SES Send, Delivery, Bounce, Complaint, Reject, Rendering Failure, and DeliveryDelay events into Cephalon delivery statuses while skipping engagement and subscription events by default
  - can confirm verified SNS SubscriptionConfirmation envelopes when EnableSnsSubscriptionConfirmation is enabled with SNS signature verification, using replaceable IAmazonSesSnsSubscriptionConfirmationClient
  - can observe verified SNS UnsubscribeConfirmation envelopes when EnableSnsUnsubscribeConfirmationObservation is enabled with SNS signature verification, validating but never invoking SubscribeURL
  - projects tenant-invitation-delivery-amazon-ses-status-callbacks with route/auth/limit/translation/SNS-signature/process-local-replay/message-id-idempotency/inbox/subscription-confirmation/unsubscribe-confirmation posture while leaving SNS topic/subscription creation, SES event-destination setup, automatic resubscribe/restore, subscription lifecycle governance, durable callback inboxes, distributed replay protection, distributed event-id ledgers, provider polling, and cross-node exactly-once delivery to future provider packs or applications
- Cephalon.MultiTenancy.Governance.MailgunDelivery
  - optional Mailgun Messages API sender companion for Cephalon.MultiTenancy.Governance
  - registers a provider-managed ITenantInvitationDeliverySender with sender id mailgun-email by default
  - reads Engine:MultiTenancy:Governance:MailgunInvitationDelivery or code-first options for API base URL, domain name, API key, sender email, recipient metadata key, supported channels, templates, tags, user variables, safe headers, test mode, accepted status codes, and provider message id JSON-property capture
  - exposes IMailgunInvitationDeliveryClient, MailgunInvitationDeliveryMessage, and MailgunInvitationDeliveryClientResult so hosts can test or replace the default Mailgun HTTP client without changing the core dispatcher
  - emits Cephalon.MultiTenancy.Governance.MailgunDelivery diagnostics while leaving Mailgun webhook callback translation, optional HMAC signed-webhook verification, bounded process-local replay-token rejection, and observation-store-backed Mailgun event-id idempotency to Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore, Amazon SES v2 handoff to Cephalon.MultiTenancy.Governance.AmazonSesDelivery, Microsoft Graph sendMail handoff to Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery, and leaving additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS, chat, CRM, identity-provider onboarding, bounce handling, provider polling, callback inboxes, and provider-specific reconciliation semantics to future provider packs or applications
- Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery
  - optional Microsoft Graph sendMail sender companion for Cephalon.MultiTenancy.Governance
  - registers a provider-managed ITenantInvitationDeliverySender with sender id microsoft-graph-email by default
  - reads Engine:MultiTenancy:Governance:MicrosoftGraphInvitationDelivery or code-first options for Graph base URL, API version, sender user id, access token fallback, recipient metadata key, supported channels, templates, categories, safe custom x-* internet message headers, sent-items posture, accepted status codes, and safe request metadata capture
  - exposes IMicrosoftGraphInvitationDeliveryClient, IMicrosoftGraphInvitationDeliveryAccessTokenProvider, MicrosoftGraphInvitationDeliveryMessage, and MicrosoftGraphInvitationDeliveryClientResult so hosts can test, replace, or plug managed-identity/Azure Identity token acquisition into the default Graph HTTP handoff without changing the core dispatcher
  - emits Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery diagnostics while leaving Microsoft Entra app registration, permission consent, mailbox access policy, Graph change notifications, provider polling, delivery completion semantics after Graph accepts sendMail, callback inboxes, additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS, chat, CRM, identity-provider onboarding, bounce handling, and provider-specific reconciliation semantics to future provider packs or applications
- Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentity
  - optional Azure.Identity token-provider companion for Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery
  - replaces the Graph sender’s static access-token provider with a TokenCredential-backed provider
  - reads Engine:MultiTenancy:Governance:MicrosoftGraphInvitationDelivery:AzureIdentity or code-first options for scopes, tenant id, managed identity client id, authority host, and credential-chain exclusions
  - supports explicit TokenCredential injection for tests or shared host credential factories
  - emits Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentity diagnostics while leaving Microsoft Entra app registration/consent, mailbox provisioning, Exchange access policy, Graph accepted-handoff semantics, provider polling, callback inboxes, and delivery completion to hosts or providers
- Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore
  - optional ASP.NET Core Mailgun webhook translator companion for Cephalon.MultiTenancy.Governance
  - maps MapCephalonMailgunInvitationDeliveryStatusCallbacks() so Mailgun webhook objects can be translated into ITenantInvitationDeliveryStatusReconciler
  - reads Engine:MultiTenancy:Governance:MailgunInvitationDelivery:AspNetCore or code-first options for route, authorization, provider-message matching, body/event limits, event source/actor, engagement-event mapping, Mailgun message-id angle-bracket normalization, optional Mailgun HMAC-SHA256 signature verification, signature timestamp tolerance, parent-signature acceptance, bounded replay-token retention/cache limits, and Mailgun event-id idempotency
  - translates Mailgun accepted, delivered, failed, complained, and unsubscribed events into Cephalon delivery statuses while skipping engagement events by default
  - can verify Mailgun HMAC-SHA256 signed webhook envelopes over timestamp + token, including optional parent-signature support for subaccount events, before translation or reconciliation
  - can reject duplicate verified Mailgun webhook tokens with 409 inside a bounded process-local replay window while storing only token fingerprints
  - can skip duplicate translated Mailgun events by checking the stable mailgun:{event-data.id} observation id in ITenantInvitationDeliveryStatusObservationStore before reconciliation
  - projects tenant-invitation-delivery-mailgun-status-callbacks with route/auth/limit/translation/signature/replay/event-id-idempotency posture while leaving durable callback inboxes, distributed replay protection, distributed event-id ledgers, provider polling, cross-node exactly-once delivery, and provider translation/signature semantics beyond the shipped SendGrid/Mailgun/Amazon SES translators to future provider packs or applications
- Cephalon.MultiTenancy.Governance.SendGridDelivery
  - optional SendGrid Mail Send API sender companion for Cephalon.MultiTenancy.Governance
  - registers a provider-managed ITenantInvitationDeliverySender with sender id sendgrid-email by default
  - reads Engine:MultiTenancy:Governance:SendGridInvitationDelivery or code-first options for API base URL, API key, sender email, recipient metadata key, supported channels, templates, categories, custom arguments, safe headers, sandbox mode, accepted status codes, and provider message id header capture
  - exposes ISendGridInvitationDeliveryClient, SendGridInvitationDeliveryMessage, and SendGridInvitationDeliveryClientResult so hosts can test or replace the default SendGrid HTTP client without changing the core dispatcher
  - emits Cephalon.MultiTenancy.Governance.SendGridDelivery diagnostics while leaving SendGrid Event Webhook callback translation, optional signed-webhook verification, bounded process-local signed-callback replay protection, and observation-store-backed SendGrid event-id idempotency to Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCore, leaving Mailgun Messages API handoff to Cephalon.MultiTenancy.Governance.MailgunDelivery, Amazon SES v2 handoff to Cephalon.MultiTenancy.Governance.AmazonSesDelivery, Microsoft Graph sendMail handoff to Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery, and leaving durable callback inboxes, distributed replay, bounce orchestration beyond status translation, provider polling, dynamic-template lifecycle management, additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS, chat, CRM, identity-provider onboarding, and provider-specific reconciliation semantics to future provider packs or applications
- Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCore
  - optional ASP.NET Core SendGrid Event Webhook translator companion for Cephalon.MultiTenancy.Governance
  - maps MapCephalonSendGridInvitationDeliveryStatusCallbacks() so SendGrid Event Webhook arrays can be translated into ITenantInvitationDeliveryStatusReconciler
  - reads Engine:MultiTenancy:Governance:SendGridInvitationDelivery:AspNetCore or code-first options for route, authorization, provider-message matching, body/event limits, event source/actor, engagement-event mapping, sg_message_id normalization, optional signed Event Webhook verification, bounded process-local signed-callback replay retention/cache limits, and observation-store-backed sg_event_id duplicate suppression
  - translates SendGrid processed, delivered, deferred, bounce, dropped, spamreport, unsubscribe, and group_unsubscribe events into Cephalon delivery statuses while skipping engagement events by default
  - can verify SendGrid ECDSA-SHA256 signed Event Webhook requests over timestamp plus exact raw request body bytes before parsing or reconciliation
  - can reject duplicate verified signed Event Webhook requests inside a bounded process-local replay window keyed by safe signature fingerprints
  - can skip duplicate translated SendGrid events by checking the stable sendgrid:{sg_event_id} observation id before invoking the reconciler
  - projects tenant-invitation-delivery-sendgrid-status-callbacks with route/auth/limit/translation/signature/replay/event-id-idempotency posture while leaving durable callback inboxes, distributed replay protection, distributed event-id ledgers, provider polling, cross-node exactly-once delivery, and provider translation/signature semantics beyond the shipped SendGrid/Mailgun/Amazon SES translators to future provider packs or applications
- Cephalon.MultiTenancy.Governance.SmtpDelivery
  - optional SMTP relay sender companion for Cephalon.MultiTenancy.Governance
  - registers a provider-managed ITenantInvitationDeliverySender with sender id smtp-email by default
  - reads Engine:MultiTenancy:Governance:SmtpInvitationDelivery or code-first options for relay host, port, TLS posture, credentials, sender address, recipient metadata key, supported channels, deterministic message-id domain, templates, and safe custom headers
  - exposes ISmtpInvitationDeliveryClient, SmtpInvitationDeliveryMessage, and SmtpInvitationDeliveryClientResult so hosts can test or replace the default SMTP relay client without changing the core dispatcher
  - emits Cephalon.MultiTenancy.Governance.SmtpDelivery diagnostics while leaving Mailgun Messages API handoff to Cephalon.MultiTenancy.Governance.MailgunDelivery, SendGrid Mail Send API handoff to Cephalon.MultiTenancy.Governance.SendGridDelivery, Amazon SES v2 handoff to Cephalon.MultiTenancy.Governance.AmazonSesDelivery, Microsoft Graph sendMail handoff to Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery, and leaving additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS, chat, CRM, identity-provider onboarding, bounce handling, provider polling, callback inboxes, and provider-specific reconciliation semantics to future provider packs or applications
- Cephalon.Edge
  - runtime services and capability activation for EdgeNativeDelivery
  - registers IEdgeNodeCatalog when the profile is selected
- Cephalon.Edge.KubernetesGateway
  - first provider-specific control-plane materializer over the shared cell-based-architecture traffic-automation baseline
  - projects Kubernetes Gateway API intent and can now overlay live Gateway API observation plus owned HTTPRoute apply-and-reconcile without moving cluster-specific ownership or reconcile policy into Cephalon.Engine
Cephalon.Edge.Traefik- second provider-specific control-plane materializer over the shared
cell-based-architecturetraffic-automation baseline - projects deterministic Traefik
IngressRouteintent and can now also overlay opt-in live observe-only CRD polling for route existence, dependency readiness, ownership, drift, and freshness back onto the same shared automation catalog without moving Traefik CRD semantics intoCephalon.Engine
- second provider-specific control-plane materializer over the shared
These packages are also used as scaffold hints for the matching built-in technology profiles.
The phase-8 data packs are companion packages rather than technology packs, but they can now enrich EventDrivenIntegration truth by projecting staged outbox producers and application-managed inbox stores into the eventing runtime surfaces when both baselines are active.
Runtime pattern
The expected layering is:
- select technology profiles through Engine:Technologies
- install companion packages that understand those profiles
- register the companion package in startup
- let module/package runtime behavior activate only when the technology is actually selected
- let installed modules contribute pack-specific descriptors through the pack’s contributor services instead of pushing every descriptor into host startup
The shared cell traffic-materialization seam now also carries one stable lifecycle vocabulary that
provider and edge packs can reuse instead of inventing provider-local status taxonomies:
CellTrafficAutomationOwnershipStates, CellTrafficAutomationDependencyStates,
CellTrafficAutomationDriftStates, and CellTrafficAutomationLifecycleActions. The shared runtime
catalog projects those values back onto providerMaterialization.*, edgeMaterialization.*, and
derived materialization.* metadata so requested, observed, conflicted, drifted, or dependency-missing
posture stays comparable across Cephalon.Edge, Cephalon.Edge.KubernetesGateway, and
Cephalon.Edge.Traefik.
Example:
```csharp
builder.AddCephalon(engine =>
{
    // Agentics pack: one tool descriptor linked to capability keys,
    // an execution graph, and a hosted execution.
    engine.AddAgentics(options =>
    {
        options.Tools.Add(new AgentToolDescriptor(
            id: "planner",
            displayName: "Planner",
            description: "Builds agent plans.",
            capabilityKeys: ["workflow.approval.request", "workflow.approval.record"],
            executionGraphId: "approval-flow",
            hostedExecutionId: "approval-pump"));
    });

    // Retrieval pack: one knowledge collection plus query and freshness bounds.
    engine.AddRetrieval(options =>
    {
        options.Collections.Add(new KnowledgeCollectionDescriptor(
            id: "docs",
            displayName: "Docs",
            description: "Knowledge base for retrieval."));

        options.DefaultQueryLimit = 10;
        options.MaximumQueryLimit = 25;
        options.FreshnessStaleAfterSeconds = 3600;
    });

    // Multi-tenancy pack: one configured tenant that is also the default.
    engine.AddMultiTenancy(options =>
    {
        options.DefaultTenantId = "tenant-001";
        options.Tenants.Add(new TenantContext(
            tenantId: "tenant-001",
            tenantKey: "acme",
            displayName: "Acme",
            domains: ["acme.example.test"]));
    });

    // Governance companion: one host-defined membership for that tenant.
    engine.AddMultiTenancyGovernance(options =>
    {
        options.Memberships.Add(new TenantMembershipDescriptor(
            tenantId: "tenant-001",
            principalId: "user-001",
            displayName: "Acme Admin",
            roles: ["admin", "member"]));
    });

    // Eventing pack: one integration event channel.
    engine.AddEventing(options =>
    {
        options.Channels.Add(new EventChannelDescriptor(
            id: "orders",
            displayName: "Orders",
            description: "Integration events for the order domain."));
    });

    // Edge pack: one edge node descriptor.
    engine.AddEdge(options =>
    {
        options.Nodes.Add(new EdgeNodeDescriptor(
            id: "storefront-edge",
            displayName: "Storefront Edge",
            description: "Regional node serving intermittently connected experiences."));
    });
});
```

```json
{
  "Engine": {
    "Technologies": ["AgenticWorkloads", "EventDrivenIntegration", "KnowledgeRetrieval", "MultiTenancy", "EdgeNativeDelivery"]
  }
}
```

Authoring pattern
A technology pack should usually contain:
- Configuration/
  - options or defaults for the workload
- Services/
  - runtime contracts the app can consume
- Modules/
  - one or more modules that bridge the pack into Cephalon
- Registration/
  - EngineBuilder extensions for easy startup registration
Recommended contracts to use:
- ITechnologyContributor
  - when the pack adds new technology descriptors to the runtime catalog
- ITechnologyServiceContributor
  - when services should only activate for selected technologies
- ITechnologyCapabilityContributor
  - when capabilities should only activate for selected technologies
Shipped pack-specific extension points:
- Cephalon.Agentics
  - IAgentToolContributor and IAgentToolRegistry for descriptor contribution
  - IAgentToolExecutor for the managed execution implementation of one registered tool
  - IAgentToolExecutionPolicy for approval-required or deny decisions before an executor runs
  - IAgentToolExecutionObserver for audit, telemetry, or projection hooks after each run report is recorded
  - abstraction-level Cephalon.Abstractions.Agentics.IAgentToolDispatcher, AgentToolExecutionRequest, and AgentToolExecutionResult for host-neutral tool-run actions
  - abstraction-level Cephalon.Abstractions.Agentics.IAgentToolRunCatalog for runtime-state reads and IAgentToolRunReporter for controlled report writes
- Cephalon.Retrieval
  - IKnowledgeCollectionContributor and IKnowledgeCollectionRegistry
  - IKnowledgeDocumentProvider for module-owned source documents
  - abstraction-level Cephalon.Abstractions.Retrieval.IKnowledgeIndexer for manual reindex actions
  - abstraction-level Cephalon.Abstractions.Retrieval.IKnowledgeQueryEngine, KnowledgeQueryRequest, KnowledgeQueryResult, and KnowledgeQueryMatch for bounded host-neutral query actions through POST /engine/knowledge-indexes/{collectionId}/queries
  - abstraction-level Cephalon.Abstractions.Retrieval.IKnowledgeIndexCatalog for runtime-state reads through /engine/knowledge-indexes and snapshot.KnowledgeIndexes
  - RetrievalOptions.EnableBackgroundReindexing, RunBackgroundReindexOnStartup, BackgroundReindexInitialDelaySeconds, BackgroundReindexIntervalSeconds, and BackgroundReindexCollectionIds for the opt-in in-process background reindex scheduler over the same IKnowledgeIndexer path
- Cephalon.MultiTenancy
  - ITenantResolver for host-neutral tenant resolution
  - ITenantContextAccessor for ambient tenant context in the current async flow
  - MultiTenancyRuntimeOptions for configuration-driven tenants, domains, default tenant, and resolver enablement
- Cephalon.MultiTenancy.Governance
  - ITenantMembershipContributor and ITenantMembershipRegistry for module-contributed memberships
  - ITenantMembershipCatalog for the merged membership read model
  - ITenantMembershipStore for runtime tenant-membership state, with in-memory and file-backed baselines
  - ITenantMembershipEvaluator for the current Cephalon-managed membership evaluation path
  - ITenantGovernanceActionContributor and ITenantGovernanceActionRegistry for module-contributed approval/remediation actions
  - ITenantGovernanceActionStore for runtime approval/remediation action state, with in-memory and file-backed baselines
  - ITenantGovernanceActionCatalog for the merged action read model
  - ITenantGovernanceActionDecider for the current Cephalon-managed action decision path
  - ITenantGovernanceActionWorkflow for the current Cephalon-managed in-process action status-transition path
  - ITenantInvitationContributor and ITenantInvitationRegistry for module-contributed invitations
  - ITenantInvitationCatalog for the merged invitation read model
  - ITenantInvitationStore for runtime tenant-invitation state, with in-memory and file-backed baselines
  - ITenantInvitationValidator for the current Cephalon-managed invitation validation path
  - ITenantInvitationDeliveryDispatcher, ITenantInvitationDeliverySender, and ITenantInvitationDeliveryRunCatalog for the current host-agnostic invitation delivery dispatch path over registered sender extensions
  - ITenantInvitationDeliveryRetryStore, ITenantInvitationDeliveryRetryRunner, ITenantInvitationDeliveryRetryExecutionCoordinationCatalog, and ITenantInvitationDeliveryRetryRuntimeCatalog for the opt-in local retry queue, bounded retry path, process-local overlap coordination, and opt-in background retry scheduling state over retryable sender failures
  - ITenantInvitationDeliveryStatusReconciler for the current host-agnostic delivery status observation path over provider or receiver reports
  - ITenantInvitationDeliveryStatusObservationStore for normalized delivery-status observation history, with in-memory and file-backed baselines
  - Cephalon.MultiTenancy.Governance.HttpDelivery plus AddCephalonHttpInvitationDelivery(...) when a host wants the first-party signed/retrying HTTP webhook sender implementation for that dispatch path
  - Cephalon.MultiTenancy.Governance.AmazonSesDelivery plus AddCephalonAmazonSesInvitationDelivery(...) when a host wants the first-party Amazon SES v2 sender implementation for that dispatch path
  - Cephalon.MultiTenancy.Governance.MailgunDelivery plus AddCephalonMailgunInvitationDelivery(...) when a host wants the first-party Mailgun Messages API sender implementation for that dispatch path
  - Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore plus MapCephalonMailgunInvitationDeliveryStatusCallbacks() when an ASP.NET Core host wants first-party Mailgun webhook payload translation into the delivery-status reconciliation path
  - Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery plus AddCephalonMicrosoftGraphInvitationDelivery(...) when a host wants the first-party Microsoft Graph sendMail sender implementation for that dispatch path
  - Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentity plus AddCephalonMicrosoftGraphInvitationDeliveryAzureIdentity(...) when a host wants first-party Azure.Identity token acquisition for the Microsoft Graph sender without writing its own IMicrosoftGraphInvitationDeliveryAccessTokenProvider
  - Cephalon.MultiTenancy.Governance.SendGridDelivery plus AddCephalonSendGridInvitationDelivery(...) when a host wants the first-party SendGrid Mail Send API sender implementation for that dispatch path
  - Cephalon.MultiTenancy.Governance.SmtpDelivery plus AddCephalonSmtpInvitationDelivery(...) when a host wants the first-party SMTP relay sender implementation for that dispatch path
  - ITenantAdministrationWorkflow for the current Cephalon-managed host-driven membership and invitation administration path
  - ITenantDomainOwnershipProofChallengeIssuer for the current Cephalon-managed proof-challenge issuance path that creates expected proof values and publication hints
  - ITenantDomainOwnershipProofPublicationPlanner for the current Cephalon-managed proof-publication planning path that emits DNS TXT or HTTP file instructions
  - ITenantDomainOwnershipProofEvaluator for the current Cephalon-managed proof-evaluation path over application/provider-reported evidence
  - ITenantDomainOwnershipHttpProofCollector for the current Cephalon-managed on-demand HTTP file proof-collection path
  - ITenantDomainOwnershipDnsTxtProofCollector for the current Cephalon-managed on-demand DNS TXT proof-collection path when an explicit DNS-over-HTTPS resolver endpoint is configured
  - ITenantDomainOwnershipProofVerificationRunner for the current Cephalon-managed proof-verification orchestration path over challenge issuance, publication planning, reported-proof evaluation, optional HTTP file collection, and configured DNS TXT collection
  - MultiTenancyGovernanceOptions for host-defined memberships, invitations, domain ownerships, governance actions, store paths, tenant-administration workflow enablement, invitation delivery dispatch/run-history enablement, invitation delivery retry queue enablement/max attempts/delay/batch limit/file durability/process-local execution coordination/background scheduling, invitation delivery status reconciliation enablement, delivery-status observation-store enablement/history/file durability, proof challenge defaults, proof publication planning, HTTP proof collection, DNS TXT proof collection resolver/timeout/size limits, proof verification runner orchestration, bounded proof polling enablement/batch limits, proof evaluation, and validation/evaluation/decision/workflow enablement
- Cephalon.Eventing
  - IEventChannelContributor, IEventChannelRegistry, IEventSubscriptionExecutionBindingContributor, IEventSubscriptionExecutionBindingCatalog, the abstraction-level IEventSubscriptionExecutionReadinessCatalog, and the abstraction-level IEventPublicationRuntimeCatalog
- Cephalon.Edge
  - IEdgeNodeContributor and IEdgeNodeRegistry
Those contributor interfaces are the preferred way for installed modules to add descriptors into a selected technology pack. Project-level code can still replace the final catalog service through DI when it needs full control.
For Cephalon.Agentics, AgentToolDescriptor can now also link back to:
- published capability keys through capabilityKeys
- one execution graph through executionGraphId
- one hosted execution through hostedExecutionId
That keeps AI-facing tool metadata anchored in the same module, capability, execution-graph, hosted-execution, and runtime-story contracts the engine already exposes.
When execution is enabled, Cephalon.Agentics also owns one narrow tool-dispatch loop. The dispatcher is still host-agnostic: modules contribute descriptors through IAgentToolContributor, register exactly one IAgentToolExecutor for each executable tool id, and optionally add policy or observer services. Runtime surfaces then report whether each tool is cephalon-managed, awaiting-executor, or not-configured, plus retry policy, idempotency policy, latest run outcome, retry-scheduled counts, retry-pending posture, approval-required posture, duplicate-completed posture, terminal-failure posture, and totals. When ExecutionMaxAttempts is greater than 1, failed executor attempts are retried inside the same process and reported as retry-scheduled; the default remains a single attempt. When EnableExecutionIdempotency is enabled, duplicate completed toolId + runId executions observed inside the configured process-local retention window are reported as skipped with idempotencyPolicy = completed-run, idempotencyDurability = none, and idempotencyScope = process-local; the default preserves repeated execution behavior. The direct run-state read seam and the bounded dispatch action contract now live in Cephalon.Abstractions.Agentics, so ASP.NET Core hosts and tooling can read /engine/agent-tool-runs, /engine/agent-tool-runs/retry-pending, /engine/agent-tool-runs/idempotency-duplicates, /engine/agent-tool-runs/approval-required, /engine/agent-tool-runs/terminal-failures, /engine/agent-tool-runs/{runId}, /engine/agent-tool-runs/by-tool/{toolId}, trigger POST /engine/agent-tools/{toolId}/runs, and read snapshot.AgentToolRuns without depending on Cephalon.Agentics implementation types. 
That is the boundary of the current managed proof; broader autonomous planning, memory stores, durable approval workflows, durable retry queues, durable inboxes, dead-letter systems, cross-node exactly-once delivery, distributed schedulers, or provider-specific AI orchestration remain future companion work unless another package explicitly owns them.
When ingestion and querying are enabled, Cephalon.Retrieval now owns one narrow lexical retrieval loop. Modules still own the source material through IKnowledgeDocumentProvider, while the pack owns indexing, bounded query execution, index state, freshness reporting, manual operator reindexing, and an opt-in in-process background reindex scheduler for registered collections. Runtime surfaces report indexingOwnership, queryOwnership, backgroundReindexingOwnership, backgroundReindexingScheduled, provider readiness, latest index outcome, document count, query count, freshness state, scheduler scope/timing metadata, and a query fingerprint rather than raw query text. ASP.NET Core hosts can request the same bounded query and indexer paths through POST /engine/knowledge-indexes/{collectionId}/queries and POST /engine/knowledge-indexes/{collectionId}/reindex without referencing retrieval implementation types. That is the boundary of the current managed proof; vector databases, embeddings, distributed indexes, durable search clusters, rerankers, provider-specific semantic search, distributed scheduler coordination, and leader-election semantics remain future companion work unless another package explicitly owns them.
When multi-tenancy is selected, Cephalon.MultiTenancy owns one narrow tenant-resolution loop. The base package resolves configured tenant ids, tenant keys, host names, defaults, and single-tenant fallback through ITenantResolver, then exposes the ambient answer through ITenantContextAccessor and the tenant-resolution surface.
Cephalon.MultiTenancy.Governance owns the concrete companion proofs beside that base package: membership cataloging/evaluation, invitation cataloging/validation, invitation delivery dispatch/run-state, retry queue execution/coordination/scheduling, delivery-status reconciliation and observation storage, tenant-administration workflow commands, declared domain-ownership validation/workflow/challenge/publication-plan/proof collection/verification/polling, and approval/remediation action decision/workflow state. Its membership, invitation, invitation-delivery retry, delivery-status observation, domain-ownership, and action stores are in-memory by default and become Cephalon-managed local JSON durable stores when their file paths are configured.
ASP.NET Core hosts can install Cephalon.MultiTenancy.Governance.AspNetCore for fail-closed HTTP proof serving, tenant-administration commands, invitation-delivery dispatch actions, normalized delivery-status callbacks, provider-neutral Cephalon HMAC callback signatures, bounded process-local signed-callback replay protection, and bounded observation reads with filtered rollup summaries plus attention-category drill-downs, provider-message drill-downs, and remediation-action filters. Hosts that want first-party outbound senders can add Cephalon.MultiTenancy.Governance.HttpDelivery, Cephalon.MultiTenancy.Governance.SmtpDelivery, Cephalon.MultiTenancy.Governance.SendGridDelivery, Cephalon.MultiTenancy.Governance.MailgunDelivery, Cephalon.MultiTenancy.Governance.AmazonSesDelivery, or Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery without changing the core dispatcher. Hosts using Microsoft Graph can add Cephalon.MultiTenancy.Governance.MicrosoftGraphDelivery.AzureIdentity for first-party DefaultAzureCredential/managed-identity token acquisition without moving Microsoft Entra-specific code into the governance core.
Provider callback translation stays additive: Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCore translates SendGrid Event Webhook arrays, can verify SendGrid signatures, can reject bounded process-local signed-callback replays, and can skip duplicate sg_event_id observations; Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore translates Mailgun webhook objects, can verify Mailgun HMAC-SHA256 signed webhook envelopes including parent-signature for subaccount events, can reject duplicate verified Mailgun tokens inside a bounded process-local replay window, and can skip duplicate event-data.id observations; and Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCore translates SNS Notification envelopes that carry Amazon SES event publishing payloads, can verify SNS signatures before translation, can confirm verified SNS SubscriptionConfirmation envelopes when explicitly enabled, and can observe verified SNS UnsubscribeConfirmation envelopes without invoking SubscribeURL when explicitly enabled. The shared ASP.NET Core observation read surface can also summarize and filter by provider message id and remediation action, then return deterministic remediation hints for matched attention categories, but those hints are operator guidance over stored normalized observations only. 
Actual DNS proof publication, provider-backed proof publication or mutation, remediation execution beyond state transitions, distributed or provider-backed governance storage, additional provider-specific email API senders beyond the shipped SMTP/SendGrid/Mailgun/Amazon SES/Microsoft Graph set, SMS/chat/CRM/identity-provider invitation senders, distributed retry queues, cross-node delivery leases, exactly-once delivery, provider-specific or distributed callback inboxes, cross-node callback replay protection, distributed event-id ledgers, automatic resubscribe/restore, subscription lifecycle governance, provider-specific callback payload translation beyond the shipped SendGrid/Mailgun/Amazon SES translators, provider-specific callback signature verification beyond shipped SendGrid/Mailgun/Amazon SNS hardening, provider polling, identity-provider synchronization, public onboarding, and tenant-admin UI/backoffice flows remain outside the current managed proof until the governance package or provider packs own those paths explicitly.
Cephalon.MultiTenancy.Governance.SendGridDelivery.AspNetCore also owns bounded process-local replay rejection for verified SendGrid signed Event Webhook callbacks and observation-store-backed event-id idempotency for translated SendGrid events. The replay guard reports replay policy/key/scope/durability/retention/cache posture through tenant-invitation-delivery-sendgrid-status-callbacks, but it remains non-durable and per process. The event-id guard is enabled only when the governance observation store is enabled, checks the normalized sendgrid:{sg_event_id} observation id in ITenantInvitationDeliveryStatusObservationStore, and inherits that store’s durability. Neither guard is a distributed replay ledger, durable callback inbox, distributed event-id ledger, or cross-node exactly-once promise.
Cephalon.MultiTenancy.Governance.MailgunDelivery.AspNetCore owns Mailgun webhook payload translation plus optional HMAC-SHA256 signed-webhook verification, bounded process-local replay-token rejection, and observation-store-backed Mailgun event-id idempotency. It reports route, authorization, body/event limits, provider-message matching, translation ownership, signature verification posture, replay policy/key/scope/durability/retention/cache posture, event-id idempotency policy/key/scope/store durability posture, and inbox/polling boundaries through tenant-invitation-delivery-mailgun-status-callbacks. Durable callback inboxes, distributed replay/event-id ledgers, provider polling, and cross-node exactly-once delivery remain outside this proof.
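The three Mailgun callback checks described above (signature, bounded process-local replay-token rejection, event-id idempotency), as an added example that is not Cephalon's implementation. It relies on Mailgun's documented signature, the hex HMAC-SHA256 of timestamp + token under the webhook signing key; the type names, window, capacity, and the in-memory set standing in for the observation store are assumptions, and all sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values; none of these is a real key, token, or event id.
const string Key = "constructed-signing-key";
var now = DateTimeOffset.FromUnixTimeSeconds(1_700_000_000);
var guard = new MailgunCallbackGuard(Key, TimeSpan.FromMinutes(5), capacity: 1024);

string Sign(string ts, string tok) => Convert.ToHexString(
    HMACSHA256.HashData(Encoding.UTF8.GetBytes(Key), Encoding.UTF8.GetBytes(ts + tok)));
void Send(string ts, string tok, string sig, string evt, DateTimeOffset at) =>
    Console.WriteLine($"{tok}/{evt}: {guard.Evaluate(ts, tok, sig, evt, at)}");

Send("1699999990", "tok-a", Sign("1699999990", "tok-a"), "evt-1", now);             // first delivery
Send("1699999990", "tok-a", Sign("1699999990", "tok-a"), "evt-1", now);             // same envelope again
Send("1699999995", "tok-b", Sign("1699999995", "tok-b"), "evt-1", now);             // fresh token, same event id
Send("1699999990", "tok-c", new string('0', 64), "evt-2", now);                     // signature not made with the key
Send("1699999990", "tok-d", Sign("1699999990", "tok-d"), "evt-3", now.AddHours(1)); // presented an hour later

public enum CallbackDecision { Accepted, Malformed, BadSignature, StaleTimestamp, ReplayedToken, DuplicateEvent }

// Hypothetical guard: names and policy choices are assumptions of this example.
public sealed class MailgunCallbackGuard
{
    private readonly byte[] _key;
    private readonly long _windowSeconds;   // accepted clock skew and token retention
    private readonly int _capacity;         // hard bound on cached tokens
    private readonly HashSet<string> _tokens = new(StringComparer.Ordinal);
    private readonly PriorityQueue<string, long> _expiryOrder = new();   // token -> expiry (unix seconds)
    private readonly HashSet<string> _eventIds = new(StringComparer.Ordinal); // stand-in for the observation store
    private readonly object _gate = new();

    public MailgunCallbackGuard(string signingKey, TimeSpan window, int capacity)
    {
        if (capacity < 1) throw new ArgumentOutOfRangeException(nameof(capacity));
        _key = Encoding.UTF8.GetBytes(signingKey);
        _windowSeconds = (long)window.TotalSeconds;
        _capacity = capacity;
    }

    public CallbackDecision Evaluate(string timestamp, string token, string signatureHex,
                                     string eventId, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(timestamp) || string.IsNullOrEmpty(token) ||
            string.IsNullOrEmpty(signatureHex) || string.IsNullOrEmpty(eventId))
            return CallbackDecision.Malformed;

        // 1. Authenticate the envelope before acting on any field, comparing in constant time.
        byte[] presented;
        try { presented = Convert.FromHexString(signatureHex); }
        catch (FormatException) { return CallbackDecision.BadSignature; }
        byte[] expected = HMACSHA256.HashData(_key, Encoding.UTF8.GetBytes(timestamp + token));
        if (!CryptographicOperations.FixedTimeEquals(expected, presented))
            return CallbackDecision.BadSignature;

        // 2. Freshness: an envelope signed outside the window is refused, which is
        //    what makes it safe to forget tokens once their window has passed.
        long nowUnix = now.ToUnixTimeSeconds();
        if (!long.TryParse(timestamp, NumberStyles.None, CultureInfo.InvariantCulture, out long signedAt))
            return CallbackDecision.Malformed;
        if (Math.Abs(nowUnix - signedAt) > _windowSeconds)
            return CallbackDecision.StaleTimestamp;

        lock (_gate)
        {
            // 3. Replay: drop expired tokens, then refuse a token already seen.
            while (_expiryOrder.TryPeek(out _, out long expiry) && expiry < nowUnix)
                _tokens.Remove(_expiryOrder.Dequeue());
            if (_tokens.Contains(token)) return CallbackDecision.ReplayedToken;

            // Capacity eviction removes the soonest-to-expire token; an evicted token
            // could be replayed until its window ends, so size capacity for peak volume.
            while (_tokens.Count >= _capacity)
                _tokens.Remove(_expiryOrder.Dequeue());
            _tokens.Add(token);
            _expiryOrder.Enqueue(token, signedAt + _windowSeconds);

            // 4. Idempotency: a verified redelivery of an event already observed is skipped.
            return _eventIds.Add(eventId) ? CallbackDecision.Accepted : CallbackDecision.DuplicateEvent;
        }
    }
}
```

The HMAC covers only the timestamp and token, so it authenticates the envelope rather than the event-data body. Because the token cache lives in one process, a replay that reaches another node or arrives after a restart is not caught, which is the boundary the paragraph above states.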
Cephalon.MultiTenancy.Governance.AmazonSesDelivery.AspNetCore owns Amazon SES over SNS payload translation, opt-in SNS signature verification, bounded process-local SNS replay protection, observation-store-backed Amazon SNS MessageId idempotency, opt-in verified SNS subscription confirmation, and opt-in verified SNS unsubscribe-confirmation observation. It reports route, authorization, body/event limits, provider-message matching, translation ownership, SNS signature verification posture, SNS signature-version/topic/certificate policy, process-local SNS replay posture, SNS message-id idempotency policy/key/scope/store durability posture, SNS subscription-confirmation posture, SNS unsubscribe-confirmation observation posture, and inbox/polling boundaries through tenant-invitation-delivery-amazon-ses-status-callbacks. The message-id guard is enabled only when the governance observation store is enabled, checks the normalized amazon-ses-sns:{MessageId} observation id in ITenantInvitationDeliveryStatusObservationStore, skips duplicate translated events before reconciliation, and inherits that store’s durability. Subscription confirmation is enabled only when a host opts in with SNS signature verification; it confirms verified SubscriptionConfirmation envelopes through replaceable IAmazonSesSnsSubscriptionConfirmationClient. Unsubscribe-confirmation observation is enabled only when a host opts in with SNS signature verification; it validates but never invokes SubscribeURL because visiting that URL can restore the subscription. SNS topic/subscription creation, automatic resubscribe/restore, subscription lifecycle governance, durable callback inboxes, distributed replay/event-id ledgers, provider polling, and cross-node exactly-once delivery remain outside this proof.
ASP.NET Core hosts can also map MapCephalonTenantInvitationDeliveryStatusObservations() to expose bounded/filterable GET /engine/tenant-invitations/delivery-status/observations reads over ITenantInvitationDeliveryStatusObservationStore; that route returns filtered status/attention/remediation/outcome/source/providerMessageId/channel/sender/tenant summaries derived from matched observations before the record limit is applied and accepts attention= drill-down filters for delivery failures, deferred/suppressed/unknown statuses, reconciliation gaps, and recording gaps plus providerMessageId= filters for provider callback tracebacks and remediation= filters for stable operator next-action labels. It is an operator/audit read surface over normalized observations, not a provider-specific callback inbox, provider poller, distributed remediation executor, or distributed replay ledger. The dispatch endpoint records safe adapter metadata before invoking the core dispatcher, but it still depends on registered sender extensions for actual provider delivery and does not create distributed retry queues, cross-node leases, exactly-once delivery, or provider-specific notification semantics.
Runtime introspection contract:
- ITechnologyRuntimeContributor
  - used by packs to project their active runtime surface into a transport-neutral snapshot
- ITechnologyRuntimeCatalog
  - host-agnostic abstraction for reading the merged runtime surface set in code
- IRuntimeIntrospectionSnapshotProvider
  - engine-level abstraction for reading one operator-facing snapshot that combines the runtime manifest, runtime status, and active technology-pack surfaces
- GET /engine/technology-surfaces
  - returns the active pack surfaces and the merged entries visible to the runtime after host options, module contributors, and in-process runtime transitions have been applied; agentic tools now also surface linked capability keys, live execution-graph and hosted-execution state, managed execution readiness, and latest run-state truth when those links or reports exist, while the same reported runs are also available through snapshot.AgentToolRuns; retrieval collections now also surface provider readiness, indexing/query/background-reindexing ownership, per-collection scheduler inclusion, freshness state, document counts, query counts, latest run outcomes, scheduler scope/timing metadata, and query fingerprints when indexed, scheduled, or queried; multi-tenancy now surfaces the active tenant-resolution answer, governance companion boundaries, and the concrete tenant-memberships, tenant-invitations, tenant-administration, tenant-domain-ownership, plus tenant-governance-actions companion proofs, including membership-store, invitation-store, invitation delivery dispatch/sender/run-state posture, delivery status reconciliation/latest status posture, delivery-status observation store posture/count/latest observation, tenant-administration command ownership, domain-ownership-store, proof-challenge issuance, proof-publication planning, proof-evaluation, HTTP proof collection, configured DNS TXT proof collection, proof-verification runner, proof-polling runner, opt-in background proof-polling run state, and action-store durability metadata, when the governance pack is installed; ASP.NET Core governance adapters also surface tenant-administration-http-endpoints route, mapping, and authorization posture, tenant-invitation-delivery-http-endpoints dispatch route/auth/contract posture, plus tenant-invitation-delivery-status-http-endpoints signed-callback signature/replay posture and bounded observation-read route/auth/limit/summary-dimension/attention/provider-message-filter/remediation-filter/remediation-hint posture when registered; SendGrid ASP.NET Core adapters surface tenant-invitation-delivery-sendgrid-status-callbacks route/auth/translation/signature/replay/event-id-idempotency posture when registered; Mailgun ASP.NET Core adapters surface tenant-invitation-delivery-mailgun-status-callbacks route/auth/translation/signature-verification/replay-boundary posture when registered; Amazon SES ASP.NET Core adapters surface tenant-invitation-delivery-amazon-ses-status-callbacks route/auth/translation/SNS-signature/replay/message-id-idempotency posture when registered
- GET /engine/snapshot
  - returns the broader runtime introspection snapshot when operators need manifest, runtime status, and technology-pack surfaces in one payload
Guardrails
- keep packs additive; do not mutate engine core behavior globally
- prefer activating services/capabilities from TechnologySelection instead of branching in hosts
- prefer pack-specific contributor services over hardcoded host-owned descriptor lists when extending a shipped pack
- prefer ITechnologyRuntimeContributor when a pack needs an operator-facing runtime snapshot instead of inventing host-specific ad-hoc endpoints
- keep built-in technology profiles lightweight; move reusable runtime behavior into packs
- only create a new blueprint when project shape changes materially
- only add a new built-in technology profile when validation, guidance, or scaffold/package hints are distinct enough to justify it