ThreadForge is a layered platform architecture for executing distributed services and AI agents using workload identity, service mesh authentication, and policy-driven communication boundaries.
This repository contains architecture documentation only.
```mermaid
flowchart TD
    W[Agents / Workloads]
    C["Containment Surface<br/>AuthorizationPolicy"]
    R["Secure Runtime<br/>Service Mesh / mTLS"]
    I["Identity Surface<br/>SPIFFE / SPIRE"]
    F["Fabric<br/>Kubernetes Infrastructure"]
    W --> C
    C --> R
    R --> I
    I --> F
```
ThreadForge enforces service communication through identity-verifiable workloads and explicit authorization policy, rather than relying on network location or implicit trust.
Trust Establishment
Trust in ThreadForge is established through cryptographic workload identity.
SPIRE issues SPIFFE identities to workloads running inside the cluster. The service mesh authenticates those identities using mutual TLS (mTLS). Authorization policies then define which identities are permitted to communicate.
This ensures that:
services cannot communicate without verified identity
access decisions are policy-driven
network location does not imply trust
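The three properties above map onto Istio resources roughly as follows. This is an added example, not configuration taken from the ThreadForge repositories; the namespace `agents`, the workload label `app: tool-gateway`, the service account `planner-agent`, the request path and the trust domain `cluster.local` are all hypothetical.

```yaml
# Added example. Namespace, labels, service account, path and trust domain
# are hypothetical placeholders, not values from the ThreadForge repositories.

# 1. No communication without verified identity: require mTLS for every
#    workload in the namespace, with no plaintext fallback.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: agents
spec:
  mtls:
    mode: STRICT
---
# 2. Network location does not imply trust: an AuthorizationPolicy with an
#    empty spec allows nothing, so every request in the namespace is denied
#    unless another ALLOW policy matches it.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-nothing
  namespace: agents
spec: {}
---
# 3. Access decisions are policy-driven: only the planner agent's identity
#    may call the tool gateway, and only with POST on one path prefix.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: tool-gateway-allow-planner
  namespace: agents
spec:
  selector:
    matchLabels:
      app: tool-gateway
  action: ALLOW
  rules:
    - from:
        - source:
            # Identity from the peer certificate, written without the
            # spiffe:// prefix: <trust-domain>/ns/<namespace>/sa/<account>
            principals: ["cluster.local/ns/agents/sa/planner-agent"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/v1/tools/*"]
```

Because the `principals` match is evaluated against the identity in the mTLS peer certificate, the allow rule only takes effect for connections that were mutually authenticated.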
ThreadForge Platform Repositories

| Layer | Purpose | Repository |
| --- | --- | --- |
| Fabric | Infrastructure substrate for secure workloads | https://github.com/computeaholic/threadforge-fabric |
| Identity Surface | Workload identity issuance using SPIFFE/SPIRE | https://github.com/computeaholic/threadforge-identity-surface |
| Secure Runtime | Authenticated service communication using service mesh | https://github.com/computeaholic/threadforge-secure-runtime |
| Containment Surface | Policy-driven workload isolation and authorization enforcement | https://github.com/computeaholic/threadforge-containment-surface |
| Workloads | Demonstration workloads and AI agent containment examples | https://github.com/computeaholic/threadforge-agent-containment-lab |

Technology Mapping

| Layer | Technology |
| --- | --- |
| Fabric | Kubernetes cluster infrastructure |
| Identity Surface | SPIFFE / SPIRE workload identity |
| Secure Runtime | Istio service mesh with mTLS |
| Containment Surface | Istio AuthorizationPolicy |
| Workloads | Services and AI agents executing within the runtime |

Core Technologies
ThreadForge builds on several established open-source infrastructure systems:
Kubernetes
SPIFFE / SPIRE
Istio
ThreadForge focuses on how these components are composed into an identity-first runtime architecture rather than replacing them.
Layer Model
Fabric provides the Kubernetes infrastructure substrate.
Identity Surface issues verifiable workload identity via SPIFFE/SPIRE.
Secure Runtime provides authenticated and encrypted service-to-service transport.
Containment Surface enforces least-privilege service graphs through runtime policy.
Workloads execute services and AI agents within these constraints.
Architectural Principle
AI agents and services should be treated as untrusted workloads and constrained using identity-based runtime policy.
Additional Documents
Architecture interactions
System layer responsibilities
Threat model
ThreadForge demonstrates how modern infrastructure primitives can be composed into an identity-first runtime architecture capable of safely executing distributed services and autonomous agents.
Additional diagrams describing the platform: