PostgreSQL Service
One Space service owns the PostgreSQL administrator credential, provisions exact database roles, and gives each Capsule access only to its registered database set.
The control credential stops at the Service
- Only the PostgreSQL Service holds the administrator DSN.
- The provisioner uses a dedicated Bearer token for Capsule creation and finalization.
- Each Capsule receives a random principal; the Service stores its hash and exact database set.
- Database and role names are derived on the server from validated Capsule and workload identifiers.
- The current compatibility runtime issues only a database URL scoped to the registered workload.
- No generic SQL, global list, arbitrary create, or arbitrary drop operation is exposed.
Internal discovery, protected mutations
GET /healthz GET /v1/driver POST /v1/capsules/provision POST /v1/capsules/finalize POST /v1/capsules/apps/create POST /v1/capsules/apps/drop POST /v1/capsules/drop /v1/driver and the /apps/ route segments are retained wire identifiers from
before the public Service and Assistant rename. The two GET routes reveal only liveness and
validated manifest metadata. Every POST route requires the correct Bearer authority for its exact operation. These endpoints
are internal to private Space networks and must not be routed to the Internet.
Request and response contract
Control requests are JSON objects with Content-Type: application/json. A successful
mutation returns HTTP 200 and a trace_id; errors return a generic error without
reflecting SQL, subprocess output, credentials, or an upstream body.
The capsule.app.* operation names and app_id field below are legacy wire
compatibility identifiers. New public documentation calls that workload an Assistant; these identifiers
can change only through a versioned interface migration.
capsule.provisionuses provisioner authority withcapsule_idandprincipal_token; it returnsdatabase_urlandcreated.capsule.finalizeuses provisioner authority withcapsule_id; it returnsfinalized.capsule.app.createuses that Capsule's principal withcapsule_idandapp_id; it returnsdatabase_urlandcreated.capsule.app.dropuses that Capsule's principal withcapsule_idandapp_id; it returns the exactdroppeddatabase and may reportalready_absentfor a proved retry.capsule.dropuses that Capsule's principal withcapsule_id; it returns the exactdroppeddatabase list and retires the principal for retry-safe finalization.
What conforms now
- The manifest is parsed with a closed allowlist before the listener or token state starts.
- Malformed, incomplete, unknown, Capsule-scoped, and required-BYOK declarations fail closed.
- Discovery metadata matches the in-image manifest exactly.
- Unauthenticated mutations remain forbidden, including the Docker healthcheck's live auth probe.
- Provision, retry, workload teardown, Capsule retirement, and legacy-route denial retain their isolation tests.
Read the PostgreSQL Service source.