Live posture across every execution surface.
Loading events...
The live compute plane as an interactive SynInfra Canvas — nodes, workloads and their placement. Drag to arrange, click to inspect.
Live health of every in-process platform runtime.
The real, in-process logical runtimes this server is composed of — the SynDB engine, SynDrive, SynAuth, SynVault, SynCompute, SynOpt, SynNet, SynStream and SynPost. Each card is probed live: the latency is a real method call or SQL round-trip against the running subsystem, and the metric is counted from it. Health, transitions and last-known posture are persisted in the control plane and survive a restart.
Probing platform runtimes…
A supervisor probes every runtime on a cadence and remediates any that aren’t healthy — re-probing, re-driving the SynOpt autoscaler, with backoff and escalation. The autoscaler launches and drains SynOpt-managed compute nodes against real load.
No remediation events yet — all runtimes healthy.
Prove the fabric self-heals by breaking it on purpose. Use the ☠ control on any live replica (Workloads) to hard-kill it, or ☠ Drill on a runtime above to degrade it — then watch the supervisor recover it. Every drill is audited to the durable log and survives a restart.
No drills run yet — inject a fault to see the recovery.
Isolation boundaries and resource quotas.
Isolation boundaries with hard resource quotas. Each tenant pins CPU / RAM / storage / GPU ceilings, an isolation mode (container / microVM / namespace) and a workload cap. Live usage is tracked against quota so over-subscription surfaces immediately.
Connecting to control plane...
Servers in the compute cluster.
Servers participating in the mini-cloud. Each node advertises its role, CPU / RAM / GPU capacity, agent version and live heartbeat. New nodes are normally added via Settings → Enroll node, which mints a token and prints a real install script.
Connecting to control plane...
Trusted endpoints and fleet agents.
Trusted endpoints and fleet agents that consume platform resources. Track ownership, trust level, posture and last-seen freshness.
Connecting to control plane...
Deployable compute units and their vault secrets.
Deployable compute units (web / worker / job / function / media / static). Scale, suspend, wake, restart or roll back any workload — the canonical "run only when needed" control. Each workload is backed by its own SynVault secret namespace.
Deploy a workload and SynCompute spawns it as one or more real OS process replicas, bin-packed across the managed node pool. Each replica runs your command (or a built-in heartbeat service) in its own process group with a scrubbed, injected environment; stdout/stderr are captured live, and the supervisor restarts any replica that dies. Scaling and stopping start and signal real processes — and the resulting node load drives the autoscaler.
No workloads running yet — deploy one above.
Connecting to control plane...
Per-workload secret namespaces issued from the shared vault. Pick a workload namespace, then add or rotate the secrets its runtime reads at boot. Values are encrypted at rest and never returned — only the key, version and a short fingerprint are shown. Issue a scoped runtime token to let a workload authenticate to internal services.
Load a namespace to manage its secrets.
The live OS-level process table.
The live OS-level process table across every node. Suspend, resume, throttle, restart or kill any process in place — the actions a platform operator needs during an incident. CPU / RAM / restarts / open files are tracked per process.
Connecting to control plane...
Container runtime instances.
Container runtime instances. Track image, owning tenant, host node, exposed ports, CPU / RAM and restart counts.
Connecting to control plane...
Micro-VM and legacy VM workloads.
Micro-VM and legacy VM workloads for strong isolation or unmodified guests. Track guest OS, vCPU / RAM / disk allocation and isolation mode.
Connecting to control plane...
Scale-to-zero functions and invocation.
Real, isolated, multi-language functions — the AWS Lambda / Supabase / GCP Cloud Functions equivalent. Author a function in any runtime your nodes support, declare its environment variables and SynVault secrets, then invoke it with a JSON payload to run the code in a scrubbed subprocess sandbox with a hard wall-clock timeout. Every invocation captures real stdout / stderr, updates the rolling p95 and is journaled for audit.
Invoke a function to run its real code and capture stdout / stderr.
Connecting to control plane...
Select a function and invoke it to see its recent runs.
Background queues and workers.
Background job queues and their workers. Track queue depth, processing rate, worker count and drain state — the backbone of asynchronous workloads.
Connecting to control plane...
Schedules and the placement simulator.
Cron and event schedules plus a live placement simulator. The simulator scores every node for a candidate workload by free CPU + free RAM, honouring role and GPU requirements and penalising degraded nodes — exactly the decision the scheduler makes.
Score every node for a candidate workload.
Connecting to control plane...
Accelerator inventory and allocation.
GPU pool inventory and allocation. Track model, VRAM, host node, utilisation, temperature and the workload each accelerator is assigned to.
Connecting to control plane...
Detect, build, sign and publish artifacts.
The custom application packager. Detect a runtime profile from any language or framework, then run the full eight-stage pipeline (detect → dependencies → build → test → SBOM → scan → sign → publish) to produce a signed, attested artifact.
Enter a language to detect the build tool, start command, port and health endpoint.
Run a build to watch the eight-stage pipeline execute.
Connecting to control plane...
Vault-backed release lifecycle.
DevSecOps deployments. Deploy an application to provision (or patch) its workload, attach a dedicated SynVault secret namespace and mint a scoped runtime token, then advance the release through its full lifecycle (build → scan → sign → stage → health → approval → production → traffic shift → monitor → stable) with blue-green / canary / rolling strategies and one-click rollback.
Deploy to provision a workload, attach a Vault namespace + runtime token, and start the release lifecycle.
Connecting to control plane...
Real runtime, memory, scheduler, autoscaler and IPC telemetry.
The SRE surface, living inside the compute domain. Real, measured signals fused from the live process, SynOpt's tiered memory virtualisation, the work scheduler, the SynOpt↔SynCompute autoscaler and the instrumented IPC fabric — nothing here is synthesised. The autoscaler reconciles on a 15-second cadence; Force reconcile runs a cycle immediately and shows the decision.
Sampling the live process…
Rolling up nodes…
Reading the tier manager…
Reading the scheduler…
Reading the bridge…
No reconcile decisions yet — trigger one with Force reconcile.
No IPC measured yet.
Waiting for IPC traffic…
Request-to-resource lifecycle traces.
Request-to-resource lifecycle tracing — the killer feature. Trace any request end to end and see exactly where time and resources go: DNS → firewall → TLS → proxy → auth → service → SynDB query → storage → response. The dominant bottleneck, CPU-ms, RAM, payload sizes and a risk grade are computed for every trace.
Run a trace to see the stage-by-stage lifecycle waterfall and the bottleneck.
Connecting to control plane...
Idle / leak / over-allocation findings.
The resource optimizer scans workloads and processes for idle, over-allocated and leaking resources and produces actionable findings with concrete recommendations. Run a scan, then act on (or dismiss) each finding.
Connecting to control plane...
Detected anomalies and failures.
Incident and anomaly detection. The scanner inspects the process table, node health and function error rates for CPU exhaustion, crash loops, memory leaks, degraded nodes and error spikes, then opens deduplicated incidents you can triage and resolve.
Connecting to control plane...
Append-only operational event log.
Durable, queryable operational log for every action taken through the compute control plane — lifecycle changes, deployments, heal events, chaos drills, scans and vault operations. This tier is append-only and survives restart, independent of the live state document, with bounded retention.
Loading log…
Triggered and scheduled compute jobs.
The automation engine. Define triggered or scheduled jobs and run them on demand. Bound executors actually run: incident.scan, optimize, health.check, config.snapshot, scale_workload and scale_to_zero.
Connecting to control plane...
Enrollment, health, config and capabilities.
Plane-wide operations: enroll new nodes, sweep cluster health, version the entire desired-state and review the subsystems behind the control plane.
Mint an enrollment token and generate a real install script + systemd unit the operator runs on the target host. The node appears in the Nodes surface in the enrolling state until health reporting goes green.
Generate an enrollment to see the token and the install script.
Probe every node's heartbeat freshness and roll up workload health in real time.
Run a sweep to probe every node.
The control plane keeps versioned snapshots of the entire compute desired-state. Capture a snapshot before risky changes and roll back instantly if needed.
Loading versions...
| Subsystem | Backed by | State |
|---|---|---|
| Execution control plane | syndb-compute | active |
| Workload secrets & tokens | syndb-vault | active |
| Tenancy & isolation | syndb-tenant | active |
| Runtime & modules | syndb-runtime | active |
| Scheduling & placement | syndb-compute | active |
| Request tracing | syndb-compute | active |
| Capsule / device agents | syndb-capsule | supervised |
| Config versioning | syndb-compute | active |
What needs you now — unread mail, approvals awaiting, open incidents and the ticket queue, all live and one click from the work.
Messages, meetings, approvals and the ticket queue — all in one place.
Loading…
Loading…
Loading…
Live posture across every realtime, streaming, social & monetisation surface.
A real, adaptive HLS stream served through the SynComms player. Pick any ready asset from Video Assets or a channel from TV to play it here.
Loading events...
Realtime channels and messages.
Loading channels…
Team Spaces: shared mailboxes, tickets and SLA — one governed conversation per address.
Team Spaces turn a shared address (e.g. incident-204@space.company.syn) into one governed conversation. Inbound mail opens a communicationContext, posts to the team channel, and raises a ticket with an SLA clock — auto-assigned to an on-rotation agent. Internal notes stay on the timeline and never enter outgoing mail.
Loading spaces…
Drop a message onto a Space address to watch the gate run end-to-end.
Loading queue…
Pick a conversation from the queue to triage it.
A live, status-columned board over every open ticket and case across your shared inboxes — priority, assignee and SLA, breaching first.
A live board of every open ticket and case across your shared inboxes — the governed work objects behind support, incidents and requests. Move a card with its status buttons; the SLA clock and assignee stay honest, and breaching cards float to the top of each column.
Loading the board…
Pick a card to reassign it, escalate, or move it through its lifecycle.
Booking pages, availability, the booking gate and the meeting lifecycle — one context per appointment.
A booking page turns a resource and its working hours into a shareable scheduling endpoint. A request against it runs the Phase 3 gate: it opens one communicationContext, places the appointment, schedules a SynComms room, captures the intake and queues reminders — all threaded to one id.
Loading booking pages…
Pick a page, find a free slot a day or more out, fill the invitee in and book — the gate confirms the appointment, the room and the reminders in one ordered burst.
Pick a page and find slots.
Every confirmed booking becomes a Meeting with its own join code —
Pick a page to see its bookings.
A customer's whole relationship in one time-ordered timeline with the stats a CRM card shows.
A customer's whole relationship in one time-ordered timeline — every email, chat, call, meeting and booking that shares their contexts — with the headline numbers a CRM card shows. A pure projection: it reproduces no message body, only references.
Enter a customer to build their timeline.
No timeline yet.
A governed workflow object — request, decide and resolve a document, purchase, expense, leave, access, publication or contract sign-off, all on one context.
An approval is a governed workflow object — not a chat reply saying “approved.” Request a document, purchase, expense, leave, access, publication or contract sign-off; it opens (or threads into) one communicationContext, places an approval facet, and runs a validated multi-step status machine — all / any / quorum rules, sequential or parallel — emitting one event per recorded verdict.
Loading approvals…
No steps yet — add one below.
Pick an approval to review its steps, record a verdict, or withdraw it.
The operational-response gate — declare an incident to stand up a ticket, bridge, responders, affected services and tasks on one context; escalate, page and post status-page updates.
An incident is an operational-response object — not a status line in a chat. Declaring one opens a communicationContext and, in one call, stands up an incident ticket + a bridge call + responders + affected services + seeded response tasks, with a hot SLA clock that tightens on escalation. Post status-page updates, escalate the severity, page responders and flip a service’s state — all on one shared audit trail.
Loading incidents…
No responders yet — the first commander leads.
No affected services yet.
No seeded tasks yet.
Pick an incident to post a status update, escalate the severity, page a responder, or flip a service’s state.
Native WebRTC meetings, webinars, recordings and transcripts.
Mint a join code and connect instantly — peer-to-peer on a LAN, server-forwarded as the room grows.
Pick a time to schedule it for later, or leave the time blank to start now. Either way it becomes one Meeting with a shareable join code.
Every call, scheduled meeting and booked appointment is one Meeting here — Join to enter the room, Start / End to drive its lifecycle. Need recurring availability or a public booking page?
Connecting to SynComms...
On-device capture yields a recording or transcript object — pick one to attach it to a meeting. The bytes stay on the device; only the reference is stored.
Connecting to SynComms...
Connecting to SynComms...
Live audio spaces and participants.
Live audio rooms (think Spaces / Stages) — start a room, count participants, and end it. Backed by the realtime SFU media plane.
Loading rooms...
Connecting to SynComms...
On-demand video & audio, encoding and ingest.
Upload or import video & audio; we encode adaptive HLS (up to 4K), each with its own playback ID.
Mint a resumable upload URL, then complete it to spawn a processing asset — exactly the Mux direct-upload flow.
Create an upload URL to receive a signed PUT target and an asset.
Ingest any public video URL straight into the encoder.
Connecting to SynComms...
RTMP/SRT ingest, stream keys, simulcast and recordings.
Go live in three steps: create a stream, point your encoder at the ingest URL, then Go live from its row. Stopping a recording-enabled stream rolls it off to a VOD asset.
Connecting to SynComms...
Point OBS / ffmpeg / a hardware encoder at the server URL with the stream key. Reset the key to revoke a leaked credential instantly.
Select a live stream to reveal its ingest URL + stream key.
Linear channels and the EPG.
Linear TV channels with a live electronic programme guide (EPG). Each channel plays a continuous HLS feed; the guide shows what's on now and what's next, computed against the wall clock. Tune a channel to watch it.
Loading channels...
Public/signed playback IDs and signed-URL minting.
A ready-made adaptive player with public and signed playback IDs. Mint a short-lived signed token, then play the signed URL.
Connecting to SynComms...
Mint a token to get a signed, playable URL + verifiable JWT.
Posts, comments, reactions, follows, polls and moderation.
A sovereign social graph — posts, threaded comments, reactions, reposts, polls and follows, each governed and audited.
Load the feed to see graph-aware posts.
Connecting to SynComms...
Connecting to SynComms...
Connecting to SynComms...
The unified forms engine — surveys, polls, feedback, contact, quizzes & registrations; draft → publish → analyse.
One engine for every form — surveys, polls, feedback, contact, quizzes & registrations — borrowing the best of SurveyMonkey, Typeform & Google Forms, native to the platform. Build it, publish it, collect through one validated gate, and roll it up into privacy-preserving analytics for SynAnaly. Phone & country questions use the Meridian international inputs.
Loading forms…
No questions yet — add one below.
Pick a form to publish, close, fill it in, or see its results.
A published form renders here exactly as a respondent sees it — submitting runs the public gate (no sign-in required).
Publish a form, then open it here to fill it in.
Pick a form to see its privacy-preserving roll-up.
Access rules, the allow/deny gate, subscriptions, tips, coupons and revenue.
Per-object access rules with a real allow/deny gate, subscriptions, tips and an append-only revenue ledger.
Evaluate an object to see the real allow/deny decision.
Connecting to SynComms...
Connecting to SynComms...
Connecting to SynComms...
Connecting to SynComms...
Connecting to SynComms...
Connecting to SynComms...
Engagement analytics and real-time viewer counts.
Engagement & quality-of-experience analytics. Drop a view beacon to watch the numbers move in real time.
Loading analytics...
Loading analytics...
Auto-generated transcripts and translation.
Automatic speech-to-text captions in many languages, plus on-demand translation.
Generate a caption track, then preview its transcript cues.
Connecting to SynComms...
Summaries, chapters, moderation and Q&A.
AI robots run over any asset — title & summary, chapters, key moments, scenes, moderation, Q&A or caption translation.
Run a robot to see its structured result.
Connecting to SynComms...
Signed URLs, restrictions, DRM and media tools.
Protect content with signed playback IDs, URL signing keys, playback restrictions and DRM. Verify any minted token offline.
Connecting to SynComms...
Connecting to SynComms...
Connecting to SynComms...
Build deterministic media URLs for any playback ID: a poster thumbnail at any timestamp, an animated GIF, a storyboard sprite, a sub-clip and an MP4 rendition.
Build URLs to get ready-to-use thumbnail / GIF / storyboard / clip / MP4 links.
The append-only governance trail.
The append-only governance trail. Every object created across SynComms writes an immutable audit event (action, object kind/id, actor, tenant) — the backbone of compliance and tamper-evidence.
Connecting to SynComms...
API keys, webhooks and simulcast targets.
Everything internal teams and external integrations need: environment-scoped API keys and webhooks that fire on asset/live lifecycle events — the developer contract for the engine.
Connecting to SynComms...
Connecting to SynComms...
Restream a live stream to external platforms (YouTube Live, etc.) in parallel.
Connecting to SynComms...
Live posture across every mail surface.
SynPost is fully native: message metadata lives in the SynDB control plane and raw RFC-5322 MIME is written once to a content-addressed object tier (CAS) — no Postgres, no S3, no Redis. New-mail fan-out, presence and the webserver are all in-tree (SynRealtime · SynPush · SynWeb).
--
Loading events...
Read, compose, send and receive.
Your day, your team and bookable time — native.
Loading calendar…
Public scheduling pages and appointments.
Event pages, programmes, tickets and registration.
Work that comes out of your inbox.
Loading tasks…
Personal notes alongside your mail.
Every attachment across the org, in one place.
Loading files…
Connect domains, publish DNS, verify and rotate DKIM.
Connect a domain to send and receive mail. SynPost mints a real 2048-bit RSA DKIM keypair (the private half is sealed in the key store) and renders the MX, SPF, DKIM and DMARC records — plus MTA-STS and TLS-RPT — to publish. Verify then queries live public DNS and confirms each record before flipping the domain to verified.
Connect a domain to receive its DNS records.
Pick a domain below, then “View DNS”.
Connecting to SynPost...
Provision email addresses and folders.
Create email addresses on a connected domain. Each new mailbox is provisioned with the standard folders (Inbox, Sent, Drafts, Archive, Spam, Trash) and a storage quota.
Create a mailbox to provision its folders.
Connecting to SynPost...
Pick the signature each mailbox applies by default. New messages and replies from that mailbox are pre-signed automatically — senders can still switch or remove it per message in the composer.
Loading mailboxes…
Forwarders to local mailboxes.
Forwarders route mail from one address to another local mailbox. A message sent to an alias is delivered to its target's inbox.
Connecting to SynPost...
External delivery queue, retries and suppression.
External recipients are DKIM-signed with the sending domain's own key and queued here for delivery. The processor resolves each recipient's MX, opens STARTTLS, and delivers over real ESMTP. Transient failures are retried with exponential backoff; hard bounces fail the message and suppress the address automatically.
Loading queue…
Loading suppressions…
Ports, relay/smarthost and delivery settings.
One place to configure how SynPost sends and receives mail. Point delivery at an authenticated relay / smarthost when your host blocks outbound port 25 (AWS, GCP, Azure, DigitalOcean and most home ISPs do), set the listening ports and HELO identity, and manage your sending domains and mailboxes.
Route every outbound message through an authenticated relay instead of delivering direct-to-MX on port 25. Works with any provider — Postmark, SendGrid, Mailgun, Amazon SES, Brevo, or your own MTA. Leave this off to deliver straight to each recipient's mail exchanger.
Save your relay, then run a connection test to verify the host, TLS and authentication before enabling it.
The HELO name SynPost announces and the standard service ports. Inbound SMTP (25) accepts mail from the internet; Submission (587) and SMTPS (465) accept authenticated client sends; IMAP (143 / 993) serves mailboxes to mail apps.
When a company brings their own domain, configure both directions here. Receive accepts inbound mail addressed to the domain (its MX points to our MTA and is routed to mailboxes); Send lets its mailboxes deliver outbound, DKIM-signed with the domain's own key. A catch-all routes any unmatched recipient to one mailbox on the domain.
Loading connected domains…
Every mailbox quota draws from one shared company storage pool. Set the pool size, then give each provisioned mailbox a slice of it — total allocation can never exceed the pool.
—
Loading mailboxes…
Live per-tenant telemetry across storage, mailboxes, domains and messages, each measured against its quota. A resource turns amber past 75% and red once it reaches its limit. Set a limit to 0 for “no limit”, then Save limits to apply.
Loading resource meter…
Create a mailbox on a connected domain. Sign-in uses the member's platform identity password — provisioning links the mailbox to that identity, so there is no separate mail credential to manage. You can provision a person's mailbox before they first sign in to the Syneratix platform.
Provisioned mailboxes appear under Storage above and on the Mailboxes surface.
Address book.
A lightweight address book. Contacts autocomplete in the composer and back the People surface in later phases.
Connecting to SynPost...
Design rich email visually — designs, templates and signatures.
Compose rich, on-brand email visually — headings, buttons, images, columns, data tables and action cards. Every design compiles to email-safe HTML with a plain-text alternative and an image-blocked fallback, and is checked for deliverability issues before you send. Save a design to reuse it, promote it to a template, or publish it as an organisation signature.
Loading designs…
Loading templates…
Loading signatures…
Bulk sends on the same mail infrastructure.
Campaigns reuse the exact send pipeline — DKIM-signed with the sending domain's key, suppression-aware, and queued through the same outbound MTA. The audience is your contacts (optionally narrowed to a team). Every recipient is stamped with the campaign id so delivery stats roll up live.
Loading campaigns…
Communications API keys and the REST send endpoint.
Issue bearer keys for the Communications API — programmatic transactional email over the same infrastructure. Keys are shown once and stored only as a SHA-256 hash. Send with a single authenticated POST.
A new key's secret token appears here once — copy it now.
Loading keys…
Send a transactional email with one authenticated request:
curl -X POST https://YOUR_HOST/v1/comms/email/send \
-H "Authorization: Bearer YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"to":"user@example.com","subject":"Hello","text":"Sent via the Communications API"}'
Immutable, reference-only governance trail.
An immutable, reference-only record of governed actions — message opens, forwards, exports, permission denials, attachment downloads, signatures applied, drafts shared, events created, bookings cancelled, mailbox delegations and legal holds. Each entry stores object references and a tamper-evident digest; message bodies are never copied here.
Loading audit trail…
Design, delivery, growth and compliance — scoped to what you manage.
Loading mail settings…
Live posture across every networking surface.
Loading events...
The live network plane as an interactive SynInfra Canvas — drag to arrange, click a node to inspect.
The live gateway and domain configuration.
The live SynWeb gateway fronting this system. Configure a domain to make the running platform reachable by name — start with the local DNS resolver and a custom name like syneratix.syn, then add the printed hosts line to open it in your browser, mirroring a production deployment.
Loading webserver…
Connecting to control plane...
Configure a domain to see the authoritative DNS record, the hosts-file line and a verification command.
Reverse proxy, SNI routing and rate limits.
Reverse-proxy and SNI routes. Each route maps a host (and optional path) to an upstream pool, with TLS termination, WAF and per-route rate limits.
Connecting to control plane...
Upstream pools, members and health checks.
Upstream / load-balancer pools. Members are comma-separated host:port endpoints balanced by the chosen algorithm. Run an active health check to TCP-probe every member and refresh the healthy/total counts.
Connecting to control plane...
Run a health check to probe pool members in real time.
Authoritative zones and records.
Authoritative DNS. Author zones and the A/AAAA/CNAME/MX/TXT/SRV records served from them.
Connecting to control plane...
Connecting to control plane...
Published API endpoints, auth and quotas.
API gateway. Publish API endpoints backed by an upstream pool, with per-endpoint auth (API key / JWT / OAuth2 / mTLS), rate limits and timeouts.
Connecting to control plane...
East-west services, mTLS and traffic policy.
Service mesh. Register east-west services with their namespace, version, mTLS posture, instance count and traffic-distribution policy.
Connecting to control plane...
L3/L4 allow/deny policy engine.
L3/L4 firewall policy, evaluated in priority order. Lower priority numbers are evaluated first; the default-deny rule should always sit last.
Connecting to control plane...
Encrypted tunnels and peer management.
WireGuard-style VPN peers. Each peer carries an endpoint, allowed-IP set and public key; status reflects the last successful handshake.
Connecting to control plane...
CIDR allocation and utilisation.
IP address management. Track CIDR allocations, their gateway, owning VLAN and utilisation across the estate.
Connecting to control plane...
Layer-2 segment definitions.
Layer-2 segments. Map VLAN ids to subnets and control tagging for trunk ports.
Connecting to control plane...
Static routes and address translation.
Static routes and NAT entries. Define destination/gateway pairs, the egress interface, metric and NAT mode (masquerade / SNAT / none).
Connecting to control plane...
Reservations and active leases.
DHCP reservations and active leases. Bind MAC addresses to fixed IPs or review dynamically-assigned leases and their expiry.
Connecting to control plane...
Throughput, bandwidth and flow telemetry.
Live throughput and flow telemetry sampled from the data plane. The series refresh on a short interval while this panel is open.
Loading counters...
Scheduled and triggered network jobs.
Network automation. Schedule or trigger jobs (config snapshots, health sweeps, certificate refresh) and run them on demand with the Run action. Bound executors: config.snapshot, health.check.
Connecting to control plane...
Versioned desired-state snapshots.
Config script management. The control plane keeps versioned snapshots of the entire network desired-state; capture a snapshot before risky changes and roll back instantly if needed.
Loading versions...
Click "Refresh" to load the current configuration export.
Live DNS / TCP / TLS / HTTP probes.
Troubleshooting. These probes run real operations against the host network stack — DNS resolution, TCP reachability, TLS-port checks and HTTP requests.
Run a probe above to see live results.
Append-only operational event log.
Append-only operational log for every change and probe made through the control plane.
Loading log...
Plane behaviour and subsystem state.
Plane-wide behaviour. These map to the runtime subsystems behind the control plane (syndb-web proxy, syndb-dns, syndb-firewall, syndb-vpn).
Push the control plane's desired-state into the live runtime. This ensures every desired DNS zone and record exists in the authoritative resolver and reports what changed.
Click "Reconcile now" to apply desired-state and see the diff.
| Subsystem | Backed by | State |
|---|---|---|
| Reverse proxy / SNI routing | syndb-web | active |
| Load balancing + health | syndb-web | active |
| Authoritative DNS | syndb-dns | active |
| API gateway | syndb-gateway | active |
| Service mesh | syndb-fabric-gateway | supervised |
| Firewall / WAF | syndb-firewall | active |
| VPN tunnels | syndb-vpn | supervised |
| Config versioning | syndb-netctl | active |
No resources in this view
Connect SynCompute or SynNet, or add a planned node to start designing.
Tables, objects, volumes, archive, protection and replication for this tenant.
Identity, policy, encryption, audit, detection, response and recovery for the entire sovereign enterprise stack.
Live posture across every trust and protection plane.
The live security plane as an interactive SynInfra Canvas — vault, identity, trust, threat and audit, with their internal trust edges. Drag to arrange, click to inspect.
Users, service accounts, MFA, sessions and login policy.
Loading users…
RBAC, ABAC and policy-based access with tenant isolation.
Loading roles…
| Model | Meaning |
|---|---|
| RBAC | Role-based access: Admin, Developer, Auditor |
| ABAC | Attribute-based: department, branch, clearance, device, time |
| PBAC | Policy-based: rules expressed as security policies |
| Tenant isolation | One enterprise cannot reach another's resources |
Secrets, encryption keys, leasing and rotation.
| Item | Example |
|---|---|
| API keys | Payment provider keys, SMS gateway keys |
| DB passwords | Internal service credentials |
| Encryption keys | Tenant master keys (KEK / DEK) |
| Signing keys | JWT, webhook, package signing |
| TLS private keys | Webserver certificates |
| Federation keys | Partner trust keys |
| Backup keys | Offline restore keys |
No service stores long-term secrets in config files. Every sensitive service requests short-lived credentials from Vault at runtime.
Sovereign certificate authority and PKI hierarchy.
SynDB Root CA
└── Enterprise Intermediate CA
├── Webserver TLS certificates
├── Database mTLS certificates
├── Service-to-service certificates
├── Federation certificates
├── Backup node certificates
└── Device / agent certificatesLoading revocation list…
Certificate inventory, TLS profiles and domain security.
Loading managed certificates…
Loading inventory…
Web application firewall and bot defense.
| Attack | Protection |
|---|---|
| SQL injection | Query pattern blocking |
| XSS | Script payload detection |
| Path traversal | Block ../ and encoded traversal |
| Command injection | Block shell payload patterns |
| SSRF | Block internal metadata + private-IP calls |
| CSRF | Token enforcement |
| File upload attacks | MIME / type / extension scanning |
| Bot abuse | Fingerprinting and scoring |
bot score 0 - 30 normal 31 - 60 suspicious 61 - 80 challenge 81 - 100 block
Auth, signed requests, rate limits and quotas.
| Feature | Purpose |
|---|---|
| API keys | App-level access |
| OAuth / OIDC | User-delegated access |
| JWT validation | Token-based auth |
| HMAC signatures | Signed requests |
| mTLS | High-trust API access |
| Scopes + quotas | Limit permissions and protect tenants |
| Rate limits | Token-bucket abuse prevention |
| Schema validation | Reject malformed payloads |
| Replay protection | Nonce / timestamp validation |
| Webhook signing | Verify callbacks |
Public API light auth, strict rate limits Partner API API key + HMAC + quotas Internal API service identity + mTLS Admin API mTLS + MFA + audit Federation API enterprise cert + signed exchange Break-glass one-time, fully audited
IP policy, segmentation and per-service firewalls.
| Control | Purpose |
|---|---|
| IP allowlist / blocklist | Approve or block sources (CIDR-aware) |
| Country rules | Allow / block by geography |
| Port policies | Control exposed ports per service |
| Service firewall | Per-service ingress / egress |
| Tenant firewall | Tenant-specific network isolation |
| VPN-only admin | Admin portals reachable only via secure network |
Public Zone websites, public APIs DMZ Zone gateway, reverse proxy, WAF App Zone app services, job workers Data Zone SynDB, object store, ledger Security Zone Vault, CA, audit, key manager Backup Zone encrypted backups, federation replication
Risk scoring, anomaly detection and alerts.
| Source | Events |
|---|---|
| Identity | Logins, MFA, lockouts |
| Webserver / API | Blocked payloads, rate limits, auth failures |
| Vault | Secret access, key rotation |
| SynDB | Queries, exports, schema changes |
| Network | Denied flows, unusual traffic |
| Federation | Remote syncs, trust changes |
user risk: 72 / 100
reason:
- new device
- failed MFA
- login from new country
- attempted admin endpoint
action:
- require MFA
- alert security admin
- restrict sensitive exportsImmutable, tamper-evident, correlated audit trail.
| Requirement | Description |
|---|---|
| Append-only | Logs cannot be silently edited |
| Tamper-evident | Hash-chained log entries |
| Searchable | Filter by user, service, tenant, IP |
| Exportable | CSV, JSON, PDF, compliance bundle |
| Signed | Important events are cryptographically signed |
| Correlated | Link user -> API -> DB -> file -> export |
| Tenant-isolated | Each enterprise sees only its own logs |
Control packs mapped to live audit + policy evidence.
Evaluating controls…
Trusted peers, signed exchange and revocable contracts.
| Feature | Purpose |
|---|---|
| Federation identity | Each enterprise has a cryptographic identity |
| mTLS federation | Both sides authenticate |
| Signed data exchange | Prevent tampering |
| Encrypted replication | Remote node cannot read data |
| Policy-bound sharing | Share only approved data |
| Revocation | Cut off partner trust instantly |
| Federation audit | Log all cross-org activity |
Enterprise A encrypts backup locally backup is signed backup is sent to Enterprise B Enterprise B stores encrypted backup only Enterprise B cannot decrypt it Enterprise A keeps restore keys audit log records every replication event
Encrypted, key-separated, verifiable backups.
| Layer | Protection |
|---|---|
| Data at rest | AES-256-GCM page encryption, per-tenant DEKs |
| Backup encryption | Separate backup keys, never co-located |
| Export encryption | Password / key-protected exports |
| Federation backup | mTLS + payload encryption, remote zero-knowledge |
| Restore approval | Privileged, audited restore workflow |
Zero-trust workload + device identity and posture.
No workload or device is trusted by default. Each must: 1. prove identity 2. receive short-lived credentials 3. access only assigned resources 4. communicate over mTLS 5. emit audit logs 6. respect quota and policy
Detect, contain, investigate, recover.
Loading alerts…
Loading risk profiles…
| Phase | Action |
|---|---|
| Detect | Correlate signals into a scored incident |
| Contain | Lock account / IP, revoke tokens, isolate workload |
| Investigate | Replay access path: user -> API -> DB -> file |
| Eradicate | Rotate secrets, revoke certs, patch policy |
| Recover | Restore from verified backup, re-enable access |
| Review | Post-incident report + control hardening |
Controls, posture targets and rollout phases.
| Setting | State |
|---|---|
| Enforce MFA for admins | on |
| TLS 1.3 minimum | on |
| mTLS between services | phase 2 |
| Tamper-evident audit | on |
| Automatic key rotation | 9 due |
| Geo / IP login policy | on |
| WAF default mode | block |
Metrics, dashboards and operational insight across the platform.
DataTable, DataGrid, and DataList — the three primitives every module composes its resource surfaces from.
Compute fleet across all regions
Deployed workloads and their runtime health
Authoritative zone — syneratix.io
| Name | Type | Value | TTL | State |
|---|---|---|---|---|
syneratix.ioApex | A | 203.0.113.42 | 300 | Resolved |
www.syneratix.ioSubdomain | CNAME | syneratix.io. | 300 | Resolved |
api.syneratix.ioGateway | A | 203.0.113.55 | 60 | Resolved |
mail.syneratix.ioMail | MX | 10 mx1.mailhost.net. | 3600 | Propagating |
_dmarc.syneratix.ioDMARC | TXT | v=DMARC1; p=reject; rua=mailto:dmarc@… | 3600 | Resolved |
staging.syneratix.ioStaging | A | 198.51.100.18 | 60 | NXDOMAIN |
Recent objects in the active workspace bucket
Routers, switches and gateways across the fabric
Live identity sessions for the current tenant
| User | Device | IP | Last seen | State |
|---|---|---|---|---|
Sarah Achensuperadmin | MacBook Pro · macOS 14 | 203.0.113.4 | active | Online |
Daniel Okothtenant_admin | Windows 11 Pro | 203.0.113.21 | 9m | Online |
Lillian Vegaanalyst | iPhone 15 · iOS 18 | 198.51.100.6 | 44m | Idle |
Mateo Ríosdeveloper | Ubuntu 24.04 | 10.0.4.18 | 2h | Away |
| Tenant | Enterprise | Status | Isolation | Namespace | Region | Databases | Representation | Created |
|---|
| # | Time | Query | Duration | Rows | Status |
|---|---|---|---|---|---|
| No queries executed yet | |||||
| ID | Name | Severity | Hits | Enabled | Action |
|---|---|---|---|---|---|
| Loading… | |||||
Bare-metal HTTP/1.1 reverse proxy fronting Studio and the JSON IPC plane. Configure under [web] in syndb.toml.
| Key | Tenant | Namespace | Created | Action |
|---|---|---|---|---|
| No secrets loaded | ||||
| Key ID | Purpose | State | Version | Created | Action |
|---|---|---|---|---|---|
| No keys loaded | |||||
| Token ID | Identity | Kind | Scope | Expires | Action |
|---|---|---|---|---|---|
| No tokens loaded | |||||
-- List all tables
SHOW TABLES;
-- Describe a table structure
DESCRIBE auth_users;
-- Select data
SELECT email, display_name, status FROM auth_users WHERE status = 'active';
-- Insert data
INSERT INTO my_table (col1, col2) VALUES ('value1', 42);
-- Update data
UPDATE auth_users SET status = 'suspended' WHERE email = 'user@example.com';
-- Delete data
DELETE FROM auth_users WHERE status = 'locked';
-- SynQL supports all standard SQL plus: -- SHOW TABLES, DESCRIBE, EXPLAIN -- Window functions (ROW_NUMBER, RANK, DENSE_RANK, etc.) -- CTE (WITH ... AS), Recursive CTE -- GROUPING SETS, ROLLUP, CUBE -- TRY_CAST for safe type conversions -- Hash and merge join optimizer hints
SynQL is SynDB's native query language — a superset of SQL with enterprise extensions.
| Type | Description | Example |
|---|---|---|
INTEGER | 64-bit signed integer | 42 |
REAL | 64-bit floating point | 3.14 |
TEXT | UTF-8 string | 'hello' |
BLOB | Binary large object | X'DEADBEEF' |
BOOLEAN | True/False (0/1) | TRUE |
TIMESTAMP | Unix epoch seconds | 1700000000 |
CREATE TABLE table_name ( id INTEGER PRIMARY KEY, name TEXT NOT NULL, value REAL DEFAULT 0.0, created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP ); ALTER TABLE table_name ADD COLUMN new_col TEXT; DROP TABLE IF EXISTS table_name; CREATE INDEX idx_name ON table_name(column_name);
SELECT ... FROM ... WHERE ... GROUP BY ... HAVING ... ORDER BY ... LIMIT ... OFFSET ...; INSERT INTO ... (cols) VALUES (...); UPDATE ... SET ... WHERE ...; DELETE FROM ... WHERE ...; INSERT OR REPLACE INTO ... VALUES (...);
SynDB supports ANSI SQL with the following clauses and operators:
| Operator | Description |
|---|---|
=, !=, <, >, <=, >= | Comparison operators |
AND, OR, NOT | Logical operators |
BETWEEN ... AND ... | Range check |
IN (...) | Set membership |
LIKE, GLOB | Pattern matching |
IS NULL, IS NOT NULL | Null checks |
EXISTS (...) | Subquery existence |
CASE WHEN ... THEN ... ELSE ... END | Conditional expression |
COUNT(*), COUNT(DISTINCT col) SUM(col), AVG(col), MIN(col), MAX(col) GROUP_CONCAT(col, ',') -- With FILTER clause: COUNT(*) FILTER (WHERE status = 'active') SUM(amount) FILTER (WHERE type = 'credit')
| Function | Description | Example |
|---|---|---|
LENGTH(s) | String length | LENGTH('hello') -> 5 |
UPPER(s) | Uppercase | UPPER('abc') -> 'ABC' |
LOWER(s) | Lowercase | LOWER('ABC') -> 'abc' |
SUBSTR(s,i,n) | Substring | SUBSTR('hello',2,3) -> 'ell' |
TRIM(s) | Remove whitespace | TRIM(' hi ') -> 'hi' |
REPLACE(s,a,b) | Replace occurrences | REPLACE('aXb','X','Y') -> 'aYb' |
COALESCE(a,b,...) | First non-null | COALESCE(NULL,'x') -> 'x' |
| Function | Description |
|---|---|
ABS(n) | Absolute value |
ROUND(n,d) | Round to d decimal places |
CEIL(n) / FLOOR(n) | Ceiling / floor |
RANDOM() | Random integer |
TRY_CAST(expr AS type) | Safe cast (returns NULL on failure) |
TRY_CAST is a SynQL extension -- it returns NULL on type mismatches instead of erroring. Useful for ETL/migration scripts.-- Row numbering SELECT name, ROW_NUMBER() OVER (ORDER BY created_at DESC) as rn FROM users; -- Ranking (with ties) SELECT name, score, RANK() OVER (ORDER BY score DESC) FROM leaderboard; SELECT name, score, DENSE_RANK() OVER (ORDER BY score DESC) FROM leaderboard; -- Running totals SELECT date, amount, SUM(amount) OVER (ORDER BY date ROWS BETWEEN UNBOUNDED PRECEDING AND CURRENT ROW) as running_total FROM transactions; -- Partitioned windows SELECT dept, name, salary, AVG(salary) OVER (PARTITION BY dept) as dept_avg FROM employees; -- NTILE - distribute into buckets SELECT name, salary, NTILE(4) OVER (ORDER BY salary DESC) as quartile FROM employees; -- LAG / LEAD (prev/next row values) SELECT date, price, LAG(price,1) OVER (ORDER BY date) as prev_price FROM stock_prices;
-- Create an index CREATE INDEX idx_users_email ON auth_users(email); -- Create a unique index CREATE UNIQUE INDEX idx_users_email_unique ON auth_users(email); -- Composite index CREATE INDEX idx_users_tenant_status ON auth_users(tenant_id, status); -- Drop an index DROP INDEX idx_users_email;
EXPLAIN to verify your indexes are being used.-- Inner Join SELECT u.email, s.created_at FROM auth_users u INNER JOIN auth_sessions s ON u.user_id = s.user_id; -- Left Outer Join SELECT u.email, r.name FROM auth_users u LEFT JOIN auth_user_roles ur ON u.user_id = ur.user_id LEFT JOIN auth_roles r ON ur.role_id = r.role_id; -- Cross Join SELECT a.name, b.name FROM table_a a CROSS JOIN table_b b; -- Self Join SELECT e.name as employee, m.name as manager FROM employees e LEFT JOIN employees m ON e.manager_id = m.id;
EXPLAIN to see which strategy was chosen.-- Begin a transaction BEGIN TRANSACTION; -- Perform operations INSERT INTO orders (customer_id, total) VALUES (1, 99.99); UPDATE inventory SET quantity = quantity - 1 WHERE product_id = 42; -- Commit changes COMMIT; -- Or rollback on error ROLLBACK;
EXPLAIN before deploying any query that touches >10k rows. Look for full table scans and add indexes accordingly.-- Check table sizes
SELECT name, COUNT(*) as rows FROM (SHOW TABLES) ORDER BY rows DESC;
-- Find slow queries (from metrics log)
-- Check the Metrics tab -> Query Log -> sort by Duration
-- Verify indexes
SHOW TABLES;
DESCRIBE table_name;
-- Check active sessions
SELECT * FROM auth_sessions WHERE expires_at > strftime('%s','now');
. to see column suggestions. Press Tab to accept a suggestion.WITH ... AS) to break complex queries into readable steps.WITH active_users AS ( SELECT * FROM auth_users WHERE status = 'active' ), user_sessions AS ( SELECT user_id, COUNT(*) as session_count FROM auth_sessions GROUP BY user_id ) SELECT u.email, u.display_name, COALESCE(s.session_count, 0) as sessions FROM active_users u LEFT JOIN user_sessions s ON u.user_id = s.user_id ORDER BY sessions DESC;
| Shortcut | Action |
|---|---|
| Cmd+Enter / Ctrl+Enter | Execute query |
| Cmd+Shift+F / Ctrl+Shift+F | Format / beautify query |
| Cmd+S / Ctrl+S | Save query |
| Cmd+L / Ctrl+L | Clear editor |
| Tab | Accept autocomplete suggestion |
| Escape | Dismiss autocomplete / AI panel |
| Cmd+/ / Ctrl+/ | Toggle line comment |
| Cmd+I / Ctrl+I | Toggle AI panel |
| Metric | Actual | Target | Status | Owner | Certification | |
|---|---|---|---|---|---|---|
| No metrics defined | ||||||
| Report | Type | Source | Schedule | Last run | |
|---|---|---|---|---|---|
| No saved reports | |||||
| Alert | Condition | State | Then | Last checked | |
|---|---|---|---|---|---|
| No alert rules | |||||