The vocabulary, in one place.

A SHA-256 hash that points to the most recent record in a process's audit chain. Persisted on the daemon's narrow durable surface so the chain survives restarts. Knowing the anchor is enough to validate every prior record.

See: /security

Each AuditRecord includes the previous record's hash and is sealed with SHA-256. Tampering with one record breaks linkage at ingest. The same artifact powers metering and compliance.

See: /security, /economics

Signed by the fabric CA, scoped to a specific holder, node, lease, and epoch. TTL of 300 seconds or less. Long-lived secrets are not the unit of access in Tenura.

See: /security

A GPU held for two minutes is 120 GPU-seconds. 80 GiB of memory held for an hour is 288,000 GiB-seconds. Cost = capacity × duration_seconds × rate.

See: /pricing, /economics

A cell has its own scheduler, fabric CA, and pool of nodes. Leases are bound to the cell that issued them. Multi-cell deployments coordinate via the orchestrator.

A minimal firmware specification for disaggregated computing fabrics. Implements the lease state machine, capability minting, replay protection, and the FENCED state. The wire protocol is open.

See: /architecture

Entered when teardown fails on lease expiry or revocation. Cleanup is enforcement, not hope: an operator must explicitly clear the fence (after diagnostic and remediation) before the resource is eligible for new leases.

See: /security

A graph-based resource runtime: programs declare resource intent (GPU + memory + storage + network) by shape, the runtime acquires leases via fabricBIOS, and the program runs against the resulting handles.

See: /architecture

Every resource access in Tenura is a lease. Leases have a TTL, a mandatory teardown path, and an audit-chain trail. When the TTL elapses, the resource is reclaimed automatically.

Lease TTLs default to short windows (seconds to minutes) and can be extended by explicit renewal. Capability tokens have their own TTL upper-bounded by 300 seconds, even if the parent lease is longer.

Both the client and the daemon present certificates signed by the fabric CA. There is no plaintext mode. Required for every control-plane interaction.

See: /security

When a Guaranteed-priority request arrives and capacity is insufficient, the scheduler identifies victims at strictly lower priority (Standard, then Scavenger) and revokes their leases. Every preemption generates an audit-chain event.

See: /economics

Guaranteed leases are never preempted. Standard leases are preempted by Guaranteed requests under contention. Scavenger leases are preempted by anyone — designed for fault-tolerant batch work that monetizes otherwise-idle capacity.

See: /pricing

Three flavors: hard (reject when exceeded), soft (track but allow), burst (temporary over-quota with TTL). Per-tenant, per-resource, per-cell.

See: /economics

Preemptible by Guaranteed requests under contention. Discounted compared to Guaranteed. The default tier for non-latency-sensitive workloads.

Tenants own quotas, hold leases, and receive bills. Each tenant has a CA-issued certificate and an accounting tag that flows through every lease event.