// pages/features.jsx
const TOKEN_CODE = `vela aegis-generate-token \\
--allow-file /tmp \\
--allow-file /data/uploads \\
--allow-network false \\
--allow-syscall read \\
--max-memory-mb 256 \\
--max-timeout-ms 30000 \\
--expires-in-seconds 3600`;
const POLICY_CODE = `# policy.yaml
deny_patterns:
- "rm -rf"
- "curl\\\\s+https?://"
- "wget"
- "chmod.*777"
- "nc\\\\s+-" # netcat
require_approval_for:
- pattern: "sudo"
reason: "privilege escalation requires human review"
- pattern: "pip install"
reason: "package installation must be pre-approved"
max_timeout_ms: 15000`;
const ALERT_CODE = `{
"execution_id": "a1b2c3d4",
"alerts": [
{
"severity": "HIGH",
"rule_id": "sensitive_file_access",
"description": "Process attempted to access /etc/shadow"
},
{
"severity": "CRITICAL",
"rule_id": "syscall_rate_spike",
"description": "Syscall rate exceeded 847/s (limit: 500/s)"
}
]
}`;
const TELEMETRY_CODE = `{"record":{
"execution_id":"a1b2c3",
"timestamp_ms":1748649600000,
"command":["python3","-c","..."],
"exit_code":0,
"duration_ms":187,
"events":[
"RequestReceived",
"TokenValidated",
"PolicyChecked",
"VMAssigned",
"CommandFinished"
],
"memory_consumed_mb":42
},"degraded_policy":false,"alerts":[]}`;
const API_ENDPOINTS = [
{ method: 'POST', path: '/execute', desc: 'Submit code for execution' },
{ method: 'GET', path: '/executions', desc: 'List recent executions' },
{ method: 'GET', path: '/executions/:id', desc: 'Get execution details + telemetry' },
{ method: 'GET', path: '/health', desc: 'Health check with execution counters' },
{ method: 'GET', path: '/metrics', desc: 'Prometheus metrics (text format)' },
];
const METHOD_COLORS = { POST: 'var(--color-green)', GET: 'var(--color-blue)', DELETE: 'var(--color-red)' };
function FeatureSection({ flip, badge, icon: Icon, title, children, right }) {
return (
{/* Text side */}
{Icon && }{badge}
{title}
{children}
{/* Visual side */}
{right}
);
}
function FeaturesPage() {
useSEO("Features — Vela Runtime", "Explore the isolation and security features of Vela.");
return (
{/* Hero */}
Features
Every feature, explained
Vela is not a black box. Here's exactly what it does and why it matters.
{/* Section 1 — Firecracker */}
{[
{ label: 'p50 latency (warmed pool)', value: '~150ms', ok: true },
{ label: 'Cold start', value: '~900ms', ok: null },
{ label: 'Leaks between executions', value: '0', ok: true },
{ label: 'Shared host kernel', value: 'Never', ok: true },
{ label: 'KVM hardware isolation', value: 'Yes', ok: true },
].map(({ label, value, ok }) => (
{label}
{value}
))}
Vela runs every execution in a fresh Firecracker micro-VM — the same technology that powers AWS Lambda and Fargate. Unlike Docker, Firecracker VMs provide hardware-level isolation through KVM. Your host kernel is never shared with untrusted code.
Pre-warmed VM pools amortize startup overhead. Configure --pool-size 4 and p50 drops to ~150ms. When execution finishes, the VM is destroyed — nothing persists between runs.
{/* Section 2 — Tokens */}
}>
Capability tokens are HMAC-SHA256 signed JSON payloads that declare exactly what a caller is permitted to do. The daemon verifies the signature before executing anything.
{['Filesystem paths — exact directory allowlist', 'Network access — boolean on/off', 'Allowed syscalls — per-execution allowlist', 'Memory limit — hard cap in MB', 'Timeout — hard cap in milliseconds', 'Expiry — Unix timestamp; expired tokens rejected'].map(f => (
{f}
))}
Define what's allowed at the organization level — not just per-token. Vela compiles YAML rules at startup into pre-compiled regexes for zero-overhead enforcement.
Three decision types: Allow (proceed), Deny (reject with reason), RequireApproval. Connect an external policy service with --policy-endpoint. Vela fails closed if the endpoint is unreachable.
{/* Section 4 — Intrusion detection */}
}>
Vela watches every execution for anomalous behavior and attaches alerts to the telemetry record. No configuration required — rules are enabled by default.
{[
'Sensitive file access (/etc/shadow, /root/.ssh/*)',
'Syscall rate spike (>500/s signals exploit)',
'Private network access (RFC-1918 addresses)',
'Custom pattern matching (intrusion_rules.toml)',
].map(f => (
{f}
))}
Every execution produces a structured telemetry record appended to an append-only JSONL log. Events trace the full lifecycle from request to result.
Access three ways: JSONL log file (grep/jq/SIEM), live stream socket (real-time events), or vela inspect <id> (CLI lookup). The audit UI visualizes the log with filtering and alert badges.
{/* Section 6 — Cloud API */}
| Method |
Path |
{API_ENDPOINTS.map((ep, i) => (
|
{ep.method}
|
{ep.path}
{ep.desc}
|
))}
}>
Run the cloud API server with a single command and a YAML config. SQLite-backed execution store, queue-based worker pool, and API key authentication included.
{['Webhook notifications on completion', 'Per-API-key rate limiting (no Redis)', 'Execution labels for filtering', 'JavaScript/Node.js execution', 'Prometheus /metrics endpoint (7 counters)'].map(f => (
{f}
))}