Rows of bare-metal server racks in a dimly lit datacenter corridor

Compute sovereignty

Hardware-level control. Enterprise-grade isolation.

KVM lifecycle, live migration, and redeploy-from-image — one API, one reconciliation loop.

Talk to an engineer Explore the architecture

Global distribution — earth view of network arcs

Regional terrain — topographic network paths

Geographic distribution

Deploy anywhere. The control plane is one Postgres.

Place workloads by region, latency, sovereignty, or fault domain. One reconciliation loop coordinates every site from a single Postgres of record.

Geographic distribution

Deploy anywhere. The control plane is one Postgres.

Place workloads by region, latency, sovereignty, or fault domain. One reconciliation loop coordinates every site from a single Postgres of record.

Platform architecture

Postgres holds the desired state. Three binaries reconcile it.

The gateway projects per-host manifests, agents reconcile them, and Postgres enforces tenant isolation with row-level security.

0 message brokers

Read the three-component architecture Inspect the RLS-backed security model

Virtualization control-plane diagram — gateway, agent, image service, and Postgres layered into the hardware rack

Gateway · Agent · Image Service · Postgres

Core capabilities

Four domains. One control surface.

domains

One API, one task model, one reconciliation loop

Compute sovereignty

KVM/libvirt lifecycle
Template → create → running → migrate
Evacuation + redeploy-from-image

kvm · live-migration · reconcile

Network as code

OVS/OpenFlow SDN
Three-layer policy: zone · VM · NIC
Microsegmentation at the packet boundary

ovs · openflow · bgp · ospf

Storage coherence

Ceph orchestration — Mon · Mgr · OSD
Pool capabilities as queryable objects
Placement-aware scheduling

ceph · rbd · clone · snapshot

Trust by construction

Activation leases · zero-trust agent identity
Row-level security at the database boundary
FIPS 140-3 via aws-lc-rs

rls · fips · lease · audit

Intelligence-native design

Every operation carries its reason. That is the interface.

9 MCP read tools across the full state surface

{
  "tool": "vm.list",
  "description": "List virtual machines visible to caller",
  "inputSchema": {
    "type": "object",
    "properties": {
      "cluster_id": { "type": "string", "format": "uuid" },
      "status": { "enum": ["running","stopped","paused"] }
    }
  }
}

{
  "capability": "snapshot",
  "available": false,
  "reason": {
    "code": "pool_type_unsupported",
    "message": "RBD pools do not support external snapshots",
    "pool_id": "a1b2c3d4-...",
    "required": "zfs|dir"
  }
}

{
  "tool": "host.list",
  "description": "List hosts in a cluster with health and role",
  "inputSchema": {
    "type": "object",
    "properties": {
      "cluster_id": { "type": "string", "format": "uuid" },
      "role": { "enum": ["compute","storage","converged"] }
    }
  }
}

{
  "manifest": "host-desired-state",
  "host_id": "e5f6a7b8-...",
  "projected_vms": 12,
  "network_zones": ["mgmt", "tenant-a", "storage"],
  "converge_target": "2024-01-15T09:30:00Z",
  "drift_detected": false
}

{
  "capability": "live_migration",
  "available": true,
  "reason": {
    "code": "ok",
    "message": "Host meets CPU and network requirements",
    "source_host": "node-03",
    "target_host": "node-07"
  }
}

{
  "tool": "task.get",
  "description": "Get task details with step-level progress",
  "inputSchema": {
    "type": "object",
    "properties": {
      "task_id": { "type": "string", "format": "uuid" }
    },
    "required": ["task_id"]
  }
}

Bare metal to production in six stages

01 Discover hardware
Provisioner walks the rack, inventories every host, and registers topology.
02 Configure the site
Setup TUI declares network ranges, storage pools, and identity trust roots.
03 Enroll agents
Each host agent presents its identity and joins the reconciliation loop.
04 Deploy workloads
VMs instantiate from versioned templates through the gateway API.
05 Self-configure networks
Overlay and underlay converge to declared topology without manual wiring.
06 Observe and converge
Monitoring lights up. Drift triggers reconciliation, not pages.

Deployment & licensing

Compare the operational shape. Then choose.

Basalt is three binaries and one database. The incumbent is a constellation of appliances, queues, and per-socket contracts.

4 components total

Architecture 3 static binaries + 1 Postgres database

Licensing Capacity-based — tracks infrastructure, not CPU sockets

Gateway footprint Hundreds of megabytes — part of the platform, not its own estate

Incumbent stack

vCenter

ESXi

NSX-T

vSAN

vRealize

Message Queues

Multiple DBs

Schema Registry

JMX Exporter

Upgrade Choreography

Per-Socket Licensing

Cert Sidecars

Run it yourself. Start here.

See pricing