Public / Private Boundary
Defining where public open-source tools end and private production infrastructure begins.
Ecosystem Partitioning
Sans Serif Systems operates as a hybrid environment. To keep local developer environments predictable while keeping clients' proprietary codebase configurations secure, the lab separates its public utility tools from the private execution engine.
🔓 Public Lab
- Browser-native schema sandboxes
- Local-first CLI helper binaries
- Open-source evaluation harness formats
- Mermaid flow diagram compilers
- Build-verification ledger specifications
🔒 Private Runtime
- Production loop runners (Governance engine)
- Proprietary evaluation job-packs (Tessera adapters)
- Custom developer cockpit integrations
- LLM provider billing and fallback models
- Team codebase context index databases
Why This Split Exists
1. Safety & Governance: Agents running in production need strict boundary enforcement. Distributing the raw execution code publicly makes it hard to enforce safety standards across arbitrary local setups. Keeping the runtimes private keeps the tool boundaries under the lab's control and guarantees they stay secure.
2. Client IP Isolation: Custom enterprise prompt contexts, schema rules, and codebase ingestion paths that contain sensitive intellectual property must remain isolated on private runner instances.
3. Reusable Standards: By isolating execution, we can publish public tools that act as clean, stateless adapters, enabling developers to model schemas and compile diagrams without deploying a complex backend.