
🤖 Ghostwritten by Claude Opus 4.6 · Fact-checked & edited by GPT 5.4
A shared codebase does not mean every machine should behave the same way. In this design, distribution profiles create a hard boundary between the machine that serves live operator traffic and the machine used for development. The always-on host runs the runtime profile and is authoritative for channel serving. The development laptop runs the dev-client profile and does not serve production traffic. A phone can run an operator-mobile profile for operator access without inheriting serving or build responsibilities.
That separation matters because the failure mode is obvious and expensive: without distinct profiles, a development machine can accidentally answer a real operator message. The point of the profile model is to make that structurally impossible. Instead of one undifferentiated install, the same repository yields different runtime postures depending on which profile a device adopts.
TL;DR: If development and production share the same undifferentiated runtime posture, a laptop experiment can end up handling live traffic.
The design problem was not about source control. It was about runtime authority.
A fleet with an always-on host and a separate development laptop has two very different operational needs:
If both machines inherit the same serving posture, the boundary between production and development becomes a matter of habit. That is fragile. A local test process, an experimental branch, or an accidentally started service can put a development machine in the path of real traffic.
That is the trap distribution profiles are meant to prevent. The design groundwork established just before the June 2 field tests and June 3 go-live drew a hard line between the machine that serves the operator and the machine that acts as a workbench. The result is simple: the runtime serves, the laptop builds, and the two roles no longer blur together.
TL;DR: The same repository can produce three distinct runtime postures: runtime, dev-client, and operator-mobile.
A distribution profile is a named operating posture that determines which capabilities a device receives. The codebase stays the same, but the active profile changes what the machine is allowed to do.
In this design, three profiles matter:
| Profile | Gateway | Live Channel Serving | Auth-Profile Sync | Build Tools | Operator Access |
|---|---|---|---|---|---|
| runtime | ✅ Active | ✅ Authoritative | ✅ Authoritative | ❌ | ❌ |
| dev-client | ❌ | ❌ Disabled | 🔽 Read-only consumer | ✅ Active | ❌ |
| operator-mobile | ❌ | ❌ | 🔽 Read-only consumer | ❌ | ✅ Active |
```yaml
# Illustrative profile config — not production values
profile: runtime  # or: dev-client | operator-mobile
capabilities:
  gateway: true
  channel_serving: true
  auth_profile_sync: authoritative
  build_tools: false
  operator_ui: false
channels:
  mode: live
  binding: exclusive
```

The important idea is not the syntax. It is the posture.
The runtime profile belongs on the always-on host. It runs the gateway, serves live channel traffic, and holds the authoritative channel and auth wiring. This is the production surface. It is the machine responsible for channel turns, and it is authoritative for auth-profile sync.
The dev-client profile belongs on the development laptop. It includes build tools, test harnesses, and local execution paths for development work. It does not serve production traffic. It consumes auth-profile data from the authoritative source, but only as a read-only client.
The operator-mobile profile belongs on the phone. It provides operator access without turning the device into either a development workstation or a production-serving endpoint. It is for access and oversight, not for hosting the runtime.
TL;DR: Profiles are not just organizational labels; they enforce who can serve traffic, who can sync auth data, and which devices can hold production authority.
The security value of the model comes from three design choices.
The runtime profile is authoritative for channel serving. That closes the most dangerous gap in a multi-device setup: a development machine should never be able to become a competing responder for live traffic.
When the runtime is the sole authoritative serving surface, the fleet avoids the class of failure where an experimental process answers a real operator message.
The dev-client profile should not carry production-serving credentials. That means the development laptop is not merely asked to avoid production traffic; it is structurally prevented from acting like a production endpoint.
This is the difference between policy and boundary. A policy says, “do not run production from here.” A boundary says, “this profile cannot become production-serving in the first place.”
Auth-profile sync flows from an authoritative source outward. The runtime profile is authoritative; the dev-client and operator-mobile profiles consume that data. That one-directional model matters because it prevents a development machine from pushing itself upstream into the production topology.
In practice, that means a dev machine cannot become a rogue production endpoint simply by having the same repository checked out locally.
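The three design choices above can be checked at startup rather than left to convention. The following is an added example, not code from the project described here: the function names, the `read-only` sync value, and the sample configs are assumptions, while the capability keys and the per-profile limits follow the table and the illustrative config earlier in the article.

```python
# Added example; function names and the "read-only" value are assumptions.
# Capability ceiling per profile, transcribed from the article's table.
CEILING = {
    "runtime":         {"gateway": True,  "channel_serving": True,  "build_tools": False,
                        "operator_ui": False, "auth_profile_sync": "authoritative"},
    "dev-client":      {"gateway": False, "channel_serving": False, "build_tools": True,
                        "operator_ui": False, "auth_profile_sync": "read-only"},
    "operator-mobile": {"gateway": False, "channel_serving": False, "build_tools": False,
                        "operator_ui": True,  "auth_profile_sync": "read-only"},
}

class ProfileViolation(Exception): pass  # config asks for more than its profile allows

def effective_capabilities(config):
    """Validate a device config against its profile; unknown input fails closed."""
    profile = config.get("profile")
    ceiling = CEILING.get(profile)
    if ceiling is None:
        raise ProfileViolation(f"unknown profile {profile!r}")
    requested = config.get("capabilities", {})
    if set(requested) - set(ceiling):
        raise ProfileViolation(f"unknown capability in {sorted(requested)}")
    caps = {}
    for name, limit in ceiling.items():
        if name == "auth_profile_sync":
            want = requested.get(name, "read-only")
            allowed = want in ("read-only", limit)
        else:
            want = requested.get(name, False)
            allowed = isinstance(want, bool) and (limit or not want)
        if not allowed:
            raise ProfileViolation(f"{name}={want!r} exceeds profile {profile}")
        caps[name] = want
    return caps

def may_serve_live(config):
    """Only gateway + channel serving + live mode on a valid config may answer."""
    caps = effective_capabilities(config)
    return (caps["gateway"] and caps["channel_serving"]
            and config.get("channels", {}).get("mode") == "live")

def may_push_auth(source, target):
    """Sync is one-directional: authoritative source to read-only consumer."""
    return (effective_capabilities(source)["auth_profile_sync"] == "authoritative"
            and effective_capabilities(target)["auth_profile_sync"] == "read-only")

# Constructed sample configs, not production values.
RUNTIME = {"profile": "runtime", "channels": {"mode": "live"}, "capabilities": {
    "gateway": True, "channel_serving": True, "auth_profile_sync": "authoritative"}}
LAPTOP = {"profile": "dev-client", "channels": {"mode": "live"}, "capabilities": {"build_tools": True}}
```

A dev-client config that merely omits serving capabilities is valid but can never serve, while one that requests `channel_serving: true` or `auth_profile_sync: authoritative` is rejected outright instead of being silently downgraded.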
TL;DR: Profiles replace convention with architecture, which is exactly what production systems need.
It is always tempting to solve this kind of problem with process alone. A team can write a note in the README, document which machine should run the gateway, and rely on discipline to keep development separate from production.
That works until it does not.
A process restarts automatically. A developer is debugging late at night and forgets which environment is active. A new machine is provisioned from a familiar setup. The problem with convention-based separation is that it fails at the exact moment systems are under stress.
Distribution profiles move the boundary into the system design itself. The dev laptop is a workbench. The always-on host is the stage. The phone is an operator surface. Each device gets a different slice of configuration and capability, even though all three can originate from the same repository.
That is the real teaching kernel here: profiles separate “this machine serves the operator” from “this machine is a workbench.” Once that distinction is explicit, the deployment topology becomes safer and easier to reason about.
TL;DR: The shift was from one undifferentiated install to role-specific runtime postures with clear authority.
Before this design, a shared repository could imply a shared operational posture. After the profile split, the topology is explicit:
That is a meaningful architectural improvement because it preserves a unified codebase while separating responsibilities at runtime.
The benefit is not only cleaner deployment. It is cleaner failure handling. When channel serving authority is anchored to the runtime profile, there is less ambiguity about where live traffic belongs, where auth state originates, and which device is allowed to act on behalf of the fleet.
A distribution profile is a named runtime posture that determines which capabilities a device receives from a shared codebase. Instead of every machine acting like a full-capability clone, each profile activates only the responsibilities appropriate to that device.
Separate repositories can create drift in code, configuration, and operational assumptions. Profiles preserve a single codebase while still enforcing different runtime roles, which keeps development closer to the real system without giving every machine production authority.
The runtime profile is the profile that serves live channel traffic and holds the authoritative channel and auth wiring. In this design, it is the only profile meant to act as the production-serving surface.
The design is specifically intended to prevent that. The dev-client profile does not serve live channels, should not carry production-serving credentials, and consumes auth-profile data from the authoritative source rather than defining it.
A feature flag toggles behavior inside an application. A distribution profile defines the machine’s overall operating posture: whether it can serve traffic, whether it has build tools, whether it is authoritative for auth data, and what role it plays in the fleet.
Distribution profiles solve a practical systems problem: the machine used to build and test software should not be able to quietly become the machine that serves real users. By defining runtime, dev-client, and operator-mobile postures, the deployment model makes authority explicit. The same repository can still power the whole fleet, but each device receives only the capabilities appropriate to its role. That separation is what turns a flexible codebase into a safer operating system for live agent work.