Dicklesworthstone
flywheel_connectors
Rust

Mesh-native protocol and Rust connector library for secure AI agent integration with external services: Twitter, Linear, Stripe, Discord, Gmail, GitHub, and more

Last updated Jul 2, 2026
82
Stars
5
Forks
0
Issues
0
Stars/day
Attention Score
39
Language breakdown
Rust 97.0%
Shell 2.9%
TLA 0.1%
Lean 0.0%
Python 0.0%
Makefile 0.0%
β–Έ Files click to expand
README

Flywheel Connector Protocol (FCP)

FCP - Secure connectors for AI agents with zone-based isolation and capability tokens

Specification note: FCPSpecificationV3.md is the current architectural and conformance target. FCPSpecificationV2.md is retained as historical / legacy-interoperability context. When descriptions conflict, trust V3 for intended semantics and the code for current behavior.

A secure connector protocol and Rust platform for AI agent operations across zones, hosts, and personal device meshes. The workspace ships 42 platform crates under crates/, 177 connector crates under connectors/ (176 production connectors plus one adversarial conformance test crate, connectors/_adversarial/), and a single agent-first CLI (fwc) that classifies every answer by truth source and refuses to fabricate runtime state.


TL;DR

The Problem

AI agents need to act on the real world (read mail, file PRs, send messages, query databases, control hardware), but the prevailing toolchains do this with a shared-memory plugin model, an "API key in a .env file" trust model, and a "prompt told the model not to do that" security model. None of those survive a hostile input from Discord, a compromised laptop, or a misconfigured deploy.

The Solution

FCP is a connector platform where:

  • Every connector is a separately-signed sandboxed binary with an embedded manifest declaring its capabilities, sandbox limits, and network constraints.
  • Every operation is gated by a capability token with type-state-enforced binding, so an UnboundVerified token does not compile against a function that requires BoundVerified.
  • Every request is bound to exactly one zone (a cryptographic namespace with its own symmetric key); cross-zone access requires explicit policy and proof.
  • Every connector's outbound network traffic flows through an egress proxy with CIDR deny defaults, SNI enforcement, and secretless credential injection, so the connector binary never sees raw API keys.
  • Every operation produces a signed receipt and is recorded on a hash-linked audit chain with monotonic sequence numbers and Hybrid Logical Clock causality, plus an OpenTelemetry OTLP parity exporter.
  • Sensitive zones support post-quantum cryptography (X-Wing KEM hybrid HPKE + ML-DSA-65 signatures) and threshold owner keys (FROST) so no single device holds the complete signing material.

Truth Hierarchy

fwc classifies every answer by its source (mesh-backed > host-backed > node-local > offline) rather than collapsing everything into a single fake "live" state.

  • Current operational path (V1, host-first): fwc β†’ fcp-host β†’ connector subprocesses over supervised stdio/JSON-RPC. This is what runs in production today.
  • Target steady state (V2, mesh-native): personal-device sovereignty, mesh durability, capability-gated execution across your own infrastructure. The mesh infrastructure (gossip, IBLT, XOR filters, symbol-first object distribution, LiveTruthResolver, KnowledgeState taxonomy) is built and tested; the cutover gates are documented in docs/FCP3TransitionScorecard.md.

Three Foundational Axioms

| Axiom | Principle | |-------|-----------| | Universal Fungibility | All durable mesh objects are symbol-addressable: any K' RaptorQ symbols reconstruct the canonical object bytes. Control-plane messages may travel over FCPC streams, but the canonical representation is a content-addressed mesh object. | | Authenticated Mesh | Tailscale is the transport AND the identity layer. Every node has unforgeable WireGuard keys. Zones map to Tailscale ACL tags. | | Explicit Authority | No ambient authority. All capabilities flow from the owner key through cryptographic chains and short-lived, instance-bound capability tokens. |

Why Use FCP?

Status legend:

  • PROVEN: backed by direct repository evidence (tests, harnesses, golden vectors).
  • LIMITED: functional at the stated scope but narrower than the mature target (e.g. threshold-gated rather than adaptive).
  • STEADY-STATE TARGET: architectural target with built infrastructure but not yet operational by default.
PROVEN means repository evidence, not a claim of live production deployment.

| Feature | Status | What It Does | Evidence | |---------|--------|--------------|----------| | Host-First Control Plane | PROVEN | fwc + fcp-host is the proven provisioning boundary. Operators use this path today while mesh-backed truth converges to steady state. | crates/fcp-host/src/{supervisor,enforcement,health}.rs, crates/fcp-conformance/tests/hostinvokeloopconformance.rs, crates/fcp-e2e/tests/capabilityenforcementconcurrente2e.rs | | Truthful Runtime Resolution | PROVEN | fwc resolves runtime mode explicitly and classifies answers as mesh-backed, host-backed, node-local, or offline instead of fabricating "live". | crates/fwc/src/{truth,catalog,readiness}.rs, crates/fwc/tests/{cualintegration,readmestatus_pinning}.rs | | Capability Token Typestate | PROVEN | CapabilityToken<Unverified β†’ UnboundVerified β†’ BoundVerified β†’ ConstraintsEnforced> is compiler-enforced across every connector boundary. LEGACYVERIFYALLOWLIST.len() == 0; forward-only ratchet enforced by conformance test. | crates/fcp-conformance/tests/capabilitytypestateconnectorboundarydja9u.rs, crates/fcp-core/tests/typestatecompilefail.rs | | Capability Tokens (CWT/COSE) | PROVEN | COSE/CWT signing, canonical CBOR, constraints, instance binding, predicate matrix all covered. | crates/fcp-crypto/src/cose.rs, crates/fcp-core/src/capability.rs, crates/fcp-host/tests/capabilitytokentypestate_runtime.rs | | Post-Quantum Zone Keys | PROVEN | ZoneKeyManifest V4 schema with hybrid HPKE-X25519 + X-Wing KEM wrap lists, RustCrypto X-Wing (draft-06) + IETF KAT, ML-DSA-65 FIPS 204 signatures with KAT, hybrid verifier, length-invariant Deserialize, constant-time Eq. | crates/fcp-crypto-pq/, crates/fcp-core/src/zone_keys.rs, mixed V3/V4 mesh migration harness | | Zone Isolation | LIMITED | Core cryptographic namespaces proven; Lean zone-flow lattice proof source pinned; host-side connector RPC requires explicit allowedzones before invoke/introspect/health. | crates/fcp-core/src/{zonekeys,pcs,policy}.rs, lean/Fcp/Zone/Lattice.lean, crates/fcp-host/tests/allowedzonesrequired.rs, crates/fcp-e2e/tests/zoneisolationfull_e2e.rs | | Tamper-Evident Audit + HLC | PROVEN | Hash-linked audit chain with monotonic sequence numbers, quorum-signed checkpoints, Hybrid Logical Clocks, Hierarchical Version Vectors for revocation freshness, and an OTLP parity exporter. | crates/fcp-audit/src/hlc.rs, crates/fcp-mesh/src/revocation/hiervv.rs, crates/fcp-conformance/tests/{hlchiervvconformance,auditotlphlccontract}.rs | | Revocation | PROVEN | First-class revocation objects, exact-membership lookup (no XOR filter in the revocation path), RevocationSeal for check-use atomicity, priority gossip push, zone-wide freshness SLA. | crates/fcp-core/src/revocation.rs, crates/fcp-conformance/tests/revocationtiming.rs, crates/fcp-e2e/tests/revocationcascade_e2e.rs | | Egress Proxy | PROVEN | Connector network access routed through manifest-aware guardrails with CIDR deny defaults and denial audit evidence. | crates/fcp-sandbox/src/egress.rs, crates/fcp-e2e/tests/egressproxye2e.rs | | Secretless Connectors | PROVEN | Egress proxy injects credentials per request through SecretFetchHook; connector binaries pass credentialid references rather than raw bearer material. | crates/fcp-crypto/src/secretfetch.rs, crates/fcp-e2e/tests/secretless{github,slack,gmail}e2e.rs | | Multi-Method Provider Auth | PROVEN | fcp-provider-auth consolidates API key, AWS SigV4 request signing, JWT refresh, OAuth device-code, authorization-code with PKCE, refresh-token, and setup-token; AuthProfile flows through the credential pool layer. | crates/fcp-provider-auth/, host/fwc profile-admin and OAuth login surfaces | | Credential Pooling | PROVEN | Multi-credential per-provider pools with priority, strategy, exhaustion-cooldown, active-lease tracking, LRU, sticky restick, max-use, and a redaction-safe connector-boundary E2E. | crates/fcp-host/src/credentials.rs, crates/fcp-e2e/tests/credentialpoole2e.rs, host admin API routes, audit log | | Multi-Host Singleton Writers (HRW) | PROVEN | Quorum-signed durable leases gossip across nodes; rendezvous hashing picks the holder deterministically; binary launch/flush/invoke fencing prevents split-writer windows; multi-node failover replay harness lands as closeout. | crates/fcp-core/src/lease.rs, crates/fcp-mesh/src/{authority,coordinator,planner}.rs, multi-node failover replay harness | | Threshold Owner Key | PROVEN | FROST ceremony and signing support exist in fcp-bootstrap; not yet the universal operational default. | crates/fcp-bootstrap/src/ceremony.rs, crates/fcp-e2e/tests/thresholdownerkey_e2e.rs | | Threshold Secrets (Shamir) | PROVEN | Shamir secret sharing for device-distributed recovery so raw secret material never lives on one machine. | crates/fcp-core/src/secret.rs, crates/fcp-e2e/tests/thresholdsecretse2e.rs | | Supply Chain Attestations | PROVEN | Registry-side attestation schemas, TUF/cosign verification adapters, host gate proof. Release-distribution proof remains outside this repo. | crates/fcp-registry/src/lib.rs, crates/fcp-e2e/tests/supplychainattestation_e2e.rs | | Offline Access | PROVEN | ObjectPlacementPolicy, repair controllers, cache-while-offline, queued writes, drain-on-restore. | crates/fcp-store/src/offline.rs, crates/fcp-e2e/tests/{offlineaccess,offlinerepair}_e2e.rs | | Mesh-Stored Policy Objects | PROVEN | Zone definitions and policy bundles exist as owner-signed objects with mesh gossip, verification, evaluation, and revocation proof. | crates/fcp-core/src/policy.rs, crates/fcp-e2e/tests/meshpolicyobject_e2e.rs | | Symbol-First Protocol | PROVEN | RaptorQ object-symbol framing, reconstruction, repair machinery, multipath aggregation, offline resilience. | crates/fcp-raptorq/, crates/fcp-e2e/tests/symbolfirstprotocol_e2e.rs, golden vectors | | Browser Real-CDP Control Plane | PROVEN | Rust-owned CDP control-worker, supervised target/session manager, cookie ownership boundary, native launcher/proxy worker, direct-CDP routing, real-browser operation-matrix closeout β€” mirrors OpenClaw semantics. | connectors/browser/, host browser CDP manager proof | | Voice-Call Multi-Provider Parity | PROVEN | Shared CallAuthToken, SessionStore, replay-cache crate (fcp-voice-call); Twilio, Telnyx, Plivo all flow through the same architectural shape with no-live-credential loopback evidence. | crates/fcp-voice-call/, connectors/{twilio,telnyx,plivo}/, scripts/e2e/voicecallmultiproviderverification.sh | | Manifest Operations Conformance | PROVEN | Every connector with declared operations exposes them via typed [provides.operations.] in manifest.toml; runtime const drift is caught by a conformance scanner. | crates/fcp-conformance/tests/manifestoperations.rs | | Computation Migration | PROVEN | Migrate-and-resume reference proof: CRIU-format checkpoint handoff, lease transfer, replay, byte-equivalent completion. | crates/fcp-kernel/src/computationmigration.rs, crates/fcp-e2e/tests/computationmigration_reference.rs | | Mesh-Native Architecture | STEADY-STATE TARGET | Gossip, IBLT, XOR filters, masked IBLT anti-entropy, and LiveTruthResolver are built and tested. The production fwc β†’ fcp-host β†’ connector subprocess invoke path remains host-first today. Pinned by crates/fwc/tests/readmestatuspinning.rs. | crates/fcp-mesh/, crates/fwc/src/truth.rs |

Audit status: all status labels reconciled as of 2026-05-16. See docs/quarterly/2026-Q2-claims-vs-reality.md for the inaugural quarterly debiasing report.

Design Philosophy

Five principles drive every architectural decision in FCP.

1. Mechanical Enforcement, Not Prompted Compliance

Security is enforced by the type system, the binary boundary, the protocol, or cryptography. Never by a string in a prompt. Telling a model "don't read private email" is trivially bypassed by a hostile message; telling a Rust compiler that gmail.read does not exist in the z:public zone is not. Examples from the codebase:

  • Capability-token typestate. CapabilityToken<UnboundVerified> and CapabilityToken<BoundVerified> are distinct types. An operation executor that requires full instance-binding declares fn execute(: CapabilityToken<BoundVerified>, ...). An UnboundVerified token (produced by the gateway, which does not yet know the connector's real InstanceId) does not compile against that signature. Enforced by trybuild tests in crates/fcp-core/tests/typestatecompile_fail.rs.
  • Connector-boundary ratchet. crates/fcp-conformance/tests/capabilitytypestateconnectorboundarydja9u.rs checks LEGACYVERIFYALLOWLIST.len() == 0. New connectors must use the typestate path; enforced connectors cannot regress.
  • Sealed FcpConnector trait. Third-party crates cannot accidentally subvert the lifecycle by implementing the trait themselves.

2. Default Deny With Explicit Allow

If a capability is not granted, it cannot be invoked. If a zone is not bound, the host refuses to start the subprocess. If allowedzones is empty, connector RPC fails closed before invoke, introspection, or health probes reach connector code. If cidrdeny is malformed, the sandbox rejects the manifest at runtime rather than silently degrading. If a webhook signing secret is empty or shorter than the threshold, the webhook layer refuses to verify. At every boundary, absence of explicit configuration is treated as denial, never as a permissive default.

3. Truthfulness Over Convenience

fwc classifies every answer by its source rather than collapsing runtime state into a fake "live" answer. If the host is unreachable and the operator did not pass --offline, fwc refuses rather than falling back to stale artifact data silently. Offline answers carry provenance markers and stale-data caveats. Placeholder runtime data, guessed simulate support, and local file-edit side channels are bugs, not convenience features.

This is the same reason every operator run produces a replayable evidence bundle (trace.jsonl, summary.json, environment.json, replay.sh): debugging starts from artifacts the system actually wrote, not from a story the operator reconstructed afterwards.

4. Symbol-First Data Model

Durable data is content-addressed and symbol-distributed. Any K' RaptorQ symbols reconstruct the canonical object bytes. There is no "primary copy"; there is only a placement policy and a repair controller that maintains it. This eliminates retransmit coordination, enables multipath aggregation, and turns offline resilience from "did I cache this file" into "do I have K' of the N symbols this object is encoded into."

5. Audit Everything That Has Side Effects

Every operation with external effects produces a signed receipt. Every receipt is appended to a hash-linked audit chain with monotonic sequence numbers and Hybrid Logical Clock attributes. Audit heads are quorum-signed across nodes. Receipts are the primary deduplication primitive: on retry with the same idempotency key, the mesh returns the prior receipt instead of re-executing. The OpenTelemetry OTLP parity exporter re-emits the audit chain as traces/metrics/logs, so external observability systems get the same causal model.


Quick Example

# Install fwc
cargo build -p fwc --bin fwc --release
cp target/release/fwc ~/.local/bin/

Start fcp-host in another terminal

./target/release/fcp-host

Talk to the host (current provisioning path, V1)

fwc --host http://127.0.0.1:8787 list fwc --host http://127.0.0.1:8787 show github fwc --host http://127.0.0.1:8787 status github fwc --host http://127.0.0.1:8787 simulate github issues.create --file payload.json fwc --host http://127.0.0.1:8787 invoke github issues.create --file payload.json

See which truth source backs the answer

fwc --host http://127.0.0.1:8787 mesh explain-availability github

Offline mode: artifact-backed data without a running host

fwc list --offline fwc search "send message" --offline fwc show github --offline fwc ops github --offline fwc schema github issues.create --offline

Compile a natural-language intent into a concrete plan, then materialize it safely

fwc plan "search my Gmail for invoices from last week" fwc explain fwc do --approve

Expose connectors to MCP clients

fwc serve-mcp --host http://127.0.0.1:8787 github slack gmail

Audit + history

fwc history --connector github --limit 20 fwc audit tail --zone z:work fwc supply-chain verify github

Architecture

Current Operator Path (V1, Host-First)

This is the provisioning boundary that runs in production today.

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                          OPERATOR PATH (V1)                                 β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚                                                                             β”‚
β”‚   Operator / AI Agent                                                       β”‚
β”‚       β”‚                                                                     β”‚
β”‚       β–Ό                                                                     β”‚
β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚   β”‚  fwc (CLI)                                                          β”‚  β”‚
β”‚   β”‚  --host http://127.0.0.1:8787                                       β”‚  β”‚
β”‚   β”‚  Classifies answers: host-backed | node-local | offline             β”‚  β”‚
β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚                                β”‚  HTTP Admin API                            β”‚
β”‚                                β–Ό                                            β”‚
β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚   β”‚  fcp-host (Supervisor)                                              β”‚  β”‚
β”‚   β”‚  1. Verify capability token (COSE)         8. Append audit + HLC    β”‚  β”‚
β”‚   β”‚  2. Check token expiry (CWT nbf/exp)       9. Emit OTLP span        β”‚  β”‚
β”‚   β”‚  3. Check revocation (O(1) freshness)     10. Issue HRW lease       β”‚  β”‚
β”‚   β”‚  4. Enforce zone policy (allowed_zones)   11. Credential pool lease β”‚  β”‚
β”‚   β”‚  5. Check rate limits (token bucket)      12. Receipt for retries   β”‚  β”‚
β”‚   β”‚  6. Connector lifecycle / health           13. Rollout / canary     β”‚  β”‚
β”‚   β”‚  7. Sandbox configuration                  14. Drift detection      β”‚  β”‚
β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚                                β”‚  stdio / JSON-RPC                          β”‚
β”‚                                β–Ό                                            β”‚
β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”     β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                  β”‚
β”‚   β”‚  Connector  β”‚     β”‚  Connector  β”‚     β”‚  Connector  β”‚                  β”‚
β”‚   β”‚   Gmail     β”‚     β”‚   GitHub    β”‚     β”‚   Slack     β”‚                  β”‚
β”‚   β”‚ (sandboxed) β”‚     β”‚ (sandboxed) β”‚     β”‚ (sandboxed) β”‚                  β”‚
β”‚   β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜     β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜                  β”‚
β”‚          β”‚                   β”‚                   β”‚                          β”‚
β”‚          β”‚ Egress proxy: CIDR deny + SNI + SPKI + credential injection      β”‚
β”‚          β–Ό                   β–Ό                   β–Ό                          β”‚
β”‚     Gmail API          GitHub API           Slack API                       β”‚
β”‚                                                                             β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Target Steady State (V2, Mesh-Native)

This is the intended steady-state architecture: every device is a peer in a personal mesh, with symbol-based data distribution and mesh-backed answers as the highest-confidence truth source. The mesh infrastructure is built and tested; the remaining work is production evidence and cutover gating.

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                          PERSONAL MESH (V2)                                 β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚                                                                             β”‚
β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”      β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                         β”‚
β”‚   β”‚ Desktop  │◄────►│  Laptop  │◄────►│  Phone   β”‚  ← Tailscale mesh      β”‚
β”‚   β”‚ MeshNode β”‚      β”‚ MeshNode β”‚      β”‚ MeshNode β”‚                         β”‚
β”‚   β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜      β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜      β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜                         β”‚
β”‚        β”‚                 β”‚                 β”‚                                β”‚
β”‚        β–Ό                 β–Ό                 β–Ό                                β”‚
β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚   β”‚              SYMBOL DISTRIBUTION (RaptorQ K-of-N)                   β”‚  β”‚
β”‚   β”‚  Object: gmail-inbox-2026-05      K=100 symbols                     β”‚  β”‚
β”‚   β”‚  Desktop: [1,5,12,23,...]  Laptop: [2,8,15,...]  Phone: [3,9,...]   β”‚  β”‚
β”‚   β”‚  Any 100 symbols β†’ full reconstruction; no symbol is "important"    β”‚  β”‚
β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚                                                                             β”‚
β”‚   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚   β”‚  Gossip + IBLT + XOR-filter set reconciliation                      β”‚  β”‚
β”‚   β”‚  HLC + HierVV for causality and revocation freshness                β”‚  β”‚
β”‚   β”‚  HRW (rendezvous hashing) elects singleton writers                  β”‚  β”‚
β”‚   β”‚  Threshold owner key (FROST) and threshold secrets (Shamir)         β”‚  β”‚
β”‚   β”‚  Post-quantum zone keys (X-Wing KEM + ML-DSA-65, ZoneKeyManifest V4)β”‚  β”‚
β”‚   β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚                                                                             β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Core Concepts

Terminology

| Term | Definition | |------|------------| | Symbol | A RaptorQ-encoded fragment; any K' symbols reconstruct the original | | Object | Content-addressed data with ObjectHeader (refs, retention, provenance) | | Zone | A cryptographic namespace with its own symmetric encryption key | | Epoch | A logical time unit; no ordering within, ordering between | | MeshNode | A device participating in the FCP mesh | | Capability | An authorized operation with cryptographic proof; grantobjectids enable mechanical verification | | Role | Named bundle of capabilities (RoleObject) for simplified policy administration | | ResourceObject | Zone-bound handle for external resources (files, repos, APIs) | | Resource Visibility | ResourceObjects carry public/private classification; the host enforces declassification when writing higher-confidentiality data to lower-confidentiality external resources | | Connector | A sandboxed binary that bridges an external service to FCP | | Receipt | Signed proof of operation execution for idempotency | | Revocation | First-class object that invalidates tokens, keys, or devices | | Lease | HRW-elected, quorum-signed authority to act as singleton writer for a connector instance | | HLC / HierVV | Hybrid Logical Clock / Hierarchical Version Vector for audit causality |

Cryptographic Key Hierarchy

FCP uses a structured key hierarchy to prevent cross-purpose key reuse. The hybrid classical + post-quantum stack lives in fcp-crypto (classical) and fcp-crypto-pq (X-Wing KEM, ML-DSA-65).

Owner Key (Ed25519, threshold via FROST)
    β”‚
    β”œβ”€β”€ sign NodeKeyAttestation     (binds node_id β†’ signing/encryption/issuance keys)
    β”œβ”€β”€ sign ZoneKeyManifest V3/V4  (distributes zone symmetric keys via HPKE-X25519
    β”‚                                and X-Wing KEM hybrid wrap)
    β”œβ”€β”€ sign DeviceEnrollment       (admits new nodes)
    └── sign RevocationObject       (invalidates any of the above)

Per-Node Keys: Node Signing Key (Ed25519) β†’ signs frames, gossip, receipts, audit heads Node Encryption Key (X25519) β†’ receives HPKE-sealed zone keys Node Issuance Key (Ed25519) β†’ mints capability tokens (separately revocable) Optional: Node ML-DSA-65 Key β†’ post-quantum signing (hybrid alongside Ed25519)

Per-Zone Keys: Zone Encryption Key (ChaCha20-Poly1305) β”‚ β”œβ”€β”€ HKDF("FCP3-ZONE-KEY" β€– zone_id) β†’ zone subkey β”œβ”€β”€ HKDF(zonekey β€– senderinstance_id) β†’ per-sender subkey (reboot-safe) └── Per-symbol nonce: frame_seq β€– ESI (deterministic, no coordination)

Per-Session Keys (from X25519 ECDH, optional X-Wing KEM hybrid): Shared secret β†’ HKDF with both nonces β”œβ”€β”€ kmaci2r (initiator β†’ responder MAC key) β”œβ”€β”€ kmacr2i (responder β†’ initiator MAC key) └── k_ctx (control-plane AEAD key)

Five distinct cryptographic roles:

| Key | Algorithm | Purpose | |-----|-----------|---------| | Owner Key | Ed25519 (FROST-thresholded) | Root trust; signs attestations, manifests, revocations | | Node Signing Key | Ed25519 | Per-device; signs frames, gossip, receipts | | Node Encryption Key | X25519 (+ optional X-Wing KEM) | Per-device; receives sealed zone keys and secret shares | | Node Issuance Key | Ed25519 | Per-device; mints capability tokens (separately revocable) | | Zone Encryption Key | ChaCha20-Poly1305 | Per-zone symmetric key; AEAD for zone data |

Each node has a NodeKeyAttestation signed by the owner, binding the Tailscale node ID to all three node key types plus their Key IDs (KIDs) for rotation. Issuance keys are separately revocable so token minting can be disabled without affecting other functions.

Security Invariants

These invariants are enforced mechanically:

  • Single-Zone Binding. A connector instance binds to exactly one zone for its lifetime.
  • Default Deny β€” if a capability is not explicitly granted to a zone, it cannot be invoked. The host now refuses to start a connector subprocess with an empty allowed_zones set.
  • No Cross-Connector Calling β€” connectors do not call each other; all composition flows through the host.
  • Threshold Secret Distribution β€” secrets use Shamir's Secret Sharing; never complete on any single device.
  • Revocation Enforcement β€” tokens, keys, and operations check revocation before use. Revocation is wired into all 14 stages of the enforcement pipeline (Gemini Lane 3 closed the gap where freshness was checked but is_revoked() was not consulted).
  • Auditable Everything β€” every operation produces a signed receipt and a hash-linked audit event with HLC + HierVV.
  • Cryptographic Authority Chain β€” all authority flows from the owner key through verifiable signature chains.

Zone Architecture

Zones are cryptographic boundaries, not labels. Each zone has its own randomly generated symmetric key, distributed to eligible nodes via owner-signed ZoneKeyManifest (V3 = HPKE-X25519, V4 = hybrid HPKE-X25519 + X-Wing KEM).

z:owner        [Trust: 100]   Direct owner control, most privileged
    β”‚                         Tailscale tag: tag:fcp-owner
    β–Ό
z:private      [Trust: 80]    Personal data, high sensitivity
    β”‚                         Tailscale tag: tag:fcp-private
    β–Ό
z:work         [Trust: 60]    Professional context, medium sensitivity
    β”‚                         Tailscale tag: tag:fcp-work
    β–Ό
z:community    [Trust: 40]    Trusted external (paired users)
    β”‚                         Tailscale tag: tag:fcp-community
    β–Ό
z:public       [Trust: 20]    Public/anonymous inputs
                              Tailscale tag: tag:fcp-public

INVARIANTS: Integrity: Data flows DOWN freely. UP requires ApprovalToken (elevation). Confidentiality: Data flows UP freely. DOWN requires ApprovalToken (declassification).

Provenance and Taint

Every piece of data carries provenance:

| Field | Purpose | |-------|---------| | origin_zone | Where data originated | | current_zone | Updated on every zone crossing | | integrity_label | Numeric integrity level (higher = more trusted source) | | confidentiality_label | Numeric confidentiality level (higher = more sensitive) | | label_adjustments | Proof-carrying label changes (elevation/declassification) with ApprovalToken references | | taint | Compositional flags (PUBLICINPUT, EXTERNALINPUT, PROMPT_SURFACE, …) | | taint_reductions | Proof-carrying reductions via SanitizerReceipt references |

Merge rule: combining data from multiple sources yields MIN(integrity) and MAX(confidentiality). Compromised inputs cannot elevate trust; sensitive outputs cannot be inadvertently exposed.

Taint reduction: specific taints can be cleared when you have a verifiable SanitizerReceipt from a sanitizer capability (URL scanner, malware scanner, schema validator). The receipt is a first-class mesh object.

Defense-in-Depth

Layer 1: Tailscale ACLs       β†’ Network-level isolation
Layer 2: Zone Encryption      β†’ Cryptographic isolation (per-zone symmetric keys)
Layer 3: Policy Objects       β†’ Authority isolation (owner-signed mesh objects)
Layer 4: Capability Signing   β†’ Operation isolation (node-signed COSE/CWT tokens)
Layer 5: Revocation Check     β†’ Continuous validity enforcement (HLC-fresh check)

Symbol Layer (RaptorQ)

All durable data in FCP is symbol-addressable. RaptorQ (RFC 6330) generates a stream of fungible symbols where any K' symbols reconstruct the original. This eliminates retransmit coordination, enables multipath aggregation, and provides natural offline resilience.

| Property | Benefit | |----------|---------| | Fungibility | Any K' symbols reconstruct; no coordination needed | | Multipath | Aggregate bandwidth across all network paths | | Resumable | No bookkeeping; just collect more symbols | | DoS Resistant | Attackers cannot target "important" symbols | | Offline Resilient | Partial availability = partial reconstruction | | Key Rotation Safe | zonekeyid in each symbol enables seamless rotation | | Chunked Objects | Large payloads split via ChunkedObjectManifest for partial retrieval and targeted repair |

Frame Format (FCPS)

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                    FCPS FRAME FORMAT (Symbol-Native)                      β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  Bytes 0-3:     Magic (0x46 0x43 0x50 0x53 = "FCPS")                     β”‚
β”‚  Bytes 4-5:     Version (u16 LE)                                          β”‚
β”‚  Bytes 6-7:     Flags (u16 LE)                                            β”‚
β”‚  Bytes 8-11:    Symbol Count (u32 LE)                                     β”‚
β”‚  Bytes 12-15:   Total Payload Length (u32 LE)                             β”‚
β”‚  Bytes 16-47:   Object ID (32 bytes)                                      β”‚
β”‚  Bytes 48-49:   Symbol Size (u16 LE, default 1024)                        β”‚
β”‚  Bytes 50-57:   Zone Key ID (8 bytes, for rotation)                       β”‚
β”‚  Bytes 58-89:   Zone ID hash (32 bytes, BLAKE3; fixed-size)               β”‚
β”‚  Bytes 90-97:   Epoch ID (u64 LE)                                         β”‚
β”‚  Bytes 98-105:  Sender Instance ID (u64 LE, reboot-safety)                β”‚
β”‚  Bytes 106-113: Frame Seq (u64 LE, per-sender monotonic counter)          β”‚
β”‚  Bytes 114+:    Symbol payloads (encrypted, concatenated)                 β”‚
β”‚                                                                           β”‚
β”‚  Fixed header: 114 bytes                                                  β”‚
β”‚  Integrity: per-symbol AEAD tags + per-frame session MAC                  β”‚
β”‚  Per-symbol nonce: derived as frameseq || esile (deterministic)         β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Session Authentication

High-throughput symbol delivery uses per-session authentication, not per-frame signatures:

  • Handshake: X25519 ECDH authenticated by attested node signing keys, with per-party nonces for replay protection and crypto-suite negotiation. Optional X-Wing KEM hybrid for post-quantum forward secrecy.
  • Session keys: HKDF-derived directional MAC keys (kmaci2r, kmacr2i) from ECDH shared secret, bound to the selected suite and both handshake nonces.
  • Per-sender subkeys: Each sender derives a unique subkey via HKDF including senderinstanceid, eliminating cross-sender and cross-reboot nonce collision.
  • Per-frame MAC: HMAC-SHA256 or BLAKE3 (negotiated) with per-sender monotonic frame_seq for anti-replay.
Responder-picks suite negotiation: the initiator proposes supported suites; the responder selects from its preference list with a MINIMUMSUITE floor. See docs/protocol/session-handshake.md.

Session rekey triggers: sessions automatically rekey after configurable thresholds: frames (default 1B), elapsed time (default 24h), or cumulative bytes (default 1 TiB).

Control Plane Framing (FCPC)

FCPS handles high-throughput symbol delivery. FCPC provides reliable, ordered, backpressured framing for control-plane objects (invoke, response, receipts, approvals, audit events). FCPC uses the session's negotiated k_ctx symmetric key for AEAD without per-message Ed25519 signatures.


Mesh Architecture

In the target architecture every device is a MeshNode. Today the proven operator path is host-first; the mesh layer below is built and tested but not yet the operational default.

MeshNode Components

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                                MESHNODE                                  β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Tailscale Identity                                                β”‚  β”‚
β”‚  β”‚  - Stable node ID (unforgeable WireGuard keys)                     β”‚  β”‚
β”‚  β”‚  - Signing/encryption/issuance keys with owner attestation         β”‚  β”‚
β”‚  β”‚  - ACL tags for zone mapping                                       β”‚  β”‚
β”‚  β”‚  - Optional PostureAttestation (TPM / Secure Enclave)              β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Symbol Store                                                      β”‚  β”‚
β”‚  β”‚  - Local symbol storage with retention classes                     β”‚  β”‚
β”‚  β”‚  - Quarantine store for unreferenced objects (bounded)             β”‚  β”‚
β”‚  β”‚  - XOR filters + IBLT + masked-IBLT anti-entropy for gossip        β”‚  β”‚
β”‚  β”‚  - Reachability-based garbage collection                           β”‚  β”‚
β”‚  β”‚  - ObjectPlacementPolicy enforcement for availability SLOs         β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Capability + Revocation Registry                                  β”‚  β”‚
β”‚  β”‚  - Zone keyrings (deterministic key selection by zonekeyid)      β”‚  β”‚
β”‚  β”‚  - Trust anchors (owner key, attested node keys)                   β”‚  β”‚
β”‚  β”‚  - Monotonic seq numbers for O(1) freshness                        β”‚  β”‚
β”‚  β”‚  - ZoneCheckpoint checkpoints for fast sync                        β”‚  β”‚
β”‚  β”‚  - RevocationPushMessage for priority gossip                       β”‚  β”‚
β”‚  β”‚  - HLC + HierVV freshness frontier (angoc.17.3)                    β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Connector State Manager                                           β”‚  β”‚
β”‚  β”‚  - Externalized connector state as mesh objects                    β”‚  β”‚
β”‚  β”‚  - Single-writer semantics via HRW + quorum-signed leases          β”‚  β”‚
β”‚  β”‚  - Fencing tokens prevent split-writer windows                     β”‚  β”‚
β”‚  β”‚  - Multi-writer CRDT support (LWW-Map, OR-Set, counters)           β”‚  β”‚
β”‚  β”‚  - Safe failover and migration for stateful connectors             β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Execution Planner                                                 β”‚  β”‚
β”‚  β”‚  - Device profiles (CPU, GPU, memory, battery)                     β”‚  β”‚
β”‚  β”‚  - Connector availability and version requirements                 β”‚  β”‚
β”‚  β”‚  - Secret reconstruction cost estimation                           β”‚  β”‚
β”‚  β”‚  - Symbol locality scoring, DERP penalty                           β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Repair Controller                                                 β”‚  β”‚
β”‚  β”‚  - Background symbol coverage evaluation                           β”‚  β”‚
β”‚  β”‚  - Automatic repair toward ObjectPlacementPolicy targets           β”‚  β”‚
β”‚  β”‚  - Rebalancing after device churn or offline periods               β”‚  β”‚
β”‚  β”‚  - Power-aware deferral (battery threshold)                        β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Egress Proxy                                                      β”‚  β”‚
β”‚  β”‚  - Connector network access via capability-gated IPC               β”‚  β”‚
β”‚  β”‚  - CIDR deny defaults (localhost, private, tailnet ranges)         β”‚  β”‚
β”‚  β”‚  - SNI enforcement, SPKI pinning                                   β”‚  β”‚
β”‚  β”‚  - Secretless credential injection (SecretFetchHook)               β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  Audit Chain                                                       β”‚  β”‚
β”‚  β”‚  - Hash-linked audit events per zone with monotonic seq            β”‚  β”‚
β”‚  β”‚  - Hybrid Logical Clock attributes                                 β”‚  β”‚
β”‚  β”‚  - Quorum-signed audit heads for tamper evidence                   β”‚  β”‚
β”‚  β”‚  - Operation receipts for idempotency                              β”‚  β”‚
β”‚  β”‚  - OpenTelemetry OTLP parity exporter (traces, metrics, logs)      β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Transport Priority

Priority 1: Tailscale Direct (same LAN)
Priority 2: Tailscale Mesh (NAT traversal)
Priority 3: Tailscale DERP Relay         (policy-controlled per zone)
Priority 4: Tailscale Funnel (public)    (low-trust zones only by default)

Zones configure transport policy via ZoneTransportPolicy to control DERP/Funnel availability.

Device Enrollment

New devices join the mesh through owner-signed enrollment:

  • Device joins the Tailscale tailnet.
  • Owner issues a DeviceEnrollment object (signed).
  • Owner issues a NodeKeyAttestation binding the node to signing/encryption/issuance keys; sensitive zones may require a PostureAttestation (TPM, Secure Enclave, Android Keystore).
  • Device receives enrollment via mesh gossip.
  • Other nodes accept the new device as peer.
Device removal triggers revocation + zone key rotation + secret resharing.

Multi-Host Authority (HRW Leases)

Connectors declaring singleton_writer = true use execution leases to guarantee only one node writes state at a time. Leases are coordinated via rendezvous hashing (HRW) to deterministically select a coordinator from online nodes, with quorum signatures for distributed issuance.

| Property | Behavior | |----------|----------| | Holder selection | HRW score over (nodeid, connectorid, epoch) β€” deterministic, no election round | | Quorum | Lease issuance requires N-of-M owner-attested signers; duplicate / unknown / quorum-deficient signers rejected at construction and on gossip ingress | | Fencing | Binary launch / flush / invoke fencing prevents split-writer windows during reseat | | Durability | Leases gossip as durable mesh objects; stale-lease detection, malformed-lease status invalidation, sequence-drift flagging | | Failover | Multi-node failover replay harness with redaction-safe artifacts provides the closeout proof |

This prevents double-polling and cursor conflicts while surviving coordinator failures.


Connector Binary Structure

Every FCP connector is a single executable with embedded metadata:

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚                          FCP BINARY                          β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  MANIFEST SECTION                                      β”‚  β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”              β”‚  β”‚
β”‚  β”‚  β”‚  Metadata       β”‚  β”‚  Capabilities   β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Name         β”‚  β”‚  - Required     β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Version      β”‚  β”‚  - Optional     β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Author       β”‚  β”‚  - Forbidden    β”‚              β”‚  β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜              β”‚  β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”              β”‚  β”‚
β”‚  β”‚  β”‚  Zone Policy    β”‚  β”‚  Sandbox Config β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Home zone    β”‚  β”‚  - Memory limit β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Allowed      β”‚  β”‚  - CPU limit    β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Forbidden    β”‚  β”‚  - FS access    β”‚              β”‚  β”‚
β”‚  β”‚  β”‚  - Tailscale tagβ”‚  β”‚  - deny_exec    β”‚              β”‚  β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜              β”‚  β”‚
β”‚  β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”‚  β”‚
β”‚  β”‚  β”‚  [provides.operations.*]                         β”‚   β”‚  β”‚
β”‚  β”‚  β”‚  Typed input/output schemas per operation        β”‚   β”‚  β”‚
β”‚  β”‚  β”‚  Network constraints per operation               β”‚   β”‚  β”‚
β”‚  β”‚  β”‚  Risk / safety / idempotency classification      β”‚   β”‚  β”‚
β”‚  β”‚  β”‚  AI hints for agent-readable operation docs      β”‚   β”‚  β”‚
β”‚  β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜   β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  CODE SECTION                                          β”‚  β”‚
β”‚  β”‚  - FCP protocol implementation                         β”‚  β”‚
β”‚  β”‚  - Capability negotiation                              β”‚  β”‚
β”‚  β”‚  - External API client                                 β”‚  β”‚
β”‚  β”‚  - State management                                    β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β”‚  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”  β”‚
β”‚  β”‚  SIGNATURE SECTION                                     β”‚  β”‚
β”‚  β”‚  - Ed25519 signature over manifest + code              β”‚  β”‚
β”‚  β”‚  - Reproducible build attestation                      β”‚  β”‚
β”‚  β”‚  - Registry provenance chain                           β”‚  β”‚
β”‚  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Sandbox Enforcement

Connectors support two sandbox models:

  • Native (ELF / Mach-O / PE): OS-level sandboxes β€” seccomp + Landlock (Linux), seatbelt (macOS), AppContainer (Windows, Tier 2).
  • WASI (WebAssembly): WASM-based isolation with capability-gated hostcalls. Recommended for high-risk connectors (financial, credential-handling) due to memory isolation and cross-platform consistency.
| Constraint | Purpose | |------------|---------| | Memory limit | Prevent resource exhaustion | | CPU limit | Prevent runaway computation | | Wall-clock timeout | Bound operation duration | | FS readonly paths | Limit filesystem access | | FS writable paths | Explicit state directory | | deny_exec | Prevent child process spawning | | deny_ptrace | Prevent debugging/tracing | | NetworkConstraints | Explicit host/port/TLS requirements |

Connector State

Connectors with polling cursors, dedup caches, or other long-lived state externalize their canonical state into the mesh:

ConnectorStateRoot {
  connector_id     β†’ Which connector
  zone_id          β†’ Which zone
  head             β†’ Latest ConnectorStateObject
}

ConnectorStateObject { prev β†’ Hash link to previous state seq β†’ Monotonic sequence state_cbor β†’ Canonical connector-specific state signature β†’ Node signature }

Local $CONNECTOR_STATE is a cache only. The authoritative state lives as mesh objects, enabling:

  • Safe failover: another node can resume from last committed state.
  • Resumable polling: cursors survive node restarts and migrations.
  • Deterministic migration: state is explicit, not implicit in process memory.
Periodic snapshots: connectors emit ConnectorStateSnapshot objects at configurable intervals, enabling compaction of the state chain while preserving fork detection for singleton_writer connectors.

Agent API Caching

fcp-host exposes cache metadata on agent-facing discovery surfaces so clients can avoid refetching unchanged metadata:

  • GET /rpc/discover
  • GET /rpc/introspect/{connector_id}
Responses carry ETag, Last-Modified, Cache-Control, and Vary. Clients can revalidate with If-None-Match / If-Modified-Since headers or the JSON-RPC _cache object. When the cached view is still valid, the host returns the normal JSON body with meta.status = 304 and refreshed cache metadata, keeping the agent API JSON-RPC-friendly.

Security Model

Threat Model

FCP defends against:

| Threat | Mitigation | |--------|------------| | Compromised device | Threshold owner key (FROST), threshold secrets (Shamir), revocation, zone key rotation | | Malicious connector binary | Ed25519 signature verification, OS sandboxing, supply chain attestations (in-toto / SLSA) | | Compromised external service | Zone isolation, capability limits, manifest-declared network constraints | | SSRF / localhost attacks | Egress proxy with CIDR deny defaults (localhost, private, tailnet ranges) | | Prompt injection via messages | Protocol-level filtering, taint tracking with proof-carrying reductions, MCP-bridge description scanning | | Privilege escalation | Static capability allocation, no runtime grants, unified ApprovalToken for elevation/declassification | | Replay attacks | Session MACs with monotonic seq, epoch binding, receipts | | DoS / resource exhaustion | Admission control with PeerBudget, anti-amplification rules, per-peer rate limiting | | Key compromise | Revocation objects with monotonic seq for O(1) freshness, key rotation with zonekeyid | | Supply chain attacks | in-toto attestations, SLSA provenance, reproducible builds, transparency log, mesh mirroring | | Quantum-capable adversary | Hybrid HPKE-X25519 + X-Wing KEM for zone keys; ML-DSA-65 for post-quantum signatures | | Side-channel timing | Constant-time comparison on PQ secret types (subtle::ConstantTimeEq); HMAC verify via mac.verify_slice() | | Length-bypass on transparent byte envelopes | Custom length-invariant Deserialize with proptest fuzz |

Threshold Secrets

Secrets use Shamir's Secret Sharing (not RaptorQ symbols, which can leak structure):

Secret: API_KEY
Scheme: Shamir over GF(2^8), k=3, n=5

Distribution: Desktop: share_1 (wrapped for Desktop's public key) Laptop: share_2 (wrapped for Laptop's public key) Phone: share_3 (wrapped for Phone's public key) Tablet: share_4 (wrapped for Tablet's public key) Server: share_5 (wrapped for Server's public key)

To use: 1. Obtain SecretAccessToken (signed by approver) 2. Collect any 3 wrapped shares 3. Unwrap and reconstruct using Shamir 4. Use in memory only 5. Zeroize immediately after use 6. Log audit event

No single device ever has the complete secret. A node cannot decrypt other nodes' shares.

Operation Receipts

Operations with side effects produce signed receipts:

OperationReceipt {
  requestobjectid    β†’ What was requested
  idempotency_key      β†’ For deduplication
  outcomeobjectids   β†’ What was produced
  executed_at          β†’ When
  executed_by          β†’ Which node
  signature            β†’ Node's signing key
}

On retry with the same idempotency key, the mesh returns the prior receipt instead of re-executing.

OperationIntent pre-commit: for Strict or Risky operations, callers first write an OperationIntent object containing the idempotency key, then invoke. Executors check that the intent exists, preventing accidental re-execution during retries. This provides exactly-once semantics for operations with external side effects.

Revocation

First-class revocation objects can invalidate:

| Scope | Effect | |-------|--------| | Capability | Token becomes invalid | | IssuerKey | Node can no longer mint tokens | | NodeAttestation | Device removed from mesh | | ZoneKey | Forces key rotation | | ConnectorBinary | Supply chain incident response |

Revocations are owner-signed and enforced before every operation. Revocation lookup is wired into all 14 stages of the host enforcement pipeline.

Freshness policy:

  • Strict β€” requires fresh revocation check or abort (default for Risky/Dangerous operations).
  • Warn β€” log warning but proceed if cached revocation list is within max_age.
  • BestEffort β€” use stale cache if offline, log degraded state.

The 14-Stage Enforcement Pipeline

Every invoke request flows through a deterministic 14-stage pipeline in crates/fcp-host/src/enforcement.rs. Each stage either passes the request to the next stage or produces a structured denial. The conformance test crates/fcp-conformance/tests/nopermissiveemptyzonebranch.rs enforces the contract that no stage is skipped on the basis of an empty input.

| # | Stage | Failure Mode | |---|-------|--------------| | 1 | Capability token COSE verify | Reject malformed or wrong-key signatures before parsing claims | | 2 | CWT temporal bounds | Reject expired (exp) or not-yet-valid (nbf) tokens | | 3 | Typestate binding check | UnboundVerified β†’ BoundVerified promotion against the live InstanceId | | 4 | Revocation lookup | Exact-membership is_revoked() against the registry; HLC + HierVV freshness gate | | 5 | Zone binding | Token's zoneid must match the connector instance's allowedzones; empty allowed_zones is a hard refusal | | 6 | Capability constraints | Predicate matrix: schema, value-range, host-allowlist, redaction policy | | 7 | Provenance & taint flow | Merge rule (MIN(integrity), MAX(confidentiality)); approval/sanitizer receipts as needed | | 8 | HRW lease check | For singleton_writer connectors, verify the local node holds the current quorum-signed lease | | 9 | Rate-limit gate | Per-pool token bucket / sliding-window / leaky-bucket | | 10 | Admission budget | PeerBudget + anti-amplification (response ≀ N Γ— request) | | 11 | Credential pool lease | Lease a credential from the pool; honor strategy, priority, exhaustion-cooldown | | 12 | Audit + HLC | Append a hash-linked audit event with HLC timestamp and HierVV; emit OTLP span | | 13 | Sandbox setup | Apply network constraints, FS allowlist, memory/CPU limits, denyexec, denyptrace | | 14 | Dispatch to connector subprocess | Send the invoke envelope over the supervised JSON-RPC channel |

A returned OperationReceipt walks back up the pipeline, releasing the credential lease, recording the receipt for idempotency, and closing the OTLP span.

Admission Control

Nodes enforce per-peer resource budgets:

| Mechanism | Purpose | |-----------|---------| | PeerBudget | Per-peer limits on bytes/sec, frames/sec, pending requests | | Anti-amplification | Response size ≀ N Γ— request size until peer authenticated | | Rate limiting | Token bucket, sliding-window, leaky-bucket enforcement; burst applies to token buckets | | Backpressure | Reject new requests when budget exhausted |

Audit Chain (HLC + HierVV + OTLP)

Every zone maintains a hash-linked audit chain with monotonic sequence numbers, Hybrid Logical Clock attributes, and a Hierarchical Version Vector frontier for revocation freshness:

AuditEvent1 β†’ AuditEvent2 β†’ AuditEvent_3 β†’ ... β†’ AuditHead
  seq=1          seq=2          seq=3              head_seq=N
  HLC=(t,c)      HLC=(t,c)      HLC=(t,c)
     ↑              ↑              ↑                   ↑
  signed         signed         signed         quorum-signed

ZoneCheckpoint { revhead, revseq β†’ Revocation chain state audithead, auditseq β†’ Audit chain state hier_vv β†’ Hierarchical version vector }

  • Events are hash-linked (tamper-evident) with monotonic seq for O(1) freshness checks.
  • AuditHead checkpoints are quorum-signed (n-f nodes).
  • HLC clock rollbacks alert; HierVV size histograms surface frontier health.
  • ZoneCheckpoint enables fast sync without chain traversal.
  • Required events: secret access, risky operations, approvals, zone transitions, revocations.
  • W3C-compatible traceid / spanid flow through InvokeRequest, AuditEvent, and the OTLP parity exporter.
The OTLP exporter re-emits audit events as OpenTelemetry traces, metrics, and logs with pinned HLC attributes, host backpressure proof, retry harness, and an fwc telemetry otlp-readiness operator probe.

Post-Quantum Cryptography

Production-grade PQ infrastructure lives in fcp-crypto-pq:

| Primitive | Algorithm | Use | |-----------|-----------|-----| | KEM | X-Wing (RustCrypto draft-06) | Hybrid HPKE-X25519 + X-Wing wrap of zone keys in ZoneKeyManifest V4 | | Signature | ML-DSA-65 (FIPS 204) | Post-quantum signing path alongside Ed25519 | | AEAD profile | Fcp4Aad | Wire format for XWingSealedBox | | Lattice delegation | Trapdoor delegation chain | Lean formal soundness theorem; throughput bench vs Ed25519 and ML-DSA-65 |

Properties:

  • IETF KAT regression harness for X-Wing.
  • Pinned KAT vectors for ML-DSA-65; randomized signing via getrandom.
  • ZoneKeyManifest V4 supports mixed V3 + V4 wrap lists, per-recipient KEM discriminator, and a safe migratedtov4 promotion path.
  • Hybrid verifier dispatches through both HPKE-X25519 and X-Wing.
  • Constant-time PartialEq on all PQ secret types via subtle::ConstantTimeEq.
  • Length-invariant Deserialize on all transparent PQ byte envelopes with proptest fuzz coverage.
  • Mixed V3/V4 mesh migration harness proves both readers see the same effective zone key during cutover.

Connectors

The workspace ships 177 connector crates β€” 176 production connectors plus one adversarial conformance test crate (connectors/_adversarial/). All 176 production crates ship a manifest.toml and tests. The connector surface is broad but not perfectly uniform: 156 currently implement the formal ConnectorErrorMapping trait, 158 currently follow the full src/client.rs + src/connector.rs + src/types.rs layout, and 160 currently publish explicit OperationInfo structs. A workspace conformance guard fails CI if a mature connector lacks a tests/ directory.

Tier 1: Critical Infrastructure

| Connector | Archetype | Why | |-----------|-----------|-----| | fcp.github | Request-Response + Webhook | Code review, issue management, CI/CD | | fcp.linear | Request-Response + Webhook | Human ↔ agent task handoff; bi-directional Beads sync | | fcp.stripe | Request-Response + Webhook | Financial operations; invoicing, subscriptions | | fcp.gmail | Polling + Request-Response | Email automation, inbox management | | fcp.slack | Bidirectional | Team communication | | fcp.twitter | Request-Response + Streaming | Real-time information layer | | fcp.browser | Browser Automation (Real CDP) | Universal adapter for any web service | | fcp.telegram | Bidirectional + Webhook | Real-time messaging, bot automation | | fcp.discord | Bidirectional + Webhook | Community management, server automation | | fcp.youtube | Request-Response | Video transcripts, channel analytics |

Connector Categories (representative)

| Category | Connectors | |----------|------------| | AI / LLM (cloud) | Anthropic, anthropic-vertex, aws-bedrock, OpenAI, Google AI (Gemini), Mistral, xAI Grok, DeepSeek, Together, NVIDIA NIM, MoonShot Kimi, Qwen, Fireworks, llm-router, microsoft-foundry, HuggingFace | | AI / LLM (local) | Ollama, LM Studio, Whisper | | Embeddings | Voyage AI | | Media generation | Fal AI, Runway (Gen-3/Gen-4 video), ComfyUI | | Speech | ElevenLabs, Deepgram, Azure Speech | | Specialty AI | Inworld (character / voice agents) | | Search | DuckDuckGo, Brave Search, Perplexity Search, SearXNG, Tavily, Exa, Firecrawl, Wolfram | | Google Services | Gmail, Calendar, Drive, Docs, Sheets, Chat, Places, YouTube, People, Workspace Events, Admin Reports, BigQuery, Google AI, Google Meet | | Messaging & Collaboration | Slack, Discord, Telegram, Twitter/X, Matrix, Mattermost, Microsoft Teams, Outlook, Signal, WhatsApp, BlueBubbles, iMessage, Synology Chat, IRC, Nostr, Feishu, LINE, DingTalk, WeCom, QQ, Zalo, Tlon (Urbit), Nextcloud Talk | | Voice-call | Twilio, Telnyx, Plivo (all sharing fcp-voice-call substrate) | | Dev Tools | GitHub, GitLab, Bitbucket, Linear, Jira, ClickUp, Todoist, Trello, Asana, Confluence, CircleCI | | Databases | PostgreSQL, MySQL/MariaDB, SQLite, Redis, MongoDB, Elasticsearch, DuckDB, Snowflake, Qdrant, Pinecone, VectorDB | | Cloud & Infra | S3, AWS, Azure, GCP, Kubernetes, Terraform, Pulumi, Vercel, Netlify, Cloudflare, DockerHub, Firebase, Supabase | | Observability | Datadog, Grafana, Sentry, Mixpanel, Amplitude, PostHog, Segment, Metabase | | Productivity | Notion, Airtable, Figma, DocuSign, Pandadoc, Evernote, Logseq, Roam, Coda, Apple Notes, Apple Reminders, Obsidian, Email Generic | | Communication | SendGrid, Mailchimp, HubSpot, Intercom, Zendesk | | Finance | Stripe, PayPal, Plaid, Square, Shopify | | Security | 1Password, Bitwarden | | Automation | Zapier, Make, n8n, Retool, Cron, Webhook Receiver | | Content | Reddit, LinkedIn, Spotify, Anna's Archive, Arxiv, Semantic Scholar, Mastodon, Twitch, Hacker News | | Home & Local | Sonos, Hue, Home Assistant | | Other | MCP Bridge, Salesforce, Box, Dropbox, Microsoft 365 |

The authoritative inventory is the connectors/ directory or manifest-backed fwc list --offline, not a handwritten static table. A few connectors are explicitly non-live today (tlon ships as status = "incubating"; zalouser ships as status = "quarantined"; huggingface describes itself as incubating in its connector description but does not declare a status field). Inventory pr


README truncated. View on GitHub
πŸ”— More in this category

Β© 2026 GitRepoTrend Β· Dicklesworthstone/flywheel_connectors Β· Updated daily from GitHub