01 · Identity
Every peer is a `did:oas`.
No setup keys. No shared secrets that leak into logs. Every peer presents a cryptographic identity rooted in your organization's lineage tree. Revoke a parent — all descendants drop in the next policy tick.
The private mesh for
agents and humans.
Cryptographic identity. Policy-derived ACLs. Multi-transport overlay. Built for the world where every device — and every agent — needs a place on your network.
hmr/founder
forge/agent-1
hives/flight-a
coordinator
sim-3429
jetson-edge
esp32-broker
macos-laptop
iridium-uplink
Principles
Three rules every Beacons fleet keeps.
Beacons is not a VPN with policy bolted on. It is built line one around how autonomous organizations actually work — where peers come and go in seconds, identity is cryptographic, and ACLs are derived from governance, never hand-authored.
02 · Policy
ACLs derived from governance.
Define ENR trust roots, accepted agent kinds, and Arsenal capability scopes once. The policy engine continuously recomputes routes whenever a lineage updates, a capability is issued, or an attestation expires.
03 · Multi-transport
Whatever the device can speak.
Kernel WireGuard on Linux. Userspace WireGuard on macOS and iOS. WebRTC inside a browser tab. MQTT for an ESP32. CoAP for LoRaWAN. Cellular IP for a Telnyx SIM. Iridium when there is no terrestrial link at all.
Universal client matrix
Seven tiers. One mesh.
Every device in the world maps to a tier. The tier picks the transport, the identity storage, and the distribution channel — automatically.
T1
Full
Kernel WG. Linux servers, Windows, NAS.
T2
Sandboxed
Userspace WG. macOS, iOS, Android.
T3
Browser
WebRTC datachannel. PWA, extensions.
T4
Constrained
MQTT / CoAP brokered. ESP32, RP2040.
T5
Cellular
A SIM is the credential. Field devices.
T6
WASM/WASI
Universal target. Hives, Workers, edge.
T7
Container
Docker, K8s sidecar, DaemonSet.
Identity
A composite verdict, every enrollment.
Every peer joining a Beacons fleet is verified through three independent layers — and either all three pass, or the peer never sees a route.
- OAS resolves the `did:oas` and walks lineage to a trusted root
- AEGIS challenges the peer with a fresh Ed25519 nonce
- Arsenal verifies a capability token scoped to this fleet
- ENR governance permits the entity kind
enroll.sh — composite verdict
$ bcn peer enroll did:oas:acme:agent:scribe-7 → oas: resolved · lineage chain depth 3 → aegis: challenge signed · key verified → arsenal: capability beacons:fleet:join · valid 7m → policy: fleet=acme · trust-root=did:oas:acme:hmr:jr · ok peer admitted in 184ms → wireguard route installed · 100.64.7.3/32
policy.rs — derived ACL fragment
pub fn compute_acl( fleet: &Fleet, peer: &Peer, ) -> Result<Acl, PolicyError> { // 1. lineage check let lineage = oas::walk(&peer.did, fleet.trust_roots)?; // 2. capability check let cap = arsenal::verify(&peer.token, "beacons:fleet:join")?; // 3. governance check fleet.enr.accepts_kind(&peer.kind)?; // 4. derive the routes this peer is allowed to reach Ok(Acl::derive(fleet, &lineage, &cap)) }
Policy
Hand-authored ACLs are an edge case.
Define ENR governance once: trusted roots, accepted entity kinds, required capability scopes, attestation issuers. The policy engine derives every ACL — and recomputes whenever lineage, capability, or attestation state changes.
- Continuous recomputation on lineage updates
- Capability revocations propagate in seconds
- Attestations gate access (e.g. SOC 2 trained, signed audit)
- Manual ACL escape hatch for legacy systems
Audit
Tamper-evident from minute one.
Every coordinator action emits a Blake3-hashed event chained against the prior event. The fleet's chain root is periodically anchored on Sigil — so the audit history is verifiable independent of L1fe's infrastructure.
- Configurable anchor cadence per fleet
- Independent verification via Sigil
- Hash-chained per fleet, not per coordinator
- Survives coordinator compromise
audit.tail — sigil-anchored chain
event#9281 peer.enrolled did:oas:acme:agent:scribe-7 event#9282 acl.recomputed +2 routes · -1 route event#9283 cap.revoked did:oas:acme:agent:bot-aging event#9284 peer.dropped cap revoked · routes torn down event#9285 anchor.submit sigil:tx:8af3…b2c1 · root=blake3:…ec71 chain root verified at sigil height 4 491 207
Every device in the world deserves a place on your network — by policy, not by hand.
From a kernel-WireGuard Linux server to an ESP32 brokered through a Raspberry Pi to a Hives flight running as a WASM module — they all join through the same composite verdict, and they all leave under the same policy revocation.
Cellular
Multi-provider cellular, from line one.
Beacons treats cellular as a first-class transport implemented via a provider trait. Telnyx is the launch plugin. Twilio, Soracom, Hologram, 1NCE, Particle and Onomondo follow. eUICC orchestration is owned by Beacons and consumed by Locks through an internal API.
- Per-SIM `did:oas:<ns>:tool:sim-<iccid>`
- Per-fleet private APN
- Configurable provider failover
- Cabbage-metered, billed alongside bandwidth
order.cli — telnyx provider
$ bcn cellular order \
--provider telnyx \
--quantity 100 \
--plan global-1gb \
--apn acme-private
→ provider: telnyx
→ shipping: acme-warehouse-dallas
→ eta: 2026-05-24
100 sims minted · each tied to did:oas:acme:tool:sim-…Order of magnitude
Designed to scale by the design itself.
These are not vanity targets. They are the assumptions the architecture is built against — coordinator throughput, audit chain integrity, lineage walks, ACL recomputation, transport negotiation.
7
Client tiers
From kernel WireGuard to brokered ESP32. One mesh, one identity.
8
Transports
WG, userspace WG, WebRTC, MQTT, CoAP, cellular IP, satellite, LoRa.
9+
Cellular providers
Telnyx · Twilio · Soracom · Hologram · 1NCE · Particle · Onomondo · EMnify · KORE.
~184ms
Composite verdict
OAS resolve + AEGIS challenge + Arsenal verify on a warm coordinator.
Composable
Stands on the L1fe stack. Doesn't lock you in.
Beacons consumes OAS, AEGIS, Arsenal, Sigil, Silos, Cabbage, Relays, Hives, MAP. It doesn't reimplement any of them — and every interface is replaceable.
OAS · AEGIS · Arsenal
Identity, challenge, capability — the three layers of the composite verdict.
Sigil anchoring
Audit chain roots anchored on the Sigil blockchain. Tamper-evident, independently verifiable.
Hives · Silos · Cabbage
WASM compute joins fleets automatically. Postgres state via Silos. Billing meters through Cabbage.
Relays · MAP
MagicDNS routed through Relays / PowerDNS. MAP exposes a BEACONS protocol module for cross-engine discovery.
Forge · Aut0
Forge agents embed `beacons-sdk` and auto-join their org's fleet. Aut0 provisions a default fleet on founding.
JOBS · Locks · Lockers
JOBS-managed devices become peers automatically. Locks issues hardware-rooted identities via eUICC. Lockers settles cellular overages.
FAQ
Common questions.
The decisions that shaped the architecture, in five paragraphs.
Why not just use Tailscale or NetBird?+
Both are well-engineered. Both were built for human users on a small number of long-lived devices. Beacons is line-one designed for autonomous organizations where peers are agents spawned and destroyed in seconds, where identity derives from cryptographic lineage, and where access is policy-derived from organizational governance. The fork was attempted, evaluated honestly, and abandoned. See comparisons.What is a `did:oas` and why does every peer have one?+
`did:oas` is the L1fe ecosystem's Decentralized Identifier method, anchored to a lineage rooted at a human (HMR). Every peer in a Beacons fleet — agent, server, ESP32, SIM — is identified by a `did:oas` so revocation, audit, and capability binding all work the same way. See identity.What if I just want WireGuard?+
WireGuard is one of the eight transports Beacons supports — the default on Linux, Windows and where the OS allows it. You get its performance plus identity, audit, and policy. vs raw WireGuard.Can I self-host the entire stack?+
Yes. Beacons is open core. The Rust workspace, SDKs and clients are MIT/Apache-2.0 dual-licensed. Hosted control-plane operations and enterprise features are commercial. See pricing.How does cellular billing work?+
Cellular usage flows through Cabbage on the same metering pipeline as mesh bandwidth. You see one bill that combines per-peer mesh charges, relay bandwidth, and per-SIM cellular data. See cellular.