Quickstart

A fleet, two peers, a tunnel — in about five minutes.

The shortest path from zero to a verified composite-verdict enrollment with a working WireGuard tunnel between two peers. Linux x86_64 is the demo target; the same flow works on every Tier 1 host.

1 · Install the CLI and the daemon

# macOS
brew install l1feai/tap/beacons

# Debian / Ubuntu
curl -fsSL https://beacons.sh/install.sh | sh

# Arch
yay -S beacons-bin

2 · Authenticate against your control plane

bcn login --control https://console.beacons.sh
# opens browser, signs you in through Locks (or your own IdP)
# binds your shell session to an Arsenal ACT

3 · Create a fleet

bcn fleet create my-test \
  --trust-root did:oas:acme:hmr:jr \
  --accept-kinds agent,agent:instance,service \
  --max-lineage-depth 8

✓ fleet did:oas:acme:fleet:my-test created

4 · Enroll two peers

bcn peer enroll did:oas:acme:hmr:alice --fleet my-test
bcn peer enroll did:oas:acme:agent:bot1 --fleet my-test

✓ alice  100.64.7.2/32  online
✓ bot1   100.64.7.3/32  online

5 · Verify the tunnel

alice $ ping bot1.my-test.beacons.mesh
PING bot1.my-test.beacons.mesh (100.64.7.3): 56 data bytes
64 bytes from 100.64.7.3: icmp_seq=0 ttl=64 time=2.4 ms
64 bytes from 100.64.7.3: icmp_seq=1 ttl=64 time=1.9 ms

What just happened

  1. OAS resolved each peer's did:oas and walked lineage to your trust root.
  2. AEGIS issued a fresh nonce and verified each peer's signature.
  3. Arsenal verified your shell session's ACT scoped beacons:fleet:join.
  4. The policy engine derived an ACL granting full intra-fleet routing.
  5. The coordinator dispatched WireGuard peer configurations to both daemons.
  6. The audit chain recorded both enrollments and submitted the next anchor.

Next: explore the CLI · read the API reference · how identity works.

Open a fleet

The mesh that fits agents and humans.

A `did:oas`-rooted private mesh that ships peer configurations to any device, anywhere, by policy — not by hand.

Open consoleRead the quickstart