Gateway · Master Registry · Reference Contract

archangel control plane

This page is the in-browser composer for the archangel handshake. All key material is generated, stored, and signed on this device. The remote nodes remain agnostic executors — the wire format below is the only contract between this control plane and any conforming node-side daemon.

Operator Identity

No operator keys on this device. Generate to mint a fresh ed25519 identity and x25519 WireGuard peer pair. Private material is held in this browser's localStorage only — never transmitted.

Enroll Node · ARCHANGEL/v0 Handshake

Generate a nonce, sign the canonical message with your ed25519 key, then issue the WireGuard config locally. Node-side archangelverifies the signature against its allow-list before binding the peer.

Node ID (slug)Node LabelRegionWG Endpoint (host:port)Status URL (signed /status)Assigned Address (CIDR)DNS (in-tunnel resolver)Node ed25519 pubkey (hex, 64)

Node x25519 pubkey (base64, WireGuard)

Local Registry · 0 nodes

No nodes registered on this device. Complete an enrollment above to add one.

Wire Format · Reference Contract

Any node implementing this contract is conforming. The Go reference daemon ships in node-daemon/ at the repo root.

POST {node}/archangel/enroll
Content-Type: application/json

{
  "v": "ARCHANGEL/v0",
  "nonce": "<32B hex from GET /archangel/challenge>",
  "client_ed_pub": "<hex>",
  "client_x25519_pub": "<hex>",
  "device_label": "<string>",
  "sig_ed25519": "<ed25519(\"ARCHANGEL/v0\\n\" + nonce + \"\\n\" + client_x25519_pub)>"
}

→ 200 {
  "assigned_ip": "10.42.0.42/32",
  "server_x25519_pub": "<base64>",
  "server_endpoint": "host:port",
  "dns": "10.42.0.1",
  "cidv1_receipt": "<bafy...>"
}