Security Model

All mesh traffic is encrypted with WireGuard. Control plane APIs use TLS 1.2+ and authenticate via SSO, API tokens, or device credentials.

• Never trust, always verify — every connection evaluates identity and policy
• Least privilege — grant access to specific resources, not entire networks
• Assume breach — audit all connectivity and configuration changes
• Device trust — enforce posture checks for sensitive resources