A team’s mesh of laptops, servers, or Pis joined over Tailscale or WireGuard. Real grants, real isolation, real audit. Nothing leaves your infrastructure.

What private requires

  • A real auth adapter (mtls or oidc). The local adapter is only accepted when the gateway binds to a loopback address; on any non-loopback bind it is rejected.
  • A transport (Tailscale / WireGuard / custom).
  • TLS in front of the gateway.
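As an added example, not code from flocks itself, the following Python preflight check implements the rule stated above: the local auth adapter is allowed only on a loopback bind, and a private deployment otherwise needs mtls or oidc. The function names, the (auth_adapter, bind) pair and the accepted bind formats are assumptions about how a deployment might express its configuration; the sample bindings at the bottom are constructed.

```python
"""Preflight check for the 'local is rejected on non-loopback binds' rule.

Added illustration, not part of flocks. The function names and the
(auth_adapter, bind) inputs are assumptions about how a deployment's
configuration might be represented.
"""
import ipaddress

# Adapters the private profile accepts on any bind address (from the page).
ALLOWED_PRIVATE_ADAPTERS = {"mtls", "oidc"}


def parse_bind(bind: str):
    """Split '127.0.0.1:8443', '[::1]:8443', '0.0.0.0:8443' or a bare host
    into (host, port). A host with no port returns port None."""
    bind = bind.strip()
    if bind.startswith("["):
        # Bracketed IPv6 literal: [addr]:port or [addr]
        close = bind.find("]")
        if close == -1:
            raise ValueError(f"unterminated IPv6 literal: {bind!r}")
        host = bind[1:close]
        rest = bind[close + 1:]
        port = int(rest[1:]) if rest.startswith(":") else None
        return host, port
    if bind.count(":") == 1:
        host, port_s = bind.split(":")
        return host, int(port_s)
    # Bare IPv4/hostname, or an unbracketed IPv6 literal without a port
    return bind, None


def is_loopback(host: str) -> bool:
    """True only for addresses other machines cannot reach (127/8, ::1)."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Any other hostname is not trusted as loopback: it may resolve
        # to a mesh or public address at runtime.
        return False


def check_auth_binding(auth_adapter: str, bind: str) -> tuple:
    """Return (ok, reason): local only on loopback, else mtls or oidc."""
    host, _port = parse_bind(bind)
    if auth_adapter == "local":
        if is_loopback(host):
            return True, f"local auth on loopback bind {bind}: ok"
        return False, f"local auth rejected: {bind} is not a loopback bind"
    if auth_adapter in ALLOWED_PRIVATE_ADAPTERS:
        return True, f"{auth_adapter} auth on {bind}: ok"
    return False, f"unknown auth adapter {auth_adapter!r}"


if __name__ == "__main__":
    # Constructed sample configurations; 100.64.0.5 stands in for a
    # Tailscale/WireGuard mesh address.
    for adapter, bind in [("local", "127.0.0.1:8443"),
                          ("local", "[::1]:8443"),
                          ("local", "0.0.0.0:8443"),
                          ("local", "100.64.0.5:8443"),
                          ("mtls", "100.64.0.5:8443")]:
        ok, msg = check_auth_binding(adapter, bind)
        print("PASS" if ok else "FAIL", msg)
```

The check deliberately treats 0.0.0.0 and :: as non-loopback, since binding to the wildcard address exposes the gateway on every interface, including the mesh one.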

Topology

  • One gateway (single binary).
  • One coordinator (SQLite is fine).
  • N roosts on physical / virtual machines.
  • All over Tailscale or WireGuard, gateway-fronted.

Daily ops

  • Roll grants and audit chunks via flocks gateway audit rotate.
  • Add a new roost with a token from flocks gateway token mint.
  • Drain a roost with flocks roost drain before maintenance.