Every gateway and every roost owns an Ed25519 keypair. The public key is the node’s identity. There are no shared secrets.
  • Generation happens at first boot, persisted under data_dir/keys/.
  • The gateway’s verifying key is the cluster’s anchor. Pin it in your install scripts.
  • Roost identities live forever; rotation is explicit (flocks roost rotate).

What this buys you

  • Every audit row points back to who ran what — verifiable years later.
  • A stolen roost binary can’t impersonate the gateway: only the gateway has the key that signs grants.