feat: add TLS for node bridge

2026-01-16 05:28:33 +00:00
parent 1656f491fd
commit 1ab1e312b2
36 changed files with 1161 additions and 180 deletions
--- a/docs/gateway/bridge-protocol.md
+++ b/docs/gateway/bridge-protocol.md
@@ -28,8 +28,12 @@ If you are building an operator client (CLI, web UI, automations), use the
 ## Transport

 - TCP, one JSON object per line (JSONL).
+- Optional TLS (when `bridge.tls.enabled` is true).
 - Gateway owns the listener (default `18790`).

+When TLS is enabled, discovery TXT records include `bridgeTls=1` plus
+`bridgeTlsSha256` so nodes can pin the certificate.
+
 ## Handshake + pairing

 1) Client sends `hello` with node metadata + token (if already paired).