docs: add network hub + pairing locality

2026-01-21 00:14:06 +00:00
parent e083f678fd
commit e5ea8a0d22
5 changed files with 75 additions and 0 deletions
--- a/docs/concepts/architecture.md
+++ b/docs/concepts/architecture.md
@@ -77,6 +77,21 @@ Client                    Gateway
  safely retry; the server keeps a short‑lived dedupe cache.
 - Nodes must include `role: "node"` plus caps/commands/permissions in `connect`.

+## Pairing + local trust
+
+- All WS clients (operators + nodes) include a **device identity** on `connect`.
+- New device IDs require pairing approval; the Gateway issues a **device token**
+  for subsequent connects.
+- **Local** connects (loopback or the gateway host’s own tailnet address) can be
+  auto‑approved to keep same‑host UX smooth.
+- **Non‑local** connects must sign the `connect.challenge` nonce and require
+  explicit approval.
+- Gateway auth (`gateway.auth.*`) still applies to **all** connections, local or
+  remote.
+
+Details: [Gateway protocol](/gateway/protocol), [Pairing](/start/pairing),
+[Security](/gateway/security).
+
 ## Protocol typing and codegen

 - TypeBox schemas define the protocol.