
System Architecture Overview

Bedrock is a tactical situational-awareness system: operators and devices share position, chat, drawings, and voice over a resilient mesh, with cryptographic identity and classification enforcement. It is 8 independent git repos (no umbrella monorepo).

The repos

| Repo | Language | Role |
| --- | --- | --- |
| directory | TypeScript (AdonisJS) | Identity authority — FIDO2 login, signs IdentityToken/ServerToken, issues group keys, publishes the revocation list. The root of trust. |
| common | Rust (waypoint_common) | Canonical shared crate — AuthEnvelope pack/verify, token protos, SIDC parser, outbox policy. The contract every client/server mirrors. |
| server | Rust (waypoint node) | Zenoh transport router — relays and stores traffic, federates router↔router (mTLS), enforces the per-message classification gate. |
| android | Kotlin | Tactical client — engine + Zenoh transport + MapLibre map UI. |
| web | TypeScript (AdonisJS + Inertia) | Browser client — Zenoh-over-WSS, server-side recorder tier. |
| node | Rust | Headless GPS / sensor daemon — peer-mesh publisher (position/heartbeat). |
| gateway | Rust | Interop bridge — translates to/from CoT/TAK, ADatP-3, NFFI, etc. |
| infrastructure | Terraform | GCE/KMS provisioning + PKI/TLS for deployments. |

How they fit

```mermaid
flowchart TB
    DIR["<b>directory</b><br/>identity authority"]
    COMMON["<b>common</b><br/>canonical contract<br/>(compiled by all)"]

    subgraph clients [ ]
        direction LR
        AND["android"]
        WEB["web"]
        NODE["node<br/>(GPS daemon)"]
    end

    R1["<b>server</b><br/>router A"]
    R2["<b>server</b><br/>router B"]
    GW["gateway"]
    EXT["CoT/TAK, ADatP-3,<br/>NFFI … (external)"]

    DIR -->|"FIDO2 login, tokens,<br/>group key, revocations · HTTPS"| AND
    DIR --> WEB
    DIR --> NODE

    AND <-->|"Zenoh TLS"| R1
    WEB <-->|"Zenoh WSS"| R1
    NODE <-->|"peer mesh"| R1
    R1 <-->|"gossip / mTLS"| R2
    R1 --> GW --> EXT

    COMMON -.->|contract| AND
    COMMON -.-> WEB
    COMMON -.-> NODE
    COMMON -.-> R1
    COMMON -.-> R2
    COMMON -.-> GW
```

End-to-end flow

  1. Login (HTTPS → Directory). Operator authenticates with a FIDO2 assertion (devices use a single-use registration token). The Directory returns a 5×7-day IdentityToken batch and the device's Ed25519 signing key (public half = principal_sign_key in the token). See security/pki.md.
  2. Connect (Zenoh). The client opens a server-cert-TLS Zenoh session to a router and queries the waypoint/global/auth/** queryable for the router's ServerToken (classification ceiling + coverage cells). Group keys come from /api/group-key.
  3. Send. Each message's content is sealed with AES-256-GCM under the deployment group key (SealedContent) and wrapped in an AuthEnvelope: an Ed25519 device_signature over the signed-cleartext classification and owner_principal_id fields plus the sealed payload. The envelope is put on a cell-routed key expression (waypoint/<cell>/<topic>/...). Heartbeats remain plaintext. See protocol/wire-protocol.md.
  4. Relay / store. The router verifies the envelope, applies the classification gate (min(sender, server)) using the signed-cleartext classification field, stores durable prefixes (chat/drawings as opaque ciphertext), and fans out to subscribers and federated routers. The router never decodes the payload and holds no group key. Late joiners get the durable prefix to catch up.
  5. Receive. Every receiver runs the full envelope verify + revocation gate before any DB write or UI event. See security/model.md.
  6. Interop. The gateway subscribes to the mesh and translates to/from external tactical formats. See protocol/interop-standards/.
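The envelope layer of steps 3 to 5 (sign, router gate, receiver gate) as an added Go example; it is not code from the common crate or any Bedrock repo. It assumes the struct field names, a constructed canonical signing encoding, a small-integer classification level where a lower number is a lower level, and that the payload has already been sealed with the group key before it reaches this layer (the ciphertext below is constructed opaque bytes, which is all the router ever sees).

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// AuthEnvelope models the page's envelope (field names assumed): signed-cleartext
// classification and owner_principal_id, plus the already-sealed payload (opaque here).
type AuthEnvelope struct {
	Classification   uint8  // assumption: 0 = lowest level, higher = more restricted
	OwnerPrincipalID string
	Sealed           []byte // SealedContent: AES-256-GCM output, never opened by the router
	DeviceSignature  []byte // Ed25519 over signedBytes()
}

// signedBytes is a constructed canonical encoding: class byte, length-prefixed owner, sealed payload.
func (e *AuthEnvelope) signedBytes() []byte {
	return append(append([]byte{e.Classification, byte(len(e.OwnerPrincipalID))}, e.OwnerPrincipalID...), e.Sealed...)
}
func (e *AuthEnvelope) verify(senderKey ed25519.PublicKey) bool {
	return ed25519.Verify(senderKey, e.signedBytes(), e.DeviceSignature)
}

// Send wraps an already-sealed payload and signs it with the device's Ed25519 key.
func Send(devKey ed25519.PrivateKey, owner string, class uint8, sealed []byte) *AuthEnvelope {
	e := &AuthEnvelope{Classification: class, OwnerPrincipalID: owner, Sealed: sealed}
	e.DeviceSignature = ed25519.Sign(devKey, e.signedBytes())
	return e
}

// RouterGate is the relay-side check: verify against the sender's principal_sign_key (from its
// IdentityToken), then admit only if the cleartext classification is within min(sender, server).
func RouterGate(e *AuthEnvelope, senderKey ed25519.PublicKey, senderCeiling, serverCeiling uint8) bool {
	if serverCeiling < senderCeiling {
		senderCeiling = serverCeiling
	}
	return e.verify(senderKey) && e.Classification <= senderCeiling // no group key needed
}

// Receive runs the full verify + revocation gate; only then may the caller open Sealed or write to the DB.
func Receive(e *AuthEnvelope, senderKey ed25519.PublicKey, revoked map[string]bool) ([]byte, error) {
	if revoked[e.OwnerPrincipalID] {
		return nil, errors.New("revoked principal")
	}
	if !e.verify(senderKey) {
		return nil, errors.New("bad device signature")
	}
	return e.Sealed, nil
}
```

Because the classification sits inside the signed bytes, a relay or peer that rewrites it in transit produces an envelope that fails verification, so the gate cannot be bypassed by downgrading the label.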

Where each concern is documented

Note: identity is token-only: trust rests on the Directory's Ed25519 signature over the token (residual cert paths are being removed; see pki.md). Member content is AES-256-GCM sealed under the deployment group key before it enters the envelope (server-blind E2E confidentiality); the router is payload-blind and group-key-free. The flag-day cutover activating this fleet-wide (web, gateway, node clients) is outstanding; see security/model.md and architecture/status-roadmap.md.