Beacon Privacy

!!! danger "Authorization boundary"
    Fleet salt and beacon signaling do not authorize segment transfer. Segment exchange requires authenticated mTLS.

Beacon and Fleet Salt Scope

identity.fleet_salt is documented as a privacy input for beacon/HMAC use and is explicitly not a transport credential.

Beacon Wire Format (Implemented)

edge/beacon/frame.go defines a bounded JSON wire frame:

  • version

  • domain_id

  • node_id

  • nonce

  • timestamp_unix

  • hmac

Constraints:

  • version == 1

  • required fields must be non-empty

  • max serialized frame size is bounded (MaxFrameBytes)
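An added example (not the code in edge/beacon/frame.go) of enforcing the constraints above when decoding a received frame. The Go field types, the 512-byte limit, the error names and treating a zero timestamp_unix as empty are assumptions made for illustration; HMAC verification is left out because this page does not specify the MAC input.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed limit for this example; the real MaxFrameBytes value is not given on this page.
const exampleMaxFrameBytes = 512

// exampleFrame mirrors the documented field names; the Go types are assumptions.
type exampleFrame struct {
	Version       int    `json:"version"`
	DomainID      string `json:"domain_id"`
	NodeID        string `json:"node_id"`
	Nonce         string `json:"nonce"`
	TimestampUnix int64  `json:"timestamp_unix"`
	HMAC          string `json:"hmac"`
}

var errTooLarge = errors.New("frame exceeds size bound")
var errVersion = errors.New("unsupported version")
var errMissing = errors.New("required field empty")

// parseExampleFrame checks the size bound first, so oversized input is rejected before decoding.
func parseExampleFrame(raw []byte) (*exampleFrame, error) {
	if len(raw) > exampleMaxFrameBytes {
		return nil, errTooLarge
	}
	var f exampleFrame
	if err := json.Unmarshal(raw, &f); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	if f.Version != 1 {
		return nil, errVersion
	}
	// Assumption: a zero timestamp_unix counts as an empty required field.
	if f.DomainID == "" || f.NodeID == "" || f.Nonce == "" || f.TimestampUnix == 0 || f.HMAC == "" {
		return nil, errMissing
	}
	return &f, nil
}

func main() {
	// Constructed sample frame; all values are placeholders.
	_, err := parseExampleFrame([]byte(`{"version":1,"domain_id":"d1","node_id":"n1","nonce":"abc","timestamp_unix":1700000000,"hmac":"00ff"}`))
	fmt.Println("valid frame error:", err)
}
```

A frame that passes these checks is only well-formed; it carries no authorization, and segment exchange still requires authenticated mTLS.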

Passive-Observer Threat Notes

Beacon fields are intentionally discovery-oriented and do not authorize transfer. An observer can learn coarse heartbeat metadata (domain_id, node_id, timestamp_unix) but cannot bypass mTLS transport authorization using beacon data alone.

Evidence

  • edge/config/config.go (IdentityConfig.FleetSalt comments)

  • edge/transport/transport.go package comment + connection requirements

  • edge/transport/transport_test.go auth/rejection tests

  • edge/beacon/frame.go

  • edge/beacon/frame_test.go

See Also