# Topics — Vertical Cross-Cut

Canonical topics that the SPT design touches. Each topic lists every index entry that covers it.
Pointers use `<file>` + `§section` or `entry name`.

---

## NAT traversal (general)

- `papers/INDEX.md` arxiv-cs-0603074 / bford-p2pnat — 2005 baseline (82% UDP / 64% TCP)
- `papers/INDEX.md` arxiv-2408-01791 — QUIC HP, faster than TCP under loss
- `papers/INDEX.md` arxiv-2510-27500 — 2025 production: 70% real rate, TCP ≈ QUIC, relay centralization risk
- `articles/INDEX.md` oneuptime-com-...udp-hole-punching-nat — concrete 4-step walkthrough + Python ref impl
- `forums-wikis-videos/INDEX.md` news-ycombinator HN 45822982 — symmetric NAT math, TCP simul-open, RFC 7250 raw pubkeys
- `forums-wikis-videos/INDEX.md` discuss-libp2p forum — rust-libp2p DCUtR brittleness in practice
- `forums-wikis-videos/INDEX.md` dietpi forum — outbound-initiated hole punch + rendezvous helper
- `docs/INDEX.md` `libp2p-io-docs-dcutr.html` — DCUtR protocol spec
- `docs/INDEX.md` `docs-rs-libp2p-...hole-punching` — libp2p tutorial walkthrough
- `docs/INDEX.md` `docs-iroh-computer-about-faq.html` — ~90% direct claim
- `docs/INDEX.md` `docs-iroh-computer-concepts-relays.html` — relay as fallback
- `repos/iroh.md` §Dial by pubkey — `Endpoint::connect(addr, alpn)` does it
- `repos/rust-libp2p.md` §NAT traversal: DCUtR + §Hole punching (QUIC) — PR #3964 deep dive
- `repos/quinn.md` §Hole-punching / simultaneous open — `Endpoint::new` with pre-punched socket
- `repos/vpn-cluster.md` nebula §NAT hole-punching — punch signaling pattern
- `rfcs-specs/INDEX.md` RFC 8489 (STUN), RFC 8656 (TURN), RFC 8445 (ICE) — the triad
- **Best single read:** `papers/INDEX.md` arxiv-2510-27500 (2025 production data overrides older numbers)

## Hole punching (technique-specific)

- `papers/INDEX.md` arxiv-cs-0603074 §3.4 "Peers Behind Different NATs" — canonical algorithm
- `papers/INDEX.md` arxiv-2408-01791 — QUIC HP + connection migration saves 2 RTTs
- `articles/INDEX.md` oneuptime — 5x send burst @ 100ms gaps; sym-NAT failure mode
- `repos/rust-libp2p.md` §Hole punching (QUIC) PR #3964 — `hole_puncher` sprays 64-byte UDP every 10–200 ms, matches inbound by SocketAddr (not PeerId)
- `repos/quinn.md` `quinn/examples/single_socket.rs` — one UDP socket, server+client roles share it
- `repos/vpn-cluster.md` nebula `punchy.go` — 1-byte UDP punch, lighthouse cross-introduction
- `docs/INDEX.md` `libp2p-io-docs-dcutr.html` — sync via relayed conn, simultaneous DIAL+LISTEN
- `rfcs-specs/INDEX.md` (none directly — hole punching is application-level)
- **Best single read:** `repos/rust-libp2p.md` §Hole punching PR #3964 (code paths + design rationale)

## Identity (pubkey-as-address, no PKI)

- `rfcs-specs/INDEX.md` syncthing-device-ids — SHA-256(DER cert) → base32 + Luhn check digits, dash-grouped
- `rfcs-specs/INDEX.md` did-key-spec §2 — `did:key:` + multibase(base58-btc) + multicodec
- `rfcs-specs/INDEX.md` noise-protocol §7 (XX/IK patterns), §7.8 (identity hiding)
- `rfcs-specs/INDEX.md` RFC 9420 §10 (KeyPackages — Ed25519 leaf credential)
- `repos/iroh.md` §Endpoint + identity — `EndpointId = PublicKey` (Ed25519), display via base32
- `repos/rust-libp2p.md` §Identity — `PeerId` = SHA-256 multihash of pubkey
- `repos/veilid.md` §Identity (TypedKey) — `CryptoTyped<Bare>` = 4-byte FOURCC + raw key; display `VLD0:<base64url>`
- `repos/magic-wormhole.md` §SPAKE2 exchange — derives shared key from short code
- `docs/INDEX.md` `docs-iroh-computer-about-faq.html` — EndpointId auth via libp2p TLS handshake
- `docs/INDEX.md` `ssbc-github-io-ssb-db.html` — SSB ed25519 feed identity
- `docs/INDEX.md` `scuttlebot-io-...secure-scuttlebutt.html` — SSB Secret Handshake (4-way ed25519 mutual auth)
- `docs/INDEX.md` `briarproject-org.html` — QR / shared link contact swap
- `docs/INDEX.md` `atproto-com.html` — DID + handle resolution (federated, not P2P)
- `articles/INDEX.md` theregister-...veilid — 256-bit pubkey as ID, no special nodes
- `articles/INDEX.md` vlaicu-io-posts-wormhole — SPAKE2 + PGP wordlist UX
- `forums-wikis-videos/INDEX.md` wiki/veilid — Rust, pubkey-only, MPL-2.0
- `forums-wikis-videos/INDEX.md` community-braxtech — Briar QR + offline-by-design pattern
- **Best single read:** `rfcs-specs/INDEX.md` §syncthing-device-ids (closest production analogue to SPT's "no-account" identity)

## DHT (distributed hash table)

- `papers/INDEX.md` arxiv-2402-09993 — Kademlia churn from NAT'd peers; TTL incompatible with low-latency ops
- `papers/INDEX.md` arxiv-2402-16201 — Honeybee verifiable random walks vs Kademlia/GossipSub
- `forums-wikis-videos/INDEX.md` wiki/mainline-dht — 16–28M concurrent users, KRPC=bencode-over-UDP, 5-min token rotation
- `docs/INDEX.md` `docs-rs-mainline.html` — `Dht::client/server`, BEP_0043, `as_async()`
- `docs/INDEX.md` `libp2p-io-docs-kademlia-dht.html` — k-buckets, XOR distance, FIND_NODE/FIND_VALUE/STORE
- `docs/INDEX.md` `docs-ipfs-tech-how-to-modify-bootstrap-list.html` — editable bootstrap UX pattern
- `repos/rust-libp2p.md` §Kademlia DHT — `Config::new(StreamProtocol)` for private namespace `/spt/kad/1.0.0`
- `repos/veilid.md` §DHT records — `create_dht_record`, `set_dht_value`, `watch_dht_values`, schemas DFLT/SMPL
- `repos/iroh.md` (no native DHT — uses pkarr publishing; `iroh-mainline-address-lookup` is external)
- `articles/INDEX.md` blog-ipfs-tech-rust-libp2p-bootstrap — production-scale Kademlia data (30k conns/node, <300 KB/conn)
- **Best single read:** `papers/INDEX.md` arxiv-2402-09993 (Kademlia scalability limits) or `repos/rust-libp2p.md` §Kademlia DHT (working API)

## Transport (QUIC / TCP)

- `repos/quinn.md` (entire file) — pure-Rust QUIC, RFC 9000/9001/9002, ECN + GSO/GRO
- `repos/iroh.md` §Streams — bi/uni streams via `noq` (forked quinn)
- `repos/rust-libp2p.md` §Transport: QUIC — `with_quic()`, `quinn 0.11.9 + rustls 0.23`
- `docs/INDEX.md` `docs-rs-iroh-quinn-latest-tokio-runtime.html` — `TokioRuntime` adapter
- `docs/INDEX.md` `docs-rs-iroh-0-90-0.html` — Endpoint/builder/ALPN surface
- `papers/INDEX.md` arxiv-2408-01791 — QUIC HP perf vs TCP
- `forums-wikis-videos/INDEX.md` HN 45822982 — "QUIC requires TLS but not CA" + RFC 7250 raw pubkeys
- `rfcs-specs/INDEX.md` (QUIC not directly indexed — see Brief [^41][^42] for RFC 9000)
- **Best single read:** `repos/quinn.md` (complete API + Windows specifics + 0-RTT + migration)

## LAN discovery (mDNS / DNS-SD / broadcast)

- `rfcs-specs/INDEX.md` RFC 6762 §§3,5,6,8,9,10,11,15,17,18 + Appendix A — full mDNS spec
- `rfcs-specs/INDEX.md` RFC 4795 (LLMNR) — Windows-only hostname resolution alternative
- `rfcs-specs/INDEX.md` XEP-0174 §3, §3.1 — `_presence._tcp.local.` template (most directly transferable for `_spt._udp.local.`)
- `rfcs-specs/INDEX.md` syncthing-localdisco-v4 — UDP broadcast 21027, magic `0x2EA7D90B`, protobuf Announce
- `rfcs-specs/INDEX.md` draft-cai-ssdp-v1 — SSDP (`M-SEARCH` / `NOTIFY`); included to explain why mDNS wins
- `docs/INDEX.md` `docs-rs-mdns-sd-latest.html` — `ServiceDaemon::new/browse/register`, TXT properties
- `docs/INDEX.md` `crates-io-mdns-sd.html` — crate metadata
- `forums-wikis-videos/INDEX.md` forum-duplicacy (Tailscale vs ZT) — L2 + mDNS = "feels like it works"
- `articles/INDEX.md` (none direct; vlaicu-wormhole mentions LAN-direct as first negotiation phase)
- `repos/iroh.md` lines 10-14, 102-118 — `iroh-mdns-address-lookup` (out-of-tree); was `discovery-local-network` feature in 0.90
- `repos/rust-libp2p.md` §Workspace `protocols/mdns/` — libp2p has native mdns behaviour
- **Best single read:** `rfcs-specs/INDEX.md` RFC 6762 + XEP-0174 (wire spec + production template)

## Relay / TURN (fallback when hole punch fails)

- `rfcs-specs/INDEX.md` RFC 8656 (TURN) §§3,4,7,9,10,11,12,17,18 — Allocate, ChannelBind, Send/Data
- `forums-wikis-videos/INDEX.md` reddit-r-webrtc (gated) — OpenRelay 20 GB/month free
- `docs/INDEX.md` `docs-iroh-computer-concepts-relays.html` — DERP-style fallback
- `docs/INDEX.md` `docs-iroh-computer-add-a-relay.html` — self-host pattern (stateless relays)
- `docs/INDEX.md` `docs-iroh-computer-about-faq.html` — relay rate limits, public n0 relays
- `docs/INDEX.md` `tailscale-com.html` — DERP origin (account-required disqualified)
- `repos/iroh.md` §Relay self-hosting — `iroh-relay --features server`, `ServerConfig`, `AccessConfig::Restricted`
- `repos/rust-libp2p.md` §Workspace `protocols/relay/` — libp2p circuit relay v2 + `examples/relay-server/`
- `repos/vpn-cluster.md` nebula `relay_manager.go` — opt-in relay fallback
- `repos/vpn-cluster.md` headscale §NAT traversal — DERP map distribution (separate processes)
- `articles/INDEX.md` oneuptime — "For symmetric NAT, TURN servers are the fallback"
- `papers/INDEX.md` arxiv-2510-27500 — relay centralization warning (NAT traversal infra = silent re-centralization)
- **Best single read:** `repos/iroh.md` §Relay self-hosting (concrete self-host path)

## Pairing / SPAKE2 / short codes

- `repos/magic-wormhole.md` (entire file) — SPAKE2 + PGP wordlist, full Rust API surface
- `articles/INDEX.md` vlaicu-io-posts-wormhole — Protocol Stack overview, PAKE explanation, integration examples
- `docs/INDEX.md` `docs-rs-magic-wormhole.html` — Wormhole API: connect, send_json, transit
- `docs/INDEX.md` `magic-wormhole-readthedocs-io-welcome.html` — conceptual PAKE explainer
- `docs/INDEX.md` `briarproject-org.html` — QR contact swap pattern
- `forums-wikis-videos/INDEX.md` community-braxtech — Briar + Simplex + Tox social patterns
- `forums-wikis-videos/INDEX.md` 34c3 Trevor Perrin (Noise talk) — XX/IK pattern selection
- `rfcs-specs/INDEX.md` noise-protocol §7.7 (per-payload security), §7.8 (identity hiding), §10 (Noise Pipes 0-RTT)
- `rfcs-specs/INDEX.md` did-key-spec — alt encoding for cross-ecosystem interop
- **Best single read:** `repos/magic-wormhole.md` (cheat sheet at bottom is copy-paste-ready)

## Gossipsub / pub-sub

- `repos/rust-libp2p.md` §Gossipsub messaging — `Behaviour::new(privacy, Config)`, `MessageAuthenticity::Signed`, `protocol_id_prefix("/spt/meshsub")` for private namespace
- `papers/INDEX.md` arxiv-2402-16201 — GossipSub vs Honeybee under Sybil (4–63% improvement)
- `papers/INDEX.md` arxiv-2406-16661 — Close-Weaver: latency-aware neighbour selection for messaging workloads
- `docs/INDEX.md` `handbook-scuttlebutt-nz-concepts-gossip.html` — SSB friend-of-friend replication
- `docs/INDEX.md` (libp2p gossipsub not directly indexed)
- **Best single read:** `repos/rust-libp2p.md` §Gossipsub messaging (working API)

## Binary size

- `repos/low-priority.md` §min-sized-rust — full recipe checklist + nightly knobs
- `articles/INDEX.md` dev-to-ahaoboy-...bloaty-metafile — 11MB → 4.5MB walkthrough; rustls-tls = biggest win
- `repos/iroh.md` §Binary size knobs — default features to strip; `tls-ring` vs `aws-lc-rs`
- `repos/rust-libp2p.md` §Binary size knobs — per-protocol opt-in feature flags
- `repos/quinn.md` §Binary size knobs — `runtime-tokio` + `rustls-ring` minimum; drop `platform-verifier`, `bloom`
- `repos/magic-wormhole.md` §Binary size knobs — `default-features = false` for pairing-only
- `repos/veilid.md` §Binary size knobs — `geolocation` trap door (pulls reqwest); MPL-2.0 footprint >10 MB realistic
- `articles/INDEX.md` blog-ipfs-tech-rust-libp2p-bootstrap — production memory profile baseline
- Brief §2.8 — LTO + `opt-level="z"` + `strip` → 5-15 MB target
- **Best single read:** `repos/low-priority.md` §min-sized-rust (canonical checklist)

## Windows quirks / firewall / portability

- `docs/INDEX.md` `learn-microsoft-com-...windows-firewall-rules.html` — inbound rule precedence, automatic rule creation pitfalls
- `forums-wikis-videos/INDEX.md` reddit-r-sysadmin (gated) — first-bind Defender dialog
- `repos/quinn.md` §Windows specifics — `quinn-udp` Wine/Proton ECN gaps; `WSARecvMsg` requirement; max_gso_segments=512 on Win11 x64
- `repos/iroh.md` gotcha — `socket/transports/ip.rs:177` Windows interface flips
- `repos/magic-wormhole.md` gotcha — pure WebSocket, no libc / Unix sockets; clean Windows-native fit
- `repos/veilid.md` gotcha — protected store uses Windows Credential Manager; `always_use_insecure_storage` fallback for services
- `repos/low-priority.md` §min-sized-rust — `no_main/win/` reference + `windows-sys` feature pruning
- Brief §2.8 — code signing, "unknown publisher" first-run UX
- **Best single read:** `repos/quinn.md` §Windows specifics + `docs/INDEX.md` `learn-microsoft-com-...firewall-rules.html`

## Agent protocols (MCP / A2A / orchestration)

- `articles/INDEX.md` anthropic-com-news-mcp — MCP launch, local stdio/SSE
- `articles/INDEX.md` kdjingpai-com-...zhengshifaa — MCP 2025 roadmap (remote, OAuth2, registry, hierarchical agents)
- `articles/INDEX.md` ibm-com-...agent2agent-protocol — A2A architecture (AgentCard, Task, Message)
- `articles/INDEX.md` microsoft-...autogen — multi-agent in-process orchestration
- `docs/INDEX.md` `atproto-com.html` — DID + handle (federated, account-required)
- Brief §2.7 + §3 — MCP / A2A disqualifications (HTTP server-required, not P2P)
- **Best single read:** Brief §2.7 (compact comparison table) or `articles/INDEX.md` ibm-...agent2agent (clearest A2A architecture)

## Privacy / onion / anonymity

- `repos/veilid.md` (entire file) — onion routing, all-nodes-as-relay, MPL-2.0
- `docs/INDEX.md` `docs-rs-tor-hsservice-latest.html` — Arti `OnionService::launch()`
- `docs/INDEX.md` `lib-rs-tor-hsservice.html` — Arti maturity signals
- `docs/INDEX.md` `veilid-com-how-it-works-networking.html` — Veilid topology, all-node-relay
- `docs/INDEX.md` `earendil-network.html` — anonymous comm, WIP
- `docs/INDEX.md` `gnunet-org.html` — privacy-by-design (C-only)
- `articles/INDEX.md` forum-torproject-...arti — Hidden Service hardening, Conflux multi-leg
- `articles/INDEX.md` theregister-...veilid — "Tor for apps" positioning
- `articles/INDEX.md` dev-to-byteknight-yggdrasil — Tor-over-Yggdrasil pattern
- `forums-wikis-videos/INDEX.md` reddit-r-opensource (gated) — Veilid sentiment
- `forums-wikis-videos/INDEX.md` wiki/veilid — Rust, MPL-2.0, pubkey-only
- `repos/low-priority.md` arti — 68-crate workspace pattern (REFERENCE only; threat model disjoint from SPT)
- Brief §2.5 + §3 — Arti latency disqualification as primary transport
- **Best single read:** `repos/veilid.md` (the only candidate with first-class onion in tree)

## Mesh-VPN coordinator anti-patterns

- `repos/vpn-cluster.md` (entire file: nebula + innernet + headscale)
  - nebula `lighthouse.go` + `punchy.go` — coordinator broker pattern
  - innernet `server/` — single mandatory coordinator (anti-SPT)
  - headscale `state.go` + `node_store.go` — copy-on-write atomic.Pointer snapshot (BORROW)
  - headscale `noise.go` + `auth.go` — Noise-over-HTTP + PreAuthKey UX
  - innernet `nat.rs` — endpoint candidate list (no hole punch)
- `docs/INDEX.md` `tailscale-com.html` — DERP architecture origin (account disqualified)
- `docs/INDEX.md` `zerotier-com.html` — controller-based (account disqualified)
- `docs/INDEX.md` `yggdrasil-network-github-io.html` — Go daemon, manual public peers
- `docs/INDEX.md` `wireguard-com.html` — Noise in production reference
- `articles/INDEX.md` dev-to-byteknight-yggdrasil — `sudo yggdrasilctl addPeer` friction
- `articles/INDEX.md` antlatt-tailscale (stub 502) — would have been homelab pitch
- `forums-wikis-videos/INDEX.md` forum-duplicacy + dietpi — Tailscale/ZT/WireGuard debates
- `repos/low-priority.md` cjdns + yggdrasil-go — SKIP (daemon shape)
- Brief §2.6 + §3 — all mesh VPNs disqualified for SPT
- **Best single read:** `repos/vpn-cluster.md` (deepest borrow analysis: 514 lines covering 3 systems)

## Bootstrap nodes / soft-centralization

- `articles/INDEX.md` blog-ipfs-tech-rust-libp2p-bootstrap — hardcoded list pattern + opt-out FAQ
- `docs/INDEX.md` `docs-ipfs-tech-how-to-modify-bootstrap-list.html` — `ipfs bootstrap add/rm`
- `repos/iroh.md` §Endpoint construction (presets) — `presets::N0` vs `presets::Minimal`
- `repos/rust-libp2p.md` §Bootstrap node config — ships ZERO hardcoded; examples-only
- `repos/veilid.md` §Bootstrap config — Veilid Foundation seeds + V1 signed-bootstrap for private nets
- `repos/vpn-cluster.md` headscale §Identity — PreAuthKey + interactive accept flows
- `papers/INDEX.md` arxiv-2510-27500 — relay/signaling infra is silent centralization point
- Brief §4 Q1 + Q2 — relay operator + libp2p bootstrap open questions
- **Best single read:** `articles/INDEX.md` blog-ipfs-tech-rust-libp2p-bootstrap (real-world pattern + opt-out story)

## Crypto / Noise / MLS / TLS

- `rfcs-specs/INDEX.md` noise-protocol (full spec) — patterns, message format, encoding
- `rfcs-specs/INDEX.md` RFC 9420 (MLS) — group key agreement, framing, cipher suites
- `docs/INDEX.md` `docs-rs-snow.html` — Rust Noise impl, `Builder → HandshakeState → TransportState`
- `docs/INDEX.md` `lib-rs-noise-protocol.html` — alt crate, Unlicense
- `docs/INDEX.md` `wireguard-com.html` — Noise in production reference
- `forums-wikis-videos/INDEX.md` 34c3 Trevor Perrin — Noise talk authoritative source
- `forums-wikis-videos/INDEX.md` HN 45822982 — raw pubkey TLS (RFC 7250) for P2P
- `repos/quinn.md` §TLS config — `QuicClientConfig` / `QuicServerConfig` via rustls
- `repos/iroh.md` — TLS via `tls-ring` (default) or `tls-aws-lc-rs` (PQ-capable)
- `repos/magic-wormhole.md` §SPAKE2 — derived shared key via HKDF subkeys
- `repos/veilid.md` §Identity — VLD0 crypto suite: Ed25519+X25519+ChaCha20Poly1305+BLAKE3+Argon2
- **Best single read:** `rfcs-specs/INDEX.md` noise-protocol (handshake selection guide) + `docs/INDEX.md` `docs-rs-snow.html` (Rust API)

## Tokio integration / async runtime

- `forums-wikis-videos/INDEX.md` stackoverflow-71116502 — sync `main` → async cookbook
- `docs/INDEX.md` `tokio-rs-tokio-tutorial-hello-tokio.html` — `#[tokio::main]` + `Runtime::new().block_on(...)`
- `docs/INDEX.md` `docs-rs-iroh-quinn-latest-tokio-runtime.html` — `TokioRuntime` adapter for quinn
- `repos/quinn.md` §tokio runtime integration — `Runtime` trait + `AsyncUdpSocket` trait
- `repos/iroh.md` — tokio mandatory; `n0-future` is the abstraction
- `repos/rust-libp2p.md` — libp2p-quic ≥ 0.13 dropped async-std (tokio only)
- `repos/veilid.md` §Binary size knobs — `rt-tokio` vs `rt-async-std` choice
- Brief §2.8 — one-time integration cost, ~1-2 MB
- **Best single read:** `forums-wikis-videos/INDEX.md` stackoverflow-71116502 (one-line recipe)

## Connection migration / NAT rebind / mobility

- `repos/quinn.md` §Connection migration — `ServerConfig.migration=true`, `Endpoint::rebind`, keep_alive_interval
- `papers/INDEX.md` arxiv-2408-01791 — QUIC migration saves 2 RTTs vs re-punch
- `repos/iroh.md` `examples/monitor-connections.rs` — observe path changes
- (No direct prior art in libp2p docs for QUIC migration as of mapper read)
- **Best single read:** `repos/quinn.md` §Connection migration

## 0-RTT / session resumption

- `repos/quinn.md` §0-RTT — `Connecting::into_0rtt()`, `enable_early_data = true`, replay safety
- `repos/iroh.md` `examples/0rtt.rs` — `Connecting::into_0rtt()` for sub-RTT reconnects + security caveats
- `rfcs-specs/INDEX.md` noise-protocol §10 — Noise Pipes (0-RTT compound protocols)
- **Best single read:** `repos/quinn.md` §0-RTT (full safety story)

## Append-only signed logs / message history

- `docs/INDEX.md` `ssbc-github-io-ssb-db.html` — SSB unforgeable append-only feeds
- `docs/INDEX.md` `handbook-scuttlebutt-nz-concepts-gossip.html` — friend-of-friend replication
- `repos/low-priority.md` hypercore — Ed25519-signed manifests, sparse merkle replication (JS-only)
- `repos/low-priority.md` nostr-protocol + rust-nostr — signed event model, Schnorr/secp256k1
- `docs/INDEX.md` `docs-rs-nostr.html` — `EventBuilder`, `Keys::generate`, NIP-44 DM
- `articles/INDEX.md` (none direct)
- **Best single read:** `docs/INDEX.md` `ssbc-github-io-ssb-db.html` (closest match to SPT spool model)

## Authentication / access control

- `repos/iroh.md` `examples/auth-hook.rs` — `EndpointHooks::before_connect` per-peer allowlist
- `repos/iroh.md` `examples/incoming-filter.rs` — pre-handshake drop (cheaper flood protection)
- `repos/iroh.md` §Relay self-hosting — `AccessConfig::Restricted(callback)` per EndpointId
- `repos/vpn-cluster.md` headscale `db/preauth_keys.go` — `hskey-auth-{prefix}-{secret}` with bcrypt
- `repos/vpn-cluster.md` innernet `redeem` flow — invitation TOML → one-shot key swap
- `rfcs-specs/INDEX.md` STUN §9 — short-term & long-term credentials
- `rfcs-specs/INDEX.md` RFC 9420 §16 — Authentication Service trust assumptions
- **Best single read:** `repos/iroh.md` `examples/auth-hook.rs` + `repos/vpn-cluster.md` headscale PreAuthKey

## CRDT / shared state

- `repos/low-priority.md` iroh-loro — 307-line CRDT-over-iroh demo (Loro + iroh ALPN)
- (No other prior art in this corpus)
- **Best single read:** `repos/low-priority.md` §iroh-loro (the only template)

## Cross-cluster patterns (coordinator design)

- `repos/vpn-cluster.md` §Cross-cluster patterns — shared design choices across nebula/innernet/headscale
- Relevance ranking for SPT (highest first): headscale NodeStore copy-on-write, innernet invitation-TOML, nebula lighthouse punch signaling, headscale typed `change.Change` events, expired_invite_sweeper pattern
- **Best single read:** `repos/vpn-cluster.md` §Cross-cluster patterns
