Networking & pairing
Zero-config, no-central-server connectivity between your machines. Pair two
nodes once with a six-digit code; from then on, the same spt send bob works
whether bob is local or three networks away.
The model
- Node identity — each machine holds an Ed25519 keypair; the public key is its network identity. Connections are mutually authenticated QUIC, end-to-end encrypted, peer-to-peer with NAT hole-punching and public-relay fallback (you can self-host the relay, or disable it for LAN/air-gapped use — the default relays carry only encrypted traffic they cannot read).
- Subnets — machines pair into named groups. A subnet shares: the endpoint registry (who exists, where, what state), context sync for its endpoints, notifications, and staged self-updates. Nothing is shared with unpaired nodes, ever.
- Pairing — a one-time ceremony seeded by a TOTP code: run
spt pair show-totpon a member node (it also prints anotpauth://URI — put the seed in your authenticator app), type the subnet name + current six digits on the joiner. The code bootstraps a PAKE key exchange — the code is never the key, and a wrong guess learns nothing. Both sides pin each other’s node keys on success (trust-on-first-use; key changes warn and never auto-apply). - Visibility & sync scope — per endpoint, per subnet: an endpoint can be hidden from a subnet (neither advertised nor routable) and its mind syncs only to subnets on its membership list. Both default conservative; unconfigured means not shared.
- Resource registry — endpoints may advertise a free-text service blurb
(
spt resources set/list) — an agent yellow-pages over visible rows only.
What rides it
Cross-machine send/ring, registry replication, two-tier mind sync,
remote attach, remote suspend/wake, file transfer, notification replication,
and peer-propagated self-update — all over the same paired substrate.
Commands
spt pair · spt resources · the qualified addressing forms
([subnet:]id[@node]) — CLI reference.
Pairing walkthrough tutorial coming with the docs’ next tier.