Networks

Networks are a group-level access control primitive in Pilot Protocol. A network grants connectivity to all its members at once, an alternative to establishing trust between every pair of agents.

Overview

Networks grant connectivity to all members at once. Adding multiple agents to the same network allows them to discover and connect to each other without individual handshake ceremonies. The network boundary is the trust boundary.

Networks are managed through the `pilotctl network` commands. Private Network is in early access.

Networks vs. bilateral trust

Pilot Protocol has two access control models that can be used together.

Scope: Bilateral trust is one-to-one. Network membership is group-wide.
Setup: Bilateral trust requires a handshake and approval per pair. Network membership requires adding an agent once to connect to all members.
Scaling: Bilateral trust requires O(n²) handshakes for n agents. Network membership requires O(n) adds for n agents.
Discovery: Bilateral trust requires a known address or hostname. Network membership allows enumeration via `pilotctl network members`.
Revocation: Bilateral trust is revoked per-peer. Network membership is revoked for all members by removing the agent from the network.
Use case: Bilateral trust is for cross-organizational collaboration or unknown peers. Networks are for teams, fleets, or agents within the same organization.
Persistence: Bilateral trust is stored locally on each node. Network membership is stored in the registry and survives node restarts.

Bilateral trust is for relationships between agents that do not share an organizational boundary. Networks are for agents that should be able to communicate by default.

What network membership grants

When two agents share a network, they gain a specific set of permissions.

Discover addresses: Without a network, private agents are invisible. With a shared network, members' endpoints can be resolved.
Open connections: Without a network, connection attempts are dropped. With a shared network, connections are accepted.
Send datagrams: Without a network, datagrams are dropped. With a shared network, they are delivered.
List members: Without a network, the network cannot be enumerated. With a shared network, the member list is available via `pilotctl network members`.
Handshake auto-approval: Without a network, this requires manual approval. With a shared network, membership serves as a trust signal.

Network membership does not grant traffic inspection or transitive access.

No traffic inspection: Encryption is end-to-end between agents. The network grants connectivity, not visibility.
No transitive access: If A and B share network 1, and B and C share network 2, A cannot reach C. Each network is an independent trust domain.

Enterprise networks add production controls. Enable at creation with `pilotctl network create --name prod --enterprise`.

RBAC: Three-tier roles (owner, admin, member).
Invites: Consent-based invite flow.
Identity & SSO: OIDC, SAML, Entra ID, LDAP, and webhook identity providers.
Directory sync: Push AD/Entra ID/LDAP entries to auto-provision members.
Policies: Membership caps, port whitelists, and network descriptions.
Audit & compliance: Structured audit events and SIEM export.
Blueprints: Declarative JSON provisioning.

Standard network permissions are simple: a member can communicate inside the boundary, and is invisible outside. Enterprise networks add roles and port policies for finer-grained control.

The backbone (network 0)

Every registered agent belongs to network 0, the backbone. This is the global address space where node IDs are allocated and endpoints are registered.

Address allocation
Endpoint resolution
NAT traversal
Handshake relay

The backbone does not grant communication rights. Private agents on the backbone are invisible to everyone except their trusted peers and network co-members.

Join rules

A join rule, set with `pilotctl network create`, controls how new members are added.

Open: Any node can join without approval. For public communities.
Invite only: Only an owner or admin can invite new members. For high-security environments.
Token-gated: Anyone with a shared secret token can join. For teams that can distribute a token out-of-band.

For token-gated networks, agents self-join with the token:

pilotctl network join 1 --token my-secret

Network lifecycle

To create a network:

pilotctl network create --name research-lab --join-rule token --token my-secret

The `--join-rule` is one of `open`, `invite`, or `token`. Use `--enterprise` to enable enterprise features.

Admins add agents by identifier:

Node ID: e.g., `1001`. Found in `pilotctl info` output.
Pilot address: e.g., `1:0001.0000.03E9`. Found in daemon startup output.
Hostname: e.g., `my-agent`. Set at daemon start with `--hostname`.

pilotctl network invite 1 1001
# or by hostname / pilot address
pilotctl network invite 1 my-agent
pilotctl network invite 1 1:0001.0000.03E9

Once added, the agent can communicate with all other network members. To monitor agents, list live members with `pilotctl network members <network_id>`.

To remove agents:

pilotctl network kick 1 1001
# or by hostname / pilot address
pilotctl network kick 1 my-agent

Access is revoked immediately. To delete a network, owners can use `pilotctl network delete <network_id>`. All member associations are removed.

How it works under the hood

Network membership is checked automatically at three points in the protocol.

1. Address resolution: When agent A looks up agent B, the registry checks if B is public. If not, it checks if A and B share a network or have mutual trust. Otherwise, the lookup is denied.

2. Connection acceptance: When a connection request arrives at a private agent, the daemon checks the source against its trust list and shared network membership. If neither applies, the request is silently dropped.

3. Datagram delivery: Datagrams to private agents use the same check. If the sender is not trusted and not in a shared network, the datagram is dropped.

Security model

The network security model is that membership equals access. Standard networks have no traffic inspection. Enterprise networks add RBAC and port-level policies.

When a non-member tries to connect to a private network agent, the request is silently rejected to prevent scanning.

Backbone (network 0) membership does not grant any communication rights.

Running `pilotctl network kick` revokes access immediately, with no propagation delay.

Network membership is not transitive. Each network is an independent trust domain.

Enterprise networks support port-level policies to restrict which ports members can access. Use `pilotctl network policy <network_id> --allowed-ports 80,443,1001` to set a policy. Other flags include `--max-members <n>` and `--description <text>`. Without any `--<flag>` argument, `pilotctl network policy <network_id>` shows the current policy.