
LatticeNet

Reviewed control plane for self-hosted fleets.

Monitor nodes, plan privileged changes, deploy DNS and proxy-core config, publish signed plugins, and keep every host mutation behind an approval trail.

Deployment shape

Docker server first. systemd node-agent on each host.

Lattice is built for small private infrastructure where the control plane should stay boring: run the server as a container, keep agents as host binaries, and let nodes dial out instead of exposing management ports.

Server

Use the GHCR image behind HTTPS, with durable state, audit WAL, logs, plugin bundles, and master key backed up together.

Docker guide

Node agent

Install the outbound agent as a systemd service. Execution stays off until an operator explicitly enables reviewed tasks.

Agent guide

Updates

GitHub Release binaries and SHA256SUMS feed server-reviewed agent update policies. Nothing follows a mutable latest pointer.

Update model

First install

Get a private control plane online, then add privileges deliberately.

The recommended start is a local server bound to 127.0.0.1:8088, a trusted reverse proxy, TOTP for the first admin, and one node-agent enrolled without host mutation.

git clone https://github.com/LatticeNet/lattice.git
cd lattice/compose
cp .env.example .env
$EDITOR .env
mkdir -p data plugins
docker compose up -d

Control loop

Every dangerous change has a visible plan before it becomes a task.

Firewall, DNS, proxy-core deployment, and agent updates share the same review shape: operators inspect the rendered intent, approve the visible plan hash, and the node reports the result back through the outbound task channel.

Configure: Set intent in the dashboard or API.
Render: Server creates a secret-safe review plan.
Approve: Dashboard sends the SHA-256 of the visible plan.
Queue: Agent leases a bounded task over outbound HTTPS.
Apply: Node validates artifacts before mutation.
Audit: Result and actor trail stay in the server log.
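The render, approve and apply steps above, as an added example (my code, not Lattice's): the plan layout, field names and the secret-digest convention are assumptions. It shows that an approval hash only matches the exact plan the operator reviewed, and that a node refuses an artifact whose SHA-256 differs from the digest pinned in the task.

```python
import hashlib
import hmac
import json

def canonical_bytes(plan: dict) -> bytes:
    # Deterministic encoding so dashboard and server hash the same bytes.
    return json.dumps(plan, sort_keys=True, separators=(",", ":")).encode()

def plan_hash(plan: dict) -> str:
    # The SHA-256 the dashboard sends back when an operator approves a plan.
    return hashlib.sha256(canonical_bytes(plan)).hexdigest()

def render_plan(intent: dict) -> dict:
    # Secret-safe review plan (assumed layout): values under "secrets" appear
    # only as digests, so the plan can be reviewed and hashed without leaking them.
    visible = {k: v for k, v in intent.items() if k != "secrets"}
    visible["secret_digests"] = {
        name: hashlib.sha256(value.encode()).hexdigest()
        for name, value in intent.get("secrets", {}).items()
    }
    return visible

def approve(current_plan: dict, approved_hash: str) -> bool:
    # Server side: an approval names one exact plan. If intent changed after
    # the operator looked at it, the re-rendered plan hashes differently.
    return hmac.compare_digest(plan_hash(current_plan), approved_hash)

def validate_artifact(artifact: bytes, pinned_sha256: str) -> bool:
    # Node side: no host mutation unless the fetched artifact matches the
    # digest carried in the approved task.
    return hmac.compare_digest(hashlib.sha256(artifact).hexdigest(), pinned_sha256)

def demo() -> dict:
    # Constructed sample intent for a reviewed nft policy change.
    intent = {"kind": "nft-policy", "node": "edge-1",
              "rules": ["accept tcp dport 443"], "secrets": {"wg_key": "example-key"}}
    plan = render_plan(intent)
    approved = plan_hash(plan)  # operator approves this rendered plan
    # Intent edited after approval: the stale hash must no longer be accepted.
    changed = {**intent, "rules": intent["rules"] + ["accept tcp dport 22"]}
    artifact = b"constructed agent binary bytes"
    pinned = hashlib.sha256(artifact).hexdigest()
    return {
        "approve_same": approve(plan, approved),
        "approve_changed": approve(render_plan(changed), approved),
        "artifact_ok": validate_artifact(artifact, pinned),
        "artifact_tampered": validate_artifact(artifact + b"\x00", pinned),
        "secret_leaked": "example-key" in json.dumps(plan),
    }
```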

What is live now

Fleet operations, network policy, DNS, proxy-core, logs, and plugin foundations.

Inventory and monitoring

Metrics, host facts, machine cost and renewal reminders, fleet map, logs, SSH alerts, and node token lifecycle.

Network and DNS

Reviewed nft policy, Network Guard, self-host DNS apply/publish, Geo-Routing preview, and rollback-protected apply scripts.

Proxy-core operations

VLESS + REALITY profile management, subscriptions, usage reporting, quota/expiry notifications, and collector health.

Agent lifecycle

Manual update plans and auto-plan pending approvals for pinned HTTPS artifacts, SHA-256 digests, and target versions.

Plugin trust

Signed manifests, digest pinning, trusted publisher policy, capability broker, lifecycle registry, and noop runtime foundation.

Public ecosystem

GHCR server image, GitHub Release binaries for the agent, GitHub Pages docs, and a signed plugin index roadmap.

Lattice is early and usable for private fleets with careful perimeter hardening. Community plugin execution is not enabled by default; marketplace work starts with a read-only signed index.

Choose your path

Operators get deployment runbooks. Developers get release contracts and extension boundaries.

Operators

Install the server, enroll agents, enable TOTP, back up state, and turn on host mutation only where needed.

Read the operator guide

Security reviewers

Understand trust boundaries, approval hashing, plugin capability gates, and why agents never need inbound management ports.

Review the model

Plugin authors

Start with local bundles and signed manifests. Remote install and runner activation remain separate safety gates.

Author plugins

Contributors

Work across the split repos, keep SDK contracts versioned, and follow release tag order before cutting downstream artifacts.

Developer guide

Release managers

Publish server images through GHCR and node-agent binaries through GitHub Releases with SHA256SUMS.

Release workflow

Roadmap readers

Track what is implemented, what is intentionally blocked, and what must mature before marketplace install or real runners.

Roadmap

Security-first, self-hosted, and release-gated.