Skip to documentation
OrbitMeshDocs
Browse documentation
Docs/Engineering Specs

ENGINEERING SPECS

MVP Implementation Status

This document is the current status index for OrbitMesh MVP implementation.
View source

This document is the current status index for OrbitMesh MVP implementation.

Status values:

implemented
  Code exists and is expected to work in the current MVP.

needs_verification
  Code exists, but the latest production smoke result is not recorded here.

partially_implemented
  A usable slice exists, but the full documented behavior is not complete.

planned
  Designed and accepted, but not implemented.

deferred
  Intentionally out of the current MVP.

blocked
  Cannot progress without an external dependency or decision.

1. Current MVP Scope

Current MVP scope is the Traffic MVP:

Tenant
  -> Node
    -> Capability Binding
      -> Runtime Binding
        -> Endpoint
          -> Client Access Subscription

sing-box is the current Traffic runtime implementation. It is not the product abstraction.

2. Implemented

2.1 Control Plane

Area Status Notes
Tenant login and tenant selection implemented Console can authenticate and load tenant context.
Node model implemented Current model is Node-centered rather than generic gateway-centered.
Node metadata update implemented Node name, provider, region, and display attributes can be edited and trigger desired state publication.
Capability binding model implemented Traffic roles are modeled as capability binding roles.
Runtime binding model implemented Runtime state is attached to runtime bindings.
Endpoint model implemented Endpoint is the Node/Runtime/Capability reachability resource; Traffic Entry, inter-node proxy, DNS, and TLS readiness share this model.
Desired State compile implemented Desired state is generated from Node, Capability Binding, Runtime Binding, Endpoint, and Subscription.
Runtime catalog implemented Catalog exposes runtime metadata, roles, capabilities, schema, and install profile references.
Runtime install profiles implemented Edge Runtime can discover installation profiles for active bindings.
Subscription target catalog implemented Client output targets are catalog-driven.
Tenant Plan Subscription schema implemented Plans, plan versions, entitlements, quota templates, tenant subscriptions, and plan-derived quota metadata are modeled in Ent.
Plan catalog seed implemented Free and Pro plan seeds are created by Control Plane startup. Team and Enterprise remain planned catalog extensions.
Platform Plan API implemented Platform operator read/assignment/effective-entitlement/quota-sync APIs are exposed under /api/v1/platform/....
Effective Entitlement read path implemented Platform API resolves definition defaults plus plan overrides for a tenant plan version.
Plan-derived quota sync implemented Active finite plan quota templates can create or update source-marked quota policies.

2.2 Edge Runtime

Area Status Notes
Device-bound node identity implemented Node identity is bound to the original deployment token/device identity.
Registration implemented Registration returns node identity and runtime context.
Heartbeat implemented Runtime status, binding status, versions, and path data are reported.
Desired State pull/apply implemented Node-scoped desired state and runtime-binding-scoped configs are supported.
Runtime install profile execution implemented sing-box install path is driven by runtime binding/install profile.
sing-box traffic runtime implemented Current Traffic Entry and Traffic Exit runtime path.
Usage collector implemented sing-box stats are collected and reported as traffic usage.
Runtime update flow partially_implemented CLI/service update design exists; packaging and channel policy continue after MVP alignment.

2.3 Traffic Entry, Exit, And Routing

Area Status Notes
traffic.entry role implemented Traffic Entry is modeled as a role, not as a top-level gateway type.
traffic.exit role implemented Traffic Exit is selected by traffic policy and compiled into runtime config.
sing-box Trojan Entry implemented Current MVP protocol path.
Traffic policy rules implemented Route selection and exit candidate selection are available.
Route profile rendering implemented Subscription output can include grouped routing templates.
Multiple endpoint subscription selection implemented Client Access Subscription can target multiple ready Traffic Entry endpoints.
Dynamic endpoint reconciliation implemented First-party client subscriptions continuously reconcile policy-selected Traffic Entry endpoints and atomically republish Desired State for affected Nodes.

2.4 Endpoint, DNS, TLS, And Certificate Readiness

Area Status Notes
Endpoint readiness implemented Readiness is derived from endpoint, DNS, TLS binding, and certificate status.
Runtime endpoint templates implemented sing-box traffic.exit publishes an inter_node_proxy mixed/tcp endpoint template; Control Plane reconciles endpoint rows from adapter templates.
DNS record state implemented Console displays record name, target, status, and blockers.
ACME certificate issuance implemented System certificate workflow exists.
TLS binding implemented Endpoint TLS binding status and certificate expiry are visible.
DNS/TLS readiness dashboard implemented /network/domains shows domain and TLS readiness instead of isolated certificates.
Custom domain onboarding deferred Deferred until Traffic MVP is stable.

2.5 Client Access Subscription

Area Status Notes
Subscription creation implemented Console can create subscriptions against ready Traffic Entry endpoints.
Subscription update implemented Subscription name, default format, and selected Traffic Entry endpoints can be edited; old and new endpoint nodes are recompiled.
Catalog-driven format generation implemented Target metadata, schemas, and profile presets come from the catalog.
Clash output implemented Supported by current subscription target rendering.
Surge output implemented Includes versioned template support.
Shadowrocket output implemented Supported without unsupported target parameters.
Rotation implemented Rotation invalidates previous public subscription URL and protocol credentials.
Revoke implemented Revoked subscription credentials are removed from runtime configuration.
Delete revoked subscription implemented Revoked subscriptions can be removed from active Console views.

2.6 Usage, Quota, And Adjustments

Area Status Notes
Usage attribution implemented Usage includes tenant, user, subscription, node, runtime, binding, direction, and metering point where available.
client_access metering implemented Main MVP accounting and quota metering point.
Infrastructure traffic metering partially_implemented sing-box can report node-level exit_egress and relay_transit from runtime outbound counters, and Console exposes /nodes/traffic for infrastructure traffic. mesh_transit and runtime_local are reserved for later runtimes. Subscription-level attribution remains client_access only.
Tenant usage implemented Console summary and table display.
User usage implemented Console filter, breakdown, and user-level quota creation.
Subscription usage implemented Console display and subscription detail integration.
Node usage implemented Console display and node navigation.
Concrete usage target filters implemented Usage table supports scope, target, and direction.
Attribution coverage display implemented Console shows user, subscription, and node attribution coverage.
Quota policies implemented Tenant, user, subscription, and node scopes are exposed.
Quota enforcement implemented Blocking quota can exclude affected runtime credentials.
Quota events implemented Console shows event status and credential impact.
Usage adjustment implemented Current-period billable total can be credited or debited.
Usage reset implemented Reset creates a negative adjustment; raw samples are preserved.

2.7 Console

Area Status Notes
Menu and route alignment implemented Traffic, Network Resources, Platform, and Settings are aligned with current MVP routes.
Mobile navigation implemented Mobile menu and layout fixes are in place.
Skeleton states implemented Core Console loading states exist.
Version display implemented Console shows frontend and API version context.
Runtime Catalog page implemented Runtime metadata and install profiles are visible.
Node detail runtime state implemented Desired state, runtime path, version, and binding state are visible.
Node and subscription editing implemented Node metadata and client access subscriptions use the same edit/save pattern as policy resources.
Usage & Quotas page implemented Usage, quota policy, enforcement, events, and adjustments are integrated; billable total, raw upload/download, and credential-blocking state are labeled separately.
Domains & Certificates page implemented DNS/TLS readiness is grouped by endpoint context with address, DNS record, TLS binding, certificate, readiness, and owner context.
Routing policy presentation implemented Policy tables and simulation output show Entry -> Relay -> Exit path context and selected exit names instead of raw node IDs.
Page context and layout polish implemented Console routes include page descriptions; mobile cards, adjacent panels, and button interaction states are normalized.

2.8 Deployment And Release

Area Status Notes
API container build implemented API is built and published by tag workflow.
Edge Runtime release artifact implemented Agent artifacts are published by release workflow.
Cloudflare Pages console deploy implemented Console deploys from main.
Cloudflare Worker installer implemented install.orbitmesh.dev serves installer flow.
S3/R2 download prefix implemented Release artifact download prefix is configurable.
Production health endpoint implemented /healthz returns version and commit.

3. Needs Verification

These items have code paths, but the latest smoke run should be recorded before the MVP is considered stable.

Area Status Required verification
Production smoke record partially_verified 2026-07-07 production smoke recorded API 0.1.121 / commit 30b775a, Console reachability, nodes, endpoints, subscriptions, runtime binding ids, and residual issues.
Quota block propagation needs_verification Exceeded disable quota removes affected credentials from compiled runtime configuration after latest changes. Not destructively retested in the 2026-07-07 smoke run.
Quota restoration propagation needs_verification Adjustment/reset restores credentials after usage returns below limit. Existing history shows one restored policy, but no current-period reset was executed in the 2026-07-07 smoke run.
Multi-endpoint subscription verified Existing subscriptions with two Traffic Entry endpoints render valid Clash output and public subscription credentials.
Traffic Entry -> Traffic Exit routing partially_verified Desired state compiles policy path from Tencent Entry to hermes-agent Exit through healthy mesh endpoint 100.74.113.86:18082; a clean non-exit external client exit-IP test still needs SSH/client access.
DNS/TLS reconcile after endpoint change partially_verified Current endpoint state is healthy: domain active, DNS synced, certificates issued, TLS bindings ready. Endpoint mutation-triggered reconcile was not performed in the 2026-07-07 smoke run.
Edge Runtime update flow needs_verification Current update command and release artifact path work on the test nodes. Not executed in the 2026-07-07 smoke run.

Additional 2026-07-07 follow-up items:

  • Align quota enforcement list current-period state with public subscription quota headers. The list still shows June 2026 periods while subscription headers expose the current monthly expiry of 2026-08-01T00:00:00Z.
  • Investigate GET /api/v1/health-checks?page.page_size=3 latency; one production smoke call took about 6.6 seconds.
  • Investigate workstation-side intermittent resolution/connectivity to api.orbitmesh.dev, Kubernetes ClusterIP, and ingress node IPs. Cluster-internal service calls were stable.
  • Restore or document SSH access for a non-exit client test host such as aws-test so Traffic Entry -> Traffic Exit can be proven by external-client exit-IP observation.

Use traffic-mvp-acceptance-checklist.md to record the smoke result.

4. Planned Next

These items are designed but not implemented.

Area Status Notes
Tenant Plan Subscription UI planned Tenant Console should expose read-only current plan, period, entitlement, limit, and plan-derived quota state.
Platform Plan Console planned apps/platform should expose plan assignment and tenant plan operations.
Team and Enterprise plan seeds planned Free and Pro are implemented; larger catalog tiers remain documented extensions.
Resource limit enforcement planned Node, runtime binding, client subscription, traffic policy, and domain creation should check entitlements.
Automatic default tenant plan assignment planned New tenants should receive a default tenant plan subscription.
Account system expansion planned Account, billing role, service accounts, RBAC expansion are post-Traffic-MVP work.

5. Deferred

These are intentionally out of the current Traffic MVP.

Area Status Notes
Mesh production workflow deferred EasyTier/Tailscale/NetBird work resumes after Traffic MVP stabilization.
Gateway production workflow deferred Traefik/NGINX/Envoy Gateway work resumes after Traffic MVP stabilization.
Tunnel production workflow deferred frp/Cloudflare Tunnel/ngrok-like flows are post-MVP.
Managed Node commercial workflow deferred Needs Tenant Plan and billing foundation first.
Payment provider integration deferred Tenant Plan MVP can be seed/manual before payment integration.
Invoices and tax deferred Not required for MVP.
Custom domain onboarding deferred DNS/TLS readiness exists; user-facing onboarding is deferred.
Runtime marketplace deferred Runtime plugin model exists; marketplace is later.
Prometheus source of truth for billing deferred Traffic usage remains in Control Plane SQL for product enforcement.

6. Blocked

No current MVP item is marked blocked.

If an item becomes blocked, record:

  • blocker.
  • owner.
  • date found.
  • required decision or external dependency.
  • fallback if any.
OrbitMesh DocumentationContent follows the repository's main branch.