443 relay
The data plane for NAT-bound devices: both ends dial outbound through a WebSocket bridge on port 443.
Phones behind carrier NAT can't accept inbound connections, and edges like Cloudflare only pass ports 80/443. The 443 relay solves both: a per-edge WebSocket bridge with a 1-byte role preamble lets both sides dial outbound, so a phone participates in the data plane while opening zero inbound ports.
Two outbound dials meet in the middle; the preamble says who is who.
phone ──outbound──▶ wss://edge:443 ◀──outbound── backbone
[role byte: worker] [role byte: dialer]
bridge splices the two streams → one ordinary TCP pipeHardened in production
Three real bugs, three fixes
- Build-fingerprint agreement — both ends must prove they run the same runtime pack before any tensor bytes flow.
- Node-token download auth — partial-shard downloads are authenticated with the same wallet-derived node token the app already holds.
- The `Int.ushr` frame stall — Kotlin's
ushruses only the low 5 bits of its shift, solen ushr 56becamelen ushr 24and silently corrupted every frame ≥ 64 KiB (a 593 KBresult_outputwas the first casualty). Fixed by moving length packing toLongshifts — and load-bearing for batched expert dispatch, which routinely exceeds 64 KiB.
The relay carries whatever the topology needs — ring layer boundaries or expert dispatch streams — and the same mechanism verified for the ring is what production phone workers use in the swarm.