Network Access
Why This Matters
Aegis Core is the stateful runtime. Desktop apps, mobile apps, channels, MCP clients, and agent plugins all need a Core URL. The right network path depends on which devices need access and how public the endpoint should be.
Connection Options
| Option | Best for | Core URL shape | Notes |
|---|---|---|---|
| Local-only | One desktop app controls Core on the same machine | http://127.0.0.1:8787 | Safest default. Mobile devices cannot reach it directly. |
| LAN | Phone and desktop are on the same trusted network | http://192.168.x.x:8787 or http://hostname.local:8787 | Useful for home/lab testing. Avoid untrusted Wi-Fi. |
| Tailscale Serve | Private access from devices in your tailnet | https://<device>.<tailnet>.ts.net | Good default for owner devices across networks. |
| Tailscale Funnel | Temporary public access through Tailscale | https://<name>.<tailnet>.ts.net | Public internet exposure. Use sparingly and keep Aegis auth enabled. |
| Cloudflare Tunnel | Stable public HTTPS hostname without opening router ports | https://aegis.example.com | Good for webhooks, mobile access outside LAN, and owner-controlled domains. |
| VPS / public host | Always-on remote Core | https://aegis.example.com | Requires hardening, backups, monitoring, and owner-controlled secrets. |
Recommended Defaults
- Use local-only when you only need the desktop app.
- Use Tailscale Serve when your phone, tablet, or second computer should privately reach Core from outside the LAN.
- Use Cloudflare Tunnel when you need a real public HTTPS hostname, webhook callbacks, or mobile access without a VPN client.
- Treat Tailscale Funnel and public-host deployments as public exposure. Keep them behind Aegis auth and avoid using them for early development builds.
Pairing Mobile Devices
The desktop app should generate a pairing QR code or setup link with:
- Core URL.
- Node ID.
- Platform and device family.
- Optional scoped node token.
If a phone cannot connect, check the network path before rotating tokens:
- Open the Core URL from the phone browser.
- Confirm the desktop app reports Core as healthy.
- Confirm the URL uses the same route the phone can actually reach.
- Regenerate the pairing link if the Core URL changed.
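As an added illustration (not Aegis code), the sketch below classifies a Core URL by the route types in the Connection Options table and refuses to pair a phone against a loopback URL. The function names and sample URLs are constructed for this example; the `.ts.net` branch cannot tell Serve from Funnel because both share one URL shape.

```python
import ipaddress
from urllib.parse import urlsplit

def classify_core_url(url):
    """Hypothetical helper: return (route, phone_reachable, notes) for a Core URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        raise ValueError(f"not an http(s) Core URL: {url!r}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname, not an IP literal
    notes = []
    if host == "localhost" or (ip is not None and ip.is_loopback):
        route, reachable = "local-only", False
        notes.append("loopback address: a phone cannot reach it directly")
    elif host.endswith(".local") or (ip is not None and not ip.is_global):
        route, reachable = "lan", True
        notes.append("non-public address: phone must be on the same trusted network")
    elif host.endswith(".ts.net"):
        route, reachable = "tailscale", True
        notes.append("Serve and Funnel share this URL shape: confirm which is enabled")
    else:
        route, reachable = "public", True
        notes.append("public exposure: keep Aegis auth enabled")
    if parts.scheme == "http" and route != "local-only":
        notes.append("plain HTTP: traffic, including any node token, is unencrypted")
    return route, reachable, notes

def check_before_pairing(url):
    """Raise if a phone could never use this URL; otherwise return advisory notes."""
    route, reachable, notes = classify_core_url(url)
    if not reachable:
        raise ValueError(f"{url} is {route}: " + "; ".join(notes))
    return route, notes

if __name__ == "__main__":
    # Constructed sample URLs following the shapes in the table above.
    for sample in ("http://127.0.0.1:8787", "http://192.168.1.20:8787",
                   "https://laptop.example-tailnet.ts.net", "https://aegis.example.com"):
        print(sample, classify_core_url(sample))
```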
Operator Notes
Cloudflare Tunnel and Tailscale are transport choices. They do not replace Aegis auth, scoped Native Node tokens, tool approval policy, provider secrets, or evidence logging.