Documentation
The browser as a mesh node (WASM)
A browser tab can become a real node of the VIGIL-MESH private network, with no client to install. The node core is compiled to WebAssembly and connects over WebTransport (QUIC/HTTP3): the page then gets a socket surface — UDP, TCP, multicast — on the private network, with the same addresses and the same rules as any machine. The node's private key is generated inside the page and never leaves it.
The browser, a real mesh node
This is not a web client leaning on a gateway that would break end-to-end encryption. The node core runs in the page, in WebAssembly, and speaks the same protocol as the native clients: the tab receives a stable address and becomes a member of the network on the same footing as a workstation or a server.
- WASM core: the node logic (encryption, sessions, addressing) is compiled to WebAssembly and runs in the tab.
- WebTransport: the connection to the mesh goes through WebTransport (QUIC/HTTP3), giving the browser a transport close to that of the native clients.
- Private key never outside the page: the node's private key is generated inside the page and never leaves the browser — the server never sees it.
What you can do
Because the page regains a real network surface on the mesh, it can consume and control services of the private network directly, without an intermediate gateway.
Control
A no-code application in the browser can command machines and services of the mesh (for example teleoperation) by addressing their private addresses directly.
Visualize
Supervise devices, display telemetry or consume a stream published on the private network, from a simple page.
UDP/TCP/multicast sockets
The page gets a surface of UDP, TCP and multicast sockets on the private network, with the same addresses and the same rules as any machine of the mesh.
Security
The trust model is the same as for a native node: the session is encrypted end to end in the page, and the infrastructure never holds the session.
- E2E session in the page: encryption is established in the tab, between the browser node and its peer, just like between two native clients.
- The server does not hold the session: the vigie relays encrypted bytes and owns no session key; the controller distributes the signed network map but does not see the content of the flows.
- Private key non-exportable in practice: generated and kept in the page, it is never sent to the server nor stored outside the browser.
Limits and browser prerequisites
The browser node is powerful, but remains subject to the constraints of the browser sandbox. A few points to keep in mind.
- A recent browser supporting WebAssembly and WebTransport (QUIC/HTTP3) is required; availability varies across browsers and versions.
- The socket surface is provided by the WASM core across the mesh, within the browser sandbox: it is not raw access to the operating system's network stack.
- The session is tied to the tab: it does not survive closing the page the way an installed native background service would.
- For a permanent node that starts at boot, prefer a native client (see /en/docs/install-android or /en/docs/install-jetson); the browser targets immediate access with no install.