OPEN SOURCE · AGPL-3.0 PARTNER-EDGE

What we publish, what we operate.

OxPulse is split across three repositories on purpose. The piece a partner deploys on their own server is fully open and AGPL-3.0. The product surface — web client and control plane — is closed. This page documents that boundary in plain terms, including what it does not give you.

The asymmetric split

Three repositories, three roles. The split is the central architectural decision behind both the federated mesh and the compliance posture.

PUBLIC · AGPL-3.0 oxpulse-partner-edge

The bundle a partner deploys on their VPS. Caddy, xray VLESS tunnel, coturn, str0m-based SFU forwarder, bootstrap scripts. Every byte that touches partner-side traffic is here.

PRIVATE · PROPRIETARY oxpulse-chat

Web client and Rust signaling / coordination server. Operated by us at oxpulse.chat. This is where the closed product surface lives.

PRIVATE · PROPRIETARY oxpulse-admin

Operator console. Partner registration, trust scoring, abuse triage, billing, compliance reporting. Run only by our internal team.

The shape is intentional. Open exactly the surface a partner needs to trust their own server. Close exactly the surface where the operating advantage and the compliance ergonomics live.

What you can audit on the partner-edge

The partner-edge bundle is a four-container stack. Each component is upstream open source, configured by code in the public repo.

  • Caddy — TLS termination, ACME, SNI multiplexing.
  • xray-client — VLESS + Reality + XHTTP anti-DPI tunnel with ML-KEM-768 post-quantum key exchange.
  • coturn — TURN/STUN relay with HMAC-SHA1 ephemeral credentials (RFC 5766).
  • Rust SFU — str0m 0.18 media-forwarding engine. Forwards SRTP; never decrypts media.
  • Bootstrap scripts — single-command deploy, ~30 MB Docker image.

Reproducible builds: the AGPL repository pins all upstream commits and toolchain versions. Build the binary from a tagged commit, hash the result, compare it to the binary you are running. If they match, the running binary is the source you read.
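The comparison described above, as an added example (not code from the oxpulse-partner-edge repository): it hashes a tree you rebuilt from a tagged commit and a tree copied out of the running deployment, then reports files that differ, are missing, or exist only in the deployment. The function names and the two directory arguments are assumptions; how you extract the deployed files is left to you.

```shell
#!/bin/sh
# Added example. Function names and directory layout are assumptions for illustration.

# Print "sha256  ./relative/path" for every regular file under DIR, in stable order.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# verify_build REBUILT_DIR DEPLOYED_DIR
# Returns 0 when every file matches, 1 on any difference, 2 when the input is unusable.
verify_build() {
    [ -d "$1" ] && [ -d "$2" ] || { echo "ERROR: not a directory" >&2; return 2; }
    tmp=$(mktemp -d) || return 2
    hash_tree "$1" > "$tmp/rebuilt"
    hash_tree "$2" > "$tmp/deployed"
    # An empty rebuild proves nothing; refuse instead of reporting a vacuous match.
    if [ ! -s "$tmp/rebuilt" ]; then
        echo "ERROR: rebuilt tree is empty" >&2; rm -rf "$tmp"; return 2
    fi
    # sha256sum lines are 64 hex characters, two separator characters, then the path.
    report=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        NR == FNR { want[path] = hash; next }          # first file: the rebuild
        { seen[path] = 1
          if (!(path in want))         print "EXTRA    " path   # deployment only
          else if (want[path] != hash) print "MISMATCH " path }
        END { for (p in want) if (!(p in seen)) print "MISSING  " p }
    ' "$tmp/rebuilt" "$tmp/deployed" | LC_ALL=C sort)
    rm -rf "$tmp"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    echo "MATCH: deployed files are byte-identical to the rebuild"
}
```

An EXTRA line deserves the same attention as a MISMATCH: a file that the tagged source does not produce is code you have not read.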

What is not open

The web client and the control plane are closed source. We are explicit about this rather than ambiguous. From POSITIONING §4b:

“Open exactly the surface a partner needs to trust their own server. Close exactly the surface where our operating advantage lives.”

The product surface stays closed for three reasons:

  • Partner-trust scoring and IP-block lists for state-controlled infrastructure. Publishing them gives adversaries a defection roadmap.
  • Abuse triage and quarantine pipelines. Publishing them assists evasion.
  • The compliance posture itself. HIPAA-readiness at v1 and a FISMA-Moderate target at v2 are easier to attest against a controlled product surface than against a federation of unauthenticated forks.

This is not Signal-tier “every line on every device is open.” It is the partner-can-verify-their-own-infrastructure tier. The distinction matters and we say it that way.

Federated, not decentralized

Partner nodes register with a control plane at api.oxpulse.chat, receive a registration token, and are trust-scored. Unknown or hostile operators are disconnected. This is curated federation, not anonymous federation in the Matrix sense, and it is not a decentralized network.

The load-bearing privacy claim is the cryptographic boundary, not the network topology: operators forward only ciphertext. Content keys are ephemeral and live in participants’ browsers; they are never transmitted to or held by the control plane. A compromised control plane could affect the partner mesh — registration, disconnects, trust scoring — but it cannot read message content or call audio.

Operators today trust api.oxpulse.chat. We have not designed a decentralized alternative to the control plane. If we do, it will be documented in the threat model first. For the full picture see /security.

Warrant canary

As of 2026-05-08:
  • No warrants have been received.
  • No subpoenas have been received.
  • No operator data requests have been received.
  • No traffic logs have been handed over.

This statement is refreshed in place. The absence of an updated date is itself the signal. If this section disappears or stops being refreshed, treat it as a notice.

Run a partner-edge node

The partner-edge bundle is a ~30 MB Docker image with a single-command deploy. A sysadmin without a DevOps team can run it. For the simpler starting point — a TURN relay without the SFU, provisioned in one command on a Debian / Ubuntu or RHEL-family VM — see the turn-node installer.

Full edge SFU, anti-DPI tunnel and the rest of the stack are in the public repository.

License posture

oxpulse-partner-edge is licensed under AGPL-3.0. Standard operator deployments — running the bundle on infrastructure you control, registering with the control plane, forwarding ciphertext for paid users — require no commercial license.

Commercial terms apply to OEM embedding and to proprietary forks that need to ship without the AGPL’s network-use disclosure clause. Dual licensing is available for B2B deployments that cannot accept AGPL. Inquiries via /contact.
