The resolver

Public addresses, private networks.

Every brane gets a routable address — whether it's on a Gaia pod in a datacenter or on a Pi in your closet. The Omega resolver glues Tailscale Funnel, cloudflared tunnels, NetBird, ngrok, and your own WireGuard mesh into one namespace: *.branes.sh, *.sandboxes.sh, *.desktops.sh, *.browsers.sh.

[zones]
*.branes.sh · sandboxes · desktops · browsers
[backends]
Tailscale · cloudflared · NetBird · ngrok · WG
[tls]
1.3 · ACME-EAB · per-zone
[ddos]
Cloudflare-front, gateway-rate-limited

At a glance

The properties that matter.

4
public zones

*.branes.sh, *.sandboxes.sh, *.desktops.sh, *.browsers.sh — share one resolver.

5
tunnel backends

Tailscale Funnel, cloudflared, NetBird, ngrok, plain WireGuard.

subdomains/tenant

Per-brane, per-deployment, per-replica subdomains. Auto-issued ACME certs.

< 30 s
time to public

From `ω apply` to a working `https://...branes.sh` URL on a brand-new tenant.

In the manifest

How you describe it.

networking.zgraph.toml
[brane.api]
substrate   = "gaia"
capability  = "standard"
image       = "omega/api:1.4"
replicas    = 16
// the resolver block on a brane

In operation

What it looks like running.

$ ω network resolver --brane api
brane.api
  public    api.branes.sh
  mode      tailscale-funnel
  cert      letsencrypt R3 · valid until 2026-07-13
  upstream  100.84.21.42:7842 (gaia-04)
  …

$ ω network probe https://api.branes.sh/health
→ resolved cloudflare-front: 104.18.x.x
→ TCP 18ms
→ TLS 44ms (TLS 1.3, ECDHE-ECDSA-CHACHA20)
→ HTTP 200 OK · 14ms

public namespace: *.branes.sh · *.sandboxes.sh · *.desktops.sh · *.browsers.sh
ACME: EAB-bound, per-zone, automatic renewal
tunnel backends: Tailscale Funnel · cloudflared · NetBird · ngrok · WG
egress: allowlist-by-default · capability-scoped
rate limiting: GCRA · per-token-bucket · per-resolver
ddos: optional Cloudflare front · always-on rate limit

By design

What this surface does.

Public host on day zero

Brand-new tenants get a working https://...branes.sh URL within 30 seconds of `ω apply`. Real cert. Real DNS. No coupon code, no pricing tier.
PUBLIC

Same address, every substrate

An api.branes.sh URL works whether the upstream is on Gaia, Biome, or your laptop. Move the brane between substrates and the URL doesn't change.
PORTABLE

Egress is allowlist-by-default

Branes can't talk to hosts the manifest didn't name. The capability layer (WASI) and the tunnel layer (resolver) both enforce the allowlist.
SCOPED

Bring your own overlay

WireGuard, Tailscale, NetBird — the resolver speaks all of them. Air-gap by removing public zones; the substrate keeps working over your overlay.
PRIVATE