Security

Scoped trust, explicit enrollment, no public endpoint ports

Beagle secures the streaming stack with per-VM SSH tunnel keys, scoped endpoint tokens, enrollment-based onboarding, a no-public-port philosophy, fingerprint awareness, and WireGuard-backed residential egress modes.

Per-VM tunnel keys

USB control and reverse-tunnel operations are isolated with per-VM SSH tunnel keys. Trust is scoped to the exact target VM instead of shared across the fleet.

Enrollment-based onboarding

Endpoints are brought into the fleet through enrollment and scoped endpoint tokens. This keeps onboarding explicit and tied to the assigned runtime profile.

No-public-port philosophy

Beagle does not rely on open ports on the endpoint. The security model prefers controlled host-side integration, scoped credentials, and reverse SSH for sensitive flows such as USB.

Fingerprint awareness

The control plane evaluates VM configurations for server- and virtio-style characteristics as risk hints. This does not change the product path; it provides operational awareness.

Residential egress and WireGuard exit

Sensitive targets can use direct, split, or full egress control through a WireGuard exit. This gives the operator explicit control over network posture without opening endpoint ports.

Responsible disclosure

For security issues, contact the project through the official Beagle OS channels and include enough technical detail to reproduce the issue safely.