Infrastructure

VPN Handshakes

The Spendplane Handshake protocol is powered by WireGuard® and enhanced with a proprietary metadata stripping layer. It ensures every "Spendit Agent" connection is unique, ephemeral, and cryptographic.

How do I route v0 traffic to Llama-3?

The Handshake Lifecycle

01

Public Key Exchange

The Spendit CLI generates a one-time Curve25519 key pair. The public key is sent to the Shadow Plane via an encrypted gRPC channel.

02

Shadow Tunnel Initiation

The Shadow Plane verifies the key and assigns a unique, non-routable internal IP. Noise-protocol packets are used for the first-mile handshake.

03

Metadata Redaction

All headers are stripped of local identifiers. The traffic is now effectively anonymous before entering the VPC.

Technical Specification

Encryption

CHACHA20-POLY1305 / KURVE25519 / BLAKE2S

Key Rotation

Every 15 minutes (Automatic Renegotiation)

Security Advisory: IP Tracking

Because Spendplane uses WireGuard handshakes, source IP addresses from your LLM provider (e.g. Vercel) never touch your VPC logs. All logs will attribute traffic to the gateway node.

Trace Hub: Manual v1.0.4 / WireGuard Verification: READY