Core Concepts

Tubo is built around a small set of orthogonal concepts: roles, overlays, clusters, namespaces, service identities, and a capability-based trust model. Understanding these makes every command and configuration option obvious.

Roles

Every tubo process runs in one of four roles:

Role Command What it does
relaytubo relayPublic bootstrap node. Assists NAT traversal via libp2p circuit relay v2. Does not see traffic content.
attachtubo attachPublishes a local HTTP service into the swarm. Signs announcements, accepts libp2p streams, forwards to origin.
connecttubo connectOpens a local HTTP listener. Discovers the service, dials it, and proxies traffic through a libp2p stream.
gatewaytubo gatewayHTTP ingress gateway that routes requests to swarm services by Host header. Acts as a shared connect proxy.

Overlays, clusters and namespaces

Tubo organises its address space into a three-level hierarchy:

When you run tubo join you join the public overlay and are placed in the home/default cluster/namespace. You can create your own clusters with tubo create cluster/<name>.

Service identity

Every service has two names:

When you run tubo attach http://127.0.0.1:1234 --name lmstudio, Tubo generates or reuses a stable service owner key under ~/.config/tubo/clusters/.../services/ and derives the service ID from it. The service ID remains stable across restarts.

Discovery

In collaborative namespaces, service announcements are published over libp2p GossipSub on an opaque Discovery V3 topic derived from the namespace discovery entry, not from public cluster and namespace IDs alone. Each announcement is Ed25519-signed by the service owner key and carries a PublishLease/ServiceClaim chain signed by the cluster authority.

Clients validate the full chain before routing to a peer:

  1. Topic is correct for the current cluster/namespace discovery entry.
  2. Announcement signature is valid (service owner key).
  3. ServiceClaim is signed by a trusted authority.
  4. Nonce has not been seen before (replay protection).
In the public home/default namespace, ambient discovery is disabled. Services are unlisted — only reachable via a signed invite token. Use a private cluster for ambient discovery.

Access control

Tubo uses a capability-based access model with three main concepts:

NAT traversal

Tubo uses libp2p's built-in NAT traversal stack:

No inbound ports are required on service hosts. Only the relay needs a public TCP port.

Configuration precedence

CLI flag  >  env var  >  config file  >  default  >  interactive prompt

Configuration lives at ~/.config/tubo/config.yaml by default. Override with --config-dir or XDG_CONFIG_HOME.

Next steps