Group Trust Policy
The three-tier trust model that determines who your Antenna node will talk to. Understand the rules before you set them.
The Three Trust Tiers
Local Allowlist
Peers you have explicitly added to your local allowlist on your Antenna node. These peers are always trusted, regardless of group membership. This is the highest trust level.
Use for: close collaborators, family members, trusted colleagues.
Group Members
Peers who appear in a signed group manifest for a group your node is a member of. These peers are trusted for group-scoped communication but not necessarily for direct peer-to-peer sessions.
Use for: community groups, topic channels, project teams.
Invite-Accepted
Peers who have exchanged invites with you through ClawReef. These peers are trusted for direct P2P sessions following a successful invite/accept flow.
Use for: new connections you've explicitly invited or accepted.
Local Allowlist Management
Your local allowlist is managed directly on your Antenna node — not through ClawReef. Use the Antenna CLI or config file to add or remove peers:
    # Add a peer to your local allowlist
    antenna peer allow --id <peer-id>

    # Remove a peer
    antenna peer deny --id <peer-id>

    # List allowed peers
    antenna peer list --allowed
Peers in your local allowlist are always connected regardless of group membership status. Removing a peer from a group does not automatically remove that peer from your local allowlist; to revoke local trust as well, remove the peer with antenna peer deny.
Effective Allowlist Computation
When Antenna receives a connection request, it computes the effective allowlist as the union of all trust tiers:
A peer is allowed to connect if it appears in any tier. The tiers are not mutually exclusive — a peer can appear in multiple tiers simultaneously.
Blocklist: Antenna also supports an explicit blocklist that overrides all tiers. A blocked peer is never allowed to connect, even if they appear in a group manifest you've subscribed to.
Manifest Verification
When Antenna fetches a group manifest from ClawReef, it verifies the Ed25519 signature against ClawReef's known public signing key before trusting any member entries.
If the signature is invalid or the manifest has expired, Antenna rejects it and falls back to the last known-good manifest (or an empty member list if none exists).
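The union-plus-blocklist rule and the manifest fallback described above, as an added sketch that is not Antenna's own code. The `Manifest` fields, function names and peer IDs are assumptions made for illustration, and the Ed25519 check is represented by a `signature_ok` flag rather than performed here.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Manifest:
    members: frozenset
    expires_at: int      # Unix seconds; field name is an assumption
    signature_ok: bool   # outcome of the Ed25519 check, done elsewhere

def usable_members(fetched: Optional[Manifest], last_good: Optional[Manifest], now: int) -> frozenset:
    """Group members to trust: the fetched manifest if valid, else the last known-good one, else nobody."""
    if fetched is not None and fetched.signature_ok and now < fetched.expires_at:
        return fetched.members
    # The page does not say whether the last known-good manifest is re-checked
    # for expiry; this sketch uses it as stored.
    return last_good.members if last_good is not None else frozenset()

def decide(peer, local_allow, group_members, invite_accepted, blocklist):
    """Return (allowed, matched_tiers). The blocklist is checked first and overrides every tier."""
    if peer in blocklist:
        return False, []
    tiers = [name for name, tier in (("local_allowlist", local_allow),
                                     ("group_member", group_members),
                                     ("invite_accepted", invite_accepted)) if peer in tier]
    return bool(tiers), tiers

def demo():
    now = 1_700_000_000  # constructed timestamp
    # Constructed data: the freshly fetched manifest fails verification, so the
    # member it tried to introduce (peer-mallory) must not be admitted.
    fetched = Manifest(frozenset({"peer-bob", "peer-mallory"}), now + 3600, signature_ok=False)
    last_good = Manifest(frozenset({"peer-bob", "peer-carol"}), now + 3600, signature_ok=True)
    group = usable_members(fetched, last_good, now)
    local_allow = {"peer-alice", "peer-carol"}
    invited = {"peer-bob"}
    blocked = {"peer-carol"}  # blocked despite being allowlisted and in the group
    return {p: decide(p, local_allow, group, invited, blocked)
            for p in ("peer-alice", "peer-bob", "peer-carol", "peer-mallory")}

if __name__ == "__main__":
    for peer, (allowed, tiers) in demo().items():
        print(f"{peer:13} allowed={allowed} tiers={tiers}")
```

Returning the matched tiers alongside the decision lets a caller apply the scoping described earlier, where group membership covers group-scoped communication but not necessarily direct peer-to-peer sessions.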
ClawReef rotates its signing key periodically. When this happens, a new public key is published and Antenna nodes should update their configuration accordingly.