Maestra

Build worlds
that respond.

Connect devices, locations, and experiences with open-source orchestration.

Built for what you build.

01

Your Installations Stay Private

Sites never expose ports. All connections are initiated outbound through encrypted tunnels — your installations remain invisible to the outside world.

02

You Decide What Flows Where

Every message between sites requires an explicit policy. Nothing crosses boundaries without your permission. Complete control over what data goes where.

03

Cryptographic Trust

Every device is verified with mutual TLS certificates. No passwords, no tokens — mathematical proof that each connection is exactly who it claims to be.

04

See Everything in Real Time

A live dashboard shows every connected site, every message flow, every heartbeat. Know the state of your entire installation network at a glance.

05

Isolated by Design

Each site gets its own cryptographically isolated account. A compromise at one location cannot affect another. Security is architectural, not bolted on.

06

Full History, Always

Every action, every connection, every policy change is logged with full context. When something happens, you can trace exactly what, when, and why.

Three steps to connected.

  1. Step / 01

    Install the Agent

    Drop the lightweight agent onto each site. It connects outbound to the cloud gateway — no ports to open, no firewall rules to manage.

  2. Step / 02

    Connect to the Gateway

    The agent authenticates with its unique certificate and joins the cloud mesh. Your sites can now see each other through the secure relay.

  3. Step / 03

    Define and Create

    Set policies for what flows between sites. Route messages, synchronize state, orchestrate experiences across locations — all through a single control plane.

[ 03 // ARCHITECTURE ]

Serious infrastructure, creative on the surface.

  1. Sites: outbound TLS · zero ports exposed
  2. Edge Proxy: Envoy · rate limiting · TLS termination
  3. Auth: mTLS + OIDC · cryptographic identity
  4. Message Router: policy-driven routing
  5. Cloud NATS: isolated accounts per site
  6. Policy Engine: every flow explicitly allowed
  7. Control Plane: site management, certs, audit
  8. Dashboard: real-time monitoring
NATS · FastAPI · PostgreSQL · mTLS · OIDC · Redis · Envoy

Ready to bring your installation to life?