Hub
Every Weblisk deployment is a hub — a self-sovereign node that owns its orchestrators, domains, agents, logic, and data. Hubs connect to form a global network where businesses collaborate through cryptographically enforced data contracts.
What Is a Hub?
A hub is a complete Weblisk deployment. It includes an orchestrator, domain controllers, work agents, infrastructure agents, and all associated data. The owner of a hub has full sovereignty — no external authority can access data, modify behavior, or override policies.
Self-Sovereign
Your hub, your rules. Data never leaves your boundary without an explicit data contract. No vendor can access your orchestrator or override your domain policies.
Domain-Organized
Each hub runs domain controllers for its business functions. Three domains ship free — SEO, Content Quality, and Health Monitoring. Add custom domains for your industry.
Agent-Powered
Specialized work agents run under domain controllers. Infrastructure agents provide shared services. All agents are sandboxed with explicit capability grants.
Hub Architecture
Hub (self-sovereign deployment)
├── Orchestrator (coordinator)
│ ├── Domain: SEO
│ │ ├── seo-analyzer (work agent)
│ │ └── a11y-checker (work agent)
│ ├── Domain: Content
│ │ ├── content-analyzer (work agent)
│ │ └── meta-checker (work agent)
│ ├── Domain: Health
│ │ ├── uptime-checker (work agent)
│ │ └── perf-auditor (work agent)
│ └── Infrastructure Agents
│ ├── sync
│ ├── cron
│ ├── webhook
│ └── email-send
└── Federation (hub-to-hub)
├── Discovery & trust establishment
├── Data boundary contracts
└── Cross-org task execution
Hub Roles
Every hub can serve one or more roles simultaneously:
| Role | Description | Example |
|---|---|---|
| Provider | Publishes agent capabilities for others to consume | A logistics company offering shipment tracking |
| Consumer | Discovers and invokes capabilities from other hubs | A retailer consuming shipment tracking from a logistics partner |
| Registry | Indexes published capabilities and serves discovery queries | Avaropoint's global registry, a regional or vertical registry |
A manufacturing hub might provide inventory intelligence to retail hubs, consume compliance checking from an audit hub, and operate a private registry for its supplier network — all simultaneously.
Federation
Federation is the protocol that lets hubs collaborate. When two organizations want to work together, their hubs establish trust through Ed25519 identity signing, negotiate data boundary contracts, and then coordinate agent work across organizational boundaries. See Protocols for the full federation wire protocol, data contracts, and behavioural integrity specification.
Collaboration Flow
- Discover — Consumer hub searches the registry or queries a provider directly. Reviews listing: capability, data contract, SLA, pricing, behavioural metrics, jurisdiction.
- Review Data Contract — Consumer downloads the data contract. Reviews what inbound data is required/permitted, what outbound data will be returned, what fields are forbidden, jurisdiction requirements, and retention policy. Legal/compliance team approves.
- Initiate Peering — Consumer hub sends a peering request (
POST /v1/federation/peer) with its orchestrator manifest, requested capabilities, and accepted data contracts. - Provider Review — Provider hub reviews the consumer's identity, jurisdiction, and requested capabilities. Provider approves or rejects.
- Trust Established — Provider sends peer-accept. Both hubs exchange manifests and public keys. Federation link is live.
- First Collaboration — Consumer's domain controller includes the federated capability in its workflow. First federated task executes with full data contract enforcement, behavioural verification, and audit logging.
- Ongoing Monitoring — Both hubs monitor usage against quotas and SLAs, behavioural fingerprint stability, data contract compliance, error rates, and latency.
Capability Listings
When a hub publishes a capability to the network, the listing includes verifiable metadata — not marketing text, but cryptographically signed facts:
{ "listing_id": "avaropoint:seo-audit", "provider": { "hub_name": "avaropoint-prod", "public_key": "<hex Ed25519 public key>", "federation_url": "https://agents.avaropoint.com/v1/federation", "jurisdiction": "US" }, "capability": { "domain": "seo", "action": "audit", "version": "1.2.0", "data_contract": "seo-audit-v1" }, "tier": "pro", "pricing": {"model": "per_invocation", "unit_price": 0.05, "free_quota": 100}, "sla": {"availability_target": 99.9, "p95_latency_ms": 5000}, "metrics": { "uptime_30d": 99.95, "p95_latency_30d_ms": 3200, "total_invocations_30d": 142000, "error_rate_30d": 0.002, "behavioral_changes_90d": 1 }, "compliance": {"jurisdiction": "US", "retention_hours": 24}, "signature": "<provider's Ed25519 signature over listing>" }
Free vs Pro Tiers
Tier separation is about capability scope and service levels, not security or quality. Both tiers use the same federation protocol, data contracts, and trust enforcement.
| Aspect | Free | Pro |
|---|---|---|
| Federation protocol | Full | Full |
| Data contracts | Full enforcement | Full enforcement |
| Behavioural verification | Full | Full |
| Concurrency | Limited (5 concurrent) | Configurable (up to SLA) |
| Rate limiting | Strict (100/hour) | Per-contract |
| SLA | Best-effort | Contractual (99.9%+) |
| Support | Community | Business hours or 24/7 |
| Metering | Usage-capped (free quota) | Pay-per-use or subscription |
| Priority routing | Standard | Priority queue |
| Audit access | Self-only | Shared audit with provider |
Pricing Models
| Model | Description | Suited For |
|---|---|---|
| per_invocation | Charge per federated task execution | High-volume, low-cost tasks |
| monthly_subscription | Flat fee for unlimited or capped access | Predictable workloads |
| tiered | Price brackets based on volume | Variable workloads |
| custom | Negotiated pricing for enterprise | Large partnerships |
Usage Metering
Both hubs independently track usage for reconciliation. Metering records are dual-signed by both consumer and provider, ensuring neither party can dispute usage unilaterally. Discrepancies are flagged for manual resolution.
Discovery
Registry Search
Hubs search the registry by capability, domain, jurisdiction, and tier via GET /v1/hub/search:
| Parameter | Description |
|---|---|
domain | Filter by domain (e.g. "seo") |
action | Filter by action (e.g. "audit") |
tier | "free", "pro", or "all" |
jurisdiction | Filter by provider jurisdiction (ISO 3166-1) |
min_uptime | Minimum 30-day uptime percentage |
max_latency | Maximum p95 latency in ms |
sort | "relevance", "uptime", "latency", "price", "invocations" |
Direct Discovery
Without a registry, one hub can query another hub's published capabilities directly via
GET /v1/federation/contracts, which returns the data contracts and capabilities the
target hub offers to peers at the requester's trust tier.
Data Sovereignty
Data sovereignty isn't a feature — it's the foundation. Every piece of data in a Weblisk hub has an owner, a purpose, and a boundary.
| Principle | How It Works |
|---|---|
| Owner control | Data never leaves a hub without the owner's explicit, signed consent |
| Purpose limitation | Data contracts specify exactly what data is shared and for what purpose |
| Time-bounded | Contracts include expiry dates — shared data is automatically revoked |
| Audit trail | Every cross-boundary data access is cryptographically logged |
| Behavioral integrity | Agents that deviate from established patterns are flagged before they can cause harm |
Behavioural Change Management
Behavioural integrity is especially critical across hubs because each hub relies on capabilities it does not own or control.
Provider Obligations
When a provider updates an agent that backs a published capability:
- BENIGN changes: Publish updated metrics. No disruption.
- NOTABLE changes: Update hub listing, notify collaborating hubs via
POST /v1/hub/notify, allow 7-day parallel running of old + new version. - BREAKING changes: Publish new listing version alongside old, notify all collaborators with detailed changelog, provide 30-day deprecation window. Collaborators must explicitly opt-in.
- CRITICAL changes: Immediately suspend the listing, notify all collaborators with
BEHAVIORAL_CHANGE_CRITICAL, require re-approval from all active collaborators.
Collaborator Protections
- Version pinning — collaborators can pin to a specific version; providers MUST continue serving it during deprecation
- Change notifications — all changes above BENIGN trigger a notification to the collaborating hub
- Automatic suspension — CRITICAL behavioural changes automatically suspend federated tasks until admin review
- Audit trail — full history of behavioural changes visible in the listing's metrics
Revocation & Removal
Collaborator Disconnects
A collaborator can revoke trust at any time via POST /v1/federation/peer-revoke.
In-flight tasks complete with timeout, no new tasks are dispatched, metering finalises at
revocation, and the data retention clock starts on both sides.
Provider Delists
A provider can remove a capability via POST /v1/hub/delist.
Active collaborators receive a 30-day warning. Existing collaborators continue for the
deprecation window. After deprecation, trust relationships expire and the listing
is removed from registry search results.
Emergency Revocation
In case of a security incident (compromised key, data breach, malicious behaviour), immediate revocation terminates the trust relationship with no grace period, cancels all in-flight tasks, purges all cross-boundary data per retention policy, logs the incident in both audit trails, and notifies the registry.
Registry Architecture
A registry is itself a Weblisk hub — an orchestrator with specialised agents for indexing and discovery:
| Component | Role |
|---|---|
| Index Agent | Crawls and indexes hub manifests from known providers |
| Search Agent | Handles discovery queries with ranking and filtering |
| Metrics Agent | Collects and aggregates uptime, latency, and usage metrics |
| Verification Agent | Validates hub identity and manifest signatures |
| Alert Agent | Monitors behavioural changes and notifies affected collaborators |
The registry NEVER handles actual federated task data. It only indexes metadata (listings, metrics, contracts). All data exchange happens directly between hubs through the federation protocol.
Registry Federation
Multiple registries can federate with each other, sharing listing indexes. This prevents a single point of failure and supports regional or vertical-specific registries:
Global Registry (Avaropoint) ├── EU Registry (regional) ├── APAC Registry (regional) └── Healthcare Registry (vertical)
Each registry independently verifies hub signatures. A listing appearing in multiple registries carries the same cryptographic proof regardless of which registry serves it.
Hub Network
At scale, the hub network forms a topology analogous to the internet — decentralised, resilient, and self-organising. Key properties:
- No single point of failure — if any hub or registry goes offline, the remaining network continues. Existing trust relationships are peer-to-peer and do not depend on the registry.
- Organic growth — new hubs join by peering with existing hubs. No central authority approves membership.
- Domain specialisation — each hub excels at its own domains. Collaboration lets every hub access capabilities beyond its own specialisation.
- Data stays home — each hub processes data within its own jurisdiction. Only the minimum required data (per data contracts) crosses boundaries, cryptographically controlled at every step.
Replacing EDI & Traditional B2B
| Traditional (EDI/B2B) | Weblisk Hub Network |
|---|---|
| Fixed message formats (X12, EDIFACT) | Flexible data contracts with explicit boundaries |
| Point-to-point VAN connections | Federated mesh with peer discovery |
| Opaque data pipelines | Full audit trail on both sides |
| No behavioural guarantees | Behavioural fingerprinting and change detection |
| Manual integration per partner | Agents negotiate and execute autonomously |
| Data ownership unclear | Data ownership explicit in every contract |
| Months to onboard a partner | Peering flow: discover → review → connect |
| No AI-native processing | Agents understand content, context, and intent |
| Vendor lock-in | Open protocol, self-sovereign hubs |
Use Cases
Supply Chain
Manufacturer, distributor, and retailer each run their own hub.
Inventory agents collaborate across hubs with data contracts
that protect each party's pricing and customer data. The manufacturer's
procurement agent can invoke the supplier's inventory:check without
the supplier ever seeing the manufacturer's production schedule.
B2B Integration
Replace EDI documents and translation middleware with native federation. Partners connect their hubs, define data contracts, and agents handle the rest — no custom integration code.
Multi-Tenant SaaS
Each customer gets their own hub with full data sovereignty. Your platform hub coordinates features and updates. Customers keep their data under their own control.
Hub API Endpoints
Hub-specific endpoints (in addition to federation endpoints):
| Path | Method | Auth | Description |
|---|---|---|---|
/v1/hub/search | GET | Public | Search capability listings across the network |
/v1/hub/listing/{id} | GET | Public | Get listing details with metrics and compliance info |
/v1/hub/publish | POST | Hub-auth | Publish or update a capability listing |
/v1/hub/delist | POST | Hub-auth | Remove a listing (30-day deprecation for active collaborators) |
/v1/hub/metrics/{id} | GET | Public | Get listing performance metrics |
/v1/hub/contracts/{name} | GET | Public | Download a data contract |
/v1/hub/notify | POST | Hub-auth | Send change notification to collaborators |
/v1/hub/usage | GET | Peer-auth | Usage metering for billing period |
Security Considerations
| Threat | Mitigation |
|---|---|
| Listing integrity | Listings are signed by the provider hub. Registries and collaborators verify signatures before indexing or peering. |
| Sybil attacks | Each listing requires a valid hub identity with a verifiable key pair. Registries MAY require additional identity verification. |
| Price manipulation | Usage metering is dual-signed by both hubs. Neither party can unilaterally alter usage records. |
| Bait-and-switch | Behavioural fingerprinting detects when a provider changes agent behaviour. BREAKING and CRITICAL changes trigger notifications and suspension. |
| Data harvesting | Data contracts are enforced by the consumer's own hub before data crosses the boundary. A malicious provider cannot request more data than the contract permits. |
| Supply chain attacks | Behavioural change detection flags anomalies. Key rotation requires dual-signature proof. Emergency revocation enables immediate disconnection. |