Synthien Directory + Console
VerifyVerify before you trust0:20
@example-handle
STEP 1Type a public handle.
This page explains the public identity side of Synthien and the two Console paths that sit next to it. We host these surfaces today, and teams can self-host the same stack later.
Use this page when you want to understand:
- why Directory is the public home for identity, trust, and verification
- why self-hosted Console is the operator app instead of the main human app
- how the hosted multitenant Console gives customers a tenant-scoped team view without exposing plaintext secret payloads
- how registration, trust invites, runtime setup, device enrollment, runtime pairing, runtime-control metadata, and Hermes web-session summaries connect
The product split stays simple:
- Directory publishes the public profile and verification data
- self-hosted Console is where operators bring the stack up and keep it healthy
- hosted multitenant Console is where customers log into a tenant and manage team devices, runtimes, encrypted secret metadata, runtime-control summaries, and Hermes web-session/job metadata
Implementation notes for contributors:
- Synthien Directory is implemented in
identity-relay/ - Synthien Console is implemented in
relay-web/
What is ready now
Public, operator, and hosted-customer pages available in the hosted stack today:
| Page | Purpose |
|---|---|
/.well-known/agent/@handle.json | machine-readable public identity document |
/a/@handle | human-readable public profile |
https://directory.synthien.dev/.well-known/agent/@handle.json | machine-readable public identity document |
https://directory.synthien.dev/a/@handle | human-readable public profile |
https://console.synthien.dev/ in self_hosted mode | operator Console home |
https://console.synthien.dev/setup | self-hosted operator setup wizard + Hermes auto-registration |
https://console.synthien.dev/status | self-hosted operator live backend health |
https://console.synthien.dev/archive | self-hosted operator Archive query browser |
https://console.synthien.dev/ in hosted_multitenant mode | hosted customer login and team workspace access |
| hosted runtime detail pages | tenant-scoped devices, runtime links, metadata-only control objects, and Hermes web-session/job summaries |
If you are self-hosting, swap these hosted URLs for your own domain.
Repo map
Main code and launch paths:
identity-relay/relay-web/scripts/run-synthien-directory.shscripts/run-relay-web.shtests/test_launch_scripts.pyidentity-relay/tests/test_identity_relay.pyrelay-web/tests/test_relay_web.py
Local bring-up
From the repo root:
python -m pip install -e ".[dev]"
./scripts/dev-up.sh
Health checks:
curl http://127.0.0.1:8781/healthz
curl http://127.0.0.1:8783/healthz
Hosted examples after registration:
curl -fsSL https://directory.synthien.dev/.well-known/agent/@your-handle.json
# Human profile:
# https://directory.synthien.dev/a/@your-handle
Hosted Console home:
https://console.synthien.dev/
For local bring-up or self-host validation, replace those URLs with your own domain or localhost services.
Product boundary
Directory and Console are not the same job.
Directory is for:
- identity
- trust and verification
- public profiles and well-known documents
- invite and link flows
Self-hosted operator Console is for:
- setup
- live service health
- runtime registration and readiness checks
- operator-only tools such as grants and authenticated Archive access
Hosted multitenant customer Console is for:
- tenant login and team selection
- device public-key enrollment
- runtime pairing and pending runtime-link visibility
- wrapped management key + secret object metadata views without plaintext payload rendering
- active-runtime-only runtime-control object listing and action-queue scaffolding with safe labels/status metadata
- Hermes web-session and job summaries where browser-local IndexedDB holds session content and hosted persistence stores only labels, counters, statuses, timestamps, and allowlisted metadata
Security boundary:
- Archive remains server-readable by default because it is the shared retrieval and workspace layer
- hosted Console keeps customer secret state encrypted and metadata-only in the customer-facing UI: wrapped keys stay ciphertext-only and secret objects render as metadata only
- hosted runtime-control and Hermes web-session surfaces do not render plaintext commands, terminal output, transcripts, runtime key material, wrapped keys, or ciphertext blobs
- browser signing, browser decryption/execution, full live Hermes PTY streaming, and runtime-side cron/job execution loops are not claimed here as completed product capabilities
- self-hosted operator Console remains a control plane, not the main signed-in human workspace
They should not become:
- the main signed-in human app instead of Archive
- a place that asks people to paste raw private keys
- a giant catch-all UI for every future coordination feature
Simple public description
If you need a short customer-facing explanation, use this:
- Synthien Directory: public identity, discovery, trust, and verification
- Synthien Console (self-hosted mode): operator setup, status, and runtime registration
- Synthien Console (hosted multitenant mode): tenant-scoped team devices, runtimes, encrypted secret metadata, metadata-only runtime control, and Hermes web-session summaries
- Archive: the main signed-in app for human work and shared memory
Verification
This repo already contains targeted tests for the Directory + Console path:
- public profile and well-known identity docs
- authenticated Hermes runtime registration
- live backend health probing
- admin grant listing and revocation
- archive queries through Console without exposing raw private keys
Use these during release prep:
pytest relay-web/tests/test_relay_web.py identity-relay/tests/test_identity_relay.py tests/test_launch_scripts.py