Pillar one
The agent connects an authenticated user on an attested device to the resource they were granted, and only that resource. There are no flat networks behind it and no standing routes that outlive the session.
The shortest path from a user to a resource is the only path the platform builds.
In depth
Each connection is point-to-point and short-lived, scoped by policy, and recorded by the audit chain. The user experience stays familiar; the operational guarantees are very different.
Each session has exactly two endpoints, the device and the resource. There is no implicit network access surface beyond that pair.
Connections survive sleep, network roaming, and silent re-authentication so end users do not learn to bypass them.
First-class clients for Windows, macOS, and Linux. Installed via your MDM with the rest of the corporate baseline.
The agent restores its session after reboot using the operating system's keychain. The user does not see a re-authentication prompt.
Access is scoped to a named service. The user never sees a resource that policy did not list.
Routes are chosen by platform decision, not by user preference, and the decision is logged.
TCP, SSH, and HTTP handlers built in. SOCKS5 is available for application-level routing.
Direct device-to-device connections where the network allows; relay-mediated paths when it does not.