Zeq Edge
Edge protection for any site. Point your DNS at the Zeq edge — get a WAF, a cache, an audit entangled state, and a per-Zeqond entangled state of every request. Physical type-safety: requests that ride a forbidden phase against the HulyaPulse f = 1.287 Hz system clock are phase-cancelled at the gate.
Phase 2.1 (2026-05-19). Backed by four cf_* tables and one sibling Node process (shared/cf-edge/). The framework's ≤ 0.1 % tolerance (KO42) applies.
What you get
| Layer | What the edge does |
|---|---|
| DNS | CNAME flattening — point www.theirsite.com → zeqedge.zeq.dev. (Apex / NS-delegation = Phase 3+.) |
| TLS | Strict origin TLS by default; per-site insecure_origin_allowed for staging environments (Pro+ tier). |
| WAF | Built-in three-gate: HF1–HF20 composite (doctrine-default weights, Σwᵢ = 0.9999) ∧ ZEQ-PROTECT-001 ∧ ZEQ-PROTECT-002. |
| Cache | Redis-backed (LRU fallback), key = `sha256(host |
| Audit | Every request → one row on the customer's machine entangled state. Operator IDs: CF-REQ, CF-CACHE-HIT, CF-WAF-BLOCK, CF-RULE-DENY, CF-ORIGIN-FAIL. |
| Analytics | 60-Zeqond rollup window (≈ 46.6 s — 77 ticks at 1.287 Hz). One UPSERT row per (site_id, window_start_zeqond). |
Quickstart
- Create a state machine (already a working framework flow).
- Open `/apps/zeq-edge/`, paste your admin `zsm_` key, click Add site.
- Set the CNAME the form shows you.
- Once propagated, requests are proxied, scored, cached, and audit-logged.
Programmatic registration
```bash
curl -X POST https://zeq.dev.local:3099/api/cf/sites \
  -H 'X-Zeq-SM-Key: zsm_…' \
  -H 'Content-Type: application/json' \
  -d '{
    "hostname": "www.your-domain.com",
    "origin_url": "https://origin.your-domain.com",
    "plan_tier": "pro"
  }'
```

Response:

```json
{
  "ok": true,
  "id": "…",
  "edge_id": "deadbeefcafef00d",
  "dns_instructions": {
    "cname_target": "deadbeefcafef00d.zeqedge.zeq.dev",
    "message": "Set the following CNAME at your DNS provider:\n www.your-domain.com CNAME deadbeefcafef00d.zeqedge.zeq.dev"
  },
  "status": "pending_cname"
}
```
API surface
See api-reference.md for the full list. Phase 2.1 ships:
- `POST /api/cf/sites` · `GET /api/cf/sites` · `GET /api/cf/sites/:id`
- `POST /api/cf/sites/:id/rules` · `DELETE /api/cf/sites/:id/rules/:rule_id`
- `GET /api/cf/sites/:id/analytics?window=60z|24h|7d`
- `POST /api/cf/sites/:id/purge`
Rule engine
See rule-engine.md for the matcher reference. Phase 2.1 ships three rule kinds:
| Kind | When to use | action_json contract |
|---|---|---|
| page_rule | Path-scoped cache TTL / allow / deny. | { deny: true } · { cache_ttl_zeqonds: 600 } · {} (= allow). |
| waf | Path-scoped WAF threshold override. | { threshold: 0.85 } — composite must be ≥ this to fire. |
| redirect | 308 / 301 redirect off matched prefix. | { target: "/new", status: 308 }. |
First match wins. Rules are evaluated in ascending priority — priority: 0 beats priority: 100.
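
As an added example (not Zeq Edge's own code), the TypeScript below evaluates rules first-match-wins in ascending priority and flags rules that can never win because an earlier rule already covers their path. The `priority` and `prefix` field names, the segment-boundary prefix matcher, list order for ties, and a matched `waf` rule ending evaluation even when it does not fire are assumptions; rule-engine.md is the reference for the real matcher.

```typescript
// Added example, not Zeq Edge code. action_json keys are from the table above;
// the `priority`/`prefix` fields and the segment-boundary matcher are assumptions.
type RuleAction = { deny?: boolean; cache_ttl_zeqonds?: number; threshold?: number;
                    target?: string; status?: number };
interface EdgeRule { kind: "page_rule" | "waf" | "redirect"; priority: number;
                     prefix: string; action_json: RuleAction }
// Assumed matcher: "/admin" covers "/admin" and "/admin/x", not "/administrator".
function matches(prefix: string, path: string): boolean {
  if (prefix.endsWith("/")) return path.startsWith(prefix);
  return path === prefix || path.startsWith(prefix + "/");
}
// Ascending priority; Array.prototype.sort is stable, so ties keep list order.
function ordered(rules: EdgeRule[]): EdgeRule[] {
  return [...rules].sort((a, b) => a.priority - b.priority);
}

// First match wins: only the first matching rule is consulted.
function decide(rules: EdgeRule[], path: string, composite: number): string {
  const hit = ordered(rules).find((r) => matches(r.prefix, path));
  if (!hit) return "no_match";
  const a = hit.action_json;
  if (hit.kind === "redirect") return `redirect ${a.status} ${a.target}`;
  if (hit.kind === "waf") // fires only when composite >= threshold
    return a.threshold !== undefined && composite >= a.threshold ? "waf_block" : "waf_pass";
  return a.deny ? "deny" : "allow"; // {} and { cache_ttl_zeqonds: n } both allow
}

// Lint: a rule can never win if an earlier rule's prefix covers its prefix.
function shadowed(rules: EdgeRule[]): string[] {
  const list = ordered(rules);
  const out: string[] = [];
  list.forEach((later, i) => {
    const by = list.slice(0, i).find((e) => matches(e.prefix, later.prefix));
    if (by) out.push(`${later.prefix}@${later.priority} hidden by ${by.prefix}@${by.priority}`);
  });
  return out;
}

// Constructed rule sets: in `risky` the broad allow at priority 0 hides the deny.
const risky: EdgeRule[] = [
  { kind: "page_rule", priority: 100, prefix: "/admin", action_json: { deny: true } },
  { kind: "page_rule", priority: 0, prefix: "/", action_json: {} },
];
const fixed: EdgeRule[] = [
  { kind: "page_rule", priority: 0, prefix: "/admin", action_json: { deny: true } },
  { kind: "waf", priority: 10, prefix: "/login", action_json: { threshold: 0.85 } },
  { kind: "page_rule", priority: 100, prefix: "/", action_json: {} },
];
console.log(shadowed(risky), decide(fixed, "/admin/users", 0));
```

Running `shadowed` over a site's rule list before submitting it catches the case where a catch-all allow sits at a lower priority number than a deny or WAF override.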
Pricing
See pricing.md. Phase 2.1 pricing decision lock:
- Free tier: 1 site / 100k requests per day shared across the site's routes.
- Pro / Business: existing framework tiers — no new ZEQ lines added in Phase 2.1 (see `tallyEconomy.OPERATION_COSTS`). Phase 2.2 adds `cf_request_billable` + `cf_bandwidth_kb_egress`.
- Threat rebate: 5 ZEQ per 1 000 blocks, capped at 100 ZEQ per Zeqond per machine (anti-farm-rebate per Zeq's 2026-05-19 decision).
Phase 2.1 caveats — honest remaining-work callouts
- ACME automation — Phase 2.2 (Let's Encrypt DNS-01 via the framework's auth on `*.zeqedge.zeq.dev`).
- Multi-POP geographic distribution — Phase 3+ (rides existing `zeqMesh` peer gossip).
- Mobile-friendly dashboard — Phase 2.2.
- Custom cert upload flow — Phase 2.2 (operator-managed cert via ZSC `cf:cert:<hostname>:*` until then).
- CLI subcommand — Phase 2.2 (`zeq cf …`).
- Bandwidth metering surface — Phase 2.2 (`bytes_egress` is captured in `cf_request_aggregates` today; the chargeOperation call lands in 2.2).
Constants verbatim
| Constant | Value | Source |
|---|---|---|
| HulyaPulse f | 1.287 Hz | lib/zeq-kernel-constants.ts DISPLAY.F_H_HZ |
| Zeqond τ | 0.777 s | same DISPLAY.TAU_ZQ_S |
| α (modulation) | 1.29 × 10⁻³ | same DISPLAY.ALPHA_K |
| Aggregation window | 60 Zeqonds (≈ 46.6 s) | lib/cfCore.ts CF_AGGREGATE_WINDOW_Z |
| Threat-rebate per 1k blocks | 5 ZEQ | lib/cfCore.ts CF_THREAT_REBATE_PER_1K |
| Threat-rebate cap | 100 ZEQ / Zeqond / machine | lib/cfCore.ts CF_THREAT_REBATE_CAP_PER_ZEQOND |
| Default cache TTL | 300 Zeqonds (≈ 233 s) | lib/cfCore.ts CF_CACHE_DEFAULT_TTL_Z |
| Cache body upper bound | 5 MiB | lib/cfCore.ts CF_CACHE_MAX_BODY_BYTES |
The framework's own tolerance applies to every number here — drift across docs/code/dashboard is a bug.