spectral-mesh and spectral-edge use the same policy document format and the same Go packages (internal/policy, internal/policyengine). One file can feed both components when you run them in parallel.
- Schema: `schema_version` and `rules` with `id`, `pattern`, `severity`, and `action` (`observe` or `block`). The legacy `{"patterns":["..."]}` form is still accepted.
- Example: `policy.example.json` at the repo root.
- Reload: send `SIGHUP` to `spectral-mesh` on Linux or macOS to reload `-policy` from disk (only when a file path is set). `spectral-mesh` on Windows does not handle SIGHUP in-tree; restart the process instead. `spectral-edge` without `-policy` uses built-in defaults and cannot hot-reload policy via SIGHUP.
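The following is an added example, not code from the spectral-mesh/spectral-edge repository or its `internal/policy` packages. It shows a loader that accepts both the current `schema_version`/`rules` document and the legacy `{"patterns":[...]}` form, rejects anything other than `observe`/`block` as an action, and wires SIGHUP-driven reload so that a file that fails to parse keeps the previous policy active instead of dropping the sensor to an empty rule set. The per-rule `strings.Contains` scan is a simplified stand-in for the project's Aho-Corasick matcher; the `legacy-N` ids and `medium` severity assigned to legacy patterns are assumptions, as is the `policy.json` path.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"os/signal"
	"strings"
	"sync"
	"syscall"
)

// Rule carries the four per-rule fields of the policy document.
type Rule struct {
	ID       string `json:"id"`
	Pattern  string `json:"pattern"`
	Severity string `json:"severity"`
	Action   string `json:"action"` // "observe" or "block"
}

// Policy is the current shape; Patterns is populated only by the legacy form.
type Policy struct {
	SchemaVersion int      `json:"schema_version"`
	Rules         []Rule   `json:"rules"`
	Patterns      []string `json:"patterns,omitempty"`
}

// ParsePolicy decodes either form and validates ids and actions. Legacy
// patterns become observe-only rules with synthetic ids (an assumption; the
// project's own loader may name or rank them differently).
func ParsePolicy(data []byte) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	if len(p.Rules) == 0 {
		for i, pat := range p.Patterns {
			p.Rules = append(p.Rules, Rule{ID: fmt.Sprintf("legacy-%d", i), Pattern: pat, Severity: "medium", Action: "observe"})
		}
		p.Patterns = nil
	}
	if len(p.Rules) == 0 {
		return nil, fmt.Errorf("policy defines no rules")
	}
	seen := make(map[string]bool, len(p.Rules))
	for _, r := range p.Rules {
		switch {
		case r.ID == "" || r.Pattern == "":
			return nil, fmt.Errorf("rule %q: id and pattern are required", r.ID)
		case seen[r.ID]:
			return nil, fmt.Errorf("duplicate rule id %q", r.ID)
		case r.Action != "observe" && r.Action != "block":
			return nil, fmt.Errorf("rule %q: action must be observe or block, got %q", r.ID, r.Action)
		}
		seen[r.ID] = true
	}
	return &p, nil
}

// Scan returns the rules whose pattern occurs in chunk, in rule order. The
// project runs Aho-Corasick over all patterns in one pass; this per-rule loop
// is a simplified stand-in that yields the same set of hits.
func (p *Policy) Scan(chunk []byte) []Rule {
	s := string(chunk)
	var hits []Rule
	for _, r := range p.Rules {
		if strings.Contains(s, r.Pattern) {
			hits = append(hits, r)
		}
	}
	return hits
}

// ShouldBlock is true when any hit carries action "block".
func ShouldBlock(hits []Rule) bool {
	for _, r := range hits {
		if r.Action == "block" {
			return true
		}
	}
	return false
}

// Store holds the active policy so readers never observe a half-loaded one.
type Store struct {
	mu sync.RWMutex
	p  *Policy
}

func (s *Store) Set(p *Policy)    { s.mu.Lock(); s.p = p; s.mu.Unlock() }
func (s *Store) Current() *Policy { s.mu.RLock(); defer s.mu.RUnlock(); return s.p }

// ReloadFromFile swaps the file in only if it parses; on any error the previous
// policy stays active instead of silently degrading to an empty rule set.
func (s *Store) ReloadFromFile(path string) error {
	data, err := os.ReadFile(path)
	if err != nil {
		return err
	}
	p, err := ParsePolicy(data)
	if err != nil {
		return err
	}
	s.Set(p)
	return nil
}

// WatchSIGHUP reloads path on every SIGHUP, mirroring the Linux/macOS behaviour
// described above. The path is assumed to be the one given to -policy.
func (s *Store) WatchSIGHUP(path string) {
	ch := make(chan os.Signal, 1)
	signal.Notify(ch, syscall.SIGHUP)
	go func() {
		for range ch {
			if err := s.ReloadFromFile(path); err != nil {
				fmt.Fprintln(os.Stderr, "policy reload failed, keeping previous policy:", err)
			}
		}
	}()
}
```

The keep-previous-on-error behaviour in `ReloadFromFile` is the check worth copying: a hot reload that replaces a good policy with nothing because of a typo in the file is a silent detection gap, and the only signal that it happened is a log line.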
| Concern | Behavior |
|---|---|
| Matching | Aho–Corasick over the same rule set; `policy_alert` shares core fields (rule ids, severity, action, optional preview / hash). Host logs add `pid`, `comm`, `enforcement_mode`, BPF fields; edge logs add HTTP / `sensor_kind: edge` context (see EDGE_VS_MESH.md). |
| Allowlist file | One JSON file may include both `comm_prefixes` (host sensor) and `user_agent_prefixes` (edge). Each binary only reads the fields it uses. |
| Dedupe / alert caps | Same ideas: sliding windows for alert volume; keys differ (PID + rule on the host vs. client IP + rule on edge; see EDGE.md). |
| Topic | spectral-mesh | spectral-edge |
|---|---|---|
| Data path | Linux: outbound TLS plaintext via OpenSSL `SSL_write` (eBPF ring buffer → HandleChunk → per-PID rolling buffer → scan). Windows/macOS: same Processor when chunks arrive via `-capture-ingest-addr`, `-capture-stdin-jsonl`, `-capture-hook-socket` (hookwire), or native hook + injector builds under `hook/`; optional OpenSSL module discovery (Windows) and Endpoint Security mmap telemetry (macOS, `-tags spectral_es`) do not supply cleartext by themselves. | HTTP request body (and optional response body with `-scan-responses`) after TLS is terminated elsewhere; the body is buffered up to `-max-body`, then scanned (no per-PID TLS rolling buffer). |
| `sensor_kind` | Host / mesh semantics. | `edge`. |
| `bpf_blocking_enabled` | Linux: reflects `-enable-bpf-blocking`. Windows/macOS: the flag may be requested but kernel wipe is not applied in-tree. | Always `false`; blocking is HTTP 403 with `-reject-on-block-rule`, not kernel wipe. |
| `enforcement_mode` | Present on spectral-mesh `policy_alert` logs (OS-specific enforcement hint). | spectral-edge does not emit this field today; use `sensor_kind`, `direction`, and HTTP metadata in logs. |
| Blind spots | Apps not using the probed libssl, traffic that never leaves the node, etc. | Traffic that never hits this HTTP hop. |
For a feature-level comparison, see EDGE_VS_MESH.md.
Many teams run mesh on nodes for broad host coverage and edge at ingress for consistent scanning of API traffic behind a load balancer. The same `policy.json` can be mounted into both; because one logical request can then be seen twice (once at the edge hop, once as `SSL_write` plaintext on the node), tune dedupe, allowlists, and routing so duplicate `policy_alert` lines for one request do not overwhelm operators.
Operational defaults and auth patterns for edge-only production are in EDGE_PRODUCTION.md.