nix/ec-node: auto-bootstrap web bridge from local control peers

evolution/proposals/ECP-0069-nixos-control-bridge-autobootstrap.md

@@ -0,0 +1,38 @@
+# ECP-0069: NixOS Control Bridge Auto-Bootstrap
+
+Status: Draft
+
+## Decision
+
+Extend the NixOS `services.every-channel.ec-node` module so web directory bridge startup is automatic and does not require manual peer copy/paste.
+
+1. `ec-node wt-publish` gains `--control-endpoint-addr-out <path>`.
+- When `--control-announce` is enabled, it writes the local control endpoint address JSON to the provided file.
+- It also logs both control endpoint id and endpoint address at startup.
+
+2. NixOS module updates:
+- Publisher units pass `--control-endpoint-addr-out /run/every-channel/control-peer-<broadcast>.json`.
+- New `control.bridgeWeb.*` options start a managed `every-channel-control-bridge-web` service.
+- Bridge service reads endpoint-address files from running publishers and feeds them into `control-bridge-web --gossip-peer ...` automatically.
+
+## Motivation
+
+Browser users need `every.channel` to show active streams without manual bootstrap steps. Previously, the bridge had no stable way to discover local publishers after reboot/service restart. Writing endpoint-address files from publishers makes bridge bootstrap deterministic on one host.
+
+## Scope
+
+In scope:
+- New `wt-publish` endpoint-address output flag.
+- NixOS module wiring for endpoint file emission.
+- Managed bridge service with restart-safe peer refresh.
+
+Out of scope:
+- Cross-host authenticated discovery trust model.
+- Signed control announcements.
+- Browser-native iroh direct transport playback.
+
+## Rollout / Reversibility
+
+- Additive: existing publisher behavior is unchanged when `control.bridgeWeb.enable = false`.
+- Revert path: disable bridge service and/or remove endpoint-file arg.
+- Failure mode: if no peer files exist, bridge waits and retries without failing system activation.