# ECP-0069: NixOS Control Bridge Auto-Bootstrap

Status: Implemented

## Decision

Extend the NixOS `services.every-channel.ec-node` module so web directory bridge startup is automatic and does not require manual peer copy/paste.

1. `ec-node wt-publish` gains `--control-endpoint-addr-out `.
   - When `--control-announce` is enabled, it writes the local control endpoint address JSON to the provided file.
   - It also logs both control endpoint id and endpoint address at startup.
2. NixOS module updates:
   - Publisher units pass `--control-endpoint-addr-out /run/every-channel/control-peer-.json`.
   - New `control.bridgeWeb.*` options start a managed `every-channel-control-bridge-web` service.
   - Bridge service reads endpoint-address files from running publishers and feeds them into `control-bridge-web --gossip-peer ...` automatically.

## Motivation

Browser users need `every.channel` to show active streams without manual bootstrap steps. Previously, the bridge had no stable way to discover local publishers after reboot/service restart. Writing endpoint-address files from publishers makes bridge bootstrap deterministic on one host.

## Scope

In scope:

- New `wt-publish` endpoint-address output flag.
- NixOS module wiring for endpoint file emission.
- Managed bridge service with restart-safe peer refresh.

Out of scope:

- Cross-host authenticated discovery trust model.
- Signed control announcements.
- Browser-native iroh direct transport playback.

## Alternatives considered

- Continue manual gossip peer bootstrapping for the bridge. Rejected because restarts/reboots cause repeated operational toil.
- Use static peer lists only. Rejected because local publisher sets are dynamic and should be discovered from runtime endpoint files.

## Rollout / Reversibility

- Additive: existing publisher behavior is unchanged when `control.bridgeWeb.enable = false`.
- Revert path: disable bridge service and/or remove endpoint-file arg.
- Failure mode: if no peer files exist, bridge waits and retries without failing system activation.
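
Because signed announcements and an authenticated trust model are out of scope, the only local check available to the bridge is hygiene on the peer files themselves. The sketch below is an added example, not the module's own wrapper: the function names, the file checks, and the retry parameters are assumptions, and it stops at producing the list of usable files because the page does not specify how their contents are handed to `--gossip-peer`.

```shell
# Added example (hypothetical helpers, not part of the every-channel module).
# Assumes publishers write control-peer-*.json into one runtime directory,
# e.g. /run/every-channel as described above.

# Print one usable peer file path per line from directory $1.
collect_peer_files() {
  dir=$1
  for f in "$dir"/control-peer-*.json; do
    [ -L "$f" ] && continue   # a symlink could point outside the runtime dir
    [ -f "$f" ] || continue   # unmatched glob or not a regular file
    [ -s "$f" ] || continue   # empty: publisher has not finished writing
    # Skip files that group or others can modify (POSIX find, no GNU flags).
    [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ] && continue
    printf '%s\n' "$f"
  done
  return 0
}

# Wait until at least one usable peer file exists, then print the list.
# $2 = max attempts (0 = retry forever, matching the failure mode above),
# $3 = seconds between attempts.
wait_for_peers() {
  dir=$1; tries=${2:-0}; interval=${3:-2}; n=0
  while :; do
    peers=$(collect_peer_files "$dir")
    if [ -n "$peers" ]; then
      printf '%s\n' "$peers"
      return 0
    fi
    n=$((n + 1))
    [ "$tries" -gt 0 ] && [ "$n" -ge "$tries" ] && return 1
    sleep "$interval"
  done
}
```

Re-running `wait_for_peers` on each service restart gives the restart-safe refresh: the list is rebuilt from whatever publishers are currently running rather than cached.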