It's consent-gated. The tunnel doesn't exist until you type "y" at your terminal, and the coordinator in the middle is a dumb pipe. A second, end-to-end TLS handshake runs between the two ends, and the CA's private key never leaves the host, so the broker can't impersonate either side or read the payload. Every approval and denial lands in an append-only audit log.
It's pre-1.0 with no independent security review yet, so I wouldn't guard anything sensitive with it. Happy to dig into the design in the comments, especially the trust model and the metadata it does still leak.
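The consent gate and audit trail described above, as an added Python sketch that is not the project's own code; the hash-chaining of the log and the injected prompt function are assumptions made for this demo, not features the comment claims:

```python
import hashlib
import json
from typing import Callable, List

GENESIS = "0" * 64  # chain anchor for the first audit entry


class AuditLog:
    """Append-only log of tunnel decisions (assumed hash-chained for this example).

    Each entry commits to the digest of the entry before it, so editing or
    dropping an earlier approval/denial invalidates every entry after it.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        body = {"prev": prev, **event}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append({**body, "digest": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "digest"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if entry["prev"] != prev or entry["digest"] != expected:
                return False
            prev = entry["digest"]
        return True


class TunnelGate:
    """Consent gate: no tunnel exists until the operator types 'y' at the prompt."""

    def __init__(self, prompt: Callable[[str], str], log: AuditLog) -> None:
        self.prompt = prompt  # normally input(); injected so the flow is testable offline
        self.log = log
        self.open_tunnels: set = set()

    def request(self, peer: str, target: str) -> bool:
        answer = self.prompt(f"Allow {peer} to tunnel to {target}? [y/N] ")
        approved = answer.strip().lower() == "y"  # anything else, including bare Enter, denies
        self.log.append({"peer": peer, "target": target,
                         "decision": "approve" if approved else "deny"})
        if approved:
            self.open_tunnels.add((peer, target))
        return approved


def scripted(answers: List[str]) -> Callable[[str], str]:
    """Constructed stand-in for the terminal prompt that replays canned answers."""
    it = iter(answers)
    return lambda _msg: next(it)
```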