What HIVE Is

HIVE is a hierarchical coordination protocol for distributed autonomous systems. It applies lessons from centuries of military command structure to the problem of getting machines to work together at scale — organizing swarms of autonomous agents into nested tiers that compress information upward and push intent downward, so that large formations can coordinate without drowning in data.

We wrote extensively about the ideas behind HIVE on this blog: from treating every device as the network to hierarchy as communication optimization. Those posts reflect what we believed when we wrote them, and we still stand behind the core thinking.

Why Defense Unicorns

Defense Unicorns builds open-source tooling that helps defense organizations deploy and operate software in disconnected, contested, and resource-constrained environments. That mission overlaps squarely with what HIVE was designed for. They have the team, the community, and the operational credibility to take HIVE places we couldn’t take it alone.

We evaluated this carefully. HIVE needed a home where the protocol would be built, deployed, and iterated on at real scale — not just theorized about. Defense Unicorns is that home.

What We Built

We’re proud of the foundation we laid. HIVE started as a question — what if we stopped treating autonomous coordination as a networking problem and started treating it as an organizational design problem? — and grew into a working protocol with a clear architecture for hierarchical task decomposition, intent propagation, and state compression across tiers.

The ideas are sound. The architecture is sound. Now it’s time for someone with deeper operational reach to carry it forward.

What’s Next

As part of this transition, I — Kit Plummer, CEO and Founder of (r)evolve — am joining Defense Unicorns as VP, Data, AI and Autonomy. I’ll be leading the work to take HIVE and the broader autonomy mission forward from inside Defense Unicorns, with the resources and operational reach to deliver at scale.

(r)evolve continues forward with a sharpened focus on human-machine-AI teaming, coagency, and holistic performance.

To the HIVE Community

If you’ve been following HIVE’s development — thank you. The protocol is in excellent hands, and we’re excited to see what Defense Unicorns builds with it.

“He will win who knows when to fight and when not to fight. He will win who knows how to handle both superior and inferior forces.” — Sun Tzu, The Art of War

Sun Tzu wrote those words around 500 BCE, codifying principles that Chinese armies had refined over centuries. But buried in his treatise on generalship is something more fundamental than tactics: an information architecture for coordinating thousands of soldiers across contested terrain with nothing but signal flags, drums, and runners.

He didn’t have radios. He didn’t have GPS. He certainly didn’t have mesh networks. And yet his armies coordinated at scales that modern autonomous systems programs struggle to match.

What did he understand that we’ve forgotten?

Bamboo slips containing Sun Tzu’s Art of War, discovered in 1972. The oldest surviving copy of the text, sealed in a tomb around 134 BCE. Photo: Gary Todd / Wikimedia Commons / Public Domain

The Modern Prejudice Against Hierarchy

In contemporary discussions of autonomous systems, hierarchy is treated as an obstacle—bureaucratic overhead inherited from rigid institutional thinking. The prevailing assumption is that flat, decentralized architectures are inherently more agile, more resilient, more modern.

This assumption is wrong.

Hierarchy isn’t about authority. It’s about information flow. And it turns out that human organizations discovered the optimal information architecture for large-scale coordination roughly five thousand years ago.

The Cognitive Constraint

In 1956, psychologist George Miller published one of the most cited papers in cognitive science: “The Magical Number Seven, Plus or Minus Two.” His finding was simple but profound: human working memory can only hold about seven items at once.

This isn’t a software limitation we can patch. It’s a hardware constraint baked into the architecture of the human brain. And it explains why every military organization in history—from Roman legions to modern infantry battalions—has converged on the same basic structure: small teams of 4-8 people, led by individuals who report to leaders coordinating 3-5 teams.

A Roman centurion didn’t track 80 individual soldiers. He tracked 10 squad leaders. A modern Army company commander doesn’t manage 120 soldiers directly—she coordinates with 3-4 platoon leaders who each manage 3-4 squad leaders.

This pattern isn’t bureaucratic tradition. It’s cognitive load management.

Hierarchy as Compression

Here’s the insight that matters for autonomous systems: hierarchy is a compression algorithm.

When a platoon leader reports to the company commander, they don’t transmit the position, status, ammunition count, and physiological state of every soldier under their command. They transmit a summary: “Second platoon is combat-effective, in position at grid reference XY, ready to execute.”

That summary compresses perhaps 40 individual data points into one capability statement. The company commander can then hold 3-4 such summaries in working memory—exactly what cognitive science predicts—and make decisions at their echelon.

This compression happens at every level of the hierarchy. Squad leaders summarize fire teams. Platoon leaders summarize squads. Company commanders summarize platoons. The information that flows upward is aggregated, with detail appropriate to the decision-making authority at each level.

Sun Tzu understood this intuitively:

“If words of command are not clear and distinct, if orders are not thoroughly understood, the general is to blame. But if his orders are clear, and the soldiers nevertheless disobey, then it is the fault of their officers.”

Clear orders flowing down. Summarized status flowing up. Coordination happening laterally between peers. Three information flows, each optimized for its purpose.

The Mathematics of Flat vs. Hierarchical

Let’s make this concrete with some numbers.

In a flat mesh network where every node must coordinate with every other node, the number of communication links grows as n(n-1)/2. For practical purposes, this is O(n²)—quadratic scaling.

Now consider a hierarchical structure where each node only communicates with its immediate superior and 4-6 peers. The communication complexity drops to O(n log n).

At 1,000 nodes, the hierarchical approach requires roughly 1% of the communication bandwidth. This isn’t a marginal optimization—it’s the difference between systems that work and systems that collapse under their own coordination overhead.

Trajan reviews his troops from a tribunal, flanked by officers—hierarchy in action. The column depicts 2,662 figures across 155 scenes, organized by cohort and century. Photo: R.B. Ulrich / trajans-column.org

Three Flows, Not One

The hierarchy insight isn’t just about reducing bandwidth. It’s about recognizing that coordination requires three distinct information flows, each with different characteristics:

Upward: Aggregation. Raw state becomes summarized capability. “I have 12 UAVs with 47% average battery” becomes “ISR coverage available for 3 hours.” The next echelon doesn’t need to know which specific platforms are assigned—they need to know what the team can do.

Downward: Dissemination. Commander’s intent becomes specific tasking. “Maintain situational awareness on Route Tampa” gets translated at each level into increasingly specific guidance, until individual platforms receive actionable instructions appropriate to their capabilities.

Lateral: Coordination. Peers synchronize directly without routing through higher echelons. Adjacent squads coordinate their boundaries. Neighboring platoons deconflict their movements. This happens at machine speed, without burdening the hierarchy with routine coordination traffic.

        ┌─────────────────┐
        │   Commander     │
        │   (Intent)      │
        └────────┬────────┘
                 │
    ┌────────────┼────────────┐
    │            │            │
    ▼            ▼            ▼
┌───────┐   ┌───────┐   ┌───────┐
│ Plt 1 │◄─►│ Plt 2 │◄─►│ Plt 3 │  ← Lateral coordination
└───┬───┘   └───┬───┘   └───┬───┘
    │           │           │
    ▼           ▼           ▼
 [Squads]    [Squads]    [Squads]

    ▲           ▲           ▲
    │           │           │
    └───────────┴───────────┘
         Aggregated status
            flows UP

These flows map directly to military doctrine because doctrine encodes the patterns that work.

Sun Tzu again:

“The control of a large force is the same principle as the control of a few men: it is merely a question of dividing up their numbers.”

Divide, aggregate, coordinate. The pattern scales because it was designed to scale.

What This Means for Autonomous Systems

If hierarchy is evolved communication optimization, then treating it as bureaucratic overhead is an architectural mistake. The challenge isn’t to eliminate hierarchy—it’s to implement it properly.

This means:

Design for aggregation. Platforms should advertise capabilities, not just positions. “I can provide persistent surveillance for 4 hours at 10km range” is more useful to a coordination layer than raw telemetry.

Respect cognitive limits. Human operators in the loop should see summarized team capabilities, not individual platform states. If your interface requires an operator to track 20+ entities simultaneously, you’ve exceeded human cognitive capacity.

Enable lateral coordination. Peers should be able to synchronize directly without routing through a central coordinator. Boundary management between adjacent teams is a local problem that should be solved locally.

Preserve authority at appropriate echelons. Not every decision should flow to the top. Define what can execute autonomously, what requires approval, and what demands human judgment—then encode those policies into the coordination architecture.

The Oldest New Idea

We tend to assume that modern problems require modern solutions. But the coordination of large numbers of heterogeneous agents across contested environments with unreliable communications isn’t a new problem. It’s arguably the oldest problem in organized human activity.

Military hierarchies evolved over millennia precisely because they solve this problem. The Roman legion could coordinate 5,000 soldiers across miles of battlefield with nothing but flags and horns. The Mongol army could execute complex maneuvers across hundreds of miles with relay riders.

These weren’t primitive solutions waiting for technology to replace them. They were sophisticated information architectures optimized by centuries of selection pressure. The organizations that got coordination wrong didn’t survive to pass on their patterns.

Sun Tzu’s armies didn’t need mesh networks. They understood something more fundamental: that hierarchy isn’t the enemy of agility—it’s the precondition for it.

“In war, the way is to avoid what is strong, and strike at what is weak.”

Flat coordination architectures are strong in small teams. They are weak at scale. Hierarchy is the way to avoid that weakness.

The ancients figured this out with bronze swords and signal fires. Perhaps it’s time we remembered what they knew.

(r)evolve is building HIVE Protocol, open coordination infrastructure for human-machine-AI teams. We’re encoding five millennia of organizational wisdom into protocol.

Image Credits

• Hero image: Yinqueshan bamboo slips of Sun Zi’s Art of War, Western Han Dynasty, Shandong Museum permanent collection. China Daily.
• Trajan’s Column relief: Scene VII, Trajan reviews his troops from a tribunal. Photo by R.B. Ulrich. trajans-column.org.

By Kit Plummer, (r)evolve

Radicle is a peer-to-peer code collaboration stack built on Git. Unlike GitHub or GitLab, Radicle is decentralized—your code lives on your machine and is replicated across a network of nodes. But this raises a question: how do you run CI/CD for a decentralized repository?

Enter goa (GitOps Agent), a lightweight tool I created about 5 years ago to assist with some MLOps work I was doing that watches repositories for changes and executes commands when updates are detected. With goa’s Radicle support, you can build a self-hosted CI pipeline for your Radicle projects. Thanks to Claude Code for helping review and refresh the original goa codebase quickly.

Why goa for Radicle CI?

• No external services required - runs entirely on your local machine or server
• Watches both pushes and patches - trigger CI on new commits or when contributors submit patches (Radicle’s equivalent of pull requests)
• Simple setup - single binary, no complex configuration
• Environment variables - access commit info, patch details, and more in your CI scripts

Prerequisites

• A running Radicle node (rad CLI installed and initialized)
• Your repository seeded to your node
• Rust toolchain (for installing goa) or install one of the binaries at https://github.com/kitplummer/goa/releases.

Installation

cargo install gitops-agent

This installs the goa binary.

Basic Setup

1. Find Your Repository ID

Every Radicle repository has a unique identifier (RID). Find yours with:

rad inspect

You’ll see output like:

rad:z3fF7wV6LXz915ND1nbHTfeY3Qcq7

2. Identify Your Seed Node

Your local node exposes an HTTP API. By default, it’s available at http://localhost:8080. You can also use public seed nodes like https://seed.radicle.garden.

3. Start Watching

goa radicle \
  --seed-url http://localhost:8080 \
  --rid rad:z3fF7wV6LXz915ND1nbHTfeY3Qcq7 \
  --command './ci.sh' \
  --watch-patches \
  --delay 60

This tells goa to:

• Connect to your local Radicle node’s HTTP API
• Watch the specified repository
• Run ./ci.sh when changes are detected
• Check for both push and patch updates
• Poll every 60 seconds

Writing Your CI Script

goa passes context about the trigger via environment variables. Here’s a complete CI script:

#!/bin/bash
set -e

echo "=== Radicle CI ==="
echo "Repository: $GOA_RADICLE_RID"
echo "Trigger: $GOA_TRIGGER_TYPE"
echo "Commit: $GOA_COMMIT_OID"

# Clone from local Radicle storage
WORK_DIR="/tmp/ci-$(date +%s)"
STORAGE_PATH="$HOME/.radicle/storage/${GOA_RADICLE_RID#rad:}"

git clone "$STORAGE_PATH" "$WORK_DIR"
cd "$WORK_DIR"

# Checkout the specific commit
git checkout "$GOA_COMMIT_OID"

# If this is a patch, show details
if [ "$GOA_TRIGGER_TYPE" = "patch" ]; then
  echo "Patch ID: $GOA_PATCH_ID"
  echo "Title: $GOA_PATCH_TITLE"
  echo "State: $GOA_PATCH_STATE"
  echo "Base: $GOA_BASE_COMMIT"
fi

echo "=== Running Tests ==="

# Your build/test commands here
cargo build
cargo test

echo "=== CI Complete ==="

# Cleanup
cd /
rm -rf "$WORK_DIR"

Save this as ci.sh and make it executable:

chmod +x ci.sh

Environment Variables Reference

goa provides these environment variables when triggered:

Running as a System Service

For production use, run goa as a systemd service:

# /etc/systemd/system/radicle-ci.service
[Unit]
Description=Radicle CI Agent
After=network.target radicle-node.service

[Service]
Type=simple
User=ci
WorkingDirectory=/home/ci/myproject
ExecStart=/usr/local/bin/goa radicle \
  --seed-url http://localhost:8080 \
  --rid rad:z3fF7wV6LXz915ND1nbHTfeY3Qcq7 \
  --command './ci.sh' \
  --watch-patches \
  --delay 60 \
  --timeout 600 \
  --verbosity 1
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl enable radicle-ci
sudo systemctl start radicle-ci

View logs:

journalctl -u radicle-ci -f

Advanced: Testing Patches Before Merge

One powerful use case is automatically testing patches (PRs) before they’re merged. Here’s an enhanced CI script that posts results back:

#!/bin/bash
set -e

WORK_DIR="/tmp/ci-$(date +%s)"
STORAGE_PATH="$HOME/.radicle/storage/${GOA_RADICLE_RID#rad:}"
RESULT_FILE="/tmp/ci-result-$$"

# Clone and checkout
git clone "$STORAGE_PATH" "$WORK_DIR"
cd "$WORK_DIR"
git checkout "$GOA_COMMIT_OID"

# Run tests, capture result
if cargo test 2>&1 | tee "$RESULT_FILE"; then
  STATUS="passed"
else
  STATUS="failed"
fi

# If this was a patch, we could comment on it
# (Radicle CLI support for this is evolving)
if [ "$GOA_TRIGGER_TYPE" = "patch" ]; then
  echo "Patch $GOA_PATCH_ID: tests $STATUS"
  # Future: rad patch comment $GOA_PATCH_ID "CI $STATUS"
fi

# Cleanup
rm -rf "$WORK_DIR" "$RESULT_FILE"

# Exit with appropriate code
[ "$STATUS" = "passed" ]

Tips and Best Practices

1. Use --timeout to prevent runaway builds:

   goa radicle ... --timeout 600  # 10 minute limit
   

2. Adjust --delay based on your needs:
   • Development: 30-60 seconds
   • Production: 120-300 seconds
3. Use --verbosity 2 for debugging:

   goa radicle ... --verbosity 2
   

4. Isolate CI environments - use containers or VMs for untrusted code:

   # In ci.sh
   docker run --rm -v "$WORK_DIR:/src" my-ci-image /src/run-tests.sh
   

5. Monitor multiple repositories by running multiple goa instances:

   goa radicle --rid rad:z111... --command './ci-project1.sh' &
   goa radicle --rid rad:z222... --command './ci-project2.sh' &
   

Conclusion

With goa, you can bring CI/CD to the decentralized world of Radicle without relying on centralized services. Your code stays sovereign, your CI runs locally, and you maintain full control over your development workflow.

The combination of Radicle’s peer-to-peer collaboration and goa’s lightweight automation creates a powerful, self-hosted development environment that respects your autonomy while providing the conveniences of modern DevOps practices.

Resources:

• goa on crates.io
• goa on GitHub
• Radicle Documentation

By Kit Plummer, (r)evolve

NATO is building a standard for coordinating unmanned systems across domains. It’s called STANAG 4817, and it’s being positioned as the backbone of future multi-domain operations — enabling drones, UUVs, and USVs from different nations to share data and operate together.

On paper, it sounds essential. In practice, there are problems — both with the approach and with how it’s being developed.

What 4817 Is Trying to Do

STANAG 4817 builds on STANAG 4586, the existing NATO standard for UAV control interfaces. Where 4586 defined how an operator controls a single unmanned aircraft, 4817 extends to multi-domain: air, surface, and underwater systems coordinated from unified control stations.

The standard incorporates the Collaborative Autonomy Tasking Layer (CATL), a message format developed by NATO’s SCI-343 Research Task Group for sharing task and status information between autonomous systems. CATL has been tested at exercises like REPMUS and Dynamic Messenger, demonstrating interoperability between platforms from multiple nations.

The stated goals are reasonable:

• Common data formats for unmanned systems across domains
• Interoperability between different manufacturers and nations
• Unified situational awareness through data fusion

So what’s the problem?

The Transparency Problem

Try to find the STANAG 4817 specification. Or the CATL message schema. Or documentation on how the standard is being developed.

We did. We’re a defense contractor. We couldn’t find it either.

The Custodian Support Team meets periodically — hosted by organizations like Lockheed Martin Canada and NATO Centers of Excellence. Participants include representatives from NATO and Partnership for Peace nations. The work builds on recommendations from NATO Industrial Advisory Group studies (NIAG SG-157 and SG-202).

We know CATL exists because researchers reference it in published papers. We know exercises like REPMUS test it. We know it defines “four message types for task administration and data synchronization.” But the actual schema? The message definitions? The protocol specification? Not publicly available — and apparently not available through normal defense industry channels either.

Compare this to how other standards are developed:

• IETF RFCs: Public drafts, open mailing lists, anyone can comment
• W3C: Public working drafts, community feedback periods
• IEEE: Published specifications, academic participation
• Even SAE/JAUS: While the final documents cost money, there are open-source implementations and public working groups

If the goal is interoperability across nations and vendors, developing the standard behind closed doors is counterproductive. The companies that need to implement it can’t see it. The researchers who could improve it can’t review it. The broader defense industrial base is locked out until… when, exactly?

The Bigger Problem: Data-Centric vs. Decision-Centric

Even setting aside transparency concerns, there’s a more fundamental issue with the approach.

The 4817/CATL model is built on a data-centric mental model:

• Move data from sensors and platforms to control stations
• Fuse that data into a “comprehensive operational picture”
• Give commanders a “unified view” of the battlespace

This made sense when the constraint was information scarcity. Historically, commanders didn’t have enough data. The solution was to collect more and aggregate it centrally.

But that’s not the problem anymore. The problem now is information overload. Commanders are drowning in data. Adding more sensors, more platforms, and more data fusion doesn’t help — it makes cognitive load worse.

AI-enhanced decision support requires the opposite approach — decision-centric rather than data-centric:

The goal shouldn’t be showing commanders everything. It should be showing them only what they need to decide, with the supporting context, at the moment they need it.

This isn’t just a UI problem. It’s an architectural problem. A standard designed around “unified view” and “data fusion” bakes in assumptions that work against effective AI integration.

What Would Actually Help

For human-machine-AI teams to operate effectively at scale, we need coordination frameworks that:

Support hierarchical information flow. Military organizations aggregate information as it flows up and decompose decisions as they flow down. Flat data-sharing models don’t match how operations actually work.

Enable distributed processing. AI and autonomy should filter, prioritize, and pre-process at the edge — not just add more streams to a central fusion engine.

Reduce cognitive load. The measure of success isn’t how much data reaches the commander. It’s how little data reaches the commander while still enabling good decisions.

Work in contested networks. Tactical communications are bandwidth-limited, high-latency, and unreliable. Standards that assume enterprise connectivity will fail in the field.

Are actually open. If interoperability is the goal, the specifications need to be public. Implementations need to be testable. Participation needs to be accessible beyond the current defense insider club.

Where We’re Focused

At (r)evolve, we’re working on coordination infrastructure for human-machine-AI teams — building on concepts we first explored under DIU’s Common Operational Database (COD) program.

We think the solution requires a different starting point: decision-centric rather than data-centric, hierarchical rather than flat, designed for contested networks rather than enterprise connectivity. And we think it needs to be developed in the open.

More to share soon. If you’re working on similar challenges — or frustrated by the same gaps — we’d like to hear from you.

Kit Plummer is the founder of (r)evolve.

The IoT revolution made a promise: connect everything, send it all to the cloud, and intelligence will emerge. Sensors on every machine, every vehicle, every soldier. Terabytes flowing to data centers where AI would make sense of it all.

That promise is breaking.

Not because the cloud isn’t powerful—it is. Not because the AI isn’t capable—it’s extraordinary. The promise is breaking because the architecture assumes something that isn’t true: that you can always move data to where the compute lives.

In contested environments, you can’t.

The Bandwidth Tax

Every byte you send costs something. On a fiber connection in a data center, that cost is negligible. On a tactical radio network, it’s ruinous.

Consider a simple scenario: ten autonomous platforms sharing situational awareness. If each platform sends its full sensor state to every other platform, you have 90 data flows (n² - n). Add a few cameras, some LIDAR, maybe radar returns, and you’re pushing gigabits across links measured in kilobits.

The math doesn’t work. It never did. We just pretended it would because Moore’s Law kept bailing us out on compute, and we assumed bandwidth would follow.

It didn’t. Physics doesn’t care about your roadmap.

Tactical networks—the mesh radios, satellite links, and contested spectrum that actual operations depend on—remain stubbornly constrained. And they degrade exactly when you need them most: when someone is actively trying to deny them.

The Latency Problem

Even when bandwidth exists, latency kills.

Round-trip to a cloud data center: 50-200 milliseconds on a good day. Longer through a satellite hop. Much longer through a congested tactical network under electronic attack.

For a drone making obstacle avoidance decisions at 60 mph, 200 milliseconds is 17 feet of travel. For a coordinated maneuver between platforms, it’s an eternity. For a human operator trying to maintain situational awareness, it’s the difference between seeing what’s happening and seeing what happened.

The IoT model assumes latency is a temporary engineering problem. For edge operations, it’s a permanent physical constraint.

Inverting the Model

Here’s the shift: instead of moving data to where decisions happen, move decision-making to where data lives.

This isn’t a fringe position anymore. The team at Ditto has been evangelizing “cloud optional” architecture for years—building peer-to-peer sync that lets devices share data directly without round-tripping through servers. They’ve proven the model works in retail, healthcare, and defense. The insight is spreading.

But “cloud optional” is just the first step. The deeper move isn’t just about where data lives—it’s about what you’re moving in the first place.

This isn’t a new idea. It’s how biological systems work. Your hand doesn’t send raw nerve signals to your brain and wait for motor commands. The spinal cord handles reflexes locally. The brain gets summaries—”hand touched something hot”—and makes higher-order decisions—”don’t touch the stove again.”

The nervous system is a hierarchical decision architecture. Raw data stays local. Abstractions flow up. Intent flows down.

Apply this to autonomous systems:

Local decisions stay local. Obstacle avoidance, sensor fusion, immediate responses—these happen on the platform, with the data, in microseconds. No round-trip required.

Relevant abstractions propagate. Instead of sending video frames, send “vehicle detected at grid reference.” Instead of raw telemetry, send “capability degraded, estimate 30 minutes to repair.” The information that matters for coordination is orders of magnitude smaller than the raw data that produced it.

Intent distributes. Higher echelons don’t micromanage. They set objectives, constraints, boundaries. “Maintain surveillance of this area.” “Avoid engagement unless threatened.” “Coordinate with adjacent units.” Platforms interpret intent locally, using local data, making local decisions.

This is the control plane / data plane separation that network engineers have understood for decades. The data plane handles packets at line rate, locally. The control plane handles routing decisions, tolerating latency because the decisions are less frequent and more abstract.

What Changes

When you stop moving data and start moving decisions, several things shift:

Bandwidth requirements collapse. Sharing “I can provide ISR coverage for grid squares A1-A3 for the next 2 hours” costs bytes. Sharing the video feed that informed that assessment costs megabytes per second. The ratio can be 1000:1 or more.

Resilience improves. When the network degrades—and it will—local operations continue. Platforms have what they need to execute. They’re not waiting for permission or data from somewhere else. When connectivity returns, they sync state and continue.

Latency becomes tolerable. Coordination decisions can handle hundreds of milliseconds of delay because they’re not time-critical in the same way reflexive actions are. You’ve separated the fast path from the slow path.

Humans stay in the loop. When the system moves decisions rather than data, humans can actually engage at the decision level. They’re not drowning in sensor feeds they can’t possibly process. They’re seeing actionable information at the right level of abstraction for their role.

The Hard Part

This architecture isn’t free. It requires something the IoT model avoided: defining what decisions matter at each level.

When you pump raw data to the cloud, you defer that question. “We’ll figure out what’s important later, with ML, in the cloud.” It’s intellectually lazy but operationally simple.

Moving decisions requires you to think hard about abstraction boundaries. What does a platform need to decide locally? What does a team leader need to know? What does a commander need to see? These aren’t just technical questions—they’re questions about doctrine, authority, and trust.

They’re also the questions that matter. If you can’t answer them, no amount of bandwidth will save you. If you can, you’ve built something that works when the network doesn’t.

The Point

The IoT-to-cloud model works beautifully in environments where connectivity is assumed. Smart homes. Fleet management. Industrial monitoring. Anywhere you have reliable, high-bandwidth, low-latency connections to capable infrastructure.

Contested environments aren’t that. Tactical edge isn’t that. Disaster response isn’t that. Space operations aren’t that.

For those domains, the architecture has to change. Stop assuming you can move data to compute. Start moving compute—and decisions—to data.

The cloud is a tool, not a destination. Use it when you can. Don’t depend on it when you can’t.

Kit Plummer is the founder of (r)evolve, building coordination protocols for human-machine-AI teams. More at revolveteam.com.

Most BLE implementations leave half the toolbox untouched. Coded PHY changes everything—and almost nobody’s using it.

Bluetooth Low Energy has a perception problem. Ask any developer what BLE is good for and they’ll tell you: short-range, low-power, consumer stuff. Fitness trackers. Headphones. Maybe some smart home gadgets.

They’re wrong. Or rather, they’re describing BLE circa 2016.

Since Bluetooth 5.0 shipped in 2017, the spec has included a capability that roughly quadruples transmission range without increasing power consumption. It’s called Coded PHY, and based on our conversations with teams building tactical wearables, industrial IoT systems, and edge computing deployments, almost nobody’s using it.

This is a problem worth fixing.

What Coded PHY Actually Does

Standard BLE (the LE 1M PHY) transmits at 1 megasymbol per second, where each symbol represents one bit. Simple, fast, but range-limited—typically 30-100 meters depending on environment.

Coded PHY takes a different approach. Instead of just sending your data, it wraps it in forward error correction (FEC) using convolutional encoding. The receiver can then reconstruct the original signal from a much weaker reception, because it has redundant information to work with.

The spec defines two modes:

• S=2: Two symbols per bit, 500 kbps effective throughput, roughly 2x range
• S=8: Eight symbols per bit, 125 kbps effective throughput, roughly 4x range

Nordic Semiconductor field-tested this and hit 1,300 meters in connected state with Coded PHY versus 680 meters with standard 1M PHY—nearly doubling range at the same transmit power. In ideal conditions, you can push past a kilometer.

That’s not a typo. Bluetooth. A kilometer. At milliwatt power levels.

The Physics Are Elegant

Here’s the part that trips people up: Coded PHY doesn’t require more transmission power to achieve longer range. The raw data still goes out at 1 Mbps—the radio hardware is unchanged. What changes is how much information is embedded in that signal.

By spreading each bit across multiple symbols, you’re effectively lowering the data rate in exchange for receiver sensitivity. The math works out to roughly 12 dB improvement in link budget for S=8 mode, which translates to approximately 4x the distance in free space.

The tradeoff is throughput. 125 kbps isn’t going to stream video. But for the vast majority of IoT, tactical, and industrial applications? Position updates, sensor telemetry, status messages, coordination signals? 125 kbps is abundant.

Why Isn’t Everyone Using This?

We’ve been building HIVE Protocol with Coded PHY support baked in from the start, and when we talk to teams in adjacent spaces, we keep hearing the same reasons for not adopting it:

“We didn’t know it existed.” Fair. The Bluetooth 5.0 marketing focused heavily on 2M PHY (the faster option) and kind of buried the long-range story. Most developers learned BLE from tutorials written for 4.x.

“Our SDK doesn’t expose it.” This one’s on the toolchain vendors. Many popular BLE stacks abstract away PHY selection entirely, defaulting to 1M mode. You have to dig into platform-specific APIs (BlueZ on Linux, CoreBluetooth on Apple, etc.) to actually configure it.

“We thought long range meant more power.” Intuition says extending range requires boosting transmission. With Coded PHY, the opposite is true—you’re doing more processing at both ends, not more transmitting.

“125 kbps sounds unusably slow.” It’s not. A complete position update with metadata fits in under 100 bytes. At 125 kbps, you can send 150+ of those per second. For most coordination and telemetry use cases, that’s overkill.

Real-World Implications

The use cases that benefit most from Coded PHY:

Wearables that actually last. Current sync solutions drain batteries in 3-4 hours because they keep the radio active constantly. We’ve seen this firsthand with tactical wearables—teams report Samsung watches running sync software dying mid-mission. Coded PHY combined with intelligent duty cycling can push that to 18-24 hours.

Indoor operations. Coded PHY’s error correction doesn’t just extend range in open air—it punches through walls and obstacles more reliably. Building-internal coordination without repeater infrastructure.

Denied spectrum scenarios. When WiFi and cellular are unavailable or contested, BLE on Coded PHY provides an alternative communication path that’s harder to detect and jam.

Sensor mesh at scale. Environmental sensors, asset trackers, perimeter monitoring—all scenarios where you want maximum coverage from minimum infrastructure.

The Adaptive Strategy

The real power move isn’t picking one PHY and sticking with it. It’s switching dynamically based on conditions.

Smart implementations should support PHY selection strategies:

• MaxRange: Always use Coded S=8 when you need to guarantee connectivity at distance
• MaxThroughput: Always use LE 2M when you have strong signal and need speed
• Adaptive: Switch based on RSSI thresholds with hysteresis to prevent oscillation

A device close to its gateway can sync at 2 Mbps. The same device, as it moves away, can gracefully degrade to 1M, then S=2, then S=8, maintaining connectivity across the full range of conditions.

This is table stakes for serious BLE implementations. Yet most SDKs don’t expose it, and most developers don’t know to ask.

Getting Started

If you’re building on BLE and haven’t explored Coded PHY, here’s the minimum you need:

1. Hardware: Both sides need BLE 5.0+ silicon. Most modern chips (Nordic nRF52840, ESP32-C3/S3, Silicon Labs EFR32, etc.) support it.

2. Software: You’ll need to explicitly request Coded PHY mode. On Linux with BlueZ, this means using the bt_conn_le_phy_update() or equivalent. On embedded platforms, check your SDK’s PHY configuration options.

3. Testing: Actual range depends heavily on environment. Do real field tests—the spec guarantees capability, not miracles.

And Then There’s Bluetooth 6.0

Just as the industry is finally waking up to Coded PHY, the Bluetooth SIG dropped version 6.0 in September 2024. Devices are starting to ship now, with broader adoption expected through 2026.

The headline feature is Channel Sounding—a ranging capability that achieves centimeter-level distance measurement between devices. Where RSSI-based distance estimation gives you maybe 3-5 meter accuracy (and that’s being generous), Channel Sounding uses phase-based ranging and round-trip timing to get down to 10 centimeters. That’s UWB territory, but with the ubiquity of Bluetooth.

The implications are significant:

Digital keys that actually work. Your car or building can unlock only when your phone is within a precise radius—not just “somewhere nearby.” This closes relay attack vectors that have plagued current implementations.

Find-my networks with room-level precision. Instead of “your AirTag is somewhere in this building,” you get “it’s in the third drawer of that desk.”

Spatial computing. AR applications that need to know exactly where devices are relative to each other finally have a low-power, standards-based way to do it.

Channel Sounding also brings security improvements—built-in protections against man-in-the-middle attacks and relay attacks that current Bluetooth ranging lacks.

Beyond Channel Sounding, 6.0 introduces Decision-Based Advertising Filtering, which lets devices be smarter about what advertisements they pay attention to. In crowded RF environments (trade shows, stadiums, dense IoT deployments), this dramatically reduces wasted scanning time and associated battery drain.

The catch? Both devices need 6.0 support to use the new features. Your shiny 6.0-capable phone will still talk to your old 5.0 headphones just fine—but you won’t get Channel Sounding or the new filtering capabilities.

Qualcomm’s Snapdragon 8 Elite already supports 6.0. The iPhone 17 is widely expected to include it. Silicon Labs has certified chips shipping now. The rollout is happening faster than previous major version transitions.

What This Means for System Designers

If you’re building systems today, you have a choice:

For range-critical applications, Coded PHY is available now in every BLE 5.0+ device. It’s been sitting there since 2017, waiting for you to use it. Stop leaving 4x range on the table.

For precision-critical applications, plan for Bluetooth 6.0. Channel Sounding will enable use cases that previously required UWB or expensive infrastructure. The hardware is arriving; make sure your architecture can take advantage of it.

For both, understand that these capabilities stack. There’s nothing preventing a future implementation from using Coded PHY for extended range and Channel Sounding for precise ranging within that range.

The Bigger Picture

Bluetooth’s evolution isn’t just a technical curiosity. It represents a fundamental shift in what’s possible with ultra-low-power wireless.

For years, if you needed range, you reached for WiFi (power hungry), cellular (expensive, requires infrastructure), or LoRa (specialized hardware, limited throughput). Coded PHY put legitimate long-range capability into the same radio that’s already in every phone, tablet, and wearable on the planet.

Now, with 6.0, Bluetooth is adding precision that rivals dedicated ranging technologies—again, in hardware that’s already everywhere.

The industry just hasn’t caught up yet.

At (r)evolve, we’re building coordination systems for environments where connectivity is contested, power is limited, and precision matters. That means we pay attention when Bluetooth quietly adds capabilities that most implementations ignore. Coded PHY today, Channel Sounding tomorrow—these aren’t optional features. They’re the foundation of what comes next.

If you’re building systems that need to coordinate across distance without draining batteries or requiring infrastructure, stop ignoring your radio’s full capability. The hardware is ready. The question is whether your software is.

Kit Plummer is the founder of (r)evolve, building coordination protocols for human-machine-AI teams at scale. Follow our work at revolveteam.com.

Nearly three decades later, these principles have profound implications for autonomous systems and human-machine teaming. And they reveal an uncomfortable truth: the autonomy industry is stuck in cathedral mode while the rest of the software world has moved on.

The Current State: Cathedrals Everywhere

Look at the drone and robotics landscape today. It’s a collection of proprietary silos—closed hardware, closed software, closed ecosystems. Every vendor builds their own cathedral, and interoperability is largely a fiction we tell ourselves at trade shows.

The standards we do have are artifacts of a different era. STANAG 4586, NATO’s standard for UAV interoperability, dates to 2002. It was designed for a world of large, expensive platforms with human operators in ground control stations—not swarms of autonomous agents coordinating in real-time. Cursor-on-Target (CoT), MITRE’s protocol for sharing tactical information, is similarly long in the tooth. These aren’t foundations for the future; they’re legacy infrastructure we’re forced to route around.

The result? Every integration is a custom engineering effort. Every new platform requires bespoke adapters. “Interoperability” means spending months building point-to-point bridges that break when either side updates. We’ve created a world where combining a drone from Vendor A with sensors from Vendor B and a command system from Vendor C requires a small army of integration engineers and a large budget for middleware.

This is cathedral thinking at its worst: each vendor optimizing for lock-in rather than capability, and the entire ecosystem paying the tax.

The Platform Trap

The cathedral pattern isn’t limited to legacy defense contractors. It’s being replicated across every domain where autonomy is taking hold.

Agriculture: John Deere has built an impressive autonomous farming stack—and locked it down completely. Farmers who buy Deere equipment can’t access their own data, can’t repair their own machines, can’t integrate third-party implements without Deere’s blessing. The right-to-repair movement exists largely because Deere turned tractors into cathedrals. Your farm, their platform.

Autonomous vehicles: Every major AV player—Waymo, Cruise, Tesla, Motional—has built a vertically integrated stack. Sensors, perception, planning, control: all proprietary, all closed. There’s no “ONNX for autonomous driving” that lets you swap a better perception model into a competitor’s vehicle. Each company is building its own cathedral, betting they’ll be the one left standing.

Warehouse robotics: Amazon acquired Kiva Systems in 2012 and promptly pulled it from the market, keeping the technology for themselves. Competitors had to build from scratch. The warehouse autonomy space has since fragmented into dozens of incompatible systems, each vendor hoping to become the platform that locks in the next generation of logistics.

Industrial automation: Siemens, Rockwell, ABB—the incumbent automation giants—have spent decades building proprietary control systems with proprietary protocols. Integrating across vendors requires expensive middleware and specialized expertise. Sound familiar?

The Defense Variant

In defense, this pattern takes its most acute form. Anduril’s Lattice represents the explicit strategy: become the operating system for defense autonomy, with every other vendor’s hardware plugging into their mesh.

Give them credit—they recognized the interoperability problem and built technology to address it. But their solution is to become the platform. The pitch is seductive: one unified command-and-control layer, one interface, one vendor to call when things break. For acquisition officers exhausted by integration nightmares, it sounds like salvation.

But the end state is the same lock-in, just at a higher level of abstraction. Instead of being locked into a drone vendor, you’re locked into a platform vendor. The middleware becomes the moat. When one company controls the coordination layer, they control the narrative. They decide which systems integrate smoothly and which face friction. Startups with better sensors, better algorithms, better hardware? They succeed or fail based on Lattice compatibility.

This is the cathedral model dressed in software-company clothing. Move fast, ship product, but maintain control. The interoperability offered is interoperability on their terms, through their APIs, mediated by their platform.

Whether it’s tractors, taxis, warehouses, or weapons systems—the pattern is the same. And so is the outcome: lock-in, stagnation, and ecosystems that serve vendors rather than users.

Markets and Procurement: Why Cathedrals Win

These platform traps don’t exist in a vacuum. They’re enabled by how we buy technology—whether through enterprise procurement, venture-backed growth, or government acquisition.

The enterprise buyer wants “one throat to choke.” Integrated platforms reduce vendor management overhead, simplify support contracts, and provide someone to blame when things go wrong. Best-of-breed architectures require more sophistication to evaluate, purchase, and operate. Cathedrals are easier to buy.

The venture model rewards platform plays. Investors want moats. They want network effects and switching costs that compound over time. An open, interoperable component is a commodity; a proprietary platform is a defensible business. The incentives push toward lock-in.

Government acquisition takes these dynamics and amplifies them. The process rewards companies that can absorb compliance overhead, navigate byzantine procurement rules, and sustain years-long sales cycles. When a program office needs to show progress, buying a unified platform from a single vendor is the path of least resistance.

None of this fits neatly into a FAR-compliant contract vehicle. Open standards require coordination across stakeholders. Modular architectures require defining interfaces upfront and holding vendors to them. Bazaar-style development requires accepting that the best solution might come from a company that doesn’t exist yet.

The result is a self-reinforcing cycle: vendors build cathedrals because that’s what gets bought, and buyers keep buying cathedrals because that’s what vendors build. Each iteration entrenches the pattern further.

Breaking the cycle requires changes at every level: procurement language that mandates open interfaces, contract structures that reward interoperability, enterprise architects willing to manage multi-vendor complexity, and investors who recognize that open ecosystems can win too.

The bazaar isn’t just a development philosophy. It’s a procurement philosophy. And until buying catches up with building, we’ll keep erecting cathedrals by default.

Two Models of Development

Raymond’s “Linus’s Law”—named for Linux creator Linus Torvalds—captures the bazaar’s core insight: with enough contributors examining the code, problems that seem intractable to a small team become obvious to someone in the crowd.

Why This Matters for Autonomy

The bazaar model offers distinct advantages for the complex and safety-critical field of autonomous systems:

Improved Safety and Security. A larger and more diverse group of contributors can identify and resolve potential safety flaws, biases, and security vulnerabilities much faster than a small, closed team. Cisco’s release of an open-source security framework for autonomous agent networks exemplifies this approach—inviting the community to stress-test security assumptions rather than hiding them behind closed doors.

Faster Innovation. The open model allows for rapid prototyping and an evolutionary approach to development. This accelerates the creation of better, more functional AI models and enables the emergence of new standards and protocols through collective experimentation rather than committee design.

Enhanced Reliability. Continuous testing and error correction by the community lead to more robust systems. When thousands of developers can probe edge cases, the system hardens faster than any internal QA process could achieve.

Standardization and Interoperability. Open-source foundations create neutral hubs for cross-industry standards. The Open Source AI Definition from the Open Source Initiative and emerging agent interoperability efforts demonstrate how open collaboration enables different AI agents and systems to integrate seamlessly—critical for heterogeneous human-machine teams.

A Model Worth Following: How AI Solved Interoperability

Here’s the contrast that should embarrass the autonomy industry: the AI/ML community faced the same fragmentation problem—and solved it.

In 2017, Facebook and Microsoft launched ONNX (Open Neural Network Exchange). The problem was familiar: models trained in PyTorch couldn’t run in TensorFlow. Every framework was a walled garden. Moving a model from research to production meant rewriting it, sometimes from scratch.

ONNX created an open, vendor-neutral interchange format. Train your model anywhere, deploy it anywhere. Today, ONNX is supported by virtually every major ML framework and hardware accelerator. A model built by a researcher using PyTorch can be optimized and deployed on edge hardware from NVIDIA, Intel, Qualcomm, or a dozen others—without modification.

The AI community chose the bazaar. They built an open standard through collaboration rather than committee, iterated rapidly based on real-world usage, and created an ecosystem where competition happens on quality and performance rather than lock-in.

Now imagine if drones and robots worked this way. A perception model trained on one platform, deployable on any. A planning algorithm developed by one team, integratable by all. Control interfaces that speak a common language. Hardware that competes on capability rather than captivity.

This isn’t utopian thinking. It’s what the software world already does. The autonomy industry just hasn’t caught up.

The ROS2 Exception—And Its Limits

To be fair, robotics has one genuine bazaar success story: ROS2 (Robot Operating System 2).

ROS2 got a lot right. It’s open-source, community-driven, and has become the de facto standard for robotics development. It provides a common framework for perception, planning, and control. It has a thriving ecosystem of packages. Companies that would never share proprietary code contribute to the commons because the rising tide lifts all boats.

For single-robot autonomy, ROS2 is the bazaar in action.

But ROS2 was designed for a different problem. It excels at making one robot work—coordinating sensors, actuators, and algorithms within a single system or a local cluster. What it doesn’t address:

Collaborative autonomy. When dozens or hundreds of heterogeneous autonomous systems need to coordinate—sharing intent, negotiating tasks, maintaining coherent situational awareness—ROS2’s architecture doesn’t scale. It assumes a level of network reliability and latency that simply doesn’t exist in contested, distributed operations.

Global distribution. ROS2’s original communication model (DDS) works well in a lab or a local network. It wasn’t built for systems scattered across continents, operating through intermittent satellite links, mesh networks, and degraded communications. The assumptions baked into DDS break down at scale. (Credit where due: the ROS2 community is actively addressing this. The move toward Zenoh as an alternative middleware—designed from the ground up for constrained networks, edge computing, and global distribution—is exactly the kind of bazaar-style course correction that makes open ecosystems work. Recognize the problem, build the solution, iterate.)

Cross-domain teaming. A future where ground robots, aerial drones, maritime vessels, and space assets collaborate seamlessly requires abstractions ROS2 doesn’t provide. It’s a robotics framework, not a coordination protocol for heterogeneous autonomous systems operating across domains.

ROS2 proved the bazaar model works for robotics. Now we need to apply the same philosophy to the harder problem: collaborative autonomy at global scale, across domains, under real-world constraints.

Implications for Human-Machine Teaming

For human-machine teams, the bazaar approach emphasizes flexible and adaptable systems that can be easily modified and integrated with diverse human workflows and data sources.

Flexible Integration. Open-source AI models can be modified and optimized for specific operational needs, enabling better performance and superior decision-making within human-machine collaboration systems. Teams can adapt tools to their workflows rather than contorting workflows to fit tools.

Focus on Human Oversight. Successful AI-human collaboration requires maintaining human oversight at critical decision points. This is significantly easier when the underlying system’s code and logic are transparent and open to inspection. The bazaar model makes “trust but verify” actually possible—you can verify.

Collaborative Design. The development process can mirror the desired operational outcome: a collaborative environment where both humans and machines (or different teams building them) work together effectively. Building in the open trains organizations for operating in the open.

The Cathedral Still Has Its Place

This isn’t to say closed development is always wrong. Some components—particularly those involving classified capabilities or zero-day vulnerabilities—may require cathedral-style protection. The art is knowing which parts of your system benefit from broad scrutiny and which require controlled access.

But for the core challenges of autonomous systems—reliability, safety, interoperability, and human-machine integration—the bazaar offers something the cathedral cannot: the collective intelligence of a community that has skin in the game.

Given enough eyeballs, all bugs are shallow. Given enough collaborators, even autonomous systems can be made trustworthy.

Attribution: This post draws on Eric S. Raymond’s “The Cathedral and the Bazaar” (1997). Standards referenced include STANAG 4586 (NATO UAV interoperability) and MITRE’s Cursor-on-Target protocol. Open-source projects discussed: ONNX (AI/ML interchange), ROS2 (robotics framework), Zenoh (distributed middleware), Cisco’s Outshift (agentic security), and the Open Source Initiative (AI definitions). Proprietary platform examples: John Deere (agriculture), Anduril Lattice (defense).

The human-machine teaming conversation usually frames trust as a calibration problem: how do we get humans to trust AI the right amount? Not too much (automation complacency), not too little (underutilization). Find the sweet spot, train to it, problem solved.

This framing misses something fundamental. Trust isn’t a dial you set once. It’s a dynamic property of a system—one that emerges, propagates, degrades, and recovers across every node in the network.

Trust is a distributed system problem.

The Byzantine Generals of Human-Machine Teams

Distributed systems engineers have spent decades solving trust problems. How do you coordinate action when some nodes might fail? When messages might be delayed or lost? When you can’t verify every participant’s state in real-time?

The solutions aren’t about eliminating uncertainty. They’re about operating despite it.

Human-machine-AI teams face the same fundamental challenges:

• Partial observability. No single node—human or machine—has complete information about system state.
• Asynchronous updates. Trust-relevant information (capability changes, performance history, context shifts) propagates at different speeds to different participants.
• Partition tolerance. Teams must continue functioning when communication degrades, which means trust decisions must be made locally with incomplete data.

The question isn’t “how much should the human trust the AI?” It’s “how does trust flow through this system, and what happens when that flow is interrupted?”

Trust Has a Topology

In any human-machine team, trust isn’t uniformly distributed. It has structure:

Hierarchical trust. A squad leader trusts their autonomous wingmen differently than they trust a remote AI advisor. A field commander trusts aggregated intelligence differently than raw sensor feeds. Authority boundaries create trust boundaries.

Earned trust. A system that has performed reliably in similar conditions accumulates trust capital. A system operating outside its demonstrated envelope should trigger appropriate skepticism—automatically, not just when a human remembers to be skeptical.

Transitive trust. If I trust the commander, and the commander trusts the autonomous system’s assessment, how much of that trust transfers to me? Distributed systems have formal models for this. Human-machine teams mostly wing it.

Trust decay. Trust isn’t static. A system that hasn’t been validated recently, that’s operating in novel conditions, or that’s reported anomalies should see its trust score degrade over time. This isn’t distrust—it’s appropriate uncertainty.

What This Means for Architecture

If trust is a distributed system property, then your coordination architecture needs to treat it as first-class data:

Trust must be observable. Every node should be able to query its own trust relationships and be aware of how it’s trusted by others. Opacity breeds miscalibration.

Trust must propagate. When conditions change—a sensor degrades, an AI model encounters distribution shift, a human operator becomes fatigued—that information needs to flow to nodes whose decisions depend on it.

Trust must be local-first. You can’t phone home to ask whether you should trust your wingman. Trust decisions happen at the edge, which means the edge needs sufficient context to make them well.

Trust boundaries should match authority boundaries. The natural structure of human organizations—squads, platoons, companies—represents evolved solutions to trust coordination. Technical architecture should respect these boundaries rather than flattening them.

The Human in the Loop, Reconsidered

“Human in the loop” is often framed as a constraint—a regulatory or ethical requirement that slows down autonomous action. But viewed through the lens of distributed trust, humans serve a different function: they’re trust anchors.

In a system where machine nodes are making increasingly autonomous decisions, human judgment provides:

• Ground truth calibration. Humans can recognize when the world has shifted in ways that invalidate machine assumptions.
• Trust reset authority. When something goes wrong, humans can intervene to re-establish trust baselines.
• Contextual override. Humans carry context that may not be encoded in machine state—political considerations, ethical boundaries, commander’s intent.

The goal isn’t to keep humans in every loop. It’s to position humans at the right points in the trust topology—where their judgment has maximum leverage and their attention isn’t wasted on decisions machines can reliably make.

Building Trust-Aware Systems

We’re building HIVE with trust as a core architectural concern, not an afterthought:

• Capability advertisement lets nodes declare what they can do and under what conditions—making trust assessable rather than assumed.
• Hierarchical aggregation ensures trust decisions happen at appropriate levels, with appropriate context.
• Graceful degradation means that when trust relationships are disrupted (by communication loss, node failure, or detected anomalies), the system continues operating with appropriately reduced confidence rather than failing catastrophically.

Trust isn’t a human factors problem bolted onto a technical system. It’s a distributed system property that emerges from architecture choices.

Design accordingly.

This is the second in a series on the principles behind HIVE Protocol. Previously: The Device Is The Network

The original ARPANET designers understood something we’ve collectively forgotten: resilience comes from distribution. Every node was meant to be both consumer and producer, router and endpoint. The network existed between devices, not above them.

Somewhere along the way, we traded that vision for convenience. The cloud promised infinite scale, seamless synchronization, always-on connectivity. What it delivered was dependency—on backbone infrastructure, on hyperscale data centers, on the assumption that the center will always hold.

The center doesn’t always hold.

In contested environments—whether that’s a tactical edge with degraded communications, a disaster zone with failed infrastructure, or simply a subway tunnel—the cloud becomes a single point of failure. Your device, with all its compute power, becomes a dumb terminal waiting for permission from a server it can’t reach.

This isn’t just a military problem. It’s an architectural one.

What if the device itself was the network?

Not as a fallback. Not as a degraded mode. As the primary design assumption.

Every modern device carries more compute power than the systems that ran the early Internet. Your phone could coordinate with its neighbors. Your drone could route traffic for its peers. Your sensor could reason about its own data before deciding what—if anything—needs to flow upstream.

This isn’t about abandoning hierarchy or coordination. It’s about relocating intelligence to where decisions actually happen: at the edge. The network emerges from the collective behavior of intelligent nodes, not from infrastructure imposed upon them.

Stop moving data. Start moving decisions.

When every device is the network, you stop thinking about bandwidth as a pipe for raw data and start thinking about it as a channel for meaning. The question shifts from “how do I get this video to the cloud?” to “what does this video tell us, and who needs to know?”

This is the architecture we’re building with HIVE—not because decentralization is ideologically pure, but because it’s the only approach that works when you can’t guarantee the center.

The Internet’s original promise wasn’t about cloud services. It was about resilience through distribution. It’s time to remember that.

This is the first in a series on the principles behind HIVE Protocol. Next: Trust as a Distributed System Problem