Helios Interdevice Protocol (Proxy-First)
This document defines the Helios-to-Helios protocol we should implement so a peer Helios device is treated as a remote Helios node, not as a generic URL that we decode locally.
Problem Statement
Current behavior treats peer streams as Netcam-style URLs. That causes the receiving device to decode and potentially re-process streams that should stay source-side.
For Helios peers, we want:
- Source device remains authoritative for capture, decode, pipeline execution, controls, and pose metadata.
- Receiving device acts as a proxy/control client unless explicitly told to run local compute.
- Non-Helios peers (Limelight/PhotonVision/Custom) keep current URL-based ingestion behavior.
Design Goals
- Zero unnecessary decode/compute on receiving Helios by default.
- Uniform resource model for remote streams, pipelines, localization outputs, and rig poses.
- Explicit sync semantics for edits (who owns truth, conflict handling, versioning).
- Backward compatibility with existing peers API and non-Helios integrations.
Non-Goals
- Full multi-writer CRDT replication between every device.
- Replacing existing stream engine internals in one release.
- Forcing non-Helios devices into the Helios protocol.
Resource Ownership Model
For Helios peers, each resource has an authority:
authority = source: remote Helios is source of truth (default).authority = local: local override exists (rare, explicit).
Edits targeting a source-authoritative resource are forwarded to source and acknowledged with source revision.
Protocol Layers
1) Discovery + Handshake (Control Plane)
Keep existing /v1/peers registration, but add a Helios capability handshake:
GET /v1/interdevice/hello- Returns:
device_id(stable UUID)protocol_version(for example1.0)capabilities(proxy_streams, remote_control, remote_pipeline_edit, remote_rig_pose, remote_localization_outputs)api_basews_base
If handshake is missing, peer falls back to current legacy behavior.
2) Remote Inventory (Control Plane)
Expose remote-owned resources:
GET /v1/interdevice/resources- Returns:
- remote streams (id, alias, status, codec/preview formats, authority)
- remote pipelines bound to streams (id, revision, outputs)
- remote localization outputs (stream/output keys + data types)
- remote rig entries (camera_uid, pose revision)
3) Proxy Data Plane (No Local Decode by Default)
For Helios peers, previews and frame channels are proxied, not ingested as Netcam:
GET /v1/peers/{peer_id}/streams/{remote_stream_id}/preview(byte-for-byte proxy)GET /v1/peers/{peer_id}/streams/{remote_stream_id}/frame(snapshot proxy)WS /v1/peers/{peer_id}/streams/{remote_stream_id}/frames(ws proxy/tunnel)
Proxy mode constraints:
- Local device does not create capture backend for this stream.
- Local device does not decode unless user opts into a local compute attachment mode.
4) Edit Forwarding (Control Plane)
Remote edits are RPC-style forwards with idempotency and revision control.
Stream settings / controls
POST /v1/peers/{peer_id}/streams/{remote_stream_id}/commands- Request:
request_idexpected_revision(optional but recommended)command(set_control,apply_manifest_patch,start_recording,stop_recording, etc.)payload
- Response:
acceptednew_revisionapplied_at_mserror(if any)
Pipeline edits
POST /v1/peers/{peer_id}/streams/{remote_stream_id}/pipeline/graph/patch- Must include
expected_pipeline_revision. - Source peer applies patch; local receives resulting revision and summary.
Rig pose edits
PUT /v1/peers/{peer_id}/rig/cameras/{camera_uid}/pose- Source owns pose for source cameras; local mirrors with source revision metadata.
5) Realtime Sync (Event Plane)
Add interdevice event stream:
WS /v1/interdevice/events- Event envelope:
seqtimestamp_mskind(stream_changed,pipeline_changed,pose_changed,localization_source_changed,peer_health)resource_ref(peer_id,stream_id, optional pipeline/output/camera ids)revision
Receiving side uses events to invalidate caches and refresh exact resources.
Versioning + Conflict Rules
- Protocol version negotiated in
hello. - All mutable resources expose monotonic
revision(u64 or revision string). - Writes with stale
expected_revisionreturn409 conflict. - Client must refetch and retry with new revision.
Authentication + Trust
Minimum:
- Peer token per device pair (Bearer token over TLS).
- Request signing optional in v1.
Preferred:
- mTLS with device certificates and explicit trust list.
UI Semantics
For integration.kind = helios:
- Show remote streams as
Remote Helios Streamentries, notNetcam. - Label compute mode:
proxy(default)local_attach(explicit local processing mode)
- Apply operations show target peer and remote revision result.
For non-Helios peers:
- Preserve existing
Netcamingestion workflow.
Compatibility + Migration
Phase 1 (safe):
- Add handshake + resources endpoints.
- Add proxy preview/frame endpoints.
- UI uses proxy viewer for Helios peers, keeps Netcam path for others.
Phase 2:
- Add forwarded stream-control and pipeline patch commands with revisions.
- Add interdevice events stream and cache invalidation.
Phase 3:
- Add rig/localization config forwarding and full remote-authoritative editing UX.
Acceptance Criteria
- Registering a Helios peer does not create local decode path by default.
- Viewing a Helios peer stream keeps decode/compute load on source device.
- Editing stream control/pipeline/pose for a Helios peer applies on source and returns source revision.
- Local UI reflects remote changes within one event cycle without manual refresh.