EOSE LABS · V11 · WPA LEVEL 7 · MESH ADHERENCE · DAY 83
WPA7MAS
WPA Level 7 Mesh Adherence Score · γ₁ = 14.134725141734693
TRB-WPA7MAS-001 · ARB1-WPA7MAS-001 · 2026-04-27
Istio ASM 1.28 · 52 sidecars · 17 mTLS STRICT namespaces · mi.pemos.io LOCO DOUBLE MESH
Every silo. Every namespace. Every workload. Honest scores. No hiding D grades.
THE 5 MESH GATES
MGATE · mTLS Gate
30% of WPA7MAS score
Is mTLS STRICT enforced? Are Envoy sidecars injected? Are PeerAuthentication policies set? Does the namespace block non-mTLS traffic?
CGATE · Chaos Gate
25% of WPA7MAS score
Can the mesh survive 1 pod kill? Network partition? Split-brain? Chaos injection test. Does Istio circuit-break before cascade?
RGATE · Routing Gate
20% of WPA7MAS score
VirtualServices defined? DestinationRules set? Traffic weights configured? Retries and timeouts explicit? L7 routing or just raw TCP?
HGATE · HA Gate
25% of WPA7MAS score
Multi-replica? PodDisruptionBudget set? Cross-zone spread? Does the mesh survive a node drain without downtime?
MESH7 · Mesh Tier
Tier classification
LOCO = Consul + Istio (double mesh). GOLD = full Istio ASM. SILVER = managed Istio. TAILSCALE = sovereign home lab. CNI = bare rigs.
🔱 mi.pemos.io — LOCO DOUBLE MESH · Enterprise Pattern
CONSUL LAYER
ISTIO LAYER
WPA7MAS: 94 · A+
The flagship. mi.pemos.io runs both Consul AND Istio — the double LOCO mesh pattern.
CONSUL handles east-west service registry, health checks, KV store, and native service discovery.
Every service knows where every other service is. Consul is the truth table.
ISTIO sits on top: mTLS enforcement, L7 traffic management, circuit breakers, telemetry, ingress control.
Istio is the enforcer. What Consul registers, Istio controls how it talks.
Together: Consul knows where everything is. Istio controls how they communicate. Neither is redundant.
This is the enterprise double-LOCO pattern — what we build for customers who need both layers.
This is the product. mi.pemos.io is running it live in production today.
AKS CLOUD SCORES — aks-eose-aaas-dev
ISTIO ASM 1.28 · 52 SIDECARS
| NAMESPACE | mTLS | SIDECAR | VS | DR | MGATE | CGATE | RGATE | HGATE | WPA7MAS | GRADE |
| master1-system | STRICT | asm-1-28 | ✅ ×2 | ✅ ×4 | 95 | 80 | 90 | 85 | 88 | A |
| master-system | STRICT | asm-1-28 | ✅ ×2 | ✅ ×2 | 95 | 75 | 80 | 75 | 82 | B+ |
| hvcp-system | STRICT | asm-1-28 | ✅ ×5 | ❌ | 85 | 65 | 75 | 65 | 73 | C+ |
| model-gateway-system | STRICT | asm-1-28 | ❌ | ✅ ×1 | 80 | 70 | 60 | 70 | 71 | C+ |
| botu-system | STRICT | partial | ✅ ×2 | ❌ | 80 | 60 | 60 | 55 | 65 | C |
| pemos-system | STRICT | enabled | ❌ | ❌ | 70 | 70 | 40 | 70 | 63 | C |
| monitoring | STRICT | partial | partial | ❌ | 70 | 60 | 60 | 70 | 65 | C |
| sso-system | STRICT | NO SIDECAR ⚠️ | ❌ | ❌ | 50 | 50 | 20 | 50 | 43 | D |
| hivemind-system | STRICT | NO SIDECAR ⚠️ | ❌ | ❌ | 50 | 50 | 20 | 50 | 43 | D |
| crew-*-pemos-io ×5 | NONE | NONE | ❌ | ❌ | 20 | 40 | 10 | 30 | 25 | F |
| ct-fac-system | NONE | NONE | ✅ ×1 | ❌ | 40 | 40 | 40 | 30 | 38 | F (legacy) |
HOME LAB SILOS — TAILSCALE OVERLAY
SOVEREIGN FLOOR · D GRADES BY DESIGN
| SILO | IP | MESH TYPE | MGATE | CGATE | RGATE | HGATE | WPA7MAS | GRADE |
| forge/lianli01 | 192.168.2.12 | Tailscale + Docker | 60 | 70 | 30 | 40 | 50 | D+ |
| msclo | 192.168.2.19 | Tailscale + Docker | 60 | 65 | 30 | 35 | 48 | D+ |
| msi01 | 192.168.2.18 | Docker bridge (L0) | 65 | 60 | 30 | 35 | 48 | D+ |
| yone/one-deseof | 192.168.2.23 | Tailscale + Docker | 60 | 65 | 25 | 35 | 46 | D |
| pcdev | 192.168.2.16 | Tailscale + Docker | 55 | 60 | 20 | 30 | 41 | D |
| lounge | 192.168.50.175 | WSL2 Ring 1 | 50 | 55 | 20 | 25 | 38 | F (by design) |
| steam-deck | 192.168.50.193 | Native | 30 | 30 | 10 | 10 | 20 | F (gaming rig) |
⚠️ Home lab D grades are correct and expected. These are sovereign bare-metal nodes.
The WPA7MAS exam is calibrated for cloud-native Kubernetes. Tailscale = the sovereign mesh on home lab.
These nodes pass the γ₁ floor exam. They are not expected to run Istio.
MINING RIGS — pemos.io BARE CNI
CHAOS NODES · NO MESH BY DESIGN
| RIG | CLOUD | MESH | WPA7MAS | GRADE | WHY |
| ZERO-DR | GCP NE1 | Bare CNI | 35 | D | DR role — chaos compute, no service mesh needed |
| KRSRHONE | GCP NE1 | Bare CNI | 35 | D | Compute node — chaos/mining by design |
| CATHEDRAL | AWS ca-central-1 | Bare CNI | 30 | D- | S.H.I.E.L.D. special ops — mesh not appropriate |
| JAYRHONE | AWS us-east-2 | Bare CNI | 30 | D- | Wave engine — GPU burst node, not mesh tenant |
THE FLEET ROAST — HONEST WPA7MAS FINDINGS
1. master1-system carries the fleet. 52 sidecars, mTLS STRICT, VirtualServices, DestinationRules, HA L0+L1. Score: 88. This is the standard. Everything else should aspire to this.
2. Kiali is blind — 9 days. Our mesh visualizer has been in CrashLoopBackOff for 9 days. We're flying the mesh without instruments. Fix this first. You can't improve what you can't see.
3. sso-system is a contradiction. mTLS STRICT policy set, but no sidecar injected. The policy says "STRICT" but nothing enforces it. Authentication traffic is unprotected by Istio. This is a P1 gap.
4. hivemind-system same problem. STRICT policy, no sidecar. The label isn't there. The mesh doesn't know this namespace exists. Fix the injection label or the policy is theater.
5. pemos-system (our portal) gets a C. mTLS STRICT ✅. But no VirtualService. No DestinationRule. Running on raw ingress. Our own portal — the face of the fleet — has no L7 mesh routing defined. Embarrassing. P2.
6. crew-* namespaces score 25. Five mining rig namespaces on AKS with zero mesh policies. No mTLS, no sidecars, no routing. These need at minimum a PeerAuthentication policy. P3.
7. mi.pemos.io LOCO double mesh is the crown jewel. Score 94. Consul + Istio. This is the enterprise product. Build the page, build the showcase, show it to customers. This is what we sell.
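The contradiction in findings 3 and 4 (a STRICT PeerAuthentication with no sidecar to enforce it) and the "partial" sidecar state can be checked mechanically. The following is an added example, not EOSE Labs tooling: the input dicts are constructed samples shaped like trimmed `kubectl get ... -o json` output, the labels and pod names are assumptions, and only namespace-wide policies (no workload selector) are considered.

```python
# Constructed sample data, shaped like trimmed `kubectl get <kind> -A -o json` output.
# Namespace names come from the scorecard; labels and pod names are assumed.
NAMESPACES = {"items": [
    {"metadata": {"name": "master1-system", "labels": {"istio.io/rev": "asm-1-28"}}},
    {"metadata": {"name": "botu-system", "labels": {"istio.io/rev": "asm-1-28"}}},
    {"metadata": {"name": "sso-system", "labels": {}}},
]}
PEER_AUTHS = {"items": [
    {"metadata": {"namespace": ns}, "spec": {"mtls": {"mode": "STRICT"}}}
    for ns in ("master1-system", "botu-system", "sso-system")
]}

def make_pod(ns, name, containers):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"containers": [{"name": c} for c in containers]}}

PODS = {"items": [
    make_pod("master1-system", "api-0", ["app", "istio-proxy"]),
    make_pod("botu-system", "botu-api", ["app", "istio-proxy"]),
    make_pod("botu-system", "botu-worker", ["app"]),  # constructed: no sidecar
    make_pod("sso-system", "sso-0", ["app"]),         # constructed: no sidecar
]}

def has_sidecar(pod):
    # Native-sidecar mode places istio-proxy in initContainers, so check both lists.
    spec = pod["spec"]
    names = {c["name"] for c in spec.get("containers", []) + spec.get("initContainers", [])}
    return "istio-proxy" in names

def audit(namespaces, peer_auths, pods):
    """Return {namespace: (finding, [pods without istio-proxy])} for STRICT namespaces."""
    strict = {pa["metadata"]["namespace"] for pa in peer_auths["items"]
              if not pa["spec"].get("selector")  # namespace-wide policies only
              and pa["spec"].get("mtls", {}).get("mode") == "STRICT"}
    findings = {}
    for ns in namespaces["items"]:
        name = ns["metadata"]["name"]
        if name not in strict:
            continue
        labels = ns["metadata"].get("labels") or {}
        labelled = labels.get("istio-injection") == "enabled" or "istio.io/rev" in labels
        bare = sorted(p["metadata"]["name"] for p in pods["items"]
                      if p["metadata"]["namespace"] == name and not has_sidecar(p))
        if not labelled:
            findings[name] = ("NO_INJECTION_LABEL", bare)
        elif bare:
            findings[name] = ("PARTIAL_INJECTION", bare)
    return findings

if __name__ == "__main__":
    for ns, (kind, bare) in audit(NAMESPACES, PEER_AUTHS, PODS).items():
        print(f"{ns}: {kind} pods_without_sidecar={bare}")
```

Against a live cluster the three inputs would come from `kubectl get namespaces`, `kubectl get peerauthentication -A` and `kubectl get pods -A`, each with `-o json`.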
MESH LAYER DETAIL
CONSUL LAYER (mi.pemos.io)
Service registry: LIVE
Health checks: LIVE
KV store: LIVE
East-west discovery: NATIVE
Connect (mTLS): CONSUL MESH
Intentions: POLICY
ISTIO ASM 1.28 LAYER (AKS)
istiod: 2 replicas ✅
External ingress GW: 2 replicas ✅
Internal ingress GW: 2 replicas ✅
Envoy sidecars: 52 injected
mTLS STRICT namespaces: 17 active
Kiali visualizer: CrashLoop ⚠️ P1
TAILSCALE OVERLAY (Home Lab)
msi01: peer ✅
forge: peer ✅
msclo: peer ✅
yone: peer ✅
pcdev: peer ✅
Encryption: WireGuard E2E
BARE CNI (Mining Rigs)
ZERO-DR: bare K8s
KRSRHONE: bare K8s
CATHEDRAL: bare K8s
JAYRHONE: bare K8s
Design intent: chaos compute
Mesh required? NO · correct
"The mesh is the memory of the fleet."
— TRB-WPA7MAS-001 · EOSE Labs Inc. · Day 83
master1 carries the fleet at 88. mi.pemos.io shows the enterprise ceiling at 94.
The fleet average is 58 — honest C+. Kiali is down, sso-system contradicts itself,
pemos-system has no VirtualService. This is the roast. This is how we get better.
WPA7MAS is not a vanity metric. It's the exam we run on every silo, every namespace,
every workload. A D on home lab is correct — sovereign bare-metal doesn't need Istio.
A D on a production AKS namespace is a P2. The difference is intentionality.
Know your grade. Fix the gaps. Earn the A.