diff --git a/.huskies/work/1_backlog/480_story_cryptographic_node_auth_for_distributed_mesh.md b/.huskies/work/1_backlog/480_story_cryptographic_node_auth_for_distributed_mesh.md new file mode 100644 index 00000000..9d37dc6e --- /dev/null +++ b/.huskies/work/1_backlog/480_story_cryptographic_node_auth_for_distributed_mesh.md @@ -0,0 +1,21 @@ +--- +name: "Cryptographic node auth for distributed mesh" +--- + +# Story 480: Cryptographic node auth for distributed mesh + +## User Story + +As a user running a distributed huskies mesh, I want nodes authenticated by Ed25519 keypairs so only trusted machines can join and see pipeline state. + +## Acceptance Criteria + +- [ ] Each node has an Ed25519 keypair (generated on first run or via CLI command) +- [ ] Trusted nodes defined by a list of known public keys in config +- [ ] Nodes authenticate on WebSocket connect by signing a challenge +- [ ] CRDT node ID derived from public key (already built into bft-json-crdt crate) +- [ ] Unauthorised nodes rejected on connect + +## Out of Scope + +- TBD
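Review bot: The acceptance criterion "Nodes authenticate on WebSocket connect by signing a challenge" does not say what the challenge is or what gets signed, so an implementation could meet it and still accept a replayed signature. Suggest wording it so that the challenge is a fresh random nonce generated by the verifying side for each connection, used once and expired quickly, and the signed message includes a fixed context string plus both peers' public keys, so a signature cannot be reused on another connection or in another protocol. The criteria also do not state whether authentication is mutual: as written only the connecting node proves its identity, and a joining node has no stated check that the peer it connects to is in the trusted list. Two smaller points: "Trusted nodes defined by a list of known public keys in config" should name the key encoding and say how a key is removed when a node is no longer trusted, and "Out of Scope" is still "TBD"; if key rotation, protection of the private key at rest, and transport encryption are deferred, list them there explicitly so the story's boundary is reviewable.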