The wifi service runs Hostap with some patches for better WPA3 support; these will be submitted upstream at some point in the future.
The service supports multiple radio interfaces and runs parallel hostap daemons to manage them.
When a station successfully authenticates, fails to authenticate, or disconnects, an action script is run to inform the API as well as a helper program. This communication happens over a dedicated unix socket documented here.
Once a station authenticates successfully, a helper program is kicked off to permit DHCP from the client's approved MAC address. An XDP filter is employed to block stations from making DHCP requests for arbitrary MAC addresses.
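The check the XDP filter is described as enforcing, written as a plain C userspace model (an added example, not the project's XDP program). The function names, the frame builder, and the rule that both the Ethernet source address and the DHCP `chaddr` field must equal the approved MAC are assumptions; only IPv4 is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PASS = 0, DROP = 1 };

/* Added example, not the project's XDP code: verdict for one frame from a
   station whose approved MAC is `ok` (assumed rule: src MAC and chaddr match). */
int dhcp_verdict(const uint8_t *f, size_t len, const uint8_t ok[6])
{
    if (len < 34 || f[12] != 0x08 || f[13] != 0x00) return PASS; /* not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 17) return PASS; /* not UDP */
    if ((ip[6] & 0x1f) || ip[7]) return PASS;  /* later fragment: no UDP header */
    if (len < 14 + ihl + 8) return PASS;       /* no complete UDP header */
    const uint8_t *udp = ip + ihl;
    if (udp[2] != 0 || udp[3] != 67) return PASS; /* not to the DHCP server port */
    if (ip[6] & 0x20) return DROP;             /* fragmented DHCP request */
    const uint8_t *bootp = udp + 8;
    if (len < 14 + ihl + 8 + 34) return DROP;  /* truncated before chaddr ends */
    if (bootp[1] != 1 || bootp[2] != 6) return DROP;  /* htype/hlen not Ethernet */
    if (memcmp(f + 6, ok, 6) != 0) return DROP;       /* Ethernet source MAC */
    if (memcmp(bootp + 28, ok, 6) != 0) return DROP;  /* DHCP chaddr field */
    return PASS;
}

/* Constructed sample: minimal DHCP request frame (no options); returns length. */
size_t make_request(uint8_t *f, const uint8_t src[6], const uint8_t chaddr[6])
{
    memset(f, 0, 282);                  /* 14 Ethernet + 20 IP + 8 UDP + 240 BOOTP */
    memset(f, 0xff, 6);                 /* broadcast destination */
    memcpy(f + 6, src, 6);
    f[12] = 0x08; f[13] = 0x00;         /* EtherType IPv4 */
    f[14] = 0x45; f[23] = 17;           /* IPv4, IHL 5, protocol UDP */
    f[34] = 0; f[35] = 68; f[36] = 0; f[37] = 67; /* UDP 68 -> 67 */
    f[42] = 1; f[43] = 1; f[44] = 6;    /* BOOTREQUEST, Ethernet, hlen 6 */
    memcpy(f + 42 + 28, chaddr, 6);
    return 282;
}

int main(void)
{
    const uint8_t sta[6] = {0x02, 0, 0, 0, 0, 0x01}, other[6] = {0x02, 0, 0, 0, 0, 0x02};
    uint8_t f[282];
    printf("own MAC: %d\n", dhcp_verdict(f, make_request(f, sta, sta), sta));
    printf("spoofed chaddr: %d\n", dhcp_verdict(f, make_request(f, sta, other), sta));
    return 0;
}
```

Dropping a fragmented first packet to port 67 means the remaining fragments can never be reassembled, so `chaddr` cannot be hidden in a later fragment.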