Example: AI Agent Network
This example shows Genesis Mesh as a trust fabric for internal AI agents that must prove identity before exchanging tasks or data.
```mermaid
flowchart TB
    na["Network Authority"]
    supervisor["Supervisor Agent<br/>role:supervisor"]
    finance["Finance Agent<br/>role:finance"]
    crm["CRM Agent<br/>role:crm"]
    support["Support Agent<br/>role:support"]
    na -->|invite + cert| supervisor
    na -->|invite + cert| finance
    na -->|invite + cert| crm
    na -->|invite + cert| support
    supervisor <-->|Noise XX + routes| finance
    supervisor <-->|Noise XX + routes| crm
    supervisor <-->|Noise XX + routes| support
```
Deployment Steps

1. Create a signed genesis block for the agent network.
2. Start the Network Authority with operator keys and durable state.
3. Issue one invite per agent role.
4. Enroll each agent node with its invite token.
5. Start persistent node runtimes so agents can authenticate peers and exchange routes.
Certificates Issued
The Network Authority issues short-lived join certificates:
| Agent | Role | Validity |
|---|---|---|
| Supervisor | `role:supervisor` | Operator-defined |
| Finance | `role:finance` | Operator-defined |
| CRM | `role:crm` | Operator-defined |
| Support | `role:support` | Operator-defined |

Roles come from invite tokens, not client-supplied claims.
Routes Established
After Noise XX handshakes, agents announce reachable peers. The supervisor can route to individual agents, and agents can communicate through authenticated next hops when topology allows it.
Revocation Drill

If the CRM agent is compromised:

1. Revoke the CRM certificate with `/admin/revoke`.
2. Publish the updated signed CRL.
3. Peers reject new handshakes from the revoked certificate.
4. Existing routes from the revoked identity are withdrawn or ignored.
5. Re-enroll only after issuing a new invite and reviewing the key-compromise reason.
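
The peer-side half of this drill (accept a signed CRL, reject handshakes from the revoked certificate, withdraw its routes), as an added sketch that is not Genesis Mesh code. The `Peer` class, the `cert_id` field, the CRL layout and the HMAC used in place of the authority's signature are assumptions chosen so the example runs on the Python standard library alone.

```python
import hashlib
import hmac
import json

NA_KEY = b"constructed-demo-key"  # constructed; stands in for the authority's signing key


def sign_crl(version, revoked_ids):
    """Authority side: serialize the CRL and sign it (HMAC as a stand-in)."""
    body = json.dumps({"version": version, "revoked": sorted(revoked_ids)}).encode()
    return body, hmac.new(NA_KEY, body, hashlib.sha256).hexdigest()


class Peer:
    """Hypothetical peer state: last accepted CRL plus a route table."""

    def __init__(self):
        self.crl_version = 0
        self.revoked = set()
        self.routes = {}  # destination -> cert_id of the announcing next hop

    def apply_crl(self, body, sig):
        expected = hmac.new(NA_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False  # unsigned or tampered CRL: keep current state
        crl = json.loads(body)
        if crl["version"] <= self.crl_version:
            return False  # replayed older CRL must not un-revoke anyone
        self.crl_version, self.revoked = crl["version"], set(crl["revoked"])
        # Withdraw every route learned from a now-revoked identity.
        self.routes = {d: via for d, via in self.routes.items() if via not in self.revoked}
        return True

    def accept_handshake(self, cert, now):
        """Run after the cert's signature is verified (not modelled here)."""
        if cert["cert_id"] in self.revoked:
            return False
        return cert["not_before"] <= now < cert["not_after"]  # short-lived cert

    def learn_route(self, destination, via_cert_id):
        if via_cert_id not in self.revoked:  # ignore routes from revoked peers
            self.routes[destination] = via_cert_id


if __name__ == "__main__":
    peer = Peer()
    peer.learn_route("crm-records", "cert-crm-01")  # constructed identifiers
    print(peer.apply_crl(*sign_crl(1, ["cert-crm-01"])), peer.routes)
```

The version check matters as much as the signature check: a correctly signed but older CRL would otherwise restore a revoked identity.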
LLM-Backed Agent Flow
The same trust fabric can carry a real LLM-backed responder. The example
under examples/agent-network/llm_agent.py uses LiteLLM behind the agent
boundary: Genesis Mesh handles enrollment, peer identity, encrypted transport,
and provenance; LiteLLM handles the provider call.
The docs recording was generated with real `LLM_*` provider settings loaded
from `.env`:

```
python docs\examples\assets\scripts\llm-agent-demo.py --real-llm
```

Run the real LLM recording with Python 3.12 or 3.13 until fixed LiteLLM releases publish Python 3.14-compatible builds. The rest of Genesis Mesh and the deterministic mock demos continue to run on Python 3.14.
The recorder discovers the agent by llm:chat capability, sends the researcher
request without a pasted destination key or peer endpoint, and never writes the
API key to the rendered assets.
Distributed Capability Orchestration
Discovery becomes more powerful when an agent composes other capabilities. The v0.8 orchestration example adds a planner capability:

```text
Researcher
  -> planner.answer
      -> repo.summary
      -> llm.chat
  -> answer + provenance
```

The researcher does not configure provider node keys, peer endpoints, provider identities, or provider hosts. It discovers a planner, and the planner discovers and invokes the trusted providers.