Capability Demos (Part A)

Part A demonstrates the core Genesis Mesh architecture running end to end: identity, trust, transport, routing, and resilience.

Each demo is self-contained and can run against the live deployment at https://na.genesismesh.connectorzzz.com or a local NA started via Part C.


Part A - Capability Demos

Part A demonstrates the core Genesis Mesh architecture running end to end: identity, trust, transport, routing, and resilience.

1. Enrollment Demo

This demo proves the trust-on-first-use enrollment flow: an operator creates a single-use invite token, a node presents it with proof of possession of its own key, and the Network Authority returns a signed join certificate. The token cannot be reused.

        sequenceDiagram
    participant OP as Operator
    participant NA as Network Authority
    participant N as Node

    OP->>NA: POST /admin/invite (signed with operator key)
    NA-->>OP: token_id, expires_at, max_validity_hours

    N->>NA: POST /join (invite_token + node signature)
    NA->>NA: Verify token, mark consumed
    NA->>NA: Issue cert signed by NA private key
    NA-->>N: JoinCertificate (cert_id, expires_at, roles)

    N->>NA: POST /heartbeat (signed)
    NA-->>N: 200

    N->>NA: GET /nodes
    NA-->>N: count=1, node listed as healthy
    

Run against the live deployment

INVITE=$(genesis-mesh admin invite \
  --role anchor \
  --na https://na.genesismesh.connectorzzz.com)

genesis-mesh join \
  --na https://na.genesismesh.connectorzzz.com \
  --token "$INVITE"

curl -s https://na.genesismesh.connectorzzz.com/nodes | python3 -m json.tool

Expected proof

Joined USG as role:anchor
Certificate: 689499ad-2cb7-4c8f-bb87-ffbf30ffd2b0
Config: ~/.genesis-mesh/config.toml

{
  "count": 1,
  "nodes": {
    "689499ad-...": {
      "node_public_key": "FPqZUoiDnat0S3sy...",
      "roles": ["role:anchor"],
      "status": "healthy",
      "last_heartbeat": "2026-05-30T00:28:25..."
    }
  }
}

What this proves

  • Operator-authenticated invite creation through signed admin headers

  • Token consumption is atomic and single-use

  • NA-signed join certificate issued with operator-defined role and validity

  • Heartbeat path active immediately after enrollment

  • /nodes reflects the new identity within one heartbeat cycle

Reusing the same token fails

genesis-mesh join --na https://... --token "$INVITE"
# Error: 403 invite token already consumed

2. Revocation Demo

Revocation is one of the core Genesis Mesh control-plane promises. This walkthrough starts from a valid enrolled node, revokes its certificate, verifies that the signed CRL contains the revoked identity, and proves that the revoked certificate can no longer heartbeat, renew, or be silently reused by the local CLI.

        sequenceDiagram
    participant OP as Operator
    participant NA as Network Authority
    participant N as Enrolled Node
    participant CRL as Signed CRL
    participant RT as Runtime Checks

    OP->>NA: Revoke certificate with reason
    NA->>CRL: Publish CRL sequence 1
    NA-->>OP: revoked_count = 1
    N->>NA: Heartbeat with revoked cert
    NA-->>N: 403 Certificate revoked
    N->>NA: Renewal with revoked cert
    NA-->>N: 403 Certificate revoked
    RT->>RT: Reject revoked peer handshake
    RT->>RT: Ignore revoked route sender
    

Live recording

Revocation flow â€" CRL published, node removed, 403 enforcement

Screenshot from a control-plane run:

Terminal screenshot of Genesis Mesh revocation demo

Run the control-plane flow

INVITE=$(python -m genesis_mesh.cli admin invite \
  --config "$CONFIG" \
  --na "$ENDPOINT" \
  --role anchor)

python -m genesis_mesh.cli join \
  --config "$CONFIG" \
  --na "$ENDPOINT" \
  --token "$INVITE"

CERT_ID=$(python - <<'PY'
import json, os
from pathlib import Path
home = Path(os.environ["HOME_DIR"])
print(json.loads((home / "node.cert.json").read_text())["cert_id"])
PY
)

python -m genesis_mesh.cli admin revoke \
  --config "$CONFIG" \
  --na "$ENDPOINT" \
  --reason key_compromise \
  "$CERT_ID"

curl "$ENDPOINT/crl"
curl "$ENDPOINT/nodes"

Expected proof

Active nodes before revoke: 1

{
  "crl_sequence": 1,
  "revoked_count": 1
}

CRL sequence: 1
Revoked certificates in CRL: 1
CRL contains revoked cert: True
Active nodes after revoke: 0

After revocation, trying to reuse the same local certificate fails cleanly:

Using existing certificate: b7d9001d-c66b-4be3-867c-e2a0b3e31c78
Heartbeat failed: 403 Client Error: FORBIDDEN for url: http://127.0.0.1:41065/heartbeat
Error: Existing local certificate was rejected by the Network Authority.
Run with --token to re-enroll if this node is still authorized.

Signed renewal and heartbeat attempts are also rejected:

Certificate renewal failed: 403 Client Error: FORBIDDEN for url: http://127.0.0.1:41065/renew
Heartbeat failed: 403 Client Error: FORBIDDEN for url: http://127.0.0.1:41065/heartbeat
renewal accepted: False
heartbeat accepted: False

The peer-side runtime path is covered by targeted tests for revoked handshake rejection, route rejection from revoked senders, and CRL gossip propagation:

python -m pytest `
  genesis_mesh\tests\test_runtime.py::test_runtime_rejects_revoked_peer_certificate `
  genesis_mesh\tests\test_routing_protocol.py::test_route_announce_rejects_revoked_sender `
  genesis_mesh\tests\test_crl_gossip.py `
  -q

Observed result:

5 passed

3. Message Delivery Demo

This demo proves the mesh transport layer: two enrolled nodes authenticate to each other over Noise XX and exchange an encrypted message without the Network Authority being involved in the data path.

        sequenceDiagram
    participant A as Local Node
    participant B as Remote Node (Azure VM)

    A->>B: Noise XX message 1 â€" ephemeral key
    B-->>A: Noise XX message 2 â€" ephemeral + static + cert
    A->>B: Noise XX message 3 â€" static + cert
    note over A,B: Session keys derived, identity verified
    A->>B: DATA frame (encrypted): 'hello from local'
    note over B: DATA message delivered
    A->>B: Connection close
    note over B: Route invalidated
    

Prerequisites

Two nodes must be enrolled against the same Network Authority. The receiving node must be running join --persistent --listen-port 7443 so it has a stable WebSocket peer port.

Live recording

Live P2P message delivery over Noise XX encrypted peer session

Sending a message

genesis-mesh send \
  --to <RECIPIENT_NODE_PUBLIC_KEY> \
  --via ws://<PEER_HOST>:7443 \
  --message "hello from local"

Expected sender output:

Sent: 'hello from local'
  to:  Qcnkr82Fj9qacbUjScYcsOMx...
  via: ws://4.223.130.190:7443

Receiving node logs

sudo journalctl -u genesis-mesh-node -f

Expected log lines:

ReadMessage(message, payload_buffer)
Added connection to iwNqAdixbqKP/jWZ0RGlCEnthBl+AVk8AvnOhs2hVp4= (total: 1)
Connection to iwNqAdixbqKP... marked as established
AUDIT: connection_established | success | actor=None target=iwNqAdixbqKP...
DATA message delivered | from=iwNqAdixbqKP/jWZ | content='hello from local'
Closing connection to iwNqAdixbqKP...
Removed neighbor iwNqAdixbqKP..., invalidated 1 routes

What this proves

  • Noise XX mutual authentication using Ed25519 join certificate keys

  • Encrypted data transport without Network Authority involvement

  • Certificate validation on every inbound connection

  • Route management on connect and disconnect

  • Audit trail for every authenticated session


4. Multi-Hop Routing Demo

This demo proves the routing layer: a sender connects to one peer only, but reaches a destination it has never directly contacted because the intermediate router forwards the DATA frame on its behalf.

        sequenceDiagram
    participant A as Node A (sender)
    participant B as Node B (router, Azure VM)
    participant C as Node C (receiver)

    A->>B: Noise XX peer session
    C->>B: Noise XX peer session
    note over A,C: A and C never connect directly
    B->>A: Route announce â€" C reachable via B (metric=2)
    B->>C: Route announce â€" A reachable via B (metric=2)
    A->>B: DATA frame addressed to C
    B->>C: DATA forwarded (next_hop=C, ttl=9)
    note over C: DATA message delivered
    

Topology

Node

Role

Location

Port

A

Sender

Local (this machine)

ephemeral

B

Router

Azure VM

7443

C

Receiver

Local (separate identity)

ephemeral

A and C both connect only to B. Neither has a direct peer connection to the other.

Live recording

A â†' B â†' C multi-hop routing demo

Run

bash docs/examples/assets/scripts/multi-hop-demo.sh

The script enrolls two fresh identities (A and C), starts both peer runtimes with --peer ws://<vm>:7443, waits for B to propagate routes via distance-vector gossip, sends a DATA message from A to C, and reads delivery confirmation from C’s logs.

Captured proof from the live Azure deployment

On Node A — distance-vector route to C learned via B:

Updated route to SyS04TMQ7tR5qKzT97RADCtHN/p4Be95QiwHeHXGv3M= via Qcnkr82Fj9qacbUjScYcsOMxSAdTZRL3S3R/52hJ8i8= (metric=2, seq=1)
Updated 1 routes from Qcnkr82Fj9qacbUjScYcsOMxSAdTZRL3S3R/52hJ8i8=
Sent: 'hello from A via B to C'

On Node B (Azure VM) — DATA forwarded to next hop:

DATA forwarded | dest=SyS04TMQ7tR5qKzT | next_hop=SyS04TMQ7tR5qKzT | ttl=9

On Node C — message delivered, sender identified by A’s key prefix:

DATA message delivered | from=vqSz9BASkw9dj5tz | content='hello from A via B to C'

The metric=2 route on A means C is two hops away via B — exactly the distance-vector signature for indirect reachability.


5. Route Failure Recovery Demo

This demo proves automatic failover: a sender has two redundant paths to the receiver. The primary router is killed mid-demo; the next send goes through the backup router without retry, reconfiguration, or operator action.

        sequenceDiagram
    participant A as Node A
    participant B as Node B (primary, port 7443)
    participant D as Node D (backup, port 7444)
    participant C as Node C

    A->>B: peer session
    A->>D: peer session
    C->>B: peer session
    C->>D: peer session
    note over A,C: A learns two routes to C â€" via B and via D

    A->>B: Send 1 â€" DATA to C
    B->>C: Forward
    note over C: 'hello via B (primary)' delivered

    note over B: systemctl stop genesis-mesh-node
    B-->>A: connection closed
    note over A: Removed neighbor B, invalidated routes via B

    A->>D: Send 2 â€" DATA to C
    D->>C: Forward
    note over C: 'hello via D (backup)' delivered
    

Topology

Node

Role

Location

Port

A

Sender

Local

ephemeral

B

Primary router

Azure VM

7443

D

Backup router

Azure VM

7444

C

Receiver

Local

ephemeral

Both routers run on the same Azure VM but as independent systemd services (genesis-mesh-node and genesis-mesh-node-d). Stopping one does not affect the other.

Live recording

Route failure recovery â€" primary router B killed, traffic re-routed through D

Run

bash docs/examples/assets/scripts/failover-demo.sh

The script enrolls A and C, connects both to B and D, sends through B, SSHes to the VM and stops genesis-mesh-node, then sends through D and shows delivery on C.

Captured proof from the live Azure deployment

Initial state — Node A learns C is reachable via B:

Updated route to XtWVKWy30xIyASzRXSxtiFEbUqG8QnEaeOdqZfpcoAk= via xop1h3bm1SXMo8xZp/Umwp2l4bxUSgFF6aZvYXSezdo= (metric=2, seq=6)

Send 1 through B (primary) — delivered:

Sent: 'hello via B (primary)'
DATA message delivered | from=7y2r604wQlI6NtaE | content='hello via B (primary)'

B is stopped on the VM. Node A detects the disconnect and withdraws B’s routes:

==> Killing Node B (stopping genesis-mesh-node on Azure VM)
Removed neighbor Qcnkr82Fj9qacbUjScYcsOMxSAdTZRL3S3R/52hJ8i8=, invalidated 1 routes

Send 2 through D (backup) — delivered without retry or reconfiguration:

Sent: 'hello via D (backup)'
DATA message delivered | from=7y2r604wQlI6NtaE | content='hello via D (backup)'

On Node D (Azure VM) — DATA forwarded to C:

DATA forwarded | dest=XtWVKWy30xIyASzR | next_hop=XtWVKWy30xIyASzR | ttl=9

What this proves

  • Neighbor failure detection via WebSocket disconnect

  • Automatic route withdrawal when a neighbor goes offline

  • Multi-path routing tolerates router loss without retransmit

  • No operator intervention required between path A→B→C and path A→D→C


6. Multi-Agent Workflow Demo

This demo proves that Genesis Mesh can carry a cooperative agent workflow, not only direct request/response messages.

Multi-agent workflow demo showing routed request and provenance
        flowchart LR
    researcher["Researcher Agent"]
    router["Router Agent"]
    kb_security["Knowledge Agent A<br/>security"]
    kb_transport["Knowledge Agent B<br/>transport"]

    researcher -->|AgentRequest| router
    router -->|revocation/crl| kb_security
    router -->|noise/routing| kb_transport
    kb_security -->|AgentResponse + provenance| router
    kb_transport -->|AgentResponse + provenance| router
    router -->|answer + provenance| researcher
    

The runnable example lives in examples/agent-network/ and is documented here:

The verified path is:

Researcher -> Router -> kb-security -> Router -> Researcher

Observed proof from the local multi-process smoke test:

Q: how does revocation work?
A: Revocation starts with an operator-signed admin action. The Network Authority publishes a signed CRL, and heartbeat, renewal, peer handshake, and routing checks reject the revoked identity.
  from:    kb-security
  source:  knowledge-security.json
  provenance:
    - router-1: routed (researcher-1 -> kb-security)
    - kb-security: answered (knowledge-security.json)
    - router-1: returned (kb-security -> researcher-1)

The GIF is generated by the reproducible recorder:

python docs\examples\assets\scripts\multi-agent-workflow-demo.py

What this proves

  • One agent can route work to another agent.

  • The requester keeps the same request_id across multiple hops.

  • Each agent has its own mesh identity and join certificate.

  • Responses can be traced back to the agent that produced them.

  • Revocation remains a mesh-level safety boundary for the workflow.


7. Agent Discovery + LLM Demo (v0.7)

This demo proves the discovery layer added in v0.7: agents announce their capabilities to the Network Authority, peers find each other by capability tag, and the LLM-backed responder agent answers a research question — all without anyone pasting a 44-character node public key.

        flowchart LR
    agent["LLM agent<br/>(LiteLLM â†' OpenAI / Anthropic / Ollama / ...)"]
    na["Network Authority<br/>/agents registry"]
    researcher["Researcher"]
    llm["LLM provider"]

    agent -->|signed AgentDescriptor<br/>POST /agents| na
    researcher -->|GET /agents?capability=llm:chat| na
    na -->|node_public_key + endpoint| researcher
    researcher -->|Noise XX peer session + AgentRequest| agent
    agent -->|HTTPS| llm
    llm -->|completion| agent
    agent -->|AgentResponse + provenance| researcher
    

Static walkthrough:

LLM-backed agent demo showing capability discovery and provenance

Animated execution:

LLM-backed agent demo showing a real provider response over Genesis Mesh

The recording was generated with the checked-in recorder:

python docs\examples\assets\scripts\llm-agent-demo.py --real-llm

The recorder loads LLM_* values from .env, starts a temporary Network Authority, enrolls llm-1, discovers it by the llm:chat capability, sends a researcher request over Noise XX without a pasted node key or peer endpoint, verifies the response provenance, and redacts the API key from all rendered output.

Prerequisites

pip install -r examples/agent-network/requirements.txt   # adds LiteLLM on Python 3.12/3.13

The LLM provider dependency is optional. Fixed LiteLLM releases currently cap support below Python 3.14, so run the real LLM recording with Python 3.12 or 3.13 until LiteLLM publishes compatible 3.14 builds.

Set the LLM provider in your environment (see examples/agent-network/README.md for the full provider matrix). For Azure OpenAI’s v1 endpoint:

export LLM_MODEL=openai/gpt-4o-mini
export LLM_API_KEY=<azure-openai-key>
export LLM_BASE_URL=https://<resource>.services.ai.azure.com/openai/v1

Start a responder; let it auto-register

LLM_INVITE=$(genesis-mesh admin invite --role anchor \
  --na https://na.genesismesh.connectorzzz.com)

python examples/agent-network/llm_agent.py \
  --na https://na.genesismesh.connectorzzz.com \
  --config ~/.gm-agents/llm/config.toml \
  --listen-port 7448 \
  --agent-id llm-1 \
  --announce-host 127.0.0.1 \
  --capability llm:chat \
  --invite-token "$LLM_INVITE"

The agent enrolls, opens its peer WebSocket port, signs an AgentDescriptor with its node key, and POSTs it to /agents. A background task refreshes the registration on a timer.

Discover via the CLI

genesis-mesh discover --capability llm:chat \
  --na https://na.genesismesh.connectorzzz.com

Captured output from the v0.7 live-deployment gate run:

1 agent(s) matching capability=llm:v0.7-gate:

  agent_id     : llm-live-1
  node_key     : EGk5lruaR7fveWfEyQsIuo7S2oevUOtKyrHR5sKKXqA=
  capabilities : llm:chat, llm:v0.7-gate
  endpoint     : ws://127.0.0.1:17450
  expires_at   : 2026-06-01T14:12:03.713487Z
  metadata     : {'model': 'openai/gpt-4o-mini'}

Ask through discovery — no key, no peer URI pasted

RES_INVITE=$(genesis-mesh admin invite --role client \
  --na https://na.genesismesh.connectorzzz.com)

python examples/agent-network/researcher.py \
  --na https://na.genesismesh.connectorzzz.com \
  --config ~/.gm-agents/researcher/config.toml \
  --capability llm:chat \
  --invite-token "$RES_INVITE" \
  "In one paragraph, why does a permissioned mesh network benefit from a capability-based discovery layer rather than hardcoded peer addresses?"

Captured response from the live deployment + Azure OpenAI gpt-4o-mini:

Q: In one paragraph, why does a permissioned mesh network benefit from a capability-based discovery layer rather than hardcoded peer addresses?
A: A permissioned mesh network benefits from a capability-based discovery layer because it enhances flexibility and security by allowing dynamic peer interactions without relying on hardcoded addresses. This approach enables nodes to discover and connect with authorized peers based on capabilities and roles, rather than fixed identifiers, making it easier to adapt to network changes or scale. …
  from:    llm-live-1
  source:  llm:openai/gpt-4o-mini
  request: 021826fd-12ec-4d98-932f-6d0f401edc81
  provenance:
    - llm-live-1: answered (llm:openai/gpt-4o-mini)

What this proves

  • An agent can announce its capabilities to the NA without operator action.

  • Peers can find agents by capability without prior knowledge of their keys.

  • The same mesh identity + Noise XX session that v0.5/v0.6 demos used still carries the actual request/response — discovery only changes how peers rendezvous.

  • The LLM provider is swappable through an env var; no provider-specific code touches the mesh layer.

Provider swap matrix

See the agent-network example README for the full LiteLLM provider matrix (OpenAI, Azure OpenAI v1, Anthropic, Ollama, Mistral, Groq, Together, vLLM, LM Studio, and OpenAI-compatible servers).


8. Distributed Capability Orchestration Demo (v0.8)

This demo proves the next step after agent discovery: a researcher asks for an outcome, a planner discovers trusted capability providers, invokes them over the mesh, and returns an answer with complete provenance.

Static walkthrough of Genesis Mesh capability orchestration

Animated execution:

Capability orchestration demo showing planner discovery and provenance
        flowchart LR
    researcher["Researcher"]
    planner["Planner<br/>planner.answer"]
    repo_a["Repo provider A<br/>repo.summary"]
    repo_b["Repo provider B<br/>repo.summary"]
    llm["LLM provider<br/>llm.chat"]

    researcher -->|discover planner.answer| planner
    planner -->|discover + select repo.summary| repo_a
    planner -. alternate .-> repo_b
    planner -->|discover llm.chat| llm
    repo_a -->|summary + provenance| planner
    llm -->|synthesis + provenance| planner
    planner -->|answer + full provenance| researcher
    

The recorder runs a temporary Network Authority, two repo.summary providers, one llm.chat provider, one planner.answer provider, and a researcher. The researcher does not configure any node keys, peer endpoints, provider identities, or provider hosts.

The requester knows only the desired capability. All provider discovery and selection occur dynamically at runtime.

When more than one provider advertises a capability, the planner uses a deterministic provider selection rule. In this demo, repo-agent-a is selected because provider identities are sorted before invocation. Capability is the requested behavior; provider is the selected trusted identity that executes it.

Run:

python docs\examples\assets\scripts\capability-orchestration-demo.py

Observed proof from the local smoke test:

==> Researcher asks for planner.answer
    no node keys configured
    no peer endpoints configured
    no provider identities configured
    no provider hosts configured

Q: Summarize Genesis Mesh and explain why discovery matters.
A: Genesis Mesh is a sovereign trust, identity, and communication fabric for permissioned agent and node networks...

  capability: planner.answer
  provider:   planner-1
  provenance:
    - planner-1: discovered repo.summary (selected provider repo-agent-a)
    - repo-agent-a: executed repo.summary (repo-summary.json)
    - planner-1: discovered llm.chat (selected provider llm-1)
    - llm-1: executed llm.chat (llm:openai/gpt-4o-mini)
    - planner-1: combined planner.answer (repo.summary + llm.chat)

Full walkthrough:


9. Recognition Treaty Demo (v0.10)

This demo proves direct sovereign-to-sovereign recognition. Sovereign B issues a membership attestation, Sovereign A signs a scoped treaty recognizing Sovereign B, and Sovereign A accepts the attestation through that treaty. When Sovereign A revokes the treaty, the same attestation is rejected.

        sequenceDiagram
    participant B as Sovereign B
    participant A as Sovereign A
    participant G as Recognition Graph

    B->>B: Issue MembershipAttestation
    A->>A: Sign RecognitionTreaty for Sovereign B
    B-->>A: Present attestation
    A-->>B: accepted through treaty
    A->>A: Revoke treaty
    B-->>A: Present same attestation
    A-->>B: rejected: treaty_locally_revoked
    A->>G: Export recognition graph
    

Live recording

Recognition treaty flow - signed recognition, revocation, and graph export

Static screenshot:

Static screenshot of the Genesis Mesh recognition treaty demo

Run:

python docs\examples\assets\scripts\recognition-treaty-demo.py

Observed proof from the local smoke test:

==> Sovereign A issued recognition treaty for Sovereign B
    scope:  role:service:maintainer

==> Sovereign A accepted B's attestation through the treaty
    accepted: True
    reason:   accepted

==> Sovereign A revoked the recognition treaty
    reason: trust_boundary_removed

==> Sovereign A rejected the same attestation after treaty revocation
    accepted: False
    reason:   treaty_locally_revoked

==> Sovereign A exported minimal recognition graph
    sovereigns:              2
    recognition_edges:       1
    revoked_trust_material:  1

Full walkthrough:


10. Cross-Sovereign Revocation Demo (v0.11)

This demo proves revocation propagation across a recognition boundary. Sovereign A accepts a membership attestation from Sovereign B through an active treaty. Sovereign B later revokes that specific attestation and publishes a signed revocation feed. Sovereign A imports the feed and rejects the same attestation without revoking the treaty itself.

        sequenceDiagram
    participant B as Sovereign B
    participant A as Sovereign A
    participant F as Signed Revocation Feed
    participant G as Recognition Graph

    B->>B: Issue MembershipAttestation
    A->>A: Activate RecognitionTreaty for B
    B-->>A: Present attestation
    A-->>B: accepted through treaty
    B->>F: Publish revocation feed
    A->>A: Verify and import feed
    B-->>A: Present same attestation
    A-->>B: rejected: attestation_locally_revoked
    A->>G: Export propagated revoked trust material
    

Live recording

Cross-sovereign revocation propagation demo

Static screenshot:

Static screenshot of the Genesis Mesh cross-sovereign revocation demo

Run:

python docs\examples\assets\scripts\cross-sovereign-revocation-demo.py

Observed proof from the local smoke test:

==> Sovereign A accepted B's attestation before feed import
    accepted: True
    reason:   accepted

==> Sovereign B published signed revocation feed
    feed sequence: 1
    revoked IDs:   1

==> Sovereign A imported B's revocation feed
    accepted: True
    sequence: 1

==> Sovereign A rejected the same attestation after feed import
    accepted: False
    reason:   attestation_locally_revoked

==> Recognition graph includes propagated revoked attestation
    propagated revocations: 1
    recognition_edges:      1

Full walkthrough:


11. Connectome Demo (v0.12)

This demo turns recognition graph data into an operator Connectome view. It shows direct recognition edges, active trust paths, revoked trust material, and which accepting sovereigns are affected by imported revocation feeds.

        sequenceDiagram
    participant B as Sovereign B
    participant A as Sovereign A
    participant C as Connectome

    A->>A: Active treaty recognizes Sovereign B
    B->>B: Revoke membership attestation
    B-->>A: Signed revocation feed
    A->>A: Import feed and update graph state
    A->>C: GET /connectome.json
    C-->>A: summary, edges, blast radius
    A->>C: GET /connectome/trust-path?from=A&to=B
    C-->>A: trusted=true, active_treaty_path
    

Live recording

Connectome operator view showing recognition edges and revocation impact

Static screenshot:

Static screenshot of the Genesis Mesh Connectome demo

Run:

python docs\examples\assets\scripts\connectome-demo.py

Observed proof from the local smoke test:

==> Connectome summary
    sovereigns:              2
    recognition edges:       1
    active edges:            1
    imported revocations:    1

==> Direct trust path
    from:    sovereign-a
    to:      sovereign-b
    trusted: True
    reason:  active_treaty_path

==> Revocation blast radius
    issuer:              sovereign-b
    affected acceptors:  sovereign-a

Full walkthrough:


12. Independent Sovereigns Demo

This demo proves the trust-roadmap flow across two different cloud VMs. Azure runs Sovereign A as USG; DigitalOcean runs Sovereign B as USG-NB. NB issues a membership attestation, Azure recognizes NB through a signed treaty, Azure accepts the attestation, NB revokes it through a signed feed, and Azure rejects the same attestation after importing that feed.

        sequenceDiagram
    participant NB as USG-NB (DigitalOcean)
    participant AZ as USG (Azure)
    participant C as Azure Connectome

    NB->>NB: Issue MembershipAttestation
    AZ->>AZ: Issue RecognitionTreaty for USG-NB
    NB-->>AZ: Present attestation
    AZ-->>NB: accepted through treaty
    NB->>NB: Revoke attestation
    NB-->>AZ: Signed revocation feed
    AZ->>AZ: Import feed
    NB-->>AZ: Present same attestation
    AZ-->>NB: rejected: attestation_locally_revoked
    AZ->>C: Export trust path and blast radius
    

Live recording

Independent sovereigns proof across Azure and DigitalOcean

Static screenshot:

Static screenshot of the Genesis Mesh independent sovereigns demo

Run the non-mutating asset renderer:

python docs\examples\assets\scripts\independent-sovereigns-demo.py

Observed proof from the clean Azure + DigitalOcean run:

==> Azure accepted NB attestation before revocation
    accepted: True
    reason:   accepted

==> Azure imported NB revocation feed
    accepted: True
    sequence: 1

==> Azure rejected the same attestation after feed import
    accepted: False
    reason:   attestation_locally_revoked

==> Azure Connectome summary
    sovereigns:           2
    recognition edges:    1
    active edges:         1
    imported revocations: 1

Full walkthrough:


13. Supply-Chain Trust Gate Demo

This demo applies cross-sovereign trust to a release gate. Project A issues a portable maintainer attestation for Alice. Project B recognizes Project A for a narrow release-maintainer role. CI accepts Alice before revocation and rejects the same attestation after importing Project A’s signed revocation feed.

        sequenceDiagram
    participant A as Project A Sovereign
    participant B as Project B Sovereign
    participant CI as CI / Release Gate

    A->>A: Issue maintainer attestation
    B->>B: Sign recognition treaty
    CI->>CI: Verify attestation + treaty
    CI-->>B: allow release action
    A->>A: Revoke attestation
    A-->>CI: Signed revocation feed
    CI->>CI: Verify same attestation + feed
    CI-->>B: deny release action
    
Supply-chain trust gate proof showing allow before revocation and deny after revocation

Static screenshot:

Static screenshot of the Genesis Mesh supply-chain trust gate demo

Run the asset and artifact generator:

python docs\examples\assets\scripts\supply-chain-trust-gate-demo.py

Expected proof:

==> CI verifies Alice before revocation
    accepted:     True
    reason:       accepted
    exit code:    0

==> CI verifies the same attestation after feed import
    accepted:     False
    reason:       attestation_locally_revoked
    exit code:    10

Full walkthrough: