Genesis Mesh

Genesis Mesh is a permissioned peer-to-peer networking system for environments where every node must be known, enrolled, authenticated, and revocable.

The system has two planes. The Network Authority is the online control plane: it issues invite tokens, signs join certificates, publishes policy, and distributes certificate revocation lists. Mesh nodes are the data plane: after enrollment, they authenticate each other with certificates, establish encrypted Noise XX peer sessions, exchange routing information, and forward messages across the mesh.

Use Genesis Mesh when you need decentralized node communication without anonymous membership: private infrastructure, edge networks, lab environments, sovereign or organizational networks, and other deployments where operators must be able to admit, audit, and remove nodes.

It is not a public blockchain, anonymous overlay, or permissionless discovery network. Trust begins with a signed genesis block, flows through the Network Authority, and is enforced by short-lived certificates, operator-signed admin actions, and revocation checks.

        flowchart LR
    operator["Operator"]
    rs["Root Sovereign"]
    genesis["Signed Genesis Block"]
    na["Network Authority"]
    node_a["Mesh Node A"]
    node_b["Mesh Node B"]
    crl["Signed CRL"]
    policy["Signed Policy"]

    rs -->|signs| genesis
    genesis -->|trust anchor| na
    operator -->|signed admin request| na
    na -->|issues join cert| node_a
    na -->|issues join cert| node_b
    na -->|publishes| crl
    na -->|publishes| policy
    node_a <-->|Noise XX peer session| node_b
    node_a -->|validates| crl
    node_b -->|validates| crl
    node_a -->|applies| policy
    node_b -->|applies| policy
    

The documentation is organized by what you are trying to do:

• Start here for setup, local startup, and installation.

• Concepts for architecture, trust, certificate lifecycle, security, and routing.

• Reference for CLI, HTTP API, and configuration details.

• Operations for deployment, infrastructure, monitoring, and revocation.

• Development for contributing, testing, and roadmap context.

Start Here

• Quick Start
  • Prerequisites
  • Operator Workflow
  • Node Operator Workflow
  • Developer Workflow
  • Config Files
  • Roles
  • Security Notes
  • Troubleshooting
• Installation
  • Windows PowerShell
  • Linux, macOS, or WSL
  • Verify the Install
  • Runtime Requirements
  • Generated Files

Concepts

• Overview
  • What Genesis Mesh Is
  • What Genesis Mesh Is Not
  • Current Maturity
• Architecture
  • Components
  • Runtime Flow
  • Storage
• Trust Model
  • Trust Anchors
  • Signed Objects
  • Replay Protection
• Security Model
  • Admission
  • Peer Authentication
  • Peer Discovery
  • Administrative Authentication
  • Revocation
  • Deployment Boundary
  • Current Gaps
• Certificate Lifecycle
  • Enrollment
  • Renewal
  • Revocation
  • Expiry
• Routing
  • Routing Model
  • Route Announcements
  • Route Withdrawal
  • Message Delivery
  • Production Notes

Reference

• CLI Reference
  • Operator Commands
  • Node Operator Commands
  • Developer Commands
  • Low-Level Compatibility Commands
• Network Authority API
  • Browser Console
  • Health
  • Public Network Data
  • Enrollment
  • Node Operations
  • Admin Endpoints
• Configuration Reference
  • CLI Config Discovery
  • Network Authority Environment
  • Node Environment
  • Files and Secrets

Operations

• Deployment
  • Local Development
  • Container Startup
  • Production Readiness Checks
  • Azure Helpers
• Infrastructure
  • Directory Layout
  • Root Files Kept Intentionally
  • Sample Genesis Files
  • Azure Scripts
• Monitoring
  • Network Authority Probes
  • Node Health
  • Operational Signals
  • Logging
• Revocation
  • Revoke a Certificate
  • Reasons
  • Enforcement
  • Operator Checklist

Development

• Contributing
  • Development Workflow
  • Code Standards
  • Pull Request Expectations
• Module Structure
  • Network Authority
  • Node Control Plane
  • Node Runtime
  • Transport Connections
  • Test Layout
  • CLI
• Security Policy
  • Supported Scope
  • Reporting
  • Disclosure Expectations
• Testing
  • Unit and Integration Tests
  • Static and Supply-Chain Checks
  • Documentation Build
  • Smoke Workflow
  • Container Smoke Checks
• Roadmap
  • Implemented and Tested
  • Remaining Hardening Work

Documentation Build

.\.venv\Scripts\Activate.ps1
python -m pip install -r docs/requirements.txt
python -m sphinx -b html -W docs docs/pages

In Git Bash on Windows:

source .venv/Scripts/activate
python -m pip install -r docs/requirements.txt
python -m sphinx -b html -W docs docs/pages

The generated site is written to docs/pages.

To preview the site locally, serve docs/pages as the HTTP root:

python -m http.server 8000 --directory docs/pages

Then open http://localhost:8000/. If you serve the repository root or docs/ instead, / and /concepts/architecture.html will return 404 because the generated index.html lives under docs/pages.