Genesis Mesh¶
Genesis Mesh is a sovereign trust, identity, and communication fabric for AI agents, edge systems, and distributed infrastructure.
It is built for networks where every participant must be known, enrolled, authenticated, authorized, reachable, and revocable. The project is not only a message transport. Unlike traditional mesh networks that focus mainly on connectivity, Genesis Mesh focuses on controlled participation, cryptographic identity, policy enforcement, and operator-owned trust.
It combines identity, trust, routing, authorization, and network ownership into one control model so operators can answer:
Who is allowed to be a node?
How do peers prove they are who they claim to be?
What is each node allowed to do?
How do messages reach the right peer?
How do I remove a compromised or retired identity?
The system has two planes. The Network Authority is the online control plane: it issues invite tokens, signs join certificates, publishes policy, and distributes certificate revocation lists. Mesh nodes are the data plane: after enrollment, they authenticate each other with certificates, establish encrypted Noise XX peer sessions, exchange routing information, and forward messages across the mesh.
Use Genesis Mesh when you need decentralized communication without anonymous membership: private AI-agent networks, edge-service fabrics, lab environments, sovereign organizational networks, distributed compute clusters, and other deployments where operators must be able to admit, audit, route, authorize, and remove nodes.
It is not a public blockchain, anonymous overlay, or permissionless discovery network. Trust begins with a signed genesis block, flows through the Network Authority, and is enforced by short-lived certificates, operator-signed admin actions, and revocation checks.
Why Genesis Mesh?¶
Most mesh networks answer one question: can nodes communicate?
Genesis Mesh answers the harder operational questions: can nodes communicate securely, prove their identity, follow policy, be audited, and be removed when trust is lost?
Genesis Mesh is closest to a sovereign zero-trust control plane combined with decentralized peer routing. It is not just a connectivity overlay; it is a trust fabric for permissioned node and agent networks.
Genesis Mesh is designed for environments where connectivity alone is insufficient and trust must be continuously established, enforced, and revocable.
Typical Use Cases¶
AI agent networks that require identity, authorization, and revocation.
Edge computing platforms operating across multiple locations.
Sovereign organizational networks that cannot rely on third-party control planes.
Distributed compute clusters with operator-controlled membership.
Research and laboratory environments requiring strong enrollment controls.
Five Operating Pillars¶
Identity: every node has a cryptographic identity and a signed join certificate.
Trust: a signed genesis block, Network Authority, operator keys, CRLs, and policy manifests define the trust chain.
Routing: authenticated peers exchange routing state and forward messages without sending all traffic through the Network Authority.
Authorization: enrollment roles, RBAC, signed admin actions, and policy updates define what identities can do.
Sovereignty: the operator owns the genesis block, trust anchors, policy, enrollment process, and revocation authority instead of delegating network membership to a third-party control plane.
flowchart LR
operator["Operator"]
rs["Root Sovereign"]
genesis["Signed Genesis Block"]
na["Network Authority"]
node_a["Mesh Node A"]
node_b["Mesh Node B"]
crl["Signed CRL"]
policy["Signed Policy"]
rs -->|signs| genesis
genesis -->|trust anchor| na
operator -->|signed admin request| na
na -->|issues join cert| node_a
na -->|issues join cert| node_b
na -->|publishes| crl
na -->|publishes| policy
node_a <-->|Noise XX peer session| node_b
node_a -->|validates| crl
node_b -->|validates| crl
node_a -->|applies| policy
node_b -->|applies| policy
The documentation is organized by what you are trying to do.
Get a local mesh running and exercise its first commands.
Architecture, trust model, security model, and how the pieces fit together.
Stand up a sovereign, verify independent operator control, and run recognition proofs.
Deployment runbooks: VM bootstrap, Terraform, Kubernetes, monitoring, audit, incident response, backup.
TypeScript, Go, and C# (.NET) clients for the NA HTTP API — typed errors and dual-mode Ed25519 admin auth.
25 runnable demos: trust thesis, agent orchestration, capacity baselines, and packaging smoke tests.
Project history, roadmap, contributing, module structure, and security policy.
Start Here
Concepts
SDK Clients
Infrastructure
Reference
- CLI Reference
- Operator Commands
- Relationship Agreement Commands
- Delegation Chain Commands
- Relationship Context Commands
- Execution Evidence Commands
- Freshness Proof Commands
- Interop Bridge Commands
- Invocation-Bound Capability Token Commands
- Distributed Consensus Commands
- Peer Risk Signal Commands
- Verifiable Logic Attestation Commands
- Trust Atlas Cache and Pruning Commands
- Process-Level Execution Mediation Commands
- Sovereign Overlay Discovery Commands
- Communication Privacy Commands
- Data Usage Attestation Commands
- Ephemeral Identity Purge Commands
- Context-Injection Defense Commands
- Selective Disclosure Commands
- Human Oversight Commands
- Justification Proof Commands
- Atlas Commands
- Trust Decision Commands
- Node Operator Commands
- Developer Commands
- Low-Level Compatibility Commands
- Network Authority API
- Configuration Reference
- Trust API — HTTP Reference
Protocol RFCs
Contributing
Documentation Build¶
.\.venv\Scripts\Activate.ps1
python -m pip install -r docs/requirements.txt
python -m sphinx -b html -W docs docs/pages
In Git Bash on Windows:
source .venv/Scripts/activate
python -m pip install -r docs/requirements.txt
python -m sphinx -b html -W docs docs/pages
The generated site is written to docs/pages.
To preview the site locally, serve docs/pages as the HTTP root:
python -m http.server 8000 --directory docs/pages
Then open http://localhost:8000/. If you serve the repository root or docs/
instead, / and /concepts/architecture.html will return 404 because the
generated index.html lives under docs/pages.