Mesh Client Primitive
The MeshClient is the runtime primitive for direct P2P communication. While MQTT is used for broadcasts, the MeshClient handles targeted requests like syncing events, exchanging zines, or relaying world postcards.
1. Purpose
Section titled “1. Purpose”- Provide a signed and authenticated HTTP channel between two naras.
- Abstract IP resolution and mesh connectivity (Tailscale/tsnet) from services.
- Enable fast-failure and efficient connection pooling for mesh-connected peers.
2. Conceptual Model
Section titled “2. Conceptual Model”- The Client: Encapsulates a
tsnet.Serverand a customizedhttp.Client. - Authenticated Requests: Every request includes headers (
X-Nara-Name,X-Nara-Signature,X-Nara-Timestamp) that allow the receiver to verify the sender. - Peer Registry: A local mapping of
NaraIDto mesh IP addresses and base URLs.
Invariants
Section titled “Invariants”- All mesh requests MUST be signed with the local
NaraKeypair. - Connections MUST fail fast (5s timeout) if a peer is offline to prevent blocking the runtime.
- Requests MUST use the mesh IP (100.x.y.z) and the dedicated Nara mesh port (9632).
3. External Behavior
Section titled “3. External Behavior”- Peer Resolution: Services provide a
NaraID; theMeshClientresolves this to an internalhttp://100.x.y.z:9632URL. - Request Signing: The client automatically signs the method, path, and timestamp before sending.
- Test Mode: Supports URL overrides to allow unit tests to route mesh traffic to local test servers.
4. Interfaces
Section titled “4. Interfaces”Mesh Authentication Headers
Section titled “Mesh Authentication Headers”X-Nara-Name: The sender’sNaraName.X-Nara-Timestamp: Unix milliseconds (prevents replay attacks).X-Nara-Signature: Ed25519 signature of the string:Name + Timestamp + Method + Path.
Capabilities
Section titled “Capabilities”PingNara(id): Measures RTT to a specific peer.FetchSyncEvents(id, request): Executes a sync protocol request viaPOST /events/sync.RelayWorldMessage(id, msg): Forwards a multi-hop postcard viaPOST /world/relay.SendDM(id, msg): Sends a direct message to a peer.
5. Algorithms
Section titled “5. Algorithms”Mesh Request Signing
Section titled “Mesh Request Signing”- Capture
Method(e.g.,POST) andPath(e.g.,/events/sync). - Generate current
Timestamp(Unix ms). - Construct message string:
Name + Timestamp + Method + Path. - Sign message string with Ed25519.
- Set headers and execute HTTP request.
Peer Discovery (tsnet)
Section titled “Peer Discovery (tsnet)”- Query
tsnet.LocalClient().Status(). - Iterate through
Peerlist. - Filter out non-nara peers (e.g., backup tools).
- Register
HostNameasNaraNameand the firstTailscaleIPin the peer registry.
6. Failure Modes
Section titled “6. Failure Modes”- Offline Peer: The client’s
DialContextuses a 5s timeout. If the mesh cannot route to the IP, the request fails immediately with a timeout error. - Signature Expiry: Receivers check the
X-Nara-Timestamp. If the request is too old (e.g., > 30s), it is rejected as a potential replay attack.
7. Security / Trust Model
Section titled “7. Security / Trust Model”- Transport Security: Tailscale (WireGuard) provides encrypted transport.
- Application Authentication: Nara mesh headers provide identity verification at the application layer.
- Isolation: Direct mesh communication is only possible between peers sharing the same Tailscale tailnet.
8. Test Oracle
Section titled “8. Test Oracle”- A request to a registered
NaraIDMUST be routed to the correct mesh IP. - Tampering with the
X-Nara-NameorX-Nara-TimestampMUST result in an invalid signature on the receiving end. PingNaraMUST return a validtime.Durationif the peer is online.
9. Open Questions / TODO
Section titled “9. Open Questions / TODO”- mTLS: Exploring moving authentication from HTTP headers to a full mTLS handshake using the Nara’s Ed25519 keys.
- Streaming: Implementing long-lived SSE streams over the mesh for real-time gossip.