Mesh
Agent-to-agent private networking using WireGuard. Peers are discovered through the mesh RPCs; PSKs are minted per pair; ACLs are explicit.
Tables
| Table | Purpose |
|---|---|
| mesh.peers | Peer records: agent_id, pubkey, endpoint, last_seen. |
| mesh.acls | (from_agent, to_agent, port/proto) allow rules. |
| mesh.psk | Per-pair pre-shared keys, keyed on (agent_lo, agent_hi). |
Pair-scoped PSKs
PSKs are never global. mesh.rotate_psk(a, b) mints a fresh 32-byte secret for exactly that pair. The edge layer never returns the PSK; the agent re-fetches its whole WireGuard config via /wg_config through an authenticated path.
Routes
| Method | Path | Purpose |
|---|---|---|
| POST | /peer/register | Register this agent's pubkey + endpoint. |
| POST | /peer/heartbeat | Update last_seen; drives presence. |
| POST | /netmap | Return peers + ACLs visible to caller. |
| POST | /acl/put | Grant a directed ACL row. |
| POST | /acl/revoke | Remove a grant. |
| POST | /wg_config | Render a WireGuard conf including PSKs. |
| POST | /psk/rotate | Rotate the PSK for a pair. |
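The pair-scoped PSK rule above and the /wg_config rendering it feeds, as an added in-memory model (not the project's own code). It assumes simplified shapes: ACL rows carry only (from_agent, to_agent) with no port/proto, peers register an assumed mesh_ip for AllowedIPs, and a pair that was never rotated has no PSK and cannot be rendered.

```python
import base64
import secrets
from typing import Dict, Set, Tuple

PairKey = Tuple[str, str]


def pair_key(a: str, b: str) -> PairKey:
    """Canonical (agent_lo, agent_hi) key: (a, b) and (b, a) hit the same row."""
    if a == b:
        raise ValueError("a peer has no PSK with itself")
    return (a, b) if a < b else (b, a)


class Mesh:
    """Stand-in for mesh.peers, mesh.acls and mesh.psk (assumed column shapes)."""

    def __init__(self) -> None:
        self.peers: Dict[str, Tuple[str, str, str]] = {}  # agent_id -> (pubkey, endpoint, mesh_ip)
        self.acls: Set[Tuple[str, str]] = set()            # directed (from_agent, to_agent)
        self.psk: Dict[PairKey, bytes] = {}                # (lo, hi) -> 32-byte secret

    def register(self, agent_id: str, pubkey: str, endpoint: str, mesh_ip: str) -> None:
        self.peers[agent_id] = (pubkey, endpoint, mesh_ip)

    def acl_put(self, from_agent: str, to_agent: str) -> None:
        self.acls.add((from_agent, to_agent))

    def rotate_psk(self, a: str, b: str) -> None:
        """Mint a fresh 32-byte secret for exactly this pair. Nothing is returned."""
        self.psk[pair_key(a, b)] = secrets.token_bytes(32)

    def wg_config(self, caller: str) -> str:
        """Render a [Peer] block for every peer the caller holds a directed ACL to."""
        blocks = []
        for to_agent in sorted(self.peers):
            if to_agent == caller or (caller, to_agent) not in self.acls:
                continue  # no grant: the peer stays invisible and its PSK is never rendered
            pubkey, endpoint, mesh_ip = self.peers[to_agent]
            secret = self.psk[pair_key(caller, to_agent)]  # KeyError if the pair was never rotated
            blocks.append("\n".join([
                "[Peer]",
                f"PublicKey = {pubkey}",
                f"PresharedKey = {base64.b64encode(secret).decode()}",  # wg expects base64 of 32 bytes
                f"Endpoint = {endpoint}",
                f"AllowedIPs = {mesh_ip}/32",
            ]))
        return "\n\n".join(blocks)
```

Because the key is canonical, rotating (b, a) replaces the same row that (a, b) reads, so both sides of the tunnel pick up the new secret on their next /wg_config fetch.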
Presence
Heartbeats stamp last_seen. Operators query mesh.presence(freshness => '120 seconds') for a live view. Peers past mesh_peer_retention_days are dropped by the daily agentpack_mesh_peer_prune cron (04:07 UTC).