From ab50abaea2a8e742acc295cf0e8b0ad900824523 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 09:54:00 -0400 Subject: [PATCH 01/14] docs(source-os): add mesh linux estate landing page --- docs/mesh/README.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 docs/mesh/README.md diff --git a/docs/mesh/README.md b/docs/mesh/README.md new file mode 100644 index 0000000..32a65d6 --- /dev/null +++ b/docs/mesh/README.md @@ -0,0 +1,15 @@ +# Mesh Linux Estate Integration + +This directory carries the Linux-native realization material for the mesh work inside `source-os`. + +Placement rule: +- Linux estate realization lives here. +- Shared schemas and canonical capability vocabulary live in `SocioProphet/socioprophet-agent-standards`. +- Control-plane lifecycle and promotion semantics live in `SocioProphet/agentplane`. + +Contents: +- `mesh_linux_estate_upstream_plan.md` — Linux-native integration plan and role split +- `traffic_class_path_template_matrix.md` — traffic classes, path templates, and Linux policy mapping +- `upstream_workstreams.md` — staged upstream workstream plan + +Companion Linux-facing templates live under `linux/`. From 1ba4e13826f7ba4a58a406b999dba458979b4d43 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:06:12 -0400 Subject: [PATCH 02/14] docs(source-os): add mesh linux estate upstream plan --- docs/mesh/mesh_linux_estate_upstream_plan.md | 79 ++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 docs/mesh/mesh_linux_estate_upstream_plan.md diff --git a/docs/mesh/mesh_linux_estate_upstream_plan.md b/docs/mesh/mesh_linux_estate_upstream_plan.md new file mode 100644 index 0000000..860216c --- /dev/null +++ b/docs/mesh/mesh_linux_estate_upstream_plan.md @@ -0,0 +1,79 @@ +# Mesh Linux Estate Upstream Plan + +## Goal + +Integrate the mesh into a Linux estate in a way that is upstream-friendly, operationally sane, and survivable under hostile or degraded networks. + +The design separates four concerns: +1. control-plane provenance and admission +2. transport reachability +3. traffic-class-specific data paths +4. egress and censorship-resistance edge behavior + +## Linux-native constraints + +Release 1 should avoid inventing a bespoke in-kernel anonymous network stack. + +Use existing Linux primitives for what they already do well: +- WireGuard for the encrypted underlay +- rtnetlink / generic netlink / iproute2 for link and route control +- nftables for exit NAT and policy enforcement +- systemd-networkd and NetworkManager as first-class estate front-ends +- systemd units, credentials, and local sockets for lifecycle and secret delivery + +Do not put onion routing, mix scheduling, rendezvous mailboxes, or trust policy into the kernel in Release 1. + +## Privilege split + +Use separate processes instead of one omnipotent daemon: + +### `meshd` +Unprivileged control-plane daemon for identity, enrollment, capability manifests, operator API, and replayable audit data. + +### `meshd-linkd` +Privileged network mutator for WireGuard interfaces, peers, route tables, rules, and fwmarks. + +### `meshd-exitd` +Privileged edge helper for forwarding, nftables NAT/filter policy, and exit-role health/accounting. + +### `mesh-ptd` / bridge helper +Optional user-space censorship-resistance edge for anonymous ingress, bridge integration, or pluggable transports. + +## Estate split + +### Headless servers and relays +Prefer `systemd-networkd` for server roles, exits, relays, and appliances. + +### Workstations and roaming devices +Prefer NetworkManager for laptops and operator-facing devices because it already handles Wi-Fi, roaming, DNS policy, and WireGuard profiles well. + +### Mixed estate rule +Do not force one network manager everywhere. Treat manager choice as a role decision. + +## Release-1 scope + +### In scope +- cryptographic node identity +- signed capability manifests +- direct plus relay-assisted WireGuard underlay +- route policy via fwmark and dedicated route tables +- optional exit role +- Linux templates, units, and packaging notes +- observability and replayable control-plane records + +### Out of scope +- kernel-resident mixnet or onion routing +- global cover traffic by default +- bespoke kernel modules +- full Tor clone inside the Linux realization repo + +## Repo placement in `source-os` + +- `docs/mesh/` — design and rollout docs +- `linux/systemd-networkd/` — networkd templates +- `linux/systemd/` — service units for helper daemons +- `linux/networkmanager/` — NM profile templates +- `linux/nftables/` — exit policy templates +- `linux/packaging/` — packaging notes and future spec stubs + +Shared schemas belong in `SocioProphet/socioprophet-agent-standards`, not here. From 93dfde955a5b68898ea806cea25bbf4a448e9a30 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:07:43 -0400 Subject: [PATCH 03/14] docs(source-os): add traffic class and path template matrix --- .../traffic_class_path_template_matrix.md | 89 +++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 docs/mesh/traffic_class_path_template_matrix.md diff --git a/docs/mesh/traffic_class_path_template_matrix.md b/docs/mesh/traffic_class_path_template_matrix.md new file mode 100644 index 0000000..eb01628 --- /dev/null +++ b/docs/mesh/traffic_class_path_template_matrix.md @@ -0,0 +1,89 @@ +# Traffic-Class / Path-Template Matrix + +The mesh should not pretend that all traffic shares one path discipline. Different traffic classes need different routing semantics. + +## Traffic classes + +### Admission +Purpose: invites, introducer handshakes, first-contact rendezvous, peer metadata provisioning. + +Preferred path: +- wormhole-like or introducer-mediated channel +- short-lived +- never a generic exit path + +Linux expression: +- local `meshd` control socket +- ordinary outbound host networking until enrollment completes + +### Control-plane replication +Purpose: capability manifest updates, revocation, policy distribution, anti-entropy. + +Preferred path: +- direct mesh first +- 2-hop microcascade fallback when observation risk rises + +Linux expression: +- table 100 +- fwmark `0x100` + +### Private service traffic +Purpose: RPC, replication, admin operations, internal APIs. + +Preferred path: +- direct mesh +- relay fallback +- optional microcascade when policy demands operator or jurisdiction separation + +Linux expression: +- table 110 +- fwmark `0x110` + +### Full-tunnel exit traffic +Purpose: public internet egress, remote IP locality, public-Wi-Fi posture. + +Preferred path: +- direct trusted exit for low-risk traffic +- microcascade to exit for medium-risk traffic + +Linux expression: +- table 120 +- fwmark `0x120` +- catch-all routes plus nftables NAT on the exit node + +### Interactive anonymous traffic +Purpose: sessions needing anonymity rather than only transport privacy. + +Preferred path: +- onion rail +- bridge or pluggable-transport entry when required + +Linux expression: +- local proxy or helper process +- table 130 +- fwmark `0x130` + +### Async high-risk traffic +Purpose: delayed messaging, store-and-forward, control replication under active observation. + +Preferred path: +- mix rail only +- not the default for ordinary traffic + +Linux expression: +- user-space app or gateway path first +- table 140 only if emitted as IP + +## Path templates + +- `P0-direct` — single peer path over the WireGuard underlay +- `P1-relay` — one relay for reachability, not anonymity +- `P2-microcascade` — two or three constrained hops from policy-approved nodes +- `P3-onion` — low-latency layered anonymity path +- `P4-mix` — delayed metadata-resistance path for high-risk asynchronous traffic only + +## Default stance + +- servers use `P0` for service traffic and `P2` only where policy requires harder separation +- laptops use `P0` when trusted and `P2` or `P3` when roaming or censored +- exits must not self-select as both client and exit in the same risk context From 2cca465b27b8c690ded8eecd7b9907b5567587a4 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:08:32 -0400 Subject: [PATCH 04/14] docs(source-os): add upstream workstreams for mesh linux estate --- docs/mesh/upstream_workstreams.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/mesh/upstream_workstreams.md diff --git a/docs/mesh/upstream_workstreams.md b/docs/mesh/upstream_workstreams.md new file mode 100644 index 0000000..44935af --- /dev/null +++ b/docs/mesh/upstream_workstreams.md @@ -0,0 +1,28 @@ +# Upstream Workstreams + +## Workstream A — zero-kernel-delta MVP +Ship entirely in user space. +Use existing WireGuard, existing netlink, existing nftables, and existing network managers. + +This is the default and preferred path. + +## Workstream B — Linux estate integration +Deliver: +- systemd units +- systemd-networkd templates +- NetworkManager profile or dispatcher integration +- nftables policy templates +- packaging notes and future package specs +- SELinux/AppArmor policy later + +## Workstream C — censorship-resistance edge +Deliver separately: +- Tor bridge or pluggable-transport helper +- optional anonymous ingress +- workstation-focused packaging + +## Workstream D — mix rail +Defer until the first three workstreams are stable. + +## Rule of thumb +If a feature can remain in user space without harming correctness or performance materially, keep it in user space. From d4cb7fb4abd782f24d2b89a2281ff6d8acbe854c Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:10:38 -0400 Subject: [PATCH 05/14] build(source-os): add mesh systemd-networkd underlay template --- linux/systemd-networkd/50-mesh0.netdev | 31 ++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 linux/systemd-networkd/50-mesh0.netdev diff --git a/linux/systemd-networkd/50-mesh0.netdev b/linux/systemd-networkd/50-mesh0.netdev new file mode 100644 index 0000000..3471701 --- /dev/null +++ b/linux/systemd-networkd/50-mesh0.netdev @@ -0,0 +1,31 @@ +# /etc/systemd/network/50-mesh0.netdev +# Conservative example template for a mesh underlay interface. +# Adapt addresses, keys, ports, and routing policy to your estate. + +[NetDev] +Name=mesh0 +Kind=wireguard +Description=Mesh underlay interface + +[WireGuard] +PrivateKey=@mesh0 +ListenPort=51820 +FirewallMark=0x110 +RouteTable=110 +RouteMetric=50 + +[WireGuardPeer] +PublicKey=__PEER1_PUBLIC_KEY_BASE64__ +PresharedKey=@mesh0-peer1-psk +AllowedIPs=10.77.0.2/32, fd77:77::2/128 +Endpoint=198.51.100.10:51820 +PersistentKeepalive=25 + +# Optional full-tunnel peer / exit role on the client side: +# [WireGuardPeer] +# PublicKey=__EXIT_PUBLIC_KEY_BASE64__ +# AllowedIPs=0.0.0.0/0, ::/0 +# Endpoint=203.0.113.20:51820 +# PersistentKeepalive=25 +# RouteTable=120 +# RouteMetric=10 From 3d7dad295fea5f298bfa44fcb8e31ea93823a962 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:11:02 -0400 Subject: [PATCH 06/14] build(source-os): add mesh systemd-networkd policy template --- linux/systemd-networkd/50-mesh0.network | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 linux/systemd-networkd/50-mesh0.network diff --git a/linux/systemd-networkd/50-mesh0.network b/linux/systemd-networkd/50-mesh0.network new file mode 100644 index 0000000..64735be --- /dev/null +++ b/linux/systemd-networkd/50-mesh0.network @@ -0,0 +1,29 @@ +# /etc/systemd/network/50-mesh0.network +# Matching .network file for mesh0. + +[Match] +Name=mesh0 + +[Network] +Address=10.77.0.1/32 +Address=fd77:77::1/128 +LinkLocalAddressing=no +IPv6AcceptRA=no +LLDP=no +ConfigureWithoutCarrier=yes +IgnoreCarrierLoss=yes + +[Route] +Destination=10.90.0.0/16 +Table=110 +Metric=50 + +[RoutingPolicyRule] +FirewallMark=0x110 +Table=110 +Priority=10010 + +[RoutingPolicyRule] +FirewallMark=0x120 +Table=120 +Priority=10020 From 86172af4eeb085ee288540f275743233dcf10e3f Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:11:31 -0400 Subject: [PATCH 07/14] build(source-os): add mesh exit nftables template --- linux/nftables/mesh-exit.nft | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 linux/nftables/mesh-exit.nft diff --git a/linux/nftables/mesh-exit.nft b/linux/nftables/mesh-exit.nft new file mode 100644 index 0000000..64ce0a3 --- /dev/null +++ b/linux/nftables/mesh-exit.nft @@ -0,0 +1,20 @@ +#!/usr/sbin/nft -f +# Stateful NAT and forwarding policy for an exit node. + +flush table inet mesh_exit +table inet mesh_exit { + chain forward { + type filter hook forward priority 0; policy drop; + ct state established,related accept + iifname "mesh0" oifname "eth0" ip saddr 10.77.0.0/16 accept + iifname "mesh0" oifname "eth0" ip6 saddr fd77:77::/48 accept + iifname "eth0" oifname "mesh0" ct state established,related accept + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + oifname "eth0" ip saddr 10.77.0.0/16 masquerade + # Add NAT66 only if policy truly requires it. + # oifname "eth0" ip6 saddr fd77:77::/48 masquerade + } +} From eb34ef73ca0ab878a669b9b4d68f71eb7e71e70c Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:11:59 -0400 Subject: [PATCH 08/14] build(source-os): add meshd service unit --- linux/systemd/meshd.service | 40 +++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 linux/systemd/meshd.service diff --git a/linux/systemd/meshd.service b/linux/systemd/meshd.service new file mode 100644 index 0000000..a5b1454 --- /dev/null +++ b/linux/systemd/meshd.service @@ -0,0 +1,40 @@ +[Unit] +Description=Mesh control-plane daemon +Documentation=man:meshd(8) +After=network-online.target +Wants=network-online.target + +[Service] +Type=notify +User=meshd +Group=meshd +StateDirectory=meshd +RuntimeDirectory=meshd +ConfigurationDirectory=meshd +ExecStart=/usr/libexec/meshd --config /etc/meshd/meshd.toml --listen unix:/run/meshd/meshd.sock +Restart=on-failure +RestartSec=2s + +NoNewPrivileges=yes +ProtectSystem=strict +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectClock=yes +ProtectHostname=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictSUIDSGID=yes +RestrictRealtime=yes +RestrictNamespaces=yes +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +CapabilityBoundingSet= +AmbientCapabilities= + +[Install] +WantedBy=multi-user.target From 4e0fa147f040d01afacdf6246a4aaf0048ad4f5c Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:13:00 -0400 Subject: [PATCH 09/14] build(source-os): add meshd-linkd service unit --- linux/systemd/meshd-linkd.service | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 linux/systemd/meshd-linkd.service diff --git a/linux/systemd/meshd-linkd.service b/linux/systemd/meshd-linkd.service new file mode 100644 index 0000000..3eefc37 --- /dev/null +++ b/linux/systemd/meshd-linkd.service @@ -0,0 +1,34 @@ +[Unit] +Description=Mesh privileged link helper +After=meshd.service +Requires=meshd.service + +[Service] +Type=notify +User=root +Group=root +RuntimeDirectory=meshd +ExecStart=/usr/libexec/meshd-linkd --rpc unix:/run/meshd/linkd.sock --control unix:/run/meshd/meshd.sock +Restart=on-failure +RestartSec=2s + +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=strict +ProtectHome=yes +ProtectControlGroups=yes +ProtectKernelLogs=yes +ProtectClock=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictSUIDSGID=yes +RestrictRealtime=yes +RestrictNamespaces=yes +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW + +[Install] +WantedBy=multi-user.target From aecd0793d85d0e55c71108173e8091a5216d79ca Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:13:52 -0400 Subject: [PATCH 10/14] build(source-os): add meshd-exitd service unit --- linux/systemd/meshd-exitd.service | 34 +++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 linux/systemd/meshd-exitd.service diff --git a/linux/systemd/meshd-exitd.service b/linux/systemd/meshd-exitd.service new file mode 100644 index 0000000..52cb78c --- /dev/null +++ b/linux/systemd/meshd-exitd.service @@ -0,0 +1,34 @@ +[Unit] +Description=Mesh exit helper +After=network-online.target meshd-linkd.service +Wants=network-online.target +Requires=meshd-linkd.service + +[Service] +Type=simple +User=root +Group=root +ExecStart=/usr/libexec/meshd-exitd --config /etc/meshd/exits.toml --nft /etc/meshd/nftables/mesh-exit.nft +Restart=on-failure +RestartSec=2s + +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=strict +ProtectHome=yes +ProtectControlGroups=yes +ProtectKernelLogs=yes +ProtectClock=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictSUIDSGID=yes +RestrictRealtime=yes +RestrictNamespaces=yes +SystemCallArchitectures=native +RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW + +[Install] +WantedBy=multi-user.target From ef7aa555688e396011b76d72a5935d137fe49785 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:14:28 -0400 Subject: [PATCH 11/14] build(source-os): add NetworkManager mesh profile template --- linux/networkmanager/wg-mesh.nmconnection | 33 +++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 linux/networkmanager/wg-mesh.nmconnection diff --git a/linux/networkmanager/wg-mesh.nmconnection b/linux/networkmanager/wg-mesh.nmconnection new file mode 100644 index 0000000..cd9b01c --- /dev/null +++ b/linux/networkmanager/wg-mesh.nmconnection @@ -0,0 +1,33 @@ +[connection] +id=wg-mesh +type=wireguard +interface-name=wg-mesh +autoconnect=false + +[ipv4] +method=manual +address1=10.77.0.10/32 +route-table=120 +ignore-auto-dns=true +dns-priority=-32768 +never-default=false +routing-rule1=priority 10020 fwmark 0x120 table 120 + +[ipv6] +method=manual +address1=fd77:77::10/128 +route-table=120 +ignore-auto-dns=true +dns-priority=-32768 +never-default=false +routing-rule1=priority 10020 fwmark 0x120 table 120 + +[wireguard] +private-key=__PRIVATE_KEY_BASE64__ +fwmark=0 +ip4-auto-default-route=true +ip6-auto-default-route=true +peer-routes=true +peers=__EXIT_PUBLIC_KEY_BASE64__ endpoint=203.0.113.20:51820 allowed-ips=0.0.0.0/0;::/0 persistent-keepalive=25 + +[proxy] From d429481da99bf4963547cc6adbe220bfdaf9e949 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:27:06 -0400 Subject: [PATCH 12/14] docs(source-os): add nmcli hardening example for mesh exits --- .../harden-existing-wireguard-profile.sh | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 examples/nmcli/harden-existing-wireguard-profile.sh diff --git a/examples/nmcli/harden-existing-wireguard-profile.sh b/examples/nmcli/harden-existing-wireguard-profile.sh new file mode 100644 index 0000000..785bfb1 --- /dev/null +++ b/examples/nmcli/harden-existing-wireguard-profile.sh @@ -0,0 +1,20 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Harden and classify an existing NetworkManager WireGuard profile for full-tunnel exit use. +# Usage: +# ./harden-existing-wireguard-profile.sh wg-mesh + +NAME="${1:-wg-mesh}" + +nmcli connection modify "$NAME" ipv4.route-table 120 ipv6.route-table 120 +nmcli connection modify "$NAME" wireguard.ip4-auto-default-route yes +nmcli connection modify "$NAME" wireguard.ip6-auto-default-route yes +nmcli connection modify "$NAME" +ipv4.routing-rules "priority 10020 fwmark 0x120 table 120" +nmcli connection modify "$NAME" +ipv6.routing-rules "priority 10020 fwmark 0x120 table 120" +nmcli connection modify "$NAME" ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes +nmcli connection modify "$NAME" ipv4.dns-priority -32768 ipv6.dns-priority -32768 +nmcli connection modify "$NAME" ipv4.never-default no ipv6.never-default no + +echo "Profile '$NAME' updated. Review with:" +echo " nmcli -f connection.id,ipv4.route-table,ipv6.route-table,wireguard.ip4-auto-default-route,wireguard.ip6-auto-default-route,ipv4.dns-priority,ipv6.dns-priority connection show $NAME" From 4ad470dcfece0bb2af5d744f3af53ce9133c5dd4 Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:27:52 -0400 Subject: [PATCH 13/14] docs(source-os): add mesh packaging notes --- linux/packaging/README.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 linux/packaging/README.md diff --git a/linux/packaging/README.md b/linux/packaging/README.md new file mode 100644 index 0000000..4de0f66 --- /dev/null +++ b/linux/packaging/README.md @@ -0,0 +1,22 @@ +# Packaging Notes + +Recommended package split: + +- `meshd` +- `meshd-linkd` +- `meshd-exitd` +- `meshctl` +- `meshd-networkd` +- `meshd-networkmanager` +- `meshd-nftables` +- `meshd-selinux` (optional) +- `meshd-apparmor` (optional) +- `meshd-onion` (optional) +- `meshd-mix` (optional) + +Deb/RPM/Nix packaging should converge on the same runtime surfaces: +- `/etc/meshd/` +- `/usr/libexec/` +- `/usr/lib/systemd/system/` +- `/usr/lib/systemd/network/` or `/etc/systemd/network/` +- `/usr/share/doc/meshd/` From eae37cf84059e7d229c29d1f6023bb1257c5f7cf Mon Sep 17 00:00:00 2001 From: mdheller <21163552+mdheller@users.noreply.github.com> Date: Thu, 16 Apr 2026 10:33:29 -0400 Subject: [PATCH 14/14] docs(source-os): link mesh linux estate integration surfaces --- README.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 731ca2d..6317bc1 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,19 @@ # source-os -This is the main SociOS Linux SourceOS Repo. + +This is the main SociOS Linux SourceOS repository. + +## Role + +`source-os` is the Linux realization home for the SourceOS control-plane stack. It carries host roles, profiles, images, builders, and Linux-facing integration surfaces that realize the AgentPlane contract on Linux hosts. + +## Current surfaces + +- `docs/repository-layout.md` — repository shape and intent +- `docs/agentplane-integration.md` — contract boundary with AgentPlane and shared standards +- `docs/mesh/` — mesh Linux estate integration planning, path-template mapping, and staged workstreams +- `linux/` — concrete Linux-facing templates for systemd-networkd, NetworkManager, nftables, and helper units +- `profiles/` / `modules/` — Nix realization surfaces + +## Boundary rule + +Shared schemas and canonical vocabulary belong in `SocioProphet/socioprophet-agent-standards`, not here.