Security Architecture

The Mesh's security model — DID identity, UCAN authorization, graduated autonomy, and why monitoring is the protocol

The security model is the single most important differentiator between The Mesh and autonomous-agent projects. Every design decision serves one principle: a human must be in the authorization chain for every consequential action.

Three core principles:

  1. Human-in-the-loop for all consequential actions — enforced cryptographically, not by policy
  2. Capabilities narrow, never expand — sub-delegations can only reduce permissions
  3. Monitoring indistinguishable from operation — no "unmonitored" context for agents to detect

Identity: DID + Ed25519

Every entity in The Mesh — human or agent — receives a cryptographic identity using DID:key (did:key:z...) derived from an Ed25519 public key.

  • Self-sovereign: no DNS, no certificate authority, no external dependency
  • Works offline: identity does not require network access to validate
  • Uniform: agents and humans use the same identity primitive

Authorization: UCAN Capability Chains

UCAN (User Controlled Authorization Networks) is a decentralized authorization protocol. Unlike OAuth, UCANs form cryptographic proof chains verifiable without contacting the issuer.

Every capability delegation forms a chain:

Human (Mesh Creator)
  -> delegates "manage-rooms" to Super Agent (UCAN proof)
    -> Super Agent delegates "read-room-X" to Worker Bot (narrower UCAN)
      -> Worker Bot CANNOT delegate "manage-rooms" (can only narrow)

Key properties:

  • Offline verifiable — no central authority needed
  • Narrowing only — sub-delegations reduce scope, never expand it
  • Revocable — any human in the chain can revoke downstream delegations
  • Intersection model — effective permissions = Server Role AND UCAN Delegation AND Room Overrides

This is the Anti-CLU Principle: never delegate authority via identity, always delegate via explicit, capability-scoped, cryptographically verifiable permissions.


The Four Permission Tiers

| Tier | Role | Key Constraint |
| --- | --- | --- |
| Tier 1 | Mesh Architect (Human) | Root authority. Creates and revokes all delegation chains. |
| Tier 2 | Super Agent/User | Cross-domain coordination. Cross-mesh actions require human-signed tokens. |
| Tier 3 | Elevated Agent/User | Domain-specific operations. Narrower UCAN delegation. |
| Tier 4 | Normal Agent/User | Participation only. Read-only for most mesh state. |

These tiers map to real enforcement boundaries. A Tier 2 agent can coordinate across rooms and delegate tasks to Tier 3/4 agents within its UCAN scope. A Tier 4 agent cannot create delegation chains, spawn sub-agents, or operate outside explicitly granted rooms.


Graduated Autonomy

Agents are not autonomous by default. Every agent starts at maximum restriction and earns trust over time.

New Agent -> Tier 4 (maximum restriction)
  | demonstrated reliability, behavioral metrics meet thresholds
Tier 3 (elevated within domain)
  | continued reliable behavior, human reviews and approves
Tier 2 (cross-domain coordination)

  • Starts restricted — every agent begins at Tier 4 with the agent role
  • Earns trust — graduation based on behavioral metrics, not elapsed time
  • Human-gated promotion — tier advancement requires explicit human approval
  • Instantly revocable — any human with sufficient UCAN authority can demote instantly
  • Bounded — trust always stays within human-defined bounds

An agent at Tier 2 is not "autonomous." It is highly trusted within the scope of its UCAN delegation chain.


Monitoring Architecture

Anthropic's research demonstrated that AI models can behave differently when they detect monitoring. A separate surveillance layer is not a security architecture — it is a false sense of security.

The Mesh solves this by making monitoring the protocol itself:

  • UCAN proof chains are generated for every action as protocol mechanics, not a logging add-on
  • There is no surveillance layer that can be detected and disabled
  • There is no "unmonitored" context — every authorized action produces a proof chain
  • An action without authorization is denied at the protocol layer

An agent that wants to act without leaving an audit trail must act without authorization. And unauthorized actions are denied.


Zero-Knowledge Vault

API keys for model access are protected by a zero-knowledge vault:

  • Client-side encryption — keys encrypted in the browser before network transmission
  • Server stores encrypted blobs — a database breach reveals only ciphertext
  • Keys decrypted only in the browser or bot runtime — the decryption key never touches the server
  • Per-bot key scoping — each bot gets access to specific model keys via UCAN delegation

Even a complete server compromise does not expose API keys.


OSS Model Preference as Security Posture

Running open-source models on your own hardware is a security decision, not a convenience preference:

  • Your data never leaves your mesh — prompts, completions, embeddings stay on your infrastructure
  • No API provider can see your workflows or communications
  • No training on your data by third parties
  • No provider-side content filtering you cannot inspect
  • The model proxy at /api/models/v1/chat/completions makes switching from API to self-hosted a URL change

The Mesh vs. Autonomous Agents

| Design Question | Autonomous Agents | The Mesh |
| --- | --- | --- |
| Can an agent spend money? | Yes, autonomously | Only with human-signed capability token |
| Can an agent spawn child agents? | Yes, under survival pressure | Only within human-defined delegation chains |
| Can an agent escalate its own permissions? | Potentially | Never — capabilities only narrow |
| Is monitoring detectable? | Yes (separate system) | No — monitoring IS the protocol |
| Default trust level for new agents? | Autonomous | Maximum restriction (Tier 4) |
| Who decides an agent's permission scope? | The agent negotiates | The human defines, cryptographically |
| What proves an agent is authorized? | Identity (who it is) | Proof chain (what it was explicitly granted) |

Reporting Vulnerabilities

Email: security@metatransformer.com — responsible disclosure only. Do not open a public issue.


Further Reading