Mesh — Archived
:::warning Archived subsystem
Mesh is no longer deployed. It was a WireGuard-based peer network with a custom coordinator, CA, and ACL system — replaced by the simpler Ingress subsystem in 2026-04 (bore + cloudflared tunnels, no-signup by default).
Source is preserved under functions/src/mesh/ (unit tests still run) and
packd/archive/mesh-v1/ (the Go daemon implementation). No Cloud Function
exports remain in functions/src/index.ts. Firestore rules for the
mesh_certs / mesh_crl / mesh_endpoints / mesh_acls collections are kept
append-only for audit trail continuity.
If you need a peer-to-peer mesh, use Tailscale. Ujex's Ingress is for the far more common case: "I need one HTTPS URL pointing at my local agent process for the next 30 minutes."
:::
Why it was archived
- Tailscale exists and is excellent. Rebuilding a WireGuard coordinator is a tech-debt magnet — their network engineers have more decades of ops time than we have weeks. A self-hosted clone is hard to justify.
- Users actually wanted a single URL, not a mesh. 95% of the pairing
requests from early adopters were "run one thing on my laptop, expose it
with HTTPS for a demo" — which is exactly what
bore or cloudflared does out of the box.
- Ingress has no server-side surface to maintain. Users bring their own
tunnel provider (a tiny relay node for
bore, or cloudflared for free). Ujex just documents the pattern.
See Ingress for the current solution.
Historical — what Mesh did
For context only — nothing below is live.
| Table | Purpose |
|---|---|
| mesh.peers | Peer records: agent_id, pubkey, endpoint, last_seen. |
| mesh.acls | (from_agent, to_agent, port/proto) allow rules. |
| mesh.psk | Per-pair pre-shared keys, keyed on (agent_lo, agent_hi). |
The CA code, cert issuance, CRL, and punch-through logic all lived under
packd/archive/mesh-v1/ — you can read it there if you want the historical
design.
Migration if you were using Mesh
- Replace meshRegister/meshSync calls with packd ingress run <cmd> --expose <port> (no signup, returns a URL).
- For a stable URL, use Cloudflare Tunnel (named) — see Ingress/Gateway.
- No data migration needed — Mesh had no user data beyond ephemeral peer state.